2005-02-25 16:42:21

by Mark Fortescue

Subject: linux-2.6.8.1 to linux-2.6.10: Kernel Patching Issues.

Hi all,

I am not sure exactly where to send this email. I have chosen the
ip4/ip6 networking as the issues are in this area of the kernel.

The kernel patch files patch-2.6.9 and patch-2.6.10 do not appear to be
correct. I had some errors during patching so I generated a diff against a
freshly downloaded linux-2.6.10 kernel. See the steps below:

1) bzcat linux-2.6.8.1.tar.bz2 | tar -xf -
2) cd linux-2.6.8.1
3) bzcat ../patch-2.6.8.1.bz2 | patch -R -p1
This gives a 2.6.8 kernel.

4) bzcat ../patch-2.6.9.bz2 | patch -p1
This should give a 2.6.9 kernel. The patch has two errors:
./net/ipv4/netfilter/ipt_ecn.c.rej
./net/ipv4/netfilter/ipt_tcpmss.c.rej

5) bzcat ../patch-2.6.10.bz2 | patch -p1 -f
This should give a 2.6.10 kernel. The patch has three erros:
./include/linux/netfilter_ipv4/ipt_connmark.h.rej
./net/ipv4/netfilter/ipt_connmark.c.rej
./net/ipv6/netfilter/ip6t_MARK.c.rej
6) cd ..; mv linux-2.6.8.1 linux-2.6.10p
7) bzcat linux-2.6.10.tar.bz2 | tar -xf -
8) diff -rupN linux-2.6.10p linux-2.6.10 | tee patch-2.6.10.err

patch-2.6.10.err:
------------------------------------------------------------------------
diff -rupN linux-2.6.10p/include/linux/netfilter_ipv4/ipt_connmark.h.rej linux-2.6.10/include/linux/netfilter_ipv4/ipt_connmark.h.rej
--- linux-2.6.10p/include/linux/netfilter_ipv4/ipt_connmark.h.rej 2005-02-25 16:00:01.703125000 +0000
+++ linux-2.6.10/include/linux/netfilter_ipv4/ipt_connmark.h.rej 1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-***************
-*** 0 ****
---- 1,18 ----
-+ #ifndef _IPT_CONNMARK_H
-+ #define _IPT_CONNMARK_H
-+
-+ /* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
-+ * by Henrik Nordstrom <[email protected]>
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ */
-+
-+ struct ipt_connmark_info {
-+ unsigned long mark, mask;
-+ u_int8_t invert;
-+ };
-+
-+ #endif /*_IPT_CONNMARK_H*/
diff -rupN linux-2.6.10p/net/ipv4/netfilter/ipt_TCPMSS.c linux-2.6.10/net/ipv4/netfilter/ipt_TCPMSS.c
--- linux-2.6.10p/net/ipv4/netfilter/ipt_TCPMSS.c 1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.10/net/ipv4/netfilter/ipt_TCPMSS.c 2004-12-24 21:34:48.000000000 +0000
@@ -0,0 +1,262 @@
+/*
+ * This is a module which is used for setting the MSS option in TCP packets.
+ *
+ * Copyright (C) 2000 Marc Boucher <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/ip.h>
+#include <net/tcp.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_TCPMSS.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Marc Boucher <[email protected]>");
+MODULE_DESCRIPTION("iptables TCP MSS modification module");
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+static u_int16_t
+cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
+{
+ u_int32_t diffs[] = { oldvalinv, newval };
+ return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
+ oldcheck^0xFFFF));
+}
+
+static inline unsigned int
+optlen(const u_int8_t *opt, unsigned int offset)
+{
+ /* Beware zero-length options: make finite progress */
+ if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0) return 1;
+ else return opt[offset+1];
+}
+
+static unsigned int
+ipt_tcpmss_target(struct sk_buff **pskb,
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
+ const void *targinfo,
+ void *userinfo)
+{
+ const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
+ struct tcphdr *tcph;
+ struct iphdr *iph;
+ u_int16_t tcplen, newtotlen, oldval, newmss;
+ unsigned int i;
+ u_int8_t *opt;
+
+ if (!skb_ip_make_writable(pskb, (*pskb)->len))
+ return NF_DROP;
+
+ iph = (*pskb)->nh.iph;
+ tcplen = (*pskb)->len - iph->ihl*4;
+
+ tcph = (void *)iph + iph->ihl*4;
+
+ /* Since it passed flags test in tcp match, we know it is is
+ not a fragment, and has data >= tcp header length. SYN
+ packets should not contain data: if they did, then we risk
+ running over MTU, sending Frag Needed and breaking things
+ badly. --RR */
+ if (tcplen != tcph->doff*4) {
+ if (net_ratelimit())
+ printk(KERN_ERR
+ "ipt_tcpmss_target: bad length (%d bytes)\n",
+ (*pskb)->len);
+ return NF_DROP;
+ }
+
+ if(tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) {
+ if(!(*pskb)->dst) {
+ if (net_ratelimit())
+ printk(KERN_ERR
+ "ipt_tcpmss_target: no dst?! can't determine path-MTU\n");
+ return NF_DROP; /* or IPT_CONTINUE ?? */
+ }
+
+ if(dst_pmtu((*pskb)->dst) <= (sizeof(struct iphdr) + sizeof(struct tcphdr))) {
+ if (net_ratelimit())
+ printk(KERN_ERR
+ "ipt_tcpmss_target: unknown or invalid path-MTU (%d)\n", dst_pmtu((*pskb)->dst));
+ return NF_DROP; /* or IPT_CONTINUE ?? */
+ }
+
+ newmss = dst_pmtu((*pskb)->dst) - sizeof(struct iphdr) - sizeof(struct tcphdr);
+ } else
+ newmss = tcpmssinfo->mss;
+
+ opt = (u_int8_t *)tcph;
+ for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)){
+ if ((opt[i] == TCPOPT_MSS) &&
+ ((tcph->doff*4 - i) >= TCPOLEN_MSS) &&
+ (opt[i+1] == TCPOLEN_MSS)) {
+ u_int16_t oldmss;
+
+ oldmss = (opt[i+2] << 8) | opt[i+3];
+
+ if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) &&
+ (oldmss <= newmss))
+ return IPT_CONTINUE;
+
+ opt[i+2] = (newmss & 0xff00) >> 8;
+ opt[i+3] = (newmss & 0x00ff);
+
+ tcph->check = cheat_check(htons(oldmss)^0xFFFF,
+ htons(newmss),
+ tcph->check);
+
+ DEBUGP(KERN_INFO "ipt_tcpmss_target: %u.%u.%u.%u:%hu"
+ "->%u.%u.%u.%u:%hu changed TCP MSS option"
+ " (from %u to %u)\n",
+ NIPQUAD((*pskb)->nh.iph->saddr),
+ ntohs(tcph->source),
+ NIPQUAD((*pskb)->nh.iph->daddr),
+ ntohs(tcph->dest),
+ oldmss, newmss);
+ goto retmodified;
+ }
+ }
+
+ /*
+ * MSS Option not found ?! add it..
+ */
+ if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
+ struct sk_buff *newskb;
+
+ newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
+ TCPOLEN_MSS, GFP_ATOMIC);
+ if (!newskb) {
+ if (net_ratelimit())
+ printk(KERN_ERR "ipt_tcpmss_target:"
+ " unable to allocate larger skb\n");
+ return NF_DROP;
+ }
+
+ kfree_skb(*pskb);
+ *pskb = newskb;
+ iph = (*pskb)->nh.iph;
+ tcph = (void *)iph + iph->ihl*4;
+ }
+
+ skb_put((*pskb), TCPOLEN_MSS);
+
+ opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
+ memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
+
+ tcph->check = cheat_check(htons(tcplen) ^ 0xFFFF,
+ htons(tcplen + TCPOLEN_MSS), tcph->check);
+ tcplen += TCPOLEN_MSS;
+
+ opt[0] = TCPOPT_MSS;
+ opt[1] = TCPOLEN_MSS;
+ opt[2] = (newmss & 0xff00) >> 8;
+ opt[3] = (newmss & 0x00ff);
+
+ tcph->check = cheat_check(~0, *((u_int32_t *)opt), tcph->check);
+
+ oldval = ((u_int16_t *)tcph)[6];
+ tcph->doff += TCPOLEN_MSS/4;
+ tcph->check = cheat_check(oldval ^ 0xFFFF,
+ ((u_int16_t *)tcph)[6], tcph->check);
+
+ newtotlen = htons(ntohs(iph->tot_len) + TCPOLEN_MSS);
+ iph->check = cheat_check(iph->tot_len ^ 0xFFFF,
+ newtotlen, iph->check);
+ iph->tot_len = newtotlen;
+
+ DEBUGP(KERN_INFO "ipt_tcpmss_target: %u.%u.%u.%u:%hu"
+ "->%u.%u.%u.%u:%hu added TCP MSS option (%u)\n",
+ NIPQUAD((*pskb)->nh.iph->saddr),
+ ntohs(tcph->source),
+ NIPQUAD((*pskb)->nh.iph->daddr),
+ ntohs(tcph->dest),
+ newmss);
+
+ retmodified:
+ /* We never hw checksum SYN packets. */
+ BUG_ON((*pskb)->ip_summed == CHECKSUM_HW);
+
+ (*pskb)->nfcache |= NFC_UNKNOWN | NFC_ALTERED;
+ return IPT_CONTINUE;
+}
+
+#define TH_SYN 0x02
+
+static inline int find_syn_match(const struct ipt_entry_match *m)
+{
+ const struct ipt_tcp *tcpinfo = (const struct ipt_tcp *)m->data;
+
+ if (strcmp(m->u.kernel.match->name, "tcp") == 0
+ && (tcpinfo->flg_cmp & TH_SYN)
+ && !(tcpinfo->invflags & IPT_TCP_INV_FLAGS))
+ return 1;
+
+ return 0;
+}
+
+/* Must specify -p tcp --syn/--tcp-flags SYN */
+static int
+ipt_tcpmss_checkentry(const char *tablename,
+ const struct ipt_entry *e,
+ void *targinfo,
+ unsigned int targinfosize,
+ unsigned int hook_mask)
+{
+ const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
+
+ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) {
+ DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n",
+ targinfosize, IPT_ALIGN(sizeof(struct ipt_tcpmss_info)));
+ return 0;
+ }
+
+
+ if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) &&
+ ((hook_mask & ~((1 << NF_IP_FORWARD)
+ | (1 << NF_IP_LOCAL_OUT)
+ | (1 << NF_IP_POST_ROUTING))) != 0)) {
+ printk("TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
+ return 0;
+ }
+
+ if (e->ip.proto == IPPROTO_TCP
+ && !(e->ip.invflags & IPT_INV_PROTO)
+ && IPT_MATCH_ITERATE(e, find_syn_match))
+ return 1;
+
+ printk("TCPMSS: Only works on TCP SYN packets\n");
+ return 0;
+}
+
+static struct ipt_target ipt_tcpmss_reg = {
+ .name = "TCPMSS",
+ .target = ipt_tcpmss_target,
+ .checkentry = ipt_tcpmss_checkentry,
+ .me = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+ return ipt_register_target(&ipt_tcpmss_reg);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_target(&ipt_tcpmss_reg);
+}
+
+module_init(init);
+module_exit(fini);
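Review bot: `ipt_tcpmss_target` never checks a lower bound on `tcph->doff`, so in the "MSS Option not found" path the length `tcplen - sizeof(struct tcphdr)` handed to `memmove` would wrap to a very large value if `doff*4` were below the fixed header size. The function relies on the tcp match having validated the header, as the --RR comment says, and that cannot be confirmed from this file. An explicit guard right after the bad-length check, `if (tcph->doff*4 < sizeof(struct tcphdr)) return NF_DROP;`, would make the target safe on its own. The same path does `tcph->doff += TCPOLEN_MSS/4` on a 4-bit field, so a header whose option space is already full (doff 15) appears to wrap to 0; `if (tcph->doff == 15) return IPT_CONTINUE;` before `skb_put` would leave such packets untouched. Separately, `optlen()` reads `opt[offset+1]` even when `offset` is the last option byte, which is one byte past the header.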
diff -rupN linux-2.6.10p/net/ipv4/netfilter/ipt_connmark.c.rej linux-2.6.10/net/ipv4/netfilter/ipt_connmark.c.rej
--- linux-2.6.10p/net/ipv4/netfilter/ipt_connmark.c.rej 2005-02-25 16:06:01.390625000 +0000
+++ linux-2.6.10/net/ipv4/netfilter/ipt_connmark.c.rej 1970-01-01 00:00:00.000000000 +0000
@@ -1,84 +0,0 @@
-***************
-*** 0 ****
---- 1,81 ----
-+ /* This kernel module matches connection mark values set by the
-+ * CONNMARK target
-+ *
-+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
-+ * by Henrik Nordstrom <[email protected]>
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-+ */
-+
-+ #include <linux/module.h>
-+ #include <linux/skbuff.h>
-+
-+ MODULE_AUTHOR("Henrik Nordstrom <[email protected]>");
-+ MODULE_DESCRIPTION("IP tables connmark match module");
-+ MODULE_LICENSE("GPL");
-+
-+ #include <linux/netfilter_ipv4/ip_tables.h>
-+ #include <linux/netfilter_ipv4/ipt_connmark.h>
-+ #include <linux/netfilter_ipv4/ip_conntrack.h>
-+
-+ static int
-+ match(const struct sk_buff *skb,
-+ const struct net_device *in,
-+ const struct net_device *out,
-+ const void *matchinfo,
-+ int offset,
-+ int *hotdrop)
-+ {
-+ const struct ipt_connmark_info *info = matchinfo;
-+ enum ip_conntrack_info ctinfo;
-+ struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
-+ if (!ct)
-+ return 0;
-+
-+ return ((ct->mark & info->mask) == info->mark) ^ info->invert;
-+ }
-+
-+ static int
-+ checkentry(const char *tablename,
-+ const struct ipt_ip *ip,
-+ void *matchinfo,
-+ unsigned int matchsize,
-+ unsigned int hook_mask)
-+ {
-+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
-+ return 0;
-+
-+ return 1;
-+ }
-+
-+ static struct ipt_match connmark_match = {
-+ .name = "connmark",
-+ .match = &match,
-+ .checkentry = &checkentry,
-+ .me = THIS_MODULE
-+ };
-+
-+ static int __init init(void)
-+ {
-+ return ipt_register_match(&connmark_match);
-+ }
-+
-+ static void __exit fini(void)
-+ {
-+ ipt_unregister_match(&connmark_match);
-+ }
-+
-+ module_init(init);
-+ module_exit(fini);
diff -rupN linux-2.6.10p/net/ipv4/netfilter/ipt_ecn.c.orig linux-2.6.10/net/ipv4/netfilter/ipt_ecn.c.orig
--- linux-2.6.10p/net/ipv4/netfilter/ipt_ecn.c.orig 2005-02-25 15:53:04.375000000 +0000
+++ linux-2.6.10/net/ipv4/netfilter/ipt_ecn.c.orig 1970-01-01 00:00:00.000000000 +0000
@@ -1,178 +0,0 @@
-/* iptables module for the IPv4 and TCP ECN bits, Version 1.5
- *
- * (C) 2002 by Harald Welte <[email protected]>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
-*/
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <linux/tcp.h>
-#include <net/checksum.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ECN.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Harald Welte <[email protected]>");
-MODULE_DESCRIPTION("iptables ECN modification module");
-
-/* set ECT codepoint from IP header.
- * return 0 if there was an error. */
-static inline int
-set_ect_ip(struct sk_buff **pskb, const struct ipt_ECN_info *einfo)
-{
- if (((*pskb)->nh.iph->tos & IPT_ECN_IP_MASK)
- != (einfo->ip_ect & IPT_ECN_IP_MASK)) {
- u_int16_t diffs[2];
-
- if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
- return 0;
-
- diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
- (*pskb)->nh.iph->tos &= ~IPT_ECN_IP_MASK;
- (*pskb)->nh.iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK);
- diffs[1] = htons((*pskb)->nh.iph->tos);
- (*pskb)->nh.iph->check
- = csum_fold(csum_partial((char *)diffs,
- sizeof(diffs),
- (*pskb)->nh.iph->check
- ^0xFFFF));
- (*pskb)->nfcache |= NFC_ALTERED;
- }
- return 1;
-}
-
-/* Return 0 if there was an error. */
-static inline int
-set_ect_tcp(struct sk_buff **pskb, const struct ipt_ECN_info *einfo, int inward)
-{
- struct tcphdr _tcph, *th;
- u_int16_t diffs[2];
-
- /* Not enought header? */
- th = skb_header_pointer(*pskb, (*pskb)->nh.iph->ihl*4,
- sizeof(_tcph), &_tcph);
- if (th == NULL)
- return 0;
-
- diffs[0] = ((u_int16_t *)th)[6];
- if (einfo->operation & IPT_ECN_OP_SET_ECE)
- th->ece = einfo->proto.tcp.ece;
-
- if (einfo->operation & IPT_ECN_OP_SET_CWR)
- th->cwr = einfo->proto.tcp.cwr;
- diffs[1] = ((u_int16_t *)&th)[6];
-
- /* Only mangle if it's changed. */
- if (diffs[0] != diffs[1]) {
- diffs[0] = diffs[0] ^ 0xFFFF;
- if (!skb_ip_make_writable(pskb,
- (*pskb)->nh.iph->ihl*4+sizeof(_tcph)))
- return 0;
-
- if (th != &_tcph)
- memcpy(&_tcph, th, sizeof(_tcph));
-
- if ((*pskb)->ip_summed != CHECKSUM_HW)
- _tcph.check = csum_fold(csum_partial((char *)diffs,
- sizeof(diffs),
- _tcph.check^0xFFFF));
- memcpy((*pskb)->data + (*pskb)->nh.iph->ihl*4,
- &_tcph, sizeof(_tcph));
- if ((*pskb)->ip_summed == CHECKSUM_HW)
- if (skb_checksum_help(pskb, inward))
- return 0;
- (*pskb)->nfcache |= NFC_ALTERED;
- }
- return 1;
-}
-
-static unsigned int
-target(struct sk_buff **pskb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const void *targinfo,
- void *userinfo)
-{
- const struct ipt_ECN_info *einfo = targinfo;
-
- if (einfo->operation & IPT_ECN_OP_SET_IP)
- if (!set_ect_ip(pskb, einfo))
- return NF_DROP;
-
- if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR)
- && (*pskb)->nh.iph->protocol == IPPROTO_TCP)
- if (!set_ect_tcp(pskb, einfo, (out == NULL)))
- return NF_DROP;
-
- return IPT_CONTINUE;
-}
-
-static int
-checkentry(const char *tablename,
- const struct ipt_entry *e,
- void *targinfo,
- unsigned int targinfosize,
- unsigned int hook_mask)
-{
- const struct ipt_ECN_info *einfo = (struct ipt_ECN_info *)targinfo;
-
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ECN_info))) {
- printk(KERN_WARNING "ECN: targinfosize %u != %Zu\n",
- targinfosize,
- IPT_ALIGN(sizeof(struct ipt_ECN_info)));
- return 0;
- }
-
- if (strcmp(tablename, "mangle") != 0) {
- printk(KERN_WARNING "ECN: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
- return 0;
- }
-
- if (einfo->operation & IPT_ECN_OP_MASK) {
- printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
- einfo->operation);
- return 0;
- }
- if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
- printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n",
- einfo->ip_ect);
- return 0;
- }
-
- if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
- && e->ip.proto != IPPROTO_TCP) {
- printk(KERN_WARNING "ECN: cannot use TCP operations on a "
- "non-tcp rule\n");
- return 0;
- }
-
- return 1;
-}
-
-static struct ipt_target ipt_ecn_reg = {
- .name = "ECN",
- .target = target,
- .checkentry = checkentry,
- .me = THIS_MODULE,
-};
-
-static int __init init(void)
-{
- return ipt_register_target(&ipt_ecn_reg);
-}
-
-static void __exit fini(void)
-{
- ipt_unregister_target(&ipt_ecn_reg);
-}
-
-module_init(init);
-module_exit(fini);
diff -rupN linux-2.6.10p/net/ipv4/netfilter/ipt_ecn.c.rej linux-2.6.10/net/ipv4/netfilter/ipt_ecn.c.rej
--- linux-2.6.10p/net/ipv4/netfilter/ipt_ecn.c.rej 2005-02-25 15:53:04.812500000 +0000
+++ linux-2.6.10/net/ipv4/netfilter/ipt_ecn.c.rej 1970-01-01 00:00:00.000000000 +0000
@@ -1,68 +0,0 @@
-***************
-*** 30,60 ****
- const struct ipt_ecn_info *einfo,
- int *hotdrop)
- {
-- struct tcphdr tcph;
-
- /* In practice, TCP match does this, so can't fail. But let's
-- be good citizens. */
-- if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0) {
- *hotdrop = 0;
- return 0;
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
- if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
-- if (tcph.ece == 1)
- return 0;
- } else {
-- if (tcph.ece == 0)
- return 0;
- }
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
- if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
-- if (tcph.cwr == 1)
- return 0;
- } else {
-- if (tcph.cwr == 0)
- return 0;
- }
- }
---- 30,63 ----
- const struct ipt_ecn_info *einfo,
- int *hotdrop)
- {
-+ struct tcphdr _tcph, *th;
-
- /* In practice, TCP match does this, so can't fail. But let's
-+ * be good citizens.
-+ */
-+ th = skb_header_pointer(skb, skb->nh.iph->ihl * 4,
-+ sizeof(_tcph), &_tcph);
-+ if (th == NULL) {
- *hotdrop = 0;
- return 0;
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_ECE) {
- if (einfo->invert & IPT_ECN_OP_MATCH_ECE) {
-+ if (th->ece == 1)
- return 0;
- } else {
-+ if (th->ece == 0)
- return 0;
- }
- }
-
- if (einfo->operation & IPT_ECN_OP_MATCH_CWR) {
- if (einfo->invert & IPT_ECN_OP_MATCH_CWR) {
-+ if (th->cwr == 1)
- return 0;
- } else {
-+ if (th->cwr == 0)
- return 0;
- }
- }
diff -rupN linux-2.6.10p/net/ipv4/netfilter/ipt_tcpmss.c linux-2.6.10/net/ipv4/netfilter/ipt_tcpmss.c
--- linux-2.6.10p/net/ipv4/netfilter/ipt_tcpmss.c 2005-02-25 16:06:02.000000000 +0000
+++ linux-2.6.10/net/ipv4/netfilter/ipt_tcpmss.c 1970-01-01 00:00:00.000000000 +0000
@@ -1,262 +0,0 @@
-/*
- * This is a module which is used for setting the MSS option in TCP packets.
- *
- * Copyright (C) 2000 Marc Boucher <[email protected]>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-
-#include <linux/ip.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TCPMSS.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marc Boucher <[email protected]>");
-MODULE_DESCRIPTION("iptables TCP MSS modification module");
-
-#if 0
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-
-static u_int16_t
-cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
-{
- u_int32_t diffs[] = { oldvalinv, newval };
- return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
- oldcheck^0xFFFF));
-}
-
-static inline unsigned int
-optlen(const u_int8_t *opt, unsigned int offset)
-{
- /* Beware zero-length options: make finite progress */
- if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0) return 1;
- else return opt[offset+1];
-}
-
-static unsigned int
-ipt_tcpmss_target(struct sk_buff **pskb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const void *targinfo,
- void *userinfo)
-{
- const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
- struct tcphdr *tcph;
- struct iphdr *iph;
- u_int16_t tcplen, newtotlen, oldval, newmss;
- unsigned int i;
- u_int8_t *opt;
-
- if (!skb_ip_make_writable(pskb, (*pskb)->len))
- return NF_DROP;
-
- iph = (*pskb)->nh.iph;
- tcplen = (*pskb)->len - iph->ihl*4;
-
- tcph = (void *)iph + iph->ihl*4;
-
- /* Since it passed flags test in tcp match, we know it is is
- not a fragment, and has data >= tcp header length. SYN
- packets should not contain data: if they did, then we risk
- running over MTU, sending Frag Needed and breaking things
- badly. --RR */
- if (tcplen != tcph->doff*4) {
- if (net_ratelimit())
- printk(KERN_ERR
- "ipt_tcpmss_target: bad length (%d bytes)\n",
- (*pskb)->len);
- return NF_DROP;
- }
-
- if(tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) {
- if(!(*pskb)->dst) {
- if (net_ratelimit())
- printk(KERN_ERR
- "ipt_tcpmss_target: no dst?! can't determine path-MTU\n");
- return NF_DROP; /* or IPT_CONTINUE ?? */
- }
-
- if(dst_pmtu((*pskb)->dst) <= (sizeof(struct iphdr) + sizeof(struct tcphdr))) {
- if (net_ratelimit())
- printk(KERN_ERR
- "ipt_tcpmss_target: unknown or invalid path-MTU (%d)\n", dst_pmtu((*pskb)->dst));
- return NF_DROP; /* or IPT_CONTINUE ?? */
- }
-
- newmss = dst_pmtu((*pskb)->dst) - sizeof(struct iphdr) - sizeof(struct tcphdr);
- } else
- newmss = tcpmssinfo->mss;
-
- opt = (u_int8_t *)tcph;
- for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)){
- if ((opt[i] == TCPOPT_MSS) &&
- ((tcph->doff*4 - i) >= TCPOLEN_MSS) &&
- (opt[i+1] == TCPOLEN_MSS)) {
- u_int16_t oldmss;
-
- oldmss = (opt[i+2] << 8) | opt[i+3];
-
- if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) &&
- (oldmss <= newmss))
- return IPT_CONTINUE;
-
- opt[i+2] = (newmss & 0xff00) >> 8;
- opt[i+3] = (newmss & 0x00ff);
-
- tcph->check = cheat_check(htons(oldmss)^0xFFFF,
- htons(newmss),
- tcph->check);
-
- DEBUGP(KERN_INFO "ipt_tcpmss_target: %u.%u.%u.%u:%hu"
- "->%u.%u.%u.%u:%hu changed TCP MSS option"
- " (from %u to %u)\n",
- NIPQUAD((*pskb)->nh.iph->saddr),
- ntohs(tcph->source),
- NIPQUAD((*pskb)->nh.iph->daddr),
- ntohs(tcph->dest),
- oldmss, newmss);
- goto retmodified;
- }
- }
-
- /*
- * MSS Option not found ?! add it..
- */
- if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
- struct sk_buff *newskb;
-
- newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
- TCPOLEN_MSS, GFP_ATOMIC);
- if (!newskb) {
- if (net_ratelimit())
- printk(KERN_ERR "ipt_tcpmss_target:"
- " unable to allocate larger skb\n");
- return NF_DROP;
- }
-
- kfree_skb(*pskb);
- *pskb = newskb;
- iph = (*pskb)->nh.iph;
- tcph = (void *)iph + iph->ihl*4;
- }
-
- skb_put((*pskb), TCPOLEN_MSS);
-
- opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
- memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
-
- tcph->check = cheat_check(htons(tcplen) ^ 0xFFFF,
- htons(tcplen + TCPOLEN_MSS), tcph->check);
- tcplen += TCPOLEN_MSS;
-
- opt[0] = TCPOPT_MSS;
- opt[1] = TCPOLEN_MSS;
- opt[2] = (newmss & 0xff00) >> 8;
- opt[3] = (newmss & 0x00ff);
-
- tcph->check = cheat_check(~0, *((u_int32_t *)opt), tcph->check);
-
- oldval = ((u_int16_t *)tcph)[6];
- tcph->doff += TCPOLEN_MSS/4;
- tcph->check = cheat_check(oldval ^ 0xFFFF,
- ((u_int16_t *)tcph)[6], tcph->check);
-
- newtotlen = htons(ntohs(iph->tot_len) + TCPOLEN_MSS);
- iph->check = cheat_check(iph->tot_len ^ 0xFFFF,
- newtotlen, iph->check);
- iph->tot_len = newtotlen;
-
- DEBUGP(KERN_INFO "ipt_tcpmss_target: %u.%u.%u.%u:%hu"
- "->%u.%u.%u.%u:%hu added TCP MSS option (%u)\n",
- NIPQUAD((*pskb)->nh.iph->saddr),
- ntohs(tcph->source),
- NIPQUAD((*pskb)->nh.iph->daddr),
- ntohs(tcph->dest),
- newmss);
-
- retmodified:
- /* We never hw checksum SYN packets. */
- BUG_ON((*pskb)->ip_summed == CHECKSUM_HW);
-
- (*pskb)->nfcache |= NFC_UNKNOWN | NFC_ALTERED;
- return IPT_CONTINUE;
-}
-
-#define TH_SYN 0x02
-
-static inline int find_syn_match(const struct ipt_entry_match *m)
-{
- const struct ipt_tcp *tcpinfo = (const struct ipt_tcp *)m->data;
-
- if (strcmp(m->u.kernel.match->name, "tcp") == 0
- && (tcpinfo->flg_cmp & TH_SYN)
- && !(tcpinfo->invflags & IPT_TCP_INV_FLAGS))
- return 1;
-
- return 0;
-}
-
-/* Must specify -p tcp --syn/--tcp-flags SYN */
-static int
-ipt_tcpmss_checkentry(const char *tablename,
- const struct ipt_entry *e,
- void *targinfo,
- unsigned int targinfosize,
- unsigned int hook_mask)
-{
- const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
-
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) {
- DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n",
- targinfosize, IPT_ALIGN(sizeof(struct ipt_tcpmss_info)));
- return 0;
- }
-
-
- if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) &&
- ((hook_mask & ~((1 << NF_IP_FORWARD)
- | (1 << NF_IP_LOCAL_OUT)
- | (1 << NF_IP_POST_ROUTING))) != 0)) {
- printk("TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
- return 0;
- }
-
- if (e->ip.proto == IPPROTO_TCP
- && !(e->ip.invflags & IPT_INV_PROTO)
- && IPT_MATCH_ITERATE(e, find_syn_match))
- return 1;
-
- printk("TCPMSS: Only works on TCP SYN packets\n");
- return 0;
-}
-
-static struct ipt_target ipt_tcpmss_reg = {
- .name = "TCPMSS",
- .target = ipt_tcpmss_target,
- .checkentry = ipt_tcpmss_checkentry,
- .me = THIS_MODULE,
-};
-
-static int __init init(void)
-{
- return ipt_register_target(&ipt_tcpmss_reg);
-}
-
-static void __exit fini(void)
-{
- ipt_unregister_target(&ipt_tcpmss_reg);
-}
-
-module_init(init);
-module_exit(fini);
diff -rupN linux-2.6.10p/net/ipv4/netfilter/ipt_tcpmss.c.orig linux-2.6.10/net/ipv4/netfilter/ipt_tcpmss.c.orig
--- linux-2.6.10p/net/ipv4/netfilter/ipt_tcpmss.c.orig 2005-02-25 15:53:05.156250000 +0000
+++ linux-2.6.10/net/ipv4/netfilter/ipt_tcpmss.c.orig 1970-01-01 00:00:00.000000000 +0000
@@ -1,262 +0,0 @@
-/*
- * This is a module which is used for setting the MSS option in TCP packets.
- *
- * Copyright (C) 2000 Marc Boucher <[email protected]>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-
-#include <linux/ip.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TCPMSS.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marc Boucher <[email protected]>");
-MODULE_DESCRIPTION("iptables TCP MSS modification module");
-
-#if 0
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-
-static u_int16_t
-cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
-{
- u_int32_t diffs[] = { oldvalinv, newval };
- return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
- oldcheck^0xFFFF));
-}
-
-static inline unsigned int
-optlen(const u_int8_t *opt, unsigned int offset)
-{
- /* Beware zero-length options: make finite progress */
- if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0) return 1;
- else return opt[offset+1];
-}
-
-static unsigned int
-ipt_tcpmss_target(struct sk_buff **pskb,
- const struct net_device *in,
- const struct net_device *out,
- unsigned int hooknum,
- const void *targinfo,
- void *userinfo)
-{
- const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
- struct tcphdr *tcph;
- struct iphdr *iph;
- u_int16_t tcplen, newtotlen, oldval, newmss;
- unsigned int i;
- u_int8_t *opt;
-
- if (!skb_ip_make_writable(pskb, (*pskb)->len))
- return NF_DROP;
-
- iph = (*pskb)->nh.iph;
- tcplen = (*pskb)->len - iph->ihl*4;
-
- tcph = (void *)iph + iph->ihl*4;
-
- /* Since it passed flags test in tcp match, we know it is is
- not a fragment, and has data >= tcp header length. SYN
- packets should not contain data: if they did, then we risk
- running over MTU, sending Frag Needed and breaking things
- badly. --RR */
- if (tcplen != tcph->doff*4) {
- if (net_ratelimit())
- printk(KERN_ERR
- "ipt_tcpmss_target: bad length (%d bytes)\n",
- (*pskb)->len);
- return NF_DROP;
- }
-
- if(tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) {
- if(!(*pskb)->dst) {
- if (net_ratelimit())
- printk(KERN_ERR
- "ipt_tcpmss_target: no dst?! can't determine path-MTU\n");
- return NF_DROP; /* or IPT_CONTINUE ?? */
- }
-
- if(dst_pmtu((*pskb)->dst) <= (sizeof(struct iphdr) + sizeof(struct tcphdr))) {
- if (net_ratelimit())
- printk(KERN_ERR
- "ipt_tcpmss_target: unknown or invalid path-MTU (%d)\n", dst_pmtu((*pskb)->dst));
- return NF_DROP; /* or IPT_CONTINUE ?? */
- }
-
- newmss = dst_pmtu((*pskb)->dst) - sizeof(struct iphdr) - sizeof(struct tcphdr);
- } else
- newmss = tcpmssinfo->mss;
-
- opt = (u_int8_t *)tcph;
- for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)){
- if ((opt[i] == TCPOPT_MSS) &&
- ((tcph->doff*4 - i) >= TCPOLEN_MSS) &&
- (opt[i+1] == TCPOLEN_MSS)) {
- u_int16_t oldmss;
-
- oldmss = (opt[i+2] << 8) | opt[i+3];
-
- if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) &&
- (oldmss <= newmss))
- return IPT_CONTINUE;
-
- opt[i+2] = (newmss & 0xff00) >> 8;
- opt[i+3] = (newmss & 0x00ff);
-
- tcph->check = cheat_check(htons(oldmss)^0xFFFF,
- htons(newmss),
- tcph->check);
-
- DEBUGP(KERN_INFO "ipt_tcpmss_target: %u.%u.%u.%u:%hu"
- "->%u.%u.%u.%u:%hu changed TCP MSS option"
- " (from %u to %u)\n",
- NIPQUAD((*pskb)->nh.iph->saddr),
- ntohs(tcph->source),
- NIPQUAD((*pskb)->nh.iph->daddr),
- ntohs(tcph->dest),
- oldmss, newmss);
- goto retmodified;
- }
- }
-
- /*
- * MSS Option not found ?! add it..
- */
- if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
- struct sk_buff *newskb;
-
- newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
- TCPOLEN_MSS, GFP_ATOMIC);
- if (!newskb) {
- if (net_ratelimit())
- printk(KERN_ERR "ipt_tcpmss_target:"
- " unable to allocate larger skb\n");
- return NF_DROP;
- }
-
- kfree_skb(*pskb);
- *pskb = newskb;
- iph = (*pskb)->nh.iph;
- tcph = (void *)iph + iph->ihl*4;
- }
-
- skb_put((*pskb), TCPOLEN_MSS);
-
- opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
- memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
-
- tcph->check = cheat_check(htons(tcplen) ^ 0xFFFF,
- htons(tcplen + TCPOLEN_MSS), tcph->check);
- tcplen += TCPOLEN_MSS;
-
- opt[0] = TCPOPT_MSS;
- opt[1] = TCPOLEN_MSS;
- opt[2] = (newmss & 0xff00) >> 8;
- opt[3] = (newmss & 0x00ff);
-
- tcph->check = cheat_check(~0, *((u_int32_t *)opt), tcph->check);
-
- oldval = ((u_int16_t *)tcph)[6];
- tcph->doff += TCPOLEN_MSS/4;
- tcph->check = cheat_check(oldval ^ 0xFFFF,
- ((u_int16_t *)tcph)[6], tcph->check);
-
- newtotlen = htons(ntohs(iph->tot_len) + TCPOLEN_MSS);
- iph->check = cheat_check(iph->tot_len ^ 0xFFFF,
- newtotlen, iph->check);
- iph->tot_len = newtotlen;
-
- DEBUGP(KERN_INFO "ipt_tcpmss_target: %u.%u.%u.%u:%hu"
- "->%u.%u.%u.%u:%hu added TCP MSS option (%u)\n",
- NIPQUAD((*pskb)->nh.iph->saddr),
- ntohs(tcph->source),
- NIPQUAD((*pskb)->nh.iph->daddr),
- ntohs(tcph->dest),
- newmss);
-
- retmodified:
- /* We never hw checksum SYN packets. */
- BUG_ON((*pskb)->ip_summed == CHECKSUM_HW);
-
- (*pskb)->nfcache |= NFC_UNKNOWN | NFC_ALTERED;
- return IPT_CONTINUE;
-}
-
-#define TH_SYN 0x02
-
-static inline int find_syn_match(const struct ipt_entry_match *m)
-{
- const struct ipt_tcp *tcpinfo = (const struct ipt_tcp *)m->data;
-
- if (strcmp(m->u.kernel.match->name, "tcp") == 0
- && (tcpinfo->flg_cmp & TH_SYN)
- && !(tcpinfo->invflags & IPT_TCP_INV_FLAGS))
- return 1;
-
- return 0;
-}
-
-/* Must specify -p tcp --syn/--tcp-flags SYN */
-static int
-ipt_tcpmss_checkentry(const char *tablename,
- const struct ipt_entry *e,
- void *targinfo,
- unsigned int targinfosize,
- unsigned int hook_mask)
-{
- const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
-
- if (targinfosize != IPT_ALIGN(sizeof(struct ipt_tcpmss_info))) {
- DEBUGP("ipt_tcpmss_checkentry: targinfosize %u != %u\n",
- targinfosize, IPT_ALIGN(sizeof(struct ipt_tcpmss_info)));
- return 0;
- }
-
-
- if((tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) &&
- ((hook_mask & ~((1 << NF_IP_FORWARD)
- | (1 << NF_IP_LOCAL_OUT)
- | (1 << NF_IP_POST_ROUTING))) != 0)) {
- printk("TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
- return 0;
- }
-
- if (e->ip.proto == IPPROTO_TCP
- && !(e->ip.invflags & IPT_INV_PROTO)
- && IPT_MATCH_ITERATE(e, find_syn_match))
- return 1;
-
- printk("TCPMSS: Only works on TCP SYN packets\n");
- return 0;
-}
-
-static struct ipt_target ipt_tcpmss_reg = {
- .name = "TCPMSS",
- .target = ipt_tcpmss_target,
- .checkentry = ipt_tcpmss_checkentry,
- .me = THIS_MODULE,
-};
-
-static int __init init(void)
-{
- return ipt_register_target(&ipt_tcpmss_reg);
-}
-
-static void __exit fini(void)
-{
- ipt_unregister_target(&ipt_tcpmss_reg);
-}
-
-module_init(init);
-module_exit(fini);
diff -rupN linux-2.6.10p/net/ipv4/netfilter/ipt_tcpmss.c.rej linux-2.6.10/net/ipv4/netfilter/ipt_tcpmss.c.rej
--- linux-2.6.10p/net/ipv4/netfilter/ipt_tcpmss.c.rej 2005-02-25 16:06:02.078125000 +0000
+++ linux-2.6.10/net/ipv4/netfilter/ipt_tcpmss.c.rej 1970-01-01 00:00:00.000000000 +0000
@@ -1,27 +0,0 @@
-***************
-*** 87,104 ****
- info->invert, hotdrop);
- }
-
-- static inline int find_syn_match(const struct ipt_entry_match *m)
-- {
-- const struct ipt_tcp *tcpinfo = (const struct ipt_tcp *)m->data;
--
-- if (strcmp(m->u.kernel.match->name, "tcp") == 0
-- && (tcpinfo->flg_cmp & TH_SYN)
-- && !(tcpinfo->invflags & IPT_TCP_INV_FLAGS))
-- return 1;
--
-- return 0;
-- }
--
- static int
- checkentry(const char *tablename,
- const struct ipt_ip *ip,
---- 87,92 ----
- info->invert, hotdrop);
- }
-
- static int
- checkentry(const char *tablename,
- const struct ipt_ip *ip,
diff -rupN linux-2.6.10p/net/ipv6/netfilter/ip6t_MARK.c.orig linux-2.6.10/net/ipv6/netfilter/ip6t_MARK.c.orig
--- linux-2.6.10p/net/ipv6/netfilter/ip6t_MARK.c.orig 2004-08-14 11:56:25.000000000 +0100
+++ linux-2.6.10/net/ipv6/netfilter/ip6t_MARK.c.orig 1970-01-01 00:00:00.000000000 +0000
@@ -1,67 +0,0 @@
-/* Kernel module to match NFMARK values. */
-
-/* (C) 1999-2001 Marc Boucher <[email protected]>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-
-#include <linux/netfilter_ipv6/ip6t_mark.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Netfilter Core Team <[email protected]>");
-MODULE_DESCRIPTION("ip6tables mark match");
-
-static int
-match(const struct sk_buff *skb,
- const struct net_device *in,
- const struct net_device *out,
- const void *matchinfo,
- int offset,
- const void *hdr,
- u_int16_t datalen,
- int *hotdrop)
-{
- const struct ip6t_mark_info *info = matchinfo;
-
- return ((skb->nfmark & info->mask) == info->mark) ^ info->invert;
-}
-
-static int
-checkentry(const char *tablename,
- const struct ip6t_ip6 *ip,
- void *matchinfo,
- unsigned int matchsize,
- unsigned int hook_mask)
-{
- if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_mark_info)))
- return 0;
-
- return 1;
-}
-
-static struct ip6t_match mark_match = {
- .name = "mark",
- .match = &match,
- .checkentry = &checkentry,
- .me = THIS_MODULE,
-};
-
-static int __init init(void)
-{
- return ip6t_register_match(&mark_match);
-}
-
-static void __exit fini(void)
-{
- ip6t_unregister_match(&mark_match);
-}
-
-module_init(init);
-module_exit(fini);
diff -rupN linux-2.6.10p/net/ipv6/netfilter/ip6t_MARK.c.rej linux-2.6.10/net/ipv6/netfilter/ip6t_MARK.c.rej
--- linux-2.6.10p/net/ipv6/netfilter/ip6t_MARK.c.rej 2005-02-25 16:06:04.781250000 +0000
+++ linux-2.6.10/net/ipv6/netfilter/ip6t_MARK.c.rej 1970-01-01 00:00:00.000000000 +0000
@@ -1,21 +0,0 @@
-***************
-*** 20,28 ****
-
- static unsigned int
- target(struct sk_buff **pskb,
-- unsigned int hooknum,
- const struct net_device *in,
- const struct net_device *out,
- const void *targinfo,
- void *userinfo)
- {
---- 20,28 ----
-
- static unsigned int
- target(struct sk_buff **pskb,
- const struct net_device *in,
- const struct net_device *out,
-+ unsigned int hooknum,
- const void *targinfo,
- void *userinfo)
- {
------------------------------------------------------------------------
Regards
Mark Fortescue.


2005-02-25 16:47:28

by Lee Revell

Subject: Re: linux-2.6.8.1 to linux-2.6.10: Kernel Patching Issues.

On Fri, 2005-02-25 at 16:40 +0000, Mark Fortescue wrote:
> Hi all,
>
> I am not sure exactly where to send this email. A have chosen the
> ip4/ip6 networking as the issues are in this area of the kernel.
>
> The kernel patch files patch-2.6.9 and patch-2.6.10 do not apear to be
> correct.

No, you're doing it wrong. 2.6.8.1 was a bugfix release. The correct
patching order is 2.6.8 -> 2.6.9 -> 2.6.10.

Lee

2005-02-25 16:49:37

by Jan De Luyck

Subject: Re: linux-2.6.8.1 to linux-2.6.10: Kernel Patching Issues.

On Friday 25 February 2005 17:40, Mark Fortescue wrote:
> Hi all,
>
> I am not sure exactly where to send this email. A have chosen the
> ip4/ip6 networking as the issues are in this area of the kernel.
>
> The kernel patch files patch-2.6.9 and patch-2.6.10 do not apear to be
> correct. I had some errors during patching so I generated a diff against a
> freshly downloaded linux-2.6.10 kernel. See the steps below:

You first have to go back to kernel 2.6.8, and then patch upwards to 2.6.9 and
2.6.10. Don't patch upwards from 2.6.8.1.

Jan

--
It's better to burn out than to fade away.

2005-02-25 16:56:58

by Tomasz Torcz

Subject: Re: linux-2.6.8.1 to linux-2.6.10: Kernel Patching Issues.

On Fri, Feb 25, 2005 at 11:47:23AM -0500, Lee Revell wrote:
> On Fri, 2005-02-25 at 16:40 +0000, Mark Fortescue wrote:
> > The kernel patch files patch-2.6.9 and patch-2.6.10 do not apear to be
> > correct.
>
> No, you're doing it wrong. 2.6.8.1 was a bugfix release. The correct
> patching order is 2.6.8 -> 2.6.9 -> 2.6.10.

He did patch from 2.6.8:
#v+
3) bzcat ../patch-2.6.8.1.bz2 | patch -R -p1
This gives a 2.6.8 kernel.
#v-

--
Tomasz Torcz "Never underestimate the bandwidth of a station
[email protected] wagon filled with backup tapes." -- Jim Gray

2005-02-25 17:15:01

by Tim Schmielau

Subject: Re: linux-2.6.8.1 to linux-2.6.10: Kernel Patching Issues.

On Fri, 25 Feb 2005, Mark Fortescue wrote:

> The kernel patch files patch-2.6.9 and patch-2.6.10 do not apear to be
> correct. I had some errors during patching so I generated a diff against a
> freshly downloaded linux-2.6.10 kernel. See the steps below:
>
> 1) bzcat linux-2.6.8.1.tar.bz2 | tar -xf -
> 2) cd linux-2.6.8.1
> 3) bzcat ../patch-2.6.8.1.bz2 | patch -R -p1
> This gives a 2.6.8 kernel.
>
> 4) bzcat ../patch-2.6.9.bz2 | patch -p1
> This should give a 2.6.9 kernel. The patch has two errors:
> ./net/ipv4/netfilter/ipt_ecn.c.rej
> ./net/ipv4/netfilter/ipt_tcpmss.c.rej
>
> 5) bzcat ../patch-2.6.10.bz2 | patch -p1 -f
> This should give a 2.6.10 kernel. The patch has three erros:
> ./include/linux/netfilter_ipv4/ipt_connmark.h.rej
> ./net/ipv4/netfilter/ipt_connmark.c.rej
> ./net/ipv6/netfilter/ip6t_MARK.c.rej
> 6) cd ..; mv linux-2.6.8.1 linux-2.6.10p
> 7) bzcat linux-2.6.10.tar.bz2 | tar -xf -
> 8) diff -rupN linux-2.6.10p linux-2.6.10 | tee patch-2.6.10.err

Yes, these steps should work. Actually, I just checked (copy & paste the
commands from your mail), and it works for me.

Are you sure your files are ok? md5sums for my copies of the files are

cffcd2919d9c8ef793ce1ac07a440eda linux-2.6.10.tar.bz2
98f93075c7c24e681eaf7e70783af5e4 linux-2.6.8.1.tar.gz
98b7db13a3f13199a48e89a79d2ee388 patch-2.6.10.bz2
824b7d88ab2fabc031f1a6c1e6e288ee patch-2.6.8.1.bz2
fe744cdcd31b97b803e51ad785520489 patch-2.6.9.bz2

Are you sure your filesystem works ok? Not out of quota?

Tim

2005-02-25 17:54:35

by Mark Fortescue

Subject: Re: linux-2.6.8.1 to linux-2.6.10: Kernel Patching Issues.

Hi,
Sorry for the trouble. I have worked out what is going on.

I have been using Cygwin, but I had assumed incorrectly that MS WindowsXP
SP2, like MS Windows 2000, honored mixed case filenames correctly. This is
not the case, making MS WindowsXP SP2 Pro non POSIX compliant (what a
surprise). A quick google search suggests that I am not the only person
to have issues with this.

Is there any chance that at some point in the future, the kernel filenames
will be changed so that dumb OS like MS Windows don't mess it all up ?

Regards
Mark Fortescue.

On Fri, 25 Feb 2005, Tim Schmielau wrote:

> On Fri, 25 Feb 2005, Mark Fortescue wrote:
>
> > The kernel patch files patch-2.6.9 and patch-2.6.10 do not apear to be
> > correct. I had some errors during patching so I generated a diff against a
> > freshly downloaded linux-2.6.10 kernel. See the steps below:
> >
> > 1) bzcat linux-2.6.8.1.tar.bz2 | tar -xf -
> > 2) cd linux-2.6.8.1
> > 3) bzcat ../patch-2.6.8.1.bz2 | patch -R -p1
> > This gives a 2.6.8 kernel.
> >
> > 4) bzcat ../patch-2.6.9.bz2 | patch -p1
> > This should give a 2.6.9 kernel. The patch has two errors:
> > ./net/ipv4/netfilter/ipt_ecn.c.rej
> > ./net/ipv4/netfilter/ipt_tcpmss.c.rej
> >
> > 5) bzcat ../patch-2.6.10.bz2 | patch -p1 -f
> > This should give a 2.6.10 kernel. The patch has three erros:
> > ./include/linux/netfilter_ipv4/ipt_connmark.h.rej
> > ./net/ipv4/netfilter/ipt_connmark.c.rej
> > ./net/ipv6/netfilter/ip6t_MARK.c.rej
> > 6) cd ..; mv linux-2.6.8.1 linux-2.6.10p
> > 7) bzcat linux-2.6.10.tar.bz2 | tar -xf -
> > 8) diff -rupN linux-2.6.10p linux-2.6.10 | tee patch-2.6.10.err
>
> Yes, these steps should work. Actually, I just checked (copy & paste the
> commands from your mail), and it works for me.
>
> Are you sure your files are ok? md5sums for my copies of the files are
>
> cffcd2919d9c8ef793ce1ac07a440eda linux-2.6.10.tar.bz2
> 98f93075c7c24e681eaf7e70783af5e4 linux-2.6.8.1.tar.gz
> 98b7db13a3f13199a48e89a79d2ee388 patch-2.6.10.bz2
> 824b7d88ab2fabc031f1a6c1e6e288ee patch-2.6.8.1.bz2
> fe744cdcd31b97b803e51ad785520489 patch-2.6.9.bz2
>
> Are you sure your filesystem works ok? Not out of quota?
>
> Tim
>