Merge branch 'ipp2p'

Jan Engelhardt
2009-01-10 13:59:43 +01:00
3 changed files with 28 additions and 20 deletions


@@ -22,7 +22,7 @@
static void ipp2p_mt_help(void) static void ipp2p_mt_help(void)
{ {
printf( printf(
"IPP2P v%s options:\n" "ipp2p v%s match options:\n"
" --edk [tcp,udp] All known eDonkey/eMule/Overnet packets\n" " --edk [tcp,udp] All known eDonkey/eMule/Overnet packets\n"
" --dc [tcp] All known Direct Connect packets\n" " --dc [tcp] All known Direct Connect packets\n"
" --kazaa [tcp,udp] All known KaZaA packets\n" " --kazaa [tcp,udp] All known KaZaA packets\n"
@@ -32,19 +32,10 @@ static void ipp2p_mt_help(void)
" --winmx [tcp] All known WinMX\n" " --winmx [tcp] All known WinMX\n"
" --soul [tcp] All known SoulSeek\n" " --soul [tcp] All known SoulSeek\n"
" --ares [tcp] All known Ares\n\n" " --ares [tcp] All known Ares\n\n"
"EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n" "EXPERIMENTAL protocols:\n"
" --mute [tcp] All known Mute packets\n" " --mute [tcp] All known Mute packets\n"
" --waste [tcp] All known Waste packets\n" " --waste [tcp] All known Waste packets\n"
" --xdcc [tcp] All known XDCC packets (only xdcc login)\n\n" " --xdcc [tcp] All known XDCC packets (only xdcc login)\n\n"
"DEBUG SUPPPORT, use only if you know why\n"
" --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
"\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
"You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
"\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
"\nExamples:\n"
" iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
" iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
" iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
, IPP2P_VERSION); , IPP2P_VERSION);
} }


@@ -1,12 +1,12 @@
This module matches certain packets in P2P flows. It is not This module matches certain packets in P2P flows. It is not
designed to match all packets belonging to a P2P connection - designed to match all packets belonging to a P2P connection -
use IPP2P together with CONNMARK for this purpose. Also visit use IPP2P together with CONNMARK for this purpose.
http://www.ipp2p.org for detailed information. .PP
Use it together with -p tcp or -p udp to search these protocols Use it together with -p tcp or -p udp to search these protocols
only or without -p switch to search packets of both protocols. only or without -p switch to search packets of both protocols.
.PP
IPP2P provides the following options: IPP2P provides the following options, of which one or more may be specified
on the command line:
.TP .TP
.B "--edk " .B "--edk "
Matches as many eDonkey/eMule packets as possible. Matches as many eDonkey/eMule packets as possible.
@@ -38,3 +38,11 @@ Matches Ares and AresLite packets. Use together with -j DROP only.
.B "--debug " .B "--debug "
Prints some information about each hit into kernel logfile. May Prints some information about each hit into kernel logfile. May
produce huge logfiles so beware! produce huge logfiles so beware!
.PP
Note that ipp2p may not (and often, does not) identify all packets that are
exchanged as a result of running filesharing programs.
.PP
There is more information on http://ipp2p.org/ , but it has not been updated
since September 2006, and the syntax there is different from the ipp2p.c
provided in Xtables-addons; most importantly, the --ipp2p flag was removed due
to its ambiguity to match "all known" protocols.


@@ -603,8 +603,13 @@ search_all_kazaa(const unsigned char *payload, const unsigned int plen)
{ {
uint16_t c, end, rem; uint16_t c, end, rem;
if (plen >= 5) { if (plen < 5)
printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) < 5\n", /* too short for anything we test for - early bailout */
return 0;
if (plen >= 65535) {
/* Something seems _really_ fishy */
printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) >= 65535\n",
__func__, plen); __func__, plen);
return 0; return 0;
} }
@@ -618,6 +623,10 @@ search_all_kazaa(const unsigned char *payload, const unsigned int plen)
if (memcmp(payload, "GET /", 5) != 0) if (memcmp(payload, "GET /", 5) != 0)
return 0; return 0;
if (plen < 18)
/* The next tests would not succeed anyhow. */
return 0;
end = plen - 18; end = plen - 18;
rem = plen - 5; rem = plen - 5;
for (c = 5; c < end; ++c, --rem) { for (c = 5; c < end; ++c, --rem) {
@@ -828,7 +837,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
switch (ip->protocol) { switch (ip->protocol) {
case IPPROTO_TCP: /* what to do with a TCP packet */ case IPPROTO_TCP: /* what to do with a TCP packet */
{ {
const struct tcphdr *tcph = tcp_hdr(skb); const struct tcphdr *tcph = (const void *)ip + ip_hdrlen(skb);
if (tcph->fin) return 0; /* if FIN bit is set bail out */ if (tcph->fin) return 0; /* if FIN bit is set bail out */
if (tcph->syn) return 0; /* if SYN bit is set bail out */ if (tcph->syn) return 0; /* if SYN bit is set bail out */
@@ -855,7 +864,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
case IPPROTO_UDP: /* what to do with an UDP packet */ case IPPROTO_UDP: /* what to do with an UDP packet */
{ {
const struct udphdr *udph = udp_hdr(skb); const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb);
while (udp_list[i].command) { while (udp_list[i].command) {
if ((info->cmd & udp_list[i].command) == udp_list[i].command && if ((info->cmd & udp_list[i].command) == udp_list[i].command &&
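Review bot: In the `IPPROTO_TCP` and `IPPROTO_UDP` cases of `ipp2p_mt`, `tcph` and `udph` are now computed as `(const void *)ip + ip_hdrlen(skb)` and dereferenced immediately (`tcph->fin`), and nothing visible in these hunks confirms that a complete transport header lies inside the linear part of the skb or that the packet is a first fragment. The function begins outside the hunk, so such a check may already exist earlier; if it does not, a truncated or fragmented packet would make the match read beyond the packet data. I would fetch the header through a local copy, `tcph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);` followed by `if (tcph == NULL) return 0;`, and do the same for UDP. In `search_all_kazaa` the new `plen >= 65535` branch calls `printk` once per packet with no rate limit; guarding it with `if (net_ratelimit())` keeps a packet-driven condition from flooding the kernel log.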