restructure; cleanup
[openwrt/svn-archive/archive.git] / obsolete-buildroot / sources / openwrt / kernel / patches / 100-revert_netfilter.patch
1 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack.h
2 --- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h 2003-08-12 07:43:11.000000000 -0400
3 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack.h 2004-05-09 04:13:03.000000000 -0400
4 @@ -45,39 +45,27 @@
5
6 #include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
7 #include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
8 -#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
9
10 /* per conntrack: protocol private data */
11 union ip_conntrack_proto {
12 /* insert conntrack proto private data here */
13 - struct ip_ct_gre gre;
14 struct ip_ct_tcp tcp;
15 struct ip_ct_icmp icmp;
16 };
17
18 union ip_conntrack_expect_proto {
19 /* insert expect proto private data here */
20 - struct ip_ct_gre_expect gre;
21 };
22
23 /* Add protocol helper include file here */
24 -#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
25 -#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
26 -#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
27 -
28 #include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
29 #include <linux/netfilter_ipv4/ip_conntrack_irc.h>
30 -#include <linux/netfilter_ipv4/ip_autofw.h>
31
32 /* per expectation: application helper private data */
33 union ip_conntrack_expect_help {
34 /* insert conntrack helper private data (expect) here */
35 - struct ip_ct_pptp_expect exp_pptp_info;
36 - struct ip_ct_mms_expect exp_mms_info;
37 - struct ip_ct_h225_expect exp_h225_info;
38 struct ip_ct_ftp_expect exp_ftp_info;
39 struct ip_ct_irc_expect exp_irc_info;
40 - struct ip_autofw_expect exp_autofw_info;
41
42 #ifdef CONFIG_IP_NF_NAT_NEEDED
43 union {
44 @@ -89,21 +77,16 @@
45 /* per conntrack: application helper private data */
46 union ip_conntrack_help {
47 /* insert conntrack helper private data (master) here */
48 - struct ip_ct_pptp_master ct_pptp_info;
49 - struct ip_ct_mms_master ct_mms_info;
50 - struct ip_ct_h225_master ct_h225_info;
51 struct ip_ct_ftp_master ct_ftp_info;
52 struct ip_ct_irc_master ct_irc_info;
53 };
54
55 #ifdef CONFIG_IP_NF_NAT_NEEDED
56 #include <linux/netfilter_ipv4/ip_nat.h>
57 -#include <linux/netfilter_ipv4/ip_nat_pptp.h>
58
59 /* per conntrack: nat application helper private data */
60 union ip_conntrack_nat_help {
61 /* insert nat helper private data here */
62 - struct ip_nat_pptp nat_pptp_info;
63 };
64 #endif
65
66 @@ -275,9 +258,5 @@
67 }
68
69 extern unsigned int ip_conntrack_htable_size;
70 -
71 -/* connection tracking time out variables. */
72 -extern int sysctl_ip_conntrack_tcp_timeouts[10];
73 -extern int sysctl_ip_conntrack_udp_timeouts[2];
74 #endif /* __KERNEL__ */
75 #endif /* _IP_CONNTRACK_H */
76 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_h323.h
77 --- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2003-07-04 04:12:27.000000000 -0400
78 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_h323.h 1969-12-31 19:00:00.000000000 -0500
79 @@ -1,30 +0,0 @@
80 -#ifndef _IP_CONNTRACK_H323_H
81 -#define _IP_CONNTRACK_H323_H
82 -/* H.323 connection tracking. */
83 -
84 -#ifdef __KERNEL__
85 -/* Protects H.323 related data */
86 -DECLARE_LOCK_EXTERN(ip_h323_lock);
87 -#endif
88 -
89 -/* Default H.225 port */
90 -#define H225_PORT 1720
91 -
92 -/* This structure is per expected connection */
93 -struct ip_ct_h225_expect {
94 - u_int16_t port; /* Port of the H.225 helper/RTCP/RTP channel */
95 - enum ip_conntrack_dir dir; /* Direction of the original connection */
96 - unsigned int offset; /* offset of the address in the payload */
97 -};
98 -
99 -/* This structure exists only once per master */
100 -struct ip_ct_h225_master {
101 - int is_h225; /* H.225 or H.245 connection */
102 -#ifdef CONFIG_IP_NF_NAT_NEEDED
103 - enum ip_conntrack_dir dir; /* Direction of the original connection */
104 - u_int32_t seq[IP_CT_DIR_MAX]; /* Exceptional packet mangling for signal addressess... */
105 - unsigned int offset[IP_CT_DIR_MAX]; /* ...and the offset of the addresses in the payload */
106 -#endif
107 -};
108 -
109 -#endif /* _IP_CONNTRACK_H323_H */
110 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_mms.h
111 --- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_mms.h 2003-07-04 04:12:27.000000000 -0400
112 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_mms.h 1969-12-31 19:00:00.000000000 -0500
113 @@ -1,31 +0,0 @@
114 -#ifndef _IP_CONNTRACK_MMS_H
115 -#define _IP_CONNTRACK_MMS_H
116 -/* MMS tracking. */
117 -
118 -#ifdef __KERNEL__
119 -#include <linux/netfilter_ipv4/lockhelp.h>
120 -
121 -DECLARE_LOCK_EXTERN(ip_mms_lock);
122 -
123 -#define MMS_PORT 1755
124 -#define MMS_SRV_MSG_ID 196610
125 -
126 -#define MMS_SRV_MSG_OFFSET 36
127 -#define MMS_SRV_UNICODE_STRING_OFFSET 60
128 -#define MMS_SRV_CHUNKLENLV_OFFSET 16
129 -#define MMS_SRV_CHUNKLENLM_OFFSET 32
130 -#define MMS_SRV_MESSAGELENGTH_OFFSET 8
131 -#endif
132 -
133 -/* This structure is per expected connection */
134 -struct ip_ct_mms_expect {
135 - u_int32_t len;
136 - u_int32_t padding;
137 - u_int16_t port;
138 -};
139 -
140 -/* This structure exists only once per master */
141 -struct ip_ct_mms_master {
142 -};
143 -
144 -#endif /* _IP_CONNTRACK_MMS_H */
145 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_pptp.h
146 --- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2003-07-04 04:12:27.000000000 -0400
147 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 1969-12-31 19:00:00.000000000 -0500
148 @@ -1,313 +0,0 @@
149 -/* PPTP constants and structs */
150 -#ifndef _CONNTRACK_PPTP_H
151 -#define _CONNTRACK_PPTP_H
152 -
153 -/* state of the control session */
154 -enum pptp_ctrlsess_state {
155 - PPTP_SESSION_NONE, /* no session present */
156 - PPTP_SESSION_ERROR, /* some session error */
157 - PPTP_SESSION_STOPREQ, /* stop_sess request seen */
158 - PPTP_SESSION_REQUESTED, /* start_sess request seen */
159 - PPTP_SESSION_CONFIRMED, /* session established */
160 -};
161 -
162 -/* state of the call inside the control session */
163 -enum pptp_ctrlcall_state {
164 - PPTP_CALL_NONE,
165 - PPTP_CALL_ERROR,
166 - PPTP_CALL_OUT_REQ,
167 - PPTP_CALL_OUT_CONF,
168 - PPTP_CALL_IN_REQ,
169 - PPTP_CALL_IN_REP,
170 - PPTP_CALL_IN_CONF,
171 - PPTP_CALL_CLEAR_REQ,
172 -};
173 -
174 -
175 -/* conntrack private data */
176 -struct ip_ct_pptp_master {
177 - enum pptp_ctrlsess_state sstate; /* session state */
178 -
179 - /* everything below is going to be per-expectation in newnat,
180 - * since there could be more than one call within one session */
181 - enum pptp_ctrlcall_state cstate; /* call state */
182 - u_int16_t pac_call_id; /* call id of PAC, host byte order */
183 - u_int16_t pns_call_id; /* call id of PNS, host byte order */
184 -};
185 -
186 -/* conntrack_expect private member */
187 -struct ip_ct_pptp_expect {
188 - enum pptp_ctrlcall_state cstate; /* call state */
189 - u_int16_t pac_call_id; /* call id of PAC */
190 - u_int16_t pns_call_id; /* call id of PNS */
191 -};
192 -
193 -
194 -#ifdef __KERNEL__
195 -
196 -#include <linux/netfilter_ipv4/lockhelp.h>
197 -DECLARE_LOCK_EXTERN(ip_pptp_lock);
198 -
199 -#define IP_CONNTR_PPTP PPTP_CONTROL_PORT
200 -
201 -union pptp_ctrl_union {
202 - void *rawreq;
203 - struct PptpStartSessionRequest *sreq;
204 - struct PptpStartSessionReply *srep;
205 - struct PptpStopSessionReqest *streq;
206 - struct PptpStopSessionReply *strep;
207 - struct PptpOutCallRequest *ocreq;
208 - struct PptpOutCallReply *ocack;
209 - struct PptpInCallRequest *icreq;
210 - struct PptpInCallReply *icack;
211 - struct PptpInCallConnected *iccon;
212 - struct PptpClearCallRequest *clrreq;
213 - struct PptpCallDisconnectNotify *disc;
214 - struct PptpWanErrorNotify *wanerr;
215 - struct PptpSetLinkInfo *setlink;
216 -};
217 -
218 -
219 -
220 -#define PPTP_CONTROL_PORT 1723
221 -
222 -#define PPTP_PACKET_CONTROL 1
223 -#define PPTP_PACKET_MGMT 2
224 -
225 -#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
226 -
227 -struct pptp_pkt_hdr {
228 - __u16 packetLength;
229 - __u16 packetType;
230 - __u32 magicCookie;
231 -};
232 -
233 -/* PptpControlMessageType values */
234 -#define PPTP_START_SESSION_REQUEST 1
235 -#define PPTP_START_SESSION_REPLY 2
236 -#define PPTP_STOP_SESSION_REQUEST 3
237 -#define PPTP_STOP_SESSION_REPLY 4
238 -#define PPTP_ECHO_REQUEST 5
239 -#define PPTP_ECHO_REPLY 6
240 -#define PPTP_OUT_CALL_REQUEST 7
241 -#define PPTP_OUT_CALL_REPLY 8
242 -#define PPTP_IN_CALL_REQUEST 9
243 -#define PPTP_IN_CALL_REPLY 10
244 -#define PPTP_IN_CALL_CONNECT 11
245 -#define PPTP_CALL_CLEAR_REQUEST 12
246 -#define PPTP_CALL_DISCONNECT_NOTIFY 13
247 -#define PPTP_WAN_ERROR_NOTIFY 14
248 -#define PPTP_SET_LINK_INFO 15
249 -
250 -#define PPTP_MSG_MAX 15
251 -
252 -/* PptpGeneralError values */
253 -#define PPTP_ERROR_CODE_NONE 0
254 -#define PPTP_NOT_CONNECTED 1
255 -#define PPTP_BAD_FORMAT 2
256 -#define PPTP_BAD_VALUE 3
257 -#define PPTP_NO_RESOURCE 4
258 -#define PPTP_BAD_CALLID 5
259 -#define PPTP_REMOVE_DEVICE_ERROR 6
260 -
261 -struct PptpControlHeader {
262 - __u16 messageType;
263 - __u16 reserved;
264 -};
265 -
266 -/* FramingCapability Bitmap Values */
267 -#define PPTP_FRAME_CAP_ASYNC 0x1
268 -#define PPTP_FRAME_CAP_SYNC 0x2
269 -
270 -/* BearerCapability Bitmap Values */
271 -#define PPTP_BEARER_CAP_ANALOG 0x1
272 -#define PPTP_BEARER_CAP_DIGITAL 0x2
273 -
274 -struct PptpStartSessionRequest {
275 - __u16 protocolVersion;
276 - __u8 reserved1;
277 - __u8 reserved2;
278 - __u32 framingCapability;
279 - __u32 bearerCapability;
280 - __u16 maxChannels;
281 - __u16 firmwareRevision;
282 - __u8 hostName[64];
283 - __u8 vendorString[64];
284 -};
285 -
286 -/* PptpStartSessionResultCode Values */
287 -#define PPTP_START_OK 1
288 -#define PPTP_START_GENERAL_ERROR 2
289 -#define PPTP_START_ALREADY_CONNECTED 3
290 -#define PPTP_START_NOT_AUTHORIZED 4
291 -#define PPTP_START_UNKNOWN_PROTOCOL 5
292 -
293 -struct PptpStartSessionReply {
294 - __u16 protocolVersion;
295 - __u8 resultCode;
296 - __u8 generalErrorCode;
297 - __u32 framingCapability;
298 - __u32 bearerCapability;
299 - __u16 maxChannels;
300 - __u16 firmwareRevision;
301 - __u8 hostName[64];
302 - __u8 vendorString[64];
303 -};
304 -
305 -/* PptpStopReasons */
306 -#define PPTP_STOP_NONE 1
307 -#define PPTP_STOP_PROTOCOL 2
308 -#define PPTP_STOP_LOCAL_SHUTDOWN 3
309 -
310 -struct PptpStopSessionRequest {
311 - __u8 reason;
312 -};
313 -
314 -/* PptpStopSessionResultCode */
315 -#define PPTP_STOP_OK 1
316 -#define PPTP_STOP_GENERAL_ERROR 2
317 -
318 -struct PptpStopSessionReply {
319 - __u8 resultCode;
320 - __u8 generalErrorCode;
321 -};
322 -
323 -struct PptpEchoRequest {
324 - __u32 identNumber;
325 -};
326 -
327 -/* PptpEchoReplyResultCode */
328 -#define PPTP_ECHO_OK 1
329 -#define PPTP_ECHO_GENERAL_ERROR 2
330 -
331 -struct PptpEchoReply {
332 - __u32 identNumber;
333 - __u8 resultCode;
334 - __u8 generalErrorCode;
335 - __u16 reserved;
336 -};
337 -
338 -/* PptpFramingType */
339 -#define PPTP_ASYNC_FRAMING 1
340 -#define PPTP_SYNC_FRAMING 2
341 -#define PPTP_DONT_CARE_FRAMING 3
342 -
343 -/* PptpCallBearerType */
344 -#define PPTP_ANALOG_TYPE 1
345 -#define PPTP_DIGITAL_TYPE 2
346 -#define PPTP_DONT_CARE_BEARER_TYPE 3
347 -
348 -struct PptpOutCallRequest {
349 - __u16 callID;
350 - __u16 callSerialNumber;
351 - __u32 minBPS;
352 - __u32 maxBPS;
353 - __u32 bearerType;
354 - __u32 framingType;
355 - __u16 packetWindow;
356 - __u16 packetProcDelay;
357 - __u16 reserved1;
358 - __u16 phoneNumberLength;
359 - __u16 reserved2;
360 - __u8 phoneNumber[64];
361 - __u8 subAddress[64];
362 -};
363 -
364 -/* PptpCallResultCode */
365 -#define PPTP_OUTCALL_CONNECT 1
366 -#define PPTP_OUTCALL_GENERAL_ERROR 2
367 -#define PPTP_OUTCALL_NO_CARRIER 3
368 -#define PPTP_OUTCALL_BUSY 4
369 -#define PPTP_OUTCALL_NO_DIAL_TONE 5
370 -#define PPTP_OUTCALL_TIMEOUT 6
371 -#define PPTP_OUTCALL_DONT_ACCEPT 7
372 -
373 -struct PptpOutCallReply {
374 - __u16 callID;
375 - __u16 peersCallID;
376 - __u8 resultCode;
377 - __u8 generalErrorCode;
378 - __u16 causeCode;
379 - __u32 connectSpeed;
380 - __u16 packetWindow;
381 - __u16 packetProcDelay;
382 - __u32 physChannelID;
383 -};
384 -
385 -struct PptpInCallRequest {
386 - __u16 callID;
387 - __u16 callSerialNumber;
388 - __u32 callBearerType;
389 - __u32 physChannelID;
390 - __u16 dialedNumberLength;
391 - __u16 dialingNumberLength;
392 - __u8 dialedNumber[64];
393 - __u8 dialingNumber[64];
394 - __u8 subAddress[64];
395 -};
396 -
397 -/* PptpInCallResultCode */
398 -#define PPTP_INCALL_ACCEPT 1
399 -#define PPTP_INCALL_GENERAL_ERROR 2
400 -#define PPTP_INCALL_DONT_ACCEPT 3
401 -
402 -struct PptpInCallReply {
403 - __u16 callID;
404 - __u16 peersCallID;
405 - __u8 resultCode;
406 - __u8 generalErrorCode;
407 - __u16 packetWindow;
408 - __u16 packetProcDelay;
409 - __u16 reserved;
410 -};
411 -
412 -struct PptpInCallConnected {
413 - __u16 peersCallID;
414 - __u16 reserved;
415 - __u32 connectSpeed;
416 - __u16 packetWindow;
417 - __u16 packetProcDelay;
418 - __u32 callFramingType;
419 -};
420 -
421 -struct PptpClearCallRequest {
422 - __u16 callID;
423 - __u16 reserved;
424 -};
425 -
426 -struct PptpCallDisconnectNotify {
427 - __u16 callID;
428 - __u8 resultCode;
429 - __u8 generalErrorCode;
430 - __u16 causeCode;
431 - __u16 reserved;
432 - __u8 callStatistics[128];
433 -};
434 -
435 -struct PptpWanErrorNotify {
436 - __u16 peersCallID;
437 - __u16 reserved;
438 - __u32 crcErrors;
439 - __u32 framingErrors;
440 - __u32 hardwareOverRuns;
441 - __u32 bufferOverRuns;
442 - __u32 timeoutErrors;
443 - __u32 alignmentErrors;
444 -};
445 -
446 -struct PptpSetLinkInfo {
447 - __u16 peersCallID;
448 - __u16 reserved;
449 - __u32 sendAccm;
450 - __u32 recvAccm;
451 -};
452 -
453 -
454 -struct pptp_priv_data {
455 - __u16 call_id;
456 - __u16 mcall_id;
457 - __u16 pcall_id;
458 -};
459 -
460 -#endif /* __KERNEL__ */
461 -#endif /* _CONNTRACK_PPTP_H */
462 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
463 --- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2003-07-04 04:12:27.000000000 -0400
464 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1969-12-31 19:00:00.000000000 -0500
465 @@ -1,121 +0,0 @@
466 -#ifndef _CONNTRACK_PROTO_GRE_H
467 -#define _CONNTRACK_PROTO_GRE_H
468 -#include <asm/byteorder.h>
469 -
470 -/* GRE PROTOCOL HEADER */
471 -
472 -/* GRE Version field */
473 -#define GRE_VERSION_1701 0x0
474 -#define GRE_VERSION_PPTP 0x1
475 -
476 -/* GRE Protocol field */
477 -#define GRE_PROTOCOL_PPTP 0x880B
478 -
479 -/* GRE Flags */
480 -#define GRE_FLAG_C 0x80
481 -#define GRE_FLAG_R 0x40
482 -#define GRE_FLAG_K 0x20
483 -#define GRE_FLAG_S 0x10
484 -#define GRE_FLAG_A 0x80
485 -
486 -#define GRE_IS_C(f) ((f)&GRE_FLAG_C)
487 -#define GRE_IS_R(f) ((f)&GRE_FLAG_R)
488 -#define GRE_IS_K(f) ((f)&GRE_FLAG_K)
489 -#define GRE_IS_S(f) ((f)&GRE_FLAG_S)
490 -#define GRE_IS_A(f) ((f)&GRE_FLAG_A)
491 -
492 -/* GRE is a mess: Four different standards */
493 -struct gre_hdr {
494 -#if defined(__LITTLE_ENDIAN_BITFIELD)
495 - __u16 rec:3,
496 - srr:1,
497 - seq:1,
498 - key:1,
499 - routing:1,
500 - csum:1,
501 - version:3,
502 - reserved:4,
503 - ack:1;
504 -#elif defined(__BIG_ENDIAN_BITFIELD)
505 - __u16 csum:1,
506 - routing:1,
507 - key:1,
508 - seq:1,
509 - srr:1,
510 - rec:3,
511 - ack:1,
512 - reserved:4,
513 - version:3;
514 -#else
515 -#error "Adjust your <asm/byteorder.h> defines"
516 -#endif
517 - __u16 protocol;
518 -};
519 -
520 -/* modified GRE header for PPTP */
521 -struct gre_hdr_pptp {
522 - __u8 flags; /* bitfield */
523 - __u8 version; /* should be GRE_VERSION_PPTP */
524 - __u16 protocol; /* should be GRE_PROTOCOL_PPTP */
525 - __u16 payload_len; /* size of ppp payload, not inc. gre header */
526 - __u16 call_id; /* peer's call_id for this session */
527 - __u32 seq; /* sequence number. Present if S==1 */
528 - __u32 ack; /* seq number of highest packet recieved by */
529 - /* sender in this session */
530 -};
531 -
532 -
533 -/* this is part of ip_conntrack */
534 -struct ip_ct_gre {
535 - unsigned int stream_timeout;
536 - unsigned int timeout;
537 -};
538 -
539 -/* this is part of ip_conntrack_expect */
540 -struct ip_ct_gre_expect {
541 - struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
542 -};
543 -
544 -#ifdef __KERNEL__
545 -
546 -/* structure for original <-> reply keymap */
547 -struct ip_ct_gre_keymap {
548 - struct list_head list;
549 -
550 - struct ip_conntrack_tuple tuple;
551 - struct ip_conntrack_expect *master;
552 -};
553 -
554 -
555 -/* add new tuple->key_reply pair to keymap */
556 -int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
557 - struct ip_conntrack_tuple *t,
558 - int reply);
559 -
560 -/* change an existing keymap entry */
561 -void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km,
562 - struct ip_conntrack_tuple *t);
563 -
564 -
565 -
566 -/* get pointer to gre key, if present */
567 -static inline u_int32_t *gre_key(struct gre_hdr *greh)
568 -{
569 - if (!greh->key)
570 - return NULL;
571 - if (greh->csum || greh->routing)
572 - return (u_int32_t *) (greh+sizeof(*greh)+4);
573 - return (u_int32_t *) (greh+sizeof(*greh));
574 -}
575 -
576 -/* get pointer ot gre csum, if present */
577 -static inline u_int16_t *gre_csum(struct gre_hdr *greh)
578 -{
579 - if (!greh->csum)
580 - return NULL;
581 - return (u_int16_t *) (greh+sizeof(*greh));
582 -}
583 -
584 -#endif /* __KERNEL__ */
585 -
586 -#endif /* _CONNTRACK_PROTO_GRE_H */
587 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tftp.h
588 --- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 2003-07-04 04:12:27.000000000 -0400
589 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 1969-12-31 19:00:00.000000000 -0500
590 @@ -1,13 +0,0 @@
591 -#ifndef _IP_CT_TFTP
592 -#define _IP_CT_TFTP
593 -
594 -#define TFTP_PORT 69
595 -
596 -struct tftphdr {
597 - u_int16_t opcode;
598 -};
599 -
600 -#define TFTP_OPCODE_READ 1
601 -#define TFTP_OPCODE_WRITE 2
602 -
603 -#endif /* _IP_CT_TFTP */
604 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
605 --- src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2003-07-04 04:12:27.000000000 -0400
606 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2004-05-09 04:13:03.000000000 -0400
607 @@ -14,7 +14,7 @@
608 union ip_conntrack_manip_proto
609 {
610 /* Add other protocols here. */
611 - u_int32_t all;
612 + u_int16_t all;
613
614 struct {
615 u_int16_t port;
616 @@ -25,9 +25,6 @@
617 struct {
618 u_int16_t id;
619 } icmp;
620 - struct {
621 - u_int32_t key;
622 - } gre;
623 };
624
625 /* The manipulable part of the tuple. */
626 @@ -47,7 +44,7 @@
627 u_int32_t ip;
628 union {
629 /* Add other protocols here. */
630 - u_int64_t all;
631 + u_int16_t all;
632
633 struct {
634 u_int16_t port;
635 @@ -58,11 +55,6 @@
636 struct {
637 u_int8_t type, code;
638 } icmp;
639 - struct {
640 - u_int16_t protocol;
641 - u_int8_t version;
642 - u_int32_t key;
643 - } gre;
644 } u;
645
646 /* The protocol. */
647 @@ -80,16 +72,10 @@
648 #ifdef __KERNEL__
649
650 #define DUMP_TUPLE(tp) \
651 -DEBUGP("tuple %p: %u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", \
652 +DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n", \
653 (tp), (tp)->dst.protonum, \
654 - NIPQUAD((tp)->src.ip), ntohl((tp)->src.u.all), \
655 - NIPQUAD((tp)->dst.ip), ntohl((tp)->dst.u.all))
656 -
657 -#define DUMP_TUPLE_RAW(x) \
658 - DEBUGP("tuple %p: %u %u.%u.%u.%u:0x%08x -> %u.%u.%u.%u:0x%08x\n",\
659 - (x), (x)->dst.protonum, \
660 - NIPQUAD((x)->src.ip), ntohl((x)->src.u.all), \
661 - NIPQUAD((x)->dst.ip), ntohl((x)->dst.u.all))
662 + NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \
663 + NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all))
664
665 #define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
666
667 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_nat_pptp.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_nat_pptp.h
668 --- src/linux/linux/include/linux/netfilter_ipv4/ip_nat_pptp.h 2003-07-04 04:12:27.000000000 -0400
669 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_nat_pptp.h 1969-12-31 19:00:00.000000000 -0500
670 @@ -1,11 +0,0 @@
671 -/* PPTP constants and structs */
672 -#ifndef _NAT_PPTP_H
673 -#define _NAT_PPTP_H
674 -
675 -/* conntrack private data */
676 -struct ip_nat_pptp {
677 - u_int16_t pns_call_id; /* NAT'ed PNS call id */
678 - u_int16_t pac_call_id; /* NAT'ed PAC call id */
679 -};
680 -
681 -#endif /* _NAT_PPTP_H */
682 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ip_pool.h src/linux/linux.stock/include/linux/netfilter_ipv4/ip_pool.h
683 --- src/linux/linux/include/linux/netfilter_ipv4/ip_pool.h 2003-07-04 04:12:27.000000000 -0400
684 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ip_pool.h 1969-12-31 19:00:00.000000000 -0500
685 @@ -1,64 +0,0 @@
686 -#ifndef _IP_POOL_H
687 -#define _IP_POOL_H
688 -
689 -/***************************************************************************/
690 -/* This program is free software; you can redistribute it and/or modify */
691 -/* it under the terms of the GNU General Public License as published by */
692 -/* the Free Software Foundation; either version 2 of the License, or */
693 -/* (at your option) any later version. */
694 -/* */
695 -/* This program is distributed in the hope that it will be useful, */
696 -/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
697 -/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
698 -/* GNU General Public License for more details. */
699 -/* */
700 -/* You should have received a copy of the GNU General Public License */
701 -/* along with this program; if not, write to the Free Software */
702 -/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/
703 -/***************************************************************************/
704 -
705 -/* A sockopt of such quality has hardly ever been seen before on the open
706 - * market! This little beauty, hardly ever used: above 64, so it's
707 - * traditionally used for firewalling, not touched (even once!) by the
708 - * 2.0, 2.2 and 2.4 kernels!
709 - *
710 - * Comes with its own certificate of authenticity, valid anywhere in the
711 - * Free world!
712 - *
713 - * Rusty, 19.4.2000
714 - */
715 -#define SO_IP_POOL 81
716 -
717 -typedef int ip_pool_t; /* pool index */
718 -#define IP_POOL_NONE ((ip_pool_t)-1)
719 -
720 -struct ip_pool_request {
721 - int op;
722 - ip_pool_t index;
723 - u_int32_t addr;
724 - u_int32_t addr2;
725 -};
726 -
727 -/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */
728 -
729 -#define IP_POOL_BAD001 0x00000010
730 -
731 -#define IP_POOL_FLUSH 0x00000011 /* req.index, no arguments */
732 -#define IP_POOL_INIT 0x00000012 /* from addr to addr2 incl. */
733 -#define IP_POOL_DESTROY 0x00000013 /* req.index, no arguments */
734 -#define IP_POOL_ADD_ADDR 0x00000014 /* add addr to pool */
735 -#define IP_POOL_DEL_ADDR 0x00000015 /* del addr from pool */
736 -#define IP_POOL_HIGH_NR 0x00000016 /* result in req.index */
737 -#define IP_POOL_LOOKUP 0x00000017 /* result in addr and addr2 */
738 -#define IP_POOL_USAGE 0x00000018 /* result in addr */
739 -#define IP_POOL_TEST_ADDR 0x00000019 /* result (0/1) returned */
740 -
741 -#ifdef __KERNEL__
742 -
743 -/* NOTE: ip_pool_match() and ip_pool_mod() expect ADDR to be host byte order */
744 -extern int ip_pool_match(ip_pool_t pool, u_int32_t addr);
745 -extern int ip_pool_mod(ip_pool_t pool, u_int32_t addr, int isdel);
746 -
747 -#endif
748 -
749 -#endif /*_IP_POOL_H*/
750 diff -Nurb src/linux/linux/include/linux/netfilter_ipv4/ipt_pool.h src/linux/linux.stock/include/linux/netfilter_ipv4/ipt_pool.h
751 --- src/linux/linux/include/linux/netfilter_ipv4/ipt_pool.h 2003-07-04 04:12:27.000000000 -0400
752 +++ src/linux/linux.stock/include/linux/netfilter_ipv4/ipt_pool.h 1969-12-31 19:00:00.000000000 -0500
753 @@ -1,25 +0,0 @@
754 -#ifndef _IPT_POOL_H
755 -#define _IPT_POOL_H
756 -
757 -#include <linux/netfilter_ipv4/ip_pool.h>
758 -
759 -#define IPT_POOL_INV_SRC 0x00000001
760 -#define IPT_POOL_INV_DST 0x00000002
761 -#define IPT_POOL_DEL_SRC 0x00000004
762 -#define IPT_POOL_DEL_DST 0x00000008
763 -#define IPT_POOL_INV_MOD_SRC 0x00000010
764 -#define IPT_POOL_INV_MOD_DST 0x00000020
765 -#define IPT_POOL_MOD_SRC_ACCEPT 0x00000040
766 -#define IPT_POOL_MOD_DST_ACCEPT 0x00000080
767 -#define IPT_POOL_MOD_SRC_DROP 0x00000100
768 -#define IPT_POOL_MOD_DST_DROP 0x00000200
769 -
770 -/* match info */
771 -struct ipt_pool_info
772 -{
773 - ip_pool_t src;
774 - ip_pool_t dst;
775 - unsigned flags;
776 -};
777 -
778 -#endif /*_IPT_POOL_H*/
779 diff -Nurb src/linux/linux/net/ipv4/netfilter/Config.in src/linux/linux.stock/net/ipv4/netfilter/Config.in
780 --- src/linux/linux/net/ipv4/netfilter/Config.in 2004-02-19 06:04:35.000000000 -0500
781 +++ src/linux/linux.stock/net/ipv4/netfilter/Config.in 2004-05-09 04:13:03.000000000 -0400
782 @@ -7,12 +7,7 @@
783 tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
784 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
785 dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
786 - dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK
787 - dep_tristate ' H.323 (netmeeting) support' CONFIG_IP_NF_H323 $CONFIG_IP_NF_CONNTRACK
788 dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
789 - dep_tristate ' MMS protocol support' CONFIG_IP_NF_MMS $CONFIG_IP_NF_CONNTRACK
790 - dep_tristate ' GRE protocol support' CONFIG_IP_NF_CT_PROTO_GRE $CONFIG_IP_NF_CONNTRACK
791 - dep_tristate ' PPTP protocol support' CONFIG_IP_NF_PPTP $CONFIG_IP_NF_CT_PROTO_GRE
792 fi
793
794 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
795 @@ -22,19 +17,11 @@
796 if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
797 # The simple matches.
798 dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
799 -
800 - dep_tristate ' IP address pool support' CONFIG_IP_NF_POOL $CONFIG_IP_NF_IPTABLES
801 - if [ "$CONFIG_IP_NF_POOL" = "y" -o "$CONFIG_IP_NF_POOL" = "m" ]; then
802 - bool ' enable statistics on pool usage' CONFIG_IP_POOL_STATISTICS n
803 - fi
804 -
805 dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
806 dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES
807 dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
808 dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
809 - dep_tristate ' Multiple port with ranges match support' CONFIG_IP_NF_MATCH_MPORT $CONFIG_IP_NF_IPTABLES
810 dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
811 - dep_tristate ' TIME match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_TIME $CONFIG_IP_NF_IPTABLES
812 dep_tristate ' ECN match support' CONFIG_IP_NF_MATCH_ECN $CONFIG_IP_NF_IPTABLES
813
814 dep_tristate ' DSCP match support' CONFIG_IP_NF_MATCH_DSCP $CONFIG_IP_NF_IPTABLES
815 @@ -52,7 +39,6 @@
816 fi
817 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
818 dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
819 - dep_tristate ' Webstr match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_WEBSTR $CONFIG_IP_NF_IPTABLES
820 dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES
821 fi
822 # The targets
823 @@ -70,29 +56,6 @@
824 define_bool CONFIG_IP_NF_NAT_NEEDED y
825 dep_tristate ' MASQUERADE target support' CONFIG_IP_NF_TARGET_MASQUERADE $CONFIG_IP_NF_NAT
826 dep_tristate ' REDIRECT target support' CONFIG_IP_NF_TARGET_REDIRECT $CONFIG_IP_NF_NAT
827 - dep_tristate ' Automatic port forwarding (autofw) target support' CONFIG_IP_NF_AUTOFW $CONFIG_IP_NF_NAT
828 - dep_tristate ' TRIGGER target support (port-trigger)' CONFIG_IP_NF_TARGET_TRIGGER $CONFIG_IP_NF_NAT
829 - if [ "$CONFIG_IP_NF_H323" = "m" ]; then
830 - define_tristate CONFIG_IP_NF_NAT_H323 m
831 - else
832 - if [ "$CONFIG_IP_NF_H323" = "y" ]; then
833 - define_tristate CONFIG_IP_NF_NAT_H323 $CONFIG_IP_NF_NAT
834 - fi
835 - fi
836 - if [ "$CONFIG_IP_NF_PPTP" = "m" ]; then
837 - define_tristate CONFIG_IP_NF_NAT_PPTP m
838 - else
839 - if [ "$CONFIG_IP_NF_PPTP" = "y" ]; then
840 - define_tristate CONFIG_IP_NF_NAT_PPTP $CONFIG_IP_NF_NAT
841 - fi
842 - fi
843 - if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "m" ]; then
844 - define_tristate CONFIG_IP_NF_NAT_PROTO_GRE m
845 - else
846 - if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "y" ]; then
847 - define_tristate CONFIG_IP_NF_NAT_PROTO_GRE $CONFIG_IP_NF_NAT
848 - fi
849 - fi
850 bool ' NAT of local connections (READ HELP)' CONFIG_IP_NF_NAT_LOCAL
851 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
852 dep_tristate ' Basic SNMP-ALG support (EXPERIMENTAL)' CONFIG_IP_NF_NAT_SNMP_BASIC $CONFIG_IP_NF_NAT
853 @@ -104,13 +67,6 @@
854 define_tristate CONFIG_IP_NF_NAT_IRC $CONFIG_IP_NF_NAT
855 fi
856 fi
857 - if [ "$CONFIG_IP_NF_MMS" = "m" ]; then
858 - define_tristate CONFIG_IP_NF_NAT_MMS m
859 - else
860 - if [ "$CONFIG_IP_NF_MMS" = "y" ]; then
861 - define_tristate CONFIG_IP_NF_NAT_MMS $CONFIG_IP_NF_NAT
862 - fi
863 - fi
864 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
865 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
866 if [ "$CONFIG_IP_NF_FTP" = "m" ]; then
867 @@ -120,13 +76,6 @@
868 define_tristate CONFIG_IP_NF_NAT_FTP $CONFIG_IP_NF_NAT
869 fi
870 fi
871 - if [ "$CONFIG_IP_NF_TFTP" = "m" ]; then
872 - define_tristate CONFIG_IP_NF_NAT_TFTP m
873 - else
874 - if [ "$CONFIG_IP_NF_TFTP" = "y" ]; then
875 - define_tristate CONFIG_IP_NF_NAT_TFTP $CONFIG_IP_NF_NAT
876 - fi
877 - fi
878 fi
879 fi
880
881 diff -Nurb src/linux/linux/net/ipv4/netfilter/Makefile src/linux/linux.stock/net/ipv4/netfilter/Makefile
882 --- src/linux/linux/net/ipv4/netfilter/Makefile 2004-02-19 06:04:35.000000000 -0500
883 +++ src/linux/linux.stock/net/ipv4/netfilter/Makefile 2004-05-09 04:13:03.000000000 -0400
884 @@ -31,48 +31,20 @@
885 # connection tracking
886 obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
887
888 -# H.323 support
889 -obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
890 -obj-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323.o
891 -ifdef CONFIG_IP_NF_NAT_H323
892 - export-objs += ip_conntrack_h323.o
893 -endif
894 -
895 -
896 -# connection tracking protocol helpers
897 -obj-$(CONFIG_IP_NF_CT_PROTO_GRE) += ip_conntrack_proto_gre.o
898 -ifdef CONFIG_IP_NF_CT_PROTO_GRE
899 - export-objs += ip_conntrack_proto_gre.o
900 -endif
901 -
902 -# NAT protocol helpers
903 -obj-$(CONFIG_IP_NF_NAT_PROTO_GRE) += ip_nat_proto_gre.o
904 -
905 # connection tracking helpers
906 -obj-$(CONFIG_IP_NF_MMS) += ip_conntrack_mms.o
907 -ifdef CONFIG_IP_NF_NAT_MMS
908 - export-objs += ip_conntrack_mms.o
909 -endif
910 -obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
911 -ifdef CONFIG_IP_NF_NAT_PPTP
912 - export-objs += ip_conntrack_pptp.o
913 -endif
914 -obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o
915 obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o
916 ifdef CONFIG_IP_NF_NAT_FTP
917 export-objs += ip_conntrack_ftp.o
918 endif
919 +
920 obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
921 ifdef CONFIG_IP_NF_NAT_IRC
922 export-objs += ip_conntrack_irc.o
923 endif
924
925 # NAT helpers
926 -obj-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp.o
927 -obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
928 obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
929 obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
930 -obj-$(CONFIG_IP_NF_NAT_MMS) += ip_nat_mms.o
931
932 # generic IP tables
933 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
934 @@ -86,19 +58,12 @@
935 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
936 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
937 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
938 -obj-$(CONFIG_IP_NF_POOL) += ipt_pool.o ip_pool.o
939 obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
940
941 obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o
942 obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
943 -
944 -obj-$(CONFIG_IP_NF_MATCH_MPORT) += ipt_mport.o
945 -
946 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
947 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
948 -
949 -obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
950 -
951 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
952 obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
953 obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o
954 @@ -109,7 +74,6 @@
955 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
956 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
957 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
958 -obj-$(CONFIG_IP_NF_MATCH_WEBSTR) += ipt_webstr.o
959 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
960
961 # targets
962 @@ -125,8 +89,6 @@
963 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
964 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
965 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
966 -obj-$(CONFIG_IP_NF_AUTOFW) += ip_autofw.o
967 -obj-$(CONFIG_IP_NF_TARGET_TRIGGER) += ipt_TRIGGER.o
968
969 # generic ARP tables
970 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
971 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_core.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_core.c
972 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_core.c 2003-08-12 07:33:45.000000000 -0400
973 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_core.c 2004-05-09 04:13:03.000000000 -0400
974 @@ -47,7 +47,11 @@
975
976 #define IP_CONNTRACK_VERSION "2.1"
977
978 +#if 0
979 +#define DEBUGP printk
980 +#else
981 #define DEBUGP(format, args...)
982 +#endif
983
984 DECLARE_RWLOCK(ip_conntrack_lock);
985 DECLARE_RWLOCK(ip_conntrack_expect_tuple_lock);
986 @@ -62,29 +66,6 @@
987 struct list_head *ip_conntrack_hash;
988 static kmem_cache_t *ip_conntrack_cachep;
989
990 -#define SECS * HZ
991 -#define MINS * 60 SECS
992 -#define HOURS * 60 MINS
993 -#define DAYS * 24 HOURS
994 -
995 -int sysctl_ip_conntrack_tcp_timeouts[10] = {
996 - 30 MINS, /* TCP_CONNTRACK_NONE, */
997 - 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
998 - 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
999 - 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
1000 - 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
1001 - 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
1002 - 10 SECS, /* TCP_CONNTRACK_CLOSE, */
1003 - 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
1004 - 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
1005 - 2 MINS, /* TCP_CONNTRACK_LISTEN, */
1006 -};
1007 -
1008 -int sysctl_ip_conntrack_udp_timeouts[2] = {
1009 - 30 SECS, /* UNREPLIED */
1010 - 180 SECS /* ASSURED */
1011 -};
1012 -
1013 extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
1014
1015 static inline int proto_cmpfn(const struct ip_conntrack_protocol *curr,
1016 @@ -129,6 +110,9 @@
1017 static inline u_int32_t
1018 hash_conntrack(const struct ip_conntrack_tuple *tuple)
1019 {
1020 +#if 0
1021 + dump_tuple(tuple);
1022 +#endif
1023 /* ntohl because more differences in low bits. */
1024 /* To ensure that halves of the same connection don't hash
1025 clash, we add the source per-proto again. */
1026 @@ -160,8 +144,6 @@
1027 tuple->dst.ip = iph->daddr;
1028 tuple->dst.protonum = iph->protocol;
1029
1030 - tuple->src.u.all = tuple->dst.u.all = 0;
1031 -
1032 ret = protocol->pkt_to_tuple((u_int32_t *)iph + iph->ihl,
1033 len - 4*iph->ihl,
1034 tuple);
1035 @@ -177,8 +159,6 @@
1036 inverse->dst.ip = orig->src.ip;
1037 inverse->dst.protonum = orig->dst.protonum;
1038
1039 - inverse->src.u.all = inverse->dst.u.all = 0;
1040 -
1041 return protocol->invert_tuple(inverse, orig);
1042 }
1043
1044 @@ -196,8 +176,8 @@
1045 static void
1046 destroy_expect(struct ip_conntrack_expect *exp)
1047 {
1048 - DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(&exp->use));
1049 - IP_NF_ASSERT(atomic_read(&exp->use));
1050 + DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(exp->use));
1051 + IP_NF_ASSERT(atomic_read(exp->use));
1052 IP_NF_ASSERT(!timer_pending(&exp->timeout));
1053
1054 kfree(exp);
1055 @@ -267,11 +247,11 @@
1056 static void unexpect_related(struct ip_conntrack_expect *expect)
1057 {
1058 IP_NF_ASSERT(expect->expectant);
1059 + IP_NF_ASSERT(expect->expectant->helper);
1060 /* if we are supposed to have a timer, but we can't delete
1061 * it: race condition. __unexpect_related will
1062 * be calledd by timeout function */
1063 - if (expect->expectant->helper
1064 - && expect->expectant->helper->timeout
1065 + if (expect->expectant->helper->timeout
1066 && !del_timer(&expect->timeout))
1067 return;
1068
1069 @@ -580,6 +560,7 @@
1070 if (!h) {
1071 /* Locally generated ICMPs will match inverted if they
1072 haven't been SNAT'ed yet */
1073 + /* FIXME: NAT code has to handle half-done double NAT --RR */
1074 if (hooknum == NF_IP_LOCAL_OUT)
1075 h = ip_conntrack_find_get(&origtuple, NULL);
1076
1077 @@ -725,7 +706,6 @@
1078
1079 /* If the expectation is dying, then this is a looser. */
1080 if (expected
1081 - && expected->expectant->helper
1082 && expected->expectant->helper->timeout
1083 && ! del_timer(&expected->timeout))
1084 expected = NULL;
1085 @@ -744,7 +724,6 @@
1086 conntrack->master = expected;
1087 expected->sibling = conntrack;
1088 LIST_DELETE(&ip_conntrack_expect_list, expected);
1089 - INIT_LIST_HEAD(&expected->list);
1090 expected->expectant->expecting--;
1091 nf_conntrack_get(&master_ct(conntrack)->infos[0]);
1092 }
1093 @@ -821,9 +800,23 @@
1094 int set_reply;
1095 int ret;
1096
1097 + /* FIXME: Do this right please. --RR */
1098 (*pskb)->nfcache |= NFC_UNKNOWN;
1099
1100 /* Doesn't cover locally-generated broadcast, so not worth it. */
1101 +#if 0
1102 + /* Ignore broadcast: no `connection'. */
1103 + if ((*pskb)->pkt_type == PACKET_BROADCAST) {
1104 + printk("Broadcast packet!\n");
1105 + return NF_ACCEPT;
1106 + } else if (((*pskb)->nh.iph->daddr & htonl(0x000000FF))
1107 + == htonl(0x000000FF)) {
1108 + printk("Should bcast: %u.%u.%u.%u->%u.%u.%u.%u (sk=%p, ptype=%u)\n",
1109 + NIPQUAD((*pskb)->nh.iph->saddr),
1110 + NIPQUAD((*pskb)->nh.iph->daddr),
1111 + (*pskb)->sk, (*pskb)->pkt_type);
1112 + }
1113 +#endif
1114
1115 /* Previously seen (loopback)? Ignore. Do this before
1116 fragment check. */
1117 @@ -943,8 +936,8 @@
1118 * so there is no need to use the tuple lock too */
1119
1120 DEBUGP("ip_conntrack_expect_related %p\n", related_to);
1121 - DEBUGP("tuple: "); DUMP_TUPLE_RAW(&expect->tuple);
1122 - DEBUGP("mask: "); DUMP_TUPLE_RAW(&expect->mask);
1123 + DEBUGP("tuple: "); DUMP_TUPLE(&expect->tuple);
1124 + DEBUGP("mask: "); DUMP_TUPLE(&expect->mask);
1125
1126 old = LIST_FIND(&ip_conntrack_expect_list, resent_expect,
1127 struct ip_conntrack_expect *, &expect->tuple,
1128 @@ -954,8 +947,7 @@
1129 pointing into the payload - otherwise we should have to copy
1130 the data filled out by the helper over the old one */
1131 DEBUGP("expect_related: resent packet\n");
1132 - if (related_to->helper &&
1133 - related_to->helper->timeout) {
1134 + if (related_to->helper->timeout) {
1135 if (!del_timer(&old->timeout)) {
1136 /* expectation is dying. Fall through */
1137 old = NULL;
1138 @@ -970,32 +962,26 @@
1139 WRITE_UNLOCK(&ip_conntrack_lock);
1140 return -EEXIST;
1141 }
1142 - } else if (related_to->helper &&
1143 - related_to->helper->max_expected &&
1144 + } else if (related_to->helper->max_expected &&
1145 related_to->expecting >= related_to->helper->max_expected) {
1146 struct list_head *cur_item;
1147 /* old == NULL */
1148 - if (!(related_to->helper->flags &
1149 - IP_CT_HELPER_F_REUSE_EXPECT)) {
1150 - WRITE_UNLOCK(&ip_conntrack_lock);
1151 if (net_ratelimit())
1152 printk(KERN_WARNING
1153 "ip_conntrack: max number of expected "
1154 "connections %i of %s reached for "
1155 - "%u.%u.%u.%u->%u.%u.%u.%u\n",
1156 + "%u.%u.%u.%u->%u.%u.%u.%u%s\n",
1157 related_to->helper->max_expected,
1158 related_to->helper->name,
1159 NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
1160 - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
1161 + NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip),
1162 + related_to->helper->flags & IP_CT_HELPER_F_REUSE_EXPECT ?
1163 + ", reusing" : "");
1164 + if (!(related_to->helper->flags &
1165 + IP_CT_HELPER_F_REUSE_EXPECT)) {
1166 + WRITE_UNLOCK(&ip_conntrack_lock);
1167 return -EPERM;
1168 }
1169 - DEBUGP("ip_conntrack: max number of expected "
1170 - "connections %i of %s reached for "
1171 - "%u.%u.%u.%u->%u.%u.%u.%u, reusing\n",
1172 - related_to->helper->max_expected,
1173 - related_to->helper->name,
1174 - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
1175 - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
1176
1177 /* choose the the oldest expectation to evict */
1178 list_for_each(cur_item, &related_to->sibling_list) {
1179 @@ -1055,8 +1041,7 @@
1180 /* add to global list of expectations */
1181 list_prepend(&ip_conntrack_expect_list, &new->list);
1182 /* add and start timer if required */
1183 - if (related_to->helper &&
1184 - related_to->helper->timeout) {
1185 + if (related_to->helper->timeout) {
1186 init_timer(&new->timeout);
1187 new->timeout.data = (unsigned long)new;
1188 new->timeout.function = expectation_timed_out;
1189 @@ -1079,10 +1064,11 @@
1190
1191 MUST_BE_READ_LOCKED(&ip_conntrack_lock);
1192 WRITE_LOCK(&ip_conntrack_expect_tuple_lock);
1193 +
1194 DEBUGP("change_expect:\n");
1195 - DEBUGP("exp tuple: "); DUMP_TUPLE_RAW(&expect->tuple);
1196 - DEBUGP("exp mask: "); DUMP_TUPLE_RAW(&expect->mask);
1197 - DEBUGP("newtuple: "); DUMP_TUPLE_RAW(newtuple);
1198 + DEBUGP("exp tuple: "); DUMP_TUPLE(&expect->tuple);
1199 + DEBUGP("exp mask: "); DUMP_TUPLE(&expect->mask);
1200 + DEBUGP("newtuple: "); DUMP_TUPLE(newtuple);
1201 if (expect->ct_tuple.dst.protonum == 0) {
1202 /* Never seen before */
1203 DEBUGP("change expect: never seen before\n");
1204 @@ -1360,8 +1346,6 @@
1205 0, NULL };
1206
1207 #define NET_IP_CONNTRACK_MAX 2089
1208 -#define NET_IP_CONNTRACK_TCP_TIMEOUTS 2090
1209 -#define NET_IP_CONNTRACK_UDP_TIMEOUTS 2091
1210 #define NET_IP_CONNTRACK_MAX_NAME "ip_conntrack_max"
1211
1212 #ifdef CONFIG_SYSCTL
1213 @@ -1370,14 +1354,6 @@
1214 static ctl_table ip_conntrack_table[] = {
1215 { NET_IP_CONNTRACK_MAX, NET_IP_CONNTRACK_MAX_NAME, &ip_conntrack_max,
1216 sizeof(ip_conntrack_max), 0644, NULL, proc_dointvec },
1217 - { NET_IP_CONNTRACK_TCP_TIMEOUTS, "ip_conntrack_tcp_timeouts",
1218 - &sysctl_ip_conntrack_tcp_timeouts,
1219 - sizeof(sysctl_ip_conntrack_tcp_timeouts),
1220 - 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies },
1221 - { NET_IP_CONNTRACK_UDP_TIMEOUTS, "ip_conntrack_udp_timeouts",
1222 - &sysctl_ip_conntrack_udp_timeouts,
1223 - sizeof(sysctl_ip_conntrack_udp_timeouts),
1224 - 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies },
1225 { 0 }
1226 };
1227
1228 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_ftp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_ftp.c
1229 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_ftp.c 2003-07-04 04:12:31.000000000 -0400
1230 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_ftp.c 2004-05-09 04:13:03.000000000 -0400
1231 @@ -24,7 +24,11 @@
1232 static int loose = 0;
1233 MODULE_PARM(loose, "i");
1234
1235 +#if 0
1236 +#define DEBUGP printk
1237 +#else
1238 #define DEBUGP(format, args...)
1239 +#endif
1240
1241 static int try_rfc959(const char *, size_t, u_int32_t [], char);
1242 static int try_eprt(const char *, size_t, u_int32_t [], char);
1243 @@ -191,6 +195,16 @@
1244 }
1245
1246 if (strnicmp(data, pattern, plen) != 0) {
1247 +#if 0
1248 + size_t i;
1249 +
1250 + DEBUGP("ftp: string mismatch\n");
1251 + for (i = 0; i < plen; i++) {
1252 + DEBUGFTP("ftp:char %u `%c'(%u) vs `%c'(%u)\n",
1253 + i, data[i], data[i],
1254 + pattern[i], pattern[i]);
1255 + }
1256 +#endif
1257 return 0;
1258 }
1259
1260 @@ -214,6 +228,7 @@
1261 return 1;
1262 }
1263
1264 +/* FIXME: This should be in userspace. Later. */
1265 static int help(const struct iphdr *iph, size_t len,
1266 struct ip_conntrack *ct,
1267 enum ip_conntrack_info ctinfo)
1268 @@ -249,6 +264,7 @@
1269 }
1270
1271 /* Checksum invalid? Ignore. */
1272 + /* FIXME: Source route IP option packets --RR */
1273 if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
1274 csum_partial((char *)tcph, tcplen, 0))) {
1275 DEBUGP("ftp_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
1276 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_h323.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_h323.c
1277 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_h323.c 2003-07-04 04:12:31.000000000 -0400
1278 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_h323.c 1969-12-31 19:00:00.000000000 -0500
1279 @@ -1,302 +0,0 @@
1280 -/*
1281 - * H.323 'brute force' extension for H.323 connection tracking.
1282 - * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
1283 - *
1284 - * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project.
1285 - * (http://www.coritel.it/projects/sofia/nat/)
1286 - * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind'
1287 - * the unregistered helpers to the conntrack entries.
1288 - */
1289 -
1290 -
1291 -#include <linux/module.h>
1292 -#include <linux/netfilter.h>
1293 -#include <linux/ip.h>
1294 -#include <net/checksum.h>
1295 -#include <net/tcp.h>
1296 -
1297 -#include <linux/netfilter_ipv4/lockhelp.h>
1298 -#include <linux/netfilter_ipv4/ip_conntrack.h>
1299 -#include <linux/netfilter_ipv4/ip_conntrack_core.h>
1300 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
1301 -#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
1302 -#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
1303 -
1304 -MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
1305 -MODULE_DESCRIPTION("H.323 'brute force' connection tracking module");
1306 -MODULE_LICENSE("GPL");
1307 -
1308 -DECLARE_LOCK(ip_h323_lock);
1309 -struct module *ip_conntrack_h323 = THIS_MODULE;
1310 -
1311 -#define DEBUGP(format, args...)
1312 -
1313 -static int h245_help(const struct iphdr *iph, size_t len,
1314 - struct ip_conntrack *ct,
1315 - enum ip_conntrack_info ctinfo)
1316 -{
1317 - struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
1318 - unsigned char *data = (unsigned char *) tcph + tcph->doff * 4;
1319 - unsigned char *data_limit;
1320 - u_int32_t tcplen = len - iph->ihl * 4;
1321 - u_int32_t datalen = tcplen - tcph->doff * 4;
1322 - int dir = CTINFO2DIR(ctinfo);
1323 - struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
1324 - struct ip_conntrack_expect expect, *exp = &expect;
1325 - struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info;
1326 - u_int16_t data_port;
1327 - u_int32_t data_ip;
1328 - unsigned int i;
1329 -
1330 - DEBUGP("ct_h245_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
1331 - NIPQUAD(iph->saddr), ntohs(tcph->source),
1332 - NIPQUAD(iph->daddr), ntohs(tcph->dest));
1333 -
1334 - /* Can't track connections formed before we registered */
1335 - if (!info)
1336 - return NF_ACCEPT;
1337 -
1338 - /* Until there's been traffic both ways, don't look in packets. */
1339 - if (ctinfo != IP_CT_ESTABLISHED
1340 - && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
1341 - DEBUGP("ct_h245_help: Conntrackinfo = %u\n", ctinfo);
1342 - return NF_ACCEPT;
1343 - }
1344 -
1345 - /* Not whole TCP header or too short packet? */
1346 - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) {
1347 - DEBUGP("ct_h245_help: tcplen = %u\n", (unsigned)tcplen);
1348 - return NF_ACCEPT;
1349 - }
1350 -
1351 - /* Checksum invalid? Ignore. */
1352 - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
1353 - csum_partial((char *)tcph, tcplen, 0))) {
1354 - DEBUGP("ct_h245_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
1355 - tcph, tcplen, NIPQUAD(iph->saddr),
1356 - NIPQUAD(iph->daddr));
1357 - return NF_ACCEPT;
1358 - }
1359 -
1360 - data_limit = (unsigned char *) data + datalen;
1361 - /* bytes: 0123 45
1362 - ipadrr port */
1363 - for (i = 0; data < (data_limit - 5); data++, i++) {
1364 - memcpy(&data_ip, data, sizeof(u_int32_t));
1365 - if (data_ip == iph->saddr) {
1366 - memcpy(&data_port, data + 4, sizeof(u_int16_t));
1367 - memset(&expect, 0, sizeof(expect));
1368 - /* update the H.225 info */
1369 - DEBUGP("ct_h245_help: new RTCP/RTP requested %u.%u.%u.%u:->%u.%u.%u.%u:%u\n",
1370 - NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
1371 - NIPQUAD(iph->saddr), ntohs(data_port));
1372 - LOCK_BH(&ip_h323_lock);
1373 - info->is_h225 = H225_PORT + 1;
1374 - exp_info->port = data_port;
1375 - exp_info->dir = dir;
1376 - exp_info->offset = i;
1377 -
1378 - exp->seq = ntohl(tcph->seq) + i;
1379 -
1380 - exp->tuple = ((struct ip_conntrack_tuple)
1381 - { { ct->tuplehash[!dir].tuple.src.ip,
1382 - { 0 } },
1383 - { data_ip,
1384 - { data_port },
1385 - IPPROTO_UDP }});
1386 - exp->mask = ((struct ip_conntrack_tuple)
1387 - { { 0xFFFFFFFF, { 0 } },
1388 - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
1389 -
1390 - exp->expectfn = NULL;
1391 -
1392 - /* Ignore failure; should only happen with NAT */
1393 - ip_conntrack_expect_related(ct, exp);
1394 -
1395 - UNLOCK_BH(&ip_h323_lock);
1396 - }
1397 - }
1398 -
1399 - return NF_ACCEPT;
1400 -
1401 -}
1402 -
1403 -/* H.245 helper is not registered! */
1404 -static struct ip_conntrack_helper h245 =
1405 - { { NULL, NULL },
1406 - "H.245", /* name */
1407 - IP_CT_HELPER_F_REUSE_EXPECT, /* flags */
1408 - NULL, /* module */
1409 - 8, /* max_ expected */
1410 - 240, /* timeout */
1411 - { { 0, { 0 } }, /* tuple */
1412 - { 0, { 0 }, IPPROTO_TCP } },
1413 - { { 0, { 0xFFFF } }, /* mask */
1414 - { 0, { 0 }, 0xFFFF } },
1415 - h245_help /* helper */
1416 - };
1417 -
1418 -static int h225_expect(struct ip_conntrack *ct)
1419 -{
1420 - WRITE_LOCK(&ip_conntrack_lock);
1421 - ct->helper = &h245;
1422 - DEBUGP("h225_expect: helper for %p added\n", ct);
1423 - WRITE_UNLOCK(&ip_conntrack_lock);
1424 -
1425 - return NF_ACCEPT; /* unused */
1426 -}
1427 -
1428 -static int h225_help(const struct iphdr *iph, size_t len,
1429 - struct ip_conntrack *ct,
1430 - enum ip_conntrack_info ctinfo)
1431 -{
1432 - struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
1433 - unsigned char *data = (unsigned char *) tcph + tcph->doff * 4;
1434 - unsigned char *data_limit;
1435 - u_int32_t tcplen = len - iph->ihl * 4;
1436 - u_int32_t datalen = tcplen - tcph->doff * 4;
1437 - int dir = CTINFO2DIR(ctinfo);
1438 - struct ip_ct_h225_master *info = &ct->help.ct_h225_info;
1439 - struct ip_conntrack_expect expect, *exp = &expect;
1440 - struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info;
1441 - u_int16_t data_port;
1442 - u_int32_t data_ip;
1443 - unsigned int i;
1444 -
1445 - DEBUGP("ct_h225_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
1446 - NIPQUAD(iph->saddr), ntohs(tcph->source),
1447 - NIPQUAD(iph->daddr), ntohs(tcph->dest));
1448 -
1449 - /* Can't track connections formed before we registered */
1450 - if (!info)
1451 - return NF_ACCEPT;
1452 -
1453 - /* Until there's been traffic both ways, don't look in packets. */
1454 - if (ctinfo != IP_CT_ESTABLISHED
1455 - && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
1456 - DEBUGP("ct_h225_help: Conntrackinfo = %u\n", ctinfo);
1457 - return NF_ACCEPT;
1458 - }
1459 -
1460 - /* Not whole TCP header or too short packet? */
1461 - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) {
1462 - DEBUGP("ct_h225_help: tcplen = %u\n", (unsigned)tcplen);
1463 - return NF_ACCEPT;
1464 - }
1465 -
1466 - /* Checksum invalid? Ignore. */
1467 - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
1468 - csum_partial((char *)tcph, tcplen, 0))) {
1469 - DEBUGP("ct_h225_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
1470 - tcph, tcplen, NIPQUAD(iph->saddr),
1471 - NIPQUAD(iph->daddr));
1472 - return NF_ACCEPT;
1473 - }
1474 -
1475 - data_limit = (unsigned char *) data + datalen;
1476 - /* bytes: 0123 45
1477 - ipadrr port */
1478 - for (i = 0; data < (data_limit - 5); data++, i++) {
1479 - memcpy(&data_ip, data, sizeof(u_int32_t));
1480 - if (data_ip == iph->saddr) {
1481 - memcpy(&data_port, data + 4, sizeof(u_int16_t));
1482 - if (data_port == tcph->source) {
1483 - /* Signal address */
1484 - DEBUGP("ct_h225_help: sourceCallSignalAddress from %u.%u.%u.%u\n",
1485 - NIPQUAD(iph->saddr));
1486 - /* Update the H.225 info so that NAT can mangle the address/port
1487 - even when we have no expected connection! */
1488 -#ifdef CONFIG_IP_NF_NAT_NEEDED
1489 - LOCK_BH(&ip_h323_lock);
1490 - info->dir = dir;
1491 - info->seq[IP_CT_DIR_ORIGINAL] = ntohl(tcph->seq) + i;
1492 - info->offset[IP_CT_DIR_ORIGINAL] = i;
1493 - UNLOCK_BH(&ip_h323_lock);
1494 -#endif
1495 - } else {
1496 - memset(&expect, 0, sizeof(expect));
1497 -
1498 - /* update the H.225 info */
1499 - LOCK_BH(&ip_h323_lock);
1500 - info->is_h225 = H225_PORT;
1501 - exp_info->port = data_port;
1502 - exp_info->dir = dir;
1503 - exp_info->offset = i;
1504 -
1505 - exp->seq = ntohl(tcph->seq) + i;
1506 -
1507 - exp->tuple = ((struct ip_conntrack_tuple)
1508 - { { ct->tuplehash[!dir].tuple.src.ip,
1509 - { 0 } },
1510 - { data_ip,
1511 - { data_port },
1512 - IPPROTO_TCP }});
1513 - exp->mask = ((struct ip_conntrack_tuple)
1514 - { { 0xFFFFFFFF, { 0 } },
1515 - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
1516 -
1517 - exp->expectfn = h225_expect;
1518 -
1519 - /* Ignore failure */
1520 - ip_conntrack_expect_related(ct, exp);
1521 -
1522 - DEBUGP("ct_h225_help: new H.245 requested %u.%u.%u.%u->%u.%u.%u.%u:%u\n",
1523 - NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
1524 - NIPQUAD(iph->saddr), ntohs(data_port));
1525 -
1526 - UNLOCK_BH(&ip_h323_lock);
1527 - }
1528 -#ifdef CONFIG_IP_NF_NAT_NEEDED
1529 - } else if (data_ip == iph->daddr) {
1530 - memcpy(&data_port, data + 4, sizeof(u_int16_t));
1531 - if (data_port == tcph->dest) {
1532 - /* Signal address */
1533 - DEBUGP("ct_h225_help: destCallSignalAddress %u.%u.%u.%u\n",
1534 - NIPQUAD(iph->daddr));
1535 - /* Update the H.225 info so that NAT can mangle the address/port
1536 - even when we have no expected connection! */
1537 - LOCK_BH(&ip_h323_lock);
1538 - info->dir = dir;
1539 - info->seq[IP_CT_DIR_REPLY] = ntohl(tcph->seq) + i;
1540 - info->offset[IP_CT_DIR_REPLY] = i;
1541 - UNLOCK_BH(&ip_h323_lock);
1542 - }
1543 -#endif
1544 - }
1545 - }
1546 -
1547 - return NF_ACCEPT;
1548 -
1549 -}
1550 -
1551 -static struct ip_conntrack_helper h225 =
1552 - { { NULL, NULL },
1553 - "H.225", /* name */
1554 - IP_CT_HELPER_F_REUSE_EXPECT, /* flags */
1555 - THIS_MODULE, /* module */
1556 - 2, /* max_expected */
1557 - 240, /* timeout */
1558 - { { 0, { __constant_htons(H225_PORT) } }, /* tuple */
1559 - { 0, { 0 }, IPPROTO_TCP } },
1560 - { { 0, { 0xFFFF } }, /* mask */
1561 - { 0, { 0 }, 0xFFFF } },
1562 - h225_help /* helper */
1563 - };
1564 -
1565 -static int __init init(void)
1566 -{
1567 - return ip_conntrack_helper_register(&h225);
1568 -}
1569 -
1570 -static void __exit fini(void)
1571 -{
1572 - /* Unregister H.225 helper */
1573 - ip_conntrack_helper_unregister(&h225);
1574 -}
1575 -
1576 -#ifdef CONFIG_IP_NF_NAT_NEEDED
1577 -EXPORT_SYMBOL(ip_h323_lock);
1578 -#endif
1579 -
1580 -module_init(init);
1581 -module_exit(fini);
1582 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_mms.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_mms.c
1583 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_mms.c 2003-07-04 04:12:31.000000000 -0400
1584 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_mms.c 1969-12-31 19:00:00.000000000 -0500
1585 @@ -1,292 +0,0 @@
1586 -/* MMS extension for IP connection tracking
1587 - * (C) 2002 by Filip Sneppe <filip.sneppe@cronos.be>
1588 - * based on ip_conntrack_ftp.c and ip_conntrack_irc.c
1589 - *
1590 - * ip_conntrack_mms.c v0.3 2002-09-22
1591 - *
1592 - * This program is free software; you can redistribute it and/or
1593 - * modify it under the terms of the GNU General Public License
1594 - * as published by the Free Software Foundation; either version
1595 - * 2 of the License, or (at your option) any later version.
1596 - *
1597 - * Module load syntax:
1598 - * insmod ip_conntrack_mms.o ports=port1,port2,...port<MAX_PORTS>
1599 - *
1600 - * Please give the ports of all MMS servers You wish to connect to.
1601 - * If you don't specify ports, the default will be TCP port 1755.
1602 - *
1603 - * More info on MMS protocol, firewalls and NAT:
1604 - * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp
1605 - * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp
1606 - *
1607 - * The SDP project people are reverse-engineering MMS:
1608 - * http://get.to/sdp
1609 - */
1610 -
1611 -#include <linux/config.h>
1612 -#include <linux/module.h>
1613 -#include <linux/netfilter.h>
1614 -#include <linux/ip.h>
1615 -#include <linux/ctype.h>
1616 -#include <net/checksum.h>
1617 -#include <net/tcp.h>
1618 -
1619 -#include <linux/netfilter_ipv4/lockhelp.h>
1620 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
1621 -#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
1622 -
1623 -DECLARE_LOCK(ip_mms_lock);
1624 -struct module *ip_conntrack_mms = THIS_MODULE;
1625 -
1626 -#define MAX_PORTS 8
1627 -static int ports[MAX_PORTS];
1628 -static int ports_c;
1629 -#ifdef MODULE_PARM
1630 -MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
1631 -#endif
1632 -
1633 -#define DEBUGP(format, args...)
1634 -
1635 -#ifdef CONFIG_IP_NF_NAT_NEEDED
1636 -EXPORT_SYMBOL(ip_mms_lock);
1637 -#endif
1638 -
1639 -MODULE_AUTHOR("Filip Sneppe <filip.sneppe@cronos.be>");
1640 -MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) connection tracking module");
1641 -MODULE_LICENSE("GPL");
1642 -
1643 -/* #define isdigit(c) (c >= '0' && c <= '9') */
1644 -
1645 -/* copied from drivers/usb/serial/io_edgeport.c - not perfect but will do the trick */
1646 -static void unicode_to_ascii (char *string, short *unicode, int unicode_size)
1647 -{
1648 - int i;
1649 - for (i = 0; i < unicode_size; ++i) {
1650 - string[i] = (char)(unicode[i]);
1651 - }
1652 - string[unicode_size] = 0x00;
1653 -}
1654 -
1655 -__inline static int atoi(char *s)
1656 -{
1657 - int i=0;
1658 - while (isdigit(*s)) {
1659 - i = i*10 + *(s++) - '0';
1660 - }
1661 - return i;
1662 -}
1663 -
1664 -/* convert ip address string like "192.168.0.10" to unsigned int */
1665 -__inline static u_int32_t asciiiptoi(char *s)
1666 -{
1667 - unsigned int i, j, k;
1668 -
1669 - for(i=k=0; k<3; ++k, ++s, i<<=8) {
1670 - i+=atoi(s);
1671 - for(j=0; (*(++s) != '.') && (j<3); ++j)
1672 - ;
1673 - }
1674 - i+=atoi(s);
1675 - return ntohl(i);
1676 -}
1677 -
1678 -int parse_mms(const char *data,
1679 - const unsigned int datalen,
1680 - u_int32_t *mms_ip,
1681 - u_int16_t *mms_proto,
1682 - u_int16_t *mms_port,
1683 - char **mms_string_b,
1684 - char **mms_string_e,
1685 - char **mms_padding_e)
1686 -{
1687 - int unicode_size, i;
1688 - char tempstring[28]; /* "\\255.255.255.255\UDP\65535" */
1689 - char getlengthstring[28];
1690 -
1691 - for(unicode_size=0;
1692 - (char) *(data+(MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2)) != (char)0;
1693 - unicode_size++)
1694 - if ((unicode_size == 28) || (MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2 >= datalen))
1695 - return -1; /* out of bounds - incomplete packet */
1696 -
1697 - unicode_to_ascii(tempstring, (short *)(data+MMS_SRV_UNICODE_STRING_OFFSET), unicode_size);
1698 - DEBUGP("ip_conntrack_mms: offset 60: %s\n", (const char *)(tempstring));
1699 -
1700 - /* IP address ? */
1701 - *mms_ip = asciiiptoi(tempstring+2);
1702 -
1703 - i=sprintf(getlengthstring, "%u.%u.%u.%u", HIPQUAD(*mms_ip));
1704 -
1705 - /* protocol ? */
1706 - if(strncmp(tempstring+3+i, "TCP", 3)==0)
1707 - *mms_proto = IPPROTO_TCP;
1708 - else if(strncmp(tempstring+3+i, "UDP", 3)==0)
1709 - *mms_proto = IPPROTO_UDP;
1710 -
1711 - /* port ? */
1712 - *mms_port = atoi(tempstring+7+i);
1713 -
1714 - /* we store a pointer to the beginning of the "\\a.b.c.d\proto\port"
1715 - unicode string, one to the end of the string, and one to the end
1716 - of the packet, since we must keep track of the number of bytes
1717 - between end of the unicode string and the end of packet (padding) */
1718 - *mms_string_b = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET);
1719 - *mms_string_e = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET + unicode_size * 2);
1720 - *mms_padding_e = (char *)(data + datalen); /* looks funny, doesn't it */
1721 - return 0;
1722 -}
1723 -
1724 -
1725 -static int help(const struct iphdr *iph, size_t len,
1726 - struct ip_conntrack *ct,
1727 - enum ip_conntrack_info ctinfo)
1728 -{
1729 - /* tcplen not negative guaranteed by ip_conntrack_tcp.c */
1730 - struct tcphdr *tcph = (void *)iph + iph->ihl * 4;
1731 - const char *data = (const char *)tcph + tcph->doff * 4;
1732 - unsigned int tcplen = len - iph->ihl * 4;
1733 - unsigned int datalen = tcplen - tcph->doff * 4;
1734 - int dir = CTINFO2DIR(ctinfo);
1735 - struct ip_conntrack_expect expect, *exp = &expect;
1736 - struct ip_ct_mms_expect *exp_mms_info = &exp->help.exp_mms_info;
1737 -
1738 - u_int32_t mms_ip;
1739 - u_int16_t mms_proto;
1740 - char mms_proto_string[8];
1741 - u_int16_t mms_port;
1742 - char *mms_string_b, *mms_string_e, *mms_padding_e;
1743 -
1744 - /* Until there's been traffic both ways, don't look in packets. */
1745 - if (ctinfo != IP_CT_ESTABLISHED
1746 - && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
1747 - DEBUGP("ip_conntrack_mms: Conntrackinfo = %u\n", ctinfo);
1748 - return NF_ACCEPT;
1749 - }
1750 -
1751 - /* Not whole TCP header? */
1752 - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff*4) {
1753 - DEBUGP("ip_conntrack_mms: tcplen = %u\n", (unsigned)tcplen);
1754 - return NF_ACCEPT;
1755 - }
1756 -
1757 - /* Checksum invalid? Ignore. */
1758 - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
1759 - csum_partial((char *)tcph, tcplen, 0))) {
1760 - DEBUGP("mms_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
1761 - tcph, tcplen, NIPQUAD(iph->saddr),
1762 - NIPQUAD(iph->daddr));
1763 - return NF_ACCEPT;
1764 - }
1765 -
1766 - /* Only look at packets with 0x00030002/196610 on bytes 36->39 of TCP payload */
1767 - if( (MMS_SRV_MSG_OFFSET < datalen) &&
1768 - ((*(u32 *)(data+MMS_SRV_MSG_OFFSET)) == MMS_SRV_MSG_ID)) {
1769 - DEBUGP("ip_conntrack_mms: offset 37: %u %u %u %u, datalen:%u\n",
1770 - (u8)*(data+36), (u8)*(data+37),
1771 - (u8)*(data+38), (u8)*(data+39),
1772 - datalen);
1773 - if(parse_mms(data, datalen, &mms_ip, &mms_proto, &mms_port,
1774 - &mms_string_b, &mms_string_e, &mms_padding_e))
1775 - if(net_ratelimit())
1776 - printk(KERN_WARNING
1777 - "ip_conntrack_mms: Unable to parse data payload\n");
1778 -
1779 - memset(&expect, 0, sizeof(expect));
1780 -
1781 - sprintf(mms_proto_string, "(%u)", mms_proto);
1782 - DEBUGP("ip_conntrack_mms: adding %s expectation %u.%u.%u.%u -> %u.%u.%u.%u:%u\n",
1783 - mms_proto == IPPROTO_TCP ? "TCP"
1784 - : mms_proto == IPPROTO_UDP ? "UDP":mms_proto_string,
1785 - NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
1786 - NIPQUAD(mms_ip),
1787 - mms_port);
1788 -
1789 - /* it's possible that the client will just ask the server to tunnel
1790 - the stream over the same TCP session (from port 1755): there's
1791 - shouldn't be a need to add an expectation in that case, but it
1792 - makes NAT packet mangling so much easier */
1793 - LOCK_BH(&ip_mms_lock);
1794 -
1795 - DEBUGP("ip_conntrack_mms: tcph->seq = %u\n", tcph->seq);
1796 -
1797 - exp->seq = ntohl(tcph->seq) + (mms_string_b - data);
1798 - exp_mms_info->len = (mms_string_e - mms_string_b);
1799 - exp_mms_info->padding = (mms_padding_e - mms_string_e);
1800 - exp_mms_info->port = mms_port;
1801 -
1802 - DEBUGP("ip_conntrack_mms: wrote info seq=%u (ofs=%u), len=%d, padding=%u\n",
1803 - exp->seq, (mms_string_e - data), exp_mms_info->len, exp_mms_info->padding);
1804 -
1805 - exp->tuple = ((struct ip_conntrack_tuple)
1806 - { { ct->tuplehash[!dir].tuple.src.ip, { 0 } },
1807 - { mms_ip,
1808 - { (__u16) ntohs(mms_port) },
1809 - mms_proto } }
1810 - );
1811 - exp->mask = ((struct ip_conntrack_tuple)
1812 - { { 0xFFFFFFFF, { 0 } },
1813 - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
1814 - exp->expectfn = NULL;
1815 - ip_conntrack_expect_related(ct, &expect);
1816 - UNLOCK_BH(&ip_mms_lock);
1817 - }
1818 -
1819 - return NF_ACCEPT;
1820 -}
1821 -
1822 -static struct ip_conntrack_helper mms[MAX_PORTS];
1823 -static char mms_names[MAX_PORTS][10];
1824 -
1825 -/* Not __exit: called from init() */
1826 -static void fini(void)
1827 -{
1828 - int i;
1829 - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
1830 - DEBUGP("ip_conntrack_mms: unregistering helper for port %d\n",
1831 - ports[i]);
1832 - ip_conntrack_helper_unregister(&mms[i]);
1833 - }
1834 -}
1835 -
1836 -static int __init init(void)
1837 -{
1838 - int i, ret;
1839 - char *tmpname;
1840 -
1841 - if (ports[0] == 0)
1842 - ports[0] = MMS_PORT;
1843 -
1844 - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) {
1845 - memset(&mms[i], 0, sizeof(struct ip_conntrack_helper));
1846 - mms[i].tuple.src.u.tcp.port = htons(ports[i]);
1847 - mms[i].tuple.dst.protonum = IPPROTO_TCP;
1848 - mms[i].mask.src.u.tcp.port = 0xFFFF;
1849 - mms[i].mask.dst.protonum = 0xFFFF;
1850 - mms[i].max_expected = 1;
1851 - mms[i].timeout = 0;
1852 - mms[i].flags = IP_CT_HELPER_F_REUSE_EXPECT;
1853 - mms[i].me = THIS_MODULE;
1854 - mms[i].help = help;
1855 -
1856 - tmpname = &mms_names[i][0];
1857 - if (ports[i] == MMS_PORT)
1858 - sprintf(tmpname, "mms");
1859 - else
1860 - sprintf(tmpname, "mms-%d", ports[i]);
1861 - mms[i].name = tmpname;
1862 -
1863 - DEBUGP("ip_conntrack_mms: registering helper for port %d\n",
1864 - ports[i]);
1865 - ret = ip_conntrack_helper_register(&mms[i]);
1866 -
1867 - if (ret) {
1868 - fini();
1869 - return ret;
1870 - }
1871 - ports_c++;
1872 - }
1873 - return 0;
1874 -}
1875 -
1876 -module_init(init);
1877 -module_exit(fini);
1878 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_pptp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_pptp.c
1879 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_pptp.c 2003-07-04 04:12:31.000000000 -0400
1880 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_pptp.c 1969-12-31 19:00:00.000000000 -0500
1881 @@ -1,531 +0,0 @@
1882 -/*
1883 - * ip_conntrack_pptp.c - Version 1.11
1884 - *
1885 - * Connection tracking support for PPTP (Point to Point Tunneling Protocol).
1886 - * PPTP is a a protocol for creating virtual private networks.
1887 - * It is a specification defined by Microsoft and some vendors
1888 - * working with Microsoft. PPTP is built on top of a modified
1889 - * version of the Internet Generic Routing Encapsulation Protocol.
1890 - * GRE is defined in RFC 1701 and RFC 1702. Documentation of
1891 - * PPTP can be found in RFC 2637
1892 - *
1893 - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>,
1894 - *
1895 - * Development of this code funded by Astaro AG (http://www.astaro.com/)
1896 - *
1897 - * Limitations:
1898 - * - We blindly assume that control connections are always
1899 - * established in PNS->PAC direction. This is a violation
1900 - * of RFFC2673
1901 - *
1902 - * TODO: - finish support for multiple calls within one session
1903 - * (needs expect reservations in newnat)
1904 - * - testing of incoming PPTP calls
1905 - */
1906 -
1907 -#include <linux/config.h>
1908 -#include <linux/module.h>
1909 -#include <linux/netfilter.h>
1910 -#include <linux/ip.h>
1911 -#include <net/checksum.h>
1912 -#include <net/tcp.h>
1913 -
1914 -#include <linux/netfilter_ipv4/lockhelp.h>
1915 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
1916 -#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
1917 -#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
1918 -
1919 -MODULE_LICENSE("GPL");
1920 -MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
1921 -MODULE_DESCRIPTION("Netfilter connection tracking helper module for PPTP");
1922 -
1923 -DECLARE_LOCK(ip_pptp_lock);
1924 -
1925 -#define DEBUGP(format, args...)
1926 -
1927 -#define SECS *HZ
1928 -#define MINS * 60 SECS
1929 -#define HOURS * 60 MINS
1930 -#define DAYS * 24 HOURS
1931 -
1932 -#define PPTP_GRE_TIMEOUT (10 MINS)
1933 -#define PPTP_GRE_STREAM_TIMEOUT (5 DAYS)
1934 -
1935 -static int pptp_expectfn(struct ip_conntrack *ct)
1936 -{
1937 - struct ip_conntrack_expect *exp, *other_exp;
1938 - struct ip_conntrack *master;
1939 -
1940 - DEBUGP("increasing timeouts\n");
1941 - /* increase timeout of GRE data channel conntrack entry */
1942 - ct->proto.gre.timeout = PPTP_GRE_TIMEOUT;
1943 - ct->proto.gre.stream_timeout = PPTP_GRE_STREAM_TIMEOUT;
1944 -
1945 - master = master_ct(ct);
1946 - if (!master) {
1947 - DEBUGP(" no master!!!\n");
1948 - return 0;
1949 - }
1950 -
1951 - DEBUGP("completing tuples with ct info\n");
1952 - /* we can do this, since we're unconfirmed */
1953 - if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.gre.key ==
1954 - htonl(master->help.ct_pptp_info.pac_call_id)) {
1955 - /* assume PNS->PAC */
1956 - ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
1957 - htonl(master->help.ct_pptp_info.pns_call_id);
1958 - ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
1959 - htonl(master->help.ct_pptp_info.pns_call_id);
1960 - } else {
1961 - /* assume PAC->PNS */
1962 - ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key =
1963 - htonl(master->help.ct_pptp_info.pac_call_id);
1964 - ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key =
1965 - htonl(master->help.ct_pptp_info.pns_call_id);
1966 - }
1967 -
1968 - return 0;
1969 -}
1970 -
1971 -/* timeout GRE data connections */
1972 -static int pptp_timeout_related(struct ip_conntrack *ct)
1973 -{
1974 - struct list_head *cur_item;
1975 - struct ip_conntrack_expect *exp;
1976 -
1977 - list_for_each(cur_item, &ct->sibling_list) {
1978 - exp = list_entry(cur_item, struct ip_conntrack_expect,
1979 - expected_list);
1980 -
1981 - if (!exp->sibling)
1982 - continue;
1983 -
1984 - DEBUGP("setting timeout of conntrack %p to 0\n",
1985 - exp->sibling);
1986 - exp->sibling->proto.gre.timeout = 0;
1987 - exp->sibling->proto.gre.stream_timeout = 0;
1988 - ip_ct_refresh(exp->sibling, 0);
1989 - }
1990 -
1991 - return 0;
1992 -}
1993 -
1994 -/* expect GRE connection in PNS->PAC direction */
1995 -static inline int
1996 -exp_gre(struct ip_conntrack *master,
1997 - u_int32_t seq,
1998 - u_int16_t callid,
1999 - u_int16_t peer_callid)
2000 -{
2001 - struct ip_conntrack_expect exp;
2002 - struct ip_conntrack_tuple inv_tuple;
2003 -
2004 - memset(&exp, 0, sizeof(exp));
2005 - /* tuple in original direction, PAC->PNS */
2006 - exp.tuple.src.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
2007 - exp.tuple.src.u.gre.key = htonl(ntohs(peer_callid));
2008 - exp.tuple.dst.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
2009 - exp.tuple.dst.u.gre.key = htonl(ntohs(callid));
2010 - exp.tuple.dst.u.gre.protocol = __constant_htons(GRE_PROTOCOL_PPTP);
2011 - exp.tuple.dst.u.gre.version = GRE_VERSION_PPTP;
2012 - exp.tuple.dst.protonum = IPPROTO_GRE;
2013 -
2014 - exp.mask.src.ip = 0xffffffff;
2015 - exp.mask.src.u.all = 0;
2016 - exp.mask.dst.u.all = 0;
2017 - exp.mask.dst.u.gre.key = 0xffffffff;
2018 - exp.mask.dst.u.gre.version = 0xff;
2019 - exp.mask.dst.u.gre.protocol = 0xffff;
2020 - exp.mask.dst.ip = 0xffffffff;
2021 - exp.mask.dst.protonum = 0xffff;
2022 -
2023 - exp.seq = seq;
2024 - exp.expectfn = pptp_expectfn;
2025 -
2026 - exp.help.exp_pptp_info.pac_call_id = ntohs(callid);
2027 - exp.help.exp_pptp_info.pns_call_id = ntohs(peer_callid);
2028 -
2029 - DEBUGP("calling expect_related ");
2030 - DUMP_TUPLE_RAW(&exp.tuple);
2031 -
2032 - /* Add GRE keymap entries */
2033 - ip_ct_gre_keymap_add(&exp, &exp.tuple, 0);
2034 - invert_tuplepr(&inv_tuple, &exp.tuple);
2035 - ip_ct_gre_keymap_add(&exp, &inv_tuple, 1);
2036 -
2037 - ip_conntrack_expect_related(master, &exp);
2038 -
2039 - return 0;
2040 -}
2041 -
2042 -static inline int
2043 -pptp_inbound_pkt(struct tcphdr *tcph,
2044 - struct pptp_pkt_hdr *pptph,
2045 - size_t datalen,
2046 - struct ip_conntrack *ct,
2047 - enum ip_conntrack_info ctinfo)
2048 -{
2049 - struct PptpControlHeader *ctlh;
2050 - union pptp_ctrl_union pptpReq;
2051 -
2052 - struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
2053 - u_int16_t msg, *cid, *pcid;
2054 - u_int32_t seq;
2055 -
2056 - ctlh = (struct PptpControlHeader *)
2057 - ((char *) pptph + sizeof(struct pptp_pkt_hdr));
2058 - pptpReq.rawreq = (void *)
2059 - ((char *) ctlh + sizeof(struct PptpControlHeader));
2060 -
2061 - msg = ntohs(ctlh->messageType);
2062 - DEBUGP("inbound control message %s\n", strMName[msg]);
2063 -
2064 - switch (msg) {
2065 - case PPTP_START_SESSION_REPLY:
2066 - /* server confirms new control session */
2067 - if (info->sstate < PPTP_SESSION_REQUESTED) {
2068 - DEBUGP("%s without START_SESS_REQUEST\n",
2069 - strMName[msg]);
2070 - break;
2071 - }
2072 - if (pptpReq.srep->resultCode == PPTP_START_OK)
2073 - info->sstate = PPTP_SESSION_CONFIRMED;
2074 - else
2075 - info->sstate = PPTP_SESSION_ERROR;
2076 - break;
2077 -
2078 - case PPTP_STOP_SESSION_REPLY:
2079 - /* server confirms end of control session */
2080 - if (info->sstate > PPTP_SESSION_STOPREQ) {
2081 - DEBUGP("%s without STOP_SESS_REQUEST\n",
2082 - strMName[msg]);
2083 - break;
2084 - }
2085 - if (pptpReq.strep->resultCode == PPTP_STOP_OK)
2086 - info->sstate = PPTP_SESSION_NONE;
2087 - else
2088 - info->sstate = PPTP_SESSION_ERROR;
2089 - break;
2090 -
2091 - case PPTP_OUT_CALL_REPLY:
2092 - /* server accepted call, we now expect GRE frames */
2093 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2094 - DEBUGP("%s but no session\n", strMName[msg]);
2095 - break;
2096 - }
2097 - if (info->cstate != PPTP_CALL_OUT_REQ &&
2098 - info->cstate != PPTP_CALL_OUT_CONF) {
2099 - DEBUGP("%s without OUTCALL_REQ\n", strMName[msg]);
2100 - break;
2101 - }
2102 - if (pptpReq.ocack->resultCode != PPTP_OUTCALL_CONNECT) {
2103 - info->cstate = PPTP_CALL_NONE;
2104 - break;
2105 - }
2106 -
2107 - cid = &pptpReq.ocack->callID;
2108 - pcid = &pptpReq.ocack->peersCallID;
2109 -
2110 - info->pac_call_id = ntohs(*cid);
2111 -
2112 - if (htons(info->pns_call_id) != *pcid) {
2113 - DEBUGP("%s for unknown callid %u\n",
2114 - strMName[msg], ntohs(*pcid));
2115 - break;
2116 - }
2117 -
2118 - DEBUGP("%s, CID=%X, PCID=%X\n", strMName[msg],
2119 - ntohs(*cid), ntohs(*pcid));
2120 -
2121 - info->cstate = PPTP_CALL_OUT_CONF;
2122 -
2123 - seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph);
2124 - exp_gre(ct, seq, *cid, *pcid);
2125 - break;
2126 -
2127 - case PPTP_IN_CALL_REQUEST:
2128 - /* server tells us about incoming call request */
2129 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2130 - DEBUGP("%s but no session\n", strMName[msg]);
2131 - break;
2132 - }
2133 - pcid = &pptpReq.icack->peersCallID;
2134 - DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid));
2135 - info->cstate = PPTP_CALL_IN_REQ;
2136 - info->pac_call_id= ntohs(*pcid);
2137 - break;
2138 -
2139 - case PPTP_IN_CALL_CONNECT:
2140 - /* server tells us about incoming call established */
2141 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2142 - DEBUGP("%s but no session\n", strMName[msg]);
2143 - break;
2144 - }
2145 - if (info->sstate != PPTP_CALL_IN_REP
2146 - && info->sstate != PPTP_CALL_IN_CONF) {
2147 - DEBUGP("%s but never sent IN_CALL_REPLY\n",
2148 - strMName[msg]);
2149 - break;
2150 - }
2151 -
2152 - pcid = &pptpReq.iccon->peersCallID;
2153 - cid = &info->pac_call_id;
2154 -
2155 - if (info->pns_call_id != ntohs(*pcid)) {
2156 - DEBUGP("%s for unknown CallID %u\n",
2157 - strMName[msg], ntohs(*cid));
2158 - break;
2159 - }
2160 -
2161 - DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid));
2162 - info->cstate = PPTP_CALL_IN_CONF;
2163 -
2164 - /* we expect a GRE connection from PAC to PNS */
2165 - seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph);
2166 - exp_gre(ct, seq, *cid, *pcid);
2167 -
2168 - break;
2169 -
2170 - case PPTP_CALL_DISCONNECT_NOTIFY:
2171 - /* server confirms disconnect */
2172 - cid = &pptpReq.disc->callID;
2173 - DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid));
2174 - info->cstate = PPTP_CALL_NONE;
2175 -
2176 - /* untrack this call id, unexpect GRE packets */
2177 - pptp_timeout_related(ct);
2178 - /* NEWNAT: look up exp for call id and unexpct_related */
2179 - break;
2180 -
2181 - case PPTP_WAN_ERROR_NOTIFY:
2182 - break;
2183 -
2184 - case PPTP_ECHO_REQUEST:
2185 - case PPTP_ECHO_REPLY:
2186 - /* I don't have to explain these ;) */
2187 - break;
2188 - default:
2189 - DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX)
2190 - ? strMName[msg]:strMName[0], msg);
2191 - break;
2192 - }
2193 -
2194 - return NF_ACCEPT;
2195 -
2196 -}
2197 -
2198 -static inline int
2199 -pptp_outbound_pkt(struct tcphdr *tcph,
2200 - struct pptp_pkt_hdr *pptph,
2201 - size_t datalen,
2202 - struct ip_conntrack *ct,
2203 - enum ip_conntrack_info ctinfo)
2204 -{
2205 - struct PptpControlHeader *ctlh;
2206 - union pptp_ctrl_union pptpReq;
2207 - struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
2208 - u_int16_t msg, *cid, *pcid;
2209 -
2210 - ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph));
2211 - pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh));
2212 -
2213 - msg = ntohs(ctlh->messageType);
2214 - DEBUGP("outbound control message %s\n", strMName[msg]);
2215 -
2216 - switch (msg) {
2217 - case PPTP_START_SESSION_REQUEST:
2218 - /* client requests for new control session */
2219 - if (info->sstate != PPTP_SESSION_NONE) {
2220 - DEBUGP("%s but we already have one",
2221 - strMName[msg]);
2222 - }
2223 - info->sstate = PPTP_SESSION_REQUESTED;
2224 - break;
2225 - case PPTP_STOP_SESSION_REQUEST:
2226 - /* client requests end of control session */
2227 - info->sstate = PPTP_SESSION_STOPREQ;
2228 - break;
2229 -
2230 - case PPTP_OUT_CALL_REQUEST:
2231 - /* client initiating connection to server */
2232 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2233 - DEBUGP("%s but no session\n",
2234 - strMName[msg]);
2235 - break;
2236 - }
2237 - info->cstate = PPTP_CALL_OUT_REQ;
2238 - /* track PNS call id */
2239 - cid = &pptpReq.ocreq->callID;
2240 - DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid));
2241 - info->pns_call_id = ntohs(*cid);
2242 - break;
2243 - case PPTP_IN_CALL_REPLY:
2244 - /* client answers incoming call */
2245 - if (info->cstate != PPTP_CALL_IN_REQ
2246 - && info->cstate != PPTP_CALL_IN_REP) {
2247 - DEBUGP("%s without incall_req\n",
2248 - strMName[msg]);
2249 - break;
2250 - }
2251 - if (pptpReq.icack->resultCode != PPTP_INCALL_ACCEPT) {
2252 - info->cstate = PPTP_CALL_NONE;
2253 - break;
2254 - }
2255 - pcid = &pptpReq.icack->peersCallID;
2256 - if (info->pac_call_id != ntohs(*pcid)) {
2257 - DEBUGP("%s for unknown call %u\n",
2258 - strMName[msg], ntohs(*pcid));
2259 - break;
2260 - }
2261 - DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*pcid));
2262 - /* part two of the three-way handshake */
2263 - info->cstate = PPTP_CALL_IN_REP;
2264 - info->pns_call_id = ntohs(pptpReq.icack->callID);
2265 - break;
2266 -
2267 - case PPTP_CALL_CLEAR_REQUEST:
2268 - /* client requests hangup of call */
2269 - if (info->sstate != PPTP_SESSION_CONFIRMED) {
2270 - DEBUGP("CLEAR_CALL but no session\n");
2271 - break;
2272 - }
2273 - /* FUTURE: iterate over all calls and check if
2274 - * call ID is valid. We don't do this without newnat,
2275 - * because we only know about last call */
2276 - info->cstate = PPTP_CALL_CLEAR_REQ;
2277 - break;
2278 - case PPTP_SET_LINK_INFO:
2279 - break;
2280 - case PPTP_ECHO_REQUEST:
2281 - case PPTP_ECHO_REPLY:
2282 - /* I don't have to explain these ;) */
2283 - break;
2284 - default:
2285 - DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX)?
2286 - strMName[msg]:strMName[0], msg);
2287 - /* unknown: no need to create GRE masq table entry */
2288 - break;
2289 - }
2290 -
2291 - return NF_ACCEPT;
2292 -}
2293 -
2294 -
2295 -/* track caller id inside control connection, call expect_related */
2296 -static int
2297 -conntrack_pptp_help(const struct iphdr *iph, size_t len,
2298 - struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
2299 -
2300 -{
2301 - struct pptp_pkt_hdr *pptph;
2302 -
2303 - struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
2304 - u_int32_t tcplen = len - iph->ihl * 4;
2305 - u_int32_t datalen = tcplen - tcph->doff * 4;
2306 - void *datalimit;
2307 - int dir = CTINFO2DIR(ctinfo);
2308 - struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
2309 -
2310 - int oldsstate, oldcstate;
2311 - int ret;
2312 -
2313 - /* don't do any tracking before tcp handshake complete */
2314 - if (ctinfo != IP_CT_ESTABLISHED
2315 - && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
2316 - DEBUGP("ctinfo = %u, skipping\n", ctinfo);
2317 - return NF_ACCEPT;
2318 - }
2319 -
2320 - /* not a complete TCP header? */
2321 - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) {
2322 - DEBUGP("tcplen = %u\n", tcplen);
2323 - return NF_ACCEPT;
2324 - }
2325 -
2326 - /* checksum invalid? */
2327 - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
2328 - csum_partial((char *) tcph, tcplen, 0))) {
2329 - printk(KERN_NOTICE __FILE__ ": bad csum\n");
2330 -// return NF_ACCEPT;
2331 - }
2332 -
2333 - if (tcph->fin || tcph->rst) {
2334 - DEBUGP("RST/FIN received, timeouting GRE\n");
2335 - /* can't do this after real newnat */
2336 - info->cstate = PPTP_CALL_NONE;
2337 -
2338 - /* untrack this call id, unexpect GRE packets */
2339 - pptp_timeout_related(ct);
2340 - /* no need to call unexpect_related since master conn
2341 - * dies anyway */
2342 - }
2343 -
2344 -
2345 - pptph = (struct pptp_pkt_hdr *) ((void *) tcph + tcph->doff * 4);
2346 - datalimit = (void *) pptph + datalen;
2347 -
2348 - /* not a full pptp packet header? */
2349 - if ((void *) pptph+sizeof(*pptph) >= datalimit) {
2350 - DEBUGP("no full PPTP header, can't track\n");
2351 - return NF_ACCEPT;
2352 - }
2353 -
2354 - /* if it's not a control message we can't do anything with it */
2355 - if (ntohs(pptph->packetType) != PPTP_PACKET_CONTROL ||
2356 - ntohl(pptph->magicCookie) != PPTP_MAGIC_COOKIE) {
2357 - DEBUGP("not a control packet\n");
2358 - return NF_ACCEPT;
2359 - }
2360 -
2361 - oldsstate = info->sstate;
2362 - oldcstate = info->cstate;
2363 -
2364 - LOCK_BH(&ip_pptp_lock);
2365 -
2366 - if (dir == IP_CT_DIR_ORIGINAL)
2367 - /* client -> server (PNS -> PAC) */
2368 - ret = pptp_outbound_pkt(tcph, pptph, datalen, ct, ctinfo);
2369 - else
2370 - /* server -> client (PAC -> PNS) */
2371 - ret = pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo);
2372 - DEBUGP("sstate: %d->%d, cstate: %d->%d\n",
2373 - oldsstate, info->sstate, oldcstate, info->cstate);
2374 - UNLOCK_BH(&ip_pptp_lock);
2375 -
2376 - return ret;
2377 -}
2378 -
2379 -/* control protocol helper */
2380 -static struct ip_conntrack_helper pptp = {
2381 - { NULL, NULL },
2382 - "pptp", IP_CT_HELPER_F_REUSE_EXPECT, THIS_MODULE, 2, 0,
2383 - { { 0, { tcp: { port: __constant_htons(PPTP_CONTROL_PORT) } } },
2384 - { 0, { 0 }, IPPROTO_TCP } },
2385 - { { 0, { tcp: { port: 0xffff } } },
2386 - { 0, { 0 }, 0xffff } },
2387 - conntrack_pptp_help };
2388 -
2389 -/* ip_conntrack_pptp initialization */
2390 -static int __init init(void)
2391 -{
2392 - int retcode;
2393 -
2394 - DEBUGP(__FILE__ ": registering helper\n");
2395 - if ((retcode = ip_conntrack_helper_register(&pptp))) {
2396 - printk(KERN_ERR "Unable to register conntrack application "
2397 - "helper for pptp: %d\n", retcode);
2398 - return -EIO;
2399 - }
2400 -
2401 - return 0;
2402 -}
2403 -
2404 -static void __exit fini(void)
2405 -{
2406 - ip_conntrack_helper_unregister(&pptp);
2407 -}
2408 -
2409 -module_init(init);
2410 -module_exit(fini);
2411 -
2412 -EXPORT_SYMBOL(ip_pptp_lock);
2413 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_pptp_priv.h src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_pptp_priv.h
2414 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 2003-07-04 04:12:31.000000000 -0400
2415 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 1969-12-31 19:00:00.000000000 -0500
2416 @@ -1,24 +0,0 @@
2417 -#ifndef _IP_CT_PPTP_PRIV_H
2418 -#define _IP_CT_PPTP_PRIV_H
2419 -
2420 -/* PptpControlMessageType names */
2421 -static const char *strMName[] = {
2422 - "UNKNOWN_MESSAGE",
2423 - "START_SESSION_REQUEST",
2424 - "START_SESSION_REPLY",
2425 - "STOP_SESSION_REQUEST",
2426 - "STOP_SESSION_REPLY",
2427 - "ECHO_REQUEST",
2428 - "ECHO_REPLY",
2429 - "OUT_CALL_REQUEST",
2430 - "OUT_CALL_REPLY",
2431 - "IN_CALL_REQUEST",
2432 - "IN_CALL_REPLY",
2433 - "IN_CALL_CONNECT",
2434 - "CALL_CLEAR_REQUEST",
2435 - "CALL_DISCONNECT_NOTIFY",
2436 - "WAN_ERROR_NOTIFY",
2437 - "SET_LINK_INFO"
2438 -};
2439 -
2440 -#endif
2441 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_gre.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_gre.c
2442 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_gre.c 2003-07-04 04:12:31.000000000 -0400
2443 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_gre.c 1969-12-31 19:00:00.000000000 -0500
2444 @@ -1,320 +0,0 @@
2445 -/*
2446 - * ip_conntrack_proto_gre.c - Version 1.11
2447 - *
2448 - * Connection tracking protocol helper module for GRE.
2449 - *
2450 - * GRE is a generic encapsulation protocol, which is generally not very
2451 - * suited for NAT, as it has no protocol-specific part as port numbers.
2452 - *
2453 - * It has an optional key field, which may help us distinguishing two
2454 - * connections between the same two hosts.
2455 - *
2456 - * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784
2457 - *
2458 - * PPTP is built on top of a modified version of GRE, and has a mandatory
2459 - * field called "CallID", which serves us for the same purpose as the key
2460 - * field in plain GRE.
2461 - *
2462 - * Documentation about PPTP can be found in RFC 2637
2463 - *
2464 - * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
2465 - *
2466 - * Development of this code funded by Astaro AG (http://www.astaro.com/)
2467 - *
2468 - */
2469 -
2470 -#include <linux/config.h>
2471 -#include <linux/module.h>
2472 -#include <linux/types.h>
2473 -#include <linux/timer.h>
2474 -#include <linux/netfilter.h>
2475 -#include <linux/ip.h>
2476 -#include <linux/in.h>
2477 -#include <linux/list.h>
2478 -
2479 -#include <linux/netfilter_ipv4/lockhelp.h>
2480 -
2481 -DECLARE_RWLOCK(ip_ct_gre_lock);
2482 -#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_ct_gre_lock)
2483 -#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_ct_gre_lock)
2484 -
2485 -#include <linux/netfilter_ipv4/listhelp.h>
2486 -#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
2487 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
2488 -#include <linux/netfilter_ipv4/ip_conntrack_core.h>
2489 -
2490 -#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
2491 -#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
2492 -
2493 -MODULE_LICENSE("GPL");
2494 -MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
2495 -MODULE_DESCRIPTION("netfilter connection tracking protocol helper for GRE");
2496 -
2497 -/* shamelessly stolen from ip_conntrack_proto_udp.c */
2498 -#define GRE_TIMEOUT (30*HZ)
2499 -#define GRE_STREAM_TIMEOUT (180*HZ)
2500 -
2501 -#define DEBUGP(x, args...)
2502 -#define DUMP_TUPLE_GRE(x)
2503 -
2504 -/* GRE KEYMAP HANDLING FUNCTIONS */
2505 -static LIST_HEAD(gre_keymap_list);
2506 -
2507 -static inline int gre_key_cmpfn(const struct ip_ct_gre_keymap *km,
2508 - const struct ip_conntrack_tuple *t)
2509 -{
2510 - return ((km->tuple.src.ip == t->src.ip) &&
2511 - (km->tuple.dst.ip == t->dst.ip) &&
2512 - (km->tuple.dst.protonum == t->dst.protonum) &&
2513 - (km->tuple.dst.u.all == t->dst.u.all));
2514 -}
2515 -
2516 -/* look up the source key for a given tuple */
2517 -static u_int32_t gre_keymap_lookup(struct ip_conntrack_tuple *t)
2518 -{
2519 - struct ip_ct_gre_keymap *km;
2520 - u_int32_t key;
2521 -
2522 - READ_LOCK(&ip_ct_gre_lock);
2523 - km = LIST_FIND(&gre_keymap_list, gre_key_cmpfn,
2524 - struct ip_ct_gre_keymap *, t);
2525 - if (!km) {
2526 - READ_UNLOCK(&ip_ct_gre_lock);
2527 - return 0;
2528 - }
2529 -
2530 - key = km->tuple.src.u.gre.key;
2531 - READ_UNLOCK(&ip_ct_gre_lock);
2532 -
2533 - return key;
2534 -}
2535 -
2536 -/* add a single keymap entry, associate with specified expect */
2537 -int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
2538 - struct ip_conntrack_tuple *t, int reply)
2539 -{
2540 - struct ip_ct_gre_keymap *km;
2541 -
2542 - km = kmalloc(sizeof(*km), GFP_ATOMIC);
2543 - if (!km)
2544 - return -1;
2545 -
2546 - /* initializing list head should be sufficient */
2547 - memset(km, 0, sizeof(*km));
2548 -
2549 - memcpy(&km->tuple, t, sizeof(*t));
2550 - km->master = exp;
2551 -
2552 - if (!reply)
2553 - exp->proto.gre.keymap_orig = km;
2554 - else
2555 - exp->proto.gre.keymap_reply = km;
2556 -
2557 - DEBUGP("adding new entry %p: ", km);
2558 - DUMP_TUPLE_GRE(&km->tuple);
2559 -
2560 - WRITE_LOCK(&ip_ct_gre_lock);
2561 - list_append(&gre_keymap_list, km);
2562 - WRITE_UNLOCK(&ip_ct_gre_lock);
2563 -
2564 - return 0;
2565 -}
2566 -
2567 -/* change the tuple of a keymap entry (used by nat helper) */
2568 -void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km,
2569 - struct ip_conntrack_tuple *t)
2570 -{
2571 - DEBUGP("changing entry %p to: ", km);
2572 - DUMP_TUPLE_GRE(t);
2573 -
2574 - WRITE_LOCK(&ip_ct_gre_lock);
2575 - memcpy(&km->tuple, t, sizeof(km->tuple));
2576 - WRITE_UNLOCK(&ip_ct_gre_lock);
2577 -}
2578 -
2579 -
2580 -/* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */
2581 -
2582 -/* invert gre part of tuple */
2583 -static int gre_invert_tuple(struct ip_conntrack_tuple *tuple,
2584 - const struct ip_conntrack_tuple *orig)
2585 -{
2586 - tuple->dst.u.gre.protocol = orig->dst.u.gre.protocol;
2587 - tuple->dst.u.gre.version = orig->dst.u.gre.version;
2588 -
2589 - tuple->dst.u.gre.key = orig->src.u.gre.key;
2590 - tuple->src.u.gre.key = orig->dst.u.gre.key;
2591 -
2592 - return 1;
2593 -}
2594 -
2595 -/* gre hdr info to tuple */
2596 -static int gre_pkt_to_tuple(const void *datah, size_t datalen,
2597 - struct ip_conntrack_tuple *tuple)
2598 -{
2599 - struct gre_hdr *grehdr = (struct gre_hdr *) datah;
2600 - struct gre_hdr_pptp *pgrehdr = (struct gre_hdr_pptp *) datah;
2601 - u_int32_t srckey;
2602 -
2603 - /* core guarantees 8 protocol bytes, no need for size check */
2604 -
2605 - tuple->dst.u.gre.version = grehdr->version;
2606 - tuple->dst.u.gre.protocol = grehdr->protocol;
2607 -
2608 - switch (grehdr->version) {
2609 - case GRE_VERSION_1701:
2610 - if (!grehdr->key) {
2611 - DEBUGP("Can't track GRE without key\n");
2612 - return 0;
2613 - }
2614 - tuple->dst.u.gre.key = *(gre_key(grehdr));
2615 - break;
2616 -
2617 - case GRE_VERSION_PPTP:
2618 - if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) {
2619 - DEBUGP("GRE_VERSION_PPTP but unknown proto\n");
2620 - return 0;
2621 - }
2622 - tuple->dst.u.gre.key = htonl(ntohs(pgrehdr->call_id));
2623 - break;
2624 -
2625 - default:
2626 - printk(KERN_WARNING "unknown GRE version %hu\n",
2627 - tuple->dst.u.gre.version);
2628 - return 0;
2629 - }
2630 -
2631 - srckey = gre_keymap_lookup(tuple);
2632 -
2633 - tuple->src.u.gre.key = srckey;
2634 -
2635 - return 1;
2636 -}
2637 -
2638 -/* print gre part of tuple */
2639 -static unsigned int gre_print_tuple(char *buffer,
2640 - const struct ip_conntrack_tuple *tuple)
2641 -{
2642 - return sprintf(buffer, "version=%d protocol=0x%04x srckey=0x%x dstkey=0x%x ",
2643 - tuple->dst.u.gre.version,
2644 - ntohs(tuple->dst.u.gre.protocol),
2645 - ntohl(tuple->src.u.gre.key),
2646 - ntohl(tuple->dst.u.gre.key));
2647 -}
2648 -
2649 -/* print private data for conntrack */
2650 -static unsigned int gre_print_conntrack(char *buffer,
2651 - const struct ip_conntrack *ct)
2652 -{
2653 - return sprintf(buffer, "timeout=%u, stream_timeout=%u ",
2654 - (ct->proto.gre.timeout / HZ),
2655 - (ct->proto.gre.stream_timeout / HZ));
2656 -}
2657 -
2658 -/* Returns verdict for packet, and may modify conntrack */
2659 -static int gre_packet(struct ip_conntrack *ct,
2660 - struct iphdr *iph, size_t len,
2661 - enum ip_conntrack_info conntrackinfo)
2662 -{
2663 - /* If we've seen traffic both ways, this is a GRE connection.
2664 - * Extend timeout. */
2665 - if (ct->status & IPS_SEEN_REPLY) {
2666 - ip_ct_refresh(ct, ct->proto.gre.stream_timeout);
2667 - /* Also, more likely to be important, and not a probe. */
2668 - set_bit(IPS_ASSURED_BIT, &ct->status);
2669 - } else
2670 - ip_ct_refresh(ct, ct->proto.gre.timeout);
2671 -
2672 - return NF_ACCEPT;
2673 -}
2674 -
2675 -/* Called when a new connection for this protocol found. */
2676 -static int gre_new(struct ip_conntrack *ct,
2677 - struct iphdr *iph, size_t len)
2678 -{
2679 - DEBUGP(": ");
2680 - DUMP_TUPLE_GRE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
2681 -
2682 - /* initialize to sane value. Ideally a conntrack helper
2683 - * (e.g. in case of pptp) is increasing them */
2684 - ct->proto.gre.stream_timeout = GRE_STREAM_TIMEOUT;
2685 - ct->proto.gre.timeout = GRE_TIMEOUT;
2686 -
2687 - return 1;
2688 -}
2689 -
2690 -/* Called when a conntrack entry has already been removed from the hashes
2691 - * and is about to be deleted from memory */
2692 -static void gre_destroy(struct ip_conntrack *ct)
2693 -{
2694 - struct ip_conntrack_expect *master = ct->master;
2695 -
2696 - DEBUGP(" entering\n");
2697 -
2698 - if (!master) {
2699 - DEBUGP("no master exp for ct %p\n", ct);
2700 - return;
2701 - }
2702 -
2703 - WRITE_LOCK(&ip_ct_gre_lock);
2704 - if (master->proto.gre.keymap_orig) {
2705 - DEBUGP("removing %p from list\n", master->proto.gre.keymap_orig);
2706 - list_del(&master->proto.gre.keymap_orig->list);
2707 - kfree(master->proto.gre.keymap_orig);
2708 - }
2709 - if (master->proto.gre.keymap_reply) {
2710 - DEBUGP("removing %p from list\n", master->proto.gre.keymap_reply);
2711 - list_del(&master->proto.gre.keymap_reply->list);
2712 - kfree(master->proto.gre.keymap_reply);
2713 - }
2714 - WRITE_UNLOCK(&ip_ct_gre_lock);
2715 -}
2716 -
2717 -/* protocol helper struct */
2718 -static struct ip_conntrack_protocol gre = { { NULL, NULL }, IPPROTO_GRE,
2719 - "gre",
2720 - gre_pkt_to_tuple,
2721 - gre_invert_tuple,
2722 - gre_print_tuple,
2723 - gre_print_conntrack,
2724 - gre_packet,
2725 - gre_new,
2726 - gre_destroy,
2727 - NULL,
2728 - THIS_MODULE };
2729 -
2730 -/* ip_conntrack_proto_gre initialization */
2731 -static int __init init(void)
2732 -{
2733 - int retcode;
2734 -
2735 - if ((retcode = ip_conntrack_protocol_register(&gre))) {
2736 - printk(KERN_ERR "Unable to register conntrack protocol "
2737 - "helper for gre: %d\n", retcode);
2738 - return -EIO;
2739 - }
2740 -
2741 - return 0;
2742 -}
2743 -
2744 -static void __exit fini(void)
2745 -{
2746 - struct list_head *pos, *n;
2747 -
2748 - /* delete all keymap entries */
2749 - WRITE_LOCK(&ip_ct_gre_lock);
2750 - list_for_each_safe(pos, n, &gre_keymap_list) {
2751 - DEBUGP("deleting keymap %p\n", pos);
2752 - list_del(pos);
2753 - kfree(pos);
2754 - }
2755 - WRITE_UNLOCK(&ip_ct_gre_lock);
2756 -
2757 - ip_conntrack_protocol_unregister(&gre);
2758 -}
2759 -
2760 -EXPORT_SYMBOL(ip_ct_gre_keymap_add);
2761 -EXPORT_SYMBOL(ip_ct_gre_keymap_change);
2762 -
2763 -module_init(init);
2764 -module_exit(fini);
2765 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
2766 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2003-08-12 07:33:45.000000000 -0400
2767 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2004-05-09 04:13:03.000000000 -0400
2768 @@ -15,11 +15,17 @@
2769 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
2770 #include <linux/netfilter_ipv4/lockhelp.h>
2771
2772 +#if 0
2773 +#define DEBUGP printk
2774 +#else
2775 #define DEBUGP(format, args...)
2776 +#endif
2777
2778 /* Protects conntrack->proto.tcp */
2779 static DECLARE_RWLOCK(tcp_lock);
2780
2781 +/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
2782 + closely. They're more complex. --RR */
2783
2784 /* Actually, I believe that neither ipmasq (where this code is stolen
2785 from) nor ipfilter do it exactly right. A new conntrack machine taking
2786 @@ -39,6 +45,25 @@
2787 "LISTEN"
2788 };
2789
2790 +#define SECS *HZ
2791 +#define MINS * 60 SECS
2792 +#define HOURS * 60 MINS
2793 +#define DAYS * 24 HOURS
2794 +
2795 +
2796 +static unsigned long tcp_timeouts[]
2797 += { 30 MINS, /* TCP_CONNTRACK_NONE, */
2798 + 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */
2799 + 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */
2800 + 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */
2801 + 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */
2802 + 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */
2803 + 10 SECS, /* TCP_CONNTRACK_CLOSE, */
2804 + 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */
2805 + 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */
2806 + 2 MINS, /* TCP_CONNTRACK_LISTEN, */
2807 +};
2808 +
2809 #define sNO TCP_CONNTRACK_NONE
2810 #define sES TCP_CONNTRACK_ESTABLISHED
2811 #define sSS TCP_CONNTRACK_SYN_SENT
2812 @@ -161,13 +186,13 @@
2813 && tcph->syn && tcph->ack)
2814 conntrack->proto.tcp.handshake_ack
2815 = htonl(ntohl(tcph->seq) + 1);
2816 + WRITE_UNLOCK(&tcp_lock);
2817
2818 /* If only reply is a RST, we can consider ourselves not to
2819 have an established connection: this is a fairly common
2820 problem case, so we can delete the conntrack
2821 immediately. --RR */
2822 if (!(conntrack->status & IPS_SEEN_REPLY) && tcph->rst) {
2823 - WRITE_UNLOCK(&tcp_lock);
2824 if (del_timer(&conntrack->timeout))
2825 conntrack->timeout.function((unsigned long)conntrack);
2826 } else {
2827 @@ -178,9 +203,7 @@
2828 && tcph->ack_seq == conntrack->proto.tcp.handshake_ack)
2829 set_bit(IPS_ASSURED_BIT, &conntrack->status);
2830
2831 - WRITE_UNLOCK(&tcp_lock);
2832 - ip_ct_refresh(conntrack,
2833 - sysctl_ip_conntrack_tcp_timeouts[newconntrack]);
2834 + ip_ct_refresh(conntrack, tcp_timeouts[newconntrack]);
2835 }
2836
2837 return NF_ACCEPT;
2838 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_udp.c
2839 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2003-08-12 07:33:45.000000000 -0400
2840 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2004-05-09 04:13:03.000000000 -0400
2841 @@ -5,7 +5,9 @@
2842 #include <linux/in.h>
2843 #include <linux/udp.h>
2844 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
2845 -#include <linux/netfilter_ipv4/ip_conntrack_udp.h>
2846 +
2847 +#define UDP_TIMEOUT (30*HZ)
2848 +#define UDP_STREAM_TIMEOUT (180*HZ)
2849
2850 static int udp_pkt_to_tuple(const void *datah, size_t datalen,
2851 struct ip_conntrack_tuple *tuple)
2852 @@ -50,13 +52,11 @@
2853 /* If we've seen traffic both ways, this is some kind of UDP
2854 stream. Extend timeout. */
2855 if (conntrack->status & IPS_SEEN_REPLY) {
2856 - ip_ct_refresh(conntrack,
2857 - sysctl_ip_conntrack_udp_timeouts[UDP_STREAM_TIMEOUT]);
2858 + ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT);
2859 /* Also, more likely to be important, and not a probe */
2860 set_bit(IPS_ASSURED_BIT, &conntrack->status);
2861 } else
2862 - ip_ct_refresh(conntrack,
2863 - sysctl_ip_conntrack_udp_timeouts[UDP_TIMEOUT]);
2864 + ip_ct_refresh(conntrack, UDP_TIMEOUT);
2865
2866 return NF_ACCEPT;
2867 }
2868 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_standalone.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_standalone.c
2869 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-08-12 07:33:45.000000000 -0400
2870 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-05-09 04:13:03.000000000 -0400
2871 @@ -27,7 +27,11 @@
2872 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
2873 #include <linux/netfilter_ipv4/listhelp.h>
2874
2875 +#if 0
2876 +#define DEBUGP printk
2877 +#else
2878 #define DEBUGP(format, args...)
2879 +#endif
2880
2881 struct module *ip_conntrack_module = THIS_MODULE;
2882 MODULE_LICENSE("GPL");
2883 @@ -52,17 +56,12 @@
2884 return len;
2885 }
2886
2887 +/* FIXME: Don't print source proto part. --RR */
2888 static unsigned int
2889 print_expect(char *buffer, const struct ip_conntrack_expect *expect)
2890 {
2891 unsigned int len;
2892
2893 - if (!expect || !expect->expectant || !expect->expectant->helper) {
2894 - DEBUGP("expect %x expect->expectant %x expect->expectant->helper %x\n",
2895 - expect, expect->expectant, expect->expectant->helper);
2896 - return 0;
2897 - }
2898 -
2899 if (expect->expectant->helper->timeout)
2900 len = sprintf(buffer, "EXPECTING: %lu ",
2901 timer_pending(&expect->timeout)
2902 @@ -294,6 +293,8 @@
2903 return ret;
2904 }
2905
2906 +/* FIXME: Allow NULL functions and sub in pointers to generic for
2907 + them. --RR */
2908 int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
2909 {
2910 int ret = 0;
2911 @@ -362,8 +363,6 @@
2912 EXPORT_SYMBOL(ip_ct_find_proto);
2913 EXPORT_SYMBOL(__ip_ct_find_proto);
2914 EXPORT_SYMBOL(ip_ct_find_helper);
2915 -EXPORT_SYMBOL(sysctl_ip_conntrack_tcp_timeouts);
2916 -EXPORT_SYMBOL(sysctl_ip_conntrack_udp_timeouts);
2917 EXPORT_SYMBOL(ip_conntrack_expect_related);
2918 EXPORT_SYMBOL(ip_conntrack_change_expect);
2919 EXPORT_SYMBOL(ip_conntrack_unexpect_related);
2920 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_conntrack_tftp.c src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_tftp.c
2921 --- src/linux/linux/net/ipv4/netfilter/ip_conntrack_tftp.c 2003-07-04 04:12:31.000000000 -0400
2922 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_conntrack_tftp.c 1969-12-31 19:00:00.000000000 -0500
2923 @@ -1,126 +0,0 @@
2924 -/*
2925 - * Licensed under GNU GPL version 2 Copyright Magnus Boden <mb@ozaba.mine.nu>
2926 - * Version: 0.0.7
2927 - *
2928 - * Thu 21 Mar 2002 Harald Welte <laforge@gnumonks.org>
2929 - * - port to newnat API
2930 - *
2931 - */
2932 -
2933 -#include <linux/module.h>
2934 -#include <linux/ip.h>
2935 -#include <linux/udp.h>
2936 -
2937 -#include <linux/netfilter.h>
2938 -#include <linux/netfilter_ipv4/ip_tables.h>
2939 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
2940 -#include <linux/netfilter_ipv4/ip_conntrack_tftp.h>
2941 -
2942 -MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>");
2943 -MODULE_DESCRIPTION("Netfilter connection tracking module for tftp");
2944 -MODULE_LICENSE("GPL");
2945 -
2946 -#define MAX_PORTS 8
2947 -static int ports[MAX_PORTS];
2948 -static int ports_c = 0;
2949 -#ifdef MODULE_PARM
2950 -MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
2951 -MODULE_PARM_DESC(ports, "port numbers of tftp servers");
2952 -#endif
2953 -
2954 -#define DEBUGP(format, args...)
2955 -
2956 -static int tftp_help(const struct iphdr *iph, size_t len,
2957 - struct ip_conntrack *ct,
2958 - enum ip_conntrack_info ctinfo)
2959 -{
2960 - struct udphdr *udph = (void *)iph + iph->ihl * 4;
2961 - struct tftphdr *tftph = (void *)udph + 8;
2962 - struct ip_conntrack_expect exp;
2963 -
2964 - switch (ntohs(tftph->opcode)) {
2965 - /* RRQ and WRQ works the same way */
2966 - case TFTP_OPCODE_READ:
2967 - case TFTP_OPCODE_WRITE:
2968 - DEBUGP("");
2969 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
2970 - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
2971 - memset(&exp, 0, sizeof(exp));
2972 -
2973 - exp.tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
2974 - exp.mask.src.ip = 0xffffffff;
2975 - exp.mask.dst.ip = 0xffffffff;
2976 - exp.mask.dst.u.udp.port = 0xffff;
2977 - exp.mask.dst.protonum = 0xffff;
2978 - exp.expectfn = NULL;
2979 -
2980 - DEBUGP("expect: ");
2981 - DUMP_TUPLE(&exp.tuple);
2982 - DUMP_TUPLE(&exp.mask);
2983 - ip_conntrack_expect_related(ct, &exp);
2984 - break;
2985 - default:
2986 - DEBUGP("Unknown opcode\n");
2987 - }
2988 - return NF_ACCEPT;
2989 -}
2990 -
2991 -static struct ip_conntrack_helper tftp[MAX_PORTS];
2992 -static char tftp_names[MAX_PORTS][10];
2993 -
2994 -static void fini(void)
2995 -{
2996 - int i;
2997 -
2998 - for (i = 0 ; i < ports_c; i++) {
2999 - DEBUGP("unregistering helper for port %d\n",
3000 - ports[i]);
3001 - ip_conntrack_helper_unregister(&tftp[i]);
3002 - }
3003 -}
3004 -
3005 -static int __init init(void)
3006 -{
3007 - int i, ret;
3008 - char *tmpname;
3009 -
3010 - if (!ports[0])
3011 - ports[0]=TFTP_PORT;
3012 -
3013 - for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) {
3014 - /* Create helper structure */
3015 - memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper));
3016 -
3017 - tftp[i].tuple.dst.protonum = IPPROTO_UDP;
3018 - tftp[i].tuple.src.u.udp.port = htons(ports[i]);
3019 - tftp[i].mask.dst.protonum = 0xFFFF;
3020 - tftp[i].mask.src.u.udp.port = 0xFFFF;
3021 - tftp[i].max_expected = 1;
3022 - tftp[i].timeout = 0;
3023 - tftp[i].flags = IP_CT_HELPER_F_REUSE_EXPECT;
3024 - tftp[i].me = THIS_MODULE;
3025 - tftp[i].help = tftp_help;
3026 -
3027 - tmpname = &tftp_names[i][0];
3028 - if (ports[i] == TFTP_PORT)
3029 - sprintf(tmpname, "tftp");
3030 - else
3031 - sprintf(tmpname, "tftp-%d", i);
3032 - tftp[i].name = tmpname;
3033 -
3034 - DEBUGP("port #%d: %d\n", i, ports[i]);
3035 -
3036 - ret=ip_conntrack_helper_register(&tftp[i]);
3037 - if (ret) {
3038 - printk("ERROR registering helper for port %d\n",
3039 - ports[i]);
3040 - fini();
3041 - return(ret);
3042 - }
3043 - ports_c++;
3044 - }
3045 - return(0);
3046 -}
3047 -
3048 -module_init(init);
3049 -module_exit(fini);
3050 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_core.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_core.c
3051 --- src/linux/linux/net/ipv4/netfilter/ip_nat_core.c 2003-07-04 04:12:31.000000000 -0400
3052 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_core.c 2004-05-09 04:13:03.000000000 -0400
3053 @@ -31,7 +31,11 @@
3054 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
3055 #include <linux/netfilter_ipv4/listhelp.h>
3056
3057 +#if 0
3058 +#define DEBUGP printk
3059 +#else
3060 #define DEBUGP(format, args...)
3061 +#endif
3062
3063 DECLARE_RWLOCK(ip_nat_lock);
3064 DECLARE_RWLOCK_EXTERN(ip_conntrack_lock);
3065 @@ -207,6 +211,7 @@
3066 {
3067 struct rtable *rt;
3068
3069 + /* FIXME: IPTOS_TOS(iph->tos) --RR */
3070 if (ip_route_output(&rt, var_ip, 0, 0, 0) != 0) {
3071 DEBUGP("do_extra_mangle: Can't get route to %u.%u.%u.%u\n",
3072 NIPQUAD(var_ip));
3073 @@ -429,7 +434,7 @@
3074 *tuple = *orig_tuple;
3075 while ((rptr = find_best_ips_proto_fast(tuple, mr, conntrack, hooknum))
3076 != NULL) {
3077 - DEBUGP("Found best for "); DUMP_TUPLE_RAW(tuple);
3078 + DEBUGP("Found best for "); DUMP_TUPLE(tuple);
3079 /* 3) The per-protocol part of the manip is made to
3080 map into the range to make a unique tuple. */
3081
3082 @@ -529,6 +534,31 @@
3083 invert_tuplepr(&orig_tp,
3084 &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple);
3085
3086 +#if 0
3087 + {
3088 + unsigned int i;
3089 +
3090 + DEBUGP("Hook %u (%s), ", hooknum,
3091 + HOOK2MANIP(hooknum)==IP_NAT_MANIP_SRC ? "SRC" : "DST");
3092 + DUMP_TUPLE(&orig_tp);
3093 + DEBUGP("Range %p: ", mr);
3094 + for (i = 0; i < mr->rangesize; i++) {
3095 + DEBUGP("%u:%s%s%s %u.%u.%u.%u - %u.%u.%u.%u %u - %u\n",
3096 + i,
3097 + (mr->range[i].flags & IP_NAT_RANGE_MAP_IPS)
3098 + ? " MAP_IPS" : "",
3099 + (mr->range[i].flags
3100 + & IP_NAT_RANGE_PROTO_SPECIFIED)
3101 + ? " PROTO_SPECIFIED" : "",
3102 + (mr->range[i].flags & IP_NAT_RANGE_FULL)
3103 + ? " FULL" : "",
3104 + NIPQUAD(mr->range[i].min_ip),
3105 + NIPQUAD(mr->range[i].max_ip),
3106 + mr->range[i].min.all,
3107 + mr->range[i].max.all);
3108 + }
3109 + }
3110 +#endif
3111
3112 do {
3113 if (!get_unique_tuple(&new_tuple, &orig_tp, mr, conntrack,
3114 @@ -538,6 +568,15 @@
3115 return NF_DROP;
3116 }
3117
3118 +#if 0
3119 + DEBUGP("Hook %u (%s) %p\n", hooknum,
3120 + HOOK2MANIP(hooknum)==IP_NAT_MANIP_SRC ? "SRC" : "DST",
3121 + conntrack);
3122 + DEBUGP("Original: ");
3123 + DUMP_TUPLE(&orig_tp);
3124 + DEBUGP("New: ");
3125 + DUMP_TUPLE(&new_tuple);
3126 +#endif
3127
3128 /* We now have two tuples (SRCIP/SRCPT/DSTIP/DSTPT):
3129 the original (A/B/C/D') and the mangled one (E/F/G/H').
3130 @@ -554,6 +593,8 @@
3131 If fail this race (reply tuple now used), repeat. */
3132 } while (!ip_conntrack_alter_reply(conntrack, &reply));
3133
3134 + /* FIXME: We can simply used existing conntrack reply tuple
3135 + here --RR */
3136 /* Create inverse of original: C/D/A/B' */
3137 invert_tuplepr(&inv_tuple, &orig_tp);
3138
3139 @@ -678,6 +719,17 @@
3140 iph->check);
3141 iph->daddr = manip->ip;
3142 }
3143 +#if 0
3144 + if (ip_fast_csum((u8 *)iph, iph->ihl) != 0)
3145 + DEBUGP("IP: checksum on packet bad.\n");
3146 +
3147 + if (proto == IPPROTO_TCP) {
3148 + void *th = (u_int32_t *)iph + iph->ihl;
3149 + if (tcp_v4_check(th, len - 4*iph->ihl, iph->saddr, iph->daddr,
3150 + csum_partial((char *)th, len-4*iph->ihl, 0)))
3151 + DEBUGP("TCP: checksum on packet bad\n");
3152 + }
3153 +#endif
3154 }
3155
3156 static inline int exp_for_packet(struct ip_conntrack_expect *exp,
3157 @@ -765,6 +817,7 @@
3158 continue;
3159
3160 if (exp_for_packet(exp, pskb)) {
3161 + /* FIXME: May be true multiple times in the case of UDP!! */
3162 DEBUGP("calling nat helper (exp=%p) for packet\n",
3163 exp);
3164 ret = helper->help(ct, exp, info, ctinfo,
3165 @@ -926,6 +979,7 @@
3166 INIT_LIST_HEAD(&byipsproto[i]);
3167 }
3168
3169 + /* FIXME: Man, this is a hack. <SIGH> */
3170 IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
3171 ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
3172
3173 diff -Nurb src/linux/linux/net/ipv4/netfilter/ip_nat_h323.c src/linux/linux.stock/net/ipv4/netfilter/ip_nat_h323.c
3174 --- src/linux/linux/net/ipv4/netfilter/ip_nat_h323.c 2003-07-04 04:12:31.000000000 -0400
3175 +++ src/linux/linux.stock/net/ipv4/netfilter/ip_nat_h323.c 1969-12-31 19:00:00.000000000 -0500
3176 @@ -1,403 +0,0 @@
3177 -/*
3178 - * H.323 'brute force' extension for NAT alteration.
3179 - * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
3180 - *
3181 - * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project.
3182 - * (http://www.coritel.it/projects/sofia/nat.html)
3183 - * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind'
3184 - * the unregistered helpers to the conntrack entries.
3185 - */
3186 -
3187 -
3188 -#include <linux/module.h>
3189 -#include <linux/netfilter.h>
3190 -#include <linux/ip.h>
3191 -#include <net/checksum.h>
3192 -#include <net/tcp.h>
3193 -
3194 -#include <linux/netfilter_ipv4/lockhelp.h>
3195 -#include <linux/netfilter_ipv4/ip_nat.h>
3196 -#include <linux/netfilter_ipv4/ip_nat_helper.h>
3197 -#include <linux/netfilter_ipv4/ip_nat_rule.h>
3198 -#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
3199 -#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
3200 -#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
3201 -
3202 -MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
3203 -MODULE_DESCRIPTION("H.323 'brute force' connection tracking module");
3204 -MODULE_LICENSE("GPL");
3205 -
3206 -DECLARE_LOCK_EXTERN(ip_h323_lock);
3207 -struct module *ip_nat_h323 = THIS_MODULE;
3208 -
3209 -#define DEBUGP(format, args...)
3210 -
3211 -
3212 -static unsigned int
3213 -h225_nat_expected(struct sk_buff **pskb,
3214 - unsigned int hooknum,
3215 - struct ip_conntrack *ct,
3216 - struct ip_nat_info *info);
3217 -
3218 -static unsigned int h225_nat_help(struct ip_conntrack *ct,
3219 - struct ip_conntrack_expect *exp,
3220 - struct ip_nat_info *info,
3221 - enum ip_conntrack_info ctinfo,
3222 - unsigned int hooknum,
3223 - struct sk_buff **pskb);
3224 -
3225 -static struct ip_nat_helper h245 =
3226 - { { NULL, NULL },
3227 - "H.245", /* name */
3228 - 0, /* flags */
3229 - NULL, /* module */
3230 - { { 0, { 0 } }, /* tuple */
3231 - { 0, { 0 }, IPPROTO_TCP } },
3232 - { { 0, { 0xFFFF } }, /* mask */
3233 - { 0, { 0 }, 0xFFFF } },
3234 - h225_nat_help, /* helper */
3235 - h225_nat_expected /* expectfn */
3236 - };
3237 -
3238 -static unsigned int
3239 -h225_nat_expected(struct sk_buff **pskb,
3240 - unsigned int hooknum,
3241 - struct ip_conntrack *ct,
3242 - struct ip_nat_info *info)
3243 -{
3244 - struct ip_nat_multi_range mr;<