Xtables-addons 1.22

In case only modules that are built in subdirectories of extensions
are enabled (and thus nothing is build in extensions directory itself)
installation fails with the error (only build_ACCOUNT=y in mconfig):

install -pm0755
"/vt/portage/tmp/portage/net-firewall/xtables-addons-1.21/image/
//usr/local/libexec/xtables";
install: missing destination file operand after
"/vt/portage/tmp/portage/net-firewall/xtables-addons-1.21/image/
//usr/local/libexec/xtables"
Try `install --help' for more information.
make[3]: *** [install] Error 1

Makefile.iptrules.in

@@ -47,7 +47,7 @@ all: ${targets}
 install: ${targets}
 	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
 	install -dm0755 "${DESTDIR}/${xtlibdir}";
-	install -pm0755 $^ "${DESTDIR}/${xtlibdir}";
+	@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
 
 clean:
 	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.21])
+AC_INIT([xtables-addons], [1.22])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL

doc/changelog.txt

@@ -3,6 +3,14 @@ HEAD
 ====
 
 
+Xtables-addons 1.22 (January 22 2009)
+=====================================
+- compat_xtables: support for 2.6.33 skb_iif changes
+- geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
+- ipset: enable build of ip_set_setlist.ko
+- quota2: add the --no-change mode
+
+
 Xtables-addons 1.21 (December 09 2009)
 ======================================
 - ACCOUNT: avoid collision with arp_tables setsockopt numbers

extensions/compat_skbuff.h

@@ -25,9 +25,12 @@ static inline struct rtable *skb_rtable(const struct sk_buff *skb)
 #	define skb_ifindex(skb) \
 		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
 #	define skb_ifindex(skb) (skb)->iif
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
+#else
+#	define skb_ifindex(skb) (skb)->skb_iif
+#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #endif
 
 #ifdef CONFIG_NETWORK_SECMARK

extensions/ipset/Kbuild

@@ -3,4 +3,4 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
-obj-m += ip_set_iptree.o ip_set_iptreemap.o
+obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/libxt_geoip.c

@@ -24,7 +24,7 @@
 #include <unistd.h>
 #include <xtables.h>
 #include "xt_geoip.h"
-#define GEOIP_DB_DIR "/var/geoip"
+#define GEOIP_DB_DIR "/usr/share/xt_geoip"
 
 static void geoip_help(void)
 {

extensions/libxt_geoip.man

@@ -7,10 +7,11 @@ Match packet coming from (one of) the specified country(ies)
 Match packet going to (one of) the specified country(ies)
 .TP
 NOTE:
-The country is inputed by its ISO3166 code.
+The country is inputed by its ISO-3166 code.
-.P
+.PP
 The extra files you will need is the binary database files. They are generated
 from a country-subnet database with the geoip_csv_iv0.pl tool, available at
-http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to /var/geoip/
+http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to
+/usr/share/xt_geoip/
 as the shared library is statically looking for this pathname (e.g.
-/var/geoip/LE/de.iv0).
+/usr/share/xt_geoip/LE/de.iv0).

extensions/libxt_quota2.c

@@ -17,17 +17,19 @@
 #include "xt_quota2.h"
 
 enum {
-	FL_QUOTA  = 1 << 0,
+	FL_QUOTA     = 1 << 0,
-	FL_NAME   = 1 << 1,
+	FL_NAME      = 1 << 1,
-	FL_GROW   = 1 << 2,
+	FL_GROW      = 1 << 2,
-	FL_PACKET = 1 << 3,
+	FL_PACKET    = 1 << 3,
+	FL_NO_CHANGE = 1 << 4,
 };
 
 static const struct option quota_mt2_opts[] = {
-	{.name = "grow",    .has_arg = false, .val = 'g'},
+	{.name = "grow",      .has_arg = false, .val = 'g'},
-	{.name = "name",    .has_arg = true,  .val = 'n'},
+	{.name = "no-change", .has_arg = false, .val = 'c'},
-	{.name = "quota",   .has_arg = true,  .val = 'q'},
+	{.name = "name",      .has_arg = true,  .val = 'n'},
-	{.name = "packets", .has_arg = false, .val = 'p'},
+	{.name = "quota",     .has_arg = true,  .val = 'q'},
+	{.name = "packets",   .has_arg = false, .val = 'p'},
 	{NULL},
 };
 
@@ -36,6 +38,7 @@ static void quota_mt2_help(void)
 	printf(
 	"quota match options:\n"
 	"    --grow           provide an increasing counter\n"
+	"    --no-change      never change counter/quota value for matching packets\n"
 	"    --name name      name for the file in sysfs\n"
 	"[!] --quota quota    initial quota (bytes or packets)\n"
 	"    --packets        count packets instead of bytes\n"
@@ -56,6 +59,12 @@ quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
 		info->flags |= XT_QUOTA_GROW;
 		*flags |= FL_GROW;
 		return true;
+	case 'c': /* no-change */
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--no-change", *flags & FL_NO_CHANGE);
+		xtables_param_act(XTF_NO_INVERT, "quota", "--no-change", invert);
+		info->flags |= XT_QUOTA_NO_CHANGE;
+		*flags |= FL_NO_CHANGE;
+		return true;
 	case 'n':
 		/* zero termination done on behalf of the kernel module */
 		xtables_param_act(XTF_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
@@ -92,6 +101,8 @@ quota_mt2_save(const void *ip, const struct xt_entry_match *match)
 		printf("! ");
 	if (q->flags & XT_QUOTA_GROW)
 		printf("--grow ");
+	if (q->flags & XT_QUOTA_NO_CHANGE)
+		printf("--no-change ");
 	if (q->flags & XT_QUOTA_PACKET)
 		printf("--packets ");
 	if (*q->name != '\0')
@@ -117,6 +128,8 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
 		printf("packets ");
 	else
 		printf("bytes ");
+	if (q->flags & XT_QUOTA_NO_CHANGE)
+		printf("(no-change mode) ");
 }
 
 static struct xtables_match quota_mt2_reg = {

extensions/libxt_quota2.man

@@ -10,6 +10,12 @@ the match will return false, just like the original "quota" match. In growing
 \fB\-\-grow\fP
 Count upwards instead of downwards.
 .TP
+\fB\-\-no\-change\fP
+Makes it so the counter or quota amount is never changed by packets matching
+this rule. This is only really useful in "quota" mode, as it will allow you to
+use complex prerouting rules in association with the quota system, without
+counting a packet twice.
+.TP
 \fB\-\-name\fP \fIname\fP
 Assign the counter a specific name. This option must be present, as an empty
 name is not allowed. Names starting with a dot or names containing a slash are

extensions/xt_quota2.Kconfig

@@ -5,4 +5,5 @@ config NETFILTER_XT_MATCH_QUOTA2
 	This option adds the "quota2" match which is an advanced form of
 	xt_quota that also allows counting upwards, and where the counter can
 	be set through procfs. This allows for simple interfacing of
-	accounting information.
+	accounting information. It also allows for a test mode without changing
+	the quota value.

extensions/xt_quota2.c

@@ -199,12 +199,19 @@ quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
 
 	spin_lock_bh(&e->lock);
 	if (q->flags & XT_QUOTA_GROW) {
-		e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+		/*
-		q->quota = e->quota;
+		 * While no_change is pointless in "grow" mode, we will
+		 * implement it here simply to have a consistent behavior.
+		 */
+		if (!(q->flags & XT_QUOTA_NO_CHANGE)) {
+			e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+			q->quota = e->quota;
+		}
 		ret = true;
 	} else {
 		if (e->quota >= skb->len) {
-			e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+			if (!(q->flags & XT_QUOTA_NO_CHANGE))
+				e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
 			ret = !ret;
 		} else {
 			/* we do not allow even small packets from now on */

extensions/xt_quota2.h

@@ -2,10 +2,11 @@
 #define _XT_QUOTA_H
 
 enum xt_quota_flags {
-	XT_QUOTA_INVERT = 1 << 0,
+	XT_QUOTA_INVERT    = 1 << 0,
-	XT_QUOTA_GROW   = 1 << 1,
+	XT_QUOTA_GROW      = 1 << 1,
-	XT_QUOTA_PACKET = 1 << 2,
+	XT_QUOTA_PACKET    = 1 << 2,
-	XT_QUOTA_MASK   = 0x7,
+	XT_QUOTA_NO_CHANGE = 1 << 3,
+	XT_QUOTA_MASK      = 0x0F,
 };
 
 struct xt_quota_counter;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.21 (2009-12-09)" "" "v1.21 (2009-12-09)"
+.TH xtables-addons 8 "v1.22 (2010-01-22)" "" "v1.22 (2010-11-22)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets