Xtables-addons 1.27

Since the last merge of the "api35" branch, further changes were
included into nf-next. This set of three commits updates the
xtables-addons API to match that.

INSTALL

@@ -4,7 +4,7 @@ Installation instructions for Xtables-addons
 Xtables-addons uses the well-known configure(autotools) infrastructure
 in combination with the kernel's Kbuild system.
 
-	$ ./configure
+	$ ./configure --with-xtlibdir=SEE_BELOW
 	$ make
 	# make install
 
@@ -55,7 +55,10 @@ Configuring and compiling
 
 	Specifies the path to where the newly built extensions should
 	be installed when `make install` is run. It uses the same
-	default as the Xtables/iptables package, ${libexecdir}/xtables.
+	default as the Xtables/iptables package, ${libexecdir}/xtables,
+	but you may need to specify this nevertheless, as autotools
+	defaults to using /usr/local as prefix, and distributions put
+	the files in differing locations.
 
 If you want to enable debugging, use
 

Makefile.am

@@ -16,10 +16,15 @@ install-exec-hook:
 
 config.status: Makefile.iptrules.in
 
+tmpdir := $(shell mktemp -dtu)
+packer  = xz
+packext = .tar.xz
+
 .PHONY: tarball
 tarball:
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
-	pushd ${top_srcdir} && git archive --prefix=xtables-addons-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
-	pushd /tmp/xtables-addons-${PACKAGE_VERSION} && ./autogen.sh && popd;
-	tar -C /tmp -cjf xtables-addons-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root xtables-addons-${PACKAGE_VERSION}/;
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
+# do not use mkdir_p here.
+	mkdir ${tmpdir}
+	pushd ${top_srcdir} && git archive --prefix=${PACKAGE_NAME}-${PACKAGE_VERSION}/ HEAD | tar -C ${tmpdir} -x && popd;
+	pushd ${tmpdir}/${PACKAGE_NAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
+	tar --use=${packer} -C ${tmpdir} -cf ${PACKAGE_NAME}-${PACKAGE_VERSION}${packext} --owner=root --group=root ${PACKAGE_NAME}-${PACKAGE_VERSION}/;
+	rm -Rf ${tmpdir};

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.24])
+AC_INIT([xtables-addons], [1.27])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -62,7 +62,7 @@ else
 	fi;
 fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 34; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 35; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \

doc/changelog.txt

@@ -3,6 +3,29 @@ HEAD
 ====
 
 
+Xtables-addons 1.27 (May 16 2010)
+=================================
+- further updates for the upcoming 2.6.35 changes
+
+
+Xtables-addons 1.26 (April 30 2010)
+===================================
+- compat_xtables: fix 2.6.34 compile error due to a typo
+
+
+Xtables-addons 1.25 (April 26 2010)
+===================================
+- TEE: do rechecksumming in PREROUTING too
+- TEE: decrease TTL on cloned packet
+- TEE: set dont-fragment on cloned packets
+- TEE: free skb when route lookup failed
+- TEE: do not limit use to mangle table
+- TEE: do not retain iif and mark on cloned packet
+- TEE: new loop detection logic
+- TEE: use less expensive pskb_copy
+- condition: remove unnecessary RCU protection
+
+
 Xtables-addons 1.24 (March 17 2010)
 ===================================
 - build: fix build of userspace modules against old (pre-2.6.25)

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -264,7 +264,7 @@ static int ipt_acc_table_insert(const char *name, __be32 ip, __be32 netmask)
 	return -1;
 }
 
-static bool ipt_acc_checkentry(const struct xt_tgchk_param *par)
+static int ipt_acc_checkentry(const struct xt_tgchk_param *par)
 {
 	struct ipt_acc_info *info = par->targinfo;
 	int table_nr;
@@ -276,13 +276,13 @@ static bool ipt_acc_checkentry(const struct xt_tgchk_param *par)
 
 	if (table_nr == -1) {
 		printk("ACCOUNT: Table insert problem. Aborting\n");
-		return false;
+		return -EINVAL;
 	}
 	/* Table nr caching so we don't have to do an extra string compare
 	   for every packet */
 	info->table_nr = table_nr;
 
-	return true;
+	return 0;
 }
 
 static void ipt_acc_destroy(const struct xt_tgdtor_param *par)
@@ -478,7 +478,7 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
 	}
 }
 
-static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target_param *par)
+static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct ipt_acc_info *info =
 		par->targinfo;

extensions/Makefile.am

@@ -7,6 +7,8 @@
 _kcall = -C ${kbuilddir} M=${abs_srcdir}
 
 modules:
+	@echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux "
+	@if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} --no-print-directory -s kernelrelease; fi;
 	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi;
 
 modules_install:

extensions/compat_xtables.c

@@ -1,6 +1,6 @@
 /*
  *	API compat layer
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License, either
@@ -34,25 +34,49 @@ static bool xtnu_match_run(const struct sk_buff *skb,
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);
-	bool lo_drop = false, lo_ret;
-	struct xt_match_param local_par = {
-		.in        = in,
-		.out       = out,
-		.match     = cm,
-		.matchinfo = matchinfo,
-		.fragoff   = offset,
-		.thoff     = protoff,
-		.hotdrop   = &lo_drop,
-		.family    = NFPROTO_UNSPEC, /* don't have that info */
-	};
+	bool lo_ret;
+	struct xt_action_param local_par;
+	local_par.in        = in;
+	local_par.out       = out;
+	local_par.match     = cm;
+	local_par.matchinfo = matchinfo;
+	local_par.fragoff   = offset;
+	local_par.thoff     = protoff;
+	local_par.hotdrop   = false;
+	local_par.family    = NFPROTO_UNSPEC; /* don't have that info */
 
 	if (nm == NULL || nm->match == NULL)
 		return false;
 	lo_ret = nm->match(skb, &local_par);
-	*hotdrop = lo_drop;
+	*hotdrop = local_par.hotdrop;
 	return lo_ret;
 }
 #endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_match_run(const struct sk_buff *skb,
+    const struct xt_match_param *par)
+{
+	struct xtnu_match *nm = xtcompat_numatch(par->match);
+	struct xt_action_param local_par;
+	bool ret;
+
+	local_par.in        = par->in;
+	local_par.out       = par->out;
+	local_par.match     = par->match;
+	local_par.matchinfo = par->matchinfo;
+	local_par.fragoff   = par->fragoff;
+	local_par.thoff     = par->thoff;
+	local_par.hotdrop   = false;
+	local_par.family    = par->family;
+
+	if (nm == NULL || nm->match == NULL)
+		return false;
+	ret = nm->match(skb, &local_par);
+	*par->hotdrop = local_par.hotdrop;
+	return ret;
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_match_check(const char *table, const void *entry,
@@ -84,6 +108,19 @@ static bool xtnu_match_check(const char *table, const void *entry,
 	return nm->checkentry(&local_par);
 }
 #endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_match_check(const struct xt_mtchk_param *par)
+{
+	struct xtnu_match *nm = xtcompat_numatch(par->match);
+
+	if (nm == NULL)
+		return false;
+	if (nm->checkentry == NULL)
+		return true;
+	return nm->checkentry(par) == 0 ? true : false;
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo,
@@ -105,7 +142,7 @@ static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
 }
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 int xtnu_register_match(struct xtnu_match *nt)
 {
 	struct xt_match *ct;
@@ -127,9 +164,19 @@ int xtnu_register_match(struct xtnu_match *nt)
 	ct->table      = (char *)nt->table;
 	ct->hooks      = nt->hooks;
 	ct->proto      = nt->proto;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ct->match      = xtnu_match_run;
 	ct->checkentry = xtnu_match_check;
 	ct->destroy    = xtnu_match_destroy;
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	ct->match      = xtnu_match_run;
+	ct->checkentry = xtnu_match_check;
+	ct->destroy    = nt->destroy;
+#else
+	ct->match      = nt->match;
+	ct->checkentry = xtnu_match_check;
+	ct->destroy    = nt->destroy;
+#endif
 	ct->matchsize  = nt->matchsize;
 	ct->me         = nt->me;
 
