Xtables-addons 1.14

As per "Writing Netfilter Modules" e-book 20090326 section 4.8, one
should use pr_debug instead.

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.13])
+AC_INIT([xtables-addons], [1.14])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL

doc/changelog.txt

@@ -1,5 +1,16 @@
 
 
+Xtables-addons 1.14 (March 31 2009)
+===================================
+- fuzzy: need to account for kernel-level modified variables in .userspacesize
+- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
+- SYSRQ: ignore non-UDP packets
+- SYSRQ: do proper L4 header access in IPv6 code
+  (must not use tcp/udp_hdr in input path)
+- add "STEAL" target
+- dhcpmac: rename from dhcpaddr
+
+
 Xtables-addons 1.13 (March 23 2009)
 ===================================
 - added a reworked ipv4options match

extensions/Kbuild

@@ -7,11 +7,12 @@ obj-m                    += compat_xtables.o
 
 obj-${build_CHAOS}       += xt_CHAOS.o
 obj-${build_DELUDE}      += xt_DELUDE.o
-obj-${build_DHCPADDR}    += xt_DHCPADDR.o
+obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
 obj-${build_SYSRQ}       += xt_SYSRQ.o
+obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o
 obj-${build_TEE}         += xt_TEE.o
 obj-${build_condition}   += xt_condition.o

extensions/Mbuild

@@ -1,9 +1,10 @@
 obj-${build_CHAOS}       += libxt_CHAOS.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
-obj-${build_DHCPADDR}    += libxt_DHCPADDR.so libxt_dhcpaddr.so
+obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
+obj-${build_STEAL}       += libxt_STEAL.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
 obj-${build_TEE}         += libxt_TEE.so

extensions/compat_xtables.h

@@ -6,6 +6,8 @@
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
 
+#define DEBUGP Use__pr_debug__instead
+
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
 #	warning Kernels below 2.6.17 not supported.
 #endif

extensions/libxt_DHCPMAC.c

@@ -1,5 +1,5 @@
 /*
- *	"DHCPADDR" target extension for iptables
+ *	"DHCPMAC" target extension for iptables
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	This program is free software; you can redistribute it and/or
@@ -15,19 +15,19 @@
 #include <string.h>
 #include <netinet/ether.h>
 #include <xtables.h>
-#include "xt_DHCPADDR.h"
+#include "xt_DHCPMAC.h"
 #include "mac.c"
 
 enum {
 	F_MAC = 1 << 0,
 };
 
-static const struct option dhcpaddr_tg_opts[] = {
+static const struct option dhcpmac_tg_opts[] = {
 	{.name = "set-mac", .has_arg = true, .val = 'M'},
 	{NULL},
 };
 
-static void dhcpaddr_tg_help(void)
+static void dhcpmac_tg_help(void)
 {
 	printf(
 "DHCPADDDR target options:\n"
@@ -35,17 +35,17 @@ static void dhcpaddr_tg_help(void)
 	);
 }
 
-static int dhcpaddr_tg_parse(int c, char **argv, int invert,
+static int dhcpmac_tg_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_target **target)
 {
-	struct dhcpaddr_info *info = (void *)(*target)->data;
+	struct dhcpmac_info *info = (void *)(*target)->data;
 
 	switch (c) {
 	case 'M':
-		xtables_param_act(XTF_ONLY_ONCE, "DHCPADDR", "--set-mac", *flags & F_MAC);
-		xtables_param_act(XTF_NO_INVERT, "DHCPADDR", "--set-mac", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "DHCPMAC", "--set-mac", *flags & F_MAC);
+		xtables_param_act(XTF_NO_INVERT, "DHCPMAC", "--set-mac", invert);
 		if (!mac_parse(optarg, info->addr, &info->mask))
-			xtables_param_act(XTF_BAD_VALUE, "DHCPADDR", "--set-mac", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "DHCPMAC", "--set-mac", optarg);
 		*flags |= F_MAC;
 		return true;
 	}
@@ -53,26 +53,26 @@ static int dhcpaddr_tg_parse(int c, char **argv, int invert,
 	return false;
 }
 
-static void dhcpaddr_tg_check(unsigned int flags)
+static void dhcpmac_tg_check(unsigned int flags)
 {
 	if (flags == 0)
-		xtables_error(PARAMETER_PROBLEM, "DHCPADDR target: "
+		xtables_error(PARAMETER_PROBLEM, "DHCPMAC target: "
 		           "--set-mac parameter required");
 }
 
-static void dhcpaddr_tg_print(const void *ip,
+static void dhcpmac_tg_print(const void *ip,
     const struct xt_entry_target *target, int numeric)
 {
-	const struct dhcpaddr_info *info = (void *)target->data;
+	const struct dhcpmac_info *info = (void *)target->data;
 
-	printf("DHCPADDR %s" DH_MAC_FMT "/%u ",
+	printf("DHCPMAC %s" DH_MAC_FMT "/%u ",
 	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
 }
 
-static void dhcpaddr_tg_save(const void *ip,
+static void dhcpmac_tg_save(const void *ip,
     const struct xt_entry_target *target)
 {
-	const struct dhcpaddr_info *info = (const void *)target->data;
+	const struct dhcpmac_info *info = (const void *)target->data;
 
 	if (info->invert)
 		printf("! ");
@@ -80,22 +80,22 @@ static void dhcpaddr_tg_save(const void *ip,
 	       DH_MAC_HEX(info->addr), info->mask);
 }
 
-static struct xtables_target dhcpaddr_tg_reg = {
+static struct xtables_target dhcpmac_tg_reg = {
 	.version       = XTABLES_VERSION,
-	.name          = "DHCPADDR",
+	.name          = "DHCPMAC",
 	.revision      = 0,
 	.family        = PF_INET,
-	.size          = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.help          = dhcpaddr_tg_help,
-	.parse         = dhcpaddr_tg_parse,
-	.final_check   = dhcpaddr_tg_check,
-	.print         = dhcpaddr_tg_print,
-	.save          = dhcpaddr_tg_save,
-	.extra_opts    = dhcpaddr_tg_opts,
+	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.help          = dhcpmac_tg_help,
+	.parse         = dhcpmac_tg_parse,
+	.final_check   = dhcpmac_tg_check,
+	.print         = dhcpmac_tg_print,
+	.save          = dhcpmac_tg_save,
+	.extra_opts    = dhcpmac_tg_opts,
 };
 
-static __attribute__((constructor)) void dhcpaddr_tg_ldr(void)
+static __attribute__((constructor)) void dhcpmac_tg_ldr(void)
 {
-	xtables_register_target(&dhcpaddr_tg_reg);
+	xtables_register_target(&dhcpmac_tg_reg);
 }

extensions/libxt_DHCPMAC.man

@@ -1,4 +1,4 @@
-In conjunction with ebtables, DHCPADDR can be used to completely change all MAC
+In conjunction with ebtables, DHCPMAC can be used to completely change all MAC
 addresses from and to a VMware-based virtual machine. This is needed because
 VMware does not allow to set a non-VMware MAC address before an operating
 system is booted (and the MAC be changed with `ip link set eth0 address
@@ -13,11 +13,11 @@ EXAMPLE, replacing all addresses from one of VMware's assigned vendor IDs
 (00:50:56) addresses with something else:
 .PP
 iptables -t mangle -A FORWARD -p udp --dport 67 -m physdev --physdev-in vmnet1
--m dhcpaddr --mac 00:50:56:00:00:00/24 -j DHCPADDR --set-mac
+-m dhcpmac --mac 00:50:56:00:00:00/24 -j DHCPMAC --set-mac
 ab:cd:ef:00:00:00/24
 .PP
 iptables -t mangle -A FORWARD -p udp --dport 68 -m physdev --physdev-out vmnet1
--m dhcpaddr --mac ab:cd:ef:00:00:00/24 -j DHCPADDR --set-mac
+-m dhcpmac --mac ab:cd:ef:00:00:00/24 -j DHCPMAC --set-mac
 00:50:56:00:00:00/24
 .PP
 (This assumes there is a bridge interface that has vmnet1 as a port. You will

extensions/libxt_STEAL.c

@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <xtables.h>
+
+static void steal_tg_help(void)
+{
+	printf("STEAL takes no options\n\n");
+}
+
+static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+                          const void *entry, struct xt_entry_target **target)
+{
+	return 0;
+}
+
+static void steal_tg_check(unsigned int flags)
+{
+}
+
+static struct xtables_target steal_tg_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "STEAL",
+	.family        = AF_INET,
+	.size          = XT_ALIGN(0),
+	.userspacesize = XT_ALIGN(0),
+	.help          = steal_tg_help,
+	.parse         = steal_tg_parse,
+	.final_check   = steal_tg_check,
+};
+
+static void _init(void)
+{
+	xtables_register_target(&steal_tg_reg);
+}

extensions/libxt_STEAL.man

@@ -0,0 +1,2 @@
+Like the DROP target, but does not throw an error like DROP when used in the
+\fBOUTPUT\fP chain.

extensions/libxt_dhcpaddr.c

@@ -1,102 +0,0 @@
-/*
- *	"dhcpaddr" match extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <getopt.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-#include <net/ethernet.h>
-#include <xtables.h>
-#include "xt_DHCPADDR.h"
-#include "mac.c"
-
-enum {
-	F_MAC = 1 << 0,
-};
-
-static const struct option dhcpaddr_mt_opts[] = {
-	{.name = "mac", .has_arg = true, .val = 'M'},
-	{NULL},
-};
-
-static void dhcpaddr_mt_help(void)
-{
-	printf(
-"dhcpaddr match options:\n"
-"[!] --mac lladdr[/mask]    Match on MAC address in DHCP Client Host field\n"
-	);
-}
-
-static int dhcpaddr_mt_parse(int c, char **argv, int invert,
-    unsigned int *flags, const void *entry, struct xt_entry_match **match)
-{
-	struct dhcpaddr_info *info = (void *)(*match)->data;
-
-	switch (c) {
-	case 'M':
-		xtables_param_act(XTF_ONLY_ONCE, "dhcpaddr", "--mac", *flags & F_MAC);
-		xtables_param_act(XTF_NO_INVERT, "dhcpaddr", "--mac", invert);
-		if (!mac_parse(optarg, info->addr, &info->mask))
-			xtables_param_act(XTF_BAD_VALUE, "dhcpaddr", "--mac", optarg);
-		if (invert)
-			info->invert = true;
-		*flags |= F_MAC;
-		return true;
-	}
-
-	return false;
-}
-
-static void dhcpaddr_mt_check(unsigned int flags)
-{
-	if (flags == 0)
-		xtables_error(PARAMETER_PROBLEM, "dhcpaddr match: "
-		           "--mac parameter required");
-}
-
-static void dhcpaddr_mt_print(const void *ip,
-    const struct xt_entry_match *match, int numeric)
-{
-	const struct dhcpaddr_info *info = (void *)match->data;
-
-	printf("dhcpaddr %s" DH_MAC_FMT "/%u ",
-	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
-}
-
-static void dhcpaddr_mt_save(const void *ip,
-    const struct xt_entry_match *match)
-{
-	const struct dhcpaddr_info *info = (void *)match->data;
-
-	if (info->invert)
-		printf("! ");
-	printf("--mac " DH_MAC_FMT "/%u ",
-	       DH_MAC_HEX(info->addr), info->mask);
-}
-
-static struct xtables_match dhcpaddr_mt_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "dhcpaddr",
-	.revision      = 0,
-	.family        = PF_INET,
-	.size          = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.help          = dhcpaddr_mt_help,
-	.parse         = dhcpaddr_mt_parse,
-	.final_check   = dhcpaddr_mt_check,
-	.print         = dhcpaddr_mt_print,
-	.save          = dhcpaddr_mt_save,
-	.extra_opts    = dhcpaddr_mt_opts,
-};
-
-static __attribute__((constructor)) void dhcpaddr_mt_ldr(void)
-{
-	xtables_register_match(&dhcpaddr_mt_reg);
-}

extensions/libxt_dhcpaddr.man

@@ -1,4 +0,0 @@
-.TP
-\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
-Matches the DHCP Client Host address in a DHCP message. \fImask\fP specifies
-the prefix length of the initial portion to match.

extensions/libxt_dhcpmac.c

@@ -0,0 +1,102 @@
+/*
+ *	"dhcpmac" match extension for iptables
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+#include <net/ethernet.h>
+#include <xtables.h>
+#include "xt_DHCPMAC.h"
+#include "mac.c"
+
+enum {
+	F_MAC = 1 << 0,
+};
+
+static const struct option dhcpmac_mt_opts[] = {
+	{.name = "mac", .has_arg = true, .val = 'M'},
+	{NULL},
+};
+
+static void dhcpmac_mt_help(void)
+{
+	printf(
+"dhcpmac match options:\n"
+"[!] --mac lladdr[/mask]    Match on MAC address in DHCP Client Host field\n"
+	);
+}
+
+static int dhcpmac_mt_parse(int c, char **argv, int invert,
+    unsigned int *flags, const void *entry, struct xt_entry_match **match)
+{
+	struct dhcpmac_info *info = (void *)(*match)->data;
+
+	switch (c) {
+	case 'M':
+		xtables_param_act(XTF_ONLY_ONCE, "dhcpmac", "--mac", *flags & F_MAC);
+		xtables_param_act(XTF_NO_INVERT, "dhcpmac", "--mac", invert);
+		if (!mac_parse(optarg, info->addr, &info->mask))
+			xtables_param_act(XTF_BAD_VALUE, "dhcpmac", "--mac", optarg);
+		if (invert)
+			info->invert = true;
+		*flags |= F_MAC;
+		return true;
+	}
+
+	return false;
+}
+
+static void dhcpmac_mt_check(unsigned int flags)
+{
+	if (flags == 0)
+		xtables_error(PARAMETER_PROBLEM, "dhcpmac match: "
+		           "--mac parameter required");
+}
+
+static void dhcpmac_mt_print(const void *ip,
+    const struct xt_entry_match *match, int numeric)
+{
+	const struct dhcpmac_info *info = (void *)match->data;
+
+	printf("dhcpmac %s" DH_MAC_FMT "/%u ",
+	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
+}
+
+static void dhcpmac_mt_save(const void *ip,
+    const struct xt_entry_match *match)
+{
+	const struct dhcpmac_info *info = (void *)match->data;
+
+	if (info->invert)
+		printf("! ");
+	printf("--mac " DH_MAC_FMT "/%u ",
+	       DH_MAC_HEX(info->addr), info->mask);
+}
+
+static struct xtables_match dhcpmac_mt_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "dhcpmac",
+	.revision      = 0,
+	.family        = PF_INET,
+	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.help          = dhcpmac_mt_help,
+	.parse         = dhcpmac_mt_parse,
+	.final_check   = dhcpmac_mt_check,
+	.print         = dhcpmac_mt_print,
+	.save          = dhcpmac_mt_save,
+	.extra_opts    = dhcpmac_mt_opts,
+};
+
+static __attribute__((constructor)) void dhcpmac_mt_ldr(void)
+{
+	xtables_register_match(&dhcpmac_mt_reg);
+}

extensions/libxt_dhcpmac.man

@@ -0,0 +1,4 @@
+.TP
+\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
+Matches the DHCP "Client Host" address (a MAC address) in a DHCP message.
+\fImask\fP specifies the prefix length of the initial portion to match.

extensions/libxt_fuzzy.c

@@ -9,6 +9,7 @@
  */
 #include <getopt.h>
 #include <netdb.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -102,7 +103,7 @@ static struct xtables_match fuzzy_mt_reg = {
 	.name          = "fuzzy",
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+	.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
 	.help          = fuzzy_mt_help,
 	.init          = fuzzy_mt_init,
 	.parse         = fuzzy_mt_parse,

extensions/libxt_geoip.c

@@ -263,7 +263,7 @@ static struct xtables_match geoip_match = {
 	 .name          = "geoip",
 	 .version       = XTABLES_VERSION,
 	 .size          = XT_ALIGN(sizeof(struct xt_geoip_match_info)),
-	 .userspacesize = XT_ALIGN(offsetof(struct xt_geoip_match_info, mem)),
+	 .userspacesize = offsetof(struct xt_geoip_match_info, mem),
 	 .help          = geoip_help,
 	 .parse	        = geoip_parse,
 	 .final_check   = geoip_final_check,

extensions/xt_CHAOS.c

@@ -234,7 +234,7 @@ static void __exit chaos_tg_exit(void)
 
 module_init(chaos_tg_init);
 module_exit(chaos_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
 MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_CHAOS");

extensions/xt_DELUDE.c

@@ -176,7 +176,7 @@ static void __exit delude_tg_exit(void)
 
 module_init(delude_tg_init);
 module_exit(delude_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
 MODULE_DESCRIPTION("Xtables: Close TCP connections after handshake");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_DELUDE");

extensions/xt_DHCPMAC.Kconfig

@@ -0,0 +1,8 @@
+config NETFILTER_XT_DHCPMAC
+	tristate '"DHCPMAC" DHCP address matching and manipulation support'
+	depends on NETFILTER_XTABLES
+	depends on IP_NF_MANGLE || IP6_NF_MANGLE
+	---help---
+	The DHCPMAC extensions allows to match and change the MAC address in
+	a DHCP packet, so as to work around VMware's "inability" to use MAC
+	addresses from a vendor different than VMware at boot time.

extensions/xt_DHCPMAC.c

@@ -1,5 +1,5 @@
 /*
- *	"DHCPADDR" extensions for Xtables
+ *	"DHCPMAC" extensions for Xtables
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	This program is free software; you can redistribute it and/or
@@ -14,7 +14,7 @@
 #include <linux/udp.h>
 #include <net/ip.h>
 #include <linux/netfilter/x_tables.h>
-#include "xt_DHCPADDR.h"
+#include "xt_DHCPMAC.h"
 #include "compat_xtables.h"
 
 struct dhcp_message {
@@ -69,9 +69,9 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
 }
 
 static bool
-dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-	const struct dhcpaddr_info *info = par->matchinfo;
+	const struct dhcpmac_info *info = par->matchinfo;
 	const struct dhcp_message *dh;
 	struct dhcp_message dhcpbuf;
 
@@ -89,9 +89,9 @@ dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 
 static unsigned int
-dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+dhcpmac_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 {
-	const struct dhcpaddr_info *info = par->targinfo;
+	const struct dhcpmac_info *info = par->targinfo;
 	struct dhcp_message dhcpbuf, *dh;
 	struct udphdr udpbuf, *udph;
 	struct sk_buff *skb = *pskb;
@@ -122,52 +122,52 @@ dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static struct xt_target dhcpaddr_tg_reg __read_mostly = {
-	.name       = "DHCPADDR",
+static struct xt_target dhcpmac_tg_reg __read_mostly = {
+	.name       = "DHCPMAC",
 	.revision   = 0,
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
 	.table      = "mangle",
-	.target     = dhcpaddr_tg,
-	.targetsize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.target     = dhcpmac_tg,
+	.targetsize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.me         = THIS_MODULE,
 };
 
-static struct xt_match dhcpaddr_mt_reg __read_mostly = {
-	.name       = "dhcpaddr",
+static struct xt_match dhcpmac_mt_reg __read_mostly = {
+	.name       = "dhcpmac",
 	.revision   = 0,
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
-	.match      = dhcpaddr_mt,
-	.matchsize  = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.match      = dhcpmac_mt,
+	.matchsize  = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.me         = THIS_MODULE,
 };
 
-static int __init dhcpaddr_init(void)
+static int __init dhcpmac_init(void)
 {
 	int ret;
 
-	ret = xt_register_target(&dhcpaddr_tg_reg);
+	ret = xt_register_target(&dhcpmac_tg_reg);
 	if (ret != 0)
 		return ret;
-	ret = xt_register_match(&dhcpaddr_mt_reg);
+	ret = xt_register_match(&dhcpmac_mt_reg);
 	if (ret != 0) {
-		xt_unregister_target(&dhcpaddr_tg_reg);
+		xt_unregister_target(&dhcpmac_tg_reg);
 		return ret;
 	}
 	return 0;
 }
 
-static void __exit dhcpaddr_exit(void)
+static void __exit dhcpmac_exit(void)
 {
-	xt_unregister_target(&dhcpaddr_tg_reg);
-	xt_unregister_match(&dhcpaddr_mt_reg);
+	xt_unregister_target(&dhcpmac_tg_reg);
+	xt_unregister_match(&dhcpmac_mt_reg);
 }
 
-module_init(dhcpaddr_init);
-module_exit(dhcpaddr_exit);
+module_init(dhcpmac_init);
+module_exit(dhcpmac_exit);
 MODULE_DESCRIPTION("Xtables: Clamp DHCP MAC to packet MAC addresses");
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_DHCPADDR");
-MODULE_ALIAS("ipt_dhcpaddr");
+MODULE_ALIAS("ipt_DHCPMAC");
+MODULE_ALIAS("ipt_dhcpmac");

extensions/xt_DHCPMAC.h

@@ -1,12 +1,12 @@
-#ifndef _LINUX_NETFILTER_XT_DHCPADDR_H
-#define _LINUX_NETFILTER_XT_DHCPADDR_H 1
+#ifndef _LINUX_NETFILTER_XT_DHCPMAC_H
+#define _LINUX_NETFILTER_XT_DHCPMAC_H 1
 
 #define DH_MAC_FMT "%02X:%02X:%02X:%02X:%02X:%02X"
 #define DH_MAC_HEX(z) z[0], z[1], z[2], z[3], z[4], z[5]
 
-struct dhcpaddr_info {
+struct dhcpmac_info {
 	unsigned char addr[ETH_ALEN];
 	uint8_t mask, invert;
 };
 
-#endif /* _LINUX_NETFILTER_XT_DHCPADDR_H */
+#endif /* _LINUX_NETFILTER_XT_DHCPMAC_H */

extensions/xt_LOGMARK.c

@@ -128,7 +128,7 @@ static void __exit logmark_tg_exit(void)
 module_init(logmark_tg_init);
 module_exit(logmark_tg_exit);
 MODULE_DESCRIPTION("Xtables: netfilter mark logging to syslog");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_LOGMARK");
 MODULE_ALIAS("ip6t_LOGMARK");

extensions/xt_STEAL.c

@@ -0,0 +1,66 @@
+/*
+ *	"STEAL" demo target extension for Xtables
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	placed in the Public Domain
+ */
+#include <linux/netfilter.h>
+#include <linux/skbuff.h>
+#include "compat_xtables.h"
+
+static unsigned int
+steal_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+{
+	kfree_skb(*pskb);
+	return NF_STOLEN;
+}
+
+static struct xt_target steal_tg_reg[] __read_mostly = {
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_UNSPEC,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_IPV6,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_ARP,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_BRIDGE,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+};
+
+static int __init steal_tg_init(void)
+{
+	return xt_register_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
+}
+
+static void __exit steal_tg_exit(void)
+{
+	xt_unregister_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
+}
+
+module_init(steal_tg_init);
+module_exit(steal_tg_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_STEAL");
+MODULE_ALIAS("ip6t_STEAL");
+MODULE_ALIAS("arpt_STEAL");
+MODULE_ALIAS("ebt_STEAL");

extensions/xt_SYSRQ.c

@@ -199,8 +199,11 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	if (skb_linearize(skb) < 0)
 		return NF_DROP;
 
-	iph  = ip_hdr(skb);
-	udph = (void *)iph + ip_hdrlen(skb);
+	iph = ip_hdr(skb);
+	if (iph->protocol != IPPROTO_UDP)
+		return NF_ACCEPT; /* sink it */
+
+	udph = (const void *)iph + ip_hdrlen(skb);
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
 	if (sysrq_debug)
@@ -217,13 +220,19 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	struct sk_buff *skb = *pskb;
 	const struct ipv6hdr *iph;
 	const struct udphdr *udph;
+	unsigned short frag_off;
+	unsigned int th_off;
 	uint16_t len;
 
 	if (skb_linearize(skb) < 0)
 		return NF_DROP;
 
-	iph  = ipv6_hdr(skb);
-	udph = udp_hdr(skb);
+	iph = ipv6_hdr(skb);
+	if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
+	    frag_off > 0)
+		return NF_ACCEPT; /* sink it */
+
+	udph = (const void *)iph + th_off;
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
 	if (sysrq_debug)

extensions/xt_TARPIT.c

@@ -245,7 +245,7 @@ static void __exit tarpit_tg_exit(void)
 
 module_init(tarpit_tg_init);
 module_exit(tarpit_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
 MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TARPIT");

extensions/xt_ipv4options.Kconfig

@@ -0,0 +1,6 @@
+config NETFILTER_XT_MATCH_IPV4OPTIONS
+	tristate '"ipv4options" IPv4 option match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	The ipv4options match can be used to check on the presence or absence
+	of one or move IPv4 options.

extensions/xt_length2.Kconfig

@@ -0,0 +1,7 @@
+config NETFILTER_XT_MATCH_LENGTH2
+	tristate '"length2" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	This option adds the "length2" match which is an advanced form of
+	xt_length that allows unambiguous layer-4/-5/-7 length matching. It is
+	useful to detect empty packets or for aiding in packet scheduling.

extensions/xt_quota2.Kconfig

@@ -0,0 +1,8 @@
+config NETFILTER_XT_MATCH_QUOTA2
+	tristate '"quota2" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	This option adds the "quota2" match which is an advanced form of
+	xt_quota that also allows counting upwards, and where the counter can
+	be set through procfs. This allows for simple interfacing of
+	accounting information.

mconfig

@@ -2,10 +2,11 @@
 #
 build_CHAOS=m
 build_DELUDE=m
-build_DHCPADDR=m
+build_DHCPMAC=m
 build_ECHO=
 build_IPMARK=m
 build_LOGMARK=m
+build_STEAL=m
 build_SYSRQ=m
 build_TARPIT=m
 build_TEE=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables\-addons 8 "v1.12 (2009\-03\-23)" "" "v1.13 (2009\-03\-23)"
+.TH xtables\-addons 8 "v1.14 (2009\-03\-31)" "" "v1.14 (2009\-03\-31)"
 .SH Name
 Xtables\-addons - additional extensions for iptables, ip6tables, etc.
 .SH Targets