summaryrefslogtreecommitdiff
path: root/package/iptables/patches/1.4.3.2
diff options
context:
space:
mode:
Diffstat (limited to 'package/iptables/patches/1.4.3.2')
-rw-r--r--package/iptables/patches/1.4.3.2/002-layer7_2.17.patch390
-rw-r--r--package/iptables/patches/1.4.3.2/005-imq1.patch198
-rw-r--r--package/iptables/patches/1.4.3.2/008-netfilter_include_linux_type_h.patch10
-rw-r--r--package/iptables/patches/1.4.3.2/009-table-alignment.patch12
4 files changed, 610 insertions, 0 deletions
diff --git a/package/iptables/patches/1.4.3.2/002-layer7_2.17.patch b/package/iptables/patches/1.4.3.2/002-layer7_2.17.patch
new file mode 100644
index 0000000000..ac6b1a4841
--- /dev/null
+++ b/package/iptables/patches/1.4.3.2/002-layer7_2.17.patch
@@ -0,0 +1,390 @@
+diff -Nur iptables.old/extensions/libxt_layer7.c iptables.new/extensions/libxt_layer7.c
+--- iptables.old/extensions/libxt_layer7.c 1970-01-01 01:00:00.000000000 +0100
++++ iptables.new/extensions/libxt_layer7.c 2008-08-22 16:00:52.000000000 +0200
+@@ -0,0 +1,368 @@
++/*
++ Shared library add-on to iptables for layer 7 matching support.
++
++ By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008.
++
++ http://l7-filter.sf.net
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++*/
++
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++#include <dirent.h>
++
++#include <xtables.h>
++#include <linux/netfilter/xt_layer7.h>
++
++#define MAX_FN_LEN 256
++
++static char l7dir[MAX_FN_LEN] = "\0";
++
++/* Function which prints out usage message. */
++static void help(void)
++{
++ printf(
++ "layer7 match options:\n"
++ " --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++ " (--l7dir must be specified before --l7proto if used)\n"
++ "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
++}
++
++static const struct option opts[] = {
++ { .name = "l7proto", .has_arg = 1, .val = 'p' },
++ { .name = "l7dir", .has_arg = 1, .val = 'd' },
++ { .name = NULL }
++};
++
++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++{
++ FILE * f;
++ char * line = NULL;
++ size_t len = 0;
++
++ enum { protocol, pattern, done } datatype = protocol;
++
++ f = fopen(filename, "r");
++
++ if(!f)
++ return 0;
++
++ while(getline(&line, &len, f) != -1)
++ {
++ if(strlen(line) < 2 || line[0] == '#')
++ continue;
++
++ /* strip the pesky newline... */
++ if(line[strlen(line) - 1] == '\n')
++ line[strlen(line) - 1] = '\0';
++
++ if(datatype == protocol)
++ {
++ /* Ignore everything on the line beginning with the
++ first space or tab . For instance, this allows the
++ protocol line in http.pat to be "http " (or
++ "http I am so cool") instead of just "http". */
++ if(strchr(line, ' ')){
++ char * space = strchr(line, ' ');
++ space[0] = '\0';
++ }
++ if(strchr(line, '\t')){
++ char * space = strchr(line, '\t');
++ space[0] = '\0';
++ }
++
++ /* sanity check. First non-comment non-blank
++ line must be the same as the file name. */
++ if(strcmp(line, protoname))
++ exit_error(OTHER_PROBLEM,
++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
++ line, filename);
++
++ if(strlen(line) >= MAX_PROTOCOL_LEN)
++ exit_error(PARAMETER_PROBLEM,
++ "Protocol name in %s too long!", filename);
++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
++
++ datatype = pattern;
++ }
++ else if(datatype == pattern)
++ {
++ if(strlen(line) >= MAX_PATTERN_LEN)
++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
++ strncpy(info->pattern, line, MAX_PATTERN_LEN);
++
++ datatype = done;
++ break;
++ }
++ else
++ exit_error(OTHER_PROBLEM, "Internal error");
++ }
++
++ if(datatype != done)
++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
++
++ if(line) free(line);
++ fclose(f);
++
++ return 1;
++}
++
++static int hex2dec(char c)
++{
++ switch (c)
++ {
++ case '0' ... '9':
++ return c - '0';
++ case 'a' ... 'f':
++ return c - 'a' + 10;
++ case 'A' ... 'F':
++ return c - 'A' + 10;
++ default:
++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
++ return 0;
++ }
++}
++
++/* takes a string with \xHH escapes and returns one with the characters
++they stand for */
++static char * pre_process(char * s)
++{
++ char * result = malloc(strlen(s) + 1);
++ int sindex = 0, rrindex = 0;
++ while( sindex < strlen(s) )
++ {
++ if( sindex + 3 < strlen(s) &&
++ s[sindex] == '\\' && s[sindex+1] == 'x' &&
++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
++ {
++ /* carefully remember to call tolower here... */
++ result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
++ hex2dec(s[sindex + 3] ) );
++
++ switch ( result[rrindex] )
++ {
++ case 0x24:
++ case 0x28:
++ case 0x29:
++ case 0x2a:
++ case 0x2b:
++ case 0x2e:
++ case 0x3f:
++ case 0x5b:
++ case 0x5c:
++ case 0x5d:
++ case 0x5e:
++ case 0x7c:
++ fprintf(stderr,
++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++ result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
++ break;
++ case 0x00:
++ fprintf(stderr,
++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
++ break;
++ default:
++ break;
++ }
++
++
++ sindex += 3; /* 4 total */
++ }
++ else
++ result[rrindex] = tolower(s[sindex]);
++
++ sindex++;
++ rrindex++;
++ }
++ result[rrindex] = '\0';
++
++ return result;
++}
++
++#define MAX_SUBDIRS 128
++static char ** readl7dir(char * dirname)
++{
++ DIR * scratchdir;
++ struct dirent ** namelist;
++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
++
++ int n, d = 1;
++ subdirs[0] = "";
++
++ n = scandir(dirname, &namelist, 0, alphasort);
++
++ if (n < 0)
++ {
++ perror("scandir");
++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
++ }
++ else
++ {
++ while(n--)
++ {
++ char fulldirname[MAX_FN_LEN];
++
++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
++
++ if((scratchdir = opendir(fulldirname)) != NULL)
++ {
++ closedir(scratchdir);
++
++ if(!strcmp(namelist[n]->d_name, ".") ||
++ !strcmp(namelist[n]->d_name, ".."))
++ /* do nothing */ ;
++ else
++ {
++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
++ strcpy(subdirs[d], namelist[n]->d_name);
++ d++;
++ if(d >= MAX_SUBDIRS - 1)
++ {
++ fprintf(stderr,
++ "Too many subdirectories, skipping the rest!\n");
++ break;
++ }
++ }
++ }
++ free(namelist[n]);
++ }
++ free(namelist);
++ }
++
++ subdirs[d] = NULL;
++
++ return subdirs;
++}
++
++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++{
++ char filename[MAX_FN_LEN];
++ char * dir = NULL;
++ char ** subdirs;
++ int n = 0, done = 0;
++
++ if(strlen(l7dir) > 0) dir = l7dir;
++ else dir = "/etc/l7-protocols";
++
++ subdirs = readl7dir(dir);
++
++ while(subdirs[n] != NULL)
++ {
++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
++
++ if(c > MAX_FN_LEN)
++ exit_error(OTHER_PROBLEM,
++ "Filename beginning with %s is too long!\n", filename);
++
++ /* read in the pattern from the file */
++ if(parse_protocol_file(filename, s, info)){
++ done = 1;
++ break;
++ }
++
++ n++;
++ }
++
++ if(!done)
++ exit_error(OTHER_PROBLEM,
++ "Couldn't find a pattern definition file for %s.\n", s);
++
++ /* process \xHH escapes and tolower everything. (our regex lib has no
++ case insensitivity option.) */
++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
++}
++
++/* Function which parses command options; returns true if it ate an option */
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_match **match)
++{
++ struct xt_layer7_info *layer7info =
++ (struct xt_layer7_info *)(*match)->data;
++
++ switch (c) {
++ case 'p':
++ parse_layer7_protocol(argv[optind-1], layer7info);
++ if (invert)
++ layer7info->invert = true;
++ *flags = 1;
++ break;
++
++ case 'd':
++ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
++ exit_error(PARAMETER_PROBLEM, "directory name too long\n");
++
++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
++
++ *flags = 1;
++ break;
++
++ default:
++ return 0;
++ }
++
++ return 1;
++}
++
++/* Final check; must have specified --l7proto */
++static void final_check(unsigned int flags)
++{
++ if (!flags)
++ exit_error(PARAMETER_PROBLEM,
++ "LAYER7 match: You must specify `--l7proto'");
++}
++
++static void print_protocol(char s[], int invert, int numeric)
++{
++ fputs("l7proto ", stdout);
++ if (invert) fputc('!', stdout);
++ printf("%s ", s);
++}
++
++/* Prints out the matchinfo. */
++static void print(const void *ip,
++ const struct xt_entry_match *match,
++ int numeric)
++{
++ printf("LAYER7 ");
++ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
++ ((struct xt_layer7_info *)match->data)->invert, numeric);
++}
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void save(const void *ip, const struct xt_entry_match *match)
++{
++ const struct xt_layer7_info *info =
++ (const struct xt_layer7_info*) match->data;
++
++ printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
++}
++
++static struct xtables_match layer7 = {
++ .family = AF_INET,
++ .name = "layer7",
++ .version = XTABLES_VERSION,
++ .size = XT_ALIGN(sizeof(struct xt_layer7_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
++ .help = &help,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++void _init(void)
++{
++ xtables_register_match(&layer7);
++}
+diff -Nur iptables.old/extensions/libxt_layer7.man iptables.new/extensions/libxt_layer7.man
+--- iptables.old/extensions/libxt_layer7.man 1970-01-01 01:00:00.000000000 +0100
++++ iptables.new/extensions/libxt_layer7.man 2008-08-22 16:00:52.000000000 +0200
+@@ -0,0 +1,14 @@
++This module matches packets based on the application layer data of
++their connections. It uses regular expression matching to compare
++the application layer data to regular expressions found it the layer7
++configuration files. This is an experimental module which can be found at
++http://l7-filter.sf.net. It takes two options.
++.TP
++.BI "--l7proto " "\fIprotocol\fP"
++Match the specified protocol. The protocol name must match a file
++name in /etc/l7-protocols/ or one of its first-level child directories.
++.TP
++.BI "--l7dir " "\fIdirectory\fP"
++Use \fIdirectory\fP instead of /etc/l7-protocols/. This option must be
++specified before --l7proto.
++
diff --git a/package/iptables/patches/1.4.3.2/005-imq1.patch b/package/iptables/patches/1.4.3.2/005-imq1.patch
new file mode 100644
index 0000000000..3c96a3bc32
--- /dev/null
+++ b/package/iptables/patches/1.4.3.2/005-imq1.patch
@@ -0,0 +1,198 @@
+--- iptables-1.4.1-rc3.orig/extensions/.IMQ-test 1970-01-01 10:00:00.000000000 +1000
++++ iptables-1.4.1-rc3/extensions/.IMQ-test 2008-06-08 22:41:49.000000000 +1000
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IMQ.h ] && echo IMQ
+diff -pruN iptables-1.4.1-rc3.orig/extensions/.IMQ-test6 iptables-1.4.1-rc3/extensions/.IMQ-test6
+--- iptables-1.4.1-rc3.orig/extensions/.IMQ-test6 1970-01-01 10:00:00.000000000 +1000
++++ iptables-1.4.1-rc3/extensions/.IMQ-test6 2008-06-08 22:41:49.000000000 +1000
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_IMQ.h ] && echo IMQ
+diff -pruN iptables-1.4.1-rc3.orig/extensions/libip6t_IMQ.c iptables-1.4.1-rc3/extensions/libip6t_IMQ.c
+--- iptables-1.4.1-rc3.orig/extensions/libip6t_IMQ.c 1970-01-01 10:00:00.000000000 +1000
++++ iptables-1.4.1-rc3/extensions/libip6t_IMQ.c 2008-06-08 22:46:57.000000000 +1000
+@@ -0,0 +1,89 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <ip6tables.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++#include <linux/netfilter_ipv6/ip6t_IMQ.h>
++
++/* Function which prints out usage message. */
++static void IMQ_help(void)
++{
++ printf(
++"IMQ target v%s options:\n"
++" --todev <N> enqueue to imq<N>, defaults to 0\n",
++XTABLES_VERSION);
++}
++
++static struct option IMQ_opts[] = {
++ { "todev", 1, 0, '1' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void IMQ_init(struct xt_entry_target *t)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data;
++
++ mr->todev = 0;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry,
++ struct xt_entry_target **target)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)(*target)->data;
++
++ switch(c) {
++ case '1':
++ if (check_inverse(optarg, &invert, NULL, 0))
++ exit_error(PARAMETER_PROBLEM,
++ "Unexpected `!' after --todev");
++ mr->todev=atoi(optarg);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++/* Prints out the targinfo. */
++static void IMQ_print(const void *ip,
++ const struct xt_entry_target *target,
++ int numeric)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++ printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void IMQ_save(const void *ip, const struct xt_entry_target *target)
++{
++ struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
++
++ printf("--todev %u", mr->todev);
++}
++
++static struct xtables_target imq = {
++ .name = "IMQ",
++ .version = XTABLES_VERSION,
++ .family = PF_INET6,
++ .size = XT_ALIGN(sizeof(struct ip6t_imq_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct ip6t_imq_info)),
++ .help = IMQ_help,
++ .init = IMQ_init,
++ .parse = IMQ_parse,
++ .print = IMQ_print,
++ .save = IMQ_save,
++ .extra_opts = IMQ_opts,
++};
++
++void _init(void)
++{
++ xtables_register_target(&imq);
++}
+diff -pruN iptables-1.4.1-rc3.orig/extensions/libipt_IMQ.c iptables-1.4.1-rc3/extensions/libipt_IMQ.c
+--- iptables-1.4.1-rc3.orig/extensions/libipt_IMQ.c 1970-01-01 10:00:00.000000000 +1000
++++ iptables-1.4.1-rc3/extensions/libipt_IMQ.c 2008-06-08 22:46:25.000000000 +1000
+@@ -0,0 +1,88 @@
++/* Shared library add-on to iptables to add IMQ target support. */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_IMQ.h>
++
++/* Function which prints out usage message. */
++static void IMQ_help(void)
++{
++ printf(
++"IMQ target v%s options:\n"
++" --todev <N> enqueue to imq<N>, defaults to 0\n",
++XTABLES_VERSION);
++}
++
++static struct option IMQ_opts[] = {
++ { "todev", 1, 0, '1' },
++ { 0 }
++};
++
++/* Initialize the target. */
++static void IMQ_init(struct xt_entry_target *t)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data;
++
++ mr->todev = 0;
++}
++
++/* Function which parses command options; returns true if it
++ ate an option */
++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_target **target)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data;
++
++ switch(c) {
++ case '1':
++ if (check_inverse(optarg, &invert, NULL, 0))
++ exit_error(PARAMETER_PROBLEM,
++ "Unexpected `!' after --todev");
++ mr->todev=atoi(optarg);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++/* Prints out the targinfo. */
++static void IMQ_print(const void *ip,
++ const struct xt_entry_target *target,
++ int numeric)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++ printf("IMQ: todev %u ", mr->todev);
++}
++
++/* Saves the union ipt_targinfo in parsable form to stdout. */
++static void IMQ_save(const void *ip, const struct xt_entry_target *target)
++{
++ struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
++
++ printf("--todev %u", mr->todev);
++}
++
++static struct xtables_target imq = {
++ .name = "IMQ",
++ .version = XTABLES_VERSION,
++ .family = PF_INET,
++ .size = XT_ALIGN(sizeof(struct ipt_imq_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct ipt_imq_info)),
++ .help = IMQ_help,
++ .init = IMQ_init,
++ .parse = IMQ_parse,
++ .print = IMQ_print,
++ .save = IMQ_save,
++ .extra_opts = IMQ_opts,
++};
++
++void _init(void)
++{
++ xtables_register_target(&imq);
++}
diff --git a/package/iptables/patches/1.4.3.2/008-netfilter_include_linux_type_h.patch b/package/iptables/patches/1.4.3.2/008-netfilter_include_linux_type_h.patch
new file mode 100644
index 0000000000..761f1c4977
--- /dev/null
+++ b/package/iptables/patches/1.4.3.2/008-netfilter_include_linux_type_h.patch
@@ -0,0 +1,10 @@
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -1,6 +1,7 @@
+ #ifndef __LINUX_NETFILTER_H
+ #define __LINUX_NETFILTER_H
+
++#include <linux/types.h>
+
+ /* Responses from hook functions. */
+ #define NF_DROP 0
diff --git a/package/iptables/patches/1.4.3.2/009-table-alignment.patch b/package/iptables/patches/1.4.3.2/009-table-alignment.patch
new file mode 100644
index 0000000000..5b14982917
--- /dev/null
+++ b/package/iptables/patches/1.4.3.2/009-table-alignment.patch
@@ -0,0 +1,12 @@
+diff -Naur iptables-1.4.1.1.ori/libiptc/libiptc.c iptables-1.4.1.1/libiptc/libiptc.c
+--- iptables-1.4.1.1.ori/libiptc/libiptc.c 2008-06-16 15:12:40.000000000 +0200
++++ iptables-1.4.1.1/libiptc/libiptc.c 2009-01-08 12:27:24.000000000 +0100
+@@ -66,7 +66,7 @@
+ struct ipt_error_target
+ {
+ STRUCT_ENTRY_TARGET t;
+- char error[TABLE_MAXNAMELEN];
++ char error[FUNCTION_MAXNAMELEN];
+ };
+
+ struct chain_head;