--- /dev/null
+diff -urN -X /tmp/fileVB9oIz --minimal tmp/include/linux/netfilter_ipv4/ipt_REJECT.h working-2.4.0-test3-9/include/linux/netfilter_ipv4/ipt_REJECT.h
+--- tmp/include/linux/netfilter_ipv4/ipt_REJECT.h Tue Mar 28 04:35:56 2000
++++ working-2.4.0-test3-9/include/linux/netfilter_ipv4/ipt_REJECT.h Tue Jul 11 17:36:54 2000
+@@ -6,7 +6,10 @@
+ IPT_ICMP_HOST_UNREACHABLE,
+ IPT_ICMP_PROT_UNREACHABLE,
+ IPT_ICMP_PORT_UNREACHABLE,
+- IPT_ICMP_ECHOREPLY
++ IPT_ICMP_ECHOREPLY,
++ IPT_ICMP_NET_PROHIBITED,
++ IPT_ICMP_HOST_PROHIBITED,
++ IPT_TCP_RESET
+ };
+
+ struct ipt_reject_info {
+diff -urN -X /tmp/fileVB9oIz --minimal tmp/net/core/netfilter.c working-2.4.0-test3-9/net/core/netfilter.c
+--- tmp/net/core/netfilter.c Fri Apr 14 10:19:57 2000
++++ working-2.4.0-test3-9/net/core/netfilter.c Wed Jul 12 12:18:42 2000
+@@ -261,11 +261,11 @@
+ if (skb->nf_debug != ((1 << NF_IP_PRE_ROUTING)
+ | (1 << NF_IP_FORWARD)
+ | (1 << NF_IP_POST_ROUTING))) {
+- /* Fragments will have no owners, but still
+- may be local */
+- if (!(skb->nh.iph->frag_off & htons(IP_MF|IP_OFFSET))
+- || skb->nf_debug != ((1 << NF_IP_LOCAL_OUT)
+- | (1 << NF_IP_POST_ROUTING))){
++ /* Fragments, entunnelled packets, TCP RSTs
++ generated by ipt_REJECT will have no
++ owners, but still may be local */
++ if (skb->nf_debug != ((1 << NF_IP_LOCAL_OUT)
++ | (1 << NF_IP_POST_ROUTING))){
+ printk("ip_finish_output:"
+ " bad unowned skb = %p: ",skb);
+ debug_print_hooks_ip(skb->nf_debug);
+diff -urN -X /tmp/fileVB9oIz --minimal tmp/net/ipv4/netfilter/ip_conntrack_core.c working-2.4.0-test3-9/net/ipv4/netfilter/ip_conntrack_core.c
+--- tmp/net/ipv4/netfilter/ip_conntrack_core.c Tue Jul 11 12:08:17 2000
++++ working-2.4.0-test3-9/net/ipv4/netfilter/ip_conntrack_core.c Tue Jul 11 17:12:08 2000
+@@ -551,6 +551,7 @@
+ resolve_normal_ct(struct sk_buff *skb,
+ struct ip_conntrack_protocol *proto,
+ int *set_reply,
++ unsigned int hooknum,
+ enum ip_conntrack_info *ctinfo)
+ {
+ struct ip_conntrack_tuple tuple;
+@@ -573,6 +574,21 @@
+ if (DIRECTION(h) == IP_CT_DIR_REPLY) {
+ /* Reply on unconfirmed connection => unclassifiable */
+ if (!(h->ctrack->status & IPS_CONFIRMED)) {
++ /* Exception: local TCP RSTs (generated by
++ REJECT target). */
++ if (hooknum == NF_IP_LOCAL_OUT
++ && h->tuple.dst.protonum == IPPROTO_TCP) {
++ const struct tcphdr *tcph
++ = (const struct tcphdr *)
++ ((u_int32_t *)skb->nh.iph
++ + skb->nh.iph->ihl);
++ if (tcph->rst) {
++ *ctinfo = IP_CT_ESTABLISHED
++ + IP_CT_IS_REPLY;
++ *set_reply = 0;
++ goto set_skb;
++ }
++ }
+ DEBUGP("Reply on unconfirmed connection\n");
+ ip_conntrack_put(h->ctrack);
+ return NULL;
+@@ -598,6 +614,7 @@
+ }
+ *set_reply = 0;
+ }
++ set_skb:
+ skb->nfct = &h->ctrack->infos[*ctinfo];
+ return h->ctrack;
+ }
+@@ -669,7 +686,7 @@
+ && icmp_error_track(*pskb, &ctinfo, hooknum))
+ return NF_ACCEPT;
+
+- if (!(ct = resolve_normal_ct(*pskb, proto, &set_reply, &ctinfo)))
++ if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo)))
+ /* Not valid part of a connection */
+ return NF_ACCEPT;
+
+diff -urN -X /tmp/fileVB9oIz --minimal tmp/net/ipv4/netfilter/ip_conntrack_standalone.c working-2.4.0-test3-9/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- tmp/net/ipv4/netfilter/ip_conntrack_standalone.c Fri Apr 28 08:43:15 2000
++++ working-2.4.0-test3-9/net/ipv4/netfilter/ip_conntrack_standalone.c Tue Jul 11 17:12:08 2000
+@@ -169,11 +169,15 @@
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+ {
+- /* We've seen it coming out the other side: confirm */
++ /* We've seen it coming out the other side: confirm (only if
++ new packet: REJECT can generate TCP RESET response, or ICMP
++ errors) */
+ if ((*pskb)->nfct) {
+ struct ip_conntrack *ct
+ = (struct ip_conntrack *)(*pskb)->nfct->master;
+- if (!(ct->status & IPS_CONFIRMED))
++ /* ctinfo is the index of the nfct inside the conntrack */
++ if ((*pskb)->nfct - ct->infos == IP_CT_NEW
++ && !(ct->status & IPS_CONFIRMED))
+ ip_conntrack_confirm(ct);
+ }
+ return NF_ACCEPT;
+@@ -191,7 +195,8 @@
+ if ((*pskb)->nfct) {
+ struct ip_conntrack *ct
+ = (struct ip_conntrack *)(*pskb)->nfct->master;
+- if (!(ct->status & IPS_CONFIRMED))
++ if ((*pskb)->nfct - ct->infos == IP_CT_NEW
++ && !(ct->status & IPS_CONFIRMED))
+ ip_conntrack_confirm(ct);
+ }
+
+diff -urN -X /tmp/fileVB9oIz --minimal tmp/net/ipv4/netfilter/ip_fw_compat.c working-2.4.0-test3-9/net/ipv4/netfilter/ip_fw_compat.c
+--- tmp/net/ipv4/netfilter/ip_fw_compat.c Tue Jul 11 12:08:17 2000
++++ working-2.4.0-test3-9/net/ipv4/netfilter/ip_fw_compat.c Tue Jul 11 17:12:08 2000
+@@ -71,7 +71,8 @@
+ struct ip_conntrack *ct
+ = (struct ip_conntrack *)skb->nfct->master;
+
+- if (!(ct->status & IPS_CONFIRMED))
++ if (skb->nfct - ct->infos == IP_CT_NEW
++ && !(ct->status & IPS_CONFIRMED))
+ ip_conntrack_confirm(ct);
+ }
+ }
+diff -urN -X /tmp/fileVB9oIz --minimal tmp/net/ipv4/netfilter/ipt_REJECT.c working-2.4.0-test3-9/net/ipv4/netfilter/ipt_REJECT.c
+--- tmp/net/ipv4/netfilter/ipt_REJECT.c Tue Jun 27 14:52:47 2000
++++ working-2.4.0-test3-9/net/ipv4/netfilter/ipt_REJECT.c Wed Jul 12 17:46:26 2000
+@@ -7,6 +7,7 @@
+ #include <linux/ip.h>
+ #include <net/icmp.h>
+ #include <net/ip.h>
++#include <net/tcp.h>
+ struct in_device;
+ #include <net/route.h>
+ #include <linux/netfilter_ipv4/ip_tables.h>
+@@ -18,6 +19,113 @@
+ #define DEBUGP(format, args...)
+ #endif
+
++/* Send RST reply */
++static void send_reset(struct sk_buff *oldskb)
++{
++ struct sk_buff *nskb;
++ struct tcphdr *tcph;
++ struct rtable *rt;
++ unsigned int tcplen;
++ int needs_ack;
++
++ /* Clone skb (skb is about to be dropped, so we don't care) */
++ nskb = skb_clone(oldskb, GFP_ATOMIC);
++ if (!nskb)
++ return;
++
++ /* This packet will not be the same as the other: clear nf fields */
++ nf_conntrack_put(nskb->nfct);
++ nskb->nfct = NULL;
++ nskb->nfcache = 0;
++#ifdef CONFIG_NETFILTER_DEBUG
++ nskb->nf_debug = 0;
++#endif
++
++ /* IP header checks: fragment, too short. */
++ if (nskb->nh.iph->frag_off & htons(IP_OFFSET)
++ || nskb->len < (nskb->nh.iph->ihl<<2) + sizeof(struct tcphdr))
++ goto free_nskb;
++
++ tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
++ tcplen = nskb->len - nskb->nh.iph->ihl*4;
++
++ /* Check checksum. */
++ if (tcp_v4_check(tcph, tcplen, nskb->nh.iph->saddr,
++ nskb->nh.iph->daddr,
++ csum_partial((char *)tcph, tcplen, 0)) != 0)
++ goto free_nskb;
++
++ /* No RST for RST. */
++ if (tcph->rst)
++ goto free_nskb;
++
++ nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
++ tcph->source = xchg(&tcph->dest, tcph->source);
++
++ /* Truncate to length (no data) */
++ tcph->doff = sizeof(struct tcphdr)/4;
++ skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
++
++ if (tcph->ack) {
++ needs_ack = 0;
++ tcph->seq = tcph->ack_seq;
++ tcph->ack_seq = 0;
++ } else {
++ needs_ack = 1;
++ tcph->seq = 0;
++ tcph->ack_seq = htonl(ntohl(tcph->seq) + tcph->syn + tcph->fin
++ + tcplen - (tcph->doff<<2));
++ }
++
++ /* Reset flags */
++ ((u_int8_t *)tcph)[13] = 0;
++ tcph->rst = 1;
++ if (needs_ack)
++ tcph->ack = 1;
++
++ tcph->window = 0;
++ tcph->urg_ptr = 0;
++
++ /* Adjust TCP checksum */
++ tcph->check = 0;
++ tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
++ nskb->nh.iph->saddr,
++ nskb->nh.iph->daddr,
++ csum_partial((char *)tcph,
++ sizeof(struct tcphdr), 0));
++
++ /* Adjust IP TTL, DF */
++ nskb->nh.iph->ttl = MAXTTL;
++ /* Set DF, id = 0 */
++ nskb->nh.iph->frag_off = htons(IP_DF);
++ nskb->nh.iph->id = 0;
++
++ /* Adjust IP checksum */
++ nskb->nh.iph->check = 0;
++ nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
++ nskb->nh.iph->ihl);
++
++ /* Routing */
++ if (ip_route_output(&rt, nskb->nh.iph->daddr, nskb->nh.iph->saddr,
++ RT_TOS(nskb->nh.iph->tos) | RTO_CONN,
++ 0) != 0)
++ goto free_nskb;
++
++ dst_release(nskb->dst);
++ nskb->dst = &rt->u.dst;
++
++ /* "Never happens" */
++ if (nskb->len > nskb->dst->pmtu)
++ goto free_nskb;
++
++ NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
++ ip_finish_output);
++ return;
++
++ free_nskb:
++ kfree_skb(nskb);
++}
++
+ static unsigned int reject(struct sk_buff **pskb,
+ unsigned int hooknum,
+ const struct net_device *in,
+@@ -43,6 +151,12 @@
+ case IPT_ICMP_PORT_UNREACHABLE:
+ icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+ break;
++ case IPT_ICMP_NET_PROHIBITED:
++ icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0);
++ break;
++ case IPT_ICMP_HOST_PROHIBITED:
++ icmp_send(*pskb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0);
++ break;
+ case IPT_ICMP_ECHOREPLY: {
+ struct icmphdr *icmph = (struct icmphdr *)
+ ((u_int32_t *)(*pskb)->nh.iph + (*pskb)->nh.iph->ihl);
+@@ -64,6 +178,9 @@
+ }
+ }
+ break;
++ case IPT_TCP_RESET:
++ send_reset(*pskb);
++ break;
+ }
+
+ return NF_DROP;
+@@ -96,7 +213,7 @@
+
+ /* Only allow these for packet filtering. */
+ if (strcmp(tablename, "filter") != 0) {
+- DEBUGP("REJECT: bad table `%s'.\n", table);
++ DEBUGP("REJECT: bad table `%s'.\n", tablename);
+ return 0;
+ }
+ if ((hook_mask & ~((1 << NF_IP_LOCAL_IN)
+@@ -116,6 +233,18 @@
+ /* Must contain ICMP match. */
+ if (IPT_MATCH_ITERATE(e, find_ping_match) == 0) {
+ DEBUGP("REJECT: ECHOREPLY illegal for non-ping\n");
++ return 0;
++ }
++ } else if (rejinfo->with == IPT_TCP_RESET) {
++ /* Must specify that it's a TCP packet */
++ if (e->ip.proto != IPPROTO_TCP
++ || (e->ip.invflags & IPT_INV_PROTO)) {
++ DEBUGP("REJECT: TCP_RESET illegal for non-tcp\n");
++ return 0;
++ }
++ /* Only for local input. Rest is too dangerous. */
++ if ((hook_mask & ~(1 << NF_IP_LOCAL_IN)) != 0) {
++ DEBUGP("REJECT: TCP_RESET only from INPUT\n");
+ return 0;
+ }
+ }
projects / thirdparty / iptables.git / commitdiff
