Xtables-addons 1.18

These are not needed, .bss is zeroed.

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.17])
+AC_INIT([xtables-addons], [1.18])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -79,13 +79,17 @@ krel="${krel#*.}";
 kminor="${krel%%.*}";
 krel="${krel#*.}";
 kmicro="${krel%%.*}";
-krel="${krel#*.}";
+krel2="${krel#*.}";
+if test "$krel" = "$krel2"; then
+	kstable=0;
+else
 	kstable="${krel%%.*}";
 	if test -z "$kstable"; then
 		kstable=0;
 	fi;
+fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 30; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 31; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \

doc/README.psd

@@ -0,0 +1,4 @@
+PSD (Portscan Detection) External extensions for Xtables-addons
+
+Example:
+iptables -A INPUT -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 1 --psd-hi-ports-weight 10 -j LOG --log-prefix "PSD: "

doc/changelog.txt

@@ -1,5 +1,17 @@
 
 
+Xtables-addons 1.18 (September 09 2009)
+=======================================
+- build: support for Linux 2.6.31
+- ipset: fast forward to v3.2
+- quota2: support anonymous counters
+- quota2: reduce memory footprint for anonymous counters
+- quota2: extend locked period during cleanup (locking bugfix)
+- quota2: use strtoull instead of strtoul
+- merged xt_ACCOUNT module
+- merged xt_psd module
+
+
 Xtables-addons 1.17 (June 16 2009)
 ==================================
 - IPMARK: print missing --shift parameter

extensions/GNUmakefile.in

@@ -77,7 +77,7 @@ install: modules_install subdirs-install ${targets_install}
 	install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/";
 
 clean: clean_modules
-	@for i in ${subdirs_list}; do make -C $$i clean; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i clean; done;
 	rm -f *.oo *.so;
 
 distclean: clean
@@ -92,13 +92,13 @@ distclean: clean
 .PHONY: modules modules_install clean_modules
 
 modules:
-	${AM_V_silent}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
 
 modules_install:
-	${AM_V_silent}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
 
 clean_modules:
-	${AM_V_silent}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
 
 
 #

extensions/Kbuild

@@ -5,6 +5,7 @@ include ${XA_TOPSRCDIR}/mconfig
 
 obj-m                    += compat_xtables.o
 
+obj-${build_ACCOUNT}     += xt_ACCOUNT.o
 obj-${build_CHAOS}       += xt_CHAOS.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
@@ -25,6 +26,7 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o
+obj-${build_psd}         += xt_psd.o
 obj-${build_quota2}      += xt_quota2.o
 
 -include ${M}/*.Kbuild

extensions/Mbuild

@@ -1,3 +1,4 @@
+obj-${build_ACCOUNT}     += libxt_ACCOUNT.so
 obj-${build_CHAOS}       += libxt_CHAOS.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
@@ -18,4 +19,5 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
+obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/compat_skbuff.h

@@ -4,6 +4,23 @@
 struct tcphdr;
 struct udphdr;
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 30)
+static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
+{
+	skb->dst = dst;
+}
+
+static inline struct dst_entry *skb_dst(const struct sk_buff *skb)
+{
+	return skb->dst;
+}
+
+static inline struct rtable *skb_rtable(const struct sk_buff *skb)
+{
+	return (void *)skb->dst;
+}
+#endif
+
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
 #	define skb_ifindex(skb) \
 		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)

extensions/ipset/ip_set.c

@@ -1911,13 +1911,23 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
 		    	res = -ENOENT;
 		    	goto done;
 		}
+
+#define SETLIST(set)	(strcmp(set->type->typename, "setlist") == 0)
+
 		used = 0;
 		if (index == IP_SET_INVALID_ID) {
-			/* Save all sets */
+			/* Save all sets: ugly setlist type dependency */
+			int setlist = 0;
+		setlists:
 			for (i = 0; i < ip_set_max && res == 0; i++) {
-				if (ip_set_list[i] != NULL)
+				if (ip_set_list[i] != NULL
+				    && !(setlist ^ SETLIST(ip_set_list[i])))
 					res = ip_set_save_set(i, data, &used, *len);
 			}
+			if (!setlist) {
+				setlist = 1;
+				goto setlists;
+			}
 		} else {
 			/* Save an individual set */
 			res = ip_set_save_set(index, data, &used, *len);

extensions/ipset/ip_set_iptree.c

@@ -10,6 +10,7 @@
 #include <linux/module.h>
 #include <linux/moduleparam.h>
 #include <linux/ip.h>
+#include <linux/jiffies.h>
 #include <linux/skbuff.h>
 #include <linux/slab.h>
 #include <linux/delay.h>

extensions/ipset/ip_set_iptreemap.c

@@ -14,6 +14,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/ip.h>
+#include <linux/jiffies.h>
 #include <linux/skbuff.h>
 #include <linux/slab.h>
 #include <linux/delay.h>
@@ -338,7 +339,7 @@ KADT(iptreemap, add, ipaddr, ip)
 
 static inline int
 __delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
-	       ip_set_ip_t ip, unsigned int __nocast flags)
+	       ip_set_ip_t ip, gfp_t flags)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -364,7 +365,7 @@ __delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
 
 static inline int
 iptreemap_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	      ip_set_ip_t start, ip_set_ip_t end, unsigned int __nocast flags)
+	      ip_set_ip_t start, ip_set_ip_t end, gfp_t flags)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;

extensions/ipset/ip_set_malloc.h

@@ -40,7 +40,7 @@ struct harray {
 };
 
 static inline void * 
-__harray_malloc(size_t hashsize, size_t typesize, int flags)
+__harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
 {
 	struct harray *harray;
 	size_t max_elements, size, i, j;
@@ -88,7 +88,7 @@ __harray_malloc(size_t hashsize, size_t typesize, int flags)
 }
 
 static inline void *
-harray_malloc(size_t hashsize, size_t typesize, int flags)
+harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
 {
 	void *harray;
 	

extensions/ipset/ip_set_setlist.c

@@ -21,7 +21,7 @@
  * after  ==> ref, index
  */
 
-static inline bool
+static inline int
 next_index_eq(const struct ip_set_setlist *map, int i, ip_set_id_t index)
 {
 	return i < map->size && map->index[i] == index;
@@ -38,18 +38,16 @@ setlist_utest(struct ip_set *set, const void *data, u_int32_t size,
 	struct ip_set *s;
 	
 	if (req->before && req->ref[0] == '\0')
-		return -EINVAL;
+		return 0;
 
 	index = __ip_set_get_byname(req->name, &s);
 	if (index == IP_SET_INVALID_ID)
-		return -EEXIST;
+		return 0;
 	if (req->ref[0] != '\0') {
 		ref = __ip_set_get_byname(req->ref, &s);
-		if (ref == IP_SET_INVALID_ID) {
+		if (ref == IP_SET_INVALID_ID)
-			res = -EEXIST;
 			goto finish;
 	}
-	}
 	for (i = 0; i < map->size
 		    && map->index[i] != IP_SET_INVALID_ID; i++) {
 		if (req->before && map->index[i] == index) {
@@ -172,7 +170,7 @@ setlist_kadd(struct ip_set *set,
 	return res;
 }
 
-static inline bool
+static inline int
 unshift_setlist(struct ip_set_setlist *map, int i)
 {
 	int j;

extensions/ipset/ipset.8

@@ -50,6 +50,9 @@ IP set bindings pointing to sets and iptables matches and targets
 referring to sets creates references, which protects the given sets in 
 the kernel. A set cannot be removed (destroyed) while there is a single
 reference pointing to it.
+.P
+.B
+Please note, binding sets is a deprecated feature and will be removed in a later release. Switch to the multidata type of sets from using bindings.
 .SH OPTIONS
 The options that are recognized by
 .B ipset

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "2.5.0"
+#define IPSET_VERSION "3.2"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/libxt_ACCOUNT.c

@@ -0,0 +1,168 @@
+/* Shared library add-on to iptables to add ACCOUNT(ing) support.
+   Author: Intra2net AG <opensource@intra2net.com>
+*/
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <stddef.h>
+#include <xtables.h>
+#include "xt_ACCOUNT.h"
+
+static struct option account_tg_opts[] = {
+	{ .name = "addr",        .has_arg = 1, .flag = 0, .val = 'a' },
+	{ .name = "tname",       .has_arg = 1, .flag = 0, .val = 't' },
+	{ .name = 0 }
+};
+
+/* Function which prints out usage message. */
+static void account_tg_help(void)
+{
+	printf(
+"ACCOUNT target options:\n"
+" --%s ip/netmask\t\tBase network IP and netmask used for this table\n"
+" --%s name\t\t\tTable name for the userspace library\n",
+account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+/* Initialize the target. */
+static void
+account_tg_init(struct xt_entry_target *t)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)t->data;
+
+	accountinfo->table_nr = -1;
+}
+
+#define IPT_ACCOUNT_OPT_ADDR 0x01
+#define IPT_ACCOUNT_OPT_TABLE 0x02
+
+/* Function which parses command options; returns true if it
+   ate an option */
+
+static int account_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+		const void *entry, struct xt_entry_target **target)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)(*target)->data;
+	struct in_addr *addrs = NULL, mask;
+	unsigned int naddrs = 0;
+
+	switch (c) {
+	case 'a':
+		if (*flags & IPT_ACCOUNT_OPT_ADDR)
+			xtables_error(PARAMETER_PROBLEM, "Can't specify --%s twice",
+				account_tg_opts[0].name);
+
+		if (xtables_check_inverse(optarg, &invert, NULL, 0))
+			xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --%s",
+				account_tg_opts[0].name);
+
+		xtables_ipparse_any(optarg, &addrs, &mask, &naddrs);
+		if (naddrs > 1)
+			xtables_error(PARAMETER_PROBLEM, "multiple IP addresses not allowed");
+
+		accountinfo->net_ip = addrs[0].s_addr;
+		accountinfo->net_mask = mask.s_addr;
+
+		*flags |= IPT_ACCOUNT_OPT_ADDR;
+		break;
+
+	case 't':
+		if (*flags & IPT_ACCOUNT_OPT_TABLE)
+			xtables_error(PARAMETER_PROBLEM,
+				"Can't specify --%s twice",
+				account_tg_opts[1].name);
+
+		if (xtables_check_inverse(optarg, &invert, NULL, 0))
+			xtables_error(PARAMETER_PROBLEM,
+				"Unexpected `!' after --%s",
+				account_tg_opts[1].name);
+
+		if (strlen(optarg) > ACCOUNT_TABLE_NAME_LEN - 1)
+			xtables_error(PARAMETER_PROBLEM,
+				"Maximum table name length %u for --%s",
+				ACCOUNT_TABLE_NAME_LEN - 1,
+				account_tg_opts[1].name);
+
+		strcpy(accountinfo->table_name, optarg);
+		*flags |= IPT_ACCOUNT_OPT_TABLE;
+		break;
+
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void account_tg_check(unsigned int flags)
+{
+	if (!(flags & IPT_ACCOUNT_OPT_ADDR) || !(flags & IPT_ACCOUNT_OPT_TABLE))
+		xtables_error(PARAMETER_PROBLEM, "ACCOUNT: needs --%s and --%s",
+			account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+static void account_tg_print_it(const void *ip,
+		const struct xt_entry_target *target, char do_prefix)
+{
+	const struct ipt_acc_info *accountinfo
+		= (const struct ipt_acc_info *)target->data;
+	struct in_addr a;
+
+	if (!do_prefix)
+		printf("ACCOUNT ");
+
+	// Network information
+	if (do_prefix)
+		printf("--");
+	printf("%s ", account_tg_opts[0].name);
+
+	a.s_addr = accountinfo->net_ip;
+	printf("%s", xtables_ipaddr_to_numeric(&a));
+	a.s_addr = accountinfo->net_mask;
+	printf("%s", xtables_ipmask_to_numeric(&a));
+
+	printf(" ");
+	if (do_prefix)
+		printf("--");
+
+	printf("%s %s", account_tg_opts[1].name, accountinfo->table_name);
+}
+
+
+static void
+account_tg_print(const void *ip,
+	const struct xt_entry_target *target,
+	int numeric)
+{
+	account_tg_print_it(ip, target, 0);
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+account_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+	account_tg_print_it(ip, target, 1);
+}
+
+static struct xtables_target account_tg_reg = {
+	.name          = "ACCOUNT",
+	.family        = AF_INET,
+	.version       = XTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
+	.userspacesize = offsetof(struct ipt_acc_info, table_nr),
+	.help          = account_tg_help,
+	.init          = account_tg_init,
+	.parse         = account_tg_parse,
+	.final_check   = account_tg_check,
+	.print         = account_tg_print,
+	.save          = account_tg_save,
+	.extra_opts    = account_tg_opts,
+};
+
+static __attribute__((constructor)) void account_tg_ldr(void)
+{
+	xtables_register_target(&account_tg_reg);
+}

extensions/libxt_ACCOUNT.man

@@ -0,0 +1,72 @@
+The ACCOUNT target is a high performance accounting system for large
+local networks. It allows per-IP accounting in whole prefixes of IPv4
+addresses with size of up to /8 without the need to add individual
+accouting rule for each IP address.
+.PP
+The ACCOUNT is designed to be queried for data every second or at
+least every ten seconds. It is written as kernel module to handle high
+bandwidths without packet loss.
+.PP
+The largest possible subnet size is 24 bit, meaning for example 10.0.0.0/8
+network. ACCOUNT uses fixed internal data structures
+which speeds up the processing of each packet. Furthermore,
+accounting data for one complete 192.168.1.X/24 network takes 4 KB of
+memory. Memory for 16 or 24 bit networks is only allocated when
+needed.
+.PP
+To optimize the kernel<->userspace data transfer a bit more, the
+kernel module only transfers information about IPs, where the src/dst
+packet counter is not 0. This saves precious kernel time.
+.PP
+There is no /proc interface as it would be too slow for continuous access.
+The read-and-flush query operation is the fastest, as no internal data
+snapshot needs to be created&copied for all data. Use the "read"
+operation without flush only for debugging purposes!
+.PP
+Usage:
+.PP
+ACCOUNT takes two mandatory parameters:
+.TP
+\fB\-\-addr\fR \fInetwork\fP\fB/\fP\fInetmask\fR
+where \fInetwork\fP\fB/\fP\fInetmask\fP is the subnet to account for, in CIDR syntax
+.TP
+\fB\-\-tname\fP \fINAME\fP
+where \fINAME\fP is the name of the table where the accounting information
+should be stored
+.PP
+The subnet 0.0.0.0/0 is a special case: all data are then stored in the src_bytes
+and src_packets structure of slot "0". This is useful if you want
+to account the overall traffic to/from your internet provider.
+.PP
+The data can be queried using the userspace libxt_ACCOUNT_cl library,
+and by the reference implementation to show usage of this library,
+the \fBiptaccount\fP(8) tool, which features following options:
+.PP
+[\fB\-u\fP] show kernel handle usage
+.PP
+[\fB\-h\fP] free all kernel handles (experts only!)
+.PP
+[\fB\-a\fP] list all table names
+.PP
+[\fB\-l\fP \fIname\fP] show data in table \fIname\fP
+.PP
+[\fB\-f\fP] flush data after showing
+.PP
+[\fB\-c\fP] loop every second (abort with CTRL+C)
+.PP
+Here is an example of use:
+.PP
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales
+.PP
+This creates two tables called "all_outgoing" and "sales" which can be
+queried using the userspace library/iptaccount tool.
+.PP
+Note that this target is non-terminating \(em the packet destined to it
+will continue traversing the chain in which it has been used.
+.PP
+Also note that once a table has been defined for specific CIDR address/netmask
+block, it can be referenced multiple times using \-j ACCOUNT, provided
+that both the original table name and address/netmask block are specified.
+.PP
+For more information go to http://www.intra2net.com/en/developer/ipt_ACCOUNT/

extensions/libxt_psd.c

@@ -0,0 +1,158 @@
+/*
+  Shared library add-on to iptables to add PSD support
+
+  Copyright (C) 2000,2001 astaro AG
+
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+     ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  2000-05-04 Markus Hennig <hennig@astaro.de> : initial
+  2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
+  2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
+  2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
+  2003-03-02 Harald Welte <laforge@netfilter.org>: fix 'storage' bug
+  2008-04-03 Mohd Nawawi <nawawi@tracenetworkcorporation.com>: update to 2.6.24 / 1.4 code
+  2008-06-24 Mohd Nawawi <nawawi@tracenetworkcorporation.com>: update to 2.6.24 / 1.4.1 code
+  2009-08-07 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to xtables-addons
+*/
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+#include "xt_psd.h"
+
+/* Function which prints out usage message. */
+static void psd_mt_help(void) {
+	printf(
+		"psd match options:\n"
+		" --psd-weight-threshold threshhold  Portscan detection weight threshold\n"
+		" --psd-delay-threshold  delay       Portscan detection delay threshold\n"
+		" --psd-lo-ports-weight  lo          Privileged ports weight\n"
+		" --psd-hi-ports-weight  hi          High ports weight\n\n");
+}
+
+static const struct option psd_mt_opts[] = {
+	{.name = "psd-weight-threshold", .has_arg = true, .val = '1'},
+	{.name = "psd-delay-threshold", .has_arg = true, .val = '2'},
+	{.name = "psd-lo-ports-weight", .has_arg = true, .val = '3'},
+	{.name = "psd-hi-ports-weight", .has_arg = true, .val = '4'},
+	{NULL}
+};
+
+/* Initialize the target. */
+static void psd_mt_init(struct xt_entry_match *match) {
+	struct xt_psd_info *psdinfo = (struct xt_psd_info *)match->data;
+	psdinfo->weight_threshold = SCAN_WEIGHT_THRESHOLD;
+	psdinfo->delay_threshold = SCAN_DELAY_THRESHOLD;
+	psdinfo->lo_ports_weight = PORT_WEIGHT_PRIV;
+	psdinfo->hi_ports_weight = PORT_WEIGHT_HIGH;
+}
+
+#define XT_PSD_OPT_CTRESH 0x01
+#define XT_PSD_OPT_DTRESH 0x02
+#define XT_PSD_OPT_LPWEIGHT 0x04
+#define XT_PSD_OPT_HPWEIGHT 0x08
+
+static int psd_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                     const void *entry, struct xt_entry_match **match)
+{
+	struct xt_psd_info *psdinfo = (struct xt_psd_info *)(*match)->data;
+	unsigned int num;
+
+	switch (c) {
+		/* PSD-weight-threshold */
+		case '1':
+			if (*flags & XT_PSD_OPT_CTRESH)
+				xtables_error(PARAMETER_PROBLEM,"Can't specify --psd-weight-threshold twice");
+			if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
+				xtables_error(PARAMETER_PROBLEM, "bad --psd-weight-threshold '%s'", optarg);
+			psdinfo->weight_threshold = num;
+			*flags |= XT_PSD_OPT_CTRESH;
+			return true;
+
+		/* PSD-delay-threshold */
+		case '2':
+			if (*flags & XT_PSD_OPT_DTRESH)
+				xtables_error(PARAMETER_PROBLEM, "Can't specify --psd-delay-threshold twice");
+			if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
+				xtables_error(PARAMETER_PROBLEM, "bad --psd-delay-threshold '%s'", optarg);
+			psdinfo->delay_threshold = num;
+			*flags |= XT_PSD_OPT_DTRESH;
+			return true;
+
+		/* PSD-lo-ports-weight */
+		case '3':
+			if (*flags & XT_PSD_OPT_LPWEIGHT)
+				xtables_error(PARAMETER_PROBLEM, "Can't specify --psd-lo-ports-weight twice");
+			if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
+				xtables_error(PARAMETER_PROBLEM, "bad --psd-lo-ports-weight '%s'", optarg);
+			psdinfo->lo_ports_weight = num;
+			*flags |= XT_PSD_OPT_LPWEIGHT;
+			return true;
+
+		/* PSD-hi-ports-weight */
+		case '4':
+			if (*flags & XT_PSD_OPT_HPWEIGHT)
+				xtables_error(PARAMETER_PROBLEM, "Can't specify --psd-hi-ports-weight twice");
+			if (!xtables_strtoui(optarg, NULL, &num, 0, PSD_MAX_RATE))
+				xtables_error(PARAMETER_PROBLEM, "bad --psd-hi-ports-weight '%s'", optarg);
+			psdinfo->hi_ports_weight = num;
+			*flags |= XT_PSD_OPT_HPWEIGHT;
+			return true;
+	}
+	return false;
+}
+
+/* Final check; nothing. */
+static void psd_mt_final_check(unsigned int flags) {}
+
+/* Prints out the targinfo. */
+static void psd_mt_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_psd_info *psdinfo = (const struct xt_psd_info *)match->data;
+	printf("psd ");
+	printf("weight-threshold: %u ", psdinfo->weight_threshold);
+	printf("delay-threshold: %u ", psdinfo->delay_threshold);
+	printf("lo-ports-weight: %u ", psdinfo->lo_ports_weight);
+	printf("hi-ports-weight: %u ", psdinfo->hi_ports_weight);
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void psd_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_psd_info *psdinfo = (const struct xt_psd_info *)match->data;
+	printf("--psd-weight-threshold %u ", psdinfo->weight_threshold);
+	printf("--psd-delay-threshold %u ", psdinfo->delay_threshold);
+	printf("--psd-lo-ports-weight %u ", psdinfo->lo_ports_weight);
+	printf("--psd-hi-ports-weight %u ", psdinfo->hi_ports_weight);
+}
+
+static struct xtables_match psd_mt_reg = {
+	.name			= "psd",
+	.version		= XTABLES_VERSION,
+	.revision   	= 1,
+	.family			= PF_INET,
+	.size			= XT_ALIGN(sizeof(struct xt_psd_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_psd_info)),
+	.help			= psd_mt_help,
+	.init			= psd_mt_init,
+	.parse			= psd_mt_parse,
+	.final_check	= psd_mt_final_check,
+	.print			= psd_mt_print,
+	.save			= psd_mt_save,
+	.extra_opts		= psd_mt_opts,
+};
+
+static __attribute__((constructor)) void psd_mt_ldr(void)
+{
+	xtables_register_match(&psd_mt_reg);
+}
+

extensions/libxt_psd.man

@@ -0,0 +1,18 @@
+Attempt to detect TCP and UDP port scans. This match was derived from
+Solar Designer's scanlogd.
+.TP
+.BI "--psd-weight-threshold " "threshold"
+Total weight of the latest TCP/UDP packets with different
+destination ports coming from the same host to be treated as port
+scan sequence.
+.TP
+.BI "--psd-delay-threshold " "delay"
+Delay (in hundredths of second) for the packets with different
+destination ports coming from the same host to be treated as
+possible port scan subsequence.
+.TP
+.BI "--psd-lo-ports-weight " "weight"
+Weight of the packet with privileged (<=1024) destination port.
+.TP
+.BI "--psd-hi-ports-weight " "weight"
+Weight of the packet with non-priviliged destination port.

extensions/libxt_quota2.c

@@ -121,7 +121,7 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
 
 static struct xtables_match quota_mt2_reg = {
 	.family        = AF_UNSPEC,
-	.revision      = 2,
+	.revision      = 3,
 	.name          = "quota2",
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof (struct xt_quota_mtinfo2)),

extensions/xt_ACCOUNT.h

@@ -0,0 +1,118 @@
+/***************************************************************************
+ *   Copyright (C) 2004-2006 by Intra2net AG                               *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License                  *
+ *   version 2 as published by the Free Software Foundation;               *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifndef _IPT_ACCOUNT_H
+#define _IPT_ACCOUNT_H
+
+/*
+ * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
+ * library (libxt_ACCOUNT_cl). Hopefully we are unique at least within our
+ * kernel & xtables-addons space.
+ */
+#define SO_ACCOUNT_BASE_CTL 90
+
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (SO_ACCOUNT_BASE_CTL + 1)
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (SO_ACCOUNT_BASE_CTL + 2)
+#define IPT_SO_SET_ACCOUNT_MAX		 IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
+
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ (SO_ACCOUNT_BASE_CTL + 4)
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (SO_ACCOUNT_BASE_CTL + 5)
+#define IPT_SO_GET_ACCOUNT_GET_DATA (SO_ACCOUNT_BASE_CTL + 6)
+#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (SO_ACCOUNT_BASE_CTL + 7)
+#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (SO_ACCOUNT_BASE_CTL + 8)
+#define IPT_SO_GET_ACCOUNT_MAX	  IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
+
+#define ACCOUNT_MAX_TABLES 128
+#define ACCOUNT_TABLE_NAME_LEN 32
+#define ACCOUNT_MAX_HANDLES 10
+
+/* Structure for the userspace part of ipt_ACCOUNT */
+struct ipt_acc_info {
+	uint32_t net_ip;
+	uint32_t net_mask;
+	char table_name[ACCOUNT_TABLE_NAME_LEN];
+	int32_t table_nr;
+};
+
+/* Internal table structure, generated by check_entry() */
+struct ipt_acc_table {
+	char name[ACCOUNT_TABLE_NAME_LEN];	 /* name of the table */
+	uint32_t ip;						  /* base IP of network */
+	uint32_t netmask;					 /* netmask of the network */
+	unsigned char depth;				   /* size of network:
+												 0: 8 bit, 1: 16bit, 2: 24 bit */
+	uint32_t refcount;					/* refcount of this table.
+												 if zero, destroy it */
+	uint32_t itemcount;				   /* number of IPs in this table */
+	void *data;							/* pointer to the actual data,
+												 depending on netmask */
+};
+
+/* Internal handle structure */
+struct ipt_acc_handle {
+	uint32_t ip;						  /* base IP of network. Used for
+												 caculating the final IP during
+												 get_data() */
+	unsigned char depth;				   /* size of network. See above for
+												 details */
+	uint32_t itemcount;				   /* number of IPs in this table */
+	void *data;							/* pointer to the actual data,
+												 depending on size */
+};
+
+/* Handle structure for communication with the userspace library */
+struct ipt_acc_handle_sockopt {
+	uint32_t handle_nr;				   /* Used for HANDLE_FREE */
+	char name[ACCOUNT_TABLE_NAME_LEN];	 /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+	uint32_t itemcount;				   /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+};
+
+/* Used for every IP entry
+   Size is 16 bytes so that 256 (class C network) * 16
+   fits in one kernel (zero) page */
+struct ipt_acc_ip {
+	uint32_t src_packets;
+	uint32_t src_bytes;
+	uint32_t dst_packets;
+	uint32_t dst_bytes;
+};
+
+/*
+	Used for every IP when returning data
+*/
+struct ipt_acc_handle_ip {
+	uint32_t ip;
+	uint32_t src_packets;
+	uint32_t src_bytes;
+	uint32_t dst_packets;
+	uint32_t dst_bytes;
+};
+
+/*
+	The IPs are organized as an array so that direct slot
+	calculations are possible.
+	Only 8 bit networks are preallocated, 16/24 bit networks
+	allocate their slots when needed -> very efficent.
+*/
+struct ipt_acc_mask_24 {
+	struct ipt_acc_ip ip[256];
+};
+
+struct ipt_acc_mask_16 {
+	struct ipt_acc_mask_24 *mask_24[256];
+};
+
+struct ipt_acc_mask_8 {
+	struct ipt_acc_mask_16 *mask_16[256];
+};
+
+#endif /* _IPT_ACCOUNT_H */

extensions/xt_DELUDE.c

@@ -119,19 +119,18 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
 		addr_type = RTN_LOCAL;
 
 	/* ip_route_me_harder expects skb->dst to be set */
-	dst_hold(oldskb->dst);
+	skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
-	nskb->dst = oldskb->dst;
 
 	if (ip_route_me_harder(&nskb, addr_type))
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
 
-	niph->ttl       = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+	niph->ttl       = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" */
-	if (nskb->len > dst_mtu(nskb->dst))
+	if (nskb->len > dst_mtu(skb_dst(nskb)))
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);

extensions/xt_TARPIT.c

@@ -167,20 +167,20 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	/* Adjust IP TTL */
-	niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+	niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
 
 	/* Adjust IP checksum */
 	niph->check = 0;
 	niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
 
 	/* "Never happens" */
-	if (nskb->len > dst_mtu(nskb->dst))
+	if (nskb->len > dst_mtu(skb_dst(nskb)))
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
 
-	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
+	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
-		dst_output);
+		skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -192,7 +192,7 @@ tarpit_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);
-	const struct rtable *rt = (const void *)skb->dst;
+	const struct rtable *rt = skb_rtable(skb);
 
 	/* Do we have an input route cache entry? (Not in PREROUTING.) */
 	if (rt == NULL)

extensions/xt_TEE.c

@@ -79,9 +79,9 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 		return false;
 	}
 
-	dst_release(skb->dst);
+	dst_release(skb_dst(skb));
-	skb->dst      = &rt->u.dst;
+	skb_dst_set(skb, &rt->u.dst);
-	skb->dev      = skb->dst->dev;
+	skb->dev      = rt->u.dst.dev;
 	skb->protocol = htons(ETH_P_IP);
 	return true;
 }
@@ -104,7 +104,7 @@ static inline bool dev_hh_avail(const struct net_device *dev)
  */
 static void tee_tg_send(struct sk_buff *skb)
 {
-	const struct dst_entry *dst  = skb->dst;
+	const struct dst_entry *dst  = skb_dst(skb);
 	const struct net_device *dev = dst->dev;
 	unsigned int hh_len = LL_RESERVED_SPACE(dev);
 
@@ -175,7 +175,7 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	/*
 	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
 	 * the original skb, which should continue on its way as if nothing has
-	 * happened. The copy should be independantly delivered to the TEE --gw.
+	 * happened. The copy should be independently delivered to the TEE --gw.
 	 */
 	skb = skb_copy(skb, GFP_ATOMIC);
 	if (skb == NULL) {
@@ -251,9 +251,9 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 		return false;
 	}
 
-	dst_release(skb->dst);
+	dst_release(skb_dst(skb));
-	skb->dst      = dst;
+	skb_dst_set(skb, dst);
-	skb->dev      = skb->dst->dev;
+	skb->dev      = dst->dev;
 	skb->protocol = htons(ETH_P_IPV6);
 	return true;
 }

extensions/xt_psd.Kconfig

@@ -0,0 +1,6 @@
+config NETFILTER_XT_MATCH_PSD
+	tristate  'psd match support'
+	depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
+	---help---
+	This option adds a `psd' match, which allows you to create rules in
+	any iptables table wich will detect TCP and UDP port scans.

extensions/xt_psd.c

@@ -0,0 +1,332 @@
+/*
+  This is a module which is used for PSD (portscan detection)
+  Derived from scanlogd v2.1 written by Solar Designer <solar@false.com>
+  and LOG target module.
+
+  Copyright (C) 2000,2001 astaro AG
+
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+     ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  2000-05-04 Markus Hennig <hennig@astaro.de> : initial
+  2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
+  2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
+  2001-01-02 Dennis Koslowski <koslowski@astaro.de> : output modified
+  2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
+  2004-05-05 Martijn Lievaart <m@rtij.nl> : ported to 2.6
+  2007-04-05 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to 2.6.18
+  2008-03-21 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to 2.6.24
+  2009-08-07 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to xtables-addons
+*/
+
+#define pr_fmt(x) KBUILD_MODNAME ": " x
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/tcp.h>
+#include <linux/spinlock.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
+#include "xt_psd.h"
+#include "compat_xtables.h"
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Dennis Koslowski <koslowski@astaro.com>");
+MODULE_AUTHOR("Martijn Lievaart <m@rtij.nl>");
+MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
+MODULE_AUTHOR(" Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com>");
+MODULE_DESCRIPTION("Xtables: PSD - portscan detection");
+MODULE_ALIAS("ipt_psd");
+
+#define HF_DADDR_CHANGING   0x01
+#define HF_SPORT_CHANGING   0x02
+#define HF_TOS_CHANGING	    0x04
+#define HF_TTL_CHANGING	    0x08
+
+/*
+ * Information we keep per each target port
+ */
+struct port {
+	u_int16_t number;      /* port number */
+	u_int8_t proto;        /* protocol number */
+	u_int8_t and_flags;    /* tcp ANDed flags */
+	u_int8_t or_flags;     /* tcp ORed flags */
+};
+
+/*
+ * Information we keep per each source address.
+ */
+struct host {
+	struct host *next;						/* Next entry with the same hash */
+	unsigned long timestamp;					/* Last update time */
+	struct in_addr src_addr;				/* Source address */
+	struct in_addr dest_addr;				/* Destination address */
+	unsigned short src_port;				/* Source port */
+	int count;								/* Number of ports in the list */
+	int weight;								/* Total weight of ports in the list */
+	struct port ports[SCAN_MAX_COUNT - 1];	/* List of ports */
+	unsigned char tos;						/* TOS */
+	unsigned char ttl;						/* TTL */
+	unsigned char flags;					/* HF_ flags bitmask */
+};
+
+/*
+ * State information.
+ */
+static struct {
+	spinlock_t lock;
+	struct host list[LIST_SIZE];	/* List of source addresses */
+	struct host *hash[HASH_SIZE];	/* Hash: pointers into the list */
+	int index;						/* Oldest entry to be replaced */
+} state;
+
+/*
+ * Convert an IP address into a hash table index.
+ */
+static inline int hashfunc(struct in_addr addr)
+{
+	unsigned int value;
+	int hash;
+
+	value = addr.s_addr;
+	hash = 0;
+	do {
+		hash ^= value;
+	} while ((value >>= HASH_LOG) != 0);
+
+	return hash & (HASH_SIZE - 1);
+}
+
+static bool
+xt_psd_match(const struct sk_buff *pskb, const struct xt_match_param *match)
+{
+	struct iphdr *iph;
+	struct tcphdr *tcph;
+	struct in_addr addr;
+	u_int16_t src_port,dest_port;
+  	u_int8_t tcp_flags, proto;
+	unsigned long now;
+	struct host *curr, *last, **head;
+	int hash, index, count;
+	/* Parameters from userspace */
+	const struct xt_psd_info *psdinfo = match->matchinfo;
+
+	/* IP header */
+	iph = ip_hdr(pskb);
+
+	/* Sanity check */
+	if (ntohs(iph->frag_off) & IP_OFFSET) {
+		pr_debug("sanity check failed\n");
+		return false;
+	}
+
+	/* TCP or UDP ? */
+	proto = iph->protocol;
+
+	if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) {
+		pr_debug("protocol not supported\n");
+		return false;
+	}
+
+	/* Get the source address, source & destination ports, and TCP flags */
+
+	addr.s_addr = iph->saddr;
+
+	tcph = (void *)iph + ip_hdrlen(pskb);
+
+	/* Yep, it's dirty */
+	src_port = tcph->source;
+	dest_port = tcph->dest;
+
+	if (proto == IPPROTO_TCP)
+		tcp_flags = *((u_int8_t*)tcph + 13);
+	else
+		tcp_flags = 0x00;
+
+	/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
+	 * them spoof us. [DHCP needs this feature - HW] */
+	if (addr.s_addr == 0) {
+		pr_debug("spoofed source address (0.0.0.0)\n");
+		return false;
+	}
+
+	/* Use jiffies here not to depend on someone setting the time while we're
+	 * running; we need to be careful with possible return value overflows. */
+	now = jiffies;
+
+	spin_lock(&state.lock);
+
+	/* Do we know this source address already? */
+	count = 0;
+	last = NULL;
+	if ((curr = *(head = &state.hash[hash = hashfunc(addr)])) != NULL)
+		do {
+			if (curr->src_addr.s_addr == addr.s_addr)
+				break;
+			count++;
+			if (curr->next != NULL)
+				last = curr;
+		} while ((curr = curr->next) != NULL);
+
+	if (curr != NULL) {
+
+		/* We know this address, and the entry isn't too old. Update it. */
+		if (now - curr->timestamp <= (psdinfo->delay_threshold*HZ)/100 &&
+		    time_after_eq(now, curr->timestamp)) {
+
+			/* Just update the appropriate list entry if we've seen this port already */
+			for (index = 0; index < curr->count; index++) {
+				if (curr->ports[index].number == dest_port) {
+					curr->ports[index].proto = proto;
+					curr->ports[index].and_flags &= tcp_flags;
+					curr->ports[index].or_flags |= tcp_flags;
+					goto out_no_match;
+				}
+			}
+
+			/* TCP/ACK and/or TCP/RST to a new port? This could be an outgoing connection. */
+			if (proto == IPPROTO_TCP && (tcph->ack || tcph->rst))
+				goto out_no_match;
+
+			/* Packet to a new port, and not TCP/ACK: update the timestamp */
+			curr->timestamp = now;
+
+			/* Logged this scan already? Then drop the packet. */
+			if (curr->weight >= psdinfo->weight_threshold)
+				goto out_match;
+
+			/* Specify if destination address, source port, TOS or TTL are not fixed */
+			if (curr->dest_addr.s_addr != iph->daddr)
+				curr->flags |= HF_DADDR_CHANGING;
+			if (curr->src_port != src_port)
+				curr->flags |= HF_SPORT_CHANGING;
+			if (curr->tos != iph->tos)
+				curr->flags |= HF_TOS_CHANGING;
+			if (curr->ttl != iph->ttl)
+				curr->flags |= HF_TTL_CHANGING;
+
+			/* Update the total weight */
+			curr->weight += (ntohs(dest_port) < 1024) ?
+				psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
+
+			/* Got enough destination ports to decide that this is a scan? */
+			/* Then log it and drop the packet. */
+			if (curr->weight >= psdinfo->weight_threshold)
+				goto out_match;
+
+			/* Remember the new port */
+			if (curr->count < SCAN_MAX_COUNT) {
+				curr->ports[curr->count].number = dest_port;
+				curr->ports[curr->count].proto = proto;
+				curr->ports[curr->count].and_flags = tcp_flags;
+				curr->ports[curr->count].or_flags = tcp_flags;
+				curr->count++;
+			}
+
+			goto out_no_match;
+		}
+
+		/* We know this address, but the entry is outdated. Mark it unused, and
+		 * remove from the hash table. We'll allocate a new entry instead since
+		 * this one might get re-used too soon. */
+		curr->src_addr.s_addr = 0;
+		if (last != NULL)
+			last->next = last->next->next;
+		else if (*head != NULL)
+			*head = (*head)->next;
+		last = NULL;
+	}
+
+	/* We don't need an ACK from a new source address */
+	if (proto == IPPROTO_TCP && tcph->ack)
+		goto out_no_match;
+
+	/* Got too many source addresses with the same hash value? Then remove the
+	 * oldest one from the hash table, so that they can't take too much of our
+	 * CPU time even with carefully chosen spoofed IP addresses. */
+	if (count >= HASH_MAX && last != NULL)
+		last->next = NULL;
+
+	/* We're going to re-use the oldest list entry, so remove it from the hash
+	 * table first (if it is really already in use, and isn't removed from the
+	 * hash table already because of the HASH_MAX check above). */
+
+	/* First, find it */
+	if (state.list[state.index].src_addr.s_addr != 0)
+		head = &state.hash[hashfunc(state.list[state.index].src_addr)];
+	else
+		head = &last;
+	last = NULL;
+	if ((curr = *head) != NULL)
+		do {
+			if (curr == &state.list[state.index])
+				break;
+			last = curr;
+		} while ((curr = curr->next) != NULL);
+
+	/* Then, remove it */
+	if (curr != NULL) {
+		if (last != NULL)
+			last->next = last->next->next;
+		else if (*head != NULL)
+			*head = (*head)->next;
+	}
+
+	/* Get our list entry */
+	curr = &state.list[state.index++];
+	if (state.index >= LIST_SIZE)
+		state.index = 0;
+
+	/* Link it into the hash table */
+	head = &state.hash[hash];
+	curr->next = *head;
+	*head = curr;
+
+	/* And fill in the fields */
+	curr->timestamp = now;
+	curr->src_addr = addr;
+	curr->dest_addr.s_addr = iph->daddr;
+	curr->src_port = src_port;
+	curr->count = 1;
+	curr->weight = (ntohs(dest_port) < 1024) ? psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
+	curr->ports[0].number = dest_port;
+	curr->ports[0].proto = proto;
+	curr->ports[0].and_flags = tcp_flags;
+	curr->ports[0].or_flags = tcp_flags;
+	curr->tos = iph->tos;
+	curr->ttl = iph->ttl;
+
+out_no_match:
+	spin_unlock(&state.lock);
+	return false;
+
+out_match:
+	spin_unlock(&state.lock);
+	return true;
+}
+
+static struct xt_match xt_psd_reg __read_mostly = {
+	.name		= "psd",
+    .family		= AF_INET,
+	.revision  = 1,
+	.match		= xt_psd_match,
+	.matchsize	= sizeof(struct xt_psd_info),
+	.me			= THIS_MODULE,
+};
+
+static int __init xt_psd_init(void)
+{
+	spin_lock_init(&(state.lock));
+	return xt_register_match(&xt_psd_reg);
+}
+
+static void __exit xt_psd_exit(void)
+{
+        xt_unregister_match(&xt_psd_reg);
+}
+
+module_init(xt_psd_init);
+module_exit(xt_psd_exit);
+

extensions/xt_psd.h

@@ -0,0 +1,41 @@
+#ifndef _LINUX_NETFILTER_XT_PSD_H
+#define _LINUX_NETFILTER_XT_PSD_H 1
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+/*
+ * High port numbers have a lower weight to reduce the frequency of false
+ * positives, such as from passive mode FTP transfers.
+ */
+#define PORT_WEIGHT_PRIV		3
+#define PORT_WEIGHT_HIGH		1
+#define	PSD_MAX_RATE			10000
+
+/*
+ * Port scan detection thresholds: at least COUNT ports need to be scanned
+ * from the same source, with no longer than DELAY ticks between ports.
+ */
+#define SCAN_MIN_COUNT			7
+#define SCAN_MAX_COUNT			(SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
+#define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
+#define SCAN_DELAY_THRESHOLD		(300) /* old usage of HZ here was erroneously and broke under uml */
+
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * HASH_MAX source addresses per the same hash value.
+ */
+#define LIST_SIZE			0x100
+#define HASH_LOG			9
+#define HASH_SIZE			(1 << HASH_LOG)
+#define HASH_MAX			0x10
+
+struct xt_psd_info {
+	__u32 weight_threshold;
+	__u32 delay_threshold;
+	__u16 lo_ports_weight;
+	__u16 hi_ports_weight;
+};
+
+#endif /*_LINUX_NETFILTER_XT_PSD_H*/

extensions/xt_quota2.c

@@ -21,12 +21,15 @@
 #include "xt_quota2.h"
 #include "compat_xtables.h"
 
-struct quota_counter {
+/**
+ * @lock:	lock to protect quota writers from each other
+ */
+struct xt_quota_counter {
 	u_int64_t quota;
 	spinlock_t lock;
 	struct list_head list;
 	atomic_t ref;
-	char name[XT_QUOTA_COUNTER_NAME_LENGTH];
+	char name[sizeof(((struct xt_quota_mtinfo2 *)NULL)->name)];
 	struct proc_dir_entry *procfs_entry;
 };
 
@@ -44,7 +47,7 @@ module_param_named(gid, quota_list_gid, uint, S_IRUGO | S_IWUSR);
 static int quota_proc_read(char *page, char **start, off_t offset,
                            int count, int *eof, void *data)
 {
-	struct quota_counter *e = data;
+	struct xt_quota_counter *e = data;
 	int ret;
 
 	spin_lock_bh(&e->lock);
@@ -56,7 +59,7 @@ static int quota_proc_read(char *page, char **start, off_t offset,
 static int quota_proc_write(struct file *file, const char __user *input,
                             unsigned long size, void *data)
 {
-	struct quota_counter *e = data;
+	struct xt_quota_counter *e = data;
 	char buf[sizeof("18446744073709551616")];
 
 	if (size > sizeof(buf))
@@ -66,39 +69,58 @@ static int quota_proc_write(struct file *file, const char __user *input,
 	buf[sizeof(buf)-1] = '\0';
 
 	spin_lock_bh(&e->lock);
-	e->quota = simple_strtoul(buf, NULL, 0);
+	e->quota = simple_strtoull(buf, NULL, 0);
 	spin_unlock_bh(&e->lock);
 	return size;
 }
 
+static struct xt_quota_counter *
+q2_new_counter(const struct xt_quota_mtinfo2 *q, bool anon)
+{
+	struct xt_quota_counter *e;
+	unsigned int size;
+
+	/* Do not need all the procfs things for anonymous counters. */
+	size = anon ? offsetof(typeof(*e), list) : sizeof(*e);
+	e = kmalloc(size, GFP_KERNEL);
+	if (e == NULL)
+		return NULL;
+
+	e->quota = q->quota;
+	spin_lock_init(&e->lock);
+	if (!anon) {
+		INIT_LIST_HEAD(&e->list);
+		atomic_set(&e->ref, 1);
+		strncpy(e->name, q->name, sizeof(e->name));
+	}
+	return e;
+}
+
 /**
  * q2_get_counter - get ref to counter or create new
  * @name:	name of counter
  */
-static struct quota_counter *q2_get_counter(const struct xt_quota_mtinfo2 *q)
+static struct xt_quota_counter *
+q2_get_counter(const struct xt_quota_mtinfo2 *q)
 {
 	struct proc_dir_entry *p;
-	struct quota_counter *e;
+	struct xt_quota_counter *e;
+
+	if (*q->name == '\0')
+		return q2_new_counter(q, true);
 
 	spin_lock_bh(&counter_list_lock);
-	list_for_each_entry(e, &counter_list, list) {
+	list_for_each_entry(e, &counter_list, list)
 		if (strcmp(e->name, q->name) == 0) {
 			atomic_inc(&e->ref);
 			spin_unlock_bh(&counter_list_lock);
 			return e;
 		}
-	}
 
-	e = kmalloc(sizeof(struct quota_counter), GFP_KERNEL);
+	e = q2_new_counter(q, false);
 	if (e == NULL)
 		goto out;
 
-	e->quota = q->quota;
-	spin_lock_init(&e->lock);
-	INIT_LIST_HEAD(&e->list);
-	atomic_set(&e->ref, 1);
-	strncpy(e->name, q->name, sizeof(e->name));
-
 	p = e->procfs_entry = create_proc_entry(e->name, quota_list_perms,
 	                      proc_xt_quota);
 	if (p == NULL || IS_ERR(p))
@@ -130,15 +152,16 @@ static bool quota_mt2_check(const struct xt_mtchk_param *par)
 		return false;
 
 	q->name[sizeof(q->name)-1] = '\0';
-	if (*q->name == '\0' || *q->name == '.' ||
+	if (*q->name == '.' || strchr(q->name, '/') != NULL) {
-	    strchr(q->name, '/') != NULL) {
+		printk(KERN_ERR "xt_quota<%u>: illegal name\n",
-		printk(KERN_ERR "xt_quota.2: illegal name\n");
+		       par->match->revision);
 		return false;
 	}
 
 	q->master = q2_get_counter(q);
 	if (q->master == NULL) {
-		printk(KERN_ERR "xt_quota.2: memory alloc failure\n");
+		printk(KERN_ERR "xt_quota<%u>: memory alloc failure\n",
+		       par->match->revision);
 		return false;
 	}
 
@@ -148,7 +171,12 @@ static bool quota_mt2_check(const struct xt_mtchk_param *par)
 static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
 {
 	struct xt_quota_mtinfo2 *q = par->matchinfo;
-	struct quota_counter *e = q->master;
+	struct xt_quota_counter *e = q->master;
+
+	if (*q->name == '\0') {
+		kfree(e);
+		return;
+	}
 
 	spin_lock_bh(&counter_list_lock);
 	if (!atomic_dec_and_test(&e->ref)) {
@@ -157,8 +185,8 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
 	}
 
 	list_del(&e->list);
-	spin_unlock_bh(&counter_list_lock);
 	remove_proc_entry(e->name, proc_xt_quota);
+	spin_unlock_bh(&counter_list_lock);
 	kfree(e);
 }
 
@@ -166,17 +194,15 @@ static bool
 quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 	struct xt_quota_mtinfo2 *q = (void *)par->matchinfo;
-	struct quota_counter *e = q->master;
+	struct xt_quota_counter *e = q->master;
 	bool ret = q->flags & XT_QUOTA_INVERT;
 
-	if (q->flags & XT_QUOTA_GROW) {
 	spin_lock_bh(&e->lock);
+	if (q->flags & XT_QUOTA_GROW) {
 		e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
 		q->quota = e->quota;
-		spin_unlock_bh(&e->lock);
 		ret = true;
 	} else {
-		spin_lock_bh(&e->lock);
 		if (e->quota >= skb->len) {
 			e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
 			ret = !ret;
@@ -185,16 +211,15 @@ quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
 			e->quota = 0;
 		}
 		q->quota = e->quota;
-		spin_unlock_bh(&e->lock);
 	}
-
+	spin_unlock_bh(&e->lock);
 	return ret;
 }
 
 static struct xt_match quota_mt2_reg[] __read_mostly = {
 	{
 		.name       = "quota2",
-		.revision   = 2,
+		.revision   = 3,
 		.family     = NFPROTO_IPV4,
 		.checkentry = quota_mt2_check,
 		.match      = quota_mt2,
@@ -204,7 +229,7 @@ static struct xt_match quota_mt2_reg[] __read_mostly = {
 	},
 	{
 		.name       = "quota2",
-		.revision   = 2,
+		.revision   = 3,
 		.family     = NFPROTO_IPV6,
 		.checkentry = quota_mt2_check,
 		.match      = quota_mt2,

extensions/xt_quota2.h

@@ -6,21 +6,19 @@ enum xt_quota_flags {
 	XT_QUOTA_GROW   = 1 << 1,
 	XT_QUOTA_PACKET = 1 << 2,
 	XT_QUOTA_MASK   = 0x7,
-
-	XT_QUOTA_COUNTER_NAME_LENGTH = 31,
 };
 
-struct quota_counter;
+struct xt_quota_counter;
 
 struct xt_quota_mtinfo2 {
-	char name[XT_QUOTA_COUNTER_NAME_LENGTH];
+	char name[15];
 	u_int8_t flags;
 
 	/* Comparison-invariant */
 	aligned_u64 quota;
 
 	/* Used internally by the kernel */
-	struct quota_counter *master __attribute__((aligned(8)));
+	struct xt_quota_counter *master __attribute__((aligned(8)));
 };
 
 #endif /* _XT_QUOTA_H */

mconfig

@@ -1,5 +1,6 @@
 # -*- Makefile -*-
 #
+build_ACCOUNT=m
 build_CHAOS=m
 build_DELUDE=m
 build_DHCPMAC=m
@@ -20,4 +21,5 @@ build_ipset=m
 build_ipv4options=m
 build_length2=m
 build_lscan=m
+build_psd=m
 build_quota2=m

xtables-addons.8.in

@@ -1,6 +1,6 @@
-.TH xtables\-addons 8 "v1.17 (2009\-06\-16)" "" "v1.17 (2009\-06\-16)"
+.TH xtables-addons 8 "v1.18 (2009-09-09)" "" "v1.18 (2009-09-09)"
 .SH Name
-Xtables\-addons - additional extensions for iptables, ip6tables, etc.
+Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets
 .\" @TARGET@
 .SH Matches