Author: pluto Date: Thu Sep 15 07:58:42 2005 GMT Module: SOURCES Tag: LINUX_2_6 ---- Log message: - [base] expire match.
---- Files affected: SOURCES: iptables-nf-expire.patch (NONE -> 1.1.2.1) (NEW), linux-2.6-nf-expire.patch (NONE -> 1.1.2.1) (NEW) ---- Diffs: ================================================================ Index: SOURCES/iptables-nf-expire.patch
diff -u /dev/null SOURCES/iptables-nf-expire.patch:1.1.2.1
--- /dev/null Thu Sep 15 09:58:42 2005
+++ SOURCES/iptables-nf-expire.patch Thu Sep 15 09:58:37 2005 
@@ -0,0 +1,388 @@
+ .expire-test | 3
+ .expire-test6 | 3
+ libip6t_expire.c | 170 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ libip6t_expire.man | 5 +
+ libipt_expire.c | 170 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ libipt_expire.man | 5 +
+ 6 files changed, 356 insertions(+)
+
+diff -uNr iptables-1.3.3/extensions/.expire-test iptables-1.3.3.patched/extensions/.expire-test
+--- iptables-1.3.3/extensions/.expire-test 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.3.patched/extensions/.expire-test 2005-09-15 09:51:28.547760250 +0200
+@@ -0,0 +1,3 @@
++#!/bin/sh
++
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_expire.h ] && echo expire
+diff -uNr iptables-1.3.3/extensions/.expire-test6 iptables-1.3.3.patched/extensions/.expire-test6
+--- iptables-1.3.3/extensions/.expire-test6 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.3.patched/extensions/.expire-test6 2005-09-15 09:51:28.547760250 +0200
+@@ -0,0 +1,3 @@
++#!/bin/sh
++
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_expire.h ] && echo expire
+diff -uNr iptables-1.3.3/extensions/libip6t_expire.c iptables-1.3.3.patched/extensions/libip6t_expire.c
+--- iptables-1.3.3/extensions/libip6t_expire.c 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.3.patched/extensions/libip6t_expire.c 2005-09-15 09:51:28.551760500 +0200
+@@ -0,0 +1,170 @@
++/* This library manipulates expiring firewall rules
++ *
++ * This library is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details. 
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this library; if not, write to:
++ * The Free Software Foundation, Inc.
++ * 59 Temple Place, Suite 330
++ * Boston, MA 02111-1307 USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <time.h>
++
++#include <ip6tables.h>
++#include <linux/netfilter_ipv6/ip6t_expire.h>
++
++static void ip6t_exp_help(void);
++static int ip6t_exp_parse(int, char **, int, unsigned int *,
++ const struct ip6t_entry *, unsigned int *,
++ struct ip6t_entry_match **);
++static void ip6t_exp_final_check(unsigned int);
++static void ip6t_exp_print(const struct ip6t_ip *,
++ const struct ip6t_entry_match *, int);
++static void ip6t_exp_save(const struct ip6t_ip *, const struct ip6t_entry_match *);
++
++/**
++ * options
++ */
++static struct option ip6t_exp_opts[] = {
++ { "expiration", 1, 0, 'e' },
++ { 0 }
++};
++
++/**
++ * match
++ */
++static struct iptables_match ip6t_expire_match = {
++ .next = NULL,
++ .name = "expire",
++ .version = IPTABLES_VERSION,
++ .size = IP6T_ALIGN(sizeof(struct ip6t_exp_info)),
++ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_exp_info)),
++ .help = &ip6t_exp_help,
++ .parse = &ip6t_exp_parse,
++ .final_check = &ip6t_exp_final_check,
++ .print = &ip6t_exp_print,
++ .save = &ip6t_exp_save,
++ .extra_opts = ip6t_exp_opts
++};
++
++/**
++ * shared library initialization
++ * @see register_match()
++ */
++void
++_init(void)
++{
++ register_match(&ip6t_expire_match);
++}
++
++/**
++ * print usage information
++ */
++static void
++ip6t_exp_help(void)
++{
++ printf("EXPIRE match options\n"
++ " --expiration [+]TIME\t\t"
++ "rule expires at [in] TIME\n\n");
++}
++
++/**
++ * parse module specific options
++ * @param c the short option character
++ * @param argv the arguments array
++ * @param invert is this an inverted argument
++ * @param flags module 
specific flags
++ * @param entry the entry
++ * @param nfcache netfilter cache flags
++ * @param match the match
++ * @return zero if an option was found, non-zero otherwise
++ */
++static int
++ip6t_exp_parse(int c, char **argv, int invert, unsigned int *flags,
++ const struct ip6t_entry *entry, unsigned int *nfcache,
++ struct ip6t_entry_match **match)
++{
++ char *arg;
++ struct ip6t_exp_info *info;
++
++ info = (struct ip6t_exp_info *)(*match)->data;
++ info->expiration = 0;
++ switch (c) {
++ case 'e':
++ arg = argv[optind-1];
++ check_inverse(arg, &invert, &optind, 0);
++ if (invert)
++ exit_error(PARAMETER_PROBLEM,
++ "--expiration cannot be inverted");
++ if (*arg == '+')
++ arg++;
++ if (string_to_number_l(
++ arg, 1, 0, &info->expiration) < 0)
++ exit_error(PARAMETER_PROBLEM,
++ "invalid expiration time");
++ *flags = 1;
++ if (*argv[optind-1] == '+')
++ info->expiration += time(NULL);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++/**
++ * ensures an expiration was specified
++ * @param flags module specific flags from options parsing
++ */
++static void
++ip6t_exp_final_check(unsigned int flags)
++{
++ if (flags != 1)
++ exit_error(PARAMETER_PROBLEM,
++ "you must specify an expiration time (--expiration)");
++}
++
++/**
++ * print information about an expiring match
++ * in a format suitable for viewing
++ * @param ip the address information
++ * @param match the match
++ * @param numeric the verbose level (?) 
++ */
++static void
++ip6t_exp_print(const struct ip6t_ip *ip,
++ const struct ip6t_entry_match *match, int numeric)
++{
++ struct ip6t_exp_info *info;
++ info = (struct ip6t_exp_info *)match->data;
++ printf("expires in %lds ", info->expiration - time(NULL));
++}
++
++/**
++ * print information about an expiring match
++ * in a format suitable for reconstructing the match
++ * @param ip the address information
++ * @param match the match
++ */
++static void
++ip6t_exp_save(const struct ip6t_ip *ip, const struct ip6t_entry_match *match)
++{
++ struct ip6t_exp_info *info;
++ info = (struct ip6t_exp_info *)match->data;
++ printf("-m expire --expiration %ld ", info->expiration);
++}
+diff -uNr iptables-1.3.3/extensions/libip6t_expire.man iptables-1.3.3.patched/extensions/libip6t_expire.man
+--- iptables-1.3.3/extensions/libip6t_expire.man 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.3.patched/extensions/libip6t_expire.man 2005-09-15 09:51:28.551760500 +0200
+@@ -0,0 +1,5 @@
++This module matches until its expiration time.
++.TP
++.BI "--expiration " "[\fItime\fP]"
++Match against the other rule criteria until the expiration time. After
++the expiration time, the entire rule will be removed from the table.
+diff -uNr iptables-1.3.3/extensions/libipt_expire.c iptables-1.3.3.patched/extensions/libipt_expire.c
+--- iptables-1.3.3/extensions/libipt_expire.c 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.3.patched/extensions/libipt_expire.c 2005-09-15 09:51:28.555760750 +0200
+@@ -0,0 +1,170 @@
++/* This library manipulates expiring firewall rules
++ *
++ * This library is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version. 
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this library; if not, write to:
++ * The Free Software Foundation, Inc.
++ * 59 Temple Place, Suite 330
++ * Boston, MA 02111-1307 USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <time.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ipt_expire.h>
++
++static void ipt_exp_help(void);
++static int ipt_exp_parse(int, char **, int, unsigned int *,
++ const struct ipt_entry *, unsigned int *,
++ struct ipt_entry_match **);
++static void ipt_exp_final_check(unsigned int);
++static void ipt_exp_print(const struct ipt_ip *,
++ const struct ipt_entry_match *, int);
++static void ipt_exp_save(const struct ipt_ip *, const struct ipt_entry_match *);
++
++/**
++ * options
++ */
++static struct option ipt_exp_opts[] = {
++ { "expiration", 1, 0, 'e' },
++ { 0 }
++};
++
++/**
++ * match
++ */
++static struct iptables_match ipt_expire_match = {
++ .next = NULL,
++ .name = "expire",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct ipt_exp_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_exp_info)),
++ .help = &ipt_exp_help,
++ .parse = &ipt_exp_parse,
++ .final_check = &ipt_exp_final_check,
++ .print = &ipt_exp_print,
++ .save = &ipt_exp_save,
++ .extra_opts = ipt_exp_opts
++};
++
++/**
++ * shared library initialization
++ * @see register_match()
++ */
++void
++_init(void)
++{
++ register_match(&ipt_expire_match);
++}
++
++/**
++ * print usage information
++ */
++static void
++ipt_exp_help(void)
++{
++ printf("EXPIRE match options\n"
++ " --expiration [+]TIME\t\t"
++ "rule 
expires at [in] TIME\n\n");
++}
++
++/**
++ * parse module specific options
++ * @param c the short option character
++ * @param argv the arguments array
++ * @param invert is this an inverted argument
++ * @param flags module specific flags
++ * @param entry the entry
++ * @param nfcache netfilter cache flags
++ * @param match the match
++ * @return zero if an option was found, non-zero otherwise
++ */
++static int
++ipt_exp_parse(int c, char **argv, int invert, unsigned int *flags,
++ const struct ipt_entry *entry, unsigned int *nfcache,
++ struct ipt_entry_match **match)
++{
++ char *arg;
++ struct ipt_exp_info *info;
++
++ info = (struct ipt_exp_info *)(*match)->data;
++ info->expiration = 0;
++ switch (c) {
++ case 'e':
++ arg = argv[optind-1];
++ check_inverse(arg, &invert, &optind, 0);
++ if (invert)
++ exit_error(PARAMETER_PROBLEM,
++ "--expiration cannot be inverted");
++ if (*arg == '+')
++ arg++;
++ if (string_to_number_l(
++ arg, 1, 0, &info->expiration) < 0)
++ exit_error(PARAMETER_PROBLEM,
++ "invalid expiration time");
++ *flags = 1;
++ if (*argv[optind-1] == '+')
++ info->expiration += time(NULL);
++ break;
++ default:
++ return 0;
++ }
++ return 1;
++}
++
++/**
++ * ensures an expiration was specified
++ * @param flags module specific flags from options parsing
++ */
++static void
++ipt_exp_final_check(unsigned int flags)
++{
++ if (flags != 1)
++ exit_error(PARAMETER_PROBLEM,
++ "you must specify an expiration time (--expiration)");
++}
++
++/**
++ * print information about an expiring match
++ * in a format suitable for viewing
++ * @param ip the address information
++ * @param match the match
++ * @param numeric the verbose level (?) 
++ */
++static void
++ipt_exp_print(const struct ipt_ip *ip,
++ const struct ipt_entry_match *match, int numeric)
++{
++ struct ipt_exp_info *info;
++ info = (struct ipt_exp_info *)match->data;
++ printf("expires in %lds ", info->expiration - time(NULL));
++}
++
++/**
++ * print information about an expiring match
++ * in a format suitable for reconstructing the match
++ * @param ip the address information
++ * @param match the match
++ */
++static void
++ipt_exp_save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
++{
++ struct ipt_exp_info *info;
++ info = (struct ipt_exp_info *)match->data;
++ printf("-m expire --expiration %ld ", info->expiration);
++}
+diff -uNr iptables-1.3.3/extensions/libipt_expire.man iptables-1.3.3.patched/extensions/libipt_expire.man
+--- iptables-1.3.3/extensions/libipt_expire.man 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.3.patched/extensions/libipt_expire.man 2005-09-15 09:51:28.555760750 +0200
+@@ -0,0 +1,5 @@
++This module matches until its expiration time.
++.TP
++.BI "--expiration " "[\fItime\fP]"
++Match against the other rule criteria until the expiration time. After
++the expiration time, the entire rule will be removed from the table. ================================================================ Index: SOURCES/linux-2.6-nf-expire.patch
diff -u /dev/null SOURCES/linux-2.6-nf-expire.patch:1.1.2.1
--- /dev/null Thu Sep 15 09:58:42 2005
+++ SOURCES/linux-2.6-nf-expire.patch Thu Sep 15 09:58:37 2005 
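Review bot: The `@return` line on ip6t_exp_parse and ipt_exp_parse reads `zero if an option was found, non-zero otherwise`, but both functions return 1 from the `case 'e'` path and 0 from `default`, so the doc is inverted; change it to `@return non-zero if the option was consumed, zero otherwise`. The same parse path accepts an absolute `--expiration` that is already in the past (`string_to_number_l` is called with a minimum of 1 and no upper bound), which matters because `ip6t_exp_save`/`ipt_exp_save` write the absolute time back out, so a save/restore cycle after expiry re-inserts a rule the kernel side is meant to delete; a check such as `if (info->expiration <= time(NULL)) exit_error(PARAMETER_PROBLEM, "expiration time is in the past");` after the `+` handling would reject that at rule load. `&info->expiration` is a `time_t *` handed to `string_to_number_l`, which presumably takes an `unsigned long *`; this appears to rely on the two types having the same width and signedness, so parse into a local `unsigned long` and assign, or leave a comment saying why the aliasing is safe. The `(?)` left on `@param numeric` should also be resolved; since the flag is never read here, `@param numeric unused, this match prints no names that need resolving` would do.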
@@ -0,0 +1,1269 @@
+ include/linux/netfilter_ipv4/ipt_expire.h | 32 +
+ include/linux/netfilter_ipv6/ip6t_expire.h | 32 +
+ net/ipv4/netfilter/Kconfig | 11
+ net/ipv4/netfilter/Makefile | 1
+ net/ipv4/netfilter/ipt_expire.c | 563 ++++++++++++++++++++++++++++
+ net/ipv6/netfilter/Kconfig | 11
+ net/ipv6/netfilter/Makefile | 1
+ net/ipv6/netfilter/ip6t_expire.c | 566 +++++++++++++++++++++++++++++
+ 8 files changed, 1217 insertions(+)
+
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_expire.h linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_expire.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_expire.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_expire.h 2005-09-15 09:51:28.559761000 +0200
+@@ -0,0 +1,32 @@
++/* This module matches until it expires, at which point the entire
++ * rule is deleted
++ *
++ * This module is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This module is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this module; if not, write to:
++ * The Free Software Foundation, Inc. 
++ * 59 Temple Place, Suite 330
++ * Boston, MA 02111-1307 USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#ifndef __IPT_EXPIRE_H
++#define __IPT_EXPIRE_H
++
++#include <linux/types.h>
++
++struct ipt_exp_info {
++ time_t expiration;
++};
++
++#endif
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv6/ip6t_expire.h linux-2.6.13.1/include/linux/netfilter_ipv6/ip6t_expire.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv6/ip6t_expire.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv6/ip6t_expire.h 2005-09-15 09:51:28.559761000 +0200
+@@ -0,0 +1,32 @@
++/* This module matches until it expires, at which point the entire
++ * rule is deleted
++ *
++ * This module is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This module is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this module; if not, write to:
++ * The Free Software Foundation, Inc. 
++ * 59 Temple Place, Suite 330
++ * Boston, MA 02111-1307 USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#ifndef __IP6T_EXPIRE_H
++#define __IP6T_EXPIRE_H
++
++#include <linux/types.h>
++
++struct ip6t_exp_info {
++ time_t expiration;
++};
++
++#endif
+diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_expire.c linux-2.6.13.1/net/ipv4/netfilter/ipt_expire.c
+--- linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_expire.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/net/ipv4/netfilter/ipt_expire.c 2005-09-15 09:51:28.559761000 +0200
+@@ -0,0 +1,563 @@
++/* This module matches until it expires, at which point the entire
++ * rule is deleted
++ *
++ * This module is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This module is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this module; if not, write to:
++ * The Free Software Foundation, Inc.
++ * 59 Temple Place, Suite 330
++ * Boston, MA 02111-1307 USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#include <linux/config.h>
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/workqueue.h>
++#include <linux/vmalloc.h>
++#include <linux/time.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_expire.h>
++
++#if CONFIG_NETFILTER_DEBUG
++#define dprintk(format, args...) \
++ printk("ipt_expire[%s]: " format "\n", __FUNCTION__, ## args)
++#else
++#define dprintk(format, args...) 
++#endif
++
++MODULE_AUTHOR("Bryan Cardillo <[EMAIL PROTECTED]>");
++MODULE_DESCRIPTION("an iptables expiring match module");
++MODULE_LICENSE("GPL");
++MODULE_VERSION("1.1");
++static int __init ipt_exp_init(void);
++static void __exit ipt_exp_exit(void);
++module_init(ipt_exp_init);
++module_exit(ipt_exp_exit);
++
++static int ipt_exp_match(const struct sk_buff *,
++ const struct net_device *, const struct net_device *,
++ const void *, int, int *);
++static int ipt_exp_checkentry(const char *, const struct ipt_ip *,
++ void *, unsigned int, unsigned int);
++static int ipt_exp_add_table(const char *);
++static void ipt_exp_remove_table(const char *);
++static void ipt_exp_schedule_expiration(time_t);
++static void ipt_exp_work_fn(void *);
++static int ipt_exp_get_info(const char *, struct ipt_getinfo *);
++static int ipt_exp_get_entries(struct ipt_getinfo *, struct ipt_get_entries *);
++static int ipt_exp_get_active(struct ipt_getinfo *,
++ struct ipt_get_entries *, struct ipt_replace *);
++static int ipt_exp_copy_active(struct ipt_entry *, struct ipt_replace *);
++static int ipt_exp_is_expired(struct ipt_entry_match *);
++static int ipt_exp_replace_expired(struct ipt_replace *);
++static int ipt_exp_get_counters(struct ipt_get_entries *,
++ struct ipt_replace *, struct ipt_counters_info *);
++static int ipt_exp_copy_counter(struct ipt_entry *, struct ipt_replace *,
++ struct ipt_counters_info *, int *);
++static int ipt_exp_restore_counters(struct ipt_counters_info *);
++
++/**
++ * struct for list of tables
++ */
++struct ipt_exp_table {
++ /**
++ * the table name
++ */
++ char name[IPT_TABLE_MAXNAMELEN];
++ /**
++ * a list_head structure enabling list inclusion
++ */
++ struct list_head list;
++};
++
++/**
++ * work_struct for scheduling the deletion of expired rules
++ */
++static DECLARE_WORK(ipt_exp_work, &ipt_exp_work_fn, NULL);
++
++/**
++ * iptables match
++ */
++static struct ipt_match ipt_expire_match = {
++ .name = "expire",
++ .match = 
&ipt_exp_match,
++ .checkentry = &ipt_exp_checkentry,
++ .me = THIS_MODULE
++};
++
++/**
++ * the list of tables contained expiring entries
++ */
++static spinlock_t ipt_exp_tables_lock = SPIN_LOCK_UNLOCKED;
++static LIST_HEAD(ipt_exp_tables);
++
++/**
++ * initialize module and register iptables match
++ * @see module_init()
++ * @see ipt_register_match()
++ */
++static int __init
++ipt_exp_init(void) <<Diff was trimmed, longer than 597 lines>> _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit