* [PATCH] REJECT for 2.6.9+
@ 2005-03-19  9:34 Jonas Berlin
  2005-03-19  9:46 ` Jonas Berlin
                   ` (2 more replies)
  0 siblings, 3 replies; 26+ messages in thread
From: Jonas Berlin @ 2005-03-19  9:34 UTC (permalink / raw)
  To: netfilter-devel


[-- Attachment #1.1: Type: text/plain, Size: 303 bytes --]

Because include/linux/netfilter_ipv6/ip6t_REJECT.h was removed in 2.6.9, the
pom-ng module REJECT does not apply anymore. So this patch adds a 2.6.9
branch which is identical to 2.6 except the .h file is added.

The empty patch file is there so that the original patch won't be attempted.

-- 
- xkr47


[-- Attachment #1.2: REJECT-2.6.9.patch --]
[-- Type: text/x-patch, Size: 13916 bytes --]

Index: pom/REJECT/linux-2.6.9.patch
===================================================================
Index: pom/REJECT/linux-2.6.9/include/linux/netfilter_ipv6/ip6t_REJECT.h
===================================================================
--- pom/REJECT/linux-2.6.9/include/linux/netfilter_ipv6/ip6t_REJECT.h	(revision 0)
+++ pom/REJECT/linux-2.6.9/include/linux/netfilter_ipv6/ip6t_REJECT.h	(revision 0)
@@ -0,0 +1,18 @@
+#ifndef _IP6T_REJECT_H
+#define _IP6T_REJECT_H
+
+enum ip6t_reject_with {
+	IP6T_ICMP6_NO_ROUTE,
+	IP6T_ICMP6_ADM_PROHIBITED,
+	IP6T_ICMP6_NOT_NEIGHBOUR,
+	IP6T_ICMP6_ADDR_UNREACH,
+	IP6T_ICMP6_PORT_UNREACH,
+	IP6T_ICMP6_ECHOREPLY,
+	IP6T_TCP_RESET
+};
+
+struct ip6t_reject_info {
+	enum ip6t_reject_with with;      /* reject type */
+};
+
+#endif /*_IP6T_REJECT_H*/
Index: pom/REJECT/linux-2.6.9/net/ipv6/netfilter/ip6t_REJECT.c
===================================================================
--- pom/REJECT/linux-2.6.9/net/ipv6/netfilter/ip6t_REJECT.c	(revision 0)
+++ pom/REJECT/linux-2.6.9/net/ipv6/netfilter/ip6t_REJECT.c	(revision 0)
@@ -0,0 +1,459 @@
+/*
+ * IP6 tables REJECT target module
+ * Linux INET6 implementation
+ *
+ * Copyright (C)2003 USAGI/WIDE Project
+ *
+ * Authors:
+ *	Yasuyuki Kozakai	<yasuyuki.kozakai@toshiba.co.jp>
+ *
+ * Based on net/ipv4/netfilter/ipt_REJECT.c
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/icmpv6.h>
+#include <net/ipv6.h>
+#include <net/tcp.h>
+#include <net/icmp.h>
+#include <net/ip6_checksum.h>
+#include <net/ip6_fib.h>
+#include <net/ip6_route.h>
+#include <net/flow.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_REJECT.h>
+
+MODULE_AUTHOR("Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>");
+MODULE_DESCRIPTION("IP6 tables REJECT target module");
+MODULE_LICENSE("GPL");
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+#if 0
+static void connection_attach(struct sk_buff *new_skb, struct nf_ct_info *nfct)
+{
+	void (*attach)(struct sk_buff *, struct nf_ct_info *);
+	if (nfct && (attach = ip6_ct_attach) != NULL) {
+		mb();
+		attach(new_skb, nfct);
+	}
+}
+#endif
+
+static int maybe_reroute(struct sk_buff *skb)
+{
+	if (skb->nfcache & NFC_ALTERED){
+		if (ip6_route_me_harder(skb) != 0){
+			kfree_skb(skb);
+			return -EINVAL;
+		}
+	}
+
+	return dst_output(skb);
+}
+
+/* Send RST reply */
+static void send_reset(struct sk_buff *oldskb)
+{
+	struct sk_buff *nskb;
+	struct tcphdr otcph, *tcph;
+	unsigned int otcplen, tcphoff, hh_len;
+	int needs_ack;
+	struct ipv6hdr *oip6h = oldskb->nh.ipv6h, *ip6h;
+	struct dst_entry *dst = NULL;
+	u8 proto;
+	struct flowi fl;
+	proto = oip6h->nexthdr;
+	int err;
+
+	if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
+	    (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
+		DEBUGP("ip6t_REJECT: addr is not unicast.\n");
+		return;
+	}
+
+	tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data),
+				   &proto, oldskb->len - ((u8*)(oip6h+1)
+							  - oldskb->data));
+
+	if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
+		DEBUGP("ip6t_REJECT: Can't get TCP header.\n");
+		return;
+	}
+
+	otcplen = oldskb->len - tcphoff;
+
+	/* IP header checks: fragment, too short. */
+	if ((proto != IPPROTO_TCP) || (otcplen < sizeof(struct tcphdr))) {
+		DEBUGP("ip6t_REJECT: proto(%d) != IPPROTO_TCP, or too short. otcplen = %d\n",
+			proto, otcplen);
+		return;
+	}
+
+	if (skb_copy_bits(oldskb, tcphoff, &otcph, sizeof(struct tcphdr))) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: Can't copy tcp header\n");
+		return;
+	}
+
+	/* No RST for RST. */
+	if (otcph.rst) {
+		DEBUGP("ip6t_REJECT: RST is set\n");
+		return;
+	}
+
+	/* Check checksum. */
+	if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
+			    skb_checksum(oldskb, tcphoff, otcplen, 0))) {
+		DEBUGP("ip6t_REJECT: TCP checksum is invalid\n");
+		return;
+	}
+
+	memset(&fl, 0, sizeof(fl));
+	fl.proto = IPPROTO_TCP;
+	ipv6_addr_copy(&fl.fl6_src, &oip6h->daddr);
+	ipv6_addr_copy(&fl.fl6_dst, &oip6h->saddr);
+	fl.fl_ip_sport = otcph.dest;
+	fl.fl_ip_dport = otcph.source;
+	err = ip6_dst_lookup(NULL, &dst, &fl);
+	if (err) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: can't find dst. err = %d\n", err);
+		return;
+	}
+
+	hh_len = (dst->dev->hard_header_len + 15)&~15;
+	nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
+			 + sizeof(struct tcphdr) + dst->trailer_len,
+			 GFP_ATOMIC);
+
+	if (!nskb) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: Can't alloc skb\n");
+		dst_release(dst);
+		return;
+	}
+
+	nskb->dst = dst;
+	dst_hold(dst);
+
+	skb_reserve(nskb, hh_len + dst->header_len);
+
+	ip6h = nskb->nh.ipv6h = (struct ipv6hdr *)
+					skb_put(nskb, sizeof(struct ipv6hdr));
+	ip6h->version = 6;
+	ip6h->hop_limit = dst_metric(dst, RTAX_HOPLIMIT);
+	ip6h->nexthdr = IPPROTO_TCP;
+	ip6h->payload_len = htons(sizeof(struct tcphdr));
+	ipv6_addr_copy(&ip6h->saddr, &oip6h->daddr);
+	ipv6_addr_copy(&ip6h->daddr, &oip6h->saddr);
+
+	tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
+	/* Truncate to length (no data) */
+	tcph->doff = sizeof(struct tcphdr)/4;
+	tcph->source = otcph.dest;
+	tcph->dest = otcph.source;
+
+	if (otcph.ack) {
+		needs_ack = 0;
+		tcph->seq = otcph.ack_seq;
+		tcph->ack_seq = 0;
+	} else {
+		needs_ack = 1;
+		tcph->ack_seq = htonl(ntohl(otcph.seq) + otcph.syn + otcph.fin
+				      + otcplen - (otcph.doff<<2));
+		tcph->seq = 0;
+	}
+
+	/* Reset flags */
+	((u_int8_t *)tcph)[13] = 0;
+	tcph->rst = 1;
+	tcph->ack = needs_ack;
+	tcph->window = 0;
+	tcph->urg_ptr = 0;
+	tcph->check = 0;
+
+	/* Adjust TCP checksum */
+	tcph->check = csum_ipv6_magic(&nskb->nh.ipv6h->saddr,
+				      &nskb->nh.ipv6h->daddr,
+				      sizeof(struct tcphdr), IPPROTO_TCP,
+				      csum_partial((char *)tcph,
+						   sizeof(struct tcphdr), 0));
+
+#if 0
+	connection_attach(nskb, oldskb->nfct);
+#endif
+
+	NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
+		maybe_reroute);
+
+	dst_release(dst);
+}
+
+static void send_unreach(struct sk_buff *skb_in, unsigned char code)
+{
+	struct ipv6hdr *ip6h, *hdr = skb_in->nh.ipv6h;
+	struct icmp6hdr *icmp6h;
+	struct dst_entry *dst = NULL;
+	struct rt6_info *rt;
+	int tmo;
+	__u32 csum;
+	unsigned int len, datalen, hh_len;
+	int saddr_type, daddr_type;
+	unsigned int ptr, ip6off;
+	u8 proto;
+	struct flowi fl;
+	struct sk_buff *nskb;
+	char *data;
+
+	saddr_type = ipv6_addr_type(&hdr->saddr);
+	daddr_type = ipv6_addr_type(&hdr->daddr);
+
+	if ((!(saddr_type & IPV6_ADDR_UNICAST)) ||
+	    (!(daddr_type & IPV6_ADDR_UNICAST))) {
+		DEBUGP("ip6t_REJECT: addr is not unicast.\n");
+		return;
+	}
+
+	ip6off = skb_in->nh.raw - skb_in->data;
+	proto = hdr->nexthdr;
+	ptr = ipv6_skip_exthdr(skb_in, ip6off + sizeof(struct ipv6hdr), &proto,
+			       skb_in->len - ip6off);
+
+	if ((ptr < 0) || (ptr > skb_in->len)) {
+		ptr = ip6off + sizeof(struct ipv6hdr);
+		proto = hdr->nexthdr;
+	} else if (proto == IPPROTO_ICMPV6) {
+                u8 type;
+
+                if (skb_copy_bits(skb_in, ptr + offsetof(struct icmp6hdr,
+						      icmp6_type), &type, 1)) {
+			DEBUGP("ip6t_REJECT: Can't get ICMPv6 type\n");
+			return;
+		}
+
+		if (!(type & ICMPV6_INFOMSG_MASK)) {
+			DEBUGP("ip6t_REJECT: no reply to icmp error\n");
+			return;
+		}
+        } else if (proto == IPPROTO_UDP) {
+		int plen = skb_in->len - (ptr - ip6off);
+		uint16_t check;
+
+		if (plen < sizeof(struct udphdr)) {
+			DEBUGP("ip6t_REJECT: too short\n");
+			return;
+		}
+
+		if (skb_copy_bits(skb_in, ptr + offsetof(struct udphdr, check),
+				  &check, 2)) {
+			if (net_ratelimit())
+				printk("ip6t_REJECT: can't get copy from skb");
+			return;
+		}
+
+		if (check &&
+		    csum_ipv6_magic(&hdr->saddr, &hdr->daddr, plen,
+				    IPPROTO_UDP,
+				    skb_checksum(skb_in, ptr, plen, 0))) {
+			DEBUGP("ip6t_REJECT: UDP checksum is invalid.\n");
+			return;
+		}
+	}
+
+	memset(&fl, 0, sizeof(fl));
+	fl.proto = IPPROTO_ICMPV6;
+	ipv6_addr_copy(&fl.fl6_src, &hdr->daddr);
+	ipv6_addr_copy(&fl.fl6_dst, &hdr->saddr);
+	fl.fl_icmp_type = ICMPV6_DEST_UNREACH;
+	fl.fl_icmp_code = code;
+
+	if (ip6_dst_lookup(NULL, &dst, &fl)) {
+		return;
+	}
+
+	rt = (struct rt6_info *)dst;
+	tmo = 1*HZ;
+
+	if (rt->rt6i_dst.plen < 128)
+		tmo >>= ((128 - rt->rt6i_dst.plen)>>5);
+
+	if (!xrlim_allow(dst, tmo)) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: rate limitted\n");
+		goto dst_release_out;
+	}
+
+	len = skb_in->len + sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr);
+
+	if (len > dst_pmtu(dst))
+		len = dst_pmtu(dst);
+	if (len > IPV6_MIN_MTU)
+		len = IPV6_MIN_MTU;
+
+	datalen = len - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr);
+	hh_len = (rt->u.dst.dev->hard_header_len + 15)&~15;
+
+	nskb = alloc_skb(hh_len + 15 + dst->header_len + dst->trailer_len + len,
+			 GFP_ATOMIC);
+
+	if (!nskb) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: can't alloc skb\n");
+		goto dst_release_out;
+	}
+
+	nskb->priority = 0;
+	nskb->dst = dst;
+	dst_hold(dst);
+
+	skb_reserve(nskb, hh_len + dst->header_len);
+
+	ip6h = nskb->nh.ipv6h = (struct ipv6hdr *)
+					skb_put(nskb, sizeof(struct ipv6hdr));
+	ip6h->version = 6;
+	ip6h->hop_limit = dst_metric(dst, RTAX_HOPLIMIT);
+	ip6h->nexthdr = IPPROTO_ICMPV6;
+	ip6h->payload_len = htons(datalen + sizeof(struct icmp6hdr));
+	ipv6_addr_copy(&ip6h->saddr, &hdr->daddr);
+	ipv6_addr_copy(&ip6h->daddr, &hdr->saddr);
+
+	icmp6h = (struct icmp6hdr *) skb_put(nskb, sizeof(struct icmp6hdr));
+	icmp6h->icmp6_type = ICMPV6_DEST_UNREACH;
+	icmp6h->icmp6_code = code;
+	icmp6h->icmp6_cksum = 0;
+
+	data = skb_put(nskb, datalen);
+
+	csum = csum_partial((unsigned char *)icmp6h, sizeof(struct icmp6hdr), 0);
+	csum = skb_copy_and_csum_bits(skb_in, ip6off, data, datalen, csum);
+	icmp6h->icmp6_cksum = csum_ipv6_magic(&hdr->saddr, &hdr->daddr,
+					     datalen + sizeof(struct icmp6hdr),
+					     IPPROTO_ICMPV6, csum);
+
+#if 0
+	connection_attach(nskb, skb_in->nfct);
+#endif
+	NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
+		maybe_reroute);
+
+dst_release_out:
+	dst_release(dst);
+}
+
+static unsigned int reject6_target(struct sk_buff **pskb,
+			   unsigned int hooknum,
+			   const struct net_device *in,
+			   const struct net_device *out,
+			   const void *targinfo,
+			   void *userinfo)
+{
+	const struct ip6t_reject_info *reject = targinfo;
+
+	DEBUGP(KERN_DEBUG "%s: medium point\n", __FUNCTION__);
+	/* WARNING: This code causes reentry within ip6tables.
+	   This means that the ip6tables jump stack is now crap.  We
+	   must return an absolute verdict. --RR */
+    	switch (reject->with) {
+    	case IP6T_ICMP6_NO_ROUTE:
+    		send_unreach(*pskb, ICMPV6_NOROUTE);
+    		break;
+    	case IP6T_ICMP6_ADM_PROHIBITED:
+    		send_unreach(*pskb, ICMPV6_ADM_PROHIBITED);
+    		break;
+    	case IP6T_ICMP6_NOT_NEIGHBOUR:
+    		send_unreach(*pskb, ICMPV6_NOT_NEIGHBOUR);
+    		break;
+    	case IP6T_ICMP6_ADDR_UNREACH:
+    		send_unreach(*pskb, ICMPV6_ADDR_UNREACH);
+    		break;
+    	case IP6T_ICMP6_PORT_UNREACH:
+    		send_unreach(*pskb, ICMPV6_PORT_UNREACH);
+    		break;
+    	case IP6T_ICMP6_ECHOREPLY:
+		/* Do nothing */
+		break;
+	case IP6T_TCP_RESET:
+		send_reset(*pskb);
+		break;
+	default:
+		if (net_ratelimit())
+			printk(KERN_WARNING "ip6t_REJECT: case %u not handled yet\n", reject->with);
+		break;
+	}
+
+	return NF_DROP;
+}
+
+static int check(const char *tablename,
+		 const struct ip6t_entry *e,
+		 void *targinfo,
+		 unsigned int targinfosize,
+		 unsigned int hook_mask)
+{
+ 	const struct ip6t_reject_info *rejinfo = targinfo;
+
+ 	if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_reject_info))) {
+  		DEBUGP("ip6t_REJECT: targinfosize %u != 0\n", targinfosize);
+  		return 0;
+  	}
+
+	/* Only allow these for packet filtering. */
+	if (strcmp(tablename, "filter") != 0) {
+		DEBUGP("ip6t_REJECT: bad table `%s'.\n", tablename);
+		return 0;
+	}
+
+	if ((hook_mask & ~((1 << NF_IP6_LOCAL_IN)
+			   | (1 << NF_IP6_FORWARD)
+			   | (1 << NF_IP6_LOCAL_OUT))) != 0) {
+		DEBUGP("ip6t_REJECT: bad hook mask %X\n", hook_mask);
+		return 0;
+	}
+
+	if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
+		printk("ip6t_REJECT: ECHOREPLY is not supported.\n");
+		return 0;
+	} else if (rejinfo->with == IP6T_TCP_RESET) {
+		/* Must specify that it's a TCP packet */
+		if (e->ipv6.proto != IPPROTO_TCP
+		    || (e->ipv6.invflags & IP6T_INV_PROTO)) {
+			DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
+			return 0;
+		}
+	}
+
+	return 1;
+}
+
+static struct ip6t_target ip6t_reject_reg = {
+	.name		= "REJECT",
+	.target		= reject6_target,
+	.checkentry	= check,
+	.me		= THIS_MODULE
+};
+
+static int __init init(void)
+{
+	if (ip6t_register_target(&ip6t_reject_reg))
+		return -EINVAL;
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ip6t_unregister_target(&ip6t_reject_reg);
+}
+
+module_init(init);
+module_exit(fini);
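Review bot: The `tcphoff < 0` test following ipv6_skip_exthdr() in send_reset(), and the matching `ptr < 0` test in send_unreach(), can never be true because both variables are declared `unsigned int`; the -1 failure return is caught only because it wraps to UINT_MAX and trips the `> len` comparison, which -Wtype-limits flags as dead code. Keep the result in a signed local and test it before converting, e.g. `int off = ipv6_skip_exthdr(oldskb, ..., &proto, ...); if (off < 0 || off > oldskb->len) return; tcphoff = off;`, and likewise for `ptr`. In send_reset() the statement `proto = oip6h->nexthdr;` also sits before the `int err;` declaration, a mixed declaration that -Wdeclaration-after-statement rejects; move the assignment below the declarations. The UDP branch of send_unreach() derives `plen` as `skb_in->len - (ptr - ip6off)` although `ptr` is already an offset from skb->data, so `plen` looks `ip6off` bytes too long whenever the network header is not at skb->data — worth confirming against the offset convention of ipv6_skip_exthdr() before that length reaches skb_checksum(). The same file is resent verbatim in the follow-up message below, so the remarks apply to that copy as well.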
Index: pom/REJECT/linux-2.6.9/net/ipv6/netfilter/Kconfig.ladd
===================================================================
--- pom/REJECT/linux-2.6.9/net/ipv6/netfilter/Kconfig.ladd	(revision 0)
+++ pom/REJECT/linux-2.6.9/net/ipv6/netfilter/Kconfig.ladd	(revision 0)
@@ -0,0 +1,10 @@
+config IP6_NF_TARGET_REJECT
+	tristate  'REJECT target support'
+	depends on IP6_NF_FILTER
+	help
+	  The REJECT target allows a filtering rule to specify that an ICMPv6
+	  error should be issued in response to an incoming packet, rather
+	  than silently being dropped.
+	
+	  If you want to compile it as a module, say M here and read
+	  Documentation/modules.txt.  If unsure, say `N'.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* Re: [PATCH] REJECT for 2.6.9+
  2005-03-19  9:34 [PATCH] REJECT for 2.6.9+ Jonas Berlin
@ 2005-03-19  9:46 ` Jonas Berlin
  2005-03-20 16:11   ` building libctnetlink Just another UFO mechanic
  2005-03-19 10:50 ` [PATCH] REJECT for 2.6.9+ Jonas Berlin
  2005-03-20 16:15 ` Patrick McHardy
  2 siblings, 1 reply; 26+ messages in thread
From: Jonas Berlin @ 2005-03-19  9:46 UTC (permalink / raw)
  To: netfilter-devel


[-- Attachment #1.1: Type: text/plain, Size: 457 bytes --]

Jonas Berlin wrote:

> Because include/linux/netfilter_ipv6/ip6t_REJECT.h was removed in 2.6.9, 
> the
> pom-ng module REJECT does not apply anymore. So this patch adds a 2.6.9
> branch which is identical to 2.6 except the .h file is added.
> 
> The empty patch file is there so that the original patch won't be 
> attempted.

Retry; enigmail produced a badly signed mail.. :/

-- 
- xkr47

(enigmail temporary hack to make mail 8-bit: åäö)

[-- Attachment #1.2: REJECT-2.6.9.patch --]
[-- Type: text/x-patch, Size: 13915 bytes --]

Index: pom/REJECT/linux-2.6.9.patch
===================================================================
Index: pom/REJECT/linux-2.6.9/include/linux/netfilter_ipv6/ip6t_REJECT.h
===================================================================
--- pom/REJECT/linux-2.6.9/include/linux/netfilter_ipv6/ip6t_REJECT.h	(revision 0)
+++ pom/REJECT/linux-2.6.9/include/linux/netfilter_ipv6/ip6t_REJECT.h	(revision 0)
@@ -0,0 +1,18 @@
+#ifndef _IP6T_REJECT_H
+#define _IP6T_REJECT_H
+
+enum ip6t_reject_with {
+	IP6T_ICMP6_NO_ROUTE,
+	IP6T_ICMP6_ADM_PROHIBITED,
+	IP6T_ICMP6_NOT_NEIGHBOUR,
+	IP6T_ICMP6_ADDR_UNREACH,
+	IP6T_ICMP6_PORT_UNREACH,
+	IP6T_ICMP6_ECHOREPLY,
+	IP6T_TCP_RESET
+};
+
+struct ip6t_reject_info {
+	enum ip6t_reject_with with;      /* reject type */
+};
+
+#endif /*_IP6T_REJECT_H*/
Index: pom/REJECT/linux-2.6.9/net/ipv6/netfilter/ip6t_REJECT.c
===================================================================
--- pom/REJECT/linux-2.6.9/net/ipv6/netfilter/ip6t_REJECT.c	(revision 0)
+++ pom/REJECT/linux-2.6.9/net/ipv6/netfilter/ip6t_REJECT.c	(revision 0)
@@ -0,0 +1,459 @@
+/*
+ * IP6 tables REJECT target module
+ * Linux INET6 implementation
+ *
+ * Copyright (C)2003 USAGI/WIDE Project
+ *
+ * Authors:
+ *	Yasuyuki Kozakai	<yasuyuki.kozakai@toshiba.co.jp>
+ *
+ * Based on net/ipv4/netfilter/ipt_REJECT.c
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/icmpv6.h>
+#include <net/ipv6.h>
+#include <net/tcp.h>
+#include <net/icmp.h>
+#include <net/ip6_checksum.h>
+#include <net/ip6_fib.h>
+#include <net/ip6_route.h>
+#include <net/flow.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_REJECT.h>
+
+MODULE_AUTHOR("Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>");
+MODULE_DESCRIPTION("IP6 tables REJECT target module");
+MODULE_LICENSE("GPL");
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+#if 0
+static void connection_attach(struct sk_buff *new_skb, struct nf_ct_info *nfct)
+{
+	void (*attach)(struct sk_buff *, struct nf_ct_info *);
+	if (nfct && (attach = ip6_ct_attach) != NULL) {
+		mb();
+		attach(new_skb, nfct);
+	}
+}
+#endif
+
+static int maybe_reroute(struct sk_buff *skb)
+{
+	if (skb->nfcache & NFC_ALTERED){
+		if (ip6_route_me_harder(skb) != 0){
+			kfree_skb(skb);
+			return -EINVAL;
+		}
+	}
+
+	return dst_output(skb);
+}
+
+/* Send RST reply */
+static void send_reset(struct sk_buff *oldskb)
+{
+	struct sk_buff *nskb;
+	struct tcphdr otcph, *tcph;
+	unsigned int otcplen, tcphoff, hh_len;
+	int needs_ack;
+	struct ipv6hdr *oip6h = oldskb->nh.ipv6h, *ip6h;
+	struct dst_entry *dst = NULL;
+	u8 proto;
+	struct flowi fl;
+	proto = oip6h->nexthdr;
+	int err;
+
+	if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
+	    (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
+		DEBUGP("ip6t_REJECT: addr is not unicast.\n");
+		return;
+	}
+
+	tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data),
+				   &proto, oldskb->len - ((u8*)(oip6h+1)
+							  - oldskb->data));
+
+	if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
+		DEBUGP("ip6t_REJECT: Can't get TCP header.\n");
+		return;
+	}
+
+	otcplen = oldskb->len - tcphoff;
+
+	/* IP header checks: fragment, too short. */
+	if ((proto != IPPROTO_TCP) || (otcplen < sizeof(struct tcphdr))) {
+		DEBUGP("ip6t_REJECT: proto(%d) != IPPROTO_TCP, or too short. otcplen = %d\n",
+			proto, otcplen);
+		return;
+	}
+
+	if (skb_copy_bits(oldskb, tcphoff, &otcph, sizeof(struct tcphdr))) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: Can't copy tcp header\n");
+		return;
+	}
+
+	/* No RST for RST. */
+	if (otcph.rst) {
+		DEBUGP("ip6t_REJECT: RST is set\n");
+		return;
+	}
+
+	/* Check checksum. */
+	if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
+			    skb_checksum(oldskb, tcphoff, otcplen, 0))) {
+		DEBUGP("ip6t_REJECT: TCP checksum is invalid\n");
+		return;
+	}
+
+	memset(&fl, 0, sizeof(fl));
+	fl.proto = IPPROTO_TCP;
+	ipv6_addr_copy(&fl.fl6_src, &oip6h->daddr);
+	ipv6_addr_copy(&fl.fl6_dst, &oip6h->saddr);
+	fl.fl_ip_sport = otcph.dest;
+	fl.fl_ip_dport = otcph.source;
+	err = ip6_dst_lookup(NULL, &dst, &fl);
+	if (err) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: can't find dst. err = %d\n", err);
+		return;
+	}
+
+	hh_len = (dst->dev->hard_header_len + 15)&~15;
+	nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
+			 + sizeof(struct tcphdr) + dst->trailer_len,
+			 GFP_ATOMIC);
+
+	if (!nskb) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: Can't alloc skb\n");
+		dst_release(dst);
+		return;
+	}
+
+	nskb->dst = dst;
+	dst_hold(dst);
+
+	skb_reserve(nskb, hh_len + dst->header_len);
+
+	ip6h = nskb->nh.ipv6h = (struct ipv6hdr *)
+					skb_put(nskb, sizeof(struct ipv6hdr));
+	ip6h->version = 6;
+	ip6h->hop_limit = dst_metric(dst, RTAX_HOPLIMIT);
+	ip6h->nexthdr = IPPROTO_TCP;
+	ip6h->payload_len = htons(sizeof(struct tcphdr));
+	ipv6_addr_copy(&ip6h->saddr, &oip6h->daddr);
+	ipv6_addr_copy(&ip6h->daddr, &oip6h->saddr);
+
+	tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
+	/* Truncate to length (no data) */
+	tcph->doff = sizeof(struct tcphdr)/4;
+	tcph->source = otcph.dest;
+	tcph->dest = otcph.source;
+
+	if (otcph.ack) {
+		needs_ack = 0;
+		tcph->seq = otcph.ack_seq;
+		tcph->ack_seq = 0;
+	} else {
+		needs_ack = 1;
+		tcph->ack_seq = htonl(ntohl(otcph.seq) + otcph.syn + otcph.fin
+				      + otcplen - (otcph.doff<<2));
+		tcph->seq = 0;
+	}
+
+	/* Reset flags */
+	((u_int8_t *)tcph)[13] = 0;
+	tcph->rst = 1;
+	tcph->ack = needs_ack;
+	tcph->window = 0;
+	tcph->urg_ptr = 0;
+	tcph->check = 0;
+
+	/* Adjust TCP checksum */
+	tcph->check = csum_ipv6_magic(&nskb->nh.ipv6h->saddr,
+				      &nskb->nh.ipv6h->daddr,
+				      sizeof(struct tcphdr), IPPROTO_TCP,
+				      csum_partial((char *)tcph,
+						   sizeof(struct tcphdr), 0));
+
+#if 0
+	connection_attach(nskb, oldskb->nfct);
+#endif
+
+	NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
+		maybe_reroute);
+
+	dst_release(dst);
+}
+
+static void send_unreach(struct sk_buff *skb_in, unsigned char code)
+{
+	struct ipv6hdr *ip6h, *hdr = skb_in->nh.ipv6h;
+	struct icmp6hdr *icmp6h;
+	struct dst_entry *dst = NULL;
+	struct rt6_info *rt;
+	int tmo;
+	__u32 csum;
+	unsigned int len, datalen, hh_len;
+	int saddr_type, daddr_type;
+	unsigned int ptr, ip6off;
+	u8 proto;
+	struct flowi fl;
+	struct sk_buff *nskb;
+	char *data;
+
+	saddr_type = ipv6_addr_type(&hdr->saddr);
+	daddr_type = ipv6_addr_type(&hdr->daddr);
+
+	if ((!(saddr_type & IPV6_ADDR_UNICAST)) ||
+	    (!(daddr_type & IPV6_ADDR_UNICAST))) {
+		DEBUGP("ip6t_REJECT: addr is not unicast.\n");
+		return;
+	}
+
+	ip6off = skb_in->nh.raw - skb_in->data;
+	proto = hdr->nexthdr;
+	ptr = ipv6_skip_exthdr(skb_in, ip6off + sizeof(struct ipv6hdr), &proto,
+			       skb_in->len - ip6off);
+
+	if ((ptr < 0) || (ptr > skb_in->len)) {
+		ptr = ip6off + sizeof(struct ipv6hdr);
+		proto = hdr->nexthdr;
+	} else if (proto == IPPROTO_ICMPV6) {
+                u8 type;
+
+                if (skb_copy_bits(skb_in, ptr + offsetof(struct icmp6hdr,
+						      icmp6_type), &type, 1)) {
+			DEBUGP("ip6t_REJECT: Can't get ICMPv6 type\n");
+			return;
+		}
+
+		if (!(type & ICMPV6_INFOMSG_MASK)) {
+			DEBUGP("ip6t_REJECT: no reply to icmp error\n");
+			return;
+		}
+        } else if (proto == IPPROTO_UDP) {
+		int plen = skb_in->len - (ptr - ip6off);
+		uint16_t check;
+
+		if (plen < sizeof(struct udphdr)) {
+			DEBUGP("ip6t_REJECT: too short\n");
+			return;
+		}
+
+		if (skb_copy_bits(skb_in, ptr + offsetof(struct udphdr, check),
+				  &check, 2)) {
+			if (net_ratelimit())
+				printk("ip6t_REJECT: can't get copy from skb");
+			return;
+		}
+
+		if (check &&
+		    csum_ipv6_magic(&hdr->saddr, &hdr->daddr, plen,
+				    IPPROTO_UDP,
+				    skb_checksum(skb_in, ptr, plen, 0))) {
+			DEBUGP("ip6t_REJECT: UDP checksum is invalid.\n");
+			return;
+		}
+	}
+
+	memset(&fl, 0, sizeof(fl));
+	fl.proto = IPPROTO_ICMPV6;
+	ipv6_addr_copy(&fl.fl6_src, &hdr->daddr);
+	ipv6_addr_copy(&fl.fl6_dst, &hdr->saddr);
+	fl.fl_icmp_type = ICMPV6_DEST_UNREACH;
+	fl.fl_icmp_code = code;
+
+	if (ip6_dst_lookup(NULL, &dst, &fl)) {
+		return;
+	}
+
+	rt = (struct rt6_info *)dst;
+	tmo = 1*HZ;
+
+	if (rt->rt6i_dst.plen < 128)
+		tmo >>= ((128 - rt->rt6i_dst.plen)>>5);
+
+	if (!xrlim_allow(dst, tmo)) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: rate limitted\n");
+		goto dst_release_out;
+	}
+
+	len = skb_in->len + sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr);
+
+	if (len > dst_pmtu(dst))
+		len = dst_pmtu(dst);
+	if (len > IPV6_MIN_MTU)
+		len = IPV6_MIN_MTU;
+
+	datalen = len - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr);
+	hh_len = (rt->u.dst.dev->hard_header_len + 15)&~15;
+
+	nskb = alloc_skb(hh_len + 15 + dst->header_len + dst->trailer_len + len,
+			 GFP_ATOMIC);
+
+	if (!nskb) {
+		if (net_ratelimit())
+			printk("ip6t_REJECT: can't alloc skb\n");
+		goto dst_release_out;
+	}
+
+	nskb->priority = 0;
+	nskb->dst = dst;
+	dst_hold(dst);
+
+	skb_reserve(nskb, hh_len + dst->header_len);
+
+	ip6h = nskb->nh.ipv6h = (struct ipv6hdr *)
+					skb_put(nskb, sizeof(struct ipv6hdr));
+	ip6h->version = 6;
+	ip6h->hop_limit = dst_metric(dst, RTAX_HOPLIMIT);
+	ip6h->nexthdr = IPPROTO_ICMPV6;
+	ip6h->payload_len = htons(datalen + sizeof(struct icmp6hdr));
+	ipv6_addr_copy(&ip6h->saddr, &hdr->daddr);
+	ipv6_addr_copy(&ip6h->daddr, &hdr->saddr);
+
+	icmp6h = (struct icmp6hdr *) skb_put(nskb, sizeof(struct icmp6hdr));
+	icmp6h->icmp6_type = ICMPV6_DEST_UNREACH;
+	icmp6h->icmp6_code = code;
+	icmp6h->icmp6_cksum = 0;
+
+	data = skb_put(nskb, datalen);
+
+	csum = csum_partial((unsigned char *)icmp6h, sizeof(struct icmp6hdr), 0);
+	csum = skb_copy_and_csum_bits(skb_in, ip6off, data, datalen, csum);
+	icmp6h->icmp6_cksum = csum_ipv6_magic(&hdr->saddr, &hdr->daddr,
+					     datalen + sizeof(struct icmp6hdr),
+					     IPPROTO_ICMPV6, csum);
+
+#if 0
+	connection_attach(nskb, skb_in->nfct);
+#endif
+	NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
+		maybe_reroute);
+
+dst_release_out:
+	dst_release(dst);
+}
+
+static unsigned int reject6_target(struct sk_buff **pskb,
+			   unsigned int hooknum,
+			   const struct net_device *in,
+			   const struct net_device *out,
+			   const void *targinfo,
+			   void *userinfo)
+{
+	const struct ip6t_reject_info *reject = targinfo;
+
+	DEBUGP(KERN_DEBUG "%s: medium point\n", __FUNCTION__);
+	/* WARNING: This code causes reentry within ip6tables.
+	   This means that the ip6tables jump stack is now crap.  We
+	   must return an absolute verdict. --RR */
+    	switch (reject->with) {
+    	case IP6T_ICMP6_NO_ROUTE:
+    		send_unreach(*pskb, ICMPV6_NOROUTE);
+    		break;
+    	case IP6T_ICMP6_ADM_PROHIBITED:
+    		send_unreach(*pskb, ICMPV6_ADM_PROHIBITED);
+    		break;
+    	case IP6T_ICMP6_NOT_NEIGHBOUR:
+    		send_unreach(*pskb, ICMPV6_NOT_NEIGHBOUR);
+    		break;
+    	case IP6T_ICMP6_ADDR_UNREACH:
+    		send_unreach(*pskb, ICMPV6_ADDR_UNREACH);
+    		break;
+    	case IP6T_ICMP6_PORT_UNREACH:
+    		send_unreach(*pskb, ICMPV6_PORT_UNREACH);
+    		break;
+    	case IP6T_ICMP6_ECHOREPLY:
+		/* Do nothing */
+		break;
+	case IP6T_TCP_RESET:
+		send_reset(*pskb);
+		break;
+	default:
+		if (net_ratelimit())
+			printk(KERN_WARNING "ip6t_REJECT: case %u not handled yet\n", reject->with);
+		break;
+	}
+
+	return NF_DROP;
+}
+
+static int check(const char *tablename,
+		 const struct ip6t_entry *e,
+		 void *targinfo,
+		 unsigned int targinfosize,
+		 unsigned int hook_mask)
+{
+ 	const struct ip6t_reject_info *rejinfo = targinfo;
+
+ 	if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_reject_info))) {
+  		DEBUGP("ip6t_REJECT: targinfosize %u != 0\n", targinfosize);
+  		return 0;
+  	}
+
+	/* Only allow these for packet filtering. */
+	if (strcmp(tablename, "filter") != 0) {
+		DEBUGP("ip6t_REJECT: bad table `%s'.\n", tablename);
+		return 0;
+	}
+
+	if ((hook_mask & ~((1 << NF_IP6_LOCAL_IN)
+			   | (1 << NF_IP6_FORWARD)
+			   | (1 << NF_IP6_LOCAL_OUT))) != 0) {
+		DEBUGP("ip6t_REJECT: bad hook mask %X\n", hook_mask);
+		return 0;
+	}
+
+	if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
+		printk("ip6t_REJECT: ECHOREPLY is not supported.\n");
+		return 0;
+	} else if (rejinfo->with == IP6T_TCP_RESET) {
+		/* Must specify that it's a TCP packet */
+		if (e->ipv6.proto != IPPROTO_TCP
+		    || (e->ipv6.invflags & IP6T_INV_PROTO)) {
+			DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
+			return 0;
+		}
+	}
+
+	return 1;
+}
+
+static struct ip6t_target ip6t_reject_reg = {
+	.name		= "REJECT",
+	.target		= reject6_target,
+	.checkentry	= check,
+	.me		= THIS_MODULE
+};
+
+static int __init init(void)
+{
+	if (ip6t_register_target(&ip6t_reject_reg))
+		return -EINVAL;
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ip6t_unregister_target(&ip6t_reject_reg);
+}
+
+module_init(init);
+module_exit(fini);
Index: pom/REJECT/linux-2.6.9/net/ipv6/netfilter/Kconfig.ladd
===================================================================
--- pom/REJECT/linux-2.6.9/net/ipv6/netfilter/Kconfig.ladd	(revision 0)
+++ pom/REJECT/linux-2.6.9/net/ipv6/netfilter/Kconfig.ladd	(revision 0)
@@ -0,0 +1,10 @@
+config IP6_NF_TARGET_REJECT
+	tristate  'REJECT target support'
+	depends on IP6_NF_FILTER
+	help
+	  The REJECT target allows a filtering rule to specify that an ICMPv6
+	  error should be issued in response to an incoming packet, rather
+	  than silently being dropped.
+	
+	  If you want to compile it as a module, say M here and read
+	  Documentation/modules.txt.  If unsure, say `N'.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* Re: [PATCH] REJECT for 2.6.9+
  2005-03-19  9:34 [PATCH] REJECT for 2.6.9+ Jonas Berlin
  2005-03-19  9:46 ` Jonas Berlin
@ 2005-03-19 10:50 ` Jonas Berlin
  2005-03-20 16:15 ` Patrick McHardy
  2 siblings, 0 replies; 26+ messages in thread
From: Jonas Berlin @ 2005-03-19 10:50 UTC (permalink / raw)
  To: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 346 bytes --]

Jonas Berlin wrote:

> Because include/linux/netfilter_ipv6/ip6t_REJECT.h was removed in 2.6.9, 

This seems to be a bug in python, which is used by mailman, which is used by 
netfilter-devel.

http://sourceforge.net/tracker/index.php?func=detail&aid=968430&group_id=5470&atid=105470

And there seems to be no activity on the bug :P

-- 
- xkr47

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* building libctnetlink
  2005-03-19  9:46 ` Jonas Berlin
@ 2005-03-20 16:11   ` Just another UFO mechanic
  2005-03-20 16:17     ` Just another UFO mechanic
  0 siblings, 1 reply; 26+ messages in thread
From: Just another UFO mechanic @ 2005-03-20 16:11 UTC (permalink / raw)
  To: netfilter-devel

Hi

    I have tried to build libctnetlink. I got the current version using svn,
but as there is no README I do not know how to build it. I had a look around and
thought that running ltmain compile should work, but I am just poking around in
the dark. I realize it is pre-release, but I would like to contribute where
possible. Can someone point me in the right direction?


Thanks
Danke
TchuB



Aside -------
Also note that the svn link from the website does not work: svn replies "unknown URL".
Use http rather than https instead.

You can access the <a>Subversion</a> server in two ways. For casual
browsing, you can use the ViewCVS web interface. To grab the latest
sources, you can do the following: 

      * Check out the iptables code using: 
        svn co https://svn.netfilter.org/netfilter/trunk/iptables


* Re: [PATCH] REJECT for 2.6.9+
  2005-03-19  9:34 [PATCH] REJECT for 2.6.9+ Jonas Berlin
  2005-03-19  9:46 ` Jonas Berlin
  2005-03-19 10:50 ` [PATCH] REJECT for 2.6.9+ Jonas Berlin
@ 2005-03-20 16:15 ` Patrick McHardy
  2005-03-21 20:51   ` Jonas Berlin
  2005-03-30  2:05   ` Yasuyuki KOZAKAI
  2 siblings, 2 replies; 26+ messages in thread
From: Patrick McHardy @ 2005-03-20 16:15 UTC (permalink / raw)
  To: Jonas Berlin; +Cc: netfilter-devel

Jonas Berlin wrote:
> Because include/linux/netfilter_ipv6/ip6t_REJECT.h was removed in 2.6.9, 
> the
> pom-ng module REJECT does not apply anymore. So this patch adds a 2.6.9
> branch which is identical to 2.6 except the .h file is added.
> 
> The empty patch file is there so that the original patch won't be 
> attempted.

Why add a new branch instead of simply restoring that file?
Even better, I think I'm simply going to submit the IPv6
REJECT target if nobody objects.

Regards
Patrick


* Re: building libctnetlink
  2005-03-20 16:11   ` building libctnetlink Just another UFO mechanic
@ 2005-03-20 16:17     ` Just another UFO mechanic
  2005-03-20 22:29       ` Pablo Neira
  0 siblings, 1 reply; 26+ messages in thread
From: Just another UFO mechanic @ 2005-03-20 16:17 UTC (permalink / raw)
  To: netfilter-devel


On Sun, 2005-03-20 at 16:11, Just another UFO mechanic wrote:
> Hi
> 
>     I have tried to build libctnetlink I have got the current version using svn
> as there is no README i do not know how to build it. I had a look around and
> thought by running ltmain compile should work. But I am just poking around in 
> the dark. I realize it is pre release but I would like to contribute where 
> possible. Can someone point me off in the right direction.
> 
> 
> Thanks
> Danke
> TchuB
> 
> 
> 
> Aside -------
> Also note svn from the website link does not work svn replies unknown URL 
> instead use http rather than https
> 
> You can access the <a>Subversion</a> server in two ways. For casual
> browsing, you can use the ViewCVS web interface. To grab the latest
> sources, you can do the following: 
> 
>       * Check out the iptables code using: 
>         svn co https://svn.netfilter.org/netfilter/trunk/iptables

Is it possible that libctnetlink is missing the configure script?


* Re: building libctnetlink
  2005-03-20 16:17     ` Just another UFO mechanic
@ 2005-03-20 22:29       ` Pablo Neira
  2005-03-21 13:36         ` Just another UFO mechanic
  0 siblings, 1 reply; 26+ messages in thread
From: Pablo Neira @ 2005-03-20 22:29 UTC (permalink / raw)
  To: oscar; +Cc: netfilter-devel

Just another UFO mechanic wrote:
> Is it possible the libctnetlink is missing the configure script ?

just type autoconf and it will generate it.

--
Pablo


* Re: building libctnetlink
  2005-03-20 22:29       ` Pablo Neira
@ 2005-03-21 13:36         ` Just another UFO mechanic
  2005-03-21 17:12           ` Pablo Neira
  0 siblings, 1 reply; 26+ messages in thread
From: Just another UFO mechanic @ 2005-03-21 13:36 UTC (permalink / raw)
  To: Pablo Neira; +Cc: netfilter-devel


On Sun, 2005-03-20 at 22:29, Pablo Neira wrote:
> Just another UFO mechanic wrote:
> > Is it possible the libctnetlink is missing the configure script ?
> 
> just type autoconf and it will generate it.
> 
> --
> Pablo

Hi 
    Thanks, but when I run autoconf it creates the configure script; then,
when I run configure, it says:

creating libtool
configure: creating ./config.status
config.status: creating Makefile
config.status: error: cannot find input file: Makefile.in


Version
autoconf -V
autoconf (GNU Autoconf) 2.57

Any ideas ?

Thanks


* Re: building libctnetlink
  2005-03-21 13:36         ` Just another UFO mechanic
@ 2005-03-21 17:12           ` Pablo Neira
  2005-03-24 12:35             ` Just another UFO mechanic
  2005-03-26 12:31             ` Wichert Akkerman
  0 siblings, 2 replies; 26+ messages in thread
From: Pablo Neira @ 2005-03-21 17:12 UTC (permalink / raw)
  To: oscar; +Cc: netfilter-devel

Just another UFO mechanic wrote:
> Hi 
>     Thanks but when I run autoconf it creates the configure script then
> when I run configure it says 
> 
> creating libtool
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: error: cannot find input file: Makefile.in

yes, type automake before.

--
Pablo


* Re: [PATCH] REJECT for 2.6.9+
  2005-03-20 16:15 ` Patrick McHardy
@ 2005-03-21 20:51   ` Jonas Berlin
  2005-03-30  2:05   ` Yasuyuki KOZAKAI
  1 sibling, 0 replies; 26+ messages in thread
From: Jonas Berlin @ 2005-03-21 20:51 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Patrick McHardy wrote:

|> The empty patch file is there so that the original patch won't be
|> attempted.
|
| Why add a new branch instead of simply restoring that file?

Maybe I have not understood the pom-ng functionality correctly/fully. I
thought that plain files in the tree must not already exist, and so I thought
I needed to keep the old branch for the <=2.6.8 kernels that still have the
file that was deleted in 2.6.9.

| Even better, I think I'm simply going to submit the IPv6
| REJECT target of nobody objects.

No objections here :)

- --
- - xkr47
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCPzPWxyF48ZTvn+4RAo2ZAJ9RUpp6LzOk2J6vT38QCfulSLODCQCfeu83
m2JTEwyTHKe4iZwPrfkeaiI=
=3VtI
-----END PGP SIGNATURE-----


* Re: building libctnetlink
  2005-03-21 17:12           ` Pablo Neira
@ 2005-03-24 12:35             ` Just another UFO mechanic
  2005-03-24 12:58               ` Pablo Neira
  2005-03-26 12:31             ` Wichert Akkerman
  1 sibling, 1 reply; 26+ messages in thread
From: Just another UFO mechanic @ 2005-03-24 12:35 UTC (permalink / raw)
  To: Pablo Neira; +Cc: netfilter-devel


On Mon, 2005-03-21 at 17:12, Pablo Neira wrote:
> Just another UFO mechanic wrote:
> > Hi 
> >     Thanks but when I run autoconf it creates the configure script then
> > when I run configure it says 
> > 
> > creating libtool
> > configure: creating ./config.status
> > config.status: creating Makefile
> > config.status: error: cannot find input file: Makefile.in
> 
> yes, type automake before.
> 
> --
> Pablo
I am still trying to compile libctnetlink and libnfnetlink, and I cannot find
a whole lot of info on them. I have 2 questions.

When I try compile
I get the error
libctnetlink.c:32:39 linux/nfnetlink_conntrack.h: No such file or
directory

Is there a second lib I am missing ? I have looked around and see only a
reference to old-nfnetlink

Secondly
Because this header should be in linux/*, this tells me that it may belong to an
older kernel or to something that is now deprecated; is that so? I am
trying to compile on 2.6.10.

Thanks


* Re: building libctnetlink
  2005-03-24 12:35             ` Just another UFO mechanic
@ 2005-03-24 12:58               ` Pablo Neira
  2005-04-04 16:25                 ` no ctstat? " Sam Liddicott
  0 siblings, 1 reply; 26+ messages in thread
From: Pablo Neira @ 2005-03-24 12:58 UTC (permalink / raw)
  To: oscar; +Cc: netfilter-devel

Just another UFO mechanic wrote:
> I am still trying to compile libctnetlink and libnfnetlink I cannot find
> a whole lot of info on it. I have 2 questions
> 
> When I try compile
> I get the error
> libctnetlink.c:32:39 linux/nfnetlink_conntrack.h: No such file or
> directory

Have you applied `nfnetlink-ctnetlink-0.13' in pom-ng? Add 
-I/your/kernel/include/path to your compilation script.


> Secondly
> Because this should be in linux/* this tells me that it may belong to an
> older kernel or something that is now deprecated, is that so ? I am
> trying to compile on 2.6.10

Unfortunately that won't work with your current kernel, AFAIK those 
patches work fine for most 2.4.x releases. Anyhow I'm currently working 
on porting them to 2.6.11 so you could wait until I post them in the 
mailing list.

--
Pablo


* Re: building libctnetlink
  2005-03-21 17:12           ` Pablo Neira
  2005-03-24 12:35             ` Just another UFO mechanic
@ 2005-03-26 12:31             ` Wichert Akkerman
  1 sibling, 0 replies; 26+ messages in thread
From: Wichert Akkerman @ 2005-03-26 12:31 UTC (permalink / raw)
  To: Pablo Neira; +Cc: netfilter-devel

Previously Pablo Neira wrote:
> yes, type automake before.

Or use autoreconf, which seems to be the magic-du-jour to generate all
the necessary bits.

Wichert.

-- 
Wichert Akkerman <wichert@wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.


* Re: [PATCH] REJECT for 2.6.9+
  2005-03-20 16:15 ` Patrick McHardy
  2005-03-21 20:51   ` Jonas Berlin
@ 2005-03-30  2:05   ` Yasuyuki KOZAKAI
  2005-04-01  6:13     ` Harald Welte
  2005-04-03 18:26     ` Patrick McHardy
  1 sibling, 2 replies; 26+ messages in thread
From: Yasuyuki KOZAKAI @ 2005-03-30  2:05 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel, usagi-core

[-- Attachment #1: Type: Text/Plain, Size: 993 bytes --]

Hi,

From: Patrick McHardy <kaber@trash.net>
Date: Sun, 20 Mar 2005 17:15:16 +0100

> Why add a new branch instead of simply restoring that file?
> Even better, I think I'm simply going to submit the IPv6
> REJECT target of nobody objects.

I have some thoughts.

I wrote ip6t_REJECT so that the source address of the ICMPv6 error was the
destination address of the original packet. Because of this behavior,
send_unreach could not use icmpv6_send().
But now I have found that the behavior of ipt_REJECT is different:
the source address of the ICMP error is the node itself. I think their behavior
should be the same. Moreover, ipt_REJECT has changed to use icmp_send() recently.

Then I think ip6t_REJECT can use icmpv6_send() like ipt_REJECT.
Please consider applying attached patch to REJECT in pom-ng.

Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>

Regards,
-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@toshiba.co.jp>

[-- Attachment #2: reject.patch --]
[-- Type: Text/Plain, Size: 10870 bytes --]

diff -Nur -x.svn REJECT/linux-2.4.patch REJECT-changed/linux-2.4.patch
--- REJECT/linux-2.4.patch	1970-01-01 09:00:00.000000000 +0900
+++ REJECT-changed/linux-2.4.patch	2005-03-30 00:52:52.000000000 +0900
@@ -0,0 +1,28 @@
+diff -Nru linux-2.4.0-test8-ipv6updates/include/linux/netfilter_ipv6/ip6t_REJECT.h linux-2.4.0-test8-REJECTv6/include/linux/netfilter_ipv6/ip6t_REJECT.h
+--- linux-2.4.0-test8-ipv6updates/include/linux/netfilter_ipv6/ip6t_REJECT.h	Sun Nov 12 13:40:30 2000
++++ linux-2.4.0-test8-REJECTv6/include/linux/netfilter_ipv6/ip6t_REJECT.h	Sun Nov 12 13:38:25 2000
+@@ -2,15 +2,17 @@
+ #define _IP6T_REJECT_H
+ 
+ enum ip6t_reject_with {
+-	IP6T_ICMP_NET_UNREACHABLE,
+-	IP6T_ICMP_HOST_UNREACHABLE,
+-	IP6T_ICMP_PROT_UNREACHABLE,
+-	IP6T_ICMP_PORT_UNREACHABLE,
+-	IP6T_ICMP_ECHOREPLY
++	IP6T_ICMP6_NO_ROUTE,
++	IP6T_ICMP6_ADM_PROHIBITED,
++	IP6T_ICMP6_NOT_NEIGHBOUR,
++	IP6T_ICMP6_ADDR_UNREACH,
++	IP6T_ICMP6_PORT_UNREACH,
++	IP6T_ICMP6_ECHOREPLY,
++	IP6T_TCP_RESET
+ };
+ 
+ struct ip6t_reject_info {
+ 	enum ip6t_reject_with with;      /* reject type */
+ };
+ 
+-#endif /*_IPT_REJECT_H*/
++#endif /*_IP6T_REJECT_H*/
+
diff -Nur -x.svn REJECT/linux-2.6/include/linux/netfilter_ipv6/ip6t_REJECT.h REJECT-changed/linux-2.6/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- REJECT/linux-2.6/include/linux/netfilter_ipv6/ip6t_REJECT.h	1970-01-01 09:00:00.000000000 +0900
+++ REJECT-changed/linux-2.6/include/linux/netfilter_ipv6/ip6t_REJECT.h	2005-03-30 00:52:51.000000000 +0900
@@ -0,0 +1,18 @@
+#ifndef _IP6T_REJECT_H
+#define _IP6T_REJECT_H
+
+enum ip6t_reject_with {
+	IP6T_ICMP6_NO_ROUTE,
+	IP6T_ICMP6_ADM_PROHIBITED,
+	IP6T_ICMP6_NOT_NEIGHBOUR,
+	IP6T_ICMP6_ADDR_UNREACH,
+	IP6T_ICMP6_PORT_UNREACH,
+	IP6T_ICMP6_ECHOREPLY,
+	IP6T_TCP_RESET
+};
+
+struct ip6t_reject_info {
+	enum ip6t_reject_with with;      /* reject type */
+};
+
+#endif /*_IP6T_REJECT_H*/
diff -Nur -x.svn REJECT/linux-2.6/net/ipv6/ipv6_syms.c.ladd REJECT-changed/linux-2.6/net/ipv6/ipv6_syms.c.ladd
--- REJECT/linux-2.6/net/ipv6/ipv6_syms.c.ladd	2005-03-30 00:46:26.000000000 +0900
+++ REJECT-changed/linux-2.6/net/ipv6/ipv6_syms.c.ladd	2005-03-30 01:04:42.000000000 +0900
@@ -1 +1,2 @@
+EXPORT_SYMBOL(ipv6_push_nfrag_opts);
 EXPORT_SYMBOL(ip6_dst_lookup);
diff -Nur -x.svn REJECT/linux-2.6/net/ipv6/netfilter/Makefile.ladd REJECT-changed/linux-2.6/net/ipv6/netfilter/Makefile.ladd
--- REJECT/linux-2.6/net/ipv6/netfilter/Makefile.ladd	1970-01-01 09:00:00.000000000 +0900
+++ REJECT-changed/linux-2.6/net/ipv6/netfilter/Makefile.ladd	2005-03-30 01:49:48.000000000 +0900
@@ -0,0 +1,2 @@
+obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
+obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
diff -Nur -x.svn REJECT/linux-2.6/net/ipv6/netfilter/ip6t_REJECT.c REJECT-changed/linux-2.6/net/ipv6/netfilter/ip6t_REJECT.c
--- REJECT/linux-2.6/net/ipv6/netfilter/ip6t_REJECT.c	2005-03-30 00:54:14.000000000 +0900
+++ REJECT-changed/linux-2.6/net/ipv6/netfilter/ip6t_REJECT.c	2005-03-30 00:52:51.000000000 +0900
@@ -19,6 +19,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/icmpv6.h>
+#include <linux/netdevice.h>
 #include <net/ipv6.h>
 #include <net/tcp.h>
 #include <net/icmp.h>
@@ -39,17 +40,6 @@
 #define DEBUGP(format, args...)
 #endif
 
-#if 0
-static void connection_attach(struct sk_buff *new_skb, struct nf_ct_info *nfct)
-{
-	void (*attach)(struct sk_buff *, struct nf_ct_info *);
-	if (nfct && (attach = ip6_ct_attach) != NULL) {
-		mb();
-		attach(new_skb, nfct);
-	}
-}
-#endif
-
 static int maybe_reroute(struct sk_buff *skb)
 {
 	if (skb->nfcache & NFC_ALTERED){
@@ -73,7 +63,6 @@
 	struct dst_entry *dst = NULL;
 	u8 proto;
 	struct flowi fl;
-	proto = oip6h->nexthdr;
 	int err;
 
 	if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
@@ -82,6 +71,7 @@
 		return;
 	}
 
+	proto = oip6h->nexthdr;
 	tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data),
 				   &proto, oldskb->len - ((u8*)(oip6h+1)
 							  - oldskb->data));
@@ -190,171 +180,25 @@
 				      csum_partial((char *)tcph,
 						   sizeof(struct tcphdr), 0));
 
-#if 0
-	connection_attach(nskb, oldskb->nfct);
-#endif
-
 	NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
 		maybe_reroute);
 
 	dst_release(dst);
 }
 
-static void send_unreach(struct sk_buff *skb_in, unsigned char code)
+static inline void
+send_unreach(struct sk_buff *skb_in, unsigned char code, unsigned int hooknum)
 {
-	struct ipv6hdr *ip6h, *hdr = skb_in->nh.ipv6h;
-	struct icmp6hdr *icmp6h;
-	struct dst_entry *dst = NULL;
-	struct rt6_info *rt;
-	int tmo;
-	__u32 csum;
-	unsigned int len, datalen, hh_len;
-	int saddr_type, daddr_type;
-	unsigned int ptr, ip6off;
-	u8 proto;
-	struct flowi fl;
-	struct sk_buff *nskb;
-	char *data;
-
-	saddr_type = ipv6_addr_type(&hdr->saddr);
-	daddr_type = ipv6_addr_type(&hdr->daddr);
-
-	if ((!(saddr_type & IPV6_ADDR_UNICAST)) ||
-	    (!(daddr_type & IPV6_ADDR_UNICAST))) {
-		DEBUGP("ip6t_REJECT: addr is not unicast.\n");
-		return;
-	}
-
-	ip6off = skb_in->nh.raw - skb_in->data;
-	proto = hdr->nexthdr;
-	ptr = ipv6_skip_exthdr(skb_in, ip6off + sizeof(struct ipv6hdr), &proto,
-			       skb_in->len - ip6off);
-
-	if ((ptr < 0) || (ptr > skb_in->len)) {
-		ptr = ip6off + sizeof(struct ipv6hdr);
-		proto = hdr->nexthdr;
-	} else if (proto == IPPROTO_ICMPV6) {
-                u8 type;
-
-                if (skb_copy_bits(skb_in, ptr + offsetof(struct icmp6hdr,
-						      icmp6_type), &type, 1)) {
-			DEBUGP("ip6t_REJECT: Can't get ICMPv6 type\n");
-			return;
-		}
+	if (hooknum == NF_IP6_LOCAL_OUT && skb_in->dev == NULL)
+		skb_in->dev = &loopback_dev;
 
-		if (!(type & ICMPV6_INFOMSG_MASK)) {
-			DEBUGP("ip6t_REJECT: no reply to icmp error\n");
-			return;
-		}
-        } else if (proto == IPPROTO_UDP) {
-		int plen = skb_in->len - (ptr - ip6off);
-		uint16_t check;
-
-		if (plen < sizeof(struct udphdr)) {
-			DEBUGP("ip6t_REJECT: too short\n");
-			return;
-		}
-
-		if (skb_copy_bits(skb_in, ptr + offsetof(struct udphdr, check),
-				  &check, 2)) {
-			if (net_ratelimit())
-				printk("ip6t_REJECT: can't get copy from skb");
-			return;
-		}
-
-		if (check &&
-		    csum_ipv6_magic(&hdr->saddr, &hdr->daddr, plen,
-				    IPPROTO_UDP,
-				    skb_checksum(skb_in, ptr, plen, 0))) {
-			DEBUGP("ip6t_REJECT: UDP checksum is invalid.\n");
-			return;
-		}
-	}
-
-	memset(&fl, 0, sizeof(fl));
-	fl.proto = IPPROTO_ICMPV6;
-	ipv6_addr_copy(&fl.fl6_src, &hdr->daddr);
-	ipv6_addr_copy(&fl.fl6_dst, &hdr->saddr);
-	fl.fl_icmp_type = ICMPV6_DEST_UNREACH;
-	fl.fl_icmp_code = code;
-
-	if (ip6_dst_lookup(NULL, &dst, &fl)) {
-		return;
-	}
-
-	rt = (struct rt6_info *)dst;
-	tmo = 1*HZ;
-
-	if (rt->rt6i_dst.plen < 128)
-		tmo >>= ((128 - rt->rt6i_dst.plen)>>5);
-
-	if (!xrlim_allow(dst, tmo)) {
-		if (net_ratelimit())
-			printk("ip6t_REJECT: rate limitted\n");
-		goto dst_release_out;
-	}
-
-	len = skb_in->len + sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr);
-
-	if (len > dst_pmtu(dst))
-		len = dst_pmtu(dst);
-	if (len > IPV6_MIN_MTU)
-		len = IPV6_MIN_MTU;
-
-	datalen = len - sizeof(struct ipv6hdr) - sizeof(struct icmp6hdr);
-	hh_len = (rt->u.dst.dev->hard_header_len + 15)&~15;
-
-	nskb = alloc_skb(hh_len + 15 + dst->header_len + dst->trailer_len + len,
-			 GFP_ATOMIC);
-
-	if (!nskb) {
-		if (net_ratelimit())
-			printk("ip6t_REJECT: can't alloc skb\n");
-		goto dst_release_out;
-	}
-
-	nskb->priority = 0;
-	nskb->dst = dst;
-	dst_hold(dst);
-
-	skb_reserve(nskb, hh_len + dst->header_len);
-
-	ip6h = nskb->nh.ipv6h = (struct ipv6hdr *)
-					skb_put(nskb, sizeof(struct ipv6hdr));
-	ip6h->version = 6;
-	ip6h->hop_limit = dst_metric(dst, RTAX_HOPLIMIT);
-	ip6h->nexthdr = IPPROTO_ICMPV6;
-	ip6h->payload_len = htons(datalen + sizeof(struct icmp6hdr));
-	ipv6_addr_copy(&ip6h->saddr, &hdr->daddr);
-	ipv6_addr_copy(&ip6h->daddr, &hdr->saddr);
-
-	icmp6h = (struct icmp6hdr *) skb_put(nskb, sizeof(struct icmp6hdr));
-	icmp6h->icmp6_type = ICMPV6_DEST_UNREACH;
-	icmp6h->icmp6_code = code;
-	icmp6h->icmp6_cksum = 0;
-
-	data = skb_put(nskb, datalen);
-
-	csum = csum_partial((unsigned char *)icmp6h, sizeof(struct icmp6hdr), 0);
-	csum = skb_copy_and_csum_bits(skb_in, ip6off, data, datalen, csum);
-	icmp6h->icmp6_cksum = csum_ipv6_magic(&hdr->saddr, &hdr->daddr,
-					     datalen + sizeof(struct icmp6hdr),
-					     IPPROTO_ICMPV6, csum);
-
-#if 0
-	connection_attach(nskb, skb_in->nfct);
-#endif
-	NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
-		maybe_reroute);
-
-dst_release_out:
-	dst_release(dst);
+	icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0, NULL);
 }
 
 static unsigned int reject6_target(struct sk_buff **pskb,
-			   unsigned int hooknum,
 			   const struct net_device *in,
 			   const struct net_device *out,
+			   unsigned int hooknum,
 			   const void *targinfo,
 			   void *userinfo)
 {
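Review bot: The rewritten send_unreach drops the UDP checksum verification that the removed body performed before replying (the `check && csum_ipv6_magic(...)` block over `skb_checksum(skb_in, ptr, plen, 0)`), and as far as I know icmpv6_send() validates nothing at the transport layer, so a datagram carrying a corrupt UDP checksum now elicits an ICMPv6 Destination Unreachable where the old code stayed silent. The other removed guards — non-unicast addresses, no reply to ICMPv6 error messages, rate limiting — are presumably handled inside icmpv6_send(), but this one is not; either re-add the checksum test in reject6_target ahead of the `switch (reject->with)`, guarded by a comment such as `/* do not answer datagrams whose UDP checksum is invalid */`, or record the intentional behaviour change in the pom-ng patch description so the IPv4/IPv6 targets are compared knowingly. Note also that `skb_in->dev = &loopback_dev` writes into the original skb on the LOCAL_OUT path; that matches what ipt_REJECT does, but a one-line comment saying so (`/* icmpv6_send() needs a device; locally generated skbs have none yet */`) would save the next reader a trip to ipt_REJECT.c. reject6_target's body continues past the end of this hunk.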
@@ -366,19 +210,19 @@
 	   must return an absolute verdict. --RR */
     	switch (reject->with) {
     	case IP6T_ICMP6_NO_ROUTE:
-    		send_unreach(*pskb, ICMPV6_NOROUTE);
+    		send_unreach(*pskb, ICMPV6_NOROUTE, hooknum);
     		break;
     	case IP6T_ICMP6_ADM_PROHIBITED:
-    		send_unreach(*pskb, ICMPV6_ADM_PROHIBITED);
+    		send_unreach(*pskb, ICMPV6_ADM_PROHIBITED, hooknum);
     		break;
     	case IP6T_ICMP6_NOT_NEIGHBOUR:
-    		send_unreach(*pskb, ICMPV6_NOT_NEIGHBOUR);
+    		send_unreach(*pskb, ICMPV6_NOT_NEIGHBOUR, hooknum);
     		break;
     	case IP6T_ICMP6_ADDR_UNREACH:
-    		send_unreach(*pskb, ICMPV6_ADDR_UNREACH);
+    		send_unreach(*pskb, ICMPV6_ADDR_UNREACH, hooknum);
     		break;
     	case IP6T_ICMP6_PORT_UNREACH:
-    		send_unreach(*pskb, ICMPV6_PORT_UNREACH);
+    		send_unreach(*pskb, ICMPV6_PORT_UNREACH, hooknum);
     		break;
     	case IP6T_ICMP6_ECHOREPLY:
 		/* Do nothing */
diff -Nur -x.svn REJECT/linux.patch REJECT-changed/linux.patch
--- REJECT/linux.patch	2005-03-30 00:54:14.000000000 +0900
+++ REJECT-changed/linux.patch	1970-01-01 09:00:00.000000000 +0900
@@ -1,28 +0,0 @@
-diff -Nru linux-2.4.0-test8-ipv6updates/include/linux/netfilter_ipv6/ip6t_REJECT.h linux-2.4.0-test8-REJECTv6/include/linux/netfilter_ipv6/ip6t_REJECT.h
---- linux-2.4.0-test8-ipv6updates/include/linux/netfilter_ipv6/ip6t_REJECT.h	Sun Nov 12 13:40:30 2000
-+++ linux-2.4.0-test8-REJECTv6/include/linux/netfilter_ipv6/ip6t_REJECT.h	Sun Nov 12 13:38:25 2000
-@@ -2,15 +2,17 @@
- #define _IP6T_REJECT_H
- 
- enum ip6t_reject_with {
--	IP6T_ICMP_NET_UNREACHABLE,
--	IP6T_ICMP_HOST_UNREACHABLE,
--	IP6T_ICMP_PROT_UNREACHABLE,
--	IP6T_ICMP_PORT_UNREACHABLE,
--	IP6T_ICMP_ECHOREPLY
-+	IP6T_ICMP6_NO_ROUTE,
-+	IP6T_ICMP6_ADM_PROHIBITED,
-+	IP6T_ICMP6_NOT_NEIGHBOUR,
-+	IP6T_ICMP6_ADDR_UNREACH,
-+	IP6T_ICMP6_PORT_UNREACH,
-+	IP6T_ICMP6_ECHOREPLY,
-+	IP6T_TCP_RESET
- };
- 
- struct ip6t_reject_info {
- 	enum ip6t_reject_with with;      /* reject type */
- };
- 
--#endif /*_IPT_REJECT_H*/
-+#endif /*_IP6T_REJECT_H*/
-


* Re: [PATCH] REJECT for 2.6.9+
  2005-03-30  2:05   ` Yasuyuki KOZAKAI
@ 2005-04-01  6:13     ` Harald Welte
  2005-04-03 18:26     ` Patrick McHardy
  1 sibling, 0 replies; 26+ messages in thread
From: Harald Welte @ 2005-04-01  6:13 UTC (permalink / raw)
  To: Yasuyuki KOZAKAI; +Cc: netfilter-devel, usagi-core, kaber

[-- Attachment #1: Type: text/plain, Size: 1760 bytes --]

On Wed, Mar 30, 2005 at 11:05:40AM +0900, Yasuyuki KOZAKAI wrote:
> Hi,
> 
> From: Patrick McHardy <kaber@trash.net>
> Date: Sun, 20 Mar 2005 17:15:16 +0100
> 
> > Why add a new branch instead of simply restoring that file?
> > Even better, I think I'm simply going to submit the IPv6
> > REJECT target of nobody objects.
> 
> I have some thoughts.
> 
> I wrote ip6t_REJECT so that the source address of ICMPv6 error was
> destination address of original packet. Because of this behavior,
> send_unreach could not use icmpv6_send().
> But now I have found that the behavior of ipt_REJECT is different.
> The source address of ICMP error is its node. I think the behavior of them
> should be same. Moreover, ipt_REJECT has changed to use icmp_send() recently.
> 
> Then I think ip6t_REJECT can use icmpv6_send() like ipt_REJECT.
> Please consider applying attached patch to REJECT in pom-ng.

Thanks, Yasuyuki.  I agree.

However, please note that your patch didn't apply:

laforge@hanuman%pts/3 (8:05) svn/netfilter/patch-o-matic-ng/REJECT > patch -p1 --dry-run < ~/reject.patch 
patching file linux-2.4.patch
patching file linux-2.6/include/linux/netfilter_ipv6/ip6t_REJECT.h
can't find file to patch at input line 58
Perhaps you used the wrong -p or --strip option?

I've fixed it up manually and applied it, please verify that everything
works fine.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]


* Re: [PATCH] REJECT for 2.6.9+
  2005-03-30  2:05   ` Yasuyuki KOZAKAI
  2005-04-01  6:13     ` Harald Welte
@ 2005-04-03 18:26     ` Patrick McHardy
  2005-04-08  7:58       ` Yasuyuki KOZAKAI
  1 sibling, 1 reply; 26+ messages in thread
From: Patrick McHardy @ 2005-04-03 18:26 UTC (permalink / raw)
  To: Yasuyuki KOZAKAI; +Cc: netfilter-devel, usagi-core

Yasuyuki KOZAKAI wrote:
> I wrote ip6t_REJECT so that the source address of ICMPv6 error was
> destination address of original packet. Because of this behavior,
> send_unreach could not use icmpv6_send().
> But now I have found that the behavior of ipt_REJECT is different.
> The source address of ICMP error is its node. I think the behavior of them
> should be same. Moreover, ipt_REJECT has changed to use icmp_send() recently.

That makes sense. Do you have any other issues with submitting
this patch?

Regards
Patrick


* no ctstat? Re: building libctnetlink
  2005-03-24 12:58               ` Pablo Neira
@ 2005-04-04 16:25                 ` Sam Liddicott
  2005-04-06 14:59                   ` Amin Azez
  0 siblings, 1 reply; 26+ messages in thread
From: Sam Liddicott @ 2005-04-04 16:25 UTC (permalink / raw)
  To: netfilter-devel

Pablo Neira wrote:
> Just another UFO mechanic wrote:
> 
>> I am still trying to compile libctnetlink and libnfnetlink I cannot find
>> a whole lot of info on it. I have 2 questions
>>
>> When I try compile
>> I get the error
>> libctnetlink.c:32:39 linux/nfnetlink_conntrack.h: No such file or
>> directory
> 
> 
> Have you applied `nfnetlink-ctnetlink-0.13' in pom-ng? Add 
> -I/your/kernel/include/path to your compilation script.

Thanks for the tip Pablo; probably a case of user error; but:

When I try to apply nfnetlink-ctnetlink-0.13 from the latest pom-ng 
(20050403), I am told:

nfnetlink-ctnetlink-0.13 has dependency on ctstat, but ctstat is not known
cannot apply (9 rejects out of 42 hunks)

As far as I can tell ctstats was added to pom-ng in around September 
2004 time. There is a ctstat folder in my un-tar'd pom-ng, but it is empty.

I'm running patch-o-matic against iptables 1.2.11 and kernel 2.6.10
source.

Sam


* Re: no ctstat? Re: building libctnetlink
  2005-04-04 16:25                 ` no ctstat? " Sam Liddicott
@ 2005-04-06 14:59                   ` Amin Azez
  2005-04-06 15:48                     ` Amin Azez
  0 siblings, 1 reply; 26+ messages in thread
From: Amin Azez @ 2005-04-06 14:59 UTC (permalink / raw)
  To: netfilter-devel

Sam Liddicott wrote:
> Pablo Neira wrote:
> 
>> Just another UFO mechanic wrote:
>>
>>> I am still trying to compile libctnetlink and libnfnetlink I cannot find
>>> a whole lot of info on it. I have 2 questions
>>>
>>> When I try compile
>>> I get the error
>>> libctnetlink.c:32:39 linux/nfnetlink_conntrack.h: No such file or
>>> directory
>>
>>
>>
>> Have you applied `nfnetlink-ctnetlink-0.13' in pom-ng? Add 
>> -I/your/kernel/include/path to your compilation script.
> 
> 
> Thanks for the tip Pablo; probably a case of user error; but:
> 
> When I try to apply nfnetlink-ctnetlink-0.13 from the latest pom-ng 
> (20050403), I am told:
> 
> nfnetlink-ctnetlink-0.13 has dependency on ctstat, but ctstat is not known
> cannot apply (9 rejects out of 42 hunks)
> 
> As far as I can tell ctstats was added to pom-ng in around September 
> 2004 time. There is a ctstat folder in my un-tar'd pom-ng, but it is empty.
> 
> I'm running patch-o-matic against iptables 1.2.11 and kernel 2.6.10
> source.

So after much looking, for my part, according to section 6.2 of the 2004 
workshop summary at 
http://www.netfilter.org/documentation/conferences/nf-workshop-2004-summary.html
  ctstat has already been merged with... with....

and there you have it.

I can't tell if ctstat has been merged with any particular kernel 
version or any particular iptables version or both.

This file, 
http://people.netfilter.org/gandalf/old/ctstat/ctstat-040215-2.6, hints 
that ctstat may have been merged with kernel 2.6

So assuming that you do have ctstat merged somehow (and 
ct_cpu_seq_show() seems to be defined in ip_conntrack_standalone.c on 
2.6.10), edit nfnetlink-ctnetlink-0.13/info and remove the dependency on
ctstat and then apply with
   ... ... ./runme --batch nfnetlink-ctnetlink-0.13

You'll still get a failure to apply though, which I'm looking into. I'll 
post back when I find out more, I'm going to try it on 2.6.11 and then 
look at the rejects more closely if that doesn't work.

Amin


* Re: no ctstat? Re: building libctnetlink
  2005-04-06 14:59                   ` Amin Azez
@ 2005-04-06 15:48                     ` Amin Azez
  2005-04-06 16:59                       ` Just another UFO mechanic
  0 siblings, 1 reply; 26+ messages in thread
From: Amin Azez @ 2005-04-06 15:48 UTC (permalink / raw)
  To: netfilter-devel

As soon as my linux 2.6.11.6 source had downloaded I tried:
IPTABLES_DIR=../iptables-1.2.11/ KERNEL_DIR=../linux-2.6.11.6 ./runme 
--batch nfnetlink-ctnetlink-0.13

But it just says:

unable to find ladd slot in src 
../linux-2.6.11.6/include/linux/netfilter_ipv4/ip_conntrack.h 
(./nfnetlink-ctnetlink-0.13/li)-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]

I don't know what a ladd slot is (OK, it's a line-add slot, but I still
don't know what that means), but I'll take this to mean the patch was for 2.6.10.

The rejected hunks have things like:
   #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
   struct notifier_block *ip_conntrack_chain;
   #endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */

in, which makes it look like ct-event is needed, perhaps such as pablo 
posted on 28/03/05 for kernel 2.6.11

I'll take this up on the "[PATCH] ct-event API port to 2.6.11" thread.

Amin


* Re: no ctstat? Re: building libctnetlink
  2005-04-06 16:59                       ` Just another UFO mechanic
@ 2005-04-06 16:30                         ` Amin Azez
  0 siblings, 0 replies; 26+ messages in thread
From: Amin Azez @ 2005-04-06 16:30 UTC (permalink / raw)
  To: netfilter-devel

Just another UFO mechanic wrote:
> On Wed, 2005-04-06 at 16:48, Amin Azez wrote:
> 
>>as Soon as my linux 2.6.11.6 source downloaded I tried:
>>IPTABLES_DIR=../iptables-1.2.11/ KERNEL_DIR=../linux-2.6.11.6 ./runme 
>>--batch nfnetlink-ctnetlink-0.13
>>
>>But it just says:
>>
>>unable to find ladd slot in src 
>>../linux-2.6.11.6/include/linux/netfilter_ipv4/ip_conntrack.h 
>>(./nfnetlink-ctnetlink-0.13/li)-----------------------------------------------------------------
>>Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
>>
>>I dont know what a ladd slot is (OK, its a line-add slot, but I still 
>>don't know what it is) but I'll take this to mean the patch was for 2.6.10
>>
>>The rejected hunks have thinks like:
>>   #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
>>   struct notifier_block *ip_conntrack_chain;
>>   #endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
>>
>>in, which makes it look like ct-event is needed, perhaps such as pablo 
>>posted on 28/03/05 for kernel 2.6.11
>>
>>I'll take this up on the "[PATCH] ct-event API port to 2.6.11" thread.
> 
> 
>>Amin
> 
> 
> Amin nar nin buzee, as ta den feB. Av ni no bin 2.6.12 kez nip obou
> avayop armal nupiy wen karsanel.
> 
> CONFIG_IP_NF_CONNTRACK_EVENTS=y
> 
> Niki wen swe ning.

Sound as my lovely dad, you do.

On reflection, netfilter patches against specific kernels are likely to
require that version as a minimum to patch against; I mean there is more
likelihood that a patch will apply against the next kernel revision than
against the previous kernel revision. So yeah, it may mean a skip up to
2.6.12, if that has ct-event in it.

agghh!

thanks

Amin


* Re: no ctstat? Re: building libctnetlink
  2005-04-06 15:48                     ` Amin Azez
@ 2005-04-06 16:59                       ` Just another UFO mechanic
  2005-04-06 16:30                         ` Amin Azez
  0 siblings, 1 reply; 26+ messages in thread
From: Just another UFO mechanic @ 2005-04-06 16:59 UTC (permalink / raw)
  To: Amin Azez; +Cc: netfilter-devel


On Wed, 2005-04-06 at 16:48, Amin Azez wrote:
> as Soon as my linux 2.6.11.6 source downloaded I tried:
> IPTABLES_DIR=../iptables-1.2.11/ KERNEL_DIR=../linux-2.6.11.6 ./runme 
> --batch nfnetlink-ctnetlink-0.13
> 
> But it just says:
> 
> unable to find ladd slot in src 
> ../linux-2.6.11.6/include/linux/netfilter_ipv4/ip_conntrack.h 
> (./nfnetlink-ctnetlink-0.13/li)-----------------------------------------------------------------
> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
> 
> I dont know what a ladd slot is (OK, its a line-add slot, but I still 
> don't know what it is) but I'll take this to mean the patch was for 2.6.10
> 
> The rejected hunks have thinks like:
>    #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
>    struct notifier_block *ip_conntrack_chain;
>    #endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
> 
> in, which makes it look like ct-event is needed, perhaps such as pablo 
> posted on 28/03/05 for kernel 2.6.11
> 
> I'll take this up on the "[PATCH] ct-event API port to 2.6.11" thread.

> Amin

Amin nar nin buzee, as ta den feB. Av ni no bin 2.6.12 kez nip obou
avayop armal nupiy wen karsanel.

CONFIG_IP_NF_CONNTRACK_EVENTS=y

Niki wen swe ning.


* Re: [PATCH] REJECT for 2.6.9+
  2005-04-03 18:26     ` Patrick McHardy
@ 2005-04-08  7:58       ` Yasuyuki KOZAKAI
  2005-04-08  8:32         ` (usagi-core 22742) " YOSHIFUJI Hideaki / 吉藤英明
  2005-04-17 22:00         ` Patrick McHardy
  0 siblings, 2 replies; 26+ messages in thread
From: Yasuyuki KOZAKAI @ 2005-04-08  7:58 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel, usagi-core, yasuyuki.kozakai

[-- Attachment #1: Type: Text/Plain, Size: 964 bytes --]


Hi, Patrick,

Sorry for the late reply. I looked at the other parts.
This patch makes send_reset() look up the xfrm policy and deletes the unnecessary
dst_hold().

	Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>

Regards,

From: Patrick McHardy <kaber@trash.net>
Date: Sun, 03 Apr 2005 20:26:49 +0200

> Yasuyuki KOZAKAI wrote:
> > I wrote ip6t_REJECT so that the source address of ICMPv6 error was
> > destination address of original packet. Because of this behavior,
> > send_unreach could not use icmpv6_send().
> > But now I have found that the behavior of ipt_REJECT is different.
> > The source address of ICMP error is its node. I think the behavior of them
> > should be same. Moreover, ipt_REJECT has changed to use icmp_send() recently.
> 
> That makes sense. Do you have any other issues with submitting
> this patch?


-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@toshiba.co.jp>


[-- Attachment #2: reject.patch --]
[-- Type: Text/Plain, Size: 799 bytes --]

Index: linux-2.6/net/ipv6/netfilter/ip6t_REJECT.c
===================================================================
--- linux-2.6/net/ipv6/netfilter/ip6t_REJECT.c	(revision 3827)
+++ linux-2.6/net/ipv6/netfilter/ip6t_REJECT.c	(working copy)
@@ -122,6 +122,11 @@
 		return;
 	}
 
+	if (xfrm_lookup(&dst, &fl, NULL, 0)) {
+		dst_release(dst);
+		return;
+	}
+
 	hh_len = (dst->dev->hard_header_len + 15)&~15;
 	nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
 			 + sizeof(struct tcphdr) + dst->trailer_len,
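Review bot: The `dst_release(dst)` on the xfrm_lookup() failure path at the top of this hunk is only correct if xfrm_lookup() leaves `dst` in a releasable state when it fails; in kernels where it already drops the reference and sets `*dst_p` to NULL the call is a harmless no-op, but otherwise the reference would be dropped twice, so this should be confirmed against the target kernel and recorded next to the call, e.g. `/* xfrm_lookup() drops dst and NULLs it on failure; release is a no-op then */`. A one-line comment stating why the lookup is done at all — the reset must be sent according to the IPsec policy of the flow it answers, not in the clear — would also help a later reader who is tempted to remove it as dead routing work. send_reset() begins before this hunk and continues past it, so the `fl` and `dst` setup the lookup depends on is not visible here.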
@@ -135,7 +140,6 @@
 	}
 
 	nskb->dst = dst;
-	dst_hold(dst);
 
 	skb_reserve(nskb, hh_len + dst->header_len);
 
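Review bot: After `nskb->dst = dst;` the reference obtained earlier is owned by nskb, which is why the `dst_hold()` here and the trailing `dst_release()` in the third hunk are removed; that ownership transfer deserves a comment, e.g. `/* nskb now owns the dst reference; it is dropped when nskb is freed */`, since a later reader may otherwise re-add the hold and reintroduce the leak. The error branch closed by the `}` at the top of this hunk (the alloc_skb() failure case, going by the context at the end of the first hunk) runs before nskb takes ownership, so it must still release dst itself; that branch is outside the hunk and should be checked. Any other early exit between this point and the NF_HOOK() call in the third hunk would now have to free nskb rather than release dst directly.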
@@ -182,8 +186,6 @@
 
 	NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
 		maybe_reroute);
-
-	dst_release(dst);
 }
 
 static inline void


* Re: (usagi-core 22742) Re: [PATCH] REJECT for 2.6.9+
  2005-04-08  7:58       ` Yasuyuki KOZAKAI
@ 2005-04-08  8:32         ` YOSHIFUJI Hideaki / 吉藤英明
  2005-04-08  9:41           ` Yasuyuki KOZAKAI
  2005-04-17 22:00         ` Patrick McHardy
  1 sibling, 1 reply; 26+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2005-04-08  8:32 UTC (permalink / raw)
  To: usagi-core, yasuyuki.kozakai; +Cc: netfilter-devel, kaber

In article <200504080758.j387wkif011777@toshiba.co.jp> (at Fri, 08 Apr 2005 16:58:45 +0900 (JST)), Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp> says:

> This patch makes send_reset() look xfrm policy and deletes unnecessary
> dst_hold().
> 
> 	Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>

How about send_unreach()?

--yoshfuji


* Re: (usagi-core 22742) Re: [PATCH] REJECT for 2.6.9+
  2005-04-08  8:32         ` (usagi-core 22742) " YOSHIFUJI Hideaki / 吉藤英明
@ 2005-04-08  9:41           ` Yasuyuki KOZAKAI
  2005-04-08  9:48             ` (usagi-core 22748) " YOSHIFUJI Hideaki / 吉藤英明
  0 siblings, 1 reply; 26+ messages in thread
From: Yasuyuki KOZAKAI @ 2005-04-08  9:41 UTC (permalink / raw)
  To: yoshfuji; +Cc: netfilter-devel, usagi-core, kaber, yasuyuki.kozakai


It just calls icmpv6_send().

Please see

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/REJECT/linux-2.6/net/ipv6/netfilter/ip6t_REJECT.c?rev=3812&view=auto

Regards,

-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@toshiba.co.jp>

From: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Date: Fri, 08 Apr 2005 17:32:06 +0900 (JST)

> In article <200504080758.j387wkif011777@toshiba.co.jp> (at Fri, 08 Apr 2005 16:58:45 +0900 (JST)), Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp> says:
> 
> > This patch makes send_reset() look xfrm policy and deletes unnecessary
> > dst_hold().
> > 
> > 	Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
> 
> How about send_unreach()?
> 
> --yoshfuji
> 


* Re: (usagi-core 22748) Re: [PATCH] REJECT for 2.6.9+
  2005-04-08  9:41           ` Yasuyuki KOZAKAI
@ 2005-04-08  9:48             ` YOSHIFUJI Hideaki / 吉藤英明
  0 siblings, 0 replies; 26+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2005-04-08  9:48 UTC (permalink / raw)
  To: usagi-core, yasuyuki.kozakai; +Cc: netfilter-devel, kaber

In article <200504080941.j389frQT003417@toshiba.co.jp> (at Fri, 08 Apr 2005 18:41:53 +0900 (JST)), Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp> says:

> 
> It just calls icmpv6_send().
> 
> Please see
> 
> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/REJECT/linux-2.6/net/ipv6/netfilter/ip6t_REJECT.c?rev=3812&view=auto

Ah, ok, thanks.

--yoshfuji


* Re: [PATCH] REJECT for 2.6.9+
  2005-04-08  7:58       ` Yasuyuki KOZAKAI
  2005-04-08  8:32         ` (usagi-core 22742) " YOSHIFUJI Hideaki / 吉藤英明
@ 2005-04-17 22:00         ` Patrick McHardy
  1 sibling, 0 replies; 26+ messages in thread
From: Patrick McHardy @ 2005-04-17 22:00 UTC (permalink / raw)
  To: Yasuyuki KOZAKAI; +Cc: netfilter-devel, usagi-core

Yasuyuki KOZAKAI wrote:
> This patch makes send_reset() look xfrm policy and deletes unnecessary
> dst_hold().

Looks good, thanks. I've applied it to pom, but can't commit right
now; there is some permission problem with SVN. I'll commit it once
it's working again.

Regards
Patrick

