Author: baggins Date: Tue Aug 7 16:51:13 2007 GMT Module: SOURCES Tag: LINUX_2_6 ---- Log message: - patch-o-matic-ng-20070806
---- Files affected: SOURCES: kernel-pom-ng-TARPIT.patch (1.1.2.1 -> 1.1.2.2) , kernel-pom-ng-connlimit.patch (1.1.2.1 -> 1.1.2.2) , kernel-pom-ng-ipp2p.patch (1.1.2.1 -> 1.1.2.2) , kernel-pom-ng-set.patch (1.1.2.1 -> 1.1.2.2) , kernel-pom-ng-time.patch (1.1.2.1 -> 1.1.2.2) , kernel-pom-ng-u32.patch (1.1.2.1 -> 1.1.2.2) ---- Diffs: ================================================================ Index: SOURCES/kernel-pom-ng-TARPIT.patch diff -u SOURCES/kernel-pom-ng-TARPIT.patch:1.1.2.1 SOURCES/kernel-pom-ng-TARPIT.patch:1.1.2.2 --- SOURCES/kernel-pom-ng-TARPIT.patch:1.1.2.1 Wed May 30 13:53:30 2007 +++ SOURCES/kernel-pom-ng-TARPIT.patch Tue Aug 7 18:51:07 2007 
@@ -1,44 +1,7 @@ -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig ---- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 11:41:48.000000000 +0200 -+++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 11:42:48.000000000 +0200 -@@ -830,5 +830,22 @@ config IP_NF_TARGET_ROUTE - Documentation/modules.txt. The module will be called ipt_ROUTE.o. - If unsure, say `N'. - -+config IP_NF_TARGET_TARPIT -+ tristate 'TARPIT target support' -+ depends on IP_NF_FILTER -+ help -+ Adds a TARPIT target to iptables, which captures and holds -+ incoming TCP connections using no local per-connection resources. -+ Connections are accepted, but immediately switched to the persist -+ state (0 byte window), in which the remote side stops sending data -+ and asks to continue every 60-240 seconds. Attempts to close the -+ connection are ignored, forcing the remote side to time out the -+ connection in 12-24 minutes. -+ -+ This offers similar functionality to LaBrea -+ <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated -+ hardware or IPs. Any TCP port that you would normally DROP or REJECT -+ can instead become a tarpit. 
-+ - endmenu - -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile ---- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 11:41:48.000000000 +0200 -+++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 11:42:49.000000000 +0200 -@@ -99,6 +99,7 @@ obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ip - - # targets - obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o -+obj-$(CONFIG_IP_NF_TARGET_TARPIT) += ipt_TARPIT.o - obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o - obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o - obj-$(CONFIG_IP_NF_TARGET_IMQ) += ipt_IMQ.o -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_TARPIT.c linux-2.6.21.b/net/ipv4/netfilter/ipt_TARPIT.c ---- linux-2.6.21.a/net/ipv4/netfilter/ipt_TARPIT.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.b/net/ipv4/netfilter/ipt_TARPIT.c 2007-05-30 11:42:49.000000000 +0200 -@@ -0,0 +1,292 @@ +diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_TARPIT.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_TARPIT.c +--- linux-2.6.22/net/ipv4/netfilter/ipt_TARPIT.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_TARPIT.c 2007-08-07 18:38:14.000000000 +0200 +@@ -0,0 +1,291 @@ +/* + * Kernel module to capture and hold incoming TCP connections using + * no local per-connection resources. @@ -87,7 +50,6 @@ +#include <net/route.h> +#include <linux/random.h> +#include <linux/netfilter_ipv4/ip_tables.h> -+#include <linux/netfilter/x_tables.h> + +#if 0 +#define DEBUGP printk 
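Review bot: The `@@ -87,7 +50,6 @@` hunk removes `#include <linux/netfilter/x_tables.h>` from ipt_TARPIT.c, yet the registration hunk later in this file turns `ipt_tarpit_reg` into a `struct xt_target` with `.family = AF_INET`, so the file now depends on `<linux/netfilter_ipv4/ip_tables.h>` pulling x_tables.h in transitively. Keeping the direct include costs one line and makes that dependency explicit rather than incidental. The same include is dropped from the connlimit and ipp2p sources further down this page, where `struct xt_match` is likewise used on 2.6.21+ kernels.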
@@ -102,12 +64,11 @@ +static int ip_direct_send(struct sk_buff *skb) +{ + struct dst_entry *dst = skb->dst; -+ struct hh_cache *hh = dst->hh; + -+ if (hh) { -+ return neigh_hh_output(dst->hh, skb); -+ } else if (dst->neighbour) -+ return dst->neighbour->output(skb); ++ if (dst->hh) ++ return neigh_hh_output(dst->hh, skb); ++ else if (dst->neighbour) ++ return dst->neighbour->output(skb); + + if (net_ratelimit()) + printk(KERN_DEBUG "TARPIT ip_direct_send: no header cache and no neighbor!\n"); @@ -312,8 +273,9 @@ + return 1; +} + -+static struct ipt_target ipt_tarpit_reg = { ++static struct xt_target ipt_tarpit_reg = { + .name = "TARPIT", ++ .family = AF_INET, + .target = tarpit, + .checkentry = check, + .me = THIS_MODULE 
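Review bot: The rewritten branch in ip_direct_send dereferences `dst` unconditionally (`dst->hh`, then `dst->neighbour`) and nothing in the hunk establishes that `skb->dst` is non-NULL when the function is entered; if every caller attaches the output route first, a comment above the function such as `/* Requires skb->dst to be set by the caller; no NULL check here. */` records that contract, and if not, a NULL guard before the first dereference is needed. The change itself only folds the previous `hh` temporary into the condition and is otherwise equivalent. The tail of the function and its callers lie outside the hunk.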
@@ -331,3 +293,40 @@ + +module_init(init); +module_exit(fini); +diff -Nru linux-2.6.22/net/ipv4/netfilter/Kconfig linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig +--- linux-2.6.22/net/ipv4/netfilter/Kconfig 2007-07-09 01:32:17.000000000 +0200 ++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig 2007-08-07 18:38:14.000000000 +0200 +@@ -402,5 +402,22 @@ + Allows altering the ARP packet payload: source and destination + hardware and network addresses. + ++config IP_NF_TARGET_TARPIT ++ tristate 'TARPIT target support' ++ depends on IP_NF_FILTER ++ help ++ Adds a TARPIT target to iptables, which captures and holds ++ incoming TCP connections using no local per-connection resources. ++ Connections are accepted, but immediately switched to the persist ++ state (0 byte window), in which the remote side stops sending data ++ and asks to continue every 60-240 seconds. Attempts to close the ++ connection are ignored, forcing the remote side to time out the ++ connection in 12-24 minutes. ++ ++ This offers similar functionality to LaBrea ++ <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated ++ hardware or IPs. Any TCP port that you would normally DROP or REJECT ++ can instead become a tarpit. 
++ + endmenu + +diff -Nru linux-2.6.22/net/ipv4/netfilter/Makefile linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile +--- linux-2.6.22/net/ipv4/netfilter/Makefile 2007-07-09 01:32:17.000000000 +0200 ++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile 2007-08-07 18:38:14.000000000 +0200 +@@ -52,6 +52,7 @@ + + # targets + obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o ++obj-$(CONFIG_IP_NF_TARGET_TARPIT) += ipt_TARPIT.o + obj-$(CONFIG_IP_NF_TARGET_TOS) += ipt_TOS.o + obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o + obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o ================================================================ Index: SOURCES/kernel-pom-ng-connlimit.patch diff -u SOURCES/kernel-pom-ng-connlimit.patch:1.1.2.1 SOURCES/kernel-pom-ng-connlimit.patch:1.1.2.2 --- SOURCES/kernel-pom-ng-connlimit.patch:1.1.2.1 Wed May 30 13:53:30 2007 +++ SOURCES/kernel-pom-ng-connlimit.patch Tue Aug 7 18:51:08 2007 @@ -1,6 +1,6 @@ -diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_connlimit.h ---- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_connlimit.h 2007-05-30 12:04:08.000000000 +0200 +diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_connlimit.h +--- linux-2.6.22/include/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_connlimit.h 2007-08-07 18:38:25.000000000 +0200 @@ -0,0 +1,12 @@ +#ifndef _IPT_CONNLIMIT_H +#define _IPT_CONNLIMIT_H 
@@ -14,48 +14,16 @@ + struct ipt_connlimit_data *data; +}; +#endif /* _IPT_CONNLIMIT_H */ -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig ---- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 12:02:56.000000000 +0200 -+++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 12:04:08.000000000 +0200 -@@ -911,5 +911,15 @@ config IP_NF_TARGET_IPMARK - - - -+config IP_NF_MATCH_CONNLIMIT -+ tristate 'Connections/IP limit match support' -+ depends on IP_NF_IPTABLES -+ help -+ This match allows you to restrict the number of parallel TCP -+ connections to a server per client IP address (or address block). -+ -+ If you want to compile it as a module, say M here and read -+ Documentation/modules.txt. If unsure, say `N'. -+ - endmenu - -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile ---- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 12:02:56.000000000 +0200 -+++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 12:04:08.000000000 +0200 -@@ -90,6 +90,7 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o - obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o - obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o - obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o -+obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o - - obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o - -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.21.b/net/ipv4/netfilter/ipt_connlimit.c ---- linux-2.6.21.a/net/ipv4/netfilter/ipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.b/net/ipv4/netfilter/ipt_connlimit.c 2007-05-30 12:04:47.000000000 +0200 -@@ -0,0 +1,260 @@ +diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_connlimit.c +--- linux-2.6.22/net/ipv4/netfilter/ipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_connlimit.c 
2007-08-07 18:38:25.000000000 +0200 +@@ -0,0 +1,340 @@ +/* + * netfilter module to limit the number of parallel tcp + * connections per IP address. + * (c) 2000 Gerd Knorr <[EMAIL PROTECTED]> + * Nov 2002: Martin Bene <[EMAIL PROTECTED]>: + * only ignore TIME_WAIT or gone connections -+ * Feb 2007: Marek Guevara Braun <[EMAIL PROTECTED]>: -+ * from ip_conntrack to nf_conntrack + * + * based on ... + * @@ -66,11 +34,21 @@ +#include <linux/skbuff.h> +#include <linux/version.h> +#include <linux/list.h> -+#include <linux/netfilter/x_tables.h> ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) ++#define CONFIG_NF_CONNTRACK_SUPPORT ++#endif ++ ++#ifdef CONFIG_NF_CONNTRACK_SUPPORT +#include <net/netfilter/nf_conntrack.h> +#include <net/netfilter/nf_conntrack_core.h> -+#include <net/netfilter/ipv4/nf_conntrack_ipv4.h> -+#include <net/netfilter/nf_conntrack_compat.h> ++#include <linux/netfilter/nf_conntrack_tcp.h> ++#else ++#include <linux/netfilter_ipv4/ip_conntrack.h> ++#include <linux/netfilter_ipv4/ip_conntrack_core.h> ++#include <linux/netfilter_ipv4/ip_conntrack_tcp.h> ++#endif ++ +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter_ipv4/ipt_connlimit.h> + @@ -82,7 +60,11 @@ +struct ipt_connlimit_conn +{ + struct list_head list; ++#ifndef CONFIG_NF_CONNTRACK_SUPPORT ++ struct ip_conntrack_tuple tuple; ++#else + struct nf_conntrack_tuple tuple; ++#endif +}; + +struct ipt_connlimit_data { @@ -97,7 +79,12 @@ + +static int count_them(struct ipt_connlimit_data *data, + u_int32_t addr, u_int32_t mask, ++#ifndef CONFIG_NF_CONNTRACK_SUPPORT ++ struct ip_conntrack *ct) ++#else + struct nf_conn *ct) ++#endif ++ +{ +#if DEBUG + const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv", 
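Review bot: The new `CONFIG_NF_CONNTRACK_SUPPORT` macro in the includes hunk is selected purely by `LINUX_VERSION_CODE`, but the `CONFIG_` prefix belongs to Kconfig, and on kernels before 2.6.22 nf_conntrack versus ip_conntrack was a build-time choice rather than a version property, so an older tree built with nf_conntrack would still be pointed at the ip_conntrack headers. Keying on the real symbol, `#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)`, and giving the local macro a non-reserved name such as `CONNLIMIT_NF_CONNTRACK` would address both. The count_them signature hunk further along this line also adds a stray blank line between the closing `)` of the parameter list and the `{`.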
@@ -105,8 +92,13 @@ + "last_ack", "listen" }; +#endif + int addit = 1, matches = 0; ++#ifndef CONFIG_NF_CONNTRACK_SUPPORT ++ struct ip_conntrack_tuple tuple; ++ struct ip_conntrack_tuple_hash *found; ++#else + struct nf_conntrack_tuple tuple; + struct nf_conntrack_tuple_hash *found; ++#endif + struct ipt_connlimit_conn *conn; + struct list_head *hash,*lh; + @@ -116,11 +108,22 @@ + + /* check the saved connections */ + for (lh = hash->next; lh != hash; lh = lh->next) { ++#ifndef CONFIG_NF_CONNTRACK_SUPPORT ++ struct ip_conntrack *found_ct = NULL; ++ conn = list_entry(lh, struct ipt_connlimit_conn, list); ++ found = ip_conntrack_find_get(&conn->tuple, ct); ++#else + struct nf_conn *found_ct = NULL; -+ conn = list_entry(lh,struct ipt_connlimit_conn,list); -+ found = nf_conntrack_find_get(&conn->tuple,ct); ++ conn = list_entry(lh, struct ipt_connlimit_conn, list); ++ found = nf_conntrack_find_get(&conn->tuple, ct); ++#endif ++ + if (found != NULL ++#ifndef CONFIG_NF_CONNTRACK_SUPPORT ++ && (found_ct = tuplehash_to_ctrack(found)) != NULL ++#else + && (found_ct = nf_ct_tuplehash_to_ctrack(found)) != NULL ++#endif + && 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) + && found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) { + /* Just to be sure we have it only once in the list. @@ -131,8 +134,13 @@ +#if DEBUG + printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n", + ipt_iphash(addr & mask), ++#ifndef CONFIG_NF_CONNTRACK_SUPPORT + NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port), + NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port), ++#else ++ NIPQUAD(conn->tuple.src.u3.ip), ntohs(conn->tuple.src.u.tcp.port), ++ NIPQUAD(conn->tuple.dst.u3.ip), ntohs(conn->tuple.dst.u.tcp.port), ++#endif + (NULL != found) ? tcp[found_ct->proto.tcp.state] : "gone"); +#endif + if (NULL == found) { 
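Review bot: Each access to a tuple's IPv4 address in the count_them hunks is wrapped in its own `#ifndef CONFIG_NF_CONNTRACK_SUPPORT` / `#else` pair that differs only in `.ip` versus `.u3.ip` (the debug printk here, and the mask comparison and new-connection printk in the following hunks), which multiplies the lines a reader has to compare by four. A single accessor next to the conntrack includes, `#define TUPLE_IP(t, dir) ((t).dir.u3.ip)` in the nf_conntrack branch and `((t).dir.ip)` in the other, would collapse every site to one unconditional line. Only the address field differs between the two conntrack APIs at these sites; the lookup and tuplehash-to-conntrack calls genuinely need the split.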
@@ -151,7 +159,11 @@ + nf_conntrack_put(&found_ct->ct_general); + continue; + } ++#ifndef CONFIG_NF_CONNTRACK_SUPPORT ++ if ((addr & mask) == (conn->tuple.src.ip & mask)) { ++#else + if ((addr & mask) == (conn->tuple.src.u3.ip & mask)) { ++#endif + /* same source IP address -> be counted! */ + matches++; + } @@ -162,8 +174,14 @@ +#if DEBUG + printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n", + ipt_iphash(addr & mask), ++#ifndef CONFIG_NF_CONNTRACK_SUPPORT + NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port), + NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port)); ++#else ++ NIPQUAD(tuple.src.u3.ip), ntohs(tuple.src.u.tcp.port), ++ NIPQUAD(tuple.dst.u3.ip), ntohs(tuple.dst.u.tcp.port)); ++#endif ++ +#endif + conn = kmalloc(sizeof(*conn),GFP_ATOMIC); + if (NULL == conn) { @@ -196,16 +214,28 @@ +{ + const struct ipt_connlimit_info *info = matchinfo; + int connections, rv; ++#ifndef CONFIG_NF_CONNTRACK_SUPPORT ++ struct ip_conntrack *ct; ++ enum ip_conntrack_info ctinfo; ++ ++ ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo); ++#else + struct nf_conn *ct; + enum ip_conntrack_info ctinfo; + -+ ct = nf_ct_get(skb, &ctinfo); ++ ct = nf_ct_get((struct sk_buff *)skb, &ctinfo); ++#endif + if (NULL == ct) { + printk("ipt_connlimit: Oops: invalid ct state ?\n"); + *hotdrop = 1; + return 0; + } -+ connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct); ++ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) ++ connections = count_them(info->data, ip_hdr(skb)->saddr, info->mask, ct); ++#else ++ connections = count_them(info->data, skb->nh.iph->saddr, info->mask, ct); ++#endif + if (-1 == connections) { + printk("ipt_connlimit: Hmm, kmalloc failed :-(\n"); + *hotdrop = 1; /* let's free some memory :-) */ 
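Review bot: The two failure paths that match() keeps in the `@@ -196,16 +214,28 @@` hunk, `printk("ipt_connlimit: Oops: invalid ct state ?\n");` when no conntrack entry exists and the kmalloc-failure message after count_them, run in the per-packet path with neither a KERN_ level nor a `net_ratelimit()` guard, so a burst of untracked packets floods the kernel log; the commit rewrites the surrounding lines for both conntrack APIs but leaves these as they were. Wrapping each as `if (net_ratelimit()) printk(KERN_WARNING "ipt_connlimit: ...");` keeps the diagnostics without the flood. Separately, `nf_ct_get((struct sk_buff *)skb, &ctinfo)` casts away the const that match() receives; if the cast exists only for older prototypes, a short comment saying so would stop a reader from treating it as a mutation.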
@@ -222,17 +252,19 @@ + return rv; +} + -+static int check(const char *tablename, ++static int checkentry(const char *tablename, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16) + const void *ip_void, +#else -+ ++ const struct ipt_ip *ip, +#endif +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) + const struct xt_match *match, +#endif + void *matchinfo, -+ ++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) ++ unsigned int matchsize, ++#endif + unsigned int hook_mask) +{ +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16) @@ -265,7 +297,11 @@ +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) + const struct xt_match *match, +#endif ++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) ++ void *matchinfo, unsigned int matchsize) ++#else + void *matchinfo) ++#endif +{ + struct ipt_connlimit_info *info = matchinfo; + struct ipt_connlimit_conn *conn; 
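Review bot: The checkentry hunk adds an `unsigned int matchsize` parameter for kernels before 2.6.19, but nothing visible compares it with the expected size of `struct ipt_connlimit_info`; on kernels before 2.6.17, which per the registration hunk have no `.matchsize` field, that comparison is the only thing that stops a mismatched userspace from handing the module a short matchinfo buffer. Unless the body outside the hunk already does it, a guard under the same condition, `if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info))) return 0;`, belongs at the top of the function. The body of checkentry, and that of destroy() in the second hunk, continue outside the hunk.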
@@ -284,27 +320,71 @@ + kfree(info->data); +} + -+static struct xt_match connlimit_match = { ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) ++static struct xt_match connlimit_match = { ++#else ++static struct ipt_match connlimit_match = { ++#endif + .name = "connlimit", -+ .family = AF_INET, ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) ++ .family = AF_INET, ++#endif + .match = &match, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) + .matchsize = sizeof(struct ipt_connlimit_info), +#endif -+ .checkentry = &check, ++ .checkentry = &checkentry, + .destroy = &destroy, + .me = THIS_MODULE +}; + +static int __init init(void) +{ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) + return xt_register_match(&connlimit_match); ++#else ++ return ipt_register_match(&connlimit_match); ++#endif +} + +static void __exit fini(void) +{ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) + xt_unregister_match(&connlimit_match); ++#else ++ ipt_unregister_match(&connlimit_match); ++#endif +} + +module_init(init); +module_exit(fini); +diff -Nru linux-2.6.22/net/ipv4/netfilter/Kconfig linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig +--- linux-2.6.22/net/ipv4/netfilter/Kconfig 2007-07-09 01:32:17.000000000 +0200 ++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Kconfig 2007-08-07 18:38:25.000000000 +0200 +@@ -402,5 +402,15 @@ + Allows altering the ARP packet payload: source and destination + hardware and network addresses. + ++config IP_NF_MATCH_CONNLIMIT ++ tristate 'Connections/IP limit match support' ++ depends on IP_NF_IPTABLES ++ help ++ This match allows you to restrict the number of parallel TCP ++ connections to a server per client IP address (or address block). ++ ++ If you want to compile it as a module, say M here and read ++ Documentation/modules.txt. If unsure, say `N'. 
++ + endmenu + +diff -Nru linux-2.6.22/net/ipv4/netfilter/Makefile linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile +--- linux-2.6.22/net/ipv4/netfilter/Makefile 2007-07-09 01:32:17.000000000 +0200 ++++ linux-2.6.22-pom2patch/net/ipv4/netfilter/Makefile 2007-08-07 18:38:25.000000000 +0200 +@@ -44,6 +44,7 @@ + obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o + obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o + obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o ++obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o + obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o + obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o + obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o ================================================================ Index: SOURCES/kernel-pom-ng-ipp2p.patch diff -u SOURCES/kernel-pom-ng-ipp2p.patch:1.1.2.1 SOURCES/kernel-pom-ng-ipp2p.patch:1.1.2.2 --- SOURCES/kernel-pom-ng-ipp2p.patch:1.1.2.1 Wed May 30 13:53:30 2007 +++ SOURCES/kernel-pom-ng-ipp2p.patch Tue Aug 7 18:51:08 2007 @@ -1,6 +1,6 @@ -diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipp2p.h ---- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-05-30 12:10:42.000000000 +0200 +diff -Nru linux-2.6.22/include/linux/netfilter_ipv4/ipt_ipp2p.h linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_ipp2p.h +--- linux-2.6.22/include/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.22-pom2patch/include/linux/netfilter_ipv4/ipt_ipp2p.h 2007-08-07 18:38:54.000000000 +0200 @@ -0,0 +1,31 @@ +#ifndef __IPT_IPP2P_H +#define __IPT_IPP2P_H 
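Review bot: The Kconfig entry added at the end of the `@@ -284,27 +320,71 @@` hunk declares `depends on IP_NF_IPTABLES` only, while the module calls `nf_ct_get`, `nf_conntrack_find_get` and `nf_conntrack_put`, so a configuration with iptables but without connection tracking can still select IP_NF_MATCH_CONNLIMIT and fail to build or link. `depends on IP_NF_IPTABLES && NF_CONNTRACK` states the real requirement for the nf_conntrack path, and one sentence in the help text naming that dependency would save users a failed build. The registration part of the hunk follows the same 2.6.21 `#if` ladder as the ipp2p patch below.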
@@ -33,46 +33,15 @@ +#define IPP2P_MUTE (1 << 14) +#define IPP2P_WASTE (1 << 15) +#define IPP2P_XDCC (1 << 16) -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig ---- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 12:09:52.000000000 +0200 -+++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 12:10:42.000000000 +0200 -@@ -937,5 +937,15 @@ config IP_NF_MATCH_GEOIP - called `ipt_geoip'. If unsure, say `N'. - - -+config IP_NF_MATCH_IPP2P -+ tristate 'IPP2P match support' -+ depends on IP_NF_IPTABLES -+ help -+ This option makes possible to match some P2P packets -+ therefore helps controlling such traffic. -+ -+ If you want to compile it as a module, say M here and read -+ <file:Documentation/modules.txt>. If unsure, say `N'. -+ - endmenu - -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile ---- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 12:09:52.000000000 +0200 -+++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 12:10:42.000000000 +0200 -@@ -95,6 +95,7 @@ obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += i - obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o - - obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o -+obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o - obj-$(CONFIG_IP_NF_MATCH_GEOIP) += ipt_geoip.o - obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o - obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o -diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.21.b/net/ipv4/netfilter/ipt_ipp2p.c ---- linux-2.6.21.a/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.21.b/net/ipv4/netfilter/ipt_ipp2p.c 2007-05-30 12:10:42.000000000 +0200 -@@ -0,0 +1,888 @@ +diff -Nru linux-2.6.22/net/ipv4/netfilter/ipt_ipp2p.c linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_ipp2p.c +--- linux-2.6.22/net/ipv4/netfilter/ipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 ++++ 
linux-2.6.22-pom2patch/net/ipv4/netfilter/ipt_ipp2p.c 2007-08-07 18:38:54.000000000 +0200 +@@ -0,0 +1,904 @@ +#if defined(MODVERSIONS) +#include <linux/modversions.h> +#endif +#include <linux/module.h> +#include <linux/version.h> -+#include <linux/netfilter/x_tables.h> +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter_ipv4/ipt_ipp2p.h> +#include <net/tcp.h> @@ -816,7 +785,11 @@ +{ + const struct ipt_p2p_info *info = matchinfo; + unsigned char *haystack; ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) ++ struct iphdr *ip = ip_hdr(skb); ++#else + struct iphdr *ip = skb->nh.iph; ++#endif + int p2p_result = 0, i = 0; +// int head_len; + int hlen = ntohs(ip->tot_len)-(ip->ihl*4); /*hlen = packet-data length*/ @@ -916,8 +889,11 @@ + + + -+ -+static struct xt_match ipp2p_match = { ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) ++static struct xt_match ipp2p_match = { ++#else ++static struct ipt_match ipp2p_match = { ++#endif +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) + { NULL, NULL }, + "ipp2p", @@ -928,7 +904,9 @@ +#endif +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) + .name = "ipp2p", -+ .family = AF_INET, ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) ++ .family = AF_INET, ++#endif + .match = &match, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) + .matchsize = sizeof(struct ipt_p2p_info), @@ -942,12 +920,20 @@ +static int __init init(void) +{ + printk(KERN_INFO "IPP2P v%s loading\n", IPP2P_VERSION); ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) + return xt_register_match(&ipp2p_match); ++#else ++ return ipt_register_match(&ipp2p_match); ++#endif +} + +static void __exit fini(void) +{ ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) + xt_unregister_match(&ipp2p_match); ++#else ++ ipt_unregister_match(&ipp2p_match); ++#endif + printk(KERN_INFO "IPP2P v%s unloaded\n", IPP2P_VERSION); +} + 
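Review bot: `hlen` in the match() hunk is still taken from the header field, `int hlen = ntohs(ip->tot_len)-(ip->ihl*4);`, and the hunk shows no check that those bytes are actually present and linear in the skb; the change only swaps how `ip` is obtained. If the IP layer's length validation is what the code relies on, a comment above that line saying so would help the next reader, and where that cannot be relied on a guard such as `if (ntohs(ip->tot_len) > skb->len) return 0;` before computing hlen keeps the later search inside the buffer on both the `ip_hdr(skb)` and `skb->nh.iph` paths. How `haystack` is derived and the rest of match() lie outside the hunk.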
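Review bot: The `ipp2p_match` definition in the `@@ -916,8 +889,11 @@` hunk now carries three layers of version conditionals — a `#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)` positional initializer for 2.4, the 2.6 designated initializer, and inside it the new 2.6.21 split for `struct xt_match` and `.family` — in a patch that, going by its headers, is generated against a 2.6.22 tree, and the init/fini hunk repeats the 2.6.21 split for `xt_register_match` versus `ipt_register_match`. Dropping the 2.4 branch would remove lines that can no longer be exercised here, and choosing the register/unregister pair once at the top (e.g. `#define IPP2P_REGISTER(m) xt_register_match(m)` with its `ipt_` counterpart in the `#else`) would keep init and fini to one call each. The same ladder appears in the connlimit registration hunk earlier on this page.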
@@ -955,3 +941,33 @@ +module_exit(fini); + <<Diff was trimmed, longer than 597 lines>> ---- CVS-web: http://cvs.pld-linux.org/SOURCES/kernel-pom-ng-TARPIT.patch?r1=1.1.2.1&r2=1.1.2.2&f=u http://cvs.pld-linux.org/SOURCES/kernel-pom-ng-connlimit.patch?r1=1.1.2.1&r2=1.1.2.2&f=u http://cvs.pld-linux.org/SOURCES/kernel-pom-ng-ipp2p.patch?r1=1.1.2.1&r2=1.1.2.2&f=u http://cvs.pld-linux.org/SOURCES/kernel-pom-ng-set.patch?r1=1.1.2.1&r2=1.1.2.2&f=u http://cvs.pld-linux.org/SOURCES/kernel-pom-ng-time.patch?r1=1.1.2.1&r2=1.1.2.2&f=u http://cvs.pld-linux.org/SOURCES/kernel-pom-ng-u32.patch?r1=1.1.2.1&r2=1.1.2.2&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
