Xtables-addons 1.12

Resolve compile breakage from commits
36f80be2f7 and
7b9ca945d4.

INSTALL

@@ -53,11 +53,8 @@ Configuring and compiling
 	xtables.h, should it not be within the standard C compiler
 	include path (/usr/include), or if you want to override it.
 	The directory will be checked for xtables.h and
-	include/xtables.h. (This is to support the following specs:)
-
-		--with-xtables=/usr/src/xtables
-		--with-xtables=/usr/src/xtables/include
-		--with-xtables=/opt/xtables/include
+	include/xtables.h. (The latter to support both standard
+	/usr/include and the iptables source root.)
 
 --with-libxtdir=
 

Makefile.am

@@ -15,6 +15,8 @@ extensions/%:
 install-exec-local:
 	depmod -a || :;
 
+config.status: extensions/GNUmakefile.in
+
 .PHONY: tarball
 tarball:
 	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.10])
+AC_INIT([xtables-addons], [1.12])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL

doc/changelog.txt

@@ -0,0 +1,125 @@
+
+
+Xtables-addons 1.12 (March 07 2009)
+===================================
+- ipset: fix for compilation with 2.6.29-rt
+- ipset: fast forward to 2.5.0
+- rename xt_portscan to xt_lscan ("low-level scan") because
+  "portscan" as a wor caused confusion
+- xt_LOGMARK: print incoming interface index
+- revert "TEE: do not use TOS for routing"
+- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n
+- xt_TEE: enable routing by iif, nfmark and flowlabel
+
+
+Xtables-addons 1.10 (February 18 2009)
+======================================
+- compat: compile fixes for 2.6.29
+- ipset: upgrade to ipset 2.4.9
+
+
+Xtables-addons 1.9 (January 30 2009)
+====================================
+- add the xt_length2 extension
+- xt_TEE: remove intrapositional '!' support
+- ipset: upgrade to ipset 2.4.7
+
+
+Xtables-addons 1.8 (January 10 2009)
+====================================
+- xt_TEE: IPv6 support
+- xt_TEE: do not include TOS value in routing decision
+- xt_TEE: fix switch-case inversion for name/IP display
+- xt_ipp2p: update manpages and help text
+- xt_ipp2p: remove log flooding
+- xt_portscan: update manpage about --grscan option caveats
+
+
+Xtables-addons 1.7 (December 25 2008)
+=====================================
+- xt_ECHO: compile fix
+- avoid the use of "_init" which led to compile errors on some installations
+- build: do not unconditionally install ipset
+- doc: add manpages for xt_ECHO and xt_TEE
+- xt_ipp2p: kazaa detection code cleanup
+- xt_ipp2p: fix newline inspection in kazaa detection
+- xt_ipp2p: ensure better array bounds checking
+- xt_SYSRQ: improve security by hashing password
+
+
+Xtables-addons 1.6 (November 18 2008)
+=====================================
+- build: support for Linux 2.6.17
+- build: compile fixes for 2.6.18 and 2.6.19
+- xt_ECHO: resolve compile errors in xt_ECHO
+- xt_ipp2p: parenthesize unaligned-access macros
+
+
+Xtables-addons 1.5.7 (September 01 2008)
+========================================
+- API layer: fix use of uninitialized 'hotdrop' variable
+- API layer: move to pskb-based signatures
+- xt_SYSRQ: compile fixes for Linux <= 2.6.19
+- ipset: adjust semaphore.h include for Linux >= 2.6.27
+- build: automatically run `depmod -a` on installation
+- add reworked xt_fuzzy module
+- add DHCP address match and mangle module
+- xt_portscan: IPv6 support
+- xt_SYSRQ: add missing module aliases
+
+
+Xtables-addons 1.5.5 (August 03 2008)
+=====================================
+- manpage updates for xt_CHAOS, xt_IPMARK; README updates
+- build: properly recognize external Kbuild/Mbuild files
+- build: remove dependency on CONFIG_NETWORK_SECMARK
+- add the xt_SYSRQ target
+- add the xt_quota2 extension
+- import ipset extension group
+
+
+Xtables-addons 1.5.4.1 (April 26 2008)
+======================================
+- build: fix compile error for 2.6.18-stable
+
+
+Xtables-addons 1.5.4 (April 09 2008)
+====================================
+- build: support building multiple files with one config option
+- API layer: add check for pskb relocation
+- doc: generate manpages
+- xt_ECHO: catch skb_linearize out-of-memory condition
+- xt_LOGMARK: add hook= and ctdir= fields in dump
+- xt_LOGMARK: fix comma output in ctstatus= list
+- xt_TEE: fix address copying bug
+- xt_TEE: make skb writable before attempting checksum update
+- add reworked xt_condition match
+- add reworked xt_ipp2p match
+- add reworked xt_IPMARK target
+
+
+Xtables-addons 1.5.3 (March 22 2008)
+====================================
+- support for Linux 2.6.18
+- add xt_ECHO sample target
+- add reworked xt_geoip match
+
+
+Xtables-addons 1.5.2 (March 04 2008)
+====================================
+- build: support for GNU make < 3.81 which does not have $(realpath)
+
+
+Xtables-addons 1.5.1 (February 21 2008)
+=======================================
+- build: allow user to select what extensions to compile and install
+- build: allow external proejcts to be downloaded into the tree
+- xt_LOGMARK: dump classify mark, ctstate and ctstatus
+- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
+
+
+Xtables-addons 1.5.0 (February 11 2008)
+=======================================
+Initial release with:
+- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
+- support for Linux >= 2.6.19

extensions/GNUmakefile.in

@@ -34,12 +34,14 @@ VU := 0
 am__1verbose_CC_0     = @echo "  CC      " $@;
 am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
 am__1verbose_GEN_0    = @echo "  GEN     " $@;
+am__1verbose_SILENT_0 = @
 am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
 am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
 am__1verbose_GEN_1    = @echo "  GEN     " $@ "<-" $<;
 am__verbose_CC        = ${am__1verbose_CC_${VU}}
 am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
 am__verbose_GEN       = ${am__1verbose_GEN_${VU}}
+am__verbose_SILENT    = ${am__1verbose_GEN_${VU}}
 
 
 #
@@ -93,13 +95,13 @@ distclean: clean
 .PHONY: modules modules_install clean_modules
 
 modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
 
 modules_install:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
 
 clean_modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
 
 
 #

extensions/Kbuild

@@ -20,7 +20,7 @@ obj-${build_geoip}       += xt_geoip.o
 obj-${build_ipp2p}       += xt_ipp2p.o
 obj-${build_ipset}       += ipset/
 obj-${build_length2}     += xt_length2.o
-obj-${build_portscan}    += xt_portscan.o
+obj-${build_lscan}       += xt_lscan.o
 obj-${build_quota2}      += xt_quota2.o
 
 -include ${M}/*.Kbuild

extensions/Mbuild

@@ -13,5 +13,5 @@ obj-${build_geoip}       += libxt_geoip.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
 obj-${build_ipset}       += ipset/
 obj-${build_length2}     += libxt_length2.so
-obj-${build_portscan}    += libxt_portscan.so
+obj-${build_lscan}       += libxt_lscan.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/compat_skbuff.h

@@ -5,8 +5,11 @@ struct tcphdr;
 struct udphdr;
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+#	define skb_ifindex(skb) \
+		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
 #else
+#	define skb_ifindex(skb) (skb)->iif
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #endif
 

extensions/ipset/GNUmakefile.in

@@ -2,6 +2,7 @@
 
 top_srcdir      := @top_srcdir@
 srcdir          := @srcdir@
+datarootdir     := @datarootdir@
 abstop_srcdir   := $(shell readlink -e ${top_srcdir})
 abssrcdir       := $(shell readlink -e ${srcdir})
 

extensions/ipset/ip_set.c

@@ -877,7 +877,7 @@ ip_set_create(const char *name,
 	set = kmalloc(sizeof(struct ip_set), GFP_KERNEL);
 	if (!set)
 		return -ENOMEM;
-	set->lock = RW_LOCK_UNLOCKED;
+	rwlock_init(&set->lock);
 	strncpy(set->name, name, IP_SET_MAXNAMELEN);
 	set->binding = IP_SET_INVALID_ID;
 	atomic_set(&set->ref, 0);

extensions/ipset/ipset.8

@@ -602,8 +602,4 @@ Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
 .P
 Sven Wegener wrote the iptreemap type.
 .SH LAST REMARK
-.BR "I stand on the shoulder of giants."
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
+.BR "I stand on the shoulders of giants."

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "2.4.9"
+#define IPSET_VERSION "2.5.0"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;
@@ -629,7 +629,8 @@ void parse_ip(const char *str, ip_set_ip_t * ip)
 				   "host/network `%s' resolves to serveral ip-addresses. "
 				   "Please specify one.", str);
 
-		*ip = ntohl(((struct in_addr *) host->h_addr_list[0])->s_addr);
+		memcpy(&addr, host->h_addr_list[0], sizeof(struct in_addr));
+		*ip = ntohl(addr.s_addr);
 		return;
 	}
 

extensions/libxt_CHAOS.man

@@ -18,4 +18,4 @@ The randomness factor of not replying vs. replying can be set during load-time
 of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
 See http://jengelh.medozas.de/projects/chaostables/ for more information
-about CHAOS, DELUDE and portscan.
+about CHAOS, DELUDE and lscan.

extensions/libxt_lscan.c

@@ -1,6 +1,6 @@
 /*
- *	"portscan" match extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	LSCAN match extension for iptables
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -16,9 +16,9 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 
-static const struct option portscan_mt_opts[] = {
+static const struct option lscan_mt_opts[] = {
 	{.name = "stealth", .has_arg = false, .val = 'x'},
 	{.name = "synscan", .has_arg = false, .val = 's'},
 	{.name = "cnscan",  .has_arg = false, .val = 'c'},
@@ -26,10 +26,10 @@ static const struct option portscan_mt_opts[] = {
 	{NULL},
 };
 
-static void portscan_mt_help(void)
+static void lscan_mt_help(void)
 {
 	printf(
-		"portscan match options:\n"
+		"lscan match options:\n"
 		"(Combining them will make them match by OR-logic)\n"
 		"  --stealth    Match TCP Stealth packets\n"
 		"  --synscan    Match TCP SYN scans\n"
@@ -37,10 +37,10 @@ static void portscan_mt_help(void)
 		"  --grscan     Match Banner Grabbing scans\n");
 }
 
-static int portscan_mt_parse(int c, char **argv, int invert,
+static int lscan_mt_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_match **match)
 {
-	struct xt_portscan_mtinfo *info = (void *)((*match)->data);
+	struct xt_lscan_mtinfo *info = (void *)((*match)->data);
 
 	switch (c) {
 	case 'c':
@@ -59,17 +59,17 @@ static int portscan_mt_parse(int c, char **argv, int invert,
 	return false;
 }
 
-static void portscan_mt_check(unsigned int flags)
+static void lscan_mt_check(unsigned int flags)
 {
 }
 
-static void portscan_mt_print(const void *ip,
+static void lscan_mt_print(const void *ip,
     const struct xt_entry_match *match, int numeric)
 {
-	const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 	const char *s = "";
 
-	printf("portscan ");
+	printf("lscan ");
 	if (info->match_stealth) {
 		printf("STEALTH");
 		s = ",";
@@ -87,9 +87,9 @@ static void portscan_mt_print(const void *ip,
 	printf(" ");
 }
 
-static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
+static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
-	const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 
 	if (info->match_stealth)
 		printf("--stealth ");
@@ -101,22 +101,22 @@ static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
 		printf("--grscan ");
 }
 
-static struct xtables_match portscan_mt_reg = {
+static struct xtables_match lscan_mt_reg = {
 	.version       = XTABLES_VERSION,
-	.name          = "portscan",
+	.name          = "lscan",
 	.revision      = 0,
 	.family        = AF_INET,
-	.size          = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-	.help          = portscan_mt_help,
-	.parse         = portscan_mt_parse,
-	.final_check   = portscan_mt_check,
-	.print         = portscan_mt_print,
-	.save          = portscan_mt_save,
-	.extra_opts    = portscan_mt_opts,
+	.size          = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+	.help          = lscan_mt_help,
+	.parse         = lscan_mt_parse,
+	.final_check   = lscan_mt_check,
+	.print         = lscan_mt_print,
+	.save          = lscan_mt_save,
+	.extra_opts    = lscan_mt_opts,
 };
 
-static __attribute__((constructor)) void portscan_mt_ldr(void)
+static __attribute__((constructor)) void lscan_mt_ldr(void)
 {
-	xtables_register_match(&portscan_mt_reg);
+	xtables_register_match(&lscan_mt_reg);
 }

extensions/libxt_lscan.man

@@ -1,4 +1,5 @@
-Detects simple port scan attemps based upon the packet's contents. (This is
+Detects simple low-level scan attemps based upon the packet's contents.
+(This is
 different from other implementations, which also try to match the rate of new
 connections.) Note that an attempt is only discovered after it has been carried
 out, but this information can be used in conjunction with other rules to block
@@ -27,5 +28,5 @@ ports where a protocol runs that is guaranteed to do a bidirectional exchange
 of bytes.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
-so be advised to carefully use xt_portscan in conjunction with blocking rules,
+so be advised to carefully use xt_lscan in conjunction with blocking rules,
 as it may lock out your very own internal network.

extensions/xt_LOGMARK.c

@@ -38,9 +38,10 @@ logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	enum ip_conntrack_info ctinfo;
 	bool prev = false;
 
-	printk("<%u>%.*s""hook=%s nfmark=0x%x secmark=0x%x classify=0x%x",
+	printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
+	       "secmark=0x%x classify=0x%x",
 	       info->level, (unsigned int)sizeof(info->prefix), info->prefix,
-	       hook_names[par->hooknum],
+	       skb_ifindex(skb), hook_names[par->hooknum],
 	       skb_nfmark(skb), skb_secmark(skb), skb->priority);
 
 	ct = nf_ct_get(skb, &ctinfo);

extensions/xt_TEE.c

@@ -26,6 +26,9 @@
 #	include <net/netfilter/nf_conntrack.h>
 static struct nf_conn tee_track;
 #endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
 
 #include "compat_xtables.h"
 #include "xt_TEE.h"
@@ -51,12 +54,20 @@ static const union nf_inet_addr tee_zero_address;
 static bool
 tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
+	const struct iphdr *iph = ip_hdr(skb);
 	int err;
 	struct rtable *rt;
 	struct flowi fl;
 
 	memset(&fl, 0, sizeof(fl));
+	fl.iif = skb_ifindex(skb);
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+	fl.nl_u.ip4_u.fwmark = skb_nfmark(skb);
+#else
+	fl.mark = skb_nfmark(skb);
+#endif
 	fl.nl_u.ip4_u.daddr = info->gw.ip;
+	fl.nl_u.ip4_u.tos   = RT_TOS(iph->tos);
 	fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
 
 	/* Trying to route the packet using the standard routing table. */
@@ -210,14 +221,24 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
+#ifdef WITH_IPV6
 static bool
 tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
 	struct dst_entry *dst;
 	struct flowi fl;
 
 	memset(&fl, 0, sizeof(fl));
+	fl.iif = skb_ifindex(skb);
+#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
+	fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
+	fl.mark = skb_nfmark(skb);
+#endif
 	fl.nl_u.ip6_u.daddr = info->gw.in6;
+	fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
+		(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
 	dst = ip6_route_output(NULL, &fl);
@@ -263,6 +284,7 @@ tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 
 	return XT_CONTINUE;
 }
+#endif /* WITH_IPV6 */
 
 static bool tee_tg_check(const struct xt_tgchk_param *par)
 {
@@ -284,6 +306,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 		.checkentry = tee_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "TEE",
 		.revision   = 0,
@@ -294,6 +317,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 		.checkentry = tee_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
 static int __init tee_tg_init(void)

extensions/xt_lscan.Kconfig

@@ -1,8 +1,8 @@
-config NETFILTER_XT_MATCH_PORTSCAN
-	tristate '"portscan" target support'
+config NETFILTER_XT_MATCH_LSCAN
+	tristate '"lscan" match support'
 	depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
 	---help---
-	The portscan match allows to match on the basic types of nmap
+	The LSCAN match allows to match on the basic types of nmap
 	scans: Stealth Scan, SYN scan and connect scan. It can also match
 	"grab-only" connections, i.e. where data flows in only one
 	direction.

extensions/xt_lscan.c

@@ -1,6 +1,6 @@
 /*
- *	portscan match for netfilter
- *	Copyright © CC Computer Consultants GmbH, 2006 - 2008
+ *	LSCAN match for netfilter
+ *	Copyright © Jan Engelhardt, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or modify
  *	it under the terms of the GNU General Public License; either version
@@ -17,8 +17,7 @@
 #include <linux/version.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_tcpudp.h>
-//#include <net/netfilter/nf_conntrack.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
 
@@ -103,8 +102,8 @@ static inline bool tflg_synack(const struct tcphdr *th)
 	       (TCP_FLAG_SYN | TCP_FLAG_ACK);
 }
 
-/* portscan functions */
-static inline bool portscan_mt_stealth(const struct tcphdr *th)
+/* lscan functions */
+static inline bool lscan_mt_stealth(const struct tcphdr *th)
 {
 	/*
 	 * "Connection refused" replies to our own probes must not be matched.
@@ -126,7 +125,7 @@ static inline bool portscan_mt_stealth(const struct tcphdr *th)
 	return !tflg_syn(th);
 }
 
-static inline unsigned int portscan_mt_full(int mark,
+static inline unsigned int lscan_mt_full(int mark,
     enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
     unsigned int payload_len)
 {
@@ -172,9 +171,9 @@ static inline unsigned int portscan_mt_full(int mark,
 }
 
 static bool
-portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-	const struct xt_portscan_mtinfo *info = par->matchinfo;
+	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
 	const struct tcphdr *tcph;
 	struct nf_conn *ctdata;
@@ -187,7 +186,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	/* Check for invalid packets: -m conntrack --ctstate INVALID */
 	if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
 		if (info->match_stealth)
-			return portscan_mt_stealth(tcph);
+			return lscan_mt_stealth(tcph);
 		/*
 		 * If @ctdata is NULL, we cannot match the other scan
 		 * types, return.
@@ -196,7 +195,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	}
 
 	/*
-	 * If -m portscan was previously applied to this packet, the rules we
+	 * If -m lscan was previously applied to this packet, the rules we
 	 * simulate must not be run through again. And for speedup, do not call
 	 * it either when the connection is already VALID.
 	 */
@@ -204,7 +203,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	     (skb_nfmark(skb) & packet_mask) != mark_seen) {
 		unsigned int n;
 
-		n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
+		n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
 		    par->in == init_net__loopback_dev, tcph,
 		    skb->len - par->thoff - 4 * tcph->doff);
 
@@ -217,9 +216,9 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	       (info->match_gr && ctdata->mark == mark_grscan);
 }
 
-static bool portscan_mt_check(const struct xt_mtchk_param *par)
+static bool lscan_mt_check(const struct xt_mtchk_param *par)
 {
-	const struct xt_portscan_mtinfo *info = par->matchinfo;
+	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
 	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
 	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
@@ -229,44 +228,44 @@ static bool portscan_mt_check(const struct xt_mtchk_param *par)
 	return true;
 }
 
-static struct xt_match portscan_mt_reg[] __read_mostly = {
+static struct xt_match lscan_mt_reg[] __read_mostly = {
 	{
-		.name       = "portscan",
+		.name       = "lscan",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.match      = portscan_mt,
-		.checkentry = portscan_mt_check,
-		.matchsize  = sizeof(struct xt_portscan_mtinfo),
+		.match      = lscan_mt,
+		.checkentry = lscan_mt_check,
+		.matchsize  = sizeof(struct xt_lscan_mtinfo),
 		.proto      = IPPROTO_TCP,
 		.me         = THIS_MODULE,
 	},
 	{
-		.name       = "portscan",
+		.name       = "lscan",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.match      = portscan_mt,
-		.checkentry = portscan_mt_check,
-		.matchsize  = sizeof(struct xt_portscan_mtinfo),
+		.match      = lscan_mt,
+		.checkentry = lscan_mt_check,
+		.matchsize  = sizeof(struct xt_lscan_mtinfo),
 		.proto      = IPPROTO_TCP,
 		.me         = THIS_MODULE,
 	},
 };
 
-static int __init portscan_mt_init(void)
+static int __init lscan_mt_init(void)
 {
-	return xt_register_matches(portscan_mt_reg,
-	       ARRAY_SIZE(portscan_mt_reg));
+	return xt_register_matches(lscan_mt_reg,
+	       ARRAY_SIZE(lscan_mt_reg));
 }
 
-static void __exit portscan_mt_exit(void)
+static void __exit lscan_mt_exit(void)
 {
-	xt_unregister_matches(portscan_mt_reg, ARRAY_SIZE(portscan_mt_reg));
+	xt_unregister_matches(lscan_mt_reg, ARRAY_SIZE(lscan_mt_reg));
 }
 
-module_init(portscan_mt_init);
-module_exit(portscan_mt_exit);
+module_init(lscan_mt_init);
+module_exit(lscan_mt_exit);
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: \"portscan\" match");
+MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_portscan");
-MODULE_ALIAS("ip6t_portscan");
+MODULE_ALIAS("ipt_lscan");
+MODULE_ALIAS("ip6t_lscan");

extensions/xt_lscan.h

@@ -0,0 +1,8 @@
+#ifndef _LINUX_NETFILTER_XT_LSCAN_H
+#define _LINUX_NETFILTER_XT_LSCAN_H 1
+
+struct xt_lscan_mtinfo {
+	uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
+#endif /* _LINUX_NETFILTER_XT_LSCAN_H */

extensions/xt_portscan.h

@@ -1,8 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
-#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
-
-struct xt_portscan_mtinfo {
-	uint8_t match_stealth, match_syn, match_cn, match_gr;
-};
-
-#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */

mconfig

@@ -15,5 +15,5 @@ build_geoip=m
 build_ipp2p=m
 build_ipset=m
 build_length2=m
-build_portscan=m
+build_lscan=m
 build_quota2=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables\-addons 8 "v1.10 (2009\-02\-18)" "" "v1.10 (2009\-02\-18)"
+.TH xtables\-addons 8 "v1.12 (2009\-03\-07)" "" "v1.12 (2009\-03\-07)"
 .SH Name
 Xtables\-addons - additional extensions for iptables, ip6tables, etc.
 .SH Targets