parent
62e1634ed9
commit
e5520b8853
|
@ -71,6 +71,9 @@ IPT_IPOPT-$(CONFIG_IP_NF_MATCH_MARK) += $(P_V4)ipt_mark
|
|||
IPT_IPOPT-$(CONFIG_NETFILTER_XT_MATCH_MARK) += $(P_XT)xt_mark
|
||||
IPT_IPOPT-$(CONFIG_IP_NF_TARGET_MARK) += $(P_V4)ipt_MARK
|
||||
IPT_IPOPT-$(CONFIG_NETFILTER_XT_TARGET_MARK) += $(P_XT)xt_MARK
|
||||
ifeq ($(CONFIG_LINUX_2_4),y)
|
||||
IPT_IPOPT-$(CONFIG_NETFILTER_XT_TARGET_MARK) += $(P_V4)ipt_random
|
||||
endif
|
||||
IPT_IPOPT-$(CONFIG_IP_NF_MATCH_TCPMSS) += $(P_V4)ipt_tcpmss
|
||||
IPT_IPOPT-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += $(P_XT)xt_tcpmss
|
||||
IPT_IPOPT-$(CONFIG_IP_NF_TARGET_TCPMSS) += $(P_V4)ipt_TCPMSS
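Review bot: The `ipt_random` entry is keyed on `CONFIG_NETFILTER_XT_TARGET_MARK`, the same symbol as the `xt_MARK` line above it, rather than on the `CONFIG_IP_NF_MATCH_RANDOM` symbol that the kernel patch in this same commit introduces. The `+` markers are lost on this page, so treating the `ifeq`/`endif` lines as the new ones is inferred from the hunk counts. As written, the userspace extension is selected whenever the MARK target is enabled, even if the random match module is not built, and firewall rules using `-m random` would then fail to load. If that coupling is not intended, the line would read `IPT_IPOPT-$(CONFIG_IP_NF_MATCH_RANDOM) += $(P_V4)ipt_random`; if it is intended, a one-line comment saying why would help.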
|
||||
|
|
|
@ -0,0 +1,318 @@
|
|||
diff -Naurp linux-2.4.34/Documentation/Configure.help linux-2.4.34.patched/Documentation/Configure.help
|
||||
--- linux-2.4.34/Documentation/Configure.help 2007-07-08 05:01:42.000000000 +0200
|
||||
+++ linux-2.4.34.patched/Documentation/Configure.help 2007-07-08 05:02:26.000000000 +0200
|
||||
@@ -2914,6 +2914,15 @@ CONFIG_IP_NF_MATCH_MAC
|
||||
If you want to compile it as a module, say M here and read
|
||||
<file:Documentation/modules.txt>. If unsure, say `N'.
|
||||
|
||||
+Random match support
|
||||
+CONFIG_IP_NF_MATCH_RANDOM
|
||||
+ This option adds a `random' match,
|
||||
+ which allow you to match packets randomly
|
||||
+ following a given probability.
|
||||
+
|
||||
+ If you want to compile it as a module, say M here and read
|
||||
+ Documentation/modules.txt. If unsure, say `N'.
|
||||
+
|
||||
Netfilter MARK match support
|
||||
CONFIG_IP_NF_MATCH_MARK
|
||||
Netfilter mark matching allows you to match packets based on the
|
||||
@@ -3221,6 +3230,7 @@ CONFIG_IP_NF_MATCH_HELPER
|
||||
If you want to compile it as a module, say M here and read
|
||||
Documentation/modules.txt. If unsure, say `Y'.
|
||||
|
||||
+
|
||||
TCPMSS match support
|
||||
CONFIG_IP_NF_MATCH_TCPMSS
|
||||
This option adds a `tcpmss' match, which allows you to examine the
|
||||
@@ -3299,6 +3309,14 @@ CONFIG_IP6_NF_MATCH_MAC
|
||||
If you want to compile it as a module, say M here and read
|
||||
<file:Documentation/modules.txt>. If unsure, say `N'.
|
||||
|
||||
+CONFIG_IP6_NF_MATCH_RANDOM
|
||||
+ This option adds a `random' match,
|
||||
+ which allow you to match packets randomly
|
||||
+ following a given probability.
|
||||
+
|
||||
+ If you want to compile it as a module, say M here and read
|
||||
+ Documentation/modules.txt. If unsure, say `N'.
|
||||
+
|
||||
length match support
|
||||
CONFIG_IP6_NF_MATCH_LENGTH
|
||||
This option allows you to match the length of a packet against a
|
||||
diff -Naurp linux-2.4.34/include/linux/netfilter_ipv4/ipt_random.h linux-2.4.34.patched/include/linux/netfilter_ipv4/ipt_random.h
|
||||
--- linux-2.4.34/include/linux/netfilter_ipv4/ipt_random.h 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ linux-2.4.34.patched/include/linux/netfilter_ipv4/ipt_random.h 2007-07-08 05:02:26.000000000 +0200
|
||||
@@ -0,0 +1,11 @@
|
||||
+#ifndef _IPT_RAND_H
|
||||
+#define _IPT_RAND_H
|
||||
+
|
||||
+#include <linux/param.h>
|
||||
+#include <linux/types.h>
|
||||
+
|
||||
+struct ipt_rand_info {
|
||||
+ u_int8_t average;
|
||||
+};
|
||||
+
|
||||
+#endif /*_IPT_RAND_H*/
|
||||
diff -Naurp linux-2.4.34/include/linux/netfilter_ipv6/ip6t_random.h linux-2.4.34.patched/include/linux/netfilter_ipv6/ip6t_random.h
|
||||
--- linux-2.4.34/include/linux/netfilter_ipv6/ip6t_random.h 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ linux-2.4.34.patched/include/linux/netfilter_ipv6/ip6t_random.h 2007-07-08 05:02:26.000000000 +0200
|
||||
@@ -0,0 +1,11 @@
|
||||
+#ifndef _IP6T_RAND_H
|
||||
+#define _IP6T_RAND_H
|
||||
+
|
||||
+#include <linux/param.h>
|
||||
+#include <linux/types.h>
|
||||
+
|
||||
+struct ip6t_rand_info {
|
||||
+ u_int8_t average;
|
||||
+};
|
||||
+
|
||||
+#endif /*_IP6T_RAND_H*/
|
||||
diff -Naurp linux-2.4.34/net/ipv4/netfilter/Config.in linux-2.4.34.patched/net/ipv4/netfilter/Config.in
|
||||
--- linux-2.4.34/net/ipv4/netfilter/Config.in 2007-07-08 05:01:42.000000000 +0200
|
||||
+++ linux-2.4.34.patched/net/ipv4/netfilter/Config.in 2007-07-08 05:03:32.000000000 +0200
|
||||
@@ -32,6 +32,7 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ];
|
||||
dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
|
||||
dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
|
||||
dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
|
||||
+ dep_tristate ' random match support' CONFIG_IP_NF_MATCH_RANDOM $CONFIG_IP_NF_IPTABLES
|
||||
dep_tristate ' TIME match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_TIME $CONFIG_IP_NF_IPTABLES
|
||||
dep_tristate ' condition match support' CONFIG_IP_NF_MATCH_CONDITION $CONFIG_IP_NF_IPTABLES
|
||||
dep_tristate ' recent match support' CONFIG_IP_NF_MATCH_RECENT $CONFIG_IP_NF_IPTABLES
|
||||
diff -Naurp linux-2.4.34/net/ipv4/netfilter/ipt_random.c linux-2.4.34.patched/net/ipv4/netfilter/ipt_random.c
|
||||
--- linux-2.4.34/net/ipv4/netfilter/ipt_random.c 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ linux-2.4.34.patched/net/ipv4/netfilter/ipt_random.c 2007-07-08 05:02:26.000000000 +0200
|
||||
@@ -0,0 +1,96 @@
|
||||
+/*
|
||||
+ This is a module which is used for a "random" match support.
|
||||
+ This file is distributed under the terms of the GNU General Public
|
||||
+ License (GPL). Copies of the GPL can be obtained from:
|
||||
+ ftp://prep.ai.mit.edu/pub/gnu/GPL
|
||||
+
|
||||
+ 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation.
|
||||
+*/
|
||||
+
|
||||
+#include <linux/module.h>
|
||||
+#include <linux/skbuff.h>
|
||||
+#include <linux/ip.h>
|
||||
+#include <linux/random.h>
|
||||
+#include <net/tcp.h>
|
||||
+#include <linux/spinlock.h>
|
||||
+#include <linux/netfilter_ipv4/ip_tables.h>
|
||||
+#include <linux/netfilter_ipv4/ipt_random.h>
|
||||
+
|
||||
+MODULE_LICENSE("GPL");
|
||||
+
|
||||
+static int
|
||||
+ipt_rand_match(const struct sk_buff *pskb,
|
||||
+ const struct net_device *in,
|
||||
+ const struct net_device *out,
|
||||
+ const void *matchinfo,
|
||||
+ int offset,
|
||||
+ const void *hdr,
|
||||
+ u_int16_t datalen,
|
||||
+ int *hotdrop)
|
||||
+{
|
||||
+ /* Parameters from userspace */
|
||||
+ const struct ipt_rand_info *info = matchinfo;
|
||||
+ u_int8_t random_number;
|
||||
+
|
||||
+ /* get 1 random number from the kernel random number generation routine */
|
||||
+ get_random_bytes((void *)(&random_number), 1);
|
||||
+
|
||||
+ /* Do we match ? */
|
||||
+ if (random_number <= info->average)
|
||||
+ return 1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+ipt_rand_checkentry(const char *tablename,
|
||||
+ const struct ipt_ip *e,
|
||||
+ void *matchinfo,
|
||||
+ unsigned int matchsize,
|
||||
+ unsigned int hook_mask)
|
||||
+{
|
||||
+ /* Parameters from userspace */
|
||||
+ const struct ipt_rand_info *info = matchinfo;
|
||||
+
|
||||
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_rand_info))) {
|
||||
+ printk("ipt_random: matchsize %u != %u\n", matchsize,
|
||||
+ IPT_ALIGN(sizeof(struct ipt_rand_info)));
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* must be 1 <= average % <= 99 */
|
||||
+ /* 1 x 2.55 = 2 */
|
||||
+ /* 99 x 2.55 = 252 */
|
||||
+ if ((info->average < 2) || (info->average > 252)) {
|
||||
+ printk("ipt_random: invalid average %u\n", info->average);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static struct ipt_match ipt_rand_reg = {
|
||||
+ {NULL, NULL},
|
||||
+ "random",
|
||||
+ ipt_rand_match,
|
||||
+ ipt_rand_checkentry,
|
||||
+ NULL,
|
||||
+ THIS_MODULE };
|
||||
+
|
||||
+static int __init init(void)
|
||||
+{
|
||||
+ if (ipt_register_match(&ipt_rand_reg))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ printk("ipt_random match loaded\n");
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void __exit fini(void)
|
||||
+{
|
||||
+ ipt_unregister_match(&ipt_rand_reg);
|
||||
+ printk("ipt_random match unloaded\n");
|
||||
+}
|
||||
+
|
||||
+module_init(init);
|
||||
+module_exit(fini);
|
||||
diff -Naurp linux-2.4.34/net/ipv4/netfilter/Makefile linux-2.4.34.patched/net/ipv4/netfilter/Makefile
|
||||
--- linux-2.4.34/net/ipv4/netfilter/Makefile 2007-07-08 05:01:42.000000000 +0200
|
||||
+++ linux-2.4.34.patched/net/ipv4/netfilter/Makefile 2007-07-08 05:02:26.000000000 +0200
|
||||
@@ -102,6 +102,8 @@ obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos
|
||||
obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
|
||||
obj-$(CONFIG_IP_NF_MATCH_CONDITION) += ipt_condition.o
|
||||
|
||||
+obj-$(CONFIG_IP_NF_MATCH_RANDOM) += ipt_random.o
|
||||
+
|
||||
obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
|
||||
|
||||
obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
|
||||
diff -Naurp linux-2.4.34/net/ipv6/netfilter/Config.in linux-2.4.34.patched/net/ipv6/netfilter/Config.in
|
||||
--- linux-2.4.34/net/ipv6/netfilter/Config.in 2007-07-08 05:01:42.000000000 +0200
|
||||
+++ linux-2.4.34.patched/net/ipv6/netfilter/Config.in 2007-07-08 05:02:26.000000000 +0200
|
||||
@@ -19,6 +19,7 @@ if [ "$CONFIG_IP6_NF_IPTABLES" != "n" ];
|
||||
dep_tristate ' limit match support' CONFIG_IP6_NF_MATCH_LIMIT $CONFIG_IP6_NF_IPTABLES
|
||||
dep_tristate ' condition match support' CONFIG_IP6_NF_MATCH_CONDITION $CONFIG_IP6_NF_IPTABLES
|
||||
dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
|
||||
+ dep_tristate ' Random match support' CONFIG_IP6_NF_MATCH_RANDOM $CONFIG_IP6_NF_IPTABLES
|
||||
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
|
||||
dep_tristate ' Routing header match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_RT $CONFIG_IP6_NF_IPTABLES
|
||||
fi
|
||||
diff -Naurp linux-2.4.34/net/ipv6/netfilter/ip6t_random.c linux-2.4.34.patched/net/ipv6/netfilter/ip6t_random.c
|
||||
--- linux-2.4.34/net/ipv6/netfilter/ip6t_random.c 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ linux-2.4.34.patched/net/ipv6/netfilter/ip6t_random.c 2007-07-08 05:02:26.000000000 +0200
|
||||
@@ -0,0 +1,97 @@
|
||||
+/*
|
||||
+ This is a module which is used for a "random" match support.
|
||||
+ This file is distributed under the terms of the GNU General Public
|
||||
+ License (GPL). Copies of the GPL can be obtained from:
|
||||
+ ftp://prep.ai.mit.edu/pub/gnu/GPL
|
||||
+
|
||||
+ 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial implementation.
|
||||
+ 2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port
|
||||
+*/
|
||||
+
|
||||
+#include <linux/module.h>
|
||||
+#include <linux/skbuff.h>
|
||||
+#include <linux/ip.h>
|
||||
+#include <linux/random.h>
|
||||
+#include <net/tcp.h>
|
||||
+#include <linux/spinlock.h>
|
||||
+#include <linux/netfilter_ipv6/ip6_tables.h>
|
||||
+#include <linux/netfilter_ipv6/ip6t_random.h>
|
||||
+
|
||||
+MODULE_LICENSE("GPL");
|
||||
+
|
||||
+static int
|
||||
+ip6t_rand_match(const struct sk_buff *pskb,
|
||||
+ const struct net_device *in,
|
||||
+ const struct net_device *out,
|
||||
+ const void *matchinfo,
|
||||
+ int offset,
|
||||
+ const void *hdr,
|
||||
+ u_int16_t datalen,
|
||||
+ int *hotdrop)
|
||||
+{
|
||||
+ /* Parameters from userspace */
|
||||
+ const struct ip6t_rand_info *info = matchinfo;
|
||||
+ u_int8_t random_number;
|
||||
+
|
||||
+ /* get 1 random number from the kernel random number generation routine */
|
||||
+ get_random_bytes((void *)(&random_number), 1);
|
||||
+
|
||||
+ /* Do we match ? */
|
||||
+ if (random_number <= info->average)
|
||||
+ return 1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+ip6t_rand_checkentry(const char *tablename,
|
||||
+ const struct ip6t_ip6 *e,
|
||||
+ void *matchinfo,
|
||||
+ unsigned int matchsize,
|
||||
+ unsigned int hook_mask)
|
||||
+{
|
||||
+ /* Parameters from userspace */
|
||||
+ const struct ip6t_rand_info *info = matchinfo;
|
||||
+
|
||||
+ if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_rand_info))) {
|
||||
+ printk("ip6t_random: matchsize %u != %u\n", matchsize,
|
||||
+ IP6T_ALIGN(sizeof(struct ip6t_rand_info)));
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* must be 1 <= average % <= 99 */
|
||||
+ /* 1 x 2.55 = 2 */
|
||||
+ /* 99 x 2.55 = 252 */
|
||||
+ if ((info->average < 2) || (info->average > 252)) {
|
||||
+ printk("ip6t_random: invalid average %u\n", info->average);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static struct ip6t_match ip6t_rand_reg = {
|
||||
+ {NULL, NULL},
|
||||
+ "random",
|
||||
+ ip6t_rand_match,
|
||||
+ ip6t_rand_checkentry,
|
||||
+ NULL,
|
||||
+ THIS_MODULE };
|
||||
+
|
||||
+static int __init init(void)
|
||||
+{
|
||||
+ if (ip6t_register_match(&ip6t_rand_reg))
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ printk("ip6t_random match loaded\n");
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void __exit fini(void)
|
||||
+{
|
||||
+ ip6t_unregister_match(&ip6t_rand_reg);
|
||||
+ printk("ip6t_random match unloaded\n");
|
||||
+}
|
||||
+
|
||||
+module_init(init);
|
||||
+module_exit(fini);
|
||||
diff -Naurp linux-2.4.34/net/ipv6/netfilter/Makefile linux-2.4.34.patched/net/ipv6/netfilter/Makefile
|
||||
--- linux-2.4.34/net/ipv6/netfilter/Makefile 2007-07-08 05:01:42.000000000 +0200
|
||||
+++ linux-2.4.34.patched/net/ipv6/netfilter/Makefile 2007-07-08 05:02:26.000000000 +0200
|
||||
@@ -32,6 +32,7 @@ obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t
|
||||
obj-$(CONFIG_IP6_NF_TARGET_IMQ) += ip6t_IMQ.o
|
||||
obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
|
||||
obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
|
||||
+obj-$(CONFIG_IP6_NF_MATCH_RANDOM) += ip6t_random.o
|
||||
obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
|
||||
|
||||
include $(TOPDIR)/Rules.make
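Review bot: In `ipt_rand_match` (net/ipv4/netfilter/ipt_random.c), and identically in `ip6t_rand_match`, every packet that reaches the rule calls `get_random_bytes()`, so remote traffic sets the rate at which the kernel's cryptographic RNG is drawn from. On a 2.4 kernel this probably also debits the entropy estimate that blocking `/dev/random` readers wait on, which should be confirmed against this tree's random driver. A statistical match does not need unpredictable bytes, so a cheap non-cryptographic source would do, e.g. `random_number = net_random() & 0xff;` if that helper is available in this tree. Separately, `random_number <= info->average` matches average+1 of the 256 possible byte values, slightly above the rate the checkentry comments compute; `random_number < info->average` would line up with the accepted 2..252 range. The struct field would also benefit from a comment such as `/* average: match probability scaled to 0..255 (percent x 2.55) */`.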
|