Author: cieciwa Date: Tue Apr 11 12:22:03 2006 GMT Module: SOURCES Tag: LINUX_2_6 ---- Log message: - netfilter rpc module.
---- Files affected: SOURCES: pom-ng-rpc-20060329.patch (NONE -> 1.1.2.1) (NEW) ---- Diffs: ================================================================ Index: SOURCES/pom-ng-rpc-20060329.patch diff -u /dev/null SOURCES/pom-ng-rpc-20060329.patch:1.1.2.1 --- /dev/null Tue Apr 11 14:22:03 2006 +++ SOURCES/pom-ng-rpc-20060329.patch Tue Apr 11 14:21:58 2006 @@ -0,0 +1,1705 @@ + include/linux/netfilter_ipv4/ip_conntrack_rpc.h | 71 +++ + include/linux/netfilter_ipv4/ipt_rpc.h | 35 + + net/ipv4/netfilter/Kconfig | 32 + + net/ipv4/netfilter/Makefile | 1 + net/ipv4/netfilter/ip_conntrack_rpc_tcp.c | 554 ++++++++++++++++++++++++ + net/ipv4/netfilter/ip_conntrack_rpc_udp.c | 527 ++++++++++++++++++++++ + net/ipv4/netfilter/ipt_rpc.c | 443 +++++++++++++++++++ + 7 files changed, 1663 insertions(+) + +diff -Nur --exclude '"*.orig"' linux-2.6.16.2.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h linux-2.6.16.2/include/linux/netfilter_ipv4/ip_conntrack_rpc.h +--- linux-2.6.16.2.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.16.2/include/linux/netfilter_ipv4/ip_conntrack_rpc.h 2006-04-11 14:17:00.000000000 +0200 +@@ -0,0 +1,71 @@ ++/* RPC extension for IP connection tracking, Version 2.2 ++ * (C) 2000 by Marcelo Barbosa Lima <[EMAIL PROTECTED]> ++ * - original rpc tracking module ++ * - "recent" connection handling for kernel 2.3+ netfilter ++ * ++ * (C) 2001 by Rusty Russell <[EMAIL PROTECTED]> ++ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+ ++ * ++ * (C) 2002 by Ian (Larry) Latter <[EMAIL PROTECTED]> ++ * - upgraded conntrack modules to newnat api - kernel 2.4.20+ ++ * - extended matching to support filtering on procedures ++ * ++ * (C) 2005 by David Stes <[EMAIL PROTECTED]> ++ * - upgraded to 2.6.13 API ++ * ++ * ip_conntrack_rpc.h,v 2.2 2003/01/12 18:30:00 ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version ++ * 2 of the License, or (at your option) any later version. ++ ** ++ */ ++ ++#include <asm/param.h> ++#include <linux/sched.h> ++#include <linux/timer.h> ++#include <linux/stddef.h> ++#include <linux/list.h> ++ ++#include <linux/netfilter_ipv4/ip_conntrack_helper.h> ++ ++#ifndef _IP_CONNTRACK_RPC_H ++#define _IP_CONNTRACK_RPC_H ++ ++#define RPC_PORT 111 ++ ++ ++/* Datum in RPC packets are encoded in XDR */ ++#define IXDR_GET_INT32(buf) ((u_int32_t) ntohl((uint32_t)*buf)) ++ ++/* Fast timeout, to deny DoS atacks */ ++#define EXP (60 * HZ) ++ ++/* Normal timeouts */ ++#define EXPIRES (180 * HZ) ++ ++/* For future conections RPC, using client's cache bindings ++ * I'll use ip_conntrack_lock to lock these lists */ ++ ++/* This identifies each request and stores protocol */ ++struct request_p { ++ struct list_head list; ++ ++ u_int32_t xid; ++ u_int32_t ip; ++ u_int16_t port; ++ ++ /* Protocol */ ++ u_int16_t proto; ++ ++ struct timer_list timeout; ++}; ++ ++static inline int request_p_cmp(const struct request_p *p, u_int32_t xid, ++ u_int32_t ip, u_int32_t port) { ++ return (p->xid == xid && p->ip == ip && p->port); ++ ++} ++ ++#endif /* _IP_CONNTRACK_RPC_H */ +diff -Nur --exclude '"*.orig"' linux-2.6.16.2.org/include/linux/netfilter_ipv4/ipt_rpc.h linux-2.6.16.2/include/linux/netfilter_ipv4/ipt_rpc.h +--- linux-2.6.16.2.org/include/linux/netfilter_ipv4/ipt_rpc.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.16.2/include/linux/netfilter_ipv4/ipt_rpc.h 2006-04-11 14:17:00.000000000 +0200 +@@ -0,0 +1,35 @@ ++/* RPC extension for IP netfilter matching, Version 2.2 ++ * (C) 2000 by Marcelo Barbosa Lima <[EMAIL PROTECTED]> ++ * - original rpc tracking module ++ * - "recent" connection handling for kernel 2.3+ netfilter ++ * ++ * (C) 2001 by Rusty Russell <[EMAIL PROTECTED]> ++ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+ ++ * ++ * (C) 2002 by Ian (Larry) Latter <[EMAIL PROTECTED]> ++ * - upgraded conntrack modules to newnat api - kernel 2.4.20+ ++ * - extended matching to support filtering on procedures ++ * ++ * ipt_rpc.h.c,v 2.2 2003/01/12 18:30:00 ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version ++ * 2 of the License, or (at your option) any later version. ++ ** ++ */ ++ ++#ifndef _IPT_RPC_H ++#define _IPT_RPC_H ++ ++struct ipt_rpc_data; ++ ++struct ipt_rpc_info { ++ int inverse; ++ int strict; ++ const char c_procs[1408]; ++ int i_procs; ++ struct ipt_rpc_data *data; ++}; ++ ++#endif /* _IPT_RPC_H */ +diff -Nur --exclude '"*.orig"' linux-2.6.16.2.org/net/ipv4/netfilter/Kconfig linux-2.6.16.2/net/ipv4/netfilter/Kconfig +--- linux-2.6.16.2.org/net/ipv4/netfilter/Kconfig 2006-04-07 18:56:47.000000000 +0200 ++++ linux-2.6.16.2/net/ipv4/netfilter/Kconfig 2006-04-11 14:17:00.000000000 +0200 +@@ -606,5 +606,37 @@ + Allows altering the ARP packet payload: source and destination + hardware and network addresses. + ++config IP_NF_MATCH_RPC ++ tristate 'RPC match support' ++ depends on IP_NF_CONNTRACK && IP_NF_IPTABLES ++ help ++ This adds CONFIG_IP_NF_MATCH_RPC, which is the RPC connection ++ matcher and tracker. ++ ++ This option supplies two connection tracking modules; ++ ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track ++ portmapper requests using UDP and TCP respectively. ++ ++ This option also adds an RPC match module for iptables, which ++ matches both via the old "record match" method and a new ++ "procedure match" method. The older method matches all RPC ++ procedure packets that relate to previously recorded packets ++ seen querying a portmapper. The newer method matches only ++ those RPC procedure packets explicitly specified by the user, ++ and that can then be related to previously recorded packets ++ seen querying a portmapper. ++ ++ These three modules are required if RPCs are to be filtered ++ accurately; as RPCs are allocated pseudo-randomly to UDP and ++ TCP ports as they register with the portmapper. ++ ++ Up to 8 portmapper ports per module, and up to 128 RPC ++ procedures per iptables rule, may be specified by the user, ++ to enable effective RPC management. ++ ++ ++ If you want to compile it as a module, say M here and read ++ <file:Documentation/modules.txt>. If unsure, say `N'. ++ + endmenu + +diff -Nur --exclude '"*.orig"' linux-2.6.16.2.org/net/ipv4/netfilter/Makefile linux-2.6.16.2/net/ipv4/netfilter/Makefile +--- linux-2.6.16.2.org/net/ipv4/netfilter/Makefile 2006-04-07 18:56:47.000000000 +0200 ++++ linux-2.6.16.2/net/ipv4/netfilter/Makefile 2006-04-11 14:17:00.000000000 +0200 +@@ -0,0 +0,1 @@ ++obj-$(CONFIG_IP_NF_MATCH_RPC) += ip_conntrack_rpc_tcp.o ip_conntrack_rpc_udp.o ipt_rpc.o +diff -Nur --exclude '"*.orig"' linux-2.6.16.2.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c linux-2.6.16.2/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c +--- linux-2.6.16.2.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.16.2/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 2006-04-11 14:17:00.000000000 +0200 +@@ -0,0 +1,554 @@ ++/* RPC extension for IP (TCP) connection tracking, Version 2.2 ++ * (C) 2000 by Marcelo Barbosa Lima <[EMAIL PROTECTED]> ++ * - original rpc tracking module ++ * - "recent" connection handling for kernel 2.3+ netfilter ++ * ++ * (C) 2001 by Rusty Russell <[EMAIL PROTECTED]> ++ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+ ++ * ++ * (C) 2002,2003 by Ian (Larry) Latter <[EMAIL PROTECTED]> ++ * - upgraded conntrack modules to newnat api - kernel 2.4.20+ ++ * - extended matching to support filtering on procedures ++ * ++ * (c) 2004,2005 by David Stes <[EMAIL PROTECTED]> ++ * - add nsrexec option for Legato NetWorker ++ * - upgraded to 2.6.12+ conntrack module api ++ * ++ * (c) 2005 by David Stes <[EMAIL PROTECTED]> ++ * - upgraded to 2.6.13 conntrack module api ++ * ++ * ip_conntrack_rpc_tpc.c,v 2.2 2003/01/12 18:30:00 ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version ++ * 2 of the License, or (at your option) any later version. ++ ** ++ * Module load syntax: ++ * insmod ip_conntrack_rpc_tcp.o nsrexec=<n> ports=port1,...port<MAX_PORTS> ++ * ++ * Please give the ports of all RPC servers you wish to connect to. ++ * For example, ports=111,7938 for Legato NetWorker's portmapper on 7938. ++ * If you don't specify ports, the default will be port 111 (SUN portmap). ++ * ++ * Please specify nsrexec, the TCP port of the rexec() service of ++ * Legato NetWorker. For example, nsrexec=7937 ++ * ++ ** ++ * Note to all: ++ * ++ * RPCs should not be exposed to the internet - ask the Pentagon; ++ * ++ * "The unidentified crackers pleaded guilty in July to charges ++ * of juvenile delinquency stemming from a string of Pentagon ++ * network intrusions in February. ++ * ++ * The youths, going by the names TooShort and Makaveli, used ++ * a common server security hole to break in, according to ++ * Dane Jasper, owner of the California Internet service ++ * provider, Sonic. They used the hole, known as the 'statd' ++ * exploit, to attempt more than 800 break-ins, Jasper said." ++ * ++ * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998 ++ * URL: http://www.wired.com/news/politics/0,1283,16098,00.html ++ ** ++ */ ++ ++#include <linux/module.h> ++#include <linux/netfilter.h> ++#include <linux/ip.h> ++#include <net/checksum.h> ++#include <net/tcp.h> ++ ++#include <asm/param.h> ++#include <linux/sched.h> ++#include <linux/timer.h> ++#include <linux/stddef.h> ++#include <linux/list.h> ++ ++#include <linux/netfilter_ipv4/ip_tables.h> ++#include <linux/netfilter_ipv4/ip_conntrack_helper.h> ++#include <linux/netfilter_ipv4/ip_conntrack_rpc.h> ++ ++#define MAX_PORTS 8 ++static int ports[MAX_PORTS]; ++static int ports_n_c = 0; ++static int nsrexec = 0; ++ ++#ifdef MODULE_PARM ++module_param(nsrexec,int, 0400); ++MODULE_PARM_DESC(nsrexec, "TCP port of Legato NetWorker's rexec service"); ++module_param_array(ports, int, &ports_n_c, 0400); ++MODULE_PARM_DESC(ports, "port numbers (TCP/UDP) of RPC portmapper servers"); ++#endif ++ ++MODULE_AUTHOR("Marcelo Barbosa Lima <[EMAIL PROTECTED]>"); ++MODULE_DESCRIPTION("RPC TCP connection tracking module"); ++MODULE_LICENSE("GPL"); ++ ++#define PRINTK(format, args...) printk(KERN_DEBUG "ip_conntrack_rpc_tcp: " \ ++ format, ## args) ++ ++#if 0 ++#define DEBUGP(format, args...) printk(KERN_DEBUG "ip_conntrack_rpc_tcp: " \ ++ format, ## args) ++#else ++#define DEBUGP(format, args...) ++#endif ++ ++DEFINE_RWLOCK(ipct_rpc_tcp_lock); ++ ++#define ASSERT_READ_LOCK(x) ++#define ASSERT_WRITE_LOCK(x) ++ ++#include <linux/netfilter_ipv4/listhelp.h> ++ ++/* For future conections RPC, using client's cache bindings ++ * I'll use ip_conntrack_lock to lock these lists */ ++ ++LIST_HEAD(request_p_list_tcp); ++ ++ ++static void delete_request_p(unsigned long request_p_ul) ++{ ++ struct request_p *p = (void *)request_p_ul; ++ ++ write_lock_bh(&ipct_rpc_tcp_lock); ++ LIST_DELETE(&request_p_list_tcp, p); ++ write_unlock_bh(&ipct_rpc_tcp_lock); ++ kfree(p); ++ return; ++} ++ ++ ++static void req_cl(struct request_p * r) ++{ ++ write_lock_bh(&ipct_rpc_tcp_lock); ++ del_timer(&r->timeout); ++ LIST_DELETE(&request_p_list_tcp, r); ++ write_unlock_bh(&ipct_rpc_tcp_lock); ++ kfree(r); ++ return; ++} ++ ++ ++static void clean_request(struct list_head *list) ++{ ++ struct list_head *first = list->prev; ++ struct list_head *temp = list->next; ++ struct list_head *aux; ++ ++ if (list_empty(list)) ++ return; ++ ++ while (first != temp) { ++ aux = temp->next; ++ req_cl((struct request_p *)temp); ++ temp = aux; ++ } ++ req_cl((struct request_p *)temp); ++ return; ++} ++ ++ ++static void alloc_request_p(u_int32_t xid, u_int16_t proto, u_int32_t ip, ++ u_int16_t port) ++{ ++ struct request_p *req_p; ++ ++ /* Verifies if entry already exists */ ++ write_lock_bh(&ipct_rpc_tcp_lock); ++ req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp, ++ struct request_p *, xid, ip, port); ++ ++ if (req_p) { ++ /* Refresh timeout */ ++ if (del_timer(&req_p->timeout)) { ++ req_p->timeout.expires = jiffies + EXP; ++ add_timer(&req_p->timeout); ++ } ++ write_unlock_bh(&ipct_rpc_tcp_lock); ++ return; ++ ++ } ++ write_unlock_bh(&ipct_rpc_tcp_lock); ++ ++ /* Allocate new request_p */ ++ req_p = (struct request_p *) kmalloc(sizeof(struct request_p), GFP_ATOMIC); ++ if (!req_p) { ++ DEBUGP("can't allocate request_p\n"); ++ return; ++ } ++ ++ req_p->list.next = NULL; ++ req_p->list.prev = NULL; ++ req_p->xid = xid; ++ req_p->ip = ip; ++ req_p->port = port; ++ req_p->proto = proto; ++ ++ /* Initialize timer */ ++ init_timer(&req_p->timeout); ++ req_p->timeout.expires = jiffies + EXP; ++ req_p->timeout.data = (unsigned long)req_p; ++ req_p->timeout.function = delete_request_p; ++ add_timer(&req_p->timeout); ++ ++ /* Put in list */ ++ write_lock_bh(&ipct_rpc_tcp_lock); ++ list_prepend(&request_p_list_tcp, req_p); ++ write_unlock_bh(&ipct_rpc_tcp_lock); ++ return; ++} ++ ++ ++static int check_rpc_packet(const u_int32_t *data, ++ int dir, struct ip_conntrack *ct, ++ struct list_head request_p_list) ++{ ++ u_int32_t xid; ++ int ret = NF_ACCEPT; ++ struct request_p *req_p; ++ struct ip_conntrack_expect *exp; ++ ++ ++ if (ct == NULL) { ++ DEBUGP("ct is NULL"); ++ return ret; ++ } ++ ++ /* Translstion's buffer for XDR */ ++ u_int16_t port_buf; ++ ++ /* Get XID */ ++ xid = *data; ++ ++ /* This does sanity checking on RPC payloads, ++ * and permits only the RPC "get port" (3) ++ * in authorised procedures in client ++ * communications with the portmapper. ++ */ ++ ++ /* perform direction dependant RPC work */ ++ if (dir == IP_CT_DIR_ORIGINAL) { ++ ++ data += 5; ++ ++ /* Get RPC requestor */ ++ if (IXDR_GET_INT32(data) != 3) { ++ DEBUGP("RPC packet contains an invalid (non \"get\") requestor. [skip]\n"); ++ return NF_ACCEPT; ++ } ++ DEBUGP("RPC packet contains a \"get\" requestor. [cont]\n"); ++ ++ data++; ++ ++ /* Jump Credentials and Verfifier */ ++ data += IXDR_GET_INT32(data) + 2; ++ data += IXDR_GET_INT32(data) + 2; ++ ++ /* Get RPC procedure */ ++ DEBUGP("RPC packet contains procedure request [%u]. [cont]\n", ++ (unsigned int)IXDR_GET_INT32(data)); ++ ++ /* Get RPC protocol and store against client parameters */ ++ data = data + 2; ++ alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.ip, ++ ct->tuplehash[dir].tuple.src.u.all); ++ ++ DEBUGP("allocated RPC req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n", ++ xid, IXDR_GET_INT32(data), ++ NIPQUAD(ct->tuplehash[dir].tuple.src.ip), ++ ntohs(ct->tuplehash[dir].tuple.src.u.all)); ++ ++ DEBUGP("allocated RPC request for protocol %u. [done]\n", ++ (unsigned int)IXDR_GET_INT32(data)); ++ ++ } else { ++ ++ /* Check for returning packet's stored counterpart */ ++ req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp, ++ struct request_p *, xid, ++ ct->tuplehash[!dir].tuple.src.ip, ++ ct->tuplehash[!dir].tuple.src.u.all); ++ ++ /* Drop unexpected packets */ ++ if (!req_p) { ++ DEBUGP("packet is not expected. [skip]\n"); ++ return NF_ACCEPT; ++ } ++ ++ /* Verifies if packet is really an RPC reply packet */ ++ data++; ++ if (IXDR_GET_INT32(data) != 1) { ++ DEBUGP("packet is not a valid RPC reply. [skip]\n"); ++ return NF_ACCEPT; ++ } ++ ++ /* Is status accept? */ ++ data++; ++ if (IXDR_GET_INT32(data)) { ++ DEBUGP("packet is not an RPC accept. [skip]\n"); ++ return NF_ACCEPT; ++ } ++ ++ /* Get Verifier length. Jump verifier */ ++ data++; ++ data = data + IXDR_GET_INT32(data) + 2; ++ ++ /* Is accpet status "success"? */ ++ if (IXDR_GET_INT32(data)) { ++ DEBUGP("packet is not an RPC accept status of success. [skip]\n"); ++ return NF_ACCEPT; ++ } ++ ++ /* Get server port number */ ++ data++; ++ port_buf = (u_int16_t) IXDR_GET_INT32(data); ++ ++ /* If a packet has made it this far then it deserves an ++ * expectation ... if port == 0, then this service is ++ * not going to be registered. ++ */ ++ if (port_buf && port_buf != nsrexec) { ++ DEBUGP("port found: %u\n", port_buf); ++ ++ exp = ip_conntrack_expect_alloc(ct); ++ if (!exp) { ++ ret = NF_DROP; ++ goto out; ++ } ++ ++ /* Watch out, Radioactive-Man! */ ++ exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip; ++ exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip; ++ exp->mask.src.ip = 0xffffffff; ++ exp->mask.dst.ip = 0xffffffff; ++ ++ switch (req_p->proto) { ++ case IPPROTO_UDP: ++ exp->tuple.src.u.udp.port = 0; ++ exp->tuple.dst.u.udp.port = htons(port_buf); ++ exp->tuple.dst.protonum = IPPROTO_UDP; ++ exp->mask.src.u.udp.port = 0; ++ exp->mask.dst.u.udp.port = htons(0xffff); ++ exp->mask.dst.protonum = 0xff; ++ break; ++ ++ case IPPROTO_TCP: ++ exp->tuple.src.u.tcp.port = 0; ++ exp->tuple.dst.u.tcp.port = htons(port_buf); ++ exp->tuple.dst.protonum = IPPROTO_TCP; ++ exp->mask.src.u.tcp.port = 0; ++ exp->mask.dst.u.tcp.port = htons(0xffff); ++ exp->mask.dst.protonum = 0xff; ++ break; ++ } ++ exp->expectfn = NULL; ++ exp->master = ct; ++ ++ if (exp->master->helper == NULL) { ++ DEBUGP("master helper NULL"); ++ ret = NF_ACCEPT; ++ } ++ ++ DEBUGP("expect related ip %u.%u.%u.%u:0-%u.%u.%u.%u:%u proto=%u\n", ++ NIPQUAD(exp->tuple.src.ip), ++ NIPQUAD(exp->tuple.dst.ip), ++ port_buf, req_p->proto); ++ ++ DEBUGP("expect related mask %u.%u.%u.%u:0-%u.%u.%u.%u:65535 proto=%u\n", ++ NIPQUAD(exp->mask.src.ip), ++ NIPQUAD(exp->mask.dst.ip), ++ exp->mask.dst.protonum); ++ ++ if (ip_conntrack_expect_related(exp) != 0) { ++ ret = NF_DROP; ++ } ++ ++ } ++ ++out: ++ req_cl(req_p); ++ ++ DEBUGP("packet evaluated. [expect]\n"); ++ } ++ ++ return ret; ++ ++} ++ ++ ++/* RPC TCP helper */ ++/* static int help(const struct iphdr *iph, size_t len, ++ struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) */ ++static int help(struct sk_buff **pskb, ++ struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) ++{ ++ int dir; ++ int crp_ret; ++ struct tcphdr _tcph, *tcph; ++ const u_int32_t *data; ++ size_t tcplen; ++ struct iphdr *iph; ++ size_t len; ++ ++ /* Not whole TCP header? */ ++ iph=(*pskb)->nh.iph; ++ tcph = skb_header_pointer(*pskb,iph->ihl*4,sizeof(_tcph),&_tcph); ++ if (!tcph) ++ return NF_ACCEPT; ++ ++ len = (*pskb)->len; /* stes */ ++ data = (const u_int32_t *)tcph + tcph->doff; ++ tcplen = len - iph->ihl * 4; ++ dir = CTINFO2DIR(ctinfo); ++ ++ DEBUGP("new packet to evaluate ..\n"); ++ ++ /* This works for packets like handshake packets, ignore */ ++ if (len == ((tcph->doff + iph->ihl) * 4)) { ++ DEBUGP("packet has no data (may still be handshaking). [skip]\n"); ++ return NF_ACCEPT; ++ } ++ ++ /* Until there's been traffic both ways, don't look in packets. */ ++ if (ctinfo != IP_CT_ESTABLISHED ++ && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { ++ DEBUGP("connection tracking state is; ctinfo=%u ..\n", ctinfo); <<Diff was trimmed, longer than 597 lines>> _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit