Xtables-addons 1.19

pknlusr.c: In function "main":
pknlusr.c:81:25: warning: cast to pointer from integer of different size
pknlusr.c:81:7: warning: cast to pointer from integer of different size

.gitignore

@@ -6,10 +6,15 @@
 .libs
 Makefile
 Makefile.in
-GNUmakefile
 
 /downloads
 
+/Makefile.iptrules
+/Makefile.mans
+/.*.lst
+/matches.man
+/targets.man
+
 /aclocal.m4
 /autom4te*.cache
 /compile

INSTALL

@@ -19,6 +19,8 @@ Supported configurations for this release
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
 	    enabled =y or as module (=m)
+	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
+	    notifications from pknock through netlink/connector
 
 Extra notes:
 
@@ -46,6 +48,9 @@ Configuring and compiling
 	/lib/modules/$(running version)/build, which usually points to
 	the right directory. (If not, you need to install something.)
 
+	For RPM building, it should be /usr/src/linux-obj/...
+	or whatever location the distro makes use of.
+
 --with-xtables=
 
 	Specifies the path to the directory where we may find
@@ -55,11 +60,11 @@ Configuring and compiling
 	include/xtables.h. (The latter to support both standard
 	/usr/include and the iptables source root.)
 
---with-libxtdir=
+--with-xtlibdir=
 
 	Specifies the path to where the newly built extensions should
 	be installed when `make install` is run. It uses the same
-	default as the Xtables package, ${libexecdir}/xtables.
+	default as the Xtables/iptables package, ${libexecdir}/xtables.
 
 If you want to enable debugging, use
 
@@ -72,15 +77,10 @@ much easier.)
 Build-time options
 ==================
 
-V= controls the kernel's make verbosity.
+V= controls the verbosity of make commands.
 V=0	"silent" (output filename)
 V=1	"verbose" (entire gcc command line)
 
-VU= controls the Xt-a make verbosity.
-VU=0	output filename
-VU=1	output filename and source file
-VU=2	entire gcc command line
-
 
 Note to distribution packagers
 ==============================

Makefile.am

@@ -5,16 +5,16 @@ SUBDIRS          = extensions
 
 man_MANS := xtables-addons.8
 
-xtables-addons.8: ${srcdir}/xtables-addons.8.in extensions/matches.man extensions/targets.man
-	${am__verbose_GEN}sed -e '/@MATCHES@/ r extensions/matches.man' -e '/@TARGET@/ r extensions/targets.man' $< >$@;
+.PHONY: FORCE
+FORCE:
 
-extensions/%:
-	${MAKE} ${AM_MAKEFLAGS} -C $(@D) $(@F)
+xtables-addons.8: FORCE
+	${MAKE} -f Makefile.mans all;
 
-install-exec-local:
+install-exec-hook:
 	depmod -a || :;
 
-config.status: extensions/GNUmakefile.in
+config.status: Makefile.iptrules.in
 
 .PHONY: tarball
 tarball:

Makefile.extra

@@ -0,0 +1,29 @@
+# -*- Makefile -*-
+# AUTOMAKE
+
+XA_SRCDIR = ${srcdir}
+XA_TOPSRCDIR = ${top_srcdir}
+XA_ABSTOPSRCDIR = ${abs_top_srcdir}
+export XA_SRCDIR
+export XA_TOPSRCDIR
+export XA_ABSTOPSRCDIR
+
+_mcall = -f ${top_builddir}/Makefile.iptrules
+
+all-local: user-all-local
+
+install-exec-local: user-install-local
+
+clean-local: user-clean-local
+
+user-all-local:
+	${MAKE} ${_mcall} all;
+
+# Have no user-install-data-local ATM
+user-install-local: user-install-exec-local
+
+user-install-exec-local:
+	${MAKE} ${_mcall} install;
+
+user-clean-local:
+	${MAKE} ${_mcall} clean;

Makefile.iptrules.in

@@ -0,0 +1,59 @@
+# -*- Makefile -*-
+# MANUAL
+
+prefix          = @prefix@
+exec_prefix     = @exec_prefix@
+libexecdir      = @libexecdir@
+xtlibdir        = @xtlibdir@
+
+CC              = @CC@
+CCLD            = ${CC}
+
+regular_CFLAGS  = @regular_CFLAGS@
+xtables_CFLAGS  = @xtables_CFLAGS@
+AM_CFLAGS       = ${regular_CFLAGS} ${xtables_CFLAGS}
+AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
+
+AM_DEFAULT_VERBOSITY = 0
+am__v_CC_0           = @echo "  CC    " $@;
+am__v_CCLD_0         = @echo "  CCLD  " $@;
+am__v_GEN_0          = @echo "  GEN   " $@;
+am__v_SILENT_0       = @
+am__v_CC_            = ${am__v_CC_${AM_DEFAULT_VERBOSITY}}
+am__v_CCLD_          = ${am__v_CCLD_${AM_DEFAULT_VERBOSITY}}
+am__v_GEN_           = ${am__v_GEN_${AM_DEFAULT_VERBOSITY}}
+am__v_SILENT_        = ${am__v_SILENT_${AM_DEFAULT_VERBOSITY}}
+AM_V_CC              = ${am__v_CC_${V}}
+AM_V_CCLD            = ${am__v_CCLD_${V}}
+AM_V_GEN             = ${am__v_GEN_${V}}
+AM_V_silent          = ${am__v_GEN_${V}}
+
+include ${XA_TOPSRCDIR}/mconfig
+-include ${XA_TOPSRCDIR}/mconfig.*
+include ${XA_SRCDIR}/Mbuild
+-include ${XA_SRCDIR}/Mbuild.*
+
+targets := $(filter-out %/,${obj-m})
+subdirs_list := $(filter %/,${obj-m})
+
+.SECONDARY:
+
+.PHONY: all install clean
+
+all: ${targets}
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
+
+install: ${targets}
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	install -dm0755 "${DESTDIR}/${xtlibdir}";
+	install -pm0755 $^ "${DESTDIR}/${xtlibdir}";
+
+clean:
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	rm -f *.oo *.so;
+
+lib%.so: lib%.oo
+	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+
+%.oo: ${XA_SRCDIR}/%.c
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;

Makefile.mans.in

@@ -0,0 +1,40 @@
+# -*- Makefile -*-
+# MANUAL
+
+srcdir := @srcdir@
+
+wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
+wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
+wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
+wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
+
+.PHONY: FORCE
+
+FORCE:
+
+.manpages.lst: FORCE
+	@echo "${wlist_targets} ${wlist_matches}" >$@.tmp; \
+	cmp -s $@ $@.tmp || mv $@.tmp $@; \
+	rm -f $@.tmp;
+
+man_run = \
+	${AM_V_GEN}for ext in $(1); do \
+		name="$${ext%.man}"; \
+		name="$${name\#\#*/libxt_}"; \
+		if [ -f "$$ext" ]; then \
+			echo ".SS $$name"; \
+			cat "$$ext"; \
+			continue; \
+		fi; \
+	done >$@;
+
+all: xtables-addons.8
+
+xtables-addons.8: ${srcdir}/xtables-addons.8.in matches.man targets.man
+	${AM_V_GEN}sed -e '/@MATCHES@/ r matches.man' -e '/@TARGET@/ r targets.man' $< >$@;
+
+matches.man: .manpages.lst ${wcman_matches}
+	$(call man_run,${wlist_matches})
+
+targets.man: .manpages.lst ${wcman_targets}
+	$(call man_run,${wlist_targets})

configure.ac

@@ -1,9 +1,9 @@
 
-AC_INIT([xtables-addons], [1.18])
+AC_INIT([xtables-addons], [1.19])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE([-Wall foreign subdir-objects])
+AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -14,10 +14,7 @@ AC_ARG_WITH([kbuild],
 	AS_HELP_STRING([--with-kbuild=PATH],
 	[Path to kernel build directory [[/lib/modules/CURRENT/build]]]),
 	[kbuilddir="$withval"])
-AC_ARG_WITH([ksource],
-	AS_HELP_STRING([--with-ksource=PATH],
-	[Path to kernel source directory [[/lib/modules/CURRENT/source]]]),
-	[ksourcedir="$withval"])
+AC_ARG_WITH([ksource],,[ksourcedir="$withval"])
 AC_ARG_WITH([xtables],
 	AS_HELP_STRING([--with-xtables=PATH],
 	[Path to the Xtables includes [[none]]]),
@@ -79,17 +76,16 @@ krel="${krel#*.}";
 kminor="${krel%%.*}";
 krel="${krel#*.}";
 kmicro="${krel%%.*}";
-krel2="${krel#*.}";
-if test "$krel" = "$krel2"; then
+if test "$kmicro" = "$krel"; then
 	kstable=0;
 else
-	kstable="${krel%%.*}";
+	kstable="${krel#*.}";
 	if test -z "$kstable"; then
 		kstable=0;
 	fi;
 fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 31; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 32; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
@@ -104,5 +100,7 @@ AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
-AC_CONFIG_FILES([Makefile extensions/GNUmakefile extensions/ipset/GNUmakefile])
+AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
+	extensions/Makefile extensions/ACCOUNT/Makefile
+	extensions/ipset/Makefile extensions/pknock/Makefile])
 AC_OUTPUT

doc/changelog.txt

@@ -1,4 +1,30 @@
 
+HEAD
+====
+
+
+Xtables-addons 1.19 (October 12 2009)
+=====================================
+- build: compile fixes for 2.6.31-rt
+- build: support for Linux 2.6.32
+- ipp2p: try to address underflows
+- psd: avoid potential crash when dealing with non-linear skbs
+- merge xt_ACCOUNT userspace utilities
+- added reworked xt_pknock module
+  Changes from pknock v0.5:
+  - pknock: "strict" and "checkip" flags were not displayed in `iptables -L`
+  - pknock: the GC expire time's lower bound is now the default gc time
+    (65000 msec) to avoid rendering anti-spoof protection in SPA mode useless
+  - pknock: avoid crash on memory allocation failure and fix memleak
+  - pknock: avoid fillup of peer table during DDoS
+  - pknock: automatic closing of ports
+  - pknock: make non-zero time mandatory for TCP mode
+  - pknock: display only pknock mode and state relevant information in procfs
+  - pknock: check interknock time only for !ST_ALLOWED peers
+  - pknock: preserve time/autoclose values for rules added in
+    reverse/arbitrary order
+  - pknock: add a manpage
+
 
 Xtables-addons 1.18 (September 09 2009)
 =======================================

extensions/.gitignore

@@ -8,8 +8,5 @@ Module.symvers
 Modules.symvers
 modules.order
 
-/*.so
-/*.oo
-/matches.man
-/targets.man
-/.manpages.lst
+*.so
+*.oo

extensions/ACCOUNT/.gitignore

@@ -0,0 +1 @@
+/iptaccount

extensions/ACCOUNT/Kbuild

@@ -0,0 +1,5 @@
+# -*- Makefile -*-
+
+EXTRA_CFLAGS = -I${src}/..
+
+obj-m += xt_ACCOUNT.o

extensions/ACCOUNT/Makefile.am

@@ -0,0 +1,8 @@
+# -*- Makefile -*-
+
+include ../../Makefile.extra
+
+sbin_PROGRAMS = iptaccount
+iptaccount_LDADD = libxt_ACCOUNT_cl.la
+
+lib_LTLIBRARIES = libxt_ACCOUNT_cl.la

extensions/ACCOUNT/Mbuild

@@ -0,0 +1,3 @@
+# -*- Makefile -*-
+
+obj-${build_ACCOUNT}     += libxt_ACCOUNT.so

extensions/ACCOUNT/iptaccount.c

@@ -0,0 +1,223 @@
+/***************************************************************************
+ *   Copyright (C) 2004-2006 by Intra2net AG                               *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU Lesser General Public License           *
+ *   version 2.1 as published by the Free Software Foundation;             *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <getopt.h>
+#include <signal.h>
+
+#include <libxt_ACCOUNT_cl.h>
+
+bool exit_now;
+static void sig_term(int signr)
+{
+	signal(SIGINT, SIG_IGN);
+	signal(SIGQUIT, SIG_IGN);
+	signal(SIGTERM, SIG_IGN);
+
+	exit_now = true;
+}
+
+char *addr_to_dotted(unsigned int);
+char *addr_to_dotted(unsigned int addr)
+{
+	static char buf[17];
+	const unsigned char *bytep;
+
+	bytep = (const unsigned char *)&addr;
+	snprintf(buf, 16, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
+	buf[16] = 0;
+	return buf;
+}
+
+static void show_usage(void)
+{
+	printf("Unknown command line option. Try: [-u] [-h] [-a] [-f] [-c] [-s] [-l name]\n");
+	printf("[-u] show kernel handle usage\n");
+	printf("[-h] free all kernel handles (experts only!)\n\n");
+	printf("[-a] list all table names\n");
+	printf("[-l name] show data in table <name>\n");
+	printf("[-f] flush data after showing\n");
+	printf("[-c] loop every second (abort with CTRL+C)\n");
+	printf("[-s] CSV output (for spreadsheet import)\n");
+	printf("\n");
+}
+
+int main(int argc, char *argv[])
+{
+	struct ipt_ACCOUNT_context ctx;
+	struct ipt_acc_handle_ip *entry;
+	int i;
+	char optchar;
+	bool doHandleUsage = false, doHandleFree = false, doTableNames = false;
+	bool doFlush = false, doContinue = false, doCSV = false;
+
+	char *table_name = NULL;
+	const char *name;
+
+	printf("\nlibxt_ACCOUNT_cl userspace accounting tool v%s\n\n",
+	LIBXT_ACCOUNT_VERSION);
+
+	if (argc == 1)
+	{
+		show_usage();
+		exit(0);
+	}
+
+	while ((optchar = getopt(argc, argv, "uhacfsl:")) != -1)
+	{
+		switch (optchar)
+		{
+		case 'u':
+			doHandleUsage = true;
+			break;
+		case 'h':
+			doHandleFree = true;
+			break;
+		case 'a':
+			doTableNames = true;
+			break;
+		case 'f':
+			doFlush = true;
+			break;
+		case 'c':
+			doContinue = true;
+			break;
+		case 's':
+			doCSV = true;
+			break;
+		case 'l':
+			table_name = strdup(optarg);
+			break;
+		case '?':
+		default:
+			show_usage();
+			exit(0);
+			break;
+		}
+	}
+
+	// install exit handler
+	if (signal(SIGTERM, sig_term) == SIG_ERR)
+	{
+		printf("can't install signal handler for SIGTERM\n");
+		exit(-1);
+	}
+	if (signal(SIGINT, sig_term) == SIG_ERR)
+	{
+		printf("can't install signal handler for SIGINT\n");
+		exit(-1);
+	}
+	if (signal(SIGQUIT, sig_term) == SIG_ERR)
+	{
+		printf("can't install signal handler for SIGQUIT\n");
+		exit(-1);
+	}
+
+	if (ipt_ACCOUNT_init(&ctx))
+	{
+		printf("Init failed: %s\n", ctx.error_str);
+		exit(-1);
+	}
+
+	// Get handle usage?
+	if (doHandleUsage)
+	{
+		int rtn = ipt_ACCOUNT_get_handle_usage(&ctx);
+		if (rtn < 0)
+		{
+			printf("get_handle_usage failed: %s\n", ctx.error_str);
+			exit(-1);
+		}
+
+		printf("Current kernel handle usage: %d\n", ctx.handle.itemcount);
+	}
+
+	if (doHandleFree)
+	{
+		int rtn = ipt_ACCOUNT_free_all_handles(&ctx);
+		if (rtn < 0)
+		{
+			printf("handle_free_all failed: %s\n", ctx.error_str);
+			exit(-1);
+		}
+
+		printf("Freed all handles in kernel space\n");
+	}
+
+	if (doTableNames)
+	{
+		int rtn = ipt_ACCOUNT_get_table_names(&ctx);
+		if (rtn < 0)
+		{
+			printf("get_table_names failed: %s\n", ctx.error_str);
+			exit(-1);
+		}
+		while ((name = ipt_ACCOUNT_get_next_name(&ctx)) != 0)
+			printf("Found table: %s\n", name);
+	}
+
+	if (table_name)
+	{
+		// Read out data
+		if (doCSV)
+			printf("IP;SRC packets;SRC bytes;DST packets;DST bytes\n");
+		else
+			printf("Showing table: %s\n", table_name);
+
+		i = 0;
+		while (!exit_now)
+		{
+			// Get entries from table test
+			if (ipt_ACCOUNT_read_entries(&ctx, table_name, !doFlush))
+			{
+				printf("Read failed: %s\n", ctx.error_str);
+				ipt_ACCOUNT_deinit(&ctx);
+				exit(-1);
+			}
+
+			if (!doCSV)
+				printf("Run #%d - %u %s found\n", i, ctx.handle.itemcount,
+				       ctx.handle.itemcount == 1 ? "item" : "items");
+
+			// Output and free entries
+			while ((entry = ipt_ACCOUNT_get_next_entry(&ctx)) != NULL)
+			{
+				if (doCSV)
+					printf("%s;%u;%u;%u;%u\n",
+					       addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
+					       entry->dst_packets, entry->dst_bytes);
+				else
+					printf("IP: %s SRC packets: %u bytes: %u DST packets: %u bytes: %u\n",
+					       addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
+					       entry->dst_packets, entry->dst_bytes);
+			}
+
+			if (doContinue)
+			{
+				sleep(1);
+				i++;
+			} else
+				exit_now = true;
+		}
+	}
+
+	printf("Finished.\n");
+	ipt_ACCOUNT_deinit(&ctx);
+	exit(0);
+}

extensions/ACCOUNT/libxt_ACCOUNT.man

@@ -56,8 +56,8 @@ the \fBiptaccount\fP(8) tool, which features following options:
 .PP
 Here is an example of use:
 .PP
-iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing
-iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing;
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales;
 .PP
 This creates two tables called "all_outgoing" and "sales" which can be
 queried using the userspace library/iptaccount tool.

extensions/ACCOUNT/libxt_ACCOUNT_cl.c

@@ -0,0 +1,199 @@
+/***************************************************************************
+ *   Copyright (C) 2004 by Intra2net AG                                    *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU Lesser General Public License           *
+ *   version 2.1 as published by the Free Software Foundation;             *
+ *                                                                         *
+ ***************************************************************************/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <netinet/in.h>
+#include <linux/if.h>
+
+#include <libxt_ACCOUNT_cl.h>
+
+int ipt_ACCOUNT_init(struct ipt_ACCOUNT_context *ctx)
+{
+	memset(ctx, 0, sizeof(struct ipt_ACCOUNT_context));
+	ctx->handle.handle_nr = -1;
+
+	ctx->sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+	if (ctx->sockfd < 0) {
+		ctx->sockfd = -1;
+		ctx->error_str = "Can't open socket to kernel. "
+		                 "Permission denied or ipt_ACCOUNT module not loaded";
+		return -1;
+	}
+
+	// 4096 bytes default buffer should save us from reallocations
+	// as it fits 200 concurrent active clients
+	if ((ctx->data = malloc(IPT_ACCOUNT_MIN_BUFSIZE)) == NULL) {
+		close(ctx->sockfd);
+		ctx->sockfd = -1;
+		ctx->error_str = "Out of memory for data buffer";
+		return -1;
+	}
+	ctx->data_size = IPT_ACCOUNT_MIN_BUFSIZE;
+
+	return 0;
+}
+
+void ipt_ACCOUNT_free_entries(struct ipt_ACCOUNT_context *ctx)
+{
+	if (ctx->handle.handle_nr != -1) {
+		setsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_SET_ACCOUNT_HANDLE_FREE,
+		           &ctx->handle, sizeof(struct ipt_acc_handle_sockopt));
+		ctx->handle.handle_nr = -1;
+	}
+
+	ctx->handle.itemcount = 0;
+	ctx->pos = 0;
+}
+
+void ipt_ACCOUNT_deinit(struct ipt_ACCOUNT_context *ctx)
+{
+	free(ctx->data);
+	ctx->data = NULL;
+
+	ipt_ACCOUNT_free_entries(ctx);
+
+	close(ctx->sockfd);
+	ctx->sockfd = -1;
+}
+
+int ipt_ACCOUNT_read_entries(struct ipt_ACCOUNT_context *ctx,
+                             const char *table, char dont_flush)
+{
+	unsigned int s = sizeof(struct ipt_acc_handle_sockopt);
+	unsigned int new_size;
+	int rtn;
+
+	strncpy(ctx->handle.name, table, ACCOUNT_TABLE_NAME_LEN-1);
+
+	// Get table information
+	if (!dont_flush)
+		rtn = getsockopt(ctx->sockfd, IPPROTO_IP,
+		      IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH, &ctx->handle, &s);
+	else
+		rtn = getsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_GET_ACCOUNT_PREPARE_READ,
+		      &ctx->handle, &s);
+
+	if (rtn < 0) {
+		ctx->error_str = "Can't get table information from kernel. "
+		                 "Does it exist?";
+		return -1;
+	}
+
+	// Check data buffer size
+	ctx->pos = 0;
+	new_size = ctx->handle.itemcount * sizeof(struct ipt_acc_handle_ip);
+	// We want to prevent reallocations all the time
+	if (new_size < IPT_ACCOUNT_MIN_BUFSIZE)
+		new_size = IPT_ACCOUNT_MIN_BUFSIZE;
+
+	// Reallocate if it's too small or twice as big
+	if (ctx->data_size < new_size || ctx->data_size > new_size * 2) {
+		// Free old buffer
+		free(ctx->data);
+		ctx->data_size = 0;
+
+		if ((ctx->data = malloc(new_size)) == NULL) {
+			ctx->error_str = "Out of memory for data buffer";
+			ipt_ACCOUNT_free_entries(ctx);
+			return -1;
+		}
+
+		ctx->data_size = new_size;
+	}
+
+	// Copy data from kernel
+	memcpy(ctx->data, &ctx->handle, sizeof(struct ipt_acc_handle_sockopt));
+	rtn = getsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_GET_ACCOUNT_GET_DATA,
+	      ctx->data, &ctx->data_size);
+	if (rtn < 0) {
+		ctx->error_str = "Can't get data from kernel. "
+		                 "Check /var/log/messages for details.";
+		ipt_ACCOUNT_free_entries(ctx);
+		return -1;
+	}
+
+	// Free kernel handle but don't reset pos/itemcount
+	setsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_SET_ACCOUNT_HANDLE_FREE,
+	           &ctx->handle, sizeof(struct ipt_acc_handle_sockopt));
+	ctx->handle.handle_nr = -1;
+
+	return 0;
+}
+
+struct ipt_acc_handle_ip *ipt_ACCOUNT_get_next_entry(struct ipt_ACCOUNT_context *ctx)
+{
+	struct ipt_acc_handle_ip *rtn;
+
+	// Empty or no more items left to return?
+	if (!ctx->handle.itemcount || ctx->pos >= ctx->handle.itemcount)
+		return NULL;
+
+	// Get next entry
+	rtn = (struct ipt_acc_handle_ip *)(ctx->data + ctx->pos
+	      * sizeof(struct ipt_acc_handle_ip));
+	ctx->pos++;
+
+	return rtn;
+}
+
+int ipt_ACCOUNT_get_handle_usage(struct ipt_ACCOUNT_context *ctx)
+{
+	unsigned int s = sizeof(struct ipt_acc_handle_sockopt);
+	if (getsockopt(ctx->sockfd, IPPROTO_IP,
+	    IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE, &ctx->handle, &s) < 0) {
+		ctx->error_str = "Can't get handle usage information from kernel";
+		return -1;
+	}
+	ctx->handle.handle_nr = -1;
+
+	return ctx->handle.itemcount;
+ }
+
+int ipt_ACCOUNT_free_all_handles(struct ipt_ACCOUNT_context *ctx)
+{
+	if (setsockopt(ctx->sockfd, IPPROTO_IP,
+	    IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL, NULL, 0) < 0) {
+		ctx->error_str = "Can't free all kernel handles";
+		return -1;
+	}
+
+	return 0;
+}
+
+int ipt_ACCOUNT_get_table_names(struct ipt_ACCOUNT_context *ctx)
+{
+	int rtn = getsockopt(ctx->sockfd, IPPROTO_IP,
+	          IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES,
+	          ctx->data, &ctx->data_size);
+	if (rtn < 0) {
+		ctx->error_str = "Can't get table names from kernel. Out of memory, "
+		                 "MINBUFISZE too small?";
+		return -1;
+	}
+	ctx->pos = 0;
+	return 0;
+}
+
+const char *ipt_ACCOUNT_get_next_name(struct ipt_ACCOUNT_context *ctx)
+{
+	const char *rtn;
+	if (((char *)ctx->data)[ctx->pos] == 0)
+		return 0;
+
+	rtn = ctx->data + ctx->pos;
+	ctx->pos += strlen(ctx->data + ctx->pos) + 1;
+
+	return rtn;
+}

extensions/ACCOUNT/libxt_ACCOUNT_cl.h

@@ -0,0 +1,60 @@
+/***************************************************************************
+ *   Copyright (C) 2004 by Intra2net AG                                    *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU Lesser General Public License           *
+ *   version 2.1 as published by the Free Software Foundation;             *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifndef _xt_ACCOUNT_cl_H
+#define _xt_ACCOUNT_cl_H
+
+#include <xt_ACCOUNT.h>
+
+#define LIBXT_ACCOUNT_VERSION "1.3"
+
+/* Don't set this below the size of struct ipt_account_handle_sockopt */
+#define IPT_ACCOUNT_MIN_BUFSIZE 4096
+
+struct ipt_ACCOUNT_context
+{
+	int sockfd;
+	struct ipt_acc_handle_sockopt handle;
+
+	unsigned int data_size;
+	void *data;
+	unsigned int pos;
+
+	char *error_str;
+};
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int ipt_ACCOUNT_init(struct ipt_ACCOUNT_context *ctx);
+void ipt_ACCOUNT_deinit(struct ipt_ACCOUNT_context *ctx);
+
+void ipt_ACCOUNT_free_entries(struct ipt_ACCOUNT_context *ctx);
+int ipt_ACCOUNT_read_entries(struct ipt_ACCOUNT_context *ctx,
+                             const char *table, char dont_flush);
+struct ipt_acc_handle_ip *ipt_ACCOUNT_get_next_entry(
+                             struct ipt_ACCOUNT_context *ctx);
+
+/* ipt_ACCOUNT_free_entries is for internal use only function as this library
+is constructed to be used in a loop -> Don't allocate memory all the time.
+The data buffer is freed on deinit() */
+
+int ipt_ACCOUNT_get_handle_usage(struct ipt_ACCOUNT_context *ctx);
+int ipt_ACCOUNT_free_all_handles(struct ipt_ACCOUNT_context *ctx);
+int ipt_ACCOUNT_get_table_names(struct ipt_ACCOUNT_context *ctx);
+const char *ipt_ACCOUNT_get_next_name(struct ipt_ACCOUNT_context *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif

extensions/ACCOUNT/xt_ACCOUNT.Kconfig

@@ -0,0 +1,13 @@
+config NETFILTER_XT_TARGET_ACCOUNT
+	tristate "ACCOUNT target support"
+	depends on NETFILTER_XTABLES
+	---help---
+	This module implements an ACCOUNT target
+
+	The ACCOUNT target is a high performance accounting system for large
+	local networks. It allows per-IP accounting in whole prefixes of IPv4
+	addresses with size of up to /8 without the need to add individual
+	accouting rule for each IP address.
+
+	For more information go to:
+	http://www.intra2net.com/de/produkte/opensource/ipt_account/

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -1015,7 +1015,7 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 	return ret;
 }
 
-static struct xt_target xt_acc_reg = {
+static struct xt_target xt_acc_reg __read_mostly = {
 	.name = "ACCOUNT",
 	.family = AF_INET,
 	.target = ipt_acc_target,
@@ -1037,7 +1037,7 @@ static struct nf_sockopt_ops ipt_acc_sockopts = {
 
 static int __init account_tg_init(void)
 {
-	init_MUTEX(&ipt_acc_userspace_mutex);
+	sema_init(&ipt_acc_userspace_mutex, 1);
 
 	if ((ipt_acc_tables =
 	    kmalloc(ACCOUNT_MAX_TABLES *

extensions/GNUmakefile.in

@@ -1,141 +0,0 @@
-# -*- Makefile -*-
-
-top_srcdir      := @top_srcdir@
-srcdir          := @srcdir@
-abstop_srcdir   := $(shell readlink -f ${top_srcdir})
-abssrcdir       := $(shell readlink -f ${srcdir})
-
-ifeq (${abstop_srcdir},)
-$(error Path resolution of ${top_srcdir} failed)
-endif
-ifeq (${abssrcdir},)
-$(error Path resolution of ${srcdir} failed)
-endif
-
-prefix          := @prefix@
-exec_prefix     := @exec_prefix@
-libdir          := @libdir@
-libexecdir      := @libexecdir@
-xtlibdir        := @xtlibdir@
-kbuilddir       := @kbuilddir@
-
-CC              := @CC@
-CCLD            := ${CC}
-CFLAGS          := @CFLAGS@
-LDFLAGS         := @LDFLAGS@
-regular_CFLAGS  := @regular_CFLAGS@
-kinclude_CFLAGS := @kinclude_CFLAGS@
-xtables_CFLAGS  := @xtables_CFLAGS@
-
-AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS}
-AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
-
-VU := 0
-am__v_CC_0     = @echo "  CC      " $@;
-am__v_CCLD_0   = @echo "  CCLD    " $@;
-am__v_GEN_0    = @echo "  GEN     " $@;
-am__v_SILENT_0 = @
-AM_V_CC        = ${am__v_CC_${VU}}
-AM_V_CCLD      = ${am__v_CCLD_${VU}}
-AM_V_GEN       = ${am__v_GEN_${VU}}
-AM_V_silent    = ${am__v_GEN_${VU}}
-
-
-#
-#	Wildcard module list
-#
-include ${top_srcdir}/mconfig
--include ${top_srcdir}/mconfig.*
-include ${srcdir}/Mbuild
--include ${srcdir}/Mbuild.*
--include ${srcdir}/*.Mbuild
-
-
-#
-#	Building blocks
-#
-targets := $(filter-out %/,${obj-m})
-targets_install := ${targets}
-subdirs_list := $(filter %/,${obj-m})
-
-.SECONDARY:
-
-.PHONY: all install clean distclean FORCE
-
-all: subdirs modules user matches.man targets.man
-
-subdirs:
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
-
-subdirs-install:
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i install; done;
-
-user: ${targets}
-
-install: modules_install subdirs-install ${targets_install}
-	@mkdir -p "${DESTDIR}${xtlibdir}";
-	install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/";
-
-clean: clean_modules
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i clean; done;
-	rm -f *.oo *.so;
-
-distclean: clean
-	rm -f .*.d .manpages.lst;
-
--include .*.d
-
-
-#
-#	Call out to kbuild
-#
-.PHONY: modules modules_install clean_modules
-
-modules:
-	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
-
-modules_install:
-	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
-
-clean_modules:
-	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
-
-
-#
-#	Shared libraries
-#
-lib%.so: lib%.oo
-	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
-
-lib%.oo: ${srcdir}/lib%.c
-	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-
-
-#
-#	Manpages
-#
-wcman_matches := $(wildcard ${srcdir}/libxt_[a-z]*.man)
-wcman_targets := $(wildcard ${srcdir}/libxt_[A-Z]*.man)
-wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
-wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
-
-.manpages.lst: FORCE
-	@echo "${wlist_targets} ${wlist_matches}" >$@.tmp; \
-	cmp -s $@ $@.tmp || mv $@.tmp $@; \
-	rm -f $@.tmp;
-
-man_run    = \
-	${AM_V_GEN}for ext in $(1); do \
-		f="${srcdir}/libxt_$$ext.man"; \
-		if [ -f "$$f" ]; then \
-			echo ".SS $$ext"; \
-			cat "$$f"; \
-			continue; \
-		fi; \
-	done >$@;
-
-matches.man: .manpages.lst ${wcman_matches}
-	$(call man_run,${wlist_matches})
-
-targets.man: .manpages.lst ${wcman_targets}
-	$(call man_run,${wlist_targets})

extensions/Kbuild

@@ -1,11 +1,11 @@
 # -*- Makefile -*-
 
-include ${XA_TOPSRCDIR}/mconfig
--include ${XA_TOPSRCDIR}/mconfig.*
+include ${XA_ABSTOPSRCDIR}/mconfig
+-include ${XA_ABSTOPSRCDIR}/mconfig.*
 
 obj-m                    += compat_xtables.o
 
-obj-${build_ACCOUNT}     += xt_ACCOUNT.o
+obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
@@ -26,6 +26,7 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o
+obj-${build_pknock}      += pknock/
 obj-${build_psd}         += xt_psd.o
 obj-${build_quota2}      += xt_quota2.o
 

extensions/Makefile.am

@@ -0,0 +1,24 @@
+# -*- Makefile -*-
+# AUTOMAKE
+
+# Not having Kbuild in Makefile.extra because it will already recurse
+.PHONY: modules modules_install clean_modules
+
+_kcall = -C ${kbuilddir} M=${abs_srcdir}
+
+modules:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi;
+
+modules_install:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} INSTALL_MOD_PATH=${DESTDIR} ext-mod-dir='$${INSTALL_MOD_DIR}' modules_install; fi;
+
+clean_modules:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} clean; fi;
+
+all-local: modules
+
+install-exec-local: modules_install
+
+clean-local: clean_modules
+
+include ../Makefile.extra

extensions/Mbuild

@@ -1,4 +1,6 @@
-obj-${build_ACCOUNT}     += libxt_ACCOUNT.so
+# -*- Makefile -*-
+
+obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
@@ -19,5 +21,6 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
+obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/ipset/.gitignore

