path: root/target/linux/generic-2.4/patches/621-netfilter_random.patch
blob: 1ee85be46f4c6ef00d9e79f1a5a55f613d1f3f07 (plain)
diff -Naurp linux-2.4.34/Documentation/Configure.help linux-2.4.34.patched/Documentation/Configure.help
--- linux-2.4.34/Documentation/Configure.help	2007-07-08 05:01:42.000000000 +0200
+++ linux-2.4.34.patched/Documentation/Configure.help	2007-07-08 05:02:26.000000000 +0200
@@ -2914,6 +2914,15 @@ CONFIG_IP_NF_MATCH_MAC
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+Random match support
+CONFIG_IP_NF_MATCH_RANDOM
+  This option adds a `random' match,
+  which allow you to match packets randomly
+  following a given probability.
+ 
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
 Netfilter MARK match support
 CONFIG_IP_NF_MATCH_MARK
   Netfilter mark matching allows you to match packets based on the
@@ -3221,6 +3230,7 @@ CONFIG_IP_NF_MATCH_HELPER
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `Y'.
 
+
 TCPMSS match support
 CONFIG_IP_NF_MATCH_TCPMSS
   This option adds a `tcpmss' match, which allows you to examine the
@@ -3299,6 +3309,14 @@ CONFIG_IP6_NF_MATCH_MAC
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+CONFIG_IP6_NF_MATCH_RANDOM
+  This option adds a `random' match,
+  which allow you to match packets randomly
+  following a given probability.
+ 
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
 length match support
 CONFIG_IP6_NF_MATCH_LENGTH
   This option allows you to match the length of a packet against a
diff -Naurp linux-2.4.34/include/linux/netfilter_ipv4/ipt_random.h linux-2.4.34.patched/include/linux/netfilter_ipv4/ipt_random.h
--- linux-2.4.34/include/linux/netfilter_ipv4/ipt_random.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.34.patched/include/linux/netfilter_ipv4/ipt_random.h	2007-07-08 05:02:26.000000000 +0200
@@ -0,0 +1,11 @@
+#ifndef _IPT_RAND_H
+#define _IPT_RAND_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+struct ipt_rand_info {
+	u_int8_t average;
+};
+
+#endif /*_IPT_RAND_H*/
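Review bot: `average` in struct ipt_rand_info is a threshold on a 0–255 scale rather than a percentage, and nothing in this header says so; the only hint is the `x 2.55` comments in ipt_rand_checkentry, which accepts 2 through 252. Because this struct is the layout exchanged with userspace (checkentry compares matchsize against its aligned size), I would document the field, e.g. `/* match threshold: percent * 2.55, accepted range 2..252 */`. The same applies to struct ip6t_rand_info in include/linux/netfilter_ipv6/ip6t_random.h. The `<linux/param.h>` include does not appear to be needed by anything declared here.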
diff -Naurp linux-2.4.34/include/linux/netfilter_ipv6/ip6t_random.h linux-2.4.34.patched/include/linux/netfilter_ipv6/ip6t_random.h
--- linux-2.4.34/include/linux/netfilter_ipv6/ip6t_random.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.34.patched/include/linux/netfilter_ipv6/ip6t_random.h	2007-07-08 05:02:26.000000000 +0200
@@ -0,0 +1,11 @@
+#ifndef _IP6T_RAND_H
+#define _IP6T_RAND_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+struct ip6t_rand_info {
+	u_int8_t average;
+};
+
+#endif /*_IP6T_RAND_H*/
diff -Naurp linux-2.4.34/net/ipv4/netfilter/Config.in linux-2.4.34.patched/net/ipv4/netfilter/Config.in
--- linux-2.4.34/net/ipv4/netfilter/Config.in	2007-07-08 05:01:42.000000000 +0200
+++ linux-2.4.34.patched/net/ipv4/netfilter/Config.in	2007-07-08 05:03:32.000000000 +0200
@@ -32,6 +32,7 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; 
   dep_tristate '  netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
   dep_tristate '  Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
   dep_tristate '  TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
+  dep_tristate '  random match support' CONFIG_IP_NF_MATCH_RANDOM $CONFIG_IP_NF_IPTABLES
   dep_tristate '  TIME match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_TIME $CONFIG_IP_NF_IPTABLES
   dep_tristate '  condition match support' CONFIG_IP_NF_MATCH_CONDITION $CONFIG_IP_NF_IPTABLES
   dep_tristate '  recent match support' CONFIG_IP_NF_MATCH_RECENT $CONFIG_IP_NF_IPTABLES
diff -Naurp linux-2.4.34/net/ipv4/netfilter/ipt_random.c linux-2.4.34.patched/net/ipv4/netfilter/ipt_random.c
--- linux-2.4.34/net/ipv4/netfilter/ipt_random.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.34.patched/net/ipv4/netfilter/ipt_random.c	2007-07-08 05:02:26.000000000 +0200
@@ -0,0 +1,96 @@
+/*
+  This is a module which is used for a "random" match support.
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+     ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation.
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/random.h>
+#include <net/tcp.h>
+#include <linux/spinlock.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_random.h>
+
+MODULE_LICENSE("GPL");
+
+static int
+ipt_rand_match(const struct sk_buff *pskb,
+	       const struct net_device *in,
+	       const struct net_device *out,
+	       const void *matchinfo,
+	       int offset,
+	       const void *hdr,
+	       u_int16_t datalen,
+	       int *hotdrop)
+{
+	/* Parameters from userspace */
+	const struct ipt_rand_info *info = matchinfo;
+	u_int8_t random_number;
+
+	/* get 1 random number from the kernel random number generation routine */
+	get_random_bytes((void *)(&random_number), 1);
+
+	/* Do we match ? */
+	if (random_number <= info->average)
+		return 1;
+	else
+		return 0;
+}
+
+static int
+ipt_rand_checkentry(const char *tablename,
+		   const struct ipt_ip *e,
+		   void *matchinfo,
+		   unsigned int matchsize,
+		   unsigned int hook_mask)
+{
+	/* Parameters from userspace */
+	const struct ipt_rand_info *info = matchinfo;
+
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_rand_info))) {
+		printk("ipt_random: matchsize %u != %u\n", matchsize,
+		       IPT_ALIGN(sizeof(struct ipt_rand_info)));
+		return 0;
+	}
+
+	/* must be  1 <= average % <= 99 */
+	/* 1  x 2.55 = 2   */
+	/* 99 x 2.55 = 252 */
+	if ((info->average < 2) || (info->average > 252)) {
+		printk("ipt_random:  invalid average %u\n", info->average);
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_match ipt_rand_reg = { 
+	{NULL, NULL},
+	"random",
+	ipt_rand_match,
+	ipt_rand_checkentry,
+	NULL,
+	THIS_MODULE };
+
+static int __init init(void)
+{
+	if (ipt_register_match(&ipt_rand_reg))
+		return -EINVAL;
+
+	printk("ipt_random match loaded\n");
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&ipt_rand_reg);
+	printk("ipt_random match unloaded\n");
+}
+
+module_init(init);
+module_exit(fini);
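Review bot: ipt_rand_match calls `get_random_bytes()` once for every packet that reaches the rule, so the load on the kernel RNG is set by whoever sends traffic through it. As far as I recall, in 2.4 each call hashes the entropy pool and debits its estimate, which could slow the packet path and starve /dev/random readers on a busy router; this is worth confirming against the random driver in this tree. If the match does not need unpredictable output a cheaper generator would do, and if it does, the cost should be stated next to the call, e.g. `/* one RNG draw per packet; cost scales with traffic through this rule */`. The same code is in ip6t_rand_match in net/ipv6/netfilter/ip6t_random.c. Separately, `init()` replaces whatever ipt_register_match() returned with -EINVAL; `int ret = ipt_register_match(&ipt_rand_reg); if (ret) return ret;` would keep the real error, presumably already a negative errno.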
diff -Naurp linux-2.4.34/net/ipv4/netfilter/Makefile linux-2.4.34.patched/net/ipv4/netfilter/Makefile
--- linux-2.4.34/net/ipv4/netfilter/Makefile	2007-07-08 05:01:42.000000000 +0200
+++ linux-2.4.34.patched/net/ipv4/netfilter/Makefile	2007-07-08 05:02:26.000000000 +0200
@@ -102,6 +102,8 @@ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos
 obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
 obj-$(CONFIG_IP_NF_MATCH_CONDITION) += ipt_condition.o
 
+obj-$(CONFIG_IP_NF_MATCH_RANDOM) += ipt_random.o
+
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
 
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
diff -Naurp linux-2.4.34/net/ipv6/netfilter/Config.in linux-2.4.34.patched/net/ipv6/netfilter/Config.in
--- linux-2.4.34/net/ipv6/netfilter/Config.in	2007-07-08 05:01:42.000000000 +0200
+++ linux-2.4.34.patched/net/ipv6/netfilter/Config.in	2007-07-08 05:02:26.000000000 +0200
@@ -19,6 +19,7 @@ if [ "$CONFIG_IP6_NF_IPTABLES" != "n" ];
   dep_tristate '  limit match support' CONFIG_IP6_NF_MATCH_LIMIT $CONFIG_IP6_NF_IPTABLES
   dep_tristate '  condition match support' CONFIG_IP6_NF_MATCH_CONDITION $CONFIG_IP6_NF_IPTABLES
   dep_tristate '  MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
+  dep_tristate '  Random match support' CONFIG_IP6_NF_MATCH_RANDOM $CONFIG_IP6_NF_IPTABLES
   if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
     dep_tristate '  Routing header match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_RT $CONFIG_IP6_NF_IPTABLES
   fi
diff -Naurp linux-2.4.34/net/ipv6/netfilter/ip6t_random.c linux-2.4.34.patched/net/ipv6/netfilter/ip6t_random.c
--- linux-2.4.34/net/ipv6/netfilter/ip6t_random.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.4.34.patched/net/ipv6/netfilter/ip6t_random.c	2007-07-08 05:02:26.000000000 +0200
@@ -0,0 +1,97 @@
+/*
+  This is a module which is used for a "random" match support.
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+     ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation.
+  2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/random.h>
+#include <net/tcp.h>
+#include <linux/spinlock.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_random.h>
+
+MODULE_LICENSE("GPL");
+
+static int
+ip6t_rand_match(const struct sk_buff *pskb,
+	       const struct net_device *in,
+	       const struct net_device *out,
+	       const void *matchinfo,
+	       int offset,
+	       const void *hdr,
+	       u_int16_t datalen,
+	       int *hotdrop)
+{
+	/* Parameters from userspace */
+	const struct ip6t_rand_info *info = matchinfo;
+	u_int8_t random_number;
+
+	/* get 1 random number from the kernel random number generation routine */
+	get_random_bytes((void *)(&random_number), 1);
+
+	/* Do we match ? */
+	if (random_number <= info->average)
+		return 1;
+	else
+		return 0;
+}
+
+static int
+ip6t_rand_checkentry(const char *tablename,
+		   const struct ip6t_ip6 *e,
+		   void *matchinfo,
+		   unsigned int matchsize,
+		   unsigned int hook_mask)
+{
+	/* Parameters from userspace */
+	const struct ip6t_rand_info *info = matchinfo;
+
+	if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_rand_info))) {
+		printk("ip6t_random: matchsize %u != %u\n", matchsize,
+		       IP6T_ALIGN(sizeof(struct ip6t_rand_info)));
+		return 0;
+	}
+
+	/* must be  1 <= average % <= 99 */
+	/* 1  x 2.55 = 2   */
+	/* 99 x 2.55 = 252 */
+	if ((info->average < 2) || (info->average > 252)) {
+		printk("ip6t_random:  invalid average %u\n", info->average);
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ip6t_match ip6t_rand_reg = { 
+	{NULL, NULL},
+	"random",
+	ip6t_rand_match,
+	ip6t_rand_checkentry,
+	NULL,
+	THIS_MODULE };
+
+static int __init init(void)
+{
+	if (ip6t_register_match(&ip6t_rand_reg))
+		return -EINVAL;
+
+	printk("ip6t_random match loaded\n");
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ip6t_unregister_match(&ip6t_rand_reg);
+	printk("ip6t_random match unloaded\n");
+}
+
+module_init(init);
+module_exit(fini);
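Review bot: The include list of ip6t_random.c still carries `<linux/ip.h>` and `<net/tcp.h>` from the IPv4 file it was ported from, and nothing in the visible code uses them; `<linux/spinlock.h>` also looks unused, since the file takes no lock. ip6t_rand_match reads only `matchinfo` and never touches `pskb` or `hdr`, so trimming the list to the module, random and ip6_tables headers would make it obvious that this match does not parse packet contents. The printk calls here also carry no log level; `printk(KERN_INFO "ip6t_random match loaded\n");` and a KERN_WARNING on the two checkentry rejections would let them be filtered like other netfilter messages.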
diff -Naurp linux-2.4.34/net/ipv6/netfilter/Makefile linux-2.4.34.patched/net/ipv6/netfilter/Makefile
--- linux-2.4.34/net/ipv6/netfilter/Makefile	2007-07-08 05:01:42.000000000 +0200
+++ linux-2.4.34.patched/net/ipv6/netfilter/Makefile	2007-07-08 05:02:26.000000000 +0200
@@ -32,6 +32,7 @@ obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t
 obj-$(CONFIG_IP6_NF_TARGET_IMQ) += ip6t_IMQ.o
 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
+obj-$(CONFIG_IP6_NF_MATCH_RANDOM) += ip6t_random.o
 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
 
 include $(TOPDIR)/Rules.make