-rw-r--r--extensions/libip6t_limit.c3
-rw-r--r--extensions/libipt_conntrack.c34
-rw-r--r--extensions/libipt_limit.c3
-rw-r--r--include/linux/netfilter_ipv4/ipt_conntrack.h6
-rw-r--r--include/linux/netfilter_ipv4/ipt_limit.h26
-rw-r--r--include/linux/netfilter_ipv6/ip6t_limit.h25
6 files changed, 89 insertions, 8 deletions
diff --git a/extensions/libip6t_limit.c b/extensions/libip6t_limit.c
index 9516252b..e141d01b 100644
--- a/extensions/libip6t_limit.c
+++ b/extensions/libip6t_limit.c
@@ -11,7 +11,8 @@
#include <ip6tables.h>
#include <stddef.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_limit.h>
+/* For 64bit kernel / 32bit userspace */
+#include "../include/linux/netfilter_ipv6/ip6t_limit.h"
#define IP6T_LIMIT_AVG "3/hour"
#define IP6T_LIMIT_BURST 5
diff --git a/extensions/libipt_conntrack.c b/extensions/libipt_conntrack.c
index 48c2f1dc..49a2afbe 100644
--- a/extensions/libipt_conntrack.c
+++ b/extensions/libipt_conntrack.c
@@ -11,7 +11,8 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-#include <linux/netfilter_ipv4/ipt_conntrack.h>
+/* For 64bit kernel / 32bit userspace */
+#include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
#ifndef IPT_CONNTRACK_STATE_UNTRACKED
#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
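Review bot: The `#ifndef IPT_CONNTRACK_STATE_UNTRACKED` fallback right after the new include is now dead code, because the local `../include/linux/netfilter_ipv4/ipt_conntrack.h` that this commit pulls in defines that constant unconditionally (see the header hunk in this same diff). The guard presumably existed for system kernel headers that predate the constant; with the bundled copy the `#ifndef` can never be taken. I would drop the two fallback lines, or if they are kept for some out-of-tree build, annotate them with `/* fallback only matters if the bundled ipt_conntrack.h is bypassed */` so the next reader does not look for a header that lacks it.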
@@ -135,17 +136,29 @@ parse_statuses(const char *arg, struct ipt_conntrack_info *sinfo)
exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
}
-
+#ifdef KERNEL_64_USERSPACE_32
+static unsigned long long
+parse_expire(const char *s)
+{
+ unsigned long long len;
+
+ if (string_to_number_ll(s, 0, 0, &len) == -1)
+ exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
+ else
+ return len;
+}
+#else
static unsigned long
parse_expire(const char *s)
{
unsigned int len;
- if (string_to_number(s, 0, 0xFFFFFFFF, &len) == -1)
+ if (string_to_number(s, 0, 0, &len) == -1)
exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
else
return len;
}
+#endif
/* If a single value is provided, min and max are both set to the value */
static void
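Review bot: In the `#else` variant of `parse_expire` the upper bound passed to `string_to_number` changes from `0xFFFFFFFF` to `0`, which is only correct if that helper treats a zero maximum as "no upper limit" — the helper is not visible here, and if it does not, every non-zero expire value is rejected with "expire value invalid". The new `string_to_number_ll` call in the `KERNEL_64_USERSPACE_32` variant relies on the same convention. A one-line comment above each call would make the dependency explicit: `/* max == 0 means no upper bound; the helper caps at the type's range */`. Note also that the two variants return different widths (`unsigned long long` vs `unsigned long`), which is fine only because the `expires_min`/`expires_max` fields switch width under the same macro; `parse_expires`, whose signature begins at the end of this hunk, continues outside it.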
@@ -162,15 +175,19 @@ parse_expires(const char *s, struct ipt_conntrack_info *sinfo)
cp++;
sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
- sinfo->expires_max = cp[0] ? parse_expire(cp) : 0xFFFFFFFF;
+ sinfo->expires_max = cp[0] ? parse_expire(cp) : -1;
}
free(buffer);
if (sinfo->expires_min > sinfo->expires_max)
exit_error(PARAMETER_PROBLEM,
+#ifdef KERNEL_64_USERSPACE_32
+ "expire min. range value `%llu' greater than max. "
+ "range value `%llu'", sinfo->expires_min, sinfo->expires_max);
+#else
"expire min. range value `%lu' greater than max. "
"range value `%lu'", sinfo->expires_min, sinfo->expires_max);
-
+#endif
}
/* Function which parses command options; returns true if it
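Review bot: The `#ifdef KERNEL_64_USERSPACE_32` spliced into the middle of the `exit_error(...)` argument list is fragile to edit and duplicates the message text; the preprocessor branch can go away entirely by widening the operands once and using a single format. I would write `"expire min. range value `%llu' greater than max. " "range value `%llu'", (unsigned long long)sinfo->expires_min, (unsigned long long)sinfo->expires_max);` in both builds, since the cast is lossless for either field type. The `-1` assigned to `expires_max` yields all-ones in whichever width the field has, which I take to be the intent (mirroring the kernel's `unsigned long`), but `(typeof(sinfo->expires_max))~0` or a comment `/* -1: all-ones sentinel, width follows the field */` would make that deliberate rather than incidental. `parse_expires` starts before this hunk.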
@@ -485,10 +502,17 @@ matchinfo_print(const struct ipt_ip *ip, const struct ipt_entry_match *match, in
if (sinfo->invflags & IPT_CONNTRACK_EXPIRES)
printf("! ");
+#ifdef KERNEL_64_USERSPACE_32
+ if (sinfo->expires_max == sinfo->expires_min)
+ printf("%llu ", sinfo->expires_min);
+ else
+ printf("%llu:%llu ", sinfo->expires_min, sinfo->expires_max);
+#else
if (sinfo->expires_max == sinfo->expires_min)
printf("%lu ", sinfo->expires_min);
else
printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
+#endif
}
}
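Review bot: The two `printf` variants under `#ifdef KERNEL_64_USERSPACE_32` in `matchinfo_print` differ only in the length modifier, so the duplicated branch can be collapsed by casting both fields: `printf("%llu ", (unsigned long long)sinfo->expires_min);` and `printf("%llu:%llu ", (unsigned long long)sinfo->expires_min, (unsigned long long)sinfo->expires_max);`. That keeps the format/argument pairing correct for either field width without maintaining two copies of the output logic. `matchinfo_print` begins above this hunk.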
diff --git a/extensions/libipt_limit.c b/extensions/libipt_limit.c
index af381fa3..4d52040c 100644
--- a/extensions/libipt_limit.c
+++ b/extensions/libipt_limit.c
@@ -11,7 +11,8 @@
#include <iptables.h>
#include <stddef.h>
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_limit.h>
+/* For 64bit kernel / 32bit userspace */
+#include "../include/linux/netfilter_ipv4/ipt_limit.h"
#define IPT_LIMIT_AVG "3/hour"
#define IPT_LIMIT_BURST 5
diff --git a/include/linux/netfilter_ipv4/ipt_conntrack.h b/include/linux/netfilter_ipv4/ipt_conntrack.h
index eb97456c..98770212 100644
--- a/include/linux/netfilter_ipv4/ipt_conntrack.h
+++ b/include/linux/netfilter_ipv4/ipt_conntrack.h
@@ -10,6 +10,7 @@
#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
+#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
/* flags, invflags: */
#define IPT_CONNTRACK_STATE 0x01
@@ -28,7 +29,11 @@ struct ipt_conntrack_info
struct ip_conntrack_tuple tuple[IP_CT_DIR_MAX];
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
+#ifdef KERNEL_64_USERSPACE_32
+ unsigned long long expires_min, expires_max;
+#else
unsigned long expires_min, expires_max;
+#endif
/* Flags word */
u_int8_t flags;
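Review bot: Widening `expires_min`/`expires_max` to `unsigned long long` reproduces the member width of a 64-bit kernel's `unsigned long`, but not necessarily its alignment: on i386 a `long long` struct member is 4-byte aligned whereas the kernel's field is 8-byte aligned, so if the preceding `tuple`/`sipmsk`/`dipmsk` members leave the offset at 4 mod 8, the kernel struct carries 4 bytes of padding that this one lacks and `flags`/`invflags` (and the total size) shift. The sizes of `struct ip_conntrack_tuple` are not visible here, so this cannot be settled from the hunk; it needs an `offsetof`/`sizeof` comparison against the target kernel, ideally checked once at extension init. I would at least annotate the `#ifdef` with `/* Must match the 64-bit kernel's 'unsigned long' in both size and 8-byte alignment; verify offsetof(expires_min) and sizeof against the kernel. */`. The struct's opening line lies outside this hunk.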
@@ -36,4 +41,3 @@ struct ipt_conntrack_info
u_int8_t invflags;
};
#endif /*_IPT_CONNTRACK_H*/
-
diff --git a/include/linux/netfilter_ipv4/ipt_limit.h b/include/linux/netfilter_ipv4/ipt_limit.h
new file mode 100644
index 00000000..e2fb1660
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_limit.h
@@ -0,0 +1,26 @@
+#ifndef _IPT_RATE_H
+#define _IPT_RATE_H
+
+/* timings are in milliseconds. */
+#define IPT_LIMIT_SCALE 10000
+
+/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
+ seconds, or one every 59 hours. */
+struct ipt_rateinfo {
+ u_int32_t avg; /* Average secs between packets * scale */
+ u_int32_t burst; /* Period multiplier for upper limit. */
+
+#ifdef KERNEL_64_USERSPACE_32
+ u_int64_t prev;
+ u_int64_t placeholder;
+#else
+ /* Used internally by the kernel */
+ unsigned long prev;
+ /* Ugly, ugly fucker. */
+ struct ipt_rateinfo *master;
+#endif
+
+ u_int32_t credit;
+ u_int32_t credit_cap, cost;
+};
+#endif /*_IPT_RATE_H*/
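Review bot: The `KERNEL_64_USERSPACE_32` branch of `struct ipt_rateinfo` gets the member sizes right (`u_int64_t prev` plus a `u_int64_t placeholder` standing in for the kernel's `master` pointer), but on a 32-bit build the struct's alignment is 4, so its `sizeof` is not rounded up to a multiple of 8 the way the 64-bit kernel's is; whether the kernel's match-size check then rejects the rule or the mismatch is absorbed by the caller's alignment macro cannot be seen from this header, and deserves a comment plus a check against the kernel's value. Two smaller points: the header uses `u_int32_t`/`u_int64_t` without including `<sys/types.h>`, relying on every includer to have done so; and the comment `/* timings are in milliseconds. */` contradicts `IPT_LIMIT_SCALE 10000` and the "1/10,000 sec period" comment two lines below — I would change it to `/* timings are in units of 1/IPT_LIMIT_SCALE seconds (100 microseconds). */`. The file-scope `#ifdef` also assumes `KERNEL_64_USERSPACE_32` is supplied consistently by the build for every extension; nothing in this diff defines it.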
diff --git a/include/linux/netfilter_ipv6/ip6t_limit.h b/include/linux/netfilter_ipv6/ip6t_limit.h
new file mode 100644
index 00000000..cd3e8347
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_limit.h
@@ -0,0 +1,25 @@
+#ifndef _IP6T_RATE_H
+#define _IP6T_RATE_H
+
+/* timings are in milliseconds. */
+#define IP6T_LIMIT_SCALE 10000
+
+/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
+ seconds, or one every 59 hours. */
+struct ip6t_rateinfo {
+ u_int32_t avg; /* Average secs between packets * scale */
+ u_int32_t burst; /* Period multiplier for upper limit. */
+
+#ifdef KERNEL_64_USERSPACE_32
+ u_int64_t prev;
+ u_int64_t placeholder;
+#else
+ /* Used internally by the kernel */
+ unsigned long prev;
+ /* Ugly, ugly fucker. */
+ struct ip6t_rateinfo *master;
+#endif
+ u_int32_t credit;
+ u_int32_t credit_cap, cost;
+};
+#endif /*_IPT_RATE_H*/
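Review bot: The closing guard comment on the last line reads `#endif /*_IPT_RATE_H*/` but the guard this file opens is `_IP6T_RATE_H`; it should be `#endif /*_IP6T_RATE_H*/` so the two files' guards are not confused when grepping. Everything else said of the IPv4 copy applies verbatim here — the 4-byte alignment of `u_int64_t` on i386 versus the 8-byte-padded 64-bit kernel struct, the missing `<sys/types.h>` include for the `u_int*_t` types, and the "milliseconds" comment that disagrees with `IP6T_LIMIT_SCALE 10000`. Since the two headers differ only by prefix, a shared comment explaining the `placeholder` member (`/* occupies the slot of the kernel's 'master' pointer; never read by userspace */`, if that is indeed the case) would help both.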