1diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/include/linux/netfilter.h linux-2.4.18-raw/include/linux/netfilter.h 2--- linux-2.4.18-orig/include/linux/netfilter.h Thu Nov 22 20:47:48 2001 3+++ linux-2.4.18-raw/include/linux/netfilter.h Mon Jul 15 17:56:27 2002 4@@ -22,6 +22,7 @@ 5 /* Generic cache responses from hook functions. */ 6 #define NFC_ALTERED 0x8000 7 #define NFC_UNKNOWN 0x4000 8+#define NFC_TRACE 0x2000 9 10 #ifdef __KERNEL__ 11 #include <linux/config.h> 12diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.18-raw/include/linux/netfilter_ipv4/ip_conntrack.h 13--- linux-2.4.18-orig/include/linux/netfilter_ipv4/ip_conntrack.h Mon Feb 25 20:38:13 2002 14+++ linux-2.4.18-raw/include/linux/netfilter_ipv4/ip_conntrack.h Thu Jun 13 11:34:50 2002 15@@ -190,5 +190,8 @@ 16 } 17 18 extern unsigned int ip_conntrack_htable_size; 19+ 20+/* A fake conntrack entry which never vanishes. */ 21+extern struct ip_conntrack ip_conntrack_untracked; 22 #endif /* __KERNEL__ */ 23 #endif /* _IP_CONNTRACK_H */ 24diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/include/linux/netfilter_ipv4/ip_tables.h linux-2.4.18-raw/include/linux/netfilter_ipv4/ip_tables.h 25--- linux-2.4.18-orig/include/linux/netfilter_ipv4/ip_tables.h Mon Feb 25 20:38:13 2002 26+++ linux-2.4.18-raw/include/linux/netfilter_ipv4/ip_tables.h Wed Jun 12 17:37:50 2002 27@@ -443,5 +443,18 @@ 28 void *userdata); 29 30 #define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1)) 31+ 32+/* Internal packet logging interface */ 33+extern void (*ipt_packet_log_fn)(struct sk_buff **pskb, 34+ unsigned int hooknum, 35+ const struct net_device *in, 36+ const struct net_device *out, 37+ const char *prefix); 38+ 39+extern void ipt_log_packet(struct sk_buff **pskb, 40+ unsigned int hooknum, 41+ const struct net_device *in, 42+ const struct net_device *out, 43+ const char *prefix); 44 #endif /*__KERNEL__*/ 45 #endif /* _IPTABLES_H */ 46diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/include/linux/netfilter_ipv4/ipt_ULOG.h linux-2.4.18-raw/include/linux/netfilter_ipv4/ipt_ULOG.h 47--- linux-2.4.18-orig/include/linux/netfilter_ipv4/ipt_ULOG.h Mon Feb 25 20:38:13 2002 48+++ linux-2.4.18-raw/include/linux/netfilter_ipv4/ipt_ULOG.h Sat Jun 8 19:40:31 2002 49@@ -20,6 +20,9 @@ 50 * Assuming a standard ethernet-mtu of 1500, we could define this up 51 * to 80... but even 50 seems to be big enough. */ 52 53+#define ULOG_DEFAULT_NLGROUP 1 54+#define ULOG_DEFAULT_QTHRESHOLD 1 55+ 56 /* private data structure for each rule with a ULOG target */ 57 struct ipt_ulog_info { 58 unsigned int nl_group; 59diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/include/linux/netfilter_ipv4/ipt_state.h linux-2.4.18-raw/include/linux/netfilter_ipv4/ipt_state.h 60--- linux-2.4.18-orig/include/linux/netfilter_ipv4/ipt_state.h Fri Apr 14 18:37:20 2000 61+++ linux-2.4.18-raw/include/linux/netfilter_ipv4/ipt_state.h Sat Jun 8 17:09:52 2002 62@@ -3,6 +3,7 @@ 63 64 #define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1)) 65 #define IPT_STATE_INVALID (1 << 0) 66+#define IPT_STATE_UNTRACKED (1 << (IP_CT_IS_REPLY+1)) 67 68 struct ipt_state_info 69 { 70diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.18-raw/net/ipv4/netfilter/ip_conntrack_core.c 71--- linux-2.4.18-orig/net/ipv4/netfilter/ip_conntrack_core.c Tue Aug 7 17:30:50 2001 72+++ linux-2.4.18-raw/net/ipv4/netfilter/ip_conntrack_core.c Thu Jun 13 11:32:30 2002 73@@ -54,6 +54,7 @@ 74 static atomic_t ip_conntrack_count = ATOMIC_INIT(0); 75 struct list_head *ip_conntrack_hash; 76 static kmem_cache_t *ip_conntrack_cachep; 77+struct ip_conntrack ip_conntrack_untracked; 78 79 extern struct ip_conntrack_protocol ip_conntrack_generic_protocol; 80 81@@ -1143,5 +1144,14 @@ 82 83 /* For use by ipt_REJECT */ 84 ip_ct_attach = ip_conntrack_attach; 85+ 86+ /* Set up fake conntrack: 87+ to never be deleted, not in any hashes */ 88+ atomic_set(&ip_conntrack_untracked.ct_general.use, 1); 89+ /* and look it like as a confirmed connection */ 90+ ip_conntrack_untracked.tuplehash[IP_CT_DIR_ORIGINAL].list.next = (struct list_head *)&ip_conntrack_untracked; 91+ /* and prepare the ctinfo field for NAT. */ 92+ ip_conntrack_untracked.infos[IP_CT_NEW].master = &ip_conntrack_untracked.ct_general; 93+ 94 return ret; 95 } 96diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.18-raw/net/ipv4/netfilter/ip_conntrack_standalone.c 97--- linux-2.4.18-orig/net/ipv4/netfilter/ip_conntrack_standalone.c Mon Feb 25 20:38:14 2002 98+++ linux-2.4.18-raw/net/ipv4/netfilter/ip_conntrack_standalone.c Thu Jun 13 11:31:59 2002 99@@ -338,3 +338,4 @@ 100 EXPORT_SYMBOL(ip_conntrack_tuple_taken); 101 EXPORT_SYMBOL(ip_ct_gather_frags); 102 EXPORT_SYMBOL(ip_conntrack_htable_size); 103+EXPORT_SYMBOL(ip_conntrack_untracked); 104diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/ip_nat_core.c linux-2.4.18-raw/net/ipv4/netfilter/ip_nat_core.c 105--- linux-2.4.18-orig/net/ipv4/netfilter/ip_nat_core.c Fri Dec 21 18:42:05 2001 106+++ linux-2.4.18-raw/net/ipv4/netfilter/ip_nat_core.c Wed Jul 31 08:41:25 2002 107@@ -897,6 +897,10 @@ 108 IP_NF_ASSERT(ip_conntrack_destroyed == NULL); 109 ip_conntrack_destroyed = &ip_nat_cleanup_conntrack; 110+ 111+ /* Initialize fake conntrack so that NAT will skip it */ 112+ ip_conntrack_untracked.nat.info.initialized |= 113+ (1 << IP_NAT_MANIP_SRC) | (1 << IP_NAT_MANIP_DST); 114 115 return 0; 116 } 117diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/ip_tables.c linux-2.4.18-raw/net/ipv4/netfilter/ip_tables.c 118--- linux-2.4.18-orig/net/ipv4/netfilter/ip_tables.c Mon Feb 25 20:38:14 2002 119+++ linux-2.4.18-raw/net/ipv4/netfilter/ip_tables.c Tue Jul 23 11:21:42 2002 120@@ -7,6 +7,8 @@ 121 * 19 Jan 2002 Harald Welte <laforge@gnumonks.org> 122 * - increase module usage count as soon as we have rules inside 123 * a table 124+ * 8 Jun 2002 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 125+ * - packet logging interface added 126 */ 127 #include <linux/config.h> 128 #include <linux/skbuff.h> 129@@ -24,6 +26,16 @@ 130 131 #include <linux/netfilter_ipv4/ip_tables.h> 132 133+#ifdef CONFIG_IP_NF_TARGET_TRACE_NEEDED 134+static const char *hooknames[] 135+= { [NF_IP_PRE_ROUTING] "PREROUTING", 136+ [NF_IP_LOCAL_IN] "INPUT", 137+ [NF_IP_FORWARD] "FORWARD", 138+ [NF_IP_LOCAL_OUT] "OUTPUT", 139+ [NF_IP_POST_ROUTING] "POSTROUTING", 140+}; 141+#endif 142+ 143 /*#define DEBUG_IP_FIREWALL*/ 144 /*#define DEBUG_ALLOW_ALL*/ /* Useful for remote debugging */ 145 /*#define DEBUG_IP_FIREWALL_USER*/ 146@@ -117,6 +129,31 @@ 147 #define up(x) do { printk("UP:%u:" #x "\n", __LINE__); up(x); } while(0) 148 #endif 149 150+/* We rely on the LOG targets */ 151+void (*ipt_packet_log_fn)(struct sk_buff **pskb, 152+ unsigned int hooknum, 153+ const struct net_device *in, 154+ const struct net_device *out, 155+ const char *prefix) = NULL; 156+ 157+void ipt_log_packet(struct sk_buff **pskb, 158+ unsigned int hooknum, 159+ const struct net_device *in, 160+ const struct net_device *out, 161+ const char *prefix) 162+{ 163+ static unsigned int reported = 0; 164+ 165+ if (ipt_packet_log_fn == NULL) { 166+ if (!reported) { 167+ printk(KERN_WARNING "ip_tables: can\'t log yet, " 168+ "no backend logging module loaded in!\n"); 169+ reported++; 170+ } 171+ } else 172+ ipt_packet_log_fn(pskb, hooknum, in, out, prefix); 173+} 174+ 175 /* Returns whether matches rule or not. */ 176 static inline int 177 ip_packet_match(const struct iphdr *ip, 178@@ -250,6 +287,39 @@ 179 return (struct ipt_entry *)(base + offset); 180 } 181 182+static inline int 183+get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e, 184+ char **chainname, u_int16_t *rulenum) 185+{ 186+ struct ipt_entry_target *t; 187+ 188+ (*rulenum)++; 189+ 190+ if (s == e) 191+ return 1; 192+ 193+ t = ipt_get_target(s); 194+ if (strcmp(t->u.kernel.target->name, IPT_ERROR_TARGET) == 0) { 195+ *chainname = t->data; 196+ (*rulenum) = 0; 197+ } 198+ 199+ return 0; 200+} 201+ 202+/* All zeroes == unconditional rule. */ 203+static inline int 204+unconditional(const struct ipt_ip *ip) 205+{ 206+ unsigned int i; 207+ 208+ for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++) 209+ if (((__u32 *)ip)[i]) 210+ return 0; 211+ 212+ return 1; 213+} 214+ 215 /* Returns one of the generic firewall policies, like NF_ACCEPT. */ 216 unsigned int 217 ipt_do_table(struct sk_buff **pskb, 218@@ -325,6 +395,31 @@ 219 220 t = ipt_get_target(e); 221 IP_NF_ASSERT(t->u.kernel.target); 222+#ifdef CONFIG_IP_NF_TARGET_TRACE_NEEDED 223+ /* The packet traced and the rule isn't an unconditional return/END. */ 224+ if (((*pskb)->nfcache & NFC_TRACE) 225+ && !(e->target_offset == sizeof(struct ipt_entry) 226+ && (strcmp(t->u.kernel.target->name, 227+ IPT_STANDARD_TARGET) == 0) 228+ && !t->u.kernel.target->target 229+ && ((struct ipt_standard_target *)t)->verdict < 0 230+ && unconditional(&e->ip))) { 231+ /* "TRACE: tablename/chainname/rulenum " */ 232+ char prefix[11+2*IPT_TABLE_MAXNAMELEN+6]; 233+ char *chainname = (char *) hooknames[hook]; 234+ u_int16_t rulenum = 0; 235+ 236+ IPT_ENTRY_ITERATE(get_entry(table_base, table->private->hook_entry[hook]), 237+ table->private->size, 238+ get_chainname_rulenum, 239+ e, &chainname, &rulenum); 240+ 241+ snprintf(prefix, sizeof(prefix), "TRACE: %s/%s/%u ", 242+ table->name, chainname, rulenum); 243+ 244+ ipt_log_packet(pskb, hook, in, out, prefix); 245+ } 246+#endif 247 /* Standard target? */ 248 if (!t->u.kernel.target->target) { 249 int v; 250@@ -481,19 +576,6 @@ 251 return find_inlist_lock(&ipt_target, name, "ipt_", error, mutex); 252 } 253 254-/* All zeroes == unconditional rule. */ 255-static inline int 256-unconditional(const struct ipt_ip *ip) 257-{ 258- unsigned int i; 259- 260- for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++) 261- if (((__u32 *)ip)[i]) 262- return 0; 263- 264- return 1; 265-} 266- 267 /* Figures out from what hook each rule can be called: returns 0 if 268 there are loops. Puts hook bitmask in comefrom. */ 269 static int 270@@ -1786,6 +1868,8 @@ 271 EXPORT_SYMBOL(ipt_do_table); 272 EXPORT_SYMBOL(ipt_register_target); 273 EXPORT_SYMBOL(ipt_unregister_target); 274+EXPORT_SYMBOL(ipt_log_packet); 275+EXPORT_SYMBOL(ipt_packet_log_fn); 276 277 module_init(init); 278 module_exit(fini); 279diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/ipt_LOG.c linux-2.4.18-raw/net/ipv4/netfilter/ipt_LOG.c 280--- linux-2.4.18-orig/net/ipv4/netfilter/ipt_LOG.c Mon Feb 25 20:38:14 2002 281+++ linux-2.4.18-raw/net/ipv4/netfilter/ipt_LOG.c Thu Jun 13 16:05:22 2002 282@@ -2,6 +2,7 @@ 283 * This is a module which is used for logging packets. 284 */ 285 #include <linux/module.h> 286+#include <linux/kernel.h> 287 #include <linux/skbuff.h> 288 #include <linux/ip.h> 289 #include <linux/spinlock.h> 290@@ -270,23 +271,21 @@ 291 /* maxlen = 230+ 91 + 230 + 252 = 803 */ 292 } 293 294-static unsigned int 295-ipt_log_target(struct sk_buff **pskb, 296- unsigned int hooknum, 297- const struct net_device *in, 298- const struct net_device *out, 299- const void *targinfo, 300- void *userinfo) 301+static void 302+ipt_log(struct sk_buff **pskb, 303+ unsigned int hooknum, 304+ const struct net_device *in, 305+ const struct net_device *out, 306+ const struct ipt_log_info *loginfo, 307+ const char *level_string, 308+ const char *prefix) 309 { 310 struct iphdr *iph = (*pskb)->nh.iph; 311- const struct ipt_log_info *loginfo = targinfo; 312- char level_string[4] = "< >"; 313 314- level_string[1] = '0' + (loginfo->level % 8); 315 spin_lock_bh(&log_lock); 316 printk(level_string); 317 printk("%sIN=%s OUT=%s ", 318- loginfo->prefix, 319+ prefix == NULL ? loginfo->prefix : prefix, 320 in ? in->name : "", 321 out ? out->name : ""); 322 if (in && !out) { 323@@ -306,10 +305,37 @@ 324 dump_packet(loginfo, iph, (*pskb)->len, 1); 325 printk("\n"); 326 spin_unlock_bh(&log_lock); 327+} 328+ 329+static unsigned int 330+ipt_log_target(struct sk_buff **pskb, 331+ unsigned int hooknum, 332+ const struct net_device *in, 333+ const struct net_device *out, 334+ const void *targinfo, 335+ void *userinfo) 336+{ 337+ const struct ipt_log_info *loginfo = targinfo; 338+ char level_string[4] = "< >"; 339+ 340+ level_string[1] = '0' + (loginfo->level % 8); 341+ ipt_log(pskb, hooknum, in, out, loginfo, level_string, NULL); 342 343 return IPT_CONTINUE; 344 } 345 346+static void 347+ipt_log_fn(struct sk_buff **pskb, 348+ unsigned int hooknum, 349+ const struct net_device *in, 350+ const struct net_device *out, 351+ const char *prefix) 352+{ 353+ struct ipt_log_info loginfo = { 0, IPT_LOG_MASK, ""}; 354+ 355+ ipt_log(pskb, hooknum, in, out, &loginfo, KERN_WARNING, prefix); 356+} 357+ 358 static int ipt_log_checkentry(const char *tablename, 359 const struct ipt_entry *e, 360 void *targinfo, 361@@ -346,6 +372,9 @@ 362 { 363 if (ipt_register_target(&ipt_log_reg)) 364 return -EINVAL; 365+ 366+ if (ipt_packet_log_fn == NULL) 367+ ipt_packet_log_fn = ipt_log_fn; 368 369 return 0; 370 } 371@@ -353,6 +382,9 @@ 372 static void __exit fini(void) 373 { 374 ipt_unregister_target(&ipt_log_reg); 375+ 376+ if (ipt_packet_log_fn == ipt_log_fn) 377+ ipt_packet_log_fn = NULL; 378 } 379 380 module_init(init); 381diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/ipt_NOTRACK.c linux-2.4.18-raw/net/ipv4/netfilter/ipt_NOTRACK.c 382--- linux-2.4.18-orig/net/ipv4/netfilter/ipt_NOTRACK.c Thu Jan 1 01:00:00 1970 383+++ linux-2.4.18-raw/net/ipv4/netfilter/ipt_NOTRACK.c Thu Jun 13 11:33:59 2002 384@@ -0,0 +1,63 @@ 385+/* This is a module which is used for setting up fake conntracks 386+ on packets so that they are not seen by the conntrack/NAT code */ 387+#include <linux/module.h> 388+#include <linux/skbuff.h> 389+ 390+#include <linux/netfilter_ipv4/ip_tables.h> 391+#include <linux/netfilter_ipv4/ip_conntrack.h> 392+ 393+static unsigned int 394+target(struct sk_buff **pskb, 395+ unsigned int hooknum, 396+ const struct net_device *in, 397+ const struct net_device *out, 398+ const void *targinfo, 399+ void *userinfo) 400+{ 401+ if((*pskb)->nfct == NULL) { 402+ (*pskb)->nfct = &ip_conntrack_untracked.infos[IP_CT_NEW]; 403+ nf_conntrack_get((*pskb)->nfct); 404+ } 405+ return IPT_CONTINUE; 406+} 407+ 408+static int 409+checkentry(const char *tablename, 410+ const struct ipt_entry *e, 411+ void *targinfo, 412+ unsigned int targinfosize, 413+ unsigned int hook_mask) 414+{ 415+ if (targinfosize != 0) { 416+ printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n", 417+ targinfosize); 418+ return 0; 419+ } 420+ 421+ if (strcmp(tablename, "raw") != 0) { 422+ printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename); 423+ return 0; 424+ } 425+ 426+ return 1; 427+} 428+ 429+static struct ipt_target ipt_notrack_reg 430+= { { NULL, NULL }, "NOTRACK", target, checkentry, NULL, THIS_MODULE }; 431+ 432+static int __init init(void) 433+{ 434+ if (ipt_register_target(&ipt_notrack_reg)) 435+ return -EINVAL; 436+ 437+ return 0; 438+} 439+ 440+static void __exit fini(void) 441+{ 442+ ipt_unregister_target(&ipt_notrack_reg); 443+} 444+ 445+module_init(init); 446+module_exit(fini); 447+MODULE_LICENSE("GPL"); 448diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/ipt_TRACE.c linux-2.4.18-raw/net/ipv4/netfilter/ipt_TRACE.c 449--- linux-2.4.18-orig/net/ipv4/netfilter/ipt_TRACE.c Thu Jan 1 01:00:00 1970 450+++ linux-2.4.18-raw/net/ipv4/netfilter/ipt_TRACE.c Fri Jun 7 23:35:58 2002 451@@ -0,0 +1,59 @@ 452+/* This is a module which is used for setting 453+ the NFC_TRACE flag in the nfcache field of an skb. */ 454+#include <linux/module.h> 455+#include <linux/skbuff.h> 456+ 457+#include <linux/netfilter_ipv4/ip_tables.h> 458+ 459+static unsigned int 460+target(struct sk_buff **pskb, 461+ unsigned int hooknum, 462+ const struct net_device *in, 463+ const struct net_device *out, 464+ const void *targinfo, 465+ void *userinfo) 466+{ 467+ (*pskb)->nfcache |= NFC_TRACE; 468+ return IPT_CONTINUE; 469+} 470+ 471+static int 472+checkentry(const char *tablename, 473+ const struct ipt_entry *e, 474+ void *targinfo, 475+ unsigned int targinfosize, 476+ unsigned int hook_mask) 477+{ 478+ if (targinfosize != 0) { 479+ printk(KERN_WARNING "TRACE: targinfosize %u != 0\n", 480+ targinfosize); 481+ return 0; 482+ } 483+ 484+ if (strcmp(tablename, "raw") != 0) { 485+ printk(KERN_WARNING "TRACE: can only be called from \"raw\" table, not \"%s\"\n", tablename); 486+ return 0; 487+ } 488+ 489+ return 1; 490+} 491+ 492+static struct ipt_target ipt_trace_reg 493+= { { NULL, NULL }, "TRACE", target, checkentry, NULL, THIS_MODULE }; 494+ 495+static int __init init(void) 496+{ 497+ if (ipt_register_target(&ipt_trace_reg)) 498+ return -EINVAL; 499+ 500+ return 0; 501+} 502+ 503+static void __exit fini(void) 504+{ 505+ ipt_unregister_target(&ipt_trace_reg); 506+} 507+ 508+module_init(init); 509+module_exit(fini); 510+MODULE_LICENSE("GPL"); 511diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/ipt_ULOG.c linux-2.4.18-raw/net/ipv4/netfilter/ipt_ULOG.c 512--- linux-2.4.18-orig/net/ipv4/netfilter/ipt_ULOG.c Mon Feb 25 20:38:14 2002 513+++ linux-2.4.18-raw/net/ipv4/netfilter/ipt_ULOG.c Thu Jun 13 09:27:18 2002 514@@ -74,6 +74,9 @@ 515 static unsigned int flushtimeout = 10 * HZ; 516 MODULE_PARM(flushtimeout, "i"); 517 MODULE_PARM_DESC(flushtimeout, "buffer flush timeout"); 518+static unsigned int takeover = 0; 519+MODULE_PARM(takeover, "i"); 520+MODULE_PARM_DESC(takeover, "take over internal logging from ipt_LOG"); 521 522 /* global data structures */ 523 524@@ -157,17 +160,17 @@ 525 return skb; 526 } 527 528-static unsigned int ipt_ulog_target(struct sk_buff **pskb, 529- unsigned int hooknum, 530- const struct net_device *in, 531- const struct net_device *out, 532- const void *targinfo, void *userinfo) 533+static void ipt_ulog(struct sk_buff **pskb, 534+ unsigned int hooknum, 535+ const struct net_device *in, 536+ const struct net_device *out, 537+ const struct ipt_ulog_info *loginfo, 538+ const char *prefix) 539 { 540 ulog_buff_t *ub; 541 ulog_packet_msg_t *pm; 542 size_t size, copy_len; 543 struct nlmsghdr *nlh; 544- struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo; 545 546 /* calculate the size of the skb needed */ 547 if ((loginfo->copy_range == 0) || 548@@ -213,7 +216,9 @@ 549 pm->timestamp_usec = (*pskb)->stamp.tv_usec; 550 pm->mark = (*pskb)->nfmark; 551 pm->hook = hooknum; 552- if (loginfo->prefix[0] != '\0') 553+ if (prefix != NULL) 554+ strncpy(pm->prefix, prefix, sizeof(pm->prefix)); 555+ else if (loginfo->prefix[0] != '\0') 556 strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); 557 else 558 *(pm->prefix) = '\0'; 559@@ -259,7 +264,7 @@ 560 561 UNLOCK_BH(&ulog_lock); 562 563- return IPT_CONTINUE; 564+ return; 565 566 567 nlmsg_failure: 568@@ -269,10 +274,35 @@ 569 PRINTR("ipt_ULOG: Error building netlink message\n"); 570 571 UNLOCK_BH(&ulog_lock); 572+} 573+ 574+static unsigned int ipt_ulog_target(struct sk_buff **pskb, 575+ unsigned int hooknum, 576+ const struct net_device *in, 577+ const struct net_device *out, 578+ const void *targinfo, void *userinfo) 579+{ 580+ struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo; 581+ 582+ ipt_ulog(pskb, hooknum, in, out, loginfo, NULL); 583 584 return IPT_CONTINUE; 585 } 586 587+static void ipt_ulog_fn(struct sk_buff **pskb, 588+ unsigned int hooknum, 589+ const struct net_device *in, 590+ const struct net_device *out, 591+ const char *prefix) 592+{ 593+ struct ipt_ulog_info loginfo = { ULOG_DEFAULT_NLGROUP, 594+ 0, 595+ ULOG_DEFAULT_QTHRESHOLD, 596+ "" }; 597+ 598+ ipt_ulog(pskb, hooknum, in, out, &loginfo, prefix); 599+} 600+ 601 static int ipt_ulog_checkentry(const char *tablename, 602 const struct ipt_entry *e, 603 void *targinfo, 604@@ -334,6 +364,9 @@ 605 return -EINVAL; 606 } 607 608+ if (ipt_packet_log_fn == NULL || takeover) 609+ ipt_packet_log_fn = ipt_ulog_fn; 610+ 611 return 0; 612 } 613 614@@ -343,6 +376,8 @@ 615 616 ipt_unregister_target(&ipt_ulog_reg); 617 sock_release(nflognl->socket); 618+ if (ipt_packet_log_fn == ipt_ulog_fn) 619+ ipt_packet_log_fn = NULL; 620 } 621 622 module_init(init); 623diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/ipt_state.c linux-2.4.18-raw/net/ipv4/netfilter/ipt_state.c 624--- linux-2.4.18-orig/net/ipv4/netfilter/ipt_state.c Sun Sep 30 21:26:08 2001 625+++ linux-2.4.18-raw/net/ipv4/netfilter/ipt_state.c Thu Jun 13 11:34:20 2002 626@@ -21,7 +21,9 @@ 627 enum ip_conntrack_info ctinfo; 628 unsigned int statebit; 629 630- if (!ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) 631+ if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW]) 632+ statebit = IPT_STATE_UNTRACKED; 633+ else if (!ip_conntrack_get((struct sk_buff *)skb, &ctinfo)) 634 statebit = IPT_STATE_INVALID; 635 else 636 statebit = IPT_STATE_BIT(ctinfo); 637diff -urN --exclude-from=diff.exclude-raw linux-2.4.18-orig/net/ipv4/netfilter/iptable_raw.c linux-2.4.18-raw/net/ipv4/netfilter/iptable_raw.c 638--- linux-2.4.18-orig/net/ipv4/netfilter/iptable_raw.c Thu Jan 1 01:00:00 1970 639+++ linux-2.4.18-raw/net/ipv4/netfilter/iptable_raw.c Sat Jun 8 17:46:42 2002 640@@ -0,0 +1,133 @@ 641+/* 642+ * 'raw' table, which is the very first hooked in at PRE_ROUTING and LOCAL_OUT 643+ */ 644+#include <linux/module.h> 645+#include <linux/netfilter_ipv4/ip_tables.h> 646+ 647+#define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT)) 648+ 649+/* Standard entry. */ 650+struct ipt_standard 651+{ 652+ struct ipt_entry entry; 653+ struct ipt_standard_target target; 654+}; 655+ 656+struct ipt_error_target 657+{ 658+ struct ipt_entry_target target; 659+ char errorname[IPT_FUNCTION_MAXNAMELEN]; 660+}; 661+ 662+struct ipt_error 663+{ 664+ struct ipt_entry entry; 665+ struct ipt_error_target target; 666+}; 667+ 668+static struct 669+{ 670+ struct ipt_replace repl; 671+ struct ipt_standard entries[2]; 672+ struct ipt_error term; 673+} initial_table __initdata 674+= { { "raw", RAW_VALID_HOOKS, 3, 675+ sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error), 676+ { [NF_IP_PRE_ROUTING] 0, 677+ [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) }, 678+ { [NF_IP_PRE_ROUTING] 0, 679+ [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) }, 680+ 0, NULL, { } }, 681+ { 682+ /* PRE_ROUTING */ 683+ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 684+ 0, 685+ sizeof(struct ipt_entry), 686+ sizeof(struct ipt_standard), 687+ 0, { 0, 0 }, { } }, 688+ { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, 689+ -NF_ACCEPT - 1 } }, 690+ /* LOCAL_OUT */ 691+ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 692+ 0, 693+ sizeof(struct ipt_entry), 694+ sizeof(struct ipt_standard), 695+ 0, { 0, 0 }, { } }, 696+ { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, 697+ -NF_ACCEPT - 1 } } 698+ }, 699+ /* ERROR */ 700+ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 701+ 0, 702+ sizeof(struct ipt_entry), 703+ sizeof(struct ipt_error), 704+ 0, { 0, 0 }, { } }, 705+ { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } }, 706+ { } }, 707+ "ERROR" 708+ } 709+ } 710+}; 711+ 712+static struct ipt_table packet_raw 713+= { { NULL, NULL }, "raw", &initial_table.repl, 714+ RAW_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL, THIS_MODULE }; 715+ 716+/* The work comes in here from netfilter.c. */ 717+static unsigned int 718+ipt_hook(unsigned int hook, 719+ struct sk_buff **pskb, 720+ const struct net_device *in, 721+ const struct net_device *out, 722+ int (*okfn)(struct sk_buff *)) 723+{ 724+ return ipt_do_table(pskb, hook, in, out, &packet_raw, NULL); 725+} 726+ 727+/* 'raw' is the very first table. */ 728+static struct nf_hook_ops ipt_ops[] 729+= { { { NULL, NULL }, ipt_hook, PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_FIRST }, 730+ { { NULL, NULL }, ipt_hook, PF_INET, NF_IP_LOCAL_OUT, NF_IP_PRI_FIRST } 731+}; 732+ 733+static int __init init(void) 734+{ 735+ int ret; 736+ 737+ /* Register table */ 738+ ret = ipt_register_table(&packet_raw); 739+ if (ret < 0) 740+ return ret; 741+ 742+ /* Register hooks */ 743+ ret = nf_register_hook(&ipt_ops[0]); 744+ if (ret < 0) 745+ goto cleanup_table; 746+ 747+ ret = nf_register_hook(&ipt_ops[1]); 748+ if (ret < 0) 749+ goto cleanup_hook0; 750+ 751+ return ret; 752+ 753+ cleanup_hook0: 754+ nf_unregister_hook(&ipt_ops[0]); 755+ cleanup_table: 756+ ipt_unregister_table(&packet_raw); 757+ 758+ return ret; 759+} 760+ 761+static void __exit fini(void) 762+{ 763+ unsigned int i; 764+ 765+ for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++) 766+ nf_unregister_hook(&ipt_ops[i]); 767+ 768+ ipt_unregister_table(&packet_raw); 769+} 770+ 771+module_init(init); 772+module_exit(fini); 773+MODULE_LICENSE("GPL"); 774