1 diff -Naurp linux-2.4.34/Documentation/Configure.help linux-2.4.34.patched/Documentation/Configure.help
2 --- linux-2.4.34/Documentation/Configure.help 2007-07-08 05:01:42.000000000 +0200
3 +++ linux-2.4.34.patched/Documentation/Configure.help 2007-07-08 05:02:26.000000000 +0200
4 @@ -2914,6 +2914,15 @@ CONFIG_IP_NF_MATCH_MAC
5 If you want to compile it as a module, say M here and read
6 <file:Documentation/modules.txt>. If unsure, say `N'.
9 +CONFIG_IP_NF_MATCH_RANDOM
10 + This option adds a `random' match,
11 + which allow you to match packets randomly
12 + following a given probability.
14 + If you want to compile it as a module, say M here and read
15 + Documentation/modules.txt. If unsure, say `N'.
17 Netfilter MARK match support
18 CONFIG_IP_NF_MATCH_MARK
19 Netfilter mark matching allows you to match packets based on the
20 @@ -3221,6 +3230,7 @@ CONFIG_IP_NF_MATCH_HELPER
21 If you want to compile it as a module, say M here and read
22 Documentation/modules.txt. If unsure, say `Y'.
26 CONFIG_IP_NF_MATCH_TCPMSS
27 This option adds a `tcpmss' match, which allows you to examine the
28 @@ -3299,6 +3309,14 @@ CONFIG_IP6_NF_MATCH_MAC
29 If you want to compile it as a module, say M here and read
30 <file:Documentation/modules.txt>. If unsure, say `N'.
32 +CONFIG_IP6_NF_MATCH_RANDOM
33 + This option adds a `random' match,
34 + which allow you to match packets randomly
35 + following a given probability.
37 + If you want to compile it as a module, say M here and read
38 + Documentation/modules.txt. If unsure, say `N'.
41 CONFIG_IP6_NF_MATCH_LENGTH
42 This option allows you to match the length of a packet against a
43 diff -Naurp linux-2.4.34/include/linux/netfilter_ipv4/ipt_random.h linux-2.4.34.patched/include/linux/netfilter_ipv4/ipt_random.h
44 --- linux-2.4.34/include/linux/netfilter_ipv4/ipt_random.h 1970-01-01 01:00:00.000000000 +0100
45 +++ linux-2.4.34.patched/include/linux/netfilter_ipv4/ipt_random.h 2007-07-08 05:02:26.000000000 +0200
50 +#include <linux/param.h>
51 +#include <linux/types.h>
53 +struct ipt_rand_info {
57 +#endif /*_IPT_RAND_H*/
58 diff -Naurp linux-2.4.34/include/linux/netfilter_ipv6/ip6t_random.h linux-2.4.34.patched/include/linux/netfilter_ipv6/ip6t_random.h
59 --- linux-2.4.34/include/linux/netfilter_ipv6/ip6t_random.h 1970-01-01 01:00:00.000000000 +0100
60 +++ linux-2.4.34.patched/include/linux/netfilter_ipv6/ip6t_random.h 2007-07-08 05:02:26.000000000 +0200
65 +#include <linux/param.h>
66 +#include <linux/types.h>
68 +struct ip6t_rand_info {
72 +#endif /*_IP6T_RAND_H*/
73 diff -Naurp linux-2.4.34/net/ipv4/netfilter/Config.in linux-2.4.34.patched/net/ipv4/netfilter/Config.in
74 --- linux-2.4.34/net/ipv4/netfilter/Config.in 2007-07-08 05:01:42.000000000 +0200
75 +++ linux-2.4.34.patched/net/ipv4/netfilter/Config.in 2007-07-08 05:03:32.000000000 +0200
76 @@ -32,6 +32,7 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
77 dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
78 dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
79 dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
80 + dep_tristate ' random match support' CONFIG_IP_NF_MATCH_RANDOM $CONFIG_IP_NF_IPTABLES
81 dep_tristate ' TIME match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_TIME $CONFIG_IP_NF_IPTABLES
82 dep_tristate ' condition match support' CONFIG_IP_NF_MATCH_CONDITION $CONFIG_IP_NF_IPTABLES
83 dep_tristate ' recent match support' CONFIG_IP_NF_MATCH_RECENT $CONFIG_IP_NF_IPTABLES
84 diff -Naurp linux-2.4.34/net/ipv4/netfilter/ipt_random.c linux-2.4.34.patched/net/ipv4/netfilter/ipt_random.c
85 --- linux-2.4.34/net/ipv4/netfilter/ipt_random.c 1970-01-01 01:00:00.000000000 +0100
86 +++ linux-2.4.34.patched/net/ipv4/netfilter/ipt_random.c 2007-07-08 05:02:26.000000000 +0200
89 + This is a module which is used for a "random" match support.
90 + This file is distributed under the terms of the GNU General Public
91 + License (GPL). Copies of the GPL can be obtained from:
92 + ftp://prep.ai.mit.edu/pub/gnu/GPL
94 + 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation.
97 +#include <linux/module.h>
98 +#include <linux/skbuff.h>
99 +#include <linux/ip.h>
100 +#include <linux/random.h>
101 +#include <net/tcp.h>
102 +#include <linux/spinlock.h>
103 +#include <linux/netfilter_ipv4/ip_tables.h>
104 +#include <linux/netfilter_ipv4/ipt_random.h>
106 +MODULE_LICENSE("GPL");
109 +ipt_rand_match(const struct sk_buff *pskb,
110 + const struct net_device *in,
111 + const struct net_device *out,
112 + const void *matchinfo,
118 + /* Parameters from userspace */
119 + const struct ipt_rand_info *info = matchinfo;
120 + u_int8_t random_number;
122 + /* get 1 random number from the kernel random number generation routine */
123 + get_random_bytes((void *)(&random_number), 1);
125 + /* Do we match ? */
126 + if (random_number <= info->average)
133 +ipt_rand_checkentry(const char *tablename,
134 + const struct ipt_ip *e,
136 + unsigned int matchsize,
137 + unsigned int hook_mask)
139 + /* Parameters from userspace */
140 + const struct ipt_rand_info *info = matchinfo;
142 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_rand_info))) {
143 + printk("ipt_random: matchsize %u != %u\n", matchsize,
144 + IPT_ALIGN(sizeof(struct ipt_rand_info)));
148 + /* must be 1 <= average % <= 99 */
150 + /* 99 x 2.55 = 252 */
151 + if ((info->average < 2) || (info->average > 252)) {
152 + printk("ipt_random: invalid average %u\n", info->average);
159 +static struct ipt_match ipt_rand_reg = {
163 + ipt_rand_checkentry,
167 +static int __init init(void)
169 + if (ipt_register_match(&ipt_rand_reg))
172 + printk("ipt_random match loaded\n");
176 +static void __exit fini(void)
178 + ipt_unregister_match(&ipt_rand_reg);
179 + printk("ipt_random match unloaded\n");
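Review bot: `ipt_rand_match` calls `get_random_bytes()` once for every packet that reaches the rule, so the kernel random pool is exercised at whatever packet rate a remote sender chooses, and nothing in the visible lines bounds or amortises that cost. A comment above the call should say so, e.g. `/* one get_random_bytes() call per packet: place this match last in the rule so cheaper matches filter first */`. Separately, `random_number <= info->average` matches with probability (average+1)/256, slightly above the average/255 scale implied by the `99 x 2.55 = 252` comment in `ipt_rand_checkentry`; using `<` or a comment stating the exact ratio would remove the ambiguity. The same two lines appear in `ip6t_rand_match` in net/ipv6/netfilter/ip6t_random.c. Several lines of both functions are missing from this listing, so this is based only on the lines shown.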
184 diff -Naurp linux-2.4.34/net/ipv4/netfilter/Makefile linux-2.4.34.patched/net/ipv4/netfilter/Makefile
185 --- linux-2.4.34/net/ipv4/netfilter/Makefile 2007-07-08 05:01:42.000000000 +0200
186 +++ linux-2.4.34.patched/net/ipv4/netfilter/Makefile 2007-07-08 05:02:26.000000000 +0200
187 @@ -102,6 +102,8 @@ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos
188 obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
189 obj-$(CONFIG_IP_NF_MATCH_CONDITION) += ipt_condition.o
191 +obj-$(CONFIG_IP_NF_MATCH_RANDOM) += ipt_random.o
193 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
195 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
196 diff -Naurp linux-2.4.34/net/ipv6/netfilter/Config.in linux-2.4.34.patched/net/ipv6/netfilter/Config.in
197 --- linux-2.4.34/net/ipv6/netfilter/Config.in 2007-07-08 05:01:42.000000000 +0200
198 +++ linux-2.4.34.patched/net/ipv6/netfilter/Config.in 2007-07-08 05:02:26.000000000 +0200
199 @@ -19,6 +19,7 @@ if [ "$CONFIG_IP6_NF_IPTABLES" != "n" ];
200 dep_tristate ' limit match support' CONFIG_IP6_NF_MATCH_LIMIT $CONFIG_IP6_NF_IPTABLES
201 dep_tristate ' condition match support' CONFIG_IP6_NF_MATCH_CONDITION $CONFIG_IP6_NF_IPTABLES
202 dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
203 + dep_tristate ' Random match support' CONFIG_IP6_NF_MATCH_RANDOM $CONFIG_IP6_NF_IPTABLES
204 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
205 dep_tristate ' Routing header match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_RT $CONFIG_IP6_NF_IPTABLES
207 diff -Naurp linux-2.4.34/net/ipv6/netfilter/ip6t_random.c linux-2.4.34.patched/net/ipv6/netfilter/ip6t_random.c
208 --- linux-2.4.34/net/ipv6/netfilter/ip6t_random.c 1970-01-01 01:00:00.000000000 +0100
209 +++ linux-2.4.34.patched/net/ipv6/netfilter/ip6t_random.c 2007-07-08 05:02:26.000000000 +0200
212 + This is a module which is used for a "random" match support.
213 + This file is distributed under the terms of the GNU General Public
214 + License (GPL). Copies of the GPL can be obtained from:
215 + ftp://prep.ai.mit.edu/pub/gnu/GPL
217 + 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation.
218 + 2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port
221 +#include <linux/module.h>
222 +#include <linux/skbuff.h>
223 +#include <linux/ip.h>
224 +#include <linux/random.h>
225 +#include <net/tcp.h>
226 +#include <linux/spinlock.h>
227 +#include <linux/netfilter_ipv6/ip6_tables.h>
228 +#include <linux/netfilter_ipv6/ip6t_random.h>
230 +MODULE_LICENSE("GPL");
233 +ip6t_rand_match(const struct sk_buff *pskb,
234 + const struct net_device *in,
235 + const struct net_device *out,
236 + const void *matchinfo,
242 + /* Parameters from userspace */
243 + const struct ip6t_rand_info *info = matchinfo;
244 + u_int8_t random_number;
246 + /* get 1 random number from the kernel random number generation routine */
247 + get_random_bytes((void *)(&random_number), 1);
249 + /* Do we match ? */
250 + if (random_number <= info->average)
257 +ip6t_rand_checkentry(const char *tablename,
258 + const struct ip6t_ip6 *e,
260 + unsigned int matchsize,
261 + unsigned int hook_mask)
263 + /* Parameters from userspace */
264 + const struct ip6t_rand_info *info = matchinfo;
266 + if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_rand_info))) {
267 + printk("ip6t_random: matchsize %u != %u\n", matchsize,
268 + IP6T_ALIGN(sizeof(struct ip6t_rand_info)));
272 + /* must be 1 <= average % <= 99 */
274 + /* 99 x 2.55 = 252 */
275 + if ((info->average < 2) || (info->average > 252)) {
276 + printk("ip6t_random: invalid average %u\n", info->average);
283 +static struct ip6t_match ip6t_rand_reg = {
287 + ip6t_rand_checkentry,
291 +static int __init init(void)
293 + if (ip6t_register_match(&ip6t_rand_reg))
296 + printk("ip6t_random match loaded\n");
300 +static void __exit fini(void)
302 + ip6t_unregister_match(&ip6t_rand_reg);
303 + printk("ip6t_random match unloaded\n");
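Review bot: Both `printk` calls in `ip6t_rand_checkentry` lack a log level, and the first passes `IP6T_ALIGN(sizeof(struct ip6t_rand_info))` to `%u`; an expression built on `sizeof` normally has type `size_t`, which does not match `%u` on 64-bit targets (the macro's definition is not on this page, so confirm). I would write `printk(KERN_ERR "ip6t_random: matchsize %u != %u\n", matchsize, (unsigned int)IP6T_ALIGN(sizeof(struct ip6t_rand_info)));` and give the load/unload messages `KERN_INFO`. These messages are reachable from a userspace rule load, so a level also lets administrators filter them. The includes of `<linux/ip.h>`, `<net/tcp.h>` and `<linux/spinlock.h>` are not used by any line visible here and look carried over from the IPv4 file; `ipt_rand_checkentry` in net/ipv4/netfilter/ipt_random.c has the same `printk` pattern.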
308 diff -Naurp linux-2.4.34/net/ipv6/netfilter/Makefile linux-2.4.34.patched/net/ipv6/netfilter/Makefile
309 --- linux-2.4.34/net/ipv6/netfilter/Makefile 2007-07-08 05:01:42.000000000 +0200
310 +++ linux-2.4.34.patched/net/ipv6/netfilter/Makefile 2007-07-08 05:02:26.000000000 +0200
311 @@ -32,6 +32,7 @@ obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t
312 obj-$(CONFIG_IP6_NF_TARGET_IMQ) += ip6t_IMQ.o
313 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
314 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
315 +obj-$(CONFIG_IP6_NF_MATCH_RANDOM) += ip6t_random.o
316 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
318 include $(TOPDIR)/Rules.make