Patch for geoip to make it work with Linux kernel 2.6.22.x

Patch for geoip to make it work with Linux kernel 2.6.22.x

[Svein Olav Bjerkeset]

Hi,

After upgrading to kernel 2.6.22, I found that the geoip patchlet did not 
compile.
I have made a patch that works on my system with kernel 2.6.22.

The patch is against geoip match as of Dec 6th 2006 from 
http://people.netfilter.org/peejix/patchlets/
I made a patch for kernel 2.6.21 as well, but it has not been applied to the 
official geoip patchlet, and is therefor included in this patch.

You can download the patch by using the following URL:
http://bjerkeset.com/patches/geoip-match-2.6.22.patch.gz

Regards
Svein Olav Bjerkeset, 

Re: Patch for geoip to make it work with Linux kernel 2.6.22.x

[Jan Engelhardt]

On Jul 10 2007 17:44, Svein Olav Bjerkeset wrote:
>
> After upgrading to kernel 2.6.22, I found that the geoip patchlet did not
> compile.
> I have made a patch that works on my system with kernel 2.6.22.
>[...]
> You can download the patch by using the following URL:
> http://bjerkeset.com/patches/geoip-match-2.6.22.patch.gz

>diff -urN geoip-20061206/linux-2.6/net/ipv4/netfilter/ipt_geoip.c geoip/linux-2.6/net/ipv4/netfilter/ipt_geoip.c
>--- geoip-20061206/linux-2.6/net/ipv4/netfilter/ipt_geoip.c	2006-12-06 03:47:46.000000000 +0100
>+++ geoip/linux-2.6/net/ipv4/netfilter/ipt_geoip.c	2007-07-10 17:17:11.599991698 +0200
>@@ -110,7 +110,11 @@
> {
>    const struct ipt_geoip_info *info = matchinfo;
>    const struct geoip_info *node; /* This keeps the code sexy */
>+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
>+   const struct iphdr *iph = ip_hdr(skb);
>+#else
>    const struct iphdr *iph = skb->nh.iph;
>+#endif
>    u_int32_t ip, j;
>    u_int8_t i;
> 
>@@ -276,7 +280,10 @@
> }
> 
> static struct ipt_match geoip_match = {

ipt_match is not defined anymore, and hence should have thrown a compile error
right away.

>-   .name    = "geoip",
>+   .name       = "geoip",
>+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
>+   .family     = AF_INET,
>+#endif

.family and is required when using xt_register_match.
xt_register_match exists since at least 2.6.18.

>    .match      = &match,
> #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
>    .matchsize  = sizeof (struct ipt_geoip_info),
>@@ -288,12 +295,20 @@
> 
> static int __init init(void)
> {
>+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
>+   return xt_register_match(&geoip_match);
>+#else
>    return ipt_register_match(&geoip_match);
>+#endif
> }
> 
> static void __exit fini(void)
> {
>+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
>+  xt_unregister_match(&geoip_match);
>+#else
>   ipt_unregister_match(&geoip_match);
>+#endif
>   return;
> }
> 



	Jan
-- 

Re: Patch for geoip to make it work with Linux kernel 2.6.22.x

[Samuel Jean]

On Tue, Jul 10, 2007, Svein Olav Bjerkeset <svein.olav@bjerkeset.com>
said:

> I made a patch for kernel 2.6.21 as well, but it has not been applied to the 
> official geoip patchlet, and is therefor included in this patch.

I am sorry for that, Svein. I merged your patch with my local SVN geoip
version but I had some compiler errors (not related with your patch).

I've got no time to debug, fix, test and release it yet.

> You can download the patch by using the following URL:
> http://bjerkeset.com/patches/geoip-match-2.6.22.patch.gz

Thank you!

Regards,
Samuel

Re: Patch for geoip to make it work with Linux kernel 2.6.22.x

[Svein Olav Bjerkeset]

Hi,

In the kernel (2.6.22) I downloaded from www.kernel.org yesterday, ipt_match 
is certainly defined:

highbury:/opt/kernel> grep ipt_match 
linux-2.6.22/include/linux/netfilter_ipv4/ip_tables.h
#define ipt_match xt_match

Whether the code should use xt_match directly instead of ipt_match, is 
another matter. I have just made the changes needed to get the patchlet to 
compile and work. I do not know the netfilter or geoip code well enough to 
tidy up the code in general. Maybe Samuel can comment on this issue?

As for xt_register_match, it may have existed before 2.6.21, but as far as I 
can recall, it was not until 2.6.21 that ipt_register_match was removed, and 
geoip match compiled/worked with ipt_register_match until 2.6.21. I did not 
quite understand what you were saying about .family and xt_register_match?

Regards,
Svein Olav Bjerkeset

----- Original Message ----- 
From: "Jan Engelhardt" <jengelh@computergmbh.de>
To: "Svein Olav Bjerkeset" <svein.olav@bjerkeset.com>
Cc: <jix@bugmachine.ca>; <netfilter-devel@lists.netfilter.org>
Sent: Tuesday, July 10, 2007 6:58 PM
Subject: Re: Patch for geoip to make it work with Linux kernel 2.6.22.x


>
> On Jul 10 2007 17:44, Svein Olav Bjerkeset wrote:
>>
>> After upgrading to kernel 2.6.22, I found that the geoip patchlet did not
>> compile.
>> I have made a patch that works on my system with kernel 2.6.22.
>>[...]
>> You can download the patch by using the following URL:
>> http://bjerkeset.com/patches/geoip-match-2.6.22.patch.gz
>
>>diff -urN geoip-20061206/linux-2.6/net/ipv4/netfilter/ipt_geoip.c 
>>geoip/linux-2.6/net/ipv4/netfilter/ipt_geoip.c
>>--- geoip-20061206/linux-2.6/net/ipv4/netfilter/ipt_geoip.c 2006-12-06 
>>03:47:46.000000000 +0100
>>+++ geoip/linux-2.6/net/ipv4/netfilter/ipt_geoip.c 2007-07-10 
>>17:17:11.599991698 +0200
>>@@ -110,7 +110,11 @@
>> {
>>    const struct ipt_geoip_info *info = matchinfo;
>>    const struct geoip_info *node; /* This keeps the code sexy */
>>+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
>>+   const struct iphdr *iph = ip_hdr(skb);
>>+#else
>>    const struct iphdr *iph = skb->nh.iph;
>>+#endif
>>    u_int32_t ip, j;
>>    u_int8_t i;
>>
>>@@ -276,7 +280,10 @@
>> }
>>
>> static struct ipt_match geoip_match = {
>
> ipt_match is not defined anymore, and hence should have thrown a compile 
> error
> right away.
>
>>-   .name    = "geoip",
>>+   .name       = "geoip",
>>+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
>>+   .family     = AF_INET,
>>+#endif
>
> .family and is required when using xt_register_match.
> xt_register_match exists since at least 2.6.18.
>
>>    .match      = &match,
>> #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
>>    .matchsize  = sizeof (struct ipt_geoip_info),
>>@@ -288,12 +295,20 @@
>>
>> static int __init init(void)
>> {
>>+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
>>+   return xt_register_match(&geoip_match);
>>+#else
>>    return ipt_register_match(&geoip_match);
>>+#endif
>> }
>>
>> static void __exit fini(void)
>> {
>>+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
>>+  xt_unregister_match(&geoip_match);
>>+#else
>>   ipt_unregister_match(&geoip_match);
>>+#endif
>>   return;
>> }
>>
>
>
>
> Jan
> -- 
> 

Re: Patch for geoip to make it work with Linux kernel 2.6.22.x

[Jan Engelhardt]

On Jul 10 2007 19:57, Svein Olav Bjerkeset wrote:
>
> As for xt_register_match, it may have existed before 2.6.21, but as far as I
> can recall, it was not until 2.6.21 that ipt_register_match was removed, and
> geoip match compiled/worked with ipt_register_match until 2.6.21. I did not
> quite understand what you were saying about .family and xt_register_match?

'was saying that when using xt_register_match(), you _do_ need the ".family"
member in xt_match, because this is what ipt_register_match is:

#define ipt_register_match(x) \
	do { \
		(x)->family = AF_INET; \
		xt_register_match(x); \
	} while (0);


	Jan
-- 

Re: Patch for geoip to make it work with Linux kernel 2.6.22.x

[patric]

Hi,


Just wanted to repost that there is a userspace daemon for this too..

http://bladerunner.mine.nu/CJ/


So if there is a bug in the code only the daemon fails and not the 
entire kernel.. =)

It also eliminates the issues with kernel-revision incompatibility and 
should make  it easier for people to setup. Have not really had any time 
lately to work anything on this, but current release seems to be stable 
and has a current uptime of around a month (my last reboot of that system).


Just don't laugh to much when reading the code... LOTS of really ugly 
code, but it works..  :)


/Patric



Jan Engelhardt wrote:

> On Jul 10 2007 17:44, Svein Olav Bjerkeset wrote:
>   
>> After upgrading to kernel 2.6.22, I found that the geoip patchlet did not
>> compile.
>> I have made a patch that works on my system with kernel 2.6.22.
>> [...]
>> You can download the patch by using the following URL:
>> http://bjerkeset.com/patches/geoip-match-2.6.22.patch.gz
>>     
>
>   
>> diff -urN geoip-20061206/linux-2.6/net/ipv4/netfilter/ipt_geoip.c geoip/linux-2.6/net/ipv4/netfilter/ipt_geoip.c
>> --- geoip-20061206/linux-2.6/net/ipv4/netfilter/ipt_geoip.c	2006-12-06 03:47:46.000000000 +0100
>> +++ geoip/linux-2.6/net/ipv4/netfilter/ipt_geoip.c	2007-07-10 17:17:11.599991698 +0200
>> @@ -110,7 +110,11 @@
>> {
>>    const struct ipt_geoip_info *info = matchinfo;
>>    const struct geoip_info *node; /* This keeps the code sexy */
>> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
>> +   const struct iphdr *iph = ip_hdr(skb);
>> +#else
>>    const struct iphdr *iph = skb->nh.iph;
>> +#endif
>>    u_int32_t ip, j;
>>    u_int8_t i;
>>
>> @@ -276,7 +280,10 @@
>> }
>>
>> static struct ipt_match geoip_match = {
>>     
>
> ipt_match is not defined anymore, and hence should have thrown a compile error
> right away.
>
>   
>> -   .name    = "geoip",
>> +   .name       = "geoip",
>> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
>> +   .family     = AF_INET,
>> +#endif
>>     
>
> .family and is required when using xt_register_match.
> xt_register_match exists since at least 2.6.18.
>
>   
>>    .match      = &match,
>> #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
>>    .matchsize  = sizeof (struct ipt_geoip_info),
>> @@ -288,12 +295,20 @@
>>
>> static int __init init(void)
>> {
>> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
>> +   return xt_register_match(&geoip_match);
>> +#else
>>    return ipt_register_match(&geoip_match);
>> +#endif
>> }
>>
>> static void __exit fini(void)
>> {
>> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
>> +  xt_unregister_match(&geoip_match);
>> +#else
>>   ipt_unregister_match(&geoip_match);
>> +#endif
>>   return;
>> }
>>
>>     
>
>
>
> 	Jan
>   

Re: Patch for geoip to make it work with Linux kernel 2.6.22.x

[Jan Engelhardt]

On Jul 11 2007 01:26, patric wrote:
>
> Just wanted to repost that there is a userspace daemon for this too..
>
> http://bladerunner.mine.nu/CJ/
>
> So if there is a bug in the code only the daemon fails and not the entire
> kernel.. =)
>
> It also eliminates the issues with kernel-revision incompatibility and should
> make  it easier for people to setup.

As far as I know you can only have one NFQUEUE userspace program at a time.

> Have not really had any time lately to
> work anything on this, but current release seems to be stable and has a current
> uptime of around a month (my last reboot of that system).
>
>
> Just don't laugh to much when reading the code... LOTS of really ugly code, but
> it works..  :)
>

	Jan
-- 

Re: Patch for geoip to make it work with Linux kernel 2.6.22.x

[patric]

Yea, that's true as far as i know too.... And that's one con with this...


/Patric


Jan Engelhardt wrote:

> On Jul 11 2007 01:26, patric wrote:
>   
>> Just wanted to repost that there is a userspace daemon for this too..
>>
>> http://bladerunner.mine.nu/CJ/
>>
>> So if there is a bug in the code only the daemon fails and not the entire
>> kernel.. =)
>>
>> It also eliminates the issues with kernel-revision incompatibility and should
>> make  it easier for people to setup.
>>     
>
> As far as I know you can only have one NFQUEUE userspace program at a time.
>
>   
>> Have not really had any time lately to
>> work anything on this, but current release seems to be stable and has a current
>> uptime of around a month (my last reboot of that system).
>>
>>
>> Just don't laugh to much when reading the code... LOTS of really ugly code, but
>> it works..  :)
>>
>>     
>
> 	Jan
>   

Re: Patch for geoip to make it work with Linux kernel 2.6.22.x

[patric]

Or... just did some research on this, and there is a possibility for 
multiple queues...


----------------------------------------------------

NFQUEUE target

The NFQUEUE target is used much the same way as the QUEUE target, and is 
basically an extension of it. The NFQUEUE target allows for sending 
packets for separate and specific queues. The queue is identified by a 
16-bit id.

This target requires the nfnetlink_queue kernel support to run. For more 
information on what you can do with the NFQUEUE target, see the QUEUE 
target.

Table 11-12. NFQUEUE target options
Option    --queue-num
Example    iptables -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE 
--queue-num 30
Explanation    The --queue-num option specifies which queue to use and 
to send the queue'd data to. If this option is skipped, the default 
queue 0 is used. The queue number is a 16 bit unsigned integer, which 
means it can take any value between 0 and 65535. The default 0 queue is 
also used by the QUEUE target.

* Works under Linux kernel 2.6.14 and later.
---------------------------------------------------

So i think it's time to update the kernel and do some mods on my code :)


/Patric




patric wrote:

> Yea, that's true as far as i know too.... And that's one con with this...
>
>
> /Patric
>
>
> Jan Engelhardt wrote:
>
>> On Jul 11 2007 01:26, patric wrote:
>>  
>>> Just wanted to repost that there is a userspace daemon for this too..
>>>
>>> http://bladerunner.mine.nu/CJ/
>>>
>>> So if there is a bug in the code only the daemon fails and not the 
>>> entire
>>> kernel.. =)
>>>
>>> It also eliminates the issues with kernel-revision incompatibility 
>>> and should
>>> make  it easier for people to setup.
>>>     
>>
>> As far as I know you can only have one NFQUEUE userspace program at a 
>> time.
>>
>>  
>>> Have not really had any time lately to
>>> work anything on this, but current release seems to be stable and 
>>> has a current
>>> uptime of around a month (my last reboot of that system).
>>>
>>>
>>> Just don't laugh to much when reading the code... LOTS of really 
>>> ugly code, but
>>> it works..  :)
>>>
>>>     
>>
>>     Jan
>>   
>
>
>