nefilter: fix chaostables on 2.6.24

SVN-Revision: 10320
This commit is contained in:
Gabor Juhos 2008-01-30 08:05:47 +00:00
parent 3dae29dc4a
commit db7a2e3e55
2 changed files with 16 additions and 16 deletions

View file

@ -784,7 +784,7 @@ CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STRING=m CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_U32=m CONFIG_NETFILTER_XT_MATCH_U32=m
# CONFIG_NETFILTER_XT_TARGET_CHAOS is not set CONFIG_NETFILTER_XT_TARGET_CHAOS=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_DELUDE=m CONFIG_NETFILTER_XT_TARGET_DELUDE=m

View file

@ -222,30 +222,30 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+ +
+/* CHAOS functions */ +/* CHAOS functions */
+static void xt_chaos_total(const struct xt_chaos_info *info, +static void xt_chaos_total(const struct xt_chaos_info *info,
+ struct sk_buff **pskb, const struct net_device *in, + struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum) + const struct net_device *out, unsigned int hooknum)
+{ +{
+ const int protoff = ip_hdrlen(*pskb); + const int protoff = ip_hdrlen(skb);
+ const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET; + const int offset = ntohs(ip_hdr(skb)->frag_off) & IP_OFFSET;
+ const struct xt_target *destiny; + const struct xt_target *destiny;
+ bool hotdrop = false; + bool hotdrop = false;
+ int ret; + int ret;
+ +
+ ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params, + ret = xm_tcp->match(skb, in, out, xm_tcp, &tcp_params,
+ offset, protoff, &hotdrop); + offset, protoff, &hotdrop);
+ if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage) + if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
+ return; + return;
+ +
+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; + destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
+#ifdef HAVE_TARGUSERINFO +#ifdef HAVE_TARGUSERINFO
+ destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL); + destiny->target(skb, in, out, hooknum, destiny, NULL, NULL);
+#else +#else
+ destiny->target(pskb, in, out, hooknum, destiny, NULL); + destiny->target(skb, in, out, hooknum, destiny, NULL);
+#endif +#endif
+ return; + return;
+} +}
+ +
+static unsigned int xt_chaos_target(struct sk_buff **pskb, +static unsigned int xt_chaos_target(struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out, + const struct net_device *in, const struct net_device *out,
+ unsigned int hooknum, const struct xt_target *target, const void *targinfo + unsigned int hooknum, const struct xt_target *target, const void *targinfo
+#ifdef HAVE_TARGUSERINFO +#ifdef HAVE_TARGUSERINFO
@ -265,17 +265,17 @@ Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
+ +
+ if((unsigned int)net_random() <= reject_percentage) + if((unsigned int)net_random() <= reject_percentage)
+#ifdef HAVE_TARGUSERINFO +#ifdef HAVE_TARGUSERINFO
+ return xt_reject->target(pskb, in, out, hooknum, target, + return xt_reject->target(skb, in, out, hooknum, target,
+ &reject_params, userinfo); + &reject_params, userinfo);
+#else +#else
+ return xt_reject->target(pskb, in, out, hooknum, target, + return xt_reject->target(skb, in, out, hooknum, target,
+ &reject_params); + &reject_params);
+#endif +#endif
+ +
+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */ + /* TARPIT/DELUDE may not be called from the OUTPUT chain */
+ if(ip_hdr(*pskb)->protocol == IPPROTO_TCP && + if(ip_hdr(skb)->protocol == IPPROTO_TCP &&
+ info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT) + info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
+ xt_chaos_total(info, pskb, in, out, hooknum); + xt_chaos_total(info, skb, in, out, hooknum);
+ +
+ return NF_DROP; + return NF_DROP;
+} +}
@ -587,7 +587,7 @@ Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+ ) + )
+ addr_type = RTN_LOCAL; + addr_type = RTN_LOCAL;
+ +
+ if (ip_route_me_harder(&nskb, addr_type)) + if (ip_route_me_harder(nskb, addr_type))
+ goto free_nskb; + goto free_nskb;
+ +
+ nskb->ip_summed = CHECKSUM_NONE; + nskb->ip_summed = CHECKSUM_NONE;
@ -614,7 +614,7 @@ Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+ kfree_skb(nskb); + kfree_skb(nskb);
+} +}
+ +
+static unsigned int xt_delude_target(struct sk_buff **pskb, +static unsigned int xt_delude_target(struct sk_buff *skb,
+ const struct net_device *in, const struct net_device *out, + const struct net_device *in, const struct net_device *out,
+ unsigned int hooknum, const struct xt_target *target, const void *targinfo + unsigned int hooknum, const struct xt_target *target, const void *targinfo
+#ifdef HAVE_TARGUSERINFO +#ifdef HAVE_TARGUSERINFO
@ -626,7 +626,7 @@ Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
+ /* WARNING: This code causes reentry within iptables. + /* WARNING: This code causes reentry within iptables.
+ This means that the iptables jump stack is now crap. We + This means that the iptables jump stack is now crap. We
+ must return an absolute verdict. --RR */ + must return an absolute verdict. --RR */
+ send_reset(*pskb, hooknum); + send_reset(skb, hooknum);
+ return NF_DROP; + return NF_DROP;
+} +}
+ +
@ -886,7 +886,7 @@ Index: linux-2.6.23/net/netfilter/xt_portscan.c
+ { + {
+ unsigned int n; + unsigned int n;
+ n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate, + n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
+ in == &loopback_dev, tcph, + (in->flags && IFF_LOOPBACK) == IFF_LOOPBACK, tcph,
+ skb->len - protoff - 4 * tcph->doff); + skb->len - protoff - 4 * tcph->doff);
+ +
+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n; + ctdata->mark = (ctdata->mark & ~connmark_mask) | n;