Xtables-addons 2.14

The hooks are already checked by the xtables core (due to struct
xt_target::hooks).

.gitignore

@@ -1,9 +1,11 @@
+*.gcno
 *.la
 *.lo
 *.loT
 *.o
-.deps
-.libs
+.deps/
+.dirstamp
+.libs/
 Makefile
 Makefile.in
 
@@ -16,14 +18,10 @@ Makefile.in
 /targets.man
 
 /aclocal.m4
-/autom4te*.cache
-/compile
+/autom4te.cache/
+/build-aux/
 /config.*
 /configure
-/depcomp
-/install-sh
 /libtool
-/ltmain.sh
-/missing
 /stamp-h1
 /xtables-addons.8

INSTALL

@@ -12,21 +12,16 @@ in combination with the kernel's Kbuild system.
 Supported configurations for this release
 =========================================
 
-	* iptables >= 1.4.3
+	* iptables >= 1.4.5
 
-	* kernel-source >= 2.6.17, no upper bound known
+	* kernel-devel >= 3.7
 	  with prepared build/output directory
-	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
-	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
-	    enabled =y or as module (=m)
+	  - CONFIG_NF_CONNTRACK
+	  - CONFIG_NF_CONNTRACK_MARK enabled =y or as module (=m)
 	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
 	    notifications from pknock through netlink/connector
 
-Extra notes:
-
-	* in the kernel 2.6.18.x series, >= 2.6.18.5 is required
-
-	* requires that no vendor backports interfere
+(Use xtables-addons-1.x if you need support for Linux < 3.7.)
 
 
 Selecting extensions
@@ -41,6 +36,10 @@ Configuring and compiling
 
 ./configure [options]
 
+--without-kbuild
+
+	Deactivate building kernel modules, and just do userspace parts.
+
 --with-kbuild=
 
 	Specifies the path to the kernel build output directory. We need
@@ -51,20 +50,15 @@ Configuring and compiling
 	For RPM building, it should be /usr/src/linux-obj/...
 	or whatever location the distro makes use of.
 
---with-xtables=
-
-	Specifies the path to the directory where we may find
-	xtables.h, should it not be within the standard C compiler
-	include path (/usr/include), or if you want to override it.
-	The directory will be checked for xtables.h and
-	include/xtables.h. (The latter to support both standard
-	/usr/include and the iptables source root.)
-
 --with-xtlibdir=
 
 	Specifies the path to where the newly built extensions should
-	be installed when `make install` is run. It uses the same
-	default as the Xtables/iptables package, ${libexecdir}/xtables.
+	be installed when `make install` is run. The default is to
+	use the same path that Xtables/iptables modules use, as
+	determined by `pkg-config xtables --variable xtlibdir`.
+	Thus, this option normally does NOT need to be specified
+	anymore, even if your distribution put modules in a strange
+	location.
 
 If you want to enable debugging, use
 
@@ -73,6 +67,25 @@ If you want to enable debugging, use
 (-O0 is used to turn off instruction reordering, which makes debugging
 much easier.)
 
+To make use of a libxtables that is not in the default path, either
+
+  a) append the location of the pkg-config files like:
+
+	PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+
+     (Assuming that files have been installed)
+or,
+
+  b) override the pkg-config variables, for example:
+
+	./configure libxtables_CFLAGS="-I../iptables/include" \
+		libxtables_LIBS="-L../iptables/.libs \
+			-Wl,-rpath,../iptables/.libs -lxtables"
+
+     (Use this in case you wish to use it without having to
+     run `make install`. This is because the libxtables.pc pkgconfig
+     file in ../iptables would already point to e.g. /usr/local.)
+
 
 Build-time options
 ==================
@@ -89,4 +102,5 @@ Except for --with-kbuild, distributions should not have a need to
 supply any other flags (besides --prefix=/usr and perhaps
 --libdir=/usr/lib64, etc.) to configure when all prerequired packages
 are installed. If iptables-devel is installed, necessary headers should
-be in /usr/include, so --with-xtables is not needed.
+already be in /usr/include, so that overriding PKG_CONFIG_PATH,
+libxtables_CFLAGS and libxtables_LIBS variables should not be needed.

Makefile.am

@@ -1,7 +1,7 @@
 # -*- Makefile -*-
 
 ACLOCAL_AMFLAGS  = -I m4
-SUBDIRS          = extensions
+SUBDIRS          = extensions geoip
 
 man_MANS := xtables-addons.8
 
@@ -11,15 +11,22 @@ FORCE:
 xtables-addons.8: FORCE
 	${MAKE} -f Makefile.mans all;
 
-install-exec-hook:
-	depmod -a || :;
+clean-local-mans:
+	${MAKE} -f Makefile.mans clean;
+
+clean-local: clean-local-mans
 
 config.status: Makefile.iptrules.in
 
+tmpdir := $(shell mktemp -dtu)
+packer  = xz
+packext = .tar.xz
+
 .PHONY: tarball
 tarball:
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
-	pushd ${top_srcdir} && git archive --prefix=xtables-addons-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
-	pushd /tmp/xtables-addons-${PACKAGE_VERSION} && ./autogen.sh && popd;
-	tar -C /tmp -cjf xtables-addons-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root xtables-addons-${PACKAGE_VERSION}/;
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
+# do not use mkdir_p here.
+	mkdir ${tmpdir}
+	pushd ${top_srcdir} && git archive --prefix=${PACKAGE_NAME}-${PACKAGE_VERSION}/ HEAD | tar -C ${tmpdir} -x && popd;
+	pushd ${tmpdir}/${PACKAGE_NAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
+	tar --use=${packer} -C ${tmpdir} -cf ${PACKAGE_NAME}-${PACKAGE_VERSION}${packext} --owner=root --group=root ${PACKAGE_NAME}-${PACKAGE_VERSION}/;
+	rm -Rf ${tmpdir};

Makefile.extra

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 # AUTOMAKE
 
+export AM_CPPFLAGS
+export AM_CFLAGS
 XA_SRCDIR = ${srcdir}
 XA_TOPSRCDIR = ${top_srcdir}
 XA_ABSTOPSRCDIR = ${abs_top_srcdir}

Makefile.iptrules.in

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 # MANUAL
 
+abs_top_srcdir  = @abs_top_srcdir@
+
 prefix          = @prefix@
 exec_prefix     = @exec_prefix@
 libexecdir      = @libexecdir@
@@ -8,10 +10,11 @@ xtlibdir        = @xtlibdir@
 
 CC              = @CC@
 CCLD            = ${CC}
+CFLAGS          = @CFLAGS@
+LDFLAGS         = @LDFLAGS@
 
-regular_CFLAGS  = @regular_CFLAGS@
-xtables_CFLAGS  = @xtables_CFLAGS@
-AM_CFLAGS       = ${regular_CFLAGS} ${xtables_CFLAGS}
+libxtables_CFLAGS = @libxtables_CFLAGS@
+libxtables_LIBS   = @libxtables_LIBS@
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
 AM_DEFAULT_VERBOSITY = 0
@@ -41,19 +44,19 @@ subdirs_list := $(filter %/,${obj-m})
 .PHONY: all install clean
 
 all: ${targets}
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i || exit $$?; done;
 
 install: ${targets}
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
 	install -dm0755 "${DESTDIR}/${xtlibdir}";
-	install -pm0755 $^ "${DESTDIR}/${xtlibdir}";
+	@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
 
 clean:
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
 	rm -f *.oo *.so;
 
 lib%.so: lib%.oo
-	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${libxtables_LIBS} ${LDLIBS};
 
 %.oo: ${XA_SRCDIR}/%.c
-	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CPPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CPPFLAGS} ${CFLAGS} -o $@ -c $<;

Makefile.mans.in

@@ -3,8 +3,8 @@
 
 srcdir := @srcdir@
 
-wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
-wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
+wcman_matches := $(shell find "${srcdir}/extensions" -name 'libxt_[a-z]*.man' -print | sort)
+wcman_targets := $(shell find "${srcdir}/extensions" -name 'libxt_[A-Z]*.man' -print | sort)
 wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
 wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
 
@@ -23,7 +23,7 @@ man_run = \
 		name="$${name\#\#*/libxt_}"; \
 		if [ -f "$$ext" ]; then \
 			echo ".SS $$name"; \
-			cat "$$ext"; \
+			cat "$$ext" || exit $$?; \
 			continue; \
 		fi; \
 	done >$@;
@@ -38,3 +38,6 @@ matches.man: .manpages.lst ${wcman_matches}
 
 targets.man: .manpages.lst ${wcman_targets}
 	$(call man_run,${wlist_targets})
+
+clean:
+	rm -f xtables-addons.8 matches.man targets.man

README

@@ -16,6 +16,11 @@ sanity checks and incorrect endianess handling have been fixed,
 simplified, and sped up.
 
 
+Included in this package
+========================
+- xt_ACCOUNT 1.16, libxt_ACCOUNT 1.3
+
+
 Inclusion into a kernel tree
 ============================
 

configure.ac

@@ -1,106 +1,79 @@
-
-AC_INIT([xtables-addons], [1.19])
+AC_INIT([xtables-addons], [2.14])
+AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
+AM_INIT_AUTOMAKE([1.10b -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
+m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
 AC_DISABLE_STATIC
 AC_PROG_LIBTOOL
 
-kbuilddir="/lib/modules/$(uname -r)/build";
 AC_ARG_WITH([kbuild],
 	AS_HELP_STRING([--with-kbuild=PATH],
-	[Path to kernel build directory [[/lib/modules/CURRENT/build]]]),
-	[kbuilddir="$withval"])
-AC_ARG_WITH([ksource],,[ksourcedir="$withval"])
-AC_ARG_WITH([xtables],
-	AS_HELP_STRING([--with-xtables=PATH],
-	[Path to the Xtables includes [[none]]]),
-	[xtables_location="$withval"])
+	[Path to kernel build directory [[/lib/modules/CURRENT/build]]])
+AS_HELP_STRING([--without-kbuild],
+	[Build only userspace tools]),
+	[kbuilddir="$withval"],
+	[kbuilddir="/lib/modules/$(uname -r)/build"])
+#
+# check for --without-kbuild
+#
+if [[ "$kbuilddir" == no ]]; then
+	kbuilddir="";
+fi
+
+AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
+	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.5])
+xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
+
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
-	[xtlibdir="$withval"],
-	[xtlibdir='${libexecdir}/xtables'])
+	[Path where to install Xtables extensions [[autodetect]]]),
+	[xtlibdir="$withval"])
+AC_MSG_CHECKING([Xtables module directory])
+AC_MSG_RESULT([$xtlibdir])
 
-#
-# --with-xtables= overrides a possibly installed pkgconfig file.
-#
-if [[ -n "$xtables_location" ]]; then
-	AC_MSG_CHECKING([xtables.h presence])
-	if [[ -f "$xtables_location/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/xtables.h])
-		xtables_CFLAGS="-I $xtables_location";
-	elif [[ -f "$xtables_location/include/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/include/xtables.h])
-		xtables_CFLAGS="-I $xtables_location/include";
-	fi;
-	if [[ -z "$xtables_CFLAGS" ]]; then
-		if [[ -f "$includedir/xtables.h" ]]; then
-			AC_MSG_RESULT([$includedir/xtables.h])
+regular_CPPFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
+	-D_REENTRANT -I\${XA_TOPSRCDIR}/include"
+regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
+	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
+	-Winline -pipe";
+
+if test -n "$kbuilddir"; then
+	AC_MSG_CHECKING([kernel version that we will build against])
+	krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease | $AWK -v 'FS=[[^0-9.]]' '{print $1; exit}')"
+	save_IFS="$IFS"
+	IFS='.'
+	set x $krel
+	IFS="$save_IFS"
+	kmajor="$(($2+0))"
+	kminor="$(($3+0))"
+	kmicro="$(($4+0))"
+	kstable="$(($5+0))"
+	if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
+		echo "WARNING: Version detection did not succeed. Continue at own luck.";
+	else
+		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 12; then
+			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
+		elif test "$kmajor" -eq 4 -a "$kminor" -le 10; then
+			:;
+		elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
+			:;
 		else
-			AC_MSG_RESULT([no])
+			echo "WARNING: That kernel version is not officially supported.";
 		fi;
 	fi;
-else
-	PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
-fi;
-
-regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
-kinclude_CFLAGS="";
-if [[ -n "$kbuilddir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
-fi;
-if [[ -n "$ksourcedir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
-fi;
-
-#
-# check kernel version
-#
-if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
-    grep -q "Red Hat Enterprise Linux Server release 5" /etc/redhat-release 2>/dev/null; then
-	# しまった!
-	# Well, just a warning. Maybe the admin updated the kernel.
-	echo "WARNING: This distribution's shipped kernel is not supported.";
-fi;
-krel="$(make -sC ${kbuilddir} kernelrelease)";
-krel="${krel%%-*}";
-kmajor="${krel%%.*}";
-krel="${krel#*.}";
-kminor="${krel%%.*}";
-krel="${krel#*.}";
-kmicro="${krel%%.*}";
-if test "$kmicro" = "$krel"; then
-	kstable=0;
-else
-	kstable="${krel#*.}";
-	if test -z "$kstable"; then
-		kstable=0;
-	fi;
-fi;
-echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 32; then
-	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
-elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
-    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
-    "$kstable" -lt 5 \); then
-	echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
-	exit 1;
 fi;
 
+AC_SUBST([regular_CPPFLAGS])
 AC_SUBST([regular_CFLAGS])
-AC_SUBST([xtables_CFLAGS])
-AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
-AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
-AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
+AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans geoip/Makefile
 	extensions/Makefile extensions/ACCOUNT/Makefile
-	extensions/ipset/Makefile extensions/pknock/Makefile])
+	extensions/pknock/Makefile])
 AC_OUTPUT

doc/api/2.6.35.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/xt-a.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/changelog.txt

@@ -3,204 +3,129 @@ HEAD
 ====
 
 
-Xtables-addons 1.19 (October 12 2009)
-=====================================
-- build: compile fixes for 2.6.31-rt
-- build: support for Linux 2.6.32
-- ipp2p: try to address underflows
-- psd: avoid potential crash when dealing with non-linear skbs
-- merge xt_ACCOUNT userspace utilities
-- added reworked xt_pknock module
-  Changes from pknock v0.5:
-  - pknock: "strict" and "checkip" flags were not displayed in `iptables -L`
-  - pknock: the GC expire time's lower bound is now the default gc time
-    (65000 msec) to avoid rendering anti-spoof protection in SPA mode useless
-  - pknock: avoid crash on memory allocation failure and fix memleak
-  - pknock: avoid fillup of peer table during DDoS
-  - pknock: automatic closing of ports
-  - pknock: make non-zero time mandatory for TCP mode
-  - pknock: display only pknock mode and state relevant information in procfs
-  - pknock: check interknock time only for !ST_ALLOWED peers
-  - pknock: preserve time/autoclose values for rules added in
-    reverse/arbitrary order
-  - pknock: add a manpage
+v2.14 (2017-11-22)
+==================
+Enhancements:
+- support for Linux up to 4.14
+Fixes:
+- xt_DNETMAP: fix some reports from PVSStudio (a static checker)
 
 
-Xtables-addons 1.18 (September 09 2009)
-=======================================
-- build: support for Linux 2.6.31
-- ipset: fast forward to v3.2
-- quota2: support anonymous counters
-- quota2: reduce memory footprint for anonymous counters
-- quota2: extend locked period during cleanup (locking bugfix)
-- quota2: use strtoull instead of strtoul
-- merged xt_ACCOUNT module
-- merged xt_psd module
+v2.13 (2017-06-29)
+==================
+Enhancements:
+- support for Linux up to 4.12
+- xt_condition: namespace support
+Fixes:
+- xt_geoip: check for allocation overflow
+- xt_DNETMAP: fix a buffer overflow
 
 
-Xtables-addons 1.17 (June 16 2009)
-==================================
-- IPMARK: print missing --shift parameter
-- build: use readlink -f in extensions/ipset/
-- build: support for Linux 2.6.30
+v2.12 (2017-01-11)
+==================
+Enhancements:
+- support for Linux up to 4.10
 
 
-Xtables-addons 1.16 (May 27 2009)
-=================================
-- RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
-- ipset: fast forward to 3.0
+v2.11 (2016-05-20)
+==================
+Enhancements:
+- support for Linux 4.5, 4.6
+- xt_ECHO: tentatively support responding to fragments
 
 
-Xtables-addons 1.15 (April 30 2009)
-===================================
-- build: add kernel version check to configure
-- condition: compile fix for 2.6.30-rc
-- condition: fix intrapositional negation sign
-- fuzzy: fix bogus comparison logic leftover from move to new 1.4.3 API
-- ipp2p: fix bogus varargs call
-- ipp2p: fix typo in error message
-- added "iface" match
-- added rawpost table (for use with RAWNAT)
-- added RAWSNAT/RAWDNAT targets
+v2.10 (2015-11-20)
+==================
+Enhancements:
+- Support for Linux 4.4
+Fixes:
+- xt_ACCOUNT: call free_page with the right amount of pages
 
 
-Xtables-addons 1.14 (March 31 2009)
-===================================
-- fuzzy: need to account for kernel-level modified variables in .userspacesize
-- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
-- SYSRQ: ignore non-UDP packets
-- SYSRQ: do proper L4 header access in IPv6 code
-  (must not use tcp/udp_hdr in input path)
-- add "STEAL" target
-- dhcpmac: rename from dhcpaddr
+v2.9 (2015-10-12)
+=================
+Enhancements:
+- Support for Linux 4.3
 
 
-Xtables-addons 1.13 (March 23 2009)
-===================================
-- added a reworked ipv4options match
-- upgrade to iptables 1.4.3 API
+v2.8 (2015-08-19)
+=================
+Enhancements:
+- Support for Linux 4.2
+- Enable xt_ECHO for Linux 4.0+
 
 
-Xtables-addons 1.12 (March 07 2009)
-===================================
-- ipset: fix for compilation with 2.6.29-rt
-- ipset: fast forward to 2.5.0
-- rename xt_portscan to xt_lscan ("low-level scan") because
-  "portscan" as a word caused confusion
-- xt_LOGMARK: print incoming interface index
-- revert "TEE: do not use TOS for routing"
-- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n
-- xt_TEE: enable routing by iif, nfmark and flowlabel
+v2.7 (2015-07-06)
+=================
+Enhancements:
+- Support for Linux up to 4.1
 
 
-Xtables-addons 1.10 (February 18 2009)
-======================================
-- compat: compile fixes for 2.6.29
-- ipset: upgrade to ipset 2.4.9
+v2.6 (2014-09-29)
+=================
+Enhancements:
+- Support for Linux up to 3.17
+Fixes:
+- xt_pknock: UDP SPA mode erroneously returned an error saying
+  crypto was unavailable
 
 
-Xtables-addons 1.9 (January 30 2009)
-====================================
-- add the xt_length2 extension
-- xt_TEE: remove intrapositional '!' support
-- ipset: upgrade to ipset 2.4.7
+v2.5 (2014-04-18)
+=================
+Enhancements:
+- Support for Linux up to 3.15
+- xt_quota2: introduce support for network namespaces
 
 
-Xtables-addons 1.8 (January 10 2009)
-====================================
-- xt_TEE: IPv6 support
-- xt_TEE: do not include TOS value in routing decision
-- xt_TEE: fix switch-case inversion for name/IP display
-- xt_ipp2p: update manpages and help text
-- xt_ipp2p: remove log flooding
-- xt_portscan: update manpage about --grscan option caveats
+v2.4 (2014-01-09)
+=================
+Enhancements:
+- Support for Linux up to 3.13
+Changes:
+- remove unmaintained RAWSNAT/RAWDNAT code
+- remove unused parts of compat_xtables that served Linux <3.7
+Fixes:
+- xt_quota2: --no-change should not alter quota to zero ever
+- xt_quota2: --packet should not be set to zero based on skb->len
 
 
-Xtables-addons 1.7 (December 25 2008)
-=====================================
-- xt_ECHO: compile fix
-- avoid the use of "_init" which led to compile errors on some installations
-- build: do not unconditionally install ipset
-- doc: add manpages for xt_ECHO and xt_TEE
-- xt_ipp2p: kazaa detection code cleanup
-- xt_ipp2p: fix newline inspection in kazaa detection
-- xt_ipp2p: ensure better array bounds checking
-- xt_SYSRQ: improve security by hashing password
+v2.3 (2013-06-18)
+=================
+Enhancements:
+- Support for Linux 3.10
+Fixes:
+- xt_DNETMAP, xt_condition, xt_quota2: resolve compile error when
+  CONFIG_UIDGID_STRICT_TYPE_CHECKS=y
+- xt_RAWNAT: ensure correct operation in the presence of IPv4 options
+- xt_geoip: do not throw a warnings when country database is size 0
+- xt_quota2: print "!" at the correct position during iptables-save
+Changes:
+- Make print (iptables -L) output the same as save (-S)
 
 
-Xtables-addons 1.6 (November 18 2008)
-=====================================
-- build: support for Linux 2.6.17
-- build: compile fixes for 2.6.18 and 2.6.19
-- xt_ECHO: resolve compile errors in xt_ECHO
-- xt_ipp2p: parenthesize unaligned-access macros
+v2.2 (2013-03-31)
+=================
+Enhancements:
+- Support for Linux 3.9
+- iptaccount: fix entire program being erroneously optimized away on PPC
 
 
-Xtables-addons 1.5.7 (September 01 2008)
-========================================
-- API layer: fix use of uninitialized 'hotdrop' variable
-- API layer: move to pskb-based signatures
-- xt_SYSRQ: compile fixes for Linux <= 2.6.19
-- ipset: adjust semaphore.h include for Linux >= 2.6.27
-- build: automatically run `depmod -a` on installation
-- add reworked xt_fuzzy module
-- add DHCP address match and mangle module
-- xt_portscan: IPv6 support
-- xt_SYSRQ: add missing module aliases
+v2.1 (2012-11-27)
+=================
+Fixes:
+- DNETMAP: fix compile error with Linux 3.7
+Enhancements:
+- Support for Linux 3.8
 
 
-Xtables-addons 1.5.5 (August 03 2008)
-=====================================
-- manpage updates for xt_CHAOS, xt_IPMARK; README updates
-- build: properly recognize external Kbuild/Mbuild files
-- build: remove dependency on CONFIG_NETWORK_SECMARK
-- add the xt_SYSRQ target
-- add the xt_quota2 extension
-- import ipset extension group
+v2.0 (2012-11-12)
+=================
+Changes:
+- remove support for Linux 2.6.17–3.6
+- remove xt_TEE (this is available upstream since 2.6.35)
+- remove xt_CHECKSUM (this is available upstream since 2.6.36)
+Enhancements:
+- Support for Linux 3.7
 
-
-Xtables-addons 1.5.4.1 (April 26 2008)
-======================================
-- build: fix compile error for 2.6.18-stable
-
-
-Xtables-addons 1.5.4 (April 09 2008)
-====================================
-- build: support building multiple files with one config option
-- API layer: add check for pskb relocation
-- doc: generate manpages
-- xt_ECHO: catch skb_linearize out-of-memory condition
-- xt_LOGMARK: add hook= and ctdir= fields in dump
-- xt_LOGMARK: fix comma output in ctstatus= list
-- xt_TEE: fix address copying bug
-- xt_TEE: make skb writable before attempting checksum update
-- add reworked xt_condition match
-- add reworked xt_ipp2p match
-- add reworked xt_IPMARK target
-
-
-Xtables-addons 1.5.3 (March 22 2008)
-====================================
-- support for Linux 2.6.18
-- add xt_ECHO sample target
-- add reworked xt_geoip match
-
-
-Xtables-addons 1.5.2 (March 04 2008)
-====================================
-- build: support for GNU make < 3.81 which does not have $(realpath)
-
-
-Xtables-addons 1.5.1 (February 21 2008)
-=======================================
-- build: allow user to select what extensions to compile and install
-- build: allow external proejcts to be downloaded into the tree
-- xt_LOGMARK: dump classify mark, ctstate and ctstatus
-- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
-
-
-Xtables-addons 1.5.0 (February 11 2008)
-=======================================
-Initial release with:
-- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
-- support for Linux >= 2.6.19
+If you want to use Xtables-addons with kernels older than 3.7,
+use the addons 1.x series (maintained but without new features).

extensions/.gitignore

@@ -1,6 +1,6 @@
 .*.cmd
 .*.d
-.tmp_versions
+.tmp_versions/
 *.ko
 *.mod.c
 Module.markers

extensions/ACCOUNT/Makefile.am

@@ -1,8 +1,13 @@
 # -*- Makefile -*-
 
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
+AM_CFLAGS   = ${regular_CFLAGS} ${libxtables_CFLAGS}
+
 include ../../Makefile.extra
 
 sbin_PROGRAMS = iptaccount
 iptaccount_LDADD = libxt_ACCOUNT_cl.la
 
 lib_LTLIBRARIES = libxt_ACCOUNT_cl.la
+
+man_MANS = iptaccount.8

extensions/ACCOUNT/VERSION.txt

@@ -0,0 +1 @@
+1.16

extensions/ACCOUNT/iptaccount.8

@@ -0,0 +1,26 @@
+.TH iptaccount 8 "v1.16" "" "v1.16"
+.SH Name
+iptaccount \(em administrative utility to access xt_ACCOUNT statistics
+.SH Syntax
+\fBiptaccount\fP [\fB\-acfhu\fP] [\fB\-l\fP \fIname\fP]
+.SH Options
+.PP
+\fB\-a\fP
+List all (accounting) table names.
+.PP
+\fB\-c\fP
+Loop every second (abort with CTRL+C).
+.PP
+\fB\-f\fP
+Flush data after display.
+.PP
+\fB\-h\fP
+Free all kernel handles. (Experts only!)
+.PP
+\fB\-l\fP \fIname\fP
+Show data in accounting table called by \fIname\fP.
+.TP
+\fB\-u\fP
+Show kernel handle usage.
+.SH "See also"
+\fBxtables-addons\fP(8)

extensions/ACCOUNT/iptaccount.c

@@ -21,6 +21,8 @@
 #include <getopt.h>
 #include <signal.h>
 
+#include <arpa/inet.h>
+#include <linux/types.h>
 #include <libxt_ACCOUNT_cl.h>
 
 bool exit_now;
@@ -33,15 +35,14 @@ static void sig_term(int signr)
 	exit_now = true;
 }
 
-char *addr_to_dotted(unsigned int);
-char *addr_to_dotted(unsigned int addr)
+static char *addr_to_dotted(unsigned int addr)
 {
-	static char buf[17];
+	static char buf[16];
 	const unsigned char *bytep;
 
+	addr = htonl(addr);
 	bytep = (const unsigned char *)&addr;
-	snprintf(buf, 16, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
-	buf[16] = 0;
+	snprintf(buf, sizeof(buf), "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
 	return buf;
 }
 
@@ -63,7 +64,7 @@ int main(int argc, char *argv[])
 	struct ipt_ACCOUNT_context ctx;
 	struct ipt_acc_handle_ip *entry;
 	int i;
-	char optchar;
+	int optchar;
 	bool doHandleUsage = false, doHandleFree = false, doTableNames = false;
 	bool doFlush = false, doContinue = false, doCSV = false;
 
@@ -188,7 +189,7 @@ int main(int argc, char *argv[])
 			{
 				printf("Read failed: %s\n", ctx.error_str);
 				ipt_ACCOUNT_deinit(&ctx);
-				exit(-1);
+				return EXIT_FAILURE;
 			}
 
 			if (!doCSV)
@@ -199,13 +200,19 @@ int main(int argc, char *argv[])
 			while ((entry = ipt_ACCOUNT_get_next_entry(&ctx)) != NULL)
 			{
 				if (doCSV)
-					printf("%s;%u;%u;%u;%u\n",
-					       addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
-					       entry->dst_packets, entry->dst_bytes);
+					printf("%s;%llu;%llu;%llu;%llu\n",
+					       addr_to_dotted(entry->ip),
+					       (unsigned long long)entry->src_packets,
+					       (unsigned long long)entry->src_bytes,
+					       (unsigned long long)entry->dst_packets,
+					       (unsigned long long)entry->dst_bytes);
 				else
-					printf("IP: %s SRC packets: %u bytes: %u DST packets: %u bytes: %u\n",
-					       addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
-					       entry->dst_packets, entry->dst_bytes);
+					printf("IP: %s SRC packets: %llu bytes: %llu DST packets: %llu bytes: %llu\n",
+					       addr_to_dotted(entry->ip),
+					       (unsigned long long)entry->src_packets,
+					       (unsigned long long)entry->src_bytes,
+					       (unsigned long long)entry->dst_packets,
+					       (unsigned long long)entry->dst_bytes);
 			}
 
 			if (doContinue)
@@ -219,5 +226,5 @@ int main(int argc, char *argv[])
 
 	printf("Finished.\n");
 	ipt_ACCOUNT_deinit(&ctx);
-	exit(0);
+	return EXIT_SUCCESS;
 }

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -2,6 +2,7 @@
    Author: Intra2net AG <opensource@intra2net.com>
 */
 
+#include <stdbool.h>
 #include <stdio.h>
 #include <netdb.h>
 #include <string.h>
@@ -11,11 +12,12 @@
 #include <stddef.h>
 #include <xtables.h>
 #include "xt_ACCOUNT.h"
+#include "compat_user.h"
 
 static struct option account_tg_opts[] = {
-	{ .name = "addr",        .has_arg = 1, .flag = 0, .val = 'a' },
-	{ .name = "tname",       .has_arg = 1, .flag = 0, .val = 't' },
-	{ .name = 0 }
+	{.name = "addr",  .has_arg = true, .val = 'a'},
+	{.name = "tname", .has_arg = true, .val = 't'},
+	{NULL},
 };
 
 /* Function which prints out usage message. */
@@ -56,10 +58,6 @@ static int account_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 			xtables_error(PARAMETER_PROBLEM, "Can't specify --%s twice",
 				account_tg_opts[0].name);
 
-		if (xtables_check_inverse(optarg, &invert, NULL, 0))
-			xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --%s",
-				account_tg_opts[0].name);
-
 		xtables_ipparse_any(optarg, &addrs, &mask, &naddrs);
 		if (naddrs > 1)
 			xtables_error(PARAMETER_PROBLEM, "multiple IP addresses not allowed");
@@ -76,11 +74,6 @@ static int account_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 				"Can't specify --%s twice",
 				account_tg_opts[1].name);
 
-		if (xtables_check_inverse(optarg, &invert, NULL, 0))
-			xtables_error(PARAMETER_PROBLEM,
-				"Unexpected `!' after --%s",
-				account_tg_opts[1].name);
-
 		if (strlen(optarg) > ACCOUNT_TABLE_NAME_LEN - 1)
 			xtables_error(PARAMETER_PROBLEM,
 				"Maximum table name length %u for --%s",
@@ -105,18 +98,18 @@ static void account_tg_check(unsigned int flags)
 }
 
 static void account_tg_print_it(const void *ip,
-		const struct xt_entry_target *target, char do_prefix)
+		const struct xt_entry_target *target, bool do_prefix)
 {
 	const struct ipt_acc_info *accountinfo
 		= (const struct ipt_acc_info *)target->data;
 	struct in_addr a;
 
 	if (!do_prefix)
-		printf("ACCOUNT ");
+		printf(" ACCOUNT ");
 
 	// Network information
 	if (do_prefix)
-		printf("--");
+		printf(" --");
 	printf("%s ", account_tg_opts[0].name);
 
 	a.s_addr = accountinfo->net_ip;
@@ -126,7 +119,7 @@ static void account_tg_print_it(const void *ip,
 
 	printf(" ");
 	if (do_prefix)
-		printf("--");
+		printf(" --");
 
 	printf("%s %s", account_tg_opts[1].name, accountinfo->table_name);
 }
@@ -137,19 +130,20 @@ account_tg_print(const void *ip,
 	const struct xt_entry_target *target,
 	int numeric)
 {
-	account_tg_print_it(ip, target, 0);
+	account_tg_print_it(ip, target, false);
 }
 
 /* Saves the union ipt_targinfo in parsable form to stdout. */
 static void
 account_tg_save(const void *ip, const struct xt_entry_target *target)
 {
-	account_tg_print_it(ip, target, 1);
+	account_tg_print_it(ip, target, true);
 }
 
 static struct xtables_target account_tg_reg = {
 	.name          = "ACCOUNT",
-	.family        = AF_INET,
+	.revision      = 1,
+	.family        = NFPROTO_IPV4,
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
 	.userspacesize = offsetof(struct ipt_acc_info, table_nr),

extensions/ACCOUNT/libxt_ACCOUNT.man

@@ -40,19 +40,7 @@ to account the overall traffic to/from your internet provider.
 .PP
 The data can be queried using the userspace libxt_ACCOUNT_cl library,
 and by the reference implementation to show usage of this library,
-the \fBiptaccount\fP(8) tool, which features following options:
-.PP
-[\fB\-u\fP] show kernel handle usage
-.PP
-[\fB\-h\fP] free all kernel handles (experts only!)
-.PP
-[\fB\-a\fP] list all table names
-.PP
-[\fB\-l\fP \fIname\fP] show data in table \fIname\fP
-.PP
-[\fB\-f\fP] flush data after showing
-.PP
-[\fB\-c\fP] loop every second (abort with CTRL+C)
+the \fBiptaccount\fP(8) tool.
 .PP
 Here is an example of use:
 .PP

extensions/ACCOUNT/xt_ACCOUNT.Kconfig

@@ -1,13 +0,0 @@
-config NETFILTER_XT_TARGET_ACCOUNT
-	tristate "ACCOUNT target support"
-	depends on NETFILTER_XTABLES
-	---help---
-	This module implements an ACCOUNT target
-
-	The ACCOUNT target is a high performance accounting system for large
-	local networks. It allows per-IP accounting in whole prefixes of IPv4
-	addresses with size of up to /8 without the need to add individual
-	accouting rule for each IP address.
-
-	For more information go to:
-	http://www.intra2net.com/de/produkte/opensource/ipt_account/

extensions/ACCOUNT/xt_ACCOUNT.h

@@ -15,8 +15,13 @@
  * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
  * library (libxt_ACCOUNT_cl). Hopefully we are unique at least within our
  * kernel & xtables-addons space.
+ *
+ * Turned out often enough we are not.
+ * 64-67	used by ip_tables, ip6_tables
+ * 96-100	used by arp_tables
+ * 128-131	used by ebtables
  */
-#define SO_ACCOUNT_BASE_CTL 90
+#define SO_ACCOUNT_BASE_CTL 70
 
 #define IPT_SO_SET_ACCOUNT_HANDLE_FREE (SO_ACCOUNT_BASE_CTL + 1)
 #define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (SO_ACCOUNT_BASE_CTL + 2)
@@ -35,38 +40,12 @@
 
 /* Structure for the userspace part of ipt_ACCOUNT */
 struct ipt_acc_info {
-	uint32_t net_ip;
-	uint32_t net_mask;
+	__be32 net_ip;
+	__be32 net_mask;
 	char table_name[ACCOUNT_TABLE_NAME_LEN];
 	int32_t table_nr;
 };
 
-/* Internal table structure, generated by check_entry() */
-struct ipt_acc_table {
-	char name[ACCOUNT_TABLE_NAME_LEN];	 /* name of the table */
-	uint32_t ip;						  /* base IP of network */
-	uint32_t netmask;					 /* netmask of the network */
-	unsigned char depth;				   /* size of network:
-												 0: 8 bit, 1: 16bit, 2: 24 bit */
-	uint32_t refcount;					/* refcount of this table.
-												 if zero, destroy it */
-	uint32_t itemcount;				   /* number of IPs in this table */
-	void *data;							/* pointer to the actual data,
-												 depending on netmask */
-};
-
-/* Internal handle structure */
-struct ipt_acc_handle {
-	uint32_t ip;						  /* base IP of network. Used for
-												 caculating the final IP during
-												 get_data() */
-	unsigned char depth;				   /* size of network. See above for
-												 details */
-	uint32_t itemcount;				   /* number of IPs in this table */
-	void *data;							/* pointer to the actual data,
-												 depending on size */
-};
-
 /* Handle structure for communication with the userspace library */
 struct ipt_acc_handle_sockopt {
 	uint32_t handle_nr;				   /* Used for HANDLE_FREE */
@@ -76,43 +55,15 @@ struct ipt_acc_handle_sockopt {
 												 HANDLE_READ_FLUSH */
 };
 
-/* Used for every IP entry
-   Size is 16 bytes so that 256 (class C network) * 16
-   fits in one kernel (zero) page */
-struct ipt_acc_ip {
-	uint32_t src_packets;
-	uint32_t src_bytes;
-	uint32_t dst_packets;
-	uint32_t dst_bytes;
-};
-
 /*
 	Used for every IP when returning data
 */
 struct ipt_acc_handle_ip {
-	uint32_t ip;
-	uint32_t src_packets;
-	uint32_t src_bytes;
-	uint32_t dst_packets;
-	uint32_t dst_bytes;
-};
-
-/*
-	The IPs are organized as an array so that direct slot
-	calculations are possible.
-	Only 8 bit networks are preallocated, 16/24 bit networks
-	allocate their slots when needed -> very efficent.
-*/
-struct ipt_acc_mask_24 {
-	struct ipt_acc_ip ip[256];
-};
-
-struct ipt_acc_mask_16 {
-	struct ipt_acc_mask_24 *mask_24[256];
-};
-
-struct ipt_acc_mask_8 {
-	struct ipt_acc_mask_16 *mask_16[256];
+	__be32 ip, __dummy;
+	uint64_t src_packets;
+	uint64_t src_bytes;
+	uint64_t dst_packets;
+	uint64_t dst_bytes;
 };
 
 #endif /* _IPT_ACCOUNT_H */

extensions/Kbuild

@@ -9,20 +9,17 @@ obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
+obj-${build_DNETMAP}     += xt_DNETMAP.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
-obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o ip6table_rawpost.o
 obj-${build_SYSRQ}       += xt_SYSRQ.o
-obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o
-obj-${build_TEE}         += xt_TEE.o
 obj-${build_condition}   += xt_condition.o
 obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
 obj-${build_iface}       += xt_iface.o
 obj-${build_ipp2p}       += xt_ipp2p.o
-obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o

extensions/Makefile.am

@@ -1,12 +1,17 @@
 # -*- Makefile -*-
 # AUTOMAKE
 
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
+AM_CFLAGS = ${regular_CFLAGS} ${libxtables_CFLAGS}
+
 # Not having Kbuild in Makefile.extra because it will already recurse
 .PHONY: modules modules_install clean_modules
 
 _kcall = -C ${kbuilddir} M=${abs_srcdir}
 
 modules:
+	@echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux "
+	@if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} --no-print-directory -s kernelrelease; fi;
 	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi;
 
 modules_install:

extensions/Mbuild

@@ -4,23 +4,21 @@ obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
+obj-${build_DNETMAP}     += libxt_DNETMAP.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
-obj-${build_RAWNAT}      += libxt_RAWDNAT.so libxt_RAWSNAT.so
-obj-${build_STEAL}       += libxt_STEAL.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
-obj-${build_TEE}         += libxt_TEE.so
 obj-${build_condition}   += libxt_condition.so
 obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
 obj-${build_iface}       += libxt_iface.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
-obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so
+obj-${build_gradm}       += libxt_gradm.so

extensions/compat_nfinetaddr.h

@@ -1,14 +0,0 @@
-#ifndef _COMPAT_NFINETADDR_H
-#define _COMPAT_NFINETADDR_H 1
-
-#include <linux/in.h>
-#include <linux/in6.h>
-
-union nf_inet_addr {
-	__be32 ip;
-	__be32 ip6[4];
-	struct in_addr in;
-	struct in6_addr in6;
-};
-
-#endif /* _COMPAT_NFINETADDR_H */

extensions/compat_rawpost.h

@@ -1,87 +0,0 @@
-#ifndef XTA_COMPAT_RAWPOST_H
-#define XTA_COMPAT_RAWPOST_H 1
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
-typedef struct sk_buff sk_buff_t;
-#else
-typedef struct sk_buff *sk_buff_t;
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
-#define XT_TARGET_INIT(__name, __size)					       \
-{									       \
-	.target.u.user = {						       \
-		.target_size	= XT_ALIGN(__size),			       \
-		.name		= __name,				       \
-	},								       \
-}
-
-#define IPT_ENTRY_INIT(__size)						       \
-{									       \
-	.target_offset	= sizeof(struct ipt_entry),			       \
-	.next_offset	= (__size),					       \
-}
-
-#define IPT_STANDARD_INIT(__verdict)					       \
-{									       \
-	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_standard)),	       \
-	.target		= XT_TARGET_INIT(IPT_STANDARD_TARGET,		       \
-					 sizeof(struct xt_standard_target)),   \
-	.target.verdict	= -(__verdict) - 1,				       \
-}
-
-#define IPT_ERROR_INIT							       \
-{									       \
-	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_error)),	       \
-	.target		= XT_TARGET_INIT(IPT_ERROR_TARGET,		       \
-					 sizeof(struct ipt_error_target)),     \
-	.target.errorname = "ERROR",					       \
-}
-
-#define IP6T_ENTRY_INIT(__size)						       \
-{									       \
-	.target_offset	= sizeof(struct ip6t_entry),			       \
-	.next_offset	= (__size),					       \
-}
-
-#define IP6T_STANDARD_INIT(__verdict)					       \
-{									       \
-	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
-	.target		= XT_TARGET_INIT(IP6T_STANDARD_TARGET,		       \
-					 sizeof(struct ip6t_standard_target)), \
-	.target.verdict	= -(__verdict) - 1,				       \
-}
-
-#define IP6T_ERROR_INIT							       \
-{									       \
-	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),	       \
-	.target		= XT_TARGET_INIT(IP6T_ERROR_TARGET,		       \
-					 sizeof(struct ip6t_error_target)),    \
-	.target.errorname = "ERROR",					       \
-}
-
-#endif /* 2.6.21 */
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
-#	include <linux/netfilter_ipv6/ip6_tables.h>
-/* Standard entry */
-struct ip6t_standard
-{
-	struct ip6t_entry entry;
-	struct ip6t_standard_target target;
-};
-
-struct ip6t_error_target
-{
-	struct ip6t_entry_target target;
-	char errorname[IP6T_FUNCTION_MAXNAMELEN];
-};
-
-struct ip6t_error
-{
-	struct ip6t_entry entry;
-	struct ip6t_error_target target;
-};
-#endif /* 2.6.20 */
-
-#endif /* XTA_COMPAT_RAWPOST_H */

extensions/compat_skbuff.h

@@ -4,31 +4,8 @@
 struct tcphdr;
 struct udphdr;
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 30)
-static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
-{
-	skb->dst = dst;
-}
-
-static inline struct dst_entry *skb_dst(const struct sk_buff *skb)
-{
-	return skb->dst;
-}
-
-static inline struct rtable *skb_rtable(const struct sk_buff *skb)
-{
-	return (void *)skb->dst;
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-#	define skb_ifindex(skb) \
-		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
-#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
-#else
-#	define skb_ifindex(skb) (skb)->iif
-#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
-#endif
+#define skb_ifindex(skb) (skb)->skb_iif
+#define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 
 #ifdef CONFIG_NETWORK_SECMARK
 #	define skb_secmark(skb) ((skb)->secmark)
@@ -36,24 +13,4 @@ static inline struct rtable *skb_rtable(const struct sk_buff *skb)
 #	define skb_secmark(skb) 0
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
-#	define ip_hdr(skb) ((skb)->nh.iph)
-#	define ip_hdrlen(skb) (ip_hdr(skb)->ihl * 4)
-#	define ipv6_hdr(skb) ((skb)->nh.ipv6h)
-#	define skb_network_header(skb) ((skb)->nh.raw)
-#	define skb_transport_header(skb) ((skb)->h.raw)
-static inline void skb_reset_network_header(struct sk_buff *skb)
-{
-	skb->nh.raw = skb->data;
-}
-static inline struct tcphdr *tcp_hdr(const struct sk_buff *skb)
-{
-	return (void *)skb_transport_header(skb);
-}
-static inline struct udphdr *udp_hdr(const struct sk_buff *skb)
-{
-	return (void *)skb_transport_header(skb);
-}
-#endif
-
 #endif /* COMPAT_SKBUFF_H */

extensions/compat_user.h

@@ -0,0 +1,12 @@
+/*
+ *	Userspace-level compat hacks
+ */
+#ifndef _XTABLES_COMPAT_USER_H
+#define _XTABLES_COMPAT_USER_H 1
+
+/* linux-glibc-devel 2.6.34 header screwup */
+#ifndef ALIGN
+#	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
+#endif
+
+#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -1,6 +1,6 @@
 /*
  *	API compat layer
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	written by Jan Engelhardt, 2008 - 2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License, either
@@ -8,505 +8,38 @@
  */
 #include <linux/ip.h>
 #include <linux/kernel.h>
+#include <linux/kmod.h>
 #include <linux/list.h>
+#include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/spinlock.h>
 #include <linux/version.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_arp.h>
 #include <net/ip.h>
+#include <net/ipv6.h>
 #include <net/route.h>
+#include <linux/export.h>
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
-static int xtnu_match_run(const struct sk_buff *skb,
-    const struct net_device *in, const struct net_device *out,
-    const struct xt_match *cm, const void *matchinfo, int offset,
-    unsigned int protoff, int *hotdrop)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static bool xtnu_match_run(const struct sk_buff *skb,
-    const struct net_device *in, const struct net_device *out,
-    const struct xt_match *cm, const void *matchinfo, int offset,
-    unsigned int protoff, bool *hotdrop)
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#	define WITH_IPV6 1
 #endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+
+void *HX_memmem(const void *space, size_t spacesize,
+    const void *point, size_t pointsize)
 {
-	struct xtnu_match *nm = xtcompat_numatch(cm);
-	bool lo_drop = false, lo_ret;
-	struct xt_match_param local_par = {
-		.in        = in,
-		.out       = out,
-		.match     = cm,
-		.matchinfo = matchinfo,
-		.fragoff   = offset,
-		.thoff     = protoff,
-		.hotdrop   = &lo_drop,
-		.family    = NFPROTO_UNSPEC, /* don't have that info */
-	};
+	size_t i;
 
-	if (nm == NULL || nm->match == NULL)
-		return false;
-	lo_ret = nm->match(skb, &local_par);
-	*hotdrop = lo_drop;
-	return lo_ret;
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static int xtnu_match_check(const char *table, const void *entry,
-    const struct xt_match *cm, void *matchinfo, unsigned int matchinfosize,
-    unsigned int hook_mask)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
-static int xtnu_match_check(const char *table, const void *entry,
-    const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static bool xtnu_match_check(const char *table, const void *entry,
-    const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_match *nm = xtcompat_numatch(cm);
-	struct xt_mtchk_param local_par = {
-		.table     = table,
-		.entryinfo = entry,
-		.match     = cm,
-		.matchinfo = matchinfo,
-		.hook_mask = hook_mask,
-		.family    = NFPROTO_UNSPEC,
-	};
-
-	if (nm == NULL)
-		return false;
-	if (nm->checkentry == NULL)
-		return true;
-	return nm->checkentry(&local_par);
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo,
-    unsigned int matchinfosize)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_match *nm = xtcompat_numatch(cm);
-	struct xt_mtdtor_param local_par = {
-		.match     = cm,
-		.matchinfo = matchinfo,
-		.family    = NFPROTO_UNSPEC,
-	};
-
-	if (nm != NULL && nm->destroy != NULL)
-		nm->destroy(&local_par);
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-int xtnu_register_match(struct xtnu_match *nt)
-{
-	struct xt_match *ct;
-	char *tmp;
-	int ret;
-
-	ct = kzalloc(sizeof(struct xt_match), GFP_KERNEL);
-	if (ct == NULL)
-		return -ENOMEM;
-
-	tmp = (char *)ct->name;
-	memcpy(tmp, nt->name, sizeof(nt->name));
-	tmp = (char *)(ct->name + sizeof(ct->name) - sizeof(void *));
-	*(tmp-1) = '\0';
-	memcpy(tmp, &nt, sizeof(void *));
-
-	ct->revision   = nt->revision;
-	ct->family     = nt->family;
-	ct->table      = (char *)nt->table;
-	ct->hooks      = nt->hooks;
-	ct->proto      = nt->proto;
-	ct->match      = xtnu_match_run;
-	ct->checkentry = xtnu_match_check;
-	ct->destroy    = xtnu_match_destroy;
-	ct->matchsize  = nt->matchsize;
-	ct->me         = nt->me;
-
-	nt->__compat_match = ct;
-	ret = xt_register_match(ct);
-	if (ret != 0)
-		kfree(ct);
-	return ret;
-}
-EXPORT_SYMBOL_GPL(xtnu_register_match);
-
-int xtnu_register_matches(struct xtnu_match *nt, unsigned int num)
-{
-	unsigned int i;
-	int ret;
-
-	for (i = 0; i < num; ++i) {
-		ret = xtnu_register_match(&nt[i]);
-		if (ret < 0) {
-			if (i > 0)
-				xtnu_unregister_matches(nt, i);
-			return ret;
-		}
-	}
-	return 0;
-}
-EXPORT_SYMBOL_GPL(xtnu_register_matches);
-
-void xtnu_unregister_match(struct xtnu_match *nt)
-{
-	xt_unregister_match(nt->__compat_match);
-	kfree(nt->__compat_match);
-}
-EXPORT_SYMBOL_GPL(xtnu_unregister_match);
-
-void xtnu_unregister_matches(struct xtnu_match *nt, unsigned int num)
-{
-	unsigned int i;
-
-	for (i = 0; i < num; ++i)
-		xtnu_unregister_match(&nt[i]);
-}
-EXPORT_SYMBOL_GPL(xtnu_unregister_matches);
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static unsigned int xtnu_target_run(struct sk_buff **pskb,
-    const struct net_device *in, const struct net_device *out,
-    unsigned int hooknum, const struct xt_target *ct, const void *targinfo,
-    void *userdata)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-static unsigned int xtnu_target_run(struct sk_buff **pskb,
-    const struct net_device *in, const struct net_device *out,
-    unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static unsigned int xtnu_target_run(struct sk_buff *skb,
-    const struct net_device *in, const struct net_device *out,
-    unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-#else
-static unsigned int
-xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
-#endif
-{
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_target_param local_par = {
-		.in       = in,
-		.out      = out,
-		.hooknum  = hooknum,
-		.target   = ct,
-		.targinfo = targinfo,
-		.family   = NFPROTO_UNSPEC,
-	};
-#else
-	struct xtnu_target *nt = xtcompat_nutarget(par->target);
-#endif
-
-	if (nt != NULL && nt->target != NULL)
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-		return nt->target(pskb, &local_par);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-		return nt->target(&skb, &local_par);
-#else
-		return nt->target(&skb, par);
-#endif
-	return XT_CONTINUE;
-}
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static int xtnu_target_check(const char *table, const void *entry,
-    const struct xt_target *ct, void *targinfo,
-    unsigned int targinfosize, unsigned int hook_mask)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
-static int xtnu_target_check(const char *table, const void *entry,
-    const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static bool xtnu_target_check(const char *table, const void *entry,
-    const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_tgchk_param local_par = {
-		.table     = table,
-		.entryinfo = entry,
-		.target    = ct,
-		.targinfo  = targinfo,
-		.hook_mask = hook_mask,
-		.family    = NFPROTO_UNSPEC,
-	};
-
-	if (nt == NULL)
-		return false;
-	if (nt->checkentry == NULL)
-		/* this is valid, just like if there was no function */
-		return true;
-	return nt->checkentry(&local_par);
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo,
-    unsigned int targinfosize)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_tgdtor_param local_par = {
-		.target   = ct,
-		.targinfo = targinfo,
-		.family   = NFPROTO_UNSPEC,
-	};
-
-	if (nt != NULL && nt->destroy != NULL)
-		nt->destroy(&local_par);
-}
-#endif
-
-int xtnu_register_target(struct xtnu_target *nt)
-{
-	struct xt_target *ct;
-	char *tmp;
-	int ret;
-
-	ct = kzalloc(sizeof(struct xt_target), GFP_KERNEL);
-	if (ct == NULL)
-		return -ENOMEM;
-
-	tmp = (char *)ct->name;
-	memcpy(tmp, nt->name, sizeof(nt->name));
-	tmp = (char *)(ct->name + sizeof(ct->name) - sizeof(void *));
-	*(tmp-1) = '\0';
-	memcpy(tmp, &nt, sizeof(void *));
-
-	ct->revision   = nt->revision;
-	ct->family     = nt->family;
-	ct->table      = (char *)nt->table;
-	ct->hooks      = nt->hooks;
-	ct->proto      = nt->proto;
-	ct->target     = xtnu_target_run;
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-	ct->checkentry = xtnu_target_check;
-	ct->destroy    = xtnu_target_destroy;
-#else
-	ct->checkentry = nt->checkentry;
-	ct->destroy    = nt->destroy;
-#endif
-	ct->targetsize = nt->targetsize;
-	ct->me         = nt->me;
-
-	nt->__compat_target = ct;
-	ret = xt_register_target(ct);
-	if (ret != 0)
-		kfree(ct);
-	return ret;
-}
-EXPORT_SYMBOL_GPL(xtnu_register_target);
-
-int xtnu_register_targets(struct xtnu_target *nt, unsigned int num)
-{
-	unsigned int i;
-	int ret;
-
-	for (i = 0; i < num; ++i) {
-		ret = xtnu_register_target(&nt[i]);
-		if (ret < 0) {
-			if (i > 0)
-				xtnu_unregister_targets(nt, i);
-			return ret;
-		}
-	}
-	return 0;
-}
-EXPORT_SYMBOL_GPL(xtnu_register_targets);
-
-void xtnu_unregister_target(struct xtnu_target *nt)
-{
-	xt_unregister_target(nt->__compat_target);
-	kfree(nt->__compat_target);
-}
-EXPORT_SYMBOL_GPL(xtnu_unregister_target);
-
-void xtnu_unregister_targets(struct xtnu_target *nt, unsigned int num)
-{
-	unsigned int i;
-
-	for (i = 0; i < num; ++i)
-		xtnu_unregister_target(&nt[i]);
-}
-EXPORT_SYMBOL_GPL(xtnu_unregister_targets);
-
-struct xt_match *xtnu_request_find_match(unsigned int af, const char *name,
-    uint8_t revision)
-{
-	static const char *const xt_prefix[] = {
-		[AF_UNSPEC] = "x",
-		[AF_INET]   = "ip",
-		[AF_INET6]  = "ip6",
-#ifdef AF_ARP
-		[AF_ARP]    = "arp",
-#elif defined(NF_ARP) && NF_ARP != AF_UNSPEC
-		[NF_ARP]    = "arp",
-#endif
-	};
-	struct xt_match *match;
-
-	match = try_then_request_module(xt_find_match(af, name, revision),
-		"%st_%s", xt_prefix[af], name);
-	if (IS_ERR(match) || match == NULL)
+	if (pointsize > spacesize)
 		return NULL;
-
-	return match;
+	for (i = 0; i <= spacesize - pointsize; ++i)
+		if (memcmp(space + i, point, pointsize) == 0)
+			return (void *)space + i;
+	return NULL;
 }
-EXPORT_SYMBOL_GPL(xtnu_request_find_match);
-
-int xtnu_ip_route_me_harder(struct sk_buff **pskb, unsigned int addr_type)
-{
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
-	/* Actually this one is valid up to 2.6.18.4, but changed in 2.6.18.5 */
-	return ip_route_me_harder(pskb);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-	return ip_route_me_harder(pskb, addr_type);
-#else
-	return ip_route_me_harder(*pskb, addr_type);
-#endif
-}
-EXPORT_SYMBOL_GPL(xtnu_ip_route_me_harder);
-
-int xtnu_skb_make_writable(struct sk_buff **pskb, unsigned int len)
-{
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-	return skb_make_writable(pskb, len);
-#else
-	return skb_make_writable(*pskb, len);
-#endif
-}
-EXPORT_SYMBOL_GPL(xtnu_skb_make_writable);
-
-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 24)
-static int __xtnu_ip_local_out(struct sk_buff *skb)
-{
-	struct iphdr *iph = ip_hdr(skb);
-
-	iph->tot_len = htons(skb->len);
-	ip_send_check(iph);
-	return nf_hook(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
-	               skb->dst->dev, dst_output);
-}
-
-int xtnu_ip_local_out(struct sk_buff *skb)
-{
-	int err;
-
-	err = __xtnu_ip_local_out(skb);
-	if (likely(err == 1))
-		err = dst_output(skb);
-
-	return err;
-}
-EXPORT_SYMBOL_GPL(xtnu_ip_local_out);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-static int __xtnu_ip_local_out(struct sk_buff **pskb)
-{
-	struct iphdr *iph = ip_hdr(*pskb);
-
-	iph->tot_len = htons((*pskb)->len);
-	ip_send_check(iph);
-	return nf_hook(PF_INET, NF_IP_LOCAL_OUT, pskb, NULL,
-	               (*pskb)->dst->dev, dst_output);
-}
-
-int xtnu_ip_local_out(struct sk_buff *skb)
-{
-	int err;
-
-	err = __xtnu_ip_local_out(&skb);
-	if (likely(err == 1))
-		err = dst_output(skb);
-
-	return err;
-}
-EXPORT_SYMBOL_GPL(xtnu_ip_local_out);
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
-int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp)
-{
-	return ip_route_output_flow(rp, flp, NULL, 0);
-}
-EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
-
-void xtnu_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
-    __be32 from, __be32 to, bool pseudohdr)
-{
-	__be32 diff[] = {~from, to};
-	const void *dv = diff; /* kludge for < v2.6.19-555-g72685fc */
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	if (skb->ip_summed != CHECKSUM_PARTIAL) {
-		*sum = csum_fold(csum_partial(dv, sizeof(diff),
-		       ~csum_unfold(*sum)));
-		if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
-			skb->csum = ~csum_partial(dv, sizeof(diff),
-			            ~skb->csum);
-	} else if (pseudohdr) {
-		*sum = ~csum_fold(csum_partial(dv, sizeof(diff),
-		       csum_unfold(*sum)));
-	}
-#else
-	*sum = csum_fold(csum_partial(dv, sizeof(diff),
-	       ~csum_unfold(*sum)));
-#endif
-}
-EXPORT_SYMBOL_GPL(xtnu_proto_csum_replace4);
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-int xtnu_neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
-{
-	unsigned int hh_alen;
-
-	read_lock_bh(&hh->hh_lock);
-	hh_alen = HH_DATA_ALIGN(hh->hh_len);
-	memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
-	read_unlock_bh(&hh->hh_lock);
-	skb_push(skb, hh->hh_len);
-	return hh->hh_output(skb);
-}
-EXPORT_SYMBOL_GPL(xtnu_neigh_hh_output);
-
-static inline __wsum xtnu_csum_unfold(__sum16 n)
-{
-	return (__force __wsum)n;
-}
-
-void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
-{
-	__be32 diff[] = {~from, to};
-	*sum = csum_fold(csum_partial((char *)diff, sizeof(diff),
-	       ~xtnu_csum_unfold(*sum)));
-}
-
-void xtnu_csum_replace2(__sum16 *sum, __be16 from, __be16 to)
-{
-	xtnu_csum_replace4(sum, (__force __be32)from, (__force __be32)to);
-}
-EXPORT_SYMBOL_GPL(xtnu_csum_replace2);
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
-int xtnu_skb_linearize(struct sk_buff *skb)
-{
-	return skb_linearize(skb, GFP_ATOMIC);
-}
-EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
-#endif
+EXPORT_SYMBOL_GPL(HX_memmem);
 
 MODULE_LICENSE("GPL");

extensions/compat_xtables.h

@@ -8,8 +8,12 @@
 
 #define DEBUGP Use__pr_debug__instead
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
-#	warning Kernels below 2.6.17 not supported.
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
+#	warning Kernels below 3.7 not supported.
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
+#	define prandom_u32() random32()
 #endif
 
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -17,65 +21,8 @@
 #		warning You have CONFIG_NF_CONNTRACK enabled, but CONFIG_NF_CONNTRACK_MARK is not (please enable).
 #	endif
 #	include <net/netfilter/nf_conntrack.h>
-#elif defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-#	if !defined(CONFIG_IP_NF_CONNTRACK_MARK)
-#		warning You have CONFIG_IP_NF_CONNTRACK enabled, but CONFIG_IP_NF_CONNTRACK_MARK is not (please enable).
-#	endif
-#	include <linux/netfilter_ipv4/ip_conntrack.h>
-#	define nf_conn ip_conntrack
-#	define nf_ct_get ip_conntrack_get
-#	define nf_conntrack_untracked ip_conntrack_untracked
 #else
-#	warning You need either CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK.
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
-#	define skb_init_secmark(skb)
-#	define skb_linearize	xtnu_skb_linearize
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-#	define neigh_hh_output xtnu_neigh_hh_output
-#	define IPPROTO_UDPLITE 136
-#	define CSUM_MANGLED_0 ((__force __sum16)0xffff)
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
-#	define NF_INET_PRE_ROUTING  NF_IP_PRE_ROUTING
-#	define NF_INET_LOCAL_IN     NF_IP_LOCAL_IN
-#	define NF_INET_FORWARD      NF_IP_FORWARD
-#	define NF_INET_LOCAL_OUT    NF_IP_LOCAL_OUT
-#	define NF_INET_POST_ROUTING NF_IP_POST_ROUTING
-#	define ip_local_out         xtnu_ip_local_out
-#	define ip_route_output_key  xtnu_ip_route_output_key
-#	include "compat_nfinetaddr.h"
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-#	define init_net               xtnu_ip_route_output_key /* yes */
-#	define init_net__loopback_dev (&loopback_dev)
-#	define init_net__proc_net     proc_net
-#else
-#	define init_net__loopback_dev init_net.loopback_dev
-#	define init_net__proc_net     init_net.proc_net
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-#	define xt_match              xtnu_match
-#	define xt_register_match     xtnu_register_match
-#	define xt_unregister_match   xtnu_unregister_match
-#	define xt_register_matches   xtnu_register_matches
-#	define xt_unregister_matches xtnu_unregister_matches
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-#	define csum_replace2 xtnu_csum_replace2
-#	define csum_replace4 xtnu_csum_replace4
-#	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
-#	define csum_replace2 nf_csum_replace2
-#	define csum_replace4 nf_csum_replace4
-#	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
+#	warning You need CONFIG_NF_CONNTRACK.
 #endif
 
 #if !defined(NIP6) && !defined(NIP6_FMT)
@@ -88,7 +35,7 @@
 		ntohs((addr).s6_addr16[5]), \
 		ntohs((addr).s6_addr16[6]), \
 		ntohs((addr).s6_addr16[7])
-#	define NIP6_FMT "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
+#	define NIP6_FMT "%04hx:%04hx:%04hx:%04hx:%04hx:%04hx:%04hx:%04hx"
 #endif
 #if !defined(NIPQUAD) && !defined(NIPQUAD_FMT)
 #	define NIPQUAD(addr) \
@@ -96,17 +43,54 @@
 		((const unsigned char *)&addr)[1], \
 		((const unsigned char *)&addr)[2], \
 		((const unsigned char *)&addr)[3]
-#	define NIPQUAD_FMT "%u.%u.%u.%u"
+#	define NIPQUAD_FMT "%hhu.%hhu.%hhu.%hhu"
 #endif
 
-#define ip_route_me_harder    xtnu_ip_route_me_harder
-#define skb_make_writable     xtnu_skb_make_writable
-#define xt_target             xtnu_target
-#define xt_register_target    xtnu_register_target
-#define xt_unregister_target  xtnu_unregister_target
-#define xt_register_targets   xtnu_register_targets
-#define xt_unregister_targets xtnu_unregister_targets
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0)
+static inline struct inode *file_inode(struct file *f)
+{
+	return f->f_path.dentry->d_inode;
+}
+#endif
 
-#define xt_request_find_match xtnu_request_find_match
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0)
+static inline void proc_set_user(struct proc_dir_entry *de,
+    typeof(de->uid) uid, typeof(de->gid) gid)
+{
+	de->uid = uid;
+	de->gid = gid;
+}
+
+static inline void *PDE_DATA(struct inode *inode)
+{
+	return PDE(inode)->data;
+}
+
+static inline void proc_remove(struct proc_dir_entry *de)
+{
+	if (de != NULL)
+		remove_proc_entry(de->name, de->parent);
+}
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 0)
+#	define ip6_local_out(xnet, xsk, xskb) ip6_local_out(xskb)
+#	define ip6_route_me_harder(xnet, xskb) ip6_route_me_harder(xskb)
+#	define ip_local_out(xnet, xsk, xskb) ip_local_out(xskb)
+#	define ip_route_me_harder(xnet, xskb, xaddrtype) ip_route_me_harder((xskb), (xaddrtype))
+#endif
+
+static inline struct net *par_net(const struct xt_action_param *par)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
+	return par->state->net;
+#else
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
+	return par->net;
+#else
+	return dev_net((par->in != NULL) ? par->in : par->out);
+#endif
+#endif
+}
 
 #endif /* _XTABLES_COMPAT_H */

extensions/compat_xtnu.h

@@ -1,113 +1,40 @@
 #ifndef _COMPAT_XTNU_H
 #define _COMPAT_XTNU_H 1
 
-#include <linux/list.h>
 #include <linux/netfilter/x_tables.h>
-#include <linux/spinlock.h>
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-typedef _Bool bool;
-enum { false = 0, true = 1, };
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-typedef __u16 __bitwise __sum16;
-typedef __u32 __bitwise __wsum;
-#endif
-
-struct flowi;
-struct hh_cache;
 struct module;
-struct net_device;
-struct rtable;
 struct sk_buff;
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-enum {
-	NFPROTO_UNSPEC =  0,
-	NFPROTO_IPV4   =  2,
-	NFPROTO_ARP    =  3,
-	NFPROTO_BRIDGE =  7,
-	NFPROTO_IPV6   = 10,
-	NFPROTO_DECNET = 12,
-	NFPROTO_NUMPROTO,
-};
-
-struct xt_match_param {
-	const struct net_device *in, *out;
-	const struct xt_match *match;
-	const void *matchinfo;
-	int fragoff;
-	unsigned int thoff;
-	bool *hotdrop;
-	u_int8_t family;
-};
-
-struct xt_mtchk_param {
-	const char *table;
-	const void *entryinfo;
-	const struct xt_match *match;
-	void *matchinfo;
-	unsigned int hook_mask;
-	u_int8_t family;
-};
-
-struct xt_mtdtor_param {
-	const struct xt_match *match;
-	void *matchinfo;
-	u_int8_t family;
-};
-
-struct xt_target_param {
-	const struct net_device *in, *out;
-	unsigned int hooknum;
-	const struct xt_target *target;
-	const void *targinfo;
-	u_int8_t family;
-};
-
-struct xt_tgchk_param {
-	const char *table;
-	const void *entryinfo;
-	const struct xt_target *target;
-	void *targinfo;
-	unsigned int hook_mask;
-	u_int8_t family;
-};
-
-struct xt_tgdtor_param {
-	const struct xt_target *target;
-	void *targinfo;
-	u_int8_t family;
-};
-#endif
-
 struct xtnu_match {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
-	bool (*match)(const struct sk_buff *, const struct xt_match_param *);
-	bool (*checkentry)(const struct xt_mtchk_param *);
+	/*
+	 * Making it smaller by sizeof(void *) on purpose to catch
+	 * lossy translation, if any.
+	 */
+	char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
+	bool (*match)(const struct sk_buff *, struct xt_action_param *);
+	int (*checkentry)(const struct xt_mtchk_param *);
 	void (*destroy)(const struct xt_mtdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int matchsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_match;
 };
 
 struct xtnu_target {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
+	char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
 	unsigned int (*target)(struct sk_buff **,
-		const struct xt_target_param *);
-	bool (*checkentry)(const struct xt_tgchk_param *);
+		const struct xt_action_param *);
+	int (*checkentry)(const struct xt_tgchk_param *);
 	void (*destroy)(const struct xt_tgdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int targetsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_target;
 };
@@ -126,18 +53,7 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
 	return q;
 }
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-static inline __wsum csum_unfold(__sum16 n)
-{
-	return (__force __wsum)n;
-}
-#endif
-
-extern int xtnu_ip_local_out(struct sk_buff *);
-extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
-extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
 extern int xtnu_register_match(struct xtnu_match *);
-extern int xtnu_ip_route_output_key(void *, struct rtable **, struct flowi *);
 extern void xtnu_unregister_match(struct xtnu_match *);
 extern int xtnu_register_matches(struct xtnu_match *, unsigned int);
 extern void xtnu_unregister_matches(struct xtnu_match *, unsigned int);
@@ -145,13 +61,7 @@ extern int xtnu_register_target(struct xtnu_target *);
 extern void xtnu_unregister_target(struct xtnu_target *);
 extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
 extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
-extern struct xt_match *xtnu_request_find_match(unsigned int,
-	const char *, uint8_t);
-extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);
-extern void xtnu_csum_replace2(__u16 __bitwise *, __be16, __be16);
-extern void xtnu_csum_replace4(__u16 __bitwise *, __be32, __be32);
-extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
-	__be32, __be32, bool);
-extern int xtnu_skb_linearize(struct sk_buff *);
+
+extern void *HX_memmem(const void *, size_t, const void *, size_t);
 
 #endif /* _COMPAT_XTNU_H */

extensions/ip6table_rawpost.c

@@ -1,107 +0,0 @@
-/*
- *	rawpost table for ip6_tables
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
- *	placed in the Public Domain
- */
-#include <linux/module.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <net/ip.h>
-#include "compat_xtables.h"
-#include "compat_rawpost.h"
-
-enum {
-	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
-};
-
-static struct {
-	struct ip6t_replace repl;
-	struct ip6t_standard entries[1];
-	struct ip6t_error term;
-} rawpost6_initial __initdata = {
-	.repl = {
-		.name        = "rawpost",
-		.valid_hooks = RAWPOST_VALID_HOOKS,
-		.num_entries = 2,
-		.size        = sizeof(struct ip6t_standard) +
-		               sizeof(struct ip6t_error),
-		.hook_entry  = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-		.underflow = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-	},
-	.entries = {
-		IP6T_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
-	},
-	.term = IP6T_ERROR_INIT,		/* ERROR */
-};
-
-static struct xt_table *rawpost6_ptable;
-
-static struct xt_table rawpost6_itable = {
-	.name        = "rawpost",
-	.af          = NFPROTO_IPV6,
-	.valid_hooks = RAWPOST_VALID_HOOKS,
-	.me          = THIS_MODULE,
-};
-
-static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
-    const struct net_device *in, const struct net_device *out,
-    int (*okfn)(struct sk_buff *))
-{
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
-#else
-	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable, NULL);
-#endif
-}
-
-static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
-	.hook     = rawpost6_hook_fn,
-	.pf       = NFPROTO_IPV6,
-	.hooknum  = NF_INET_POST_ROUTING,
-	.priority = NF_IP6_PRI_LAST,
-	.owner    = THIS_MODULE,
-};
-
-static int __init rawpost6_table_init(void)
-{
-	int ret;
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
-	rwlock_init(&rawpost6_itable.lock);
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
-	rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
-	                  &rawpost6_initial.repl);
-	if (IS_ERR(rawpost6_ptable))
-		return PTR_ERR(rawpost6_ptable);
-#else
-	ret = ip6t_register_table(&rawpost6_itable, &rawpost6_initial.repl);
-	if (ret < 0)
-		return ret;
-	rawpost6_ptable = &rawpost6_itable;
-#endif
-
-	ret = nf_register_hook(&rawpost6_hook_ops);
-	if (ret < 0)
-		goto out;
-
-	return ret;
-
- out:
-	ip6t_unregister_table(rawpost6_ptable);
-	return ret;
-}
-
-static void __exit rawpost6_table_exit(void)
-{
-	nf_unregister_hook(&rawpost6_hook_ops);
-	ip6t_unregister_table(rawpost6_ptable);
-}
-
-module_init(rawpost6_table_init);
-module_exit(rawpost6_table_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_LICENSE("GPL");

extensions/ipset/.gitignore

@@ -1 +0,0 @@
-/ipset

extensions/ipset/Kbuild

@@ -1,6 +0,0 @@
-# -*- Makefile -*-
-
-obj-m += ipt_set.o ipt_SET.o
-obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
-obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
-obj-m += ip_set_iptree.o ip_set_iptreemap.o

extensions/ipset/Makefile.am

@@ -1,9 +0,0 @@
-# -*- Makefile -*-
-
-AM_CFLAGS = ${regular_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
-
-include ../../Makefile.extra
-
-sbin_PROGRAMS = ipset
-ipset_LDADD   = -ldl
-ipset_LDFLAGS = -rdynamic

extensions/ipset/Mbuild

@@ -1,7 +0,0 @@
-# -*- Makefile -*-
-
-obj-m += $(addprefix lib,$(patsubst %.c,%.so,$(notdir \
-	$(wildcard ${XA_SRCDIR}/ipset_*.c))))
-
-libipset_%.oo: ${XA_SRCDIR}/ipset_%.c
-	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;

extensions/ipset/ip_set.h

@@ -1,582 +0,0 @@
-#ifndef _IP_SET_H
-#define _IP_SET_H
-
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- *                         Patrick Schaaf <bof@bof.de>
- *                         Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.  
- */
-
-#ifndef CONFIG_IP_NF_SET_MAX
-	/* from 2 to 65534 */
-#	define CONFIG_IP_NF_SET_MAX 256
-#endif
-#ifndef CONFIG_IP_NF_SET_HASHSIZE
-#	define CONFIG_IP_NF_SET_HASHSIZE 1024
-#endif
-
-#if 0
-#define IP_SET_DEBUG
-#endif
-
-/*
- * A sockopt of such quality has hardly ever been seen before on the open
- * market!  This little beauty, hardly ever used: above 64, so it's
- * traditionally used for firewalling, not touched (even once!) by the
- * 2.0, 2.2 and 2.4 kernels!
- *
- * Comes with its own certificate of authenticity, valid anywhere in the
- * Free world!
- *
- * Rusty, 19.4.2000
- */
-#define SO_IP_SET 		83
-
-/*
- * Heavily modify by Joakim Axelsson 08.03.2002
- * - Made it more modulebased
- *
- * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
- * - bindings added
- * - in order to "deal with" backward compatibility, renamed to ipset
- */
-
-/* 
- * Used so that the kernel module and ipset-binary can match their versions 
- */
-#define IP_SET_PROTOCOL_VERSION 3
-
-#define IP_SET_MAXNAMELEN 32	/* set names and set typenames */
-
-/* Lets work with our own typedef for representing an IP address.
- * We hope to make the code more portable, possibly to IPv6...
- *
- * The representation works in HOST byte order, because most set types
- * will perform arithmetic operations and compare operations.
- * 
- * For now the type is an uint32_t.
- *
- * Make sure to ONLY use the functions when translating and parsing
- * in order to keep the host byte order and make it more portable:
- *  parse_ip()
- *  parse_mask()
- *  parse_ipandmask()
- *  ip_tostring()
- * (Joakim: where are they???)
- */
-
-typedef uint32_t ip_set_ip_t;
-
-/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
- * and IP_SET_INVALID_ID if you want to increase the max number of sets.
- */
-typedef uint16_t ip_set_id_t;
-
-#define IP_SET_INVALID_ID	65535
-
-/* How deep we follow bindings */
-#define IP_SET_MAX_BINDINGS	6
-
-/*
- * Option flags for kernel operations (ipt_set_info)
- */
-#define IPSET_SRC 		0x01	/* Source match/add */
-#define IPSET_DST		0x02	/* Destination match/add */
-#define IPSET_MATCH_INV		0x04	/* Inverse matching */
-
-/*
- * Set features
- */
-#define IPSET_TYPE_IP		0x01	/* IP address type of set */
-#define IPSET_TYPE_PORT		0x02	/* Port type of set */
-#define IPSET_DATA_SINGLE	0x04	/* Single data storage */
-#define IPSET_DATA_DOUBLE	0x08	/* Double data storage */
-#define IPSET_DATA_TRIPLE	0x10	/* Triple data storage */
-#define IPSET_TYPE_IP1		0x20	/* IP address type of set */
-#define IPSET_TYPE_SETNAME	0x40	/* setname type of set */
-
-/* Reserved keywords */
-#define IPSET_TOKEN_DEFAULT	":default:"
-#define IPSET_TOKEN_ALL		":all:"
-
-/* SO_IP_SET operation constants, and their request struct types.
- *
- * Operation ids:
- *	  0-99:	 commands with version checking
- *	100-199: add/del/test/bind/unbind
- *	200-299: list, save, restore
- */
-
-/* Single shot operations: 
- * version, create, destroy, flush, rename and swap 
- *
- * Sets are identified by name.
- */
-
-#define IP_SET_REQ_STD		\
-	unsigned op;		\
-	unsigned version;	\
-	char name[IP_SET_MAXNAMELEN]
-
-#define IP_SET_OP_CREATE	0x00000001	/* Create a new (empty) set */
-struct ip_set_req_create {
-	IP_SET_REQ_STD;
-	char typename[IP_SET_MAXNAMELEN];
-};
-
-#define IP_SET_OP_DESTROY	0x00000002	/* Remove a (empty) set */
-struct ip_set_req_std {
-	IP_SET_REQ_STD;
-};
-
-#define IP_SET_OP_FLUSH		0x00000003	/* Remove all IPs in a set */
-/* Uses ip_set_req_std */
-
-#define IP_SET_OP_RENAME	0x00000004	/* Rename a set */
-/* Uses ip_set_req_create */
-
-#define IP_SET_OP_SWAP		0x00000005	/* Swap two sets */
-/* Uses ip_set_req_create */
-
-union ip_set_name_index {
-	char name[IP_SET_MAXNAMELEN];
-	ip_set_id_t index;
-};
-
-#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
-struct ip_set_req_get_set {
-	unsigned op;
-	unsigned version;
-	union ip_set_name_index set;
-};
-
-#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
-/* Uses ip_set_req_get_set */
-
-#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
-struct ip_set_req_version {
-	unsigned op;
-	unsigned version;
-};
-
-/* Double shots operations: 
- * add, del, test, bind and unbind.
- *
- * First we query the kernel to get the index and type of the target set,
- * then issue the command. Validity of IP is checked in kernel in order
- * to minimalize sockopt operations.
- */
-
-/* Get minimal set data for add/del/test/bind/unbind IP */
-#define IP_SET_OP_ADT_GET	0x00000010	/* Get set and type */
-struct ip_set_req_adt_get {
-	unsigned op;
-	unsigned version;
-	union ip_set_name_index set;
-	char typename[IP_SET_MAXNAMELEN];
-};
-
-#define IP_SET_REQ_BYINDEX	\
-	unsigned op;		\
-	ip_set_id_t index;
-
-struct ip_set_req_adt {
-	IP_SET_REQ_BYINDEX;
-};
-
-#define IP_SET_OP_ADD_IP	0x00000101	/* Add an IP to a set */
-/* Uses ip_set_req_adt, with type specific addage */
-
-#define IP_SET_OP_DEL_IP	0x00000102	/* Remove an IP from a set */
-/* Uses ip_set_req_adt, with type specific addage */
-
-#define IP_SET_OP_TEST_IP	0x00000103	/* Test an IP in a set */
-/* Uses ip_set_req_adt, with type specific addage */
-
-#define IP_SET_OP_BIND_SET	0x00000104	/* Bind an IP to a set */
-/* Uses ip_set_req_bind, with type specific addage */
-struct ip_set_req_bind {
-	IP_SET_REQ_BYINDEX;
-	char binding[IP_SET_MAXNAMELEN];
-};
-
-#define IP_SET_OP_UNBIND_SET	0x00000105	/* Unbind an IP from a set */
-/* Uses ip_set_req_bind, with type speficic addage 
- * index = 0 means unbinding for all sets */
-
-#define IP_SET_OP_TEST_BIND_SET	0x00000106	/* Test binding an IP to a set */
-/* Uses ip_set_req_bind, with type specific addage */
-
-/* Multiple shots operations: list, save, restore.
- *
- * - check kernel version and query the max number of sets
- * - get the basic information on all sets
- *   and size required for the next step
- * - get actual set data: header, data, bindings
- */
-
-/* Get max_sets and the index of a queried set
- */
-#define IP_SET_OP_MAX_SETS	0x00000020
-struct ip_set_req_max_sets {
-	unsigned op;
-	unsigned version;
-	ip_set_id_t max_sets;		/* max_sets */
-	ip_set_id_t sets;		/* real number of sets */
-	union ip_set_name_index set;	/* index of set if name used */
-};
-
-/* Get the id and name of the sets plus size for next step */
-#define IP_SET_OP_LIST_SIZE	0x00000201
-#define IP_SET_OP_SAVE_SIZE	0x00000202
-struct ip_set_req_setnames {
-	unsigned op;
-	ip_set_id_t index;		/* set to list/save */
-	u_int32_t size;			/* size to get setdata/bindings */
-	/* followed by sets number of struct ip_set_name_list */
-};
-
-struct ip_set_name_list {
-	char name[IP_SET_MAXNAMELEN];
-	char typename[IP_SET_MAXNAMELEN];
-	ip_set_id_t index;
-	ip_set_id_t id;
-};
-
-/* The actual list operation */
-#define IP_SET_OP_LIST		0x00000203
-struct ip_set_req_list {
-	IP_SET_REQ_BYINDEX;
-	/* sets number of struct ip_set_list in reply */ 
-};
-
-struct ip_set_list {
-	ip_set_id_t index;
-	ip_set_id_t binding;
-	u_int32_t ref;
-	u_int32_t header_size;	/* Set header data of header_size */
-	u_int32_t members_size;	/* Set members data of members_size */
-	u_int32_t bindings_size;/* Set bindings data of bindings_size */
-};
-
-struct ip_set_hash_list {
-	ip_set_ip_t ip;
-	ip_set_id_t binding;
-};
-
-/* The save operation */
-#define IP_SET_OP_SAVE		0x00000204
-/* Uses ip_set_req_list, in the reply replaced by
- * sets number of struct ip_set_save plus a marker
- * ip_set_save followed by ip_set_hash_save structures.
- */
-struct ip_set_save {
-	ip_set_id_t index;
-	ip_set_id_t binding;
-	u_int32_t header_size;	/* Set header data of header_size */
-	u_int32_t members_size;	/* Set members data of members_size */
-};
-
-/* At restoring, ip == 0 means default binding for the given set: */
-struct ip_set_hash_save {
-	ip_set_ip_t ip;
-	ip_set_id_t id;
-	ip_set_id_t binding;
-};
-
-/* The restore operation */
-#define IP_SET_OP_RESTORE	0x00000205
-/* Uses ip_set_req_setnames followed by ip_set_restore structures
- * plus a marker ip_set_restore, followed by ip_set_hash_save 
- * structures.
- */
-struct ip_set_restore {
-	char name[IP_SET_MAXNAMELEN];
-	char typename[IP_SET_MAXNAMELEN];
-	ip_set_id_t index;
-	u_int32_t header_size;	/* Create data of header_size */
-	u_int32_t members_size;	/* Set members data of members_size */
-};
-
-static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
-{
-	return 4 * ((((b - a + 8) / 8) + 3) / 4);
-}
-
-/* General limit for the elements in a set */
-#define MAX_RANGE 0x0000FFFF
-
-#ifdef __KERNEL__
-#include "ip_set_compat.h"
-#include "ip_set_malloc.h"
-
-#define ip_set_printk(format, args...) 			\
-	do {							\
-		printk("%s: %s: ", __FILE__, __FUNCTION__);	\
-		printk(format "\n" , ## args);			\
-	} while (0)
-
-#if defined(IP_SET_DEBUG)
-#define DP(format, args...) 					\
-	do {							\
-		printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
-		printk(format "\n" , ## args);			\
-	} while (0)
-#define IP_SET_ASSERT(x)					\
-	do {							\
-		if (!(x))					\
-			printk("IP_SET_ASSERT: %s:%i(%s)\n",	\
-				__FILE__, __LINE__, __FUNCTION__); \
-	} while (0)
-#else
-#define DP(format, args...)
-#define IP_SET_ASSERT(x)
-#endif
-
-struct ip_set;
-
-/*
- * The ip_set_type definition - one per set type, e.g. "ipmap".
- *
- * Each individual set has a pointer, set->type, going to one
- * of these structures. Function pointers inside the structure implement
- * the real behaviour of the sets.
- *
- * If not mentioned differently, the implementation behind the function
- * pointers of a set_type, is expected to return 0 if ok, and a negative
- * errno (e.g. -EINVAL) on error.
- */
-struct ip_set_type {
-	struct list_head list;	/* next in list of set types */
-
-	/* test for IP in set (kernel: iptables -m set src|dst)
-	 * return 0 if not in set, 1 if in set.
-	 */
-	int (*testip_kernel) (struct ip_set *set,
-			      const struct sk_buff * skb, 
-			      ip_set_ip_t *ip,
-			      const u_int32_t *flags,
-			      unsigned char index);
-
-	/* test for IP in set (userspace: ipset -T set IP)
-	 * return 0 if not in set, 1 if in set.
-	 */
-	int (*testip) (struct ip_set *set,
-		       const void *data, u_int32_t size,
-		       ip_set_ip_t *ip);
-
-	/*
-	 * Size of the data structure passed by when
-	 * adding/deletin/testing an entry.
-	 */
-	u_int32_t reqsize;
-
-	/* Add IP into set (userspace: ipset -A set IP)
-	 * Return -EEXIST if the address is already in the set,
-	 * and -ERANGE if the address lies outside the set bounds.
-	 * If the address was not already in the set, 0 is returned.
-	 */
-	int (*addip) (struct ip_set *set, 
-		      const void *data, u_int32_t size,
-		      ip_set_ip_t *ip);
-
-	/* Add IP into set (kernel: iptables ... -j SET set src|dst)
-	 * Return -EEXIST if the address is already in the set,
-	 * and -ERANGE if the address lies outside the set bounds.
-	 * If the address was not already in the set, 0 is returned.
-	 */
-	int (*addip_kernel) (struct ip_set *set,
-			     const struct sk_buff * skb, 
-			     ip_set_ip_t *ip,
-			     const u_int32_t *flags,
-			     unsigned char index);
-
-	/* remove IP from set (userspace: ipset -D set --entry x)
-	 * Return -EEXIST if the address is NOT in the set,
-	 * and -ERANGE if the address lies outside the set bounds.
-	 * If the address really was in the set, 0 is returned.
-	 */
-	int (*delip) (struct ip_set *set, 
-		      const void *data, u_int32_t size,
-		      ip_set_ip_t *ip);
-
-	/* remove IP from set (kernel: iptables ... -j SET --entry x)
-	 * Return -EEXIST if the address is NOT in the set,
-	 * and -ERANGE if the address lies outside the set bounds.
-	 * If the address really was in the set, 0 is returned.
-	 */
-	int (*delip_kernel) (struct ip_set *set,
-			     const struct sk_buff * skb, 
-			     ip_set_ip_t *ip,
-			     const u_int32_t *flags,
-			     unsigned char index);
-
-	/* new set creation - allocated type specific items
-	 */
-	int (*create) (struct ip_set *set,
-		       const void *data, u_int32_t size);
-
-	/* retry the operation after successfully tweaking the set
-	 */
-	int (*retry) (struct ip_set *set);
-
-	/* set destruction - free type specific items
-	 * There is no return value.
-	 * Can be called only when child sets are destroyed.
-	 */
-	void (*destroy) (struct ip_set *set);
-
-	/* set flushing - reset all bits in the set, or something similar.
-	 * There is no return value.
-	 */
-	void (*flush) (struct ip_set *set);
-
-	/* Listing: size needed for header
-	 */
-	u_int32_t header_size;
-
-	/* Listing: Get the header
-	 *
-	 * Fill in the information in "data".
-	 * This function is always run after list_header_size() under a 
-	 * writelock on the set. Therefor is the length of "data" always 
-	 * correct. 
-	 */
-	void (*list_header) (const struct ip_set *set, 
-			     void *data);
-
-	/* Listing: Get the size for the set members
-	 */
-	int (*list_members_size) (const struct ip_set *set);
-
-	/* Listing: Get the set members
-	 *
-	 * Fill in the information in "data".
-	 * This function is always run after list_member_size() under a 
-	 * writelock on the set. Therefor is the length of "data" always 
-	 * correct. 
-	 */
-	void (*list_members) (const struct ip_set *set,
-			      void *data);
-
-	char typename[IP_SET_MAXNAMELEN];
-	unsigned char features;
-	int protocol_version;
-
-	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
-	struct module *me;
-};
-
-extern int ip_set_register_set_type(struct ip_set_type *set_type);
-extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
-
-/* A generic ipset */
-struct ip_set {
-	char name[IP_SET_MAXNAMELEN];	/* the name of the set */
-	rwlock_t lock;			/* lock for concurrency control */
-	ip_set_id_t id;			/* set id for swapping */
-	ip_set_id_t binding;		/* default binding for the set */
-	atomic_t ref;			/* in kernel and in hash references */
-	struct ip_set_type *type; 	/* the set types */
-	void *data;			/* pooltype specific data */
-};
-
-/* Structure to bind set elements to sets */
-struct ip_set_hash {
-	struct list_head list;		/* list of clashing entries in hash */
-	ip_set_ip_t ip;			/* ip from set */
-	ip_set_id_t id;			/* set id */
-	ip_set_id_t binding;		/* set we bind the element to */
-};
-
-/* register and unregister set references */
-extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
-extern ip_set_id_t ip_set_get_byindex(ip_set_id_t index);
-extern void ip_set_put_byindex(ip_set_id_t index);
-extern ip_set_id_t ip_set_id(ip_set_id_t index);
-extern ip_set_id_t __ip_set_get_byname(const char name[IP_SET_MAXNAMELEN],
-				       struct ip_set **set);
-extern void __ip_set_put_byindex(ip_set_id_t index);
-
-/* API for iptables set match, and SET target */
-extern int ip_set_addip_kernel(ip_set_id_t id,
-			       const struct sk_buff *skb,
-			       const u_int32_t *flags);
-extern int ip_set_delip_kernel(ip_set_id_t id,
-			       const struct sk_buff *skb,
-			       const u_int32_t *flags);
-extern int ip_set_testip_kernel(ip_set_id_t id,
-				const struct sk_buff *skb,
-				const u_int32_t *flags);
-
-/* Macros to generate functions */
-
-#define STRUCT(pre, type)	CONCAT2(pre, type)
-#define CONCAT2(pre, type)	struct pre##type
-
-#define FNAME(pre, mid, post)	CONCAT3(pre, mid, post)
-#define CONCAT3(pre, mid, post)	pre##mid##post
-
-#define UADT0(type, adt, args...)					\
-static int								\
-FNAME(type,_u,adt)(struct ip_set *set, const void *data, u_int32_t size,\
-	     ip_set_ip_t *hash_ip)					\
-{									\
-	const STRUCT(ip_set_req_,type) *req = data;			\
-									\
-	return FNAME(type,_,adt)(set, hash_ip , ## args);		\
-}
-
-#define UADT(type, adt, args...)					\
-	UADT0(type, adt, req->ip , ## args)
-
-#define KADT(type, adt, getfn, args...)					\
-static int								\
-FNAME(type,_k,adt)(struct ip_set *set,					\
-	     const struct sk_buff *skb,					\
-	     ip_set_ip_t *hash_ip,					\
-	     const u_int32_t *flags,					\
-	     unsigned char index)					\
-{									\
-	ip_set_ip_t ip = getfn(skb, flags[index]);			\
-									\
-	KADT_CONDITION							\
-	return FNAME(type,_,adt)(set, hash_ip, ip , ##args);		\
-}
-
-#define REGISTER_MODULE(type)						\
-static int __init ip_set_##type##_init(void)				\
-{									\
-	init_max_page_size();						\
-	return ip_set_register_set_type(&ip_set_##type);		\
-}									\
-									\
-static void __exit ip_set_##type##_fini(void)				\
-{									\
-	/* FIXME: possible race with ip_set_create() */			\
-	ip_set_unregister_set_type(&ip_set_##type);			\
-}									\
-									\
-module_init(ip_set_##type##_init);					\
-module_exit(ip_set_##type##_fini);
-
-/* Common functions */
-
-static inline ip_set_ip_t
-ipaddr(const struct sk_buff *skb, u_int32_t flag)
-{
-	return ntohl(flag & IPSET_SRC ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr);
-}
-
-#define jhash_ip(map, i, ip)	jhash_1word(ip, *(map->initval + i))
-
-#define pack_ip_port(map, ip, port) \
-	(port + ((ip - ((map)->first_ip)) << 16))
-
-#endif				/* __KERNEL__ */
-
-#endif /*_IP_SET_H*/

extensions/ipset/ip_set_bitmaps.h

@@ -1,121 +0,0 @@
-#ifndef __IP_SET_BITMAPS_H
-#define __IP_SET_BITMAPS_H
-
-/* Macros to generate functions */
-
-#ifdef __KERNEL__
-#define BITMAP_CREATE(type)						\
-static int								\
-type##_create(struct ip_set *set, const void *data, u_int32_t size)	\
-{									\
-	int newbytes;							\
-	const struct ip_set_req_##type##_create *req = data;		\
-	struct ip_set_##type *map;					\
-									\
-	if (req->from > req->to) {					\
-		DP("bad range");					\
-		return -ENOEXEC;					\
-	}								\
-									\
-	map = kmalloc(sizeof(struct ip_set_##type), GFP_KERNEL);	\
-	if (!map) {							\
-		DP("out of memory for %zu bytes",			\
-		   sizeof(struct ip_set_##type));			\
-		return -ENOMEM;						\
-	}								\
-	map->first_ip = req->from;					\
-	map->last_ip = req->to;						\
-									\
-	newbytes = __##type##_create(req, map);				\
-	if (newbytes < 0) {						\
-		kfree(map);						\
-		return newbytes;					\
-	}								\
-									\
-	map->size = newbytes;						\
-	map->members = ip_set_malloc(newbytes);				\
-	if (!map->members) {						\
-		DP("out of memory for %i bytes", newbytes);		\
-		kfree(map);						\
-		return -ENOMEM;						\
-	}								\
-	memset(map->members, 0, newbytes);				\
-									\
-	set->data = map;						\
-	return 0;							\
-}
-
-#define BITMAP_DESTROY(type)						\
-static void								\
-type##_destroy(struct ip_set *set)					\
-{									\
-	struct ip_set_##type *map = set->data;				\
-									\
-	ip_set_free(map->members, map->size);				\
-	kfree(map);							\
-									\
-	set->data = NULL;						\
-}
-
-#define BITMAP_FLUSH(type)						\
-static void								\
-type##_flush(struct ip_set *set)					\
-{									\
-	struct ip_set_##type *map = set->data;				\
-	memset(map->members, 0, map->size);				\
-}
-
-#define BITMAP_LIST_HEADER(type)					\
-static void								\
-type##_list_header(const struct ip_set *set, void *data)		\
-{									\
-	const struct ip_set_##type *map = set->data;			\
-	struct ip_set_req_##type##_create *header = data;		\
-									\
-	header->from = map->first_ip;					\
-	header->to = map->last_ip;					\
-	__##type##_list_header(map, header);				\
-}
-
-#define BITMAP_LIST_MEMBERS_SIZE(type)					\
-static int								\
-type##_list_members_size(const struct ip_set *set)			\
-{									\
-	const struct ip_set_##type *map = set->data;			\
-									\
-	return map->size;						\
-}
-
-#define BITMAP_LIST_MEMBERS(type)					\
-static void								\
-type##_list_members(const struct ip_set *set, void *data)		\
-{									\
-	const struct ip_set_##type *map = set->data;			\
-									\
-	memcpy(data, map->members, map->size);				\
-}
-
-#define IP_SET_TYPE(type, __features)					\
-struct ip_set_type ip_set_##type = {					\
-	.typename		= #type,				\
-	.features		= __features,				\
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,		\
-	.create			= &type##_create,			\
-	.destroy		= &type##_destroy,			\
-	.flush			= &type##_flush,			\
-	.reqsize		= sizeof(struct ip_set_req_##type),	\
-	.addip			= &type##_uadd,				\
-	.addip_kernel		= &type##_kadd,				\
-	.delip			= &type##_udel,				\
-	.delip_kernel		= &type##_kdel,				\
-	.testip			= &type##_utest,			\
-	.testip_kernel		= &type##_ktest,			\
-	.header_size		= sizeof(struct ip_set_req_##type##_create),\
-	.list_header		= &type##_list_header,			\
-	.list_members_size	= &type##_list_members_size,		\
-	.list_members		= &type##_list_members,			\
-	.me			= THIS_MODULE,				\
-};
-#endif /* __KERNEL */
-
-#endif /* __IP_SET_BITMAPS_H */

extensions/ipset/ip_set_compat.h

@@ -1,71 +0,0 @@
-#ifndef _IP_SET_COMPAT_H
-#define _IP_SET_COMPAT_H
-
-#ifdef __KERNEL__
-#include <linux/version.h>
-
-/* Arrgh */
-#ifdef MODULE
-#define __MOD_INC(foo)		__MOD_INC_USE_COUNT(foo)
-#define __MOD_DEC(foo)		__MOD_DEC_USE_COUNT(foo)
-#else
-#define __MOD_INC(foo)		1
-#define __MOD_DEC(foo)
-#endif
-
-/* Backward compatibility */
-#ifndef __nocast
-#define __nocast
-#endif
-#ifndef __bitwise__
-#define __bitwise__
-#endif
-
-/* Compatibility glue code */
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
-#include <linux/interrupt.h>
-#define DEFINE_RWLOCK(x)                rwlock_t x = RW_LOCK_UNLOCKED
-#define try_module_get(x)		__MOD_INC(x)
-#define module_put(x)                   __MOD_DEC(x)
-#define __clear_bit(nr, addr)		clear_bit(nr, addr)
-#define __set_bit(nr, addr)		set_bit(nr, addr)
-#define __test_and_set_bit(nr, addr)	test_and_set_bit(nr, addr)
-#define __test_and_clear_bit(nr, addr)	test_and_clear_bit(nr, addr)
-
-typedef unsigned __bitwise__ gfp_t;
-
-static inline void *kzalloc(size_t size, gfp_t flags)
-{
-	void *data = kmalloc(size, flags);
-	
-	if (data)
-		memset(data, 0, size);
-	
-	return data;
-}
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
-#define __KMEM_CACHE_T__	kmem_cache_t
-#else
-#define __KMEM_CACHE_T__	struct kmem_cache
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
-#define ip_hdr(skb)		((skb)->nh.iph)
-#define skb_mac_header(skb)	((skb)->mac.raw)
-#define eth_hdr(skb)		((struct ethhdr *)skb_mac_header(skb))
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
-#include <linux/netfilter.h>
-#define KMEM_CACHE_CREATE(name, size) \
-	kmem_cache_create(name, size, 0, 0, NULL, NULL)
-#else
-#define KMEM_CACHE_CREATE(name, size) \
-	kmem_cache_create(name, size, 0, 0, NULL)
-#endif
-  
-
-#endif /* __KERNEL__ */
-#endif /* _IP_SET_COMPAT_H */   

extensions/ipset/ip_set_getport.h

@@ -1,48 +0,0 @@
-#ifndef _IP_SET_GETPORT_H
-#define _IP_SET_GETPORT_H
-
-#ifdef __KERNEL__
-
-#define INVALID_PORT	(MAX_RANGE + 1)
-
-/* We must handle non-linear skbs */
-static inline ip_set_ip_t
-get_port(const struct sk_buff *skb, u_int32_t flags)
-{
-	struct iphdr *iph = ip_hdr(skb);
-	u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET;
-	switch (iph->protocol) {
-	case IPPROTO_TCP: {
-		struct tcphdr tcph;
-		
-		/* See comments at tcp_match in ip_tables.c */
-		if (offset)
-			return INVALID_PORT;
-
-		if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph)) < 0)
-			/* No choice either */
-			return INVALID_PORT;
-	     	
-	     	return ntohs(flags & IPSET_SRC ?
-			     tcph.source : tcph.dest);
-	    }
-	case IPPROTO_UDP: {
-		struct udphdr udph;
-
-		if (offset)
-			return INVALID_PORT;
-
-		if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &udph, sizeof(udph)) < 0)
-			/* No choice either */
-			return INVALID_PORT;
-	     	
-	     	return ntohs(flags & IPSET_SRC ?
-			     udph.source : udph.dest);
-	    }
-	default:
-		return INVALID_PORT;
-	}
-}
-#endif				/* __KERNEL__ */
-
-#endif /*_IP_SET_GETPORT_H*/

extensions/ipset/ip_set_hashes.h

@@ -1,306 +0,0 @@
-#ifndef __IP_SET_HASHES_H
-#define __IP_SET_HASHES_H
-
-#define initval_t uint32_t
-
-/* Macros to generate functions */
-
-#ifdef __KERNEL__
-#define HASH_RETRY0(type, dtype, cond)					\
-static int								\
-type##_retry(struct ip_set *set)					\
-{									\
-	struct ip_set_##type *map = set->data, *tmp;			\
-	dtype *elem;							\
-	void *members;							\
-	u_int32_t i, hashsize = map->hashsize;				\
-	int res;							\
-									\
-	if (map->resize == 0)						\
-		return -ERANGE;						\
-									\
-    again:								\
-    	res = 0;							\
-    									\
-	/* Calculate new hash size */					\
-	hashsize += (hashsize * map->resize)/100;			\
-	if (hashsize == map->hashsize)					\
-		hashsize++;						\
-									\
-	ip_set_printk("rehashing of set %s triggered: "			\
-		      "hashsize grows from %lu to %lu",			\
-		      set->name,					\
-		      (long unsigned)map->hashsize,			\
-		      (long unsigned)hashsize);				\
-		      							\
-	tmp = kmalloc(sizeof(struct ip_set_##type)			\
-		      + map->probes * sizeof(initval_t), GFP_ATOMIC);	\
-	if (!tmp) {							\
-		DP("out of memory for %zu bytes",			\
-		   sizeof(struct ip_set_##type)				\
-		   + map->probes * sizeof(initval_t));			\
-		return -ENOMEM;						\
-	}								\
-	tmp->members = harray_malloc(hashsize, sizeof(dtype), GFP_ATOMIC);\
-	if (!tmp->members) {						\
-		DP("out of memory for %zu bytes", hashsize * sizeof(dtype));\
-		kfree(tmp);						\
-		return -ENOMEM;						\
-	}								\
-	tmp->hashsize = hashsize;					\
-	tmp->elements = 0;						\
-	tmp->probes = map->probes;					\
-	tmp->resize = map->resize;					\
-	memcpy(tmp->initval, map->initval, map->probes * sizeof(initval_t));\
-	__##type##_retry(tmp, map);					\
-									\
-	write_lock_bh(&set->lock);					\
-	map = set->data; /* Play safe */				\
-	for (i = 0; i < map->hashsize && res == 0; i++) {		\
-		elem = HARRAY_ELEM(map->members, dtype *, i);		\
-		if (cond)						\
-			res = __##type##_add(tmp, elem);		\
-	}								\
-	if (res) {							\
-		/* Failure, try again */				\
-		write_unlock_bh(&set->lock);				\
-		harray_free(tmp->members);				\
-		kfree(tmp);						\
-		goto again;						\
-	}								\
-									\
-	/* Success at resizing! */					\
-	members = map->members;						\
-									\
-	map->hashsize = tmp->hashsize;					\
-	map->members = tmp->members;					\
-	write_unlock_bh(&set->lock);					\
-									\
-	harray_free(members);						\
-	kfree(tmp);							\
-									\
-	return 0;							\
-}
-
-#define HASH_RETRY(type, dtype)						\
-	HASH_RETRY0(type, dtype, *elem)
-
-#define HASH_RETRY2(type, dtype)						\
-	HASH_RETRY0(type, dtype, elem->ip || elem->ip1)
-
-#define HASH_CREATE(type, dtype)					\
-static int								\
-type##_create(struct ip_set *set, const void *data, u_int32_t size)	\
-{									\
-	const struct ip_set_req_##type##_create *req = data;		\
-	struct ip_set_##type *map;					\
-	uint16_t i;							\
-									\
-	if (req->hashsize < 1) {					\
-		ip_set_printk("hashsize too small");			\
-		return -ENOEXEC;					\
-	}								\
-									\
-	if (req->probes < 1) {						\
-		ip_set_printk("probes too small");			\
-		return -ENOEXEC;					\
-	}								\
-									\
-	map = kmalloc(sizeof(struct ip_set_##type)			\
-		      + req->probes * sizeof(initval_t), GFP_KERNEL);	\
-	if (!map) {							\
-		DP("out of memory for %zu bytes",			\
-		   sizeof(struct ip_set_##type)				\
-		   + req->probes * sizeof(initval_t));			\
-		return -ENOMEM;						\
-	}								\
-	for (i = 0; i < req->probes; i++)				\
-		get_random_bytes(((initval_t *) map->initval)+i, 4);	\
-	map->elements = 0;						\
-	map->hashsize = req->hashsize;					\
-	map->probes = req->probes;					\
-	map->resize = req->resize;					\
-	if (__##type##_create(req, map)) {				\
-		kfree(map);						\
-		return -ENOEXEC;					\
-	}								\
-	map->members = harray_malloc(map->hashsize, sizeof(dtype), GFP_KERNEL);\
-	if (!map->members) {						\
-		DP("out of memory for %zu bytes", map->hashsize * sizeof(dtype));\
-		kfree(map);						\
-		return -ENOMEM;						\
-	}								\
-									\
-	set->data = map;						\
-	return 0;							\
-}
-
-#define HASH_DESTROY(type)						\
-static void								\
-type##_destroy(struct ip_set *set)					\
-{									\
-	struct ip_set_##type *map = set->data;				\
-									\
-	harray_free(map->members);					\
-	kfree(map);							\
-									\
-	set->data = NULL;						\
-}
-
-#define HASH_FLUSH(type, dtype)						\
-static void								\
-type##_flush(struct ip_set *set)					\
-{									\
-	struct ip_set_##type *map = set->data;				\
-	harray_flush(map->members, map->hashsize, sizeof(dtype));	\
-	map->elements = 0;						\
-}
-
-#define HASH_FLUSH_CIDR(type, dtype)					\
-static void								\
-type##_flush(struct ip_set *set)					\
-{									\
-	struct ip_set_##type *map = set->data;				\
-	harray_flush(map->members, map->hashsize, sizeof(dtype));	\
-	memset(map->cidr, 0, sizeof(map->cidr));			\
-	memset(map->nets, 0, sizeof(map->nets));			\
-	map->elements = 0;						\
-}
-
-#define HASH_LIST_HEADER(type)						\
-static void								\
-type##_list_header(const struct ip_set *set, void *data)		\
-{									\
-	const struct ip_set_##type *map = set->data;			\
-	struct ip_set_req_##type##_create *header = data;		\
-									\
-	header->hashsize = map->hashsize;				\
-	header->probes = map->probes;					\
-	header->resize = map->resize;					\
-	__##type##_list_header(map, header);				\
-}
-
-#define HASH_LIST_MEMBERS_SIZE(type, dtype)				\
-static int								\
-type##_list_members_size(const struct ip_set *set)			\
-{									\
-	const struct ip_set_##type *map = set->data;			\
-									\
-	return (map->hashsize * sizeof(dtype));				\
-}
-
-#define HASH_LIST_MEMBERS(type, dtype)					\
-static void								\
-type##_list_members(const struct ip_set *set, void *data)		\
-{									\
-	const struct ip_set_##type *map = set->data;			\
-	dtype *elem;							\
-	uint32_t i;							\
-									\
-	for (i = 0; i < map->hashsize; i++) {				\
-		elem = HARRAY_ELEM(map->members, dtype *, i);		\
-		((dtype *)data)[i] = *elem;				\
-	}								\
-}
-
-#define HASH_LIST_MEMBERS_MEMCPY(type, dtype)				\
-static void								\
-type##_list_members(const struct ip_set *set, void *data)		\
-{									\
-	const struct ip_set_##type *map = set->data;			\
-	dtype *elem;							\
-	uint32_t i;							\
-									\
-	for (i = 0; i < map->hashsize; i++) {				\
-		elem = HARRAY_ELEM(map->members, dtype *, i);		\
-		memcpy((((dtype *)data)+i), elem, sizeof(dtype));	\
-	}								\
-}
-
-#define IP_SET_RTYPE(type, __features)					\
-struct ip_set_type ip_set_##type = {					\
-	.typename		= #type,				\
-	.features		= __features,				\
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,		\
-	.create			= &type##_create,			\
-	.retry			= &type##_retry,			\
-	.destroy		= &type##_destroy,			\
-	.flush			= &type##_flush,			\
-	.reqsize		= sizeof(struct ip_set_req_##type),	\
-	.addip			= &type##_uadd,				\
-	.addip_kernel		= &type##_kadd,				\
-	.delip			= &type##_udel,				\
-	.delip_kernel		= &type##_kdel,				\
-	.testip			= &type##_utest,			\
-	.testip_kernel		= &type##_ktest,			\
-	.header_size		= sizeof(struct ip_set_req_##type##_create),\
-	.list_header		= &type##_list_header,			\
-	.list_members_size	= &type##_list_members_size,		\
-	.list_members		= &type##_list_members,			\
-	.me			= THIS_MODULE,				\
-};
-
-/* Helper functions */
-static inline void
-add_cidr_size(uint8_t *cidr, uint8_t size)
-{
-	uint8_t next;
-	int i;
-	
-	for (i = 0; i < 30 && cidr[i]; i++) {
-		if (cidr[i] < size) {
-			next = cidr[i];
-			cidr[i] = size;
-			size = next;
-		}
-	}
-	if (i < 30)
-		cidr[i] = size;
-}
-
-static inline void
-del_cidr_size(uint8_t *cidr, uint8_t size)
-{
-	int i;
-	
-	for (i = 0; i < 29 && cidr[i]; i++) {
-		if (cidr[i] == size)
-			cidr[i] = size = cidr[i+1];
-	}
-	cidr[29] = 0;
-}
-#else
-#include <arpa/inet.h>
-#endif /* __KERNEL */
-
-#ifndef UINT16_MAX
-#define UINT16_MAX 65535
-#endif
-
-static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1};
-
-static inline ip_set_ip_t 
-pack_ip_cidr(ip_set_ip_t ip, unsigned char cidr)
-{
-	ip_set_ip_t addr, *paddr = &addr;
-	unsigned char n, t, *a;
-
-	addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr))));
-#ifdef __KERNEL__
-	DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr);
-#endif
-	n = cidr / 8;
-	t = cidr % 8;	
-	a = &((unsigned char *)paddr)[n];
-	*a = *a /(1 << (8 - t)) + shifts[t];
-#ifdef __KERNEL__
-	DP("n: %u, t: %u, a: %u", n, t, *a);
-	DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u",
-	   HIPQUAD(ip), cidr, NIPQUAD(addr));
-#endif
-
-	return ntohl(addr);
-}
-
-
-#endif /* __IP_SET_HASHES_H */

extensions/ipset/ip_set_iphash.c

@@ -1,166 +0,0 @@
-/* Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing an ip hash set */
-
-#include <linux/module.h>
-#include <linux/moduleparam.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-#include "ip_set_jhash.h"
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-#include <linux/random.h>
-
-#include <net/ip.h>
-
-#include "ip_set_iphash.h"
-
-static int limit = MAX_RANGE;
-
-static inline __u32
-iphash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_iphash *map = set->data;
-	__u32 id;
-	u_int16_t i;
-	ip_set_ip_t *elem;
-
-	*hash_ip = ip & map->netmask;
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip), HIPQUAD(map->netmask));
-	
-	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip(map, i, *hash_ip) % map->hashsize;
-		DP("hash key: %u", id);
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-		if (*elem == *hash_ip)
-			return id;
-		/* No shortcut - there can be deleted entries. */
-	}
-	return UINT_MAX;
-}
-
-static inline int
-iphash_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	return (ip && iphash_id(set, hash_ip, ip) != UINT_MAX);
-}
-
-#define KADT_CONDITION
-
-UADT(iphash, test)
-KADT(iphash, test, ipaddr)
-
-static inline int
-__iphash_add(struct ip_set_iphash *map, ip_set_ip_t *ip)
-{
-	__u32 probe;
-	u_int16_t i;
-	ip_set_ip_t *elem, *slot = NULL;
-	
-	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip(map, i, *ip) % map->hashsize;
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
-		if (*elem == *ip)
-			return -EEXIST;
-		if (!(slot || *elem))
-			slot = elem;
-		/* There can be deleted entries, must check all slots */
-	}
-	if (slot) {
-		*slot = *ip;
-		map->elements++;
-		return 0;
-	}
-	/* Trigger rehashing */
-	return -EAGAIN;
-}
-
-static inline int
-iphash_add(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_iphash *map = set->data;
-	
-	if (!ip || map->elements >= limit)
-		return -ERANGE;
-
-	*hash_ip = ip & map->netmask;
-	
-	return __iphash_add(map, hash_ip);
-}
-
-UADT(iphash, add)
-KADT(iphash, add, ipaddr)
-
-static inline void
-__iphash_retry(struct ip_set_iphash *tmp, struct ip_set_iphash *map)
-{
-	tmp->netmask = map->netmask;
-}
-
-HASH_RETRY(iphash, ip_set_ip_t)
-
-static inline int
-iphash_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_iphash *map = set->data;
-	ip_set_ip_t id, *elem;
-
-	if (!ip)
-		return -ERANGE;
-
-	id = iphash_id(set, hash_ip, ip);
-	if (id == UINT_MAX)
-		return -EEXIST;
-		
-	elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-	*elem = 0;
-	map->elements--;
-
-	return 0;
-}
-
-UADT(iphash, del)
-KADT(iphash, del, ipaddr)
-
-static inline int
-__iphash_create(const struct ip_set_req_iphash_create *req,
-		struct ip_set_iphash *map)
-{
-	map->netmask = req->netmask;
-	
-	return 0;
-}
-
-HASH_CREATE(iphash, ip_set_ip_t)
-HASH_DESTROY(iphash)
-
-HASH_FLUSH(iphash, ip_set_ip_t)
-
-static inline void
-__iphash_list_header(const struct ip_set_iphash *map,
-		     struct ip_set_req_iphash_create *header)
-{    
-	header->netmask = map->netmask;
-}
-
-HASH_LIST_HEADER(iphash)
-HASH_LIST_MEMBERS_SIZE(iphash, ip_set_ip_t)
-HASH_LIST_MEMBERS(iphash, ip_set_ip_t)
-
-IP_SET_RTYPE(iphash, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iphash type of IP sets");
-module_param(limit, int, 0600);
-MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
-
-REGISTER_MODULE(iphash)

extensions/ipset/ip_set_iphash.h

@@ -1,30 +0,0 @@
-#ifndef __IP_SET_IPHASH_H
-#define __IP_SET_IPHASH_H
-
-#include "ip_set.h"
-#include "ip_set_hashes.h"
-
-#define SETTYPE_NAME "iphash"
-
-struct ip_set_iphash {
-	ip_set_ip_t *members;		/* the iphash proper */
-	uint32_t elements;		/* number of elements */
-	uint32_t hashsize;		/* hash size */
-	uint16_t probes;		/* max number of probes  */
-	uint16_t resize;		/* resize factor in percent */
-	ip_set_ip_t netmask;		/* netmask */
-	initval_t initval[0];		/* initvals for jhash_1word */
-};
-
-struct ip_set_req_iphash_create {
-	uint32_t hashsize;
-	uint16_t probes;
-	uint16_t resize;
-	ip_set_ip_t netmask;
-};
-
-struct ip_set_req_iphash {
-	ip_set_ip_t ip;
-};
-
-#endif	/* __IP_SET_IPHASH_H */

extensions/ipset/ip_set_ipmap.c

@@ -1,142 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- *                         Patrick Schaaf <bof@bof.de>
- * Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing an IP set type: the single bitmap type */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-
-#include "ip_set_ipmap.h"
-
-static inline ip_set_ip_t
-ip_to_id(const struct ip_set_ipmap *map, ip_set_ip_t ip)
-{
-	return (ip - map->first_ip)/map->hosts;
-}
-
-static inline int
-ipmap_test(const struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	const struct ip_set_ipmap *map = set->data;
-	
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	*hash_ip = ip & map->netmask;
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip));
-	return !!test_bit(ip_to_id(map, *hash_ip), map->members);
-}
-
-#define KADT_CONDITION
-
-UADT(ipmap, test)
-KADT(ipmap, test, ipaddr)
-
-static inline int
-ipmap_add(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_ipmap *map = set->data;
-
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	*hash_ip = ip & map->netmask;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
-	if (test_and_set_bit(ip_to_id(map, *hash_ip), map->members))
-		return -EEXIST;
-
-	return 0;
-}
-
-UADT(ipmap, add)
-KADT(ipmap, add, ipaddr)
-
-static inline int
-ipmap_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_ipmap *map = set->data;
-
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	*hash_ip = ip & map->netmask;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
-	if (!test_and_clear_bit(ip_to_id(map, *hash_ip), map->members))
-		return -EEXIST;
-	
-	return 0;
-}
-
-UADT(ipmap, del)
-KADT(ipmap, del, ipaddr)
-
-static inline int
-__ipmap_create(const struct ip_set_req_ipmap_create *req,
-	       struct ip_set_ipmap *map)
-{
-	map->netmask = req->netmask;
-
-	if (req->netmask == 0xFFFFFFFF) {
-		map->hosts = 1;
-		map->sizeid = map->last_ip - map->first_ip + 1;
-	} else {
-		unsigned int mask_bits, netmask_bits;
-		ip_set_ip_t mask;
-
-		map->first_ip &= map->netmask;	/* Should we better bark? */
-
-		mask = range_to_mask(map->first_ip, map->last_ip, &mask_bits);
-		netmask_bits = mask_to_bits(map->netmask);
-
-		if ((!mask && (map->first_ip || map->last_ip != 0xFFFFFFFF))
-		    || netmask_bits <= mask_bits)
-			return -ENOEXEC;
-
-		DP("mask_bits %u, netmask_bits %u",
-		   mask_bits, netmask_bits);
-		map->hosts = 2 << (32 - netmask_bits - 1);
-		map->sizeid = 2 << (netmask_bits - mask_bits - 1);
-	}
-	if (map->sizeid > MAX_RANGE + 1) {
-		ip_set_printk("range too big, %d elements (max %d)",
-			       map->sizeid, MAX_RANGE+1);
-		return -ENOEXEC;
-	}
-	DP("hosts %u, sizeid %u", map->hosts, map->sizeid);
-	return bitmap_bytes(0, map->sizeid - 1);
-}
-
-BITMAP_CREATE(ipmap)
-BITMAP_DESTROY(ipmap)
-BITMAP_FLUSH(ipmap)
-
-static inline void
-__ipmap_list_header(const struct ip_set_ipmap *map,
-		    struct ip_set_req_ipmap_create *header)
-{
-	header->netmask = map->netmask;
-}
-
-BITMAP_LIST_HEADER(ipmap)
-BITMAP_LIST_MEMBERS_SIZE(ipmap)
-BITMAP_LIST_MEMBERS(ipmap)
-
-IP_SET_TYPE(ipmap, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("ipmap type of IP sets");
-
-REGISTER_MODULE(ipmap)

extensions/ipset/ip_set_ipmap.h

@@ -1,57 +0,0 @@
-#ifndef __IP_SET_IPMAP_H
-#define __IP_SET_IPMAP_H
-
-#include "ip_set.h"
-#include "ip_set_bitmaps.h"
-
-#define SETTYPE_NAME "ipmap"
-
-struct ip_set_ipmap {
-	void *members;			/* the ipmap proper */
-	ip_set_ip_t first_ip;		/* host byte order, included in range */
-	ip_set_ip_t last_ip;		/* host byte order, included in range */
-	ip_set_ip_t netmask;		/* subnet netmask */
-	ip_set_ip_t sizeid;		/* size of set in IPs */
-	ip_set_ip_t hosts;		/* number of hosts in a subnet */
-	u_int32_t size;			/* size of the ipmap proper */
-};
-
-struct ip_set_req_ipmap_create {
-	ip_set_ip_t from;
-	ip_set_ip_t to;
-	ip_set_ip_t netmask;
-};
-
-struct ip_set_req_ipmap {
-	ip_set_ip_t ip;
-};
-
-static inline unsigned int
-mask_to_bits(ip_set_ip_t mask)
-{
-	unsigned int bits = 32;
-	ip_set_ip_t maskaddr;
-	
-	if (mask == 0xFFFFFFFF)
-		return bits;
-	
-	maskaddr = 0xFFFFFFFE;
-	while (--bits > 0 && maskaddr != mask)
-		maskaddr <<= 1;
-	
-	return bits;
-}
-
-static inline ip_set_ip_t
-range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits)
-{
-	ip_set_ip_t mask = 0xFFFFFFFE;
-	
-	*bits = 32;
-	while (--(*bits) > 0 && mask && (to & mask) != from)
-		mask <<= 1;
-		
-	return mask;
-}
-	
-#endif /* __IP_SET_IPMAP_H */

extensions/ipset/ip_set_ipporthash.c

@@ -1,203 +0,0 @@
-/* Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing an ip+port hash set */
-
-#include <linux/module.h>
-#include <linux/moduleparam.h>
-#include <linux/ip.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/skbuff.h>
-#include "ip_set_jhash.h"
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-#include <linux/random.h>
-
-#include <net/ip.h>
-
-#include "ip_set_ipporthash.h"
-#include "ip_set_getport.h"
-
-static int limit = MAX_RANGE;
-
-static inline __u32
-ipporthash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
-	      ip_set_ip_t ip, ip_set_ip_t port)
-{
-	struct ip_set_ipporthash *map = set->data;
-	__u32 id;
-	u_int16_t i;
-	ip_set_ip_t *elem;
-
-	*hash_ip = pack_ip_port(map, ip, port);
-		
-	DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip));
-	if (!*hash_ip)
-		return UINT_MAX;
-	
-	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip(map, i, *hash_ip) % map->hashsize;
-		DP("hash key: %u", id);
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-		if (*elem == *hash_ip)
-			return id;
-		/* No shortcut - there can be deleted entries. */
-	}
-	return UINT_MAX;
-}
-
-static inline int
-ipporthash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
-		ip_set_ip_t ip, ip_set_ip_t port)
-{
-	struct ip_set_ipporthash *map = set->data;
-	
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	return (ipporthash_id(set, hash_ip, ip, port) != UINT_MAX);
-}
-
-#define KADT_CONDITION						\
-	ip_set_ip_t port;					\
-								\
-	if (flags[index+1] == 0)				\
-		return 0;					\
-								\
-	port = get_port(skb, flags[index+1]);			\
-								\
-	if (port == INVALID_PORT)				\
-		return 0;
-
-UADT(ipporthash, test, req->port)
-KADT(ipporthash, test, ipaddr, port)
-
-static inline int
-__ipporthash_add(struct ip_set_ipporthash *map, ip_set_ip_t *ip)
-{
-	__u32 probe;
-	u_int16_t i;
-	ip_set_ip_t *elem, *slot = NULL;
-
-	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip(map, i, *ip) % map->hashsize;
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
-		if (*elem == *ip)
-			return -EEXIST;
-		if (!(slot || *elem))
-			slot = elem;
-		/* There can be deleted entries, must check all slots */
-	}
-	if (slot) {
-		*slot = *ip;
-		map->elements++;
-		return 0;
-	}
-	/* Trigger rehashing */
-	return -EAGAIN;
-}
-
-static inline int
-ipporthash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-	       ip_set_ip_t ip, ip_set_ip_t port)
-{
-	struct ip_set_ipporthash *map = set->data;
-	if (map->elements > limit)
-		return -ERANGE;
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	*hash_ip = pack_ip_port(map, ip, port);
-
-	if (!*hash_ip)
-		return -ERANGE;
-	
-	return __ipporthash_add(map, hash_ip);
-}
-
-UADT(ipporthash, add, req->port)
-KADT(ipporthash, add, ipaddr, port)
-
-static inline void
-__ipporthash_retry(struct ip_set_ipporthash *tmp,
-		   struct ip_set_ipporthash *map)
-{
-	tmp->first_ip = map->first_ip;
-	tmp->last_ip = map->last_ip;
-}
-
-HASH_RETRY(ipporthash, ip_set_ip_t)
-
-static inline int
-ipporthash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	       ip_set_ip_t ip, ip_set_ip_t port)
-{
-	struct ip_set_ipporthash *map = set->data;
-	ip_set_ip_t id;
-	ip_set_ip_t *elem;
-
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	id = ipporthash_id(set, hash_ip, ip, port);
-
-	if (id == UINT_MAX)
-		return -EEXIST;
-		
-	elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-	*elem = 0;
-	map->elements--;
-
-	return 0;
-}
-
-UADT(ipporthash, del, req->port)
-KADT(ipporthash, del, ipaddr, port)
-
-static inline int
-__ipporthash_create(const struct ip_set_req_ipporthash_create *req,
-		    struct ip_set_ipporthash *map)
-{
-	if (req->to - req->from > MAX_RANGE) {
-		ip_set_printk("range too big, %d elements (max %d)",
-			      req->to - req->from + 1, MAX_RANGE+1);
-		return -ENOEXEC;
-	}
-	map->first_ip = req->from;
-	map->last_ip = req->to;
-	return 0;
-}
-
-HASH_CREATE(ipporthash, ip_set_ip_t)
-HASH_DESTROY(ipporthash)
-HASH_FLUSH(ipporthash, ip_set_ip_t)
-
-static inline void
-__ipporthash_list_header(const struct ip_set_ipporthash *map,
-			 struct ip_set_req_ipporthash_create *header)
-{
-	header->from = map->first_ip;
-	header->to = map->last_ip;
-}
-
-HASH_LIST_HEADER(ipporthash)
-HASH_LIST_MEMBERS_SIZE(ipporthash, ip_set_ip_t)
-HASH_LIST_MEMBERS(ipporthash, ip_set_ip_t)
-
-IP_SET_RTYPE(ipporthash, IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_DATA_DOUBLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("ipporthash type of IP sets");
-module_param(limit, int, 0600);
-MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
-
-REGISTER_MODULE(ipporthash)

extensions/ipset/ip_set_ipporthash.h

@@ -1,33 +0,0 @@
-#ifndef __IP_SET_IPPORTHASH_H
-#define __IP_SET_IPPORTHASH_H
-
-#include "ip_set.h"
-#include "ip_set_hashes.h"
-
-#define SETTYPE_NAME "ipporthash"
-
-struct ip_set_ipporthash {
-	ip_set_ip_t *members;		/* the ipporthash proper */
-	uint32_t elements;		/* number of elements */
-	uint32_t hashsize;		/* hash size */
-	uint16_t probes;		/* max number of probes  */
-	uint16_t resize;		/* resize factor in percent */
-	ip_set_ip_t first_ip;		/* host byte order, included in range */
-	ip_set_ip_t last_ip;		/* host byte order, included in range */
-	initval_t initval[0];		/* initvals for jhash_1word */
-};
-
-struct ip_set_req_ipporthash_create {
-	uint32_t hashsize;
-	uint16_t probes;
-	uint16_t resize;
-	ip_set_ip_t from;
-	ip_set_ip_t to;
-};
-
-struct ip_set_req_ipporthash {
-	ip_set_ip_t ip;
-	ip_set_ip_t port;
-};
-
-#endif	/* __IP_SET_IPPORTHASH_H */

extensions/ipset/ip_set_ipportiphash.c

@@ -1,216 +0,0 @@
-/* Copyright (C) 2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing an ip+port+ip hash set */
-
-#include <linux/module.h>
-#include <linux/moduleparam.h>
-#include <linux/ip.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/skbuff.h>
-#include "ip_set_jhash.h"
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-#include <linux/random.h>
-
-#include <net/ip.h>
-
-#include "ip_set_ipportiphash.h"
-#include "ip_set_getport.h"
-
-static int limit = MAX_RANGE;
-
-#define jhash_ip2(map, i, ipport, ip1)		\
-	jhash_2words(ipport, ip1, *(map->initval + i))
-
-static inline __u32
-ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
-		ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
-{
-	struct ip_set_ipportiphash *map = set->data;
-	__u32 id;
-	u_int16_t i;
-	struct ipportip *elem;
-
-	*hash_ip = pack_ip_port(map, ip, port);
-	DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip));
-	if (!(*hash_ip || ip1))
-		return UINT_MAX;
-	
-	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip2(map, i, *hash_ip, ip1) % map->hashsize;
-		DP("hash key: %u", id);
-		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
-		if (elem->ip == *hash_ip && elem->ip1 == ip1)
-			return id;
-		/* No shortcut - there can be deleted entries. */
-	}
-	return UINT_MAX;
-}
-
-static inline int
-ipportiphash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
-		  ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
-{
-	struct ip_set_ipportiphash *map = set->data;
-	
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	return (ipportiphash_id(set, hash_ip, ip, port, ip1) != UINT_MAX);
-}
-
-#define KADT_CONDITION						\
-	ip_set_ip_t port, ip1;					\
-								\
-	if (flags[index+2] == 0)				\
-		return 0;					\
-								\
-	port = get_port(skb, flags[index+1]);			\
-	ip1 = ipaddr(skb, flags[index+2]);			\
-								\
-	if (port == INVALID_PORT)				\
-		return 0;
-
-UADT(ipportiphash, test, req->port, req->ip1)
-KADT(ipportiphash, test, ipaddr, port, ip1)
-
-static inline int
-__ipportip_add(struct ip_set_ipportiphash *map,
-	       ip_set_ip_t hash_ip, ip_set_ip_t ip1)
-{
-	__u32 probe;
-	u_int16_t i;
-	struct ipportip *elem, *slot = NULL;
-
-	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
-		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
-		if (elem->ip == hash_ip && elem->ip1 == ip1)
-			return -EEXIST;
-		if (!(slot || elem->ip || elem->ip1))
-			slot = elem;
-		/* There can be deleted entries, must check all slots */
-	}
-	if (slot) {
-		slot->ip = hash_ip;
-		slot->ip1 = ip1;
-		map->elements++;
-		return 0;
-	}
-	/* Trigger rehashing */
-	return -EAGAIN;
-}
-
-static inline int
-__ipportiphash_add(struct ip_set_ipportiphash *map,
-		   struct ipportip *elem)
-{
-	return __ipportip_add(map, elem->ip, elem->ip1);
-}
-
-static inline int
-ipportiphash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-		 ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
-{
-	struct ip_set_ipportiphash *map = set->data;
-	
-	if (map->elements > limit)
-		return -ERANGE;
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	*hash_ip = pack_ip_port(map, ip, port);
-	if (!(*hash_ip || ip1))
-		return -ERANGE;
-	
-	return __ipportip_add(map, *hash_ip, ip1);
-}
-
-UADT(ipportiphash, add, req->port, req->ip1)
-KADT(ipportiphash, add, ipaddr, port, ip1)
-
-static inline void
-__ipportiphash_retry(struct ip_set_ipportiphash *tmp,
-		     struct ip_set_ipportiphash *map)
-{
-	tmp->first_ip = map->first_ip;
-	tmp->last_ip = map->last_ip;
-}
-
-HASH_RETRY2(ipportiphash, struct ipportip)
-
-static inline int
-ipportiphash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	       ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
-{
-	struct ip_set_ipportiphash *map = set->data;
-	ip_set_ip_t id;
-	struct ipportip *elem;
-
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	id = ipportiphash_id(set, hash_ip, ip, port, ip1);
-
-	if (id == UINT_MAX)
-		return -EEXIST;
-		
-	elem = HARRAY_ELEM(map->members, struct ipportip *, id);
-	elem->ip = elem->ip1 = 0;
-	map->elements--;
-
-	return 0;
-}
-
-UADT(ipportiphash, del, req->port, req->ip1)
-KADT(ipportiphash, del, ipaddr, port, ip1)
-
-static inline int
-__ipportiphash_create(const struct ip_set_req_ipportiphash_create *req,
-		      struct ip_set_ipportiphash *map)
-{
-	if (req->to - req->from > MAX_RANGE) {
-		ip_set_printk("range too big, %d elements (max %d)",
-			      req->to - req->from + 1, MAX_RANGE+1);
-		return -ENOEXEC;
-	}
-	map->first_ip = req->from;
-	map->last_ip = req->to;
-	return 0;
-}
-
-HASH_CREATE(ipportiphash, struct ipportip)
-HASH_DESTROY(ipportiphash)
-HASH_FLUSH(ipportiphash, struct ipportip)
-
-static inline void
-__ipportiphash_list_header(const struct ip_set_ipportiphash *map,
-			   struct ip_set_req_ipportiphash_create *header)
-{
-	header->from = map->first_ip;
-	header->to = map->last_ip;
-}
-
-HASH_LIST_HEADER(ipportiphash)
-HASH_LIST_MEMBERS_SIZE(ipportiphash, struct ipportip)
-HASH_LIST_MEMBERS_MEMCPY(ipportiphash, struct ipportip)
-
-IP_SET_RTYPE(ipportiphash, IPSET_TYPE_IP | IPSET_TYPE_PORT
-			   | IPSET_TYPE_IP1 | IPSET_DATA_TRIPLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("ipportiphash type of IP sets");
-module_param(limit, int, 0600);
-MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
-
-REGISTER_MODULE(ipportiphash)

extensions/ipset/ip_set_ipportiphash.h

@@ -1,39 +0,0 @@
-#ifndef __IP_SET_IPPORTIPHASH_H
-#define __IP_SET_IPPORTIPHASH_H
-
-#include "ip_set.h"
-#include "ip_set_hashes.h"
-
-#define SETTYPE_NAME "ipportiphash"
-
-struct ipportip {
-	ip_set_ip_t ip;
-	ip_set_ip_t ip1;
-};
-
-struct ip_set_ipportiphash {
-	struct ipportip *members;	/* the ipportip proper */
-	uint32_t elements;		/* number of elements */
-	uint32_t hashsize;		/* hash size */
-	uint16_t probes;		/* max number of probes  */
-	uint16_t resize;		/* resize factor in percent */
-	ip_set_ip_t first_ip;		/* host byte order, included in range */
-	ip_set_ip_t last_ip;		/* host byte order, included in range */
-	initval_t initval[0];		/* initvals for jhash_1word */
-};
-
-struct ip_set_req_ipportiphash_create {
-	uint32_t hashsize;
-	uint16_t probes;
-	uint16_t resize;
-	ip_set_ip_t from;
-	ip_set_ip_t to;
-};
-
-struct ip_set_req_ipportiphash {
-	ip_set_ip_t ip;
-	ip_set_ip_t port;
-	ip_set_ip_t ip1;
-};
-
-#endif	/* __IP_SET_IPPORTIPHASH_H */

extensions/ipset/ip_set_ipportnethash.c

@@ -1,304 +0,0 @@
-/* Copyright (C) 2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing an ip+port+net hash set */
-
-#include <linux/module.h>
-#include <linux/moduleparam.h>
-#include <linux/ip.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/skbuff.h>
-#include "ip_set_jhash.h"
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-#include <linux/random.h>
-
-#include <net/ip.h>
-
-#include "ip_set_ipportnethash.h"
-#include "ip_set_getport.h"
-
-static int limit = MAX_RANGE;
-
-#define jhash_ip2(map, i, ipport, ip1)		\
-	jhash_2words(ipport, ip1, *(map->initval + i))
-
-static inline __u32
-ipportnethash_id_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
-		      ip_set_ip_t ip, ip_set_ip_t port,
-		      ip_set_ip_t ip1, uint8_t cidr)
-{
-	struct ip_set_ipportnethash *map = set->data;
-	__u32 id;
-	u_int16_t i;
-	struct ipportip *elem;
-
-	*hash_ip = pack_ip_port(map, ip, port);
-	DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip));
-	ip1 = pack_ip_cidr(ip1, cidr);
-	if (!(*hash_ip || ip1))
-		return UINT_MAX;
-	
-	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip2(map, i, *hash_ip, ip1) % map->hashsize;
-		DP("hash key: %u", id);
-		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
-		if (elem->ip == *hash_ip && elem->ip1 == ip1)
-			return id;
-		/* No shortcut - there can be deleted entries. */
-	}
-	return UINT_MAX;
-}
-
-static inline __u32
-ipportnethash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
-		 ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
-{
-	struct ip_set_ipportnethash *map = set->data;
-	__u32 id = UINT_MAX;
-	int i;
-
-	for (i = 0; i < 30 && map->cidr[i]; i++) {
-		id = ipportnethash_id_cidr(set, hash_ip, ip, port, ip1, 
-					   map->cidr[i]);
-		if (id != UINT_MAX)
-			break;
-	}
-	return id;
-}
-
-static inline int
-ipportnethash_test_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
-			ip_set_ip_t ip, ip_set_ip_t port,
-			ip_set_ip_t ip1, uint8_t cidr)
-{
-	struct ip_set_ipportnethash *map = set->data;
-	
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	return (ipportnethash_id_cidr(set, hash_ip, ip, port, ip1,
-				      cidr) != UINT_MAX);
-}
-
-static inline int
-ipportnethash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
-		  ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
-{
-	struct ip_set_ipportnethash *map = set->data;
-	
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-
-	return (ipportnethash_id(set, hash_ip, ip, port, ip1) != UINT_MAX);
-}
-
-static int
-ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size,
-		    ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_ipportnethash *req = data;
-
-	if (req->cidr <= 0 || req->cidr > 32)
-		return -EINVAL;
-	return (req->cidr == 32 
-		? ipportnethash_test(set, hash_ip, req->ip, req->port,
-				     req->ip1)
-		: ipportnethash_test_cidr(set, hash_ip, req->ip, req->port,
-					  req->ip1, req->cidr));
-}
-
-#define KADT_CONDITION						\
-	ip_set_ip_t port, ip1;					\
-								\
-	if (flags[index+2] == 0)				\
-		return 0;					\
-								\
-	port = get_port(skb, flags[index+1]);			\
-	ip1 = ipaddr(skb, flags[index+2]);			\
-								\
-	if (port == INVALID_PORT)				\
-		return 0;
-
-KADT(ipportnethash, test, ipaddr, port, ip1)
-
-static inline int
-__ipportnet_add(struct ip_set_ipportnethash *map,
-		ip_set_ip_t hash_ip, ip_set_ip_t ip1)
-{
-	__u32 probe;
-	u_int16_t i;
-	struct ipportip *elem, *slot = NULL;
-
-	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
-		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
-		if (elem->ip == hash_ip && elem->ip1 == ip1)
-			return -EEXIST;
-		if (!(slot || elem->ip || elem->ip1))
-			slot = elem;
-		/* There can be deleted entries, must check all slots */
-	}
-	if (slot) {
-		slot->ip = hash_ip;
-		slot->ip1 = ip1;
-		map->elements++;
-		return 0;
-	}
-	/* Trigger rehashing */
-	return -EAGAIN;
-}
-
-static inline int
-__ipportnethash_add(struct ip_set_ipportnethash *map,
-		    struct ipportip *elem)
-{
-	return __ipportnet_add(map, elem->ip, elem->ip1);
-}
-
-static inline int
-ipportnethash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-		 ip_set_ip_t ip, ip_set_ip_t port,
-		 ip_set_ip_t ip1, uint8_t cidr)
-{
-	struct ip_set_ipportnethash *map = set->data;
-	struct ipportip;
-	int ret;
-	
-	if (map->elements > limit)
-		return -ERANGE;
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-	if (cidr <= 0 || cidr >= 32)
-		return -EINVAL;
-	if (map->nets[cidr-1] == UINT16_MAX)
-		return -ERANGE;
-
-	*hash_ip = pack_ip_port(map, ip, port);
-	ip1 = pack_ip_cidr(ip1, cidr);
-	if (!(*hash_ip || ip1))
-		return -ERANGE;
-	
-	ret =__ipportnet_add(map, *hash_ip, ip1);
-	if (ret == 0) {
-		if (!map->nets[cidr-1]++)
-			add_cidr_size(map->cidr, cidr);
-		map->elements++;
-	}
-	return ret;
-}
-
-#undef KADT_CONDITION
-#define KADT_CONDITION							\
-	struct ip_set_ipportnethash *map = set->data;			\
-	uint8_t cidr = map->cidr[0] ? map->cidr[0] : 31;		\
-	ip_set_ip_t port, ip1;						\
-									\
-	if (flags[index+2] == 0)					\
-		return 0;						\
-									\
-	port = get_port(skb, flags[index+1]);				\
-	ip1 = ipaddr(skb, flags[index+2]);				\
-									\
-	if (port == INVALID_PORT)					\
-		return 0;
-
-UADT(ipportnethash, add, req->port, req->ip1, req->cidr)
-KADT(ipportnethash, add, ipaddr, port, ip1, cidr)
-
-static inline void
-__ipportnethash_retry(struct ip_set_ipportnethash *tmp,
-		      struct ip_set_ipportnethash *map)
-{
-	tmp->first_ip = map->first_ip;
-	tmp->last_ip = map->last_ip;
-	memcpy(tmp->cidr, map->cidr, sizeof(tmp->cidr));
-	memcpy(tmp->nets, map->nets, sizeof(tmp->nets));
-}
-
-HASH_RETRY2(ipportnethash, struct ipportip)
-
-static inline int
-ipportnethash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	          ip_set_ip_t ip, ip_set_ip_t port,
-	          ip_set_ip_t ip1, uint8_t cidr)
-{
-	struct ip_set_ipportnethash *map = set->data;
-	ip_set_ip_t id;
-	struct ipportip *elem;
-
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-	if (!ip)
-		return -ERANGE;
-	if (cidr <= 0 || cidr >= 32)
-		return -EINVAL;	
-
-	id = ipportnethash_id_cidr(set, hash_ip, ip, port, ip1, cidr);
-
-	if (id == UINT_MAX)
-		return -EEXIST;
-		
-	elem = HARRAY_ELEM(map->members, struct ipportip *, id);
-	elem->ip = elem->ip1 = 0;
-	map->elements--;
-	if (!map->nets[cidr-1]--)
-		del_cidr_size(map->cidr, cidr);
-
-	return 0;
-}
-
-UADT(ipportnethash, del, req->port, req->ip1, req->cidr)
-KADT(ipportnethash, del, ipaddr, port, ip1, cidr)
-
-static inline int
-__ipportnethash_create(const struct ip_set_req_ipportnethash_create *req,
-		       struct ip_set_ipportnethash *map)
-{
-	if (req->to - req->from > MAX_RANGE) {
-		ip_set_printk("range too big, %d elements (max %d)",
-			      req->to - req->from + 1, MAX_RANGE+1);
-		return -ENOEXEC;
-	}
-	map->first_ip = req->from;
-	map->last_ip = req->to;
-	memset(map->cidr, 0, sizeof(map->cidr));
-	memset(map->nets, 0, sizeof(map->nets));
-	return 0;
-}
-
-HASH_CREATE(ipportnethash, struct ipportip)
-HASH_DESTROY(ipportnethash)
-HASH_FLUSH_CIDR(ipportnethash, struct ipportip);
-
-static inline void
-__ipportnethash_list_header(const struct ip_set_ipportnethash *map,
-			    struct ip_set_req_ipportnethash_create *header)
-{
-	header->from = map->first_ip;
-	header->to = map->last_ip;
-}
-
-HASH_LIST_HEADER(ipportnethash)
-
-HASH_LIST_MEMBERS_SIZE(ipportnethash, struct ipportip)
-HASH_LIST_MEMBERS_MEMCPY(ipportnethash, struct ipportip)
-
-IP_SET_RTYPE(ipportnethash, IPSET_TYPE_IP | IPSET_TYPE_PORT
-			    | IPSET_TYPE_IP1 | IPSET_DATA_TRIPLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("ipportnethash type of IP sets");
-module_param(limit, int, 0600);
-MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
-
-REGISTER_MODULE(ipportnethash)

extensions/ipset/ip_set_ipportnethash.h

@@ -1,42 +0,0 @@
-#ifndef __IP_SET_IPPORTNETHASH_H
-#define __IP_SET_IPPORTNETHASH_H
-
-#include "ip_set.h"
-#include "ip_set_hashes.h"
-
-#define SETTYPE_NAME "ipportnethash"
-
-struct ipportip {
-	ip_set_ip_t ip;
-	ip_set_ip_t ip1;
-};
-
-struct ip_set_ipportnethash {
-	struct ipportip *members;	/* the ipportip proper */
-	uint32_t elements;		/* number of elements */
-	uint32_t hashsize;		/* hash size */
-	uint16_t probes;		/* max number of probes  */
-	uint16_t resize;		/* resize factor in percent */
-	ip_set_ip_t first_ip;		/* host byte order, included in range */
-	ip_set_ip_t last_ip;		/* host byte order, included in range */
-	uint8_t cidr[30];		/* CIDR sizes */
-	uint16_t nets[30];		/* nr of nets by CIDR sizes */
-	initval_t initval[0];		/* initvals for jhash_1word */
-};
-
-struct ip_set_req_ipportnethash_create {
-	uint32_t hashsize;
-	uint16_t probes;
-	uint16_t resize;
-	ip_set_ip_t from;
-	ip_set_ip_t to;
-};
-
-struct ip_set_req_ipportnethash {
-	ip_set_ip_t ip;
-	ip_set_ip_t port;
-	ip_set_ip_t ip1;
-	uint8_t cidr;
-};
-
-#endif	/* __IP_SET_IPPORTNETHASH_H */

extensions/ipset/ip_set_iptree.c

@@ -1,467 +0,0 @@
-/* Copyright (C) 2005-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing an IP set type: the iptree type */
-
-#include <linux/module.h>
-#include <linux/moduleparam.h>
-#include <linux/ip.h>
-#include <linux/jiffies.h>
-#include <linux/skbuff.h>
-#include <linux/slab.h>
-#include <linux/delay.h>
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-#include <linux/timer.h>
-
-#include "ip_set.h"
-#include "ip_set_bitmaps.h"
-#include "ip_set_iptree.h"
-
-static int limit = MAX_RANGE;
-
-/* Garbage collection interval in seconds: */
-#define IPTREE_GC_TIME		5*60
-/* Sleep so many milliseconds before trying again
- * to delete the gc timer at destroying/flushing a set */
-#define IPTREE_DESTROY_SLEEP	100
-
-static __KMEM_CACHE_T__ *branch_cachep;
-static __KMEM_CACHE_T__ *leaf_cachep;
-
-
-#if defined(__LITTLE_ENDIAN)
-#define ABCD(a,b,c,d,addrp) do {		\
-	a = ((unsigned char *)addrp)[3];	\
-	b = ((unsigned char *)addrp)[2];	\
-	c = ((unsigned char *)addrp)[1];	\
-	d = ((unsigned char *)addrp)[0];	\
-} while (0)
-#elif defined(__BIG_ENDIAN)
-#define ABCD(a,b,c,d,addrp) do {		\
-	a = ((unsigned char *)addrp)[0];	\
-	b = ((unsigned char *)addrp)[1];	\
-	c = ((unsigned char *)addrp)[2];	\
-	d = ((unsigned char *)addrp)[3];	\
-} while (0)
-#else
-#error "Please fix asm/byteorder.h"
-#endif /* __LITTLE_ENDIAN */
-
-#define TESTIP_WALK(map, elem, branch) do {	\
-	if ((map)->tree[elem]) {		\
-		branch = (map)->tree[elem];	\
-	} else 					\
-		return 0;			\
-} while (0)
-
-static inline int
-iptree_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_iptree *map = set->data;
-	struct ip_set_iptreeb *btree;
-	struct ip_set_iptreec *ctree;
-	struct ip_set_iptreed *dtree;
-	unsigned char a,b,c,d;
-
-	if (!ip)
-		return -ERANGE;
-	
-	*hash_ip = ip;
-	ABCD(a, b, c, d, hash_ip);
-	DP("%u %u %u %u timeout %u", a, b, c, d, map->timeout);
-	TESTIP_WALK(map, a, btree);
-	TESTIP_WALK(btree, b, ctree);
-	TESTIP_WALK(ctree, c, dtree);
-	DP("%lu %lu", dtree->expires[d], jiffies);
-	return dtree->expires[d]
-	       && (!map->timeout
-		   || time_after(dtree->expires[d], jiffies));
-}
-
-#define KADT_CONDITION
-
-UADT(iptree, test)
-KADT(iptree, test, ipaddr)
-
-#define ADDIP_WALK(map, elem, branch, type, cachep) do {	\
-	if ((map)->tree[elem]) {				\
-		DP("found %u", elem);				\
-		branch = (map)->tree[elem];			\
-	} else {						\
-		branch = (type *)				\
-			kmem_cache_alloc(cachep, GFP_ATOMIC);	\
-		if (branch == NULL)				\
-			return -ENOMEM;				\
-		memset(branch, 0, sizeof(*branch));		\
-		(map)->tree[elem] = branch;			\
-		DP("alloc %u", elem);				\
-	}							\
-} while (0)	
-
-static inline int
-iptree_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-	   ip_set_ip_t ip, unsigned int timeout)
-{
-	struct ip_set_iptree *map = set->data;
-	struct ip_set_iptreeb *btree;
-	struct ip_set_iptreec *ctree;
-	struct ip_set_iptreed *dtree;
-	unsigned char a,b,c,d;
-	int ret = 0;
-	
-	if (!ip || map->elements >= limit)
-		/* We could call the garbage collector
-		 * but it's probably overkill */
-		return -ERANGE;
-	
-	*hash_ip = ip;
-	ABCD(a, b, c, d, hash_ip);
-	DP("%u %u %u %u timeout %u", a, b, c, d, timeout);
-	ADDIP_WALK(map, a, btree, struct ip_set_iptreeb, branch_cachep);
-	ADDIP_WALK(btree, b, ctree, struct ip_set_iptreec, branch_cachep);
-	ADDIP_WALK(ctree, c, dtree, struct ip_set_iptreed, leaf_cachep);
-	if (dtree->expires[d]
-	    && (!map->timeout || time_after(dtree->expires[d], jiffies)))
-	    	ret = -EEXIST;
-	if (map->timeout && timeout == 0)
-		timeout = map->timeout;
-	dtree->expires[d] = map->timeout ? (timeout * HZ + jiffies) : 1;
-	/* Lottery: I won! */
-	if (dtree->expires[d] == 0)
-		dtree->expires[d] = 1;
-	DP("%u %lu", d, dtree->expires[d]);
-	if (ret == 0)
-		map->elements++;
-	return ret;
-}
-
-UADT(iptree, add, req->timeout)
-KADT(iptree, add, ipaddr, 0)
-
-#define DELIP_WALK(map, elem, branch) do {	\
-	if ((map)->tree[elem]) {		\
-		branch = (map)->tree[elem];	\
-	} else 					\
-		return -EEXIST;			\
-} while (0)
-
-static inline int
-iptree_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_iptree *map = set->data;
-	struct ip_set_iptreeb *btree;
-	struct ip_set_iptreec *ctree;
-	struct ip_set_iptreed *dtree;
-	unsigned char a,b,c,d;
-	
-	if (!ip)
-		return -ERANGE;
-		
-	*hash_ip = ip;
-	ABCD(a, b, c, d, hash_ip);
-	DELIP_WALK(map, a, btree);
-	DELIP_WALK(btree, b, ctree);
-	DELIP_WALK(ctree, c, dtree);
-
-	if (dtree->expires[d]) {
-		dtree->expires[d] = 0;
-		map->elements--;
-		return 0;
-	}
-	return -EEXIST;
-}
-
-UADT(iptree, del)
-KADT(iptree, del, ipaddr)
-
-#define LOOP_WALK_BEGIN(map, i, branch) \
-	for (i = 0; i < 256; i++) {	\
-		if (!(map)->tree[i])	\
-			continue;	\
-		branch = (map)->tree[i]
-
-#define LOOP_WALK_END }
-
-static void
-ip_tree_gc(unsigned long ul_set)
-{
-	struct ip_set *set = (struct ip_set *) ul_set;
-	struct ip_set_iptree *map = set->data;
-	struct ip_set_iptreeb *btree;
-	struct ip_set_iptreec *ctree;
-	struct ip_set_iptreed *dtree;
-	unsigned int a,b,c,d;
-	unsigned char i,j,k;
-
-	i = j = k = 0;
-	DP("gc: %s", set->name);
-	write_lock_bh(&set->lock);
-	LOOP_WALK_BEGIN(map, a, btree);
-	LOOP_WALK_BEGIN(btree, b, ctree);
-	LOOP_WALK_BEGIN(ctree, c, dtree);
-	for (d = 0; d < 256; d++) {
-		if (dtree->expires[d]) {
-			DP("gc: %u %u %u %u: expires %lu jiffies %lu",
-			    a, b, c, d,
-			    dtree->expires[d], jiffies);
-			if (map->timeout
-			    && time_before(dtree->expires[d], jiffies)) {
-			    	dtree->expires[d] = 0;
-			    	map->elements--;
-			} else
-				k = 1;
-		}
-	}
-	if (k == 0) {
-		DP("gc: %s: leaf %u %u %u empty",
-		    set->name, a, b, c);
-		kmem_cache_free(leaf_cachep, dtree);
-		ctree->tree[c] = NULL;
-	} else {
-		DP("gc: %s: leaf %u %u %u not empty",
-		    set->name, a, b, c);
-		j = 1;
-		k = 0;
-	}
-	LOOP_WALK_END;
-	if (j == 0) {
-		DP("gc: %s: branch %u %u empty",
-		    set->name, a, b);
-		kmem_cache_free(branch_cachep, ctree);
-		btree->tree[b] = NULL;
-	} else {
-		DP("gc: %s: branch %u %u not empty",
-		    set->name, a, b);
-		i = 1;
-		j = k = 0;
-	}
-	LOOP_WALK_END;
-	if (i == 0) {
-		DP("gc: %s: branch %u empty",
-		    set->name, a);
-		kmem_cache_free(branch_cachep, btree);
-		map->tree[a] = NULL;
-	} else {
-		DP("gc: %s: branch %u not empty",
-		    set->name, a);
-		i = j = k = 0;
-	}
-	LOOP_WALK_END;
-	write_unlock_bh(&set->lock);
-	
-	map->gc.expires = jiffies + map->gc_interval * HZ;
-	add_timer(&map->gc);
-}
-
-static inline void
-init_gc_timer(struct ip_set *set)
-{
-	struct ip_set_iptree *map = set->data;
-
-	/* Even if there is no timeout for the entries,
-	 * we still have to call gc because delete
-	 * do not clean up empty branches */
-	map->gc_interval = IPTREE_GC_TIME;
-	init_timer(&map->gc);
-	map->gc.data = (unsigned long) set;
-	map->gc.function = ip_tree_gc;
-	map->gc.expires = jiffies + map->gc_interval * HZ;
-	add_timer(&map->gc);
-}
-
-static int
-iptree_create(struct ip_set *set, const void *data, u_int32_t size)
-{
-	const struct ip_set_req_iptree_create *req = data;
-	struct ip_set_iptree *map;
-
-	if (size != sizeof(struct ip_set_req_iptree_create)) {
-		ip_set_printk("data length wrong (want %zu, have %lu)",
-			      sizeof(struct ip_set_req_iptree_create),
-			      (unsigned long)size);
-		return -EINVAL;
-	}
-
-	map = kmalloc(sizeof(struct ip_set_iptree), GFP_KERNEL);
-	if (!map) {
-		DP("out of memory for %zu bytes",
-		   sizeof(struct ip_set_iptree));
-		return -ENOMEM;
-	}
-	memset(map, 0, sizeof(*map));
-	map->timeout = req->timeout;
-	map->elements = 0;
-	set->data = map;
-
-	init_gc_timer(set);
-
-	return 0;
-}
-
-static inline void
-__flush(struct ip_set_iptree *map)
-{
-	struct ip_set_iptreeb *btree;
-	struct ip_set_iptreec *ctree;
-	struct ip_set_iptreed *dtree;
-	unsigned int a,b,c;
-
-	LOOP_WALK_BEGIN(map, a, btree);
-	LOOP_WALK_BEGIN(btree, b, ctree);
-	LOOP_WALK_BEGIN(ctree, c, dtree);
-	kmem_cache_free(leaf_cachep, dtree);
-	LOOP_WALK_END;
-	kmem_cache_free(branch_cachep, ctree);
-	LOOP_WALK_END;
-	kmem_cache_free(branch_cachep, btree);
-	LOOP_WALK_END;
-	map->elements = 0;
-}
-
-static void
-iptree_destroy(struct ip_set *set)
-{
-	struct ip_set_iptree *map = set->data;
-
-	/* gc might be running */
-	while (!del_timer(&map->gc))
-		msleep(IPTREE_DESTROY_SLEEP);
-	__flush(map);
-	kfree(map);
-	set->data = NULL;
-}
-
-static void
-iptree_flush(struct ip_set *set)
-{
-	struct ip_set_iptree *map = set->data;
-	unsigned int timeout = map->timeout;
-	
-	/* gc might be running */
-	while (!del_timer(&map->gc))
-		msleep(IPTREE_DESTROY_SLEEP);
-	__flush(map);
-	memset(map, 0, sizeof(*map));
-	map->timeout = timeout;
-
-	init_gc_timer(set);
-}
-
-static void
-iptree_list_header(const struct ip_set *set, void *data)
-{
-	const struct ip_set_iptree *map = set->data;
-	struct ip_set_req_iptree_create *header = data;
-
-	header->timeout = map->timeout;
-}
-
-static int
-iptree_list_members_size(const struct ip_set *set)
-{
-	const struct ip_set_iptree *map = set->data;
-	struct ip_set_iptreeb *btree;
-	struct ip_set_iptreec *ctree;
-	struct ip_set_iptreed *dtree;
-	unsigned int a,b,c,d;
-	unsigned int count = 0;
-
-	LOOP_WALK_BEGIN(map, a, btree);
-	LOOP_WALK_BEGIN(btree, b, ctree);
-	LOOP_WALK_BEGIN(ctree, c, dtree);
-	for (d = 0; d < 256; d++) {
-		if (dtree->expires[d]
-		    && (!map->timeout || time_after(dtree->expires[d], jiffies)))
-		    	count++;
-	}
-	LOOP_WALK_END;
-	LOOP_WALK_END;
-	LOOP_WALK_END;
-
-	DP("members %u", count);
-	return (count * sizeof(struct ip_set_req_iptree));
-}
-
-static void
-iptree_list_members(const struct ip_set *set, void *data)
-{
-	const struct ip_set_iptree *map = set->data;
-	struct ip_set_iptreeb *btree;
-	struct ip_set_iptreec *ctree;
-	struct ip_set_iptreed *dtree;
-	unsigned int a,b,c,d;
-	size_t offset = 0;
-	struct ip_set_req_iptree *entry;
-
-	LOOP_WALK_BEGIN(map, a, btree);
-	LOOP_WALK_BEGIN(btree, b, ctree);
-	LOOP_WALK_BEGIN(ctree, c, dtree);
-	for (d = 0; d < 256; d++) {
-		if (dtree->expires[d]
-		    && (!map->timeout || time_after(dtree->expires[d], jiffies))) {
-		    	entry = data + offset;
-		    	entry->ip = ((a << 24) | (b << 16) | (c << 8) | d);
-		    	entry->timeout = !map->timeout ? 0
-				: (dtree->expires[d] - jiffies)/HZ;
-			offset += sizeof(struct ip_set_req_iptree);
-		}
-	}
-	LOOP_WALK_END;
-	LOOP_WALK_END;
-	LOOP_WALK_END;
-}
-
-IP_SET_TYPE(iptree, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iptree type of IP sets");
-module_param(limit, int, 0600);
-MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
-
-static int __init ip_set_iptree_init(void)
-{
-	int ret;
-	
-	branch_cachep = KMEM_CACHE_CREATE("ip_set_iptreeb",
-					  sizeof(struct ip_set_iptreeb));
-	if (!branch_cachep) {
-		printk(KERN_ERR "Unable to create ip_set_iptreeb slab cache\n");
-		ret = -ENOMEM;
-		goto out;
-	}
-	leaf_cachep = KMEM_CACHE_CREATE("ip_set_iptreed",
-					sizeof(struct ip_set_iptreed));
-	if (!leaf_cachep) {
-		printk(KERN_ERR "Unable to create ip_set_iptreed slab cache\n");
-		ret = -ENOMEM;
-		goto free_branch;
-	}
-	ret = ip_set_register_set_type(&ip_set_iptree);
-	if (ret == 0)
-		goto out;
-
-	kmem_cache_destroy(leaf_cachep);
-    free_branch:	
-	kmem_cache_destroy(branch_cachep);
-    out:
-	return ret;
-}
-
-static void __exit ip_set_iptree_fini(void)
-{
-	/* FIXME: possible race with ip_set_create() */
-	ip_set_unregister_set_type(&ip_set_iptree);
-	kmem_cache_destroy(leaf_cachep);
-	kmem_cache_destroy(branch_cachep);
-}
-
-module_init(ip_set_iptree_init);
-module_exit(ip_set_iptree_fini);

extensions/ipset/ip_set_iptree.h

@@ -1,39 +0,0 @@
-#ifndef __IP_SET_IPTREE_H
-#define __IP_SET_IPTREE_H
-
-#include "ip_set.h"
-
-#define SETTYPE_NAME "iptree"
-
-struct ip_set_iptreed {
-	unsigned long expires[256];	   	/* x.x.x.ADDR */
-};
-
-struct ip_set_iptreec {
-	struct ip_set_iptreed *tree[256];	/* x.x.ADDR.* */
-};
-
-struct ip_set_iptreeb {
-	struct ip_set_iptreec *tree[256];	/* x.ADDR.*.* */
-};
-
-struct ip_set_iptree {
-	unsigned int timeout;
-	unsigned int gc_interval;
-#ifdef __KERNEL__
-	uint32_t elements;		/* number of elements */
-	struct timer_list gc;
-	struct ip_set_iptreeb *tree[256];	/* ADDR.*.*.* */
-#endif
-};
-
-struct ip_set_req_iptree_create {
-	unsigned int timeout;
-};
-
-struct ip_set_req_iptree {
-	ip_set_ip_t ip;
-	unsigned int timeout;
-};
-
-#endif	/* __IP_SET_IPTREE_H */

extensions/ipset/ip_set_iptreemap.c

@@ -1,709 +0,0 @@
-/* Copyright (C) 2007 Sven Wegener <sven.wegener@stealer.net>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 as published by
- * the Free Software Foundation.
- */
-
-/* This modules implements the iptreemap ipset type. It uses bitmaps to
- * represent every single IPv4 address as a bit. The bitmaps are managed in a
- * tree structure, where the first three octets of an address are used as an
- * index to find the bitmap and the last octet is used as the bit number.
- */
-
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/jiffies.h>
-#include <linux/skbuff.h>
-#include <linux/slab.h>
-#include <linux/delay.h>
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-#include <linux/timer.h>
-
-#include "ip_set.h"
-#include "ip_set_bitmaps.h"
-#include "ip_set_iptreemap.h"
-
-#define IPTREEMAP_DEFAULT_GC_TIME (5 * 60)
-#define IPTREEMAP_DESTROY_SLEEP (100)
-
-static __KMEM_CACHE_T__ *cachep_b;
-static __KMEM_CACHE_T__ *cachep_c;
-static __KMEM_CACHE_T__ *cachep_d;
-
-static struct ip_set_iptreemap_d *fullbitmap_d;
-static struct ip_set_iptreemap_c *fullbitmap_c;
-static struct ip_set_iptreemap_b *fullbitmap_b;
-
-#if defined(__LITTLE_ENDIAN)
-#define ABCD(a, b, c, d, addr) \
-	do { \
-		a = ((unsigned char *)addr)[3]; \
-		b = ((unsigned char *)addr)[2]; \
-		c = ((unsigned char *)addr)[1]; \
-		d = ((unsigned char *)addr)[0]; \
-	} while (0)
-#elif defined(__BIG_ENDIAN)
-#define ABCD(a,b,c,d,addrp) do {		\
-	a = ((unsigned char *)addrp)[0];	\
-	b = ((unsigned char *)addrp)[1];	\
-	c = ((unsigned char *)addrp)[2];	\
-	d = ((unsigned char *)addrp)[3];	\
-} while (0)
-#else
-#error "Please fix asm/byteorder.h"
-#endif /* __LITTLE_ENDIAN */
-
-#define TESTIP_WALK(map, elem, branch, full) \
-	do { \
-		branch = (map)->tree[elem]; \
-		if (!branch) \
-			return 0; \
-		else if (branch == full) \
-			return 1; \
-	} while (0)
-
-#define ADDIP_WALK(map, elem, branch, type, cachep, full) \
-	do { \
-		branch = (map)->tree[elem]; \
-		if (!branch) { \
-			branch = (type *) kmem_cache_alloc(cachep, GFP_ATOMIC); \
-			if (!branch) \
-				return -ENOMEM; \
-			memset(branch, 0, sizeof(*branch)); \
-			(map)->tree[elem] = branch; \
-		} else if (branch == full) { \
-			return -EEXIST; \
-		} \
-	} while (0)
-
-#define ADDIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free) \
-	for (a = a1; a <= a2; a++) { \
-		branch = (map)->tree[a]; \
-		if (branch != full) { \
-			if ((a > a1 && a < a2) || (hint)) { \
-				if (branch) \
-					free(branch); \
-				(map)->tree[a] = full; \
-				continue; \
-			} else if (!branch) { \
-				branch = kmem_cache_alloc(cachep, GFP_ATOMIC); \
-				if (!branch) \
-					return -ENOMEM; \
-				memset(branch, 0, sizeof(*branch)); \
-				(map)->tree[a] = branch; \
-			}
-
-#define ADDIP_RANGE_LOOP_END() \
-		} \
-	}
-
-#define DELIP_WALK(map, elem, branch, cachep, full, flags) \
-	do { \
-		branch = (map)->tree[elem]; \
-		if (!branch) { \
-			return -EEXIST; \
-		} else if (branch == full) { \
-			branch = kmem_cache_alloc(cachep, flags); \
-			if (!branch) \
-				return -ENOMEM; \
-			memcpy(branch, full, sizeof(*full)); \
-			(map)->tree[elem] = branch; \
-		} \
-	} while (0)
-
-#define DELIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free, flags) \
-	for (a = a1; a <= a2; a++) { \
-		branch = (map)->tree[a]; \
-		if (branch) { \
-			if ((a > a1 && a < a2) || (hint)) { \
-				if (branch != full) \
-					free(branch); \
-				(map)->tree[a] = NULL; \
-				continue; \
-			} else if (branch == full) { \
-				branch = kmem_cache_alloc(cachep, flags); \
-				if (!branch) \
-					return -ENOMEM; \
-				memcpy(branch, full, sizeof(*branch)); \
-				(map)->tree[a] = branch; \
-			}
-
-#define DELIP_RANGE_LOOP_END() \
-		} \
-	}
-
-#define LOOP_WALK_BEGIN(map, i, branch) \
-	for (i = 0; i < 256; i++) { \
-		branch = (map)->tree[i]; \
-		if (likely(!branch)) \
-			continue;
-
-#define LOOP_WALK_END() \
-	}
-
-#define LOOP_WALK_BEGIN_GC(map, i, branch, full, cachep, count) \
-	count = -256; \
-	for (i = 0; i < 256; i++) { \
-		branch = (map)->tree[i]; \
-		if (likely(!branch)) \
-			continue; \
-		count++; \
-		if (branch == full) { \
-			count++; \
-			continue; \
-		}
-
-#define LOOP_WALK_END_GC(map, i, branch, full, cachep, count) \
-		if (-256 == count) { \
-			kmem_cache_free(cachep, branch); \
-			(map)->tree[i] = NULL; \
-		} else if (256 == count) { \
-			kmem_cache_free(cachep, branch); \
-			(map)->tree[i] = full; \
-		} \
-	}
-
-#define LOOP_WALK_BEGIN_COUNT(map, i, branch, inrange, count) \
-	for (i = 0; i < 256; i++) { \
-		if (!(map)->tree[i]) { \
-			if (inrange) { \
-				count++; \
-				inrange = 0; \
-			} \
-			continue; \
-		} \
-		branch = (map)->tree[i];
-
-#define LOOP_WALK_END_COUNT() \
-	}
-
-#define GETVALUE1(a, a1, b1, r) \
-	(a == a1 ? b1 : r)
-
-#define GETVALUE2(a, b, a1, b1, c1, r) \
-	(a == a1 && b == b1 ? c1 : r)
-
-#define GETVALUE3(a, b, c, a1, b1, c1, d1, r) \
-	(a == a1 && b == b1 && c == c1 ? d1 : r)
-
-#define CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2) \
-	( \
-		GETVALUE1(a, a1, b1, 0) == 0 \
-		&& GETVALUE1(a, a2, b2, 255) == 255 \
-		&& c1 == 0 \
-		&& c2 == 255 \
-		&& d1 == 0 \
-		&& d2 == 255 \
-	)
-
-#define CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2) \
-	( \
-		GETVALUE2(a, b, a1, b1, c1, 0) == 0 \
-		&& GETVALUE2(a, b, a2, b2, c2, 255) == 255 \
-		&& d1 == 0 \
-		&& d2 == 255 \
-	)
-
-#define CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2) \
-	( \
-		GETVALUE3(a, b, c, a1, b1, c1, d1, 0) == 0 \
-		&& GETVALUE3(a, b, c, a2, b2, c2, d2, 255) == 255 \
-	)
-
-
-static inline void
-free_d(struct ip_set_iptreemap_d *map)
-{
-	kmem_cache_free(cachep_d, map);
-}
-
-static inline void
-free_c(struct ip_set_iptreemap_c *map)
-{
-	struct ip_set_iptreemap_d *dtree;
-	unsigned int i;
-
-	LOOP_WALK_BEGIN(map, i, dtree) {
-		if (dtree != fullbitmap_d)
-			free_d(dtree);
-	} LOOP_WALK_END();
-
-	kmem_cache_free(cachep_c, map);
-}
-
-static inline void
-free_b(struct ip_set_iptreemap_b *map)
-{
-	struct ip_set_iptreemap_c *ctree;
-	unsigned int i;
-
-	LOOP_WALK_BEGIN(map, i, ctree) {
-		if (ctree != fullbitmap_c)
-			free_c(ctree);
-	} LOOP_WALK_END();
-
-	kmem_cache_free(cachep_b, map);
-}
-
-static inline int
-iptreemap_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_iptreemap *map = set->data;
-	struct ip_set_iptreemap_b *btree;
-	struct ip_set_iptreemap_c *ctree;
-	struct ip_set_iptreemap_d *dtree;
-	unsigned char a, b, c, d;
-
-	*hash_ip = ip;
-
-	ABCD(a, b, c, d, hash_ip);
-
-	TESTIP_WALK(map, a, btree, fullbitmap_b);
-	TESTIP_WALK(btree, b, ctree, fullbitmap_c);
-	TESTIP_WALK(ctree, c, dtree, fullbitmap_d);
-
-	return !!test_bit(d, (void *) dtree->bitmap);
-}
-
-#define KADT_CONDITION
-
-UADT(iptreemap, test)
-KADT(iptreemap, test, ipaddr)
-
-static inline int
-__addip_single(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_iptreemap *map = (struct ip_set_iptreemap *) set->data;
-	struct ip_set_iptreemap_b *btree;
-	struct ip_set_iptreemap_c *ctree;
-	struct ip_set_iptreemap_d *dtree;
-	unsigned char a, b, c, d;
-
-	*hash_ip = ip;
-
-	ABCD(a, b, c, d, hash_ip);
-
-	ADDIP_WALK(map, a, btree, struct ip_set_iptreemap_b, cachep_b, fullbitmap_b);
-	ADDIP_WALK(btree, b, ctree, struct ip_set_iptreemap_c, cachep_c, fullbitmap_c);
-	ADDIP_WALK(ctree, c, dtree, struct ip_set_iptreemap_d, cachep_d, fullbitmap_d);
-
-	if (__test_and_set_bit(d, (void *) dtree->bitmap))
-		return -EEXIST;
-
-	__set_bit(b, (void *) btree->dirty);
-
-	return 0;
-}
-
-static inline int
-iptreemap_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-	      ip_set_ip_t start, ip_set_ip_t end)
-{
-	struct ip_set_iptreemap *map = set->data;
-	struct ip_set_iptreemap_b *btree;
-	struct ip_set_iptreemap_c *ctree;
-	struct ip_set_iptreemap_d *dtree;
-	unsigned int a, b, c, d;
-	unsigned char a1, b1, c1, d1;
-	unsigned char a2, b2, c2, d2;
-
-	if (start == end)
-		return __addip_single(set, hash_ip, start);
-
-	*hash_ip = start;
-
-	ABCD(a1, b1, c1, d1, &start);
-	ABCD(a2, b2, c2, d2, &end);
-
-	/* This is sooo ugly... */
-	ADDIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b) {
-		ADDIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c) {
-			ADDIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d) {
-				for (d = GETVALUE3(a, b, c, a1, b1, c1, d1, 0); d <= GETVALUE3(a, b, c, a2, b2, c2, d2, 255); d++)
-					__set_bit(d, (void *) dtree->bitmap);
-				__set_bit(b, (void *) btree->dirty);
-			} ADDIP_RANGE_LOOP_END();
-		} ADDIP_RANGE_LOOP_END();
-	} ADDIP_RANGE_LOOP_END();
-
-	return 0;
-}
-
-UADT0(iptreemap, add, min(req->ip, req->end), max(req->ip, req->end))
-KADT(iptreemap, add, ipaddr, ip)
-
-static inline int
-__delip_single(struct ip_set *set, ip_set_ip_t *hash_ip,
-	       ip_set_ip_t ip, gfp_t flags)
-{
-	struct ip_set_iptreemap *map = set->data;
-	struct ip_set_iptreemap_b *btree;
-	struct ip_set_iptreemap_c *ctree;
-	struct ip_set_iptreemap_d *dtree;
-	unsigned char a,b,c,d;
-
-	*hash_ip = ip;
-
-	ABCD(a, b, c, d, hash_ip);
-
-	DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b, flags);
-	DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c, flags);
-	DELIP_WALK(ctree, c, dtree, cachep_d, fullbitmap_d, flags);
-
-	if (!__test_and_clear_bit(d, (void *) dtree->bitmap))
-		return -EEXIST;
-
-	__set_bit(b, (void *) btree->dirty);
-
-	return 0;
-}
-
-static inline int
-iptreemap_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	      ip_set_ip_t start, ip_set_ip_t end, gfp_t flags)
-{
-	struct ip_set_iptreemap *map = set->data;
-	struct ip_set_iptreemap_b *btree;
-	struct ip_set_iptreemap_c *ctree;
-	struct ip_set_iptreemap_d *dtree;
-	unsigned int a, b, c, d;
-	unsigned char a1, b1, c1, d1;
-	unsigned char a2, b2, c2, d2;
-
-	if (start == end)
-		return __delip_single(set, hash_ip, start, flags);
-
-	*hash_ip = start;
-
-	ABCD(a1, b1, c1, d1, &start);
-	ABCD(a2, b2, c2, d2, &end);
-
-	/* This is sooo ugly... */
-	DELIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b, flags) {
-		DELIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c, flags) {
-			DELIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d, flags) {
-				for (d = GETVALUE3(a, b, c, a1, b1, c1, d1, 0); d <= GETVALUE3(a, b, c, a2, b2, c2, d2, 255); d++)
-					__clear_bit(d, (void *) dtree->bitmap);
-				__set_bit(b, (void *) btree->dirty);
-			} DELIP_RANGE_LOOP_END();
-		} DELIP_RANGE_LOOP_END();
-	} DELIP_RANGE_LOOP_END();
-
-	return 0;
-}
-
-UADT0(iptreemap, del, min(req->ip, req->end), max(req->ip, req->end), GFP_KERNEL)
-KADT(iptreemap, del, ipaddr, ip, GFP_ATOMIC)
-
-/* Check the status of the bitmap
- * -1 == all bits cleared
- *  1 == all bits set
- *  0 == anything else
- */
-static inline int
-bitmap_status(struct ip_set_iptreemap_d *dtree)
-{
-	unsigned char first = dtree->bitmap[0];
-	int a;
-
-	for (a = 1; a < 32; a++)
-		if (dtree->bitmap[a] != first)
-			return 0;
-
-	return (first == 0 ? -1 : (first == 255 ? 1 : 0));
-}
-
-static void
-gc(unsigned long addr)
-{
-	struct ip_set *set = (struct ip_set *) addr;
-	struct ip_set_iptreemap *map = set->data;
-	struct ip_set_iptreemap_b *btree;
-	struct ip_set_iptreemap_c *ctree;
-	struct ip_set_iptreemap_d *dtree;
-	unsigned int a, b, c;
-	int i, j, k;
-
-	write_lock_bh(&set->lock);
-
-	LOOP_WALK_BEGIN_GC(map, a, btree, fullbitmap_b, cachep_b, i) {
-		LOOP_WALK_BEGIN_GC(btree, b, ctree, fullbitmap_c, cachep_c, j) {
-			if (!__test_and_clear_bit(b, (void *) btree->dirty))
-				continue;
-			LOOP_WALK_BEGIN_GC(ctree, c, dtree, fullbitmap_d, cachep_d, k) {
-				switch (bitmap_status(dtree)) {
-					case -1:
-						kmem_cache_free(cachep_d, dtree);
-						ctree->tree[c] = NULL;
-						k--;
-					break;
-					case 1:
-						kmem_cache_free(cachep_d, dtree);
-						ctree->tree[c] = fullbitmap_d;
-						k++;
-					break;
-				}
-			} LOOP_WALK_END();
-		} LOOP_WALK_END_GC(btree, b, ctree, fullbitmap_c, cachep_c, k);
-	} LOOP_WALK_END_GC(map, a, btree, fullbitmap_b, cachep_b, j);
-
-	write_unlock_bh(&set->lock);
-
-	map->gc.expires = jiffies + map->gc_interval * HZ;
-	add_timer(&map->gc);
-}
-
-static inline void
-init_gc_timer(struct ip_set *set)
-{
-	struct ip_set_iptreemap *map = set->data;
-
-	init_timer(&map->gc);
-	map->gc.data = (unsigned long) set;
-	map->gc.function = gc;
-	map->gc.expires = jiffies + map->gc_interval * HZ;
-	add_timer(&map->gc);
-}
-
-static int
-iptreemap_create(struct ip_set *set, const void *data, u_int32_t size)
-{
-	const struct ip_set_req_iptreemap_create *req = data;
-	struct ip_set_iptreemap *map;
-
-	map = kzalloc(sizeof(*map), GFP_KERNEL);
-	if (!map)
-		return -ENOMEM;
-
-	map->gc_interval = req->gc_interval ? req->gc_interval : IPTREEMAP_DEFAULT_GC_TIME;
-	set->data = map;
-
-	init_gc_timer(set);
-
-	return 0;
-}
-
-static inline void
-__flush(struct ip_set_iptreemap *map)
-{
-	struct ip_set_iptreemap_b *btree;
-	unsigned int a;
-
-	LOOP_WALK_BEGIN(map, a, btree);
-		if (btree != fullbitmap_b)
-			free_b(btree);
-	LOOP_WALK_END();
-}
-
-static void
-iptreemap_destroy(struct ip_set *set)
-{
-	struct ip_set_iptreemap *map = set->data;
-
-	while (!del_timer(&map->gc))
-		msleep(IPTREEMAP_DESTROY_SLEEP);
-
-	__flush(map);
-	kfree(map);
-
-	set->data = NULL;
-}
-
-static void
-iptreemap_flush(struct ip_set *set)
-{
-	struct ip_set_iptreemap *map = set->data;
-
-	while (!del_timer(&map->gc))
-		msleep(IPTREEMAP_DESTROY_SLEEP);
-
-	__flush(map);
-
-	memset(map, 0, sizeof(*map));
-
-	init_gc_timer(set);
-}
-
-static void
-iptreemap_list_header(const struct ip_set *set, void *data)
-{
-	struct ip_set_iptreemap *map = set->data;
-	struct ip_set_req_iptreemap_create *header = data;
-
-	header->gc_interval = map->gc_interval;
-}
-
-static int
-iptreemap_list_members_size(const struct ip_set *set)
-{
-	struct ip_set_iptreemap *map = set->data;
-	struct ip_set_iptreemap_b *btree;
-	struct ip_set_iptreemap_c *ctree;
-	struct ip_set_iptreemap_d *dtree;
-	unsigned int a, b, c, d, inrange = 0, count = 0;
-
-	LOOP_WALK_BEGIN_COUNT(map, a, btree, inrange, count) {
-		LOOP_WALK_BEGIN_COUNT(btree, b, ctree, inrange, count) {
-			LOOP_WALK_BEGIN_COUNT(ctree, c, dtree, inrange, count) {
-				for (d = 0; d < 256; d++) {
-					if (test_bit(d, (void *) dtree->bitmap)) {
-						inrange = 1;
-					} else if (inrange) {
-						count++;
-						inrange = 0;
-					}
-				}
-			} LOOP_WALK_END_COUNT();
-		} LOOP_WALK_END_COUNT();
-	} LOOP_WALK_END_COUNT();
-
-	if (inrange)
-		count++;
-
-	return (count * sizeof(struct ip_set_req_iptreemap));
-}
-
-static inline u_int32_t
-add_member(void *data, size_t offset, ip_set_ip_t start, ip_set_ip_t end)
-{
-	struct ip_set_req_iptreemap *entry = data + offset;
-
-	entry->ip = start;
-	entry->end = end;
-
-	return sizeof(*entry);
-}
-
-static void
-iptreemap_list_members(const struct ip_set *set, void *data)
-{
-	struct ip_set_iptreemap *map = set->data;
-	struct ip_set_iptreemap_b *btree;
-	struct ip_set_iptreemap_c *ctree;
-	struct ip_set_iptreemap_d *dtree;
-	unsigned int a, b, c, d, inrange = 0;
-	size_t offset = 0;
-	ip_set_ip_t start = 0, end = 0, ip;
-
-	LOOP_WALK_BEGIN(map, a, btree) {
-		LOOP_WALK_BEGIN(btree, b, ctree) {
-			LOOP_WALK_BEGIN(ctree, c, dtree) {
-				for (d = 0; d < 256; d++) {
-					if (test_bit(d, (void *) dtree->bitmap)) {
-						ip = ((a << 24) | (b << 16) | (c << 8) | d);
-						if (!inrange) {
-							inrange = 1;
-							start = ip;
-						} else if (end < ip - 1) {
-							offset += add_member(data, offset, start, end);
-							start = ip;
-						}
-						end = ip;
-					} else if (inrange) {
-						offset += add_member(data, offset, start, end);
-						inrange = 0;
-					}
-				}
-			} LOOP_WALK_END();
-		} LOOP_WALK_END();
-	} LOOP_WALK_END();
-
-	if (inrange)
-		add_member(data, offset, start, end);
-}
-
-IP_SET_TYPE(iptreemap, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Sven Wegener <sven.wegener@stealer.net>");
-MODULE_DESCRIPTION("iptreemap type of IP sets");
-
-static int __init ip_set_iptreemap_init(void)
-{
-	int ret = -ENOMEM;
-	int a;
-
-	cachep_b = KMEM_CACHE_CREATE("ip_set_iptreemap_b",
-				     sizeof(struct ip_set_iptreemap_b));
-	if (!cachep_b) {
-		ip_set_printk("Unable to create ip_set_iptreemap_b slab cache");
-		goto out;
-	}
-
-	cachep_c = KMEM_CACHE_CREATE("ip_set_iptreemap_c",
-				     sizeof(struct ip_set_iptreemap_c));
-	if (!cachep_c) {
-		ip_set_printk("Unable to create ip_set_iptreemap_c slab cache");
-		goto outb;
-	}
-
-	cachep_d = KMEM_CACHE_CREATE("ip_set_iptreemap_d",
-				     sizeof(struct ip_set_iptreemap_d));
-	if (!cachep_d) {
-		ip_set_printk("Unable to create ip_set_iptreemap_d slab cache");
-		goto outc;
-	}
-
-	fullbitmap_d = kmem_cache_alloc(cachep_d, GFP_KERNEL);
-	if (!fullbitmap_d)
-		goto outd;
-
-	fullbitmap_c = kmem_cache_alloc(cachep_c, GFP_KERNEL);
-	if (!fullbitmap_c)
-		goto outbitmapd;
-
-	fullbitmap_b = kmem_cache_alloc(cachep_b, GFP_KERNEL);
-	if (!fullbitmap_b)
-		goto outbitmapc;
-
-	ret = ip_set_register_set_type(&ip_set_iptreemap);
-	if (0 > ret)
-		goto outbitmapb;
-
-	/* Now init our global bitmaps */
-	memset(fullbitmap_d->bitmap, 0xff, sizeof(fullbitmap_d->bitmap));
-
-	for (a = 0; a < 256; a++)
-		fullbitmap_c->tree[a] = fullbitmap_d;
-
-	for (a = 0; a < 256; a++)
-		fullbitmap_b->tree[a] = fullbitmap_c;
-	memset(fullbitmap_b->dirty, 0, sizeof(fullbitmap_b->dirty));
-
-	return 0;
-
-outbitmapb:
-	kmem_cache_free(cachep_b, fullbitmap_b);
-outbitmapc:
-	kmem_cache_free(cachep_c, fullbitmap_c);
-outbitmapd:
-	kmem_cache_free(cachep_d, fullbitmap_d);
-outd:
-	kmem_cache_destroy(cachep_d);
-outc:
-	kmem_cache_destroy(cachep_c);
-outb:
-	kmem_cache_destroy(cachep_b);
-out:
-
-	return ret;
-}
-
-static void __exit ip_set_iptreemap_fini(void)
-{
-	ip_set_unregister_set_type(&ip_set_iptreemap);
-	kmem_cache_free(cachep_d, fullbitmap_d);
-	kmem_cache_free(cachep_c, fullbitmap_c);
-	kmem_cache_free(cachep_b, fullbitmap_b);
-	kmem_cache_destroy(cachep_d);
-	kmem_cache_destroy(cachep_c);
-	kmem_cache_destroy(cachep_b);
-}
-
-module_init(ip_set_iptreemap_init);
-module_exit(ip_set_iptreemap_fini);

extensions/ipset/ip_set_iptreemap.h

@@ -1,40 +0,0 @@
-#ifndef __IP_SET_IPTREEMAP_H
-#define __IP_SET_IPTREEMAP_H
-
-#include "ip_set.h"
-
-#define SETTYPE_NAME "iptreemap"
-
-#ifdef __KERNEL__
-struct ip_set_iptreemap_d {
-	unsigned char bitmap[32]; /* x.x.x.y */
-};
-
-struct ip_set_iptreemap_c {
-	struct ip_set_iptreemap_d *tree[256]; /* x.x.y.x */
-};
-
-struct ip_set_iptreemap_b {
-	struct ip_set_iptreemap_c *tree[256]; /* x.y.x.x */
-	unsigned char dirty[32];
-};
-#endif
-
-struct ip_set_iptreemap {
-	unsigned int gc_interval;
-#ifdef __KERNEL__
-	struct timer_list gc;
-	struct ip_set_iptreemap_b *tree[256]; /* y.x.x.x */
-#endif
-};
-
-struct ip_set_req_iptreemap_create {
-	unsigned int gc_interval;
-};
-
-struct ip_set_req_iptreemap {
-	ip_set_ip_t ip;
-	ip_set_ip_t end;
-};
-
-#endif /* __IP_SET_IPTREEMAP_H */

extensions/ipset/ip_set_jhash.h

@@ -1,157 +0,0 @@
-#ifndef _LINUX_JHASH_H
-#define _LINUX_JHASH_H
-
-/* jhash.h: Jenkins hash support.
- *
- * Copyright (C) 2006. Bob Jenkins (bob_jenkins@burtleburtle.net)
- *
- * http://burtleburtle.net/bob/hash/
- *
- * These are the credits from Bob's sources:
- *
- * lookup3.c, by Bob Jenkins, May 2006, Public Domain.
- *
- * These are functions for producing 32-bit hashes for hash table lookup.
- * hashword(), hashlittle(), hashlittle2(), hashbig(), mix(), and final() 
- * are externally useful functions.  Routines to test the hash are included 
- * if SELF_TEST is defined.  You can use this free for any purpose.  It's in
- * the public domain.  It has no warranty.
- *
- * Copyright (C) 2009 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * I've modified Bob's hash to be useful in the Linux kernel, and
- * any bugs present are my fault.  Jozsef
- */
-
-#define __rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
-
-/* __jhash_mix - mix 3 32-bit values reversibly. */
-#define __jhash_mix(a,b,c) \
-{ \
-  a -= c;  a ^= __rot(c, 4);  c += b; \
-  b -= a;  b ^= __rot(a, 6);  a += c; \
-  c -= b;  c ^= __rot(b, 8);  b += a; \
-  a -= c;  a ^= __rot(c,16);  c += b; \
-  b -= a;  b ^= __rot(a,19);  a += c; \
-  c -= b;  c ^= __rot(b, 4);  b += a; \
-}
-
-/* __jhash_final - final mixing of 3 32-bit values (a,b,c) into c */
-#define __jhash_final(a,b,c) \
-{ \
-  c ^= b; c -= __rot(b,14); \
-  a ^= c; a -= __rot(c,11); \
-  b ^= a; b -= __rot(a,25); \
-  c ^= b; c -= __rot(b,16); \
-  a ^= c; a -= __rot(c,4);  \
-  b ^= a; b -= __rot(a,14); \
-  c ^= b; c -= __rot(b,24); \
-}
-
-/* The golden ration: an arbitrary value */
-#define JHASH_GOLDEN_RATIO	0xdeadbeef
-
-/* The most generic version, hashes an arbitrary sequence
- * of bytes.  No alignment or length assumptions are made about
- * the input key. The result depends on endianness.
- */
-static inline u32 jhash(const void *key, u32 length, u32 initval)
-{
-	u32 a,b,c;
-	const u8 *k = key;
-
-	/* Set up the internal state */
-	a = b = c = JHASH_GOLDEN_RATIO + length + initval;
-
-	/* all but the last block: affect some 32 bits of (a,b,c) */
-	while (length > 12) {
-    		a += (k[0] + ((u32)k[1]<<8) + ((u32)k[2]<<16) + ((u32)k[3]<<24));
-		b += (k[4] + ((u32)k[5]<<8) + ((u32)k[6]<<16) + ((u32)k[7]<<24));
-		c += (k[8] + ((u32)k[9]<<8) + ((u32)k[10]<<16) + ((u32)k[11]<<24));
-		__jhash_mix(a, b, c);
-		length -= 12;
-		k += 12;
-	}
-
-	/* last block: affect all 32 bits of (c) */
-	/* all the case statements fall through */
-	switch (length) {
-	case 12: c += (u32)k[11]<<24;
-	case 11: c += (u32)k[10]<<16;
-	case 10: c += (u32)k[9]<<8;
-	case 9 : c += k[8];
-	case 8 : b += (u32)k[7]<<24;
-	case 7 : b += (u32)k[6]<<16;
-	case 6 : b += (u32)k[5]<<8;
-	case 5 : b += k[4];
-	case 4 : a += (u32)k[3]<<24;
-	case 3 : a += (u32)k[2]<<16;
-	case 2 : a += (u32)k[1]<<8;
-	case 1 : a += k[0];
-		__jhash_final(a, b, c);
-	case 0 :
-		break;
-	}
-
-	return c;
-}
-
-/* A special optimized version that handles 1 or more of u32s.
- * The length parameter here is the number of u32s in the key.
- */
-static inline u32 jhash2(const u32 *k, u32 length, u32 initval)
-{
-	u32 a, b, c;
-
-	/* Set up the internal state */
-	a = b = c = JHASH_GOLDEN_RATIO + (length<<2) + initval;
-
-	/* handle most of the key */
-	while (length > 3) {
-		a += k[0];
-		b += k[1];
-		c += k[2];
-		__jhash_mix(a, b, c);
-		length -= 3;
-		k += 3;
-	}
-
-	/* handle the last 3 u32's */
-	/* all the case statements fall through */ 
-	switch (length) {
-	case 3: c += k[2];
-	case 2: b += k[1];
-	case 1: a += k[0];
-		__jhash_final(a, b, c);
-	case 0:     /* case 0: nothing left to add */
-		break;
-	}
-
-	return c;
-}
-
-/* A special ultra-optimized versions that knows they are hashing exactly
- * 3, 2 or 1 word(s).
- */
-static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
-{
-	a += JHASH_GOLDEN_RATIO + initval;
-	b += JHASH_GOLDEN_RATIO + initval;
-	c += JHASH_GOLDEN_RATIO + initval;
-
-	__jhash_final(a, b, c);
-
-	return c;
-}
-
-static inline u32 jhash_2words(u32 a, u32 b, u32 initval)
-{
-	return jhash_3words(0, a, b, initval);
-}
-
-static inline u32 jhash_1word(u32 a, u32 initval)
-{
-	return jhash_3words(0, 0, a, initval);
-}
-
-#endif /* _LINUX_JHASH_H */

extensions/ipset/ip_set_macipmap.c

@@ -1,164 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- *                         Patrick Schaaf <bof@bof.de>
- *                         Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing an IP set type: the macipmap type */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-#include <linux/if_ether.h>
-
-#include "ip_set_macipmap.h"
-
-static int
-macipmap_utest(struct ip_set *set, const void *data, u_int32_t size,
-	       ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_macipmap *map = set->data;
-	const struct ip_set_macip *table = map->members;	
-	const struct ip_set_req_macipmap *req = data;
-
-	if (req->ip < map->first_ip || req->ip > map->last_ip)
-		return -ERANGE;
-
-	*hash_ip = req->ip;
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(req->ip), HIPQUAD(*hash_ip));		
-	if (table[req->ip - map->first_ip].match) {
-		return (memcmp(req->ethernet,
-			       &table[req->ip - map->first_ip].ethernet,
-			       ETH_ALEN) == 0);
-	} else {
-		return (map->flags & IPSET_MACIP_MATCHUNSET ? 1 : 0);
-	}
-}
-
-static int
-macipmap_ktest(struct ip_set *set,
-	       const struct sk_buff *skb,
-	       ip_set_ip_t *hash_ip,
-	       const u_int32_t *flags,
-	       unsigned char index)
-{
-	const struct ip_set_macipmap *map = set->data;
-	const struct ip_set_macip *table = map->members;
-	ip_set_ip_t ip;
-	
-	ip = ipaddr(skb, flags[index]);
-
-	if (ip < map->first_ip || ip > map->last_ip)
-		return 0;
-
-	*hash_ip = ip;	
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip));		
-	if (table[ip - map->first_ip].match) {
-		/* Is mac pointer valid?
-		 * If so, compare... */
-		return (skb_mac_header(skb) >= skb->head
-			&& (skb_mac_header(skb) + ETH_HLEN) <= skb->data
-			&& (memcmp(eth_hdr(skb)->h_source,
-				   &table[ip - map->first_ip].ethernet,
-				   ETH_ALEN) == 0));
-	} else {
-		return (map->flags & IPSET_MACIP_MATCHUNSET ? 1 : 0);
-	}
-}
-
-/* returns 0 on success */
-static inline int
-macipmap_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-	     ip_set_ip_t ip, const unsigned char *ethernet)
-{
-	struct ip_set_macipmap *map = set->data;
-	struct ip_set_macip *table = map->members;
-
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-	if (table[ip - map->first_ip].match)
-		return -EEXIST;
-
-	*hash_ip = ip;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
-	memcpy(&table[ip - map->first_ip].ethernet, ethernet, ETH_ALEN);
-	table[ip - map->first_ip].match = IPSET_MACIP_ISSET;
-	return 0;
-}
-
-#define KADT_CONDITION						\
-	if (!(skb_mac_header(skb) >= skb->head			\
-	      && (skb_mac_header(skb) + ETH_HLEN) <= skb->data))\
-		return -EINVAL;
-
-UADT(macipmap, add, req->ethernet)
-KADT(macipmap, add, ipaddr, eth_hdr(skb)->h_source)
-
-static inline int
-macipmap_del(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	struct ip_set_macipmap *map = set->data;
-	struct ip_set_macip *table = map->members;
-
-	if (ip < map->first_ip || ip > map->last_ip)
-		return -ERANGE;
-	if (!table[ip - map->first_ip].match)
-		return -EEXIST;
-
-	*hash_ip = ip;
-	table[ip - map->first_ip].match = 0;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
-	return 0;
-}
-
-#undef KADT_CONDITION
-#define KADT_CONDITION
-
-UADT(macipmap, del)
-KADT(macipmap, del, ipaddr)
-
-static inline int
-__macipmap_create(const struct ip_set_req_macipmap_create *req,
-		  struct ip_set_macipmap *map)
-{
-	if (req->to - req->from > MAX_RANGE) {
-		ip_set_printk("range too big, %d elements (max %d)",
-			      req->to - req->from + 1, MAX_RANGE+1);
-		return -ENOEXEC;
-	}
-	map->flags = req->flags;
-	return (req->to - req->from + 1) * sizeof(struct ip_set_macip);
-}
-
-BITMAP_CREATE(macipmap)
-BITMAP_DESTROY(macipmap)
-BITMAP_FLUSH(macipmap)
-
-static inline void
-__macipmap_list_header(const struct ip_set_macipmap *map,
-		       struct ip_set_req_macipmap_create *header)
-{
-	header->flags = map->flags;
-}
-
-BITMAP_LIST_HEADER(macipmap)
-BITMAP_LIST_MEMBERS_SIZE(macipmap)
-BITMAP_LIST_MEMBERS(macipmap)
-
-IP_SET_TYPE(macipmap, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("macipmap type of IP sets");
-
-REGISTER_MODULE(macipmap)

extensions/ipset/ip_set_macipmap.h

@@ -1,39 +0,0 @@
-#ifndef __IP_SET_MACIPMAP_H
-#define __IP_SET_MACIPMAP_H
-
-#include "ip_set.h"
-#include "ip_set_bitmaps.h"
-
-#define SETTYPE_NAME "macipmap"
-
-/* general flags */
-#define IPSET_MACIP_MATCHUNSET	1
-
-/* per ip flags */
-#define IPSET_MACIP_ISSET	1
-
-struct ip_set_macipmap {
-	void *members;			/* the macipmap proper */
-	ip_set_ip_t first_ip;		/* host byte order, included in range */
-	ip_set_ip_t last_ip;		/* host byte order, included in range */
-	u_int32_t flags;
-	u_int32_t size;			/* size of the ipmap proper */
-};
-
-struct ip_set_req_macipmap_create {
-	ip_set_ip_t from;
-	ip_set_ip_t to;
-	u_int32_t flags;
-};
-
-struct ip_set_req_macipmap {
-	ip_set_ip_t ip;
-	unsigned char ethernet[ETH_ALEN];
-};
-
-struct ip_set_macip {
-	unsigned short match;
-	unsigned char ethernet[ETH_ALEN];
-};
-
-#endif	/* __IP_SET_MACIPMAP_H */

extensions/ipset/ip_set_malloc.h

@@ -1,153 +0,0 @@
-#ifndef _IP_SET_MALLOC_H
-#define _IP_SET_MALLOC_H
-
-#ifdef __KERNEL__
-#include <linux/vmalloc.h> 
-
-static size_t max_malloc_size = 0, max_page_size = 0;
-static size_t default_max_malloc_size = 131072;			/* Guaranteed: slab.c */
-
-static inline int init_max_page_size(void)
-{
-/* Compatibility glues to support 2.4.36 */
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
-#define __GFP_NOWARN		0
-
-	/* Guaranteed: slab.c */
-	max_malloc_size = max_page_size = default_max_malloc_size;
-#else
-	size_t page_size = 0;
-
-#define CACHE(x) if (max_page_size == 0 || x < max_page_size)	\
-			page_size = x;
-#include <linux/kmalloc_sizes.h>
-#undef CACHE
-	if (page_size) {
-		if (max_malloc_size == 0)
-			max_malloc_size = page_size;
-
-		max_page_size = page_size;
-
-		return 1;
-	}
-#endif
-	return 0;
-}
-
-struct harray {
-	size_t max_elements;
-	void *arrays[0];
-};
-
-static inline void * 
-__harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
-{
-	struct harray *harray;
-	size_t max_elements, size, i, j;
-
-	BUG_ON(max_page_size == 0);
-
-	if (typesize > max_page_size)
-		return NULL;
-
-	max_elements = max_page_size/typesize;
-	size = hashsize/max_elements;
-	if (hashsize % max_elements)
-		size++;
-	
-	/* Last pointer signals end of arrays */
-	harray = kmalloc(sizeof(struct harray) + (size + 1) * sizeof(void *),
-			 flags);
-
-	if (!harray)
-		return NULL;
-	
-	for (i = 0; i < size - 1; i++) {
-		harray->arrays[i] = kmalloc(max_elements * typesize, flags);
-		if (!harray->arrays[i])
-			goto undo;
-		memset(harray->arrays[i], 0, max_elements * typesize);
-	}
-	harray->arrays[i] = kmalloc((hashsize - i * max_elements) * typesize, 
-				    flags);
-	if (!harray->arrays[i])
-		goto undo;
-	memset(harray->arrays[i], 0, (hashsize - i * max_elements) * typesize);
-
-	harray->max_elements = max_elements;
-	harray->arrays[size] = NULL;
-	
-	return (void *)harray;
-
-    undo:
-    	for (j = 0; j < i; j++) {
-    		kfree(harray->arrays[j]);
-    	}
-    	kfree(harray);
-    	return NULL;
-}
-
-static inline void *
-harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
-{
-	void *harray;
-	
-	do {
-		harray = __harray_malloc(hashsize, typesize, flags|__GFP_NOWARN);
-	} while (harray == NULL && init_max_page_size());
-	
-	return harray;
-}		
-
-static inline void harray_free(void *h)
-{
-	struct harray *harray = (struct harray *) h;
-	size_t i;
-	
-    	for (i = 0; harray->arrays[i] != NULL; i++)
-    		kfree(harray->arrays[i]);
-    	kfree(harray);
-}
-
-static inline void harray_flush(void *h, size_t hashsize, size_t typesize)
-{
-	struct harray *harray = (struct harray *) h;
-	size_t i;
-	
-    	for (i = 0; harray->arrays[i+1] != NULL; i++)
-		memset(harray->arrays[i], 0, harray->max_elements * typesize);
-	memset(harray->arrays[i], 0, 
-	       (hashsize - i * harray->max_elements) * typesize);
-}
-
-#define HARRAY_ELEM(h, type, which)				\
-({								\
-	struct harray *__h = (struct harray *)(h);		\
-	((type)((__h)->arrays[(which)/(__h)->max_elements])	\
-		+ (which)%(__h)->max_elements);			\
-})
-
-/* General memory allocation and deallocation */
-static inline void * ip_set_malloc(size_t bytes)
-{
-	BUG_ON(max_malloc_size == 0);
-
-	if (bytes > default_max_malloc_size)
-		return vmalloc(bytes);
-	else
-		return kmalloc(bytes, GFP_KERNEL | __GFP_NOWARN);
-}
-
-static inline void ip_set_free(void * data, size_t bytes)
-{
-	BUG_ON(max_malloc_size == 0);
-
-	if (bytes > default_max_malloc_size)
-		vfree(data);
-	else
-		kfree(data);
-}
-
-#endif				/* __KERNEL__ */
-
-#endif /*_IP_SET_MALLOC_H*/

extensions/ipset/ip_set_nethash.c

@@ -1,225 +0,0 @@
-/* Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing a cidr nethash set */
-
-#include <linux/module.h>
-#include <linux/moduleparam.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-#include "ip_set_jhash.h"
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-#include <linux/random.h>
-
-#include <net/ip.h>
-
-#include "ip_set_nethash.h"
-
-static int limit = MAX_RANGE;
-
-static inline __u32
-nethash_id_cidr(const struct ip_set_nethash *map,
-		ip_set_ip_t *hash_ip,
-		ip_set_ip_t ip,
-		uint8_t cidr)
-{
-	__u32 id;
-	u_int16_t i;
-	ip_set_ip_t *elem;
-
-	*hash_ip = pack_ip_cidr(ip, cidr);
-	if (!*hash_ip)
-		return MAX_RANGE;
-	
-	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip(map, i, *hash_ip) % map->hashsize;
-	   	DP("hash key: %u", id);
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-	   	if (*elem == *hash_ip)
-			return id;
-		/* No shortcut - there can be deleted entries. */
-	}
-	return UINT_MAX;
-}
-
-static inline __u32
-nethash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	const struct ip_set_nethash *map = set->data;
-	__u32 id = UINT_MAX;
-	int i;
-
-	for (i = 0; i < 30 && map->cidr[i]; i++) {
-		id = nethash_id_cidr(map, hash_ip, ip, map->cidr[i]);
-		if (id != UINT_MAX)
-			break;
-	}
-	return id;
-}
-
-static inline int
-nethash_test_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
-		  ip_set_ip_t ip, uint8_t cidr)
-{
-	const struct ip_set_nethash *map = set->data;
-
-	return (nethash_id_cidr(map, hash_ip, ip, cidr) != UINT_MAX);
-}
-
-static inline int
-nethash_test(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
-{
-	return (nethash_id(set, hash_ip, ip) != UINT_MAX);
-}
-
-static int
-nethash_utest(struct ip_set *set, const void *data, u_int32_t size,
-	      ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_nethash *req = data;
-
-	if (req->cidr <= 0 || req->cidr > 32)
-		return -EINVAL;
-	return (req->cidr == 32 ? nethash_test(set, hash_ip, req->ip)
-		: nethash_test_cidr(set, hash_ip, req->ip, req->cidr));
-}
-
-#define KADT_CONDITION
-
-KADT(nethash, test, ipaddr)
-
-static inline int
-__nethash_add(struct ip_set_nethash *map, ip_set_ip_t *ip)
-{
-	__u32 probe;
-	u_int16_t i;
-	ip_set_ip_t *elem, *slot = NULL;
-	
-	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip(map, i, *ip) % map->hashsize;
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
-		if (*elem == *ip)
-			return -EEXIST;
-		if (!(slot || *elem))
-			slot = elem;
-		/* There can be deleted entries, must check all slots */
-	}
-	if (slot) {
-		*slot = *ip;
-		map->elements++;
-		return 0;
-	}
-	/* Trigger rehashing */
-	return -EAGAIN;
-}
-
-static inline int
-nethash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
-	    ip_set_ip_t ip, uint8_t cidr)
-{
-	struct ip_set_nethash *map = set->data;
-	int ret;
-	
-	if (map->elements >= limit || map->nets[cidr-1] == UINT16_MAX)
-		return -ERANGE;	
-	if (cidr <= 0 || cidr >= 32)
-		return -EINVAL;
-
-	*hash_ip = pack_ip_cidr(ip, cidr);
-	DP("%u.%u.%u.%u/%u, %u.%u.%u.%u", HIPQUAD(ip), cidr, HIPQUAD(*hash_ip));
-	if (!*hash_ip)
-		return -ERANGE;
-	
-	ret = __nethash_add(map, hash_ip);
-	if (ret == 0) {
-		if (!map->nets[cidr-1]++)
-			add_cidr_size(map->cidr, cidr);
-		map->elements++;
-	}
-	
-	return ret;
-}
-
-#undef KADT_CONDITION
-#define KADT_CONDITION							\
-	struct ip_set_nethash *map = set->data;				\
-	uint8_t cidr = map->cidr[0] ? map->cidr[0] : 31;
-
-UADT(nethash, add, req->cidr)
-KADT(nethash, add, ipaddr, cidr)
-
-static inline void
-__nethash_retry(struct ip_set_nethash *tmp, struct ip_set_nethash *map)
-{
-	memcpy(tmp->cidr, map->cidr, sizeof(tmp->cidr));
-	memcpy(tmp->nets, map->nets, sizeof(tmp->nets));
-}
-
-HASH_RETRY(nethash, ip_set_ip_t)
-
-static inline int
-nethash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
-	    ip_set_ip_t ip, uint8_t cidr)
-{
-	struct ip_set_nethash *map = set->data;
-	ip_set_ip_t id, *elem;
-
-	if (cidr <= 0 || cidr >= 32)
-		return -EINVAL;	
-	
-	id = nethash_id_cidr(map, hash_ip, ip, cidr);
-	if (id == UINT_MAX)
-		return -EEXIST;
-		
-	elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-	*elem = 0;
-	map->elements--;
-	if (!map->nets[cidr-1]--)
-		del_cidr_size(map->cidr, cidr);
-	return 0;
-}
-
-UADT(nethash, del, req->cidr)
-KADT(nethash, del, ipaddr, cidr)
-
-static inline int
-__nethash_create(const struct ip_set_req_nethash_create *req,
-		 struct ip_set_nethash *map)
-{
-	memset(map->cidr, 0, sizeof(map->cidr));
-	memset(map->nets, 0, sizeof(map->nets));
-	
-	return 0;
-}
-
-HASH_CREATE(nethash, ip_set_ip_t)
-HASH_DESTROY(nethash)
-
-HASH_FLUSH_CIDR(nethash, ip_set_ip_t)
-
-static inline void
-__nethash_list_header(const struct ip_set_nethash *map,
-		      struct ip_set_req_nethash_create *header)
-{    
-}
-
-HASH_LIST_HEADER(nethash)
-HASH_LIST_MEMBERS_SIZE(nethash, ip_set_ip_t)
-HASH_LIST_MEMBERS(nethash, ip_set_ip_t)
-
-IP_SET_RTYPE(nethash, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("nethash type of IP sets");
-module_param(limit, int, 0600);
-MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
-
-REGISTER_MODULE(nethash)

extensions/ipset/ip_set_nethash.h

@@ -1,31 +0,0 @@
-#ifndef __IP_SET_NETHASH_H
-#define __IP_SET_NETHASH_H
-
-#include "ip_set.h"
-#include "ip_set_hashes.h"
-
-#define SETTYPE_NAME "nethash"
-
-struct ip_set_nethash {
-	ip_set_ip_t *members;		/* the nethash proper */
-	uint32_t elements;		/* number of elements */
-	uint32_t hashsize;		/* hash size */
-	uint16_t probes;		/* max number of probes  */
-	uint16_t resize;		/* resize factor in percent */
-	uint8_t cidr[30];		/* CIDR sizes */
-	uint16_t nets[30];		/* nr of nets by CIDR sizes */
-	initval_t initval[0];		/* initvals for jhash_1word */
-};
-
-struct ip_set_req_nethash_create {
-	uint32_t hashsize;
-	uint16_t probes;
-	uint16_t resize;
-};
-
-struct ip_set_req_nethash {
-	ip_set_ip_t ip;
-	uint8_t cidr;
-};
-
-#endif	/* __IP_SET_NETHASH_H */

extensions/ipset/ip_set_portmap.c

@@ -1,114 +0,0 @@
-/* Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing a port set type as a bitmap */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/skbuff.h>
-#include <linux/errno.h>
-#include <asm/uaccess.h>
-#include <asm/bitops.h>
-#include <linux/spinlock.h>
-
-#include <net/ip.h>
-
-#include "ip_set_portmap.h"
-#include "ip_set_getport.h"
-
-static inline int
-portmap_test(const struct ip_set *set, ip_set_ip_t *hash_port,
-	     ip_set_ip_t port)
-{
-	const struct ip_set_portmap *map = set->data;
-
-	if (port < map->first_ip || port > map->last_ip)
-		return -ERANGE;
-		
-	*hash_port = port;
-	DP("set: %s, port:%u, %u", set->name, port, *hash_port);
-	return !!test_bit(port - map->first_ip, map->members);
-}
-
-#define KADT_CONDITION			\
-	if (ip == INVALID_PORT)		\
-		return 0;	
-
-UADT(portmap, test)
-KADT(portmap, test, get_port)
-
-static inline int
-portmap_add(struct ip_set *set, ip_set_ip_t *hash_port, ip_set_ip_t port)
-{
-	struct ip_set_portmap *map = set->data;
-
-	if (port < map->first_ip || port > map->last_ip)
-		return -ERANGE;
-	if (test_and_set_bit(port - map->first_ip, map->members))
-		return -EEXIST;
-		
-	*hash_port = port;
-	DP("port %u", port);
-	return 0;
-}
-
-UADT(portmap, add)
-KADT(portmap, add, get_port)
-
-static inline int
-portmap_del(struct ip_set *set, ip_set_ip_t *hash_port, ip_set_ip_t port)
-{
-	struct ip_set_portmap *map = set->data;
-
-	if (port < map->first_ip || port > map->last_ip)
-		return -ERANGE;
-	if (!test_and_clear_bit(port - map->first_ip, map->members))
-		return -EEXIST;
-		
-	*hash_port = port;
-	DP("port %u", port);
-	return 0;
-}
-
-UADT(portmap, del)
-KADT(portmap, del, get_port)
-
-static inline int
-__portmap_create(const struct ip_set_req_portmap_create *req,
-		 struct ip_set_portmap *map)
-{
-	if (req->to - req->from > MAX_RANGE) {
-		ip_set_printk("range too big, %d elements (max %d)",
-			      req->to - req->from + 1, MAX_RANGE+1);
-		return -ENOEXEC;
-	}
-	return bitmap_bytes(req->from, req->to);
-}
-
-BITMAP_CREATE(portmap)
-BITMAP_DESTROY(portmap)
-BITMAP_FLUSH(portmap)
-
-static inline void
-__portmap_list_header(const struct ip_set_portmap *map,
-		      struct ip_set_req_portmap_create *header)
-{
-}
-
-BITMAP_LIST_HEADER(portmap)
-BITMAP_LIST_MEMBERS_SIZE(portmap)
-BITMAP_LIST_MEMBERS(portmap)
-
-IP_SET_TYPE(portmap, IPSET_TYPE_PORT | IPSET_DATA_SINGLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("portmap type of IP sets");
-
-REGISTER_MODULE(portmap)

extensions/ipset/ip_set_portmap.h

@@ -1,25 +0,0 @@
-#ifndef __IP_SET_PORTMAP_H
-#define __IP_SET_PORTMAP_H
-
-#include "ip_set.h"
-#include "ip_set_bitmaps.h"
-
-#define SETTYPE_NAME	"portmap"
-
-struct ip_set_portmap {
-	void *members;			/* the portmap proper */
-	ip_set_ip_t first_ip;		/* host byte order, included in range */
-	ip_set_ip_t last_ip;		/* host byte order, included in range */
-	u_int32_t size;			/* size of the ipmap proper */
-};
-
-struct ip_set_req_portmap_create {
-	ip_set_ip_t from;
-	ip_set_ip_t to;
-};
-
-struct ip_set_req_portmap {
-	ip_set_ip_t ip;
-};
-
-#endif /* __IP_SET_PORTMAP_H */

extensions/ipset/ip_set_setlist.c

@@ -1,330 +0,0 @@
-/* Copyright (C) 2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module implementing an IP set type: the setlist type */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-#include <linux/errno.h>
-
-#include "ip_set.h"
-#include "ip_set_bitmaps.h"
-#include "ip_set_setlist.h"
-
-/*
- * before ==> index, ref
- * after  ==> ref, index
- */
-
-static inline int
-next_index_eq(const struct ip_set_setlist *map, int i, ip_set_id_t index)
-{
-	return i < map->size && map->index[i] == index;
-}
-
-static int
-setlist_utest(struct ip_set *set, const void *data, u_int32_t size,
-	       ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_setlist *map = set->data;
-	const struct ip_set_req_setlist *req = data;
-	ip_set_id_t index, ref = IP_SET_INVALID_ID;
-	int i, res = 0;
-	struct ip_set *s;
-	
-	if (req->before && req->ref[0] == '\0')
-		return 0;
-
-	index = __ip_set_get_byname(req->name, &s);
-	if (index == IP_SET_INVALID_ID)
-		return 0;
-	if (req->ref[0] != '\0') {
-		ref = __ip_set_get_byname(req->ref, &s);
-		if (ref == IP_SET_INVALID_ID)
-			goto finish;
-	}
-	for (i = 0; i < map->size
-		    && map->index[i] != IP_SET_INVALID_ID; i++) {
-		if (req->before && map->index[i] == index) {
-		    	res = next_index_eq(map, i + 1, ref);
-		    	break;
-		} else if (!req->before) {
-			if ((ref == IP_SET_INVALID_ID
-			     && map->index[i] == index)
-			    || (map->index[i] == ref
-			        && next_index_eq(map, i + 1, index))) {
-			        res = 1;
-			        break;
-			}
-		}
-	}
-	if (ref != IP_SET_INVALID_ID)
-		__ip_set_put_byindex(ref);
-finish:
-	__ip_set_put_byindex(index);
-	return res;
-}
-
-static int
-setlist_ktest(struct ip_set *set,
-	       const struct sk_buff *skb,
-	       ip_set_ip_t *hash_ip,
-	       const u_int32_t *flags,
-	       unsigned char index)
-{
-	struct ip_set_setlist *map = set->data;
-	int i, res = 0;
-	
-	for (i = 0; i < map->size
-		    && map->index[i] != IP_SET_INVALID_ID
-		    && res == 0; i++)
-		res = ip_set_testip_kernel(map->index[i], skb, flags);
-	return res;
-}
-
-static inline int
-insert_setlist(struct ip_set_setlist *map, int i, ip_set_id_t index)
-{
-	ip_set_id_t tmp;
-	int j;
-
-	DP("i: %u, last %u\n", i, map->index[map->size - 1]);	
-	if (i >= map->size || map->index[map->size - 1] != IP_SET_INVALID_ID)
-		return -ERANGE;
-	
-	for (j = i; j < map->size
-		    && index != IP_SET_INVALID_ID; j++) {
-		tmp = map->index[j];
-		map->index[j] = index;
-		index = tmp;
-	}
-	return 0;
-}
-
-static int
-setlist_uadd(struct ip_set *set, const void *data, u_int32_t size,
-	     ip_set_ip_t *hash_ip)
-{
-	struct ip_set_setlist *map = set->data;
-	const struct ip_set_req_setlist *req = data;
-	ip_set_id_t index, ref = IP_SET_INVALID_ID;
-	int i, res = -ERANGE;
-	struct ip_set *s;
-	
-	if (req->before && req->ref[0] == '\0')
-		return -EINVAL;
-
-	index = __ip_set_get_byname(req->name, &s);
-	if (index == IP_SET_INVALID_ID)
-		return -EEXIST;
-	/* "Loop detection" */
-	if (strcmp(s->type->typename, "setlist") == 0)
-		goto finish;
-
-	if (req->ref[0] != '\0') {
-		ref = __ip_set_get_byname(req->ref, &s);
-		if (ref == IP_SET_INVALID_ID) {
-			res = -EEXIST;
-			goto finish;
-		}
-	}
-	for (i = 0; i < map->size; i++) {
-		if (map->index[i] != ref)
-			continue;
-		if (req->before) 
-			res = insert_setlist(map, i, index);
-		else
-			res = insert_setlist(map,
-				ref == IP_SET_INVALID_ID ? i : i + 1,
-				index);
-		break;
-	}
-	if (ref != IP_SET_INVALID_ID)
-		__ip_set_put_byindex(ref);
-	/* In case of success, we keep the reference to the set */
-finish:
-	if (res != 0)
-		__ip_set_put_byindex(index);
-	return res;
-}
-
-static int
-setlist_kadd(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	struct ip_set_setlist *map = set->data;
-	int i, res = -EINVAL;
-	
-	for (i = 0; i < map->size
-		    && map->index[i] != IP_SET_INVALID_ID
-		    && res != 0; i++)
-		res = ip_set_addip_kernel(map->index[i], skb, flags);
-	return res;
-}
-
-static inline int
-unshift_setlist(struct ip_set_setlist *map, int i)
-{
-	int j;
-	
-	for (j = i; j < map->size - 1; j++)
-		map->index[j] = map->index[j+1];
-	map->index[map->size-1] = IP_SET_INVALID_ID;
-	return 0;
-}
-
-static int
-setlist_udel(struct ip_set *set, const void *data, u_int32_t size,
-	     ip_set_ip_t *hash_ip)
-{
-	struct ip_set_setlist *map = set->data;
-	const struct ip_set_req_setlist *req = data;
-	ip_set_id_t index, ref = IP_SET_INVALID_ID;
-	int i, res = -EEXIST;
-	struct ip_set *s;
-	
-	if (req->before && req->ref[0] == '\0')
-		return -EINVAL;
-
-	index = __ip_set_get_byname(req->name, &s);
-	if (index == IP_SET_INVALID_ID)
-		return -EEXIST;
-	if (req->ref[0] != '\0') {
-		ref = __ip_set_get_byname(req->ref, &s);
-		if (ref == IP_SET_INVALID_ID)
-			goto finish;
-	}
-	for (i = 0; i < map->size
-	            && map->index[i] != IP_SET_INVALID_ID; i++) {
-		if (req->before) {
-			if (map->index[i] == index
-			    && next_index_eq(map, i + 1, ref)) {
-				res = unshift_setlist(map, i);
-				break;
-			}
-		} else if (ref == IP_SET_INVALID_ID) {
-			if (map->index[i] == index) {
-				res = unshift_setlist(map, i);
-				break;
-			}
-		} else if (map->index[i] == ref
-			   && next_index_eq(map, i + 1, index)) {
-			res = unshift_setlist(map, i + 1);
-			break;
-		}
-	}
-	if (ref != IP_SET_INVALID_ID)
-		__ip_set_put_byindex(ref);
-finish:
-	__ip_set_put_byindex(index);
-	/* In case of success, release the reference to the set */
-	if (res == 0)
-		__ip_set_put_byindex(index);
-	return res;
-}
-
-static int
-setlist_kdel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	struct ip_set_setlist *map = set->data;
-	int i, res = -EINVAL;
-	
-	for (i = 0; i < map->size
-		    && map->index[i] != IP_SET_INVALID_ID
-		    && res != 0; i++)
-		res = ip_set_delip_kernel(map->index[i], skb, flags);
-	return res;
-}
-
-static int
-setlist_create(struct ip_set *set, const void *data, u_int32_t size)
-{
-	struct ip_set_setlist *map;
-	const struct ip_set_req_setlist_create *req = data;
-	int i;
-	
-	map = kmalloc(sizeof(struct ip_set_setlist) +
-		      req->size * sizeof(ip_set_id_t), GFP_KERNEL);
-	if (!map)
-		return -ENOMEM;
-	map->size = req->size;
-	for (i = 0; i < map->size; i++)
-		map->index[i] = IP_SET_INVALID_ID;
-	
-	set->data = map;
-	return 0;
-}                        
-
-static void
-setlist_destroy(struct ip_set *set)
-{
-	struct ip_set_setlist *map = set->data;
-	int i;
-	
-	for (i = 0; i < map->size
-		    && map->index[i] != IP_SET_INVALID_ID; i++)
-		__ip_set_put_byindex(map->index[i]);
-
-	kfree(map);
-	set->data = NULL;
-}
-
-static void
-setlist_flush(struct ip_set *set)
-{
-	struct ip_set_setlist *map = set->data;
-	int i;
-	
-	for (i = 0; i < map->size
-		    && map->index[i] != IP_SET_INVALID_ID; i++) {
-		__ip_set_put_byindex(map->index[i]);
-		map->index[i] = IP_SET_INVALID_ID;
-	}
-}
-
-static void
-setlist_list_header(const struct ip_set *set, void *data)
-{
-	const struct ip_set_setlist *map = set->data;
-	struct ip_set_req_setlist_create *header = data;
-	
-	header->size = map->size;
-}
-
-static int
-setlist_list_members_size(const struct ip_set *set)
-{
-	const struct ip_set_setlist *map = set->data;
-	
-	return map->size * sizeof(ip_set_id_t);
-}
-
-static void
-setlist_list_members(const struct ip_set *set, void *data)
-{
-	struct ip_set_setlist *map = set->data;
-	int i;
-	
-	for (i = 0; i < map->size; i++)
-		*((ip_set_id_t *)data + i) = ip_set_id(map->index[i]);
-}
-
-IP_SET_TYPE(setlist, IPSET_TYPE_SETNAME | IPSET_DATA_SINGLE)
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("setlist type of IP sets");
-
-REGISTER_MODULE(setlist)

extensions/ipset/ip_set_setlist.h

@@ -1,26 +0,0 @@
-#ifndef __IP_SET_SETLIST_H
-#define __IP_SET_SETLIST_H
-
-#include "ip_set.h"
-
-#define SETTYPE_NAME "setlist"
-
-#define IP_SET_SETLIST_ADD_AFTER	0
-#define IP_SET_SETLIST_ADD_BEFORE	1
-
-struct ip_set_setlist {
-	uint8_t size;
-	ip_set_id_t index[0];
-};
-
-struct ip_set_req_setlist_create {
-	uint8_t size;
-};
-
-struct ip_set_req_setlist {
-	char name[IP_SET_MAXNAMELEN];
-	char ref[IP_SET_MAXNAMELEN];
-	uint8_t before;
-};
-
-#endif /* __IP_SET_SETLIST_H */

extensions/ipset/ipset.8

@@ -1,608 +0,0 @@
-.TH IPSET 8 "Feb 05, 2004" "" ""
-.\"
-.\" Man page written by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-.\"
-.\"	This program is free software; you can redistribute it and/or modify
-.\"	it under the terms of the GNU General Public License as published by
-.\"	the Free Software Foundation; either version 2 of the License, or
-.\"	(at your option) any later version.
-.\"
-.\"	This program is distributed in the hope that it will be useful,
-.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-.\"	GNU General Public License for more details.
-.\"
-.\"	You should have received a copy of the GNU General Public License
-.\"	along with this program; if not, write to the Free Software
-.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.\"
-.\"
-.SH NAME
-ipset \- administration tool for IP sets
-.SH SYNOPSIS
-.BR "ipset -N " "set type-specification [options]"
-.br
-.BR "ipset -[XFLSHh] " "[set] [options]"
-.br
-.BR "ipset -[EW] " "from-set to-set"
-.br
-.BR "ipset -[ADU] " "set entry"
-.br
-.BR "ipset -B " "set entry -b binding"
-.br
-.BR "ipset -T " "set entry [-b binding]"
-.br
-.BR "ipset -R "
-.SH DESCRIPTION
-.B ipset
-is used to set up, maintain and inspect so called IP sets in the Linux
-kernel. Depending on the type, an IP set may store IP addresses, (TCP/UDP)
-port numbers or additional informations besides IP addresses: the word IP 
-means a general term here. See the set type definitions below.
-.P
-Any entry in a set can be bound to another set, which forms a relationship
-between a set element and the set it is bound to. In order to define a
-binding it is not required that the entry be already added to the set. 
-The sets may have a default binding, which is valid for every set element 
-for which there is no binding defined at all.
-.P
-IP set bindings pointing to sets and iptables matches and targets 
-referring to sets creates references, which protects the given sets in 
-the kernel. A set cannot be removed (destroyed) while there is a single
-reference pointing to it.
-.P
-.B
-Please note, binding sets is a deprecated feature and will be removed in a later release. Switch to the multidata type of sets from using bindings.
-.SH OPTIONS
-The options that are recognized by
-.B ipset
-can be divided into several different groups.
-.SS COMMANDS
-These options specify the specific action to perform.  Only one of them
-can be specified on the command line unless otherwise specified
-below.  For all the long versions of the command and option names, you
-need to use only enough letters to ensure that
-.B ipset
-can differentiate it from all other options.
-.TP
-.BI "-N, --create " "\fIsetname\fP type type-specific-options"
-Create a set identified with setname and specified type. 
-Type-specific options must be supplied.
-.TP
-.BI "-X, --destroy " "[\fIsetname\fP]"
-Destroy the specified set, or all sets if none or the keyword
-.B
-:all:
-is specified.
-Before destroying the set, all bindings belonging to the 
-set elements and the default binding of the set are removed.
-
-If the set has got references, nothing is done.
-.TP
-.BI "-F, --flush " "[\fIsetname\fP]"
-Delete all entries from the specified set, or flush
-all sets if none or the keyword
-.B
-:all:
-is given. Bindings are not affected by the flush operation.
-.TP
-.BI "-E, --rename " "\fIfrom-setname\fP \fIto-setname\fP"
-Rename a set. Set identified by to-setname must not exist.
-.TP
-.BI "-W, --swap " "\fIfrom-setname\fP \fIto-setname\fP"
-Swap the content of two sets, or in another words, 
-exchange the name of two sets. The referred sets must exist and
-identical type of sets can be swapped only.
-.TP
-.BI "-L, --list " "[\fIsetname\fP]"
-List the entries and bindings for the specified set, or for
-all sets if none or the keyword
-.B
-:all:
-is given. The
-.B "-n, --numeric"
-option can be used to suppress name lookups and generate numeric
-output. When the
-.B "-s, --sorted"
-option is given, the entries are listed sorted (if the given set
-type supports the operation).
-.TP
-.BI "-S, --save " "[\fIsetname\fP]"
-Save the given set, or all sets if none or the keyword
-.B
-:all:
-is specified to stdout in a format that --restore can read.
-.TP
-.BI "-R, --restore "
-Restore a saved session generated by --save. The saved session
-can be fed from stdin.
-
-When generating a session file please note that the supported commands
-(create set, add element, bind) must appear in a strict order: first create
-the set, then add all elements. Then create the next set, add all its elements
-and so on. Finally you can list all binding commands. Also, it is a restore
-operation, so the sets being restored must not exist.
-.TP
-.BI "-A, --add " "\fIsetname\fP \fIIP\fP"
-Add an IP to a set.
-.TP
-.BI "-D, --del " "\fIsetname\fP \fIIP\fP"
-Delete an IP from a set. 
-.TP
-.BI "-T, --test " "\fIsetname\fP \fIIP
-Test wether an IP is in a set or not. Exit status number is zero
-if the tested IP is in the set and nonzero if it is missing from 
-the set.
-.TP
-.BI "-T, --test " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Test wether the IP belonging to the set points to the specified binding. 
-Exit status number is zero if the binding points to the specified set, 
-otherwise it is nonzero. The keyword
-.B
-:default:
-can be used to test the default binding of the set.
-.TP
-.BI "-B, --bind " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Bind the IP in setname to to-setname.
-.TP
-.BI "-U, --unbind " "\fIsetname\fP \fIIP\fP"
-Delete the binding belonging to IP in set setname. 
-.TP
-.BI "-H, --help " "[settype]"
-Print help and settype specific help if settype specified.
-.P
-At the
-.B
--B, -U
-and
-.B 
--T
-commands you can use the token
-.B
-:default:
-to bind, unbind or test the default binding of a set instead
-of an IP. At the
-.B
--U
-command you can use the token
-.B
-:all:
-to destroy the bindings of all elements of a set.
-.SS "OTHER OPTIONS"
-The following additional options can be specified:
-.TP
-.B "-b, --binding setname"
-The option specifies the value of the binding for the
-.B "-B"
-binding command, for which it is a mandatory option.
-You can use it in the
-.B "-T"
-test command as well to test bindings.
-.TP
-.B "-s, --sorted"
-Sorted output. When listing sets, entries are listed sorted.
-.TP
-.B "-n, --numeric"
-Numeric output. When listing sets, bindings, IP addresses and 
-port numbers will be printed in numeric format. By default the 
-program will try to display them as host names, network names 
-or services (whenever applicable), which can trigger
-.B
-slow
-DNS 
-lookups.
-.TP
-.B "-q, --quiet"
-Suppress any output to stdout and stderr. ipset will still return
-possible errors.
-.SH SET TYPES
-ipset supports the following set types:
-.SS ipmap
-The ipmap set type uses a memory range, where each bit represents
-one IP address. An ipmap set can store up to 65536 (B-class network)
-IP addresses. The ipmap set type is very fast and memory cheap, great
-for use when one want to match certain IPs in a range. If the optional
-.B "--netmask"
-parameter is specified with a CIDR netmask value between 1-31 then
-network addresses are stored in the given set: i.e an
-IP address will be in the set if the network address, which is resulted
-by masking the address with the specified netmask, can be found in the set.
-.P
-Options to use when creating an ipmap set:
-.TP
-.BR "--from " from-IP
-.TP
-.BR "--to " to-IP
-Create an ipmap set from the specified range.
-.TP
-.BR "--network " IP/mask
-Create an ipmap set from the specified network.
-.TP
-.BR "--netmask " CIDR-netmask
-When the optional
-.B "--netmask"
-parameter specified, network addresses will be 
-stored in the set instead of IP addresses, and the from-IP parameter
-must be a network address. The CIDR-netmask value must be between 1-31.
-.SS macipmap
-The macipmap set type uses a memory range, where each 8 bytes
-represents one IP and a MAC addresses. A macipmap set type can store
-up to 65536 (B-class network) IP addresses with MAC.
-When adding an entry to a macipmap set, you must specify the entry as
-.I IP,MAC.
-When deleting or testing macipmap entries, the
-.I ,MAC
-part is not mandatory.
-.P
-Options to use when creating an macipmap set:
-.TP
-.BR "--from " from-IP
-.TP
-.BR "--to " to-IP
-Create a macipmap set from the specified range.
-.TP
-.BR "--network " IP/mask
-Create a macipmap set from the specified network.
-.TP
-.BR "--matchunset"
-When the optional
-.B "--matchunset"
-parameter specified, IP addresses which could be stored 
-in the set but not set yet, will always match.
-.P
-Please note, the 
-.I
-set
-and
-.I
-SET
-netfilter kernel modules
-.B
-always
-use the source MAC address from the packet to match, add or delete
-entries from a macipmap type of set.
-.SS portmap
-The portmap set type uses a memory range, where each bit represents
-one port. A portmap set type can store up to 65536 ports.
-The portmap set type is very fast and memory cheap.
-.P
-Options to use when creating an portmap set:
-.TP
-.BR "--from " from-port
-.TP
-.BR "--to " to-port
-Create a portmap set from the specified range.
-.SS iphash
-The iphash set type uses a hash to store IP addresses.
-In order to avoid clashes in the hash double-hashing, and as a last
-resort, dynamic growing of the hash performed. The iphash set type is
-great to store random addresses. If the optional
-.B "--netmask"
-parameter is specified with a CIDR netmask value between 1-31 then
-network addresses are stored in the given set: i.e an
-IP address will be in the set if the network address, which is resulted
-by masking the address with the specified netmask, can be found in the set.
-.P
-Options to use when creating an iphash set:
-.TP
-.BR "--hashsize " hashsize
-The initial hash size (default 1024)
-.TP
-.BR "--probes " probes
-How many times try to resolve clashing at adding an IP to the hash 
-by double-hashing (default 8).
-.TP
-.BR "--resize " percent
-Increase the hash size by this many percent (default 50) when adding
-an IP to the hash could not be performed after
-.B
-probes
-number of double-hashing. 
-.TP
-.BR "--netmask " CIDR-netmask
-When the optional
-.B "--netmask"
-parameter specified, network addresses will be 
-stored in the set instead of IP addresses. The CIDR-netmask value must
-be between 1-31.
-.P
-The iphash type of sets can store up to 65536 entries. If a set is full,
-no new entries can be added to it.
-.P
-Sets created by zero valued resize parameter won't be resized at all.
-The lookup time in an iphash type of set grows approximately linearly with
-the value of the 
-.B
-probes
-parameter. In general higher 
-.B
-probe
-value results better utilized hash while smaller value
-produces larger, sparser hash.
-.SS nethash
-The nethash set type uses a hash to store different size of
-network addresses. The
-.I
-IP
-"address" used in the ipset commands must be in the form
-.I
-IP-address/cidr-size
-where the CIDR block size must be in the inclusive range of 1-31.
-In order to avoid clashes in the hash 
-double-hashing, and as a last resort, dynamic growing of the hash performed.
-.P
-Options to use when creating an nethash set:
-.TP
-.BR "--hashsize " hashsize
-The initial hash size (default 1024)
-.TP
-.BR "--probes " probes
-How many times try to resolve clashing at adding an IP to the hash 
-by double-hashing (default 4).
-.TP
-.BR "--resize " percent
-Increase the hash size by this many percent (default 50) when adding
-an IP to the hash could not be performed after
-.P
-The nethash type of sets can store up to 65536 entries. If a set is full,
-no new entries can be added to it.
-.P
-An IP address will be in a nethash type of set if it belongs to any of the
-netblocks added to the set. The matching always start from the smallest
-size of netblock (most specific netmask) to the largest ones (least
-specific netmasks). When adding/deleting IP addresses
-to a nethash set by the
-.I
-SET
-netfilter kernel module, it will be added/deleted by the smallest
-netblock size which can be found in the set, or by /31 if the set is empty.
-.P
-The lookup time in a nethash type of set grows approximately linearly 
-with the times of the
-.B
-probes
-parameter and the number of different mask parameters in the hash.
-Otherwise the same speed and memory efficiency comments applies here 
-as at the iphash type.
-.SS ipporthash
-The ipporthash set type uses a hash to store IP address and port pairs.
-In order to avoid clashes in the hash double-hashing, and as a last
-resort, dynamic growing of the hash performed. An ipporthash set can 
-store up to 65536 (B-class network) IP addresses with all possible port
-values. When adding, deleting and testing values in an ipporthash type of
-set, the entries must be specified as
-.B
-"IP,port".
-.P
-The ipporthash types of sets evaluates two src/dst parameters of the 
-.I
-set
-match and 
-.I
-SET
-target. 
-.P
-Options to use when creating an ipporthash set:
-.TP
-.BR "--from " from-IP
-.TP
-.BR "--to " to-IP
-Create an ipporthash set from the specified range.
-.TP
-.BR "--network " IP/mask
-Create an ipporthash set from the specified network.
-.TP
-.BR "--hashsize " hashsize
-The initial hash size (default 1024)
-.TP
-.BR "--probes " probes
-How many times try to resolve clashing at adding an IP to the hash 
-by double-hashing (default 8).
-.TP
-.BR "--resize " percent
-Increase the hash size by this many percent (default 50) when adding
-an IP to the hash could not be performed after
-.B
-probes
-number of double-hashing.
-.P
-The same resizing, speed and memory efficiency comments applies here 
-as at the iphash type.
-.SS ipportiphash
-The ipportiphash set type uses a hash to store IP address,port and IP
-address triples. The first IP address must come form a maximum /16
-sized network or range while the port number and the second IP address
-parameters are arbitrary. When adding, deleting and testing values in an 
-ipportiphash type of set, the entries must be specified as
-.B
-"IP,port,IP".
-.P
-The ipportiphash types of sets evaluates three src/dst parameters of the 
-.I
-set
-match and 
-.I
-SET
-target. 
-.P
-Options to use when creating an ipportiphash set:
-.TP
-.BR "--from " from-IP
-.TP
-.BR "--to " to-IP
-Create an ipportiphash set from the specified range.
-.TP
-.BR "--network " IP/mask
-Create an ipportiphash set from the specified network.
-.TP
-.BR "--hashsize " hashsize
-The initial hash size (default 1024)
-.TP
-.BR "--probes " probes
-How many times try to resolve clashing at adding an IP to the hash 
-by double-hashing (default 8).
-.TP
-.BR "--resize " percent
-Increase the hash size by this many percent (default 50) when adding
-an IP to the hash could not be performed after
-.B
-probes
-number of double-hashing.
-.P
-The same resizing, speed and memory efficiency comments applies here 
-as at the iphash type.
-.SS ipportnethash
-The ipportnethash set type uses a hash to store IP address, port, and
-network address triples. The IP address must come form a maximum /16
-sized network or range while the port number and the network address
-parameters are arbitrary, but the size of the network address must be
-between /1-/31. When adding, deleting 
-and testing values in an ipportnethash type of set, the entries must be
-specified as
-.B
-"IP,port,IP/cidr-size".
-.P
-The ipportnethash types of sets evaluates three src/dst parameters of the 
-.I
-set
-match and 
-.I
-SET
-target. 
-.P
-Options to use when creating an ipportnethash set:
-.TP
-.BR "--from " from-IP
-.TP
-.BR "--to " to-IP
-Create an ipporthash set from the specified range.
-.TP
-.BR "--network " IP/mask
-Create an ipporthash set from the specified network.
-.TP
-.BR "--hashsize " hashsize
-The initial hash size (default 1024)
-.TP
-.BR "--probes " probes
-How many times try to resolve clashing at adding an IP to the hash 
-by double-hashing (default 8).
-.TP
-.BR "--resize " percent
-Increase the hash size by this many percent (default 50) when adding
-an IP to the hash could not be performed after
-.B
-probes
-number of double-hashing.
-.P
-The same resizing, speed and memory efficiency comments applies here 
-as at the iphash type.
-.SS iptree
-The iptree set type uses a tree to store IP addresses, optionally 
-with timeout values.
-.P
-Options to use when creating an iptree set:
-.TP
-.BR "--timeout " value
-The timeout value for the entries in seconds (default 0)
-.P
-If a set was created with a nonzero valued 
-.B "--timeout"
-parameter then one may add IP addresses to the set with a specific 
-timeout value using the syntax 
-.I IP,timeout-value.
-Similarly to the hash types, the iptree type of sets can store up to 65536
-entries.
-.SS iptreemap
-The iptreemap set type uses a tree to store IP addresses or networks, 
-where the last octet of an IP address are stored in a bitmap.
-As input entry, you can add IP addresses, CIDR blocks or network ranges
-to the set. Network ranges can be specified in the format
-.I IP1-IP2
-.P
-Options to use when creating an iptreemap set:
-.TP
-.BR "--gc " value
-How often the garbage collection should be called, in seconds (default 300)
-.SS setlist
-The setlist type uses a simple list in which you can store sets. By the
-.I
-ipset
-command you can add, delete and test sets in a setlist type of set.
-You can specify the sets as
-.B
-"setname[,after|before,setname]".
-By default new sets are added after (appended to) the existing
-elements. Setlist type of sets cannot be added to a setlist type of set.
-.P
-Options to use when creating a setlist type of set:
-.TP
-.BR "--size " size
-Create a setlist type of set with the given size (default 8).
-.P
-By the
-.I
-set
-match or
-.I
-SET
-target of
-.I
-iptables
-you can test, add or delete entries in the sets. The match
-will try to find a matching IP address/port in the sets and 
-the target will try to add the IP address/port to the first set
-to which it can be added. The number of src,dst options of
-the match and target are important: sets which eats more src,dst
-parameters than specified are skipped, while sets with equal
-or less parameters are checked, elements added. For example
-if
-.I
-a
-and
-.I
-b
-are setlist type of sets then in the command
-.TP
-iptables -m set --match-set a src,dst -j SET --add-set b src,dst
-the match and target will skip any set in
-.I a
-and
-.I b
-which stores 
-data triples, but will check all sets with single or double
-data storage in
-.I a
-set and add src to the first single or src,dst to the first double 
-data storage set in
-.I b.
-.P
-You can imagine a setlist type of set as an ordered union of
-the set elements. 
-.SH GENERAL RESTRICTIONS
-Setnames starting with colon (:) cannot be defined. Zero valued set 
-entries cannot be used with hash type of sets.
-.SH COMMENTS
-If you want to store same size subnets from a given network
-(say /24 blocks from a /8 network), use the ipmap set type.
-If you want to store random same size networks (say random /24 blocks), 
-use the iphash set type. If you have got random size of netblocks, 
-use nethash.
-.P
-Old separator tokens (':' and '%") are still accepted.
-.SH DIAGNOSTICS
-Various error messages are printed to standard error.  The exit code
-is 0 for correct functioning.  Errors which appear to be caused by
-invalid or abused command line parameters cause an exit code of 2, and
-other errors cause an exit code of 1.
-.SH BUGS
-Bugs? No, just funny features. :-)
-OK, just kidding...
-.SH SEE ALSO
-.BR iptables (8),
-.SH AUTHORS
-Jozsef Kadlecsik wrote ipset, which is based on ippool by
-Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
-.P
-Sven Wegener wrote the iptreemap type.
-.SH LAST REMARK
-.BR "I stand on the shoulders of giants."

extensions/ipset/ipset.h

@@ -1,205 +0,0 @@
-#ifndef __IPSET_H
-#define __IPSET_H
-
-/* Copyright 2000-2004 Joakim Axelsson (gozem@linux.nu)
- *                     Patrick Schaaf (bof@bof.de)
- *                     Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <getopt.h>			/* struct option */
-#include <stdint.h>
-#include <sys/types.h>
-
-#include "ip_set.h"
-
-#define IPSET_LIB_NAME "/libipset_%s.so"
-#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
-
-#define LIST_TRIES 5
-
-#ifdef IPSET_DEBUG
-extern int option_debug;
-#define DP(format, args...) if (option_debug) 			\
-	do {							\
-		fprintf(stderr, "%s: %s (DBG): ", __FILE__, __FUNCTION__);\
-		fprintf(stderr, format "\n" , ## args);			\
-	} while (0)
-#else
-#define DP(format, args...)
-#endif
-
-/* Commands */
-enum set_commands {
-	CMD_NONE,
-	CMD_CREATE,		/* -N */
-	CMD_DESTROY,		/* -X */
-	CMD_FLUSH,		/* -F */
-	CMD_RENAME,		/* -E */
-	CMD_SWAP,		/* -W */
-	CMD_LIST,		/* -L */
-	CMD_SAVE,		/* -S */
-	CMD_RESTORE,		/* -R */
-	CMD_ADD,		/* -A */
-	CMD_DEL,		/* -D */
-	CMD_TEST,		/* -T */
-	CMD_BIND,		/* -B */
-	CMD_UNBIND,		/* -U */
-	CMD_HELP,		/* -H */
-	CMD_VERSION,		/* -V */
-	NUMBER_OF_CMD = CMD_VERSION,
-	/* Internal commands */
-	CMD_MAX_SETS,
-	CMD_LIST_SIZE,
-	CMD_SAVE_SIZE,
-	CMD_ADT_GET,
-};
-
-enum exittype {
-	OTHER_PROBLEM = 1,
-	PARAMETER_PROBLEM,
-	VERSION_PROBLEM
-};
-
-/* The view of an ipset in userspace */
-struct set {
-	char name[IP_SET_MAXNAMELEN];		/* Name of the set */
-	ip_set_id_t id;				/* Unique set id */
-	ip_set_id_t index;			/* Array index */
-	unsigned ref;				/* References in kernel */
-	struct settype *settype;		/* Pointer to set type functions */
-};
-
-struct settype {
-	struct settype *next;
-
-	char typename[IP_SET_MAXNAMELEN];
-
-	int protocol_version;
-
-	/*
-	 * Create set
-	 */
-
-	/* Size of create data. Will be sent to kernel */
-	u_int32_t create_size;
-
-	/* Initialize the create. */
-	void (*create_init) (void *data);
-
-	/* Function which parses command options; returns true if it ate an option */
-	int (*create_parse) (int c, char *argv[], void *data,
-			     unsigned *flags);
-
-	/* Final check; exit if not ok. */
-	void (*create_final) (void *data, unsigned int flags);
-
-	/* Pointer to list of extra command-line options for create */
-	const struct option *create_opts;
-
-	/*
-	 * Add/del/test IP
-	 */
-
-	/* Size of data. Will be sent to kernel */
-	u_int32_t adt_size;
-
-	/* Function which parses command options */
-	ip_set_ip_t (*adt_parser) (int cmd, const char *optarg, void *data);
-
-	/*
-	 * Printing
-	 */
-
-	/* Size of header. */
-	u_int32_t header_size;
-
-	/* Initialize the type-header */
-	void (*initheader) (struct set *set, const void *data);
-
-	/* Pretty print the type-header */
-	void (*printheader) (struct set *set, unsigned options);
-
-	/* Pretty print all IPs */
-	void (*printips) (struct set *set, void *data, u_int32_t len, unsigned options);
-
-	/* Pretty print all IPs sorted */
-	void (*printips_sorted) (struct set *set, void *data, u_int32_t len, unsigned options);
-
-	/* Print save arguments for creating the set */
-	void (*saveheader) (struct set *set, unsigned options);
-
-	/* Print save for all IPs */
-	void (*saveips) (struct set *set, void *data, u_int32_t len, unsigned options);
-
-	/* Conver a single IP (binding) to string */
-	char * (*bindip_tostring)(struct set *set, ip_set_ip_t ip, unsigned options);
-	
-	/* Parse an IP at restoring bindings. FIXME */
-	void (*bindip_parse) (const char *str, ip_set_ip_t * ip);
-
-	/* Print usage */
-	void (*usage) (void);
-
-	/* Internal data */
-	void *header;
-	void *data;
-	int option_offset;
-	unsigned int flags;
-};
-
-extern void settype_register(struct settype *settype);
-
-/* extern void unregister_settype(set_type_t *set_type); */
-
-extern void exit_error(int status, const char *msg, ...);
-
-extern char *binding_ip_tostring(struct set *set,
-				 ip_set_ip_t ip, unsigned options);
-extern char *ip_tostring(ip_set_ip_t ip, unsigned options);
-extern char *ip_tostring_numeric(ip_set_ip_t ip);
-extern void parse_ip(const char *str, ip_set_ip_t * ip);
-extern void parse_mask(const char *str, ip_set_ip_t * mask);
-extern void parse_ipandmask(const char *str, ip_set_ip_t * ip,
-			    ip_set_ip_t * mask);
-extern char *port_tostring(ip_set_ip_t port, unsigned options);
-extern void parse_port(const char *str, ip_set_ip_t * port);
-extern int string_to_number(const char *str, unsigned int min, unsigned int max,
-		            ip_set_ip_t *port);
-
-extern void *ipset_malloc(size_t size);
-extern char *ipset_strdup(const char *);
-extern void ipset_free(void *data);
-
-extern struct set *set_find_byname(const char *name);
-extern struct set *set_find_byid(ip_set_id_t id);
-
-extern unsigned warn_once;
-
-#define BITS_PER_LONG	(8*sizeof(unsigned long))
-#define BIT_WORD(nr)	((nr) / BITS_PER_LONG)
-
-static inline int test_bit(int nr, const unsigned long *addr)
-{
-	return 1UL & (addr[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG-1)));
-}
-
-#define UNUSED __attribute__ ((unused))
-#define CONSTRUCTOR(module) \
-void __attribute__ ((constructor)) module##_init(void); \
-void module##_init(void)
-
-#endif	/* __IPSET_H */

extensions/ipset/ipset_iphash.c

@@ -1,283 +0,0 @@
-/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <limits.h>			/* UINT_MAX */
-#include <stdio.h>			/* *printf */
-#include <string.h>			/* mem* */
-
-#include "ipset.h"
-
-#include "ip_set_iphash.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_HASHSIZE	0x01U
-#define OPT_CREATE_PROBES	0x02U
-#define OPT_CREATE_RESIZE	0x04U
-#define OPT_CREATE_NETMASK	0x08U
-
-/* Initialize the create. */
-static void
-create_init(void *data)
-{
-	struct ip_set_req_iphash_create *mydata = data;
-
-	DP("create INIT");
-
-	/* Default create parameters */	
-	mydata->hashsize = 1024;
-	mydata->probes = 8;
-	mydata->resize = 50;
-	
-	mydata->netmask = 0xFFFFFFFF;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
-{
-	struct ip_set_req_iphash_create *mydata =
-	    (struct ip_set_req_iphash_create *) data;
-	unsigned int bits;
-	ip_set_ip_t value;
-
-	DP("create_parse");
-
-	switch (c) {
-	case '1':
-
-		if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
-			exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
-
-		*flags |= OPT_CREATE_HASHSIZE;
-
-		DP("--hashsize %u", mydata->hashsize);
-		
-		break;
-
-	case '2':
-
-		if (string_to_number(optarg, 1, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
-
-		mydata->probes = value;
-		*flags |= OPT_CREATE_PROBES;
-
-		DP("--probes %u", mydata->probes);
-		
-		break;
-
-	case '3':
-
-		if (string_to_number(optarg, 0, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
-
-		mydata->resize = value;
-		*flags |= OPT_CREATE_RESIZE;
-
-		DP("--resize %u", mydata->resize);
-		
-		break;
-
-	case '4':
-
-		if (string_to_number(optarg, 0, 32, &bits))
-			exit_error(PARAMETER_PROBLEM, 
-				  "Invalid netmask `%s' specified", optarg);
-		
-		if (bits != 0)
-			mydata->netmask = 0xFFFFFFFF << (32 - bits);
-
-		*flags |= OPT_CREATE_NETMASK;
-
-		DP("--netmask %x", mydata->netmask);
-		
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
-{
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
-	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
-	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
-	{.name = "netmask",	.has_arg = required_argument,	.val = '4'},
-	{NULL},
-};
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
-{
-	struct ip_set_req_iphash *mydata = data;
-
-	parse_ip(arg, &mydata->ip);
-	if (!mydata->ip)
-		exit_error(PARAMETER_PROBLEM,
-			   "Zero valued IP address `%s' specified", arg);
-
-	return mydata->ip;	
-};
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_iphash_create *header = data;
-	struct ip_set_iphash *map = set->settype->header;
-
-	memset(map, 0, sizeof(struct ip_set_iphash));
-	map->hashsize = header->hashsize;
-	map->probes = header->probes;
-	map->resize = header->resize;
-	map->netmask = header->netmask;
-}
-
-static unsigned int
-mask_to_bits(ip_set_ip_t mask)
-{
-	unsigned int bits = 32;
-	ip_set_ip_t maskaddr;
-	
-	if (mask == 0xFFFFFFFF)
-		return bits;
-	
-	maskaddr = 0xFFFFFFFE;
-	while (--bits > 0 && maskaddr != mask)
-		maskaddr <<= 1;
-	
-	return bits;
-}
-
-static void
-printheader(struct set *set, unsigned options UNUSED)
-{
-	struct ip_set_iphash *mysetdata = set->settype->header;
-
-	printf(" hashsize: %u", mysetdata->hashsize);
-	printf(" probes: %u", mysetdata->probes);
-	printf(" resize: %u", mysetdata->resize);
-	if (mysetdata->netmask == 0xFFFFFFFF)
-		printf("\n");
-	else
-		printf(" netmask: %d\n", mask_to_bits(mysetdata->netmask));
-}
-
-static void
-printips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
-{
-	size_t offset = 0;
-	ip_set_ip_t *ip;
-
-	while (offset < len) {
-		ip = data + offset;
-		if (*ip)
-			printf("%s\n", ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
-	}
-}
-
-static void
-saveheader(struct set *set, unsigned options UNUSED)
-{
-	struct ip_set_iphash *mysetdata = set->settype->header;
-
-	printf("-N %s %s --hashsize %u --probes %u --resize %u",
-	       set->name, set->settype->typename,
-	       mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
-	if (mysetdata->netmask == 0xFFFFFFFF)
-		printf("\n");
-	else
-		printf(" --netmask %d\n", mask_to_bits(mysetdata->netmask));
-}
-
-/* Print save for an IP */
-static void
-saveips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
-{
-	size_t offset = 0;
-	ip_set_ip_t *ip;
-
-	while (offset < len) {
-		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
-	}
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set iphash [--hashsize hashsize] [--probes probes ]\n"
-	     "              [--resize resize] [--netmask CIDR-netmask]\n"
-	     "-A set IP\n"
-	     "-D set IP\n"
-	     "-T set IP\n");
-}
-
-static struct settype settype_iphash = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_iphash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_iphash),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_iphash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-	
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse = &parse_ip,
-	
-	.usage = &usage,
-};
-
-CONSTRUCTOR(iphash)
-{
-	settype_register(&settype_iphash);
-
-}

extensions/ipset/ipset_ipmap.c

@@ -1,342 +0,0 @@
-/* Copyright 2000-2004 Joakim Axelsson (gozem@linux.nu)
- *                     Patrick Schaaf (bof@bof.de)
- *                     Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <stdio.h>			/* *printf */
-#include <string.h>			/* mem* */
-
-#include "ipset.h"
-
-#include "ip_set_ipmap.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_FROM    0x01U
-#define OPT_CREATE_TO      0x02U
-#define OPT_CREATE_NETWORK 0x04U
-#define OPT_CREATE_NETMASK 0x08U
-
-#define OPT_ADDDEL_IP      0x01U
-
-/* Initialize the create. */
-static void
-create_init(void *data)
-{
-	struct ip_set_req_ipmap_create *mydata = data;
-
-	DP("create INIT");
-	mydata->netmask = 0xFFFFFFFF;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
-{
-	struct ip_set_req_ipmap_create *mydata = data;
-	unsigned int bits;
-
-	DP("create_parse");
-
-	switch (c) {
-	case '1':
-		parse_ip(optarg, &mydata->from);
-
-		*flags |= OPT_CREATE_FROM;
-
-		DP("--from %x (%s)", mydata->from,
-		   ip_tostring_numeric(mydata->from));
-
-		break;
-
-	case '2':
-		parse_ip(optarg, &mydata->to);
-
-		*flags |= OPT_CREATE_TO;
-
-		DP("--to %x (%s)", mydata->to,
-		   ip_tostring_numeric(mydata->to));
-
-		break;
-
-	case '3':
-		parse_ipandmask(optarg, &mydata->from, &mydata->to);
-
-		/* Make to the last of from + mask */
-		if (mydata->to)
-			mydata->to = mydata->from | ~(mydata->to);
-		else {
-			mydata->from = 0x00000000;
-			mydata->to = 0xFFFFFFFF;
-		}
-		*flags |= OPT_CREATE_NETWORK;
-
-		DP("--network from %x (%s)", 
-		   mydata->from, ip_tostring_numeric(mydata->from));
-		DP("--network to %x (%s)", 
-		   mydata->to, ip_tostring_numeric(mydata->to));
-
-		break;
-
-	case '4':
-		if (string_to_number(optarg, 0, 32, &bits))
-			exit_error(PARAMETER_PROBLEM, 
-				  "Invalid netmask `%s' specified", optarg);
-		
-		if (bits != 0)
-			mydata->netmask = 0xFFFFFFFF << (32 - bits);
-
-		*flags |= OPT_CREATE_NETMASK;
-
-		DP("--netmask %x", mydata->netmask);
-		
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data, unsigned int flags)
-{
-	struct ip_set_req_ipmap_create *mydata = data;
-	ip_set_ip_t range;
-
-	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM,
-			   "Need to specify --from and --to, or --network\n");
-
-	if (flags & OPT_CREATE_NETWORK) {
-		/* --network */
-		if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --from or --to with --network\n");
-	} else {
-		/* --from --to */
-		if ((flags & OPT_CREATE_FROM) == 0
-		    || (flags & OPT_CREATE_TO) == 0)
-			exit_error(PARAMETER_PROBLEM,
-				   "Need to specify both --from and --to\n");
-	}
-
-	DP("from : %x to: %x diff: %x", 
-	   mydata->from, mydata->to,
-	   mydata->to - mydata->from);
-
-	if (mydata->from > mydata->to)
-		exit_error(PARAMETER_PROBLEM,
-			   "From can't be lower than to.\n");
-
-	if (flags & OPT_CREATE_NETMASK) {
-		unsigned int mask_bits, netmask_bits;
-		ip_set_ip_t mask;
-
-		if ((mydata->from & mydata->netmask) != mydata->from)
-			exit_error(PARAMETER_PROBLEM,
-				   "%s is not a network address according to netmask %d\n",
-				   ip_tostring_numeric(mydata->from),
-				   mask_to_bits(mydata->netmask));
-		
-		mask = range_to_mask(mydata->from, mydata->to, &mask_bits);
-		if (!mask
-		    && (mydata->from || mydata->to != 0xFFFFFFFF)) {
-			exit_error(PARAMETER_PROBLEM,
-				   "You have to define a full network with --from"
-				   " and --to if you specify the --network option\n");
-		}
-		netmask_bits = mask_to_bits(mydata->netmask);
-		if (netmask_bits <= mask_bits) {
-			exit_error(PARAMETER_PROBLEM,
-				   "%d netmask specifies larger or equal netblock than the network itself\n");
-		}
-		range = (1<<(netmask_bits - mask_bits)) - 1;
-	} else {
-		range = mydata->to - mydata->from;
-	}
-	if (range > MAX_RANGE)
-		exit_error(PARAMETER_PROBLEM,
-			   "Range too large. Max is %d IPs in range\n",
-			   MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "from",	.has_arg = required_argument,	.val = '1'},
-	{.name = "to",		.has_arg = required_argument,	.val = '2'},
-	{.name = "network",	.has_arg = required_argument,	.val = '3'},
-	{.name = "netmask",	.has_arg = required_argument,	.val = '4'},
-	{NULL},
-};
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
-{
-	struct ip_set_req_ipmap *mydata = data;
-
-	DP("ipmap: %p %p", arg, data);
-
-	parse_ip(arg, &mydata->ip);
-	DP("%s", ip_tostring_numeric(mydata->ip));
-
-	return 1;	
-}
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_ipmap_create *header = data;
-	struct ip_set_ipmap *map = set->settype->header;
-		
-	memset(map, 0, sizeof(struct ip_set_ipmap));
-	map->first_ip = header->from;
-	map->last_ip = header->to;
-	map->netmask = header->netmask;
-
-	if (map->netmask == 0xFFFFFFFF) {
-		map->hosts = 1;
-		map->sizeid = map->last_ip - map->first_ip + 1;
-	} else {
-		unsigned int mask_bits, netmask_bits;
-		ip_set_ip_t mask;
-	
-		mask = range_to_mask(header->from, header->to, &mask_bits);
-		netmask_bits = mask_to_bits(header->netmask);
-
-		DP("bits: %d %d", mask_bits, netmask_bits);
-		map->hosts = 2 << (32 - netmask_bits - 1);
-		map->sizeid = 2 << (netmask_bits - mask_bits - 1);
-	}
-
-	DP("%d %d", map->hosts, map->sizeid );
-}
-
-static void
-printheader(struct set *set, unsigned options)
-{
-	struct ip_set_ipmap *mysetdata = set->settype->header;
-
-	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
-	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
-	if (mysetdata->netmask == 0xFFFFFFFF)
-		printf("\n");
-	else
-		printf(" netmask: %d\n", mask_to_bits(mysetdata->netmask));
-}
-
-static void
-printips_sorted(struct set *set, void *data,
-		u_int32_t len UNUSED, unsigned options)
-{
-	struct ip_set_ipmap *mysetdata = set->settype->header;
-	ip_set_ip_t id;
-
-	for (id = 0; id < mysetdata->sizeid; id++)
-		if (test_bit(id, data))
-			printf("%s\n",
-			       ip_tostring(mysetdata->first_ip
-			       		   + id * mysetdata->hosts,
-					   options));
-}
-
-static void
-saveheader(struct set *set, unsigned options)
-{
-	struct ip_set_ipmap *mysetdata = set->settype->header;
-
-	printf("-N %s %s --from %s",
-	       set->name, set->settype->typename,
-	       ip_tostring(mysetdata->first_ip, options));
-	printf(" --to %s",
-	       ip_tostring(mysetdata->last_ip, options));
-	if (mysetdata->netmask == 0xFFFFFFFF)
-		printf("\n");
-	else
-		printf(" --netmask %d\n",
-		       mask_to_bits(mysetdata->netmask));
-}
-
-static void
-saveips(struct set *set, void *data, u_int32_t len UNUSED, unsigned options)
-{
-	struct ip_set_ipmap *mysetdata = set->settype->header;
-	ip_set_ip_t id;
-
-	DP("%s", set->name);
-	for (id = 0; id < mysetdata->sizeid; id++)
-		if (test_bit(id, data))
-			printf("-A %s %s\n",
-			       set->name,
-			       ip_tostring(mysetdata->first_ip 
-			       		   + id * mysetdata->hosts,
-					   options));
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set ipmap --from IP --to IP [--netmask CIDR-netmask]\n"
-	     "-N set ipmap --network IP/mask [--netmask CIDR-netmask]\n"
-	     "-A set IP\n"
-	     "-D set IP\n"
-	     "-T set IP\n");
-}
-
-static struct settype settype_ipmap = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_ipmap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_ipmap),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_ipmap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-	
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse	= &parse_ip,
-
-	.usage = &usage,
-};
-
-CONSTRUCTOR(ipmap)
-{
-	settype_register(&settype_ipmap);
-
-}

extensions/ipset/ipset_ipporthash.c

@@ -1,370 +0,0 @@
-/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <limits.h>			/* UINT_MAX */
-#include <stdio.h>			/* *printf */
-#include <string.h>			/* mem*, str* */
-
-#include "ipset.h"
-
-#include "ip_set_ipporthash.h"
-
-#define OPT_CREATE_HASHSIZE	0x01U
-#define OPT_CREATE_PROBES	0x02U
-#define OPT_CREATE_RESIZE	0x04U
-#define OPT_CREATE_NETWORK	0x08U
-#define OPT_CREATE_FROM		0x10U
-#define OPT_CREATE_TO		0x20U
-
-/* Initialize the create. */
-static void
-create_init(void *data)
-{
-	struct ip_set_req_ipporthash_create *mydata = data;
-
-	DP("create INIT");
-
-	/* Default create parameters */	
-	mydata->hashsize = 1024;
-	mydata->probes = 8;
-	mydata->resize = 50;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
-{
-	struct ip_set_req_ipporthash_create *mydata = data;
-	ip_set_ip_t value;
-
-	DP("create_parse");
-
-	switch (c) {
-	case '1':
-
-		if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
-			exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
-
-		*flags |= OPT_CREATE_HASHSIZE;
-
-		DP("--hashsize %u", mydata->hashsize);
-		
-		break;
-
-	case '2':
-
-		if (string_to_number(optarg, 1, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
-
-		mydata->probes = value;
-		*flags |= OPT_CREATE_PROBES;
-
-		DP("--probes %u", mydata->probes);
-		
-		break;
-
-	case '3':
-
-		if (string_to_number(optarg, 0, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
-
-		mydata->resize = value;
-		*flags |= OPT_CREATE_RESIZE;
-
-		DP("--resize %u", mydata->resize);
-		
-		break;
-
-	case '4':
-		parse_ip(optarg, &mydata->from);
-
-		*flags |= OPT_CREATE_FROM;
-
-		DP("--from %x (%s)", mydata->from,
-		   ip_tostring_numeric(mydata->from));
-
-		break;
-
-	case '5':
-		parse_ip(optarg, &mydata->to);
-
-		*flags |= OPT_CREATE_TO;
-
-		DP("--to %x (%s)", mydata->to,
-		   ip_tostring_numeric(mydata->to));
-
-		break;
-
-	case '6':
-		parse_ipandmask(optarg, &mydata->from, &mydata->to);
-
-		/* Make to the last of from + mask */
-		if (mydata->to)
-			mydata->to = mydata->from | ~(mydata->to);
-		else {
-			mydata->from = 0x00000000;
-			mydata->to = 0xFFFFFFFF;
-		}
-		*flags |= OPT_CREATE_NETWORK;
-
-		DP("--network from %x (%s)", 
-		   mydata->from, ip_tostring_numeric(mydata->from));
-		DP("--network to %x (%s)", 
-		   mydata->to, ip_tostring_numeric(mydata->to));
-
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data, unsigned int flags)
-{
-	struct ip_set_req_ipporthash_create *mydata = data;
-
-#ifdef IPSET_DEBUG
-	DP("hashsize %u probes %u resize %u",
-	   mydata->hashsize, mydata->probes, mydata->resize);
-#endif
-
-	if (flags & OPT_CREATE_NETWORK) {
-		/* --network */
-		if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --from or --to with --network\n");
-	} else if (flags & (OPT_CREATE_FROM | OPT_CREATE_TO)) {
-		/* --from --to */
-		if (!(flags & OPT_CREATE_FROM) || !(flags & OPT_CREATE_TO))
-			exit_error(PARAMETER_PROBLEM,
-				   "Need to specify both --from and --to\n");
-	} else {
-		exit_error(PARAMETER_PROBLEM,
-			   "Need to specify --from and --to, or --network\n");
-
-	}
-
-	DP("from : %x to: %x diff: %x", 
-	   mydata->from, mydata->to,
-	   mydata->to - mydata->from);
-
-	if (mydata->from > mydata->to)
-		exit_error(PARAMETER_PROBLEM,
-			   "From can't be higher than to.\n");
-
-	if (mydata->to - mydata->from > MAX_RANGE)
-		exit_error(PARAMETER_PROBLEM,
-			   "Range too large. Max is %d IPs in range\n",
-			   MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
-	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
-	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
-	{.name = "from",	.has_arg = required_argument,	.val = '4'},
-	{.name = "to",		.has_arg = required_argument,	.val = '5'},
-	{.name = "network",	.has_arg = required_argument,	.val = '6'},
-	{NULL},
-};
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
-{
-	struct ip_set_req_ipporthash *mydata = data;
-	char *saved = ipset_strdup(arg);
-	char *ptr, *tmp = saved;
-
-	DP("ipporthash: %p %p", arg, data);
-
-	if (((ptr = strchr(tmp, ':')) || (ptr = strchr(tmp, '%'))) && ++warn_once == 1)
-		fprintf(stderr, "Warning: please use ',' separator token between ip,port.\n"
-			        "Next release won't support old separator tokens.\n");
-
-	ptr = strsep(&tmp, ":%,");
-	parse_ip(ptr, &mydata->ip);
-
-	if (tmp)
-		parse_port(tmp, &mydata->port);
-	else
-		exit_error(PARAMETER_PROBLEM,
-			   "IP address and port must be specified: ip,port");
-
-	if (!(mydata->ip || mydata->port))
-		exit_error(PARAMETER_PROBLEM,
-			  "Zero valued IP address and port `%s' specified", arg);
-	ipset_free(saved);
-	return 1;	
-};
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_ipporthash_create *header = data;
-	struct ip_set_ipporthash *map = set->settype->header;
-
-	memset(map, 0, sizeof(struct ip_set_ipporthash));
-	map->hashsize = header->hashsize;
-	map->probes = header->probes;
-	map->resize = header->resize;
-	map->first_ip = header->from;
-	map->last_ip = header->to;
-}
-
-static void
-printheader(struct set *set, unsigned options)
-{
-	struct ip_set_ipporthash *mysetdata = set->settype->header;
-
-	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
-	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
-	printf(" hashsize: %u", mysetdata->hashsize);
-	printf(" probes: %u", mysetdata->probes);
-	printf(" resize: %u\n", mysetdata->resize);
-}
-
-static void
-printips(struct set *set, void *data, u_int32_t len, unsigned options)
-{
-	struct ip_set_ipporthash *mysetdata = set->settype->header;
-	size_t offset = 0;
-	ip_set_ip_t *ipptr, ip;
-	uint16_t port;
-
-	while (offset < len) {
-		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("%s,%s\n", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
-		offset += sizeof(ip_set_ip_t);
-	}
-}
-
-static void
-saveheader(struct set *set, unsigned options)
-{
-	struct ip_set_ipporthash *mysetdata = set->settype->header;
-
-	printf("-N %s %s --from %s",
-	       set->name, set->settype->typename,
-	       ip_tostring(mysetdata->first_ip, options));
-	printf(" --to %s",
-	       ip_tostring(mysetdata->last_ip, options));
-	printf(" --hashsize %u --probes %u --resize %u\n",
-	       mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
-}
-
-/* Print save for an IP */
-static void
-saveips(struct set *set, void *data, u_int32_t len, unsigned options)
-{
-	struct ip_set_ipporthash *mysetdata = set->settype->header;
-	size_t offset = 0;
-	ip_set_ip_t *ipptr, ip;
-	uint16_t port;
-
-	while (offset < len) {
-		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("-A %s %s,%s\n", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
-		offset += sizeof(ip_set_ip_t);
-	}
-}
-
-static char buffer[22];
-
-static char *
-unpack_ipport_tostring(struct set *set, ip_set_ip_t bip, unsigned options)
-{
-	struct ip_set_ipporthash *mysetdata = set->settype->header;
-	ip_set_ip_t ip, port;
-	
-	ip = (bip>>16) + mysetdata->first_ip;
-	port = (uint16_t) bip;
-	sprintf(buffer, "%s,%s", 
-		ip_tostring(ip, options), port_tostring(port, options));
-		
-	return buffer;
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set ipporthash --from IP --to IP\n"
-	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
-	     "-N set ipporthash --network IP/mask\n"
-	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
-	     "-A set IP,port\n"
-	     "-D set IP,port\n"
-	     "-T set IP,port\n");
-}
-
-static struct settype settype_ipporthash = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_ipporthash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_ipporthash),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_ipporthash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-	
-	/* Bindings */
-	.bindip_tostring = &unpack_ipport_tostring,
-	.bindip_parse = &parse_ip,
-	
-	.usage = &usage,
-};
-
-CONSTRUCTOR(ipporthash)
-{
-	settype_register(&settype_ipporthash);
-
-}

extensions/ipset/ipset_ipportiphash.c

@@ -1,361 +0,0 @@
-/* Copyright 2008 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <limits.h>			/* UINT_MAX */
-#include <stdio.h>			/* *printf */
-#include <string.h>			/* mem*, str* */
-
-#include "ipset.h"
-
-#include "ip_set_ipportiphash.h"
-
-#define OPT_CREATE_HASHSIZE	0x01U
-#define OPT_CREATE_PROBES	0x02U
-#define OPT_CREATE_RESIZE	0x04U
-#define OPT_CREATE_NETWORK	0x08U
-#define OPT_CREATE_FROM		0x10U
-#define OPT_CREATE_TO		0x20U
-
-/* Initialize the create. */
-static void
-create_init(void *data)
-{
-	struct ip_set_req_ipportiphash_create *mydata = data;
-
-	DP("create INIT");
-
-	/* Default create parameters */	
-	mydata->hashsize = 1024;
-	mydata->probes = 8;
-	mydata->resize = 50;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
-{
-	struct ip_set_req_ipportiphash_create *mydata = data;
-	ip_set_ip_t value;
-
-	DP("create_parse");
-
-	switch (c) {
-	case '1':
-
-		if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
-			exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
-
-		*flags |= OPT_CREATE_HASHSIZE;
-
-		DP("--hashsize %u", mydata->hashsize);
-		
-		break;
-
-	case '2':
-
-		if (string_to_number(optarg, 1, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
-
-		mydata->probes = value;
-		*flags |= OPT_CREATE_PROBES;
-
-		DP("--probes %u", mydata->probes);
-		
-		break;
-
-	case '3':
-
-		if (string_to_number(optarg, 0, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
-
-		mydata->resize = value;
-		*flags |= OPT_CREATE_RESIZE;
-
-		DP("--resize %u", mydata->resize);
-		
-		break;
-
-	case '4':
-		parse_ip(optarg, &mydata->from);
-
-		*flags |= OPT_CREATE_FROM;
-
-		DP("--from %x (%s)", mydata->from,
-		   ip_tostring_numeric(mydata->from));
-
-		break;
-
-	case '5':
-		parse_ip(optarg, &mydata->to);
-
-		*flags |= OPT_CREATE_TO;
-
-		DP("--to %x (%s)", mydata->to,
-		   ip_tostring_numeric(mydata->to));
-
-		break;
-
-	case '6':
-		parse_ipandmask(optarg, &mydata->from, &mydata->to);
-
-		/* Make to the last of from + mask */
-		if (mydata->to)
-			mydata->to = mydata->from | ~(mydata->to);
-		else {
-			mydata->from = 0x00000000;
-			mydata->to = 0xFFFFFFFF;
-		}
-		*flags |= OPT_CREATE_NETWORK;
-
-		DP("--network from %x (%s)", 
-		   mydata->from, ip_tostring_numeric(mydata->from));
-		DP("--network to %x (%s)", 
-		   mydata->to, ip_tostring_numeric(mydata->to));
-
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data, unsigned int flags)
-{
-	struct ip_set_req_ipportiphash_create *mydata = data;
-
-#ifdef IPSET_DEBUG
-	DP("hashsize %u probes %u resize %u",
-	   mydata->hashsize, mydata->probes, mydata->resize);
-#endif
-
-	if (flags & OPT_CREATE_NETWORK) {
-		/* --network */
-		if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --from or --to with --network\n");
-	} else if (flags & (OPT_CREATE_FROM | OPT_CREATE_TO)) {
-		/* --from --to */
-		if (!(flags & OPT_CREATE_FROM) || !(flags & OPT_CREATE_TO))
-			exit_error(PARAMETER_PROBLEM,
-				   "Need to specify both --from and --to\n");
-	} else {
-		exit_error(PARAMETER_PROBLEM,
-			   "Need to specify --from and --to, or --network\n");
-
-	}
-
-	DP("from : %x to: %x diff: %x", 
-	   mydata->from, mydata->to,
-	   mydata->to - mydata->from);
-
-	if (mydata->from > mydata->to)
-		exit_error(PARAMETER_PROBLEM,
-			   "From can't be higher than to.\n");
-
-	if (mydata->to - mydata->from > MAX_RANGE)
-		exit_error(PARAMETER_PROBLEM,
-			   "Range too large. Max is %d IPs in range\n",
-			   MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
-	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
-	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
-	{.name = "from",	.has_arg = required_argument,	.val = '4'},
-	{.name = "to",		.has_arg = required_argument,	.val = '5'},
-	{.name = "network",	.has_arg = required_argument,	.val = '6'},
-	{NULL},
-};
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
-{
-	struct ip_set_req_ipportiphash *mydata = data;
-	char *saved = ipset_strdup(arg);
-	char *ptr, *tmp = saved;
-
-	DP("ipportiphash: %p %p", arg, data);
-
-	if (((ptr = strchr(tmp, ':')) || (ptr = strchr(tmp, '%'))) && ++warn_once == 1)
-		fprintf(stderr, "Warning: please use ',' separator token between ip,port,ip.\n"
-			        "Next release won't support old separator tokens.\n");
-
-	ptr = strsep(&tmp, ":%,");
-	parse_ip(ptr, &mydata->ip);
-
-	if (!tmp)
-		exit_error(PARAMETER_PROBLEM,
-			   "IP address, port and IP address must be specified: ip,port,ip");
-
-	ptr = strsep(&tmp, ":%,");
-	parse_port(ptr, &mydata->port);
-	if (tmp)
-		parse_ip(tmp, &mydata->ip1);
-	else
-		exit_error(PARAMETER_PROBLEM,
-			   "IP address, port and IP address must be specified: ip,port,ip");
-	if (!(mydata->ip || mydata->port || mydata->ip1))
-		exit_error(PARAMETER_PROBLEM,
-			  "Zero valued IP address, port and IP address `%s' specified", arg);
-	ipset_free(saved);
-	return 1;	
-};
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_ipportiphash_create *header = data;
-	struct ip_set_ipportiphash *map = set->settype->header;
-
-	memset(map, 0, sizeof(struct ip_set_ipportiphash));
-	map->hashsize = header->hashsize;
-	map->probes = header->probes;
-	map->resize = header->resize;
-	map->first_ip = header->from;
-	map->last_ip = header->to;
-}
-
-static void
-printheader(struct set *set, unsigned options)
-{
-	struct ip_set_ipportiphash *mysetdata = set->settype->header;
-
-	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
-	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
-	printf(" hashsize: %u", mysetdata->hashsize);
-	printf(" probes: %u", mysetdata->probes);
-	printf(" resize: %u\n", mysetdata->resize);
-}
-
-static void
-printips(struct set *set, void *data, u_int32_t len, unsigned options)
-{
-	struct ip_set_ipportiphash *mysetdata = set->settype->header;
-	size_t offset = 0;
-	struct ipportip *ipptr;
-	ip_set_ip_t ip;
-	uint16_t port;
-
-	while (offset < len) {
-		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("%s,%s,", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n", 
-			       ip_tostring(ipptr->ip1, options));
-		}
-		offset += sizeof(struct ipportip);
-	}
-}
-
-static void
-saveheader(struct set *set, unsigned options)
-{
-	struct ip_set_ipportiphash *mysetdata = set->settype->header;
-
-	printf("-N %s %s --from %s",
-	       set->name, set->settype->typename,
-	       ip_tostring(mysetdata->first_ip, options));
-	printf(" --to %s",
-	       ip_tostring(mysetdata->last_ip, options));
-	printf(" --hashsize %u --probes %u --resize %u\n",
-	       mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
-}
-
-/* Print save for an IP */
-static void
-saveips(struct set *set, void *data, u_int32_t len, unsigned options)
-{
-	struct ip_set_ipportiphash *mysetdata = set->settype->header;
-	size_t offset = 0;
-	struct ipportip *ipptr;
-	ip_set_ip_t ip;
-	uint16_t port;
-
-	while (offset < len) {
-		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("-A %s %s,%s,", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n",
-			       ip_tostring(ipptr->ip1, options));
-		}
-		offset += sizeof(struct ipportip);
-	}
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set ipportiphash --from IP --to IP\n"
-	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
-	     "-N set ipportiphash --network IP/mask\n"
-	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
-	     "-A set IP,port,IP\n"
-	     "-D set IP,port,IP\n"
-	     "-T set IP,port,IP\n");
-}
-
-static struct settype settype_ipportiphash = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_ipportiphash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_ipportiphash),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_ipportiphash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-	
-	.usage = &usage,
-};
-
-CONSTRUCTOR(ipportiphash)
-{
-	settype_register(&settype_ipportiphash);
-
-}

extensions/ipset/ipset_ipportnethash.c

@@ -1,426 +0,0 @@
-/* Copyright 2008 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <limits.h>			/* UINT_MAX */
-#include <stdio.h>			/* *printf */
-#include <string.h>			/* mem*, str* */
-
-#include "ipset.h"
-
-#include "ip_set_ipportnethash.h"
-
-#define OPT_CREATE_HASHSIZE	0x01U
-#define OPT_CREATE_PROBES	0x02U
-#define OPT_CREATE_RESIZE	0x04U
-#define OPT_CREATE_NETWORK	0x08U
-#define OPT_CREATE_FROM		0x10U
-#define OPT_CREATE_TO		0x20U
-
-/* Initialize the create. */
-static void
-create_init(void *data)
-{
-	struct ip_set_req_ipportnethash_create *mydata = data;
-
-	DP("create INIT");
-
-	/* Default create parameters */	
-	mydata->hashsize = 1024;
-	mydata->probes = 8;
-	mydata->resize = 50;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
-{
-	struct ip_set_req_ipportnethash_create *mydata = data;
-	ip_set_ip_t value;
-
-	DP("create_parse");
-
-	switch (c) {
-	case '1':
-
-		if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
-			exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
-
-		*flags |= OPT_CREATE_HASHSIZE;
-
-		DP("--hashsize %u", mydata->hashsize);
-		
-		break;
-
-	case '2':
-
-		if (string_to_number(optarg, 1, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
-
-		mydata->probes = value;
-		*flags |= OPT_CREATE_PROBES;
-
-		DP("--probes %u", mydata->probes);
-		
-		break;
-
-	case '3':
-
-		if (string_to_number(optarg, 0, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
-
-		mydata->resize = value;
-		*flags |= OPT_CREATE_RESIZE;
-
-		DP("--resize %u", mydata->resize);
-		
-		break;
-
-	case '4':
-		parse_ip(optarg, &mydata->from);
-
-		*flags |= OPT_CREATE_FROM;
-
-		DP("--from %x (%s)", mydata->from,
-		   ip_tostring_numeric(mydata->from));
-
-		break;
-
-	case '5':
-		parse_ip(optarg, &mydata->to);
-
-		*flags |= OPT_CREATE_TO;
-
-		DP("--to %x (%s)", mydata->to,
-		   ip_tostring_numeric(mydata->to));
-
-		break;
-
-	case '6':
-		parse_ipandmask(optarg, &mydata->from, &mydata->to);
-
-		/* Make to the last of from + mask */
-		if (mydata->to)
-			mydata->to = mydata->from | ~(mydata->to);
-		else {
-			mydata->from = 0x00000000;
-			mydata->to = 0xFFFFFFFF;
-		}
-		*flags |= OPT_CREATE_NETWORK;
-
-		DP("--network from %x (%s)", 
-		   mydata->from, ip_tostring_numeric(mydata->from));
-		DP("--network to %x (%s)", 
-		   mydata->to, ip_tostring_numeric(mydata->to));
-
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data, unsigned int flags)
-{
-	struct ip_set_req_ipportnethash_create *mydata = data;
-
-#ifdef IPSET_DEBUG
-	DP("hashsize %u probes %u resize %u",
-	   mydata->hashsize, mydata->probes, mydata->resize);
-#endif
-
-	if (flags & OPT_CREATE_NETWORK) {
-		/* --network */
-		if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --from or --to with --network\n");
-	} else if (flags & (OPT_CREATE_FROM | OPT_CREATE_TO)) {
-		/* --from --to */
-		if (!(flags & OPT_CREATE_FROM) || !(flags & OPT_CREATE_TO))
-			exit_error(PARAMETER_PROBLEM,
-				   "Need to specify both --from and --to\n");
-	} else {
-		exit_error(PARAMETER_PROBLEM,
-			   "Need to specify --from and --to, or --network\n");
-
-	}
-
-	DP("from : %x to: %x diff: %x", 
-	   mydata->from, mydata->to,
-	   mydata->to - mydata->from);
-
-	if (mydata->from > mydata->to)
-		exit_error(PARAMETER_PROBLEM,
-			   "From can't be higher than to.\n");
-
-	if (mydata->to - mydata->from > MAX_RANGE)
-		exit_error(PARAMETER_PROBLEM,
-			   "Range too large. Max is %d IPs in range\n",
-			   MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
-	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
-	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
-	{.name = "from",	.has_arg = required_argument,	.val = '4'},
-	{.name = "to",		.has_arg = required_argument,	.val = '5'},
-	{.name = "network",	.has_arg = required_argument,	.val = '6'},
-	{NULL},
-};
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd, const char *arg, void *data)
-{
-	struct ip_set_req_ipportnethash *mydata = data;
-	char *saved = ipset_strdup(arg);
-	char *ptr, *tmp = saved;
-	ip_set_ip_t cidr;
-
-	DP("ipportnethash: %p %p", arg, data);
-
-	if (((ptr = strchr(tmp, ':')) || (ptr = strchr(tmp, '%'))) && ++warn_once == 1)
-		fprintf(stderr, "Warning: please use ',' separator token between ip,port,net.\n"
-			        "Next release won't support old separator tokens.\n");
-
-	ptr = strsep(&tmp, ":%,");
-	parse_ip(ptr, &mydata->ip);
-	if (!tmp)
-		exit_error(PARAMETER_PROBLEM,
-			   "IP address, port and network address must be specified: ip,port,net");
-
-	ptr = strsep(&tmp, ":%,");
-	parse_port(ptr, &mydata->port);
-	if (!tmp)
-		exit_error(PARAMETER_PROBLEM,
-			   "IP address, port and network address must be specified: ip,port,net");
-
-	ptr = strsep(&tmp, "/");
-	if (tmp == NULL)
-		if (cmd == CMD_TEST)
-			cidr = 32;
-		else
-			exit_error(PARAMETER_PROBLEM,
-				   "Missing /cidr from `%s'", arg);
-	else
-		if (string_to_number(tmp, 1, 31, &cidr))
-			exit_error(PARAMETER_PROBLEM,
-				   "Out of range cidr `%s' specified", arg);
-	
-	mydata->cidr = cidr;
-
-	parse_ip(ptr, &mydata->ip1);
-	ipset_free(saved);
-	return 1;	
-};
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_ipportnethash_create *header = data;
-	struct ip_set_ipportnethash *map = set->settype->header;
-
-	memset(map, 0, sizeof(struct ip_set_ipportnethash));
-	map->hashsize = header->hashsize;
-	map->probes = header->probes;
-	map->resize = header->resize;
-	map->first_ip = header->from;
-	map->last_ip = header->to;
-}
-
-static void
-printheader(struct set *set, unsigned options)
-{
-	struct ip_set_ipportnethash *mysetdata = set->settype->header;
-
-	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
-	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
-	printf(" hashsize: %u", mysetdata->hashsize);
-	printf(" probes: %u", mysetdata->probes);
-	printf(" resize: %u\n", mysetdata->resize);
-}
-
-static char buf[20];
-
-static char *
-unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
-{
-	int i, j = 3;
-	unsigned char a, b;
-
-	ip = htonl(ip);	
-	for (i = 3; i >= 0; i--)
-		if (((unsigned char *)&ip)[i] != 0) {
-			j = i;
-			break;
-		}
-			
-	a = ((unsigned char *)&ip)[j];
-	if (a <= 128) {
-		a = (a - 1) * 2;
-		b = 7;
-	} else if (a <= 192) {
-		a = (a - 129) * 4;
-		b = 6;
-	} else if (a <= 224) {
-		a = (a - 193) * 8;
-		b = 5;
-	} else if (a <= 240) {
-		a = (a - 225) * 16;
-		b = 4;
-	} else if (a <= 248) {
-		a = (a - 241) * 32;
-		b = 3;
-	} else if (a <= 252) {
-		a = (a - 249) * 64;
-		b = 2;
-	} else if (a <= 254) {
-		a = (a - 253) * 128;
-		b = 1;
-	} else {
-		a = b = 0;
-	}
-	((unsigned char *)&ip)[j] = a;
-	b += j * 8;
-	
-	sprintf(buf, "%u.%u.%u.%u/%u",
-		((unsigned char *)&ip)[0],
-		((unsigned char *)&ip)[1],
-		((unsigned char *)&ip)[2],
-		((unsigned char *)&ip)[3],
-		b);
-
-	DP("%s %s", ip_tostring(ntohl(ip), 0), buf);
-	return buf;
-}
-
-static void
-printips(struct set *set, void *data, u_int32_t len, unsigned options)
-{
-	struct ip_set_ipportnethash *mysetdata = set->settype->header;
-	size_t offset = 0;
-	struct ipportip *ipptr;
-	ip_set_ip_t ip;
-	uint16_t port;
-
-	while (offset < len) {
-		ipptr = data + offset;
-		if (ipptr->ip || ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("%s,%s,", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n", 
-			       unpack_ip_tostring(ipptr->ip1, options));
-		}
-		offset += sizeof(struct ipportip);
-	}
-}
-
-static void
-saveheader(struct set *set, unsigned options)
-{
-	struct ip_set_ipportnethash *mysetdata = set->settype->header;
-
-	printf("-N %s %s --from %s",
-	       set->name, set->settype->typename,
-	       ip_tostring(mysetdata->first_ip, options));
-	printf(" --to %s",
-	       ip_tostring(mysetdata->last_ip, options));
-	printf(" --hashsize %u --probes %u --resize %u\n",
-	       mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
-}
-
-/* Print save for an IP */
-static void
-saveips(struct set *set, void *data, u_int32_t len, unsigned options)
-{
-	struct ip_set_ipportnethash *mysetdata = set->settype->header;
-	size_t offset = 0;
-	struct ipportip *ipptr;
-	ip_set_ip_t ip;
-	uint16_t port;
-
-	while (offset < len) {
-		ipptr = data + offset;
-		if (ipptr) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("-A %s %s,%s,", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n",
-			       unpack_ip_tostring(ipptr->ip, options));
-		}
-		offset += sizeof(struct ipportip);
-	}
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set ipportnethash --from IP --to IP\n"
-	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
-	     "-N set ipportnethash --network IP/mask\n"
-	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
-	     "-A set IP,port,IP/net\n"
-	     "-D set IP,port,IP/net\n"
-	     "-T set IP,port,IP[/net]\n");
-}
-
-static struct settype settype_ipportnethash = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_ipportnethash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_ipportnethash),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_ipportnethash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-	
-	.usage = &usage,
-};
-
-CONSTRUCTOR(ipportnethash)
-{
-	settype_register(&settype_ipportnethash);
-
-}

extensions/ipset/ipset_iptree.c

@@ -1,225 +0,0 @@
-/* Copyright 2005 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <limits.h>			/* UINT_MAX */
-#include <stdio.h>			/* *printf */
-#include <string.h>			/* mem* */
-
-#include "ipset.h"
-
-#include "ip_set_iptree.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_TIMEOUT    0x01U
-
-/* Initialize the create. */
-static void
-create_init(void *data)
-{
-	struct ip_set_req_iptree_create *mydata = data;
-
-	DP("create INIT");
-	mydata->timeout = 0;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
-{
-	struct ip_set_req_iptree_create *mydata = data;
-
-	DP("create_parse");
-
-	switch (c) {
-	case '1':
-		string_to_number(optarg, 0, UINT_MAX, &mydata->timeout);
-
-		*flags |= OPT_CREATE_TIMEOUT;
-
-		DP("--timeout %u", mydata->timeout);
-
-		break;
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
-{
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "timeout",	.has_arg = required_argument,	.val = '1'},
-	{NULL},
-};
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
-{
-	struct ip_set_req_iptree *mydata = data;
-	char *saved = ipset_strdup(arg);
-	char *ptr, *tmp = saved;
-
-	DP("iptree: %p %p", arg, data);
-
-	if (((ptr = strchr(tmp, ':')) || (ptr = strchr(tmp, '%'))) && ++warn_once == 1)
-		fprintf(stderr, "Warning: please use ',' separator token between ip,timeout.\n"
-			        "Next release won't support old separator tokens.\n");
-
-	ptr = strsep(&tmp, ":%,");
-	parse_ip(ptr, &mydata->ip);
-
-	if (tmp)
-		string_to_number(tmp, 0, UINT_MAX, &mydata->timeout);
-	else
-		mydata->timeout = 0;	
-
-	ipset_free(saved);
-	return 1;	
-}
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_iptree_create *header = data;
-	struct ip_set_iptree *map = set->settype->header;
-		
-	map->timeout = header->timeout;
-}
-
-static void
-printheader(struct set *set, unsigned options UNUSED)
-{
-	struct ip_set_iptree *mysetdata = set->settype->header;
-
-	if (mysetdata->timeout)
-		printf(" timeout: %u", mysetdata->timeout);
-	printf("\n");
-}
-
-static void
-printips_sorted(struct set *set, void *data, u_int32_t len, unsigned options)
-{
-	struct ip_set_iptree *mysetdata = set->settype->header;
-	struct ip_set_req_iptree *req;
-	size_t offset = 0;
-
-	while (len >= offset + sizeof(struct ip_set_req_iptree)) {
-		req = (struct ip_set_req_iptree *)(data + offset);
-		if (mysetdata->timeout)
-			printf("%s,%u\n", ip_tostring(req->ip, options),
-					  req->timeout);
-		else
-			printf("%s\n", ip_tostring(req->ip, options));
-		offset += sizeof(struct ip_set_req_iptree);
-	}
-}
-
-static void
-saveheader(struct set *set, unsigned options UNUSED)
-{
-	struct ip_set_iptree *mysetdata = set->settype->header;
-
-	if (mysetdata->timeout)
-		printf("-N %s %s --timeout %u\n",
-		       set->name, set->settype->typename,
-		       mysetdata->timeout);
-	else
-		printf("-N %s %s\n",
-		       set->name, set->settype->typename);
-}
-
-static void
-saveips(struct set *set, void *data, u_int32_t len, unsigned options)
-{
-	struct ip_set_iptree *mysetdata = set->settype->header;
-	struct ip_set_req_iptree *req;
-	size_t offset = 0;
-
-	DP("%s", set->name);
-
-	while (len >= offset + sizeof(struct ip_set_req_iptree)) {
-		req = (struct ip_set_req_iptree *)(data + offset);
-		if (mysetdata->timeout)
-			printf("-A %s %s,%u\n",
-				set->name, 
-				ip_tostring(req->ip, options),
-				req->timeout);
-		else
-			printf("-A %s %s\n", 
-				set->name,
-				ip_tostring(req->ip, options));
-		offset += sizeof(struct ip_set_req_iptree);
-	}
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set iptree [--timeout value]\n"
-	     "-A set IP[,timeout]\n"
-	     "-D set IP\n"
-	     "-T set IP\n");
-}
-
-static struct settype settype_iptree = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_iptree_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_iptree),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_iptree),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-	
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse	= &parse_ip,
-
-	.usage = &usage,
-};
-
-CONSTRUCTOR(iptree)
-{
-	settype_register(&settype_iptree);
-
-}

extensions/ipset/ipset_iptreemap.c

@@ -1,210 +0,0 @@
-/* Copyright 2007 Sven Wegener <sven.wegener@stealer.net>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <limits.h>			/* UINT_MAX */
-#include <stdio.h>			/* *printf */
-#include <string.h>			/* mem* */
-
-#include "ipset.h"
-
-#include "ip_set_iptreemap.h"
-
-#define OPT_CREATE_GC 0x1
-
-static void
-create_init(void *data)
-{
-	struct ip_set_req_iptreemap_create *mydata = data;
-
-	mydata->gc_interval = 0;
-}
-
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned int *flags)
-{
-	struct ip_set_req_iptreemap_create *mydata = data;
-
-	switch (c) {
-		case 'g':
-			string_to_number(optarg, 0, UINT_MAX, &mydata->gc_interval);
-
-			*flags |= OPT_CREATE_GC;
-		break;
-		default:
-			return 0;
-		break;
-	}
-
-	return 1;
-}
-
-static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
-{
-}
-
-static const struct option create_opts[] = {
-	{.name = "gc",	.has_arg = required_argument,	.val = 'g'},
-	{NULL},
-};
-
-static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
-{
-	struct ip_set_req_iptreemap *mydata = data;
-	ip_set_ip_t mask;
-
-	char *saved = ipset_strdup(arg);
-	char *ptr, *tmp = saved;
-
-	if (strchr(tmp, '/')) {
-		parse_ipandmask(tmp, &mydata->ip, &mask);
-		mydata->end = mydata->ip | ~mask;
-	} else {
-		if ((ptr = strchr(tmp, ':')) != NULL && ++warn_once == 1)
-			fprintf(stderr, "Warning: please use '-' separator token between IP range.\n"
-			        "Next release won't support old separator token.\n");
-		ptr = strsep(&tmp, "-:");
-		parse_ip(ptr, &mydata->ip);
-
-		if (tmp) {
-			parse_ip(tmp, &mydata->end);
-		} else {
-			mydata->end = mydata->ip;
-		}
-	}
-
-	ipset_free(saved);
-
-	return 1;
-}
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_iptreemap_create *header = data;
-	struct ip_set_iptreemap *map = set->settype->header;
-
-	map->gc_interval = header->gc_interval;
-}
-
-static void
-printheader(struct set *set, unsigned int options UNUSED)
-{
-	struct ip_set_iptreemap *mysetdata = set->settype->header;
-
-	if (mysetdata->gc_interval)
-		printf(" gc: %u", mysetdata->gc_interval);
-
-	printf("\n");
-}
-
-static void
-printips_sorted(struct set *set UNUSED, void *data,
-		u_int32_t len, unsigned int options)
-{
-	struct ip_set_req_iptreemap *req;
-	size_t offset = 0;
-
-	while (len >= offset + sizeof(struct ip_set_req_iptreemap)) {
-		req = data + offset;
-
-		printf("%s", ip_tostring(req->ip, options));
-		if (req->ip != req->end)
-			printf("-%s", ip_tostring(req->end, options));
-		printf("\n");
-
-		offset += sizeof(struct ip_set_req_iptreemap);
-	}
-}
-
-static void
-saveheader(struct set *set, unsigned int options UNUSED)
-{
-	struct ip_set_iptreemap *mysetdata = set->settype->header;
-
-	printf("-N %s %s", set->name, set->settype->typename);
-
-	if (mysetdata->gc_interval)
-		printf(" --gc %u", mysetdata->gc_interval);
-
-	printf("\n");
-}
-
-static void
-saveips(struct set *set UNUSED, void *data,
-	u_int32_t len, unsigned int options)
-{
-	struct ip_set_req_iptreemap *req;
-	size_t offset = 0;
-
-	while (len >= offset + sizeof(struct ip_set_req_iptreemap)) {
-		req = data + offset;
-
-		printf("-A %s %s", set->name, ip_tostring(req->ip, options));
-
-		if (req->ip != req->end)
-			printf("-%s", ip_tostring(req->end, options));
-
-		printf("\n");
-
-		offset += sizeof(struct ip_set_req_iptreemap);
-	}
-}
-
-static void
-usage(void)
-{
-	printf(
-		"-N set iptreemap --gc interval\n"
-		"-A set IP\n"
-		"-D set IP\n"
-		"-T set IP\n"
-	);
-}
-
-static struct settype settype_iptreemap = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	.create_size = sizeof(struct ip_set_req_iptreemap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	.adt_size = sizeof(struct ip_set_req_iptreemap),
-	.adt_parser = &adt_parser,
-
-	.header_size = sizeof(struct ip_set_iptreemap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse = &parse_ip,
-
-	.usage = &usage,
-};
-
-CONSTRUCTOR(iptreemap)
-{
-	settype_register(&settype_iptreemap);
-}

extensions/ipset/ipset_macipmap.c

@@ -1,345 +0,0 @@
-/* Copyright 2000, 2001, 2002 Joakim Axelsson (gozem@linux.nu)
- *                            Patrick Schaaf (bof@bof.de)
- *                            Martin Josefsson (gandalf@wlug.westbo.se)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-
-#include <stdio.h>			/* *printf */
-#include <stdlib.h>			/* mem* */
-#include <string.h>			/* str* */
-#include <net/ethernet.h>		/* ETH_ALEN */
-
-#include "ipset.h"
-
-#include "ip_set_macipmap.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_FROM    0x01U
-#define OPT_CREATE_TO      0x02U
-#define OPT_CREATE_NETWORK 0x04U
-#define OPT_CREATE_MATCHUNSET	0x08U
-
-#define OPT_ADDDEL_IP      0x01U
-#define OPT_ADDDEL_MAC     0x02U
-
-/* Initialize the create. */
-static void
-create_init(void *data UNUSED)
-{
-	DP("create INIT");
-	/* Nothing */
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
-{
-	struct ip_set_req_macipmap_create *mydata = data;
-
-	DP("create_parse");
-
-	switch (c) {
-	case '1':
-		parse_ip(optarg, &mydata->from);
-
-		*flags |= OPT_CREATE_FROM;
-
-		DP("--from %x (%s)", mydata->from,
-		   ip_tostring_numeric(mydata->from));
-
-		break;
-
-	case '2':
-		parse_ip(optarg, &mydata->to);
-
-		*flags |= OPT_CREATE_TO;
-
-		DP("--to %x (%s)", mydata->to,
-		   ip_tostring_numeric(mydata->to));
-
-		break;
-
-	case '3':
-		parse_ipandmask(optarg, &mydata->from, &mydata->to);
-
-		/* Make to the last of from + mask */
-		mydata->to = mydata->from | (~mydata->to);
-
-		*flags |= OPT_CREATE_NETWORK;
-
-		DP("--network from %x (%s)", 
-		   mydata->from, ip_tostring_numeric(mydata->from));
-		DP("--network to %x (%s)", 
-		   mydata->to, ip_tostring_numeric(mydata->to));
-
-		break;
-
-	case '4':
-		mydata->flags |= IPSET_MACIP_MATCHUNSET;
-
-		*flags |= OPT_CREATE_MATCHUNSET;
-
-		DP("--matchunset");
-
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data, unsigned int flags)
-{
-	struct ip_set_req_macipmap_create *mydata = data;
-
-	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM,
-			   "Need to specify --from and --to, or --network\n");
-
-	if (flags & OPT_CREATE_NETWORK) {
-		/* --network */
-		if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --from or --to with --network\n");
-	} else {
-		/* --from --to */
-		if ((flags & OPT_CREATE_FROM) == 0
-		    || (flags & OPT_CREATE_TO) == 0)
-			exit_error(PARAMETER_PROBLEM,
-				   "Need to specify both --from and --to\n");
-	}
-
-
-	DP("from : %x to: %x  diff: %d  match unset: %d", mydata->from,
-	   mydata->to, mydata->to - mydata->from,
-	   flags & OPT_CREATE_MATCHUNSET);
-
-	if (mydata->from > mydata->to)
-		exit_error(PARAMETER_PROBLEM,
-			   "From can't be lower than to.\n");
-
-	if (mydata->to - mydata->from > MAX_RANGE)
-		exit_error(PARAMETER_PROBLEM,
-			   "Range too large. Max is %d IPs in range\n",
-			   MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "from",	.has_arg = required_argument,	.val = '1'},
-	{.name = "to",		.has_arg = required_argument,	.val = '2'},
-	{.name = "network",	.has_arg = required_argument,	.val = '3'},
-	{.name = "matchunset",	.has_arg = no_argument,		.val = '4'},
-	{NULL},
-};
-
-static void
-parse_mac(const char *mac, unsigned char *ethernet)
-{
-	unsigned int i = 0;
-
-	if (strlen(mac) != ETH_ALEN * 3 - 1)
-		exit_error(PARAMETER_PROBLEM, "Bad mac address `%s'", mac);
-
-	for (i = 0; i < ETH_ALEN; i++) {
-		long number;
-		char *end;
-
-		number = strtol(mac + i * 3, &end, 16);
-
-		if (end == mac + i * 3 + 2 && number >= 0 && number <= 255)
-			ethernet[i] = number;
-		else
-			exit_error(PARAMETER_PROBLEM,
-				   "Bad mac address `%s'", mac);
-	}
-}
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
-{
-	struct ip_set_req_macipmap *mydata = data;
-	char *saved = ipset_strdup(arg);
-	char *ptr, *tmp = saved;
-
-	DP("macipmap: %p %p", arg, data);
-
-	ptr = strsep(&tmp, ",");
-	if (!tmp) {
-		tmp = saved;
-		ptr = strsep(&tmp, ":%");	
-		if (tmp && ++warn_once == 1)
-			fprintf(stderr, "Warning: please use ',' separator token between ip,mac.\n"
-				        "Next release won't support old separator tokens.\n");
-	}
-	parse_ip(ptr, &mydata->ip);
-
-	if (tmp)
-		parse_mac(tmp, mydata->ethernet);
-	else
-		memset(mydata->ethernet, 0, ETH_ALEN);	
-
-	free(saved);
-
-	return 1;	
-}
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_macipmap_create *header = data;
-	struct ip_set_macipmap *map = set->settype->header;
-
-	memset(map, 0, sizeof(struct ip_set_macipmap));
-	map->first_ip = header->from;
-	map->last_ip = header->to;
-	map->flags = header->flags;
-}
-
-static void
-printheader(struct set *set, unsigned options)
-{
-	struct ip_set_macipmap *mysetdata = set->settype->header;
-
-	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
-	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
-
-	if (mysetdata->flags & IPSET_MACIP_MATCHUNSET)
-		printf(" matchunset");
-	printf("\n");
-}
-
-static void
-print_mac(unsigned char macaddress[ETH_ALEN])
-{
-	unsigned int i;
-
-	printf("%02X", macaddress[0]);
-	for (i = 1; i < ETH_ALEN; i++)
-		printf(":%02X", macaddress[i]);
-}
-
-static void
-printips_sorted(struct set *set, void *data,
-		u_int32_t len UNUSED, unsigned options)
-{
-	struct ip_set_macipmap *mysetdata = set->settype->header;
-	struct ip_set_macip *table = data;
-	u_int32_t addr = mysetdata->first_ip;
-
-	while (addr <= mysetdata->last_ip) {
-		if (table[addr - mysetdata->first_ip].match) {
-			printf("%s,", ip_tostring(addr, options));
-			print_mac(table[addr - mysetdata->first_ip].
-				  ethernet);
-			printf("\n");
-		}
-		addr++;
-	}
-}
-
-static void
-saveheader(struct set *set, unsigned options)
-{
-	struct ip_set_macipmap *mysetdata = set->settype->header;
-
-	printf("-N %s %s --from %s",
-	       set->name, set->settype->typename,
-	       ip_tostring(mysetdata->first_ip, options));
-	printf(" --to %s", ip_tostring(mysetdata->last_ip, options));
-
-	if (mysetdata->flags & IPSET_MACIP_MATCHUNSET)
-		printf(" --matchunset");
-	printf("\n");
-}
-
-static void
-saveips(struct set *set, void *data,
-	u_int32_t len UNUSED, unsigned options)
-{
-	struct ip_set_macipmap *mysetdata = set->settype->header;
-	struct ip_set_macip *table = data;
-	u_int32_t addr = mysetdata->first_ip;
-
-	while (addr <= mysetdata->last_ip) {
-		if (table[addr - mysetdata->first_ip].match) {
-			printf("-A %s %s,",
-			       set->name, ip_tostring(addr, options));
-			print_mac(table[addr - mysetdata->first_ip].
-				  ethernet);
-			printf("\n");
-		}
-		addr++;
-	}
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set macipmap --from IP --to IP [--matchunset]\n"
-	     "-N set macipmap --network IP/mask [--matchunset]\n"
-	     "-A set IP[,MAC]\n"
-	     "-D set IP[,MAC]\n"
-	     "-T set IP[,MAC]\n");
-}
-
-static struct settype settype_macipmap = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_macipmap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_macipmap),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_macipmap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse = &parse_ip,
-
-	.usage = &usage,
-};
-
-CONSTRUCTOR(macipmap)
-{
-	settype_register(&settype_macipmap);
-
-}

extensions/ipset/ipset_nethash.c

@@ -1,340 +0,0 @@
-/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <limits.h>			/* UINT_MAX */
-#include <stdio.h>			/* *printf */
-#include <string.h>			/* mem*, str* */
-
-#include "ipset.h"
-
-#include "ip_set_nethash.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_HASHSIZE	0x01U
-#define OPT_CREATE_PROBES	0x02U
-#define OPT_CREATE_RESIZE	0x04U
-
-/* Initialize the create. */
-static void
-create_init(void *data)
-{
-	struct ip_set_req_nethash_create *mydata = data;
-
-	DP("create INIT");
-
-	/* Default create parameters */	
-	mydata->hashsize = 1024;
-	mydata->probes = 4;
-	mydata->resize = 50;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
-{
-	struct ip_set_req_nethash_create *mydata = data;
-	ip_set_ip_t value;
-
-	DP("create_parse");
-
-	switch (c) {
-	case '1':
-
-		if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
-			exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
-
-		*flags |= OPT_CREATE_HASHSIZE;
-
-		DP("--hashsize %u", mydata->hashsize);
-		
-		break;
-
-	case '2':
-
-		if (string_to_number(optarg, 1, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
-
-		mydata->probes = value;
-		*flags |= OPT_CREATE_PROBES;
-
-		DP("--probes %u", mydata->probes);
-		
-		break;
-
-	case '3':
-
-		if (string_to_number(optarg, 0, 65535, &value))
-			exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
-
-		mydata->resize = value;
-		*flags |= OPT_CREATE_RESIZE;
-
-		DP("--resize %u", mydata->resize);
-		
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
-{
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
-	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
-	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
-	{NULL},
-};
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd, const char *arg, void *data)
-{
-	struct ip_set_req_nethash *mydata = data;
-	char *saved = ipset_strdup(arg);
-	char *ptr, *tmp = saved;
-	ip_set_ip_t cidr;
-
-	ptr = strsep(&tmp, "/");
-	
-	if (tmp == NULL) {
-		if (cmd == CMD_TEST)
-			cidr = 32;
-		else
-			exit_error(PARAMETER_PROBLEM,
-				   "Missing cidr from `%s'", arg);
-	} else
-		if (string_to_number(tmp, 1, 31, &cidr))
-			exit_error(PARAMETER_PROBLEM,
-				   "Out of range cidr `%s' specified", arg);
-	
-	mydata->cidr = cidr;
-	parse_ip(ptr, &mydata->ip);
-#if 0
-	if (!mydata->ip)
-		exit_error(PARAMETER_PROBLEM,
-			  "Zero valued IP address `%s' specified", ptr);
-#endif
-	ipset_free(saved);
-
-	return 1;	
-};
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_nethash_create *header = data;
-	struct ip_set_nethash *map = set->settype->header;
-
-	memset(map, 0, sizeof(struct ip_set_nethash));
-	map->hashsize = header->hashsize;
-	map->probes = header->probes;
-	map->resize = header->resize;
-}
-
-static void
-printheader(struct set *set, unsigned options UNUSED)
-{
-	struct ip_set_nethash *mysetdata = set->settype->header;
-
-	printf(" hashsize: %u", mysetdata->hashsize);
-	printf(" probes: %u", mysetdata->probes);
-	printf(" resize: %u\n", mysetdata->resize);
-}
-
-static char buf[20];
-
-static char *
-unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
-{
-	int i, j = 3;
-	unsigned char a, b;
-
-	ip = htonl(ip);	
-	for (i = 3; i >= 0; i--)
-		if (((unsigned char *)&ip)[i] != 0) {
-			j = i;
-			break;
-		}
-			
-	a = ((unsigned char *)&ip)[j];
-	if (a <= 128) {
-		a = (a - 1) * 2;
-		b = 7;
-	} else if (a <= 192) {
-		a = (a - 129) * 4;
-		b = 6;
-	} else if (a <= 224) {
-		a = (a - 193) * 8;
-		b = 5;
-	} else if (a <= 240) {
-		a = (a - 225) * 16;
-		b = 4;
-	} else if (a <= 248) {
-		a = (a - 241) * 32;
-		b = 3;
-	} else if (a <= 252) {
-		a = (a - 249) * 64;
-		b = 2;
-	} else if (a <= 254) {
-		a = (a - 253) * 128;
-		b = 1;
-	} else {
-		a = b = 0;
-	}
-	((unsigned char *)&ip)[j] = a;
-	b += j * 8;
-	
-	sprintf(buf, "%u.%u.%u.%u/%u",
-		((unsigned char *)&ip)[0],
-		((unsigned char *)&ip)[1],
-		((unsigned char *)&ip)[2],
-		((unsigned char *)&ip)[3],
-		b);
-
-	DP("%s %s", ip_tostring(ntohl(ip), 0), buf);
-	return buf;
-}
-
-static void
-printips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
-{
-	size_t offset = 0;
-	ip_set_ip_t *ip;
-
-	while (offset < len) {
-		ip = data + offset;
-		if (*ip)
-			printf("%s\n", unpack_ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
-	}
-}
-
-static void
-saveheader(struct set *set, unsigned options UNUSED)
-{
-	struct ip_set_nethash *mysetdata = set->settype->header;
-
-	printf("-N %s %s --hashsize %u --probes %u --resize %u\n",
-	       set->name, set->settype->typename,
-	       mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
-}
-
-/* Print save for an IP */
-static void
-saveips(struct set *set UNUSED, void *data, u_int32_t len, unsigned options)
-{
-	size_t offset = 0;
-	ip_set_ip_t *ip;
-
-	while (offset < len) {
-		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       unpack_ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
-	}
-}
-
-static char *
-net_tostring(struct set *set UNUSED, ip_set_ip_t ip, unsigned options)
-{
-	return unpack_ip_tostring(ip, options);
-}
-
-static void
-parse_net(const char *str, ip_set_ip_t *ip)
-{
-	char *saved = ipset_strdup(str);
-	char *ptr, *tmp = saved;
-	ip_set_ip_t cidr;
-
-	ptr = strsep(&tmp, "/");
-	
-	if (tmp == NULL)
-		exit_error(PARAMETER_PROBLEM,
-			   "Missing cidr from `%s'", str);
-
-	if (string_to_number(tmp, 1, 31, &cidr))
-		exit_error(PARAMETER_PROBLEM,
-			   "Out of range cidr `%s' specified", str);
-	
-	parse_ip(ptr, ip);
-	ipset_free(saved);
-	
-	*ip = pack_ip_cidr(*ip, cidr);
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set nethash [--hashsize hashsize] [--probes probes ]\n"
-	     "               [--resize resize]\n"
-	     "-A set IP/cidr\n"
-	     "-D set IP/cidr\n"
-	     "-T set IP/cidr\n");
-}
-
-static struct settype settype_nethash = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_nethash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_nethash),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_nethash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-	
-	/* Bindings */
-	.bindip_tostring = &net_tostring,
-	.bindip_parse = &parse_net,
-
-	.usage = &usage,
-};
-
-CONSTRUCTOR(nethash)
-{
-	settype_register(&settype_nethash);
-
-}

extensions/ipset/ipset_portmap.c

@@ -1,245 +0,0 @@
-/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-
-#include <stdio.h>			/* *printf */
-#include <string.h>			/* mem* */
-
-#include "ipset.h"
-
-#include "ip_set_portmap.h"
-
-#define BUFLEN 30;
-
-#define OPT_CREATE_FROM    0x01U
-#define OPT_CREATE_TO      0x02U
-
-#define OPT_ADDDEL_PORT      0x01U
-
-/* Initialize the create. */
-static void
-create_init(void *data UNUSED)
-{
-	DP("create INIT");
-	/* Nothing */
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
-{
-	struct ip_set_req_portmap_create *mydata = data;
-
-	DP("create_parse");
-
-	switch (c) {
-	case '1':
-		parse_port(optarg, &mydata->from);
-
-		*flags |= OPT_CREATE_FROM;
-
-		DP("--from %x (%s)", mydata->from,
-		   port_tostring(mydata->from, 0));
-
-		break;
-
-	case '2':
-		parse_port(optarg, &mydata->to);
-
-		*flags |= OPT_CREATE_TO;
-
-		DP("--to %x (%s)", mydata->to,
-		   port_tostring(mydata->to, 0));
-
-		break;
-
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data, unsigned int flags)
-{
-	struct ip_set_req_portmap_create *mydata = data;
-
-	if (flags == 0) {
-		exit_error(PARAMETER_PROBLEM,
-			   "Need to specify --from and --to\n");
-	} else {
-		/* --from --to */
-		if ((flags & OPT_CREATE_FROM) == 0
-		    || (flags & OPT_CREATE_TO) == 0)
-			exit_error(PARAMETER_PROBLEM,
-				   "Need to specify both --from and --to\n");
-	}
-
-	DP("from : %x to: %x  diff: %d", mydata->from, mydata->to,
-	   mydata->to - mydata->from);
-
-	if (mydata->from > mydata->to)
-		exit_error(PARAMETER_PROBLEM,
-			   "From can't be lower than to.\n");
-
-	if (mydata->to - mydata->from > MAX_RANGE)
-		exit_error(PARAMETER_PROBLEM,
-			   "Range too large. Max is %d ports in range\n",
-			   MAX_RANGE+1);
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "from",	.has_arg = required_argument,	.val = '1'},
-	{.name = "to",		.has_arg = required_argument,	.val = '2'},
-	{NULL},
-};
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
-{
-	struct ip_set_req_portmap *mydata = data;
-
-	parse_port(arg, &mydata->ip);
-	DP("%s", port_tostring(mydata->ip, 0));
-
-	return 1;	
-}
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_portmap_create *header = data;
-	struct ip_set_portmap *map = set->settype->header;
-
-	memset(map, 0, sizeof(struct ip_set_portmap));
-	map->first_ip = header->from;
-	map->last_ip = header->to;
-}
-
-static void
-printheader(struct set *set, unsigned options)
-{
-	struct ip_set_portmap *mysetdata = set->settype->header;
-
-	printf(" from: %s", port_tostring(mysetdata->first_ip, options));
-	printf(" to: %s\n", port_tostring(mysetdata->last_ip, options));
-}
-
-static void
-printports_sorted(struct set *set, void *data,
-		  u_int32_t len UNUSED, unsigned options)
-{
-	struct ip_set_portmap *mysetdata = set->settype->header;
-	u_int32_t addr = mysetdata->first_ip;
-
-	DP("%u -- %u", mysetdata->first_ip, mysetdata->last_ip);
-	while (addr <= mysetdata->last_ip) {
-		if (test_bit(addr - mysetdata->first_ip, data))
-			printf("%s\n", port_tostring(addr, options));
-		addr++;
-	}
-}
-
-static char *
-binding_port_tostring(struct set *set UNUSED,
-		      ip_set_ip_t ip, unsigned options)
-{
-	return port_tostring(ip, options);
-}
-
-static void
-saveheader(struct set *set, unsigned options)
-{
-	struct ip_set_portmap *mysetdata = set->settype->header;
-
-	printf("-N %s %s --from %s", 
-	       set->name,
-	       set->settype->typename,
-	       port_tostring(mysetdata->first_ip, options));
-	printf(" --to %s\n", 
-	       port_tostring(mysetdata->last_ip, options));
-}
-
-static void
-saveports(struct set *set, void *data,
-	  u_int32_t len UNUSED, unsigned options)
-{
-	struct ip_set_portmap *mysetdata = set->settype->header;
-	u_int32_t addr = mysetdata->first_ip;
-
-	while (addr <= mysetdata->last_ip) {
-		if (test_bit(addr - mysetdata->first_ip, data))
-			printf("-A %s %s\n",
-			       set->name,
-			       port_tostring(addr, options));
-		addr++;
-	}
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set portmap --from PORT --to PORT\n"
-	     "-A set PORT\n"
-	     "-D set PORT\n"
-	     "-T set PORT\n");
-}
-
-static struct settype settype_portmap = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_portmap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_portmap),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_portmap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printports_sorted,	/* We only have sorted version */
-	.printips_sorted = &printports_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveports,
-	
-	/* Bindings */
-	.bindip_tostring = &binding_port_tostring,
-	.bindip_parse = &parse_port,
-
-	.usage = &usage,
-};
-
-CONSTRUCTOR(portmap)
-{
-	settype_register(&settype_portmap);
-
-}

extensions/ipset/ipset_setlist.c

@@ -1,221 +0,0 @@
-/* Copyright 2008 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- *
- * This program is free software; you can redistribute it and/or modify   
- * it under the terms of the GNU General Public License as published by   
- * the Free Software Foundation; either version 2 of the License, or      
- * (at your option) any later version.                                    
- *                                                                         
- * This program is distributed in the hope that it will be useful,        
- * but WITHOUT ANY WARRANTY; without even the implied warranty of         
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
- * GNU General Public License for more details.                           
- *                                                                         
- * You should have received a copy of the GNU General Public License      
- * along with this program; if not, write to the Free Software            
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include "ip_set_setlist.h"
-#include "ipset.h"
-
-/* Initialize the create. */
-static void
-create_init(void *data)
-{
-	struct ip_set_req_setlist_create *mydata = data;
-	
-	mydata->size = 8;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags UNUSED)
-{
-	struct ip_set_req_setlist_create *mydata = data;
-	unsigned int size;
-	
-	switch (c) {
-	case '1':
-		if (string_to_number(optarg, 1, 255, &size))
-			exit_error(PARAMETER_PROBLEM,
-				   "Invalid size '%s specified: must be "
-				   "between 1-255", optarg);
-		mydata->size = size;
-		break;
-	default:
-		return 0;
-	}
-	return 1;
-}
-
-/* Final check; exit if not ok. */
-static void
-create_final(void *data UNUSED, unsigned int flags UNUSED)
-{
-}
-
-/* Create commandline options */
-static const struct option create_opts[] = {
-	{.name = "size",	.has_arg = required_argument,	.val = '1'},
-	{NULL},
-};
-
-static void check_setname(const char *name)
-{
-	if (strlen(name) > IP_SET_MAXNAMELEN - 1)
-		exit_error(PARAMETER_PROBLEM,
-			"Setname %s is longer than %d characters.",
-			name, IP_SET_MAXNAMELEN - 1);
-}
-
-/* Add, del, test parser */
-static ip_set_ip_t
-adt_parser(int cmd UNUSED, const char *arg, void *data)
-{
-	struct ip_set_req_setlist *mydata = data;
-	char *saved = ipset_strdup(arg);
-	char *ptr, *tmp = saved;
-	
-	DP("setlist: %p %p", arg, data);
-
-	ptr = strsep(&tmp, ",");
-	check_setname(ptr);
-	strcpy(mydata->name, ptr);
-	
-	if (!tmp) {
-		mydata->before = 0;
-		mydata->ref[0] = '\0';
-		return 1;
-	}
-	
-	ptr = strsep(&tmp, ",");
-	
-	if (tmp == NULL || !(strcmp(ptr, "before") == 0 || strcmp(ptr, "after") == 0))
-		exit_error(PARAMETER_PROBLEM,
-			"Syntax error, you must specify elements as setname,[before|after],setname");
-
-	check_setname(tmp);
-	strcpy(mydata->ref, tmp);
-	mydata->before = !strcmp(ptr, "before");
-
-	free(saved);
-
-	return 1;	
-}
-
-/*
- * Print and save
- */
-
-static void
-initheader(struct set *set, const void *data)
-{
-	const struct ip_set_req_setlist_create *header = data;
-	struct ip_set_setlist *map = set->settype->header;
-		
-	memset(map, 0, sizeof(struct ip_set_setlist));
-	map->size = header->size;
-}
-
-static void
-printheader(struct set *set, unsigned options UNUSED)
-{
-	struct ip_set_setlist *mysetdata = set->settype->header;
-
-	printf(" size: %u\n", mysetdata->size);
-}
-
-static void
-printips_sorted(struct set *set, void *data,
-		u_int32_t len UNUSED, unsigned options UNUSED)
-{
-	struct ip_set_setlist *mysetdata = set->settype->header;
-	int i;
-	ip_set_id_t id;
-	struct set *elem;
-
-	for (i = 0; i < mysetdata->size; i++ ) {
-		id = *((ip_set_id_t *)data + i);
-		if (id == IP_SET_INVALID_ID)
-			return;
-		elem = set_find_byid(id);
-		printf("%s\n", elem->name);
-	}
-}
-
-static void
-saveheader(struct set *set, unsigned options UNUSED)
-{
-	struct ip_set_setlist *mysetdata = set->settype->header;
-
-	printf("-N %s %s --size %u\n",
-	       set->name, set->settype->typename,
-	       mysetdata->size);
-}
-
-static void
-saveips(struct set *set, void *data,
-	u_int32_t len UNUSED, unsigned options UNUSED)
-{
-	struct ip_set_setlist *mysetdata = set->settype->header;
-	int i;
-	ip_set_id_t id;
-	struct set *elem;
-
-	for (i = 0; i < mysetdata->size; i++ ) {
-		id = *((ip_set_id_t *)data + i);
-		if (id == IP_SET_INVALID_ID)
-			return;
-		elem = set_find_byid(id);
-		printf("-A %s %s\n", set->name, elem->name);
-	}
-}
-
-static void usage(void)
-{
-	printf
-	    ("-N set setlist --size size\n"
-	     "-A set setname[,before|after,setname]\n"
-	     "-D set setname\n"
-	     "-T set setname\n");
-}
-
-static struct settype settype_setlist = {
-	.typename = SETTYPE_NAME,
-	.protocol_version = IP_SET_PROTOCOL_VERSION,
-
-	/* Create */
-	.create_size = sizeof(struct ip_set_req_setlist_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
-	.create_opts = create_opts,
-
-	/* Add/del/test */
-	.adt_size = sizeof(struct ip_set_req_setlist),
-	.adt_parser = &adt_parser,
-
-	/* Printing */
-	.header_size = sizeof(struct ip_set_setlist),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
-	
-	.usage = &usage,
-};
-
-CONSTRUCTOR(setlist)
-{
-	settype_register(&settype_setlist);
-
-}

extensions/ipset/ipt_SET.c

@@ -1,138 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- *                         Patrick Schaaf <bof@bof.de>
- *                         Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* ipt_SET.c - netfilter target to manipulate IP sets */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-#include <linux/version.h>
-
-#include <linux/netfilter_ipv4.h>
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
-#include <linux/netfilter_ipv4/ip_tables.h>
-#define xt_register_target	ipt_register_target
-#define xt_unregister_target	ipt_unregister_target
-#define xt_target		ipt_target
-#define XT_CONTINUE		IPT_CONTINUE
-#else
-#include <linux/netfilter/x_tables.h>
-#endif
-#include "ipt_set.h"
-#include "../compat_xtables.h"
-
-static unsigned int
-target(struct sk_buff **pskb, const struct xt_target_param *par)
-{
-	const struct ipt_set_info_target *info = par->targinfo;
-
-	if (info->add_set.index != IP_SET_INVALID_ID)
-		ip_set_addip_kernel(info->add_set.index,
-				    *pskb,
-				    info->add_set.flags);
-	if (info->del_set.index != IP_SET_INVALID_ID)
-		ip_set_delip_kernel(info->del_set.index,
-				    *pskb,
-				    info->del_set.flags);
-
-	return XT_CONTINUE;
-}
-
-static bool
-checkentry(const struct xt_tgchk_param *par)
-{
-	struct ipt_set_info_target *info = par->targinfo;
-	ip_set_id_t index;
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-	if (targinfosize != IPT_ALIGN(sizeof(*info))) {
-		DP("bad target info size %u", targinfosize);
-		return 0;
-	}
-#endif
-
-	if (info->add_set.index != IP_SET_INVALID_ID) {
-		index = ip_set_get_byindex(info->add_set.index);
-		if (index == IP_SET_INVALID_ID) {
-			ip_set_printk("cannot find add_set index %u as target",
-				      info->add_set.index);
-			return 0;	/* error */
-		}
-	}
-
-	if (info->del_set.index != IP_SET_INVALID_ID) {
-		index = ip_set_get_byindex(info->del_set.index);
-		if (index == IP_SET_INVALID_ID) {
-			ip_set_printk("cannot find del_set index %u as target",
-				      info->del_set.index);
-			return 0;	/* error */
-		}
-	}
-	if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
-	    || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
-		ip_set_printk("That's nasty!");
-		return 0;	/* error */
-	}
-
-	return 1;
-}
-
-static void destroy(const struct xt_tgdtor_param *par)
-{
-	struct ipt_set_info_target *info = par->targinfo;
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-	if (targetsize != IPT_ALIGN(sizeof(struct ipt_set_info_target))) {
-		ip_set_printk("invalid targetsize %d", targetsize);
-		return;
-	}
-#endif
-	if (info->add_set.index != IP_SET_INVALID_ID)
-		ip_set_put_byindex(info->add_set.index);
-	if (info->del_set.index != IP_SET_INVALID_ID)
-		ip_set_put_byindex(info->del_set.index);
-}
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-static struct xt_target SET_target = {
-	.name 		= "SET",
-	.target 	= target,
-	.checkentry 	= checkentry,
-	.destroy 	= destroy,
-	.me 		= THIS_MODULE
-};
-#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) */
-static struct xt_target SET_target = {
-	.name 		= "SET",
-	.family		= AF_INET,
-	.target 	= target,
-	.targetsize	= sizeof(struct ipt_set_info_target),
-	.checkentry 	= checkentry,
-	.destroy 	= destroy,
-	.me 		= THIS_MODULE
-};
-#endif
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iptables IP set target module");
-
-static int __init ipt_SET_init(void)
-{
-	return xt_register_target(&SET_target);
-}
-
-static void __exit ipt_SET_fini(void)
-{
-	xt_unregister_target(&SET_target);
-}
-
-module_init(ipt_SET_init);
-module_exit(ipt_SET_fini);

extensions/ipset/ipt_set.c

@@ -1,126 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- *                         Patrick Schaaf <bof@bof.de>
- *                         Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module to match an IP set. */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-#include <linux/version.h>
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
-#include <linux/netfilter_ipv4/ip_tables.h>
-#define xt_register_match	ipt_register_match
-#define xt_unregister_match	ipt_unregister_match
-#define xt_match		ipt_match
-#else
-#include <linux/netfilter/x_tables.h>
-#endif
-#include "ip_set.h"
-#include "ipt_set.h"
-#include "../compat_xtables.h"
-
-static inline int
-match_set(const struct ipt_set_info *info,
-	  const struct sk_buff *skb,
-	  int inv)
-{	
-	if (ip_set_testip_kernel(info->index, skb, info->flags))
-		inv = !inv;
-	return inv;
-}
-
-static bool
-match(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-	const struct ipt_set_info_match *info = par->matchinfo;
-		
-	return match_set(&info->match_set,
-			 skb,
-			 info->match_set.flags[0] & IPSET_MATCH_INV);
-}
-
-static bool
-checkentry(const struct xt_mtchk_param *par)
-{
-	struct ipt_set_info_match *info = par->matchinfo;
-	ip_set_id_t index;
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-	if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
-		ip_set_printk("invalid matchsize %d", matchsize);
-		return 0;
-	}
-#endif
-
-	index = ip_set_get_byindex(info->match_set.index);
-		
-	if (index == IP_SET_INVALID_ID) {
-		ip_set_printk("Cannot find set indentified by id %u to match",
-			      info->match_set.index);
-		return 0;	/* error */
-	}
-	if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
-		ip_set_printk("That's nasty!");
-		return 0;	/* error */
-	}
-
-	return 1;
-}
-
-static void destroy(const struct xt_mtdtor_param *par)
-{
-	struct ipt_set_info_match *info = par->matchinfo;
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-	if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
-		ip_set_printk("invalid matchsize %d", matchsize);
-		return;
-	}
-#endif
-	ip_set_put_byindex(info->match_set.index);
-}
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-static struct xt_match set_match = {
-	.name		= "set",
-	.match		= &match,
-	.checkentry	= &checkentry,
-	.destroy	= &destroy,
-	.me		= THIS_MODULE
-};
-#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) */
-static struct xt_match set_match = {
-	.name		= "set",
-	.family		= AF_INET,
-	.match		= &match,
-	.matchsize	= sizeof(struct ipt_set_info_match),
-	.checkentry	= &checkentry,
-	.destroy	= &destroy,
-	.me		= THIS_MODULE
-};
-#endif
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iptables IP set match module");
-
-static int __init ipt_ipset_init(void)
-{
-	return xt_register_match(&set_match);
-}
-
-static void __exit ipt_ipset_fini(void)
-{
-	xt_unregister_match(&set_match);
-}
-
-module_init(ipt_ipset_init);
-module_exit(ipt_ipset_fini);

extensions/ipset/ipt_set.h

@@ -1,21 +0,0 @@
-#ifndef _IPT_SET_H
-#define _IPT_SET_H
-
-#include "ip_set.h"
-
-struct ipt_set_info {
-	ip_set_id_t index;
-	u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
-};
-
-/* match info */
-struct ipt_set_info_match {
-	struct ipt_set_info match_set;
-};
-
-struct ipt_set_info_target {
-	struct ipt_set_info add_set;
-	struct ipt_set_info del_set;
-};
-
-#endif /*_IPT_SET_H*/

extensions/iptable_rawpost.c

@@ -1,109 +0,0 @@
-/*
- *	rawpost table for ip_tables
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
- *	placed in the Public Domain
- */
-#include <linux/module.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/version.h>
-#include <net/ip.h>
-#include "compat_xtables.h"
-#include "compat_rawpost.h"
-
-enum {
-	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
-};
-
-static struct {
-	struct ipt_replace repl;
-	struct ipt_standard entries[1];
-	struct ipt_error term;
-} rawpost4_initial __initdata = {
-	.repl = {
-		.name        = "rawpost",
-		.valid_hooks = RAWPOST_VALID_HOOKS,
-		.num_entries = 2,
-		.size        = sizeof(struct ipt_standard) +
-		               sizeof(struct ipt_error),
-		.hook_entry  = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-		.underflow = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-	},
-	.entries = {
-		IPT_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
-	},
-	.term = IPT_ERROR_INIT,			/* ERROR */
-};
-
-static struct xt_table *rawpost4_ptable;
-
-static struct xt_table rawpost4_itable = {
-	.name        = "rawpost",
-	.af          = NFPROTO_IPV4,
-	.valid_hooks = RAWPOST_VALID_HOOKS,
-	.me          = THIS_MODULE,
-};
-
-static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
-    const struct net_device *in, const struct net_device *out,
-    int (*okfn)(struct sk_buff *))
-{
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
-#else
-	return ipt_do_table(skb, hook, in, out, rawpost4_ptable, NULL);
-#endif
-}
-
-static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
-	.hook     = rawpost4_hook_fn,
-	.pf       = NFPROTO_IPV4,
-	.hooknum  = NF_INET_POST_ROUTING,
-	.priority = NF_IP_PRI_LAST,
-	.owner    = THIS_MODULE,
-};
-
-static int __init rawpost4_table_init(void)
-{
-	int ret;
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
-	rwlock_init(&rawpost4_itable.lock);
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
-	rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
-	                  &rawpost4_initial.repl);
-	if (IS_ERR(rawpost4_ptable))
-		return PTR_ERR(rawpost4_ptable);
-#else
-	ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
-	if (ret < 0)
-		return ret;
-	rawpost4_ptable = &rawpost4_itable;
-#endif
-
-	ret = nf_register_hook(&rawpost4_hook_ops);
-	if (ret < 0)
-		goto out;
-
-	return ret;
-
- out:
-	ipt_unregister_table(rawpost4_ptable);
-	return ret;
-}
-
-static void __exit rawpost4_table_exit(void)
-{
-	nf_unregister_hook(&rawpost4_hook_ops);
-	ipt_unregister_table(rawpost4_ptable);
-}
-
-module_init(rawpost4_table_init);
-module_exit(rawpost4_table_exit);
-MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_LICENSE("GPL");

extensions/libxt_CHAOS.c

@@ -1,6 +1,6 @@
 /*
  *	"CHAOS" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	Copyright © Jan Engelhardt, 2006 - 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -16,6 +16,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_CHAOS.h"
+#include "compat_user.h"
 
 enum {
 	F_DELUDE = 1 << 0,
@@ -63,39 +64,31 @@ static void chaos_tg_check(unsigned int flags)
 		           "may be specified");
 }
 
-static void chaos_tg_print(const void *ip,
-    const struct xt_entry_target *target, int numeric)
-{
-	const struct xt_chaos_tginfo *info = (const void *)target->data;
-
-	switch (info->variant) {
-	case XTCHAOS_DELUDE:
-		printf("DELUDE ");
-		break;
-	case XTCHAOS_TARPIT:
-		printf("TARPIT ");
-		break;
-	}
-}
-
 static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
 {
 	const struct xt_chaos_tginfo *info = (const void *)target->data;
 
 	switch (info->variant) {
 	case XTCHAOS_DELUDE:
-		printf("--delude ");
+		printf(" --delude ");
 		break;
 	case XTCHAOS_TARPIT:
-		printf("--tarpit ");
+		printf(" --tarpit ");
 		break;
 	}
 }
 
+static void chaos_tg_print(const void *ip,
+    const struct xt_entry_target *target, int numeric)
+{
+	printf(" -j CHAOS");
+	chaos_tg_save(ip, target);
+}
+
 static struct xtables_target chaos_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "CHAOS",
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.help          = chaos_tg_help,

extensions/libxt_CHAOS.man

@@ -1,3 +1,4 @@
+.PP
 Causes confusion on the other end by doing odd things with incoming packets.
 CHAOS will randomly reply (or not) with one of its configurable subtargets:
 .TP
@@ -17,5 +18,5 @@ connections than they can.
 The randomness factor of not replying vs. replying can be set during load-time
 of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
-See http://jengelh.medozas.de/projects/chaostables/ for more information
+See http://inai.de/projects/chaostables/ for more information
 about CHAOS, DELUDE and lscan.

extensions/libxt_DELUDE.c

@@ -1,6 +1,6 @@
 /*
  *	"DELUDE" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	Copyright © Jan Engelhardt, 2006 - 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -13,6 +13,7 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
+#include "compat_user.h"
 
 static void delude_tg_help(void)
 {
@@ -33,9 +34,7 @@ static struct xtables_target delude_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DELUDE",
 	.revision      = 0,
-	.family        = AF_INET,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_IPV4,
 	.help          = delude_tg_help,
 	.parse         = delude_tg_parse,
 	.final_check   = delude_tg_check,

extensions/libxt_DELUDE.man

@@ -1,3 +1,4 @@
+.PP
 The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other
 packets with an RST. This will terminate the connection much like REJECT, but
 network scanners doing TCP half-open discovery can be spoofed to make them

extensions/libxt_DHCPMAC.c

@@ -1,6 +1,6 @@
 /*
  *	"DHCPMAC" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -17,6 +17,7 @@
 #include <xtables.h>
 #include "xt_DHCPMAC.h"
 #include "mac.c"
+#include "compat_user.h"
 
 enum {
 	F_MAC = 1 << 0,
@@ -60,31 +61,29 @@ static void dhcpmac_tg_check(unsigned int flags)
 		           "--set-mac parameter required");
 }
 
-static void dhcpmac_tg_print(const void *ip,
-    const struct xt_entry_target *target, int numeric)
-{
-	const struct dhcpmac_info *info = (void *)target->data;
-
-	printf("DHCPMAC %s" DH_MAC_FMT "/%u ",
-	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
-}
-
 static void dhcpmac_tg_save(const void *ip,
     const struct xt_entry_target *target)
 {
 	const struct dhcpmac_info *info = (const void *)target->data;
 
 	if (info->invert)
-		printf("! ");
-	printf("--set-mac " DH_MAC_FMT "/%u ",
+		printf(" !");
+	printf(" --set-mac " DH_MAC_FMT "/%u ",
 	       DH_MAC_HEX(info->addr), info->mask);
 }
 
+static void dhcpmac_tg_print(const void *ip,
+    const struct xt_entry_target *target, int numeric)
+{
+	printf(" -j DHCPMAC");
+	dhcpmac_tg_save(ip, target);
+}
+
 static struct xtables_target dhcpmac_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DHCPMAC",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.help          = dhcpmac_tg_help,

extensions/libxt_DHCPMAC.man

@@ -1,3 +1,4 @@
+.PP
 In conjunction with ebtables, DHCPMAC can be used to completely change all MAC
 addresses from and to a VMware-based virtual machine. This is needed because
 VMware does not allow to set a non-VMware MAC address before an operating

extensions/libxt_DNETMAP.c

@@ -0,0 +1,245 @@
+/* Shared library add-on to iptables to add DNETMAP support.
+ * (C) 2010 Marek Kierdelewicz <marek@koba.pl>
+ *
+ * uses some code from libipt_NETMAP by:
+ * Svenning Soerensen <svenning@post5.tele.dk>
+ */
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/nf_nat.h>
+#include "xt_DNETMAP.h"
+
+#define MODULENAME "DNETMAP"
+
+static const struct option DNETMAP_opts[] = {
+	{"prefix", 1, NULL, 'p'},
+	{"reuse", 0, NULL, 'r'},
+	{"ttl", 1, NULL, 't'},
+	{"static", 0, NULL, 's'},
+	{"persistent", 0, NULL, 'e'},
+	{.name = NULL}
+};
+
+static void DNETMAP_help(void)
+{
+	printf(MODULENAME " target options:\n"
+	       "  --%s address[/mask]\n"
+	       "    Network subnet to map to. If not specified, all existing prefixes are used.\n"
+	       "  --%s\n"
+	       "    Reuse entry for given prenat-ip from any prefix despite bindings ttl < 0.\n"
+	       "  --%s seconds\n"
+	       "    Regenerate bindings ttl value to seconds. If negative value is specified,\n"
+	       "    bindings ttl is kept unchanged. If not specified then default ttl value (600s)\n"
+		"    is used\n"
+		"  --%s\n"
+		"    Match only static entries for this rule. Dynamic entries won't be created.\n"
+		"  --%s\n"
+		"    Set prefix persistent. It won't be removed after deleting last iptables rule.\n\n",
+		DNETMAP_opts[0].name, DNETMAP_opts[1].name,
+		DNETMAP_opts[2].name, DNETMAP_opts[3].name,
+		DNETMAP_opts[4].name);
+}
+
+static u_int32_t bits2netmask(int bits)
+{
+	u_int32_t netmask, bm;
+
+	if (bits >= 32 || bits < 0)
+		return ~0;
+	for (netmask = 0, bm = 0x80000000; bits; bits--, bm >>= 1)
+		netmask |= bm;
+	return htonl(netmask);
+}
+
+static int netmask2bits(u_int32_t netmask)
+{
+	u_int32_t bm;
+	int bits;
+
+	netmask = ntohl(netmask);
+	for (bits = 0, bm = 0x80000000; netmask & bm; netmask <<= 1)
+		bits++;
+	if (netmask)
+		return -1;	/* holes in netmask */
+	return bits;
+}
+
+/* Parses network address */
+static void parse_prefix(char *arg, struct nf_nat_range *range)
+{
+	char *slash;
+	const struct in_addr *ip;
+	u_int32_t netmask;
+	unsigned int bits;
+
+	range->flags |= NF_NAT_RANGE_MAP_IPS;
+	slash = strchr(arg, '/');
+	if (slash)
+		*slash = '\0';
+
+	ip = xtables_numeric_to_ipaddr(arg);
+	if (ip == NULL)
+		xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
+			      arg);
+	range->min_addr.in = *ip;
+	if (slash) {
+		if (strchr(slash + 1, '.')) {
+			ip = xtables_numeric_to_ipmask(slash + 1);
+			if (ip == NULL)
+				xtables_error(PARAMETER_PROBLEM,
+					      "Bad netmask \"%s\"\n",
+					      slash + 1);
+			netmask = ip->s_addr;
+		} else {
+			if (!xtables_strtoui(slash + 1, NULL, &bits, 0, 32))
+				xtables_error(PARAMETER_PROBLEM,
+					      "Bad netmask \"%s\"\n",
+					      slash + 1);
+			netmask = bits2netmask(bits);
+		}
+		/* Don't allow /0 (/1 is probably insane, too) */
+		if (netmask == 0)
+			xtables_error(PARAMETER_PROBLEM, "Netmask needed\n");
+		/* Mask should be <= then /16 */
+		if (bits < 16)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Max netmask size is /16\n");
+	} else
+		netmask = ~0;
+
+	if (range->min_addr.ip & ~netmask) {
+		if (slash)
+			*slash = '/';
+		xtables_error(PARAMETER_PROBLEM, "Bad network address \"%s\"\n",
+			      arg);
+	}
+	range->max_addr.ip = range->min_addr.ip | ~netmask;
+}
+
+static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
+			 const void *entry, struct xt_entry_target **target)
+{
+	struct xt_DNETMAP_tginfo *tginfo = (void *)(*target)->data;
+	struct nf_nat_range *mr = &tginfo->prefix;
+	char *end;
+
+	switch (c) {
+	case 'p':
+		xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--prefix",
+				  *flags & XT_DNETMAP_PREFIX);
+		xtables_param_act(XTF_NO_INVERT, MODULENAME, "--prefix",
+				  invert);
+
+		/* TO-DO use xtables_ipparse_any instead? */
+		parse_prefix(optarg, mr);
+		*flags |= XT_DNETMAP_PREFIX;
+		tginfo->flags |= XT_DNETMAP_PREFIX;
+		return 1;
+	case 'r':
+		xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--reuse",
+				  *flags & XT_DNETMAP_REUSE);
+		xtables_param_act(XTF_NO_INVERT, MODULENAME, "--reuse", invert);
+		*flags |= XT_DNETMAP_REUSE;
+		tginfo->flags |= XT_DNETMAP_REUSE;
+		return 1;
+	case 's':
+		xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--static",
+				  *flags & XT_DNETMAP_STATIC);
+		xtables_param_act(XTF_NO_INVERT, MODULENAME, "--static", invert);
+		*flags |= XT_DNETMAP_STATIC;
+		tginfo->flags |= XT_DNETMAP_STATIC;
+		return 1;
+	case 'e':
+		xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--persistent",
+				  *flags & XT_DNETMAP_PERSISTENT);
+		xtables_param_act(XTF_NO_INVERT, MODULENAME, "--persistent", invert);
+		*flags |= XT_DNETMAP_PERSISTENT;
+		tginfo->flags |= XT_DNETMAP_PERSISTENT;
+		return 1;
+	case 't':
+		xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--ttl",
+				  *flags & XT_DNETMAP_TTL);
+		xtables_param_act(XTF_NO_INVERT, MODULENAME, "--ttl", invert);
+		*flags |= XT_DNETMAP_TTL;
+		tginfo->flags |= XT_DNETMAP_TTL;
+		tginfo->ttl = strtol(optarg, &end, 10);
+		if (*end != '\0')
+			return 0;
+		return 1;
+	default:
+		return 0;
+	}
+}
+
+static void DNETMAP_print_addr(const void *ip,
+			       const struct xt_entry_target *target,
+			       int numeric)
+{
+	struct xt_DNETMAP_tginfo *tginfo = (void *)&target->data;
+	const struct nf_nat_range *r = &tginfo->prefix;
+	struct in_addr a;
+	int bits;
+
+	a = r->min_addr.in;
+	printf("%s", xtables_ipaddr_to_numeric(&a));
+	a.s_addr = ~(r->min_addr.ip ^ r->max_addr.ip);
+	bits = netmask2bits(a.s_addr);
+	if (bits < 0)
+		printf("/%s", xtables_ipaddr_to_numeric(&a));
+	else
+		printf("/%d", bits);
+}
+
+static void DNETMAP_save(const void *ip, const struct xt_entry_target *target)
+{
+	struct xt_DNETMAP_tginfo *tginfo = (void *)&target->data;
+	const __u8 *flags = &tginfo->flags;
+
+	if (*flags & XT_DNETMAP_PREFIX) {
+		printf(" --%s ", DNETMAP_opts[0].name);
+		DNETMAP_print_addr(ip, target, 0);
+	}
+
+	if (*flags & XT_DNETMAP_REUSE)
+		printf(" --reuse ");
+
+	if (*flags & XT_DNETMAP_STATIC)
+		printf(" --static ");
+
+	if (*flags & XT_DNETMAP_PERSISTENT)
+		printf(" --persistent ");
+
+	/* ommited because default value can change as kernel mod param */
+	if (*flags & XT_DNETMAP_TTL)
+		printf(" --ttl %i ", tginfo->ttl);
+}
+
+static void DNETMAP_print(const void *ip, const struct xt_entry_target *target,
+			  int numeric)
+{
+	printf(" -j DNETMAP");
+	DNETMAP_save(ip, target);
+}
+
+static struct xtables_target dnetmap_tg_reg = {
+	.name          = MODULENAME,
+	.version       = XTABLES_VERSION,
+	.family        = NFPROTO_IPV4,
+	.size          = XT_ALIGN(sizeof(struct xt_DNETMAP_tginfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_DNETMAP_tginfo)),
+	.help          = DNETMAP_help,
+	.parse         = DNETMAP_parse,
+	.print         = DNETMAP_print,
+	.save          = DNETMAP_save,
+	.extra_opts    = DNETMAP_opts,
+};
+
+static void _init(void)
+{
+	xtables_register_target(&dnetmap_tg_reg);
+}

extensions/libxt_DNETMAP.man

@@ -0,0 +1,179 @@
+.PP
+The \fBDNETMAP\fR target allows dynamic two-way 1:1 mapping of IPv4 subnets. A
+single rule can map a private subnet to a shorter public subnet, creating and
+maintaining unambiguous private-public IP address bindings. The second rule can
+be used to map new flows to a private subnet according to maintained bindings.
+The target allows efficient public IPv4 space usage and unambiguous NAT at the
+same time.
+.PP
+The target can be used only in the \fBnat\fR table in \fBPOSTROUTING\fR or
+\fBOUTPUT\fR chains for SNAT, and in \fBPREROUTING\fR for DNAT. Only flows
+directed to bound addresses will be DNATed. The packet continues chain
+traversal if there is no free postnat address to be assigned to the prenat
+address. The default binding \fBTTL\fR is \fI10 minutes\fR and can be changed
+using the \fBdefault_ttl\fR module option. The default address hash size is 256
+and can be changed using the \fBhash_size\fR module option.
+.TP
+\fB\-\-prefix\fR \fIaddr\fR\fB/\fR\fImask\fR
+The network subnet to map to. If not specified, all existing prefixes are used.
+.TP
+\fB\-\-reuse\fR
+Reuse the entry for a given prenat address from any prefix even if the
+binding's TTL is < 0.
+.TP
+\fB\-\-persistent\fR
+Set the prefix to be persistent. It will not be removed after deleting the last
+iptables rule. The option is effective only in the first rule for a given
+prefix. If you need to change persistency for an existing prefix, please use
+the procfs interface described below.
+.TP
+\fB\-\-static\fR
+Do not create dynamic mappings using this rule. Use static mappings only. Note
+that you need to create static mappings via the procfs interface for this rule
+for this option to have any effect.
+.TP
+\fB\-\-ttl\fR \fIseconds\fR
+Reset the binding's TTL value to \fIseconds\fR. If a negative value is
+specified, the binding's TTL is kept unchanged. If this option is not
+specified, then the default TTL value (600s) is used.
+.PP
+\fB* /proc interface\fR
+.PP
+The module creates the following entries for each new specified subnet:
+.TP
+\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR
+Contains the binding table for the given \fIsubnet/mask\fP. Each line contains
+\fBprenat address\fR, \fBpostnat address\fR, \fBttl\fR (seconds until the entry
+times out), \fBlasthit\fR (last hit to the entry in seconds relative to system
+boot time). Please note that the \fBttl\fR and \fBlasthit\fR entries contain an
+'\fBS\fR' in case of a static binding.
+.TP
+\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
+Contains statistics for a given \fIsubnet/mask\fP. The line contains four
+numerical values separated by spaces. The first one is the number of currently
+used dynamic addresses (bindings with negative TTL excluded), the second one is
+the number of static assignments, the third one is the number of all usable
+addresses in the subnet, and the fourth one is the mean \fBTTL\fR value for all
+active entries. If the prefix has the persistent flag set, it will be noted as
+fifth entry.
+.PP
+The following write operations are supported via the procfs interface:
+.TP
+echo "+\fIprenat-address\fR:\fIpostnat-address\fR" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Adds a static binding between the prenat and postnap address. If
+postnat_address is already bound, any previous binding will be timed out
+immediately. A static binding is never timed out.
+.TP
+echo "\-\fIaddress\fR" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Removes the binding with \fIaddress\fR as prenat or postnat address. If the
+removed binding is currently static, it will make the entry available for
+dynamic allocation.
+.TP
+echo "+persistent" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Sets the persistent flag for the prefix. It is useful if you do not want
+bindings to get flushed when the firewall is restarted. You can check if the
+prefix is persistent by printing the contents of
+\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR.
+.TP
+echo "\-persistent" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Unsets the persistent flag for the prefix. In this mode, the prefix will be
+deleted if the last iptables rule for that prefix is removed.
+.TP
+echo "flush" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Flushes all bindings for the specific prefix. All static entries are also
+flushed and become available for dynamic bindings.
+.PP
+Note! Entries are removed if the last iptables rule for a specific prefix is
+deleted unless the persistent flag is set.
+.PP
+\fB* Logging\fR
+.PP
+The module logs binding add/timeout events to klog. This behaviour can be
+disabled using the \fBdisable_log\fR module parameter.
+.PP
+\fB* Examples\fR
+.PP
+\fB1.\fR Map subnet 192.168.0.0/24 to subnets 20.0.0.0/26. SNAT only:
+.PP
+iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
+.PP
+Active hosts from the 192.168.0.0/24 subnet are mapped to 20.0.0.0/26. If the
+packet from a not yet bound prenat address hits the rule and there are no free
+or timed-out (TTL<0) entries in prefix 20.0.0.0/28, then a notice is logged to
+klog and chain traversal continues. If packet from an already-bound prenat
+address hits the rule, the binding's TTL value is reset to default_ttl and SNAT
+is performed.
+.PP
+\fB2.\fR Use of \fB\-\-reuse\fR and \fB\-\-ttl\fR switches, multiple rule
+interaction:
+.PP
+iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix
+20.0.0.0/26 \-\-reuse \-\-ttl 200
+.PP
+iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 30.0.0.0/26
+.PP
+Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26 with TTL =
+200 seconds. If there are no free addresses in first prefix, the next one
+(30.0.0.0/26) is used with the default TTL. It is important to note that the
+first rule SNATs all flows whose source address is already actively bound
+(TTL>0) to ANY prefix. The \fB\-\-reuse\fR parameter makes this functionality
+work even for inactive (TTL<0) entries.
+.PP
+If both subnets are exhausted, then chain traversal continues.
+.PP
+\fB3.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 in a bidirectional way:
+.PP
+iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
+.PP
+iptables \-t nat \-A PREROUTING \-j DNETMAP
+.PP
+If the host 192.168.0.10 generates some traffic, it gets bound to first free
+address in the subnet \(em 20.0.0.0. Now, any traffic directed to 20.0.0.0 gets
+DNATed to 192.168.0.10 as long as there is an active (TTL>0) binding. There is
+no need to specify \fB\-\-prefix\fR parameter in a PREROUTING rule, because
+this way, it DNATs traffic to all active prefixes. You could specify the prefix
+you would like to make DNAT work for a specific prefix only.
+.PP
+\fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments
+only:
+.PP
+iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
+\-\-static
+.PP
+echo "+192.168.0.10:20.0.0.1" >/proc/net/xt_DNETMAP/20.0.0.0_26
+.br
+echo "+192.168.0.11:20.0.0.2" >/proc/net/xt_DNETMAP/20.0.0.0_26
+.br
+echo "+192.168.0.51:20.0.0.3" >/proc/net/xt_DNETMAP/20.0.0.0_26
+.PP
+This configuration will allow only preconfigured static bindings to work due to
+the \fBstatic\fR rule option. Without this flag, dynamic bindings would be
+created using non-static entries.
+.PP
+\fB5.\fR Persistent prefix:
+.PP
+iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
+\-\-persistent
+.br
+\fBor\fR
+.br
+iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26
+.br
+echo "+persistent" >/proc/net/xt_DNETMAP/20.0.0.0_26
+.PP
+Now, we can check the persistent flag of the prefix:
+.br
+cat /proc/net/xt_DNETMAP/20.0.0.0_26
+.br
+0 0 64 0 \fBpersistent\fR
+.PP
+Flush the iptables nat table and see that prefix is still in existence:
+.br
+iptables \-F \-t nat
+.br
+ls \-l /proc/net/xt_DNETMAP
+.br
+\-rw\-r\-\-r\-\- 1 root root 0 06\-10 09:01 20.0.0.0_26
+.br
+\-rw\-r\-\-r\-\- 1 root root 0 06\-10 09:01 20.0.0.0_26_stat
+.

extensions/libxt_ECHO.c

@@ -1,6 +1,6 @@
 /*
  *	"ECHO" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void echo_tg_help(void)
 {
@@ -29,9 +30,7 @@ static void echo_tg_check(unsigned int flags)
 static struct xtables_target echo_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ECHO",
-	.family        = AF_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_UNSPEC,
 	.help          = echo_tg_help,
 	.parse         = echo_tg_parse,
 	.final_check   = echo_tg_check,

extensions/libxt_ECHO.man

@@ -1,3 +1,4 @@
+.PP
 The \fBECHO\fP target will send back all packets it received. It serves as an
 examples for an Xtables target.
 .PP

extensions/libxt_IPMARK.c

@@ -1,7 +1,7 @@
 /*
  *	"IPMARK" target extension for iptables
  *	Copyright © Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>, 2003
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -14,6 +14,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_IPMARK.h"
+#include "compat_user.h"
 
 enum {
 	FL_ADDR_USED     = 1 << 0,
@@ -111,47 +112,36 @@ static void ipmark_tg_check(unsigned int flags)
 		           "IPMARK target: Parameter --addr is required");
 }
 
-static void
-ipmark_tg_print(const void *entry, const struct xt_entry_target *target,
-                int numeric)
-{
-	const struct xt_ipmark_tginfo *info = (const void *)target->data;
-
-	if (info->selector == XT_IPMARK_SRC)
-		printf("IPMARK src ip ");
-	else
-		printf("IPMARK dst ip ");
-
-	if (info->shift != 0)
-		printf("shift %u ", (unsigned int)info->shift);
-	if (info->andmask != ~0U)
-		printf("and 0x%x ", (unsigned int)info->andmask);
-	if (info->ormask != 0)
-		printf("or 0x%x ", (unsigned int)info->ormask);
-}
-
 static void
 ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
 {
 	const struct xt_ipmark_tginfo *info = (const void *)target->data;
 
 	if (info->selector == XT_IPMARK_SRC)
-		printf("--addr src ");
+		printf(" --addr src ");
 	else
-		printf("--addr dst ");
+		printf(" --addr dst ");
 
 	if (info->shift != 0)
-		printf("--shift %u ", (unsigned int)info->shift);
+		printf(" --shift %u ", (unsigned int)info->shift);
 	if (info->andmask != ~0U)
-		printf("--and-mask 0x%x ", (unsigned int)info->andmask);
+		printf(" --and-mask 0x%x ", (unsigned int)info->andmask);
 	if (info->ormask != 0)
-		printf("--or-mask 0x%x ", (unsigned int)info->ormask);
+		printf(" --or-mask 0x%x ", (unsigned int)info->ormask);
+}
+
+static void
+ipmark_tg_print(const void *entry, const struct xt_entry_target *target,
+                int numeric)
+{
+	printf(" -j IPMARK");
+	ipmark_tg_save(entry, target);
 }
 
 static struct xtables_target ipmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "IPMARK",
-	.family        = PF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.revision      = 1,
 	.size          = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),

extensions/libxt_IPMARK.man

@@ -1,7 +1,8 @@
+.PP
 Allows you to mark a received packet basing on its IP address. This
 can replace many mangle/mark entries with only one, if you use
 firewall based classifier.
-
+.PP
 This target is to be used inside the \fBmangle\fP table.
 .TP
 \fB\-\-addr\fP {\fBsrc\fP|\fBdst\fP}

extensions/libxt_LOGMARK.c

@@ -1,6 +1,6 @@
 /*
  *	"LOGMARK" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -13,6 +13,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_LOGMARK.h"
+#include "compat_user.h"
 
 enum {
 	F_LEVEL  = 1 << 0,
@@ -76,31 +77,30 @@ logmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 	return false;
 }
 
-static void
-logmark_tg_print(const void *ip, const struct xt_entry_target *target,
-                 int numeric)
-{
-	const struct xt_logmark_tginfo *info = (void *)target->data;
-
-	printf("LOGMARK level %u prefix \"%s\" ", info->level, info->prefix);
-}
-
 static void
 logmark_tg_save(const void *ip, const struct xt_entry_target *target)
 {
 	const struct xt_logmark_tginfo *info = (void *)target->data;
 
 	if (info->level != 4)
-		printf("--log-level %u ", info->level);
+		printf(" --log-level %u ", info->level);
 	if (*info->prefix != '\0')
-		printf("--log-prefix \"%s\" ", info->prefix);
+		printf(" --log-prefix \"%s\" ", info->prefix);
+}
+
+static void
+logmark_tg_print(const void *ip, const struct xt_entry_target *target,
+                 int numeric)
+{
+	printf(" -j LOGMARK");
+	logmark_tg_save(ip, target);
 }
 
 static struct xtables_target logmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "LOGMARK",
 	.revision      = 0,
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.help          = logmark_tg_help,

extensions/libxt_LOGMARK.man

@@ -1,3 +1,4 @@
+.PP
 The LOGMARK target will log packet and connection marks to syslog.
 .TP
 \fB\-\-log\-level\fR \fIlevel\fR
@@ -6,12 +7,3 @@ A logging level between 0 and 8 (inclusive).
 \fB\-\-log\-prefix\fR \fIstring\fR
 Prefix log messages with the specified prefix; up to 29 bytes long, and useful
 for distinguishing messages in the logs.
-.TP
-\fB\-\-log\-nfmark\fR
-Include the packet mark in the log.
-.TP
-\fB\-\-log\-ctmark\fR
-Include the connection mark in the log.
-.TP
-\fB\-\-log\-secmark\fR
-Include the packet secmark in the log.

extensions/libxt_RAWDNAT.c

@@ -1,187 +0,0 @@
-/*
- *	"RAWNAT" target extension for iptables
- *	Copyright © Jan Engelhardt, 2008 - 2009
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <netinet/in.h>
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-#include <xtables.h>
-#include <linux/netfilter.h>
-#include "xt_RAWNAT.h"
-
-enum {
-	FLAGS_TO = 1 << 0,
-};
-
-static const struct option rawdnat_tg_opts[] = {
-	{.name = "to-destination", .has_arg = true, .val = 't'},
-	{},
-};
-
-static void rawdnat_tg_help(void)
-{
-	printf(
-"RAWDNAT target options:\n"
-"    --to-destination addr[/mask]    Address or network to map to\n"
-);
-}
-
-static int
-rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 32;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
-				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-					"--to-destination", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ipaddr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-				"--to-destination", optarg);
-		memcpy(&info->addr.in, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static int
-rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in6_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 128;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
-				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-					"--to-destination", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ip6addr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-				"--to-destination", optarg);
-		memcpy(&info->addr.in6, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static void rawdnat_tg_check(unsigned int flags)
-{
-	if (!(flags & FLAGS_TO))
-		xtables_error(PARAMETER_PROBLEM, "RAWDNAT: "
-			"\"--to-destination\" is required.");
-}
-
-static void
-rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	if (!numeric && info->mask == 32)
-		printf("to-destination %s ",
-		       xtables_ipaddr_to_anyname(&info->addr.in));
-	else
-		printf("to-destination %s/%u ",
-		       xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
-}
-
-static void
-rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	if (!numeric && info->mask == 128)
-		printf("to-destination %s ",
-		       xtables_ip6addr_to_anyname(&info->addr.in6));
-	else
-		printf("to-destination %s/%u ",
-		       xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
-}
-
-static void
-rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf("--to-destination %s/%u ",
-	       xtables_ipaddr_to_numeric(&info->addr.in),
-	       info->mask);
-}
-
-static void
-rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf("--to-destination %s/%u ",
-	       xtables_ip6addr_to_numeric(&info->addr.in6),
-	       info->mask);
-}
-
-static struct xtables_target rawdnat_tg4_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "RAWDNAT",
-	.revision      = 0,
-	.family        = PF_INET,
-	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-	.help          = rawdnat_tg_help,
-	.parse         = rawdnat_tg4_parse,
-	.final_check   = rawdnat_tg_check,
-	.print         = rawdnat_tg4_print,
-	.save          = rawdnat_tg4_save,
-	.extra_opts    = rawdnat_tg_opts,
-};
-
-static struct xtables_target rawdnat_tg6_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "RAWDNAT",
-	.revision      = 0,
-	.family        = PF_INET6,
-	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-	.help          = rawdnat_tg_help,
-	.parse         = rawdnat_tg6_parse,
-	.final_check   = rawdnat_tg_check,
-	.print         = rawdnat_tg6_print,
-	.save          = rawdnat_tg6_save,
-	.extra_opts    = rawdnat_tg_opts,
-};
-
-static void _init(void)
-{
-	xtables_register_target(&rawdnat_tg4_reg);
-	xtables_register_target(&rawdnat_tg6_reg);
-}

extensions/libxt_RAWDNAT.man

@@ -1,10 +0,0 @@
-The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
-much like the \fBNETMAP\fR target.
-.TP
-\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
-Network address to map to. The resulting address will be constructed the
-following way: All 'one' bits in the \fImask\fR are filled in from the new
-\fIaddress\fR. All bits that are zero in the mask are filled in from the
-original address.
-.PP
-See the \fBRAWSNAT\fR help entry for examples and constraints.