Use iptables 1.4.14 with kernel 2.6.22 #7

Open
wants to merge 5 commits into
base: 374.43_2-update
3 changes: 2 additions & 1 deletion release/src-rt/linux/linux-2.6/include/linux/icmpv6.h
Expand Up @@ -120,7 +120,8 @@ static inline struct icmp6hdr *icmp6_hdr(const struct sk_buff *skb)
#define ICMPV6_NOT_NEIGHBOUR 2
#define ICMPV6_ADDR_UNREACH 3
#define ICMPV6_PORT_UNREACH 4
#define ICMPV6_SRC_ADDR_FAIL_POLICY 5
#define ICMPV6_POLICY_FAIL 5
#define ICMPV6_REJECT_ROUTE 6

/*
* Codes for Time Exceeded
Expand Up @@ -27,4 +27,8 @@ struct xt_mark_target_info_v1 {
u_int8_t mode;
};

struct xt_mark_tginfo2 {
u_int32_t mark, mask;
};

#endif /*_XT_MARK_H_target */
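Review bot: struct xt_mark_tginfo2 is added without a comment saying how its two fields are applied, and this header is the userspace-visible contract for the revision-2 MARK target. The target code later in this PR computes `(skb->mark & ~mask) ^ mark`, so a one-line comment on the struct such as `/* MARK revision 2: skb->mark = (skb->mark & ~mask) ^ mark; layout is userspace ABI */` documents the semantics where rule authors and the next maintainer will look for them. The file path is not shown on the page; from its include guard it appears to be xt_MARK.h.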
Expand Up @@ -6,7 +6,6 @@
#define _XT_CONNTRACK_H

#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <linux/in.h>

#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
Expand All @@ -16,14 +15,21 @@
#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))

/* flags, invflags: */
#define XT_CONNTRACK_STATE 0x01
#define XT_CONNTRACK_PROTO 0x02
#define XT_CONNTRACK_ORIGSRC 0x04
#define XT_CONNTRACK_ORIGDST 0x08
#define XT_CONNTRACK_REPLSRC 0x10
#define XT_CONNTRACK_REPLDST 0x20
#define XT_CONNTRACK_STATUS 0x40
#define XT_CONNTRACK_EXPIRES 0x80
enum {
XT_CONNTRACK_STATE = 1 << 0,
XT_CONNTRACK_PROTO = 1 << 1,
XT_CONNTRACK_ORIGSRC = 1 << 2,
XT_CONNTRACK_ORIGDST = 1 << 3,
XT_CONNTRACK_REPLSRC = 1 << 4,
XT_CONNTRACK_REPLDST = 1 << 5,
XT_CONNTRACK_STATUS = 1 << 6,
XT_CONNTRACK_EXPIRES = 1 << 7,
XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
XT_CONNTRACK_ORIGDST_PORT = 1 << 9,
XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
XT_CONNTRACK_REPLDST_PORT = 1 << 11,
XT_CONNTRACK_DIRECTION = 1 << 12,
};

/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
Expand Down Expand Up @@ -60,4 +66,18 @@ struct xt_conntrack_info
/* Inverse flags */
u_int8_t invflags;
};

struct xt_conntrack_mtinfo1 {
union nf_inet_addr origsrc_addr, origsrc_mask;
union nf_inet_addr origdst_addr, origdst_mask;
union nf_inet_addr replsrc_addr, replsrc_mask;
union nf_inet_addr repldst_addr, repldst_mask;
u_int32_t expires_min, expires_max;
u_int16_t l4proto;
__be16 origsrc_port, origdst_port;
__be16 replsrc_port, repldst_port;
u_int16_t match_flags, invert_flags;
u_int8_t state_mask, status_mask;
};

#endif /*_XT_CONNTRACK_H*/
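Review bot: The new struct xt_conntrack_mtinfo1 uses union nf_inet_addr and __be16, yet the first hunk removes <linux/in.h> and leaves nf_conntrack_tuple_common.h as the only include visible in this header; nothing on the page shows where union nf_inet_addr is defined in this 2.6.22 tree, so confirm it is reachable from this header both in-kernel and when iptables 1.4.14 compiles the header from userspace, and that no userspace consumer relied on <linux/in.h> arriving transitively. match_flags and invert_flags are u_int16_t while the new enum defines bits up to 1 << 12, which is consistent, but a comment tying the two together would help: `/* match_flags / invert_flags: bitmask of the XT_CONNTRACK_* enum above; layout is userspace ABI */`. The file path is not shown on the page; the include guard suggests xt_conntrack.h.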
Expand Up @@ -7,9 +7,10 @@ enum ip6t_reject_with {
IP6T_ICMP6_NOT_NEIGHBOUR,
IP6T_ICMP6_ADDR_UNREACH,
IP6T_ICMP6_PORT_UNREACH,
IP6T_ICMP6_SRC_ADDR_FAIL_POLICY,
IP6T_ICMP6_ECHOREPLY,
IP6T_TCP_RESET
IP6T_TCP_RESET,
IP6T_ICMP6_POLICY_FAIL,
IP6T_ICMP6_REJECT_ROUTE
};

struct ip6t_reject_info {
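Review bot: Removing IP6T_ICMP6_SRC_ADDR_FAIL_POLICY from the middle of enum ip6t_reject_with and appending the two new members renumbers IP6T_ICMP6_ECHOREPLY and IP6T_TCP_RESET, and the numeric value of `with` is the ABI between ip6tables and the ip6t_REJECT module. That is presumably intended, since the PR's goal is to match iptables 1.4.14, but any ip6tables binary or saved ruleset built against the previous vendor header is now interpreted differently: its old IP6T_TCP_RESET value selects IP6T_ICMP6_POLICY_FAIL, and the switch in the ip6t_REJECT.c section further down this page cannot detect that because the value is still in range. A comment on the enum, `/* Order is ABI: must match iptables' ip6t_REJECT.h; append only, never insert */`, and a line in the PR description stating that ip6tables binaries built against the old header are incompatible would make the change safe to merge. The enum's opening line is outside the hunk.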
Expand Up @@ -10,6 +10,7 @@
#ifndef _NF_CONNTRACK_TUPLE_H
#define _NF_CONNTRACK_TUPLE_H

#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>

/* A `tuple' is a structure containing the information to uniquely
Expand All @@ -20,15 +21,8 @@
"non-manipulatable" lines, for the benefit of the NAT code.
*/

#define NF_CT_TUPLE_L3SIZE 4

/* The l3 protocol-specific manipulable parts of the tuple: always in
network order! */
union nf_conntrack_address {
u_int32_t all[NF_CT_TUPLE_L3SIZE];
__be32 ip;
__be32 ip6[4];
};
#define nf_conntrack_address nf_inet_addr
#define NF_CT_TUPLE_L3SIZE ARRAY_SIZE(((union nf_inet_addr *)NULL)->all)

/* The protocol-specific manipulable parts of the tuple: always in
network order! */
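Review bot: `#define nf_conntrack_address nf_inet_addr` is a preprocessor alias, so every identifier spelled nf_conntrack_address in any translation unit that includes this header is rewritten to nf_inet_addr, and the header compiles only if union nf_inet_addr is defined before its first use, which the page does not show — presumably it arrives through the <linux/netfilter/x_tables.h> include added at the top of the first hunk, which should be confirmed. The replacement NF_CT_TUPLE_L3SIZE also now depends on the ARRAY_SIZE macro rather than a literal, so the header gains a dependency on wherever ARRAY_SIZE is defined. A comment would spare the next reader the search: `/* Compatibility alias for the renamed L3 address union; union nf_inet_addr must be defined by an earlier include */`. The file path is not shown on the page; the include guard suggests nf_conntrack_tuple.h.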
Expand Up @@ -208,15 +208,18 @@ static unsigned int reject6_target(struct sk_buff **pskb,
case IP6T_ICMP6_PORT_UNREACH:
send_unreach(*pskb, ICMPV6_PORT_UNREACH, hooknum);
break;
case IP6T_ICMP6_SRC_ADDR_FAIL_POLICY:
send_unreach(*pskb, ICMPV6_SRC_ADDR_FAIL_POLICY, hooknum);
break;
case IP6T_ICMP6_ECHOREPLY:
/* Do nothing */
break;
case IP6T_TCP_RESET:
send_reset(*pskb);
break;
case IP6T_ICMP6_POLICY_FAIL:
send_unreach(*pskb, ICMPV6_POLICY_FAIL, hooknum);
break;
case IP6T_ICMP6_REJECT_ROUTE:
send_unreach(*pskb, ICMPV6_REJECT_ROUTE, hooknum);
break;
default:
if (net_ratelimit())
printk(KERN_WARNING "ip6t_REJECT: case %u not handled yet\n", reject->with);
36 changes: 36 additions & 0 deletions release/src-rt/linux/linux-2.6/net/netfilter/xt_MARK.c
Expand Up @@ -78,6 +78,26 @@ target_v1(struct sk_buff **pskb,
}


static unsigned int
mark_tg(struct sk_buff **pskb, const struct net_device *in,
const struct net_device *out, unsigned int hooknum,
const struct xt_target *target, const void *targinfo)
{
const struct xt_mark_tginfo2 *info = targinfo;

(*pskb)->mark = ((*pskb)->mark & ~info->mask) ^ info->mark;

#ifdef HNDCTF
{
enum ip_conntrack_info ctinfo;
struct nf_conn *ct = nf_ct_get(*pskb, &ctinfo);
if(ct) ct->ctf_flags |= CTF_FLAGS_EXCLUDED;
}
#endif /* HNDCTF */

return XT_CONTINUE;
}

static int
checkentry_v0(const char *tablename,
const void *entry,
Expand Down Expand Up @@ -193,6 +213,22 @@ static struct xt_target xt_mark_target[] = {
.table = "mangle",
.me = THIS_MODULE,
},
{
.name = "MARK",
.revision = 2,
.family = AF_INET,
.target = mark_tg,
.targetsize = sizeof(struct xt_mark_tginfo2),
.me = THIS_MODULE,
},
{
.name = "MARK",
.revision = 2,
.family = AF_INET6,
.target = mark_tg,
.targetsize = sizeof(struct xt_mark_tginfo2),
.me = THIS_MODULE,
},
};

static int __init xt_mark_init(void)
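Review bot: The two revision-2 xt_target entries omit the `.table = "mangle"` restriction that the earlier entries carry (visible as `.table = "mangle",` at the top of the second hunk), so MARK revision 2 becomes usable from tables where revisions 0 and 1 are refused. If that is intended — I believe it matches the upstream kernel, where the revision-2 target is not table-restricted — a comment on the first rev-2 entry such as `/* rev 2 is deliberately not limited to mangle, as upstream */` records the decision; otherwise add `.table = "mangle",` to both entries. In mark_tg, the #ifdef HNDCTF block that sets CTF_FLAGS_EXCLUDED on the conntrack appears to repeat logic from target_v1 (whose body is outside the hunk); a small static helper would remove the duplication, and `if(ct)` should be `if (ct)` per kernel style. The xt_mark_target[] array begins outside the hunk.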