[kernel] generic-2.4: fix ipt_random patch after removal of ipt_time
[openwrt/svn-archive/archive.git] / target / linux / generic-2.4 / patches / 621-netfilter_random.patch
1 Index: linux-2.4.35.4/Documentation/Configure.help
2 ===================================================================
3 --- linux-2.4.35.4.orig/Documentation/Configure.help
4 +++ linux-2.4.35.4/Documentation/Configure.help
5 @@ -2914,6 +2914,15 @@ CONFIG_IP_NF_MATCH_MAC
6 If you want to compile it as a module, say M here and read
7 <file:Documentation/modules.txt>. If unsure, say `N'.
8
9 +Random match support
10 +CONFIG_IP_NF_MATCH_RANDOM
11 + This option adds a `random' match,
12 + which allow you to match packets randomly
13 + following a given probability.
14 +
15 + If you want to compile it as a module, say M here and read
16 + Documentation/modules.txt. If unsure, say `N'.
17 +
18 Netfilter MARK match support
19 CONFIG_IP_NF_MATCH_MARK
20 Netfilter mark matching allows you to match packets based on the
21 @@ -3229,6 +3238,7 @@ CONFIG_IP_NF_MATCH_HELPER
22 If you want to compile it as a module, say M here and read
23 Documentation/modules.txt. If unsure, say `Y'.
24
25 +
26 TCPMSS match support
27 CONFIG_IP_NF_MATCH_TCPMSS
28 This option adds a `tcpmss' match, which allows you to examine the
29 @@ -3376,6 +3386,14 @@ CONFIG_IP6_NF_MATCH_MAC
30 If you want to compile it as a module, say M here and read
31 <file:Documentation/modules.txt>. If unsure, say `N'.
32
33 +CONFIG_IP6_NF_MATCH_RANDOM
34 + This option adds a `random' match,
35 + which allow you to match packets randomly
36 + following a given probability.
37 +
38 + If you want to compile it as a module, say M here and read
39 + Documentation/modules.txt. If unsure, say `N'.
40 +
41 length match support
42 CONFIG_IP6_NF_MATCH_LENGTH
43 This option allows you to match the length of a packet against a
44 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_random.h
45 ===================================================================
46 --- /dev/null
47 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_random.h
48 @@ -0,0 +1,11 @@
49 +#ifndef _IPT_RAND_H
50 +#define _IPT_RAND_H
51 +
52 +#include <linux/param.h>
53 +#include <linux/types.h>
54 +
55 +struct ipt_rand_info {
56 + u_int8_t average;
57 +};
58 +
59 +#endif /*_IPT_RAND_H*/
60 Index: linux-2.4.35.4/include/linux/netfilter_ipv6/ip6t_random.h
61 ===================================================================
62 --- /dev/null
63 +++ linux-2.4.35.4/include/linux/netfilter_ipv6/ip6t_random.h
64 @@ -0,0 +1,11 @@
65 +#ifndef _IP6T_RAND_H
66 +#define _IP6T_RAND_H
67 +
68 +#include <linux/param.h>
69 +#include <linux/types.h>
70 +
71 +struct ip6t_rand_info {
72 + u_int8_t average;
73 +};
74 +
75 +#endif /*_IP6T_RAND_H*/
76 Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in
77 ===================================================================
78 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in
79 +++ linux-2.4.35.4/net/ipv4/netfilter/Config.in
80 @@ -48,6 +48,7 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
81 dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
82 dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
83 dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
84 + dep_tristate ' random match support' CONFIG_IP_NF_MATCH_RANDOM $CONFIG_IP_NF_IPTABLES
85 dep_tristate ' condition match support' CONFIG_IP_NF_MATCH_CONDITION $CONFIG_IP_NF_IPTABLES
86 dep_tristate ' recent match support' CONFIG_IP_NF_MATCH_RECENT $CONFIG_IP_NF_IPTABLES
87 dep_tristate ' ECN match support' CONFIG_IP_NF_MATCH_ECN $CONFIG_IP_NF_IPTABLES
88 Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_random.c
89 ===================================================================
90 --- /dev/null
91 +++ linux-2.4.35.4/net/ipv4/netfilter/ipt_random.c
92 @@ -0,0 +1,96 @@
93 +/*
94 + This is a module which is used for a "random" match support.
95 + This file is distributed under the terms of the GNU General Public
96 + License (GPL). Copies of the GPL can be obtained from:
97 + ftp://prep.ai.mit.edu/pub/gnu/GPL
98 +
99 + 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation.
100 +*/
101 +
102 +#include <linux/module.h>
103 +#include <linux/skbuff.h>
104 +#include <linux/ip.h>
105 +#include <linux/random.h>
106 +#include <net/tcp.h>
107 +#include <linux/spinlock.h>
108 +#include <linux/netfilter_ipv4/ip_tables.h>
109 +#include <linux/netfilter_ipv4/ipt_random.h>
110 +
111 +MODULE_LICENSE("GPL");
112 +
113 +static int
114 +ipt_rand_match(const struct sk_buff *pskb,
115 + const struct net_device *in,
116 + const struct net_device *out,
117 + const void *matchinfo,
118 + int offset,
119 + const void *hdr,
120 + u_int16_t datalen,
121 + int *hotdrop)
122 +{
123 + /* Parameters from userspace */
124 + const struct ipt_rand_info *info = matchinfo;
125 + u_int8_t random_number;
126 +
127 + /* get 1 random number from the kernel random number generation routine */
128 + get_random_bytes((void *)(&random_number), 1);
129 +
130 + /* Do we match ? */
131 + if (random_number <= info->average)
132 + return 1;
133 + else
134 + return 0;
135 +}
136 +
137 +static int
138 +ipt_rand_checkentry(const char *tablename,
139 + const struct ipt_ip *e,
140 + void *matchinfo,
141 + unsigned int matchsize,
142 + unsigned int hook_mask)
143 +{
144 + /* Parameters from userspace */
145 + const struct ipt_rand_info *info = matchinfo;
146 +
147 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_rand_info))) {
148 + printk("ipt_random: matchsize %u != %u\n", matchsize,
149 + IPT_ALIGN(sizeof(struct ipt_rand_info)));
150 + return 0;
151 + }
152 +
153 + /* must be 1 <= average % <= 99 */
154 + /* 1 x 2.55 = 2 */
155 + /* 99 x 2.55 = 252 */
156 + if ((info->average < 2) || (info->average > 252)) {
157 + printk("ipt_random: invalid average %u\n", info->average);
158 + return 0;
159 + }
160 +
161 + return 1;
162 +}
163 +
164 +static struct ipt_match ipt_rand_reg = {
165 + {NULL, NULL},
166 + "random",
167 + ipt_rand_match,
168 + ipt_rand_checkentry,
169 + NULL,
170 + THIS_MODULE };
171 +
172 +static int __init init(void)
173 +{
174 + if (ipt_register_match(&ipt_rand_reg))
175 + return -EINVAL;
176 +
177 + printk("ipt_random match loaded\n");
178 + return 0;
179 +}
180 +
181 +static void __exit fini(void)
182 +{
183 + ipt_unregister_match(&ipt_rand_reg);
184 + printk("ipt_random match unloaded\n");
185 +}
186 +
187 +module_init(init);
188 +module_exit(fini);
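Review bot: `ipt_rand_match` calls `get_random_bytes()` once for every packet the rule evaluates, so the rate at which the kernel's cryptographic pool is drawn on is set by network traffic. On a 2.4 kernel this probably lowers the entropy estimate that blocking `/dev/random` readers depend on. A sampling decision rarely needs cryptographic randomness, so a cheap non-cryptographic source (for example `net_random() & 0xff`, if this tree provides it) would fit better; keep `get_random_bytes()` only if rule users rely on the sample being unpredictable. Separately, `random_number <= info->average` matches with probability (average + 1) / 256, which the `1 x 2.55 = 2` comments in `ipt_rand_checkentry` do not say; I would add `/* matches when a uniform byte 0..255 is <= average, i.e. (average + 1) / 256 */` above the comparison. Both points apply equally to `ip6t_rand_match` in ip6t_random.c.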
189 Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile
190 ===================================================================
191 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile
192 +++ linux-2.4.35.4/net/ipv4/netfilter/Makefile
193 @@ -115,6 +115,8 @@ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos
194 obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
195 obj-$(CONFIG_IP_NF_MATCH_CONDITION) += ipt_condition.o
196
197 +obj-$(CONFIG_IP_NF_MATCH_RANDOM) += ipt_random.o
198 +
199 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
200
201 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
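Review bot: The first context line of this hunk is still `obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o`, although the commit title says the patch is being fixed after ipt_time was removed. If no earlier patch in the series adds that line any more, the context no longer matches the Makefile and the hunk will apply only with fuzz or be rejected. The rest of the series is not visible here, so this needs confirming; if so, refresh the hunk against the current tree.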
202 Index: linux-2.4.35.4/net/ipv6/netfilter/Config.in
203 ===================================================================
204 --- linux-2.4.35.4.orig/net/ipv6/netfilter/Config.in
205 +++ linux-2.4.35.4/net/ipv6/netfilter/Config.in
206 @@ -19,6 +19,7 @@ if [ "$CONFIG_IP6_NF_IPTABLES" != "n" ];
207 dep_tristate ' limit match support' CONFIG_IP6_NF_MATCH_LIMIT $CONFIG_IP6_NF_IPTABLES
208 dep_tristate ' condition match support' CONFIG_IP6_NF_MATCH_CONDITION $CONFIG_IP6_NF_IPTABLES
209 dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
210 + dep_tristate ' Random match support' CONFIG_IP6_NF_MATCH_RANDOM $CONFIG_IP6_NF_IPTABLES
211 if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
212 dep_tristate ' Routing header match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_RT $CONFIG_IP6_NF_IPTABLES
213 fi
214 Index: linux-2.4.35.4/net/ipv6/netfilter/ip6t_random.c
215 ===================================================================
216 --- /dev/null
217 +++ linux-2.4.35.4/net/ipv6/netfilter/ip6t_random.c
218 @@ -0,0 +1,97 @@
219 +/*
220 + This is a module which is used for a "random" match support.
221 + This file is distributed under the terms of the GNU General Public
222 + License (GPL). Copies of the GPL can be obtained from:
223 + ftp://prep.ai.mit.edu/pub/gnu/GPL
224 +
225 + 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation.
226 + 2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port
227 +*/
228 +
229 +#include <linux/module.h>
230 +#include <linux/skbuff.h>
231 +#include <linux/ip.h>
232 +#include <linux/random.h>
233 +#include <net/tcp.h>
234 +#include <linux/spinlock.h>
235 +#include <linux/netfilter_ipv6/ip6_tables.h>
236 +#include <linux/netfilter_ipv6/ip6t_random.h>
237 +
238 +MODULE_LICENSE("GPL");
239 +
240 +static int
241 +ip6t_rand_match(const struct sk_buff *pskb,
242 + const struct net_device *in,
243 + const struct net_device *out,
244 + const void *matchinfo,
245 + int offset,
246 + const void *hdr,
247 + u_int16_t datalen,
248 + int *hotdrop)
249 +{
250 + /* Parameters from userspace */
251 + const struct ip6t_rand_info *info = matchinfo;
252 + u_int8_t random_number;
253 +
254 + /* get 1 random number from the kernel random number generation routine */
255 + get_random_bytes((void *)(&random_number), 1);
256 +
257 + /* Do we match ? */
258 + if (random_number <= info->average)
259 + return 1;
260 + else
261 + return 0;
262 +}
263 +
264 +static int
265 +ip6t_rand_checkentry(const char *tablename,
266 + const struct ip6t_ip6 *e,
267 + void *matchinfo,
268 + unsigned int matchsize,
269 + unsigned int hook_mask)
270 +{
271 + /* Parameters from userspace */
272 + const struct ip6t_rand_info *info = matchinfo;
273 +
274 + if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_rand_info))) {
275 + printk("ip6t_random: matchsize %u != %u\n", matchsize,
276 + IP6T_ALIGN(sizeof(struct ip6t_rand_info)));
277 + return 0;
278 + }
279 +
280 + /* must be 1 <= average % <= 99 */
281 + /* 1 x 2.55 = 2 */
282 + /* 99 x 2.55 = 252 */
283 + if ((info->average < 2) || (info->average > 252)) {
284 + printk("ip6t_random: invalid average %u\n", info->average);
285 + return 0;
286 + }
287 +
288 + return 1;
289 +}
290 +
291 +static struct ip6t_match ip6t_rand_reg = {
292 + {NULL, NULL},
293 + "random",
294 + ip6t_rand_match,
295 + ip6t_rand_checkentry,
296 + NULL,
297 + THIS_MODULE };
298 +
299 +static int __init init(void)
300 +{
301 + if (ip6t_register_match(&ip6t_rand_reg))
302 + return -EINVAL;
303 +
304 + printk("ip6t_random match loaded\n");
305 + return 0;
306 +}
307 +
308 +static void __exit fini(void)
309 +{
310 + ip6t_unregister_match(&ip6t_rand_reg);
311 + printk("ip6t_random match unloaded\n");
312 +}
313 +
314 +module_init(init);
315 +module_exit(fini);
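Review bot: `init()` throws away the value returned by `ip6t_register_match()` and always reports `-EINVAL`, so a failed load gives no hint of the real cause; propagate it instead with `int ret = ip6t_register_match(&ip6t_rand_reg); if (ret) return ret;`. The `printk()` calls in `ip6t_rand_checkentry`, `init` and `fini` carry no log level, so they are logged at the default level; the two rejection messages would read better as `printk(KERN_WARNING "ip6t_random: ...")`. The includes `<linux/ip.h>`, `<net/tcp.h>` and `<linux/spinlock.h>` look unused in this file and could be dropped. The same remarks apply to `init()` and the `printk()` calls in ipt_random.c.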
316 Index: linux-2.4.35.4/net/ipv6/netfilter/Makefile
317 ===================================================================
318 --- linux-2.4.35.4.orig/net/ipv6/netfilter/Makefile
319 +++ linux-2.4.35.4/net/ipv6/netfilter/Makefile
320 @@ -32,6 +32,7 @@ obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t
321 obj-$(CONFIG_IP6_NF_TARGET_IMQ) += ip6t_IMQ.o
322 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
323 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
324 +obj-$(CONFIG_IP6_NF_MATCH_RANDOM) += ip6t_random.o
325 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
326
327 include $(TOPDIR)/Rules.make