Xtables-addons 1.23

In case the kernel is built without IPv6 support the compilation of
this module fails as it assumes IPv6. This patch makes kernel support
conditional on kernel .config.

INSTALL

@@ -51,15 +51,6 @@ Configuring and compiling
 	For RPM building, it should be /usr/src/linux-obj/...
 	or whatever location the distro makes use of.
 
---with-xtables=
-
-	Specifies the path to the directory where we may find
-	xtables.h, should it not be within the standard C compiler
-	include path (/usr/include), or if you want to override it.
-	The directory will be checked for xtables.h and
-	include/xtables.h. (The latter to support both standard
-	/usr/include and the iptables source root.)
-
 --with-xtlibdir=
 
 	Specifies the path to where the newly built extensions should
@@ -73,6 +64,25 @@ If you want to enable debugging, use
 (-O0 is used to turn off instruction reordering, which makes debugging
 much easier.)
 
+To make use of a libxtables that is not in the default path, either
+
+  a) append the location of the pkg-config files like:
+
+	PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+
+     (Assuming that files have been installed)
+or,
+
+  b) override the pkg-config variables, for example:
+
+	./configure libxtables_CFLAGS="-I../iptables/include" \
+		libxtables_LIBS="-L../iptables/.libs \
+			-Wl,-rpath,../iptables/.libs -lxtables"
+
+     (Use this in case you wish to use it without having to
+     run `make install`. This is because the libxtables.pc pkgconfig
+     file in ../iptables would already point to e.g. /usr/local.)
+
 
 Build-time options
 ==================
@@ -89,4 +99,5 @@ Except for --with-kbuild, distributions should not have a need to
 supply any other flags (besides --prefix=/usr and perhaps
 --libdir=/usr/lib64, etc.) to configure when all prerequired packages
 are installed. If iptables-devel is installed, necessary headers should
-be in /usr/include, so --with-xtables is not needed.
+already be in /usr/include, so that overriding PKG_CONFIG_PATH,
+libxtables_CFLAGS and libxtables_LIBS variables should not be needed.

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.22])
+AC_INIT([xtables-addons], [1.23])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -21,56 +21,20 @@ if [[ "$kbuilddir" == no ]]; then
 	kbuilddir="";
 fi
 
-AC_ARG_WITH([ksource],,[ksourcedir="$withval"])
-AC_ARG_WITH([xtables],
-	AS_HELP_STRING([--with-xtables=PATH],
-	[Path to the Xtables includes [[none]]]),
-	[xtables_location="$withval"])
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
 	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
 	[xtlibdir="$withval"],
 	[xtlibdir='${libexecdir}/xtables'])
 
-#
-# --with-xtables= overrides a possibly installed pkgconfig file.
-#
-if [[ -n "$xtables_location" ]]; then
-	AC_MSG_CHECKING([xtables.h presence])
-	if [[ -f "$xtables_location/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/xtables.h])
-		libxtables_CFLAGS="-I $xtables_location";
-	elif [[ -f "$xtables_location/include/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/include/xtables.h])
-		libxtables_CFLAGS="-I $xtables_location/include";
-	fi;
-	if [[ -z "$xtables_CFLAGS" ]]; then
-		if [[ -f "$includedir/xtables.h" ]]; then
-			AC_MSG_RESULT([$includedir/xtables.h])
-		else
-			AC_MSG_RESULT([no])
-		fi;
-	fi;
-	libxtables_LIBS="-lxtables";
-	AC_SUBST([libxtables_CFLAGS])
-	AC_SUBST([libxtables_LIBS])
-else
-	PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
-fi;
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
-	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, either through /usr/include or the iptables directory (--with-xtables=)])])
+	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
 	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
-kinclude_CFLAGS="";
-if [[ -n "$kbuilddir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
-fi;
-if [[ -n "$ksourcedir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
-fi;
 
 #
 # check kernel version
@@ -97,7 +61,7 @@ else
 	fi;
 fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 32; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 34; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
@@ -107,9 +71,7 @@ elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
 fi;
 
 AC_SUBST([regular_CFLAGS])
-AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
-AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
 AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
 	extensions/Makefile extensions/ACCOUNT/Makefile

doc/changelog.txt

@@ -3,7 +3,17 @@ HEAD
 ====
 
 
-Xtables-addons 1.22 (January 22 2009)
+Xtables-addons 1.23 (February 24 2010)
+======================================
+- build: support for Linux 2.6.34
+- build: remove unused --with-ksource option
+- build: remove unneeded --with-xtables option
+- build: fix compilations in RAWNAT, SYSRQ and length2 when CONFIG_IPV6=n
+- ipset: update to 4.2
+- ECHO: fix compilation w.r.t. skb_dst
+
+
+Xtables-addons 1.22 (January 22 2010)
 =====================================
 - compat_xtables: support for 2.6.33 skb_iif changes
 - geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip

extensions/Kbuild

@@ -12,7 +12,10 @@ obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
-obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o ip6table_rawpost.o
+obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o
+ifneq (${CONFIG_IPV6},)
+obj-${build_RAWNAT}      += ip6table_rawpost.o
+endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o
 obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o

extensions/compat_xtables.h

@@ -78,6 +78,15 @@
 #	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
+#	define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
+#else
+#	define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
+#endif
+
+
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \
 		ntohs((addr).s6_addr16[0]), \

extensions/ipset/ip_set_ipportnethash.c

@@ -185,7 +185,6 @@ ipportnethash_add(struct ip_set *set,
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	return ret;
 }

extensions/ipset/ip_set_nethash.c

@@ -136,7 +136,6 @@ nethash_add(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	
 	return ret;

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "4.1"
+#define IPSET_VERSION "4.2"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/ipset/ipset_iphash.c

@@ -200,8 +200,7 @@ iphash_printips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("%s\n", ip_tostring(*ip, options));
+		printf("%s\n", ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -230,9 +229,7 @@ iphash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       ip_tostring(*ip, options));
+		printf("-A %s %s\n", set->name, ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/ipset/ipset_ipporthash.c

@@ -259,13 +259,11 @@ ipporthash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("%s,%s\n", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
+		ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
+		printf("%s,%s\n", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -296,13 +294,11 @@ ipporthash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("-A %s %s,%s\n", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
+		ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
+		printf("-A %s %s,%s\n", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/ipset/ipset_ipportiphash.c

@@ -265,15 +265,13 @@ ipportiphash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("%s,%s,", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n", 
-			       ip_tostring(ipptr->ip1, options));
-		}
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n", 
+		       ip_tostring(ipptr->ip1, options));
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
@@ -305,15 +303,13 @@ ipportiphash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("-A %s %s,%s,", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n",
-			       ip_tostring(ipptr->ip1, options));
-		}
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n",
+		       ip_tostring(ipptr->ip1, options));
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }

extensions/ipset/ipset_ipportnethash.c

@@ -330,15 +330,13 @@ ipportnethash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip || ipptr->ip1) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("%s,%s,", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n", 
-			       unpack_ip_tostring(ipptr->ip1, options));
-		}
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n", 
+		       unpack_ip_tostring(ipptr->ip1, options));
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
@@ -370,15 +368,13 @@ ipportnethash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr) {
-			ip = (ipptr->ip>>16) + mysetdata->first_ip;
-			port = (uint16_t) ipptr->ip;
-			printf("-A %s %s,%s,", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-			printf("%s\n",
-			       unpack_ip_tostring(ipptr->ip, options));
-		}
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n",
+		       unpack_ip_tostring(ipptr->ip, options));
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }

extensions/ipset/ipset_nethash.c

@@ -232,8 +232,7 @@ nethash_printips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("%s\n", unpack_ip_tostring(*ip, options));
+		printf("%s\n", unpack_ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -258,9 +257,8 @@ nethash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       unpack_ip_tostring(*ip, options));
+		printf("-A %s %s\n", set->name,
+		       unpack_ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/xt_ECHO.c

@@ -32,7 +32,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 	unsigned int addr_type, data_len;
 	void *payload;
 
-	printk(KERN_INFO "dst_out=%p\n", (*poldskb)->dst->output);
+	printk(KERN_INFO "dst_out=%p\n", skb_dst(*poldskb)->output);
 
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(*poldskb) < 0)
@@ -84,18 +84,17 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 #endif
 		addr_type = RTN_LOCAL;
 
-	/* ip_route_me_harder expects skb->dst to be set */
-	dst_hold(oldskb->dst);
-	newskb->dst = oldskb->dst;
+	/* ip_route_me_harder expects the skb's dst to be set */
+	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
 
 	if (ip_route_me_harder(&newskb, addr_type) < 0)
 		goto free_nskb;
 
-	newip->ttl        = dst_metric(newskb->dst, RTAX_HOPLIMIT);
+	newip->ttl        = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
 	newskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" (?) */
-	if (newskb->len > dst_mtu(newskb->dst))
+	if (newskb->len > dst_mtu(skb_dst(newskb)))
 		goto free_nskb;
 
 	nf_ct_attach(newskb, *poldskb);

extensions/xt_RAWNAT.c

@@ -22,6 +22,10 @@
 #include "compat_xtables.h"
 #include "xt_RAWNAT.h"
 
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 static inline __be32
 remask(__be32 addr, __be32 repl, unsigned int shift)
 {
@@ -29,6 +33,7 @@ remask(__be32 addr, __be32 repl, unsigned int shift)
 	return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
 }
 
+#ifdef WITH_IPV6
 static void
 rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 {
@@ -72,6 +77,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		break;
 	}
 }
+#endif
 
 static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
 {
@@ -162,6 +168,7 @@ rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
+#ifdef WITH_IPV6
 static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
     unsigned int *l4proto)
 {
@@ -274,6 +281,7 @@ rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
 	return XT_CONTINUE;
 }
+#endif
 
 static bool rawnat_tg_check(const struct xt_tgchk_param *par)
 {
@@ -296,6 +304,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "RAWSNAT",
 		.revision   = 0,
@@ -305,6 +314,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 	{
 		.name       = "RAWDNAT",
 		.revision   = 0,
@@ -314,6 +324,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "RAWDNAT",
 		.revision   = 0,
@@ -323,6 +334,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
 static int __init rawnat_tg_init(void)

extensions/xt_SYSRQ.c

@@ -23,6 +23,10 @@
 #include <net/ip.h>
 #include "compat_xtables.h"
 
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 static bool sysrq_once;
 static char sysrq_password[64];
 static char sysrq_hash[16] = "sha1";
@@ -214,6 +218,7 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
 
+#ifdef WITH_IPV6
 static unsigned int
 sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 {
@@ -242,6 +247,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 		       ntohs(udph->dest), len);
 	return sysrq_tg(udph + sizeof(struct udphdr), len);
 }
+#endif
 
 static bool sysrq_tg_check(const struct xt_tgchk_param *par)
 {
@@ -278,6 +284,7 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 		.checkentry = sysrq_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "SYSRQ",
 		.revision   = 1,
@@ -286,6 +293,7 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 		.checkentry = sysrq_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
 static int __init sysrq_tg_init(void)

extensions/xt_length2.c

@@ -136,6 +136,30 @@ static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
 	}
 }
 
+static bool
+length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_length_mtinfo2 *info = par->matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+	unsigned int len = 0;
+	bool hit = true;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		len = ntohs(iph->tot_len);
+	else if (info->flags & XT_LENGTH_LAYER4)
+		len = ntohs(iph->tot_len) - par->thoff;
+	else if (info->flags & XT_LENGTH_LAYER5)
+		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
+	else if (info->flags & XT_LENGTH_LAYER7)
+		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
+	if (!hit)
+		return false;
+
+	return (len >= info->min && len <= info->max) ^
+	       !!(info->flags & XT_LENGTH_INVERT);
+}
+
+#ifdef WITH_IPV6
 /**
  * llayer4_proto - figure out the L4 protocol in an IPv6 packet
  * @skb:	skb pointer
@@ -173,30 +197,6 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
 	return NEXTHDR_MAX;
 }
 
-static bool
-length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-	const struct xt_length_mtinfo2 *info = par->matchinfo;
-	const struct iphdr *iph = ip_hdr(skb);
-	unsigned int len = 0;
-	bool hit = true;
-
-	if (info->flags & XT_LENGTH_LAYER3)
-		len = ntohs(iph->tot_len);
-	else if (info->flags & XT_LENGTH_LAYER4)
-		len = ntohs(iph->tot_len) - par->thoff;
-	else if (info->flags & XT_LENGTH_LAYER5)
-		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
-	else if (info->flags & XT_LENGTH_LAYER7)
-		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
-	if (!hit)
-		return false;
-
-	return (len >= info->min && len <= info->max) ^
-	       !!(info->flags & XT_LENGTH_INVERT);
-}
-
-#ifdef WITH_IPV6
 static bool
 length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 {

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.22 (2010-01-22)" "" "v1.22 (2010-11-22)"
+.TH xtables-addons 8 "v1.23 (2010-02-24)" "" "v1.23 (2010-02-24)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets