Xtables-addons 1.24

This reverts commit ab13e58f96.

Whoops. There is no mark at all before 2.6.19.

INSTALL

@@ -51,15 +51,6 @@ Configuring and compiling
 	For RPM building, it should be /usr/src/linux-obj/...
 	or whatever location the distro makes use of.
 
---with-xtables=
-
-	Specifies the path to the directory where we may find
-	xtables.h, should it not be within the standard C compiler
-	include path (/usr/include), or if you want to override it.
-	The directory will be checked for xtables.h and
-	include/xtables.h. (The latter to support both standard
-	/usr/include and the iptables source root.)
-
 --with-xtlibdir=
 
 	Specifies the path to where the newly built extensions should
@@ -73,6 +64,25 @@ If you want to enable debugging, use
 (-O0 is used to turn off instruction reordering, which makes debugging
 much easier.)
 
+To make use of a libxtables that is not in the default path, either
+
+  a) append the location of the pkg-config files like:
+
+	PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+
+     (Assuming that files have been installed)
+or,
+
+  b) override the pkg-config variables, for example:
+
+	./configure libxtables_CFLAGS="-I../iptables/include" \
+		libxtables_LIBS="-L../iptables/.libs \
+			-Wl,-rpath,../iptables/.libs -lxtables"
+
+     (Use this in case you wish to use it without having to
+     run `make install`. This is because the libxtables.pc pkgconfig
+     file in ../iptables would already point to e.g. /usr/local.)
+
 
 Build-time options
 ==================
@@ -89,4 +99,5 @@ Except for --with-kbuild, distributions should not have a need to
 supply any other flags (besides --prefix=/usr and perhaps
 --libdir=/usr/lib64, etc.) to configure when all prerequired packages
 are installed. If iptables-devel is installed, necessary headers should
-be in /usr/include, so --with-xtables is not needed.
+already be in /usr/include, so that overriding PKG_CONFIG_PATH,
+libxtables_CFLAGS and libxtables_LIBS variables should not be needed.

Makefile.iptrules.in

@@ -47,7 +47,7 @@ all: ${targets}
 install: ${targets}
 	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
 	install -dm0755 "${DESTDIR}/${xtlibdir}";
-	install -pm0755 $^ "${DESTDIR}/${xtlibdir}";
+	@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
 
 clean:
 	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.20])
+AC_INIT([xtables-addons], [1.24])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -21,56 +21,21 @@ if [[ "$kbuilddir" == no ]]; then
 	kbuilddir="";
 fi
 
-AC_ARG_WITH([ksource],,[ksourcedir="$withval"])
-AC_ARG_WITH([xtables],
-	AS_HELP_STRING([--with-xtables=PATH],
-	[Path to the Xtables includes [[none]]]),
-	[xtables_location="$withval"])
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
 	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
 	[xtlibdir="$withval"],
 	[xtlibdir='${libexecdir}/xtables'])
 
-#
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
-# --with-xtables= overrides a possibly installed pkgconfig file.
-#
-if [[ -n "$xtables_location" ]]; then
-	AC_MSG_CHECKING([xtables.h presence])
-	if [[ -f "$xtables_location/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/xtables.h])
-		libxtables_CFLAGS="-I $xtables_location";
-	elif [[ -f "$xtables_location/include/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/include/xtables.h])
-		libxtables_CFLAGS="-I $xtables_location/include";
-	fi;
-	if [[ -z "$xtables_CFLAGS" ]]; then
-		if [[ -f "$includedir/xtables.h" ]]; then
-			AC_MSG_RESULT([$includedir/xtables.h])
-		else
-			AC_MSG_RESULT([no])
-		fi;
-	fi;
-	libxtables_LIBS="-lxtables";
-	AC_SUBST([libxtables_CFLAGS])
-	AC_SUBST([libxtables_LIBS])
-else
-	PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
-fi;
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
-	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, either through /usr/include or the iptables directory (--with-xtables=)])])
+	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
+	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
-kinclude_CFLAGS="";
+	-I\${XA_TOPSRCDIR}/include";
-if [[ -n "$kbuilddir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
-fi;
-if [[ -n "$ksourcedir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
-fi;
 
 #
 # check kernel version
@@ -97,7 +62,7 @@ else
 	fi;
 fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 32; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 34; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
@@ -107,9 +72,7 @@ elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
 fi;
 
 AC_SUBST([regular_CFLAGS])
-AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
-AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
 AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
 	extensions/Makefile extensions/ACCOUNT/Makefile

doc/changelog.txt

@@ -3,6 +3,39 @@ HEAD
 ====
 
 
+Xtables-addons 1.24 (March 17 2010)
+===================================
+- build: fix build of userspace modules against old (pre-2.6.25)
+  headers from linux-glibc-devel (/usr/include/linux)
+- ipp2p: updated bittorent command recognition
+- SYSRQ: let module load when crypto is unavailable
+- SYSRQ: allow processing of UDP-Lite
+
+
+Xtables-addons 1.23 (February 24 2010)
+======================================
+- build: support for Linux 2.6.34
+- build: remove unused --with-ksource option
+- build: remove unneeded --with-xtables option
+- build: fix compilations in RAWNAT, SYSRQ and length2 when CONFIG_IPV6=n
+- ipset: update to 4.2
+- ECHO: fix compilation w.r.t. skb_dst
+
+
+Xtables-addons 1.22 (January 22 2010)
+=====================================
+- compat_xtables: support for 2.6.33 skb_iif changes
+- geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
+- ipset: enable build of ip_set_setlist.ko
+- quota2: add the --no-change mode
+
+
+Xtables-addons 1.21 (December 09 2009)
+======================================
+- ACCOUNT: avoid collision with arp_tables setsockopt numbers
+- doc: fix option mismatch --gw/--gateway in libxt_TEE.man
+
+
 Xtables-addons 1.20 (November 19 2009)
 ======================================
 - ipp2p: add more boundary checks

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -142,7 +142,7 @@ account_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target account_tg_reg = {
 	.name          = "ACCOUNT",
 	.revision      = 1,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
 	.userspacesize = offsetof(struct ipt_acc_info, table_nr),

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -1082,7 +1082,7 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 static struct xt_target xt_acc_reg __read_mostly = {
 	.name = "ACCOUNT",
 	.revision = 1,
-	.family = AF_INET,
+	.family     = NFPROTO_IPV4,
 	.target = ipt_acc_target,
 	.targetsize = sizeof(struct ipt_acc_info),
 	.checkentry = ipt_acc_checkentry,

extensions/ACCOUNT/xt_ACCOUNT.h

@@ -15,8 +15,13 @@
  * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
  * library (libxt_ACCOUNT_cl). Hopefully we are unique at least within our
  * kernel & xtables-addons space.
+ *
+ * Turned out often enough we are not.
+ * 64-67	used by ip_tables, ip6_tables
+ * 96-100	used by arp_tables
+ * 128-131	used by ebtables
  */
-#define SO_ACCOUNT_BASE_CTL 90
+#define SO_ACCOUNT_BASE_CTL 70
 
 #define IPT_SO_SET_ACCOUNT_HANDLE_FREE (SO_ACCOUNT_BASE_CTL + 1)
 #define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (SO_ACCOUNT_BASE_CTL + 2)

extensions/Kbuild

@@ -12,7 +12,10 @@ obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
-obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o ip6table_rawpost.o
+obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o
+ifneq (${CONFIG_IPV6},)
+obj-${build_RAWNAT}      += ip6table_rawpost.o
+endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o
 obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o

extensions/compat_skbuff.h

@@ -25,9 +25,12 @@ static inline struct rtable *skb_rtable(const struct sk_buff *skb)
 #	define skb_ifindex(skb) \
 		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
 #	define skb_ifindex(skb) (skb)->iif
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
+#else
+#	define skb_ifindex(skb) (skb)->skb_iif
+#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #endif
 
 #ifdef CONFIG_NETWORK_SECMARK

extensions/compat_xtables.c

@@ -509,4 +509,18 @@ int xtnu_skb_linearize(struct sk_buff *skb)
 EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
 #endif
 
+void *HX_memmem(const void *space, size_t spacesize,
+    const void *point, size_t pointsize)
+{
+	size_t i;
+
+	if (pointsize > spacesize)
+		return NULL;
+	for (i = 0; i <= spacesize - pointsize; ++i)
+		if (memcmp(space + i, point, pointsize) == 0)
+			return (void *)space + i;
+	return NULL;
+}
+EXPORT_SYMBOL_GPL(HX_memmem);
+
 MODULE_LICENSE("GPL");

extensions/compat_xtables.h

@@ -78,6 +78,15 @@
 #	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
+#	define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
+#else
+#	define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
+#endif
+
+
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \
 		ntohs((addr).s6_addr16[0]), \

extensions/compat_xtnu.h

@@ -154,4 +154,6 @@ extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
 	__be32, __be32, bool);
 extern int xtnu_skb_linearize(struct sk_buff *);
 
+extern void *HX_memmem(const void *, size_t, const void *, size_t);
+
 #endif /* _COMPAT_XTNU_H */

extensions/ipset/Kbuild

@@ -3,4 +3,4 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
-obj-m += ip_set_iptree.o ip_set_iptreemap.o
+obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/ipset/ip_set_ipportnethash.c

@@ -185,7 +185,6 @@ ipportnethash_add(struct ip_set *set,
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	return ret;
 }

extensions/ipset/ip_set_nethash.c

@@ -136,7 +136,6 @@ nethash_add(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	
 	return ret;

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "4.1"
+#define IPSET_VERSION "4.2"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/ipset/ipset_iphash.c

@@ -200,8 +200,7 @@ iphash_printips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
+		printf("%s\n", ip_tostring(*ip, options));
-			printf("%s\n", ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -230,9 +229,7 @@ iphash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
+		printf("-A %s %s\n", set->name, ip_tostring(*ip, options));
-			printf("-A %s %s\n", set->name, 
-			       ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/ipset/ipset_ipporthash.c

@@ -259,13 +259,11 @@ ipporthash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
+		ip = (*ipptr>>16) + mysetdata->first_ip;
-			ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
-			port = (uint16_t) *ipptr;
+		printf("%s,%s\n", 
-			printf("%s,%s\n", 
+		       ip_tostring(ip, options),
-			       ip_tostring(ip, options),
+		       port_tostring(port, options));
-			       port_tostring(port, options));
-		}
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -296,13 +294,11 @@ ipporthash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
+		ip = (*ipptr>>16) + mysetdata->first_ip;
-			ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
-			port = (uint16_t) *ipptr;
+		printf("-A %s %s,%s\n", set->name, 
-			printf("-A %s %s,%s\n", set->name, 
+		       ip_tostring(ip, options),
-			       ip_tostring(ip, options),
+		       port_tostring(port, options));
-			       port_tostring(port, options));
-		}
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/ipset/ipset_ipportiphash.c

@@ -265,15 +265,13 @@ ipportiphash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
-			port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
-			printf("%s,%s,", 
+		       ip_tostring(ip, options),
-			       ip_tostring(ip, options),
+		       port_tostring(port, options));
-			       port_tostring(port, options));
+		printf("%s\n", 
-			printf("%s\n", 
+		       ip_tostring(ipptr->ip1, options));
-			       ip_tostring(ipptr->ip1, options));
-		}
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
@@ -305,15 +303,13 @@ ipportiphash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
-			port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
-			printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
-			       ip_tostring(ip, options),
+		       port_tostring(port, options));
-			       port_tostring(port, options));
+		printf("%s\n",
-			printf("%s\n",
+		       ip_tostring(ipptr->ip1, options));
-			       ip_tostring(ipptr->ip1, options));
-		}
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }

extensions/ipset/ipset_ipportnethash.c

@@ -330,15 +330,13 @@ ipportnethash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip || ipptr->ip1) {
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
-			port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
-			printf("%s,%s,", 
+		       ip_tostring(ip, options),
-			       ip_tostring(ip, options),
+		       port_tostring(port, options));
-			       port_tostring(port, options));
+		printf("%s\n", 
-			printf("%s\n", 
+		       unpack_ip_tostring(ipptr->ip1, options));
-			       unpack_ip_tostring(ipptr->ip1, options));
-		}
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
@@ -370,15 +368,13 @@ ipportnethash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr) {
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
-			port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
-			printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
-			       ip_tostring(ip, options),
+		       port_tostring(port, options));
-			       port_tostring(port, options));
+		printf("%s\n",
-			printf("%s\n",
+		       unpack_ip_tostring(ipptr->ip, options));
-			       unpack_ip_tostring(ipptr->ip, options));
-		}
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }

extensions/ipset/ipset_nethash.c

@@ -232,8 +232,7 @@ nethash_printips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
+		printf("%s\n", unpack_ip_tostring(*ip, options));
-			printf("%s\n", unpack_ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -258,9 +257,8 @@ nethash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
+		printf("-A %s %s\n", set->name,
-			printf("-A %s %s\n", set->name, 
+		       unpack_ip_tostring(*ip, options));
-			       unpack_ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/libxt_CHAOS.c

@@ -95,7 +95,7 @@ static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target chaos_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "CHAOS",
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.help          = chaos_tg_help,

extensions/libxt_DELUDE.c

@@ -33,9 +33,7 @@ static struct xtables_target delude_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DELUDE",
 	.revision      = 0,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = delude_tg_help,
 	.parse         = delude_tg_parse,
 	.final_check   = delude_tg_check,

extensions/libxt_DHCPMAC.c

@@ -84,7 +84,7 @@ static struct xtables_target dhcpmac_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DHCPMAC",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.help          = dhcpmac_tg_help,

extensions/libxt_ECHO.c

@@ -29,9 +29,7 @@ static void echo_tg_check(unsigned int flags)
 static struct xtables_target echo_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ECHO",
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = echo_tg_help,
 	.parse         = echo_tg_parse,
 	.final_check   = echo_tg_check,

extensions/libxt_IPMARK.c

@@ -151,7 +151,7 @@ ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
 static struct xtables_target ipmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "IPMARK",
-	.family        = PF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.revision      = 1,
 	.size          = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),

extensions/libxt_LOGMARK.c

@@ -100,7 +100,7 @@ static struct xtables_target logmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "LOGMARK",
 	.revision      = 0,
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.help          = logmark_tg_help,

extensions/libxt_RAWDNAT.c

@@ -154,7 +154,7 @@ static struct xtables_target rawdnat_tg4_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWDNAT",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawdnat_tg_help,
@@ -169,7 +169,7 @@ static struct xtables_target rawdnat_tg6_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWDNAT",
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawdnat_tg_help,

extensions/libxt_RAWSNAT.c

@@ -154,7 +154,7 @@ static struct xtables_target rawsnat_tg4_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWSNAT",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawsnat_tg_help,
@@ -169,7 +169,7 @@ static struct xtables_target rawsnat_tg6_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWSNAT",
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawsnat_tg_help,

extensions/libxt_STEAL.c

@@ -19,9 +19,7 @@ static void steal_tg_check(unsigned int flags)
 static struct xtables_target steal_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "STEAL",
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = steal_tg_help,
 	.parse         = steal_tg_parse,
 	.final_check   = steal_tg_check,

extensions/libxt_SYSRQ.c

@@ -25,9 +25,7 @@ static struct xtables_target sysrq_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "SYSRQ",
 	.revision      = 1,
-	.family        = PF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = sysrq_tg_help,
 	.parse         = sysrq_tg_parse,
 	.final_check   = sysrq_tg_check,

extensions/libxt_TARPIT.c

@@ -24,9 +24,7 @@ static void tarpit_tg_check(unsigned int flags)
 static struct xtables_target tarpit_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "TARPIT",
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = tarpit_tg_help,
 	.parse         = tarpit_tg_parse,
 	.final_check   = tarpit_tg_check,

extensions/libxt_TEE.c

@@ -51,7 +51,7 @@ static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 	case 'g':
 		if (*flags & FLAG_GATEWAY)
 			xtables_error(PARAMETER_PROBLEM,
-			           "Cannot specify --gw more than once");
+			           "Cannot specify --gateway more than once");
 
 		ia = xtables_numeric_to_ipaddr(optarg);
 		if (ia == NULL)
@@ -76,7 +76,7 @@ static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
 	case 'g':
 		if (*flags & FLAG_GATEWAY)
 			xtables_error(PARAMETER_PROBLEM,
-			           "Cannot specify --gw more than once");
+			           "Cannot specify --gateway more than once");
 
 		ia = xtables_numeric_to_ip6addr(optarg);
 		if (ia == NULL)
@@ -138,7 +138,7 @@ static struct xtables_target tee_tg_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,
@@ -153,7 +153,7 @@ static struct xtables_target tee_tg6_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,

extensions/libxt_TEE.man

@@ -3,6 +3,10 @@ machine on the \fBlocal\fP network segment. In other words, the nexthop
 must be the target, or you will have to configure the nexthop to forward it
 further if so desired.
 .TP
-\fB\-\-gw\fP \fIipaddr\fP
+\fB\-\-gateway\fP \fIipaddr\fP
 Send the cloned packet to the host reachable at the given IP address.
 Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
+.PP
+To forward all incoming traffic on eth0 to an Network Layer logging box:
+.PP
+\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1

extensions/libxt_condition.c

@@ -80,7 +80,7 @@ static void condition_save(const void *ip, const struct xt_entry_match *match)
 static struct xtables_match condition_mt_reg = {
 	.name 		= "condition",
 	.revision	= 1,
-	.family		= PF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.version 	= XTABLES_VERSION,
 	.size 		= XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
 	.userspacesize 	= XT_ALIGN(sizeof(struct xt_condition_mtinfo)),

extensions/libxt_dhcpmac.c

@@ -85,7 +85,7 @@ static struct xtables_match dhcpmac_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "dhcpmac",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.help          = dhcpmac_mt_help,

extensions/libxt_fuzzy.c

@@ -103,6 +103,7 @@ static struct xtables_match fuzzy_mt_reg = {
 	.name          = "fuzzy",
 	.revision      = 1,
 	.version       = XTABLES_VERSION,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
 	.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
 	.help          = fuzzy_mt_help,

extensions/libxt_geoip.c

@@ -24,7 +24,7 @@
 #include <unistd.h>
 #include <xtables.h>
 #include "xt_geoip.h"
-#define GEOIP_DB_DIR "/var/geoip"
+#define GEOIP_DB_DIR "/usr/share/xt_geoip"
 
 static void geoip_help(void)
 {
@@ -259,7 +259,7 @@ geoip_save(const void *ip, const struct xt_entry_match *match)
 }
 
 static struct xtables_match geoip_match = {
-	 .family        = AF_INET,
+	 .family        = NFPROTO_IPV4,
 	 .name          = "geoip",
 	 .revision      = 1,
 	 .version       = XTABLES_VERSION,

extensions/libxt_geoip.man

@@ -7,10 +7,11 @@ Match packet coming from (one of) the specified country(ies)
 Match packet going to (one of) the specified country(ies)
 .TP
 NOTE:
-The country is inputed by its ISO3166 code.
+The country is inputed by its ISO-3166 code.
-.P
+.PP
 The extra files you will need is the binary database files. They are generated
 from a country-subnet database with the geoip_csv_iv0.pl tool, available at
-http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to /var/geoip/
+http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to
+/usr/share/xt_geoip/
 as the shared library is statically looking for this pathname (e.g.
-/var/geoip/LE/de.iv0).
+/usr/share/xt_geoip/LE/de.iv0).

extensions/libxt_iface.c

@@ -200,7 +200,7 @@ static struct xtables_match iface_mt_reg = {
 	.version	= XTABLES_VERSION,
 	.name		= "iface",
 	.revision	= 0,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.size		= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.help		= iface_mt_help,

extensions/libxt_ipp2p.c

@@ -229,7 +229,7 @@ static struct xtables_match ipp2p_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipp2p",
 	.revision      = 1,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.help          = ipp2p_mt_help,

extensions/libxt_ipv4options.c

@@ -161,7 +161,7 @@ static struct xtables_match ipv4options_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipv4options",
 	.revision      = 1,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
 	.help          = ipv4options_mt_help,

extensions/libxt_length2.c

@@ -155,7 +155,7 @@ static struct xtables_match length2_mt_reg = {
 	.version        = XTABLES_VERSION,
 	.name           = "length2",
 	.revision       = 2,
-	.family         = PF_UNSPEC,
+	.family         = NFPROTO_UNSPEC,
 	.size           = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
 	.userspacesize  = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
 	.init           = length_mt_init,

extensions/libxt_lscan.c

@@ -105,7 +105,7 @@ static struct xtables_match lscan_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "lscan",
 	.revision      = 0,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
 	.help          = lscan_mt_help,

extensions/libxt_psd.c

@@ -139,7 +139,7 @@ static struct xtables_match psd_mt_reg = {
 	.name			= "psd",
 	.version		= XTABLES_VERSION,
 	.revision   	= 1,
-	.family			= PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size			= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.help			= psd_mt_help,

extensions/libxt_quota2.c

@@ -17,17 +17,19 @@
 #include "xt_quota2.h"
 
 enum {
-	FL_QUOTA  = 1 << 0,
+	FL_QUOTA     = 1 << 0,
-	FL_NAME   = 1 << 1,
+	FL_NAME      = 1 << 1,
-	FL_GROW   = 1 << 2,
+	FL_GROW      = 1 << 2,
-	FL_PACKET = 1 << 3,
+	FL_PACKET    = 1 << 3,
+	FL_NO_CHANGE = 1 << 4,
 };
 
 static const struct option quota_mt2_opts[] = {
-	{.name = "grow",    .has_arg = false, .val = 'g'},
+	{.name = "grow",      .has_arg = false, .val = 'g'},
-	{.name = "name",    .has_arg = true,  .val = 'n'},
+	{.name = "no-change", .has_arg = false, .val = 'c'},
-	{.name = "quota",   .has_arg = true,  .val = 'q'},
+	{.name = "name",      .has_arg = true,  .val = 'n'},
-	{.name = "packets", .has_arg = false, .val = 'p'},
+	{.name = "quota",     .has_arg = true,  .val = 'q'},
+	{.name = "packets",   .has_arg = false, .val = 'p'},
 	{NULL},
 };
 
@@ -36,6 +38,7 @@ static void quota_mt2_help(void)
 	printf(
 	"quota match options:\n"
 	"    --grow           provide an increasing counter\n"
+	"    --no-change      never change counter/quota value for matching packets\n"
 	"    --name name      name for the file in sysfs\n"
 	"[!] --quota quota    initial quota (bytes or packets)\n"
 	"    --packets        count packets instead of bytes\n"
@@ -56,6 +59,12 @@ quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
 		info->flags |= XT_QUOTA_GROW;
 		*flags |= FL_GROW;
 		return true;
+	case 'c': /* no-change */
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--no-change", *flags & FL_NO_CHANGE);
+		xtables_param_act(XTF_NO_INVERT, "quota", "--no-change", invert);
+		info->flags |= XT_QUOTA_NO_CHANGE;
+		*flags |= FL_NO_CHANGE;
+		return true;
 	case 'n':
 		/* zero termination done on behalf of the kernel module */
 		xtables_param_act(XTF_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
@@ -92,6 +101,8 @@ quota_mt2_save(const void *ip, const struct xt_entry_match *match)
 		printf("! ");
 	if (q->flags & XT_QUOTA_GROW)
 		printf("--grow ");
+	if (q->flags & XT_QUOTA_NO_CHANGE)
+		printf("--no-change ");
 	if (q->flags & XT_QUOTA_PACKET)
 		printf("--packets ");
 	if (*q->name != '\0')
@@ -117,10 +128,12 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
 		printf("packets ");
 	else
 		printf("bytes ");
+	if (q->flags & XT_QUOTA_NO_CHANGE)
+		printf("(no-change mode) ");
 }
 
 static struct xtables_match quota_mt2_reg = {
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.revision      = 3,
 	.name          = "quota2",
 	.version       = XTABLES_VERSION,

extensions/libxt_quota2.man

@@ -10,6 +10,12 @@ the match will return false, just like the original "quota" match. In growing
 \fB\-\-grow\fP
 Count upwards instead of downwards.
 .TP
+\fB\-\-no\-change\fP
+Makes it so the counter or quota amount is never changed by packets matching
+this rule. This is only really useful in "quota" mode, as it will allow you to
+use complex prerouting rules in association with the quota system, without
+counting a packet twice.
+.TP
 \fB\-\-name\fP \fIname\fP
 Assign the counter a specific name. This option must be present, as an empty
 name is not allowed. Names starting with a dot or names containing a slash are

extensions/pknock/libxt_pknock.c

@@ -326,7 +326,7 @@ static struct xtables_match pknock_mt_reg = {
 	.name		= "pknock",
 	.version	= XTABLES_VERSION,
 	.revision      = 1,
-	.family		= AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
 	.help          = pknock_mt_help,

extensions/xt_DHCPMAC.c

@@ -139,7 +139,7 @@ static struct xt_match dhcpmac_mt_reg __read_mostly = {
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
 	.match      = dhcpmac_mt,
-	.matchsize  = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.matchsize  = sizeof(struct dhcpmac_info),
 	.me         = THIS_MODULE,
 };
 

extensions/xt_ECHO.c

@@ -32,7 +32,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 	unsigned int addr_type, data_len;
 	void *payload;
 
-	printk(KERN_INFO "dst_out=%p\n", (*poldskb)->dst->output);
+	printk(KERN_INFO "dst_out=%p\n", skb_dst(*poldskb)->output);
 
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(*poldskb) < 0)
@@ -84,18 +84,17 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 #endif
 		addr_type = RTN_LOCAL;
 
-	/* ip_route_me_harder expects skb->dst to be set */
+	/* ip_route_me_harder expects the skb's dst to be set */
-	dst_hold(oldskb->dst);
+	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
-	newskb->dst = oldskb->dst;
 
 	if (ip_route_me_harder(&newskb, addr_type) < 0)
 		goto free_nskb;
 
-	newip->ttl        = dst_metric(newskb->dst, RTAX_HOPLIMIT);
+	newip->ttl        = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
 	newskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" (?) */
-	if (newskb->len > dst_mtu(newskb->dst))
+	if (newskb->len > dst_mtu(skb_dst(newskb)))
 		goto free_nskb;
 
 	nf_ct_attach(newskb, *poldskb);
@@ -114,7 +113,6 @@ static struct xt_target echo_tg_reg __read_mostly = {
 	.proto      = IPPROTO_UDP,
 	.table      = "filter",
 	.target     = echo_tg4,
-	.targetsize = XT_ALIGN(0),
 	.me         = THIS_MODULE,
 };
 

extensions/xt_IPMARK.c

@@ -86,7 +86,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.table      = "mangle",
 		.target     = ipmark_tg4,
-		.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
+		.targetsize = sizeof(struct xt_ipmark_tginfo),
 		.me         = THIS_MODULE,
 	},
 	{
@@ -95,7 +95,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.table      = "mangle",
 		.target     = ipmark_tg6,
-		.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
+		.targetsize = sizeof(struct xt_ipmark_tginfo),
 		.me         = THIS_MODULE,
 	},
 };

extensions/xt_RAWNAT.c

@@ -22,6 +22,10 @@
 #include "compat_xtables.h"
 #include "xt_RAWNAT.h"
 
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 static inline __be32
 remask(__be32 addr, __be32 repl, unsigned int shift)
 {
@@ -29,6 +33,7 @@ remask(__be32 addr, __be32 repl, unsigned int shift)
 	return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
 }
 
+#ifdef WITH_IPV6
 static void
 rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 {
@@ -72,6 +77,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		break;
 	}
 }
+#endif
 
 static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
 {
@@ -162,6 +168,7 @@ rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
+#ifdef WITH_IPV6
 static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
     unsigned int *l4proto)
 {
@@ -274,6 +281,7 @@ rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
 	return XT_CONTINUE;
 }
+#endif
 
 static bool rawnat_tg_check(const struct xt_tgchk_param *par)
 {
@@ -296,6 +304,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "RAWSNAT",
 		.revision   = 0,
@@ -305,6 +314,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 	{
 		.name       = "RAWDNAT",
 		.revision   = 0,
@@ -314,6 +324,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "RAWDNAT",
 		.revision   = 0,
@@ -323,6 +334,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
 static int __init rawnat_tg_init(void)

extensions/xt_SYSRQ.c

@@ -1,6 +1,6 @@
 /*
  *	"SYSRQ" target extension for Netfilter
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
  *
@@ -23,6 +23,14 @@
 #include <net/ip.h>
 #include "compat_xtables.h"
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) && \
+    (defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE))
+#	define WITH_CRYPTO 1
+#endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 static bool sysrq_once;
 static char sysrq_password[64];
 static char sysrq_hash[16] = "sha1";
@@ -38,7 +46,7 @@ MODULE_PARM_DESC(hash, "hash algorithm, default sha1");
 MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
 MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#ifdef WITH_CRYPTO
 static struct crypto_hash *sysrq_tfm;
 static int sysrq_digest_size;
 static unsigned char *sysrq_digest_password;
@@ -200,8 +208,8 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 		return NF_DROP;
 
 	iph = ip_hdr(skb);
-	if (iph->protocol != IPPROTO_UDP)
+	if (iph->protocol != IPPROTO_UDP && iph->protocol != IPPROTO_UDPLITE)
-		return NF_ACCEPT; /* sink it */
+		return NF_DROP;
 
 	udph = (const void *)iph + ip_hdrlen(skb);
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
@@ -214,6 +222,7 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
 
+#ifdef WITH_IPV6
 static unsigned int
 sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 {
@@ -230,7 +239,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	iph = ipv6_hdr(skb);
 	if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
 	    frag_off > 0)
-		return NF_ACCEPT; /* sink it */
+		return NF_DROP;
 
 	udph = (const void *)iph + th_off;
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
@@ -242,6 +251,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 		       ntohs(udph->dest), len);
 	return sysrq_tg(udph + sizeof(struct udphdr), len);
 }
+#endif
 
 static bool sysrq_tg_check(const struct xt_tgchk_param *par)
 {
@@ -278,6 +288,7 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 		.checkentry = sysrq_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "SYSRQ",
 		.revision   = 1,
@@ -286,12 +297,28 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 		.checkentry = sysrq_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
-static int __init sysrq_tg_init(void)
+static void sysrq_crypto_exit(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#ifdef WITH_CRYPTO
+	if (sysrq_tfm)
+		crypto_free_hash(sysrq_tfm);
+	if (sysrq_digest)
+		kfree(sysrq_digest);
+	if (sysrq_hexdigest)
+		kfree(sysrq_hexdigest);
+	if (sysrq_digest_password)
+		kfree(sysrq_digest_password);
+#endif
+}
+
+static int __init sysrq_crypto_init(void)
+{
+#if defined(WITH_CRYPTO)
 	struct timeval now;
+	int ret;
 
 	sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
 	if (IS_ERR(sysrq_tfm)) {
@@ -299,10 +326,12 @@ static int __init sysrq_tg_init(void)
 			": Error: Could not find or load %s hash\n",
 			sysrq_hash);
 		sysrq_tfm = NULL;
+		ret = PTR_ERR(sysrq_tfm);
 		goto fail;
 	}
 	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
 	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
+	ret = -ENOMEM;
 	if (sysrq_digest == NULL) {
 		printk(KERN_WARNING KBUILD_MODNAME
 			": Cannot allocate digest\n");
@@ -322,33 +351,31 @@ static int __init sysrq_tg_init(void)
 	}
 	do_gettimeofday(&now);
 	sysrq_seqno = now.tv_sec;
-	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	if (ret < 0)
+		goto fail;
+	return ret;
 
  fail:
-	if (sysrq_tfm)
+	sysrq_crypto_exit();
-		crypto_free_hash(sysrq_tfm);
+	return ret;
-	if (sysrq_digest)
+#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 19)
-		kfree(sysrq_digest);
+	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for < 2.6.19\n");
-	if (sysrq_hexdigest)
-		kfree(sysrq_hexdigest);
-	if (sysrq_digest_password)
-		kfree(sysrq_digest_password);
-	return -EINVAL;
-#else
-	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for <= 2.6.18\n");
-	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 #endif
+	return -EINVAL;
+}
+
+static int __init sysrq_tg_init(void)
+{
+	if (sysrq_crypto_init() < 0)
+		printk(KERN_WARNING "xt_SYSRQ starting without crypto\n");
+	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 }
 
 static void __exit sysrq_tg_exit(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	sysrq_crypto_exit();
-	crypto_free_hash(sysrq_tfm);
+	xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
-	kfree(sysrq_digest);
-	kfree(sysrq_hexdigest);
-	kfree(sysrq_digest_password);
-#endif
-	return xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 }
 
 module_init(sysrq_tg_init);

extensions/xt_TEE.c

@@ -175,7 +175,8 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	/*
 	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
 	 * the original skb, which should continue on its way as if nothing has
-	 * happened. The copy should be independently delivered to the TEE --gw.
+	 * happened. The copy should be independently delivered to the TEE
+	 * --gateway.
 	 */
 	skb = skb_copy(skb, GFP_ATOMIC);
 	if (skb == NULL) {
@@ -231,6 +232,7 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 
 	memset(&fl, 0, sizeof(fl));
 	fl.iif = skb_ifindex(skb);
+	/* No mark in flowi before 2.6.19 */
 #if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
 	fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)

extensions/xt_condition.c

@@ -35,6 +35,7 @@ static unsigned int condition_gid_perms = 0;
 
 MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
 MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Allows rules to match against condition variables");
 MODULE_LICENSE("GPL");
 module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
@@ -55,7 +56,7 @@ struct condition_variable {
 
 /* proc_lock is a user context only semaphore used for write access */
 /*           to the conditions' list.                               */
-static struct semaphore proc_lock;
+static struct mutex proc_lock;
 
 static LIST_HEAD(conditions_list);
 static struct proc_dir_entry *proc_net_condition;
@@ -69,7 +70,6 @@ static int condition_proc_read(char __user *buffer, char **start, off_t offset,
 	buffer[1] = '\n';
 	if (length >= 2)
 		*eof = true;
-
 	return 2;
 }
 
@@ -92,7 +92,6 @@ static int condition_proc_write(struct file *file, const char __user *buffer,
 			break;
 		}
 	}
-
 	return length;
 }
 
@@ -124,18 +123,17 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 		       info->name);
 		return false;
 	}
-
 	/*
 	 * Let's acquire the lock, check for the condition and add it
 	 * or increase the reference counter.
 	 */
-	if (down_interruptible(&proc_lock))
+	if (mutex_lock_interruptible(&proc_lock) != 0)
 		return false;
 
 	list_for_each_entry(var, &conditions_list, list) {
 		if (strcmp(info->name, var->status_proc->name) == 0) {
 			var->refcount++;
-			up(&proc_lock);
+			mutex_unlock(&proc_lock);
 			info->condvar = var;
 			return true;
 		}
@@ -143,19 +141,17 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 
 	/* At this point, we need to allocate a new condition variable. */
 	var = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);
-
 	if (var == NULL) {
-		up(&proc_lock);
+		mutex_unlock(&proc_lock);
 		return false;
 	}
 
 	/* Create the condition variable's proc file entry. */
 	var->status_proc = create_proc_entry(info->name, condition_list_perms,
 	                   proc_net_condition);
-
 	if (var->status_proc == NULL) {
 		kfree(var);
-		up(&proc_lock);
+		mutex_unlock(&proc_lock);
 		return false;
 	}
 
@@ -168,14 +164,10 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 	wmb();
 	var->status_proc->read_proc  = condition_proc_read;
 	var->status_proc->write_proc = condition_proc_write;
-
 	list_add_rcu(&var->list, &conditions_list);
-
 	var->status_proc->uid = condition_uid_perms;
 	var->status_proc->gid = condition_gid_perms;
-
+	mutex_unlock(&proc_lock);
-	up(&proc_lock);
-
 	info->condvar = var;
 	return true;
 }
@@ -185,11 +177,11 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 	const struct xt_condition_mtinfo *info = par->matchinfo;
 	struct condition_variable *var = info->condvar;
 
-	down(&proc_lock);
+	mutex_lock(&proc_lock);
 	if (--var->refcount == 0) {
 		list_del_rcu(&var->list);
 		remove_proc_entry(var->status_proc->name, proc_net_condition);
-		up(&proc_lock);
+		mutex_unlock(&proc_lock);
 		/*
 		 * synchronize_rcu() would be good enough, but
 		 * synchronize_net() guarantees that no packet
@@ -200,7 +192,7 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 		kfree(var);
 		return;
 	}
-	up(&proc_lock);
+	mutex_unlock(&proc_lock);
 }
 
 static struct xt_match condition_mt_reg[] __read_mostly = {
@@ -208,7 +200,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 		.name       = "condition",
 		.revision   = 1,
 		.family     = NFPROTO_IPV4,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
+		.matchsize  = sizeof(struct xt_condition_mtinfo),
 		.match      = condition_mt,
 		.checkentry = condition_mt_check,
 		.destroy    = condition_mt_destroy,
@@ -218,7 +210,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 		.name       = "condition",
 		.revision   = 1,
 		.family     = NFPROTO_IPV6,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
+		.matchsize  = sizeof(struct xt_condition_mtinfo),
 		.match      = condition_mt,
 		.checkentry = condition_mt_check,
 		.destroy    = condition_mt_destroy,
@@ -232,7 +224,7 @@ static int __init condition_mt_init(void)
 {
 	int ret;
 
-	sema_init(&proc_lock, 1);
+	mutex_init(&proc_lock);
 	proc_net_condition = proc_mkdir(dir_name, init_net__proc_net);
 	if (proc_net_condition == NULL)
 		return -EACCES;

extensions/xt_fuzzy.c

@@ -146,7 +146,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+		.matchsize  = sizeof(struct xt_fuzzy_mtinfo),
 		.me         = THIS_MODULE,
 	},
 	{
@@ -155,7 +155,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+		.matchsize  = sizeof(struct xt_fuzzy_mtinfo),
 		.me         = THIS_MODULE,
 	},
 };

extensions/xt_iface.c

@@ -71,7 +71,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
 		.name       = "iface",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.matchsize  = sizeof(struct xt_iface_mtinfo),
 		.match      = xt_iface_mt,
 		.me         = THIS_MODULE,
 	},
@@ -79,7 +79,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
 		.name       = "iface",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.matchsize  = sizeof(struct xt_iface_mtinfo),
 		.match      = xt_iface_mt,
 		.me         = THIS_MODULE,
 	},

extensions/xt_ipp2p.c

@@ -505,19 +505,18 @@ search_bittorrent(const unsigned char *payload, const unsigned int plen)
 		if (payload[0] == 0x13)
 			if (memcmp(payload + 1, "BitTorrent protocol", 19) == 0)
 				return IPP2P_BIT * 100;
-
 		/*
-		 * get tracker commandos, all starts with GET /
+		 * Any tracker command starts with GET / then *may be* some file on web server
-		 * then it can follow: scrape| announce
+		 * (e.g. announce.php or dupa.pl or whatever.cgi or NOTHING for tracker on root dir)
-		 * and then ?hash_info=
+		 * but *must have* one (or more) of strings listed below (true for scrape and announce)
 		 */
 		if (memcmp(payload, "GET /", 5) == 0) {
-			/* message scrape */
+			if (HX_memmem(payload, plen, "info_hash=", 9) != NULL)
-			if (memcmp(payload + 5, "scrape?info_hash=", 17) == 0)
 				return IPP2P_BIT * 100 + 1;
-			/* message announce */
+			if (HX_memmem(payload, plen, "peer_id=", 8) != NULL)
-			if (memcmp(payload + 5, "announce?info_hash=", 19) == 0)
 				return IPP2P_BIT * 100 + 2;
+			if (HX_memmem(payload, plen, "passkey=", 8) != NULL)
+				return IPP2P_BIT * 100 + 4;
 		}
 	} else {
 	    	/* bitcomet encryptes the first packet, so we have to detect another

extensions/xt_ipv4options.c

@@ -50,7 +50,7 @@ static struct xt_match ipv4options_mt_reg __read_mostly = {
 	.revision  = 1,
 	.family    = NFPROTO_IPV4,
 	.match     = ipv4options_mt,
-	.matchsize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.matchsize = sizeof(struct xt_ipv4options_mtinfo1),
 	.me        = THIS_MODULE,
 };
 

extensions/xt_length2.c

@@ -136,6 +136,30 @@ static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
 	}
 }
 
+static bool
+length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_length_mtinfo2 *info = par->matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+	unsigned int len = 0;
+	bool hit = true;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		len = ntohs(iph->tot_len);
+	else if (info->flags & XT_LENGTH_LAYER4)
+		len = ntohs(iph->tot_len) - par->thoff;
+	else if (info->flags & XT_LENGTH_LAYER5)
+		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
+	else if (info->flags & XT_LENGTH_LAYER7)
+		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
+	if (!hit)
+		return false;
+
+	return (len >= info->min && len <= info->max) ^
+	       !!(info->flags & XT_LENGTH_INVERT);
+}
+
+#ifdef WITH_IPV6
 /**
  * llayer4_proto - figure out the L4 protocol in an IPv6 packet
  * @skb:	skb pointer
@@ -173,30 +197,6 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
 	return NEXTHDR_MAX;
 }
 
-static bool
-length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-	const struct xt_length_mtinfo2 *info = par->matchinfo;
-	const struct iphdr *iph = ip_hdr(skb);
-	unsigned int len = 0;
-	bool hit = true;
-
-	if (info->flags & XT_LENGTH_LAYER3)
-		len = ntohs(iph->tot_len);
-	else if (info->flags & XT_LENGTH_LAYER4)
-		len = ntohs(iph->tot_len) - par->thoff;
-	else if (info->flags & XT_LENGTH_LAYER5)
-		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
-	else if (info->flags & XT_LENGTH_LAYER7)
-		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
-	if (!hit)
-		return false;
-
-	return (len >= info->min && len <= info->max) ^
-	       !!(info->flags & XT_LENGTH_INVERT);
-}
-
-#ifdef WITH_IPV6
 static bool
 length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 {

extensions/xt_psd.c

@@ -312,7 +312,7 @@ out_match:
 
 static struct xt_match xt_psd_reg __read_mostly = {
 	.name		= "psd",
-    .family		= AF_INET,
+	.family    = NFPROTO_IPV4,
 	.revision  = 1,
 	.match		= xt_psd_match,
 	.matchsize	= sizeof(struct xt_psd_info),

extensions/xt_quota2.Kconfig

@@ -5,4 +5,5 @@ config NETFILTER_XT_MATCH_QUOTA2
 	This option adds the "quota2" match which is an advanced form of
 	xt_quota that also allows counting upwards, and where the counter can
 	be set through procfs. This allows for simple interfacing of
-	accounting information.
+	accounting information. It also allows for a test mode without changing
+	the quota value.

extensions/xt_quota2.c

@@ -199,12 +199,19 @@ quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
 
 	spin_lock_bh(&e->lock);
 	if (q->flags & XT_QUOTA_GROW) {
-		e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+		/*
-		q->quota = e->quota;
+		 * While no_change is pointless in "grow" mode, we will
+		 * implement it here simply to have a consistent behavior.
+		 */
+		if (!(q->flags & XT_QUOTA_NO_CHANGE)) {
+			e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+			q->quota = e->quota;
+		}
 		ret = true;
 	} else {
 		if (e->quota >= skb->len) {
-			e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+			if (!(q->flags & XT_QUOTA_NO_CHANGE))
+				e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
 			ret = !ret;
 		} else {
 			/* we do not allow even small packets from now on */

extensions/xt_quota2.h

@@ -2,10 +2,11 @@
 #define _XT_QUOTA_H
 
 enum xt_quota_flags {
-	XT_QUOTA_INVERT = 1 << 0,
+	XT_QUOTA_INVERT    = 1 << 0,
-	XT_QUOTA_GROW   = 1 << 1,
+	XT_QUOTA_GROW      = 1 << 1,
-	XT_QUOTA_PACKET = 1 << 2,
+	XT_QUOTA_PACKET    = 1 << 2,
-	XT_QUOTA_MASK   = 0x7,
+	XT_QUOTA_NO_CHANGE = 1 << 3,
+	XT_QUOTA_MASK      = 0x0F,
 };
 
 struct xt_quota_counter;

include/linux/netfilter.h

@@ -3,6 +3,7 @@
 
 #include <linux/types.h>
 
+
 /* Responses from hook functions. */
 #define NF_DROP 0
 #define NF_ACCEPT 1
@@ -37,6 +38,16 @@ enum nf_inet_hooks {
 	NF_INET_NUMHOOKS
 };
 
+enum {
+	NFPROTO_UNSPEC =  0,
+	NFPROTO_IPV4   =  2,
+	NFPROTO_ARP    =  3,
+	NFPROTO_BRIDGE =  7,
+	NFPROTO_IPV6   = 10,
+	NFPROTO_DECNET = 12,
+	NFPROTO_NUMPROTO,
+};
+
 union nf_inet_addr {
 	__u32		all[4];
 	__be32		ip;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.20 (2009-11-19)" "" "v1.20 (2009-11-19)"
+.TH xtables-addons 8 "v1.24 (2010-03-17)" "" "v1.24 (2010-03-17)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets