anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-20 19:44:56 +02:00
Code Issues Releases Wiki Activity

Compare commits

base: anonfunc:v1.22
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0
..
compare: anonfunc:v1.31
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0

126 Commits
v1.22 ... v1.31

Author SHA1 Message Date
Jan Engelhardt
81ad2519a9 Xtables-addons 1.31 2010-11-05 19:42:22 +01:00
Jan Engelhardt
f65ea59795 Merge branch 'gradm' 2010-11-03 23:58:59 +01:00
Jan Engelhardt
baf7b1091a Merge remote branch 'origin/iface' 2010-11-03 23:58:35 +01:00
Jan Engelhardt
2ae0413e31 build: properly detect versions like "2.6.36+" 2010-11-03 12:55:09 +01:00
Jan Engelhardt
db76ea9a5c xt_iface: allow matching against incoming/outgoing interface 2010-10-31 01:53:23 +02:00
Jan Engelhardt
3ed1a3cbf0 build: autodetect value for --with-xtlibdir 2010-10-31 01:01:13 +02:00
Anthony G. Basile
9c4c76f9e2 libxt_gradm: match packets based on status of grsecurity RBAC 
This patch adds a module which is useful to users of grsecurity's RBAC
system. It matches packets based on whether RBAC is enabled or
disabled.

See: http://grsecurity.net/

Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>

Jan Engelhardt> Also, I do not see a xt_gradm.c in this patch.

This [xt_gradm.c] is part of the grsecurity patch which not only adds
the Xtables code, but also the RBAC code. Without the entire RBAC
stuff, xt_gradm does not make sense and so it is included with the
grsecurity patch to the kernel, and not this patch to Xtables-addons.

>Can you elaborate a bit on how this is useful in conjunction with
>rulesets? I could imagine it be used with LSM selctx'es for example,
>or another extension that tests for other RBAC attributes.

The idea here is that when the RBAC rulesets are not being enforced,
the system is more vulnerable and the user wants stricter firewall
rules. When RBAC is being enforced, one can relax the firewall and
access to services which are now better protected. In practice this
usually means allowing only access to some trusted IP(s) on boot
before RBAC is turned on.
 2010-10-29 14:54:06 +02:00
Jan Engelhardt
7f33590df8 doc: update changelog 2010-10-29 14:48:27 +02:00
Jan Engelhardt
6733265358 xt_iface: reorder code for upcoming address checking 
From now on, info->flags lists the flags to test, not just the flags
to test positively for.
 2010-10-24 18:13:28 +02:00
Jan Engelhardt
f757049112 xt_iface: reduce indent by early return 2010-10-24 16:35:12 +02:00
Jan Engelhardt
21cdf786f7 xt_iface: move XT_IFACE_IFACE out of the public header 
This flag is only used by the userspace component, so remove it from
the kernel header. Also change the value to 1<<16 for the same reason.
 2010-10-24 16:31:26 +02:00
Jan Engelhardt
7c248871f8 build: respect LDFLAGS on make 
Without setting these variables, ./configure LDFLAGS=-m32
would have no effect.
 2010-10-20 19:20:34 +02:00
Jan Engelhardt
3500a38767 build: improve detection of kernel version and error handling 
Thanks to Arkadiusz Miskiewicz from PLD for reporting.

	make: *** kernelrelease: No such file or directory. Stop.
	Found kernel version "...0" in
	ERROR: That kernel version is not supported. Please see
	INSTALL for minimum configuration.
 2010-10-16 15:56:15 +02:00
Jan Engelhardt
cf9b60a57e ACCOUNT: remove uses of obsolete IPT_CONTINUE 
And replace by XT_CONTINUE, to avoid compilation errors in 2.6.37.
 2010-10-16 15:45:31 +02:00
Jan Engelhardt
e5eedb25c2 LOGMARK: print remaining ct lifetime 2010-10-12 17:29:26 +02:00
Jan Engelhardt
e3ae8dcb81 Xtables-addons 1.30 2010-10-02 00:41:47 +02:00
Jan Engelhardt
aca381d3b6 mconfig: deactivate building of xt_TEE and xt_CHECKSUM 2010-10-02 00:41:17 +02:00
Jan Engelhardt
bb15becc88 ipset: update to 4.4 2010-10-02 00:34:38 +02:00
Jan Engelhardt
14458b3a7e Xtables-addons 1.29 2010-09-29 02:51:48 +02:00
Jan Engelhardt
2d36632d4a build: add workaround for beoken linux-glibc-devel (2) 2010-09-29 02:51:26 +02:00
Jan Engelhardt
b5e2c7255a build: add workaround for broken linux-glibc-devel 2.6.34 userspace headers 2010-09-23 02:37:45 +02:00
Jan Engelhardt
376a89e7d1 build: support for Linux 2.6.36 2010-09-22 23:37:34 +02:00
Jan Engelhardt
03ec8a7696 TEE: resolve compile error with Linux 2.6.36-rc 
xt_TEE.c:54:19: error: request for member "dst" in something not a
structure or union
xt_TEE.c:55:20: error: "struct rtable" has no member named "u"

Linux kernel commit v2.6.36-rc1~571^2~616 changed this.
 2010-09-22 23:37:19 +02:00
Jan Engelhardt
442982f04e SYSRQ: resolve compile error with Linux 2.6.36-rc 
xt_SYSRQ.c:156:3: error: too many arguments to function 'handle_sysrq'

Linux kernel commit v2.6.36-rc3~19^2~5 changed it and finally removed
the last unused argument.
 2010-09-22 23:37:02 +02:00
Jan Engelhardt
98b853cea3 ipset: update to 4.3+git3 2010-09-22 22:41:24 +02:00
Jan Engelhardt
59401339b8 ipset: bump version number 
Basically Xtables-addons's copy of ipset is already functionally equal
to ipset 4.3 thanks to our compat_xtables layer (and our modifications
in ipset/ to use it).
 2010-09-22 22:32:50 +02:00
Jan Engelhardt
121836ce80 ipset: enable building of ip_set_ipport{ip,net}hash.ko 2010-09-22 22:30:58 +02:00
Jan Engelhardt
c23df41f6e compat_xtables: return bool for match_check and target_check (doc) 2010-09-22 22:30:10 +02:00
Jan Engelhardt
fb2eea69af compat_xtables: return bool for match_check and target_check in 2.6.23..34 
Reported-by: Tomasz Pala <gotar@polanet.pl>
 2010-09-01 15:02:04 +02:00
Jan Engelhardt
4815e3a8a6 doc: add API helper files 
These files should be a very quick reference to the Xtables APIs of
previous Linux kernel versions and Xtables-addons. Their contents have
been reformatted so as to be usable with diff -u.
 2010-09-01 12:06:27 +02:00
Jan Engelhardt
f9922c6f85 configure: pkglibexecdir requires automake >= 1.10.2 2010-08-28 13:56:12 +02:00
Jan Engelhardt
24491d55d7 Xtables-addons 1.28 2010-07-24 11:33:11 +02:00
Jan Engelhardt
7ab69a17fa geoip: add -D option to geoip_build_dir.pl 
This option allows to specify a particular output directory. This help
Makefiles in that they do not need to use cd.
 2010-07-24 11:22:37 +02:00
Jan Engelhardt
d2339410b2 geoip: add .gitignore 2010-07-24 11:22:37 +02:00
Jan Engelhardt
649caf61e8 geoip: rename original script to build_db 2010-07-24 11:22:37 +02:00
Jan Engelhardt
922a9be87d geoip: import scripts for building the xt_geoip database 2010-07-24 11:22:33 +02:00
Jan Engelhardt
4d48511f01 xt_length2: IPv6 jumbogram support 2010-07-24 10:57:03 +02:00
Jan Engelhardt
6dedbef3d4 doc: keep manpage ordered 
`find` could return entries out of order.
 2010-07-19 11:14:29 +02:00
Patrick McHardy
fe49f9b6a4 xt_CHECKSUM: use xtables_param_act 2010-07-15 12:21:16 +02:00
Patrick McHardy
283974cbbe xt_CHECKSUM: only use __u* in public header files 2010-07-15 12:21:16 +02:00
Patrick McHardy
7deca86132 xt_CHECKSUM: remove unnecessary header inclusions 2010-07-15 12:21:16 +02:00
Jan Engelhardt
7d6435f422 doc: update geoip db url 
My hopto.org zone disappeared after I left it unattended...
 2010-07-12 00:49:23 +02:00
Jan Engelhardt
748f5cfdd0 xt_CHECKSUM: remove pointless $ 2010-07-11 17:59:47 +02:00
Michael S. Tsirkin
d402cec807 xt_CHECKSUM: initial import 
This adds a "CHECKSUM" target, which can be used in the iptables mangle
table.

You can use this target to compute and fill in the checksum in a packet
that lacks a checksum. This is particularly useful, if you need to work
around old applications such as dhcp clients, that do not work well with
checksum offloads, but don't want to disable checksum offload in your
device.

The problem happens in the field with virtualized applications. For
reference, see Red Hat bz 605555, as well as
http://www.spinics.net/lists/kvm/msg37660.html

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 2010-07-11 17:54:54 +02:00
John Haxby
b42190c04b xt_SYSRQ: fix a couple of problems 
The first problem is that the error response from crypto_alloc_hash()
should be extracted from the pointer before setting the pointer to NULL.

The second error is that only the first half of the password hash is
checked which slightly weakens the password checking.

Signed-off-by: John Haxby <john.haxby@oracle.com>
 2010-06-25 12:20:26 +02:00
Jan Engelhardt
4dcefe4b95 xt_geoip: fix possible out-of-bounds access 
It is possible for geoip_bsearch() to pick mid == sizeof(subnets).

Consider a set with a single entry and a "address to test"
higher than the range:

1st call: lo = 0, hi = 1 -> mid will be 0
2nd call: lo = 1, hi = 1 -> mid will be 1

On the 2nd call, we'll examine random data.

Reported-by: Florian Westphal <fw@strlen.de>
 2010-06-13 10:40:07 +02:00
Jan Engelhardt
a2662b0121 RAWNAT: IPv6 variants erroneously rejected masks /33-/128 2010-06-12 09:23:59 +02:00
Jan Engelhardt
03354eed44 build: make configure CFLAGS=-ggdb3 have effect on .so files 2010-06-12 09:22:35 +02:00
Changli Gao
ddda6972a4 RAWNAT: fix incorrect mask in rawnat_ipv6_mask 
I really think it is a typo mistake. :)

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
 2010-05-29 12:35:14 +02:00
Jan Engelhardt
8e7359bb92 Merge remote branch 'sf/master' 2010-05-29 10:16:04 +02:00
Jan Engelhardt
40786af1c0 build: update tarball target 2010-05-19 19:32:28 +02:00
Jan Engelhardt
f6e2fb815e Xtables-addons 1.27 2010-05-16 22:19:02 +02:00
Jan Engelhardt
f171a0f07e xa-d-m: remove superfluous protos 2010-05-14 13:03:16 +02:00
Jan Engelhardt
d17ddb9c94 Merge branch 'api35' 2010-05-14 11:52:18 +02:00
Jan Engelhardt
54d80a73b4 compat_xtables: more 2.6.35 support 2010-05-14 11:51:34 +02:00
Jan Engelhardt
43921c5834 compat_xtables: move to 2.6.35 xt_action_param (3/3) 
Since the last merge of the "api35" branch, further changes were
included into nf-next. This set of three commits updates the
xtables-addons API to match that.
 2010-05-13 19:45:56 +02:00
Jan Engelhardt
9a18a05d02 compat_xtables: move to 2.6.35 xt_action_param (2/3) 2010-05-13 19:45:52 +02:00
Jan Engelhardt
5b472be9bb compat_xtables: move to 2.6.35 xt_action_param (1/3) 2010-05-13 19:28:37 +02:00
Jan Engelhardt
4dd35fb564 compat_xtables: move 2.6.28+ xtnu_target_run code 2010-05-13 16:52:55 +02:00
Jan Engelhardt
b32d6dad90 compat_xtables: remove unused list member from xtnu_{match,target} 2010-05-13 16:03:05 +02:00
Jan Engelhardt
5b2cb97c06 compat_xtables: annotate struct xtnu_{match,target}->name 2010-05-13 15:58:50 +02:00
Jan Engelhardt
ca894d6687 compat_xtables: improve memory usage in struct xtnu_{match,target} 2010-05-13 15:51:54 +02:00
Jan Engelhardt
db717ec479 xt_quota2: reduce printf complexity 2010-05-13 15:39:29 +02:00
Jan Engelhardt
a46ca95078 Xtables-addons 1.26 2010-04-30 22:54:06 +02:00
Jan Engelhardt
8b2a266db0 compat_xtables: fix 2.6.34 compile error due to a typo 2010-04-30 22:50:52 +02:00
Jan Engelhardt
03e10ff544 Xtables-addons 1.25 2010-04-26 14:14:02 +02:00
Jan Engelhardt
37986fd785 Merge branch 'tee' 2010-04-26 14:12:03 +02:00
Jan Engelhardt
8ff64f4ef4 xt_TEE: move skb cleanup outwards 2010-04-15 23:47:07 +02:00
Jan Engelhardt
93f6c1a312 xt_TEE: remove debug printks 2010-04-15 22:54:05 +02:00
Jan Engelhardt
b535abce2e xt_TEE: use nf_conntrack_untracked 
No reason having to use our own nf_conntrack bucket.
 2010-04-15 21:29:37 +02:00
Jan Engelhardt
5db988626f Merge branch 'condition' 2010-04-15 21:10:36 +02:00
Jan Engelhardt
c6f8f72bf1 xt_condition: use non-interruptible check routine 
Patrick McHardy let's it be known: "No need for interruptible locking,
the section is very short and usually there's only a single iptables
process running at a time."
 2010-04-09 12:38:48 +02:00
Jan Engelhardt
47cbb07162 xt_condition: remove unnecessary RCU protection 
The module does not use the RCU mechanism, so calling
list_add_rcu/list_del_rcu does not make much sense either.
 2010-04-09 12:28:12 +02:00
Jan Engelhardt
79c55ab325 Merge branch 'api35' 2010-04-09 12:24:21 +02:00
Jan Engelhardt
11ab4d0acc compat_xtables: correct compile errors 2010-04-09 12:24:19 +02:00
Jan Engelhardt
8ae9ac5433 xt_TEE: use less expensive pskb_copy 2010-04-07 01:31:18 +02:00
Jan Engelhardt
2060a58912 build: do not print enter/exit during banner 2010-04-05 02:22:49 +02:00
Jan Engelhardt
e1eed2b05e Merge branch 'tee' 2010-04-05 02:15:26 +02:00
Jan Engelhardt
7b077c7459 Merge branch 'api35' 2010-04-05 02:15:24 +02:00
Jan Engelhardt
ad146dbeef compat_xtables: move to 2.6.35 API for targets 2010-04-05 02:15:20 +02:00
Jan Engelhardt
fb4c49d794 xt_TEE: new loop detection logic 2010-04-05 00:47:08 +02:00
Jan Engelhardt
a17203e036 xt_TEE: remove old loop detection 
The loop detection does not work if the kernel is built without
conntrack. In fact, since cloned packets are sent directly and do not
pass through Xtables, there are no loops happening.
 2010-04-05 00:47:08 +02:00
Jan Engelhardt
987402dc61 xt_TEE: do not retain iif and mark on cloned packet 
Patrick McHardy explains in [1] that locally-generated packets (such
as the clones xt_TEE will create) usually start with no iif and no
mark value, and even if cloned packets are a little more special than
locally-generated ones, let's do it that way.

[1] http://marc.info/?l=netfilter-devel&m=127012289008156&w=2
 2010-04-05 00:47:08 +02:00
Jan Engelhardt
295b6b6d73 xt_TEE: do not limit use to mangle table 2010-04-05 00:47:08 +02:00
Jan Engelhardt
7338a2a400 xt_TEE: free skb when route lookup failed 2010-04-05 00:47:08 +02:00
Jan Engelhardt
ba35636718 xt_TEE: set dont-fragment on cloned packets 2010-04-05 00:47:08 +02:00
Jan Engelhardt
fd19a40dbe xt_TEE: avoid making original packet writable 
There is not any real need to make the original packet writable, as it
is not going to be modified anyway.
 2010-04-05 00:47:08 +02:00
Jan Engelhardt
937571bb9d xt_TEE: decrease TTL on cloned packet 2010-04-05 00:47:03 +02:00
Jan Engelhardt
346fc1a376 xt_TEE: do rechecksumming in PREROUTING too 2010-04-05 00:46:12 +02:00
Jan Engelhardt
56535551b3 xt_TEE: use ip_send_check instead of open-coded logic 2010-04-05 00:46:12 +02:00
Jan Engelhardt
dd8fdd09c8 xt_SYSRQ: do not print error messages on ENOMEM 
Memory allocation failures are usually already reported by SLAB and
the ENOMEM error code itself.
 2010-04-05 00:45:28 +02:00
Jan Engelhardt
beb3358297 compat_xtables: move to 2.6.35 API for matches 2010-04-05 00:43:47 +02:00
Jan Engelhardt
02d8bdc3d9 build: add a version banner on make modules 
Because the build error logs of module-assistant are totally useless,
as the tarball filename has been stripped of the version, and
configure is not run either.
 2010-04-05 00:43:32 +02:00
Jan Engelhardt
42b77a386a doc: put --with-xtlibdir in the spotlight 
Too many people forget to specify the proper location...
 2010-04-03 22:08:42 +02:00
Jan Engelhardt
6340363394 Xtables-addons 1.24 2010-03-17 02:50:23 +01:00
Jan Engelhardt
c9b4e9c518 xt_SYSRQ: drop unprocessed packets 2010-03-17 02:50:23 +01:00
Jan Engelhardt
8dd316ed56 Revert "xt_TEE: cosmetic replace a version check" 
This reverts commit ab13e58f96.

Whoops. There is no mark at all before 2.6.19.
 2010-03-17 02:38:22 +01:00
Jan Engelhardt
48327605c6 modules: replace AF/PF with NFPROTO 2010-03-17 02:25:40 +01:00
Jan Engelhardt
414e95ffb1 extensions: replace AF/PF with NFPROTO 
Needs one update of netfilter.h to something recent, too.
 2010-03-17 02:20:39 +01:00
Jan Engelhardt
749e0b788a build: fix build of userspace modules against old headers from linux-glibc-devel 2010-03-17 02:10:56 +01:00
Jan Engelhardt
7512101bca modules: replace AF/PF with NFPROTO 2010-03-16 23:37:05 +01:00
Jan Engelhardt
1a17ed6a45 modules: strip unneeded XT_ALIGN from matchsize/targetsize 
The x_tables kernel part already does calculate it.
 2010-03-16 23:34:25 +01:00
Jan Engelhardt
1aeaadd740 modules: remove XT_ALIGN(0) lines 2010-03-16 23:26:05 +01:00
Jan Engelhardt
0acbe528ac xt_condition: remove some blank lines 2010-03-16 23:22:18 +01:00
Jan Engelhardt
f5fe2dc801 xt_condition: switch semaphore to a mutex 2010-03-16 23:16:07 +01:00
Jan Engelhardt
524201adcc xt_SYSRQ: allow processing of UDP-Lite 2010-03-16 17:27:59 +01:00
Jan Engelhardt
7cfd3b1dbb xt_SYSRQ: fix wrong define for crypto inclusion 2010-03-16 17:20:57 +01:00
Jan Engelhardt
ab13e58f96 xt_TEE: cosmetic replace a version check 2010-03-16 17:01:02 +01:00
Jan Engelhardt
548922388c SYSRQ: let module load when crypto is unavailable 2010-03-01 11:20:59 +01:00
Tomasz Tomkowiak
43864ac6f1 ipp2p: bittorrent commands 
After testing I decide to write my patch to bittorrent GET commands
from xt_ipp2p.c because old procedure is useless for modified and/or
private trackers.

BTW: info_hash may be 3rd argument, passkey (private trackers) may be
1st argument (or not) etc. so we need to search.
 2010-02-28 17:25:49 +01:00
Jan Engelhardt
2ef714cc93 compat_xtables: add a memmem function 
This will be needed by xt_ipp2p right away.
 2010-02-28 17:24:27 +01:00
Jan Engelhardt
8b71d90002 Xtables-addons 1.23 2010-02-24 20:59:38 +01:00
Jan Engelhardt
457e86b908 build: support for Linux 2.6.34 2010-02-24 12:11:10 +01:00
Jan Engelhardt
9b99211326 doc: changelog update 2010-02-24 12:10:26 +01:00
Peter Volkov
c96845a311 SYSRQ: make IPv6 optional 
In case the kernel is built without IPv6 support the compilation of
this module fails as it assumes IPv6. This patch makes kernel support
conditional on kernel .config.
 2010-02-24 00:34:14 +01:00
Peter Volkov
01e4bace4d RAWNAT: make IPv6 optional 
In case the kernel is built without IPv6 support the compilation of
this module fails as it assumes IPv6. This patch makes kernel support
conditional on kernel .config.
 2010-02-24 00:32:44 +01:00
Jan Engelhardt
84704346e7 RAWNAT: do not build ip6table_rawpost if IPv6 is not enabled 2010-02-24 00:31:48 +01:00
Jan Engelhardt
77bd7953fb length2: guard off IPv6-only functions 2010-02-24 00:29:55 +01:00
Jan Engelhardt
8c02b00a33 doc: a few extra words to pkgconfig overriding 2010-02-18 13:00:38 +01:00
Jonas Berlin
1f8b91ce53 doc: improve documentation for using non-standard location of libxtables 
How to use PKG_CONFIG_PATH. Get rid of remaining references to
recently removed --with-xtables flag.
 2010-02-18 12:56:46 +01:00
Jan Engelhardt
dac1b7d506 doc: remove unnecessasry --with-xtables option 2010-02-18 11:14:46 +01:00
Jan Engelhardt
40d0345f1e build: remove unnecessasry --with-xtables option 
Jonas Berlin notes that --with-xtables only emitted a -I parameter
and -L was absent.

On second look, we would also be missing -Wl,-rpath, and that would
all be system-dependent. The --with-xtables option is actually not
needed; one can easily specify extra include directories and linker
flags by means of overriding libxtables_CFLAGS and libxtables_LIBS
(even when there are no installed pkgconfig files for libxtables).
 2010-02-16 22:26:07 +01:00
Jan Engelhardt
3e70d6289d build: remove unused kinclude_CFLAGS 2010-02-16 22:26:07 +01:00
Jan Engelhardt
d99c8570f3 build: remove unused --with-ksource option 2010-02-16 22:26:07 +01:00
Jan Engelhardt
cf7a40fbe7 ECHO: update to use skb_dst 2010-02-03 19:35:33 +01:00
Jan Engelhardt
0de9f38412 ipset: update to 4.2 2010-01-25 11:54:34 +01:00
103 changed files with 1794 additions and 680 deletions
Expand all files Collapse all files

38
INSTALL
View File

@@ -4,7 +4,7 @@ Installation instructions for Xtables-addons
Xtables-addons uses the well-known configure(autotools) infrastructure
in combination with the kernel's Kbuild system.
$ ./configure
$ ./configure --with-xtlibdir=SEE_BELOW
$ make
# make install
@@ -51,20 +51,14 @@ Configuring and compiling
For RPM building, it should be /usr/src/linux-obj/...
or whatever location the distro makes use of.
--with-xtables=
Specifies the path to the directory where we may find
xtables.h, should it not be within the standard C compiler
include path (/usr/include), or if you want to override it.
The directory will be checked for xtables.h and
include/xtables.h. (The latter to support both standard
/usr/include and the iptables source root.)
--with-xtlibdir=
Specifies the path to where the newly built extensions should
be installed when `make install` is run. It uses the same
default as the Xtables/iptables package, ${libexecdir}/xtables.
default as the Xtables/iptables package, ${libexecdir}/xtables,
but you may need to specify this nevertheless, as autotools
defaults to using /usr/local as prefix, and distributions put
the files in differing locations.
If you want to enable debugging, use
@@ -73,6 +67,25 @@ If you want to enable debugging, use
(-O0 is used to turn off instruction reordering, which makes debugging
much easier.)
To make use of a libxtables that is not in the default path, either
a) append the location of the pkg-config files like:
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
(Assuming that files have been installed)
or,
b) override the pkg-config variables, for example:
./configure libxtables_CFLAGS="-I../iptables/include" \
libxtables_LIBS="-L../iptables/.libs \
-Wl,-rpath,../iptables/.libs -lxtables"
(Use this in case you wish to use it without having to
run `make install`. This is because the libxtables.pc pkgconfig
file in ../iptables would already point to e.g. /usr/local.)
Build-time options
==================
@@ -89,4 +102,5 @@ Except for --with-kbuild, distributions should not have a need to
supply any other flags (besides --prefix=/usr and perhaps
--libdir=/usr/lib64, etc.) to configure when all prerequired packages
are installed. If iptables-devel is installed, necessary headers should
be in /usr/include, so --with-xtables is not needed.
already be in /usr/include, so that overriding PKG_CONFIG_PATH,
libxtables_CFLAGS and libxtables_LIBS variables should not be needed.

17
Makefile.am
View File

@@ -1,7 +1,7 @@
# -*- Makefile -*-
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = extensions
SUBDIRS = extensions geoip
man_MANS := xtables-addons.8
@@ -16,10 +16,15 @@ install-exec-hook:
config.status: Makefile.iptrules.in
tmpdir := $(shell mktemp -dtu)
packer = xz
packext = .tar.xz
.PHONY: tarball
tarball:
rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
pushd ${top_srcdir} && git archive --prefix=xtables-addons-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
pushd /tmp/xtables-addons-${PACKAGE_VERSION} && ./autogen.sh && popd;
tar -C /tmp -cjf xtables-addons-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root xtables-addons-${PACKAGE_VERSION}/;
rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
# do not use mkdir_p here.
mkdir ${tmpdir}
pushd ${top_srcdir} && git archive --prefix=${PACKAGE_NAME}-${PACKAGE_VERSION}/ HEAD | tar -C ${tmpdir} -x && popd;
pushd ${tmpdir}/${PACKAGE_NAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
tar --use=${packer} -C ${tmpdir} -cf ${PACKAGE_NAME}-${PACKAGE_VERSION}${packext} --owner=root --group=root ${PACKAGE_NAME}-${PACKAGE_VERSION}/;
rm -Rf ${tmpdir};

6
Makefile.iptrules.in
View File

@@ -1,6 +1,8 @@
# -*- Makefile -*-
# MANUAL
abs_top_srcdir = @abs_top_srcdir@
prefix = @prefix@
exec_prefix = @exec_prefix@
libexecdir = @libexecdir@
@@ -8,11 +10,13 @@ xtlibdir = @xtlibdir@
CC = @CC@
CCLD = ${CC}
CFLAGS = @CFLAGS@
LDFLAGS = @LDFLAGS@
regular_CFLAGS = @regular_CFLAGS@
libxtables_CFLAGS = @libxtables_CFLAGS@
libxtables_LIBS = @libxtables_LIBS@
AM_CFLAGS = ${regular_CFLAGS} ${libxtables_CFLAGS}
AM_CFLAGS = ${regular_CFLAGS} ${libxtables_CFLAGS} -I${abs_top_srcdir}/extensions
AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
AM_DEFAULT_VERBOSITY = 0

4
Makefile.mans.in
View File

@@ -3,8 +3,8 @@
srcdir := @srcdir@
wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man' | sort)
wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man' | sort)
wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})

92
configure.ac
View File

@@ -1,9 +1,9 @@
AC_INIT([xtables-addons], [1.22])
AC_INIT([xtables-addons], [1.31])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
AC_PROG_INSTALL
AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
AM_INIT_AUTOMAKE([1.10.2 -Wall foreign subdir-objects])
AC_PROG_CC
AM_PROG_CC_C_O
AC_DISABLE_STATIC
@@ -21,56 +21,23 @@ if [[ "$kbuilddir" == no ]]; then
kbuilddir="";
fi
AC_ARG_WITH([ksource],,[ksourcedir="$withval"])
AC_ARG_WITH([xtables],
AS_HELP_STRING([--with-xtables=PATH],
[Path to the Xtables includes [[none]]]),
[xtables_location="$withval"])
AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
AC_ARG_WITH([xtlibdir],
AS_HELP_STRING([--with-xtlibdir=PATH],
[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
[xtlibdir="$withval"],
[xtlibdir='${libexecdir}/xtables'])
#
# --with-xtables= overrides a possibly installed pkgconfig file.
#
if [[ -n "$xtables_location" ]]; then
AC_MSG_CHECKING([xtables.h presence])
if [[ -f "$xtables_location/xtables.h" ]]; then
AC_MSG_RESULT([$xtables_location/xtables.h])
libxtables_CFLAGS="-I $xtables_location";
elif [[ -f "$xtables_location/include/xtables.h" ]]; then
AC_MSG_RESULT([$xtables_location/include/xtables.h])
libxtables_CFLAGS="-I $xtables_location/include";
fi;
if [[ -z "$xtables_CFLAGS" ]]; then
if [[ -f "$includedir/xtables.h" ]]; then
AC_MSG_RESULT([$includedir/xtables.h])
else
AC_MSG_RESULT([no])
fi;
fi;
libxtables_LIBS="-lxtables";
AC_SUBST([libxtables_CFLAGS])
AC_SUBST([libxtables_LIBS])
else
PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
fi;
AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, either through /usr/include or the iptables directory (--with-xtables=)])])
[Path where to install Xtables extensions [[autodetect]]]]),
[xtlibdir="$withval"])
AC_MSG_CHECKING([Xtables module directory])
AC_MSG_RESULT([$xtlibdir])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
kinclude_CFLAGS="";
if [[ -n "$kbuilddir" ]]; then
kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
fi;
if [[ -n "$ksourcedir" ]]; then
kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
fi;
-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
-I\${XA_TOPSRCDIR}/include";
#
# check kernel version
@@ -81,6 +48,7 @@ if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
# Well, just a warning. Maybe the admin updated the kernel.
echo "WARNING: This distribution's shipped kernel is not supported.";
fi;
AC_MSG_CHECKING([kernel version that we will build against])
krel="$(make -sC ${kbuilddir} kernelrelease)";
krel="${krel%%-*}";
kmajor="${krel%%.*}";
@@ -89,29 +57,33 @@ kminor="${krel%%.*}";
krel="${krel#*.}";
kmicro="${krel%%.*}";
if test "$kmicro" = "$krel"; then
kmicro="$(($kmicro+0))"; # Get rid of non numbers ("2.6.36+" -> "2.6.36")
kstable=0;
else
kmicro="$(($kmicro+0))";
kstable="${krel#*.}";
if test -z "$kstable"; then
kstable=0;
fi;
kstable="$(($kstable+0))";
fi;
echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 32; then
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
\( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
"$kstable" -lt 5 \); then
echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
exit 1;
if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
echo "WARNING: Version detection did not succeed. Continue at own luck.";
else
echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 36; then
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test \( "$kmajor" -lt 2 -o \
\( "$kmajor" -eq 2 -a "$kminor" -lt 6 \) -o \
\( "$kmajor" -eq 2 -a "$kminor" -eq 0 -a "$kmicro" -lt 17 \) -o \
\( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
"$kstable" -lt 5 \) \); then
echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
exit 1;
fi;
fi;
AC_SUBST([regular_CFLAGS])
AC_SUBST([kinclude_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([ksourcedir])
AC_SUBST([xtlibdir])
AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans geoip/Makefile
extensions/Makefile extensions/ACCOUNT/Makefile
extensions/ipset/Makefile extensions/pknock/Makefile])
AC_OUTPUT

64
doc/api/2.6.17.c Normal file
View File

@@ -0,0 +1,64 @@
match:
/* true/false */
int
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop,
);
/* error code */
int
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
void *userdata,
);
/* error code */
int
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
);

59
doc/api/2.6.19.c Normal file
View File

@@ -0,0 +1,59 @@
match:
/* true/false */
int
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop,
);
/* error code */
int
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* error code */
int
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

59
doc/api/2.6.23.c Normal file
View File

@@ -0,0 +1,59 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
bool *hotdrop,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

59
doc/api/2.6.24.c Normal file
View File

@@ -0,0 +1,59 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
bool *hotdrop,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

39
doc/api/2.6.28.c Normal file
View File

@@ -0,0 +1,39 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

38
doc/api/2.6.31.c Normal file
View File

@@ -0,0 +1,38 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

39
doc/api/2.6.32.c Normal file
View File

@@ -0,0 +1,39 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

39
doc/api/2.6.35.c Normal file
View File

@@ -0,0 +1,39 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
struct xt_action_param *,
);
/* error code */
int
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_action_param *,
);
/* error code */
int
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

39
doc/api/xt-a.c Normal file
View File

@@ -0,0 +1,39 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
struct xt_action_param *,
);
/* error code */
int
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct xt_action_param *,
);
/* error code */
int
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

88
doc/changelog.txt
View File

@@ -3,7 +3,93 @@ HEAD
====
Xtables-addons 1.22 (January 22 2009)
v1.31 (November 05 2010)
========================
- LOGMARK: print remaining lifetime of cts
- build: improve detection of kernel version and error handling
- build: automatically derive Xtables module directory, thus
--with-xtlibdir is no longer needed for ./configure in most cases
(If I still see a distro using it, I will scold you for not
reading this changelog.)
- xt_iface: allow matching against incoming/outgoing interface
- libxt_gradm: match packets based on status of grsecurity RBAC
(userspace part only - xt_gradm is in the grsec patch)
v1.30 (October 02 2010)
=======================
- update to ipset 4.4
* ipport{,ip,net}hash did not work with mixed "src" and "dst"
destination parameters
- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
merged upstream in Linux 2.6.35 and 2.6.36, respectively.
Distros still wishing to build this need to enable it in their build
script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
v1.29 (September 29 2010)
=========================
- compat_xtables: return bool for match_check and target_check in 2.6.23..34
- ipset: enable building of ip_set_ipport{ip,net}hash.ko
- support for Linux 2.6.36
- SYSRQ: resolve compile error with Linux 2.6.36
- TEE: resolve compile error with Linux 2.6.36
- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
("implicit declaration of function 'ALIGN'")
Xtables-addons 1.28 (July 24 2010)
==================================
- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
- new target xt_CHECKSUM
- xt_length2: add support for IPv6 jumbograms
- xt_geoip: fix possible out-of-bounds access
- import xt_geoip database scripts
Xtables-addons 1.27 (May 16 2010)
=================================
- further updates for the upcoming 2.6.35 changes
Xtables-addons 1.26 (April 30 2010)
===================================
- compat_xtables: fix 2.6.34 compile error due to a typo
Xtables-addons 1.25 (April 26 2010)
===================================
- TEE: do rechecksumming in PREROUTING too
- TEE: decrease TTL on cloned packet
- TEE: set dont-fragment on cloned packets
- TEE: free skb when route lookup failed
- TEE: do not limit use to mangle table
- TEE: do not retain iif and mark on cloned packet
- TEE: new loop detection logic
- TEE: use less expensive pskb_copy
- condition: remove unnecessary RCU protection
Xtables-addons 1.24 (March 17 2010)
===================================
- build: fix build of userspace modules against old (pre-2.6.25)
headers from linux-glibc-devel (/usr/include/linux)
- ipp2p: updated bittorent command recognition
- SYSRQ: let module load when crypto is unavailable
- SYSRQ: allow processing of UDP-Lite
Xtables-addons 1.23 (February 24 2010)
======================================
- build: support for Linux 2.6.34
- build: remove unused --with-ksource option
- build: remove unneeded --with-xtables option
- build: fix compilations in RAWNAT, SYSRQ and length2 when CONFIG_IPV6=n
- ipset: update to 4.2
- ECHO: fix compilation w.r.t. skb_dst
Xtables-addons 1.22 (January 22 2010)
=====================================
- compat_xtables: support for 2.6.33 skb_iif changes
- geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip

3
extensions/ACCOUNT/libxt_ACCOUNT.c
View File

@@ -12,6 +12,7 @@
#include <stddef.h>
#include <xtables.h>
#include "xt_ACCOUNT.h"
#include "compat_user.h"
static struct option account_tg_opts[] = {
{.name = "addr", .has_arg = true, .val = 'a'},
@@ -142,7 +143,7 @@ account_tg_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target account_tg_reg = {
.name = "ACCOUNT",
.revision = 1,
.family = AF_INET,
.family = NFPROTO_IPV4,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct ipt_acc_info)),
.userspacesize = offsetof(struct ipt_acc_info, table_nr),

20
extensions/ACCOUNT/xt_ACCOUNT.c
View File

@@ -264,7 +264,7 @@ static int ipt_acc_table_insert(const char *name, __be32 ip, __be32 netmask)
return -1;
}
static bool ipt_acc_checkentry(const struct xt_tgchk_param *par)
static int ipt_acc_checkentry(const struct xt_tgchk_param *par)
{
struct ipt_acc_info *info = par->targinfo;
int table_nr;
@@ -276,13 +276,13 @@ static bool ipt_acc_checkentry(const struct xt_tgchk_param *par)
if (table_nr == -1) {
printk("ACCOUNT: Table insert problem. Aborting\n");
return false;
return -EINVAL;
}
/* Table nr caching so we don't have to do an extra string compare
for every packet */
info->table_nr = table_nr;
return true;
return 0;
}
static void ipt_acc_destroy(const struct xt_tgdtor_param *par)
@@ -478,7 +478,7 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
}
}
static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target_param *par)
static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct ipt_acc_info *info =
par->targinfo;
@@ -494,7 +494,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
NIPQUAD(src_ip), NIPQUAD(dst_ip));
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
/* 8 bit network or "any" network */
@@ -506,7 +506,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
/* 16 bit network */
@@ -517,7 +517,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
/* 24 bit network */
@@ -528,7 +528,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
printk("ACCOUNT: ipt_acc_target: Unable to process packet. "
@@ -536,7 +536,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
/*
@@ -1082,7 +1082,7 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
static struct xt_target xt_acc_reg __read_mostly = {
.name = "ACCOUNT",
.revision = 1,
.family = AF_INET,
.family = NFPROTO_IPV4,
.target = ipt_acc_target,
.targetsize = sizeof(struct ipt_acc_info),
.checkentry = ipt_acc_checkentry,

6
extensions/Kbuild
View File

@@ -7,12 +7,16 @@ obj-m += compat_xtables.o
obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += xt_CHAOS.o
obj-${build_CHECKSUM} += xt_CHECKSUM.o
obj-${build_DELUDE} += xt_DELUDE.o
obj-${build_DHCPMAC} += xt_DHCPMAC.o
obj-${build_ECHO} += xt_ECHO.o
obj-${build_IPMARK} += xt_IPMARK.o
obj-${build_LOGMARK} += xt_LOGMARK.o
obj-${build_RAWNAT} += xt_RAWNAT.o iptable_rawpost.o ip6table_rawpost.o
obj-${build_RAWNAT} += xt_RAWNAT.o iptable_rawpost.o
ifneq (${CONFIG_IPV6},)
obj-${build_RAWNAT} += ip6table_rawpost.o
endif
obj-${build_SYSRQ} += xt_SYSRQ.o
obj-${build_STEAL} += xt_STEAL.o
obj-${build_TARPIT} += xt_TARPIT.o

2
extensions/Makefile.am
View File

@@ -7,6 +7,8 @@
_kcall = -C ${kbuilddir} M=${abs_srcdir}
modules:
@echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux "
@if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} --no-print-directory -s kernelrelease; fi;
${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi;
modules_install:

2
extensions/Mbuild
View File

@@ -2,6 +2,7 @@
obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += libxt_CHAOS.so
obj-${build_CHECKSUM} += libxt_CHECKSUM.so
obj-${build_DELUDE} += libxt_DELUDE.so
obj-${build_DHCPMAC} += libxt_DHCPMAC.so libxt_dhcpmac.so
obj-${build_ECHO} += libxt_ECHO.so
@@ -24,3 +25,4 @@ obj-${build_lscan} += libxt_lscan.so
obj-${build_pknock} += pknock/
obj-${build_psd} += libxt_psd.so
obj-${build_quota2} += libxt_quota2.so
obj-${build_gradm} += libxt_gradm.so

12
extensions/compat_user.h Normal file
View File

@@ -0,0 +1,12 @@
/*
* Userspace-level compat hacks
*/
#ifndef _XTABLES_COMPAT_USER_H
#define _XTABLES_COMPAT_USER_H 1
/* linux-glibc-devel 2.6.34 header screwup */
#ifndef ALIGN
# define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
#endif
#endif /* _XTABLES_COMPAT_USER_H */

168
extensions/compat_xtables.c
View File

@@ -1,6 +1,6 @@
/*
* API compat layer
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License, either
@@ -34,25 +34,49 @@ static bool xtnu_match_run(const struct sk_buff *skb,
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_match *nm = xtcompat_numatch(cm);
bool lo_drop = false, lo_ret;
struct xt_match_param local_par = {
.in = in,
.out = out,
.match = cm,
.matchinfo = matchinfo,
.fragoff = offset,
.thoff = protoff,
.hotdrop = &lo_drop,
.family = NFPROTO_UNSPEC, /* don't have that info */
};
bool lo_ret;
struct xt_action_param local_par;
local_par.in = in;
local_par.out = out;
local_par.match = cm;
local_par.matchinfo = matchinfo;
local_par.fragoff = offset;
local_par.thoff = protoff;
local_par.hotdrop = false;
local_par.family = NFPROTO_UNSPEC; /* don't have that info */
if (nm == NULL || nm->match == NULL)
return false;
lo_ret = nm->match(skb, &local_par);
*hotdrop = lo_drop;
*hotdrop = local_par.hotdrop;
return lo_ret;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static bool xtnu_match_run(const struct sk_buff *skb,
const struct xt_match_param *par)
{
struct xtnu_match *nm = xtcompat_numatch(par->match);
struct xt_action_param local_par;
bool ret;
local_par.in = par->in;
local_par.out = par->out;
local_par.match = par->match;
local_par.matchinfo = par->matchinfo;
local_par.fragoff = par->fragoff;
local_par.thoff = par->thoff;
local_par.hotdrop = false;
local_par.family = par->family;
if (nm == NULL || nm->match == NULL)
return false;
ret = nm->match(skb, &local_par);
*par->hotdrop = local_par.hotdrop;
return ret;
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static int xtnu_match_check(const char *table, const void *entry,
@@ -81,7 +105,24 @@ static bool xtnu_match_check(const char *table, const void *entry,
return false;
if (nm->checkentry == NULL)
return true;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
return nm->checkentry(&local_par);
#else
return nm->checkentry(&local_par) == 0;
#endif
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static bool xtnu_match_check(const struct xt_mtchk_param *par)
{
struct xtnu_match *nm = xtcompat_numatch(par->match);
if (nm == NULL)
return false;
if (nm->checkentry == NULL)
return true;
return nm->checkentry(par) == 0;
}
#endif
@@ -105,7 +146,7 @@ static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
int xtnu_register_match(struct xtnu_match *nt)
{
struct xt_match *ct;
@@ -127,9 +168,19 @@ int xtnu_register_match(struct xtnu_match *nt)
ct->table = (char *)nt->table;
ct->hooks = nt->hooks;
ct->proto = nt->proto;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
ct->match = xtnu_match_run;
ct->checkentry = xtnu_match_check;
ct->destroy = xtnu_match_destroy;
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
ct->match = xtnu_match_run;
ct->checkentry = xtnu_match_check;
ct->destroy = nt->destroy;
#else
ct->match = nt->match;
ct->checkentry = xtnu_match_check;
ct->destroy = nt->destroy;
#endif
ct->matchsize = nt->matchsize;
ct->me = nt->me;
@@ -188,35 +239,55 @@ static unsigned int xtnu_target_run(struct sk_buff **pskb,
static unsigned int xtnu_target_run(struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
#else
static unsigned int
xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
#endif
{
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
struct xt_target_param local_par = {
.in = in,
.out = out,
.hooknum = hooknum,
.target = ct,
.targinfo = targinfo,
.family = NFPROTO_UNSPEC,
};
#else
struct xtnu_target *nt = xtcompat_nutarget(par->target);
#endif
struct xt_action_param local_par;
local_par.in = in;
local_par.out = out;
local_par.hooknum = hooknum;
local_par.target = ct;
local_par.targinfo = targinfo;
local_par.family = NFPROTO_UNSPEC;
if (nt != NULL && nt->target != NULL)
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return nt->target(pskb, &local_par);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
return nt->target(&skb, &local_par);
#else
return nt->target(&skb, par);
#endif
return XT_CONTINUE;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static unsigned int
xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
{
struct xtnu_target *nt = xtcompat_nutarget(par->target);
struct xt_action_param local_par;
local_par.in = par->in;
local_par.out = par->out;
local_par.hooknum = par->hooknum;
local_par.target = par->target;
local_par.targinfo = par->targinfo;
local_par.family = par->family;
return nt->target(&skb, &local_par);
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
static unsigned int
xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
{
struct xtnu_target *nt = xtcompat_nutarget(par->target);
return nt->target(&skb, par);
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static int xtnu_target_check(const char *table, const void *entry,
@@ -246,7 +317,25 @@ static bool xtnu_target_check(const char *table, const void *entry,
if (nt->checkentry == NULL)
/* this is valid, just like if there was no function */
return true;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
return nt->checkentry(&local_par);
#else
return nt->checkentry(&local_par) == 0;
#endif
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static bool xtnu_target_check(const struct xt_tgchk_param *par)
{
struct xtnu_target *nt = xtcompat_nutarget(par->target);
if (nt == NULL)
return false;
if (nt->checkentry == NULL)
return true;
return nt->checkentry(par) == 0;
}
#endif
@@ -295,6 +384,9 @@ int xtnu_register_target(struct xtnu_target *nt)
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
ct->checkentry = xtnu_target_check;
ct->destroy = xtnu_target_destroy;
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
ct->checkentry = xtnu_target_check;
ct->destroy = nt->destroy;
#else
ct->checkentry = nt->checkentry;
ct->destroy = nt->destroy;
@@ -509,4 +601,18 @@ int xtnu_skb_linearize(struct sk_buff *skb)
EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
#endif
void *HX_memmem(const void *space, size_t spacesize,
const void *point, size_t pointsize)
{
size_t i;
if (pointsize > spacesize)
return NULL;
for (i = 0; i <= spacesize - pointsize; ++i)
if (memcmp(space + i, point, pointsize) == 0)
return (void *)space + i;
return NULL;
}
EXPORT_SYMBOL_GPL(HX_memmem);
MODULE_LICENSE("GPL");

16
extensions/compat_xtables.h
View File

@@ -60,7 +60,7 @@
# define init_net__proc_net init_net.proc_net
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
# define xt_match xtnu_match
# define xt_register_match xtnu_register_match
# define xt_unregister_match xtnu_unregister_match
@@ -78,6 +78,20 @@
# define inet_proto_csum_replace4 xtnu_proto_csum_replace4
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
# define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
# define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
#else
# define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
# define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
# define rt_dst(rt) (&(rt)->dst)
#else
# define rt_dst(rt) (&(rt)->u.dst)
#endif
#if !defined(NIP6) && !defined(NIP6_FMT)
# define NIP6(addr) \
ntohs((addr).s6_addr16[0]), \

51
extensions/compat_xtnu.h
View File

@@ -32,16 +32,6 @@ enum {
NFPROTO_NUMPROTO,
};
struct xt_match_param {
const struct net_device *in, *out;
const struct xt_match *match;
const void *matchinfo;
int fragoff;
unsigned int thoff;
bool *hotdrop;
u_int8_t family;
};
struct xt_mtchk_param {
const char *table;
const void *entryinfo;
@@ -81,33 +71,52 @@ struct xt_tgdtor_param {
};
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
struct xt_action_param {
union {
const struct xt_match *match;
const struct xt_target *target;
};
union {
const void *matchinfo, *targinfo;
};
const struct net_device *in, *out;
int fragoff;
unsigned int thoff, hooknum;
u_int8_t family;
bool hotdrop;
};
#endif
struct xtnu_match {
struct list_head list;
char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
bool (*match)(const struct sk_buff *, const struct xt_match_param *);
bool (*checkentry)(const struct xt_mtchk_param *);
/*
* Making it smaller by sizeof(void *) on purpose to catch
* lossy translation, if any.
*/
char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
uint8_t revision;
bool (*match)(const struct sk_buff *, struct xt_action_param *);
int (*checkentry)(const struct xt_mtchk_param *);
void (*destroy)(const struct xt_mtdtor_param *);
struct module *me;
const char *table;
unsigned int matchsize, hooks;
unsigned short proto, family;
uint8_t revision;
void *__compat_match;
};
struct xtnu_target {
struct list_head list;
char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
uint8_t revision;
unsigned int (*target)(struct sk_buff **,
const struct xt_target_param *);
bool (*checkentry)(const struct xt_tgchk_param *);
const struct xt_action_param *);
int (*checkentry)(const struct xt_tgchk_param *);
void (*destroy)(const struct xt_tgdtor_param *);
struct module *me;
const char *table;
unsigned int targetsize, hooks;
unsigned short proto, family;
uint8_t revision;
void *__compat_target;
};
@@ -154,4 +163,6 @@ extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
__be32, __be32, bool);
extern int xtnu_skb_linearize(struct sk_buff *);
extern void *HX_memmem(const void *, size_t, const void *, size_t);
#endif /* _COMPAT_XTNU_H */

1
extensions/ipset/Kbuild
View File

@@ -3,4 +3,5 @@
obj-m += ipt_set.o ipt_SET.o
obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
obj-m += ip_set_ipportiphash.o ip_set_ipportnethash.o
obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

10
extensions/ipset/ip_set.c
View File

@@ -929,11 +929,11 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
}
if (copy_from_user(data, user, len) != 0) {
res = -EFAULT;
goto done;
goto cleanup;
}
if (down_interruptible(&ip_set_app_mutex)) {
res = -EINTR;
goto done;
goto cleanup;
}
op = (unsigned *)data;
@@ -1109,6 +1109,7 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
done:
up(&ip_set_app_mutex);
cleanup:
vfree(data);
if (res > 0)
res = 0;
@@ -1142,11 +1143,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
}
if (copy_from_user(data, user, *len) != 0) {
res = -EFAULT;
goto done;
goto cleanup;
}
if (down_interruptible(&ip_set_app_mutex)) {
res = -EINTR;
goto done;
goto cleanup;
}
op = (unsigned *) data;
@@ -1439,6 +1440,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
done:
up(&ip_set_app_mutex);
cleanup:
vfree(data);
if (res > 0)
res = 0;

2
extensions/ipset/ip_set_ipporthash.c
View File

@@ -68,7 +68,7 @@ ipporthash_test(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
if (flags[1] == 0) \
return 0; \
\
port = get_port(skb, flags++); \
port = get_port(skb, ++flags); \
\
if (port == INVALID_PORT) \
return 0;

4
extensions/ipset/ip_set_ipportiphash.c
View File

@@ -72,8 +72,8 @@ ipportiphash_test(struct ip_set *set,
if (flags[2] == 0) \
return 0; \
\
port = get_port(skb, flags++); \
ip1 = ipaddr(skb, flags++); \
port = get_port(skb, ++flags); \
ip1 = ipaddr(skb, ++flags); \
\
if (port == INVALID_PORT) \
return 0;

5
extensions/ipset/ip_set_ipportnethash.c
View File

@@ -116,8 +116,8 @@ ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size)
if (flags[2] == 0) \
return 0; \
\
port = get_port(skb, flags++); \
ip1 = ipaddr(skb, flags++); \
port = get_port(skb, ++flags); \
ip1 = ipaddr(skb, ++flags); \
\
if (port == INVALID_PORT) \
return 0;
@@ -185,7 +185,6 @@ ipportnethash_add(struct ip_set *set,
if (ret == 0) {
if (!map->nets[cidr-1]++)
add_cidr_size(map->cidr, cidr);
map->elements++;
}
return ret;
}

1
extensions/ipset/ip_set_nethash.c
View File

@@ -136,7 +136,6 @@ nethash_add(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
if (ret == 0) {
if (!map->nets[cidr-1]++)
add_cidr_size(map->cidr, cidr);
map->elements++;
}
return ret;

6
extensions/ipset/ipset.8
View File

@@ -502,9 +502,13 @@ data storage in
set and add src to the first single or src,dst to the first double
data storage set in
\fIb\fP.
.P
You can imagine a setlist type of set as an ordered union of
the set elements.
.P
Please note: by the ipset command you can add, delete and
.B test
the setnames in a setlist type of set, and not the presence of
a set's member (such as an IP address).
.SH GENERAL RESTRICTIONS
Setnames starting with colon (:) cannot be defined. Zero valued set
entries cannot be used with hash type of sets.

2
extensions/ipset/ipset.c
View File

@@ -30,7 +30,7 @@
#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
#endif
#define IPSET_VERSION "4.1"
#define IPSET_VERSION "4.4"
char program_name[] = "ipset";
char program_version[] = IPSET_VERSION;

7
extensions/ipset/ipset_iphash.c
View File

@@ -200,8 +200,7 @@ iphash_printips(struct set *set UNUSED, void *data, u_int32_t len,
while (offset < len) {
ip = data + offset;
if (*ip)
printf("%s\n", ip_tostring(*ip, options));
printf("%s\n", ip_tostring(*ip, options));
offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
}
}
@@ -230,9 +229,7 @@ iphash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
while (offset < len) {
ip = data + offset;
if (*ip)
printf("-A %s %s\n", set->name,
ip_tostring(*ip, options));
printf("-A %s %s\n", set->name, ip_tostring(*ip, options));
offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
}
}

24
extensions/ipset/ipset_ipporthash.c
View File

@@ -259,13 +259,11 @@ ipporthash_printips(struct set *set, void *data, u_int32_t len,
while (offset < len) {
ipptr = data + offset;
if (*ipptr) {
ip = (*ipptr>>16) + mysetdata->first_ip;
port = (uint16_t) *ipptr;
printf("%s,%s\n",
ip_tostring(ip, options),
port_tostring(port, options));
}
ip = (*ipptr>>16) + mysetdata->first_ip;
port = (uint16_t) *ipptr;
printf("%s,%s\n",
ip_tostring(ip, options),
port_tostring(port, options));
offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
}
}
@@ -296,13 +294,11 @@ ipporthash_saveips(struct set *set, void *data, u_int32_t len,
while (offset < len) {
ipptr = data + offset;
if (*ipptr) {
ip = (*ipptr>>16) + mysetdata->first_ip;
port = (uint16_t) *ipptr;
printf("-A %s %s,%s\n", set->name,
ip_tostring(ip, options),
port_tostring(port, options));
}
ip = (*ipptr>>16) + mysetdata->first_ip;
port = (uint16_t) *ipptr;
printf("-A %s %s,%s\n", set->name,
ip_tostring(ip, options),
port_tostring(port, options));
offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
}
}

32
extensions/ipset/ipset_ipportiphash.c
View File

@@ -265,15 +265,13 @@ ipportiphash_printips(struct set *set, void *data, u_int32_t len,
while (offset < len) {
ipptr = data + offset;
if (ipptr->ip && ipptr->ip1) {
ip = (ipptr->ip>>16) + mysetdata->first_ip;
port = (uint16_t) ipptr->ip;
printf("%s,%s,",
ip_tostring(ip, options),
port_tostring(port, options));
printf("%s\n",
ip_tostring(ipptr->ip1, options));
}
ip = (ipptr->ip>>16) + mysetdata->first_ip;
port = (uint16_t) ipptr->ip;
printf("%s,%s,",
ip_tostring(ip, options),
port_tostring(port, options));
printf("%s\n",
ip_tostring(ipptr->ip1, options));
offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
}
}
@@ -305,15 +303,13 @@ ipportiphash_saveips(struct set *set, void *data, u_int32_t len,
while (offset < len) {
ipptr = data + offset;
if (ipptr->ip && ipptr->ip1) {
ip = (ipptr->ip>>16) + mysetdata->first_ip;
port = (uint16_t) ipptr->ip;
printf("-A %s %s,%s,", set->name,
ip_tostring(ip, options),
port_tostring(port, options));
printf("%s\n",
ip_tostring(ipptr->ip1, options));
}
ip = (ipptr->ip>>16) + mysetdata->first_ip;
port = (uint16_t) ipptr->ip;
printf("-A %s %s,%s,", set->name,
ip_tostring(ip, options),
port_tostring(port, options));
printf("%s\n",
ip_tostring(ipptr->ip1, options));
offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
}
}

32
extensions/ipset/ipset_ipportnethash.c
View File

@@ -330,15 +330,13 @@ ipportnethash_printips(struct set *set, void *data, u_int32_t len,
while (offset < len) {
ipptr = data + offset;
if (ipptr->ip || ipptr->ip1) {
ip = (ipptr->ip>>16) + mysetdata->first_ip;
port = (uint16_t) ipptr->ip;
printf("%s,%s,",
ip_tostring(ip, options),
port_tostring(port, options));
printf("%s\n",
unpack_ip_tostring(ipptr->ip1, options));
}
ip = (ipptr->ip>>16) + mysetdata->first_ip;
port = (uint16_t) ipptr->ip;
printf("%s,%s,",
ip_tostring(ip, options),
port_tostring(port, options));
printf("%s\n",
unpack_ip_tostring(ipptr->ip1, options));
offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
}
}
@@ -370,15 +368,13 @@ ipportnethash_saveips(struct set *set, void *data, u_int32_t len,
while (offset < len) {
ipptr = data + offset;
if (ipptr) {
ip = (ipptr->ip>>16) + mysetdata->first_ip;
port = (uint16_t) ipptr->ip;
printf("-A %s %s,%s,", set->name,
ip_tostring(ip, options),
port_tostring(port, options));
printf("%s\n",
unpack_ip_tostring(ipptr->ip, options));
}
ip = (ipptr->ip>>16) + mysetdata->first_ip;
port = (uint16_t) ipptr->ip;
printf("-A %s %s,%s,", set->name,
ip_tostring(ip, options),
port_tostring(port, options));
printf("%s\n",
unpack_ip_tostring(ipptr->ip, options));
offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
}
}

8
extensions/ipset/ipset_nethash.c
View File

@@ -232,8 +232,7 @@ nethash_printips(struct set *set UNUSED, void *data, u_int32_t len,
while (offset < len) {
ip = data + offset;
if (*ip)
printf("%s\n", unpack_ip_tostring(*ip, options));
printf("%s\n", unpack_ip_tostring(*ip, options));
offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
}
}
@@ -258,9 +257,8 @@ nethash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
while (offset < len) {
ip = data + offset;
if (*ip)
printf("-A %s %s\n", set->name,
unpack_ip_tostring(*ip, options));
printf("-A %s %s\n", set->name,
unpack_ip_tostring(*ip, options));
offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
}
}

14
extensions/ipset/ipt_SET.c
View File

@@ -29,7 +29,7 @@
#include "../compat_xtables.h"
static unsigned int
target(struct sk_buff **pskb, const struct xt_target_param *par)
target(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct ipt_set_info_target *info = par->targinfo;
@@ -45,7 +45,7 @@ target(struct sk_buff **pskb, const struct xt_target_param *par)
return XT_CONTINUE;
}
static bool
static int
checkentry(const struct xt_tgchk_param *par)
{
struct ipt_set_info_target *info = par->targinfo;
@@ -54,7 +54,7 @@ checkentry(const struct xt_tgchk_param *par)
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
if (targinfosize != IPT_ALIGN(sizeof(*info))) {
DP("bad target info size %u", targinfosize);
return 0;
return -EINVAL;
}
#endif
@@ -63,7 +63,7 @@ checkentry(const struct xt_tgchk_param *par)
if (index == IP_SET_INVALID_ID) {
ip_set_printk("cannot find add_set index %u as target",
info->add_set.index);
return 0; /* error */
return -EINVAL;
}
}
@@ -72,16 +72,16 @@ checkentry(const struct xt_tgchk_param *par)
if (index == IP_SET_INVALID_ID) {
ip_set_printk("cannot find del_set index %u as target",
info->del_set.index);
return 0; /* error */
return -EINVAL;
}
}
if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
|| info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
ip_set_printk("That's nasty!");
return 0; /* error */
return -EINVAL;
}
return 1;
return 0;
}
static void destroy(const struct xt_tgdtor_param *par)

12
extensions/ipset/ipt_set.c
View File

@@ -38,7 +38,7 @@ match_set(const struct ipt_set_info *info,
}
static bool
match(const struct sk_buff *skb, const struct xt_match_param *par)
match(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ipt_set_info_match *info = par->matchinfo;
@@ -47,7 +47,7 @@ match(const struct sk_buff *skb, const struct xt_match_param *par)
info->match_set.flags[0] & IPSET_MATCH_INV);
}
static bool
static int
checkentry(const struct xt_mtchk_param *par)
{
struct ipt_set_info_match *info = par->matchinfo;
@@ -56,7 +56,7 @@ checkentry(const struct xt_mtchk_param *par)
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
ip_set_printk("invalid matchsize %d", matchsize);
return 0;
return -EINVAL;
}
#endif
@@ -65,14 +65,14 @@ checkentry(const struct xt_mtchk_param *par)
if (index == IP_SET_INVALID_ID) {
ip_set_printk("Cannot find set indentified by id %u to match",
info->match_set.index);
return 0; /* error */
return -ENOENT;
}
if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
ip_set_printk("That's nasty!");
return 0; /* error */
return -EINVAL;
}
return 1;
return 0;
}
static void destroy(const struct xt_mtdtor_param *par)

3
extensions/libxt_CHAOS.c
View File

@@ -16,6 +16,7 @@
#include <xtables.h>
#include <linux/netfilter/x_tables.h>
#include "xt_CHAOS.h"
#include "compat_user.h"
enum {
F_DELUDE = 1 << 0,
@@ -95,7 +96,7 @@ static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
static struct xtables_target chaos_tg_reg = {
.version = XTABLES_VERSION,
.name = "CHAOS",
.family = AF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
.help = chaos_tg_help,

94
extensions/libxt_CHECKSUM.c Normal file
View File

@@ -0,0 +1,94 @@
/*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
* (C) 2010 by Red Hat, Inc
* Author: Michael S. Tsirkin <mst@redhat.com>
*
* This program is distributed under the terms of GNU GPL v2, 1991
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
#include <xtables.h>
#include "xt_CHECKSUM.h"
#include "compat_user.h"
static void CHECKSUM_help(void)
{
printf(
"CHECKSUM target options\n"
" --checksum-fill Fill in packet checksum.\n");
}
static const struct option CHECKSUM_opts[] = {
{ "checksum-fill", 0, NULL, 'F' },
{ .name = NULL }
};
static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_CHECKSUM_info *einfo
= (struct xt_CHECKSUM_info *)(*target)->data;
switch (c) {
case 'F':
xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
*flags & XT_CHECKSUM_OP_FILL);
einfo->operation = XT_CHECKSUM_OP_FILL;
*flags |= XT_CHECKSUM_OP_FILL;
break;
default:
return 0;
}
return 1;
}
static void CHECKSUM_check(unsigned int flags)
{
if (!flags)
xtables_error(PARAMETER_PROBLEM,
"CHECKSUM target: Parameter --checksum-fill is required");
}
static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct xt_CHECKSUM_info *einfo =
(const struct xt_CHECKSUM_info *)target->data;
printf("CHECKSUM ");
if (einfo->operation & XT_CHECKSUM_OP_FILL)
printf("fill ");
}
static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_CHECKSUM_info *einfo =
(const struct xt_CHECKSUM_info *)target->data;
if (einfo->operation & XT_CHECKSUM_OP_FILL)
printf("--checksum-fill ");
}
static struct xtables_target checksum_tg_reg = {
.name = "CHECKSUM",
.version = XTABLES_VERSION,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
.help = CHECKSUM_help,
.parse = CHECKSUM_parse,
.final_check = CHECKSUM_check,
.print = CHECKSUM_print,
.save = CHECKSUM_save,
.extra_opts = CHECKSUM_opts,
};
static __attribute__((constructor)) void _init(void)
{
xtables_register_target(&checksum_tg_reg);
}

8
extensions/libxt_CHECKSUM.man Normal file
View File

@@ -0,0 +1,8 @@
This target allows to selectively work around broken/old applications.
It can only be used in the mangle table.
.TP
\fB\-\-checksum\-fill\fP
Compute and fill in the checksum in a packet that lacks a checksum.
This is particularly useful, if you need to work around old applications
such as dhcp clients, that do not work well with checksum offloads,
but don't want to disable checksum offload in your device.

5
extensions/libxt_DELUDE.c
View File

@@ -13,6 +13,7 @@
#include <xtables.h>
#include <linux/netfilter/x_tables.h>
#include "compat_user.h"
static void delude_tg_help(void)
{
@@ -33,9 +34,7 @@ static struct xtables_target delude_tg_reg = {
.version = XTABLES_VERSION,
.name = "DELUDE",
.revision = 0,
.family = AF_INET,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.family = NFPROTO_IPV4,
.help = delude_tg_help,
.parse = delude_tg_parse,
.final_check = delude_tg_check,

3
extensions/libxt_DHCPMAC.c
View File

@@ -17,6 +17,7 @@
#include <xtables.h>
#include "xt_DHCPMAC.h"
#include "mac.c"
#include "compat_user.h"
enum {
F_MAC = 1 << 0,
@@ -84,7 +85,7 @@ static struct xtables_target dhcpmac_tg_reg = {
.version = XTABLES_VERSION,
.name = "DHCPMAC",
.revision = 0,
.family = PF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct dhcpmac_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.help = dhcpmac_tg_help,

5
extensions/libxt_ECHO.c
View File

@@ -10,6 +10,7 @@
#include <stdio.h>
#include <getopt.h>
#include <xtables.h>
#include "compat_user.h"
static void echo_tg_help(void)
{
@@ -29,9 +30,7 @@ static void echo_tg_check(unsigned int flags)
static struct xtables_target echo_tg_reg = {
.version = XTABLES_VERSION,
.name = "ECHO",
.family = AF_UNSPEC,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.family = NFPROTO_UNSPEC,
.help = echo_tg_help,
.parse = echo_tg_parse,
.final_check = echo_tg_check,

3
extensions/libxt_IPMARK.c
View File

@@ -14,6 +14,7 @@
#include <string.h>
#include <xtables.h>
#include "xt_IPMARK.h"
#include "compat_user.h"
enum {
FL_ADDR_USED = 1 << 0,
@@ -151,7 +152,7 @@ ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
static struct xtables_target ipmark_tg_reg = {
.version = XTABLES_VERSION,
.name = "IPMARK",
.family = PF_UNSPEC,
.family = NFPROTO_UNSPEC,
.revision = 1,
.size = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),

3
extensions/libxt_LOGMARK.c
View File

@@ -13,6 +13,7 @@
#include <string.h>
#include <xtables.h>
#include "xt_LOGMARK.h"
#include "compat_user.h"
enum {
F_LEVEL = 1 << 0,
@@ -100,7 +101,7 @@ static struct xtables_target logmark_tg_reg = {
.version = XTABLES_VERSION,
.name = "LOGMARK",
.revision = 0,
.family = AF_UNSPEC,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
.help = logmark_tg_help,

7
extensions/libxt_RAWDNAT.c
View File

@@ -15,6 +15,7 @@
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
#include "compat_user.h"
enum {
FLAGS_TO = 1 << 0,
@@ -79,7 +80,7 @@ rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
if (!xtables_strtoui(end, NULL, &mask, 0, 128))
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
info->mask = mask;
@@ -154,7 +155,7 @@ static struct xtables_target rawdnat_tg4_reg = {
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = PF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,
@@ -169,7 +170,7 @@ static struct xtables_target rawdnat_tg6_reg = {
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = PF_INET6,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,

7
extensions/libxt_RAWSNAT.c
View File

@@ -15,6 +15,7 @@
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
#include "compat_user.h"
enum {
FLAGS_TO = 1 << 0,
@@ -79,7 +80,7 @@ rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
if (!xtables_strtoui(end, NULL, &mask, 0, 128))
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
info->mask = mask;
@@ -154,7 +155,7 @@ static struct xtables_target rawsnat_tg4_reg = {
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = PF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,
@@ -169,7 +170,7 @@ static struct xtables_target rawsnat_tg6_reg = {
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = PF_INET6,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,

5
extensions/libxt_STEAL.c
View File

@@ -1,5 +1,6 @@
#include <stdio.h>
#include <xtables.h>
#include "compat_user.h"
static void steal_tg_help(void)
{
@@ -19,9 +20,7 @@ static void steal_tg_check(unsigned int flags)
static struct xtables_target steal_tg_reg = {
.version = XTABLES_VERSION,
.name = "STEAL",
.family = AF_UNSPEC,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.family = NFPROTO_UNSPEC,
.help = steal_tg_help,
.parse = steal_tg_parse,
.final_check = steal_tg_check,

5
extensions/libxt_SYSRQ.c
View File

@@ -5,6 +5,7 @@
#include <stdio.h>
#include <getopt.h>
#include <xtables.h>
#include "compat_user.h"
static void sysrq_tg_help(void)
{
@@ -25,9 +26,7 @@ static struct xtables_target sysrq_tg_reg = {
.version = XTABLES_VERSION,
.name = "SYSRQ",
.revision = 1,
.family = PF_UNSPEC,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.family = NFPROTO_UNSPEC,
.help = sysrq_tg_help,
.parse = sysrq_tg_parse,
.final_check = sysrq_tg_check,

5
extensions/libxt_TARPIT.c
View File

@@ -5,6 +5,7 @@
#include <stdio.h>
#include <getopt.h>
#include <xtables.h>
#include "compat_user.h"
static void tarpit_tg_help(void)
{
@@ -24,9 +25,7 @@ static void tarpit_tg_check(unsigned int flags)
static struct xtables_target tarpit_tg_reg = {
.version = XTABLES_VERSION,
.name = "TARPIT",
.family = AF_INET,
.size = XT_ALIGN(0),
.userspacesize = XT_ALIGN(0),
.family = NFPROTO_IPV4,
.help = tarpit_tg_help,
.parse = tarpit_tg_parse,
.final_check = tarpit_tg_check,

5
extensions/libxt_TEE.c
View File

@@ -23,6 +23,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include "xt_TEE.h"
#include "compat_user.h"
enum {
FLAG_GATEWAY = 1 << 0,
@@ -138,7 +139,7 @@ static struct xtables_target tee_tg_reg = {
.name = "TEE",
.version = XTABLES_VERSION,
.revision = 0,
.family = PF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.help = tee_tg_help,
@@ -153,7 +154,7 @@ static struct xtables_target tee_tg6_reg = {
.name = "TEE",
.version = XTABLES_VERSION,
.revision = 0,
.family = PF_INET6,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.help = tee_tg_help,

3
extensions/libxt_condition.c
View File

@@ -16,6 +16,7 @@
#include <getopt.h>
#include <xtables.h>
#include "xt_condition.h"
#include "compat_user.h"
static void condition_help(void)
{
@@ -80,7 +81,7 @@ static void condition_save(const void *ip, const struct xt_entry_match *match)
static struct xtables_match condition_mt_reg = {
.name = "condition",
.revision = 1,
.family = PF_UNSPEC,
.family = NFPROTO_UNSPEC,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),

3
extensions/libxt_dhcpmac.c
View File

@@ -16,6 +16,7 @@
#include <xtables.h>
#include "xt_DHCPMAC.h"
#include "mac.c"
#include "compat_user.h"
enum {
F_MAC = 1 << 0,
@@ -85,7 +86,7 @@ static struct xtables_match dhcpmac_mt_reg = {
.version = XTABLES_VERSION,
.name = "dhcpmac",
.revision = 0,
.family = PF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct dhcpmac_info)),
.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.help = dhcpmac_mt_help,

2
extensions/libxt_fuzzy.c
View File

@@ -15,6 +15,7 @@
#include <string.h>
#include <xtables.h>
#include "xt_fuzzy.h"
#include "compat_user.h"
static void fuzzy_mt_help(void)
{
@@ -103,6 +104,7 @@ static struct xtables_match fuzzy_mt_reg = {
.name = "fuzzy",
.revision = 1,
.version = XTABLES_VERSION,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
.help = fuzzy_mt_help,

3
extensions/libxt_geoip.c
View File

@@ -24,6 +24,7 @@
#include <unistd.h>
#include <xtables.h>
#include "xt_geoip.h"
#include "compat_user.h"
#define GEOIP_DB_DIR "/usr/share/xt_geoip"
static void geoip_help(void)
@@ -259,7 +260,7 @@ geoip_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match geoip_match = {
.family = AF_INET,
.family = NFPROTO_IPV4,
.name = "geoip",
.revision = 1,
.version = XTABLES_VERSION,

6
extensions/libxt_geoip.man
View File

@@ -10,8 +10,8 @@ NOTE:
The country is inputed by its ISO-3166 code.
.PP
The extra files you will need is the binary database files. They are generated
from a country-subnet database with the geoip_csv_iv0.pl tool, available at
http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to
/usr/share/xt_geoip/
from a country-subnet database with the geoip_csv_iv0.pl tool that should be
available in /usr/lib(exec)/xtables-addons/ . The resulting files MUST be moved
to /usr/share/xt_geoip/
as the shared library is statically looking for this pathname (e.g.
/usr/share/xt_geoip/LE/de.iv0).

98
extensions/libxt_gradm.c Normal file
View File

@@ -0,0 +1,98 @@
/*
* "gradm" match extension for iptables
* Zbigniew Krzystolik <zbyniu@destrukcja.pl>, 2010
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License;
* either version 2 of the License, or any later version, as
* published by the Free Software Foundation.
*/
#include <getopt.h>
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <xtables.h>
#include "xt_gradm.h"
static void gradm_mt_help(void)
{
printf(
"gradm match options:\n"
" [!] --enabled is Grsecurity RBAC enabled\n"
" [!] --disabled is Grsecurity RBAC disabled\n");
};
static const struct option gradm_mt_opts[] = {
{.name = "enabled", .has_arg = false, .val = '1'},
{.name = "disabled", .has_arg = false, .val = '2'},
{NULL},
};
static void gradm_mt_init(struct xt_entry_match *m)
{
}
static int gradm_mt_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_gradm_mtinfo *info = (void *)(*match)->data;
switch (c) {
case '1':
if (invert)
info->invflags |= 1;
return true;
case '2':
if (!invert)
info->invflags |= 1;
return true;
}
return false;
}
static void gradm_mt_check(unsigned int flags)
{
}
static void gradm_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
const struct xt_gradm_mtinfo *info = (const void *)match->data;
if (info->invflags)
printf("gradm: disabled");
else
printf("gradm: enabled");
}
static void gradm_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_gradm_mtinfo *info = (const void *)match->data;
if (info->invflags)
printf("--disabled ");
else
printf("--enabled ");
}
static struct xtables_match gradm_mt_reg = {
.family = NFPROTO_UNSPEC,
.name = "gradm",
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
.help = gradm_mt_help,
.init = gradm_mt_init,
.parse = gradm_mt_parse,
.final_check = gradm_mt_check,
.print = gradm_mt_print,
.save = gradm_mt_save,
.extra_opts = gradm_mt_opts,
};
static __attribute__((constructor)) void gradm_mt_ldr(void)
{
xtables_register_match(&gradm_mt_reg);
}

7
extensions/libxt_gradm.man Normal file
View File

@@ -0,0 +1,7 @@
This module matches packets based on grsecurity RBAC status.
.TP
[\fB!\fP] \fB\-\-enabled\fP
Matches packets if grsecurity RBAC is enabled.
.TP
[\fB!\fP] \fB\-\-disabled\fP
Matches packets if grsecurity RBAC is disabled.

72
extensions/libxt_iface.c
View File

@@ -15,9 +15,16 @@
#include <xtables.h>
#include "xt_iface.h"
#include "compat_user.h"
enum {
XT_IFACE_IFACE = 1 << 16,
};
static const struct option iface_mt_opts[] = {
{.name = "iface", .has_arg = true, .val = 'i'},
{.name = "dev-in", .has_arg = false, .val = 'I'},
{.name = "dev-out", .has_arg = false, .val = 'O'},
{.name = "up", .has_arg = false, .val = 'u'},
{.name = "down", .has_arg = false, .val = 'U'}, /* not up */
{.name = "broadcast", .has_arg = false, .val = 'b'},
@@ -39,9 +46,7 @@ static void iface_print_opt(const struct xt_iface_mtinfo *info,
const unsigned int option, const char *command)
{
if (info->flags & option)
printf(" %s", command);
if (info->invflags & option)
printf(" ! %s", command);
printf(" %s%s", (info->invflags & option) ? "! " : "", command);
}
static void iface_setflag(struct xt_iface_mtinfo *info,
@@ -50,10 +55,9 @@ static void iface_setflag(struct xt_iface_mtinfo *info,
if (*flags & flag)
xtables_error(PARAMETER_PROBLEM,
"iface: \"--%s\" flag already specified", command);
info->flags |= flag;
if (invert)
info->invflags |= flag;
else
info->flags |= flag;
*flags |= flag;
}
@@ -68,19 +72,20 @@ static void iface_mt_help(void)
{
printf(
"iface match options:\n"
" --iface interface Name of interface\n"
"[!] --up / --down match if UP flag (not) set\n"
"[!] --broadcast match if BROADCAST flag (not) set\n"
"[!] --loopback match if LOOPBACK flag (not) set\n"
" --iface interface Name of interface\n"
" --dev-in / --dev-out Use incoming/outgoing interface instead\n"
"[!] --up / --down match if UP flag (not) set\n"
"[!] --broadcast match if BROADCAST flag (not) set\n"
"[!] --loopback match if LOOPBACK flag (not) set\n"
"[!] --pointopoint\n"
"[!] --pointtopoint match if POINTOPOINT flag (not) set\n"
"[!] --running match if RUNNING flag (not) set\n"
"[!] --noarp / --arp match if NOARP flag (not) set\n"
"[!] --promisc match if PROMISC flag (not) set\n"
"[!] --multicast match if MULTICAST flag (not) set\n"
"[!] --dynamic match if DYNAMIC flag (not) set\n"
"[!] --lower-up match if LOWER_UP flag (not) set\n"
"[!] --dormant match if DORMANT flag (not) set\n");
"[!] --pointtopoint match if POINTOPOINT flag (not) set\n"
"[!] --running match if RUNNING flag (not) set\n"
"[!] --noarp / --arp match if NOARP flag (not) set\n"
"[!] --promisc match if PROMISC flag (not) set\n"
"[!] --multicast match if MULTICAST flag (not) set\n"
"[!] --dynamic match if DYNAMIC flag (not) set\n"
"[!] --lower-up match if LOWER_UP flag (not) set\n"
"[!] --dormant match if DORMANT flag (not) set\n");
}
static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -110,6 +115,18 @@ static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
strcpy(info->ifname, optarg);
*flags |= XT_IFACE_IFACE;
return true;
case 'I': /* --dev-in */
xtables_param_act(XTF_ONLY_ONCE, "iface", "--dev-in",
*flags & XT_IFACE_IFACE);
*flags |= XT_IFACE_IFACE;
iface_setflag(info, flags, invert, XT_IFACE_DEV_IN, "dev-in");
return true;
case 'O': /* --dev-out */
xtables_param_act(XTF_ONLY_ONCE, "iface", "--dev-out",
*flags & XT_IFACE_IFACE);
*flags |= XT_IFACE_IFACE;
iface_setflag(info, flags, invert, XT_IFACE_DEV_OUT, "dev-out");
return true;
case 'u': /* UP */
iface_setflag(info, flags, invert, XT_IFACE_UP, "up");
return true;
@@ -152,7 +169,8 @@ static void iface_mt_check(unsigned int flags)
if (!(flags & XT_IFACE_IFACE))
xtables_error(PARAMETER_PROBLEM,
"iface: You must specify an interface");
if (flags == 0 || flags == XT_IFACE_IFACE)
if ((flags & ~(XT_IFACE_IFACE | XT_IFACE_DEV_IN |
XT_IFACE_DEV_OUT)) == 0)
xtables_error(PARAMETER_PROBLEM,
"iface: You must specify at least one option");
}
@@ -162,7 +180,14 @@ static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
{
const struct xt_iface_mtinfo *info = (const void *)match->data;
printf("iface: \"%s\" [state:", info->ifname);
printf("iface: ");
if (info->flags & XT_IFACE_DEV_IN)
printf("(in)");
else if (info->flags & XT_IFACE_DEV_OUT)
printf("(out)");
else
printf("%s", info->ifname);
printf(" [state:");
iface_print_opt(info, XT_IFACE_UP, "up");
iface_print_opt(info, XT_IFACE_BROADCAST, "broadcast");
iface_print_opt(info, XT_IFACE_LOOPBACK, "loopback");
@@ -181,7 +206,12 @@ static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_iface_mtinfo *info = (const void *)match->data;
printf(" --iface %s", info->ifname);
if (info->flags & XT_IFACE_DEV_IN)
printf("--dev-in");
else if (info->flags & XT_IFACE_DEV_OUT)
printf("--dev-out");
else
printf("--iface %s", info->ifname);
iface_print_opt(info, XT_IFACE_UP, "--up");
iface_print_opt(info, XT_IFACE_BROADCAST, "--broadcast");
iface_print_opt(info, XT_IFACE_LOOPBACK, "--loopback");
@@ -200,7 +230,7 @@ static struct xtables_match iface_mt_reg = {
.version = XTABLES_VERSION,
.name = "iface",
.revision = 0,
.family = AF_UNSPEC,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.help = iface_mt_help,

17
extensions/libxt_iface.man
View File

@@ -1,7 +1,20 @@
Allows you to check interface states.
Allows you to check interface states. First, an interface needs to be selected
for comparison. Exactly one option of the following three must be specified:
.TP
\fB\-\-iface\fP \fIname\fP
Check the states on the given interface. This option is required.
Check the states on the given interface.
.TP
\fB\-\-dev\-in\fP
Check the states on the interface on which the packet came in. If the input
device is not set, because for example you are using \-m iface in the OUTPUT
chain, this submatch returns false.
.TP
\fB\-\-dev\-out\fP
Check the states on the interface on which the packet will go out. If the
output device is not set, because for example you are using \-m iface in the
INPUT chain, this submatch returns false.
.PP
Following that, one can select the interface properties to check for:
.TP
[\fB!\fP] \fB\-\-up\fP, [\fB!\fP] \fB\-\-down\fP
Check the UP flag.

3
extensions/libxt_ipp2p.c
View File

@@ -17,6 +17,7 @@
#include <ctype.h>
#include <xtables.h>
#include "xt_ipp2p.h"
#include "compat_user.h"
#define param_act(t, s, f) xtables_param_act((t), "ipp2p", (s), (f))
static void ipp2p_mt_help(void)
@@ -229,7 +230,7 @@ static struct xtables_match ipp2p_mt_reg = {
.version = XTABLES_VERSION,
.name = "ipp2p",
.revision = 1,
.family = AF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct ipt_p2p_info)),
.userspacesize = XT_ALIGN(sizeof(struct ipt_p2p_info)),
.help = ipp2p_mt_help,

3
extensions/libxt_ipv4options.c
View File

@@ -14,6 +14,7 @@
#include <string.h>
#include <xtables.h>
#include "xt_ipv4options.h"
#include "compat_user.h"
/*
* Overview from http://www.networksorcery.com/enp/protocol/ip.htm
@@ -161,7 +162,7 @@ static struct xtables_match ipv4options_mt_reg = {
.version = XTABLES_VERSION,
.name = "ipv4options",
.revision = 1,
.family = PF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
.help = ipv4options_mt_help,

3
extensions/libxt_length2.c
View File

@@ -5,6 +5,7 @@
#include <string.h>
#include <xtables.h>
#include "xt_length2.h"
#include "compat_user.h"
enum {
F_LAYER = 1 << 0,
@@ -155,7 +156,7 @@ static struct xtables_match length2_mt_reg = {
.version = XTABLES_VERSION,
.name = "length2",
.revision = 2,
.family = PF_UNSPEC,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
.userspacesize = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
.init = length_mt_init,

3
extensions/libxt_lscan.c
View File

@@ -17,6 +17,7 @@
#include <xtables.h>
#include <linux/netfilter/x_tables.h>
#include "xt_lscan.h"
#include "compat_user.h"
static const struct option lscan_mt_opts[] = {
{.name = "stealth", .has_arg = false, .val = 'x'},
@@ -105,7 +106,7 @@ static struct xtables_match lscan_mt_reg = {
.version = XTABLES_VERSION,
.name = "lscan",
.revision = 0,
.family = AF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
.help = lscan_mt_help,

3
extensions/libxt_psd.c
View File

@@ -28,6 +28,7 @@
#include <xtables.h>
#include <linux/netfilter/x_tables.h>
#include "xt_psd.h"
#include "compat_user.h"
/* Function which prints out usage message. */
static void psd_mt_help(void) {
@@ -139,7 +140,7 @@ static struct xtables_match psd_mt_reg = {
.name = "psd",
.version = XTABLES_VERSION,
.revision = 1,
.family = PF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_psd_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_psd_info)),
.help = psd_mt_help,

3
extensions/libxt_quota2.c
View File

@@ -15,6 +15,7 @@
#include <string.h>
#include <xtables.h>
#include "xt_quota2.h"
#include "compat_user.h"
enum {
FL_QUOTA = 1 << 0,
@@ -133,7 +134,7 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
}
static struct xtables_match quota_mt2_reg = {
.family = AF_UNSPEC,
.family = NFPROTO_UNSPEC,
.revision = 3,
.name = "quota2",
.version = XTABLES_VERSION,

3
extensions/pknock/libxt_pknock.c
View File

@@ -16,6 +16,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include "xt_pknock.h"
#include "compat_user.h"
static const struct option pknock_mt_opts[] = {
/* .name, .has_arg, .flag, .val */
@@ -326,7 +327,7 @@ static struct xtables_match pknock_mt_reg = {
.name = "pknock",
.version = XTABLES_VERSION,
.revision = 1,
.family = AF_INET,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
.help = pknock_mt_help,

11
extensions/pknock/xt_pknock.c
View File

@@ -958,7 +958,7 @@ is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
}
static bool pknock_mt(const struct sk_buff *skb,
const struct xt_match_param *par)
struct xt_action_param *par)
{
const struct xt_pknock_mtinfo *info = par->matchinfo;
struct xt_pknock_rule *rule;
@@ -975,7 +975,7 @@ static bool pknock_mt(const struct sk_buff *skb,
/* We've been asked to examine this packet, and we
* can't. Hence, no choice but to drop.
*/
*par->hotdrop = true;
par->hotdrop = true;
return false;
}
@@ -1064,9 +1064,9 @@ out:
return ret;
}
#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return false; } while (false)
#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return -EINVAL; } while (false)
static bool pknock_mt_check(const struct xt_mtchk_param *par)
static int pknock_mt_check(const struct xt_mtchk_param *par)
{
struct xt_pknock_mtinfo *info = par->matchinfo;
@@ -1124,9 +1124,10 @@ static bool pknock_mt_check(const struct xt_mtchk_param *par)
}
if (!add_rule(info))
/* should ENOMEM here */
RETURN_ERR("add_rule() error in checkentry() function.\n");
return true;
return 0;
}
static void pknock_mt_destroy(const struct xt_mtdtor_param *par)

58
extensions/xt_CHAOS.c
View File

@@ -45,7 +45,7 @@ static const struct xt_tcp tcp_params = {
/* CHAOS functions */
static void
xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_chaos_tginfo *info = par->targinfo;
const struct iphdr *iph = ip_hdr(skb);
@@ -62,7 +62,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
ret = xm_tcp->match(skb, par->in, par->out, xm_tcp, &tcp_params,
fragoff, thoff, &hotdrop);
#else
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
{
struct xt_match_param local_par = {
.in = par->in,
@@ -75,6 +75,19 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
};
ret = xm_tcp->match(skb, &local_par);
}
#else
{
struct xt_action_param local_par;
local_par.in = par->in,
local_par.out = par->out,
local_par.match = xm_tcp;
local_par.matchinfo = &tcp_params;
local_par.fragoff = fragoff;
local_par.thoff = thoff;
local_par.hotdrop = false;
ret = xm_tcp->match(skb, &local_par);
hotdrop = local_par.hotdrop;
}
#endif
if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
return;
@@ -86,17 +99,34 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
destiny->target(skb, par->in, par->out, par->hooknum, destiny, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
{
struct xt_target_param local_par = {
.in = par->in,
.out = par->out,
.hooknum = par->hooknum,
.target = destiny,
.targinfo = par->targinfo,
.family = par->family,
};
destiny->target(skb, &local_par);
}
#else
{
struct xt_target_param local_par = *par;
local_par.target = destiny;
struct xt_action_param local_par;
local_par.in = par->in;
local_par.out = par->out;
local_par.hooknum = par->hooknum;
local_par.target = destiny;
local_par.targinfo = par->targinfo;
local_par.family = par->family;
destiny->target(skb, &local_par);
}
#endif
}
static unsigned int
chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
/*
* Equivalent to:
@@ -120,7 +150,7 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
return xt_reject->target(skb, par->in, par->out, par->hooknum,
xt_reject, &reject_params);
#else
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
struct xt_target_param local_par = {
.in = par->in,
.out = par->out,
@@ -129,6 +159,14 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
.targinfo = &reject_params,
};
return xt_reject->target(skb, &local_par);
#else
struct xt_action_param local_par;
local_par.in = par->in;
local_par.out = par->out;
local_par.hooknum = par->hooknum;
local_par.target = xt_reject;
local_par.targinfo = &reject_params;
return xt_reject->target(skb, &local_par);
#endif
}
@@ -141,22 +179,22 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
return NF_DROP;
}
static bool chaos_tg_check(const struct xt_tgchk_param *par)
static int chaos_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_chaos_tginfo *info = par->targinfo;
if (info->variant == XTCHAOS_DELUDE && !have_delude) {
printk(KERN_WARNING PFX "Error: Cannot use --delude when "
"DELUDE module not available\n");
return false;
return -EINVAL;
}
if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
"TARPIT module not available\n");
return false;
return -EINVAL;
}
return true;
return 0;
}
static struct xt_target chaos_tg_reg = {

72
extensions/xt_CHECKSUM.c Normal file
View File

@@ -0,0 +1,72 @@
/*
* (C) 2002 by Harald Welte <laforge@netfilter.org>
* (C) 2010 Red Hat, Inc.
*
* Author: Michael S. Tsirkin <mst@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>
#include "xt_CHECKSUM.h"
#include "compat_xtables.h"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
MODULE_DESCRIPTION("Xtables: checksum modification");
MODULE_ALIAS("ipt_CHECKSUM");
MODULE_ALIAS("ip6t_CHECKSUM");
static unsigned int
checksum_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
if (skb->ip_summed == CHECKSUM_PARTIAL)
skb_checksum_help(skb);
return XT_CONTINUE;
}
static int checksum_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_CHECKSUM_info *einfo = par->targinfo;
if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
return -EINVAL;
}
if (!einfo->operation) {
pr_info("no CHECKSUM operation enabled\n");
return -EINVAL;
}
return 0;
}
static struct xt_target checksum_tg_reg __read_mostly = {
.name = "CHECKSUM",
.family = NFPROTO_UNSPEC,
.target = checksum_tg,
.targetsize = sizeof(struct xt_CHECKSUM_info),
.table = "mangle",
.checkentry = checksum_tg_check,
.me = THIS_MODULE,
};
static int __init checksum_tg_init(void)
{
return xt_register_target(&checksum_tg_reg);
}
static void __exit checksum_tg_exit(void)
{
xt_unregister_target(&checksum_tg_reg);
}
module_init(checksum_tg_init);
module_exit(checksum_tg_exit);

18
extensions/xt_CHECKSUM.h Normal file
View File

@@ -0,0 +1,18 @@
/* Header file for iptables ipt_CHECKSUM target
*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
* (C) 2010 Red Hat Inc
* Author: Michael S. Tsirkin <mst@redhat.com>
*
* This software is distributed under GNU GPL v2, 1991
*/
#ifndef _IPT_CHECKSUM_TARGET_H
#define _IPT_CHECKSUM_TARGET_H
#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
struct xt_CHECKSUM_info {
__u8 operation; /* bitset of operations */
};
#endif /* _IPT_CHECKSUM_TARGET_H */

2
extensions/xt_DELUDE.c
View File

@@ -143,7 +143,7 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
}
static unsigned int
delude_tg(struct sk_buff **pskb, const struct xt_target_param *par)
delude_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
/* WARNING: This code causes reentry within iptables.
This means that the iptables jump stack is now crap. We

6
extensions/xt_DHCPMAC.c
View File

@@ -69,7 +69,7 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
}
static bool
dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
dhcpmac_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct dhcpmac_info *info = par->matchinfo;
const struct dhcp_message *dh;
@@ -89,7 +89,7 @@ dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
}
static unsigned int
dhcpmac_tg(struct sk_buff **pskb, const struct xt_target_param *par)
dhcpmac_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct dhcpmac_info *info = par->targinfo;
struct dhcp_message dhcpbuf, *dh;
@@ -139,7 +139,7 @@ static struct xt_match dhcpmac_mt_reg __read_mostly = {
.family = NFPROTO_IPV4,
.proto = IPPROTO_UDP,
.match = dhcpmac_mt,
.matchsize = XT_ALIGN(sizeof(struct dhcpmac_info)),
.matchsize = sizeof(struct dhcpmac_info),
.me = THIS_MODULE,
};

14
extensions/xt_ECHO.c
View File

@@ -21,7 +21,7 @@
#include "compat_xtables.h"
static unsigned int
echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
{
const struct sk_buff *oldskb = *poldskb;
const struct udphdr *oldudp;
@@ -32,7 +32,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
unsigned int addr_type, data_len;
void *payload;
printk(KERN_INFO "dst_out=%p\n", (*poldskb)->dst->output);
printk(KERN_INFO "dst_out=%p\n", skb_dst(*poldskb)->output);
/* This allows us to do the copy operation in fewer lines of code. */
if (skb_linearize(*poldskb) < 0)
@@ -84,18 +84,17 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
#endif
addr_type = RTN_LOCAL;
/* ip_route_me_harder expects skb->dst to be set */
dst_hold(oldskb->dst);
newskb->dst = oldskb->dst;
/* ip_route_me_harder expects the skb's dst to be set */
skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
if (ip_route_me_harder(&newskb, addr_type) < 0)
goto free_nskb;
newip->ttl = dst_metric(newskb->dst, RTAX_HOPLIMIT);
newip->ttl = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
newskb->ip_summed = CHECKSUM_NONE;
/* "Never happens" (?) */
if (newskb->len > dst_mtu(newskb->dst))
if (newskb->len > dst_mtu(skb_dst(newskb)))
goto free_nskb;
nf_ct_attach(newskb, *poldskb);
@@ -114,7 +113,6 @@ static struct xt_target echo_tg_reg __read_mostly = {
.proto = IPPROTO_UDP,
.table = "filter",
.target = echo_tg4,
.targetsize = XT_ALIGN(0),
.me = THIS_MODULE,
};

8
extensions/xt_IPMARK.c
View File

@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_IPMARK");
MODULE_ALIAS("ip6t_IPMARK");
static unsigned int
ipmark_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
ipmark_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_ipmark_tginfo *ipmarkinfo = par->targinfo;
const struct sk_buff *skb = *pskb;
@@ -61,7 +61,7 @@ static __u32 ipmark_from_ip6(const struct in6_addr *a, unsigned int s)
}
static unsigned int
ipmark_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
ipmark_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_ipmark_tginfo *info = par->targinfo;
const struct sk_buff *skb = *pskb;
@@ -86,7 +86,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
.family = NFPROTO_IPV4,
.table = "mangle",
.target = ipmark_tg4,
.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
.targetsize = sizeof(struct xt_ipmark_tginfo),
.me = THIS_MODULE,
},
{
@@ -95,7 +95,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
.family = NFPROTO_IPV6,
.table = "mangle",
.target = ipmark_tg6,
.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
.targetsize = sizeof(struct xt_ipmark_tginfo),
.me = THIS_MODULE,
},
};

12
extensions/xt_LOGMARK.c
View File

@@ -2,7 +2,7 @@
* "LOGMARK" target extension to Xtables
* useful for debugging
*
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2010
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -30,7 +30,7 @@ static const char *const dir_names[] = {
};
static unsigned int
logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct xt_logmark_tginfo *info = par->targinfo;
@@ -75,23 +75,25 @@ logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
printk("%s""ASSURED", prev++ ? "," : "");
if (ct->status & IPS_CONFIRMED)
printk("%s""CONFIRMED", prev++ ? "," : "");
printk(" lifetime=%lus",
(jiffies - ct->timeout.expires) / HZ);
}
printk("\n");
return XT_CONTINUE;
}
static bool
static int
logmark_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_logmark_tginfo *info = par->targinfo;
if (info->level >= 8) {
pr_debug("LOGMARK: level %u >= 8\n", info->level);
return false;
return -EINVAL;
}
return true;
return 0;
}
static struct xt_target logmark_tg_reg[] __read_mostly = {

32
extensions/xt_RAWNAT.c
View File

@@ -22,6 +22,10 @@
#include "compat_xtables.h"
#include "xt_RAWNAT.h"
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
# define WITH_IPV6 1
#endif
static inline __be32
remask(__be32 addr, __be32 repl, unsigned int shift)
{
@@ -29,6 +33,7 @@ remask(__be32 addr, __be32 repl, unsigned int shift)
return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
}
#ifdef WITH_IPV6
static void
rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
{
@@ -43,7 +48,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
break;
case 33 ... 63:
addr[0] = repl[0];
addr[1] = remask(addr[1], repl[1], mask - 64);
addr[1] = remask(addr[1], repl[1], mask - 32);
break;
case 64:
addr[0] = repl[0];
@@ -52,7 +57,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
case 65 ... 95:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = remask(addr[2], repl[2], mask - 96);
addr[2] = remask(addr[2], repl[2], mask - 64);
case 96:
addr[0] = repl[0];
addr[1] = repl[1];
@@ -62,7 +67,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
addr[3] = remask(addr[3], repl[3], mask - 128);
addr[3] = remask(addr[3], repl[3], mask - 96);
break;
case 128:
addr[0] = repl[0];
@@ -72,6 +77,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
break;
}
}
#endif
static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
{
@@ -119,7 +125,7 @@ static unsigned int rawnat4_writable_part(const struct iphdr *iph)
}
static unsigned int
rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
rawsnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
@@ -141,7 +147,7 @@ rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
}
static unsigned int
rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
rawdnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
@@ -162,6 +168,7 @@ rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
return XT_CONTINUE;
}
#ifdef WITH_IPV6
static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
unsigned int *l4proto)
{
@@ -234,7 +241,7 @@ static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
}
static unsigned int
rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
@@ -255,7 +262,7 @@ rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
}
static unsigned int
rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
@@ -274,16 +281,17 @@ rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
return XT_CONTINUE;
}
#endif
static bool rawnat_tg_check(const struct xt_tgchk_param *par)
static int rawnat_tg_check(const struct xt_tgchk_param *par)
{
if (strcmp(par->table, "raw") == 0 ||
strcmp(par->table, "rawpost") == 0)
return true;
return 0;
printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or "
"\"rawpost\" table.\n");
return false;
return -EINVAL;
}
static struct xt_target rawnat_tg_reg[] __read_mostly = {
@@ -296,6 +304,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "RAWSNAT",
.revision = 0,
@@ -305,6 +314,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#endif
{
.name = "RAWDNAT",
.revision = 0,
@@ -314,6 +324,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "RAWDNAT",
.revision = 0,
@@ -323,6 +334,7 @@ static struct xt_target rawnat_tg_reg[] __read_mostly = {
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#endif
};
static int __init rawnat_tg_init(void)

2
extensions/xt_STEAL.c
View File

@@ -8,7 +8,7 @@
#include "compat_xtables.h"
static unsigned int
steal_tg(struct sk_buff **pskb, const struct xt_target_param *par)
steal_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
kfree_skb(*pskb);
return NF_STOLEN;

145
extensions/xt_SYSRQ.c
View File

@@ -1,6 +1,6 @@
/*
* "SYSRQ" target extension for Netfilter
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
*
* Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
*
@@ -23,6 +23,14 @@
#include <net/ip.h>
#include "compat_xtables.h"
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) && \
(defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE))
# define WITH_CRYPTO 1
#endif
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
# define WITH_IPV6 1
#endif
static bool sysrq_once;
static char sysrq_password[64];
static char sysrq_hash[16] = "sha1";
@@ -38,7 +46,7 @@ MODULE_PARM_DESC(hash, "hash algorithm, default sha1");
MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
#ifdef WITH_CRYPTO
static struct crypto_hash *sysrq_tfm;
static int sysrq_digest_size;
static unsigned char *sysrq_digest_password;
@@ -127,13 +135,13 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
"0123456789abcdef"[sysrq_digest[i] & 0xf];
}
sysrq_hexdigest[2*sysrq_digest_size] = '\0';
if (len - n < sysrq_digest_size) {
if (len - n < sysrq_digest_size * 2) {
if (sysrq_debug)
printk(KERN_INFO KBUILD_MODNAME ": Short digest,"
" expected %s\n", sysrq_hexdigest);
return NF_DROP;
}
if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size) != 0) {
if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size * 2) != 0) {
if (sysrq_debug)
printk(KERN_INFO KBUILD_MODNAME ": Bad digest,"
" expected %s\n", sysrq_hexdigest);
@@ -144,7 +152,9 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
sysrq_seqno = new_seqno;
for (i = 0; i < len && data[i] != ','; ++i) {
printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
handle_sysrq(data[i]);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
handle_sysrq(data[i], NULL);
#else
handle_sysrq(data[i], NULL, NULL);
@@ -179,7 +189,9 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
return NF_DROP;
}
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
handle_sysrq(c);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
handle_sysrq(c, NULL);
#else
handle_sysrq(c, NULL, NULL);
@@ -189,7 +201,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
#endif
static unsigned int
sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
const struct iphdr *iph;
@@ -200,8 +212,8 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
return NF_DROP;
iph = ip_hdr(skb);
if (iph->protocol != IPPROTO_UDP)
return NF_ACCEPT; /* sink it */
if (iph->protocol != IPPROTO_UDP && iph->protocol != IPPROTO_UDPLITE)
return NF_DROP;
udph = (const void *)iph + ip_hdrlen(skb);
len = ntohs(udph->len) - sizeof(struct udphdr);
@@ -214,8 +226,9 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
}
#ifdef WITH_IPV6
static unsigned int
sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
const struct ipv6hdr *iph;
@@ -230,7 +243,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
iph = ipv6_hdr(skb);
if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
frag_off > 0)
return NF_ACCEPT; /* sink it */
return NF_DROP;
udph = (const void *)iph + th_off;
len = ntohs(udph->len) - sizeof(struct udphdr);
@@ -242,10 +255,10 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
ntohs(udph->dest), len);
return sysrq_tg(udph + sizeof(struct udphdr), len);
}
#endif
static bool sysrq_tg_check(const struct xt_tgchk_param *par)
static int sysrq_tg_check(const struct xt_tgchk_param *par)
{
if (par->target->family == NFPROTO_IPV4) {
const struct ipt_entry *entry = par->entryinfo;
@@ -262,11 +275,11 @@ static bool sysrq_tg_check(const struct xt_tgchk_param *par)
goto out;
}
return true;
return 0;
out:
printk(KERN_ERR KBUILD_MODNAME ": only available for UDP and UDP-Lite");
return false;
return -EINVAL;
}
static struct xt_target sysrq_tg_reg[] __read_mostly = {
@@ -278,6 +291,7 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
.checkentry = sysrq_tg_check,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "SYSRQ",
.revision = 1,
@@ -286,45 +300,12 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
.checkentry = sysrq_tg_check,
.me = THIS_MODULE,
},
#endif
};
static int __init sysrq_tg_init(void)
static void sysrq_crypto_exit(void)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
struct timeval now;
sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
if (IS_ERR(sysrq_tfm)) {
printk(KERN_WARNING KBUILD_MODNAME
": Error: Could not find or load %s hash\n",
sysrq_hash);
sysrq_tfm = NULL;
goto fail;
}
sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
if (sysrq_digest == NULL) {
printk(KERN_WARNING KBUILD_MODNAME
": Cannot allocate digest\n");
goto fail;
}
sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
if (sysrq_hexdigest == NULL) {
printk(KERN_WARNING KBUILD_MODNAME
": Cannot allocate hexdigest\n");
goto fail;
}
sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
if (sysrq_digest_password == NULL) {
printk(KERN_WARNING KBUILD_MODNAME
": Cannot allocate password digest space\n");
goto fail;
}
do_gettimeofday(&now);
sysrq_seqno = now.tv_sec;
return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
fail:
#ifdef WITH_CRYPTO
if (sysrq_tfm)
crypto_free_hash(sysrq_tfm);
if (sysrq_digest)
@@ -333,22 +314,62 @@ static int __init sysrq_tg_init(void)
kfree(sysrq_hexdigest);
if (sysrq_digest_password)
kfree(sysrq_digest_password);
return -EINVAL;
#else
printk(KERN_WARNING "xt_SYSRQ does not provide crypto for <= 2.6.18\n");
return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
#endif
}
static int __init sysrq_crypto_init(void)
{
#if defined(WITH_CRYPTO)
struct timeval now;
int ret;
sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
if (IS_ERR(sysrq_tfm)) {
printk(KERN_WARNING KBUILD_MODNAME
": Error: Could not find or load %s hash\n",
sysrq_hash);
ret = PTR_ERR(sysrq_tfm);
sysrq_tfm = NULL;
goto fail;
}
sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
ret = -ENOMEM;
if (sysrq_digest == NULL)
goto fail;
sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
if (sysrq_hexdigest == NULL)
goto fail;
sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
if (sysrq_digest_password == NULL)
goto fail;
do_gettimeofday(&now);
sysrq_seqno = now.tv_sec;
ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
if (ret < 0)
goto fail;
return ret;
fail:
sysrq_crypto_exit();
return ret;
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 19)
printk(KERN_WARNING "xt_SYSRQ does not provide crypto for < 2.6.19\n");
#endif
return -EINVAL;
}
static int __init sysrq_tg_init(void)
{
if (sysrq_crypto_init() < 0)
printk(KERN_WARNING "xt_SYSRQ starting without crypto\n");
return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
}
static void __exit sysrq_tg_exit(void)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
crypto_free_hash(sysrq_tfm);
kfree(sysrq_digest);
kfree(sysrq_hexdigest);
kfree(sysrq_digest_password);
#endif
return xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
sysrq_crypto_exit();
xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
}
module_init(sysrq_tg_init);

4
extensions/xt_TARPIT.c
View File

@@ -73,7 +73,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
/* Rate-limit replies to !SYN,ACKs */
#if 0
if (!oth->syn && oth->ack)
if (!xrlim_allow(&ort->u.dst, HZ))
if (!xrlim_allow(rt_dst(ort), HZ))
return;
#endif
@@ -188,7 +188,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
}
static unsigned int
tarpit_tg(struct sk_buff **pskb, const struct xt_target_param *par)
tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct iphdr *iph = ip_hdr(skb);

189
extensions/xt_TEE.c
View File

@@ -24,7 +24,6 @@
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
# define WITH_CONNTRACK 1
# include <net/netfilter/nf_conntrack.h>
static struct nf_conn tee_track;
#endif
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
# define WITH_IPV6 1
@@ -33,55 +32,27 @@ static struct nf_conn tee_track;
#include "compat_xtables.h"
#include "xt_TEE.h"
static bool tee_active[NR_CPUS];
static const union nf_inet_addr tee_zero_address;
/*
* Try to route the packet according to the routing keys specified in
* route_info. Keys are :
* - ifindex :
* 0 if no oif preferred,
* otherwise set to the index of the desired oif
* - route_info->gateway :
* 0 if no gateway specified,
* otherwise set to the next host to which the pkt must be routed
* If success, skb->dev is the output device to which the packet must
* be sent and skb->dst is not NULL
*
* RETURN: false - if an error occured
* true - if the packet was succesfully routed to the
* destination desired
*/
static bool
tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
{
const struct iphdr *iph = ip_hdr(skb);
int err;
struct rtable *rt;
struct flowi fl;
memset(&fl, 0, sizeof(fl));
fl.iif = skb_ifindex(skb);
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
fl.nl_u.ip4_u.fwmark = skb_nfmark(skb);
#else
fl.mark = skb_nfmark(skb);
#endif
fl.nl_u.ip4_u.daddr = info->gw.ip;
fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
/* Trying to route the packet using the standard routing table. */
err = ip_route_output_key(&init_net, &rt, &fl);
if (err != 0) {
if (net_ratelimit())
pr_debug(KBUILD_MODNAME
": could not route packet (%d)", err);
if (ip_route_output_key(&init_net, &rt, &fl) != 0)
return false;
}
dst_release(skb_dst(skb));
skb_dst_set(skb, &rt->u.dst);
skb->dev = rt->u.dst.dev;
skb_dst_set(skb, rt_dst(rt));
skb->dev = rt_dst(rt)->dev;
skb->protocol = htons(ETH_P_IP);
return true;
}
@@ -123,79 +94,58 @@ static void tee_tg_send(struct sk_buff *skb)
skb = skb2;
}
if (dst->hh != NULL) {
if (dst->hh != NULL)
neigh_hh_output(dst->hh, skb);
} else if (dst->neighbour != NULL) {
else if (dst->neighbour != NULL)
dst->neighbour->output(skb);
} else {
if (net_ratelimit())
pr_debug(KBUILD_MODNAME "no hdr & no neighbour cache!\n");
else
kfree_skb(skb);
}
}
/*
* To detect and deter routed packet loopback when using the --tee option, we
* take a page out of the raw.patch book: on the copied skb, we set up a fake
* ->nfct entry, pointing to the local &route_tee_track. We skip routing
* packets when we see they already have that ->nfct.
*/
static unsigned int
tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
tee_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
struct sk_buff *skb = *pskb;
struct iphdr *iph;
unsigned int cpu = smp_processor_id();
#ifdef WITH_CONNTRACK
if (skb->nfct == &tee_track.ct_general) {
/*
* Loopback - a packet we already routed, is to be
* routed another time. Avoid that, now.
*/
if (net_ratelimit())
pr_debug(KBUILD_MODNAME "loopback - DROP!\n");
return NF_DROP;
}
#endif
if (!skb_make_writable(pskb, sizeof(struct iphdr)))
return NF_DROP;
skb = *pskb;
/*
* If we are in INPUT, the checksum must be recalculated since
* the length could have changed as a result of defragmentation.
*/
if (par->hooknum == NF_INET_LOCAL_IN) {
struct iphdr *iph = ip_hdr(skb);
iph->check = 0;
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
}
if (tee_active[cpu])
return XT_CONTINUE;
/*
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
* the original skb, which should continue on its way as if nothing has
* happened. The copy should be independently delivered to the TEE
* --gateway.
*/
skb = skb_copy(skb, GFP_ATOMIC);
if (skb == NULL) {
if (net_ratelimit())
pr_debug(KBUILD_MODNAME "copy failed!\n");
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
}
/*
* If we are in PREROUTING/INPUT, the checksum must be recalculated
* since the length could have changed as a result of defragmentation.
*
* We also decrease the TTL to mitigate potential TEE loops
* between two hosts.
*
* Set %IP_DF so that the original source is notified of a potentially
* decreased MTU on the clone route. IPv6 does this too.
*/
iph = ip_hdr(skb);
iph->frag_off |= htons(IP_DF);
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN)
--iph->ttl;
ip_send_check(iph);
#ifdef WITH_CONNTRACK
/*
* Tell conntrack to forget this packet since it may get confused
* when a packet is leaving with dst address == our address.
* Good idea? Dunno. Need advice.
*
* NEW: mark the skb with our &tee_track, so we avoid looping
* on any already routed packet.
* Tell conntrack to forget this packet. It may have side effects to
* see the same packet twice, as for example, accounting the original
* connection for the cloned packet.
*/
nf_conntrack_put(skb->nfct);
skb->nfct = &tee_track.ct_general;
skb->nfct = &nf_conntrack_untracked.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
@@ -216,9 +166,13 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
* Also on purpose, no fragmentation is done, to preserve the
* packet as best as possible.
*/
if (tee_tg_route4(skb, info))
if (tee_tg_route4(skb, info)) {
tee_active[cpu] = true;
tee_tg_send(skb);
tee_active[cpu] = false;
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
@@ -231,12 +185,6 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
struct flowi fl;
memset(&fl, 0, sizeof(fl));
fl.iif = skb_ifindex(skb);
#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
fl.mark = skb_nfmark(skb);
#endif
fl.nl_u.ip6_u.daddr = info->gw.in6;
fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
@@ -246,11 +194,8 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
#else
dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
#endif
if (dst == NULL) {
if (net_ratelimit())
printk(KERN_ERR "ip6_route_output failed for tee\n");
if (dst == NULL)
return false;
}
dst_release(skb_dst(skb));
skb_dst_set(skb, dst);
@@ -260,40 +205,47 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
}
static unsigned int
tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
tee_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
struct sk_buff *skb = *pskb;
unsigned int cpu = smp_processor_id();
/* Try silence. */
#ifdef WITH_CONNTRACK
if (skb->nfct == &tee_track.ct_general)
return NF_DROP;
#endif
if ((skb = skb_copy(skb, GFP_ATOMIC)) == NULL)
if (tee_active[cpu])
return XT_CONTINUE;
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
#ifdef WITH_CONNTRACK
nf_conntrack_put(skb->nfct);
skb->nfct = &tee_track.ct_general;
skb->nfct = &nf_conntrack_untracked.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
if (tee_tg_route6(skb, info))
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN) {
struct ipv6hdr *iph = ipv6_hdr(skb);
--iph->hop_limit;
}
if (tee_tg_route6(skb, info)) {
tee_active[cpu] = true;
tee_tg_send(skb);
tee_active[cpu] = false;
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
#endif /* WITH_IPV6 */
static bool tee_tg_check(const struct xt_tgchk_param *par)
static int tee_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
/* 0.0.0.0 and :: not allowed */
return memcmp(&info->gw, &tee_zero_address,
sizeof(tee_zero_address)) != 0;
return (memcmp(&info->gw, &tee_zero_address,
sizeof(tee_zero_address)) == 0) ? -EINVAL : 0;
}
static struct xt_target tee_tg_reg[] __read_mostly = {
@@ -301,7 +253,6 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
.name = "TEE",
.revision = 0,
.family = NFPROTO_IPV4,
.table = "mangle",
.target = tee_tg4,
.targetsize = sizeof(struct xt_tee_tginfo),
.checkentry = tee_tg_check,
@@ -312,7 +263,6 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
.name = "TEE",
.revision = 0,
.family = NFPROTO_IPV6,
.table = "mangle",
.target = tee_tg6,
.targetsize = sizeof(struct xt_tee_tginfo),
.checkentry = tee_tg_check,
@@ -323,27 +273,12 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
static int __init tee_tg_init(void)
{
#ifdef WITH_CONNTRACK
/*
* Set up fake conntrack (stolen from raw.patch):
* - to never be deleted, not in any hashes
*/
atomic_set(&tee_track.ct_general.use, 1);
/* - and look it like as a confirmed connection */
set_bit(IPS_CONFIRMED_BIT, &tee_track.status);
/* Initialize fake conntrack so that NAT will skip it */
tee_track.status |= IPS_NAT_DONE_MASK;
#endif
return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
}
static void __exit tee_tg_exit(void)
{
xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
/* [SC]: shoud not we cleanup tee_track here? */
}
module_init(tee_tg_init);

68
extensions/xt_condition.c
View File

@@ -35,6 +35,7 @@ static unsigned int condition_gid_perms = 0;
MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Allows rules to match against condition variables");
MODULE_LICENSE("GPL");
module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
@@ -55,7 +56,7 @@ struct condition_variable {
/* proc_lock is a user context only semaphore used for write access */
/* to the conditions' list. */
static struct semaphore proc_lock;
static DEFINE_MUTEX(proc_lock);
static LIST_HEAD(conditions_list);
static struct proc_dir_entry *proc_net_condition;
@@ -69,7 +70,6 @@ static int condition_proc_read(char __user *buffer, char **start, off_t offset,
buffer[1] = '\n';
if (length >= 2)
*eof = true;
return 2;
}
@@ -92,25 +92,19 @@ static int condition_proc_write(struct file *file, const char __user *buffer,
break;
}
}
return length;
}
static bool
condition_mt(const struct sk_buff *skb, const struct xt_match_param *par)
condition_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_condition_mtinfo *info = par->matchinfo;
const struct condition_variable *var = info->condvar;
bool x;
rcu_read_lock();
x = rcu_dereference(var->enabled);
rcu_read_unlock();
return x ^ info->invert;
return var->enabled ^ info->invert;
}
static bool condition_mt_check(const struct xt_mtchk_param *par)
static int condition_mt_check(const struct xt_mtchk_param *par)
{
struct xt_condition_mtinfo *info = par->matchinfo;
struct condition_variable *var;
@@ -122,41 +116,36 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
printk(KERN_INFO KBUILD_MODNAME ": name not allowed or too "
"long: \"%.*s\"\n", (unsigned int)sizeof(info->name),
info->name);
return false;
return -EINVAL;
}
/*
* Let's acquire the lock, check for the condition and add it
* or increase the reference counter.
*/
if (down_interruptible(&proc_lock))
return false;
mutex_lock(&proc_lock);
list_for_each_entry(var, &conditions_list, list) {
if (strcmp(info->name, var->status_proc->name) == 0) {
var->refcount++;
up(&proc_lock);
mutex_unlock(&proc_lock);
info->condvar = var;
return true;
return 0;
}
}
/* At this point, we need to allocate a new condition variable. */
var = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);
if (var == NULL) {
up(&proc_lock);
return false;
mutex_unlock(&proc_lock);
return -ENOMEM;
}
/* Create the condition variable's proc file entry. */
var->status_proc = create_proc_entry(info->name, condition_list_perms,
proc_net_condition);
if (var->status_proc == NULL) {
kfree(var);
up(&proc_lock);
return false;
mutex_unlock(&proc_lock);
return -ENOMEM;
}
var->refcount = 1;
@@ -168,16 +157,12 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
wmb();
var->status_proc->read_proc = condition_proc_read;
var->status_proc->write_proc = condition_proc_write;
list_add_rcu(&var->list, &conditions_list);
list_add(&var->list, &conditions_list);
var->status_proc->uid = condition_uid_perms;
var->status_proc->gid = condition_gid_perms;
up(&proc_lock);
mutex_unlock(&proc_lock);
info->condvar = var;
return true;
return 0;
}
static void condition_mt_destroy(const struct xt_mtdtor_param *par)
@@ -185,22 +170,15 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
const struct xt_condition_mtinfo *info = par->matchinfo;
struct condition_variable *var = info->condvar;
down(&proc_lock);
mutex_lock(&proc_lock);
if (--var->refcount == 0) {
list_del_rcu(&var->list);
list_del(&var->list);
remove_proc_entry(var->status_proc->name, proc_net_condition);
up(&proc_lock);
/*
* synchronize_rcu() would be good enough, but
* synchronize_net() guarantees that no packet
* will go out with the old rule after
* succesful removal.
*/
synchronize_net();
mutex_unlock(&proc_lock);
kfree(var);
return;
}
up(&proc_lock);
mutex_unlock(&proc_lock);
}
static struct xt_match condition_mt_reg[] __read_mostly = {
@@ -208,7 +186,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
.name = "condition",
.revision = 1,
.family = NFPROTO_IPV4,
.matchsize = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
.matchsize = sizeof(struct xt_condition_mtinfo),
.match = condition_mt,
.checkentry = condition_mt_check,
.destroy = condition_mt_destroy,
@@ -218,7 +196,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
.name = "condition",
.revision = 1,
.family = NFPROTO_IPV6,
.matchsize = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
.matchsize = sizeof(struct xt_condition_mtinfo),
.match = condition_mt,
.checkentry = condition_mt_check,
.destroy = condition_mt_destroy,
@@ -232,7 +210,7 @@ static int __init condition_mt_init(void)
{
int ret;
sema_init(&proc_lock, 1);
mutex_init(&proc_lock);
proc_net_condition = proc_mkdir(dir_name, init_net__proc_net);
if (proc_net_condition == NULL)
return -EACCES;

12
extensions/xt_fuzzy.c
View File

@@ -60,7 +60,7 @@ static uint8_t mf_low(uint32_t tx, uint32_t mini, uint32_t maxi)
}
static bool
fuzzy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
fuzzy_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
struct xt_fuzzy_mtinfo *info = (void *)par->matchinfo;
unsigned long amount;
@@ -125,7 +125,7 @@ fuzzy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return false;
}
static bool fuzzy_mt_check(const struct xt_mtchk_param *par)
static int fuzzy_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_fuzzy_mtinfo *info = par->matchinfo;
@@ -133,10 +133,10 @@ static bool fuzzy_mt_check(const struct xt_mtchk_param *par)
info->maximum_rate > FUZZY_MAX_RATE ||
info->minimum_rate >= info->maximum_rate) {
printk(KERN_INFO KBUILD_MODNAME ": bad values, please check.\n");
return false;
return -EDOM;
}
return true;
return 0;
}
static struct xt_match fuzzy_mt_reg[] __read_mostly = {
@@ -146,7 +146,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
.family = NFPROTO_IPV4,
.match = fuzzy_mt,
.checkentry = fuzzy_mt_check,
.matchsize = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
.matchsize = sizeof(struct xt_fuzzy_mtinfo),
.me = THIS_MODULE,
},
{
@@ -155,7 +155,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
.family = NFPROTO_IPV6,
.match = fuzzy_mt,
.checkentry = fuzzy_mt_check,
.matchsize = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
.matchsize = sizeof(struct xt_fuzzy_mtinfo),
.me = THIS_MODULE,
},
};

37
extensions/xt_geoip.c
View File

@@ -46,23 +46,28 @@ geoip_add_node(const struct geoip_country_user __user *umem_ptr)
struct geoip_country_user umem;
struct geoip_country_kernel *p;
struct geoip_subnet *s;
int ret;
if (copy_from_user(&umem, umem_ptr, sizeof(umem)) != 0)
return NULL;
return ERR_PTR(-EFAULT);
p = kmalloc(sizeof(struct geoip_country_kernel), GFP_KERNEL);
if (p == NULL)
return NULL;
return ERR_PTR(-ENOMEM);
p->count = umem.count;
p->cc = umem.cc;
s = vmalloc(p->count * sizeof(struct geoip_subnet));
if (s == NULL)
if (s == NULL) {
ret = -ENOMEM;
goto free_p;
}
if (copy_from_user(s, (const void __user *)(unsigned long)umem.subnets,
p->count * sizeof(struct geoip_subnet)) != 0)
p->count * sizeof(struct geoip_subnet)) != 0) {
ret = -EFAULT;
goto free_s;
}
p->subnets = s;
atomic_set(&p->ref, 1);
@@ -78,7 +83,7 @@ geoip_add_node(const struct geoip_country_user __user *umem_ptr)
vfree(s);
free_p:
kfree(p);
return NULL;
return ERR_PTR(ret);
}
static void geoip_try_remove_node(struct geoip_country_kernel *p)
@@ -121,13 +126,13 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
{
int mid;
if (hi < lo)
if (hi <= lo)
return false;
mid = (lo + hi) / 2;
if (range[mid].begin <= addr && addr <= range[mid].end)
return true;
if (range[mid].begin > addr)
return geoip_bsearch(range, addr, lo, mid - 1);
return geoip_bsearch(range, addr, lo, mid);
else if (range[mid].end < addr)
return geoip_bsearch(range, addr, mid + 1, hi);
@@ -136,7 +141,7 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
}
static bool
xt_geoip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
xt_geoip_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_geoip_match_info *info = par->matchinfo;
const struct geoip_country_kernel *node;
@@ -168,7 +173,7 @@ xt_geoip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return info->flags & XT_GEOIP_INV;
}
static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
static int xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
{
struct xt_geoip_match_info *info = par->matchinfo;
struct geoip_country_kernel *node;
@@ -176,13 +181,15 @@ static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
for (i = 0; i < info->count; i++) {
node = find_node(info->cc[i]);
if (node == NULL)
if ((node = geoip_add_node((const void __user *)(unsigned long)info->mem[i].user)) == NULL) {
if (node == NULL) {
node = geoip_add_node((const void __user *)(unsigned long)info->mem[i].user);
if (IS_ERR(node)) {
printk(KERN_ERR
"xt_geoip: unable to load '%c%c' into memory\n",
COUNTRY(info->cc[i]));
return false;
"xt_geoip: unable to load '%c%c' into memory: %ld\n",
COUNTRY(info->cc[i]), PTR_ERR(node));
return PTR_ERR(node);
}
}
/* Overwrite the now-useless pointer info->mem[i] with
* a pointer to the node's kernelspace structure.
@@ -192,7 +199,7 @@ static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
info->mem[i].kernel = node;
}
return true;
return 0;
}
static void xt_geoip_mt_destroy(const struct xt_mtdtor_param *par)

9
extensions/xt_gradm.h Normal file
View File

@@ -0,0 +1,9 @@
#ifndef _XT_GRADM_H
#define _XT_GRADM_H
struct xt_gradm_mtinfo {
__u16 flags;
__u16 invflags;
};
#endif

57
extensions/xt_iface.c
View File

@@ -40,29 +40,46 @@ static const struct xt_iface_flag_pairs xt_iface_lookup[] =
{.iface_flag = XT_IFACE_DORMANT, .iff_flag = IFF_DORMANT},
};
static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
const struct xt_action_param *par, struct net_device **put)
{
if (info->flags & XT_IFACE_DEV_IN)
return par->in;
else if (info->flags & XT_IFACE_DEV_OUT)
return par->out;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
return *put = dev_get_by_name(&init_net, info->ifname);
#else
return *put = dev_get_by_name(info->ifname);
#endif
}
static bool iface_flagtest(unsigned int devflags, unsigned int flags,
unsigned int invflags)
{
unsigned int i;
for (i = 0; i < ARRAY_SIZE(xt_iface_lookup); ++i)
if ((flags & xt_iface_lookup[i].iface_flag) &&
!!(devflags & xt_iface_lookup[i].iff_flag) ^
!(invflags & xt_iface_lookup[i].iface_flag))
return false;
return true;
}
static bool xt_iface_mt(const struct sk_buff *skb,
const struct xt_match_param *par)
struct xt_action_param *par)
{
const struct xt_iface_mtinfo *info = par->matchinfo;
struct net_device *dev;
struct net_device *put = NULL;
const struct net_device *dev = iface_get(info, par, &put);
bool retval;
int i;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
dev = dev_get_by_name(&init_net, info->ifname);
#else
dev = dev_get_by_name(info->ifname);
#endif
retval = dev != NULL;
if (retval) {
for (i = 0; i < ARRAY_SIZE(xt_iface_lookup) && retval; ++i) {
if (info->flags & xt_iface_lookup[i].iface_flag)
retval &= dev->flags & xt_iface_lookup[i].iff_flag;
if (info->invflags & xt_iface_lookup[i].iface_flag)
retval &= !(dev->flags & xt_iface_lookup[i].iff_flag);
}
dev_put(dev);
}
if (dev == NULL)
return false;
retval = iface_flagtest(dev->flags, info->flags, info->invflags);
if (put != NULL)
dev_put(put);
return retval;
}
@@ -71,7 +88,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
.name = "iface",
.revision = 0,
.family = NFPROTO_IPV4,
.matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.matchsize = sizeof(struct xt_iface_mtinfo),
.match = xt_iface_mt,
.me = THIS_MODULE,
},
@@ -79,7 +96,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
.name = "iface",
.revision = 0,
.family = NFPROTO_IPV6,
.matchsize = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
.matchsize = sizeof(struct xt_iface_mtinfo),
.match = xt_iface_mt,
.me = THIS_MODULE,
},

3
extensions/xt_iface.h
View File

@@ -13,7 +13,8 @@ enum {
XT_IFACE_DYNAMIC = 1 << 8,
XT_IFACE_LOWER_UP = 1 << 9,
XT_IFACE_DORMANT = 1 << 10,
XT_IFACE_IFACE = 1 << 15,
XT_IFACE_DEV_IN = 1 << 11,
XT_IFACE_DEV_OUT = 1 << 12,
};
struct xt_iface_mtinfo {

17
extensions/xt_ipp2p.c
View File

@@ -505,19 +505,18 @@ search_bittorrent(const unsigned char *payload, const unsigned int plen)
if (payload[0] == 0x13)
if (memcmp(payload + 1, "BitTorrent protocol", 19) == 0)
return IPP2P_BIT * 100;
/*
* get tracker commandos, all starts with GET /
* then it can follow: scrape| announce
* and then ?hash_info=
* Any tracker command starts with GET / then *may be* some file on web server
* (e.g. announce.php or dupa.pl or whatever.cgi or NOTHING for tracker on root dir)
* but *must have* one (or more) of strings listed below (true for scrape and announce)
*/
if (memcmp(payload, "GET /", 5) == 0) {
/* message scrape */
if (memcmp(payload + 5, "scrape?info_hash=", 17) == 0)
if (HX_memmem(payload, plen, "info_hash=", 9) != NULL)
return IPP2P_BIT * 100 + 1;
/* message announce */
if (memcmp(payload + 5, "announce?info_hash=", 19) == 0)
if (HX_memmem(payload, plen, "peer_id=", 8) != NULL)
return IPP2P_BIT * 100 + 2;
if (HX_memmem(payload, plen, "passkey=", 8) != NULL)
return IPP2P_BIT * 100 + 4;
}
} else {
/* bitcomet encryptes the first packet, so we have to detect another
@@ -809,7 +808,7 @@ static const struct {
};
static bool
ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ipt_p2p_info *info = par->matchinfo;
const unsigned char *haystack;

4
extensions/xt_ipv4options.c
View File

@@ -29,7 +29,7 @@ static uint32_t ipv4options_rd(const uint8_t *data, int len)
}
static bool ipv4options_mt(const struct sk_buff *skb,
const struct xt_match_param *par)
struct xt_action_param *par)
{
const struct xt_ipv4options_mtinfo1 *info = par->matchinfo;
const struct iphdr *iph = ip_hdr(skb);
@@ -50,7 +50,7 @@ static struct xt_match ipv4options_mt_reg __read_mostly = {
.revision = 1,
.family = NFPROTO_IPV4,
.match = ipv4options_mt,
.matchsize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
.matchsize = sizeof(struct xt_ipv4options_mtinfo1),
.me = THIS_MODULE,
};

58
extensions/xt_length2.c
View File

@@ -136,6 +136,30 @@ static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
}
}
static bool
length2_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_length_mtinfo2 *info = par->matchinfo;
const struct iphdr *iph = ip_hdr(skb);
unsigned int len = 0;
bool hit = true;
if (info->flags & XT_LENGTH_LAYER3)
len = ntohs(iph->tot_len);
else if (info->flags & XT_LENGTH_LAYER4)
len = ntohs(iph->tot_len) - par->thoff;
else if (info->flags & XT_LENGTH_LAYER5)
hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
else if (info->flags & XT_LENGTH_LAYER7)
hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
if (!hit)
return false;
return (len >= info->min && len <= info->max) ^
!!(info->flags & XT_LENGTH_INVERT);
}
#ifdef WITH_IPV6
/**
* llayer4_proto - figure out the L4 protocol in an IPv6 packet
* @skb: skb pointer
@@ -174,31 +198,7 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
}
static bool
length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_length_mtinfo2 *info = par->matchinfo;
const struct iphdr *iph = ip_hdr(skb);
unsigned int len = 0;
bool hit = true;
if (info->flags & XT_LENGTH_LAYER3)
len = ntohs(iph->tot_len);
else if (info->flags & XT_LENGTH_LAYER4)
len = ntohs(iph->tot_len) - par->thoff;
else if (info->flags & XT_LENGTH_LAYER5)
hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
else if (info->flags & XT_LENGTH_LAYER7)
hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
if (!hit)
return false;
return (len >= info->min && len <= info->max) ^
!!(info->flags & XT_LENGTH_INVERT);
}
#ifdef WITH_IPV6
static bool
length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_length_mtinfo2 *info = par->matchinfo;
const struct ipv6hdr *iph = ipv6_hdr(skb);
@@ -207,9 +207,13 @@ length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
bool hit = true;
if (info->flags & XT_LENGTH_LAYER3) {
len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
if (iph->payload_len == 0)
/* Jumbogram */
len = skb->len;
else
len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
} else {
l4proto = llayer4_proto(skb, &thoff, par->hotdrop);
l4proto = llayer4_proto(skb, &thoff, &par->hotdrop);
if (l4proto == NEXTHDR_MAX)
return false;
if (info->flags & XT_LENGTH_LAYER4)

8
extensions/xt_lscan.c
View File

@@ -171,7 +171,7 @@ static inline unsigned int lscan_mt_full(int mark,
}
static bool
lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_lscan_mtinfo *info = par->matchinfo;
enum ip_conntrack_info ctstate;
@@ -216,16 +216,16 @@ lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
(info->match_gr && ctdata->mark == mark_grscan);
}
static bool lscan_mt_check(const struct xt_mtchk_param *par)
static int lscan_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_lscan_mtinfo *info = par->matchinfo;
if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
(info->match_cn & ~1) || (info->match_gr & ~1)) {
printk(KERN_WARNING PFX "Invalid flags\n");
return false;
return -EINVAL;
}
return true;
return 0;
}
static struct xt_match lscan_mt_reg[] __read_mostly = {

4
extensions/xt_psd.c
View File

@@ -100,7 +100,7 @@ static inline int hashfunc(struct in_addr addr)
}
static bool
xt_psd_match(const struct sk_buff *pskb, const struct xt_match_param *match)
xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
{
const struct iphdr *iph;
const struct tcphdr *tcph;
@@ -312,7 +312,7 @@ out_match:
static struct xt_match xt_psd_reg __read_mostly = {
.name = "psd",
.family = AF_INET,
.family = NFPROTO_IPV4,
.revision = 1,
.match = xt_psd_match,
.matchsize = sizeof(struct xt_psd_info),

18
extensions/xt_quota2.c
View File

@@ -144,28 +144,26 @@ q2_get_counter(const struct xt_quota_mtinfo2 *q)
return NULL;
}
static bool quota_mt2_check(const struct xt_mtchk_param *par)
static int quota_mt2_check(const struct xt_mtchk_param *par)
{
struct xt_quota_mtinfo2 *q = par->matchinfo;
if (q->flags & ~XT_QUOTA_MASK)
return false;
return -EINVAL;
q->name[sizeof(q->name)-1] = '\0';
if (*q->name == '.' || strchr(q->name, '/') != NULL) {
printk(KERN_ERR "xt_quota<%u>: illegal name\n",
par->match->revision);
return false;
printk(KERN_ERR "xt_quota.3: illegal name\n");
return -EINVAL;
}
q->master = q2_get_counter(q);
if (q->master == NULL) {
printk(KERN_ERR "xt_quota<%u>: memory alloc failure\n",
par->match->revision);
return false;
printk(KERN_ERR "xt_quota.3: memory alloc failure\n");
return -ENOMEM;
}
return true;
return 0;
}
static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
@@ -191,7 +189,7 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
}
static bool
quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
quota_mt2(const struct sk_buff *skb, struct xt_action_param *par)
{
struct xt_quota_mtinfo2 *q = (void *)par->matchinfo;
struct xt_quota_counter *e = q->master;

6
geoip/.gitignore vendored Normal file
View File

@@ -0,0 +1,6 @@
/BE
/LE
/GeoIPCountryCSV.zip
/GeoIPCountryWhois.csv
/GeoIPv6.csv
/GeoIPv6.csv.gz

3
geoip/Makefile.am Normal file
View File

@@ -0,0 +1,3 @@
# -*- Makefile -*-
pkglibexec_SCRIPTS = geoip_build_db.pl geoip_download.sh

54
geoip/geoip_build_db.pl Executable file
View File

@@ -0,0 +1,54 @@
#!/usr/bin/perl
#
# Converter for MaxMind CSV database to binary, for xt_geoip
# Copyright © Jan Engelhardt <jengelh@medozas.de>, 2008
#
# Use -b argument to create big-endian tables.
#
use Getopt::Long;
use IO::Handle;
use Text::CSV_XS; # or trade for Text::CSV
use strict;
my %country;
my %names;
my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
my $mode = "VV";
my $target_dir = ".";
&Getopt::Long::Configure(qw(bundling));
&GetOptions(
"D=s" => \$target_dir,
"b" => sub { $mode = "NN"; },
);
if (!-d $target_dir) {
print STDERR "Target directory $target_dir does not exist.\n";
exit 1;
}
while (my $row = $csv->getline(*ARGV)) {
if (!defined($country{$row->[4]})) {
$country{$row->[4]} = [];
$names{$row->[4]} = $row->[5];
}
my $c = $country{$row->[4]};
push(@$c, [$row->[2], $row->[3]]);
if ($. % 4096 == 0) {
print STDERR "\r\e[2K$. entries";
}
}
print STDERR "\r\e[2K$. entries total\n";
foreach my $iso_code (sort keys %country) {
printf "%5u ranges for %s %s\n",
scalar(@{$country{$iso_code}}),
$iso_code, $names{$iso_code};
open(my $fh, "> $target_dir/".uc($iso_code).".iv0");
foreach my $range (@{$country{$iso_code}}) {
print $fh pack($mode, $range->[0], $range->[1]);
}
close $fh;
}

8
geoip/geoip_download.sh Executable file
View File

@@ -0,0 +1,8 @@
#!/bin/sh
rm -f GeoIPv6.csv{,.gz} GeoIPCountryCSV.zip GeoIPCountryWhois.csv;
wget \
http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \
http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip;
gzip -d GeoIPv6.csv.gz;
unzip GeoIPCountryCSV.zip;

11
include/linux/netfilter.h
View File

@@ -3,6 +3,7 @@
#include <linux/types.h>
/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
@@ -37,6 +38,16 @@ enum nf_inet_hooks {
NF_INET_NUMHOOKS
};
enum {
NFPROTO_UNSPEC = 0,
NFPROTO_IPV4 = 2,
NFPROTO_ARP = 3,
NFPROTO_BRIDGE = 7,
NFPROTO_IPV6 = 10,
NFPROTO_DECNET = 12,
NFPROTO_NUMPROTO,
};
union nf_inet_addr {
__u32 all[4];
__be32 ip;

Some files were not shown because too many files have changed in this diff Show More