summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--include/netfilter.mk4
-rw-r--r--package/iptables/Makefile104
-rw-r--r--package/iptables/patches/008-chaostables.patch342
-rw-r--r--package/iptables/patches/009-tarpit-support.patch106
-rw-r--r--package/iptables/patches/1.3.8/001-ipp2p_0.8.1rc1.patch457
-rw-r--r--package/iptables/patches/1.3.8/002-layer7_2.17.patch (renamed from package/iptables/patches/002-layer7-1.5nbd.patch)118
-rw-r--r--package/iptables/patches/1.3.8/003-layer7_2.17_pktmatch.patch42
-rw-r--r--package/iptables/patches/1.3.8/004-drop_multiport_v0_support.patch (renamed from package/iptables/patches/004-multiport_v1.patch)14
-rw-r--r--package/iptables/patches/1.3.8/005-imq1.patch (renamed from package/iptables/patches/005-imq1.patch)16
-rw-r--r--package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch (renamed from package/iptables/patches/001-ipp2p-0.8.1rc1.patch)53
-rw-r--r--package/iptables/patches/1.4.0/002-layer7_2.17.patch418
-rw-r--r--package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch43
-rw-r--r--package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch279
-rw-r--r--package/iptables/patches/1.4.0/005-imq1.patch219
-rw-r--r--package/iptables/patches/1.4.0/006-chaostables_0.8.patch393
-rw-r--r--package/iptables/patches/1.4.0/007-tarpit_support.patch106
-rw-r--r--package/kernel/modules/netfilter.mk131
-rw-r--r--target/linux/generic-2.4/patches/602-netfilter_layer7_2.17_with_pktmatch.patch (renamed from target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch)4
-rw-r--r--target/linux/generic-2.6/config-2.6.224
-rw-r--r--target/linux/generic-2.6/config-default4
-rw-r--r--target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.17.patch (renamed from target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch)673
-rw-r--r--target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch68
-rw-r--r--target/linux/generic-2.6/patches-2.6.22/110-ipp2p_0.8.1rc1.patch39
-rw-r--r--target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables_0.8.patch (renamed from target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables.patch)674
-rw-r--r--target/linux/generic-2.6/patches-2.6.22/171-netfilter_tarpit.patch22
-rw-r--r--target/linux/generic-2.6/patches-2.6.23/101-netfilter_layer7_pktmatch.patch113
-rw-r--r--target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables_0.8.patch (renamed from target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables.patch)652
-rw-r--r--target/linux/generic-2.6/patches-2.6.23/171-netfilter_tarpit.patch20
-rw-r--r--target/linux/generic-2.6/patches-2.6.24/101-netfilter_layer7_pktmatch.patch113
-rw-r--r--target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables_0.8.patch (renamed from target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables.patch)631
-rw-r--r--target/linux/generic-2.6/patches/100-netfilter_layer7_2.17.patch (renamed from target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch)685
-rw-r--r--target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch83
-rw-r--r--target/linux/generic-2.6/patches/110-ipp2p_0.8.1rc1.patch41
-rw-r--r--target/linux/generic-2.6/patches/170-netfilter_chaostables.patch946
-rw-r--r--target/linux/generic-2.6/patches/170-netfilter_chaostables_0.8.patch853
-rw-r--r--target/linux/generic-2.6/patches/171-netfilter_tarpit.patch325
-rw-r--r--target/linux/generic-2.6/patches/999-backport_ip_hdr_and_friends.patch58
37 files changed, 5352 insertions, 3501 deletions
diff --git a/include/netfilter.mk b/include/netfilter.mk
index ee0dbf3a13..7e7005d2a2 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -100,6 +100,7 @@ $(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_STATISTIC, $(P_XT)xt_st
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TCPMSS, $(P_V4)ipt_tcpmss))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TCPMSS, $(P_XT)xt_tcpmss))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TIME, $(P_V4)ipt_time))
+$(eval $(call nf_add,IPT_IPOPT,CONFIG_NETFILTER_XT_MATCH_TIME, $(P_XT)xt_time))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TOS, $(P_V4)ipt_tos))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_TTL, $(P_V4)ipt_ttl))
$(eval $(call nf_add,IPT_IPOPT,CONFIG_IP_NF_MATCH_UNCLEAN, $(P_V4)ipt_unclean))
@@ -249,6 +250,9 @@ $(eval $(call nf_add,IPT_ULOG,CONFIG_IP_NF_TARGET_ULOG, $(P_V4)ipt_ULOG))
IPT_BUILTIN := $(if $(NF_KMOD),,$(P_V4)ipt_standard)
IPT_BUILTIN += $(if $(NF_KMOD),,$(P_V4)ipt_icmp $(P_V4)ipt_tcp $(P_V4)ipt_udp)
+IPT_BUILTIN += $(if $(NF_KMOD),,$(P_XT)xt_standard)
+IPT_BUILTIN += $(if $(NF_KMOD),,$(P_XT)xt_icmp $(P_XT)xt_tcp $(P_XT)xt_udp)
+
IPT_BUILTIN += $(IPT_CONNTRACK-y)
IPT_BUILTIN += $(IPT_EXTRA-y)
IPT_BUILTIN += $(IPT_FILTER-y)
diff --git a/package/iptables/Makefile b/package/iptables/Makefile
index 8f24a3b3db..ff55ce590a 100644
--- a/package/iptables/Makefile
+++ b/package/iptables/Makefile
@@ -1,5 +1,5 @@
-#
-# Copyright (C) 2006 OpenWrt.org
+#
+# Copyright (C) 2006-2008 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@@ -10,15 +10,28 @@ include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables
-PKG_VERSION:=1.3.8
-PKG_RELEASE:=2
+
+ifeq ($(CONFIG_LINUX_2_4),y)
+ PKG_VERSION:=1.3.8
+ PKG_RELEASE:=3
+ PKG_MD5SUM:=0a9209f928002e5eee9cdff8fef4d4b3
+endif
+
+ifeq ($(CONFIG_LINUX_2_6),y)
+ PKG_VERSION:=1.4.0
+ PKG_RELEASE:=1
+ PKG_MD5SUM:=90cfa8a554a29b0b859a625e701af2a7
+endif
+
+PKG_VERSION?=<IPTABLES_VERSION>
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
-PKG_MD5SUM:=0a9209f928002e5eee9cdff8fef4d4b3
+
+PATCH_DIR:=./patches/$(PKG_VERSION)
include $(INCLUDE_DIR)/package.mk
ifeq ($(DUMP),)
@@ -33,6 +46,11 @@ define Package/iptables/Default
URL:=http://netfilter.org/
endef
+define Package/iptables/Module
+$(call Package/iptables/Default)
+ DEPENDS:=iptables $(1)
+endef
+
define Package/iptables
$(call Package/iptables/Default)
TITLE:=IPv4 firewall administration tool
@@ -45,8 +63,7 @@ define Package/iptables/conffiles
endef
define Package/iptables-mod-conntrack
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-conntrack
+$(call Package/iptables/Module, +kmod-ipt-conntrack)
TITLE:=connection tracking modules
endef
@@ -59,39 +76,36 @@ define Package/iptables-mod-conntrack/description
endef
define Package/iptables-mod-filter
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-filter
+$(call Package/iptables/Module, +kmod-ipt-filter)
TITLE:=filter modules
endef
define Package/iptables-mod-filter/description
iptables extensions for packet content inspection.
- Includes:
+ Includes:
- libipt_ipp2p
- - libipt_layer7
+ - libipt_layer7
endef
define Package/iptables-mod-imq
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-imq
+$(call Package/iptables/Module, +kmod-ipt-imq)
TITLE:=IMQ support
endef
define Package/iptables-mod-imq/description
iptables extension for IMQ support.
- Includes:
+ Includes:
- libipt_IMQ
endef
define Package/iptables-mod-ipopt
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-ipopt
+$(call Package/iptables/Module, +kmod-ipt-ipopt)
TITLE:=IP/Packet option modules
endef
define Package/iptables-mod-ipopt/description
iptables extensions for matching/changing IP packet options.\\\
- Includes:
+ Includes:
- libipt_CLASSIFY
- libipt_dscp/DSCP
- libipt_ecn/ECN
@@ -102,68 +116,63 @@ define Package/iptables-mod-ipopt/description
- libipt_tcpmms
- libipt_tos/TOS
- libipt_ttl/TTL
- - libipt_unclean
+ - libipt_unclean
endef
define Package/iptables-mod-ipsec
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-ipsec
+$(call Package/iptables/Module, +kmod-ipt-ipsec)
TITLE:=IPSec extensions
endef
define Package/iptables-mod-ipsec/description
iptables extensions for matching ipsec traffic.
- Includes:
+ Includes:
- libipt_ah
- libipt_esp
- libipt_policy
endef
define Package/iptables-mod-nat
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-nat
+$(call Package/iptables/Module, +kmod-ipt-nat)
TITLE:=extra NAT targets
endef
define Package/iptables-mod-nat/description
iptables extensions for different NAT targets.
- Includes:
+ Includes:
- libipt_REDIRECT
endef
define Package/iptables-mod-ulog
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-ulog
+$(call Package/iptables/Module, +kmod-ipt-ulog)
TITLE:=user-space packet logging
endef
define Package/iptables-mod-ulog/description
iptables extensions for user-space packet logging.
- Includes:
+ Includes:
- libipt_ULOG
endef
define Package/iptables-mod-iprange
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-iprange
+$(call Package/iptables/Module, +kmod-ipt-iprange)
TITLE:=ip range module
endef
define Package/iptables-mod-iprange/description
iptables extensions for matching ip ranges.
- Includes:
+ Includes:
- libipt_iprange
endef
define Package/iptables-mod-extra
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-extra
+$(call Package/iptables/Module, +kmod-ipt-extra)
TITLE:=other extra iptables extensions
endef
define Package/iptables-mod-extra/description
other extra iptables extensions.
- Includes:
+ Includes:
- libipt_limit
- libipt_owner
- libipt_physdev
@@ -177,37 +186,36 @@ define Package/iptables-mod-extra/description
endef
define Package/iptables-mod-ipset
-$(call Package/iptables/Default)
- DEPENDS:=iptables +kmod-ipt-ipset
+$(call Package/iptables/Module, +kmod-ipt-ipset)
TITLE:=ipset iptables extension
endef
define Package/iptables-utils
-$(call Package/iptables/Default)
- DEPENDS:=iptables
+$(call Package/iptables/Module, )
TITLE:=iptables save and restore utilities
endef
define Package/ip6tables
$(call Package/iptables/Default)
- DEPENDS:=+kmod-ipv6
- CATEGORY:=Network
+ DEPENDS:=+kmod-ip6tables
+ CATEGORY:=IPv6
TITLE:=IPv6 firewall administration tool
+ MENU:=1
endef
define Package/ip6tables-utils
$(call Package/iptables/Default)
DEPENDS:=ip6tables
- CATEGORY:=Network
+ CATEGORY:=IPv6
TITLE:=ip6tables save and restore utilities
endef
define Build/Prepare
$(call Build/Prepare/Default)
- chmod a+x $(PKG_BUILD_DIR)/extensions/.*-test*
endef
define Build/Configure
+ chmod a+x $(PKG_BUILD_DIR)/extensions/.*-test*
rm -f $(PKG_BUILD_DIR)/.configured*
$(MAKE) -C $(PKG_BUILD_DIR) \
clean
@@ -220,6 +228,7 @@ define Build/Compile
COPT_FLAGS="$(TARGET_CFLAGS)" \
LDFLAGS="-rdynamic -static-libgcc" \
KERNEL_DIR="$(LINUX_DIR)" PREFIX=/usr \
+ KBUILD_OUTPUT="$(LINUX_DIR)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
all experimental install install-experimental
endef
@@ -229,6 +238,7 @@ define Build/InstallDev
$(TARGET_CONFIGURE_OPTS) \
COPT_FLAGS="$(TARGET_CFLAGS)" \
KERNEL_DIR="$(LINUX_DIR)" PREFIX=/usr \
+ KBUILD_OUTPUT="$(LINUX_DIR)" \
DESTDIR="$(1)" \
install-devel
$(CP) $(PKG_BUILD_DIR)/include $(1)/usr
@@ -247,7 +257,11 @@ define Package/iptables/install
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/lib/iptables
(cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \
- $(CP) $(patsubst %,lib%.so,$(IPT_BUILTIN:xt_%=ipt_%)) $(1)/usr/lib/iptables/ \
+ for m in $(patsubst xt_%,ipt_%,$(IPT_BUILTIN)) $(patsubst ipt_%,xt_%,$(IPT_BUILTIN)); do \
+ if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$${m}.so ]; then \
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$${m}.so $(1)/usr/lib/iptables/ ;\
+ fi; \
+ done \
)
endef
@@ -273,8 +287,10 @@ endef
define BuildPlugin
define Package/$(1)/install
$(INSTALL_DIR) $$(1)/usr/lib/iptables
- for m in $$(patsubst xt_%,ipt_%,$(2)); do \
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+ for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \
+ if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+ fi; \
done
$(3)
endef
diff --git a/package/iptables/patches/008-chaostables.patch b/package/iptables/patches/008-chaostables.patch
deleted file mode 100644
index 60b077942a..0000000000
--- a/package/iptables/patches/008-chaostables.patch
+++ /dev/null
@@ -1,342 +0,0 @@
-Index: iptables-1.3.8/extensions/.CHAOS-test
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.CHAOS-test 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,2 @@
-+#!/bin/sh
-+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS";
-Index: iptables-1.3.8/extensions/.DELUDE-test
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.DELUDE-test 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,2 @@
-+#!/bin/sh
-+echo "DELUDE";
-Index: iptables-1.3.8/extensions/libipt_CHAOS.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_CHAOS.c 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,111 @@
-+/*
-+ CHAOS target for iptables
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ released under the terms of the GNU General Public
-+ License version 2.x and only versions 2.x.
-+*/
-+#include <getopt.h>
-+#include <stdio.h>
-+#include <string.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+
-+static void libipt_chaos_help(void)
-+{
-+ printf(
-+ "CHAOS target v%s options:\n"
-+ " --delude Enable DELUDE processing for TCP\n"
-+ " --tarpit Enable TARPIT processing for TCP\n",
-+ IPTABLES_VERSION);
-+ return;
-+}
-+
-+static int libipt_chaos_parse(int c, char **argv, int invert,
-+ unsigned int *flags, const struct ipt_entry *entry,
-+ struct ipt_entry_target **target)
-+{
-+ struct xt_chaos_info *info = (void *)((*target)->data);
-+ switch(c) {
-+ case 'd':
-+ info->variant = XTCHAOS_DELUDE;
-+ *flags |= 0x02;
-+ return 1;
-+ case 't':
-+ info->variant = XTCHAOS_TARPIT;
-+ *flags |= 0x01;
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+static void libipt_chaos_check(unsigned int flags)
-+{
-+ if(flags != 0x03)
-+ return;
-+ /* If flags == 0x03, both were specified, which should not be. */
-+ exit_error(PARAMETER_PROBLEM,
-+ "CHAOS: only one of --tarpit or --delude may be specified");
-+ return;
-+}
-+
-+static void libipt_chaos_print(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target, int numeric)
-+{
-+ const struct xt_chaos_info *info = (const void *)target->data;
-+ switch(info->variant) {
-+ case XTCHAOS_DELUDE:
-+ printf("DELUDE ");
-+ break;
-+ case XTCHAOS_TARPIT:
-+ printf("TARPIT ");
-+ break;
-+ default:
-+ break;
-+ }
-+ return;
-+}
-+
-+static void libipt_chaos_save(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target)
-+{
-+ const struct xt_chaos_info *info = (const void *)target->data;
-+ switch(info->variant) {
-+ case XTCHAOS_DELUDE:
-+ printf("--delude ");
-+ break;
-+ case XTCHAOS_TARPIT:
-+ printf("--tarpit ");
-+ break;
-+ default:
-+ break;
-+ }
-+ return;
-+}
-+
-+static struct option libipt_chaos_opts[] = {
-+ {"delude", 0, NULL, 'd'},
-+ {"tarpit", 0, NULL, 't'},
-+ {NULL},
-+};
-+
-+static struct iptables_target libipt_chaos_info = {
-+ .name = "CHAOS",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct xt_chaos_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)),
-+ .help = libipt_chaos_help,
-+ .parse = libipt_chaos_parse,
-+ .final_check = libipt_chaos_check,
-+ .print = libipt_chaos_print,
-+ .save = libipt_chaos_save,
-+ .extra_opts = libipt_chaos_opts,
-+};
-+
-+static __attribute__((constructor)) void libipt_chaos_init(void)
-+{
-+ register_target(&libipt_chaos_info);
-+ return;
-+}
-Index: iptables-1.3.8/extensions/libipt_DELUDE.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_DELUDE.c 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,66 @@
-+/*
-+ DELUDE target for iptables
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ released under the terms of the GNU General Public
-+ License version 2.x and only versions 2.x.
-+*/
-+#include <getopt.h>
-+#include <stdio.h>
-+#include <string.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+
-+static void libipt_delude_help(void)
-+{
-+ printf("DELUDE takes no options\n");
-+ return;
-+}
-+
-+static int libipt_delude_parse(int c, char **argv, int invert,
-+ unsigned int *flags, const struct ipt_entry *entry,
-+ struct ipt_entry_target **target)
-+{
-+ return 0;
-+}
-+
-+static void libipt_delude_check(unsigned int flags)
-+{
-+ return;
-+}
-+
-+static void libipt_delude_print(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target, int numeric)
-+{
-+ return;
-+}
-+
-+static void libipt_delude_save(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target)
-+{
-+ return;
-+}
-+
-+static struct option libipt_delude_opts[] = {
-+ {NULL},
-+};
-+
-+static struct iptables_target libipt_delude_info = {
-+ .name = "DELUDE",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(0),
-+ .userspacesize = IPT_ALIGN(0),
-+ .help = libipt_delude_help,
-+ .parse = libipt_delude_parse,
-+ .final_check = libipt_delude_check,
-+ .print = libipt_delude_print,
-+ .save = libipt_delude_save,
-+ .extra_opts = libipt_delude_opts,
-+};
-+
-+static __attribute__((constructor)) void libipt_delude_init(void)
-+{
-+ register_target(&libipt_delude_info);
-+ return;
-+}
-Index: iptables-1.3.8/extensions/libipt_portscan.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_portscan.c 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,129 @@
-+/*
-+ portscan match for iptables
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ released under the terms of the GNU General Public
-+ License version 2.x and only versions 2.x.
-+*/
-+#include <stdio.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <getopt.h>
-+
-+#include <iptables.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#include <linux/netfilter/xt_portscan.h>
-+
-+static void libipt_portscan_help(void)
-+{
-+ printf(
-+ "portscan match v%s options:\n"
-+ "(Combining them will make them match by OR-logic)\n"
-+ " --stealth Match TCP Stealth packets\n"
-+ " --synscan Match TCP SYN scans\n"
-+ " --cnscan Match TCP Connect scans\n"
-+ " --grscan Match Banner Grabbing scans\n",
-+ IPTABLES_VERSION);
-+ return;
-+}
-+
-+static void libipt_portscan_mtinit(struct ipt_entry_match *match,
-+ unsigned int *nfcache)
-+{
-+ /* Cannot cache this */
-+ *nfcache |= NFC_UNKNOWN;
-+ return;
-+}
-+
-+static int libipt_portscan_parse(int c, char **argv, int invert,
-+ unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc,
-+ struct ipt_entry_match **match)
-+{
-+ struct xt_portscan_info *info = (void *)((*match)->data);
-+
-+ switch(c) {
-+ case 'c':
-+ info->match_cn = 1;
-+ return 1;
-+ case 'g':
-+ info->match_gr = 1;
-+ return 1;
-+ case 's':
-+ info->match_syn = 1;
-+ return 1;
-+ case 'x':
-+ info->match_stealth = 1;
-+ return 1;
-+ default:
-+ return 0;
-+ }
-+}
-+
-+static void libipt_portscan_check(unsigned int flags)
-+{
-+ return;
-+}
-+
-+static void libipt_portscan_print(const struct ipt_ip *ip,
-+ const struct ipt_entry_match *match, int numeric)
-+{
-+ const struct xt_portscan_info *info = (const void *)(match->data);
-+ const char *s = "";
-+
-+ printf("portscan ");
-+ if(info->match_stealth) {
-+ printf("STEALTH");
-+ s = ",";
-+ }
-+ if(info->match_syn) {
-+ printf("%sSYNSCAN", s);
-+ s = ",";
-+ }
-+ if(info->match_cn) {
-+ printf("%sCNSCAN", s);
-+ s = ",";
-+ }
-+ if(info->match_gr)
-+ printf("%sGRSCAN", s);
-+ printf(" ");
-+ return;
-+}
-+
-+static void libipt_portscan_save(const struct ipt_ip *ip,
-+ const struct ipt_entry_match *match)
-+{
-+ const struct xt_portscan_info *info = (const void *)(match->data);
-+ if(info->match_stealth) printf("--stealth ");
-+ if(info->match_syn) printf("--synscan ");
-+ if(info->match_cn) printf("--cnscan ");
-+ if(info->match_gr) printf("--grscan ");
-+ return;
-+}
-+
-+static struct option libipt_portscan_opts[] = {
-+ {"stealth", 0, NULL, 'x'},
-+ {"synscan", 0, NULL, 's'},
-+ {"cnscan", 0, NULL, 'c'},
-+ {"grscan", 0, NULL, 'g'},
-+ {NULL},
-+};
-+
-+static struct iptables_match libipt_portscan_info = {
-+ .name = "portscan",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(sizeof(struct xt_portscan_info)),
-+ .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)),
-+ .help = libipt_portscan_help,
-+ .init = libipt_portscan_mtinit,
-+ .parse = libipt_portscan_parse,
-+ .final_check = libipt_portscan_check,
-+ .print = libipt_portscan_print,
-+ .save = libipt_portscan_save,
-+ .extra_opts = libipt_portscan_opts,
-+};
-+
-+static __attribute__((constructor)) void libipt_portscan_init(void)
-+{
-+ register_match(&libipt_portscan_info);
-+ return;
-+}
-Index: iptables-1.3.8/extensions/.portscan-test
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.portscan-test 2007-07-31 15:27:57.000000000 -0500
-@@ -0,0 +1,2 @@
-+#!/bin/sh
-+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan";
diff --git a/package/iptables/patches/009-tarpit-support.patch b/package/iptables/patches/009-tarpit-support.patch
deleted file mode 100644
index 3105379877..0000000000
--- a/package/iptables/patches/009-tarpit-support.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.c iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c
---- iptables-1.3.8-20070817/extensions/libipt_TARPIT.c 1969-12-31 19:00:00.000000000 -0500
-+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c 2007-08-18 14:49:25.000000000 -0400
-@@ -0,0 +1,58 @@
-+/* Shared library add-on to iptables for TARPIT support */
-+#include <stdio.h>
-+#include <getopt.h>
-+#include <iptables.h>
-+
-+static void
-+help(void)
-+{
-+ fputs(
-+"TARPIT takes no options\n"
-+"\n", stdout);
-+}
-+
-+static struct option opts[] = {
-+ { 0 }
-+};
-+
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const struct ipt_entry *entry,
-+ struct ipt_entry_target **target)
-+{
-+ return 0;
-+}
-+
-+static void final_check(unsigned int flags)
-+{
-+}
-+
-+static void
-+print(const struct ipt_ip *ip,
-+ const struct ipt_entry_target *target,
-+ int numeric)
-+{
-+}
-+
-+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-+{
-+}
-+
-+static struct iptables_target tarpit = {
-+ .next = NULL,
-+ .name = "TARPIT",
-+ .version = IPTABLES_VERSION,
-+ .size = IPT_ALIGN(0),
-+ .userspacesize = IPT_ALIGN(0),
-+ .help = &help,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
-+ .extra_opts = opts
-+};
-+
-+void _init(void)
-+{
-+ register_target(&tarpit);
-+}
-diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.man iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man
---- iptables-1.3.8-20070817/extensions/libipt_TARPIT.man 1969-12-31 19:00:00.000000000 -0500
-+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man 2007-08-18 14:49:25.000000000 -0400
-@@ -0,0 +1,34 @@
-+Captures and holds incoming TCP connections using no local
-+per-connection resources. Connections are accepted, but immediately
-+switched to the persist state (0 byte window), in which the remote
-+side stops sending data and asks to continue every 60-240 seconds.
-+Attempts to close the connection are ignored, forcing the remote side
-+to time out the connection in 12-24 minutes.
-+
-+This offers similar functionality to LaBrea
-+<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
-+hardware or IPs. Any TCP port that you would normally DROP or REJECT
-+can instead become a tarpit.
-+
-+To tarpit connections to TCP port 80 destined for the current machine:
-+.IP
-+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
-+.P
-+To significantly slow down Code Red/Nimda-style scans of unused address
-+space, forward unused ip addresses to a Linux box not acting as a router
-+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
-+forwarding on the Linux box, and add:
-+.IP
-+iptables -A FORWARD -p tcp -j TARPIT
-+.IP
-+iptables -A FORWARD -j DROP
-+.TP
-+NOTE:
-+If you use the conntrack module while you are using TARPIT, you should
-+also use the NOTRACK target, or the kernel will unnecessarily allocate
-+resources for each TARPITted connection. To TARPIT incoming
-+connections to the standard IRC port while using conntrack, you could:
-+.IP
-+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
-+.IP
-+iptables -A INPUT -p tcp --dport 6667 -j TARPIT
-diff -N -u -r iptables-1.3.8-20070817/extensions/.TARPIT-test iptables-1.3.8-20070817-nf/extensions/.TARPIT-test
---- iptables-1.3.8-20070817/extensions/.TARPIT-test 1969-12-31 19:00:00.000000000 -0500
-+++ iptables-1.3.8-20070817-nf/extensions/.TARPIT-test 2007-08-18 14:49:25.000000000 -0400
-@@ -0,0 +1,2 @@
-+#! /bin/sh
-+[ -f $KERNEL_DIR/net/netfilter/xt_TARPIT.c ] && echo TARPIT
diff --git a/package/iptables/patches/1.3.8/001-ipp2p_0.8.1rc1.patch b/package/iptables/patches/1.3.8/001-ipp2p_0.8.1rc1.patch
new file mode 100644
index 0000000000..e8c82c2155
--- /dev/null
+++ b/package/iptables/patches/1.3.8/001-ipp2p_0.8.1rc1.patch
@@ -0,0 +1,457 @@
+Index: iptables-1.3.8/extensions/Makefile
+===================================================================
+--- iptables-1.3.8.orig/extensions/Makefile
++++ iptables-1.3.8/extensions/Makefile
+@@ -13,6 +13,10 @@ PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
+ PF6_EXT_SE_SLIB:=SECMARK CONNSECMARK
+ endif
+
++
++# ipp2p
++PF_EXT_SLIB += ipp2p
++
+ # Optionals
+ PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
+ PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
+Index: iptables-1.3.8/extensions/libipt_ipp2p.c
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/extensions/libipt_ipp2p.c
+@@ -0,0 +1,401 @@
++
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++
++#include <iptables.h>
++
++#include <linux/netfilter_ipv4/ipt_ipp2p.h>
++
++static void
++help(void)
++{
++ printf(
++ "IPP2P v%s options:\n"
++ " --ipp2p Grab all known p2p packets\n"
++ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n"
++ " --dc [TCP] All known Direct Connect packets\n"
++ " --kazaa [TCP&UDP] All known KaZaA packets\n"
++ " --gnu [TCP&UDP] All known Gnutella packets\n"
++ " --bit [TCP&UDP] All known BitTorrent packets\n"
++ " --apple [TCP] All known AppleJuice packets\n"
++ " --winmx [TCP] All known WinMX\n"
++ " --soul [TCP] All known SoulSeek\n"
++ " --ares [TCP] All known Ares\n\n"
++ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n"
++ " --mute [TCP] All known Mute packets\n"
++ " --waste [TCP] All known Waste packets\n"
++ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n"
++ " DEBUG SUPPPORT, use only if you know why\n"
++ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
++ "\nNote that the follwing options will have the same meaning:\n"
++ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n"
++ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
++ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
++ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
++ "\nExamples:\n"
++ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
++ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
++ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
++ , IPP2P_VERSION);
++}
++
++static struct option opts[] = {
++ { "ipp2p", 0, 0, '1' },
++ { "edk", 0, 0, '2' },
++ { "dc", 0, 0, '7' },
++ { "gnu", 0, 0, '9' },
++ { "kazaa", 0, 0, 'a' },
++ { "bit", 0, 0, 'b' },
++ { "apple", 0, 0, 'c' },
++ { "soul", 0, 0, 'd' },
++ { "winmx", 0, 0, 'e' },
++ { "ares", 0, 0, 'f' },
++ { "mute", 0, 0, 'g' },
++ { "waste", 0, 0, 'h' },
++ { "xdcc", 0, 0, 'i' },
++ { "debug", 0, 0, 'j' },
++ {0}
++};
++
++
++
++static void
++init(struct ipt_entry_match *m, unsigned int *nfcache)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data;
++
++ *nfcache |= NFC_UNKNOWN;
++
++ /*init the module with default values*/
++ info->cmd = 0;
++ info->debug = 0;
++
++}
++
++
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const struct ipt_entry *entry,
++ unsigned int *nfcache,
++ struct ipt_entry_match **match)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data;
++
++ switch (c) {
++ case '1': /*cmd: ipp2p*/
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified once!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags) != 0)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += SHORT_HAND_IPP2P;
++ info->cmd = *flags;
++ break;
++
++ case '2': /*cmd: edk*/
++ if ((*flags & IPP2P_EDK) == IPP2P_EDK)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--edk' may only be "
++ "specified once");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--edk' OR `--edk-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_EDK;
++ info->cmd = *flags;
++ break;
++
++
++ case '7': /*cmd: dc*/
++ if ((*flags & IPP2P_DC) == IPP2P_DC)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--dc' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--dc' OR `--dc-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_DC;
++ info->cmd = *flags;
++ break;
++
++
++ case '9': /*cmd: gnu*/
++ if ((*flags & IPP2P_GNU) == IPP2P_GNU)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--gnu' may only be "
++ "specified once!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_GNU;
++ info->cmd = *flags;
++ break;
++
++ case 'a': /*cmd: kazaa*/
++ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--kazaa' may only be "
++ "specified once!");
++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p-data' may only be "
++ "specified alone!");*/
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_KAZAA;
++ info->cmd = *flags;
++ break;
++
++ case 'b': /*cmd: bit*/
++ if ((*flags & IPP2P_BIT) == IPP2P_BIT)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--bit' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_BIT;
++ info->cmd = *flags;
++ break;
++
++ case 'c': /*cmd: apple*/
++ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--apple' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_APPLE;
++ info->cmd = *flags;
++ break;
++
++
++ case 'd': /*cmd: soul*/
++ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--soul' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_SOUL;
++ info->cmd = *flags;
++ break;
++
++
++ case 'e': /*cmd: winmx*/
++ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--winmx' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_WINMX;
++ info->cmd = *flags;
++ break;
++
++ case 'f': /*cmd: ares*/
++ if ((*flags & IPP2P_ARES) == IPP2P_ARES)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ares' may only be "
++ "specified once!");
++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ipp2p' may only be "
++ "specified alone!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_ARES;
++ info->cmd = *flags;
++ break;
++
++ case 'g': /*cmd: mute*/
++ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--mute' may only be "
++ "specified once!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_MUTE;
++ info->cmd = *flags;
++ break;
++ case 'h': /*cmd: waste*/
++ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--waste' may only be "
++ "specified once!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_WASTE;
++ info->cmd = *flags;
++ break;
++ case 'i': /*cmd: xdcc*/
++ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC)
++ exit_error(PARAMETER_PROBLEM,
++ "ipp2p: `--ares' may only be "
++ "specified once!");
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ *flags += IPP2P_XDCC;
++ info->cmd = *flags;
++ break;
++
++ case 'j': /*cmd: debug*/
++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
++ info->debug = 1;
++ break;
++
++ default:
++// exit_error(PARAMETER_PROBLEM,
++// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
++ return 0;
++ }
++ return 1;
++}
++
++
++static void
++final_check(unsigned int flags)
++{
++ if (!flags)
++ exit_error(PARAMETER_PROBLEM,
++ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
++}
++
++
++
++static void
++print(const struct ipt_ip *ip,
++ const struct ipt_entry_match *match,
++ int numeric)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
++
++ printf("ipp2p v%s", IPP2P_VERSION);
++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p");
++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data");
++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa");
++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data");
++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data");
++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu");
++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk");
++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data");
++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data");
++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc");
++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit");
++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple");
++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul");
++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx");
++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares");
++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
++ if (info->debug != 0) printf(" --debug");
++ printf(" ");
++}
++
++
++
++static void
++save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
++{
++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
++
++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p ");
++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data ");
++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa ");
++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data ");
++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data ");
++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu ");
++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk ");
++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data ");
++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data ");
++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc ");
++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit ");
++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple ");
++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul ");
++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx ");
++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares ");
++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
++ if (info->debug != 0) printf("--debug ");
++}
++
++
++
++
++static
++struct iptables_match ipp2p=
++{
++ .next = NULL,
++ .name = "ipp2p",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++
++
++void _init(void)
++{
++ register_match(&ipp2p);
++}
++
+Index: iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h
+===================================================================
+--- /dev/null
++++ iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h
+@@ -0,0 +1,31 @@
++#ifndef __IPT_IPP2P_H
++#define __IPT_IPP2P_H
++#define IPP2P_VERSION "0.8.1_rc1"
++
++struct ipt_p2p_info {
++ int cmd;
++ int debug;
++};
++
++#endif //__IPT_IPP2P_H
++
++#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/
++//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/
++#define SHORT_HAND_NONE 5 /* no short hand*/
++
++#define IPP2P_EDK (1 << 1)
++#define IPP2P_DATA_KAZAA (1 << 2)
++#define IPP2P_DATA_EDK (1 << 3)
++#define IPP2P_DATA_DC (1 << 4)
++#define IPP2P_DC (1 << 5)
++#define IPP2P_DATA_GNU (1 << 6)
++#define IPP2P_GNU (1 << 7)
++#define IPP2P_KAZAA (1 << 8)
++#define IPP2P_BIT (1 << 9)
++#define IPP2P_APPLE (1 << 10)
++#define IPP2P_SOUL (1 << 11)
++#define IPP2P_WINMX (1 << 12)
++#define IPP2P_ARES (1 << 13)
++#define IPP2P_MUTE (1 << 14)
++#define IPP2P_WASTE (1 << 15)
++#define IPP2P_XDCC (1 << 16)
diff --git a/package/iptables/patches/002-layer7-1.5nbd.patch b/package/iptables/patches/1.3.8/002-layer7_2.17.patch
index ef80c8f0cc..68da741e00 100644
--- a/package/iptables/patches/002-layer7-1.5nbd.patch
+++ b/package/iptables/patches/1.3.8/002-layer7_2.17.patch
@@ -1,48 +1,15 @@
Index: iptables-1.3.8/extensions/.layer7-test
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.layer7-test 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,3 @@
+--- /dev/null
++++ iptables-1.3.8/extensions/.layer7-test
+@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7
-+[ -f $KERNEL_DIR/include/linux/netfilter/xt_layer7.h ] && echo layer7
-Index: iptables-1.3.8/extensions/ipt_layer7.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/ipt_layer7.h 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,27 @@
-+/*
-+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+*/
-+
-+#ifndef _IPT_LAYER7_H
-+#define _IPT_LAYER7_H
-+
-+#define MAX_PATTERN_LEN 8192
-+#define MAX_PROTOCOL_LEN 256
-+
-+typedef char *(*proc_ipt_search) (char *, char, char *);
-+
-+struct ipt_layer7_info {
-+ char protocol[MAX_PROTOCOL_LEN];
-+ char invert:1;
-+ char pattern[MAX_PATTERN_LEN];
-+ char pkt;
-+};
-+
-+#endif /* _IPT_LAYER7_H */
Index: iptables-1.3.8/extensions/libipt_layer7.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_layer7.c 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,358 @@
+--- /dev/null
++++ iptables-1.3.8/extensions/libipt_layer7.c
+@@ -0,0 +1,394 @@
+/*
+ Shared library add-on to iptables to add layer 7 matching support.
+
@@ -69,7 +36,7 @@ Index: iptables-1.3.8/extensions/libipt_layer7.c
+#include <dirent.h>
+
+#include <iptables.h>
-+#include "ipt_layer7.h"
++#include <linux/netfilter_ipv4/ipt_layer7.h>
+
+#define MAX_FN_LEN 256
+
@@ -82,8 +49,7 @@ Index: iptables-1.3.8/extensions/libipt_layer7.c
+ "LAYER7 match v%s options:\n"
+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
+ " (--l7dir must be specified before --l7proto if used!)\n"
-+ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n"
-+ "--l7pkt : Skip connection tracking and match individual packets\n",
++ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
+ IPTABLES_VERSION);
+ fputc('\n', stdout);
+}
@@ -91,7 +57,6 @@ Index: iptables-1.3.8/extensions/libipt_layer7.c
+static struct option opts[] = {
+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
-+ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' },
+ { .name = 0 }
+};
+
@@ -120,10 +85,25 @@ Index: iptables-1.3.8/extensions/libipt_layer7.c
+
+ if(datatype == protocol)
+ {
++ /* Ignore everything on the line beginning with the
++ first space or tab . For instance, this allows the
++ protocol line in http.pat to be "http " (or
++ "http I am so cool") instead of just "http". */
++ if(strchr(line, ' ')){
++ char * space = strchr(line, ' ');
++ space[0] = '\0';
++ }
++ if(strchr(line, '\t')){
++ char * space = strchr(line, '\t');
++ space[0] = '\0';
++ }
++
++ /* sanity check. First non-comment non-blank
++ line must be the same as the file name. */
+ if(strcmp(line, protoname))
+ exit_error(OTHER_PROBLEM,
+ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
-+ protoname, filename);
++ line, filename);
+
+ if(strlen(line) >= MAX_PROTOCOL_LEN)
+ exit_error(PARAMETER_PROBLEM,
@@ -191,6 +171,35 @@ Index: iptables-1.3.8/extensions/libipt_layer7.c
+ /* carefully remember to call tolower here... */
+ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
+ hex2dec(s[sindex + 3] ) );
++
++ switch ( result[rindex] )
++ {
++ case 0x24:
++ case 0x28:
++ case 0x29:
++ case 0x2a:
++ case 0x2b:
++ case 0x2e:
++ case 0x3f:
++ case 0x5b:
++ case 0x5c:
++ case 0x5d:
++ case 0x5e:
++ case 0x7c:
++ fprintf(stderr,
++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++ result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]);
++ break;
++ case 0x00:
++ fprintf(stderr,
++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
++ break;
++ default:
++ break;
++ }
++
++
+ sindex += 3; /* 4 total */
+ }
+ else
@@ -336,9 +345,6 @@ Index: iptables-1.3.8/extensions/libipt_layer7.c
+
+ *flags = 1;
+ break;
-+ case '3':
-+ layer7info->pkt = 1;
-+ break;
+
+ default:
+ return 0;
@@ -347,12 +353,12 @@ Index: iptables-1.3.8/extensions/libipt_layer7.c
+ return 1;
+}
+
-+/* Final check; must have specified --pattern. */
++/* Final check; must have specified --l7proto */
+static void final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
-+ "LAYER7 match: You must specify `--pattern'");
++ "LAYER7 match: You must specify `--l7proto'");
+}
+
+static void print_protocol(char s[], int invert, int numeric)
@@ -371,9 +377,6 @@ Index: iptables-1.3.8/extensions/libipt_layer7.c
+
+ print_protocol(((struct ipt_layer7_info *)match->data)->protocol,
+ ((struct ipt_layer7_info *)match->data)->invert, numeric);
-+
-+ if (((struct ipt_layer7_info *)match->data)->pkt)
-+ printf("l7pkt ");
+}
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
@@ -403,9 +406,9 @@ Index: iptables-1.3.8/extensions/libipt_layer7.c
+}
Index: iptables-1.3.8/extensions/libipt_layer7.man
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_layer7.man 2007-07-31 15:27:56.000000000 -0500
-@@ -0,0 +1,13 @@
+--- /dev/null
++++ iptables-1.3.8/extensions/libipt_layer7.man
+@@ -0,0 +1,14 @@
+This module matches packets based on the application layer data of
+their connections. It uses regular expression matching to compare
+the application layer data to regular expressions found it the layer7
@@ -414,8 +417,9 @@ Index: iptables-1.3.8/extensions/libipt_layer7.man
+.TP
+.BI "--l7proto " "\fIprotocol\fP"
+Match the specified protocol. The protocol name must match a file
-+name in /etc/l7-protocols/
++name in /etc/l7-protocols/ or one of its first-level child directories.
+.TP
+.BI "--l7dir " "\fIdirectory\fP"
-+Use \fIdirectory\fP instead of /etc/l7-protocols/
++Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be
++specified before --l7proto.
+
diff --git a/package/iptables/patches/1.3.8/003-layer7_2.17_pktmatch.patch b/package/iptables/patches/1.3.8/003-layer7_2.17_pktmatch.patch
new file mode 100644
index 0000000000..c88f759630
--- /dev/null
+++ b/package/iptables/patches/1.3.8/003-layer7_2.17_pktmatch.patch
@@ -0,0 +1,42 @@
+Index: iptables-1.3.8/extensions/libipt_layer7.c
+===================================================================
+--- iptables-1.3.8.orig/extensions/libipt_layer7.c
++++ iptables-1.3.8/extensions/libipt_layer7.c
+@@ -37,7 +37,8 @@ static void help(void)
+ "LAYER7 match v%s options:\n"
+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
+ " (--l7dir must be specified before --l7proto if used!)\n"
+- "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
++ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n"
++ "--l7pkt : Skip connection tracking and match individual packets\n",
+ IPTABLES_VERSION);
+ fputc('\n', stdout);
+ }
+@@ -45,6 +46,7 @@ static void help(void)
+ static struct option opts[] = {
+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
++ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' },
+ { .name = 0 }
+ };
+
+@@ -333,6 +335,9 @@ static int parse(int c, char **argv, int
+
+ *flags = 1;
+ break;
++ case '3':
++ layer7info->pkt = 1;
++ break;
+
+ default:
+ return 0;
+@@ -365,6 +370,9 @@ static void print(const struct ipt_ip *i
+
+ print_protocol(((struct ipt_layer7_info *)match->data)->protocol,
+ ((struct ipt_layer7_info *)match->data)->invert, numeric);
++
++ if (((struct ipt_layer7_info *)match->data)->pkt)
++ printf("l7pkt ");
+ }
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+ static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
diff --git a/package/iptables/patches/004-multiport_v1.patch b/package/iptables/patches/1.3.8/004-drop_multiport_v0_support.patch
index 1acfe24848..e5cbeb6f34 100644
--- a/package/iptables/patches/004-multiport_v1.patch
+++ b/package/iptables/patches/1.3.8/004-drop_multiport_v0_support.patch
@@ -1,7 +1,7 @@
Index: iptables-1.3.8/extensions/libipt_multiport.c
===================================================================
---- iptables-1.3.8.orig/extensions/libipt_multiport.c 2007-07-31 15:27:55.000000000 -0500
-+++ iptables-1.3.8/extensions/libipt_multiport.c 2007-07-31 15:27:56.000000000 -0500
+--- iptables-1.3.8.orig/extensions/libipt_multiport.c
++++ iptables-1.3.8/extensions/libipt_multiport.c
@@ -8,24 +8,6 @@
/* To ensure that iptables compiles with an old kernel */
#include "../include/linux/netfilter_ipv4/ipt_multiport.h"
@@ -27,7 +27,7 @@ Index: iptables-1.3.8/extensions/libipt_multiport.c
static void
help_v1(void)
{
-@@ -70,26 +52,6 @@
+@@ -70,26 +52,6 @@ proto_to_name(u_int8_t proto)
}
}
@@ -54,7 +54,7 @@ Index: iptables-1.3.8/extensions/libipt_multiport.c
static void
parse_multi_ports_v1(const char *portstring,
struct ipt_multiport_v1 *multiinfo,
-@@ -156,58 +118,6 @@
+@@ -156,58 +118,6 @@ check_proto(const struct ipt_entry *entr
"multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
}
@@ -113,7 +113,7 @@ Index: iptables-1.3.8/extensions/libipt_multiport.c
static int
parse_v1(int c, char **argv, int invert, unsigned int *flags,
const struct ipt_entry *entry,
-@@ -284,43 +194,6 @@
+@@ -284,43 +194,6 @@ print_port(u_int16_t port, u_int8_t prot
printf("%s", service);
}
@@ -157,7 +157,7 @@ Index: iptables-1.3.8/extensions/libipt_multiport.c
static void
print_v1(const struct ipt_ip *ip,
const struct ipt_entry_match *match,
-@@ -364,34 +237,6 @@
+@@ -364,34 +237,6 @@ print_v1(const struct ipt_ip *ip,
printf(" ");
}
@@ -192,7 +192,7 @@ Index: iptables-1.3.8/extensions/libipt_multiport.c
static void save_v1(const struct ipt_ip *ip,
const struct ipt_entry_match *match)
{
-@@ -427,19 +272,20 @@
+@@ -427,19 +272,20 @@ static void save_v1(const struct ipt_ip
printf(" ");
}
diff --git a/package/iptables/patches/005-imq1.patch b/package/iptables/patches/1.3.8/005-imq1.patch
index a3741959cf..f17ddeafd6 100644
--- a/package/iptables/patches/005-imq1.patch
+++ b/package/iptables/patches/1.3.8/005-imq1.patch
@@ -1,15 +1,15 @@
Index: iptables-1.3.8/extensions/.IMQ-test6
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.IMQ-test6 2007-07-31 15:27:56.000000000 -0500
+--- /dev/null
++++ iptables-1.3.8/extensions/.IMQ-test6
@@ -0,0 +1,3 @@
+#!/bin/sh
+# True if IMQ target patch is applied.
+[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_IMQ.c ] && echo IMQ
Index: iptables-1.3.8/extensions/libip6t_IMQ.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libip6t_IMQ.c 2007-07-31 15:27:56.000000000 -0500
+--- /dev/null
++++ iptables-1.3.8/extensions/libip6t_IMQ.c
@@ -0,0 +1,101 @@
+/* Shared library add-on to iptables to add IMQ target support. */
+#include <stdio.h>
@@ -114,16 +114,16 @@ Index: iptables-1.3.8/extensions/libip6t_IMQ.c
+}
Index: iptables-1.3.8/extensions/.IMQ-test
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/.IMQ-test 2007-07-31 15:27:56.000000000 -0500
+--- /dev/null
++++ iptables-1.3.8/extensions/.IMQ-test
@@ -0,0 +1,3 @@
+#!/bin/sh
+# True if IMQ target patch is applied.
+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IMQ.c ] && echo IMQ
Index: iptables-1.3.8/extensions/libipt_IMQ.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_IMQ.c 2007-07-31 15:27:56.000000000 -0500
+--- /dev/null
++++ iptables-1.3.8/extensions/libipt_IMQ.c
@@ -0,0 +1,101 @@
+/* Shared library add-on to iptables to add IMQ target support. */
+#include <stdio.h>
diff --git a/package/iptables/patches/001-ipp2p-0.8.1rc1.patch b/package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch
index 7ca62d2140..3b32b948b3 100644
--- a/package/iptables/patches/001-ipp2p-0.8.1rc1.patch
+++ b/package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch
@@ -1,9 +1,9 @@
-Index: iptables-1.3.8/extensions/Makefile
+Index: iptables-1.4.0/extensions/Makefile
===================================================================
---- iptables-1.3.8.orig/extensions/Makefile 2007-07-31 15:27:55.000000000 -0500
-+++ iptables-1.3.8/extensions/Makefile 2007-07-31 15:27:55.000000000 -0500
-@@ -13,6 +13,10 @@
- PF6_EXT_SE_SLIB:=SECMARK CONNSECMARK
+--- iptables-1.4.0.orig/extensions/Makefile
++++ iptables-1.4.0/extensions/Makefile
+@@ -19,6 +19,10 @@ PF6_EXT_SE_SLIB:=$(PF6_EXT_SELINUX_SLIB)
+ PFX_EXT_SE_SLIB:=$(PFX_EXT_SELINUX_SLIB)
endif
+
@@ -13,11 +13,11 @@ Index: iptables-1.3.8/extensions/Makefile
# Optionals
PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
-Index: iptables-1.3.8/extensions/libipt_ipp2p.c
+Index: iptables-1.4.0/extensions/libipt_ipp2p.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/extensions/libipt_ipp2p.c 2007-07-31 15:27:55.000000000 -0500
-@@ -0,0 +1,401 @@
+--- /dev/null
++++ iptables-1.4.0/extensions/libipt_ipp2p.c
+@@ -0,0 +1,398 @@
+
+#include <stdio.h>
+#include <netdb.h>
@@ -84,12 +84,10 @@ Index: iptables-1.3.8/extensions/libipt_ipp2p.c
+
+
+static void
-+init(struct ipt_entry_match *m, unsigned int *nfcache)
++init(struct xt_entry_match *m)
+{
+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data;
+
-+ *nfcache |= NFC_UNKNOWN;
-+
+ /*init the module with default values*/
+ info->cmd = 0;
+ info->debug = 0;
@@ -99,9 +97,8 @@ Index: iptables-1.3.8/extensions/libipt_ipp2p.c
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
-+ const struct ipt_entry *entry,
-+ unsigned int *nfcache,
-+ struct ipt_entry_match **match)
++ const void *entry,
++ struct xt_entry_match **match)
+{
+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data;
+
@@ -335,8 +332,8 @@ Index: iptables-1.3.8/extensions/libipt_ipp2p.c
+
+
+static void
-+print(const struct ipt_ip *ip,
-+ const struct ipt_entry_match *match,
++print(const void *ip,
++ const struct xt_entry_match *match,
+ int numeric)
+{
+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
@@ -367,7 +364,7 @@ Index: iptables-1.3.8/extensions/libipt_ipp2p.c
+
+
+static void
-+save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
++save(const void *ip, const struct xt_entry_match *match)
+{
+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
+
@@ -398,17 +395,17 @@ Index: iptables-1.3.8/extensions/libipt_ipp2p.c
+static
+struct iptables_match ipp2p=
+{
-+ .next = NULL,
++ .family = AF_INET,
+ .name = "ipp2p",
+ .version = IPTABLES_VERSION,
+ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
-+ .help = &help,
-+ .init = &init,
-+ .parse = &parse,
-+ .final_check = &final_check,
-+ .print = &print,
-+ .save = &save,
++ .help = help,
++ .init = init,
++ .parse = parse,
++ .final_check = final_check,
++ .print = print,
++ .save = save,
+ .extra_opts = opts
+};
+
@@ -419,10 +416,10 @@ Index: iptables-1.3.8/extensions/libipt_ipp2p.c
+ register_match(&ipp2p);
+}
+
-Index: iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h
+Index: iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ iptables-1.3.8/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-07-31 15:27:55.000000000 -0500
+--- /dev/null
++++ iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h
@@ -0,0 +1,31 @@
+#ifndef __IPT_IPP2P_H
+#define __IPT_IPP2P_H
diff --git a/package/iptables/patches/1.4.0/002-layer7_2.17.patch b/package/iptables/patches/1.4.0/002-layer7_2.17.patch
new file mode 100644
index 0000000000..ed19118b09
--- /dev/null
+++ b/package/iptables/patches/1.4.0/002-layer7_2.17.patch
@@ -0,0 +1,418 @@
+--- iptables-1.4.0rc1/extensions/libipt_layer7.c 1969-12-31 18:00:00.000000000 -0600
++++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.c 2007-11-19 06:06:56.000000000 -0600
+@@ -0,0 +1,393 @@
++/*
++ Shared library add-on to iptables to add layer 7 matching support.
++
++ By Matthew Strait <quadong@users.sf.net>, Oct 2003.
++
++ http://l7-filter.sf.net
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++
++ Based on libipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
++*/
++
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++#include <dirent.h>
++
++#include <iptables.h>
++#include <linux/netfilter/xt_layer7.h>
++
++#define MAX_FN_LEN 256
++
++static char l7dir[MAX_FN_LEN] = "\0";
++
++/* Function which prints out usage message. */
++static void help(void)
++{
++ printf(
++ "LAYER7 match v%s options:\n"
++ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++ " (--l7dir must be specified before --l7proto if used!)\n"
++ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
++ IPTABLES_VERSION);
++ fputc('\n', stdout);
++}
++
++static struct option opts[] = {
++ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
++ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
++ { .name = 0 }
++};
++
++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
++int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++{
++ FILE * f;
++ char * line = NULL;
++ size_t len = 0;
++
++ enum { protocol, pattern, done } datatype = protocol;
++
++ f = fopen(filename, "r");
++
++ if(!f)
++ return 0;
++
++ while(getline(&line, &len, f) != -1)
++ {
++ if(strlen(line) < 2 || line[0] == '#')
++ continue;
++
++ /* strip the pesky newline... */
++ if(line[strlen(line) - 1] == '\n')
++ line[strlen(line) - 1] = '\0';
++
++ if(datatype == protocol)
++ {
++ /* Ignore everything on the line beginning with the
++ first space or tab . For instance, this allows the
++ protocol line in http.pat to be "http " (or
++ "http I am so cool") instead of just "http". */
++ if(strchr(line, ' ')){
++ char * space = strchr(line, ' ');
++ space[0] = '\0';
++ }
++ if(strchr(line, '\t')){
++ char * space = strchr(line, '\t');
++ space[0] = '\0';
++ }
++
++ /* sanity check. First non-comment non-blank
++ line must be the same as the file name. */
++ if(strcmp(line, protoname))
++ exit_error(OTHER_PROBLEM,
++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
++ line, filename);
++
++ if(strlen(line) >= MAX_PROTOCOL_LEN)
++ exit_error(PARAMETER_PROBLEM,
++ "Protocol name in %s too long!", filename);
++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
++
++ datatype = pattern;
++ }
++ else if(datatype == pattern)
++ {
++ if(strlen(line) >= MAX_PATTERN_LEN)
++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
++ strncpy(info->pattern, line, MAX_PATTERN_LEN);
++
++ datatype = done;
++ break;
++ }
++ else
++ exit_error(OTHER_PROBLEM, "Internal error");
++ }
++
++ if(datatype != done)
++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
++
++ if(line) free(line);
++ fclose(f);
++
++ return 1;
++
++/*
++ fprintf(stderr, "protocol: %s\npattern: %s\n\n",
++ info->protocol,
++ info->pattern);
++*/
++}
++
++static int hex2dec(char c)
++{
++ switch (c)
++ {
++ case '0' ... '9':
++ return c - '0';
++ case 'a' ... 'f':
++ return c - 'a' + 10;
++ case 'A' ... 'F':
++ return c - 'A' + 10;
++ default:
++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
++ return 0;
++ }
++}
++
++/* takes a string with \xHH escapes and returns one with the characters
++they stand for */
++static char * pre_process(char * s)
++{
++ char * result = malloc(strlen(s) + 1);
++ int sindex = 0, rindex = 0;
++ while( sindex < strlen(s) )
++ {
++ if( sindex + 3 < strlen(s) &&
++ s[sindex] == '\\' && s[sindex+1] == 'x' &&
++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
++ {
++ /* carefully remember to call tolower here... */
++ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
++ hex2dec(s[sindex + 3] ) );
++
++ switch ( result[rindex] )
++ {
++ case 0x24:
++ case 0x28:
++ case 0x29:
++ case 0x2a:
++ case 0x2b:
++ case 0x2e:
++ case 0x3f:
++ case 0x5b:
++ case 0x5c:
++ case 0x5d:
++ case 0x5e:
++ case 0x7c:
++ fprintf(stderr,
++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++ result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]);
++ break;
++ case 0x00:
++ fprintf(stderr,
++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
++ break;
++ default:
++ break;
++ }
++
++
++ sindex += 3; /* 4 total */
++ }
++ else
++ result[rindex] = tolower(s[sindex]);
++
++ sindex++;
++ rindex++;
++ }
++ result[rindex] = '\0';
++
++ return result;
++}
++
++#define MAX_SUBDIRS 128
++char ** readl7dir(char * dirname)
++{
++ DIR * scratchdir;
++ struct dirent ** namelist;
++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
++
++ int n, d = 1;
++ subdirs[0] = "";
++
++ n = scandir(dirname, &namelist, 0, alphasort);
++
++ if (n < 0)
++ {
++ perror("scandir");
++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
++ }
++ else
++ {
++ while(n--)
++ {
++ char fulldirname[MAX_FN_LEN];
++
++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
++
++ if((scratchdir = opendir(fulldirname)) != NULL)
++ {
++ closedir(scratchdir);
++
++ if(!strcmp(namelist[n]->d_name, ".") ||
++ !strcmp(namelist[n]->d_name, ".."))
++ /* do nothing */ ;
++ else
++ {
++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
++ strcpy(subdirs[d], namelist[n]->d_name);
++ d++;
++ if(d >= MAX_SUBDIRS - 1)
++ {
++ fprintf(stderr,
++ "Too many subdirectories, skipping the rest!\n");
++ break;
++ }
++ }
++ }
++ free(namelist[n]);
++ }
++ free(namelist);
++ }
++
++ subdirs[d] = NULL;
++
++ return subdirs;
++}
++
++static void
++parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++{
++ char filename[MAX_FN_LEN];
++ char * dir = NULL;
++ char ** subdirs;
++ int n = 0, done = 0;
++
++ if(strlen(l7dir) > 0)
++ dir = l7dir;
++ else
++ dir = "/etc/l7-protocols";
++
++ subdirs = readl7dir(dir);
++
++ while(subdirs[n] != NULL)
++ {
++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
++
++ //fprintf(stderr, "Trying to find pattern in %s ... ", filename);
++
++ if(c > MAX_FN_LEN)
++ {
++ exit_error(OTHER_PROBLEM,
++ "Filename beginning with %s is too long!\n", filename);
++ }
++
++ /* read in the pattern from the file */
++ if(parse_protocol_file(filename, s, info))
++ {
++ //fprintf(stderr, "found\n");
++ done = 1;
++ break;
++ }
++
++ //fprintf(stderr, "not found\n");
++
++ n++;
++ }
++
++ if(!done)
++ exit_error(OTHER_PROBLEM,
++ "Couldn't find a pattern definition file for %s.\n", s);
++
++ /* process \xHH escapes and tolower everything. (our regex lib has no
++ case insensitivity option.) */
++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
++}
++
++/* Function which parses command options; returns true if it ate an option */
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_match **match)
++{
++ struct xt_layer7_info *layer7info =
++ (struct xt_layer7_info *)(*match)->data;
++
++ switch (c) {
++ case '1':
++ check_inverse(optarg, &invert, &optind, 0);
++ parse_layer7_protocol(argv[optind-1], layer7info);
++ if (invert)
++ layer7info->invert = 1;
++ *flags = 1;
++ break;
++
++ case '2':
++ /* not going to use this, but maybe we need to strip a ! anyway (?) */
++ check_inverse(optarg, &invert, &optind, 0);
++
++ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
++ exit_error(PARAMETER_PROBLEM, "directory name too long\n");
++
++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
++
++ *flags = 1;
++ break;
++
++ default:
++ return 0;
++ }
++
++ return 1;
++}
++
++/* Final check; must have specified --l7proto */
++static void final_check(unsigned int flags)
++{
++ if (!flags)
++ exit_error(PARAMETER_PROBLEM,
++ "LAYER7 match: You must specify `--l7proto'");
++}
++
++static void print_protocol(char s[], int invert, int numeric)
++{
++ fputs("l7proto ", stdout);
++ if (invert) fputc('!', stdout);
++ printf("%s ", s);
++}
++
++/* Prints out the matchinfo. */
++static void print(const void *ip,
++ const struct xt_entry_match *match,
++ int numeric)
++{
++ printf("LAYER7 ");
++
++ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
++ ((struct xt_layer7_info *)match->data)->invert, numeric);
++}
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void save(const void *ip, const struct xt_entry_match *match)
++{
++ const struct xt_layer7_info *info =
++ (const struct xt_layer7_info*) match->data;
++
++ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol);
++}
++
++static struct iptables_match layer7 = {
++ .name = "layer7",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct xt_layer7_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct xt_layer7_info)),
++ .help = &help,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++void _init(void)
++{
++ register_match(&layer7);
++}
+--- iptables-1.4.0rc1/extensions/libipt_layer7.man 1969-12-31 18:00:00.000000000 -0600
++++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.man 2007-11-19 05:49:46.000000000 -0600
+@@ -0,0 +1,14 @@
++This module matches packets based on the application layer data of
++their connections. It uses regular expression matching to compare
++the application layer data to regular expressions found it the layer7
++configuration files. This is an experimental module which can be found at
++http://l7-filter.sf.net. It takes two options.
++.TP
++.BI "--l7proto " "\fIprotocol\fP"
++Match the specified protocol. The protocol name must match a file
++name in /etc/l7-protocols/ or one of its first-level child directories.
++.TP
++.BI "--l7dir " "\fIdirectory\fP"
++Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be
++specified before --l7proto.
++
+--- iptables-1.4.0rc1/extensions/.layer7-test 1969-12-31 18:00:00.000000000 -0600
++++ iptables-1.4.0rc1-layer7/extensions/.layer7-test 2007-11-19 06:18:58.000000000 -0600
+@@ -0,0 +1,2 @@
++#! /bin/sh
++[ -f $KERNEL_DIR/include/linux/netfilter/xt_layer7.h ] && echo layer7
diff --git a/package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch b/package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch
new file mode 100644
index 0000000000..dd6efc15dc
--- /dev/null
+++ b/package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch
@@ -0,0 +1,43 @@
+Index: iptables-1.4.0/extensions/libipt_layer7.c
+===================================================================
+--- iptables-1.4.0.orig/extensions/libipt_layer7.c
++++ iptables-1.4.0/extensions/libipt_layer7.c
+@@ -43,7 +43,8 @@ static void help(void)
+ "LAYER7 match v%s options:\n"
+ "--l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
+ " (--l7dir must be specified before --l7proto if used!)\n"
+- "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
++ "--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n"
++ "--l7pkt : Skip connection tracking and match individual packets\n",
+ IPTABLES_VERSION);
+ fputc('\n', stdout);
+ }
+@@ -51,6 +52,7 @@ static void help(void)
+ static struct option opts[] = {
+ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
+ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' },
++ { .name = "l7pkt", .has_arg = 0, .flag = 0, .val = '3' },
+ { .name = 0 }
+ };
+
+@@ -339,6 +341,10 @@ static int parse(int c, char **argv, int
+ *flags = 1;
+ break;
+
++ case '3':
++ layer7info->pkt = 1;
++ break;
++
+ default:
+ return 0;
+ }
+@@ -370,6 +376,9 @@ static void print(const void *ip,
+
+ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
+ ((struct xt_layer7_info *)match->data)->invert, numeric);
++
++ if (((struct xt_layer7_info *)match->data)->pkt)
++ printf("l7pkt ");
+ }
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+ static void save(const void *ip, const struct xt_entry_match *match)
diff --git a/package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch b/package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch
new file mode 100644
index 0000000000..0f6e01b19d
--- /dev/null
+++ b/package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch
@@ -0,0 +1,279 @@
+Index: iptables-1.4.0/extensions/libxt_multiport.c
+===================================================================
+--- iptables-1.4.0.orig/extensions/libxt_multiport.c
++++ iptables-1.4.0/extensions/libxt_multiport.c
+@@ -12,22 +12,6 @@
+ #include "../include/linux/netfilter/xt_multiport.h"
+
+ /* Function which prints out usage message. */
+-static void multiport_help(void)
+-{
+- printf(
+-"multiport v%s options:\n"
+-" --source-ports port[,port,port...]\n"
+-" --sports ...\n"
+-" match source port(s)\n"
+-" --destination-ports port[,port,port...]\n"
+-" --dports ...\n"
+-" match destination port(s)\n"
+-" --ports port[,port,port]\n"
+-" match both source and destination port(s)\n"
+-" NOTE: this kernel does not support port ranges in multiport.\n",
+-IPTABLES_VERSION);
+-}
+-
+ static void multiport_help_v1(void)
+ {
+ printf(
+@@ -71,26 +55,6 @@ proto_to_name(u_int8_t proto)
+ }
+ }
+
+-static unsigned int
+-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
+-{
+- char *buffer, *cp, *next;
+- unsigned int i;
+-
+- buffer = strdup(portstring);
+- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
+-
+- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
+- {
+- next=strchr(cp, ',');
+- if (next) *next++='\0';
+- ports[i] = parse_port(cp, proto);
+- }
+- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
+- free(buffer);
+- return i;
+-}
+-
+ static void
+ parse_multi_ports_v1(const char *portstring,
+ struct xt_multiport_v1 *multiinfo,
+@@ -154,73 +118,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
+ /* Function which parses command options; returns true if it
+ ate an option */
+ static int
+-__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+- struct xt_entry_match **match, u_int16_t pnum,
+- u_int8_t invflags)
+-{
+- const char *proto;
+- struct xt_multiport *multiinfo
+- = (struct xt_multiport *)(*match)->data;
+-
+- switch (c) {
+- case '1':
+- check_inverse(argv[optind-1], &invert, &optind, 0);
+- proto = check_proto(pnum, invflags);
+- multiinfo->count = parse_multi_ports(argv[optind-1],
+- multiinfo->ports, proto);
+- multiinfo->flags = XT_MULTIPORT_SOURCE;
+- break;
+-
+- case '2':
+- check_inverse(argv[optind-1], &invert, &optind, 0);
+- proto = check_proto(pnum, invflags);
+- multiinfo->count = parse_multi_ports(argv[optind-1],
+- multiinfo->ports, proto);
+- multiinfo->flags = XT_MULTIPORT_DESTINATION;
+- break;
+-
+- case '3':
+- check_inverse(argv[optind-1], &invert, &optind, 0);
+- proto = check_proto(pnum, invflags);
+- multiinfo->count = parse_multi_ports(argv[optind-1],
+- multiinfo->ports, proto);
+- multiinfo->flags = XT_MULTIPORT_EITHER;
+- break;
+-
+- default:
+- return 0;
+- }
+-
+- if (invert)
+- exit_error(PARAMETER_PROBLEM,
+- "multiport does not support invert");
+-
+- if (*flags)
+- exit_error(PARAMETER_PROBLEM,
+- "multiport can only have one option");
+- *flags = 1;
+- return 1;
+-}
+-
+-static int
+-multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+- const void *e, struct xt_entry_match **match)
+-{
+- const struct ipt_entry *entry = e;
+- return __multiport_parse(c, argv, invert, flags, match,
+- entry->ip.proto, entry->ip.invflags);
+-}
+-
+-static int
+-multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
+- const void *e, struct xt_entry_match **match)
+-{
+- const struct ip6t_entry *entry = (const struct ip6t_entry *)e;
+- return __multiport_parse(c, argv, invert, flags, match,
+- entry->ipv6.proto, entry->ipv6.invflags);
+-}
+-
+-static int
+ __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_entry_match **match, u_int16_t pnum,
+ u_int8_t invflags)
+@@ -313,55 +210,6 @@ print_port(u_int16_t port, u_int8_t prot
+ }
+
+ /* Prints out the matchinfo. */
+-static void
+-__multiport_print(const struct xt_entry_match *match, int numeric,
+- u_int16_t proto)
+-{
+- const struct xt_multiport *multiinfo
+- = (const struct xt_multiport *)match->data;
+- unsigned int i;
+-
+- printf("multiport ");
+-
+- switch (multiinfo->flags) {
+- case XT_MULTIPORT_SOURCE:
+- printf("sports ");
+- break;
+-
+- case XT_MULTIPORT_DESTINATION:
+- printf("dports ");
+- break;
+-
+- case XT_MULTIPORT_EITHER:
+- printf("ports ");
+- break;
+-
+- default:
+- printf("ERROR ");
+- break;
+- }
+-
+- for (i=0; i < multiinfo->count; i++) {
+- printf("%s", i ? "," : "");
+- print_port(multiinfo->ports[i], proto, numeric);
+- }
+- printf(" ");
+-}
+-
+-static void multiport_print(const void *ip_void,
+- const struct xt_entry_match *match, int numeric)
+-{
+- const struct ipt_ip *ip = ip_void;
+- __multiport_print(match, numeric, ip->proto);
+-}
+-
+-static void multiport_print6(const void *ip_void,
+- const struct xt_entry_match *match, int numeric)
+-{
+- const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
+- __multiport_print(match, numeric, ip->proto);
+-}
+-
+ static void __multiport_print_v1(const struct xt_entry_match *match,
+ int numeric, u_int16_t proto)
+ {
+@@ -418,48 +266,6 @@ static void multiport_print6_v1(const vo
+ }
+
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+-static void __multiport_save(const struct xt_entry_match *match,
+- u_int16_t proto)
+-{
+- const struct xt_multiport *multiinfo
+- = (const struct xt_multiport *)match->data;
+- unsigned int i;
+-
+- switch (multiinfo->flags) {
+- case XT_MULTIPORT_SOURCE:
+- printf("--sports ");
+- break;
+-
+- case XT_MULTIPORT_DESTINATION:
+- printf("--dports ");
+- break;
+-
+- case XT_MULTIPORT_EITHER:
+- printf("--ports ");
+- break;
+- }
+-
+- for (i=0; i < multiinfo->count; i++) {
+- printf("%s", i ? "," : "");
+- print_port(multiinfo->ports[i], proto, 1);
+- }
+- printf(" ");
+-}
+-
+-static void multiport_save(const void *ip_void,
+- const struct xt_entry_match *match)
+-{
+- const struct ipt_ip *ip = ip_void;
+- __multiport_save(match, ip->proto);
+-}
+-
+-static void multiport_save6(const void *ip_void,
+- const struct xt_entry_match *match)
+-{
+- const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
+- __multiport_save(match, ip->proto);
+-}
+-
+ static void __multiport_save_v1(const struct xt_entry_match *match,
+ u_int16_t proto)
+ {
+@@ -509,36 +315,6 @@ static void multiport_save6_v1(const voi
+ __multiport_save_v1(match, ip->proto);
+ }
+
+-static struct xtables_match multiport_match = {
+- .family = AF_INET,
+- .name = "multiport",
+- .revision = 0,
+- .version = IPTABLES_VERSION,
+- .size = XT_ALIGN(sizeof(struct xt_multiport)),
+- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+- .help = multiport_help,
+- .parse = multiport_parse,
+- .final_check = multiport_check,
+- .print = multiport_print,
+- .save = multiport_save,
+- .extra_opts = multiport_opts,
+-};
+-
+-static struct xtables_match multiport_match6 = {
+- .family = AF_INET6,
+- .name = "multiport",
+- .revision = 0,
+- .version = IPTABLES_VERSION,
+- .size = XT_ALIGN(sizeof(struct xt_multiport)),
+- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+- .help = multiport_help,
+- .parse = multiport_parse6,
+- .final_check = multiport_check,
+- .print = multiport_print6,
+- .save = multiport_save6,
+- .extra_opts = multiport_opts,
+-};
+-
+ static struct xtables_match multiport_match_v1 = {
+ .family = AF_INET,
+ .name = "multiport",
+@@ -572,8 +348,6 @@ static struct xtables_match multiport_ma
+ void
+ _init(void)
+ {
+- xtables_register_match(&multiport_match);
+- xtables_register_match(&multiport_match6);
+ xtables_register_match(&multiport_match_v1);
+ xtables_register_match(&multiport_match6_v1);
+ }
diff --git a/package/iptables/patches/1.4.0/005-imq1.patch b/package/iptables/patches/1.4.0/005-imq1.patch
new file mode 100644
index 0000000000..63617076bd
--- /dev/null
+++ b/package/iptables/patches/1.4.0/005-imq1.patch
@@ -0,0 +1,219 @@
+--- iptables-1.4.0.orig/extensions.orig/.IMQ-test6 Thu Jan 1 01:00:00 1970
++++ iptables-1.4.0/extensions/.IMQ-test6 Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_IMQ.h ] && echo IMQ
+--- iptables-1.4.0.orig/extensions.orig/libip6t_IMQ.c Thu Jan 1 01:00:00 1970
++++ iptables-1.4.0/extensions/libip6t_IMQ.c Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,100 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <ip6tables.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++#include <linux/netfilter_ipv6/ip6t_IMQ.h>
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++ printf(
++"IMQ target v%s options:\n"
++" --todev <N> enqueue to imq<N>, defaults to 0\n",
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++ { "todev", 1, 0, '1' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void
++init(struct xt_entry_target *t)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data;
++
++ mr->todev = 0;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry,
++ struct xt_entry_target **target)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data;
++
++ switch(c) {
++ case '1':
++ if (check_inverse(optarg, &invert, NULL, 0))
++ exit_error(PARAMETER_PROBLEM,
++ "Unexpected `!' after --todev");
++ mr->todev=atoi(optarg);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++static void
++final_check(unsigned int flags)
++{
++}
++
++/* Prints out the targinfo. */
++static void
++print(const void *ip,
++ const struct xt_entry_target *target,
++ int numeric)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++ printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void
++save(const void *ip, const struct xt_entry_target *target)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++ printf("--todev %u", mr->todev);
++}
++
++static struct ip6tables_target imq = {
++ .next = NULL,
++ .name = "IMQ",
++ .version = IPTABLES_VERSION,
++ .size = IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
++ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++static __attribute__((constructor)) void _init(void)
++{
++ register_target6(&imq);
++}
+--- iptables-1.4.0.orig/extensions.orig/.IMQ-test Thu Jan 1 01:00:00 1970
++++ iptables-1.4.0/extensions/.IMQ-test Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IMQ.h ] && echo IMQ
+--- iptables-1.4.0.orig/extensions.orig/libipt_IMQ.c Thu Jan 1 01:00:00 1970
++++ iptables-1.4.0/extensions/libipt_IMQ.c Mon Jun 16 10:12:47 2003
+@@ -0,0 +1,100 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_IMQ.h>
++
++/* Function which prints out usage message. */
++static void
++help(void)
++{
++ printf(
++"IMQ target v%s options:\n"
++" --todev <N> enqueue to imq<N>, defaults to 0\n",
++IPTABLES_VERSION);
++}
++
++static struct option opts[] = {
++ { "todev", 1, 0, '1' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void
++init(struct xt_entry_target *t)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data;
++
++ mr->todev = 0;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int
++parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry,
++ struct xt_entry_target **target)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data;
++
++ switch(c) {
++ case '1':
++ if (check_inverse(optarg, &invert, NULL, 0))
++ exit_error(PARAMETER_PROBLEM,
++ "Unexpected `!' after --todev");
++ mr->todev=atoi(optarg);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++static void
++final_check(unsigned int flags)
++{
++}
++
++/* Prints out the targinfo. */
++static void
++print(const void *ip,
++ const struct xt_entry_target *target,
++ int numeric)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++ printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void
++save(const void *ip, const struct xt_entry_target *target)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++ printf("--todev %u", mr->todev);
++}
++
++static struct iptables_target imq = {
++ .next = NULL,
++ .name = "IMQ",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct ipt_imq_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_imq_info)),
++ .help = &help,
++ .init = &init,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++static __attribute__((constructor)) void _init(void)
++{
++ register_target(&imq);
++}
+
diff --git a/package/iptables/patches/1.4.0/006-chaostables_0.8.patch b/package/iptables/patches/1.4.0/006-chaostables_0.8.patch
new file mode 100644
index 0000000000..a9eb14544f
--- /dev/null
+++ b/package/iptables/patches/1.4.0/006-chaostables_0.8.patch
@@ -0,0 +1,393 @@
+Index: iptables-1.4.0/extensions/.CHAOS-testx
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/.CHAOS-testx
+@@ -0,0 +1,3 @@
++#! /bin/sh
++
++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS"
+Index: iptables-1.4.0/extensions/libxt_CHAOS.c
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_CHAOS.c
+@@ -0,0 +1,114 @@
++/*
++ * CHAOS target for iptables
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <getopt.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <string.h>
++
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_CHAOS.h>
++
++enum {
++ F_DELUDE = 1 << 0,
++ F_TARPIT = 1 << 1,
++};
++
++static const struct option chaos_tg_opts[] = {
++ {.name = "delude", .has_arg = false, .val = 'd'},
++ {.name = "tarpit", .has_arg = false, .val = 't'},
++ {},
++};
++
++static void chaos_tg_help(void)
++{
++ printf(
++ "CHAOS target v%s options:\n"
++ " --delude Enable DELUDE processing for TCP\n"
++ " --tarpit Enable TARPIT processing for TCP\n",
++ IPTABLES_VERSION);
++ return;
++}
++
++static int chaos_tg_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_target **target)
++{
++ struct xt_chaos_target_info *info = (void *)((*target)->data);
++ switch (c) {
++ case 'd':
++ info->variant = XTCHAOS_DELUDE;
++ *flags |= F_DELUDE;
++ return true;
++ case 't':
++ info->variant = XTCHAOS_TARPIT;
++ *flags |= F_TARPIT;
++ return true;
++ }
++ return false;
++}
++
++static void chaos_tg_check(unsigned int flags)
++{
++ if ((flags & (F_DELUDE | F_TARPIT)) == (F_DELUDE | F_TARPIT))
++ /* If flags == 0x03, both were specified, which should not be. */
++ exit_error(PARAMETER_PROBLEM,
++ "CHAOS: only one of --tarpit or --delude "
++ "may be specified");
++ return;
++}
++
++static void chaos_tg_print(const void *ip,
++ const struct xt_entry_target *target, int numeric)
++{
++ const struct xt_chaos_target_info *info = (const void *)target->data;
++ switch (info->variant) {
++ case XTCHAOS_DELUDE:
++ printf("DELUDE ");
++ break;
++ case XTCHAOS_TARPIT:
++ printf("TARPIT ");
++ break;
++ }
++ return;
++}
++
++static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
++{
++ const struct xt_chaos_target_info *info = (const void *)target->data;
++ switch (info->variant) {
++ case XTCHAOS_DELUDE:
++ printf("--delude ");
++ break;
++ case XTCHAOS_TARPIT:
++ printf("--tarpit ");
++ break;
++ }
++ return;
++}
++
++static struct xtables_target chaos_tg_reg = {
++ .version = IPTABLES_VERSION,
++ .name = "CHAOS",
++ .family = AF_INET,
++ .size = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
++ .help = chaos_tg_help,
++ .parse = chaos_tg_parse,
++ .final_check = chaos_tg_check,
++ .print = chaos_tg_print,
++ .save = chaos_tg_save,
++ .extra_opts = chaos_tg_opts,
++};
++
++void _init(void)
++{
++ xtables_register_target(&chaos_tg_reg);
++ return;
++}
+Index: iptables-1.4.0/extensions/libxt_CHAOS.man
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_CHAOS.man
+@@ -0,0 +1,18 @@
++Causes confusion on the other end by doing odd things with incoming packets.
++CHAOS will randomly reply (or not) with one of its configurable subtargets:
++.TP
++\fB--delude\fR
++Use the REJECT and DELUDE targets as a base to do a sudden or deferred
++connection reset, fooling some network scanners to return non-deterministic
++(randomly open/closed) results, and in case it is deemed open, it is actually
++closed/filtered.
++.TP
++\fB--tarpit\fR
++Use the REJECT and TARPIT target as a base to hold the connection until it
++times out. This consumes conntrack entries when connection tracking is loaded
++(which usually is on most machines), and routers inbetween you and the Internet
++may fail to do their connection tracking if they have to handle more
++connections than they can.
++.PP
++The randomness factor of not replying vs. replying can be set during load-time
++of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
+Index: iptables-1.4.0/extensions/.DELUDE-testx
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/.DELUDE-testx
+@@ -0,0 +1,3 @@
++#! /bin/sh
++
++[ -f "$KERNEL_DIR/net/netfilter/xt_DELUDE.c" ] && echo "DELUDE"
+Index: iptables-1.4.0/extensions/libxt_DELUDE.c
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_DELUDE.c
+@@ -0,0 +1,49 @@
++/*
++ * DELUDE target for iptables
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <getopt.h>
++#include <stdio.h>
++#include <string.h>
++
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++
++static void delude_tg_help(void)
++{
++ printf("DELUDE takes no options\n");
++ return;
++}
++
++static int delude_tg_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_target **target)
++{
++ return 0;
++}
++
++static void delude_tg_check(unsigned int flags)
++{
++ return;
++}
++
++static struct xtables_target delude_tg_reg = {
++ .version = IPTABLES_VERSION,
++ .name = "DELUDE",
++ .family = AF_INET,
++ .size = XT_ALIGN(0),
++ .userspacesize = XT_ALIGN(0),
++ .help = delude_tg_help,
++ .parse = delude_tg_parse,
++ .final_check = delude_tg_check,
++};
++
++void _init(void)
++{
++ xtables_register_target(&delude_tg_reg);
++ return;
++}
+Index: iptables-1.4.0/extensions/libxt_DELUDE.man
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_DELUDE.man
+@@ -0,0 +1,4 @@
++The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other
++packets with an RST. This will terminate the connection much like REJECT, but
++network scanners doing TCP half-open discovery can be spoofed to make them
++belive the port is open rather than closed/filtered.
+Index: iptables-1.4.0/extensions/.portscan-testx
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/.portscan-testx
+@@ -0,0 +1,3 @@
++#! /bin/sh
++
++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan"
+Index: iptables-1.4.0/extensions/libxt_portscan.c
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_portscan.c
+@@ -0,0 +1,127 @@
++/*
++ * portscan match for iptables
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <stdbool.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <xtables.h>
++#include <iptables.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_portscan.h>
++
++static const struct option portscan_mt_opts[] = {
++ {.name = "stealth", .has_arg = false, .val = 'x'},
++ {.name = "synscan", .has_arg = false, .val = 's'},
++ {.name = "cnscan", .has_arg = false, .val = 'c'},
++ {.name = "grscan", .has_arg = false, .val = 'g'},
++ {},
++};
++
++static void portscan_mt_help(void)
++{
++ printf(
++ "portscan match v%s options:\n"
++ "(Combining them will make them match by OR-logic)\n"
++ " --stealth Match TCP Stealth packets\n"
++ " --synscan Match TCP SYN scans\n"
++ " --cnscan Match TCP Connect scans\n"
++ " --grscan Match Banner Grabbing scans\n",
++ IPTABLES_VERSION);
++ return;
++}
++
++static int portscan_mt_parse(int c, char **argv, int invert,
++ unsigned int *flags, const void *entry, struct xt_entry_match **match)
++{
++ struct xt_portscan_match_info *info = (void *)((*match)->data);
++
++ switch (c) {
++ case 'c':
++ info->match_cn = true;
++ return true;
++ case 'g':
++ info->match_gr = true;
++ return true;
++ case 's':
++ info->match_syn = true;
++ return true;
++ case 'x':
++ info->match_stealth = true;
++ return true;
++ }
++ return false;
++}
++
++static void portscan_mt_check(unsigned int flags)
++{
++ return;
++}
++
++static void portscan_mt_print(const void *ip,
++ const struct xt_entry_match *match, int numeric)
++{
++ const struct xt_portscan_match_info *info = (const void *)(match->data);
++ const char *s = "";
++
++ printf("portscan ");
++ if (info->match_stealth) {
++ printf("STEALTH");
++ s = ",";
++ }
++ if (info->match_syn) {
++ printf("%sSYNSCAN", s);
++ s = ",";
++ }
++ if (info->match_cn) {
++ printf("%sCNSCAN", s);
++ s = ",";
++ }
++ if (info->match_gr)
++ printf("%sGRSCAN", s);
++ printf(" ");
++ return;
++}
++
++static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
++{
++ const struct xt_portscan_match_info *info = (const void *)(match->data);
++
++ if (info->match_stealth)
++ printf("--stealth ");
++ if (info->match_syn)
++ printf("--synscan ");
++ if (info->match_cn)
++ printf("--cnscan ");
++ if (info->match_gr)
++ printf("--grscan ");
++ return;
++}
++
++static struct xtables_match portscan_mt_reg = {
++ .version = IPTABLES_VERSION,
++ .name = "portscan",
++ .family = AF_INET,
++ .size = XT_ALIGN(sizeof(struct xt_portscan_match_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_portscan_match_info)),
++ .help = portscan_mt_help,
++ .parse = portscan_mt_parse,
++ .final_check = portscan_mt_check,
++ .print = portscan_mt_print,
++ .save = portscan_mt_save,
++ .extra_opts = portscan_mt_opts,
++};
++
++void _init(void)
++{
++ xtables_register_match(&portscan_mt_reg);
++ return;
++}
+Index: iptables-1.4.0/extensions/libxt_portscan.man
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_portscan.man
+@@ -0,0 +1,27 @@
++Detects simple port scan attemps based upon the packet's contents. (This is
++different from other implementations, which also try to match the rate of new
++connections.) Note that an attempt is only discovered after it has been carried
++out, but this information can be used in conjunction with other rules to block
++the remote host's future connections. So this match module will match on the
++(probably) last packet the remote side will send to your machine.
++.TP
++\fB--stealth\fR
++Match if the packet did not belong to any known TCP connection
++(Stealth/FIN/XMAS/NULL scan).
++.TP
++\fB--synscan\fR
++Match if the connection was a TCP half-open discovery (SYN scan), i.e. the
++connection was torn down after the 2nd packet in the 3-way handshake.
++.TP
++\fB--cnscan\fR
++Match if the connection was a TCP full open discovery (connect scan), i.e. the
++connection was torn down after completion of the 3-way handshake.
++.TP
++\fB--grscan\fR
++Match if data in the connection only flew in the direction of the remote side,
++e.g. if the connection was terminated after a locally running daemon sent its
++identification. (e.g. openssh)
++.PP
++NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
++so be advised to carefully use xt_portscan in conjunction with blocking rules,
++as it may lock out your very own internal network.
diff --git a/package/iptables/patches/1.4.0/007-tarpit_support.patch b/package/iptables/patches/1.4.0/007-tarpit_support.patch
new file mode 100644
index 0000000000..f1914f90be
--- /dev/null
+++ b/package/iptables/patches/1.4.0/007-tarpit_support.patch
@@ -0,0 +1,106 @@
+Index: iptables-1.4.0/extensions/libxt_TARPIT.c
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_TARPIT.c
+@@ -0,0 +1,55 @@
++/* Shared library add-on to iptables to add TARPIT target support */
++#include <stdio.h>
++#include <getopt.h>
++
++#include <xtables.h>
++#include <linux/netfilter/x_tables.h>
++
++static void TARPIT_help(void)
++{
++ fputs(
++"TARPIT takes no options\n"
++"\n", stdout);
++}
++
++static struct option TARPIT_opts[] = {
++ { 0 }
++};
++
++static int TARPIT_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_target **target)
++{
++ return 0;
++}
++
++static void TARPIT_final_check(unsigned int flags)
++{
++}
++
++static void TARPIT_print(const void *ip, const struct xt_entry_target *target,
++ int numeric)
++{
++}
++
++static void TARPIT_save(const void *ip, const struct xt_entry_target *target)
++{
++}
++
++static struct xtables_target tarpit_target = {
++ .family = AF_INET,
++ .name = "TARPIT",
++ .version = IPTABLES_VERSION,
++ .size = XT_ALIGN(0),
++ .userspacesize = XT_ALIGN(0),
++ .help = TARPIT_help,
++ .parse = TARPIT_parse,
++ .final_check = TARPIT_final_check,
++ .print = TARPIT_print,
++ .save = TARPIT_save,
++ .extra_opts = TARPIT_opts
++};
++
++void _init(void)
++{
++ xtables_register_target(&tarpit_target);
++}
+Index: iptables-1.4.0/extensions/libxt_TARPIT.man
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/libxt_TARPIT.man
+@@ -0,0 +1,34 @@
++Captures and holds incoming TCP connections using no local
++per-connection resources. Connections are accepted, but immediately
++switched to the persist state (0 byte window), in which the remote
++side stops sending data and asks to continue every 60-240 seconds.
++Attempts to close the connection are ignored, forcing the remote side
++to time out the connection in 12-24 minutes.
++
++This offers similar functionality to LaBrea
++<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
++hardware or IPs. Any TCP port that you would normally DROP or REJECT
++can instead become a tarpit.
++
++To tarpit connections to TCP port 80 destined for the current machine:
++.IP
++iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
++.P
++To significantly slow down Code Red/Nimda-style scans of unused address
++space, forward unused ip addresses to a Linux box not acting as a router
++(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
++forwarding on the Linux box, and add:
++.IP
++iptables -A FORWARD -p tcp -j TARPIT
++.IP
++iptables -A FORWARD -j DROP
++.TP
++NOTE:
++If you use the conntrack module while you are using TARPIT, you should
++also use the NOTRACK target, or the kernel will unnecessarily allocate
++resources for each TARPITted connection. To TARPIT incoming
++connections to the standard IRC port while using conntrack, you could:
++.IP
++iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
++.IP
++iptables -A INPUT -p tcp --dport 6667 -j TARPIT
+Index: iptables-1.4.0/extensions/.TARPIT-testx
+===================================================================
+--- /dev/null
++++ iptables-1.4.0/extensions/.TARPIT-testx
+@@ -0,0 +1,2 @@
++#! /bin/sh
++[ -f "$KERNEL_DIR/net/netfilter/xt_TARPIT.c" ] && echo "TARPIT"
diff --git a/package/kernel/modules/netfilter.mk b/package/kernel/modules/netfilter.mk
index 61a4013c39..bafb5ea92e 100644
--- a/package/kernel/modules/netfilter.mk
+++ b/package/kernel/modules/netfilter.mk
@@ -1,4 +1,4 @@
-#
+#
# Copyright (C) 2006 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
@@ -19,9 +19,9 @@ endef
define KernelPackage/ipt-conntrack/description
Netfilter (IPv4) kernel modules for connection tracking
- Includes:
- - ipt_conntrack
- - ipt_helper
+ Includes:
+ - ipt_conntrack
+ - ipt_helper
- ipt_connmark/CONNMARK
endef
@@ -37,9 +37,9 @@ define KernelPackage/ipt-filter
endef
define KernelPackage/ipt-filter/description
- Netfilter (IPv4) kernel modules for packet content inspection
- Includes:
- - ipt_ipp2p
+ Netfilter (IPv4) kernel modules for packet content inspection
+ Includes:
+ - ipt_ipp2p
- ipt_layer7
endef
@@ -55,16 +55,16 @@ define KernelPackage/ipt-ipopt
endef
define KernelPackage/ipt-ipopt/description
- Netfilter (IPv4) modules for matching/changing IP packet options
- Includes:
- - ipt_CLASSIFY
- - ipt_dscp/DSCP
- - ipt_ecn/ECN
- - ipt_length
- - ipt_mac
- - ipt_tos/TOS
- - ipt_tcpmms
- - ipt_ttl/TTL
+ Netfilter (IPv4) modules for matching/changing IP packet options
+ Includes:
+ - ipt_CLASSIFY
+ - ipt_dscp/DSCP
+ - ipt_ecn/ECN
+ - ipt_length
+ - ipt_mac
+ - ipt_tos/TOS
+ - ipt_tcpmms
+ - ipt_ttl/TTL
- ipt_unclean
endef
@@ -80,9 +80,9 @@ define KernelPackage/ipt-ipsec
endef
define KernelPackage/ipt-ipsec/description
- Netfilter (IPv4) modules for matching IPSec packets
- Includes:
- - ipt_ah
+ Netfilter (IPv4) modules for matching IPSec packets
+ Includes:
+ - ipt_ah
- ipt_esp
endef
@@ -98,9 +98,9 @@ define KernelPackage/ipt-nat
endef
define KernelPackage/ipt-nat/description
- Netfilter (IPv4) modules for extra NAT targets
- Includes:
- - ipt_REDIRECT
+ Netfilter (IPv4) modules for extra NAT targets
+ Includes:
+ - ipt_REDIRECT
- ipt_NETMAP
endef
@@ -116,12 +116,12 @@ define KernelPackage/ipt-nathelper
endef
define KernelPackage/ipt-nathelper/description
- Default Netfilter (IPv4) Conntrack and NAT helpers
- Includes:
- - ip_conntrack_ftp
- - ip_nat_ftp
- - ip_conntrack_irc
- - ip_nat_irc
+ Default Netfilter (IPv4) Conntrack and NAT helpers
+ Includes:
+ - ip_conntrack_ftp
+ - ip_nat_ftp
+ - ip_conntrack_irc
+ - ip_nat_irc
- ip_conntrack_tftp
endef
@@ -137,15 +137,15 @@ define KernelPackage/ipt-nathelper-extra
endef
define KernelPackage/ipt-nathelper-extra/description
- Extra Netfilter (IPv4) Conntrack and NAT helpers
- Includes:
- - ip_conntrack_amanda
- - ip_conntrack_proto_gre
- - ip_nat_proto_gre
- - ip_conntrack_pptp
- - ip_nat_pptp
- - ip_conntrack_sip
- - ip_nat_sip
+ Extra Netfilter (IPv4) Conntrack and NAT helpers
+ Includes:
+ - ip_conntrack_amanda
+ - ip_conntrack_proto_gre
+ - ip_nat_proto_gre
+ - ip_conntrack_pptp
+ - ip_nat_pptp
+ - ip_conntrack_sip
+ - ip_nat_sip
- ip_nat_snmp_basic
endef
@@ -176,8 +176,8 @@ define KernelPackage/ipt-queue
endef
define KernelPackage/ipt-queue/description
- Netfilter (IPv4) module for user-space packet queueing
- Includes:
+ Netfilter (IPv4) module for user-space packet queueing
+ Includes:
- ipt_QUEUE
endef
@@ -193,8 +193,8 @@ define KernelPackage/ipt-ulog
endef
define KernelPackage/ipt-ulog/description
- Netfilter (IPv4) module for user-space packet logging
- Includes:
+ Netfilter (IPv4) module for user-space packet logging
+ Includes:
- ipt_ULOG
endef
@@ -209,8 +209,8 @@ define KernelPackage/ipt-iprange
endef
define KernelPackage/ipt-iprange/description
- Netfilter (IPv4) module for matching ip ranges
- Includes:
+ Netfilter (IPv4) module for matching ip ranges
+ Includes:
- ipt_IPRANGE
endef
@@ -227,17 +227,17 @@ endef
define KernelPackage/ipt-ipset/description
Netfilter kernel modules for ipset
- Includes:
- - ip_set
- - ip_set_iphash
- - ip_set_ipmap
- - ip_set_ipporthash
- - ip_set_iptree
+ Includes:
+ - ip_set
+ - ip_set_iphash
+ - ip_set_ipmap
+ - ip_set_ipporthash
+ - ip_set_iptree
- ip_set_iptreemap
- - ip_set_macipmap
- - ip_set_nethash
- - ip_set_portmap
- - ipt_set
+ - ip_set_macipmap
+ - ip_set_nethash
+ - ip_set_portmap
+ - ipt_set
- ipt_SET
endef
@@ -254,17 +254,17 @@ endef
define KernelPackage/ipt-extra/description
Other Netfilter (IPv4) kernel modules
- Includes:
- - ipt_limit
- - ipt_owner
- - ipt_physdev
- - ipt_pkttype
- - ipt_recent
- - iptable_raw
- - xt_NOTRACK
- - xt_TARPIT
- - xt_DELUDE
- - xt_CHAOS
+ Includes:
+ - ipt_limit
+ - ipt_owner
+ - ipt_physdev
+ - ipt_pkttype
+ - ipt_recent
+ - iptable_raw
+ - xt_NOTRACK
+ - xt_TARPIT
+ - xt_DELUDE
+ - xt_CHAOS
endef
$(eval $(call KernelPackage,ipt-extra))
@@ -273,6 +273,7 @@ $(eval $(call KernelPackage,ipt-extra))
define KernelPackage/ip6tables
SUBMENU:=$(NF_MENU)
TITLE:=IPv6 modules
+ DEPENDS:=+kmod-ipv6
KCONFIG:=CONFIG_IP6_NF_IPTABLES
FILES:=$(foreach mod,$(IPT_IPV6-m),$(LINUX_DIR)/net/$(mod).$(LINUX_KMOD_SUFFIX))
AUTOLOAD:=$(call AutoLoad,40,$(notdir $(IPT_IPV6-m)))
diff --git a/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch b/target/linux/generic-2.4/patches/602-netfilter_layer7_2.17_with_pktmatch.patch
index 301a3a79f2..cfbca53315 100644
--- a/target/linux/generic-2.4/patches/602-netfilter_layer7_2.1nbd.patch
+++ b/target/linux/generic-2.4/patches/602-netfilter_layer7_2.17_with_pktmatch.patch
@@ -69,9 +69,9 @@ Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_layer7.h
+
+struct ipt_layer7_info {
+ char protocol[MAX_PROTOCOL_LEN];
-+ char invert:1;
+ char pattern[MAX_PATTERN_LEN];
-+ char pkt;
++ u_int8_t invert;
++ u_int8_t pkt;
+};
+
+#endif /* _IPT_LAYER7_H */
diff --git a/target/linux/generic-2.6/config-2.6.22 b/target/linux/generic-2.6/config-2.6.22
index f18508eb1a..c91d1e338b 100644
--- a/target/linux/generic-2.6/config-2.6.22
+++ b/target/linux/generic-2.6/config-2.6.22
@@ -558,8 +558,6 @@ CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_IPP2P=m
CONFIG_IP_NF_MATCH_IPRANGE=m
-CONFIG_IP_NF_MATCH_LAYER7=m
-# CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_SET=m
@@ -745,6 +743,8 @@ CONFIG_NETFILTER_XT_MATCH_PORTSCAN=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_LAYER7=m
+# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
diff --git a/target/linux/generic-2.6/config-default b/target/linux/generic-2.6/config-default
index d814b01b7d..cbef53671d 100644
--- a/target/linux/generic-2.6/config-default
+++ b/target/linux/generic-2.6/config-default
@@ -533,8 +533,6 @@ CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_IPP2P=m
CONFIG_IP_NF_MATCH_IPRANGE=m
-CONFIG_IP_NF_MATCH_LAYER7=m
-# CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_SET=m
@@ -713,6 +711,8 @@ CONFIG_NETFILTER_XT_MATCH_PORTSCAN=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_LAYER7=m
+# CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG is not set
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
diff --git a/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch b/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.17.patch
index 0b16a30313..bfac6801a6 100644
--- a/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.9.patch
+++ b/target/linux/generic-2.6/patches-2.6.22/100-netfilter_layer7_2.17.patch
@@ -1,80 +1,58 @@
-Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h
+Index: linux-2.6.22.18/net/netfilter/Kconfig
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:43:29.440242750 +0200
-@@ -0,0 +1,26 @@
-+/*
-+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+*/
-+
-+#ifndef _IPT_LAYER7_H
-+#define _IPT_LAYER7_H
-+
-+#define MAX_PATTERN_LEN 8192
-+#define MAX_PROTOCOL_LEN 256
+--- linux-2.6.22.18.orig/net/netfilter/Kconfig
++++ linux-2.6.22.18/net/netfilter/Kconfig
+@@ -603,6 +603,27 @@ config NETFILTER_XT_MATCH_STATE
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_LAYER7
++ tristate '"layer7" match support'
++ depends on NETFILTER_XTABLES
++ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
++ depends on NF_CT_ACCT
++ help
++ Say Y if you want to be able to classify connections (and their
++ packets) based on regular expression matching of their application
++ layer data. This is one way to classify applications such as
++ peer-to-peer filesharing systems that do not always use the same
++ port.
+
-+typedef char *(*proc_ipt_search) (char *, char, char *);
++ To compile it as a module, choose M here. If unsure, say N.
+
-+struct ipt_layer7_info {
-+ char protocol[MAX_PROTOCOL_LEN];
-+ char invert:1;
-+ char pattern[MAX_PATTERN_LEN];
-+};
++config NETFILTER_XT_MATCH_LAYER7_DEBUG
++ bool 'Layer 7 debugging output'
++ depends on NETFILTER_XT_MATCH_LAYER7
++ help
++ Say Y to get lots of debugging output.
+
-+#endif /* _IPT_LAYER7_H */
-Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c
-===================================================================
---- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_core.c 2007-07-02 02:16:21.833537750 +0200
-+++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_core.c 2007-07-02 02:16:23.497641750 +0200
-@@ -330,6 +330,13 @@
- * too. */
- nf_ct_remove_expectations(ct);
-
-+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(ct->layer7.app_proto)
-+ kfree(ct->layer7.app_proto);
-+ if(ct->layer7.app_data)
-+ kfree(ct->layer7.app_data);
-+ #endif
+
- /* We overload first tuple to link into unconfirmed list. */
- if (!nf_ct_is_confirmed(ct)) {
- BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
-Index: linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c
+ config NETFILTER_XT_MATCH_STATISTIC
+ tristate '"statistic" match support'
+ depends on NETFILTER_XTABLES
+Index: linux-2.6.22.18/net/netfilter/Makefile
===================================================================
---- linux-2.6.22-rc6.orig/net/netfilter/nf_conntrack_standalone.c 2007-07-02 02:16:21.845538500 +0200
-+++ linux-2.6.22-rc6/net/netfilter/nf_conntrack_standalone.c 2007-07-02 02:16:23.521643250 +0200
-@@ -184,6 +184,12 @@
- return -ENOSPC;
- #endif
-
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(conntrack->layer7.app_proto)
-+ if (seq_printf(s, "l7proto=%s ",conntrack->layer7.app_proto))
-+ return 1;
-+#endif
-+
- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
- return -ENOSPC;
-
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+--- linux-2.6.22.18.orig/net/netfilter/Makefile
++++ linux-2.6.22.18/net/netfilter/Makefile
+@@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) +
+ obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_LAYER7) += xt_layer7.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
+Index: linux-2.6.22.18/net/netfilter/xt_layer7.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:43:44.341174000 +0200
-@@ -0,0 +1,583 @@
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/xt_layer7.c
+@@ -0,0 +1,634 @@
+/*
+ Kernel module to match application layer (OSI layer 7) data in connections.
+
+ http://l7-filter.sf.net
+
-+ By Matthew Strait and Ethan Sommer, 2003-2006.
++ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
@@ -82,37 +60,37 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ 2 of the License, or (at your option) any later version.
+ http://www.gnu.org/licenses/gpl.txt
+
-+ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
-+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
-+
-+ Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack
++ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>,
++ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait,
++ Ethan Sommer, Justin Levandoski.
+*/
+
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/proc_fs.h>
-+#include <linux/ctype.h>
++#include <linux/spinlock.h>
++#include <linux/version.h>
+#include <net/ip.h>
+#include <net/tcp.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter.h>
+#include <net/netfilter/nf_conntrack.h>
-+#include <net/netfilter/nf_nat_rule.h>
-+#include <linux/spinlock.h>
++#include <net/netfilter/nf_conntrack_core.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_layer7.h>
++#include <linux/ctype.h>
++#include <linux/proc_fs.h>
+
+#include "regexp/regexp.c"
+
-+#include <linux/netfilter_ipv4/ipt_layer7.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+
-+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
+MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
+MODULE_DESCRIPTION("iptables application layer match module");
-+MODULE_VERSION("2.0");
++MODULE_ALIAS("ipt_layer7");
++MODULE_VERSION("2.17");
+
+static int maxdatalen = 2048; // this is the default
+module_param(maxdatalen, int, 0444);
+MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter");
-+
-+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG
+ #define DPRINTK(format,args...) printk(format,##args)
+#else
+ #define DPRINTK(format,args...)
@@ -131,23 +109,7 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ struct pattern_cache * next;
+} * first_pattern_cache = NULL;
+
-+/* I'm new to locking. Here are my assumptions:
-+
-+- No one will write to /proc/net/layer7_numpackets over and over very fast;
-+ if they did, nothing awful would happen.
-+
-+- This code will never be processing the same packet twice at the same time,
-+ because iptables rules are traversed in order.
-+
-+- It doesn't matter if two packets from different connections are in here at
-+ the same time, because they don't share any data.
-+
-+- It _does_ matter if two packets from the same connection (or one from a
-+ master and one from its child) are here at the same time. In this case,
-+ we have to protect the conntracks and the list of compiled patterns.
-+*/
-+DEFINE_RWLOCK(ct_lock);
-+DEFINE_SPINLOCK(list_lock);
++DEFINE_SPINLOCK(l7_lock);
+
+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
+/* Converts an unfriendly string into a friendly one by
@@ -159,7 +121,8 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+
+ if(!f) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in "
++ "friendly_print, bailing.\n");
+ return NULL;
+ }
+
@@ -176,14 +139,14 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+{
+ switch (i) {
+ case 0 ... 9:
-+ return (char)(i + '0');
++ return (i + '0');
+ break;
+ case 10 ... 15:
-+ return (char)(i - 10 + 'a');
++ return (i - 10 + 'a');
+ break;
+ default:
+ if (net_ratelimit())
-+ printk("Problem in dec2hex\n");
++ printk("layer7: Problem in dec2hex\n");
+ return '\0';
+ }
+}
@@ -195,7 +158,8 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+
+ if(!g) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in hex_print, "
++ "bailing.\n");
+ return NULL;
+ }
+
@@ -212,7 +176,8 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+
+/* Use instead of regcomp. As we expect to be seeing the same regexps over and
+over again, it make sense to cache the results. */
-+static regexp * compile_and_cache(char * regex_string, char * protocol)
++static regexp * compile_and_cache(const char * regex_string,
++ const char * protocol)
+{
+ struct pattern_cache * node = first_pattern_cache;
+ struct pattern_cache * last_pattern_cache = first_pattern_cache;
@@ -234,7 +199,8 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+
+ if(!tmp) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
+ return NULL;
+ }
+
@@ -244,7 +210,8 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+
+ if(!tmp->regex_string || !tmp->pattern) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
+ kfree(tmp->regex_string);
+ kfree(tmp->pattern);
+ kfree(tmp);
@@ -262,10 +229,12 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ /* copy the string and compile the regex */
+ len = strlen(regex_string);
+ DPRINTK("About to compile this: \"%s\"\n", regex_string);
-+ node->pattern = regcomp(regex_string, &len);
++ node->pattern = regcomp((char *)regex_string, &len);
+ if ( !node->pattern ) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol);
++ printk(KERN_ERR "layer7: Error compiling regexp "
++ "\"%s\" (%s)\n",
++ regex_string, protocol);
+ /* pattern is now cached as NULL, so we won't try again. */
+ }
+
@@ -305,25 +274,30 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ return ip_hl + 8; /* ICMP header is 8 bytes */
+ } else {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n");
++ printk(KERN_ERR "layer7: tried to handle unknown "
++ "protocol!\n");
+ return ip_hl + 8; /* something reasonable */
+ }
+}
+
+/* handles whether there's a match when we aren't appending data anymore */
-+static int match_no_append(struct nf_conn * conntrack, struct nf_conn * master_conntrack,
-+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
-+ struct ipt_layer7_info * info)
++static int match_no_append(struct nf_conn * conntrack,
++ struct nf_conn * master_conntrack,
++ enum ip_conntrack_info ctinfo,
++ enum ip_conntrack_info master_ctinfo,
++ const struct xt_layer7_info * info)
+{
+ /* If we're in here, throw the app data away */
-+ write_lock(&ct_lock);
+ if(master_conntrack->layer7.app_data != NULL) {
+
+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
+ if(!master_conntrack->layer7.app_proto) {
-+ char * f = friendly_print(master_conntrack->layer7.app_data);
-+ char * g = hex_print(master_conntrack->layer7.app_data);
-+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n",
++ char * f =
++ friendly_print(master_conntrack->layer7.app_data);
++ char * g =
++ hex_print(master_conntrack->layer7.app_data);
++ DPRINTK("\nl7-filter gave up after %d bytes "
++ "(%d packets):\n%s\n",
+ strlen(f), TOTAL_PACKETS, f);
+ kfree(f);
+ DPRINTK("In hex: %s\n", g);
@@ -334,53 +308,54 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ kfree(master_conntrack->layer7.app_data);
+ master_conntrack->layer7.app_data = NULL; /* don't free again */
+ }
-+ write_unlock(&ct_lock);
+
+ if(master_conntrack->layer7.app_proto){
-+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */
-+ write_lock(&ct_lock);
++ /* Here child connections set their .app_proto (for /proc) */
+ if(!conntrack->layer7.app_proto) {
-+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC);
++ conntrack->layer7.app_proto =
++ kmalloc(strlen(master_conntrack->layer7.app_proto)+1,
++ GFP_ATOMIC);
+ if(!conntrack->layer7.app_proto){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory "
++ "in match_no_append, "
++ "bailing.\n");
+ return 1;
+ }
-+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto);
++ strcpy(conntrack->layer7.app_proto,
++ master_conntrack->layer7.app_proto);
+ }
-+ write_unlock(&ct_lock);
+
-+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol));
++ return (!strcmp(master_conntrack->layer7.app_proto,
++ info->protocol));
+ }
+ else {
+ /* If not classified, set to "unknown" to distinguish from
+ connections that are still being tested. */
-+ write_lock(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC);
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen("unknown")+1, GFP_ATOMIC);
+ if(!master_conntrack->layer7.app_proto){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory in "
++ "match_no_append, bailing.\n");
+ return 1;
+ }
+ strcpy(master_conntrack->layer7.app_proto, "unknown");
-+ write_unlock(&ct_lock);
+ return 0;
+ }
+}
+
+/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct nf_conn * master_conntrack,
-+ char * app_data, int appdatalen)
++ char * app_data, int appdatalen)
+{
+ int length = 0, i;
+ int oldlength = master_conntrack->layer7.app_data_len;
+
-+ // This is a fix for a race condition by Deti Fliegl. However, I'm not
-+ // clear on whether the race condition exists or whether this really
-+ // fixes it. I might just be being dense... Anyway, if it's not really
-+ // a fix, all it does is waste a very small amount of time.
++ /* This is a fix for a race condition by Deti Fliegl. However, I'm not
++ clear on whether the race condition exists or whether this really
++ fixes it. I might just be being dense... Anyway, if it's not really
++ a fix, all it does is waste a very small amount of time. */
+ if(!master_conntrack->layer7.app_data) return 0;
+
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
@@ -388,9 +363,10 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ for(i = 0; i < maxdatalen-oldlength-1 &&
+ i < appdatalen; i++) {
+ if(app_data[i] != '\0') {
++ /* the kernel version of tolower mungs 'upper ascii' */
+ master_conntrack->layer7.app_data[length+oldlength] =
-+ /* the kernel version of tolower mungs 'upper ascii' */
-+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
++ isascii(app_data[i])?
++ tolower(app_data[i]) : app_data[i];
+ length++;
+ }
+ }
@@ -401,33 +377,109 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ return length;
+}
+
-+/* Returns true on match and false otherwise. */
-+static int match(const struct sk_buff *skbin,
-+ const struct net_device *in, const struct net_device *out,
-+ const struct xt_match *match, const void *matchinfo,
-+ int offset, unsigned int protoff, int *hotdrop)
++/* taken from drivers/video/modedb.c */
++static int my_atoi(const char *s)
++{
++ int val = 0;
++
++ for (;; s++) {
++ switch (*s) {
++ case '0'...'9':
++ val = 10*val+(*s-'0');
++ break;
++ default:
++ return val;
++ }
++ }
++}
++
++/* write out num_packets to userland. */
++static int layer7_read_proc(char* page, char ** start, off_t off, int count,
++ int* eof, void * data)
++{
++ if(num_packets > 99 && net_ratelimit())
++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
++
++ page[0] = num_packets/10 + '0';
++ page[1] = num_packets%10 + '0';
++ page[2] = '\n';
++ page[3] = '\0';
++
++ *eof=1;
++
++ return 3;
++}
++
++/* Read in num_packets from userland */
++static int layer7_write_proc(struct file* file, const char* buffer,
++ unsigned long count, void *data)
++{
++ char * foo = kmalloc(count, GFP_ATOMIC);
++
++ if(!foo){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory, bailing. "
++ "num_packets unchanged.\n");
++ return count;
++ }
++
++ if(copy_from_user(foo, buffer, count)) {
++ return -EFAULT;
++ }
++
++
++ num_packets = my_atoi(foo);
++ kfree (foo);
++
++ /* This has an arbitrary limit to make the math easier. I'm lazy.
++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
++ if(num_packets > 99) {
++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
++ num_packets = 99;
++ } else if(num_packets < 1) {
++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
++ num_packets = 1;
++ }
++
++ return count;
++}
++
++static int
++match(const struct sk_buff *skbin,
++ const struct net_device *in,
++ const struct net_device *out,
++ const struct xt_match *match,
++ const void *matchinfo,
++ int offset,
++ unsigned int protoff,
++ int *hotdrop)
+{
+ /* sidestep const without getting a compiler warning... */
-+ struct sk_buff * skb = (struct sk_buff *)skbin;
++ struct sk_buff * skb = (struct sk_buff *)skbin;
+
-+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
++ const struct xt_layer7_info * info = matchinfo;
+ enum ip_conntrack_info master_ctinfo, ctinfo;
-+ struct nf_conn *master_conntrack;
-+ struct nf_conn *conntrack;
++ struct nf_conn *master_conntrack, *conntrack;
+ unsigned char * app_data;
+ unsigned int pattern_result, appdatalen;
+ regexp * comppattern;
+
++ /* Be paranoid/incompetent - lock the entire match function. */
++ spin_lock_bh(&l7_lock);
++
+ if(!can_handle(skb)){
+ DPRINTK("layer7: This is some protocol I can't handle.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+
+ /* Treat parent & all its children together as one connection, except
+ for the purpose of setting conntrack->layer7.app_proto in the actual
+ connection. This makes /proc/net/ip_conntrack more satisfying. */
-+ if(((conntrack = nf_ct_get((struct sk_buff *)skb, &ctinfo)) == NULL) ||
-+ ((master_conntrack = nf_ct_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) {
++ if(!(conntrack = nf_ct_get(skb, &ctinfo)) ||
++ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){
++ DPRINTK("layer7: couldn't get conntrack.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+
@@ -439,95 +491,100 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ if(TOTAL_PACKETS > num_packets ||
+ master_conntrack->layer7.app_proto) {
+
-+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
++ pattern_result = match_no_append(conntrack, master_conntrack,
++ ctinfo, master_ctinfo, info);
+
-+ /* skb->cb[0] == seen. Don't do things twice if there are multiple l7
-+ rules. I'm not sure that using cb for this purpose is correct, even though
-+ it says "put your private variables there". But it doesn't look like it
-+ is being used for anything else in the skbs that make it here. */
-+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
++ /* skb->cb[0] == seen. Don't do things twice if there are
++ multiple l7 rules. I'm not sure that using cb for this purpose
++ is correct, even though it says "put your private variables
++ there". But it doesn't look like it is being used for anything
++ else in the skbs that make it here. */
++ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */
+
++ spin_unlock_bh(&l7_lock);
+ return (pattern_result ^ info->invert);
+ }
+
+ if(skb_is_nonlinear(skb)){
+ if(skb_linearize(skb) != 0){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
++ printk(KERN_ERR "layer7: failed to linearize "
++ "packet, bailing.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+ }
+
+ /* now that the skb is linearized, it's safe to set these. */
+ app_data = skb->data + app_data_offset(skb);
-+ appdatalen = skb->tail - app_data;
++ appdatalen = skb_tail_pointer(skb) - app_data;
+
-+ spin_lock_bh(&list_lock);
+ /* the return value gets checked later, when we're ready to use it */
+ comppattern = compile_and_cache(info->pattern, info->protocol);
-+ spin_unlock_bh(&list_lock);
+
+ /* On the first packet of a connection, allocate space for app data */
-+ write_lock(&ct_lock);
-+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
-+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
++ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
++ !master_conntrack->layer7.app_data){
++ master_conntrack->layer7.app_data =
++ kmalloc(maxdatalen, GFP_ATOMIC);
+ if(!master_conntrack->layer7.app_data){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+
+ master_conntrack->layer7.app_data[0] = '\0';
+ }
-+ write_unlock(&ct_lock);
+
+ /* Can be here, but unallocated, if numpackets is increased near
+ the beginning of a connection */
-+ if(master_conntrack->layer7.app_data == NULL)
++ if(master_conntrack->layer7.app_data == NULL){
++ spin_unlock_bh(&l7_lock);
+ return (info->invert); /* unmatched */
++ }
+
+ if(!skb->cb[0]){
+ int newbytes;
-+ write_lock(&ct_lock);
+ newbytes = add_data(master_conntrack, app_data, appdatalen);
-+ write_unlock(&ct_lock);
+
+ if(newbytes == 0) { /* didn't add any data */
+ skb->cb[0] = 1;
+ /* Didn't match before, not going to match now */
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+ }
+
+ /* If looking for "unknown", then never match. "Unknown" means that
+ we've given up; we're still trying with these packets. */
-+ read_lock(&ct_lock);
+ if(!strcmp(info->protocol, "unknown")) {
+ pattern_result = 0;
+ /* If looking for "unset", then always match. "Unset" means that we
+ haven't yet classified the connection. */
+ } else if(!strcmp(info->protocol, "unset")) {
+ pattern_result = 2;
-+ DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets);
++ DPRINTK("layer7: matched unset: not yet classified "
++ "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
+ /* If the regexp failed to compile, don't bother running it */
-+ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
++ } else if(comppattern &&
++ regexec(comppattern, master_conntrack->layer7.app_data)){
+ DPRINTK("layer7: matched %s\n", info->protocol);
+ pattern_result = 1;
+ } else pattern_result = 0;
-+ read_unlock(&ct_lock);
+
+ if(pattern_result == 1) {
-+ write_lock(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
+ if(!master_conntrack->layer7.app_proto){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
+ return (pattern_result ^ info->invert);
+ }
+ strcpy(master_conntrack->layer7.app_proto, info->protocol);
-+ write_unlock(&ct_lock);
+ } else if(pattern_result > 1) { /* cleanup from "unset" */
+ pattern_result = 1;
+ }
@@ -535,169 +592,99 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ /* mark the packet seen */
+ skb->cb[0] = 1;
+
++ spin_unlock_bh(&l7_lock);
+ return (pattern_result ^ info->invert);
+}
+
-+static struct xt_match layer7_match = {
-+ .name = "layer7",
-+ .match = &match,
-+ .matchsize = sizeof(struct ipt_layer7_info),
-+ .family = AF_INET,
-+ .me = THIS_MODULE
-+};
++static int check(const char *tablename,
++ const void *inf,
++ const struct xt_match *match,
++ void *matchinfo,
++ unsigned int hook_mask)
+
-+/* taken from drivers/video/modedb.c */
-+static int my_atoi(const char *s)
+{
-+ int val = 0;
-+
-+ for (;; s++) {
-+ switch (*s) {
-+ case '0'...'9':
-+ val = 10*val+(*s-'0');
-+ break;
-+ default:
-+ return val;
-+ }
-+ }
++ // load nf_conntrack_ipv4
++ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
++ printk(KERN_WARNING "can't load conntrack support for "
++ "proto=%d\n", match->family);
++ return false;
++ }
++ return true;
+}
+
-+/* write out num_packets to userland. */
-+static int layer7_read_proc(char* page, char ** start, off_t off, int count,
-+ int* eof, void * data)
++static void
++destroy(const struct xt_match *match, void *matchinfo)
+{
-+ if(num_packets > 99 && net_ratelimit())
-+ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
-+
-+ page[0] = num_packets/10 + '0';
-+ page[1] = num_packets%10 + '0';
-+ page[2] = '\n';
-+ page[3] = '\0';
-+
-+ *eof=1;
-+
-+ return 3;
++ nf_ct_l3proto_module_put(match->family);
+}
+
-+/* Read in num_packets from userland */
-+static int layer7_write_proc(struct file* file, const char* buffer,
-+ unsigned long count, void *data)
++static struct xt_match xt_layer7_match[] = {
+{
-+ char * foo = kmalloc(count, GFP_ATOMIC);
-+
-+ if(!foo){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n");
-+ return count;
-+ }
-+
-+ if(copy_from_user(foo, buffer, count)) {
-+ return -EFAULT;
-+ }
-+
-+
-+ num_packets = my_atoi(foo);
-+ kfree (foo);
-+
-+ /* This has an arbitrary limit to make the math easier. I'm lazy.
-+ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
-+ if(num_packets > 99) {
-+ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
-+ num_packets = 99;
-+ } else if(num_packets < 1) {
-+ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
-+ num_packets = 1;
-+ }
++ .name = "layer7",
++ .family = AF_INET,
++ .checkentry = check,
++ .match = match,
++ .destroy = destroy,
++ .matchsize = sizeof(struct xt_layer7_info),
++ .me = THIS_MODULE
++}
++};
+
-+ return count;
++static void layer7_cleanup_proc(void)
++{
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
++ remove_proc_entry("layer7_numpackets", proc_net);
++#else
++ remove_proc_entry("layer7_numpackets", init_net.proc_net);
++#endif
+}
+
+/* register the proc file */
+static void layer7_init_proc(void)
+{
+ struct proc_dir_entry* entry;
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
++#else
++ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
++#endif
+ entry->read_proc = layer7_read_proc;
+ entry->write_proc = layer7_write_proc;
+}
+
-+static void layer7_cleanup_proc(void)
-+{
-+ remove_proc_entry("layer7_numpackets", proc_net);
-+}
-+
-+static int __init ipt_layer7_init(void)
++static int __init xt_layer7_init(void)
+{
+ need_conntrack();
+
+ layer7_init_proc();
+ if(maxdatalen < 1) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, "
++ "using 1\n");
+ maxdatalen = 1;
+ }
+ /* This is not a hard limit. It's just here to prevent people from
+ bringing their slow machines to a grinding halt. */
+ else if(maxdatalen > 65536) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, "
++ "using 65536\n");
+ maxdatalen = 65536;
+ }
-+ return xt_register_match(&layer7_match);
++ return xt_register_matches(xt_layer7_match,
++ ARRAY_SIZE(xt_layer7_match));
+}
+
-+static void __exit ipt_layer7_fini(void)
++static void __exit xt_layer7_fini(void)
+{
+ layer7_cleanup_proc();
-+ xt_unregister_match(&layer7_match);
++ xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match));
+}
+
-+module_init(ipt_layer7_init);
-+module_exit(ipt_layer7_fini);
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig
-===================================================================
---- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Kconfig 2007-07-02 02:16:21.857539250 +0200
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/Kconfig 2007-07-02 03:43:29.324235500 +0200
-@@ -63,6 +63,24 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config IP_NF_MATCH_LAYER7
-+ tristate "Layer 7 match support (EXPERIMENTAL)"
-+ depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
-+ help
-+ Say Y if you want to be able to classify connections (and their
-+ packets) based on regular expression matching of their application
-+ layer data. This is one way to classify applications such as
-+ peer-to-peer filesharing systems that do not always use the same
-+ port.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_MATCH_LAYER7_DEBUG
-+ bool "Layer 7 debugging output"
-+ depends on IP_NF_MATCH_LAYER7
-+ help
-+ Say Y to get lots of debugging output.
-+
- config IP_NF_MATCH_TOS
- tristate "TOS match support"
- depends on IP_NF_IPTABLES
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/Makefile
++module_init(xt_layer7_init);
++module_exit(xt_layer7_fini);
+Index: linux-2.6.22.18/net/netfilter/regexp/regexp.c
===================================================================
---- linux-2.6.22-rc6.orig/net/ipv4/netfilter/Makefile 2007-07-02 02:16:21.865539750 +0200
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/Makefile 2007-07-02 03:43:29.336236250 +0200
-@@ -50,6 +50,8 @@
- obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
- obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
-
-+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
-+
- # targets
- obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
- obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c 2007-07-02 02:35:33.797531000 +0200
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/regexp/regexp.c
@@ -0,0 +1,1197 @@
+/*
+ * regcomp and regexec -- regsub and regerror are elsewhere
@@ -935,7 +922,7 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c
+ register int len;
+ int flags;
+ struct match_globals g;
-+
++
+ /* commented out by ethan
+ extern char *malloc();
+ */
@@ -1062,7 +1049,7 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c
+ }
+
+ /* Make a closing node, and hook it on the end. */
-+ ender = regnode(g, (paren) ? CLOSE+parno : END);
++ ender = regnode(g, (paren) ? CLOSE+parno : END);
+ regtail(g, ret, ender);
+
+ /* Hook the tails of the branches to the closing node. */
@@ -1896,10 +1883,10 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.c
+#endif
+
+
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h
+Index: linux-2.6.22.18/net/netfilter/regexp/regexp.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h 2007-07-02 02:16:23.677653000 +0200
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/regexp/regexp.h
@@ -0,0 +1,41 @@
+/*
+ * Definitions etc. for regexp(3) routines.
@@ -1942,20 +1929,20 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regexp.h
+void regerror(char *s);
+
+#endif
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h
+Index: linux-2.6.22.18/net/netfilter/regexp/regmagic.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regmagic.h 2007-07-02 02:16:23.701654500 +0200
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/regexp/regmagic.h
@@ -0,0 +1,5 @@
+/*
+ * The first byte of the regexp internal "program" is actually this magic
+ * number; the start node begins in the second byte.
+ */
+#define MAGIC 0234
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c
+Index: linux-2.6.22.18/net/netfilter/regexp/regsub.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c 2007-07-02 02:35:46.074298250 +0200
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/regexp/regsub.c
@@ -0,0 +1,95 @@
+/*
+ * regsub
@@ -2013,7 +2000,7 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c
+ register char c;
+ register int no;
+ register int len;
-+
++
+ /* Not necessary and gcc doesn't like it -MLS */
+ /*extern char *strncpy();*/
+
@@ -2052,15 +2039,53 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/regexp/regsub.c
+ }
+ *dst++ = '\0';
+}
-Index: linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h
+Index: linux-2.6.22.18/net/netfilter/nf_conntrack_core.c
+===================================================================
+--- linux-2.6.22.18.orig/net/netfilter/nf_conntrack_core.c
++++ linux-2.6.22.18/net/netfilter/nf_conntrack_core.c
+@@ -330,6 +330,14 @@ destroy_conntrack(struct nf_conntrack *n
+ * too. */
+ nf_ct_remove_expectations(ct);
+
++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(ct->layer7.app_proto)
++ kfree(ct->layer7.app_proto);
++ if(ct->layer7.app_data)
++ kfree(ct->layer7.app_data);
++ #endif
++
++
+ /* We overload first tuple to link into unconfirmed list. */
+ if (!nf_ct_is_confirmed(ct)) {
+ BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
+Index: linux-2.6.22.18/net/netfilter/nf_conntrack_standalone.c
===================================================================
---- linux-2.6.22-rc6.orig/include/net/netfilter/nf_conntrack.h 2007-07-02 02:16:21.825537250 +0200
-+++ linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h 2007-07-02 02:16:23.749657500 +0200
-@@ -128,6 +128,21 @@
+--- linux-2.6.22.18.orig/net/netfilter/nf_conntrack_standalone.c
++++ linux-2.6.22.18/net/netfilter/nf_conntrack_standalone.c
+@@ -184,7 +184,12 @@ static int ct_seq_show(struct seq_file *
+ return -ENOSPC;
+ #endif
+
+- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(conntrack->layer7.app_proto)
++ if(seq_printf(s, "l7proto=%s ", conntrack->layer7.app_proto))
++ return -ENOSPC;
++#endif
++ if (seq_printf(s, "asdfuse=%u\n", atomic_read(&conntrack->ct_general.use)))
+ return -ENOSPC;
+
+ return 0;
+Index: linux-2.6.22.18/include/net/netfilter/nf_conntrack.h
+===================================================================
+--- linux-2.6.22.18.orig/include/net/netfilter/nf_conntrack.h
++++ linux-2.6.22.18/include/net/netfilter/nf_conntrack.h
+@@ -128,6 +128,22 @@ struct nf_conn
u_int32_t secmark;
#endif
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ struct {
+ /*
+ * e.g. "http". NULL before decision. "unknown" after decision
@@ -2078,3 +2103,21 @@ Index: linux-2.6.22-rc6/include/net/netfilter/nf_conntrack.h
/* Storage reserved for other modules: */
union nf_conntrack_proto proto;
+Index: linux-2.6.22.18/include/linux/netfilter/xt_layer7.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/xt_layer7.h
+@@ -0,0 +1,13 @@
++#ifndef _XT_LAYER7_H
++#define _XT_LAYER7_H
++
++#define MAX_PATTERN_LEN 8192
++#define MAX_PROTOCOL_LEN 256
++
++struct xt_layer7_info {
++ char protocol[MAX_PROTOCOL_LEN];
++ char pattern[MAX_PATTERN_LEN];
++ u_int8_t invert;
++};
++
++#endif /* _XT_LAYER7_H */
diff --git a/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch
index 5ac30a7c2e..8f2456ffed 100644
--- a/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch
+++ b/target/linux/generic-2.6/patches-2.6.22/101-netfilter_layer7_pktmatch.patch
@@ -1,36 +1,37 @@
-Index: linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h
+Index: linux-2.6.22.18/include/linux/netfilter/xt_layer7.h
===================================================================
---- linux-2.6.22-rc6.orig/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:23:28.597194750 +0200
-+++ linux-2.6.22-rc6/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 03:23:44.730203000 +0200
-@@ -21,6 +21,7 @@
+--- linux-2.6.22.18.orig/include/linux/netfilter/xt_layer7.h
++++ linux-2.6.22.18/include/linux/netfilter/xt_layer7.h
+@@ -8,6 +8,7 @@ struct xt_layer7_info {
char protocol[MAX_PROTOCOL_LEN];
- char invert:1;
char pattern[MAX_PATTERN_LEN];
-+ char pkt;
+ u_int8_t invert;
++ u_int8_t pkt;
};
- #endif /* _IPT_LAYER7_H */
-Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ #endif /* _XT_LAYER7_H */
+Index: linux-2.6.22.18/net/netfilter/xt_layer7.c
===================================================================
---- linux-2.6.22-rc6.orig/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:23:28.609195500 +0200
-+++ linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 03:23:54.234797000 +0200
-@@ -300,33 +300,34 @@
+--- linux-2.6.22.18.orig/net/netfilter/xt_layer7.c
++++ linux-2.6.22.18/net/netfilter/xt_layer7.c
+@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con
}
/* add the new app data to the conntrack. Return number of bytes added. */
-static int add_data(struct nf_conn * master_conntrack,
-- char * app_data, int appdatalen)
+- char * app_data, int appdatalen)
+static int add_datastr(char *target, int offset, char *app_data, int len)
{
int length = 0, i;
- int oldlength = master_conntrack->layer7.app_data_len;
-
-- // This is a fix for a race condition by Deti Fliegl. However, I'm not
-- // clear on whether the race condition exists or whether this really
-- // fixes it. I might just be being dense... Anyway, if it's not really
-- // a fix, all it does is waste a very small amount of time.
+- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
+- clear on whether the race condition exists or whether this really
+- fixes it. I might just be being dense... Anyway, if it's not really
+- a fix, all it does is waste a very small amount of time. */
- if(!master_conntrack->layer7.app_data) return 0;
-+ if(!target) return 0;
++
++ if (!target) return 0;
/* Strip nulls. Make everything lower case (our regex lib doesn't
do case insensitivity). Add it to the end of the current data. */
@@ -38,15 +39,16 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
- i < appdatalen; i++) {
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
if(app_data[i] != '\0') {
+ /* the kernel version of tolower mungs 'upper ascii' */
- master_conntrack->layer7.app_data[length+oldlength] =
+ target[length+offset] =
- /* the kernel version of tolower mungs 'upper ascii' */
- isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
+ isascii(app_data[i])?
+ tolower(app_data[i]) : app_data[i];
length++;
}
}
+ target[length+offset] = '\0';
-+
++
+ return length;
+}
@@ -54,7 +56,7 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
- master_conntrack->layer7.app_data_len = length + oldlength;
+/* add the new app data to the conntrack. Return number of bytes added. */
+static int add_data(struct nf_conn * master_conntrack,
-+ char * app_data, int appdatalen)
++ char * app_data, int appdatalen)
+{
+ int length;
@@ -63,29 +65,29 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
return length;
}
-@@ -343,7 +344,7 @@
+@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin,
+ const struct xt_layer7_info * info = matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo;
- struct nf_conn *master_conntrack;
- struct nf_conn *conntrack;
+ struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data;
+ unsigned char *app_data, *tmp_data;
unsigned int pattern_result, appdatalen;
regexp * comppattern;
-@@ -365,8 +366,8 @@
+@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin,
master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */
- if(TOTAL_PACKETS > num_packets ||
- master_conntrack->layer7.app_proto) {
+ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
-+ master_conntrack->layer7.app_proto)) {
-
- pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
++ master_conntrack->layer7.app_proto)) {
-@@ -396,6 +397,23 @@
+ pattern_result = match_no_append(conntrack, master_conntrack,
+ ctinfo, master_ctinfo, info);
+@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin,
+ /* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol);
- spin_unlock_bh(&list_lock);
+ if (info->pkt) {
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
@@ -98,12 +100,14 @@ Index: linux-2.6.22-rc6/net/ipv4/netfilter/ipt_layer7.c
+ tmp_data[0] = '\0';
+ add_datastr(tmp_data, 0, app_data, appdatalen);
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++
+ kfree(tmp_data);
+ tmp_data = NULL;
++ spin_unlock_bh(&l7_lock);
+
+ return (pattern_result ^ info->invert);
+ }
+
/* On the first packet of a connection, allocate space for app data */
- write_lock(&ct_lock);
- if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
+ !master_conntrack->layer7.app_data){
diff --git a/target/linux/generic-2.6/patches-2.6.22/110-ipp2p_0.8.1rc1.patch b/target/linux/generic-2.6/patches-2.6.22/110-ipp2p_0.8.1rc1.patch
index 6963ac098e..9a4cb63cd1 100644
--- a/target/linux/generic-2.6/patches-2.6.22/110-ipp2p_0.8.1rc1.patch
+++ b/target/linux/generic-2.6/patches-2.6.22/110-ipp2p_0.8.1rc1.patch
@@ -1,6 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-05-26 20:21:54.586864296 +0200
+Index: linux-2.6.22.18/include/linux/netfilter_ipv4/ipt_ipp2p.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter_ipv4/ipt_ipp2p.h
@@ -0,0 +1,31 @@
+#ifndef __IPT_IPP2P_H
+#define __IPT_IPP2P_H
@@ -33,9 +34,10 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.
+#define IPP2P_MUTE (1 << 14)
+#define IPP2P_WASTE (1 << 15)
+#define IPP2P_XDCC (1 << 16)
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c 2007-05-26 20:21:54.587864144 +0200
+Index: linux-2.6.22.18/net/ipv4/netfilter/ipt_ipp2p.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/ipv4/netfilter/ipt_ipp2p.c
@@ -0,0 +1,882 @@
+#if defined(MODVERSIONS)
+#include <linux/modversions.h>
@@ -919,12 +921,13 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/n
+module_exit(fini);
+
+
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig
---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig 2007-05-26 20:17:47.626407992 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig 2007-05-26 20:21:54.587864144 +0200
-@@ -81,6 +81,12 @@
- help
- Say Y to get lots of debugging output.
+Index: linux-2.6.22.18/net/ipv4/netfilter/Kconfig
+===================================================================
+--- linux-2.6.22.18.orig/net/ipv4/netfilter/Kconfig
++++ linux-2.6.22.18/net/ipv4/netfilter/Kconfig
+@@ -63,6 +63,12 @@ config IP_NF_MATCH_IPRANGE
+
+ To compile it as a module, choose M here. If unsure, say N.
+config IP_NF_MATCH_IPP2P
+ tristate "IPP2P"
@@ -935,15 +938,15 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i
config IP_NF_MATCH_TOS
tristate "TOS match support"
depends on IP_NF_IPTABLES
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile
---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile 2007-05-26 20:17:47.638406168 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile 2007-05-26 20:21:54.588863992 +0200
-@@ -49,7 +49,7 @@
+Index: linux-2.6.22.18/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.6.22.18.orig/net/ipv4/netfilter/Makefile
++++ linux-2.6.22.18/net/ipv4/netfilter/Makefile
+@@ -49,6 +49,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
--
+obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o
- obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
# targets
+ obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
diff --git a/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables_0.8.patch
index 2bc678e961..e2a288d921 100644
--- a/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables.patch
+++ b/target/linux/generic-2.6/patches-2.6.22/170-netfilter_chaostables_0.8.patch
@@ -1,15 +1,17 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h
---- linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h 2007-05-26 20:40:10.922195992 +0200
+Index: linux-2.6.22.18/include/linux/netfilter/oot_conntrack.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/oot_conntrack.h
@@ -0,0 +1,5 @@
+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
+# include <linux/netfilter_ipv4/ip_conntrack.h>
+#else /* linux-2.6.20+ */
+# include <net/netfilter/nf_nat_rule.h>
+#endif
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h
---- linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h 2007-05-26 20:40:10.940193256 +0200
+Index: linux-2.6.22.18/include/linux/netfilter/oot_trans.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/oot_trans.h
@@ -0,0 +1,14 @@
+/* Out of tree workarounds */
+#include <linux/version.h>
@@ -25,39 +27,42 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h linux-2.6.21.1.
+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
+ tcp_v4_check((tcph_sz), (s), (d), (csp))
+#endif
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h
---- linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h 2007-05-26 20:40:10.940193256 +0200
+Index: linux-2.6.22.18/include/linux/netfilter/xt_CHAOS.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/xt_CHAOS.h
@@ -0,0 +1,14 @@
-+#ifndef _LINUX_XT_CHAOS_H
-+#define _LINUX_XT_CHAOS_H 1
++#ifndef _LINUX_NETFILTER_XT_CHAOS_H
++#define _LINUX_NETFILTER_XT_CHAOS_H 1
+
-+enum xt_chaos_variant {
++enum xt_chaos_target_variant {
+ XTCHAOS_NORMAL,
+ XTCHAOS_TARPIT,
+ XTCHAOS_DELUDE,
+};
+
-+struct xt_chaos_info {
-+ enum xt_chaos_variant variant;
++struct xt_chaos_target_info {
++ uint8_t variant;
+};
+
-+#endif /* _LINUX_XT_CHAOS_H */
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h
---- linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h 2007-05-26 20:40:10.940193256 +0200
++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
+Index: linux-2.6.22.18/include/linux/netfilter/xt_portscan.h
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/include/linux/netfilter/xt_portscan.h
@@ -0,0 +1,8 @@
-+#ifndef _LINUX_XT_PORTSCAN_H
-+#define _LINUX_XT_PORTSCAN_H 1
++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
+
-+struct xt_portscan_info {
-+ unsigned int match_stealth, match_syn, match_cn, match_gr;
++struct xt_portscan_match_info {
++ uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
-+#endif /* _LINUX_XT_PORTSCAN_H */
-diff -urN linux-2.6.21.1.old/net/netfilter/find_match.c linux-2.6.21.1.dev/net/netfilter/find_match.c
---- linux-2.6.21.1.old/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/find_match.c 2007-05-26 20:40:10.970188696 +0200
++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
+Index: linux-2.6.22.18/net/netfilter/find_match.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/find_match.c
@@ -0,0 +1,39 @@
+/*
+ xt_request_find_match
@@ -90,7 +95,7 @@ diff -urN linux-2.6.21.1.old/net/netfilter/find_match.c linux-2.6.21.1.dev/net/n
+
+ match = try_then_request_module(xt_find_match(af, name, revision),
+ "%st_%s", xt_prefix[af], name);
-+ if(IS_ERR(match) || match == NULL)
++ if (IS_ERR(match) || match == NULL)
+ return NULL;
+
+ return match;
@@ -98,10 +103,11 @@ diff -urN linux-2.6.21.1.old/net/netfilter/find_match.c linux-2.6.21.1.dev/net/n
+
+/* In case it goes into mainline, let this out-of-tree package compile */
+#define xt_request_find_match xt_request_find_match_lo
-diff -urN linux-2.6.21.1.old/net/netfilter/Kconfig linux-2.6.21.1.dev/net/netfilter/Kconfig
---- linux-2.6.21.1.old/net/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/Kconfig 2007-05-26 20:40:11.003183680 +0200
-@@ -255,6 +255,14 @@
+Index: linux-2.6.22.18/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.22.18.orig/net/netfilter/Kconfig
++++ linux-2.6.22.18/net/netfilter/Kconfig
+@@ -255,6 +255,14 @@ config NETFILTER_XTABLES
# alphabetically ordered list of targets
@@ -116,7 +122,7 @@ diff -urN linux-2.6.21.1.old/net/netfilter/Kconfig linux-2.6.21.1.dev/net/netfil
config NETFILTER_XT_TARGET_CLASSIFY
tristate '"CLASSIFY" target support'
depends on NETFILTER_XTABLES
-@@ -282,6 +290,14 @@
+@@ -282,6 +290,14 @@ config NETFILTER_XT_TARGET_CONNMARK
<file:Documentation/kbuild/modules.txt>. The module will be called
ipt_CONNMARK.ko. If unsure, say `N'.
@@ -131,7 +137,7 @@ diff -urN linux-2.6.21.1.old/net/netfilter/Kconfig linux-2.6.21.1.dev/net/netfil
config NETFILTER_XT_TARGET_DSCP
tristate '"DSCP" target support'
depends on NETFILTER_XTABLES
-@@ -526,6 +542,14 @@
+@@ -526,6 +542,14 @@ config NETFILTER_XT_MATCH_POLICY
To compile it as a module, choose M here. If unsure, say N.
@@ -146,40 +152,38 @@ diff -urN linux-2.6.21.1.old/net/netfilter/Kconfig linux-2.6.21.1.dev/net/netfil
config NETFILTER_XT_MATCH_MULTIPORT
tristate "Multiple port match support"
depends on NETFILTER_XTABLES
-diff -urN linux-2.6.21.1.old/net/netfilter/Makefile linux-2.6.21.1.dev/net/netfilter/Makefile
---- linux-2.6.21.1.old/net/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/Makefile 2007-05-26 20:40:11.003183680 +0200
-@@ -37,8 +37,10 @@
- obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
-
- # targets
+Index: linux-2.6.22.18/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.22.18.orig/net/netfilter/Makefile
++++ linux-2.6.22.18/net/netfilter/Makefile
+@@ -47,6 +47,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK
+ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
-@@ -63,6 +65,7 @@
- obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
+
+ # matches
+ obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
+@@ -74,3 +76,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING)
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c
---- linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,204 @@
+Index: linux-2.6.22.18/net/netfilter/xt_CHAOS.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/xt_CHAOS.c
+@@ -0,0 +1,200 @@
+/*
-+ CHAOS target for netfilter
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ * CHAOS target for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
+#include <linux/icmp.h>
+#include <linux/in.h>
+#include <linux/ip.h>
@@ -190,9 +194,17 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/net
+#include <linux/netfilter/xt_tcpudp.h>
+#include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <net/ip.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+#include "find_match.c"
-+#include <linux/netfilter/oot_trans.h>
++#if defined(_LOCAL)
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
++# include <linux/netfilter/xt_CHAOS.h>
++# include "find_match.c"
++#else
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#endif
+#define PFX KBUILD_MODNAME ": "
+
+/* Module parameters */
@@ -218,110 +230,97 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/net
+};
+
+/* CHAOS functions */
-+static void xt_chaos_total(const struct xt_chaos_info *info,
++static void xt_chaos_total(const struct xt_chaos_target_info *info,
+ struct sk_buff **pskb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum)
+{
-+ const int protoff = ip_hdrlen(*pskb);
-+ const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET;
++ const struct iphdr *iph = ip_hdr(*pskb);
++ const int protoff = 4 * iph->ihl;
++ const int offset = ntohs(iph->frag_off) & IP_OFFSET;
+ const struct xt_target *destiny;
+ int hotdrop = 0, ret;
+
+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
+ offset, protoff, &hotdrop);
-+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
+ return;
+
+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-+#ifdef HAVE_TARGUSERINFO
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
-+#else
+ destiny->target(pskb, in, out, hooknum, destiny, NULL);
-+#endif
+ return;
+}
+
-+static unsigned int xt_chaos_target(struct sk_buff **pskb,
++static unsigned int chaos_tg(struct sk_buff **pskb,
+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
+{
-+ /* Equivalent to:
++ /*
++ * Equivalent to:
+ * -A chaos -m statistic --mode random --probability \
+ * $reject_percentage -j REJECT --reject-with host-unreach;
+ * -A chaos -p tcp -m statistic --mode random --probability \
+ * $delude_percentage -j DELUDE;
+ * -A chaos -j DROP;
+ */
-+ const struct xt_chaos_info *info = targinfo;
++ const struct xt_chaos_target_info *info = targinfo;
++ const struct iphdr *iph = ip_hdr(*pskb);
+
-+ if((unsigned int)net_random() <= reject_percentage)
-+#ifdef HAVE_TARGUSERINFO
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params, userinfo);
-+#else
++ if ((unsigned int)net_random() <= reject_percentage)
+ return xt_reject->target(pskb, in, out, hooknum, target,
+ &reject_params);
-+#endif
+
+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
-+ if(ip_hdr(*pskb)->protocol == IPPROTO_TCP &&
-+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
++ if (iph->protocol == IPPROTO_TCP &&
++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
+ xt_chaos_total(info, pskb, in, out, hooknum);
+
+ return NF_DROP;
+}
+
-+static int xt_chaos_checkentry(const char *tablename, const void *entry,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
++static int chaos_tg_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo, unsigned int hook_mask)
+{
-+ const struct xt_chaos_info *info = targinfo;
-+ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
++ const struct xt_chaos_target_info *info = targinfo;
++
++ if (info->variant == XTCHAOS_DELUDE && !have_delude) {
+ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
+ "DELUDE module not available\n");
-+ return 0;
++ return false;
+ }
-+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
+ "TARPIT module not available\n");
-+ return 0;
++ return false;
+ }
-+ return 1;
++
++ return true;
+}
+
-+static struct xt_target xt_chaos_info = {
++static struct xt_target chaos_tg_reg = {
+ .name = "CHAOS",
-+ .target = xt_chaos_target,
-+ .checkentry = xt_chaos_checkentry,
++ .family = AF_INET,
+ .table = "filter",
-+ .targetsize = sizeof(struct xt_chaos_info),
+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
+ (1 << NF_IP_LOCAL_OUT),
-+ .family = AF_INET,
++ .checkentry = chaos_tg_check,
++ .target = chaos_tg,
++ .targetsize = sizeof(struct xt_chaos_target_info),
+ .me = THIS_MODULE,
+};
+
-+static int __init xt_chaos_init(void)
++static int __init chaos_tg_init(void)
+{
+ int ret = -EINVAL;
+
+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
-+ if(xm_tcp == NULL) {
++ if (xm_tcp == NULL) {
+ printk(KERN_WARNING PFX "Error: Could not find or load "
+ "\"tcp\" match\n");
+ return -EINVAL;
+ }
+
+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
-+ if(xt_reject == NULL) {
++ if (xt_reject == NULL) {
+ printk(KERN_WARNING PFX "Error: Could not find or load "
+ "\"REJECT\" target\n");
+ goto out2;
@@ -329,17 +328,17 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/net
+
+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
+ have_tarpit = xt_tarpit != NULL;
-+ if(!have_tarpit)
++ if (!have_tarpit)
+ printk(KERN_WARNING PFX "Warning: Could not find or load "
+ "\"TARPIT\" target\n");
+
+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
+ have_delude = xt_delude != NULL;
-+ if(!have_delude)
++ if (!have_delude)
+ printk(KERN_WARNING PFX "Warning: Could not find or load "
+ "\"DELUDE\" target\n");
+
-+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
+ printk(KERN_WARNING PFX "xt_register_target returned "
+ "error %d\n", ret);
+ goto out3;
@@ -348,9 +347,9 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/net
+ return 0;
+
+ out3:
-+ if(have_delude)
++ if (have_delude)
+ module_put(xt_delude->me);
-+ if(have_tarpit)
++ if (have_tarpit)
+ module_put(xt_tarpit->me);
+ module_put(xt_reject->me);
+ out2:
@@ -358,131 +357,67 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/net
+ return ret;
+}
+
-+static void __exit xt_chaos_exit(void)
++static void __exit chaos_tg_exit(void)
+{
-+ xt_unregister_target(&xt_chaos_info);
++ xt_unregister_target(&chaos_tg_reg);
+ module_put(xm_tcp->me);
+ module_put(xt_reject->me);
-+ if(have_delude)
++ if (have_delude)
+ module_put(xt_delude->me);
-+ if(have_tarpit)
++ if (have_tarpit)
+ module_put(xt_tarpit->me);
+ return;
+}
+
-+module_init(xt_chaos_init);
-+module_exit(xt_chaos_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter CHAOS target");
++module_init(chaos_tg_init);
++module_exit(chaos_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_CHAOS");
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c
---- linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,288 @@
+Index: linux-2.6.22.18/net/netfilter/xt_DELUDE.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/xt_DELUDE.c
+@@ -0,0 +1,197 @@
+/*
-+ DELUDE target
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
-+
-+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
-+ (C) 1999-2001 Paul `Rusty' Russell
-+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
-+
-+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ * DELUDE target
++ * Copyright © CC Computer Consultants GmbH, 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
++ * (C) 1999-2001 Paul `Rusty' Russell
++ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
++ *
++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
-+#include <linux/random.h>
+#include <linux/tcp.h>
-+#include <linux/udp.h>
-+#include <linux/icmp.h>
-+#include <net/icmp.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/route.h>
-+#include <net/dst.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter/x_tables.h>
+#ifdef CONFIG_BRIDGE_NETFILTER
+# include <linux/netfilter_bridge.h>
+#endif
-+#include <linux/netfilter/oot_trans.h>
++#include <net/tcp.h>
+#define PFX KBUILD_MODNAME ": "
+
-+static inline struct rtable *route_reverse(struct sk_buff *skb,
-+ struct tcphdr *tcph, int hook)
-+{
-+ struct iphdr *iph = ip_hdr(skb);
-+ struct dst_entry *odst;
-+ struct flowi fl = {};
-+ struct rtable *rt;
-+
-+ /* We don't require ip forwarding to be enabled to be able to
-+ * send a RST reply for bridged traffic. */
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ ) {
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ if (hook == NF_IP_LOCAL_IN)
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+ } else {
-+ /* non-local src, find valid iif to satisfy
-+ * rp-filter when calling ip_route_input. */
-+ fl.nl_u.ip4_u.daddr = iph->daddr;
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+
-+ odst = skb->dst;
-+ if (ip_route_input(skb, iph->saddr, iph->daddr,
-+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+ dst_release(&rt->u.dst);
-+ rt = (struct rtable *)skb->dst;
-+ skb->dst = odst;
-+
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+ }
-+
-+ if (rt->u.dst.error) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+
-+ fl.proto = IPPROTO_TCP;
-+ fl.fl_ip_sport = tcph->dest;
-+ fl.fl_ip_dport = tcph->source;
-+
-+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-+
-+ return rt;
-+}
-+
-+static void send_reset(struct sk_buff *oldskb, int hook)
++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
+{
-+ struct sk_buff *nskb;
-+ struct iphdr *iph = ip_hdr(oldskb);
+ struct tcphdr _otcph, *oth, *tcph;
-+ __be16 tmp_port;
-+ __be32 tmp_addr;
-+ int needs_ack;
+ unsigned int addr_type;
++ struct sk_buff *nskb;
++ u_int16_t tmp_port;
++ u_int32_t tmp_addr;
++ struct iphdr *niph;
++ bool needs_ack;
+
+ /* IP header checks: fragment. */
-+ if (iph->frag_off & htons(IP_OFFSET))
++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
+ return;
+
+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
@@ -508,78 +443,75 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c linux-2.6.21.1.dev/net/ne
+
+ /* This packet will not be the same as the other: clear nf fields */
+ nf_reset(nskb);
-+ nskb->nfmark = 0;
++ nskb->mark = 0;
+ skb_init_secmark(nskb);
+
+ skb_shinfo(nskb)->gso_size = 0;
+ skb_shinfo(nskb)->gso_segs = 0;
+ skb_shinfo(nskb)->gso_type = 0;
+
-+ tcph = tcp_hdr(nskb);
++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
+
+ /* Swap source and dest */
-+ tmp_addr = ip_hdr(nskb)->saddr;
-+ ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
-+ ip_hdr(nskb)->daddr = tmp_addr;
-+ tmp_port = tcph->source;
++ niph = ip_hdr(nskb);
++ tmp_addr = niph->saddr;
++ niph->saddr = niph->daddr;
++ niph->daddr = tmp_addr;
++ tmp_port = tcph->source;
+ tcph->source = tcph->dest;
-+ tcph->dest = tmp_port;
++ tcph->dest = tmp_port;
+
+ /* Truncate to length (no data) */
-+ tcph->doff = sizeof(struct tcphdr)/4;
++ tcph->doff = sizeof(struct tcphdr) / 4;
+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
-+ ip_hdr(nskb)->tot_len = htons(nskb->len);
++ niph->tot_len = htons(nskb->len);
+
-+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
+ /* DELUDE essential part */
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
+ oldskb->len - ip_hdrlen(oldskb) -
+ (oth->doff << 2));
-+ tcph->seq = htonl(secure_tcp_sequence_number(
-+ ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
-+ tcph->source, tcph->dest));
-+ tcph->ack = 1;
++ tcph->seq = false;
++ tcph->ack = true;
+ } else {
-+ if(!tcph->ack) {
-+ needs_ack = 1;
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
-+ + oldskb->len - ip_hdrlen(oldskb)
-+ - (oth->doff<<2));
-+ tcph->seq = 0;
++ if (!tcph->ack) {
++ needs_ack = true;
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn +
++ oth->fin + oldskb->len -
++ ip_hdrlen(oldskb) - (oth->doff<<2));
++ tcph->seq = false;
+ } else {
-+ needs_ack = 0;
-+ tcph->seq = oth->ack_seq;
-+ tcph->ack_seq = 0;
++ needs_ack = false;
++ tcph->seq = oth->ack_seq;
++ tcph->ack_seq = false;
+ }
+
+ /* Reset flags */
+ ((u_int8_t *)tcph)[13] = 0;
-+ tcph->rst = 1;
++ tcph->rst = true;
+ tcph->ack = needs_ack;
+ }
+
-+
-+ tcph->window = 0;
++ tcph->window = 0;
+ tcph->urg_ptr = 0;
+
+ /* Adjust TCP checksum */
+ tcph->check = 0;
-+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-+ ip_hdr(nskb)->saddr,
-+ ip_hdr(nskb)->daddr,
-+ csum_partial((char *)tcph,
-+ sizeof(struct tcphdr), 0));
++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
++ niph->daddr, csum_partial((char *)tcph,
++ sizeof(struct tcphdr), 0));
+
+ /* Set DF, id = 0 */
-+ ip_hdr(nskb)->frag_off = htons(IP_DF);
-+ ip_hdr(nskb)->id = 0;
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
+
+ addr_type = RTN_UNSPEC;
-+ if (hook != NF_IP_FORWARD
+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL &&
++ nskb->nf_bridge->mask & BRNF_BRIDGED))
++#else
++ if (hook != NF_IP_FORWARD)
+#endif
-+ )
+ addr_type = RTN_LOCAL;
+
+ if (ip_route_me_harder(&nskb, addr_type))
@@ -588,12 +520,11 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c linux-2.6.21.1.dev/net/ne
+ nskb->ip_summed = CHECKSUM_NONE;
+
+ /* Adjust IP TTL */
-+ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+
+ /* Adjust IP checksum */
-+ ip_hdr(nskb)->check = 0;
-+ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
-+ ip_hdr(nskb)->ihl);
++ niph->check = 0;
++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
+
+ /* "Never happens" */
+ if (nskb->len > dst_mtu(nskb->dst))
@@ -609,77 +540,57 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c linux-2.6.21.1.dev/net/ne
+ kfree_skb(nskb);
+}
+
-+static unsigned int xt_delude_target(struct sk_buff **pskb,
++static unsigned int delude_tg(struct sk_buff **pskb,
+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
+{
+ /* WARNING: This code causes reentry within iptables.
+ This means that the iptables jump stack is now crap. We
+ must return an absolute verdict. --RR */
-+ send_reset(*pskb, hooknum);
++ delude_send_reset(*pskb, hooknum);
+ return NF_DROP;
+}
+
-+static int xt_delude_check(const char *tablename, const void *e_void,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
-+ printk(KERN_WARNING PFX "DELUDE may not be used in chains "
-+ "other than INPUT and FORWARD\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_target xt_delude_info = {
++static struct xt_target delude_tg_reg = {
+ .name = "DELUDE",
-+ .target = xt_delude_target,
-+ .checkentry = xt_delude_check,
++ .family = AF_INET,
+ .table = "filter",
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD),
++ .target = delude_tg,
+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
+ .me = THIS_MODULE,
+};
+
-+static int __init xt_delude_init(void)
++static int __init delude_tg_init(void)
+{
-+ return xt_register_target(&xt_delude_info);
++ return xt_register_target(&delude_tg_reg);
+}
+
-+static void __exit xt_delude_exit(void)
++static void __exit delude_tg_exit(void)
+{
-+ xt_unregister_target(&xt_delude_info);
++ xt_unregister_target(&delude_tg_reg);
+}
+
-+module_init(xt_delude_init);
-+module_exit(xt_delude_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter DELUDE target");
++module_init(delude_tg_init);
++module_exit(delude_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"DELUDE\" target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_DELUDE");
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/netfilter/xt_portscan.c
---- linux-2.6.21.1.old/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_portscan.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,272 @@
+Index: linux-2.6.22.18/net/netfilter/xt_portscan.c
+===================================================================
+--- /dev/null
++++ linux-2.6.22.18/net/netfilter/xt_portscan.c
+@@ -0,0 +1,269 @@
+/*
-+ portscan match for netfilter
-+
-+ Written by Jan Engelhardt, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ * portscan match for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/module.h>
@@ -691,9 +602,15 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/
+#include <linux/version.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter/oot_conntrack.h>
-+#include <linux/netfilter/xt_portscan.h>
-+#include <linux/netfilter/oot_trans.h>
++#include <net/netfilter/nf_nat_rule.h>
++#if defined(_LOCAL)
++# include "xt_portscan.h"
++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE)
++# include <linux/netfilter/xt_portscan.h>
++#else
++# include "xt_portscan.h"
++#endif
+#define PFX KBUILD_MODNAME ": "
+
+enum {
@@ -740,55 +657,55 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/
+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
+
+/* TCP flag functions */
-+static inline int tflg_ack4(const struct tcphdr *th)
++static inline bool tflg_ack4(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
+}
+
-+static inline int tflg_ack6(const struct tcphdr *th)
++static inline bool tflg_ack6(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
+}
+
-+static inline int tflg_fin(const struct tcphdr *th)
++static inline bool tflg_fin(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
+}
+
-+static inline int tflg_rst(const struct tcphdr *th)
++static inline bool tflg_rst(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
+}
+
-+static inline int tflg_rstack(const struct tcphdr *th)
++static inline bool tflg_rstack(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
+ (TCP_FLAG_ACK | TCP_FLAG_RST);
+}
+
-+static inline int tflg_syn(const struct tcphdr *th)
++static inline bool tflg_syn(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
+}
+
-+static inline int tflg_synack(const struct tcphdr *th)
++static inline bool tflg_synack(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
+ (TCP_FLAG_SYN | TCP_FLAG_ACK);
+}
+
+/* portscan functions */
-+static inline int xt_portscan_stealth(const struct tcphdr *th)
++static inline bool portscan_mt_stealth(const struct tcphdr *th)
+{
+ /*
+ * "Connection refused" replies to our own probes must not be matched.
+ */
-+ if(tflg_rstack(th))
-+ return 0;
++ if (tflg_rstack(th))
++ return false;
+
-+ if(tflg_rst(th) && printk_ratelimit()) {
++ if (tflg_rst(th) && printk_ratelimit()) {
+ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
-+ return 0;
++ return false;
+ }
+
+ /*
@@ -800,42 +717,43 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/
+ return !tflg_syn(th);
+}
+
-+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
-+ int loopback, const struct tcphdr *tcph, int payload_len)
++static inline unsigned int portscan_mt_full(int mark,
++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
++ unsigned int payload_len)
+{
-+ if(mark == mark_estab2) {
++ if (mark == mark_estab2) {
+ /*
+ * -m connmark --mark $ESTAB2
+ */
-+ if(tflg_ack4(tcph) && payload_len == 0)
++ if (tflg_ack4(tcph) && payload_len == 0)
+ return mark; /* keep mark */
-+ else if(tflg_rst(tcph) || tflg_fin(tcph))
++ else if (tflg_rst(tcph) || tflg_fin(tcph))
+ return mark_grscan;
+ else
+ return mark_valid;
-+ } else if(mark == mark_estab1) {
++ } else if (mark == mark_estab1) {
+ /*
+ * -m connmark --mark $ESTAB1
+ */
-+ if(tflg_rst(tcph) || tflg_fin(tcph))
++ if (tflg_rst(tcph) || tflg_fin(tcph))
+ return mark_cnscan;
-+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0)
+ return mark_estab2;
+ else
+ return mark_valid;
-+ } else if(mark == mark_synrcv) {
++ } else if (mark == mark_synrcv) {
+ /*
+ * -m connmark --mark $SYN
+ */
-+ if(loopback && tflg_synack(tcph))
++ if (loopback && tflg_synack(tcph))
+ return mark; /* keep mark */
-+ else if(loopback && tflg_rstack(tcph))
++ else if (loopback && tflg_rstack(tcph))
+ return mark_closed;
-+ else if(tflg_ack6(tcph))
++ else if (tflg_ack6(tcph))
+ return mark_estab1;
+ else
+ return mark_synscan;
-+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) {
+ /*
+ * -p tcp --syn --ctstate NEW
+ */
@@ -844,30 +762,30 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/
+ return mark;
+}
+
-+static int xt_portscan_match(const struct sk_buff *skb,
++static int portscan_mt(const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt_match *match, const void *matchinfo, int offset,
+ unsigned int protoff, int *hotdrop)
+{
-+ const struct xt_portscan_info *info = matchinfo;
++ const struct xt_portscan_match_info *info = matchinfo;
+ enum ip_conntrack_info ctstate;
-+ struct nf_conn *ctdata;
+ const struct tcphdr *tcph;
++ struct nf_conn *ctdata;
+ struct tcphdr tcph_buf;
+
+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
-+ if(tcph == NULL)
-+ return 0;
++ if (tcph == NULL)
++ return false;
+
+ /* Check for invalid packets: -m conntrack --ctstate INVALID */
-+ if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-+ if(info->match_stealth)
-+ return xt_portscan_stealth(tcph);
++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
++ if (info->match_stealth)
++ return portscan_mt_stealth(tcph);
+ /*
+ * If @ctdata is NULL, we cannot match the other scan
+ * types, return.
+ */
-+ return 0;
++ return false;
+ }
+
+ /*
@@ -875,17 +793,17 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/
+ * simulate must not be run through again. And for speedup, do not call
+ * it either when the connection is already VALID.
+ */
-+ if((ctdata->mark & connmark_mask) == mark_valid ||
-+ (skb->nfmark & packet_mask) != mark_seen)
-+ {
++ if ((ctdata->mark & connmark_mask) == mark_valid ||
++ (skb->mark & packet_mask) != mark_seen) {
+ unsigned int n;
-+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
++
++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
+ in == &loopback_dev, tcph,
+ skb->len - protoff - 4 * tcph->doff);
+
+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
-+ ((struct sk_buff *)skb)->nfmark =
-+ (skb->nfmark & ~packet_mask) | mark_seen;
++ ((struct sk_buff *)skb)->mark =
++ (skb->mark & ~packet_mask) ^ mark_seen;
+ }
+
+ return (info->match_syn && ctdata->mark == mark_synscan) ||
@@ -893,61 +811,51 @@ diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/
+ (info->match_gr && ctdata->mark == mark_grscan);
+}
+
-+static int xt_portscan_checkentry(const char *tablename, const void *entry,
-+ const struct xt_match *match, void *matchinfo,
-+#ifdef HAVE_MATCHINFOSIZE
-+ unsigned int matchinfosize,
-+#endif
-+ unsigned int hook_mask)
++static int portscan_mt_check(const char *tablename, const void *entry,
++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
+{
-+ const struct xt_portscan_info *info = matchinfo;
-+#ifdef HAVE_MATCHINFOSIZE
-+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
-+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
-+ matchinfosize,
-+ XT_ALIGN(sizeof(struct xt_portscan_info)));
-+ return 0;
-+ }
-+#endif
-+ if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-+ (info->match_cn & ~1) || (info->match_gr & ~1)) {
++ const struct xt_portscan_match_info *info = matchinfo;
++
++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
++ (info->match_cn & ~1) || (info->match_gr & ~1)) {
+ printk(KERN_WARNING PFX "Invalid flags\n");
-+ return 0;
++ return false;
+ }
-+ return 1;
++ return true;
+}
+
-+static struct xt_match xt_portscan = {
++static struct xt_match portscan_mt_reg __read_mostly = {
+ .name = "portscan",
-+ .match = xt_portscan_match,
-+ .checkentry = xt_portscan_checkentry,
-+ .matchsize = sizeof(struct xt_portscan_info),
-+ .proto = IPPROTO_TCP,
+ .family = AF_INET,
++ .match = portscan_mt,
++ .checkentry = portscan_mt_check,
++ .matchsize = sizeof(struct xt_portscan_match_info),
++ .proto = IPPROTO_TCP,
+ .me = THIS_MODULE,
+};
+
-+static int __init xt_portscan_init(void)
++static int __init portscan_mt_init(void)
+{
-+ return xt_register_match(&xt_portscan);
++ return xt_register_match(&portscan_mt_reg);
+}
+
-+static void __exit xt_portscan_exit(void)
++static void __exit portscan_mt_exit(void)
+{
-+ xt_unregister_match(&xt_portscan);
++ xt_unregister_match(&portscan_mt_reg);
+ return;
+}
+
-+module_init(xt_portscan_init);
-+module_exit(xt_portscan_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter portscan match module");
++module_init(portscan_mt_init);
++module_exit(portscan_mt_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"portscan\" match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_portscan");
-diff -urN linux-2.6.22-rc3.old/drivers/char/random.c linux-2.6.22-rc3.dev/drivers/char/random.c
---- linux-2.6.22-rc3.old/drivers/char/random.c 2007-05-26 03:55:14.000000000 +0100
-+++ linux-2.6.22-rc3.dev/drivers/char/random.c 2007-05-29 11:21:53.000000000 +0100
-@@ -1557,6 +1557,8 @@
+Index: linux-2.6.22.18/drivers/char/random.c
+===================================================================
+--- linux-2.6.22.18.orig/drivers/char/random.c
++++ linux-2.6.22.18/drivers/char/random.c
+@@ -1564,6 +1564,8 @@ __u32 secure_tcp_sequence_number(__be32
return seq;
}
diff --git a/target/linux/generic-2.6/patches-2.6.22/171-netfilter_tarpit.patch b/target/linux/generic-2.6/patches-2.6.22/171-netfilter_tarpit.patch
index 52c89d80f2..2e5b9e813a 100644
--- a/target/linux/generic-2.6/patches-2.6.22/171-netfilter_tarpit.patch
+++ b/target/linux/generic-2.6/patches-2.6.22/171-netfilter_tarpit.patch
@@ -1,7 +1,7 @@
-Index: linux-2.6.22.4/net/netfilter/Kconfig
+Index: linux-2.6.22.18/net/netfilter/Kconfig
===================================================================
---- linux-2.6.22.4.orig/net/netfilter/Kconfig
-+++ linux-2.6.22.4/net/netfilter/Kconfig
+--- linux-2.6.22.18.orig/net/netfilter/Kconfig
++++ linux-2.6.22.18/net/netfilter/Kconfig
@@ -379,6 +379,23 @@ config NETFILTER_XT_TARGET_CONNSECMARK
To compile it as a module, choose M here. If unsure, say N.
@@ -26,22 +26,22 @@ Index: linux-2.6.22.4/net/netfilter/Kconfig
config NETFILTER_XT_TARGET_TCPMSS
tristate '"TCPMSS" target support'
depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
-Index: linux-2.6.22.4/net/netfilter/Makefile
+Index: linux-2.6.22.18/net/netfilter/Makefile
===================================================================
---- linux-2.6.22.4.orig/net/netfilter/Makefile
-+++ linux-2.6.22.4/net/netfilter/Makefile
-@@ -47,6 +47,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE
+--- linux-2.6.22.18.orig/net/netfilter/Makefile
++++ linux-2.6.22.18/net/netfilter/Makefile
+@@ -45,6 +45,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE
obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
-
-Index: linux-2.6.22.4/net/netfilter/xt_TARPIT.c
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
+Index: linux-2.6.22.18/net/netfilter/xt_TARPIT.c
===================================================================
--- /dev/null
-+++ linux-2.6.22.4/net/netfilter/xt_TARPIT.c
++++ linux-2.6.22.18/net/netfilter/xt_TARPIT.c
@@ -0,0 +1,280 @@
+/*
+ * Kernel module to capture and hold incoming TCP connections using
@@ -284,7 +284,7 @@ Index: linux-2.6.22.4/net/netfilter/xt_TARPIT.c
+ return NF_DROP;
+}
+
-+static bool xt_tarpit_check(const char *tablename, const void *entry,
++static int xt_tarpit_check(const char *tablename, const void *entry,
+ const struct xt_target *target, void *targinfo,
+ unsigned int hook_mask)
+{
diff --git a/target/linux/generic-2.6/patches-2.6.23/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches-2.6.23/101-netfilter_layer7_pktmatch.patch
new file mode 100644
index 0000000000..2574543131
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.23/101-netfilter_layer7_pktmatch.patch
@@ -0,0 +1,113 @@
+Index: linux-2.6.23.16/include/linux/netfilter/xt_layer7.h
+===================================================================
+--- linux-2.6.23.16.orig/include/linux/netfilter/xt_layer7.h
++++ linux-2.6.23.16/include/linux/netfilter/xt_layer7.h
+@@ -8,6 +8,7 @@ struct xt_layer7_info {
+ char protocol[MAX_PROTOCOL_LEN];
+ char pattern[MAX_PATTERN_LEN];
+ u_int8_t invert;
++ u_int8_t pkt;
+ };
+
+ #endif /* _XT_LAYER7_H */
+Index: linux-2.6.23.16/net/netfilter/xt_layer7.c
+===================================================================
+--- linux-2.6.23.16.orig/net/netfilter/xt_layer7.c
++++ linux-2.6.23.16/net/netfilter/xt_layer7.c
+@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con
+ }
+
+ /* add the new app data to the conntrack. Return number of bytes added. */
+-static int add_data(struct nf_conn * master_conntrack,
+- char * app_data, int appdatalen)
++static int add_datastr(char *target, int offset, char *app_data, int len)
+ {
+ int length = 0, i;
+- int oldlength = master_conntrack->layer7.app_data_len;
+-
+- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
+- clear on whether the race condition exists or whether this really
+- fixes it. I might just be being dense... Anyway, if it's not really
+- a fix, all it does is waste a very small amount of time. */
+- if(!master_conntrack->layer7.app_data) return 0;
++
++ if (!target) return 0;
+
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
+ do case insensitivity). Add it to the end of the current data. */
+- for(i = 0; i < maxdatalen-oldlength-1 &&
+- i < appdatalen; i++) {
++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
+ if(app_data[i] != '\0') {
+ /* the kernel version of tolower mungs 'upper ascii' */
+- master_conntrack->layer7.app_data[length+oldlength] =
++ target[length+offset] =
+ isascii(app_data[i])?
+ tolower(app_data[i]) : app_data[i];
+ length++;
+ }
+ }
++ target[length+offset] = '\0';
++
++ return length;
++}
+
+- master_conntrack->layer7.app_data[length+oldlength] = '\0';
+- master_conntrack->layer7.app_data_len = length + oldlength;
++/* add the new app data to the conntrack. Return number of bytes added. */
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
++{
++ int length;
+
++ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
++ master_conntrack->layer7.app_data_len += length;
+ return length;
+ }
+
+@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin,
+ const struct xt_layer7_info * info = matchinfo;
+ enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack;
+- unsigned char * app_data;
++ unsigned char *app_data, *tmp_data;
+ unsigned int pattern_result, appdatalen;
+ regexp * comppattern;
+
+@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin,
+ master_conntrack = master_ct(master_conntrack);
+
+ /* if we've classified it or seen too many packets */
+- if(TOTAL_PACKETS > num_packets ||
+- master_conntrack->layer7.app_proto) {
++ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
++ master_conntrack->layer7.app_proto)) {
+
+ pattern_result = match_no_append(conntrack, master_conntrack,
+ ctinfo, master_ctinfo, info);
+@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin,
+ /* the return value gets checked later, when we're ready to use it */
+ comppattern = compile_and_cache(info->pattern, info->protocol);
+
++ if (info->pkt) {
++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
++ if(!tmp_data){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
++ return info->invert;
++ }
++
++ tmp_data[0] = '\0';
++ add_datastr(tmp_data, 0, app_data, appdatalen);
++ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++
++ kfree(tmp_data);
++ tmp_data = NULL;
++ spin_unlock_bh(&l7_lock);
++
++ return (pattern_result ^ info->invert);
++ }
++
+ /* On the first packet of a connection, allocate space for app data */
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
+ !master_conntrack->layer7.app_data){
diff --git a/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables_0.8.patch
index cfc0092330..ad9e0597bf 100644
--- a/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables.patch
+++ b/target/linux/generic-2.6/patches-2.6.23/170-netfilter_chaostables_0.8.patch
@@ -1,17 +1,17 @@
-Index: linux-2.6.23/include/linux/netfilter/oot_conntrack.h
+Index: linux-2.6.23.16/include/linux/netfilter/oot_conntrack.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/oot_conntrack.h 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.23.16/include/linux/netfilter/oot_conntrack.h
@@ -0,0 +1,5 @@
+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
+# include <linux/netfilter_ipv4/ip_conntrack.h>
+#else /* linux-2.6.20+ */
+# include <net/netfilter/nf_nat_rule.h>
+#endif
-Index: linux-2.6.23/include/linux/netfilter/oot_trans.h
+Index: linux-2.6.23.16/include/linux/netfilter/oot_trans.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/oot_trans.h 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.23.16/include/linux/netfilter/oot_trans.h
@@ -0,0 +1,14 @@
+/* Out of tree workarounds */
+#include <linux/version.h>
@@ -27,42 +27,42 @@ Index: linux-2.6.23/include/linux/netfilter/oot_trans.h
+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
+ tcp_v4_check((tcph_sz), (s), (d), (csp))
+#endif
-Index: linux-2.6.23/include/linux/netfilter/xt_CHAOS.h
+Index: linux-2.6.23.16/include/linux/netfilter/xt_CHAOS.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/xt_CHAOS.h 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.23.16/include/linux/netfilter/xt_CHAOS.h
@@ -0,0 +1,14 @@
-+#ifndef _LINUX_XT_CHAOS_H
-+#define _LINUX_XT_CHAOS_H 1
++#ifndef _LINUX_NETFILTER_XT_CHAOS_H
++#define _LINUX_NETFILTER_XT_CHAOS_H 1
+
-+enum xt_chaos_variant {
++enum xt_chaos_target_variant {
+ XTCHAOS_NORMAL,
+ XTCHAOS_TARPIT,
+ XTCHAOS_DELUDE,
+};
+
-+struct xt_chaos_info {
-+ enum xt_chaos_variant variant;
++struct xt_chaos_target_info {
++ uint8_t variant;
+};
+
-+#endif /* _LINUX_XT_CHAOS_H */
-Index: linux-2.6.23/include/linux/netfilter/xt_portscan.h
++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
+Index: linux-2.6.23.16/include/linux/netfilter/xt_portscan.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/xt_portscan.h 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.23.16/include/linux/netfilter/xt_portscan.h
@@ -0,0 +1,8 @@
-+#ifndef _LINUX_XT_PORTSCAN_H
-+#define _LINUX_XT_PORTSCAN_H 1
++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
+
-+struct xt_portscan_info {
-+ unsigned int match_stealth, match_syn, match_cn, match_gr;
++struct xt_portscan_match_info {
++ uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
-+#endif /* _LINUX_XT_PORTSCAN_H */
-Index: linux-2.6.23/net/netfilter/find_match.c
++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
+Index: linux-2.6.23.16/net/netfilter/find_match.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/find_match.c 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.23.16/net/netfilter/find_match.c
@@ -0,0 +1,39 @@
+/*
+ xt_request_find_match
@@ -95,7 +95,7 @@ Index: linux-2.6.23/net/netfilter/find_match.c
+
+ match = try_then_request_module(xt_find_match(af, name, revision),
+ "%st_%s", xt_prefix[af], name);
-+ if(IS_ERR(match) || match == NULL)
++ if (IS_ERR(match) || match == NULL)
+ return NULL;
+
+ return match;
@@ -103,11 +103,11 @@ Index: linux-2.6.23/net/netfilter/find_match.c
+
+/* In case it goes into mainline, let this out-of-tree package compile */
+#define xt_request_find_match xt_request_find_match_lo
-Index: linux-2.6.23/net/netfilter/Kconfig
+Index: linux-2.6.23.16/net/netfilter/Kconfig
===================================================================
---- linux-2.6.23.orig/net/netfilter/Kconfig 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/net/netfilter/Kconfig 2007-10-10 13:53:04.000000000 +0800
-@@ -265,6 +265,14 @@
+--- linux-2.6.23.16.orig/net/netfilter/Kconfig
++++ linux-2.6.23.16/net/netfilter/Kconfig
+@@ -265,6 +265,14 @@ config NETFILTER_XTABLES
# alphabetically ordered list of targets
@@ -122,7 +122,7 @@ Index: linux-2.6.23/net/netfilter/Kconfig
config NETFILTER_XT_TARGET_CLASSIFY
tristate '"CLASSIFY" target support'
depends on NETFILTER_XTABLES
-@@ -292,6 +300,14 @@
+@@ -292,6 +300,14 @@ config NETFILTER_XT_TARGET_CONNMARK
<file:Documentation/kbuild/modules.txt>. The module will be called
ipt_CONNMARK.ko. If unsure, say `N'.
@@ -137,7 +137,7 @@ Index: linux-2.6.23/net/netfilter/Kconfig
config NETFILTER_XT_TARGET_DSCP
tristate '"DSCP" target support'
depends on NETFILTER_XTABLES
-@@ -556,6 +572,14 @@
+@@ -556,6 +572,14 @@ config NETFILTER_XT_MATCH_POLICY
To compile it as a module, choose M here. If unsure, say N.
@@ -152,42 +152,38 @@ Index: linux-2.6.23/net/netfilter/Kconfig
config NETFILTER_XT_MATCH_MULTIPORT
tristate "Multiple port match support"
depends on NETFILTER_XTABLES
-Index: linux-2.6.23/net/netfilter/Makefile
+Index: linux-2.6.23.16/net/netfilter/Makefile
===================================================================
---- linux-2.6.23.orig/net/netfilter/Makefile 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/net/netfilter/Makefile 2007-10-10 13:52:59.000000000 +0800
-@@ -38,8 +38,10 @@
- obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
-
- # targets
+--- linux-2.6.23.16.orig/net/netfilter/Makefile
++++ linux-2.6.23.16/net/netfilter/Makefile
+@@ -49,6 +49,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE)
+ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
-@@ -66,6 +68,7 @@
- obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
+
+ # matches
+ obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
+@@ -78,3 +80,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS)
+ obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
-Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+Index: linux-2.6.23.16/net/netfilter/xt_CHAOS.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_CHAOS.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,205 @@
+--- /dev/null
++++ linux-2.6.23.16/net/netfilter/xt_CHAOS.c
+@@ -0,0 +1,200 @@
+/*
-+ CHAOS target for netfilter
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ * CHAOS target for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
+#include <linux/icmp.h>
+#include <linux/in.h>
+#include <linux/ip.h>
@@ -198,9 +194,17 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+#include <linux/netfilter/xt_tcpudp.h>
+#include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <net/ip.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+#include "find_match.c"
-+#include <linux/netfilter/oot_trans.h>
++#if defined(_LOCAL)
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
++# include <linux/netfilter/xt_CHAOS.h>
++# include "find_match.c"
++#else
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#endif
+#define PFX KBUILD_MODNAME ": "
+
+/* Module parameters */
@@ -226,111 +230,97 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+};
+
+/* CHAOS functions */
-+static void xt_chaos_total(const struct xt_chaos_info *info,
++static void xt_chaos_total(const struct xt_chaos_target_info *info,
+ struct sk_buff **pskb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum)
+{
-+ const int protoff = ip_hdrlen(*pskb);
-+ const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET;
++ const struct iphdr *iph = ip_hdr(*pskb);
++ const int protoff = 4 * iph->ihl;
++ const int offset = ntohs(iph->frag_off) & IP_OFFSET;
+ const struct xt_target *destiny;
-+ bool hotdrop = false;
-+ int ret;
++ bool hotdrop = false, ret;
+
+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
+ offset, protoff, &hotdrop);
-+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
+ return;
+
+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-+#ifdef HAVE_TARGUSERINFO
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
-+#else
+ destiny->target(pskb, in, out, hooknum, destiny, NULL);
-+#endif
+ return;
+}
+
-+static unsigned int xt_chaos_target(struct sk_buff **pskb,
++static unsigned int chaos_tg(struct sk_buff **pskb,
+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
+{
-+ /* Equivalent to:
++ /*
++ * Equivalent to:
+ * -A chaos -m statistic --mode random --probability \
+ * $reject_percentage -j REJECT --reject-with host-unreach;
+ * -A chaos -p tcp -m statistic --mode random --probability \
+ * $delude_percentage -j DELUDE;
+ * -A chaos -j DROP;
+ */
-+ const struct xt_chaos_info *info = targinfo;
++ const struct xt_chaos_target_info *info = targinfo;
++ const struct iphdr *iph = ip_hdr(*pskb);
+
-+ if((unsigned int)net_random() <= reject_percentage)
-+#ifdef HAVE_TARGUSERINFO
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params, userinfo);
-+#else
++ if ((unsigned int)net_random() <= reject_percentage)
+ return xt_reject->target(pskb, in, out, hooknum, target,
+ &reject_params);
-+#endif
+
+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
-+ if(ip_hdr(*pskb)->protocol == IPPROTO_TCP &&
-+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
++ if (iph->protocol == IPPROTO_TCP &&
++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
+ xt_chaos_total(info, pskb, in, out, hooknum);
+
+ return NF_DROP;
+}
+
-+static bool xt_chaos_checkentry(const char *tablename, const void *entry,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
++static bool chaos_tg_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo, unsigned int hook_mask)
+{
-+ const struct xt_chaos_info *info = targinfo;
-+ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
++ const struct xt_chaos_target_info *info = targinfo;
++
++ if (info->variant == XTCHAOS_DELUDE && !have_delude) {
+ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
+ "DELUDE module not available\n");
+ return false;
+ }
-+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
+ "TARPIT module not available\n");
+ return false;
+ }
++
+ return true;
+}
+
-+static struct xt_target xt_chaos_info = {
++static struct xt_target chaos_tg_reg = {
+ .name = "CHAOS",
-+ .target = xt_chaos_target,
-+ .checkentry = xt_chaos_checkentry,
++ .family = AF_INET,
+ .table = "filter",
-+ .targetsize = sizeof(struct xt_chaos_info),
+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
+ (1 << NF_IP_LOCAL_OUT),
-+ .family = AF_INET,
++ .checkentry = chaos_tg_check,
++ .target = chaos_tg,
++ .targetsize = sizeof(struct xt_chaos_target_info),
+ .me = THIS_MODULE,
+};
+
-+static int __init xt_chaos_init(void)
++static int __init chaos_tg_init(void)
+{
+ int ret = -EINVAL;
+
+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
-+ if(xm_tcp == NULL) {
++ if (xm_tcp == NULL) {
+ printk(KERN_WARNING PFX "Error: Could not find or load "
+ "\"tcp\" match\n");
+ return -EINVAL;
+ }
+
+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
-+ if(xt_reject == NULL) {
++ if (xt_reject == NULL) {
+ printk(KERN_WARNING PFX "Error: Could not find or load "
+ "\"REJECT\" target\n");
+ goto out2;
@@ -338,17 +328,17 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+
+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
+ have_tarpit = xt_tarpit != NULL;
-+ if(!have_tarpit)
++ if (!have_tarpit)
+ printk(KERN_WARNING PFX "Warning: Could not find or load "
+ "\"TARPIT\" target\n");
+
+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
+ have_delude = xt_delude != NULL;
-+ if(!have_delude)
++ if (!have_delude)
+ printk(KERN_WARNING PFX "Warning: Could not find or load "
+ "\"DELUDE\" target\n");
+
-+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
+ printk(KERN_WARNING PFX "xt_register_target returned "
+ "error %d\n", ret);
+ goto out3;
@@ -357,9 +347,9 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+ return 0;
+
+ out3:
-+ if(have_delude)
++ if (have_delude)
+ module_put(xt_delude->me);
-+ if(have_tarpit)
++ if (have_tarpit)
+ module_put(xt_tarpit->me);
+ module_put(xt_reject->me);
+ out2:
@@ -367,132 +357,67 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+ return ret;
+}
+
-+static void __exit xt_chaos_exit(void)
++static void __exit chaos_tg_exit(void)
+{
-+ xt_unregister_target(&xt_chaos_info);
++ xt_unregister_target(&chaos_tg_reg);
+ module_put(xm_tcp->me);
+ module_put(xt_reject->me);
-+ if(have_delude)
++ if (have_delude)
+ module_put(xt_delude->me);
-+ if(have_tarpit)
++ if (have_tarpit)
+ module_put(xt_tarpit->me);
+ return;
+}
+
-+module_init(xt_chaos_init);
-+module_exit(xt_chaos_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter CHAOS target");
++module_init(chaos_tg_init);
++module_exit(chaos_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_CHAOS");
-Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+Index: linux-2.6.23.16/net/netfilter/xt_DELUDE.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_DELUDE.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,288 @@
+--- /dev/null
++++ linux-2.6.23.16/net/netfilter/xt_DELUDE.c
+@@ -0,0 +1,197 @@
+/*
-+ DELUDE target
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
-+
-+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
-+ (C) 1999-2001 Paul `Rusty' Russell
-+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
-+
-+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ * DELUDE target
++ * Copyright © CC Computer Consultants GmbH, 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
++ * (C) 1999-2001 Paul `Rusty' Russell
++ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
++ *
++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
-+#include <linux/random.h>
+#include <linux/tcp.h>
-+#include <linux/udp.h>
-+#include <linux/icmp.h>
-+#include <net/icmp.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/route.h>
-+#include <net/dst.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter/x_tables.h>
+#ifdef CONFIG_BRIDGE_NETFILTER
+# include <linux/netfilter_bridge.h>
+#endif
-+#include <linux/netfilter/oot_trans.h>
++#include <net/tcp.h>
+#define PFX KBUILD_MODNAME ": "
+
-+static inline struct rtable *route_reverse(struct sk_buff *skb,
-+ struct tcphdr *tcph, int hook)
++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
+{
-+ struct iphdr *iph = ip_hdr(skb);
-+ struct dst_entry *odst;
-+ struct flowi fl = {};
-+ struct rtable *rt;
-+
-+ /* We don't require ip forwarding to be enabled to be able to
-+ * send a RST reply for bridged traffic. */
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ ) {
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ if (hook == NF_IP_LOCAL_IN)
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+ } else {
-+ /* non-local src, find valid iif to satisfy
-+ * rp-filter when calling ip_route_input. */
-+ fl.nl_u.ip4_u.daddr = iph->daddr;
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+
-+ odst = skb->dst;
-+ if (ip_route_input(skb, iph->saddr, iph->daddr,
-+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+ dst_release(&rt->u.dst);
-+ rt = (struct rtable *)skb->dst;
-+ skb->dst = odst;
-+
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+ }
-+
-+ if (rt->u.dst.error) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+
-+ fl.proto = IPPROTO_TCP;
-+ fl.fl_ip_sport = tcph->dest;
-+ fl.fl_ip_dport = tcph->source;
-+
-+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-+
-+ return rt;
-+}
-+
-+static void send_reset(struct sk_buff *oldskb, int hook)
-+{
-+ struct sk_buff *nskb;
-+ struct iphdr *iph = ip_hdr(oldskb);
+ struct tcphdr _otcph, *oth, *tcph;
-+ __be16 tmp_port;
-+ __be32 tmp_addr;
-+ int needs_ack;
+ unsigned int addr_type;
++ struct sk_buff *nskb;
++ u_int16_t tmp_port;
++ u_int32_t tmp_addr;
++ struct iphdr *niph;
++ bool needs_ack;
+
+ /* IP header checks: fragment. */
-+ if (iph->frag_off & htons(IP_OFFSET))
++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
+ return;
+
+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
@@ -518,78 +443,75 @@ Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+
+ /* This packet will not be the same as the other: clear nf fields */
+ nf_reset(nskb);
-+ nskb->nfmark = 0;
++ nskb->mark = 0;
+ skb_init_secmark(nskb);
+
+ skb_shinfo(nskb)->gso_size = 0;
+ skb_shinfo(nskb)->gso_segs = 0;
+ skb_shinfo(nskb)->gso_type = 0;
+
-+ tcph = tcp_hdr(nskb);
++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
+
+ /* Swap source and dest */
-+ tmp_addr = ip_hdr(nskb)->saddr;
-+ ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
-+ ip_hdr(nskb)->daddr = tmp_addr;
-+ tmp_port = tcph->source;
++ niph = ip_hdr(nskb);
++ tmp_addr = niph->saddr;
++ niph->saddr = niph->daddr;
++ niph->daddr = tmp_addr;
++ tmp_port = tcph->source;
+ tcph->source = tcph->dest;
-+ tcph->dest = tmp_port;
++ tcph->dest = tmp_port;
+
+ /* Truncate to length (no data) */
-+ tcph->doff = sizeof(struct tcphdr)/4;
++ tcph->doff = sizeof(struct tcphdr) / 4;
+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
-+ ip_hdr(nskb)->tot_len = htons(nskb->len);
++ niph->tot_len = htons(nskb->len);
+
-+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
+ /* DELUDE essential part */
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
+ oldskb->len - ip_hdrlen(oldskb) -
+ (oth->doff << 2));
-+ tcph->seq = htonl(secure_tcp_sequence_number(
-+ ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
-+ tcph->source, tcph->dest));
-+ tcph->ack = 1;
++ tcph->seq = false;
++ tcph->ack = true;
+ } else {
-+ if(!tcph->ack) {
-+ needs_ack = 1;
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
-+ + oldskb->len - ip_hdrlen(oldskb)
-+ - (oth->doff<<2));
-+ tcph->seq = 0;
++ if (!tcph->ack) {
++ needs_ack = true;
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn +
++ oth->fin + oldskb->len -
++ ip_hdrlen(oldskb) - (oth->doff<<2));
++ tcph->seq = false;
+ } else {
-+ needs_ack = 0;
-+ tcph->seq = oth->ack_seq;
-+ tcph->ack_seq = 0;
++ needs_ack = false;
++ tcph->seq = oth->ack_seq;
++ tcph->ack_seq = false;
+ }
+
+ /* Reset flags */
+ ((u_int8_t *)tcph)[13] = 0;
-+ tcph->rst = 1;
++ tcph->rst = true;
+ tcph->ack = needs_ack;
+ }
+
-+
-+ tcph->window = 0;
++ tcph->window = 0;
+ tcph->urg_ptr = 0;
+
+ /* Adjust TCP checksum */
+ tcph->check = 0;
-+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-+ ip_hdr(nskb)->saddr,
-+ ip_hdr(nskb)->daddr,
-+ csum_partial((char *)tcph,
-+ sizeof(struct tcphdr), 0));
++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
++ niph->daddr, csum_partial((char *)tcph,
++ sizeof(struct tcphdr), 0));
+
+ /* Set DF, id = 0 */
-+ ip_hdr(nskb)->frag_off = htons(IP_DF);
-+ ip_hdr(nskb)->id = 0;
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
+
+ addr_type = RTN_UNSPEC;
-+ if (hook != NF_IP_FORWARD
+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL &&
++ nskb->nf_bridge->mask & BRNF_BRIDGED))
++#else
++ if (hook != NF_IP_FORWARD)
+#endif
-+ )
+ addr_type = RTN_LOCAL;
+
+ if (ip_route_me_harder(&nskb, addr_type))
@@ -598,12 +520,11 @@ Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+ nskb->ip_summed = CHECKSUM_NONE;
+
+ /* Adjust IP TTL */
-+ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+
+ /* Adjust IP checksum */
-+ ip_hdr(nskb)->check = 0;
-+ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
-+ ip_hdr(nskb)->ihl);
++ niph->check = 0;
++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
+
+ /* "Never happens" */
+ if (nskb->len > dst_mtu(nskb->dst))
@@ -619,78 +540,57 @@ Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+ kfree_skb(nskb);
+}
+
-+static unsigned int xt_delude_target(struct sk_buff **pskb,
++static unsigned int delude_tg(struct sk_buff **pskb,
+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
+{
+ /* WARNING: This code causes reentry within iptables.
+ This means that the iptables jump stack is now crap. We
+ must return an absolute verdict. --RR */
-+ send_reset(*pskb, hooknum);
++ delude_send_reset(*pskb, hooknum);
+ return NF_DROP;
+}
+
-+static bool xt_delude_check(const char *tablename, const void *e_void,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
-+ printk(KERN_WARNING PFX "DELUDE may not be used in chains "
-+ "other than INPUT and FORWARD\n");
-+ return false;
-+ }
-+ return true;
-+}
-+
-+static struct xt_target xt_delude_info = {
++static struct xt_target delude_tg_reg = {
+ .name = "DELUDE",
-+ .target = xt_delude_target,
-+ .checkentry = xt_delude_check,
++ .family = AF_INET,
+ .table = "filter",
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD),
++ .target = delude_tg,
+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
+ .me = THIS_MODULE,
+};
+
-+static int __init xt_delude_init(void)
++static int __init delude_tg_init(void)
+{
-+ return xt_register_target(&xt_delude_info);
++ return xt_register_target(&delude_tg_reg);
+}
+
-+static void __exit xt_delude_exit(void)
++static void __exit delude_tg_exit(void)
+{
-+ xt_unregister_target(&xt_delude_info);
++ xt_unregister_target(&delude_tg_reg);
+}
+
-+module_init(xt_delude_init);
-+module_exit(xt_delude_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter DELUDE target");
++module_init(delude_tg_init);
++module_exit(delude_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"DELUDE\" target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_DELUDE");
-Index: linux-2.6.23/net/netfilter/xt_portscan.c
+Index: linux-2.6.23.16/net/netfilter/xt_portscan.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_portscan.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,272 @@
+--- /dev/null
++++ linux-2.6.23.16/net/netfilter/xt_portscan.c
+@@ -0,0 +1,269 @@
+/*
-+ portscan match for netfilter
-+
-+ Written by Jan Engelhardt, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ * portscan match for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/module.h>
@@ -702,9 +602,15 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+#include <linux/version.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter/oot_conntrack.h>
-+#include <linux/netfilter/xt_portscan.h>
-+#include <linux/netfilter/oot_trans.h>
++#include <net/netfilter/nf_nat_rule.h>
++#if defined(_LOCAL)
++# include "xt_portscan.h"
++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE)
++# include <linux/netfilter/xt_portscan.h>
++#else
++# include "xt_portscan.h"
++#endif
+#define PFX KBUILD_MODNAME ": "
+
+enum {
@@ -751,55 +657,55 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
+
+/* TCP flag functions */
-+static inline int tflg_ack4(const struct tcphdr *th)
++static inline bool tflg_ack4(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
+}
+
-+static inline int tflg_ack6(const struct tcphdr *th)
++static inline bool tflg_ack6(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
+}
+
-+static inline int tflg_fin(const struct tcphdr *th)
++static inline bool tflg_fin(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
+}
+
-+static inline int tflg_rst(const struct tcphdr *th)
++static inline bool tflg_rst(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
+}
+
-+static inline int tflg_rstack(const struct tcphdr *th)
++static inline bool tflg_rstack(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
+ (TCP_FLAG_ACK | TCP_FLAG_RST);
+}
+
-+static inline int tflg_syn(const struct tcphdr *th)
++static inline bool tflg_syn(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
+}
+
-+static inline int tflg_synack(const struct tcphdr *th)
++static inline bool tflg_synack(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
+ (TCP_FLAG_SYN | TCP_FLAG_ACK);
+}
+
+/* portscan functions */
-+static inline int xt_portscan_stealth(const struct tcphdr *th)
++static inline bool portscan_mt_stealth(const struct tcphdr *th)
+{
+ /*
+ * "Connection refused" replies to our own probes must not be matched.
+ */
-+ if(tflg_rstack(th))
-+ return 0;
++ if (tflg_rstack(th))
++ return false;
+
-+ if(tflg_rst(th) && printk_ratelimit()) {
++ if (tflg_rst(th) && printk_ratelimit()) {
+ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
-+ return 0;
++ return false;
+ }
+
+ /*
@@ -811,42 +717,43 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+ return !tflg_syn(th);
+}
+
-+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
-+ int loopback, const struct tcphdr *tcph, int payload_len)
++static inline unsigned int portscan_mt_full(int mark,
++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
++ unsigned int payload_len)
+{
-+ if(mark == mark_estab2) {
++ if (mark == mark_estab2) {
+ /*
+ * -m connmark --mark $ESTAB2
+ */
-+ if(tflg_ack4(tcph) && payload_len == 0)
++ if (tflg_ack4(tcph) && payload_len == 0)
+ return mark; /* keep mark */
-+ else if(tflg_rst(tcph) || tflg_fin(tcph))
++ else if (tflg_rst(tcph) || tflg_fin(tcph))
+ return mark_grscan;
+ else
+ return mark_valid;
-+ } else if(mark == mark_estab1) {
++ } else if (mark == mark_estab1) {
+ /*
+ * -m connmark --mark $ESTAB1
+ */
-+ if(tflg_rst(tcph) || tflg_fin(tcph))
++ if (tflg_rst(tcph) || tflg_fin(tcph))
+ return mark_cnscan;
-+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0)
+ return mark_estab2;
+ else
+ return mark_valid;
-+ } else if(mark == mark_synrcv) {
++ } else if (mark == mark_synrcv) {
+ /*
+ * -m connmark --mark $SYN
+ */
-+ if(loopback && tflg_synack(tcph))
++ if (loopback && tflg_synack(tcph))
+ return mark; /* keep mark */
-+ else if(loopback && tflg_rstack(tcph))
++ else if (loopback && tflg_rstack(tcph))
+ return mark_closed;
-+ else if(tflg_ack6(tcph))
++ else if (tflg_ack6(tcph))
+ return mark_estab1;
+ else
+ return mark_synscan;
-+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) {
+ /*
+ * -p tcp --syn --ctstate NEW
+ */
@@ -855,25 +762,25 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+ return mark;
+}
+
-+static bool xt_portscan_match(const struct sk_buff *skb,
++static bool portscan_mt(const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt_match *match, const void *matchinfo, int offset,
+ unsigned int protoff, bool *hotdrop)
+{
-+ const struct xt_portscan_info *info = matchinfo;
++ const struct xt_portscan_match_info *info = matchinfo;
+ enum ip_conntrack_info ctstate;
-+ struct nf_conn *ctdata;
+ const struct tcphdr *tcph;
++ struct nf_conn *ctdata;
+ struct tcphdr tcph_buf;
+
+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
-+ if(tcph == NULL)
++ if (tcph == NULL)
+ return false;
+
+ /* Check for invalid packets: -m conntrack --ctstate INVALID */
-+ if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-+ if(info->match_stealth)
-+ return xt_portscan_stealth(tcph);
++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
++ if (info->match_stealth)
++ return portscan_mt_stealth(tcph);
+ /*
+ * If @ctdata is NULL, we cannot match the other scan
+ * types, return.
@@ -886,17 +793,17 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+ * simulate must not be run through again. And for speedup, do not call
+ * it either when the connection is already VALID.
+ */
-+ if((ctdata->mark & connmark_mask) == mark_valid ||
-+ (skb->nfmark & packet_mask) != mark_seen)
-+ {
++ if ((ctdata->mark & connmark_mask) == mark_valid ||
++ (skb->mark & packet_mask) != mark_seen) {
+ unsigned int n;
-+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
++
++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
+ in == &loopback_dev, tcph,
+ skb->len - protoff - 4 * tcph->doff);
+
+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
-+ ((struct sk_buff *)skb)->nfmark =
-+ (skb->nfmark & ~packet_mask) | mark_seen;
++ ((struct sk_buff *)skb)->mark =
++ (skb->mark & ~packet_mask) ^ mark_seen;
+ }
+
+ return (info->match_syn && ctdata->mark == mark_synscan) ||
@@ -904,62 +811,51 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+ (info->match_gr && ctdata->mark == mark_grscan);
+}
+
-+static bool xt_portscan_checkentry(const char *tablename, const void *entry,
-+ const struct xt_match *match, void *matchinfo,
-+#ifdef HAVE_MATCHINFOSIZE
-+ unsigned int matchinfosize,
-+#endif
-+ unsigned int hook_mask)
++static bool portscan_mt_check(const char *tablename, const void *entry,
++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
+{
-+ const struct xt_portscan_info *info = matchinfo;
-+#ifdef HAVE_MATCHINFOSIZE
-+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
-+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
-+ matchinfosize,
-+ XT_ALIGN(sizeof(struct xt_portscan_info)));
-+ return false;
-+ }
-+#endif
-+ if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-+ (info->match_cn & ~1) || (info->match_gr & ~1)) {
++ const struct xt_portscan_match_info *info = matchinfo;
++
++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
++ (info->match_cn & ~1) || (info->match_gr & ~1)) {
+ printk(KERN_WARNING PFX "Invalid flags\n");
+ return false;
+ }
+ return true;
+}
+
-+static struct xt_match xt_portscan = {
++static struct xt_match portscan_mt_reg __read_mostly = {
+ .name = "portscan",
-+ .match = xt_portscan_match,
-+ .checkentry = xt_portscan_checkentry,
-+ .matchsize = sizeof(struct xt_portscan_info),
-+ .proto = IPPROTO_TCP,
+ .family = AF_INET,
++ .match = portscan_mt,
++ .checkentry = portscan_mt_check,
++ .matchsize = sizeof(struct xt_portscan_match_info),
++ .proto = IPPROTO_TCP,
+ .me = THIS_MODULE,
+};
+
-+static int __init xt_portscan_init(void)
++static int __init portscan_mt_init(void)
+{
-+ return xt_register_match(&xt_portscan);
++ return xt_register_match(&portscan_mt_reg);
+}
+
-+static void __exit xt_portscan_exit(void)
++static void __exit portscan_mt_exit(void)
+{
-+ xt_unregister_match(&xt_portscan);
++ xt_unregister_match(&portscan_mt_reg);
+ return;
+}
+
-+module_init(xt_portscan_init);
-+module_exit(xt_portscan_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter portscan match module");
++module_init(portscan_mt_init);
++module_exit(portscan_mt_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"portscan\" match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_portscan");
-Index: linux-2.6.23/drivers/char/random.c
+Index: linux-2.6.23.16/drivers/char/random.c
===================================================================
---- linux-2.6.23.orig/drivers/char/random.c 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/drivers/char/random.c 2007-10-10 13:52:59.000000000 +0800
-@@ -1564,6 +1564,8 @@
+--- linux-2.6.23.16.orig/drivers/char/random.c
++++ linux-2.6.23.16/drivers/char/random.c
+@@ -1564,6 +1564,8 @@ __u32 secure_tcp_sequence_number(__be32
return seq;
}
diff --git a/target/linux/generic-2.6/patches-2.6.23/171-netfilter_tarpit.patch b/target/linux/generic-2.6/patches-2.6.23/171-netfilter_tarpit.patch
index 058dda5c28..073951a15c 100644
--- a/target/linux/generic-2.6/patches-2.6.23/171-netfilter_tarpit.patch
+++ b/target/linux/generic-2.6/patches-2.6.23/171-netfilter_tarpit.patch
@@ -1,7 +1,7 @@
-Index: linux-2.6.23/net/netfilter/Kconfig
+Index: linux-2.6.23.16/net/netfilter/Kconfig
===================================================================
---- linux-2.6.23.orig/net/netfilter/Kconfig
-+++ linux-2.6.23/net/netfilter/Kconfig
+--- linux-2.6.23.16.orig/net/netfilter/Kconfig
++++ linux-2.6.23.16/net/netfilter/Kconfig
@@ -401,6 +401,23 @@ config NETFILTER_XT_TARGET_CONNSECMARK
To compile it as a module, choose M here. If unsure, say N.
@@ -26,22 +26,22 @@ Index: linux-2.6.23/net/netfilter/Kconfig
config NETFILTER_XT_TARGET_TCPMSS
tristate '"TCPMSS" target support'
depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
-Index: linux-2.6.23/net/netfilter/Makefile
+Index: linux-2.6.23.16/net/netfilter/Makefile
===================================================================
---- linux-2.6.23.orig/net/netfilter/Makefile
-+++ linux-2.6.23/net/netfilter/Makefile
-@@ -49,6 +49,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG)
+--- linux-2.6.23.16.orig/net/netfilter/Makefile
++++ linux-2.6.23.16/net/netfilter/Makefile
+@@ -47,6 +47,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG)
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
-
-Index: linux-2.6.23/net/netfilter/xt_TARPIT.c
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
+Index: linux-2.6.23.16/net/netfilter/xt_TARPIT.c
===================================================================
--- /dev/null
-+++ linux-2.6.23/net/netfilter/xt_TARPIT.c
++++ linux-2.6.23.16/net/netfilter/xt_TARPIT.c
@@ -0,0 +1,280 @@
+/*
+ * Kernel module to capture and hold incoming TCP connections using
diff --git a/target/linux/generic-2.6/patches-2.6.24/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches-2.6.24/101-netfilter_layer7_pktmatch.patch
new file mode 100644
index 0000000000..9605e4fa62
--- /dev/null
+++ b/target/linux/generic-2.6/patches-2.6.24/101-netfilter_layer7_pktmatch.patch
@@ -0,0 +1,113 @@
+Index: linux-2.6.24/include/linux/netfilter/xt_layer7.h
+===================================================================
+--- linux-2.6.24.orig/include/linux/netfilter/xt_layer7.h
++++ linux-2.6.24/include/linux/netfilter/xt_layer7.h
+@@ -8,6 +8,7 @@ struct xt_layer7_info {
+ char protocol[MAX_PROTOCOL_LEN];
+ char pattern[MAX_PATTERN_LEN];
+ u_int8_t invert;
++ u_int8_t pkt;
+ };
+
+ #endif /* _XT_LAYER7_H */
+Index: linux-2.6.24/net/netfilter/xt_layer7.c
+===================================================================
+--- linux-2.6.24.orig/net/netfilter/xt_layer7.c
++++ linux-2.6.24/net/netfilter/xt_layer7.c
+@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con
+ }
+
+ /* add the new app data to the conntrack. Return number of bytes added. */
+-static int add_data(struct nf_conn * master_conntrack,
+- char * app_data, int appdatalen)
++static int add_datastr(char *target, int offset, char *app_data, int len)
+ {
+ int length = 0, i;
+- int oldlength = master_conntrack->layer7.app_data_len;
+-
+- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
+- clear on whether the race condition exists or whether this really
+- fixes it. I might just be being dense... Anyway, if it's not really
+- a fix, all it does is waste a very small amount of time. */
+- if(!master_conntrack->layer7.app_data) return 0;
++
++ if (!target) return 0;
+
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
+ do case insensitivity). Add it to the end of the current data. */
+- for(i = 0; i < maxdatalen-oldlength-1 &&
+- i < appdatalen; i++) {
++ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
+ if(app_data[i] != '\0') {
+ /* the kernel version of tolower mungs 'upper ascii' */
+- master_conntrack->layer7.app_data[length+oldlength] =
++ target[length+offset] =
+ isascii(app_data[i])?
+ tolower(app_data[i]) : app_data[i];
+ length++;
+ }
+ }
++ target[length+offset] = '\0';
++
++ return length;
++}
+
+- master_conntrack->layer7.app_data[length+oldlength] = '\0';
+- master_conntrack->layer7.app_data_len = length + oldlength;
++/* add the new app data to the conntrack. Return number of bytes added. */
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
++{
++ int length;
+
++ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
++ master_conntrack->layer7.app_data_len += length;
+ return length;
+ }
+
+@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin,
+ const struct xt_layer7_info * info = matchinfo;
+ enum ip_conntrack_info master_ctinfo, ctinfo;
+ struct nf_conn *master_conntrack, *conntrack;
+- unsigned char * app_data;
++ unsigned char *app_data, *tmp_data;
+ unsigned int pattern_result, appdatalen;
+ regexp * comppattern;
+
+@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin,
+ master_conntrack = master_ct(master_conntrack);
+
+ /* if we've classified it or seen too many packets */
+- if(TOTAL_PACKETS > num_packets ||
+- master_conntrack->layer7.app_proto) {
++ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
++ master_conntrack->layer7.app_proto)) {
+
+ pattern_result = match_no_append(conntrack, master_conntrack,
+ ctinfo, master_ctinfo, info);
+@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin,
+ /* the return value gets checked later, when we're ready to use it */
+ comppattern = compile_and_cache(info->pattern, info->protocol);
+
++ if (info->pkt) {
++ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
++ if(!tmp_data){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
++ return info->invert;
++ }
++
++ tmp_data[0] = '\0';
++ add_datastr(tmp_data, 0, app_data, appdatalen);
++ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++
++ kfree(tmp_data);
++ tmp_data = NULL;
++ spin_unlock_bh(&l7_lock);
++
++ return (pattern_result ^ info->invert);
++ }
++
+ /* On the first packet of a connection, allocate space for app data */
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
+ !master_conntrack->layer7.app_data){
diff --git a/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables_0.8.patch
index b55aeb1eb3..38b50004eb 100644
--- a/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables.patch
+++ b/target/linux/generic-2.6/patches-2.6.24/170-netfilter_chaostables_0.8.patch
@@ -1,17 +1,17 @@
-Index: linux-2.6.23/include/linux/netfilter/oot_conntrack.h
+Index: linux-2.6.24/include/linux/netfilter/oot_conntrack.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/oot_conntrack.h 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.24/include/linux/netfilter/oot_conntrack.h
@@ -0,0 +1,5 @@
+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
+# include <linux/netfilter_ipv4/ip_conntrack.h>
+#else /* linux-2.6.20+ */
+# include <net/netfilter/nf_nat_rule.h>
+#endif
-Index: linux-2.6.23/include/linux/netfilter/oot_trans.h
+Index: linux-2.6.24/include/linux/netfilter/oot_trans.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/oot_trans.h 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.24/include/linux/netfilter/oot_trans.h
@@ -0,0 +1,14 @@
+/* Out of tree workarounds */
+#include <linux/version.h>
@@ -27,42 +27,42 @@ Index: linux-2.6.23/include/linux/netfilter/oot_trans.h
+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
+ tcp_v4_check((tcph_sz), (s), (d), (csp))
+#endif
-Index: linux-2.6.23/include/linux/netfilter/xt_CHAOS.h
+Index: linux-2.6.24/include/linux/netfilter/xt_CHAOS.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/xt_CHAOS.h 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.24/include/linux/netfilter/xt_CHAOS.h
@@ -0,0 +1,14 @@
-+#ifndef _LINUX_XT_CHAOS_H
-+#define _LINUX_XT_CHAOS_H 1
++#ifndef _LINUX_NETFILTER_XT_CHAOS_H
++#define _LINUX_NETFILTER_XT_CHAOS_H 1
+
-+enum xt_chaos_variant {
++enum xt_chaos_target_variant {
+ XTCHAOS_NORMAL,
+ XTCHAOS_TARPIT,
+ XTCHAOS_DELUDE,
+};
+
-+struct xt_chaos_info {
-+ enum xt_chaos_variant variant;
++struct xt_chaos_target_info {
++ uint8_t variant;
+};
+
-+#endif /* _LINUX_XT_CHAOS_H */
-Index: linux-2.6.23/include/linux/netfilter/xt_portscan.h
++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
+Index: linux-2.6.24/include/linux/netfilter/xt_portscan.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/include/linux/netfilter/xt_portscan.h 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.24/include/linux/netfilter/xt_portscan.h
@@ -0,0 +1,8 @@
-+#ifndef _LINUX_XT_PORTSCAN_H
-+#define _LINUX_XT_PORTSCAN_H 1
++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
+
-+struct xt_portscan_info {
-+ unsigned int match_stealth, match_syn, match_cn, match_gr;
++struct xt_portscan_match_info {
++ uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
-+#endif /* _LINUX_XT_PORTSCAN_H */
-Index: linux-2.6.23/net/netfilter/find_match.c
++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
+Index: linux-2.6.24/net/netfilter/find_match.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/find_match.c 2007-10-10 13:52:59.000000000 +0800
+--- /dev/null
++++ linux-2.6.24/net/netfilter/find_match.c
@@ -0,0 +1,39 @@
+/*
+ xt_request_find_match
@@ -95,7 +95,7 @@ Index: linux-2.6.23/net/netfilter/find_match.c
+
+ match = try_then_request_module(xt_find_match(af, name, revision),
+ "%st_%s", xt_prefix[af], name);
-+ if(IS_ERR(match) || match == NULL)
++ if (IS_ERR(match) || match == NULL)
+ return NULL;
+
+ return match;
@@ -103,11 +103,11 @@ Index: linux-2.6.23/net/netfilter/find_match.c
+
+/* In case it goes into mainline, let this out-of-tree package compile */
+#define xt_request_find_match xt_request_find_match_lo
-Index: linux-2.6.23/net/netfilter/Kconfig
+Index: linux-2.6.24/net/netfilter/Kconfig
===================================================================
---- linux-2.6.23.orig/net/netfilter/Kconfig 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/net/netfilter/Kconfig 2007-10-10 13:53:04.000000000 +0800
-@@ -265,6 +265,14 @@
+--- linux-2.6.24.orig/net/netfilter/Kconfig
++++ linux-2.6.24/net/netfilter/Kconfig
+@@ -265,6 +265,14 @@ config NETFILTER_XTABLES
# alphabetically ordered list of targets
@@ -122,7 +122,7 @@ Index: linux-2.6.23/net/netfilter/Kconfig
config NETFILTER_XT_TARGET_CLASSIFY
tristate '"CLASSIFY" target support'
depends on NETFILTER_XTABLES
-@@ -292,6 +300,14 @@
+@@ -292,6 +300,14 @@ config NETFILTER_XT_TARGET_CONNMARK
<file:Documentation/kbuild/modules.txt>. The module will be called
ipt_CONNMARK.ko. If unsure, say `N'.
@@ -137,7 +137,7 @@ Index: linux-2.6.23/net/netfilter/Kconfig
config NETFILTER_XT_TARGET_DSCP
tristate '"DSCP" target support'
depends on NETFILTER_XTABLES
-@@ -556,6 +572,14 @@
+@@ -556,6 +572,14 @@ config NETFILTER_XT_MATCH_POLICY
To compile it as a module, choose M here. If unsure, say N.
@@ -152,11 +152,11 @@ Index: linux-2.6.23/net/netfilter/Kconfig
config NETFILTER_XT_MATCH_MULTIPORT
tristate "Multiple port match support"
depends on NETFILTER_XTABLES
-Index: linux-2.6.23/net/netfilter/Makefile
+Index: linux-2.6.24/net/netfilter/Makefile
===================================================================
---- linux-2.6.23.orig/net/netfilter/Makefile 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/net/netfilter/Makefile 2007-10-10 13:52:59.000000000 +0800
-@@ -49,6 +49,8 @@
+--- linux-2.6.24.orig/net/netfilter/Makefile
++++ linux-2.6.24/net/netfilter/Makefile
+@@ -49,6 +49,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
@@ -165,24 +165,25 @@ Index: linux-2.6.23/net/netfilter/Makefile
# matches
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
-@@ -79,3 +81,4 @@
+@@ -79,3 +81,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING)
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
-Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+Index: linux-2.6.24/net/netfilter/xt_CHAOS.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_CHAOS.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,205 @@
+--- /dev/null
++++ linux-2.6.24/net/netfilter/xt_CHAOS.c
+@@ -0,0 +1,200 @@
+/*
-+ CHAOS target for netfilter
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ * CHAOS target for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
+#include <linux/icmp.h>
+#include <linux/in.h>
+#include <linux/ip.h>
@@ -193,9 +194,17 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+#include <linux/netfilter/xt_tcpudp.h>
+#include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <net/ip.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+#include "find_match.c"
-+#include <linux/netfilter/oot_trans.h>
++#if defined(_LOCAL)
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
++# include <linux/netfilter/xt_CHAOS.h>
++# include "find_match.c"
++#else
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#endif
+#define PFX KBUILD_MODNAME ": "
+
+/* Module parameters */
@@ -221,111 +230,97 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+};
+
+/* CHAOS functions */
-+static void xt_chaos_total(const struct xt_chaos_info *info,
++static void xt_chaos_total(const struct xt_chaos_target_info *info,
+ struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum)
+{
-+ const int protoff = ip_hdrlen(skb);
-+ const int offset = ntohs(ip_hdr(skb)->frag_off) & IP_OFFSET;
++ const struct iphdr *iph = ip_hdr(skb);
++ const int protoff = 4 * iph->ihl;
++ const int offset = ntohs(iph->frag_off) & IP_OFFSET;
+ const struct xt_target *destiny;
-+ bool hotdrop = false;
-+ int ret;
++ bool hotdrop = false, ret;
+
+ ret = xm_tcp->match(skb, in, out, xm_tcp, &tcp_params,
+ offset, protoff, &hotdrop);
-+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
+ return;
+
+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-+#ifdef HAVE_TARGUSERINFO
-+ destiny->target(skb, in, out, hooknum, destiny, NULL, NULL);
-+#else
+ destiny->target(skb, in, out, hooknum, destiny, NULL);
-+#endif
+ return;
+}
+
-+static unsigned int xt_chaos_target(struct sk_buff *skb,
++static unsigned int chaos_tg(struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
+{
-+ /* Equivalent to:
++ /*
++ * Equivalent to:
+ * -A chaos -m statistic --mode random --probability \
+ * $reject_percentage -j REJECT --reject-with host-unreach;
+ * -A chaos -p tcp -m statistic --mode random --probability \
+ * $delude_percentage -j DELUDE;
+ * -A chaos -j DROP;
+ */
-+ const struct xt_chaos_info *info = targinfo;
++ const struct xt_chaos_target_info *info = targinfo;
++ const struct iphdr *iph = ip_hdr(skb);
+
-+ if((unsigned int)net_random() <= reject_percentage)
-+#ifdef HAVE_TARGUSERINFO
-+ return xt_reject->target(skb, in, out, hooknum, target,
-+ &reject_params, userinfo);
-+#else
++ if ((unsigned int)net_random() <= reject_percentage)
+ return xt_reject->target(skb, in, out, hooknum, target,
+ &reject_params);
-+#endif
+
+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
-+ if(ip_hdr(skb)->protocol == IPPROTO_TCP &&
-+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
++ if (iph->protocol == IPPROTO_TCP &&
++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
+ xt_chaos_total(info, skb, in, out, hooknum);
+
+ return NF_DROP;
+}
+
-+static bool xt_chaos_checkentry(const char *tablename, const void *entry,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
++static bool chaos_tg_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo, unsigned int hook_mask)
+{
-+ const struct xt_chaos_info *info = targinfo;
-+ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
++ const struct xt_chaos_target_info *info = targinfo;
++
++ if (info->variant == XTCHAOS_DELUDE && !have_delude) {
+ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
+ "DELUDE module not available\n");
+ return false;
+ }
-+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
+ "TARPIT module not available\n");
+ return false;
+ }
++
+ return true;
+}
+
-+static struct xt_target xt_chaos_info = {
++static struct xt_target chaos_tg_reg = {
+ .name = "CHAOS",
-+ .target = xt_chaos_target,
-+ .checkentry = xt_chaos_checkentry,
++ .family = AF_INET,
+ .table = "filter",
-+ .targetsize = sizeof(struct xt_chaos_info),
+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
+ (1 << NF_IP_LOCAL_OUT),
-+ .family = AF_INET,
++ .checkentry = chaos_tg_check,
++ .target = chaos_tg,
++ .targetsize = sizeof(struct xt_chaos_target_info),
+ .me = THIS_MODULE,
+};
+
-+static int __init xt_chaos_init(void)
++static int __init chaos_tg_init(void)
+{
+ int ret = -EINVAL;
+
+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
-+ if(xm_tcp == NULL) {
++ if (xm_tcp == NULL) {
+ printk(KERN_WARNING PFX "Error: Could not find or load "
+ "\"tcp\" match\n");
+ return -EINVAL;
+ }
+
+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
-+ if(xt_reject == NULL) {
++ if (xt_reject == NULL) {
+ printk(KERN_WARNING PFX "Error: Could not find or load "
+ "\"REJECT\" target\n");
+ goto out2;
@@ -333,17 +328,17 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+
+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
+ have_tarpit = xt_tarpit != NULL;
-+ if(!have_tarpit)
++ if (!have_tarpit)
+ printk(KERN_WARNING PFX "Warning: Could not find or load "
+ "\"TARPIT\" target\n");
+
+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
+ have_delude = xt_delude != NULL;
-+ if(!have_delude)
++ if (!have_delude)
+ printk(KERN_WARNING PFX "Warning: Could not find or load "
+ "\"DELUDE\" target\n");
+
-+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
+ printk(KERN_WARNING PFX "xt_register_target returned "
+ "error %d\n", ret);
+ goto out3;
@@ -352,9 +347,9 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+ return 0;
+
+ out3:
-+ if(have_delude)
++ if (have_delude)
+ module_put(xt_delude->me);
-+ if(have_tarpit)
++ if (have_tarpit)
+ module_put(xt_tarpit->me);
+ module_put(xt_reject->me);
+ out2:
@@ -362,132 +357,67 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+ return ret;
+}
+
-+static void __exit xt_chaos_exit(void)
++static void __exit chaos_tg_exit(void)
+{
-+ xt_unregister_target(&xt_chaos_info);
++ xt_unregister_target(&chaos_tg_reg);
+ module_put(xm_tcp->me);
+ module_put(xt_reject->me);
-+ if(have_delude)
++ if (have_delude)
+ module_put(xt_delude->me);
-+ if(have_tarpit)
++ if (have_tarpit)
+ module_put(xt_tarpit->me);
+ return;
+}
+
-+module_init(xt_chaos_init);
-+module_exit(xt_chaos_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter CHAOS target");
++module_init(chaos_tg_init);
++module_exit(chaos_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_CHAOS");
-Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+Index: linux-2.6.24/net/netfilter/xt_DELUDE.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_DELUDE.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,288 @@
+--- /dev/null
++++ linux-2.6.24/net/netfilter/xt_DELUDE.c
+@@ -0,0 +1,197 @@
+/*
-+ DELUDE target
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
-+
-+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
-+ (C) 1999-2001 Paul `Rusty' Russell
-+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
-+
-+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ * DELUDE target
++ * Copyright © CC Computer Consultants GmbH, 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
++ * (C) 1999-2001 Paul `Rusty' Russell
++ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
++ *
++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
-+#include <linux/random.h>
+#include <linux/tcp.h>
-+#include <linux/udp.h>
-+#include <linux/icmp.h>
-+#include <net/icmp.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/route.h>
-+#include <net/dst.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter/x_tables.h>
+#ifdef CONFIG_BRIDGE_NETFILTER
+# include <linux/netfilter_bridge.h>
+#endif
-+#include <linux/netfilter/oot_trans.h>
++#include <net/tcp.h>
+#define PFX KBUILD_MODNAME ": "
+
-+static inline struct rtable *route_reverse(struct sk_buff *skb,
-+ struct tcphdr *tcph, int hook)
++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
+{
-+ struct iphdr *iph = ip_hdr(skb);
-+ struct dst_entry *odst;
-+ struct flowi fl = {};
-+ struct rtable *rt;
-+
-+ /* We don't require ip forwarding to be enabled to be able to
-+ * send a RST reply for bridged traffic. */
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ ) {
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ if (hook == NF_IP_LOCAL_IN)
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+ } else {
-+ /* non-local src, find valid iif to satisfy
-+ * rp-filter when calling ip_route_input. */
-+ fl.nl_u.ip4_u.daddr = iph->daddr;
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+
-+ odst = skb->dst;
-+ if (ip_route_input(skb, iph->saddr, iph->daddr,
-+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+ dst_release(&rt->u.dst);
-+ rt = (struct rtable *)skb->dst;
-+ skb->dst = odst;
-+
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+ }
-+
-+ if (rt->u.dst.error) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+
-+ fl.proto = IPPROTO_TCP;
-+ fl.fl_ip_sport = tcph->dest;
-+ fl.fl_ip_dport = tcph->source;
-+
-+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-+
-+ return rt;
-+}
-+
-+static void send_reset(struct sk_buff *oldskb, int hook)
-+{
-+ struct sk_buff *nskb;
-+ struct iphdr *iph = ip_hdr(oldskb);
+ struct tcphdr _otcph, *oth, *tcph;
-+ __be16 tmp_port;
-+ __be32 tmp_addr;
-+ int needs_ack;
+ unsigned int addr_type;
++ struct sk_buff *nskb;
++ u_int16_t tmp_port;
++ u_int32_t tmp_addr;
++ struct iphdr *niph;
++ bool needs_ack;
+
+ /* IP header checks: fragment. */
-+ if (iph->frag_off & htons(IP_OFFSET))
++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
+ return;
+
+ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
@@ -513,78 +443,75 @@ Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+
+ /* This packet will not be the same as the other: clear nf fields */
+ nf_reset(nskb);
-+ nskb->nfmark = 0;
++ nskb->mark = 0;
+ skb_init_secmark(nskb);
+
+ skb_shinfo(nskb)->gso_size = 0;
+ skb_shinfo(nskb)->gso_segs = 0;
+ skb_shinfo(nskb)->gso_type = 0;
+
-+ tcph = tcp_hdr(nskb);
++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
+
+ /* Swap source and dest */
-+ tmp_addr = ip_hdr(nskb)->saddr;
-+ ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
-+ ip_hdr(nskb)->daddr = tmp_addr;
-+ tmp_port = tcph->source;
++ niph = ip_hdr(nskb);
++ tmp_addr = niph->saddr;
++ niph->saddr = niph->daddr;
++ niph->daddr = tmp_addr;
++ tmp_port = tcph->source;
+ tcph->source = tcph->dest;
-+ tcph->dest = tmp_port;
++ tcph->dest = tmp_port;
+
+ /* Truncate to length (no data) */
-+ tcph->doff = sizeof(struct tcphdr)/4;
++ tcph->doff = sizeof(struct tcphdr) / 4;
+ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
-+ ip_hdr(nskb)->tot_len = htons(nskb->len);
++ niph->tot_len = htons(nskb->len);
+
-+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
+ /* DELUDE essential part */
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
+ oldskb->len - ip_hdrlen(oldskb) -
+ (oth->doff << 2));
-+ tcph->seq = htonl(secure_tcp_sequence_number(
-+ ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
-+ tcph->source, tcph->dest));
-+ tcph->ack = 1;
++ tcph->seq = false;
++ tcph->ack = true;
+ } else {
-+ if(!tcph->ack) {
-+ needs_ack = 1;
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
-+ + oldskb->len - ip_hdrlen(oldskb)
-+ - (oth->doff<<2));
-+ tcph->seq = 0;
++ if (!tcph->ack) {
++ needs_ack = true;
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn +
++ oth->fin + oldskb->len -
++ ip_hdrlen(oldskb) - (oth->doff<<2));
++ tcph->seq = false;
+ } else {
-+ needs_ack = 0;
-+ tcph->seq = oth->ack_seq;
-+ tcph->ack_seq = 0;
++ needs_ack = false;
++ tcph->seq = oth->ack_seq;
++ tcph->ack_seq = false;
+ }
+
+ /* Reset flags */
+ ((u_int8_t *)tcph)[13] = 0;
-+ tcph->rst = 1;
++ tcph->rst = true;
+ tcph->ack = needs_ack;
+ }
+
-+
-+ tcph->window = 0;
++ tcph->window = 0;
+ tcph->urg_ptr = 0;
+
+ /* Adjust TCP checksum */
+ tcph->check = 0;
-+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-+ ip_hdr(nskb)->saddr,
-+ ip_hdr(nskb)->daddr,
-+ csum_partial((char *)tcph,
-+ sizeof(struct tcphdr), 0));
++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
++ niph->daddr, csum_partial((char *)tcph,
++ sizeof(struct tcphdr), 0));
+
+ /* Set DF, id = 0 */
-+ ip_hdr(nskb)->frag_off = htons(IP_DF);
-+ ip_hdr(nskb)->id = 0;
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
+
+ addr_type = RTN_UNSPEC;
-+ if (hook != NF_IP_FORWARD
+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL &&
++ nskb->nf_bridge->mask & BRNF_BRIDGED))
++#else
++ if (hook != NF_IP_FORWARD)
+#endif
-+ )
+ addr_type = RTN_LOCAL;
+
+ if (ip_route_me_harder(nskb, addr_type))
@@ -593,12 +520,11 @@ Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+ nskb->ip_summed = CHECKSUM_NONE;
+
+ /* Adjust IP TTL */
-+ ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+
+ /* Adjust IP checksum */
-+ ip_hdr(nskb)->check = 0;
-+ ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
-+ ip_hdr(nskb)->ihl);
++ niph->check = 0;
++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
+
+ /* "Never happens" */
+ if (nskb->len > dst_mtu(nskb->dst))
@@ -614,78 +540,57 @@ Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+ kfree_skb(nskb);
+}
+
-+static unsigned int xt_delude_target(struct sk_buff *skb,
++static unsigned int delude_tg(struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
+{
+ /* WARNING: This code causes reentry within iptables.
+ This means that the iptables jump stack is now crap. We
+ must return an absolute verdict. --RR */
-+ send_reset(skb, hooknum);
++ delude_send_reset(skb, hooknum);
+ return NF_DROP;
+}
+
-+static bool xt_delude_check(const char *tablename, const void *e_void,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
-+ printk(KERN_WARNING PFX "DELUDE may not be used in chains "
-+ "other than INPUT and FORWARD\n");
-+ return false;
-+ }
-+ return true;
-+}
-+
-+static struct xt_target xt_delude_info = {
++static struct xt_target delude_tg_reg = {
+ .name = "DELUDE",
-+ .target = xt_delude_target,
-+ .checkentry = xt_delude_check,
++ .family = AF_INET,
+ .table = "filter",
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD),
++ .target = delude_tg,
+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
+ .me = THIS_MODULE,
+};
+
-+static int __init xt_delude_init(void)
++static int __init delude_tg_init(void)
+{
-+ return xt_register_target(&xt_delude_info);
++ return xt_register_target(&delude_tg_reg);
+}
+
-+static void __exit xt_delude_exit(void)
++static void __exit delude_tg_exit(void)
+{
-+ xt_unregister_target(&xt_delude_info);
++ xt_unregister_target(&delude_tg_reg);
+}
+
-+module_init(xt_delude_init);
-+module_exit(xt_delude_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter DELUDE target");
++module_init(delude_tg_init);
++module_exit(delude_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"DELUDE\" target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_DELUDE");
-Index: linux-2.6.23/net/netfilter/xt_portscan.c
+Index: linux-2.6.24/net/netfilter/xt_portscan.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.23/net/netfilter/xt_portscan.c 2007-10-10 13:52:59.000000000 +0800
-@@ -0,0 +1,272 @@
+--- /dev/null
++++ linux-2.6.24/net/netfilter/xt_portscan.c
+@@ -0,0 +1,269 @@
+/*
-+ portscan match for netfilter
-+
-+ Written by Jan Engelhardt, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ * portscan match for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/module.h>
@@ -697,9 +602,15 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+#include <linux/version.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter/oot_conntrack.h>
-+#include <linux/netfilter/xt_portscan.h>
-+#include <linux/netfilter/oot_trans.h>
++#include <net/netfilter/nf_nat_rule.h>
++#if defined(_LOCAL)
++# include "xt_portscan.h"
++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE)
++# include <linux/netfilter/xt_portscan.h>
++#else
++# include "xt_portscan.h"
++#endif
+#define PFX KBUILD_MODNAME ": "
+
+enum {
@@ -746,55 +657,55 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
+
+/* TCP flag functions */
-+static inline int tflg_ack4(const struct tcphdr *th)
++static inline bool tflg_ack4(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
+}
+
-+static inline int tflg_ack6(const struct tcphdr *th)
++static inline bool tflg_ack6(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
+}
+
-+static inline int tflg_fin(const struct tcphdr *th)
++static inline bool tflg_fin(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
+}
+
-+static inline int tflg_rst(const struct tcphdr *th)
++static inline bool tflg_rst(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
+}
+
-+static inline int tflg_rstack(const struct tcphdr *th)
++static inline bool tflg_rstack(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
+ (TCP_FLAG_ACK | TCP_FLAG_RST);
+}
+
-+static inline int tflg_syn(const struct tcphdr *th)
++static inline bool tflg_syn(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
+}
+
-+static inline int tflg_synack(const struct tcphdr *th)
++static inline bool tflg_synack(const struct tcphdr *th)
+{
+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
+ (TCP_FLAG_SYN | TCP_FLAG_ACK);
+}
+
+/* portscan functions */
-+static inline int xt_portscan_stealth(const struct tcphdr *th)
++static inline bool portscan_mt_stealth(const struct tcphdr *th)
+{
+ /*
+ * "Connection refused" replies to our own probes must not be matched.
+ */
-+ if(tflg_rstack(th))
-+ return 0;
++ if (tflg_rstack(th))
++ return false;
+
-+ if(tflg_rst(th) && printk_ratelimit()) {
++ if (tflg_rst(th) && printk_ratelimit()) {
+ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
-+ return 0;
++ return false;
+ }
+
+ /*
@@ -806,42 +717,43 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+ return !tflg_syn(th);
+}
+
-+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
-+ int loopback, const struct tcphdr *tcph, int payload_len)
++static inline unsigned int portscan_mt_full(int mark,
++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
++ unsigned int payload_len)
+{
-+ if(mark == mark_estab2) {
++ if (mark == mark_estab2) {
+ /*
+ * -m connmark --mark $ESTAB2
+ */
-+ if(tflg_ack4(tcph) && payload_len == 0)
++ if (tflg_ack4(tcph) && payload_len == 0)
+ return mark; /* keep mark */
-+ else if(tflg_rst(tcph) || tflg_fin(tcph))
++ else if (tflg_rst(tcph) || tflg_fin(tcph))
+ return mark_grscan;
+ else
+ return mark_valid;
-+ } else if(mark == mark_estab1) {
++ } else if (mark == mark_estab1) {
+ /*
+ * -m connmark --mark $ESTAB1
+ */
-+ if(tflg_rst(tcph) || tflg_fin(tcph))
++ if (tflg_rst(tcph) || tflg_fin(tcph))
+ return mark_cnscan;
-+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0)
+ return mark_estab2;
+ else
+ return mark_valid;
-+ } else if(mark == mark_synrcv) {
++ } else if (mark == mark_synrcv) {
+ /*
+ * -m connmark --mark $SYN
+ */
-+ if(loopback && tflg_synack(tcph))
++ if (loopback && tflg_synack(tcph))
+ return mark; /* keep mark */
-+ else if(loopback && tflg_rstack(tcph))
++ else if (loopback && tflg_rstack(tcph))
+ return mark_closed;
-+ else if(tflg_ack6(tcph))
++ else if (tflg_ack6(tcph))
+ return mark_estab1;
+ else
+ return mark_synscan;
-+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) {
+ /*
+ * -p tcp --syn --ctstate NEW
+ */
@@ -850,25 +762,25 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+ return mark;
+}
+
-+static bool xt_portscan_match(const struct sk_buff *skb,
++static bool portscan_mt(const struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out,
+ const struct xt_match *match, const void *matchinfo, int offset,
+ unsigned int protoff, bool *hotdrop)
+{
-+ const struct xt_portscan_info *info = matchinfo;
++ const struct xt_portscan_match_info *info = matchinfo;
+ enum ip_conntrack_info ctstate;
-+ struct nf_conn *ctdata;
+ const struct tcphdr *tcph;
++ struct nf_conn *ctdata;
+ struct tcphdr tcph_buf;
+
+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
-+ if(tcph == NULL)
++ if (tcph == NULL)
+ return false;
+
+ /* Check for invalid packets: -m conntrack --ctstate INVALID */
-+ if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-+ if(info->match_stealth)
-+ return xt_portscan_stealth(tcph);
++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
++ if (info->match_stealth)
++ return portscan_mt_stealth(tcph);
+ /*
+ * If @ctdata is NULL, we cannot match the other scan
+ * types, return.
@@ -881,17 +793,17 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+ * simulate must not be run through again. And for speedup, do not call
+ * it either when the connection is already VALID.
+ */
-+ if((ctdata->mark & connmark_mask) == mark_valid ||
-+ (skb->nfmark & packet_mask) != mark_seen)
-+ {
++ if ((ctdata->mark & connmark_mask) == mark_valid ||
++ (skb->mark & packet_mask) != mark_seen) {
+ unsigned int n;
-+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
-+ (in->flags && IFF_LOOPBACK) == IFF_LOOPBACK, tcph,
++
++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
++ (in->flags & IFF_LOOPBACK) == IFF_LOOPBACK, tcph,
+ skb->len - protoff - 4 * tcph->doff);
+
+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
-+ ((struct sk_buff *)skb)->nfmark =
-+ (skb->nfmark & ~packet_mask) | mark_seen;
++ ((struct sk_buff *)skb)->mark =
++ (skb->mark & ~packet_mask) ^ mark_seen;
+ }
+
+ return (info->match_syn && ctdata->mark == mark_synscan) ||
@@ -899,62 +811,51 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+ (info->match_gr && ctdata->mark == mark_grscan);
+}
+
-+static bool xt_portscan_checkentry(const char *tablename, const void *entry,
-+ const struct xt_match *match, void *matchinfo,
-+#ifdef HAVE_MATCHINFOSIZE
-+ unsigned int matchinfosize,
-+#endif
-+ unsigned int hook_mask)
++static bool portscan_mt_check(const char *tablename, const void *entry,
++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
+{
-+ const struct xt_portscan_info *info = matchinfo;
-+#ifdef HAVE_MATCHINFOSIZE
-+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
-+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
-+ matchinfosize,
-+ XT_ALIGN(sizeof(struct xt_portscan_info)));
-+ return false;
-+ }
-+#endif
-+ if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-+ (info->match_cn & ~1) || (info->match_gr & ~1)) {
++ const struct xt_portscan_match_info *info = matchinfo;
++
++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
++ (info->match_cn & ~1) || (info->match_gr & ~1)) {
+ printk(KERN_WARNING PFX "Invalid flags\n");
+ return false;
+ }
+ return true;
+}
+
-+static struct xt_match xt_portscan = {
++static struct xt_match portscan_mt_reg __read_mostly = {
+ .name = "portscan",
-+ .match = xt_portscan_match,
-+ .checkentry = xt_portscan_checkentry,
-+ .matchsize = sizeof(struct xt_portscan_info),
-+ .proto = IPPROTO_TCP,
+ .family = AF_INET,
++ .match = portscan_mt,
++ .checkentry = portscan_mt_check,
++ .matchsize = sizeof(struct xt_portscan_match_info),
++ .proto = IPPROTO_TCP,
+ .me = THIS_MODULE,
+};
+
-+static int __init xt_portscan_init(void)
++static int __init portscan_mt_init(void)
+{
-+ return xt_register_match(&xt_portscan);
++ return xt_register_match(&portscan_mt_reg);
+}
+
-+static void __exit xt_portscan_exit(void)
++static void __exit portscan_mt_exit(void)
+{
-+ xt_unregister_match(&xt_portscan);
++ xt_unregister_match(&portscan_mt_reg);
+ return;
+}
+
-+module_init(xt_portscan_init);
-+module_exit(xt_portscan_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter portscan match module");
++module_init(portscan_mt_init);
++module_exit(portscan_mt_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"portscan\" match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_portscan");
-Index: linux-2.6.23/drivers/char/random.c
+Index: linux-2.6.24/drivers/char/random.c
===================================================================
---- linux-2.6.23.orig/drivers/char/random.c 2007-10-10 04:31:38.000000000 +0800
-+++ linux-2.6.23/drivers/char/random.c 2007-10-10 13:52:59.000000000 +0800
-@@ -1564,6 +1564,8 @@
+--- linux-2.6.24.orig/drivers/char/random.c
++++ linux-2.6.24/drivers/char/random.c
+@@ -1564,6 +1564,8 @@ __u32 secure_tcp_sequence_number(__be32
return seq;
}
diff --git a/target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch b/target/linux/generic-2.6/patches/100-netfilter_layer7_2.17.patch
index 437f883e8a..52908b3076 100644
--- a/target/linux/generic-2.6/patches/100-netfilter_layer7_2.9.patch
+++ b/target/linux/generic-2.6/patches/100-netfilter_layer7_2.17.patch
@@ -1,80 +1,58 @@
-Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h
+Index: linux-2.6.21.7/net/netfilter/Kconfig
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 00:43:58.271086750 +0200
-@@ -0,0 +1,26 @@
-+/*
-+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
-+ http://l7-filter.sf.net
-+
-+ This program is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU General Public License
-+ as published by the Free Software Foundation; either version
-+ 2 of the License, or (at your option) any later version.
-+ http://www.gnu.org/licenses/gpl.txt
-+*/
-+
-+#ifndef _IPT_LAYER7_H
-+#define _IPT_LAYER7_H
-+
-+#define MAX_PATTERN_LEN 8192
-+#define MAX_PROTOCOL_LEN 256
+--- linux-2.6.21.7.orig/net/netfilter/Kconfig
++++ linux-2.6.21.7/net/netfilter/Kconfig
+@@ -640,6 +640,27 @@ config NETFILTER_XT_MATCH_STATE
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_LAYER7
++ tristate '"layer7" match support'
++ depends on NETFILTER_XTABLES
++ depends on EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK)
++ depends on NF_CT_ACCT
++ help
++ Say Y if you want to be able to classify connections (and their
++ packets) based on regular expression matching of their application
++ layer data. This is one way to classify applications such as
++ peer-to-peer filesharing systems that do not always use the same
++ port.
+
-+typedef char *(*proc_ipt_search) (char *, char, char *);
++ To compile it as a module, choose M here. If unsure, say N.
+
-+struct ipt_layer7_info {
-+ char protocol[MAX_PROTOCOL_LEN];
-+ char invert:1;
-+ char pattern[MAX_PATTERN_LEN];
-+};
++config NETFILTER_XT_MATCH_LAYER7_DEBUG
++ bool 'Layer 7 debugging output'
++ depends on NETFILTER_XT_MATCH_LAYER7
++ help
++ Say Y to get lots of debugging output.
+
-+#endif /* _IPT_LAYER7_H */
-Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c
-===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_core.c 2007-07-02 00:37:53.432285750 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_core.c 2007-07-02 00:37:55.496414750 +0200
-@@ -332,6 +332,13 @@
- * too. */
- ip_ct_remove_expectations(ct);
-
-+ #if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(ct->layer7.app_proto)
-+ kfree(ct->layer7.app_proto);
-+ if(ct->layer7.app_data)
-+ kfree(ct->layer7.app_data);
-+ #endif
+
- /* We overload first tuple to link into unconfirmed list. */
- if (!is_confirmed(ct)) {
- BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
-Index: linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c
+ config NETFILTER_XT_MATCH_STATISTIC
+ tristate '"statistic" match support'
+ depends on NETFILTER_XTABLES
+Index: linux-2.6.21.7/net/netfilter/Makefile
===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-07-02 00:37:53.440286250 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/ip_conntrack_standalone.c 2007-07-02 00:37:55.544417750 +0200
-@@ -188,6 +188,12 @@
- return -ENOSPC;
- #endif
-
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
-+ if(conntrack->layer7.app_proto)
-+ if (seq_printf(s, "l7proto=%s ",conntrack->layer7.app_proto))
-+ return 1;
-+#endif
-+
- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
- return -ENOSPC;
-
-Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+--- linux-2.6.21.7.orig/net/netfilter/Makefile
++++ linux-2.6.21.7/net/netfilter/Makefile
+@@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) +
+ obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_LAYER7) += xt_layer7.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
+Index: linux-2.6.21.7/net/netfilter/xt_layer7.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:27:54.195821750 +0200
-@@ -0,0 +1,583 @@
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_layer7.c
+@@ -0,0 +1,634 @@
+/*
+ Kernel module to match application layer (OSI layer 7) data in connections.
+
+ http://l7-filter.sf.net
+
-+ By Matthew Strait and Ethan Sommer, 2003-2006.
++ (C) 2003, 2004, 2005, 2006, 2007 Matthew Strait and Ethan Sommer.
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
@@ -82,37 +60,37 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ 2 of the License, or (at your option) any later version.
+ http://www.gnu.org/licenses/gpl.txt
+
-+ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>
-+ and cls_layer7.c (C) 2003 Matthew Strait, Ethan Sommer, Justin Levandoski
-+
-+ Jan Engelhardt, 2007-03-11: Arrange to compile with nf_conntrack
++ Based on ipt_string.c (C) 2000 Emmanuel Roger <winfield@freegates.be>,
++ xt_helper.c (C) 2002 Harald Welte and cls_layer7.c (C) 2003 Matthew Strait,
++ Ethan Sommer, Justin Levandoski.
+*/
+
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/proc_fs.h>
-+#include <linux/ctype.h>
++#include <linux/spinlock.h>
++#include <linux/version.h>
+#include <net/ip.h>
+#include <net/tcp.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter.h>
+#include <net/netfilter/nf_conntrack.h>
-+#include <net/netfilter/nf_nat_rule.h>
-+#include <linux/spinlock.h>
++#include <net/netfilter/nf_conntrack_core.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_layer7.h>
++#include <linux/ctype.h>
++#include <linux/proc_fs.h>
+
+#include "regexp/regexp.c"
+
-+#include <linux/netfilter_ipv4/ipt_layer7.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+
-+MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
+MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Matthew Strait <quadong@users.sf.net>, Ethan Sommer <sommere@users.sf.net>");
+MODULE_DESCRIPTION("iptables application layer match module");
-+MODULE_VERSION("2.0");
++MODULE_ALIAS("ipt_layer7");
++MODULE_VERSION("2.17");
+
+static int maxdatalen = 2048; // this is the default
+module_param(maxdatalen, int, 0444);
+MODULE_PARM_DESC(maxdatalen, "maximum bytes of data looked at by l7-filter");
-+
-+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
++#ifdef CONFIG_NETFILTER_XT_MATCH_LAYER7_DEBUG
+ #define DPRINTK(format,args...) printk(format,##args)
+#else
+ #define DPRINTK(format,args...)
@@ -131,23 +109,7 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ struct pattern_cache * next;
+} * first_pattern_cache = NULL;
+
-+/* I'm new to locking. Here are my assumptions:
-+
-+- No one will write to /proc/net/layer7_numpackets over and over very fast;
-+ if they did, nothing awful would happen.
-+
-+- This code will never be processing the same packet twice at the same time,
-+ because iptables rules are traversed in order.
-+
-+- It doesn't matter if two packets from different connections are in here at
-+ the same time, because they don't share any data.
-+
-+- It _does_ matter if two packets from the same connection (or one from a
-+ master and one from its child) are here at the same time. In this case,
-+ we have to protect the conntracks and the list of compiled patterns.
-+*/
-+DEFINE_RWLOCK(ct_lock);
-+DEFINE_SPINLOCK(list_lock);
++DEFINE_SPINLOCK(l7_lock);
+
+#ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
+/* Converts an unfriendly string into a friendly one by
@@ -159,7 +121,8 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+
+ if(!f) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in friendly_print, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in "
++ "friendly_print, bailing.\n");
+ return NULL;
+ }
+
@@ -176,14 +139,14 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+{
+ switch (i) {
+ case 0 ... 9:
-+ return (char)(i + '0');
++ return (i + '0');
+ break;
+ case 10 ... 15:
-+ return (char)(i - 10 + 'a');
++ return (i - 10 + 'a');
+ break;
+ default:
+ if (net_ratelimit())
-+ printk("Problem in dec2hex\n");
++ printk("layer7: Problem in dec2hex\n");
+ return '\0';
+ }
+}
@@ -195,7 +158,8 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+
+ if(!g) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in hex_print, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in hex_print, "
++ "bailing.\n");
+ return NULL;
+ }
+
@@ -212,7 +176,8 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+
+/* Use instead of regcomp. As we expect to be seeing the same regexps over and
+over again, it make sense to cache the results. */
-+static regexp * compile_and_cache(char * regex_string, char * protocol)
++static regexp * compile_and_cache(const char * regex_string,
++ const char * protocol)
+{
+ struct pattern_cache * node = first_pattern_cache;
+ struct pattern_cache * last_pattern_cache = first_pattern_cache;
@@ -234,7 +199,8 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+
+ if(!tmp) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
+ return NULL;
+ }
+
@@ -244,7 +210,8 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+
+ if(!tmp->regex_string || !tmp->pattern) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in compile_and_cache, bailing.\n");
++ printk(KERN_ERR "layer7: out of memory in "
++ "compile_and_cache, bailing.\n");
+ kfree(tmp->regex_string);
+ kfree(tmp->pattern);
+ kfree(tmp);
@@ -262,10 +229,12 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ /* copy the string and compile the regex */
+ len = strlen(regex_string);
+ DPRINTK("About to compile this: \"%s\"\n", regex_string);
-+ node->pattern = regcomp(regex_string, &len);
++ node->pattern = regcomp((char *)regex_string, &len);
+ if ( !node->pattern ) {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: Error compiling regexp \"%s\" (%s)\n", regex_string, protocol);
++ printk(KERN_ERR "layer7: Error compiling regexp "
++ "\"%s\" (%s)\n",
++ regex_string, protocol);
+ /* pattern is now cached as NULL, so we won't try again. */
+ }
+
@@ -275,11 +244,11 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+
+static int can_handle(const struct sk_buff *skb)
+{
-+ if(!skb->nh.iph) /* not IP */
++ if(!ip_hdr(skb)) /* not IP */
+ return 0;
-+ if(skb->nh.iph->protocol != IPPROTO_TCP &&
-+ skb->nh.iph->protocol != IPPROTO_UDP &&
-+ skb->nh.iph->protocol != IPPROTO_ICMP)
++ if(ip_hdr(skb)->protocol != IPPROTO_TCP &&
++ ip_hdr(skb)->protocol != IPPROTO_UDP &&
++ ip_hdr(skb)->protocol != IPPROTO_ICMP)
+ return 0;
+ return 1;
+}
@@ -287,11 +256,11 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+/* Returns offset the into the skb->data that the application data starts */
+static int app_data_offset(const struct sk_buff *skb)
+{
-+ /* In case we are ported somewhere (ebtables?) where skb->nh.iph
++ /* In case we are ported somewhere (ebtables?) where ip_hdr(skb)
+ isn't set, this can be gotten from 4*(skb->data[0] & 0x0f) as well. */
-+ int ip_hl = 4*skb->nh.iph->ihl;
++ int ip_hl = 4*ip_hdr(skb)->ihl;
+
-+ if( skb->nh.iph->protocol == IPPROTO_TCP ) {
++ if( ip_hdr(skb)->protocol == IPPROTO_TCP ) {
+ /* 12 == offset into TCP header for the header length field.
+ Can't get this with skb->h.th->doff because the tcphdr
+ struct doesn't get set when routing (this is confirmed to be
@@ -299,31 +268,36 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ int tcp_hl = 4*(skb->data[ip_hl + 12] >> 4);
+
+ return ip_hl + tcp_hl;
-+ } else if( skb->nh.iph->protocol == IPPROTO_UDP ) {
++ } else if( ip_hdr(skb)->protocol == IPPROTO_UDP ) {
+ return ip_hl + 8; /* UDP header is always 8 bytes */
-+ } else if( skb->nh.iph->protocol == IPPROTO_ICMP ) {
++ } else if( ip_hdr(skb)->protocol == IPPROTO_ICMP ) {
+ return ip_hl + 8; /* ICMP header is 8 bytes */
+ } else {
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: tried to handle unknown protocol!\n");
++ printk(KERN_ERR "layer7: tried to handle unknown "
++ "protocol!\n");
+ return ip_hl + 8; /* something reasonable */
+ }
+}
+
+/* handles whether there's a match when we aren't appending data anymore */
-+static int match_no_append(struct ip_conntrack * conntrack, struct ip_conntrack * master_conntrack,
-+ enum ip_conntrack_info ctinfo, enum ip_conntrack_info master_ctinfo,
-+ struct ipt_layer7_info * info)
++static int match_no_append(struct nf_conn * conntrack,
++ struct nf_conn * master_conntrack,
++ enum ip_conntrack_info ctinfo,
++ enum ip_conntrack_info master_ctinfo,
++ const struct xt_layer7_info * info)
+{
+ /* If we're in here, throw the app data away */
-+ write_lock(&ct_lock);
+ if(master_conntrack->layer7.app_data != NULL) {
+
+ #ifdef CONFIG_IP_NF_MATCH_LAYER7_DEBUG
+ if(!master_conntrack->layer7.app_proto) {
-+ char * f = friendly_print(master_conntrack->layer7.app_data);
-+ char * g = hex_print(master_conntrack->layer7.app_data);
-+ DPRINTK("\nl7-filter gave up after %d bytes (%d packets):\n%s\n",
++ char * f =
++ friendly_print(master_conntrack->layer7.app_data);
++ char * g =
++ hex_print(master_conntrack->layer7.app_data);
++ DPRINTK("\nl7-filter gave up after %d bytes "
++ "(%d packets):\n%s\n",
+ strlen(f), TOTAL_PACKETS, f);
+ kfree(f);
+ DPRINTK("In hex: %s\n", g);
@@ -334,53 +308,54 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ kfree(master_conntrack->layer7.app_data);
+ master_conntrack->layer7.app_data = NULL; /* don't free again */
+ }
-+ write_unlock(&ct_lock);
+
+ if(master_conntrack->layer7.app_proto){
-+ /* Here child connections set their .app_proto (for /proc/net/ip_conntrack) */
-+ write_lock(&ct_lock);
++ /* Here child connections set their .app_proto (for /proc) */
+ if(!conntrack->layer7.app_proto) {
-+ conntrack->layer7.app_proto = kmalloc(strlen(master_conntrack->layer7.app_proto)+1, GFP_ATOMIC);
++ conntrack->layer7.app_proto =
++ kmalloc(strlen(master_conntrack->layer7.app_proto)+1,
++ GFP_ATOMIC);
+ if(!conntrack->layer7.app_proto){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory "
++ "in match_no_append, "
++ "bailing.\n");
+ return 1;
+ }
-+ strcpy(conntrack->layer7.app_proto, master_conntrack->layer7.app_proto);
++ strcpy(conntrack->layer7.app_proto,
++ master_conntrack->layer7.app_proto);
+ }
-+ write_unlock(&ct_lock);
+
-+ return (!strcmp(master_conntrack->layer7.app_proto, info->protocol));
++ return (!strcmp(master_conntrack->layer7.app_proto,
++ info->protocol));
+ }
+ else {
+ /* If not classified, set to "unknown" to distinguish from
+ connections that are still being tested. */
-+ write_lock(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen("unknown")+1, GFP_ATOMIC);
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen("unknown")+1, GFP_ATOMIC);
+ if(!master_conntrack->layer7.app_proto){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match_no_append, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory in "
++ "match_no_append, bailing.\n");
+ return 1;
+ }
+ strcpy(master_conntrack->layer7.app_proto, "unknown");
-+ write_unlock(&ct_lock);
+ return 0;
+ }
+}
+
+/* add the new app data to the conntrack. Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack,
-+ char * app_data, int appdatalen)
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
+{
+ int length = 0, i;
+ int oldlength = master_conntrack->layer7.app_data_len;
+
-+ // This is a fix for a race condition by Deti Fliegl. However, I'm not
-+ // clear on whether the race condition exists or whether this really
-+ // fixes it. I might just be being dense... Anyway, if it's not really
-+ // a fix, all it does is waste a very small amount of time.
++ /* This is a fix for a race condition by Deti Fliegl. However, I'm not
++ clear on whether the race condition exists or whether this really
++ fixes it. I might just be being dense... Anyway, if it's not really
++ a fix, all it does is waste a very small amount of time. */
+ if(!master_conntrack->layer7.app_data) return 0;
+
+ /* Strip nulls. Make everything lower case (our regex lib doesn't
@@ -388,9 +363,10 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ for(i = 0; i < maxdatalen-oldlength-1 &&
+ i < appdatalen; i++) {
+ if(app_data[i] != '\0') {
++ /* the kernel version of tolower mungs 'upper ascii' */
+ master_conntrack->layer7.app_data[length+oldlength] =
-+ /* the kernel version of tolower mungs 'upper ascii' */
-+ isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
++ isascii(app_data[i])?
++ tolower(app_data[i]) : app_data[i];
+ length++;
+ }
+ }
@@ -401,33 +377,109 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ return length;
+}
+
-+/* Returns true on match and false otherwise. */
-+static int match(const struct sk_buff *skbin,
-+ const struct net_device *in, const struct net_device *out,
-+ const struct xt_match *match, const void *matchinfo,
-+ int offset, unsigned int protoff, int *hotdrop)
++/* taken from drivers/video/modedb.c */
++static int my_atoi(const char *s)
++{
++ int val = 0;
++
++ for (;; s++) {
++ switch (*s) {
++ case '0'...'9':
++ val = 10*val+(*s-'0');
++ break;
++ default:
++ return val;
++ }
++ }
++}
++
++/* write out num_packets to userland. */
++static int layer7_read_proc(char* page, char ** start, off_t off, int count,
++ int* eof, void * data)
++{
++ if(num_packets > 99 && net_ratelimit())
++ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
++
++ page[0] = num_packets/10 + '0';
++ page[1] = num_packets%10 + '0';
++ page[2] = '\n';
++ page[3] = '\0';
++
++ *eof=1;
++
++ return 3;
++}
++
++/* Read in num_packets from userland */
++static int layer7_write_proc(struct file* file, const char* buffer,
++ unsigned long count, void *data)
++{
++ char * foo = kmalloc(count, GFP_ATOMIC);
++
++ if(!foo){
++ if (net_ratelimit())
++ printk(KERN_ERR "layer7: out of memory, bailing. "
++ "num_packets unchanged.\n");
++ return count;
++ }
++
++ if(copy_from_user(foo, buffer, count)) {
++ return -EFAULT;
++ }
++
++
++ num_packets = my_atoi(foo);
++ kfree (foo);
++
++ /* This has an arbitrary limit to make the math easier. I'm lazy.
++ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
++ if(num_packets > 99) {
++ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
++ num_packets = 99;
++ } else if(num_packets < 1) {
++ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
++ num_packets = 1;
++ }
++
++ return count;
++}
++
++static int
++match(const struct sk_buff *skbin,
++ const struct net_device *in,
++ const struct net_device *out,
++ const struct xt_match *match,
++ const void *matchinfo,
++ int offset,
++ unsigned int protoff,
++ int *hotdrop)
+{
+ /* sidestep const without getting a compiler warning... */
+ struct sk_buff * skb = (struct sk_buff *)skbin;
+
-+ struct ipt_layer7_info * info = (struct ipt_layer7_info *)matchinfo;
++ const struct xt_layer7_info * info = matchinfo;
+ enum ip_conntrack_info master_ctinfo, ctinfo;
-+ struct nf_conn *master_conntrack;
-+ struct ip_conntrack *conntrack;
++ struct nf_conn *master_conntrack, *conntrack;
+ unsigned char * app_data;
+ unsigned int pattern_result, appdatalen;
+ regexp * comppattern;
+
++ /* Be paranoid/incompetent - lock the entire match function. */
++ spin_lock_bh(&l7_lock);
++
+ if(!can_handle(skb)){
+ DPRINTK("layer7: This is some protocol I can't handle.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+
+ /* Treat parent & all its children together as one connection, except
+ for the purpose of setting conntrack->layer7.app_proto in the actual
+ connection. This makes /proc/net/ip_conntrack more satisfying. */
-+ if(((conntrack = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) == NULL) ||
-+ ((master_conntrack = ip_conntrack_get((struct sk_buff *)skb, &master_ctinfo)) == NULL)) {
++ if(!(conntrack = nf_ct_get(skb, &ctinfo)) ||
++ !(master_conntrack=nf_ct_get(skb,&master_ctinfo))){
++ DPRINTK("layer7: couldn't get conntrack.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+
@@ -439,95 +491,100 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ if(TOTAL_PACKETS > num_packets ||
+ master_conntrack->layer7.app_proto) {
+
-+ pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
++ pattern_result = match_no_append(conntrack, master_conntrack,
++ ctinfo, master_ctinfo, info);
+
-+ /* skb->cb[0] == seen. Don't do things twice if there are multiple l7
-+ rules. I'm not sure that using cb for this purpose is correct, even though
-+ it says "put your private variables there". But it doesn't look like it
-+ is being used for anything else in the skbs that make it here. */
-+ skb->cb[0] = 1; /* marking it seen here is probably irrelevant, but consistant */
++ /* skb->cb[0] == seen. Don't do things twice if there are
++ multiple l7 rules. I'm not sure that using cb for this purpose
++ is correct, even though it says "put your private variables
++ there". But it doesn't look like it is being used for anything
++ else in the skbs that make it here. */
++ skb->cb[0] = 1; /* marking it seen here's probably irrelevant */
+
++ spin_unlock_bh(&l7_lock);
+ return (pattern_result ^ info->invert);
+ }
+
+ if(skb_is_nonlinear(skb)){
+ if(skb_linearize(skb) != 0){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: failed to linearize packet, bailing.\n");
++ printk(KERN_ERR "layer7: failed to linearize "
++ "packet, bailing.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+ }
+
+ /* now that the skb is linearized, it's safe to set these. */
+ app_data = skb->data + app_data_offset(skb);
-+ appdatalen = skb->tail - app_data;
++ appdatalen = skb_tail_pointer(skb) - app_data;
+
-+ spin_lock_bh(&list_lock);
+ /* the return value gets checked later, when we're ready to use it */
+ comppattern = compile_and_cache(info->pattern, info->protocol);
-+ spin_unlock_bh(&list_lock);
+
+ /* On the first packet of a connection, allocate space for app data */
-+ write_lock(&ct_lock);
-+ if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
-+ master_conntrack->layer7.app_data = kmalloc(maxdatalen, GFP_ATOMIC);
++ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
++ !master_conntrack->layer7.app_data){
++ master_conntrack->layer7.app_data =
++ kmalloc(maxdatalen, GFP_ATOMIC);
+ if(!master_conntrack->layer7.app_data){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+
+ master_conntrack->layer7.app_data[0] = '\0';
+ }
-+ write_unlock(&ct_lock);
+
+ /* Can be here, but unallocated, if numpackets is increased near
+ the beginning of a connection */
-+ if(master_conntrack->layer7.app_data == NULL)
++ if(master_conntrack->layer7.app_data == NULL){
++ spin_unlock_bh(&l7_lock);
+ return (info->invert); /* unmatched */
++ }
+
+ if(!skb->cb[0]){
+ int newbytes;
-+ write_lock(&ct_lock);
+ newbytes = add_data(master_conntrack, app_data, appdatalen);
-+ write_unlock(&ct_lock);
+
+ if(newbytes == 0) { /* didn't add any data */
+ skb->cb[0] = 1;
+ /* Didn't match before, not going to match now */
++ spin_unlock_bh(&l7_lock);
+ return info->invert;
+ }
+ }
+
+ /* If looking for "unknown", then never match. "Unknown" means that
+ we've given up; we're still trying with these packets. */
-+ read_lock(&ct_lock);
+ if(!strcmp(info->protocol, "unknown")) {
+ pattern_result = 0;
+ /* If looking for "unset", then always match. "Unset" means that we
+ haven't yet classified the connection. */
+ } else if(!strcmp(info->protocol, "unset")) {
+ pattern_result = 2;
-+ DPRINTK("layer7: matched unset: not yet classified (%d/%d packets)\n", TOTAL_PACKETS, num_packets);
++ DPRINTK("layer7: matched unset: not yet classified "
++ "(%d/%d packets)\n", TOTAL_PACKETS, num_packets);
+ /* If the regexp failed to compile, don't bother running it */
-+ } else if(comppattern && regexec(comppattern, master_conntrack->layer7.app_data)) {
++ } else if(comppattern &&
++ regexec(comppattern, master_conntrack->layer7.app_data)){
+ DPRINTK("layer7: matched %s\n", info->protocol);
+ pattern_result = 1;
+ } else pattern_result = 0;
-+ read_unlock(&ct_lock);
+
+ if(pattern_result == 1) {
-+ write_lock(&ct_lock);
-+ master_conntrack->layer7.app_proto = kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
++ master_conntrack->layer7.app_proto =
++ kmalloc(strlen(info->protocol)+1, GFP_ATOMIC);
+ if(!master_conntrack->layer7.app_proto){
+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory in match, bailing.\n");
-+ write_unlock(&ct_lock);
++ printk(KERN_ERR "layer7: out of memory in "
++ "match, bailing.\n");
++ spin_unlock_bh(&l7_lock);
+ return (pattern_result ^ info->invert);
+ }
+ strcpy(master_conntrack->layer7.app_proto, info->protocol);
-+ write_unlock(&ct_lock);
+ } else if(pattern_result > 1) { /* cleanup from "unset" */
+ pattern_result = 1;
+ }
@@ -535,169 +592,99 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ /* mark the packet seen */
+ skb->cb[0] = 1;
+
++ spin_unlock_bh(&l7_lock);
+ return (pattern_result ^ info->invert);
+}
+
-+static struct xt_match layer7_match = {
-+ .name = "layer7",
-+ .match = &match,
-+ .matchsize = sizeof(struct ipt_layer7_info),
-+ .family = AF_INET,
-+ .me = THIS_MODULE
-+};
++static int check(const char *tablename,
++ const void *inf,
++ const struct xt_match *match,
++ void *matchinfo,
++ unsigned int hook_mask)
+
-+/* taken from drivers/video/modedb.c */
-+static int my_atoi(const char *s)
+{
-+ int val = 0;
-+
-+ for (;; s++) {
-+ switch (*s) {
-+ case '0'...'9':
-+ val = 10*val+(*s-'0');
-+ break;
-+ default:
-+ return val;
-+ }
-+ }
++ // load nf_conntrack_ipv4
++ if (nf_ct_l3proto_try_module_get(match->family) < 0) {
++ printk(KERN_WARNING "can't load conntrack support for "
++ "proto=%d\n", match->family);
++ return false;
++ }
++ return true;
+}
+
-+/* write out num_packets to userland. */
-+static int layer7_read_proc(char* page, char ** start, off_t off, int count,
-+ int* eof, void * data)
++static void
++destroy(const struct xt_match *match, void *matchinfo)
+{
-+ if(num_packets > 99 && net_ratelimit())
-+ printk(KERN_ERR "layer7: NOT REACHED. num_packets too big\n");
-+
-+ page[0] = num_packets/10 + '0';
-+ page[1] = num_packets%10 + '0';
-+ page[2] = '\n';
-+ page[3] = '\0';
-+
-+ *eof=1;
-+
-+ return 3;
++ nf_ct_l3proto_module_put(match->family);
+}
+
-+/* Read in num_packets from userland */
-+static int layer7_write_proc(struct file* file, const char* buffer,
-+ unsigned long count, void *data)
++static struct xt_match xt_layer7_match[] = {
+{
-+ char * foo = kmalloc(count, GFP_ATOMIC);
-+
-+ if(!foo){
-+ if (net_ratelimit())
-+ printk(KERN_ERR "layer7: out of memory, bailing. num_packets unchanged.\n");
-+ return count;
-+ }
-+
-+ if(copy_from_user(foo, buffer, count)) {
-+ return -EFAULT;
-+ }
-+
-+
-+ num_packets = my_atoi(foo);
-+ kfree (foo);
-+
-+ /* This has an arbitrary limit to make the math easier. I'm lazy.
-+ But anyway, 99 is a LOT! If you want more, you're doing it wrong! */
-+ if(num_packets > 99) {
-+ printk(KERN_WARNING "layer7: num_packets can't be > 99.\n");
-+ num_packets = 99;
-+ } else if(num_packets < 1) {
-+ printk(KERN_WARNING "layer7: num_packets can't be < 1.\n");
-+ num_packets = 1;
-+ }
++ .name = "layer7",
++ .family = AF_INET,
++ .checkentry = check,
++ .match = match,
++ .destroy = destroy,
++ .matchsize = sizeof(struct xt_layer7_info),
++ .me = THIS_MODULE
++}
++};
+
-+ return count;
++static void layer7_cleanup_proc(void)
++{
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
++ remove_proc_entry("layer7_numpackets", proc_net);
++#else
++ remove_proc_entry("layer7_numpackets", init_net.proc_net);
++#endif
+}
+
+/* register the proc file */
+static void layer7_init_proc(void)
+{
+ struct proc_dir_entry* entry;
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,23)
+ entry = create_proc_entry("layer7_numpackets", 0644, proc_net);
++#else
++ entry = create_proc_entry("layer7_numpackets", 0644, init_net.proc_net);
++#endif
+ entry->read_proc = layer7_read_proc;
+ entry->write_proc = layer7_write_proc;
+}
+
-+static void layer7_cleanup_proc(void)
-+{
-+ remove_proc_entry("layer7_numpackets", proc_net);
-+}
-+
-+static int __init ipt_layer7_init(void)
++static int __init xt_layer7_init(void)
+{
+ need_conntrack();
+
+ layer7_init_proc();
+ if(maxdatalen < 1) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, using 1\n");
++ printk(KERN_WARNING "layer7: maxdatalen can't be < 1, "
++ "using 1\n");
+ maxdatalen = 1;
+ }
+ /* This is not a hard limit. It's just here to prevent people from
+ bringing their slow machines to a grinding halt. */
+ else if(maxdatalen > 65536) {
-+ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, using 65536\n");
++ printk(KERN_WARNING "layer7: maxdatalen can't be > 65536, "
++ "using 65536\n");
+ maxdatalen = 65536;
+ }
-+ return xt_register_match(&layer7_match);
++ return xt_register_matches(xt_layer7_match,
++ ARRAY_SIZE(xt_layer7_match));
+}
+
-+static void __exit ipt_layer7_fini(void)
++static void __exit xt_layer7_fini(void)
+{
+ layer7_cleanup_proc();
-+ xt_unregister_match(&layer7_match);
++ xt_unregister_matches(xt_layer7_match, ARRAY_SIZE(xt_layer7_match));
+}
+
-+module_init(ipt_layer7_init);
-+module_exit(ipt_layer7_fini);
-Index: linux-2.6.21.5/net/ipv4/netfilter/Kconfig
-===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/Kconfig 2007-07-02 00:37:53.456287250 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/Kconfig 2007-07-02 01:21:17.231013000 +0200
-@@ -245,6 +245,24 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config IP_NF_MATCH_LAYER7
-+ tristate "Layer 7 match support (EXPERIMENTAL)"
-+ depends on IP_NF_IPTABLES && NF_CT_ACCT && NF_CONNTRACK && EXPERIMENTAL
-+ help
-+ Say Y if you want to be able to classify connections (and their
-+ packets) based on regular expression matching of their application
-+ layer data. This is one way to classify applications such as
-+ peer-to-peer filesharing systems that do not always use the same
-+ port.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
-+config IP_NF_MATCH_LAYER7_DEBUG
-+ bool "Layer 7 debugging output"
-+ depends on IP_NF_MATCH_LAYER7
-+ help
-+ Say Y to get lots of debugging output.
-+
- config IP_NF_MATCH_TOS
- tristate "TOS match support"
- depends on IP_NF_IPTABLES
-Index: linux-2.6.21.5/net/ipv4/netfilter/Makefile
++module_init(xt_layer7_init);
++module_exit(xt_layer7_fini);
+Index: linux-2.6.21.7/net/netfilter/regexp/regexp.c
===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/Makefile 2007-07-02 00:37:53.464287750 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/Makefile 2007-07-02 00:43:58.191081750 +0200
-@@ -92,6 +92,8 @@
- obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
- obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
-
-+obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
-+
- # targets
- obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
- obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o
-Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c 2007-07-02 00:37:55.648424250 +0200
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/regexp/regexp.c
@@ -0,0 +1,1197 @@
+/*
+ * regcomp and regexec -- regsub and regerror are elsewhere
@@ -1896,10 +1883,10 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.c
+#endif
+
+
-Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h
+Index: linux-2.6.21.7/net/netfilter/regexp/regexp.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h 2007-07-02 00:37:55.700427500 +0200
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/regexp/regexp.h
@@ -0,0 +1,41 @@
+/*
+ * Definitions etc. for regexp(3) routines.
@@ -1942,20 +1929,20 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regexp.h
+void regerror(char *s);
+
+#endif
-Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h
+Index: linux-2.6.21.7/net/netfilter/regexp/regmagic.h
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regmagic.h 2007-07-02 00:37:55.724429000 +0200
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/regexp/regmagic.h
@@ -0,0 +1,5 @@
+/*
+ * The first byte of the regexp internal "program" is actually this magic
+ * number; the start node begins in the second byte.
+ */
+#define MAGIC 0234
-Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c
+Index: linux-2.6.21.7/net/netfilter/regexp/regsub.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c 2007-07-02 00:37:55.752430750 +0200
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/regexp/regsub.c
@@ -0,0 +1,95 @@
+/*
+ * regsub
@@ -2052,15 +2039,53 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/regexp/regsub.c
+ }
+ *dst++ = '\0';
+}
-Index: linux-2.6.21.5/include/net/netfilter/nf_conntrack.h
+Index: linux-2.6.21.7/net/netfilter/nf_conntrack_core.c
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/nf_conntrack_core.c
++++ linux-2.6.21.7/net/netfilter/nf_conntrack_core.c
+@@ -352,6 +352,14 @@ destroy_conntrack(struct nf_conntrack *n
+ * too. */
+ nf_ct_remove_expectations(ct);
+
++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(ct->layer7.app_proto)
++ kfree(ct->layer7.app_proto);
++ if(ct->layer7.app_data)
++ kfree(ct->layer7.app_data);
++ #endif
++
++
+ /* We overload first tuple to link into unconfirmed list. */
+ if (!nf_ct_is_confirmed(ct)) {
+ BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
+Index: linux-2.6.21.7/net/netfilter/nf_conntrack_standalone.c
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/nf_conntrack_standalone.c
++++ linux-2.6.21.7/net/netfilter/nf_conntrack_standalone.c
+@@ -195,7 +195,12 @@ static int ct_seq_show(struct seq_file *
+ return -ENOSPC;
+ #endif
+
+- if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use)))
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
++ if(conntrack->layer7.app_proto)
++ if(seq_printf(s, "l7proto=%s ", conntrack->layer7.app_proto))
++ return -ENOSPC;
++#endif
++ if (seq_printf(s, "asdfuse=%u\n", atomic_read(&conntrack->ct_general.use)))
+ return -ENOSPC;
+
+ return 0;
+Index: linux-2.6.21.7/include/net/netfilter/nf_conntrack.h
===================================================================
---- linux-2.6.21.5.orig/include/net/netfilter/nf_conntrack.h 2007-07-02 00:49:22.815369500 +0200
-+++ linux-2.6.21.5/include/net/netfilter/nf_conntrack.h 2007-07-02 00:56:21.413530250 +0200
-@@ -128,6 +128,21 @@
+--- linux-2.6.21.7.orig/include/net/netfilter/nf_conntrack.h
++++ linux-2.6.21.7/include/net/netfilter/nf_conntrack.h
+@@ -128,6 +128,22 @@ struct nf_conn
u_int32_t secmark;
#endif
-+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
++#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE)
+ struct {
+ /*
+ * e.g. "http". NULL before decision. "unknown" after decision
@@ -2078,3 +2103,21 @@ Index: linux-2.6.21.5/include/net/netfilter/nf_conntrack.h
/* Storage reserved for other modules: */
union nf_conntrack_proto proto;
+Index: linux-2.6.21.7/include/linux/netfilter/xt_layer7.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/xt_layer7.h
+@@ -0,0 +1,13 @@
++#ifndef _XT_LAYER7_H
++#define _XT_LAYER7_H
++
++#define MAX_PATTERN_LEN 8192
++#define MAX_PROTOCOL_LEN 256
++
++struct xt_layer7_info {
++ char protocol[MAX_PROTOCOL_LEN];
++ char pattern[MAX_PATTERN_LEN];
++ u_int8_t invert;
++};
++
++#endif /* _XT_LAYER7_H */
diff --git a/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch b/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch
index 966353ad2f..cabffacc14 100644
--- a/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch
+++ b/target/linux/generic-2.6/patches/101-netfilter_layer7_pktmatch.patch
@@ -1,37 +1,37 @@
-Index: linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h
+Index: linux-2.6.21.7/include/linux/netfilter/xt_layer7.h
===================================================================
---- linux-2.6.21.5.orig/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 00:43:58.271086750 +0200
-+++ linux-2.6.21.5/include/linux/netfilter_ipv4/ipt_layer7.h 2007-07-02 01:36:08.914739750 +0200
-@@ -21,6 +21,7 @@
+--- linux-2.6.21.7.orig/include/linux/netfilter/xt_layer7.h
++++ linux-2.6.21.7/include/linux/netfilter/xt_layer7.h
+@@ -8,6 +8,7 @@ struct xt_layer7_info {
char protocol[MAX_PROTOCOL_LEN];
- char invert:1;
char pattern[MAX_PATTERN_LEN];
-+ char pkt;
+ u_int8_t invert;
++ u_int8_t pkt;
};
- #endif /* _IPT_LAYER7_H */
-Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ #endif /* _XT_LAYER7_H */
+Index: linux-2.6.21.7/net/netfilter/xt_layer7.c
===================================================================
---- linux-2.6.21.5.orig/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:27:54.195821750 +0200
-+++ linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c 2007-07-02 01:37:01.990056750 +0200
-@@ -299,33 +299,34 @@
- }
+--- linux-2.6.21.7.orig/net/netfilter/xt_layer7.c
++++ linux-2.6.21.7/net/netfilter/xt_layer7.c
+@@ -297,34 +297,36 @@ static int match_no_append(struct nf_con
}
--/* add the new app data to the conntrack. Return number of bytes added. */
--static int add_data(struct ip_conntrack * master_conntrack,
-- char * app_data, int appdatalen)
+ /* add the new app data to the conntrack. Return number of bytes added. */
+-static int add_data(struct nf_conn * master_conntrack,
+- char * app_data, int appdatalen)
+static int add_datastr(char *target, int offset, char *app_data, int len)
{
int length = 0, i;
- int oldlength = master_conntrack->layer7.app_data_len;
-
-- // This is a fix for a race condition by Deti Fliegl. However, I'm not
-- // clear on whether the race condition exists or whether this really
-- // fixes it. I might just be being dense... Anyway, if it's not really
-- // a fix, all it does is waste a very small amount of time.
+- /* This is a fix for a race condition by Deti Fliegl. However, I'm not
+- clear on whether the race condition exists or whether this really
+- fixes it. I might just be being dense... Anyway, if it's not really
+- a fix, all it does is waste a very small amount of time. */
- if(!master_conntrack->layer7.app_data) return 0;
-+ if(!target) return 0;
++
++ if (!target) return 0;
/* Strip nulls. Make everything lower case (our regex lib doesn't
do case insensitivity). Add it to the end of the current data. */
@@ -39,54 +39,55 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
- i < appdatalen; i++) {
+ for(i = 0; i < maxdatalen-offset-1 && i < len; i++) {
if(app_data[i] != '\0') {
+ /* the kernel version of tolower mungs 'upper ascii' */
- master_conntrack->layer7.app_data[length+oldlength] =
+ target[length+offset] =
- /* the kernel version of tolower mungs 'upper ascii' */
- isascii(app_data[i])? tolower(app_data[i]) : app_data[i];
+ isascii(app_data[i])?
+ tolower(app_data[i]) : app_data[i];
length++;
}
}
+ target[length+offset] = '\0';
++
++ return length;
++}
- master_conntrack->layer7.app_data[length+oldlength] = '\0';
- master_conntrack->layer7.app_data_len = length + oldlength;
-+ return length;
-+}
-+
+/* add the new app data to the conntrack. Return number of bytes added. */
-+static int add_data(struct ip_conntrack * master_conntrack,
-+ char * app_data, int appdatalen)
++static int add_data(struct nf_conn * master_conntrack,
++ char * app_data, int appdatalen)
+{
+ int length;
-+
+
+ length = add_datastr(master_conntrack->layer7.app_data, master_conntrack->layer7.app_data_len, app_data, appdatalen);
+ master_conntrack->layer7.app_data_len += length;
-
return length;
}
-@@ -343,7 +344,7 @@
+
+@@ -411,7 +413,7 @@ match(const struct sk_buff *skbin,
+ const struct xt_layer7_info * info = matchinfo;
enum ip_conntrack_info master_ctinfo, ctinfo;
- struct nf_conn *master_conntrack;
- struct ip_conntrack *conntrack;
+ struct nf_conn *master_conntrack, *conntrack;
- unsigned char * app_data;
+ unsigned char *app_data, *tmp_data;
unsigned int pattern_result, appdatalen;
regexp * comppattern;
-@@ -365,8 +366,8 @@
+@@ -439,8 +441,8 @@ match(const struct sk_buff *skbin,
master_conntrack = master_ct(master_conntrack);
/* if we've classified it or seen too many packets */
- if(TOTAL_PACKETS > num_packets ||
- master_conntrack->layer7.app_proto) {
+ if(!info->pkt && (TOTAL_PACKETS > num_packets ||
-+ master_conntrack->layer7.app_proto)) {
-
- pattern_result = match_no_append(conntrack, master_conntrack, ctinfo, master_ctinfo, info);
++ master_conntrack->layer7.app_proto)) {
-@@ -396,6 +397,23 @@
+ pattern_result = match_no_append(conntrack, master_conntrack,
+ ctinfo, master_ctinfo, info);
+@@ -473,6 +475,25 @@ match(const struct sk_buff *skbin,
+ /* the return value gets checked later, when we're ready to use it */
comppattern = compile_and_cache(info->pattern, info->protocol);
- spin_unlock_bh(&list_lock);
+ if (info->pkt) {
+ tmp_data = kmalloc(maxdatalen, GFP_ATOMIC);
@@ -99,12 +100,14 @@ Index: linux-2.6.21.5/net/ipv4/netfilter/ipt_layer7.c
+ tmp_data[0] = '\0';
+ add_datastr(tmp_data, 0, app_data, appdatalen);
+ pattern_result = ((comppattern && regexec(comppattern, tmp_data)) ? 1 : 0);
++
+ kfree(tmp_data);
+ tmp_data = NULL;
++ spin_unlock_bh(&l7_lock);
+
+ return (pattern_result ^ info->invert);
+ }
+
/* On the first packet of a connection, allocate space for app data */
- write_lock(&ct_lock);
- if(TOTAL_PACKETS == 1 && !skb->cb[0] && !master_conntrack->layer7.app_data) {
+ if(TOTAL_PACKETS == 1 && !skb->cb[0] &&
+ !master_conntrack->layer7.app_data){
diff --git a/target/linux/generic-2.6/patches/110-ipp2p_0.8.1rc1.patch b/target/linux/generic-2.6/patches/110-ipp2p_0.8.1rc1.patch
index 509c5eb169..5f202ca99e 100644
--- a/target/linux/generic-2.6/patches/110-ipp2p_0.8.1rc1.patch
+++ b/target/linux/generic-2.6/patches/110-ipp2p_0.8.1rc1.patch
@@ -1,6 +1,7 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h
---- linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-05-26 20:21:54.586864296 +0200
+Index: linux-2.6.21.7/include/linux/netfilter_ipv4/ipt_ipp2p.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter_ipv4/ipt_ipp2p.h
@@ -0,0 +1,31 @@
+#ifndef __IPT_IPP2P_H
+#define __IPT_IPP2P_H
@@ -33,9 +34,10 @@ diff -urN linux-2.6.21.1.old/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.
+#define IPP2P_MUTE (1 << 14)
+#define IPP2P_WASTE (1 << 15)
+#define IPP2P_XDCC (1 << 16)
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c
---- linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/ipt_ipp2p.c 2007-05-26 20:21:54.587864144 +0200
+Index: linux-2.6.21.7/net/ipv4/netfilter/ipt_ipp2p.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/ipv4/netfilter/ipt_ipp2p.c
@@ -0,0 +1,882 @@
+#if defined(MODVERSIONS)
+#include <linux/modversions.h>
@@ -782,7 +784,7 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/n
+{
+ const struct ipt_p2p_info *info = matchinfo;
+ unsigned char *haystack;
-+ struct iphdr *ip = skb->nh.iph;
++ struct iphdr *ip = ip_hdr(skb);
+ int p2p_result = 0, i = 0;
+// int head_len;
+ int hlen = ntohs(ip->tot_len)-(ip->ihl*4); /*hlen = packet-data length*/
@@ -919,12 +921,13 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.1.dev/n
+module_exit(fini);
+
+
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig
---- linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig 2007-05-26 20:17:47.626407992 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Kconfig 2007-05-26 20:21:54.587864144 +0200
-@@ -263,6 +263,12 @@
- help
- Say Y to get lots of debugging output.
+Index: linux-2.6.21.7/net/ipv4/netfilter/Kconfig
+===================================================================
+--- linux-2.6.21.7.orig/net/ipv4/netfilter/Kconfig
++++ linux-2.6.21.7/net/ipv4/netfilter/Kconfig
+@@ -245,6 +245,12 @@ config IP_NF_MATCH_IPRANGE
+
+ To compile it as a module, choose M here. If unsure, say N.
+config IP_NF_MATCH_IPP2P
+ tristate "IPP2P"
@@ -935,15 +938,15 @@ diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Kconfig linux-2.6.21.1.dev/net/i
config IP_NF_MATCH_TOS
tristate "TOS match support"
depends on IP_NF_IPTABLES
-diff -urN linux-2.6.21.1.old/net/ipv4/netfilter/Makefile linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile
---- linux-2.6.21.1.old/net/ipv4/netfilter/Makefile 2007-05-26 20:17:47.638406168 +0200
-+++ linux-2.6.21.1.dev/net/ipv4/netfilter/Makefile 2007-05-26 20:21:54.588863992 +0200
-@@ -91,7 +91,7 @@
+Index: linux-2.6.21.7/net/ipv4/netfilter/Makefile
+===================================================================
+--- linux-2.6.21.7.orig/net/ipv4/netfilter/Makefile
++++ linux-2.6.21.7/net/ipv4/netfilter/Makefile
+@@ -91,6 +91,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
--
+obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o
- obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
# targets
+ obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
diff --git a/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch
deleted file mode 100644
index 2c24975f54..0000000000
--- a/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch
+++ /dev/null
@@ -1,946 +0,0 @@
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h
---- linux-2.6.21.1.old/include/linux/netfilter/oot_conntrack.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_conntrack.h 2007-05-26 20:40:10.922195992 +0200
-@@ -0,0 +1,5 @@
-+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-+# include <linux/netfilter_ipv4/ip_conntrack.h>
-+#else /* linux-2.6.20+ */
-+# include <net/netfilter/nf_nat_rule.h>
-+#endif
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h
---- linux-2.6.21.1.old/include/linux/netfilter/oot_trans.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/oot_trans.h 2007-05-26 20:40:10.940193256 +0200
-@@ -0,0 +1,14 @@
-+/* Out of tree workarounds */
-+#include <linux/version.h>
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-+# define HAVE_MATCHINFOSIZE 1
-+# define HAVE_TARGUSERINFO 1
-+# define HAVE_TARGINFOSIZE 1
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
-+# define nfmark mark
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
-+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
-+ tcp_v4_check((tcph_sz), (s), (d), (csp))
-+#endif
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h
---- linux-2.6.21.1.old/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_CHAOS.h 2007-05-26 20:40:10.940193256 +0200
-@@ -0,0 +1,14 @@
-+#ifndef _LINUX_XT_CHAOS_H
-+#define _LINUX_XT_CHAOS_H 1
-+
-+enum xt_chaos_variant {
-+ XTCHAOS_NORMAL,
-+ XTCHAOS_TARPIT,
-+ XTCHAOS_DELUDE,
-+};
-+
-+struct xt_chaos_info {
-+ enum xt_chaos_variant variant;
-+};
-+
-+#endif /* _LINUX_XT_CHAOS_H */
-diff -urN linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h
---- linux-2.6.21.1.old/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/include/linux/netfilter/xt_portscan.h 2007-05-26 20:40:10.940193256 +0200
-@@ -0,0 +1,8 @@
-+#ifndef _LINUX_XT_PORTSCAN_H
-+#define _LINUX_XT_PORTSCAN_H 1
-+
-+struct xt_portscan_info {
-+ unsigned int match_stealth, match_syn, match_cn, match_gr;
-+};
-+
-+#endif /* _LINUX_XT_PORTSCAN_H */
-diff -urN linux-2.6.21.1.old/net/netfilter/find_match.c linux-2.6.21.1.dev/net/netfilter/find_match.c
---- linux-2.6.21.1.old/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/find_match.c 2007-05-26 20:40:10.970188696 +0200
-@@ -0,0 +1,39 @@
-+/*
-+ xt_request_find_match
-+ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+
-+ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
-+ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/err.h>
-+#include <linux/netfilter_arp.h>
-+#include <linux/socket.h>
-+#include <linux/netfilter/x_tables.h>
-+
-+/*
-+ * Yeah this code is sub-optimal, but the function is missing in
-+ * mainline so far. -jengelh
-+ */
-+static struct xt_match *xt_request_find_match_lo(int af, const char *name,
-+ u8 revision)
-+{
-+ static const char *const xt_prefix[] = {
-+ [AF_INET] = "ip",
-+ [AF_INET6] = "ip6",
-+ [NF_ARP] = "arp",
-+ };
-+ struct xt_match *match;
-+
-+ match = try_then_request_module(xt_find_match(af, name, revision),
-+ "%st_%s", xt_prefix[af], name);
-+ if(IS_ERR(match) || match == NULL)
-+ return NULL;
-+
-+ return match;
-+}
-+
-+/* In case it goes into mainline, let this out-of-tree package compile */
-+#define xt_request_find_match xt_request_find_match_lo
-diff -urN linux-2.6.21.1.old/net/netfilter/Kconfig linux-2.6.21.1.dev/net/netfilter/Kconfig
---- linux-2.6.21.1.old/net/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/Kconfig 2007-05-26 20:40:11.003183680 +0200
-@@ -287,6 +287,14 @@
-
- # alphabetically ordered list of targets
-
-+config NETFILTER_XT_TARGET_CHAOS
-+ tristate '"CHAOS" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `CHAOS' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_CLASSIFY
- tristate '"CLASSIFY" target support'
- depends on NETFILTER_XTABLES
-@@ -315,6 +323,14 @@
- <file:Documentation/modules.txt>. The module will be called
- ipt_CONNMARK.o. If unsure, say `N'.
-
-+config NETFILTER_XT_TARGET_DELUDE
-+ tristate '"DELUDE" target support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a `DELUDE' target.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_TARGET_DSCP
- tristate '"DSCP" target support'
- depends on NETFILTER_XTABLES
-@@ -563,6 +579,14 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config NETFILTER_XT_MATCH_PORTSCAN
-+ tristate '"portscan" match support'
-+ depends on NETFILTER_XTABLES
-+ help
-+ This option adds a 'portscan' match support.
-+
-+ To compile it as a module, choose M here. If unsure, say N.
-+
- config NETFILTER_XT_MATCH_MULTIPORT
- tristate "Multiple port match support"
- depends on NETFILTER_XTABLES
-diff -urN linux-2.6.21.1.old/net/netfilter/Makefile linux-2.6.21.1.dev/net/netfilter/Makefile
---- linux-2.6.21.1.old/net/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200
-+++ linux-2.6.21.1.dev/net/netfilter/Makefile 2007-05-26 20:40:11.003183680 +0200
-@@ -37,8 +37,10 @@
- obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
-
- # targets
-+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
-+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
- obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
-@@ -63,6 +65,7 @@
- obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
-+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
- obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c
---- linux-2.6.21.1.old/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_CHAOS.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,204 @@
-+/*
-+ CHAOS target for netfilter
-+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/icmp.h>
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter_ipv4/ipt_REJECT.h>
-+#include <net/ip.h>
-+#include <linux/netfilter/xt_CHAOS.h>
-+#include "find_match.c"
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+/* Module parameters */
-+static unsigned int reject_percentage = ~0U * .01;
-+static unsigned int delude_percentage = ~0U * .0101;
-+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
-+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
-+
-+/* References to other matches/targets */
-+static struct xt_match *xm_tcp;
-+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
-+
-+static int have_delude, have_tarpit;
-+
-+/* Static data for other matches/targets */
-+static const struct ipt_reject_info reject_params = {
-+ .with = ICMP_HOST_UNREACH,
-+};
-+
-+static const struct xt_tcp tcp_params = {
-+ .spts = {0, ~0},
-+ .dpts = {0, ~0},
-+};
-+
-+/* CHAOS functions */
-+static void xt_chaos_total(const struct xt_chaos_info *info,
-+ struct sk_buff **pskb, const struct net_device *in,
-+ const struct net_device *out, unsigned int hooknum)
-+{
-+ const int protoff = 4 * (*pskb)->nh.iph->ihl;
-+ const int offset = ntohs((*pskb)->nh.iph->frag_off) & IP_OFFSET;
-+ const struct xt_target *destiny;
-+ int hotdrop = 0, ret;
-+
-+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
-+ offset, protoff, &hotdrop);
-+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
-+ return;
-+
-+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-+#ifdef HAVE_TARGUSERINFO
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
-+#else
-+ destiny->target(pskb, in, out, hooknum, destiny, NULL);
-+#endif
-+ return;
-+}
-+
-+static unsigned int xt_chaos_target(struct sk_buff **pskb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* Equivalent to:
-+ * -A chaos -m statistic --mode random --probability \
-+ * $reject_percentage -j REJECT --reject-with host-unreach;
-+ * -A chaos -p tcp -m statistic --mode random --probability \
-+ * $delude_percentage -j DELUDE;
-+ * -A chaos -j DROP;
-+ */
-+ const struct xt_chaos_info *info = targinfo;
-+
-+ if((unsigned int)net_random() <= reject_percentage)
-+#ifdef HAVE_TARGUSERINFO
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params, userinfo);
-+#else
-+ return xt_reject->target(pskb, in, out, hooknum, target,
-+ &reject_params);
-+#endif
-+
-+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
-+ if((*pskb)->nh.iph->protocol == IPPROTO_TCP &&
-+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
-+ xt_chaos_total(info, pskb, in, out, hooknum);
-+
-+ return NF_DROP;
-+}
-+
-+static int xt_chaos_checkentry(const char *tablename, const void *entry,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_chaos_info *info = targinfo;
-+ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
-+ "DELUDE module not available\n");
-+ return 0;
-+ }
-+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
-+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
-+ "TARPIT module not available\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_target xt_chaos_info = {
-+ .name = "CHAOS",
-+ .target = xt_chaos_target,
-+ .checkentry = xt_chaos_checkentry,
-+ .table = "filter",
-+ .targetsize = sizeof(struct xt_chaos_info),
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_chaos_init(void)
-+{
-+ int ret = -EINVAL;
-+
-+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
-+ if(xm_tcp == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"tcp\" match\n");
-+ return -EINVAL;
-+ }
-+
-+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
-+ if(xt_reject == NULL) {
-+ printk(KERN_WARNING PFX "Error: Could not find or load "
-+ "\"REJECT\" target\n");
-+ goto out2;
-+ }
-+
-+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
-+ have_tarpit = xt_tarpit != NULL;
-+ if(!have_tarpit)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"TARPIT\" target\n");
-+
-+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
-+ have_delude = xt_delude != NULL;
-+ if(!have_delude)
-+ printk(KERN_WARNING PFX "Warning: Could not find or load "
-+ "\"DELUDE\" target\n");
-+
-+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
-+ printk(KERN_WARNING PFX "xt_register_target returned "
-+ "error %d\n", ret);
-+ goto out3;
-+ }
-+
-+ return 0;
-+
-+ out3:
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ module_put(xt_reject->me);
-+ out2:
-+ module_put(xm_tcp->me);
-+ return ret;
-+}
-+
-+static void __exit xt_chaos_exit(void)
-+{
-+ xt_unregister_target(&xt_chaos_info);
-+ module_put(xm_tcp->me);
-+ module_put(xt_reject->me);
-+ if(have_delude)
-+ module_put(xt_delude->me);
-+ if(have_tarpit)
-+ module_put(xt_tarpit->me);
-+ return;
-+}
-+
-+module_init(xt_chaos_init);
-+module_exit(xt_chaos_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter CHAOS target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_CHAOS");
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c
---- linux-2.6.21.1.old/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_DELUDE.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,288 @@
-+/*
-+ DELUDE target
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
-+
-+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
-+ (C) 1999-2001 Paul `Rusty' Russell
-+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
-+
-+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/module.h>
-+#include <linux/skbuff.h>
-+#include <linux/ip.h>
-+#include <linux/random.h>
-+#include <linux/tcp.h>
-+#include <linux/udp.h>
-+#include <linux/icmp.h>
-+#include <net/icmp.h>
-+#include <net/ip.h>
-+#include <net/tcp.h>
-+#include <net/route.h>
-+#include <net/dst.h>
-+#include <linux/netfilter_ipv4/ip_tables.h>
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+# include <linux/netfilter_bridge.h>
-+#endif
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+static inline struct rtable *route_reverse(struct sk_buff *skb,
-+ struct tcphdr *tcph, int hook)
-+{
-+ struct iphdr *iph = skb->nh.iph;
-+ struct dst_entry *odst;
-+ struct flowi fl = {};
-+ struct rtable *rt;
-+
-+ /* We don't require ip forwarding to be enabled to be able to
-+ * send a RST reply for bridged traffic. */
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ ) {
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ if (hook == NF_IP_LOCAL_IN)
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+ } else {
-+ /* non-local src, find valid iif to satisfy
-+ * rp-filter when calling ip_route_input. */
-+ fl.nl_u.ip4_u.daddr = iph->daddr;
-+ if (ip_route_output_key(&rt, &fl) != 0)
-+ return NULL;
-+
-+ odst = skb->dst;
-+ if (ip_route_input(skb, iph->saddr, iph->daddr,
-+ RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+ dst_release(&rt->u.dst);
-+ rt = (struct rtable *)skb->dst;
-+ skb->dst = odst;
-+
-+ fl.nl_u.ip4_u.daddr = iph->saddr;
-+ fl.nl_u.ip4_u.saddr = iph->daddr;
-+ fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
-+ }
-+
-+ if (rt->u.dst.error) {
-+ dst_release(&rt->u.dst);
-+ return NULL;
-+ }
-+
-+ fl.proto = IPPROTO_TCP;
-+ fl.fl_ip_sport = tcph->dest;
-+ fl.fl_ip_dport = tcph->source;
-+
-+ xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
-+
-+ return rt;
-+}
-+
-+static void send_reset(struct sk_buff *oldskb, int hook)
-+{
-+ struct sk_buff *nskb;
-+ struct iphdr *iph = oldskb->nh.iph;
-+ struct tcphdr _otcph, *oth, *tcph;
-+ __be16 tmp_port;
-+ __be32 tmp_addr;
-+ int needs_ack;
-+ unsigned int addr_type;
-+
-+ /* IP header checks: fragment. */
-+ if (oldskb->nh.iph->frag_off & htons(IP_OFFSET))
-+ return;
-+
-+ oth = skb_header_pointer(oldskb, oldskb->nh.iph->ihl * 4,
-+ sizeof(_otcph), &_otcph);
-+ if (oth == NULL)
-+ return;
-+
-+ /* No RST for RST. */
-+ if (oth->rst)
-+ return;
-+
-+ /* Check checksum */
-+ if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP))
-+ return;
-+
-+ /* We need a linear, writeable skb. We also need to expand
-+ headroom in case hh_len of incoming interface < hh_len of
-+ outgoing interface */
-+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
-+ GFP_ATOMIC);
-+ if (!nskb)
-+ return;
-+
-+ /* This packet will not be the same as the other: clear nf fields */
-+ nf_reset(nskb);
-+ nskb->nfmark = 0;
-+ skb_init_secmark(nskb);
-+
-+ skb_shinfo(nskb)->gso_size = 0;
-+ skb_shinfo(nskb)->gso_segs = 0;
-+ skb_shinfo(nskb)->gso_type = 0;
-+
-+ tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
-+
-+ /* Swap source and dest */
-+ tmp_addr = nskb->nh.iph->saddr;
-+ nskb->nh.iph->saddr = nskb->nh.iph->daddr;
-+ nskb->nh.iph->daddr = tmp_addr;
-+ tmp_port = tcph->source;
-+ tcph->source = tcph->dest;
-+ tcph->dest = tmp_port;
-+
-+ /* Truncate to length (no data) */
-+ tcph->doff = sizeof(struct tcphdr)/4;
-+ skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
-+ nskb->nh.iph->tot_len = htons(nskb->len);
-+
-+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
-+ /* DELUDE essential part */
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
-+ oldskb->len - oldskb->nh.iph->ihl * 4 -
-+ (oth->doff << 2));
-+ tcph->seq = htonl(secure_tcp_sequence_number(
-+ nskb->nh.iph->saddr, nskb->nh.iph->daddr,
-+ tcph->source, tcph->dest));
-+ tcph->ack = 1;
-+ } else {
-+ if(!tcph->ack) {
-+ needs_ack = 1;
-+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
-+ + oldskb->len - oldskb->nh.iph->ihl*4
-+ - (oth->doff<<2));
-+ tcph->seq = 0;
-+ } else {
-+ needs_ack = 0;
-+ tcph->seq = oth->ack_seq;
-+ tcph->ack_seq = 0;
-+ }
-+
-+ /* Reset flags */
-+ ((u_int8_t *)tcph)[13] = 0;
-+ tcph->rst = 1;
-+ tcph->ack = needs_ack;
-+ }
-+
-+
-+ tcph->window = 0;
-+ tcph->urg_ptr = 0;
-+
-+ /* Adjust TCP checksum */
-+ tcph->check = 0;
-+ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
-+ nskb->nh.iph->saddr,
-+ nskb->nh.iph->daddr,
-+ csum_partial((char *)tcph,
-+ sizeof(struct tcphdr), 0));
-+
-+ /* Set DF, id = 0 */
-+ nskb->nh.iph->frag_off = htons(IP_DF);
-+ nskb->nh.iph->id = 0;
-+
-+ addr_type = RTN_UNSPEC;
-+ if (hook != NF_IP_FORWARD
-+#ifdef CONFIG_BRIDGE_NETFILTER
-+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
-+#endif
-+ )
-+ addr_type = RTN_LOCAL;
-+
-+ if (ip_route_me_harder(&nskb, addr_type))
-+ goto free_nskb;
-+
-+ nskb->ip_summed = CHECKSUM_NONE;
-+
-+ /* Adjust IP TTL */
-+ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
-+
-+ /* Adjust IP checksum */
-+ nskb->nh.iph->check = 0;
-+ nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
-+ nskb->nh.iph->ihl);
-+
-+ /* "Never happens" */
-+ if (nskb->len > dst_mtu(nskb->dst))
-+ goto free_nskb;
-+
-+ nf_ct_attach(nskb, oldskb);
-+
-+ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
-+ dst_output);
-+ return;
-+
-+ free_nskb:
-+ kfree_skb(nskb);
-+}
-+
-+static unsigned int xt_delude_target(struct sk_buff **pskb,
-+ const struct net_device *in, const struct net_device *out,
-+ unsigned int hooknum, const struct xt_target *target, const void *targinfo
-+#ifdef HAVE_TARGUSERINFO
-+ ,
-+ void *userinfo
-+#endif
-+ )
-+{
-+ /* WARNING: This code causes reentry within iptables.
