Xtables-addons 1.28

This option allows to specify a particular output directory. This help
Makefiles in that they do not need to use cd.

INSTALL

@@ -4,7 +4,7 @@ Installation instructions for Xtables-addons
 Xtables-addons uses the well-known configure(autotools) infrastructure
 in combination with the kernel's Kbuild system.
 
-	$ ./configure
+	$ ./configure --with-xtlibdir=SEE_BELOW
 	$ make
 	# make install
 
@@ -55,7 +55,10 @@ Configuring and compiling
 
 	Specifies the path to where the newly built extensions should
 	be installed when `make install` is run. It uses the same
-	default as the Xtables/iptables package, ${libexecdir}/xtables.
+	default as the Xtables/iptables package, ${libexecdir}/xtables,
+	but you may need to specify this nevertheless, as autotools
+	defaults to using /usr/local as prefix, and distributions put
+	the files in differing locations.
 
 If you want to enable debugging, use
 

Makefile.am

@@ -1,7 +1,7 @@
 # -*- Makefile -*-
 
 ACLOCAL_AMFLAGS  = -I m4
-SUBDIRS          = extensions
+SUBDIRS          = extensions geoip
 
 man_MANS := xtables-addons.8
 
@@ -16,10 +16,15 @@ install-exec-hook:
 
 config.status: Makefile.iptrules.in
 
+tmpdir := $(shell mktemp -dtu)
+packer  = xz
+packext = .tar.xz
+
 .PHONY: tarball
 tarball:
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
-	pushd ${top_srcdir} && git archive --prefix=xtables-addons-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
-	pushd /tmp/xtables-addons-${PACKAGE_VERSION} && ./autogen.sh && popd;
-	tar -C /tmp -cjf xtables-addons-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root xtables-addons-${PACKAGE_VERSION}/;
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
+# do not use mkdir_p here.
+	mkdir ${tmpdir}
+	pushd ${top_srcdir} && git archive --prefix=${PACKAGE_NAME}-${PACKAGE_VERSION}/ HEAD | tar -C ${tmpdir} -x && popd;
+	pushd ${tmpdir}/${PACKAGE_NAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
+	tar --use=${packer} -C ${tmpdir} -cf ${PACKAGE_NAME}-${PACKAGE_VERSION}${packext} --owner=root --group=root ${PACKAGE_NAME}-${PACKAGE_VERSION}/;
+	rm -Rf ${tmpdir};

Makefile.iptrules.in

@@ -8,6 +8,7 @@ xtlibdir        = @xtlibdir@
 
 CC              = @CC@
 CCLD            = ${CC}
+CFLAGS          = @CFLAGS@
 
 regular_CFLAGS  = @regular_CFLAGS@
 libxtables_CFLAGS = @libxtables_CFLAGS@

Makefile.mans.in

@@ -3,8 +3,8 @@
 
 srcdir := @srcdir@
 
-wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
-wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
+wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man' | sort)
+wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man' | sort)
 wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
 wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
 

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.23])
+AC_INIT([xtables-addons], [1.28])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -34,7 +34,8 @@ AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
+	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
+	-I\${XA_TOPSRCDIR}/include";
 
 #
 # check kernel version
@@ -61,7 +62,7 @@ else
 	fi;
 fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 34; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 35; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
@@ -73,7 +74,7 @@ fi;
 AC_SUBST([regular_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([xtlibdir])
-AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
+AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans geoip/Makefile
 	extensions/Makefile extensions/ACCOUNT/Makefile
 	extensions/ipset/Makefile extensions/pknock/Makefile])
 AC_OUTPUT

doc/changelog.txt

@@ -3,6 +3,47 @@ HEAD
 ====
 
 
+Xtables-addons 1.28 (July 24 2010)
+==================================
+- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
+- new target xt_CHECKSUM
+- xt_length2: add support for IPv6 jumbograms
+- xt_geoip: fix possible out-of-bounds access
+- import xt_geoip database scripts
+
+
+Xtables-addons 1.27 (May 16 2010)
+=================================
+- further updates for the upcoming 2.6.35 changes
+
+
+Xtables-addons 1.26 (April 30 2010)
+===================================
+- compat_xtables: fix 2.6.34 compile error due to a typo
+
+
+Xtables-addons 1.25 (April 26 2010)
+===================================
+- TEE: do rechecksumming in PREROUTING too
+- TEE: decrease TTL on cloned packet
+- TEE: set dont-fragment on cloned packets
+- TEE: free skb when route lookup failed
+- TEE: do not limit use to mangle table
+- TEE: do not retain iif and mark on cloned packet
+- TEE: new loop detection logic
+- TEE: use less expensive pskb_copy
+- condition: remove unnecessary RCU protection
+
+
+Xtables-addons 1.24 (March 17 2010)
+===================================
+- build: fix build of userspace modules against old (pre-2.6.25)
+  headers from linux-glibc-devel (/usr/include/linux)
+- ipp2p: updated bittorent command recognition
+- SYSRQ: let module load when crypto is unavailable
+- SYSRQ: allow processing of UDP-Lite
+
+
 Xtables-addons 1.23 (February 24 2010)
 ======================================
 - build: support for Linux 2.6.34

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -142,7 +142,7 @@ account_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target account_tg_reg = {
 	.name          = "ACCOUNT",
 	.revision      = 1,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
 	.userspacesize = offsetof(struct ipt_acc_info, table_nr),

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -264,7 +264,7 @@ static int ipt_acc_table_insert(const char *name, __be32 ip, __be32 netmask)
 	return -1;
 }
 
-static bool ipt_acc_checkentry(const struct xt_tgchk_param *par)
+static int ipt_acc_checkentry(const struct xt_tgchk_param *par)
 {
 	struct ipt_acc_info *info = par->targinfo;
 	int table_nr;
@@ -276,13 +276,13 @@ static bool ipt_acc_checkentry(const struct xt_tgchk_param *par)
 
 	if (table_nr == -1) {
 		printk("ACCOUNT: Table insert problem. Aborting\n");
-		return false;
+		return -EINVAL;
 	}
 	/* Table nr caching so we don't have to do an extra string compare
 	   for every packet */
 	info->table_nr = table_nr;
 
-	return true;
+	return 0;
 }
 
 static void ipt_acc_destroy(const struct xt_tgdtor_param *par)
@@ -478,7 +478,7 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
 	}
 }
 
-static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target_param *par)
+static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct ipt_acc_info *info =
 		par->targinfo;
@@ -1082,7 +1082,7 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 static struct xt_target xt_acc_reg __read_mostly = {
 	.name = "ACCOUNT",
 	.revision = 1,
-	.family = AF_INET,
+	.family     = NFPROTO_IPV4,
 	.target = ipt_acc_target,
 	.targetsize = sizeof(struct ipt_acc_info),
 	.checkentry = ipt_acc_checkentry,

extensions/Kbuild

@@ -7,6 +7,7 @@ obj-m                    += compat_xtables.o
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
+obj-${build_CHECKSUM}    += xt_CHECKSUM.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o

extensions/Makefile.am

@@ -7,6 +7,8 @@
 _kcall = -C ${kbuilddir} M=${abs_srcdir}
 
 modules:
+	@echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux "
+	@if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} --no-print-directory -s kernelrelease; fi;
 	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi;
 
 modules_install:

extensions/Mbuild

@@ -2,6 +2,7 @@
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
+obj-${build_CHECKSUM}    += libxt_CHECKSUM.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_ECHO}        += libxt_ECHO.so

extensions/compat_xtables.c

@@ -1,6 +1,6 @@
 /*
  *	API compat layer
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License, either
@@ -34,25 +34,49 @@ static bool xtnu_match_run(const struct sk_buff *skb,
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);
-	bool lo_drop = false, lo_ret;
-	struct xt_match_param local_par = {
-		.in        = in,
-		.out       = out,
-		.match     = cm,
-		.matchinfo = matchinfo,
-		.fragoff   = offset,
-		.thoff     = protoff,
-		.hotdrop   = &lo_drop,
-		.family    = NFPROTO_UNSPEC, /* don't have that info */
-	};
+	bool lo_ret;
+	struct xt_action_param local_par;
+	local_par.in        = in;
+	local_par.out       = out;
+	local_par.match     = cm;
+	local_par.matchinfo = matchinfo;
+	local_par.fragoff   = offset;
+	local_par.thoff     = protoff;
+	local_par.hotdrop   = false;
+	local_par.family    = NFPROTO_UNSPEC; /* don't have that info */
 
 	if (nm == NULL || nm->match == NULL)
 		return false;
 	lo_ret = nm->match(skb, &local_par);
-	*hotdrop = lo_drop;
+	*hotdrop = local_par.hotdrop;
 	return lo_ret;
 }
 #endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_match_run(const struct sk_buff *skb,
+    const struct xt_match_param *par)
+{
+	struct xtnu_match *nm = xtcompat_numatch(par->match);
+	struct xt_action_param local_par;
+	bool ret;
+
+	local_par.in        = par->in;
+	local_par.out       = par->out;
+	local_par.match     = par->match;
+	local_par.matchinfo = par->matchinfo;
+	local_par.fragoff   = par->fragoff;
+	local_par.thoff     = par->thoff;
+	local_par.hotdrop   = false;
+	local_par.family    = par->family;
+
+	if (nm == NULL || nm->match == NULL)
+		return false;
+	ret = nm->match(skb, &local_par);
+	*par->hotdrop = local_par.hotdrop;
+	return ret;
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_match_check(const char *table, const void *entry,
@@ -84,6 +108,19 @@ static bool xtnu_match_check(const char *table, const void *entry,
 	return nm->checkentry(&local_par);
 }
 #endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_match_check(const struct xt_mtchk_param *par)
+{
+	struct xtnu_match *nm = xtcompat_numatch(par->match);
+
+	if (nm == NULL)
+		return false;
+	if (nm->checkentry == NULL)
+		return true;
+	return nm->checkentry(par) == 0 ? true : false;
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo,
@@ -105,7 +142,7 @@ static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
 }
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 int xtnu_register_match(struct xtnu_match *nt)
 {
 	struct xt_match *ct;
@@ -127,9 +164,19 @@ int xtnu_register_match(struct xtnu_match *nt)
 	ct->table      = (char *)nt->table;
 	ct->hooks      = nt->hooks;
 	ct->proto      = nt->proto;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ct->match      = xtnu_match_run;
 	ct->checkentry = xtnu_match_check;
 	ct->destroy    = xtnu_match_destroy;
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	ct->match      = xtnu_match_run;
+	ct->checkentry = xtnu_match_check;
+	ct->destroy    = nt->destroy;
+#else
+	ct->match      = nt->match;
+	ct->checkentry = xtnu_match_check;
+	ct->destroy    = nt->destroy;
+#endif
 	ct->matchsize  = nt->matchsize;
 	ct->me         = nt->me;
 
@@ -188,35 +235,55 @@ static unsigned int xtnu_target_run(struct sk_buff **pskb,
 static unsigned int xtnu_target_run(struct sk_buff *skb,
     const struct net_device *in, const struct net_device *out,
     unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-#else
-static unsigned int
-xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
 #endif
-{
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+{
 	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_target_param local_par = {
-		.in       = in,
-		.out      = out,
-		.hooknum  = hooknum,
-		.target   = ct,
-		.targinfo = targinfo,
-		.family   = NFPROTO_UNSPEC,
-	};
-#else
-	struct xtnu_target *nt = xtcompat_nutarget(par->target);
-#endif
+	struct xt_action_param local_par;
+
+	local_par.in       = in;
+	local_par.out      = out;
+	local_par.hooknum  = hooknum;
+	local_par.target   = ct;
+	local_par.targinfo = targinfo;
+	local_par.family   = NFPROTO_UNSPEC;
 
 	if (nt != NULL && nt->target != NULL)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 		return nt->target(pskb, &local_par);
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 		return nt->target(&skb, &local_par);
-#else
-		return nt->target(&skb, par);
 #endif
 	return XT_CONTINUE;
 }
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+	struct xt_action_param local_par;
+
+	local_par.in       = par->in;
+	local_par.out      = par->out;
+	local_par.hooknum  = par->hooknum;
+	local_par.target   = par->target;
+	local_par.targinfo = par->targinfo;
+	local_par.family   = par->family;
+
+	return nt->target(&skb, &local_par);
+}
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+
+	return nt->target(&skb, par);
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_target_check(const char *table, const void *entry,
@@ -250,6 +317,20 @@ static bool xtnu_target_check(const char *table, const void *entry,
 }
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_target_check(const struct xt_tgchk_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+
+	if (nt == NULL)
+		return false;
+	if (nt->checkentry == NULL)
+		return true;
+	return nt->checkentry(par) == 0 ? true : false;
+}
+#endif
+
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo,
     unsigned int targinfosize)
@@ -295,6 +376,9 @@ int xtnu_register_target(struct xtnu_target *nt)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ct->checkentry = xtnu_target_check;
 	ct->destroy    = xtnu_target_destroy;
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	ct->checkentry = xtnu_target_check;
+	ct->destroy    = nt->destroy;
 #else
 	ct->checkentry = nt->checkentry;
 	ct->destroy    = nt->destroy;
@@ -509,4 +593,18 @@ int xtnu_skb_linearize(struct sk_buff *skb)
 EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
 #endif
 
+void *HX_memmem(const void *space, size_t spacesize,
+    const void *point, size_t pointsize)
+{
+	size_t i;
+
+	if (pointsize > spacesize)
+		return NULL;
+	for (i = 0; i <= spacesize - pointsize; ++i)
+		if (memcmp(space + i, point, pointsize) == 0)
+			return (void *)space + i;
+	return NULL;
+}
+EXPORT_SYMBOL_GPL(HX_memmem);
+
 MODULE_LICENSE("GPL");

extensions/compat_xtables.h

@@ -60,7 +60,7 @@
 #	define init_net__proc_net     init_net.proc_net
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 #	define xt_match              xtnu_match
 #	define xt_register_match     xtnu_register_match
 #	define xt_unregister_match   xtnu_unregister_match

extensions/compat_xtnu.h

@@ -32,16 +32,6 @@ enum {
 	NFPROTO_NUMPROTO,
 };
 
-struct xt_match_param {
-	const struct net_device *in, *out;
-	const struct xt_match *match;
-	const void *matchinfo;
-	int fragoff;
-	unsigned int thoff;
-	bool *hotdrop;
-	u_int8_t family;
-};
-
 struct xt_mtchk_param {
 	const char *table;
 	const void *entryinfo;
@@ -81,33 +71,52 @@ struct xt_tgdtor_param {
 };
 #endif
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+struct xt_action_param {
+	union {
+		const struct xt_match *match;
+		const struct xt_target *target;
+	};
+	union {
+		const void *matchinfo, *targinfo;
+	};
+	const struct net_device *in, *out;
+	int fragoff;
+	unsigned int thoff, hooknum;
+	u_int8_t family;
+	bool hotdrop;
+};
+#endif
+
 struct xtnu_match {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
-	bool (*match)(const struct sk_buff *, const struct xt_match_param *);
-	bool (*checkentry)(const struct xt_mtchk_param *);
+	/*
+	 * Making it smaller by sizeof(void *) on purpose to catch
+	 * lossy translation, if any.
+	 */
+	char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
+	bool (*match)(const struct sk_buff *, struct xt_action_param *);
+	int (*checkentry)(const struct xt_mtchk_param *);
 	void (*destroy)(const struct xt_mtdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int matchsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_match;
 };
 
 struct xtnu_target {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
+	char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
 	unsigned int (*target)(struct sk_buff **,
-		const struct xt_target_param *);
-	bool (*checkentry)(const struct xt_tgchk_param *);
+		const struct xt_action_param *);
+	int (*checkentry)(const struct xt_tgchk_param *);
 	void (*destroy)(const struct xt_tgdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int targetsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_target;
 };
@@ -154,4 +163,6 @@ extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
 	__be32, __be32, bool);
 extern int xtnu_skb_linearize(struct sk_buff *);
 
+extern void *HX_memmem(const void *, size_t, const void *, size_t);
+
 #endif /* _COMPAT_XTNU_H */

extensions/ipset/ipt_SET.c

@@ -29,7 +29,7 @@
 #include "../compat_xtables.h"
 
 static unsigned int
-target(struct sk_buff **pskb, const struct xt_target_param *par)
+target(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct ipt_set_info_target *info = par->targinfo;
 
@@ -45,7 +45,7 @@ target(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static bool
+static int
 checkentry(const struct xt_tgchk_param *par)
 {
 	struct ipt_set_info_target *info = par->targinfo;
@@ -54,7 +54,7 @@ checkentry(const struct xt_tgchk_param *par)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (targinfosize != IPT_ALIGN(sizeof(*info))) {
 		DP("bad target info size %u", targinfosize);
-		return 0;
+		return -EINVAL;
 	}
 #endif
 
@@ -63,7 +63,7 @@ checkentry(const struct xt_tgchk_param *par)
 		if (index == IP_SET_INVALID_ID) {
 			ip_set_printk("cannot find add_set index %u as target",
 				      info->add_set.index);
-			return 0;	/* error */
+			return -EINVAL;
 		}
 	}
 
@@ -72,16 +72,16 @@ checkentry(const struct xt_tgchk_param *par)
 		if (index == IP_SET_INVALID_ID) {
 			ip_set_printk("cannot find del_set index %u as target",
 				      info->del_set.index);
-			return 0;	/* error */
+			return -EINVAL;
 		}
 	}
 	if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
 	    || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
 		ip_set_printk("That's nasty!");
-		return 0;	/* error */
+		return -EINVAL;
 	}
 
-	return 1;
+	return 0;
 }
 
 static void destroy(const struct xt_tgdtor_param *par)

extensions/ipset/ipt_set.c

@@ -38,7 +38,7 @@ match_set(const struct ipt_set_info *info,
 }
 
 static bool
-match(const struct sk_buff *skb, const struct xt_match_param *par)
+match(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_set_info_match *info = par->matchinfo;
 		
@@ -47,7 +47,7 @@ match(const struct sk_buff *skb, const struct xt_match_param *par)
 			 info->match_set.flags[0] & IPSET_MATCH_INV);
 }
 
-static bool
+static int
 checkentry(const struct xt_mtchk_param *par)
 {
 	struct ipt_set_info_match *info = par->matchinfo;
@@ -56,7 +56,7 @@ checkentry(const struct xt_mtchk_param *par)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
 		ip_set_printk("invalid matchsize %d", matchsize);
-		return 0;
+		return -EINVAL;
 	}
 #endif
 
@@ -65,14 +65,14 @@ checkentry(const struct xt_mtchk_param *par)
 	if (index == IP_SET_INVALID_ID) {
 		ip_set_printk("Cannot find set indentified by id %u to match",
 			      info->match_set.index);
-		return 0;	/* error */
+		return -ENOENT;
 	}
 	if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
 		ip_set_printk("That's nasty!");
-		return 0;	/* error */
+		return -EINVAL;
 	}
 
-	return 1;
+	return 0;
 }
 
 static void destroy(const struct xt_mtdtor_param *par)

extensions/libxt_CHAOS.c

@@ -95,7 +95,7 @@ static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target chaos_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "CHAOS",
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.help          = chaos_tg_help,

extensions/libxt_CHECKSUM.c

@@ -0,0 +1,93 @@
+/*
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 by Red Hat, Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include "xt_CHECKSUM.h"
+
+static void CHECKSUM_help(void)
+{
+	printf(
+"CHECKSUM target options\n"
+"  --checksum-fill        Fill in packet checksum.\n");
+}
+
+static const struct option CHECKSUM_opts[] = {
+	{ "checksum-fill", 0, NULL, 'F' },
+	{ .name = NULL }
+};
+
+static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
+                     const void *entry, struct xt_entry_target **target)
+{
+	struct xt_CHECKSUM_info *einfo
+		= (struct xt_CHECKSUM_info *)(*target)->data;
+
+	switch (c) {
+	case 'F':
+		xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
+			*flags & XT_CHECKSUM_OP_FILL);
+		einfo->operation = XT_CHECKSUM_OP_FILL;
+		*flags |= XT_CHECKSUM_OP_FILL;
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void CHECKSUM_check(unsigned int flags)
+{
+	if (!flags)
+		xtables_error(PARAMETER_PROBLEM,
+		           "CHECKSUM target: Parameter --checksum-fill is required");
+}
+
+static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
+                      int numeric)
+{
+	const struct xt_CHECKSUM_info *einfo =
+		(const struct xt_CHECKSUM_info *)target->data;
+
+	printf("CHECKSUM ");
+
+	if (einfo->operation & XT_CHECKSUM_OP_FILL)
+		printf("fill ");
+}
+
+static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_CHECKSUM_info *einfo =
+		(const struct xt_CHECKSUM_info *)target->data;
+
+	if (einfo->operation & XT_CHECKSUM_OP_FILL)
+		printf("--checksum-fill ");
+}
+
+static struct xtables_target checksum_tg_reg = {
+	.name          = "CHECKSUM",
+	.version       = XTABLES_VERSION,
+	.family        = NFPROTO_UNSPEC,
+	.size          = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+	.help          = CHECKSUM_help,
+	.parse         = CHECKSUM_parse,
+	.final_check   = CHECKSUM_check,
+	.print         = CHECKSUM_print,
+	.save          = CHECKSUM_save,
+	.extra_opts    = CHECKSUM_opts,
+};
+
+static __attribute__((constructor)) void _init(void)
+{
+	xtables_register_target(&checksum_tg_reg);
+}

extensions/libxt_CHECKSUM.man

@@ -0,0 +1,8 @@
+This target allows to selectively work around broken/old applications.
+It can only be used in the mangle table.
+.TP
+\fB\-\-checksum\-fill\fP
+Compute and fill in the checksum in a packet that lacks a checksum.
+This is particularly useful, if you need to work around old applications
+such as dhcp clients, that do not work well with checksum offloads,
+but don't want to disable checksum offload in your device.

extensions/libxt_DELUDE.c

@@ -33,9 +33,7 @@ static struct xtables_target delude_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DELUDE",
 	.revision      = 0,
-	.family        = AF_INET,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_IPV4,
 	.help          = delude_tg_help,
 	.parse         = delude_tg_parse,
 	.final_check   = delude_tg_check,

extensions/libxt_DHCPMAC.c

@@ -84,7 +84,7 @@ static struct xtables_target dhcpmac_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DHCPMAC",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.help          = dhcpmac_tg_help,

extensions/libxt_ECHO.c

@@ -29,9 +29,7 @@ static void echo_tg_check(unsigned int flags)
 static struct xtables_target echo_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ECHO",
-	.family        = AF_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_UNSPEC,
 	.help          = echo_tg_help,
 	.parse         = echo_tg_parse,
 	.final_check   = echo_tg_check,

extensions/libxt_IPMARK.c

@@ -151,7 +151,7 @@ ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
 static struct xtables_target ipmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "IPMARK",
-	.family        = PF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.revision      = 1,
 	.size          = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),

extensions/libxt_LOGMARK.c

@@ -100,7 +100,7 @@ static struct xtables_target logmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "LOGMARK",
 	.revision      = 0,
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.help          = logmark_tg_help,

extensions/libxt_RAWDNAT.c

@@ -79,7 +79,7 @@ rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
 		end = strchr(optarg, '/');
 		if (end != NULL) {
 			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
 				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
 					"--to-destination", optarg);
 			info->mask = mask;
@@ -154,7 +154,7 @@ static struct xtables_target rawdnat_tg4_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWDNAT",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawdnat_tg_help,
@@ -169,7 +169,7 @@ static struct xtables_target rawdnat_tg6_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWDNAT",
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawdnat_tg_help,

extensions/libxt_RAWSNAT.c

@@ -79,7 +79,7 @@ rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
 		end = strchr(optarg, '/');
 		if (end != NULL) {
 			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
 				xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
 					"--to-source", optarg);
 			info->mask = mask;
@@ -154,7 +154,7 @@ static struct xtables_target rawsnat_tg4_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWSNAT",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawsnat_tg_help,
@@ -169,7 +169,7 @@ static struct xtables_target rawsnat_tg6_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWSNAT",
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawsnat_tg_help,

extensions/libxt_STEAL.c

@@ -19,9 +19,7 @@ static void steal_tg_check(unsigned int flags)
 static struct xtables_target steal_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "STEAL",
-	.family        = AF_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_UNSPEC,
 	.help          = steal_tg_help,
 	.parse         = steal_tg_parse,
 	.final_check   = steal_tg_check,

extensions/libxt_SYSRQ.c

@@ -25,9 +25,7 @@ static struct xtables_target sysrq_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "SYSRQ",
 	.revision      = 1,
-	.family        = PF_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_UNSPEC,
 	.help          = sysrq_tg_help,
 	.parse         = sysrq_tg_parse,
 	.final_check   = sysrq_tg_check,

extensions/libxt_TARPIT.c

@@ -24,9 +24,7 @@ static void tarpit_tg_check(unsigned int flags)
 static struct xtables_target tarpit_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "TARPIT",
-	.family        = AF_INET,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_IPV4,
 	.help          = tarpit_tg_help,
 	.parse         = tarpit_tg_parse,
 	.final_check   = tarpit_tg_check,

extensions/libxt_TEE.c

@@ -138,7 +138,7 @@ static struct xtables_target tee_tg_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,
@@ -153,7 +153,7 @@ static struct xtables_target tee_tg6_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,

extensions/libxt_condition.c

@@ -80,7 +80,7 @@ static void condition_save(const void *ip, const struct xt_entry_match *match)
 static struct xtables_match condition_mt_reg = {
 	.name 		= "condition",
 	.revision	= 1,
-	.family		= PF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.version 	= XTABLES_VERSION,
 	.size 		= XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
 	.userspacesize 	= XT_ALIGN(sizeof(struct xt_condition_mtinfo)),

extensions/libxt_dhcpmac.c

@@ -85,7 +85,7 @@ static struct xtables_match dhcpmac_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "dhcpmac",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.help          = dhcpmac_mt_help,

extensions/libxt_fuzzy.c

@@ -103,6 +103,7 @@ static struct xtables_match fuzzy_mt_reg = {
 	.name          = "fuzzy",
 	.revision      = 1,
 	.version       = XTABLES_VERSION,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
 	.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
 	.help          = fuzzy_mt_help,

extensions/libxt_geoip.c

@@ -259,7 +259,7 @@ geoip_save(const void *ip, const struct xt_entry_match *match)
 }
 
 static struct xtables_match geoip_match = {
-	 .family        = AF_INET,
+	 .family        = NFPROTO_IPV4,
 	 .name          = "geoip",
 	 .revision      = 1,
 	 .version       = XTABLES_VERSION,

extensions/libxt_geoip.man

@@ -10,8 +10,8 @@ NOTE:
 The country is inputed by its ISO-3166 code.
 .PP
 The extra files you will need is the binary database files. They are generated
-from a country-subnet database with the geoip_csv_iv0.pl tool, available at
-http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to
-/usr/share/xt_geoip/
+from a country-subnet database with the geoip_csv_iv0.pl tool that should be
+available in /usr/lib(exec)/xtables-addons/ . The resulting files MUST be moved
+to /usr/share/xt_geoip/
 as the shared library is statically looking for this pathname (e.g.
 /usr/share/xt_geoip/LE/de.iv0).

extensions/libxt_iface.c

@@ -200,7 +200,7 @@ static struct xtables_match iface_mt_reg = {
 	.version	= XTABLES_VERSION,
 	.name		= "iface",
 	.revision	= 0,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.size		= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.help		= iface_mt_help,

extensions/libxt_ipp2p.c

@@ -229,7 +229,7 @@ static struct xtables_match ipp2p_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipp2p",
 	.revision      = 1,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.help          = ipp2p_mt_help,

extensions/libxt_ipv4options.c

@@ -161,7 +161,7 @@ static struct xtables_match ipv4options_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipv4options",
 	.revision      = 1,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
 	.help          = ipv4options_mt_help,

extensions/libxt_length2.c

@@ -155,7 +155,7 @@ static struct xtables_match length2_mt_reg = {
 	.version        = XTABLES_VERSION,
 	.name           = "length2",
 	.revision       = 2,
-	.family         = PF_UNSPEC,
+	.family         = NFPROTO_UNSPEC,
 	.size           = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
 	.userspacesize  = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
 	.init           = length_mt_init,

extensions/libxt_lscan.c

@@ -105,7 +105,7 @@ static struct xtables_match lscan_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "lscan",
 	.revision      = 0,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
 	.help          = lscan_mt_help,

extensions/libxt_psd.c

@@ -139,7 +139,7 @@ static struct xtables_match psd_mt_reg = {
 	.name			= "psd",
 	.version		= XTABLES_VERSION,
 	.revision   	= 1,
-	.family			= PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size			= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.help			= psd_mt_help,

extensions/libxt_quota2.c

@@ -133,7 +133,7 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
 }
 
 static struct xtables_match quota_mt2_reg = {
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.revision      = 3,
 	.name          = "quota2",
 	.version       = XTABLES_VERSION,

extensions/pknock/libxt_pknock.c

@@ -326,7 +326,7 @@ static struct xtables_match pknock_mt_reg = {
 	.name		= "pknock",
 	.version	= XTABLES_VERSION,
 	.revision      = 1,
-	.family		= AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
 	.help          = pknock_mt_help,

extensions/pknock/xt_pknock.c

@@ -958,7 +958,7 @@ is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
 }
 
 static bool pknock_mt(const struct sk_buff *skb,
-    const struct xt_match_param *par)
+    struct xt_action_param *par)
 {
 	const struct xt_pknock_mtinfo *info = par->matchinfo;
 	struct xt_pknock_rule *rule;
@@ -975,7 +975,7 @@ static bool pknock_mt(const struct sk_buff *skb,
 		/* We've been asked to examine this packet, and we
 		 * can't. Hence, no choice but to drop.
 		 */
-		*par->hotdrop = true;
+		par->hotdrop = true;
 		return false;
 	}
 
@@ -1064,9 +1064,9 @@ out:
 	return ret;
 }
 
-#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return false; } while (false)
+#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return -EINVAL; } while (false)
 
-static bool pknock_mt_check(const struct xt_mtchk_param *par)
+static int pknock_mt_check(const struct xt_mtchk_param *par)
 {
 	struct xt_pknock_mtinfo *info = par->matchinfo;
 
@@ -1124,9 +1124,10 @@ static bool pknock_mt_check(const struct xt_mtchk_param *par)
 	}
 
 	if (!add_rule(info))
+		/* should ENOMEM here */
 		RETURN_ERR("add_rule() error in checkentry() function.\n");
 
-	return true;
+	return 0;
 }
 
 static void pknock_mt_destroy(const struct xt_mtdtor_param *par)

extensions/xt_CHAOS.c

@@ -45,7 +45,7 @@ static const struct xt_tcp tcp_params = {
 
 /* CHAOS functions */
 static void
-xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
+xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_chaos_tginfo *info = par->targinfo;
 	const struct iphdr *iph = ip_hdr(skb);
@@ -62,7 +62,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ret = xm_tcp->match(skb, par->in, par->out, xm_tcp, &tcp_params,
 	                    fragoff, thoff, &hotdrop);
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 	{
 		struct xt_match_param local_par = {
 			.in        = par->in,
@@ -75,6 +75,19 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
 		};
 		ret = xm_tcp->match(skb, &local_par);
 	}
+#else
+	{
+		struct xt_action_param local_par;
+		local_par.in        = par->in,
+		local_par.out       = par->out,
+		local_par.match     = xm_tcp;
+		local_par.matchinfo = &tcp_params;
+		local_par.fragoff   = fragoff;
+		local_par.thoff     = thoff;
+		local_par.hotdrop   = false;
+		ret = xm_tcp->match(skb, &local_par);
+		hotdrop = local_par.hotdrop;
+	}
 #endif
 	if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
 		return;
@@ -86,17 +99,34 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
 	destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL);
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	destiny->target(skb, par->in, par->out, par->hooknum, destiny, NULL);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	{
+		struct xt_target_param local_par = {
+			.in       = par->in,
+			.out      = par->out,
+			.hooknum  = par->hooknum,
+			.target   = destiny,
+			.targinfo = par->targinfo,
+			.family   = par->family,
+		};
+		destiny->target(skb, &local_par);
+	}
 #else
 	{
-		struct xt_target_param local_par = *par;
-		local_par.target = destiny;
+		struct xt_action_param local_par;
+		local_par.in       = par->in;
+		local_par.out      = par->out;
+		local_par.hooknum  = par->hooknum;
+		local_par.target   = destiny;
+		local_par.targinfo = par->targinfo;
+		local_par.family   = par->family;
 		destiny->target(skb, &local_par);
 	}
 #endif
 }
 
 static unsigned int
-chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	/*
 	 * Equivalent to:
@@ -120,7 +150,7 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 		return xt_reject->target(skb, par->in, par->out, par->hooknum,
 		       xt_reject, &reject_params);
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 		struct xt_target_param local_par = {
 			.in       = par->in,
 			.out      = par->out,
@@ -129,6 +159,14 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 			.targinfo = &reject_params,
 		};
 		return xt_reject->target(skb, &local_par);
+#else
+		struct xt_action_param local_par;
+		local_par.in       = par->in;
+		local_par.out      = par->out;
+		local_par.hooknum  = par->hooknum;
+		local_par.target   = xt_reject;
+		local_par.targinfo = &reject_params;
+		return xt_reject->target(skb, &local_par);
 #endif
 	}
 
@@ -141,22 +179,22 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	return NF_DROP;
 }
 
-static bool chaos_tg_check(const struct xt_tgchk_param *par)
+static int chaos_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_chaos_tginfo *info = par->targinfo;
 
 	if (info->variant == XTCHAOS_DELUDE && !have_delude) {
 		printk(KERN_WARNING PFX "Error: Cannot use --delude when "
 		       "DELUDE module not available\n");
-		return false;
+		return -EINVAL;
 	}
 	if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
 		printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
 		       "TARPIT module not available\n");
-		return false;
+		return -EINVAL;
 	}
 
-	return true;
+	return 0;
 }
 
 static struct xt_target chaos_tg_reg = {

extensions/xt_CHECKSUM.c

@@ -0,0 +1,72 @@
+/*
+ * (C) 2002 by Harald Welte <laforge@netfilter.org>
+ * (C) 2010 Red Hat, Inc.
+ *
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter/x_tables.h>
+#include "xt_CHECKSUM.h"
+#include "compat_xtables.h"
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
+MODULE_DESCRIPTION("Xtables: checksum modification");
+MODULE_ALIAS("ipt_CHECKSUM");
+MODULE_ALIAS("ip6t_CHECKSUM");
+
+static unsigned int
+checksum_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+{
+	struct sk_buff *skb = *pskb;
+
+	if (skb->ip_summed == CHECKSUM_PARTIAL)
+		skb_checksum_help(skb);
+
+	return XT_CONTINUE;
+}
+
+static int checksum_tg_check(const struct xt_tgchk_param *par)
+{
+	const struct xt_CHECKSUM_info *einfo = par->targinfo;
+
+	if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
+		pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
+		return -EINVAL;
+	}
+	if (!einfo->operation) {
+		pr_info("no CHECKSUM operation enabled\n");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+static struct xt_target checksum_tg_reg __read_mostly = {
+	.name       = "CHECKSUM",
+	.family     = NFPROTO_UNSPEC,
+	.target     = checksum_tg,
+	.targetsize = sizeof(struct xt_CHECKSUM_info),
+	.table      = "mangle",
+	.checkentry = checksum_tg_check,
+	.me         = THIS_MODULE,
+};
+
+static int __init checksum_tg_init(void)
+{
+	return xt_register_target(&checksum_tg_reg);
+}
+
+static void __exit checksum_tg_exit(void)
+{
+	xt_unregister_target(&checksum_tg_reg);
+}
+
+module_init(checksum_tg_init);
+module_exit(checksum_tg_exit);

extensions/xt_CHECKSUM.h

@@ -0,0 +1,18 @@
+/* Header file for iptables ipt_CHECKSUM target
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 Red Hat Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+*/
+#ifndef _IPT_CHECKSUM_TARGET_H
+#define _IPT_CHECKSUM_TARGET_H
+
+#define XT_CHECKSUM_OP_FILL	0x01	/* fill in checksum in IP header */
+
+struct xt_CHECKSUM_info {
+	__u8 operation;	/* bitset of operations */
+};
+
+#endif /* _IPT_CHECKSUM_TARGET_H */

extensions/xt_DELUDE.c

@@ -143,7 +143,7 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
 }
 
 static unsigned int
-delude_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+delude_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	/* WARNING: This code causes reentry within iptables.
 	   This means that the iptables jump stack is now crap.  We

extensions/xt_DHCPMAC.c

@@ -69,7 +69,7 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
 }
 
 static bool
-dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dhcpmac_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct dhcpmac_info *info = par->matchinfo;
 	const struct dhcp_message *dh;
@@ -89,7 +89,7 @@ dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 
 static unsigned int
-dhcpmac_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+dhcpmac_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct dhcpmac_info *info = par->targinfo;
 	struct dhcp_message dhcpbuf, *dh;
@@ -139,7 +139,7 @@ static struct xt_match dhcpmac_mt_reg __read_mostly = {
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
 	.match      = dhcpmac_mt,
-	.matchsize  = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.matchsize  = sizeof(struct dhcpmac_info),
 	.me         = THIS_MODULE,
 };
 

extensions/xt_ECHO.c

@@ -21,7 +21,7 @@
 #include "compat_xtables.h"
 
 static unsigned int
-echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
+echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *oldskb = *poldskb;
 	const struct udphdr *oldudp;
@@ -113,7 +113,6 @@ static struct xt_target echo_tg_reg __read_mostly = {
 	.proto      = IPPROTO_UDP,
 	.table      = "filter",
 	.target     = echo_tg4,
-	.targetsize = XT_ALIGN(0),
 	.me         = THIS_MODULE,
 };
 

extensions/xt_IPMARK.c

@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_IPMARK");
 MODULE_ALIAS("ip6t_IPMARK");
 
 static unsigned int
-ipmark_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+ipmark_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_ipmark_tginfo *ipmarkinfo = par->targinfo;
 	const struct sk_buff *skb = *pskb;
@@ -61,7 +61,7 @@ static __u32 ipmark_from_ip6(const struct in6_addr *a, unsigned int s)
 }
 
 static unsigned int
-ipmark_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+ipmark_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_ipmark_tginfo *info = par->targinfo;
 	const struct sk_buff *skb = *pskb;
@@ -86,7 +86,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.table      = "mangle",
 		.target     = ipmark_tg4,
-		.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
+		.targetsize = sizeof(struct xt_ipmark_tginfo),
 		.me         = THIS_MODULE,
 	},
 	{
@@ -95,7 +95,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.table      = "mangle",
 		.target     = ipmark_tg6,
-		.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
+		.targetsize = sizeof(struct xt_ipmark_tginfo),
 		.me         = THIS_MODULE,
 	},
 };

extensions/xt_LOGMARK.c

@@ -30,7 +30,7 @@ static const char *const dir_names[] = {
 };
 
 static unsigned int
-logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct xt_logmark_tginfo *info = par->targinfo;
@@ -81,17 +81,17 @@ logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static bool
+static int
 logmark_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_logmark_tginfo *info = par->targinfo;
 
 	if (info->level >= 8) {
 		pr_debug("LOGMARK: level %u >= 8\n", info->level);
-		return false;
+		return -EINVAL;
 	}
 
-	return true;
+	return 0;
 }
 
 static struct xt_target logmark_tg_reg[] __read_mostly = {

extensions/xt_RAWNAT.c

@@ -48,7 +48,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		break;
 	case 33 ... 63:
 		addr[0] = repl[0];
-		addr[1] = remask(addr[1], repl[1], mask - 64);
+		addr[1] = remask(addr[1], repl[1], mask - 32);
 		break;
 	case 64:
 		addr[0] = repl[0];
@@ -57,7 +57,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 	case 65 ... 95:
 		addr[0] = repl[0];
 		addr[1] = repl[1];
-		addr[2] = remask(addr[2], repl[2], mask - 96);
+		addr[2] = remask(addr[2], repl[2], mask - 64);
 	case 96:
 		addr[0] = repl[0];
 		addr[1] = repl[1];
@@ -67,7 +67,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		addr[0] = repl[0];
 		addr[1] = repl[1];
 		addr[2] = repl[2];
-		addr[3] = remask(addr[3], repl[3], mask - 128);
+		addr[3] = remask(addr[3], repl[3], mask - 96);
 		break;
 	case 128:
 		addr[0] = repl[0];
@@ -125,7 +125,7 @@ static unsigned int rawnat4_writable_part(const struct iphdr *iph)
 }
 
 static unsigned int
-rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+rawsnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	struct iphdr *iph;
@@ -147,7 +147,7 @@ rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 
 static unsigned int
-rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+rawdnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	struct iphdr *iph;
@@ -241,7 +241,7 @@ static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
 }
 
 static unsigned int
-rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	unsigned int l4offset, l4proto;
@@ -262,7 +262,7 @@ rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 
 static unsigned int
-rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	unsigned int l4offset, l4proto;
@@ -283,15 +283,15 @@ rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 #endif
 
-static bool rawnat_tg_check(const struct xt_tgchk_param *par)
+static int rawnat_tg_check(const struct xt_tgchk_param *par)
 {
 	if (strcmp(par->table, "raw") == 0 ||
 	    strcmp(par->table, "rawpost") == 0)
-		return true;
+		return 0;
 
 	printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or "
 	       "\"rawpost\" table.\n");
-	return false;
+	return -EINVAL;
 }
 
 static struct xt_target rawnat_tg_reg[] __read_mostly = {

extensions/xt_STEAL.c

@@ -8,7 +8,7 @@
 #include "compat_xtables.h"
 
 static unsigned int
-steal_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+steal_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	kfree_skb(*pskb);
 	return NF_STOLEN;

extensions/xt_SYSRQ.c

@@ -1,6 +1,6 @@
 /*
  *	"SYSRQ" target extension for Netfilter
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
  *
@@ -23,6 +23,10 @@
 #include <net/ip.h>
 #include "compat_xtables.h"
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) && \
+    (defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE))
+#	define WITH_CRYPTO 1
+#endif
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 #	define WITH_IPV6 1
 #endif
@@ -42,7 +46,7 @@ MODULE_PARM_DESC(hash, "hash algorithm, default sha1");
 MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
 MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#ifdef WITH_CRYPTO
 static struct crypto_hash *sysrq_tfm;
 static int sysrq_digest_size;
 static unsigned char *sysrq_digest_password;
@@ -131,13 +135,13 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 			"0123456789abcdef"[sysrq_digest[i] & 0xf];
 	}
 	sysrq_hexdigest[2*sysrq_digest_size] = '\0';
-	if (len - n < sysrq_digest_size) {
+	if (len - n < sysrq_digest_size * 2) {
 		if (sysrq_debug)
 			printk(KERN_INFO KBUILD_MODNAME ": Short digest,"
 			       " expected %s\n", sysrq_hexdigest);
 		return NF_DROP;
 	}
-	if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size) != 0) {
+	if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size * 2) != 0) {
 		if (sysrq_debug)
 			printk(KERN_INFO KBUILD_MODNAME ": Bad digest,"
 			       " expected %s\n", sysrq_hexdigest);
@@ -193,7 +197,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 #endif
 
 static unsigned int
-sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	struct sk_buff *skb = *pskb;
 	const struct iphdr *iph;
@@ -204,8 +208,8 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 		return NF_DROP;
 
 	iph = ip_hdr(skb);
-	if (iph->protocol != IPPROTO_UDP)
-		return NF_ACCEPT; /* sink it */
+	if (iph->protocol != IPPROTO_UDP && iph->protocol != IPPROTO_UDPLITE)
+		return NF_DROP;
 
 	udph = (const void *)iph + ip_hdrlen(skb);
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
@@ -220,7 +224,7 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 
 #ifdef WITH_IPV6
 static unsigned int
-sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	struct sk_buff *skb = *pskb;
 	const struct ipv6hdr *iph;
@@ -235,7 +239,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	iph = ipv6_hdr(skb);
 	if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
 	    frag_off > 0)
-		return NF_ACCEPT; /* sink it */
+		return NF_DROP;
 
 	udph = (const void *)iph + th_off;
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
@@ -249,9 +253,8 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 #endif
 
-static bool sysrq_tg_check(const struct xt_tgchk_param *par)
+static int sysrq_tg_check(const struct xt_tgchk_param *par)
 {
-
 	if (par->target->family == NFPROTO_IPV4) {
 		const struct ipt_entry *entry = par->entryinfo;
 
@@ -268,11 +271,11 @@ static bool sysrq_tg_check(const struct xt_tgchk_param *par)
 			goto out;
 	}
 
-	return true;
+	return 0;
 
  out:
 	printk(KERN_ERR KBUILD_MODNAME ": only available for UDP and UDP-Lite");
-	return false;
+	return -EINVAL;
 }
 
 static struct xt_target sysrq_tg_reg[] __read_mostly = {
@@ -296,43 +299,9 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 #endif
 };
 
-static int __init sysrq_tg_init(void)
+static void sysrq_crypto_exit(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	struct timeval now;
-
-	sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
-	if (IS_ERR(sysrq_tfm)) {
-		printk(KERN_WARNING KBUILD_MODNAME
-			": Error: Could not find or load %s hash\n",
-			sysrq_hash);
-		sysrq_tfm = NULL;
-		goto fail;
-	}
-	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
-	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
-	if (sysrq_digest == NULL) {
-		printk(KERN_WARNING KBUILD_MODNAME
-			": Cannot allocate digest\n");
-		goto fail;
-	}
-	sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
-	if (sysrq_hexdigest == NULL) {
-		printk(KERN_WARNING KBUILD_MODNAME
-			": Cannot allocate hexdigest\n");
-		goto fail;
-	}
-	sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
-	if (sysrq_digest_password == NULL) {
-		printk(KERN_WARNING KBUILD_MODNAME
-			": Cannot allocate password digest space\n");
-		goto fail;
-	}
-	do_gettimeofday(&now);
-	sysrq_seqno = now.tv_sec;
-	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
-
- fail:
+#ifdef WITH_CRYPTO
 	if (sysrq_tfm)
 		crypto_free_hash(sysrq_tfm);
 	if (sysrq_digest)
@@ -341,22 +310,62 @@ static int __init sysrq_tg_init(void)
 		kfree(sysrq_hexdigest);
 	if (sysrq_digest_password)
 		kfree(sysrq_digest_password);
-	return -EINVAL;
-#else
-	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for <= 2.6.18\n");
-	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 #endif
 }
 
+static int __init sysrq_crypto_init(void)
+{
+#if defined(WITH_CRYPTO)
+	struct timeval now;
+	int ret;
+
+	sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
+	if (IS_ERR(sysrq_tfm)) {
+		printk(KERN_WARNING KBUILD_MODNAME
+			": Error: Could not find or load %s hash\n",
+			sysrq_hash);
+		ret = PTR_ERR(sysrq_tfm);
+		sysrq_tfm = NULL;
+		goto fail;
+	}
+	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
+	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
+	ret = -ENOMEM;
+	if (sysrq_digest == NULL)
+		goto fail;
+	sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
+	if (sysrq_hexdigest == NULL)
+		goto fail;
+	sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
+	if (sysrq_digest_password == NULL)
+		goto fail;
+	do_gettimeofday(&now);
+	sysrq_seqno = now.tv_sec;
+	ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	if (ret < 0)
+		goto fail;
+	return ret;
+
+ fail:
+	sysrq_crypto_exit();
+	return ret;
+#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 19)
+	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for < 2.6.19\n");
+#endif
+	return -EINVAL;
+}
+
+static int __init sysrq_tg_init(void)
+{
+	if (sysrq_crypto_init() < 0)
+		printk(KERN_WARNING "xt_SYSRQ starting without crypto\n");
+	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+}
+
 static void __exit sysrq_tg_exit(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	crypto_free_hash(sysrq_tfm);
-	kfree(sysrq_digest);
-	kfree(sysrq_hexdigest);
-	kfree(sysrq_digest_password);
-#endif
-	return xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	sysrq_crypto_exit();
+	xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 }
 
 module_init(sysrq_tg_init);

extensions/xt_TARPIT.c

@@ -188,7 +188,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
 }
 
 static unsigned int
-tarpit_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);

extensions/xt_TEE.c

@@ -24,7 +24,6 @@
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #	define WITH_CONNTRACK 1
 #	include <net/netfilter/nf_conntrack.h>
-static struct nf_conn tee_track;
 #endif
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 #	define WITH_IPV6 1
@@ -33,51 +32,23 @@ static struct nf_conn tee_track;
 #include "compat_xtables.h"
 #include "xt_TEE.h"
 
+static bool tee_active[NR_CPUS];
 static const union nf_inet_addr tee_zero_address;
 
-/*
- * Try to route the packet according to the routing keys specified in
- * route_info. Keys are :
- *  - ifindex :
- *      0 if no oif preferred,
- *      otherwise set to the index of the desired oif
- *  - route_info->gateway :
- *      0 if no gateway specified,
- *      otherwise set to the next host to which the pkt must be routed
- * If success, skb->dev is the output device to which the packet must
- * be sent and skb->dst is not NULL
- *
- * RETURN: false - if an error occured
- *         true  - if the packet was succesfully routed to the
- *                 destination desired
- */
 static bool
 tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
 	const struct iphdr *iph = ip_hdr(skb);
-	int err;
 	struct rtable *rt;
 	struct flowi fl;
 
 	memset(&fl, 0, sizeof(fl));
-	fl.iif = skb_ifindex(skb);
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-	fl.nl_u.ip4_u.fwmark = skb_nfmark(skb);
-#else
-	fl.mark = skb_nfmark(skb);
-#endif
 	fl.nl_u.ip4_u.daddr = info->gw.ip;
 	fl.nl_u.ip4_u.tos   = RT_TOS(iph->tos);
 	fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
 
-	/* Trying to route the packet using the standard routing table. */
-	err = ip_route_output_key(&init_net, &rt, &fl);
-	if (err != 0) {
-		if (net_ratelimit())
-			pr_debug(KBUILD_MODNAME
-			         ": could not route packet (%d)", err);
+	if (ip_route_output_key(&init_net, &rt, &fl) != 0)
 		return false;
-	}
 
 	dst_release(skb_dst(skb));
 	skb_dst_set(skb, &rt->u.dst);
@@ -123,79 +94,58 @@ static void tee_tg_send(struct sk_buff *skb)
 		skb = skb2;
 	}
 
-	if (dst->hh != NULL) {
+	if (dst->hh != NULL)
 		neigh_hh_output(dst->hh, skb);
-	} else if (dst->neighbour != NULL) {
+	else if (dst->neighbour != NULL)
 		dst->neighbour->output(skb);
-	} else {
-		if (net_ratelimit())
-			pr_debug(KBUILD_MODNAME "no hdr & no neighbour cache!\n");
+	else
 		kfree_skb(skb);
-	}
 }
 
-/*
- * To detect and deter routed packet loopback when using the --tee option, we
- * take a page out of the raw.patch book: on the copied skb, we set up a fake
- * ->nfct entry, pointing to the local &route_tee_track. We skip routing
- * packets when we see they already have that ->nfct.
- */
 static unsigned int
-tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+tee_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct sk_buff *skb = *pskb;
+	struct iphdr *iph;
+	unsigned int cpu = smp_processor_id();
 
-#ifdef WITH_CONNTRACK
-	if (skb->nfct == &tee_track.ct_general) {
-		/*
-		 * Loopback - a packet we already routed, is to be
-		 * routed another time. Avoid that, now.
-		 */
-		if (net_ratelimit())
-			pr_debug(KBUILD_MODNAME "loopback - DROP!\n");
-		return NF_DROP;
-	}
-#endif
-
-	if (!skb_make_writable(pskb, sizeof(struct iphdr)))
-		return NF_DROP;
-	skb = *pskb;
-
-	/*
-	 * If we are in INPUT, the checksum must be recalculated since
-	 * the length could have changed as a result of defragmentation.
-	 */
-	if (par->hooknum == NF_INET_LOCAL_IN) {
-		struct iphdr *iph = ip_hdr(skb);
-		iph->check = 0;
-		iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
-	}
-
+	if (tee_active[cpu])
+		return XT_CONTINUE;
 	/*
 	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
 	 * the original skb, which should continue on its way as if nothing has
 	 * happened. The copy should be independently delivered to the TEE
 	 * --gateway.
 	 */
-	skb = skb_copy(skb, GFP_ATOMIC);
-	if (skb == NULL) {
-		if (net_ratelimit())
-			pr_debug(KBUILD_MODNAME "copy failed!\n");
+	skb = pskb_copy(skb, GFP_ATOMIC);
+	if (skb == NULL)
 		return XT_CONTINUE;
-	}
+	/*
+	 * If we are in PREROUTING/INPUT, the checksum must be recalculated
+	 * since the length could have changed as a result of defragmentation.
+	 *
+	 * We also decrease the TTL to mitigate potential TEE loops
+	 * between two hosts.
+	 *
+	 * Set %IP_DF so that the original source is notified of a potentially
+	 * decreased MTU on the clone route. IPv6 does this too.
+	 */
+	iph = ip_hdr(skb);
+	iph->frag_off |= htons(IP_DF);
+	if (par->hooknum == NF_INET_PRE_ROUTING ||
+	    par->hooknum == NF_INET_LOCAL_IN)
+		--iph->ttl;
+	ip_send_check(iph);
 
 #ifdef WITH_CONNTRACK
 	/*
-	 * Tell conntrack to forget this packet since it may get confused
-	 * when a packet is leaving with dst address == our address.
-	 * Good idea? Dunno. Need advice.
-	 *
-	 * NEW: mark the skb with our &tee_track, so we avoid looping
-	 * on any already routed packet.
+	 * Tell conntrack to forget this packet. It may have side effects to
+	 * see the same packet twice, as for example, accounting the original
+	 * connection for the cloned packet.
 	 */
 	nf_conntrack_put(skb->nfct);
-	skb->nfct     = &tee_track.ct_general;
+	skb->nfct     = &nf_conntrack_untracked.ct_general;
 	skb->nfctinfo = IP_CT_NEW;
 	nf_conntrack_get(skb->nfct);
 #endif
@@ -216,9 +166,13 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	 * Also on purpose, no fragmentation is done, to preserve the
 	 * packet as best as possible.
 	 */
-	if (tee_tg_route4(skb, info))
+	if (tee_tg_route4(skb, info)) {
+		tee_active[cpu] = true;
 		tee_tg_send(skb);
-
+		tee_active[cpu] = false;
+	} else {
+		kfree_skb(skb);
+	}
 	return XT_CONTINUE;
 }
 
@@ -231,12 +185,6 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 	struct flowi fl;
 
 	memset(&fl, 0, sizeof(fl));
-	fl.iif = skb_ifindex(skb);
-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
-	fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
-	fl.mark = skb_nfmark(skb);
-#endif
 	fl.nl_u.ip6_u.daddr = info->gw.in6;
 	fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
 		(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
@@ -246,11 +194,8 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 #else
 	dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
 #endif
-	if (dst == NULL) {
-		if (net_ratelimit())
-			printk(KERN_ERR "ip6_route_output failed for tee\n");
+	if (dst == NULL)
 		return false;
-	}
 
 	dst_release(skb_dst(skb));
 	skb_dst_set(skb, dst);
@@ -260,40 +205,47 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 }
 
 static unsigned int
-tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+tee_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct sk_buff *skb = *pskb;
+	unsigned int cpu = smp_processor_id();
 
-	/* Try silence. */
-#ifdef WITH_CONNTRACK
-	if (skb->nfct == &tee_track.ct_general)
-		return NF_DROP;
-#endif
-
-	if ((skb = skb_copy(skb, GFP_ATOMIC)) == NULL)
+	if (tee_active[cpu])
+		return XT_CONTINUE;
+	skb = pskb_copy(skb, GFP_ATOMIC);
+	if (skb == NULL)
 		return XT_CONTINUE;
 
 #ifdef WITH_CONNTRACK
 	nf_conntrack_put(skb->nfct);
-	skb->nfct     = &tee_track.ct_general;
+	skb->nfct     = &nf_conntrack_untracked.ct_general;
 	skb->nfctinfo = IP_CT_NEW;
 	nf_conntrack_get(skb->nfct);
 #endif
-	if (tee_tg_route6(skb, info))
+	if (par->hooknum == NF_INET_PRE_ROUTING ||
+	    par->hooknum == NF_INET_LOCAL_IN) {
+		struct ipv6hdr *iph = ipv6_hdr(skb);
+		--iph->hop_limit;
+	}
+	if (tee_tg_route6(skb, info)) {
+		tee_active[cpu] = true;
 		tee_tg_send(skb);
-
+		tee_active[cpu] = false;
+	} else {
+		kfree_skb(skb);
+	}
 	return XT_CONTINUE;
 }
 #endif /* WITH_IPV6 */
 
-static bool tee_tg_check(const struct xt_tgchk_param *par)
+static int tee_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 
 	/* 0.0.0.0 and :: not allowed */
-	return memcmp(&info->gw, &tee_zero_address,
-	       sizeof(tee_zero_address)) != 0;
+	return (memcmp(&info->gw, &tee_zero_address,
+	       sizeof(tee_zero_address)) == 0) ? -EINVAL : 0;
 }
 
 static struct xt_target tee_tg_reg[] __read_mostly = {
@@ -301,7 +253,6 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 		.name       = "TEE",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.table      = "mangle",
 		.target     = tee_tg4,
 		.targetsize = sizeof(struct xt_tee_tginfo),
 		.checkentry = tee_tg_check,
@@ -312,7 +263,6 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 		.name       = "TEE",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.table      = "mangle",
 		.target     = tee_tg6,
 		.targetsize = sizeof(struct xt_tee_tginfo),
 		.checkentry = tee_tg_check,
@@ -323,27 +273,12 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 
 static int __init tee_tg_init(void)
 {
-#ifdef WITH_CONNTRACK
-	/*
-	 * Set up fake conntrack (stolen from raw.patch):
-	 * - to never be deleted, not in any hashes
-	 */
-	atomic_set(&tee_track.ct_general.use, 1);
-
-	/* - and look it like as a confirmed connection */
-	set_bit(IPS_CONFIRMED_BIT, &tee_track.status);
-
-	/* Initialize fake conntrack so that NAT will skip it */
-	tee_track.status |= IPS_NAT_DONE_MASK;
-#endif
-
 	return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
 }
 
 static void __exit tee_tg_exit(void)
 {
 	xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
-	/* [SC]: shoud not we cleanup tee_track here? */
 }
 
 module_init(tee_tg_init);

extensions/xt_condition.c

@@ -35,6 +35,7 @@ static unsigned int condition_gid_perms = 0;
 
 MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
 MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Allows rules to match against condition variables");
 MODULE_LICENSE("GPL");
 module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
@@ -55,7 +56,7 @@ struct condition_variable {
 
 /* proc_lock is a user context only semaphore used for write access */
 /*           to the conditions' list.                               */
-static struct semaphore proc_lock;
+static DEFINE_MUTEX(proc_lock);
 
 static LIST_HEAD(conditions_list);
 static struct proc_dir_entry *proc_net_condition;
@@ -69,7 +70,6 @@ static int condition_proc_read(char __user *buffer, char **start, off_t offset,
 	buffer[1] = '\n';
 	if (length >= 2)
 		*eof = true;
-
 	return 2;
 }
 
@@ -92,25 +92,19 @@ static int condition_proc_write(struct file *file, const char __user *buffer,
 			break;
 		}
 	}
-
 	return length;
 }
 
 static bool
-condition_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+condition_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_condition_mtinfo *info = par->matchinfo;
 	const struct condition_variable *var   = info->condvar;
-	bool x;
 
-	rcu_read_lock();
-	x = rcu_dereference(var->enabled);
-	rcu_read_unlock();
-
-	return x ^ info->invert;
+	return var->enabled ^ info->invert;
 }
 
-static bool condition_mt_check(const struct xt_mtchk_param *par)
+static int condition_mt_check(const struct xt_mtchk_param *par)
 {
 	struct xt_condition_mtinfo *info = par->matchinfo;
 	struct condition_variable *var;
@@ -122,41 +116,36 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 		printk(KERN_INFO KBUILD_MODNAME ": name not allowed or too "
 		       "long: \"%.*s\"\n", (unsigned int)sizeof(info->name),
 		       info->name);
-		return false;
+		return -EINVAL;
 	}
-
 	/*
 	 * Let's acquire the lock, check for the condition and add it
 	 * or increase the reference counter.
 	 */
-	if (down_interruptible(&proc_lock))
-		return false;
-
+	mutex_lock(&proc_lock);
 	list_for_each_entry(var, &conditions_list, list) {
 		if (strcmp(info->name, var->status_proc->name) == 0) {
 			var->refcount++;
-			up(&proc_lock);
+			mutex_unlock(&proc_lock);
 			info->condvar = var;
-			return true;
+			return 0;
 		}
 	}
 
 	/* At this point, we need to allocate a new condition variable. */
 	var = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);
-
 	if (var == NULL) {
-		up(&proc_lock);
-		return false;
+		mutex_unlock(&proc_lock);
+		return -ENOMEM;
 	}
 
 	/* Create the condition variable's proc file entry. */
 	var->status_proc = create_proc_entry(info->name, condition_list_perms,
 	                   proc_net_condition);
-
 	if (var->status_proc == NULL) {
 		kfree(var);
-		up(&proc_lock);
-		return false;
+		mutex_unlock(&proc_lock);
+		return -ENOMEM;
 	}
 
 	var->refcount = 1;
@@ -168,16 +157,12 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 	wmb();
 	var->status_proc->read_proc  = condition_proc_read;
 	var->status_proc->write_proc = condition_proc_write;
-
-	list_add_rcu(&var->list, &conditions_list);
-
+	list_add(&var->list, &conditions_list);
 	var->status_proc->uid = condition_uid_perms;
 	var->status_proc->gid = condition_gid_perms;
-
-	up(&proc_lock);
-
+	mutex_unlock(&proc_lock);
 	info->condvar = var;
-	return true;
+	return 0;
 }
 
 static void condition_mt_destroy(const struct xt_mtdtor_param *par)
@@ -185,22 +170,15 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 	const struct xt_condition_mtinfo *info = par->matchinfo;
 	struct condition_variable *var = info->condvar;
 
-	down(&proc_lock);
+	mutex_lock(&proc_lock);
 	if (--var->refcount == 0) {
-		list_del_rcu(&var->list);
+		list_del(&var->list);
 		remove_proc_entry(var->status_proc->name, proc_net_condition);
-		up(&proc_lock);
-		/*
-		 * synchronize_rcu() would be good enough, but
-		 * synchronize_net() guarantees that no packet
-		 * will go out with the old rule after
-		 * succesful removal.
-		 */
-		synchronize_net();
+		mutex_unlock(&proc_lock);
 		kfree(var);
 		return;
 	}
-	up(&proc_lock);
+	mutex_unlock(&proc_lock);
 }
 
 static struct xt_match condition_mt_reg[] __read_mostly = {
@@ -208,7 +186,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 		.name       = "condition",
 		.revision   = 1,
 		.family     = NFPROTO_IPV4,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
+		.matchsize  = sizeof(struct xt_condition_mtinfo),
 		.match      = condition_mt,
 		.checkentry = condition_mt_check,
 		.destroy    = condition_mt_destroy,
@@ -218,7 +196,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 		.name       = "condition",
 		.revision   = 1,
 		.family     = NFPROTO_IPV6,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
+		.matchsize  = sizeof(struct xt_condition_mtinfo),
 		.match      = condition_mt,
 		.checkentry = condition_mt_check,
 		.destroy    = condition_mt_destroy,
@@ -232,7 +210,7 @@ static int __init condition_mt_init(void)
 {
 	int ret;
 
-	sema_init(&proc_lock, 1);
+	mutex_init(&proc_lock);
 	proc_net_condition = proc_mkdir(dir_name, init_net__proc_net);
 	if (proc_net_condition == NULL)
 		return -EACCES;

extensions/xt_fuzzy.c

@@ -60,7 +60,7 @@ static uint8_t mf_low(uint32_t tx, uint32_t mini, uint32_t maxi)
 }
 
 static bool
-fuzzy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+fuzzy_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	struct xt_fuzzy_mtinfo *info = (void *)par->matchinfo;
 	unsigned long amount;
@@ -125,7 +125,7 @@ fuzzy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return false;
 }
 
-static bool fuzzy_mt_check(const struct xt_mtchk_param *par)
+static int fuzzy_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_fuzzy_mtinfo *info = par->matchinfo;
 
@@ -133,10 +133,10 @@ static bool fuzzy_mt_check(const struct xt_mtchk_param *par)
 	    info->maximum_rate > FUZZY_MAX_RATE ||
 	    info->minimum_rate >= info->maximum_rate) {
 		printk(KERN_INFO KBUILD_MODNAME ": bad values, please check.\n");
-		return false;
+		return -EDOM;
 	}
 
-	return true;
+	return 0;
 }
 
 static struct xt_match fuzzy_mt_reg[] __read_mostly = {
@@ -146,7 +146,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+		.matchsize  = sizeof(struct xt_fuzzy_mtinfo),
 		.me         = THIS_MODULE,
 	},
 	{
@@ -155,7 +155,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+		.matchsize  = sizeof(struct xt_fuzzy_mtinfo),
 		.me         = THIS_MODULE,
 	},
 };

extensions/xt_geoip.c

@@ -46,23 +46,28 @@ geoip_add_node(const struct geoip_country_user __user *umem_ptr)
 	struct geoip_country_user umem;
 	struct geoip_country_kernel *p;
 	struct geoip_subnet *s;
+	int ret;
 
 	if (copy_from_user(&umem, umem_ptr, sizeof(umem)) != 0)
-		return NULL;
+		return ERR_PTR(-EFAULT);
 
 	p = kmalloc(sizeof(struct geoip_country_kernel), GFP_KERNEL);
 	if (p == NULL)
-		return NULL;
+		return ERR_PTR(-ENOMEM);
 
 	p->count   = umem.count;
 	p->cc      = umem.cc;
 
 	s = vmalloc(p->count * sizeof(struct geoip_subnet));
-	if (s == NULL)
+	if (s == NULL) {
+		ret = -ENOMEM;
 		goto free_p;
+	}
 	if (copy_from_user(s, (const void __user *)(unsigned long)umem.subnets,
-	    p->count * sizeof(struct geoip_subnet)) != 0)
+	    p->count * sizeof(struct geoip_subnet)) != 0) {
+		ret = -EFAULT;
 		goto free_s;
+	}
 
 	p->subnets = s;
 	atomic_set(&p->ref, 1);
@@ -78,7 +83,7 @@ geoip_add_node(const struct geoip_country_user __user *umem_ptr)
 	vfree(s);
  free_p:
 	kfree(p);
-	return NULL;
+	return ERR_PTR(ret);
 }
 
 static void geoip_try_remove_node(struct geoip_country_kernel *p)
@@ -121,13 +126,13 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
 {
 	int mid;
 
-	if (hi < lo)
+	if (hi <= lo)
 		return false;
 	mid = (lo + hi) / 2;
 	if (range[mid].begin <= addr && addr <= range[mid].end)
 		return true;
 	if (range[mid].begin > addr)
-		return geoip_bsearch(range, addr, lo, mid - 1);
+		return geoip_bsearch(range, addr, lo, mid);
 	else if (range[mid].end < addr)
 		return geoip_bsearch(range, addr, mid + 1, hi);
 
@@ -136,7 +141,7 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
 }
 
 static bool
-xt_geoip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+xt_geoip_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_geoip_match_info *info = par->matchinfo;
 	const struct geoip_country_kernel *node;
@@ -168,7 +173,7 @@ xt_geoip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return info->flags & XT_GEOIP_INV;
 }
 
-static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
+static int xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
 {
 	struct xt_geoip_match_info *info = par->matchinfo;
 	struct geoip_country_kernel *node;
@@ -176,13 +181,15 @@ static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
 
 	for (i = 0; i < info->count; i++) {
 		node = find_node(info->cc[i]);
-		if (node == NULL)
-			if ((node = geoip_add_node((const void __user *)(unsigned long)info->mem[i].user)) == NULL) {
+		if (node == NULL) {
+			node = geoip_add_node((const void __user *)(unsigned long)info->mem[i].user);
+			if (IS_ERR(node)) {
 				printk(KERN_ERR
-						"xt_geoip: unable to load '%c%c' into memory\n",
-						COUNTRY(info->cc[i]));
-				return false;
+						"xt_geoip: unable to load '%c%c' into memory: %ld\n",
+						COUNTRY(info->cc[i]), PTR_ERR(node));
+				return PTR_ERR(node);
 			}
+		}
 
 		/* Overwrite the now-useless pointer info->mem[i] with
 		 * a pointer to the node's kernelspace structure.
@@ -192,7 +199,7 @@ static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
 		info->mem[i].kernel = node;
 	}
 
-	return true;
+	return 0;
 }
 
 static void xt_geoip_mt_destroy(const struct xt_mtdtor_param *par)

extensions/xt_iface.c

@@ -41,7 +41,7 @@ static const struct xt_iface_flag_pairs xt_iface_lookup[] =
 };
 
 static bool xt_iface_mt(const struct sk_buff *skb,
-    const struct xt_match_param *par)
+    struct xt_action_param *par)
 {
 	const struct xt_iface_mtinfo *info = par->matchinfo;
 	struct net_device *dev;
@@ -71,7 +71,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
 		.name       = "iface",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.matchsize  = sizeof(struct xt_iface_mtinfo),
 		.match      = xt_iface_mt,
 		.me         = THIS_MODULE,
 	},
@@ -79,7 +79,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
 		.name       = "iface",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.matchsize  = sizeof(struct xt_iface_mtinfo),
 		.match      = xt_iface_mt,
 		.me         = THIS_MODULE,
 	},

extensions/xt_ipp2p.c

@@ -505,19 +505,18 @@ search_bittorrent(const unsigned char *payload, const unsigned int plen)
 		if (payload[0] == 0x13)
 			if (memcmp(payload + 1, "BitTorrent protocol", 19) == 0)
 				return IPP2P_BIT * 100;
-
 		/*
-		 * get tracker commandos, all starts with GET /
-		 * then it can follow: scrape| announce
-		 * and then ?hash_info=
+		 * Any tracker command starts with GET / then *may be* some file on web server
+		 * (e.g. announce.php or dupa.pl or whatever.cgi or NOTHING for tracker on root dir)
+		 * but *must have* one (or more) of strings listed below (true for scrape and announce)
 		 */
 		if (memcmp(payload, "GET /", 5) == 0) {
-			/* message scrape */
-			if (memcmp(payload + 5, "scrape?info_hash=", 17) == 0)
+			if (HX_memmem(payload, plen, "info_hash=", 9) != NULL)
 				return IPP2P_BIT * 100 + 1;
-			/* message announce */
-			if (memcmp(payload + 5, "announce?info_hash=", 19) == 0)
+			if (HX_memmem(payload, plen, "peer_id=", 8) != NULL)
 				return IPP2P_BIT * 100 + 2;
+			if (HX_memmem(payload, plen, "passkey=", 8) != NULL)
+				return IPP2P_BIT * 100 + 4;
 		}
 	} else {
 	    	/* bitcomet encryptes the first packet, so we have to detect another
@@ -809,7 +808,7 @@ static const struct {
 };
 
 static bool
-ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_p2p_info *info = par->matchinfo;
 	const unsigned char  *haystack;

extensions/xt_ipv4options.c

@@ -29,7 +29,7 @@ static uint32_t ipv4options_rd(const uint8_t *data, int len)
 }
 
 static bool ipv4options_mt(const struct sk_buff *skb,
-    const struct xt_match_param *par)
+    struct xt_action_param *par)
 {
 	const struct xt_ipv4options_mtinfo1 *info = par->matchinfo;
 	const struct iphdr *iph = ip_hdr(skb);
@@ -50,7 +50,7 @@ static struct xt_match ipv4options_mt_reg __read_mostly = {
 	.revision  = 1,
 	.family    = NFPROTO_IPV4,
 	.match     = ipv4options_mt,
-	.matchsize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.matchsize = sizeof(struct xt_ipv4options_mtinfo1),
 	.me        = THIS_MODULE,
 };
 

extensions/xt_length2.c

@@ -137,7 +137,7 @@ static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
 }
 
 static bool
-length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+length2_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_length_mtinfo2 *info = par->matchinfo;
 	const struct iphdr *iph = ip_hdr(skb);
@@ -198,7 +198,7 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
 }
 
 static bool
-length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_length_mtinfo2 *info = par->matchinfo;
 	const struct ipv6hdr *iph = ipv6_hdr(skb);
@@ -207,9 +207,13 @@ length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 	bool hit = true;
 
 	if (info->flags & XT_LENGTH_LAYER3) {
-		len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
+		if (iph->payload_len == 0)
+			/* Jumbogram */
+			len = skb->len;
+		else
+			len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
 	} else {
-		l4proto = llayer4_proto(skb, &thoff, par->hotdrop);
+		l4proto = llayer4_proto(skb, &thoff, &par->hotdrop);
 		if (l4proto == NEXTHDR_MAX)
 			return false;
 		if (info->flags & XT_LENGTH_LAYER4)

extensions/xt_lscan.c

@@ -171,7 +171,7 @@ static inline unsigned int lscan_mt_full(int mark,
 }
 
 static bool
-lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
@@ -216,16 +216,16 @@ lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	       (info->match_gr && ctdata->mark == mark_grscan);
 }
 
-static bool lscan_mt_check(const struct xt_mtchk_param *par)
+static int lscan_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
 	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
 	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
 		printk(KERN_WARNING PFX "Invalid flags\n");
-		return false;
+		return -EINVAL;
 	}
-	return true;
+	return 0;
 }
 
 static struct xt_match lscan_mt_reg[] __read_mostly = {

extensions/xt_psd.c

@@ -100,7 +100,7 @@ static inline int hashfunc(struct in_addr addr)
 }
 
 static bool
-xt_psd_match(const struct sk_buff *pskb, const struct xt_match_param *match)
+xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 {
 	const struct iphdr *iph;
 	const struct tcphdr *tcph;
@@ -312,7 +312,7 @@ out_match:
 
 static struct xt_match xt_psd_reg __read_mostly = {
 	.name		= "psd",
-    .family		= AF_INET,
+	.family    = NFPROTO_IPV4,
 	.revision  = 1,
 	.match		= xt_psd_match,
 	.matchsize	= sizeof(struct xt_psd_info),

extensions/xt_quota2.c

@@ -144,28 +144,26 @@ q2_get_counter(const struct xt_quota_mtinfo2 *q)
 	return NULL;
 }
 
-static bool quota_mt2_check(const struct xt_mtchk_param *par)
+static int quota_mt2_check(const struct xt_mtchk_param *par)
 {
 	struct xt_quota_mtinfo2 *q = par->matchinfo;
 
 	if (q->flags & ~XT_QUOTA_MASK)
-		return false;
+		return -EINVAL;
 
 	q->name[sizeof(q->name)-1] = '\0';
 	if (*q->name == '.' || strchr(q->name, '/') != NULL) {
-		printk(KERN_ERR "xt_quota<%u>: illegal name\n",
-		       par->match->revision);
-		return false;
+		printk(KERN_ERR "xt_quota.3: illegal name\n");
+		return -EINVAL;
 	}
 
 	q->master = q2_get_counter(q);
 	if (q->master == NULL) {
-		printk(KERN_ERR "xt_quota<%u>: memory alloc failure\n",
-		       par->match->revision);
-		return false;
+		printk(KERN_ERR "xt_quota.3: memory alloc failure\n");
+		return -ENOMEM;
 	}
 
-	return true;
+	return 0;
 }
 
 static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
@@ -191,7 +189,7 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
 }
 
 static bool
-quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
+quota_mt2(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	struct xt_quota_mtinfo2 *q = (void *)par->matchinfo;
 	struct xt_quota_counter *e = q->master;

geoip/.gitignore

@@ -0,0 +1,6 @@
+/BE
+/LE
+/GeoIPCountryCSV.zip
+/GeoIPCountryWhois.csv
+/GeoIPv6.csv
+/GeoIPv6.csv.gz

geoip/Makefile.am

@@ -0,0 +1,3 @@
+# -*- Makefile -*-
+
+pkglibexec_SCRIPTS = geoip_build_db.pl geoip_download.sh

geoip/geoip_build_db.pl

@@ -0,0 +1,54 @@
+#!/usr/bin/perl
+#
+#	Converter for MaxMind CSV database to binary, for xt_geoip
+#	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2008
+#
+#	Use -b argument to create big-endian tables.
+#
+use Getopt::Long;
+use IO::Handle;
+use Text::CSV_XS; # or trade for Text::CSV
+use strict;
+
+my %country;
+my %names;
+my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
+my $mode = "VV";
+my $target_dir = ".";
+
+&Getopt::Long::Configure(qw(bundling));
+&GetOptions(
+	"D=s" => \$target_dir,
+	"b"   => sub { $mode = "NN"; },
+);
+
+if (!-d $target_dir) {
+	print STDERR "Target directory $target_dir does not exist.\n";
+	exit 1;
+}
+
+while (my $row = $csv->getline(*ARGV)) {
+	if (!defined($country{$row->[4]})) {
+		$country{$row->[4]} = [];
+		$names{$row->[4]} = $row->[5];
+	}
+	my $c = $country{$row->[4]};
+	push(@$c, [$row->[2], $row->[3]]);
+	if ($. % 4096 == 0) {
+		print STDERR "\r\e[2K$. entries";
+	}
+}
+
+print STDERR "\r\e[2K$. entries total\n";
+
+foreach my $iso_code (sort keys %country) {
+	printf "%5u ranges for %s %s\n",
+		scalar(@{$country{$iso_code}}),
+		$iso_code, $names{$iso_code};
+
+	open(my $fh, "> $target_dir/".uc($iso_code).".iv0");
+	foreach my $range (@{$country{$iso_code}}) {
+		print $fh pack($mode, $range->[0], $range->[1]);
+	}
+	close $fh;
+}

geoip/geoip_download.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+rm -f GeoIPv6.csv{,.gz} GeoIPCountryCSV.zip GeoIPCountryWhois.csv;
+wget \
+	http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \
+	http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip;
+gzip -d GeoIPv6.csv.gz;
+unzip GeoIPCountryCSV.zip;

include/linux/netfilter.h

@@ -3,6 +3,7 @@
 
 #include <linux/types.h>
 
+
 /* Responses from hook functions. */
 #define NF_DROP 0
 #define NF_ACCEPT 1
@@ -37,6 +38,16 @@ enum nf_inet_hooks {
 	NF_INET_NUMHOOKS
 };
 
+enum {
+	NFPROTO_UNSPEC =  0,
+	NFPROTO_IPV4   =  2,
+	NFPROTO_ARP    =  3,
+	NFPROTO_BRIDGE =  7,
+	NFPROTO_IPV6   = 10,
+	NFPROTO_DECNET = 12,
+	NFPROTO_NUMPROTO,
+};
+
 union nf_inet_addr {
 	__u32		all[4];
 	__be32		ip;

mconfig

@@ -2,6 +2,7 @@
 #
 build_ACCOUNT=m
 build_CHAOS=m
+build_CHECKSUM=m
 build_DELUDE=m
 build_DHCPMAC=m
 build_ECHO=

xa-download-more

@@ -6,7 +6,7 @@ use strict;
 
 &main(\@ARGV);
 
-sub main ($)
+sub main
 {
 	local *FH;
 
@@ -30,7 +30,7 @@ sub main ($)
 	close FH;
 }
 
-sub process_index ($)
+sub process_index
 {
 	my $top = shift @_;
 	my($agent, $res, $url);
@@ -68,14 +68,14 @@ sub process_index ($)
 	}
 }
 
-sub slash_remove ($)
+sub slash_remove
 {
 	my $s = shift @_;
 	$s =~ s{(\w+://)(.*)}{$1.&slash_remove2($2)}eg;
 	return $s;
 }
 
-sub slash_remove2 ($)
+sub slash_remove2
 {
 	my $s = shift @_;
 	$s =~ s{/+}{/}g;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.23 (2010-02-24)" "" "v1.23 (2010-02-24)"
+.TH xtables-addons 8 "v1.28 (2010-07-24)" "" "v1.28 (2010-07-24)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets