diff --git a/extensions/libxt_ipp2p.c b/extensions/libxt_ipp2p.c index eb0d1f0..5fa1e9c 100644 --- a/extensions/libxt_ipp2p.c +++ b/extensions/libxt_ipp2p.c @@ -22,7 +22,7 @@ static void ipp2p_mt_help(void) { printf( - "IPP2P v%s options:\n" + "ipp2p v%s match options:\n" " --edk [tcp,udp] All known eDonkey/eMule/Overnet packets\n" " --dc [tcp] All known Direct Connect packets\n" " --kazaa [tcp,udp] All known KaZaA packets\n" @@ -32,19 +32,10 @@ static void ipp2p_mt_help(void) " --winmx [tcp] All known WinMX\n" " --soul [tcp] All known SoulSeek\n" " --ares [tcp] All known Ares\n\n" - "EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n" + "EXPERIMENTAL protocols:\n" " --mute [tcp] All known Mute packets\n" " --waste [tcp] All known Waste packets\n" " --xdcc [tcp] All known XDCC packets (only xdcc login)\n\n" - "DEBUG SUPPPORT, use only if you know why\n" - " --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n" - "\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n" - "You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n" - "\nSee README included with this package for more details or visit http://www.ipp2p.org\n" - "\nExamples:\n" - " iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n" - " iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n" - " iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n" , IPP2P_VERSION); } diff --git a/extensions/libxt_ipp2p.man b/extensions/libxt_ipp2p.man index cdaf3c3..9a76451 100644 --- a/extensions/libxt_ipp2p.man +++ b/extensions/libxt_ipp2p.man 
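Review bot: The trimmed help text in ipp2p_mt_help() no longer lists `--debug`, yet the libxt_ipp2p.man hunk of this same commit still carries `.B "--debug "` as unchanged context, so the two user-facing descriptions now disagree. If the option is still parsed (the option table is outside this hunk), keep a short entry such as `"  --debug    Log every hit to the kernel log (verbose)\n"`. If the option was retired, the man page entry should be removed as well.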
@@ -1,12 +1,12 @@ This module matches certain packets in P2P flows. It is not designed to match all packets belonging to a P2P connection - -use IPP2P together with CONNMARK for this purpose. Also visit -http://www.ipp2p.org for detailed information. - +use IPP2P together with CONNMARK for this purpose. +.PP Use it together with -p tcp or -p udp to search these protocols only or without -p switch to search packets of both protocols. - -IPP2P provides the following options: +.PP +IPP2P provides the following options, of which one or more may be specified +on the command line: .TP .B "--edk " Matches as many eDonkey/eMule packets as possible. @@ -38,3 +38,11 @@ Matches Ares and AresLite packets. Use together with -j DROP only. .B "--debug " Prints some information about each hit into kernel logfile. May produce huge logfiles so beware! +.PP +Note that ipp2p may not (and often, does not) identify all packets that are +exchanged as a result of running filesharing programs. +.PP +There is more information on http://ipp2p.org/ , but it has not been updated +since September 2006, and the syntax there is different from the ipp2p.c +provided in Xtables-addons; most importantly, the --ipp2p flag was removed due +to its ambiguity to match "all known" protocols. diff --git a/extensions/xt_ipp2p.c b/extensions/xt_ipp2p.c index 9c407ea..83fa201 100644 --- a/extensions/xt_ipp2p.c +++ b/extensions/xt_ipp2p.c @@ -603,8 +603,13 @@ search_all_kazaa(const unsigned char *payload, const unsigned int plen) { uint16_t c, end, rem; - if (plen >= 5) { - printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) < 5\n", + if (plen < 5) + /* too short for anything we test for - early bailout */ + return 0; + + if (plen >= 65535) { + /* Something seems _really_ fishy */ + printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) >= 65535\n", __func__, plen); return 0; } 
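Review bot: The new `plen >= 65535` cutoff in search_all_kazaa() is explained only as "really fishy", but its practical effect is to keep `plen` within the range of the `uint16_t c, end, rem` locals declared just above, which the next hunk shows being assigned from `plen`. I would say that in the comment, e.g. `/* c, end and rem are 16-bit; a larger plen would be truncated */`, so the bound is not relaxed later without widening the counters. Because this branch is reached from packet contents, the `printk` would also be better guarded with `if (net_ratelimit())`; whether `plen` can actually reach this value depends on the caller, which is not shown. The function body continues past the end of this hunk.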
@@ -618,6 +623,10 @@ search_all_kazaa(const unsigned char *payload, const unsigned int plen) if (memcmp(payload, "GET /", 5) != 0) return 0; + if (plen < 18) + /* The next tests would not succeed anyhow. */ + return 0; + end = plen - 18; rem = plen - 5; for (c = 5; c < end; ++c, --rem) { @@ -828,7 +837,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par) switch (ip->protocol) { case IPPROTO_TCP: /* what to do with a TCP packet */ { - const struct tcphdr *tcph = tcp_hdr(skb); + const struct tcphdr *tcph = (const void *)ip + ip_hdrlen(skb); if (tcph->fin) return 0; /* if FIN bit is set bail out */ if (tcph->syn) return 0; /* if SYN bit is set bail out */ @@ -855,7 +864,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par) case IPPROTO_UDP: /* what to do with an UDP packet */ { - const struct udphdr *udph = udp_hdr(skb); + const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb); while (udp_list[i].command) { if ((info->cmd & udp_list[i].command) == udp_list[i].command &&
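Review bot: The comment on the added `if (plen < 18)` guard understates what it protects. For a payload of 5 to 17 bytes, `end = plen - 18` wraps in unsigned arithmetic, and the bound of the `for (c = 5; c < end; ...)` loop then lies far beyond the payload. Say so at the check, e.g. `/* plen - 18 below would wrap and the scan would run past the payload */`, so nobody later removes it as a mere optimisation. Since the body is a comment plus a statement, braces around it (and around the `plen < 5` check in the previous hunk) would make the extent of the `if` unambiguous. The loop body lies outside the hunk, so the exact reads it performs are not visible here.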
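Review bot: `(const void *)ip + ip_hdrlen(skb)` yields a pointer that is dereferenced right away (`tcph->fin`, `tcph->syn`), and no check is visible in this hunk that a full TCP header lies within the skb's linear data; the same holds for the `udph` assignment in the following hunk. If no such check exists earlier in ipp2p_mt() (its start is outside the hunk), fetch the header into a local `struct tcphdr _tcph` with `skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph)` and return 0 on NULL. The expression also takes its base from `ip` but its length from the skb's network header, which is correct only while `ip` is `ip_hdr(skb)`; `ip->ihl * 4` would take both from the same source.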