-rw-r--r-- | include/netfilter.mk | 3 | ||||
-rw-r--r-- | target/linux/generic-2.4/patches/621-netfilter_random.patch | 318 |
2 files changed, 321 insertions, 0 deletions
diff --git a/include/netfilter.mk b/include/netfilter.mk
index 51f72fb9d3..ad65f885fe 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -71,6 +71,9 @@ IPT_IPOPT-$(CONFIG_IP_NF_MATCH_MARK) += $(P_V4)ipt_mark
 IPT_IPOPT-$(CONFIG_NETFILTER_XT_MATCH_MARK) += $(P_XT)xt_mark
 IPT_IPOPT-$(CONFIG_IP_NF_TARGET_MARK) += $(P_V4)ipt_MARK
 IPT_IPOPT-$(CONFIG_NETFILTER_XT_TARGET_MARK) += $(P_XT)xt_MARK
+ifeq ($(CONFIG_LINUX_2_4),y)
+IPT_IPOPT-$(CONFIG_NETFILTER_XT_TARGET_MARK) += $(P_V4)ipt_random
+endif
 IPT_IPOPT-$(CONFIG_IP_NF_MATCH_TCPMSS) += $(P_V4)ipt_tcpmss
 IPT_IPOPT-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += $(P_XT)xt_tcpmss
 IPT_IPOPT-$(CONFIG_IP_NF_TARGET_TCPMSS) += $(P_V4)ipt_TCPMSS
diff --git a/target/linux/generic-2.4/patches/621-netfilter_random.patch b/target/linux/generic-2.4/patches/621-netfilter_random.patch
new file mode 100644
index 0000000000..1ee85be46f
--- /dev/null
+++ b/target/linux/generic-2.4/patches/621-netfilter_random.patch
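Review bot: The new `ipt_random` line is gated on `CONFIG_NETFILTER_XT_TARGET_MARK`, which looks carried over from the `xt_MARK` line directly above it; the module being added is a match, not a target, and the kernel option the accompanying patch introduces for it is `CONFIG_IP_NF_MATCH_RANDOM`. As written, `ipt_random` is pulled into the module list whenever the MARK target is enabled and is never listed when only the random match is, and because the block is wrapped in `ifeq ($(CONFIG_LINUX_2_4),y)` the mismatch will not show up on 2.6 builds. Assuming the build config exposes the kernel symbol under the same name as the other entries in this file, the line should read `IPT_IPOPT-$(CONFIG_IP_NF_MATCH_RANDOM) += $(P_V4)ipt_random`.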
@@ -0,0 +1,318 @@ +diff -Naurp linux-2.4.34/Documentation/Configure.help linux-2.4.34.patched/Documentation/Configure.help +--- linux-2.4.34/Documentation/Configure.help 2007-07-08 05:01:42.000000000 +0200 ++++ linux-2.4.34.patched/Documentation/Configure.help 2007-07-08 05:02:26.000000000 +0200 +@@ -2914,6 +2914,15 @@ CONFIG_IP_NF_MATCH_MAC + If you want to compile it as a module, say M here and read + <file:Documentation/modules.txt>. If unsure, say `N'. + ++Random match support ++CONFIG_IP_NF_MATCH_RANDOM ++ This option adds a `random' match, ++ which allow you to match packets randomly ++ following a given probability. ++ ++ If you want to compile it as a module, say M here and read ++ Documentation/modules.txt. If unsure, say `N'. ++ + Netfilter MARK match support + CONFIG_IP_NF_MATCH_MARK + Netfilter mark matching allows you to match packets based on the +@@ -3221,6 +3230,7 @@ CONFIG_IP_NF_MATCH_HELPER + If you want to compile it as a module, say M here and read + Documentation/modules.txt. If unsure, say `Y'. + ++ + TCPMSS match support + CONFIG_IP_NF_MATCH_TCPMSS + This option adds a `tcpmss' match, which allows you to examine the +@@ -3299,6 +3309,14 @@ CONFIG_IP6_NF_MATCH_MAC + If you want to compile it as a module, say M here and read + <file:Documentation/modules.txt>. If unsure, say `N'. + ++CONFIG_IP6_NF_MATCH_RANDOM ++ This option adds a `random' match, ++ which allow you to match packets randomly ++ following a given probability. ++ ++ If you want to compile it as a module, say M here and read ++ Documentation/modules.txt. If unsure, say `N'. 
++ + length match support + CONFIG_IP6_NF_MATCH_LENGTH + This option allows you to match the length of a packet against a +diff -Naurp linux-2.4.34/include/linux/netfilter_ipv4/ipt_random.h linux-2.4.34.patched/include/linux/netfilter_ipv4/ipt_random.h +--- linux-2.4.34/include/linux/netfilter_ipv4/ipt_random.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.4.34.patched/include/linux/netfilter_ipv4/ipt_random.h 2007-07-08 05:02:26.000000000 +0200 +@@ -0,0 +1,11 @@ ++#ifndef _IPT_RAND_H ++#define _IPT_RAND_H ++ ++#include <linux/param.h> ++#include <linux/types.h> ++ ++struct ipt_rand_info { ++ u_int8_t average; ++}; ++ ++#endif /*_IPT_RAND_H*/ +diff -Naurp linux-2.4.34/include/linux/netfilter_ipv6/ip6t_random.h linux-2.4.34.patched/include/linux/netfilter_ipv6/ip6t_random.h +--- linux-2.4.34/include/linux/netfilter_ipv6/ip6t_random.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.4.34.patched/include/linux/netfilter_ipv6/ip6t_random.h 2007-07-08 05:02:26.000000000 +0200 +@@ -0,0 +1,11 @@ ++#ifndef _IP6T_RAND_H ++#define _IP6T_RAND_H ++ ++#include <linux/param.h> ++#include <linux/types.h> ++ ++struct ip6t_rand_info { ++ u_int8_t average; ++}; ++ ++#endif /*_IP6T_RAND_H*/ +diff -Naurp linux-2.4.34/net/ipv4/netfilter/Config.in linux-2.4.34.patched/net/ipv4/netfilter/Config.in +--- linux-2.4.34/net/ipv4/netfilter/Config.in 2007-07-08 05:01:42.000000000 +0200 ++++ linux-2.4.34.patched/net/ipv4/netfilter/Config.in 2007-07-08 05:03:32.000000000 +0200 +@@ -32,6 +32,7 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; + dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES + dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES + dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES ++ dep_tristate ' random match support' CONFIG_IP_NF_MATCH_RANDOM $CONFIG_IP_NF_IPTABLES + dep_tristate ' TIME match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_TIME $CONFIG_IP_NF_IPTABLES + 
dep_tristate ' condition match support' CONFIG_IP_NF_MATCH_CONDITION $CONFIG_IP_NF_IPTABLES + dep_tristate ' recent match support' CONFIG_IP_NF_MATCH_RECENT $CONFIG_IP_NF_IPTABLES +diff -Naurp linux-2.4.34/net/ipv4/netfilter/ipt_random.c linux-2.4.34.patched/net/ipv4/netfilter/ipt_random.c +--- linux-2.4.34/net/ipv4/netfilter/ipt_random.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.4.34.patched/net/ipv4/netfilter/ipt_random.c 2007-07-08 05:02:26.000000000 +0200 +@@ -0,0 +1,96 @@ ++/* ++ This is a module which is used for a "random" match support. ++ This file is distributed under the terms of the GNU General Public ++ License (GPL). Copies of the GPL can be obtained from: ++ ftp://prep.ai.mit.edu/pub/gnu/GPL ++ ++ 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation. ++*/ ++ ++#include <linux/module.h> ++#include <linux/skbuff.h> ++#include <linux/ip.h> ++#include <linux/random.h> ++#include <net/tcp.h> ++#include <linux/spinlock.h> ++#include <linux/netfilter_ipv4/ip_tables.h> ++#include <linux/netfilter_ipv4/ipt_random.h> ++ ++MODULE_LICENSE("GPL"); ++ ++static int ++ipt_rand_match(const struct sk_buff *pskb, ++ const struct net_device *in, ++ const struct net_device *out, ++ const void *matchinfo, ++ int offset, ++ const void *hdr, ++ u_int16_t datalen, ++ int *hotdrop) ++{ ++ /* Parameters from userspace */ ++ const struct ipt_rand_info *info = matchinfo; ++ u_int8_t random_number; ++ ++ /* get 1 random number from the kernel random number generation routine */ ++ get_random_bytes((void *)(&random_number), 1); ++ ++ /* Do we match ? 
*/ ++ if (random_number <= info->average) ++ return 1; ++ else ++ return 0; ++} ++ ++static int ++ipt_rand_checkentry(const char *tablename, ++ const struct ipt_ip *e, ++ void *matchinfo, ++ unsigned int matchsize, ++ unsigned int hook_mask) ++{ ++ /* Parameters from userspace */ ++ const struct ipt_rand_info *info = matchinfo; ++ ++ if (matchsize != IPT_ALIGN(sizeof(struct ipt_rand_info))) { ++ printk("ipt_random: matchsize %u != %u\n", matchsize, ++ IPT_ALIGN(sizeof(struct ipt_rand_info))); ++ return 0; ++ } ++ ++ /* must be 1 <= average % <= 99 */ ++ /* 1 x 2.55 = 2 */ ++ /* 99 x 2.55 = 252 */ ++ if ((info->average < 2) || (info->average > 252)) { ++ printk("ipt_random: invalid average %u\n", info->average); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++static struct ipt_match ipt_rand_reg = { ++ {NULL, NULL}, ++ "random", ++ ipt_rand_match, ++ ipt_rand_checkentry, ++ NULL, ++ THIS_MODULE }; ++ ++static int __init init(void) ++{ ++ if (ipt_register_match(&ipt_rand_reg)) ++ return -EINVAL; ++ ++ printk("ipt_random match loaded\n"); ++ return 0; ++} ++ ++static void __exit fini(void) ++{ ++ ipt_unregister_match(&ipt_rand_reg); ++ printk("ipt_random match unloaded\n"); ++} ++ ++module_init(init); ++module_exit(fini); +diff -Naurp linux-2.4.34/net/ipv4/netfilter/Makefile linux-2.4.34.patched/net/ipv4/netfilter/Makefile +--- linux-2.4.34/net/ipv4/netfilter/Makefile 2007-07-08 05:01:42.000000000 +0200 ++++ linux-2.4.34.patched/net/ipv4/netfilter/Makefile 2007-07-08 05:02:26.000000000 +0200 +@@ -102,6 +102,8 @@ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos + obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o + obj-$(CONFIG_IP_NF_MATCH_CONDITION) += ipt_condition.o + ++obj-$(CONFIG_IP_NF_MATCH_RANDOM) += ipt_random.o ++ + obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o + + obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o +diff -Naurp linux-2.4.34/net/ipv6/netfilter/Config.in linux-2.4.34.patched/net/ipv6/netfilter/Config.in +--- linux-2.4.34/net/ipv6/netfilter/Config.in 2007-07-08 
05:01:42.000000000 +0200 ++++ linux-2.4.34.patched/net/ipv6/netfilter/Config.in 2007-07-08 05:02:26.000000000 +0200 +@@ -19,6 +19,7 @@ if [ "$CONFIG_IP6_NF_IPTABLES" != "n" ]; + dep_tristate ' limit match support' CONFIG_IP6_NF_MATCH_LIMIT $CONFIG_IP6_NF_IPTABLES + dep_tristate ' condition match support' CONFIG_IP6_NF_MATCH_CONDITION $CONFIG_IP6_NF_IPTABLES + dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES ++ dep_tristate ' Random match support' CONFIG_IP6_NF_MATCH_RANDOM $CONFIG_IP6_NF_IPTABLES + if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then + dep_tristate ' Routing header match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_RT $CONFIG_IP6_NF_IPTABLES + fi +diff -Naurp linux-2.4.34/net/ipv6/netfilter/ip6t_random.c linux-2.4.34.patched/net/ipv6/netfilter/ip6t_random.c +--- linux-2.4.34/net/ipv6/netfilter/ip6t_random.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.4.34.patched/net/ipv6/netfilter/ip6t_random.c 2007-07-08 05:02:26.000000000 +0200 +@@ -0,0 +1,97 @@ ++/* ++ This is a module which is used for a "random" match support. ++ This file is distributed under the terms of the GNU General Public ++ License (GPL). Copies of the GPL can be obtained from: ++ ftp://prep.ai.mit.edu/pub/gnu/GPL ++ ++ 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation. 
++ 2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port ++*/ ++ ++#include <linux/module.h> ++#include <linux/skbuff.h> ++#include <linux/ip.h> ++#include <linux/random.h> ++#include <net/tcp.h> ++#include <linux/spinlock.h> ++#include <linux/netfilter_ipv6/ip6_tables.h> ++#include <linux/netfilter_ipv6/ip6t_random.h> ++ ++MODULE_LICENSE("GPL"); ++ ++static int ++ip6t_rand_match(const struct sk_buff *pskb, ++ const struct net_device *in, ++ const struct net_device *out, ++ const void *matchinfo, ++ int offset, ++ const void *hdr, ++ u_int16_t datalen, ++ int *hotdrop) ++{ ++ /* Parameters from userspace */ ++ const struct ip6t_rand_info *info = matchinfo; ++ u_int8_t random_number; ++ ++ /* get 1 random number from the kernel random number generation routine */ ++ get_random_bytes((void *)(&random_number), 1); ++ ++ /* Do we match ? */ ++ if (random_number <= info->average) ++ return 1; ++ else ++ return 0; ++} ++ ++static int ++ip6t_rand_checkentry(const char *tablename, ++ const struct ip6t_ip6 *e, ++ void *matchinfo, ++ unsigned int matchsize, ++ unsigned int hook_mask) ++{ ++ /* Parameters from userspace */ ++ const struct ip6t_rand_info *info = matchinfo; ++ ++ if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_rand_info))) { ++ printk("ip6t_random: matchsize %u != %u\n", matchsize, ++ IP6T_ALIGN(sizeof(struct ip6t_rand_info))); ++ return 0; ++ } ++ ++ /* must be 1 <= average % <= 99 */ ++ /* 1 x 2.55 = 2 */ ++ /* 99 x 2.55 = 252 */ ++ if ((info->average < 2) || (info->average > 252)) { ++ printk("ip6t_random: invalid average %u\n", info->average); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++static struct ip6t_match ip6t_rand_reg = { ++ {NULL, NULL}, ++ "random", ++ ip6t_rand_match, ++ ip6t_rand_checkentry, ++ NULL, ++ THIS_MODULE }; ++ ++static int __init init(void) ++{ ++ if (ip6t_register_match(&ip6t_rand_reg)) ++ return -EINVAL; ++ ++ printk("ip6t_random match loaded\n"); ++ return 0; ++} ++ ++static void __exit fini(void) ++{ ++ 
ip6t_unregister_match(&ip6t_rand_reg); ++ printk("ip6t_random match unloaded\n"); ++} ++ ++module_init(init); ++module_exit(fini); +diff -Naurp linux-2.4.34/net/ipv6/netfilter/Makefile linux-2.4.34.patched/net/ipv6/netfilter/Makefile +--- linux-2.4.34/net/ipv6/netfilter/Makefile 2007-07-08 05:01:42.000000000 +0200 ++++ linux-2.4.34.patched/net/ipv6/netfilter/Makefile 2007-07-08 05:02:26.000000000 +0200 +@@ -32,6 +32,7 @@ obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t + obj-$(CONFIG_IP6_NF_TARGET_IMQ) += ip6t_IMQ.o + obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o + obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o ++obj-$(CONFIG_IP6_NF_MATCH_RANDOM) += ip6t_random.o + obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o + + include $(TOPDIR)/Rules.make |
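Review bot: Both `ipt_rand_match` and `ip6t_rand_match` in this patch call `get_random_bytes()` for every packet they evaluate, which puts the kernel's CSPRNG on the per-packet path for a match that only needs a statistical coin flip; on a busy interface that is measurable work per packet driven by whatever traffic reaches the rule, and on a 2.4 pool it presumably also draws down the entropy accounting. A non-cryptographic source such as `net_random()` is the usual choice for this kind of match and is cheaper; if the CSPRNG is kept deliberately, the reason belongs in the comment above the call. Separately, the `<=` comparison against a single byte means the match probability is `(average + 1) / 256`, so the accepted range 2..252 in both checkentry functions corresponds to roughly 1.2%..98.8% rather than the 1%..99% their comments describe; a comment like `/* matches with probability (average + 1) / 256; average 2..252 is about 1%..99% */` would make the contract explicit. The `printk` calls in both modules also lack a `KERN_*` level prefix, so their messages are logged at the default level.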