From 469f5e661c19cfd000235d65d5cf6fefdd6a14cf Mon Sep 17 00:00:00 2001 From: nbd Date: Fri, 1 Apr 2005 21:05:15 +0000 Subject: add layer7 to iptables/kernel git-svn-id: svn://svn.openwrt.org/openwrt/trunk@511 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- openwrt/package/iptables/kernelconfig.mk | 1 + .../package/iptables/patches/01-ipp2p-0.7.4.patch | 506 ++++++++++++++ .../package/iptables/patches/02-layer7-1.1.patch | 756 +++++++++++++++++++++ openwrt/package/iptables/patches/ipp2p-0.7.4.patch | 506 -------------- 4 files changed, 1263 insertions(+), 506 deletions(-) create mode 100644 openwrt/package/iptables/patches/01-ipp2p-0.7.4.patch create mode 100644 openwrt/package/iptables/patches/02-layer7-1.1.patch delete mode 100644 openwrt/package/iptables/patches/ipp2p-0.7.4.patch (limited to 'openwrt/package/iptables') diff --git a/openwrt/package/iptables/kernelconfig.mk b/openwrt/package/iptables/kernelconfig.mk index 319cea8e6a..00d2349aa3 100644 --- a/openwrt/package/iptables/kernelconfig.mk +++ b/openwrt/package/iptables/kernelconfig.mk @@ -22,6 +22,7 @@ ext-$(CONFIG_IP_NF_MATCH_CONNTRACK) += conntrack ext-$(CONFIG_IP_NF_MATCH_UNCLEAN) += unclean ext-$(CONFIG_IP_NF_MATCH_OWNER) += owner ext-$(CONFIG_IP_NF_MATCH_PHYSDEV) += physdev +ext-$(CONFIG_IP_NF_MATCH_LAYER7) += layer7 ext-$(CONFIG_IP_NF_TARGET_MASQUERADE) += MASQUERADE ext-$(CONFIG_IP_NF_TARGET_REDIRECT) += REDIRECT ext-$(CONFIG_IP_NF_TARGET_REJECT) += REJECT diff --git a/openwrt/package/iptables/patches/01-ipp2p-0.7.4.patch b/openwrt/package/iptables/patches/01-ipp2p-0.7.4.patch new file mode 100644 index 0000000000..d39a39d2d6 --- /dev/null +++ b/openwrt/package/iptables/patches/01-ipp2p-0.7.4.patch @@ -0,0 +1,506 @@ +diff -urN iptables-1.2.11.old/extensions/libipt_ipp2p.c iptables-1.2.11/extensions/libipt_ipp2p.c +--- iptables-1.2.11.old/extensions/libipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.2.11/extensions/libipt_ipp2p.c 2005-03-12 00:50:27.000000000 +0100 +@@ -0,0 +1,455 @@ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++ ++ ++ ++ ++static void ++help(void) ++{ ++ printf( ++ "IPP2P v%s options:\n" ++ " --ipp2p Grab all known p2p packets\n" ++ " --ipp2p-data Identify all known p2p download commands (obsolete)\n\n" ++ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n" ++ " --dc [TCP] All known Direct Connect packets\n" ++ " --kazaa [TCP&UDP] All known KaZaA packets\n" ++ " --gnu [TCP&UDP] All known Gnutella packets\n" ++ " --bit [TCP&UDP] All known BitTorrent packets\n" ++ " --apple [TCP] All known AppleJuice packets (beta - just a few tests until now)\n" ++ " --winmx [TCP] All known WinMX (beta - need feedback)\n" ++ " --soul [TCP] All known SoulSeek (beta - need feedback!)\n" ++ " --ares [TCP] All known Ares - use with DROP only (beta - need feedback!)\n\n" ++ " --edk-data [TCP] eDonkey/eMule/Overnet download commands (obsolete)\n" ++ " --dc-data [TCP] Direct Connect download command (obsolete)\n" ++ " --kazaa-data [TCP] KaZaA download command (obsolete)\n" ++ " --gnu-data [TCP] Gnutella download command (obsolete)\n" ++ "\nNote that the follwing options will have the same meaning:\n" ++ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu'\n" ++ " '--ipp2p-data' is equal to '--edk-data --dc-data --kazaa-data --gnu-data'\n" ++ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n" ++ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n" ++ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n" ++ "\nExamples:\n" ++ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n" ++ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n" ++ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n" ++ , IPP2P_VERSION); ++} ++ ++ ++ ++static struct option opts[] = { ++ { "ipp2p", 0, 0, '1' }, ++ { "edk", 0, 0, '2' }, ++ { "ipp2p-data", 0, 0, '3' }, ++ { "kazaa-data", 0, 0, '4' }, ++ { "edk-data", 0, 0, '5' }, ++ { "dc-data", 0, 0, '6' }, ++ { "dc", 0, 0, '7' }, ++ { "gnu-data", 0, 0, '8' }, ++ { "gnu", 0, 0, '9' }, ++ { "kazaa", 0, 0, 'a' }, ++ { "bit", 0, 0, 'b' }, ++ { "apple", 0, 0, 'c' }, ++ { "soul", 0, 0, 'd' }, ++ { "winmx", 0, 0, 'e' }, ++ { "ares", 0, 0, 'f' }, ++ { "debug", 0, 0, 'g' }, ++ {0} ++}; ++ ++ ++ ++static void ++init(struct ipt_entry_match *m, unsigned int *nfcache) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data; ++ ++ *nfcache |= NFC_UNKNOWN; ++ ++ /*init the module with default values*/ ++ info->cmd = 0; ++ info->debug = 0; ++ ++} ++ ++ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, ++ unsigned int *nfcache, ++ struct ipt_entry_match **match) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': /*cmd: ipp2p*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if ((*flags) != 0) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += SHORT_HAND_IPP2P; ++ info->cmd = *flags; ++ break; ++ ++ case '2': /*cmd: edk*/ ++ if ((*flags & IPP2P_EDK) == IPP2P_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--edk' may only be " ++ "specified once"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_EDK; ++ info->cmd = *flags; ++ break; ++ ++ case '3': /*cmd: ipp2p-data*/ ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags) != 0) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += SHORT_HAND_DATA; ++ info->cmd = *flags; ++ break; ++ ++ case '4': /*cmd: kazaa-data*/ ++ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--kazaa-data' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_DATA_KAZAA; ++ info->cmd = *flags; ++ break; ++ ++ case '5': /*cmd: edk-data*/ ++ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--edk-data' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_EDK) == IPP2P_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_DATA_EDK; ++ info->cmd = *flags; ++ break; ++ ++ case '6': /*cmd: dc-data*/ ++ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--dc-data' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DC) == IPP2P_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_DATA_DC; ++ info->cmd = *flags; ++ break; ++ ++ case '7': /*cmd: dc*/ ++ if ((*flags & IPP2P_DC) == IPP2P_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--dc' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_DC; ++ info->cmd = *flags; ++ break; ++ ++ ++ case '8': /*cmd: gnu-data*/ ++ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--gnu-data' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_GNU) == IPP2P_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_DATA_GNU; ++ info->cmd = *flags; ++ break; ++ ++ case '9': /*cmd: gnu*/ ++ if ((*flags & IPP2P_GNU) == IPP2P_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--gnu' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_GNU; ++ info->cmd = *flags; ++ break; ++ ++ case 'a': /*cmd: kazaa*/ ++ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--kazaa' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_KAZAA; ++ info->cmd = *flags; ++ break; ++ ++ case 'b': /*cmd: bit*/ ++ if ((*flags & IPP2P_BIT) == IPP2P_BIT) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--bit' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_BIT; ++ info->cmd = *flags; ++ break; ++ ++ case 'c': /*cmd: apple*/ ++ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--apple' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_APPLE; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'd': /*cmd: soul*/ ++ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--soul' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_SOUL; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'e': /*cmd: winmx*/ ++ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--winmx' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_WINMX; ++ info->cmd = *flags; ++ break; ++ ++ case 'f': /*cmd: ares*/ ++ if ((*flags & IPP2P_ARES) == IPP2P_ARES) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ares' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_ARES; ++ info->cmd = *flags; ++ break; ++ ++ case 'g': /*cmd: debug*/ ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ info->debug = 1; ++ break; ++ ++ default: ++ exit_error(PARAMETER_PROBLEM, ++ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++ return 0; ++ } ++ return 1; ++} ++ ++ ++static void ++final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++} ++ ++ ++ ++static void ++print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, ++ int numeric) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ printf("ipp2p v%s", IPP2P_VERSION); ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p"); ++ if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data"); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa"); ++ if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data"); ++ if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data"); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu"); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk"); ++ if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data"); ++ if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data"); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc"); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit"); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple"); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul"); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx"); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares"); ++ if (info->debug != 0) printf(" --debug"); ++ printf(" "); ++} ++ ++ ++ ++static void ++save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p "); ++ if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data "); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa "); ++ if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data "); ++ if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data "); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu "); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk "); ++ if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data "); ++ if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data "); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc "); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit "); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple "); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul "); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx "); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares "); ++ if (info->debug != 0) printf("--debug "); ++} ++ ++ ++ ++ ++static ++struct iptables_match