[netfilter-cvslog] r3750 - in
trunk/patch-o-matic-ng/talk-conntrack-nat: .
linux-2.6.11/net/ipv4/netfilter
laforge at netfilter.org
laforge at netfilter.org
Wed Mar 2 12:55:50 CET 2005
Author: laforge at netfilter.org
Date: 2005-03-02 12:55:49 +0100 (Wed, 02 Mar 2005)
New Revision: 3750
Added:
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/
Modified:
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_talk.c
trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_talk.c
Log:
add incomplete 2.6.11 branch
Copied: trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11 (from rev 3749, trunk/patch-o-matic-ng/talk-conntrack-nat/linux)
Modified: trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_talk.c
===================================================================
--- trunk/patch-o-matic-ng/talk-conntrack-nat/linux/net/ipv4/netfilter/ip_conntrack_talk.c 2005-03-01 20:30:53 UTC (rev 3749)
+++ trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_conntrack_talk.c 2005-03-02 11:55:49 UTC (rev 3750)
@@ -40,6 +40,14 @@
* [1]: M. Hunter, talk: a historical protocol for interactive communication
* draft-hunter-talk-00.txt
* [2]: D.B. Chapman, E.D. Zwicky: Building Internet Firewalls (O'Reilly)
+ *
+ * Modifications:
+ * 2005-02-13 Harald Welte <laforge at netfilter.org>
+ * - update to 2.6.x API
+ * - update to post 2.6.11 helper infrastructure
+ * - use c99 structure initializers
+ * - explicitly allocate expectation
+ *
*/
#include <linux/config.h>
#include <linux/module.h>
@@ -61,18 +69,25 @@
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("talk connection tracking module");
MODULE_LICENSE("GPL");
-#ifdef MODULE_PARM
-MODULE_PARM(talk, "i");
+module_param(talk, int, 0400);
MODULE_PARM_DESC(talk, "support (old) talk protocol");
-MODULE_PARM(ntalk, "i");
+module_param(ntalk, int, 0400);
MODULE_PARM_DESC(ntalk, "support ntalk protocol");
-MODULE_PARM(ntalk2, "i");
+module_param(ntalk2, int, 0400);
MODULE_PARM_DESC(ntalk2, "support ntalk2 protocol");
#endif
-DECLARE_LOCK(ip_talk_lock);
-struct module *ip_conntrack_talk = THIS_MODULE;
+static char talk_buffer[65536];
+static DECLARE_LOCK(talk_buffer_lock);
+unsigned int (*ip_nat_talk_hook)(struct sk_buff **pskb,
+ enum ip_conntrack_info ctinfo,
+ unsigned int matchoff,
+ unsigned int matchlen,
+ struct ip_conntrack_expect *exp,
+ u32 *seq);
+EXPORT_SYMBOL_GPL(ip_nat_talk_hook);
+
#if 0
#define DEBUGP printk
#else
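Review bot: The `#endif` left as context below the `MODULE_PARM_DESC(ntalk2, ...)` line no longer has an opening directive, because the `-#ifdef MODULE_PARM` line was removed while its closing `#endif` stayed; the preprocessor will reject the file. Remove the `#endif` along with the `#ifdef`. The new `static char talk_buffer[65536]` is only safe if every reader holds `talk_buffer_lock`; a comment such as `/* scratch copy of the UDP payload; only touched under talk_buffer_lock */` would document that contract next to the declaration.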
@@ -84,7 +99,7 @@
static int (*talk_expectfn[2])(struct ip_conntrack *ct) = {talk_expect, ntalk_expect};
-static int talk_help_response(const struct iphdr *iph, size_t len,
+static int talk_help_response(struct sk_buff **pskb,
struct ip_conntrack *ct,
enum ip_conntrack_info ctinfo,
int talk_port,
@@ -94,7 +109,7 @@
struct talk_addr *addr)
{
int dir = CTINFO2DIR(ctinfo);
- struct ip_conntrack_expect expect, *exp = &expect;
+ struct ip_conntrack_expect *exp;
struct ip_ct_talk_expect *exp_talk_info = &exp->help.exp_talk_info;
DEBUGP("ip_ct_talk_help_response: %u.%u.%u.%u:%u, type %d answer %d\n",
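Review bot: `exp_talk_info` is initialized from `&exp->help.exp_talk_info` while `exp` is still an uninitialized pointer — the allocation `exp = ip_conntrack_expect_alloc()` only happens in the next hunk, so the initializer does pointer arithmetic on an indeterminate value and `exp_talk_info` does not point into the expectation that is later filled in. Declare it without an initializer, `struct ip_ct_talk_expect *exp_talk_info;`, and assign `exp_talk_info = &exp->help.exp_talk_info;` after the NULL check that follows the allocation. talk_help_response's body begins before this hunk and continues after it.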
@@ -104,14 +119,16 @@
if (!(answer == SUCCESS && type == mode))
return NF_ACCEPT;
- memset(&expect, 0, sizeof(expect));
+ exp = ip_conntrack_expect_alloc();
+ if (exp == NULL) {
+ return NF_DROP;
+ }
if (type == ANNOUNCE) {
DEBUGP("ip_ct_talk_help_response: ANNOUNCE\n");
/* update the talk info */
- LOCK_BH(&ip_talk_lock);
exp_talk_info->port = htons(talk_port);
/* expect callee client -> caller server message */
@@ -123,24 +140,31 @@
IPPROTO_UDP }});
exp->mask = ((struct ip_conntrack_tuple)
{ { 0xFFFFFFFF, { 0 } },
- { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFFFF }});
+ { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});
exp->expectfn = talk_expectfn[talk_port - TALK_PORT];
+ exp->master = ct;
- DEBUGP("ip_ct_talk_help_response: callee client %u.%u.%u.%u:%u -> caller daemon %u.%u.%u.%u:%u!\n",
- NIPQUAD(exp->tuple.src.ip), ntohs(exp->tuple.src.u.udp.port),
- NIPQUAD(exp->tuple.dst.ip), ntohs(exp->tuple.dst.u.udp.port));
+ DEBUGP("ip_ct_talk_help_response: callee client "
+ "%u.%u.%u.%u:%u -> caller daemon %u.%u.%u.%u:%u!\n",
+ NIPQUAD(exp->tuple.src.ip),
+ ntohs(exp->tuple.src.u.udp.port),
+ NIPQUAD(exp->tuple.dst.ip),
+ ntohs(exp->tuple.dst.u.udp.port));
- /* Ignore failure; should only happen with NAT */
- ip_conntrack_expect_related(ct, &expect);
- UNLOCK_BH(&ip_talk_lock);
- }
- if (type == LOOK_UP) {
+ if (ip_nat_talk_hook)
+ ret = ip_nat_talk_hook(pskb, ctinfo,
+ ...
+ exp);
+ else if (ip_conntrack_expect_related(exp) != 0) {
+ ip_conntrack_expect_free(exp);
+ ret = NF_DROP;
+ }
+ } else if (type == LOOK_UP) {
DEBUGP("ip_ct_talk_help_response: LOOK_UP\n");
/* update the talk info */
- LOCK_BH(&ip_talk_lock);
exp_talk_info->port = addr->ta_port;
/* expect callee client -> caller client connection */
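Review bot: `ret` is assigned in both the hook and the `ip_conntrack_expect_related()` branches but is never declared in talk_help_response — the visible locals are `dir`, `exp` and `exp_talk_info` — and the function still ends with `return NF_ACCEPT;` in the following hunk, so an `NF_DROP` from a failed expectation is turned back into accept after the expectation was already freed. Add `int ret = NF_ACCEPT;` to the locals and change the final `return NF_ACCEPT;` to `return ret;`. The `...` inside the `ip_nat_talk_hook(pskb, ctinfo, ..., exp)` calls here and in the LOOK_UP branch is a literal placeholder that will not compile; the exported hook prototype takes matchoff, matchlen, exp and a seq pointer, so those arguments still have to be supplied. If the hook path is taken and the hook fails, nothing here frees `exp`; whether the hook owns it on failure is not visible in this diff, so that ownership rule should be stated in a comment above the call.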
@@ -152,31 +176,43 @@
IPPROTO_TCP }});
exp->mask = ((struct ip_conntrack_tuple)
{ { 0xFFFFFFFF, { 0 } },
- { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
-
+ { 0xFFFFFFFF, { 0xFFFF }, 0xFF }});
exp->expectfn = NULL;
-
- DEBUGP("ip_ct_talk_help_response: callee client %u.%u.%u.%u:%u -> caller client %u.%u.%u.%u:%u!\n",
- NIPQUAD(exp->tuple.src.ip), ntohs(exp->tuple.src.u.tcp.port),
- NIPQUAD(exp->tuple.dst.ip), ntohs(exp->tuple.dst.u.tcp.port));
+ exp->master = ct;
- /* Ignore failure; should only happen with NAT */
- ip_conntrack_expect_related(ct, &expect);
- UNLOCK_BH(&ip_talk_lock);
+ DEBUGP("ip_ct_talk_help_response: callee client "
+ "%u.%u.%u.%u:%u -> caller client %u.%u.%u.%u:%u!\n",
+ NIPQUAD(exp->tuple.src.ip),
+ ntohs(exp->tuple.src.u.tcp.port),
+ NIPQUAD(exp->tuple.dst.ip),
+ ntohs(exp->tuple.dst.u.tcp.port));
+
+ if (ip_nat_talk_hook)
+ ret = ip_nat_talk_hook(pskb, ctinfo,
+ ...
+ exp);
+ else if (ip_conntrack_expect_related(exp) != 0) {
+ ip_conntrack_expect_free(exp);
+ ret = NF_DROP;
+ }
}
return NF_ACCEPT;
}
/* FIXME: This should be in userspace. Later. */
-static int talk_help(const struct iphdr *iph, size_t len,
+static int talk_help(struct sk_buff **pskb,
struct ip_conntrack *ct,
enum ip_conntrack_info ctinfo,
int talk_port,
u_char mode)
{
- struct udphdr *udph = (void *)iph + iph->ihl * 4;
- const char *data = (const char *)udph + sizeof(struct udphdr);
+ int ret;
+ unsigned int dataoff;
+ struct udphdr _udph, *uh;
+ char *tb_ptr, *data;
+ //struct udphdr *udph = (void *)iph + iph->ihl * 4;
+ //const char *data = (const char *)udph + sizeof(struct udphdr);
int dir = CTINFO2DIR(ctinfo);
size_t udplen;
@@ -189,13 +225,18 @@
return NF_ACCEPT;
}
+ if (dir == IP_CT_DIR_ORIGINAL)
+ return NF_ACCEPT;
+
/* Not whole UDP header? */
- udplen = len - iph->ihl * 4;
- if (udplen < sizeof(struct udphdr)) {
- DEBUGP("ip_ct_talk_help: too short for udph, udplen = %u\n", (unsigned)udplen);
+ uh = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
+ sizeof(_udph), &_udph);
+ if (uh == NULL) {
+ DEBUGP("ip_ct_talk_help: short for udph\n");
return NF_ACCEPT;
}
+#if 0
/* Checksum invalid? Ignore. */
/* FIXME: Source route IP option packets --RR */
if (csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP,
@@ -205,16 +246,26 @@
NIPQUAD(iph->daddr));
return NF_ACCEPT;
}
+#endif
+
+ udplen = (*pskb)->len - (*pskb)->nh.iph.ihl*4;
+ dataoff = (*pskb)->nh.iph.ihl*4 + sizeof(_udph);
+ if (dataoff >= (*pskb)->len)
+ return NF_ACCEPT;
+
+ LOCK_BH(&talk_buffer_lock);
+ tb_ptr = skb_header_pointer(*pskb, dataoff,
+ (*pskb)->len - dataoff, talk_buffer);
+ BUG_ON(tb_ptr == NULL);
+
+ data = tb_ptr;
DEBUGP("ip_ct_talk_help: %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
NIPQUAD(iph->saddr), ntohs(udph->source), NIPQUAD(iph->daddr), ntohs(udph->dest));
- if (dir == IP_CT_DIR_ORIGINAL)
- return NF_ACCEPT;
-
if (talk_port == TALK_PORT
&& udplen == sizeof(struct udphdr) + sizeof(struct talk_response))
- return talk_help_response(iph, len, ct, ctinfo, talk_port, mode,
+ ret = talk_help_response(pskb, ct, ctinfo, talk_port, mode,
((struct talk_response *)data)->type,
((struct talk_response *)data)->answer,
&(((struct talk_response *)data)->addr));
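Review bot: The two new `udplen`/`dataoff` lines use `(*pskb)->nh.iph.ihl`, whereas the `skb_header_pointer()` call earlier in this function uses `(*pskb)->nh.iph->ihl`; `nh.iph` is dereferenced as a pointer there, so these lines should read `(*pskb)->nh.iph->ihl*4` to match. The DEBUGP line that follows still names `iph->saddr`, `udph->source` and `udph->dest`, none of which exist after the rewrite; it presumably survives only because DEBUGP is compiled out, and will break as soon as debugging is switched on — read those fields from `uh` and `(*pskb)->nh.iph` instead. `BUG_ON(tb_ptr == NULL)` is defensible because the copy length `(*pskb)->len - dataoff` cannot exceed the 64 KiB scratch buffer, but a one-line comment stating that bound would spare the next reader the derivation. talk_help begins and ends outside this hunk.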
@@ -222,7 +273,7 @@
&& ntalk
&& udplen == sizeof(struct udphdr) + sizeof(struct ntalk_response)
&& ((struct ntalk_response *)data)->vers == NTALK_VERSION)
- return talk_help_response(iph, len, ct, ctinfo, talk_port, mode,
+ ret = talk_help_response(pskb, ct, ctinfo, talk_port, mode,
((struct ntalk_response *)data)->type,
((struct ntalk_response *)data)->answer,
&(((struct ntalk_response *)data)->addr));
@@ -230,7 +281,7 @@
&& ntalk2
&& udplen >= sizeof(struct udphdr) + sizeof(struct ntalk2_response)
&& ((struct ntalk2_response *)data)->vers == NTALK2_VERSION)
- return talk_help_response(iph, len, ct, ctinfo, talk_port, mode,
+ ret = talk_help_response(pskb, ct, ctinfo, talk_port, mode,
((struct ntalk2_response *)data)->type,
((struct ntalk2_response *)data)->answer,
&(((struct ntalk2_response *)data)->addr));
@@ -238,46 +289,56 @@
DEBUGP("ip_ct_talk_help: not ntalk/ntalk2 response, datalen %u != %u or %u + max 256\n",
(unsigned)udplen - sizeof(struct udphdr),
sizeof(struct ntalk_response), sizeof(struct ntalk2_response));
- return NF_ACCEPT;
+ ret = NF_ACCEPT;
}
+ UNLOCK_BH(&talk_buffer_lock);
+ return ret;
}
-static int lookup_help(const struct iphdr *iph, size_t len,
+static int lookup_help(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
- return talk_help(iph, len, ct, ctinfo, TALK_PORT, LOOK_UP);
+ return talk_help(pskb, ct, ctinfo, TALK_PORT, LOOK_UP);
}
-static int lookup_nhelp(const struct iphdr *iph, size_t len,
+static int lookup_nhelp(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
- return talk_help(iph, len, ct, ctinfo, NTALK_PORT, LOOK_UP);
+ return talk_help(psk, ct, ctinfo, NTALK_PORT, LOOK_UP);
}
-static struct ip_conntrack_helper lookup_helpers[2] =
- { { { NULL, NULL },
- "talk", /* name */
- 0, /* flags */
- NULL, /* module */
- 1, /* max_expected */
- 240, /* timeout */
- { { 0, { __constant_htons(TALK_PORT) } }, /* tuple */
- { 0, { 0 }, IPPROTO_UDP } },
- { { 0, { 0xFFFF } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- lookup_help }, /* helper */
- { { NULL, NULL },
- "ntalk", /* name */
- 0, /* flags */
- NULL, /* module */
- 1, /* max_expected */
- 240, /* timeout */
- { { 0, { __constant_htons(NTALK_PORT) } }, /* tuple */
- { 0, { 0 }, IPPROTO_UDP } },
- { { 0, { 0xFFFF } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- lookup_nhelp } /* helper */
- };
+static struct ip_conntrack_helper lookup_helpers[2] = {
+ {
+ .name = "talk-lookup",
+ .module = THIS_MODULE,
+ .max_expected = 1,
+ .timeout = 4 * 60,
+ .tuple = {
+ .src.u.udp.port = __constant_htons(TALK_PORT),
+ .dst.protonum = IPPROTO_UDP,
+ },
+ .mask = {
+ .src.u.udp.port = 0xffff,
+ .dst.protonum = 0xff,
+ },
+ .help = &lookup_help,
+ },
+ {
+ .name = "ntalk-lookup",
+ .module = THIS_MODULE,
+ .max_expected = 1,
+ .timeout = 4 * 60,
+ .tuple = {
+ .src.u.udp.port = __constant_htons(NTALK_PORT),
+ .dst.protonum = IPPROTO_UDP,
+ },
+ .mask = {
+ .src.u.udp.port = 0xffff,
+ .dst.protonum = 0xff,
+ },
+ .help = &lookup_nhelp,
+ },
+};
static int talk_expect(struct ip_conntrack *ct)
{
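Review bot: `lookup_nhelp` passes `psk` to `talk_help`, a typo for `pskb` that will not compile; the line should read `return talk_help(pskb, ct, ctinfo, NTALK_PORT, LOOK_UP);`. The `lookup_helpers` initializers set `.module = THIS_MODULE` while the `talk_helpers` initializers in the next hunk set `.me = THIS_MODULE`; only one of these can be a member of `struct ip_conntrack_helper`, so pick the correct name and use it in both tables. Every `return` in talk_help between `LOCK_BH(&talk_buffer_lock)` and the `UNLOCK_BH` added here has been converted to `ret = ...`, which is correct; a comment such as `/* all paths after LOCK_BH fall through to this unlock */` above the unlock would keep a future early return from leaking the lock.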
@@ -299,42 +360,50 @@
return NF_ACCEPT; /* unused */
}
-static int help(const struct iphdr *iph, size_t len,
+static int help(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
return talk_help(iph, len, ct, ctinfo, TALK_PORT, ANNOUNCE);
}
-static int nhelp(const struct iphdr *iph, size_t len,
+static int nhelp(struct sk_buff **pskb,
struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
{
return talk_help(iph, len, ct, ctinfo, NTALK_PORT, ANNOUNCE);
}
-static struct ip_conntrack_helper talk_helpers[2] =
- { { { NULL, NULL },
- "talk", /* name */
- 0, /* flags */
- THIS_MODULE, /* module */
- 1, /* max_expected */
- 240, /* timeout */
- { { 0, { __constant_htons(TALK_PORT) } }, /* tuple */
- { 0, { 0 }, IPPROTO_UDP } },
- { { 0, { 0xFFFF } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- help }, /* helper */
- { { NULL, NULL },
- "ntalk", /* name */
- 0, /* flags */
- THIS_MODULE, /* module */
- 1, /* max_expected */
- 240, /* timeout */
- { { 0, { __constant_htons(NTALK_PORT) } }, /* tuple */
- { 0, { 0 }, IPPROTO_UDP } },
- { { 0, { 0xFFFF } }, /* mask */
- { 0, { 0 }, 0xFFFF } },
- nhelp } /* helper */
- };
+static struct ip_conntrack_helper talk_helpers[2] = {
+ {
+ .name = "talk",
+ .help = &help,
+ .me = THIS_MODULE,
+ .max_expected = 1,
+ .timeout = 4 * 60, /* 4 minutes */
+ .tuple = {
+ .src.u.udp.port = __constant_htons(TALK_PORT),
+ .dst.protonum = IPPROTO_UDP,
+ },
+ .mask = {
+ .src.u.udp.port = 0xffff,
+ .dst.protonum = 0xff,
+ },
+ },
+ {
+ .name = "ntalk",
+ .help = &nhelp,
+ .me = THIS_MODULE,
+ .max_expected = 1,
+ .timeout = 4 * 60, /* 4 minutes */
+ .tuple = {
+ .src.u.udp.port = __constant_htons(NTALK_PORT),
+ .dst.protonum = IPPROTO_UDP,
+ },
+ .mask = {
+ .src.u.udp.port = 0xffff,
+ .dst.protonum = IPPROTO_UDP,
+ },
+ },
+};
static int __init init(void)
{
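Review bot: `help` and `nhelp` still call `talk_help(iph, len, ct, ctinfo, ...)` although their parameter lists were changed to `struct sk_buff **pskb`, so `iph` and `len` are undeclared in both bodies; they need `return talk_help(pskb, ct, ctinfo, TALK_PORT, ANNOUNCE);` and `return talk_help(pskb, ct, ctinfo, NTALK_PORT, ANNOUNCE);`, exactly as `lookup_help`/`lookup_nhelp` were updated. In the ntalk entry of `talk_helpers` the mask is `.dst.protonum = IPPROTO_UDP` where the talk entry and both `lookup_helpers` masks use `0xff`; a mask of 17 pins only some protocol-number bits instead of the whole byte, so it should be `.dst.protonum = 0xff`. This looks like a copy error from the tuple block directly above it.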
@@ -354,7 +423,5 @@
ip_conntrack_helper_unregister(&talk_helpers[1]);
}
-EXPORT_SYMBOL(ip_talk_lock);
-
module_init(init);
module_exit(fini);
Modified: trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_talk.c
===================================================================
--- trunk/patch-o-matic-ng/talk-conntrack-nat/linux/net/ipv4/netfilter/ip_nat_talk.c 2005-03-01 20:30:53 UTC (rev 3749)
+++ trunk/patch-o-matic-ng/talk-conntrack-nat/linux-2.6.11/net/ipv4/netfilter/ip_nat_talk.c 2005-03-02 11:55:49 UTC (rev 3750)
@@ -16,6 +16,11 @@
*
* The default is talk=1 ntalk=1 ntalk2=1
*
+ * Modifications:
+ * 2005-02-13 Harald Welte <laforge at netfilter.org>
+ * - update to 2.6.x API
+ * - update to post 2.6.11 helper infrastructure
+ * - use c99 structure initializers
*
*/
#include <linux/module.h>
@@ -32,20 +37,8 @@
#include <linux/netfilter_ipv4/ip_conntrack_talk.h>
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-/* Default all talk protocols are supported */
-static int talk = 1;
-static int ntalk = 1;
-static int ntalk2 = 1;
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("talk network address translation module");
-#ifdef MODULE_PARM
-MODULE_PARM(talk, "i");
-MODULE_PARM_DESC(talk, "support (old) talk protocol");
-MODULE_PARM(ntalk, "i");
-MODULE_PARM_DESC(ntalk, "support ntalk protocol");
-MODULE_PARM(ntalk2, "i");
-MODULE_PARM_DESC(ntalk2, "support ntalk2 protocol");
-#endif
#if 0
#define DEBUGP printk
@@ -444,29 +437,16 @@
static int __init init(void)
{
- int ret = 0;
-
- if (talk > 0) {
- ret = ip_nat_helper_register(&talk_helpers[0]);
-
- if (ret != 0)
- return ret;
- }
- if (ntalk > 0 || ntalk2 > 0) {
- ret = ip_nat_helper_register(&talk_helpers[1]);
-
- if (ret != 0 && talk > 0)
- ip_nat_helper_unregister(&talk_helpers[0]);
- }
- return ret;
+ BUG_ON(ip_nat_talk_hook);
+ ip_nat_talk_hook = &talk_help;
+ return 0;
}
static void __exit fini(void)
{
- if (talk > 0)
- ip_nat_helper_unregister(&talk_helpers[0]);
- if (ntalk > 0 || ntalk2 > 0)
- ip_nat_helper_unregister(&talk_helpers[1]);
+ ip_nat_talk_hook = NULL;
+ /* Make sure noone calls it, meanwhile */
+ synchronize_net();
}
module_init(init);
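Review bot: `ip_nat_talk_hook = &talk_help;` requires this file's `talk_help` to have exactly the six-parameter prototype the conntrack module exports (`struct sk_buff **, enum ip_conntrack_info, unsigned int matchoff, unsigned int matchlen, struct ip_conntrack_expect *, u32 *`); `talk_help` is not visible in this diff, so that cannot be confirmed here, and the commit log itself calls the branch incomplete. Since the assignment is uncast, a mismatch will surface as an incompatible-pointer-type warning rather than an error, so it is worth treating that warning as fatal while finishing this branch. In `fini`, clearing the pointer before `synchronize_net()` is the right order; the existing comment could be made precise as `/* wait for in-flight callers of the old hook value before the module text goes away */`.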