Updated iptables (1.4.6).

This commit is contained in:
Arne Fitzenreiter
2010-02-14 11:13:20 +01:00
parent 71a6a98ddb
commit 3dad55587b
4 changed files with 792 additions and 18 deletions


@@ -24,7 +24,7 @@
include Config
VER = 1.4.2
VER = 1.4.6
THISAPP = iptables-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -36,17 +36,17 @@ TARGET = $(DIR_INFO)/$(THISAPP)
# Top-level Rules
###############################################################################
objects = $(DL_FILE) \
netfilter-layer7-v2.21.tar.gz \
netfilter-layer7-v2.22.tar.gz \
libnfnetlink-0.0.41.tar.bz2 \
libnetfilter_queue-0.0.17.tar.bz2
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
netfilter-layer7-v2.21.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.21.tar.gz
netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.22.tar.gz
libnfnetlink-0.0.41.tar.bz2 = $(URL_IPFIRE)/libnfnetlink-0.0.41.tar.bz2
libnetfilter_queue-0.0.17.tar.bz2 = $(URL_IPFIRE)/libnetfilter_queue-0.0.17.tar.bz2
$(DL_FILE)_MD5 = a138d1c2e74321e0e4e228a9fb301c9a
netfilter-layer7-v2.21.tar.gz_MD5 = 838422e7d9a06b42e682e9064e5210b5
$(DL_FILE)_MD5 = c67cf30e281a924def6426be0973df56
netfilter-layer7-v2.22.tar.gz_MD5 = 98dff8a3d5a31885b73341633f69501f
libnfnetlink-0.0.41.tar.bz2_MD5 = 5d844ea1f557bad0364d5b85cd10c796
libnetfilter_queue-0.0.17.tar.bz2_MD5 = 2cde35e678ead3a8f9eb896bf807a159
@@ -80,18 +80,21 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-0.0.41 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.17
@cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.21.tar.gz
cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/* \
-cd /usr/include && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.6-errorno_includes.patch
cp -rf /usr/src/linux/include/linux/netfilter /usr/include/linux
# Layer7
cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.22.tar.gz
cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
./extensions/
# ipp2p 0.8.2-pomng
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.1.1-ipp2p-0.8.2-pomng.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.6-ipp2p-0.8.2-pomng.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.2-imq.patch
# imq
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.6-imq_test1.patch
chmod +x $(DIR_APP)/extensions/.IMQ-test*
# hack to disable IPv6 compilation as the configuration variable does not work when ip6.h is present
# cd $(DIR_APP) && sed -i -e 's/DO_IPV6:=1/DO_IPV6:=0/' Makefile
cd $(DIR_APP) && ./configure --prefix=/usr --with-ksource=/usr/src/linux \
--libdir=/lib --includedir=/usr/include --enable-libipq \
--libexecdir=/lib --bindir=/sbin \
@@ -99,13 +102,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
cd $(DIR_APP) && cp -fva include/* /usr/include
-mkdir /usr/include/libiptc
cd $(DIR_APP) && cp -vf include/libiptc/{libiptc.h,ipt_kernel_headers.h} \
/usr/include/libiptc
cd $(DIR_APP) && cp -vf libiptc/{*.o,*.a} \
/lib
cd $(DIR_SRC) && tar xfj $(DIR_DL)/libnfnetlink-0.0.41.tar.bz2
cd $(DIR_SRC)/libnfnetlink-0.0.41 && ./configure --prefix=/usr
cd $(DIR_SRC)/libnfnetlink-0.0.41 && make $(MAKETUNING) $(EXTRA_MAKE)
@@ -115,5 +111,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_SRC)/libnetfilter_queue-0.0.17 && ./configure --prefix=/usr
cd $(DIR_SRC)/libnetfilter_queue-0.0.17 && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_SRC)/libnetfilter_queue-0.0.17 && make install
@rm -rf $(DIR_APP) $(DIR_SRC)/libnfnetlink-0.0.41 $(DIR_SRC)/netfilter-layer7* $(DIR_SRC)/libnetfilter_queue-0.0.17
@$(POSTBUILD)
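Review bot: The recipe line `-cd /usr/include && patch -Np1 < $(DIR_SRC)/src/patches/iptables-1.4.6-errorno_includes.patch` patches the build host's system headers in place, and if the leading `-` is make's ignore-errors prefix rather than a diff marker lost in rendering, a rejected or already-applied patch leaves /usr/include in an unknown state while the build carries on. The following `cp -rf /usr/src/linux/include/linux/netfilter /usr/include/linux` mutates the host the same way, and neither step is undone by the `@rm -rf` cleanup at the end of the target, so a second build on the same host sees different headers than the first. Consider applying the errno patch to a build-local copy of the headers that the configure step points at, or at least dropping the `-` so a failed patch fails the build. The enclosing `$(TARGET)` rule starts before this hunk.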


@@ -0,0 +1,170 @@
diff -Naur include.org/asm/errno.h include/asm/errno.h
--- include.org/asm/errno.h 2010-02-12 18:21:40.000000000 +0100
+++ include/asm/errno.h 2010-02-12 18:19:41.000000000 +0100
@@ -5,4 +5,8 @@
#include <linux/errno.h>
#endif
+#ifndef _ASM_GENERIC_ERRNO_H
+ #include <asm-generic/errno.h>
+#endif
+
#endif
diff -Naur include.org/asm-generic/errno-base.h include/asm-generic/errno-base.h
--- include.org/asm-generic/errno-base.h 1970-01-01 01:00:00.000000000 +0100
+++ include/asm-generic/errno-base.h 2010-02-09 13:57:19.000000000 +0100
@@ -0,0 +1,39 @@
+#ifndef _ASM_GENERIC_ERRNO_BASE_H
+#define _ASM_GENERIC_ERRNO_BASE_H
+
+#define EPERM 1 /* Operation not permitted */
+#define ENOENT 2 /* No such file or directory */
+#define ESRCH 3 /* No such process */
+#define EINTR 4 /* Interrupted system call */
+#define EIO 5 /* I/O error */
+#define ENXIO 6 /* No such device or address */
+#define E2BIG 7 /* Argument list too long */
+#define ENOEXEC 8 /* Exec format error */
+#define EBADF 9 /* Bad file number */
+#define ECHILD 10 /* No child processes */
+#define EAGAIN 11 /* Try again */
+#define ENOMEM 12 /* Out of memory */
+#define EACCES 13 /* Permission denied */
+#define EFAULT 14 /* Bad address */
+#define ENOTBLK 15 /* Block device required */
+#define EBUSY 16 /* Device or resource busy */
+#define EEXIST 17 /* File exists */
+#define EXDEV 18 /* Cross-device link */
+#define ENODEV 19 /* No such device */
+#define ENOTDIR 20 /* Not a directory */
+#define EISDIR 21 /* Is a directory */
+#define EINVAL 22 /* Invalid argument */
+#define ENFILE 23 /* File table overflow */
+#define EMFILE 24 /* Too many open files */
+#define ENOTTY 25 /* Not a typewriter */
+#define ETXTBSY 26 /* Text file busy */
+#define EFBIG 27 /* File too large */
+#define ENOSPC 28 /* No space left on device */
+#define ESPIPE 29 /* Illegal seek */
+#define EROFS 30 /* Read-only file system */
+#define EMLINK 31 /* Too many links */
+#define EPIPE 32 /* Broken pipe */
+#define EDOM 33 /* Math argument out of domain of func */
+#define ERANGE 34 /* Math result not representable */
+
+#endif
diff -Naur include.org/asm-generic/errno.h include/asm-generic/errno.h
--- include.org/asm-generic/errno.h 1970-01-01 01:00:00.000000000 +0100
+++ include/asm-generic/errno.h 2010-02-09 13:57:19.000000000 +0100
@@ -0,0 +1,111 @@
+#ifndef _ASM_GENERIC_ERRNO_H
+#define _ASM_GENERIC_ERRNO_H
+
+#include <asm-generic/errno-base.h>
+
+#define EDEADLK 35 /* Resource deadlock would occur */
+#define ENAMETOOLONG 36 /* File name too long */
+#define ENOLCK 37 /* No record locks available */
+#define ENOSYS 38 /* Function not implemented */
+#define ENOTEMPTY 39 /* Directory not empty */
+#define ELOOP 40 /* Too many symbolic links encountered */
+#define EWOULDBLOCK EAGAIN /* Operation would block */
+#define ENOMSG 42 /* No message of desired type */
+#define EIDRM 43 /* Identifier removed */
+#define ECHRNG 44 /* Channel number out of range */
+#define EL2NSYNC 45 /* Level 2 not synchronized */
+#define EL3HLT 46 /* Level 3 halted */
+#define EL3RST 47 /* Level 3 reset */
+#define ELNRNG 48 /* Link number out of range */
+#define EUNATCH 49 /* Protocol driver not attached */
+#define ENOCSI 50 /* No CSI structure available */
+#define EL2HLT 51 /* Level 2 halted */
+#define EBADE 52 /* Invalid exchange */
+#define EBADR 53 /* Invalid request descriptor */
+#define EXFULL 54 /* Exchange full */
+#define ENOANO 55 /* No anode */
+#define EBADRQC 56 /* Invalid request code */
+#define EBADSLT 57 /* Invalid slot */
+
+#define EDEADLOCK EDEADLK
+
+#define EBFONT 59 /* Bad font file format */
+#define ENOSTR 60 /* Device not a stream */
+#define ENODATA 61 /* No data available */
+#define ETIME 62 /* Timer expired */
+#define ENOSR 63 /* Out of streams resources */
+#define ENONET 64 /* Machine is not on the network */
+#define ENOPKG 65 /* Package not installed */
+#define EREMOTE 66 /* Object is remote */
+#define ENOLINK 67 /* Link has been severed */
+#define EADV 68 /* Advertise error */
+#define ESRMNT 69 /* Srmount error */
+#define ECOMM 70 /* Communication error on send */
+#define EPROTO 71 /* Protocol error */
+#define EMULTIHOP 72 /* Multihop attempted */
+#define EDOTDOT 73 /* RFS specific error */
+#define EBADMSG 74 /* Not a data message */
+#define EOVERFLOW 75 /* Value too large for defined data type */
+#define ENOTUNIQ 76 /* Name not unique on network */
+#define EBADFD 77 /* File descriptor in bad state */
+#define EREMCHG 78 /* Remote address changed */
+#define ELIBACC 79 /* Can not access a needed shared library */
+#define ELIBBAD 80 /* Accessing a corrupted shared library */
+#define ELIBSCN 81 /* .lib section in a.out corrupted */
+#define ELIBMAX 82 /* Attempting to link in too many shared libraries */
+#define ELIBEXEC 83 /* Cannot exec a shared library directly */
+#define EILSEQ 84 /* Illegal byte sequence */
+#define ERESTART 85 /* Interrupted system call should be restarted */
+#define ESTRPIPE 86 /* Streams pipe error */
+#define EUSERS 87 /* Too many users */
+#define ENOTSOCK 88 /* Socket operation on non-socket */
+#define EDESTADDRREQ 89 /* Destination address required */
+#define EMSGSIZE 90 /* Message too long */
+#define EPROTOTYPE 91 /* Protocol wrong type for socket */
+#define ENOPROTOOPT 92 /* Protocol not available */
+#define EPROTONOSUPPORT 93 /* Protocol not supported */
+#define ESOCKTNOSUPPORT 94 /* Socket type not supported */
+#define EOPNOTSUPP 95 /* Operation not supported on transport endpoint */
+#define EPFNOSUPPORT 96 /* Protocol family not supported */
+#define EAFNOSUPPORT 97 /* Address family not supported by protocol */
+#define EADDRINUSE 98 /* Address already in use */
+#define EADDRNOTAVAIL 99 /* Cannot assign requested address */
+#define ENETDOWN 100 /* Network is down */
+#define ENETUNREACH 101 /* Network is unreachable */
+#define ENETRESET 102 /* Network dropped connection because of reset */
+#define ECONNABORTED 103 /* Software caused connection abort */
+#define ECONNRESET 104 /* Connection reset by peer */
+#define ENOBUFS 105 /* No buffer space available */
+#define EISCONN 106 /* Transport endpoint is already connected */
+#define ENOTCONN 107 /* Transport endpoint is not connected */
+#define ESHUTDOWN 108 /* Cannot send after transport endpoint shutdown */
+#define ETOOMANYREFS 109 /* Too many references: cannot splice */
+#define ETIMEDOUT 110 /* Connection timed out */
+#define ECONNREFUSED 111 /* Connection refused */
+#define EHOSTDOWN 112 /* Host is down */
+#define EHOSTUNREACH 113 /* No route to host */
+#define EALREADY 114 /* Operation already in progress */
+#define EINPROGRESS 115 /* Operation now in progress */
+#define ESTALE 116 /* Stale NFS file handle */
+#define EUCLEAN 117 /* Structure needs cleaning */
+#define ENOTNAM 118 /* Not a XENIX named type file */
+#define ENAVAIL 119 /* No XENIX semaphores available */
+#define EISNAM 120 /* Is a named type file */
+#define EREMOTEIO 121 /* Remote I/O error */
+#define EDQUOT 122 /* Quota exceeded */
+
+#define ENOMEDIUM 123 /* No medium found */
+#define EMEDIUMTYPE 124 /* Wrong medium type */
+#define ECANCELED 125 /* Operation Canceled */
+#define ENOKEY 126 /* Required key not available */
+#define EKEYEXPIRED 127 /* Key has expired */
+#define EKEYREVOKED 128 /* Key has been revoked */
+#define EKEYREJECTED 129 /* Key was rejected by service */
+
+/* for robust mutexes */
+#define EOWNERDEAD 130 /* Owner died */
+#define ENOTRECOVERABLE 131 /* State not recoverable */
+
+#define ERFKILL 132 /* Operation not possible due to RF-kill */
+
+#endif


@@ -0,0 +1,126 @@
diff -Naurw iptables-1.4.1/extensions/.IMQ-testx iptables-1.4.1.imq/extensions/.IMQ-testx
--- iptables-1.4.1/extensions/.IMQ-testx 1969-12-31 21:00:00.000000000 -0300
+++ iptables-1.4.1.imq/extensions/.IMQ-testx 2008-06-24 22:20:06.000000000 -0300
@@ -0,0 +1,3 @@
+#!/bin/sh
+# True if IMQ target patch is applied.
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_IMQ.h ] && echo IMQ
diff -Naurw iptables-1.4.1/extensions/libxt_IMQ.c iptables-1.4.1.imq/extensions/libxt_IMQ.c
--- iptables-1.4.1/extensions/libxt_IMQ.c 1969-12-31 21:00:00.000000000 -0300
+++ iptables-1.4.1.imq/extensions/libxt_IMQ.c 2008-06-24 22:31:02.000000000 -0300
@@ -0,0 +1,103 @@
+/* Shared library add-on to iptables to add IMQ target support. */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_IMQ.h>
+
+/* Function which prints out usage message. */
+static void IMQ_help(void)
+{
+ printf(
+"IMQ target options:\n"
+" --todev <N> enqueue to imq<N>, defaults to 0\n");
+
+}
+
+static struct option IMQ_opts[] = {
+ { "todev", 1, 0, '1' },
+ { 0 }
+};
+
+/* Initialize the target. */
+static void IMQ_init(struct xt_entry_target *t)
+{
+ struct xt_imq_info *mr = (struct xt_imq_info*)t->data;
+
+ mr->todev = 0;
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_imq_info *mr = (struct xt_imq_info*)(*target)->data;
+
+ switch(c) {
+ case '1':
+ if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
+ xtables_error(PARAMETER_PROBLEM,
+ "Unexpected `!' for --todev");
+ mr->todev=atoi(optarg);
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+/* Prints out the targinfo. */
+static void IMQ_print(const void *ip,
+ const struct xt_entry_target *target,
+ int numeric)
+{
+ struct xt_imq_info *mr = (struct xt_imq_info*)target->data;
+
+ printf("IMQ: todev %u ", mr->todev);
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void IMQ_save(const void *ip, const struct xt_entry_target *target)
+{
+ struct xt_imq_info *mr = (struct xt_imq_info*)target->data;
+
+ printf("--todev %u", mr->todev);
+}
+
+static struct xtables_target imq_target = {
+ .name = "IMQ",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_imq_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_imq_info)),
+ .help = IMQ_help,
+ .init = IMQ_init,
+ .parse = IMQ_parse,
+ .print = IMQ_print,
+ .save = IMQ_save,
+ .extra_opts = IMQ_opts,
+};
+
+static struct xtables_target imq_target6 = {
+ .name = "IMQ",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_imq_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_imq_info)),
+ .help = IMQ_help,
+ .init = IMQ_init,
+ .parse = IMQ_parse,
+ .print = IMQ_print,
+ .save = IMQ_save,
+ .extra_opts = IMQ_opts,
+};
+
+// void __attribute((constructor)) nf_ext_init(void){
+void _init(void){
+ xtables_register_target(&imq_target);
+ xtables_register_target(&imq_target6);
+}
--- iptables-1.4.1.1/include/linux/netfilter/xt_IMQ.h 1970-01-01 02:00:00.000000000 +0200
+++ iptables-1.4.1.1.new/include/linux/netfilter/xt_IMQ.h 2008-08-05 00:41:28.000000000 +0300
@@ -0,0 +1,9 @@
+#ifndef _XT_IMQ_H
+#define _XT_IMQ_H
+
+struct xt_imq_info {
+ unsigned int todev; /* target imq device */
+};
+
+#endif /* _XT_IMQ_H */
+
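Review bot: `mr->todev=atoi(optarg);` in IMQ_parse accepts any string: non-numeric input silently becomes device 0 and a negative value wraps into the unsigned `todev` field, so a typo in `--todev` yields a rule that enqueues to the wrong interface with no error. The xtables API already has a checked conversion; `if (!xtables_strtoui(optarg, NULL, &mr->todev, 0, UINT_MAX))` followed by `xtables_error(PARAMETER_PROBLEM, "IMQ: bad --todev value \"%s\"", optarg);` (UINT_MAX needs `<limits.h>`) rejects bad input the same way the existing `!` check does. The parser also never sets `*flags`, so a repeated `--todev` is accepted silently with the last value winning. The patch headers still name iptables-1.4.1 and 1.4.1.1 trees, so it presumably was written against an older release and applied to 1.4.6 unchanged.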


@@ -0,0 +1,481 @@
diff -Naur iptables-1.4.6.org/extensions/.ipp2p-test iptables-1.4.6/extensions/.ipp2p-test
--- iptables-1.4.6.org/extensions/.ipp2p-test 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.4.6/extensions/.ipp2p-test 2010-02-13 20:02:52.000000000 +0100
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipp2p.h ] && echo ipp2p
diff -Naur iptables-1.4.6.org/extensions/libipt_ipp2p.c iptables-1.4.6/extensions/libipt_ipp2p.c
--- iptables-1.4.6.org/extensions/libipt_ipp2p.c 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.4.6/extensions/libipt_ipp2p.c 2010-02-13 20:02:52.000000000 +0100
@@ -0,0 +1,424 @@
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ctype.h>
+
+#include <iptables.h>
+
+#include <linux/netfilter_ipv4/ipt_ipp2p.h>
+
+#ifndef XTABLES_VERSION
+#define XTABLES_VERSION IPTABLES_VERSION
+#endif
+
+#ifdef IPT_LIB_DIR
+#define xtables_target iptables_target
+#define xtables_register_target register_target
+#endif
+
+static void
+help(void)
+{
+ printf(
+ "IPP2P v%s options:\n"
+ " --ipp2p Grab all known p2p packets\n"
+ " --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets\n"
+ " --dc [TCP] All known Direct Connect packets\n"
+ " --kazaa [TCP&UDP] All known KaZaA packets\n"
+ " --gnu [TCP&UDP] All known Gnutella packets\n"
+ " --bit [TCP&UDP] All known BitTorrent packets\n"
+ " --apple [TCP] All known AppleJuice packets\n"
+ " --winmx [TCP] All known WinMX\n"
+ " --soul [TCP] All known SoulSeek\n"
+ " --ares [TCP] All known Ares\n\n"
+ " EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n"
+ " --mute [TCP] All known Mute packets\n"
+ " --waste [TCP] All known Waste packets\n"
+ " --xdcc [TCP] All known XDCC packets (only xdcc login)\n\n"
+ " DEBUG SUPPPORT, use only if you know why\n"
+ " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
+ "\nNote that the follwing options will have the same meaning:\n"
+ " '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'\n"
+ "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
+ "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
+ "\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
+ "\nExamples:\n"
+ " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
+ " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
+ " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
+ , IPP2P_VERSION);
+}
+
+static struct option opts[] = {
+ { "ipp2p", 0, 0, '1' },
+ { "edk", 0, 0, '2' },
+ { "dc", 0, 0, '7' },
+ { "gnu", 0, 0, '9' },
+ { "kazaa", 0, 0, 'a' },
+ { "bit", 0, 0, 'b' },
+ { "apple", 0, 0, 'c' },
+ { "soul", 0, 0, 'd' },
+ { "winmx", 0, 0, 'e' },
+ { "ares", 0, 0, 'f' },
+ { "mute", 0, 0, 'g' },
+ { "waste", 0, 0, 'h' },
+ { "xdcc", 0, 0, 'i' },
+ { "debug", 0, 0, 'j' },
+ {0}
+};
+
+
+static void
+#ifdef _XTABLES_H
+init(struct xt_entry_match *m)
+#else
+init(struct ipt_entry_match *t, unsigned int *nfcache)
+#endif
+{
+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data;
+
+#ifndef _XTABLES_H
+ *nfcache |= NFC_UNKNOWN;
+#endif
+
+ /*init the module with default values*/
+ info->cmd = 0;
+ info->debug = 0;
+
+}
+
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+#ifdef _XTABLES_H
+ const void *entry, struct xt_entry_match **match)
+#else
+ const struct ipt_entry *entry, unsigned int *nfcache, struct ipt_entry_match **match)
+#endif
+{
+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data;
+
+ switch (c) {
+ case '1': /*cmd: ipp2p*/
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified once!");
+
+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p-data' may only be "
+ "specified alone!");
+*/
+
+ if ((*flags) != 0)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += SHORT_HAND_IPP2P;
+ info->cmd = *flags;
+ break;
+
+ case '2': /*cmd: edk*/
+ if ((*flags & IPP2P_EDK) == IPP2P_EDK)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--edk' may only be "
+ "specified once");
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p-data' may only be "
+ "specified alone!");*/
+ if ((*flags & IPP2P_DATA_EDK) == IPP2P_DATA_EDK)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: use `--edk' OR `--edk-data' but not both of them!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_EDK;
+ info->cmd = *flags;
+ break;
+
+
+ case '7': /*cmd: dc*/
+ if ((*flags & IPP2P_DC) == IPP2P_DC)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--dc' may only be "
+ "specified once!");
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p-data' may only be "
+ "specified alone!");*/
+ if ((*flags & IPP2P_DATA_DC) == IPP2P_DATA_DC)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: use `--dc' OR `--dc-data' but not both of them!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_DC;
+ info->cmd = *flags;
+ break;
+
+
+ case '9': /*cmd: gnu*/
+ if ((*flags & IPP2P_GNU) == IPP2P_GNU)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--gnu' may only be "
+ "specified once!");
+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p-data' may only be "
+ "specified alone!");*/
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+ if ((*flags & IPP2P_DATA_GNU) == IPP2P_DATA_GNU)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: use `--gnu' OR `--gnu-data' but not both of them!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_GNU;
+ info->cmd = *flags;
+ break;
+
+ case 'a': /*cmd: kazaa*/
+ if ((*flags & IPP2P_KAZAA) == IPP2P_KAZAA)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--kazaa' may only be "
+ "specified once!");
+/* if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p-data' may only be "
+ "specified alone!");*/
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+ if ((*flags & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_KAZAA;
+ info->cmd = *flags;
+ break;
+
+ case 'b': /*cmd: bit*/
+ if ((*flags & IPP2P_BIT) == IPP2P_BIT)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--bit' may only be "
+ "specified once!");
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_BIT;
+ info->cmd = *flags;
+ break;
+
+ case 'c': /*cmd: apple*/
+ if ((*flags & IPP2P_APPLE) == IPP2P_APPLE)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--apple' may only be "
+ "specified once!");
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_APPLE;
+ info->cmd = *flags;
+ break;
+
+
+ case 'd': /*cmd: soul*/
+ if ((*flags & IPP2P_SOUL) == IPP2P_SOUL)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--soul' may only be "
+ "specified once!");
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_SOUL;
+ info->cmd = *flags;
+ break;
+
+
+ case 'e': /*cmd: winmx*/
+ if ((*flags & IPP2P_WINMX) == IPP2P_WINMX)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--winmx' may only be "
+ "specified once!");
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_WINMX;
+ info->cmd = *flags;
+ break;
+
+ case 'f': /*cmd: ares*/
+ if ((*flags & IPP2P_ARES) == IPP2P_ARES)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ares' may only be "
+ "specified once!");
+ if ((*flags & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ipp2p' may only be "
+ "specified alone!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_ARES;
+ info->cmd = *flags;
+ break;
+
+ case 'g': /*cmd: mute*/
+ if ((*flags & IPP2P_MUTE) == IPP2P_MUTE)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--mute' may only be "
+ "specified once!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_MUTE;
+ info->cmd = *flags;
+ break;
+ case 'h': /*cmd: waste*/
+ if ((*flags & IPP2P_WASTE) == IPP2P_WASTE)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--waste' may only be "
+ "specified once!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_WASTE;
+ info->cmd = *flags;
+ break;
+ case 'i': /*cmd: xdcc*/
+ if ((*flags & IPP2P_XDCC) == IPP2P_XDCC)
+ exit_error(PARAMETER_PROBLEM,
+ "ipp2p: `--ares' may only be "
+ "specified once!");
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ *flags += IPP2P_XDCC;
+ info->cmd = *flags;
+ break;
+
+ case 'j': /*cmd: debug*/
+ if (invert) exit_error(PARAMETER_PROBLEM, "ipp2p: invert [!] is not allowed!");
+ info->debug = 1;
+ break;
+
+ default:
+// exit_error(PARAMETER_PROBLEM,
+// "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
+ return 0;
+ }
+ return 1;
+}
+
+
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
+}
+
+static void
+#ifdef _XTABLES_H
+print(const void *ip,
+ const struct xt_entry_match *match,
+#else
+print(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match,
+#endif
+ int numeric)
+{
+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
+
+ printf("ipp2p v%s", IPP2P_VERSION);
+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf(" --ipp2p");
+// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf(" --ipp2p-data");
+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf(" --kazaa");
+// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf(" --kazaa-data");
+// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf(" --gnu-data");
+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf(" --gnu");
+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf(" --edk");
+// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf(" --edk-data");
+// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf(" --dc-data");
+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf(" --dc");
+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf(" --bit");
+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf(" --apple");
+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf(" --soul");
+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf(" --winmx");
+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf(" --ares");
+ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
+ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
+ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
+ if (info->debug != 0) printf(" --debug");
+ printf(" ");
+}
+
+static void
+#ifdef _XTABLES_H
+save(const void *ip,
+ const struct xt_entry_match *match)
+#else
+save(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match)
+#endif
+{
+ struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
+
+ if ((info->cmd & SHORT_HAND_IPP2P) == SHORT_HAND_IPP2P) printf("--ipp2p ");
+// if ((info->cmd & SHORT_HAND_DATA) == SHORT_HAND_DATA) printf("--ipp2p-data ");
+ if ((info->cmd & IPP2P_KAZAA) == IPP2P_KAZAA) printf("--kazaa ");
+// if ((info->cmd & IPP2P_DATA_KAZAA) == IPP2P_DATA_KAZAA) printf("--kazaa-data ");
+// if ((info->cmd & IPP2P_DATA_GNU) == IPP2P_DATA_GNU) printf("--gnu-data ");
+ if ((info->cmd & IPP2P_GNU) == IPP2P_GNU) printf("--gnu ");
+ if ((info->cmd & IPP2P_EDK) == IPP2P_EDK) printf("--edk ");
+// if ((info->cmd & IPP2P_DATA_EDK) == IPP2P_DATA_EDK) printf("--edk-data ");
+// if ((info->cmd & IPP2P_DATA_DC) == IPP2P_DATA_DC) printf("--dc-data ");
+ if ((info->cmd & IPP2P_DC) == IPP2P_DC) printf("--dc ");
+ if ((info->cmd & IPP2P_BIT) == IPP2P_BIT) printf("--bit ");
+ if ((info->cmd & IPP2P_APPLE) == IPP2P_APPLE) printf("--apple ");
+ if ((info->cmd & IPP2P_SOUL) == IPP2P_SOUL) printf("--soul ");
+ if ((info->cmd & IPP2P_WINMX) == IPP2P_WINMX) printf("--winmx ");
+ if ((info->cmd & IPP2P_ARES) == IPP2P_ARES) printf("--ares ");
+ if ((info->cmd & IPP2P_MUTE) == IPP2P_MUTE) printf(" --mute");
+ if ((info->cmd & IPP2P_WASTE) == IPP2P_WASTE) printf(" --waste");
+ if ((info->cmd & IPP2P_XDCC) == IPP2P_XDCC) printf(" --xdcc");
+ if (info->debug != 0) printf("--debug ");
+}
+
+
+static
+struct xtables_match ipp2p=
+{
+ .next = NULL,
+ .name = "ipp2p",
+ .version = XTABLES_VERSION,
+ .size = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
+ .help = &help,
+ .init = &init,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+
+
+void _init(void)
+{
+ xtables_register_match(&ipp2p);
+}
+
diff -Naur iptables-1.4.6.org/extensions/libipt_ipp2p.man iptables-1.4.6/extensions/libipt_ipp2p.man
--- iptables-1.4.6.org/extensions/libipt_ipp2p.man 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.4.6/extensions/libipt_ipp2p.man 2010-02-13 20:02:52.000000000 +0100
@@ -0,0 +1,43 @@
+This module matches certain packets in P2P flows. It is not
+designed to match all packets belonging to a P2P connection -
+use IPP2P together with CONNMARK for this purpose. Also visit
+http://www.ipp2p.org for detailed information.
+
+Use it together with -p tcp or -p udp to search these protocols
+only or without -p switch to search packets of both protocols.
+
+IPP2P provides the following options:
+.TP
+.B "--edk "
+Matches as many eDonkey/eMule packets as possible.
+.TP
+.B "--kazaa "
+Matches as many KaZaA packets as possible.
+.TP
+.B "--gnu "
+Matches as many Gnutella packets as possible.
+.TP
+.B "--dc "
+Matches as many Direct Connect packets as possible.
+.TP
+.B "--bit "
+Matches BitTorrent packets.
+.TP
+.B "--apple "
+Matches AppleJuice packets.
+.TP
+.B "--soul "
+Matches some SoulSeek packets. Considered as beta, use careful!
+.TP
+.B "--winmx "
+Matches some WinMX packets. Considered as beta, use careful!
+.TP
+.B "--ares "
+Matches Ares and AresLite packets. Use together with -j DROP only.
+.TP
+.B "--ipp2p "
+Short hand for: --edk --kazaa --gnu --dc
+.TP
+.B "--debug "
+Prints some information about each hit into kernel logfile. May
+produce huge logfiles so beware!
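Review bot: In `save()` the `--mute`, `--waste` and `--xdcc` lines print a leading space and no trailing one (`printf(" --mute")`) while every other option prints a trailing space, so a rule with e.g. `--mute --debug` is saved as `--mute--debug ` and cannot be read back by iptables-restore; change them to `printf("--mute ");`, `printf("--waste ");`, `printf("--xdcc ");`. Two more copy-paste slips in the same file: the `#ifndef _XTABLES_H` variant of `init()` names its parameter `t` but the body reads `m->data`, which cannot compile in that branch, and the `'i'` (xdcc) case reports that `--ares' may only be specified once`. The non-xtables branch looks dead for iptables 1.4.6 as far as I can tell, but it should either be fixed or removed rather than left uncompilable. The help text also carries typos in user-visible strings (`SUPPPORT`, `follwing`).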