upgrade iptables to 1.4.1.1, needed for proper 2.6.27 support

SVN-Revision: 13458

package/iptables/Makefile

@@ -15,13 +15,13 @@ ifeq ($(CONFIG_LINUX_2_4),y)
   PKG_VERSION:=1.3.8
   PKG_RELEASE:=4
   PKG_MD5SUM:=0a9209f928002e5eee9cdff8fef4d4b3
-  MAKE_TARGETS:=experimental install-experimental
+  MAKE_TARGETS:=experimental install-experimental install-devel
 endif
 
 ifeq ($(CONFIG_LINUX_2_6),y)
-  PKG_VERSION:=1.4.0
+  PKG_VERSION:=1.4.1.1
   PKG_RELEASE:=1
-  PKG_MD5SUM:=90cfa8a554a29b0b859a625e701af2a7
+  PKG_MD5SUM:=723fa88d8a0915e184f99e03e9bf06cb
 endif
 
 PKG_VERSION?=<IPTABLES_VERSION>
@@ -245,14 +245,17 @@ define Build/Prepare
 	$(call Build/Prepare/Default)
 endef
 
-define Build/Configure
+ifeq ($(KERNEL),2.4)
+  define Build/Configure
 	chmod a+x $(PKG_BUILD_DIR)/extensions/.*-test*
 	rm -f $(PKG_BUILD_DIR)/.configured*
 	$(MAKE) -C $(PKG_BUILD_DIR) \
 		clean
-endef
+  endef
+endif
 
 TARGET_CFLAGS += $(FPIC)
+CONFIGURE_ARGS += --enable-devel --with-xtlibdir=/usr/lib/iptables 
 
 define Build/Compile
 	mkdir -p $(PKG_INSTALL_DIR)
@@ -267,13 +270,7 @@ define Build/Compile
 endef
 
 define Build/InstallDev
-	$(MAKE) -C $(PKG_BUILD_DIR) \
-		$(TARGET_CONFIGURE_OPTS) \
-		COPT_FLAGS="$(TARGET_CFLAGS)" \
-		KERNEL_DIR="$(LINUX_DIR)" PREFIX=/usr \
-		KBUILD_OUTPUT="$(LINUX_DIR)" \
-		DESTDIR="$(1)" \
-		install-devel
+	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_BUILD_DIR)/include $(1)/usr
 	$(CP) $(PKG_BUILD_DIR)/libiptc/libiptc.a $(1)/usr/lib
 endef

package/iptables/patches/1.4.0/003-layer7_2.17_pktmatch.patch

@@ -1,43 +0,0 @@
-Index: iptables-1.4.0/extensions/libipt_layer7.c
-===================================================================
---- iptables-1.4.0.orig/extensions/libipt_layer7.c
-+++ iptables-1.4.0/extensions/libipt_layer7.c
-@@ -43,7 +43,8 @@ static void help(void)
- 	"LAYER7 match v%s options:\n"
- 	"--l7dir <directory>  : Look for patterns here instead of /etc/l7-protocols/\n"
- 	"                       (--l7dir must be specified before --l7proto if used!)\n"
--	"--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
-+	"--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n"
-+	"--l7pkt              : Skip connection tracking and match individual packets\n",
- 	IPTABLES_VERSION);
- 	fputc('\n', stdout);
- }
-@@ -51,6 +52,7 @@ static void help(void)
- static struct option opts[] = {
- 	{ .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
- 	{ .name = "l7dir",   .has_arg = 1, .flag = 0, .val = '2' },
-+	{ .name = "l7pkt",   .has_arg = 0, .flag = 0, .val = '3' },
- 	{ .name = 0 }
- };
- 
-@@ -339,6 +341,10 @@ static int parse(int c, char **argv, int
- 		*flags = 1;
- 		break;
- 
-+	case '3':
-+		layer7info->pkt = 1;
-+		break;
-+
- 	default:
- 		return 0;
- 	}
-@@ -370,6 +376,9 @@ static void print(const void *ip,
- 
- 	print_protocol(((struct xt_layer7_info *)match->data)->protocol,
- 		  ((struct xt_layer7_info *)match->data)->invert, numeric);
-+
-+	if (((struct xt_layer7_info *)match->data)->pkt)
-+		printf("l7pkt ");
- }
- /* Saves the union ipt_matchinfo in parsable form to stdout. */
- static void save(const void *ip, const struct xt_entry_match *match)