ipp2p= ++{ ++ .next = NULL, ++ .name = "ipp2p", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++ ++ ++void _init(void) ++{ ++ register_match(&ipp2p); ++} ++ +diff -urN iptables-1.2.11.old/extensions/Makefile iptables-1.2.11/extensions/Makefile +--- iptables-1.2.11.old/extensions/Makefile 2004-06-17 12:22:54.000000000 +0200 ++++ iptables-1.2.11/extensions/Makefile 2005-03-12 00:50:12.000000000 +0100 +@@ -8,6 +8,10 @@ + PF_EXT_SLIB:=ah connlimit connmark conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG + PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner standard tcp udp HL LOG MARK TRACE + ++ ++# ipp2p ++PF_EXT_SLIB += ipp2p ++ + # Optionals + PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) + PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) +diff -urN iptables-1.2.11.old/include/linux/netfilter_ipv4/ipt_ipp2p.h iptables-1.2.11/include/linux/netfilter_ipv4/ipt_ipp2p.h +--- iptables-1.2.11.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.2.11/include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-03-12 00:50:46.000000000 +0100 +@@ -0,0 +1,29 @@ ++#ifndef __IPT_IPP2P_H ++#define __IPT_IPP2P_H ++#define IPP2P_VERSION "0.7.4" ++ ++struct ipt_p2p_info { ++ int cmd; ++ int debug; ++}; ++ ++#endif //__IPT_IPP2P_H ++ ++#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ ++#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ ++#define SHORT_HAND_NONE 5 /* no short hand*/ ++ ++#define IPP2P_EDK 2 ++#define IPP2P_DATA_KAZAA 8 ++#define IPP2P_DATA_EDK 16 ++#define IPP2P_DATA_DC 32 ++#define IPP2P_DC 64 ++#define IPP2P_DATA_GNU 128 ++#define IPP2P_GNU 256 ++#define IPP2P_KAZAA 512 ++#define IPP2P_BIT 1024 ++#define IPP2P_APPLE 2048 ++#define IPP2P_SOUL 4096 ++#define IPP2P_WINMX 8192 ++#define IPP2P_ARES 16384 ++ diff --git a/openwrt/package/iptables/patches/02-layer7-1.1.patch b/openwrt/package/iptables/patches/02-layer7-1.1.patch new file mode 100644 index 0000000000..6eee8a1d88 --- /dev/null +++ b/openwrt/package/iptables/patches/02-layer7-1.1.patch @@ -0,0 +1,756 @@ +diff -Nurp iptables-1.3.0-stock/extensions/.layer7-test iptables-1.3.0-layer7/extensions/.layer7-test +--- iptables-1.3.0-stock/extensions/.layer7-test 1969-12-31 18:00:00.000000000 -0600 ++++ iptables-1.3.0-layer7/extensions/.layer7-test 2005-03-01 22:12:06.000000000 -0600 +@@ -0,0 +1,2 @@ ++#! /bin/sh ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_layer7.h ] && echo layer7 +diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c iptables-1.3.0-layer7/extensions/libipt_layer7.c +--- iptables-1.3.0-stock/extensions/libipt_layer7.c 1969-12-31 18:00:00.000000000 -0600 ++++ iptables-1.3.0-layer7/extensions/libipt_layer7.c 2005-03-06 22:14:13.000000000 -0600 +@@ -0,0 +1,357 @@ ++/* ++ Shared library add-on to iptables to add layer 7 matching support. ++ ++ By Matthew Strait , Oct 2003. ++ ++ http://l7-filter.sf.net ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++ ++ Based on libipt_string.c (C) 2000 Emmanuel Roger ++*/ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#define MAX_FN_LEN 256 ++ ++static char l7dir[MAX_FN_LEN] = "\0"; ++ ++/* Function which prints out usage message. */ ++static void help(void) ++{ ++ printf( ++ "LAYER7 match v%s options:\n" ++ "--l7dir : Look for patterns here instead of /etc/l7-protocols/\n" ++ " (--l7dir must be specified before --l7proto if used!)\n" ++ "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n", ++ IPTABLES_VERSION); ++ fputc('\n', stdout); ++} ++ ++static struct option opts[] = { ++ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, ++ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, ++ { .name = 0 } ++}; ++ ++/* Initialize the match. */ ++static void init(struct ipt_entry_match *m, unsigned int *nfcache) ++{ ++ *nfcache |= NFC_UNKNOWN; ++} ++ ++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ ++int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info) ++{ ++ FILE * f; ++ char * line = NULL; ++ size_t len = 0; ++ ++ enum { protocol, pattern, done } datatype = protocol; ++ ++ f = fopen(filename, "r"); ++ ++ if(!f) ++ return 0; ++ ++ while(getline(&line, &len, f) != -1) ++ { ++ if(strlen(line) < 2 || line[0] == '#') ++ continue; ++ ++ /* strip the pesky newline... */ ++ if(line[strlen(line) - 1] == '\n') ++ line[strlen(line) - 1] = '\0'; ++ ++ if(datatype == protocol) ++ { ++ if(strcmp(line, protoname)) ++ exit_error(OTHER_PROBLEM, ++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", ++ protoname, filename); ++ ++ if(strlen(line) >= MAX_PROTOCOL_LEN) ++ exit_error(PARAMETER_PROBLEM, ++ "Protocol name in %s too long!", filename); ++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); ++ ++ datatype = pattern; ++ } ++ else if(datatype == pattern) ++ { ++ if(strlen(line) >= MAX_PATTERN_LEN) ++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); ++ strncpy(info->pattern, line, MAX_PATTERN_LEN); ++ ++ datatype = done; ++ break; ++ } ++ else ++ exit_error(OTHER_PROBLEM, "Internal error"); ++ } ++ ++ if(datatype != done) ++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); ++ ++ if(line) free(line); ++ fclose(f); ++ ++ return 1; ++ ++/* ++ fprintf(stderr, "protocol: %s\npattern: %s\n\n", ++ info->protocol, ++ info->pattern); ++*/ ++} ++ ++static int hex2dec(char c) ++{ ++ switch (c) ++ { ++ case '0' ... '9': ++ return c - '0'; ++ case 'a' ... 'f': ++ return c - 'a' + 10; ++ case 'A' ... 'F': ++ return c - 'A' + 10; ++ default: ++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); ++ return 0; ++ } ++} ++ ++/* takes a string with \xHH escapes and returns one with the characters ++they stand for */ ++static char * pre_process(char * s) ++{ ++ char * result = malloc(strlen(s) + 1); ++ int sindex = 0, rindex = 0; ++ while( sindex < strlen(s) ) ++ { ++ if( sindex + 3 < strlen(s) && ++ s[sindex] == '\\' && s[sindex+1] == 'x' && ++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) ++ { ++ /* carefully remember to call tolower here... */ ++ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + ++ hex2dec(s[sindex + 3] ) ); ++ sindex += 3; /* 4 total */ ++ } ++ else ++ result[rindex] = tolower(s[sindex]); ++ ++ sindex++; ++ rindex++; ++ } ++ result[rindex] = '\0'; ++ ++ return result; ++} ++ ++#define MAX_SUBDIRS 128 ++char ** readl7dir(char * dirname) ++{ ++ DIR * scratchdir; ++ struct dirent ** namelist; ++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); ++ ++ int n, d = 1; ++ subdirs[0] = ""; ++ ++ n = scandir(dirname, &namelist, 0, alphasort); ++ ++ if (n < 0) ++ { ++ perror("scandir"); ++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); ++ } ++ else ++ { ++ while(n--) ++ { ++ char fulldirname[MAX_FN_LEN]; ++ ++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); ++ ++ if((scratchdir = opendir(fulldirname)) != NULL) ++ { ++ closedir(scratchdir); ++ ++ if(!strcmp(namelist[n]->d_name, ".") || ++ !strcmp(namelist[n]->d_name, "..")) ++ /* do nothing */ ; ++ else ++ { ++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); ++ strcpy(subdirs[d], namelist[n]->d_name); ++ d++; ++ if(d >= MAX_SUBDIRS - 1) ++ { ++ fprintf(stderr, ++ "Too many subdirectories, skipping the rest!\n"); ++ break; ++ } ++ } ++ } ++ free(namelist[n]); ++ } ++ free(namelist); ++ } ++ ++ subdirs[d] = NULL; ++ ++ return subdirs; ++} ++ ++static void ++parse_layer7_protocol(const unsigned char *s, struct ipt_layer7_info *info) ++{ ++ char filename[MAX_FN_LEN]; ++ char * dir = NULL; ++ char ** subdirs; ++ int n = 0, done = 0; ++ ++ if(strlen(l7dir) > 0) ++ dir = l7dir; ++ else ++ dir = "/etc/l7-protocols"; ++ ++ subdirs = readl7dir(dir); ++ ++ while(subdirs[n] != NULL) ++ { ++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); ++ ++ //fprintf(stderr, "Trying to find pattern in %s ... ", filename); ++ ++ if(c > MAX_FN_LEN) ++ { ++ exit_error(OTHER_PROBLEM, ++ "Filename beginning with %s is too long!\n", filename); ++ } ++ ++ /* read in the pattern from the file */ ++ if(parse_protocol_file(filename, s, info)) ++ { ++ //fprintf(stderr, "found\n"); ++ done = 1; ++ break; ++ } ++ ++ //fprintf(stderr, "not found\n"); ++ ++ n++; ++ } ++ ++ if(!done) ++ exit_error(OTHER_PROBLEM, ++ "Couldn't find a pattern definition file for %s.\n", s); ++ ++ /* process \xHH escapes and tolower everything. (our regex lib has no ++ case insensitivity option.) */ ++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); ++} ++ ++/* Function which parses command options; returns true if it ate an option */ ++static int parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, unsigned int *nfcache, ++ struct ipt_entry_match **match) ++{ ++ struct ipt_layer7_info *layer7info = ++ (struct ipt_layer7_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': ++ check_inverse(optarg, &invert, &optind, 0); ++ parse_layer7_protocol(argv[optind-1], layer7info); ++ if (invert) ++ layer7info->invert = 1; ++ *flags = 1; ++ break; ++ ++ case '2': ++ /* not going to use this, but maybe we need to strip a ! anyway (?) */ ++ check_inverse(optarg, &invert, &optind, 0); ++ ++ if(strlen(argv[optind-1]) >= MAX_FN_LEN) ++ exit_error(PARAMETER_PROBLEM, "directory name too long\n"); ++ ++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); ++ ++ *flags = 1; ++ break; ++ ++ default: ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* Final check; must have specified --pattern. */ ++static void final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "LAYER7 match: You must specify `--pattern'"); ++} ++ ++static void print_protocol(char s[], int invert, int numeric) ++{ ++ fputs("l7proto ", stdout); ++ if (invert) fputc('!', stdout); ++ printf("%s ", s); ++} ++ ++/* Prints out the matchinfo. */ ++static void print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, ++ int numeric) ++{ ++ printf("LAYER7 "); ++ ++ print_protocol(((struct ipt_layer7_info *)match->data)->protocol, ++ ((struct ipt_layer7_info *)match->data)->invert, numeric); ++} ++/* Saves the union ipt_matchinfo in parsable form to stdout. */ ++static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ++{ ++ const struct ipt_layer7_info *info = ++ (const struct ipt_layer7_info*) match->data; ++ ++ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol); ++} ++ ++static struct iptables_match layer7 = { ++ .name = "layer7", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ register_match(&layer7); ++} +diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.c.orig iptables-1.3.0-layer7/extensions/libipt_layer7.c.orig +--- iptables-1.3.0-stock/extensions/libipt_layer7.c.orig 1969-12-31 18:00:00.000000000 -0600 ++++ iptables-1.3.0-layer7/extensions/libipt_layer7.c.orig 2005-03-06 22:20:28.000000000 -0600 +@@ -0,0 +1,357 @@ ++/* ++ Shared library add-on to iptables to add layer 7 matching support. ++ ++ By Matthew Strait , Oct 2003. ++ ++ http://l7-filter.sf.net ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++ ++ Based on libipt_string.c (C) 2000 Emmanuel Roger ++*/ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#define MAX_FN_LEN 256 ++ ++static char l7dir[MAX_FN_LEN] = "\0"; ++ ++/* Function which prints out usage message. */ ++static void help(void) ++{ ++ printf( ++ "LAYER7 match v%s options:\n" ++ "--l7dir : Look for patterns here instead of /etc/l7-protocols/\n" ++ " (--l7dir must be specified before --l7proto if used!)\n" ++ "--l7proto [!] : Match the protocol defined in /etc/l7-protocols/name.pat\n", ++ IPTABLES_VERSION); ++ fputc('\n', stdout); ++} ++ ++static struct option opts[] = { ++ { .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' }, ++ { .name = "l7dir", .has_arg = 1, .flag = 0, .val = '2' }, ++ { .name = 0 } ++}; ++ ++/* Initialize the match. */ ++static void init(struct ipt_entry_match *m, unsigned int *nfcache) ++{ ++ *nfcache |= NFC_UNKNOWN; ++} ++ ++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ ++int parse_protocol_file(char * filename, const unsigned char * protoname, struct ipt_layer7_info *info) ++{ ++ FILE * f; ++ char * line = NULL; ++ int len = 0; ++ ++ enum { protocol, pattern, done } datatype = protocol; ++ ++ f = fopen(filename, "r"); ++ ++ if(!f) ++ return 0; ++ ++ while(getline(&line, &len, f) != -1) ++ { ++ if(strlen(line) < 2 || line[0] == '#') ++ continue; ++ ++ /* strip the pesky newline... */ ++ if(line[strlen(line) - 1] == '\n') ++ line[strlen(line) - 1] = '\0'; ++ ++ if(datatype == protocol) ++ { ++ if(strcmp(line, protoname)) ++ exit_error(OTHER_PROBLEM, ++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", ++ protoname, filename); ++ ++ if(strlen(line) >= MAX_PROTOCOL_LEN) ++ exit_error(PARAMETER_PROBLEM, ++ "Protocol name in %s too long!", filename); ++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); ++ ++ datatype = pattern; ++ } ++ else if(datatype == pattern) ++ { ++ if(strlen(line) >= MAX_PATTERN_LEN) ++ exit_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); ++ strncpy(info->pattern, line, MAX_PATTERN_LEN); ++ ++ datatype = done; ++ break; ++ } ++ else ++ exit_error(OTHER_PROBLEM, "Internal error"); ++ } ++ ++ if(datatype != done) ++ exit_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); ++ ++ if(line) free(line); ++ fclose(f); ++ ++ return 1; ++ ++/* ++ fprintf(stderr, "protocol: %s\npattern: %s\n\n", ++ info->protocol, ++ info->pattern); ++*/ ++} ++ ++static int hex2dec(char c) ++{ ++ switch (c) ++ { ++ case '0' ... '9': ++ return c - '0'; ++ case 'a' ... 'f': ++ return c - 'a' + 10; ++ case 'A' ... 'F': ++ return c - 'A' + 10; ++ default: ++ exit_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); ++ return 0; ++ } ++} ++ ++/* takes a string with \xHH escapes and returns one with the characters ++they stand for */ ++static char * pre_process(char * s) ++{ ++ char * result = malloc(strlen(s) + 1); ++ int sindex = 0, rindex = 0; ++ while( sindex < strlen(s) ) ++ { ++ if( sindex + 3 < strlen(s) && ++ s[sindex] == '\\' && s[sindex+1] == 'x' && ++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) ++ { ++ /* carefully remember to call tolower here... */ ++ result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + ++ hex2dec(s[sindex + 3] ) ); ++ sindex += 3; /* 4 total */ ++ } ++ else ++ result[rindex] = tolower(s[sindex]); ++ ++ sindex++; ++ rindex++; ++ } ++ result[rindex] = '\0'; ++ ++ return result; ++} ++ ++#define MAX_SUBDIRS 128 ++char ** readl7dir(char * dirname) ++{ ++ DIR * scratchdir; ++ struct dirent ** namelist; ++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); ++ ++ int n, d = 1; ++ subdirs[0] = ""; ++ ++ n = scandir(dirname, &namelist, 0, alphasort); ++ ++ if (n < 0) ++ { ++ perror("scandir"); ++ exit_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); ++ } ++ else ++ { ++ while(n--) ++ { ++ char fulldirname[MAX_FN_LEN]; ++ ++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); ++ ++ if((scratchdir = opendir(fulldirname)) != NULL) ++ { ++ closedir(scratchdir); ++ ++ if(!strcmp(namelist[n]->d_name, ".") || ++ !strcmp(namelist[n]->d_name, "..")) ++ /* do nothing */ ; ++ else ++ { ++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); ++ strcpy(subdirs[d], namelist[n]->d_name); ++ d++; ++ if(d >= MAX_SUBDIRS - 1) ++ { ++ fprintf(stderr, ++ "Too many subdirectories, skipping the rest!\n"); ++ break; ++ } ++ } ++ } ++ free(namelist[n]); ++ } ++ free(namelist); ++ } ++ ++ subdirs[d] = NULL; ++ ++ return subdirs; ++} ++ ++static void ++parse_layer7_protocol(const unsigned char *s, struct ipt_layer7_info *info) ++{ ++ char filename[MAX_FN_LEN]; ++ char * dir = NULL; ++ char ** subdirs; ++ int n = 0, done = 0; ++ ++ if(strlen(l7dir) > 0) ++ dir = l7dir; ++ else ++ dir = "/etc/l7-protocols"; ++ ++ subdirs = readl7dir(dir); ++ ++ while(subdirs[n] != NULL) ++ { ++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); ++ ++ //fprintf(stderr, "Trying to find pattern in %s ... ", filename); ++ ++ if(c > MAX_FN_LEN) ++ { ++ exit_error(OTHER_PROBLEM, ++ "Filename beginning with %s is too long!\n", filename); ++ } ++ ++ /* read in the pattern from the file */ ++ if(parse_protocol_file(filename, s, info)) ++ { ++ //fprintf(stderr, "found\n"); ++ done = 1; ++ break; ++ } ++ ++ //fprintf(stderr, "not found\n"); ++ ++ n++; ++ } ++ ++ if(!done) ++ exit_error(OTHER_PROBLEM, ++ "Couldn't find a pattern definition file for %s.\n", s); ++ ++ /* process \xHH escapes and tolower everything. (our regex lib has no ++ case insensitivity option.) */ ++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); ++} ++ ++/* Function which parses command options; returns true if it ate an option */ ++static int parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct ipt_entry *entry, unsigned int *nfcache, ++ struct ipt_entry_match **match) ++{ ++ struct ipt_layer7_info *layer7info = ++ (struct ipt_layer7_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': ++ check_inverse(optarg, &invert, &optind, 0); ++ parse_layer7_protocol(argv[optind-1], layer7info); ++ if (invert) ++ layer7info->invert = 1; ++ *flags = 1; ++ break; ++ ++ case '2': ++ /* not going to use this, but maybe we need to strip a ! anyway (?) */ ++ check_inverse(optarg, &invert, &optind, 0); ++ ++ if(strlen(argv[optind-1]) >= MAX_FN_LEN) ++ exit_error(PARAMETER_PROBLEM, "directory name too long\n"); ++ ++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); ++ ++ *flags = 1; ++ break; ++ ++ default: ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* Final check; must have specified --pattern. */ ++static void final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "LAYER7 match: You must specify `--pattern'"); ++} ++ ++static void print_protocol(char s[], int invert, int numeric) ++{ ++ fputs("l7proto ", stdout); ++ if (invert) fputc('!', stdout); ++ printf("%s ", s); ++} ++ ++/* Prints out the matchinfo. */ ++static void print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, ++ int numeric) ++{ ++ printf("LAYER7 "); ++ ++ print_protocol(((struct ipt_layer7_info *)match->data)->protocol, ++ ((struct ipt_layer7_info *)match->data)->invert, numeric); ++} ++/* Saves the union ipt_matchinfo in parsable form to stdout. */ ++static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) ++{ ++ const struct ipt_layer7_info *info = ++ (const struct ipt_layer7_info*) match->data; ++ ++ printf("--l7proto %s%s ", (info->invert) ? "! ": "", info->protocol); ++} ++ ++static struct iptables_match layer7 = { ++ .name = "layer7", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_layer7_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_layer7_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ register_match(&layer7); ++} +diff -Nurp iptables-1.3.0-stock/extensions/libipt_layer7.man iptables-1.3.0-layer7/extensions/libipt_layer7.man +--- iptables-1.3.0-stock/extensions/libipt_layer7.man 1969-12-31 18:00:00.000000000 -0600 ++++ iptables-1.3.0-layer7/extensions/libipt_layer7.man 2005-03-01 22:12:06.000000000 -0600 +@@ -0,0 +1,13 @@ ++This module matches packets based on the application layer data of ++their connections. It uses regular expression matching to compare ++the application layer data to regular expressions found it the layer7 ++configuration files. This is an experimental module which can be found at ++http://l7-filter.sf.net. It takes two options. ++.TP ++.BI "--l7proto " "\fIprotocol\fP" ++Match the specified protocol. The protocol name must match a file ++name in /etc/l7-protocols/ ++.TP ++.BI "--l7dir " "\fIdirectory\fP" ++Use \fIdirectory\fP instead of /etc/l7-protocols/ ++ +--- iptables-1.3.1/extensions/Makefile.orig 2005-04-01 23:02:50.000000000 +0200 ++++ iptables-1.3.1/extensions/Makefile 2005-04-01 23:03:06.000000000 +0200 +@@ -11,6 +11,8 @@ + + # ipp2p + PF_EXT_SLIB += ipp2p ++# layer7 ++PF_EXT_SLIB += layer7 + + # Optionals + PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) diff --git a/openwrt/package/iptables/patches/ipp2p-0.7.4.patch b/openwrt/package/iptables/patches/ipp2p-0.7.4.patch deleted file mode 100644 index d39a39d2d6..0000000000 --- a/openwrt/package/iptables/patches/ipp2p-0.7.4.patch +++ /dev/null @@ -1,506 +0,0 @@ -diff -urN iptables-1.2.11.old/extensions/libipt_ipp2p.c iptables-1.2.11/extensions/libipt_ipp2p.c ---- iptables-1.2.11.old/extensions/libipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 -+++ iptables-1.2.11/extensions/libipt_ipp2p.c 2005-03-12 00:50:27.000000000 +0100 -@@ -0,0 +1,455 @@ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+#include -+ -+ -+ -+ -+static void -+help(void) -+{ -+ printf( -+ "IPP2P v%s options:\n" -+ " --ipp2p Grab all known p2p packets\n" -+ " --ipp2p-data Identify all known p2p download commands (obsolete)\n\n" -+ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n" -+ " --dc [TCP] All known Direct Connect packets\n" -+ " --kazaa [TCP&UDP] All known KaZaA packets\n" -+ " --gnu [TCP&UDP] All known Gnutella packets\n" -+ " --bit [TCP&UDP] All known BitTorrent packets\n" -+ " --apple [TCP] All known AppleJuice packets (beta - just a few tests until now)\n" -+ " --winmx [TCP] All known WinMX (beta - need feedback)\n" -+ " --soul [TCP] All known SoulSeek (beta - need feedback!)\n" -+ " --ares [TCP] All known Ares - use with DROP only (beta - need feedback!)\n\n" -+ " --edk-data [TCP] eDonkey/eMule/Overnet download commands (obsolete)\n" -+ " --dc-data [TCP] Direct Connect download command (obsolete)\n" -+ " --kazaa-data [TCP] KaZaA download command (obsolete)\n" -+ " --gnu-data [TCP] Gnutella download command (obsolete)\n" -+ "\nNote that the follwing options will have the same meaning:\n" -+ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu'\n" -+ " '--ipp2p-data' is equal to '--edk-data --dc-data --kazaa-data --gnu-data'\n" -+ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n" -+ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n" -+ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n" -+ "\nExamples:\n" -+ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n" -+ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n" -+ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n" -+ , IPP2P_VERSION); -+} -+ -+ -+ -+static struct option opts[] = { -+ { "ipp2p", 0, 0, '1' }, -+ { "edk", 0, 0, '2' }, -+ { "ipp2p-data", 0, 0, '3' }, -+ { "kazaa-data", 0, 0, '4' }, -+ { "edk-data", 0, 0, '5' }, -+ { "dc-data", 0, 0, '6' }, -+ { "dc", 0, 0, '7' }, -+ { "gnu-data", 0, 0, '8' }, -+ { "gnu", 0, 0, '9' }, -+ { "kazaa", 0, 0, 'a' }, -+ { "bit", 0, 0, 'b' }, -+ { "apple", 0, 0, 'c' }, -+ { "soul", 0, 0, 'd' }, -+ { "winmx", 0, 0, 'e' }, -+ { "ares", 0, 0, 'f' }, -+ { "debug", 0, 0, 'g' }, -+ {0} -+}; -+ -+ -+ -+static void -+init(struct ipt_entry_match *m, unsigned int *nfcache) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data; -+ -+ *nfcache |= NFC_UNKNOWN; -+ -+ /*init the module with default values*/ -+ info->cmd = 0; -+ info->debug = 0; -+ -+} -+ -+ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ipt_entry *entry, -+ unsigned int *nfcache, -+ struct ipt_entry_match **match) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data; -+ -+ switch (c) { -+ case '1': /*cmd: ipp2p*/ -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if ((*flags) != 0) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += SHORT_HAND_IPP2P; -+ info->cmd = *flags; -+ break; -+ -+ case '2': /*cmd: edk*/ -+ if ((*flags & IPP2P_EDK) == IPP2P_EDK) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--edk' may only be " -+ "specified once"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_EDK; -+ info->cmd = *flags; -+ break; -+ -+ case '3': /*cmd: ipp2p-data*/ -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags) != 0) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += SHORT_HAND_DATA; -+ info->cmd = *flags; -+ break; -+ -+ case '4': /*cmd: kazaa-data*/ -+ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--kazaa-data' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_DATA_KAZAA; -+ info->cmd = *flags; -+ break; -+ -+ case '5': /*cmd: edk-data*/ -+ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--edk-data' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_EDK) == IPP2P_EDK) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_DATA_EDK; -+ info->cmd = *flags; -+ break; -+ -+ case '6': /*cmd: dc-data*/ -+ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--dc-data' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_DC) == IPP2P_DC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_DATA_DC; -+ info->cmd = *flags; -+ break; -+ -+ case '7': /*cmd: dc*/ -+ if ((*flags & IPP2P_DC) == IPP2P_DC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--dc' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_DC; -+ info->cmd = *flags; -+ break; -+ -+ -+ case '8': /*cmd: gnu-data*/ -+ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--gnu-data' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_GNU) == IPP2P_GNU) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_DATA_GNU; -+ info->cmd = *flags; -+ break; -+ -+ case '9': /*cmd: gnu*/ -+ if ((*flags & IPP2P_GNU) == IPP2P_GNU) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--gnu' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_GNU; -+ info->cmd = *flags; -+ break; -+ -+ case 'a': /*cmd: kazaa*/ -+ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--kazaa' may only be " -+ "specified once!"); -+ if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p-data' may only be " -+ "specified alone!"); -+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ipp2p' may only be " -+ "specified alone!"); -+ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_KAZAA; -+ info->cmd = *flags; -+ break; -+ -+ case 'b': /*cmd: bit*/ -+ if ((*flags & IPP2P_BIT) == IPP2P_BIT) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--bit' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_BIT; -+ info->cmd = *flags; -+ break; -+ -+ case 'c': /*cmd: apple*/ -+ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--apple' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_APPLE; -+ info->cmd = *flags; -+ break; -+ -+ -+ case 'd': /*cmd: soul*/ -+ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--soul' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_SOUL; -+ info->cmd = *flags; -+ break; -+ -+ -+ case 'e': /*cmd: winmx*/ -+ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--winmx' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_WINMX; -+ info->cmd = *flags; -+ break; -+ -+ case 'f': /*cmd: ares*/ -+ if ((*flags & IPP2P_ARES) == IPP2P_ARES) -+ exit_error(PARAMETER_PROBLEM, -+ "ipp2p: `--ares' may only be " -+ "specified once!"); -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ *flags += IPP2P_ARES; -+ info->cmd = *flags; -+ break; -+ -+ case 'g': /*cmd: debug*/ -+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); -+ info->debug = 1; -+ break; -+ -+ default: -+ exit_error(PARAMETER_PROBLEM, -+ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); -+ return 0; -+ } -+ return 1; -+} -+ -+ -+static void -+final_check(unsigned int flags) -+{ -+ if (!flags) -+ exit_error(PARAMETER_PROBLEM, -+ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); -+} -+ -+ -+ -+static void -+print(const struct ipt_ip *ip, -+ const struct ipt_entry_match *match, -+ int numeric) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; -+ -+ printf("ipp2p v%s", IPP2P_VERSION); -+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p"); -+ if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data"); -+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa"); -+ if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data"); -+ if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data"); -+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu"); -+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk"); -+ if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data"); -+ if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data"); -+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc"); -+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit"); -+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple"); -+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul"); -+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx"); -+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares"); -+ if (info->debug != 0) printf(" --debug"); -+ printf(" "); -+} -+ -+ -+ -+static void -+save(const struct ipt_ip *ip, const struct ipt_entry_match *match) -+{ -+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; -+ -+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p "); -+ if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data "); -+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa "); -+ if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data "); -+ if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data "); -+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu "); -+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk "); -+ if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data "); -+ if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data "); -+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc "); -+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit "); -+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple "); -+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul "); -+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx "); -+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares "); -+ if (info->debug != 0) printf("--debug "); -+} -+ -+ -+ -+ -+static -+struct iptables_match ipp2p= -+{ -+ .next = NULL, -+ .name = "ipp2p", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)), -+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)), -+ .help = &help, -+ .init = &init, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+ -+ -+void _init(void) -+{ -+ register_match(&ipp2p); -+} -+ -diff -urN iptables-1.2.11.old/extensions/Makefile iptables-1.2.11/extensions/Makefile ---- iptables-1.2.11.old/extensions/Makefile 2004-06-17 12:22:54.000000000 +0200 -+++ iptables-1.2.11/extensions/Makefile 2005-03-12 00:50:12.000000000 +0100 -@@ -8,6 +8,10 @@ - PF_EXT_SLIB:=ah connlimit connmark conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG - PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner standard tcp udp HL LOG MARK TRACE - -+ -+# ipp2p -+PF_EXT_SLIB += ipp2p -+ - # Optionals - PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) - PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T))) -diff -urN iptables-1.2.11.old/include/linux/netfilter_ipv4/ipt_ipp2p.h iptables-1.2.11/include/linux/netfilter_ipv4/ipt_ipp2p.h ---- iptables-1.2.11.old/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 -+++ iptables-1.2.11/include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-03-12 00:50:46.000000000 +0100 -@@ -0,0 +1,29 @@ -+#ifndef __IPT_IPP2P_H -+#define __IPT_IPP2P_H -+#define IPP2P_VERSION "0.7.4" -+ -+struct ipt_p2p_info { -+ int cmd; -+ int debug; -+}; -+ -+#endif //__IPT_IPP2P_H -+ -+#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/ -+#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/ -+#define SHORT_HAND_NONE 5 /* no short hand*/ -+ -+#define IPP2P_EDK 2 -+#define IPP2P_DATA_KAZAA 8 -+#define IPP2P_DATA_EDK 16 -+#define IPP2P_DATA_DC 32 -+#define IPP2P_DC 64 -+#define IPP2P_DATA_GNU 128 -+#define IPP2P_GNU 256 -+#define IPP2P_KAZAA 512 -+#define IPP2P_BIT 1024 -+#define IPP2P_APPLE 2048 -+#define IPP2P_SOUL 4096 -+#define IPP2P_WINMX 8192 -+#define IPP2P_ARES 16384 -+ -- cgit v1.2.3