target/linux/generic-2.4/patches/620-netfilter_iprange.patch

   1 Index: linux-2.4.35.4/Documentation/Configure.help
   2 ===================================================================
   3 --- linux-2.4.35.4.orig/Documentation/Configure.help    2007-12-15 05:20:10.792455269 +0100
   4 +++ linux-2.4.35.4/Documentation/Configure.help 2007-12-15 05:20:11.948521148 +0100
   5 @@ -2986,6 +2986,14 @@
   6    If you want to compile it as a module, say M here and read
   7    <file:Documentation/modules.txt>.  If unsure, say `N'.
   8
   9 +iprange match support
  10 +CONFIG_IP_NF_MATCH_IPRANGE
  11 +  This option makes possible to match IP addresses against
  12 +  IP address ranges.
  13 +
  14 +  If you want to compile it as a module, say M here and read
  15 +  <file:Documentation/modules.txt>.  If unsure, say `N'.
  16 +
  17  Condition variable match support
  18  CONFIG_IP_NF_MATCH_CONDITION
  19    This option allows you to match firewall rules against condition
  20 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_iprange.h
  21 ===================================================================
  22 --- /dev/null   1970-01-01 00:00:00.000000000 +0000
  23 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_iprange.h   2007-12-15 05:20:11.952521377 +0100
  24 @@ -0,0 +1,23 @@
  25 +#ifndef _IPT_IPRANGE_H
  26 +#define _IPT_IPRANGE_H
  27 +
  28 +#define IPRANGE_SRC            0x01    /* Match source IP address */
  29 +#define IPRANGE_DST            0x02    /* Match destination IP address */
  30 +#define IPRANGE_SRC_INV                0x10    /* Negate the condition */
  31 +#define IPRANGE_DST_INV                0x20    /* Negate the condition */
  32 +
  33 +struct ipt_iprange {
  34 +       /* Inclusive: network order. */
  35 +       u_int32_t min_ip, max_ip;
  36 +};
  37 +
  38 +struct ipt_iprange_info
  39 +{
  40 +       struct ipt_iprange src;
  41 +       struct ipt_iprange dst;
  42 +
  43 +       /* Flags from above */
  44 +       u_int8_t flags;
  45 +};
  46 +
  47 +#endif /* _IPT_IPRANGE_H */
  48 Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in
  49 ===================================================================
  50 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in    2007-12-15 05:20:11.688506331 +0100
  51 +++ linux-2.4.35.4/net/ipv4/netfilter/Config.in 2007-12-15 05:20:11.960521836 +0100
  52 @@ -27,6 +27,7 @@
  53  if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
  54  # The simple matches.
  55    dep_tristate '  limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
  56 +  dep_tristate '  IP range match support' CONFIG_IP_NF_MATCH_IPRANGE $CONFIG_IP_NF_IPTABLES
  57    dep_tristate '  quota match support' CONFIG_IP_NF_MATCH_QUOTA $CONFIG_IP_NF_IPTABLES
  58
  59    dep_tristate '  IP set support' CONFIG_IP_NF_SET $CONFIG_IP_NF_IPTABLES
  60 Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_iprange.c
  61 ===================================================================
  62 --- /dev/null   1970-01-01 00:00:00.000000000 +0000
  63 +++ linux-2.4.35.4/net/ipv4/netfilter/ipt_iprange.c     2007-12-15 05:20:11.964522063 +0100
  64 @@ -0,0 +1,101 @@
  65 +/*
  66 + * iptables module to match IP address ranges
  67 + *   (c) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  68 + *
  69 + * Released under the terms of GNU GPLv2.
  70 + *
  71 + */
  72 +#include <linux/module.h>
  73 +#include <linux/skbuff.h>
  74 +#include <linux/ip.h>
  75 +#include <linux/netfilter_ipv4/ip_tables.h>
  76 +#include <linux/netfilter_ipv4/ipt_iprange.h>
  77 +
  78 +MODULE_LICENSE("GPL");
  79 +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
  80 +MODULE_DESCRIPTION("iptables arbitrary IP range match module");
  81 +
  82 +#if 0
  83 +#define DEBUGP printk
  84 +#else
  85 +#define DEBUGP(format, args...)
  86 +#endif
  87 +
  88 +static int
  89 +match(const struct sk_buff *skb,
  90 +      const struct net_device *in,
  91 +      const struct net_device *out,
  92 +      const void *matchinfo,
  93 +      int offset,
  94 +      const void *hdr,
  95 +      u_int16_t datalen,
  96 +      int *hotdrop)
  97 +{
  98 +       const struct ipt_iprange_info *info = matchinfo;
  99 +       const struct iphdr *iph = skb->nh.iph;
 100 +
 101 +
 102 +       if (info->flags & IPRANGE_SRC) {
 103 +               if (((ntohl(iph->saddr) < ntohl(info->src.min_ip))
 104 +                         || (ntohl(iph->saddr) > ntohl(info->src.max_ip)))
 105 +                        ^ !!(info->flags & IPRANGE_SRC_INV)) {
 106 +                       DEBUGP("src IP %u.%u.%u.%u NOT in range %s"
 107 +                              "%u.%u.%u.%u-%u.%u.%u.%u\n",
 108 +                               NIPQUAD(iph->saddr),
 109 +                               info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
 110 +                               NIPQUAD(info->src.min_ip),
 111 +                               NIPQUAD(info->src.max_ip));
 112 +                       return 0;
 113 +               }
 114 +       }
 115 +       if (info->flags & IPRANGE_DST) {
 116 +               if (((ntohl(iph->daddr) < ntohl(info->dst.min_ip))
 117 +                         || (ntohl(iph->daddr) > ntohl(info->dst.max_ip)))
 118 +                        ^ !!(info->flags & IPRANGE_DST_INV)) {
 119 +                       DEBUGP("dst IP %u.%u.%u.%u NOT in range %s"
 120 +                              "%u.%u.%u.%u-%u.%u.%u.%u\n",
 121 +                               NIPQUAD(iph->daddr),
 122 +                               info->flags & IPRANGE_DST_INV ? "(INV) " : "",
 123 +                               NIPQUAD(info->dst.min_ip),
 124 +                               NIPQUAD(info->dst.max_ip));
 125 +                       return 0;
 126 +               }
 127 +       }
 128 +       return 1;
 129 +}
 130 +
 131 +static int check(const char *tablename,
 132 +                const struct ipt_ip *ip,
 133 +                void *matchinfo,
 134 +                unsigned int matchsize,
 135 +                unsigned int hook_mask)
 136 +{
 137 +       /* verify size */
 138 +       if (matchsize != IPT_ALIGN(sizeof(struct ipt_iprange_info)))
 139 +               return 0;
 140 +
 141 +       return 1;
 142 +}
 143 +
 144 +static struct ipt_match iprange_match =
 145 +{
 146 +       .list = { NULL, NULL },
 147 +       .name = "iprange",
 148 +       .match = &match,
 149 +       .checkentry = &check,
 150 +       .destroy = NULL,
 151 +       .me = THIS_MODULE
 152 +};
 153 +
 154 +static int __init init(void)
 155 +{
 156 +       return ipt_register_match(&iprange_match);
 157 +}
 158 +
 159 +static void __exit fini(void)
 160 +{
 161 +       ipt_unregister_match(&iprange_match);
 162 +}
 163 +
 164 +module_init(init);
 165 +module_exit(fini);
 166 Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile
 167 ===================================================================
 168 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile     2007-12-15 05:20:11.696506789 +0100
 169 +++ linux-2.4.35.4/net/ipv4/netfilter/Makefile  2007-12-15 05:20:11.976522746 +0100
 170 @@ -90,6 +90,7 @@
 171  # matches
 172  obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 173  obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
 174 +obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 175  obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
 176  obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
 177  obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o