Hi,
IPv6 fragmentation header match
FRAG v1.2.6a options:
--fragid [!] id[:id] match the id (range)
--fraglen [!] length total length of this header
--fragres check the reserved filed, too
--fragfirst matches on the frst fragment
[--fragmore|--fraglast] there are more fragments or this
is the last one
Regards,
kisza
--
Andras Kis-Szabo Security Development, Design and Audit
-------------------------/ Zorp, NetFilter and IPv6
[EMAIL PROTECTED] /---------------------------------------------->
diff -urN netfilter/userspace.old/extensions/.frag-test6 netfilter/userspace/extensions/.frag-test6
--- netfilter/userspace.old/extensions/.frag-test6 Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/extensions/.frag-test6 Mon Mar 25 22:24:12 2002
@@ -0,0 +1,2 @@
+#!/bin/sh
+[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_frag.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_frag.h ] && echo frag
diff -urN netfilter/userspace.old/extensions/libip6t_frag.c netfilter/userspace/extensions/libip6t_frag.c
--- netfilter/userspace.old/extensions/libip6t_frag.c Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/extensions/libip6t_frag.c Tue Mar 26 01:15:20 2002
@@ -0,0 +1,273 @@
+/* Shared library add-on to ip6tables to add Fragmentation header support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <ip6tables.h>
+#include <linux/netfilter_ipv6/ip6t_frag.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"FRAG v%s options:\n"
+" --fragid [!] id[:id] match the id (range)\n"
+" --fraglen [!] length total length of this header\n"
+" --fragres check the reserved filed, too\n"
+" --fragfirst matches on the frst fragment\n"
+" [--fragmore|--fraglast] there are more fragments or this\n"
+" is the last one\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+ { "fragid", 1, 0, '1' },
+ { "fraglen", 1, 0, '2' },
+ { "fragres", 0, 0, '3' },
+ { "fragfirst", 0, 0, '4' },
+ { "fragmore", 0, 0, '5' },
+ { "fraglast", 0, 0, '6' },
+ {0}
+};
+
+static u_int32_t
+parse_frag_id(const char *idstr, const char *typestr)
+{
+ unsigned long int id;
+ char* ep;
+
+ id = strtoul(idstr,&ep,0) ;
+
+ if ( idstr == ep ) {
+ exit_error(PARAMETER_PROBLEM,
+ "FRAG no valid digits in %s `%s'", typestr, idstr);
+ }
+ if ( id == ULONG_MAX && errno == ERANGE ) {
+ exit_error(PARAMETER_PROBLEM,
+ "%s `%s' specified too big: would overflow",
+ typestr, idstr);
+ }
+ if ( *idstr != '\0' && *ep != '\0' ) {
+ exit_error(PARAMETER_PROBLEM,
+ "FRAG error parsing %s `%s'", typestr, idstr);
+ }
+ return (u_int32_t) id;
+}
+
+static void
+parse_frag_ids(const char *idstring, u_int32_t *ids)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(idstring);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ ids[0] = ids[1] = parse_frag_id(buffer,"id");
+ else {
+ *cp = '\0';
+ cp++;
+
+ ids[0] = buffer[0] ? parse_frag_id(buffer,"id") : 0;
+ ids[1] = cp[0] ? parse_frag_id(cp,"id") : 0xFFFFFFFF;
+ }
+ free(buffer);
+}
+
+/* Initialize the match. */
+static void
+init(struct ip6t_entry_match *m, unsigned int *nfcache)
+{
+ struct ip6t_frag *fraginfo = (struct ip6t_frag *)m->data;
+
+ fraginfo->ids[0] = 0x0L;
+ fraginfo->ids[1] = 0xFFFFFFFF;
+ fraginfo->hdrlen = 0;
+ fraginfo->flags = 0;
+ fraginfo->invflags = 0;
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ip6t_entry *entry,
+ unsigned int *nfcache,
+ struct ip6t_entry_match **match)
+{
+ struct ip6t_frag *fraginfo = (struct ip6t_frag *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ if (*flags & IP6T_FRAG_IDS)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--fragid' allowed");
+ check_inverse(optarg, &invert, &optind, 0);
+ parse_frag_ids(argv[optind-1], fraginfo->ids);
+ if (invert)
+ fraginfo->invflags |= IP6T_FRAG_INV_IDS;
+ fraginfo->flags |= IP6T_FRAG_IDS;
+ *flags |= IP6T_FRAG_IDS;
+ break;
+ case '2':
+ if (*flags & IP6T_FRAG_LEN)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--fraglen' allowed");
+ check_inverse(optarg, &invert, &optind, 0);
+ fraginfo->hdrlen = parse_frag_id(argv[optind-1], "length");
+ if (invert)
+ fraginfo->invflags |= IP6T_FRAG_INV_LEN;
+ fraginfo->flags |= IP6T_FRAG_LEN;
+ *flags |= IP6T_FRAG_LEN;
+ break;
+ case '3':
+ if (*flags & IP6T_FRAG_RES)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--fragres' allowed");
+ fraginfo->flags |= IP6T_FRAG_RES;
+ *flags |= IP6T_FRAG_RES;
+ break;
+ case '4':
+ if (*flags & IP6T_FRAG_FST)
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--fragfirst' allowed");
+ fraginfo->flags |= IP6T_FRAG_FST;
+ *flags |= IP6T_FRAG_FST;
+ break;
+ case '5':
+ if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--fragmore' or `--fraglast' allowed");
+ fraginfo->flags |= IP6T_FRAG_MF;
+ *flags |= IP6T_FRAG_MF;
+ break;
+ case '6':
+ if (*flags & (IP6T_FRAG_MF|IP6T_FRAG_NMF))
+ exit_error(PARAMETER_PROBLEM,
+ "Only one `--fragmore' or `--fraglast' allowed");
+ fraginfo->flags |= IP6T_FRAG_NMF;
+ *flags |= IP6T_FRAG_NMF;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; we don't care. */
+static void
+final_check(unsigned int flags)
+{
+}
+
+static void
+print_ids(const char *name, u_int32_t min, u_int32_t max,
+ int invert)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (min != 0 || max != 0xFFFFFFFF || invert) {
+ printf("%s", name);
+ if (min == max) {
+ printf(":%s", inv);
+ printf("%u", min);
+ } else {
+ printf("s:%s", inv);
+ printf("%u",min);
+ printf(":");
+ printf("%u",max);
+ }
+ printf(" ");
+ }
+}
+
+static void
+print_len(const char *name, u_int32_t len, int invert)
+{
+ const char *inv = invert ? "!" : "";
+
+ if (len != 0 || invert) {
+ printf("%s", name);
+ printf(":%s", inv);
+ printf("%u", len);
+ printf(" ");
+ }
+}
+
+/* Prints out the union ip6t_matchinfo. */
+static void
+print(const struct ip6t_ip6 *ip,
+ const struct ip6t_entry_match *match, int numeric)
+{
+ const struct ip6t_frag *frag = (struct ip6t_frag *)match->data;
+
+ printf("frag ");
+ print_ids("id", frag->ids[0], frag->ids[1],
+ frag->invflags & IP6T_FRAG_INV_IDS);
+ print_len("length", frag->hdrlen,
+ frag->invflags & IP6T_FRAG_INV_LEN);
+ if (frag->flags & IP6T_FRAG_RES) printf("reserved ");
+ if (frag->flags & IP6T_FRAG_FST) printf("first ");
+ if (frag->flags & IP6T_FRAG_MF) printf("more ");
+ if (frag->flags & IP6T_FRAG_NMF) printf("last ");
+ if (frag->invflags & ~IP6T_FRAG_INV_MASK)
+ printf("Unknown invflags: 0x%X ",
+ frag->invflags & ~IP6T_FRAG_INV_MASK);
+}
+
+/* Saves the union ip6t_matchinfo in parsable form to stdout. */
+static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
+{
+ const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data;
+
+ if (!(fraginfo->ids[0] == 0
+ && fraginfo->ids[1] == 0xFFFFFFFF)) {
+ printf("--fragid %s",
+ (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? "! " : "");
+ if (fraginfo->ids[0]
+ != fraginfo->ids[1])
+ printf("%u:%u ",
+ fraginfo->ids[0],
+ fraginfo->ids[1]);
+ else
+ printf("%u ",
+ fraginfo->ids[0]);
+ }
+
+ if (fraginfo->hdrlen != 0 ) {
+ printf("--fraglen %s%u ",
+ (fraginfo->invflags & IP6T_FRAG_INV_LEN) ? "! " : "",
+ fraginfo->hdrlen);
+ }
+
+ if (fraginfo->flags & IP6T_FRAG_RES) printf("--fragres ");
+ if (fraginfo->flags & IP6T_FRAG_FST) printf("--fragfirst ");
+ if (fraginfo->flags & IP6T_FRAG_MF) printf("--fragmore ");
+ if (fraginfo->flags & IP6T_FRAG_NMF) printf("--fraglast ");
+
+}
+
+static
+struct ip6tables_match frag
+= { NULL,
+ "frag",
+ NETFILTER_VERSION,
+ IP6T_ALIGN(sizeof(struct ip6t_frag)),
+ IP6T_ALIGN(sizeof(struct ip6t_frag)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void
+_init(void)
+{
+ register_match6(&frag);
+}
diff -urN netfilter/userspace.old/include/linux/netfilter_ipv6/ip6t_ah.h netfilter/userspace/include/linux/netfilter_ipv6/ip6t_ah.h
--- netfilter/userspace.old/include/linux/netfilter_ipv6/ip6t_ah.h Mon Mar 25 22:23:31 2002
+++ netfilter/userspace/include/linux/netfilter_ipv6/ip6t_ah.h Mon Mar 25 22:25:46 2002
@@ -18,4 +18,13 @@
#define IP6T_AH_INV_LEN 0x02 /* Invert the sense of length. */
#define IP6T_AH_INV_MASK 0x03 /* All possible flags. */
+#define MASK_HOPOPTS 128
+#define MASK_DSTOPTS 64
+#define MASK_ROUTING 32
+#define MASK_FRAGMENT 16
+#define MASK_AH 8
+#define MASK_ESP 4
+#define MASK_NONE 2
+#define MASK_PROTO 1
+
#endif /*_IP6T_AH_H*/
diff -urN netfilter/userspace.old/include/linux/netfilter_ipv6/ip6t_frag.h netfilter/userspace/include/linux/netfilter_ipv6/ip6t_frag.h
--- netfilter/userspace.old/include/linux/netfilter_ipv6/ip6t_frag.h Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/include/linux/netfilter_ipv6/ip6t_frag.h Mon Mar 25 22:37:21 2002
@@ -0,0 +1,33 @@
+#ifndef _IP6T_FRAG_H
+#define _IP6T_FRAG_H
+
+struct ip6t_frag
+{
+ u_int32_t ids[2]; /* Security Parameter Index */
+ u_int32_t hdrlen; /* Header Length */
+ u_int8_t flags; /* */
+ u_int8_t invflags; /* Inverse flags */
+};
+
+#define IP6T_FRAG_IDS 0x01
+#define IP6T_FRAG_LEN 0x02
+#define IP6T_FRAG_RES 0x04
+#define IP6T_FRAG_FST 0x08
+#define IP6T_FRAG_MF 0x10
+#define IP6T_FRAG_NMF 0x20
+
+/* Values for "invflags" field in struct ip6t_frag. */
+#define IP6T_FRAG_INV_IDS 0x01 /* Invert the sense of ids. */
+#define IP6T_FRAG_INV_LEN 0x02 /* Invert the sense of length. */
+#define IP6T_FRAG_INV_MASK 0x03 /* All possible flags. */
+
+#define MASK_HOPOPTS 128
+#define MASK_DSTOPTS 64
+#define MASK_ROUTING 32
+#define MASK_FRAGMENT 16
+#define MASK_AH 8
+#define MASK_ESP 4
+#define MASK_NONE 2
+#define MASK_PROTO 1
+
+#endif /*_IP6T_FRAG_H*/
diff -urN netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6 netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6
--- netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6 Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6 Tue Mar 26 01:19:46 2002
@@ -0,0 +1,286 @@
+diff -urN linux/net/ipv6/netfilter/ip6t_frag.c linux.dev/net/ipv6/netfilter/ip6t_frag.c
+--- linux/net/ipv6/netfilter/ip6t_frag.c Thu Jan 1 01:00:00 1970
++++ linux.dev/net/ipv6/netfilter/ip6t_frag.c Thu Mar 21 21:58:56 2002
+@@ -0,0 +1,244 @@
++/* Kernel module to match FRAG parameters. */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ipv6.h>
++#include <linux/types.h>
++#include <net/checksum.h>
++#include <net/ipv6.h>
++
++#include <linux/netfilter_ipv6/ip6_tables.h>
++#include <linux/netfilter_ipv6/ip6t_frag.h>
++
++EXPORT_NO_SYMBOLS;
++MODULE_LICENSE("GPL");
++MODULE_DESCRIPTION("IPv6 FRAG match");
++MODULE_AUTHOR("Andras Kis-Szabo <[EMAIL PROTECTED]>");
++
++#if 0
++#define DEBUGP printk
++#else
++#define DEBUGP(format, args...)
++#endif
++
++#if 0
++#if BYTE_ORDER == BIG_ENDIAN
++#define IP6F_OFF_MASK 0xfff8 /* mask out offset from _offlg */
++#define IP6F_RESERVED_MASK 0x0006 /* reserved bits in ip6f_offlg */
++#define IP6F_MORE_FRAG 0x0001 /* more-fragments flag */
++#else /* BYTE_ORDER == LITTLE_ENDIAN */
++#define IP6F_OFF_MASK 0xf8ff /* mask out offset from _offlg */
++#define IP6F_RESERVED_MASK 0x0600 /* reserved bits in ip6f_offlg */
++#define IP6F_MORE_FRAG 0x0100 /* more-fragments flag */
++#endif
++#endif
++
++#define IP6F_OFF_MASK 0xf8ff /* mask out offset from _offlg */
++#define IP6F_RESERVED_MASK 0x0600 /* reserved bits in ip6f_offlg */
++#define IP6F_MORE_FRAG 0x0100 /* more-fragments flag */
++
++struct fraghdr {
++ __u8 nexthdr;
++ __u8 hdrlen;
++ __u16 info;
++ __u32 id;
++};
++
++int ipv6_ext_hdr(u8 nexthdr)
++{
++ return ( (nexthdr == NEXTHDR_HOP) ||
++ (nexthdr == NEXTHDR_ROUTING) ||
++ (nexthdr == NEXTHDR_FRAGMENT) ||
++ (nexthdr == NEXTHDR_AUTH) ||
++ (nexthdr == NEXTHDR_ESP) ||
++ (nexthdr == NEXTHDR_NONE) ||
++ (nexthdr == NEXTHDR_DEST) );
++}
++
++/* Returns 1 if the id is matched by the range, 0 otherwise */
++static inline int
++id_match(u_int32_t min, u_int32_t max, u_int32_t id, int invert)
++{
++ int r=0;
++ DEBUGP("frag id_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
++ min,id,max);
++ r=(id >= min && id <= max) ^ invert;
++ DEBUGP(" result %s\n",r? "PASS" : "FAILED");
++ return r;
++}
++
++static int
++match(const struct sk_buff *skb,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *matchinfo,
++ int offset,
++ const void *protohdr,
++ u_int16_t datalen,
++ int *hotdrop)
++{
++ struct fraghdr *frag = NULL;
++ const struct ip6t_frag *fraginfo = matchinfo;
++ unsigned int temp;
++ int len;
++ u8 nexthdr;
++ unsigned int ptr;
++ unsigned int hdrlen = 0;
++
++ /* type of the 1st exthdr */
++ nexthdr = skb->nh.ipv6h->nexthdr;
++ /* pointer to the 1st exthdr */
++ ptr = sizeof(struct ipv6hdr);
++ /* available length */
++ len = skb->len - ptr;
++ temp = 0;
++
++ while (ipv6_ext_hdr(nexthdr)) {
++ struct ipv6_opt_hdr *hdr;
++
++ DEBUGP("ipv6_frag header iteration \n");
++
++ /* Is there enough space for the next ext header? */
++ if (len < (int)sizeof(struct ipv6_opt_hdr))
++ return 0;
++ /* No more exthdr -> evaluate */
++ if (nexthdr == NEXTHDR_NONE) {
++ break;
++ }
++ /* ESP -> evaluate */
++ if (nexthdr == NEXTHDR_ESP) {
++ break;
++ }
++
++ hdr=skb->data+ptr;
++
++ /* Calculate the header length */
++ if (nexthdr == NEXTHDR_FRAGMENT) {
++ hdrlen = 8;
++ } else if (nexthdr == NEXTHDR_AUTH)
++ hdrlen = (hdr->hdrlen+2)<<2;
++ else
++ hdrlen = ipv6_optlen(hdr);
++
++ /* FRAG -> evaluate */
++ if (nexthdr == NEXTHDR_FRAGMENT) {
++ temp |= MASK_FRAGMENT;
++ break;
++ }
++
++
++ /* set the flag */
++ switch (nexthdr){
++ case NEXTHDR_HOP:
++ case NEXTHDR_ROUTING:
++ case NEXTHDR_FRAGMENT:
++ case NEXTHDR_AUTH:
++ case NEXTHDR_DEST:
++ break;
++ default:
++ DEBUGP("ipv6_frag match: unknown nextheader %u\n",nexthdr);
++ return 0;
++ break;
++ }
++
++ nexthdr = hdr->nexthdr;
++ len -= hdrlen;
++ ptr += hdrlen;
++ }
++
++ /* FRAG header not found */
++ if ( temp != MASK_FRAGMENT ) return 0;
++
++ if (len < (int)sizeof(struct fraghdr)){
++ *hotdrop = 1;
++ return 0;
++ }
++
++ frag=skb->data+ptr;
++
++ DEBUGP("IPv6 FRAG LEN %u %u ", hdrlen, frag->hdrlen);
++ DEBUGP("INFO %04X ", frag->info);
++ DEBUGP("OFFSET %04X ", frag->info & IP6F_OFF_MASK);
++ DEBUGP("RES %04X ", frag->info & IP6F_RESERVED_MASK);
++ DEBUGP("MF %04X ", frag->info & IP6F_MORE_FRAG);
++ DEBUGP("ID %u %08X\n", ntohl(frag->id), ntohl(frag->id));
++
++ DEBUGP("IPv6 FRAG id %02X ",
++ (id_match(fraginfo->ids[0], fraginfo->ids[1],
++ ntohl(frag->id),
++ !!(fraginfo->invflags & IP6T_FRAG_INV_IDS))));
++ DEBUGP("len %02X %04X %02X ",
++ fraginfo->hdrlen, hdrlen,
++ (!fraginfo->hdrlen ||
++ (fraginfo->hdrlen == hdrlen) ^
++ !!(fraginfo->invflags & IP6T_FRAG_INV_LEN)));
++ DEBUGP("res %02X %02X %02X ",
++ (fraginfo->flags & IP6T_FRAG_RES), frag->info & IP6F_RESERVED_MASK,
++ !((fraginfo->flags & IP6T_FRAG_RES) && (frag->info & IP6F_RESERVED_MASK)));
++ DEBUGP("first %02X %02X %02X ",
++ (fraginfo->flags & IP6T_FRAG_FST), frag->info & IP6F_OFF_MASK,
++ !((fraginfo->flags & IP6T_FRAG_FST) && (frag->info & IP6F_OFF_MASK)));
++ DEBUGP("mf %02X %02X %02X ",
++ (fraginfo->flags & IP6T_FRAG_MF), frag->info & IP6F_MORE_FRAG,
++ !((fraginfo->flags & IP6T_FRAG_MF) && !((frag->info & IP6F_MORE_FRAG))));
++ DEBUGP("last %02X %02X %02X\n",
++ (fraginfo->flags & IP6T_FRAG_NMF), frag->info & IP6F_MORE_FRAG,
++ !((fraginfo->flags & IP6T_FRAG_NMF) && (frag->info & IP6F_MORE_FRAG)));
++
++ return (frag != NULL)
++ &&
++ (id_match(fraginfo->ids[0], fraginfo->ids[1],
++ ntohl(frag->id),
++ !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)))
++ &&
++ (!fraginfo->hdrlen ||
++ (fraginfo->hdrlen == hdrlen) ^
++ !!(fraginfo->invflags & IP6T_FRAG_INV_LEN))
++ &&
++ !((fraginfo->flags & IP6T_FRAG_RES) && (frag->info & IP6F_RESERVED_MASK))
++ &&
++ !((fraginfo->flags & IP6T_FRAG_FST) && (frag->info & IP6F_OFF_MASK))
++ &&
++ !((fraginfo->flags & IP6T_FRAG_MF) && !((frag->info & IP6F_MORE_FRAG)))
++ &&
++ !((fraginfo->flags & IP6T_FRAG_NMF) && (frag->info & IP6F_MORE_FRAG));
++}
++
++/* Called when user tries to insert an entry of this type. */
++static int
++checkentry(const char *tablename,
++ const struct ip6t_ip6 *ip,
++ void *matchinfo,
++ unsigned int matchinfosize,
++ unsigned int hook_mask)
++{
++ const struct ip6t_frag *fraginfo = matchinfo;
++
++ if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_frag))) {
++ DEBUGP("ip6t_frag: matchsize %u != %u\n",
++ matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_frag)));
++ return 0;
++ }
++ if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
++ DEBUGP("ip6t_frag: unknown flags %X\n",
++ fraginfo->invflags);
++ return 0;
++ }
++
++ return 1;
++}
++
++static struct ip6t_match frag_match
++= { { NULL, NULL }, "frag", &match, &checkentry, NULL, THIS_MODULE };
++
++static int __init init(void)
++{
++ return ip6t_register_match(&frag_match);
++}
++
++static void __exit cleanup(void)
++{
++ ip6t_unregister_match(&frag_match);
++}
++
++module_init(init);
++module_exit(cleanup);
+diff -urN linux/include/linux/netfilter_ipv6/ip6t_frag.h linux.dev/include/linux/netfilter_ipv6/ip6t_frag.h
+--- linux/include/linux/netfilter_ipv6/ip6t_frag.h Thu Jan 1 01:00:00 1970
++++ linux.dev/include/linux/netfilter_ipv6/ip6t_frag.h Thu Mar 21 21:12:40 2002
+@@ -0,0 +1,33 @@
++#ifndef _IP6T_FRAG_H
++#define _IP6T_FRAG_H
++
++struct ip6t_frag
++{
++ u_int32_t ids[2]; /* Security Parameter Index */
++ u_int32_t hdrlen; /* Header Length */
++ u_int8_t flags; /* */
++ u_int8_t invflags; /* Inverse flags */
++};
++
++#define IP6T_FRAG_IDS 0x01
++#define IP6T_FRAG_LEN 0x02
++#define IP6T_FRAG_RES 0x04
++#define IP6T_FRAG_FST 0x08
++#define IP6T_FRAG_MF 0x10
++#define IP6T_FRAG_NMF 0x20
++
++/* Values for "invflags" field in struct ip6t_frag. */
++#define IP6T_FRAG_INV_IDS 0x01 /* Invert the sense of ids. */
++#define IP6T_FRAG_INV_LEN 0x02 /* Invert the sense of length. */
++#define IP6T_FRAG_INV_MASK 0x03 /* All possible flags. */
++
++#define MASK_HOPOPTS 128
++#define MASK_DSTOPTS 64
++#define MASK_ROUTING 32
++#define MASK_FRAGMENT 16
++#define MASK_AH 8
++#define MASK_ESP 4
++#define MASK_NONE 2
++#define MASK_PROTO 1
++
++#endif /*_IP6T_FRAG_H*/
++
diff -urN netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6.config.in netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.config.in
--- netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6.config.in Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.config.in Tue Mar 26 01:11:22 2002
@@ -0,0 +1,4 @@
+ dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
+ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+ dep_tristate ' Fragmentation header match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_FRAG $CONFIG_IP6_NF_IPTABLES
+ fi
diff -urN netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6.configure.help netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.configure.help
--- netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6.configure.help Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.configure.help Tue Mar 26 01:13:03 2002
@@ -0,0 +1,9 @@
+CONFIG_IP6_NF_MATCH_MAC
+Fragmentation header match support (EXPERIMENTAL)
+CONFIG_IP6_NF_MATCH_FRAG
+ This match extension (`frag') allow you to select the packet based on the
+ fileds of the fragmentation header of the IPv6 packets.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
diff -urN netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6.help netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.help
--- netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6.help Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.help Tue Mar 26 01:14:23 2002
@@ -0,0 +1,14 @@
+Author: Andras Kis-Szabo <[EMAIL PROTECTED]>
+Status: It works 4 me!
+
+ This match extension (`frag') allow you to select the packet based on the
+ fileds of the fragmentation header of the IPv6 packets.
+
+ FRAG options:
+ --fragid [!] id[:id] match the id (range)
+ --fraglen [!] length total length of this header
+ --fragres check the reserved filed, too
+ --fragfirst matches on the frst fragment
+ [--fragmore|--fraglast] there are more fragments or this
+ is the last one
+
diff -urN netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6.makefile netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.makefile
--- netfilter/userspace.old/patch-o-matic/base/frag6.patch.ipv6.makefile Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/base/frag6.patch.ipv6.makefile Tue Mar 26 01:14:39 2002
@@ -0,0 +1,2 @@
+obj-$(CONFIG_IP6_NF_MATCH_MAC) += ip6t_mac.o
+obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
