diff -urN netfilter.orig/userspace/libiptc/libip4tc.c netfilter/userspace/libiptc/libip4tc.c
--- netfilter.orig/userspace/libiptc/libip4tc.c Fri Jan 5 15:22:59 2001
+++ netfilter/userspace/libiptc/libip4tc.c Wed Nov 7 18:19:36 2001
@@ -38,6 +38,9 @@
 #ifdef NF_IP_DROPPING
 #define HOOK_DROPPING NF_IP_DROPPING
 #endif
+#ifdef NF_IP_PROMISC
+#define HOOK_PROMISC NF_IP_PROMISC
+#endif
 #define STRUCT_ENTRY_TARGET struct ipt_entry_target
 #define STRUCT_ENTRY struct ipt_entry
@@ -349,7 +352,8 @@
 assert(h->info.valid_hooks == (1 << NF_IP_LOCAL_IN | 1 << NF_IP_FORWARD
- | 1 << NF_IP_LOCAL_OUT));
+ | 1 << NF_IP_LOCAL_OUT
+ | 1 << NF_IP_PROMISC));
 /* Hooks should be first three */
 assert(h->info.hook_entry[NF_IP_LOCAL_IN] == 0);
@@ -362,7 +366,11 @@
 n += get_entry(h, n)->next_offset;
 assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
- user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
+ n=get_chain_end(h, n);
+ n+=get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP_PROMISC] == n);
+
+ user_offset=h->info.hook_emtry[NF_IP_PROMISC];
 } else if (strcmp(h->info.name, "nat") == 0) {
 assert(h->info.valid_hooks == (1 << NF_IP_PRE_ROUTING
diff -urN netfilter.orig/userspace/libiptc/libiptc.c netfilter/userspace/libiptc/libiptc.c
--- netfilter.orig/userspace/libiptc/libiptc.c Mon Jul 30 16:12:43 2001
+++ netfilter/userspace/libiptc/libiptc.c Wed Nov 7 18:19:36 2001
@@ -31,9 +31,12 @@
 [HOOK_LOCAL_IN] "INPUT",
 [HOOK_FORWARD] "FORWARD",
 [HOOK_LOCAL_OUT] "OUTPUT",
- [HOOK_POST_ROUTING] "POSTROUTING",
+ [HOOK_POST_ROUTING] "POSTROUTING"
 #ifdef HOOK_DROPPING
- [HOOK_DROPPING] "DROPPING"
+ ,[HOOK_DROPPING] "DROPPING"
+#endif
+#ifdef HOOK_PROMISC
+ ,[HOOK_PROMISC] "PROMISC"
 #endif
 };
diff -urN netfilter.orig/userspace/patch-o-matic/PROMISC.patch netfilter/userspace/patch-o-matic/PROMISC.patch
--- netfilter.orig/userspace/patch-o-matic/PROMISC.patch Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/PROMISC.patch Wed Nov 7 18:03:04 2001
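Review bot: In libip4tc.c the filter-table assert in the `@@ -349,7 +352,8 @@` hunk uses `NF_IP_PROMISC` unconditionally, although the first hunk defines `HOOK_PROMISC` only under `#ifdef NF_IP_PROMISC`. The file therefore no longer compiles against kernel headers without the patch, and the check would reject the three-hook filter table of an unpatched kernel. Wrapping the new `| 1 << NF_IP_PROMISC` term, and the new `hook_entry[NF_IP_PROMISC]` assert in the next hunk, in the same `#ifdef NF_IP_PROMISC` keeps both configurations working. The comment `/* Hooks should be first three */` directly below is stale once a fourth hook is checked. The enclosing function starts and ends outside the hunk.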
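Review bot: The added line `user_offset=h->info.hook_emtry[NF_IP_PROMISC];` in the `@@ -362,7 +366,11 @@` hunk of libip4tc.c misspells the field name. Every other access in the hunk reads `h->info.hook_entry[...]`, so it should be `user_offset = h->info.hook_entry[NF_IP_PROMISC];`. The statement sits among the asserts, so it is presumably compiled only in debug builds, which would explain why the typo was not caught (not visible from the hunk, confirm). The function body continues outside the hunk.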
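Review bot: In the hook-name table of libiptc.c, `[HOOK_DROPPING]` and `[HOOK_PROMISC]` can both be compiled in. If the two kernel patches assign the same hook number (the help text added by this commit warns that PROMISC will probably break dropped-table), the later designated initializer silently replaces the earlier one and chains would be listed under the wrong name. A guard above the array, `#if defined(HOOK_DROPPING) && defined(HOOK_PROMISC) && HOOK_DROPPING == HOOK_PROMISC` followed by `#error`, would turn that into a build failure. The array declaration starts outside the hunk.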
@@ -0,0 +1,161 @@
+diff -urN linux.orig/include/linux/netfilter_ipv4.h linux/include/linux/netfilter_ipv4.h
+--- linux.orig/include/linux/netfilter_ipv4.h Mon Nov 5 20:44:46 2001
++++ linux/include/linux/netfilter_ipv4.h Wed Nov 7 16:14:51 2001
+@@ -47,7 +47,9 @@
+ #define NF_IP_LOCAL_OUT 3
+ /* Packets about to hit the wire. */
+ #define NF_IP_POST_ROUTING 4
+-#define NF_IP_NUMHOOKS 5
++/* If the packet isn't for us at all */
++#define NF_IP_PROMISC 5
++#define NF_IP_NUMHOOKS 6
+
+ enum nf_ip_hook_priorities {
+ NF_IP_PRI_FIRST = INT_MIN,
+diff -urN linux.orig/net/ipv4/ip_input.c linux/net/ipv4/ip_input.c
+--- linux.orig/net/ipv4/ip_input.c Thu Apr 12 20:11:39 2001
++++ linux/net/ipv4/ip_input.c Wed Nov 7 16:18:10 2001
+@@ -307,6 +307,12 @@
+ ip_local_deliver_finish);
+ }
+
++static inline int ip_prcv_finish(struct sk_buff *skb)
++{
++ kfree_skb(skb);
++ return NET_RX_BAD;
++}
++
+ static inline int ip_rcv_finish(struct sk_buff *skb)
+ {
+ struct net_device *dev = skb->dev;
+@@ -385,16 +391,11 @@
+ {
+ struct iphdr *iph = skb->nh.iph;
+
+- /* When the interface is in promisc. mode, drop all the crap
+- * that it receives, do not try to analyse it.
+- */
+- if (skb->pkt_type == PACKET_OTHERHOST)
+- goto drop;
+-
+- IP_INC_STATS_BH(IpInReceives);
+-
+- if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
+- goto out;
++ if (skb->pkt_type != PACKET_OTHERHOST) {
++ IP_INC_STATS_BH(IpInReceives);
++ if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
++ goto out;
++ }
+
+ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+ goto inhdr_error;
+@@ -418,7 +419,7 @@
+ if (!pskb_may_pull(skb, iph->ihl*4))
+ goto inhdr_error;
+
+- if (ip_fast_csum((u8 *)iph, iph->ihl) != 0)
++ if (skb->pkt_type != PACKET_OTHERHOST && ip_fast_csum((u8 *)iph, iph->ihl) != 0)
+ goto inhdr_error;
+
+ {
+@@ -437,12 +438,16 @@
+ }
+ }
+
+- return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
+- ip_rcv_finish);
++ if (skb->pkt_type == PACKET_OTHERHOST) {
++ return NF_HOOK(PF_INET, NF_IP_PROMISC, skb, dev, NULL,
++ ip_prcv_finish);
++ } else {
++ return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
++ ip_rcv_finish);
++ }
+
+ inhdr_error:
+ IP_INC_STATS_BH(IpInHdrErrors);
+-drop:
+ kfree_skb(skb);
+ out:
+ return NET_RX_DROP;
+diff -urN linux.orig/net/ipv4/netfilter/iptable_filter.c linux/net/ipv4/netfilter/iptable_filter.c
+--- linux.orig/net/ipv4/netfilter/iptable_filter.c Sun Sep 30 20:26:08 2001
++++ linux/net/ipv4/netfilter/iptable_filter.c Wed Nov 7 16:13:57 2001
+@@ -6,7 +6,8 @@
+ #include
+ #include
+
+-#define FILTER_VALID_HOOKS ((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | (1 << NF_IP_LOCAL_OUT))
++#define FILTER_VALID_HOOKS ((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | \
++ (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_PROMISC))
+
+ /* Standard entry. */
+ struct ipt_standard
+@@ -30,17 +31,19 @@
+ static struct
+ {
+ struct ipt_replace repl;
+- struct ipt_standard entries[3];
++ struct ipt_standard entries[4];
+ struct ipt_error term;
+ } initial_table __initdata
+-= { { "filter", FILTER_VALID_HOOKS, 4,
+- sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
++= { { "filter", FILTER_VALID_HOOKS, 5,
++ sizeof(struct ipt_standard) * 4 + sizeof(struct ipt_error),
+ { [NF_IP_LOCAL_IN] 0,
+ [NF_IP_FORWARD] sizeof(struct ipt_standard),
+- [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) * 2 },
++ [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) * 2,
++ [NF_IP_PROMISC] sizeof(struct ipt_standard) * 3 },
+ { [NF_IP_LOCAL_IN] 0,
+ [NF_IP_FORWARD] sizeof(struct ipt_standard),
+- [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) * 2 },
++ [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) * 2,
++ [NF_IP_PROMISC] sizeof(struct ipt_standard) * 3 },
+ 0, NULL, { } },
+ {
+ /* LOCAL_IN */
+@@ -66,7 +69,15 @@
+ sizeof(struct ipt_standard),
+ 0, { 0, 0 }, { } },
+ { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
+- -NF_ACCEPT - 1 } }
++ -NF_ACCEPT - 1 } },
++ /* PROMISC */
++ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
++ 0,
++ sizeof(struct ipt_entry),
++ sizeof(struct ipt_standard),
++ 0, { 0, 0 }, { } },
++ { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
++ -NF_ACCEPT - 1 } }
+ },
+ /* ERROR */
+ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
+@@ -118,7 +129,8 @@
+ = { { { NULL, NULL }, ipt_hook, PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_FILTER },
+ { { NULL, NULL }, ipt_hook, PF_INET, NF_IP_FORWARD, NF_IP_PRI_FILTER },
+ { { NULL, NULL }, ipt_local_out_hook, PF_INET, NF_IP_LOCAL_OUT,
+- NF_IP_PRI_FILTER }
++ NF_IP_PRI_FILTER },
++ { { NULL, NULL }, ipt_hook, PF_INET, NF_IP_PROMISC, NF_IP_PRI_FILTER }
+ };
+
+ /* Default to forward because I got too much mail already. */
+@@ -155,8 +167,14 @@
+ if (ret < 0)
+ goto cleanup_hook1;
+
++ ret = nf_register_hook(&ipt_ops[3]);
++ if (ret < 0)
++ goto cleanup_hook2;
++
+ return ret;
+
++ cleanup_hook2:
++ nf_unregister_hook(&ipt_ops[2]);
+ cleanup_hook1:
+ nf_unregister_hook(&ipt_ops[1]);
+ cleanup_hook0:
diff -urN netfilter.orig/userspace/patch-o-matic/PROMISC.patch.help netfilter/userspace/patch-o-matic/PROMISC.patch.help
--- netfilter.orig/userspace/patch-o-matic/PROMISC.patch.help Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/PROMISC.patch.help Wed Nov 7 18:27:59 2001
@@ -0,0 +1,7 @@
+Author: Gianni Tedesco
+Status: Pretty much complete :)
+
+ This adds a hook/chain to netfilter so that it can see PACKET_OTHERHOST
+ packets, picked up in promiscous mode.
+
+THIS PATCH WILL MOST LIKELY BREAK DROPPED-TABLE!
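Review bot: In the ip_input.c part of PROMISC.patch, the `@@ -385,16 +391,11 @@` hunk moves `skb_share_check()` inside `if (skb->pkt_type != PACKET_OTHERHOST)`. Packets addressed to other hosts therefore reach the following `pskb_may_pull()` calls and the `NF_IP_PROMISC` hook without being unshared, and on a promiscuous interface these are likely the buffers another receiver still holds (inferred, the tap path is not on this page). Only `IP_INC_STATS_BH(IpInReceives);` needs the condition; `if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL) goto out;` should stay unconditional. The `@@ -418,7 +419,7 @@` hunk likewise skips `ip_fast_csum()` for these packets, so rules on the new chain match header fields that were never checksum-verified; if that is intended, a comment at the check should say so. The function body begins and ends outside these hunks.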