compat update: allow building from 2.6.18 onwards

2025-09-06 04:35:12 +02:00 · 2008-03-11 16:59:49 +01:00
parent 10e3d8fe0d
commit 5fd97e9973
10 changed files with 168 additions and 46 deletions
--- a/4
+++ b/4
@@ -12,9 +12,9 @@ in combination with the kernel's Kbuild system.
 Prerequirements
 ===============

-	* xtables(-devel) 1.5.0
+	* xtables(-devel) 1.5.2

-	* kernel-source >= 2.6.22 with prepared output directory
+	* kernel-source >= 2.6.18 with prepared build/output directory


 Selecting extensions
--- a/extensions/compat_skbuff.h
+++ b/extensions/compat_skbuff.h
@@ -0,0 +1,20 @@
+#ifndef COMPAT_SKBUFF_H
+#define COMPAT_SKBUFF_H 1
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
+#else
+#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
+#endif
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
+#	define ip_hdr(skb) ((skb)->nh.iph)
+#	define ip_hdrlen(skb) (ip_hdr(skb)->ihl * 4)
+#	define skb_network_header(skb) ((skb)->nh.raw)
+static inline void skb_reset_network_header(struct sk_buff *skb)
+{
+	skb->nh.raw = skb->data;
+}
+#endif
+
+#endif /* COMPAT_SKBUFF_H */
--- a/extensions/compat_xtables.c
+++ b/extensions/compat_xtables.c
@@ -1,3 +1,4 @@
+#include <linux/ip.h>
 #include <linux/kernel.h>
 #include <linux/list.h>
 #include <linux/slab.h>
@@ -8,9 +9,10 @@
 #include <linux/netfilter_arp.h>
 #include <net/ip.h>
 #include <net/route.h>
+#include "compat_skbuff.h"
 #include "compat_xtnu.h"

-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 static int xtnu_match_run(const struct sk_buff *skb,
    const struct net_device *in, const struct net_device *out,
    const struct xt_match *cm, const void *matchinfo, int offset,
@@ -26,9 +28,17 @@ static int xtnu_match_run(const struct sk_buff *skb,
 	*hotdrop = lo_drop;
 	return lo_ret;
 }
+#endif

+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static int xtnu_match_check(const char *table, const void *entry,
+    const struct xt_match *cm, void *matchinfo, unsigned int matchinfosize,
+    unsigned int hook_mask)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 static int xtnu_match_check(const char *table, const void *entry,
    const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);

@@ -38,15 +48,24 @@ static int xtnu_match_check(const char *table, const void *entry,
 		return true;
 	return nm->checkentry(table, entry, nm, matchinfo, hook_mask);
 }
+#endif

+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo,
+    unsigned int matchinfosize)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);

 	if (nm != NULL && nm->destroy != NULL)
 		nm->destroy(nm, matchinfo);
 }
+#endif

+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 int xtnu_register_match(struct xtnu_match *nt)
 {
 	struct xt_match *ct;
@@ -114,52 +133,65 @@ void xtnu_unregister_matches(struct xtnu_match *nt, unsigned int num)
 		xtnu_unregister_match(&nt[i]);
 }
 EXPORT_SYMBOL_GPL(xtnu_unregister_matches);
-
-static int xtnu_target_check(const char *table, const void *entry,
-    const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	if (nt == NULL)
-		return false;
-	if (nt->checkentry == NULL)
-		/* this is valid, just like if there was no function */
-		return true;
-	return nt->checkentry(table, entry, nt, targinfo, hook_mask);
-}
 #endif

-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 23)
-static bool xtnu_target_check(const char *table, const void *entry,
-    const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	if (nt == NULL)
-		return false;
-	if (nt->checkentry == NULL)
-		/* this is valid, just like if there was no function */
-		return true;
-	return nt->checkentry(table, entry, nt, targinfo, hook_mask);
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static unsigned int xtnu_target_run(struct sk_buff **pskb,
+    const struct net_device *in, const struct net_device *out,
+    unsigned int hooknum, const struct xt_target *ct, const void *targinfo,
+    void *userdata)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 static unsigned int xtnu_target_run(struct sk_buff **pskb,
    const struct net_device *in, const struct net_device *out,
    unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 {
 	struct xtnu_target *nt = xtcompat_nutarget(ct);
 	if (nt != NULL && nt->target != NULL)
 		return nt->target(*pskb, in, out, hooknum, nt, targinfo);
 	return XT_CONTINUE;
 }
+#endif

+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static int xtnu_target_check(const char *table, const void *entry,
+    const struct xt_target *ct, void *targinfo,
+    unsigned int targinfosize, unsigned int hook_mask)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
+static int xtnu_target_check(const char *table, const void *entry,
+    const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
+static bool xtnu_target_check(const char *table, const void *entry,
+    const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(ct);
+	if (nt == NULL)
+		return false;
+	if (nt->checkentry == NULL)
+		/* this is valid, just like if there was no function */
+		return true;
+	return nt->checkentry(table, entry, nt, targinfo, hook_mask);
+}
+#endif
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo,
+    unsigned int targinfosize)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 {
 	struct xtnu_target *nt = xtcompat_nutarget(ct);
 	if (nt != NULL && nt->destroy != NULL)
 		nt->destroy(nt, targinfo);
 }
+#endif

+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 int xtnu_register_target(struct xtnu_target *nt)
 {
 	struct xt_target *ct;
@@ -233,9 +265,14 @@ struct xt_match *xtnu_request_find_match(unsigned int af, const char *name,
    uint8_t revision)
 {
 	static const char *const xt_prefix[] = {
-		[AF_INET]  = "ip",
-		[AF_INET6] = "ip6",
-		[NF_ARP]   = "arp",
+		[AF_UNSPEC] = "x",
+		[AF_INET]   = "ip",
+		[AF_INET6]  = "ip6",
+#ifdef AF_ARP
+		[AF_ARP]    = "arp",
+#elif defined(NF_ARP) && NF_ARP != AF_UNSPEC
+		[NF_ARP]    = "arp",
+#endif
 	};
 	struct xt_match *match;

@@ -251,7 +288,11 @@ EXPORT_SYMBOL_GPL(xtnu_request_find_match);
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 int xtnu_ip_route_me_harder(struct sk_buff *skb, unsigned int addr_type)
 {
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+	return ip_route_me_harder(&skb);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 	return ip_route_me_harder(&skb, addr_type);
+#endif
 }
 EXPORT_SYMBOL_GPL(xtnu_ip_route_me_harder);
 #endif
@@ -310,4 +351,19 @@ int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp)
 EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
 #endif

+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+int xtnu_neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
+{
+	unsigned int hh_alen;
+
+	read_lock_bh(&hh->hh_lock);
+	hh_alen = HH_DATA_ALIGN(hh->hh_len);
+	memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
+	read_unlock_bh(&hh->hh_lock);
+	skb_push(skb, hh->hh_len);
+	return hh->hh_output(skb);
+}
+EXPORT_SYMBOL_GPL(xtnu_neigh_hh_output);
+#endif
+
 MODULE_LICENSE("GPL");
--- a/extensions/compat_xtables.h
+++ b/extensions/compat_xtables.h
@@ -2,10 +2,32 @@
 #define _XTABLES_COMPAT_H 1

 #include <linux/version.h>
+#include "compat_skbuff.h"
 #include "compat_xtnu.h"

-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 22)
-#	warning Kernels below 2.6.22 not supported anymore
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 18)
+#	warning Kernels below 2.6.18 not supported.
+#endif
+
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+#	if !defined(CONFIG_NF_CONNTRACK_MARK) || !defined(CONFIG_NF_CONNTRACK_SECMARK)
+#		warning You have CONFIG_NF_CONNTRACK enabled, but CONFIG_NF_CONNTRACK_MARK or CONFIG_NF_CONNTRACK_SECMARK are not (please enable).
+#	endif
+#	include <net/netfilter/nf_conntrack.h>
+#elif defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
+#	if !defined(CONFIG_IP_NF_CONNTRACK_MARK) || !defined(CONFIG_IP_NF_CONNTRACK_SECMARK)
+#		warning You have CONFIG_IP_NF_CONNTRACK enabled, but CONFIG_IP_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_SECMARK are not (please enable).
+#	endif
+#	include <linux/netfilter_ipv4/ip_conntrack.h>
+#	define nf_conn ip_conntrack
+#	define nf_ct_get ip_conntrack_get
+#	define nf_conntrack_untracked ip_conntrack_untracked
+#else
+#	warning You need either CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK.
+#endif
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+#	define neigh_hh_output xtnu_neigh_hh_output
 #endif

 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
@@ -26,7 +48,7 @@
 #	define init_net__loopback_dev init_net.loopback_dev
 #endif

-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 #	define xt_match              xtnu_match
 #	define xt_register_match     xtnu_register_match
 #	define xt_unregister_match   xtnu_unregister_match
--- a/extensions/compat_xtnu.h
+++ b/extensions/compat_xtnu.h
@@ -5,7 +5,13 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/spinlock.h>

+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+typedef _Bool bool;
+enum { false = 0, true = 1, };
+#endif
+
 struct flowi;
+struct hh_cache;
 struct module;
 struct net_device;
 struct rtable;
@@ -74,5 +80,6 @@ extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
 extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
 extern struct xt_match *xtnu_request_find_match(unsigned int,
 	const char *, uint8_t);
+extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);

 #endif /* _COMPAT_XTNU_H */
--- a/extensions/xt_CHAOS.c
+++ b/extensions/xt_CHAOS.c
@@ -53,7 +53,7 @@ static void xt_chaos_total(const struct xt_chaos_tginfo *info,
 	const int offset        = ntohs(iph->frag_off) & IP_OFFSET;
 	typeof(xt_tarpit) destiny;
 	bool ret;
-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 	int hotdrop = false;
 #else
 	bool hotdrop = false;
@@ -65,7 +65,9 @@ static void xt_chaos_total(const struct xt_chaos_tginfo *info,
 		return;

 	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+	destiny->target(&skb, in, out, hooknum, destiny, NULL, NULL);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 	destiny->target(&skb, in, out, hooknum, destiny, NULL);
 #else
 	destiny->target(skb, in, out, hooknum, destiny, NULL);
@@ -89,7 +91,10 @@ static unsigned int chaos_tg(struct sk_buff *skb, const struct net_device *in,
 	const struct iphdr *iph = ip_hdr(skb);

 	if ((unsigned int)net_random() <= reject_percentage)
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+		return xt_reject->target(&skb, in, out, hooknum,
+		       target->__compat_target, &reject_params, NULL);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 		return xt_reject->target(&skb, in, out, hooknum,
 		       target->__compat_target, &reject_params);
 #else
--- a/extensions/xt_DELUDE.c
+++ b/extensions/xt_DELUDE.c
@@ -99,9 +99,15 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
 		}
 	}

+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
+	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
+	              niph->daddr, csum_partial((char *)tcph,
+	              sizeof(struct tcphdr), 0));
+#else
 	tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
 	              niph->daddr, csum_partial((char *)tcph,
 	              sizeof(struct tcphdr), 0));
+#endif

 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
--- a/extensions/xt_LOGMARK.c
+++ b/extensions/xt_LOGMARK.c
@@ -11,8 +11,9 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
+#include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/x_tables.h>
-#include <net/netfilter/nf_conntrack.h>
+//#include <net/netfilter/nf_conntrack.h>
 #include "compat_xtables.h"
 #include "xt_LOGMARK.h"

@@ -27,7 +28,7 @@ logmark_tg(struct sk_buff *skb, const struct net_device *in,

 	printk("<%u>%.*s""nfmark=0x%x secmark=0x%x classify=0x%x",
 	       info->level, (unsigned int)sizeof(info->prefix), info->prefix,
-	       skb->mark, skb->secmark, skb->priority);
+	       skb_nfmark(skb), skb->secmark, skb->priority);

 	ct = nf_ct_get(skb, &ctinfo);
 	if (ct == NULL) {
--- a/extensions/xt_TARPIT.c
+++ b/extensions/xt_TARPIT.c
@@ -90,7 +90,7 @@ static inline void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)

 	/* This packet will not be the same as the other: clear nf fields */
 	nf_reset(nskb);
-	nskb->mark = 0;
+	skb_nfmark(nskb) = 0;
 	skb_init_secmark(nskb);

 	skb_shinfo(nskb)->gso_size = 0;
@@ -132,9 +132,15 @@ static inline void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)

 	/* Adjust TCP checksum */
 	tcph->check = 0;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
+	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
+	              niph->daddr, csum_partial((char *)tcph,
+	              sizeof(struct tcphdr), 0));
+#else
 	tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
 	              niph->daddr, csum_partial((char *)tcph,
 	              sizeof(struct tcphdr), 0));
+#endif

 	/* Set DF, id = 0 */
 	niph->frag_off = htons(IP_DF);
--- a/extensions/xt_portscan.c
+++ b/extensions/xt_portscan.c
@@ -17,7 +17,7 @@
 #include <linux/version.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_tcpudp.h>
-#include <net/netfilter/nf_nat_rule.h>
+//#include <net/netfilter/nf_conntrack.h>
 #include "xt_portscan.h"
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
@@ -203,7 +203,7 @@ static bool portscan_mt(const struct sk_buff *skb,
 	 * it either when the connection is already VALID.
 	 */
 	if ((ctdata->mark & connmark_mask) == mark_valid ||
-	     (skb->mark & packet_mask) != mark_seen) {
+	     (skb_nfmark(skb) & packet_mask) != mark_seen) {
 		unsigned int n;

 		n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
@@ -211,8 +211,7 @@ static bool portscan_mt(const struct sk_buff *skb,
 		    skb->len - protoff - 4 * tcph->doff);

 		ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
-		((struct sk_buff *)skb)->mark =
-			(skb->mark & ~packet_mask) ^ mark_seen;
+		skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen;
 	}

 	return (info->match_syn && ctdata->mark == mark_synscan) ||