diff options
Diffstat (limited to 'package/iptables')
26 files changed, 1886 insertions, 0 deletions
diff --git a/package/iptables/Makefile b/package/iptables/Makefile new file mode 100644 index 000000000..ff7d42821 --- /dev/null +++ b/package/iptables/Makefile @@ -0,0 +1,475 @@ +# +# Copyright (C) 2006-2012 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk +include $(INCLUDE_DIR)/kernel.mk + +PKG_NAME:=iptables +PKG_VERSION:=1.4.10 +PKG_RELEASE:=4 + +PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198 +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 +PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \ + ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \ + ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \ + ftp://ftp.no.netfilter.org/pub/netfilter/iptables/ + +PKG_FIXUP:=autoreconf +PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 + +ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"") +PATCH_DIR:= +endif + +include $(INCLUDE_DIR)/package.mk +ifeq ($(DUMP),) + -include $(LINUX_DIR)/.config + include $(INCLUDE_DIR)/netfilter.mk + STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s) +endif + + +define Package/iptables/Default + SECTION:=net + CATEGORY:=Network + SUBMENU:=Firewall + URL:=http://netfilter.org/ +endef + +define Package/iptables/Module +$(call Package/iptables/Default) + DEPENDS:=iptables $(1) +endef + +define Package/iptables +$(call Package/iptables/Default) + TITLE:=IPv4 firewall administration tool + MENU:=1 + DEPENDS+= +kmod-ipt-core +libip4tc +libxtables +endef + +define Package/iptables/description +IPv4 firewall administration tool. + + Matches: + - icmp + - tcp + - udp + - comment + - limit + - mac + - multiport + + Targets: + - ACCEPT + - DROP + - REJECT + - LOG + - TCPMSS + + Tables: + - filter + - mangle + +endef + +define Package/iptables-mod-conntrack-extra +$(call Package/iptables/Module, +kmod-ipt-conntrack-extra) + TITLE:=Extra connection tracking extensions +endef + +define Package/iptables-mod-conntrack-extra/description +Extra iptables extensions for connection tracking. + + Matches: + - connbytes + - connmark + - recent + - helper + + Targets: + - CONNMARK + +endef + +define Package/iptables-mod-filter +$(call Package/iptables/Module, +kmod-ipt-filter) + TITLE:=Content inspection extensions +endef + +define Package/iptables-mod-filter/description +iptables extensions for packet content inspection. +Includes support for: + + Matches: + - layer7 + - string + +endef + +define Package/iptables-mod-ipopt +$(call Package/iptables/Module, +kmod-ipt-ipopt) + TITLE:=IP/Packet option extensions +endef + +define Package/iptables-mod-ipopt/description +iptables extensions for matching/changing IP packet options. + + Matches: + - dscp + - ecn + - length + - mark + - statistic + - tcpmss + - time + - unclean + - hl + + Targets: + - DSCP + - CLASSIFY + - ECN + - MARK + - HL + +endef + +define Package/iptables-mod-ipsec +$(call Package/iptables/Module, +kmod-ipt-ipsec) + TITLE:=IPsec extensions +endef + +define Package/iptables-mod-ipsec/description +iptables extensions for matching ipsec traffic. + + Matches: + - ah + - esp + - policy + +endef + +define Package/iptables-mod-ipset +$(call Package/iptables/Module,) + TITLE:=IPset iptables extensions +endef + +define Package/iptables-mod-ipset/description +IPset iptables extensions. + + Matches: + - set + + Targets: + - SET + +endef + +define Package/iptables-mod-nat-extra +$(call Package/iptables/Module, +kmod-ipt-nat-extra) + TITLE:=Extra NAT extensions +endef + +define Package/iptables-mod-nat-extra/description +iptables extensions for extra NAT targets. + + Targets: + - MIRROR + - NETMAP + - REDIRECT +endef + +define Package/iptables-mod-ulog +$(call Package/iptables/Module, +kmod-ipt-ulog) + TITLE:=user-space packet logging +endef + +define Package/iptables-mod-ulog/description +iptables extensions for user-space packet logging. + + Targets: + - ULOG + +endef + +define Package/iptables-mod-hashlimit +$(call Package/iptables/Module, +kmod-ipt-hashlimit) + TITLE:=hashlimit matching +endef + +define Package/iptables-mod-hashlimit/description +iptables extensions for hashlimit matching + + Matches: + - hashlimit + +endef + +define Package/iptables-mod-iprange +$(call Package/iptables/Module, +kmod-ipt-iprange) + TITLE:=IP range extension +endef + +define Package/iptables-mod-iprange/description +iptables extensions for matching ip ranges. + + Matches: + - iprange + +endef + +define Package/iptables-mod-extra +$(call Package/iptables/Module, +kmod-ipt-extra) + TITLE:=Other extra iptables extensions +endef + +define Package/iptables-mod-extra/description +Other extra iptables extensions. + + Matches: + - condition + - owner + - physdev (if ebtables is enabled) + - pkttype + - quota + +endef + +define Package/iptables-mod-led +$(call Package/iptables/Module, +kmod-ipt-led) + TITLE:=LED trigger iptables extension +endef + +define Package/iptables-mod-led/description +iptables extension for triggering a LED. + + Targets: + - LED + +endef + +define Package/iptables-mod-tproxy +$(call Package/iptables/Module, +kmod-ipt-tproxy) + TITLE:=Transparent proxy iptables extensions +endef + +define Package/iptables-mod-tproxy/description +Transparent proxy iptables extensions. + + Matches: + - socket + + Targets: + - TPROXY + +endef + +define Package/iptables-mod-tee +$(call Package/iptables/Module, +kmod-ipt-tee) + TITLE:=TEE iptables extensions +endef + +define Package/iptables-mod-tee/description +TEE iptables extensions. + + Targets: + - TEE + +endef + +define Package/iptables-mod-u32 +$(call Package/iptables/Module, +kmod-ipt-u32) + TITLE:=U32 iptables extensions +endef + +define Package/iptables-mod-u32/description +U32 iptables extensions. + + Matches: + - u32 + +endef + +define Package/ip6tables +$(call Package/iptables/Default) + DEPENDS:=+kmod-ip6tables +libip6tc +libxtables + CATEGORY:=IPv6 + TITLE:=IPv6 firewall administration tool + MENU:=1 +endef + +define Package/libiptc +$(call Package/iptables/Default) + SECTION:=libs + CATEGORY:=Libraries + DEPENDS:=+libip4tc +libip6tc + TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub) +endef + +define Package/libip4tc +$(call Package/iptables/Default) + SECTION:=libs + CATEGORY:=Libraries + TITLE:=IPv4 firewall - shared libiptc library +endef + +define Package/libip6tc +$(call Package/iptables/Default) + SECTION:=libs + CATEGORY:=Libraries + TITLE:=IPv6 firewall - shared libiptc library +endef + +define Package/libxtables + $(call Package/iptables/Default) + SECTION:=libs + CATEGORY:=Libraries + TITLE:=IPv4/IPv6 firewall - shared xtables library +endef + +define Package/libipq + $(call Package/iptables/Default) + SECTION:=libs + CATEGORY:=Libraries + TITLE:=IPv4/IPv6 firewall - shared libipq library +endef + +TARGET_CPPFLAGS := \ + -I$(PKG_BUILD_DIR)/include \ + -I$(LINUX_DIR)/user_headers/include \ + $(TARGET_CPPFLAGS) + +TARGET_CFLAGS += \ + -I$(PKG_BUILD_DIR)/include \ + -I$(LINUX_DIR)/user_headers/include + +CONFIGURE_ARGS += \ + --enable-shared \ + --enable-devel \ + $(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \ + --enable-libipq \ + --with-kernel="$(LINUX_DIR)/user_headers" \ + --with-xtlibdir=/usr/lib/iptables \ + --enable-static + +MAKE_FLAGS := \ + $(TARGET_CONFIGURE_OPTS) \ + COPT_FLAGS="$(TARGET_CFLAGS)" \ + KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \ + KBUILD_OUTPUT="$(LINUX_DIR)" \ + BUILTIN_MODULES="$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m)))" + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(INSTALL_DIR) $(1)/usr/include/iptables + $(INSTALL_DIR) $(1)/usr/include/net/netfilter + + # XXX: iptables header fixup, some headers are not installed by iptables anymore + $(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h $(1)/usr/include/net/netfilter/ + $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/ + $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/ + $(CP) $(PKG_BUILD_DIR)/include/libipq/libipq.h $(1)/usr/include/ + $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/ + $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/ + + $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/ +endef + +define Package/iptables/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/ + $(LN) iptables $(1)/usr/sbin/iptables-save + $(LN) iptables $(1)/usr/sbin/iptables-restore + $(INSTALL_DIR) $(1)/usr/lib/iptables +endef + +define Package/ip6tables/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/ + $(LN) ip6tables $(1)/usr/sbin/ip6tables-save + $(LN) ip6tables $(1)/usr/sbin/ip6tables-restore + $(INSTALL_DIR) $(1)/usr/lib/iptables + (cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \ + $(CP) libip6t_*.so $(1)/usr/lib/iptables/ \ + ) +endef + +define Package/libiptc/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/ +endef + +define Package/libip4tc/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/ +endef + +define Package/libip6tc/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/ +endef + +define Package/libxtables/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/ +endef + +define Package/libipq/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/ +endef + +define BuildPlugin + define Package/$(1)/install + $(INSTALL_DIR) $$(1)/usr/lib/iptables + for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \ + if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \ + fi; \ + done + $(3) + endef + + $$(eval $$(call BuildPackage,$(1))) +endef + +L7_INSTALL:=\ + $(INSTALL_DIR) $$(1)/etc/l7-protocols; \ + $(CP) files/l7/*.pat $$(1)/etc/l7-protocols/ + + +$(eval $(call BuildPackage,iptables)) +$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m))) +$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m))) +$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL))) +$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m))) +$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m))) +$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET)) +$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m))) +$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m))) +$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m))) +$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m))) +$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m))) +$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m))) +$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m))) +$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m))) +$(eval $(call BuildPackage,ip6tables)) +$(eval $(call BuildPackage,libiptc)) +$(eval $(call BuildPackage,libip4tc)) +$(eval $(call BuildPackage,libip6tc)) +$(eval $(call BuildPackage,libxtables)) +$(eval $(call BuildPackage,libipq)) diff --git a/package/iptables/files/l7/aim.pat b/package/iptables/files/l7/aim.pat new file mode 100644 index 000000000..5c43930fd --- /dev/null +++ b/package/iptables/files/l7/aim.pat @@ -0,0 +1,28 @@ +# AIM - AOL instant messenger (OSCAR and TOC) +# Pattern attributes: good slow notsofast +# Protocol groups: chat proprietary +# Wiki: http://www.protocolinfo.org/wiki/AIM +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 5190 +# +# This may also match ICQ traffic. +# +# This pattern has been tested and is believed to work well. + +aim +# See http://gridley.res.carleton.edu/~straitm/final (and various other places) +# The first bit matches OSCAR signon and data commands, but not sure what +# \x03\x0b matches, but it works apparently. +# The next three bits match various parts of the TOC signon process. +# The third one is the magic number "*", then 0x01 for "signon", then up to four +# bytes ("up to" because l7-filter strips out nulls) which contain a sequence +# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), +# then 0x01 for the version number (not sure if there ever has been another +# version) +# The fourth one is a command string, followed by some stuff, then the +# beginning of the "roasted" password + +# This pattern is too slow! + +^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x diff --git a/package/iptables/files/l7/bittorrent.pat b/package/iptables/files/l7/bittorrent.pat new file mode 100644 index 000000000..4a3ba88d5 --- /dev/null +++ b/package/iptables/files/l7/bittorrent.pat @@ -0,0 +1,25 @@ +# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com +# Pattern attributes: good slow594 notsofast undermatch +# Protocol groups: p2p open_source +# Wiki: http://www.protocolinfo.org/wiki/Bittorrent +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This pattern has been tested and is believed to work well. +# It will, however, not work on bittorrent streams that are encrypted, since +# it's impossible to match (well) encrypted data. + +bittorrent + +# Does not attempt to match the HTTP download of the tracker +# 0x13 is the length of "bittorrent protocol" +# Second two bits match UDP wierdness +# Next bit matches something Azureus does +# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next +# packet and perhaps this will match multiple clients. +# bitcomet-specific strings contributed by liangjun. + +# This is not a valid GNU basic regular expression (but that's ok). +^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP] + +# This pattern is "fast", but won't catch as much +#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=) diff --git a/package/iptables/files/l7/edonkey.pat b/package/iptables/files/l7/edonkey.pat new file mode 100644 index 000000000..75807f8eb --- /dev/null +++ b/package/iptables/files/l7/edonkey.pat @@ -0,0 +1,37 @@ +# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others +# Pattern attributes: good veryfast fast overmatch +# Protocol groups: p2p +# Wiki: http://www.protocolinfo.org/wiki/EDonkey +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4 +# and a long time ago with something else. +# +# In addition to matching what you might expect, this matches much of +# what eMule does when you tell it to only connect to the KAD network. +# I don't quite know what to make of this. + +# Thanks to Matt Skidmore <fox AT woozle.org> + +edonkey + +# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6 +# +# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5. +# As of April 2006, I also see some \xe4. +# +# God this is a mess. What an irritating protocol. +# This will match about 2% of streams with random data in them! +# (But fortunately much fewer than 2% of streams that are other protocols. +# You can test this with the data in ../testing/) + +^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$) + +# matches everything and too much +# ^(\xe3|\xc5|\xd4) + +# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me. + +# bandwidtharbitrator uses +# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey +# no comments to explain what all the mush is, of course... diff --git a/package/iptables/files/l7/fasttrack.pat b/package/iptables/files/l7/fasttrack.pat new file mode 100644 index 000000000..6ed8ff1d1 --- /dev/null +++ b/package/iptables/files/l7/fasttrack.pat @@ -0,0 +1,23 @@ +# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc) +# Pattern attributes: good slow notsofast +# Protocol groups: p2p +# Wiki: http://www.protocolinfo.org/wiki/Fasttrack +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Tested with Kazaa Lite Resurrection 0.0.7.6F +# +# This appears to match the download connections well, but not the search +# connections (I think they are encrypted :-( ). + +fasttrack +# while this is a valid http request, this will be caught because +# the http pattern matches the response (and therefore the next packet) +# Even so, it's best to put this match earlier in the chain. +# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup + +# This pattern is kinda slow, but not too bad. +^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? + +# This isn't much faster: +#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? + diff --git a/package/iptables/files/l7/ftp.pat b/package/iptables/files/l7/ftp.pat new file mode 100644 index 000000000..44d97c467 --- /dev/null +++ b/package/iptables/files/l7/ftp.pat @@ -0,0 +1,46 @@ +# FTP - File Transfer Protocol - RFC 959 +# Pattern attributes: great notsofast fast +# Protocol groups: document_retrieval ietf_internet_standard +# Wiki: http://protocolinfo.org/wiki/FTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 21. Note that the data stream is on a dynamically +# assigned port, which means that you will need the FTP connection +# tracking module in your kernel to usefully match FTP data transfers. +# +# This pattern is well tested. +# +# Handles the first two things a server should say: +# +# First, the server says it's ready by sending "220". Most servers say +# something after 220, even though they don't have to, and it usually +# includes the string "ftp" (l7-filter is case insensitive). This +# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP +# Server, and whatever ftp.microsoft.com uses. Almost all servers use only +# ASCII printable characters between the "220" and the "FTP", but non-English +# ones might use others. +# +# The next thing the server sends is a 331. All the above servers also +# send something including "password" after this code. By default, we +# do not match on this because it takes another packet and is more work +# for regexec. + +ftp +# by default, we allow only ASCII +^220[\x09-\x0d -~]*ftp + +# This covers UTF-8 as well +#^220[\x09-\x0d -~\x80-\xfd]*ftp + +# This allows any characters and is about 4x faster than either of the above +# (which are about the same as each other) +#^220.*ftp + +# This is much slower +#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password + +# This pattern is more precise, but takes longer to match. (3 packets vs. 1) +#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331 + +# same as above, but slightly less precise and only takes 2 packets. +#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a diff --git a/package/iptables/files/l7/gnutella.pat b/package/iptables/files/l7/gnutella.pat new file mode 100644 index 000000000..770ed43b3 --- /dev/null +++ b/package/iptables/files/l7/gnutella.pat @@ -0,0 +1,34 @@ +# Gnutella - P2P filesharing +# Pattern attributes: good notsofast notsofast +# Protocol groups: p2p open_source +# Wiki: http://www.protocolinfo.org/wiki/Gnutella +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This should match both Gnutella and "Gnutella2" ("Mike's protocol") +# +# Various clients use this protocol including Mactella, Shareaza, +# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare. +# +# This is tested with gtk-gnutella and Shareaza. + +# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver +# http://rfc-gnutella.sf.net/ +# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification +# http://en.wikipedia.org/wiki/Shareaza + +gnutella + +# The first part matches UDP messages - All start with "GND", then have +# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes +# that can be anything, then a fragment number, which must start at 1. +# The rest matches TCP first client message or first server message (in case +# we can't see client messages). Some parts of this are empirical rather than +# document based. Assumes version is between 0.0 and 2.9. (usually is +# 0.4 or 0.6). I'm guessing at many of the user-agents. +# The last bit is emprical and probably only matches Limewire. +^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime) + +# Needlessly precise, at the expense of time +#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime) + + diff --git a/package/iptables/files/l7/http.pat b/package/iptables/files/l7/http.pat new file mode 100644 index 000000000..5122310d2 --- /dev/null +++ b/package/iptables/files/l7/http.pat @@ -0,0 +1,28 @@ +# HTTP - HyperText Transfer Protocol - RFC 2616 +# Pattern attributes: great slow notsofast superset +# Protocol groups: document_retrieval ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 80 +# +# This pattern has been tested and is believed to work well. +# +# this intentionally catches the response from the server rather than +# the request so that other protocols which use http (like kazaa) can be +# caught based on specific http requests regardless of the ordering of +# filters... also matches posts + +# Sites that serve really long cookies may break this by pushing the +# server response too far away from the beginning of the connection. To +# fix this, increase the kernel's data buffer length. + +http +# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616) +# As specified in rfc 2616 a status code is preceeded and followed by a +# space. +http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019] +# A slightly faster version that might be good enough: +#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019] +# old pattern(s): +#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/) diff --git a/package/iptables/files/l7/ident.pat b/package/iptables/files/l7/ident.pat new file mode 100644 index 000000000..3205e5e69 --- /dev/null +++ b/package/iptables/files/l7/ident.pat @@ -0,0 +1,15 @@ +# Ident - Identification Protocol - RFC 1413 +# Pattern attributes: good fast fast +# Protocol groups: networking ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/Ident +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 113 +# +# This pattern is believed to work. + +ident +# "number , numberCRLF" possibly without the CR and/or LF. +# ^$ is appropriate because the first packet should never have anything +# else in it. +^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$ diff --git a/package/iptables/files/l7/irc.pat b/package/iptables/files/l7/irc.pat new file mode 100644 index 000000000..e25360caf --- /dev/null +++ b/package/iptables/files/l7/irc.pat @@ -0,0 +1,20 @@ +# IRC - Internet Relay Chat - RFC 1459 +# Pattern attributes: great veryfast fast +# Protocol groups: chat ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/IRC +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 6666 or 6667 +# Note that chat traffic runs on these ports, but IRC-DCC traffic (which +# can use much more bandwidth) uses a dynamically assigned port, so you +# must have the IRC connection tracking module in your kernel to classify +# this. +# +# This pattern has been tested and is believed to work well. + +irc +# First thing that happens is that the client sends NICK and USER, in +# either order. This allows MIRC color codes (\x02-\x0d instead of +# \x09-\x0d). +^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a) + diff --git a/package/iptables/files/l7/jabber.pat b/package/iptables/files/l7/jabber.pat new file mode 100644 index 000000000..7c328905e --- /dev/null +++ b/package/iptables/files/l7/jabber.pat @@ -0,0 +1,24 @@ +# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org +# Pattern attributes: good notsofast notsofast +# Protocol groups: chat ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/Jabber +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This pattern has been tested with Gaim and Gabber. It is only tested +# with non-SSL mode Jabber with no proxies. + +# Thanks to Jan Hudec for some improvements. + +# Jabber seems to take a long time to set up a connection. I'm +# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets +# is this: +# <stream:stream to='12jabber.com' xmlns='jabber:client' +# xmlns:stream='http://etherx.jabber.org/streams'><?xml +# version='1.0'?><stream:stream +# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951' +# xmlns='jabber:client' from='12jabber.com'> +# +# No mention of my username or password yet, you'll note. + +jabber +<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber diff --git a/package/iptables/files/l7/msnmessenger.pat b/package/iptables/files/l7/msnmessenger.pat new file mode 100644 index 000000000..11dfc10be --- /dev/null +++ b/package/iptables/files/l7/msnmessenger.pat @@ -0,0 +1,28 @@ +# MSN Messenger - Microsoft Network chat client +# Pattern attributes: good slow notsofast +# Protocol groups: chat proprietary +# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually uses TCP port 1863 +# http://www.hypothetic.org/docs/msn/index.php +# http://msnpiki.msnfanatic.com/ +# +# This pattern has been tested and is believed to work well. + +msnmessenger + +# First branch: login +# ver: allow versions up to 99. +# I've never seen a cvr other than cvr0. Maybe this will be trouble later? +# Can't anchor at the beginning because sometimes this is encapsulated in +# HTTP. But either way, the first packet ends like this. +# Second/Third branches: accepting/sending a message +# I will assume that these can also be encapsulated in HTTP, although I have +# not checked. Example of each direction: +# ANS 1 quadong@hotmail.com 1139803431.29427 17522047 +# USR 1 quadong@hotmail.com 530423708.968145.366138 + +# Branches are written entirely separately for better performance. +ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$ + diff --git a/package/iptables/files/l7/ntp.pat b/package/iptables/files/l7/ntp.pat new file mode 100644 index 000000000..760cfdbe5 --- /dev/null +++ b/package/iptables/files/l7/ntp.pat @@ -0,0 +1,17 @@ +# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030 +# Pattern attributes: good fast fast overmatch +# Protocol groups: time_synchronization ietf_draft_standard +# Wiki: http://www.protocolinfo.org/wiki/NTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This pattern is tested and is believed to work. + +# client|server +# Requires the server's timestamp to be in the present or future (of 2005). +# Tested with ntpdate on Linux. +# Assumes version 2, 3 or 4. + +# Note that ntp packets are always 48 bytes, so you should match on that too. + +ntp +^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff]) diff --git a/package/iptables/files/l7/pop3.pat b/package/iptables/files/l7/pop3.pat new file mode 100644 index 000000000..3ae4c147b --- /dev/null +++ b/package/iptables/files/l7/pop3.pat @@ -0,0 +1,50 @@ +# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939 +# Pattern attributes: great veryfast fast +# Protocol groups: mail ietf_internet_standard +# Wiki: http://www.protocolinfo.org/wiki/POP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This pattern has been tested somewhat. + +# this is a difficult protocol to match because of the relative lack of +# distinguishing information. Read on. +pop3 + +# this the most conservative pattern. It should definitely work. +#^(\+ok|-err) + +# this pattern assumes that the server says _something_ after +ok or -err +# I think this is probably the way to go. +^(\+ok |-err ) + +# more that 90% of servers seem to say "pop" after "+ok", but not all. +#^(\+ok .*pop) + +# Here's another tack. I think this is my second favorite. +#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command)) + +# this matches the server saying "you have N messages that are M bytes", +# which the client probably asks for early in the session (not tested) +#\+ok [0-9]+ [0-9]+ + +# some sample servers: +# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us> +# mail.dreamhost.com: +OK Hello there. +# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled) +# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon> +# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu> +# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready +# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready +# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready +# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003)) +# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting. +# mail.mac.com: +OK Netscape Messaging Multiplexor ready + +# various error strings: +#-ERR Invalid command. +#-ERR invalid command +#-ERR unimplemented +#-ERR Invalid command, try one of: USER name, PASS string, QUIT +#-ERR Unknown AUTHORIZATION state command +#-ERR Unrecognized command +#-ERR Unknown command: "sadf'". diff --git a/package/iptables/files/l7/smtp.pat b/package/iptables/files/l7/smtp.pat new file mode 100644 index 000000000..2f5d1957f --- /dev/null +++ b/package/iptables/files/l7/smtp.pat @@ -0,0 +1,40 @@ +# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869) +# Pattern attributes: great notsofast fast +# Protocol groups: mail ietf_internet_standard +# Wiki: http://www.protocolinfo.org/wiki/SMTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# usually runs on port 25 +# +# This pattern has been tested and is believed to work well. + +# As usual, no text is required after "220", but all known servers have some +# there. It (almost?) always has string "smtp" in it. The RFC examples +# does not, so we match those too, just in case anyone has copied them +# literally. +# +# Some examples: +# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3 +# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400 +# 220 mail.ut.caldera.com ESMTP +# 220 persephone.pmail.gen.nz ESMTP server ready. +# 220 smtp1.superb.net ESMTP +# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready +# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4 +# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500 +# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3) +# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200 +# 220-mail.email-scan.com ESMTP +# 220 smaug.dreamhost.com ESMTP +# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648) +# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT) +# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700 +# +# RFC examples: +# 220 xyz.com Simple Mail Transfer Service Ready (RFC example) +# 220 dbc.mtview.ca.us SMTP service ready + +smtp +^220[\x09-\x0d -~]* (e?smtp|simple mail) +userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail) +userspace flags=REG_NOSUB REG_EXTENDED diff --git a/package/iptables/files/l7/ssl.pat b/package/iptables/files/l7/ssl.pat new file mode 100644 index 000000000..ae30ee440 --- /dev/null +++ b/package/iptables/files/l7/ssl.pat @@ -0,0 +1,16 @@ +# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 +# Pattern attributes: good notsofast fast superset +# Protocol groups: secure ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/SSL +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 443 +# +# This is a superset of validcertssl. For it to match, it must be first. +# +# This pattern has been tested and is believed to work well. + +ssl +# Server Hello with certificate | Client Hello +# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1 +^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b) diff --git a/package/iptables/files/l7/vnc.pat b/package/iptables/files/l7/vnc.pat new file mode 100644 index 000000000..79d0ae8a2 --- /dev/null +++ b/package/iptables/files/l7/vnc.pat @@ -0,0 +1,23 @@ +# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer +# Pattern attributes: great veryfast fast +# Protocol groups: remote_access +# Wiki: http://www.protocolinfo.org/wiki/VNC +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# http://www.realvnc.com/documentation.html +# +# This pattern has been verified with vnc v3.3.7 on WinXP and Linux +# +# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern. + +vnc +# Assumes single digit major and minor version numbers +# This message should be all alone in the first packet, so ^$ is appropriate +^rfb 00[1-9]\.00[0-9]\x0a$ + +# This is a more restrictive version which assumes the version numbers +# are ones actually in existance at the time of this writing, i.e. 3.3, +# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be +# slightly faster, but probably not worth the extra maintenance. +# ^rfb 003\.00[3578]\x0a$ + diff --git a/package/iptables/patches/002-layer7_2.22.patch b/package/iptables/patches/002-layer7_2.22.patch new file mode 100644 index 000000000..ba4531e3f --- /dev/null +++ b/package/iptables/patches/002-layer7_2.22.patch @@ -0,0 +1,371 @@ +--- /dev/null ++++ b/extensions/libxt_layer7.c +@@ -0,0 +1,368 @@ ++/* ++ Shared library add-on to iptables for layer 7 matching support. ++ ++ By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008. ++ ++ http://l7-filter.sf.net ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License ++ as published by the Free Software Foundation; either version ++ 2 of the License, or (at your option) any later version. ++ http://www.gnu.org/licenses/gpl.txt ++*/ ++ ++#define _GNU_SOURCE ++#include <stdio.h> ++#include <netdb.h> ++#include <string.h> ++#include <stdlib.h> ++#include <getopt.h> ++#include <ctype.h> ++#include <dirent.h> ++ ++#include <xtables.h> ++#include <linux/netfilter/xt_layer7.h> ++ ++#define MAX_FN_LEN 256 ++ ++static char l7dir[MAX_FN_LEN] = "\0"; ++ ++/* Function which prints out usage message. */ ++static void help(void) ++{ ++ printf( ++ "layer7 match options:\n" ++ " --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n" ++ " (--l7dir must be specified before --l7proto if used)\n" ++ "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n"); ++} ++ ++static const struct option opts[] = { ++ { .name = "l7proto", .has_arg = 1, .val = 'p' }, ++ { .name = "l7dir", .has_arg = 1, .val = 'd' }, ++ { .name = NULL } ++}; ++ ++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */ ++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info) ++{ ++ FILE * f; ++ char * line = NULL; ++ size_t len = 0; ++ ++ enum { protocol, pattern, done } datatype = protocol; ++ ++ f = fopen(filename, "r"); ++ ++ if(!f) ++ return 0; ++ ++ while(getline(&line, &len, f) != -1) ++ { ++ if(strlen(line) < 2 || line[0] == '#') ++ continue; ++ ++ /* strip the pesky newline... */ ++ if(line[strlen(line) - 1] == '\n') ++ line[strlen(line) - 1] = '\0'; ++ ++ if(datatype == protocol) ++ { ++ /* Ignore everything on the line beginning with the ++ first space or tab . For instance, this allows the ++ protocol line in http.pat to be "http " (or ++ "http I am so cool") instead of just "http". */ ++ if(strchr(line, ' ')){ ++ char * space = strchr(line, ' '); ++ space[0] = '\0'; ++ } ++ if(strchr(line, '\t')){ ++ char * space = strchr(line, '\t'); ++ space[0] = '\0'; ++ } ++ ++ /* sanity check. First non-comment non-blank ++ line must be the same as the file name. */ ++ if(strcmp(line, protoname)) ++ xtables_error(OTHER_PROBLEM, ++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n", ++ line, filename); ++ ++ if(strlen(line) >= MAX_PROTOCOL_LEN) ++ xtables_error(PARAMETER_PROBLEM, ++ "Protocol name in %s too long!", filename); ++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN); ++ ++ datatype = pattern; ++ } ++ else if(datatype == pattern) ++ { ++ if(strlen(line) >= MAX_PATTERN_LEN) ++ xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename); ++ strncpy(info->pattern, line, MAX_PATTERN_LEN); ++ ++ datatype = done; ++ break; ++ } ++ else ++ xtables_error(OTHER_PROBLEM, "Internal error"); ++ } ++ ++ if(datatype != done) ++ xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename); ++ ++ if(line) free(line); ++ fclose(f); ++ ++ return 1; ++} ++ ++static int hex2dec(char c) ++{ ++ switch (c) ++ { ++ case '0' ... '9': ++ return c - '0'; ++ case 'a' ... 'f': ++ return c - 'a' + 10; ++ case 'A' ... 'F': ++ return c - 'A' + 10; ++ default: ++ xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n"); ++ return 0; ++ } ++} ++ ++/* takes a string with \xHH escapes and returns one with the characters ++they stand for */ ++static char * pre_process(char * s) ++{ ++ char * result = malloc(strlen(s) + 1); ++ int sindex = 0, rrindex = 0; ++ while( sindex < strlen(s) ) ++ { ++ if( sindex + 3 < strlen(s) && ++ s[sindex] == '\\' && s[sindex+1] == 'x' && ++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) ++ { ++ /* carefully remember to call tolower here... */ ++ result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 + ++ hex2dec(s[sindex + 3] ) ); ++ ++ switch ( result[rrindex] ) ++ { ++ case 0x24: ++ case 0x28: ++ case 0x29: ++ case 0x2a: ++ case 0x2b: ++ case 0x2e: ++ case 0x3f: ++ case 0x5b: ++ case 0x5c: ++ case 0x5d: ++ case 0x5e: ++ case 0x7c: ++ fprintf(stderr, ++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n" ++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n", ++ result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]); ++ break; ++ case 0x00: ++ fprintf(stderr, ++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n"); ++ break; ++ default: ++ break; ++ } ++ ++ ++ sindex += 3; /* 4 total */ ++ } ++ else ++ result[rrindex] = tolower(s[sindex]); ++ ++ sindex++; ++ rrindex++; ++ } ++ result[rrindex] = '\0'; ++ ++ return result; ++} ++ ++#define MAX_SUBDIRS 128 ++static char ** readl7dir(char * dirname) ++{ ++ DIR * scratchdir; ++ struct dirent ** namelist; ++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *)); ++ ++ int n, d = 1; ++ subdirs[0] = ""; ++ ++ n = scandir(dirname, &namelist, 0, alphasort); ++ ++ if (n < 0) ++ { ++ perror("scandir"); ++ xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname); ++ } ++ else ++ { ++ while(n--) ++ { ++ char fulldirname[MAX_FN_LEN]; ++ ++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name); ++ ++ if((scratchdir = opendir(fulldirname)) != NULL) ++ { ++ closedir(scratchdir); ++ ++ if(!strcmp(namelist[n]->d_name, ".") || ++ !strcmp(namelist[n]->d_name, "..")) ++ /* do nothing */ ; ++ else ++ { ++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1); ++ strcpy(subdirs[d], namelist[n]->d_name); ++ d++; ++ if(d >= MAX_SUBDIRS - 1) ++ { ++ fprintf(stderr, ++ "Too many subdirectories, skipping the rest!\n"); ++ break; ++ } ++ } ++ } ++ free(namelist[n]); ++ } ++ free(namelist); ++ } ++ ++ subdirs[d] = NULL; ++ ++ return subdirs; ++} ++ ++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info) ++{ ++ char filename[MAX_FN_LEN]; ++ char * dir = NULL; ++ char ** subdirs; ++ int n = 0, done = 0; ++ ++ if(strlen(l7dir) > 0) dir = l7dir; ++ else dir = "/etc/l7-protocols"; ++ ++ subdirs = readl7dir(dir); ++ ++ while(subdirs[n] != NULL) ++ { ++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s); ++ ++ if(c > MAX_FN_LEN) ++ xtables_error(OTHER_PROBLEM, ++ "Filename beginning with %s is too long!\n", filename); ++ ++ /* read in the pattern from the file */ ++ if(parse_protocol_file(filename, s, info)){ ++ done = 1; ++ break; ++ } ++ ++ n++; ++ } ++ ++ if(!done) ++ xtables_error(OTHER_PROBLEM, ++ "Couldn't find a pattern definition file for %s.\n", s); ++ ++ /* process \xHH escapes and tolower everything. (our regex lib has no ++ case insensitivity option.) */ ++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN); ++} ++ ++/* Function which parses command options; returns true if it ate an option */ ++static int parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_match **match) ++{ ++ struct xt_layer7_info *layer7info = ++ (struct xt_layer7_info *)(*match)->data; ++ ++ switch (c) { ++ case 'p': ++ parse_layer7_protocol(argv[optind-1], layer7info); ++ if (invert) ++ layer7info->invert = true; ++ *flags = 1; ++ break; ++ ++ case 'd': ++ if(strlen(argv[optind-1]) >= MAX_FN_LEN) ++ xtables_error(PARAMETER_PROBLEM, "directory name too long\n"); ++ ++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN); ++ ++ *flags = 1; ++ break; ++ ++ default: ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* Final check; must have specified --l7proto */ ++static void final_check(unsigned int flags) ++{ ++ if (!flags) ++ xtables_error(PARAMETER_PROBLEM, ++ "LAYER7 match: You must specify `--l7proto'"); ++} ++ ++static void print_protocol(char s[], int invert, int numeric) ++{ ++ fputs("l7proto ", stdout); ++ if (invert) fputc('!', stdout); ++ printf("%s ", s); ++} ++ ++/* Prints out the matchinfo. */ ++static void print(const void *ip, ++ const struct xt_entry_match *match, ++ int numeric) ++{ ++ printf("LAYER7 "); ++ print_protocol(((struct xt_layer7_info *)match->data)->protocol, ++ ((struct xt_layer7_info *)match->data)->invert, numeric); ++} ++/* Saves the union ipt_matchinfo in parsable form to stdout. */ ++static void save(const void *ip, const struct xt_entry_match *match) ++{ ++ const struct xt_layer7_info *info = ++ (const struct xt_layer7_info*) match->data; ++ ++ printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol); ++} ++ ++static struct xtables_match layer7 = { ++ .family = AF_INET, ++ .name = "layer7", ++ .version = XTABLES_VERSION, ++ .size = XT_ALIGN(sizeof(struct xt_layer7_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)), ++ .help = &help, ++ .parse = &parse, ++ .final_check = &final_check, ++ .print = &print, ++ .save = &save, ++ .extra_opts = opts ++}; ++ ++void _init(void) ++{ ++ xtables_register_match(&layer7); ++} diff --git a/package/iptables/patches/009-table-alignment.patch b/package/iptables/patches/009-table-alignment.patch new file mode 100644 index 000000000..53012ab32 --- /dev/null +++ b/package/iptables/patches/009-table-alignment.patch @@ -0,0 +1,11 @@ +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -69,7 +69,7 @@ static const char *hooknames[] = { + struct ipt_error_target + { + STRUCT_ENTRY_TARGET t; +- char error[TABLE_MAXNAMELEN]; ++ char error[FUNCTION_MAXNAMELEN]; + }; + + struct chain_head; diff --git a/package/iptables/patches/010-multiport-linux-2.4-compat.patch b/package/iptables/patches/010-multiport-linux-2.4-compat.patch new file mode 100644 index 000000000..3b35f7e3c --- /dev/null +++ b/package/iptables/patches/010-multiport-linux-2.4-compat.patch @@ -0,0 +1,265 @@ +--- a/extensions/libxt_multiport.c ++++ b/extensions/libxt_multiport.c +@@ -15,21 +15,6 @@ + #include <linux/netfilter/xt_multiport.h> + + /* Function which prints out usage message. */ +-static void multiport_help(void) +-{ +- printf( +-"multiport match options:\n" +-" --source-ports port[,port,port...]\n" +-" --sports ...\n" +-" match source port(s)\n" +-" --destination-ports port[,port,port...]\n" +-" --dports ...\n" +-" match destination port(s)\n" +-" --ports port[,port,port]\n" +-" match both source and destination port(s)\n" +-" NOTE: this kernel does not support port ranges in multiport.\n"); +-} +- + static void multiport_help_v1(void) + { + printf( +@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto) + } + } + +-static unsigned int +-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto) +-{ +- char *buffer, *cp, *next; +- unsigned int i; +- +- buffer = strdup(portstring); +- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); +- +- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++) +- { +- next=strchr(cp, ','); +- if (next) *next++='\0'; +- ports[i] = xtables_parse_port(cp, proto); +- } +- if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified"); +- free(buffer); +- return i; +-} +- + static void + parse_multi_ports_v1(const char *portstring, + struct xt_multiport_v1 *multiinfo, +@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv + /* Function which parses command options; returns true if it + ate an option */ + static int +-__multiport_parse(int c, char **argv, int invert, unsigned int *flags, +- struct xt_entry_match **match, u_int16_t pnum, +- u_int8_t invflags) +-{ +- const char *proto; +- struct xt_multiport *multiinfo +- = (struct xt_multiport *)(*match)->data; +- +- switch (c) { +- case '1': +- xtables_check_inverse(optarg, &invert, &optind, 0, argv); +- proto = check_proto(pnum, invflags); +- multiinfo->count = parse_multi_ports(optarg, +- multiinfo->ports, proto); +- multiinfo->flags = XT_MULTIPORT_SOURCE; +- break; +- +- case '2': +- xtables_check_inverse(optarg, &invert, &optind, 0, argv); +- proto = check_proto(pnum, invflags); +- multiinfo->count = parse_multi_ports(optarg, +- multiinfo->ports, proto); +- multiinfo->flags = XT_MULTIPORT_DESTINATION; +- break; +- +- case '3': +- xtables_check_inverse(optarg, &invert, &optind, 0, argv); +- proto = check_proto(pnum, invflags); +- multiinfo->count = parse_multi_ports(optarg, +- multiinfo->ports, proto); +- multiinfo->flags = XT_MULTIPORT_EITHER; +- break; +- +- default: +- return 0; +- } +- +- if (invert) +- xtables_error(PARAMETER_PROBLEM, +- "multiport does not support invert"); +- +- if (*flags) +- xtables_error(PARAMETER_PROBLEM, +- "multiport can only have one option"); +- *flags = 1; +- return 1; +-} +- +-static int +-multiport_parse(int c, char **argv, int invert, unsigned int *flags, +- const void *e, struct xt_entry_match **match) +-{ +- const struct ipt_entry *entry = e; +- return __multiport_parse(c, argv, invert, flags, match, +- entry->ip.proto, entry->ip.invflags); +-} +- +-static int +-multiport_parse6(int c, char **argv, int invert, unsigned int *flags, +- const void *e, struct xt_entry_match **match) +-{ +- const struct ip6t_entry *entry = e; +- return __multiport_parse(c, argv, invert, flags, match, +- entry->ipv6.proto, entry->ipv6.invflags); +-} +- +-static int + __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags, + struct xt_entry_match **match, u_int16_t pnum, + u_int8_t invflags) +@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot + } + + /* Prints out the matchinfo. */ +-static void +-__multiport_print(const struct xt_entry_match *match, int numeric, +- u_int16_t proto) +-{ +- const struct xt_multiport *multiinfo +- = (const struct xt_multiport *)match->data; +- unsigned int i; +- +- printf("multiport "); +- +- switch (multiinfo->flags) { +- case XT_MULTIPORT_SOURCE: +- printf("sports "); +- break; +- +- case XT_MULTIPORT_DESTINATION: +- printf("dports "); +- break; +- +- case XT_MULTIPORT_EITHER: +- printf("ports "); +- break; +- +- default: +- printf("ERROR "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], proto, numeric); +- } +- printf(" "); +-} +- +-static void multiport_print(const void *ip_void, +- const struct xt_entry_match *match, int numeric) +-{ +- const struct ipt_ip *ip = ip_void; +- __multiport_print(match, numeric, ip->proto); +-} +- +-static void multiport_print6(const void *ip_void, +- const struct xt_entry_match *match, int numeric) +-{ +- const struct ip6t_ip6 *ip = ip_void; +- __multiport_print(match, numeric, ip->proto); +-} +- + static void __multiport_print_v1(const struct xt_entry_match *match, + int numeric, u_int16_t proto) + { +@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo + } + + /* Saves the union ipt_matchinfo in parsable form to stdout. */ +-static void __multiport_save(const struct xt_entry_match *match, +- u_int16_t proto) +-{ +- const struct xt_multiport *multiinfo +- = (const struct xt_multiport *)match->data; +- unsigned int i; +- +- switch (multiinfo->flags) { +- case XT_MULTIPORT_SOURCE: +- printf("--sports "); +- break; +- +- case XT_MULTIPORT_DESTINATION: +- printf("--dports "); +- break; +- +- case XT_MULTIPORT_EITHER: +- printf("--ports "); +- break; +- } +- +- for (i=0; i < multiinfo->count; i++) { +- printf("%s", i ? "," : ""); +- print_port(multiinfo->ports[i], proto, 1); +- } +- printf(" "); +-} +- +-static void multiport_save(const void *ip_void, +- const struct xt_entry_match *match) +-{ +- const struct ipt_ip *ip = ip_void; +- __multiport_save(match, ip->proto); +-} +- +-static void multiport_save6(const void *ip_void, +- const struct xt_entry_match *match) +-{ +- const struct ip6t_ip6 *ip = ip_void; +- __multiport_save(match, ip->proto); +-} +- + static void __multiport_save_v1(const struct xt_entry_match *match, + u_int16_t proto) + { +@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt + { + .family = NFPROTO_IPV4, + .name = "multiport", +- .revision = 0, +- .version = XTABLES_VERSION, +- .size = XT_ALIGN(sizeof(struct xt_multiport)), +- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), +- .help = multiport_help, +- .parse = multiport_parse, +- .final_check = multiport_check, +- .print = multiport_print, +- .save = multiport_save, +- .extra_opts = multiport_opts, +- }, +- { +- .family = NFPROTO_IPV6, +- .name = "multiport", +- .revision = 0, +- .version = XTABLES_VERSION, +- .size = XT_ALIGN(sizeof(struct xt_multiport)), +- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)), +- .help = multiport_help, +- .parse = multiport_parse6, +- .final_check = multiport_check, +- .print = multiport_print6, +- .save = multiport_save6, +- .extra_opts = multiport_opts, +- }, +- { +- .family = NFPROTO_IPV4, +- .name = "multiport", + .version = XTABLES_VERSION, + .revision = 1, + .size = XT_ALIGN(sizeof(struct xt_multiport_v1)), diff --git a/package/iptables/patches/011-recent-add-reap.patch b/package/iptables/patches/011-recent-add-reap.patch new file mode 100644 index 000000000..275265b99 --- /dev/null +++ b/package/iptables/patches/011-recent-add-reap.patch @@ -0,0 +1,116 @@ +From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001 +From: Tim Gardner <tim.gardner@canonical.com> +Date: Mon, 1 Mar 2010 19:00:29 -0700 +Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation + +Signed-off-by: Tim Gardner <tim.gardner@canonical.com> +--- + extensions/libxt_recent.c | 20 ++++++++++++++++++++ + extensions/libxt_recent.man | 5 +++++ + include/linux/netfilter/xt_recent.h | 7 +++++++ + 3 files changed, 32 insertions(+), 0 deletions(-) + +--- a/extensions/libxt_recent.c ++++ b/extensions/libxt_recent.c +@@ -20,6 +20,7 @@ static const struct option recent_opts[] + {.name = "name", .has_arg = true, .val = 208}, + {.name = "rsource", .has_arg = false, .val = 209}, + {.name = "rdest", .has_arg = false, .val = 210}, ++ {.name = "reap", .has_arg = false, .val = 211}, + XT_GETOPT_TABLEEND, + }; + +@@ -37,6 +38,7 @@ static void recent_help(void) + " --hitcount hits For check and update commands above.\n" + " Specifies that the match will only occur if source address seen hits times.\n" + " May be used in conjunction with the seconds option.\n" ++" --reap Remove entries that have expired. Can only be used with --seconds\n" + " --rttl For check and update commands above.\n" + " Specifies that the match will only occur if the source address and the TTL\n" + " match between this packet and the one which was set.\n" +@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_ + (XT_RECENT_SET | XT_RECENT_CHECK | \ + XT_RECENT_UPDATE | XT_RECENT_REMOVE) + ++#define XT_RECENT_SECONDS 1 << 31 ++ + static int recent_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) + { +@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar + + case 204: + info->seconds = atoi(optarg); ++ *flags |= XT_RECENT_SECONDS; + break; + + case 205: +@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar + info->side = XT_RECENT_DEST; + break; + ++ case 211: ++ info->check_set |= XT_RECENT_REAP; ++ *flags |= XT_RECENT_REAP; ++ break; ++ + default: + return 0; + } +@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl + xtables_error(PARAMETER_PROBLEM, + "recent: --rttl may only be used with --rcheck or " + "--update"); ++ if ((flags & XT_RECENT_REAP) && ++ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) || ++ (!(flags & XT_RECENT_SECONDS)))) ++ xtables_error(PARAMETER_PROBLEM, ++ "recent: --reap may only be used with --rcheck or " ++ "--update and --seconds"); + } + + static void recent_print(const void *ip, const struct xt_entry_match *match, +@@ -185,6 +201,8 @@ static void recent_print(const void *ip, + printf("side: source "); + if (info->side == XT_RECENT_DEST) + printf("side: dest "); ++ if (info->check_set & XT_RECENT_REAP) ++ printf("reap "); + } + + static void recent_save(const void *ip, const struct xt_entry_match *match) +@@ -211,6 +229,8 @@ static void recent_save(const void *ip, + printf("--rsource "); + if (info->side == XT_RECENT_DEST) + printf("--rdest "); ++ if (info->check_set & XT_RECENT_REAP) ++ printf("--reap "); + } + + static struct xtables_match recent_mt_reg = { +--- a/extensions/libxt_recent.man ++++ b/extensions/libxt_recent.man +@@ -41,6 +41,11 @@ This option must be used in conjunction + \fB\-\-update\fP. When used, this will narrow the match to only happen when the + address is in the list and was seen within the last given number of seconds. + .TP ++\fB\-\-reap\fP \fIreap\fP ++This option must be used in conjunction with \fB\-\-seconds\fP. When used, this ++will remove entries with the most recent timestamp older then \fB\-\-seconds\fP ++since the last packet was received. ++.TP + \fB\-\-hitcount\fP \fIhits\fP + This option must be used in conjunction with one of \fB\-\-rcheck\fP or + \fB\-\-update\fP. When used, this will narrow the match to only happen when the +--- a/include/linux/netfilter/xt_recent.h ++++ b/include/linux/netfilter/xt_recent.h +@@ -23,6 +23,9 @@ enum { + #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\ + XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP) + ++/* Only allowed with --rcheck and --update */ ++#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP) ++ + struct xt_recent_mtinfo { + __u32 seconds; + __u32 hit_count; diff --git a/package/iptables/patches/020-iptables-disable-modprobe.patch b/package/iptables/patches/020-iptables-disable-modprobe.patch new file mode 100644 index 000000000..338962ffb --- /dev/null +++ b/package/iptables/patches/020-iptables-disable-modprobe.patch @@ -0,0 +1,18 @@ +--- a/xtables.c ++++ b/xtables.c +@@ -305,6 +305,7 @@ static char *get_modprobe(void) + + int xtables_insmod(const char *modname, const char *modprobe, bool quiet) + { ++#if 0 + char *buf = NULL; + char *argv[4]; + int status; +@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname, + free(buf); + if (WIFEXITED(status) && WEXITSTATUS(status) == 0) + return 0; ++#endif + return -1; + } + diff --git a/package/iptables/patches/030-no-libnfnetlink.patch b/package/iptables/patches/030-no-libnfnetlink.patch new file mode 100644 index 000000000..cda9a7205 --- /dev/null +++ b/package/iptables/patches/030-no-libnfnetlink.patch @@ -0,0 +1,92 @@ +--- a/configure ++++ b/configure +@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; } + fi + fi + +-pkg_failed=no +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5 +-$as_echo_n "checking for libnfnetlink... " >&6; } +- +-if test -n "$libnfnetlink_CFLAGS"; then +- pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS" +- elif test -n "$PKG_CONFIG"; then +- if test -n "$PKG_CONFIG" && \ +- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5 +- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5 +- ac_status=$? +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; }; then +- pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null` +-else +- pkg_failed=yes +-fi +- else +- pkg_failed=untried +-fi +-if test -n "$libnfnetlink_LIBS"; then +- pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS" +- elif test -n "$PKG_CONFIG"; then +- if test -n "$PKG_CONFIG" && \ +- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5 +- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5 +- ac_status=$? +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; }; then +- pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null` +-else +- pkg_failed=yes +-fi +- else +- pkg_failed=untried +-fi +- +- +- +-if test $pkg_failed = yes; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then +- _pkg_short_errors_supported=yes +-else +- _pkg_short_errors_supported=no +-fi +- if test $_pkg_short_errors_supported = yes; then +- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libnfnetlink >= 1.0" 2>&1` +- else +- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors "libnfnetlink >= 1.0" 2>&1` +- fi +- # Put the nasty error message in config.log where it belongs +- echo "$libnfnetlink_PKG_ERRORS" >&5 +- +- nfnetlink=0 +-elif test $pkg_failed = untried; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- nfnetlink=0 +-else +- libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS +- libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- nfnetlink=1 +-fi +- if test "$nfnetlink" = 1; then ++if false; then + HAVE_LIBNFNETLINK_TRUE= + HAVE_LIBNFNETLINK_FALSE='#' + else +--- a/configure.ac ++++ b/configure.ac +@@ -79,9 +79,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test + AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"]) + AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"]) + +-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0], +- [nfnetlink=1], [nfnetlink=0]) +-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1]) ++AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false]) + + regular_CFLAGS="${largefile_cflags} \ + -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \ diff --git a/package/iptables/patches/100-bash-location.patch b/package/iptables/patches/100-bash-location.patch new file mode 100644 index 000000000..818246e76 --- /dev/null +++ b/package/iptables/patches/100-bash-location.patch @@ -0,0 +1,16 @@ +--- a/autogen.sh ++++ b/autogen.sh +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/usr/bin/env bash + + autoreconf -fi; + rm -Rf autom4te*.cache; +--- a/iptables-apply ++++ b/iptables-apply +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/usr/bin/env bash + # + # iptables-apply -- a safer way to update iptables remotely + # diff --git a/package/iptables/patches/110-linux_3.2_compat.patch b/package/iptables/patches/110-linux_3.2_compat.patch new file mode 100644 index 000000000..2cdd673d2 --- /dev/null +++ b/package/iptables/patches/110-linux_3.2_compat.patch @@ -0,0 +1,12 @@ +--- iptables-1.4.10/include/linux/types.h.orig 2011-11-07 00:08:33.000000000 +0100 ++++ iptables-1.4.10/include/linux/types.h 2011-11-07 00:09:25.000000000 +0100 +@@ -34,5 +34,9 @@ + typedef __u16 __bitwise __sum16; + typedef __u32 __bitwise __wsum; + ++#define __aligned_u64 __u64 __attribute__((aligned(8))) ++#define __aligned_be64 __be64 __attribute__((aligned(8))) ++#define __aligned_le64 __le64 __attribute__((aligned(8))) ++ + #endif /* __ASSEMBLY__ */ + #endif /* _LINUX_TYPES_H */ diff --git a/package/iptables/patches/200-configurable_builtin.patch b/package/iptables/patches/200-configurable_builtin.patch new file mode 100644 index 000000000..9f9cc387c --- /dev/null +++ b/package/iptables/patches/200-configurable_builtin.patch @@ -0,0 +1,56 @@ +--- a/extensions/GNUmakefile.in ++++ b/extensions/GNUmakefile.in +@@ -40,9 +40,24 @@ + pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) + pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod}) + pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod}) +-pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod}) +-pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod}) +-pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod}) ++ ++ifdef BUILTIN_MODULES ++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod}) ++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod}) ++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod}) ++else ++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod) ++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod) ++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod) ++endif ++ ++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod)) ++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod)) ++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod)) ++ ++pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static}) ++pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static}) ++pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static}) + pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod}) + pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod}) + pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod}) +@@ -54,10 +69,10 @@ + targets := libext4.a libext6.a matches4.man matches6.man \ + targets4.man targets6.man + targets_install := +-@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs} +-@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs} +-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} +-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} ++libext4_objs := ${pfx_objs} ${pf4_objs} ++libext6_objs := ${pfx_objs} ${pf6_objs} ++targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs} ++targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}) + + .SECONDARY: + +@@ -107,8 +122,8 @@ + libext6.a: initext6.o ${libext6_objs} + ${AM_VERBOSE_AR} ${AR} crs $@ $^; + +-initext_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod}) +-initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod}) ++initext_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static}) ++initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ip6t_,${pf6_build_static}) + + .initext4.dd: FORCE + @echo "${initext_func}" >$@.tmp; \ |