@@ -1,3 +1 @@
-*.oo
-*.so
 /ipset

extensions/ipset/GNUmakefile.in

@@ -1,85 +0,0 @@
-# -*- Makefile -*-
-
-top_srcdir      := @top_srcdir@
-srcdir          := @srcdir@
-datarootdir     := @datarootdir@
-abstop_srcdir   := $(shell readlink -f ${top_srcdir})
-abssrcdir       := $(shell readlink -f ${srcdir})
-
-ifeq (${abstop_srcdir},)
-$(error Path resolution of ${top_srcdir} failed)
-endif
-ifeq (${abssrcdir},)
-$(error Path resolution of ${srcdir} failed)
-endif
-
-prefix          := @prefix@
-exec_prefix     := @exec_prefix@
-sbindir         := @sbindir@
-libdir          := @libdir@
-libexecdir      := @libexecdir@
-xtlibdir        := @xtlibdir@
-kbuilddir       := @kbuilddir@
-man8dir         := @mandir@/man8
-
-CC              := @CC@
-CCLD            := ${CC}
-CFLAGS          := @CFLAGS@
-LDFLAGS         := @LDFLAGS@
-regular_CFLAGS  := @regular_CFLAGS@
-kinclude_CFLAGS := @kinclude_CFLAGS@
-xtables_CFLAGS  := @xtables_CFLAGS@
-
-AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
-AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
-
-VU := 0
-am__1verbose_CC_0     = @echo "  CC      " $@;
-am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
-am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
-am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
-am__verbose_CC        = ${am__1verbose_CC_${VU}}
-am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
-
-#
-#	Building blocks
-#
-targets := $(addsuffix .so,$(addprefix libipset_, \
-	iphash ipmap ipporthash ipportiphash ipportnethash iptree \
-	iptreemap macipmap nethash portmap setlist))
-
-.SECONDARY:
-
-.PHONY: all install clean distclean FORCE
-
-all: ipset ${targets}
-
-install: all
-	@mkdir -p "${DESTDIR}${sbindir}" "${DESTDIR}${xtlibdir}" "${DESTDIR}${man8dir}";
-	install -pm0755 ipset "${DESTDIR}${sbindir}/";
-	install -pm0755 ${targets} "${DESTDIR}${xtlibdir}/";
-	install -pm0644 ipset.8 "${DESTDIR}${man8dir}/";
-
-clean:
-	rm -f *.oo *.so *.o ipset;
-
-distclean: clean
-	rm -f .*.d;
-
--include .*.d
-
-
-ipset: ipset.o
-	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -o $@ $< -ldl -rdynamic;
-
-#
-#	Shared libraries
-#
-lib%.so: lib%.oo
-	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
-
-libipset_%.oo: ${srcdir}/ipset_%.c
-	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-
-%.o: %.c
-	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} ${CFLAGS} -o $@ -c $<;

extensions/ipset/Makefile.am

@@ -0,0 +1,9 @@
+# -*- Makefile -*-
+
+AM_CFLAGS = ${regular_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
+
+include ../../Makefile.extra
+
+sbin_PROGRAMS = ipset
+ipset_LDADD   = -ldl
+ipset_LDFLAGS = -rdynamic

extensions/ipset/Mbuild

@@ -0,0 +1,7 @@
+# -*- Makefile -*-
+
+obj-m += $(addprefix lib,$(patsubst %.c,%.so,$(notdir \
+	$(wildcard ${XA_SRCDIR}/ipset_*.c))))
+
+libipset_%.oo: ${XA_SRCDIR}/ipset_%.c
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;

extensions/ipset/ip_set.c

@@ -39,7 +39,7 @@
 static struct list_head set_type_list;		/* all registered sets */
 static struct ip_set **ip_set_list;		/* all individual sets */
 static DEFINE_RWLOCK(ip_set_lock);		/* protects the lists and the hash */
-static DECLARE_MUTEX(ip_set_app_mutex);		/* serializes user access */
+static struct semaphore ip_set_app_mutex;	/* serializes user access */
 static ip_set_id_t ip_set_max = CONFIG_IP_NF_SET_MAX;
 static ip_set_id_t ip_set_bindings_hash_size =  CONFIG_IP_NF_SET_HASHSIZE;
 static struct list_head *ip_set_hash;		/* hash of bindings */
@@ -2016,6 +2016,7 @@ static int __init ip_set_init(void)
 	int res;
 	ip_set_id_t i;
 
+	sema_init(&ip_set_app_mutex, 1);
 	get_random_bytes(&ip_set_hash_random, 4);
 	if (max_sets)
 		ip_set_max = max_sets;

extensions/libxt_CHAOS.man

@@ -1,13 +1,13 @@
 Causes confusion on the other end by doing odd things with incoming packets.
 CHAOS will randomly reply (or not) with one of its configurable subtargets:
 .TP
-\fB--delude\fP
+\fB\-\-delude\fP
 Use the REJECT and DELUDE targets as a base to do a sudden or deferred
 connection reset, fooling some network scanners to return non-deterministic
 (randomly open/closed) results, and in case it is deemed open, it is actually
 closed/filtered.
 .TP
-\fB--tarpit\fP
+\fB\-\-tarpit\fP
 Use the REJECT and TARPIT target as a base to hold the connection until it
 times out. This consumes conntrack entries when connection tracking is loaded
 (which usually is on most machines), and routers inbetween you and the Internet

extensions/libxt_DHCPMAC.man

@@ -4,7 +4,7 @@ VMware does not allow to set a non-VMware MAC address before an operating
 system is booted (and the MAC be changed with `ip link set eth0 address
 aa:bb..`).
 .TP
-\fB--set-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
+\fB\-\-set\-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
 Replace the client host MAC address field in the DHCP message with the given
 MAC address. This option is mandatory. The \fImask\fP parameter specifies the
 prefix length of bits to change.
@@ -12,13 +12,13 @@ prefix length of bits to change.
 EXAMPLE, replacing all addresses from one of VMware's assigned vendor IDs
 (00:50:56) addresses with something else:
 .PP
-iptables -t mangle -A FORWARD -p udp --dport 67 -m physdev --physdev-in vmnet1
--m dhcpmac --mac 00:50:56:00:00:00/24 -j DHCPMAC --set-mac
-ab:cd:ef:00:00:00/24
+iptables \-t mangle \-A FORWARD \-p udp \-\-dport 67 \-m physdev
+\-\-physdev\-in vmnet1 \-m dhcpmac \-\-mac 00:50:56:00:00:00/24 \-j DHCPMAC
+\-\-set\-mac ab:cd:ef:00:00:00/24
 .PP
-iptables -t mangle -A FORWARD -p udp --dport 68 -m physdev --physdev-out vmnet1
--m dhcpmac --mac ab:cd:ef:00:00:00/24 -j DHCPMAC --set-mac
-00:50:56:00:00:00/24
+iptables \-t mangle \-A FORWARD \-p udp \-\-dport 68 \-m physdev
+\-\-physdev\-out vmnet1 \-m dhcpmac \-\-mac ab:cd:ef:00:00:00/24 \-j DHCPMAC
+\-\-set\-mac 00:50:56:00:00:00/24
 .PP
 (This assumes there is a bridge interface that has vmnet1 as a port. You will
 also need to add appropriate ebtables rules to change the MAC address of the

extensions/libxt_IPMARK.man

@@ -4,16 +4,16 @@ firewall based classifier.
 
 This target is to be used inside the \fBmangle\fP table.
 .TP
-\fB--addr\fP {\fBsrc\fP|\fBdst\fP}
+\fB\-\-addr\fP {\fBsrc\fP|\fBdst\fP}
 Select source or destination IP address as a basis for the mark.
 .TP
-\fB--and-mask\fP \fImask\fP
+\fB\-\-and\-mask\fP \fImask\fP
 Perform bitwise AND on the IP address and this bitmask.
 .TP
-\fB--or-mask\fP \fImask\fP
+\fB\-\-or\-mask\fP \fImask\fP
 Perform bitwise OR on the IP address and this bitmask.
 .TP
-\fB--shift\fP \fIvalue\fP
+\fB\-\-shift\fP \fIvalue\fP
 Shift addresses to the right by the given number of bits before taking it
 as a mark. (This is done before ANDing or ORing it.) This option is needed
 to select part of an IPv6 address, because marks are only 32 bits in size.
@@ -34,16 +34,16 @@ tc filter add dev eth3 parent 1:0 protocol ip fw
 .PP
 Earlier we had many rules just like below:
 .IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
---set-mark 0x10502
+iptables \-t mangle \-A POSTROUTING \-o eth3 \-d 192.168.5.2 \-j MARK
+\-\-set\-mark 0x10502
 .IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
---set-mark 0x10503
+iptables \-t mangle \-A POSTROUTING \-o eth3 \-d 192.168.5.3 \-j MARK
+\-\-set\-mark 0x10503
 .PP
 Using IPMARK target we can replace all the mangle/mark rules with only one:
 .IP
-iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr dst
---and-mask 0xffff --or-mask 0x10000
+iptables \-t mangle \-A POSTROUTING \-o eth3 \-j IPMARK \-\-addr dst
+\-\-and\-mask 0xffff \-\-or\-mask 0x10000
 .PP
 On the routers with hundreds of users there should be significant load
 decrease (e.g. twice).
@@ -52,5 +52,5 @@ decrease (e.g. twice).
 2001:db8:45:1d:20d:93ff:fe9b:e443 and the resulting mark should be 0x93ff,
 then a right-shift of 16 is needed first:
 .IP
--t mangle -A PREROUTING -s 2001:db8::/32 -j IPMARK --addr src --shift 16
---and-mask 0xFFFF
+\-t mangle \-A PREROUTING \-s 2001:db8::/32 \-j IPMARK \-\-addr src \-\-shift
+16 \-\-and\-mask 0xFFFF

extensions/libxt_LOGMARK.man

@@ -1,17 +1,17 @@
 The LOGMARK target will log packet and connection marks to syslog.
 .TP
-\fB--log-level\fR \fIlevel\fR
+\fB\-\-log\-level\fR \fIlevel\fR
 A logging level between 0 and 8 (inclusive).
 .TP
-\fB--log-prefix\fR \fIstring\fR
+\fB\-\-log\-prefix\fR \fIstring\fR
 Prefix log messages with the specified prefix; up to 29 bytes long, and useful
 for distinguishing messages in the logs.
 .TP
-\fB--log-nfmark\fR
+\fB\-\-log\-nfmark\fR
 Include the packet mark in the log.
 .TP
-\fB--log-ctmark\fR
+\fB\-\-log\-ctmark\fR
 Include the connection mark in the log.
 .TP
-\fB--log-secmark\fR
+\fB\-\-log\-secmark\fR
 Include the packet secmark in the log.

extensions/libxt_RAWDNAT.man

@@ -1,7 +1,7 @@
 The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
 much like the \fBNETMAP\fR target.
 .TP
-\fB--to-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
+\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
 Network address to map to. The resulting address will be constructed the
 following way: All 'one' bits in the \fImask\fR are filled in from the new
 \fIaddress\fR. All bits that are zero in the mask are filled in from the

extensions/libxt_RAWSNAT.man

@@ -8,7 +8,7 @@ which makes it possible to change the source address either when the packet
 enters the machine or when it leaves it. The reason for this table constraint
 is that RAWNAT must happen outside of connection tracking.
 .TP
-\fB--to-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
+\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
 Network address to map to. The resulting address will be constructed the
 following way: All 'one' bits in the \fImask\fR are filled in from the new
 \fIaddress\fR. All bits that are zero in the mask are filled in from the
@@ -17,13 +17,13 @@ original address.
 As an example, changing the destination for packets forwarded from an internal
 LAN to the internet:
 .IP
--t raw -A PREROUTING -i lan0 -d 212.201.100.135 -j RAWDNAT --to-destination 199.181.132.250
--t rawpost -A POSTROUTING -o lan0 -s 199.181.132.250 -j RAWSNAT --to-source 212.201.100.135
+\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250;
+\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135;
 .PP
 Note that changing addresses may influence the route selection! Specifically,
 it statically NATs packets, not connections, like the normal DNAT/SNAT targets
-would do. Also note that it can transform already-NATed connections -- as said,
-it is completely external to Netfilter's connection tracking/NAT.
+would do. Also note that it can transform already-NATed connections \(em as
+said, it is completely external to Netfilter's connection tracking/NAT.
 .PP
 If the machine itself generates packets that are to be rawnat'ed, you need a
 rule in the OUTPUT chain instead, just like you would with the stateful NAT

extensions/libxt_SYSRQ.man

@@ -1,7 +1,7 @@
 The SYSRQ target allows to remotely trigger sysrq on the local machine over the
 network. This can be useful when vital parts of the machine hang, for example
 an oops in a filesystem causing locks to be not released and processes to get
-stuck as a result - if still possible, use /proc/sysrq-trigger. Even when
+stuck as a result \(em if still possible, use /proc/sysrq-trigger. Even when
 processes are stuck, interrupts are likely to be still processed, and as such,
 sysrq can be triggered through incoming network packets.
 .PP
@@ -11,30 +11,30 @@ requests. The initial sequence number comes from the time of day so you will
 have a small window of vulnerability should time go backwards at a reboot.
 However, the file /sys/module/xt_SYSREQ/seqno can be used to both query and
 update the current sequence number. Also, you should limit as to who can issue
-commands using \fB-s\fP and/or \fB-m mac\fP, and also that the destination is
-correct using \fB-d\fP (to protect against potential broadcast packets), noting
-that it is still short of MAC/IP spoofing:
+commands using \fB\-s\fP and/or \fB\-m mac\fP, and also that the destination is
+correct using \fB\-d\fP (to protect against potential broadcast packets),
+noting that it is still short of MAC/IP spoofing:
 .IP
--A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
--p udp --dport 9 -j SYSRQ
+\-A INPUT \-s 10.10.25.1 \-m mac \-\-mac\-source aa:bb:cc:dd:ee:ff \-d
+10.10.25.7 \-p udp \-\-dport 9 \-j SYSRQ
 .IP
-(with IPsec) -A INPUT -s 10.10.25.1 -d 10.10.25.7 -m policy --dir in --pol
-ipsec --proto esp --tunnel-src 10.10.25.1 --tunnel-dst 10.10.25.7
--p udp --dport 9 -j SYSRQ
+(with IPsec) \-A INPUT \-s 10.10.25.1 \-d 10.10.25.7 \-m policy \-\-dir in
+\-\-pol ipsec \-\-proto esp \-\-tunnel\-src 10.10.25.1 \-\-tunnel\-dst
+10.10.25.7 \-p udp \-\-dport 9 \-j SYSRQ
 .PP
 You should also limit the rate at which connections can be received to limit
 the CPU time taken by illegal requests, for example:
 .IP
--A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
--p udp --dport 9 -m limit --limit 5/minute -j SYSRQ
+\-A INPUT \-s 10.10.25.1 \-m mac \-\-mac\-source aa:bb:cc:dd:ee:ff \-d
+10.10.25.7 \-p udp \-\-dport 9 \-m limit \-\-limit 5/minute \-j SYSRQ
 .PP
-This extension does not take any options. The \fB-p udp\fP options are
+This extension does not take any options. The \fB\-p udp\fP options are
 required.
 .PP
 The SYSRQ password can be changed through
 /sys/module/xt_SYSRQ/parameters/password, for example:
 .IP
-echo -n "password" >/sys/module/xt_SYSRQ/parameters/password
+echo \-n "password" >/sys/module/xt_SYSRQ/parameters/password
 .PP
 Alternatively, the password may be specified at modprobe time, but this is
 insecure as people can possible see it through ps(1). You can use an option
@@ -59,17 +59,17 @@ sysrq_key="s"  # the SysRq key(s)
 password="password"
 seqno="$(date +%s)"
 salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
-    openssl enc -base64)"
+    openssl enc \-base64)"
 req="$sysrq_key,$seqno,$salt"
-req="$req,$(echo -n "$req,$password" | sha1sum | cut -c1-40)"
+req="$req,$(echo \-n "$req,$password" | sha1sum | cut \-c1\-40)"
 
-echo "$req" | socat stdin udp-sendto:10.10.25.7:9
+echo "$req" | socat stdin udp\-sendto:10.10.25.7:9
 # or
-echo "$req" | netcat -uw1 10.10.25.7 9
+echo "$req" | netcat \-uw1 10.10.25.7 9
 .fi
 .PP
 See the Linux docs for possible sysrq keys. Important ones are: re(b)oot,
-power(o)ff, (s)ync filesystems, (u)mount and remount readonly.  More than one
+power(o)ff, (s)ync filesystems, (u)mount and remount readonly. More than one
 sysrq key can be used at once, but bear in mind that, for example, a sync may
 not complete before a subsequent reboot or poweroff.
 .PP

extensions/libxt_TARPIT.man

@@ -11,16 +11,16 @@ tarpit.
 
 To tarpit connections to TCP port 80 destined for the current machine:
 .IP
--A INPUT -p tcp -m tcp --dport 80 -j TARPIT
-.P
+\-A INPUT \-p tcp \-m tcp \-\-dport 80 \-j TARPIT
+.PP
 To significantly slow down Code Red/Nimda-style scans of unused address space,
 forward unused ip addresses to a Linux box not acting as a router (e.g. "ip
 route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP forwarding on
 the Linux box, and add:
 .IP
--A FORWARD -p tcp -j TARPIT
+\-A FORWARD \-p tcp \-j TARPIT
 .IP
--A FORWARD -j DROP
+\-A FORWARD \-j DROP
 .PP
 NOTE:
 If you use the conntrack module while you are using TARPIT, you should also use
@@ -28,6 +28,6 @@ the NOTRACK target, or the kernel will unnecessarily allocate resources for
 each TARPITted connection. To TARPIT incoming connections to the standard IRC
 port while using conntrack, you could:
 .IP
--t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+\-t raw \-A PREROUTING \-p tcp \-\-dport 6667 \-j NOTRACK
 .IP
--A INPUT -p tcp --dport 6667 -j TARPIT
+\-A INPUT \-p tcp \-\-dport 6667 \-j TARPIT

extensions/libxt_TEE.man

@@ -3,6 +3,6 @@ machine on the \fBlocal\fP network segment. In other words, the nexthop
 must be the target, or you will have to configure the nexthop to forward it
 further if so desired.
 .TP
-\fB--gw\fP \fIipaddr\fP
+\fB\-\-gw\fP \fIipaddr\fP
 Send the cloned packet to the host reachable at the given IP address.
 Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.

extensions/libxt_condition.man

@@ -1,4 +1,4 @@
 This matches if a specific condition variable is (un)set.
 .TP
-[\fB!\fP] \fB--condition\fP \fIname\fP
+[\fB!\fP] \fB\-\-condition\fP \fIname\fP
 Match on boolean value stored in /proc/net/nf_condition/\fIname\fP.

extensions/libxt_dhcpmac.man

@@ -1,4 +1,4 @@
 .TP
-\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
+\fB\-\-mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
 Matches the DHCP "Client Host" address (a MAC address) in a DHCP message.
 \fImask\fP specifies the prefix length of the initial portion to match.

extensions/libxt_fuzzy.man

@@ -1,7 +1,7 @@
 This module matches a rate limit based on a fuzzy logic controller (FLC).
 .TP
-\fB--lower-limit\fP \fInumber\fP
+\fB\-\-lower\-limit\fP \fInumber\fP
 Specifies the lower limit, in packets per second.
 .TP
-\fB--upper-limit\fP \fInumber\fP
+\fB\-\-upper\-limit\fP \fInumber\fP
 Specifies the upper limit, also in packets per second.

extensions/libxt_geoip.man

@@ -1,9 +1,9 @@
 Match a packet by its source or destination country.
 .TP
-[\fB!\fP] \fB--src-cc\fP, \fB--source-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
+[\fB!\fP] \fB\-\-src\-cc\fP, \fB\-\-source\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
 Match packet coming from (one of) the specified country(ies)
 .TP
-[\fB!\fP] \fB--dst-cc\fP, \fB--destination-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
+[\fB!\fP] \fB\-\-dst\-cc\fP, \fB\-\-destination\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP]
 Match packet going to (one of) the specified country(ies)
 .TP
 NOTE:

extensions/libxt_iface.man

@@ -30,7 +30,7 @@ Check the MULTICAST flag.
 [\fB!\fP] \fB\-\-dynamic\fP
 Check the DYNAMIC flag.
 .TP
-[\fB!\fP] \fB\-\-lower-up\fP
+[\fB!\fP] \fB\-\-lower\-up\fP
 Check the LOWER_UP flag.
 .TP
 [\fB!\fP] \fB\-\-dormant\fP

extensions/libxt_ipp2p.man

@@ -1,41 +1,41 @@
 This module matches certain packets in P2P flows. It is not
-designed to match all packets belonging to a P2P connection - 
+designed to match all packets belonging to a P2P connection \(em
 use IPP2P together with CONNMARK for this purpose.
 .PP
-Use it together with -p tcp or -p udp to search these protocols
-only or without -p switch to search packets of both protocols.
+Use it together with \-p tcp or \-p udp to search these protocols
+only or without \-p switch to search packets of both protocols.
 .PP
 IPP2P provides the following options, of which one or more may be specified
 on the command line:
 .TP
-.B "--edk "
+\fB\-\-edk\fP
 Matches as many eDonkey/eMule packets as possible.
 .TP
-.B "--kazaa "
+\fB\-\-kazaa\fP
 Matches as many KaZaA packets as possible.
 .TP
-.B "--gnu "
+\fB\-\-gnu\fP
 Matches as many Gnutella packets as possible.
 .TP
-.B "--dc "
+\fB\-\-dc\fP
 Matches as many Direct Connect packets as possible.
 .TP
-.B "--bit "
+\fB\-\-bit\fP
 Matches BitTorrent packets.
 .TP
-.B "--apple "
+\fB\-\-apple\fP
 Matches AppleJuice packets.
 .TP
-.B "--soul "
+\fB\-\-soul\fP
 Matches some SoulSeek packets. Considered as beta, use careful!
 .TP
-.B "--winmx "
+\fB\-\-winmx\fP
 Matches some WinMX packets. Considered as beta, use careful!
 .TP
-.B "--ares "
-Matches Ares and AresLite packets. Use together with -j DROP only.
+\fB\-\-ares\fP
+Matches Ares and AresLite packets. Use together with \-j DROP only.
 .TP
-.B "--debug "
+\fB\-\-debug\fP
 Prints some information about each hit into kernel logfile. May 
 produce huge logfiles so beware!
 .PP
@@ -44,5 +44,5 @@ exchanged as a result of running filesharing programs.
 .PP
 There is more information on http://ipp2p.org/ , but it has not been updated
 since September 2006, and the syntax there is different from the ipp2p.c
-provided in Xtables-addons; most importantly, the --ipp2p flag was removed due
-to its ambiguity to match "all known" protocols.
+provided in Xtables-addons; most importantly, the \-\-ipp2p flag was removed
+due to its ambiguity to match "all known" protocols.

extensions/libxt_ipv4options.man

@@ -13,25 +13,25 @@ where only at least one symbol spec must be true.
 .PP
 Known symbol names (and their number):
 .PP
-1 - \fBnop\fP
+1 \(em \fBnop\fP
 .PP
-2 - \fBsecurity\fP - RFC 1108
+2 \(em \fBsecurity\fP \(em RFC 1108
 .PP
-3 - \fBlsrr\fP - Loose Source Routing, RFC 791
+3 \(em \fBlsrr\fP \(em Loose Source Routing, RFC 791
 .PP
-4 - \fBtimestamp\fP - RFC 781, 791
+4 \(em \fBtimestamp\fP \(em RFC 781, 791
 .PP
-7 - \fBrecord\-route\fP - RFC 791
+7 \(em \fBrecord\-route\fP \em RFC 791
 .PP
-9 - \fBssrr\fP - Strict Source Routing, RFC 791
+9 \(em \fBssrr\fP \(em Strict Source Routing, RFC 791
 .PP
-11 - \fBmtu\-probe\fP - RFC 1063
+11 \(em \fBmtu\-probe\fP \(em RFC 1063
 .PP
-12 - \fBmtu\-reply\fP - RFC 1063
+12 \(em \fBmtu\-reply\fP \(em RFC 1063
 .PP
-18 - \fBtraceroute\fP - RFC 1393
+18 \(em \fBtraceroute\fP \(em RFC 1393
 .PP
-20 - \fBrouter-alert\fP - RFC 2113
+20 \(em \fBrouter-alert\fP \(em RFC 2113
 .PP
 Examples:
 .PP

extensions/libxt_length.man

@@ -1,18 +1,19 @@
 This module matches the length of a packet against a specific value or range of
 values.
 .TP
-[\fB!\fR] \fB--length\fR \fIlength\fR[\fB:\fR\fIlength\fR]
+[\fB!\fR] \fB\-\-length\fR \fIlength\fR[\fB:\fR\fIlength\fR]
 Match exact length or length range.
 .TP
-\fB--layer3\fR
+\fB\-\-layer3\fR
 Match the layer3 frame size (e.g. IPv4/v6 header plus payload).
 .TP
-\fB--layer4\fR
+\fB\-\-layer4\fR
 Match the layer4 frame size (e.g. TCP/UDP header plus payload).
 .TP
-\fB--layer5\fR
+\fB\-\-layer5\fR
 Match the layer5 frame size (e.g. TCP/UDP payload, often called layer7).
 .PP
-If no --layer* option is given, --layer3 is assumed by default. Note that using
---layer5 may not match a packet if it is not one of the recognized types
-(currently TCP, UDP, UDPLite, ICMP, AH and ESP) or which has no 5th layer.
+If no \-\-layer* option is given, \-\-layer3 is assumed by default. Note that
+using \-\-layer5 may not match a packet if it is not one of the recognized
+types (currently TCP, UDP, UDPLite, ICMP, AH and ESP) or which has no 5th
+layer.

extensions/libxt_lscan.man

@@ -6,19 +6,19 @@ out, but this information can be used in conjunction with other rules to block
 the remote host's future connections. So this match module will match on the
 (probably) last packet the remote side will send to your machine.
 .TP
-\fB--stealth\fR
+\fB\-\-stealth\fR
 Match if the packet did not belong to any known TCP connection
 (Stealth/FIN/XMAS/NULL scan).
 .TP
-\fB--synscan\fR
+\fB\-\-synscan\fR
 Match if the connection was a TCP half-open discovery (SYN scan), i.e. the
 connection was torn down after the 2nd packet in the 3-way handshake.
 .TP
-\fB--cnscan\fR
+\fB\-\-cnscan\fR
 Match if the connection was a TCP full open discovery (connect scan), i.e. the
 connection was torn down after completion of the 3-way handshake.
 .TP
-\fB--grscan\fR
+\fB\-\-grscan\fR
 Match if data in the connection only flew in the direction of the remote side,
 e.g. if the connection was terminated after a locally running daemon sent its
 identification. (E.g. openssh, smtp, ftpd.) This may falsely trigger on

extensions/libxt_pknock.man

@@ -0,0 +1,113 @@
+Pknock match implements so-called "port knocking", a stealthy system
+for network authentication: a client sends packets to selected
+ports in a specific sequence (= simple mode, see example 1 below), or a HMAC
+payload to a single port (= complex mode, see example 2 below),
+to a target machine that has pknock rule(s) installed. The target machine
+then decides whether to unblock or block (again) the pknock-protected port(s).
+This can be used, for instance, to avoid brute force
+attacks on ssh or ftp services.
+.PP
+Example prerequisites:
+.IP
+modprobe cn
+.IP
+modprobe xt_pknock
+.PP
+Example 1 (TCP mode, manual closing of opened port not possible):
+.IP
+iptables -P INPUT DROP
+.IP
+iptables -A INPUT -p tcp -m pknock --knockports 4002,4001,4004 --strict
+--name SSH --time 10 --autoclose 60 --dport 22 -j ACCEPT
+.PP
+The rule will allow tcp port 22 for the attempting IP address after the successful reception of TCP SYN packets
+to ports 4002, 4001 and 4004, in this order (a.k.a. port-knocking).
+Port numbers in the connect sequence must follow the exact specification, no
+other ports may be "knocked" inbetween. The rule is named '\fBSSH\fP' \(em a file of
+the same name for tracking port knocking states will be created in
+\fB/proc/net/xt_pknock\fP .
+Successive port knocks must occur with delay of at most 10 seconds. Port 22 (from the example) will
+be automatiaclly dropped after 60 minutes after it was previously allowed.
+.PP
+Example 2 (UDP mode \(em non-replayable and non-spoofable, manual closing
+of opened port possible, secure, also called "SPA" = Secure Port
+Authorization):
+.IP
+iptables -A INPUT -p udp -m pknock --knockports 4000 --name FTP
+--opensecret foo --closesecret bar --autoclose 240 -j DROP
+.IP
+iptables -A INPUT -p tcp -m pknock --checkip --name FTP --dport 21 -j ACCEPT
+.PP
+The first rule will create an "ALLOWED" record in /proc/net/xt_pknock/FTP after
+the successful reception of an UDP packet to port 4000. The packet payload must be
+constructed as a HMAC256 using "foo" as a key. The HMAC content is the particular client's IP address as a 32-bit network byteorder quantity,
+plus the number of minutes since the Unix epoch, also as a 32-bit value.
+(This is known as Simple Packet Authorization, also called "SPA".)
+In such case, any subsequent attempt to connect to port 21 from the client's IP
+address will cause such packets to be accepted in the second rule.
+.PP
+Similarly, upon reception of an UDP packet constructed the same way, but with
+the key "bar", the first rule will remove a previously installed "ALLOWED" state
+record from /proc/net/xt_pknock/FTP, which means that the second rule will
+stop matching for subsequent connection attempts to port 21.
+In case no close-secret packet is received within 4 hours, the first rule
+will remove "ALLOWED" record from /proc/net/xt_pknock/FTP itself.
+.PP
+Things worth noting:
+.PP
+\fBGeneral\fP:
+.PP
+Specifying \fB--autoclose 0\fP means that no automatic close will be performed at all.
+.PP
+xt_pknock is capable of sending information about successful matches
+via a netlink socket to userspace, should you need to implement your own
+way of receiving and handling portknock notifications.
+Be sure to read the documentation in the doc/pknock/ directory,
+or visit the original site \(em http://portknocko.berlios.de/ .
+.PP
+\fBTCP mode\fP:
+.PP
+This mode is not immune against eavesdropping, spoofing and
+replaying of the port knock sequence by someone else (but its use may still
+be sufficient for scenarios where these factors are not necessarily
+this important, such as bare shielding of the SSH port from brute-force attacks).
+However, if you need these features, you should use UDP mode.
+.PP
+It is always wise to specify three or more ports that are not monotonically
+increasing or decreasing with a small stepsize (e.g. 1024,1025,1026)
+to avoid accidentally triggering
+the rule by a portscan.
+.PP
+Specifying the inter-knock timeout with \fB--time\fP is mandatory in TCP mode,
+to avoid permanent denial of services by clogging up the peer knock-state tracking table
+that xt_pknock internally keeps, should there be a DDoS on the
+first-in-row knock port from more hostile IP addresses than what the actual size
+of this table is (defaults to 16, can be changed via the "peer_hasht_ents" module parameter).
+It is also wise to use as short a time as possible (1 second) for \fB--time\fP
+for this very reason. You may also consider increasing the size
+of the peer knock-state tracking table. Using \fB--strict\fP also helps,
+as it requires the knock sequence to be exact. This means that if the
+hostile client sends more knocks to the same port, xt_pknock will
+mark such attempt as failed knock sequence and will forget it immediately.
+To completely thwart this kind of DDoS, knock-ports would need to have
+an additional rate-limit protection. Or you may consider using UDP mode.
+.PP
+\fBUDP mode\fP:
+.PP
+This mode is immune against eavesdropping, replaying and spoofing attacks.
+It is also immune against DDoS attack on the knockport.
+.PP
+For this mode to work, the clock difference on the client and on the server
+must be below 1 minute. Synchronizing time on both ends by means
+of NTP or rdate is strongly suggested.
+.PP
+There is a rate limiter built into xt_pknock which blocks any subsequent
+open attempt in UDP mode should the request arrive within less than one
+minute since the first successful open. This is intentional;
+it thwarts eventual spoofing attacks.
+.PP
+Because the payload value of an UDP knock packet is influenced by client's IP address,
+UDP mode cannot be used across NAT.
+.PP
+For sending UDP "SPA" packets, you may use either \fBknock.sh\fP or
+\fBknock-orig.sh\fP. These may be found in doc/pknock/util.

extensions/libxt_psd.man

@@ -1,18 +1,18 @@
 Attempt to detect TCP and UDP port scans. This match was derived from
 Solar Designer's scanlogd.
 .TP
-.BI "--psd-weight-threshold " "threshold"
+\fB\-\-psd\-weight\-threshold\fP \fIthreshold\fP
 Total weight of the latest TCP/UDP packets with different
 destination ports coming from the same host to be treated as port
 scan sequence.
 .TP
-.BI "--psd-delay-threshold " "delay"
+\fB\-\-psd\-delay\-threshold\fP \fIdelay\fP
 Delay (in hundredths of second) for the packets with different
 destination ports coming from the same host to be treated as
 possible port scan subsequence.
 .TP
-.BI "--psd-lo-ports-weight " "weight"
+\fB\-\-psd\-lo\-ports\-weight\fP \fIweight\fP
 Weight of the packet with privileged (<=1024) destination port.
 .TP
-.BI "--psd-hi-ports-weight " "weight"
+\fB\-\-psd\-hi\-ports\-weight\fP \fIweight\fP
 Weight of the packet with non-priviliged destination port.

extensions/libxt_quota2.man

@@ -7,25 +7,25 @@ When counting down from the initial quota, the counter will stop at 0 and
 the match will return false, just like the original "quota" match. In growing
 (upcounting) mode, it will always return true.
 .TP
-\fB--grow\fP
+\fB\-\-grow\fP
 Count upwards instead of downwards.
 .TP
-\fB--name\fP \fIname\fP
+\fB\-\-name\fP \fIname\fP
 Assign the counter a specific name. This option must be present, as an empty
 name is not allowed. Names starting with a dot or names containing a slash are
 prohibited.
 .TP
-[\fB!\fP] \fB--quota\fP \fIiq\fP
+[\fB!\fP] \fB\-\-quota\fP \fIiq\fP
 Specify the initial quota for this counter. If the counter already exists,
 it is not reset. An "!" may be used to invert the result of the match. The
-negation has no effect when \fB--grow\fP is used.
+negation has no effect when \fB\-\-grow\fP is used.
 .TP
-\fB--packets\fP
+\fB\-\-packets\fP
 Count packets instead of bytes that passed the quota2 match.
 .PP
 Because counters in quota2 can be shared, you can combine them for various
 purposes, for example, a bytebucket filter that only lets as much traffic go
 out as has come in:
 .PP
--A INPUT -p tcp --dport 6881 -m quota --name bt --grow
--A OUTPUT -p tcp --sport 6881 -m quota --name bt
+\-A INPUT \-p tcp \-\-dport 6881 \-m quota \-\-name bt \-\-grow;
+\-A OUTPUT \-p tcp \-\-sport 6881 \-m quota \-\-name bt;

extensions/pknock/.gitignore

@@ -0,0 +1 @@
+/pknlusr

extensions/pknock/Kbuild

@@ -0,0 +1,5 @@
+# -*- Makefile -*-
+
+EXTRA_CFLAGS = -I${src}/..
+
+obj-m += xt_pknock.o

extensions/pknock/Makefile.am

@@ -0,0 +1,5 @@
+# -*- Makefile -*-
+
+include ../../Makefile.extra
+
+noinst_PROGRAMS = pknlusr

extensions/pknock/Mbuild

@@ -0,0 +1,3 @@
+# -*- Makefile -*-
+
+obj-${build_pknock}      += libxt_pknock.so

extensions/pknock/libxt_pknock.c

@@ -0,0 +1,343 @@
+/*
+ * Shared library add-on to iptables to add Port Knocking and SPA matching
+ * support.
+ *
+ * (C) 2006-2009 J. Federico Hernandez <fede.hernandez@gmail.com>
+ * (C) 2006 Luis Floreani <luis.floreani@gmail.com>
+ *
+ * This program is released under the terms of GNU GPL version 2.
+ */
+#include <getopt.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include "xt_pknock.h"
+
+static const struct option pknock_mt_opts[] = {
+	/* .name, .has_arg, .flag, .val */
+	{.name = "knockports",  .has_arg = true,  .val = 'k'},
+	{.name = "time",        .has_arg = true,  .val = 't'},
+	{.name = "autoclose",   .has_arg = true,  .val = 'a'},
+	{.name = "name",        .has_arg = true,  .val = 'n'},
+	{.name = "opensecret",  .has_arg = true,  .val = 'o'},
+	{.name = "closesecret", .has_arg = true,  .val = 'z'},
+	{.name = "strict",      .has_arg = false, .val = 'x'},
+	{.name = "checkip",     .has_arg = false, .val = 'c'},
+	{NULL},
+};
+
+static void pknock_mt_help(void)
+{
+	printf("pknock match options:\n"
+		" --knockports port[,port,port,...]	"
+			"Matches destination port(s).\n"
+		" --time seconds\n"
+			"Max allowed time between knocks.\n"
+		" --autoclose minutes\n"
+			"Time after which to automatically close opened\n"
+			"\t\t\t\t\tport(s).\n"
+		" --strict				"
+			"Knocks sequence must be exact.\n"
+		" --name rule_name			"
+			"Rule name.\n"
+		" --checkip				"
+			"Matches if the source ip is in the list.\n"
+		);
+}
+
+static unsigned int
+parse_ports(const char *portstring, uint16_t *ports, const char *proto)
+{
+	char *buffer, *cp, *next;
+	unsigned int i;
+
+	buffer = strdup(portstring);
+	if (buffer == NULL)
+		xtables_error(OTHER_PROBLEM, "strdup failed");
+
+	for (cp = buffer, i = 0; cp != NULL && i < XT_PKNOCK_MAX_PORTS; cp = next, ++i)
+	{
+		next=strchr(cp, ',');
+		if (next != NULL)
+			*next++ = '\0';
+		ports[i] = xtables_parse_port(cp, proto);
+	}
+
+	if (cp != NULL)
+		xtables_error(PARAMETER_PROBLEM, "too many ports specified");
+
+	free(buffer);
+	return i;
+}
+
+static char *
+proto_to_name(uint8_t proto)
+{
+	switch (proto) {
+	case IPPROTO_TCP:
+		return "tcp";
+	case IPPROTO_UDP:
+		return "udp";
+	default:
+		return NULL;
+	}
+}
+
+static const char *
+check_proto(uint16_t pnum, uint8_t invflags)
+{
+	char *proto;
+
+	if (invflags & XT_INV_PROTO)
+		xtables_error(PARAMETER_PROBLEM, PKNOCK "only works with TCP and UDP.");
+
+	if ((proto = proto_to_name(pnum)) != NULL)
+		return proto;
+	else if (pnum == 0)
+		xtables_error(PARAMETER_PROBLEM, PKNOCK "needs `-p tcp' or `-p udp'");
+	else
+		xtables_error(PARAMETER_PROBLEM, PKNOCK "only works with TCP and UDP.");
+}
+
+static int
+__pknock_parse(int c, char **argv, int invert, unsigned int *flags,
+		struct xt_entry_match **match, uint16_t pnum,
+		uint16_t invflags)
+{
+	const char *proto;
+	struct xt_pknock_mtinfo *info = (void *)(*match)->data;
+	unsigned int tmp;
+
+	switch (c) {
+	case 'k': /* --knockports */
+		if (*flags & XT_PKNOCK_KNOCKPORT)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --knockports twice.\n");
+		proto = check_proto(pnum, invflags);
+
+		info->ports_count = parse_ports(optarg, info->port, proto);
+		info->option |= XT_PKNOCK_KNOCKPORT;
+		*flags |= XT_PKNOCK_KNOCKPORT;
+#if DEBUG
+		printf("ports_count: %d\n", info->ports_count);
+#endif
+		break;
+
+	case 't': /* --time */
+		if (*flags & XT_PKNOCK_TIME)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --time twice.\n");
+		info->max_time = atoi(optarg);
+		if (info->max_time == 0)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"--time number must be > 0.\n");
+		info->option |= XT_PKNOCK_TIME;
+		*flags |= XT_PKNOCK_TIME;
+		break;
+
+        case 'a': /* --autoclose */
+		if (*flags & XT_PKNOCK_AUTOCLOSE)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --autoclose twice.\n");
+		if (!xtables_strtoui(optarg, NULL, &tmp, 0, ~0U))
+			xtables_param_act(XTF_BAD_VALUE, PKNOCK,
+				"--autoclose", optarg);
+                info->autoclose_time = tmp;
+                info->option |= XT_PKNOCK_AUTOCLOSE;
+                *flags |= XT_PKNOCK_AUTOCLOSE;
+                break;
+
+	case 'n': /* --name */
+		if (*flags & XT_PKNOCK_NAME)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --name twice.\n");
+		memset(info->rule_name, 0, sizeof(info->rule_name));
+		strncpy(info->rule_name, optarg, sizeof(info->rule_name) - 1);
+
+		info->rule_name_len = strlen(info->rule_name);
+		info->option |= XT_PKNOCK_NAME;
+		*flags |= XT_PKNOCK_NAME;
+#if DEBUG
+		printf("info->rule_name: %s\n", info->rule_name);
+#endif
+		break;
+
+	case 'o': /* --opensecret */
+		if (*flags & XT_PKNOCK_OPENSECRET)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --opensecret twice.\n");
+		memset(info->open_secret, 0, sizeof(info->open_secret));
+		strncpy(info->open_secret, optarg, sizeof(info->open_secret) - 1);
+
+		info->open_secret_len = strlen(info->open_secret);
+		info->option |= XT_PKNOCK_OPENSECRET;
+		*flags |= XT_PKNOCK_OPENSECRET;
+		break;
+
+	case 'z': /* --closesecret */
+		if (*flags & XT_PKNOCK_CLOSESECRET)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --closesecret twice.\n");
+		memset(info->close_secret, 0, sizeof(info->close_secret));
+		strncpy(info->close_secret, optarg, sizeof(info->close_secret) - 1);
+
+		info->close_secret_len = strlen(info->close_secret);
+		info->option |= XT_PKNOCK_CLOSESECRET;
+		*flags |= XT_PKNOCK_CLOSESECRET;
+		break;
+
+	case 'c': /* --checkip */
+		if (*flags & XT_PKNOCK_CHECKIP)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --checkip twice.\n");
+		info->option |= XT_PKNOCK_CHECKIP;
+		*flags |= XT_PKNOCK_CHECKIP;
+		break;
+
+	case 'x': /* --strict */
+		if (*flags & XT_PKNOCK_STRICT)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --strict twice.\n");
+		info->option |= XT_PKNOCK_STRICT;
+		*flags |= XT_PKNOCK_STRICT;
+		break;
+
+	default:
+		return 0;
+	}
+
+	if (invert)
+		xtables_error(PARAMETER_PROBLEM, PKNOCK "does not support invert.");
+
+	return 1;
+}
+
+static int pknock_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                		const void *e, struct xt_entry_match **match)
+{
+	const struct ipt_entry *entry = e;
+	return __pknock_parse(c, argv, invert, flags, match,
+			entry->ip.proto, entry->ip.invflags);
+}
+
+static void pknock_mt_check(unsigned int flags)
+{
+	if (!(flags & XT_PKNOCK_NAME))
+		xtables_error(PARAMETER_PROBLEM, PKNOCK
+			"--name option is required.\n");
+
+	if (flags & XT_PKNOCK_KNOCKPORT) {
+		if (flags & XT_PKNOCK_CHECKIP)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --knockports with --checkip.\n");
+		if ((flags & XT_PKNOCK_OPENSECRET)
+			&& !(flags & XT_PKNOCK_CLOSESECRET))
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"--opensecret must go with --closesecret.\n");
+		if ((flags & XT_PKNOCK_CLOSESECRET)
+			&& !(flags & XT_PKNOCK_OPENSECRET))
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"--closesecret must go with --opensecret.\n");
+	}
+
+	if (flags & XT_PKNOCK_CHECKIP) {
+		if (flags & XT_PKNOCK_KNOCKPORT)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --checkip with --knockports.\n");
+		if ((flags & XT_PKNOCK_OPENSECRET)
+			|| (flags & XT_PKNOCK_CLOSESECRET))
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --opensecret and"
+				" --closesecret with --checkip.\n");
+		if (flags & XT_PKNOCK_TIME)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --time with --checkip.\n");
+		if (flags & XT_PKNOCK_AUTOCLOSE)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --autoclose with --checkip.\n");
+	} else if (!(flags & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_TIME))) {
+		xtables_error(PARAMETER_PROBLEM, PKNOCK
+			"you must specify --time.\n");
+	}
+}
+
+static void pknock_mt_print(const void *ip,
+						const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_pknock_mtinfo *info = (void *)match->data;
+	int i;
+
+	printf("pknock ");
+	if (info->option & XT_PKNOCK_KNOCKPORT) {
+		printf("knockports ");
+		for (i = 0; i < info->ports_count; ++i)
+			printf("%s%d", i ? "," : "", info->port[i]);
+		printf(" ");
+	}
+	if (info->option & XT_PKNOCK_TIME)
+		printf("time %ld ", (long)info->max_time);
+	if (info->option & XT_PKNOCK_AUTOCLOSE)
+		printf("autoclose %lu ", (unsigned long)info->autoclose_time);
+	if (info->option & XT_PKNOCK_NAME)
+		printf("name %s ", info->rule_name);
+	if (info->option & XT_PKNOCK_OPENSECRET)
+		printf("opensecret ");
+	if (info->option & XT_PKNOCK_CLOSESECRET)
+		printf("closesecret ");
+	if (info->option & XT_PKNOCK_STRICT)
+		printf("strict ");
+	if (info->option & XT_PKNOCK_CHECKIP)
+		printf("checkip ");
+}
+
+static void pknock_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	int i;
+	const struct xt_pknock_mtinfo *info = (void *)match->data;
+
+	if (info->option & XT_PKNOCK_KNOCKPORT) {
+		printf("--knockports ");
+		for (i = 0; i < info->ports_count; ++i)
+			printf("%s%d", i ? "," : "", info->port[i]);
+		printf(" ");
+	}
+	if (info->option & XT_PKNOCK_TIME)
+		printf("--time %ld ", (long)info->max_time);
+	if (info->option & XT_PKNOCK_AUTOCLOSE)
+		printf("--autoclose %lu ",
+		       (unsigned long)info->autoclose_time);
+	if (info->option & XT_PKNOCK_NAME)
+		printf("--name %s ", info->rule_name);
+	if (info->option & XT_PKNOCK_OPENSECRET)
+		printf("--opensecret ");
+	if (info->option & XT_PKNOCK_CLOSESECRET)
+		printf("--closesecret ");
+	if (info->option & XT_PKNOCK_STRICT)
+		printf("--strict ");
+	if (info->option & XT_PKNOCK_CHECKIP)
+		printf("--checkip ");
+}
+
+static struct xtables_match pknock_mt_reg = {
+	.name		= "pknock",
+	.version	= XTABLES_VERSION,
+	.revision      = 1,
+	.family		= AF_INET,
+	.size          = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
+	.help          = pknock_mt_help,
+	.parse         = pknock_mt_parse,
+	.final_check   = pknock_mt_check,
+	.print         = pknock_mt_print,
+	.save          = pknock_mt_save,
+	.extra_opts    = pknock_mt_opts,
+};
+
+static __attribute__((constructor)) void pknock_mt_ldr(void)
+{
+	xtables_register_match(&pknock_mt_reg);
+}

extensions/pknock/pknlusr.c

@@ -0,0 +1,93 @@
+#include <sys/socket.h>
+#include <unistd.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <arpa/inet.h>
+#include <linux/netlink.h>
+#include <linux/connector.h>
+
+#include "xt_pknock.h"
+
+#define GROUP 1
+
+static struct sockaddr_nl src_addr, dest_addr;
+static struct msghdr msg;
+static int sock_fd;
+
+static unsigned char *buf;
+
+static struct xt_pknock_nl_msg *nlmsg;
+
+int main(void)
+{
+	socklen_t addrlen;
+	int status;
+	int group = GROUP;
+	struct cn_msg *cnmsg;
+
+	int i, buf_size;
+
+	const char *ip;
+	char ipbuf[48];
+
+	sock_fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
+
+	if (sock_fd == -1) {
+		perror("socket()");
+		return 1;
+	}
+
+	memset(&src_addr, 0, sizeof(src_addr));
+	src_addr.nl_family = AF_NETLINK;
+	src_addr.nl_pid = getpid();
+	src_addr.nl_groups = group;
+
+	status = bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr));
+
+	if (status == -1) {
+		close(sock_fd);
+		perror("bind()");
+		return 1;
+	}
+
+	memset(&dest_addr, 0, sizeof(dest_addr));
+	dest_addr.nl_family = AF_NETLINK;
+	dest_addr.nl_pid = 0;
+	dest_addr.nl_groups = group;
+
+	buf_size = sizeof(struct xt_pknock_nl_msg) + sizeof(struct cn_msg) + sizeof(struct nlmsghdr);
+	buf = malloc(buf_size);
+
+	if (!buf) {
+		perror("malloc()");
+		return 1;
+	}
+
+	addrlen = sizeof(dest_addr);
+
+	while(1) {
+
+		memset(buf, 0, buf_size);
+
+		status = recvfrom(sock_fd, buf, buf_size, 0, (struct sockaddr *)&dest_addr, &addrlen);
+
+		if (status <= 0) {
+			perror("recvfrom()");
+			return 1;
+		}
+
+	nlmsg = (struct xt_pknock_nl_msg *) (buf + sizeof(struct cn_msg) + sizeof(struct nlmsghdr));
+
+		ip = inet_ntop(AF_INET, &nlmsg->peer_ip, ipbuf, sizeof(ipbuf));
+		printf("rule_name: %s - ip %s\n", nlmsg->rule_name, ip);
+
+	}
+
+	close(sock_fd);
+
+	free(buf);
+
+	return 0;
+}

extensions/pknock/xt_pknock.Kconfig

@@ -0,0 +1,13 @@
+config NETFILTER_XT_MATCH_PKNOCK
+	tristate "Port knocking match support"
+	depends on NETFILTER_XTABLES && CONNECTOR
+	---help---
+	pknock match implements so-called Port Knocking, a stealthy system
+	for network authentication: client sends packets to selected, closed
+	ports on target machine in a specific sequence. The target machine
+	(which has pknock match rule set up) then decides whether to
+	unblock or block (again) its protected port with listening
+	service. This can be, for instance, used to avoid brute force attacks
+	on ssh or ftp services.
+
+	For more informations go to: http://portknocko.berlios.de/

extensions/pknock/xt_pknock.h

@@ -0,0 +1,53 @@
+/*
+ * Kernel module to implement Port Knocking and SPA matching support.
+ *
+ * (C) 2006-2008 J. Federico Hernandez <fede.hernandez@gmail.com>
+ * (C) 2006 Luis Floreani <luis.floreani@gmail.com>
+ *
+ * $Id$
+ *
+ * This program is released under the terms of GNU GPL version 2.
+ */
+#ifndef _XT_PKNOCK_H
+#define _XT_PKNOCK_H
+
+#define PKNOCK "xt_pknock: "
+
+enum {
+	XT_PKNOCK_KNOCKPORT   = 1 << 0,
+	XT_PKNOCK_TIME        = 1 << 1,
+	XT_PKNOCK_NAME        = 1 << 2,
+	XT_PKNOCK_STRICT      = 1 << 3,
+	XT_PKNOCK_CHECKIP     = 1 << 4,
+	XT_PKNOCK_OPENSECRET  = 1 << 5,
+	XT_PKNOCK_CLOSESECRET = 1 << 6,
+	XT_PKNOCK_AUTOCLOSE   = 1 << 7,
+
+	/* Can never change these, as they are make up the user protocol. */
+	XT_PKNOCK_MAX_PORTS      = 15,
+	XT_PKNOCK_MAX_BUF_LEN    = 31,
+	XT_PKNOCK_MAX_PASSWD_LEN = 31,
+};
+
+#define DEBUG 1
+
+struct xt_pknock_mtinfo {
+	char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
+	uint32_t			rule_name_len;
+	char open_secret[XT_PKNOCK_MAX_PASSWD_LEN+1];
+	uint32_t			open_secret_len;
+	char close_secret[XT_PKNOCK_MAX_PASSWD_LEN+1];
+	uint32_t			close_secret_len;
+	uint8_t	option;		/* --time, --knock-port, ... */
+	uint8_t	ports_count;	/* number of ports */
+	uint16_t	port[XT_PKNOCK_MAX_PORTS]; /* port[,port,port,...] */
+	uint32_t	max_time;	/* max matching time between ports */
+	uint32_t autoclose_time;
+};
+
+struct xt_pknock_nl_msg {
+	char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
+	__be32 peer_ip;
+};
+
+#endif /* _XT_PKNOCK_H */

extensions/xt_condition.c

@@ -55,7 +55,7 @@ struct condition_variable {
 
 /* proc_lock is a user context only semaphore used for write access */
 /*           to the conditions' list.                               */
-static DECLARE_MUTEX(proc_lock);
+static struct semaphore proc_lock;
 
 static LIST_HEAD(conditions_list);
 static struct proc_dir_entry *proc_net_condition;
@@ -232,6 +232,7 @@ static int __init condition_mt_init(void)
 {
 	int ret;
 
+	sema_init(&proc_lock, 1);
 	proc_net_condition = proc_mkdir(dir_name, init_net__proc_net);
 	if (proc_net_condition == NULL)
 		return -EACCES;

extensions/xt_ipp2p.c

@@ -844,7 +844,13 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 		if (tcph->rst) return 0;  /* if RST bit is set bail out */
 
 		haystack += tcph->doff * 4; /* get TCP-Header-Size */
-		hlen -= tcph->doff * 4;
+		if (tcph->doff * 4 > hlen) {
+			if (info->debug)
+				pr_info("TCP header indicated packet larger than it is\n");
+			hlen = 0;
+		} else {
+			hlen -= tcph->doff * 4;
+		}
 		while (matchlist[i].command) {
 			if ((info->cmd & matchlist[i].command) == matchlist[i].command &&
 			    hlen > matchlist[i].packet_len)

extensions/xt_psd.c

@@ -102,8 +102,9 @@ static inline int hashfunc(struct in_addr addr)
 static bool
 xt_psd_match(const struct sk_buff *pskb, const struct xt_match_param *match)
 {
-	struct iphdr *iph;
-	struct tcphdr *tcph;
+	const struct iphdr *iph;
+	const struct tcphdr *tcph;
+	struct tcphdr _tcph;
 	struct in_addr addr;
 	u_int16_t src_port,dest_port;
   	u_int8_t tcp_flags, proto;
@@ -117,7 +118,7 @@ xt_psd_match(const struct sk_buff *pskb, const struct xt_match_param *match)
 	iph = ip_hdr(pskb);
 
 	/* Sanity check */
-	if (ntohs(iph->frag_off) & IP_OFFSET) {
+	if (iph->frag_off & htons(IP_OFFSET)) {
 		pr_debug("sanity check failed\n");
 		return false;
 	}
@@ -134,7 +135,9 @@ xt_psd_match(const struct sk_buff *pskb, const struct xt_match_param *match)
 
 	addr.s_addr = iph->saddr;
 
-	tcph = (void *)iph + ip_hdrlen(pskb);
+	tcph = skb_header_pointer(pskb, match->thoff, sizeof(_tcph), &_tcph);
+	if (tcph == NULL)
+		return false;
 
 	/* Yep, it's dirty */
 	src_port = tcph->source;

mconfig

@@ -21,5 +21,6 @@ build_ipset=m
 build_ipv4options=m
 build_length2=m
 build_lscan=m
+build_pknock=m
 build_psd=m
 build_quota2=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.18 (2009-09-09)" "" "v1.18 (2009-09-09)"
+.TH xtables-addons 8 "v1.19 (2009-10-12)" "" "v1.19 (2009-10-12)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets