From: Arne Fitzenreiter Date: Sun, 14 Feb 2010 10:13:20 +0000 (+0100) Subject: Updated iptables (1.4.6). X-Git-Tag: v2.9-beta1~412^2~70^2~4 X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=3dad55587b21897d2f7ffe31b8f6f058b3103c03 Updated iptables (1.4.6). --- diff --git a/lfs/iptables b/lfs/iptables index 99afe2bfc8..247ec1eb26 100644 --- a/lfs/iptables +++ b/lfs/iptables @@ -24,7 +24,7 @@ include Config -VER = 1.4.2 +VER = 1.4.6 THISAPP = iptables-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -36,17 +36,17 @@ TARGET = $(DIR_INFO)/$(THISAPP) # Top-level Rules ############################################################################### objects = $(DL_FILE) \ - netfilter-layer7-v2.21.tar.gz \ + netfilter-layer7-v2.22.tar.gz \ libnfnetlink-0.0.41.tar.bz2 \ libnetfilter_queue-0.0.17.tar.bz2 $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -netfilter-layer7-v2.21.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.21.tar.gz +netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.22.tar.gz libnfnetlink-0.0.41.tar.bz2 = $(URL_IPFIRE)/libnfnetlink-0.0.41.tar.bz2 libnetfilter_queue-0.0.17.tar.bz2 = $(URL_IPFIRE)/libnetfilter_queue-0.0.17.tar.bz2 -$(DL_FILE)_MD5 = a138d1c2e74321e0e4e228a9fb301c9a -netfilter-layer7-v2.21.tar.gz_MD5 = 838422e7d9a06b42e682e9064e5210b5 +$(DL_FILE)_MD5 = c67cf30e281a924def6426be0973df56 +netfilter-layer7-v2.22.tar.gz_MD5 = 98dff8a3d5a31885b73341633f69501f libnfnetlink-0.0.41.tar.bz2_MD5 = 5d844ea1f557bad0364d5b85cd10c796 libnetfilter_queue-0.0.17.tar.bz2_MD5 = 2cde35e678ead3a8f9eb896bf807a159 @@ -80,18 +80,21 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-0.0.41 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.17 @cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.21.tar.gz - cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/* \ + -cd /usr/include && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.6-errorno_includes.patch + cp -rf /usr/src/linux/include/linux/netfilter /usr/include/linux + + # Layer7 + cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.22.tar.gz + cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \ ./extensions/ # ipp2p 0.8.2-pomng - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.1.1-ipp2p-0.8.2-pomng.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.6-ipp2p-0.8.2-pomng.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.2-imq.patch + # imq + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.6-imq_test1.patch chmod +x $(DIR_APP)/extensions/.IMQ-test* - # hack to disable IPv6 compilation as the configuration variable does not work when ip6.h is present - # cd $(DIR_APP) && sed -i -e 's/DO_IPV6:=1/DO_IPV6:=0/' Makefile cd $(DIR_APP) && ./configure --prefix=/usr --with-ksource=/usr/src/linux \ --libdir=/lib --includedir=/usr/include --enable-libipq \ --libexecdir=/lib --bindir=/sbin \ @@ -99,13 +102,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install - cd $(DIR_APP) && cp -fva include/* /usr/include - -mkdir /usr/include/libiptc - cd $(DIR_APP) && cp -vf include/libiptc/{libiptc.h,ipt_kernel_headers.h} \ - /usr/include/libiptc - cd $(DIR_APP) && cp -vf libiptc/{*.o,*.a} \ - /lib - cd $(DIR_SRC) && tar xfj $(DIR_DL)/libnfnetlink-0.0.41.tar.bz2 cd $(DIR_SRC)/libnfnetlink-0.0.41 && ./configure --prefix=/usr cd $(DIR_SRC)/libnfnetlink-0.0.41 && make $(MAKETUNING) $(EXTRA_MAKE) @@ -115,5 +111,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_SRC)/libnetfilter_queue-0.0.17 && ./configure --prefix=/usr cd $(DIR_SRC)/libnetfilter_queue-0.0.17 && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_SRC)/libnetfilter_queue-0.0.17 && make install + @rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-0.0.41 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.17 @$(POSTBUILD) diff --git a/src/patches/iptables-1.4.6-errorno_includes.patch b/src/patches/iptables-1.4.6-errorno_includes.patch new file mode 100644 index 0000000000..a25c5a313c --- /dev/null +++ b/src/patches/iptables-1.4.6-errorno_includes.patch @@ -0,0 +1,170 @@ +diff -Naur include.org/asm/errno.h include/asm/errno.h +--- include.org/asm/errno.h 2010-02-12 18:21:40.000000000 +0100 ++++ include/asm/errno.h 2010-02-12 18:19:41.000000000 +0100 +@@ -5,4 +5,8 @@ + #include + #endif + ++#ifndef _ASM_GENERIC_ERRNO_H ++ #include ++#endif ++ + #endif +diff -Naur include.org/asm-generic/errno-base.h include/asm-generic/errno-base.h +--- include.org/asm-generic/errno-base.h 1970-01-01 01:00:00.000000000 +0100 ++++ include/asm-generic/errno-base.h 2010-02-09 13:57:19.000000000 +0100 +@@ -0,0 +1,39 @@ ++#ifndef _ASM_GENERIC_ERRNO_BASE_H ++#define _ASM_GENERIC_ERRNO_BASE_H ++ ++#define EPERM 1 /* Operation not permitted */ ++#define ENOENT 2 /* No such file or directory */ ++#define ESRCH 3 /* No such process */ ++#define EINTR 4 /* Interrupted system call */ ++#define EIO 5 /* I/O error */ ++#define ENXIO 6 /* No such device or address */ ++#define E2BIG 7 /* Argument list too long */ ++#define ENOEXEC 8 /* Exec format error */ ++#define EBADF 9 /* Bad file number */ ++#define ECHILD 10 /* No child processes */ ++#define EAGAIN 11 /* Try again */ ++#define ENOMEM 12 /* Out of memory */ ++#define EACCES 13 /* Permission denied */ ++#define EFAULT 14 /* Bad address */ ++#define ENOTBLK 15 /* Block device required */ ++#define EBUSY 16 /* Device or resource busy */ ++#define EEXIST 17 /* File exists */ ++#define EXDEV 18 /* Cross-device link */ ++#define ENODEV 19 /* No such device */ ++#define ENOTDIR 20 /* Not a directory */ ++#define EISDIR 21 /* Is a directory */ ++#define EINVAL 22 /* Invalid argument */ ++#define ENFILE 23 /* File table overflow */ ++#define EMFILE 24 /* Too many open files */ ++#define ENOTTY 25 /* Not a typewriter */ ++#define ETXTBSY 26 /* Text file busy */ ++#define EFBIG 27 /* File too large */ ++#define ENOSPC 28 /* No space left on device */ ++#define ESPIPE 29 /* Illegal seek */ ++#define EROFS 30 /* Read-only file system */ ++#define EMLINK 31 /* Too many links */ ++#define EPIPE 32 /* Broken pipe */ ++#define EDOM 33 /* Math argument out of domain of func */ ++#define ERANGE 34 /* Math result not representable */ ++ ++#endif +diff -Naur include.org/asm-generic/errno.h include/asm-generic/errno.h +--- include.org/asm-generic/errno.h 1970-01-01 01:00:00.000000000 +0100 ++++ include/asm-generic/errno.h 2010-02-09 13:57:19.000000000 +0100 +@@ -0,0 +1,111 @@ ++#ifndef _ASM_GENERIC_ERRNO_H ++#define _ASM_GENERIC_ERRNO_H ++ ++#include ++ ++#define EDEADLK 35 /* Resource deadlock would occur */ ++#define ENAMETOOLONG 36 /* File name too long */ ++#define ENOLCK 37 /* No record locks available */ ++#define ENOSYS 38 /* Function not implemented */ ++#define ENOTEMPTY 39 /* Directory not empty */ ++#define ELOOP 40 /* Too many symbolic links encountered */ ++#define EWOULDBLOCK EAGAIN /* Operation would block */ ++#define ENOMSG 42 /* No message of desired type */ ++#define EIDRM 43 /* Identifier removed */ ++#define ECHRNG 44 /* Channel number out of range */ ++#define EL2NSYNC 45 /* Level 2 not synchronized */ ++#define EL3HLT 46 /* Level 3 halted */ ++#define EL3RST 47 /* Level 3 reset */ ++#define ELNRNG 48 /* Link number out of range */ ++#define EUNATCH 49 /* Protocol driver not attached */ ++#define ENOCSI 50 /* No CSI structure available */ ++#define EL2HLT 51 /* Level 2 halted */ ++#define EBADE 52 /* Invalid exchange */ ++#define EBADR 53 /* Invalid request descriptor */ ++#define EXFULL 54 /* Exchange full */ ++#define ENOANO 55 /* No anode */ ++#define EBADRQC 56 /* Invalid request code */ ++#define EBADSLT 57 /* Invalid slot */ ++ ++#define EDEADLOCK EDEADLK ++ ++#define EBFONT 59 /* Bad font file format */ ++#define ENOSTR 60 /* Device not a stream */ ++#define ENODATA 61 /* No data available */ ++#define ETIME 62 /* Timer expired */ ++#define ENOSR 63 /* Out of streams resources */ ++#define ENONET 64 /* Machine is not on the network */ ++#define ENOPKG 65 /* Package not installed */ ++#define EREMOTE 66 /* Object is remote */ ++#define ENOLINK 67 /* Link has been severed */ ++#define EADV 68 /* Advertise error */ ++#define ESRMNT 69 /* Srmount error */ ++#define ECOMM 70 /* Communication error on send */ ++#define EPROTO 71 /* Protocol error */ ++#define EMULTIHOP 72 /* Multihop attempted */ ++#define EDOTDOT 73 /* RFS specific error */ ++#define EBADMSG 74 /* Not a data message */ ++#define EOVERFLOW 75 /* Value too large for defined data type */ ++#define ENOTUNIQ 76 /* Name not unique on network */ ++#define EBADFD 77 /* File descriptor in bad state */ ++#define EREMCHG 78 /* Remote address changed */ ++#define ELIBACC 79 /* Can not access a needed shared library */ ++#define ELIBBAD 80 /* Accessing a corrupted shared library */ ++#define ELIBSCN 81 /* .lib section in a.out corrupted */ ++#define ELIBMAX 82 /* Attempting to link in too many shared libraries */ ++#define ELIBEXEC 83 /* Cannot exec a shared library directly */ ++#define EILSEQ 84 /* Illegal byte sequence */ ++#define ERESTART 85 /* Interrupted system call should be restarted */ ++#define ESTRPIPE 86 /* Streams pipe error */ ++#define EUSERS 87 /* Too many users */ ++#define ENOTSOCK 88 /* Socket operation on non-socket */ ++#define EDESTADDRREQ 89 /* Destination address required */ ++#define EMSGSIZE 90 /* Message too long */ ++#define EPROTOTYPE 91 /* Protocol wrong type for socket */ ++#define ENOPROTOOPT 92 /* Protocol not available */ ++#define EPROTONOSUPPORT 93 /* Protocol not supported */ ++#define ESOCKTNOSUPPORT 94 /* Socket type not supported */ ++#define EOPNOTSUPP 95 /* Operation not supported on transport endpoint */ ++#define EPFNOSUPPORT 96 /* Protocol family not supported */ ++#define EAFNOSUPPORT 97 /* Address family not supported by protocol */ ++#define EADDRINUSE 98 /* Address already in use */ ++#define EADDRNOTAVAIL 99 /* Cannot assign requested address */ ++#define ENETDOWN 100 /* Network is down */ ++#define ENETUNREACH 101 /* Network is unreachable */ ++#define ENETRESET 102 /* Network dropped connection because of reset */ ++#define ECONNABORTED 103 /* Software caused connection abort */ ++#define ECONNRESET 104 /* Connection reset by peer */ ++#define ENOBUFS 105 /* No buffer space available */ ++#define EISCONN 106 /* Transport endpoint is already connected */ ++#define ENOTCONN 107 /* Transport endpoint is not connected */ ++#define ESHUTDOWN 108 /* Cannot send after transport endpoint shutdown */ ++#define ETOOMANYREFS 109 /* Too many references: cannot splice */ ++#define ETIMEDOUT 110 /* Connection timed out */ ++#define ECONNREFUSED 111 /* Connection refused */ ++#define EHOSTDOWN 112 /* Host is down */ ++#define EHOSTUNREACH 113 /* No route to host */ ++#define EALREADY 114 /* Operation already in progress */ ++#define EINPROGRESS 115 /* Operation now in progress */ ++#define ESTALE 116 /* Stale NFS file handle */ ++#define EUCLEAN 117 /* Structure needs cleaning */ ++#define ENOTNAM 118 /* Not a XENIX named type file */ ++#define ENAVAIL 119 /* No XENIX semaphores available */ ++#define EISNAM 120 /* Is a named type file */ ++#define EREMOTEIO 121 /* Remote I/O error */ ++#define EDQUOT 122 /* Quota exceeded */ ++ ++#define ENOMEDIUM 123 /* No medium found */ ++#define EMEDIUMTYPE 124 /* Wrong medium type */ ++#define ECANCELED 125 /* Operation Canceled */ ++#define ENOKEY 126 /* Required key not available */ ++#define EKEYEXPIRED 127 /* Key has expired */ ++#define EKEYREVOKED 128 /* Key has been revoked */ ++#define EKEYREJECTED 129 /* Key was rejected by service */ ++ ++/* for robust mutexes */ ++#define EOWNERDEAD 130 /* Owner died */ ++#define ENOTRECOVERABLE 131 /* State not recoverable */ ++ ++#define ERFKILL 132 /* Operation not possible due to RF-kill */ ++ ++#endif diff --git a/src/patches/iptables-1.4.6-imq_test1.patch b/src/patches/iptables-1.4.6-imq_test1.patch new file mode 100644 index 0000000000..2b4fb79cb0 --- /dev/null +++ b/src/patches/iptables-1.4.6-imq_test1.patch @@ -0,0 +1,126 @@ +diff -Naurw iptables-1.4.1/extensions/.IMQ-testx iptables-1.4.1.imq/extensions/.IMQ-testx +--- iptables-1.4.1/extensions/.IMQ-testx 1969-12-31 21:00:00.000000000 -0300 ++++ iptables-1.4.1.imq/extensions/.IMQ-testx 2008-06-24 22:20:06.000000000 -0300 +@@ -0,0 +1,3 @@ ++#!/bin/sh ++# True if IMQ target patch is applied. ++[ -f $KERNEL_DIR/include/linux/netfilter/xt_IMQ.h ] && echo IMQ +diff -Naurw iptables-1.4.1/extensions/libxt_IMQ.c iptables-1.4.1.imq/extensions/libxt_IMQ.c +--- iptables-1.4.1/extensions/libxt_IMQ.c 1969-12-31 21:00:00.000000000 -0300 ++++ iptables-1.4.1.imq/extensions/libxt_IMQ.c 2008-06-24 22:31:02.000000000 -0300 +@@ -0,0 +1,103 @@ ++/* Shared library add-on to iptables to add IMQ target support. */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Function which prints out usage message. */ ++static void IMQ_help(void) ++{ ++ printf( ++"IMQ target options:\n" ++" --todev enqueue to imq, defaults to 0\n"); ++ ++} ++ ++static struct option IMQ_opts[] = { ++ { "todev", 1, 0, '1' }, ++ { 0 } ++}; ++ ++/* Initialize the target. */ ++static void IMQ_init(struct xt_entry_target *t) ++{ ++ struct xt_imq_info *mr = (struct xt_imq_info*)t->data; ++ ++ mr->todev = 0; ++} ++ ++/* Function which parses command options; returns true if it ++ ate an option */ ++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ struct xt_imq_info *mr = (struct xt_imq_info*)(*target)->data; ++ ++ switch(c) { ++ case '1': ++ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv)) ++ xtables_error(PARAMETER_PROBLEM, ++ "Unexpected `!' for --todev"); ++ mr->todev=atoi(optarg); ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++/* Prints out the targinfo. */ ++static void IMQ_print(const void *ip, ++ const struct xt_entry_target *target, ++ int numeric) ++{ ++ struct xt_imq_info *mr = (struct xt_imq_info*)target->data; ++ ++ printf("IMQ: todev %u ", mr->todev); ++} ++ ++/* Saves the union ipt_targinfo in parsable form to stdout. */ ++static void IMQ_save(const void *ip, const struct xt_entry_target *target) ++{ ++ struct xt_imq_info *mr = (struct xt_imq_info*)target->data; ++ ++ printf("--todev %u", mr->todev); ++} ++ ++static struct xtables_target imq_target = { ++ .name = "IMQ", ++ .version = XTABLES_VERSION, ++ .family = NFPROTO_IPV4, ++ .size = XT_ALIGN(sizeof(struct xt_imq_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_imq_info)), ++ .help = IMQ_help, ++ .init = IMQ_init, ++ .parse = IMQ_parse, ++ .print = IMQ_print, ++ .save = IMQ_save, ++ .extra_opts = IMQ_opts, ++}; ++ ++static struct xtables_target imq_target6 = { ++ .name = "IMQ", ++ .version = XTABLES_VERSION, ++ .family = NFPROTO_IPV6, ++ .size = XT_ALIGN(sizeof(struct xt_imq_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_imq_info)), ++ .help = IMQ_help, ++ .init = IMQ_init, ++ .parse = IMQ_parse, ++ .print = IMQ_print, ++ .save = IMQ_save, ++ .extra_opts = IMQ_opts, ++}; ++ ++// void __attribute((constructor)) nf_ext_init(void){ ++void _init(void){ ++ xtables_register_target(&imq_target); ++ xtables_register_target(&imq_target6); ++} +--- iptables-1.4.1.1/include/linux/netfilter/xt_IMQ.h 1970-01-01 02:00:00.000000000 +0200 ++++ iptables-1.4.1.1.new/include/linux/netfilter/xt_IMQ.h 2008-08-05 00:41:28.000000000 +0300 +@@ -0,0 +1,9 @@ ++#ifndef _XT_IMQ_H ++#define _XT_IMQ_H ++ ++struct xt_imq_info { ++ unsigned int todev; /* target imq device */ ++}; ++ ++#endif /* _XT_IMQ_H */ ++ diff --git a/src/patches/iptables-1.4.6-ipp2p-0.8.2-pomng.patch b/src/patches/iptables-1.4.6-ipp2p-0.8.2-pomng.patch new file mode 100644 index 0000000000..5f9c3071a7 --- /dev/null +++ b/src/patches/iptables-1.4.6-ipp2p-0.8.2-pomng.patch @@ -0,0 +1,481 @@ +diff -Naur iptables-1.4.6.org/extensions/.ipp2p-test iptables-1.4.6/extensions/.ipp2p-test +--- iptables-1.4.6.org/extensions/.ipp2p-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.4.6/extensions/.ipp2p-test 2010-02-13 20:02:52.000000000 +0100 +@@ -0,0 +1,2 @@ ++#! /bin/sh ++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipp2p.h ] && echo ipp2p +diff -Naur iptables-1.4.6.org/extensions/libipt_ipp2p.c iptables-1.4.6/extensions/libipt_ipp2p.c +--- iptables-1.4.6.org/extensions/libipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.4.6/extensions/libipt_ipp2p.c 2010-02-13 20:02:52.000000000 +0100 +@@ -0,0 +1,424 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++ ++#ifndef XTABLES_VERSION ++#define XTABLES_VERSION IPTABLES_VERSION ++#endif ++ ++#ifdef IPT_LIB_DIR ++#define xtables_target iptables_target ++#define xtables_register_target register_target ++#endif ++ ++static void ++help(void) ++{ ++ printf( ++ "IPP2P v%s options:\n" ++ " --ipp2p Grab all known p2p packets\n" ++ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n" ++ " --dc [TCP] All known Direct Connect packets\n" ++ " --kazaa [TCP&UDP] All known KaZaA packets\n" ++ " --gnu [TCP&UDP] All known Gnutella packets\n" ++ " --bit [TCP&UDP] All known BitTorrent packets\n" ++ " --apple [TCP] All known AppleJuice packets\n" ++ " --winmx [TCP] All known WinMX\n" ++ " --soul [TCP] All known SoulSeek\n" ++ " --ares [TCP] All known Ares\n\n" ++ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n" ++ " --mute [TCP] All known Mute packets\n" ++ " --waste [TCP] All known Waste packets\n" ++ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n" ++ " DEBUG SUPPPORT, use only if you know why\n" ++ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n" ++ "\nNote that the follwing options will have the same meaning:\n" ++ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n" ++ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n" ++ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n" ++ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n" ++ "\nExamples:\n" ++ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n" ++ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n" ++ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n" ++ , IPP2P_VERSION); ++} ++ ++static struct option opts[] = { ++ { "ipp2p", 0, 0, '1' }, ++ { "edk", 0, 0, '2' }, ++ { "dc", 0, 0, '7' }, ++ { "gnu", 0, 0, '9' }, ++ { "kazaa", 0, 0, 'a' }, ++ { "bit", 0, 0, 'b' }, ++ { "apple", 0, 0, 'c' }, ++ { "soul", 0, 0, 'd' }, ++ { "winmx", 0, 0, 'e' }, ++ { "ares", 0, 0, 'f' }, ++ { "mute", 0, 0, 'g' }, ++ { "waste", 0, 0, 'h' }, ++ { "xdcc", 0, 0, 'i' }, ++ { "debug", 0, 0, 'j' }, ++ {0} ++}; ++ ++ ++static void ++#ifdef _XTABLES_H ++init(struct xt_entry_match *m) ++#else ++init(struct ipt_entry_match *t, unsigned int *nfcache) ++#endif ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data; ++ ++#ifndef _XTABLES_H ++ *nfcache |= NFC_UNKNOWN; ++#endif ++ ++ /*init the module with default values*/ ++ info->cmd = 0; ++ info->debug = 0; ++ ++} ++ ++ ++static int ++parse(int c, char **argv, int invert, unsigned int *flags, ++#ifdef _XTABLES_H ++ const void *entry, struct xt_entry_match **match) ++#else ++ const struct ipt_entry *entry, unsigned int *nfcache, struct ipt_entry_match **match) ++#endif ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data; ++ ++ switch (c) { ++ case '1': /*cmd: ipp2p*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified once!"); ++ ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!"); ++*/ ++ ++ if ((*flags) != 0) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += SHORT_HAND_IPP2P; ++ info->cmd = *flags; ++ break; ++ ++ case '2': /*cmd: edk*/ ++ if ((*flags & IPP2P_EDK) == IPP2P_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--edk' may only be " ++ "specified once"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--edk' OR `--edk-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_EDK; ++ info->cmd = *flags; ++ break; ++ ++ ++ case '7': /*cmd: dc*/ ++ if ((*flags & IPP2P_DC) == IPP2P_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--dc' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--dc' OR `--dc-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_DC; ++ info->cmd = *flags; ++ break; ++ ++ ++ case '9': /*cmd: gnu*/ ++ if ((*flags & IPP2P_GNU) == IPP2P_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--gnu' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_GNU; ++ info->cmd = *flags; ++ break; ++ ++ case 'a': /*cmd: kazaa*/ ++ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--kazaa' may only be " ++ "specified once!"); ++/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p-data' may only be " ++ "specified alone!");*/ ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_KAZAA; ++ info->cmd = *flags; ++ break; ++ ++ case 'b': /*cmd: bit*/ ++ if ((*flags & IPP2P_BIT) == IPP2P_BIT) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--bit' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_BIT; ++ info->cmd = *flags; ++ break; ++ ++ case 'c': /*cmd: apple*/ ++ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--apple' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_APPLE; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'd': /*cmd: soul*/ ++ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--soul' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_SOUL; ++ info->cmd = *flags; ++ break; ++ ++ ++ case 'e': /*cmd: winmx*/ ++ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--winmx' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_WINMX; ++ info->cmd = *flags; ++ break; ++ ++ case 'f': /*cmd: ares*/ ++ if ((*flags & IPP2P_ARES) == IPP2P_ARES) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ares' may only be " ++ "specified once!"); ++ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ipp2p' may only be " ++ "specified alone!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_ARES; ++ info->cmd = *flags; ++ break; ++ ++ case 'g': /*cmd: mute*/ ++ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--mute' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_MUTE; ++ info->cmd = *flags; ++ break; ++ case 'h': /*cmd: waste*/ ++ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--waste' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_WASTE; ++ info->cmd = *flags; ++ break; ++ case 'i': /*cmd: xdcc*/ ++ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC) ++ exit_error(PARAMETER_PROBLEM, ++ "ipp2p: `--ares' may only be " ++ "specified once!"); ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ *flags += IPP2P_XDCC; ++ info->cmd = *flags; ++ break; ++ ++ case 'j': /*cmd: debug*/ ++ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!"); ++ info->debug = 1; ++ break; ++ ++ default: ++// exit_error(PARAMETER_PROBLEM, ++// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++ return 0; ++ } ++ return 1; ++} ++ ++ ++static void ++final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, ++ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n"); ++} ++ ++static void ++#ifdef _XTABLES_H ++print(const void *ip, ++ const struct xt_entry_match *match, ++#else ++print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, ++#endif ++ int numeric) ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ printf("ipp2p v%s", IPP2P_VERSION); ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p"); ++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data"); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa"); ++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data"); ++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data"); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu"); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk"); ++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data"); ++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data"); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc"); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit"); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple"); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul"); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx"); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares"); ++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); ++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); ++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); ++ if (info->debug != 0) printf(" --debug"); ++ printf(" "); ++} ++ ++static void ++#ifdef _XTABLES_H ++save(const void *ip, ++ const struct xt_entry_match *match) ++#else ++save(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match) ++#endif ++{ ++ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data; ++ ++ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p "); ++// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data "); ++ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa "); ++// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data "); ++// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data "); ++ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu "); ++ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk "); ++// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data "); ++// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data "); ++ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc "); ++ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit "); ++ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple "); ++ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul "); ++ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx "); ++ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares "); ++ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute"); ++ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste"); ++ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc"); ++ if (info->debug != 0) printf("--debug "); ++} ++ ++ ++static ++struct xtables_match ipp2p= ++{ ++ .next = NULL, ++ .name = "ipp2p", ++ .version = XTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)), ++ .help = &help, ++ .init = &init, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++ ++ ++void _init(void) ++{ ++ xtables_register_match(&ipp2p); ++} ++ +diff -Naur iptables-1.4.6.org/extensions/libipt_ipp2p.man iptables-1.4.6/extensions/libipt_ipp2p.man +--- iptables-1.4.6.org/extensions/libipt_ipp2p.man 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.4.6/extensions/libipt_ipp2p.man 2010-02-13 20:02:52.000000000 +0100 +@@ -0,0 +1,43 @@ ++This module matches certain packets in P2P flows. It is not ++designed to match all packets belonging to a P2P connection - ++use IPP2P together with CONNMARK for this purpose. Also visit ++http://www.ipp2p.org for detailed information. ++ ++Use it together with -p tcp or -p udp to search these protocols ++only or without -p switch to search packets of both protocols. ++ ++IPP2P provides the following options: ++.TP ++.B "--edk " ++Matches as many eDonkey/eMule packets as possible. ++.TP ++.B "--kazaa " ++Matches as many KaZaA packets as possible. ++.TP ++.B "--gnu " ++Matches as many Gnutella packets as possible. ++.TP ++.B "--dc " ++Matches as many Direct Connect packets as possible. ++.TP ++.B "--bit " ++Matches BitTorrent packets. ++.TP ++.B "--apple " ++Matches AppleJuice packets. ++.TP ++.B "--soul " ++Matches some SoulSeek packets. Considered as beta, use careful! ++.TP ++.B "--winmx " ++Matches some WinMX packets. Considered as beta, use careful! ++.TP ++.B "--ares " ++Matches Ares and AresLite packets. Use together with -j DROP only. ++.TP ++.B "--ipp2p " ++Short hand for: --edk --kazaa --gnu --dc ++.TP ++.B "--debug " ++Prints some information about each hit into kernel logfile. May ++produce huge logfiles so beware!