author | 2003-11-17 16:35:26 +0000 | |
---|---|---|
committer | 2003-11-17 16:35:26 +0000 | |
commit | 60007f2089cd6be1483d86de9c8240db90e227be (patch) | |
tree | 025a5e892397623fba74a6838022e4b6a598071f /sys-kernel/gentoo-sources | |
parent | stable on alpha (diff) | |
Added ROUTE patch to get iptables 1.2.9 to compile properly - Bug #32778
Diffstat (limited to 'sys-kernel/gentoo-sources')
-rw-r--r-- | sys-kernel/gentoo-sources/ChangeLog | 6 | ||||
-rw-r--r-- | sys-kernel/gentoo-sources/Manifest | 5 | ||||
-rw-r--r-- | sys-kernel/gentoo-sources/files/gentoo-sources-2.4.20-ipt-route.patch | 449 | ||||
-rw-r--r-- | sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r8.ebuild | 5 |
4 files changed, 461 insertions, 4 deletions
diff --git a/sys-kernel/gentoo-sources/ChangeLog b/sys-kernel/gentoo-sources/ChangeLog index 3bc1c0c9a0a7..5857fb7172c0 100644 --- a/sys-kernel/gentoo-sources/ChangeLog +++ b/sys-kernel/gentoo-sources/ChangeLog @@ -1,6 +1,10 @@ # ChangeLog for sys-kernel/gentoo-sources # Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/ChangeLog,v 1.37 2003/10/21 16:44:59 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/ChangeLog,v 1.38 2003/11/17 16:35:12 plasmaroo Exp $ + + 17 Nov 2003; <plasmaroo@gentoo.org> gentoo-sources-2.4.20-r8.ebuild, + files/gentoo-sources-2.4.20-ipt-route.patch: Added the new ROUTE patch + required to build iptables-1.2.9 properly. *gentoo-sources-2.4.20-r8 (21 Oct 2003) diff --git a/sys-kernel/gentoo-sources/Manifest b/sys-kernel/gentoo-sources/Manifest index 04a7896cfaeb..e886b62a6923 100644 --- a/sys-kernel/gentoo-sources/Manifest +++ b/sys-kernel/gentoo-sources/Manifest @@ -1,6 +1,6 @@ -MD5 3a28ca625fa4e11c632d9c80071c3447 ChangeLog 10769 +MD5 5fd75194ed98d9aa7ed96a96809fa563 ChangeLog 10960 MD5 608fe99985244b0445f76cee44c9ae14 metadata.xml 290 -MD5 73e93003f3d428f0211e324428a73032 gentoo-sources-2.4.20-r8.ebuild 5217 +MD5 df486e3dd2b5ed63bb861d644bb05cd5 gentoo-sources-2.4.20-r8.ebuild 5329 MD5 d5979ff24ef45e712ff68e48cf7c66c0 gentoo-sources-2.4.19-r10.ebuild 2113 MD5 401c0e324d9c0a514bf972a76db6b554 gentoo-sources-2.4.20-r7.ebuild 5149 MD5 4a2e7892431d591f82bb474d737cb4eb gentoo-sources-2.4.20-r5.ebuild 4571 
@@ -17,6 +17,7 @@ MD5 6bd1b3d66aca4f2ae0cfd964caa28cc9 files/gentoo-sources-2.4.20-devfs-snd-fix.p
 MD5 849223b7d8e6c9c2a22f84b571aa516c files/digest-gentoo-sources-2.4.20-r7 145
 MD5 3bf2f78421fe7eb5babc154d4ad4dbbd files/security.patch1 14328
 MD5 857ff623313f874e811763a2db96e831 files/lcall-DoS.patch 885
+MD5 012e8ba5d18dbb8d508ac4955e143e3a files/gentoo-sources-2.4.20-ipt-route.patch 13307
 MD5 cbd2a33f15a8d2e7ab700a0b45fac377 files/gentoo-sources-2.4.20-grsec-disabled.patch 562
 MD5 849223b7d8e6c9c2a22f84b571aa516c files/digest-gentoo-sources-2.4.20-r8 145
 MD5 849223b7d8e6c9c2a22f84b571aa516c files/digest-gentoo-sources-2.4.20-r5 145
diff --git a/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.20-ipt-route.patch b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.20-ipt-route.patch
new file mode 100644
index 000000000000..2258b5890663
--- /dev/null
+++ b/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.20-ipt-route.patch
@@ -0,0 +1,449 @@
+diff -Nru linux-2.4.20/Documentation/Configure.help linux-2.4.20-pom2patch/Documentation/Configure.help
+--- linux-2.4.20/Documentation/Configure.help 2003-05-02 12:56:58.000000000 -0500
++++ linux-2.4.20-pom2patch/Documentation/Configure.help 2003-05-02 12:57:00.000000000 -0500
+@@ -3118,6 +3118,24 @@
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
++
++ROUTE target support
++CONFIG_IP_NF_TARGET_ROUTE
++ This option adds a `ROUTE' target, which enables you to setup unusual
++ routes not supported by the standard kernel routing table.
++ For example, the ROUTE lets you directly route a received packet through
++ an interface or towards a host, even if the regular destination of the
++ packet is the router itself. The ROUTE target is also able to change the
++ incoming interface of a packet.
++
++ This target does never modify the packet and is a final target.
++ It has to be used inside the mangle table.
++
++
++ If you want to compile it as a module, say M here and read
++ Documentation/modules.txt. The module will be called ipt_ROUTE.o.
++ If unsure, say `N'.
++
++
+ LOG target support
+ CONFIG_IP_NF_TARGET_LOG
+ This option adds a `LOG' target, which allows you to create rules in
+diff -Nru linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h linux/include/linux/netfilter_ipv4/ipt_ROUTE.h
+--- linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
++++ linux/include/linux/netfilter_ipv4/ipt_ROUTE.h 2003-07-25 11:05:27.000000000 +0200
+@@ -0,0 +1,22 @@
++/* Header file for iptables ipt_ROUTE target
++ *
++ * (C) 2002 by Cédric de Launois <delaunois@info.ucl.ac.be>
++ *
++ * This software is distributed under GNU GPL v2, 1991
++ */
++#ifndef _IPT_ROUTE_H_target
++#define _IPT_ROUTE_H_target
++
++#define IPT_ROUTE_IFNAMSIZ 16
++
++struct ipt_route_target_info {
++ char oif[IPT_ROUTE_IFNAMSIZ]; /* Output Interface Name */
++ char iif[IPT_ROUTE_IFNAMSIZ]; /* Input Interface Name */
++ u_int32_t gw; /* IP address of gateway */
++ u_int8_t flags;
++};
++
++/* Values for "flags" field */
++#define IPT_ROUTE_CONTINUE 0x01
++
++#endif /*_IPT_ROUTE_H_target*/
+diff -Nru linux-2.4.20/net/ipv4/netfilter/Config.in linux-2.4.20-pom2patch/net/ipv4/netfilter/Config.in
+--- linux-2.4.20/net/ipv4/netfilter/Config.in 2003-05-02 12:56:58.000000000 -0500
++++ linux-2.4.20-pom2patch/net/ipv4/netfilter/Config.in 2003-05-02 12:57:00.000000000 -0500
+@@ -116,6 +116,7 @@
+ dep_tristate ' CLASSIFY target support (EXPERIMENTAL)' CONFIG_IP_NF_TARGET_CLASSIFY $CONFIG_IP_NF_FILTER
+ fi
+ dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
++ dep_tristate ' ROUTE target support' CONFIG_IP_NF_TARGET_ROUTE $CONFIG_IP_NF_IPTABLES
+ if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
+ dep_tristate ' CONNMARK target support' CONFIG_IP_NF_TARGET_CONNMARK $CONFIG_IP_NF_IPTABLES
+ fi
+diff -Nru linux-2.4.20/net/ipv4/netfilter/Makefile linux-2.4.20-pom2patch/net/ipv4/netfilter/Makefile
+--- linux-2.4.20/net/ipv4/netfilter/Makefile 2003-05-02 12:56:58.000000000 -0500
++++ 
linux-2.4.20-pom2patch/net/ipv4/netfilter/Makefile 2003-05-02 12:57:01.000000000 -0500
+@@ -110,6 +110,7 @@
+ obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
+ obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
+ obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
++obj-$(CONFIG_IP_NF_TARGET_ROUTE) += ipt_ROUTE.o
+ obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
+ obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
+ obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
+diff -Nru linux.orig/net/ipv4/netfilter/ipt_ROUTE.c linux/net/ipv4/netfilter/ipt_ROUTE.c
+--- linux.orig/net/ipv4/netfilter/ipt_ROUTE.c 1970-01-01 01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ipt_ROUTE.c 2003-07-25 11:07:47.000000000 +0200
+@@ -0,0 +1,369 @@
++/*
++ * This implements the ROUTE target, which enables you to setup unusual
++ * routes not supported by the standard kernel routing table.
++ *
++ * Copyright (C) 2002 Cedric de Launois <delaunois@info.ucl.ac.be>
++ *
++ * v 1.8 2003/07/25
++ *
++ * This software is distributed under GNU GPL v2, 1991
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_ROUTE.h>
++#include <linux/netdevice.h>
++#include <linux/route.h>
++#include <net/ip.h>
++#include <net/route.h>
++#include <net/icmp.h>
++
++#if 0
++#define DEBUGP printk
++#else
++#define DEBUGP(format, args...)
++#endif
++
++
++/* Try to route the packet according to the routing keys specified in
++ * route_info. 
Keys are :
++ * - ifindex :
++ * 0 if no oif preferred,
++ * otherwise set to the index of the desired oif
++ * - route_info->gw :
++ * 0 if no gateway specified,
++ * otherwise set to the next host to which the pkt must be routed
++ * If success, skb->dev is the output device to which the packet must
++ * be sent and skb->dst is not NULL
++ *
++ * RETURN: -1 if an error occured
++ * 1 if the packet was succesfully routed to the
++ * destination desired
++ * 0 if the kernel routing table could not route the packet
++ * according to the keys specified
++ */
++static int route(struct sk_buff *skb,
++ unsigned int ifindex,
++ const struct ipt_route_target_info *route_info)
++{
++ int err;
++ struct rtable *rt;
++ struct iphdr *iph = skb->nh.iph;
++ struct rt_key key = {
++ dst:iph->daddr,
++ src:0,
++ oif:ifindex,
++ tos:RT_TOS(iph->tos)
++ };
++
++ /* The destination address may be overloaded by the target */
++ if (route_info->gw)
++ key.dst = route_info->gw;
++
++ /* Trying to route the packet using the standard routing table. */
++ if ((err = ip_route_output_key(&rt, &key))) {
++ if (net_ratelimit())
++ DEBUGP("ipt_ROUTE: couldn't route pkt (err: %i)",err);
++ return -1;
++ }
++
++ /* Drop old route. */
++ dst_release(skb->dst);
++ skb->dst = NULL;
++
++ /* Success if no oif specified or if the oif correspond to the
++ * one desired */
++ if (!ifindex || rt->u.dst.dev->ifindex == ifindex) {
++ skb->dst = &rt->u.dst;
++ skb->dev = skb->dst->dev;
++ return 1;
++ }
++
++ /* The interface selected by the routing table is not the one
++ * specified by the user. This may happen because the dst address
++ * is one of our own addresses. 
++ */
++ if (net_ratelimit())
++ DEBUGP("ipt_ROUTE: failed to route as desired gw=%u.%u.%u.%u oif=%i (got oif=%i)\n",
++ NIPQUAD(route_info->gw), ifindex, rt->u.dst.dev->ifindex);
++
++ return 0;
++}
++
++
++/* Stolen from ip_finish_output2
++ * PRE : skb->dev is set to the device we are leaving by
++ * skb->dst is not NULL
++ * POST: the packet is sent with the link layer header pushed
++ * the packet is destroyed
++ */
++static void ip_direct_send(struct sk_buff *skb)
++{
++ struct dst_entry *dst = skb->dst;
++ struct hh_cache *hh = dst->hh;
++
++ if (hh) {
++ read_lock_bh(&hh->hh_lock);
++ memcpy(skb->data - 16, hh->hh_data, 16);
++ read_unlock_bh(&hh->hh_lock);
++ skb_push(skb, hh->hh_len);
++ hh->hh_output(skb);
++ } else if (dst->neighbour)
++ dst->neighbour->output(skb);
++ else {
++ if (net_ratelimit())
++ DEBUGP(KERN_DEBUG "ipt_ROUTE: no hdr & no neighbour cache!\n");
++ kfree_skb(skb);
++ }
++}
++
++
++/* PRE : skb->dev is set to the device we are leaving by
++ * POST: - the packet is directly sent to the skb->dev device, without
++ * pushing the link layer header.
++ * - the packet is destroyed
++ */
++static inline int dev_direct_send(struct sk_buff *skb)
++{
++ return dev_queue_xmit(skb);
++}
++
++
++static unsigned int route_oif(const struct ipt_route_target_info *route_info,
++ struct sk_buff *skb)
++{
++ unsigned int ifindex = 0;
++ struct net_device *dev_out = NULL;
++
++ /* The user set the interface name to use.
++ * Getting the current interface index. 
++ */
++ if ((dev_out = dev_get_by_name(route_info->oif))) {
++ ifindex = dev_out->ifindex;
++ } else {
++ /* Unknown interface name : packet dropped */
++ if (net_ratelimit())
++ DEBUGP("ipt_ROUTE: oif interface %s not found\n", route_info->oif);
++ return NF_DROP;
++ }
++
++ /* Trying the standard way of routing packets */
++ switch (route(skb, ifindex, route_info)) {
++ case 1:
++ dev_put(dev_out);
++ if (route_info->flags & IPT_ROUTE_CONTINUE)
++ return IPT_CONTINUE;
++
++ ip_direct_send(skb);
++ return NF_STOLEN;
++
++ case 0:
++ /* Failed to send to oif. Trying the hard way */
++ if (route_info->flags & IPT_ROUTE_CONTINUE)
++ return NF_DROP;
++
++ if (net_ratelimit())
++ DEBUGP("ipt_ROUTE: forcing the use of %i\n",
++ ifindex);
++
++ /* We have to force the use of an interface.
++ * This interface must be a tunnel interface since
++ * otherwise we can't guess the hw address for
++ * the packet. For a tunnel interface, no hw address
++ * is needed.
++ */
++ if ((dev_out->type != ARPHRD_TUNNEL)
++ && (dev_out->type != ARPHRD_IPGRE)) {
++ if (net_ratelimit())
++ DEBUGP("ipt_ROUTE: can't guess the hw addr !\n");
++ dev_put(dev_out);
++ return NF_DROP;
++ }
++
++ /* Send the packet. This will also free skb
++ * Do not go through the POST_ROUTING hook because
++ * skb->dst is not set and because it will probably
++ * get confused by the destination IP address.
++ */
++ skb->dev = dev_out;
++ dev_direct_send(skb);
++ dev_put(dev_out);
++ return NF_STOLEN;
++
++ default:
++ /* Unexpected error */
++ dev_put(dev_out);
++ return NF_DROP;
++ }
++}
++
++
++static unsigned int route_iif(const struct ipt_route_target_info *route_info,
++ struct sk_buff *skb)
++{
++ struct net_device *dev_out = NULL;
++ unsigned int ifindex = 0;
++
++ /* Getting the current interface index. 
*/
++ if ((dev_out = dev_get_by_name(route_info->iif)))
++ ifindex = dev_out->ifindex;
++ else {
++ /* Unknown interface name : packet dropped */
++ if (net_ratelimit())
++ DEBUGP("ipt_ROUTE: iif interface %s not found\n", route_info->oif);
++ return NF_DROP;
++ }
++
++ skb->dev = dev_out;
++ dst_release(skb->dst);
++ skb->dst = NULL;
++
++ netif_rx(skb);
++
++ return NF_STOLEN;
++}
++
++
++static unsigned int route_gw(const struct ipt_route_target_info *route_info,
++ struct sk_buff *skb)
++{
++ if (route(skb, 0, route_info)!=1)
++ return NF_DROP;
++
++ if (route_info->flags & IPT_ROUTE_CONTINUE)
++ return IPT_CONTINUE;
++
++ ip_direct_send(skb);
++ return NF_STOLEN;
++}
++
++
++static unsigned int ipt_route_target(struct sk_buff **pskb,
++ unsigned int hooknum,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *targinfo,
++ void *userinfo)
++{
++ const struct ipt_route_target_info *route_info = targinfo;
++ struct sk_buff *skb = *pskb;
++
++ /* If we are at PREROUTING or INPUT hook
++ * the TTL isn't decreased by the IP stack
++ */
++ if (hooknum == NF_IP_PRE_ROUTING ||
++ hooknum == NF_IP_LOCAL_IN) {
++
++ struct iphdr *iph = skb->nh.iph;
++
++ if (iph->ttl <= 1) {
++ struct rtable *rt;
++
++ if (ip_route_output(&rt, iph->saddr, iph->daddr,
++ RT_TOS(iph->tos) | RTO_CONN,
++ 0)) {
++ return NF_DROP;
++ }
++
++ if (skb->dev == rt->u.dst.dev) {
++ /* Drop old route. */
++ dst_release(skb->dst);
++ skb->dst = &rt->u.dst;
++
++ /* this will traverse normal stack, and
++ * thus call conntrack on the icmp packet */
++ icmp_send(skb, ICMP_TIME_EXCEEDED,
++ ICMP_EXC_TTL, 0);
++ }
++
++ return NF_DROP;
++ }
++
++ ip_decrease_ttl(iph);
++ }
++
++ /* Tell conntrack to forget this packet since it may get confused
++ * when a packet is leaving with dst address == our address.
++ * Good idea ? Dunno. Need advice. 
*/
++ if (!(route_info->flags & IPT_ROUTE_CONTINUE)) {
++ nf_conntrack_put(skb->nfct);
++ skb->nfct = NULL;
++ skb->nfcache = 0;
++#ifdef CONFIG_NETFILTER_DEBUG
++ skb->nf_debug = 0;
++#endif
++ }
++
++ if (route_info->oif[0])
++ return route_oif(route_info, *pskb);
++
++ if (route_info->iif[0])
++ return route_iif(route_info, *pskb);
++
++ if (route_info->gw)
++ return route_gw(route_info, *pskb);
++
++ if (net_ratelimit())
++ DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
++
++ return IPT_CONTINUE;
++}
++
++
++static int ipt_route_checkentry(const char *tablename,
++ const struct ipt_entry *e,
++ void *targinfo,
++ unsigned int targinfosize,
++ unsigned int hook_mask)
++{
++ if (strcmp(tablename, "mangle") != 0) {
++ printk("ipt_ROUTE: bad table `%s', use the `mangle' table.\n",
++ tablename);
++ return 0;
++ }
++
++ if (hook_mask & ~( (1 << NF_IP_PRE_ROUTING)
++ | (1 << NF_IP_LOCAL_IN)
++ | (1 << NF_IP_FORWARD)
++ | (1 << NF_IP_LOCAL_OUT)
++ | (1 << NF_IP_POST_ROUTING))) {
++ printk("ipt_ROUTE: bad hook\n");
++ return 0;
++ }
++
++ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_route_target_info))) {
++ printk(KERN_WARNING "ipt_ROUTE: targinfosize %u != %Zu\n",
++ targinfosize,
++ IPT_ALIGN(sizeof(struct ipt_route_target_info)));
++ return 0;
++ }
++
++ return 1;
++}
++
++
++static struct ipt_target ipt_route_reg
++= { { NULL, NULL }, "ROUTE", ipt_route_target, ipt_route_checkentry, NULL,
++ THIS_MODULE };
++
++
++static int __init init(void)
++{
++ if (ipt_register_target(&ipt_route_reg))
++ return -EINVAL;
++
++ return 0;
++}
++
++
++static void __exit fini(void)
++{
++ ipt_unregister_target(&ipt_route_reg);
++}
++
++module_init(init);
++module_exit(fini);
++MODULE_LICENSE("GPL");
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r8.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r8.ebuild
index aef9e7a2bccf..9e20c37a15a5 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r8.ebuild 
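Review bot: ip_direct_send writes the cached link-layer header in front of the packet (`memcpy(skb->data - 16, hh->hh_data, 16)` followed by `skb_push(skb, hh->hh_len)`) without ever checking that the skb has that much headroom, and ipt_route_checkentry accepts the target at NF_IP_PRE_ROUTING, where a packet received on one device is being handed to a different output device whose header may be larger than the headroom the receiving driver left — so this can write before the start of the skb's data buffer. The ip_finish_output2 this was copied from appears to rely on its callers having reserved that headroom, which nothing on this path guarantees, so the send path should grow the headroom before the copy (via skb_cow, assuming it keeps its usual semantics in this tree), as sketched below. Separately, device references are leaked: route_iif never calls dev_put() on the device it obtained from dev_get_by_name(), and route_oif's `case 0` returns NF_DROP under IPT_ROUTE_CONTINUE without `dev_put(dev_out)`, which pins the interface refcount and can keep the interface from being unregistered. route() likewise drops the rtable returned by ip_route_output_key() on the oif-mismatch path without ip_rt_put(rt). The "not found" message in route_iif also prints `route_info->oif` although `route_info->iif` was looked up.
```c
static void ip_direct_send(struct sk_buff *skb)
{
	struct dst_entry *dst = skb->dst;
	struct hh_cache *hh = dst->hh;

	if (hh) {
		/* A packet taken at PRE_ROUTING may have less headroom than
		 * this output device needs; grow it (and un-share a clone)
		 * before writing in front of skb->data. */
		if (skb_cow(skb, hh->hh_len)) {
			kfree_skb(skb);
			return;
		}
		read_lock_bh(&hh->hh_lock);
		memcpy(skb->data - 16, hh->hh_data, 16);
		/* … unchanged: unlock, skb_push, hh->hh_output, neighbour and no-neighbour branches … */
```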
+++ b/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r8.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2003 Gentoo Technologies, Inc. # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r8.ebuild,v 1.1 2003/10/21 16:44:59 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-2.4.20-r8.ebuild,v 1.2 2003/11/17 16:35:12 plasmaroo Exp $ IUSE="build crypt evms2 aavm usagi" @@ -37,6 +37,9 @@ src_unpack() { cd ${WORKDIR}/${KV/8/5} + # Move over new iptables-ROUTE patch + cp ${FILESDIR}/gentoo-sources-2.4.20-ipt-route.patch 727_iptables-ROUTE + # This is the *ratified* aavm USE flag, enables aavm support in this kernel if [ -z "`use aavm`" ]; then einfo "Setting up kernel for rmap support(default)." |
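Review bot: The copy of the ROUTE patch into the kernel tree in src_unpack is unchecked — `cp ${FILESDIR}/gentoo-sources-2.4.20-ipt-route.patch 727_iptables-ROUTE` — so if the copy fails the build carries on without the very patch this revision exists to add. The ebuild convention is to fail loudly: `cp ${FILESDIR}/gentoo-sources-2.4.20-ipt-route.patch 727_iptables-ROUTE || die "failed to copy ipt-route patch"`. How 727_iptables-ROUTE is applied afterwards, and the rest of src_unpack, lie outside this hunk.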