Xtables-addons 1.24

This reverts commit ab13e58f96.

Whoops. There is no mark at all before 2.6.19.

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.23])
+AC_INIT([xtables-addons], [1.24])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -34,7 +34,8 @@ AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
+	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
+	-I\${XA_TOPSRCDIR}/include";
 
 #
 # check kernel version

doc/changelog.txt

@@ -3,6 +3,15 @@ HEAD
 ====
 
 
+Xtables-addons 1.24 (March 17 2010)
+===================================
+- build: fix build of userspace modules against old (pre-2.6.25)
+  headers from linux-glibc-devel (/usr/include/linux)
+- ipp2p: updated bittorent command recognition
+- SYSRQ: let module load when crypto is unavailable
+- SYSRQ: allow processing of UDP-Lite
+
+
 Xtables-addons 1.23 (February 24 2010)
 ======================================
 - build: support for Linux 2.6.34

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -142,7 +142,7 @@ account_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target account_tg_reg = {
 	.name          = "ACCOUNT",
 	.revision      = 1,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
 	.userspacesize = offsetof(struct ipt_acc_info, table_nr),

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -1082,7 +1082,7 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 static struct xt_target xt_acc_reg __read_mostly = {
 	.name = "ACCOUNT",
 	.revision = 1,
-	.family = AF_INET,
+	.family     = NFPROTO_IPV4,
 	.target = ipt_acc_target,
 	.targetsize = sizeof(struct ipt_acc_info),
 	.checkentry = ipt_acc_checkentry,

extensions/compat_xtables.c

@@ -509,4 +509,18 @@ int xtnu_skb_linearize(struct sk_buff *skb)
 EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
 #endif
 
+void *HX_memmem(const void *space, size_t spacesize,
+    const void *point, size_t pointsize)
+{
+	size_t i;
+
+	if (pointsize > spacesize)
+		return NULL;
+	for (i = 0; i <= spacesize - pointsize; ++i)
+		if (memcmp(space + i, point, pointsize) == 0)
+			return (void *)space + i;
+	return NULL;
+}
+EXPORT_SYMBOL_GPL(HX_memmem);
+
 MODULE_LICENSE("GPL");

extensions/compat_xtnu.h

@@ -154,4 +154,6 @@ extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
 	__be32, __be32, bool);
 extern int xtnu_skb_linearize(struct sk_buff *);
 
+extern void *HX_memmem(const void *, size_t, const void *, size_t);
+
 #endif /* _COMPAT_XTNU_H */

extensions/libxt_CHAOS.c

@@ -95,7 +95,7 @@ static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target chaos_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "CHAOS",
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.help          = chaos_tg_help,

extensions/libxt_DELUDE.c

@@ -33,9 +33,7 @@ static struct xtables_target delude_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DELUDE",
 	.revision      = 0,
-	.family        = AF_INET,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_IPV4,
 	.help          = delude_tg_help,
 	.parse         = delude_tg_parse,
 	.final_check   = delude_tg_check,

extensions/libxt_DHCPMAC.c

@@ -84,7 +84,7 @@ static struct xtables_target dhcpmac_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DHCPMAC",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.help          = dhcpmac_tg_help,

extensions/libxt_ECHO.c

@@ -29,9 +29,7 @@ static void echo_tg_check(unsigned int flags)
 static struct xtables_target echo_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ECHO",
-	.family        = AF_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_UNSPEC,
 	.help          = echo_tg_help,
 	.parse         = echo_tg_parse,
 	.final_check   = echo_tg_check,

extensions/libxt_IPMARK.c

@@ -151,7 +151,7 @@ ipmark_tg_save(const void *entry, const struct xt_entry_target *target)
 static struct xtables_target ipmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "IPMARK",
-	.family        = PF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.revision      = 1,
 	.size          = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),

extensions/libxt_LOGMARK.c

@@ -100,7 +100,7 @@ static struct xtables_target logmark_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "LOGMARK",
 	.revision      = 0,
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_logmark_tginfo)),
 	.help          = logmark_tg_help,

extensions/libxt_RAWDNAT.c

@@ -154,7 +154,7 @@ static struct xtables_target rawdnat_tg4_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWDNAT",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawdnat_tg_help,
@@ -169,7 +169,7 @@ static struct xtables_target rawdnat_tg6_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWDNAT",
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawdnat_tg_help,

extensions/libxt_RAWSNAT.c

@@ -154,7 +154,7 @@ static struct xtables_target rawsnat_tg4_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWSNAT",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawsnat_tg_help,
@@ -169,7 +169,7 @@ static struct xtables_target rawsnat_tg6_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "RAWSNAT",
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
 	.help          = rawsnat_tg_help,

extensions/libxt_STEAL.c

@@ -19,9 +19,7 @@ static void steal_tg_check(unsigned int flags)
 static struct xtables_target steal_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "STEAL",
-	.family        = AF_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_UNSPEC,
 	.help          = steal_tg_help,
 	.parse         = steal_tg_parse,
 	.final_check   = steal_tg_check,

extensions/libxt_SYSRQ.c

@@ -25,9 +25,7 @@ static struct xtables_target sysrq_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "SYSRQ",
 	.revision      = 1,
-	.family        = PF_UNSPEC,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_UNSPEC,
 	.help          = sysrq_tg_help,
 	.parse         = sysrq_tg_parse,
 	.final_check   = sysrq_tg_check,

extensions/libxt_TARPIT.c

@@ -24,9 +24,7 @@ static void tarpit_tg_check(unsigned int flags)
 static struct xtables_target tarpit_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "TARPIT",
-	.family        = AF_INET,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_IPV4,
 	.help          = tarpit_tg_help,
 	.parse         = tarpit_tg_parse,
 	.final_check   = tarpit_tg_check,

extensions/libxt_TEE.c

@@ -138,7 +138,7 @@ static struct xtables_target tee_tg_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,
@@ -153,7 +153,7 @@ static struct xtables_target tee_tg6_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
 	.revision      = 0,
-	.family        = PF_INET6,
+	.family        = NFPROTO_IPV6,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,

extensions/libxt_condition.c

@@ -80,7 +80,7 @@ static void condition_save(const void *ip, const struct xt_entry_match *match)
 static struct xtables_match condition_mt_reg = {
 	.name 		= "condition",
 	.revision	= 1,
-	.family		= PF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.version 	= XTABLES_VERSION,
 	.size 		= XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
 	.userspacesize 	= XT_ALIGN(sizeof(struct xt_condition_mtinfo)),

extensions/libxt_dhcpmac.c

@@ -85,7 +85,7 @@ static struct xtables_match dhcpmac_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "dhcpmac",
 	.revision      = 0,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.help          = dhcpmac_mt_help,

extensions/libxt_fuzzy.c

@@ -103,6 +103,7 @@ static struct xtables_match fuzzy_mt_reg = {
 	.name          = "fuzzy",
 	.revision      = 1,
 	.version       = XTABLES_VERSION,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
 	.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
 	.help          = fuzzy_mt_help,

extensions/libxt_geoip.c

@@ -259,7 +259,7 @@ geoip_save(const void *ip, const struct xt_entry_match *match)
 }
 
 static struct xtables_match geoip_match = {
-	 .family        = AF_INET,
+	 .family        = NFPROTO_IPV4,
 	 .name          = "geoip",
 	 .revision      = 1,
 	 .version       = XTABLES_VERSION,

extensions/libxt_iface.c

@@ -200,7 +200,7 @@ static struct xtables_match iface_mt_reg = {
 	.version	= XTABLES_VERSION,
 	.name		= "iface",
 	.revision	= 0,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.size		= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
 	.help		= iface_mt_help,

extensions/libxt_ipp2p.c

@@ -229,7 +229,7 @@ static struct xtables_match ipp2p_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipp2p",
 	.revision      = 1,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.userspacesize = XT_ALIGN(sizeof(struct ipt_p2p_info)),
 	.help          = ipp2p_mt_help,

extensions/libxt_ipv4options.c

@@ -161,7 +161,7 @@ static struct xtables_match ipv4options_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "ipv4options",
 	.revision      = 1,
-	.family        = PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
 	.help          = ipv4options_mt_help,

extensions/libxt_length2.c

@@ -155,7 +155,7 @@ static struct xtables_match length2_mt_reg = {
 	.version        = XTABLES_VERSION,
 	.name           = "length2",
 	.revision       = 2,
-	.family         = PF_UNSPEC,
+	.family         = NFPROTO_UNSPEC,
 	.size           = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
 	.userspacesize  = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
 	.init           = length_mt_init,

extensions/libxt_lscan.c

@@ -105,7 +105,7 @@ static struct xtables_match lscan_mt_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "lscan",
 	.revision      = 0,
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
 	.help          = lscan_mt_help,

extensions/libxt_psd.c

@@ -139,7 +139,7 @@ static struct xtables_match psd_mt_reg = {
 	.name			= "psd",
 	.version		= XTABLES_VERSION,
 	.revision   	= 1,
-	.family			= PF_INET,
+	.family        = NFPROTO_IPV4,
 	.size			= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.help			= psd_mt_help,

extensions/libxt_quota2.c

@@ -133,7 +133,7 @@ static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
 }
 
 static struct xtables_match quota_mt2_reg = {
-	.family        = AF_UNSPEC,
+	.family        = NFPROTO_UNSPEC,
 	.revision      = 3,
 	.name          = "quota2",
 	.version       = XTABLES_VERSION,

extensions/pknock/libxt_pknock.c

@@ -326,7 +326,7 @@ static struct xtables_match pknock_mt_reg = {
 	.name		= "pknock",
 	.version	= XTABLES_VERSION,
 	.revision      = 1,
-	.family		= AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
 	.help          = pknock_mt_help,

extensions/xt_DHCPMAC.c

@@ -139,7 +139,7 @@ static struct xt_match dhcpmac_mt_reg __read_mostly = {
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
 	.match      = dhcpmac_mt,
-	.matchsize  = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.matchsize  = sizeof(struct dhcpmac_info),
 	.me         = THIS_MODULE,
 };
 

extensions/xt_ECHO.c

@@ -113,7 +113,6 @@ static struct xt_target echo_tg_reg __read_mostly = {
 	.proto      = IPPROTO_UDP,
 	.table      = "filter",
 	.target     = echo_tg4,
-	.targetsize = XT_ALIGN(0),
 	.me         = THIS_MODULE,
 };
 

extensions/xt_IPMARK.c

@@ -86,7 +86,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.table      = "mangle",
 		.target     = ipmark_tg4,
-		.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
+		.targetsize = sizeof(struct xt_ipmark_tginfo),
 		.me         = THIS_MODULE,
 	},
 	{
@@ -95,7 +95,7 @@ static struct xt_target ipmark_tg_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.table      = "mangle",
 		.target     = ipmark_tg6,
-		.targetsize = XT_ALIGN(sizeof(struct xt_ipmark_tginfo)),
+		.targetsize = sizeof(struct xt_ipmark_tginfo),
 		.me         = THIS_MODULE,
 	},
 };

extensions/xt_SYSRQ.c

@@ -1,6 +1,6 @@
 /*
  *	"SYSRQ" target extension for Netfilter
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
  *
@@ -23,6 +23,10 @@
 #include <net/ip.h>
 #include "compat_xtables.h"
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) && \
+    (defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE))
+#	define WITH_CRYPTO 1
+#endif
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 #	define WITH_IPV6 1
 #endif
@@ -42,7 +46,7 @@ MODULE_PARM_DESC(hash, "hash algorithm, default sha1");
 MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
 MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#ifdef WITH_CRYPTO
 static struct crypto_hash *sysrq_tfm;
 static int sysrq_digest_size;
 static unsigned char *sysrq_digest_password;
@@ -204,8 +208,8 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 		return NF_DROP;
 
 	iph = ip_hdr(skb);
-	if (iph->protocol != IPPROTO_UDP)
-		return NF_ACCEPT; /* sink it */
+	if (iph->protocol != IPPROTO_UDP && iph->protocol != IPPROTO_UDPLITE)
+		return NF_DROP;
 
 	udph = (const void *)iph + ip_hdrlen(skb);
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
@@ -235,7 +239,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	iph = ipv6_hdr(skb);
 	if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
 	    frag_off > 0)
-		return NF_ACCEPT; /* sink it */
+		return NF_DROP;
 
 	udph = (const void *)iph + th_off;
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
@@ -296,10 +300,25 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 #endif
 };
 
-static int __init sysrq_tg_init(void)
+static void sysrq_crypto_exit(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#ifdef WITH_CRYPTO
+	if (sysrq_tfm)
+		crypto_free_hash(sysrq_tfm);
+	if (sysrq_digest)
+		kfree(sysrq_digest);
+	if (sysrq_hexdigest)
+		kfree(sysrq_hexdigest);
+	if (sysrq_digest_password)
+		kfree(sysrq_digest_password);
+#endif
+}
+
+static int __init sysrq_crypto_init(void)
+{
+#if defined(WITH_CRYPTO)
 	struct timeval now;
+	int ret;
 
 	sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
 	if (IS_ERR(sysrq_tfm)) {
@@ -307,10 +326,12 @@ static int __init sysrq_tg_init(void)
 			": Error: Could not find or load %s hash\n",
 			sysrq_hash);
 		sysrq_tfm = NULL;
+		ret = PTR_ERR(sysrq_tfm);
 		goto fail;
 	}
 	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
 	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
+	ret = -ENOMEM;
 	if (sysrq_digest == NULL) {
 		printk(KERN_WARNING KBUILD_MODNAME
 			": Cannot allocate digest\n");
@@ -330,33 +351,31 @@ static int __init sysrq_tg_init(void)
 	}
 	do_gettimeofday(&now);
 	sysrq_seqno = now.tv_sec;
-	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	if (ret < 0)
+		goto fail;
+	return ret;
 
  fail:
-	if (sysrq_tfm)
-		crypto_free_hash(sysrq_tfm);
-	if (sysrq_digest)
-		kfree(sysrq_digest);
-	if (sysrq_hexdigest)
-		kfree(sysrq_hexdigest);
-	if (sysrq_digest_password)
-		kfree(sysrq_digest_password);
-	return -EINVAL;
-#else
-	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for <= 2.6.18\n");
-	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	sysrq_crypto_exit();
+	return ret;
+#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 19)
+	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for < 2.6.19\n");
 #endif
+	return -EINVAL;
+}
+
+static int __init sysrq_tg_init(void)
+{
+	if (sysrq_crypto_init() < 0)
+		printk(KERN_WARNING "xt_SYSRQ starting without crypto\n");
+	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 }
 
 static void __exit sysrq_tg_exit(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	crypto_free_hash(sysrq_tfm);
-	kfree(sysrq_digest);
-	kfree(sysrq_hexdigest);
-	kfree(sysrq_digest_password);
-#endif
-	return xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+	sysrq_crypto_exit();
+	xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 }
 
 module_init(sysrq_tg_init);

extensions/xt_TEE.c

@@ -232,6 +232,7 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 
 	memset(&fl, 0, sizeof(fl));
 	fl.iif = skb_ifindex(skb);
+	/* No mark in flowi before 2.6.19 */
 #if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
 	fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)

extensions/xt_condition.c

@@ -35,6 +35,7 @@ static unsigned int condition_gid_perms = 0;
 
 MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
 MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Allows rules to match against condition variables");
 MODULE_LICENSE("GPL");
 module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
@@ -55,7 +56,7 @@ struct condition_variable {
 
 /* proc_lock is a user context only semaphore used for write access */
 /*           to the conditions' list.                               */
-static struct semaphore proc_lock;
+static struct mutex proc_lock;
 
 static LIST_HEAD(conditions_list);
 static struct proc_dir_entry *proc_net_condition;
@@ -69,7 +70,6 @@ static int condition_proc_read(char __user *buffer, char **start, off_t offset,
 	buffer[1] = '\n';
 	if (length >= 2)
 		*eof = true;
-
 	return 2;
 }
 
@@ -92,7 +92,6 @@ static int condition_proc_write(struct file *file, const char __user *buffer,
 			break;
 		}
 	}
-
 	return length;
 }
 
@@ -124,18 +123,17 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 		       info->name);
 		return false;
 	}
-
 	/*
 	 * Let's acquire the lock, check for the condition and add it
 	 * or increase the reference counter.
 	 */
-	if (down_interruptible(&proc_lock))
+	if (mutex_lock_interruptible(&proc_lock) != 0)
 		return false;
 
 	list_for_each_entry(var, &conditions_list, list) {
 		if (strcmp(info->name, var->status_proc->name) == 0) {
 			var->refcount++;
-			up(&proc_lock);
+			mutex_unlock(&proc_lock);
 			info->condvar = var;
 			return true;
 		}
@@ -143,19 +141,17 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 
 	/* At this point, we need to allocate a new condition variable. */
 	var = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);
-
 	if (var == NULL) {
-		up(&proc_lock);
+		mutex_unlock(&proc_lock);
 		return false;
 	}
 
 	/* Create the condition variable's proc file entry. */
 	var->status_proc = create_proc_entry(info->name, condition_list_perms,
 	                   proc_net_condition);
-
 	if (var->status_proc == NULL) {
 		kfree(var);
-		up(&proc_lock);
+		mutex_unlock(&proc_lock);
 		return false;
 	}
 
@@ -168,14 +164,10 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 	wmb();
 	var->status_proc->read_proc  = condition_proc_read;
 	var->status_proc->write_proc = condition_proc_write;
-
 	list_add_rcu(&var->list, &conditions_list);
-
 	var->status_proc->uid = condition_uid_perms;
 	var->status_proc->gid = condition_gid_perms;
-
-	up(&proc_lock);
-
+	mutex_unlock(&proc_lock);
 	info->condvar = var;
 	return true;
 }
@@ -185,11 +177,11 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 	const struct xt_condition_mtinfo *info = par->matchinfo;
 	struct condition_variable *var = info->condvar;
 
-	down(&proc_lock);
+	mutex_lock(&proc_lock);
 	if (--var->refcount == 0) {
 		list_del_rcu(&var->list);
 		remove_proc_entry(var->status_proc->name, proc_net_condition);
-		up(&proc_lock);
+		mutex_unlock(&proc_lock);
 		/*
 		 * synchronize_rcu() would be good enough, but
 		 * synchronize_net() guarantees that no packet
@@ -200,7 +192,7 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 		kfree(var);
 		return;
 	}
-	up(&proc_lock);
+	mutex_unlock(&proc_lock);
 }
 
 static struct xt_match condition_mt_reg[] __read_mostly = {
@@ -208,7 +200,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 		.name       = "condition",
 		.revision   = 1,
 		.family     = NFPROTO_IPV4,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
+		.matchsize  = sizeof(struct xt_condition_mtinfo),
 		.match      = condition_mt,
 		.checkentry = condition_mt_check,
 		.destroy    = condition_mt_destroy,
@@ -218,7 +210,7 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 		.name       = "condition",
 		.revision   = 1,
 		.family     = NFPROTO_IPV6,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_condition_mtinfo)),
+		.matchsize  = sizeof(struct xt_condition_mtinfo),
 		.match      = condition_mt,
 		.checkentry = condition_mt_check,
 		.destroy    = condition_mt_destroy,
@@ -232,7 +224,7 @@ static int __init condition_mt_init(void)
 {
 	int ret;
 
-	sema_init(&proc_lock, 1);
+	mutex_init(&proc_lock);
 	proc_net_condition = proc_mkdir(dir_name, init_net__proc_net);
 	if (proc_net_condition == NULL)
 		return -EACCES;

extensions/xt_fuzzy.c

@@ -146,7 +146,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+		.matchsize  = sizeof(struct xt_fuzzy_mtinfo),
 		.me         = THIS_MODULE,
 	},
 	{
@@ -155,7 +155,7 @@ static struct xt_match fuzzy_mt_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.match      = fuzzy_mt,
 		.checkentry = fuzzy_mt_check,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+		.matchsize  = sizeof(struct xt_fuzzy_mtinfo),
 		.me         = THIS_MODULE,
 	},
 };

extensions/xt_iface.c

@@ -71,7 +71,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
 		.name       = "iface",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.matchsize  = sizeof(struct xt_iface_mtinfo),
 		.match      = xt_iface_mt,
 		.me         = THIS_MODULE,
 	},
@@ -79,7 +79,7 @@ static struct xt_match xt_iface_mt_reg[] __read_mostly = {
 		.name       = "iface",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.matchsize  = XT_ALIGN(sizeof(struct xt_iface_mtinfo)),
+		.matchsize  = sizeof(struct xt_iface_mtinfo),
 		.match      = xt_iface_mt,
 		.me         = THIS_MODULE,
 	},

extensions/xt_ipp2p.c

@@ -505,19 +505,18 @@ search_bittorrent(const unsigned char *payload, const unsigned int plen)
 		if (payload[0] == 0x13)
 			if (memcmp(payload + 1, "BitTorrent protocol", 19) == 0)
 				return IPP2P_BIT * 100;
-
 		/*
-		 * get tracker commandos, all starts with GET /
-		 * then it can follow: scrape| announce
-		 * and then ?hash_info=
+		 * Any tracker command starts with GET / then *may be* some file on web server
+		 * (e.g. announce.php or dupa.pl or whatever.cgi or NOTHING for tracker on root dir)
+		 * but *must have* one (or more) of strings listed below (true for scrape and announce)
 		 */
 		if (memcmp(payload, "GET /", 5) == 0) {
-			/* message scrape */
-			if (memcmp(payload + 5, "scrape?info_hash=", 17) == 0)
+			if (HX_memmem(payload, plen, "info_hash=", 9) != NULL)
 				return IPP2P_BIT * 100 + 1;
-			/* message announce */
-			if (memcmp(payload + 5, "announce?info_hash=", 19) == 0)
+			if (HX_memmem(payload, plen, "peer_id=", 8) != NULL)
 				return IPP2P_BIT * 100 + 2;
+			if (HX_memmem(payload, plen, "passkey=", 8) != NULL)
+				return IPP2P_BIT * 100 + 4;
 		}
 	} else {
 	    	/* bitcomet encryptes the first packet, so we have to detect another

extensions/xt_ipv4options.c

@@ -50,7 +50,7 @@ static struct xt_match ipv4options_mt_reg __read_mostly = {
 	.revision  = 1,
 	.family    = NFPROTO_IPV4,
 	.match     = ipv4options_mt,
-	.matchsize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.matchsize = sizeof(struct xt_ipv4options_mtinfo1),
 	.me        = THIS_MODULE,
 };
 

extensions/xt_psd.c

@@ -312,7 +312,7 @@ out_match:
 
 static struct xt_match xt_psd_reg __read_mostly = {
 	.name		= "psd",
-    .family		= AF_INET,
+	.family    = NFPROTO_IPV4,
 	.revision  = 1,
 	.match		= xt_psd_match,
 	.matchsize	= sizeof(struct xt_psd_info),

include/linux/netfilter.h

@@ -3,6 +3,7 @@
 
 #include <linux/types.h>
 
+
 /* Responses from hook functions. */
 #define NF_DROP 0
 #define NF_ACCEPT 1
@@ -37,6 +38,16 @@ enum nf_inet_hooks {
 	NF_INET_NUMHOOKS
 };
 
+enum {
+	NFPROTO_UNSPEC =  0,
+	NFPROTO_IPV4   =  2,
+	NFPROTO_ARP    =  3,
+	NFPROTO_BRIDGE =  7,
+	NFPROTO_IPV6   = 10,
+	NFPROTO_DECNET = 12,
+	NFPROTO_NUMPROTO,
+};
+
 union nf_inet_addr {
 	__u32		all[4];
 	__be32		ip;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.23 (2010-02-24)" "" "v1.23 (2010-02-24)"
+.TH xtables-addons 8 "v1.24 (2010-03-17)" "" "v1.24 (2010-03-17)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets