From 02d2a047e36ce2a63b2bf822fb21f19aa3b4ff3d Mon Sep 17 00:00:00 2001 From: Sergey Popov Date: Fri, 28 Oct 2011 15:46:10 +0400 Subject: [PATCH] ebuild for ipt_NETFLOW(fixed version of ebuild from barzog-overlay) --- net-analyzer/ipt_netflow/Manifest | 4 + .../files/ipt_netflow-arguments-r1.patch | 389 ++++++++++++++++++ .../ipt_netflow/ipt_netflow-1.7.1.ebuild | 65 +++ .../ipt_netflow/ipt_netflow-9999.ebuild | 64 +++ 4 files changed, 522 insertions(+) create mode 100644 net-analyzer/ipt_netflow/Manifest create mode 100644 net-analyzer/ipt_netflow/files/ipt_netflow-arguments-r1.patch create mode 100644 net-analyzer/ipt_netflow/ipt_netflow-1.7.1.ebuild create mode 100644 net-analyzer/ipt_netflow/ipt_netflow-9999.ebuild diff --git a/net-analyzer/ipt_netflow/Manifest b/net-analyzer/ipt_netflow/Manifest new file mode 100644 index 0000000..e03b42e --- /dev/null +++ b/net-analyzer/ipt_netflow/Manifest @@ -0,0 +1,4 @@ +AUX ipt_netflow-arguments-r1.patch 13323 RMD160 f7f90dbe123b1aa9303a66e198358ef6ae37b417 SHA1 3fcd94ff92e83653a43c2ac0271c0294bb713c39 SHA256 6afd4bc4f2e2ca07c8f8e6249ddcea39e210dfe3aebe629f7f48c42560b29634 +DIST ipt_netflow-1.7.1.tgz 21263 RMD160 ae53cd9374d2419482efa789186dc7c631c6cfd3 SHA1 f244b2595aa39fb5a4100a3df6473b41832cdecb SHA256 d208dec7401404c21950c3d5db286649e17fbf7414d720d9dab7d9a6a88aba4a +EBUILD ipt_netflow-1.7.1.ebuild 1611 RMD160 493137f65ab2cb1e62474e0198d3be3273909d20 SHA1 a89a60af00d66283445d0ceaea6f811c5e105028 SHA256 30eec78388d6293154b982e42341a81600303505c80d0479ea98913cdd6de98a +EBUILD ipt_netflow-9999.ebuild 1631 RMD160 03135f702ecbcb582442beb5eb1a17ffd8ad894b SHA1 e6096bb71413f48a96ad720f2181510fd5f1f6aa SHA256 fe416ddadbd692f224b555bc19cef17d8a5a397a38d17b7149bc6adb1fa066be diff --git a/net-analyzer/ipt_netflow/files/ipt_netflow-arguments-r1.patch b/net-analyzer/ipt_netflow/files/ipt_netflow-arguments-r1.patch new file mode 100644 index 0000000..31d1ad3 --- /dev/null +++ b/net-analyzer/ipt_netflow/files/ipt_netflow-arguments-r1.patch @@ -0,0 +1,389 @@ +--- ipt_NETFLOW.c.orig 2011-05-14 14:53:49.000000000 +0300 ++++ ipt_NETFLOW.c 2011-05-14 14:59:51.000000000 +0300 +@@ -27,6 +27,7 @@ + #include + #include + #include "ipt_NETFLOW.h" ++#include "libipt_NETFLOW.h" + #ifdef CONFIG_BRIDGE_NETFILTER + #include + #endif +@@ -962,6 +963,20 @@ + pdu_traf = 0; + } + ++__u32 __netflow_get_as(const enum ipt_netflow_flags f,const struct ipt_netflow *nf) ++{ ++ __u32 ret=0; ++ switch(f){ ++ case NETFLOW_CLASS: ret=nf->priority;break; ++ case NETFLOW_FWMARK: ret=nf->fwmark;break; ++#ifdef CONFIG_NETWORK_SECMARK ++ case NETFLOW_SECMARK: ret=nf->secmark;break; ++#endif ++ default: ret=~0;break; ++ } ++ return ret; ++} ++ + static void netflow_export_flow(struct ipt_netflow *nf) + { + struct netflow5_record *rec; +@@ -991,10 +1006,29 @@ + rec->tcp_flags = nf->tcp_flags; + rec->protocol = nf->tuple.protocol; + rec->tos = nf->tuple.tos; +- //rec->s_as = 0; +- //rec->d_as = 0; + rec->s_mask = nf->s_mask; + rec->d_mask = nf->d_mask; ++ ++ if (nf->info){ ++ const struct ipt_netflow_info* nfi= (const struct ipt_netflow_info* ) nf->info; ++ __u16 as_src=0; ++ __u16 as_dst=0; ++ if (nfi->flags & NETFLOW_AS_SRC) ++ as_src = nfi->as_src; ++ else ++ as_src = __netflow_get_as(nfi->as_src,nf)>>16; ++ ++ if (nfi->flags & NETFLOW_AS_DST) ++ as_dst = nfi->as_dst; ++ else ++ as_dst = __netflow_get_as(nfi->as_dst,nf); ++ rec->s_as = htons(as_src); ++ rec->d_as = htons(as_dst); ++ }else{ ++ rec->s_as = 0; ++ rec->d_as = 0; ++ } ++ + //rec->padding = 0; + ipt_netflow_free(nf); + +@@ -1119,6 +1153,31 @@ + mod_timer(&rate_timer, jiffies + (HZ * SAMPLERATE)); + } + ++/* ++static int netflow_check(const struct xt_tgchk_param *target) ++{ ++} ++*/ ++ ++static void netflow_destroy(const struct xt_tgdtor_param *target) ++{ ++ __u8 found=0; ++ spin_lock_bh(&ipt_netflow_lock); ++ while (!list_empty(&ipt_netflow_list)) { ++ struct ipt_netflow *nf; ++ ++ nf = list_entry(ipt_netflow_list.prev, struct ipt_netflow, list); ++ if (nf->info != target->targinfo) continue; ++ if (nf->info->flags) ++ found++; ++ else ++ nf->info=NULL; ++ } ++ spin_unlock_bh(&ipt_netflow_lock); ++ if (found) ++ netflow_scan_inactive_timeout(0); ++} ++ + /* packet receiver */ + static unsigned int netflow_target( + #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24) +@@ -1285,6 +1344,9 @@ + nf->s_mask = s_mask; + nf->d_mask = d_mask; + ++ /// @BRIEF save our internal pointer ++ nf->info = (const struct ipt_netflow_info*) par->targinfo; ++ + if (debug > 2) + printk(KERN_INFO "ipt_netflow: new (%u) %hd:%hd SRC=%u.%u.%u.%u:%u DST=%u.%u.%u.%u:%u\n", + atomic_read(&ipt_netflow_count), +@@ -1303,6 +1365,12 @@ + nf->ts_last = jiffies; + nf->tcp_flags |= tcp_flags; + ++ nf->priority = skb->priority; ++ nf->fwmark = skb->mark; ++#ifdef CONFIG_NETWORK_SECMARK ++ nf->secmark = skb->secmark; ++#endif ++ + NETFLOW_STAT_INC(pkt_total); + NETFLOW_STAT_ADD(traf_total, ntohs(iph->tot_len)); + +@@ -1326,6 +1394,9 @@ + static struct ipt_target ipt_netflow_reg = { + .name = "NETFLOW", + .target = netflow_target, ++// .checkentry = netflow_check, ++ .destroy = netflow_destroy, ++ .targetsize = sizeof(struct ipt_netflow_info), + .family = AF_INET, + #ifndef RAW_PROMISC_HACK + .table = "filter", +--- ipt_NETFLOW.h.orig 2011-05-14 15:00:40.000000000 +0300 ++++ ipt_NETFLOW.h 2011-05-14 15:01:40.000000000 +0300 +@@ -83,6 +83,13 @@ + unsigned long ts_first; + unsigned long ts_last; + __u8 tcp_flags; /* `OR' of all tcp flags */ ++ ++#ifdef CONFIG_NETWORK_SECMARK ++ __u32 secmark; ++#endif ++ __u32 fwmark; ++ __u32 priority; ++ const struct ipt_netflow_info *info; + }; + + static inline int ipt_netflow_tuple_equal(const struct ipt_netflow_tuple *t1, +--- libipt_NETFLOW.c.orig 2011-05-14 15:01:57.000000000 +0300 ++++ libipt_NETFLOW.c 2011-05-14 15:09:11.000000000 +0300 +@@ -17,6 +17,8 @@ + #include + #endif + ++#include "libipt_NETFLOW.h" ++ + #ifdef XTABLES_VERSION_CODE // since 1.4.1 + #define MOD140 + #define iptables_target xtables_target +@@ -39,40 +41,177 @@ + #define _IPT_IP struct ipt_ip + #endif + +-static struct option opts[] = { +- {0} ++static struct option NETFLOW_opts[] = { ++ {"netflow-collector", 1, NULL, NETFLOW_COLLECTOR}, ++ {"netflow-class", 1, NULL, NETFLOW_CLASS}, ++ {"netflow-fwmark", 1, NULL, NETFLOW_FWMARK}, ++ {"netflow-secmark", 1, NULL, NETFLOW_SECMARK}, ++ {"netflow-src-as", 1, NULL, NETFLOW_AS_SRC}, ++ {"netflow-dst-as", 1, NULL, NETFLOW_AS_DST}, ++ {0} + }; + +-static void help(void) ++static void NETFLOW_help(void) ++{ ++ printf( "NETFLOW target:\n" ++ "--netflow-collector \"ip:port[,ip:port....]\" where to send theese netflows...\n" ++ "--netflow-class src | dst | full AS source and/or destination is QDISC/CLASS\n" ++ "--netflow-fwmark src | dst | full AS source and/or destination is FWMARK\n" ++ "--netflow-secmark src | dst | full AS source and/or destination is SECMARK\n" ++ "--netflow-src-as ID16 AS source will be filled with this ID\n" ++ "--netflow-dst-as ID16 AS destination will be filled with this ID\n" ++ "\n" ++ ); ++} ++ ++static void NETFLOW_init(struct ipt_entry_target *t) + { +- printf( "NETFLOW target\n"); ++ struct ipt_netflow_info *nf= (struct ipt_netflow_info*) t->data; ++ nf->flags = 0; ++ nf->as_src = 0; ++ nf->as_dst = 0; + } + + //static int parse(int c, char **argv, int invert, unsigned int *flags, + // const _IPT_ENTRY *entry, + // struct ipt_entry_target **target) +-static int parse(int c, char **argv, int invert, unsigned int *flags, ++static int NETFLOW_parse(int c, char **argv, int invert, unsigned int *flags, + const _IPT_ENTRY *entry, + struct ipt_entry_target **targetinfo) ++{ ++ struct ipt_netflow_info *nf= (struct ipt_netflow_info*) (*targetinfo)->data; ++ const char *opt=argv[optind]; ++ ++ xtables_param_act(XTF_ONLY_ONCE, "NETFLOW", opt, *flags & c); ++ xtables_param_act(XTF_NO_INVERT, "NETFLOW", opt, invert); + ++ opt=optarg; ++ ++ switch(c) { ++ case NETFLOW_COLLECTOR: break; ++ case NETFLOW_CLASS: ++ case NETFLOW_FWMARK: ++ case NETFLOW_SECMARK: ++ if ( !opt || strlen(opt) == 0 ) ++ xtables_error(PARAMETER_PROBLEM,"Where do I store this?"); ++ if ( strcmp(opt,"full")==0 ){ ++ if (nf->as_src | nf->as_dst) ++ xtables_error(PARAMETER_PROBLEM, "One of fields is already used"); ++ nf->as_src |= c; ++ nf->as_dst |= c; ++ }else if( strcmp(opt,"src")==0){ ++ if (nf->as_src) ++ xtables_error(PARAMETER_PROBLEM, "AS_SRC field already used"); ++ nf->as_src |= c; ++ }else if( strcmp(opt,"dst")==0){ ++ if (nf->as_dst) ++ xtables_error(PARAMETER_PROBLEM, "AS_DST field already used"); ++ nf->as_dst |= c; ++ }else ++ xtables_error(PARAMETER_PROBLEM, "Unsupported mode %s (valid ones: src, dst, full)",opt); ++ break; ++ case NETFLOW_AS_SRC: ++ case NETFLOW_AS_DST: ++ if ( !opt || strlen(opt)==0) ++ xtables_error(PARAMETER_PROBLEM, "No AS number provided"); ++ __u16 *as=NULL; ++ if (c==NETFLOW_AS_SRC) ++ as=&nf->as_src; ++ else ++ as=&nf->as_dst; ++ if (*as) ++ xtables_error(PARAMETER_PROBLEM, "AS field already in use"); ++ ++ if (! (*as=atoi(optarg))) ++ xtables_error(PARAMETER_PROBLEM, "AS not number or zero"); ++ break; ++ default: return 0; ++ break; ++ } ++ nf->flags |= c; ++ *flags |= c; ++ return 1; ++} ++ ++static void NETFLOW_check(unsigned int flags) + { ++ if (flags & NETFLOW_COLLECTOR) ++ xtables_error(PARAMETER_PROBLEM, "Collector address for now is unsupported"); ++} + +- return 1; ++void check_field(short mode,const struct ipt_netflow_info *nf, const enum ipt_netflow_flags f) ++{ ++ if (mode == 3 && nf->as_src & f && nf->as_dst & f) ++ printf("full "); ++ else if (mode & 1 && nf->as_src & f) ++ printf("src "); ++ else if (mode & 2 && nf->as_dst & f) ++ printf("dst "); ++ else ++ printf("ERROR "); + } + +-static void final_check(unsigned int flags) ++static void NETFLOW_save(const _IPT_IP *ip, const struct ipt_entry_target *target) + { ++ const struct ipt_netflow_info *nf = (const struct ipt_netflow_info*) target->data; ++ ++ __u8 mode=3; ++ if (nf->flags & NETFLOW_AS_SRC){ ++ printf("--netflow-src-as %u ", nf->as_src); ++ mode &= ~1; ++ } ++ if (nf->flags & NETFLOW_AS_DST){ ++ printf("--netflow-dst-as %u ", nf->as_dst); ++ mode &= ~2; ++ } ++ if (nf->flags & NETFLOW_CLASS){ ++ printf("--netflow-class "); ++ check_field(mode,nf,NETFLOW_CLASS); ++ } ++ if (nf->flags & NETFLOW_FWMARK){ ++ printf("--netflow-fwmark "); ++ check_field(mode,nf,NETFLOW_FWMARK); ++ } ++ if (nf->flags & NETFLOW_SECMARK){ ++ printf("--netflow-secmark "); ++ check_field(mode,nf,NETFLOW_SECMARK); ++ } + } + +-static void save(const _IPT_IP *ip, const struct ipt_entry_target *match) ++void check_print(const enum ipt_netflow_flags f) + { ++ switch(f){ ++ case 0: printf("UNUSED ");break; ++ case NETFLOW_CLASS: printf("class ");break; ++ case NETFLOW_FWMARK: printf("fwmark ");break; ++ case NETFLOW_SECMARK: printf("secmark ");break; ++ default: printf("unknown(%0x) ",f);break; ++ } + } + +-static void print(const _IPT_IP *ip, ++static void NETFLOW_print(const _IPT_IP *ip, + const struct ipt_entry_target *target, + int numeric) + { ++ const struct ipt_netflow_info *nf = (const struct ipt_netflow_info*) target->data; + printf("NETFLOW "); ++ if (! nf->flags) ++ return; ++ printf("AS: "); ++ if (nf->flags & NETFLOW_AS_SRC && nf->flags & NETFLOW_AS_DST) ++ printf("AS%u ",(__u32) (nf->as_src<<16)+nf->as_dst); ++ else if (nf->flags & NETFLOW_AS_SRC){ ++ printf("AS%u ",nf->as_src); ++ check_print(nf->as_dst); ++ }else if(nf->flags & NETFLOW_AS_DST){ ++ check_print(nf->as_src); ++ printf("AS%u ",nf->as_dst); ++ }else if(nf->as_src==nf->as_dst) ++ check_print(nf->flags); ++ else{ ++ check_print(nf->as_src); ++ check_print(nf->as_dst); ++ } + } + + static struct iptables_target netflow = { +@@ -86,14 +225,15 @@ + #else + .version = IPTABLES_VERSION, + #endif +- .size = IPT_ALIGN(0), +- .userspacesize = IPT_ALIGN(0), +- .help = &help, +- .parse = &parse, +- .final_check = &final_check, +- .print = &print, +- .save = &save, +- .extra_opts = opts ++ .size = IPT_ALIGN(sizeof(struct ipt_netflow_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct ipt_netflow_info)), ++ .help = NETFLOW_help, ++ .init = NETFLOW_init, ++ .parse = NETFLOW_parse, ++ .final_check = NETFLOW_check, ++ .print = NETFLOW_print, ++ .save = NETFLOW_save, ++ .extra_opts = NETFLOW_opts + }; + + #ifndef _init +--- libipt_NETFLOW.h.orig 1970-01-01 03:00:00.000000000 +0300 ++++ libipt_NETFLOW.h 2011-05-14 15:10:12.000000000 +0300 +@@ -0,0 +1,20 @@ ++#ifndef _LIBIP_NETFLOW_H ++#define _LIBIP_NETFLOW_H ++ ++enum ipt_netflow_flags { ++ NETFLOW_COLLECTOR = 0x01, ++ NETFLOW_FWMARK = 0x02, ++ NETFLOW_SECMARK = 0x04, ++ NETFLOW_CLASS = 0x08, ++ NETFLOW_AS_SRC = 0x10, ++ NETFLOW_AS_DST = 0x20, ++}; ++ ++struct ipt_netflow_info { ++ __u8 flags; ++ __u16 as_src; ++ __u16 as_dst; ++}; ++ ++#endif ++/* vim: set sw=8: */ diff --git a/net-analyzer/ipt_netflow/ipt_netflow-1.7.1.ebuild b/net-analyzer/ipt_netflow/ipt_netflow-1.7.1.ebuild new file mode 100644 index 0000000..9e6b942 --- /dev/null +++ b/net-analyzer/ipt_netflow/ipt_netflow-1.7.1.ebuild @@ -0,0 +1,65 @@ +# Copyright 1999-2010 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-emulation/kvm-kmod/kvm-kmod-88-r1.ebuild,v 1.1 2009/07/27 13:57:06 dang Exp $ + +EAPI="2" + +inherit eutils linux-mod multilib + +DESCRIPTION="Netflow iptables module" +HOMEPAGE="http://sourceforge.net/projects/ipt-netflow" + +MY_PN=${PN/_/-} +SRC_URI="mirror://sourceforge/${MY_PN}/${P}.tgz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~x86 ~amd64 ~ppc ~ia64" +IUSE="" + +RDEPEND="net-firewall/iptables" +DEPEND="${RDEPEND} + virtual/linux-sources" + +#S=${WORKDIR}/${PN} + +BUILD_TARGETS="all" +ARCH=$(tc-arch-kernel) +MODULE_NAMES="ipt_NETFLOW(ipt_netflow:${S})" + +pkg_setup() { + linux-info_pkg_setup + CONFIG_CHECK="IP_NF_IPTABLES" + linux-mod_pkg_setup +} + +src_prepare() { + # OK, let's deal with this mess... + sed -i 's:-I$(KDIR)/include::' Makefile.in || die "sed failed" + sed -i 's:gcc -O2:$(CC) $(LDFLAGS) $(CFLAGS):' Makefile.in || die "sed failed!" + sed -i 's:gcc:$(CC) $(LDFLAGS) $(CFLAGS):' Makefile.in || die "sed failed!" + cp "${S}"/Makefile{.in,} + epatch ${FILESDIR}/ipt_netflow-arguments-r1.patch +} + +src_configure() { + cd ${S} + ./configure +} + +src_compile() { + local IPT_VERSION=`pkg-config --modversion xtables` + local IPT_LIB=/usr/$(get_libdir)/xtables + MAKEOPTS="-j1" + emake KDIR="${KV_DIR}" KVERSION="${KV_FULL}" IPTABLES_VERSION="${IPT_VERSION}" \ + IPTABLES_MODULES="${IPT_LIB}" IPTSRC="" all || die "emake failed" +} + +src_install() { + linux-mod_src_install + exeinto /usr/$(get_libdir)/xtables + doexe libipt_NETFLOW.so + insinto /usr/include + doins ipt_NETFLOW.h + dodoc README +} diff --git a/net-analyzer/ipt_netflow/ipt_netflow-9999.ebuild b/net-analyzer/ipt_netflow/ipt_netflow-9999.ebuild new file mode 100644 index 0000000..709efd5 --- /dev/null +++ b/net-analyzer/ipt_netflow/ipt_netflow-9999.ebuild @@ -0,0 +1,64 @@ +# Copyright 1999-2010 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-emulation/kvm-kmod/kvm-kmod-88-r1.ebuild,v 1.1 2009/07/27 13:57:06 dang Exp $ + +EAPI="2" + +inherit git eutils linux-mod multilib + +EGIT_PROJECT="ipt_netflow" +EGIT_REPO_URI="git://ipt-netflow.git.sourceforge.net/gitroot/ipt-netflow/ipt-netflow" +DESCRIPTION="Netflow iptables module" +HOMEPAGE="http://sourceforge.net/projects/ipt-netflow" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="" +IUSE="" + +RDEPEND="net-firewall/iptables" +DEPEND="${RDEPEND} + virtual/linux-sources" + +S=${WORKDIR}/${PN} + +BUILD_TARGETS="all" +ARCH=$(tc-arch-kernel) +MODULE_NAMES="ipt_NETFLOW(ipt_netflow:${S})" + +pkg_setup() { + linux-info_pkg_setup + CONFIG_CHECK="IP_NF_IPTABLES" + linux-mod_pkg_setup +} + +src_prepare() { + # OK, let's deal with this mess... + sed -i 's:-I$(KDIR)/include::' Makefile.in || die "sed failed" + sed -i 's:gcc -O2:$(CC) $(LDFLAGS) $(CFLAGS):' Makefile.in || die "sed failed!" + sed -i 's:gcc:$(CC) $(LDFLAGS) $(CFLAGS):' Makefile.in || die "sed failed!" + cp "${S}"/Makefile{.in,} + epatch ${FILESDIR}/ipt_netflow-arguments-r1.patch +} + +src_configure() { + cd ${S} + ./configure +} + +src_compile() { + local IPT_VERSION=`pkg-config --modversion xtables` + local IPT_LIB=/$(get_libdir)/xtables + MAKEOPTS="-j1" + emake KDIR="${KV_DIR}" KVERSION="${KV_FULL}" IPTABLES_VERSION="${IPT_VERSION}" \ + IPTABLES_MODULES="${IPT_LIB}" IPTSRC="" all || die "emake failed" +} + +src_install() { + linux-mod_src_install + exeinto /$(get_libdir)/xtables + doexe libipt_NETFLOW.so + insinto /usr/include + doins ipt_NETFLOW.h + dodoc README +}