Xtables-addons 1.23

In case the kernel is built without IPv6 support the compilation of
this module fails as it assumes IPv6. This patch makes kernel support
conditional on kernel .config.

INSTALL

@@ -51,15 +51,6 @@ Configuring and compiling
 	For RPM building, it should be /usr/src/linux-obj/...
 	or whatever location the distro makes use of.
 
---with-xtables=
-
-	Specifies the path to the directory where we may find
-	xtables.h, should it not be within the standard C compiler
-	include path (/usr/include), or if you want to override it.
-	The directory will be checked for xtables.h and
-	include/xtables.h. (The latter to support both standard
-	/usr/include and the iptables source root.)
-
 --with-xtlibdir=
 
 	Specifies the path to where the newly built extensions should
@@ -73,6 +64,25 @@ If you want to enable debugging, use
 (-O0 is used to turn off instruction reordering, which makes debugging
 much easier.)
 
+To make use of a libxtables that is not in the default path, either
+
+  a) append the location of the pkg-config files like:
+
+	PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+
+     (Assuming that files have been installed)
+or,
+
+  b) override the pkg-config variables, for example:
+
+	./configure libxtables_CFLAGS="-I../iptables/include" \
+		libxtables_LIBS="-L../iptables/.libs \
+			-Wl,-rpath,../iptables/.libs -lxtables"
+
+     (Use this in case you wish to use it without having to
+     run `make install`. This is because the libxtables.pc pkgconfig
+     file in ../iptables would already point to e.g. /usr/local.)
+
 
 Build-time options
 ==================
@@ -89,4 +99,5 @@ Except for --with-kbuild, distributions should not have a need to
 supply any other flags (besides --prefix=/usr and perhaps
 --libdir=/usr/lib64, etc.) to configure when all prerequired packages
 are installed. If iptables-devel is installed, necessary headers should
-be in /usr/include, so --with-xtables is not needed.
+already be in /usr/include, so that overriding PKG_CONFIG_PATH,
+libxtables_CFLAGS and libxtables_LIBS variables should not be needed.

Makefile.iptrules.in

@@ -47,7 +47,7 @@ all: ${targets}
 install: ${targets}
 	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
 	install -dm0755 "${DESTDIR}/${xtlibdir}";
-	install -pm0755 $^ "${DESTDIR}/${xtlibdir}";
+	@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
 
 clean:
 	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.21])
+AC_INIT([xtables-addons], [1.23])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -21,56 +21,20 @@ if [[ "$kbuilddir" == no ]]; then
 	kbuilddir="";
 fi
 
-AC_ARG_WITH([ksource],,[ksourcedir="$withval"])
-AC_ARG_WITH([xtables],
-	AS_HELP_STRING([--with-xtables=PATH],
-	[Path to the Xtables includes [[none]]]),
-	[xtables_location="$withval"])
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
 	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
 	[xtlibdir="$withval"],
 	[xtlibdir='${libexecdir}/xtables'])
 
-#
-# --with-xtables= overrides a possibly installed pkgconfig file.
-#
-if [[ -n "$xtables_location" ]]; then
-	AC_MSG_CHECKING([xtables.h presence])
-	if [[ -f "$xtables_location/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/xtables.h])
-		libxtables_CFLAGS="-I $xtables_location";
-	elif [[ -f "$xtables_location/include/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/include/xtables.h])
-		libxtables_CFLAGS="-I $xtables_location/include";
-	fi;
-	if [[ -z "$xtables_CFLAGS" ]]; then
-		if [[ -f "$includedir/xtables.h" ]]; then
-			AC_MSG_RESULT([$includedir/xtables.h])
-		else
-			AC_MSG_RESULT([no])
-		fi;
-	fi;
-	libxtables_LIBS="-lxtables";
-	AC_SUBST([libxtables_CFLAGS])
-	AC_SUBST([libxtables_LIBS])
-else
-	PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
-fi;
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
-	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, either through /usr/include or the iptables directory (--with-xtables=)])])
+	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
 	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
-kinclude_CFLAGS="";
-if [[ -n "$kbuilddir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
-fi;
-if [[ -n "$ksourcedir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
-fi;
 
 #
 # check kernel version
@@ -97,7 +61,7 @@ else
 	fi;
 fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 32; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 34; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
@@ -107,9 +71,7 @@ elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
 fi;
 
 AC_SUBST([regular_CFLAGS])
-AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
-AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
 AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
 	extensions/Makefile extensions/ACCOUNT/Makefile

doc/changelog.txt

@@ -3,6 +3,24 @@ HEAD
 ====
 
 
+Xtables-addons 1.23 (February 24 2010)
+======================================
+- build: support for Linux 2.6.34
+- build: remove unused --with-ksource option
+- build: remove unneeded --with-xtables option
+- build: fix compilations in RAWNAT, SYSRQ and length2 when CONFIG_IPV6=n
+- ipset: update to 4.2
+- ECHO: fix compilation w.r.t. skb_dst
+
+
+Xtables-addons 1.22 (January 22 2010)
+=====================================
+- compat_xtables: support for 2.6.33 skb_iif changes
+- geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
+- ipset: enable build of ip_set_setlist.ko
+- quota2: add the --no-change mode
+
+
 Xtables-addons 1.21 (December 09 2009)
 ======================================
 - ACCOUNT: avoid collision with arp_tables setsockopt numbers

extensions/Kbuild

@@ -12,7 +12,10 @@ obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
-obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o ip6table_rawpost.o
+obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o
+ifneq (${CONFIG_IPV6},)
+obj-${build_RAWNAT}      += ip6table_rawpost.o
+endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o
 obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o

extensions/compat_skbuff.h

@@ -25,9 +25,12 @@ static inline struct rtable *skb_rtable(const struct sk_buff *skb)
 #	define skb_ifindex(skb) \
 		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
 #	define skb_ifindex(skb) (skb)->iif
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
+#else
+#	define skb_ifindex(skb) (skb)->skb_iif
+#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #endif
 
 #ifdef CONFIG_NETWORK_SECMARK

extensions/compat_xtables.h

@@ -78,6 +78,15 @@
 #	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
+#	define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
+#else
+#	define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
+#endif
+
+
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \
 		ntohs((addr).s6_addr16[0]), \

extensions/ipset/Kbuild

@@ -3,4 +3,4 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
-obj-m += ip_set_iptree.o ip_set_iptreemap.o
+obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/ipset/ip_set_ipportnethash.c

@@ -185,7 +185,6 @@ ipportnethash_add(struct ip_set *set,
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	return ret;
 }

extensions/ipset/ip_set_nethash.c

@@ -136,7 +136,6 @@ nethash_add(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	
 	return ret;

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "4.1"
+#define IPSET_VERSION "4.2"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/ipset/ipset_iphash.c

@@ -200,8 +200,7 @@ iphash_printips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("%s\n", ip_tostring(*ip, options));
+		printf("%s\n", ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -230,9 +229,7 @@ iphash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       ip_tostring(*ip, options));
+		printf("-A %s %s\n", set->name, ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/ipset/ipset_ipporthash.c

@@ -259,13 +259,11 @@ ipporthash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("%s,%s\n", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
+		ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
+		printf("%s,%s\n", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -296,13 +294,11 @@ ipporthash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("-A %s %s,%s\n", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
+		ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
+		printf("-A %s %s,%s\n", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/ipset/ipset_ipportiphash.c

@@ -265,15 +265,13 @@ ipportiphash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("%s,%s,", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n", 
-			       ip_tostring(ipptr->ip1, options));
-		}
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n", 
+		       ip_tostring(ipptr->ip1, options));
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
@@ -305,15 +303,13 @@ ipportiphash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("-A %s %s,%s,", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n",
-			       ip_tostring(ipptr->ip1, options));
-		}
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n",
+		       ip_tostring(ipptr->ip1, options));
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }

extensions/ipset/ipset_ipportnethash.c

@@ -330,15 +330,13 @@ ipportnethash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip || ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("%s,%s,", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n", 
-			       unpack_ip_tostring(ipptr->ip1, options));
-		}
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n", 
+		       unpack_ip_tostring(ipptr->ip1, options));
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
@@ -370,15 +368,13 @@ ipportnethash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("-A %s %s,%s,", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n",
-			       unpack_ip_tostring(ipptr->ip, options));
-		}
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n",
+		       unpack_ip_tostring(ipptr->ip, options));
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }

extensions/ipset/ipset_nethash.c

@@ -232,8 +232,7 @@ nethash_printips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("%s\n", unpack_ip_tostring(*ip, options));
+		printf("%s\n", unpack_ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -258,9 +257,8 @@ nethash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       unpack_ip_tostring(*ip, options));
+		printf("-A %s %s\n", set->name,
+		       unpack_ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/libxt_geoip.c

@@ -24,7 +24,7 @@
 #include <unistd.h>
 #include <xtables.h>
 #include "xt_geoip.h"
-#define GEOIP_DB_DIR "/var/geoip"
+#define GEOIP_DB_DIR "/usr/share/xt_geoip"
 
 static void geoip_help(void)
 {

extensions/libxt_geoip.man

@@ -7,10 +7,11 @@ Match packet coming from (one of) the specified country(ies)
 Match packet going to (one of) the specified country(ies)
 .TP
 NOTE:
-The country is inputed by its ISO3166 code.
-.P
+The country is inputed by its ISO-3166 code.
+.PP
 The extra files you will need is the binary database files. They are generated
 from a country-subnet database with the geoip_csv_iv0.pl tool, available at
-http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to /var/geoip/
+http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to
+/usr/share/xt_geoip/
 as the shared library is statically looking for this pathname (e.g.
-/var/geoip/LE/de.iv0).
+/usr/share/xt_geoip/LE/de.iv0).

extensions/libxt_quota2.c

@@ -17,17 +17,19 @@
 #include "xt_quota2.h"
 
 enum {
-	FL_QUOTA  = 1 << 0,
-	FL_NAME   = 1 << 1,
-	FL_GROW   = 1 << 2,
-	FL_PACKET = 1 << 3,
+	FL_QUOTA     = 1 << 0,
+	FL_NAME      = 1 << 1,
+	FL_GROW      = 1 << 2,
+	FL_PACKET    = 1 << 3,
+	FL_NO_CHANGE = 1 << 4,
 };
 
 static const struct option quota_mt2_opts[] = {
-	{.name = "grow",    .has_arg = false, .val = 'g'},
-	{.name = "name",    .has_arg = true,  .val = 'n'},
-	{.name = "quota",   .has_arg = true,  .val = 'q'},
-	{.name = "packets", .has_arg = false, .val = 'p'},
+	{.name = "grow",      .has_arg = false, .val = 'g'},
+	{.name = "no-change", .has_arg = false, .val = 'c'},
+	{.name = "name",      .has_arg = true,  .val = 'n'},
+	{.name = "quota",     .has_arg = true,  .val = 'q'},
+	{.name = "packets",   .has_arg = false, .val = 'p'},
 	{NULL},
 };
 
@@ -36,6 +38,7 @@ static void quota_mt2_help(void)
 	printf(
 	"quota match options:\n"
 	"    --grow           provide an increasing counter\n"
+	"    --no-change      never change counter/quota value for matching packets\n"
 	"    --name name      name for the file in sysfs\n"
 	"[!] --quota quota    initial quota (bytes or packets)\n"
 	"    --packets        count packets instead of bytes\n"
@@ -56,6 +59,12 @@ quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
 		info->flags |= XT_QUOTA_GROW;
 		*flags |= FL_GROW;
 		return true;
+	case 'c': /* no-change */
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--no-change", *flags & FL_NO_CHANGE);
+		xtables_param_act(XTF_NO_INVERT, "quota", "--no-change", invert);
+		info->flags |= XT_QUOTA_NO_CHANGE;
+		*flags |= FL_NO_CHANGE;
+		return true;
 	case 'n':
 		/* zero termination done on behalf of the kernel module */
 		xtables_param_act(XTF_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
@@ -92,6 +101,8 @@ quota_mt2_save(const void *ip, const struct xt_entry_match *match)
 		printf("! ");
 	if (q->flags & XT_QUOTA_GROW)
 		printf("--grow ");
+	if (q->flags & XT_QUOTA_NO_CHANGE)
+		printf("--no-change ");
 	if (q->flags & XT_QUOTA_PACKET)
 		printf("--packets ");
 	if (*q->name != '\0')
@@ -117,6 +128,8 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
 		printf("packets ");
 	else
 		printf("bytes ");
+	if (q->flags & XT_QUOTA_NO_CHANGE)
+		printf("(no-change mode) ");
 }
 
 static struct xtables_match quota_mt2_reg = {

extensions/libxt_quota2.man

@@ -10,6 +10,12 @@ the match will return false, just like the original "quota" match. In growing
 \fB\-\-grow\fP
 Count upwards instead of downwards.
 .TP
+\fB\-\-no\-change\fP
+Makes it so the counter or quota amount is never changed by packets matching
+this rule. This is only really useful in "quota" mode, as it will allow you to
+use complex prerouting rules in association with the quota system, without
+counting a packet twice.
+.TP
 \fB\-\-name\fP \fIname\fP
 Assign the counter a specific name. This option must be present, as an empty
 name is not allowed. Names starting with a dot or names containing a slash are

extensions/xt_ECHO.c

@@ -32,7 +32,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 	unsigned int addr_type, data_len;
 	void *payload;
 
-	printk(KERN_INFO "dst_out=%p\n", (*poldskb)->dst->output);
+	printk(KERN_INFO "dst_out=%p\n", skb_dst(*poldskb)->output);
 
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(*poldskb) < 0)
@@ -84,18 +84,17 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 #endif
 		addr_type = RTN_LOCAL;
 
-	/* ip_route_me_harder expects skb->dst to be set */
-	dst_hold(oldskb->dst);
-	newskb->dst = oldskb->dst;
+	/* ip_route_me_harder expects the skb's dst to be set */
+	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
 
 	if (ip_route_me_harder(&newskb, addr_type) < 0)
 		goto free_nskb;
 
-	newip->ttl        = dst_metric(newskb->dst, RTAX_HOPLIMIT);
+	newip->ttl        = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
 	newskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" (?) */
-	if (newskb->len > dst_mtu(newskb->dst))
+	if (newskb->len > dst_mtu(skb_dst(newskb)))
 		goto free_nskb;
 
 	nf_ct_attach(newskb, *poldskb);

extensions/xt_RAWNAT.c

@@ -22,6 +22,10 @@
 #include "compat_xtables.h"
 #include "xt_RAWNAT.h"
 
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 static inline __be32
 remask(__be32 addr, __be32 repl, unsigned int shift)
 {
@@ -29,6 +33,7 @@ remask(__be32 addr, __be32 repl, unsigned int shift)
 	return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
 }
 
+#ifdef WITH_IPV6
 static void
 rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 {
@@ -72,6 +77,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		break;
 	}
 }
+#endif
 
 static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
 {
@@ -162,6 +168,7 @@ rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
+#ifdef WITH_IPV6
 static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
     unsigned int *l4proto)
 {
@@ -274,6 +281,7 @@ rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
 	return XT_CONTINUE;
 }
+#endif
 
 static bool rawnat_tg_check(const struct xt_tgchk_param *par)
 {
@@ -296,6 +304,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "RAWSNAT",
 		.revision   = 0,
@@ -305,6 +314,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 	{
 		.name       = "RAWDNAT",
 		.revision   = 0,
@@ -314,6 +324,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "RAWDNAT",
 		.revision   = 0,
@@ -323,6 +334,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
 static int __init rawnat_tg_init(void)

extensions/xt_SYSRQ.c

@@ -23,6 +23,10 @@
 #include <net/ip.h>
 #include "compat_xtables.h"
 
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 static bool sysrq_once;
 static char sysrq_password[64];
 static char sysrq_hash[16] = "sha1";
@@ -214,6 +218,7 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
 
+#ifdef WITH_IPV6
 static unsigned int
 sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 {
@@ -242,6 +247,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 		       ntohs(udph->dest), len);
 	return sysrq_tg(udph + sizeof(struct udphdr), len);
 }
+#endif
 
 static bool sysrq_tg_check(const struct xt_tgchk_param *par)
 {
@@ -278,6 +284,7 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 		.checkentry = sysrq_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "SYSRQ",
 		.revision   = 1,
@@ -286,6 +293,7 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 		.checkentry = sysrq_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
 static int __init sysrq_tg_init(void)

extensions/xt_length2.c

@@ -136,6 +136,30 @@ static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
 	}
 }
 
+static bool
+length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_length_mtinfo2 *info = par->matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+	unsigned int len = 0;
+	bool hit = true;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		len = ntohs(iph->tot_len);
+	else if (info->flags & XT_LENGTH_LAYER4)
+		len = ntohs(iph->tot_len) - par->thoff;
+	else if (info->flags & XT_LENGTH_LAYER5)
+		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
+	else if (info->flags & XT_LENGTH_LAYER7)
+		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
+	if (!hit)
+		return false;
+
+	return (len >= info->min && len <= info->max) ^
+	       !!(info->flags & XT_LENGTH_INVERT);
+}
+
+#ifdef WITH_IPV6
 /**
  * llayer4_proto - figure out the L4 protocol in an IPv6 packet
  * @skb:	skb pointer
@@ -173,30 +197,6 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
 	return NEXTHDR_MAX;
 }
 
-static bool
-length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-	const struct xt_length_mtinfo2 *info = par->matchinfo;
-	const struct iphdr *iph = ip_hdr(skb);
-	unsigned int len = 0;
-	bool hit = true;
-
-	if (info->flags & XT_LENGTH_LAYER3)
-		len = ntohs(iph->tot_len);
-	else if (info->flags & XT_LENGTH_LAYER4)
-		len = ntohs(iph->tot_len) - par->thoff;
-	else if (info->flags & XT_LENGTH_LAYER5)
-		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
-	else if (info->flags & XT_LENGTH_LAYER7)
-		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
-	if (!hit)
-		return false;
-
-	return (len >= info->min && len <= info->max) ^
-	       !!(info->flags & XT_LENGTH_INVERT);
-}
-
-#ifdef WITH_IPV6
 static bool
 length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 {

extensions/xt_quota2.Kconfig

@@ -5,4 +5,5 @@ config NETFILTER_XT_MATCH_QUOTA2
 	This option adds the "quota2" match which is an advanced form of
 	xt_quota that also allows counting upwards, and where the counter can
 	be set through procfs. This allows for simple interfacing of
-	accounting information.
+	accounting information. It also allows for a test mode without changing
+	the quota value.

extensions/xt_quota2.c

@@ -199,12 +199,19 @@ quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
 
 	spin_lock_bh(&e->lock);
 	if (q->flags & XT_QUOTA_GROW) {
-		e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
-		q->quota = e->quota;
+		/*
+		 * While no_change is pointless in "grow" mode, we will
+		 * implement it here simply to have a consistent behavior.
+		 */
+		if (!(q->flags & XT_QUOTA_NO_CHANGE)) {
+			e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+			q->quota = e->quota;
+		}
 		ret = true;
 	} else {
 		if (e->quota >= skb->len) {
-			e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+			if (!(q->flags & XT_QUOTA_NO_CHANGE))
+				e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
 			ret = !ret;
 		} else {
 			/* we do not allow even small packets from now on */

extensions/xt_quota2.h

@@ -2,10 +2,11 @@
 #define _XT_QUOTA_H
 
 enum xt_quota_flags {
-	XT_QUOTA_INVERT = 1 << 0,
-	XT_QUOTA_GROW   = 1 << 1,
-	XT_QUOTA_PACKET = 1 << 2,
-	XT_QUOTA_MASK   = 0x7,
+	XT_QUOTA_INVERT    = 1 << 0,
+	XT_QUOTA_GROW      = 1 << 1,
+	XT_QUOTA_PACKET    = 1 << 2,
+	XT_QUOTA_NO_CHANGE = 1 << 3,
+	XT_QUOTA_MASK      = 0x0F,
 };
 
 struct xt_quota_counter;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.21 (2009-12-09)" "" "v1.21 (2009-12-09)"
+.TH xtables-addons 8 "v1.23 (2010-02-24)" "" "v1.23 (2010-02-24)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets