Xtables-addons 1.18

These are not needed, .bss is zeroed.

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.15])
+AC_INIT([xtables-addons], [1.18])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -79,13 +79,17 @@ krel="${krel#*.}";
 kminor="${krel%%.*}";
 krel="${krel#*.}";
 kmicro="${krel%%.*}";
-krel="${krel#*.}";
+krel2="${krel#*.}";
+if test "$krel" = "$krel2"; then
+	kstable=0;
+else
 	kstable="${krel%%.*}";
 	if test -z "$kstable"; then
 		kstable=0;
 	fi;
+fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 30; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 31; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \

doc/README.psd

@@ -0,0 +1,4 @@
+PSD (Portscan Detection) External extensions for Xtables-addons
+
+Example:
+iptables -A INPUT -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 1 --psd-hi-ports-weight 10 -j LOG --log-prefix "PSD: "

doc/changelog.txt

@@ -1,5 +1,30 @@
 
 
+Xtables-addons 1.18 (September 09 2009)
+=======================================
+- build: support for Linux 2.6.31
+- ipset: fast forward to v3.2
+- quota2: support anonymous counters
+- quota2: reduce memory footprint for anonymous counters
+- quota2: extend locked period during cleanup (locking bugfix)
+- quota2: use strtoull instead of strtoul
+- merged xt_ACCOUNT module
+- merged xt_psd module
+
+
+Xtables-addons 1.17 (June 16 2009)
+==================================
+- IPMARK: print missing --shift parameter
+- build: use readlink -f in extensions/ipset/
+- build: support for Linux 2.6.30
+
+
+Xtables-addons 1.16 (May 27 2009)
+=================================
+- RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
+- ipset: fast forward to 3.0
+
+
 Xtables-addons 1.15 (April 30 2009)
 ===================================
 - build: add kernel version check to configure

extensions/GNUmakefile.in

@@ -31,17 +31,14 @@ AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
 VU := 0
-am__1verbose_CC_0     = @echo "  CC      " $@;
-am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
-am__1verbose_GEN_0    = @echo "  GEN     " $@;
-am__1verbose_SILENT_0 = @
-am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
-am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
-am__1verbose_GEN_1    = @echo "  GEN     " $@ "<-" $<;
-am__verbose_CC        = ${am__1verbose_CC_${VU}}
-am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
-am__verbose_GEN       = ${am__1verbose_GEN_${VU}}
-am__verbose_SILENT    = ${am__1verbose_GEN_${VU}}
+am__v_CC_0     = @echo "  CC      " $@;
+am__v_CCLD_0   = @echo "  CCLD    " $@;
+am__v_GEN_0    = @echo "  GEN     " $@;
+am__v_SILENT_0 = @
+AM_V_CC        = ${am__v_CC_${VU}}
+AM_V_CCLD      = ${am__v_CCLD_${VU}}
+AM_V_GEN       = ${am__v_GEN_${VU}}
+AM_V_silent    = ${am__v_GEN_${VU}}
 
 
 #
@@ -80,7 +77,7 @@ install: modules_install subdirs-install ${targets_install}
 	install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/";
 
 clean: clean_modules
-	@for i in ${subdirs_list}; do make -C $$i clean; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i clean; done;
 	rm -f *.oo *.so;
 
 distclean: clean
@@ -95,23 +92,23 @@ distclean: clean
 .PHONY: modules modules_install clean_modules
 
 modules:
-	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
 
 modules_install:
-	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
 
 clean_modules:
-	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
 
 
 #
 #	Shared libraries
 #
 lib%.so: lib%.oo
-	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
 
 lib%.oo: ${srcdir}/lib%.c
-	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
 
 
 #
@@ -128,7 +125,7 @@ wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
 	rm -f $@.tmp;
 
 man_run    = \
-	${am__verbose_GEN}for ext in $(1); do \
+	${AM_V_GEN}for ext in $(1); do \
 		f="${srcdir}/libxt_$$ext.man"; \
 		if [ -f "$$f" ]; then \
 			echo ".SS $$ext"; \

extensions/Kbuild

@@ -5,6 +5,7 @@ include ${XA_TOPSRCDIR}/mconfig
 
 obj-m                    += compat_xtables.o
 
+obj-${build_ACCOUNT}     += xt_ACCOUNT.o
 obj-${build_CHAOS}       += xt_CHAOS.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
@@ -25,6 +26,7 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o
+obj-${build_psd}         += xt_psd.o
 obj-${build_quota2}      += xt_quota2.o
 
 -include ${M}/*.Kbuild

extensions/Mbuild

@@ -1,3 +1,4 @@
+obj-${build_ACCOUNT}     += libxt_ACCOUNT.so
 obj-${build_CHAOS}       += libxt_CHAOS.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
@@ -18,4 +19,5 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
+obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/compat_skbuff.h

@@ -4,6 +4,23 @@
 struct tcphdr;
 struct udphdr;
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 30)
+static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
+{
+	skb->dst = dst;
+}
+
+static inline struct dst_entry *skb_dst(const struct sk_buff *skb)
+{
+	return skb->dst;
+}
+
+static inline struct rtable *skb_rtable(const struct sk_buff *skb)
+{
+	return (void *)skb->dst;
+}
+#endif
+
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
 #	define skb_ifindex(skb) \
 		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)

extensions/ip6table_rawpost.c

@@ -69,7 +69,9 @@ static int __init rawpost6_table_init(void)
 {
 	int ret;
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
 	rwlock_init(&rawpost6_itable.lock);
+#endif
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
 	rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
 	                  &rawpost6_initial.repl);

extensions/ipset/GNUmakefile.in

@@ -3,8 +3,8 @@
 top_srcdir      := @top_srcdir@
 srcdir          := @srcdir@
 datarootdir     := @datarootdir@
-abstop_srcdir   := $(shell readlink -e ${top_srcdir})
-abssrcdir       := $(shell readlink -e ${srcdir})
+abstop_srcdir   := $(shell readlink -f ${top_srcdir})
+abssrcdir       := $(shell readlink -f ${srcdir})
 
 ifeq (${abstop_srcdir},)
 $(error Path resolution of ${top_srcdir} failed)

extensions/ipset/ip_set.c

@@ -493,7 +493,7 @@ ip_set_find_byindex(ip_set_id_t index)
 static inline int
 __ip_set_testip(struct ip_set *set,
 	        const void *data,
-	        size_t size,
+	        u_int32_t size,
 	        ip_set_ip_t *ip)
 {
 	int res;
@@ -508,7 +508,7 @@ __ip_set_testip(struct ip_set *set,
 static int
 __ip_set_addip(ip_set_id_t index,
 	       const void *data,
-	       size_t size)
+	       u_int32_t size)
 {
 	struct ip_set *set = ip_set_list[index];
 	ip_set_ip_t ip;
@@ -529,15 +529,15 @@ __ip_set_addip(ip_set_id_t index,
 static int
 ip_set_addip(ip_set_id_t index,
 	     const void *data,
-	     size_t size)
+	     u_int32_t size)
 {
 	struct ip_set *set = ip_set_list[index];
 
 	IP_SET_ASSERT(set);
 
 	if (size - sizeof(struct ip_set_req_adt) != set->type->reqsize) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      set->type->reqsize,
+		ip_set_printk("data length wrong (want %lu, have %zu)",
+			      (long unsigned)set->type->reqsize,
 			      size - sizeof(struct ip_set_req_adt));
 		return -EINVAL;
 	}
@@ -549,7 +549,7 @@ ip_set_addip(ip_set_id_t index,
 static int
 ip_set_delip(ip_set_id_t index,
 	     const void *data,
-	     size_t size)
+	     u_int32_t size)
 {
 	struct ip_set *set = ip_set_list[index];
 	ip_set_ip_t ip;
@@ -558,8 +558,8 @@ ip_set_delip(ip_set_id_t index,
 	IP_SET_ASSERT(set);
 
 	if (size - sizeof(struct ip_set_req_adt) != set->type->reqsize) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      set->type->reqsize,
+		ip_set_printk("data length wrong (want %lu, have %zu)",
+			      (long unsigned)set->type->reqsize,
 			      size - sizeof(struct ip_set_req_adt));
 		return -EINVAL;
 	}
@@ -576,7 +576,7 @@ ip_set_delip(ip_set_id_t index,
 static int
 ip_set_testip(ip_set_id_t index,
 	      const void *data,
-	      size_t size)
+	      u_int32_t size)
 {
 	struct ip_set *set = ip_set_list[index];
 	ip_set_ip_t ip;
@@ -585,8 +585,8 @@ ip_set_testip(ip_set_id_t index,
 	IP_SET_ASSERT(set);
 	
 	if (size - sizeof(struct ip_set_req_adt) != set->type->reqsize) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      set->type->reqsize,
+		ip_set_printk("data length wrong (want %lu, have %zu)",
+			      (long unsigned)set->type->reqsize,
 			      size - sizeof(struct ip_set_req_adt));
 		return -EINVAL;
 	}
@@ -601,7 +601,7 @@ ip_set_testip(ip_set_id_t index,
 static int
 ip_set_bindip(ip_set_id_t index,
 	      const void *data,
-	      size_t size)
+	      u_int32_t size)
 {
 	struct ip_set *set = ip_set_list[index];
 	const struct ip_set_req_bind *req_bind;
@@ -687,7 +687,7 @@ __unbind_default(struct ip_set *set)
 static int
 ip_set_unbindip(ip_set_id_t index,
 	        const void *data,
-	        size_t size)
+	        u_int32_t size)
 {
 	struct ip_set *set;
 	const struct ip_set_req_bind *req_bind;
@@ -760,7 +760,7 @@ ip_set_unbindip(ip_set_id_t index,
 static int
 ip_set_testbind(ip_set_id_t index,
 	        const void *data,
-	        size_t size)
+	        u_int32_t size)
 {
 	struct ip_set *set = ip_set_list[index];
 	const struct ip_set_req_bind *req_bind;
@@ -862,7 +862,7 @@ ip_set_create(const char *name,
 	      const char *typename,
 	      ip_set_id_t restore,
 	      const void *data,
-	      size_t size)
+	      u_int32_t size)
 {
 	struct ip_set *set;
 	ip_set_id_t index = 0, id;
@@ -915,9 +915,9 @@ ip_set_create(const char *name,
 
 	/* Check request size */
 	if (size != set->type->header_size) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      set->type->header_size,
-			      size);
+		ip_set_printk("data length wrong (want %lu, have %lu)",
+			      (long unsigned)set->type->header_size,
+			      (long unsigned)size);
 		goto put_out;
 	}
 
@@ -1109,7 +1109,7 @@ ip_set_swap(ip_set_id_t from_index, ip_set_id_t to_index)
 
 static inline void
 __set_hash_bindings_size_list(struct ip_set_hash *set_hash,
-			      ip_set_id_t id, size_t *size)
+			      ip_set_id_t id, u_int32_t *size)
 {
 	if (set_hash->id == id)
 		*size += sizeof(struct ip_set_hash_list);
@@ -1117,7 +1117,7 @@ __set_hash_bindings_size_list(struct ip_set_hash *set_hash,
 
 static inline void
 __set_hash_bindings_size_save(struct ip_set_hash *set_hash,
-			      ip_set_id_t id, size_t *size)
+			      ip_set_id_t id, u_int32_t *size)
 {
 	if (set_hash->id == id)
 		*size += sizeof(struct ip_set_hash_save);
@@ -1220,7 +1220,7 @@ static int ip_set_save_set(ip_set_id_t index,
 	*used += sizeof(struct ip_set_save);
 
 	set = ip_set_list[index];
-	DP("set: %s, used: %u(%u) %p %p", set->name, *used, len,
+	DP("set: %s, used: %d(%d) %p %p", set->name, *used, len,
 	   data, data + *used);
 
 	read_lock_bh(&set->lock);
@@ -1237,8 +1237,8 @@ static int ip_set_save_set(ip_set_id_t index,
 	set->type->list_header(set, data + *used);
 	*used += set_save->header_size;
 
-	DP("set header filled: %s, used: %u(%u) %p %p", set->name, *used,
-	   set_save->header_size, data, data + *used);
+	DP("set header filled: %s, used: %d(%lu) %p %p", set->name, *used,
+	   (unsigned long)set_save->header_size, data, data + *used);
 	/* Get and ensure set specific members size */
 	set_save->members_size = set->type->list_members_size(set);
 	if (*used + set_save->members_size > len)
@@ -1248,8 +1248,8 @@ static int ip_set_save_set(ip_set_id_t index,
 	set->type->list_members(set, data + *used);
 	*used += set_save->members_size;
 	read_unlock_bh(&set->lock);
-	DP("set members filled: %s, used: %u(%u) %p %p", set->name, *used,
-	   set_save->members_size, data, data + *used);
+	DP("set members filled: %s, used: %d(%lu) %p %p", set->name, *used,
+	   (unsigned long)set_save->members_size, data, data + *used);
 	return 0;
 
     unlock_set:
@@ -1329,7 +1329,7 @@ static int ip_set_restore(void *data,
 	while (1) {
 		line++;
 		
-		DP("%u %u %u", used, sizeof(struct ip_set_restore), len);
+		DP("%d %zu %d", used, sizeof(struct ip_set_restore), len);
 		/* Get and ensure header size */
 		if (used + sizeof(struct ip_set_restore) > len)
 			return line;
@@ -1367,12 +1367,13 @@ static int ip_set_restore(void *data,
 		/* Try to restore members data */
 		set = ip_set_list[index];
 		members_size = 0;
-		DP("members_size %u reqsize %u",
-		   set_restore->members_size, set->type->reqsize);
+		DP("members_size %lu reqsize %lu",
+		   (unsigned long)set_restore->members_size,
+		   (unsigned long)set->type->reqsize);
 		while (members_size + set->type->reqsize <=
 		       set_restore->members_size) {
 			line++;
-		       	DP("members: %u, line %u", members_size, line);
+		       	DP("members: %d, line %d", members_size, line);
 			res = __ip_set_addip(index,
 					   data + used + members_size,
 					   set->type->reqsize);
@@ -1381,8 +1382,8 @@ static int ip_set_restore(void *data,
 			members_size += set->type->reqsize;
 		}
 
-		DP("members_size %u  %u",
-		   set_restore->members_size, members_size);
+		DP("members_size %lu  %d",
+		   (unsigned long)set_restore->members_size, members_size);
 		if (members_size != set_restore->members_size)
 			return line++;
 		used += set_restore->members_size;		
@@ -1442,10 +1443,10 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 	struct ip_set_req_adt *req_adt;
 	ip_set_id_t index = IP_SET_INVALID_ID;
 	int (*adtfn)(ip_set_id_t index,
-		     const void *data, size_t size);
+		     const void *data, u_int32_t size);
 	struct fn_table {
 		int (*fn)(ip_set_id_t index,
-			  const void *data, size_t size);
+			  const void *data, u_int32_t size);
 	} adtfn_table[] =
 	{ { ip_set_addip }, { ip_set_delip }, { ip_set_testip},
 	  { ip_set_bindip}, { ip_set_unbindip }, { ip_set_testbind },
@@ -1910,13 +1911,23 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
 		    	res = -ENOENT;
 		    	goto done;
 		}
+
+#define SETLIST(set)	(strcmp(set->type->typename, "setlist") == 0)
+
 		used = 0;
 		if (index == IP_SET_INVALID_ID) {
-			/* Save all sets */
+			/* Save all sets: ugly setlist type dependency */
+			int setlist = 0;
+		setlists:
 			for (i = 0; i < ip_set_max && res == 0; i++) {
-				if (ip_set_list[i] != NULL)
+				if (ip_set_list[i] != NULL
+				    && !(setlist ^ SETLIST(ip_set_list[i])))
 					res = ip_set_save_set(i, data, &used, *len);
 			}
+			if (!setlist) {
+				setlist = 1;
+				goto setlists;
+			}
 		} else {
 			/* Save an individual set */
 			res = ip_set_save_set(index, data, &used, *len);
@@ -1938,14 +1949,14 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
 
 		if (*len < sizeof(struct ip_set_req_setnames)
 		    || *len != req_restore->size) {
-			ip_set_printk("invalid RESTORE (want =%zu, got %d)",
-				      req_restore->size, *len);
+			ip_set_printk("invalid RESTORE (want =%lu, got %d)",
+				      (long unsigned)req_restore->size, *len);
 			res = -EINVAL;
 			goto done;
 		}
 		line = ip_set_restore(data + sizeof(struct ip_set_req_setnames),
 				      req_restore->size - sizeof(struct ip_set_req_setnames));
-		DP("ip_set_restore: %u", line);
+		DP("ip_set_restore: %d", line);
 		if (line != 0) {
 			res = -EAGAIN;
 			req_restore->size = line;
@@ -1960,7 +1971,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
 	}	/* end of switch(op) */
 
     copy:
-   	DP("set %s, copylen %u", index != IP_SET_INVALID_ID
+   	DP("set %s, copylen %d", index != IP_SET_INVALID_ID
    	             		 && ip_set_list[index]
    	             ? ip_set_list[index]->name
    	             : ":all:", copylen);

extensions/ipset/ip_set.h

@@ -48,7 +48,7 @@
 /* 
  * Used so that the kernel module and ipset-binary can match their versions 
  */
-#define IP_SET_PROTOCOL_VERSION 2
+#define IP_SET_PROTOCOL_VERSION 3
 
 #define IP_SET_MAXNAMELEN 32	/* set names and set typenames */
 
@@ -236,7 +236,7 @@ struct ip_set_req_max_sets {
 struct ip_set_req_setnames {
 	unsigned op;
 	ip_set_id_t index;		/* set to list/save */
-	size_t size;			/* size to get setdata/bindings */
+	u_int32_t size;			/* size to get setdata/bindings */
 	/* followed by sets number of struct ip_set_name_list */
 };
 
@@ -258,9 +258,9 @@ struct ip_set_list {
 	ip_set_id_t index;
 	ip_set_id_t binding;
 	u_int32_t ref;
-	size_t header_size;	/* Set header data of header_size */
-	size_t members_size;	/* Set members data of members_size */
-	size_t bindings_size;	/* Set bindings data of bindings_size */
+	u_int32_t header_size;	/* Set header data of header_size */
+	u_int32_t members_size;	/* Set members data of members_size */
+	u_int32_t bindings_size;/* Set bindings data of bindings_size */
 };
 
 struct ip_set_hash_list {
@@ -277,8 +277,8 @@ struct ip_set_hash_list {
 struct ip_set_save {
 	ip_set_id_t index;
 	ip_set_id_t binding;
-	size_t header_size;	/* Set header data of header_size */
-	size_t members_size;	/* Set members data of members_size */
+	u_int32_t header_size;	/* Set header data of header_size */
+	u_int32_t members_size;	/* Set members data of members_size */
 };
 
 /* At restoring, ip == 0 means default binding for the given set: */
@@ -298,8 +298,8 @@ struct ip_set_restore {
 	char name[IP_SET_MAXNAMELEN];
 	char typename[IP_SET_MAXNAMELEN];
 	ip_set_id_t index;
-	size_t header_size;	/* Create data of header_size */
-	size_t members_size;	/* Set members data of members_size */
+	u_int32_t header_size;	/* Create data of header_size */
+	u_int32_t members_size;	/* Set members data of members_size */
 };
 
 static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
@@ -366,14 +366,14 @@ struct ip_set_type {
 	 * return 0 if not in set, 1 if in set.
 	 */
 	int (*testip) (struct ip_set *set,
-		       const void *data, size_t size,
+		       const void *data, u_int32_t size,
 		       ip_set_ip_t *ip);
 
 	/*
 	 * Size of the data structure passed by when
 	 * adding/deletin/testing an entry.
 	 */
-	size_t reqsize;
+	u_int32_t reqsize;
 
 	/* Add IP into set (userspace: ipset -A set IP)
 	 * Return -EEXIST if the address is already in the set,
@@ -381,7 +381,7 @@ struct ip_set_type {
 	 * If the address was not already in the set, 0 is returned.
 	 */
 	int (*addip) (struct ip_set *set, 
-		      const void *data, size_t size,
+		      const void *data, u_int32_t size,
 		      ip_set_ip_t *ip);
 
 	/* Add IP into set (kernel: iptables ... -j SET set src|dst)
@@ -401,7 +401,7 @@ struct ip_set_type {
 	 * If the address really was in the set, 0 is returned.
 	 */
 	int (*delip) (struct ip_set *set, 
-		      const void *data, size_t size,
+		      const void *data, u_int32_t size,
 		      ip_set_ip_t *ip);
 
 	/* remove IP from set (kernel: iptables ... -j SET --entry x)
@@ -418,7 +418,7 @@ struct ip_set_type {
 	/* new set creation - allocated type specific items
 	 */
 	int (*create) (struct ip_set *set,
-		       const void *data, size_t size);
+		       const void *data, u_int32_t size);
 
 	/* retry the operation after successfully tweaking the set
 	 */
@@ -437,7 +437,7 @@ struct ip_set_type {
 
 	/* Listing: size needed for header
 	 */
-	size_t header_size;
+	u_int32_t header_size;
 
 	/* Listing: Get the header
 	 *
@@ -523,7 +523,7 @@ extern int ip_set_testip_kernel(ip_set_id_t id,
 
 #define UADT0(type, adt, args...)					\
 static int								\
-FNAME(type,_u,adt)(struct ip_set *set, const void *data, size_t size,	\
+FNAME(type,_u,adt)(struct ip_set *set, const void *data, u_int32_t size,\
 	     ip_set_ip_t *hash_ip)					\
 {									\
 	const STRUCT(ip_set_req_,type) *req = data;			\

extensions/ipset/ip_set_bitmaps.h

@@ -6,7 +6,7 @@
 #ifdef __KERNEL__
 #define BITMAP_CREATE(type)						\
 static int								\
-type##_create(struct ip_set *set, const void *data, size_t size)	\
+type##_create(struct ip_set *set, const void *data, u_int32_t size)	\
 {									\
 	int newbytes;							\
 	const struct ip_set_req_##type##_create *req = data;		\
@@ -19,8 +19,8 @@ type##_create(struct ip_set *set, const void *data, size_t size)	\
 									\
 	map = kmalloc(sizeof(struct ip_set_##type), GFP_KERNEL);	\
 	if (!map) {							\
-		DP("out of memory for %d bytes",			\
-		   sizeof(struct ip_set_#type));			\
+		DP("out of memory for %zu bytes",			\
+		   sizeof(struct ip_set_##type));			\
 		return -ENOMEM;						\
 	}								\
 	map->first_ip = req->from;					\
@@ -35,7 +35,7 @@ type##_create(struct ip_set *set, const void *data, size_t size)	\
 	map->size = newbytes;						\
 	map->members = ip_set_malloc(newbytes);				\
 	if (!map->members) {						\
-		DP("out of memory for %d bytes", newbytes);		\
+		DP("out of memory for %i bytes", newbytes);		\
 		kfree(map);						\
 		return -ENOMEM;						\
 	}								\

extensions/ipset/ip_set_compat.h

@@ -58,6 +58,7 @@ static inline void *kzalloc(size_t size, gfp_t flags)
 #endif
 
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
+#include <linux/netfilter.h>
 #define KMEM_CACHE_CREATE(name, size) \
 	kmem_cache_create(name, size, 0, 0, NULL, NULL)
 #else

extensions/ipset/ip_set_hashes.h

@@ -28,20 +28,22 @@ type##_retry(struct ip_set *set)					\
 		hashsize++;						\
 									\
 	ip_set_printk("rehashing of set %s triggered: "			\
-		      "hashsize grows from %u to %u",			\
-		      set->name, map->hashsize, hashsize);		\
+		      "hashsize grows from %lu to %lu",			\
+		      set->name,					\
+		      (long unsigned)map->hashsize,			\
+		      (long unsigned)hashsize);				\
 		      							\
 	tmp = kmalloc(sizeof(struct ip_set_##type)			\
 		      + map->probes * sizeof(initval_t), GFP_ATOMIC);	\
 	if (!tmp) {							\
-		DP("out of memory for %d bytes",			\
+		DP("out of memory for %zu bytes",			\
 		   sizeof(struct ip_set_##type)				\
 		   + map->probes * sizeof(initval_t));			\
 		return -ENOMEM;						\
 	}								\
 	tmp->members = harray_malloc(hashsize, sizeof(dtype), GFP_ATOMIC);\
 	if (!tmp->members) {						\
-		DP("out of memory for %d bytes", hashsize * sizeof(dtype));\
+		DP("out of memory for %zu bytes", hashsize * sizeof(dtype));\
 		kfree(tmp);						\
 		return -ENOMEM;						\
 	}								\
@@ -88,7 +90,7 @@ type##_retry(struct ip_set *set)					\
 
 #define HASH_CREATE(type, dtype)					\
 static int								\
-type##_create(struct ip_set *set, const void *data, size_t size)	\
+type##_create(struct ip_set *set, const void *data, u_int32_t size)	\
 {									\
 	const struct ip_set_req_##type##_create *req = data;		\
 	struct ip_set_##type *map;					\
@@ -107,7 +109,7 @@ type##_create(struct ip_set *set, const void *data, size_t size)	\
 	map = kmalloc(sizeof(struct ip_set_##type)			\
 		      + req->probes * sizeof(initval_t), GFP_KERNEL);	\
 	if (!map) {							\
-		DP("out of memory for %d bytes",			\
+		DP("out of memory for %zu bytes",			\
 		   sizeof(struct ip_set_##type)				\
 		   + req->probes * sizeof(initval_t));			\
 		return -ENOMEM;						\
@@ -124,7 +126,7 @@ type##_create(struct ip_set *set, const void *data, size_t size)	\
 	}								\
 	map->members = harray_malloc(map->hashsize, sizeof(dtype), GFP_KERNEL);\
 	if (!map->members) {						\
-		DP("out of memory for %d bytes", map->hashsize * sizeof(dtype));\
+		DP("out of memory for %zu bytes", map->hashsize * sizeof(dtype));\
 		kfree(map);						\
 		return -ENOMEM;						\
 	}								\

extensions/ipset/ip_set_ipmap.h

@@ -13,7 +13,7 @@ struct ip_set_ipmap {
 	ip_set_ip_t netmask;		/* subnet netmask */
 	ip_set_ip_t sizeid;		/* size of set in IPs */
 	ip_set_ip_t hosts;		/* number of hosts in a subnet */
-	size_t size;			/* size of the ipmap proper */
+	u_int32_t size;			/* size of the ipmap proper */
 };
 
 struct ip_set_req_ipmap_create {

extensions/ipset/ip_set_ipportnethash.c

@@ -102,7 +102,7 @@ ipportnethash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
 }
 
 static int
-ipportnethash_utest(struct ip_set *set, const void *data, size_t size,
+ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size,
 		    ip_set_ip_t *hash_ip)
 {
 	const struct ip_set_req_ipportnethash *req = data;

extensions/ipset/ip_set_iptree.c

@@ -10,6 +10,7 @@
 #include <linux/module.h>
 #include <linux/moduleparam.h>
 #include <linux/ip.h>
+#include <linux/jiffies.h>
 #include <linux/skbuff.h>
 #include <linux/slab.h>
 #include <linux/delay.h>
@@ -276,21 +277,21 @@ init_gc_timer(struct ip_set *set)
 }
 
 static int
-iptree_create(struct ip_set *set, const void *data, size_t size)
+iptree_create(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_req_iptree_create *req = data;
 	struct ip_set_iptree *map;
 
 	if (size != sizeof(struct ip_set_req_iptree_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
+		ip_set_printk("data length wrong (want %zu, have %lu)",
 			      sizeof(struct ip_set_req_iptree_create),
-			      size);
+			      (unsigned long)size);
 		return -EINVAL;
 	}
 
 	map = kmalloc(sizeof(struct ip_set_iptree), GFP_KERNEL);
 	if (!map) {
-		DP("out of memory for %d bytes",
+		DP("out of memory for %zu bytes",
 		   sizeof(struct ip_set_iptree));
 		return -ENOMEM;
 	}

extensions/ipset/ip_set_iptreemap.c

@@ -14,6 +14,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/ip.h>
+#include <linux/jiffies.h>
 #include <linux/skbuff.h>
 #include <linux/slab.h>
 #include <linux/delay.h>
@@ -338,7 +339,7 @@ KADT(iptreemap, add, ipaddr, ip)
 
 static inline int
 __delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
-	       ip_set_ip_t ip, unsigned int __nocast flags)
+	       ip_set_ip_t ip, gfp_t flags)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -364,7 +365,7 @@ __delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
 
 static inline int
 iptreemap_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	      ip_set_ip_t start, ip_set_ip_t end, unsigned int __nocast flags)
+	      ip_set_ip_t start, ip_set_ip_t end, gfp_t flags)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -470,7 +471,7 @@ init_gc_timer(struct ip_set *set)
 }
 
 static int
-iptreemap_create(struct ip_set *set, const void *data, size_t size)
+iptreemap_create(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_req_iptreemap_create *req = data;
 	struct ip_set_iptreemap *map;
@@ -567,7 +568,7 @@ iptreemap_list_members_size(const struct ip_set *set)
 	return (count * sizeof(struct ip_set_req_iptreemap));
 }
 
-static inline size_t
+static inline u_int32_t
 add_member(void *data, size_t offset, ip_set_ip_t start, ip_set_ip_t end)
 {
 	struct ip_set_req_iptreemap *entry = data + offset;

extensions/ipset/ip_set_macipmap.c

@@ -22,7 +22,7 @@
 #include "ip_set_macipmap.h"
 
 static int
-macipmap_utest(struct ip_set *set, const void *data, size_t size,
+macipmap_utest(struct ip_set *set, const void *data, u_int32_t size,
 	       ip_set_ip_t *hash_ip)
 {
 	const struct ip_set_macipmap *map = set->data;
@@ -35,8 +35,7 @@ macipmap_utest(struct ip_set *set, const void *data, size_t size,
 	*hash_ip = req->ip;
 	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
 	   set->name, HIPQUAD(req->ip), HIPQUAD(*hash_ip));		
-	if (test_bit(IPSET_MACIP_ISSET,
-		     (void *) &table[req->ip - map->first_ip].flags)) {
+	if (table[req->ip - map->first_ip].match) {
 		return (memcmp(req->ethernet,
 			       &table[req->ip - map->first_ip].ethernet,
 			       ETH_ALEN) == 0);
@@ -64,8 +63,7 @@ macipmap_ktest(struct ip_set *set,
 	*hash_ip = ip;	
 	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
 	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip));		
-	if (test_bit(IPSET_MACIP_ISSET,
-	    (void *) &table[ip - map->first_ip].flags)) {
+	if (table[ip - map->first_ip].match) {
 		/* Is mac pointer valid?
 		 * If so, compare... */
 		return (skb_mac_header(skb) >= skb->head
@@ -88,13 +86,13 @@ macipmap_add(struct ip_set *set, ip_set_ip_t *hash_ip,
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
-	if (test_and_set_bit(IPSET_MACIP_ISSET,
-			     (void *) &table[ip - map->first_ip].flags))
+	if (table[ip - map->first_ip].match)
 		return -EEXIST;
 
 	*hash_ip = ip;
 	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
 	memcpy(&table[ip - map->first_ip].ethernet, ethernet, ETH_ALEN);
+	table[ip - map->first_ip].match = IPSET_MACIP_ISSET;
 	return 0;
 }
 
@@ -114,11 +112,11 @@ macipmap_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
-	if (!test_and_clear_bit(IPSET_MACIP_ISSET,
-				(void *)&table[ip - map->first_ip].flags))
+	if (!table[ip - map->first_ip].match)
 		return -EEXIST;
 
 	*hash_ip = ip;
+	table[ip - map->first_ip].match = 0;
 	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
 	return 0;
 }

extensions/ipset/ip_set_macipmap.h

@@ -17,7 +17,7 @@ struct ip_set_macipmap {
 	ip_set_ip_t first_ip;		/* host byte order, included in range */
 	ip_set_ip_t last_ip;		/* host byte order, included in range */
 	u_int32_t flags;
-	size_t size;			/* size of the ipmap proper */
+	u_int32_t size;			/* size of the ipmap proper */
 };
 
 struct ip_set_req_macipmap_create {
@@ -32,7 +32,7 @@ struct ip_set_req_macipmap {
 };
 
 struct ip_set_macip {
-	unsigned short flags;
+	unsigned short match;
 	unsigned char ethernet[ETH_ALEN];
 };
 

extensions/ipset/ip_set_malloc.h

@@ -40,7 +40,7 @@ struct harray {
 };
 
 static inline void * 
-__harray_malloc(size_t hashsize, size_t typesize, int flags)
+__harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
 {
 	struct harray *harray;
 	size_t max_elements, size, i, j;
@@ -88,7 +88,7 @@ __harray_malloc(size_t hashsize, size_t typesize, int flags)
 }
 
 static inline void *
-harray_malloc(size_t hashsize, size_t typesize, int flags)
+harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
 {
 	void *harray;
 	

extensions/ipset/ip_set_nethash.c

@@ -80,7 +80,7 @@ nethash_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 }
 
 static int
-nethash_utest(struct ip_set *set, const void *data, size_t size,
+nethash_utest(struct ip_set *set, const void *data, u_int32_t size,
 	      ip_set_ip_t *hash_ip)
 {
 	const struct ip_set_req_nethash *req = data;

extensions/ipset/ip_set_portmap.h

@@ -10,7 +10,7 @@ struct ip_set_portmap {
 	void *members;			/* the portmap proper */
 	ip_set_ip_t first_ip;		/* host byte order, included in range */
 	ip_set_ip_t last_ip;		/* host byte order, included in range */
-	size_t size;			/* size of the ipmap proper */
+	u_int32_t size;			/* size of the ipmap proper */
 };
 
 struct ip_set_req_portmap_create {

extensions/ipset/ip_set_setlist.c

@@ -21,14 +21,14 @@
  * after  ==> ref, index
  */
 
-static inline bool
+static inline int
 next_index_eq(const struct ip_set_setlist *map, int i, ip_set_id_t index)
 {
 	return i < map->size && map->index[i] == index;
 }
 
 static int
-setlist_utest(struct ip_set *set, const void *data, size_t size,
+setlist_utest(struct ip_set *set, const void *data, u_int32_t size,
 	       ip_set_ip_t *hash_ip)
 {
 	const struct ip_set_setlist *map = set->data;
@@ -38,18 +38,16 @@ setlist_utest(struct ip_set *set, const void *data, size_t size,
 	struct ip_set *s;
 	
 	if (req->before && req->ref[0] == '\0')
-		return -EINVAL;
+		return 0;
 
 	index = __ip_set_get_byname(req->name, &s);
 	if (index == IP_SET_INVALID_ID)
-		return -EEXIST;
+		return 0;
 	if (req->ref[0] != '\0') {
 		ref = __ip_set_get_byname(req->ref, &s);
-		if (ref == IP_SET_INVALID_ID) {
-			res = -EEXIST;
+		if (ref == IP_SET_INVALID_ID)
 			goto finish;
 	}
-	}
 	for (i = 0; i < map->size
 		    && map->index[i] != IP_SET_INVALID_ID; i++) {
 		if (req->before && map->index[i] == index) {
@@ -109,7 +107,7 @@ insert_setlist(struct ip_set_setlist *map, int i, ip_set_id_t index)
 }
 
 static int
-setlist_uadd(struct ip_set *set, const void *data, size_t size,
+setlist_uadd(struct ip_set *set, const void *data, u_int32_t size,
 	     ip_set_ip_t *hash_ip)
 {
 	struct ip_set_setlist *map = set->data;
@@ -172,7 +170,7 @@ setlist_kadd(struct ip_set *set,
 	return res;
 }
 
-static inline bool
+static inline int
 unshift_setlist(struct ip_set_setlist *map, int i)
 {
 	int j;
@@ -184,7 +182,7 @@ unshift_setlist(struct ip_set_setlist *map, int i)
 }
 
 static int
-setlist_udel(struct ip_set *set, const void *data, size_t size,
+setlist_udel(struct ip_set *set, const void *data, u_int32_t size,
 	     ip_set_ip_t *hash_ip)
 {
 	struct ip_set_setlist *map = set->data;
@@ -251,7 +249,7 @@ setlist_kdel(struct ip_set *set,
 }
 
 static int
-setlist_create(struct ip_set *set, const void *data, size_t size)
+setlist_create(struct ip_set *set, const void *data, u_int32_t size)
 {
 	struct ip_set_setlist *map;
 	const struct ip_set_req_setlist_create *req = data;

extensions/ipset/ipset.8

@@ -50,6 +50,9 @@ IP set bindings pointing to sets and iptables matches and targets
 referring to sets creates references, which protects the given sets in 
 the kernel. A set cannot be removed (destroyed) while there is a single
 reference pointing to it.
+.P
+.B
+Please note, binding sets is a deprecated feature and will be removed in a later release. Switch to the multidata type of sets from using bindings.
 .SH OPTIONS
 The options that are recognized by
 .B ipset

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "2.5.0"
+#define IPSET_VERSION "3.2"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;
@@ -1580,7 +1580,7 @@ static int set_adtip(struct set *set, const char *adt,
 
 	/* Alloc memory for the data to send */
 	size = sizeof(struct ip_set_req_adt) + set->settype->adt_size ;
-	DP("alloc size %i", size);
+	DP("alloc size %d", size);
 	data = ipset_malloc(size);
 
 	/* Fill out the request */
@@ -1666,7 +1666,7 @@ static int set_bind(struct set *set, const char *adt,
 		size += IP_SET_MAXNAMELEN;
 	else if (!(op == IP_SET_OP_UNBIND_SET && set == NULL))
 		size += set->settype->adt_size;
-	DP("alloc size %i", size);
+	DP("alloc size %d", size);
 	data = ipset_malloc(size);
 
 	/* Fill out the request */

extensions/ipset/ipset.h

@@ -95,7 +95,7 @@ struct settype {
 	 */
 
 	/* Size of create data. Will be sent to kernel */
-	size_t create_size;
+	u_int32_t create_size;
 
 	/* Initialize the create. */
 	void (*create_init) (void *data);
@@ -115,7 +115,7 @@ struct settype {
 	 */
 
 	/* Size of data. Will be sent to kernel */
-	size_t adt_size;
+	u_int32_t adt_size;
 
 	/* Function which parses command options */
 	ip_set_ip_t (*adt_parser) (int cmd, const char *optarg, void *data);
@@ -125,7 +125,7 @@ struct settype {
 	 */
 
 	/* Size of header. */
-	size_t header_size;
+	u_int32_t header_size;
 
 	/* Initialize the type-header */
 	void (*initheader) (struct set *set, const void *data);
@@ -134,16 +134,16 @@ struct settype {
 	void (*printheader) (struct set *set, unsigned options);
 
 	/* Pretty print all IPs */
-	void (*printips) (struct set *set, void *data, size_t len, unsigned options);
+	void (*printips) (struct set *set, void *data, u_int32_t len, unsigned options);
 
 	/* Pretty print all IPs sorted */
-	void (*printips_sorted) (struct set *set, void *data, size_t len, unsigned options);
+	void (*printips_sorted) (struct set *set, void *data, u_int32_t len, unsigned options);
 
 	/* Print save arguments for creating the set */
 	void (*saveheader) (struct set *set, unsigned options);
 
 	/* Print save for all IPs */
-	void (*saveips) (struct set *set, void *data, size_t len, unsigned options);
+	void (*saveips) (struct set *set, void *data, u_int32_t len, unsigned options);
 
 	/* Conver a single IP (binding) to string */
 	char * (*bindip_tostring)(struct set *set, ip_set_ip_t ip, unsigned options);
@@ -189,10 +189,13 @@ extern struct set *set_find_byid(ip_set_id_t id);
 
 extern unsigned warn_once;
 
-#define BITSPERBYTE	(8*sizeof(char))
-#define ID2BYTE(id)	((id)/BITSPERBYTE)
-#define ID2MASK(id)	(1 << ((id)%BITSPERBYTE))
-#define test_bit(id, heap)	((((char *)(heap))[ID2BYTE(id)] & ID2MASK(id)) != 0)
+#define BITS_PER_LONG	(8*sizeof(unsigned long))
+#define BIT_WORD(nr)	((nr) / BITS_PER_LONG)
+
+static inline int test_bit(int nr, const unsigned long *addr)
+{
+	return 1UL & (addr[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG-1)));
+}
 
 #define UNUSED __attribute__ ((unused))
 #define CONSTRUCTOR(module) \

extensions/ipset/ipset_iphash.c

@@ -192,7 +192,7 @@ printheader(struct set *set, unsigned options UNUSED)
 }
 
 static void
-printips(struct set *set UNUSED, void *data, size_t len, unsigned options)
+printips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
@@ -221,7 +221,7 @@ saveheader(struct set *set, unsigned options UNUSED)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set UNUSED, void *data, size_t len, unsigned options)
+saveips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;

extensions/ipset/ipset_ipmap.c

@@ -225,12 +225,12 @@ initheader(struct set *set, const void *data)
 		mask = range_to_mask(header->from, header->to, &mask_bits);
 		netmask_bits = mask_to_bits(header->netmask);
 
-		DP("bits: %i %i", mask_bits, netmask_bits);
+		DP("bits: %d %d", mask_bits, netmask_bits);
 		map->hosts = 2 << (32 - netmask_bits - 1);
 		map->sizeid = 2 << (netmask_bits - mask_bits - 1);
 	}
 
-	DP("%i %i", map->hosts, map->sizeid );
+	DP("%d %d", map->hosts, map->sizeid );
 }
 
 static void
@@ -248,7 +248,7 @@ printheader(struct set *set, unsigned options)
 
 static void
 printips_sorted(struct set *set, void *data,
-		size_t len UNUSED, unsigned options)
+		u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_ipmap *mysetdata = set->settype->header;
 	ip_set_ip_t id;
@@ -279,7 +279,7 @@ saveheader(struct set *set, unsigned options)
 }
 
 static void
-saveips(struct set *set, void *data, size_t len UNUSED, unsigned options)
+saveips(struct set *set, void *data, u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_ipmap *mysetdata = set->settype->header;
 	ip_set_ip_t id;

extensions/ipset/ipset_ipporthash.c

@@ -248,7 +248,7 @@ printheader(struct set *set, unsigned options)
 }
 
 static void
-printips(struct set *set, void *data, size_t len, unsigned options)
+printips(struct set *set, void *data, u_int32_t len, unsigned options)
 {
 	struct ip_set_ipporthash *mysetdata = set->settype->header;
 	size_t offset = 0;
@@ -284,7 +284,7 @@ saveheader(struct set *set, unsigned options)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set, void *data, size_t len, unsigned options)
+saveips(struct set *set, void *data, u_int32_t len, unsigned options)
 {
 	struct ip_set_ipporthash *mysetdata = set->settype->header;
 	size_t offset = 0;

extensions/ipset/ipset_ipportiphash.c

@@ -253,7 +253,7 @@ printheader(struct set *set, unsigned options)
 }
 
 static void
-printips(struct set *set, void *data, size_t len, unsigned options)
+printips(struct set *set, void *data, u_int32_t len, unsigned options)
 {
 	struct ip_set_ipportiphash *mysetdata = set->settype->header;
 	size_t offset = 0;
@@ -292,7 +292,7 @@ saveheader(struct set *set, unsigned options)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set, void *data, size_t len, unsigned options)
+saveips(struct set *set, void *data, u_int32_t len, unsigned options)
 {
 	struct ip_set_ipportiphash *mysetdata = set->settype->header;
 	size_t offset = 0;

extensions/ipset/ipset_ipportnethash.c

@@ -318,7 +318,7 @@ unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
 }
 
 static void
-printips(struct set *set, void *data, size_t len, unsigned options)
+printips(struct set *set, void *data, u_int32_t len, unsigned options)
 {
 	struct ip_set_ipportnethash *mysetdata = set->settype->header;
 	size_t offset = 0;
@@ -357,7 +357,7 @@ saveheader(struct set *set, unsigned options)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set, void *data, size_t len, unsigned options)
+saveips(struct set *set, void *data, u_int32_t len, unsigned options)
 {
 	struct ip_set_ipportnethash *mysetdata = set->settype->header;
 	size_t offset = 0;

extensions/ipset/ipset_iptree.c

@@ -123,7 +123,7 @@ printheader(struct set *set, unsigned options UNUSED)
 }
 
 static void
-printips_sorted(struct set *set, void *data, size_t len, unsigned options)
+printips_sorted(struct set *set, void *data, u_int32_t len, unsigned options)
 {
 	struct ip_set_iptree *mysetdata = set->settype->header;
 	struct ip_set_req_iptree *req;
@@ -155,7 +155,7 @@ saveheader(struct set *set, unsigned options UNUSED)
 }
 
 static void
-saveips(struct set *set, void *data, size_t len, unsigned options)
+saveips(struct set *set, void *data, u_int32_t len, unsigned options)
 {
 	struct ip_set_iptree *mysetdata = set->settype->header;
 	struct ip_set_req_iptree *req;

extensions/ipset/ipset_iptreemap.c

@@ -115,7 +115,7 @@ printheader(struct set *set, unsigned int options UNUSED)
 
 static void
 printips_sorted(struct set *set UNUSED, void *data,
-		size_t len, unsigned int options)
+		u_int32_t len, unsigned int options)
 {
 	struct ip_set_req_iptreemap *req;
 	size_t offset = 0;
@@ -147,7 +147,7 @@ saveheader(struct set *set, unsigned int options UNUSED)
 
 static void
 saveips(struct set *set UNUSED, void *data,
-	size_t len, unsigned int options)
+	u_int32_t len, unsigned int options)
 {
 	struct ip_set_req_iptreemap *req;
 	size_t offset = 0;

extensions/ipset/ipset_macipmap.c

@@ -245,15 +245,14 @@ print_mac(unsigned char macaddress[ETH_ALEN])
 
 static void
 printips_sorted(struct set *set, void *data,
-		size_t len UNUSED, unsigned options)
+		u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_macipmap *mysetdata = set->settype->header;
 	struct ip_set_macip *table = data;
 	u_int32_t addr = mysetdata->first_ip;
 
 	while (addr <= mysetdata->last_ip) {
-		if (test_bit(IPSET_MACIP_ISSET,
-			     (void *)&table[addr - mysetdata->first_ip].flags)) {
+		if (table[addr - mysetdata->first_ip].match) {
 			printf("%s,", ip_tostring(addr, options));
 			print_mac(table[addr - mysetdata->first_ip].
 				  ethernet);
@@ -280,15 +279,14 @@ saveheader(struct set *set, unsigned options)
 
 static void
 saveips(struct set *set, void *data,
-	size_t len UNUSED, unsigned options)
+	u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_macipmap *mysetdata = set->settype->header;
 	struct ip_set_macip *table = data;
 	u_int32_t addr = mysetdata->first_ip;
 
 	while (addr <= mysetdata->last_ip) {
-		if (test_bit(IPSET_MACIP_ISSET,
-			     (void *)&table[addr - mysetdata->first_ip].flags)) {
+		if (table[addr - mysetdata->first_ip].match) {
 			printf("-A %s %s,",
 			       set->name, ip_tostring(addr, options));
 			print_mac(table[addr - mysetdata->first_ip].

extensions/ipset/ipset_nethash.c

@@ -224,7 +224,7 @@ unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
 }
 
 static void
-printips(struct set *set UNUSED, void *data, size_t len, unsigned options)
+printips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
@@ -249,7 +249,7 @@ saveheader(struct set *set, unsigned options UNUSED)
 
 /* Print save for an IP */
 static void
-saveips(struct set *set UNUSED, void *data, size_t len, unsigned options)
+saveips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;

extensions/ipset/ipset_portmap.c

@@ -149,7 +149,7 @@ printheader(struct set *set, unsigned options)
 
 static void
 printports_sorted(struct set *set, void *data,
-		  size_t len UNUSED, unsigned options)
+		  u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_portmap *mysetdata = set->settype->header;
 	u_int32_t addr = mysetdata->first_ip;
@@ -184,7 +184,7 @@ saveheader(struct set *set, unsigned options)
 
 static void
 saveports(struct set *set, void *data,
-	  size_t len UNUSED, unsigned options)
+	  u_int32_t len UNUSED, unsigned options)
 {
 	struct ip_set_portmap *mysetdata = set->settype->header;
 	u_int32_t addr = mysetdata->first_ip;

extensions/ipset/ipset_setlist.c

@@ -134,7 +134,7 @@ printheader(struct set *set, unsigned options UNUSED)
 
 static void
 printips_sorted(struct set *set, void *data,
-		size_t len UNUSED, unsigned options UNUSED)
+		u_int32_t len UNUSED, unsigned options UNUSED)
 {
 	struct ip_set_setlist *mysetdata = set->settype->header;
 	int i;
@@ -162,7 +162,7 @@ saveheader(struct set *set, unsigned options UNUSED)
 
 static void
 saveips(struct set *set, void *data,
-	size_t len UNUSED, unsigned options UNUSED)
+	u_int32_t len UNUSED, unsigned options UNUSED)
 {
 	struct ip_set_setlist *mysetdata = set->settype->header;
 	int i;

extensions/iptable_rawpost.c

@@ -70,7 +70,9 @@ static int __init rawpost4_table_init(void)
 {
 	int ret;
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
 	rwlock_init(&rawpost4_itable.lock);
+#endif
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
 	rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
 	                  &rawpost4_initial.repl);

extensions/libxt_ACCOUNT.c

@@ -0,0 +1,168 @@
+/* Shared library add-on to iptables to add ACCOUNT(ing) support.
+   Author: Intra2net AG <opensource@intra2net.com>
+*/
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <stddef.h>
+#include <xtables.h>
+#include "xt_ACCOUNT.h"
+
+static struct option account_tg_opts[] = {
+	{ .name = "addr",        .has_arg = 1, .flag = 0, .val = 'a' },
+	{ .name = "tname",       .has_arg = 1, .flag = 0, .val = 't' },
+	{ .name = 0 }
+};
+
+/* Function which prints out usage message. */
+static void account_tg_help(void)
+{
+	printf(
+"ACCOUNT target options:\n"
+" --%s ip/netmask\t\tBase network IP and netmask used for this table\n"
+" --%s name\t\t\tTable name for the userspace library\n",
+account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+/* Initialize the target. */
+static void
+account_tg_init(struct xt_entry_target *t)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)t->data;
+
+	accountinfo->table_nr = -1;
+}
+
+#define IPT_ACCOUNT_OPT_ADDR 0x01
+#define IPT_ACCOUNT_OPT_TABLE 0x02
+
+/* Function which parses command options; returns true if it
+   ate an option */
+
+static int account_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+		const void *entry, struct xt_entry_target **target)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)(*target)->data;
+	struct in_addr *addrs = NULL, mask;
+	unsigned int naddrs = 0;
+
+	switch (c) {
+	case 'a':
+		if (*flags & IPT_ACCOUNT_OPT_ADDR)
+			xtables_error(PARAMETER_PROBLEM, "Can't specify --%s twice",
+				account_tg_opts[0].name);
+
+		if (xtables_check_inverse(optarg, &invert, NULL, 0))
+			xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --%s",
+				account_tg_opts[0].name);
+
+		xtables_ipparse_any(optarg, &addrs, &mask, &naddrs);
+		if (naddrs > 1)
+			xtables_error(PARAMETER_PROBLEM, "multiple IP addresses not allowed");
+
+		accountinfo->net_ip = addrs[0].s_addr;
+		accountinfo->net_mask = mask.s_addr;
+
+		*flags |= IPT_ACCOUNT_OPT_ADDR;
+		break;
+
+	case 't':
+		if (*flags & IPT_ACCOUNT_OPT_TABLE)
+			xtables_error(PARAMETER_PROBLEM,
+				"Can't specify --%s twice",
+				account_tg_opts[1].name);
+
+		if (xtables_check_inverse(optarg, &invert, NULL, 0))
+			xtables_error(PARAMETER_PROBLEM,
+				"Unexpected `!' after --%s",
+				account_tg_opts[1].name);
+
+		if (strlen(optarg) > ACCOUNT_TABLE_NAME_LEN - 1)
+			xtables_error(PARAMETER_PROBLEM,
+				"Maximum table name length %u for --%s",
+				ACCOUNT_TABLE_NAME_LEN - 1,
+				account_tg_opts[1].name);
+
+		strcpy(accountinfo->table_name, optarg);
+		*flags |= IPT_ACCOUNT_OPT_TABLE;
+		break;
+
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void account_tg_check(unsigned int flags)
+{
+	if (!(flags & IPT_ACCOUNT_OPT_ADDR) || !(flags & IPT_ACCOUNT_OPT_TABLE))
+		xtables_error(PARAMETER_PROBLEM, "ACCOUNT: needs --%s and --%s",
+			account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+static void account_tg_print_it(const void *ip,
+		const struct xt_entry_target *target, char do_prefix)
+{
+	const struct ipt_acc_info *accountinfo
+		= (const struct ipt_acc_info *)target->data;
+	struct in_addr a;
+
+	if (!do_prefix)
+		printf("ACCOUNT ");
+
+	// Network information
+	if (do_prefix)
+		printf("--");
+	printf("%s ", account_tg_opts[0].name);
+
+	a.s_addr = accountinfo->net_ip;
+	printf("%s", xtables_ipaddr_to_numeric(&a));
+	a.s_addr = accountinfo->net_mask;
+	printf("%s", xtables_ipmask_to_numeric(&a));
+
+	printf(" ");
+	if (do_prefix)
+		printf("--");
+
+	printf("%s %s", account_tg_opts[1].name, accountinfo->table_name);
+}
+
+
+static void
+account_tg_print(const void *ip,
+	const struct xt_entry_target *target,
+	int numeric)
+{
+	account_tg_print_it(ip, target, 0);
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+account_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+	account_tg_print_it(ip, target, 1);
+}
+
+static struct xtables_target account_tg_reg = {
+	.name          = "ACCOUNT",
+	.family        = AF_INET,
+	.version       = XTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
+	.userspacesize = offsetof(struct ipt_acc_info, table_nr),
+	.help          = account_tg_help,
+	.init          = account_tg_init,
+	.parse         = account_tg_parse,
+	.final_check   = account_tg_check,
+	.print         = account_tg_print,
+	.save          = account_tg_save,
+	.extra_opts    = account_tg_opts,
+};
+
+static __attribute__((constructor)) void account_tg_ldr(void)
+{
+	xtables_register_target(&account_tg_reg);
+}

extensions/libxt_ACCOUNT.man

@@ -0,0 +1,72 @@
+The ACCOUNT target is a high performance accounting system for large
+local networks. It allows per-IP accounting in whole prefixes of IPv4
+addresses with size of up to /8 without the need to add individual
+accouting rule for each IP address.
+.PP
+The ACCOUNT is designed to be queried for data every second or at
+least every ten seconds. It is written as kernel module to handle high
+bandwidths without packet loss.
+.PP
+The largest possible subnet size is 24 bit, meaning for example 10.0.0.0/8
+network. ACCOUNT uses fixed internal data structures
+which speeds up the processing of each packet. Furthermore,
+accounting data for one complete 192.168.1.X/24 network takes 4 KB of
+memory. Memory for 16 or 24 bit networks is only allocated when
+needed.
+.PP
+To optimize the kernel<->userspace data transfer a bit more, the
+kernel module only transfers information about IPs, where the src/dst
+packet counter is not 0. This saves precious kernel time.
+.PP
+There is no /proc interface as it would be too slow for continuous access.
+The read-and-flush query operation is the fastest, as no internal data
+snapshot needs to be created&copied for all data. Use the "read"
+operation without flush only for debugging purposes!
+.PP
+Usage:
+.PP
+ACCOUNT takes two mandatory parameters:
+.TP
+\fB\-\-addr\fR \fInetwork\fP\fB/\fP\fInetmask\fR
+where \fInetwork\fP\fB/\fP\fInetmask\fP is the subnet to account for, in CIDR syntax
+.TP
+\fB\-\-tname\fP \fINAME\fP
+where \fINAME\fP is the name of the table where the accounting information
+should be stored
+.PP
+The subnet 0.0.0.0/0 is a special case: all data are then stored in the src_bytes
+and src_packets structure of slot "0". This is useful if you want
+to account the overall traffic to/from your internet provider.
+.PP
+The data can be queried using the userspace libxt_ACCOUNT_cl library,
+and by the reference implementation to show usage of this library,
+the \fBiptaccount\fP(8) tool, which features following options:
+.PP
+[\fB\-u\fP] show kernel handle usage
+.PP
+[\fB\-h\fP] free all kernel handles (experts only!)
+.PP
+[\fB\-a\fP] list all table names
+.PP
+[\fB\-l\fP \fIname\fP] show data in table \fIname\fP
+.PP
+[\fB\-f\fP] flush data after showing
+.PP
+[\fB\-c\fP] loop every second (abort with CTRL+C)
+.PP
+Here is an example of use:
+.PP
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales
+.PP
+This creates two tables called "all_outgoing" and "sales" which can be
+queried using the userspace library/iptaccount tool.
+.PP
+Note that this target is non-terminating \(em the packet destined to it
+will continue traversing the chain in which it has been used.
+.PP
+Also note that once a table has been defined for specific CIDR address/netmask
+block, it can be referenced multiple times using \-j ACCOUNT, provided
+that both the original table name and address/netmask block are specified.
+.PP
+For more information go to http://www.intra2net.com/en/developer/ipt_ACCOUNT/

extensions/libxt_IPMARK.c

@@ -97,6 +97,7 @@ static int ipmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 		if (!xtables_strtoui(optarg, NULL, &n, 0, 128))
 			xtables_param_act(XTF_BAD_VALUE, "IPMARK", "--shift", optarg);
 		info->shift = n;
+		*flags |= FL_SHIFT;
 		return true;
 	}
 
@@ -121,6 +122,8 @@ ipmark_tg_print(const void *entry, const struct xt_entry_target *target,
 	else
 		printf("IPMARK dst ip ");
 
+	if (info->shift != 0)
+		printf("shift %u ", (unsigned int)info->shift);
 	if (info->andmask != ~0U)
 		printf("and 0x%x ", (unsigned int)info->andmask);
 	if (info->ormask != 0)
@@ -137,33 +140,19 @@ ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
 	else
 		printf("--addr dst ");
 
+	if (info->shift != 0)
+		printf("--shift %u ", (unsigned int)info->shift);
 	if (info->andmask != ~0U)
 		printf("--and-mask 0x%x ", (unsigned int)info->andmask);
 	if (info->ormask != 0)
 		printf("--or-mask 0x%x ", (unsigned int)info->ormask);
 }
 
-static struct xtables_target ipmark_tg4_reg = {
+static struct xtables_target ipmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "IPMARK",
-	.family        = PF_INET,
-	.revision      = 0,
-	.size          = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
-	.help          = ipmark_tg_help,
-	.init          = ipmark_tg_init,
-	.parse         = ipmark_tg_parse,
-	.final_check   = ipmark_tg_check,
-	.print         = ipmark_tg_print,
-	.save          = ipmark_tg_save,
-	.extra_opts    = ipmark_tg_opts,
-};
-
-static struct xtables_target ipmark_tg6_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "IPMARK",
-	.family        = PF_INET6,
-	.revision      = 0,
+	.family        = PF_UNSPEC,
+	.revision      = 1,
 	.size          = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
 	.help          = ipmark_tg_help,
@@ -177,6 +166,5 @@ static struct xtables_target ipmark_tg6_reg = {
 
 static __attribute__((constructor)) void ipmark_tg_ldr(void)
 {
-	xtables_register_target(&ipmark_tg4_reg);
-	xtables_register_target(&ipmark_tg6_reg);
+	xtables_register_target(&ipmark_tg_reg);
 }

extensions/libxt_STEAL.c

@@ -19,7 +19,7 @@ static void steal_tg_check(unsigned int flags)
 static struct xtables_target steal_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "STEAL",
-	.family        = AF_INET,
+	.family        = AF_UNSPEC,
 	.size          = XT_ALIGN(0),
 	.userspacesize = XT_ALIGN(0),
 	.help          = steal_tg_help,

extensions/libxt_SYSRQ.c

@@ -21,21 +21,11 @@ static void sysrq_tg_check(unsigned int flags)
 {
 }
 
-static struct xtables_target sysrq_tg4_reg = {
+static struct xtables_target sysrq_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "SYSRQ",
-	.family        = PF_INET,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
-	.help          = sysrq_tg_help,
-	.parse         = sysrq_tg_parse,
-	.final_check   = sysrq_tg_check,
-};
-
-static struct xtables_target sysrq_tg6_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "SYSRQ",
-	.family        = PF_INET6,
+	.revision      = 1,
+	.family        = PF_UNSPEC,
 	.size          = XT_ALIGN(0),
 	.userspacesize = XT_ALIGN(0),
 	.help          = sysrq_tg_help,
@@ -45,6 +35,5 @@ static struct xtables_target sysrq_tg6_reg = {
 
 static __attribute__((constructor)) void sysrq_tg_ldr(void)
 {
-	xtables_register_target(&sysrq_tg4_reg);
-	xtables_register_target(&sysrq_tg6_reg);
+	xtables_register_target(&sysrq_tg_reg);
 }

extensions/libxt_condition.c

@@ -79,7 +79,7 @@ static void condition_save(const void *ip, const struct xt_entry_match *match)
 
 static struct xtables_match condition_mt_reg = {
 	.name 		= "condition",
-	.revision	= 0,
+	.revision	= 1,
 	.family		= PF_UNSPEC,
 	.version 	= XTABLES_VERSION,
 	.size 		= XT_ALIGN(sizeof(struct xt_condition_mtinfo)),

extensions/libxt_fuzzy.c

@@ -101,6 +101,7 @@ static void fuzzy_mt_save(const void *ip, const struct xt_entry_match *match)
 
 static struct xtables_match fuzzy_mt_reg = { 
 	.name          = "fuzzy",
+	.revision      = 1,
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
 	.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),

extensions/libxt_geoip.c

@@ -261,6 +261,7 @@ geoip_save(const void *ip, const struct xt_entry_match *match)
 static struct xtables_match geoip_match = {
 	 .family        = AF_INET,
 	 .name          = "geoip",
+	 .revision      = 1,
 	 .version       = XTABLES_VERSION,
 	 .size          = XT_ALIGN(sizeof(struct xt_geoip_match_info)),
 	 .userspacesize = offsetof(struct xt_geoip_match_info, mem),

extensions/libxt_iface.c

@@ -200,22 +200,7 @@ static struct xtables_match iface_mt_reg = {
 	.version	= XTABLES_VERSION,
 	.name		= "iface",
 	.revision	= 0,
-	.family		= AF_INET,
-	.size		= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
-	.userspacesize	= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
-	.help		= iface_mt_help,
-	.parse		= iface_mt_parse,
-	.final_check	= iface_mt_check,
-	.print		= iface_mt_print,
-	.save		= iface_mt_save,
-	.extra_opts	= iface_mt_opts,
-};
-
-static struct xtables_match iface_mt6_reg = {
-	.version	= XTABLES_VERSION,
-	.name		= "iface",
-	.revision	= 0,
-	.family		= AF_INET6,
+	.family		= AF_UNSPEC,
 	.size		= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.help		= iface_mt_help,
@@ -229,5 +214,4 @@ static struct xtables_match iface_mt6_reg = {
 static void _init(void)
 {
 	xtables_register_match(&iface_mt_reg);
-	xtables_register_match(&iface_mt6_reg);
 }

extensions/libxt_ipp2p.c

@@ -228,7 +228,7 @@ static void ipp2p_mt_save(const void *entry, const struct xt_entry_match *match)
 static struct xtables_match ipp2p_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipp2p",
-	.revision      = 0,
+	.revision      = 1,
 	.family        = AF_INET,
 	.size          = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct ipt_p2p_info)),

extensions/libxt_psd.c

@@ -0,0 +1,158 @@
+/*
+  Shared library add-on to iptables to add PSD support
+
+  Copyright (C) 2000,2001 astaro AG
+
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+     ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  2000-05-04 Markus Hennig <hennig@astaro.de> : initial
+  2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
+  2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
+  2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
+  2003-03-02 Harald Welte <laforge@netfilter.org>: fix 'storage' bug
+  2008-04-03 Mohd Nawawi <nawawi@tracenetworkcorporation.com>: update to 2.6.24 / 1.4 code
+  2008-06-24 Mohd Nawawi <nawawi@tracenetworkcorporation.com>: update to 2.6.24 / 1.4.1 code
+  2009-08-07 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to xtables-addons
+*/
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include "xt_psd.h"
+
+/* Function which prints out usage message. */
+static void psd_mt_help(void) {
+	printf(
+		"psd match options:\n"
+		" --psd-weight-threshold threshhold  Portscan detection weight threshold\n"
+		" --psd-delay-threshold  delay       Portscan detection delay threshold\n"
+		" --psd-lo-ports-weight  lo          Privileged ports weight\n"
+		" --psd-hi-ports-weight  hi          High ports weight\n\n");
+}
+
+static const struct option psd_mt_opts[] = {
+	{.name = "psd-weight-threshold", .has_arg = true, .val = '1'},
+	{.name = "psd-delay-threshold", .has_arg = true, .val = '2'},
+	{.name = "psd-lo-ports-weight", .has_arg = true, .val = '3'},
+	{.name = "psd-hi-ports-weight", .has_arg = true, .val = '4'},
+	{NULL}
+};
+
+/* Initialize the target. */
+static void psd_mt_init(struct xt_entry_match *match) {
+	struct xt_psd_info *psdinfo = (struct xt_psd_info *)match->data;
+	psdinfo->weight_threshold = SCAN_WEIGHT_THRESHOLD;
+	psdinfo->delay_threshold = SCAN_DELAY_THRESHOLD;
+	psdinfo->lo_ports_weight = PORT_WEIGHT_PRIV;
+	psdinfo->hi_ports_weight = PORT_WEIGHT_HIGH;
+}
+
+#define XT_PSD_OPT_CTRESH 0x01
+#define XT_PSD_OPT_DTRESH 0x02
+#define XT_PSD_OPT_LPWEIGHT 0x04
+#define XT_PSD_OPT_HPWEIGHT 0x08
+
+static int psd_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                     const void *entry, struct xt_entry_match **match)
+{
+	struct xt_psd_info *psdinfo = (struct xt_psd_info *)(*match)->data;
+	unsigned int num;
+
+	switch (c) {
+		/* PSD-weight-threshold */
+		case '1':
+			if (*flags & XT_PSD_OPT_CTRESH)
+				xtables_error(PARAMETER_PROBLEM,"Can't specify --psd-weight-threshold twice");
+			if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
+				xtables_error(PARAMETER_PROBLEM, "bad --psd-weight-threshold '%s'", optarg);
+			psdinfo->weight_threshold = num;
+			*flags |= XT_PSD_OPT_CTRESH;
+			return true;
+
+		/* PSD-delay-threshold */
+		case '2':
+			if (*flags & XT_PSD_OPT_DTRESH)
+				xtables_error(PARAMETER_PROBLEM, "Can't specify --psd-delay-threshold twice");
+			if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
+				xtables_error(PARAMETER_PROBLEM, "bad --psd-delay-threshold '%s'", optarg);
+			psdinfo->delay_threshold = num;
+			*flags |= XT_PSD_OPT_DTRESH;
+			return true;
+
+		/* PSD-lo-ports-weight */
+		case '3':
+			if (*flags & XT_PSD_OPT_LPWEIGHT)
+				xtables_error(PARAMETER_PROBLEM, "Can't specify --psd-lo-ports-weight twice");
+			if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
+				xtables_error(PARAMETER_PROBLEM, "bad --psd-lo-ports-weight '%s'", optarg);
+			psdinfo->lo_ports_weight = num;
+			*flags |= XT_PSD_OPT_LPWEIGHT;
+			return true;
+
+		/* PSD-hi-ports-weight */
+		case '4':
+			if (*flags & XT_PSD_OPT_HPWEIGHT)
+				xtables_error(PARAMETER_PROBLEM, "Can't specify --psd-hi-ports-weight twice");
+			if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
+				xtables_error(PARAMETER_PROBLEM, "bad --psd-hi-ports-weight '%s'", optarg);
+			psdinfo->hi_ports_weight = num;
+			*flags |= XT_PSD_OPT_HPWEIGHT;
+			return true;
+	}
+	return false;
+}
+
+/* Final check; nothing. */
+static void psd_mt_final_check(unsigned int flags) {}
+
+/* Prints out the targinfo. */
+static void psd_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_psd_info *psdinfo = (const struct xt_psd_info *)match->data;
+	printf("psd ");
+	printf("weight-threshold: %u ", psdinfo->weight_threshold);
+	printf("delay-threshold: %u ", psdinfo->delay_threshold);
+	printf("lo-ports-weight: %u ", psdinfo->lo_ports_weight);
+	printf("hi-ports-weight: %u ", psdinfo->hi_ports_weight);
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void psd_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_psd_info *psdinfo = (const struct xt_psd_info *)match->data;
+	printf("--psd-weight-threshold %u ", psdinfo->weight_threshold);
+	printf("--psd-delay-threshold %u ", psdinfo->delay_threshold);
+	printf("--psd-lo-ports-weight %u ", psdinfo->lo_ports_weight);
+	printf("--psd-hi-ports-weight %u ", psdinfo->hi_ports_weight);
+}
+
+static struct xtables_match psd_mt_reg = {
+	.name			= "psd",
+	.version		= XTABLES_VERSION,
+	.revision   	= 1,
+	.family			= PF_INET,
+	.size			= XT_ALIGN(sizeof(struct xt_psd_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_psd_info)),
+	.help			= psd_mt_help,
+	.init			= psd_mt_init,
+	.parse			= psd_mt_parse,
+	.final_check	= psd_mt_final_check,
+	.print			= psd_mt_print,
+	.save			= psd_mt_save,
+	.extra_opts		= psd_mt_opts,
+};
+
+static __attribute__((constructor)) void psd_mt_ldr(void)
+{
+	xtables_register_match(&psd_mt_reg);
+}
+

extensions/libxt_psd.man

@@ -0,0 +1,18 @@
+Attempt to detect TCP and UDP port scans. This match was derived from
+Solar Designer's scanlogd.
+.TP
+.BI "--psd-weight-threshold " "threshold"
+Total weight of the latest TCP/UDP packets with different
+destination ports coming from the same host to be treated as port
+scan sequence.
+.TP
+.BI "--psd-delay-threshold " "delay"
+Delay (in hundredths of second) for the packets with different
+destination ports coming from the same host to be treated as
+possible port scan subsequence.
+.TP
+.BI "--psd-lo-ports-weight " "weight"
+Weight of the packet with privileged (<=1024) destination port.
+.TP
+.BI "--psd-hi-ports-weight " "weight"
+Weight of the packet with non-priviliged destination port.

extensions/libxt_quota2.c

@@ -121,7 +121,7 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
 
 static struct xtables_match quota_mt2_reg = {
 	.family        = AF_UNSPEC,
-	.revision      = 2,
+	.revision      = 3,
 	.name          = "quota2",
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof (struct xt_quota_mtinfo2)),

extensions/xt_ACCOUNT.h

@@ -0,0 +1,118 @@
+/***************************************************************************
+ *   Copyright (C) 2004-2006 by Intra2net AG                               *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License                  *
+ *   version 2 as published by the Free Software Foundation;               *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifndef _IPT_ACCOUNT_H
+#define _IPT_ACCOUNT_H
+
+/*
+ * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
+ * library (libxt_ACCOUNT_cl). Hopefully we are unique at least within our
+ * kernel & xtables-addons space.
+ */
+#define SO_ACCOUNT_BASE_CTL 90
+
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (SO_ACCOUNT_BASE_CTL + 1)
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (SO_ACCOUNT_BASE_CTL + 2)
+#define IPT_SO_SET_ACCOUNT_MAX		 IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
+
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ (SO_ACCOUNT_BASE_CTL + 4)
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (SO_ACCOUNT_BASE_CTL + 5)
+#define IPT_SO_GET_ACCOUNT_GET_DATA (SO_ACCOUNT_BASE_CTL + 6)
+#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (SO_ACCOUNT_BASE_CTL + 7)
+#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (SO_ACCOUNT_BASE_CTL + 8)
+#define IPT_SO_GET_ACCOUNT_MAX	  IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
+
+#define ACCOUNT_MAX_TABLES 128
+#define ACCOUNT_TABLE_NAME_LEN 32
+#define ACCOUNT_MAX_HANDLES 10
+
+/* Structure for the userspace part of ipt_ACCOUNT */
+struct ipt_acc_info {
+	uint32_t net_ip;
+	uint32_t net_mask;
+	char table_name[ACCOUNT_TABLE_NAME_LEN];
+	int32_t table_nr;
+};
+
+/* Internal table structure, generated by check_entry() */
+struct ipt_acc_table {
+	char name[ACCOUNT_TABLE_NAME_LEN];	 /* name of the table */
+	uint32_t ip;						  /* base IP of network */
+	uint32_t netmask;					 /* netmask of the network */
+	unsigned char depth;				   /* size of network:
+												 0: 8 bit, 1: 16bit, 2: 24 bit */
+	uint32_t refcount;					/* refcount of this table.
+												 if zero, destroy it */
+	uint32_t itemcount;				   /* number of IPs in this table */
+	void *data;							/* pointer to the actual data,
+												 depending on netmask */
+};
+
+/* Internal handle structure */
+struct ipt_acc_handle {
+	uint32_t ip;						  /* base IP of network. Used for
+												 caculating the final IP during
+												 get_data() */
+	unsigned char depth;				   /* size of network. See above for
+												 details */
+	uint32_t itemcount;				   /* number of IPs in this table */
+	void *data;							/* pointer to the actual data,
+												 depending on size */
+};
+
+/* Handle structure for communication with the userspace library */
+struct ipt_acc_handle_sockopt {
+	uint32_t handle_nr;				   /* Used for HANDLE_FREE */
+	char name[ACCOUNT_TABLE_NAME_LEN];	 /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+	uint32_t itemcount;				   /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+};
+
+/* Used for every IP entry
+   Size is 16 bytes so that 256 (class C network) * 16
+   fits in one kernel (zero) page */
+struct ipt_acc_ip {
+	uint32_t src_packets;
+	uint32_t src_bytes;
+	uint32_t dst_packets;
+	uint32_t dst_bytes;
+};
+
+/*
+	Used for every IP when returning data
+*/
+struct ipt_acc_handle_ip {
+	uint32_t ip;
+	uint32_t src_packets;
+	uint32_t src_bytes;
+	uint32_t dst_packets;
+	uint32_t dst_bytes;
+};
+
+/*
+	The IPs are organized as an array so that direct slot
+	calculations are possible.
+	Only 8 bit networks are preallocated, 16/24 bit networks
+	allocate their slots when needed -> very efficent.
+*/
+struct ipt_acc_mask_24 {
+	struct ipt_acc_ip ip[256];
+};
+
+struct ipt_acc_mask_16 {
+	struct ipt_acc_mask_24 *mask_24[256];
+};
+
+struct ipt_acc_mask_8 {
+	struct ipt_acc_mask_16 *mask_16[256];
+};
+
+#endif /* _IPT_ACCOUNT_H */

extensions/xt_DELUDE.c

@@ -119,19 +119,18 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
 		addr_type = RTN_LOCAL;
 
 	/* ip_route_me_harder expects skb->dst to be set */
-	dst_hold(oldskb->dst);
-	nskb->dst = oldskb->dst;
+	skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
 
 	if (ip_route_me_harder(&nskb, addr_type))
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
 
-	niph->ttl       = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+	niph->ttl       = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" */
-	if (nskb->len > dst_mtu(nskb->dst))
+	if (nskb->len > dst_mtu(skb_dst(nskb)))
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);

extensions/xt_IPMARK.c

@@ -82,7 +82,7 @@ ipmark_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 static struct xt_target ipmark_tg_reg[] __read_mostly = {
 	{
 		.name       = "IPMARK",
-		.revision   = 0,
+		.revision   = 1,
 		.family     = NFPROTO_IPV4,
 		.table      = "mangle",
 		.target     = ipmark_tg4,
@@ -91,7 +91,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
 	},
 	{
 		.name       = "IPMARK",
-		.revision   = 0,
+		.revision   = 1,
 		.family     = NFPROTO_IPV6,
 		.table      = "mangle",
 		.target     = ipmark_tg6,

extensions/xt_SYSRQ.c

@@ -272,7 +272,7 @@ static bool sysrq_tg_check(const struct xt_tgchk_param *par)
 static struct xt_target sysrq_tg_reg[] __read_mostly = {
 	{
 		.name       = "SYSRQ",
-		.revision   = 0,
+		.revision   = 1,
 		.family     = NFPROTO_IPV4,
 		.target     = sysrq_tg4,
 		.checkentry = sysrq_tg_check,
@@ -280,7 +280,7 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 	},
 	{
 		.name       = "SYSRQ",
-		.revision   = 0,
+		.revision   = 1,
 		.family     = NFPROTO_IPV6,
 		.target     = sysrq_tg6,
 		.checkentry = sysrq_tg_check,

extensions/xt_TARPIT.c

@@ -167,20 +167,20 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	/* Adjust IP TTL */
-	niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+	niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
 
 	/* Adjust IP checksum */
 	niph->check = 0;
 	niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
 
 	/* "Never happens" */
-	if (nskb->len > dst_mtu(nskb->dst))
+	if (nskb->len > dst_mtu(skb_dst(nskb)))
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
 
-	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
-		dst_output);
+	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
+		skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -192,7 +192,7 @@ tarpit_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);
-	const struct rtable *rt = (const void *)skb->dst;
+	const struct rtable *rt = skb_rtable(skb);
 
 	/* Do we have an input route cache entry? (Not in PREROUTING.) */
 	if (rt == NULL)

extensions/xt_TEE.c

@@ -79,9 +79,9 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 		return false;
 	}
 
-	dst_release(skb->dst);
-	skb->dst      = &rt->u.dst;
-	skb->dev      = skb->dst->dev;
+	dst_release(skb_dst(skb));
+	skb_dst_set(skb, &rt->u.dst);
+	skb->dev      = rt->u.dst.dev;
 	skb->protocol = htons(ETH_P_IP);
 	return true;
 }
@@ -104,7 +104,7 @@ static inline bool dev_hh_avail(const struct net_device *dev)
  */
 static void tee_tg_send(struct sk_buff *skb)
 {
-	const struct dst_entry *dst  = skb->dst;
+	const struct dst_entry *dst  = skb_dst(skb);
 	const struct net_device *dev = dst->dev;
 	unsigned int hh_len = LL_RESERVED_SPACE(dev);
 
@@ -175,7 +175,7 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	/*
 	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
 	 * the original skb, which should continue on its way as if nothing has
-	 * happened. The copy should be independantly delivered to the TEE --gw.
+	 * happened. The copy should be independently delivered to the TEE --gw.
 	 */
 	skb = skb_copy(skb, GFP_ATOMIC);
 	if (skb == NULL) {
@@ -251,9 +251,9 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 		return false;
 	}
 
-	dst_release(skb->dst);
-	skb->dst      = dst;
-	skb->dev      = skb->dst->dev;
+	dst_release(skb_dst(skb));
+	skb_dst_set(skb, dst);
+	skb->dev      = dst->dev;
 	skb->protocol = htons(ETH_P_IPV6);
 	return true;
 }

extensions/xt_condition.c

@@ -206,7 +206,7 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 static struct xt_match condition_mt_reg[] __read_mostly = {
 	{
 		.name       = "condition",
-		.revision   = 0,
+		.revision   = 1,
 		.family     = NFPROTO_IPV4,
 		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
 		.match      = condition_mt,
@@ -216,7 +216,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 	},
 	{
 		.name       = "condition",
-		.revision   = 0,
+		.revision   = 1,
 		.family     = NFPROTO_IPV6,
 		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
 		.match      = condition_mt,

extensions/xt_fuzzy.c

@@ -142,7 +142,7 @@ static bool fuzzy_mt_check(const struct xt_mtchk_param *par)
 static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 	{
 		.name       = "fuzzy",
-		.revision   = 0,
+		.revision   = 1,
 		.family     = NFPROTO_IPV4,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,
@@ -151,7 +151,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 	},
 	{
 		.name       = "fuzzy",
-		.revision   = 0,
+		.revision   = 1,
 		.family     = NFPROTO_IPV6,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,

extensions/xt_geoip.c

@@ -222,7 +222,7 @@ static void xt_geoip_mt_destroy(const struct xt_mtdtor_param *par)
 
 static struct xt_match xt_geoip_match __read_mostly = {
 	.name       = "geoip",
-	.revision   = 0,
+	.revision   = 1,
 	.family     = NFPROTO_IPV4,
 	.match      = xt_geoip_mt,
 	.checkentry = xt_geoip_mt_checkentry,

extensions/xt_ipp2p.c

@@ -890,7 +890,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 
 static struct xt_match ipp2p_mt_reg __read_mostly = {
 	.name       = "ipp2p",
-	.revision   = 0,
+	.revision   = 1,
 	.family     = NFPROTO_IPV4,
 	.match      = ipp2p_mt,
 	.matchsize  = sizeof(struct ipt_p2p_info),

extensions/xt_psd.Kconfig

@@ -0,0 +1,6 @@
+config NETFILTER_XT_MATCH_PSD
+	tristate  'psd match support'
+	depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
+	---help---
+	This option adds a `psd' match, which allows you to create rules in
+	any iptables table wich will detect TCP and UDP port scans.

extensions/xt_psd.c

@@ -0,0 +1,332 @@
+/*
+  This is a module which is used for PSD (portscan detection)
+  Derived from scanlogd v2.1 written by Solar Designer <solar@false.com>
+  and LOG target module.
+
+  Copyright (C) 2000,2001 astaro AG
+
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+     ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  2000-05-04 Markus Hennig <hennig@astaro.de> : initial
+  2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
+  2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
+  2001-01-02 Dennis Koslowski <koslowski@astaro.de> : output modified
+  2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
+  2004-05-05 Martijn Lievaart <m@rtij.nl> : ported to 2.6
+  2007-04-05 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to 2.6.18
+  2008-03-21 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to 2.6.24
+  2009-08-07 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to xtables-addons
+*/
+
+#define pr_fmt(x) KBUILD_MODNAME ": " x
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/tcp.h>
+#include <linux/spinlock.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
+#include "xt_psd.h"
+#include "compat_xtables.h"
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Dennis Koslowski <koslowski@astaro.com>");
+MODULE_AUTHOR("Martijn Lievaart <m@rtij.nl>");
+MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
+MODULE_AUTHOR(" Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com>");
+MODULE_DESCRIPTION("Xtables: PSD - portscan detection");
+MODULE_ALIAS("ipt_psd");
+
+#define HF_DADDR_CHANGING   0x01
+#define HF_SPORT_CHANGING   0x02
+#define HF_TOS_CHANGING	    0x04
+#define HF_TTL_CHANGING	    0x08
+
+/*
+ * Information we keep per each target port
+ */
+struct port {
+	u_int16_t number;      /* port number */
+	u_int8_t proto;        /* protocol number */
+	u_int8_t and_flags;    /* tcp ANDed flags */
+	u_int8_t or_flags;     /* tcp ORed flags */
+};
+
+/*
+ * Information we keep per each source address.
+ */
+struct host {
+	struct host *next;						/* Next entry with the same hash */
+	unsigned long timestamp;					/* Last update time */
+	struct in_addr src_addr;				/* Source address */
+	struct in_addr dest_addr;				/* Destination address */
+	unsigned short src_port;				/* Source port */
+	int count;								/* Number of ports in the list */
+	int weight;								/* Total weight of ports in the list */
+	struct port ports[SCAN_MAX_COUNT - 1];	/* List of ports */
+	unsigned char tos;						/* TOS */
+	unsigned char ttl;						/* TTL */
+	unsigned char flags;					/* HF_ flags bitmask */
+};
+
+/*
+ * State information.
+ */
+static struct {
+	spinlock_t lock;
+	struct host list[LIST_SIZE];	/* List of source addresses */
+	struct host *hash[HASH_SIZE];	/* Hash: pointers into the list */
+	int index;						/* Oldest entry to be replaced */
+} state;
+
+/*
+ * Convert an IP address into a hash table index.
+ */
+static inline int hashfunc(struct in_addr addr)
+{
+	unsigned int value;
+	int hash;
+
+	value = addr.s_addr;
+	hash = 0;
+	do {
+		hash ^= value;
+	} while ((value >>= HASH_LOG) != 0);
+
+	return hash & (HASH_SIZE - 1);
+}
+
+static bool
+xt_psd_match(const struct sk_buff *pskb, const struct xt_match_param *match)
+{
+	struct iphdr *iph;
+	struct tcphdr *tcph;
+	struct in_addr addr;
+	u_int16_t src_port,dest_port;
+  	u_int8_t tcp_flags, proto;
+	unsigned long now;
+	struct host *curr, *last, **head;
+	int hash, index, count;
+	/* Parameters from userspace */
+	const struct xt_psd_info *psdinfo = match->matchinfo;
+
+	/* IP header */
+	iph = ip_hdr(pskb);
+
+	/* Sanity check */
+	if (ntohs(iph->frag_off) & IP_OFFSET) {
+		pr_debug("sanity check failed\n");
+		return false;
+	}
+
+	/* TCP or UDP ? */
+	proto = iph->protocol;
+
+	if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) {
+		pr_debug("protocol not supported\n");
+		return false;
+	}
+
+	/* Get the source address, source & destination ports, and TCP flags */
+
+	addr.s_addr = iph->saddr;
+
+	tcph = (void *)iph + ip_hdrlen(pskb);
+
+	/* Yep, it's dirty */
+	src_port = tcph->source;
+	dest_port = tcph->dest;
+
+	if (proto == IPPROTO_TCP)
+		tcp_flags = *((u_int8_t*)tcph + 13);
+	else
+		tcp_flags = 0x00;
+
+	/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
+	 * them spoof us. [DHCP needs this feature - HW] */
+	if (addr.s_addr == 0) {
+		pr_debug("spoofed source address (0.0.0.0)\n");
+		return false;
+	}
+
+	/* Use jiffies here not to depend on someone setting the time while we're
+	 * running; we need to be careful with possible return value overflows. */
+	now = jiffies;
+
+	spin_lock(&state.lock);
+
+	/* Do we know this source address already? */
+	count = 0;
+	last = NULL;
+	if ((curr = *(head = &state.hash[hash = hashfunc(addr)])) != NULL)
+		do {
+			if (curr->src_addr.s_addr == addr.s_addr)
+				break;
+			count++;
+			if (curr->next != NULL)
+				last = curr;
+		} while ((curr = curr->next) != NULL);
+
+	if (curr != NULL) {
+
+		/* We know this address, and the entry isn't too old. Update it. */
+		if (now - curr->timestamp <= (psdinfo->delay_threshold*HZ)/100 &&
+		    time_after_eq(now, curr->timestamp)) {
+
+			/* Just update the appropriate list entry if we've seen this port already */
+			for (index = 0; index < curr->count; index++) {
+				if (curr->ports[index].number == dest_port) {
+					curr->ports[index].proto = proto;
+					curr->ports[index].and_flags &= tcp_flags;
+					curr->ports[index].or_flags |= tcp_flags;
+					goto out_no_match;
+				}
+			}
+
+			/* TCP/ACK and/or TCP/RST to a new port? This could be an outgoing connection. */
+			if (proto == IPPROTO_TCP && (tcph->ack || tcph->rst))
+				goto out_no_match;
+
+			/* Packet to a new port, and not TCP/ACK: update the timestamp */
+			curr->timestamp = now;
+
+			/* Logged this scan already? Then drop the packet. */
+			if (curr->weight >= psdinfo->weight_threshold)
+				goto out_match;
+
+			/* Specify if destination address, source port, TOS or TTL are not fixed */
+			if (curr->dest_addr.s_addr != iph->daddr)
+				curr->flags |= HF_DADDR_CHANGING;
+			if (curr->src_port != src_port)
+				curr->flags |= HF_SPORT_CHANGING;
+			if (curr->tos != iph->tos)
+				curr->flags |= HF_TOS_CHANGING;
+			if (curr->ttl != iph->ttl)
+				curr->flags |= HF_TTL_CHANGING;
+
+			/* Update the total weight */
+			curr->weight += (ntohs(dest_port) < 1024) ?
+				psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
+
+			/* Got enough destination ports to decide that this is a scan? */
+			/* Then log it and drop the packet. */
+			if (curr->weight >= psdinfo->weight_threshold)
+				goto out_match;
+
+			/* Remember the new port */
+			if (curr->count < SCAN_MAX_COUNT) {
+				curr->ports[curr->count].number = dest_port;
+				curr->ports[curr->count].proto = proto;
+				curr->ports[curr->count].and_flags = tcp_flags;
+				curr->ports[curr->count].or_flags = tcp_flags;
+				curr->count++;
+			}
+
+			goto out_no_match;
+		}
+
+		/* We know this address, but the entry is outdated. Mark it unused, and
+		 * remove from the hash table. We'll allocate a new entry instead since
+		 * this one might get re-used too soon. */
+		curr->src_addr.s_addr = 0;
+		if (last != NULL)
+			last->next = last->next->next;
+		else if (*head != NULL)
+			*head = (*head)->next;
+		last = NULL;
+	}
+
+	/* We don't need an ACK from a new source address */
+	if (proto == IPPROTO_TCP && tcph->ack)
+		goto out_no_match;
+
+	/* Got too many source addresses with the same hash value? Then remove the
+	 * oldest one from the hash table, so that they can't take too much of our
+	 * CPU time even with carefully chosen spoofed IP addresses. */
+	if (count >= HASH_MAX && last != NULL)
+		last->next = NULL;
+
+	/* We're going to re-use the oldest list entry, so remove it from the hash
+	 * table first (if it is really already in use, and isn't removed from the
+	 * hash table already because of the HASH_MAX check above). */
+
+	/* First, find it */
+	if (state.list[state.index].src_addr.s_addr != 0)
+		head = &state.hash[hashfunc(state.list[state.index].src_addr)];
+	else
+		head = &last;
+	last = NULL;
+	if ((curr = *head) != NULL)
+		do {
+			if (curr == &state.list[state.index])
+				break;
+			last = curr;
+		} while ((curr = curr->next) != NULL);
+
+	/* Then, remove it */
+	if (curr != NULL) {
+		if (last != NULL)
+			last->next = last->next->next;
+		else if (*head != NULL)
+			*head = (*head)->next;
+	}
+
+	/* Get our list entry */
+	curr = &state.list[state.index++];
+	if (state.index >= LIST_SIZE)
+		state.index = 0;
+
+	/* Link it into the hash table */
+	head = &state.hash[hash];
+	curr->next = *head;
+	*head = curr;
+
+	/* And fill in the fields */
+	curr->timestamp = now;
+	curr->src_addr = addr;
+	curr->dest_addr.s_addr = iph->daddr;
+	curr->src_port = src_port;
+	curr->count = 1;
+	curr->weight = (ntohs(dest_port) < 1024) ? psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
+	curr->ports[0].number = dest_port;
+	curr->ports[0].proto = proto;
+	curr->ports[0].and_flags = tcp_flags;
+	curr->ports[0].or_flags = tcp_flags;
+	curr->tos = iph->tos;
+	curr->ttl = iph->ttl;
+
+out_no_match:
+	spin_unlock(&state.lock);
+	return false;
+
+out_match:
+	spin_unlock(&state.lock);
+	return true;
+}
+
+static struct xt_match xt_psd_reg __read_mostly = {
+	.name		= "psd",
+    .family		= AF_INET,
+	.revision  = 1,
+	.match		= xt_psd_match,
+	.matchsize	= sizeof(struct xt_psd_info),
+	.me			= THIS_MODULE,
+};
+
+static int __init xt_psd_init(void)
+{
+	spin_lock_init(&(state.lock));
+	return xt_register_match(&xt_psd_reg);
+}
+
+static void __exit xt_psd_exit(void)
+{
+        xt_unregister_match(&xt_psd_reg);
+}
+
+module_init(xt_psd_init);
+module_exit(xt_psd_exit);
+

extensions/xt_psd.h

@@ -0,0 +1,41 @@
+#ifndef _LINUX_NETFILTER_XT_PSD_H
+#define _LINUX_NETFILTER_XT_PSD_H 1
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+/*
+ * High port numbers have a lower weight to reduce the frequency of false
+ * positives, such as from passive mode FTP transfers.
+ */
+#define PORT_WEIGHT_PRIV		3
+#define PORT_WEIGHT_HIGH		1
+#define	PSD_MAX_RATE			10000
+
+/*
+ * Port scan detection thresholds: at least COUNT ports need to be scanned
+ * from the same source, with no longer than DELAY ticks between ports.
+ */
+#define SCAN_MIN_COUNT			7
+#define SCAN_MAX_COUNT			(SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
+#define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
+#define SCAN_DELAY_THRESHOLD		(300) /* old usage of HZ here was erroneously and broke under uml */
+
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * HASH_MAX source addresses per the same hash value.
+ */
+#define LIST_SIZE			0x100
+#define HASH_LOG			9
+#define HASH_SIZE			(1 << HASH_LOG)
+#define HASH_MAX			0x10
+
+struct xt_psd_info {
+	__u32 weight_threshold;
+	__u32 delay_threshold;
+	__u16 lo_ports_weight;
+	__u16 hi_ports_weight;
+};
+
+#endif /*_LINUX_NETFILTER_XT_PSD_H*/

extensions/xt_quota2.c

@@ -21,12 +21,15 @@
 #include "xt_quota2.h"
 #include "compat_xtables.h"
 
-struct quota_counter {
+/**
+ * @lock:	lock to protect quota writers from each other
+ */
+struct xt_quota_counter {
 	u_int64_t quota;
 	spinlock_t lock;
 	struct list_head list;
 	atomic_t ref;
-	char name[XT_QUOTA_COUNTER_NAME_LENGTH];
+	char name[sizeof(((struct xt_quota_mtinfo2 *)NULL)->name)];
 	struct proc_dir_entry *procfs_entry;
 };
 
@@ -44,7 +47,7 @@ module_param_named(gid, quota_list_gid, uint, S_IRUGO | S_IWUSR);
 static int quota_proc_read(char *page, char **start, off_t offset,
                            int count, int *eof, void *data)
 {
-	struct quota_counter *e = data;
+	struct xt_quota_counter *e = data;
 	int ret;
 
 	spin_lock_bh(&e->lock);
@@ -56,7 +59,7 @@ static int quota_proc_read(char *page, char **start, off_t offset,
 static int quota_proc_write(struct file *file, const char __user *input,
                             unsigned long size, void *data)
 {
-	struct quota_counter *e = data;
+	struct xt_quota_counter *e = data;
 	char buf[sizeof("18446744073709551616")];
 
 	if (size > sizeof(buf))
@@ -66,45 +69,66 @@ static int quota_proc_write(struct file *file, const char __user *input,
 	buf[sizeof(buf)-1] = '\0';
 
 	spin_lock_bh(&e->lock);
-	e->quota = simple_strtoul(buf, NULL, 0);
+	e->quota = simple_strtoull(buf, NULL, 0);
 	spin_unlock_bh(&e->lock);
 	return size;
 }
 
+static struct xt_quota_counter *
+q2_new_counter(const struct xt_quota_mtinfo2 *q, bool anon)
+{
+	struct xt_quota_counter *e;
+	unsigned int size;
+
+	/* Do not need all the procfs things for anonymous counters. */
+	size = anon ? offsetof(typeof(*e), list) : sizeof(*e);
+	e = kmalloc(size, GFP_KERNEL);
+	if (e == NULL)
+		return NULL;
+
+	e->quota = q->quota;
+	spin_lock_init(&e->lock);
+	if (!anon) {
+		INIT_LIST_HEAD(&e->list);
+		atomic_set(&e->ref, 1);
+		strncpy(e->name, q->name, sizeof(e->name));
+	}
+	return e;
+}
+
 /**
  * q2_get_counter - get ref to counter or create new
  * @name:	name of counter
  */
-static struct quota_counter *q2_get_counter(const struct xt_quota_mtinfo2 *q)
+static struct xt_quota_counter *
+q2_get_counter(const struct xt_quota_mtinfo2 *q)
 {
 	struct proc_dir_entry *p;
-	struct quota_counter *e;
+	struct xt_quota_counter *e;
+
+	if (*q->name == '\0')
+		return q2_new_counter(q, true);
 
 	spin_lock_bh(&counter_list_lock);
-	list_for_each_entry(e, &counter_list, list) {
+	list_for_each_entry(e, &counter_list, list)
 		if (strcmp(e->name, q->name) == 0) {
 			atomic_inc(&e->ref);
 			spin_unlock_bh(&counter_list_lock);
 			return e;
 		}
-	}
 
-	e = kmalloc(sizeof(struct quota_counter), GFP_KERNEL);
+	e = q2_new_counter(q, false);
 	if (e == NULL)
 		goto out;
 
-	e->quota = q->quota;
-	spin_lock_init(&e->lock);
-	INIT_LIST_HEAD(&e->list);
-	atomic_set(&e->ref, 1);
-	strncpy(e->name, q->name, sizeof(e->name));
-
 	p = e->procfs_entry = create_proc_entry(e->name, quota_list_perms,
 	                      proc_xt_quota);
 	if (p == NULL || IS_ERR(p))
 		goto out;
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
 	p->owner        = THIS_MODULE;
+#endif
 	p->data         = e;
 	p->read_proc    = quota_proc_read;
 	p->write_proc   = quota_proc_write;
@@ -128,15 +152,16 @@ static bool quota_mt2_check(const struct xt_mtchk_param *par)
 		return false;
 
 	q->name[sizeof(q->name)-1] = '\0';
-	if (*q->name == '\0' || *q->name == '.' ||
-	    strchr(q->name, '/') != NULL) {
-		printk(KERN_ERR "xt_quota.2: illegal name\n");
+	if (*q->name == '.' || strchr(q->name, '/') != NULL) {
+		printk(KERN_ERR "xt_quota<%u>: illegal name\n",
+		       par->match->revision);
 		return false;
 	}
 
 	q->master = q2_get_counter(q);
 	if (q->master == NULL) {
-		printk(KERN_ERR "xt_quota.2: memory alloc failure\n");
+		printk(KERN_ERR "xt_quota<%u>: memory alloc failure\n",
+		       par->match->revision);
 		return false;
 	}
 
@@ -146,7 +171,12 @@ static bool quota_mt2_check(const struct xt_mtchk_param *par)
 static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
 {
 	struct xt_quota_mtinfo2 *q = par->matchinfo;
-	struct quota_counter *e = q->master;
+	struct xt_quota_counter *e = q->master;
+
+	if (*q->name == '\0') {
+		kfree(e);
+		return;
+	}
 
 	spin_lock_bh(&counter_list_lock);
 	if (!atomic_dec_and_test(&e->ref)) {
@@ -155,8 +185,8 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
 	}
 
 	list_del(&e->list);
-	spin_unlock_bh(&counter_list_lock);
 	remove_proc_entry(e->name, proc_xt_quota);
+	spin_unlock_bh(&counter_list_lock);
 	kfree(e);
 }
 
@@ -164,17 +194,15 @@ static bool
 quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 	struct xt_quota_mtinfo2 *q = (void *)par->matchinfo;
-	struct quota_counter *e = q->master;
+	struct xt_quota_counter *e = q->master;
 	bool ret = q->flags & XT_QUOTA_INVERT;
 
-	if (q->flags & XT_QUOTA_GROW) {
 	spin_lock_bh(&e->lock);
+	if (q->flags & XT_QUOTA_GROW) {
 		e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
 		q->quota = e->quota;
-		spin_unlock_bh(&e->lock);
 		ret = true;
 	} else {
-		spin_lock_bh(&e->lock);
 		if (e->quota >= skb->len) {
 			e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
 			ret = !ret;
@@ -183,16 +211,15 @@ quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
 			e->quota = 0;
 		}
 		q->quota = e->quota;
-		spin_unlock_bh(&e->lock);
 	}
-
+	spin_unlock_bh(&e->lock);
 	return ret;
 }
 
 static struct xt_match quota_mt2_reg[] __read_mostly = {
 	{
 		.name       = "quota2",
-		.revision   = 2,
+		.revision   = 3,
 		.family     = NFPROTO_IPV4,
 		.checkentry = quota_mt2_check,
 		.match      = quota_mt2,
@@ -202,7 +229,7 @@ static struct xt_match quota_mt2_reg[] __read_mostly = {
 	},
 	{
 		.name       = "quota2",
-		.revision   = 2,
+		.revision   = 3,
 		.family     = NFPROTO_IPV6,
 		.checkentry = quota_mt2_check,
 		.match      = quota_mt2,

extensions/xt_quota2.h

@@ -6,21 +6,19 @@ enum xt_quota_flags {
 	XT_QUOTA_GROW   = 1 << 1,
 	XT_QUOTA_PACKET = 1 << 2,
 	XT_QUOTA_MASK   = 0x7,
-
-	XT_QUOTA_COUNTER_NAME_LENGTH = 31,
 };
 
-struct quota_counter;
+struct xt_quota_counter;
 
 struct xt_quota_mtinfo2 {
-	char name[XT_QUOTA_COUNTER_NAME_LENGTH];
+	char name[15];
 	u_int8_t flags;
 
 	/* Comparison-invariant */
 	aligned_u64 quota;
 
 	/* Used internally by the kernel */
-	struct quota_counter *master __attribute__((aligned(8)));
+	struct xt_quota_counter *master __attribute__((aligned(8)));
 };
 
 #endif /* _XT_QUOTA_H */

mconfig

@@ -1,5 +1,6 @@
 # -*- Makefile -*-
 #
+build_ACCOUNT=m
 build_CHAOS=m
 build_DELUDE=m
 build_DHCPMAC=m
@@ -20,4 +21,5 @@ build_ipset=m
 build_ipv4options=m
 build_length2=m
 build_lscan=m
+build_psd=m
 build_quota2=m

xtables-addons.8.in

@@ -1,6 +1,6 @@
-.TH xtables\-addons 8 "v1.15 (2009\-04\-30)" "" "v1.15 (2009\-04\-30)"
+.TH xtables-addons 8 "v1.18 (2009-09-09)" "" "v1.18 (2009-09-09)"
 .SH Name
-Xtables\-addons - additional extensions for iptables, ip6tables, etc.
+Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets
 .\" @TARGET@
 .SH Matches