diff options
Diffstat (limited to 'package/iptables/patches/1.4.3.2')
4 files changed, 610 insertions, 0 deletions
diff --git a/package/iptables/patches/1.4.3.2/002-layer7_2.17.patch b/package/iptables/patches/1.4.3.2/002-layer7_2.17.patch new file mode 100644 index 0000000000..ac6b1a4841 --- /dev/null +++ b/package/iptables/patches/1.4.3.2/002-layer7_2.17.patch @@ -0,0 +1,390 @@ +diff -Nur iptables.old/extensions/libxt_layer7.c iptables.new/extensions/libxt_layer7.c +--- iptables.old/extensions/libxt_layer7.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.new/extensions/libxt_layer7.c 2008-08-22 16:00:52.000000000 +0200 +@@ -0,0 +1,368 @@ ++/* ++ Shared library add-on to iptables for layer 7 matching support. ++ ++ By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008. ++ ++ http://l7-filter.sf.net ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++*/ ++ ++#define _GNU_SOURCE ++#include <stdio.h> ++#include <netdb.h> ++#include <string.h> ++#include <stdlib.h> ++#include <getopt.h> ++#include <ctype.h> ++#include <dirent.h> ++ ++#include <xtables.h> ++#include <linux/netfilter/xt_layer7.h> ++ ++#define MAX_FN_LEN 256 ++ ++static char l7dir[MAX_FN_LEN] = "\0"; ++ ++/* Function which prints out usage message. */ ++static void help(void) ++{ ++ printf( ++ "layer7 match options:\n" ++ " --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n" ++ " (--l7dir must be specified before --l7proto if used)\n" ++ "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n"); ++} ++ ++static const struct option opts[] = { ++ { .name = "l7proto", .has_arg = 1, .val = 'p' }, ++ { .name = "l7dir", .has_arg = 1, .val = 'd' }, ++ { .name = NULL } ++}; ++ ++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ ++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info) ++{ ++ FILE * f; ++ char * line = NULL; ++ size_t len = 0; ++ ++ enum { protocol, pattern, done } datatype = protocol; ++ ++ f = fopen(filename, "r"); ++ ++ if(!f) ++ return 0; ++ ++ while(getline(&line, &len, f) != -1) ++ { ++ if(strlen(line) < 2 || line[0] == '#') ++ continue; ++ ++ /* strip the pesky newline... */ ++ if(line[strlen(line) - 1] == '\n') ++ line[strlen(line) - 1] = '\0'; ++ ++ if(datatype == protocol) ++ { ++ /* Ignore everything on the line beginning with the ++ first space or tab . For instance, this allows the ++ protocol line in http.pat to be "http " (or ++ "http I am so cool") instead of just "http". */ ++ if(strchr(line, ' ')){ ++ char * space = strchr(line, ' '); ++ space[0] = '\0'; ++ } ++ if(strchr(line, '\t')){ ++ char * space = strchr(line, '\t'); ++ space[0] = '\0'; ++ } ++ ++ /* sanity check. First non-comment non-blank ++ line must be the same as the file name. */ ++ if(strcmp(line, protoname)) ++ exit_error(OTHER_PROBLEM, ++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", ++ line, filename); ++ ++ if(strlen(line) >= MAX_PROTOCOL_LEN) ++ exit_error(PARAMETER_PROBLEM, ++ "Protocol name in %s too long!", filename); ++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); ++ ++ datatype = pattern; ++ } ++ else if(datatype == pattern) ++ { ++ if(strlen(line) >= MAX_PATTERN_LEN) ++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); ++ strncpy(info->pattern, line, MAX_PATTERN_LEN); ++ ++ datatype = done; ++ break; ++ } ++ else ++ exit_error(OTHER_PROBLEM, "Internal error"); ++ } ++ ++ if(datatype != done) ++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); ++ ++ if(line) free(line); ++ fclose(f); ++ ++ return 1; ++} ++ ++static int hex2dec(char c) ++{ ++ switch (c) ++ { ++ case '0' ... '9': ++ return c - '0'; ++ case 'a' ... 'f': ++ return c - 'a' + 10; ++ case 'A' ... 'F': ++ return c - 'A' + 10; ++ default: ++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); ++ return 0; ++ } ++} ++ ++/* takes a string with \xHH escapes and returns one with the characters ++they stand for */ ++static char * pre_process(char * s) ++{ ++ char * result = malloc(strlen(s) + 1); ++ int sindex = 0, rrindex = 0; ++ while( sindex < strlen(s) ) ++ { ++ if( sindex + 3 < strlen(s) && ++ s[sindex] == '\\' && s[sindex+1] == 'x' && ++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) ++ { ++ /* carefully remember to call tolower here... */ ++ result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 + ++ hex2dec(s[sindex + 3] ) ); ++ ++ switch ( result[rrindex] ) ++ { ++ case 0x24: ++ case 0x28: ++ case 0x29: ++ case 0x2a: ++ case 0x2b: ++ case 0x2e: ++ case 0x3f: ++ case 0x5b: ++ case 0x5c: ++ case 0x5d: ++ case 0x5e: ++ case 0x7c: ++ fprintf(stderr, ++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n" ++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n", ++ result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]); ++ break; ++ case 0x00: ++ fprintf(stderr, ++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n"); ++ break; ++ default: ++ break; ++ } ++ ++ ++ sindex += 3; /* 4 total */ ++ } ++ else ++ result[rrindex] = tolower(s[sindex]); ++ ++ sindex++; ++ rrindex++; ++ } ++ result[rrindex] = '\0'; ++ ++ return result; ++} ++ ++#define MAX_SUBDIRS 128 ++static char ** readl7dir(char * dirname) ++{ ++ DIR * scratchdir; ++ struct dirent ** namelist; ++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); ++ ++ int n, d = 1; ++ subdirs[0] = ""; ++ ++ n = scandir(dirname, &namelist, 0, alphasort); ++ ++ if (n < 0) ++ { ++ perror("scandir"); ++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); ++ } ++ else ++ { ++ while(n--) ++ { ++ char fulldirname[MAX_FN_LEN]; ++ ++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); ++ ++ if((scratchdir = opendir(fulldirname)) != NULL) ++ { ++ closedir(scratchdir); ++ ++ if(!strcmp(namelist[n]->d_name, ".") || ++ !strcmp(namelist[n]->d_name, "..")) ++ /* do nothing */ ; ++ else ++ { ++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); ++ strcpy(subdirs[d], namelist[n]->d_name); ++ d++; ++ if(d >= MAX_SUBDIRS - 1) ++ { ++ fprintf(stderr, ++ "Too many subdirectories, skipping the rest!\n"); ++ break; ++ } ++ } ++ } ++ free(namelist[n]); ++ } ++ free(namelist); ++ } ++ ++ subdirs[d] = NULL; ++ ++ return subdirs; ++} ++ ++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info) ++{ ++ char filename[MAX_FN_LEN]; ++ char * dir = NULL; ++ char ** subdirs; ++ int n = 0, done = 0; ++ ++ if(strlen(l7dir) > 0) dir = l7dir; ++ else dir = "/etc/l7-protocols"; ++ ++ subdirs = readl7dir(dir); ++ ++ while(subdirs[n] != NULL) ++ { ++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); ++ ++ if(c > MAX_FN_LEN) ++ exit_error(OTHER_PROBLEM, ++ "Filename beginning with %s is too long!\n", filename); ++ ++ /* read in the pattern from the file */ ++ if(parse_protocol_file(filename, s, info)){ ++ done = 1; ++ break; ++ } ++ ++ n++; ++ } ++ ++ if(!done) ++ exit_error(OTHER_PROBLEM, ++ "Couldn't find a pattern definition file for %s.\n", s); ++ ++ /* process \xHH escapes and tolower everything. (our regex lib has no ++ case insensitivity option.) */ ++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); ++} ++ ++/* Function which parses command options; returns true if it ate an option */ ++static int parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_match **match) ++{ ++ struct xt_layer7_info *layer7info = ++ (struct xt_layer7_info *)(*match)->data; ++ ++ switch (c) { ++ case 'p': ++ parse_layer7_protocol(argv[optind-1], layer7info); ++ if (invert) ++ layer7info->invert = true; ++ *flags = 1; ++ break; ++ ++ case 'd': ++ if(strlen(argv[optind-1]) >= MAX_FN_LEN) ++ exit_error(PARAMETER_PROBLEM, "directory name too long\n"); ++ ++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); ++ ++ *flags = 1; ++ break; ++ ++ default: ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* Final check; must have specified --l7proto */ ++static void final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "LAYER7 match: You must specify `--l7proto'"); ++} ++ ++static void print_protocol(char s[], int invert, int numeric) ++{ ++ fputs("l7proto ", stdout); ++ if (invert) fputc('!', stdout); ++ printf("%s ", s); ++} ++ ++/* Prints out the matchinfo. */ ++static void print(const void *ip, ++ const struct xt_entry_match *match, ++ int numeric) ++{ ++ printf("LAYER7 "); ++ print_protocol(((struct xt_layer7_info *)match->data)->protocol, ++ ((struct xt_layer7_info *)match->data)->invert, numeric); ++} ++/* Saves the union ipt_matchinfo in parsable form to stdout. */ ++static void save(const void *ip, const struct xt_entry_match *match) ++{ ++ const struct xt_layer7_info *info = ++ (const struct xt_layer7_info*) match->data; ++ ++ printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol); ++} ++ ++static struct xtables_match layer7 = { ++ .family = AF_INET, ++ .name = "layer7", ++ .version = XTABLES_VERSION, ++ .size = XT_ALIGN(sizeof(struct xt_layer7_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)), ++ .help = &help, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ xtables_register_match(&layer7); ++} +diff -Nur iptables.old/extensions/libxt_layer7.man iptables.new/extensions/libxt_layer7.man +--- iptables.old/extensions/libxt_layer7.man 1970-01-01 01:00:00.000000000 +0100 ++++ iptables.new/extensions/libxt_layer7.man 2008-08-22 16:00:52.000000000 +0200 +@@ -0,0 +1,14 @@ ++This module matches packets based on the application layer data of ++their connections. It uses regular expression matching to compare ++the application layer data to regular expressions found it the layer7 ++configuration files. This is an experimental module which can be found at ++http://l7-filter.sf.net. It takes two options. ++.TP ++.BI "--l7proto " "\fIprotocol\fP" ++Match the specified protocol. The protocol name must match a file ++name in /etc/l7-protocols/ or one of its first-level child directories. ++.TP ++.BI "--l7dir " "\fIdirectory\fP" ++Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be ++specified before --l7proto. ++ diff --git a/package/iptables/patches/1.4.3.2/005-imq1.patch b/package/iptables/patches/1.4.3.2/005-imq1.patch new file mode 100644 index 0000000000..3c96a3bc32 --- /dev/null +++ b/package/iptables/patches/1.4.3.2/005-imq1.patch @@ -0,0 +1,198 @@ +--- iptables-1.4.1-rc3.orig/extensions/.IMQ-test 1970-01-01 10:00:00.000000000 +1000 ++++ iptables-1.4.1-rc3/extensions/.IMQ-test 2008-06-08 22:41:49.000000000 +1000 +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IMQ.h ] && echo IMQ +diff -pruN iptables-1.4.1-rc3.orig/extensions/.IMQ-test6 iptables-1.4.1-rc3/extensions/.IMQ-test6 +--- iptables-1.4.1-rc3.orig/extensions/.IMQ-test6 1970-01-01 10:00:00.000000000 +1000 ++++ iptables-1.4.1-rc3/extensions/.IMQ-test6 2008-06-08 22:41:49.000000000 +1000 +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_IMQ.h ] && echo IMQ +diff -pruN iptables-1.4.1-rc3.orig/extensions/libip6t_IMQ.c iptables-1.4.1-rc3/extensions/libip6t_IMQ.c +--- iptables-1.4.1-rc3.orig/extensions/libip6t_IMQ.c 1970-01-01 10:00:00.000000000 +1000 ++++ iptables-1.4.1-rc3/extensions/libip6t_IMQ.c 2008-06-08 22:46:57.000000000 +1000 +@@ -0,0 +1,89 @@ ++/* Shared library add-on to iptables to add IMQ target support. */ ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++#include <getopt.h> ++ ++#include <ip6tables.h> ++#include <linux/netfilter_ipv6/ip6_tables.h> ++#include <linux/netfilter_ipv6/ip6t_IMQ.h> ++ ++/* Function which prints out usage message. */ ++static void IMQ_help(void) ++{ ++ printf( ++"IMQ target v%s options:\n" ++" --todev <N> enqueue to imq<N>, defaults to 0\n", ++XTABLES_VERSION); ++} ++ ++static struct option IMQ_opts[] = { ++ { "todev", 1, 0, '1' }, ++ { 0 } ++}; ++ ++/* Initialize the target. */ ++static void IMQ_init(struct xt_entry_target *t) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data; ++ ++ mr->todev = 0; ++} ++ ++/* Function which parses command options; returns true if it ++ ate an option */ ++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, ++ struct xt_entry_target **target) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data; ++ ++ switch(c) { ++ case '1': ++ if (check_inverse(optarg, &invert, NULL, 0)) ++ exit_error(PARAMETER_PROBLEM, ++ "Unexpected `!' after --todev"); ++ mr->todev=atoi(optarg); ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++/* Prints out the targinfo. */ ++static void IMQ_print(const void *ip, ++ const struct xt_entry_target *target, ++ int numeric) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; ++ ++ printf("IMQ: todev %u ", mr->todev); ++} ++ ++/* Saves the union ipt_targinfo in parsable form to stdout. */ ++static void IMQ_save(const void *ip, const struct xt_entry_target *target) ++{ ++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data; ++ ++ printf("--todev %u", mr->todev); ++} ++ ++static struct xtables_target imq = { ++ .name = "IMQ", ++ .version = XTABLES_VERSION, ++ .family = PF_INET6, ++ .size = XT_ALIGN(sizeof(struct ip6t_imq_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct ip6t_imq_info)), ++ .help = IMQ_help, ++ .init = IMQ_init, ++ .parse = IMQ_parse, ++ .print = IMQ_print, ++ .save = IMQ_save, ++ .extra_opts = IMQ_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_target(&imq); ++} +diff -pruN iptables-1.4.1-rc3.orig/extensions/libipt_IMQ.c iptables-1.4.1-rc3/extensions/libipt_IMQ.c +--- iptables-1.4.1-rc3.orig/extensions/libipt_IMQ.c 1970-01-01 10:00:00.000000000 +1000 ++++ iptables-1.4.1-rc3/extensions/libipt_IMQ.c 2008-06-08 22:46:25.000000000 +1000 +@@ -0,0 +1,88 @@ ++/* Shared library add-on to iptables to add IMQ target support. */ ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++#include <getopt.h> ++ ++#include <iptables.h> ++#include <linux/netfilter_ipv4/ip_tables.h> ++#include <linux/netfilter_ipv4/ipt_IMQ.h> ++ ++/* Function which prints out usage message. */ ++static void IMQ_help(void) ++{ ++ printf( ++"IMQ target v%s options:\n" ++" --todev <N> enqueue to imq<N>, defaults to 0\n", ++XTABLES_VERSION); ++} ++ ++static struct option IMQ_opts[] = { ++ { "todev", 1, 0, '1' }, ++ { 0 } ++}; ++ ++/* Initialize the target. */ ++static void IMQ_init(struct xt_entry_target *t) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data; ++ ++ mr->todev = 0; ++} ++ ++/* Function which parses command options; returns true if it ++ ate an option */ ++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data; ++ ++ switch(c) { ++ case '1': ++ if (check_inverse(optarg, &invert, NULL, 0)) ++ exit_error(PARAMETER_PROBLEM, ++ "Unexpected `!' after --todev"); ++ mr->todev=atoi(optarg); ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++/* Prints out the targinfo. */ ++static void IMQ_print(const void *ip, ++ const struct xt_entry_target *target, ++ int numeric) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; ++ ++ printf("IMQ: todev %u ", mr->todev); ++} ++ ++/* Saves the union ipt_targinfo in parsable form to stdout. */ ++static void IMQ_save(const void *ip, const struct xt_entry_target *target) ++{ ++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data; ++ ++ printf("--todev %u", mr->todev); ++} ++ ++static struct xtables_target imq = { ++ .name = "IMQ", ++ .version = XTABLES_VERSION, ++ .family = PF_INET, ++ .size = XT_ALIGN(sizeof(struct ipt_imq_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct ipt_imq_info)), ++ .help = IMQ_help, ++ .init = IMQ_init, ++ .parse = IMQ_parse, ++ .print = IMQ_print, ++ .save = IMQ_save, ++ .extra_opts = IMQ_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_target(&imq); ++} diff --git a/package/iptables/patches/1.4.3.2/008-netfilter_include_linux_type_h.patch b/package/iptables/patches/1.4.3.2/008-netfilter_include_linux_type_h.patch new file mode 100644 index 0000000000..761f1c4977 --- /dev/null +++ b/package/iptables/patches/1.4.3.2/008-netfilter_include_linux_type_h.patch @@ -0,0 +1,10 @@ +--- a/include/linux/netfilter.h ++++ b/include/linux/netfilter.h +@@ -1,6 +1,7 @@ + #ifndef __LINUX_NETFILTER_H + #define __LINUX_NETFILTER_H + ++#include <linux/types.h> + + /* Responses from hook functions. */ + #define NF_DROP 0 diff --git a/package/iptables/patches/1.4.3.2/009-table-alignment.patch b/package/iptables/patches/1.4.3.2/009-table-alignment.patch new file mode 100644 index 0000000000..5b14982917 --- /dev/null +++ b/package/iptables/patches/1.4.3.2/009-table-alignment.patch @@ -0,0 +1,12 @@ +diff -Naur iptables-1.4.1.1.ori/libiptc/libiptc.c iptables-1.4.1.1/libiptc/libiptc.c +--- iptables-1.4.1.1.ori/libiptc/libiptc.c 2008-06-16 15:12:40.000000000 +0200 ++++ iptables-1.4.1.1/libiptc/libiptc.c 2009-01-08 12:27:24.000000000 +0100 +@@ -66,7 +66,7 @@ + struct ipt_error_target + { + STRUCT_ENTRY_TARGET t; +- char error[TABLE_MAXNAMELEN]; ++ char error[FUNCTION_MAXNAMELEN]; + }; + + struct chain_head; |