package/iptables/patches/1.4.0/004-drop_multiport_v0_support.patch

@@ -1,279 +0,0 @@
-Index: iptables-1.4.0/extensions/libxt_multiport.c
-===================================================================
---- iptables-1.4.0.orig/extensions/libxt_multiport.c
-+++ iptables-1.4.0/extensions/libxt_multiport.c
-@@ -12,22 +12,6 @@
- #include "../include/linux/netfilter/xt_multiport.h"
- 
- /* Function which prints out usage message. */
--static void multiport_help(void)
--{
--	printf(
--"multiport v%s options:\n"
--" --source-ports port[,port,port...]\n"
--" --sports ...\n"
--"				match source port(s)\n"
--" --destination-ports port[,port,port...]\n"
--" --dports ...\n"
--"				match destination port(s)\n"
--" --ports port[,port,port]\n"
--"				match both source and destination port(s)\n"
--" NOTE: this kernel does not support port ranges in multiport.\n",
--IPTABLES_VERSION);
--}
--
- static void multiport_help_v1(void)
- {
- 	printf(
-@@ -71,26 +55,6 @@ proto_to_name(u_int8_t proto)
- 	}
- }
- 
--static unsigned int
--parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
--{
--	char *buffer, *cp, *next;
--	unsigned int i;
--
--	buffer = strdup(portstring);
--	if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
--
--	for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
--	{
--		next=strchr(cp, ',');
--		if (next) *next++='\0';
--		ports[i] = parse_port(cp, proto);
--	}
--	if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
--	free(buffer);
--	return i;
--}
--
- static void
- parse_multi_ports_v1(const char *portstring, 
- 		     struct xt_multiport_v1 *multiinfo,
-@@ -154,73 +118,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
- /* Function which parses command options; returns true if it
-    ate an option */
- static int
--__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
--                  struct xt_entry_match **match, u_int16_t pnum,
--                  u_int8_t invflags)
--{
--	const char *proto;
--	struct xt_multiport *multiinfo
--		= (struct xt_multiport *)(*match)->data;
--
--	switch (c) {
--	case '1':
--		check_inverse(argv[optind-1], &invert, &optind, 0);
--		proto = check_proto(pnum, invflags);
--		multiinfo->count = parse_multi_ports(argv[optind-1],
--						     multiinfo->ports, proto);
--		multiinfo->flags = XT_MULTIPORT_SOURCE;
--		break;
--
--	case '2':
--		check_inverse(argv[optind-1], &invert, &optind, 0);
--		proto = check_proto(pnum, invflags);
--		multiinfo->count = parse_multi_ports(argv[optind-1],
--						     multiinfo->ports, proto);
--		multiinfo->flags = XT_MULTIPORT_DESTINATION;
--		break;
--
--	case '3':
--		check_inverse(argv[optind-1], &invert, &optind, 0);
--		proto = check_proto(pnum, invflags);
--		multiinfo->count = parse_multi_ports(argv[optind-1],
--						     multiinfo->ports, proto);
--		multiinfo->flags = XT_MULTIPORT_EITHER;
--		break;
--
--	default:
--		return 0;
--	}
--
--	if (invert)
--		exit_error(PARAMETER_PROBLEM,
--			   "multiport does not support invert");
--
--	if (*flags)
--		exit_error(PARAMETER_PROBLEM,
--			   "multiport can only have one option");
--	*flags = 1;
--	return 1;
--}
--
--static int
--multiport_parse(int c, char **argv, int invert, unsigned int *flags,
--                const void *e, struct xt_entry_match **match)
--{
--	const struct ipt_entry *entry = e;
--	return __multiport_parse(c, argv, invert, flags, match,
--	       entry->ip.proto, entry->ip.invflags);
--}
--
--static int
--multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
--                 const void *e, struct xt_entry_match **match)
--{
--	const struct ip6t_entry *entry = (const struct ip6t_entry *)e;
--	return __multiport_parse(c, argv, invert, flags, match,
--	       entry->ipv6.proto, entry->ipv6.invflags);
--}
--
--static int
- __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
-                      struct xt_entry_match **match, u_int16_t pnum,
-                      u_int8_t invflags)
-@@ -313,55 +210,6 @@ print_port(u_int16_t port, u_int8_t prot
- }
- 
- /* Prints out the matchinfo. */
--static void
--__multiport_print(const struct xt_entry_match *match, int numeric,
--                  u_int16_t proto)
--{
--	const struct xt_multiport *multiinfo
--		= (const struct xt_multiport *)match->data;
--	unsigned int i;
--
--	printf("multiport ");
--
--	switch (multiinfo->flags) {
--	case XT_MULTIPORT_SOURCE:
--		printf("sports ");
--		break;
--
--	case XT_MULTIPORT_DESTINATION:
--		printf("dports ");
--		break;
--
--	case XT_MULTIPORT_EITHER:
--		printf("ports ");
--		break;
--
--	default:
--		printf("ERROR ");
--		break;
--	}
--
--	for (i=0; i < multiinfo->count; i++) {
--		printf("%s", i ? "," : "");
--		print_port(multiinfo->ports[i], proto, numeric);
--	}
--	printf(" ");
--}
--
--static void multiport_print(const void *ip_void,
--                            const struct xt_entry_match *match, int numeric)
--{
--	const struct ipt_ip *ip = ip_void;
--	__multiport_print(match, numeric, ip->proto);
--}
--
--static void multiport_print6(const void *ip_void,
--                             const struct xt_entry_match *match, int numeric)
--{
--	const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
--	__multiport_print(match, numeric, ip->proto);
--}
--
- static void __multiport_print_v1(const struct xt_entry_match *match,
-                                  int numeric, u_int16_t proto)
- {
-@@ -418,48 +266,6 @@ static void multiport_print6_v1(const vo
- }
- 
- /* Saves the union ipt_matchinfo in parsable form to stdout. */
--static void __multiport_save(const struct xt_entry_match *match,
--                             u_int16_t proto)
--{
--	const struct xt_multiport *multiinfo
--		= (const struct xt_multiport *)match->data;
--	unsigned int i;
--
--	switch (multiinfo->flags) {
--	case XT_MULTIPORT_SOURCE:
--		printf("--sports ");
--		break;
--
--	case XT_MULTIPORT_DESTINATION:
--		printf("--dports ");
--		break;
--
--	case XT_MULTIPORT_EITHER:
--		printf("--ports ");
--		break;
--	}
--
--	for (i=0; i < multiinfo->count; i++) {
--		printf("%s", i ? "," : "");
--		print_port(multiinfo->ports[i], proto, 1);
--	}
--	printf(" ");
--}
--
--static void multiport_save(const void *ip_void,
--                           const struct xt_entry_match *match)
--{
--	const struct ipt_ip *ip = ip_void;
--	__multiport_save(match, ip->proto);
--}
--
--static void multiport_save6(const void *ip_void,
--                            const struct xt_entry_match *match)
--{
--	const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
--	__multiport_save(match, ip->proto);
--}
--
- static void __multiport_save_v1(const struct xt_entry_match *match,
-                                 u_int16_t proto)
- {
-@@ -509,36 +315,6 @@ static void multiport_save6_v1(const voi
- 	__multiport_save_v1(match, ip->proto);
- }
- 
--static struct xtables_match multiport_match = {
--	.family		= AF_INET,
--	.name		= "multiport",
--	.revision	= 0,
--	.version	= IPTABLES_VERSION,
--	.size		= XT_ALIGN(sizeof(struct xt_multiport)),
--	.userspacesize	= XT_ALIGN(sizeof(struct xt_multiport)),
--	.help		= multiport_help,
--	.parse		= multiport_parse,
--	.final_check	= multiport_check,
--	.print		= multiport_print,
--	.save		= multiport_save,
--	.extra_opts	= multiport_opts,
--};
--
--static struct xtables_match multiport_match6 = {
--	.family		= AF_INET6,
--	.name		= "multiport",
--	.revision	= 0,
--	.version	= IPTABLES_VERSION,
--	.size		= XT_ALIGN(sizeof(struct xt_multiport)),
--	.userspacesize	= XT_ALIGN(sizeof(struct xt_multiport)),
--	.help		= multiport_help,
--	.parse		= multiport_parse6,
--	.final_check	= multiport_check,
--	.print		= multiport_print6,
--	.save		= multiport_save6,
--	.extra_opts	= multiport_opts,
--};
--
- static struct xtables_match multiport_match_v1 = {
- 	.family		= AF_INET,
- 	.name		= "multiport",
-@@ -572,8 +348,6 @@ static struct xtables_match multiport_ma
- void
- _init(void)
- {
--	xtables_register_match(&multiport_match);
--	xtables_register_match(&multiport_match6);
- 	xtables_register_match(&multiport_match_v1);
- 	xtables_register_match(&multiport_match6_v1);
- }

package/iptables/patches/1.4.0/001-ipp2p-0.8.1rc1.patch → package/iptables/patches/1.4.1.1/001-ipp2p-0.8.1rc1.patch

@@ -1,24 +1,13 @@
-Index: iptables-1.4.0/extensions/Makefile
-===================================================================
---- iptables-1.4.0.orig/extensions/Makefile
-+++ iptables-1.4.0/extensions/Makefile
-@@ -19,6 +19,10 @@ PF6_EXT_SE_SLIB:=$(PF6_EXT_SELINUX_SLIB)
- PFX_EXT_SE_SLIB:=$(PFX_EXT_SELINUX_SLIB)
- endif
- 
-+
-+# ipp2p
-+PF_EXT_SLIB += ipp2p
-+
- # Optionals
- PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
- PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
-Index: iptables-1.4.0/extensions/libipt_ipp2p.c
-===================================================================
---- /dev/null
-+++ iptables-1.4.0/extensions/libipt_ipp2p.c
-@@ -0,0 +1,398 @@
-+
+diff -Nur iptables-1.4.1.1/extensions/.ipp2p-test iptables-1.4.1.1-owrt/extensions/.ipp2p-test
+--- iptables-1.4.1.1/extensions/.ipp2p-test	1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.4.1.1-owrt/extensions/.ipp2p-test	2008-10-10 00:10:50.000000000 +0200
+@@ -0,0 +1,2 @@
++#! /bin/sh
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipp2p.h ] && echo ipp2p
+diff -Nur iptables-1.4.1.1/extensions/libipt_ipp2p.c iptables-1.4.1.1-owrt/extensions/libipt_ipp2p.c
+--- iptables-1.4.1.1/extensions/libipt_ipp2p.c	1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.4.1.1-owrt/extensions/libipt_ipp2p.c	2008-10-10 00:10:50.000000000 +0200
+@@ -0,0 +1,424 @@
 +#include <stdio.h>
 +#include <netdb.h>
 +#include <string.h>
@@ -30,6 +19,15 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c
 +
 +#include <linux/netfilter_ipv4/ipt_ipp2p.h>
 +
++#ifndef XTABLES_VERSION
++#define XTABLES_VERSION IPTABLES_VERSION
++#endif
++
++#ifdef IPT_LIB_DIR
++#define xtables_target iptables_target
++#define xtables_register_target register_target
++#endif
++
 +static void
 +help(void)
 +{
@@ -81,24 +79,34 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c
 +        {0}
 +};
 +
-+	
 +
 +static void
++#ifdef _XTABLES_H
 +init(struct xt_entry_match *m)
++#else
++init(struct ipt_entry_match *t, unsigned int *nfcache)
++#endif
 +{
 +    struct ipt_p2p_info *info = (struct ipt_p2p_info *)m->data;
 +
++#ifndef _XTABLES_H
++    *nfcache |= NFC_UNKNOWN;
++#endif
++
 +    /*init the module with default values*/
 +    info->cmd = 0;
 +    info->debug = 0;
 +
 +}
-+	
++
 +
 +static int
 +parse(int c, char **argv, int invert, unsigned int *flags,
-+	const void *entry,
-+	struct xt_entry_match **match)
++#ifdef _XTABLES_H
++      const void *entry, struct xt_entry_match **match)
++#else
++      const struct ipt_entry *entry, unsigned int *nfcache, struct ipt_entry_match **match)
++#endif
 +{
 +    struct ipt_p2p_info *info = (struct ipt_p2p_info *)(*match)->data;
 +    
@@ -108,10 +116,13 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c
 +		    exit_error(PARAMETER_PROBLEM,
 +				"ipp2p: `--ipp2p' may only be "
 +				"specified once!");
++
 +/*	    if ((*flags & SHORT_HAND_DATA) == SHORT_HAND_DATA)
 +		    exit_error(PARAMETER_PROBLEM,
 +				"ipp2p: `--ipp2p-data' may only be "
-+				"specified alone!");*/
++				"specified alone!");
++*/
++
 +	    if ((*flags) != 0)
 +		    exit_error(PARAMETER_PROBLEM,
 +				"ipp2p: `--ipp2p' may only be "
@@ -329,11 +340,14 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c
 +	    "\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
 +}
 +
-+
-+
 +static void
++#ifdef _XTABLES_H
 +print(const void *ip,
-+        const struct xt_entry_match *match,
++      const struct xt_entry_match *match,
++#else
++print(const struct ipt_ip *ip,
++      const struct ipt_entry_match *match,
++#endif
 +	int numeric)
 +{
 +    struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
@@ -360,11 +374,15 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c
 +    if (info->debug != 0) printf(" --debug");
 +    printf(" ");
 +}
-+			    						   
-+
 +
 +static void
-+save(const void *ip, const struct xt_entry_match *match)
++#ifdef _XTABLES_H
++save(const void *ip,
++     const struct xt_entry_match *match)
++#else
++save(const struct ipt_ip *ip,
++     const struct ipt_entry_match *match)
++#endif
 +{
 +    struct ipt_p2p_info *info = (struct ipt_p2p_info *)match->data;
 +    
@@ -390,22 +408,20 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c
 +}
 +
 +		
-+
-+
 +static 
-+struct iptables_match ipp2p= 
++struct xtables_match ipp2p= 
 +{ 
-+    .family         = AF_INET,	
++    .next           = NULL,
 +    .name           = "ipp2p",
-+    .version        = IPTABLES_VERSION,
++    .version        = XTABLES_VERSION,
 +    .size           = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
 +    .userspacesize  = IPT_ALIGN(sizeof(struct ipt_p2p_info)),
-+    .help           = help,
-+    .init           = init,
-+    .parse          = parse,
-+    .final_check    = final_check,
-+    .print          = print,
-+    .save           = save,
++    .help           = &help,
++    .init           = &init,
++    .parse          = &parse,
++    .final_check    = &final_check,
++    .print          = &print,
++    .save           = &save,
 +    .extra_opts     = opts
 +};
 +					    
@@ -413,42 +429,53 @@ Index: iptables-1.4.0/extensions/libipt_ipp2p.c
 +
 +void _init(void)
 +{
-+    register_match(&ipp2p);
++    xtables_register_match(&ipp2p);
 +}
 +
-Index: iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h
-===================================================================
---- /dev/null
-+++ iptables-1.4.0/include/linux/netfilter_ipv4/ipt_ipp2p.h
-@@ -0,0 +1,31 @@
-+#ifndef __IPT_IPP2P_H
-+#define __IPT_IPP2P_H
-+#define IPP2P_VERSION "0.8.1_rc1"
-+
-+struct ipt_p2p_info {
-+    int cmd;
-+    int debug;
-+};
-+
-+#endif //__IPT_IPP2P_H
-+
-+#define SHORT_HAND_IPP2P	1 /* --ipp2p switch*/
-+//#define SHORT_HAND_DATA		4 /* --ipp2p-data switch*/
-+#define SHORT_HAND_NONE		5 /* no short hand*/
-+
-+#define IPP2P_EDK		(1 << 1)
-+#define IPP2P_DATA_KAZAA	(1 << 2)
-+#define IPP2P_DATA_EDK		(1 << 3)
-+#define IPP2P_DATA_DC		(1 << 4)
-+#define IPP2P_DC		(1 << 5)
-+#define IPP2P_DATA_GNU		(1 << 6)
-+#define IPP2P_GNU		(1 << 7)
-+#define IPP2P_KAZAA		(1 << 8)
-+#define IPP2P_BIT		(1 << 9)
-+#define IPP2P_APPLE		(1 << 10)
-+#define IPP2P_SOUL		(1 << 11)
-+#define IPP2P_WINMX		(1 << 12)
-+#define IPP2P_ARES		(1 << 13)
-+#define IPP2P_MUTE		(1 << 14)
-+#define IPP2P_WASTE		(1 << 15)
-+#define IPP2P_XDCC		(1 << 16)
+diff -Nur iptables-1.4.1.1/extensions/libipt_ipp2p.man iptables-1.4.1.1-owrt/extensions/libipt_ipp2p.man
+--- iptables-1.4.1.1/extensions/libipt_ipp2p.man	1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.4.1.1-owrt/extensions/libipt_ipp2p.man	2008-10-10 00:10:50.000000000 +0200
+@@ -0,0 +1,43 @@
++This module matches certain packets in P2P flows. It is not
++designed to match all packets belonging to a P2P connection - 
++use IPP2P together with CONNMARK for this purpose. Also visit
++http://www.ipp2p.org for detailed information.
++
++Use it together with -p tcp or -p udp to search these protocols
++only or without -p switch to search packets of both protocols.
++
++IPP2P provides the following options:
++.TP
++.B "--edk "
++Matches as many eDonkey/eMule packets as possible.
++.TP
++.B "--kazaa "
++Matches as many KaZaA packets as possible.
++.TP
++.B "--gnu "
++Matches as many Gnutella packets as possible.
++.TP
++.B "--dc "
++Matches as many Direct Connect packets as possible.
++.TP
++.B "--bit "
++Matches BitTorrent packets.
++.TP
++.B "--apple "
++Matches AppleJuice packets.
++.TP
++.B "--soul "
++Matches some SoulSeek packets. Considered as beta, use careful!
++.TP
++.B "--winmx "
++Matches some WinMX packets. Considered as beta, use careful!
++.TP
++.B "--ares "
++Matches Ares and AresLite packets. Use together with -j DROP only.
++.TP
++.B "--ipp2p "
++Short hand for: --edk --kazaa --gnu --dc
++.TP
++.B "--debug "
++Prints some information about each hit into kernel logfile. May 
++produce huge logfiles so beware!

package/iptables/patches/1.4.0/002-layer7_2.17.patch → package/iptables/patches/1.4.1.1/002-layer7_2.17.patch

@@ -1,10 +1,11 @@
---- iptables-1.4.0rc1/extensions/libipt_layer7.c	1969-12-31 18:00:00.000000000 -0600
-+++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.c	2007-11-19 06:06:56.000000000 -0600
-@@ -0,0 +1,393 @@
+diff -Nur iptables.old/extensions/libxt_layer7.c iptables.new/extensions/libxt_layer7.c
+--- iptables.old/extensions/libxt_layer7.c	1970-01-01 01:00:00.000000000 +0100
++++ iptables.new/extensions/libxt_layer7.c	2008-08-22 16:00:52.000000000 +0200
+@@ -0,0 +1,368 @@
 +/* 
-+   Shared library add-on to iptables to add layer 7 matching support. 
++   Shared library add-on to iptables for layer 7 matching support. 
 +  
-+   By Matthew Strait <[email protected]>, Oct 2003.
++   By Matthew Strait <[email protected]>, Oct 2003-Aug 2008.
 +
 +   http://l7-filter.sf.net 
 +
@@ -13,8 +14,6 @@
 +   as published by the Free Software Foundation; either version
 +   2 of the License, or (at your option) any later version.
 +   http://www.gnu.org/licenses/gpl.txt
-+
-+   Based on libipt_string.c (C) 2000 Emmanuel Roger <[email protected]>
 +*/
 +
 +#define _GNU_SOURCE
@@ -26,7 +25,7 @@
 +#include <ctype.h>
 +#include <dirent.h>
 +
-+#include <iptables.h>
++#include <xtables.h>
 +#include <linux/netfilter/xt_layer7.h>
 +
 +#define MAX_FN_LEN 256
@@ -37,22 +36,20 @@
 +static void help(void)
 +{
 +	printf(
-+	"LAYER7 match v%s options:\n"
-+	"--l7dir <directory>  : Look for patterns here instead of /etc/l7-protocols/\n"
-+	"                       (--l7dir must be specified before --l7proto if used!)\n"
-+	"--l7proto [!] <name> : Match the protocol defined in /etc/l7-protocols/name.pat\n",
-+	IPTABLES_VERSION);
-+	fputc('\n', stdout);
++	"layer7 match options:\n"
++	"    --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++	"                          (--l7dir must be specified before --l7proto if used)\n"
++	"[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
 +}
 +
-+static struct option opts[] = {
-+	{ .name = "l7proto", .has_arg = 1, .flag = 0, .val = '1' },
-+	{ .name = "l7dir",   .has_arg = 1, .flag = 0, .val = '2' },
-+	{ .name = 0 }
++static const struct option opts[] = {
++	{ .name = "l7proto", .has_arg = 1, .val = 'p' },
++	{ .name = "l7dir",   .has_arg = 1, .val = 'd' },
++	{ .name = NULL }
 +};
 +
 +/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
-+int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
 +{
 +	FILE * f;
 +	char * line = NULL;
@@ -123,12 +120,6 @@
 +	fclose(f);
 +
 +	return 1;
-+
-+/*
-+	fprintf(stderr, "protocol: %s\npattern: %s\n\n", 
-+			info->protocol,
-+			info->pattern);
-+*/
 +}
 +
 +static int hex2dec(char c)
@@ -152,7 +143,7 @@
 +static char * pre_process(char * s)
 +{
 +	char * result = malloc(strlen(s) + 1);
-+	int sindex = 0, rindex = 0;
++	int sindex = 0, rrindex = 0;
 +        while( sindex < strlen(s) )
 +        {
 +            if( sindex + 3 < strlen(s) &&
@@ -160,10 +151,10 @@
 +                isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) 
 +                {
 +                        /* carefully remember to call tolower here... */
-+                        result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
++                        result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
 +                                                  hex2dec(s[sindex + 3] ) );
 +
-+			switch ( result[rindex] )
++			switch ( result[rrindex] )
 +			{
 +			case 0x24:
 +			case 0x28:
@@ -180,7 +171,7 @@
 +				fprintf(stderr, 
 +					"Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
 +					"I recommend that you write this as %c or \\%c, depending on what you meant.\n",
-+					result[rindex], s[sindex + 2], s[sindex + 3], result[rindex], result[rindex]);
++					result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
 +				break;
 +			case 0x00:
 +				fprintf(stderr, 
@@ -194,18 +185,18 @@
 +                        sindex += 3; /* 4 total */
 +                }
 +                else
-+                        result[rindex] = tolower(s[sindex]);
++                        result[rrindex] = tolower(s[sindex]);
 +
 +		sindex++; 
-+		rindex++;
++		rrindex++;
 +        }
-+	result[rindex] = '\0';
++	result[rrindex] = '\0';
 +
 +	return result;
 +}
 +
 +#define MAX_SUBDIRS 128
-+char ** readl7dir(char * dirname)
++static char ** readl7dir(char * dirname)
 +{
 +        DIR             * scratchdir;
 +        struct dirent   ** namelist;
@@ -259,18 +250,15 @@
 +	return subdirs;
 +}
 +
-+static void
-+parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
 +{
 +	char filename[MAX_FN_LEN];
 +	char * dir = NULL;
 +	char ** subdirs;
 +	int n = 0, done = 0;
 +
-+	if(strlen(l7dir) > 0)
-+		dir = l7dir;
-+	else
-+		dir = "/etc/l7-protocols";
++	if(strlen(l7dir) > 0) dir = l7dir;
++	else                  dir = "/etc/l7-protocols";
 +
 +	subdirs = readl7dir(dir);
 +
@@ -278,24 +266,16 @@
 +	{
 +		int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
 +
-+		//fprintf(stderr, "Trying to find pattern in %s ... ", filename);
-+
 +		if(c > MAX_FN_LEN)
-+		{
 +			exit_error(OTHER_PROBLEM, 
 +				"Filename beginning with %s is too long!\n", filename);
-+		}
 +
 +		/* read in the pattern from the file */
-+		if(parse_protocol_file(filename, s, info))
-+		{
-+			//fprintf(stderr, "found\n");
++		if(parse_protocol_file(filename, s, info)){
 +			done = 1;
 +			break;
 +		}
 +		
-+		//fprintf(stderr, "not found\n");
-+
 +		n++;
 +	}
 +
@@ -316,18 +296,14 @@
 +		(struct xt_layer7_info *)(*match)->data;
 +
 +	switch (c) {
-+	case '1':
-+		check_inverse(optarg, &invert, &optind, 0);
++	case 'p':
 +		parse_layer7_protocol(argv[optind-1], layer7info);
 +		if (invert)
-+			layer7info->invert = 1;
++			layer7info->invert = true;
 +		*flags = 1;
 +		break;
 +
-+	case '2':
-+		/* not going to use this, but maybe we need to strip a ! anyway (?) */
-+		check_inverse(optarg, &invert, &optind, 0);
-+
++	case 'd':
 +		if(strlen(argv[optind-1]) >= MAX_FN_LEN)
 +			exit_error(PARAMETER_PROBLEM, "directory name too long\n");
 +
@@ -364,7 +340,6 @@
 +      int numeric)
 +{
 +	printf("LAYER7 ");
-+
 +	print_protocol(((struct xt_layer7_info *)match->data)->protocol,
 +		  ((struct xt_layer7_info *)match->data)->invert, numeric);
 +}
@@ -374,14 +349,15 @@
 +        const struct xt_layer7_info *info =
 +            (const struct xt_layer7_info*) match->data;
 +
-+        printf("--l7proto %s%s ", (info->invert)   ? "! ": "", info->protocol);
++        printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
 +}
 +
-+static struct iptables_match layer7 = { 
++static struct xtables_match layer7 = { 
++    .family        = AF_INET,
 +    .name          = "layer7",
-+    .version       = IPTABLES_VERSION,
-+    .size          = IPT_ALIGN(sizeof(struct xt_layer7_info)),
-+    .userspacesize = IPT_ALIGN(sizeof(struct xt_layer7_info)),
++    .version       = XTABLES_VERSION,
++    .size          = XT_ALIGN(sizeof(struct xt_layer7_info)),
++    .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
 +    .help          = &help,
 +    .parse         = &parse,
 +    .final_check   = &final_check,
@@ -392,10 +368,11 @@
 +
 +void _init(void)
 +{
-+	register_match(&layer7);
++	xtables_register_match(&layer7);
 +}
---- iptables-1.4.0rc1/extensions/libipt_layer7.man	1969-12-31 18:00:00.000000000 -0600
-+++ iptables-1.4.0rc1-layer7/extensions/libipt_layer7.man	2007-11-19 05:49:46.000000000 -0600
+diff -Nur iptables.old/extensions/libxt_layer7.man iptables.new/extensions/libxt_layer7.man
+--- iptables.old/extensions/libxt_layer7.man	1970-01-01 01:00:00.000000000 +0100
++++ iptables.new/extensions/libxt_layer7.man	2008-08-22 16:00:52.000000000 +0200
 @@ -0,0 +1,14 @@
 +This module matches packets based on the application layer data of 
 +their connections.  It uses regular expression matching to compare 
@@ -411,8 +388,3 @@
 +Use \fIdirectory\fP instead of /etc/l7-protocols/.  This option must be 
 +specified before --l7proto.
 +
---- iptables-1.4.0rc1/extensions/.layer7-test	1969-12-31 18:00:00.000000000 -0600
-+++ iptables-1.4.0rc1-layer7/extensions/.layer7-test	2007-11-19 06:18:58.000000000 -0600
-@@ -0,0 +1,2 @@
-+#! /bin/sh
-+[ -f $KERNEL_DIR/include/linux/netfilter/xt_layer7.h ] && echo layer7

package/iptables/patches/1.4.0/005-imq1.patch → package/iptables/patches/1.4.1.1/005-imq1.patch

@@ -1,12 +1,20 @@
---- iptables-1.4.0.orig/extensions.orig/.IMQ-test6	Thu Jan  1 01:00:00 1970
-+++ iptables-1.4.0/extensions/.IMQ-test6	Mon Jun 16 10:12:47 2003
+--- iptables-1.4.1-rc3.orig/extensions/.IMQ-test	1970-01-01 10:00:00.000000000 +1000
++++ iptables-1.4.1-rc3/extensions/.IMQ-test	2008-06-08 22:41:49.000000000 +1000
+@@ -0,0 +1,3 @@
++#!/bin/sh
++# True if IMQ target patch is applied.
++[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IMQ.h ] && echo IMQ
+diff -pruN iptables-1.4.1-rc3.orig/extensions/.IMQ-test6 iptables-1.4.1-rc3/extensions/.IMQ-test6
+--- iptables-1.4.1-rc3.orig/extensions/.IMQ-test6	1970-01-01 10:00:00.000000000 +1000
++++ iptables-1.4.1-rc3/extensions/.IMQ-test6	2008-06-08 22:41:49.000000000 +1000
 @@ -0,0 +1,3 @@
 +#!/bin/sh
 +# True if IMQ target patch is applied.
 +[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_IMQ.h ] && echo IMQ
---- iptables-1.4.0.orig/extensions.orig/libip6t_IMQ.c	Thu Jan  1 01:00:00 1970
-+++ iptables-1.4.0/extensions/libip6t_IMQ.c	Mon Jun 16 10:12:47 2003
-@@ -0,0 +1,100 @@
+diff -pruN iptables-1.4.1-rc3.orig/extensions/libip6t_IMQ.c iptables-1.4.1-rc3/extensions/libip6t_IMQ.c
+--- iptables-1.4.1-rc3.orig/extensions/libip6t_IMQ.c	1970-01-01 10:00:00.000000000 +1000
++++ iptables-1.4.1-rc3/extensions/libip6t_IMQ.c	2008-06-08 22:46:57.000000000 +1000
+@@ -0,0 +1,89 @@
 +/* Shared library add-on to iptables to add IMQ target support. */
 +#include <stdio.h>
 +#include <string.h>
@@ -18,23 +26,21 @@
 +#include <linux/netfilter_ipv6/ip6t_IMQ.h>
 +
 +/* Function which prints out usage message. */
-+static void
-+help(void)
++static void IMQ_help(void)
 +{
 +	printf(
 +"IMQ target v%s options:\n"
 +"  --todev <N>		enqueue to imq<N>, defaults to 0\n", 
-+IPTABLES_VERSION);
++XTABLES_VERSION);
 +}
 +
-+static struct option opts[] = {
++static struct option IMQ_opts[] = {
 +	{ "todev", 1, 0, '1' },
 +	{ 0 }
 +};
 +
 +/* Initialize the target. */
-+static void
-+init(struct xt_entry_target *t)
++static void IMQ_init(struct xt_entry_target *t)
 +{
 +	struct ip6t_imq_info *mr = (struct ip6t_imq_info*)t->data;
 +
@@ -43,8 +49,7 @@
 +
 +/* Function which parses command options; returns true if it
 +   ate an option */
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags,
 +      const void *entry,
 +      struct xt_entry_target **target)
 +{
@@ -63,14 +68,8 @@
 +	return 1;
 +}
 +
-+static void
-+final_check(unsigned int flags)
-+{
-+}
-+
 +/* Prints out the targinfo. */
-+static void
-+print(const void *ip,
++static void IMQ_print(const void *ip,
 +      const struct xt_entry_target *target,
 +      int numeric)
 +{
@@ -80,42 +79,35 @@
 +}
 +
 +/* Saves the union ipt_targinfo in parsable form to stdout. */
-+static void
-+save(const void *ip, const struct xt_entry_target *target)
++static void IMQ_save(const void *ip, const struct xt_entry_target *target)
 +{
 +	struct ip6t_imq_info *mr = (struct ip6t_imq_info*)target->data;
 +
 +	printf("--todev %u", mr->todev);
 +}
 +
-+static struct ip6tables_target imq = {
-+	.next		= NULL,
++static struct xtables_target imq = {
 +	.name		= "IMQ",
-+	.version	= IPTABLES_VERSION,
-+	.size		= IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
-+	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_imq_info)),
-+	.help		= &help,
-+	.init		= &init,
-+	.parse		= &parse,
-+	.final_check	= &final_check,
-+	.print		= &print,
-+	.save		= &save,
-+	.extra_opts	= opts
++	.version	= XTABLES_VERSION,
++	.family		= PF_INET6,
++	.size		= XT_ALIGN(sizeof(struct ip6t_imq_info)),
++	.userspacesize	= XT_ALIGN(sizeof(struct ip6t_imq_info)),
++	.help		= IMQ_help,
++	.init		= IMQ_init,
++	.parse		= IMQ_parse,
++	.print		= IMQ_print,
++	.save		= IMQ_save,
++	.extra_opts	= IMQ_opts,
 +};
 +
-+static __attribute__((constructor)) void _init(void)
++void _init(void)
 +{
-+	register_target6(&imq);
++	xtables_register_target(&imq);
 +}
---- iptables-1.4.0.orig/extensions.orig/.IMQ-test	Thu Jan  1 01:00:00 1970
-+++ iptables-1.4.0/extensions/.IMQ-test	Mon Jun 16 10:12:47 2003
-@@ -0,0 +1,3 @@
-+#!/bin/sh
-+# True if IMQ target patch is applied.
-+[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IMQ.h ] && echo IMQ
---- iptables-1.4.0.orig/extensions.orig/libipt_IMQ.c	Thu Jan  1 01:00:00 1970
-+++ iptables-1.4.0/extensions/libipt_IMQ.c	Mon Jun 16 10:12:47 2003
-@@ -0,0 +1,100 @@
+diff -pruN iptables-1.4.1-rc3.orig/extensions/libipt_IMQ.c iptables-1.4.1-rc3/extensions/libipt_IMQ.c
+--- iptables-1.4.1-rc3.orig/extensions/libipt_IMQ.c	1970-01-01 10:00:00.000000000 +1000
++++ iptables-1.4.1-rc3/extensions/libipt_IMQ.c	2008-06-08 22:46:25.000000000 +1000
+@@ -0,0 +1,88 @@
 +/* Shared library add-on to iptables to add IMQ target support. */
 +#include <stdio.h>
 +#include <string.h>
@@ -127,23 +119,21 @@
 +#include <linux/netfilter_ipv4/ipt_IMQ.h>
 +
 +/* Function which prints out usage message. */
-+static void
-+help(void)
++static void IMQ_help(void)
 +{
 +	printf(
 +"IMQ target v%s options:\n"
 +"  --todev <N>		enqueue to imq<N>, defaults to 0\n", 
-+IPTABLES_VERSION);
++XTABLES_VERSION);
 +}
 +
-+static struct option opts[] = {
++static struct option IMQ_opts[] = {
 +	{ "todev", 1, 0, '1' },
 +	{ 0 }
 +};
 +
 +/* Initialize the target. */
-+static void
-+init(struct xt_entry_target *t)
++static void IMQ_init(struct xt_entry_target *t)
 +{
 +	struct ipt_imq_info *mr = (struct ipt_imq_info*)t->data;
 +
@@ -152,10 +142,8 @@
 +
 +/* Function which parses command options; returns true if it
 +   ate an option */
-+static int
-+parse(int c, char **argv, int invert, unsigned int *flags,
-+      const void *entry,
-+      struct xt_entry_target **target)
++static int IMQ_parse(int c, char **argv, int invert, unsigned int *flags,
++      const void *entry, struct xt_entry_target **target)
 +{
 +	struct ipt_imq_info *mr = (struct ipt_imq_info*)(*target)->data;
 +	
@@ -172,14 +160,8 @@
 +	return 1;
 +}
 +
-+static void
-+final_check(unsigned int flags)
-+{
-+}
-+
 +/* Prints out the targinfo. */
-+static void
-+print(const void *ip,
++static void IMQ_print(const void *ip,
 +      const struct xt_entry_target *target,
 +      int numeric)
 +{
@@ -189,31 +171,28 @@
 +}
 +
 +/* Saves the union ipt_targinfo in parsable form to stdout. */
-+static void
-+save(const void *ip, const struct xt_entry_target *target)
++static void IMQ_save(const void *ip, const struct xt_entry_target *target)
 +{
 +	struct ipt_imq_info *mr = (struct ipt_imq_info*)target->data;
 +
 +	printf("--todev %u", mr->todev);
 +}
 +
-+static struct iptables_target imq = {
-+	.next		= NULL,
++static struct xtables_target imq = {
 +	.name		= "IMQ",
-+	.version	= IPTABLES_VERSION,
-+	.size		= IPT_ALIGN(sizeof(struct ipt_imq_info)),
-+	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_imq_info)),
-+	.help		= &help,
-+	.init		= &init,
-+	.parse		= &parse,
-+	.final_check	= &final_check,
-+	.print		= &print,
-+	.save		= &save,
-+	.extra_opts	= opts
++	.version	= XTABLES_VERSION,
++	.family		= PF_INET,
++	.size		= XT_ALIGN(sizeof(struct ipt_imq_info)),
++	.userspacesize	= XT_ALIGN(sizeof(struct ipt_imq_info)),
++	.help		= IMQ_help,
++	.init		= IMQ_init,
++	.parse		= IMQ_parse,
++	.print		= IMQ_print,
++	.save		= IMQ_save,
++	.extra_opts	= IMQ_opts,
 +};
 +
-+static __attribute__((constructor)) void _init(void)
++void _init(void)
 +{
-+	register_target(&imq);
++	xtables_register_target(&imq);
 +}
-

package/iptables/patches/1.4.0/006-chaostables_0.8.patch → package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch

@@ -46,7 +46,7 @@ Index: iptables-1.4.0/extensions/libxt_CHAOS.c
 +		"CHAOS target v%s options:\n"
 +		"  --delude     Enable DELUDE processing for TCP\n"
 +		"  --tarpit     Enable TARPIT processing for TCP\n",
-+		IPTABLES_VERSION);
++		XTABLES_VERSION);
 +	return;
 +}
 +
@@ -107,7 +107,7 @@ Index: iptables-1.4.0/extensions/libxt_CHAOS.c
 +}
 +
 +static struct xtables_target chaos_tg_reg = {
-+	.version       = IPTABLES_VERSION,
++	.version       = XTABLES_VERSION,
 +	.name          = "CHAOS",
 +	.family        = AF_INET,
 +	.size          = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
@@ -195,7 +195,7 @@ Index: iptables-1.4.0/extensions/libxt_DELUDE.c
 +}
 +
 +static struct xtables_target delude_tg_reg = {
-+	.version       = IPTABLES_VERSION,
++	.version       = XTABLES_VERSION,
 +	.name          = "DELUDE",
 +	.family        = AF_INET,
 +	.size          = XT_ALIGN(0),
@@ -269,7 +269,7 @@ Index: iptables-1.4.0/extensions/libxt_portscan.c
 +		"  --synscan    Match TCP SYN scans\n"
 +		"  --cnscan     Match TCP Connect scans\n"
 +		"  --grscan     Match Banner Grabbing scans\n",
-+		IPTABLES_VERSION);
++		XTABLES_VERSION);
 +	return;
 +}
 +
@@ -341,7 +341,7 @@ Index: iptables-1.4.0/extensions/libxt_portscan.c
 +}
 +
 +static struct xtables_match portscan_mt_reg = {
-+	.version       = IPTABLES_VERSION,
++	.version       = XTABLES_VERSION,
 +	.name          = "portscan",
 +	.family        = AF_INET,
 +	.size          = XT_ALIGN(sizeof(struct xt_portscan_match_info)),

package/iptables/patches/1.4.0/007-tarpit_support.patch → package/iptables/patches/1.4.1.1/007-tarpit_support.patch

@@ -43,7 +43,7 @@ Index: iptables-1.4.0/extensions/libxt_TARPIT.c
 +static struct xtables_target tarpit_target = {
 +	.family		= AF_INET,
 +	.name		= "TARPIT",
-+	.version	= IPTABLES_VERSION,
++	.version	= XTABLES_VERSION,
 +	.size		= XT_ALIGN(0),
 +	.userspacesize	= XT_ALIGN(0),
 +	.help		= TARPIT_help,