diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_autofw.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_autofw.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_autofw.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_autofw.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,17 +0,0 @@ -#ifndef _IP_AUTOFW_H -#define _IP_AUTOFW_H - -#define AUTOFW_MASTER_TIMEOUT 600 /* 600 secs */ - -struct ip_autofw_info { - u_int16_t proto; /* Related protocol */ - u_int16_t dport[2]; /* Related destination port range */ - u_int16_t to[2]; /* Port range to map related destination port range to */ -}; - -struct ip_autofw_expect { - u_int16_t dport[2]; /* Related destination port range */ - u_int16_t to[2]; /* Port range to map related destination port range to */ -}; - -#endif /*_IP_AUTOFW_H*/ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack.h 2005-11-08 06:24:51.000000000 -0800 @@ -45,41 +45,27 @@ #include #include -#include /* per conntrack: protocol private data */ union ip_conntrack_proto { /* insert conntrack proto private data here */ - struct ip_ct_gre gre; struct ip_ct_tcp tcp; struct ip_ct_icmp icmp; }; union ip_conntrack_expect_proto { /* insert expect proto private data here */ - struct ip_ct_gre_expect gre; }; /* Add protocol helper include file here */ -#include -#include -#include -#include - #include #include -#include /* per expectation: application helper private data */ union ip_conntrack_expect_help { /* insert conntrack helper private data (expect) here */ - struct ip_ct_pptp_expect exp_pptp_info; - struct ip_ct_sip_expect exp_sip_info; - struct ip_ct_mms_expect exp_mms_info; - struct ip_ct_h225_expect exp_h225_info; struct ip_ct_ftp_expect exp_ftp_info; struct ip_ct_irc_expect exp_irc_info; - struct ip_autofw_expect exp_autofw_info; #ifdef CONFIG_IP_NF_NAT_NEEDED union { @@ -91,22 +77,16 @@ /* per conntrack: application helper private data */ union ip_conntrack_help { /* insert conntrack helper private data (master) here */ - struct ip_ct_pptp_master ct_pptp_info; - struct ip_ct_sip_master ct_sip_info; - struct ip_ct_mms_master ct_mms_info; - struct ip_ct_h225_master ct_h225_info; struct ip_ct_ftp_master ct_ftp_info; struct ip_ct_irc_master ct_irc_info; }; #ifdef CONFIG_IP_NF_NAT_NEEDED #include -#include /* per conntrack: nat application helper private data */ union ip_conntrack_nat_help { /* insert nat helper private data here */ - struct ip_nat_pptp nat_pptp_info; }; #endif @@ -278,9 +258,5 @@ } extern unsigned int ip_conntrack_htable_size; - -/* connection tracking time out variables. */ -extern int sysctl_ip_conntrack_tcp_timeouts[10]; -extern int sysctl_ip_conntrack_udp_timeouts[2]; #endif /* __KERNEL__ */ #endif /* _IP_CONNTRACK_H */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_h323.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_h323.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_h323.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_h323.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,30 +0,0 @@ -#ifndef _IP_CONNTRACK_H323_H -#define _IP_CONNTRACK_H323_H -/* H.323 connection tracking. */ - -#ifdef __KERNEL__ -/* Protects H.323 related data */ -DECLARE_LOCK_EXTERN(ip_h323_lock); -#endif - -/* Default H.225 port */ -#define H225_PORT 1720 - -/* This structure is per expected connection */ -struct ip_ct_h225_expect { - u_int16_t port; /* Port of the H.225 helper/RTCP/RTP channel */ - enum ip_conntrack_dir dir; /* Direction of the original connection */ - unsigned int offset; /* offset of the address in the payload */ -}; - -/* This structure exists only once per master */ -struct ip_ct_h225_master { - int is_h225; /* H.225 or H.245 connection */ -#ifdef CONFIG_IP_NF_NAT_NEEDED - enum ip_conntrack_dir dir; /* Direction of the original connection */ - u_int32_t seq[IP_CT_DIR_MAX]; /* Exceptional packet mangling for signal addressess... */ - unsigned int offset[IP_CT_DIR_MAX]; /* ...and the offset of the addresses in the payload */ -#endif -}; - -#endif /* _IP_CONNTRACK_H323_H */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_mms.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_mms.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_mms.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_mms.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,31 +0,0 @@ -#ifndef _IP_CONNTRACK_MMS_H -#define _IP_CONNTRACK_MMS_H -/* MMS tracking. */ - -#ifdef __KERNEL__ -#include - -DECLARE_LOCK_EXTERN(ip_mms_lock); - -#define MMS_PORT 1755 -#define MMS_SRV_MSG_ID 196610 - -#define MMS_SRV_MSG_OFFSET 36 -#define MMS_SRV_UNICODE_STRING_OFFSET 60 -#define MMS_SRV_CHUNKLENLV_OFFSET 16 -#define MMS_SRV_CHUNKLENLM_OFFSET 32 -#define MMS_SRV_MESSAGELENGTH_OFFSET 8 -#endif - -/* This structure is per expected connection */ -struct ip_ct_mms_expect { - u_int32_t len; - u_int32_t padding; - u_int16_t port; -}; - -/* This structure exists only once per master */ -struct ip_ct_mms_master { -}; - -#endif /* _IP_CONNTRACK_MMS_H */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_pptp.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_pptp.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_pptp.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,313 +0,0 @@ -/* PPTP constants and structs */ -#ifndef _CONNTRACK_PPTP_H -#define _CONNTRACK_PPTP_H - -/* state of the control session */ -enum pptp_ctrlsess_state { - PPTP_SESSION_NONE, /* no session present */ - PPTP_SESSION_ERROR, /* some session error */ - PPTP_SESSION_STOPREQ, /* stop_sess request seen */ - PPTP_SESSION_REQUESTED, /* start_sess request seen */ - PPTP_SESSION_CONFIRMED, /* session established */ -}; - -/* state of the call inside the control session */ -enum pptp_ctrlcall_state { - PPTP_CALL_NONE, - PPTP_CALL_ERROR, - PPTP_CALL_OUT_REQ, - PPTP_CALL_OUT_CONF, - PPTP_CALL_IN_REQ, - PPTP_CALL_IN_REP, - PPTP_CALL_IN_CONF, - PPTP_CALL_CLEAR_REQ, -}; - - -/* conntrack private data */ -struct ip_ct_pptp_master { - enum pptp_ctrlsess_state sstate; /* session state */ - - /* everything below is going to be per-expectation in newnat, - * since there could be more than one call within one session */ - enum pptp_ctrlcall_state cstate; /* call state */ - u_int16_t pac_call_id; /* call id of PAC, host byte order */ - u_int16_t pns_call_id; /* call id of PNS, host byte order */ -}; - -/* conntrack_expect private member */ -struct ip_ct_pptp_expect { - enum pptp_ctrlcall_state cstate; /* call state */ - u_int16_t pac_call_id; /* call id of PAC */ - u_int16_t pns_call_id; /* call id of PNS */ -}; - - -#ifdef __KERNEL__ - -#include -DECLARE_LOCK_EXTERN(ip_pptp_lock); - -#define IP_CONNTR_PPTP PPTP_CONTROL_PORT - -union pptp_ctrl_union { - void *rawreq; - struct PptpStartSessionRequest *sreq; - struct PptpStartSessionReply *srep; - struct PptpStopSessionReqest *streq; - struct PptpStopSessionReply *strep; - struct PptpOutCallRequest *ocreq; - struct PptpOutCallReply *ocack; - struct PptpInCallRequest *icreq; - struct PptpInCallReply *icack; - struct PptpInCallConnected *iccon; - struct PptpClearCallRequest *clrreq; - struct PptpCallDisconnectNotify *disc; - struct PptpWanErrorNotify *wanerr; - struct PptpSetLinkInfo *setlink; -}; - - - -#define PPTP_CONTROL_PORT 1723 - -#define PPTP_PACKET_CONTROL 1 -#define PPTP_PACKET_MGMT 2 - -#define PPTP_MAGIC_COOKIE 0x1a2b3c4d - -struct pptp_pkt_hdr { - __u16 packetLength; - __u16 packetType; - __u32 magicCookie; -}; - -/* PptpControlMessageType values */ -#define PPTP_START_SESSION_REQUEST 1 -#define PPTP_START_SESSION_REPLY 2 -#define PPTP_STOP_SESSION_REQUEST 3 -#define PPTP_STOP_SESSION_REPLY 4 -#define PPTP_ECHO_REQUEST 5 -#define PPTP_ECHO_REPLY 6 -#define PPTP_OUT_CALL_REQUEST 7 -#define PPTP_OUT_CALL_REPLY 8 -#define PPTP_IN_CALL_REQUEST 9 -#define PPTP_IN_CALL_REPLY 10 -#define PPTP_IN_CALL_CONNECT 11 -#define PPTP_CALL_CLEAR_REQUEST 12 -#define PPTP_CALL_DISCONNECT_NOTIFY 13 -#define PPTP_WAN_ERROR_NOTIFY 14 -#define PPTP_SET_LINK_INFO 15 - -#define PPTP_MSG_MAX 15 - -/* PptpGeneralError values */ -#define PPTP_ERROR_CODE_NONE 0 -#define PPTP_NOT_CONNECTED 1 -#define PPTP_BAD_FORMAT 2 -#define PPTP_BAD_VALUE 3 -#define PPTP_NO_RESOURCE 4 -#define PPTP_BAD_CALLID 5 -#define PPTP_REMOVE_DEVICE_ERROR 6 - -struct PptpControlHeader { - __u16 messageType; - __u16 reserved; -}; - -/* FramingCapability Bitmap Values */ -#define PPTP_FRAME_CAP_ASYNC 0x1 -#define PPTP_FRAME_CAP_SYNC 0x2 - -/* BearerCapability Bitmap Values */ -#define PPTP_BEARER_CAP_ANALOG 0x1 -#define PPTP_BEARER_CAP_DIGITAL 0x2 - -struct PptpStartSessionRequest { - __u16 protocolVersion; - __u8 reserved1; - __u8 reserved2; - __u32 framingCapability; - __u32 bearerCapability; - __u16 maxChannels; - __u16 firmwareRevision; - __u8 hostName[64]; - __u8 vendorString[64]; -}; - -/* PptpStartSessionResultCode Values */ -#define PPTP_START_OK 1 -#define PPTP_START_GENERAL_ERROR 2 -#define PPTP_START_ALREADY_CONNECTED 3 -#define PPTP_START_NOT_AUTHORIZED 4 -#define PPTP_START_UNKNOWN_PROTOCOL 5 - -struct PptpStartSessionReply { - __u16 protocolVersion; - __u8 resultCode; - __u8 generalErrorCode; - __u32 framingCapability; - __u32 bearerCapability; - __u16 maxChannels; - __u16 firmwareRevision; - __u8 hostName[64]; - __u8 vendorString[64]; -}; - -/* PptpStopReasons */ -#define PPTP_STOP_NONE 1 -#define PPTP_STOP_PROTOCOL 2 -#define PPTP_STOP_LOCAL_SHUTDOWN 3 - -struct PptpStopSessionRequest { - __u8 reason; -}; - -/* PptpStopSessionResultCode */ -#define PPTP_STOP_OK 1 -#define PPTP_STOP_GENERAL_ERROR 2 - -struct PptpStopSessionReply { - __u8 resultCode; - __u8 generalErrorCode; -}; - -struct PptpEchoRequest { - __u32 identNumber; -}; - -/* PptpEchoReplyResultCode */ -#define PPTP_ECHO_OK 1 -#define PPTP_ECHO_GENERAL_ERROR 2 - -struct PptpEchoReply { - __u32 identNumber; - __u8 resultCode; - __u8 generalErrorCode; - __u16 reserved; -}; - -/* PptpFramingType */ -#define PPTP_ASYNC_FRAMING 1 -#define PPTP_SYNC_FRAMING 2 -#define PPTP_DONT_CARE_FRAMING 3 - -/* PptpCallBearerType */ -#define PPTP_ANALOG_TYPE 1 -#define PPTP_DIGITAL_TYPE 2 -#define PPTP_DONT_CARE_BEARER_TYPE 3 - -struct PptpOutCallRequest { - __u16 callID; - __u16 callSerialNumber; - __u32 minBPS; - __u32 maxBPS; - __u32 bearerType; - __u32 framingType; - __u16 packetWindow; - __u16 packetProcDelay; - __u16 reserved1; - __u16 phoneNumberLength; - __u16 reserved2; - __u8 phoneNumber[64]; - __u8 subAddress[64]; -}; - -/* PptpCallResultCode */ -#define PPTP_OUTCALL_CONNECT 1 -#define PPTP_OUTCALL_GENERAL_ERROR 2 -#define PPTP_OUTCALL_NO_CARRIER 3 -#define PPTP_OUTCALL_BUSY 4 -#define PPTP_OUTCALL_NO_DIAL_TONE 5 -#define PPTP_OUTCALL_TIMEOUT 6 -#define PPTP_OUTCALL_DONT_ACCEPT 7 - -struct PptpOutCallReply { - __u16 callID; - __u16 peersCallID; - __u8 resultCode; - __u8 generalErrorCode; - __u16 causeCode; - __u32 connectSpeed; - __u16 packetWindow; - __u16 packetProcDelay; - __u32 physChannelID; -}; - -struct PptpInCallRequest { - __u16 callID; - __u16 callSerialNumber; - __u32 callBearerType; - __u32 physChannelID; - __u16 dialedNumberLength; - __u16 dialingNumberLength; - __u8 dialedNumber[64]; - __u8 dialingNumber[64]; - __u8 subAddress[64]; -}; - -/* PptpInCallResultCode */ -#define PPTP_INCALL_ACCEPT 1 -#define PPTP_INCALL_GENERAL_ERROR 2 -#define PPTP_INCALL_DONT_ACCEPT 3 - -struct PptpInCallReply { - __u16 callID; - __u16 peersCallID; - __u8 resultCode; - __u8 generalErrorCode; - __u16 packetWindow; - __u16 packetProcDelay; - __u16 reserved; -}; - -struct PptpInCallConnected { - __u16 peersCallID; - __u16 reserved; - __u32 connectSpeed; - __u16 packetWindow; - __u16 packetProcDelay; - __u32 callFramingType; -}; - -struct PptpClearCallRequest { - __u16 callID; - __u16 reserved; -}; - -struct PptpCallDisconnectNotify { - __u16 callID; - __u8 resultCode; - __u8 generalErrorCode; - __u16 causeCode; - __u16 reserved; - __u8 callStatistics[128]; -}; - -struct PptpWanErrorNotify { - __u16 peersCallID; - __u16 reserved; - __u32 crcErrors; - __u32 framingErrors; - __u32 hardwareOverRuns; - __u32 bufferOverRuns; - __u32 timeoutErrors; - __u32 alignmentErrors; -}; - -struct PptpSetLinkInfo { - __u16 peersCallID; - __u16 reserved; - __u32 sendAccm; - __u32 recvAccm; -}; - - -struct pptp_priv_data { - __u16 call_id; - __u16 mcall_id; - __u16 pcall_id; -}; - -#endif /* __KERNEL__ */ -#endif /* _CONNTRACK_PPTP_H */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,123 +0,0 @@ -#ifndef _CONNTRACK_PROTO_GRE_H -#define _CONNTRACK_PROTO_GRE_H -#include - -/* GRE PROTOCOL HEADER */ - -/* GRE Version field */ -#define GRE_VERSION_1701 0x0 -#define GRE_VERSION_PPTP 0x1 - -/* GRE Protocol field */ -#define GRE_PROTOCOL_PPTP 0x880B - -/* GRE Flags */ -#define GRE_FLAG_C 0x80 -#define GRE_FLAG_R 0x40 -#define GRE_FLAG_K 0x20 -#define GRE_FLAG_S 0x10 -#define GRE_FLAG_A 0x80 - -#define GRE_IS_C(f) ((f)&GRE_FLAG_C) -#define GRE_IS_R(f) ((f)&GRE_FLAG_R) -#define GRE_IS_K(f) ((f)&GRE_FLAG_K) -#define GRE_IS_S(f) ((f)&GRE_FLAG_S) -#define GRE_IS_A(f) ((f)&GRE_FLAG_A) - -/* GRE is a mess: Four different standards */ -struct gre_hdr { -#if defined(__LITTLE_ENDIAN_BITFIELD) - __u16 rec:3, - srr:1, - seq:1, - key:1, - routing:1, - csum:1, - version:3, - reserved:4, - ack:1; -#elif defined(__BIG_ENDIAN_BITFIELD) - __u16 csum:1, - routing:1, - key:1, - seq:1, - srr:1, - rec:3, - ack:1, - reserved:4, - version:3; -#else -#error "Adjust your defines" -#endif - __u16 protocol; -}; - -/* modified GRE header for PPTP */ -struct gre_hdr_pptp { - __u8 flags; /* bitfield */ - __u8 version; /* should be GRE_VERSION_PPTP */ - __u16 protocol; /* should be GRE_PROTOCOL_PPTP */ - __u16 payload_len; /* size of ppp payload, not inc. gre header */ - __u16 call_id; /* peer's call_id for this session */ - __u32 seq; /* sequence number. Present if S==1 */ - __u32 ack; /* seq number of highest packet recieved by */ - /* sender in this session */ -}; - - -/* this is part of ip_conntrack */ -struct ip_ct_gre { - unsigned int stream_timeout; - unsigned int timeout; -}; - -/* this is part of ip_conntrack_expect */ -struct ip_ct_gre_expect { - struct ip_ct_gre_keymap *keymap_orig, *keymap_reply; -}; - -#ifdef __KERNEL__ -struct ip_conntrack_expect; - -/* structure for original <-> reply keymap */ -struct ip_ct_gre_keymap { - struct list_head list; - - struct ip_conntrack_tuple tuple; -}; - - -/* add new tuple->key_reply pair to keymap */ -int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp, - struct ip_conntrack_tuple *t, - int reply); - -/* change an existing keymap entry */ -void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km, - struct ip_conntrack_tuple *t); - -/* delete keymap entries */ -void ip_ct_gre_keymap_destroy(struct ip_conntrack_expect *exp); - - -/* get pointer to gre key, if present */ -static inline u_int32_t *gre_key(struct gre_hdr *greh) -{ - if (!greh->key) - return NULL; - if (greh->csum || greh->routing) - return (u_int32_t *) (greh+sizeof(*greh)+4); - return (u_int32_t *) (greh+sizeof(*greh)); -} - -/* get pointer ot gre csum, if present */ -static inline u_int16_t *gre_csum(struct gre_hdr *greh) -{ - if (!greh->csum) - return NULL; - return (u_int16_t *) (greh+sizeof(*greh)); -} - -#endif /* __KERNEL__ */ - -#endif /* _CONNTRACK_PROTO_GRE_H */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_sip.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_sip.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_sip.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_sip.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,56 +0,0 @@ -#ifndef _IP_CONNTRACK_SIP_H -#define _IP_CONNTRACK_SIP_H -/* SIP tracking. */ - -#ifdef __KERNEL__ - -#include - -/* Protects sip part of conntracks */ -DECLARE_LOCK_EXTERN(ip_sip_lock); - -#define SIP_PORT 5060 /* UDP */ -#define SIP_EXPIRES 3600 /* seconds */ -#define RTP_TIMEOUT 180 /* seconds */ - -#endif /* __KERNEL__ */ - -/* SIP Request */ -#define SIP_INVITE 0x01 -#define SIP_ACK 0x02 -#define SIP_BYE 0x04 -/* SIP Response */ -#define SIP_100 0x10 -#define SIP_200 0x20 -#define SIP_200_BYE 0x40 -/* SIP session direction */ -#define SIP_OUTGOING 0 -#define SIP_INCOMING 1 - -enum ip_ct_conntype -{ - CONN_SIP, - CONN_RTP, - CONN_RTCP, -}; - -/* This structure is per expected connection */ -struct ip_ct_sip_expect -{ - u_int16_t port; /* TCP port that was to be used */ - - enum ip_ct_conntype type; - int nated; -}; - -/* This structure exists only once per master */ -struct ip_ct_sip_master { - int mangled; - u_int16_t rtpport; -}; - -extern u_int16_t find_sdp_audio_port(const char *data, size_t dlen, - unsigned int *numoff, unsigned int *numlen); -extern int find_sdp_rtp_addr(const char *data, size_t dlen, - unsigned int *numoff, unsigned int *numlen, u_int32_t *addr); -#endif /* _IP_CONNTRACK_SIP_H */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_tftp.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_tftp.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_tftp.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,13 +0,0 @@ -#ifndef _IP_CT_TFTP -#define _IP_CT_TFTP - -#define TFTP_PORT 69 - -struct tftphdr { - u_int16_t opcode; -}; - -#define TFTP_OPCODE_READ 1 -#define TFTP_OPCODE_WRITE 2 - -#endif /* _IP_CT_TFTP */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_tuple.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2002-02-25 11:38:13.000000000 -0800 @@ -14,7 +14,7 @@ union ip_conntrack_manip_proto { /* Add other protocols here. */ - u_int32_t all; + u_int16_t all; struct { u_int16_t port; @@ -25,9 +25,6 @@ struct { u_int16_t id; } icmp; - struct { - u_int32_t key; - } gre; }; /* The manipulable part of the tuple. */ @@ -47,7 +44,7 @@ u_int32_t ip; union { /* Add other protocols here. */ - u_int64_t all; + u_int16_t all; struct { u_int16_t port; @@ -58,11 +55,6 @@ struct { u_int8_t type, code; } icmp; - struct { - u_int16_t protocol; - u_int8_t version; - u_int32_t key; - } gre; } u; /* The protocol. */ @@ -80,16 +72,10 @@ #ifdef __KERNEL__ #define DUMP_TUPLE(tp) \ -DEBUGP("tuple %p: %u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", \ +DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n", \ (tp), (tp)->dst.protonum, \ - NIPQUAD((tp)->src.ip), ntohl((tp)->src.u.all), \ - NIPQUAD((tp)->dst.ip), ntohl((tp)->dst.u.all)) - -#define DUMP_TUPLE_RAW(x) \ - DEBUGP("tuple %p: %u %u.%u.%u.%u:0x%08x -> %u.%u.%u.%u:0x%08x\n",\ - (x), (x)->dst.protonum, \ - NIPQUAD((x)->src.ip), ntohl((x)->src.u.all), \ - NIPQUAD((x)->dst.ip), ntohl((x)->dst.u.all)) + NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all), \ + NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all)) #define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_udp.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_udp.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_conntrack_udp.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_conntrack_udp.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,6 +0,0 @@ -#ifndef _IP_CONNTRACK_UDP_H -#define _IP_CONNTRACK_UDP_H - -#define UDP_TIMEOUT 0 -#define UDP_STREAM_TIMEOUT 1 -#endif /* _IP_CONNTRACK_UDP_H */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_nat_helper.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_nat_helper.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_nat_helper.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_nat_helper.h 2005-11-08 06:24:52.000000000 -0800 @@ -50,13 +50,6 @@ unsigned int match_len, char *rep_buffer, unsigned int rep_len); -extern int ip_nat_mangle_udp_packet(struct sk_buff **skb, - struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo, - unsigned int match_offset, - unsigned int match_len, - char *rep_buffer, - unsigned int rep_len); extern int ip_nat_seq_adjust(struct sk_buff *skb, struct ip_conntrack *ct, enum ip_conntrack_info ctinfo); diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_nat_pptp.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_nat_pptp.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_nat_pptp.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_nat_pptp.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,11 +0,0 @@ -/* PPTP constants and structs */ -#ifndef _NAT_PPTP_H -#define _NAT_PPTP_H - -/* conntrack private data */ -struct ip_nat_pptp { - u_int16_t pns_call_id; /* NAT'ed PNS call id */ - u_int16_t pac_call_id; /* NAT'ed PAC call id */ -}; - -#endif /* _NAT_PPTP_H */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_pool.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_pool.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ip_pool.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ip_pool.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,64 +0,0 @@ -#ifndef _IP_POOL_H -#define _IP_POOL_H - -/***************************************************************************/ -/* This program is free software; you can redistribute it and/or modify */ -/* it under the terms of the GNU General Public License as published by */ -/* the Free Software Foundation; either version 2 of the License, or */ -/* (at your option) any later version. */ -/* */ -/* This program is distributed in the hope that it will be useful, */ -/* but WITHOUT ANY WARRANTY; without even the implied warranty of */ -/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */ -/* GNU General Public License for more details. */ -/* */ -/* You should have received a copy of the GNU General Public License */ -/* along with this program; if not, write to the Free Software */ -/* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/ -/***************************************************************************/ - -/* A sockopt of such quality has hardly ever been seen before on the open - * market! This little beauty, hardly ever used: above 64, so it's - * traditionally used for firewalling, not touched (even once!) by the - * 2.0, 2.2 and 2.4 kernels! - * - * Comes with its own certificate of authenticity, valid anywhere in the - * Free world! - * - * Rusty, 19.4.2000 - */ -#define SO_IP_POOL 81 - -typedef int ip_pool_t; /* pool index */ -#define IP_POOL_NONE ((ip_pool_t)-1) - -struct ip_pool_request { - int op; - ip_pool_t index; - u_int32_t addr; - u_int32_t addr2; -}; - -/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */ - -#define IP_POOL_BAD001 0x00000010 - -#define IP_POOL_FLUSH 0x00000011 /* req.index, no arguments */ -#define IP_POOL_INIT 0x00000012 /* from addr to addr2 incl. */ -#define IP_POOL_DESTROY 0x00000013 /* req.index, no arguments */ -#define IP_POOL_ADD_ADDR 0x00000014 /* add addr to pool */ -#define IP_POOL_DEL_ADDR 0x00000015 /* del addr from pool */ -#define IP_POOL_HIGH_NR 0x00000016 /* result in req.index */ -#define IP_POOL_LOOKUP 0x00000017 /* result in addr and addr2 */ -#define IP_POOL_USAGE 0x00000018 /* result in addr */ -#define IP_POOL_TEST_ADDR 0x00000019 /* result (0/1) returned */ - -#ifdef __KERNEL__ - -/* NOTE: ip_pool_match() and ip_pool_mod() expect ADDR to be host byte order */ -extern int ip_pool_match(ip_pool_t pool, u_int32_t addr); -extern int ip_pool_mod(ip_pool_t pool, u_int32_t addr, int isdel); - -#endif - -#endif /*_IP_POOL_H*/ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_mport.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_mport.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_mport.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_mport.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,24 +0,0 @@ -#ifndef _IPT_MPORT_H -#define _IPT_MPORT_H -#include - -#define IPT_MPORT_SOURCE (1<<0) -#define IPT_MPORT_DESTINATION (1<<1) -#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION) - -#define IPT_MULTI_PORTS 15 - -/* Must fit inside union ipt_matchinfo: 32 bytes */ -/* every entry in ports[] except for the last one has one bit in pflags - * associated with it. If this bit is set, the port is the first port of - * a portrange, with the next entry being the last. - * End of list is marked with pflags bit set and port=65535. - * If 14 ports are used (last one does not have a pflag), the last port - * is repeated to fill the last entry in ports[] */ -struct ipt_mport -{ - u_int8_t flags:2; /* Type of comparison */ - u_int16_t pflags:14; /* Port flags */ - u_int16_t ports[IPT_MULTI_PORTS]; /* Ports */ -}; -#endif /*_IPT_MPORT_H*/ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_pool.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_pool.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_pool.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_pool.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,25 +0,0 @@ -#ifndef _IPT_POOL_H -#define _IPT_POOL_H - -#include - -#define IPT_POOL_INV_SRC 0x00000001 -#define IPT_POOL_INV_DST 0x00000002 -#define IPT_POOL_DEL_SRC 0x00000004 -#define IPT_POOL_DEL_DST 0x00000008 -#define IPT_POOL_INV_MOD_SRC 0x00000010 -#define IPT_POOL_INV_MOD_DST 0x00000020 -#define IPT_POOL_MOD_SRC_ACCEPT 0x00000040 -#define IPT_POOL_MOD_DST_ACCEPT 0x00000080 -#define IPT_POOL_MOD_SRC_DROP 0x00000100 -#define IPT_POOL_MOD_DST_DROP 0x00000200 - -/* match info */ -struct ipt_pool_info -{ - ip_pool_t src; - ip_pool_t dst; - unsigned flags; -}; - -#endif /*_IPT_POOL_H*/ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_time.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_time.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_time.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_time.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,13 +0,0 @@ -#ifndef __ipt_time_h_included__ -#define __ipt_time_h_included__ - - -struct ipt_time_info { - unsigned int days_match; /* 1 bit per day (bit 0 = Sunday) */ - unsigned int time_start; /* 0 < time_start < 24*60*60-1 = 86399 */ - unsigned int time_stop; /* 0 < time_end < 24*60*60-1 = 86399 */ - int kerneltime; /* ignore skb time (and use kerneltime) or not. */ -}; - - -#endif /* __ipt_time_h_included__ */ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_TRIGGER.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_TRIGGER.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_TRIGGER.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_TRIGGER.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,24 +0,0 @@ -#ifndef _IPT_TRIGGER_H_target -#define _IPT_TRIGGER_H_target - -#define TRIGGER_TIMEOUT 600 /* 600 secs */ - -enum ipt_trigger_type -{ - IPT_TRIGGER_DNAT = 1, - IPT_TRIGGER_IN = 2, - IPT_TRIGGER_OUT = 3 -}; - -struct ipt_trigger_ports { - u_int16_t mport[2]; /* Related destination port range */ - u_int16_t rport[2]; /* Port range to map related destination port range to */ -}; - -struct ipt_trigger_info { - enum ipt_trigger_type type; - u_int16_t proto; /* Related protocol */ - struct ipt_trigger_ports ports; -}; - -#endif /*_IPT_TRIGGER_H_target*/ diff -ruN linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_webstr.h linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_webstr.h --- linux-2.4.20-WRTup/include/linux/netfilter_ipv4/ipt_webstr.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/include/linux/netfilter_ipv4/ipt_webstr.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,28 +0,0 @@ -#ifndef _IPT_WEBSTR_H -#define _IPT_WEBSTR_H - -#define BM_MAX_NLEN 256 -#define BM_MAX_HLEN 1024 - -#define BLK_JAVA 0x01 -#define BLK_ACTIVE 0x02 -#define BLK_COOKIE 0x04 -#define BLK_PROXY 0x08 - -typedef char *(*proc_ipt_search) (char *, char *, int, int); - -struct ipt_webstr_info { - char string[BM_MAX_NLEN]; - u_int16_t invert; - u_int16_t len; - u_int8_t type; -}; - -enum ipt_webstr_type -{ - IPT_WEBSTR_HOST, - IPT_WEBSTR_URL, - IPT_WEBSTR_CONTENT -}; - -#endif /* _IPT_WEBSTR_H */ diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/Config.in linux-2.4.20-WRTstp/net/ipv4/netfilter/Config.in --- linux-2.4.20-WRTup/net/ipv4/netfilter/Config.in 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/Config.in 2005-11-08 06:24:53.000000000 -0800 @@ -7,13 +7,7 @@ tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK - dep_tristate ' TFTP protocol support' CONFIG_IP_NF_TFTP $CONFIG_IP_NF_CONNTRACK - dep_tristate ' H.323 (netmeeting) support' CONFIG_IP_NF_H323 $CONFIG_IP_NF_CONNTRACK dep_tristate ' IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK - dep_tristate ' MMS protocol support' CONFIG_IP_NF_MMS $CONFIG_IP_NF_CONNTRACK - dep_tristate ' GRE protocol support' CONFIG_IP_NF_CT_PROTO_GRE $CONFIG_IP_NF_CONNTRACK - dep_tristate ' PPTP protocol support' CONFIG_IP_NF_PPTP $CONFIG_IP_NF_CT_PROTO_GRE - dep_tristate ' SIP protocol support' CONFIG_IP_NF_SIP $CONFIG_IP_NF_CONNTRACK fi if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then @@ -23,19 +17,11 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then # The simple matches. dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES - - dep_tristate ' IP address pool support' CONFIG_IP_NF_POOL $CONFIG_IP_NF_IPTABLES - if [ "$CONFIG_IP_NF_POOL" = "y" -o "$CONFIG_IP_NF_POOL" = "m" ]; then - bool ' enable statistics on pool usage' CONFIG_IP_POOL_STATISTICS n - fi - dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES - dep_tristate ' Multiple port with ranges match support' CONFIG_IP_NF_MATCH_MPORT $CONFIG_IP_NF_IPTABLES dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES - dep_tristate ' TIME match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_TIME $CONFIG_IP_NF_IPTABLES dep_tristate ' ECN match support' CONFIG_IP_NF_MATCH_ECN $CONFIG_IP_NF_IPTABLES dep_tristate ' DSCP match support' CONFIG_IP_NF_MATCH_DSCP $CONFIG_IP_NF_IPTABLES @@ -53,7 +39,6 @@ fi if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES - dep_tristate ' Webstr match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_WEBSTR $CONFIG_IP_NF_IPTABLES dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_OWNER $CONFIG_IP_NF_IPTABLES fi # The targets @@ -71,36 +56,6 @@ define_bool CONFIG_IP_NF_NAT_NEEDED y dep_tristate ' MASQUERADE target support' CONFIG_IP_NF_TARGET_MASQUERADE $CONFIG_IP_NF_NAT dep_tristate ' REDIRECT target support' CONFIG_IP_NF_TARGET_REDIRECT $CONFIG_IP_NF_NAT - dep_tristate ' Automatic port forwarding (autofw) target support' CONFIG_IP_NF_AUTOFW $CONFIG_IP_NF_NAT - dep_tristate ' TRIGGER target support (port-trigger)' CONFIG_IP_NF_TARGET_TRIGGER $CONFIG_IP_NF_NAT - if [ "$CONFIG_IP_NF_H323" = "m" ]; then - define_tristate CONFIG_IP_NF_NAT_H323 m - else - if [ "$CONFIG_IP_NF_H323" = "y" ]; then - define_tristate CONFIG_IP_NF_NAT_H323 $CONFIG_IP_NF_NAT - fi - fi - if [ "$CONFIG_IP_NF_PPTP" = "m" ]; then - define_tristate CONFIG_IP_NF_NAT_PPTP m - else - if [ "$CONFIG_IP_NF_PPTP" = "y" ]; then - define_tristate CONFIG_IP_NF_NAT_PPTP $CONFIG_IP_NF_NAT - fi - fi - if [ "$CONFIG_IP_NF_SIP" = "m" ]; then - define_tristate CONFIG_IP_NF_NAT_SIP m - else - if [ "$CONFIG_IP_NF_SIP" = "y" ]; then - define_tristate CONFIG_IP_NF_NAT_SIP $CONFIG_IP_NF_NAT - fi - fi - if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "m" ]; then - define_tristate CONFIG_IP_NF_NAT_PROTO_GRE m - else - if [ "$CONFIG_IP_NF_CT_PROTO_GRE" = "y" ]; then - define_tristate CONFIG_IP_NF_NAT_PROTO_GRE $CONFIG_IP_NF_NAT - fi - fi bool ' NAT of local connections (READ HELP)' CONFIG_IP_NF_NAT_LOCAL if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then dep_tristate ' Basic SNMP-ALG support (EXPERIMENTAL)' CONFIG_IP_NF_NAT_SNMP_BASIC $CONFIG_IP_NF_NAT @@ -112,29 +67,15 @@ define_tristate CONFIG_IP_NF_NAT_IRC $CONFIG_IP_NF_NAT fi fi - if [ "$CONFIG_IP_NF_MMS" = "m" ]; then - define_tristate CONFIG_IP_NF_NAT_MMS m - else - if [ "$CONFIG_IP_NF_MMS" = "y" ]; then - define_tristate CONFIG_IP_NF_NAT_MMS $CONFIG_IP_NF_NAT - fi - fi # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh. if [ "$CONFIG_IP_NF_FTP" = "m" ]; then - define_tristate CONFIG_IP_NF_NAT_FTP m + define_tristate CONFIG_IP_NF_NAT_FTP m else if [ "$CONFIG_IP_NF_FTP" = "y" ]; then define_tristate CONFIG_IP_NF_NAT_FTP $CONFIG_IP_NF_NAT fi fi - if [ "$CONFIG_IP_NF_TFTP" = "m" ]; then - define_tristate CONFIG_IP_NF_NAT_TFTP m - else - if [ "$CONFIG_IP_NF_TFTP" = "y" ]; then - define_tristate CONFIG_IP_NF_NAT_TFTP $CONFIG_IP_NF_NAT - fi - fi fi fi diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_autofw.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_autofw.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_autofw.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_autofw.c 1969-12-31 16:00:00.000000000 -0800 @@ -1,320 +0,0 @@ -/* - * Automatic port forwarding target. When this target is entered, a - * related connection to a port in the reply direction will be - * expected. This connection may be mapped to a different port. - * - * Copyright 2005, Broadcom Corporation - * All Rights Reserved. - * - * THIS SOFTWARE IS OFFERED "AS IS", AND BROADCOM GRANTS NO WARRANTIES OF ANY - * KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. BROADCOM - * SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS - * FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE. - * - * $Id: ip_autofw.c,v 1.1.1.7 2005/03/07 07:31:10 kanki Exp $ - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -DECLARE_LOCK(ip_autofw_lock); - -#define DEBUGP(format, args...) - -static unsigned int -autofw_nat_help(struct ip_conntrack *ct, - struct ip_conntrack_expect *exp, - struct ip_nat_info *info, - enum ip_conntrack_info ctinfo, - unsigned int hooknum, - struct sk_buff **pskb) -{ - return NF_ACCEPT; -} - -static unsigned int -autofw_nat_expected(struct sk_buff **pskb, - unsigned int hooknum, - struct ip_conntrack *ct, - struct ip_nat_info *info) -{ - struct ip_nat_multi_range mr; - u_int32_t newdstip, newsrcip, newip; - u_int16_t port; - struct ip_conntrack *master = master_ct(ct); - - IP_NF_ASSERT(info); - IP_NF_ASSERT(master); - - IP_NF_ASSERT(!(info->initialized & (1<tuplehash[IP_CT_DIR_ORIGINAL].tuple); - - LOCK_BH(&ip_autofw_lock); - - port = ntohs(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.all); - newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; -#ifdef NEW_PORT_TRIG - newsrcip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; -#else - newsrcip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; -#endif - - if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) - newip = newsrcip; - else { - if (port < ntohs(ct->master->help.exp_autofw_info.dport[0]) || - port > ntohs(ct->master->help.exp_autofw_info.dport[1])) { - UNLOCK_BH(&ip_autofw_lock); - return NF_DROP; - } - newip = newdstip; - } - - mr.rangesize = 1; - /* We don't want to manip the per-protocol, just the IPs... */ - mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; - mr.range[0].min_ip = mr.range[0].max_ip = newip; - - /* ... unless we're doing a MANIP_DST, in which case, make - sure we map to the correct port */ - port -= ntohs(ct->master->help.exp_autofw_info.dport[0]); - port += ntohs(ct->master->help.exp_autofw_info.to[0]); - if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) { - mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED; - mr.range[0].min = mr.range[0].max - = ((union ip_conntrack_manip_proto) - { htons(port) }); - DEBUGP("autofw_nat_expected: to %u.%u.%u.%u:%hu\n", NIPQUAD(newip), port); - } - - UNLOCK_BH(&ip_autofw_lock); - - return ip_nat_setup_info(ct, &mr, hooknum); -} - - -#ifdef NEW_PORT_TRIG - -static int autofw_ct_help(const struct iphdr *iph, size_t len, - struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo) -{ - ip_ct_refresh(ct, (AUTOFW_MASTER_TIMEOUT * HZ)); - return NF_ACCEPT; -} - -static struct ip_conntrack_helper autofw_ct_helper = - { { NULL, NULL }, - "autofw", /* name */ - IP_CT_HELPER_F_REUSE_EXPECT, /* flags */ - NULL, /* module */ - 100, /* max_ expected */ - 0, /* timeout */ - { { 0, { 0 } }, /* tuple */ - { 0, { 0 }, IPPROTO_TCP } }, - { { 0, { 0xFFFF } }, /* mask */ - { 0, { 0 }, 0xFFFF } }, - autofw_ct_help /* helper */ - }; - -#endif /* NEW_PORT_TRIG */ - -static struct ip_nat_helper autofw_nat_helper = - { { NULL, NULL }, - "autofw", /* name */ - 0, /* flags */ - NULL, /* module */ - { { 0, { 0 } }, /* tuple */ - { 0, { 0 }, 0 } }, - { { 0, { 0 } }, /* mask */ - { 0, { 0 }, 0 } }, - autofw_nat_help, /* helper */ - autofw_nat_expected }; /* expectfn */ - -static int -autofw_expect(struct ip_conntrack *ct) -{ - u_int16_t port; - struct ip_conntrack_expect expect, *exp = &expect; - - DEBUGP("autofw_expect: got "); - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); - - LOCK_BH(&ip_autofw_lock); - - port = ntohs(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.all); - if (port >= ntohs(ct->master->help.exp_autofw_info.dport[0]) && - port <= ntohs(ct->master->help.exp_autofw_info.dport[1])) { - WRITE_LOCK(&ip_conntrack_lock); - /* This is so perverse. Pretend like we were expecting to NAT all along. */ - master_ct(ct)->nat.info.helper = &autofw_nat_helper; -#ifdef NEW_PORT_TRIG - master_ct(ct)->helper = &autofw_ct_helper; -#endif - DEBUGP("autofw_expect: helper for %p added\n", ct); - WRITE_UNLOCK(&ip_conntrack_lock); - } - - /* This is even more perverse. Expect it again. */ - memset(exp, 0, sizeof(struct ip_conntrack_expect)); -#ifdef NEW_PORT_TRIG - exp->tuple.dst.u.udp.port = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.all; - exp->mask.dst.u.udp.port = 0xFFFF; -#else - exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; - exp->mask.src.ip = 0xFFFFFFFF; -#endif - exp->tuple.dst.protonum = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum; - exp->mask.dst.protonum = 0xFFFF; - exp->expectfn = autofw_expect; - exp->help.exp_autofw_info.dport[0] = ct->master->help.exp_autofw_info.dport[0]; - exp->help.exp_autofw_info.dport[1] = ct->master->help.exp_autofw_info.dport[1]; - exp->help.exp_autofw_info.to[0] = ct->master->help.exp_autofw_info.to[0]; - exp->help.exp_autofw_info.to[1] = ct->master->help.exp_autofw_info.to[1]; - - DEBUGP("autofw_expect: expecting "); - DUMP_TUPLE(&exp->tuple); - - /* Ignore failure; should only happen with NAT */ - ip_conntrack_expect_related(master_ct(ct), exp); - - UNLOCK_BH(&ip_autofw_lock); - - return NF_ACCEPT; /* unused */ -} - - -static unsigned int -target(struct sk_buff **pskb, - unsigned int hooknum, - const struct net_device *in, - const struct net_device *out, - const void *targinfo, - void *userinfo) -{ - const struct ip_autofw_info *info = targinfo; -#ifndef NEW_PORT_TRIG - const struct iphdr *iph = (*pskb)->nh.iph; -#endif - struct ip_conntrack *ct; - enum ip_conntrack_info ctinfo; - struct ip_conntrack_expect expect, *exp = &expect; -#ifdef NEW_PORT_TRIG - u_int16_t port; -#endif - - if (!(ct = ip_conntrack_get(*pskb, &ctinfo))) - return IPT_CONTINUE; - - LOCK_BH(&ip_autofw_lock); - -#ifdef NEW_PORT_TRIG - for (port = ntohs(info->dport[0]); port <= ntohs(info->dport[1]); port++) { - memset(exp, 0, sizeof(struct ip_conntrack_expect)); - exp->tuple.dst.protonum = info->proto; - exp->tuple.dst.u.udp.port = htons(port); - exp->mask.dst.protonum = 0xFFFF; - exp->mask.dst.u.udp.port = 0xFFFF; - - exp->expectfn = autofw_expect; - exp->help.exp_autofw_info.dport[0] = info->dport[0]; - exp->help.exp_autofw_info.dport[1] = info->dport[1]; - exp->help.exp_autofw_info.to[0] = info->to[0]; - exp->help.exp_autofw_info.to[1] = info->to[1]; - - DEBUGP("autofw_expect: expecting "); - DUMP_TUPLE(&exp->tuple); - - /* Ignore failure; should only happen with NAT */ - ip_conntrack_expect_related(ct, exp); - } -#else - memset(exp, 0, sizeof(struct ip_conntrack_expect)); - exp->tuple.src.ip = iph->daddr; - exp->tuple.dst.protonum = info->proto; - exp->mask.src.ip = 0xFFFFFFFF; - exp->mask.dst.protonum = 0xFFFF; - exp->expectfn = autofw_expect; - exp->help.exp_autofw_info.dport[0] = info->dport[0]; - exp->help.exp_autofw_info.dport[1] = info->dport[1]; - exp->help.exp_autofw_info.to[0] = info->to[0]; - exp->help.exp_autofw_info.to[1] = info->to[1]; - - DEBUGP("autofw_expect: expecting "); - DUMP_TUPLE(&exp->tuple); - - /* Ignore failure; should only happen with NAT */ - ip_conntrack_expect_related(ct, exp); -#endif - - UNLOCK_BH(&ip_autofw_lock); - - return IPT_CONTINUE; -} - -/* Must specify -p tcp/udp --dport port */ -static int -checkentry(const char *tablename, - const struct ipt_entry *e, - void *targinfo, - unsigned int targinfosize, - unsigned int hook_mask) -{ - const struct ip_autofw_info *info = targinfo; - - if (strcmp(tablename, "nat") != 0) { - DEBUGP("autofw_check: bad table `%s'.\n", tablename); - return 0; - } - if (targinfosize != IPT_ALIGN(sizeof(*info))) { - DEBUGP("autofw_check: size %u != %u.\n", - targinfosize, sizeof(*info)); - return 0; - } - if (hook_mask & ~(1 << NF_IP_PRE_ROUTING)) { - DEBUGP("autofw_check: bad hooks %x.\n", hook_mask); - return 0; - } - if (info->proto != IPPROTO_TCP && info->proto != IPPROTO_UDP) { - DEBUGP("autofw_check: bad proto %d.\n", info->proto); - return 0; - } - - return 1; -} - -static struct ipt_target autofw_target -= { { NULL, NULL }, "autofw", - target, checkentry, NULL, THIS_MODULE }; - -static int __init init(void) -{ - return ipt_register_target(&autofw_target); -} - -static void __exit fini(void) -{ - ipt_unregister_target(&autofw_target); -} - -module_init(init); -module_exit(fini); diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_core.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_core.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_core.c 2005-11-08 06:24:53.000000000 -0800 @@ -66,29 +66,6 @@ struct list_head *ip_conntrack_hash; static kmem_cache_t *ip_conntrack_cachep; -#define SECS * HZ -#define MINS * 60 SECS -#define HOURS * 60 MINS -#define DAYS * 24 HOURS - -int sysctl_ip_conntrack_tcp_timeouts[10] = { - 30 MINS, /* TCP_CONNTRACK_NONE, */ - 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */ - 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */ - 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */ - 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */ - 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */ - 10 SECS, /* TCP_CONNTRACK_CLOSE, */ - 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */ - 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */ - 2 MINS, /* TCP_CONNTRACK_LISTEN, */ -}; - -int sysctl_ip_conntrack_udp_timeouts[2] = { - 30 SECS, /* UNREPLIED */ - 180 SECS /* ASSURED */ -}; - extern struct ip_conntrack_protocol ip_conntrack_generic_protocol; static inline int proto_cmpfn(const struct ip_conntrack_protocol *curr, @@ -167,8 +144,6 @@ tuple->dst.ip = iph->daddr; tuple->dst.protonum = iph->protocol; - tuple->src.u.all = tuple->dst.u.all = 0; - ret = protocol->pkt_to_tuple((u_int32_t *)iph + iph->ihl, len - 4*iph->ihl, tuple); @@ -184,8 +159,6 @@ inverse->dst.ip = orig->src.ip; inverse->dst.protonum = orig->dst.protonum; - inverse->src.u.all = inverse->dst.u.all = 0; - return protocol->invert_tuple(inverse, orig); } @@ -203,8 +176,8 @@ static void destroy_expect(struct ip_conntrack_expect *exp) { - DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(&exp->use)); - IP_NF_ASSERT(atomic_read(&exp->use)); + DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(exp->use)); + IP_NF_ASSERT(atomic_read(exp->use)); IP_NF_ASSERT(!timer_pending(&exp->timeout)); kfree(exp); @@ -274,11 +247,11 @@ static void unexpect_related(struct ip_conntrack_expect *expect) { IP_NF_ASSERT(expect->expectant); + IP_NF_ASSERT(expect->expectant->helper); /* if we are supposed to have a timer, but we can't delete * it: race condition. __unexpect_related will * be calledd by timeout function */ - if (expect->expectant->helper - && expect->expectant->helper->timeout + if (expect->expectant->helper->timeout && !del_timer(&expect->timeout)) return; @@ -733,7 +706,6 @@ /* If the expectation is dying, then this is a looser. */ if (expected - && expected->expectant->helper && expected->expectant->helper->timeout && ! del_timer(&expected->timeout)) expected = NULL; @@ -752,14 +724,13 @@ conntrack->master = expected; expected->sibling = conntrack; LIST_DELETE(&ip_conntrack_expect_list, expected); - INIT_LIST_HEAD(&expected->list); expected->expectant->expecting--; nf_conntrack_get(&master_ct(conntrack)->infos[0]); } atomic_inc(&ip_conntrack_count); WRITE_UNLOCK(&ip_conntrack_lock); - if (expected && is_confirmed(expected->expectant) && expected->expectfn) + if (expected && expected->expectfn) expected->expectfn(conntrack); return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL]; } @@ -965,8 +936,8 @@ * so there is no need to use the tuple lock too */ DEBUGP("ip_conntrack_expect_related %p\n", related_to); - DEBUGP("tuple: "); DUMP_TUPLE_RAW(&expect->tuple); - DEBUGP("mask: "); DUMP_TUPLE_RAW(&expect->mask); + DEBUGP("tuple: "); DUMP_TUPLE(&expect->tuple); + DEBUGP("mask: "); DUMP_TUPLE(&expect->mask); old = LIST_FIND(&ip_conntrack_expect_list, resent_expect, struct ip_conntrack_expect *, &expect->tuple, @@ -976,8 +947,7 @@ pointing into the payload - otherwise we should have to copy the data filled out by the helper over the old one */ DEBUGP("expect_related: resent packet\n"); - if (related_to->helper && - related_to->helper->timeout) { + if (related_to->helper->timeout) { if (!del_timer(&old->timeout)) { /* expectation is dying. Fall through */ old = NULL; @@ -992,33 +962,27 @@ WRITE_UNLOCK(&ip_conntrack_lock); return -EEXIST; } - } else if (related_to->helper && - related_to->helper->max_expected && + } else if (related_to->helper->max_expected && related_to->expecting >= related_to->helper->max_expected) { struct list_head *cur_item; /* old == NULL */ + if (net_ratelimit()) + printk(KERN_WARNING + "ip_conntrack: max number of expected " + "connections %i of %s reached for " + "%u.%u.%u.%u->%u.%u.%u.%u%s\n", + related_to->helper->max_expected, + related_to->helper->name, + NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip), + NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip), + related_to->helper->flags & IP_CT_HELPER_F_REUSE_EXPECT ? + ", reusing" : ""); if (!(related_to->helper->flags & IP_CT_HELPER_F_REUSE_EXPECT)) { WRITE_UNLOCK(&ip_conntrack_lock); - if (net_ratelimit()) - printk(KERN_WARNING - "ip_conntrack: max number of expected " - "connections %i of %s reached for " - "%u.%u.%u.%u->%u.%u.%u.%u\n", - related_to->helper->max_expected, - related_to->helper->name, - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip), - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip)); return -EPERM; } - DEBUGP("ip_conntrack: max number of expected " - "connections %i of %s reached for " - "%u.%u.%u.%u->%u.%u.%u.%u, reusing\n", - related_to->helper->max_expected, - related_to->helper->name, - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip), - NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip)); - + /* choose the the oldest expectation to evict */ list_for_each(cur_item, &related_to->sibling_list) { struct ip_conntrack_expect *cur; @@ -1077,8 +1041,7 @@ /* add to global list of expectations */ list_prepend(&ip_conntrack_expect_list, &new->list); /* add and start timer if required */ - if (related_to->helper && - related_to->helper->timeout) { + if (related_to->helper->timeout) { init_timer(&new->timeout); new->timeout.data = (unsigned long)new; new->timeout.function = expectation_timed_out; @@ -1101,10 +1064,11 @@ MUST_BE_READ_LOCKED(&ip_conntrack_lock); WRITE_LOCK(&ip_conntrack_expect_tuple_lock); + DEBUGP("change_expect:\n"); - DEBUGP("exp tuple: "); DUMP_TUPLE_RAW(&expect->tuple); - DEBUGP("exp mask: "); DUMP_TUPLE_RAW(&expect->mask); - DEBUGP("newtuple: "); DUMP_TUPLE_RAW(newtuple); + DEBUGP("exp tuple: "); DUMP_TUPLE(&expect->tuple); + DEBUGP("exp mask: "); DUMP_TUPLE(&expect->mask); + DEBUGP("newtuple: "); DUMP_TUPLE(newtuple); if (expect->ct_tuple.dst.protonum == 0) { /* Never seen before */ DEBUGP("change expect: never seen before\n"); @@ -1382,8 +1346,6 @@ 0, NULL }; #define NET_IP_CONNTRACK_MAX 2089 -#define NET_IP_CONNTRACK_TCP_TIMEOUTS 2090 -#define NET_IP_CONNTRACK_UDP_TIMEOUTS 2091 #define NET_IP_CONNTRACK_MAX_NAME "ip_conntrack_max" #ifdef CONFIG_SYSCTL @@ -1392,14 +1354,6 @@ static ctl_table ip_conntrack_table[] = { { NET_IP_CONNTRACK_MAX, NET_IP_CONNTRACK_MAX_NAME, &ip_conntrack_max, sizeof(ip_conntrack_max), 0644, NULL, proc_dointvec }, - { NET_IP_CONNTRACK_TCP_TIMEOUTS, "ip_conntrack_tcp_timeouts", - &sysctl_ip_conntrack_tcp_timeouts, - sizeof(sysctl_ip_conntrack_tcp_timeouts), - 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies }, - { NET_IP_CONNTRACK_UDP_TIMEOUTS, "ip_conntrack_udp_timeouts", - &sysctl_ip_conntrack_udp_timeouts, - sizeof(sysctl_ip_conntrack_udp_timeouts), - 0644, NULL, &proc_dointvec_jiffies, &sysctl_jiffies }, { 0 } }; diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_h323.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_h323.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_h323.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_h323.c 1969-12-31 16:00:00.000000000 -0800 @@ -1,302 +0,0 @@ -/* - * H.323 'brute force' extension for H.323 connection tracking. - * Jozsef Kadlecsik - * - * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project. - * (http://www.coritel.it/projects/sofia/nat/) - * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind' - * the unregistered helpers to the conntrack entries. - */ - - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -MODULE_AUTHOR("Jozsef Kadlecsik "); -MODULE_DESCRIPTION("H.323 'brute force' connection tracking module"); -MODULE_LICENSE("GPL"); - -DECLARE_LOCK(ip_h323_lock); -struct module *ip_conntrack_h323 = THIS_MODULE; - -#define DEBUGP(format, args...) - -static int h245_help(const struct iphdr *iph, size_t len, - struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo) -{ - struct tcphdr *tcph = (void *)iph + iph->ihl * 4; - unsigned char *data = (unsigned char *) tcph + tcph->doff * 4; - unsigned char *data_limit; - u_int32_t tcplen = len - iph->ihl * 4; - u_int32_t datalen = tcplen - tcph->doff * 4; - int dir = CTINFO2DIR(ctinfo); - struct ip_ct_h225_master *info = &ct->help.ct_h225_info; - struct ip_conntrack_expect expect, *exp = &expect; - struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info; - u_int16_t data_port; - u_int32_t data_ip; - unsigned int i; - - DEBUGP("ct_h245_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", - NIPQUAD(iph->saddr), ntohs(tcph->source), - NIPQUAD(iph->daddr), ntohs(tcph->dest)); - - /* Can't track connections formed before we registered */ - if (!info) - return NF_ACCEPT; - - /* Until there's been traffic both ways, don't look in packets. */ - if (ctinfo != IP_CT_ESTABLISHED - && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { - DEBUGP("ct_h245_help: Conntrackinfo = %u\n", ctinfo); - return NF_ACCEPT; - } - - /* Not whole TCP header or too short packet? */ - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) { - DEBUGP("ct_h245_help: tcplen = %u\n", (unsigned)tcplen); - return NF_ACCEPT; - } - - /* Checksum invalid? Ignore. */ - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, - csum_partial((char *)tcph, tcplen, 0))) { - DEBUGP("ct_h245_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", - tcph, tcplen, NIPQUAD(iph->saddr), - NIPQUAD(iph->daddr)); - return NF_ACCEPT; - } - - data_limit = (unsigned char *) data + datalen; - /* bytes: 0123 45 - ipadrr port */ - for (i = 0; data < (data_limit - 5); data++, i++) { - memcpy(&data_ip, data, sizeof(u_int32_t)); - if (data_ip == iph->saddr) { - memcpy(&data_port, data + 4, sizeof(u_int16_t)); - memset(&expect, 0, sizeof(expect)); - /* update the H.225 info */ - DEBUGP("ct_h245_help: new RTCP/RTP requested %u.%u.%u.%u:->%u.%u.%u.%u:%u\n", - NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), - NIPQUAD(iph->saddr), ntohs(data_port)); - LOCK_BH(&ip_h323_lock); - info->is_h225 = H225_PORT + 1; - exp_info->port = data_port; - exp_info->dir = dir; - exp_info->offset = i; - - exp->seq = ntohl(tcph->seq) + i; - - exp->tuple = ((struct ip_conntrack_tuple) - { { ct->tuplehash[!dir].tuple.src.ip, - { 0 } }, - { data_ip, - { data_port }, - IPPROTO_UDP }}); - exp->mask = ((struct ip_conntrack_tuple) - { { 0xFFFFFFFF, { 0 } }, - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }}); - - exp->expectfn = NULL; - - /* Ignore failure; should only happen with NAT */ - ip_conntrack_expect_related(ct, exp); - - UNLOCK_BH(&ip_h323_lock); - } - } - - return NF_ACCEPT; - -} - -/* H.245 helper is not registered! */ -static struct ip_conntrack_helper h245 = - { { NULL, NULL }, - "H.245", /* name */ - IP_CT_HELPER_F_REUSE_EXPECT, /* flags */ - NULL, /* module */ - 8, /* max_ expected */ - 240, /* timeout */ - { { 0, { 0 } }, /* tuple */ - { 0, { 0 }, IPPROTO_TCP } }, - { { 0, { 0xFFFF } }, /* mask */ - { 0, { 0 }, 0xFFFF } }, - h245_help /* helper */ - }; - -static int h225_expect(struct ip_conntrack *ct) -{ - WRITE_LOCK(&ip_conntrack_lock); - ct->helper = &h245; - DEBUGP("h225_expect: helper for %p added\n", ct); - WRITE_UNLOCK(&ip_conntrack_lock); - - return NF_ACCEPT; /* unused */ -} - -static int h225_help(const struct iphdr *iph, size_t len, - struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo) -{ - struct tcphdr *tcph = (void *)iph + iph->ihl * 4; - unsigned char *data = (unsigned char *) tcph + tcph->doff * 4; - unsigned char *data_limit; - u_int32_t tcplen = len - iph->ihl * 4; - u_int32_t datalen = tcplen - tcph->doff * 4; - int dir = CTINFO2DIR(ctinfo); - struct ip_ct_h225_master *info = &ct->help.ct_h225_info; - struct ip_conntrack_expect expect, *exp = &expect; - struct ip_ct_h225_expect *exp_info = &exp->help.exp_h225_info; - u_int16_t data_port; - u_int32_t data_ip; - unsigned int i; - - DEBUGP("ct_h225_help: help entered %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n", - NIPQUAD(iph->saddr), ntohs(tcph->source), - NIPQUAD(iph->daddr), ntohs(tcph->dest)); - - /* Can't track connections formed before we registered */ - if (!info) - return NF_ACCEPT; - - /* Until there's been traffic both ways, don't look in packets. */ - if (ctinfo != IP_CT_ESTABLISHED - && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { - DEBUGP("ct_h225_help: Conntrackinfo = %u\n", ctinfo); - return NF_ACCEPT; - } - - /* Not whole TCP header or too short packet? */ - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4 + 5) { - DEBUGP("ct_h225_help: tcplen = %u\n", (unsigned)tcplen); - return NF_ACCEPT; - } - - /* Checksum invalid? Ignore. */ - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, - csum_partial((char *)tcph, tcplen, 0))) { - DEBUGP("ct_h225_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", - tcph, tcplen, NIPQUAD(iph->saddr), - NIPQUAD(iph->daddr)); - return NF_ACCEPT; - } - - data_limit = (unsigned char *) data + datalen; - /* bytes: 0123 45 - ipadrr port */ - for (i = 0; data < (data_limit - 5); data++, i++) { - memcpy(&data_ip, data, sizeof(u_int32_t)); - if (data_ip == iph->saddr) { - memcpy(&data_port, data + 4, sizeof(u_int16_t)); - if (data_port == tcph->source) { - /* Signal address */ - DEBUGP("ct_h225_help: sourceCallSignalAddress from %u.%u.%u.%u\n", - NIPQUAD(iph->saddr)); - /* Update the H.225 info so that NAT can mangle the address/port - even when we have no expected connection! */ -#ifdef CONFIG_IP_NF_NAT_NEEDED - LOCK_BH(&ip_h323_lock); - info->dir = dir; - info->seq[IP_CT_DIR_ORIGINAL] = ntohl(tcph->seq) + i; - info->offset[IP_CT_DIR_ORIGINAL] = i; - UNLOCK_BH(&ip_h323_lock); -#endif - } else { - memset(&expect, 0, sizeof(expect)); - - /* update the H.225 info */ - LOCK_BH(&ip_h323_lock); - info->is_h225 = H225_PORT; - exp_info->port = data_port; - exp_info->dir = dir; - exp_info->offset = i; - - exp->seq = ntohl(tcph->seq) + i; - - exp->tuple = ((struct ip_conntrack_tuple) - { { ct->tuplehash[!dir].tuple.src.ip, - { 0 } }, - { data_ip, - { data_port }, - IPPROTO_TCP }}); - exp->mask = ((struct ip_conntrack_tuple) - { { 0xFFFFFFFF, { 0 } }, - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }}); - - exp->expectfn = h225_expect; - - /* Ignore failure */ - ip_conntrack_expect_related(ct, exp); - - DEBUGP("ct_h225_help: new H.245 requested %u.%u.%u.%u->%u.%u.%u.%u:%u\n", - NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), - NIPQUAD(iph->saddr), ntohs(data_port)); - - UNLOCK_BH(&ip_h323_lock); - } -#ifdef CONFIG_IP_NF_NAT_NEEDED - } else if (data_ip == iph->daddr) { - memcpy(&data_port, data + 4, sizeof(u_int16_t)); - if (data_port == tcph->dest) { - /* Signal address */ - DEBUGP("ct_h225_help: destCallSignalAddress %u.%u.%u.%u\n", - NIPQUAD(iph->daddr)); - /* Update the H.225 info so that NAT can mangle the address/port - even when we have no expected connection! */ - LOCK_BH(&ip_h323_lock); - info->dir = dir; - info->seq[IP_CT_DIR_REPLY] = ntohl(tcph->seq) + i; - info->offset[IP_CT_DIR_REPLY] = i; - UNLOCK_BH(&ip_h323_lock); - } -#endif - } - } - - return NF_ACCEPT; - -} - -static struct ip_conntrack_helper h225 = - { { NULL, NULL }, - "H.225", /* name */ - IP_CT_HELPER_F_REUSE_EXPECT, /* flags */ - THIS_MODULE, /* module */ - 2, /* max_expected */ - 240, /* timeout */ - { { 0, { __constant_htons(H225_PORT) } }, /* tuple */ - { 0, { 0 }, IPPROTO_TCP } }, - { { 0, { 0xFFFF } }, /* mask */ - { 0, { 0 }, 0xFFFF } }, - h225_help /* helper */ - }; - -static int __init init(void) -{ - return ip_conntrack_helper_register(&h225); -} - -static void __exit fini(void) -{ - /* Unregister H.225 helper */ - ip_conntrack_helper_unregister(&h225); -} - -#ifdef CONFIG_IP_NF_NAT_NEEDED -EXPORT_SYMBOL(ip_h323_lock); -#endif - -module_init(init); -module_exit(fini); diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_mms.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_mms.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_mms.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_mms.c 1969-12-31 16:00:00.000000000 -0800 @@ -1,292 +0,0 @@ -/* MMS extension for IP connection tracking - * (C) 2002 by Filip Sneppe - * based on ip_conntrack_ftp.c and ip_conntrack_irc.c - * - * ip_conntrack_mms.c v0.3 2002-09-22 - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version - * 2 of the License, or (at your option) any later version. - * - * Module load syntax: - * insmod ip_conntrack_mms.o ports=port1,port2,...port - * - * Please give the ports of all MMS servers You wish to connect to. - * If you don't specify ports, the default will be TCP port 1755. - * - * More info on MMS protocol, firewalls and NAT: - * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwmt/html/MMSFirewall.asp - * http://www.microsoft.com/windows/windowsmedia/serve/firewall.asp - * - * The SDP project people are reverse-engineering MMS: - * http://get.to/sdp - */ - -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include - -DECLARE_LOCK(ip_mms_lock); -struct module *ip_conntrack_mms = THIS_MODULE; - -#define MAX_PORTS 8 -static int ports[MAX_PORTS]; -static int ports_c; -#ifdef MODULE_PARM -MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); -#endif - -#define DEBUGP(format, args...) - -#ifdef CONFIG_IP_NF_NAT_NEEDED -EXPORT_SYMBOL(ip_mms_lock); -#endif - -MODULE_AUTHOR("Filip Sneppe "); -MODULE_DESCRIPTION("Microsoft Windows Media Services (MMS) connection tracking module"); -MODULE_LICENSE("GPL"); - -/* #define isdigit(c) (c >= '0' && c <= '9') */ - -/* copied from drivers/usb/serial/io_edgeport.c - not perfect but will do the trick */ -static void unicode_to_ascii (char *string, short *unicode, int unicode_size) -{ - int i; - for (i = 0; i < unicode_size; ++i) { - string[i] = (char)(unicode[i]); - } - string[unicode_size] = 0x00; -} - -__inline static int atoi(char *s) -{ - int i=0; - while (isdigit(*s)) { - i = i*10 + *(s++) - '0'; - } - return i; -} - -/* convert ip address string like "192.168.0.10" to unsigned int */ -__inline static u_int32_t asciiiptoi(char *s) -{ - unsigned int i, j, k; - - for(i=k=0; k<3; ++k, ++s, i<<=8) { - i+=atoi(s); - for(j=0; (*(++s) != '.') && (j<3); ++j) - ; - } - i+=atoi(s); - return ntohl(i); -} - -int parse_mms(const char *data, - const unsigned int datalen, - u_int32_t *mms_ip, - u_int16_t *mms_proto, - u_int16_t *mms_port, - char **mms_string_b, - char **mms_string_e, - char **mms_padding_e) -{ - int unicode_size, i; - char tempstring[28]; /* "\\255.255.255.255\UDP\65535" */ - char getlengthstring[28]; - - for(unicode_size=0; - (char) *(data+(MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2)) != (char)0; - unicode_size++) - if ((unicode_size == 28) || (MMS_SRV_UNICODE_STRING_OFFSET+unicode_size*2 >= datalen)) - return -1; /* out of bounds - incomplete packet */ - - unicode_to_ascii(tempstring, (short *)(data+MMS_SRV_UNICODE_STRING_OFFSET), unicode_size); - DEBUGP("ip_conntrack_mms: offset 60: %s\n", (const char *)(tempstring)); - - /* IP address ? */ - *mms_ip = asciiiptoi(tempstring+2); - - i=sprintf(getlengthstring, "%u.%u.%u.%u", HIPQUAD(*mms_ip)); - - /* protocol ? */ - if(strncmp(tempstring+3+i, "TCP", 3)==0) - *mms_proto = IPPROTO_TCP; - else if(strncmp(tempstring+3+i, "UDP", 3)==0) - *mms_proto = IPPROTO_UDP; - - /* port ? */ - *mms_port = atoi(tempstring+7+i); - - /* we store a pointer to the beginning of the "\\a.b.c.d\proto\port" - unicode string, one to the end of the string, and one to the end - of the packet, since we must keep track of the number of bytes - between end of the unicode string and the end of packet (padding) */ - *mms_string_b = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET); - *mms_string_e = (char *)(data + MMS_SRV_UNICODE_STRING_OFFSET + unicode_size * 2); - *mms_padding_e = (char *)(data + datalen); /* looks funny, doesn't it */ - return 0; -} - - -static int help(const struct iphdr *iph, size_t len, - struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo) -{ - /* tcplen not negative guaranteed by ip_conntrack_tcp.c */ - struct tcphdr *tcph = (void *)iph + iph->ihl * 4; - const char *data = (const char *)tcph + tcph->doff * 4; - unsigned int tcplen = len - iph->ihl * 4; - unsigned int datalen = tcplen - tcph->doff * 4; - int dir = CTINFO2DIR(ctinfo); - struct ip_conntrack_expect expect, *exp = &expect; - struct ip_ct_mms_expect *exp_mms_info = &exp->help.exp_mms_info; - - u_int32_t mms_ip; - u_int16_t mms_proto; - char mms_proto_string[8]; - u_int16_t mms_port; - char *mms_string_b, *mms_string_e, *mms_padding_e; - - /* Until there's been traffic both ways, don't look in packets. */ - if (ctinfo != IP_CT_ESTABLISHED - && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) { - DEBUGP("ip_conntrack_mms: Conntrackinfo = %u\n", ctinfo); - return NF_ACCEPT; - } - - /* Not whole TCP header? */ - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff*4) { - DEBUGP("ip_conntrack_mms: tcplen = %u\n", (unsigned)tcplen); - return NF_ACCEPT; - } - - /* Checksum invalid? Ignore. */ - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, - csum_partial((char *)tcph, tcplen, 0))) { - DEBUGP("mms_help: bad csum: %p %u %u.%u.%u.%u %u.%u.%u.%u\n", - tcph, tcplen, NIPQUAD(iph->saddr), - NIPQUAD(iph->daddr)); - return NF_ACCEPT; - } - - /* Only look at packets with 0x00030002/196610 on bytes 36->39 of TCP payload */ - if( (MMS_SRV_MSG_OFFSET < datalen) && - ((*(u32 *)(data+MMS_SRV_MSG_OFFSET)) == MMS_SRV_MSG_ID)) { - DEBUGP("ip_conntrack_mms: offset 37: %u %u %u %u, datalen:%u\n", - (u8)*(data+36), (u8)*(data+37), - (u8)*(data+38), (u8)*(data+39), - datalen); - if(parse_mms(data, datalen, &mms_ip, &mms_proto, &mms_port, - &mms_string_b, &mms_string_e, &mms_padding_e)) - if(net_ratelimit()) - printk(KERN_WARNING - "ip_conntrack_mms: Unable to parse data payload\n"); - - memset(&expect, 0, sizeof(expect)); - - sprintf(mms_proto_string, "(%u)", mms_proto); - DEBUGP("ip_conntrack_mms: adding %s expectation %u.%u.%u.%u -> %u.%u.%u.%u:%u\n", - mms_proto == IPPROTO_TCP ? "TCP" - : mms_proto == IPPROTO_UDP ? "UDP":mms_proto_string, - NIPQUAD(ct->tuplehash[!dir].tuple.src.ip), - NIPQUAD(mms_ip), - mms_port); - - /* it's possible that the client will just ask the server to tunnel - the stream over the same TCP session (from port 1755): there's - shouldn't be a need to add an expectation in that case, but it - makes NAT packet mangling so much easier */ - LOCK_BH(&ip_mms_lock); - - DEBUGP("ip_conntrack_mms: tcph->seq = %u\n", tcph->seq); - - exp->seq = ntohl(tcph->seq) + (mms_string_b - data); - exp_mms_info->len = (mms_string_e - mms_string_b); - exp_mms_info->padding = (mms_padding_e - mms_string_e); - exp_mms_info->port = mms_port; - - DEBUGP("ip_conntrack_mms: wrote info seq=%u (ofs=%u), len=%d, padding=%u\n", - exp->seq, (mms_string_e - data), exp_mms_info->len, exp_mms_info->padding); - - exp->tuple = ((struct ip_conntrack_tuple) - { { ct->tuplehash[!dir].tuple.src.ip, { 0 } }, - { mms_ip, - { (__u16) ntohs(mms_port) }, - mms_proto } } - ); - exp->mask = ((struct ip_conntrack_tuple) - { { 0xFFFFFFFF, { 0 } }, - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }}); - exp->expectfn = NULL; - ip_conntrack_expect_related(ct, &expect); - UNLOCK_BH(&ip_mms_lock); - } - - return NF_ACCEPT; -} - -static struct ip_conntrack_helper mms[MAX_PORTS]; -static char mms_names[MAX_PORTS][10]; - -/* Not __exit: called from init() */ -static void fini(void) -{ - int i; - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { - DEBUGP("ip_conntrack_mms: unregistering helper for port %d\n", - ports[i]); - ip_conntrack_helper_unregister(&mms[i]); - } -} - -static int __init init(void) -{ - int i, ret; - char *tmpname; - - if (ports[0] == 0) - ports[0] = MMS_PORT; - - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { - memset(&mms[i], 0, sizeof(struct ip_conntrack_helper)); - mms[i].tuple.src.u.tcp.port = htons(ports[i]); - mms[i].tuple.dst.protonum = IPPROTO_TCP; - mms[i].mask.src.u.tcp.port = 0xFFFF; - mms[i].mask.dst.protonum = 0xFFFF; - mms[i].max_expected = 1; - mms[i].timeout = 0; - mms[i].flags = IP_CT_HELPER_F_REUSE_EXPECT; - mms[i].me = THIS_MODULE; - mms[i].help = help; - - tmpname = &mms_names[i][0]; - if (ports[i] == MMS_PORT) - sprintf(tmpname, "mms"); - else - sprintf(tmpname, "mms-%d", ports[i]); - mms[i].name = tmpname; - - DEBUGP("ip_conntrack_mms: registering helper for port %d\n", - ports[i]); - ret = ip_conntrack_helper_register(&mms[i]); - - if (ret) { - fini(); - return ret; - } - ports_c++; - } - return 0; -} - -module_init(init); -module_exit(fini); diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_pptp.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_pptp.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_pptp.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_pptp.c 1969-12-31 16:00:00.000000000 -0800 @@ -1,637 +0,0 @@ -/* - * ip_conntrack_pptp.c - Version 1.9 - * - * Connection tracking support for PPTP (Point to Point Tunneling Protocol). - * PPTP is a a protocol for creating virtual private networks. - * It is a specification defined by Microsoft and some vendors - * working with Microsoft. PPTP is built on top of a modified - * version of the Internet Generic Routing Encapsulation Protocol. - * GRE is defined in RFC 1701 and RFC 1702. Documentation of - * PPTP can be found in RFC 2637 - * - * (C) 2000-2003 by Harald Welte - * - * Development of this code funded by Astaro AG (http://www.astaro.com/) - * - * Limitations: - * - We blindly assume that control connections are always - * established in PNS->PAC direction. This is a violation - * of RFFC2673 - * - * TODO: - finish support for multiple calls within one session - * (needs expect reservations in newnat) - * - testing of incoming PPTP calls - * - * Changes: - * 2002-02-05 - Version 1.3 - * - Call ip_conntrack_unexpect_related() from - * pptp_timeout_related() to destroy expectations in case - * CALL_DISCONNECT_NOTIFY or tcp fin packet was seen - * (Philip Craig ) - * - Add Version information at module loadtime - * 2002-02-10 - Version 1.6 - * - move to C99 style initializers - * - remove second expectation if first arrives - * - */ - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#define IP_CT_PPTP_VERSION "1.9" - -MODULE_LICENSE("GPL"); -MODULE_AUTHOR("Harald Welte "); -MODULE_DESCRIPTION("Netfilter connection tracking helper module for PPTP"); - -DECLARE_LOCK(ip_pptp_lock); - -#if 0 -#include "ip_conntrack_pptp_priv.h" -#define DEBUGP(format, args...) printk(KERN_DEBUG __FILE__ ":" __FUNCTION__ \ - ": " format, ## args) -#else -#define DEBUGP(format, args...) -#endif - -#define SECS *HZ -#define MINS * 60 SECS -#define HOURS * 60 MINS -#define DAYS * 24 HOURS - -#define PPTP_GRE_TIMEOUT (10 MINS) -#define PPTP_GRE_STREAM_TIMEOUT (5 DAYS) - -static int pptp_expectfn(struct ip_conntrack *ct) -{ - struct ip_conntrack *master; - struct ip_conntrack_expect *exp; - - DEBUGP("increasing timeouts\n"); - /* increase timeout of GRE data channel conntrack entry */ - ct->proto.gre.timeout = PPTP_GRE_TIMEOUT; - ct->proto.gre.stream_timeout = PPTP_GRE_STREAM_TIMEOUT; - - master = master_ct(ct); - if (!master) { - DEBUGP(" no master!!!\n"); - return 0; - } - - exp = ct->master; - if (!exp) { - DEBUGP("no expectation!!\n"); - return 0; - } - - DEBUGP("completing tuples with ct info\n"); - /* we can do this, since we're unconfirmed */ - if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.gre.key == - htonl(master->help.ct_pptp_info.pac_call_id)) { - /* assume PNS->PAC */ - ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key = - htonl(master->help.ct_pptp_info.pns_call_id); - ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key = - htonl(master->help.ct_pptp_info.pns_call_id); - } else { - /* assume PAC->PNS */ - ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.gre.key = - htonl(master->help.ct_pptp_info.pac_call_id); - ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u.gre.key = - htonl(master->help.ct_pptp_info.pac_call_id); - } - - /* delete other expectation */ - if (exp->expected_list.next != &exp->expected_list) { - struct ip_conntrack_expect *other_exp; - struct list_head *cur_item, *next; - - for (cur_item = master->sibling_list.next; - cur_item != &master->sibling_list; cur_item = next) { - next = cur_item->next; - other_exp = list_entry(cur_item, - struct ip_conntrack_expect, - expected_list); - /* remove only if occurred at same sequence number */ - if (other_exp != exp && other_exp->seq == exp->seq) { - DEBUGP("unexpecting other direction\n"); - ip_ct_gre_keymap_destroy(other_exp); - ip_conntrack_unexpect_related(other_exp); - } - } - } - - return 0; -} - -/* timeout GRE data connections */ -static int pptp_timeout_related(struct ip_conntrack *ct) -{ - struct list_head *cur_item, *next; - struct ip_conntrack_expect *exp; - - /* FIXME: do we have to lock something ? */ - for (cur_item = ct->sibling_list.next; - cur_item != &ct->sibling_list; cur_item = next) { - next = cur_item->next; - exp = list_entry(cur_item, struct ip_conntrack_expect, - expected_list); - - ip_ct_gre_keymap_destroy(exp); - if (!exp->sibling) { - ip_conntrack_unexpect_related(exp); - continue; - } - - DEBUGP("setting timeout of conntrack %p to 0\n", - exp->sibling); - exp->sibling->proto.gre.timeout = 0; - exp->sibling->proto.gre.stream_timeout = 0; - ip_ct_refresh(exp->sibling, 0); - } - - return 0; -} - -/* expect GRE connections (PNS->PAC and PAC->PNS direction) */ -static inline int -exp_gre(struct ip_conntrack *master, - u_int32_t seq, - u_int16_t callid, - u_int16_t peer_callid) -{ - struct ip_conntrack_expect exp; - struct ip_conntrack_tuple inv_tuple; - - memset(&exp, 0, sizeof(exp)); - /* tuple in original direction, PNS->PAC */ - exp.tuple.src.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; - exp.tuple.src.u.gre.key = htonl(ntohs(peer_callid)); - exp.tuple.dst.ip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; - exp.tuple.dst.u.gre.key = htonl(ntohs(callid)); - exp.tuple.dst.u.gre.protocol = __constant_htons(GRE_PROTOCOL_PPTP); - exp.tuple.dst.u.gre.version = GRE_VERSION_PPTP; - exp.tuple.dst.protonum = IPPROTO_GRE; - - exp.mask.src.ip = 0xffffffff; - exp.mask.src.u.all = 0; - exp.mask.dst.u.all = 0; - exp.mask.dst.u.gre.key = 0xffffffff; - exp.mask.dst.u.gre.version = 0xff; - exp.mask.dst.u.gre.protocol = 0xffff; - exp.mask.dst.ip = 0xffffffff; - exp.mask.dst.protonum = 0xffff; - - exp.seq = seq; - exp.expectfn = pptp_expectfn; - - exp.help.exp_pptp_info.pac_call_id = ntohs(callid); - exp.help.exp_pptp_info.pns_call_id = ntohs(peer_callid); - - DEBUGP("calling expect_related "); - DUMP_TUPLE_RAW(&exp.tuple); - - /* Add GRE keymap entries */ - if (ip_ct_gre_keymap_add(&exp, &exp.tuple, 0) != 0) - return 1; - - invert_tuplepr(&inv_tuple, &exp.tuple); - if (ip_ct_gre_keymap_add(&exp, &inv_tuple, 1) != 0) { - ip_ct_gre_keymap_destroy(&exp); - return 1; - } - - if (ip_conntrack_expect_related(master, &exp) != 0) { - ip_ct_gre_keymap_destroy(&exp); - DEBUGP("cannot expect_related()\n"); - return 1; - } - - /* tuple in reply direction, PAC->PNS */ - exp.tuple.src.ip = master->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip; - exp.tuple.src.u.gre.key = htonl(ntohs(callid)); - exp.tuple.dst.ip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; - exp.tuple.dst.u.gre.key = htonl(ntohs(peer_callid)); - - DEBUGP("calling expect_related "); - DUMP_TUPLE_RAW(&exp.tuple); - - /* Add GRE keymap entries */ - ip_ct_gre_keymap_add(&exp, &exp.tuple, 0); - invert_tuplepr(&inv_tuple, &exp.tuple); - ip_ct_gre_keymap_add(&exp, &inv_tuple, 1); - /* FIXME: cannot handle error correctly, since we need to free - * the above keymap :( */ - - if (ip_conntrack_expect_related(master, &exp) != 0) { - /* free the second pair of keypmaps */ - ip_ct_gre_keymap_destroy(&exp); - DEBUGP("cannot expect_related():\n"); - return 1; - } - - return 0; -} - -static inline int -pptp_inbound_pkt(struct tcphdr *tcph, - struct pptp_pkt_hdr *pptph, - size_t datalen, - struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo) -{ - struct PptpControlHeader *ctlh; - union pptp_ctrl_union pptpReq; - - struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info; - u_int16_t msg, *cid, *pcid; - u_int32_t seq; - - ctlh = (struct PptpControlHeader *) - ((char *) pptph + sizeof(struct pptp_pkt_hdr)); - pptpReq.rawreq = (void *) - ((char *) ctlh + sizeof(struct PptpControlHeader)); - - msg = ntohs(ctlh->messageType); - DEBUGP("inbound control message %s\n", strMName[msg]); - - switch (msg) { - case PPTP_START_SESSION_REPLY: - /* server confirms new control session */ - if (info->sstate < PPTP_SESSION_REQUESTED) { - DEBUGP("%s without START_SESS_REQUEST\n", - strMName[msg]); - break; - } - if (pptpReq.srep->resultCode == PPTP_START_OK) - info->sstate = PPTP_SESSION_CONFIRMED; - else - info->sstate = PPTP_SESSION_ERROR; - break; - - case PPTP_STOP_SESSION_REPLY: - /* server confirms end of control session */ - if (info->sstate > PPTP_SESSION_STOPREQ) { - DEBUGP("%s without STOP_SESS_REQUEST\n", - strMName[msg]); - break; - } - if (pptpReq.strep->resultCode == PPTP_STOP_OK) - info->sstate = PPTP_SESSION_NONE; - else - info->sstate = PPTP_SESSION_ERROR; - break; - - case PPTP_OUT_CALL_REPLY: - /* server accepted call, we now expect GRE frames */ - if (info->sstate != PPTP_SESSION_CONFIRMED) { - DEBUGP("%s but no session\n", strMName[msg]); - break; - } - if (info->cstate != PPTP_CALL_OUT_REQ && - info->cstate != PPTP_CALL_OUT_CONF) { - DEBUGP("%s without OUTCALL_REQ\n", strMName[msg]); - break; - } - if (pptpReq.ocack->resultCode != PPTP_OUTCALL_CONNECT) { - info->cstate = PPTP_CALL_NONE; - break; - } - - cid = &pptpReq.ocack->callID; - pcid = &pptpReq.ocack->peersCallID; - - info->pac_call_id = ntohs(*cid); - - if (htons(info->pns_call_id) != *pcid) { - DEBUGP("%s for unknown callid %u\n", - strMName[msg], ntohs(*pcid)); - break; - } - - DEBUGP("%s, CID=%X, PCID=%X\n", strMName[msg], - ntohs(*cid), ntohs(*pcid)); - - info->cstate = PPTP_CALL_OUT_CONF; - - seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph); - if (exp_gre(ct, seq, *cid, *pcid) != 0) - printk("ip_conntrack_pptp: error during exp_gre\n"); - break; - - case PPTP_IN_CALL_REQUEST: - /* server tells us about incoming call request */ - if (info->sstate != PPTP_SESSION_CONFIRMED) { - DEBUGP("%s but no session\n", strMName[msg]); - break; - } - pcid = &pptpReq.icack->peersCallID; - DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid)); - info->cstate = PPTP_CALL_IN_REQ; - info->pac_call_id= ntohs(*pcid); - break; - - case PPTP_IN_CALL_CONNECT: - /* server tells us about incoming call established */ - if (info->sstate != PPTP_SESSION_CONFIRMED) { - DEBUGP("%s but no session\n", strMName[msg]); - break; - } - if (info->sstate != PPTP_CALL_IN_REP - && info->sstate != PPTP_CALL_IN_CONF) { - DEBUGP("%s but never sent IN_CALL_REPLY\n", - strMName[msg]); - break; - } - - pcid = &pptpReq.iccon->peersCallID; - cid = &info->pac_call_id; - - if (info->pns_call_id != ntohs(*pcid)) { - DEBUGP("%s for unknown CallID %u\n", - strMName[msg], ntohs(*cid)); - break; - } - - DEBUGP("%s, PCID=%X\n", strMName[msg], ntohs(*pcid)); - info->cstate = PPTP_CALL_IN_CONF; - - /* we expect a GRE connection from PAC to PNS */ - seq = ntohl(tcph->seq) + ((void *)pcid - (void *)pptph); - if (exp_gre(ct, seq, *cid, *pcid) != 0) - printk("ip_conntrack_pptp: error during exp_gre\n"); - - break; - - case PPTP_CALL_DISCONNECT_NOTIFY: - /* server confirms disconnect */ - cid = &pptpReq.disc->callID; - DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid)); - info->cstate = PPTP_CALL_NONE; - - /* untrack this call id, unexpect GRE packets */ - pptp_timeout_related(ct); - break; - - case PPTP_WAN_ERROR_NOTIFY: - break; - - case PPTP_ECHO_REQUEST: - case PPTP_ECHO_REPLY: - /* I don't have to explain these ;) */ - break; - default: - DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX) - ? strMName[msg]:strMName[0], msg); - break; - } - - return NF_ACCEPT; - -} - -static inline int -pptp_outbound_pkt(struct tcphdr *tcph, - struct pptp_pkt_hdr *pptph, - size_t datalen, - struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo) -{ - struct PptpControlHeader *ctlh; - union pptp_ctrl_union pptpReq; - struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info; - u_int16_t msg, *cid, *pcid; - - ctlh = (struct PptpControlHeader *) ((void *) pptph + sizeof(*pptph)); - pptpReq.rawreq = (void *) ((void *) ctlh + sizeof(*ctlh)); - - msg = ntohs(ctlh->messageType); - DEBUGP("outbound control message %s\n", strMName[msg]); - - switch (msg) { - case PPTP_START_SESSION_REQUEST: - /* client requests for new control session */ - if (info->sstate != PPTP_SESSION_NONE) { - DEBUGP("%s but we already have one", - strMName[msg]); - } - info->sstate = PPTP_SESSION_REQUESTED; - break; - case PPTP_STOP_SESSION_REQUEST: - /* client requests end of control session */ - info->sstate = PPTP_SESSION_STOPREQ; - break; - - case PPTP_OUT_CALL_REQUEST: - /* client initiating connection to server */ - if (info->sstate != PPTP_SESSION_CONFIRMED) { - DEBUGP("%s but no session\n", - strMName[msg]); - break; - } - info->cstate = PPTP_CALL_OUT_REQ; - /* track PNS call id */ - cid = &pptpReq.ocreq->callID; - DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*cid)); - info->pns_call_id = ntohs(*cid); - break; - case PPTP_IN_CALL_REPLY: - /* client answers incoming call */ - if (info->cstate != PPTP_CALL_IN_REQ - && info->cstate != PPTP_CALL_IN_REP) { - DEBUGP("%s without incall_req\n", - strMName[msg]); - break; - } - if (pptpReq.icack->resultCode != PPTP_INCALL_ACCEPT) { - info->cstate = PPTP_CALL_NONE; - break; - } - pcid = &pptpReq.icack->peersCallID; - if (info->pac_call_id != ntohs(*pcid)) { - DEBUGP("%s for unknown call %u\n", - strMName[msg], ntohs(*pcid)); - break; - } - DEBUGP("%s, CID=%X\n", strMName[msg], ntohs(*pcid)); - /* part two of the three-way handshake */ - info->cstate = PPTP_CALL_IN_REP; - info->pns_call_id = ntohs(pptpReq.icack->callID); - break; - - case PPTP_CALL_CLEAR_REQUEST: - /* client requests hangup of call */ - if (info->sstate != PPTP_SESSION_CONFIRMED) { - DEBUGP("CLEAR_CALL but no session\n"); - break; - } - /* FUTURE: iterate over all calls and check if - * call ID is valid. We don't do this without newnat, - * because we only know about last call */ - info->cstate = PPTP_CALL_CLEAR_REQ; - break; - case PPTP_SET_LINK_INFO: - break; - case PPTP_ECHO_REQUEST: - case PPTP_ECHO_REPLY: - /* I don't have to explain these ;) */ - break; - default: - DEBUGP("invalid %s (TY=%d)\n", (msg <= PPTP_MSG_MAX)? - strMName[msg]:strMName[0], msg); - /* unknown: no need to create GRE masq table entry */ - break; - } - - return NF_ACCEPT; -} - - -/* track caller id inside control connection, call expect_related */ -static int -conntrack_pptp_help(const struct iphdr *iph, size_t len, - struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) - -{ - struct pptp_pkt_hdr *pptph; - - struct tcphdr *tcph = (void *) iph + iph->ihl * 4; - u_int32_t tcplen = len - iph->ihl * 4; - u_int32_t datalen = tcplen - tcph->doff * 4; - void *datalimit; - int dir = CTINFO2DIR(ctinfo); - struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info; - - int oldsstate, oldcstate; - int ret; - - /* don't do any tracking before tcp handshake complete */ - if (ctinfo != IP_CT_ESTABLISHED - && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) { - DEBUGP("ctinfo = %u, skipping\n", ctinfo); - return NF_ACCEPT; - } - - /* not a complete TCP header? */ - if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) { - DEBUGP("tcplen = %u\n", tcplen); - return NF_ACCEPT; - } - - /* checksum invalid? */ - if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr, - csum_partial((char *) tcph, tcplen, 0))) { - printk(KERN_NOTICE __FILE__ ": bad csum\n"); - /* W2K PPTP server sends TCP packets with wrong checksum :(( */ - //return NF_ACCEPT; - } - - if (tcph->fin || tcph->rst) { - DEBUGP("RST/FIN received, timeouting GRE\n"); - /* can't do this after real newnat */ - info->cstate = PPTP_CALL_NONE; - - /* untrack this call id, unexpect GRE packets */ - pptp_timeout_related(ct); - } - - - pptph = (struct pptp_pkt_hdr *) ((void *) tcph + tcph->doff * 4); - datalimit = (void *) pptph + datalen; - - /* not a full pptp packet header? */ - if ((void *) pptph+sizeof(*pptph) >= datalimit) { - DEBUGP("no full PPTP header, can't track\n"); - return NF_ACCEPT; - } - - /* if it's not a control message we can't do anything with it */ - if (ntohs(pptph->packetType) != PPTP_PACKET_CONTROL || - ntohl(pptph->magicCookie) != PPTP_MAGIC_COOKIE) { - DEBUGP("not a control packet\n"); - return NF_ACCEPT; - } - - oldsstate = info->sstate; - oldcstate = info->cstate; - - LOCK_BH(&ip_pptp_lock); - - /* FIXME: We just blindly assume that the control connection is always - * established from PNS->PAC. However, RFC makes no guarantee */ - if (dir == IP_CT_DIR_ORIGINAL) - /* client -> server (PNS -> PAC) */ - ret = pptp_outbound_pkt(tcph, pptph, datalen, ct, ctinfo); - else - /* server -> client (PAC -> PNS) */ - ret = pptp_inbound_pkt(tcph, pptph, datalen, ct, ctinfo); - DEBUGP("sstate: %d->%d, cstate: %d->%d\n", - oldsstate, info->sstate, oldcstate, info->cstate); - UNLOCK_BH(&ip_pptp_lock); - - return ret; -} - -/* control protocol helper */ -static struct ip_conntrack_helper pptp = { - .list = { NULL, NULL }, - .name = "pptp", - .flags = IP_CT_HELPER_F_REUSE_EXPECT, - .me = THIS_MODULE, - .max_expected = 2, - .timeout = 0, - .tuple = { .src = { .ip = 0, - .u = { .tcp = { .port = - __constant_htons(PPTP_CONTROL_PORT) } } - }, - .dst = { .ip = 0, - .u = { .all = 0 }, - .protonum = IPPROTO_TCP - } - }, - .mask = { .src = { .ip = 0, - .u = { .tcp = { .port = 0xffff } } - }, - .dst = { .ip = 0, - .u = { .all = 0 }, - .protonum = 0xffff - } - }, - .help = conntrack_pptp_help -}; - -/* ip_conntrack_pptp initialization */ -static int __init init(void) -{ - int retcode; - - DEBUGP(__FILE__ ": registering helper\n"); - if ((retcode = ip_conntrack_helper_register(&pptp))) { - printk(KERN_ERR "Unable to register conntrack application " - "helper for pptp: %d\n", retcode); - return -EIO; - } - - printk("ip_conntrack_pptp version %s loaded\n", IP_CT_PPTP_VERSION); - return 0; -} - -static void __exit fini(void) -{ - ip_conntrack_helper_unregister(&pptp); - printk("ip_conntrack_pptp version %s unloaded\n", IP_CT_PPTP_VERSION); -} - -module_init(init); -module_exit(fini); - -EXPORT_SYMBOL(ip_pptp_lock); diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_pptp_priv.h linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_pptp_priv.h --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_pptp_priv.h 1969-12-31 16:00:00.000000000 -0800 @@ -1,24 +0,0 @@ -#ifndef _IP_CT_PPTP_PRIV_H -#define _IP_CT_PPTP_PRIV_H - -/* PptpControlMessageType names */ -static const char *strMName[] = { - "UNKNOWN_MESSAGE", - "START_SESSION_REQUEST", - "START_SESSION_REPLY", - "STOP_SESSION_REQUEST", - "STOP_SESSION_REPLY", - "ECHO_REQUEST", - "ECHO_REPLY", - "OUT_CALL_REQUEST", - "OUT_CALL_REPLY", - "IN_CALL_REQUEST", - "IN_CALL_REPLY", - "IN_CALL_CONNECT", - "CALL_CLEAR_REQUEST", - "CALL_DISCONNECT_NOTIFY", - "WAN_ERROR_NOTIFY", - "SET_LINK_INFO" -}; - -#endif diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_proto_gre.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_proto_gre.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_proto_gre.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_proto_gre.c 1969-12-31 16:00:00.000000000 -0800 @@ -1,343 +0,0 @@ -/* - * ip_conntrack_proto_gre.c - Version 1.2 - * - * Connection tracking protocol helper module for GRE. - * - * GRE is a generic encapsulation protocol, which is generally not very - * suited for NAT, as it has no protocol-specific part as port numbers. - * - * It has an optional key field, which may help us distinguishing two - * connections between the same two hosts. - * - * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784 - * - * PPTP is built on top of a modified version of GRE, and has a mandatory - * field called "CallID", which serves us for the same purpose as the key - * field in plain GRE. - * - * Documentation about PPTP can be found in RFC 2637 - * - * (C) 2000-2003 by Harald Welte - * - * Development of this code funded by Astaro AG (http://www.astaro.com/) - * - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -DECLARE_RWLOCK(ip_ct_gre_lock); -#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_ct_gre_lock) -#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_ct_gre_lock) - -#include -#include -#include -#include - -#include -#include - -MODULE_LICENSE("GPL"); -MODULE_AUTHOR("Harald Welte "); -MODULE_DESCRIPTION("netfilter connection tracking protocol helper for GRE"); - -/* shamelessly stolen from ip_conntrack_proto_udp.c */ -#define GRE_TIMEOUT (30*HZ) -#define GRE_STREAM_TIMEOUT (180*HZ) - -#if 0 -#define DEBUGP(format, args...) printk(KERN_DEBUG __FILE__ ":" __FUNCTION__ \ - ": " format, ## args) -#define DUMP_TUPLE_GRE(x) printk("%u.%u.%u.%u:0x%x -> %u.%u.%u.%u:0x%x:%u:0x%x\n", \ - NIPQUAD((x)->src.ip), ntohl((x)->src.u.gre.key), \ - NIPQUAD((x)->dst.ip), ntohl((x)->dst.u.gre.key), \ - (x)->dst.u.gre.version, \ - ntohs((x)->dst.u.gre.protocol)) -#else -#define DEBUGP(x, args...) -#define DUMP_TUPLE_GRE(x) -#endif - -/* GRE KEYMAP HANDLING FUNCTIONS */ -static LIST_HEAD(gre_keymap_list); - -static inline int gre_key_cmpfn(const struct ip_ct_gre_keymap *km, - const struct ip_conntrack_tuple *t) -{ - return ((km->tuple.src.ip == t->src.ip) && - (km->tuple.dst.ip == t->dst.ip) && - (km->tuple.dst.protonum == t->dst.protonum) && - (km->tuple.dst.u.all == t->dst.u.all)); -} - -/* look up the source key for a given tuple */ -static u_int32_t gre_keymap_lookup(struct ip_conntrack_tuple *t) -{ - struct ip_ct_gre_keymap *km; - u_int32_t key; - - READ_LOCK(&ip_ct_gre_lock); - km = LIST_FIND(&gre_keymap_list, gre_key_cmpfn, - struct ip_ct_gre_keymap *, t); - if (!km) { - READ_UNLOCK(&ip_ct_gre_lock); - return 0; - } - - key = km->tuple.src.u.gre.key; - READ_UNLOCK(&ip_ct_gre_lock); - - return key; -} - -/* add a single keymap entry, associate with specified expect */ -int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp, - struct ip_conntrack_tuple *t, int reply) -{ - struct ip_ct_gre_keymap *km; - - km = kmalloc(sizeof(*km), GFP_ATOMIC); - if (!km) - return -1; - - /* initializing list head should be sufficient */ - memset(km, 0, sizeof(*km)); - - memcpy(&km->tuple, t, sizeof(*t)); - - if (!reply) - exp->proto.gre.keymap_orig = km; - else - exp->proto.gre.keymap_reply = km; - - DEBUGP("adding new entry %p: ", km); - DUMP_TUPLE_GRE(&km->tuple); - - WRITE_LOCK(&ip_ct_gre_lock); - list_append(&gre_keymap_list, km); - WRITE_UNLOCK(&ip_ct_gre_lock); - - return 0; -} - -/* change the tuple of a keymap entry (used by nat helper) */ -void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km, - struct ip_conntrack_tuple *t) -{ - DEBUGP("changing entry %p to: ", km); - DUMP_TUPLE_GRE(t); - - WRITE_LOCK(&ip_ct_gre_lock); - memcpy(&km->tuple, t, sizeof(km->tuple)); - WRITE_UNLOCK(&ip_ct_gre_lock); -} - -/* destroy the keymap entries associated with specified expect */ -void ip_ct_gre_keymap_destroy(struct ip_conntrack_expect *exp) -{ - DEBUGP("entering for exp %p\n", exp); - WRITE_LOCK(&ip_ct_gre_lock); - if (exp->proto.gre.keymap_orig) { - DEBUGP("removing %p from list\n", exp->proto.gre.keymap_orig); - list_del(&exp->proto.gre.keymap_orig->list); - kfree(exp->proto.gre.keymap_orig); - exp->proto.gre.keymap_orig = NULL; - } - if (exp->proto.gre.keymap_reply) { - DEBUGP("removing %p from list\n", exp->proto.gre.keymap_reply); - list_del(&exp->proto.gre.keymap_reply->list); - kfree(exp->proto.gre.keymap_reply); - exp->proto.gre.keymap_reply = NULL; - } - WRITE_UNLOCK(&ip_ct_gre_lock); -} - - -/* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */ - -/* invert gre part of tuple */ -static int gre_invert_tuple(struct ip_conntrack_tuple *tuple, - const struct ip_conntrack_tuple *orig) -{ - tuple->dst.u.gre.protocol = orig->dst.u.gre.protocol; - tuple->dst.u.gre.version = orig->dst.u.gre.version; - - tuple->dst.u.gre.key = orig->src.u.gre.key; - tuple->src.u.gre.key = orig->dst.u.gre.key; - - return 1; -} - -/* gre hdr info to tuple */ -static int gre_pkt_to_tuple(const void *datah, size_t datalen, - struct ip_conntrack_tuple *tuple) -{ - struct gre_hdr *grehdr = (struct gre_hdr *) datah; - struct gre_hdr_pptp *pgrehdr = (struct gre_hdr_pptp *) datah; - u_int32_t srckey; - - /* core guarantees 8 protocol bytes, no need for size check */ - - tuple->dst.u.gre.version = grehdr->version; - tuple->dst.u.gre.protocol = grehdr->protocol; - - switch (grehdr->version) { - case GRE_VERSION_1701: - if (!grehdr->key) { - DEBUGP("Can't track GRE without key\n"); - return 0; - } - tuple->dst.u.gre.key = *(gre_key(grehdr)); - break; - - case GRE_VERSION_PPTP: - if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) { - DEBUGP("GRE_VERSION_PPTP but unknown proto\n"); - return 0; - } - tuple->dst.u.gre.key = htonl(ntohs(pgrehdr->call_id)); - break; - - default: - printk(KERN_WARNING "unknown GRE version %hu\n", - tuple->dst.u.gre.version); - return 0; - } - - srckey = gre_keymap_lookup(tuple); - -#if 0 - DEBUGP("found src key %x for tuple ", ntohl(srckey)); - DUMP_TUPLE_GRE(tuple); -#endif - tuple->src.u.gre.key = srckey; - - return 1; -} - -/* print gre part of tuple */ -static unsigned int gre_print_tuple(char *buffer, - const struct ip_conntrack_tuple *tuple) -{ - return sprintf(buffer, "version=%d protocol=0x%04x srckey=0x%x dstkey=0x%x ", - tuple->dst.u.gre.version, - ntohs(tuple->dst.u.gre.protocol), - ntohl(tuple->src.u.gre.key), - ntohl(tuple->dst.u.gre.key)); -} - -/* print private data for conntrack */ -static unsigned int gre_print_conntrack(char *buffer, - const struct ip_conntrack *ct) -{ - return sprintf(buffer, "timeout=%u, stream_timeout=%u ", - (ct->proto.gre.timeout / HZ), - (ct->proto.gre.stream_timeout / HZ)); -} - -/* Returns verdict for packet, and may modify conntrack */ -static int gre_packet(struct ip_conntrack *ct, - struct iphdr *iph, size_t len, - enum ip_conntrack_info conntrackinfo) -{ - /* If we've seen traffic both ways, this is a GRE connection. - * Extend timeout. */ - if (ct->status & IPS_SEEN_REPLY) { - ip_ct_refresh(ct, ct->proto.gre.stream_timeout); - /* Also, more likely to be important, and not a probe. */ - set_bit(IPS_ASSURED_BIT, &ct->status); - } else - ip_ct_refresh(ct, ct->proto.gre.timeout); - - return NF_ACCEPT; -} - -/* Called when a new connection for this protocol found. */ -static int gre_new(struct ip_conntrack *ct, - struct iphdr *iph, size_t len) -{ - DEBUGP(": "); - DUMP_TUPLE_GRE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); - - /* initialize to sane value. Ideally a conntrack helper - * (e.g. in case of pptp) is increasing them */ - ct->proto.gre.stream_timeout = GRE_STREAM_TIMEOUT; - ct->proto.gre.timeout = GRE_TIMEOUT; - - return 1; -} - -/* Called when a conntrack entry has already been removed from the hashes - * and is about to be deleted from memory */ -static void gre_destroy(struct ip_conntrack *ct) -{ - struct ip_conntrack_expect *master = ct->master; - - DEBUGP(" entering\n"); - - if (!master) { - DEBUGP("no master exp for ct %p\n", ct); - return; - } - - ip_ct_gre_keymap_destroy(master); -} - -/* protocol helper struct */ -static struct ip_conntrack_protocol gre = { { NULL, NULL }, IPPROTO_GRE, - "gre", - gre_pkt_to_tuple, - gre_invert_tuple, - gre_print_tuple, - gre_print_conntrack, - gre_packet, - gre_new, - gre_destroy, - NULL, - THIS_MODULE }; - -/* ip_conntrack_proto_gre initialization */ -static int __init init(void) -{ - int retcode; - - if ((retcode = ip_conntrack_protocol_register(&gre))) { - printk(KERN_ERR "Unable to register conntrack protocol " - "helper for gre: %d\n", retcode); - return -EIO; - } - - return 0; -} - -static void __exit fini(void) -{ - struct list_head *pos, *n; - - /* delete all keymap entries */ - WRITE_LOCK(&ip_ct_gre_lock); - list_for_each_safe(pos, n, &gre_keymap_list) { - DEBUGP("deleting keymap %p at module unload time\n", pos); - list_del(pos); - kfree(pos); - } - WRITE_UNLOCK(&ip_ct_gre_lock); - - ip_conntrack_protocol_unregister(&gre); -} - -EXPORT_SYMBOL(ip_ct_gre_keymap_add); -EXPORT_SYMBOL(ip_ct_gre_keymap_change); -EXPORT_SYMBOL(ip_ct_gre_keymap_destroy); - -module_init(init); -module_exit(fini); diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_proto_tcp.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-11-08 06:24:53.000000000 -0800 @@ -45,6 +45,25 @@ "LISTEN" }; +#define SECS *HZ +#define MINS * 60 SECS +#define HOURS * 60 MINS +#define DAYS * 24 HOURS + + +static unsigned long tcp_timeouts[] += { 30 MINS, /* TCP_CONNTRACK_NONE, */ + 5 DAYS, /* TCP_CONNTRACK_ESTABLISHED, */ + 2 MINS, /* TCP_CONNTRACK_SYN_SENT, */ + 60 SECS, /* TCP_CONNTRACK_SYN_RECV, */ + 2 MINS, /* TCP_CONNTRACK_FIN_WAIT, */ + 2 MINS, /* TCP_CONNTRACK_TIME_WAIT, */ + 10 SECS, /* TCP_CONNTRACK_CLOSE, */ + 60 SECS, /* TCP_CONNTRACK_CLOSE_WAIT, */ + 30 SECS, /* TCP_CONNTRACK_LAST_ACK, */ + 2 MINS, /* TCP_CONNTRACK_LISTEN, */ +}; + #define sNO TCP_CONNTRACK_NONE #define sES TCP_CONNTRACK_ESTABLISHED #define sSS TCP_CONNTRACK_SYN_SENT @@ -167,20 +186,13 @@ && tcph->syn && tcph->ack) conntrack->proto.tcp.handshake_ack = htonl(ntohl(tcph->seq) + 1); - - if (oldtcpstate == TCP_CONNTRACK_SYN_SENT - && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY - && tcph->syn && !tcph->ack){ - WRITE_UNLOCK(&tcp_lock); - return -1; - } + WRITE_UNLOCK(&tcp_lock); /* If only reply is a RST, we can consider ourselves not to have an established connection: this is a fairly common problem case, so we can delete the conntrack immediately. --RR */ if (!(conntrack->status & IPS_SEEN_REPLY) && tcph->rst) { - WRITE_UNLOCK(&tcp_lock); if (del_timer(&conntrack->timeout)) conntrack->timeout.function((unsigned long)conntrack); } else { @@ -191,9 +203,7 @@ && tcph->ack_seq == conntrack->proto.tcp.handshake_ack) set_bit(IPS_ASSURED_BIT, &conntrack->status); - WRITE_UNLOCK(&tcp_lock); - ip_ct_refresh(conntrack, - sysctl_ip_conntrack_tcp_timeouts[newconntrack]); + ip_ct_refresh(conntrack, tcp_timeouts[newconntrack]); } return NF_ACCEPT; @@ -217,12 +227,6 @@ return 0; } - if (tcph->syn && tcph->ack) - { - printk("ip_conntrack_tcp: invalid new deleting.\n"); - return 0; - } - conntrack->proto.tcp.state = newconntrack; return 1; } diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_proto_udp.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_proto_udp.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2005-11-08 06:24:53.000000000 -0800 @@ -5,7 +5,9 @@ #include #include #include -#include + +#define UDP_TIMEOUT (30*HZ) +#define UDP_STREAM_TIMEOUT (180*HZ) static int udp_pkt_to_tuple(const void *datah, size_t datalen, struct ip_conntrack_tuple *tuple) @@ -50,13 +52,11 @@ /* If we've seen traffic both ways, this is some kind of UDP stream. Extend timeout. */ if (conntrack->status & IPS_SEEN_REPLY) { - ip_ct_refresh(conntrack, - sysctl_ip_conntrack_udp_timeouts[UDP_STREAM_TIMEOUT]); + ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT); /* Also, more likely to be important, and not a probe */ set_bit(IPS_ASSURED_BIT, &conntrack->status); } else - ip_ct_refresh(conntrack, - sysctl_ip_conntrack_udp_timeouts[UDP_TIMEOUT]); + ip_ct_refresh(conntrack, UDP_TIMEOUT); return NF_ACCEPT; } diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_sip.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_sip.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_sip.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_sip.c 1969-12-31 16:00:00.000000000 -0800 @@ -1,312 +0,0 @@ -/* - * SIP extension for IP connection tracking. - * - * Copyright (C) 2004, CyberTAN Corporation - * All Rights Reserved. - * - * THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY - * KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN - * SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS - * FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE. - * - */ - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -DECLARE_LOCK(ip_sip_lock); - -struct module *ip_conntrack_sip = THIS_MODULE; - -#define MAX_PORTS 8 -static int ports[MAX_PORTS]; -static int ports_c; -#ifdef MODULE_PARM -MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); -#endif - -#if 0 - #define DEBUGP printk -#else - #define DEBUGP(format, args...) -#endif - -#define RTCP_SUPPORT - -static int set_expected_rtp(struct ip_conntrack *ct, u_int32_t dstip, - u_int16_t dstport, unsigned int conntype) -{ - struct ip_conntrack_expect expect, *exp = &expect; - struct ip_ct_sip_expect *exp_sip_info = &exp->help.exp_sip_info; - int ret = 0; - - memset(&expect, 0, sizeof(expect)); - LOCK_BH(&ip_sip_lock); - - DEBUGP("conntrack_sip: %s: [%s]: DST=%u.%u.%u.%u:%u\n", __FUNCTION__, - conntype == CONN_RTP ? "RTP" : "RTCP", NIPQUAD(dstip), dstport); - - /* exp_sip_info */ - exp_sip_info->port = dstport; - exp_sip_info->type = conntype; - exp_sip_info->nated = 0; - - /* new expectation */ - exp->tuple = ((struct ip_conntrack_tuple) - { { 0, { 0 } }, - { dstip, { htons(dstport) }, IPPROTO_UDP }}); - exp->mask = ((struct ip_conntrack_tuple) - { { 0, { 0 } }, - { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }}); - exp->expectfn = NULL; - - if ((ret=ip_conntrack_expect_related(ct, exp)) != 0) { - DEBUGP("Can't add new expectation. \n"); - } - - UNLOCK_BH(&ip_sip_lock); - - return ret; -} - -/* -static int unset_expected_rtp(struct ip_conntrack *ct, u_int32_t dstip, u_int16_t dstport) -{ - struct ip_conntrack_expect *exp; - const struct ip_conntrack_tuple tuple = { { 0, { 0 } }, - { dstip, { htons(dstport) }, IPPROTO_UDP }}; - - LOCK_BH(&ip_sip_lock); - - exp = ip_conntrack_expect_find_get(&tuple); - if (exp) { - DEBUGP("Find the expectation %p, then delete it.\n", exp); - ip_conntrack_unexpect_related(exp); - } - - UNLOCK_BH(&ip_sip_lock); - - return 0; -}*/ - -/* return: - * 0 : Not found - * 1 : Found domain name - * 2 : Found dotted quads - */ -int find_sdp_rtp_addr(const char *data, size_t dlen, - unsigned int *numoff, unsigned int *numlen, u_int32_t *addr) -{ - char *st, *p = (char *)data; - const char *limit = data + dlen; - unsigned char p1, p2, p3, p4; - - while (p < limit) { - /* find 'c=' line */ - if (strncmp(p, "\nc=",3) && strncmp(p, "\rc=",3)) { - p++; - continue; - } - p += 3; - - if (strncmp(p, "IN IP4 ",7)) - continue; - p += 7; - - /* IP address */ - st = p; - - /* FQDNs or dotted quads */ - while (isalpha(*p) || isdigit(*p) || (*p=='.') || (*p=='-')) { - p++; - if (p == limit) - return 0; - } - - *numoff = st - data; - *numlen = p - st; - - /* Convert the IP address */ - p1 = simple_strtoul(st, &st ,10); - if (*st != '.') - return 1; - p2 = simple_strtoul(st+1, &st, 10); - if (*st != '.') - return 1; - p3 = simple_strtoul(st+1, &st, 10); - if (*st != '.') - return 1; - p4 = simple_strtoul(st+1, &st, 10); - - *addr = (p1<<24) | (p2<<16) | (p3<<8) | p4; - - return 2; - } - - return 0; -} - -u_int16_t find_sdp_audio_port(const char *data, size_t dlen, - unsigned int *numoff, unsigned int *numlen) -{ - char *st, *p = (char *)data; - const char *limit = data + dlen; - u_int16_t port = 0; - - while (p < limit) { - /* find 'm=' */ - if (strncmp(p, "\nm=", 3) && strncmp(p, "\rm=", 3)) { - p++; - continue; - } - p += 3; - - /* audio stream */ - if (strncmp(p ,"audio ",6)) - continue; - p += 6; - - st = p; - port = simple_strtoul(p, &p, 10); - - *numoff = st - data; - *numlen = p - st; - - return port; - } - - return 0; -} - -static int help(const struct iphdr *iph, size_t len, - struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo) -{ - int dir = CTINFO2DIR(ctinfo); - unsigned int matchlen, matchoff; - - u_int32_t ipaddr=0; - u_int16_t port = 0; - - int found = 0; - struct udphdr *udph = (void *)iph + iph->ihl * 4; - const char *data = (const char *)udph + 8; - unsigned int udplen = len - iph->ihl * 4; - unsigned int datalen = udplen - 8; - struct ip_ct_sip_master *ct_sip_info = &ct->help.ct_sip_info; - - DEBUGP("\nconntrack_sip: help(): DIR=%d, conntrackinfo=%u\n", dir, ctinfo); - DEBUGP("conntrack_sip: %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", - NIPQUAD(ct->tuplehash[dir].tuple.src.ip), - ntohs(ct->tuplehash[dir].tuple.src.u.udp.port), - NIPQUAD(ct->tuplehash[dir].tuple.dst.ip), - ntohs(ct->tuplehash[dir].tuple.dst.u.udp.port) ); - - /* Reset for a new incoming packet */ - ct_sip_info->mangled = 0; - - /* keep the connection alive */ - ip_ct_refresh(ct, (SIP_EXPIRES * HZ)); - - /* Don't need to set the expectation for upstream direction */ - if (dir == IP_CT_DIR_REPLY) - return NF_ACCEPT; - - /* Need to set the expected connection for further incoming RTP stream */ - if (strncmp(data, "INVITE", 6) != 0 && strncmp(data, "SIP/2.0 200", 11) != 0) { - DEBUGP("conntrack_sip: Not interesting packet.\n"); - return NF_ACCEPT; - } - - /* Find RTP address */ - found = find_sdp_rtp_addr(data, datalen, &matchoff, &matchlen, &ipaddr); - if (!found) - return NF_ACCEPT; - - DEBUGP("conntrack_sip: 'IN IP4' is %s.\n", (found == 1) ? "FQDNs" : "dotted quads"); - - /* If it's a null address, then the call is on hold */ - if (found == 2 && ipaddr == 0) { - DEBUGP("conntrack_sip: Null address is found.\n"); - return NF_ACCEPT; - } - - /* Find audio port, and we don't like the well-known ports, - * which is less than 1024 */ - port = find_sdp_audio_port(data, datalen, &matchoff, &matchlen); - if (port < 1024) - return NF_ACCEPT; - - DEBUGP("conntrack_sip: audio port=%d.\n", port); - - ipaddr = ct->tuplehash[dir].tuple.src.ip; - ct_sip_info->rtpport = port; - - /* RFC1889 - RTP uses an even port number and the corresponding RTCP - * stream uses the next higher (odd) port number. */ - if (set_expected_rtp(ct, ipaddr, port, CONN_RTP) == 0) { -#ifdef RTCP_SUPPORT - set_expected_rtp(ct, ipaddr, port + 1, CONN_RTCP); -#endif - } - - return NF_ACCEPT; -} - -static struct ip_conntrack_helper sip[MAX_PORTS]; - - -/* Not __exit: called from init() */ -static void fini(void) -{ - int i; - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { - DEBUGP("ip_ct_sip: unregistering helper for port %d\n", - ports[i]); - ip_conntrack_helper_unregister(&sip[i]); - } -} - -static int __init init(void) -{ - int i, ret; - - if (ports[0] == 0) - ports[0] = SIP_PORT; - - for (i = 0; (i < MAX_PORTS) && ports[i]; i++) { - memset(&sip[i], 0, sizeof(struct ip_conntrack_helper)); - sip[i].tuple.dst.u.udp.port = htons(ports[i]); - sip[i].tuple.dst.protonum = IPPROTO_UDP; - sip[i].mask.dst.u.udp.port = 0xF0FF; - sip[i].mask.dst.protonum = 0xFFFF; - sip[i].help = help; - sip[i].timeout = RTP_TIMEOUT; - DEBUGP("ip_ct_sip: registering helper for port %d\n", - ports[i]); - ret = ip_conntrack_helper_register(&sip[i]); - - if (ret) { - fini(); - return ret; - } - ports_c++; - } - return 0; -} - - -EXPORT_SYMBOL(ip_sip_lock); -EXPORT_SYMBOL(ip_conntrack_sip); - -module_init(init); -module_exit(fini); diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_standalone.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-11-08 06:24:53.000000000 -0800 @@ -62,12 +62,6 @@ { unsigned int len; - if (!expect || !expect->expectant || !expect->expectant->helper) { - DEBUGP("expect %x expect->expectant %x expect->expectant->helper %x\n", - expect, expect->expectant, expect->expectant->helper); - return 0; - } - if (expect->expectant->helper->timeout) len = sprintf(buffer, "EXPECTING: %lu ", timer_pending(&expect->timeout) @@ -369,8 +363,6 @@ EXPORT_SYMBOL(ip_ct_find_proto); EXPORT_SYMBOL(__ip_ct_find_proto); EXPORT_SYMBOL(ip_ct_find_helper); -EXPORT_SYMBOL(sysctl_ip_conntrack_tcp_timeouts); -EXPORT_SYMBOL(sysctl_ip_conntrack_udp_timeouts); EXPORT_SYMBOL(ip_conntrack_expect_related); EXPORT_SYMBOL(ip_conntrack_change_expect); EXPORT_SYMBOL(ip_conntrack_unexpect_related); diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_tftp.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_conntrack_tftp.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_conntrack_tftp.c 1969-12-31 16:00:00.000000000 -0800 @@ -1,126 +0,0 @@ -/* - * Licensed under GNU GPL version 2 Copyright Magnus Boden - * Version: 0.0.7 - * - * Thu 21 Mar 2002 Harald Welte - * - port to newnat API - * - */ - -#include -#include -#include - -#include -#include -#include -#include - -MODULE_AUTHOR("Magnus Boden "); -MODULE_DESCRIPTION("Netfilter connection tracking module for tftp"); -MODULE_LICENSE("GPL"); - -#define MAX_PORTS 8 -static int ports[MAX_PORTS]; -static int ports_c = 0; -#ifdef MODULE_PARM -MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i"); -MODULE_PARM_DESC(ports, "port numbers of tftp servers"); -#endif - -#define DEBUGP(format, args...) - -static int tftp_help(const struct iphdr *iph, size_t len, - struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo) -{ - struct udphdr *udph = (void *)iph + iph->ihl * 4; - struct tftphdr *tftph = (void *)udph + 8; - struct ip_conntrack_expect exp; - - switch (ntohs(tftph->opcode)) { - /* RRQ and WRQ works the same way */ - case TFTP_OPCODE_READ: - case TFTP_OPCODE_WRITE: - DEBUGP(""); - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); - memset(&exp, 0, sizeof(exp)); - - exp.tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple; - exp.mask.src.ip = 0xffffffff; - exp.mask.dst.ip = 0xffffffff; - exp.mask.dst.u.udp.port = 0xffff; - exp.mask.dst.protonum = 0xffff; - exp.expectfn = NULL; - - DEBUGP("expect: "); - DUMP_TUPLE(&exp.tuple); - DUMP_TUPLE(&exp.mask); - ip_conntrack_expect_related(ct, &exp); - break; - default: - DEBUGP("Unknown opcode\n"); - } - return NF_ACCEPT; -} - -static struct ip_conntrack_helper tftp[MAX_PORTS]; -static char tftp_names[MAX_PORTS][10]; - -static void fini(void) -{ - int i; - - for (i = 0 ; i < ports_c; i++) { - DEBUGP("unregistering helper for port %d\n", - ports[i]); - ip_conntrack_helper_unregister(&tftp[i]); - } -} - -static int __init init(void) -{ - int i, ret; - char *tmpname; - - if (!ports[0]) - ports[0]=TFTP_PORT; - - for (i = 0 ; (i < MAX_PORTS) && ports[i] ; i++) { - /* Create helper structure */ - memset(&tftp[i], 0, sizeof(struct ip_conntrack_helper)); - - tftp[i].tuple.dst.protonum = IPPROTO_UDP; - tftp[i].tuple.src.u.udp.port = htons(ports[i]); - tftp[i].mask.dst.protonum = 0xFFFF; - tftp[i].mask.src.u.udp.port = 0xFFFF; - tftp[i].max_expected = 1; - tftp[i].timeout = 0; - tftp[i].flags = IP_CT_HELPER_F_REUSE_EXPECT; - tftp[i].me = THIS_MODULE; - tftp[i].help = tftp_help; - - tmpname = &tftp_names[i][0]; - if (ports[i] == TFTP_PORT) - sprintf(tmpname, "tftp"); - else - sprintf(tmpname, "tftp-%d", i); - tftp[i].name = tmpname; - - DEBUGP("port #%d: %d\n", i, ports[i]); - - ret=ip_conntrack_helper_register(&tftp[i]); - if (ret) { - printk("ERROR registering helper for port %d\n", - ports[i]); - fini(); - return(ret); - } - ports_c++; - } - return(0); -} - -module_init(init); -module_exit(fini); diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_nat_core.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_nat_core.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_nat_core.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_nat_core.c 2005-11-08 06:24:53.000000000 -0800 @@ -434,7 +434,7 @@ *tuple = *orig_tuple; while ((rptr = find_best_ips_proto_fast(tuple, mr, conntrack, hooknum)) != NULL) { - DEBUGP("Found best for "); DUMP_TUPLE_RAW(tuple); + DEBUGP("Found best for "); DUMP_TUPLE(tuple); /* 3) The per-protocol part of the manip is made to map into the range to make a unique tuple. */ diff -ruN linux-2.4.20-WRTup/net/ipv4/netfilter/ip_nat_h323.c linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_nat_h323.c --- linux-2.4.20-WRTup/net/ipv4/netfilter/ip_nat_h323.c 2006-06-12 18:08:33.000000000 -0700 +++ linux-2.4.20-WRTstp/net/ipv4/netfilter/ip_nat_h323.c 1969-12-31 16:00:00.000000000 -0800 @@ -1,403 +0,0 @@ -/* - * H.323 'brute force' extension for NAT alteration. - * Jozsef Kadlecsik - * - * Based on ip_masq_h323.c for 2.2 kernels from CoRiTel, Sofia project. - * (http://www.coritel.it/projects/sofia/nat.html) - * Uses Sampsa Ranta's excellent idea on using expectfn to 'bind' - * the unregistered helpers to the conntrack entries. - */ - - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -MODULE_AUTHOR("Jozsef Kadlecsik "); -MODULE_DESCRIPTION("H.323 'brute force' connection tracking module"); -MODULE_LICENSE("GPL"); - -DECLARE_LOCK_EXTERN(ip_h323_lock); -struct module *ip_nat_h323 = THIS_MODULE; - -#define DEBUGP(format, args...) - - -static unsigned int -h225_nat_expected(struct sk_buff **pskb, - unsigned int hooknum, - struct ip_conntrack *ct, - struct ip_nat_info *info); - -static unsigned int h225_nat_help(struct ip_conntrack *ct, - struct ip_conntrack_expect *exp, - struct ip_nat_info *info, - enum ip_conntrack_info ctinfo, - unsigned int hooknum, - struct sk_buff **pskb); - -static struct ip_nat_helper h245 = - { { NULL, NULL }, - "H.245", /* name */ - 0, /* flags */ - NULL, /* module */ - { { 0, { 0 } }, /* tuple */ - { 0, { 0 }, IPPROTO_TCP } }, - { { 0, { 0xFFFF } }, /* mask */ - { 0, { 0 }, 0xFFFF } }, - h225_nat_help, /* helper */ - h225_nat_expected /* expectfn */ - }; - -static unsigned int -h225_nat_expected(struct sk_buff **pskb, - unsigned int hooknum, - struct ip_conntrack *ct, - struct ip_nat_info *info) -{ - struct ip_nat_multi_range mr; - u_int32_t newdstip, newsrcip, newip; - u_int16_t port; - struct ip_ct_h225_expect *exp_info; - struct ip_ct_h225_master *master_info; - struct ip_conntrack *master = master_ct(ct); - unsigned int is_h225, ret; - - IP_NF_ASSERT(info); - IP_NF_ASSERT(master); - - IP_NF_ASSERT(!(info->initialized & (1<master->expectant->help.ct_h225_info; - exp_info = &ct->master->help.exp_h225_info; - - LOCK_BH(&ip_h323_lock); - - DEBUGP("master: "); - DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple); - DUMP_TUPLE(&master->tuplehash[IP_CT_DIR_REPLY].tuple); - DEBUGP("conntrack: "); - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); - if (exp_info->dir == IP_CT_DIR_ORIGINAL) { - /* Make connection go to the client. */ - newdstip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; - newsrcip = master->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; - DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to client)\n", - NIPQUAD(newsrcip), NIPQUAD(newdstip)); - } else { - /* Make the connection go to the server */ - newdstip = master->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip; - newsrcip = master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; - DEBUGP("h225_nat_expected: %u.%u.%u.%u->%u.%u.%u.%u (to server)\n", - NIPQUAD(newsrcip), NIPQUAD(newdstip)); - } - port = exp_info->port; - is_h225 = master_info->is_h225 == H225_PORT; - UNLOCK_BH(&ip_h323_lock); - - if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC) - newip = newsrcip; - else - newip = newdstip; - - DEBUGP("h225_nat_expected: IP to %u.%u.%u.%u\n", NIPQUAD(newip)); - - mr.rangesize = 1; - /* We don't want to manip the per-protocol, just the IPs... */ - mr.range[0].flags = IP_NAT_RANGE_MAP_IPS; - mr.range[0].min_ip = mr.range[0].max_ip = newip; - - /* ... unless we're doing a MANIP_DST, in which case, make - sure we map to the correct port */ - if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) { - mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED; - mr.range[0].min = mr.range[0].max - = ((union ip_conntrack_manip_proto) - { port }); - } - - ret = ip_nat_setup_info(ct, &mr, hooknum); - - if (is_h225) { - DEBUGP("h225_nat_expected: H.225, setting NAT helper for %p\n", ct); - /* NAT expectfn called with ip_nat_lock write-locked */ - info->helper = &h245; - } - return ret; -} - -static int h323_signal_address_fixup(struct ip_conntrack *ct, - struct sk_buff **pskb, - enum ip_conntrack_info ctinfo) -{ - struct iphdr *iph = (*pskb)->nh.iph; - struct tcphdr *tcph = (void *)iph + iph->ihl*4; - unsigned char *data; - u_int32_t tcplen = (*pskb)->len - iph->ihl*4; - u_int32_t datalen = tcplen - tcph->doff*4; - struct ip_ct_h225_master *info = &ct->help.ct_h225_info; - u_int32_t newip; - u_int16_t port; - u_int8_t buffer[6]; - int i; - - MUST_BE_LOCKED(&ip_h323_lock); - - DEBUGP("h323_signal_address_fixup: %s %s\n", - between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen) - ? "yes" : "no", - between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen) - ? "yes" : "no"); - if (!(between(info->seq[IP_CT_DIR_ORIGINAL], ntohl(tcph->seq), ntohl(tcph->seq) + datalen) - || between(info->seq[IP_CT_DIR_REPLY], ntohl(tcph->seq), ntohl(tcph->seq) + datalen))) - return 1; - - DEBUGP("h323_signal_address_fixup: offsets %u + 6 and %u + 6 in %u\n", - info->offset[IP_CT_DIR_ORIGINAL], - info->offset[IP_CT_DIR_REPLY], - tcplen); - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); - - for (i = 0; i < IP_CT_DIR_MAX; i++) { - DEBUGP("h323_signal_address_fixup: %s %s\n", - info->dir == IP_CT_DIR_ORIGINAL ? "original" : "reply", - i == IP_CT_DIR_ORIGINAL ? "caller" : "callee"); - if (!between(info->seq[i], ntohl(tcph->seq), - ntohl(tcph->seq) + datalen)) - continue; - if (!between(info->seq[i] + 6, ntohl(tcph->seq), - ntohl(tcph->seq) + datalen)) { - /* Partial retransmisison. It's a cracker being funky. */ - if (net_ratelimit()) { - printk("H.323_NAT: partial packet %u/6 in %u/%u\n", - info->seq[i], - ntohl(tcph->seq), - ntohl(tcph->seq) + datalen); - } - return 0; - } - - /* Change address inside packet to match way we're mapping - this connection. */ - if (i == IP_CT_DIR_ORIGINAL) { - newip = ct->tuplehash[!info->dir].tuple.dst.ip; - port = ct->tuplehash[!info->dir].tuple.dst.u.tcp.port; - } else { - newip = ct->tuplehash[!info->dir].tuple.src.ip; - port = ct->tuplehash[!info->dir].tuple.src.u.tcp.port; - } - - data = (char *) tcph + tcph->doff * 4 + info->offset[i]; - - DEBUGP("h323_signal_address_fixup: orig %s IP:port %u.%u.%u.%u:%u\n", - i == IP_CT_DIR_ORIGINAL ? "source" : "dest ", - data[0], data[1], data[2], data[3], - (data[4] << 8 | data[5])); - - /* Modify the packet */ - memcpy(buffer, &newip, 4); - memcpy(buffer + 4, &port, 2); - if (!ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, info->offset[i], - 6, buffer, 6)) - return 0; - - DEBUGP("h323_signal_address_fixup: new %s IP:port %u.%u.%u.%u:%u\n", - i == IP_CT_DIR_ORIGINAL ? "source" : "dest ", - data[0], data[1], data[2], data[3], - (data[4] << 8 | data[5])); - } - - return 1; -} - -static int h323_data_fixup(struct ip_ct_h225_expect *info, - struct ip_conntrack *ct, - struct sk_buff **pskb, - enum ip_conntrack_info ctinfo, - struct ip_conntrack_expect *expect) -{ - u_int32_t newip; - u_int16_t port; - u_int8_t buffer[6]; - struct ip_conntrack_tuple newtuple; - struct iphdr *iph = (*pskb)->nh.iph; - struct tcphdr *tcph = (void *)iph + iph->ihl*4; - unsigned char *data; - u_int32_t tcplen = (*pskb)->len - iph->ihl*4; - struct ip_ct_h225_master *master_info = &ct->help.ct_h225_info; - int is_h225; - - MUST_BE_LOCKED(&ip_h323_lock); - DEBUGP("h323_data_fixup: offset %u + 6 in %u\n", info->offset, tcplen); - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); - DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); - - if (!between(expect->seq + 6, ntohl(tcph->seq), - ntohl(tcph->seq) + tcplen - tcph->doff * 4)) { - /* Partial retransmisison. It's a cracker being funky. */ - if (net_ratelimit()) { - printk("H.323_NAT: partial packet %u/6 in %u/%u\n", - expect->seq, - ntohl(tcph->seq), - ntohl(tcph->seq) + tcplen - tcph->doff * 4); - } - return 0; - } - - /* Change address inside packet to match way we're mapping - this connection. */ - if (info->dir == IP_CT_DIR_REPLY) { - /* Must be where client thinks server is */ - newip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; - /* Expect something from client->server */ - newtuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; - newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip; - } else { - /* Must be where server thinks client is */ - newip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; - /* Expect something from server->client */ - newtuple.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip; - newtuple.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip; - } - - is_h225 = (master_info->is_h225 == H225_PORT); - - if (is_