Xtables-addons 1.24

This reverts commit ab13e58f96.

Whoops. There is no mark at all before 2.6.19.

INSTALL

@@ -51,15 +51,6 @@ Configuring and compiling
 	For RPM building, it should be /usr/src/linux-obj/...
 	or whatever location the distro makes use of.
 
---with-xtables=
-
-	Specifies the path to the directory where we may find
-	xtables.h, should it not be within the standard C compiler
-	include path (/usr/include), or if you want to override it.
-	The directory will be checked for xtables.h and
-	include/xtables.h. (The latter to support both standard
-	/usr/include and the iptables source root.)
-
 --with-xtlibdir=
 
 	Specifies the path to where the newly built extensions should
@@ -73,6 +64,25 @@ If you want to enable debugging, use
 (-O0 is used to turn off instruction reordering, which makes debugging
 much easier.)
 
+To make use of a libxtables that is not in the default path, either
+
+  a) append the location of the pkg-config files like:
+
+	PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+
+     (Assuming that files have been installed)
+or,
+
+  b) override the pkg-config variables, for example:
+
+	./configure libxtables_CFLAGS="-I../iptables/include" \
+		libxtables_LIBS="-L../iptables/.libs \
+			-Wl,-rpath,../iptables/.libs -lxtables"
+
+     (Use this in case you wish to use it without having to
+     run `make install`. This is because the libxtables.pc pkgconfig
+     file in ../iptables would already point to e.g. /usr/local.)
+
 
 Build-time options
 ==================
@@ -89,4 +99,5 @@ Except for --with-kbuild, distributions should not have a need to
 supply any other flags (besides --prefix=/usr and perhaps
 --libdir=/usr/lib64, etc.) to configure when all prerequired packages
 are installed. If iptables-devel is installed, necessary headers should
-be in /usr/include, so --with-xtables is not needed.
+already be in /usr/include, so that overriding PKG_CONFIG_PATH,
+libxtables_CFLAGS and libxtables_LIBS variables should not be needed.

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.22])
+AC_INIT([xtables-addons], [1.24])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -21,56 +21,21 @@ if [[ "$kbuilddir" == no ]]; then
 	kbuilddir="";
 fi
 
-AC_ARG_WITH([ksource],,[ksourcedir="$withval"])
-AC_ARG_WITH([xtables],
-	AS_HELP_STRING([--with-xtables=PATH],
-	[Path to the Xtables includes [[none]]]),
-	[xtables_location="$withval"])
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
 	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
 	[xtlibdir="$withval"],
 	[xtlibdir='${libexecdir}/xtables'])
 
-#
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
-# --with-xtables= overrides a possibly installed pkgconfig file.
-#
-if [[ -n "$xtables_location" ]]; then
-	AC_MSG_CHECKING([xtables.h presence])
-	if [[ -f "$xtables_location/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/xtables.h])
-		libxtables_CFLAGS="-I $xtables_location";
-	elif [[ -f "$xtables_location/include/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/include/xtables.h])
-		libxtables_CFLAGS="-I $xtables_location/include";
-	fi;
-	if [[ -z "$xtables_CFLAGS" ]]; then
-		if [[ -f "$includedir/xtables.h" ]]; then
-			AC_MSG_RESULT([$includedir/xtables.h])
-		else
-			AC_MSG_RESULT([no])
-		fi;
-	fi;
-	libxtables_LIBS="-lxtables";
-	AC_SUBST([libxtables_CFLAGS])
-	AC_SUBST([libxtables_LIBS])
-else
-	PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
-fi;
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
-	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, either through /usr/include or the iptables directory (--with-xtables=)])])
+	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
+	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
-kinclude_CFLAGS="";
+	-I\${XA_TOPSRCDIR}/include";
-if [[ -n "$kbuilddir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
-fi;
-if [[ -n "$ksourcedir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
-fi;
 
 #
 # check kernel version
@@ -97,7 +62,7 @@ else
 	fi;
 fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 32; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 34; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
@@ -107,9 +72,7 @@ elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
 fi;
 
 AC_SUBST([regular_CFLAGS])
-AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
-AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
 AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
 	extensions/Makefile extensions/ACCOUNT/Makefile

doc/changelog.txt

@@ -3,7 +3,26 @@ HEAD
 ====
 
 
-Xtables-addons 1.22 (January 22 2009)
+Xtables-addons 1.24 (March 17 2010)
+===================================
+- build: fix build of userspace modules against old (pre-2.6.25)
+  headers from linux-glibc-devel (/usr/include/linux)
+- ipp2p: updated bittorent command recognition
+- SYSRQ: let module load when crypto is unavailable
+- SYSRQ: allow processing of UDP-Lite
+
+
+Xtables-addons 1.23 (February 24 2010)
+======================================
+- build: support for Linux 2.6.34
+- build: remove unused --with-ksource option
+- build: remove unneeded --with-xtables option
+- build: fix compilations in RAWNAT, SYSRQ and length2 when CONFIG_IPV6=n
+- ipset: update to 4.2
+- ECHO: fix compilation w.r.t. skb_dst
+
+
+Xtables-addons 1.22 (January 22 2010)
 =====================================
 - compat_xtables: support for 2.6.33 skb_iif changes
 - geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -142,7 +142,7 @@ account_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target account_tg_reg = {
 	.name          = "ACCOUNT",
 	.revision      = 1,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
 	.userspacesize = offsetof(struct ipt_acc_info, table_nr),

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -1082,7 +1082,7 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 static struct xt_target xt_acc_reg __read_mostly = {
 	.name = "ACCOUNT",
 	.revision = 1,
-	.family = AF_INET,
+	.family     = NFPROTO_IPV4,
 	.target = ipt_acc_target,
 	.targetsize = sizeof(struct ipt_acc_info),
 	.checkentry = ipt_acc_checkentry,

extensions/Kbuild

@@ -12,7 +12,10 @@ obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
-obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o ip6table_rawpost.o
+obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o
+ifneq (${CONFIG_IPV6},)
+obj-${build_RAWNAT}      += ip6table_rawpost.o
+endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o
 obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o

extensions/compat_xtables.c

@@ -509,4 +509,18 @@ int xtnu_skb_linearize(struct sk_buff *skb)
 EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
 #endif
 
+void *HX_memmem(const void *space, size_t spacesize,
+    const void *point, size_t pointsize)
+{
+	size_t i;
+
+	if (pointsize > spacesize)
+		return NULL;
+	for (i = 0; i <= spacesize - pointsize; ++i)
+		if (memcmp(space + i, point, pointsize) == 0)
+			return (void *)space + i;
+	return NULL;
+}
+EXPORT_SYMBOL_GPL(HX_memmem);
+
 MODULE_LICENSE("GPL");

extensions/compat_xtables.h

@@ -78,6 +78,15 @@
 #	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
+#	define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
+#else
+#	define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
+#endif
+
+
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \
 		ntohs((addr).s6_addr16[0]), \

extensions/compat_xtnu.h

@@ -154,4 +154,6 @@ extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
 	__be32, __be32, bool);
 extern int xtnu_skb_linearize(struct sk_buff *);
 
+extern void *HX_memmem(const void *, size_t, const void *, size_t);
+
 #endif /* _COMPAT_XTNU_H */

extensions/ipset/ip_set_ipportnethash.c

@@ -185,7 +185,6 @@ ipportnethash_add(struct ip_set *set,
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	return ret;
 }

extensions/ipset/ip_set_nethash.c

@@ -136,7 +136,6 @@ nethash_add(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
 	if (ret == 0) {
 		if (!map->nets[cidr-1]++)
 			add_cidr_size(map->cidr, cidr);
-		map->elements++;
 	}
 	
 	return ret;

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "4.1"
+#define IPSET_VERSION "4.2"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/ipset/ipset_iphash.c

@@ -200,7 +200,6 @@ iphash_printips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
 		printf("%s\n", ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
@@ -230,9 +229,7 @@ iphash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
+		printf("-A %s %s\n", set->name, ip_tostring(*ip, options));
-			printf("-A %s %s\n", set->name, 
-			       ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/ipset/ipset_ipporthash.c

@@ -259,13 +259,11 @@ ipporthash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
 		ip = (*ipptr>>16) + mysetdata->first_ip;
 		port = (uint16_t) *ipptr;
 		printf("%s,%s\n", 
 		       ip_tostring(ip, options),
 		       port_tostring(port, options));
-		}
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
@@ -296,13 +294,11 @@ ipporthash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
 		ip = (*ipptr>>16) + mysetdata->first_ip;
 		port = (uint16_t) *ipptr;
 		printf("-A %s %s,%s\n", set->name, 
 		       ip_tostring(ip, options),
 		       port_tostring(port, options));
-		}
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }

extensions/ipset/ipset_ipportiphash.c

@@ -265,7 +265,6 @@ ipportiphash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
 		ip = (ipptr->ip>>16) + mysetdata->first_ip;
 		port = (uint16_t) ipptr->ip;
 		printf("%s,%s,", 
@@ -273,7 +272,6 @@ ipportiphash_printips(struct set *set, void *data, u_int32_t len,
 		       port_tostring(port, options));
 		printf("%s\n", 
 		       ip_tostring(ipptr->ip1, options));
-		}
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
@@ -305,7 +303,6 @@ ipportiphash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip && ipptr->ip1) {
 		ip = (ipptr->ip>>16) + mysetdata->first_ip;
 		port = (uint16_t) ipptr->ip;
 		printf("-A %s %s,%s,", set->name, 
@@ -313,7 +310,6 @@ ipportiphash_saveips(struct set *set, void *data, u_int32_t len,
 		       port_tostring(port, options));
 		printf("%s\n",
 		       ip_tostring(ipptr->ip1, options));
-		}
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }

extensions/ipset/ipset_ipportnethash.c

@@ -330,7 +330,6 @@ ipportnethash_printips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr->ip || ipptr->ip1) {
 		ip = (ipptr->ip>>16) + mysetdata->first_ip;
 		port = (uint16_t) ipptr->ip;
 		printf("%s,%s,", 
@@ -338,7 +337,6 @@ ipportnethash_printips(struct set *set, void *data, u_int32_t len,
 		       port_tostring(port, options));
 		printf("%s\n", 
 		       unpack_ip_tostring(ipptr->ip1, options));
-		}
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }
@@ -370,7 +368,6 @@ ipportnethash_saveips(struct set *set, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (ipptr) {
 		ip = (ipptr->ip>>16) + mysetdata->first_ip;
 		port = (uint16_t) ipptr->ip;
 		printf("-A %s %s,%s,", set->name, 
@@ -378,7 +375,6 @@ ipportnethash_saveips(struct set *set, void *data, u_int32_t len,
 		       port_tostring(port, options));
 		printf("%s\n",
 		       unpack_ip_tostring(ipptr->ip, options));
-		}
 		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
 	}
 }

extensions/ipset/ipset_nethash.c

@@ -232,7 +232,6 @@ nethash_printips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
 		printf("%s\n", unpack_ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
@@ -258,7 +257,6 @@ nethash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
 		printf("-A %s %s\n", set->name,
 		       unpack_ip_tostring(*ip, options));
 		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);

extensions/libxt_CHAOS.c

@@ -95,7 +95,7 @@ static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target chaos_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "CHAOS",
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.help          = chaos_tg_help,

extensions/libxt_DELUDE.c

@@ -33,9 +33,7 @@ static struct xtables_target delude_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DELUDE",
 	.revision      = 0,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = delude_tg_help,
 	.parse         = delude_tg_parse,
 	.final_check   = delude_tg_check,

extensions/libxt_DHCPMAC.c

@@ -84,7 +84,7 @@ static struct xtables_target dhcpmac_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DHCPMAC",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.help          = dhcpmac_tg_help,

extensions/libxt_ECHO.c

@@ -29,9 +29,7 @@ static void echo_tg_check(unsigned int flags)
 static struct xtables_target echo_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ECHO",
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = echo_tg_help,
 	.parse         = echo_tg_parse,
 	.final_check   = echo_tg_check,

extensions/libxt_IPMARK.c

@@ -151,7 +151,7 @@ ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
 static struct xtables_target ipmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "IPMARK",
-	.family        = PF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.revision      = 1,
 	.size          = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),

extensions/libxt_LOGMARK.c

@@ -100,7 +100,7 @@ static struct xtables_target logmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "LOGMARK",
 	.revision      = 0,
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.help          = logmark_tg_help,

extensions/libxt_RAWDNAT.c

@@ -154,7 +154,7 @@ static struct xtables_target rawdnat_tg4_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWDNAT",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawdnat_tg_help,
@@ -169,7 +169,7 @@ static struct xtables_target rawdnat_tg6_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWDNAT",
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawdnat_tg_help,

extensions/libxt_RAWSNAT.c

@@ -154,7 +154,7 @@ static struct xtables_target rawsnat_tg4_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWSNAT",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawsnat_tg_help,
@@ -169,7 +169,7 @@ static struct xtables_target rawsnat_tg6_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWSNAT",
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawsnat_tg_help,

extensions/libxt_STEAL.c

@@ -19,9 +19,7 @@ static void steal_tg_check(unsigned int flags)
 static struct xtables_target steal_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "STEAL",
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = steal_tg_help,
 	.parse         = steal_tg_parse,
 	.final_check   = steal_tg_check,

extensions/libxt_SYSRQ.c

@@ -25,9 +25,7 @@ static struct xtables_target sysrq_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "SYSRQ",
 	.revision      = 1,
-	.family        = PF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = sysrq_tg_help,
 	.parse         = sysrq_tg_parse,
 	.final_check   = sysrq_tg_check,

extensions/libxt_TARPIT.c

@@ -24,9 +24,7 @@ static void tarpit_tg_check(unsigned int flags)
 static struct xtables_target tarpit_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "TARPIT",
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
 	.help          = tarpit_tg_help,
 	.parse         = tarpit_tg_parse,
 	.final_check   = tarpit_tg_check,

extensions/libxt_TEE.c

@@ -138,7 +138,7 @@ static struct xtables_target tee_tg_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,
@@ -153,7 +153,7 @@ static struct xtables_target tee_tg6_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,

extensions/libxt_condition.c

@@ -80,7 +80,7 @@ static void condition_save(const void *ip, const struct xt_entry_match *match)
 static struct xtables_match condition_mt_reg = {
 	.name 		= "condition",
 	.revision	= 1,
-	.family		= PF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.version 	= XTABLES_VERSION,
 	.size 		= XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
 	.userspacesize 	= XT_ALIGN(sizeof(struct xt_condition_mtinfo)),

extensions/libxt_dhcpmac.c

@@ -85,7 +85,7 @@ static struct xtables_match dhcpmac_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "dhcpmac",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.help          = dhcpmac_mt_help,

extensions/libxt_fuzzy.c

@@ -103,6 +103,7 @@ static struct xtables_match fuzzy_mt_reg = {
 	.name          = "fuzzy",
 	.revision      = 1,
 	.version       = XTABLES_VERSION,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
 	.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
 	.help          = fuzzy_mt_help,

extensions/libxt_geoip.c

@@ -259,7 +259,7 @@ geoip_save(const void *ip, const struct xt_entry_match *match)
 }
 
 static struct xtables_match geoip_match = {
-	 .family        = AF_INET,
+	 .family        = NFPROTO_IPV4,
 	 .name          = "geoip",
 	 .revision      = 1,
 	 .version       = XTABLES_VERSION,

extensions/libxt_iface.c

@@ -200,7 +200,7 @@ static struct xtables_match iface_mt_reg = {
 	.version	= XTABLES_VERSION,
 	.name		= "iface",
 	.revision	= 0,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.size		= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.help		= iface_mt_help,

extensions/libxt_ipp2p.c

@@ -229,7 +229,7 @@ static struct xtables_match ipp2p_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipp2p",
 	.revision      = 1,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.help          = ipp2p_mt_help,

extensions/libxt_ipv4options.c

@@ -161,7 +161,7 @@ static struct xtables_match ipv4options_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipv4options",
 	.revision      = 1,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
 	.help          = ipv4options_mt_help,

extensions/libxt_length2.c

@@ -155,7 +155,7 @@ static struct xtables_match length2_mt_reg = {
 	.version        = XTABLES_VERSION,
 	.name           = "length2",
 	.revision       = 2,
-	.family         = PF_UNSPEC,
+	.family         = NFPROTO_UNSPEC,
 	.size           = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
 	.userspacesize  = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
 	.init           = length_mt_init,

extensions/libxt_lscan.c

@@ -105,7 +105,7 @@ static struct xtables_match lscan_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "lscan",
 	.revision      = 0,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
 	.help          = lscan_mt_help,

extensions/libxt_psd.c

@@ -139,7 +139,7 @@ static struct xtables_match psd_mt_reg = {
 	.name			= "psd",
 	.version		= XTABLES_VERSION,
 	.revision   	= 1,
-	.family			= PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size			= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.help			= psd_mt_help,

extensions/libxt_quota2.c

@@ -133,7 +133,7 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
 }
 
 static struct xtables_match quota_mt2_reg = {
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.revision      = 3,
 	.name          = "quota2",
 	.version       = XTABLES_VERSION,

extensions/pknock/libxt_pknock.c

@@ -326,7 +326,7 @@ static struct xtables_match pknock_mt_reg = {
 	.name		= "pknock",
 	.version	= XTABLES_VERSION,
 	.revision      = 1,
-	.family		= AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
 	.help          = pknock_mt_help,

extensions/xt_DHCPMAC.c

@@ -139,7 +139,7 @@ static struct xt_match dhcpmac_mt_reg __read_mostly = {
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
 	.match      = dhcpmac_mt,
-	.matchsize  = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.matchsize  = sizeof(struct dhcpmac_info),
 	.me         = THIS_MODULE,
 };
 

extensions/xt_ECHO.c

@@ -32,7 +32,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 	unsigned int addr_type, data_len;
 	void *payload;
 
-	printk(KERN_INFO "dst_out=%p\n", (*poldskb)->dst->output);
+	printk(KERN_INFO "dst_out=%p\n", skb_dst(*poldskb)->output);
 
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(*poldskb) < 0)
@@ -84,18 +84,17 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 #endif
 		addr_type = RTN_LOCAL;
 
-	/* ip_route_me_harder expects skb->dst to be set */
+	/* ip_route_me_harder expects the skb's dst to be set */
-	dst_hold(oldskb->dst);
+	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
-	newskb->dst = oldskb->dst;
 
 	if (ip_route_me_harder(&newskb, addr_type) < 0)
 		goto free_nskb;
 
-	newip->ttl        = dst_metric(newskb->dst, RTAX_HOPLIMIT);
+	newip->ttl        = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
 	newskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" (?) */
-	if (newskb->len > dst_mtu(newskb->dst))
+	if (newskb->len > dst_mtu(skb_dst(newskb)))
 		goto free_nskb;
 
 	nf_ct_attach(newskb, *poldskb);
@@ -114,7 +113,6 @@ static struct xt_target echo_tg_reg __read_mostly = {
 	.proto      = IPPROTO_UDP,
 	.table      = "filter",
 	.target     = echo_tg4,
-	.targetsize = XT_ALIGN(0),
 	.me         = THIS_MODULE,
 };
 

extensions/xt_IPMARK.c

@@ -86,7 +86,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.table      = "mangle",
 		.target     = ipmark_tg4,
-		.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
+		.targetsize = sizeof(struct xt_ipmark_tginfo),
 		.me         = THIS_MODULE,
 	},
 	{
@@ -95,7 +95,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.table      = "mangle",
 		.target     = ipmark_tg6,
-		.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
+		.targetsize = sizeof(struct xt_ipmark_tginfo),
 		.me         = THIS_MODULE,
 	},
 };

extensions/xt_RAWNAT.c

@@ -22,6 +22,10 @@
 #include "compat_xtables.h"
 #include "xt_RAWNAT.h"
 
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 static inline __be32
 remask(__be32 addr, __be32 repl, unsigned int shift)
 {
@@ -29,6 +33,7 @@ remask(__be32 addr, __be32 repl, unsigned int shift)
 	return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
 }
 
+#ifdef WITH_IPV6
 static void
 rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 {
@@ -72,6 +77,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		break;
 	}
 }
+#endif
 
 static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
 {
@@ -162,6 +168,7 @@ rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
+#ifdef WITH_IPV6
 static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
     unsigned int *l4proto)
 {
@@ -274,6 +281,7 @@ rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
 	return XT_CONTINUE;
 }
+#endif
 
 static bool rawnat_tg_check(const struct xt_tgchk_param *par)
 {
@@ -296,6 +304,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "RAWSNAT",
 		.revision   = 0,
@@ -305,6 +314,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 	{
 		.name       = "RAWDNAT",
 		.revision   = 0,
@@ -314,6 +324,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "RAWDNAT",
 		.revision   = 0,
@@ -323,6 +334,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
 		.checkentry = rawnat_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
 static int __init rawnat_tg_init(void)

extensions/xt_SYSRQ.c

@@ -1,6 +1,6 @@
 /*
  *	"SYSRQ" target extension for Netfilter
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
  *
@@ -23,6 +23,14 @@
 #include <net/ip.h>
 #include "compat_xtables.h"
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) && \
+    (defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE))
+#	define WITH_CRYPTO 1
+#endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 static bool sysrq_once;
 static char sysrq_password[64];
 static char sysrq_hash[16] = "sha1";
@@ -38,7 +46,7 @@ MODULE_PARM_DESC(hash, "hash algorithm, default sha1");
 MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
 MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#ifdef WITH_CRYPTO
 static struct crypto_hash *sysrq_tfm;
 static int sysrq_digest_size;
 static unsigned char *sysrq_digest_password;
@@ -200,8 +208,8 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 		return NF_DROP;
 
 	iph = ip_hdr(skb);
-	if (iph->protocol != IPPROTO_UDP)
+	if (iph->protocol != IPPROTO_UDP && iph->protocol != IPPROTO_UDPLITE)
-		return NF_ACCEPT; /* sink it */
+		return NF_DROP;
 
 	udph = (const void *)iph + ip_hdrlen(skb);
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
@@ -214,6 +222,7 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
 
+#ifdef WITH_IPV6
 static unsigned int
 sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 {
@@ -230,7 +239,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	iph = ipv6_hdr(skb);
 	if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
 	    frag_off > 0)
-		return NF_ACCEPT; /* sink it */
+		return NF_DROP;
 
 	udph = (const void *)iph + th_off;
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
@@ -242,6 +251,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 		       ntohs(udph->dest), len);
 	return sysrq_tg(udph + sizeof(struct udphdr), len);
 }
+#endif
 
 static bool sysrq_tg_check(const struct xt_tgchk_param *par)
 {
@@ -278,6 +288,7 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 		.checkentry = sysrq_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "SYSRQ",
 		.revision   = 1,
@@ -286,12 +297,28 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 		.checkentry = sysrq_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
-static int __init sysrq_tg_init(void)
+static void sysrq_crypto_exit(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#ifdef WITH_CRYPTO
+	if (sysrq_tfm)
+		crypto_free_hash(sysrq_tfm);
+	if (sysrq_digest)
+		kfree(sysrq_digest);
+	if (sysrq_hexdigest)
+		kfree(sysrq_hexdigest);
+	if (sysrq_digest_password)
+		kfree(sysrq_digest_password);
+#endif
+}
+
+static int __init sysrq_crypto_init(void)
+{
+#if defined(WITH_CRYPTO)
 	struct timeval now;
+	int ret;
 
 	sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
 	if (IS_ERR(sysrq_tfm)) {
@@ -299,10 +326,12 @@ static int __init sysrq_tg_init(void)
 			": Error: Could not find or load %s hash\n",
 			sysrq_hash);
 		sysrq_tfm = NULL;
+		ret = PTR_ERR(sysrq_tfm);
 		goto fail;
 	}
 	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
 	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
+	ret = -ENOMEM;
 	if (sysrq_digest == NULL) {
 		printk(KERN_WARNING KBUILD_MODNAME
 			": Cannot allocate digest\n");
@@ -322,33 +351,31 @@ static int __init sysrq_tg_init(void)
 	}
 	do_gettimeofday(&now);
 	sysrq_seqno = now.tv_sec;
-	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	if (ret < 0)
+		goto fail;
+	return ret;
 
  fail:
-	if (sysrq_tfm)
+	sysrq_crypto_exit();
-		crypto_free_hash(sysrq_tfm);
+	return ret;
-	if (sysrq_digest)
+#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 19)
-		kfree(sysrq_digest);
+	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for < 2.6.19\n");
-	if (sysrq_hexdigest)
-		kfree(sysrq_hexdigest);
-	if (sysrq_digest_password)
-		kfree(sysrq_digest_password);
-	return -EINVAL;
-#else
-	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for <= 2.6.18\n");
-	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 #endif
+	return -EINVAL;
+}
+
+static int __init sysrq_tg_init(void)
+{
+	if (sysrq_crypto_init() < 0)
+		printk(KERN_WARNING "xt_SYSRQ starting without crypto\n");
+	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 }
 
 static void __exit sysrq_tg_exit(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	sysrq_crypto_exit();
-	crypto_free_hash(sysrq_tfm);
+	xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
-	kfree(sysrq_digest);
-	kfree(sysrq_hexdigest);
-	kfree(sysrq_digest_password);
-#endif
-	return xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 }
 
 module_init(sysrq_tg_init);

extensions/xt_TEE.c

@@ -232,6 +232,7 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 
 	memset(&fl, 0, sizeof(fl));
 	fl.iif = skb_ifindex(skb);
+	/* No mark in flowi before 2.6.19 */
 #if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
 	fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)

extensions/xt_condition.c

@@ -35,6 +35,7 @@ static unsigned int condition_gid_perms = 0;
 
 MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
 MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Allows rules to match against condition variables");
 MODULE_LICENSE("GPL");
 module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
@@ -55,7 +56,7 @@ struct condition_variable {
 
 /* proc_lock is a user context only semaphore used for write access */
 /*           to the conditions' list.                               */
-static struct semaphore proc_lock;
+static struct mutex proc_lock;
 
 static LIST_HEAD(conditions_list);
 static struct proc_dir_entry *proc_net_condition;
@@ -69,7 +70,6 @@ static int condition_proc_read(char __user *buffer, char **start, off_t offset,
 	buffer[1] = '\n';
 	if (length >= 2)
 		*eof = true;
-
 	return 2;
 }
 
@@ -92,7 +92,6 @@ static int condition_proc_write(struct file *file, const char __user *buffer,
 			break;
 		}
 	}
-
 	return length;
 }
 
@@ -124,18 +123,17 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 		       info->name);
 		return false;
 	}
-
 	/*
 	 * Let's acquire the lock, check for the condition and add it
 	 * or increase the reference counter.
 	 */
-	if (down_interruptible(&proc_lock))
+	if (mutex_lock_interruptible(&proc_lock) != 0)
 		return false;
 
 	list_for_each_entry(var, &conditions_list, list) {
 		if (strcmp(info->name, var->status_proc->name) == 0) {
 			var->refcount++;
-			up(&proc_lock);
+			mutex_unlock(&proc_lock);
 			info->condvar = var;
 			return true;
 		}
@@ -143,19 +141,17 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 
 	/* At this point, we need to allocate a new condition variable. */
 	var = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);
-
 	if (var == NULL) {
-		up(&proc_lock);
+		mutex_unlock(&proc_lock);
 		return false;
 	}
 
 	/* Create the condition variable's proc file entry. */
 	var->status_proc = create_proc_entry(info->name, condition_list_perms,
 	                   proc_net_condition);
-
 	if (var->status_proc == NULL) {
 		kfree(var);
-		up(&proc_lock);
+		mutex_unlock(&proc_lock);
 		return false;
 	}
 
@@ -168,14 +164,10 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 	wmb();
 	var->status_proc->read_proc  = condition_proc_read;
 	var->status_proc->write_proc = condition_proc_write;
-
 	list_add_rcu(&var->list, &conditions_list);
-
 	var->status_proc->uid = condition_uid_perms;
 	var->status_proc->gid = condition_gid_perms;
-
+	mutex_unlock(&proc_lock);
-	up(&proc_lock);
-
 	info->condvar = var;
 	return true;
 }
@@ -185,11 +177,11 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 	const struct xt_condition_mtinfo *info = par->matchinfo;
 	struct condition_variable *var = info->condvar;
 
-	down(&proc_lock);
+	mutex_lock(&proc_lock);
 	if (--var->refcount == 0) {
 		list_del_rcu(&var->list);
 		remove_proc_entry(var->status_proc->name, proc_net_condition);
-		up(&proc_lock);
+		mutex_unlock(&proc_lock);
 		/*
 		 * synchronize_rcu() would be good enough, but
 		 * synchronize_net() guarantees that no packet
@@ -200,7 +192,7 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 		kfree(var);
 		return;
 	}
-	up(&proc_lock);
+	mutex_unlock(&proc_lock);
 }
 
 static struct xt_match condition_mt_reg[] __read_mostly = {
@@ -208,7 +200,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 		.name       = "condition",
 		.revision   = 1,
 		.family     = NFPROTO_IPV4,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
+		.matchsize  = sizeof(struct xt_condition_mtinfo),
 		.match      = condition_mt,
 		.checkentry = condition_mt_check,
 		.destroy    = condition_mt_destroy,
@@ -218,7 +210,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 		.name       = "condition",
 		.revision   = 1,
 		.family     = NFPROTO_IPV6,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
+		.matchsize  = sizeof(struct xt_condition_mtinfo),
 		.match      = condition_mt,
 		.checkentry = condition_mt_check,
 		.destroy    = condition_mt_destroy,
@@ -232,7 +224,7 @@ static int __init condition_mt_init(void)
 {
 	int ret;
 
-	sema_init(&proc_lock, 1);
+	mutex_init(&proc_lock);
 	proc_net_condition = proc_mkdir(dir_name, init_net__proc_net);
 	if (proc_net_condition == NULL)
 		return -EACCES;

extensions/xt_fuzzy.c

@@ -146,7 +146,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+		.matchsize  = sizeof(struct xt_fuzzy_mtinfo),
 		.me         = THIS_MODULE,
 	},
 	{
@@ -155,7 +155,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+		.matchsize  = sizeof(struct xt_fuzzy_mtinfo),
 		.me         = THIS_MODULE,
 	},
 };

extensions/xt_iface.c

@@ -71,7 +71,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
 		.name       = "iface",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.matchsize  = sizeof(struct xt_iface_mtinfo),
 		.match      = xt_iface_mt,
 		.me         = THIS_MODULE,
 	},
@@ -79,7 +79,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
 		.name       = "iface",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.matchsize  = sizeof(struct xt_iface_mtinfo),
 		.match      = xt_iface_mt,
 		.me         = THIS_MODULE,
 	},

extensions/xt_ipp2p.c

@@ -505,19 +505,18 @@ search_bittorrent(const unsigned char *payload, const unsigned int plen)
 		if (payload[0] == 0x13)
 			if (memcmp(payload + 1, "BitTorrent protocol", 19) == 0)
 				return IPP2P_BIT * 100;
-
 		/*
-		 * get tracker commandos, all starts with GET /
+		 * Any tracker command starts with GET / then *may be* some file on web server
-		 * then it can follow: scrape| announce
+		 * (e.g. announce.php or dupa.pl or whatever.cgi or NOTHING for tracker on root dir)
-		 * and then ?hash_info=
+		 * but *must have* one (or more) of strings listed below (true for scrape and announce)
 		 */
 		if (memcmp(payload, "GET /", 5) == 0) {
-			/* message scrape */
+			if (HX_memmem(payload, plen, "info_hash=", 9) != NULL)
-			if (memcmp(payload + 5, "scrape?info_hash=", 17) == 0)
 				return IPP2P_BIT * 100 + 1;
-			/* message announce */
+			if (HX_memmem(payload, plen, "peer_id=", 8) != NULL)
-			if (memcmp(payload + 5, "announce?info_hash=", 19) == 0)
 				return IPP2P_BIT * 100 + 2;
+			if (HX_memmem(payload, plen, "passkey=", 8) != NULL)
+				return IPP2P_BIT * 100 + 4;
 		}
 	} else {
 	    	/* bitcomet encryptes the first packet, so we have to detect another

extensions/xt_ipv4options.c

@@ -50,7 +50,7 @@ static struct xt_match ipv4options_mt_reg __read_mostly = {
 	.revision  = 1,
 	.family    = NFPROTO_IPV4,
 	.match     = ipv4options_mt,
-	.matchsize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.matchsize = sizeof(struct xt_ipv4options_mtinfo1),
 	.me        = THIS_MODULE,
 };
 

extensions/xt_length2.c

@@ -136,6 +136,30 @@ static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
 	}
 }
 
+static bool
+length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_length_mtinfo2 *info = par->matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+	unsigned int len = 0;
+	bool hit = true;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		len = ntohs(iph->tot_len);
+	else if (info->flags & XT_LENGTH_LAYER4)
+		len = ntohs(iph->tot_len) - par->thoff;
+	else if (info->flags & XT_LENGTH_LAYER5)
+		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
+	else if (info->flags & XT_LENGTH_LAYER7)
+		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
+	if (!hit)
+		return false;
+
+	return (len >= info->min && len <= info->max) ^
+	       !!(info->flags & XT_LENGTH_INVERT);
+}
+
+#ifdef WITH_IPV6
 /**
  * llayer4_proto - figure out the L4 protocol in an IPv6 packet
  * @skb:	skb pointer
@@ -173,30 +197,6 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
 	return NEXTHDR_MAX;
 }
 
-static bool
-length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-	const struct xt_length_mtinfo2 *info = par->matchinfo;
-	const struct iphdr *iph = ip_hdr(skb);
-	unsigned int len = 0;
-	bool hit = true;
-
-	if (info->flags & XT_LENGTH_LAYER3)
-		len = ntohs(iph->tot_len);
-	else if (info->flags & XT_LENGTH_LAYER4)
-		len = ntohs(iph->tot_len) - par->thoff;
-	else if (info->flags & XT_LENGTH_LAYER5)
-		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
-	else if (info->flags & XT_LENGTH_LAYER7)
-		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
-	if (!hit)
-		return false;
-
-	return (len >= info->min && len <= info->max) ^
-	       !!(info->flags & XT_LENGTH_INVERT);
-}
-
-#ifdef WITH_IPV6
 static bool
 length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 {

extensions/xt_psd.c

@@ -312,7 +312,7 @@ out_match:
 
 static struct xt_match xt_psd_reg __read_mostly = {
 	.name		= "psd",
-    .family		= AF_INET,
+	.family    = NFPROTO_IPV4,
 	.revision  = 1,
 	.match		= xt_psd_match,
 	.matchsize	= sizeof(struct xt_psd_info),

include/linux/netfilter.h

@@ -3,6 +3,7 @@
 
 #include <linux/types.h>
 
+
 /* Responses from hook functions. */
 #define NF_DROP 0
 #define NF_ACCEPT 1
@@ -37,6 +38,16 @@ enum nf_inet_hooks {
 	NF_INET_NUMHOOKS
 };
 
+enum {
+	NFPROTO_UNSPEC =  0,
+	NFPROTO_IPV4   =  2,
+	NFPROTO_ARP    =  3,
+	NFPROTO_BRIDGE =  7,
+	NFPROTO_IPV6   = 10,
+	NFPROTO_DECNET = 12,
+	NFPROTO_NUMPROTO,
+};
+
 union nf_inet_addr {
 	__u32		all[4];
 	__be32		ip;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.22 (2010-01-22)" "" "v1.22 (2010-11-22)"
+.TH xtables-addons 8 "v1.24 (2010-03-17)" "" "v1.24 (2010-03-17)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets