Xtables-addons 1.24

This reverts commit ab13e58f96.

Whoops. There is no mark at all before 2.6.19.

.gitignore

@@ -6,10 +6,15 @@
 .libs
 Makefile
 Makefile.in
-GNUmakefile
 
 /downloads
 
+/Makefile.iptrules
+/Makefile.mans
+/.*.lst
+/matches.man
+/targets.man
+
 /aclocal.m4
 /autom4te*.cache
 /compile

INSTALL

@@ -19,6 +19,8 @@ Supported configurations for this release
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
 	    enabled =y or as module (=m)
+	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
+	    notifications from pknock through netlink/connector
 
 Extra notes:
 
@@ -46,20 +48,14 @@ Configuring and compiling
 	/lib/modules/$(running version)/build, which usually points to
 	the right directory. (If not, you need to install something.)
 
---with-xtables=
+	For RPM building, it should be /usr/src/linux-obj/...
+	or whatever location the distro makes use of.
 
-	Specifies the path to the directory where we may find
-	xtables.h, should it not be within the standard C compiler
-	include path (/usr/include), or if you want to override it.
-	The directory will be checked for xtables.h and
-	include/xtables.h. (The latter to support both standard
-	/usr/include and the iptables source root.)
-
---with-libxtdir=
+--with-xtlibdir=
 
 	Specifies the path to where the newly built extensions should
 	be installed when `make install` is run. It uses the same
-	default as the Xtables package, ${libexecdir}/xtables.
+	default as the Xtables/iptables package, ${libexecdir}/xtables.
 
 If you want to enable debugging, use
 
@@ -68,19 +64,33 @@ If you want to enable debugging, use
 (-O0 is used to turn off instruction reordering, which makes debugging
 much easier.)
 
+To make use of a libxtables that is not in the default path, either
+
+  a) append the location of the pkg-config files like:
+
+	PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+
+     (Assuming that files have been installed)
+or,
+
+  b) override the pkg-config variables, for example:
+
+	./configure libxtables_CFLAGS="-I../iptables/include" \
+		libxtables_LIBS="-L../iptables/.libs \
+			-Wl,-rpath,../iptables/.libs -lxtables"
+
+     (Use this in case you wish to use it without having to
+     run `make install`. This is because the libxtables.pc pkgconfig
+     file in ../iptables would already point to e.g. /usr/local.)
+
 
 Build-time options
 ==================
 
-V= controls the kernel's make verbosity.
+V= controls the verbosity of make commands.
 V=0	"silent" (output filename)
 V=1	"verbose" (entire gcc command line)
 
-VU= controls the Xt-a make verbosity.
-VU=0	output filename
-VU=1	output filename and source file
-VU=2	entire gcc command line
-
 
 Note to distribution packagers
 ==============================
@@ -89,4 +99,5 @@ Except for --with-kbuild, distributions should not have a need to
 supply any other flags (besides --prefix=/usr and perhaps
 --libdir=/usr/lib64, etc.) to configure when all prerequired packages
 are installed. If iptables-devel is installed, necessary headers should
-be in /usr/include, so --with-xtables is not needed.
+already be in /usr/include, so that overriding PKG_CONFIG_PATH,
+libxtables_CFLAGS and libxtables_LIBS variables should not be needed.

Makefile.am

@@ -5,16 +5,16 @@ SUBDIRS          = extensions
 
 man_MANS := xtables-addons.8
 
-xtables-addons.8: ${srcdir}/xtables-addons.8.in extensions/matches.man extensions/targets.man
-	${am__verbose_GEN}sed -e '/@MATCHES@/ r extensions/matches.man' -e '/@TARGET@/ r extensions/targets.man' $< >$@;
+.PHONY: FORCE
+FORCE:
 
-extensions/%:
-	${MAKE} ${AM_MAKEFLAGS} -C $(@D) $(@F)
+xtables-addons.8: FORCE
+	${MAKE} -f Makefile.mans all;
 
-install-exec-local:
+install-exec-hook:
 	depmod -a || :;
 
-config.status: extensions/GNUmakefile.in
+config.status: Makefile.iptrules.in
 
 .PHONY: tarball
 tarball:

Makefile.extra

@@ -0,0 +1,29 @@
+# -*- Makefile -*-
+# AUTOMAKE
+
+XA_SRCDIR = ${srcdir}
+XA_TOPSRCDIR = ${top_srcdir}
+XA_ABSTOPSRCDIR = ${abs_top_srcdir}
+export XA_SRCDIR
+export XA_TOPSRCDIR
+export XA_ABSTOPSRCDIR
+
+_mcall = -f ${top_builddir}/Makefile.iptrules
+
+all-local: user-all-local
+
+install-exec-local: user-install-local
+
+clean-local: user-clean-local
+
+user-all-local:
+	${MAKE} ${_mcall} all;
+
+# Have no user-install-data-local ATM
+user-install-local: user-install-exec-local
+
+user-install-exec-local:
+	${MAKE} ${_mcall} install;
+
+user-clean-local:
+	${MAKE} ${_mcall} clean;

Makefile.iptrules.in

@@ -0,0 +1,60 @@
+# -*- Makefile -*-
+# MANUAL
+
+prefix          = @prefix@
+exec_prefix     = @exec_prefix@
+libexecdir      = @libexecdir@
+xtlibdir        = @xtlibdir@
+
+CC              = @CC@
+CCLD            = ${CC}
+
+regular_CFLAGS  = @regular_CFLAGS@
+libxtables_CFLAGS = @libxtables_CFLAGS@
+libxtables_LIBS   = @libxtables_LIBS@
+AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS}
+AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
+
+AM_DEFAULT_VERBOSITY = 0
+am__v_CC_0           = @echo "  CC    " $@;
+am__v_CCLD_0         = @echo "  CCLD  " $@;
+am__v_GEN_0          = @echo "  GEN   " $@;
+am__v_SILENT_0       = @
+am__v_CC_            = ${am__v_CC_${AM_DEFAULT_VERBOSITY}}
+am__v_CCLD_          = ${am__v_CCLD_${AM_DEFAULT_VERBOSITY}}
+am__v_GEN_           = ${am__v_GEN_${AM_DEFAULT_VERBOSITY}}
+am__v_SILENT_        = ${am__v_SILENT_${AM_DEFAULT_VERBOSITY}}
+AM_V_CC              = ${am__v_CC_${V}}
+AM_V_CCLD            = ${am__v_CCLD_${V}}
+AM_V_GEN             = ${am__v_GEN_${V}}
+AM_V_silent          = ${am__v_GEN_${V}}
+
+include ${XA_TOPSRCDIR}/mconfig
+-include ${XA_TOPSRCDIR}/mconfig.*
+include ${XA_SRCDIR}/Mbuild
+-include ${XA_SRCDIR}/Mbuild.*
+
+targets := $(filter-out %/,${obj-m})
+subdirs_list := $(filter %/,${obj-m})
+
+.SECONDARY:
+
+.PHONY: all install clean
+
+all: ${targets}
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
+
+install: ${targets}
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	install -dm0755 "${DESTDIR}/${xtlibdir}";
+	@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
+
+clean:
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	rm -f *.oo *.so;
+
+lib%.so: lib%.oo
+	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${libxtables_LIBS} ${LDLIBS};
+
+%.oo: ${XA_SRCDIR}/%.c
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;

Makefile.mans.in

@@ -0,0 +1,40 @@
+# -*- Makefile -*-
+# MANUAL
+
+srcdir := @srcdir@
+
+wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
+wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
+wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
+wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
+
+.PHONY: FORCE
+
+FORCE:
+
+.manpages.lst: FORCE
+	@echo "${wlist_targets} ${wlist_matches}" >$@.tmp; \
+	cmp -s $@ $@.tmp || mv $@.tmp $@; \
+	rm -f $@.tmp;
+
+man_run = \
+	${AM_V_GEN}for ext in $(1); do \
+		name="$${ext%.man}"; \
+		name="$${name\#\#*/libxt_}"; \
+		if [ -f "$$ext" ]; then \
+			echo ".SS $$name"; \
+			cat "$$ext"; \
+			continue; \
+		fi; \
+	done >$@;
+
+all: xtables-addons.8
+
+xtables-addons.8: ${srcdir}/xtables-addons.8.in matches.man targets.man
+	${AM_V_GEN}sed -e '/@MATCHES@/ r matches.man' -e '/@TARGET@/ r targets.man' $< >$@;
+
+matches.man: .manpages.lst ${wcman_matches}
+	$(call man_run,${wlist_matches})
+
+targets.man: .manpages.lst ${wcman_targets}
+	$(call man_run,${wlist_targets})

configure.ac

@@ -1,73 +1,80 @@
 
-AC_INIT([xtables-addons], [1.13])
+AC_INIT([xtables-addons], [1.24])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE([-Wall foreign subdir-objects])
+AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
 AC_PROG_LIBTOOL
 
-kbuilddir="/lib/modules/$(uname -r)/build";
 AC_ARG_WITH([kbuild],
 	AS_HELP_STRING([--with-kbuild=PATH],
 	[Path to kernel build directory [[/lib/modules/CURRENT/build]]]),
-	[kbuilddir="$withval"])
-AC_ARG_WITH([ksource],
-	AS_HELP_STRING([--with-ksource=PATH],
-	[Path to kernel source directory [[/lib/modules/CURRENT/source]]]),
-	[ksourcedir="$withval"])
-AC_ARG_WITH([xtables],
-	AS_HELP_STRING([--with-xtables=PATH],
-	[Path to the Xtables includes [[none]]]),
-	[xtables_location="$withval"])
+	[kbuilddir="$withval"],
+	[kbuilddir="/lib/modules/$(uname -r)/build"])
+#
+# check for --without-kbuild
+#
+if [[ "$kbuilddir" == no ]]; then
+	kbuilddir="";
+fi
+
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
 	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
 	[xtlibdir="$withval"],
 	[xtlibdir='${libexecdir}/xtables'])
 
-#
-# --with-xtables= overrides a possibly installed pkgconfig file.
-#
-if [[ -n "$xtables_location" ]]; then
-	AC_MSG_CHECKING([xtables.h presence])
-	if [[ -f "$xtables_location/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/xtables.h])
-		xtables_CFLAGS="-I $xtables_location";
-	elif [[ -f "$xtables_location/include/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/include/xtables.h])
-		xtables_CFLAGS="-I $xtables_location/include";
-	fi;
-	if [[ -z "$xtables_CFLAGS" ]]; then
-		if [[ -f "$includedir/xtables.h" ]]; then
-			AC_MSG_RESULT([$includedir/xtables.h])
-		else
-			AC_MSG_RESULT([no])
-		fi;
-	fi;
-else
-	PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
-fi;
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
+AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
+	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
-kinclude_CFLAGS="";
-if [[ -n "$kbuilddir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
+	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
+	-I\${XA_TOPSRCDIR}/include";
+
+#
+# check kernel version
+#
+if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
+    grep -q "Red Hat Enterprise Linux Server release 5" /etc/redhat-release 2>/dev/null; then
+	# しまった!
+	# Well, just a warning. Maybe the admin updated the kernel.
+	echo "WARNING: This distribution's shipped kernel is not supported.";
 fi;
-if [[ -n "$ksourcedir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
+krel="$(make -sC ${kbuilddir} kernelrelease)";
+krel="${krel%%-*}";
+kmajor="${krel%%.*}";
+krel="${krel#*.}";
+kminor="${krel%%.*}";
+krel="${krel#*.}";
+kmicro="${krel%%.*}";
+if test "$kmicro" = "$krel"; then
+	kstable=0;
+else
+	kstable="${krel#*.}";
+	if test -z "$kstable"; then
+		kstable=0;
+	fi;
+fi;
+echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 34; then
+	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
+elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
+    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
+    "$kstable" -lt 5 \); then
+	echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
+	exit 1;
 fi;
 
 AC_SUBST([regular_CFLAGS])
-AC_SUBST([xtables_CFLAGS])
-AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
-AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
-AC_CONFIG_FILES([Makefile extensions/GNUmakefile extensions/ipset/GNUmakefile])
+AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
+	extensions/Makefile extensions/ACCOUNT/Makefile
+	extensions/ipset/Makefile extensions/pknock/Makefile])
 AC_OUTPUT

doc/README.psd

@@ -0,0 +1,4 @@
+PSD (Portscan Detection) External extensions for Xtables-addons
+
+Example:
+iptables -A INPUT -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 1 --psd-hi-ports-weight 10 -j LOG --log-prefix "PSD: "

doc/changelog.txt

@@ -1,4 +1,122 @@
 
+HEAD
+====
+
+
+Xtables-addons 1.24 (March 17 2010)
+===================================
+- build: fix build of userspace modules against old (pre-2.6.25)
+  headers from linux-glibc-devel (/usr/include/linux)
+- ipp2p: updated bittorent command recognition
+- SYSRQ: let module load when crypto is unavailable
+- SYSRQ: allow processing of UDP-Lite
+
+
+Xtables-addons 1.23 (February 24 2010)
+======================================
+- build: support for Linux 2.6.34
+- build: remove unused --with-ksource option
+- build: remove unneeded --with-xtables option
+- build: fix compilations in RAWNAT, SYSRQ and length2 when CONFIG_IPV6=n
+- ipset: update to 4.2
+- ECHO: fix compilation w.r.t. skb_dst
+
+
+Xtables-addons 1.22 (January 22 2010)
+=====================================
+- compat_xtables: support for 2.6.33 skb_iif changes
+- geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
+- ipset: enable build of ip_set_setlist.ko
+- quota2: add the --no-change mode
+
+
+Xtables-addons 1.21 (December 09 2009)
+======================================
+- ACCOUNT: avoid collision with arp_tables setsockopt numbers
+- doc: fix option mismatch --gw/--gateway in libxt_TEE.man
+
+
+Xtables-addons 1.20 (November 19 2009)
+======================================
+- ipp2p: add more boundary checks
+- ipp2p: fix Gnutelle line ending detection
+- LOGMARK: remove unknown options from manpage
+- ACCOUNT: endianess-correctness
+- ipset: install manpage
+- ipset: fast forward to v4.1
+
+
+Xtables-addons 1.19 (October 12 2009)
+=====================================
+- build: compile fixes for 2.6.31-rt
+- build: support for Linux 2.6.32
+- ipp2p: try to address underflows
+- psd: avoid potential crash when dealing with non-linear skbs
+- merge xt_ACCOUNT userspace utilities
+- added reworked xt_pknock module
+  Changes from pknock v0.5:
+  - pknock: "strict" and "checkip" flags were not displayed in `iptables -L`
+  - pknock: the GC expire time's lower bound is now the default gc time
+    (65000 msec) to avoid rendering anti-spoof protection in SPA mode useless
+  - pknock: avoid crash on memory allocation failure and fix memleak
+  - pknock: avoid fillup of peer table during DDoS
+  - pknock: automatic closing of ports
+  - pknock: make non-zero time mandatory for TCP mode
+  - pknock: display only pknock mode and state relevant information in procfs
+  - pknock: check interknock time only for !ST_ALLOWED peers
+  - pknock: preserve time/autoclose values for rules added in
+    reverse/arbitrary order
+  - pknock: add a manpage
+
+
+Xtables-addons 1.18 (September 09 2009)
+=======================================
+- build: support for Linux 2.6.31
+- ipset: fast forward to v3.2
+- quota2: support anonymous counters
+- quota2: reduce memory footprint for anonymous counters
+- quota2: extend locked period during cleanup (locking bugfix)
+- quota2: use strtoull instead of strtoul
+- merged xt_ACCOUNT module
+- merged xt_psd module
+
+
+Xtables-addons 1.17 (June 16 2009)
+==================================
+- IPMARK: print missing --shift parameter
+- build: use readlink -f in extensions/ipset/
+- build: support for Linux 2.6.30
+
+
+Xtables-addons 1.16 (May 27 2009)
+=================================
+- RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
+- ipset: fast forward to 3.0
+
+
+Xtables-addons 1.15 (April 30 2009)
+===================================
+- build: add kernel version check to configure
+- condition: compile fix for 2.6.30-rc
+- condition: fix intrapositional negation sign
+- fuzzy: fix bogus comparison logic leftover from move to new 1.4.3 API
+- ipp2p: fix bogus varargs call
+- ipp2p: fix typo in error message
+- added "iface" match
+- added rawpost table (for use with RAWNAT)
+- added RAWSNAT/RAWDNAT targets
+
+
+Xtables-addons 1.14 (March 31 2009)
+===================================
+- fuzzy: need to account for kernel-level modified variables in .userspacesize
+- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
+- SYSRQ: ignore non-UDP packets
+- SYSRQ: do proper L4 header access in IPv6 code
+  (must not use tcp/udp_hdr in input path)
+- add "STEAL" target
+- dhcpmac: rename from dhcpaddr
+
 
 Xtables-addons 1.13 (March 23 2009)
 ===================================
@@ -11,7 +129,7 @@ Xtables-addons 1.12 (March 07 2009)
 - ipset: fix for compilation with 2.6.29-rt
 - ipset: fast forward to 2.5.0
 - rename xt_portscan to xt_lscan ("low-level scan") because
-  "portscan" as a wor caused confusion
+  "portscan" as a word caused confusion
 - xt_LOGMARK: print incoming interface index
 - revert "TEE: do not use TOS for routing"
 - xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n

extensions/.gitignore

@@ -8,8 +8,5 @@ Module.symvers
 Modules.symvers
 modules.order
 
-/*.so
-/*.oo
-/matches.man
-/targets.man
-/.manpages.lst
+*.so
+*.oo

extensions/ACCOUNT/.gitignore

@@ -0,0 +1 @@
+/iptaccount

extensions/ACCOUNT/Kbuild

@@ -0,0 +1,5 @@
+# -*- Makefile -*-
+
+EXTRA_CFLAGS = -I${src}/..
+
+obj-m += xt_ACCOUNT.o

extensions/ACCOUNT/Makefile.am

@@ -0,0 +1,8 @@
+# -*- Makefile -*-
+
+include ../../Makefile.extra
+
+sbin_PROGRAMS = iptaccount
+iptaccount_LDADD = libxt_ACCOUNT_cl.la
+
+lib_LTLIBRARIES = libxt_ACCOUNT_cl.la

extensions/ACCOUNT/Mbuild

@@ -0,0 +1,3 @@
+# -*- Makefile -*-
+
+obj-${build_ACCOUNT}     += libxt_ACCOUNT.so

extensions/ACCOUNT/iptaccount.c

@@ -0,0 +1,224 @@
+/***************************************************************************
+ *   Copyright (C) 2004-2006 by Intra2net AG                               *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU Lesser General Public License           *
+ *   version 2.1 as published by the Free Software Foundation;             *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <getopt.h>
+#include <signal.h>
+
+#include <arpa/inet.h>
+#include <linux/types.h>
+#include <libxt_ACCOUNT_cl.h>
+
+bool exit_now;
+static void sig_term(int signr)
+{
+	signal(SIGINT, SIG_IGN);
+	signal(SIGQUIT, SIG_IGN);
+	signal(SIGTERM, SIG_IGN);
+
+	exit_now = true;
+}
+
+static char *addr_to_dotted(unsigned int addr)
+{
+	static char buf[16];
+	const unsigned char *bytep;
+
+	addr = htonl(addr);
+	bytep = (const unsigned char *)&addr;
+	snprintf(buf, sizeof(buf), "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
+	return buf;
+}
+
+static void show_usage(void)
+{
+	printf("Unknown command line option. Try: [-u] [-h] [-a] [-f] [-c] [-s] [-l name]\n");
+	printf("[-u] show kernel handle usage\n");
+	printf("[-h] free all kernel handles (experts only!)\n\n");
+	printf("[-a] list all table names\n");
+	printf("[-l name] show data in table <name>\n");
+	printf("[-f] flush data after showing\n");
+	printf("[-c] loop every second (abort with CTRL+C)\n");
+	printf("[-s] CSV output (for spreadsheet import)\n");
+	printf("\n");
+}
+
+int main(int argc, char *argv[])
+{
+	struct ipt_ACCOUNT_context ctx;
+	struct ipt_acc_handle_ip *entry;
+	int i;
+	char optchar;
+	bool doHandleUsage = false, doHandleFree = false, doTableNames = false;
+	bool doFlush = false, doContinue = false, doCSV = false;
+
+	char *table_name = NULL;
+	const char *name;
+
+	printf("\nlibxt_ACCOUNT_cl userspace accounting tool v%s\n\n",
+	LIBXT_ACCOUNT_VERSION);
+
+	if (argc == 1)
+	{
+		show_usage();
+		exit(0);
+	}
+
+	while ((optchar = getopt(argc, argv, "uhacfsl:")) != -1)
+	{
+		switch (optchar)
+		{
+		case 'u':
+			doHandleUsage = true;
+			break;
+		case 'h':
+			doHandleFree = true;
+			break;
+		case 'a':
+			doTableNames = true;
+			break;
+		case 'f':
+			doFlush = true;
+			break;
+		case 'c':
+			doContinue = true;
+			break;
+		case 's':
+			doCSV = true;
+			break;
+		case 'l':
+			table_name = strdup(optarg);
+			break;
+		case '?':
+		default:
+			show_usage();
+			exit(0);
+			break;
+		}
+	}
+
+	// install exit handler
+	if (signal(SIGTERM, sig_term) == SIG_ERR)
+	{
+		printf("can't install signal handler for SIGTERM\n");
+		exit(-1);
+	}
+	if (signal(SIGINT, sig_term) == SIG_ERR)
+	{
+		printf("can't install signal handler for SIGINT\n");
+		exit(-1);
+	}
+	if (signal(SIGQUIT, sig_term) == SIG_ERR)
+	{
+		printf("can't install signal handler for SIGQUIT\n");
+		exit(-1);
+	}
+
+	if (ipt_ACCOUNT_init(&ctx))
+	{
+		printf("Init failed: %s\n", ctx.error_str);
+		exit(-1);
+	}
+
+	// Get handle usage?
+	if (doHandleUsage)
+	{
+		int rtn = ipt_ACCOUNT_get_handle_usage(&ctx);
+		if (rtn < 0)
+		{
+			printf("get_handle_usage failed: %s\n", ctx.error_str);
+			exit(-1);
+		}
+
+		printf("Current kernel handle usage: %d\n", ctx.handle.itemcount);
+	}
+
+	if (doHandleFree)
+	{
+		int rtn = ipt_ACCOUNT_free_all_handles(&ctx);
+		if (rtn < 0)
+		{
+			printf("handle_free_all failed: %s\n", ctx.error_str);
+			exit(-1);
+		}
+
+		printf("Freed all handles in kernel space\n");
+	}
+
+	if (doTableNames)
+	{
+		int rtn = ipt_ACCOUNT_get_table_names(&ctx);
+		if (rtn < 0)
+		{
+			printf("get_table_names failed: %s\n", ctx.error_str);
+			exit(-1);
+		}
+		while ((name = ipt_ACCOUNT_get_next_name(&ctx)) != 0)
+			printf("Found table: %s\n", name);
+	}
+
+	if (table_name)
+	{
+		// Read out data
+		if (doCSV)
+			printf("IP;SRC packets;SRC bytes;DST packets;DST bytes\n");
+		else
+			printf("Showing table: %s\n", table_name);
+
+		i = 0;
+		while (!exit_now)
+		{
+			// Get entries from table test
+			if (ipt_ACCOUNT_read_entries(&ctx, table_name, !doFlush))
+			{
+				printf("Read failed: %s\n", ctx.error_str);
+				ipt_ACCOUNT_deinit(&ctx);
+				return EXIT_FAILURE;
+			}
+
+			if (!doCSV)
+				printf("Run #%d - %u %s found\n", i, ctx.handle.itemcount,
+				       ctx.handle.itemcount == 1 ? "item" : "items");
+
+			// Output and free entries
+			while ((entry = ipt_ACCOUNT_get_next_entry(&ctx)) != NULL)
+			{
+				if (doCSV)
+					printf("%s;%u;%u;%u;%u\n",
+					       addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
+					       entry->dst_packets, entry->dst_bytes);
+				else
+					printf("IP: %s SRC packets: %u bytes: %u DST packets: %u bytes: %u\n",
+					       addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
+					       entry->dst_packets, entry->dst_bytes);
+			}
+
+			if (doContinue)
+			{
+				sleep(1);
+				i++;
+			} else
+				exit_now = true;
+		}
+	}
+
+	printf("Finished.\n");
+	ipt_ACCOUNT_deinit(&ctx);
+	return EXIT_SUCCESS;
+}

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -0,0 +1,161 @@
+/* Shared library add-on to iptables to add ACCOUNT(ing) support.
+   Author: Intra2net AG <opensource@intra2net.com>
+*/
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <stddef.h>
+#include <xtables.h>
+#include "xt_ACCOUNT.h"
+
+static struct option account_tg_opts[] = {
+	{.name = "addr",  .has_arg = true, .val = 'a'},
+	{.name = "tname", .has_arg = true, .val = 't'},
+	{NULL},
+};
+
+/* Function which prints out usage message. */
+static void account_tg_help(void)
+{
+	printf(
+"ACCOUNT target options:\n"
+" --%s ip/netmask\t\tBase network IP and netmask used for this table\n"
+" --%s name\t\t\tTable name for the userspace library\n",
+account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+/* Initialize the target. */
+static void
+account_tg_init(struct xt_entry_target *t)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)t->data;
+
+	accountinfo->table_nr = -1;
+}
+
+#define IPT_ACCOUNT_OPT_ADDR 0x01
+#define IPT_ACCOUNT_OPT_TABLE 0x02
+
+/* Function which parses command options; returns true if it
+   ate an option */
+
+static int account_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+		const void *entry, struct xt_entry_target **target)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)(*target)->data;
+	struct in_addr *addrs = NULL, mask;
+	unsigned int naddrs = 0;
+
+	switch (c) {
+	case 'a':
+		if (*flags & IPT_ACCOUNT_OPT_ADDR)
+			xtables_error(PARAMETER_PROBLEM, "Can't specify --%s twice",
+				account_tg_opts[0].name);
+
+		xtables_ipparse_any(optarg, &addrs, &mask, &naddrs);
+		if (naddrs > 1)
+			xtables_error(PARAMETER_PROBLEM, "multiple IP addresses not allowed");
+
+		accountinfo->net_ip = addrs[0].s_addr;
+		accountinfo->net_mask = mask.s_addr;
+
+		*flags |= IPT_ACCOUNT_OPT_ADDR;
+		break;
+
+	case 't':
+		if (*flags & IPT_ACCOUNT_OPT_TABLE)
+			xtables_error(PARAMETER_PROBLEM,
+				"Can't specify --%s twice",
+				account_tg_opts[1].name);
+
+		if (strlen(optarg) > ACCOUNT_TABLE_NAME_LEN - 1)
+			xtables_error(PARAMETER_PROBLEM,
+				"Maximum table name length %u for --%s",
+				ACCOUNT_TABLE_NAME_LEN - 1,
+				account_tg_opts[1].name);
+
+		strcpy(accountinfo->table_name, optarg);
+		*flags |= IPT_ACCOUNT_OPT_TABLE;
+		break;
+
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void account_tg_check(unsigned int flags)
+{
+	if (!(flags & IPT_ACCOUNT_OPT_ADDR) || !(flags & IPT_ACCOUNT_OPT_TABLE))
+		xtables_error(PARAMETER_PROBLEM, "ACCOUNT: needs --%s and --%s",
+			account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+static void account_tg_print_it(const void *ip,
+		const struct xt_entry_target *target, bool do_prefix)
+{
+	const struct ipt_acc_info *accountinfo
+		= (const struct ipt_acc_info *)target->data;
+	struct in_addr a;
+
+	if (!do_prefix)
+		printf("ACCOUNT ");
+
+	// Network information
+	if (do_prefix)
+		printf("--");
+	printf("%s ", account_tg_opts[0].name);
+
+	a.s_addr = accountinfo->net_ip;
+	printf("%s", xtables_ipaddr_to_numeric(&a));
+	a.s_addr = accountinfo->net_mask;
+	printf("%s", xtables_ipmask_to_numeric(&a));
+
+	printf(" ");
+	if (do_prefix)
+		printf("--");
+
+	printf("%s %s", account_tg_opts[1].name, accountinfo->table_name);
+}
+
+
+static void
+account_tg_print(const void *ip,
+	const struct xt_entry_target *target,
+	int numeric)
+{
+	account_tg_print_it(ip, target, false);
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+account_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+	account_tg_print_it(ip, target, true);
+}
+
+static struct xtables_target account_tg_reg = {
+	.name          = "ACCOUNT",
+	.revision      = 1,
+	.family        = NFPROTO_IPV4,
+	.version       = XTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
+	.userspacesize = offsetof(struct ipt_acc_info, table_nr),
+	.help          = account_tg_help,
+	.init          = account_tg_init,
+	.parse         = account_tg_parse,
+	.final_check   = account_tg_check,
+	.print         = account_tg_print,
+	.save          = account_tg_save,
+	.extra_opts    = account_tg_opts,
+};
+
+static __attribute__((constructor)) void account_tg_ldr(void)
+{
+	xtables_register_target(&account_tg_reg);
+}

extensions/ACCOUNT/libxt_ACCOUNT.man

@@ -0,0 +1,72 @@
+The ACCOUNT target is a high performance accounting system for large
+local networks. It allows per-IP accounting in whole prefixes of IPv4
+addresses with size of up to /8 without the need to add individual
+accouting rule for each IP address.
+.PP
+The ACCOUNT is designed to be queried for data every second or at
+least every ten seconds. It is written as kernel module to handle high
+bandwidths without packet loss.
+.PP
+The largest possible subnet size is 24 bit, meaning for example 10.0.0.0/8
+network. ACCOUNT uses fixed internal data structures
+which speeds up the processing of each packet. Furthermore,
+accounting data for one complete 192.168.1.X/24 network takes 4 KB of
+memory. Memory for 16 or 24 bit networks is only allocated when
+needed.
+.PP
+To optimize the kernel<->userspace data transfer a bit more, the
+kernel module only transfers information about IPs, where the src/dst
+packet counter is not 0. This saves precious kernel time.
+.PP
+There is no /proc interface as it would be too slow for continuous access.
+The read-and-flush query operation is the fastest, as no internal data
+snapshot needs to be created&copied for all data. Use the "read"
+operation without flush only for debugging purposes!
+.PP
+Usage:
+.PP
+ACCOUNT takes two mandatory parameters:
+.TP
+\fB\-\-addr\fR \fInetwork\fP\fB/\fP\fInetmask\fR
+where \fInetwork\fP\fB/\fP\fInetmask\fP is the subnet to account for, in CIDR syntax
+.TP
+\fB\-\-tname\fP \fINAME\fP
+where \fINAME\fP is the name of the table where the accounting information
+should be stored
+.PP
+The subnet 0.0.0.0/0 is a special case: all data are then stored in the src_bytes
+and src_packets structure of slot "0". This is useful if you want
+to account the overall traffic to/from your internet provider.
+.PP
+The data can be queried using the userspace libxt_ACCOUNT_cl library,
+and by the reference implementation to show usage of this library,
+the \fBiptaccount\fP(8) tool, which features following options:
+.PP
+[\fB\-u\fP] show kernel handle usage
+.PP
+[\fB\-h\fP] free all kernel handles (experts only!)
+.PP
+[\fB\-a\fP] list all table names
+.PP
+[\fB\-l\fP \fIname\fP] show data in table \fIname\fP
+.PP
+[\fB\-f\fP] flush data after showing
+.PP
+[\fB\-c\fP] loop every second (abort with CTRL+C)
+.PP
+Here is an example of use:
+.PP
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing;
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales;
+.PP
+This creates two tables called "all_outgoing" and "sales" which can be
+queried using the userspace library/iptaccount tool.
+.PP
+Note that this target is non-terminating \(em the packet destined to it
+will continue traversing the chain in which it has been used.
+.PP
+Also note that once a table has been defined for specific CIDR address/netmask
+block, it can be referenced multiple times using \-j ACCOUNT, provided
+that both the original table name and address/netmask block are specified.
+.PP
+For more information go to http://www.intra2net.com/en/developer/ipt_ACCOUNT/

extensions/ACCOUNT/libxt_ACCOUNT_cl.c

@@ -0,0 +1,199 @@
+/***************************************************************************
+ *   Copyright (C) 2004 by Intra2net AG                                    *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU Lesser General Public License           *
+ *   version 2.1 as published by the Free Software Foundation;             *
+ *                                                                         *
+ ***************************************************************************/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <netinet/in.h>
+#include <linux/if.h>
+
+#include <libxt_ACCOUNT_cl.h>
+
+int ipt_ACCOUNT_init(struct ipt_ACCOUNT_context *ctx)
+{
+	memset(ctx, 0, sizeof(struct ipt_ACCOUNT_context));
+	ctx->handle.handle_nr = -1;
+
+	ctx->sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+	if (ctx->sockfd < 0) {
+		ctx->sockfd = -1;
+		ctx->error_str = "Can't open socket to kernel. "
+		                 "Permission denied or ipt_ACCOUNT module not loaded";
+		return -1;
+	}
+
+	// 4096 bytes default buffer should save us from reallocations
+	// as it fits 200 concurrent active clients
+	if ((ctx->data = malloc(IPT_ACCOUNT_MIN_BUFSIZE)) == NULL) {
+		close(ctx->sockfd);
+		ctx->sockfd = -1;
+		ctx->error_str = "Out of memory for data buffer";
+		return -1;
+	}
+	ctx->data_size = IPT_ACCOUNT_MIN_BUFSIZE;
+
+	return 0;
+}
+
+void ipt_ACCOUNT_free_entries(struct ipt_ACCOUNT_context *ctx)
+{
+	if (ctx->handle.handle_nr != -1) {
+		setsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_SET_ACCOUNT_HANDLE_FREE,
+		           &ctx->handle, sizeof(struct ipt_acc_handle_sockopt));
+		ctx->handle.handle_nr = -1;
+	}
+
+	ctx->handle.itemcount = 0;
+	ctx->pos = 0;
+}
+
+void ipt_ACCOUNT_deinit(struct ipt_ACCOUNT_context *ctx)
+{
+	free(ctx->data);
+	ctx->data = NULL;
+
+	ipt_ACCOUNT_free_entries(ctx);
+
+	close(ctx->sockfd);
+	ctx->sockfd = -1;
+}
+
+int ipt_ACCOUNT_read_entries(struct ipt_ACCOUNT_context *ctx,
+                             const char *table, char dont_flush)
+{
+	unsigned int s = sizeof(struct ipt_acc_handle_sockopt);
+	unsigned int new_size;
+	int rtn;
+
+	strncpy(ctx->handle.name, table, ACCOUNT_TABLE_NAME_LEN-1);
+
+	// Get table information
+	if (!dont_flush)
+		rtn = getsockopt(ctx->sockfd, IPPROTO_IP,
+		      IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH, &ctx->handle, &s);
+	else
+		rtn = getsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_GET_ACCOUNT_PREPARE_READ,
+		      &ctx->handle, &s);
+
+	if (rtn < 0) {
+		ctx->error_str = "Can't get table information from kernel. "
+		                 "Does it exist?";
+		return -1;
+	}
+
+	// Check data buffer size
+	ctx->pos = 0;
+	new_size = ctx->handle.itemcount * sizeof(struct ipt_acc_handle_ip);
+	// We want to prevent reallocations all the time
+	if (new_size < IPT_ACCOUNT_MIN_BUFSIZE)
+		new_size = IPT_ACCOUNT_MIN_BUFSIZE;
+
+	// Reallocate if it's too small or twice as big
+	if (ctx->data_size < new_size || ctx->data_size > new_size * 2) {
+		// Free old buffer
+		free(ctx->data);
+		ctx->data_size = 0;
+
+		if ((ctx->data = malloc(new_size)) == NULL) {
+			ctx->error_str = "Out of memory for data buffer";
+			ipt_ACCOUNT_free_entries(ctx);
+			return -1;
+		}
+
+		ctx->data_size = new_size;
+	}
+
+	// Copy data from kernel
+	memcpy(ctx->data, &ctx->handle, sizeof(struct ipt_acc_handle_sockopt));
+	rtn = getsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_GET_ACCOUNT_GET_DATA,
+	      ctx->data, &ctx->data_size);
+	if (rtn < 0) {
+		ctx->error_str = "Can't get data from kernel. "
+		                 "Check /var/log/messages for details.";
+		ipt_ACCOUNT_free_entries(ctx);
+		return -1;
+	}
+
+	// Free kernel handle but don't reset pos/itemcount
+	setsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_SET_ACCOUNT_HANDLE_FREE,
+	           &ctx->handle, sizeof(struct ipt_acc_handle_sockopt));
+	ctx->handle.handle_nr = -1;
+
+	return 0;
+}
+
+struct ipt_acc_handle_ip *ipt_ACCOUNT_get_next_entry(struct ipt_ACCOUNT_context *ctx)
+{
+	struct ipt_acc_handle_ip *rtn;
+
+	// Empty or no more items left to return?
+	if (!ctx->handle.itemcount || ctx->pos >= ctx->handle.itemcount)
+		return NULL;
+
+	// Get next entry
+	rtn = (struct ipt_acc_handle_ip *)(ctx->data + ctx->pos
+	      * sizeof(struct ipt_acc_handle_ip));
+	ctx->pos++;
+
+	return rtn;
+}
+
+int ipt_ACCOUNT_get_handle_usage(struct ipt_ACCOUNT_context *ctx)
+{
+	unsigned int s = sizeof(struct ipt_acc_handle_sockopt);
+	if (getsockopt(ctx->sockfd, IPPROTO_IP,
+	    IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE, &ctx->handle, &s) < 0) {
+		ctx->error_str = "Can't get handle usage information from kernel";
+		return -1;
+	}
+	ctx->handle.handle_nr = -1;
+
+	return ctx->handle.itemcount;
+ }
+
+int ipt_ACCOUNT_free_all_handles(struct ipt_ACCOUNT_context *ctx)
+{
+	if (setsockopt(ctx->sockfd, IPPROTO_IP,
+	    IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL, NULL, 0) < 0) {
+		ctx->error_str = "Can't free all kernel handles";
+		return -1;
+	}
+
+	return 0;
+}
+
+int ipt_ACCOUNT_get_table_names(struct ipt_ACCOUNT_context *ctx)
+{
+	int rtn = getsockopt(ctx->sockfd, IPPROTO_IP,
+	          IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES,
+	          ctx->data, &ctx->data_size);
+	if (rtn < 0) {
+		ctx->error_str = "Can't get table names from kernel. Out of memory, "
+		                 "MINBUFISZE too small?";
+		return -1;
+	}
+	ctx->pos = 0;
+	return 0;
+}
+
+const char *ipt_ACCOUNT_get_next_name(struct ipt_ACCOUNT_context *ctx)
+{
+	const char *rtn;
+	if (((char *)ctx->data)[ctx->pos] == 0)
+		return 0;
+
+	rtn = ctx->data + ctx->pos;
+	ctx->pos += strlen(ctx->data + ctx->pos) + 1;
+
+	return rtn;
+}

extensions/ACCOUNT/libxt_ACCOUNT_cl.h

@@ -0,0 +1,60 @@
+/***************************************************************************
+ *   Copyright (C) 2004 by Intra2net AG                                    *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU Lesser General Public License           *
+ *   version 2.1 as published by the Free Software Foundation;             *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifndef _xt_ACCOUNT_cl_H
+#define _xt_ACCOUNT_cl_H
+
+#include <xt_ACCOUNT.h>
+
+#define LIBXT_ACCOUNT_VERSION "1.3"
+
+/* Don't set this below the size of struct ipt_account_handle_sockopt */
+#define IPT_ACCOUNT_MIN_BUFSIZE 4096
+
+struct ipt_ACCOUNT_context
+{
+	int sockfd;
+	struct ipt_acc_handle_sockopt handle;
+
+	unsigned int data_size;
+	void *data;
+	unsigned int pos;
+
+	char *error_str;
+};
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int ipt_ACCOUNT_init(struct ipt_ACCOUNT_context *ctx);
+void ipt_ACCOUNT_deinit(struct ipt_ACCOUNT_context *ctx);
+
+void ipt_ACCOUNT_free_entries(struct ipt_ACCOUNT_context *ctx);
+int ipt_ACCOUNT_read_entries(struct ipt_ACCOUNT_context *ctx,
+                             const char *table, char dont_flush);
+struct ipt_acc_handle_ip *ipt_ACCOUNT_get_next_entry(
+                             struct ipt_ACCOUNT_context *ctx);
+
+/* ipt_ACCOUNT_free_entries is for internal use only function as this library
+is constructed to be used in a loop -> Don't allocate memory all the time.
+The data buffer is freed on deinit() */
+
+int ipt_ACCOUNT_get_handle_usage(struct ipt_ACCOUNT_context *ctx);
+int ipt_ACCOUNT_free_all_handles(struct ipt_ACCOUNT_context *ctx);
+int ipt_ACCOUNT_get_table_names(struct ipt_ACCOUNT_context *ctx);
+const char *ipt_ACCOUNT_get_next_name(struct ipt_ACCOUNT_context *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif

extensions/ACCOUNT/xt_ACCOUNT.Kconfig

@@ -0,0 +1,13 @@
+config NETFILTER_XT_TARGET_ACCOUNT
+	tristate "ACCOUNT target support"
+	depends on NETFILTER_XTABLES
+	---help---
+	This module implements an ACCOUNT target
+
+	The ACCOUNT target is a high performance accounting system for large
+	local networks. It allows per-IP accounting in whole prefixes of IPv4
+	addresses with size of up to /8 without the need to add individual
+	accouting rule for each IP address.
+
+	For more information go to:
+	http://www.intra2net.com/de/produkte/opensource/ipt_account/

extensions/ACCOUNT/xt_ACCOUNT.h

@@ -0,0 +1,69 @@
+/***************************************************************************
+ *   Copyright (C) 2004-2006 by Intra2net AG                               *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License                  *
+ *   version 2 as published by the Free Software Foundation;               *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifndef _IPT_ACCOUNT_H
+#define _IPT_ACCOUNT_H
+
+/*
+ * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
+ * library (libxt_ACCOUNT_cl). Hopefully we are unique at least within our
+ * kernel & xtables-addons space.
+ *
+ * Turned out often enough we are not.
+ * 64-67	used by ip_tables, ip6_tables
+ * 96-100	used by arp_tables
+ * 128-131	used by ebtables
+ */
+#define SO_ACCOUNT_BASE_CTL 70
+
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (SO_ACCOUNT_BASE_CTL + 1)
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (SO_ACCOUNT_BASE_CTL + 2)
+#define IPT_SO_SET_ACCOUNT_MAX		 IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
+
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ (SO_ACCOUNT_BASE_CTL + 4)
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (SO_ACCOUNT_BASE_CTL + 5)
+#define IPT_SO_GET_ACCOUNT_GET_DATA (SO_ACCOUNT_BASE_CTL + 6)
+#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (SO_ACCOUNT_BASE_CTL + 7)
+#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (SO_ACCOUNT_BASE_CTL + 8)
+#define IPT_SO_GET_ACCOUNT_MAX	  IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
+
+#define ACCOUNT_MAX_TABLES 128
+#define ACCOUNT_TABLE_NAME_LEN 32
+#define ACCOUNT_MAX_HANDLES 10
+
+/* Structure for the userspace part of ipt_ACCOUNT */
+struct ipt_acc_info {
+	__be32 net_ip;
+	__be32 net_mask;
+	char table_name[ACCOUNT_TABLE_NAME_LEN];
+	int32_t table_nr;
+};
+
+/* Handle structure for communication with the userspace library */
+struct ipt_acc_handle_sockopt {
+	uint32_t handle_nr;				   /* Used for HANDLE_FREE */
+	char name[ACCOUNT_TABLE_NAME_LEN];	 /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+	uint32_t itemcount;				   /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+};
+
+/*
+	Used for every IP when returning data
+*/
+struct ipt_acc_handle_ip {
+	__be32 ip;
+	uint32_t src_packets;
+	uint32_t src_bytes;
+	uint32_t dst_packets;
+	uint32_t dst_bytes;
+};
+
+#endif /* _IPT_ACCOUNT_H */

extensions/GNUmakefile.in

@@ -1,144 +0,0 @@
-# -*- Makefile -*-
-
-top_srcdir      := @top_srcdir@
-srcdir          := @srcdir@
-abstop_srcdir   := $(shell readlink -f ${top_srcdir})
-abssrcdir       := $(shell readlink -f ${srcdir})
-
-ifeq (${abstop_srcdir},)
-$(error Path resolution of ${top_srcdir} failed)
-endif
-ifeq (${abssrcdir},)
-$(error Path resolution of ${srcdir} failed)
-endif
-
-prefix          := @prefix@
-exec_prefix     := @exec_prefix@
-libdir          := @libdir@
-libexecdir      := @libexecdir@
-xtlibdir        := @xtlibdir@
-kbuilddir       := @kbuilddir@
-
-CC              := @CC@
-CCLD            := ${CC}
-CFLAGS          := @CFLAGS@
-LDFLAGS         := @LDFLAGS@
-regular_CFLAGS  := @regular_CFLAGS@
-kinclude_CFLAGS := @kinclude_CFLAGS@
-xtables_CFLAGS  := @xtables_CFLAGS@
-
-AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS}
-AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
-
-VU := 0
-am__1verbose_CC_0     = @echo "  CC      " $@;
-am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
-am__1verbose_GEN_0    = @echo "  GEN     " $@;
-am__1verbose_SILENT_0 = @
-am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
-am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
-am__1verbose_GEN_1    = @echo "  GEN     " $@ "<-" $<;
-am__verbose_CC        = ${am__1verbose_CC_${VU}}
-am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
-am__verbose_GEN       = ${am__1verbose_GEN_${VU}}
-am__verbose_SILENT    = ${am__1verbose_GEN_${VU}}
-
-
-#
-#	Wildcard module list
-#
-include ${top_srcdir}/mconfig
--include ${top_srcdir}/mconfig.*
-include ${srcdir}/Mbuild
--include ${srcdir}/Mbuild.*
--include ${srcdir}/*.Mbuild
-
-
-#
-#	Building blocks
-#
-targets := $(filter-out %/,${obj-m})
-targets_install := ${targets}
-subdirs_list := $(filter %/,${obj-m})
-
-.SECONDARY:
-
-.PHONY: all install clean distclean FORCE
-
-all: subdirs modules user matches.man targets.man
-
-subdirs:
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
-
-subdirs-install:
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i install; done;
-
-user: ${targets}
-
-install: modules_install subdirs-install ${targets_install}
-	@mkdir -p "${DESTDIR}${xtlibdir}";
-	install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/";
-
-clean: clean_modules
-	@for i in ${subdirs_list}; do make -C $$i clean; done;
-	rm -f *.oo *.so;
-
-distclean: clean
-	rm -f .*.d .manpages.lst;
-
--include .*.d
-
-
-#
-#	Call out to kbuild
-#
-.PHONY: modules modules_install clean_modules
-
-modules:
-	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
-
-modules_install:
-	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
-
-clean_modules:
-	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
-
-
-#
-#	Shared libraries
-#
-lib%.so: lib%.oo
-	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
-
-lib%.oo: ${srcdir}/lib%.c
-	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-
-
-#
-#	Manpages
-#
-wcman_matches := $(wildcard ${srcdir}/libxt_[a-z]*.man)
-wcman_targets := $(wildcard ${srcdir}/libxt_[A-Z]*.man)
-wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
-wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
-
-.manpages.lst: FORCE
-	@echo "${wlist_targets} ${wlist_matches}" >$@.tmp; \
-	cmp -s $@ $@.tmp || mv $@.tmp $@; \
-	rm -f $@.tmp;
-
-man_run    = \
-	${am__verbose_GEN}for ext in $(1); do \
-		f="${srcdir}/libxt_$$ext.man"; \
-		if [ -f "$$f" ]; then \
-			echo ".SS $$ext"; \
-			cat "$$f"; \
-			continue; \
-		fi; \
-	done >$@;
-
-matches.man: .manpages.lst ${wcman_matches}
-	$(call man_run,${wlist_matches})
-
-targets.man: .manpages.lst ${wcman_targets}
-	$(call man_run,${wlist_targets})

extensions/Kbuild

@@ -1,27 +1,36 @@
 # -*- Makefile -*-
 
-include ${XA_TOPSRCDIR}/mconfig
--include ${XA_TOPSRCDIR}/mconfig.*
+include ${XA_ABSTOPSRCDIR}/mconfig
+-include ${XA_ABSTOPSRCDIR}/mconfig.*
 
 obj-m                    += compat_xtables.o
 
+obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
 obj-${build_DELUDE}      += xt_DELUDE.o
-obj-${build_DHCPADDR}    += xt_DHCPADDR.o
+obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
+obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o
+ifneq (${CONFIG_IPV6},)
+obj-${build_RAWNAT}      += ip6table_rawpost.o
+endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o
+obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o
 obj-${build_TEE}         += xt_TEE.o
 obj-${build_condition}   += xt_condition.o
 obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
+obj-${build_iface}       += xt_iface.o
 obj-${build_ipp2p}       += xt_ipp2p.o
 obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o
+obj-${build_pknock}      += pknock/
+obj-${build_psd}         += xt_psd.o
 obj-${build_quota2}      += xt_quota2.o
 
 -include ${M}/*.Kbuild

extensions/Makefile.am

@@ -0,0 +1,24 @@
+# -*- Makefile -*-
+# AUTOMAKE
+
+# Not having Kbuild in Makefile.extra because it will already recurse
+.PHONY: modules modules_install clean_modules
+
+_kcall = -C ${kbuilddir} M=${abs_srcdir}
+
+modules:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi;
+
+modules_install:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} INSTALL_MOD_PATH=${DESTDIR} ext-mod-dir='$${INSTALL_MOD_DIR}' modules_install; fi;
+
+clean_modules:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} clean; fi;
+
+all-local: modules
+
+install-exec-local: modules_install
+
+clean-local: clean_modules
+
+include ../Makefile.extra

extensions/Mbuild

@@ -1,18 +1,26 @@
+# -*- Makefile -*-
+
+obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
-obj-${build_DHCPADDR}    += libxt_DHCPADDR.so libxt_dhcpaddr.so
+obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
+obj-${build_RAWNAT}      += libxt_RAWDNAT.so libxt_RAWSNAT.so
+obj-${build_STEAL}       += libxt_STEAL.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
 obj-${build_TEE}         += libxt_TEE.so
 obj-${build_condition}   += libxt_condition.so
 obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
+obj-${build_iface}       += libxt_iface.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
 obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
+obj-${build_pknock}      += pknock/
+obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/compat_rawpost.h

@@ -0,0 +1,87 @@
+#ifndef XTA_COMPAT_RAWPOST_H
+#define XTA_COMPAT_RAWPOST_H 1
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
+typedef struct sk_buff sk_buff_t;
+#else
+typedef struct sk_buff *sk_buff_t;
+#endif
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
+#define XT_TARGET_INIT(__name, __size)					       \
+{									       \
+	.target.u.user = {						       \
+		.target_size	= XT_ALIGN(__size),			       \
+		.name		= __name,				       \
+	},								       \
+}
+
+#define IPT_ENTRY_INIT(__size)						       \
+{									       \
+	.target_offset	= sizeof(struct ipt_entry),			       \
+	.next_offset	= (__size),					       \
+}
+
+#define IPT_STANDARD_INIT(__verdict)					       \
+{									       \
+	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_standard)),	       \
+	.target		= XT_TARGET_INIT(IPT_STANDARD_TARGET,		       \
+					 sizeof(struct xt_standard_target)),   \
+	.target.verdict	= -(__verdict) - 1,				       \
+}
+
+#define IPT_ERROR_INIT							       \
+{									       \
+	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_error)),	       \
+	.target		= XT_TARGET_INIT(IPT_ERROR_TARGET,		       \
+					 sizeof(struct ipt_error_target)),     \
+	.target.errorname = "ERROR",					       \
+}
+
+#define IP6T_ENTRY_INIT(__size)						       \
+{									       \
+	.target_offset	= sizeof(struct ip6t_entry),			       \
+	.next_offset	= (__size),					       \
+}
+
+#define IP6T_STANDARD_INIT(__verdict)					       \
+{									       \
+	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
+	.target		= XT_TARGET_INIT(IP6T_STANDARD_TARGET,		       \
+					 sizeof(struct ip6t_standard_target)), \
+	.target.verdict	= -(__verdict) - 1,				       \
+}
+
+#define IP6T_ERROR_INIT							       \
+{									       \
+	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),	       \
+	.target		= XT_TARGET_INIT(IP6T_ERROR_TARGET,		       \
+					 sizeof(struct ip6t_error_target)),    \
+	.target.errorname = "ERROR",					       \
+}
+
+#endif /* 2.6.21 */
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
+#	include <linux/netfilter_ipv6/ip6_tables.h>
+/* Standard entry */
+struct ip6t_standard
+{
+	struct ip6t_entry entry;
+	struct ip6t_standard_target target;
+};
+
+struct ip6t_error_target
+{
+	struct ip6t_entry_target target;
+	char errorname[IP6T_FUNCTION_MAXNAMELEN];
+};
+
+struct ip6t_error
+{
+	struct ip6t_entry entry;
+	struct ip6t_error_target target;
+};
+#endif /* 2.6.20 */
+
+#endif /* XTA_COMPAT_RAWPOST_H */

extensions/compat_skbuff.h

@@ -4,13 +4,33 @@
 struct tcphdr;
 struct udphdr;
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 30)
+static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
+{
+	skb->dst = dst;
+}
+
+static inline struct dst_entry *skb_dst(const struct sk_buff *skb)
+{
+	return skb->dst;
+}
+
+static inline struct rtable *skb_rtable(const struct sk_buff *skb)
+{
+	return (void *)skb->dst;
+}
+#endif
+
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
 #	define skb_ifindex(skb) \
 		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
 #	define skb_ifindex(skb) (skb)->iif
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
+#else
+#	define skb_ifindex(skb) (skb)->skb_iif
+#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #endif
 
 #ifdef CONFIG_NETWORK_SECMARK

extensions/compat_xtables.c

@@ -20,11 +20,6 @@
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-typedef __u16 __bitwise __sum16;
-typedef __u32 __bitwise __wsum;
-#endif
-
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 static int xtnu_match_run(const struct sk_buff *skb,
     const struct net_device *in, const struct net_device *out,
@@ -447,6 +442,30 @@ int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp)
 	return ip_route_output_flow(rp, flp, NULL, 0);
 }
 EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
+
+void xtnu_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
+    __be32 from, __be32 to, bool pseudohdr)
+{
+	__be32 diff[] = {~from, to};
+	const void *dv = diff; /* kludge for < v2.6.19-555-g72685fc */
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	if (skb->ip_summed != CHECKSUM_PARTIAL) {
+		*sum = csum_fold(csum_partial(dv, sizeof(diff),
+		       ~csum_unfold(*sum)));
+		if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
+			skb->csum = ~csum_partial(dv, sizeof(diff),
+			            ~skb->csum);
+	} else if (pseudohdr) {
+		*sum = ~csum_fold(csum_partial(dv, sizeof(diff),
+		       csum_unfold(*sum)));
+	}
+#else
+	*sum = csum_fold(csum_partial(dv, sizeof(diff),
+	       ~csum_unfold(*sum)));
+#endif
+}
+EXPORT_SYMBOL_GPL(xtnu_proto_csum_replace4);
 #endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
@@ -468,7 +487,7 @@ static inline __wsum xtnu_csum_unfold(__sum16 n)
 	return (__force __wsum)n;
 }
 
-static inline void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
+void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
 {
 	__be32 diff[] = {~from, to};
 	*sum = csum_fold(csum_partial((char *)diff, sizeof(diff),
@@ -490,4 +509,18 @@ int xtnu_skb_linearize(struct sk_buff *skb)
 EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
 #endif
 
+void *HX_memmem(const void *space, size_t spacesize,
+    const void *point, size_t pointsize)
+{
+	size_t i;
+
+	if (pointsize > spacesize)
+		return NULL;
+	for (i = 0; i <= spacesize - pointsize; ++i)
+		if (memcmp(space + i, point, pointsize) == 0)
+			return (void *)space + i;
+	return NULL;
+}
+EXPORT_SYMBOL_GPL(HX_memmem);
+
 MODULE_LICENSE("GPL");

extensions/compat_xtables.h

@@ -6,6 +6,8 @@
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
 
+#define DEBUGP Use__pr_debug__instead
+
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
 #	warning Kernels below 2.6.17 not supported.
 #endif
@@ -35,6 +37,7 @@
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
 #	define neigh_hh_output xtnu_neigh_hh_output
 #	define IPPROTO_UDPLITE 136
+#	define CSUM_MANGLED_0 ((__force __sum16)0xffff)
 #endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
@@ -67,10 +70,23 @@
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
 #	define csum_replace2 xtnu_csum_replace2
+#	define csum_replace4 xtnu_csum_replace4
+#	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
 #	define csum_replace2 nf_csum_replace2
+#	define csum_replace4 nf_csum_replace4
+#	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
+#	define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
+#else
+#	define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
+#endif
+
+
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \
 		ntohs((addr).s6_addr16[0]), \

extensions/compat_xtnu.h

@@ -9,6 +9,10 @@
 typedef _Bool bool;
 enum { false = 0, true = 1, };
 #endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+typedef __u16 __bitwise __sum16;
+typedef __u32 __bitwise __wsum;
+#endif
 
 struct flowi;
 struct hh_cache;
@@ -122,6 +126,13 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
 	return q;
 }
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+static inline __wsum csum_unfold(__sum16 n)
+{
+	return (__force __wsum)n;
+}
+#endif
+
 extern int xtnu_ip_local_out(struct sk_buff *);
 extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
 extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
@@ -138,6 +149,11 @@ extern struct xt_match *xtnu_request_find_match(unsigned int,
 	const char *, uint8_t);
 extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);
 extern void xtnu_csum_replace2(__u16 __bitwise *, __be16, __be16);
+extern void xtnu_csum_replace4(__u16 __bitwise *, __be32, __be32);
+extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
+	__be32, __be32, bool);
 extern int xtnu_skb_linearize(struct sk_buff *);
 
+extern void *HX_memmem(const void *, size_t, const void *, size_t);
+
 #endif /* _COMPAT_XTNU_H */

extensions/ip6table_rawpost.c

@@ -0,0 +1,107 @@
+/*
+ *	rawpost table for ip6_tables
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	placed in the Public Domain
+ */
+#include <linux/module.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <net/ip.h>
+#include "compat_xtables.h"
+#include "compat_rawpost.h"
+
+enum {
+	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
+};
+
+static struct {
+	struct ip6t_replace repl;
+	struct ip6t_standard entries[1];
+	struct ip6t_error term;
+} rawpost6_initial __initdata = {
+	.repl = {
+		.name        = "rawpost",
+		.valid_hooks = RAWPOST_VALID_HOOKS,
+		.num_entries = 2,
+		.size        = sizeof(struct ip6t_standard) +
+		               sizeof(struct ip6t_error),
+		.hook_entry  = {
+			[NF_INET_POST_ROUTING] = 0,
+		},
+		.underflow = {
+			[NF_INET_POST_ROUTING] = 0,
+		},
+	},
+	.entries = {
+		IP6T_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
+	},
+	.term = IP6T_ERROR_INIT,		/* ERROR */
+};
+
+static struct xt_table *rawpost6_ptable;
+
+static struct xt_table rawpost6_itable = {
+	.name        = "rawpost",
+	.af          = NFPROTO_IPV6,
+	.valid_hooks = RAWPOST_VALID_HOOKS,
+	.me          = THIS_MODULE,
+};
+
+static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
+    const struct net_device *in, const struct net_device *out,
+    int (*okfn)(struct sk_buff *))
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
+#else
+	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable, NULL);
+#endif
+}
+
+static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
+	.hook     = rawpost6_hook_fn,
+	.pf       = NFPROTO_IPV6,
+	.hooknum  = NF_INET_POST_ROUTING,
+	.priority = NF_IP6_PRI_LAST,
+	.owner    = THIS_MODULE,
+};
+
+static int __init rawpost6_table_init(void)
+{
+	int ret;
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
+	rwlock_init(&rawpost6_itable.lock);
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
+	rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
+	                  &rawpost6_initial.repl);
+	if (IS_ERR(rawpost6_ptable))
+		return PTR_ERR(rawpost6_ptable);
+#else
+	ret = ip6t_register_table(&rawpost6_itable, &rawpost6_initial.repl);
+	if (ret < 0)
+		return ret;
+	rawpost6_ptable = &rawpost6_itable;
+#endif
+
+	ret = nf_register_hook(&rawpost6_hook_ops);
+	if (ret < 0)
+		goto out;
+
+	return ret;
+
+ out:
+	ip6t_unregister_table(rawpost6_ptable);
+	return ret;
+}
+
+static void __exit rawpost6_table_exit(void)
+{
+	nf_unregister_hook(&rawpost6_hook_ops);
+	ip6t_unregister_table(rawpost6_ptable);
+}
+
+module_init(rawpost6_table_init);
+module_exit(rawpost6_table_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_LICENSE("GPL");

extensions/ipset/.gitignore

@@ -1,3 +1 @@
-*.oo
-*.so
 /ipset

extensions/ipset/GNUmakefile.in

@@ -1,85 +0,0 @@
-# -*- Makefile -*-
-
-top_srcdir      := @top_srcdir@
-srcdir          := @srcdir@
-datarootdir     := @datarootdir@
-abstop_srcdir   := $(shell readlink -e ${top_srcdir})
-abssrcdir       := $(shell readlink -e ${srcdir})
-
-ifeq (${abstop_srcdir},)
-$(error Path resolution of ${top_srcdir} failed)
-endif
-ifeq (${abssrcdir},)
-$(error Path resolution of ${srcdir} failed)
-endif
-
-prefix          := @prefix@
-exec_prefix     := @exec_prefix@
-sbindir         := @sbindir@
-libdir          := @libdir@
-libexecdir      := @libexecdir@
-xtlibdir        := @xtlibdir@
-kbuilddir       := @kbuilddir@
-man8dir         := @mandir@/man8
-
-CC              := @CC@
-CCLD            := ${CC}
-CFLAGS          := @CFLAGS@
-LDFLAGS         := @LDFLAGS@
-regular_CFLAGS  := @regular_CFLAGS@
-kinclude_CFLAGS := @kinclude_CFLAGS@
-xtables_CFLAGS  := @xtables_CFLAGS@
-
-AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
-AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
-
-VU := 0
-am__1verbose_CC_0     = @echo "  CC      " $@;
-am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
-am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
-am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
-am__verbose_CC        = ${am__1verbose_CC_${VU}}
-am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
-
-#
-#	Building blocks
-#
-targets := $(addsuffix .so,$(addprefix libipset_, \
-	iphash ipmap ipporthash ipportiphash ipportnethash iptree \
-	iptreemap macipmap nethash portmap setlist))
-
-.SECONDARY:
-
-.PHONY: all install clean distclean FORCE
-
-all: ipset ${targets}
-
-install: all
-	@mkdir -p "${DESTDIR}${sbindir}" "${DESTDIR}${xtlibdir}" "${DESTDIR}${man8dir}";
-	install -pm0755 ipset "${DESTDIR}${sbindir}/";
-	install -pm0755 ${targets} "${DESTDIR}${xtlibdir}/";
-	install -pm0644 ipset.8 "${DESTDIR}${man8dir}/";
-
-clean:
-	rm -f *.oo *.so *.o ipset;
-
-distclean: clean
-	rm -f .*.d;
-
--include .*.d
-
-
-ipset: ipset.o
-	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -o $@ $< -ldl -rdynamic;
-
-#
-#	Shared libraries
-#
-lib%.so: lib%.oo
-	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
-
-libipset_%.oo: ${srcdir}/ipset_%.c
-	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-
-%.o: %.c
-	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} ${CFLAGS} -o $@ -c $<;

extensions/ipset/Kbuild

@@ -3,4 +3,4 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
-obj-m += ip_set_iptree.o ip_set_iptreemap.o
+obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/ipset/Makefile.am

@@ -0,0 +1,11 @@
+# -*- Makefile -*-
+
+AM_CFLAGS = ${regular_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
+
+include ../../Makefile.extra
+
+sbin_PROGRAMS = ipset
+ipset_LDADD   = -ldl
+ipset_LDFLAGS = -rdynamic
+
+man_MANS      = ipset.8

extensions/ipset/Mbuild

@@ -0,0 +1,7 @@
+# -*- Makefile -*-
+
+obj-m += $(addprefix lib,$(patsubst %.c,%.so,$(notdir \
+	$(wildcard ${XA_SRCDIR}/ipset_*.c))))
+
+libipset_%.oo: ${XA_SRCDIR}/ipset_%.c
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;

extensions/ipset/ip_set.h

@@ -48,7 +48,8 @@
 /* 
  * Used so that the kernel module and ipset-binary can match their versions 
  */
-#define IP_SET_PROTOCOL_VERSION 2
+#define IP_SET_PROTOCOL_UNALIGNED	3
+#define IP_SET_PROTOCOL_VERSION		4
 
 #define IP_SET_MAXNAMELEN 32	/* set names and set typenames */
 
@@ -236,7 +237,7 @@ struct ip_set_req_max_sets {
 struct ip_set_req_setnames {
 	unsigned op;
 	ip_set_id_t index;		/* set to list/save */
-	size_t size;			/* size to get setdata/bindings */
+	u_int32_t size;			/* size to get setdata */
 	/* followed by sets number of struct ip_set_name_list */
 };
 
@@ -258,9 +259,9 @@ struct ip_set_list {
 	ip_set_id_t index;
 	ip_set_id_t binding;
 	u_int32_t ref;
-	size_t header_size;	/* Set header data of header_size */
-	size_t members_size;	/* Set members data of members_size */
-	size_t bindings_size;	/* Set bindings data of bindings_size */
+	u_int32_t header_size;	/* Set header data of header_size */
+	u_int32_t members_size;	/* Set members data of members_size */
+	u_int32_t bindings_size;/* Set bindings data of bindings_size */
 };
 
 struct ip_set_hash_list {
@@ -277,8 +278,8 @@ struct ip_set_hash_list {
 struct ip_set_save {
 	ip_set_id_t index;
 	ip_set_id_t binding;
-	size_t header_size;	/* Set header data of header_size */
-	size_t members_size;	/* Set members data of members_size */
+	u_int32_t header_size;	/* Set header data of header_size */
+	u_int32_t members_size;	/* Set members data of members_size */
 };
 
 /* At restoring, ip == 0 means default binding for the given set: */
@@ -298,8 +299,8 @@ struct ip_set_restore {
 	char name[IP_SET_MAXNAMELEN];
 	char typename[IP_SET_MAXNAMELEN];
 	ip_set_id_t index;
-	size_t header_size;	/* Create data of header_size */
-	size_t members_size;	/* Set members data of members_size */
+	u_int32_t header_size;	/* Create data of header_size */
+	u_int32_t members_size;	/* Set members data of members_size */
 };
 
 static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
@@ -310,6 +311,11 @@ static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
 /* General limit for the elements in a set */
 #define MAX_RANGE 0x0000FFFF
 
+/* Alignment: 'unsigned long' unsupported */
+#define IPSET_ALIGNTO		4
+#define	IPSET_ALIGN(len) (((len) + IPSET_ALIGNTO - 1) & ~(IPSET_ALIGNTO - 1))
+#define IPSET_VALIGN(len, old) ((old) ? (len) : IPSET_ALIGN(len))
+
 #ifdef __KERNEL__
 #include "ip_set_compat.h"
 #include "ip_set_malloc.h"
@@ -358,22 +364,19 @@ struct ip_set_type {
 	 */
 	int (*testip_kernel) (struct ip_set *set,
 			      const struct sk_buff * skb, 
-			      ip_set_ip_t *ip,
-			      const u_int32_t *flags,
-			      unsigned char index);
+			      const u_int32_t *flags);
 
 	/* test for IP in set (userspace: ipset -T set IP)
 	 * return 0 if not in set, 1 if in set.
 	 */
 	int (*testip) (struct ip_set *set,
-		       const void *data, size_t size,
-		       ip_set_ip_t *ip);
+		       const void *data, u_int32_t size);
 
 	/*
 	 * Size of the data structure passed by when
 	 * adding/deletin/testing an entry.
 	 */
-	size_t reqsize;
+	u_int32_t reqsize;
 
 	/* Add IP into set (userspace: ipset -A set IP)
 	 * Return -EEXIST if the address is already in the set,
@@ -381,8 +384,7 @@ struct ip_set_type {
 	 * If the address was not already in the set, 0 is returned.
 	 */
 	int (*addip) (struct ip_set *set, 
-		      const void *data, size_t size,
-		      ip_set_ip_t *ip);
+		      const void *data, u_int32_t size);
 
 	/* Add IP into set (kernel: iptables ... -j SET set src|dst)
 	 * Return -EEXIST if the address is already in the set,
@@ -390,10 +392,8 @@ struct ip_set_type {
 	 * If the address was not already in the set, 0 is returned.
 	 */
 	int (*addip_kernel) (struct ip_set *set,
-			     const struct sk_buff * skb, 
-			     ip_set_ip_t *ip,
-			     const u_int32_t *flags,
-			     unsigned char index);
+			     const struct sk_buff * skb,
+			     const u_int32_t *flags);
 
 	/* remove IP from set (userspace: ipset -D set --entry x)
 	 * Return -EEXIST if the address is NOT in the set,
@@ -401,8 +401,7 @@ struct ip_set_type {
 	 * If the address really was in the set, 0 is returned.
 	 */
 	int (*delip) (struct ip_set *set, 
-		      const void *data, size_t size,
-		      ip_set_ip_t *ip);
+		      const void *data, u_int32_t size);
 
 	/* remove IP from set (kernel: iptables ... -j SET --entry x)
 	 * Return -EEXIST if the address is NOT in the set,
@@ -410,15 +409,13 @@ struct ip_set_type {
 	 * If the address really was in the set, 0 is returned.
 	 */
 	int (*delip_kernel) (struct ip_set *set,
-			     const struct sk_buff * skb, 
-			     ip_set_ip_t *ip,
-			     const u_int32_t *flags,
-			     unsigned char index);
+			     const struct sk_buff * skb,
+			     const u_int32_t *flags);
 
 	/* new set creation - allocated type specific items
 	 */
 	int (*create) (struct ip_set *set,
-		       const void *data, size_t size);
+		       const void *data, u_int32_t size);
 
 	/* retry the operation after successfully tweaking the set
 	 */
@@ -437,7 +434,7 @@ struct ip_set_type {
 
 	/* Listing: size needed for header
 	 */
-	size_t header_size;
+	u_int32_t header_size;
 
 	/* Listing: Get the header
 	 *
@@ -451,7 +448,7 @@ struct ip_set_type {
 
 	/* Listing: Get the size for the set members
 	 */
-	int (*list_members_size) (const struct ip_set *set);
+	int (*list_members_size) (const struct ip_set *set, char dont_align);
 
 	/* Listing: Get the set members
 	 *
@@ -461,7 +458,7 @@ struct ip_set_type {
 	 * correct. 
 	 */
 	void (*list_members) (const struct ip_set *set,
-			      void *data);
+			      void *data, char dont_align);
 
 	char typename[IP_SET_MAXNAMELEN];
 	unsigned char features;
@@ -479,20 +476,11 @@ struct ip_set {
 	char name[IP_SET_MAXNAMELEN];	/* the name of the set */
 	rwlock_t lock;			/* lock for concurrency control */
 	ip_set_id_t id;			/* set id for swapping */
-	ip_set_id_t binding;		/* default binding for the set */
 	atomic_t ref;			/* in kernel and in hash references */
 	struct ip_set_type *type; 	/* the set types */
 	void *data;			/* pooltype specific data */
 };
 
-/* Structure to bind set elements to sets */
-struct ip_set_hash {
-	struct list_head list;		/* list of clashing entries in hash */
-	ip_set_ip_t ip;			/* ip from set */
-	ip_set_id_t id;			/* set id */
-	ip_set_id_t binding;		/* set we bind the element to */
-};
-
 /* register and unregister set references */
 extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
 extern ip_set_id_t ip_set_get_byindex(ip_set_id_t index);
@@ -523,12 +511,11 @@ extern int ip_set_testip_kernel(ip_set_id_t id,
 
 #define UADT0(type, adt, args...)					\
 static int								\
-FNAME(type,_u,adt)(struct ip_set *set, const void *data, size_t size,	\
-	     ip_set_ip_t *hash_ip)					\
+FNAME(type,_u,adt)(struct ip_set *set, const void *data, u_int32_t size)\
 {									\
 	const STRUCT(ip_set_req_,type) *req = data;			\
 									\
-	return FNAME(type,_,adt)(set, hash_ip , ## args);		\
+	return FNAME(type,_,adt)(set , ## args);			\
 }
 
 #define UADT(type, adt, args...)					\
@@ -538,14 +525,12 @@ FNAME(type,_u,adt)(struct ip_set *set, const void *data, size_t size,	\
 static int								\
 FNAME(type,_k,adt)(struct ip_set *set,					\
 	     const struct sk_buff *skb,					\
-	     ip_set_ip_t *hash_ip,					\
-	     const u_int32_t *flags,					\
-	     unsigned char index)					\
+	     const u_int32_t *flags)					\
 {									\
-	ip_set_ip_t ip = getfn(skb, flags[index]);			\
+	ip_set_ip_t ip = getfn(skb, flags);				\
 									\
 	KADT_CONDITION							\
-	return FNAME(type,_,adt)(set, hash_ip, ip , ##args);		\
+	return FNAME(type,_,adt)(set, ip , ##args);			\
 }
 
 #define REGISTER_MODULE(type)						\
@@ -567,9 +552,9 @@ module_exit(ip_set_##type##_fini);
 /* Common functions */
 
 static inline ip_set_ip_t
-ipaddr(const struct sk_buff *skb, u_int32_t flag)
+ipaddr(const struct sk_buff *skb, const u_int32_t *flags)
 {
-	return ntohl(flag & IPSET_SRC ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr);
+	return ntohl(flags[0] & IPSET_SRC ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr);
 }
 
 #define jhash_ip(map, i, ip)	jhash_1word(ip, *(map->initval + i))
@@ -579,4 +564,6 @@ ipaddr(const struct sk_buff *skb, u_int32_t flag)
 
 #endif				/* __KERNEL__ */
 
+#define UNUSED __attribute__ ((unused))
+
 #endif /*_IP_SET_H*/

extensions/ipset/ip_set_bitmaps.h

@@ -6,7 +6,7 @@
 #ifdef __KERNEL__
 #define BITMAP_CREATE(type)						\
 static int								\
-type##_create(struct ip_set *set, const void *data, size_t size)	\
+type##_create(struct ip_set *set, const void *data, u_int32_t size)	\
 {									\
 	int newbytes;							\
 	const struct ip_set_req_##type##_create *req = data;		\
@@ -19,8 +19,8 @@ type##_create(struct ip_set *set, const void *data, size_t size)	\
 									\
 	map = kmalloc(sizeof(struct ip_set_##type), GFP_KERNEL);	\
 	if (!map) {							\
-		DP("out of memory for %d bytes",			\
-		   sizeof(struct ip_set_#type));			\
+		DP("out of memory for %zu bytes",			\
+		   sizeof(struct ip_set_##type));			\
 		return -ENOMEM;						\
 	}								\
 	map->first_ip = req->from;					\
@@ -35,7 +35,7 @@ type##_create(struct ip_set *set, const void *data, size_t size)	\
 	map->size = newbytes;						\
 	map->members = ip_set_malloc(newbytes);				\
 	if (!map->members) {						\
-		DP("out of memory for %d bytes", newbytes);		\
+		DP("out of memory for %i bytes", newbytes);		\
 		kfree(map);						\
 		return -ENOMEM;						\
 	}								\
@@ -77,22 +77,21 @@ type##_list_header(const struct ip_set *set, void *data)		\
 	__##type##_list_header(map, header);				\
 }
 
-#define BITMAP_LIST_MEMBERS_SIZE(type)					\
+#define BITMAP_LIST_MEMBERS_SIZE(type, dtype, sizeid, testfn)		\
 static int								\
-type##_list_members_size(const struct ip_set *set)			\
+type##_list_members_size(const struct ip_set *set, char dont_align)	\
 {									\
 	const struct ip_set_##type *map = set->data;			\
+	ip_set_ip_t i, elements = 0;					\
 									\
-	return map->size;						\
-}
-
-#define BITMAP_LIST_MEMBERS(type)					\
-static void								\
-type##_list_members(const struct ip_set *set, void *data)		\
-{									\
-	const struct ip_set_##type *map = set->data;			\
+	if (dont_align)							\
+		return map->size;					\
 									\
-	memcpy(data, map->members, map->size);				\
+	for (i = 0; i < sizeid; i++)					\
+		if (testfn)						\
+			elements++;					\
+									\
+	return elements * IPSET_ALIGN(sizeof(dtype));			\
 }
 
 #define IP_SET_TYPE(type, __features)					\

extensions/ipset/ip_set_compat.h

@@ -58,13 +58,35 @@ static inline void *kzalloc(size_t size, gfp_t flags)
 #endif
 
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
+#include <linux/netfilter.h>
 #define KMEM_CACHE_CREATE(name, size) \
 	kmem_cache_create(name, size, 0, 0, NULL, NULL)
 #else
 #define KMEM_CACHE_CREATE(name, size) \
 	kmem_cache_create(name, size, 0, 0, NULL)
 #endif
-  
+
+#ifndef NIPQUAD
+#define NIPQUAD(addr) \
+	((unsigned char *)&addr)[0], \
+	((unsigned char *)&addr)[1], \
+	((unsigned char *)&addr)[2], \
+	((unsigned char *)&addr)[3]
+#endif
+
+#ifndef HIPQUAD
+#if defined(__LITTLE_ENDIAN)
+#define HIPQUAD(addr) \
+	((unsigned char *)&addr)[3], \
+	((unsigned char *)&addr)[2], \
+	((unsigned char *)&addr)[1], \
+	((unsigned char *)&addr)[0]
+#elif defined(__BIG_ENDIAN)
+#define HIPQUAD NIPQUAD
+#else
+#error "Please fix asm/byteorder.h"
+#endif /* __LITTLE_ENDIAN */
+#endif
 
 #endif /* __KERNEL__ */
 #endif /* _IP_SET_COMPAT_H */   

extensions/ipset/ip_set_getport.h

@@ -7,7 +7,7 @@
 
 /* We must handle non-linear skbs */
 static inline ip_set_ip_t
-get_port(const struct sk_buff *skb, u_int32_t flags)
+get_port(const struct sk_buff *skb, const u_int32_t *flags)
 {
 	struct iphdr *iph = ip_hdr(skb);
 	u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET;
@@ -23,7 +23,7 @@ get_port(const struct sk_buff *skb, u_int32_t flags)
 			/* No choice either */
 			return INVALID_PORT;
 	     	
-	     	return ntohs(flags & IPSET_SRC ?
+	     	return ntohs(flags[0] & IPSET_SRC ?
 			     tcph.source : tcph.dest);
 	    }
 	case IPPROTO_UDP: {
@@ -36,7 +36,7 @@ get_port(const struct sk_buff *skb, u_int32_t flags)
 			/* No choice either */
 			return INVALID_PORT;
 	     	
-	     	return ntohs(flags & IPSET_SRC ?
+	     	return ntohs(flags[0] & IPSET_SRC ?
 			     udph.source : udph.dest);
 	    }
 	default:

extensions/ipset/ip_set_hashes.h

@@ -28,20 +28,22 @@ type##_retry(struct ip_set *set)					\
 		hashsize++;						\
 									\
 	ip_set_printk("rehashing of set %s triggered: "			\
-		      "hashsize grows from %u to %u",			\
-		      set->name, map->hashsize, hashsize);		\
+		      "hashsize grows from %lu to %lu",			\
+		      set->name,					\
+		      (long unsigned)map->hashsize,			\
+		      (long unsigned)hashsize);				\
 		      							\
 	tmp = kmalloc(sizeof(struct ip_set_##type)			\
 		      + map->probes * sizeof(initval_t), GFP_ATOMIC);	\
 	if (!tmp) {							\
-		DP("out of memory for %d bytes",			\
+		DP("out of memory for %zu bytes",			\
 		   sizeof(struct ip_set_##type)				\
 		   + map->probes * sizeof(initval_t));			\
 		return -ENOMEM;						\
 	}								\
 	tmp->members = harray_malloc(hashsize, sizeof(dtype), GFP_ATOMIC);\
 	if (!tmp->members) {						\
-		DP("out of memory for %d bytes", hashsize * sizeof(dtype));\
+		DP("out of memory for %zu bytes", hashsize * sizeof(dtype));\
 		kfree(tmp);						\
 		return -ENOMEM;						\
 	}								\
@@ -88,7 +90,7 @@ type##_retry(struct ip_set *set)					\
 
 #define HASH_CREATE(type, dtype)					\
 static int								\
-type##_create(struct ip_set *set, const void *data, size_t size)	\
+type##_create(struct ip_set *set, const void *data, u_int32_t size)	\
 {									\
 	const struct ip_set_req_##type##_create *req = data;		\
 	struct ip_set_##type *map;					\
@@ -107,7 +109,7 @@ type##_create(struct ip_set *set, const void *data, size_t size)	\
 	map = kmalloc(sizeof(struct ip_set_##type)			\
 		      + req->probes * sizeof(initval_t), GFP_KERNEL);	\
 	if (!map) {							\
-		DP("out of memory for %d bytes",			\
+		DP("out of memory for %zu bytes",			\
 		   sizeof(struct ip_set_##type)				\
 		   + req->probes * sizeof(initval_t));			\
 		return -ENOMEM;						\
@@ -124,7 +126,7 @@ type##_create(struct ip_set *set, const void *data, size_t size)	\
 	}								\
 	map->members = harray_malloc(map->hashsize, sizeof(dtype), GFP_KERNEL);\
 	if (!map->members) {						\
-		DP("out of memory for %d bytes", map->hashsize * sizeof(dtype));\
+		DP("out of memory for %zu bytes", map->hashsize * sizeof(dtype));\
 		kfree(map);						\
 		return -ENOMEM;						\
 	}								\
@@ -180,38 +182,46 @@ type##_list_header(const struct ip_set *set, void *data)		\
 
 #define HASH_LIST_MEMBERS_SIZE(type, dtype)				\
 static int								\
-type##_list_members_size(const struct ip_set *set)			\
+type##_list_members_size(const struct ip_set *set, char dont_align)	\
 {									\
 	const struct ip_set_##type *map = set->data;			\
 									\
-	return (map->hashsize * sizeof(dtype));				\
+	return (map->elements * IPSET_VALIGN(sizeof(dtype), dont_align));\
 }
 
 #define HASH_LIST_MEMBERS(type, dtype)					\
 static void								\
-type##_list_members(const struct ip_set *set, void *data)		\
+type##_list_members(const struct ip_set *set, void *data, char dont_align)\
 {									\
 	const struct ip_set_##type *map = set->data;			\
-	dtype *elem;							\
-	uint32_t i;							\
+	dtype *elem, *d;						\
+	uint32_t i, n = 0;						\
 									\
 	for (i = 0; i < map->hashsize; i++) {				\
 		elem = HARRAY_ELEM(map->members, dtype *, i);		\
-		((dtype *)data)[i] = *elem;				\
+		if (*elem) {						\
+			d = data + n * IPSET_VALIGN(sizeof(dtype), dont_align);\
+			*d = *elem;					\
+			n++;						\
+		}							\
 	}								\
 }
 
-#define HASH_LIST_MEMBERS_MEMCPY(type, dtype)				\
+#define HASH_LIST_MEMBERS_MEMCPY(type, dtype, nonzero)			\
 static void								\
-type##_list_members(const struct ip_set *set, void *data)		\
+type##_list_members(const struct ip_set *set, void *data, char dont_align)\
 {									\
 	const struct ip_set_##type *map = set->data;			\
 	dtype *elem;							\
-	uint32_t i;							\
+	uint32_t i, n = 0;						\
 									\
 	for (i = 0; i < map->hashsize; i++) {				\
 		elem = HARRAY_ELEM(map->members, dtype *, i);		\
-		memcpy((((dtype *)data)+i), elem, sizeof(dtype));	\
+		if (nonzero) {						\
+			memcpy(data + n * IPSET_VALIGN(sizeof(dtype), dont_align),\
+			       elem, sizeof(dtype));			\
+			n++;						\
+		}							\
 	}								\
 }
 

extensions/ipset/ip_set_iphash.c

@@ -25,22 +25,21 @@
 static int limit = MAX_RANGE;
 
 static inline __u32
-iphash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+iphash_id(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iphash *map = set->data;
 	__u32 id;
 	u_int16_t i;
 	ip_set_ip_t *elem;
 
-	*hash_ip = ip & map->netmask;
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip), HIPQUAD(map->netmask));
-	
+
+	ip &= map->netmask;	
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
 	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip(map, i, *hash_ip) % map->hashsize;
+		id = jhash_ip(map, i, ip) % map->hashsize;
 		DP("hash key: %u", id);
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-		if (*elem == *hash_ip)
+		if (*elem == ip)
 			return id;
 		/* No shortcut - there can be deleted entries. */
 	}
@@ -48,9 +47,9 @@ iphash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 }
 
 static inline int
-iphash_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+iphash_test(struct ip_set *set, ip_set_ip_t ip)
 {
-	return (ip && iphash_id(set, hash_ip, ip) != UINT_MAX);
+	return (ip && iphash_id(set, ip) != UINT_MAX);
 }
 
 #define KADT_CONDITION
@@ -84,16 +83,15 @@ __iphash_add(struct ip_set_iphash *map, ip_set_ip_t *ip)
 }
 
 static inline int
-iphash_add(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+iphash_add(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iphash *map = set->data;
 	
 	if (!ip || map->elements >= limit)
 		return -ERANGE;
 
-	*hash_ip = ip & map->netmask;
-	
-	return __iphash_add(map, hash_ip);
+	ip &= map->netmask;
+	return __iphash_add(map, &ip);
 }
 
 UADT(iphash, add)
@@ -108,7 +106,7 @@ __iphash_retry(struct ip_set_iphash *tmp, struct ip_set_iphash *map)
 HASH_RETRY(iphash, ip_set_ip_t)
 
 static inline int
-iphash_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+iphash_del(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iphash *map = set->data;
 	ip_set_ip_t id, *elem;
@@ -116,7 +114,7 @@ iphash_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 	if (!ip)
 		return -ERANGE;
 
-	id = iphash_id(set, hash_ip, ip);
+	id = iphash_id(set, ip);
 	if (id == UINT_MAX)
 		return -EEXIST;
 		

extensions/ipset/ip_set_iphash.h

@@ -4,7 +4,7 @@
 #include "ip_set.h"
 #include "ip_set_hashes.h"
 
-#define SETTYPE_NAME "iphash"
+#define SETTYPE_NAME		"iphash"
 
 struct ip_set_iphash {
 	ip_set_ip_t *members;		/* the iphash proper */

extensions/ipset/ip_set_ipmap.c

@@ -22,21 +22,19 @@
 static inline ip_set_ip_t
 ip_to_id(const struct ip_set_ipmap *map, ip_set_ip_t ip)
 {
-	return (ip - map->first_ip)/map->hosts;
+	return ((ip & map->netmask) - map->first_ip)/map->hosts;
 }
 
 static inline int
-ipmap_test(const struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+ipmap_test(const struct ip_set *set, ip_set_ip_t ip)
 {
 	const struct ip_set_ipmap *map = set->data;
 	
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = ip & map->netmask;
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip));
-	return !!test_bit(ip_to_id(map, *hash_ip), map->members);
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
+	return !!test_bit(ip_to_id(map, ip), map->members);
 }
 
 #define KADT_CONDITION
@@ -45,16 +43,15 @@ UADT(ipmap, test)
 KADT(ipmap, test, ipaddr)
 
 static inline int
-ipmap_add(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+ipmap_add(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_ipmap *map = set->data;
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = ip & map->netmask;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
-	if (test_and_set_bit(ip_to_id(map, *hash_ip), map->members))
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
+	if (test_and_set_bit(ip_to_id(map, ip), map->members))
 		return -EEXIST;
 
 	return 0;
@@ -64,16 +61,15 @@ UADT(ipmap, add)
 KADT(ipmap, add, ipaddr)
 
 static inline int
-ipmap_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+ipmap_del(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_ipmap *map = set->data;
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = ip & map->netmask;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
-	if (!test_and_clear_bit(ip_to_id(map, *hash_ip), map->members))
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
+	if (!test_and_clear_bit(ip_to_id(map, ip), map->members))
 		return -EEXIST;
 	
 	return 0;
@@ -130,8 +126,28 @@ __ipmap_list_header(const struct ip_set_ipmap *map,
 }
 
 BITMAP_LIST_HEADER(ipmap)
-BITMAP_LIST_MEMBERS_SIZE(ipmap)
-BITMAP_LIST_MEMBERS(ipmap)
+BITMAP_LIST_MEMBERS_SIZE(ipmap, ip_set_ip_t, map->sizeid,
+			 test_bit(i, map->members))
+
+static void
+ipmap_list_members(const struct ip_set *set, void *data, char dont_align)
+{
+	const struct ip_set_ipmap *map = set->data;
+	uint32_t i, n = 0;
+	ip_set_ip_t *d;
+	
+	if (dont_align) {
+		memcpy(data, map->members, map->size);
+		return;
+	}
+	
+	for (i = 0; i < map->sizeid; i++)
+		if (test_bit(i, map->members)) {
+			d = data + n * IPSET_ALIGN(sizeof(ip_set_ip_t));
+			*d = map->first_ip + i * map->hosts;
+			n++;
+		}
+}
 
 IP_SET_TYPE(ipmap, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
 

extensions/ipset/ip_set_ipmap.h

@@ -4,7 +4,7 @@
 #include "ip_set.h"
 #include "ip_set_bitmaps.h"
 
-#define SETTYPE_NAME "ipmap"
+#define SETTYPE_NAME		"ipmap"
 
 struct ip_set_ipmap {
 	void *members;			/* the ipmap proper */
@@ -13,7 +13,7 @@ struct ip_set_ipmap {
 	ip_set_ip_t netmask;		/* subnet netmask */
 	ip_set_ip_t sizeid;		/* size of set in IPs */
 	ip_set_ip_t hosts;		/* number of hosts in a subnet */
-	size_t size;			/* size of the ipmap proper */
+	u_int32_t size;			/* size of the ipmap proper */
 };
 
 struct ip_set_req_ipmap_create {

extensions/ipset/ip_set_ipporthash.c

@@ -28,26 +28,23 @@
 static int limit = MAX_RANGE;
 
 static inline __u32
-ipporthash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
-	      ip_set_ip_t ip, ip_set_ip_t port)
+ipporthash_id(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 {
 	struct ip_set_ipporthash *map = set->data;
 	__u32 id;
 	u_int16_t i;
 	ip_set_ip_t *elem;
 
-	*hash_ip = pack_ip_port(map, ip, port);
+	ip = pack_ip_port(map, ip, port);
 		
-	DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip));
-	if (!*hash_ip)
+	if (!ip)
 		return UINT_MAX;
 	
 	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip(map, i, *hash_ip) % map->hashsize;
+		id = jhash_ip(map, i, ip) % map->hashsize;
 		DP("hash key: %u", id);
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-		if (*elem == *hash_ip)
+		if (*elem == ip)
 			return id;
 		/* No shortcut - there can be deleted entries. */
 	}
@@ -55,24 +52,23 @@ ipporthash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 }
 
 static inline int
-ipporthash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
-		ip_set_ip_t ip, ip_set_ip_t port)
+ipporthash_test(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 {
 	struct ip_set_ipporthash *map = set->data;
 	
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	return (ipporthash_id(set, hash_ip, ip, port) != UINT_MAX);
+	return (ipporthash_id(set, ip, port) != UINT_MAX);
 }
 
 #define KADT_CONDITION						\
 	ip_set_ip_t port;					\
 								\
-	if (flags[index+1] == 0)				\
+	if (flags[1] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags[index+1]);			\
+	port = get_port(skb, flags++);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;
@@ -106,8 +102,7 @@ __ipporthash_add(struct ip_set_ipporthash *map, ip_set_ip_t *ip)
 }
 
 static inline int
-ipporthash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-	       ip_set_ip_t ip, ip_set_ip_t port)
+ipporthash_add(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 {
 	struct ip_set_ipporthash *map = set->data;
 	if (map->elements > limit)
@@ -115,12 +110,12 @@ ipporthash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = pack_ip_port(map, ip, port);
+	ip = pack_ip_port(map, ip, port);
 
-	if (!*hash_ip)
+	if (!ip)
 		return -ERANGE;
 	
-	return __ipporthash_add(map, hash_ip);
+	return __ipporthash_add(map, &ip);
 }
 
 UADT(ipporthash, add, req->port)
@@ -137,8 +132,7 @@ __ipporthash_retry(struct ip_set_ipporthash *tmp,
 HASH_RETRY(ipporthash, ip_set_ip_t)
 
 static inline int
-ipporthash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	       ip_set_ip_t ip, ip_set_ip_t port)
+ipporthash_del(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 {
 	struct ip_set_ipporthash *map = set->data;
 	ip_set_ip_t id;
@@ -147,7 +141,7 @@ ipporthash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	id = ipporthash_id(set, hash_ip, ip, port);
+	id = ipporthash_id(set, ip, port);
 
 	if (id == UINT_MAX)
 		return -EEXIST;

extensions/ipset/ip_set_ipporthash.h

@@ -4,7 +4,7 @@
 #include "ip_set.h"
 #include "ip_set_hashes.h"
 
-#define SETTYPE_NAME "ipporthash"
+#define SETTYPE_NAME			"ipporthash"
 
 struct ip_set_ipporthash {
 	ip_set_ip_t *members;		/* the ipporthash proper */

extensions/ipset/ip_set_ipportiphash.c

@@ -31,7 +31,7 @@ static int limit = MAX_RANGE;
 	jhash_2words(ipport, ip1, *(map->initval + i))
 
 static inline __u32
-ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportiphash_id(struct ip_set *set,
 		ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
 {
 	struct ip_set_ipportiphash *map = set->data;
@@ -39,17 +39,15 @@ ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 	u_int16_t i;
 	struct ipportip *elem;
 
-	*hash_ip = pack_ip_port(map, ip, port);
-	DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip));
-	if (!(*hash_ip || ip1))
+	ip = pack_ip_port(map, ip, port);
+	if (!(ip || ip1))
 		return UINT_MAX;
 	
 	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip2(map, i, *hash_ip, ip1) % map->hashsize;
+		id = jhash_ip2(map, i, ip, ip1) % map->hashsize;
 		DP("hash key: %u", id);
 		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
-		if (elem->ip == *hash_ip && elem->ip1 == ip1)
+		if (elem->ip == ip && elem->ip1 == ip1)
 			return id;
 		/* No shortcut - there can be deleted entries. */
 	}
@@ -57,7 +55,7 @@ ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 }
 
 static inline int
-ipportiphash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportiphash_test(struct ip_set *set,
 		  ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
 {
 	struct ip_set_ipportiphash *map = set->data;
@@ -65,17 +63,17 @@ ipportiphash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	return (ipportiphash_id(set, hash_ip, ip, port, ip1) != UINT_MAX);
+	return (ipportiphash_id(set, ip, port, ip1) != UINT_MAX);
 }
 
 #define KADT_CONDITION						\
 	ip_set_ip_t port, ip1;					\
 								\
-	if (flags[index+2] == 0)				\
+	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags[index+1]);			\
-	ip1 = ipaddr(skb, flags[index+2]);			\
+	port = get_port(skb, flags++);				\
+	ip1 = ipaddr(skb, flags++);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;
@@ -85,23 +83,23 @@ KADT(ipportiphash, test, ipaddr, port, ip1)
 
 static inline int
 __ipportip_add(struct ip_set_ipportiphash *map,
-	       ip_set_ip_t hash_ip, ip_set_ip_t ip1)
+	       ip_set_ip_t ip, ip_set_ip_t ip1)
 {
 	__u32 probe;
 	u_int16_t i;
 	struct ipportip *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
+		probe = jhash_ip2(map, i, ip, ip1) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
-		if (elem->ip == hash_ip && elem->ip1 == ip1)
+		if (elem->ip == ip && elem->ip1 == ip1)
 			return -EEXIST;
 		if (!(slot || elem->ip || elem->ip1))
 			slot = elem;
 		/* There can be deleted entries, must check all slots */
 	}
 	if (slot) {
-		slot->ip = hash_ip;
+		slot->ip = ip;
 		slot->ip1 = ip1;
 		map->elements++;
 		return 0;
@@ -118,7 +116,7 @@ __ipportiphash_add(struct ip_set_ipportiphash *map,
 }
 
 static inline int
-ipportiphash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportiphash_add(struct ip_set *set,
 		 ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
 {
 	struct ip_set_ipportiphash *map = set->data;
@@ -128,11 +126,11 @@ ipportiphash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = pack_ip_port(map, ip, port);
-	if (!(*hash_ip || ip1))
+	ip = pack_ip_port(map, ip, port);
+	if (!(ip || ip1))
 		return -ERANGE;
 	
-	return __ipportip_add(map, *hash_ip, ip1);
+	return __ipportip_add(map, ip, ip1);
 }
 
 UADT(ipportiphash, add, req->port, req->ip1)
@@ -149,7 +147,7 @@ __ipportiphash_retry(struct ip_set_ipportiphash *tmp,
 HASH_RETRY2(ipportiphash, struct ipportip)
 
 static inline int
-ipportiphash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportiphash_del(struct ip_set *set,
 	       ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
 {
 	struct ip_set_ipportiphash *map = set->data;
@@ -159,7 +157,7 @@ ipportiphash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	id = ipportiphash_id(set, hash_ip, ip, port, ip1);
+	id = ipportiphash_id(set, ip, port, ip1);
 
 	if (id == UINT_MAX)
 		return -EEXIST;
@@ -202,7 +200,8 @@ __ipportiphash_list_header(const struct ip_set_ipportiphash *map,
 
 HASH_LIST_HEADER(ipportiphash)
 HASH_LIST_MEMBERS_SIZE(ipportiphash, struct ipportip)
-HASH_LIST_MEMBERS_MEMCPY(ipportiphash, struct ipportip)
+HASH_LIST_MEMBERS_MEMCPY(ipportiphash, struct ipportip,
+			 (elem->ip || elem->ip1))
 
 IP_SET_RTYPE(ipportiphash, IPSET_TYPE_IP | IPSET_TYPE_PORT
 			   | IPSET_TYPE_IP1 | IPSET_DATA_TRIPLE)

extensions/ipset/ip_set_ipportiphash.h

@@ -4,7 +4,7 @@
 #include "ip_set.h"
 #include "ip_set_hashes.h"
 
-#define SETTYPE_NAME "ipportiphash"
+#define SETTYPE_NAME			"ipportiphash"
 
 struct ipportip {
 	ip_set_ip_t ip;

extensions/ipset/ip_set_ipportnethash.c

@@ -31,7 +31,7 @@ static int limit = MAX_RANGE;
 	jhash_2words(ipport, ip1, *(map->initval + i))
 
 static inline __u32
-ipportnethash_id_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportnethash_id_cidr(struct ip_set *set,
 		      ip_set_ip_t ip, ip_set_ip_t port,
 		      ip_set_ip_t ip1, uint8_t cidr)
 {
@@ -40,18 +40,16 @@ ipportnethash_id_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
 	u_int16_t i;
 	struct ipportip *elem;
 
-	*hash_ip = pack_ip_port(map, ip, port);
-	DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip));
+	ip = pack_ip_port(map, ip, port);
 	ip1 = pack_ip_cidr(ip1, cidr);
-	if (!(*hash_ip || ip1))
+	if (!(ip || ip1))
 		return UINT_MAX;
 	
 	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip2(map, i, *hash_ip, ip1) % map->hashsize;
+		id = jhash_ip2(map, i, ip, ip1) % map->hashsize;
 		DP("hash key: %u", id);
 		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
-		if (elem->ip == *hash_ip && elem->ip1 == ip1)
+		if (elem->ip == ip && elem->ip1 == ip1)
 			return id;
 		/* No shortcut - there can be deleted entries. */
 	}
@@ -59,7 +57,7 @@ ipportnethash_id_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
 }
 
 static inline __u32
-ipportnethash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportnethash_id(struct ip_set *set,
 		 ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
 {
 	struct ip_set_ipportnethash *map = set->data;
@@ -67,8 +65,7 @@ ipportnethash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 	int i;
 
 	for (i = 0; i < 30 && map->cidr[i]; i++) {
-		id = ipportnethash_id_cidr(set, hash_ip, ip, port, ip1, 
-					   map->cidr[i]);
+		id = ipportnethash_id_cidr(set, ip, port, ip1, map->cidr[i]);
 		if (id != UINT_MAX)
 			break;
 	}
@@ -76,7 +73,7 @@ ipportnethash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 }
 
 static inline int
-ipportnethash_test_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportnethash_test_cidr(struct ip_set *set,
 			ip_set_ip_t ip, ip_set_ip_t port,
 			ip_set_ip_t ip1, uint8_t cidr)
 {
@@ -85,12 +82,11 @@ ipportnethash_test_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	return (ipportnethash_id_cidr(set, hash_ip, ip, port, ip1,
-				      cidr) != UINT_MAX);
+	return (ipportnethash_id_cidr(set, ip, port, ip1, cidr) != UINT_MAX);
 }
 
 static inline int
-ipportnethash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportnethash_test(struct ip_set *set,
 		  ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
 {
 	struct ip_set_ipportnethash *map = set->data;
@@ -98,32 +94,30 @@ ipportnethash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	return (ipportnethash_id(set, hash_ip, ip, port, ip1) != UINT_MAX);
+	return (ipportnethash_id(set, ip, port, ip1) != UINT_MAX);
 }
 
 static int
-ipportnethash_utest(struct ip_set *set, const void *data, size_t size,
-		    ip_set_ip_t *hash_ip)
+ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_req_ipportnethash *req = data;
 
 	if (req->cidr <= 0 || req->cidr > 32)
 		return -EINVAL;
 	return (req->cidr == 32 
-		? ipportnethash_test(set, hash_ip, req->ip, req->port,
-				     req->ip1)
-		: ipportnethash_test_cidr(set, hash_ip, req->ip, req->port,
+		? ipportnethash_test(set, req->ip, req->port, req->ip1)
+		: ipportnethash_test_cidr(set, req->ip, req->port,
 					  req->ip1, req->cidr));
 }
 
 #define KADT_CONDITION						\
 	ip_set_ip_t port, ip1;					\
 								\
-	if (flags[index+2] == 0)				\
+	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags[index+1]);			\
-	ip1 = ipaddr(skb, flags[index+2]);			\
+	port = get_port(skb, flags++);				\
+	ip1 = ipaddr(skb, flags++);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;
@@ -132,23 +126,23 @@ KADT(ipportnethash, test, ipaddr, port, ip1)
 
 static inline int
 __ipportnet_add(struct ip_set_ipportnethash *map,
-		ip_set_ip_t hash_ip, ip_set_ip_t ip1)
+		ip_set_ip_t ip, ip_set_ip_t ip1)
 {
 	__u32 probe;
 	u_int16_t i;
 	struct ipportip *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
+		probe = jhash_ip2(map, i, ip, ip1) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
-		if (elem->ip == hash_ip && elem->ip1 == ip1)
+		if (elem->ip == ip && elem->ip1 == ip1)
 			return -EEXIST;
 		if (!(slot || elem->ip || elem->ip1))
 			slot = elem;
 		/* There can be deleted entries, must check all slots */
 	}
 	if (slot) {
-		slot->ip = hash_ip;
+		slot->ip = ip;
 		slot->ip1 = ip1;
 		map->elements++;
 		return 0;
@@ -165,7 +159,7 @@ __ipportnethash_add(struct ip_set_ipportnethash *map,
 }
 
 static inline int
-ipportnethash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportnethash_add(struct ip_set *set,
 		 ip_set_ip_t ip, ip_set_ip_t port,
 		 ip_set_ip_t ip1, uint8_t cidr)
 {
@@ -182,16 +176,15 @@ ipportnethash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (map->nets[cidr-1] == UINT16_MAX)
 		return -ERANGE;
 
-	*hash_ip = pack_ip_port(map, ip, port);
+	ip = pack_ip_port(map, ip, port);
 	ip1 = pack_ip_cidr(ip1, cidr);
-	if (!(*hash_ip || ip1))
+	if (!(ip || ip1))
 		return -ERANGE;
 	
-	ret =__ipportnet_add(map, *hash_ip, ip1);
+	ret =__ipportnet_add(map, ip, ip1);
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	return ret;
 }
@@ -202,11 +195,11 @@ ipportnethash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
 	uint8_t cidr = map->cidr[0] ? map->cidr[0] : 31;		\
 	ip_set_ip_t port, ip1;						\
 									\
-	if (flags[index+2] == 0)					\
+	if (flags[2] == 0)						\
 		return 0;						\
 									\
-	port = get_port(skb, flags[index+1]);				\
-	ip1 = ipaddr(skb, flags[index+2]);				\
+	port = get_port(skb, flags++);					\
+	ip1 = ipaddr(skb, flags++);					\
 									\
 	if (port == INVALID_PORT)					\
 		return 0;
@@ -227,7 +220,7 @@ __ipportnethash_retry(struct ip_set_ipportnethash *tmp,
 HASH_RETRY2(ipportnethash, struct ipportip)
 
 static inline int
-ipportnethash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
+ipportnethash_del(struct ip_set *set,
 	          ip_set_ip_t ip, ip_set_ip_t port,
 	          ip_set_ip_t ip1, uint8_t cidr)
 {
@@ -242,7 +235,7 @@ ipportnethash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (cidr <= 0 || cidr >= 32)
 		return -EINVAL;	
 
-	id = ipportnethash_id_cidr(set, hash_ip, ip, port, ip1, cidr);
+	id = ipportnethash_id_cidr(set, ip, port, ip1, cidr);
 
 	if (id == UINT_MAX)
 		return -EEXIST;
@@ -290,7 +283,8 @@ __ipportnethash_list_header(const struct ip_set_ipportnethash *map,
 HASH_LIST_HEADER(ipportnethash)
 
 HASH_LIST_MEMBERS_SIZE(ipportnethash, struct ipportip)
-HASH_LIST_MEMBERS_MEMCPY(ipportnethash, struct ipportip)
+HASH_LIST_MEMBERS_MEMCPY(ipportnethash, struct ipportip,
+			 (elem->ip || elem->ip1))
 
 IP_SET_RTYPE(ipportnethash, IPSET_TYPE_IP | IPSET_TYPE_PORT
 			    | IPSET_TYPE_IP1 | IPSET_DATA_TRIPLE)

extensions/ipset/ip_set_ipportnethash.h

@@ -4,7 +4,7 @@
 #include "ip_set.h"
 #include "ip_set_hashes.h"
 
-#define SETTYPE_NAME "ipportnethash"
+#define SETTYPE_NAME			"ipportnethash"
 
 struct ipportip {
 	ip_set_ip_t ip;

extensions/ipset/ip_set_iptree.c

@@ -10,6 +10,7 @@
 #include <linux/module.h>
 #include <linux/moduleparam.h>
 #include <linux/ip.h>
+#include <linux/jiffies.h>
 #include <linux/skbuff.h>
 #include <linux/slab.h>
 #include <linux/delay.h>
@@ -61,7 +62,7 @@ static __KMEM_CACHE_T__ *leaf_cachep;
 } while (0)
 
 static inline int
-iptree_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+iptree_test(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
@@ -72,8 +73,7 @@ iptree_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 	if (!ip)
 		return -ERANGE;
 	
-	*hash_ip = ip;
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 	DP("%u %u %u %u timeout %u", a, b, c, d, map->timeout);
 	TESTIP_WALK(map, a, btree);
 	TESTIP_WALK(btree, b, ctree);
@@ -105,8 +105,7 @@ KADT(iptree, test, ipaddr)
 } while (0)	
 
 static inline int
-iptree_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-	   ip_set_ip_t ip, unsigned int timeout)
+iptree_add(struct ip_set *set, ip_set_ip_t ip, unsigned int timeout)
 {
 	struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
@@ -120,8 +119,7 @@ iptree_add(struct ip_set *set, ip_set_ip_t *hash_ip,
 		 * but it's probably overkill */
 		return -ERANGE;
 	
-	*hash_ip = ip;
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 	DP("%u %u %u %u timeout %u", a, b, c, d, timeout);
 	ADDIP_WALK(map, a, btree, struct ip_set_iptreeb, branch_cachep);
 	ADDIP_WALK(btree, b, ctree, struct ip_set_iptreec, branch_cachep);
@@ -152,7 +150,7 @@ KADT(iptree, add, ipaddr, 0)
 } while (0)
 
 static inline int
-iptree_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+iptree_del(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
@@ -163,8 +161,7 @@ iptree_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 	if (!ip)
 		return -ERANGE;
 		
-	*hash_ip = ip;
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 	DELIP_WALK(map, a, btree);
 	DELIP_WALK(btree, b, ctree);
 	DELIP_WALK(ctree, c, dtree);
@@ -276,21 +273,21 @@ init_gc_timer(struct ip_set *set)
 }
 
 static int
-iptree_create(struct ip_set *set, const void *data, size_t size)
+iptree_create(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_req_iptree_create *req = data;
 	struct ip_set_iptree *map;
 
 	if (size != sizeof(struct ip_set_req_iptree_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
+		ip_set_printk("data length wrong (want %zu, have %lu)",
 			      sizeof(struct ip_set_req_iptree_create),
-			      size);
+			      (unsigned long)size);
 		return -EINVAL;
 	}
 
 	map = kmalloc(sizeof(struct ip_set_iptree), GFP_KERNEL);
 	if (!map) {
-		DP("out of memory for %d bytes",
+		DP("out of memory for %zu bytes",
 		   sizeof(struct ip_set_iptree));
 		return -ENOMEM;
 	}
@@ -363,7 +360,7 @@ iptree_list_header(const struct ip_set *set, void *data)
 }
 
 static int
-iptree_list_members_size(const struct ip_set *set)
+iptree_list_members_size(const struct ip_set *set, char dont_align)
 {
 	const struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
@@ -385,20 +382,21 @@ iptree_list_members_size(const struct ip_set *set)
 	LOOP_WALK_END;
 
 	DP("members %u", count);
-	return (count * sizeof(struct ip_set_req_iptree));
+	return (count * IPSET_VALIGN(sizeof(struct ip_set_req_iptree), dont_align));
 }
 
 static void
-iptree_list_members(const struct ip_set *set, void *data)
+iptree_list_members(const struct ip_set *set, void *data, char dont_align)
 {
 	const struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
 	struct ip_set_iptreec *ctree;
 	struct ip_set_iptreed *dtree;
 	unsigned int a,b,c,d;
-	size_t offset = 0;
+	size_t offset = 0, datasize;
 	struct ip_set_req_iptree *entry;
 
+	datasize = IPSET_VALIGN(sizeof(struct ip_set_req_iptree), dont_align);
 	LOOP_WALK_BEGIN(map, a, btree);
 	LOOP_WALK_BEGIN(btree, b, ctree);
 	LOOP_WALK_BEGIN(ctree, c, dtree);
@@ -409,7 +407,7 @@ iptree_list_members(const struct ip_set *set, void *data)
 		    	entry->ip = ((a << 24) | (b << 16) | (c << 8) | d);
 		    	entry->timeout = !map->timeout ? 0
 				: (dtree->expires[d] - jiffies)/HZ;
-			offset += sizeof(struct ip_set_req_iptree);
+			offset += datasize;
 		}
 	}
 	LOOP_WALK_END;

extensions/ipset/ip_set_iptree.h

@@ -3,7 +3,7 @@
 
 #include "ip_set.h"
 
-#define SETTYPE_NAME "iptree"
+#define SETTYPE_NAME		"iptree"
 
 struct ip_set_iptreed {
 	unsigned long expires[256];	   	/* x.x.x.ADDR */

extensions/ipset/ip_set_iptreemap.c

@@ -14,6 +14,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/ip.h>
+#include <linux/jiffies.h>
 #include <linux/skbuff.h>
 #include <linux/slab.h>
 #include <linux/delay.h>
@@ -250,7 +251,7 @@ free_b(struct ip_set_iptreemap_b *map)
 }
 
 static inline int
-iptreemap_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+iptreemap_test(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -258,9 +259,7 @@ iptreemap_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 	struct ip_set_iptreemap_d *dtree;
 	unsigned char a, b, c, d;
 
-	*hash_ip = ip;
-
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 
 	TESTIP_WALK(map, a, btree, fullbitmap_b);
 	TESTIP_WALK(btree, b, ctree, fullbitmap_c);
@@ -275,7 +274,7 @@ UADT(iptreemap, test)
 KADT(iptreemap, test, ipaddr)
 
 static inline int
-__addip_single(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+__addip_single(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptreemap *map = (struct ip_set_iptreemap *) set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -283,9 +282,7 @@ __addip_single(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 	struct ip_set_iptreemap_d *dtree;
 	unsigned char a, b, c, d;
 
-	*hash_ip = ip;
-
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 
 	ADDIP_WALK(map, a, btree, struct ip_set_iptreemap_b, cachep_b, fullbitmap_b);
 	ADDIP_WALK(btree, b, ctree, struct ip_set_iptreemap_c, cachep_c, fullbitmap_c);
@@ -300,8 +297,7 @@ __addip_single(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 }
 
 static inline int
-iptreemap_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-	      ip_set_ip_t start, ip_set_ip_t end)
+iptreemap_add(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -312,9 +308,7 @@ iptreemap_add(struct ip_set *set, ip_set_ip_t *hash_ip,
 	unsigned char a2, b2, c2, d2;
 
 	if (start == end)
-		return __addip_single(set, hash_ip, start);
-
-	*hash_ip = start;
+		return __addip_single(set, start);
 
 	ABCD(a1, b1, c1, d1, &start);
 	ABCD(a2, b2, c2, d2, &end);
@@ -337,8 +331,7 @@ UADT0(iptreemap, add, min(req->ip, req->end), max(req->ip, req->end))
 KADT(iptreemap, add, ipaddr, ip)
 
 static inline int
-__delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
-	       ip_set_ip_t ip, unsigned int __nocast flags)
+__delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -346,9 +339,7 @@ __delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
 	struct ip_set_iptreemap_d *dtree;
 	unsigned char a,b,c,d;
 
-	*hash_ip = ip;
-
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 
 	DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b, flags);
 	DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c, flags);
@@ -363,8 +354,8 @@ __delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
 }
 
 static inline int
-iptreemap_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	      ip_set_ip_t start, ip_set_ip_t end, unsigned int __nocast flags)
+iptreemap_del(struct ip_set *set,
+	      ip_set_ip_t start, ip_set_ip_t end, gfp_t flags)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -375,9 +366,7 @@ iptreemap_del(struct ip_set *set, ip_set_ip_t *hash_ip,
 	unsigned char a2, b2, c2, d2;
 
 	if (start == end)
-		return __delip_single(set, hash_ip, start, flags);
-
-	*hash_ip = start;
+		return __delip_single(set, start, flags);
 
 	ABCD(a1, b1, c1, d1, &start);
 	ABCD(a2, b2, c2, d2, &end);
@@ -470,7 +459,7 @@ init_gc_timer(struct ip_set *set)
 }
 
 static int
-iptreemap_create(struct ip_set *set, const void *data, size_t size)
+iptreemap_create(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_req_iptreemap_create *req = data;
 	struct ip_set_iptreemap *map;
@@ -517,6 +506,7 @@ static void
 iptreemap_flush(struct ip_set *set)
 {
 	struct ip_set_iptreemap *map = set->data;
+	unsigned int gc_interval = map->gc_interval;
 
 	while (!del_timer(&map->gc))
 		msleep(IPTREEMAP_DESTROY_SLEEP);
@@ -524,6 +514,7 @@ iptreemap_flush(struct ip_set *set)
 	__flush(map);
 
 	memset(map, 0, sizeof(*map));
+	map->gc_interval = gc_interval;
 
 	init_gc_timer(set);
 }
@@ -538,7 +529,7 @@ iptreemap_list_header(const struct ip_set *set, void *data)
 }
 
 static int
-iptreemap_list_members_size(const struct ip_set *set)
+iptreemap_list_members_size(const struct ip_set *set, char dont_align)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -564,31 +555,30 @@ iptreemap_list_members_size(const struct ip_set *set)
 	if (inrange)
 		count++;
 
-	return (count * sizeof(struct ip_set_req_iptreemap));
+	return (count * IPSET_VALIGN(sizeof(struct ip_set_req_iptreemap), dont_align));
 }
 
-static inline size_t
+static inline void
 add_member(void *data, size_t offset, ip_set_ip_t start, ip_set_ip_t end)
 {
 	struct ip_set_req_iptreemap *entry = data + offset;
 
 	entry->ip = start;
 	entry->end = end;
-
-	return sizeof(*entry);
 }
 
 static void
-iptreemap_list_members(const struct ip_set *set, void *data)
+iptreemap_list_members(const struct ip_set *set, void *data, char dont_align)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
 	struct ip_set_iptreemap_c *ctree;
 	struct ip_set_iptreemap_d *dtree;
 	unsigned int a, b, c, d, inrange = 0;
-	size_t offset = 0;
+	size_t offset = 0, datasize;
 	ip_set_ip_t start = 0, end = 0, ip;
 
+	datasize = IPSET_VALIGN(sizeof(struct ip_set_req_iptreemap), dont_align);
 	LOOP_WALK_BEGIN(map, a, btree) {
 		LOOP_WALK_BEGIN(btree, b, ctree) {
 			LOOP_WALK_BEGIN(ctree, c, dtree) {
@@ -599,12 +589,14 @@ iptreemap_list_members(const struct ip_set *set, void *data)
 							inrange = 1;
 							start = ip;
 						} else if (end < ip - 1) {
-							offset += add_member(data, offset, start, end);
+							add_member(data, offset, start, end);
+							offset += datasize;
 							start = ip;
 						}
 						end = ip;
 					} else if (inrange) {
-						offset += add_member(data, offset, start, end);
+						add_member(data, offset, start, end);
+						offset += datasize;
 						inrange = 0;
 					}
 				}

extensions/ipset/ip_set_iptreemap.h

@@ -3,7 +3,7 @@
 
 #include "ip_set.h"
 
-#define SETTYPE_NAME "iptreemap"
+#define SETTYPE_NAME		"iptreemap"
 
 #ifdef __KERNEL__
 struct ip_set_iptreemap_d {

extensions/ipset/ip_set_macipmap.c

@@ -22,8 +22,7 @@
 #include "ip_set_macipmap.h"
 
 static int
-macipmap_utest(struct ip_set *set, const void *data, size_t size,
-	       ip_set_ip_t *hash_ip)
+macipmap_utest(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_macipmap *map = set->data;
 	const struct ip_set_macip *table = map->members;	
@@ -32,11 +31,8 @@ macipmap_utest(struct ip_set *set, const void *data, size_t size,
 	if (req->ip < map->first_ip || req->ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = req->ip;
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(req->ip), HIPQUAD(*hash_ip));		
-	if (test_bit(IPSET_MACIP_ISSET,
-		     (void *) &table[req->ip - map->first_ip].flags)) {
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(req->ip));		
+	if (table[req->ip - map->first_ip].match) {
 		return (memcmp(req->ethernet,
 			       &table[req->ip - map->first_ip].ethernet,
 			       ETH_ALEN) == 0);
@@ -48,24 +44,19 @@ macipmap_utest(struct ip_set *set, const void *data, size_t size,
 static int
 macipmap_ktest(struct ip_set *set,
 	       const struct sk_buff *skb,
-	       ip_set_ip_t *hash_ip,
-	       const u_int32_t *flags,
-	       unsigned char index)
+	       const u_int32_t *flags)
 {
 	const struct ip_set_macipmap *map = set->data;
 	const struct ip_set_macip *table = map->members;
 	ip_set_ip_t ip;
 	
-	ip = ipaddr(skb, flags[index]);
+	ip = ipaddr(skb, flags);
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return 0;
 
-	*hash_ip = ip;	
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip));		
-	if (test_bit(IPSET_MACIP_ISSET,
-	    (void *) &table[ip - map->first_ip].flags)) {
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
+	if (table[ip - map->first_ip].match) {
 		/* Is mac pointer valid?
 		 * If so, compare... */
 		return (skb_mac_header(skb) >= skb->head
@@ -80,7 +71,7 @@ macipmap_ktest(struct ip_set *set,
 
 /* returns 0 on success */
 static inline int
-macipmap_add(struct ip_set *set, ip_set_ip_t *hash_ip,
+macipmap_add(struct ip_set *set,
 	     ip_set_ip_t ip, const unsigned char *ethernet)
 {
 	struct ip_set_macipmap *map = set->data;
@@ -88,13 +79,12 @@ macipmap_add(struct ip_set *set, ip_set_ip_t *hash_ip,
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
-	if (test_and_set_bit(IPSET_MACIP_ISSET,
-			     (void *) &table[ip - map->first_ip].flags))
+	if (table[ip - map->first_ip].match)
 		return -EEXIST;
 
-	*hash_ip = ip;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
+	DP("set: %s, ip: %u.%u.%u.%u", set->name, HIPQUAD(ip));
 	memcpy(&table[ip - map->first_ip].ethernet, ethernet, ETH_ALEN);
+	table[ip - map->first_ip].match = IPSET_MACIP_ISSET;
 	return 0;
 }
 
@@ -107,19 +97,18 @@ UADT(macipmap, add, req->ethernet)
 KADT(macipmap, add, ipaddr, eth_hdr(skb)->h_source)
 
 static inline int
-macipmap_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+macipmap_del(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_macipmap *map = set->data;
 	struct ip_set_macip *table = map->members;
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
-	if (!test_and_clear_bit(IPSET_MACIP_ISSET,
-				(void *)&table[ip - map->first_ip].flags))
+	if (!table[ip - map->first_ip].match)
 		return -EEXIST;
 
-	*hash_ip = ip;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
+	table[ip - map->first_ip].match = 0;
+	DP("set: %s, ip: %u.%u.%u.%u", set->name, HIPQUAD(ip));
 	return 0;
 }
 
@@ -154,8 +143,32 @@ __macipmap_list_header(const struct ip_set_macipmap *map,
 }
 
 BITMAP_LIST_HEADER(macipmap)
-BITMAP_LIST_MEMBERS_SIZE(macipmap)
-BITMAP_LIST_MEMBERS(macipmap)
+BITMAP_LIST_MEMBERS_SIZE(macipmap, struct ip_set_req_macipmap,
+			 (map->last_ip - map->first_ip + 1),
+			 ((const struct ip_set_macip *)map->members)[i].match)
+
+
+static void
+macipmap_list_members(const struct ip_set *set, void *data, char dont_align)
+{
+	const struct ip_set_macipmap *map = set->data;
+	const struct ip_set_macip *table = map->members;
+	uint32_t i, n = 0;
+	struct ip_set_req_macipmap *d;
+	
+	if (dont_align) {
+		memcpy(data, map->members, map->size);
+		return;
+	}
+	
+	for (i = 0; i < map->last_ip - map->first_ip + 1; i++)
+		if (table[i].match) {
+			d = data + n * IPSET_ALIGN(sizeof(struct ip_set_req_macipmap));
+			d->ip = map->first_ip + i;
+			memcpy(d->ethernet, &table[i].ethernet, ETH_ALEN);
+			n++;
+		}
+}
 
 IP_SET_TYPE(macipmap, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
 

extensions/ipset/ip_set_macipmap.h

@@ -4,7 +4,7 @@
 #include "ip_set.h"
 #include "ip_set_bitmaps.h"
 
-#define SETTYPE_NAME "macipmap"
+#define SETTYPE_NAME		"macipmap"
 
 /* general flags */
 #define IPSET_MACIP_MATCHUNSET	1
@@ -17,7 +17,7 @@ struct ip_set_macipmap {
 	ip_set_ip_t first_ip;		/* host byte order, included in range */
 	ip_set_ip_t last_ip;		/* host byte order, included in range */
 	u_int32_t flags;
-	size_t size;			/* size of the ipmap proper */
+	u_int32_t size;			/* size of the ipmap proper */
 };
 
 struct ip_set_req_macipmap_create {
@@ -32,7 +32,7 @@ struct ip_set_req_macipmap {
 };
 
 struct ip_set_macip {
-	unsigned short flags;
+	unsigned short match;
 	unsigned char ethernet[ETH_ALEN];
 };
 

extensions/ipset/ip_set_malloc.h

@@ -40,7 +40,7 @@ struct harray {
 };
 
 static inline void * 
-__harray_malloc(size_t hashsize, size_t typesize, int flags)
+__harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
 {
 	struct harray *harray;
 	size_t max_elements, size, i, j;
@@ -88,7 +88,7 @@ __harray_malloc(size_t hashsize, size_t typesize, int flags)
 }
 
 static inline void *
-harray_malloc(size_t hashsize, size_t typesize, int flags)
+harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
 {
 	void *harray;
 	

extensions/ipset/ip_set_nethash.c

@@ -26,7 +26,6 @@ static int limit = MAX_RANGE;
 
 static inline __u32
 nethash_id_cidr(const struct ip_set_nethash *map,
-		ip_set_ip_t *hash_ip,
 		ip_set_ip_t ip,
 		uint8_t cidr)
 {
@@ -34,15 +33,15 @@ nethash_id_cidr(const struct ip_set_nethash *map,
 	u_int16_t i;
 	ip_set_ip_t *elem;
 
-	*hash_ip = pack_ip_cidr(ip, cidr);
-	if (!*hash_ip)
+	ip = pack_ip_cidr(ip, cidr);
+	if (!ip)
 		return MAX_RANGE;
 	
 	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip(map, i, *hash_ip) % map->hashsize;
+		id = jhash_ip(map, i, ip) % map->hashsize;
 	   	DP("hash key: %u", id);
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-	   	if (*elem == *hash_ip)
+	   	if (*elem == ip)
 			return id;
 		/* No shortcut - there can be deleted entries. */
 	}
@@ -50,14 +49,14 @@ nethash_id_cidr(const struct ip_set_nethash *map,
 }
 
 static inline __u32
-nethash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+nethash_id(struct ip_set *set, ip_set_ip_t ip)
 {
 	const struct ip_set_nethash *map = set->data;
 	__u32 id = UINT_MAX;
 	int i;
 
 	for (i = 0; i < 30 && map->cidr[i]; i++) {
-		id = nethash_id_cidr(map, hash_ip, ip, map->cidr[i]);
+		id = nethash_id_cidr(map, ip, map->cidr[i]);
 		if (id != UINT_MAX)
 			break;
 	}
@@ -65,30 +64,28 @@ nethash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 }
 
 static inline int
-nethash_test_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
-		  ip_set_ip_t ip, uint8_t cidr)
+nethash_test_cidr(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
 {
 	const struct ip_set_nethash *map = set->data;
 
-	return (nethash_id_cidr(map, hash_ip, ip, cidr) != UINT_MAX);
+	return (nethash_id_cidr(map, ip, cidr) != UINT_MAX);
 }
 
 static inline int
-nethash_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
+nethash_test(struct ip_set *set, ip_set_ip_t ip)
 {
-	return (nethash_id(set, hash_ip, ip) != UINT_MAX);
+	return (nethash_id(set, ip) != UINT_MAX);
 }
 
 static int
-nethash_utest(struct ip_set *set, const void *data, size_t size,
-	      ip_set_ip_t *hash_ip)
+nethash_utest(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_req_nethash *req = data;
 
 	if (req->cidr <= 0 || req->cidr > 32)
 		return -EINVAL;
-	return (req->cidr == 32 ? nethash_test(set, hash_ip, req->ip)
-		: nethash_test_cidr(set, hash_ip, req->ip, req->cidr));
+	return (req->cidr == 32 ? nethash_test(set, req->ip)
+		: nethash_test_cidr(set, req->ip, req->cidr));
 }
 
 #define KADT_CONDITION
@@ -121,8 +118,7 @@ __nethash_add(struct ip_set_nethash *map, ip_set_ip_t *ip)
 }
 
 static inline int
-nethash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-	    ip_set_ip_t ip, uint8_t cidr)
+nethash_add(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
 {
 	struct ip_set_nethash *map = set->data;
 	int ret;
@@ -132,16 +128,14 @@ nethash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (cidr <= 0 || cidr >= 32)
 		return -EINVAL;
 
-	*hash_ip = pack_ip_cidr(ip, cidr);
-	DP("%u.%u.%u.%u/%u, %u.%u.%u.%u", HIPQUAD(ip), cidr, HIPQUAD(*hash_ip));
-	if (!*hash_ip)
+	ip = pack_ip_cidr(ip, cidr);
+	if (!ip)
 		return -ERANGE;
 	
-	ret = __nethash_add(map, hash_ip);
+	ret = __nethash_add(map, &ip);
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	
 	return ret;
@@ -165,8 +159,7 @@ __nethash_retry(struct ip_set_nethash *tmp, struct ip_set_nethash *map)
 HASH_RETRY(nethash, ip_set_ip_t)
 
 static inline int
-nethash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	    ip_set_ip_t ip, uint8_t cidr)
+nethash_del(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
 {
 	struct ip_set_nethash *map = set->data;
 	ip_set_ip_t id, *elem;
@@ -174,7 +167,7 @@ nethash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
 	if (cidr <= 0 || cidr >= 32)
 		return -EINVAL;	
 	
-	id = nethash_id_cidr(map, hash_ip, ip, cidr);
+	id = nethash_id_cidr(map, ip, cidr);
 	if (id == UINT_MAX)
 		return -EEXIST;
 		

extensions/ipset/ip_set_nethash.h

@@ -4,7 +4,7 @@
 #include "ip_set.h"
 #include "ip_set_hashes.h"
 
-#define SETTYPE_NAME "nethash"
+#define SETTYPE_NAME		"nethash"
 
 struct ip_set_nethash {
 	ip_set_ip_t *members;		/* the nethash proper */

extensions/ipset/ip_set_portmap.c

@@ -23,16 +23,14 @@
 #include "ip_set_getport.h"
 
 static inline int
-portmap_test(const struct ip_set *set, ip_set_ip_t *hash_port,
-	     ip_set_ip_t port)
+portmap_test(const struct ip_set *set, ip_set_ip_t port)
 {
 	const struct ip_set_portmap *map = set->data;
 
 	if (port < map->first_ip || port > map->last_ip)
 		return -ERANGE;
 		
-	*hash_port = port;
-	DP("set: %s, port:%u, %u", set->name, port, *hash_port);
+	DP("set: %s, port: %u", set->name, port);
 	return !!test_bit(port - map->first_ip, map->members);
 }
 
@@ -44,7 +42,7 @@ UADT(portmap, test)
 KADT(portmap, test, get_port)
 
 static inline int
-portmap_add(struct ip_set *set, ip_set_ip_t *hash_port, ip_set_ip_t port)
+portmap_add(struct ip_set *set, ip_set_ip_t port)
 {
 	struct ip_set_portmap *map = set->data;
 
@@ -52,9 +50,8 @@ portmap_add(struct ip_set *set, ip_set_ip_t *hash_port, ip_set_ip_t port)
 		return -ERANGE;
 	if (test_and_set_bit(port - map->first_ip, map->members))
 		return -EEXIST;
-		
-	*hash_port = port;
-	DP("port %u", port);
+	
+	DP("set: %s, port %u", set->name, port);
 	return 0;
 }
 
@@ -62,7 +59,7 @@ UADT(portmap, add)
 KADT(portmap, add, get_port)
 
 static inline int
-portmap_del(struct ip_set *set, ip_set_ip_t *hash_port, ip_set_ip_t port)
+portmap_del(struct ip_set *set, ip_set_ip_t port)
 {
 	struct ip_set_portmap *map = set->data;
 
@@ -70,9 +67,8 @@ portmap_del(struct ip_set *set, ip_set_ip_t *hash_port, ip_set_ip_t port)
 		return -ERANGE;
 	if (!test_and_clear_bit(port - map->first_ip, map->members))
 		return -EEXIST;
-		
-	*hash_port = port;
-	DP("port %u", port);
+	
+	DP("set: %s, port %u", set->name, port);
 	return 0;
 }
 
@@ -102,8 +98,28 @@ __portmap_list_header(const struct ip_set_portmap *map,
 }
 
 BITMAP_LIST_HEADER(portmap)
-BITMAP_LIST_MEMBERS_SIZE(portmap)
-BITMAP_LIST_MEMBERS(portmap)
+BITMAP_LIST_MEMBERS_SIZE(portmap, ip_set_ip_t, (map->last_ip - map->first_ip + 1),
+			 test_bit(i, map->members))
+
+static void
+portmap_list_members(const struct ip_set *set, void *data, char dont_align)
+{
+	const struct ip_set_portmap *map = set->data;
+	uint32_t i, n = 0;
+	ip_set_ip_t *d;
+	
+	if (dont_align) {
+		memcpy(data, map->members, map->size);
+		return;
+	}
+	
+	for (i = 0; i < map->last_ip - map->first_ip + 1; i++)
+		if (test_bit(i, map->members)) {
+			d = data + n * IPSET_ALIGN(sizeof(ip_set_ip_t));
+			*d = map->first_ip + i;
+			n++;
+		}
+}
 
 IP_SET_TYPE(portmap, IPSET_TYPE_PORT | IPSET_DATA_SINGLE)
 

extensions/ipset/ip_set_portmap.h

@@ -4,13 +4,13 @@
 #include "ip_set.h"
 #include "ip_set_bitmaps.h"
 
-#define SETTYPE_NAME	"portmap"
+#define SETTYPE_NAME		"portmap"
 
 struct ip_set_portmap {
 	void *members;			/* the portmap proper */
 	ip_set_ip_t first_ip;		/* host byte order, included in range */
 	ip_set_ip_t last_ip;		/* host byte order, included in range */
-	size_t size;			/* size of the ipmap proper */
+	u_int32_t size;			/* size of the ipmap proper */
 };
 
 struct ip_set_req_portmap_create {

extensions/ipset/ip_set_setlist.c

@@ -21,15 +21,14 @@
  * after  ==> ref, index
  */
 
-static inline bool
+static inline int
 next_index_eq(const struct ip_set_setlist *map, int i, ip_set_id_t index)
 {
 	return i < map->size && map->index[i] == index;
 }
 
 static int
-setlist_utest(struct ip_set *set, const void *data, size_t size,
-	       ip_set_ip_t *hash_ip)
+setlist_utest(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_setlist *map = set->data;
 	const struct ip_set_req_setlist *req = data;
@@ -38,17 +37,15 @@ setlist_utest(struct ip_set *set, const void *data, size_t size,
 	struct ip_set *s;
 	
 	if (req->before && req->ref[0] == '\0')
-		return -EINVAL;
+		return 0;
 
 	index = __ip_set_get_byname(req->name, &s);
 	if (index == IP_SET_INVALID_ID)
-		return -EEXIST;
+		return 0;
 	if (req->ref[0] != '\0') {
 		ref = __ip_set_get_byname(req->ref, &s);
-		if (ref == IP_SET_INVALID_ID) {
-			res = -EEXIST;
+		if (ref == IP_SET_INVALID_ID)
 			goto finish;
-		}
 	}
 	for (i = 0; i < map->size
 		    && map->index[i] != IP_SET_INVALID_ID; i++) {
@@ -74,10 +71,8 @@ finish:
 
 static int
 setlist_ktest(struct ip_set *set,
-	       const struct sk_buff *skb,
-	       ip_set_ip_t *hash_ip,
-	       const u_int32_t *flags,
-	       unsigned char index)
+	      const struct sk_buff *skb,
+	      const u_int32_t *flags)
 {
 	struct ip_set_setlist *map = set->data;
 	int i, res = 0;
@@ -109,8 +104,7 @@ insert_setlist(struct ip_set_setlist *map, int i, ip_set_id_t index)
 }
 
 static int
-setlist_uadd(struct ip_set *set, const void *data, size_t size,
-	     ip_set_ip_t *hash_ip)
+setlist_uadd(struct ip_set *set, const void *data, u_int32_t size)
 {
 	struct ip_set_setlist *map = set->data;
 	const struct ip_set_req_setlist *req = data;
@@ -158,9 +152,7 @@ finish:
 static int
 setlist_kadd(struct ip_set *set,
 	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
+	     const u_int32_t *flags)
 {
 	struct ip_set_setlist *map = set->data;
 	int i, res = -EINVAL;
@@ -172,7 +164,7 @@ setlist_kadd(struct ip_set *set,
 	return res;
 }
 
-static inline bool
+static inline int
 unshift_setlist(struct ip_set_setlist *map, int i)
 {
 	int j;
@@ -184,8 +176,7 @@ unshift_setlist(struct ip_set_setlist *map, int i)
 }
 
 static int
-setlist_udel(struct ip_set *set, const void *data, size_t size,
-	     ip_set_ip_t *hash_ip)
+setlist_udel(struct ip_set *set, const void *data, u_int32_t size)
 {
 	struct ip_set_setlist *map = set->data;
 	const struct ip_set_req_setlist *req = data;
@@ -236,9 +227,7 @@ finish:
 static int
 setlist_kdel(struct ip_set *set,
 	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
+	     const u_int32_t *flags)
 {
 	struct ip_set_setlist *map = set->data;
 	int i, res = -EINVAL;
@@ -251,7 +240,7 @@ setlist_kdel(struct ip_set *set,
 }
 
 static int
-setlist_create(struct ip_set *set, const void *data, size_t size)
+setlist_create(struct ip_set *set, const void *data, u_int32_t size)
 {
 	struct ip_set_setlist *map;
 	const struct ip_set_req_setlist_create *req = data;
@@ -306,21 +295,24 @@ setlist_list_header(const struct ip_set *set, void *data)
 }
 
 static int
-setlist_list_members_size(const struct ip_set *set)
+setlist_list_members_size(const struct ip_set *set, char dont_align)
 {
 	const struct ip_set_setlist *map = set->data;
 	
-	return map->size * sizeof(ip_set_id_t);
+	return map->size * IPSET_VALIGN(sizeof(ip_set_id_t), dont_align);
 }
 
 static void
-setlist_list_members(const struct ip_set *set, void *data)
+setlist_list_members(const struct ip_set *set, void *data, char dont_align)
 {
 	struct ip_set_setlist *map = set->data;
+	ip_set_id_t *d;
 	int i;
 	
-	for (i = 0; i < map->size; i++)
-		*((ip_set_id_t *)data + i) = ip_set_id(map->index[i]);
+	for (i = 0; i < map->size; i++) {
+		d = data + i * IPSET_VALIGN(sizeof(ip_set_id_t), dont_align);
+		*d = ip_set_id(map->index[i]);
+	}
 }
 
 IP_SET_TYPE(setlist, IPSET_TYPE_SETNAME | IPSET_DATA_SINGLE)

extensions/ipset/ip_set_setlist.h

@@ -3,7 +3,7 @@
 
 #include "ip_set.h"
 
-#define SETTYPE_NAME "setlist"
+#define SETTYPE_NAME			"setlist"
 
 #define IP_SET_SETLIST_ADD_AFTER	0
 #define IP_SET_SETLIST_ADD_BEFORE	1

extensions/ipset/ipset.8

@@ -18,21 +18,21 @@
 .\"
 .\"
 .SH NAME
-ipset \- administration tool for IP sets
+ipset \(em administration tool for IP sets
 .SH SYNOPSIS
-.BR "ipset -N " "set type-specification [options]"
-.br
-.BR "ipset -[XFLSHh] " "[set] [options]"
-.br
-.BR "ipset -[EW] " "from-set to-set"
-.br
-.BR "ipset -[ADU] " "set entry"
-.br
-.BR "ipset -B " "set entry -b binding"
-.br
-.BR "ipset -T " "set entry [-b binding]"
-.br
-.BR "ipset -R "
+.PP
+\fBipset \-N\fP \fIset\fP \fItype-specification\fP [\fIoptions\fP...]
+.PP
+\fBipset\fP {\fB\-F\fP|\fB\-H\fP|\fB\-L\fP|\fB\-S\fP|\fB\-X\fP} [\fIset\fP]
+[\fIoptions\fP...]
+.PP
+\fBipset\fP {\fB\-E\fP|\fB\-W\fP} \fIfrom-set\fP \fIto-set\fP
+.PP
+\fBipset\fP {\fB\-A\fP|\fB\-D\fP|\fB\-T\fP} \fIset\fP \fIentry\fP
+.PP
+\fBipset \-R\fP
+.PP
+\fBipset\fP {\fB-V\fP|\fB\-v\fP}
 .SH DESCRIPTION
 .B ipset
 is used to set up, maintain and inspect so called IP sets in the Linux
@@ -40,16 +40,9 @@ kernel. Depending on the type, an IP set may store IP addresses, (TCP/UDP)
 port numbers or additional informations besides IP addresses: the word IP 
 means a general term here. See the set type definitions below.
 .P
-Any entry in a set can be bound to another set, which forms a relationship
-between a set element and the set it is bound to. In order to define a
-binding it is not required that the entry be already added to the set. 
-The sets may have a default binding, which is valid for every set element 
-for which there is no binding defined at all.
-.P
-IP set bindings pointing to sets and iptables matches and targets 
-referring to sets creates references, which protects the given sets in 
-the kernel. A set cannot be removed (destroyed) while there is a single
-reference pointing to it.
+Iptables matches and targets referring to sets creates references, which
+protects the given sets in the kernel. A set cannot be removed (destroyed)
+while there is a single reference pointing to it.
 .SH OPTIONS
 The options that are recognized by
 .B ipset
@@ -62,134 +55,87 @@ need to use only enough letters to ensure that
 .B ipset
 can differentiate it from all other options.
 .TP
-.BI "-N, --create " "\fIsetname\fP type type-specific-options"
+\fB\-N\fP, \fB\-\-create\fP \fIsetname\fP \fItype\fP \fItype-specific-options\fP
 Create a set identified with setname and specified type. 
 Type-specific options must be supplied.
 .TP
-.BI "-X, --destroy " "[\fIsetname\fP]"
-Destroy the specified set, or all sets if none or the keyword
-.B
-:all:
-is specified.
-Before destroying the set, all bindings belonging to the 
-set elements and the default binding of the set are removed.
+\fB\-X\fP, \fB\-\-destroy\fP [\fIsetname\fP]
+Destroy the specified set or all the sets if none is given.
 
 If the set has got references, nothing is done.
 .TP
-.BI "-F, --flush " "[\fIsetname\fP]"
-Delete all entries from the specified set, or flush
-all sets if none or the keyword
-.B
-:all:
-is given. Bindings are not affected by the flush operation.
+\fB\-F\fP, \fB\-\-flush\fP [\fIsetname\fP]
+Delete all entries from the specified set or flush
+all sets if none is given.
 .TP
-.BI "-E, --rename " "\fIfrom-setname\fP \fIto-setname\fP"
+\fB\-E\fP, \fB\-\-rename\fP \fIfrom-setname\fP \fIto-setname\fP
 Rename a set. Set identified by to-setname must not exist.
 .TP
-.BI "-W, --swap " "\fIfrom-setname\fP \fIto-setname\fP"
+\fB\-W\fP, \fB\-\-swap\fP \fIfrom-setname\fP \fIto-setname\fP
 Swap the content of two sets, or in another words, 
 exchange the name of two sets. The referred sets must exist and
 identical type of sets can be swapped only.
 .TP
-.BI "-L, --list " "[\fIsetname\fP]"
-List the entries and bindings for the specified set, or for
-all sets if none or the keyword
-.B
-:all:
-is given. The
-.B "-n, --numeric"
-option can be used to suppress name lookups and generate numeric
-output. When the
-.B "-s, --sorted"
+\fB\-L\fP, \fB\-\-list\fP [\fIsetname\fP]
+List the entries for the specified set, or for
+all sets if none is given. The
+\fB\-r\fP/\fB\-\-resolve\fP
+option can be used to force name lookups (which may be slow). When the
+\fB\-s\fP/\fB\-\-sorted\fP
 option is given, the entries are listed sorted (if the given set
 type supports the operation).
 .TP
-.BI "-S, --save " "[\fIsetname\fP]"
-Save the given set, or all sets if none or the keyword
-.B
-:all:
-is specified to stdout in a format that --restore can read.
+\fB\-S\fP, \fB\-\-save\fP [\fIsetname\fP]
+Save the given set, or all sets if none is given
+to stdout in a format that \fB\-\-restore\fP can read.
 .TP
-.BI "-R, --restore "
-Restore a saved session generated by --save. The saved session
+\fB\-R\fP, \fB\-\-restore\fP
+Restore a saved session generated by \fB\-\-save\fP. The saved session
 can be fed from stdin.
 
 When generating a session file please note that the supported commands
-(create set, add element, bind) must appear in a strict order: first create
+(create set and add element) must appear in a strict order: first create
 the set, then add all elements. Then create the next set, add all its elements
-and so on. Finally you can list all binding commands. Also, it is a restore
-operation, so the sets being restored must not exist.
+and so on. Also, it is a restore operation, so the sets being restored must 
+not exist.
 .TP
-.BI "-A, --add " "\fIsetname\fP \fIIP\fP"
-Add an IP to a set.
+\fB\-A\fP, \fB\-\-add\fP \fIsetname\fP \fIentry\fP
+Add an entry to a set.
 .TP
-.BI "-D, --del " "\fIsetname\fP \fIIP\fP"
-Delete an IP from a set. 
+\fB\-D\fP, \fB\-\-del\fP \fIsetname\fP \fIentry\fP
+Delete an entry from a set.
 .TP
-.BI "-T, --test " "\fIsetname\fP \fIIP
-Test wether an IP is in a set or not. Exit status number is zero
-if the tested IP is in the set and nonzero if it is missing from 
+\fB-T\fP, \fB\-\-test\fP \fIsetname\fP \fIentry\fP
+Test wether an entry is in a set or not. Exit status number is zero
+if the tested entry is in the set and nonzero if it is missing from
 the set.
 .TP
-.BI "-T, --test " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Test wether the IP belonging to the set points to the specified binding. 
-Exit status number is zero if the binding points to the specified set, 
-otherwise it is nonzero. The keyword
-.B
-:default:
-can be used to test the default binding of the set.
-.TP
-.BI "-B, --bind " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Bind the IP in setname to to-setname.
-.TP
-.BI "-U, --unbind " "\fIsetname\fP \fIIP\fP"
-Delete the binding belonging to IP in set setname. 
-.TP
-.BI "-H, --help " "[settype]"
+\fB\-H\fP, \fB\-\-help\fP [\fIsettype\fP]
 Print help and settype specific help if settype specified.
+.TP
+\fB\-V\fP, \fB\-v\fP, \fB\-\-version\fP
+Print program version and protocol version.
 .P
-At the
-.B
--B, -U
-and
-.B 
--T
-commands you can use the token
-.B
-:default:
-to bind, unbind or test the default binding of a set instead
-of an IP. At the
-.B
--U
-command you can use the token
-.B
-:all:
-to destroy the bindings of all elements of a set.
 .SS "OTHER OPTIONS"
 The following additional options can be specified:
 .TP
-.B "-b, --binding setname"
-The option specifies the value of the binding for the
-.B "-B"
-binding command, for which it is a mandatory option.
-You can use it in the
-.B "-T"
-test command as well to test bindings.
-.TP
-.B "-s, --sorted"
-Sorted output. When listing sets, entries are listed sorted.
-.TP
-.B "-n, --numeric"
-Numeric output. When listing sets, bindings, IP addresses and 
-port numbers will be printed in numeric format. By default the 
-program will try to display them as host names, network names 
-or services (whenever applicable), which can trigger
+\fB\-r\fP, \fB\-\-resolve\fP
+When listing sets, enforce name lookup. The 
+program will try to display the IP entries resolved to 
+host names or services (whenever applicable), which can trigger
 .B
 slow
 DNS 
 lookups.
 .TP
-.B "-q, --quiet"
+\fB\-s\fP, \fB\-\-sorted\fP
+Sorted output. When listing sets, entries are listed sorted.
+.TP
+\fB\-n\fP, \fB\-\-numeric\fP
+Numeric output. When listing sets, IP addresses and 
+port numbers will be printed in numeric format. This is the default.
+.TP
+\fB\-q\fP, \fB\-\-quiet\fP
 Suppress any output to stdout and stderr. ipset will still return
 possible errors.
 .SH SET TYPES
@@ -199,7 +145,7 @@ The ipmap set type uses a memory range, where each bit represents
 one IP address. An ipmap set can store up to 65536 (B-class network)
 IP addresses. The ipmap set type is very fast and memory cheap, great
 for use when one want to match certain IPs in a range. If the optional
-.B "--netmask"
+\fB\-\-netmask\fP
 parameter is specified with a CIDR netmask value between 1-31 then
 network addresses are stored in the given set: i.e an
 IP address will be in the set if the network address, which is resulted
@@ -207,52 +153,54 @@ by masking the address with the specified netmask, can be found in the set.
 .P
 Options to use when creating an ipmap set:
 .TP
-.BR "--from " from-IP
+\fB\-\-from\fP \fIfrom-addr\fP
 .TP
-.BR "--to " to-IP
-Create an ipmap set from the specified range.
+\fB\-\-to\fP \fIto-addr\fP
+Create an ipmap set from the specified address range.
 .TP
-.BR "--network " IP/mask
+\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
 Create an ipmap set from the specified network.
 .TP
-.BR "--netmask " CIDR-netmask
+\fB\-\-netmask\fP \fIprefixlen\fP
 When the optional
-.B "--netmask"
+\fB\-\-netmask\fP
 parameter specified, network addresses will be 
-stored in the set instead of IP addresses, and the from-IP parameter
-must be a network address. The CIDR-netmask value must be between 1-31.
+stored in the set instead of IP addresses, and the \fIfrom-addr\fP parameter
+must be a network address. The \fIprefixlen\fP value must be between 1-31.
+.PP
+Example:
+.IP
+ipset \-N test ipmap \-\-network 192.168.0.0/16 
 .SS macipmap
 The macipmap set type uses a memory range, where each 8 bytes
 represents one IP and a MAC addresses. A macipmap set type can store
 up to 65536 (B-class network) IP addresses with MAC.
 When adding an entry to a macipmap set, you must specify the entry as
-.I IP,MAC.
+"\fIaddress\fP\fB,\fP\fImac\fP".
 When deleting or testing macipmap entries, the
-.I ,MAC
+"\fB,\fP\fImac\fP"
 part is not mandatory.
 .P
 Options to use when creating an macipmap set:
 .TP
-.BR "--from " from-IP
+\fB\-\-from\fP \fIfrom-addr\fP
 .TP
-.BR "--to " to-IP
-Create a macipmap set from the specified range.
+\fB\-\-to\fP \fIto-addr\fP
+Create a macipmap set from the specified address range.
 .TP
-.BR "--network " IP/mask
+\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
 Create a macipmap set from the specified network.
 .TP
-.BR "--matchunset"
+\fB\-\-matchunset\fP
 When the optional
-.B "--matchunset"
+\fB\-\-matchunset\fP
 parameter specified, IP addresses which could be stored 
 in the set but not set yet, will always match.
 .P
 Please note, the 
-.I
-set
+"set"
 and
-.I
-SET
+"SET"
 netfilter kernel modules
 .B
 always
@@ -265,42 +213,41 @@ The portmap set type is very fast and memory cheap.
 .P
 Options to use when creating an portmap set:
 .TP
-.BR "--from " from-port
+\fB\-\-from\fP \fIfrom-port\fP
 .TP
-.BR "--to " to-port
-Create a portmap set from the specified range.
+\fB\-\-to\fP \fIto-port\fP
+Create a portmap set from the specified port range.
 .SS iphash
 The iphash set type uses a hash to store IP addresses.
 In order to avoid clashes in the hash double-hashing, and as a last
 resort, dynamic growing of the hash performed. The iphash set type is
 great to store random addresses. If the optional
-.B "--netmask"
-parameter is specified with a CIDR netmask value between 1-31 then
+\fB\-\-netmask\fP
+parameter is specified with a CIDR prefix length value between 1-31 then
 network addresses are stored in the given set: i.e an
 IP address will be in the set if the network address, which is resulted
 by masking the address with the specified netmask, can be found in the set.
 .P
 Options to use when creating an iphash set:
 .TP
-.BR "--hashsize " hashsize
+\fB\-\-hashsize\fP \fIhashsize\fP
 The initial hash size (default 1024)
 .TP
-.BR "--probes " probes
+\fB\-\-probes\fP \fIprobes\fP
 How many times try to resolve clashing at adding an IP to the hash 
 by double-hashing (default 8).
 .TP
-.BR "--resize " percent
+\fB\-\-resize\fP \fIpercent\fP
 Increase the hash size by this many percent (default 50) when adding
 an IP to the hash could not be performed after
-.B
-probes
+\fIprobes\fP
 number of double-hashing. 
 .TP
-.BR "--netmask " CIDR-netmask
+\fB\-\-netmask\fP \fIprefixlen\fP
 When the optional
-.B "--netmask"
+\fB\-\-netmask\fP
 parameter specified, network addresses will be 
-stored in the set instead of IP addresses. The CIDR-netmask value must
+stored in the set instead of IP addresses. The \fIprefixlen\fP value must
 be between 1-31.
 .P
 The iphash type of sets can store up to 65536 entries. If a set is full,
@@ -309,35 +256,36 @@ no new entries can be added to it.
 Sets created by zero valued resize parameter won't be resized at all.
 The lookup time in an iphash type of set grows approximately linearly with
 the value of the 
-.B
-probes
+\fIprobes\fP
 parameter. In general higher 
-.B
-probe
+\fIprobes\fP
 value results better utilized hash while smaller value
 produces larger, sparser hash.
+.PP
+Example:
+.IP
+ipset \-N test iphash \-\-probes 2
 .SS nethash
 The nethash set type uses a hash to store different size of
 network addresses. The
 .I
-IP
-"address" used in the ipset commands must be in the form
-.I
-IP-address/cidr-size
-where the CIDR block size must be in the inclusive range of 1-31.
+entry
+used in the ipset commands must be in the form
+"\fIaddress\fP\fB/\fP\fIprefixlen\fP"
+where prefixlen must be in the inclusive range of 1-31.
 In order to avoid clashes in the hash 
 double-hashing, and as a last resort, dynamic growing of the hash performed.
 .P
 Options to use when creating an nethash set:
 .TP
-.BR "--hashsize " hashsize
+\fB\-\-hashsize\fP \fIhashsize\fP
 The initial hash size (default 1024)
 .TP
-.BR "--probes " probes
+\fB\-\-probes\fP \fIprobes\fP
 How many times try to resolve clashing at adding an IP to the hash 
 by double-hashing (default 4).
 .TP
-.BR "--resize " percent
+\fB\-\-resize\fP \fIpercent\fP
 Increase the hash size by this many percent (default 50) when adding
 an IP to the hash could not be performed after
 .P
@@ -349,15 +297,13 @@ netblocks added to the set. The matching always start from the smallest
 size of netblock (most specific netmask) to the largest ones (least
 specific netmasks). When adding/deleting IP addresses
 to a nethash set by the
-.I
-SET
+"SET"
 netfilter kernel module, it will be added/deleted by the smallest
 netblock size which can be found in the set, or by /31 if the set is empty.
 .P
 The lookup time in a nethash type of set grows approximately linearly 
 with the times of the
-.B
-probes
+\fIprobes\fP
 parameter and the number of different mask parameters in the hash.
 Otherwise the same speed and memory efficiency comments applies here 
 as at the iphash type.
@@ -368,39 +314,35 @@ resort, dynamic growing of the hash performed. An ipporthash set can
 store up to 65536 (B-class network) IP addresses with all possible port
 values. When adding, deleting and testing values in an ipporthash type of
 set, the entries must be specified as
-.B
-"IP,port".
+"\fIaddress\fP\fB,\fP\fIport\fP".
 .P
 The ipporthash types of sets evaluates two src/dst parameters of the 
-.I
-set
+"set"
 match and 
-.I
-SET
+"SET"
 target. 
 .P
 Options to use when creating an ipporthash set:
 .TP
-.BR "--from " from-IP
+\fB\-\-from\fP \fIfrom-addr\fP
 .TP
-.BR "--to " to-IP
-Create an ipporthash set from the specified range.
+\fB\-\-to\fP \fIto-addr\fP
+Create an ipporthash set from the specified address range.
 .TP
-.BR "--network " IP/mask
+\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
 Create an ipporthash set from the specified network.
 .TP
-.BR "--hashsize " hashsize
+\fB\-\-hashsize\fP \fIhashsize\fP
 The initial hash size (default 1024)
 .TP
-.BR "--probes " probes
+\fB\-\-probes\fP \fIprobes\fP
 How many times try to resolve clashing at adding an IP to the hash 
 by double-hashing (default 8).
 .TP
-.BR "--resize " percent
+\fB\-\-resize\fP \fIpercent\fP
 Increase the hash size by this many percent (default 50) when adding
 an IP to the hash could not be performed after
-.B
-probes
+\fIprobes\fP
 number of double-hashing.
 .P
 The same resizing, speed and memory efficiency comments applies here 
@@ -411,39 +353,35 @@ address triples. The first IP address must come form a maximum /16
 sized network or range while the port number and the second IP address
 parameters are arbitrary. When adding, deleting and testing values in an 
 ipportiphash type of set, the entries must be specified as
-.B
-"IP,port,IP".
+"\fIaddress\fP\fB,\fP\fIport\fP\fB,\fP\fIaddress\fP".
 .P
 The ipportiphash types of sets evaluates three src/dst parameters of the 
-.I
-set
+"set"
 match and 
-.I
-SET
+"SET"
 target. 
 .P
 Options to use when creating an ipportiphash set:
 .TP
-.BR "--from " from-IP
+\fB\-\-from\fP \fIfrom-addr\fP
 .TP
-.BR "--to " to-IP
-Create an ipportiphash set from the specified range.
+\fB\-\-to\fP \fIto-addr\fP
+Create an ipportiphash set from the specified address range.
 .TP
-.BR "--network " IP/mask
+\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
 Create an ipportiphash set from the specified network.
 .TP
-.BR "--hashsize " hashsize
+\fB\-\-hashsize\fP \fIhashsize\fP
 The initial hash size (default 1024)
 .TP
-.BR "--probes " probes
+\fB\-\-probes\fP \fIprobes\fP
 How many times try to resolve clashing at adding an IP to the hash 
 by double-hashing (default 8).
 .TP
-.BR "--resize " percent
+\fB\-\-resize\fP \fIpercent\fP
 Increase the hash size by this many percent (default 50) when adding
 an IP to the hash could not be performed after
-.B
-probes
+\fIprobes\fP
 number of double-hashing.
 .P
 The same resizing, speed and memory efficiency comments applies here 
@@ -456,39 +394,35 @@ parameters are arbitrary, but the size of the network address must be
 between /1-/31. When adding, deleting 
 and testing values in an ipportnethash type of set, the entries must be
 specified as
-.B
-"IP,port,IP/cidr-size".
+"\fIaddress\fP\fB,\fP\fIport\fP\fB,\fP\fIaddress\fP\fB/\fP\fIprefixlen\fP".
 .P
 The ipportnethash types of sets evaluates three src/dst parameters of the 
-.I
-set
+"set"
 match and 
-.I
-SET
+"SET"
 target. 
 .P
 Options to use when creating an ipportnethash set:
 .TP
-.BR "--from " from-IP
+\fB\-\-from\fP \fIfrom-address\fP
 .TP
-.BR "--to " to-IP
+\fB\-\-to\fP \fIto-address\fP
 Create an ipporthash set from the specified range.
 .TP
-.BR "--network " IP/mask
+\fB\-\-network\fP \fIaddress\fP\fB/\fP\fImask\fP
 Create an ipporthash set from the specified network.
 .TP
-.BR "--hashsize " hashsize
+\fB\-\-hashsize\fP \fIhashsize\fP
 The initial hash size (default 1024)
 .TP
-.BR "--probes " probes
+\fB\-\-probes\fP \fIprobes\fP
 How many times try to resolve clashing at adding an IP to the hash 
 by double-hashing (default 8).
 .TP
-.BR "--resize " percent
+\fB\-\-resize\fP \fIpercent\fP
 Increase the hash size by this many percent (default 50) when adding
 an IP to the hash could not be performed after
-.B
-probes
+\fIprobes\fP
 number of double-hashing.
 .P
 The same resizing, speed and memory efficiency comments applies here 
@@ -499,14 +433,14 @@ with timeout values.
 .P
 Options to use when creating an iptree set:
 .TP
-.BR "--timeout " value
+\fB\-\-timeout\fP \fIvalue\fP
 The timeout value for the entries in seconds (default 0)
 .P
 If a set was created with a nonzero valued 
-.B "--timeout"
+\fB\-\-timeout\fP
 parameter then one may add IP addresses to the set with a specific 
 timeout value using the syntax 
-.I IP,timeout-value.
+"\fIaddress\fP\fB,\fP\fItimeout-value\fP".
 Similarly to the hash types, the iptree type of sets can store up to 65536
 entries.
 .SS iptreemap
@@ -514,37 +448,32 @@ The iptreemap set type uses a tree to store IP addresses or networks,
 where the last octet of an IP address are stored in a bitmap.
 As input entry, you can add IP addresses, CIDR blocks or network ranges
 to the set. Network ranges can be specified in the format
-.I IP1-IP2
+"\fIaddress1\fP\fB-\fP\fIaddress2\fP".
 .P
 Options to use when creating an iptreemap set:
 .TP
-.BR "--gc " value
+\fB\-\-gc\fP \fIvalue\fP
 How often the garbage collection should be called, in seconds (default 300)
 .SS setlist
 The setlist type uses a simple list in which you can store sets. By the
-.I
 ipset
 command you can add, delete and test sets in a setlist type of set.
 You can specify the sets as
-.B
-"setname[,after|before,setname]".
+"\fIsetname\fP[\fB,\fP{\fBafter\fP|\fBbefore\fP},\fIsetname\fP]".
 By default new sets are added after (appended to) the existing
 elements. Setlist type of sets cannot be added to a setlist type of set.
 .P
 Options to use when creating a setlist type of set:
 .TP
-.BR "--size " size
+\fB\-\-size\fP \fIsize\fP
 Create a setlist type of set with the given size (default 8).
-.P
+.PP
 By the
-.I
-set
+"set"
 match or
-.I
-SET
+"SET"
 target of
-.I
-iptables
+\fBiptables\fP(8)
 you can test, add or delete entries in the sets. The match
 will try to find a matching IP address/port in the sets and 
 the target will try to add the IP address/port to the first set
@@ -559,8 +488,9 @@ and
 .I
 b
 are setlist type of sets then in the command
-.TP
-iptables -m set --match-set a src,dst -j SET --add-set b src,dst
+.IP
+iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add-set b src,dst
+.PP
 the match and target will skip any set in
 .I a
 and
@@ -571,7 +501,7 @@ data storage in
 .I a
 set and add src to the first single or src,dst to the first double 
 data storage set in
-.I b.
+\fIb\fP.
 .P
 You can imagine a setlist type of set as an ordered union of
 the set elements. 
@@ -586,6 +516,8 @@ use the iphash set type. If you have got random size of netblocks,
 use nethash.
 .P
 Old separator tokens (':' and '%") are still accepted.
+.P
+Binding support is removed.
 .SH DIAGNOSTICS
 Various error messages are printed to standard error.  The exit code
 is 0 for correct functioning.  Errors which appear to be caused by

extensions/ipset/ipset.c

@@ -30,11 +30,15 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "2.5.0"
+#define IPSET_VERSION "4.2"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;
-const char *ipset_libdir = IPSET_LIB_DIR;
+static int protocol_version = 0;
+
+#define STREQ(a,b)	(strncmp(a,b,IP_SET_MAXNAMELEN) == 0)
+#define DONT_ALIGN	(protocol_version == IP_SET_PROTOCOL_UNALIGNED)
+#define ALIGNED(len)	IPSET_VALIGN(len, DONT_ALIGN)
 
 /* The list of loaded set types */
 static struct settype *all_settypes = NULL;
@@ -68,7 +72,7 @@ static unsigned int global_option_offset = 0;
 
 static const char cmdflags[] = { ' ',			/* CMD_NONE */ 
 	'N', 'X', 'F', 'E', 'W', 'L', 'S', 'R', 
-	'A', 'D', 'T', 'B', 'U', 'H', 'V',
+	'A', 'D', 'T', 'H', 'V',
 };
 
 /* Options */
@@ -77,11 +81,10 @@ static const char cmdflags[] = { ' ',			/* CMD_NONE */
 #define OPT_SORTED		0x0002U		/* -s */
 #define OPT_QUIET		0x0004U		/* -q */
 #define OPT_DEBUG		0x0008U		/* -z */
-#define OPT_BINDING		0x0010U		/* -b */
 #define OPT_RESOLVE		0x0020U		/* -r */
-#define NUMBER_OF_OPT 6
+#define NUMBER_OF_OPT 5
 static const char optflags[] =
-    { 'n', 's', 'q', 'z', 'b', 'r' };
+    { 'n', 's', 'q', 'z', 'r' };
 
 static struct option opts_long[] = {
 	/* set operations */
@@ -100,15 +103,10 @@ static struct option opts_long[] = {
 	{"del",     1, 0, 'D'},
 	{"test",    1, 0, 'T'},
 	
-	/* binding operations */
-	{"bind",    1, 0, 'B'},
-	{"unbind",  1, 0, 'U'},
-	
 	/* free options */
 	{"numeric", 0, 0, 'n'},
 	{"sorted",  0, 0, 's'},
 	{"quiet",   0, 0, 'q'},
-	{"binding", 1, 0, 'b'},
 	{"resolve", 0, 0, 'r'},
 
 #ifdef IPSET_DEBUG
@@ -125,7 +123,7 @@ static struct option opts_long[] = {
 };
 
 static char opts_short[] =
-    "-N:X::F::E:W:L::S::RA:D:T:B:U:nrsqzb:Vh::H::";
+    "-N:X::F::E:W:L::S::RA:D:T:nrsqzvVh::H::";
 
 /* Table of legal combinations of commands and options. If any of the
  * given commands make an option legal, that option is legal.
@@ -136,22 +134,20 @@ static char opts_short[] =
  */
 
 static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = {
-	/*            -n   -s   -q   -z   -b  */
-	 /*CREATE*/  {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*DESTROY*/ {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*FLUSH*/   {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*RENAME*/  {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*SWAP*/    {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*LIST*/    {' ', ' ', 'x', ' ', 'x', ' '},
-	 /*SAVE*/    {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*RESTORE*/ {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*ADD*/     {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*DEL*/     {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*TEST*/    {'x', 'x', ' ', ' ', ' ', 'x'},
-	 /*BIND*/    {'x', 'x', ' ', ' ', '+', 'x'},
-	 /*UNBIND*/  {'x', 'x', ' ', ' ', 'x', 'x'},
-	 /*HELP*/    {'x', 'x', 'x', ' ', 'x', 'x'},
-	 /*VERSION*/ {'x', 'x', 'x', ' ', 'x', 'x'},
+	/*            -n   -s   -q   -z   -r */
+	 /*CREATE*/  {'x', 'x', ' ', ' ', 'x'},
+	 /*DESTROY*/ {'x', 'x', ' ', ' ', 'x'},
+	 /*FLUSH*/   {'x', 'x', ' ', ' ', 'x'},
+	 /*RENAME*/  {'x', 'x', ' ', ' ', 'x'},
+	 /*SWAP*/    {'x', 'x', ' ', ' ', 'x'},
+	 /*LIST*/    {' ', ' ', 'x', ' ', ' '},
+	 /*SAVE*/    {'x', 'x', ' ', ' ', 'x'},
+	 /*RESTORE*/ {'x', 'x', ' ', ' ', 'x'},
+	 /*ADD*/     {'x', 'x', ' ', ' ', 'x'},
+	 /*DEL*/     {'x', 'x', ' ', ' ', 'x'},
+	 /*TEST*/    {'x', 'x', ' ', ' ', 'x'},
+	 /*HELP*/    {'x', 'x', 'x', ' ', 'x'},
+	 /*VERSION*/ {'x', 'x', 'x', ' ', 'x'},
 };
 
 /* Main parser function */
@@ -454,25 +450,26 @@ static void check_protocolversion(void)
 {
 	struct ip_set_req_version req_version;
 	socklen_t size = sizeof(struct ip_set_req_version);
-	int sockfd = kernel_getsocket();
 	int res;
 
-	req_version.op = IP_SET_OP_VERSION;
-	res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size);
-
-	if (res != 0) {
-		ipset_printf("I'm of protocol version %u.\n"
-			     "Kernel module is not loaded in, "
-			     "cannot verify kernel version.",
-			     IP_SET_PROTOCOL_VERSION);
+	if (protocol_version)
 		return;
-	}
-	if (req_version.version != IP_SET_PROTOCOL_VERSION)
+	
+	req_version.op = IP_SET_OP_VERSION;
+	res = wrapped_getsockopt(&req_version, &size);
+
+	if (res != 0)
 		exit_error(OTHER_PROBLEM,
-			   "Kernel ipset code is of protocol version %u."
+			   "Couldn't verify kernel module version!");
+
+	if (!(req_version.version == IP_SET_PROTOCOL_VERSION
+	      || req_version.version == IP_SET_PROTOCOL_UNALIGNED))
+		exit_error(OTHER_PROBLEM,
+			   "Kernel ip_set module is of protocol version %u."
 			   "I'm of protocol version %u.\n"
 			   "Please upgrade your kernel and/or ipset(8) utillity.",
 			   req_version.version, IP_SET_PROTOCOL_VERSION);
+	protocol_version = req_version.version;
 }
 
 static void set_command(int *cmd, int newcmd)
@@ -594,11 +591,6 @@ char *ip_tostring(ip_set_ip_t ip, unsigned options)
 	return inet_ntoa(addr);
 }
 
-char *binding_ip_tostring(struct set *set UNUSED,
-			  ip_set_ip_t ip, unsigned options)
-{
-	return ip_tostring(ip, options);
-}
 char *ip_tostring_numeric(ip_set_ip_t ip)
 {
 	return ip_tostring(ip, OPT_NUMERIC);
@@ -763,8 +755,7 @@ static struct settype *settype_find(const char *typename)
 	DP("%s", typename);
 
 	while (runner != NULL) {
-		if (strncmp(runner->typename, typename, 
-			    IP_SET_MAXNAMELEN) == 0)
+		if (STREQ(runner->typename, typename))
 			return runner;
 
 		runner = runner->next;
@@ -886,9 +877,7 @@ struct set *set_find_byname(const char *name)
 	ip_set_id_t i;
 	
 	for (i = 0; i < max_sets; i++)
-		if (set_list[i]
-		    && strncmp(set_list[i]->name, name,
-		    	       IP_SET_MAXNAMELEN) == 0) {
+		if (set_list[i] != NULL && STREQ(set_list[i]->name, name)) {
 			set = set_list[i];
 			break;
 		}
@@ -906,9 +895,7 @@ static ip_set_id_t set_find_free_index(const char *name)
 		if (idx == IP_SET_INVALID_ID
 		    && set_list[i] == NULL)
 			idx = i;
-		if (set_list[i] != NULL
-		    && strncmp(set_list[i]->name, name,
-			       IP_SET_MAXNAMELEN) == 0)
+		if (set_list[i] != NULL && STREQ(set_list[i]->name, name))
 			exit_error(PARAMETER_PROBLEM,
    				   "Set %s is already defined, cannot be restored",
    				   name);
@@ -935,7 +922,7 @@ static void set_create(const char *name, struct settype *settype)
 	DP("%s %s", name, settype->typename);
 
 	req_create.op = IP_SET_OP_CREATE;
-	req_create.version = IP_SET_PROTOCOL_VERSION;
+	req_create.version = protocol_version;
 	strcpy(req_create.name, name);
 	strcpy(req_create.typename, settype->typename);
 
@@ -959,14 +946,14 @@ static void set_restore_create(const char *name, struct settype *settype)
 {
 	struct set *set;
 	
-	DP("%s %s %u %u %u %u", name, settype->typename,
+	DP("%s %s %zu %zu %u %u", name, settype->typename,
 	   restore_offset, sizeof(struct ip_set_restore),
 	   settype->create_size, restore_size);
 
 	/* Sanity checking */
 	if (restore_offset
-	    + sizeof(struct ip_set_restore)
-	    + settype->create_size > restore_size)
+	    + ALIGNED(sizeof(struct ip_set_restore))
+	    + ALIGNED(settype->create_size) > restore_size)
 	    	exit_error(PARAMETER_PROBLEM,
 	    		   "Giving up, restore file is screwed up!");
 	    		   
@@ -985,11 +972,11 @@ static void set_restore_create(const char *name, struct settype *settype)
 	DP("name %s, restore index %u", restore_set->name, restore_set->index);
 	/* Add settype data */
 	
-	memcpy(restore_data + restore_offset + sizeof(struct ip_set_restore),
-	       settype->data, settype->create_size);
+	restore_offset += ALIGNED(sizeof(struct ip_set_restore));
+	memcpy(restore_data + restore_offset, settype->data, settype->create_size);
 
-	restore_offset += sizeof(struct ip_set_restore)
-			  + settype->create_size;	
+	restore_offset += ALIGNED(settype->create_size);
+	DP("restore_offset: %zu", restore_offset);
 	
 	/* Add set to set_list */
 	set = ipset_malloc(sizeof(struct set));
@@ -1009,7 +996,7 @@ static void set_destroy(const char *name, unsigned op, unsigned cmd)
 	DP("%s %s", cmd == CMD_DESTROY ? "destroy" : "flush", name);
 
 	req.op = op;
-	req.version = IP_SET_PROTOCOL_VERSION;
+	req.version = protocol_version;
 	strcpy(req.name, name);
 
 	kernel_sendto(cmd, &req, sizeof(struct ip_set_req_std));
@@ -1027,7 +1014,7 @@ static void set_rename(const char *name, const char *newname,
 		       name, newname);
 
 	req.op = op;
-	req.version = IP_SET_PROTOCOL_VERSION;
+	req.version = protocol_version;
 	strcpy(req.name, name);
 	strcpy(req.typename, newname);
 
@@ -1065,7 +1052,7 @@ tryagain:
 	}
 	/* Get max_sets */
 	req_max_sets.op = IP_SET_OP_MAX_SETS;
-	req_max_sets.version = IP_SET_PROTOCOL_VERSION;
+	req_max_sets.version = protocol_version;
 	strcpy(req_max_sets.set.name, name);
 	size = sizeof(req_max_sets);
 	kernel_getfrom(CMD_MAX_SETS, &req_max_sets, &size);
@@ -1083,8 +1070,8 @@ tryagain:
 		return 0;
 
 	/* Get setnames */
-	size = req_size = sizeof(struct ip_set_req_setnames) 
-			  + req_max_sets.sets * sizeof(struct ip_set_name_list);
+	size = req_size = ALIGNED(sizeof(struct ip_set_req_setnames)) 
+			  + req_max_sets.sets * ALIGNED(sizeof(struct ip_set_name_list));
 	data = ipset_malloc(size);
 	((struct ip_set_req_setnames *) data)->op = op;
 	((struct ip_set_req_setnames *) data)->index = *idx;
@@ -1102,8 +1089,8 @@ tryagain:
 	}
 		
 	/* Load in setnames */
-	size = sizeof(struct ip_set_req_setnames);			
-	while (size + sizeof(struct ip_set_name_list) <= req_size) {
+	size = ALIGNED(sizeof(struct ip_set_req_setnames));			
+	while (size + ALIGNED(sizeof(struct ip_set_name_list)) <= req_size) {
 		name_list = (struct ip_set_name_list *)
 			(data + size);
 		set = ipset_malloc(sizeof(struct set));
@@ -1114,9 +1101,9 @@ tryagain:
 		set_list[name_list->index] = set;
 		DP("loaded %s, type %s, index %u",
 		   set->name, set->settype->typename, set->index);
-		size += sizeof(struct ip_set_name_list);
+		size += ALIGNED(sizeof(struct ip_set_name_list));
 	}
-	/* Size to get set members, bindings */
+	/* Size to get set members  */
 	size = ((struct ip_set_req_setnames *)data)->size;
 	free(data);
 	
@@ -1126,36 +1113,7 @@ tryagain:
 /*
  * Save operation
  */
-static size_t save_bindings(void *data, size_t offset, size_t len)
-{
-	struct ip_set_hash_save *hash =
-		(struct ip_set_hash_save *) (data + offset);
-	struct set *set;
-
-	DP("offset %u, len %u", offset, len);
-	if (offset + sizeof(struct ip_set_hash_save) > len)
-		exit_error(OTHER_PROBLEM,
-			   "Save operation failed, try again later.");
-
-	set = set_find_byid(hash->id);
-	if (!(set && set_list[hash->binding]))
-		exit_error(OTHER_PROBLEM,
-			   "Save binding failed, try again later.");
-	if (!set->settype->bindip_tostring)
-		exit_error(OTHER_PROBLEM,
-			   "Internal error, binding is not supported with set %s"
-			   " of settype %s\n",
-			   set->name, set->settype->typename);
-	printf("-B %s %s -b %s\n",
-		set->name,
-		set->settype->bindip_tostring(set, hash->ip, OPT_NUMERIC),
-		set_list[hash->binding]->name);
-
-	return sizeof(struct ip_set_hash_save);
-}		
-
-static size_t save_set(void *data, int *bindings,
-		       size_t offset, size_t len)
+static size_t save_set(void *data, size_t offset, size_t len)
 {
 	struct ip_set_save *set_save =
 		(struct ip_set_save *) (data + offset);
@@ -1163,12 +1121,12 @@ static size_t save_set(void *data, int *bindings,
 	struct settype *settype;
 	size_t used;
 	
-	DP("offset %u (%u/%u/%u), len %u", offset,
+	DP("offset %zu (%zu/%u/%u), len %zu", offset,
 	   sizeof(struct ip_set_save), 
 	   set_save->header_size, set_save->members_size, 
 	   len);
-	if (offset + sizeof(struct ip_set_save) > len
-	    || offset + sizeof(struct ip_set_save)
+	if (offset + ALIGNED(sizeof(struct ip_set_save)) > len
+	    || offset + ALIGNED(sizeof(struct ip_set_save))
 	       + set_save->header_size + set_save->members_size > len)
 		exit_error(OTHER_PROBLEM,
 			   "Save operation failed, try again later.");
@@ -1176,8 +1134,7 @@ static size_t save_set(void *data, int *bindings,
 	DP("index: %u", set_save->index);
 	if (set_save->index == IP_SET_INVALID_ID) {
 		/* Marker */
-		*bindings = 1;
-		return sizeof(struct ip_set_save);
+		return ALIGNED(sizeof(struct ip_set_save));
 	}
 	set = set_list[set_save->index];
 	if (!set)
@@ -1186,7 +1143,7 @@ static size_t save_set(void *data, int *bindings,
 	settype = set->settype;
 
 	/* Init set header */
-	used = sizeof(struct ip_set_save);
+	used = ALIGNED(sizeof(struct ip_set_save));
 	settype->initheader(set, data + offset + used);
 
 	/* Print create set */
@@ -1195,44 +1152,18 @@ static size_t save_set(void *data, int *bindings,
 	/* Print add IPs */
 	used += set_save->header_size;
 	settype->saveips(set, data + offset + used,
-			 set_save->members_size, OPT_NUMERIC);
+			 set_save->members_size, OPT_NUMERIC,
+			 DONT_ALIGN);
 
 	return (used + set_save->members_size);
 }
 
-static size_t save_default_bindings(void *data, int *bindings)
-{
-	struct ip_set_save *set_save = (struct ip_set_save *) data;
-	struct set *set;
-	
-	if (set_save->index == IP_SET_INVALID_ID) {
-		/* Marker */
-		*bindings = 1;
-		return sizeof(struct ip_set_save);
-	}
-
-	set = set_list[set_save->index];
-	DP("%s, binding %u", set->name, set_save->binding);
-	if (set_save->binding != IP_SET_INVALID_ID) {
-		if (!set_list[set_save->binding])
-			exit_error(OTHER_PROBLEM,
-				   "Save set failed, try again later.");
-
-		printf("-B %s %s -b %s\n",
-			set->name, IPSET_TOKEN_DEFAULT, 
-			set_list[set_save->binding]->name);
-	}
-	return (sizeof(struct ip_set_save)
-	        + set_save->header_size
-	        + set_save->members_size);
-}
-
 static int try_save_sets(const char name[IP_SET_MAXNAMELEN])
 {
 	void *data = NULL;
 	socklen_t size, req_size = 0;
 	ip_set_id_t idx;
-	int res = 0, bindings = 0;
+	int res = 0;
 	time_t now = time(NULL);
 
 	/* Load set_list from kernel */
@@ -1240,15 +1171,17 @@ static int try_save_sets(const char name[IP_SET_MAXNAMELEN])
 			     IP_SET_OP_SAVE_SIZE, CMD_SAVE);
 	
 	if (size) {
-		/* Get sets, bindings and print them */
+		/* Get sets and print them */
 		/* Take into account marker */
-		req_size = (size += sizeof(struct ip_set_save));
+		req_size = (size += ALIGNED(sizeof(struct ip_set_save)));
 		data = ipset_malloc(size);
 		((struct ip_set_req_list *) data)->op = IP_SET_OP_SAVE;
 		((struct ip_set_req_list *) data)->index = idx;
 		res = kernel_getfrom_handleerrno(CMD_SAVE, data, &size);
 
 		if (res != 0 || size != req_size) {
+			DP("Try again: res: %i, size %u, req_size: %u",
+			   res, size, req_size);
 			free(data);
 			return -EAGAIN;
 		}
@@ -1258,17 +1191,8 @@ static int try_save_sets(const char name[IP_SET_MAXNAMELEN])
 	size = 0;
 	while (size < req_size) {
 		DP("size: %u, req_size: %u", size, req_size);
-		if (bindings)
-			size += save_bindings(data, size, req_size);
-		else
-			size += save_set(data, &bindings, size, req_size);
+		size += save_set(data, size, req_size);
 	}
-	/* Re-read data to save default bindings */
-	bindings = 0;
-	size = 0;
-	while (size < req_size && bindings == 0)
-		size += save_default_bindings(data + size, &bindings);
-
 	printf("COMMIT\n");
 	now = time(NULL);
 	printf("# Completed on %s", ctime(&now));
@@ -1366,7 +1290,7 @@ static void set_restore(char *argv0)
 	char buffer[1024];	
 	char *ptr, *name = NULL;
 	char cmd = ' ';
-	int first_pass, i, bindings = 0;
+	int first_pass, i;
 	struct settype *settype = NULL;
 	struct ip_set_req_setnames *header;
 	ip_set_id_t idx;
@@ -1381,8 +1305,7 @@ static void set_restore(char *argv0)
 		      IP_SET_OP_LIST_SIZE, CMD_RESTORE);
 	
 	restore_line = 0;
-	restore_size = sizeof(struct ip_set_req_setnames)/* header */
-		       + sizeof(struct ip_set_restore);  /* marker */
+	restore_size = ALIGNED(sizeof(struct ip_set_req_setnames)); /* header */
 	DP("restore_size: %u", restore_size);
 	/* First pass: calculate required amount of data */
 	while (fgets(buffer, sizeof(buffer), in)) {
@@ -1429,13 +1352,9 @@ static void set_restore(char *argv0)
 			        exit_error(PARAMETER_PROBLEM,
 			        	   "Missing settype in line %u\n",
 		        		   restore_line);
-			if (bindings)
-			        exit_error(PARAMETER_PROBLEM,
-			        	   "Invalid line %u: create must precede bindings\n",
-		        		   restore_line);
 			settype = check_set_typename(ptr);
-			restore_size += sizeof(struct ip_set_restore)
-					+ settype->create_size;
+			restore_size += ALIGNED(sizeof(struct ip_set_restore))
+					+ ALIGNED(settype->create_size);
 			DP("restore_size (N): %u", restore_size);
 			break; 
 		}
@@ -1446,20 +1365,10 @@ static void set_restore(char *argv0)
 			        	   "Add IP to set %s in line %u without "
 					   "preceding corresponding create set line\n",
 		        		   ptr, restore_line);
-			if (bindings)
-			        exit_error(PARAMETER_PROBLEM,
-			        	   "Invalid line %u: adding entries must precede bindings\n",
-		        		   restore_line);
-			restore_size += settype->adt_size;
+			restore_size += ALIGNED(settype->adt_size);
 			DP("restore_size (A): %u", restore_size);
 			break;
 		}
-		case 'B': {
-			bindings = 1;
-			restore_size += sizeof(struct ip_set_hash_save);
-			DP("restore_size (B): %u", restore_size);
-			break;
-		}
 		default: {
 			exit_error(PARAMETER_PROBLEM,
 		       		   "Unrecognized restore command in line %u\n",
@@ -1471,12 +1380,13 @@ static void set_restore(char *argv0)
 	if (!restore)
 		exit_error(PARAMETER_PROBLEM,
 		      	   "Missing COMMIT line\n");
+	restore_size += ALIGNED(sizeof(struct ip_set_restore)); /* marker */
 	DP("restore_size: %u", restore_size);
 	restore_data = ipset_malloc(restore_size);
 	header = (struct ip_set_req_setnames *) restore_data;
 	header->op = IP_SET_OP_RESTORE; 
 	header->size = restore_size; 
-	restore_offset = sizeof(struct ip_set_req_setnames);
+	restore_offset = ALIGNED(sizeof(struct ip_set_req_setnames));
 
 	/* Rewind to scan the file again */
 	fseek(in, 0L, SEEK_SET);
@@ -1508,17 +1418,15 @@ static void set_restore(char *argv0)
 	exit_error(PARAMETER_PROBLEM,
 	      	   "Broken restore file\n");
    do_restore:
-   	if (bindings == 0
-   	    && restore_size == 
-   	       (restore_offset + sizeof(struct ip_set_restore))) {
+   	if (restore_size == (restore_offset + ALIGNED(sizeof(struct ip_set_restore)))) {
    		/* No bindings */
 		struct ip_set_restore *marker = 
 			(struct ip_set_restore *) (restore_data + restore_offset);
 
-		DP("restore marker");
 		marker->index = IP_SET_INVALID_ID;
 		marker->header_size = marker->members_size = 0;
-		restore_offset += sizeof(struct ip_set_restore);
+		restore_offset += ALIGNED(sizeof(struct ip_set_restore));
+		DP("restore marker, restore_offset: %zu", restore_offset);
 	}
 	if (restore_size != restore_offset)
 		exit_error(PARAMETER_PROBLEM,
@@ -1550,8 +1458,10 @@ static struct set *set_adt_get(const char *name)
 
 	DP("%s", name);
 
+	check_protocolversion();
+
 	req_adt_get.op = IP_SET_OP_ADT_GET;
-	req_adt_get.version = IP_SET_PROTOCOL_VERSION;
+	req_adt_get.version = protocol_version;
 	strcpy(req_adt_get.set.name, name);
 	size = sizeof(struct ip_set_req_adt_get);
 
@@ -1579,15 +1489,15 @@ static int set_adtip(struct set *set, const char *adt,
 	DP("%s -> %s", set->name, adt);
 
 	/* Alloc memory for the data to send */
-	size = sizeof(struct ip_set_req_adt) + set->settype->adt_size ;
-	DP("alloc size %i", size);
+	size = ALIGNED(sizeof(struct ip_set_req_adt)) + set->settype->adt_size ;
+	DP("alloc size %zu", size);
 	data = ipset_malloc(size);
 
 	/* Fill out the request */
 	req_adt = (struct ip_set_req_adt *) data;
 	req_adt->op = op;
 	req_adt->index = set->index;
-	memcpy(data + sizeof(struct ip_set_req_adt),
+	memcpy(data + ALIGNED(sizeof(struct ip_set_req_adt)),
 	       set->settype->data, set->settype->adt_size);
 	
 	if (kernel_sendto_handleerrno(cmd, data, size) == -1)
@@ -1625,155 +1535,22 @@ static void set_restore_add(struct set *set, const char *adt UNUSED)
 {
 	DP("%s %s", set->name, adt);
 	/* Sanity checking */
-	if (restore_offset + set->settype->adt_size > restore_size)
+	if (restore_offset + ALIGNED(set->settype->adt_size) > restore_size)
 	    	exit_error(PARAMETER_PROBLEM,
 	    		   "Giving up, restore file is screwed up!");
 	    		   
 	memcpy(restore_data + restore_offset,
 	       set->settype->data, set->settype->adt_size);
-	restore_set->members_size += set->settype->adt_size;
-	restore_offset += set->settype->adt_size;
-}
+	restore_set->members_size += ALIGNED(set->settype->adt_size);
+	restore_offset += ALIGNED(set->settype->adt_size);
 
-/*
- * Send bind/unbind/test binding order to kernel for a set
- */
-static int set_bind(struct set *set, const char *adt,
-		    const char *binding,
-		    unsigned op, unsigned cmd)
-{
-	struct ip_set_req_bind *req_bind;
-	size_t size;
-	void *data;
-	int res = 0;
-
-	/* set may be null: '-U :all: :all:|:default:' */
-	DP("(%s, %s) -> %s", set ? set->name : IPSET_TOKEN_ALL, adt, binding);
-
-	/* Ugly */
-	if (set != NULL
-	    && ((strcmp(set->settype->typename, "iptreemap") == 0)
-	        || (strcmp(set->settype->typename, "ipportiphash") == 0)
-	        || (strcmp(set->settype->typename, "ipportnethash") == 0)
-	        || (strcmp(set->settype->typename, "setlist") == 0)))
-		exit_error(PARAMETER_PROBLEM,
-			"%s type of sets cannot be used at binding operations\n",
-			set->settype->typename);
-	/* Alloc memory for the data to send */
-	size = sizeof(struct ip_set_req_bind);
-	if (op != IP_SET_OP_UNBIND_SET && adt[0] == ':')
-		/* Set default binding */
-		size += IP_SET_MAXNAMELEN;
-	else if (!(op == IP_SET_OP_UNBIND_SET && set == NULL))
-		size += set->settype->adt_size;
-	DP("alloc size %i", size);
-	data = ipset_malloc(size);
-
-	/* Fill out the request */
-	req_bind = (struct ip_set_req_bind *) data;
-	req_bind->op = op;
-	req_bind->index = set ? set->index : IP_SET_INVALID_ID;
-	if (adt[0] == ':') {
-		/* ':default:' and ':all:' */
-		strncpy(req_bind->binding, adt, IP_SET_MAXNAMELEN);
-		if (op != IP_SET_OP_UNBIND_SET && adt[0] == ':')
-			strncpy(data + sizeof(struct ip_set_req_bind),
-				binding, IP_SET_MAXNAMELEN);
-	} else {
-		strncpy(req_bind->binding, binding, IP_SET_MAXNAMELEN);
-		memcpy(data + sizeof(struct ip_set_req_bind),
-		       set->settype->data, set->settype->adt_size);
-	}
-
-	if (op == IP_SET_OP_TEST_BIND_SET) {
-		if (kernel_sendto_handleerrno(cmd, data, size) == -1) {
-			ipset_printf("%s in set %s is bound to %s.",
-				     adt, set->name, binding);
-			res = 0;
-		} else {
-			ipset_printf("%s in set %s is NOT bound to %s.",
-				     adt, set->name, binding);
-			res = 1;
-		}
-	} else 	
-		kernel_sendto(cmd, data, size);
-	free(data);
-
-	return res;
-}
-
-static void set_restore_bind(struct set *set,
-			     const char *adt,
-			     const char *binding)
-{
-	struct ip_set_hash_save *hash_restore;
-
-	if (restore == 1) {
-		/* Marker */
-		struct ip_set_restore *marker = 
-			(struct ip_set_restore *) (restore_data + restore_offset);
-
-		DP("restore marker");
-		if (restore_offset + sizeof(struct ip_set_restore) 
-		    > restore_size)
-		    	exit_error(PARAMETER_PROBLEM,
-		    		   "Giving up, restore file is screwed up!");
-		marker->index = IP_SET_INVALID_ID;
-		marker->header_size = marker->members_size = 0;
-		restore_offset += sizeof(struct ip_set_restore);
-		restore = 2;
-	}
-	/* Sanity checking */
-	if (restore_offset + sizeof(struct ip_set_hash_save) > restore_size)
-	    	exit_error(PARAMETER_PROBLEM,
-	    		   "Giving up, restore file is screwed up!");
-
-	hash_restore = (struct ip_set_hash_save *) (restore_data + restore_offset);
-	DP("%s -> %s", adt, binding);
-	if (strcmp(adt, IPSET_TOKEN_DEFAULT) == 0)
-		hash_restore->ip = 0;
-	else {
-		if (!set->settype->bindip_parse)
-			exit_error(OTHER_PROBLEM,
-				   "Internal error, binding is not supported with set %s"
-				   " of settype %s\n",
-				   set->name, set->settype->typename);
-		set->settype->bindip_parse(adt, &hash_restore->ip);
-	}
-	hash_restore->id = set->index;	    		   
-	hash_restore->binding = (set_find_byname(binding))->index;	
-	DP("id %u, ip %u, binding %u",
-	   hash_restore->id, hash_restore->ip, hash_restore->binding);
-	restore_offset += sizeof(struct ip_set_hash_save);
+	DP("restore_offset: %zu", restore_offset);
 }
 
 /*
  * Print operation
  */
 
-static void print_bindings(struct set *set,
-			   void *data, size_t size, unsigned options,
-			   char * (*printip)(struct set *set, 
-					     ip_set_ip_t ip, unsigned options))
-{
-	size_t offset = 0;
-	struct ip_set_hash_list *hash;
-
-	if (offset < size && !printip)
-		exit_error(OTHER_PROBLEM,
-			   "Internal error, binding is not supported with set %s"
-			   " of settype %s\n",
-			   set->name, set->settype->typename);
-
-	while (offset < size) {
-		hash = (struct ip_set_hash_list *) (data + offset);
-		printf("%s -> %s\n", 
-			printip(set, hash->ip, options),
-			set_list[hash->binding]->name);
-		offset += sizeof(struct ip_set_hash_list);
-	}
-}
-
 /* Help function to set_list() */
 static size_t print_set(void *data, unsigned options)
 {
@@ -1783,15 +1560,14 @@ static size_t print_set(void *data, unsigned options)
 	size_t offset;
 
 	/* Pretty print the set */
+	DP("header size: %u, members size: %u",
+	   setlist->header_size, setlist->members_size);
 	printf("Name: %s\n", set->name);
 	printf("Type: %s\n", settype->typename);
 	printf("References: %d\n", setlist->ref);
-	printf("Default binding: %s\n",
-	       setlist->binding == IP_SET_INVALID_ID ? ""
-	       : set_list[setlist->binding]->name);
 
 	/* Init header */
-	offset = sizeof(struct ip_set_list);
+	offset = ALIGNED(sizeof(struct ip_set_list));
 	settype->initheader(set, data + offset);
 
 	/* Pretty print the type header */
@@ -1801,24 +1577,20 @@ static size_t print_set(void *data, unsigned options)
 	/* Pretty print all IPs */
 	printf("Members:\n");
 	offset += setlist->header_size;
+	DP("Aligned: %u, offset: %zu, members_size %u\n", !DONT_ALIGN, offset,
+	   setlist->members_size);
 	if (options & OPT_SORTED)
 		settype->printips_sorted(set, data + offset,
-					 setlist->members_size, options);
+					 setlist->members_size, options,
+					 DONT_ALIGN);
 	else
 		settype->printips(set, data + offset,
-				  setlist->members_size, options);
-
-	/* Print bindings */
-	printf("Bindings:\n");
-	offset += setlist->members_size;
-	if (set->settype->bindip_tostring)
-		print_bindings(set,
-		       data + offset, setlist->bindings_size, options,
-		       settype->bindip_tostring);
+				  setlist->members_size, options,
+				  DONT_ALIGN);
 
 	printf("\n");		/* One newline between sets */
 	
-	return (offset + setlist->bindings_size);
+	return (offset + setlist->members_size);
 }
 
 static int try_list_sets(const char name[IP_SET_MAXNAMELEN],
@@ -1889,9 +1661,9 @@ static void set_help(const struct settype *settype)
 	       "Usage: %s -N new-set settype [options]\n"
 	       "       %s -[XFLSH] [set] [options]\n"
 	       "       %s -[EW] from-set to-set\n"
-	       "       %s -[ADTU] set IP\n"
-	       "       %s -B set IP option\n"
+	       "       %s -[ADT] set IP\n"
 	       "       %s -R\n"
+	       "       %s -v\n"
 	       "       %s -h (print this help information)\n\n",
 	       program_name, program_version, 
 	       program_name, program_name, program_name,
@@ -1922,13 +1694,6 @@ static void set_help(const struct settype *settype)
 	       "                    Deletes an IP from a set\n"
 	       "  --test    -T setname IP \n"
 	       "                    Tests if an IP exists in a set.\n"
-	       "  --bind    -B setname IP|:default: -b bind-setname\n"
-	       "                    Bind the IP in setname to bind-setname.\n"
-	       "  --unbind  -U setname IP|:all:|:default:\n"
-	       "                    Delete binding belonging to IP,\n"
-	       "                    all bindings or default binding of setname.\n"
-	       "  --unbind  -U :all: :all:|:default:\n"
-	       "                    Delete all bindings or all default bindings.\n"
 	       "  --help    -H [settype]\n"
 	       "                    Prints this help, and settype specific help\n"
 	       "  --version -V\n"
@@ -1937,8 +1702,7 @@ static void set_help(const struct settype *settype)
 	       "  --sorted     -s   Numeric sort of the IPs in -L\n"
 	       "  --numeric    -n   Numeric output of addresses in a -L (default)\n"
 	       "  --resolve    -r   Try to resolve addresses in a -L\n"
-	       "  --quiet      -q   Suppress any output to stdout and stderr.\n"
-	       "  --binding    -b   Specifies the binding for -B\n");
+	       "  --quiet      -q   Suppress any output to stdout and stderr.\n");
 #ifdef IPSET_DEBUG
 	printf("  --debug      -z   Enable debugging\n\n");
 #else
@@ -1970,40 +1734,13 @@ static int parse_adt_cmdline(int command,
 {
 	int res = 0;
 
-	/* -U :all: :all:|:default: */
-	if (command == CMD_UNBIND) {
-		if (strcmp(name, IPSET_TOKEN_ALL) == 0) {
-			if (strcmp(adt, IPSET_TOKEN_DEFAULT) == 0
-			    || strcmp(adt, IPSET_TOKEN_ALL) == 0) {
-			    	*set = NULL;
-			    	*settype = NULL;
-			    	return 1;
-			} else
-				exit_error(PARAMETER_PROBLEM,
-					   "-U %s requires %s or %s as binding name",
-					   IPSET_TOKEN_ALL,
-					   IPSET_TOKEN_DEFAULT,
-					   IPSET_TOKEN_ALL);
-		}
-	}
-	*set = restore ? set_find_byname(name)
-		       : set_adt_get(name);
+	*set = restore ? set_find_byname(name) : set_adt_get(name);
 					
 	/* Reset space for adt data */
 	*settype = (*set)->settype;
 	memset((*settype)->data, 0, (*settype)->adt_size);
 
-	if ((command == CMD_TEST
-	     || command == CMD_BIND
-	     || command == CMD_UNBIND)
-	    && (strcmp(adt, IPSET_TOKEN_DEFAULT) == 0
-		|| strcmp(adt, IPSET_TOKEN_ALL) == 0))
-		res = 1;
-	else
-		res = (*settype)->adt_parser(
-				command,
-				adt,
-				(*settype)->data);
+	res = (*settype)->adt_parser(command, adt, (*settype)->data);
 
 	return res;
 }
@@ -2018,9 +1755,8 @@ int parse_commandline(int argc, char *argv[])
 	
 	char *name = NULL;		/* All except -H, -R */
 	char *newname = NULL;		/* -E, -W */
-	char *adt = NULL;		/* -A, -D, -T, -B, -U */
-	char *binding = NULL;		/* -B */
-	struct set *set = NULL;		/* -A, -D, -T, -B, -U */
+	char *adt = NULL;		/* -A, -D, -T */
+	struct set *set = NULL;		/* -A, -D, -T */
 	struct settype *settype = NULL;	/* -N, -H */
 	char all_sets[] = IPSET_TOKEN_ALL;
 	
@@ -2054,11 +1790,14 @@ int parse_commandline(int argc, char *argv[])
 				break;
 			}
 
-		case 'V':{	/* Version */
-				printf("%s v%s Protocol version %u.\n",
+		case 'V':
+		case 'v': {	/* Version */
+				printf("%s v%s, protocol version %u.\n",
 				       program_name, program_version,
 				       IP_SET_PROTOCOL_VERSION);
 				check_protocolversion();
+				printf("Kernel module protocol version %u.\n",
+				       protocol_version);
 				exit(0);
 			}
 
@@ -2067,7 +1806,7 @@ int parse_commandline(int argc, char *argv[])
 
 				name = check_set_name(optarg);
 				
-				/* Protect reserved names (binding) */
+				/* Protect reserved names */
 				if (name[0] == ':')
 					exit_error(PARAMETER_PROBLEM,
 						   "setname might not start with colon",
@@ -2142,9 +1881,7 @@ int parse_commandline(int argc, char *argv[])
 
 		case 'A':	/* Add IP */
 		case 'D':	/* Del IP */
-		case 'T':	/* Test IP */
-		case 'B':	/* Bind IP */
-		case 'U':{	/* Unbind IP */
+		case 'T':{	/* Test IP */
 				set_command(&command, find_cmd(c));
 
 				name = check_set_name(optarg);
@@ -2197,11 +1934,6 @@ int parse_commandline(int argc, char *argv[])
 			break;
 #endif
 
-		case 'b':
-			add_option(&options, OPT_BINDING);
-			binding = check_set_name(optarg);
-			break;
-
 		case 1:	/* non option */
 			printf("Bad argument `%s'\n", optarg);
 			exit_tryhelp(PARAMETER_PROBLEM);
@@ -2248,6 +1980,8 @@ int parse_commandline(int argc, char *argv[])
 	generic_opt_check(command, options);
 
 	DP("cmd: %c", cmd2char(command));
+	
+	check_protocolversion();
 
 	switch (command) {
 	case CMD_CREATE:
@@ -2298,26 +2032,7 @@ int parse_commandline(int argc, char *argv[])
 		break;
 
 	case CMD_TEST:
-		if (binding)
-			res = set_bind(set, adt, binding, 
-				       IP_SET_OP_TEST_BIND_SET, CMD_TEST);
-		else
-			res = set_adtip(set, adt, 
-					IP_SET_OP_TEST_IP, CMD_TEST);
-		break;
-
-	case CMD_BIND:
-		fprintf(stderr, "Warning: binding will be removed from the next release.\n"
-			        "Please replace bindigs with sets of ipportmap and ipportiphash types\n");
-		if (restore)
-			set_restore_bind(set, adt, binding);
-		else
-			set_bind(set, adt, binding,
-				 IP_SET_OP_BIND_SET, CMD_BIND);
-		break;
-
-	case CMD_UNBIND:
-		set_bind(set, adt, "", IP_SET_OP_UNBIND_SET, CMD_UNBIND);
+		res = set_adtip(set, adt, IP_SET_OP_TEST_IP, CMD_TEST);
 		break;
 
 	case CMD_HELP:

extensions/ipset/ipset.h

@@ -56,8 +56,6 @@ enum set_commands {
 	CMD_ADD,		/* -A */
 	CMD_DEL,		/* -D */
 	CMD_TEST,		/* -T */
-	CMD_BIND,		/* -B */
-	CMD_UNBIND,		/* -U */
 	CMD_HELP,		/* -H */
 	CMD_VERSION,		/* -V */
 	NUMBER_OF_CMD = CMD_VERSION,
@@ -95,7 +93,7 @@ struct settype {
 	 */
 
 	/* Size of create data. Will be sent to kernel */
-	size_t create_size;
+	u_int32_t create_size;
 
 	/* Initialize the create. */
 	void (*create_init) (void *data);
@@ -115,7 +113,7 @@ struct settype {
 	 */
 
 	/* Size of data. Will be sent to kernel */
-	size_t adt_size;
+	u_int32_t adt_size;
 
 	/* Function which parses command options */
 	ip_set_ip_t (*adt_parser) (int cmd, const char *optarg, void *data);
@@ -125,7 +123,7 @@ struct settype {
 	 */
 
 	/* Size of header. */
-	size_t header_size;
+	u_int32_t header_size;
 
 	/* Initialize the type-header */
 	void (*initheader) (struct set *set, const void *data);
@@ -134,22 +132,19 @@ struct settype {
 	void (*printheader) (struct set *set, unsigned options);
 
 	/* Pretty print all IPs */
-	void (*printips) (struct set *set, void *data, size_t len, unsigned options);
+	void (*printips) (struct set *set, void *data, u_int32_t len,
+			  unsigned options, char dont_align);
 
 	/* Pretty print all IPs sorted */
-	void (*printips_sorted) (struct set *set, void *data, size_t len, unsigned options);
+	void (*printips_sorted) (struct set *set, void *data, u_int32_t len,
+				 unsigned options, char dont_align);
 
 	/* Print save arguments for creating the set */
 	void (*saveheader) (struct set *set, unsigned options);
 
 	/* Print save for all IPs */
-	void (*saveips) (struct set *set, void *data, size_t len, unsigned options);
-
-	/* Conver a single IP (binding) to string */
-	char * (*bindip_tostring)(struct set *set, ip_set_ip_t ip, unsigned options);
-	
-	/* Parse an IP at restoring bindings. FIXME */
-	void (*bindip_parse) (const char *str, ip_set_ip_t * ip);
+	void (*saveips) (struct set *set, void *data, u_int32_t len,
+			 unsigned options, char dont_align);
 
 	/* Print usage */
 	void (*usage) (void);
@@ -189,10 +184,13 @@ extern struct set *set_find_byid(ip_set_id_t id);
 
 extern unsigned warn_once;
 
-#define BITSPERBYTE	(8*sizeof(char))
-#define ID2BYTE(id)	((id)/BITSPERBYTE)
-#define ID2MASK(id)	(1 << ((id)%BITSPERBYTE))
-#define test_bit(id, heap)	((((char *)(heap))[ID2BYTE(id)] & ID2MASK(id)) != 0)
+#define BITS_PER_LONG	(8*sizeof(ip_set_ip_t))
+#define BIT_WORD(nr)	((nr) / BITS_PER_LONG)
+
+static inline int test_bit(int nr, const ip_set_ip_t *addr)
+{
+	return 1 & (addr[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG-1)));
+}
 
 #define UNUSED __attribute__ ((unused))
 #define CONSTRUCTOR(module) \

extensions/ipset/ipset_iphash.c

@@ -32,7 +32,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data)
+iphash_create_init(void *data)
 {
 	struct ip_set_req_iphash_create *mydata = data;
 
@@ -48,7 +48,7 @@ create_init(void *data)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
+iphash_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
 	struct ip_set_req_iphash_create *mydata =
 	    (struct ip_set_req_iphash_create *) data;
@@ -117,7 +117,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
+iphash_create_final(void *data UNUSED, unsigned int flags UNUSED)
 {
 }
 
@@ -132,7 +132,7 @@ static const struct option create_opts[] = {
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
+iphash_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_iphash *mydata = data;
 
@@ -149,7 +149,7 @@ adt_parser(int cmd UNUSED, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+iphash_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_iphash_create *header = data;
 	struct ip_set_iphash *map = set->settype->header;
@@ -178,7 +178,7 @@ mask_to_bits(ip_set_ip_t mask)
 }
 
 static void
-printheader(struct set *set, unsigned options UNUSED)
+iphash_printheader(struct set *set, unsigned options UNUSED)
 {
 	struct ip_set_iphash *mysetdata = set->settype->header;
 
@@ -192,21 +192,21 @@ printheader(struct set *set, unsigned options UNUSED)
 }
 
 static void
-printips(struct set *set UNUSED, void *data, size_t len, unsigned options)
+iphash_printips(struct set *set UNUSED, void *data, u_int32_t len,
+		unsigned options, char dont_align)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("%s\n", ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
+		printf("%s\n", ip_tostring(*ip, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
 static void
-saveheader(struct set *set, unsigned options UNUSED)
+iphash_saveheader(struct set *set, unsigned options UNUSED)
 {
 	struct ip_set_iphash *mysetdata = set->settype->header;
 
@@ -221,21 +221,21 @@ saveheader(struct set *set, unsigned options UNUSED)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set UNUSED, void *data, size_t len, unsigned options)
+iphash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
+	       unsigned options, char dont_align)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
+		printf("-A %s %s\n", set->name, ip_tostring(*ip, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
-static void usage(void)
+static void
+iphash_usage(void)
 {
 	printf
 	    ("-N set iphash [--hashsize hashsize] [--probes probes ]\n"
@@ -251,29 +251,25 @@ static struct settype settype_iphash = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_iphash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = iphash_create_init,
+	.create_parse = iphash_create_parse,
+	.create_final = iphash_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_iphash),
-	.adt_parser = &adt_parser,
+	.adt_parser = iphash_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_iphash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = iphash_initheader,
+	.printheader = iphash_printheader,
+	.printips = iphash_printips,
+	.printips_sorted = iphash_printips,
+	.saveheader = iphash_saveheader,
+	.saveips = iphash_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse = &parse_ip,
-	
-	.usage = &usage,
+	.usage = iphash_usage,
 };
 
 CONSTRUCTOR(iphash)

extensions/ipset/ipset_ipmap.c

@@ -35,7 +35,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data)
+ipmap_create_init(void *data)
 {
 	struct ip_set_req_ipmap_create *mydata = data;
 
@@ -45,7 +45,7 @@ create_init(void *data)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
+ipmap_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
 	struct ip_set_req_ipmap_create *mydata = data;
 	unsigned int bits;
@@ -115,7 +115,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data, unsigned int flags)
+ipmap_create_final(void *data, unsigned int flags)
 {
 	struct ip_set_req_ipmap_create *mydata = data;
 	ip_set_ip_t range;
@@ -188,7 +188,7 @@ static const struct option create_opts[] = {
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
+ipmap_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_ipmap *mydata = data;
 
@@ -205,7 +205,7 @@ adt_parser(int cmd UNUSED, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+ipmap_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_ipmap_create *header = data;
 	struct ip_set_ipmap *map = set->settype->header;
@@ -225,16 +225,16 @@ initheader(struct set *set, const void *data)
 		mask = range_to_mask(header->from, header->to, &mask_bits);
 		netmask_bits = mask_to_bits(header->netmask);
 
-		DP("bits: %i %i", mask_bits, netmask_bits);
+		DP("bits: %d %d", mask_bits, netmask_bits);
 		map->hosts = 2 << (32 - netmask_bits - 1);
 		map->sizeid = 2 << (netmask_bits - mask_bits - 1);
 	}
 
-	DP("%i %i", map->hosts, map->sizeid );
+	DP("%d %d", map->hosts, map->sizeid );
 }
 
 static void
-printheader(struct set *set, unsigned options)
+ipmap_printheader(struct set *set, unsigned options)
 {
 	struct ip_set_ipmap *mysetdata = set->settype->header;
 
@@ -246,9 +246,9 @@ printheader(struct set *set, unsigned options)
 		printf(" netmask: %d\n", mask_to_bits(mysetdata->netmask));
 }
 
-static void
-printips_sorted(struct set *set, void *data,
-		size_t len UNUSED, unsigned options)
+static inline void
+__ipmap_printips_sorted(struct set *set, void *data,
+			u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_ipmap *mysetdata = set->settype->header;
 	ip_set_ip_t id;
@@ -262,7 +262,26 @@ printips_sorted(struct set *set, void *data,
 }
 
 static void
-saveheader(struct set *set, unsigned options)
+ipmap_printips_sorted(struct set *set, void *data,
+		      u_int32_t len, unsigned options,
+		      char dont_align)
+{
+	ip_set_ip_t *ip;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __ipmap_printips_sorted(set, data, len, options);
+	
+	while (offset < len) {
+		DP("offset: %zu, len %u\n", offset, len);
+		ip = data + offset;
+		printf("%s\n", ip_tostring(*ip, options));
+		offset += IPSET_ALIGN(sizeof(ip_set_ip_t));
+	}
+}
+
+static void
+ipmap_saveheader(struct set *set, unsigned options)
 {
 	struct ip_set_ipmap *mysetdata = set->settype->header;
 
@@ -278,8 +297,9 @@ saveheader(struct set *set, unsigned options)
 		       mask_to_bits(mysetdata->netmask));
 }
 
-static void
-saveips(struct set *set, void *data, size_t len UNUSED, unsigned options)
+static inline void
+__ipmap_saveips(struct set *set, void *data, u_int32_t len UNUSED,
+		unsigned options)
 {
 	struct ip_set_ipmap *mysetdata = set->settype->header;
 	ip_set_ip_t id;
@@ -294,7 +314,25 @@ saveips(struct set *set, void *data, size_t len UNUSED, unsigned options)
 					   options));
 }
 
-static void usage(void)
+static void
+ipmap_saveips(struct set *set, void *data, u_int32_t len,
+	      unsigned options, char dont_align)
+{
+	ip_set_ip_t *ip;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __ipmap_saveips(set, data, len, options);
+	
+	while (offset < len) {
+		ip = data + offset;
+		printf("-A %s %s\n", set->name, ip_tostring(*ip, options));
+		offset += IPSET_ALIGN(sizeof(ip_set_ip_t));
+	}
+}
+
+static void
+ipmap_usage(void)
 {
 	printf
 	    ("-N set ipmap --from IP --to IP [--netmask CIDR-netmask]\n"
@@ -310,29 +348,25 @@ static struct settype settype_ipmap = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_ipmap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = ipmap_create_init,
+	.create_parse = ipmap_create_parse,
+	.create_final = ipmap_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_ipmap),
-	.adt_parser = &adt_parser,
+	.adt_parser = ipmap_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_ipmap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = ipmap_initheader,
+	.printheader = ipmap_printheader,
+	.printips = ipmap_printips_sorted,
+	.printips_sorted = ipmap_printips_sorted,
+	.saveheader = ipmap_saveheader,
+	.saveips = ipmap_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse	= &parse_ip,
-
-	.usage = &usage,
+	.usage = ipmap_usage,
 };
 
 CONSTRUCTOR(ipmap)

extensions/ipset/ipset_ipporthash.c

@@ -32,7 +32,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data)
+ipporthash_create_init(void *data)
 {
 	struct ip_set_req_ipporthash_create *mydata = data;
 
@@ -46,7 +46,8 @@ create_init(void *data)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
+ipporthash_create_parse(int c, char *argv[] UNUSED, void *data,
+			unsigned *flags)
 {
 	struct ip_set_req_ipporthash_create *mydata = data;
 	ip_set_ip_t value;
@@ -137,7 +138,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data, unsigned int flags)
+ipporthash_create_final(void *data, unsigned int flags)
 {
 	struct ip_set_req_ipporthash_create *mydata = data;
 
@@ -189,7 +190,7 @@ static const struct option create_opts[] = {
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
+ipporthash_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_ipporthash *mydata = data;
 	char *saved = ipset_strdup(arg);
@@ -222,7 +223,7 @@ adt_parser(int cmd UNUSED, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+ipporthash_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_ipporthash_create *header = data;
 	struct ip_set_ipporthash *map = set->settype->header;
@@ -236,7 +237,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned options)
+ipporthash_printheader(struct set *set, unsigned options)
 {
 	struct ip_set_ipporthash *mysetdata = set->settype->header;
 
@@ -248,7 +249,8 @@ printheader(struct set *set, unsigned options)
 }
 
 static void
-printips(struct set *set, void *data, size_t len, unsigned options)
+ipporthash_printips(struct set *set, void *data, u_int32_t len,
+		    unsigned options, char dont_align)
 {
 	struct ip_set_ipporthash *mysetdata = set->settype->header;
 	size_t offset = 0;
@@ -257,19 +259,17 @@ printips(struct set *set, void *data, size_t len, unsigned options)
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("%s,%s\n", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
-		offset += sizeof(ip_set_ip_t);
+		ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
+		printf("%s,%s\n", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
 static void
-saveheader(struct set *set, unsigned options)
+ipporthash_saveheader(struct set *set, unsigned options)
 {
 	struct ip_set_ipporthash *mysetdata = set->settype->header;
 
@@ -284,7 +284,8 @@ saveheader(struct set *set, unsigned options)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set, void *data, size_t len, unsigned options)
+ipporthash_saveips(struct set *set, void *data, u_int32_t len,
+		   unsigned options, char dont_align)
 {
 	struct ip_set_ipporthash *mysetdata = set->settype->header;
 	size_t offset = 0;
@@ -293,34 +294,17 @@ saveips(struct set *set, void *data, size_t len, unsigned options)
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("-A %s %s,%s\n", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
-		offset += sizeof(ip_set_ip_t);
+		ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
+		printf("-A %s %s,%s\n", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
-static char buffer[22];
-
-static char *
-unpack_ipport_tostring(struct set *set, ip_set_ip_t bip, unsigned options)
-{
-	struct ip_set_ipporthash *mysetdata = set->settype->header;
-	ip_set_ip_t ip, port;
-	
-	ip = (bip>>16) + mysetdata->first_ip;
-	port = (uint16_t) bip;
-	sprintf(buffer, "%s,%s", 
-		ip_tostring(ip, options), port_tostring(port, options));
-		
-	return buffer;
-}
-
-static void usage(void)
+static void
+ipporthash_usage(void)
 {
 	printf
 	    ("-N set ipporthash --from IP --to IP\n"
@@ -338,29 +322,25 @@ static struct settype settype_ipporthash = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_ipporthash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = ipporthash_create_init,
+	.create_parse = ipporthash_create_parse,
+	.create_final = ipporthash_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_ipporthash),
-	.adt_parser = &adt_parser,
+	.adt_parser = ipporthash_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_ipporthash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = ipporthash_initheader,
+	.printheader = ipporthash_printheader,
+	.printips = ipporthash_printips,
+	.printips_sorted = ipporthash_printips,
+	.saveheader = ipporthash_saveheader,
+	.saveips = ipporthash_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &unpack_ipport_tostring,
-	.bindip_parse = &parse_ip,
-	
-	.usage = &usage,
+	.usage = ipporthash_usage,
 };
 
 CONSTRUCTOR(ipporthash)

extensions/ipset/ipset_ipportiphash.c

@@ -32,7 +32,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data)
+ipportiphash_create_init(void *data)
 {
 	struct ip_set_req_ipportiphash_create *mydata = data;
 
@@ -46,7 +46,8 @@ create_init(void *data)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
+ipportiphash_create_parse(int c, char *argv[] UNUSED, void *data,
+			  unsigned *flags)
 {
 	struct ip_set_req_ipportiphash_create *mydata = data;
 	ip_set_ip_t value;
@@ -137,7 +138,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data, unsigned int flags)
+ipportiphash_create_final(void *data, unsigned int flags)
 {
 	struct ip_set_req_ipportiphash_create *mydata = data;
 
@@ -189,7 +190,7 @@ static const struct option create_opts[] = {
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
+ipportiphash_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_ipportiphash *mydata = data;
 	char *saved = ipset_strdup(arg);
@@ -227,7 +228,7 @@ adt_parser(int cmd UNUSED, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+ipportiphash_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_ipportiphash_create *header = data;
 	struct ip_set_ipportiphash *map = set->settype->header;
@@ -241,7 +242,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned options)
+ipportiphash_printheader(struct set *set, unsigned options)
 {
 	struct ip_set_ipportiphash *mysetdata = set->settype->header;
 
@@ -253,7 +254,8 @@ printheader(struct set *set, unsigned options)
 }
 
 static void
-printips(struct set *set, void *data, size_t len, unsigned options)
+ipportiphash_printips(struct set *set, void *data, u_int32_t len,
+		      unsigned options, char dont_align)
 {
 	struct ip_set_ipportiphash *mysetdata = set->settype->header;
 	size_t offset = 0;
@@ -263,21 +265,19 @@ printips(struct set *set, void *data, size_t len, unsigned options)
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("%s,%s,", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n", 
-			       ip_tostring(ipptr->ip1, options));
-		}
-		offset += sizeof(struct ipportip);
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n", 
+		       ip_tostring(ipptr->ip1, options));
+		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
 
 static void
-saveheader(struct set *set, unsigned options)
+ipportiphash_saveheader(struct set *set, unsigned options)
 {
 	struct ip_set_ipportiphash *mysetdata = set->settype->header;
 
@@ -292,7 +292,8 @@ saveheader(struct set *set, unsigned options)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set, void *data, size_t len, unsigned options)
+ipportiphash_saveips(struct set *set, void *data, u_int32_t len,
+		     unsigned options, char dont_align)
 {
 	struct ip_set_ipportiphash *mysetdata = set->settype->header;
 	size_t offset = 0;
@@ -302,20 +303,19 @@ saveips(struct set *set, void *data, size_t len, unsigned options)
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("-A %s %s,%s,", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n",
-			       ip_tostring(ipptr->ip1, options));
-		}
-		offset += sizeof(struct ipportip);
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n",
+		       ip_tostring(ipptr->ip1, options));
+		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
 
-static void usage(void)
+static void
+ipportiphash_usage(void)
 {
 	printf
 	    ("-N set ipportiphash --from IP --to IP\n"
@@ -333,25 +333,25 @@ static struct settype settype_ipportiphash = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_ipportiphash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = ipportiphash_create_init,
+	.create_parse = ipportiphash_create_parse,
+	.create_final = ipportiphash_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_ipportiphash),
-	.adt_parser = &adt_parser,
+	.adt_parser = ipportiphash_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_ipportiphash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = ipportiphash_initheader,
+	.printheader = ipportiphash_printheader,
+	.printips = ipportiphash_printips,
+	.printips_sorted = ipportiphash_printips,
+	.saveheader = ipportiphash_saveheader,
+	.saveips = ipportiphash_saveips,
 	
-	.usage = &usage,
+	.usage = ipportiphash_usage,
 };
 
 CONSTRUCTOR(ipportiphash)

extensions/ipset/ipset_ipportnethash.c

@@ -32,7 +32,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data)
+ipportnethash_create_init(void *data)
 {
 	struct ip_set_req_ipportnethash_create *mydata = data;
 
@@ -46,7 +46,8 @@ create_init(void *data)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
+ipportnethash_create_parse(int c, char *argv[] UNUSED, void *data,
+			   unsigned *flags)
 {
 	struct ip_set_req_ipportnethash_create *mydata = data;
 	ip_set_ip_t value;
@@ -137,7 +138,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data, unsigned int flags)
+ipportnethash_create_final(void *data, unsigned int flags)
 {
 	struct ip_set_req_ipportnethash_create *mydata = data;
 
@@ -189,7 +190,7 @@ static const struct option create_opts[] = {
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd, const char *arg, void *data)
+ipportnethash_adt_parser(int cmd, const char *arg, void *data)
 {
 	struct ip_set_req_ipportnethash *mydata = data;
 	char *saved = ipset_strdup(arg);
@@ -238,7 +239,7 @@ adt_parser(int cmd, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+ipportnethash_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_ipportnethash_create *header = data;
 	struct ip_set_ipportnethash *map = set->settype->header;
@@ -252,7 +253,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned options)
+ipportnethash_printheader(struct set *set, unsigned options)
 {
 	struct ip_set_ipportnethash *mysetdata = set->settype->header;
 
@@ -318,7 +319,8 @@ unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
 }
 
 static void
-printips(struct set *set, void *data, size_t len, unsigned options)
+ipportnethash_printips(struct set *set, void *data, u_int32_t len,
+		       unsigned options, char dont_align)
 {
 	struct ip_set_ipportnethash *mysetdata = set->settype->header;
 	size_t offset = 0;
@@ -328,21 +330,19 @@ printips(struct set *set, void *data, size_t len, unsigned options)
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip || ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("%s,%s,", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n", 
-			       unpack_ip_tostring(ipptr->ip1, options));
-		}
-		offset += sizeof(struct ipportip);
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n", 
+		       unpack_ip_tostring(ipptr->ip1, options));
+		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
 
 static void
-saveheader(struct set *set, unsigned options)
+ipportnethash_saveheader(struct set *set, unsigned options)
 {
 	struct ip_set_ipportnethash *mysetdata = set->settype->header;
 
@@ -357,7 +357,8 @@ saveheader(struct set *set, unsigned options)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set, void *data, size_t len, unsigned options)
+ipportnethash_saveips(struct set *set, void *data, u_int32_t len,
+		      unsigned options, char dont_align)
 {
 	struct ip_set_ipportnethash *mysetdata = set->settype->header;
 	size_t offset = 0;
@@ -367,20 +368,19 @@ saveips(struct set *set, void *data, size_t len, unsigned options)
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("-A %s %s,%s,", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n",
-			       unpack_ip_tostring(ipptr->ip, options));
-		}
-		offset += sizeof(struct ipportip);
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n",
+		       unpack_ip_tostring(ipptr->ip, options));
+		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
 
-static void usage(void)
+static void
+ipportnethash_usage(void)
 {
 	printf
 	    ("-N set ipportnethash --from IP --to IP\n"
@@ -398,25 +398,25 @@ static struct settype settype_ipportnethash = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_ipportnethash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = ipportnethash_create_init,
+	.create_parse = ipportnethash_create_parse,
+	.create_final = ipportnethash_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_ipportnethash),
-	.adt_parser = &adt_parser,
+	.adt_parser = ipportnethash_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_ipportnethash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = ipportnethash_initheader,
+	.printheader = ipportnethash_printheader,
+	.printips = ipportnethash_printips,
+	.printips_sorted = ipportnethash_printips,
+	.saveheader = ipportnethash_saveheader,
+	.saveips = ipportnethash_saveips,
 	
-	.usage = &usage,
+	.usage = ipportnethash_usage,
 };
 
 CONSTRUCTOR(ipportnethash)

extensions/ipset/ipset_iptree.c

@@ -29,7 +29,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data)
+iptree_create_init(void *data)
 {
 	struct ip_set_req_iptree_create *mydata = data;
 
@@ -39,7 +39,7 @@ create_init(void *data)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
+iptree_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
 	struct ip_set_req_iptree_create *mydata = data;
 
@@ -63,7 +63,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
+iptree_create_final(void *data UNUSED, unsigned int flags UNUSED)
 {
 }
 
@@ -75,7 +75,7 @@ static const struct option create_opts[] = {
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
+iptree_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_iptree *mydata = data;
 	char *saved = ipset_strdup(arg);
@@ -104,7 +104,7 @@ adt_parser(int cmd UNUSED, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+iptree_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_iptree_create *header = data;
 	struct ip_set_iptree *map = set->settype->header;
@@ -113,7 +113,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned options UNUSED)
+iptree_printheader(struct set *set, unsigned options UNUSED)
 {
 	struct ip_set_iptree *mysetdata = set->settype->header;
 
@@ -123,7 +123,8 @@ printheader(struct set *set, unsigned options UNUSED)
 }
 
 static void
-printips_sorted(struct set *set, void *data, size_t len, unsigned options)
+iptree_printips_sorted(struct set *set, void *data, u_int32_t len,
+		       unsigned options, char dont_align)
 {
 	struct ip_set_iptree *mysetdata = set->settype->header;
 	struct ip_set_req_iptree *req;
@@ -136,12 +137,12 @@ printips_sorted(struct set *set, void *data, size_t len, unsigned options)
 					  req->timeout);
 		else
 			printf("%s\n", ip_tostring(req->ip, options));
-		offset += sizeof(struct ip_set_req_iptree);
+		offset += IPSET_VALIGN(sizeof(struct ip_set_req_iptree), dont_align);
 	}
 }
 
 static void
-saveheader(struct set *set, unsigned options UNUSED)
+iptree_saveheader(struct set *set, unsigned options UNUSED)
 {
 	struct ip_set_iptree *mysetdata = set->settype->header;
 
@@ -155,7 +156,8 @@ saveheader(struct set *set, unsigned options UNUSED)
 }
 
 static void
-saveips(struct set *set, void *data, size_t len, unsigned options)
+iptree_saveips(struct set *set, void *data, u_int32_t len,
+	       unsigned options, char dont_align)
 {
 	struct ip_set_iptree *mysetdata = set->settype->header;
 	struct ip_set_req_iptree *req;
@@ -174,11 +176,12 @@ saveips(struct set *set, void *data, size_t len, unsigned options)
 			printf("-A %s %s\n", 
 				set->name,
 				ip_tostring(req->ip, options));
-		offset += sizeof(struct ip_set_req_iptree);
+		offset += IPSET_VALIGN(sizeof(struct ip_set_req_iptree), dont_align);
 	}
 }
 
-static void usage(void)
+static void
+iptree_usage(void)
 {
 	printf
 	    ("-N set iptree [--timeout value]\n"
@@ -193,29 +196,25 @@ static struct settype settype_iptree = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_iptree_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = iptree_create_init,
+	.create_parse = iptree_create_parse,
+	.create_final = iptree_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_iptree),
-	.adt_parser = &adt_parser,
+	.adt_parser = iptree_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_iptree),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = iptree_initheader,
+	.printheader = iptree_printheader,
+	.printips = iptree_printips_sorted,	/* We only have sorted version */
+	.printips_sorted = iptree_printips_sorted,
+	.saveheader = iptree_saveheader,
+	.saveips = iptree_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse	= &parse_ip,
-
-	.usage = &usage,
+	.usage = iptree_usage,
 };
 
 CONSTRUCTOR(iptree)

extensions/ipset/ipset_iptreemap.c

@@ -26,7 +26,7 @@
 #define OPT_CREATE_GC 0x1
 
 static void
-create_init(void *data)
+iptreemap_create_init(void *data)
 {
 	struct ip_set_req_iptreemap_create *mydata = data;
 
@@ -34,7 +34,8 @@ create_init(void *data)
 }
 
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned int *flags)
+iptreemap_create_parse(int c, char *argv[] UNUSED, void *data,
+		       unsigned int *flags)
 {
 	struct ip_set_req_iptreemap_create *mydata = data;
 
@@ -53,7 +54,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned int *flags)
 }
 
 static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
+iptreemap_create_final(void *data UNUSED, unsigned int flags UNUSED)
 {
 }
 
@@ -63,7 +64,7 @@ static const struct option create_opts[] = {
 };
 
 static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
+iptreemap_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_iptreemap *mydata = data;
 	ip_set_ip_t mask;
@@ -94,7 +95,7 @@ adt_parser(int cmd UNUSED, const char *arg, void *data)
 }
 
 static void
-initheader(struct set *set, const void *data)
+iptreemap_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_iptreemap_create *header = data;
 	struct ip_set_iptreemap *map = set->settype->header;
@@ -103,7 +104,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned int options UNUSED)
+iptreemap_printheader(struct set *set, unsigned int options UNUSED)
 {
 	struct ip_set_iptreemap *mysetdata = set->settype->header;
 
@@ -114,8 +115,8 @@ printheader(struct set *set, unsigned int options UNUSED)
 }
 
 static void
-printips_sorted(struct set *set UNUSED, void *data,
-		size_t len, unsigned int options)
+iptreemap_printips_sorted(struct set *set UNUSED, void *data,
+			  u_int32_t len, unsigned int options, char dont_align)
 {
 	struct ip_set_req_iptreemap *req;
 	size_t offset = 0;
@@ -128,12 +129,12 @@ printips_sorted(struct set *set UNUSED, void *data,
 			printf("-%s", ip_tostring(req->end, options));
 		printf("\n");
 
-		offset += sizeof(struct ip_set_req_iptreemap);
+		offset += IPSET_VALIGN(sizeof(struct ip_set_req_iptreemap), dont_align);
 	}
 }
 
 static void
-saveheader(struct set *set, unsigned int options UNUSED)
+iptreemap_saveheader(struct set *set, unsigned int options UNUSED)
 {
 	struct ip_set_iptreemap *mysetdata = set->settype->header;
 
@@ -146,8 +147,8 @@ saveheader(struct set *set, unsigned int options UNUSED)
 }
 
 static void
-saveips(struct set *set UNUSED, void *data,
-	size_t len, unsigned int options)
+iptreemap_saveips(struct set *set UNUSED, void *data,
+		  u_int32_t len, unsigned int options, char dont_align)
 {
 	struct ip_set_req_iptreemap *req;
 	size_t offset = 0;
@@ -162,12 +163,12 @@ saveips(struct set *set UNUSED, void *data,
 
 		printf("\n");
 
-		offset += sizeof(struct ip_set_req_iptreemap);
+		offset += IPSET_VALIGN(sizeof(struct ip_set_req_iptreemap), dont_align);
 	}
 }
 
 static void
-usage(void)
+iptreemap_usage(void)
 {
 	printf(
 		"-N set iptreemap --gc interval\n"
@@ -182,26 +183,23 @@ static struct settype settype_iptreemap = {
 	.protocol_version = IP_SET_PROTOCOL_VERSION,
 
 	.create_size = sizeof(struct ip_set_req_iptreemap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = iptreemap_create_init,
+	.create_parse = iptreemap_create_parse,
+	.create_final = iptreemap_create_final,
 	.create_opts = create_opts,
 
 	.adt_size = sizeof(struct ip_set_req_iptreemap),
-	.adt_parser = &adt_parser,
+	.adt_parser = iptreemap_adt_parser,
 
 	.header_size = sizeof(struct ip_set_iptreemap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = iptreemap_initheader,
+	.printheader = iptreemap_printheader,
+	.printips = iptreemap_printips_sorted,
+	.printips_sorted = iptreemap_printips_sorted,
+	.saveheader = iptreemap_saveheader,
+	.saveips = iptreemap_saveips,
 
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse = &parse_ip,
-
-	.usage = &usage,
+	.usage = iptreemap_usage,
 };
 
 CONSTRUCTOR(iptreemap)

extensions/ipset/ipset_macipmap.c

@@ -39,7 +39,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data UNUSED)
+macipmap_create_init(void *data UNUSED)
 {
 	DP("create INIT");
 	/* Nothing */
@@ -47,7 +47,7 @@ create_init(void *data UNUSED)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
+macipmap_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
 	struct ip_set_req_macipmap_create *mydata = data;
 
@@ -107,7 +107,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data, unsigned int flags)
+macipmap_create_final(void *data, unsigned int flags)
 {
 	struct ip_set_req_macipmap_create *mydata = data;
 
@@ -176,7 +176,7 @@ parse_mac(const char *mac, unsigned char *ethernet)
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
+macipmap_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_macipmap *mydata = data;
 	char *saved = ipset_strdup(arg);
@@ -209,7 +209,7 @@ adt_parser(int cmd UNUSED, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+macipmap_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_macipmap_create *header = data;
 	struct ip_set_macipmap *map = set->settype->header;
@@ -221,7 +221,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned options)
+macipmap_printheader(struct set *set, unsigned options)
 {
 	struct ip_set_macipmap *mysetdata = set->settype->header;
 
@@ -243,17 +243,16 @@ print_mac(unsigned char macaddress[ETH_ALEN])
 		printf(":%02X", macaddress[i]);
 }
 
-static void
-printips_sorted(struct set *set, void *data,
-		size_t len UNUSED, unsigned options)
+static inline void
+__macipmap_printips_sorted(struct set *set, void *data,
+			   u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_macipmap *mysetdata = set->settype->header;
 	struct ip_set_macip *table = data;
 	u_int32_t addr = mysetdata->first_ip;
 
 	while (addr <= mysetdata->last_ip) {
-		if (test_bit(IPSET_MACIP_ISSET,
-			     (void *)&table[addr - mysetdata->first_ip].flags)) {
+		if (table[addr - mysetdata->first_ip].match) {
 			printf("%s,", ip_tostring(addr, options));
 			print_mac(table[addr - mysetdata->first_ip].
 				  ethernet);
@@ -264,7 +263,27 @@ printips_sorted(struct set *set, void *data,
 }
 
 static void
-saveheader(struct set *set, unsigned options)
+macipmap_printips_sorted(struct set *set, void *data,
+			 u_int32_t len, unsigned options,
+			 char dont_align)
+{
+	struct ip_set_req_macipmap *d;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __macipmap_printips_sorted(set, data, len, options);
+	
+	while (offset < len) {
+		d = data + offset;
+		printf("%s,", ip_tostring(d->ip, options));
+		print_mac(d->ethernet);
+		printf("\n");
+		offset += IPSET_ALIGN(sizeof(struct ip_set_req_macipmap));
+	}
+}
+
+static void
+macipmap_saveheader(struct set *set, unsigned options)
 {
 	struct ip_set_macipmap *mysetdata = set->settype->header;
 
@@ -278,17 +297,16 @@ saveheader(struct set *set, unsigned options)
 	printf("\n");
 }
 
-static void
-saveips(struct set *set, void *data,
-	size_t len UNUSED, unsigned options)
+static inline void
+__macipmap_saveips(struct set *set, void *data,
+		   u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_macipmap *mysetdata = set->settype->header;
 	struct ip_set_macip *table = data;
 	u_int32_t addr = mysetdata->first_ip;
 
 	while (addr <= mysetdata->last_ip) {
-		if (test_bit(IPSET_MACIP_ISSET,
-			     (void *)&table[addr - mysetdata->first_ip].flags)) {
+		if (table[addr - mysetdata->first_ip].match) {
 			printf("-A %s %s,",
 			       set->name, ip_tostring(addr, options));
 			print_mac(table[addr - mysetdata->first_ip].
@@ -299,7 +317,28 @@ saveips(struct set *set, void *data,
 	}
 }
 
-static void usage(void)
+static void
+macipmap_saveips(struct set *set, void *data,
+		 u_int32_t len, unsigned options,
+		 char dont_align)
+{
+	struct ip_set_req_macipmap *d;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __macipmap_saveips(set, data, len, options);
+	
+	while (offset < len) {
+		d = data + offset;
+		printf("-A %s %s,", set->name, ip_tostring(d->ip, options));
+		print_mac(d->ethernet);
+		printf("\n");
+		offset += IPSET_ALIGN(sizeof(struct ip_set_req_macipmap));
+	}
+}
+
+static void
+macipmap_usage(void)
 {
 	printf
 	    ("-N set macipmap --from IP --to IP [--matchunset]\n"
@@ -315,29 +354,25 @@ static struct settype settype_macipmap = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_macipmap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = macipmap_create_init,
+	.create_parse = macipmap_create_parse,
+	.create_final = macipmap_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_macipmap),
-	.adt_parser = &adt_parser,
+	.adt_parser = macipmap_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_macipmap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = macipmap_initheader,
+	.printheader = macipmap_printheader,
+	.printips = macipmap_printips_sorted,
+	.printips_sorted = macipmap_printips_sorted,
+	.saveheader = macipmap_saveheader,
+	.saveips = macipmap_saveips,
 
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse = &parse_ip,
-
-	.usage = &usage,
+	.usage = macipmap_usage,
 };
 
 CONSTRUCTOR(macipmap)

extensions/ipset/ipset_nethash.c

@@ -31,7 +31,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data)
+nethash_create_init(void *data)
 {
 	struct ip_set_req_nethash_create *mydata = data;
 
@@ -45,7 +45,7 @@ create_init(void *data)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
+nethash_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
 	struct ip_set_req_nethash_create *mydata = data;
 	ip_set_ip_t value;
@@ -97,7 +97,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
+nethash_create_final(void *data UNUSED, unsigned int flags UNUSED)
 {
 }
 
@@ -111,7 +111,7 @@ static const struct option create_opts[] = {
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd, const char *arg, void *data)
+nethash_adt_parser(int cmd, const char *arg, void *data)
 {
 	struct ip_set_req_nethash *mydata = data;
 	char *saved = ipset_strdup(arg);
@@ -148,7 +148,7 @@ adt_parser(int cmd, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+nethash_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_nethash_create *header = data;
 	struct ip_set_nethash *map = set->settype->header;
@@ -160,7 +160,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned options UNUSED)
+nethash_printheader(struct set *set, unsigned options UNUSED)
 {
 	struct ip_set_nethash *mysetdata = set->settype->header;
 
@@ -224,21 +224,21 @@ unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
 }
 
 static void
-printips(struct set *set UNUSED, void *data, size_t len, unsigned options)
+nethash_printips(struct set *set UNUSED, void *data, u_int32_t len,
+		 unsigned options, char dont_align)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("%s\n", unpack_ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
+		printf("%s\n", unpack_ip_tostring(*ip, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
 static void
-saveheader(struct set *set, unsigned options UNUSED)
+nethash_saveheader(struct set *set, unsigned options UNUSED)
 {
 	struct ip_set_nethash *mysetdata = set->settype->header;
 
@@ -249,50 +249,22 @@ saveheader(struct set *set, unsigned options UNUSED)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set UNUSED, void *data, size_t len, unsigned options)
+nethash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
+		unsigned options, char dont_align)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       unpack_ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
+		printf("-A %s %s\n", set->name,
+		       unpack_ip_tostring(*ip, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
-static char *
-net_tostring(struct set *set UNUSED, ip_set_ip_t ip, unsigned options)
-{
-	return unpack_ip_tostring(ip, options);
-}
-
 static void
-parse_net(const char *str, ip_set_ip_t *ip)
-{
-	char *saved = ipset_strdup(str);
-	char *ptr, *tmp = saved;
-	ip_set_ip_t cidr;
-
-	ptr = strsep(&tmp, "/");
-	
-	if (tmp == NULL)
-		exit_error(PARAMETER_PROBLEM,
-			   "Missing cidr from `%s'", str);
-
-	if (string_to_number(tmp, 1, 31, &cidr))
-		exit_error(PARAMETER_PROBLEM,
-			   "Out of range cidr `%s' specified", str);
-	
-	parse_ip(ptr, ip);
-	ipset_free(saved);
-	
-	*ip = pack_ip_cidr(*ip, cidr);
-}
-
-static void usage(void)
+nethash_usage(void)
 {
 	printf
 	    ("-N set nethash [--hashsize hashsize] [--probes probes ]\n"
@@ -308,29 +280,25 @@ static struct settype settype_nethash = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_nethash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = nethash_create_init,
+	.create_parse = nethash_create_parse,
+	.create_final = nethash_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_nethash),
-	.adt_parser = &adt_parser,
+	.adt_parser = nethash_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_nethash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = nethash_initheader,
+	.printheader = nethash_printheader,
+	.printips = nethash_printips,
+	.printips_sorted = nethash_printips,
+	.saveheader = nethash_saveheader,
+	.saveips = nethash_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &net_tostring,
-	.bindip_parse = &parse_net,
-
-	.usage = &usage,
+	.usage = nethash_usage,
 };
 
 CONSTRUCTOR(nethash)

extensions/ipset/ipset_portmap.c

@@ -32,7 +32,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data UNUSED)
+portmap_create_init(void *data UNUSED)
 {
 	DP("create INIT");
 	/* Nothing */
@@ -40,7 +40,7 @@ create_init(void *data UNUSED)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
+portmap_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
 	struct ip_set_req_portmap_create *mydata = data;
 
@@ -76,7 +76,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data, unsigned int flags)
+portmap_create_final(void *data, unsigned int flags)
 {
 	struct ip_set_req_portmap_create *mydata = data;
 
@@ -113,7 +113,7 @@ static const struct option create_opts[] = {
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
+portmap_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_portmap *mydata = data;
 
@@ -128,7 +128,7 @@ adt_parser(int cmd UNUSED, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+portmap_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_portmap_create *header = data;
 	struct ip_set_portmap *map = set->settype->header;
@@ -139,7 +139,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned options)
+portmap_printheader(struct set *set, unsigned options)
 {
 	struct ip_set_portmap *mysetdata = set->settype->header;
 
@@ -147,12 +147,12 @@ printheader(struct set *set, unsigned options)
 	printf(" to: %s\n", port_tostring(mysetdata->last_ip, options));
 }
 
-static void
-printports_sorted(struct set *set, void *data,
-		  size_t len UNUSED, unsigned options)
+static inline void
+__portmap_printips_sorted(struct set *set, void *data,
+			  u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_portmap *mysetdata = set->settype->header;
-	u_int32_t addr = mysetdata->first_ip;
+	ip_set_ip_t addr = mysetdata->first_ip;
 
 	DP("%u -- %u", mysetdata->first_ip, mysetdata->last_ip);
 	while (addr <= mysetdata->last_ip) {
@@ -162,15 +162,26 @@ printports_sorted(struct set *set, void *data,
 	}
 }
 
-static char *
-binding_port_tostring(struct set *set UNUSED,
-		      ip_set_ip_t ip, unsigned options)
+static void
+portmap_printips_sorted(struct set *set, void *data,
+			u_int32_t len, unsigned options,
+			char dont_align)
 {
-	return port_tostring(ip, options);
+	ip_set_ip_t *ip;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __portmap_printips_sorted(set, data, len, options);
+	
+	while (offset < len) {
+		ip = data + offset;
+		printf("%s\n", port_tostring(*ip, options));
+		offset += IPSET_ALIGN(sizeof(ip_set_ip_t));
+	}
 }
 
 static void
-saveheader(struct set *set, unsigned options)
+portmap_saveheader(struct set *set, unsigned options)
 {
 	struct ip_set_portmap *mysetdata = set->settype->header;
 
@@ -182,14 +193,15 @@ saveheader(struct set *set, unsigned options)
 	       port_tostring(mysetdata->last_ip, options));
 }
 
-static void
-saveports(struct set *set, void *data,
-	  size_t len UNUSED, unsigned options)
+static inline void
+__portmap_saveips(struct set *set, void *data,
+		  u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_portmap *mysetdata = set->settype->header;
-	u_int32_t addr = mysetdata->first_ip;
+	ip_set_ip_t addr = mysetdata->first_ip;
 
 	while (addr <= mysetdata->last_ip) {
+		DP("addr: %lu, last_ip %lu", (long unsigned)addr, (long unsigned)mysetdata->last_ip);
 		if (test_bit(addr - mysetdata->first_ip, data))
 			printf("-A %s %s\n",
 			       set->name,
@@ -198,7 +210,26 @@ saveports(struct set *set, void *data,
 	}
 }
 
-static void usage(void)
+static void
+portmap_saveips(struct set *set, void *data,
+		u_int32_t len, unsigned options,
+		char dont_align)
+{
+	ip_set_ip_t *ip;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __portmap_saveips(set, data, len, options);
+	
+	while (offset < len) {
+		ip = data + offset;
+		printf("-A %s %s\n", set->name, port_tostring(*ip, options));
+		offset += IPSET_ALIGN(sizeof(ip_set_ip_t));
+	}
+}
+
+static void
+portmap_usage(void)
 {
 	printf
 	    ("-N set portmap --from PORT --to PORT\n"
@@ -213,29 +244,25 @@ static struct settype settype_portmap = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_portmap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = portmap_create_init,
+	.create_parse = portmap_create_parse,
+	.create_final = portmap_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_portmap),
-	.adt_parser = &adt_parser,
+	.adt_parser = portmap_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_portmap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printports_sorted,	/* We only have sorted version */
-	.printips_sorted = &printports_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveports,
+	.initheader = portmap_initheader,
+	.printheader = portmap_printheader,
+	.printips = portmap_printips_sorted,
+	.printips_sorted = portmap_printips_sorted,
+	.saveheader = portmap_saveheader,
+	.saveips = portmap_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &binding_port_tostring,
-	.bindip_parse = &parse_port,
-
-	.usage = &usage,
+	.usage = portmap_usage,
 };
 
 CONSTRUCTOR(portmap)

extensions/ipset/ipset_setlist.c

@@ -27,7 +27,7 @@
 
 /* Initialize the create. */
 static void
-create_init(void *data)
+setlist_create_init(void *data)
 {
 	struct ip_set_req_setlist_create *mydata = data;
 	
@@ -36,7 +36,8 @@ create_init(void *data)
 
 /* Function which parses command options; returns true if it ate an option */
 static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags UNUSED)
+setlist_create_parse(int c, char *argv[] UNUSED, void *data,
+		     unsigned *flags UNUSED)
 {
 	struct ip_set_req_setlist_create *mydata = data;
 	unsigned int size;
@@ -57,7 +58,7 @@ create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags UNUSED)
 
 /* Final check; exit if not ok. */
 static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
+setlist_create_final(void *data UNUSED, unsigned int flags UNUSED)
 {
 }
 
@@ -67,7 +68,8 @@ static const struct option create_opts[] = {
 	{NULL},
 };
 
-static void check_setname(const char *name)
+static void
+check_setname(const char *name)
 {
 	if (strlen(name) > IP_SET_MAXNAMELEN - 1)
 		exit_error(PARAMETER_PROBLEM,
@@ -77,7 +79,7 @@ static void check_setname(const char *name)
 
 /* Add, del, test parser */
 static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
+setlist_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_setlist *mydata = data;
 	char *saved = ipset_strdup(arg);
@@ -115,7 +117,7 @@ adt_parser(int cmd UNUSED, const char *arg, void *data)
  */
 
 static void
-initheader(struct set *set, const void *data)
+setlist_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_setlist_create *header = data;
 	struct ip_set_setlist *map = set->settype->header;
@@ -125,7 +127,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned options UNUSED)
+setlist_printheader(struct set *set, unsigned options UNUSED)
 {
 	struct ip_set_setlist *mysetdata = set->settype->header;
 
@@ -133,25 +135,29 @@ printheader(struct set *set, unsigned options UNUSED)
 }
 
 static void
-printips_sorted(struct set *set, void *data,
-		size_t len UNUSED, unsigned options UNUSED)
+setlist_printips_sorted(struct set *set, void *data,
+			u_int32_t len UNUSED, unsigned options UNUSED,
+			char dont_align)
 {
 	struct ip_set_setlist *mysetdata = set->settype->header;
-	int i;
-	ip_set_id_t id;
+	int i, asize;
+	ip_set_id_t *id;
 	struct set *elem;
 
+	asize = IPSET_VALIGN(sizeof(ip_set_id_t), dont_align);
 	for (i = 0; i < mysetdata->size; i++ ) {
-		id = *((ip_set_id_t *)data + i);
-		if (id == IP_SET_INVALID_ID)
+		DP("Try %u", i);
+		id = (ip_set_id_t *)(data + i * asize);
+		DP("Try %u, check", i);
+		if (*id == IP_SET_INVALID_ID)
 			return;
-		elem = set_find_byid(id);
+		elem = set_find_byid(*id);
 		printf("%s\n", elem->name);
 	}
 }
 
 static void
-saveheader(struct set *set, unsigned options UNUSED)
+setlist_saveheader(struct set *set, unsigned options UNUSED)
 {
 	struct ip_set_setlist *mysetdata = set->settype->header;
 
@@ -161,24 +167,26 @@ saveheader(struct set *set, unsigned options UNUSED)
 }
 
 static void
-saveips(struct set *set, void *data,
-	size_t len UNUSED, unsigned options UNUSED)
+setlist_saveips(struct set *set, void *data,
+		u_int32_t len UNUSED, unsigned options UNUSED, char dont_align)
 {
 	struct ip_set_setlist *mysetdata = set->settype->header;
-	int i;
-	ip_set_id_t id;
+	int i, asize;
+	ip_set_id_t *id;
 	struct set *elem;
 
+	asize = IPSET_VALIGN(sizeof(ip_set_id_t), dont_align);
 	for (i = 0; i < mysetdata->size; i++ ) {
-		id = *((ip_set_id_t *)data + i);
-		if (id == IP_SET_INVALID_ID)
+		id = (ip_set_id_t *)(data + i * asize);
+		if (*id == IP_SET_INVALID_ID)
 			return;
-		elem = set_find_byid(id);
+		elem = set_find_byid(*id);
 		printf("-A %s %s\n", set->name, elem->name);
 	}
 }
 
-static void usage(void)
+static void
+setlist_usage(void)
 {
 	printf
 	    ("-N set setlist --size size\n"
@@ -193,25 +201,25 @@ static struct settype settype_setlist = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_setlist_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = setlist_create_init,
+	.create_parse = setlist_create_parse,
+	.create_final = setlist_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_setlist),
-	.adt_parser = &adt_parser,
+	.adt_parser = setlist_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_setlist),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = setlist_initheader,
+	.printheader = setlist_printheader,
+	.printips = setlist_printips_sorted,
+	.printips_sorted = setlist_printips_sorted,
+	.saveheader = setlist_saveheader,
+	.saveips = setlist_saveips,
 	
-	.usage = &usage,
+	.usage = setlist_usage,
 };
 
 CONSTRUCTOR(setlist)

extensions/iptable_rawpost.c

@@ -0,0 +1,109 @@
+/*
+ *	rawpost table for ip_tables
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	placed in the Public Domain
+ */
+#include <linux/module.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/version.h>
+#include <net/ip.h>
+#include "compat_xtables.h"
+#include "compat_rawpost.h"
+
+enum {
+	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
+};
+
+static struct {
+	struct ipt_replace repl;
+	struct ipt_standard entries[1];
+	struct ipt_error term;
+} rawpost4_initial __initdata = {
+	.repl = {
+		.name        = "rawpost",
+		.valid_hooks = RAWPOST_VALID_HOOKS,
+		.num_entries = 2,
+		.size        = sizeof(struct ipt_standard) +
+		               sizeof(struct ipt_error),
+		.hook_entry  = {
+			[NF_INET_POST_ROUTING] = 0,
+		},
+		.underflow = {
+			[NF_INET_POST_ROUTING] = 0,
+		},
+	},
+	.entries = {
+		IPT_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
+	},
+	.term = IPT_ERROR_INIT,			/* ERROR */
+};
+
+static struct xt_table *rawpost4_ptable;
+
+static struct xt_table rawpost4_itable = {
+	.name        = "rawpost",
+	.af          = NFPROTO_IPV4,
+	.valid_hooks = RAWPOST_VALID_HOOKS,
+	.me          = THIS_MODULE,
+};
+
+static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
+    const struct net_device *in, const struct net_device *out,
+    int (*okfn)(struct sk_buff *))
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
+#else
+	return ipt_do_table(skb, hook, in, out, rawpost4_ptable, NULL);
+#endif
+}
+
+static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
+	.hook     = rawpost4_hook_fn,
+	.pf       = NFPROTO_IPV4,
+	.hooknum  = NF_INET_POST_ROUTING,
+	.priority = NF_IP_PRI_LAST,
+	.owner    = THIS_MODULE,
+};
+
+static int __init rawpost4_table_init(void)
+{
+	int ret;
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
+	rwlock_init(&rawpost4_itable.lock);
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
+	rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
+	                  &rawpost4_initial.repl);
+	if (IS_ERR(rawpost4_ptable))
+		return PTR_ERR(rawpost4_ptable);
+#else
+	ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
+	if (ret < 0)
+		return ret;
+	rawpost4_ptable = &rawpost4_itable;
+#endif
+
+	ret = nf_register_hook(&rawpost4_hook_ops);
+	if (ret < 0)
+		goto out;
+
+	return ret;
+
+ out:
+	ipt_unregister_table(rawpost4_ptable);
+	return ret;
+}
+
+static void __exit rawpost4_table_exit(void)
+{
+	nf_unregister_hook(&rawpost4_hook_ops);
+	ipt_unregister_table(rawpost4_ptable);
+}
+
+module_init(rawpost4_table_init);
+module_exit(rawpost4_table_exit);
+MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_LICENSE("GPL");

extensions/libxt_CHAOS.c

@@ -95,7 +95,7 @@ static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target chaos_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "CHAOS",
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.help          = chaos_tg_help,

extensions/libxt_CHAOS.man

@@ -1,13 +1,13 @@
 Causes confusion on the other end by doing odd things with incoming packets.
 CHAOS will randomly reply (or not) with one of its configurable subtargets:
 .TP
-\fB--delude\fP
+\fB\-\-delude\fP
 Use the REJECT and DELUDE targets as a base to do a sudden or deferred
 connection reset, fooling some network scanners to return non-deterministic
 (randomly open/closed) results, and in case it is deemed open, it is actually
 closed/filtered.
 .TP
-\fB--tarpit\fP
+\fB\-\-tarpit\fP
 Use the REJECT and TARPIT target as a base to hold the connection until it
 times out. This consumes conntrack entries when connection tracking is loaded
 (which usually is on most machines), and routers inbetween you and the Internet

extensions/libxt_DELUDE.c

@@ -33,9 +33,7 @@ static struct xtables_target delude_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DELUDE",
 	.revision      = 0,
-	.family        = AF_INET,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_IPV4,
 	.help          = delude_tg_help,
 	.parse         = delude_tg_parse,
 	.final_check   = delude_tg_check,

extensions/libxt_DHCPADDR.c

@@ -1,101 +0,0 @@
-/*
- *	"DHCPADDR" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netinet/ether.h>
-#include <xtables.h>
-#include "xt_DHCPADDR.h"
-#include "mac.c"
-
-enum {
-	F_MAC = 1 << 0,
-};
-
-static const struct option dhcpaddr_tg_opts[] = {
-	{.name = "set-mac", .has_arg = true, .val = 'M'},
-	{NULL},
-};
-
-static void dhcpaddr_tg_help(void)
-{
-	printf(
-"DHCPADDDR target options:\n"
-"  --set-mac lladdr[/mask]    Set MAC address in DHCP Client Host field\n"
-	);
-}
-
-static int dhcpaddr_tg_parse(int c, char **argv, int invert,
-    unsigned int *flags, const void *entry, struct xt_entry_target **target)
-{
-	struct dhcpaddr_info *info = (void *)(*target)->data;
-
-	switch (c) {
-	case 'M':
-		xtables_param_act(XTF_ONLY_ONCE, "DHCPADDR", "--set-mac", *flags & F_MAC);
-		xtables_param_act(XTF_NO_INVERT, "DHCPADDR", "--set-mac", invert);
-		if (!mac_parse(optarg, info->addr, &info->mask))
-			xtables_param_act(XTF_BAD_VALUE, "DHCPADDR", "--set-mac", optarg);
-		*flags |= F_MAC;
-		return true;
-	}
-
-	return false;
-}
-
-static void dhcpaddr_tg_check(unsigned int flags)
-{
-	if (flags == 0)
-		xtables_error(PARAMETER_PROBLEM, "DHCPADDR target: "
-		           "--set-mac parameter required");
-}
-
-static void dhcpaddr_tg_print(const void *ip,
-    const struct xt_entry_target *target, int numeric)
-{
-	const struct dhcpaddr_info *info = (void *)target->data;
-
-	printf("DHCPADDR %s" DH_MAC_FMT "/%u ",
-	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
-}
-
-static void dhcpaddr_tg_save(const void *ip,
-    const struct xt_entry_target *target)
-{
-	const struct dhcpaddr_info *info = (const void *)target->data;
-
-	if (info->invert)
-		printf("! ");
-	printf("--set-mac " DH_MAC_FMT "/%u ",
-	       DH_MAC_HEX(info->addr), info->mask);
-}
-
-static struct xtables_target dhcpaddr_tg_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "DHCPADDR",
-	.revision      = 0,
-	.family        = PF_INET,
-	.size          = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.help          = dhcpaddr_tg_help,
-	.parse         = dhcpaddr_tg_parse,
-	.final_check   = dhcpaddr_tg_check,
-	.print         = dhcpaddr_tg_print,
-	.save          = dhcpaddr_tg_save,
-	.extra_opts    = dhcpaddr_tg_opts,
-};
-
-static __attribute__((constructor)) void dhcpaddr_tg_ldr(void)
-{
-	xtables_register_target(&dhcpaddr_tg_reg);
-}

extensions/libxt_DHCPMAC.c

@@ -0,0 +1,101 @@
+/*
+ *	"DHCPMAC" target extension for iptables
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netinet/ether.h>
+#include <xtables.h>
+#include "xt_DHCPMAC.h"
+#include "mac.c"
+
+enum {
+	F_MAC = 1 << 0,
+};
+
+static const struct option dhcpmac_tg_opts[] = {
+	{.name = "set-mac", .has_arg = true, .val = 'M'},
+	{NULL},
+};
+
+static void dhcpmac_tg_help(void)
+{
+	printf(
+"DHCPMAC target options:\n"
+"  --set-mac lladdr[/mask]    Set MAC address in DHCP Client Host field\n"
+	);
+}
+
+static int dhcpmac_tg_parse(int c, char **argv, int invert,
+    unsigned int *flags, const void *entry, struct xt_entry_target **target)
+{
+	struct dhcpmac_info *info = (void *)(*target)->data;
+
+	switch (c) {
+	case 'M':
+		xtables_param_act(XTF_ONLY_ONCE, "DHCPMAC", "--set-mac", *flags & F_MAC);
+		xtables_param_act(XTF_NO_INVERT, "DHCPMAC", "--set-mac", invert);
+		if (!mac_parse(optarg, info->addr, &info->mask))
+			xtables_param_act(XTF_BAD_VALUE, "DHCPMAC", "--set-mac", optarg);
+		*flags |= F_MAC;
+		return true;
+	}
+
+	return false;
+}
+
+static void dhcpmac_tg_check(unsigned int flags)
+{
+	if (flags == 0)
+		xtables_error(PARAMETER_PROBLEM, "DHCPMAC target: "
+		           "--set-mac parameter required");
+}
+
+static void dhcpmac_tg_print(const void *ip,
+    const struct xt_entry_target *target, int numeric)
+{
+	const struct dhcpmac_info *info = (void *)target->data;
+
+	printf("DHCPMAC %s" DH_MAC_FMT "/%u ",
+	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
+}
+
+static void dhcpmac_tg_save(const void *ip,
+    const struct xt_entry_target *target)
+{
+	const struct dhcpmac_info *info = (const void *)target->data;
+
+	if (info->invert)
+		printf("! ");
+	printf("--set-mac " DH_MAC_FMT "/%u ",
+	       DH_MAC_HEX(info->addr), info->mask);
+}
+
+static struct xtables_target dhcpmac_tg_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "DHCPMAC",
+	.revision      = 0,
+	.family        = NFPROTO_IPV4,
+	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.help          = dhcpmac_tg_help,
+	.parse         = dhcpmac_tg_parse,
+	.final_check   = dhcpmac_tg_check,
+	.print         = dhcpmac_tg_print,
+	.save          = dhcpmac_tg_save,
+	.extra_opts    = dhcpmac_tg_opts,
+};
+
+static __attribute__((constructor)) void dhcpmac_tg_ldr(void)
+{
+	xtables_register_target(&dhcpmac_tg_reg);
+}

extensions/libxt_DHCPMAC.man

@@ -1,10 +1,10 @@
-In conjunction with ebtables, DHCPADDR can be used to completely change all MAC
+In conjunction with ebtables, DHCPMAC can be used to completely change all MAC
 addresses from and to a VMware-based virtual machine. This is needed because
 VMware does not allow to set a non-VMware MAC address before an operating
 system is booted (and the MAC be changed with `ip link set eth0 address
 aa:bb..`).
 .TP
-\fB--set-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
+\fB\-\-set\-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
 Replace the client host MAC address field in the DHCP message with the given
 MAC address. This option is mandatory. The \fImask\fP parameter specifies the
 prefix length of bits to change.
@@ -12,13 +12,13 @@ prefix length of bits to change.
 EXAMPLE, replacing all addresses from one of VMware's assigned vendor IDs
 (00:50:56) addresses with something else:
 .PP
-iptables -t mangle -A FORWARD -p udp --dport 67 -m physdev --physdev-in vmnet1
--m dhcpaddr --mac 00:50:56:00:00:00/24 -j DHCPADDR --set-mac
-ab:cd:ef:00:00:00/24
+iptables \-t mangle \-A FORWARD \-p udp \-\-dport 67 \-m physdev
+\-\-physdev\-in vmnet1 \-m dhcpmac \-\-mac 00:50:56:00:00:00/24 \-j DHCPMAC
+\-\-set\-mac ab:cd:ef:00:00:00/24
 .PP
-iptables -t mangle -A FORWARD -p udp --dport 68 -m physdev --physdev-out vmnet1
--m dhcpaddr --mac ab:cd:ef:00:00:00/24 -j DHCPADDR --set-mac
-00:50:56:00:00:00/24
+iptables \-t mangle \-A FORWARD \-p udp \-\-dport 68 \-m physdev
+\-\-physdev\-out vmnet1 \-m dhcpmac \-\-mac ab:cd:ef:00:00:00/24 \-j DHCPMAC
+\-\-set\-mac 00:50:56:00:00:00/24
 .PP
 (This assumes there is a bridge interface that has vmnet1 as a port. You will
 also need to add appropriate ebtables rules to change the MAC address of the

extensions/libxt_ECHO.c

@@ -29,9 +29,7 @@ static void echo_tg_check(unsigned int flags)
 static struct xtables_target echo_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ECHO",
-	.family        = AF_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_UNSPEC,
 	.help          = echo_tg_help,
 	.parse         = echo_tg_parse,
 	.final_check   = echo_tg_check,

extensions/libxt_IPMARK.c

@@ -97,6 +97,7 @@ static int ipmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 		if (!xtables_strtoui(optarg, NULL, &n, 0, 128))
 			xtables_param_act(XTF_BAD_VALUE, "IPMARK", "--shift", optarg);
 		info->shift = n;
+		*flags |= FL_SHIFT;
 		return true;
 	}
 
@@ -117,14 +118,16 @@ ipmark_tg_print(const void *entry, const struct xt_entry_target *target,
 	const struct xt_ipmark_tginfo *info = (const void *)target->data;
 
 	if (info->selector == XT_IPMARK_SRC)
-		printf("IPMARK src ip");
+		printf("IPMARK src ip ");
 	else
-		printf("IPMARK dst ip");
+		printf("IPMARK dst ip ");
 
+	if (info->shift != 0)
+		printf("shift %u ", (unsigned int)info->shift);
 	if (info->andmask != ~0U)
-		printf(" and 0x%x ", (unsigned int)info->andmask);
+		printf("and 0x%x ", (unsigned int)info->andmask);
 	if (info->ormask != 0)
-		printf(" or 0x%x ", (unsigned int)info->ormask);
+		printf("or 0x%x ", (unsigned int)info->ormask);
 }
 
 static void
@@ -137,33 +140,19 @@ ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
 	else
 		printf("--addr dst ");
 
+	if (info->shift != 0)
+		printf("--shift %u ", (unsigned int)info->shift);
 	if (info->andmask != ~0U)
 		printf("--and-mask 0x%x ", (unsigned int)info->andmask);
 	if (info->ormask != 0)
 		printf("--or-mask 0x%x ", (unsigned int)info->ormask);
 }
 
-static struct xtables_target ipmark_tg4_reg = {
+static struct xtables_target ipmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "IPMARK",
-	.family        = PF_INET,
-	.revision      = 0,
-	.size          = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
-	.help          = ipmark_tg_help,
-	.init          = ipmark_tg_init,
-	.parse         = ipmark_tg_parse,
-	.final_check   = ipmark_tg_check,
-	.print         = ipmark_tg_print,
-	.save          = ipmark_tg_save,
-	.extra_opts    = ipmark_tg_opts,
-};
-
-static struct xtables_target ipmark_tg6_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "IPMARK",
-	.family        = PF_INET6,
-	.revision      = 0,
+	.family        = NFPROTO_UNSPEC,
+	.revision      = 1,
 	.size          = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
 	.help          = ipmark_tg_help,
@@ -177,6 +166,5 @@ static struct xtables_target ipmark_tg6_reg = {
 
 static __attribute__((constructor)) void ipmark_tg_ldr(void)
 {
-	xtables_register_target(&ipmark_tg4_reg);
-	xtables_register_target(&ipmark_tg6_reg);
+	xtables_register_target(&ipmark_tg_reg);
 }

extensions/libxt_IPMARK.man

@@ -4,16 +4,16 @@ firewall based classifier.
 
 This target is to be used inside the \fBmangle\fP table.
 .TP
-\fB--addr\fP {\fBsrc\fP|\fBdst\fP}
+\fB\-\-addr\fP {\fBsrc\fP|\fBdst\fP}
 Select source or destination IP address as a basis for the mark.
 .TP
-\fB--and-mask\fP \fImask\fP
+\fB\-\-and\-mask\fP \fImask\fP
 Perform bitwise AND on the IP address and this bitmask.
 .TP
-\fB--or-mask\fP \fImask\fP
+\fB\-\-or\-mask\fP \fImask\fP
 Perform bitwise OR on the IP address and this bitmask.
 .TP
-\fB--shift\fP \fIvalue\fP
+\fB\-\-shift\fP \fIvalue\fP
 Shift addresses to the right by the given number of bits before taking it
 as a mark. (This is done before ANDing or ORing it.) This option is needed
 to select part of an IPv6 address, because marks are only 32 bits in size.
@@ -34,16 +34,16 @@ tc filter add dev eth3 parent 1:0 protocol ip fw
 .PP
 Earlier we had many rules just like below:
 .IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
---set-mark 0x10502
+iptables \-t mangle \-A POSTROUTING \-o eth3 \-d 192.168.5.2 \-j MARK
+\-\-set\-mark 0x10502
 .IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
---set-mark 0x10503
+iptables \-t mangle \-A POSTROUTING \-o eth3 \-d 192.168.5.3 \-j MARK
+\-\-set\-mark 0x10503
 .PP
 Using IPMARK target we can replace all the mangle/mark rules with only one:
 .IP
-iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr dst
---and-mask 0xffff --or-mask 0x10000
+iptables \-t mangle \-A POSTROUTING \-o eth3 \-j IPMARK \-\-addr dst
+\-\-and\-mask 0xffff \-\-or\-mask 0x10000
 .PP
 On the routers with hundreds of users there should be significant load
 decrease (e.g. twice).
@@ -52,5 +52,5 @@ decrease (e.g. twice).
 2001:db8:45:1d:20d:93ff:fe9b:e443 and the resulting mark should be 0x93ff,
 then a right-shift of 16 is needed first:
 .IP
--t mangle -A PREROUTING -s 2001:db8::/32 -j IPMARK --addr src --shift 16
---and-mask 0xFFFF
+\-t mangle \-A PREROUTING \-s 2001:db8::/32 \-j IPMARK \-\-addr src \-\-shift
+16 \-\-and\-mask 0xFFFF

extensions/libxt_LOGMARK.c

@@ -100,7 +100,7 @@ static struct xtables_target logmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "LOGMARK",
 	.revision      = 0,
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.help          = logmark_tg_help,

extensions/libxt_LOGMARK.man

@@ -1,17 +1,8 @@
 The LOGMARK target will log packet and connection marks to syslog.
 .TP
-\fB--log-level\fR \fIlevel\fR
+\fB\-\-log\-level\fR \fIlevel\fR
 A logging level between 0 and 8 (inclusive).
 .TP
-\fB--log-prefix\fR \fIstring\fR
+\fB\-\-log\-prefix\fR \fIstring\fR
 Prefix log messages with the specified prefix; up to 29 bytes long, and useful
 for distinguishing messages in the logs.
-.TP
-\fB--log-nfmark\fR
-Include the packet mark in the log.
-.TP
-\fB--log-ctmark\fR
-Include the connection mark in the log.
-.TP
-\fB--log-secmark\fR
-Include the packet secmark in the log.

extensions/libxt_RAWDNAT.c

@@ -0,0 +1,187 @@
+/*
+ *	"RAWNAT" target extension for iptables
+ *	Copyright © Jan Engelhardt, 2008 - 2009
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <netinet/in.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include "xt_RAWNAT.h"
+
+enum {
+	FLAGS_TO = 1 << 0,
+};
+
+static const struct option rawdnat_tg_opts[] = {
+	{.name = "to-destination", .has_arg = true, .val = 't'},
+	{},
+};
+
+static void rawdnat_tg_help(void)
+{
+	printf(
+"RAWDNAT target options:\n"
+"    --to-destination addr[/mask]    Address or network to map to\n"
+);
+}
+
+static int
+rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
+                  const void *entry, struct xt_entry_target **target)
+{
+	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
+	struct in_addr *a;
+	unsigned int mask;
+	char *end;
+
+	switch (c) {
+	case 't':
+		info->mask = 32;
+		end = strchr(optarg, '/');
+		if (end != NULL) {
+			*end++ = '\0';
+			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
+					"--to-destination", optarg);
+			info->mask = mask;
+		}
+		a = xtables_numeric_to_ipaddr(optarg);
+		if (a == NULL)
+			xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
+				"--to-destination", optarg);
+		memcpy(&info->addr.in, a, sizeof(*a));
+		*flags |= FLAGS_TO;
+		return true;
+	}
+	return false;
+}
+
+static int
+rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+                  const void *entry, struct xt_entry_target **target)
+{
+	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
+	struct in6_addr *a;
+	unsigned int mask;
+	char *end;
+
+	switch (c) {
+	case 't':
+		info->mask = 128;
+		end = strchr(optarg, '/');
+		if (end != NULL) {
+			*end++ = '\0';
+			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
+					"--to-destination", optarg);
+			info->mask = mask;
+		}
+		a = xtables_numeric_to_ip6addr(optarg);
+		if (a == NULL)
+			xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
+				"--to-destination", optarg);
+		memcpy(&info->addr.in6, a, sizeof(*a));
+		*flags |= FLAGS_TO;
+		return true;
+	}
+	return false;
+}
+
+static void rawdnat_tg_check(unsigned int flags)
+{
+	if (!(flags & FLAGS_TO))
+		xtables_error(PARAMETER_PROBLEM, "RAWDNAT: "
+			"\"--to-destination\" is required.");
+}
+
+static void
+rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target,
+                  int numeric)
+{
+	const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+	if (!numeric && info->mask == 32)
+		printf("to-destination %s ",
+		       xtables_ipaddr_to_anyname(&info->addr.in));
+	else
+		printf("to-destination %s/%u ",
+		       xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
+}
+
+static void
+rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target,
+                  int numeric)
+{
+	const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+	if (!numeric && info->mask == 128)
+		printf("to-destination %s ",
+		       xtables_ip6addr_to_anyname(&info->addr.in6));
+	else
+		printf("to-destination %s/%u ",
+		       xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
+}
+
+static void
+rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target)
+{
+	const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+	printf("--to-destination %s/%u ",
+	       xtables_ipaddr_to_numeric(&info->addr.in),
+	       info->mask);
+}
+
+static void
+rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
+{
+	const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+	printf("--to-destination %s/%u ",
+	       xtables_ip6addr_to_numeric(&info->addr.in6),
+	       info->mask);
+}
+
+static struct xtables_target rawdnat_tg4_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "RAWDNAT",
+	.revision      = 0,
+	.family        = NFPROTO_IPV4,
+	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+	.help          = rawdnat_tg_help,
+	.parse         = rawdnat_tg4_parse,
+	.final_check   = rawdnat_tg_check,
+	.print         = rawdnat_tg4_print,
+	.save          = rawdnat_tg4_save,
+	.extra_opts    = rawdnat_tg_opts,
+};
+
+static struct xtables_target rawdnat_tg6_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "RAWDNAT",
+	.revision      = 0,
+	.family        = NFPROTO_IPV6,
+	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+	.help          = rawdnat_tg_help,
+	.parse         = rawdnat_tg6_parse,
+	.final_check   = rawdnat_tg_check,
+	.print         = rawdnat_tg6_print,
+	.save          = rawdnat_tg6_save,
+	.extra_opts    = rawdnat_tg_opts,
+};
+
+static void _init(void)
+{
+	xtables_register_target(&rawdnat_tg4_reg);
+	xtables_register_target(&rawdnat_tg6_reg);
+}

extensions/libxt_RAWDNAT.man

@@ -0,0 +1,10 @@
+The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
+much like the \fBNETMAP\fR target.
+.TP
+\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
+Network address to map to. The resulting address will be constructed the
+following way: All 'one' bits in the \fImask\fR are filled in from the new
+\fIaddress\fR. All bits that are zero in the mask are filled in from the
+original address.
+.PP
+See the \fBRAWSNAT\fR help entry for examples and constraints.

extensions/libxt_RAWSNAT.c

@@ -0,0 +1,187 @@
+/*
+ *	"RAWNAT" target extension for iptables
+ *	Copyright © Jan Engelhardt, 2008 - 2009
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <netinet/in.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include "xt_RAWNAT.h"
+
+enum {
+	FLAGS_TO = 1 << 0,
+};
+
+static const struct option rawsnat_tg_opts[] = {
+	{.name = "to-source", .has_arg = true, .val = 't'},
+	{},
+};
+
+static void rawsnat_tg_help(void)
+{
+	printf(
+"RAWSNAT target options:\n"
+"    --to-source addr[/mask]    Address or network to map to\n"
+);
+}
+
+static int
+rawsnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
+                  const void *entry, struct xt_entry_target **target)
+{
+	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
+	struct in_addr *a;
+	unsigned int mask;
+	char *end;
+
+	switch (c) {
+	case 't':
+		info->mask = 32;
+		end = strchr(optarg, '/');
+		if (end != NULL) {
+			*end++ = '\0';
+			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+				xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
+					"--to-source", optarg);
+			info->mask = mask;
+		}
+		a = xtables_numeric_to_ipaddr(optarg);
+		if (a == NULL)
+			xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
+				"--to-source", optarg);
+		memcpy(&info->addr.in, a, sizeof(*a));
+		*flags |= FLAGS_TO;
+		return true;
+	}
+	return false;
+}
+
+static int
+rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+                  const void *entry, struct xt_entry_target **target)
+{
+	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
+	struct in6_addr *a;
+	unsigned int mask;
+	char *end;
+
+	switch (c) {
+	case 't':
+		info->mask = 128;
+		end = strchr(optarg, '/');
+		if (end != NULL) {
+			*end++ = '\0';
+			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+				xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
+					"--to-source", optarg);
+			info->mask = mask;
+		}
+		a = xtables_numeric_to_ip6addr(optarg);
+		if (a == NULL)
+			xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
+				"--to-source", optarg);
+		memcpy(&info->addr.in6, a, sizeof(*a));
+		*flags |= FLAGS_TO;
+		return true;
+	}
+	return false;
+}
+
+static void rawsnat_tg_check(unsigned int flags)
+{
+	if (!(flags & FLAGS_TO))
+		xtables_error(PARAMETER_PROBLEM, "RAWSNAT: "
+			"\"--to-source\" is required.");
+}
+
+static void
+rawsnat_tg4_print(const void *entry, const struct xt_entry_target *target,
+                  int numeric)
+{
+	const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+	if (!numeric && info->mask == 32)
+		printf("to-source %s ",
+		       xtables_ipaddr_to_anyname(&info->addr.in));
+	else
+		printf("to-source %s/%u ",
+		       xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
+}
+
+static void
+rawsnat_tg6_print(const void *entry, const struct xt_entry_target *target,
+                  int numeric)
+{
+	const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+	if (!numeric && info->mask == 128)
+		printf("to-source %s ",
+		       xtables_ip6addr_to_anyname(&info->addr.in6));
+	else
+		printf("to-source %s/%u ",
+		       xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
+}
+
+static void
+rawsnat_tg4_save(const void *entry, const struct xt_entry_target *target)
+{
+	const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+	printf("--to-source %s/%u ",
+	       xtables_ipaddr_to_numeric(&info->addr.in),
+	       info->mask);
+}
+
+static void
+rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
+{
+	const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+	printf("--to-source %s/%u ",
+	       xtables_ip6addr_to_numeric(&info->addr.in6),
+	       info->mask);
+}
+
+static struct xtables_target rawsnat_tg4_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "RAWSNAT",
+	.revision      = 0,
+	.family        = NFPROTO_IPV4,
+	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+	.help          = rawsnat_tg_help,
+	.parse         = rawsnat_tg4_parse,
+	.final_check   = rawsnat_tg_check,
+	.print         = rawsnat_tg4_print,
+	.save          = rawsnat_tg4_save,
+	.extra_opts    = rawsnat_tg_opts,
+};
+
+static struct xtables_target rawsnat_tg6_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "RAWSNAT",
+	.revision      = 0,
+	.family        = NFPROTO_IPV6,
+	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+	.help          = rawsnat_tg_help,
+	.parse         = rawsnat_tg6_parse,
+	.final_check   = rawsnat_tg_check,
+	.print         = rawsnat_tg6_print,
+	.save          = rawsnat_tg6_save,
+	.extra_opts    = rawsnat_tg_opts,
+};
+
+static void _init(void)
+{
+	xtables_register_target(&rawsnat_tg4_reg);
+	xtables_register_target(&rawsnat_tg6_reg);
+}

extensions/libxt_RAWSNAT.man

@@ -0,0 +1,38 @@
+The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address
+translation.
+.PP
+The \fBRAWSNAT\fR target will rewrite the source address in the IP header, much
+like the \fBNETMAP\fP target. \fBRAWSNAT\fP (and \fBRAWDNAT\fP) may only be
+used in the \fBraw\fP or \fBrawpost\fP tables, but can be used in all chains,
+which makes it possible to change the source address either when the packet
+enters the machine or when it leaves it. The reason for this table constraint
+is that RAWNAT must happen outside of connection tracking.
+.TP
+\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
+Network address to map to. The resulting address will be constructed the
+following way: All 'one' bits in the \fImask\fR are filled in from the new
+\fIaddress\fR. All bits that are zero in the mask are filled in from the
+original address.
+.PP
+As an example, changing the destination for packets forwarded from an internal
+LAN to the internet:
+.IP
+\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250;
+\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135;
+.PP
+Note that changing addresses may influence the route selection! Specifically,
+it statically NATs packets, not connections, like the normal DNAT/SNAT targets
+would do. Also note that it can transform already-NATed connections \(em as
+said, it is completely external to Netfilter's connection tracking/NAT.
+.PP
+If the machine itself generates packets that are to be rawnat'ed, you need a
+rule in the OUTPUT chain instead, just like you would with the stateful NAT
+targets.
+.PP
+It may be necessary that in doing so, you also need an extra RAWSNAT rule, to
+override the automatic source address selection that the routing code does
+before passing packets to iptables. If the connecting socket has not been
+explicitly bound to an address, as is the common mode of operation, the address
+that will be chosen is the primary address of the device through which the
+packet would be routed with its initial destination address - the address as
+seen before any RAWNAT takes place.

extensions/libxt_STEAL.c

@@ -0,0 +1,31 @@
+#include <stdio.h>
+#include <xtables.h>
+
+static void steal_tg_help(void)
+{
+	printf("STEAL takes no options\n\n");
+}
+
+static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+                          const void *entry, struct xt_entry_target **target)
+{
+	return 0;
+}
+
+static void steal_tg_check(unsigned int flags)
+{
+}
+
+static struct xtables_target steal_tg_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "STEAL",
+	.family        = NFPROTO_UNSPEC,
+	.help          = steal_tg_help,
+	.parse         = steal_tg_parse,
+	.final_check   = steal_tg_check,
+};
+
+static void _init(void)
+{
+	xtables_register_target(&steal_tg_reg);
+}

extensions/libxt_STEAL.man

@@ -0,0 +1,2 @@
+Like the DROP target, but does not throw an error like DROP when used in the
+\fBOUTPUT\fP chain.

extensions/libxt_SYSRQ.c

@@ -21,23 +21,11 @@ static void sysrq_tg_check(unsigned int flags)
 {
 }
 
-static struct xtables_target sysrq_tg4_reg = {
+static struct xtables_target sysrq_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "SYSRQ",
-	.family        = PF_INET,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
-	.help          = sysrq_tg_help,
-	.parse         = sysrq_tg_parse,
-	.final_check   = sysrq_tg_check,
-};
-
-static struct xtables_target sysrq_tg6_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "SYSRQ",
-	.family        = PF_INET6,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.revision      = 1,
+	.family        = NFPROTO_UNSPEC,
 	.help          = sysrq_tg_help,
 	.parse         = sysrq_tg_parse,
 	.final_check   = sysrq_tg_check,
@@ -45,6 +33,5 @@ static struct xtables_target sysrq_tg6_reg = {
 
 static __attribute__((constructor)) void sysrq_tg_ldr(void)
 {
-	xtables_register_target(&sysrq_tg4_reg);
-	xtables_register_target(&sysrq_tg6_reg);
+	xtables_register_target(&sysrq_tg_reg);
 }

extensions/libxt_SYSRQ.man

@@ -1,7 +1,7 @@
 The SYSRQ target allows to remotely trigger sysrq on the local machine over the
 network. This can be useful when vital parts of the machine hang, for example
 an oops in a filesystem causing locks to be not released and processes to get
-stuck as a result - if still possible, use /proc/sysrq-trigger. Even when
+stuck as a result \(em if still possible, use /proc/sysrq-trigger. Even when
 processes are stuck, interrupts are likely to be still processed, and as such,
 sysrq can be triggered through incoming network packets.
 .PP
@@ -11,30 +11,30 @@ requests. The initial sequence number comes from the time of day so you will
 have a small window of vulnerability should time go backwards at a reboot.
 However, the file /sys/module/xt_SYSREQ/seqno can be used to both query and
 update the current sequence number. Also, you should limit as to who can issue
-commands using \fB-s\fP and/or \fB-m mac\fP, and also that the destination is
-correct using \fB-d\fP (to protect against potential broadcast packets), noting
-that it is still short of MAC/IP spoofing:
+commands using \fB\-s\fP and/or \fB\-m mac\fP, and also that the destination is
+correct using \fB\-d\fP (to protect against potential broadcast packets),
+noting that it is still short of MAC/IP spoofing:
 .IP
--A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
--p udp --dport 9 -j SYSRQ
+\-A INPUT \-s 10.10.25.1 \-m mac \-\-mac\-source aa:bb:cc:dd:ee:ff \-d
+10.10.25.7 \-p udp \-\-dport 9 \-j SYSRQ
 .IP
-(with IPsec) -A INPUT -s 10.10.25.1 -d 10.10.25.7 -m policy --dir in --pol
-ipsec --proto esp --tunnel-src 10.10.25.1 --tunnel-dst 10.10.25.7
--p udp --dport 9 -j SYSRQ
+(with IPsec) \-A INPUT \-s 10.10.25.1 \-d 10.10.25.7 \-m policy \-\-dir in
+\-\-pol ipsec \-\-proto esp \-\-tunnel\-src 10.10.25.1 \-\-tunnel\-dst
+10.10.25.7 \-p udp \-\-dport 9 \-j SYSRQ
 .PP
 You should also limit the rate at which connections can be received to limit
 the CPU time taken by illegal requests, for example:
 .IP
--A INPUT 0s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
--p udp --dport 9 -m limit --limit 5/minute -j SYSRQ
+\-A INPUT \-s 10.10.25.1 \-m mac \-\-mac\-source aa:bb:cc:dd:ee:ff \-d
+10.10.25.7 \-p udp \-\-dport 9 \-m limit \-\-limit 5/minute \-j SYSRQ
 .PP
-This extension does not take any options. The \fB-p udp\fP options are
+This extension does not take any options. The \fB\-p udp\fP options are
 required.
 .PP
 The SYSRQ password can be changed through
 /sys/module/xt_SYSRQ/parameters/password, for example:
 .IP
-echo -n "password" >/sys/module/xt_SYSRQ/parameters/password
+echo \-n "password" >/sys/module/xt_SYSRQ/parameters/password
 .PP
 Alternatively, the password may be specified at modprobe time, but this is
 insecure as people can possible see it through ps(1). You can use an option
@@ -59,17 +59,17 @@ sysrq_key="s"  # the SysRq key(s)
 password="password"
 seqno="$(date +%s)"
 salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
-    openssl enc -base64)"
+    openssl enc \-base64)"
 req="$sysrq_key,$seqno,$salt"
-req="$req,$(echo -n "$req,$password" | sha1sum | cut -c1-40)"
+req="$req,$(echo \-n "$req,$password" | sha1sum | cut \-c1\-40)"
 
-echo "$req" | socat stdin udp-sendto:10.10.25.7:9
+echo "$req" | socat stdin udp\-sendto:10.10.25.7:9
 # or
-echo "$req" | netcat -uw1 10.10.25.7 9
+echo "$req" | netcat \-uw1 10.10.25.7 9
 .fi
 .PP
 See the Linux docs for possible sysrq keys. Important ones are: re(b)oot,
-power(o)ff, (s)ync filesystems, (u)mount and remount readonly.  More than one
+power(o)ff, (s)ync filesystems, (u)mount and remount readonly. More than one
 sysrq key can be used at once, but bear in mind that, for example, a sync may
 not complete before a subsequent reboot or poweroff.
 .PP