Xtables-addons 3.16

libxt_quota2.c:73:3: warning: ‘strncpy’ specified bound 15 equals destination size [-Wstringop-truncation]
   73 |   strncpy(info->name, optarg, sizeof(info->name));

Makefile.am

@@ -1,7 +1,7 @@
 # -*- Makefile -*-
 
 ACLOCAL_AMFLAGS  = -I m4
-SUBDIRS          = extensions geoip
+SUBDIRS          = extensions extensions/ACCOUNT extensions/pknock geoip
 
 man_MANS := xtables-addons.8
 

Makefile.mans.in

@@ -40,4 +40,4 @@ targets.man: .manpages.lst ${wcman_targets}
 	$(call man_run,${wlist_targets})
 
 clean:
-	rm -f xtables-addons.8 matches.man targets.man
+	rm -f xtables-addons.8 matches.man targets.man .manpages.lst

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.9])
+AC_INIT([xtables-addons], [3.16])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -27,7 +27,7 @@ fi
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
 PKG_CHECK_MODULES([libxtables], [xtables >= 1.6.0])
-xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
+xtlibdir="$($PKG_CONFIG --variable=xtlibdir xtables)"
 
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
@@ -57,7 +57,7 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 6; then
+		if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 11; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
 		elif test "$kmajor" -eq 5 -a "$kminor" -ge 0; then
 			:

doc/changelog.txt

@@ -1,3 +1,44 @@
+v3.16 (2021-02-24)
+==================
+- xt_pknock: build fix for ILP32 targets
+
+
+v3.15 (2021-02-05)
+==================
+- xt_ECHO: support new function signature of security_skb_classify_flow
+- xt_lscan: add --mirai option
+- Support for Linux 5.11
+
+
+v3.14 (2020-11-24)
+==================
+- DELUDE, ECHO, TARPIT: use actual tunnel socket (ip_route_me_harder).
+- geoip: scripts for use with MaxMind DB have been brought back,
+  partly under new names.
+- Gave xt_geoip_fetch a more fitting name, xt_geoip_query.
+
+
+v3.13 (2020-11-20)
+==================
+- Support for Linux 4.19.158 and 5.4.78 (ip_route_me_harder)
+
+
+v3.12 (2020-11-19)
+==================
+- Support for Linux 5.10 and 5.9.9 API
+  (changes to ip_route_me_harder there)
+
+
+v3.11 (2020-09-06)
+==================
+- Support for up to Linux 5.9
+
+
+v3.10 (2020-07-28)
+==================
+- Support for up to Linux 5.8
+
+
 v3.9 (2020-02-25)
 =================
 - Support for Linux 5.6 procfs changes

extensions/ACCOUNT/libxt_ACCOUNT_cl.c

@@ -34,7 +34,8 @@ int ipt_ACCOUNT_init(struct ipt_ACCOUNT_context *ctx)
 
 	// 4096 bytes default buffer should save us from reallocations
 	// as it fits 200 concurrent active clients
-	if ((ctx->data = malloc(IPT_ACCOUNT_MIN_BUFSIZE)) == NULL) {
+	ctx->data = malloc(IPT_ACCOUNT_MIN_BUFSIZE);
+	if (ctx->data == NULL) {
 		close(ctx->sockfd);
 		ctx->sockfd = -1;
 		ctx->error_str = "Out of memory for data buffer";

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -28,6 +28,9 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/string.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+#include <linux/sockptr.h>
+#endif
 #include <linux/spinlock.h>
 #include <asm/uaccess.h>
 #include <net/netns/generic.h>
@@ -184,24 +187,22 @@ static int ipt_acc_table_insert(struct ipt_acc_table *ipt_acc_tables,
 {
 	unsigned int i;
 
-	pr_debug("ACCOUNT: ipt_acc_table_insert: %s, %u.%u.%u.%u/%u.%u.%u.%u\n",
-		name, NIPQUAD(ip), NIPQUAD(netmask));
+	pr_debug("ACCOUNT: ipt_acc_table_insert: %s, %pI4/%pI4\n",
+	         name, &ip, &netmask);
 
 	/* Look for existing table */
 	for (i = 0; i < max_tables_limit; i++) {
 		if (strncmp(ipt_acc_tables[i].name, name,
 		    ACCOUNT_TABLE_NAME_LEN) == 0) {
-			pr_debug("ACCOUNT: Found existing slot: %d - "
-				"%u.%u.%u.%u/%u.%u.%u.%u\n", i,
-				NIPQUAD(ipt_acc_tables[i].ip),
-				NIPQUAD(ipt_acc_tables[i].netmask));
+			pr_debug("ACCOUNT: Found existing slot: %d - %pI4/%pI4\n",
+			         i, &ipt_acc_tables[i].ip, &ipt_acc_tables[i].netmask);
 
 			if (ipt_acc_tables[i].ip != ip
 			    || ipt_acc_tables[i].netmask != netmask) {
 				printk("ACCOUNT: Table %s found, but IP/netmask mismatch. "
-					"IP/netmask found: %u.%u.%u.%u/%u.%u.%u.%u\n",
-					name, NIPQUAD(ipt_acc_tables[i].ip),
-					NIPQUAD(ipt_acc_tables[i].netmask));
+					"IP/netmask found: %pI4/%pI4\n",
+				       name, &ipt_acc_tables[i].ip,
+				       &ipt_acc_tables[i].netmask);
 				return -1;
 			}
 
@@ -340,9 +341,8 @@ static void ipt_acc_depth0_insert(struct ipt_acc_mask_24 *mask_24,
 	/* Check if this entry is new */
 	bool is_src_new_ip = false, is_dst_new_ip = false;
 
-	pr_debug("ACCOUNT: ipt_acc_depth0_insert: %u.%u.%u.%u/%u.%u.%u.%u "
-		"for net %u.%u.%u.%u/%u.%u.%u.%u, size: %u\n", NIPQUAD(src_ip),
-		NIPQUAD(dst_ip), NIPQUAD(net_ip), NIPQUAD(netmask), size);
+	pr_debug("ACCOUNT: ipt_acc_depth0_insert: %pI4/%pI4 for net %pI4/%pI4,"
+	         " size: %u\n", &src_ip, &dst_ip, &net_ip, &netmask, size);
 
 	/* Check if src/dst is inside our network. */
 	/* Special: net_ip = 0.0.0.0/0 gets stored as src in slot 0 */
@@ -354,9 +354,8 @@ static void ipt_acc_depth0_insert(struct ipt_acc_mask_24 *mask_24,
 		is_dst = true;
 
 	if (!is_src && !is_dst) {
-		pr_debug("ACCOUNT: Skipping packet %u.%u.%u.%u/%u.%u.%u.%u "
-			"for net %u.%u.%u.%u/%u.%u.%u.%u\n", NIPQUAD(src_ip),
-			NIPQUAD(dst_ip), NIPQUAD(net_ip), NIPQUAD(netmask));
+		pr_debug("ACCOUNT: Skipping packet %pI4/%pI4 for net %pI4/%pI4\n",
+		         &src_ip, &dst_ip, &net_ip, &netmask);
 		return;
 	}
 
@@ -395,11 +394,11 @@ static void ipt_acc_depth0_insert(struct ipt_acc_mask_24 *mask_24,
 		}
 	} else {
 		if (is_src_new_ip) {
-			pr_debug("ACCOUNT: New src_ip: %u.%u.%u.%u\n", NIPQUAD(src_ip));
+			pr_debug("ACCOUNT: New src_ip: %pI4\n", &src_ip);
 			++*itemcount;
 		}
 		if (is_dst_new_ip) {
-			pr_debug("ACCOUNT: New dst_ip: %u.%u.%u.%u\n", NIPQUAD(dst_ip));
+			pr_debug("ACCOUNT: New dst_ip: %pI4\n", &dst_ip);
 			++*itemcount;
 		}
 	}
@@ -498,8 +497,7 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 
 	if (ipt_acc_tables[info->table_nr].name[0] == 0) {
 		printk("ACCOUNT: ipt_acc_target: Invalid table id %u. "
-			"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
-			NIPQUAD(src_ip), NIPQUAD(dst_ip));
+		       "IPs %pI4/%pI4\n", info->table_nr, &src_ip, &dst_ip);
 		spin_unlock_bh(&ian->ipt_acc_lock);
 		return XT_CONTINUE;
 	}
@@ -538,10 +536,8 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 		return XT_CONTINUE;
 	}
 
-	printk("ACCOUNT: ipt_acc_target: Unable to process packet. "
-		"Table id %u. IPs %u.%u.%u.%u/%u.%u.%u.%u\n",
-		info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
-
+	printk("ACCOUNT: ipt_acc_target: Unable to process packet. Table id "
+	       "%u. IPs %pI4/%pI4\n", info->table_nr, &src_ip, &dst_ip);
 	spin_unlock_bh(&ian->ipt_acc_lock);
 	return XT_CONTINUE;
 }
@@ -624,7 +620,8 @@ static int ipt_acc_handle_prepare_read(struct ipt_acc_table *ipt_acc_tables,
 	dest->itemcount = ipt_acc_tables[table_nr].itemcount;
 
 	/* allocate "root" table */
-	if ((dest->data = ipt_acc_zalloc_page()) == NULL) {
+	dest->data = ipt_acc_zalloc_page();
+	if (dest->data == NULL) {
 		printk("ACCOUNT: out of memory for root table "
 			"in ipt_acc_handle_prepare_read()\n");
 		return -1;
@@ -722,7 +719,8 @@ static int ipt_acc_handle_prepare_read_flush(struct ipt_acc_table *ipt_acc_table
 	}
 
 	/* Try to allocate memory */
-	if (!(new_data_page = ipt_acc_zalloc_page())) {
+	new_data_page = ipt_acc_zalloc_page();
+	if (new_data_page == NULL) {
 		printk("ACCOUNT: ipt_acc_handle_prepare_read_flush(): "
 			"Out of memory!\n");
 		return -1;
@@ -879,7 +877,12 @@ static int ipt_acc_handle_get_data(struct ipt_acc_net *ian,
 }
 
 static int ipt_acc_set_ctl(struct sock *sk, int cmd,
-			void *user, unsigned int len)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
+			   void *user,
+#else
+			   sockptr_t arg,
+#endif
+			   unsigned int len)
 {
 	struct net *net = sock_net(sk);
 	struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
@@ -898,7 +901,12 @@ static int ipt_acc_set_ctl(struct sock *sk, int cmd,
 			break;
 		}
 
-		if (copy_from_user(&handle, user, len)) {
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
+		if (copy_from_user(&handle, user, len))
+#else
+		if (copy_from_sockptr(&handle, arg, len))
+#endif
+		{
 			printk("ACCOUNT: ipt_acc_set_ctl: copy_from_user failed for "
 				"IPT_SO_SET_HANDLE_FREE\n");
 			break;
@@ -966,7 +974,8 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 
 		/* Allocate a userspace handle */
 		down(&ian->ipt_acc_userspace_mutex);
-		if ((handle.handle_nr = ipt_acc_handle_find_slot(ian->ipt_acc_handles)) == -1) {
+		handle.handle_nr = ipt_acc_handle_find_slot(ian->ipt_acc_handles);
+		if (handle.handle_nr == -1) {
 			ipt_acc_data_free(dest.data, dest.depth);
 			up(&ian->ipt_acc_userspace_mutex);
 			return -EINVAL;

extensions/compat_xtables.h

@@ -21,25 +21,13 @@
 #	warning You need CONFIG_NF_CONNTRACK.
 #endif
 
-#if !defined(NIP6) && !defined(NIP6_FMT)
-#	define NIP6(addr) \
-		ntohs((addr).s6_addr16[0]), \
-		ntohs((addr).s6_addr16[1]), \
-		ntohs((addr).s6_addr16[2]), \
-		ntohs((addr).s6_addr16[3]), \
-		ntohs((addr).s6_addr16[4]), \
-		ntohs((addr).s6_addr16[5]), \
-		ntohs((addr).s6_addr16[6]), \
-		ntohs((addr).s6_addr16[7])
-#	define NIP6_FMT "%04hx:%04hx:%04hx:%04hx:%04hx:%04hx:%04hx:%04hx"
-#endif
-#if !defined(NIPQUAD) && !defined(NIPQUAD_FMT)
-#	define NIPQUAD(addr) \
-		((const unsigned char *)&addr)[0], \
-		((const unsigned char *)&addr)[1], \
-		((const unsigned char *)&addr)[2], \
-		((const unsigned char *)&addr)[3]
-#	define NIPQUAD_FMT "%hhu.%hhu.%hhu.%hhu"
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0) || \
+    LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 9) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0) || \
+    LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 78) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0) || \
+    LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 158) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 20, 0)
+#else
+#	define ip_route_me_harder(xnet, xsk, xskb, xaddrtype) ip_route_me_harder((xnet), (xskb), (xaddrtype))
+#	define ip6_route_me_harder(xnet, xsk, xskb) ip6_route_me_harder((xnet), (xskb))
 #endif
 
 static inline struct net *par_net(const struct xt_action_param *par)

extensions/libxt_DNETMAP.man

@@ -46,7 +46,7 @@ Contains the binding table for the given \fIsubnet/mask\fP. Each line contains
 \fBprenat address\fR, \fBpostnat address\fR, \fBttl\fR (seconds until the entry
 times out), \fBlasthit\fR (last hit to the entry in seconds relative to system
 boot time). Please note that the \fBttl\fR and \fBlasthit\fR entries contain an
-'\fBS\fR' in case of a static binding.
+\(oq\fBS\fR\(cq in case of a static binding.
 .TP
 \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
 Contains statistics for a given \fIsubnet/mask\fP. The line contains four

extensions/libxt_geoip.c

@@ -75,7 +75,6 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
 	void *subnets;
 	struct stat sb;
 	char buf[256];
-	int fd;
 #if __BYTE_ORDER == __LITTLE_ENDIAN
 	unsigned int n;
 #endif
@@ -86,7 +85,8 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
 	else
 		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/%s.iv4", code);
 
-	if ((fd = open(buf, O_RDONLY)) < 0) {
+	int fd = open(buf, O_RDONLY);
+	if (fd < 0) {
 		fprintf(stderr, "Could not open %s: %s\n", buf, strerror(errno));
 		xtables_error(OTHER_PROBLEM, "Could not read geoip database");
 	}
@@ -203,7 +203,8 @@ static unsigned int parse_geoip_cc(const char *ccstr, uint16_t *cc,
 		next = strchr(cp, ',');
 		if (next) *next++ = '\0';
 
-		if ((cctmp = check_geoip_cc(cp, cc, count)) != 0) {
+		cctmp = check_geoip_cc(cp, cc, count);
+		if (cctmp != 0) {
 			if ((mem[count++].user =
 			    (unsigned long)geoip_load_cc(cp, cctmp, nfproto)) == 0)
 				xtables_error(OTHER_PROBLEM,

extensions/libxt_lscan.c

@@ -24,6 +24,7 @@ static const struct option lscan_mt_opts[] = {
 	{.name = "synscan", .has_arg = false, .val = 's'},
 	{.name = "cnscan",  .has_arg = false, .val = 'c'},
 	{.name = "grscan",  .has_arg = false, .val = 'g'},
+	{.name = "mirai",   .has_arg = false, .val = 'm'},
 	{NULL},
 };
 
@@ -35,7 +36,8 @@ static void lscan_mt_help(void)
 		"  --stealth    Match TCP Stealth packets\n"
 		"  --synscan    Match TCP SYN scans\n"
 		"  --cnscan     Match TCP Connect scans\n"
-		"  --grscan     Match Banner Grabbing scans\n");
+		"  --grscan     Match Banner Grabbing scans\n"
+		"  --mirai      Match TCP scan with ISN = dest. IP\n");
 }
 
 static int lscan_mt_parse(int c, char **argv, int invert,
@@ -45,16 +47,19 @@ static int lscan_mt_parse(int c, char **argv, int invert,
 
 	switch (c) {
 	case 'c':
-		info->match_cn = true;
+		info->match_fl3 |= LSCAN_FL3_CN;
 		return true;
 	case 'g':
-		info->match_gr = true;
+		info->match_fl4 |= LSCAN_FL4_GR;
+		return true;
+	case 'm':
+		info->match_fl1 |= LSCAN_FL1_MIRAI;
 		return true;
 	case 's':
-		info->match_syn = true;
+		info->match_fl2 |= LSCAN_FL2_SYN;
 		return true;
 	case 'x':
-		info->match_stealth = true;
+		info->match_fl1 |= LSCAN_FL1_STEALTH;
 		return true;
 	}
 	return false;
@@ -68,14 +73,16 @@ static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 
-	if (info->match_stealth)
+	if (info->match_fl1 & LSCAN_FL1_STEALTH)
 		printf(" --stealth ");
-	if (info->match_syn)
+	if (info->match_fl2 & LSCAN_FL2_SYN)
 		printf(" --synscan ");
-	if (info->match_cn)
+	if (info->match_fl3 & LSCAN_FL3_CN)
 		printf(" --cnscan ");
-	if (info->match_gr)
+	if (info->match_fl4 & LSCAN_FL4_GR)
 		printf(" --grscan ");
+	if (info->match_fl1 & LSCAN_FL1_MIRAI)
+		printf(" --mirai ");
 }
 
 static void lscan_mt_print(const void *ip,

extensions/libxt_lscan.man

@@ -27,6 +27,11 @@ warranted single-direction data flows, usually bulk data transfers such as
 FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
 ports where a protocol runs that is guaranteed to do a bidirectional exchange
 of bytes.
+.TP
+\fB\-\-mirai\fP
+Match if the TCP ISN is equal to the IPv4 destination address; this is used
+by the devices in the Mirai botnet as a form of TCP SYN scan, so you will
+have to explicitly specify --syn for the rule.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
 so be advised to carefully use xt_lscan in conjunction with blocking rules,

extensions/libxt_quota2.c

@@ -70,7 +70,7 @@ quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
 		/* zero termination done on behalf of the kernel module */
 		xtables_param_act(XTF_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
 		xtables_param_act(XTF_NO_INVERT, "quota", "--name", invert);
-		strncpy(info->name, optarg, sizeof(info->name));
+		snprintf(info->name, sizeof(info->name), "%s", optarg);
 		*flags |= FL_NAME;
 		return true;
 	case 'p':

extensions/pknock/Makefile.am

@@ -5,4 +5,5 @@ AM_CFLAGS   = ${regular_CFLAGS} ${libxtables_CFLAGS}
 
 include ../../Makefile.extra
 
-noinst_PROGRAMS = pknlusr
+sbin_PROGRAMS = pknlusr
+dist_man_MANS = pknlusr.8

extensions/pknock/libxt_pknock.c

@@ -11,7 +11,6 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
-
 #include <xtables.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
@@ -70,7 +69,6 @@ parse_ports(const char *portstring, uint16_t *ports, const char *proto)
 
 	if (cp != NULL)
 		xtables_error(PARAMETER_PROBLEM, "too many ports specified");
-
 	free(buffer);
 	return i;
 }
@@ -91,12 +89,11 @@ proto_to_name(uint8_t proto)
 static const char *
 check_proto(uint16_t pnum, uint8_t invflags)
 {
-	char *proto;
-
 	if (invflags & XT_INV_PROTO)
 		xtables_error(PARAMETER_PROBLEM, PKNOCK "only works with TCP and UDP.");
 
-	if ((proto = proto_to_name(pnum)) != NULL)
+	const char *proto = proto_to_name(pnum);
+	if (proto != NULL)
 		return proto;
 	else if (pnum == 0)
 		xtables_error(PARAMETER_PROBLEM, PKNOCK "needs `-p tcp' or `-p udp'");
@@ -123,7 +120,7 @@ __pknock_parse(int c, char **argv, int invert, unsigned int *flags,
 		info->ports_count = parse_ports(optarg, info->port, proto);
 		info->option |= XT_PKNOCK_KNOCKPORT;
 		*flags |= XT_PKNOCK_KNOCKPORT;
-#if DEBUG
+#ifdef DEBUG
 		printf("ports_count: %d\n", info->ports_count);
 #endif
 		break;
@@ -162,7 +159,7 @@ __pknock_parse(int c, char **argv, int invert, unsigned int *flags,
 		info->rule_name_len = strlen(info->rule_name);
 		info->option |= XT_PKNOCK_NAME;
 		*flags |= XT_PKNOCK_NAME;
-#if DEBUG
+#ifdef DEBUG
 		printf("info->rule_name: %s\n", info->rule_name);
 #endif
 		break;
@@ -213,7 +210,6 @@ __pknock_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	if (invert)
 		xtables_error(PARAMETER_PROBLEM, PKNOCK "does not support invert.");
-
 	return 1;
 }
 

extensions/pknock/pknlusr.8

@@ -0,0 +1,18 @@
+.TH pknlusr 8 "2020-10-22" "xtables-addons" "xtables-addons"
+.SH NAME
+.PP
+pknlusr \(em userspace monitor for successful xt_pknock matches
+.SH Synopsis
+.PP
+\fBpknlusr\fP [\fIgroup-id\fP]
+.SH Description
+\fIxt_pknock\fP is an xtables match extension that implements so-called \fIport
+knocking\fP. It can be configured to send information about each successful
+match via a netlink socket to userspace. \fBpknluser\fP listens for these
+notifications.
+.PP
+By default, \fBpknlusr\fP listens for messages sent to netlink multicast group
+1. Another group ID may be passed as a command-line argument.
+.SH See also
+.PP
+xtables-addons(8)

extensions/pknock/pknlusr.c

@@ -7,85 +7,94 @@
 #include <arpa/inet.h>
 #include <linux/netlink.h>
 #include <linux/connector.h>
+#include <errno.h>
+#include <libgen.h>
+#include <limits.h>
 
 #include "xt_pknock.h"
 
-#define GROUP 1
+#define DEFAULT_GROUP_ID 1
+#define MIN_GROUP_ID DEFAULT_GROUP_ID
+#define MAX_GROUP_ID \
+	(sizeof((struct sockaddr_nl){0}.nl_groups) * CHAR_BIT)
 
-static struct sockaddr_nl src_addr, dest_addr;
-static int sock_fd;
-
-static unsigned char *buf;
-
-static struct xt_pknock_nl_msg *nlmsg;
-
-int main(void)
+int main(int argc, char **argv)
 {
-	socklen_t addrlen;
 	int status;
-	int group = GROUP;
+	unsigned int group_id = DEFAULT_GROUP_ID;
+	struct sockaddr_nl local_addr = {.nl_family = AF_NETLINK};
+	int sock_fd;
+	size_t nlmsg_size;
+	struct nlmgrhdr *nlmsg;
+	struct cn_msg *cn_msg;
+	struct xt_pknock_nl_msg *pknock_msg;
 
-	int buf_size;
+	if (argc > 2) {
+		char *prog = strdup(argv[0]);
+		if (prog == NULL) {
+			perror("strdup()");
+		} else {
+			fprintf(stderr, "%s [ group-id ]\n", basename(prog));
+			free(prog);
+		}
+		exit(EXIT_FAILURE);
+	}
 
-	const char *ip;
-	char ipbuf[48];
+	if (argc == 2) {
+		long n;
+		char *end;
+
+		errno = 0;
+		n = strtol(argv[1], &end, 10);
+		if (*end || (errno && (n == LONG_MIN || n == LONG_MAX)) ||
+		    n < MIN_GROUP_ID || n > MAX_GROUP_ID) {
+			fputs("Group ID invalid.\n", stderr);
+			exit(EXIT_FAILURE);
+		}
+		group_id = n;
+	}
 
 	sock_fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
-
 	if (sock_fd == -1) {
 		perror("socket()");
-		return 1;
+		exit(EXIT_FAILURE);
 	}
 
-	memset(&src_addr, 0, sizeof(src_addr));
-	src_addr.nl_family = AF_NETLINK;
-	src_addr.nl_pid = getpid();
-	src_addr.nl_groups = group;
-
-	status = bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr));
-
+	local_addr.nl_groups = 1U << (group_id - 1);
+	status = bind(sock_fd, (struct sockaddr *)&local_addr, sizeof(local_addr));
 	if (status == -1) {
-		close(sock_fd);
 		perror("bind()");
-		return 1;
+		goto err_close_sock;
 	}
 
-	memset(&dest_addr, 0, sizeof(dest_addr));
-	dest_addr.nl_family = AF_NETLINK;
-	dest_addr.nl_pid = 0;
-	dest_addr.nl_groups = group;
-
-	buf_size = sizeof(struct xt_pknock_nl_msg) + sizeof(struct cn_msg) + sizeof(struct nlmsghdr);
-	buf = malloc(buf_size);
-
-	if (!buf) {
+	nlmsg_size = NLMSG_SPACE(sizeof(*cn_msg) + sizeof(*pknock_msg));
+	nlmsg = malloc(nlmsg_size);
+	if (!nlmsg) {
 		perror("malloc()");
-		return 1;
+		goto err_close_sock;
 	}
 
-	addrlen = sizeof(dest_addr);
-
 	while(1) {
+		const char *ip;
+		char ipbuf[INET_ADDRSTRLEN];
 
-		memset(buf, 0, buf_size);
-
-		status = recvfrom(sock_fd, buf, buf_size, 0, (struct sockaddr *)&dest_addr, &addrlen);
-
-		if (status <= 0) {
-			perror("recvfrom()");
-			return 1;
-		}
-
-	nlmsg = (struct xt_pknock_nl_msg *) (buf + sizeof(struct cn_msg) + sizeof(struct nlmsghdr));
-
-		ip = inet_ntop(AF_INET, &nlmsg->peer_ip, ipbuf, sizeof(ipbuf));
-		printf("rule_name: %s - ip %s\n", nlmsg->rule_name, ip);
-
+		memset(nlmsg, 0, nlmsg_size);
+		status = recv(sock_fd, nlmsg, nlmsg_size, 0);
+		if (status < 0) {
+			perror("recv()");
+			goto err_free_msg;
+		}
+		if (status == 0)
+			break;
+		cn_msg = NLMSG_DATA(nlmsg);
+		pknock_msg = (struct xt_pknock_nl_msg *)(cn_msg->data);
+		ip = inet_ntop(AF_INET, &pknock_msg->peer_ip, ipbuf, sizeof(ipbuf));
+		printf("rule_name: %s - ip %s\n", pknock_msg->rule_name, ip);
 	}
 
+err_free_msg:
+	free(nlmsg);
+err_close_sock:
 	close(sock_fd);
-
-	free(buf);
-
-	return 0;
+	exit(status == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
 }

extensions/pknock/xt_pknock.c

@@ -90,21 +90,15 @@ enum {
 #define hashtable_for_each_safe(pos, n, head, size, i)	\
 	for ((i) = 0; (i) < (size); ++(i)) \
 		list_for_each_safe((pos), (n), (&head[(i)]))
-
-#define pk_debug(msg, peer) pr_debug( \
-			"(S) peer: " NIPQUAD_FMT " - %s.\n", \
-			NIPQUAD((peer)->ip), msg)
+#define pk_debug(msg, peer) pr_debug("(S) peer: %pI4 - %s.\n", &((peer)->ip), msg)
 
 static uint32_t ipt_pknock_hash_rnd;
-
 static unsigned int rule_hashsize	= DEFAULT_RULE_HASH_SIZE;
 static unsigned int peer_hashsize	= DEFAULT_PEER_HASH_SIZE;
 static unsigned int gc_expir_time = DEFAULT_GC_EXPIRATION_TIME;
 static int nl_multicast_group		= -1;
-
 static struct list_head *rule_hashtable;
 static struct proc_dir_entry *pde;
-
 static DEFINE_SPINLOCK(list_lock);
 
 static struct {
@@ -159,7 +153,6 @@ alloc_hashtable(unsigned int size)
 		return NULL;
 	for (i = 0; i < size; ++i)
 		INIT_LIST_HEAD(&hash[i]);
-
 	return hash;
 }
 
@@ -191,10 +184,8 @@ pknock_seq_start(struct seq_file *s, loff_t *pos)
 	const struct xt_pknock_rule *rule = s->private;
 
 	spin_lock_bh(&list_lock);
-
 	if (*pos >= peer_hashsize)
 		return NULL;
-
 	return rule->peer_head + *pos;
 }
 
@@ -212,7 +203,6 @@ pknock_seq_next(struct seq_file *s, void *v, loff_t *pos)
 	++*pos;
 	if (*pos >= peer_hashsize)
 		return NULL;
-
 	return rule->peer_head + *pos;
 }
 
@@ -238,13 +228,11 @@ pknock_seq_show(struct seq_file *s, void *v)
 	const struct peer *peer;
 	unsigned long time;
 	const struct list_head *peer_head = v;
-
 	const struct xt_pknock_rule *rule = s->private;
 
 	list_for_each_safe(pos, n, peer_head) {
 		peer = list_entry(pos, struct peer, head);
-
-		seq_printf(s, "src=" NIPQUAD_FMT " ", NIPQUAD(peer->ip));
+		seq_printf(s, "src=%pI4 ", &peer->ip);
 		seq_printf(s, "proto=%s ", (peer->proto == IPPROTO_TCP) ?
                                                 "TCP" : "UDP");
 		seq_printf(s, "status=%s ", status_itoa(peer->status));
@@ -259,12 +247,11 @@ pknock_seq_show(struct seq_file *s, void *v)
 			seq_printf(s, "expir_time=%lu [secs] ", time);
 		}
 		if (peer->status == ST_ALLOWED && rule->autoclose_time != 0) {
+			unsigned long x = ktime_get_seconds();
+			unsigned long y = peer->login_sec + rule->autoclose_time * 60;
 			time = 0;
-			if (time_before(get_seconds(), peer->login_sec +
-			    rule->autoclose_time * 60))
-				time = peer->login_sec +
-				       rule->autoclose_time * 60 -
-				       get_seconds();
+			if (time_before(x, y))
+				time = y - x;
 			seq_printf(s, "autoclose_time=%lu [secs] ", time);
 		}
 		seq_printf(s, "\n");
@@ -311,7 +298,6 @@ static void update_rule_gc_timer(struct xt_pknock_rule *rule)
 {
 	if (timer_pending(&rule->timer))
 		del_timer(&rule->timer);
-
 	rule->timer.expires = jiffies + msecs_to_jiffies(gc_expir_time);
 	add_timer(&rule->timer);
 }
@@ -325,8 +311,9 @@ static void update_rule_gc_timer(struct xt_pknock_rule *rule)
 static inline bool
 autoclose_time_passed(const struct peer *peer, unsigned int autoclose_time)
 {
-	return peer != NULL && autoclose_time != 0 && time_after(get_seconds(),
-	       peer->login_sec + autoclose_time * 60);
+	unsigned long x = ktime_get_seconds();
+	unsigned long y = peer->login_sec + autoclose_time * 60;
+	return peer != NULL && autoclose_time != 0 && time_after(x, y);
 }
 
 /**
@@ -348,7 +335,8 @@ is_interknock_time_exceeded(const struct peer *peer, unsigned int max_time)
 static inline bool
 has_logged_during_this_minute(const struct peer *peer)
 {
-	return peer != NULL && peer->login_sec / 60 == get_seconds() / 60;
+	unsigned long x = ktime_get_seconds(), y = peer->login_sec;
+	return peer != NULL && do_div(y, 60) == do_div(x, 60);
 }
 
 /**
@@ -433,7 +421,6 @@ add_rule(struct xt_pknock_mtinfo *info)
 
 	list_for_each_safe(pos, n, &rule_hashtable[hash]) {
 		rule = list_entry(pos, struct xt_pknock_rule, head);
-
 		if (!rulecmp(info, rule))
 			continue;
 		++rule->ref_count;
@@ -442,7 +429,6 @@ add_rule(struct xt_pknock_mtinfo *info)
 			rule->max_time       = info->max_time;
 			rule->autoclose_time = info->autoclose_time;
 		}
-
 		if (info->option & XT_PKNOCK_CHECKIP)
 			pr_debug("add_rule() (AC) rule found: %s - "
 				"ref_count: %d\n",
@@ -450,16 +436,13 @@ add_rule(struct xt_pknock_mtinfo *info)
 		return true;
 	}
 
-	rule = kmalloc(sizeof(*rule), GFP_KERNEL);
+	rule = kzalloc(sizeof(*rule), GFP_KERNEL);
 	if (rule == NULL)
 		return false;
 
 	INIT_LIST_HEAD(&rule->head);
-
-	memset(rule->rule_name, 0, sizeof(rule->rule_name));
 	strncpy(rule->rule_name, info->rule_name, info->rule_name_len);
 	rule->rule_name_len = info->rule_name_len;
-
 	rule->ref_count      = 1;
 	rule->max_time       = info->max_time;
 	rule->autoclose_time = info->autoclose_time;
@@ -502,7 +485,6 @@ remove_rule(struct xt_pknock_mtinfo *info)
 
 	list_for_each_safe(pos, n, &rule_hashtable[hash]) {
 		rule = list_entry(pos, struct xt_pknock_rule, head);
-
 		if (rulecmp(info, rule)) {
 			found = 1;
 			rule->ref_count--;
@@ -528,7 +510,6 @@ remove_rule(struct xt_pknock_mtinfo *info)
 	pr_debug("(D) rule deleted: %s.\n", rule->rule_name);
 	if (timer_pending(&rule->timer))
 		del_timer(&rule->timer);
-
 	list_del(&rule->head);
 	kfree(rule->peer_head);
 	kfree(rule);
@@ -548,7 +529,6 @@ static struct peer *get_peer(struct xt_pknock_rule *rule, __be32 ip)
 	unsigned int hash;
 
 	hash = pknock_hash(&ip, sizeof(ip), ipt_pknock_hash_rnd, peer_hashsize);
-
 	list_for_each_safe(pos, n, &rule->peer_head[hash]) {
 		peer = list_entry(pos, struct peer, head);
 		if (peer->ip == ip)
@@ -582,14 +562,12 @@ static struct peer *new_peer(__be32 ip, uint8_t proto)
 
 	if (peer == NULL)
 		return NULL;
-
 	INIT_LIST_HEAD(&peer->head);
 	peer->ip	= ip;
 	peer->proto	= proto;
 	peer->timestamp = jiffies/HZ;
 	peer->login_sec = 0;
 	reset_knock_status(peer);
-
 	return peer;
 }
 
@@ -677,21 +655,17 @@ static bool
 msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
                 const struct peer *peer, int multicast_group)
 {
-#if defined(CONFIG_CONNECTOR) || defined(CONFIG_CONNECTOR_MODULE)
+#if IS_ENABLED(CONFIG_CONNECTOR)
 	struct cn_msg *m;
 	struct xt_pknock_nl_msg msg;
 
-	m = kmalloc(sizeof(*m) + sizeof(msg), GFP_ATOMIC);
+	m = kzalloc(sizeof(*m) + sizeof(msg), GFP_ATOMIC);
 	if (m == NULL)
 		return false;
-
-	memset(m, 0, sizeof(*m) + sizeof(msg));
-	m->seq = 0;
 	m->len = sizeof(msg);
 
 	msg.peer_ip = peer->ip;
 	scnprintf(msg.rule_name, info->rule_name_len + 1, info->rule_name);
-
 	memcpy(m + 1, &msg, m->len);
 	cn_netlink_send(m, 0, multicast_group, GFP_ATOMIC);
 	kfree(m);
@@ -731,11 +705,12 @@ static bool
 has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
     const unsigned char *payload, unsigned int payload_len)
 {
-	char result[64]; // 64 bytes * 8 = 512 bits
+	char result[64] = ""; // 64 bytes * 8 = 512 bits
 	char *hexresult;
 	unsigned int hexa_size;
 	int ret;
 	bool fret = false;
+	unsigned long x;
 	unsigned int epoch_min;
 
 	if (payload_len == 0)
@@ -751,15 +726,11 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 	/* + 1 cause we MUST add NULL in the payload */
 	if (payload_len != hexa_size + 1)
 		return false;
-
-	hexresult = kmalloc(hexa_size, GFP_ATOMIC);
+	hexresult = kzalloc(hexa_size, GFP_ATOMIC);
 	if (hexresult == NULL)
 		return false;
-
-	memset(result, 0, sizeof(result));
-	memset(hexresult, 0, hexa_size);
-
-	epoch_min = get_seconds() / 60;
+	x = ktime_get_seconds();
+	epoch_min = do_div(x, 60);
 
 	ret = crypto_shash_setkey(crypto.tfm, secret, secret_len);
 	if (ret != 0) {
@@ -778,14 +749,11 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 		printk("crypto_shash_update/final() failed ret=%d\n", ret);
 		goto out;
 	}
-
 	crypt_to_hex(hexresult, result, crypto.size);
-
 	if (memcmp(hexresult, payload, hexa_size) != 0)
 		pr_debug("secret match failed\n");
 	else
 		fret = true;
-
  out:
 	kfree(hexresult);
 	return fret;
@@ -817,7 +785,6 @@ pass_security(struct peer *peer, const struct xt_pknock_mtinfo *info,
 					info->open_secret_len, peer->ip,
 					payload, payload_len))
 		return true;
-
 	return false;
 }
 
@@ -844,7 +811,6 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info,
 		/* Peer must start the sequence from scratch. */
 		if (info->option & XT_PKNOCK_STRICT)
 			remove_peer(peer);
-
 		return false;
 	}
 
@@ -852,25 +818,20 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info,
 	if (info->option & XT_PKNOCK_OPENSECRET ) {
 		if (hdr->proto != IPPROTO_UDP && hdr->proto != IPPROTO_UDPLITE)
 			return false;
-
 		if (!pass_security(peer, info, hdr->payload, hdr->payload_len))
 			return false;
 	}
 
 	/* Update the gc timer when there is a state change. */
 	update_rule_gc_timer(rule);
-
 	++peer->accepted_knock_count;
 
 	if (is_last_knock(peer, info)) {
 		peer->status = ST_ALLOWED;
-
 		pk_debug("ALLOWED", peer);
-		peer->login_sec = get_seconds();
-
+		peer->login_sec = ktime_get_seconds();
 		if (nl_multicast_group > 0)
 			msg_to_userspace_nl(info, peer, nl_multicast_group);
-
 		return true;
 	}
 
@@ -947,7 +908,6 @@ static bool pknock_mt(const struct sk_buff *skb,
 	switch (hdr.proto) {
 	case IPPROTO_TCP:
 		break;
-
 	case IPPROTO_UDP:
 	case IPPROTO_UDPLITE:
 		hdr_len = (iph->ihl * 4) + sizeof(struct udphdr);
@@ -969,12 +929,10 @@ static bool pknock_mt(const struct sk_buff *skb,
 
 	/* Gives the peer matching status added to rule depending on ip src. */
 	peer = get_peer(rule, iph->saddr);
-
 	if (info->option & XT_PKNOCK_CHECKIP) {
 		ret = is_allowed(peer);
 		goto out;
 	}
-
 	if (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_UDPLITE) {
 		hdr.payload = (void *)iph + hdr_len;
 		hdr.payload_len = skb->len - hdr_len;
@@ -982,7 +940,8 @@ static bool pknock_mt(const struct sk_buff *skb,
 
 	/* Sets, updates, removes or checks the peer matching status. */
 	if (info->option & XT_PKNOCK_KNOCKPORT) {
-		if ((ret = is_allowed(peer))) {
+		ret = is_allowed(peer);
+		if (ret != 0) {
 			if (info->option & XT_PKNOCK_CLOSESECRET &&
 			    (iph->protocol == IPPROTO_UDP ||
 			    iph->protocol == IPPROTO_UDPLITE))
@@ -1000,10 +959,8 @@ static bool pknock_mt(const struct sk_buff *skb,
 			peer = new_peer(iph->saddr, iph->protocol);
 			add_peer(peer, rule);
 		}
-
 		if (peer == NULL)
 			goto out;
-
 		update_peer(peer, info, rule, &hdr);
 	}
 
@@ -1023,7 +980,7 @@ out:
 	return ret;
 }
 
-#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return -EINVAL; } while (false)
+#define RETURN_ERR(err) do { pr_err(err); return -EINVAL; } while (false)
 
 static int pknock_mt_check(const struct xt_mtchk_param *par)
 {
@@ -1073,11 +1030,9 @@ static int pknock_mt_check(const struct xt_mtchk_param *par)
 	    memcmp(info->open_secret, info->close_secret,
 	    info->open_secret_len) == 0)
 		RETURN_ERR("opensecret & closesecret cannot be equal.\n");
-
 	if (!add_rule(info))
 		/* should ENOMEM here */
 		RETURN_ERR("add_rule() error in checkentry() function.\n");
-
 	return 0;
 }
 
@@ -1101,7 +1056,7 @@ static struct xt_match xt_pknock_mt_reg __read_mostly = {
 
 static int __init xt_pknock_mt_init(void)
 {
-#if !defined(CONFIG_CONNECTOR) && !defined(CONFIG_CONNECTOR_MODULE)
+#if !IS_ENABLED(CONFIG_CONNECTOR)
 	if (nl_multicast_group != -1)
 		pr_info("CONFIG_CONNECTOR not present; "
 		        "netlink messages disabled\n");
@@ -1110,14 +1065,14 @@ static int __init xt_pknock_mt_init(void)
 	if (gc_expir_time < DEFAULT_GC_EXPIRATION_TIME)
 		gc_expir_time = DEFAULT_GC_EXPIRATION_TIME;
 	if (request_module(crypto.algo) < 0) {
-		printk(KERN_ERR PKNOCK "request_module('%s') error.\n",
+		pr_err("request_module('%s') error.\n",
                         crypto.algo);
 		return -ENXIO;
 	}
 
 	crypto.tfm = crypto_alloc_shash(crypto.algo, 0, 0);
 	if (IS_ERR(crypto.tfm)) {
-		printk(KERN_ERR PKNOCK "failed to load transform for %s\n",
+		pr_err("failed to load transform for %s\n",
 						crypto.algo);
 		return PTR_ERR(crypto.tfm);
 	}
@@ -1127,7 +1082,7 @@ static int __init xt_pknock_mt_init(void)
 
 	pde = proc_mkdir("xt_pknock", init_net.proc_net);
 	if (pde == NULL) {
-		printk(KERN_ERR PKNOCK "proc_mkdir() error in _init().\n");
+		pr_err("proc_mkdir() error in _init().\n");
 		return -ENXIO;
 	}
 	return xt_register_match(&xt_pknock_mt_reg);

extensions/pknock/xt_pknock.h

@@ -29,8 +29,6 @@ enum {
 	XT_PKNOCK_MAX_PASSWD_LEN = 31,
 };
 
-#define DEBUG 1
-
 struct xt_pknock_mtinfo {
 	char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
 	uint32_t			rule_name_len;

extensions/xt_CHAOS.c

@@ -171,7 +171,8 @@ static int __init chaos_tg_init(void)
 		printk(KERN_WARNING PFX "Warning: Could not find or load "
 		       "\"DELUDE\" target\n");
 
-	if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
+	ret = xt_register_target(&chaos_tg_reg);
+	if (ret != 0) {
 		printk(KERN_WARNING PFX "xt_register_target returned "
 		       "error %d\n", ret);
 		goto out3;

extensions/xt_DELUDE.c

@@ -25,8 +25,8 @@
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
 
-static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook)
+static void delude_send_reset(struct sk_buff *oldskb,
+    const struct xt_action_param *par)
 {
 	struct tcphdr _otcph, *tcph;
 	const struct tcphdr *oth;
@@ -51,7 +51,8 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 		return;
 
 	/* Check checksum */
-	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+	if (nf_ip_checksum(oldskb, par->state->hook, ip_hdrlen(oldskb),
+	    IPPROTO_TCP))
 		return;
 
 	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
@@ -108,21 +109,21 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
-	if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+	if (par->state->hook != NF_INET_FORWARD ||
+	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
 	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev))
 #else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
+	if (par->state->hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev))
 #endif
 #else
-	if (hook != NF_INET_FORWARD)
+	if (par->state->hook != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 
 	/* ip_route_me_harder expects skb->dst to be set */
 	skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
-
-	if (ip_route_me_harder(net, nskb, addr_type))
+	if (ip_route_me_harder(par_net(par), par->state->sk, nskb, addr_type))
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -135,8 +136,7 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
-
-	ip_local_out(net, nskb->sk, nskb);
+	ip_local_out(par_net(par), nskb->sk, nskb);
 	return;
 
  free_nskb:
@@ -151,7 +151,7 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	 * a problem, as that is supported since Linux 2.6.35. But since we do not
 	 * actually want to have a connection open, we are still going to drop it.
 	 */
-	delude_send_reset(par_net(par), skb, par->state->hook);
+	delude_send_reset(skb, par);
 	return NF_DROP;
 }
 

extensions/xt_DNETMAP.c

@@ -19,9 +19,10 @@
  */
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#ifdef CONFIG_NF_NAT
 #include <linux/inet.h>
 #include <linux/ip.h>
-#include <linux/module.h>
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
@@ -36,12 +37,6 @@
 #include "compat_xtables.h"
 #include "xt_DNETMAP.h"
 
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
-MODULE_DESCRIPTION(
-	"Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
-MODULE_ALIAS("ipt_DNETMAP");
-
 static unsigned int default_ttl = 600;
 static unsigned int proc_perms = S_IRUGO | S_IWUSR;
 static unsigned int proc_uid;
@@ -66,14 +61,8 @@ MODULE_PARM_DESC(whole_prefix,
 static unsigned int jtimeout;
 
 struct dnetmap_entry {
-	struct list_head list;
-	/* priv2entry */
-	struct list_head glist;
-	/* pub2entry */
-	struct list_head grlist;
-	struct list_head lru_list;
-	__be32 prenat_addr;
-	__be32 postnat_addr;
+	struct list_head list, glist, grlist, lru_list;
+	__be32 prenat_addr, postnat_addr;
 	__u8 flags;
 	unsigned long stamp;
 	struct dnetmap_prefix *prefix;
@@ -83,8 +72,7 @@ struct dnetmap_prefix {
 	struct nf_nat_range prefix;
 	char prefix_str[20];
 #ifdef CONFIG_PROC_FS
-	char proc_str_data[20];
-	char proc_str_stat[25];
+	char proc_str_data[20], proc_str_stat[25];
 #endif
 	struct list_head elist; // element list head
 	struct list_head list;	// prefix list
@@ -127,9 +115,7 @@ static struct dnetmap_entry *
 dnetmap_entry_lookup(struct dnetmap_net *dnetmap_net, const __be32 addr)
 {
 	struct dnetmap_entry *e;
-	unsigned int h;
-
-	h = dnetmap_entry_hash(addr);
+	unsigned int h = dnetmap_entry_hash(addr);
 
 	list_for_each_entry(e, &dnetmap_net->dnetmap_iphash[h], glist)
 		if (memcmp(&e->prenat_addr, &addr, sizeof(addr)) == 0)
@@ -141,9 +127,7 @@ static struct dnetmap_entry *
 dnetmap_entry_rlookup(struct dnetmap_net *dnetmap_net, const __be32 addr)
 {
 	struct dnetmap_entry *e;
-	unsigned int h;
-
-	h = dnetmap_entry_hash(addr);
+	unsigned int h = dnetmap_entry_hash(addr);
 
 	list_for_each_entry(e, &dnetmap_net->dnetmap_iphash[hash_size + h],
 	    grlist)
@@ -293,12 +277,12 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 	ip_min = ntohl(mr->min_addr.ip) + (whole_prefix == 0);
 	ip_max = ntohl(mr->max_addr.ip) - (whole_prefix == 0);
 
-	sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->min_addr.ip),
+	sprintf(p->prefix_str, "%pI4/%u", &mr->min_addr.ip,
 		33 - ffs(~(ip_min ^ ip_max)));
 #ifdef CONFIG_PROC_FS
-	sprintf(p->proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->min_addr.ip),
+	sprintf(p->proc_str_data, "%pI4_%u", &mr->min_addr.ip,
 		33 - ffs(~(ip_min ^ ip_max)));
-	sprintf(p->proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->min_addr.ip),
+	sprintf(p->proc_str_stat, "%pI4_%u_stat", &mr->min_addr.ip,
 		33 - ffs(~(ip_min ^ ip_max)));
 #endif
 	printk(KERN_INFO KBUILD_MODNAME ": new prefix %s\n", p->prefix_str);
@@ -358,7 +342,6 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	struct net *net = dev_net(par->state->in ? par->state->in : par->state->out);
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
-	struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
 	__be32 prenat_ip, postnat_ip, prenat_ip_prev;
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
@@ -370,11 +353,9 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 #endif
 	struct dnetmap_entry *e;
 	struct dnetmap_prefix *p;
-	__s32 jttl;
 	unsigned int hooknum = par->state->hook;
-	ct = nf_ct_get(skb, &ctinfo);
-
-	jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	__s32 jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
 
 	/* in prerouting we try to map postnat-ip to prenat-ip */
 	if (hooknum == NF_INET_PRE_ROUTING) {
@@ -429,8 +410,8 @@ bind_new_prefix:
 		if (e->prenat_addr != 0 && time_before(jiffies, e->stamp)) {
 			if (!disable_log && ! (p->flags & XT_DNETMAP_FULL) ){
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": ip " NIPQUAD_FMT " - no free adresses in prefix %s\n",
-				       NIPQUAD(prenat_ip), p->prefix_str);
+				       ": ip %pI4 - no free adresses in prefix %s\n",
+				       &prenat_ip, p->prefix_str);
 				p->flags |= XT_DNETMAP_FULL;
 			}
 			goto no_free_ip;
@@ -443,8 +424,8 @@ bind_new_prefix:
 			prenat_ip_prev = e->prenat_addr;
 			if (!disable_log)
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-				       NIPQUAD(prenat_ip_prev), NIPQUAD(postnat_ip) );
+				       ": timeout binding %pI4 -> %pI4\n",
+				       &prenat_ip_prev, &postnat_ip);
 			list_del(&e->glist);
 			list_del(&e->grlist);
 		}
@@ -461,18 +442,16 @@ bind_new_prefix:
 							   (postnat_ip)]);
 		if (!disable_log)
 			printk(KERN_INFO KBUILD_MODNAME
-			       ": add binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-						 NIPQUAD(prenat_ip),NIPQUAD(postnat_ip));
-
+			       ": add binding %pI4 -> %pI4\n",
+			       &prenat_ip, &postnat_ip);
 	} else {
 
 		if (!(tginfo->flags & XT_DNETMAP_REUSE) && !(e->flags & XT_DNETMAP_STATIC))
 			if (time_before(e->stamp, jiffies) && p != e->prefix) {
 				if (!disable_log)
 					printk(KERN_INFO KBUILD_MODNAME
-					       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-					       NIPQUAD(e->prenat_addr),
-					       NIPQUAD(e->postnat_addr));
+					       ": timeout binding %pI4 -> %pI4\n",
+					       &e->prenat_addr, &e->postnat_addr);
 				list_del(&e->glist);
 				list_del(&e->grlist);
 				e->prenat_addr = 0;
@@ -571,12 +550,13 @@ static int dnetmap_seq_show(struct seq_file *seq, void *v)
 	const struct dnetmap_entry *e = v;
 
 	if((e->flags & XT_DNETMAP_STATIC) == 0){
-		seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: %d lasthit: %lu\n",
-				NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr),
-				(int)(e->stamp - jiffies) / HZ, (e->stamp - jtimeout) / HZ);
+		seq_printf(seq, "%pI4 -> %pI4 --- ttl: %d lasthit: %lu\n",
+		           &e->prenat_addr, &e->postnat_addr,
+		           (int)(e->stamp - jiffies) / HZ,
+		           (e->stamp - jtimeout) / HZ);
 	}else{
-		seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: S lasthit: S\n",
-				NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr));
+		seq_printf(seq, "%pI4 -> %pI4 --- ttl: S lasthit: S\n",
+		           &e->prenat_addr, &e->postnat_addr);
 	}
 	return 0;
 }
@@ -698,8 +678,8 @@ dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, l
 		if(e != NULL){
 			if (!disable_log)
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-				       NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr) );
+				       ": timeout binding %pI4 -> %pI4\n",
+				       &e->prenat_addr, &e->postnat_addr);
 			list_del(&e->glist);
 			list_del(&e->grlist);
 		}else{
@@ -721,7 +701,7 @@ dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, l
 							   (e->postnat_addr)]);
 		list_del(&e->lru_list);
 
-		sprintf(str, NIPQUAD_FMT ":" NIPQUAD_FMT, NIPQUAD(addr1),NIPQUAD(addr2));
+		sprintf(str, "%pI4:%pI4", &addr1, &addr2);
 		printk(KERN_INFO KBUILD_MODNAME ": adding static binding %s\n", str);
 
 	// case of removing binding
@@ -737,8 +717,8 @@ dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, l
 		if(e != NULL){
 			if (!disable_log)
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": remove binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-				       NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr) );
+				       ": remove binding %pI4 -> %pI4\n",
+				       &e->prenat_addr, &e->postnat_addr);
 			list_del(&e->glist);
 			list_del(&e->grlist);
 			if(e->flags & XT_DNETMAP_STATIC){
@@ -936,6 +916,18 @@ static void __exit dnetmap_tg_exit(void)
 	xt_unregister_target(&dnetmap_tg_reg);
 	unregister_pernet_subsys(&dnetmap_net_ops);
 }
+#else /* CONFIG_NF_NAT */
+static int __init dnetmap_tg_init(void)
+{
+	pr_err("CONFIG_NF_NAT is not available in your kernel, hence this module cannot function.");
+	return -EINVAL;
+}
+static void __exit dnetmap_tg_exit(void) {}
+#endif
 
 module_init(dnetmap_tg_init);
 module_exit(dnetmap_tg_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
+MODULE_DESCRIPTION("Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
+MODULE_ALIAS("ipt_DNETMAP");

extensions/xt_ECHO.c

@@ -97,7 +97,11 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 	memcpy(&fl.daddr, &newip->daddr, sizeof(fl.daddr));
 	fl.fl6_sport = newudp->source;
 	fl.fl6_dport = newudp->dest;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi_common(&fl));
+#else
 	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
+#endif
 	dst = ip6_route_output(net, NULL, &fl);
 	if (dst == NULL || dst->error != 0) {
 		dst_release(dst);
@@ -113,7 +117,7 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 		goto free_nskb;
 
 	nf_ct_attach(newskb, oldskb);
-	ip6_local_out(par_net(par), newskb->sk, newskb);
+	ip6_local_out(par_net(par), par->state->sk, newskb);
 	return NF_DROP;
 
  free_nskb:
@@ -191,8 +195,8 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
 
 	/* ip_route_me_harder expects the skb's dst to be set */
 	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
-
-	if (ip_route_me_harder(par_net(par), newskb, RTN_UNSPEC) != 0)
+	if (ip_route_me_harder(par_net(par), par->state->sk, newskb,
+	    RTN_UNSPEC) != 0)
 		goto free_nskb;
 
 	newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));

extensions/xt_SYSRQ.c

@@ -204,12 +204,11 @@ sysrq_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 
 	if (sysrq_debug)
 		printk(KERN_INFO KBUILD_MODNAME
-		       ": " NIPQUAD_FMT ":%u -> :%u len=%u\n",
-		       NIPQUAD(iph->saddr), htons(udph->source),
+		       ": %pI4:%hu -> :%hu len=%u\n",
+		       &iph->saddr, htons(udph->source),
 		       htons(udph->dest), len);
 #ifdef WITH_CRYPTO
-	sprintf(sysrq_digest_password, NIPQUAD_FMT ",%s",
-	        NIPQUAD(iph->daddr), sysrq_password);
+	sprintf(sysrq_digest_password, "%pI4,%s", &iph->daddr, sysrq_password);
 #endif
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
@@ -238,13 +237,11 @@ sysrq_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
 	if (sysrq_debug)
-		printk(KERN_INFO KBUILD_MODNAME
-		       ": " NIP6_FMT ":%hu -> :%hu len=%u\n",
-		       NIP6(iph->saddr), ntohs(udph->source),
+		printk(KERN_INFO KBUILD_MODNAME ": %pI6:%hu -> :%hu len=%u\n",
+		       &iph->saddr, ntohs(udph->source),
 		       ntohs(udph->dest), len);
 #ifdef WITH_CRYPTO
-	sprintf(sysrq_digest_password, NIP6_FMT ",%s",
-	        NIP6(iph->daddr), sysrq_password);
+	sprintf(sysrq_digest_password, "%pI6,%s", &iph->daddr, sysrq_password);
 #endif
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }

extensions/xt_TARPIT.c

@@ -170,8 +170,8 @@ static bool tarpit_generic(struct tcphdr *tcph, const struct tcphdr *oth,
 	return true;
 }
 
-static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook, unsigned int mode)
+static void tarpit_tcp4(const struct xt_action_param *par,
+    struct sk_buff *oldskb, unsigned int mode)
 {
 	struct tcphdr _otcph, *tcph;
 	const struct tcphdr *oth;
@@ -191,7 +191,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		return;
 
 	/* Check checksum. */
-	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+	if (nf_ip_checksum(oldskb, par->state->hook, ip_hdrlen(oldskb),
+	    IPPROTO_TCP))
 		return;
 
 	/*
@@ -254,18 +255,19 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
-	if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+	if (par->state->hook != NF_INET_FORWARD ||
+	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
 	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev))
 #else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
+	if (par->state->hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev != NULL))
 #endif
 #else
-	if (hook != NF_INET_FORWARD)
+	if (par->state->hook != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 
-	if (ip_route_me_harder(net, nskb, addr_type))
+	if (ip_route_me_harder(par_net(par), par->state->sk, nskb, addr_type) != 0)
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -287,8 +289,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
-	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
-		skb_dst(nskb)->dev, dst_output);
+	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, par_net(par), nskb->sk, nskb,
+	        NULL, skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -296,8 +298,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 }
 
 #ifdef WITH_IPV6
-static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook, unsigned int mode)
+static void tarpit_tcp6(const struct xt_action_param *par,
+    struct sk_buff *oldskb, unsigned int mode)
 {
 	struct sk_buff *nskb;
 	struct tcphdr *tcph, oth;
@@ -398,15 +400,14 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
 	              &ipv6_hdr(nskb)->daddr, sizeof(struct tcphdr),
 	              IPPROTO_TCP,
 	              csum_partial(tcph, sizeof(struct tcphdr), 0));
-
-	if (ip6_route_me_harder(net, nskb))
+	if (ip6_route_me_harder(par_net(par), nskb->sk, nskb))
 		goto free_nskb;
 
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	nf_ct_attach(nskb, oldskb);
-	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
-	        skb_dst(nskb)->dev, dst_output);
+	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, par_net(par), nskb->sk, nskb,
+	        NULL, skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -444,7 +445,7 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	/* We are not interested in fragments */
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
-	tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
+	tarpit_tcp4(par, skb, info->variant);
 	return NF_DROP;
 }
 
@@ -485,7 +486,7 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		pr_debug("addr is not unicast.\n");
 		return NF_DROP;
 	}
-	tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
+	tarpit_tcp6(par, skb, info->variant);
 	return NF_DROP;
 }
 #endif

extensions/xt_ipp2p.c

@@ -857,8 +857,11 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 				p2p_result = matchlist[i].function_name(haystack, hlen);
 				if (p2p_result)	{
 					if (info->debug)
-						printk("IPP2P.debug:TCP-match: %i from: %u.%u.%u.%u:%i to: %u.%u.%u.%u:%i Length: %i\n",
-						       p2p_result, NIPQUAD(ip->saddr),ntohs(tcph->source), NIPQUAD(ip->daddr),ntohs(tcph->dest),hlen);
+						printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
+						       p2p_result, &ip->saddr,
+						       ntohs(tcph->source),
+						       &ip->daddr,
+						       ntohs(tcph->dest), hlen);
 					return p2p_result;
 				}
 			}
@@ -888,8 +891,11 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 				p2p_result = udp_list[i].function_name(haystack, hlen);
 				if (p2p_result) {
 					if (info->debug)
-						printk("IPP2P.debug:UDP-match: %i from: %u.%u.%u.%u:%i to: %u.%u.%u.%u:%i Length: %i\n",
-						       p2p_result, NIPQUAD(ip->saddr), ntohs(udph->source), NIPQUAD(ip->daddr), ntohs(udph->dest), hlen);
+						printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
+						       p2p_result, &ip->saddr,
+						       ntohs(udph->source),
+						       &ip->daddr,
+						       ntohs(udph->dest), hlen);
 					return p2p_result;
 				}
 			}

extensions/xt_lscan.c

@@ -175,6 +175,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
+	const struct iphdr *iph = ip_hdr(skb);
 	const struct tcphdr *tcph;
 	struct nf_conn *ctdata;
 	struct tcphdr tcph_buf;
@@ -182,10 +183,14 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	tcph = skb_header_pointer(skb, par->thoff, sizeof(tcph_buf), &tcph_buf);
 	if (tcph == NULL)
 		return false;
+	if (info->match_fl1 & LSCAN_FL1_MIRAI && iph != NULL &&
+	    iph->version == 4 && iph->daddr == tcph->seq)
+		return true;
 
 	/* Check for invalid packets: -m conntrack --ctstate INVALID */
-	if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-		if (info->match_stealth)
+	ctdata = nf_ct_get(skb, &ctstate);
+	if (ctdata == NULL) {
+		if (info->match_fl1 & LSCAN_FL1_STEALTH)
 			return lscan_mt_stealth(tcph);
 		/*
 		 * If @ctdata is NULL, we cannot match the other scan
@@ -211,17 +216,19 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen;
 	}
 
-	return (info->match_syn && ctdata->mark == mark_synscan) ||
-	       (info->match_cn && ctdata->mark == mark_cnscan) ||
-	       (info->match_gr && ctdata->mark == mark_grscan);
+	return (info->match_fl1 & LSCAN_FL1_STEALTH && ctdata->mark == mark_synscan) ||
+	       (info->match_fl3 & LSCAN_FL3_CN && ctdata->mark == mark_cnscan) ||
+	       (info->match_fl4 & LSCAN_FL4_GR && ctdata->mark == mark_grscan);
 }
 
 static int lscan_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
-	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
+	if ((info->match_fl1 & ~(LSCAN_FL1_STEALTH | LSCAN_FL1_MIRAI)) ||
+	    (info->match_fl2 & ~LSCAN_FL2_SYN) ||
+	    (info->match_fl3 & ~LSCAN_FL3_CN) ||
+	    (info->match_fl4 & ~LSCAN_FL4_GR)) {
 		printk(KERN_WARNING PFX "Invalid flags\n");
 		return -EINVAL;
 	}

extensions/xt_lscan.h

@@ -1,8 +1,16 @@
 #ifndef _LINUX_NETFILTER_XT_LSCAN_H
 #define _LINUX_NETFILTER_XT_LSCAN_H 1
 
+enum {
+	LSCAN_FL1_STEALTH = 1 << 0,
+	LSCAN_FL1_MIRAI   = 1 << 1,
+	LSCAN_FL2_SYN     = 1 << 0,
+	LSCAN_FL3_CN      = 1 << 0,
+	LSCAN_FL4_GR      = 1 << 0,
+};
+
 struct xt_lscan_mtinfo {
-	uint8_t match_stealth, match_syn, match_cn, match_gr;
+	uint8_t match_fl1, match_fl2, match_fl3, match_fl4;
 };
 
 #endif /* _LINUX_NETFILTER_XT_LSCAN_H */

geoip/Makefile.am

@@ -1,7 +1,9 @@
 # -*- Makefile -*-
 
-bin_SCRIPTS = xt_geoip_fetch
+bin_SCRIPTS = xt_geoip_query
 
-pkglibexec_SCRIPTS = xt_geoip_build xt_geoip_dl
+pkglibexec_SCRIPTS = xt_geoip_build xt_geoip_build_maxmind xt_geoip_dl xt_geoip_dl_maxmind
 
-man1_MANS = xt_geoip_build.1 xt_geoip_dl.1 xt_geoip_fetch.1
+man1_MANS = xt_geoip_build.1 xt_geoip_dl.1 \
+	    xt_geoip_build_maxmind.1 xt_geoip_dl_maxmind.1 \
+	    xt_geoip_query.1

geoip/xt_geoip_build_maxmind

@@ -0,0 +1,268 @@
+#!/usr/bin/perl
+#
+#	Converter for MaxMind (GeoLite2) CSV database to binary, for xt_geoip
+#	Copyright Jan Engelhardt, 2008-2011
+#	Copyright Philip Prindeville, 2018
+#
+use Getopt::Long;
+use Net::CIDR::Lite;
+use Socket qw(AF_INET AF_INET6 inet_pton);
+use warnings;
+use Text::CSV_XS; # or trade for Text::CSV
+use strict;
+
+my $csv = Text::CSV_XS->new({
+	allow_whitespace => 1,
+	binary => 1,
+	eol => $/,
+}); # or Text::CSV
+my $source_dir = ".";
+my $quiet = 0;
+my $target_dir = ".";
+
+&Getopt::Long::Configure(qw(bundling));
+&GetOptions(
+	"D=s" => \$target_dir,
+	"S=s" => \$source_dir,
+	"q" => \$quiet,
+	"s" => sub { $target_dir = "/usr/share/xt_geoip"; },
+);
+
+if (!-d $source_dir) {
+	print STDERR "Source directory \"$source_dir\" does not exist.\n";
+	exit 1;
+}
+if (!-d $target_dir) {
+	print STDERR "Target directory \"$target_dir\" does not exist.\n";
+	exit 1;
+}
+
+my %countryId;
+my %countryName;
+&loadCountries();
+&dump(&collect());
+
+sub loadCountries
+{
+	sub id; sub cc; sub long; sub ct; sub cn;
+
+	%countryId = ();
+	%countryName = ();
+
+	my $file = "$source_dir/GeoLite2-Country-Locations-en.csv";
+	open(my $fh, '<', $file) || die "Couldn't open list country names\n";
+
+	# first line is headers
+	my $row = $csv->getline($fh);
+
+	my %header = map { ($row->[$_], $_); } (0..$#{$row});
+
+	my %pairs = (
+		country_iso_code => 'ISO Country Code',
+		geoname_id => 'ID',
+		country_name => 'Country Name',
+		continent_code => 'Continent Code',
+		continent_name => 'Continent Name',
+	);
+
+	# verify that the columns we need are present
+	map { die "Table has no $pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
+
+	my %remapping = (
+		id => 'geoname_id',
+		cc => 'country_iso_code',
+		long => 'country_name',
+		ct => 'continent_code',
+		cn => 'continent_name',
+	);
+
+	# now create a function which returns the value of that column #
+	map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
+
+	while (my $row = $csv->getline($fh)) {
+		if ($row->[cc] eq '' && $row->[long] eq '') {
+			$countryId{$row->[id]} = $row->[ct];
+			$countryName{$row->[ct]} = $row->[cn];
+		} else {
+			$countryId{$row->[id]} = $row->[cc];
+			$countryName{$row->[cc]} = $row->[long];
+		}
+	}
+
+	$countryName{A1} = 'Anonymous Proxy';
+	$countryName{A2} = 'Satellite Provider';
+	$countryName{O1} = 'Other Country';
+
+	close($fh);
+
+	# clean up the namespace
+	undef &id; undef &cc; undef &long; undef &ct; undef &cn;
+}
+
+sub lookupCountry
+{
+	my ($id, $rid, $proxy, $sat) = @_;
+
+	if ($proxy) {
+		return 'A1';
+	} elsif ($sat) {
+		return 'A2';
+	}
+	$id ||= $rid;
+	if ($id eq '') {
+		return 'O1';
+	}
+	die "Unknown id: $id line $.\n" unless (exists $countryId{$id});
+	return $countryId{$id};
+}
+
+sub collect
+{
+	my ($file, $fh, $row);
+	my (%country, %header);
+
+	sub net; sub id; sub rid; sub proxy; sub sat;
+
+	my %pairs = (
+		network => 'Network',
+		registered_country_geoname_id => 'Registered Country ID',
+		geoname_id => 'Country ID',
+		is_anonymous_proxy => 'Anonymous Proxy',
+		is_satellite_provider => 'Satellite',
+	);
+
+	foreach (sort keys %countryName) {
+		$country{$_} = {
+			name => $countryName{$_},
+			pool_v4 => Net::CIDR::Lite->new(),
+			pool_v6 => Net::CIDR::Lite->new(),
+		};
+	}
+
+	$file = "$source_dir/GeoLite2-Country-Blocks-IPv4.csv";
+	open($fh, '<', $file) || die "Can't open IPv4 database\n";
+
+	# first line is headers
+	$row = $csv->getline($fh);
+
+	%header = map { ($row->[$_], $_); } (0..$#{$row});
+
+	# verify that the columns we need are present
+	map { die "Table has no %pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
+
+	my %remapping = (
+		net => 'network',
+		id => 'geoname_id',
+		rid => 'registered_country_geoname_id',
+		proxy => 'is_anonymous_proxy',
+		sat => 'is_satellite_provider',
+	);
+
+	# now create a function which returns the value of that column #
+	map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
+
+	while ($row = $csv->getline($fh)) {
+		my ($cc, $cidr);
+
+		$cc = lookupCountry($row->[id], $row->[rid], $row->[proxy], $row->[sat]);
+		$cidr = $row->[net];
+		$country{$cc}->{pool_v4}->add($cidr);
+
+		if ($. % 4096 == 0) {
+			print STDERR "\r\e[2K$. entries";
+		}
+	}
+
+	print STDERR "\r\e[2K$. entries total\n";
+
+	close($fh);
+
+	# clean up the namespace
+	undef &net; undef &id; undef &rid; undef &proxy; undef &sat;
+
+	$file = "$source_dir/GeoLite2-Country-Blocks-IPv6.csv";
+	open($fh, '<', $file) || die "Can't open IPv6 database\n";
+
+	# first line is headers
+	$row = $csv->getline($fh);
+
+	%header = map { ($row->[$_], $_); } (0..$#{$row});
+
+	# verify that the columns we need are present
+	map { die "Table has no %pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
+
+	# unlikely the IPv6 table has different columns, but just to be sure
+	# create a function which returns the value of that column #
+	map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
+
+	while ($row = $csv->getline($fh)) {
+		my ($cc, $cidr);
+
+		$cc = lookupCountry($row->[id], $row->[rid], $row->[proxy], $row->[sat]);
+		$cidr = $row->[net];
+		$country{$cc}->{pool_v6}->add($cidr);
+
+		if (!$quiet && $. % 4096 == 0) {
+			print STDERR "\r\e[2K$. entries";
+		}
+	}
+
+	print STDERR "\r\e[2K$. entries total\n" unless ($quiet);
+
+	close($fh);
+
+	# clean up the namespace
+	undef &net; undef &id; undef &rid; undef &proxy; undef &sat;
+
+	return \%country;
+}
+
+sub dump
+{
+	my $country = shift @_;
+
+	foreach my $iso_code (sort keys %{$country}) {
+		&dump_one($iso_code, $country->{$iso_code});
+	}
+}
+
+sub dump_one
+{
+	my($iso_code, $country) = @_;
+	my @ranges;
+
+	@ranges = $country->{pool_v4}->list_range();
+
+	writeCountry($iso_code, $country->{name}, AF_INET, @ranges);
+
+	@ranges = $country->{pool_v6}->list_range();
+
+	writeCountry($iso_code, $country->{name}, AF_INET6, @ranges);
+}
+
+sub writeCountry
+{
+	my ($iso_code, $name, $family, @ranges) = @_;
+	my $fh;
+
+	printf "%5u IPv%s ranges for %s %s\n",
+		scalar(@ranges),
+		($family == AF_INET ? '4' : '6'),
+		$iso_code, $name unless ($quiet);
+
+	my $file = "$target_dir/".uc($iso_code).".iv".($family == AF_INET ? '4' : '6');
+	if (!open($fh, '>', $file)) {
+		print STDERR "Error opening $file: $!\n";
+		exit 1;
+	}
+
+	binmode($fh);
+
+	foreach my $range (@ranges) {
+		my ($start, $end) = split('-', $range);
+		$start = inet_pton($family, $start);
+		$end = inet_pton($family, $end);
+		print $fh $start, $end;
+	}
+	close $fh;
+}

geoip/xt_geoip_build_maxmind.1

@@ -0,0 +1,40 @@
+.TH xt_geoip_build_maxmind 1 "2010-12-17" "xtables-addons" "xtables-addons"
+.SH Name
+.PP
+xt_geoip_build_maxmind \(em convert GeoIP.csv to packed format for xt_geoip
+.SH Syntax
+.PP
+\fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_build_maxmind\fP [\fB\-D\fP
+\fItarget_dir\fP] [\fB\-S\fP \fIsource_dir\fP]
+.SH Description
+.PP
+xt_geoip_build_maxmind is used to build packed raw representations of the range
+database that the xt_geoip module relies on. Since kernel memory is precious,
+much of the preprocessing is done in userspace by this very building tool. One
+file is produced for each country, so that no more addresses than needed are
+required to be loaded into memory. The ranges in the packed database files are
+also ordered, as xt_geoip relies on this property for its bisection approach to
+work.
+.PP
+Since the script is usually installed to the libexec directory of the
+xtables-addons package and this is outside $PATH (on purpose), invoking the
+script requires it to be called with a path.
+.PP Options
+.TP
+\fB\-D\fP \fItarget_dir\fP
+Specifies the target directory into which the files are to be put. Defaults to ".".
+.TP
+\fB\-S\fP \fIsource_dir\fP
+Specifies the source directory of the MaxMind CSV files. Defaults to ".".
+.TP
+\fB\-s\fP
+"System mode". Equivalent to \fB\-D /usr/share/xt_geoip\fP.
+.SH Application
+.PP
+Shell commands to build the databases and put them to where they are expected
+(usually run as root):
+.PP
+xt_geoip_build_maxmind \-s
+.SH See also
+.PP
+xt_geoip_dl_maxmind(1)

geoip/xt_geoip_dl.1

@@ -7,8 +7,9 @@ xt_geoip_dl \(em download GeoIP database files
 \fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_dl\fP
 .SH Description
 .PP
-Downloads and unpacks the MaxMind GeoIP Country Lite databases for IPv4 and
-IPv6 and unpacks them to the current directory.
+Downloads the DB-IP Country Lite databases for IPv4 and IPv6 and unpacks them
+to the current directory. The alternate \fBxt_geoip_dl_maxmind\fP script can be
+used for MaxMind formatted CSV databases.
 .PP
 Since the script is usually installed to the libexec directory of the
 xtables-addons package and this is outside $PATH (on purpose), invoking the

geoip/xt_geoip_dl_maxmind

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ $# -eq 1 ]; then
+    exec <$1
+elif [ $# -ne 0 ]; then
+    echo $(basename $0) [ licence_key_file ] 1>&2
+    exit 1
+fi
+
+read licence_key
+
+rm -rf GeoLite2-Country-CSV_*
+
+wget -q -OGeoLite2-Country-CSV.zip "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=${licence_key}&suffix=zip"
+unzip -q GeoLite2-Country-CSV.zip
+rm -f GeoLite2-Country-CSV.zip

geoip/xt_geoip_dl_maxmind.1

@@ -0,0 +1,22 @@
+.TH xt_geoip_dl_maxmind 1 "2010-12-17" "xtables-addons" "xtables-addons"
+.SH Name
+.PP
+xt_geoip_dl_maxmind \(em download MaxMind GeoIP database files
+.SH Syntax
+.PP
+\fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_dl_maxmind\fP [\fI licence-key file\fP]
+.SH Description
+.PP
+Downloads the MaxMind GeoLite2 databases for IPv4 and IPv6 and unpacks them to
+the current directory.  The alternate \fBxt_geoip_dl\fP script can be
+used for the DB-IP Country Lite databases.
+.PP
+Since the script is usually installed to the libexec directory of the
+xtables-addons package and this is outside $PATH (on purpose), invoking the
+script requires it to be called with a path.
+.SH Options
+.PP
+None.
+.SH See also
+.PP
+xt_geoip_build_maxmind(1)

geoip/xt_geoip_query

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-#	Utility to query GeoIP database
+#	Utility to query GeoIP database (.iv4/.iv6 files)
 #	Copyright Philip Prindeville, 2018
 #
 use Getopt::Long;

geoip/xt_geoip_query.1

@@ -1,16 +1,16 @@
-.TH xt_geoip_fetch 1 "2020-04-30" "xtables-addons" "xtables-addons"
+.TH xt_geoip_query 1 "2020-04-30" "xtables-addons" "xtables-addons"
 .SH Name
 .PP
-xt_geoip_fetch \(em dump a country database to stdout
+xt_geoip_query \(em dump a country database to stdout
 .SH Syntax
 .PP
-\fBxt_geoip_fetch\fP [\fB\-D\fP
+\fBxt_geoip_query\fP [\fB\-D\fP
 \fIdatabase_dir\fP] [\fB-4\fP] [\fB-6\fP] \fIcc\fP [ \fIcc\fP ... ]
 .SH Description
 .PP
-xt_geoip_fetch unpacks a country's IPv4 or IPv6 databases and dumps
-them to standard output as a sorted, non-overlaping list of ranges (which
-is how they're represented in the database) suitable for browsing or
+xt_geoip_query reads a country's IPv4 or IPv6 databases and dumps
+them to standard output as a sorted, non-overlapping list of ranges (which
+is how they are represented in the database), suitable for browsing or
 further processing.
 .PP Options
 .TP
@@ -29,7 +29,7 @@ The ISO-3166 country code names of the desired countries' databases.
 .PP
 Shell command to dump the list of Swiss IPv6 address ranges:
 .PP
-xt_geoip_fetch \-D /usr/share/xt_geoip \-6 ch
+xt_geoip_query \-D /usr/share/xt_geoip \-6 ch
 .SH See also
 .PP
 xt_geoip_build(1)

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v3.9 (2020-02-25)"
+.TH xtables-addons 8 "" "" "v3.16 (2021-02-24)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets