Author: cieciwa                      Date: Thu May  4 09:09:24 2006 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- new netfilter snapshot [no diffs from 20060329]

---- Files affected:
SOURCES:
   pom-ng-IPV4OPTSSTRIP-20060504.patch (NONE -> 1.1.2.1)  (NEW), 
pom-ng-connlimit-20060504.patch (NONE -> 1.1.2.1)  (NEW), 
pom-ng-expire-20060504.patch (NONE -> 1.1.2.1)  (NEW), 
pom-ng-fuzzy-20060504.patch (NONE -> 1.1.2.1)  (NEW), 
pom-ng-ipv4options-20060504.patch (NONE -> 1.1.2.1)  (NEW), 
pom-ng-nth-20060504.patch (NONE -> 1.1.2.1)  (NEW), pom-ng-osf-20060504.patch 
(NONE -> 1.1.2.1)  (NEW), pom-ng-psd-20060504.patch (NONE -> 1.1.2.1)  (NEW), 
pom-ng-quota-20060504.patch (NONE -> 1.1.2.1)  (NEW), 
pom-ng-random-20060504.patch (NONE -> 1.1.2.1)  (NEW), 
pom-ng-set-20060504.patch (NONE -> 1.1.2.1)  (NEW), pom-ng-time-20060504.patch 
(NONE -> 1.1.2.1)  (NEW), pom-ng-u32-20060504.patch (NONE -> 1.1.2.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/pom-ng-IPV4OPTSSTRIP-20060504.patch
diff -u /dev/null SOURCES/pom-ng-IPV4OPTSSTRIP-20060504.patch:1.1.2.1
--- /dev/null   Thu May  4 11:09:24 2006
+++ SOURCES/pom-ng-IPV4OPTSSTRIP-20060504.patch Thu May  4 11:09:19 2006
@@ -0,0 +1,120 @@
+ Kconfig             |   10 +++++
+ Makefile            |    1 
+ ipt_IPV4OPTSSTRIP.c |   87 
++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 98 insertions(+)
+
+diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig 
linux/net/ipv4/netfilter/Kconfig
+--- linux.org/net/ipv4/netfilter/Kconfig       2006-05-02 23:38:44.000000000 
+0200
++++ linux/net/ipv4/netfilter/Kconfig   2006-05-04 09:57:42.000000000 +0200
+@@ -606,5 +606,15 @@
+         Allows altering the ARP packet payload: source and destination
+         hardware and network addresses.
+ 
++config IP_NF_TARGET_IPV4OPTSSTRIP
++      tristate  'IPV4OPTSSTRIP target support'
++      depends on IP_NF_MANGLE
++      help
++        This option adds an IPV4OPTSSTRIP target.
++        This target allows you to strip all IP options in a packet.
++       
++        If you want to compile it as a module, say M here and read
++        Documentation/modules.txt.  If unsure, say `N'.
++
+ endmenu
+ 
+diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile 
linux/net/ipv4/netfilter/Makefile
+--- linux.org/net/ipv4/netfilter/Makefile      2006-05-02 23:38:44.000000000 
+0200
++++ linux/net/ipv4/netfilter/Makefile  2006-05-04 09:57:42.000000000 +0200
+@@ -0,0 +0,1 @@
++obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
+diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 
linux/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
+--- linux.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c   1970-01-01 
01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c       2006-05-04 
09:57:42.000000000 +0200
+@@ -0,0 +1,87 @@
++/**
++ * Strip all IP options in the IP packet header.
++ *
++ * (C) 2001 by Fabrice MARIE <[EMAIL PROTECTED]>
++ * This software is distributed under GNU GPL v2, 1991
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <net/ip.h>
++#include <net/checksum.h>
++
++#include <linux/netfilter_ipv4/ip_tables.h>
++
++MODULE_AUTHOR("Fabrice MARIE <[EMAIL PROTECTED]>");
++MODULE_DESCRIPTION("Strip all options in IPv4 packets");
++MODULE_LICENSE("GPL");
++
++static unsigned int
++target(struct sk_buff **pskb,
++       const struct net_device *in,
++       const struct net_device *out,
++       unsigned int hooknum,
++       const void *targinfo,
++       void *userinfo)
++{
++      struct iphdr *iph;
++      struct sk_buff *skb;
++      struct ip_options *opt;
++      unsigned char *optiph;
++      int l;
++      
++      if (!skb_make_writable(pskb, (*pskb)->len))
++              return NF_DROP;
++ 
++      skb = (*pskb);
++      iph = (*pskb)->nh.iph;
++      optiph = skb->nh.raw;
++      l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
++
++      /* if no options in packet then nothing to clear. */
++      if (iph->ihl * 4 == sizeof(struct iphdr))
++              return IPT_CONTINUE;
++
++      /* else clear all options */
++      memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
++      memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
++      opt = &(IPCB(skb)->opt);
++      opt->is_data = 0;
++      opt->optlen = l;
++
++        return IPT_CONTINUE;
++}
++
++static int
++checkentry(const char *tablename,
++         const struct ipt_entry *e,
++           void *targinfo,
++           unsigned int targinfosize,
++           unsigned int hook_mask)
++{
++      if (strcmp(tablename, "mangle")) {
++              printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from 
\"mangle\" table, not \"%s\"\n", tablename);
++              return 0;
++      }
++      /* nothing else to check because no parameters */
++      return 1;
++}
++
++static struct ipt_target ipt_ipv4optsstrip_reg = { 
++      .name = "IPV4OPTSSTRIP",
++      .target = target,
++      .checkentry = checkentry,
++      .me = THIS_MODULE };
++
++static int __init init(void)
++{
++      return ipt_register_target(&ipt_ipv4optsstrip_reg);
++}
++
++static void __exit fini(void)
++{
++      ipt_unregister_target(&ipt_ipv4optsstrip_reg);
++}
++
++module_init(init);
++module_exit(fini);
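Review bot: In `target()` the option bytes are overwritten with `IPOPT_NOOP` but the IPv4 header checksum is never recomputed, so a packet that carried options leaves this target with a stale `iph->check`. Calling `ip_send_check(iph);` after the second `memset` would fix that (`net/checksum.h` is included, but nothing from it is used). The length `l` is also read from `IPCB(skb)->opt.optlen` rather than from the header that was just tested; if the control block has not been filled in at the hook where the rule runs (not visible here), `l` is 0 and nothing is stripped, or it disagrees with `ihl`. Deriving it from the packet, `l = iph->ihl * 4 - sizeof(struct iphdr);`, keeps the write inside the header that `iph->ihl` describes. `checkentry()` restricts the table but ignores `hook_mask`, so this applies to every mangle hook.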

================================================================
Index: SOURCES/pom-ng-connlimit-20060504.patch
diff -u /dev/null SOURCES/pom-ng-connlimit-20060504.patch:1.1.2.1
--- /dev/null   Thu May  4 11:09:24 2006
+++ SOURCES/pom-ng-connlimit-20060504.patch     Thu May  4 11:09:19 2006
@@ -0,0 +1,279 @@
+ include/linux/netfilter_ipv4/ipt_connlimit.h |   12 +
+ net/ipv4/netfilter/Kconfig                   |   10 +
+ net/ipv4/netfilter/Makefile                  |    1 
+ net/ipv4/netfilter/ipt_connlimit.c           |  228 
+++++++++++++++++++++++++++
+ 4 files changed, 251 insertions(+)
+
+diff -Nur --exclude '*.orig' 
linux.org/include/linux/netfilter_ipv4/ipt_connlimit.h 
linux/include/linux/netfilter_ipv4/ipt_connlimit.h
+--- linux.org/include/linux/netfilter_ipv4/ipt_connlimit.h     1970-01-01 
01:00:00.000000000 +0100
++++ linux/include/linux/netfilter_ipv4/ipt_connlimit.h 2006-05-04 
10:02:23.000000000 +0200
+@@ -0,0 +1,12 @@
++#ifndef _IPT_CONNLIMIT_H
++#define _IPT_CONNLIMIT_H
++
++struct ipt_connlimit_data;
++
++struct ipt_connlimit_info {
++      int limit;
++      int inverse;
++      u_int32_t mask;
++      struct ipt_connlimit_data *data;
++};
++#endif /* _IPT_CONNLIMIT_H */
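Review bot: The last member of `struct ipt_connlimit_info`, `struct ipt_connlimit_data *data`, is a kernel pointer stored inside the match's rule payload; `check()` in ipt_connlimit.c fills it in with `kmalloc()`. A pointer here makes the structure size depend on the word size of whoever builds it, so the `matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info))` test in `check()` would presumably reject a 32-bit iptables binary on a 64-bit kernel. If the rule blob is copied back to user space (not visible in this patch), the member would also disclose a kernel heap address. At minimum the member should carry a comment such as `/* kernel-private: set by checkentry, ignored on input */` so the contract is documented.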
+diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig 
linux/net/ipv4/netfilter/Kconfig
+--- linux.org/net/ipv4/netfilter/Kconfig       2006-05-02 23:38:44.000000000 
+0200
++++ linux/net/ipv4/netfilter/Kconfig   2006-05-04 10:02:23.000000000 +0200
+@@ -606,5 +606,15 @@
+         Allows altering the ARP packet payload: source and destination
+         hardware and network addresses.
+ 
++config IP_NF_MATCH_CONNLIMIT
++      tristate  'Connections/IP limit match support'
++      depends on IP_NF_IPTABLES
++      help
++        This match allows you to restrict the number of parallel TCP
++        connections to a server per client IP address (or address block).
++      
++        If you want to compile it as a module, say M here and read
++        Documentation/modules.txt.  If unsure, say `N'.
++
+ endmenu
+ 
+diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile 
linux/net/ipv4/netfilter/Makefile
+--- linux.org/net/ipv4/netfilter/Makefile      2006-05-02 23:38:44.000000000 
+0200
++++ linux/net/ipv4/netfilter/Makefile  2006-05-04 10:02:23.000000000 +0200
+@@ -0,0 +0,1 @@
++obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
+diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_connlimit.c 
linux/net/ipv4/netfilter/ipt_connlimit.c
+--- linux.org/net/ipv4/netfilter/ipt_connlimit.c       1970-01-01 
01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ipt_connlimit.c   2006-05-04 10:02:23.000000000 
+0200
+@@ -0,0 +1,229 @@
++/*
++ * netfilter module to limit the number of parallel tcp
++ * connections per IP address.
++ *   (c) 2000 Gerd Knorr <[EMAIL PROTECTED]>
++ *   Nov 2002: Martin Bene <[EMAIL PROTECTED]>:
++ *            only ignore TIME_WAIT or gone connections
++ *
++ * based on ...
++ *
++ * Kernel module to match connection tracking information.
++ * GPL (C) 1999  Rusty Russell ([EMAIL PROTECTED]).
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/list.h>
++#include <linux/netfilter_ipv4/ip_conntrack.h>
++#include <linux/netfilter_ipv4/ip_conntrack_core.h>
++#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_connlimit.h>
++
++#define DEBUG 0
++
++MODULE_LICENSE("GPL");
++
++/* we'll save the tuples of all connections we care about */
++struct ipt_connlimit_conn
++{
++        struct list_head list;
++      struct ip_conntrack_tuple tuple;
++};
++
++struct ipt_connlimit_data {
++      spinlock_t lock;
++      struct list_head iphash[256];
++};
++
++static inline unsigned ipt_iphash(const unsigned addr)
++{
++      return ((addr ^ (addr >> 8) ^ (addr >> 16) ^ (addr >> 24)) & 0xff);
++}
++
++static int count_them(struct ipt_connlimit_data *data,
++                    u_int32_t addr, u_int32_t mask,
++                    struct ip_conntrack *ct)
++{
++#if DEBUG
++      const static char *tcp[] = { "none", "established", "syn_sent", 
"syn_recv",
++                                   "fin_wait", "time_wait", "close", 
"close_wait",
++                                   "last_ack", "listen" };
++#endif
++      int addit = 1, matches = 0;
++      struct ip_conntrack_tuple tuple;
++      struct ip_conntrack_tuple_hash *found;
++      struct ipt_connlimit_conn *conn;
++      struct list_head *hash,*lh;
++
++      spin_lock_bh(&data->lock);
++      tuple = ct->tuplehash[0].tuple;
++      hash = &data->iphash[ipt_iphash(addr & mask)];
++
++      /* check the saved connections */
++      for (lh = hash->next; lh != hash; lh = lh->next) {
++              struct ip_conntrack *found_ct = NULL;
++              conn = list_entry(lh,struct ipt_connlimit_conn,list);
++              found = ip_conntrack_find_get(&conn->tuple,ct);
++               if (found != NULL 
++                   && (found_ct = tuplehash_to_ctrack(found)) != NULL
++                   && 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) 
++                   && found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
++                      /* Just to be sure we have it only once in the list.
++                         We should'nt see tuples twice unless someone hooks 
this
++                         into a table without "-p tcp --syn" */
++                      addit = 0;
++              }
++#if DEBUG
++              printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d 
dst=%u.%u.%u.%u:%d %s\n",
++                     ipt_iphash(addr & mask),
++                     NIPQUAD(conn->tuple.src.ip), 
ntohs(conn->tuple.src.u.tcp.port),
++                     NIPQUAD(conn->tuple.dst.ip), 
ntohs(conn->tuple.dst.u.tcp.port),
++                     (NULL != found) ? tcp[found_ct->proto.tcp.state] : 
"gone");
++#endif
++              if (NULL == found) {
++                      /* this one is gone */
++                      lh = lh->prev;
++                      list_del(lh->next);
++                      kfree(conn);
++                      continue;
++              }
++              if (found_ct->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) {
++                      /* we don't care about connections which are
++                         closed already -> ditch it */
++                      lh = lh->prev;
++                      list_del(lh->next);
++                      kfree(conn);
++                      nf_conntrack_put(&found_ct->ct_general);
++                      continue;
++              }
++              if ((addr & mask) == (conn->tuple.src.ip & mask)) {
++                      /* same source IP address -> be counted! */
++                      matches++;
++              }
++              nf_conntrack_put(&found_ct->ct_general);
++      }
++      if (addit) {
++              /* save the new connection in our list */
++#if DEBUG
++              printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d 
dst=%u.%u.%u.%u:%d new\n",
++                     ipt_iphash(addr & mask),
++                     NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
++                     NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
++#endif
++              conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
++              if (NULL == conn) {
++                      spin_unlock_bh(&data->lock);
++                      return -1;
++              }
++              memset(conn,0,sizeof(*conn));
++              INIT_LIST_HEAD(&conn->list);
++              conn->tuple = tuple;
++              list_add(&conn->list,hash);
++              matches++;
++      }
++      spin_unlock_bh(&data->lock);
++      return matches;
++}
++
++static int
++match(const struct sk_buff *skb,
++      const struct net_device *in,
++      const struct net_device *out,
++      const void *matchinfo,
++      int offset,
++      unsigned int protoff,
++      int *hotdrop)
++{
++      const struct ipt_connlimit_info *info = matchinfo;
++      int connections, match;
++      struct ip_conntrack *ct;
++      enum ip_conntrack_info ctinfo;
++
++      ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
++      if (NULL == ct) {
++              printk("ipt_connlimit: Oops: invalid ct state ?\n");
++              *hotdrop = 1;
++              return 0;
++      }
++      connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct);
++      if (-1 == connections) {
++              printk("ipt_connlimit: Hmm, kmalloc failed :-(\n");
++              *hotdrop = 1; /* let's free some memory :-) */
++              return 0;
++      }
++        match = (info->inverse) ? (connections <= info->limit) : (connections 
> info->limit);
++#if DEBUG
++      printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u "
++             "connections=%d limit=%d match=%s\n",
++             NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask),
++             connections, info->limit, match ? "yes" : "no");
++#endif
++
++      return match;
++}
++
++static int check(const char *tablename,
++               const struct ipt_ip *ip,
++               void *matchinfo,
++               unsigned int matchsize,
++               unsigned int hook_mask)
++{
++      struct ipt_connlimit_info *info = matchinfo;
++      int i;
++
++      /* verify size */
++      if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info)))
++              return 0;
++
++      /* refuse anything but tcp */
++      if (ip->proto != IPPROTO_TCP)
++              return 0;
++
++      /* init private data */
++      info->data = kmalloc(sizeof(struct ipt_connlimit_data),GFP_KERNEL);
++      spin_lock_init(&(info->data->lock));
++      for (i = 0; i < 256; i++)
++              INIT_LIST_HEAD(&(info->data->iphash[i]));
++      
++      return 1;
++}
++
++static void destroy(void *matchinfo, unsigned int matchinfosize)
++{
++      struct ipt_connlimit_info *info = matchinfo;
++      struct ipt_connlimit_conn *conn;
++      struct list_head *hash;
++      int i;
++
++      /* cleanup */
++      for (i = 0; i < 256; i++) {
++              hash = &(info->data->iphash[i]);
++              while (hash != hash->next) {
++                      conn = list_entry(hash->next,struct 
ipt_connlimit_conn,list);
++                      list_del(hash->next);
++                      kfree(conn);
++              }
++      }
++      kfree(info->data);
++}
++
++static struct ipt_match connlimit_match = { 
++      .name = "connlimit",
++      .match = &match,
++      .checkentry = &check,
++      .destroy = &destroy,
++      .me = THIS_MODULE
++};
++
++static int __init init(void)
++{
++      return ipt_register_match(&connlimit_match);
++}
++
++static void __exit fini(void)
++{
++      ipt_unregister_match(&connlimit_match);
++}
++
++module_init(init);
++module_exit(fini);
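Review bot: `check()` passes the result of `kmalloc(sizeof(struct ipt_connlimit_data), GFP_KERNEL)` straight to `spin_lock_init(&(info->data->lock))`, so an allocation failure while a rule is being loaded becomes a NULL dereference in the kernel. Add `if (info->data == NULL) return 0;` directly after the allocation. Separately, for every packet the rule sees, `count_them()` walks a whole hash bucket under `spin_lock_bh` and calls `ip_conntrack_find_get()` for each saved tuple. Entries are pruned only during such a walk, so the per-packet cost grows with the number of saved connections in that bucket. The comment in that loop expects the rule to be used with `-p tcp --syn`, but `check()` verifies only `ip->proto`, so that expectation deserves a line in the Kconfig help text or the file header.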

================================================================
Index: SOURCES/pom-ng-expire-20060504.patch
diff -u /dev/null SOURCES/pom-ng-expire-20060504.patch:1.1.2.1
--- /dev/null   Thu May  4 11:09:24 2006
+++ SOURCES/pom-ng-expire-20060504.patch        Thu May  4 11:09:19 2006
@@ -0,0 +1,1269 @@
+ include/linux/netfilter_ipv4/ipt_expire.h  |   32 +
+ include/linux/netfilter_ipv6/ip6t_expire.h |   32 +
+ net/ipv4/netfilter/Kconfig                 |   11 
+ net/ipv4/netfilter/Makefile                |    1 
+ net/ipv4/netfilter/ipt_expire.c            |  563 ++++++++++++++++++++++++++++
+ net/ipv6/netfilter/Kconfig                 |   11 
+ net/ipv6/netfilter/Makefile                |    1 
+ net/ipv6/netfilter/ip6t_expire.c           |  566 
+++++++++++++++++++++++++++++
+ 8 files changed, 1217 insertions(+)
+
+diff -Nur --exclude '*.orig' 
linux.org/include/linux/netfilter_ipv4/ipt_expire.h 
linux/include/linux/netfilter_ipv4/ipt_expire.h
+--- linux.org/include/linux/netfilter_ipv4/ipt_expire.h        1970-01-01 
01:00:00.000000000 +0100
++++ linux/include/linux/netfilter_ipv4/ipt_expire.h    2006-05-04 
10:04:04.000000000 +0200
+@@ -0,0 +1,32 @@
++/* This module matches until it expires, at which point the entire
++ * rule is deleted
++ *
++ * This module is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This module is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this module; if not, write to:
++ *      The Free Software Foundation, Inc.
++ *      59 Temple Place, Suite 330
++ *      Boston, MA  02111-1307  USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#ifndef __IPT_EXPIRE_H
++#define __IPT_EXPIRE_H
++
++#include <linux/types.h>
++
++struct ipt_exp_info {
++      time_t expiration;
++};
++
++#endif
+diff -Nur --exclude '*.orig' 
linux.org/include/linux/netfilter_ipv6/ip6t_expire.h 
linux/include/linux/netfilter_ipv6/ip6t_expire.h
+--- linux.org/include/linux/netfilter_ipv6/ip6t_expire.h       1970-01-01 
01:00:00.000000000 +0100
++++ linux/include/linux/netfilter_ipv6/ip6t_expire.h   2006-05-04 
10:04:04.000000000 +0200
+@@ -0,0 +1,32 @@
++/* This module matches until it expires, at which point the entire
++ * rule is deleted
++ *
++ * This module is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This module is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this module; if not, write to:
++ *      The Free Software Foundation, Inc.
++ *      59 Temple Place, Suite 330
++ *      Boston, MA  02111-1307  USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#ifndef __IP6T_EXPIRE_H
++#define __IP6T_EXPIRE_H
++
++#include <linux/types.h>
++
++struct ip6t_exp_info {
++      time_t expiration;
++};
++
++#endif
+diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Kconfig 
linux/net/ipv4/netfilter/Kconfig
+--- linux.org/net/ipv4/netfilter/Kconfig       2006-05-02 23:38:44.000000000 
+0200
++++ linux/net/ipv4/netfilter/Kconfig   2006-05-04 10:04:04.000000000 +0200
+@@ -606,5 +606,16 @@
+         Allows altering the ARP packet payload: source and destination
+         hardware and network addresses.
+ 
++config IP_NF_MATCH_EXPIRE
++      tristate  'expiring match support'
++      depends on IP_NF_IPTABLES
++      help
++        This option adds an expiring match, which allows you to add
++        rules to your iptables ruleset which will later be removed
++        automatically.
++
++        If you want to compile it as a module, say M here and read
++        Documentation/modules.txt.  If unsure, say `N'.
++
+ endmenu
+ 
+diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/Makefile 
linux/net/ipv4/netfilter/Makefile
+--- linux.org/net/ipv4/netfilter/Makefile      2006-05-02 23:38:44.000000000 
+0200
++++ linux/net/ipv4/netfilter/Makefile  2006-05-04 10:04:04.000000000 +0200
+@@ -0,0 +0,1 @@
++obj-$(CONFIG_IP_NF_MATCH_EXPIRE) += ipt_expire.o
+diff -Nur --exclude '*.orig' linux.org/net/ipv4/netfilter/ipt_expire.c 
linux/net/ipv4/netfilter/ipt_expire.c
+--- linux.org/net/ipv4/netfilter/ipt_expire.c  1970-01-01 01:00:00.000000000 
+0100
++++ linux/net/ipv4/netfilter/ipt_expire.c      2006-05-04 10:04:04.000000000 
+0200
+@@ -0,0 +1,563 @@
++/* This module matches until it expires, at which point the entire
++ * rule is deleted
++ *
++ * This module is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This module is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this module; if not, write to:
++ *      The Free Software Foundation, Inc.
++ *      59 Temple Place, Suite 330
++ *      Boston, MA  02111-1307  USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#include <linux/config.h>
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/workqueue.h>
++#include <linux/vmalloc.h>
++#include <linux/time.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_expire.h>
++
++#if CONFIG_NETFILTER_DEBUG
++#define dprintk(format, args...) \
++      printk("ipt_expire[%s]: " format "\n", __FUNCTION__, ## args)
++#else
++#define dprintk(format, args...)
++#endif
++
++MODULE_AUTHOR("Bryan Cardillo <[EMAIL PROTECTED]>");
++MODULE_DESCRIPTION("an iptables expiring match module");
++MODULE_LICENSE("GPL");
++MODULE_VERSION("1.1");
++static int __init ipt_exp_init(void);
++static void __exit ipt_exp_exit(void);
++module_init(ipt_exp_init);
++module_exit(ipt_exp_exit);
++
++static int ipt_exp_match(const struct sk_buff *,
++              const struct net_device *, const struct net_device *,
++              const void *, int, unsigned int, int *);
++static int ipt_exp_checkentry(const char *, const struct ipt_ip *,
++              void *, unsigned int, unsigned int);
++static int ipt_exp_add_table(const char *);
++static void ipt_exp_remove_table(const char *);
++static void ipt_exp_schedule_expiration(time_t);
++static void ipt_exp_work_fn(void *);
++static int ipt_exp_get_info(const char *, struct ipt_getinfo *);
++static int ipt_exp_get_entries(struct ipt_getinfo *, struct ipt_get_entries 
*);
++static int ipt_exp_get_active(struct ipt_getinfo *,
++              struct ipt_get_entries *, struct ipt_replace *);
++static int ipt_exp_copy_active(struct ipt_entry *, struct ipt_replace *);
++static int ipt_exp_is_expired(struct ipt_entry_match *);
++static int ipt_exp_replace_expired(struct ipt_replace *);
++static int ipt_exp_get_counters(struct ipt_get_entries *,
++              struct ipt_replace *, struct ipt_counters_info *);
++static int ipt_exp_copy_counter(struct ipt_entry *, struct ipt_replace *,
++              struct ipt_counters_info *, int *);
++static int ipt_exp_restore_counters(struct ipt_counters_info *);
++
<<Diff was trimmed, longer than 597 lines>>