-+ This means that the iptables jump stack is now crap. We
-+ must return an absolute verdict. --RR */
-+ send_reset(*pskb, hooknum);
-+ return NF_DROP;
-+}
-+
-+static int xt_delude_check(const char *tablename, const void *e_void,
-+ const struct xt_target *target, void *targinfo,
-+#ifdef HAVE_TARGINFOSIZE
-+ unsigned int targinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
-+ printk(KERN_WARNING PFX "DELUDE may not be used in chains "
-+ "other than INPUT and FORWARD\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_target xt_delude_info = {
-+ .name = "DELUDE",
-+ .target = xt_delude_target,
-+ .checkentry = xt_delude_check,
-+ .table = "filter",
-+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
-+ (1 << NF_IP_LOCAL_OUT),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_delude_init(void)
-+{
-+ return xt_register_target(&xt_delude_info);
-+}
-+
-+static void __exit xt_delude_exit(void)
-+{
-+ xt_unregister_target(&xt_delude_info);
-+}
-+
-+module_init(xt_delude_init);
-+module_exit(xt_delude_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter DELUDE target");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_DELUDE");
-diff -urN linux-2.6.21.1.old/net/netfilter/xt_portscan.c linux-2.6.21.1.dev/net/netfilter/xt_portscan.c
---- linux-2.6.21.1.old/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.21.1.dev/net/netfilter/xt_portscan.c 2007-05-26 20:40:11.004183528 +0200
-@@ -0,0 +1,272 @@
-+/*
-+ portscan match for netfilter
-+
-+ Written by Jan Engelhardt, 2006 - 2007
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
-+#include <linux/in.h>
-+#include <linux/ip.h>
-+#include <linux/module.h>
-+#include <linux/moduleparam.h>
-+#include <linux/skbuff.h>
-+#include <linux/stat.h>
-+#include <linux/tcp.h>
-+#include <linux/types.h>
-+#include <linux/version.h>
-+#include <linux/netfilter/x_tables.h>
-+#include <linux/netfilter/xt_tcpudp.h>
-+#include <linux/netfilter/oot_conntrack.h>
-+#include <linux/netfilter/xt_portscan.h>
-+#include <linux/netfilter/oot_trans.h>
-+#define PFX KBUILD_MODNAME ": "
-+
-+enum {
-+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
-+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
-+ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
-+};
-+
-+/* Module parameters */
-+static unsigned int
-+ connmark_mask = ~0,
-+ packet_mask = ~0,
-+ mark_seen = 0x9,
-+ mark_synrcv = 0x1,
-+ mark_closed = 0x2,
-+ mark_synscan = 0x3,
-+ mark_estab1 = 0x4,
-+ mark_estab2 = 0x5,
-+ mark_cnscan = 0x6,
-+ mark_grscan = 0x7,
-+ mark_valid = 0x8;
-+
-+module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
-+module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
-+MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
-+MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
-+MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
-+MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
-+MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
-+MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
-+MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
-+MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
-+MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
-+MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
-+MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
-+
-+/* TCP flag functions */
-+static inline int tflg_ack4(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_ack6(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
-+}
-+
-+static inline int tflg_fin(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
-+}
-+
-+static inline int tflg_rst(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
-+}
-+
-+static inline int tflg_rstack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_ACK | TCP_FLAG_RST);
-+}
-+
-+static inline int tflg_syn(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
-+}
-+
-+static inline int tflg_synack(const struct tcphdr *th)
-+{
-+ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
-+ (TCP_FLAG_SYN | TCP_FLAG_ACK);
-+}
-+
-+/* portscan functions */
-+static inline int xt_portscan_stealth(const struct tcphdr *th)
-+{
-+ /*
-+ * "Connection refused" replies to our own probes must not be matched.
-+ */
-+ if(tflg_rstack(th))
-+ return 0;
-+
-+ if(tflg_rst(th) && printk_ratelimit()) {
-+ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
-+ return 0;
-+ }
-+
-+ /*
-+ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
-+ * packets that are not associated with any connection -- this will
-+ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
-+ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
-+ */
-+ return !tflg_syn(th);
-+}
-+
-+static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
-+ int loopback, const struct tcphdr *tcph, int payload_len)
-+{
-+ if(mark == mark_estab2) {
-+ /*
-+ * -m connmark --mark $ESTAB2
-+ */
-+ if(tflg_ack4(tcph) && payload_len == 0)
-+ return mark; /* keep mark */
-+ else if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_grscan;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_estab1) {
-+ /*
-+ * -m connmark --mark $ESTAB1
-+ */
-+ if(tflg_rst(tcph) || tflg_fin(tcph))
-+ return mark_cnscan;
-+ else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
-+ return mark_estab2;
-+ else
-+ return mark_valid;
-+ } else if(mark == mark_synrcv) {
-+ /*
-+ * -m connmark --mark $SYN
-+ */
-+ if(loopback && tflg_synack(tcph))
-+ return mark; /* keep mark */
-+ else if(loopback && tflg_rstack(tcph))
-+ return mark_closed;
-+ else if(tflg_ack6(tcph))
-+ return mark_estab1;
-+ else
-+ return mark_synscan;
-+ } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
-+ /*
-+ * -p tcp --syn --ctstate NEW
-+ */
-+ return mark_synrcv;
-+ }
-+ return mark;
-+}
-+
-+static int xt_portscan_match(const struct sk_buff *skb,
-+ const struct net_device *in, const struct net_device *out,
-+ const struct xt_match *match, const void *matchinfo, int offset,
-+ unsigned int protoff, int *hotdrop)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+ enum ip_conntrack_info ctstate;
-+ struct ip_conntrack *ctdata;
-+ const struct tcphdr *tcph;
-+ struct tcphdr tcph_buf;
-+
-+ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
-+ if(tcph == NULL)
-+ return 0;
-+
-+ /* Check for invalid packets: -m conntrack --ctstate INVALID */
-+ if((ctdata = ip_conntrack_get(skb, &ctstate)) == NULL) {
-+ if(info->match_stealth)
-+ return xt_portscan_stealth(tcph);
-+ /*
-+ * If @ctdata is NULL, we cannot match the other scan
-+ * types, return.
-+ */
-+ return 0;
-+ }
-+
-+ /*
-+ * If -m portscan was previously applied to this packet, the rules we
-+ * simulate must not be run through again. And for speedup, do not call
-+ * it either when the connection is already VALID.
-+ */
-+ if((ctdata->mark & connmark_mask) == mark_valid ||
-+ (skb->nfmark & packet_mask) != mark_seen)
-+ {
-+ unsigned int n;
-+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
-+ in == &loopback_dev, tcph,
-+ skb->len - protoff - 4 * tcph->doff);
-+
-+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
-+ ((struct sk_buff *)skb)->nfmark =
-+ (skb->nfmark & ~packet_mask) | mark_seen;
-+ }
-+
-+ return (info->match_syn && ctdata->mark == mark_synscan) ||
-+ (info->match_cn && ctdata->mark == mark_cnscan) ||
-+ (info->match_gr && ctdata->mark == mark_grscan);
-+}
-+
-+static int xt_portscan_checkentry(const char *tablename, const void *entry,
-+ const struct xt_match *match, void *matchinfo,
-+#ifdef HAVE_MATCHINFOSIZE
-+ unsigned int matchinfosize,
-+#endif
-+ unsigned int hook_mask)
-+{
-+ const struct xt_portscan_info *info = matchinfo;
-+#ifdef HAVE_MATCHINFOSIZE
-+ if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
-+ printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
-+ matchinfosize,
-+ XT_ALIGN(sizeof(struct xt_portscan_info)));
-+ return 0;
-+ }
-+#endif
-+ if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-+ (info->match_cn & ~1) || (info->match_gr & ~1)) {
-+ printk(KERN_WARNING PFX "Invalid flags\n");
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+static struct xt_match xt_portscan = {
-+ .name = "portscan",
-+ .match = xt_portscan_match,
-+ .checkentry = xt_portscan_checkentry,
-+ .matchsize = sizeof(struct xt_portscan_info),
-+ .proto = IPPROTO_TCP,
-+ .family = AF_INET,
-+ .me = THIS_MODULE,
-+};
-+
-+static int __init xt_portscan_init(void)
-+{
-+ return xt_register_match(&xt_portscan);
-+}
-+
-+static void __exit xt_portscan_exit(void)
-+{
-+ xt_unregister_match(&xt_portscan);
-+ return;
-+}
-+
-+module_init(xt_portscan_init);
-+module_exit(xt_portscan_exit);
-+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
-+MODULE_DESCRIPTION("netfilter portscan match module");
-+MODULE_LICENSE("GPL");
-+MODULE_ALIAS("ipt_portscan");
diff --git a/target/linux/generic-2.6/patches/170-netfilter_chaostables_0.8.patch b/target/linux/generic-2.6/patches/170-netfilter_chaostables_0.8.patch
new file mode 100644
index 0000000000..063bcf1e64
--- /dev/null
+++ b/target/linux/generic-2.6/patches/170-netfilter_chaostables_0.8.patch
@@ -0,0 +1,853 @@
+Index: linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h
+@@ -0,0 +1,5 @@
++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
++# include <linux/netfilter_ipv4/ip_conntrack.h>
++#else /* linux-2.6.20+ */
++# include <net/netfilter/nf_nat_rule.h>
++#endif
+Index: linux-2.6.21.7/include/linux/netfilter/oot_trans.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/oot_trans.h
+@@ -0,0 +1,14 @@
++/* Out of tree workarounds */
++#include <linux/version.h>
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
++# define HAVE_MATCHINFOSIZE 1
++# define HAVE_TARGUSERINFO 1
++# define HAVE_TARGINFOSIZE 1
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
++# define nfmark mark
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
++ tcp_v4_check((tcph_sz), (s), (d), (csp))
++#endif
+Index: linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h
+@@ -0,0 +1,14 @@
++#ifndef _LINUX_NETFILTER_XT_CHAOS_H
++#define _LINUX_NETFILTER_XT_CHAOS_H 1
++
++enum xt_chaos_target_variant {
++ XTCHAOS_NORMAL,
++ XTCHAOS_TARPIT,
++ XTCHAOS_DELUDE,
++};
++
++struct xt_chaos_target_info {
++ uint8_t variant;
++};
++
++#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
+Index: linux-2.6.21.7/include/linux/netfilter/xt_portscan.h
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/include/linux/netfilter/xt_portscan.h
+@@ -0,0 +1,8 @@
++#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
++#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
++
++struct xt_portscan_match_info {
++ uint8_t match_stealth, match_syn, match_cn, match_gr;
++};
++
++#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
+Index: linux-2.6.21.7/net/netfilter/find_match.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/find_match.c
+@@ -0,0 +1,39 @@
++/*
++ xt_request_find_match
++ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
++
++ Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
++ Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License version 2 as
++ published by the Free Software Foundation.
++*/
++#include <linux/err.h>
++#include <linux/netfilter_arp.h>
++#include <linux/socket.h>
++#include <linux/netfilter/x_tables.h>
++
++/*
++ * Yeah this code is sub-optimal, but the function is missing in
++ * mainline so far. -jengelh
++ */
++static struct xt_match *xt_request_find_match_lo(int af, const char *name,
++ u8 revision)
++{
++ static const char *const xt_prefix[] = {
++ [AF_INET] = "ip",
++ [AF_INET6] = "ip6",
++ [NF_ARP] = "arp",
++ };
++ struct xt_match *match;
++
++ match = try_then_request_module(xt_find_match(af, name, revision),
++ "%st_%s", xt_prefix[af], name);
++ if (IS_ERR(match) || match == NULL)
++ return NULL;
++
++ return match;
++}
++
++/* In case it goes into mainline, let this out-of-tree package compile */
++#define xt_request_find_match xt_request_find_match_lo
+Index: linux-2.6.21.7/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Kconfig
++++ linux-2.6.21.7/net/netfilter/Kconfig
+@@ -287,6 +287,14 @@ config NETFILTER_XTABLES
+
+ # alphabetically ordered list of targets
+
++config NETFILTER_XT_TARGET_CHAOS
++ tristate '"CHAOS" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `CHAOS' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_CLASSIFY
+ tristate '"CLASSIFY" target support'
+ depends on NETFILTER_XTABLES
+@@ -315,6 +323,14 @@ config NETFILTER_XT_TARGET_CONNMARK
+ <file:Documentation/modules.txt>. The module will be called
+ ipt_CONNMARK.o. If unsure, say `N'.
+
++config NETFILTER_XT_TARGET_DELUDE
++ tristate '"DELUDE" target support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a `DELUDE' target.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_TARGET_DSCP
+ tristate '"DSCP" target support'
+ depends on NETFILTER_XTABLES
+@@ -563,6 +579,14 @@ config NETFILTER_XT_MATCH_POLICY
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_MATCH_PORTSCAN
++ tristate '"portscan" match support'
++ depends on NETFILTER_XTABLES
++ help
++ This option adds a 'portscan' match support.
++
++ To compile it as a module, choose M here. If unsure, say N.
++
+ config NETFILTER_XT_MATCH_MULTIPORT
+ tristate "Multiple port match support"
+ depends on NETFILTER_XTABLES
+Index: linux-2.6.21.7/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Makefile
++++ linux-2.6.21.7/net/netfilter/Makefile
+@@ -47,6 +47,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK
+ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
+
+ # matches
+ obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
+@@ -74,3 +76,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING)
+ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
+ obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
++obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
+Index: linux-2.6.21.7/net/netfilter/xt_CHAOS.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_CHAOS.c
+@@ -0,0 +1,200 @@
++/*
++ * CHAOS target for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/icmp.h>
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <linux/netfilter_ipv4/ipt_REJECT.h>
++#include <net/ip.h>
++#if defined(_LOCAL)
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
++ defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
++# include <linux/netfilter/xt_CHAOS.h>
++# include "find_match.c"
++#else
++# include "xt_CHAOS.h"
++# include "find_match.c"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++/* Module parameters */
++static unsigned int reject_percentage = ~0U * .01;
++static unsigned int delude_percentage = ~0U * .0101;
++module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
++module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
++
++/* References to other matches/targets */
++static struct xt_match *xm_tcp;
++static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
++
++static int have_delude, have_tarpit;
++
++/* Static data for other matches/targets */
++static const struct ipt_reject_info reject_params = {
++ .with = ICMP_HOST_UNREACH,
++};
++
++static const struct xt_tcp tcp_params = {
++ .spts = {0, ~0},
++ .dpts = {0, ~0},
++};
++
++/* CHAOS functions */
++static void xt_chaos_total(const struct xt_chaos_target_info *info,
++ struct sk_buff **pskb, const struct net_device *in,
++ const struct net_device *out, unsigned int hooknum)
++{
++ const struct iphdr *iph = ip_hdr(*pskb);
++ const int protoff = 4 * iph->ihl;
++ const int offset = ntohs(iph->frag_off) & IP_OFFSET;
++ const struct xt_target *destiny;
++ int hotdrop = 0, ret;
++
++ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
++ offset, protoff, &hotdrop);
++ if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
++ return;
++
++ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
++ destiny->target(pskb, in, out, hooknum, destiny, NULL);
++ return;
++}
++
++static unsigned int chaos_tg(struct sk_buff **pskb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /*
++ * Equivalent to:
++ * -A chaos -m statistic --mode random --probability \
++ * $reject_percentage -j REJECT --reject-with host-unreach;
++ * -A chaos -p tcp -m statistic --mode random --probability \
++ * $delude_percentage -j DELUDE;
++ * -A chaos -j DROP;
++ */
++ const struct xt_chaos_target_info *info = targinfo;
++ const struct iphdr *iph = ip_hdr(*pskb);
++
++ if ((unsigned int)net_random() <= reject_percentage)
++ return xt_reject->target(pskb, in, out, hooknum, target,
++ &reject_params);
++
++ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
++ if (iph->protocol == IPPROTO_TCP &&
++ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
++ xt_chaos_total(info, pskb, in, out, hooknum);
++
++ return NF_DROP;
++}
++
++static int chaos_tg_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo, unsigned int hook_mask)
++{
++ const struct xt_chaos_target_info *info = targinfo;
++
++ if (info->variant == XTCHAOS_DELUDE && !have_delude) {
++ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
++ "DELUDE module not available\n");
++ return false;
++ }
++ if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
++ "TARPIT module not available\n");
++ return false;
++ }
++
++ return true;
++}
++
++static struct xt_target chaos_tg_reg = {
++ .name = "CHAOS",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
++ (1 << NF_IP_LOCAL_OUT),
++ .checkentry = chaos_tg_check,
++ .target = chaos_tg,
++ .targetsize = sizeof(struct xt_chaos_target_info),
++ .me = THIS_MODULE,
++};
++
++static int __init chaos_tg_init(void)
++{
++ int ret = -EINVAL;
++
++ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
++ if (xm_tcp == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"tcp\" match\n");
++ return -EINVAL;
++ }
++
++ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
++ if (xt_reject == NULL) {
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"REJECT\" target\n");
++ goto out2;
++ }
++
++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
++ have_tarpit = xt_tarpit != NULL;
++ if (!have_tarpit)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"TARPIT\" target\n");
++
++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
++ have_delude = xt_delude != NULL;
++ if (!have_delude)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"DELUDE\" target\n");
++
++ if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
++ printk(KERN_WARNING PFX "xt_register_target returned "
++ "error %d\n", ret);
++ goto out3;
++ }
++
++ return 0;
++
++ out3:
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ module_put(xt_reject->me);
++ out2:
++ module_put(xm_tcp->me);
++ return ret;
++}
++
++static void __exit chaos_tg_exit(void)
++{
++ xt_unregister_target(&chaos_tg_reg);
++ module_put(xm_tcp->me);
++ module_put(xt_reject->me);
++ if (have_delude)
++ module_put(xt_delude->me);
++ if (have_tarpit)
++ module_put(xt_tarpit->me);
++ return;
++}
++
++module_init(chaos_tg_init);
++module_exit(chaos_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_CHAOS");
+Index: linux-2.6.21.7/net/netfilter/xt_DELUDE.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_DELUDE.c
+@@ -0,0 +1,197 @@
++/*
++ * DELUDE target
++ * Copyright © CC Computer Consultants GmbH, 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
++ * (C) 1999-2001 Paul `Rusty' Russell
++ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
++ *
++ * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <linux/tcp.h>
++#include <linux/netfilter/x_tables.h>
++#ifdef CONFIG_BRIDGE_NETFILTER
++# include <linux/netfilter_bridge.h>
++#endif
++#include <net/tcp.h>
++#define PFX KBUILD_MODNAME ": "
++
++static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
++{
++ struct tcphdr _otcph, *oth, *tcph;
++ unsigned int addr_type;
++ struct sk_buff *nskb;
++ u_int16_t tmp_port;
++ u_int32_t tmp_addr;
++ struct iphdr *niph;
++ bool needs_ack;
++
++ /* IP header checks: fragment. */
++ if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
++ return;
++
++ oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
++ sizeof(_otcph), &_otcph);
++ if (oth == NULL)
++ return;
++
++ /* No RST for RST. */
++ if (oth->rst)
++ return;
++
++ /* Check checksum */
++ if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
++ return;
++
++ /* We need a linear, writeable skb. We also need to expand
++ headroom in case hh_len of incoming interface < hh_len of
++ outgoing interface */
++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
++ GFP_ATOMIC);
++ if (!nskb)
++ return;
++
++ /* This packet will not be the same as the other: clear nf fields */
++ nf_reset(nskb);
++ nskb->mark = 0;
++ skb_init_secmark(nskb);
++
++ skb_shinfo(nskb)->gso_size = 0;
++ skb_shinfo(nskb)->gso_segs = 0;
++ skb_shinfo(nskb)->gso_type = 0;
++
++ tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
++
++ /* Swap source and dest */
++ niph = ip_hdr(nskb);
++ tmp_addr = niph->saddr;
++ niph->saddr = niph->daddr;
++ niph->daddr = tmp_addr;
++ tmp_port = tcph->source;
++ tcph->source = tcph->dest;
++ tcph->dest = tmp_port;
++
++ /* Truncate to length (no data) */
++ tcph->doff = sizeof(struct tcphdr) / 4;
++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
++ niph->tot_len = htons(nskb->len);
++
++ if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
++ /* DELUDE essential part */
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
++ oldskb->len - ip_hdrlen(oldskb) -
++ (oth->doff << 2));
++ tcph->seq = false;
++ tcph->ack = true;
++ } else {
++ if (!tcph->ack) {
++ needs_ack = true;
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn +
++ oth->fin + oldskb->len -
++ ip_hdrlen(oldskb) - (oth->doff<<2));
++ tcph->seq = false;
++ } else {
++ needs_ack = false;
++ tcph->seq = oth->ack_seq;
++ tcph->ack_seq = false;
++ }
++
++ /* Reset flags */
++ ((u_int8_t *)tcph)[13] = 0;
++ tcph->rst = true;
++ tcph->ack = needs_ack;
++ }
++
++ tcph->window = 0;
++ tcph->urg_ptr = 0;
++
++ /* Adjust TCP checksum */
++ tcph->check = 0;
++ tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
++ niph->daddr, csum_partial((char *)tcph,
++ sizeof(struct tcphdr), 0));
++
++ /* Set DF, id = 0 */
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
++
++ addr_type = RTN_UNSPEC;
++#ifdef CONFIG_BRIDGE_NETFILTER
++ if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL &&
++ nskb->nf_bridge->mask & BRNF_BRIDGED))
++#else
++ if (hook != NF_IP_FORWARD)
++#endif
++ addr_type = RTN_LOCAL;
++
++ if (ip_route_me_harder(&nskb, addr_type))
++ goto free_nskb;
++
++ nskb->ip_summed = CHECKSUM_NONE;
++
++ /* Adjust IP TTL */
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++
++ /* Adjust IP checksum */
++ niph->check = 0;
++ niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
++
++ /* "Never happens" */
++ if (nskb->len > dst_mtu(nskb->dst))
++ goto free_nskb;
++
++ nf_ct_attach(nskb, oldskb);
++
++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
++ dst_output);
++ return;
++
++ free_nskb:
++ kfree_skb(nskb);
++}
++
++static unsigned int delude_tg(struct sk_buff **pskb,
++ const struct net_device *in, const struct net_device *out,
++ unsigned int hooknum, const struct xt_target *target, const void *targinfo)
++{
++ /* WARNING: This code causes reentry within iptables.
++ This means that the iptables jump stack is now crap. We
++ must return an absolute verdict. --RR */
++ delude_send_reset(*pskb, hooknum);
++ return NF_DROP;
++}
++
++static struct xt_target delude_tg_reg = {
++ .name = "DELUDE",
++ .family = AF_INET,
++ .table = "filter",
++ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD),
++ .target = delude_tg,
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init delude_tg_init(void)
++{
++ return xt_register_target(&delude_tg_reg);
++}
++
++static void __exit delude_tg_exit(void)
++{
++ xt_unregister_target(&delude_tg_reg);
++}
++
++module_init(delude_tg_init);
++module_exit(delude_tg_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"DELUDE\" target");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_DELUDE");
+Index: linux-2.6.21.7/net/netfilter/xt_portscan.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_portscan.c
+@@ -0,0 +1,269 @@
++/*
++ * portscan match for netfilter
++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007
++ * Contact: Jan Engelhardt <jengelh@computergmbh.de>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License; either version
++ * 2 or 3 as published by the Free Software Foundation.
++ */
++#include <linux/in.h>
++#include <linux/ip.h>
++#include <linux/module.h>
++#include <linux/moduleparam.h>
++#include <linux/skbuff.h>
++#include <linux/stat.h>
++#include <linux/tcp.h>
++#include <linux/types.h>
++#include <linux/version.h>
++#include <linux/netfilter/x_tables.h>
++#include <linux/netfilter/xt_tcpudp.h>
++#include <net/netfilter/nf_nat_rule.h>
++#if defined(_LOCAL)
++# include "xt_portscan.h"
++#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \
++ defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE)
++# include <linux/netfilter/xt_portscan.h>
++#else
++# include "xt_portscan.h"
++#endif
++#define PFX KBUILD_MODNAME ": "
++
++enum {
++ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
++ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
++ TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
++};
++
++/* Module parameters */
++static unsigned int
++ connmark_mask = ~0,
++ packet_mask = ~0,
++ mark_seen = 0x9,
++ mark_synrcv = 0x1,
++ mark_closed = 0x2,
++ mark_synscan = 0x3,
++ mark_estab1 = 0x4,
++ mark_estab2 = 0x5,
++ mark_cnscan = 0x6,
++ mark_grscan = 0x7,
++ mark_valid = 0x8;
++
++module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
++module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
++module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
++module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
++module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
++module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
++module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
++module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
++MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
++MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
++MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
++MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
++MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
++MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
++MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
++MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
++MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
++MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
++MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
++
++/* TCP flag functions */
++static inline bool tflg_ack4(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_ack6(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
++}
++
++static inline bool tflg_fin(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
++}
++
++static inline bool tflg_rst(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
++}
++
++static inline bool tflg_rstack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_ACK | TCP_FLAG_RST);
++}
++
++static inline bool tflg_syn(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
++}
++
++static inline bool tflg_synack(const struct tcphdr *th)
++{
++ return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
++ (TCP_FLAG_SYN | TCP_FLAG_ACK);
++}
++
++/* portscan functions */
++static inline bool portscan_mt_stealth(const struct tcphdr *th)
++{
++ /*
++ * "Connection refused" replies to our own probes must not be matched.
++ */
++ if (tflg_rstack(th))
++ return false;
++
++ if (tflg_rst(th) && printk_ratelimit()) {
++ printk(KERN_WARNING PFX "Warning: Pure RST received\n");
++ return false;
++ }
++
++ /*
++ * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
++ * packets that are not associated with any connection -- this will
++ * match most scan types (NULL, XMAS, FIN) and ridiculous flag
++ * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
++ */
++ return !tflg_syn(th);
++}
++
++static inline unsigned int portscan_mt_full(int mark,
++ enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
++ unsigned int payload_len)
++{
++ if (mark == mark_estab2) {
++ /*
++ * -m connmark --mark $ESTAB2
++ */
++ if (tflg_ack4(tcph) && payload_len == 0)
++ return mark; /* keep mark */
++ else if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_grscan;
++ else
++ return mark_valid;
++ } else if (mark == mark_estab1) {
++ /*
++ * -m connmark --mark $ESTAB1
++ */
++ if (tflg_rst(tcph) || tflg_fin(tcph))
++ return mark_cnscan;
++ else if (!loopback && tflg_ack4(tcph) && payload_len == 0)
++ return mark_estab2;
++ else
++ return mark_valid;
++ } else if (mark == mark_synrcv) {
++ /*
++ * -m connmark --mark $SYN
++ */
++ if (loopback && tflg_synack(tcph))
++ return mark; /* keep mark */
++ else if (loopback && tflg_rstack(tcph))
++ return mark_closed;
++ else if (tflg_ack6(tcph))
++ return mark_estab1;
++ else
++ return mark_synscan;
++ } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) {
++ /*
++ * -p tcp --syn --ctstate NEW
++ */
++ return mark_synrcv;
++ }
++ return mark;
++}
++
++static int portscan_mt(const struct sk_buff *skb,
++ const struct net_device *in, const struct net_device *out,
++ const struct xt_match *match, const void *matchinfo, int offset,
++ unsigned int protoff, int *hotdrop)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++ enum ip_conntrack_info ctstate;
++ const struct tcphdr *tcph;
++ struct nf_conn *ctdata;
++ struct tcphdr tcph_buf;
++
++ tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
++ if (tcph == NULL)
++ return false;
++
++ /* Check for invalid packets: -m conntrack --ctstate INVALID */
++ if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
++ if (info->match_stealth)
++ return portscan_mt_stealth(tcph);
++ /*
++ * If @ctdata is NULL, we cannot match the other scan
++ * types, return.
++ */
++ return false;
++ }
++
++ /*
++ * If -m portscan was previously applied to this packet, the rules we
++ * simulate must not be run through again. And for speedup, do not call
++ * it either when the connection is already VALID.
++ */
++ if ((ctdata->mark & connmark_mask) == mark_valid ||
++ (skb->mark & packet_mask) != mark_seen) {
++ unsigned int n;
++
++ n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
++ in == &loopback_dev, tcph,
++ skb->len - protoff - 4 * tcph->doff);
++
++ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
++ ((struct sk_buff *)skb)->mark =
++ (skb->mark & ~packet_mask) ^ mark_seen;
++ }
++
++ return (info->match_syn && ctdata->mark == mark_synscan) ||
++ (info->match_cn && ctdata->mark == mark_cnscan) ||
++ (info->match_gr && ctdata->mark == mark_grscan);
++}
++
++static int portscan_mt_check(const char *tablename, const void *entry,
++ const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
++{
++ const struct xt_portscan_match_info *info = matchinfo;
++
++ if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
++ (info->match_cn & ~1) || (info->match_gr & ~1)) {
++ printk(KERN_WARNING PFX "Invalid flags\n");
++ return false;
++ }
++ return true;
++}
++
++static struct xt_match portscan_mt_reg __read_mostly = {
++ .name = "portscan",
++ .family = AF_INET,
++ .match = portscan_mt,
++ .checkentry = portscan_mt_check,
++ .matchsize = sizeof(struct xt_portscan_match_info),
++ .proto = IPPROTO_TCP,
++ .me = THIS_MODULE,
++};
++
++static int __init portscan_mt_init(void)
++{
++ return xt_register_match(&portscan_mt_reg);
++}
++
++static void __exit portscan_mt_exit(void)
++{
++ xt_unregister_match(&portscan_mt_reg);
++ return;
++}
++
++module_init(portscan_mt_init);
++module_exit(portscan_mt_exit);
++MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
++MODULE_DESCRIPTION("netfilter \"portscan\" match");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_portscan");
diff --git a/target/linux/generic-2.6/patches/171-netfilter_tarpit.patch b/target/linux/generic-2.6/patches/171-netfilter_tarpit.patch
new file mode 100644
index 0000000000..a686bd3d6f
--- /dev/null
+++ b/target/linux/generic-2.6/patches/171-netfilter_tarpit.patch
@@ -0,0 +1,325 @@
+Index: linux-2.6.21.7/net/netfilter/Kconfig
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Kconfig
++++ linux-2.6.21.7/net/netfilter/Kconfig
+@@ -414,6 +414,23 @@ config NETFILTER_XT_TARGET_CONNSECMARK
+
+ To compile it as a module, choose M here. If unsure, say N.
+
++config NETFILTER_XT_TARGET_TARPIT
++ tristate '"TARPIT" target support'
++ depends on NETFILTER_XTABLES
++ ---help---
++ Adds a TARPIT target to iptables, which captures and holds
++ incoming TCP connections using no local per-connection resources.
++ Connections are accepted, but immediately switched to the persist
++ state (0 byte window), in which the remote side stops sending data
++ and asks to continue every 60-240 seconds. Attempts to close the
++ connection are ignored, forcing the remote side to time out the
++ connection in 12-24 minutes.
++
++ This offers similar functionality to LaBrea
++ <http://www.hackbusters.net/LaBrea/>, but does not require dedicated
++ hardware or IPs. Any TCP port that you would normally DROP or REJECT
++ can instead become a tarpit.
++
+ config NETFILTER_XT_TARGET_TCPMSS
+ tristate '"TCPMSS" target support'
+ depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
+Index: linux-2.6.21.7/net/netfilter/Makefile
+===================================================================
+--- linux-2.6.21.7.orig/net/netfilter/Makefile
++++ linux-2.6.21.7/net/netfilter/Makefile
+@@ -45,6 +45,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE
+ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
++obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
+ obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
+Index: linux-2.6.21.7/net/netfilter/xt_TARPIT.c
+===================================================================
+--- /dev/null
++++ linux-2.6.21.7/net/netfilter/xt_TARPIT.c
+@@ -0,0 +1,280 @@
++/*
++ * Kernel module to capture and hold incoming TCP connections using
++ * no local per-connection resources.
++ *
++ * Based on ipt_REJECT.c and offering functionality similar to
++ * LaBrea <http://www.hackbusters.net/LaBrea/>.
++ *
++ * Copyright (c) 2002 Aaron Hopkins <tools@die.net>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++ *
++ * Goal:
++ * - Allow incoming TCP connections to be established.
++ * - Passing data should result in the connection being switched to the
++ * persist state (0 byte window), in which the remote side stops sending
++ * data and asks to continue every 60 seconds.
++ * - Attempts to shut down the connection should be ignored completely, so
++ * the remote side ends up having to time it out.
++ *
++ * This means:
++ * - Reply to TCP SYN,!ACK,!RST,!FIN with SYN-ACK, window 5 bytes
++ * - Reply to TCP SYN,ACK,!RST,!FIN with RST to prevent spoofing
++ * - Reply to TCP !SYN,!RST,!FIN with ACK, window 0 bytes, rate-limited
++ */
++
++#include <linux/version.h>
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <net/ip.h>
++#include <net/tcp.h>
++#include <net/icmp.h>
++struct in_device;
++#include <net/route.h>
++#include <linux/random.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++
++#if 0
++#define DEBUGP printk
++#else
++#define DEBUGP(format, args...)
++#endif
++
++/* Stolen from ip_finish_output2 */
++static int ip_direct_send(struct sk_buff *skb)
++{
++ struct dst_entry *dst = skb->dst;
++
++ if (dst->hh != NULL)
++ return neigh_hh_output(dst->hh, skb);
++ else if (dst->neighbour != NULL)
++ return dst->neighbour->output(skb);
++
++ if (net_ratelimit())
++ printk(KERN_DEBUG "TARPIT ip_direct_send: no header cache and no neighbor!\n");
++
++ kfree_skb(skb);
++ return -EINVAL;
++}
++
++
++/* Send reply */
++static void tarpit_tcp(const struct sk_buff *oskb, struct rtable *ort,
++ unsigned int local)
++{
++ struct sk_buff *nskb;
++ struct rtable *nrt;
++ struct tcphdr *otcph, *ntcph;
++ struct flowi fl = {};
++ unsigned int otcplen;
++ u_int16_t tmp;
++
++ const struct iphdr *oiph = ip_hdr(oskb);
++ struct iphdr *niph;
++
++ /* A truncated TCP header is not going to be useful */
++ if (oskb->len < ip_hdrlen(oskb) + sizeof(struct tcphdr))
++ return;
++
++ otcph = (void *)oiph + ip_hdrlen(oskb);
++ otcplen = oskb->len - ip_hdrlen(oskb);
++
++ /* No replies for RST or FIN */
++ if (otcph->rst || otcph->fin)
++ return;
++
++ /* No reply to !SYN,!ACK. Rate-limit replies to !SYN,ACKs */
++ if (!otcph->syn && (!otcph->ack || !xrlim_allow(&ort->u.dst, 1*HZ)))
++ return;
++
++ /* Check checksum. */
++ if (tcp_v4_check(otcplen, oiph->saddr, oiph->daddr,
++ csum_partial((char *)otcph, otcplen, 0)) != 0)
++ return;
++
++ /*
++ * Copy skb (even if skb is about to be dropped, we cannot just
++ * clone it because there may be other things, such as tcpdump,
++ * interested in it)
++ */
++ nskb = skb_copy(oskb, GFP_ATOMIC);
++ if (nskb == NULL)
++ return;
++
++ niph = ip_hdr(nskb);
++
++ /* This packet will not be the same as the other: clear nf fields */
++ nf_conntrack_put(nskb->nfct);
++ nskb->nfct = NULL;
++#ifdef CONFIG_NETFILTER_DEBUG
++ nskb->nf_debug = 0;
++#endif
++
++ ntcph = (void *)niph + ip_hdrlen(nskb);
++
++ /* Truncate to length (no data) */
++ ntcph->doff = sizeof(struct tcphdr)/4;
++ skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
++ niph->tot_len = htons(nskb->len);
++
++ /* Swap source and dest */
++ niph->daddr = xchg(&niph->saddr, niph->daddr);
++ tmp = ntcph->source;
++ ntcph->source = ntcph->dest;
++ ntcph->dest = tmp;
++
++ /* Use supplied sequence number or make a new one */
++ ntcph->seq = otcph->ack ? otcph->ack_seq
++ : htonl(secure_tcp_sequence_number(niph->saddr,
++ niph->daddr,
++ ntcph->source,
++ ntcph->dest));
++
++ /* Our SYN-ACKs must have a >0 window */
++ ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0;
++
++ ntcph->urg_ptr = 0;
++
++ /* Reset flags */
++ ((u_int8_t *)ntcph)[13] = 0;
++
++ if (otcph->syn && otcph->ack) {
++ ntcph->rst = 1;
++ ntcph->ack_seq = 0;
++ } else {
++ ntcph->syn = otcph->syn;
++ ntcph->ack = 1;
++ ntcph->ack_seq = htonl(ntohl(otcph->seq) + otcph->syn);
++ }
++
++ /* Adjust TCP checksum */
++ ntcph->check = 0;
++ ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
++ niph->saddr,
++ niph->daddr,
++ csum_partial((char *)ntcph,
++ sizeof(struct tcphdr), 0));
++
++ fl.nl_u.ip4_u.daddr = niph->daddr;
++ fl.nl_u.ip4_u.saddr = local ? niph->saddr : 0;
++ fl.nl_u.ip4_u.tos = RT_TOS(niph->tos) | RTO_CONN;
++ fl.oif = 0;
++
++ if (ip_route_output_key(&nrt, &fl))
++ goto free_nskb;
++
++ dst_release(nskb->dst);
++ nskb->dst = &nrt->u.dst;
++
++ /* Adjust IP TTL */
++ niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++
++ /* Set DF, id = 0 */
++ niph->frag_off = htons(IP_DF);
++ niph->id = 0;
++
++ /* Adjust IP checksum */
++ niph->check = 0;
++ niph->check = ip_fast_csum((unsigned char *)niph, niph->ihl);
++
++ /* "Never happens" */
++ if (nskb->len > dst_mtu(nskb->dst))
++ goto free_nskb;
++
++ ip_direct_send(nskb);
++ return;
++
++ free_nskb:
++ kfree_skb(nskb);
++}
++
++static unsigned int xt_tarpit_target(struct sk_buff **pskb,
++ const struct net_device *in,
++ const struct net_device *out,
++ unsigned int hooknum,
++ const struct xt_target *target,
++ const void *targinfo)
++{
++ const struct sk_buff *skb = *pskb;
++ const struct iphdr *iph = ip_hdr(skb);
++ struct rtable *rt = (void *)skb->dst;
++
++ /* Do we have an input route cache entry? */
++ if (rt == NULL)
++ return NF_DROP;
++
++ /* No replies to physical multicast/broadcast */
++ if (skb->pkt_type != PACKET_HOST && skb->pkt_type != PACKET_OTHERHOST)
++ return NF_DROP;
++
++ /* Now check at the protocol level */
++ if (rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
++ return NF_DROP;
++
++ /*
++ * Our naive response construction does not deal with IP
++ * options, and probably should not try.
++ */
++ if (iph->ihl * 4 != sizeof(struct iphdr))
++ return NF_DROP;
++
++ /* We are not interested in fragments */
++ if (iph->frag_off & htons(IP_OFFSET))
++ return NF_DROP;
++
++ tarpit_tcp(skb, rt, hooknum == NF_IP_LOCAL_IN);
++ return NF_DROP;
++}
++
++static int xt_tarpit_check(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo,
++ unsigned int hook_mask)
++{
++ bool invalid;
++
++ if (strcmp(tablename, "raw") == 0 && hook_mask == NF_IP_PRE_ROUTING)
++ return true;
++ if (strcmp(tablename, "filter") != 0)
++ return false;
++ invalid = hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD));
++ return !invalid;
++}
++
++static struct xt_target xt_tarpit_reg = {
++ .name = "TARPIT",
++ .family = AF_INET,
++ .proto = IPPROTO_TCP,
++ .target = xt_tarpit_target,
++ .checkentry = xt_tarpit_check,
++ .me = THIS_MODULE,
++};
++
++static int __init xt_tarpit_init(void)
++{
++ return xt_register_target(&xt_tarpit_reg);
++}
++
++static void __exit xt_tarpit_exit(void)
++{
++ xt_unregister_target(&xt_tarpit_reg);
++}
++
++module_init(xt_tarpit_init);
++module_exit(xt_tarpit_exit);
++MODULE_DESCRIPTION("netfilter xt_TARPIT target module");
++MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_TARPIT");
diff --git a/target/linux/generic-2.6/patches/999-backport_ip_hdr_and_friends.patch b/target/linux/generic-2.6/patches/999-backport_ip_hdr_and_friends.patch
new file mode 100644
index 0000000000..bb8f4f3342
--- /dev/null
+++ b/target/linux/generic-2.6/patches/999-backport_ip_hdr_and_friends.patch
@@ -0,0 +1,58 @@
+Index: linux-2.6.21.7/include/linux/ip.h
+===================================================================
+--- linux-2.6.21.7.orig/include/linux/ip.h
++++ linux-2.6.21.7/include/linux/ip.h
+@@ -104,6 +104,16 @@ struct iphdr {
+ /*The options start here. */
+ };
+
++#ifdef __KERNEL__
++#include <linux/skbuff.h>
++
++static inline struct iphdr *ip_hdr(const struct sk_buff *skb)
++{
++ return (struct iphdr *)skb_network_header(skb);
++}
++
++#endif
++
+ struct ip_auth_hdr {
+ __u8 nexthdr;
+ __u8 hdrlen; /* This one is measured in 32 bit units! */
+Index: linux-2.6.21.7/include/linux/skbuff.h
+===================================================================
+--- linux-2.6.21.7.orig/include/linux/skbuff.h
++++ linux-2.6.21.7/include/linux/skbuff.h
+@@ -966,6 +966,16 @@ static inline void skb_reserve(struct sk
+ skb->tail += len;
+ }
+
++static inline unsigned char *skb_network_header(const struct sk_buff *skb)
++{
++ return skb->nh.raw;
++}
++
++static inline unsigned char *skb_tail_pointer(const struct sk_buff *skb)
++{
++ return skb->tail;
++}
++
+ /*
+ * CPUs often take a performance hit when accessing unaligned memory
+ * locations. The actual performance hit varies, it can be small if the
+Index: linux-2.6.21.7/include/net/ip.h
+===================================================================
+--- linux-2.6.21.7.orig/include/net/ip.h
++++ linux-2.6.21.7/include/net/ip.h
+@@ -43,6 +43,11 @@ struct inet_skb_parm
+ #define IPSKB_REROUTED 16
+ };
+
++static inline unsigned int ip_hdrlen(const struct sk_buff *skb)
++{
++ return ip_hdr(skb)->ihl * 4;
++}
++
+ struct ipcm_cookie
+ {
+ __be32 addr;