recipes/linux/linux-magicbox-2.6.19.2/140-netfilter_time.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241

diff -urN linux-2.6.19.old/include/linux/netfilter_ipv4/ipt_time.h linux-2.6.19.dev/include/linux/netfilter_ipv4/ipt_time.h
--- linux-2.6.19.old/include/linux/netfilter_ipv4/ipt_time.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19.dev/include/linux/netfilter_ipv4/ipt_time.h	2006-12-14 03:13:45.000000000 +0100
@@ -0,0 +1,18 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
+
+
+struct ipt_time_info {
+	u_int8_t  days_match;   /* 1 bit per day. -SMTWTFS                      */
+	u_int16_t time_start;   /* 0 < time_start < 23*60+59 = 1439             */
+	u_int16_t time_stop;    /* 0:0 < time_stat < 23:59                      */
+
+				/* FIXME: Keep this one for userspace iptables binary compability: */
+	u_int8_t  kerneltime;   /* ignore skb time (and use kerneltime) or not. */
+
+	time_t    date_start;
+	time_t    date_stop;
+};
+
+
+#endif /* __ipt_time_h_included__ */
diff -urN linux-2.6.19.old/net/ipv4/netfilter/ipt_time.c linux-2.6.19.dev/net/ipv4/netfilter/ipt_time.c
--- linux-2.6.19.old/net/ipv4/netfilter/ipt_time.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19.dev/net/ipv4/netfilter/ipt_time.c	2006-12-14 03:13:45.000000000 +0100
@@ -0,0 +1,178 @@
+/*
+  This is a module which is used for time matching
+  It is using some modified code from dietlibc (localtime() function)
+  that you can find at http://www.fefe.de/dietlibc/
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from: ftp://prep.ai.mit.edu/pub/gnu/GPL
+  2001-05-04 Fabrice MARIE <fabrice@netfilter.org> : initial development.
+  2001-21-05 Fabrice MARIE <fabrice@netfilter.org> : bug fix in the match code,
+     thanks to "Zeng Yu" <zengy@capitel.com.cn> for bug report.
+  2001-26-09 Fabrice MARIE <fabrice@netfilter.org> : force the match to be in LOCAL_IN or PRE_ROUTING only.
+  2001-30-11 Fabrice : added the possibility to use the match in FORWARD/OUTPUT with a little hack,
+     added Nguyen Dang Phuoc Dong <dongnd@tlnet.com.vn> patch to support timezones.
+  2004-05-02 Fabrice : added support for date matching, from an idea of Fabien COELHO.
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_time.h>
+#include <linux/time.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
+MODULE_DESCRIPTION("Match arrival timestamp/date");
+MODULE_LICENSE("GPL");
+
+struct tm
+{
+	int tm_sec;                   /* Seconds.     [0-60] (1 leap second) */
+	int tm_min;                   /* Minutes.     [0-59] */
+	int tm_hour;                  /* Hours.       [0-23] */
+	int tm_mday;                  /* Day.         [1-31] */
+	int tm_mon;                   /* Month.       [0-11] */
+	int tm_year;                  /* Year - 1900.  */
+	int tm_wday;                  /* Day of week. [0-6] */
+	int tm_yday;                  /* Days in year.[0-365] */
+	int tm_isdst;                 /* DST.         [-1/0/1]*/
+
+	long int tm_gmtoff;           /* we don't care, we count from GMT */
+	const char *tm_zone;          /* we don't care, we count from GMT */
+};
+
+void
+localtime(const u32 time, struct tm *r);
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const struct xt_match *match,
+      const void *matchinfo,
+      int offset,
+      unsigned int protoff,
+      int *hotdrop)
+{
+	const struct ipt_time_info *info = matchinfo;   /* match info for rule */
+	struct tm currenttime;                          /* time human readable */
+	u_int8_t days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
+	u_int16_t packet_time;
+
+	/* We might not have a timestamp, get one */
+	if (skb->tstamp.off_sec == 0)
+		__net_timestamp((struct sk_buff *)skb);
+
+	/* First we make sure we are in the date start-stop boundaries */
+	if ((skb->tstamp.off_sec < info->date_start) || (skb->tstamp.off_sec > info->date_stop))
+		return 0; /* We are outside the date boundaries */
+
+	/* Transform the timestamp of the packet, in a human readable form */
+	localtime(skb->tstamp.off_sec, &currenttime);
+
+	/* check if we match this timestamp, we start by the days... */
+	if ((days_of_week[currenttime.tm_wday] & info->days_match) != days_of_week[currenttime.tm_wday])
+		return 0; /* the day doesn't match */
+
+	/* ... check the time now */
+	packet_time = (currenttime.tm_hour * 60) + currenttime.tm_min;
+	if ((packet_time < info->time_start) || (packet_time > info->time_stop))
+		return 0;
+
+	/* here we match ! */
+	return 1;
+}
+
+static int
+checkentry(const char *tablename,
+           const void *ip,
+	   const struct xt_match *match,
+           void *matchinfo,
+           unsigned int hook_mask)
+{
+	struct ipt_time_info *info = matchinfo;   /* match info for rule */
+
+	/* First, check that we are in the correct hooks */
+	if (hook_mask
+            & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | (1 << NF_IP_LOCAL_OUT)))
+	{
+		printk("ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)\n");
+		return 0;
+	}
+
+	/* Now check the coherence of the data ... */
+	if ((info->time_start > 1439) ||        /* 23*60+59 = 1439*/
+	    (info->time_stop  > 1439))
+	{
+		printk(KERN_WARNING "ipt_time: invalid argument\n");
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_match time_match = {
+	.name = "time",
+	.match = &match,
+	.matchsize = sizeof(struct ipt_time_info),
+	.checkentry = &checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	printk("ipt_time loading\n");
+	return ipt_register_match(&time_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&time_match);
+	printk("ipt_time unloaded\n");
+}
+
+module_init(init);
+module_exit(fini);
+
+
+/* The part below is borowed and modified from dietlibc */
+
+/* seconds per day */
+#define SPD 24*60*60
+
+void
+localtime(const u32 time, struct tm *r) {
+	u32 i, timep;
+	extern struct timezone sys_tz;
+	const unsigned int __spm[12] =
+		{ 0,
+		  (31),
+		  (31+28),
+		  (31+28+31),
+		  (31+28+31+30),
+		  (31+28+31+30+31),
+		  (31+28+31+30+31+30),
+		  (31+28+31+30+31+30+31),
+		  (31+28+31+30+31+30+31+31),
+		  (31+28+31+30+31+30+31+31+30),
+		  (31+28+31+30+31+30+31+31+30+31),
+		  (31+28+31+30+31+30+31+31+30+31+30),
+		};
+	register u32 work;
+
+	timep = time - (sys_tz.tz_minuteswest * 60);
+	work=timep%(SPD);
+	r->tm_sec=work%60; work/=60;
+	r->tm_min=work%60; r->tm_hour=work/60;
+	work=timep/(SPD);
+	r->tm_wday=(4+work)%7;
+	for (i=1970; ; ++i) {
+		register time_t k= (!(i%4) && ((i%100) || !(i%400)))?366:365;
+		if (work>k)
+			work-=k;
+		else
+			break;
+	}
+	r->tm_year=i-1900;
+	for (i=11; i && __spm[i]>work; --i) ;
+	r->tm_mon=i;
+	r->tm_mday=work-__spm[i]+1;
+}
diff -urN linux-2.6.19.old/net/ipv4/netfilter/Kconfig linux-2.6.19.dev/net/ipv4/netfilter/Kconfig
--- linux-2.6.19.old/net/ipv4/netfilter/Kconfig	2006-12-14 03:13:45.000000000 +0100
+++ linux-2.6.19.dev/net/ipv4/netfilter/Kconfig	2006-12-14 03:13:45.000000000 +0100
@@ -263,6 +263,22 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+
+config IP_NF_MATCH_TIME
+	tristate  'TIME match support'
+	depends on IP_NF_IPTABLES
+	help
+	  This option adds a `time' match, which allows you
+	  to match based on the packet arrival time/date
+	  (arrival time/date at the machine which netfilter is running on) or
+	  departure time/date (for locally generated packets).
+
+	  If you say Y here, try iptables -m time --help for more information.
+	  If you want to compile it as a module, say M here and read
+
+	  Documentation/modules.txt.  If unsure, say `N'.
+
+
 config IP_NF_MATCH_RECENT
 	tristate "recent match support"
 	depends on IP_NF_IPTABLES
diff -urN linux-2.6.19.old/net/ipv4/netfilter/Makefile linux-2.6.19.dev/net/ipv4/netfilter/Makefile
--- linux-2.6.19.old/net/ipv4/netfilter/Makefile	2006-12-14 03:13:45.000000000 +0100
+++ linux-2.6.19.dev/net/ipv4/netfilter/Makefile	2006-12-14 03:13:45.000000000 +0100
@@ -58,6 +58,7 @@
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
+obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
 obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o