Xtables-addons 1.14

As per "Writing Netfilter Modules" e-book 20090326 section 4.8, one
should use pr_debug instead.

INSTALL

@@ -12,8 +12,7 @@ in combination with the kernel's Kbuild system.
 Supported configurations for this release
 =========================================
 
-	* iptables >= 1.4.1
+	* iptables >= 1.4.3
-	  upper bound: iptables <= 1.4.3-rc1
 
 	* kernel-source >= 2.6.17, no upper bound known
 	  with prepared build/output directory

Makefile.am

@@ -1,7 +1,6 @@
 # -*- Makefile -*-
 
 ACLOCAL_AMFLAGS  = -I m4
-AUTOMAKE_OPTIONS = foreign subdir-objects
 SUBDIRS          = extensions
 
 man_MANS := xtables-addons.8

configure.ac

@@ -1,9 +1,9 @@
 
-AC_INIT([xtables-addons], [1.12])
+AC_INIT([xtables-addons], [1.14])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE([-Wall])
+AM_INIT_AUTOMAKE([-Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -28,8 +28,11 @@ AC_ARG_WITH([xtlibdir],
 	[xtlibdir="$withval"],
 	[xtlibdir='${libexecdir}/xtables'])
 
-AC_MSG_CHECKING([xtables.h presence])
+#
+# --with-xtables= overrides a possibly installed pkgconfig file.
+#
 if [[ -n "$xtables_location" ]]; then
+	AC_MSG_CHECKING([xtables.h presence])
 	if [[ -f "$xtables_location/xtables.h" ]]; then
 		AC_MSG_RESULT([$xtables_location/xtables.h])
 		xtables_CFLAGS="-I $xtables_location";
@@ -37,13 +40,15 @@ if [[ -n "$xtables_location" ]]; then
 		AC_MSG_RESULT([$xtables_location/include/xtables.h])
 		xtables_CFLAGS="-I $xtables_location/include";
 	fi;
-fi;
+	if [[ -z "$xtables_CFLAGS" ]]; then
-if [[ -z "$xtables_CFLAGS" ]]; then
 		if [[ -f "$includedir/xtables.h" ]]; then
 			AC_MSG_RESULT([$includedir/xtables.h])
 		else
 			AC_MSG_RESULT([no])
 		fi;
+	fi;
+else
+	PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
 fi;
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \

doc/changelog.txt

@@ -1,5 +1,22 @@
 
 
+Xtables-addons 1.14 (March 31 2009)
+===================================
+- fuzzy: need to account for kernel-level modified variables in .userspacesize
+- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
+- SYSRQ: ignore non-UDP packets
+- SYSRQ: do proper L4 header access in IPv6 code
+  (must not use tcp/udp_hdr in input path)
+- add "STEAL" target
+- dhcpmac: rename from dhcpaddr
+
+
+Xtables-addons 1.13 (March 23 2009)
+===================================
+- added a reworked ipv4options match
+- upgrade to iptables 1.4.3 API
+
+
 Xtables-addons 1.12 (March 07 2009)
 ===================================
 - ipset: fix for compilation with 2.6.29-rt

extensions/Kbuild

@@ -7,11 +7,12 @@ obj-m                    += compat_xtables.o
 
 obj-${build_CHAOS}       += xt_CHAOS.o
 obj-${build_DELUDE}      += xt_DELUDE.o
-obj-${build_DHCPADDR}    += xt_DHCPADDR.o
+obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
 obj-${build_SYSRQ}       += xt_SYSRQ.o
+obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o
 obj-${build_TEE}         += xt_TEE.o
 obj-${build_condition}   += xt_condition.o
@@ -19,6 +20,7 @@ obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
 obj-${build_ipp2p}       += xt_ipp2p.o
 obj-${build_ipset}       += ipset/
+obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o
 obj-${build_quota2}      += xt_quota2.o

extensions/Mbuild

@@ -1,9 +1,10 @@
 obj-${build_CHAOS}       += libxt_CHAOS.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
-obj-${build_DHCPADDR}    += libxt_DHCPADDR.so libxt_dhcpaddr.so
+obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
+obj-${build_STEAL}       += libxt_STEAL.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
 obj-${build_TEE}         += libxt_TEE.so
@@ -12,6 +13,7 @@ obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
 obj-${build_ipset}       += ipset/
+obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/compat_xtables.h

@@ -6,6 +6,8 @@
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
 
+#define DEBUGP Use__pr_debug__instead
+
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
 #	warning Kernels below 2.6.17 not supported.
 #endif

extensions/libxt_CHAOS.c

@@ -58,7 +58,7 @@ static void chaos_tg_check(unsigned int flags)
 {
 	if (flags == (F_DELUDE | F_TARPIT))
 		/* If flags == 0x03, both were specified, which should not be. */
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 		           "CHAOS: only one of --tarpit or --delude "
 		           "may be specified");
 }

extensions/libxt_DHCPMAC.c

@@ -1,5 +1,5 @@
 /*
- *	"DHCPADDR" target extension for iptables
+ *	"DHCPMAC" target extension for iptables
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	This program is free software; you can redistribute it and/or
@@ -15,19 +15,19 @@
 #include <string.h>
 #include <netinet/ether.h>
 #include <xtables.h>
-#include "xt_DHCPADDR.h"
+#include "xt_DHCPMAC.h"
 #include "mac.c"
 
 enum {
 	F_MAC = 1 << 0,
 };
 
-static const struct option dhcpaddr_tg_opts[] = {
+static const struct option dhcpmac_tg_opts[] = {
 	{.name = "set-mac", .has_arg = true, .val = 'M'},
 	{NULL},
 };
 
-static void dhcpaddr_tg_help(void)
+static void dhcpmac_tg_help(void)
 {
 	printf(
 "DHCPADDDR target options:\n"
@@ -35,17 +35,17 @@ static void dhcpaddr_tg_help(void)
 	);
 }
 
-static int dhcpaddr_tg_parse(int c, char **argv, int invert,
+static int dhcpmac_tg_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_target **target)
 {
-	struct dhcpaddr_info *info = (void *)(*target)->data;
+	struct dhcpmac_info *info = (void *)(*target)->data;
 
 	switch (c) {
 	case 'M':
-		param_act(P_ONLY_ONCE, "DHCPADDR", "--set-mac", *flags & F_MAC);
+		xtables_param_act(XTF_ONLY_ONCE, "DHCPMAC", "--set-mac", *flags & F_MAC);
-		param_act(P_NO_INVERT, "DHCPADDR", "--set-mac", invert);
+		xtables_param_act(XTF_NO_INVERT, "DHCPMAC", "--set-mac", invert);
 		if (!mac_parse(optarg, info->addr, &info->mask))
-			param_act(P_BAD_VALUE, "DHCPADDR", "--set-mac", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "DHCPMAC", "--set-mac", optarg);
 		*flags |= F_MAC;
 		return true;
 	}
@@ -53,26 +53,26 @@ static int dhcpaddr_tg_parse(int c, char **argv, int invert,
 	return false;
 }
 
-static void dhcpaddr_tg_check(unsigned int flags)
+static void dhcpmac_tg_check(unsigned int flags)
 {
 	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM, "DHCPADDR target: "
+		xtables_error(PARAMETER_PROBLEM, "DHCPMAC target: "
 		           "--set-mac parameter required");
 }
 
-static void dhcpaddr_tg_print(const void *ip,
+static void dhcpmac_tg_print(const void *ip,
     const struct xt_entry_target *target, int numeric)
 {
-	const struct dhcpaddr_info *info = (void *)target->data;
+	const struct dhcpmac_info *info = (void *)target->data;
 
-	printf("DHCPADDR %s" DH_MAC_FMT "/%u ",
+	printf("DHCPMAC %s" DH_MAC_FMT "/%u ",
 	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
 }
 
-static void dhcpaddr_tg_save(const void *ip,
+static void dhcpmac_tg_save(const void *ip,
     const struct xt_entry_target *target)
 {
-	const struct dhcpaddr_info *info = (const void *)target->data;
+	const struct dhcpmac_info *info = (const void *)target->data;
 
 	if (info->invert)
 		printf("! ");
@@ -80,22 +80,22 @@ static void dhcpaddr_tg_save(const void *ip,
 	       DH_MAC_HEX(info->addr), info->mask);
 }
 
-static struct xtables_target dhcpaddr_tg_reg = {
+static struct xtables_target dhcpmac_tg_reg = {
 	.version       = XTABLES_VERSION,
-	.name          = "DHCPADDR",
+	.name          = "DHCPMAC",
 	.revision      = 0,
 	.family        = PF_INET,
-	.size          = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
-	.help          = dhcpaddr_tg_help,
+	.help          = dhcpmac_tg_help,
-	.parse         = dhcpaddr_tg_parse,
+	.parse         = dhcpmac_tg_parse,
-	.final_check   = dhcpaddr_tg_check,
+	.final_check   = dhcpmac_tg_check,
-	.print         = dhcpaddr_tg_print,
+	.print         = dhcpmac_tg_print,
-	.save          = dhcpaddr_tg_save,
+	.save          = dhcpmac_tg_save,
-	.extra_opts    = dhcpaddr_tg_opts,
+	.extra_opts    = dhcpmac_tg_opts,
 };
 
-static __attribute__((constructor)) void dhcpaddr_tg_ldr(void)
+static __attribute__((constructor)) void dhcpmac_tg_ldr(void)
 {
-	xtables_register_target(&dhcpaddr_tg_reg);
+	xtables_register_target(&dhcpmac_tg_reg);
 }

extensions/libxt_DHCPMAC.man

@@ -1,4 +1,4 @@
-In conjunction with ebtables, DHCPADDR can be used to completely change all MAC
+In conjunction with ebtables, DHCPMAC can be used to completely change all MAC
 addresses from and to a VMware-based virtual machine. This is needed because
 VMware does not allow to set a non-VMware MAC address before an operating
 system is booted (and the MAC be changed with `ip link set eth0 address
@@ -13,11 +13,11 @@ EXAMPLE, replacing all addresses from one of VMware's assigned vendor IDs
 (00:50:56) addresses with something else:
 .PP
 iptables -t mangle -A FORWARD -p udp --dport 67 -m physdev --physdev-in vmnet1
--m dhcpaddr --mac 00:50:56:00:00:00/24 -j DHCPADDR --set-mac
+-m dhcpmac --mac 00:50:56:00:00:00/24 -j DHCPMAC --set-mac
 ab:cd:ef:00:00:00/24
 .PP
 iptables -t mangle -A FORWARD -p udp --dport 68 -m physdev --physdev-out vmnet1
--m dhcpaddr --mac ab:cd:ef:00:00:00/24 -j DHCPADDR --set-mac
+-m dhcpmac --mac ab:cd:ef:00:00:00/24 -j DHCPMAC --set-mac
 00:50:56:00:00:00/24
 .PP
 (This assumes there is a bridge interface that has vmnet1 as a port. You will

extensions/libxt_IPMARK.c

@@ -58,44 +58,44 @@ static int ipmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	switch (c) {
 	case '1':
-		param_act(P_ONLY_ONCE, "IPMARK", "addr", *flags & FL_ADDR_USED);
+		xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "addr", *flags & FL_ADDR_USED);
-		param_act(P_NO_INVERT, "IPMARK", "addr", invert);
+		xtables_param_act(XTF_NO_INVERT, "IPMARK", "addr", invert);
 		if (strcmp(optarg, "src") == 0)
 			info->selector = XT_IPMARK_SRC;
 		else if (strcmp(optarg, "dst") == 0)
 			info->selector = XT_IPMARK_DST;
 		else
-			exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
+			xtables_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
 		*flags |= FL_ADDR_USED;
 		return true;
 
 	case '2':
-		param_act(P_ONLY_ONCE, "IPMARK", "and-mask", *flags & FL_AND_MASK_USED);
+		xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "and-mask", *flags & FL_AND_MASK_USED);
-		param_act(P_NO_INVERT, "IPMARK", "and-mask", invert);
+		xtables_param_act(XTF_NO_INVERT, "IPMARK", "and-mask", invert);
-		if (!strtonum(optarg, NULL, &n, 0, ~0U))
+		if (!xtables_strtoui(optarg, NULL, &n, 0, ~0U))
-			param_act(P_BAD_VALUE, "IPMARK", "and-mask", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "IPMARK", "and-mask", optarg);
 		info->andmask = n;
 		*flags |= FL_AND_MASK_USED;
 		return true;
 
 	case '3':
-		param_act(P_ONLY_ONCE, "IPMARK", "or-mask", *flags & FL_OR_MASK_USED);
+		xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "or-mask", *flags & FL_OR_MASK_USED);
-		param_act(P_NO_INVERT, "IPMARK", "or-mask", invert);
+		xtables_param_act(XTF_NO_INVERT, "IPMARK", "or-mask", invert);
-		if (!strtonum(optarg, NULL, &n, 0, ~0U))
+		if (!xtables_strtoui(optarg, NULL, &n, 0, ~0U))
-			param_act(P_BAD_VALUE, "IPMARK", "or-mask", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "IPMARK", "or-mask", optarg);
 		info->ormask = n;
 		*flags |= FL_OR_MASK_USED;
 		return true;
 
 	case '4':
-		param_act(P_ONLY_ONCE, "IPMARK", "--shift", *flags & FL_SHIFT);
+		xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "--shift", *flags & FL_SHIFT);
-		param_act(P_NO_INVERT, "IPMARK", "--shift", invert);
+		xtables_param_act(XTF_NO_INVERT, "IPMARK", "--shift", invert);
 		/*
 		 * Anything >31 does not make sense for IPv4, but it still
 		 * does the right thing.
 		 */
-		if (!strtonum(optarg, NULL, &n, 0, 128))
+		if (!xtables_strtoui(optarg, NULL, &n, 0, 128))
-			param_act(P_BAD_VALUE, "IPMARK", "--shift", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "IPMARK", "--shift", optarg);
 		info->shift = n;
 		return true;
 	}
@@ -106,7 +106,7 @@ static int ipmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 static void ipmark_tg_check(unsigned int flags)
 {
 	if (!(flags & FL_ADDR_USED))
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 		           "IPMARK target: Parameter --addr is required");
 }
 

extensions/libxt_LOGMARK.c

@@ -51,23 +51,23 @@ logmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	switch (c) {
 	case 'l': /* --log-level */
-		param_act(P_ONLY_ONCE, "LOGMARK", "--log-level", *flags & F_LEVEL);
+		xtables_param_act(XTF_ONLY_ONCE, "LOGMARK", "--log-level", *flags & F_LEVEL);
-		param_act(P_NO_INVERT, "LOGMARK", "--log-level", invert);
+		xtables_param_act(XTF_NO_INVERT, "LOGMARK", "--log-level", invert);
-		if (!strtonum(optarg, NULL, &x, 0, 8))
+		if (!xtables_strtoui(optarg, NULL, &x, 0, 8))
-			param_act(P_BAD_VALUE, "LOGMARK", "--log-level", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "LOGMARK", "--log-level", optarg);
 		info->level = x;
 		*flags |= F_LEVEL;
 		return true;
 
 	case 'p': /* --log-prefix */
-		param_act(P_ONLY_ONCE, "LOGMARK", "--log-prefix", *flags & F_PREFIX);
+		xtables_param_act(XTF_ONLY_ONCE, "LOGMARK", "--log-prefix", *flags & F_PREFIX);
-		param_act(P_NO_INVERT, "LOGMARK", "--log-prefix", invert);
+		xtables_param_act(XTF_NO_INVERT, "LOGMARK", "--log-prefix", invert);
 		if (strlen(optarg) > sizeof(info->prefix))
-			exit_error(PARAMETER_PROBLEM, "LOGMARK: Maximum "
+			xtables_error(PARAMETER_PROBLEM, "LOGMARK: Maximum "
 			           "prefix length is %zu",
 			           sizeof(info->prefix));
 		if (strchr(optarg, '\n'))
-			exit_error(PARAMETER_PROBLEM, "LOGMARK: Newlines not "
+			xtables_error(PARAMETER_PROBLEM, "LOGMARK: Newlines not "
 			           "allowed in log prefix");
 		strncpy(info->prefix, optarg, sizeof(info->prefix));
 		*flags |= F_PREFIX;

extensions/libxt_STEAL.c

@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <xtables.h>
+
+static void steal_tg_help(void)
+{
+	printf("STEAL takes no options\n\n");
+}
+
+static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+                          const void *entry, struct xt_entry_target **target)
+{
+	return 0;
+}
+
+static void steal_tg_check(unsigned int flags)
+{
+}
+
+static struct xtables_target steal_tg_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "STEAL",
+	.family        = AF_INET,
+	.size          = XT_ALIGN(0),
+	.userspacesize = XT_ALIGN(0),
+	.help          = steal_tg_help,
+	.parse         = steal_tg_parse,
+	.final_check   = steal_tg_check,
+};
+
+static void _init(void)
+{
+	xtables_register_target(&steal_tg_reg);
+}

extensions/libxt_STEAL.man

@@ -0,0 +1,2 @@
+Like the DROP target, but does not throw an error like DROP when used in the
+\fBOUTPUT\fP chain.

extensions/libxt_TEE.c

@@ -50,12 +50,12 @@ static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 	switch (c) {
 	case 'g':
 		if (*flags & FLAG_GATEWAY)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 			           "Cannot specify --gw more than once");
 
-		ia = numeric_to_ipaddr(optarg);
+		ia = xtables_numeric_to_ipaddr(optarg);
 		if (ia == NULL)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 			           "Invalid IP address %s", optarg);
 
 		memcpy(&info->gw, ia, sizeof(*ia));
@@ -75,12 +75,12 @@ static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
 	switch (c) {
 	case 'g':
 		if (*flags & FLAG_GATEWAY)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 			           "Cannot specify --gw more than once");
 
-		ia = numeric_to_ip6addr(optarg);
+		ia = xtables_numeric_to_ip6addr(optarg);
 		if (ia == NULL)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 			           "Invalid IP address %s", optarg);
 
 		memcpy(&info->gw, ia, sizeof(*ia));
@@ -94,7 +94,7 @@ static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
 static void tee_tg_check(unsigned int flags)
 {
 	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM, "TEE target: "
+		xtables_error(PARAMETER_PROBLEM, "TEE target: "
 		           "--gateway parameter required");
 }
 
@@ -104,9 +104,9 @@ static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
 	const struct xt_tee_tginfo *info = (const void *)target->data;
 
 	if (numeric)
-		printf("TEE gw:%s ", ipaddr_to_numeric(&info->gw.in));
+		printf("TEE gw:%s ", xtables_ipaddr_to_numeric(&info->gw.in));
 	else
-		printf("TEE gw:%s ", ipaddr_to_anyname(&info->gw.in));
+		printf("TEE gw:%s ", xtables_ipaddr_to_anyname(&info->gw.in));
 }
 
 static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
@@ -115,23 +115,23 @@ static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
 	const struct xt_tee_tginfo *info = (const void *)target->data;
 
 	if (numeric)
-		printf("TEE gw:%s ", ip6addr_to_numeric(&info->gw.in6));
+		printf("TEE gw:%s ", xtables_ip6addr_to_numeric(&info->gw.in6));
 	else
-		printf("TEE gw:%s ", ip6addr_to_anyname(&info->gw.in6));
+		printf("TEE gw:%s ", xtables_ip6addr_to_anyname(&info->gw.in6));
 }
 
 static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
 {
 	const struct xt_tee_tginfo *info = (const void *)target->data;
 
-	printf("--gateway %s ", ipaddr_to_numeric(&info->gw.in));
+	printf("--gateway %s ", xtables_ipaddr_to_numeric(&info->gw.in));
 }
 
 static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
 {
 	const struct xt_tee_tginfo *info = (const void *)target->data;
 
-	printf("--gateway %s ", ip6addr_to_numeric(&info->gw.in6));
+	printf("--gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
 }
 
 static struct xtables_target tee_tg_reg = {

extensions/libxt_condition.c

@@ -37,13 +37,13 @@ static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	if (c == 'X') {
 		if (*flags)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				   "Can't specify multiple conditions");
 
 		if (strlen(optarg) < sizeof(info->name))
 			strcpy(info->name, optarg);
 		else
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				   "File name too long");
 
 		info->invert = invert;
@@ -57,7 +57,7 @@ static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
 static void condition_check(unsigned int flags)
 {
 	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			   "Condition match: must specify --condition");
 }
 

extensions/libxt_dhcpaddr.man

@@ -1,4 +0,0 @@
-.TP
-\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
-Matches the DHCP Client Host address in a DHCP message. \fImask\fP specifies
-the prefix length of the initial portion to match.

extensions/libxt_dhcpmac.c

@@ -1,5 +1,5 @@
 /*
- *	"dhcpaddr" match extension for iptables
+ *	"dhcpmac" match extension for iptables
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	This program is free software; you can redistribute it and/or
@@ -14,37 +14,37 @@
 #include <netdb.h>
 #include <net/ethernet.h>
 #include <xtables.h>
-#include "xt_DHCPADDR.h"
+#include "xt_DHCPMAC.h"
 #include "mac.c"
 
 enum {
 	F_MAC = 1 << 0,
 };
 
-static const struct option dhcpaddr_mt_opts[] = {
+static const struct option dhcpmac_mt_opts[] = {
 	{.name = "mac", .has_arg = true, .val = 'M'},
 	{NULL},
 };
 
-static void dhcpaddr_mt_help(void)
+static void dhcpmac_mt_help(void)
 {
 	printf(
-"dhcpaddr match options:\n"
+"dhcpmac match options:\n"
 "[!] --mac lladdr[/mask]    Match on MAC address in DHCP Client Host field\n"
 	);
 }
 
-static int dhcpaddr_mt_parse(int c, char **argv, int invert,
+static int dhcpmac_mt_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_match **match)
 {
-	struct dhcpaddr_info *info = (void *)(*match)->data;
+	struct dhcpmac_info *info = (void *)(*match)->data;
 
 	switch (c) {
 	case 'M':
-		param_act(P_ONLY_ONCE, "dhcpaddr", "--mac", *flags & F_MAC);
+		xtables_param_act(XTF_ONLY_ONCE, "dhcpmac", "--mac", *flags & F_MAC);
-		param_act(P_NO_INVERT, "dhcpaddr", "--mac", invert);
+		xtables_param_act(XTF_NO_INVERT, "dhcpmac", "--mac", invert);
 		if (!mac_parse(optarg, info->addr, &info->mask))
-			param_act(P_BAD_VALUE, "dhcpaddr", "--mac", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "dhcpmac", "--mac", optarg);
 		if (invert)
 			info->invert = true;
 		*flags |= F_MAC;
@@ -54,26 +54,26 @@ static int dhcpaddr_mt_parse(int c, char **argv, int invert,
 	return false;
 }
 
-static void dhcpaddr_mt_check(unsigned int flags)
+static void dhcpmac_mt_check(unsigned int flags)
 {
 	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM, "dhcpaddr match: "
+		xtables_error(PARAMETER_PROBLEM, "dhcpmac match: "
 		           "--mac parameter required");
 }
 
-static void dhcpaddr_mt_print(const void *ip,
+static void dhcpmac_mt_print(const void *ip,
     const struct xt_entry_match *match, int numeric)
 {
-	const struct dhcpaddr_info *info = (void *)match->data;
+	const struct dhcpmac_info *info = (void *)match->data;
 
-	printf("dhcpaddr %s" DH_MAC_FMT "/%u ",
+	printf("dhcpmac %s" DH_MAC_FMT "/%u ",
 	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
 }
 
-static void dhcpaddr_mt_save(const void *ip,
+static void dhcpmac_mt_save(const void *ip,
     const struct xt_entry_match *match)
 {
-	const struct dhcpaddr_info *info = (void *)match->data;
+	const struct dhcpmac_info *info = (void *)match->data;
 
 	if (info->invert)
 		printf("! ");
@@ -81,22 +81,22 @@ static void dhcpaddr_mt_save(const void *ip,
 	       DH_MAC_HEX(info->addr), info->mask);
 }
 
-static struct xtables_match dhcpaddr_mt_reg = {
+static struct xtables_match dhcpmac_mt_reg = {
 	.version       = XTABLES_VERSION,
-	.name          = "dhcpaddr",
+	.name          = "dhcpmac",
 	.revision      = 0,
 	.family        = PF_INET,
-	.size          = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
-	.help          = dhcpaddr_mt_help,
+	.help          = dhcpmac_mt_help,
-	.parse         = dhcpaddr_mt_parse,
+	.parse         = dhcpmac_mt_parse,
-	.final_check   = dhcpaddr_mt_check,
+	.final_check   = dhcpmac_mt_check,
-	.print         = dhcpaddr_mt_print,
+	.print         = dhcpmac_mt_print,
-	.save          = dhcpaddr_mt_save,
+	.save          = dhcpmac_mt_save,
-	.extra_opts    = dhcpaddr_mt_opts,
+	.extra_opts    = dhcpmac_mt_opts,
 };
 
-static __attribute__((constructor)) void dhcpaddr_mt_ldr(void)
+static __attribute__((constructor)) void dhcpmac_mt_ldr(void)
 {
-	xtables_register_match(&dhcpaddr_mt_reg);
+	xtables_register_match(&dhcpmac_mt_reg);
 }

extensions/libxt_dhcpmac.man

@@ -0,0 +1,4 @@
+.TP
+\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
+Matches the DHCP "Client Host" address (a MAC address) in a DHCP message.
+\fImask\fP specifies the prefix length of the initial portion to match.

extensions/libxt_fuzzy.c

@@ -9,6 +9,7 @@
  */
 #include <getopt.h>
 #include <netdb.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -54,22 +55,22 @@ static int fuzzy_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 	switch (c) {
 	case '1':
 		if (invert)
-			exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
+			xtables_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
 		if (*flags & IPT_FUZZY_OPT_MINIMUM)
-			exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
+			xtables_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
-		if (string_to_number(optarg,1,FUZZY_MAX_RATE,&num) == -1 || num < 1)
+		if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) == -1 || num < 1)
-			exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
+			xtables_error(PARAMETER_PROBLEM,"BAD --lower-limit");
 		info->minimum_rate = num;
 		*flags |= IPT_FUZZY_OPT_MINIMUM;
 		return true;
 
 	case '2':
 		if (invert)
-			exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
+			xtables_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
 		if (*flags & IPT_FUZZY_OPT_MAXIMUM)
-			exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
+			xtables_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
-		if (string_to_number(optarg,1,FUZZY_MAX_RATE,&num) == -1 || num < 1)
+		if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) == -1 || num < 1)
-			exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
+			xtables_error(PARAMETER_PROBLEM,"BAD --upper-limit");
 		info->maximum_rate = num;
 		*flags |= IPT_FUZZY_OPT_MAXIMUM;
 		return true;
@@ -102,7 +103,7 @@ static struct xtables_match fuzzy_mt_reg = {
 	.name          = "fuzzy",
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+	.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
 	.help          = fuzzy_mt_help,
 	.init          = fuzzy_mt_init,
 	.parse         = fuzzy_mt_parse,

extensions/libxt_geoip.c

@@ -64,16 +64,16 @@ static struct geoip_subnet *geoip_get_subnets(const char *code, uint32_t *count)
 
 	if ((fd = open(buf, O_RDONLY)) < 0) {
 		fprintf(stderr, "Could not open %s: %s\n", buf, strerror(errno));
-		exit_error(OTHER_PROBLEM, "Could not read geoip database");
+		xtables_error(OTHER_PROBLEM, "Could not read geoip database");
 	}
 
 	fstat(fd, &sb);
 	if (sb.st_size % sizeof(struct geoip_subnet) != 0)
-		exit_error(OTHER_PROBLEM, "Database file %s seems to be "
+		xtables_error(OTHER_PROBLEM, "Database file %s seems to be "
 		           "corrupted", buf);
 	subnets = malloc(sb.st_size);
 	if (subnets == NULL)
-		exit_error(OTHER_PROBLEM, "geoip: insufficient memory");
+		xtables_error(OTHER_PROBLEM, "geoip: insufficient memory");
 	read(fd, subnets, sb.st_size);
 	close(fd);
 	*count = sb.st_size / sizeof(struct geoip_subnet);
@@ -103,7 +103,7 @@ check_geoip_cc(char *cc, u_int16_t cc_used[], u_int8_t count)
 
 	if (strlen(cc) != 2) /* Country must be 2 chars long according
 													 to the ISO3166 standard */
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"geoip: invalid country code '%s'", cc);
 
 	// Verification will fail if chars aren't uppercased.
@@ -112,7 +112,7 @@ check_geoip_cc(char *cc, u_int16_t cc_used[], u_int8_t count)
 		if (isalnum(cc[i]) != 0)
 			cc[i] = toupper(cc[i]);
 		else
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"geoip:  invalid country code '%s'", cc);
 
 	/* Convert chars into a single 16 bit integer.
@@ -140,7 +140,7 @@ static unsigned int parse_geoip_cc(const char *ccstr, uint16_t *cc,
 
 	buffer = strdup(ccstr);
 	if (!buffer)
-		exit_error(OTHER_PROBLEM,
+		xtables_error(OTHER_PROBLEM,
 			"geoip: insufficient memory available");
 
 	for (cp = buffer, i = 0; cp && i < XT_GEOIP_MAX; cp = next, i++)
@@ -150,19 +150,19 @@ static unsigned int parse_geoip_cc(const char *ccstr, uint16_t *cc,
 
 		if ((cctmp = check_geoip_cc(cp, cc, count)) != 0) {
 			if ((mem[count++].user = (unsigned long)geoip_load_cc(cp, cctmp)) == 0)
-				exit_error(OTHER_PROBLEM,
+				xtables_error(OTHER_PROBLEM,
 					"geoip: insufficient memory available");
 			cc[count-1] = cctmp;
 		}
 	}
 
 	if (cp)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"geoip: too many countries specified");
 	free(buffer);
 
 	if (count == 0)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"geoip: don't know what happened");
 
 	return count;
@@ -176,7 +176,7 @@ static int geoip_parse(int c, char **argv, int invert, unsigned int *flags,
 	switch (c) {
 	case '1':
 		if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST))
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"geoip: Only exactly one of --source-country "
 				"or --destination-country must be specified!");
 
@@ -190,7 +190,7 @@ static int geoip_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	case '2':
 		if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST))
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"geoip: Only exactly one of --source-country "
 				"or --destination-country must be specified!");
 
@@ -210,7 +210,7 @@ static void
 geoip_final_check(unsigned int flags)
 {
 	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"geoip: missing arguments");
 }
 
@@ -263,7 +263,7 @@ static struct xtables_match geoip_match = {
 	 .name          = "geoip",
 	 .version       = XTABLES_VERSION,
 	 .size          = XT_ALIGN(sizeof(struct xt_geoip_match_info)),
-	 .userspacesize = XT_ALIGN(offsetof(struct xt_geoip_match_info, mem)),
+	 .userspacesize = offsetof(struct xt_geoip_match_info, mem),
 	 .help          = geoip_help,
 	 .parse	        = geoip_parse,
 	 .final_check   = geoip_final_check,

extensions/libxt_ipp2p.c

@@ -63,109 +63,109 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	switch (c) {
 	case '2':		/*cmd: edk*/
-		param_act(P_ONLY_ONCE, "--edk", *flags & IPP2P_EDK);
+		xtables_param_act(XTF_ONLY_ONCE, "--edk", *flags & IPP2P_EDK);
-		param_act(P_NO_INVERT, "--edk", invert);
+		xtables_param_act(XTF_NO_INVERT, "--edk", invert);
 		if (*flags & IPP2P_DATA_EDK)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"ipp2p: use `--edk' OR `--edk-data' but not both of them!");
 		*flags    |= IPP2P_EDK;
 		info->cmd |= IPP2P_EDK;
 		break;
 
 	case '7':		/*cmd: dc*/
-		param_act(P_ONLY_ONCE, "--dc", *flags & IPP2P_DC);
+		xtables_param_act(XTF_ONLY_ONCE, "--dc", *flags & IPP2P_DC);
-		param_act(P_NO_INVERT, "--dc", invert);
+		xtables_param_act(XTF_NO_INVERT, "--dc", invert);
 		if (*flags & IPP2P_DATA_DC)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"ipp2p: use `--dc' OR `--dc-data' but not both of them!");
 		*flags    |= IPP2P_DC;
 		info->cmd |= IPP2P_DC;
 		break;
 
 	case '9':		/*cmd: gnu*/
-		param_act(P_ONLY_ONCE, "--gnu", *flags & IPP2P_GNU);
+		xtables_param_act(XTF_ONLY_ONCE, "--gnu", *flags & IPP2P_GNU);
-		param_act(P_NO_INVERT, "--gnu", invert);
+		xtables_param_act(XTF_NO_INVERT, "--gnu", invert);
 		if (*flags & IPP2P_DATA_GNU)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"ipp2p: use `--gnu' OR `--gnu-data' but not both of them!");
 		*flags    |= IPP2P_GNU;
 		info->cmd |= IPP2P_GNU;
 		break;
 
 	case 'a':		/*cmd: kazaa*/
-		param_act(P_ONLY_ONCE, "--kazaa", *flags & IPP2P_KAZAA);
+		xtables_param_act(XTF_ONLY_ONCE, "--kazaa", *flags & IPP2P_KAZAA);
-		param_act(P_NO_INVERT, "--kazaa", invert);
+		xtables_param_act(XTF_NO_INVERT, "--kazaa", invert);
 		if (*flags & IPP2P_DATA_KAZAA)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!");
 		*flags    |= IPP2P_KAZAA;
 		info->cmd |= IPP2P_KAZAA;
 		break;
 
 	case 'b':		/*cmd: bit*/
-		param_act(P_ONLY_ONCE, "--kazaa", *flags & IPP2P_BIT);
+		xtables_param_act(XTF_ONLY_ONCE, "--kazaa", *flags & IPP2P_BIT);
-		param_act(P_NO_INVERT, "--kazaa", invert);
+		xtables_param_act(XTF_NO_INVERT, "--kazaa", invert);
 		*flags    |= IPP2P_BIT;
 		info->cmd |= IPP2P_BIT;
 		break;
 
 	case 'c':		/*cmd: apple*/
-		param_act(P_ONLY_ONCE, "--apple", *flags & IPP2P_APPLE);
+		xtables_param_act(XTF_ONLY_ONCE, "--apple", *flags & IPP2P_APPLE);
-		param_act(P_NO_INVERT, "--apple", invert);
+		xtables_param_act(XTF_NO_INVERT, "--apple", invert);
 		*flags    |= IPP2P_APPLE;
 		info->cmd |= IPP2P_APPLE;
 		break;
 
 	case 'd':		/*cmd: soul*/
-		param_act(P_ONLY_ONCE, "--soul", *flags & IPP2P_SOUL);
+		xtables_param_act(XTF_ONLY_ONCE, "--soul", *flags & IPP2P_SOUL);
-		param_act(P_NO_INVERT, "--soul", invert);
+		xtables_param_act(XTF_NO_INVERT, "--soul", invert);
 		*flags    |= IPP2P_SOUL;
 		info->cmd |= IPP2P_SOUL;
 		break;
 
 	case 'e':		/*cmd: winmx*/
-		param_act(P_ONLY_ONCE, "--winmx", *flags & IPP2P_WINMX);
+		xtables_param_act(XTF_ONLY_ONCE, "--winmx", *flags & IPP2P_WINMX);
-		param_act(P_NO_INVERT, "--winmx", invert);
+		xtables_param_act(XTF_NO_INVERT, "--winmx", invert);
 		*flags    |= IPP2P_WINMX;
 		info->cmd |= IPP2P_WINMX;
 		break;
 
 	case 'f':		/*cmd: ares*/
-		param_act(P_ONLY_ONCE, "--ares", *flags & IPP2P_ARES);
+		xtables_param_act(XTF_ONLY_ONCE, "--ares", *flags & IPP2P_ARES);
-		param_act(P_NO_INVERT, "--ares", invert);
+		xtables_param_act(XTF_NO_INVERT, "--ares", invert);
 		*flags    |= IPP2P_ARES;
 		info->cmd |= IPP2P_ARES;
 		break;
 
 	case 'g':		/*cmd: mute*/
-		param_act(P_ONLY_ONCE, "--mute", *flags & IPP2P_MUTE);
+		xtables_param_act(XTF_ONLY_ONCE, "--mute", *flags & IPP2P_MUTE);
-		param_act(P_NO_INVERT, "--mute", invert);
+		xtables_param_act(XTF_NO_INVERT, "--mute", invert);
 		*flags    |= IPP2P_MUTE;
 		info->cmd |= IPP2P_MUTE;
 		break;
 
 	case 'h':		/*cmd: waste*/
-		param_act(P_ONLY_ONCE, "--waste", *flags & IPP2P_WASTE);
+		xtables_param_act(XTF_ONLY_ONCE, "--waste", *flags & IPP2P_WASTE);
-		param_act(P_NO_INVERT, "--waste", invert);
+		xtables_param_act(XTF_NO_INVERT, "--waste", invert);
 		*flags    |= IPP2P_WASTE;
 		info->cmd |= IPP2P_WASTE;
 		break;
 
 	case 'i':		/*cmd: xdcc*/
-		param_act(P_ONLY_ONCE, "--xdcc", *flags & IPP2P_XDCC);
+		xtables_param_act(XTF_ONLY_ONCE, "--xdcc", *flags & IPP2P_XDCC);
-		param_act(P_NO_INVERT, "--xdcc", invert);
+		xtables_param_act(XTF_NO_INVERT, "--xdcc", invert);
 		*flags    |= IPP2P_XDCC;
 		info->cmd |= IPP2P_XDCC;
 		break;
 
 	case 'j':		/*cmd: debug*/
-		param_act(P_ONLY_ONCE, "--debug", info->debug);
+		xtables_param_act(XTF_ONLY_ONCE, "--debug", info->debug);
-		param_act(P_NO_INVERT, "--debug", invert);
+		xtables_param_act(XTF_NO_INVERT, "--debug", invert);
 		info->debug = 1;
 		break;
 
 	default:
-//		exit_error(PARAMETER_PROBLEM,
+//		xtables_error(PARAMETER_PROBLEM,
 //		"\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
 		return 0;
 	}
@@ -175,7 +175,7 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 static void ipp2p_mt_check(unsigned int flags)
 {
 	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
 }
 

extensions/libxt_ipv4options.c

@@ -0,0 +1,177 @@
+/*
+ *	"ipv4options" match extension for iptables
+ *	Coprygith © Jan Engelhardt, 2009
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include "xt_ipv4options.h"
+
+/*
+ * Overview from http://www.networksorcery.com/enp/protocol/ip.htm
+ * Not providing strings for options that seem to be most distant in the past.
+ */
+static const char *const v4opt_names[32] = {
+	[ 1] = "nop",
+	[ 2] = "security",     /* RFC 1108 */
+	[ 3] = "lsrr",         /* RFC 791 */
+	[ 4] = "timestamp",    /* RFC 781, 791 */
+	[ 7] = "record-route", /* RFC 791 */
+	[ 9] = "ssrr",         /* RFC 791 */
+	[11] = "mtu-probe",    /* RFC 1063 */
+	[12] = "mtu-reply",    /* RFC 1063 */
+	[18] = "traceroute",   /* RFC 1393 */
+	[20] = "router-alert", /* RFC 2113 */
+};
+
+static void ipv4options_mt_help(void)
+{
+	printf(
+"ipv4options match options:\n"
+"--flags [!]symbol[,...]    Match presence/absence (!) of option\n"
+"                           (either by name or number)\n"
+"--any                      Interpret --flags as OR-combined\n\n");
+}
+
+static const struct option ipv4options_mt_opts[] = {
+	{.name = "flags", .has_arg = true,  .val = 'f'},
+	{.name = "any",   .has_arg = false, .val = 'a'},
+	{NULL},
+};
+
+static void ipv4options_parse_flagspec(struct xt_ipv4options_mtinfo1 *info,
+    char *arg)
+{
+	unsigned int i, opt;
+	bool inv;
+	char *p;
+
+	while (true) {
+		p = strchr(arg, ',');
+		if (p != NULL)
+			*p = '\0';
+
+		inv = false;
+		opt = 0;
+		if (*arg == '!') {
+			inv = true;
+			++arg;
+		}
+
+		for (i = 1; i < 32;++i)
+			if (v4opt_names[i] != NULL &&
+			    strcmp(v4opt_names[i], arg) == 0) {
+				opt = i;
+				break;
+			}
+
+		if (opt == 0 &&
+		    !xtables_strtoui(arg, NULL, &opt, 0, UINT8_MAX))
+			xtables_error(PARAMETER_PROBLEM,
+				"ipv4options: Bad option value \"%s\"", arg);
+
+		if (opt == 0)
+			xtables_error(PARAMETER_PROBLEM,
+				"ipv4options: Option value may not be zero");
+
+		info->map |= (1 << opt);
+		if (inv)
+			info->invert |= (1 << opt);
+		if (p == NULL)
+			break;
+		arg = p + 1;
+	}
+}
+
+static int ipv4options_mt_parse(int c, char **argv, int invert,
+    unsigned int *flags, const void *entry, struct xt_entry_match **match)
+{
+	struct xt_ipv4options_mtinfo1 *info = (void *)(*match)->data;
+
+	switch (c) {
+	case 'a': /* --any */
+		xtables_param_act(XTF_NO_INVERT, "ipv4options", "--any", invert);
+		info->flags |= XT_V4OPTS_ANY;
+		return true;
+	case 'f': /* --flags */
+		xtables_param_act(XTF_NO_INVERT, "ipv4options", "--flags", invert);
+		ipv4options_parse_flagspec(info, optarg);
+		return true;
+	}
+
+	return false;
+}
+
+/* no checking of *flags - no IPv4 options is also valid */
+
+static void ipv4options_print_flags(const struct xt_ipv4options_mtinfo1 *info,
+    bool numeric)
+{
+	uint32_t tmp = info->map;
+	unsigned int i;
+
+	for (i = 1; i < 32; ++i)
+		if (tmp & (1 << i)) {
+			if (info->invert & (1 << i))
+				printf("!");
+			if (!numeric && v4opt_names[i] != NULL)
+				printf("%s", v4opt_names[i]);
+			else
+				printf("%u", i);
+			tmp &= ~(1 << i);
+			if (tmp)
+				printf(",");
+		}
+}
+
+static void ipv4options_mt_print(const void *ip,
+    const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_ipv4options_mtinfo1 *info = (void *)match->data;
+
+	printf("ipv4options %s ",
+	       (info->flags & XT_V4OPTS_ANY) ? "any-of" : "all-of");
+	ipv4options_print_flags(info, numeric);
+	printf(" ");
+}
+
+static void ipv4options_mt_save(const void *ip,
+    const struct xt_entry_match *match)
+{
+	const struct xt_ipv4options_mtinfo1 *info = (void *)match->data;
+
+	if (info->map != 0) {
+		printf("--flags ");
+		ipv4options_print_flags(info, true);
+	}
+	if (info->flags & XT_V4OPTS_ANY)
+		printf(" --any");
+	printf(" ");
+}
+
+static struct xtables_match ipv4options_mt_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "ipv4options",
+	.revision      = 1,
+	.family        = PF_INET,
+	.size          = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.help          = ipv4options_mt_help,
+	.parse         = ipv4options_mt_parse,
+	.print         = ipv4options_mt_print,
+	.save          = ipv4options_mt_save,
+	.extra_opts    = ipv4options_mt_opts,
+};
+
+static __attribute__((constructor)) void ipv4options_mt_ldr(void)
+{
+	xtables_register_match(&ipv4options_mt_reg);
+}

extensions/libxt_ipv4options.man

@@ -0,0 +1,47 @@
+The "ipv4options" module allows to match against a set of IPv4 header options.
+.TP
+\fB\-\-flags\fP [\fB!\fP]\fIsymbol\fP[\fB,\fP[\fB!\fP]\fIsymbol...\fP]
+Specify the options that shall appear or not appear in the header. Each
+symbol specification is delimited by a comma, and a '!' can be prefixed to
+a symbol to negate its presence. Symbols are either the name of an IPv4 option
+or its number. See examples below.
+.TP
+\fB\-\-any\fP
+By default, all of the flags specified must be present/absent, that is, they
+form an AND condition. Use the \-\-any flag instead to use an OR condition
+where only at least one symbol spec must be true.
+.PP
+Known symbol names (and their number):
+.PP
+1 - \fBnop\fP
+.PP
+2 - \fBsecurity\fP - RFC 1108
+.PP
+3 - \fBlsrr\fP - Loose Source Routing, RFC 791
+.PP
+4 - \fBtimestamp\fP - RFC 781, 791
+.PP
+7 - \fBrecord\-route\fP - RFC 791
+.PP
+9 - \fBssrr\fP - Strict Source Routing, RFC 791
+.PP
+11 - \fBmtu\-probe\fP - RFC 1063
+.PP
+12 - \fBmtu\-reply\fP - RFC 1063
+.PP
+18 - \fBtraceroute\fP - RFC 1393
+.PP
+20 - \fBrouter-alert\fP - RFC 2113
+.PP
+Examples:
+.PP
+Match packets that have both Timestamp and NOP:
+\-m ipv4options \-\-flags nop,timestamp
+.PP
+~ that have either of Timestamp or NOP, or both:
+\-\-flags nop,timestamp \-\-any
+.PP
+~ that have Timestamp and no NOP: \-\-flags '!nop,timestamp'
+.PP
+~ that have either no NOP or a timestamp (or both conditions):
+\-\-flags '!nop,timestamp' \-\-any

extensions/libxt_length2.c

@@ -52,42 +52,42 @@ static int length_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	switch (c) {
 	case '3': /* --layer3 */
-		param_act(P_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
 		info->flags &= ~XT_LENGTH_LAYER_MASK;
 		info->flags |= XT_LENGTH_LAYER3;
 		*flags |= F_LAYER;
 		return true;
 	case '4': /* --layer4 */
-		param_act(P_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
 		info->flags &= ~XT_LENGTH_LAYER_MASK;
 		info->flags |= XT_LENGTH_LAYER4;
 		*flags |= F_LAYER;
 		return true;
 	case '5': /* --layer5 */
-		param_act(P_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
 		info->flags &= ~XT_LENGTH_LAYER_MASK;
 		info->flags |= XT_LENGTH_LAYER5;
 		*flags |= F_LAYER;
 		return true;
 	case '7': /* --layer7 */
-		param_act(P_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
 		info->flags &= ~XT_LENGTH_LAYER_MASK;
 		info->flags |= XT_LENGTH_LAYER7;
 		*flags |= F_LAYER;
 		return true;
 	case '=': /* --length */
-		param_act(P_ONLY_ONCE, "length", "--length", *flags & F_LENGTH);
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--length", *flags & F_LENGTH);
 		if (invert)
 			info->flags |= XT_LENGTH_INVERT;
-		if (!strtonum(optarg, &end, &from, 0, ~0U))
+		if (!xtables_strtoui(optarg, &end, &from, 0, ~0U))
-			param_act(P_BAD_VALUE, "length", "--length", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "length", "--length", optarg);
 		to = from;
 		if (*end == ':')
-			if (!strtonum(end + 1, &end, &to, 0, ~0U))
+			if (!xtables_strtoui(end + 1, &end, &to, 0, ~0U))
-				param_act(P_BAD_VALUE, "length",
+				xtables_param_act(XTF_BAD_VALUE, "length",
 				          "--length", optarg);
 		if (*end != '\0')
-			param_act(P_BAD_VALUE, "length", "--length", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "length", "--length", optarg);
 		info->min = from;
 		info->max = to;
 		*flags |= F_LENGTH;
@@ -99,7 +99,7 @@ static int length_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 static void length_mt_check(unsigned int flags)
 {
 	if (!(flags & F_LENGTH))
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 		           "length: You must specify \"--length\"");
 	if (!(flags & F_LAYER))
 		fprintf(stderr, "iptables: length match: Defaulting to "

extensions/libxt_quota2.c

@@ -51,31 +51,31 @@ quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	switch (c) {
 	case 'g':
-		param_act(P_ONLY_ONCE, "quota", "--grow", *flags & FL_GROW);
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--grow", *flags & FL_GROW);
-		param_act(P_NO_INVERT, "quota", "--grow", invert);
+		xtables_param_act(XTF_NO_INVERT, "quota", "--grow", invert);
 		info->flags |= XT_QUOTA_GROW;
 		*flags |= FL_GROW;
 		return true;
 	case 'n':
 		/* zero termination done on behalf of the kernel module */
-		param_act(P_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
-		param_act(P_NO_INVERT, "quota", "--name", invert);
+		xtables_param_act(XTF_NO_INVERT, "quota", "--name", invert);
 		strncpy(info->name, optarg, sizeof(info->name));
 		*flags |= FL_NAME;
 		return true;
 	case 'p':
-		param_act(P_ONLY_ONCE, "quota", "--packets", *flags & FL_PACKET);
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--packets", *flags & FL_PACKET);
-		param_act(P_NO_INVERT, "quota", "--packets", invert);
+		xtables_param_act(XTF_NO_INVERT, "quota", "--packets", invert);
 		info->flags |= XT_QUOTA_PACKET;
 		*flags |= FL_PACKET;
 		return true;
 	case 'q':
-		param_act(P_ONLY_ONCE, "quota", "--quota", *flags & FL_QUOTA);
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--quota", *flags & FL_QUOTA);
 		if (invert)
 			info->flags |= XT_QUOTA_INVERT;
 		info->quota = strtoull(optarg, &end, 0);
 		if (*end != '\0')
-			exit_error(PARAMETER_PROBLEM, "quota match: "
+			xtables_error(PARAMETER_PROBLEM, "quota match: "
 			           "invalid value for --quota");
 		*flags |= FL_QUOTA;
 		return true;

extensions/mac.c

@@ -19,7 +19,7 @@ static bool mac_parse(const char *addr, unsigned char *dest, uint8_t *mask)
 
 	*mask = 48;
 	if (*end == '/') {
-		if (!strtonum(end + 1, &end, &value, 0, 48))
+		if (!xtables_strtoui(end + 1, &end, &value, 0, 48))
 			return false;
 		if (*end != '\0')
 			return false;

extensions/xt_CHAOS.c

@@ -234,7 +234,7 @@ static void __exit chaos_tg_exit(void)
 
 module_init(chaos_tg_init);
 module_exit(chaos_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
 MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_CHAOS");

extensions/xt_DELUDE.c

@@ -176,7 +176,7 @@ static void __exit delude_tg_exit(void)
 
 module_init(delude_tg_init);
 module_exit(delude_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
 MODULE_DESCRIPTION("Xtables: Close TCP connections after handshake");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_DELUDE");

extensions/xt_DHCPMAC.Kconfig

@@ -0,0 +1,8 @@
+config NETFILTER_XT_DHCPMAC
+	tristate '"DHCPMAC" DHCP address matching and manipulation support'
+	depends on NETFILTER_XTABLES
+	depends on IP_NF_MANGLE || IP6_NF_MANGLE
+	---help---
+	The DHCPMAC extensions allows to match and change the MAC address in
+	a DHCP packet, so as to work around VMware's "inability" to use MAC
+	addresses from a vendor different than VMware at boot time.

extensions/xt_DHCPMAC.c

@@ -1,5 +1,5 @@
 /*
- *	"DHCPADDR" extensions for Xtables
+ *	"DHCPMAC" extensions for Xtables
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	This program is free software; you can redistribute it and/or
@@ -14,7 +14,7 @@
 #include <linux/udp.h>
 #include <net/ip.h>
 #include <linux/netfilter/x_tables.h>
-#include "xt_DHCPADDR.h"
+#include "xt_DHCPMAC.h"
 #include "compat_xtables.h"
 
 struct dhcp_message {
@@ -69,9 +69,9 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
 }
 
 static bool
-dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-	const struct dhcpaddr_info *info = par->matchinfo;
+	const struct dhcpmac_info *info = par->matchinfo;
 	const struct dhcp_message *dh;
 	struct dhcp_message dhcpbuf;
 
@@ -89,9 +89,9 @@ dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 
 static unsigned int
-dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+dhcpmac_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 {
-	const struct dhcpaddr_info *info = par->targinfo;
+	const struct dhcpmac_info *info = par->targinfo;
 	struct dhcp_message dhcpbuf, *dh;
 	struct udphdr udpbuf, *udph;
 	struct sk_buff *skb = *pskb;
@@ -122,52 +122,52 @@ dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static struct xt_target dhcpaddr_tg_reg __read_mostly = {
+static struct xt_target dhcpmac_tg_reg __read_mostly = {
-	.name       = "DHCPADDR",
+	.name       = "DHCPMAC",
 	.revision   = 0,
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
 	.table      = "mangle",
-	.target     = dhcpaddr_tg,
+	.target     = dhcpmac_tg,
-	.targetsize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.targetsize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.me         = THIS_MODULE,
 };
 
-static struct xt_match dhcpaddr_mt_reg __read_mostly = {
+static struct xt_match dhcpmac_mt_reg __read_mostly = {
-	.name       = "dhcpaddr",
+	.name       = "dhcpmac",
 	.revision   = 0,
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
-	.match      = dhcpaddr_mt,
+	.match      = dhcpmac_mt,
-	.matchsize  = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.matchsize  = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.me         = THIS_MODULE,
 };
 
-static int __init dhcpaddr_init(void)
+static int __init dhcpmac_init(void)
 {
 	int ret;
 
-	ret = xt_register_target(&dhcpaddr_tg_reg);
+	ret = xt_register_target(&dhcpmac_tg_reg);
 	if (ret != 0)
 		return ret;
-	ret = xt_register_match(&dhcpaddr_mt_reg);
+	ret = xt_register_match(&dhcpmac_mt_reg);
 	if (ret != 0) {
-		xt_unregister_target(&dhcpaddr_tg_reg);
+		xt_unregister_target(&dhcpmac_tg_reg);
 		return ret;
 	}
 	return 0;
 }
 
-static void __exit dhcpaddr_exit(void)
+static void __exit dhcpmac_exit(void)
 {
-	xt_unregister_target(&dhcpaddr_tg_reg);
+	xt_unregister_target(&dhcpmac_tg_reg);
-	xt_unregister_match(&dhcpaddr_mt_reg);
+	xt_unregister_match(&dhcpmac_mt_reg);
 }
 
-module_init(dhcpaddr_init);
+module_init(dhcpmac_init);
-module_exit(dhcpaddr_exit);
+module_exit(dhcpmac_exit);
 MODULE_DESCRIPTION("Xtables: Clamp DHCP MAC to packet MAC addresses");
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_DHCPADDR");
+MODULE_ALIAS("ipt_DHCPMAC");
-MODULE_ALIAS("ipt_dhcpaddr");
+MODULE_ALIAS("ipt_dhcpmac");

extensions/xt_DHCPMAC.h

@@ -1,12 +1,12 @@
-#ifndef _LINUX_NETFILTER_XT_DHCPADDR_H
+#ifndef _LINUX_NETFILTER_XT_DHCPMAC_H
-#define _LINUX_NETFILTER_XT_DHCPADDR_H 1
+#define _LINUX_NETFILTER_XT_DHCPMAC_H 1
 
 #define DH_MAC_FMT "%02X:%02X:%02X:%02X:%02X:%02X"
 #define DH_MAC_HEX(z) z[0], z[1], z[2], z[3], z[4], z[5]
 
-struct dhcpaddr_info {
+struct dhcpmac_info {
 	unsigned char addr[ETH_ALEN];
 	uint8_t mask, invert;
 };
 
-#endif /* _LINUX_NETFILTER_XT_DHCPADDR_H */
+#endif /* _LINUX_NETFILTER_XT_DHCPMAC_H */

extensions/xt_LOGMARK.c

@@ -128,7 +128,7 @@ static void __exit logmark_tg_exit(void)
 module_init(logmark_tg_init);
 module_exit(logmark_tg_exit);
 MODULE_DESCRIPTION("Xtables: netfilter mark logging to syslog");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_LOGMARK");
 MODULE_ALIAS("ip6t_LOGMARK");

extensions/xt_STEAL.c

@@ -0,0 +1,66 @@
+/*
+ *	"STEAL" demo target extension for Xtables
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	placed in the Public Domain
+ */
+#include <linux/netfilter.h>
+#include <linux/skbuff.h>
+#include "compat_xtables.h"
+
+static unsigned int
+steal_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+{
+	kfree_skb(*pskb);
+	return NF_STOLEN;
+}
+
+static struct xt_target steal_tg_reg[] __read_mostly = {
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_UNSPEC,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_IPV6,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_ARP,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_BRIDGE,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+};
+
+static int __init steal_tg_init(void)
+{
+	return xt_register_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
+}
+
+static void __exit steal_tg_exit(void)
+{
+	xt_unregister_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
+}
+
+module_init(steal_tg_init);
+module_exit(steal_tg_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_STEAL");
+MODULE_ALIAS("ip6t_STEAL");
+MODULE_ALIAS("arpt_STEAL");
+MODULE_ALIAS("ebt_STEAL");

extensions/xt_SYSRQ.c

@@ -200,7 +200,10 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 		return NF_DROP;
 
 	iph = ip_hdr(skb);
-	udph = (void *)iph + ip_hdrlen(skb);
+	if (iph->protocol != IPPROTO_UDP)
+		return NF_ACCEPT; /* sink it */
+
+	udph = (const void *)iph + ip_hdrlen(skb);
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
 	if (sysrq_debug)
@@ -217,13 +220,19 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	struct sk_buff *skb = *pskb;
 	const struct ipv6hdr *iph;
 	const struct udphdr *udph;
+	unsigned short frag_off;
+	unsigned int th_off;
 	uint16_t len;
 
 	if (skb_linearize(skb) < 0)
 		return NF_DROP;
 
 	iph = ipv6_hdr(skb);
-	udph = udp_hdr(skb);
+	if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
+	    frag_off > 0)
+		return NF_ACCEPT; /* sink it */
+
+	udph = (const void *)iph + th_off;
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
 	if (sysrq_debug)

extensions/xt_TARPIT.c

@@ -245,7 +245,7 @@ static void __exit tarpit_tg_exit(void)
 
 module_init(tarpit_tg_init);
 module_exit(tarpit_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
 MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TARPIT");

extensions/xt_ipv4options.Kconfig

@@ -0,0 +1,6 @@
+config NETFILTER_XT_MATCH_IPV4OPTIONS
+	tristate '"ipv4options" IPv4 option match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	The ipv4options match can be used to check on the presence or absence
+	of one or move IPv4 options.

extensions/xt_ipv4options.c

@@ -0,0 +1,72 @@
+/*
+ *	xt_ipv4opts - Netfilter module to match IPv4 options
+ *	Copyright © Jan Engelhardt, 2009
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <linux/ip.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <net/ip.h>
+#include "xt_ipv4options.h"
+#include "compat_xtables.h"
+
+static uint32_t ipv4options_rd(const uint8_t *data, int len)
+{
+	uint32_t opts = 0;
+
+	while (len >= 2) {
+		opts |= 1 << (data[0] & 0x1F);
+		len  -= data[1];
+		data += data[1];
+	}
+
+	return opts;
+}
+
+static bool ipv4options_mt(const struct sk_buff *skb,
+    const struct xt_match_param *par)
+{
+	const struct xt_ipv4options_mtinfo1 *info = par->matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+	uint32_t opts = 0;
+	uint16_t len  = ip_hdrlen(skb) - sizeof(struct iphdr);
+
+	if (len > 0)
+		opts = ipv4options_rd((const void *)iph +
+		       sizeof(struct iphdr), len);
+
+	opts ^= info->invert;
+	opts &= info->map;
+	return (info->flags & XT_V4OPTS_ANY) ? opts : opts == info->map;
+}
+
+static struct xt_match ipv4options_mt_reg __read_mostly = {
+	.name      = "ipv4options",
+	.revision  = 1,
+	.family    = NFPROTO_IPV4,
+	.match     = ipv4options_mt,
+	.matchsize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.me        = THIS_MODULE,
+};
+
+static int __init ipv4options_mt_init(void)
+{
+	return xt_register_match(&ipv4options_mt_reg);
+}
+
+static void __exit ipv4options_mt_exit(void)
+{
+	xt_unregister_match(&ipv4options_mt_reg);
+}
+
+MODULE_DESCRIPTION("Xatblse: IPv4 option match");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_ipv4options");
+module_init(ipv4options_mt_init);
+module_exit(ipv4options_mt_exit);

extensions/xt_ipv4options.h

@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_IPV4OPTIONS_H
+#define _LINUX_NETFILTER_XT_IPV4OPTIONS_H 1
+
+/* IPv4 allows for a 5-bit option number - 32 options */
+
+/**
+ * %XT_V4OPTS_ALL:	all options in @map must be present (respecting @invert)
+ * %XT_V4OPTS_ANY:	any of the option in @map
+ */
+enum xt_ipv4options_flags {
+	XT_V4OPTS_ALL = 1 << 0,
+	XT_V4OPTS_ANY = 1 << 1,
+};
+
+/**
+ * @map:	bitmask of options that should appear
+ * @invert:	inversion map
+ * @flags:	see above
+ */
+struct xt_ipv4options_mtinfo1 {
+	__u32 map;
+	__u32 invert;
+	__u8 flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPV4OPTIONS_H */

extensions/xt_length2.Kconfig

@@ -0,0 +1,7 @@
+config NETFILTER_XT_MATCH_LENGTH2
+	tristate '"length2" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	This option adds the "length2" match which is an advanced form of
+	xt_length that allows unambiguous layer-4/-5/-7 length matching. It is
+	useful to detect empty packets or for aiding in packet scheduling.

extensions/xt_quota2.Kconfig

@@ -0,0 +1,8 @@
+config NETFILTER_XT_MATCH_QUOTA2
+	tristate '"quota2" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	This option adds the "quota2" match which is an advanced form of
+	xt_quota that also allows counting upwards, and where the counter can
+	be set through procfs. This allows for simple interfacing of
+	accounting information.

mconfig

@@ -2,10 +2,11 @@
 #
 build_CHAOS=m
 build_DELUDE=m
-build_DHCPADDR=m
+build_DHCPMAC=m
 build_ECHO=
 build_IPMARK=m
 build_LOGMARK=m
+build_STEAL=m
 build_SYSRQ=m
 build_TARPIT=m
 build_TEE=m
@@ -14,6 +15,7 @@ build_fuzzy=m
 build_geoip=m
 build_ipp2p=m
 build_ipset=m
+build_ipv4options=m
 build_length2=m
 build_lscan=m
 build_quota2=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables\-addons 8 "v1.12 (2009\-03\-07)" "" "v1.12 (2009\-03\-07)"
+.TH xtables\-addons 8 "v1.14 (2009\-03\-31)" "" "v1.14 (2009\-03\-31)"
 .SH Name
 Xtables\-addons - additional extensions for iptables, ip6tables, etc.
 .SH Targets