Author: pluto Date: Thu Sep 15 07:20:38 2005 GMT Module: SOURCES Tag: LINUX_2_6 ---- Log message: - [base] hoplimit, ttl, ipv4optsstrip
---- Files affected: SOURCES: linux-2.6-nf-TTL.patch (NONE -> 1.1.2.1) (NEW), linux-2.6-nf-HOPLIMIT.patch (NONE -> 1.1.2.1) (NEW), linux-2.6-nf-IPV4OPTSSTRIP.patch (NONE -> 1.1.2.1) (NEW) ---- Diffs: ================================================================ Index: SOURCES/linux-2.6-nf-TTL.patch diff -u /dev/null SOURCES/linux-2.6-nf-TTL.patch:1.1.2.1 --- /dev/null Thu Sep 15 09:20:39 2005 +++ SOURCES/linux-2.6-nf-TTL.patch Thu Sep 15 09:20:33 2005 
@@ -0,0 +1,181 @@ + include/linux/netfilter_ipv4/ipt_TTL.h | 21 +++++ + net/ipv4/netfilter/Kconfig | 11 ++ + net/ipv4/netfilter/Makefile | 3 + net/ipv4/netfilter/ipt_TTL.c | 122 +++++++++++++++++++++++++++++++++ + 4 files changed, 157 insertions(+) +diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_TTL.h linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_TTL.h +--- linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_TTL.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_TTL.h 2005-09-15 09:02:15.928364500 +0200 +@@ -0,0 +1,21 @@ ++/* TTL modification module for IP tables ++ * (C) 2000 by Harald Welte <[EMAIL PROTECTED]> */ ++ ++#ifndef _IPT_TTL_H ++#define _IPT_TTL_H ++ ++enum { ++ IPT_TTL_SET = 0, ++ IPT_TTL_INC, ++ IPT_TTL_DEC ++}; ++ ++#define IPT_TTL_MAXMODE IPT_TTL_DEC ++ ++struct ipt_TTL_info { ++ u_int8_t mode; ++ u_int8_t ttl; ++}; ++ ++ ++#endif +diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_TTL.c linux-2.6.13.1/net/ipv4/netfilter/ipt_TTL.c +--- linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_TTL.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.13.1/net/ipv4/netfilter/ipt_TTL.c 2005-09-15 09:02:15.932362750 +0200 +@@ -0,0 +1,122 @@ ++/* TTL modification target for IP tables ++ * (C) 2000 by Harald Welte <[EMAIL PROTECTED]> ++ * ++ * Version: $Revision$ ++ * ++ * This software is distributed under the terms of GNU GPL ++ */ ++ ++#include <linux/module.h> ++#include <linux/skbuff.h> ++#include <linux/ip.h> ++#include <net/checksum.h> ++ ++#include <linux/netfilter_ipv4/ip_tables.h> ++#include <linux/netfilter_ipv4/ipt_TTL.h> ++ ++MODULE_AUTHOR("Harald Welte <[EMAIL PROTECTED]>"); ++MODULE_DESCRIPTION("IP tables TTL modification module"); ++MODULE_LICENSE("GPL"); ++ ++static unsigned int ++ipt_ttl_target(struct sk_buff **pskb, const struct net_device *in, ++ const struct net_device *out, unsigned int hooknum, ++ const void *targinfo, void *userinfo) ++{ ++ struct iphdr *iph; ++ const struct ipt_TTL_info 
*info = targinfo;
++ u_int16_t diffs[2];
++ int new_ttl;
++
++ if (!skb_ip_make_writable(pskb, (*pskb)->len))
++ return NF_DROP;
++
++ iph = (*pskb)->nh.iph;
++
++ switch (info->mode) {
++ case IPT_TTL_SET:
++ new_ttl = info->ttl;
++ break;
++ case IPT_TTL_INC:
++ new_ttl = iph->ttl + info->ttl;
++ if (new_ttl > 255)
++ new_ttl = 255;
++ break;
++ case IPT_TTL_DEC:
++ new_ttl = iph->ttl - info->ttl;
++ if (new_ttl < 0)
++ new_ttl = 0;
++ break;
++ default:
++ new_ttl = iph->ttl;
++ break;
++ }
++
++ if (new_ttl != iph->ttl) {
++ diffs[0] = htons(((unsigned)iph->ttl) << 8) ^ 0xFFFF;
++ iph->ttl = new_ttl;
++ diffs[1] = htons(((unsigned)iph->ttl) << 8);
++ iph->check = csum_fold(csum_partial((char *)diffs,
++ sizeof(diffs),
++ iph->check^0xFFFF));
++ (*pskb)->nfcache |= NFC_ALTERED;
++ }
++
++ return IPT_CONTINUE;
++}
++
++static int ipt_ttl_checkentry(const char *tablename,
++ const struct ipt_entry *e,
++ void *targinfo,
++ unsigned int targinfosize,
++ unsigned int hook_mask)
++{
++ struct ipt_TTL_info *info = targinfo;
++
++ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) {
++ printk(KERN_WARNING "TTL: targinfosize %u != %Zu\n",
++ targinfosize,
++ IPT_ALIGN(sizeof(struct ipt_TTL_info)));
++ return 0;
++ }
++
++ if (strcmp(tablename, "mangle")) {
++ printk(KERN_WARNING "TTL: can only be called from "
++ "\"mangle\" table, not \"%s\"\n", tablename);
++ return 0;
++ }
++
++ if (info->mode > IPT_TTL_MAXMODE) {
++ printk(KERN_WARNING "TTL: invalid or unknown Mode %u\n",
++ info->mode);
++ return 0;
++ }
++
++ if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) {
++ printk(KERN_WARNING "TTL: increment/decrement doesn't "
++ "make sense with value 0\n");
++ return 0;
++ }
++
++ return 1;
++}
++
++static struct ipt_target ipt_TTL = {
++ .name = "TTL",
++ .target = ipt_ttl_target,
++ .checkentry = ipt_ttl_checkentry,
++ .me = THIS_MODULE,
++};
++
++static int __init init(void)
++{
++ return ipt_register_target(&ipt_TTL);
++}
++
++static void __exit
fini(void) ++{ ++ ipt_unregister_target(&ipt_TTL); ++} ++ ++module_init(init); ++module_exit(fini); +diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/Kconfig linux-2.6.13.1/net/ipv4/netfilter/Kconfig +--- linux-2.6.13.1/net.orig/ipv4/netfilter/Kconfig 2005-09-10 04:42:58.000000000 +0200 ++++ linux-2.6.13.1/net/ipv4/netfilter/Kconfig 2005-09-15 09:02:15.936361000 +0200 +@@ -692,5 +692,16 @@ + Allows altering the ARP packet payload: source and destination + hardware and network addresses. + ++config IP_NF_TARGET_TTL ++ tristate 'TTL target support' ++ depends on IP_NF_MANGLE ++ help ++ This option adds a `TTL' target, which enables the user to set ++ the TTL value or increment / decrement the TTL value by a given ++ amount. ++ ++ If you want to compile it as a module, say M here and read ++ Documentation/modules.txt. If unsure, say `N'. ++ + endmenu + +diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/Makefile linux-2.6.13.1/net/ipv4/netfilter/Makefile +--- linux-2.6.13.1/net.orig/ipv4/netfilter/Makefile 2005-09-10 04:42:58.000000000 +0200 ++++ linux-2.6.13.1/net/ipv4/netfilter/Makefile 2005-09-15 09:03:09.078554750 +0200 +@@ -0,0 +0,1 @@ ++obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o ================================================================ Index: SOURCES/linux-2.6-nf-HOPLIMIT.patch diff -u /dev/null SOURCES/linux-2.6-nf-HOPLIMIT.patch:1.1.2.1 --- /dev/null Thu Sep 15 09:20:39 2005 +++ SOURCES/linux-2.6-nf-HOPLIMIT.patch Thu Sep 15 09:20:33 2005 
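Review bot: `ipt_ttl_target()` lets a rule pin or raise the TTL (`IPT_TTL_SET`, `IPT_TTL_INC`) with the clamp to 255 as the only limit, and neither the code nor the new `IP_NF_TARGET_TTL` help text says that this removes the loop protection the TTL field provides: a forwarding rule that adds back what each router subtracts keeps a looping packet alive indefinitely. I would document that next to the switch, e.g. `/* SET/INC can defeat TTL-based loop protection; prefer DEC on a forwarding path */`, and add the same caveat to the Kconfig help. Separately, the Makefile hunk header `@@ -0,0 +0,1 @@` carries no context while the diffstat lists 3 changed lines for that file, so it is worth confirming where the `obj-$(CONFIG_IP_NF_TARGET_TTL)` line lands when the patch is applied; the HOPLIMIT and IPV4OPTSSTRIP patches use the same header.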
@@ -0,0 +1,172 @@ + + include/linux/netfilter_ipv6/ip6t_HL.h | 22 ++++++ + net/ipv6/netfilter/Kconfig | 10 ++ + net/ipv6/netfilter/Makefile | 1 + net/ipv6/netfilter/ip6t_HL.c | 111 +++++++++++++++++++++++++++++++++ + 4 files changed, 144 insertions(+) + +diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv6/ip6t_HL.h linux-2.6.13.1/include/linux/netfilter_ipv6/ip6t_HL.h +--- linux-2.6.13.1/include.orig/linux/netfilter_ipv6/ip6t_HL.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.13.1/include/linux/netfilter_ipv6/ip6t_HL.h 2005-09-15 08:42:13.680280500 +0200 +@@ -0,0 +1,22 @@ ++/* Hop Limit modification module for ip6tables ++ * Maciej Soltysiak <[EMAIL PROTECTED]> ++ * Based on HW's TTL module */ ++ ++#ifndef _IP6T_HL_H ++#define _IP6T_HL_H ++ ++enum { ++ IP6T_HL_SET = 0, ++ IP6T_HL_INC, ++ IP6T_HL_DEC ++}; ++ ++#define IP6T_HL_MAXMODE IP6T_HL_DEC ++ ++struct ip6t_HL_info { ++ u_int8_t mode; ++ u_int8_t hop_limit; ++}; ++ ++ ++#endif +diff -uNr linux-2.6.13.1/net.orig/ipv6/netfilter/ip6t_HL.c linux-2.6.13.1/net/ipv6/netfilter/ip6t_HL.c +--- linux-2.6.13.1/net.orig/ipv6/netfilter/ip6t_HL.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.13.1/net/ipv6/netfilter/ip6t_HL.c 2005-09-15 08:42:13.680280500 +0200 +@@ -0,0 +1,111 @@ ++/* ++ * Hop Limit modification target for ip6tables ++ * Maciej Soltysiak <[EMAIL PROTECTED]> ++ * Based on HW's TTL module ++ * ++ * This software is distributed under the terms of GNU GPL ++ */ ++ ++#include <linux/module.h> ++#include <linux/skbuff.h> ++#include <linux/ip.h> ++ ++#include <linux/netfilter_ipv6/ip6_tables.h> ++#include <linux/netfilter_ipv6/ip6t_HL.h> ++ ++MODULE_AUTHOR("Maciej Soltysiak <[EMAIL PROTECTED]>"); ++MODULE_DESCRIPTION("IP tables Hop Limit modification module"); ++MODULE_LICENSE("GPL"); ++ ++static unsigned int ip6t_hl_target(struct sk_buff **pskb, ++ const struct net_device *in, ++ const struct net_device *out, ++ unsigned int hooknum, ++ const void *targinfo, void *userinfo) ++{ ++ struct ipv6hdr 
*ip6h = (*pskb)->nh.ipv6h;
++ const struct ip6t_HL_info *info = targinfo;
++ u_int16_t diffs[2];
++ int new_hl;
++
++ switch (info->mode) {
++ case IP6T_HL_SET:
++ new_hl = info->hop_limit;
++ break;
++ case IP6T_HL_INC:
++ new_hl = ip6h->hop_limit + info->hop_limit;
++ if (new_hl > 255)
++ new_hl = 255;
++ break;
++ case IP6T_HL_DEC:
++ new_hl = ip6h->hop_limit - info->hop_limit;
++ if (new_hl < 0)
++ new_hl = 0;
++ break;
++ default:
++ new_hl = ip6h->hop_limit;
++ break;
++ }
++
++ if (new_hl != ip6h->hop_limit) {
++ diffs[0] = htons(((unsigned)ip6h->hop_limit) << 8) ^ 0xFFFF;
++ ip6h->hop_limit = new_hl;
++ diffs[1] = htons(((unsigned)ip6h->hop_limit) << 8);
++ }
++
++ return IP6T_CONTINUE;
++}
++
++static int ip6t_hl_checkentry(const char *tablename,
++ const struct ip6t_entry *e,
++ void *targinfo,
++ unsigned int targinfosize,
++ unsigned int hook_mask)
++{
++ struct ip6t_HL_info *info = targinfo;
++
++ if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_HL_info))) {
++ printk(KERN_WARNING "HL: targinfosize %u != %Zu\n",
++ targinfosize,
++ IP6T_ALIGN(sizeof(struct ip6t_HL_info)));
++ return 0;
++ }
++
++ if (strcmp(tablename, "mangle")) {
++ printk(KERN_WARNING "HL: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
++ return 0;
++ }
++
++ if (info->mode > IP6T_HL_MAXMODE) {
++ printk(KERN_WARNING "HL: invalid or unknown Mode %u\n",
++ info->mode);
++ return 0;
++ }
++
++ if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) {
++ printk(KERN_WARNING "HL: increment/decrement doesn't make sense with value 0\n");
++ return 0;
++ }
++
++ return 1;
++}
++
++static struct ip6t_target ip6t_HL = {
++ .name = "HL",
++ .target = ip6t_hl_target,
++ .checkentry = ip6t_hl_checkentry,
++ .me = THIS_MODULE
++};
++
++static int __init init(void)
++{
++ return ip6t_register_target(&ip6t_HL);
++}
++
++static void __exit fini(void)
++{
++ ip6t_unregister_target(&ip6t_HL);
++}
++
++module_init(init);
++module_exit(fini);
+diff -uNr
linux-2.6.13.1/net.orig/ipv6/netfilter/Kconfig linux-2.6.13.1/net/ipv6/netfilter/Kconfig +--- linux-2.6.13.1/net.orig/ipv6/netfilter/Kconfig 2005-09-10 04:42:58.000000000 +0200 ++++ linux-2.6.13.1/net/ipv6/netfilter/Kconfig 2005-09-15 08:42:13.684280750 +0200 +@@ -238,5 +238,15 @@ + If you want to compile it as a module, say M here and read + <file:Documentation/modules.txt>. If unsure, say `N'. + ++config IP6_NF_TARGET_HL ++ tristate 'HL target support' ++ depends on IP6_NF_MANGLE ++ help ++ This option adds a `HL' target, which allows you to modify the value of ++ IPv6 Hop Limit field. ++ ++ If you want to compile it as a module, say M here and read ++ <file:Documentation/modules.txt>. If unsure, say `N'. ++ + endmenu + +diff -uNr linux-2.6.13.1/net.orig/ipv6/netfilter/Makefile linux-2.6.13.1/net/ipv6/netfilter/Makefile +--- linux-2.6.13.1/net.orig/ipv6/netfilter/Makefile 2005-09-10 04:42:58.000000000 +0200 ++++ linux-2.6.13.1/net/ipv6/netfilter/Makefile 2005-09-15 08:50:48.456452000 +0200 +@@ -0,0 +0,1 @@ ++obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o ================================================================ Index: SOURCES/linux-2.6-nf-IPV4OPTSSTRIP.patch diff -u /dev/null SOURCES/linux-2.6-nf-IPV4OPTSSTRIP.patch:1.1.2.1 --- /dev/null Thu Sep 15 09:20:39 2005 +++ SOURCES/linux-2.6-nf-IPV4OPTSSTRIP.patch Thu Sep 15 09:20:33 2005 
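Review bot: `ip6t_hl_target()` writes `ip6h->hop_limit` without first making the header writable, unlike `ipt_ttl_target()` in the TTL patch, which calls `skb_ip_make_writable()` and returns `NF_DROP` on failure; on a cloned or shared skb that write would change data other holders of the buffer still reference. The header pointer should be taken only after such a check, e.g. `if (!skb_ip_make_writable(pskb, (*pskb)->len)) return NF_DROP;` followed by `ip6h = (*pskb)->nh.ipv6h;`, assuming that helper is usable from IPv6 code in this tree. The `diffs[]` array is filled in but never read; it is left over from the IPv4 checksum update and can be dropped, since IPv6 has no header checksum to patch. As with the TTL target, the set and increment modes deserve a sentence in the `IP6_NF_TARGET_HL` help saying that they can keep looping packets alive.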
@@ -0,0 +1,121 @@ + Kconfig | 10 +++++ + Makefile | 3 + + ipt_IPV4OPTSSTRIP.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 102 insertions(+) +diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.13.1/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c +--- linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.13.1/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c 2005-09-15 08:53:35.990922250 +0200 +@@ -0,0 +1,89 @@ ++/** ++ * Strip all IP options in the IP packet header. ++ * ++ * (C) 2001 by Fabrice MARIE <[EMAIL PROTECTED]> ++ * This software is distributed under GNU GPL v2, 1991 ++ */ ++ ++#include <linux/module.h> ++#include <linux/skbuff.h> ++#include <net/ip.h> ++#include <net/checksum.h> ++ ++#include <linux/netfilter_ipv4/ip_tables.h> ++ ++MODULE_AUTHOR("Fabrice MARIE <[EMAIL PROTECTED]>"); ++MODULE_DESCRIPTION("Strip all options in IPv4 packets"); ++MODULE_LICENSE("GPL"); ++ ++static unsigned int ++target(struct sk_buff **pskb, ++ const struct net_device *in, ++ const struct net_device *out, ++ unsigned int hooknum, ++ const void *targinfo, ++ void *userinfo) ++{ ++ struct iphdr *iph; ++ struct sk_buff *skb; ++ struct ip_options *opt; ++ unsigned char *optiph; ++ int l; ++ ++ if (!skb_ip_make_writable(pskb, (*pskb)->len)) ++ return NF_DROP; ++ ++ skb = (*pskb); ++ iph = (*pskb)->nh.iph; ++ optiph = skb->nh.raw; ++ l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen; ++ ++ /* if no options in packet then nothing to clear. 
*/
++ if (iph->ihl * 4 == sizeof(struct iphdr))
++ return IPT_CONTINUE;
++
++ /* else clear all options */
++ memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
++ memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
++ opt = &(IPCB(skb)->opt);
++ opt->is_data = 0;
++ opt->optlen = l;
++
++ skb->nfcache |= NFC_ALTERED;
++
++ return IPT_CONTINUE;
++}
++
++static int
++checkentry(const char *tablename,
++ const struct ipt_entry *e,
++ void *targinfo,
++ unsigned int targinfosize,
++ unsigned int hook_mask)
++{
++ if (strcmp(tablename, "mangle")) {
++ printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
++ return 0;
++ }
++ /* nothing else to check because no parameters */
++ return 1;
++}
++
++static struct ipt_target ipt_ipv4optsstrip_reg = {
++ .name = "IPV4OPTSSTRIP",
++ .target = target,
++ .checkentry = checkentry,
++ .me = THIS_MODULE };
++
++static int __init init(void)
++{
++ return ipt_register_target(&ipt_ipv4optsstrip_reg);
++}
++
++static void __exit fini(void)
++{
++ ipt_unregister_target(&ipt_ipv4optsstrip_reg);
++}
++
++module_init(init);
++module_exit(fini);
+diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/Kconfig linux-2.6.13.1/net/ipv4/netfilter/Kconfig
+--- linux-2.6.13.1/net.orig/ipv4/netfilter/Kconfig 2005-09-10 04:42:58.000000000 +0200
++++ linux-2.6.13.1/net/ipv4/netfilter/Kconfig 2005-09-15 08:53:35.998922750 +0200
+@@ -692,5 +692,15 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_TARGET_IPV4OPTSSTRIP
++ tristate 'IPV4OPTSSTRIP target support'
++ depends on IP_NF_MANGLE
++ help
++ This option adds an IPV4OPTSSTRIP target.
++ This target allows you to strip all IP options in a packet.
++
++ If you want to compile it as a module, say M here and read
++ Documentation/modules.txt. If unsure, say `N'.
++ + endmenu + +diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/Makefile linux-2.6.13.1/net/ipv4/netfilter/Makefile +--- linux-2.6.13.1/net.orig/ipv4/netfilter/Makefile 2005-09-10 04:42:58.000000000 +0200 ++++ linux-2.6.13.1/net/ipv4/netfilter/Makefile 2005-09-15 08:58:54.650837250 +0200 +@@ -0,0 +0,1 @@ ++obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o ================================================================ _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
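Review bot: In `target()` the length passed to the second `memset()` is read from `IPCB(skb)->opt.optlen` rather than from the header being overwritten, and nothing in the hunk checks that the two agree. If the control block has not been filled in for this packet at the hook where the rule runs, `l` is zero or stale, so the options are either left in place or the write runs past the option area. Deriving it from the header, `l = iph->ihl * 4 - sizeof(struct iphdr);`, ties the write to the bytes actually present. The header checksum is also left untouched after the option bytes are replaced with `IPOPT_NOOP`, although `<net/checksum.h>` is included; a call such as `ip_send_check(iph);` after the memset would bring `iph->check` back in line with the rewritten header.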