Author: pluto                        Date: Thu Sep 15 07:58:42 2005 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- [base] expire match.

---- Files affected:
SOURCES:
   iptables-nf-expire.patch (NONE -> 1.1.2.1)  (NEW), linux-2.6-nf-expire.patch 
(NONE -> 1.1.2.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/iptables-nf-expire.patch
diff -u /dev/null SOURCES/iptables-nf-expire.patch:1.1.2.1
--- /dev/null   Thu Sep 15 09:58:42 2005
+++ SOURCES/iptables-nf-expire.patch    Thu Sep 15 09:58:37 2005
@@ -0,0 +1,388 @@
+ .expire-test       |    3 
+ .expire-test6      |    3 
+ libip6t_expire.c   |  170 
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+ libip6t_expire.man |    5 +
+ libipt_expire.c    |  170 
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+ libipt_expire.man  |    5 +
+ 6 files changed, 356 insertions(+)
+
+diff -uNr iptables-1.3.3/extensions/.expire-test 
iptables-1.3.3.patched/extensions/.expire-test
+--- iptables-1.3.3/extensions/.expire-test     1970-01-01 01:00:00.000000000 
+0100
++++ iptables-1.3.3.patched/extensions/.expire-test     2005-09-15 
09:51:28.547760250 +0200
+@@ -0,0 +1,3 @@
++#!/bin/sh
++
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_expire.h ] && echo expire
+diff -uNr iptables-1.3.3/extensions/.expire-test6 
iptables-1.3.3.patched/extensions/.expire-test6
+--- iptables-1.3.3/extensions/.expire-test6    1970-01-01 01:00:00.000000000 
+0100
++++ iptables-1.3.3.patched/extensions/.expire-test6    2005-09-15 
09:51:28.547760250 +0200
+@@ -0,0 +1,3 @@
++#!/bin/sh
++
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_expire.h ] && echo expire
+diff -uNr iptables-1.3.3/extensions/libip6t_expire.c 
iptables-1.3.3.patched/extensions/libip6t_expire.c
+--- iptables-1.3.3/extensions/libip6t_expire.c 1970-01-01 01:00:00.000000000 
+0100
++++ iptables-1.3.3.patched/extensions/libip6t_expire.c 2005-09-15 
09:51:28.551760500 +0200
+@@ -0,0 +1,170 @@
++/* This library manipulates expiring firewall rules
++ *
++ * This library is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this library; if not, write to:
++ *      The Free Software Foundation, Inc.
++ *      59 Temple Place, Suite 330
++ *      Boston, MA  02111-1307  USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <time.h>
++
++#include <ip6tables.h>
++#include <linux/netfilter_ipv6/ip6t_expire.h>
++
++static void ip6t_exp_help(void);
++static int ip6t_exp_parse(int, char **, int, unsigned int *,
++              const struct ip6t_entry *, unsigned int *,
++              struct ip6t_entry_match **);
++static void ip6t_exp_final_check(unsigned int);
++static void ip6t_exp_print(const struct ip6t_ip *,
++              const struct ip6t_entry_match *, int);
++static void ip6t_exp_save(const struct ip6t_ip *, const struct 
ip6t_entry_match *);
++
++/**
++ * options
++ */
++static struct option ip6t_exp_opts[] = {
++      { "expiration", 1, 0, 'e' },
++      { 0 }
++};
++
++/**
++ * match
++ */
++static struct iptables_match ip6t_expire_match = {
++      .next = NULL,
++      .name = "expire",
++      .version = IPTABLES_VERSION,
++      .size = IP6T_ALIGN(sizeof(struct ip6t_exp_info)),
++      .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_exp_info)),
++      .help = &ip6t_exp_help,
++      .parse = &ip6t_exp_parse,
++      .final_check = &ip6t_exp_final_check,
++      .print = &ip6t_exp_print,
++      .save = &ip6t_exp_save,
++      .extra_opts = ip6t_exp_opts
++};
++
++/**
++ * shared library initialization
++ * @see register_match()
++ */
++void
++_init(void)
++{
++      register_match(&ip6t_expire_match);
++}
++
++/**
++ * print usage information
++ */
++static void
++ip6t_exp_help(void)
++{
++    printf("EXPIRE match options\n"
++           "  --expiration [+]TIME\t\t"
++         "rule expires at [in] TIME\n\n");
++}
++
++/**
++ * parse module specific options
++ * @param c the short option character
++ * @param argv the arguments array
++ * @param invert is this an inverted argument
++ * @param flags module specific flags
++ * @param entry the entry
++ * @param nfcache netfilter cache flags
++ * @param match the match
++ * @return zero if an option was found, non-zero otherwise
++ */
++static int
++ip6t_exp_parse(int c, char **argv, int invert, unsigned int *flags,
++      const struct ip6t_entry *entry, unsigned int *nfcache,
++      struct ip6t_entry_match **match)
++{
++      char *arg;
++      struct ip6t_exp_info *info;
++      
++      info = (struct ip6t_exp_info *)(*match)->data;
++      info->expiration = 0;
++      switch (c) {
++              case 'e':
++                      arg = argv[optind-1];
++                      check_inverse(arg, &invert, &optind, 0);
++                      if (invert)
++                              exit_error(PARAMETER_PROBLEM,
++                                      "--expiration cannot be inverted");
++                        if (*arg == '+')
++                              arg++;
++                      if (string_to_number_l(
++                                      arg, 1, 0, &info->expiration) < 0)
++                              exit_error(PARAMETER_PROBLEM,
++                                      "invalid expiration time");
++                      *flags = 1;
++                      if (*argv[optind-1] == '+')
++                              info->expiration += time(NULL);
++                      break;
++              default:
++                      return 0;
++      }
++      return 1;
++}
++
++/**
++ * ensures an expiration was specified
++ * @param flags module specific flags from options parsing
++ */
++static void
++ip6t_exp_final_check(unsigned int flags)
++{
++      if (flags != 1)
++              exit_error(PARAMETER_PROBLEM,
++                      "you must specify an expiration time (--expiration)");
++}
++
++/**
++ * print information about an expiring match
++ * in a format suitable for viewing
++ * @param ip the address information
++ * @param match the match
++ * @param numeric the verbose level (?)
++ */
++static void
++ip6t_exp_print(const struct ip6t_ip *ip,
++      const struct ip6t_entry_match *match, int numeric)
++{
++      struct ip6t_exp_info *info;
++      info = (struct ip6t_exp_info *)match->data;
++      printf("expires in %lds ", info->expiration - time(NULL));
++}
++
++/**
++ * print information about an expiring match
++ * in a format suitable for reconstructing the match
++ * @param ip the address information
++ * @param match the match
++ */
++static void
++ip6t_exp_save(const struct ip6t_ip *ip, const struct ip6t_entry_match *match)
++{
++      struct ip6t_exp_info *info;
++      info = (struct ip6t_exp_info *)match->data;
++      printf("-m expire --expiration %ld ", info->expiration);
++}
+diff -uNr iptables-1.3.3/extensions/libip6t_expire.man 
iptables-1.3.3.patched/extensions/libip6t_expire.man
+--- iptables-1.3.3/extensions/libip6t_expire.man       1970-01-01 
01:00:00.000000000 +0100
++++ iptables-1.3.3.patched/extensions/libip6t_expire.man       2005-09-15 
09:51:28.551760500 +0200
+@@ -0,0 +1,5 @@
++This module matches until its expiration time.
++.TP
++.BI "--expiration " "[\fItime\fP]"
++Match against the other rule criteria until the expiration time.  After
++the expiration time, the entire rule will be removed from the table.
+diff -uNr iptables-1.3.3/extensions/libipt_expire.c 
iptables-1.3.3.patched/extensions/libipt_expire.c
+--- iptables-1.3.3/extensions/libipt_expire.c  1970-01-01 01:00:00.000000000 
+0100
++++ iptables-1.3.3.patched/extensions/libipt_expire.c  2005-09-15 
09:51:28.555760750 +0200
+@@ -0,0 +1,170 @@
++/* This library manipulates expiring firewall rules
++ *
++ * This library is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this library; if not, write to:
++ *      The Free Software Foundation, Inc.
++ *      59 Temple Place, Suite 330
++ *      Boston, MA  02111-1307  USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <time.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ipt_expire.h>
++
++static void ipt_exp_help(void);
++static int ipt_exp_parse(int, char **, int, unsigned int *,
++              const struct ipt_entry *, unsigned int *,
++              struct ipt_entry_match **);
++static void ipt_exp_final_check(unsigned int);
++static void ipt_exp_print(const struct ipt_ip *,
++              const struct ipt_entry_match *, int);
++static void ipt_exp_save(const struct ipt_ip *, const struct ipt_entry_match 
*);
++
++/**
++ * options
++ */
++static struct option ipt_exp_opts[] = {
++      { "expiration", 1, 0, 'e' },
++      { 0 }
++};
++
++/**
++ * match
++ */
++static struct iptables_match ipt_expire_match = {
++      .next = NULL,
++      .name = "expire",
++      .version = IPTABLES_VERSION,
++      .size = IPT_ALIGN(sizeof(struct ipt_exp_info)),
++      .userspacesize = IPT_ALIGN(sizeof(struct ipt_exp_info)),
++      .help = &ipt_exp_help,
++      .parse = &ipt_exp_parse,
++      .final_check = &ipt_exp_final_check,
++      .print = &ipt_exp_print,
++      .save = &ipt_exp_save,
++      .extra_opts = ipt_exp_opts
++};
++
++/**
++ * shared library initialization
++ * @see register_match()
++ */
++void
++_init(void)
++{
++      register_match(&ipt_expire_match);
++}
++
++/**
++ * print usage information
++ */
++static void
++ipt_exp_help(void)
++{
++    printf("EXPIRE match options\n"
++           "  --expiration [+]TIME\t\t"
++         "rule expires at [in] TIME\n\n");
++}
++
++/**
++ * parse module specific options
++ * @param c the short option character
++ * @param argv the arguments array
++ * @param invert is this an inverted argument
++ * @param flags module specific flags
++ * @param entry the entry
++ * @param nfcache netfilter cache flags
++ * @param match the match
++ * @return zero if an option was found, non-zero otherwise
++ */
++static int
++ipt_exp_parse(int c, char **argv, int invert, unsigned int *flags,
++      const struct ipt_entry *entry, unsigned int *nfcache,
++      struct ipt_entry_match **match)
++{
++      char *arg;
++      struct ipt_exp_info *info;
++      
++      info = (struct ipt_exp_info *)(*match)->data;
++      info->expiration = 0;
++      switch (c) {
++              case 'e':
++                      arg = argv[optind-1];
++                      check_inverse(arg, &invert, &optind, 0);
++                      if (invert)
++                              exit_error(PARAMETER_PROBLEM,
++                                      "--expiration cannot be inverted");
++                        if (*arg == '+')
++                              arg++;
++                      if (string_to_number_l(
++                                      arg, 1, 0, &info->expiration) < 0)
++                              exit_error(PARAMETER_PROBLEM,
++                                      "invalid expiration time");
++                      *flags = 1;
++                      if (*argv[optind-1] == '+')
++                              info->expiration += time(NULL);
++                      break;
++              default:
++                      return 0;
++      }
++      return 1;
++}
++
++/**
++ * ensures an expiration was specified
++ * @param flags module specific flags from options parsing
++ */
++static void
++ipt_exp_final_check(unsigned int flags)
++{
++      if (flags != 1)
++              exit_error(PARAMETER_PROBLEM,
++                      "you must specify an expiration time (--expiration)");
++}
++
++/**
++ * print information about an expiring match
++ * in a format suitable for viewing
++ * @param ip the address information
++ * @param match the match
++ * @param numeric the verbose level (?)
++ */
++static void
++ipt_exp_print(const struct ipt_ip *ip,
++      const struct ipt_entry_match *match, int numeric)
++{
++      struct ipt_exp_info *info;
++      info = (struct ipt_exp_info *)match->data;
++      printf("expires in %lds ", info->expiration - time(NULL));
++}
++
++/**
++ * print information about an expiring match
++ * in a format suitable for reconstructing the match
++ * @param ip the address information
++ * @param match the match
++ */
++static void
++ipt_exp_save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
++{
++      struct ipt_exp_info *info;
++      info = (struct ipt_exp_info *)match->data;
++      printf("-m expire --expiration %ld ", info->expiration);
++}
+diff -uNr iptables-1.3.3/extensions/libipt_expire.man 
iptables-1.3.3.patched/extensions/libipt_expire.man
+--- iptables-1.3.3/extensions/libipt_expire.man        1970-01-01 
01:00:00.000000000 +0100
++++ iptables-1.3.3.patched/extensions/libipt_expire.man        2005-09-15 
09:51:28.555760750 +0200
+@@ -0,0 +1,5 @@
++This module matches until its expiration time.
++.TP
++.BI "--expiration " "[\fItime\fP]"
++Match against the other rule criteria until the expiration time.  After
++the expiration time, the entire rule will be removed from the table.
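Review bot: In `ipt_exp_parse` (libipt_expire.c) and `ip6t_exp_parse` (libip6t_expire.c) the statement `info->expiration = 0;` runs before the `switch (c)`, so the callback clears an already-parsed expiration whenever iptables offers it an option that belongs to another extension (the `default:` path returns 0, but the reset has already happened), e.g. `-m expire --expiration +60 -m state --state NEW` ends up with expiration 0, which then fails the `string_to_number_l` lower bound only on the first call and otherwise silently installs a rule the kernel side will treat as immediately expired. Dropping that line is enough as far as I can tell (iptables zero-allocates match data, I believe — worth confirming against the 1.3.3 core); if an explicit initializer is wanted, the `.init` callback of `struct iptables_match` is the place, not `parse`. While there, a repeated `--expiration` is silently overridden; the usual guard is `if (*flags) exit_error(PARAMETER_PROBLEM, "--expiration may only be specified once");` before the parse. Also `string_to_number_l` takes an `unsigned long *` while `info->expiration` is a `time_t`, so the call passes an incompatible pointer type; parsing into a local `unsigned long` and then assigning it to `info->expiration` avoids relying on `time_t` being `long`.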

================================================================
Index: SOURCES/linux-2.6-nf-expire.patch
diff -u /dev/null SOURCES/linux-2.6-nf-expire.patch:1.1.2.1
--- /dev/null   Thu Sep 15 09:58:42 2005
+++ SOURCES/linux-2.6-nf-expire.patch   Thu Sep 15 09:58:37 2005
@@ -0,0 +1,1269 @@
+ include/linux/netfilter_ipv4/ipt_expire.h  |   32 +
+ include/linux/netfilter_ipv6/ip6t_expire.h |   32 +
+ net/ipv4/netfilter/Kconfig                 |   11 
+ net/ipv4/netfilter/Makefile                |    1 
+ net/ipv4/netfilter/ipt_expire.c            |  563 ++++++++++++++++++++++++++++
+ net/ipv6/netfilter/Kconfig                 |   11 
+ net/ipv6/netfilter/Makefile                |    1 
+ net/ipv6/netfilter/ip6t_expire.c           |  566 
+++++++++++++++++++++++++++++
+ 8 files changed, 1217 insertions(+)
+
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_expire.h 
linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_expire.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_expire.h      
1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_expire.h   2005-09-15 
09:51:28.559761000 +0200
+@@ -0,0 +1,32 @@
++/* This module matches until it expires, at which point the entire
++ * rule is deleted
++ *
++ * This module is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This module is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this module; if not, write to:
++ *      The Free Software Foundation, Inc.
++ *      59 Temple Place, Suite 330
++ *      Boston, MA  02111-1307  USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#ifndef __IPT_EXPIRE_H
++#define __IPT_EXPIRE_H
++
++#include <linux/types.h>
++
++struct ipt_exp_info {
++      time_t expiration;
++};
++
++#endif
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv6/ip6t_expire.h 
linux-2.6.13.1/include/linux/netfilter_ipv6/ip6t_expire.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv6/ip6t_expire.h     
1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv6/ip6t_expire.h  2005-09-15 
09:51:28.559761000 +0200
+@@ -0,0 +1,32 @@
++/* This module matches until it expires, at which point the entire
++ * rule is deleted
++ *
++ * This module is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This module is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this module; if not, write to:
++ *      The Free Software Foundation, Inc.
++ *      59 Temple Place, Suite 330
++ *      Boston, MA  02111-1307  USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#ifndef __IP6T_EXPIRE_H
++#define __IP6T_EXPIRE_H
++
++#include <linux/types.h>
++
++struct ip6t_exp_info {
++      time_t expiration;
++};
++
++#endif
+diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_expire.c 
linux-2.6.13.1/net/ipv4/netfilter/ipt_expire.c
+--- linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_expire.c        1970-01-01 
01:00:00.000000000 +0100
++++ linux-2.6.13.1/net/ipv4/netfilter/ipt_expire.c     2005-09-15 
09:51:28.559761000 +0200
+@@ -0,0 +1,563 @@
++/* This module matches until it expires, at which point the entire
++ * rule is deleted
++ *
++ * This module is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This module is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this module; if not, write to:
++ *      The Free Software Foundation, Inc.
++ *      59 Temple Place, Suite 330
++ *      Boston, MA  02111-1307  USA
++ *
++ * Copyright Š 2005 Bryan Cardillo <[EMAIL PROTECTED]>
++ */
++
++#include <linux/config.h>
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/workqueue.h>
++#include <linux/vmalloc.h>
++#include <linux/time.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_expire.h>
++
++#if CONFIG_NETFILTER_DEBUG
++#define dprintk(format, args...) \
++      printk("ipt_expire[%s]: " format "\n", __FUNCTION__, ## args)
++#else
++#define dprintk(format, args...)
++#endif
++
++MODULE_AUTHOR("Bryan Cardillo <[EMAIL PROTECTED]>");
++MODULE_DESCRIPTION("an iptables expiring match module");
++MODULE_LICENSE("GPL");
++MODULE_VERSION("1.1");
++static int __init ipt_exp_init(void);
++static void __exit ipt_exp_exit(void);
++module_init(ipt_exp_init);
++module_exit(ipt_exp_exit);
++
++static int ipt_exp_match(const struct sk_buff *,
++              const struct net_device *, const struct net_device *,
++              const void *, int, int *);
++static int ipt_exp_checkentry(const char *, const struct ipt_ip *,
++              void *, unsigned int, unsigned int);
++static int ipt_exp_add_table(const char *);
++static void ipt_exp_remove_table(const char *);
++static void ipt_exp_schedule_expiration(time_t);
++static void ipt_exp_work_fn(void *);
++static int ipt_exp_get_info(const char *, struct ipt_getinfo *);
++static int ipt_exp_get_entries(struct ipt_getinfo *, struct ipt_get_entries 
*);
++static int ipt_exp_get_active(struct ipt_getinfo *,
++              struct ipt_get_entries *, struct ipt_replace *);
++static int ipt_exp_copy_active(struct ipt_entry *, struct ipt_replace *);
++static int ipt_exp_is_expired(struct ipt_entry_match *);
++static int ipt_exp_replace_expired(struct ipt_replace *);
++static int ipt_exp_get_counters(struct ipt_get_entries *,
++              struct ipt_replace *, struct ipt_counters_info *);
++static int ipt_exp_copy_counter(struct ipt_entry *, struct ipt_replace *,
++              struct ipt_counters_info *, int *);
++static int ipt_exp_restore_counters(struct ipt_counters_info *);
++
++/**
++ * struct for list of tables
++ */
++struct ipt_exp_table {
++      /**
++       * the table name
++       */
++      char name[IPT_TABLE_MAXNAMELEN];
++      /**
++       * a list_head structure enabling list inclusion
++       */
++      struct list_head list;
++};
++
++/**
++ * work_struct for scheduling the deletion of expired rules
++ */
++static DECLARE_WORK(ipt_exp_work, &ipt_exp_work_fn, NULL);
++
++/**
++ * iptables match
++ */
++static struct ipt_match ipt_expire_match = {
++      .name           = "expire",
++      .match          = &ipt_exp_match,
++      .checkentry     = &ipt_exp_checkentry,
++      .me             = THIS_MODULE
++};
++
++/**
++ * the list of tables contained expiring entries
++ */
++static spinlock_t ipt_exp_tables_lock = SPIN_LOCK_UNLOCKED;
++static LIST_HEAD(ipt_exp_tables);
++
++/**
++ * initialize module and register iptables match
++ * @see module_init()
++ * @see ipt_register_match()
++ */
++static int __init
++ipt_exp_init(void)
<<Diff was trimmed, longer than 597 lines>>