From: Jo-Philipp Wich <jow@openwrt.org>
Date: Mon, 5 Apr 2010 22:38:40 +0000 (+0000)
Subject: add kernel support for iptables comment match
X-Git-Tag: reboot~20315
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=22e3bd0d8b95ca6db63e0370d88433b61d0f370b;p=openwrt%2Fstaging%2Fchunkeey.git

add kernel support for iptables comment match

SVN-Revision: 20720
---

diff --git a/target/linux/generic-2.4/patches/630-netfilter_comment.patch b/target/linux/generic-2.4/patches/630-netfilter_comment.patch
new file mode 100644
index 0000000000..1181d065e6
--- /dev/null
+++ b/target/linux/generic-2.4/patches/630-netfilter_comment.patch
@@ -0,0 +1,95 @@
+--- /dev/null
++++ b/include/linux/netfilter_ipv4/ipt_comment.h
+@@ -0,0 +1,10 @@
++#ifndef _IPT_COMMENT_H
++#define _IPT_COMMENT_H
++
++#define IPT_MAX_COMMENT_LEN 256
++
++struct ipt_comment_info {
++	char comment[IPT_MAX_COMMENT_LEN];
++};
++
++#endif /* _IPT_COMMENT_H */
+--- /dev/null
++++ b/net/ipv4/netfilter/ipt_comment.c
+@@ -0,0 +1,59 @@
++/*
++ * Implements a dummy match to allow attaching comments to rules
++ *
++ * 2003-05-13 Brad Fisher (brad@info-link.net)
++ */
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_comment.h>
++
++MODULE_AUTHOR("Brad Fisher <brad@info-link.net>");
++MODULE_DESCRIPTION("iptables comment match module");
++MODULE_LICENSE("GPL");
++
++static int
++match(const struct sk_buff *skb,
++      const struct net_device *in,
++      const struct net_device *out,
++      const void *matchinfo,
++      int offset,
++      int *hotdrop)
++{
++	/* We always match */
++	return 1;
++}
++
++static int
++checkentry(const char *tablename,
++           const struct ipt_ip *ip,
++           void *matchinfo,
++           unsigned int matchsize,
++           unsigned int hook_mask)
++{
++	/* Check the size */
++	if (matchsize != IPT_ALIGN(sizeof(struct ipt_comment_info)))
++		return 0;
++	return 1;
++}
++
++static struct ipt_match comment_match = {
++	.name		= "comment",
++	.match		= match,
++	.checkentry	= checkentry,
++	.me		= THIS_MODULE
++};
++
++static int __init init(void)
++{
++	return ipt_register_match(&comment_match);
++}
++
++static void __exit fini(void)
++{
++	ipt_unregister_match(&comment_match);
++}
++
++module_init(init);
++module_exit(fini);
+--- a/net/ipv4/netfilter/Makefile
++++ b/net/ipv4/netfilter/Makefile
+@@ -113,6 +113,7 @@ obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt
+ obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
+ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+ obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
++obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o
+ 
+ # targets
+ obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
+--- a/net/ipv4/netfilter/Config.in
++++ b/net/ipv4/netfilter/Config.in
+@@ -44,6 +44,7 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; 
+   dep_tristate '  LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES
+   dep_tristate '  TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES
+   dep_tristate '  tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES
++  dep_tristate '  comment match support' CONFIG_IP_NF_MATCH_COMMENT $CONFIG_IP_NF_IPTABLES
+   if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
+     dep_tristate '  Helper match support' CONFIG_IP_NF_MATCH_HELPER $CONFIG_IP_NF_IPTABLES
+   fi
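Review bot: `checkentry()` in the new `ipt_comment.c` validates only `matchsize`, so a rule whose `comment[IPT_MAX_COMMENT_LEN]` buffer contains no terminating NUL is accepted and stored as-is. `match()` never reads `matchinfo`, so the kernel path shown here is unaffected, but any consumer that reads the rule back and treats the field as a C string may read past the 256 bytes. Rejecting such input at load time would remove that assumption, e.g. `const struct ipt_comment_info *info = matchinfo;` followed by `if (!memchr(info->comment, '\0', IPT_MAX_COMMENT_LEN)) return 0;` (assuming `memchr` is available in this 2.4 tree through `<linux/string.h>`). At minimum, a comment on `struct ipt_comment_info` such as `/* not guaranteed NUL-terminated; bound reads to IPT_MAX_COMMENT_LEN */` would document the contract.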