Author: pluto
Date: Thu Jul 28 11:04:10 2005
New Revision: 6248

Added:
   
netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_IPMARK.h
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv6/ip6t_HL.h
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_IPMARK.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_SET.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/ip6t_HL.c
Modified:
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_queue.h
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_queue.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile
   netfilter-2.6/patch-o-matic-ng/trunk/status
Log:
- HOPLIMIT, IPMARK, ip_queue_vmark.


Modified: 
netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_queue.h
==============================================================================
--- 
netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_queue.h    
    (original)
+++ 
netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_queue.h    
    Thu Jul 28 11:04:10 2005
@@ -47,10 +47,20 @@
        unsigned char payload[0];       /* Optional replacement packet */
 } ipq_verdict_msg_t;
 
+typedef struct ipq_vwmark_msg {
+       unsigned int value;             /* Verdict to hand to netfilter */
+       unsigned long id;               /* Packet ID for this verdict */
+       size_t data_len;                /* Length of replacement data */
+       unsigned char payload[0];       /* Optional replacement packet */
+       unsigned long nfmark;           /* Mark for the Packet */
+} ipq_vwmark_msg_t;
+
+
 typedef struct ipq_peer_msg {
        union {
                ipq_verdict_msg_t verdict;
                ipq_mode_msg_t mode;
+                ipq_vwmark_msg_t vwmark;
        } msg;
 } ipq_peer_msg_t;
 
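Review bot: In `ipq_vwmark_msg`, `nfmark` is declared after the zero-length `payload[0]`, so any replacement packet data starts at the same offset as the mark and the two overlap. `ipq_set_vwmark()` in ip_queue.c casts the message to `ipq_verdict_msg_t` for mangling and then reads `vmsg->nfmark`, so with a non-empty payload the mark would come from the first bytes of the packet data (inferred from the layout; the mangle helper is not shown). Declaring the mark ahead of the trailing array, `unsigned long nfmark; unsigned char payload[0];`, keeps the variable-length member last, but the cast to `ipq_verdict_msg_t` would then have to be replaced as well. Adding the larger member to the `ipq_peer_msg` union also changes `sizeof(ipq_peer_msg_t)`, which the existing IPQM_VERDICT path subtracts from `len`, so peers built against the old header may be affected.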
@@ -67,6 +77,7 @@
 #define IPQM_MODE      (IPQM_BASE + 1)         /* Mode request from peer */
 #define IPQM_VERDICT   (IPQM_BASE + 2)         /* Verdict from peer */ 
 #define IPQM_PACKET    (IPQM_BASE + 3)         /* Packet from kernel */
-#define IPQM_MAX       (IPQM_BASE + 4)
+#define IPQM_VWMARK    (IPQM_BASE + 4)         /* Verdict and mark from peer */
+#define IPQM_MAX       (IPQM_BASE + 5)
 
 #endif /*_IP_QUEUE_H*/

Added: 
netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_IPMARK.h
==============================================================================
--- (empty file)
+++ 
netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_IPMARK.h  
    Thu Jul 28 11:04:10 2005
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
+
+struct ipt_ipmark_target_info {
+       unsigned long andmask;
+       unsigned long ormask;
+       unsigned int addr;
+};
+
+#define IPT_IPMARK_SRC    0
+#define IPT_IPMARK_DST    1
+
+#endif /*_IPT_IPMARK_H_target*/
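Review bot: `andmask` and `ormask` in `struct ipt_ipmark_target_info` are `unsigned long`, so the structure's size depends on the word size of whoever compiles it, while `checkentry` in ipt_IPMARK.c insists on an exact `targinfosize` match. A rule loader built for a different word size than the kernel would presumably be rejected for that reason alone. The mark is derived from a 32-bit IPv4 address, so fixed-width fields such as `u_int32_t andmask; u_int32_t ormask;` would give one layout everywhere, at the cost of not being able to set bits above 32 where the mark is wider. The header also has no comment saying that `addr` holds `IPT_IPMARK_SRC` or `IPT_IPMARK_DST`; a one-line `/* IPT_IPMARK_SRC or IPT_IPMARK_DST */` next to the field would document it.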

Added: 
netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv6/ip6t_HL.h
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv6/ip6t_HL.h 
Thu Jul 28 11:04:10 2005
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak <[EMAIL PROTECTED]>
+ * Based on HW's TTL module */
+
+#ifndef _IP6T_HL_H
+#define _IP6T_HL_H
+
+enum {
+       IP6T_HL_SET = 0,
+       IP6T_HL_INC,
+       IP6T_HL_DEC
+};
+
+#define IP6T_HL_MAXMODE        IP6T_HL_DEC
+
+struct ip6t_HL_info {
+       u_int8_t        mode;
+       u_int8_t        hop_limit;
+};
+
+
+#endif

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig     
(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig     Thu Jul 
28 11:04:10 2005
@@ -1015,5 +1015,17 @@
          If you want to compile it as a module, say M here and read
          Documentation/modules.txt.  If unsure, say `N'.
 
+config IP_NF_TARGET_IPMARK
+       tristate  'IPMARK target support'
+       depends on IP_NF_MANGLE
+       help
+         This option adds a `IPMARK' target, which allows you to create rules
+         in the `mangle' table which alter the netfilter mark (nfmark) field
+         basing on the source or destination ip address of the packet.
+         This is very useful for very fast massive mangling and marking.
+       
+         If you want to compile it as a module, say M here and read
+         <file:Documentation/modules.txt>.  If unsure, say `N'.
+
 endmenu
 

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile    
(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile    Thu Jul 
28 11:04:10 2005
@@ -98,6 +98,7 @@
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
 obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o
 obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
+obj-$(CONFIG_IP_NF_TARGET_IPMARK) += ipt_IPMARK.o
 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_queue.c
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_queue.c  
(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_queue.c  Thu Jul 
28 11:04:10 2005
@@ -443,6 +443,33 @@
 }
 
 static int
+ipq_set_vwmark(struct ipq_vwmark_msg *vmsg, unsigned int len)
+{
+       struct ipq_queue_entry *entry;
+
+       if (vmsg->value > NF_MAX_VERDICT)
+               return -EINVAL;
+
+       entry = ipq_find_dequeue_entry(id_cmp, vmsg->id);
+       if (entry == NULL)
+               return -ENOENT;
+       else {
+               int verdict = vmsg->value;
+               
+               if (vmsg->data_len && vmsg->data_len == len)
+                       if (ipq_mangle_ipv4((ipq_verdict_msg_t *)vmsg, entry) < 
0)
+                               verdict = NF_DROP;
+
+               /* set mark of associated skb */
+               entry->skb->nfmark = vmsg->nfmark;
+               
+               ipq_issue_verdict(entry, verdict);
+               return 0;
+       }
+}
+
+
+static int
 ipq_receive_peer(struct ipq_peer_msg *pmsg,
                  unsigned char type, unsigned int len)
 {
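Review bot: In `ipq_set_vwmark()`, a non-zero `data_len` that does not equal `len` skips `ipq_mangle_ipv4()`, still issues the verdict on the unmodified packet and returns 0, so a malformed message is accepted silently. If this mirrors `ipq_set_verdict()` (its body is outside the hunk) it may be deliberate, but rejecting the message before the entry is dequeued would be clearer: `if (vmsg->data_len && vmsg->data_len != len) return -EINVAL;`. The function also has no comment explaining `len`; the caller passes `len - sizeof(*pmsg)`, so `/* len: bytes following the fixed message header */` above the length test would help. `ipq_receive_peer()` only begins at the end of this hunk and continues outside it.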
@@ -464,6 +491,14 @@
                        status = ipq_set_verdict(&pmsg->msg.verdict,
                                                 len - sizeof(*pmsg));
                        break;
+        case IPQM_VWMARK:
+               if (pmsg->msg.verdict.value > NF_MAX_VERDICT)
+                       status = -EINVAL;
+               else
+                       status = ipq_set_vwmark(&pmsg->msg.vwmark,
+                                                len - sizeof(*pmsg));
+                       break;
+
        default:
                status = -EINVAL;
        }
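Review bot: The new `IPQM_VWMARK` case range-checks `pmsg->msg.verdict.value`, which goes through the wrong union member and only works because both structs start with `value`; `ipq_set_vwmark()` then repeats the same `NF_MAX_VERDICT` test on `vmsg->value`, so the check here is redundant. The `break;` is indented as if it belonged to the `else`, but the branches are unbraced and it runs for both, which is easy to misread during a later edit. The case could be reduced to `status = ipq_set_vwmark(&pmsg->msg.vwmark, len - sizeof(*pmsg));` followed by `break;` at case level. `len - sizeof(*pmsg)` is unsigned arithmetic, so it relies on a lower-bound check on `len` that would have to sit outside this hunk.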

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_IPMARK.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_IPMARK.c        
Thu Jul 28 11:04:10 2005
@@ -0,0 +1,81 @@
+/* This is a module which is used for setting the NFMARK field of an skb. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_IPMARK.h>
+
+MODULE_AUTHOR("Grzegorz Janoszka <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("IP tables IPMARK: mark based on ip address");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+       const struct ipt_ipmark_target_info *ipmarkinfo = targinfo;
+       struct iphdr *iph = (*pskb)->nh.iph;
+       unsigned long mark;
+
+       if (ipmarkinfo->addr == IPT_IPMARK_SRC)
+               mark = (unsigned long) ntohl(iph->saddr);
+       else
+               mark = (unsigned long) ntohl(iph->daddr);
+
+       mark &= ipmarkinfo->andmask;
+       mark |= ipmarkinfo->ormask;
+       
+       if ((*pskb)->nfmark != mark) {
+               (*pskb)->nfmark = mark;
+               (*pskb)->nfcache |= NFC_ALTERED;
+       }
+       return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+          const struct ipt_entry *e,
+           void *targinfo,
+           unsigned int targinfosize,
+           unsigned int hook_mask)
+{
+       if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ipmark_target_info))) {
+               printk(KERN_WARNING "IPMARK: targinfosize %u != %Zu\n",
+                      targinfosize,
+                      IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)));
+               return 0;
+       }
+
+       if (strcmp(tablename, "mangle") != 0) {
+               printk(KERN_WARNING "IPMARK: can only be called from \"mangle\" 
table, not \"%s\"\n", tablename);
+               return 0;
+       }
+
+       return 1;
+}
+
+static struct ipt_target ipt_ipmark_reg = { 
+       .name = "IPMARK",
+       .target = target,
+       .checkentry = checkentry,
+       .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+       return ipt_register_target(&ipt_ipmark_reg);
+}
+
+static void __exit fini(void)
+{
+       ipt_unregister_target(&ipt_ipmark_reg);
+}
+
+module_init(init);
+module_exit(fini);
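Review bot: `checkentry` never inspects `addr`, so `target` treats every value other than `IPT_IPMARK_SRC` as "destination", including values the header does not define. Rejecting unknown selectors when the rule is loaded keeps malformed rules out of the table: with a local `const struct ipt_ipmark_target_info *info = targinfo;` declared at the top of `checkentry`, add `if (info->addr != IPT_IPMARK_SRC && info->addr != IPT_IPMARK_DST) return 0;` after the size check. A short comment on `target` saying that the mark is the host-order address ANDed with `andmask` and ORed with `ormask` would also help readers.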

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_SET.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_SET.c   Thu Jul 
28 11:04:10 2005
@@ -0,0 +1,128 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <[EMAIL PROTECTED]>
+ *                         Patrick Schaaf <[EMAIL PROTECTED]>
+ *                         Martin Josefsson <[EMAIL PROTECTED]>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.  
+ */
+
+/* ipt_SET.c - netfilter target to manipulate IP sets */
+
+#include <linux/types.h>
+#include <linux/ip.h>
+#include <linux/timer.h>
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/netdevice.h>
+#include <linux/if.h>
+#include <linux/inetdevice.h>
+#include <net/protocol.h>
+#include <net/checksum.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <linux/netfilter_ipv4/ipt_set.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+       const struct ipt_set_info_target *info = targinfo;
+       
+       if (info->add_set.index != IP_SET_INVALID_ID)
+               ip_set_addip_kernel(info->add_set.index,
+                                   *pskb,
+                                   info->add_set.flags);
+       if (info->del_set.index != IP_SET_INVALID_ID)
+               ip_set_delip_kernel(info->del_set.index,
+                                   *pskb,
+                                   info->del_set.flags);
+
+       return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+          const struct ipt_entry *e,
+          void *targinfo,
+          unsigned int targinfosize, unsigned int hook_mask)
+{
+       struct ipt_set_info_target *info = 
+               (struct ipt_set_info_target *) targinfo;
+       ip_set_id_t index;
+
+       if (targinfosize != IPT_ALIGN(sizeof(*info))) {
+               DP("bad target info size %u", targinfosize);
+               return 0;
+       }
+
+       if (info->add_set.index != IP_SET_INVALID_ID) {
+               index = ip_set_get_byindex(info->add_set.index);
+               if (index == IP_SET_INVALID_ID) {
+                       ip_set_printk("cannot find add_set index %u as target",
+                                     info->add_set.index);
+                       return 0;       /* error */
+               }
+       }
+
+       if (info->del_set.index != IP_SET_INVALID_ID) {
+               index = ip_set_get_byindex(info->del_set.index);
+               if (index == IP_SET_INVALID_ID) {
+                       ip_set_printk("cannot find del_set index %u as target",
+                                     info->del_set.index);
+                       return 0;       /* error */
+               }
+       }
+       if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
+           || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+               ip_set_printk("That's nasty!");
+               return 0;       /* error */
+       }
+
+       return 1;
+}
+
+static void destroy(void *targetinfo, unsigned int targetsize)
+{
+       struct ipt_set_info_target *info = targetinfo;
+
+       if (targetsize != IPT_ALIGN(sizeof(struct ipt_set_info_target))) {
+               ip_set_printk("invalid targetsize %d", targetsize);
+               return;
+       }
+
+       if (info->add_set.index != IP_SET_INVALID_ID)
+               ip_set_put(info->add_set.index);
+       if (info->del_set.index != IP_SET_INVALID_ID)
+               ip_set_put(info->del_set.index);
+}
+
+static struct ipt_target SET_target = {
+       .name           = "SET",
+       .target         = target,
+       .checkentry     = checkentry,
+       .destroy        = destroy,
+       .me             = THIS_MODULE
+};
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("iptables IP set target module");
+
+static int __init init(void)
+{
+       return ipt_register_target(&SET_target);
+}
+
+static void __exit fini(void)
+{
+       ipt_unregister_target(&SET_target);
+}
+
+module_init(init);
+module_exit(fini);
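Review bot: `checkentry` can return 0 after `ip_set_get_byindex()` has already succeeded for `add_set` (and, at the flags test, for `del_set` too) without a matching `ip_set_put()`. `destroy` pairs every valid index with `ip_set_put()`, which suggests the lookup takes a reference; if `destroy` is not invoked for an entry whose `checkentry` failed, those references are leaked. Doing the reference-free flags validation first and releasing the `add_set` reference on the `del_set` failure path avoids this. The changed part of `checkentry` is sketched below.

```c
	/* … unchanged: targinfosize check … */

	/* Validate the flag terminators before taking any set reference. */
	if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
	    || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
		ip_set_printk("That's nasty!");
		return 0;	/* error */
	}

	/* … unchanged: add_set lookup … */

	if (info->del_set.index != IP_SET_INVALID_ID) {
		index = ip_set_get_byindex(info->del_set.index);
		if (index == IP_SET_INVALID_ID) {
			ip_set_printk("cannot find del_set index %u as target",
				      info->del_set.index);
			/* Drop the add_set reference taken above. */
			if (info->add_set.index != IP_SET_INVALID_ID)
				ip_set_put(info->add_set.index);
			return 0;	/* error */
		}
	}
```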

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig     
(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig     Thu Jul 
28 11:04:10 2005
@@ -296,5 +296,15 @@
 
          To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_TARGET_HL
+       tristate  'HL target support'
+       depends on IP6_NF_MANGLE
+       help
+         This option adds a `HL' target, which allows you to modify the value 
of
+         IPv6 Hop Limit field.
+       
+         If you want to compile it as a module, say M here and read
+         <file:Documentation/modules.txt>.  If unsure, say `N'.
+
 endmenu
 

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile    
(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile    Thu Jul 
28 11:04:10 2005
@@ -24,6 +24,7 @@
 obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t_MARK.o
 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
+obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o
 
 obj-$(CONFIG_IP6_NF_MATCH_NTH) += ip6t_nth.o
 obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/ip6t_HL.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/ip6t_HL.c   Thu Jul 
28 11:04:10 2005
@@ -0,0 +1,111 @@
+/* 
+ * Hop Limit modification target for ip6tables
+ * Maciej Soltysiak <[EMAIL PROTECTED]>
+ * Based on HW's TTL module
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_HL.h>
+
+MODULE_AUTHOR("Maciej Soltysiak <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("IP tables Hop Limit modification module");
+MODULE_LICENSE("GPL");
+
+static unsigned int ip6t_hl_target(struct sk_buff **pskb, 
+                                  const struct net_device *in,
+                                  const struct net_device *out,
+                                  unsigned int hooknum,
+                                  const void *targinfo, void *userinfo)
+{
+       struct ipv6hdr *ip6h = (*pskb)->nh.ipv6h;
+       const struct ip6t_HL_info *info = targinfo;
+       u_int16_t diffs[2];
+       int new_hl;
+                        
+       switch (info->mode) {
+               case IP6T_HL_SET:
+                       new_hl = info->hop_limit;
+                       break;
+               case IP6T_HL_INC:
+                       new_hl = ip6h->hop_limit + info->hop_limit;
+                       if (new_hl > 255)
+                               new_hl = 255;
+                       break;
+               case IP6T_HL_DEC:
+                       new_hl = ip6h->hop_limit - info->hop_limit;
+                       if (new_hl < 0)
+                               new_hl = 0;
+                       break;
+               default:
+                       new_hl = ip6h->hop_limit;
+                       break;
+       }
+
+       if (new_hl != ip6h->hop_limit) {
+               diffs[0] = htons(((unsigned)ip6h->hop_limit) << 8) ^ 0xFFFF;
+               ip6h->hop_limit = new_hl;
+               diffs[1] = htons(((unsigned)ip6h->hop_limit) << 8);
+       }
+
+       return IP6T_CONTINUE;
+}
+
+static int ip6t_hl_checkentry(const char *tablename,
+               const struct ip6t_entry *e,
+               void *targinfo,
+               unsigned int targinfosize,
+               unsigned int hook_mask)
+{
+       struct ip6t_HL_info *info = targinfo;
+
+       if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_HL_info))) {
+               printk(KERN_WARNING "HL: targinfosize %u != %Zu\n",
+                               targinfosize,
+                               IP6T_ALIGN(sizeof(struct ip6t_HL_info)));
+               return 0;       
+       }       
+
+       if (strcmp(tablename, "mangle")) {
+               printk(KERN_WARNING "HL: can only be called from \"mangle\" 
table, not \"%s\"\n", tablename);
+               return 0;
+       }
+
+       if (info->mode > IP6T_HL_MAXMODE) {
+               printk(KERN_WARNING "HL: invalid or unknown Mode %u\n", 
+                       info->mode);
+               return 0;
+       }
+
+       if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) {
+               printk(KERN_WARNING "HL: increment/decrement doesn't make sense 
with value 0\n");
+               return 0;
+       }
+       
+       return 1;
+}
+
+static struct ip6t_target ip6t_HL = { 
+       .name           = "HL", 
+       .target         = ip6t_hl_target, 
+       .checkentry     = ip6t_hl_checkentry, 
+       .me             = THIS_MODULE
+};
+
+static int __init init(void)
+{
+       return ip6t_register_target(&ip6t_HL);
+}
+
+static void __exit fini(void)
+{
+       ip6t_unregister_target(&ip6t_HL);
+}
+
+module_init(init);
+module_exit(fini);
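Review bot: In `ip6t_hl_target`, `diffs[0]` and `diffs[1]` are computed but never read; they look like a leftover from the IPv4 TTL module's checksum update, and the IPv6 header has no checksum to patch. The `u_int16_t diffs[2];` declaration and both assignments can go, leaving `if (new_hl != ip6h->hop_limit) ip6h->hop_limit = new_hl;`. The function also writes the header in place with no visible step that ensures the skb data is private and writable; if the buffer can be shared or cloned at this hook, the tree's helper for making skb data writable should be called first and the header pointer re-read afterwards. The file includes `<linux/ip.h>` although it only uses `struct ipv6hdr`.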

Modified: netfilter-2.6/patch-o-matic-ng/trunk/status
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/status (original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/status Thu Jul 28 11:04:10 2005
@@ -13,10 +13,10 @@
 goto                   2005/07/27      added
 h323-conntrack-nat     2005/07/27      updated
 hashlimit                              updated
-HOPLIMIT                               added
-IPMARK                                 added
+HOPLIMIT               2005/07/27      added
+IPMARK                 2005/07/27      added
 ipp2p                                  added+updated   (v0.7.4)
-ip_queue_vmark                         added
+ip_queue_vmark         2005/07/27      added
 iprange                                        updated
 ipv4options            2005/07/27      added
 IPV4OPTSSTRIP          2005/07/27      added