@@ -188,35 +235,55 @@ static unsigned int xtnu_target_run(struct sk_buff **pskb,
 static unsigned int xtnu_target_run(struct sk_buff *skb,
     const struct net_device *in, const struct net_device *out,
     unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-#else
-static unsigned int
-xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
 #endif
-{
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+{
 	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_target_param local_par = {
-		.in       = in,
-		.out      = out,
-		.hooknum  = hooknum,
-		.target   = ct,
-		.targinfo = targinfo,
-		.family   = NFPROTO_UNSPEC,
-	};
-#else
-	struct xtnu_target *nt = xtcompat_nutarget(par->target);
-#endif
+	struct xt_action_param local_par;
+
+	local_par.in       = in;
+	local_par.out      = out;
+	local_par.hooknum  = hooknum;
+	local_par.target   = ct;
+	local_par.targinfo = targinfo;
+	local_par.family   = NFPROTO_UNSPEC;
 
 	if (nt != NULL && nt->target != NULL)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 		return nt->target(pskb, &local_par);
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 		return nt->target(&skb, &local_par);
-#else
-		return nt->target(&skb, par);
 #endif
 	return XT_CONTINUE;
 }
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+	struct xt_action_param local_par;
+
+	local_par.in       = par->in;
+	local_par.out      = par->out;
+	local_par.hooknum  = par->hooknum;
+	local_par.target   = par->target;
+	local_par.targinfo = par->targinfo;
+	local_par.family   = par->family;
+
+	return nt->target(&skb, &local_par);
+}
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+
+	return nt->target(&skb, par);
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_target_check(const char *table, const void *entry,
@@ -250,6 +317,20 @@ static bool xtnu_target_check(const char *table, const void *entry,
 }
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_target_check(const struct xt_tgchk_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+
+	if (nt == NULL)
+		return false;
+	if (nt->checkentry == NULL)
+		return true;
+	return nt->checkentry(par) == 0 ? true : false;
+}
+#endif
+
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo,
     unsigned int targinfosize)
@@ -295,6 +376,9 @@ int xtnu_register_target(struct xtnu_target *nt)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ct->checkentry = xtnu_target_check;
 	ct->destroy    = xtnu_target_destroy;
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	ct->checkentry = xtnu_target_check;
+	ct->destroy    = nt->destroy;
 #else
 	ct->checkentry = nt->checkentry;
 	ct->destroy    = nt->destroy;

extensions/compat_xtables.h

@@ -60,7 +60,7 @@
 #	define init_net__proc_net     init_net.proc_net
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 #	define xt_match              xtnu_match
 #	define xt_register_match     xtnu_register_match
 #	define xt_unregister_match   xtnu_unregister_match

extensions/compat_xtnu.h

@@ -32,16 +32,6 @@ enum {
 	NFPROTO_NUMPROTO,
 };
 
-struct xt_match_param {
-	const struct net_device *in, *out;
-	const struct xt_match *match;
-	const void *matchinfo;
-	int fragoff;
-	unsigned int thoff;
-	bool *hotdrop;
-	u_int8_t family;
-};
-
 struct xt_mtchk_param {
 	const char *table;
 	const void *entryinfo;
@@ -81,33 +71,52 @@ struct xt_tgdtor_param {
 };
 #endif
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+struct xt_action_param {
+	union {
+		const struct xt_match *match;
+		const struct xt_target *target;
+	};
+	union {
+		const void *matchinfo, *targinfo;
+	};
+	const struct net_device *in, *out;
+	int fragoff;
+	unsigned int thoff, hooknum;
+	u_int8_t family;
+	bool hotdrop;
+};
+#endif
+
 struct xtnu_match {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
-	bool (*match)(const struct sk_buff *, const struct xt_match_param *);
-	bool (*checkentry)(const struct xt_mtchk_param *);
+	/*
+	 * Making it smaller by sizeof(void *) on purpose to catch
+	 * lossy translation, if any.
+	 */
+	char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
+	bool (*match)(const struct sk_buff *, struct xt_action_param *);
+	int (*checkentry)(const struct xt_mtchk_param *);
 	void (*destroy)(const struct xt_mtdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int matchsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_match;
 };
 
 struct xtnu_target {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
+	char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
 	unsigned int (*target)(struct sk_buff **,
-		const struct xt_target_param *);
-	bool (*checkentry)(const struct xt_tgchk_param *);
+		const struct xt_action_param *);
+	int (*checkentry)(const struct xt_tgchk_param *);
 	void (*destroy)(const struct xt_tgdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int targetsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_target;
 };

extensions/ipset/ipt_SET.c

@@ -29,7 +29,7 @@
 #include "../compat_xtables.h"
 
 static unsigned int
-target(struct sk_buff **pskb, const struct xt_target_param *par)
+target(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct ipt_set_info_target *info = par->targinfo;
 
@@ -45,7 +45,7 @@ target(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static bool
+static int
 checkentry(const struct xt_tgchk_param *par)
 {
 	struct ipt_set_info_target *info = par->targinfo;
@@ -54,7 +54,7 @@ checkentry(const struct xt_tgchk_param *par)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (targinfosize != IPT_ALIGN(sizeof(*info))) {
 		DP("bad target info size %u", targinfosize);
-		return 0;
+		return -EINVAL;
 	}
 #endif
 
@@ -63,7 +63,7 @@ checkentry(const struct xt_tgchk_param *par)
 		if (index == IP_SET_INVALID_ID) {
 			ip_set_printk("cannot find add_set index %u as target",
 				      info->add_set.index);
-			return 0;	/* error */
+			return -EINVAL;
 		}
 	}
 
@@ -72,16 +72,16 @@ checkentry(const struct xt_tgchk_param *par)
 		if (index == IP_SET_INVALID_ID) {
 			ip_set_printk("cannot find del_set index %u as target",
 				      info->del_set.index);
-			return 0;	/* error */
+			return -EINVAL;
 		}
 	}
 	if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
 	    || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
 		ip_set_printk("That's nasty!");
-		return 0;	/* error */
+		return -EINVAL;
 	}
 
-	return 1;
+	return 0;
 }
 
 static void destroy(const struct xt_tgdtor_param *par)

extensions/ipset/ipt_set.c

@@ -38,7 +38,7 @@ match_set(const struct ipt_set_info *info,
 }
 
 static bool
-match(const struct sk_buff *skb, const struct xt_match_param *par)
+match(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_set_info_match *info = par->matchinfo;
 		
@@ -47,7 +47,7 @@ match(const struct sk_buff *skb, const struct xt_match_param *par)
 			 info->match_set.flags[0] & IPSET_MATCH_INV);
 }
 
-static bool
+static int
 checkentry(const struct xt_mtchk_param *par)
 {
 	struct ipt_set_info_match *info = par->matchinfo;
@@ -56,7 +56,7 @@ checkentry(const struct xt_mtchk_param *par)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
 		ip_set_printk("invalid matchsize %d", matchsize);
-		return 0;
+		return -EINVAL;
 	}
 #endif
 
@@ -65,14 +65,14 @@ checkentry(const struct xt_mtchk_param *par)
 	if (index == IP_SET_INVALID_ID) {
 		ip_set_printk("Cannot find set indentified by id %u to match",
 			      info->match_set.index);
-		return 0;	/* error */
+		return -ENOENT;
 	}
 	if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
 		ip_set_printk("That's nasty!");
-		return 0;	/* error */
+		return -EINVAL;
 	}
 
-	return 1;
+	return 0;
 }
 
 static void destroy(const struct xt_mtdtor_param *par)

extensions/pknock/xt_pknock.c

@@ -958,7 +958,7 @@ is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
 }
 
 static bool pknock_mt(const struct sk_buff *skb,
-    const struct xt_match_param *par)
+    struct xt_action_param *par)
 {
 	const struct xt_pknock_mtinfo *info = par->matchinfo;
 	struct xt_pknock_rule *rule;
@@ -975,7 +975,7 @@ static bool pknock_mt(const struct sk_buff *skb,
 		/* We've been asked to examine this packet, and we
 		 * can't. Hence, no choice but to drop.
 		 */
-		*par->hotdrop = true;
+		par->hotdrop = true;
 		return false;
 	}
 
@@ -1064,9 +1064,9 @@ out:
 	return ret;
 }
 
-#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return false; } while (false)
+#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return -EINVAL; } while (false)
 
-static bool pknock_mt_check(const struct xt_mtchk_param *par)
+static int pknock_mt_check(const struct xt_mtchk_param *par)
 {
 	struct xt_pknock_mtinfo *info = par->matchinfo;
 
@@ -1124,9 +1124,10 @@ static bool pknock_mt_check(const struct xt_mtchk_param *par)
 	}
 
 	if (!add_rule(info))
+		/* should ENOMEM here */
 		RETURN_ERR("add_rule() error in checkentry() function.\n");
 
-	return true;
+	return 0;
 }
 
 static void pknock_mt_destroy(const struct xt_mtdtor_param *par)

extensions/xt_CHAOS.c

@@ -45,7 +45,7 @@ static const struct xt_tcp tcp_params = {
 
 /* CHAOS functions */
 static void
-xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
+xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_chaos_tginfo *info = par->targinfo;
 	const struct iphdr *iph = ip_hdr(skb);
@@ -62,7 +62,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ret = xm_tcp->match(skb, par->in, par->out, xm_tcp, &tcp_params,
 	                    fragoff, thoff, &hotdrop);
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 	{
 		struct xt_match_param local_par = {
 			.in        = par->in,
@@ -75,6 +75,19 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
 		};
 		ret = xm_tcp->match(skb, &local_par);
 	}
+#else
+	{
+		struct xt_action_param local_par;
+		local_par.in        = par->in,
+		local_par.out       = par->out,
+		local_par.match     = xm_tcp;
+		local_par.matchinfo = &tcp_params;
+		local_par.fragoff   = fragoff;
+		local_par.thoff     = thoff;
+		local_par.hotdrop   = false;
+		ret = xm_tcp->match(skb, &local_par);
+		hotdrop = local_par.hotdrop;
+	}
 #endif
 	if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
 		return;
@@ -86,17 +99,34 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
 	destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL);
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	destiny->target(skb, par->in, par->out, par->hooknum, destiny, NULL);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	{
+		struct xt_target_param local_par = {
+			.in       = par->in,
+			.out      = par->out,
+			.hooknum  = par->hooknum,
+			.target   = destiny,
+			.targinfo = par->targinfo,
+			.family   = par->family,
+		};
+		destiny->target(skb, &local_par);
+	}
 #else
 	{
-		struct xt_target_param local_par = *par;
-		local_par.target = destiny;
+		struct xt_action_param local_par;
+		local_par.in       = par->in;
+		local_par.out      = par->out;
+		local_par.hooknum  = par->hooknum;
+		local_par.target   = destiny;
+		local_par.targinfo = par->targinfo;
+		local_par.family   = par->family;
 		destiny->target(skb, &local_par);
 	}
 #endif
 }
 
 static unsigned int
-chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	/*
 	 * Equivalent to:
@@ -120,7 +150,7 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 		return xt_reject->target(skb, par->in, par->out, par->hooknum,
 		       xt_reject, &reject_params);
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 		struct xt_target_param local_par = {
 			.in       = par->in,
 			.out      = par->out,
@@ -129,6 +159,14 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 			.targinfo = &reject_params,
 		};
 		return xt_reject->target(skb, &local_par);
+#else
+		struct xt_action_param local_par;
+		local_par.in       = par->in;
+		local_par.out      = par->out;
+		local_par.hooknum  = par->hooknum;
+		local_par.target   = xt_reject;
+		local_par.targinfo = &reject_params;
+		return xt_reject->target(skb, &local_par);
 #endif
 	}
 
@@ -141,22 +179,22 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	return NF_DROP;
 }
 
-static bool chaos_tg_check(const struct xt_tgchk_param *par)
+static int chaos_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_chaos_tginfo *info = par->targinfo;
 
 	if (info->variant == XTCHAOS_DELUDE && !have_delude) {
 		printk(KERN_WARNING PFX "Error: Cannot use --delude when "
 		       "DELUDE module not available\n");
-		return false;
+		return -EINVAL;
 	}
 	if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
 		printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
 		       "TARPIT module not available\n");
-		return false;
+		return -EINVAL;
 	}
 
-	return true;
+	return 0;
 }
 
 static struct xt_target chaos_tg_reg = {

extensions/xt_DELUDE.c

@@ -143,7 +143,7 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
 }
 
 static unsigned int
-delude_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+delude_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	/* WARNING: This code causes reentry within iptables.
 	   This means that the iptables jump stack is now crap.  We

extensions/xt_DHCPMAC.c

@@ -69,7 +69,7 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
 }
 
 static bool
-dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dhcpmac_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct dhcpmac_info *info = par->matchinfo;
 	const struct dhcp_message *dh;
@@ -89,7 +89,7 @@ dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 
 static unsigned int
-dhcpmac_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+dhcpmac_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct dhcpmac_info *info = par->targinfo;
 	struct dhcp_message dhcpbuf, *dh;

extensions/xt_ECHO.c

@@ -21,7 +21,7 @@
 #include "compat_xtables.h"
 
 static unsigned int
-echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
+echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *oldskb = *poldskb;
 	const struct udphdr *oldudp;

extensions/xt_IPMARK.c

@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_IPMARK");
 MODULE_ALIAS("ip6t_IPMARK");
 
 static unsigned int
-ipmark_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+ipmark_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_ipmark_tginfo *ipmarkinfo = par->targinfo;
 	const struct sk_buff *skb = *pskb;
@@ -61,7 +61,7 @@ static __u32 ipmark_from_ip6(const struct in6_addr *a, unsigned int s)
 }
 
 static unsigned int
-ipmark_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+ipmark_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_ipmark_tginfo *info = par->targinfo;
 	const struct sk_buff *skb = *pskb;

extensions/xt_LOGMARK.c

@@ -30,7 +30,7 @@ static const char *const dir_names[] = {
 };
 
 static unsigned int
-logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct xt_logmark_tginfo *info = par->targinfo;
@@ -81,17 +81,17 @@ logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static bool
+static int
 logmark_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_logmark_tginfo *info = par->targinfo;
 
 	if (info->level >= 8) {
 		pr_debug("LOGMARK: level %u >= 8\n", info->level);
-		return false;
+		return -EINVAL;
 	}
 
-	return true;
+	return 0;
 }
 
 static struct xt_target logmark_tg_reg[] __read_mostly = {

extensions/xt_RAWNAT.c

@@ -125,7 +125,7 @@ static unsigned int rawnat4_writable_part(const struct iphdr *iph)
 }
 
 static unsigned int
-rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+rawsnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	struct iphdr *iph;
@@ -147,7 +147,7 @@ rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 
 static unsigned int
-rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+rawdnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	struct iphdr *iph;
@@ -241,7 +241,7 @@ static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
 }
 
 static unsigned int
-rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	unsigned int l4offset, l4proto;
@@ -262,7 +262,7 @@ rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 
 static unsigned int
-rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	unsigned int l4offset, l4proto;
@@ -283,15 +283,15 @@ rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 #endif
 
-static bool rawnat_tg_check(const struct xt_tgchk_param *par)
+static int rawnat_tg_check(const struct xt_tgchk_param *par)
 {
 	if (strcmp(par->table, "raw") == 0 ||
 	    strcmp(par->table, "rawpost") == 0)
-		return true;
+		return 0;
 
 	printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or "
 	       "\"rawpost\" table.\n");
-	return false;
+	return -EINVAL;
 }
 
 static struct xt_target rawnat_tg_reg[] __read_mostly = {

extensions/xt_STEAL.c

@@ -8,7 +8,7 @@
 #include "compat_xtables.h"
 
 static unsigned int
-steal_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+steal_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	kfree_skb(*pskb);
 	return NF_STOLEN;

extensions/xt_SYSRQ.c

@@ -197,7 +197,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 #endif
 
 static unsigned int
-sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	struct sk_buff *skb = *pskb;
 	const struct iphdr *iph;
@@ -224,7 +224,7 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 
 #ifdef WITH_IPV6
 static unsigned int
-sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	struct sk_buff *skb = *pskb;
 	const struct ipv6hdr *iph;
@@ -253,9 +253,8 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 #endif
 
-static bool sysrq_tg_check(const struct xt_tgchk_param *par)
+static int sysrq_tg_check(const struct xt_tgchk_param *par)
 {
-
 	if (par->target->family == NFPROTO_IPV4) {
 		const struct ipt_entry *entry = par->entryinfo;
 
@@ -272,11 +271,11 @@ static bool sysrq_tg_check(const struct xt_tgchk_param *par)
 			goto out;
 	}
 
-	return true;
+	return 0;
 
  out:
 	printk(KERN_ERR KBUILD_MODNAME ": only available for UDP and UDP-Lite");
-	return false;
+	return -EINVAL;
 }
 
 static struct xt_target sysrq_tg_reg[] __read_mostly = {
@@ -332,23 +331,14 @@ static int __init sysrq_crypto_init(void)
 	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
 	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
 	ret = -ENOMEM;
-	if (sysrq_digest == NULL) {
-		printk(KERN_WARNING KBUILD_MODNAME
-			": Cannot allocate digest\n");
+	if (sysrq_digest == NULL)
 		goto fail;
-	}
 	sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
-	if (sysrq_hexdigest == NULL) {
-		printk(KERN_WARNING KBUILD_MODNAME
-			": Cannot allocate hexdigest\n");
+	if (sysrq_hexdigest == NULL)
 		goto fail;
-	}
 	sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
-	if (sysrq_digest_password == NULL) {
-		printk(KERN_WARNING KBUILD_MODNAME
-			": Cannot allocate password digest space\n");
+	if (sysrq_digest_password == NULL)
 		goto fail;
-	}
 	do_gettimeofday(&now);
 	sysrq_seqno = now.tv_sec;
 	ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));

extensions/xt_TARPIT.c

@@ -188,7 +188,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
 }
 
 static unsigned int
-tarpit_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);

extensions/xt_TEE.c

@@ -24,7 +24,6 @@
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #	define WITH_CONNTRACK 1
 #	include <net/netfilter/nf_conntrack.h>
-static struct nf_conn tee_track;
 #endif
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 #	define WITH_IPV6 1
@@ -33,51 +32,23 @@ static struct nf_conn tee_track;
 #include "compat_xtables.h"
 #include "xt_TEE.h"
 
+static bool tee_active[NR_CPUS];
 static const union nf_inet_addr tee_zero_address;
 
-/*
- * Try to route the packet according to the routing keys specified in
- * route_info. Keys are :
- *  - ifindex :
- *      0 if no oif preferred,
- *      otherwise set to the index of the desired oif
- *  - route_info->gateway :
- *      0 if no gateway specified,
- *      otherwise set to the next host to which the pkt must be routed
- * If success, skb->dev is the output device to which the packet must
- * be sent and skb->dst is not NULL
- *
- * RETURN: false - if an error occured
- *         true  - if the packet was succesfully routed to the
- *                 destination desired
- */
 static bool
 tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
 	const struct iphdr *iph = ip_hdr(skb);
-	int err;
 	struct rtable *rt;
 	struct flowi fl;
 
 	memset(&fl, 0, sizeof(fl));
-	fl.iif = skb_ifindex(skb);
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-	fl.nl_u.ip4_u.fwmark = skb_nfmark(skb);
-#else
-	fl.mark = skb_nfmark(skb);
-#endif
 	fl.nl_u.ip4_u.daddr = info->gw.ip;
 	fl.nl_u.ip4_u.tos   = RT_TOS(iph->tos);
 	fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
 
-	/* Trying to route the packet using the standard routing table. */
-	err = ip_route_output_key(&init_net, &rt, &fl);
-	if (err != 0) {
-		if (net_ratelimit())
-			pr_debug(KBUILD_MODNAME
-			         ": could not route packet (%d)", err);
+	if (ip_route_output_key(&init_net, &rt, &fl) != 0)
 		return false;
-	}
 
 	dst_release(skb_dst(skb));
 	skb_dst_set(skb, &rt->u.dst);
@@ -123,79 +94,58 @@ static void tee_tg_send(struct sk_buff *skb)
 		skb = skb2;
 	}
 
-	if (dst->hh != NULL) {
+	if (dst->hh != NULL)
 		neigh_hh_output(dst->hh, skb);
-	} else if (dst->neighbour != NULL) {
+	else if (dst->neighbour != NULL)
 		dst->neighbour->output(skb);
-	} else {
-		if (net_ratelimit())
-			pr_debug(KBUILD_MODNAME "no hdr & no neighbour cache!\n");
+	else
 		kfree_skb(skb);
-	}
 }
 
-/*
- * To detect and deter routed packet loopback when using the --tee option, we
- * take a page out of the raw.patch book: on the copied skb, we set up a fake
- * ->nfct entry, pointing to the local &route_tee_track. We skip routing
- * packets when we see they already have that ->nfct.
- */
 static unsigned int
-tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+tee_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct sk_buff *skb = *pskb;
+	struct iphdr *iph;
+	unsigned int cpu = smp_processor_id();
 
-#ifdef WITH_CONNTRACK
-	if (skb->nfct == &tee_track.ct_general) {
-		/*
-		 * Loopback - a packet we already routed, is to be
-		 * routed another time. Avoid that, now.
-		 */
-		if (net_ratelimit())
-			pr_debug(KBUILD_MODNAME "loopback - DROP!\n");
-		return NF_DROP;
-	}
-#endif
-
-	if (!skb_make_writable(pskb, sizeof(struct iphdr)))
-		return NF_DROP;
-	skb = *pskb;
-
-	/*
-	 * If we are in INPUT, the checksum must be recalculated since
-	 * the length could have changed as a result of defragmentation.
-	 */
-	if (par->hooknum == NF_INET_LOCAL_IN) {
-		struct iphdr *iph = ip_hdr(skb);
-		iph->check = 0;
-		iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
-	}
-
+	if (tee_active[cpu])
+		return XT_CONTINUE;
 	/*
 	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
 	 * the original skb, which should continue on its way as if nothing has
 	 * happened. The copy should be independently delivered to the TEE
 	 * --gateway.
 	 */
-	skb = skb_copy(skb, GFP_ATOMIC);
-	if (skb == NULL) {
-		if (net_ratelimit())
-			pr_debug(KBUILD_MODNAME "copy failed!\n");
+	skb = pskb_copy(skb, GFP_ATOMIC);
+	if (skb == NULL)
 		return XT_CONTINUE;
-	}
+	/*
+	 * If we are in PREROUTING/INPUT, the checksum must be recalculated
+	 * since the length could have changed as a result of defragmentation.
+	 *
+	 * We also decrease the TTL to mitigate potential TEE loops
+	 * between two hosts.
+	 *
+	 * Set %IP_DF so that the original source is notified of a potentially
+	 * decreased MTU on the clone route. IPv6 does this too.
+	 */
+	iph = ip_hdr(skb);
+	iph->frag_off |= htons(IP_DF);
+	if (par->hooknum == NF_INET_PRE_ROUTING ||
+	    par->hooknum == NF_INET_LOCAL_IN)
+		--iph->ttl;
+	ip_send_check(iph);
 
 #ifdef WITH_CONNTRACK
 	/*
-	 * Tell conntrack to forget this packet since it may get confused
-	 * when a packet is leaving with dst address == our address.
-	 * Good idea? Dunno. Need advice.
-	 *
-	 * NEW: mark the skb with our &tee_track, so we avoid looping
-	 * on any already routed packet.
+	 * Tell conntrack to forget this packet. It may have side effects to
+	 * see the same packet twice, as for example, accounting the original
+	 * connection for the cloned packet.
 	 */
 	nf_conntrack_put(skb->nfct);
-	skb->nfct     = &tee_track.ct_general;
+	skb->nfct     = &nf_conntrack_untracked.ct_general;
 	skb->nfctinfo = IP_CT_NEW;
 	nf_conntrack_get(skb->nfct);
 #endif
@@ -216,9 +166,13 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	 * Also on purpose, no fragmentation is done, to preserve the
 	 * packet as best as possible.
 	 */
-	if (tee_tg_route4(skb, info))
+	if (tee_tg_route4(skb, info)) {
+		tee_active[cpu] = true;
 		tee_tg_send(skb);
-
+		tee_active[cpu] = false;
+	} else {
+		kfree_skb(skb);
+	}
 	return XT_CONTINUE;
 }
 
@@ -231,13 +185,6 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 	struct flowi fl;
 
 	memset(&fl, 0, sizeof(fl));
-	fl.iif = skb_ifindex(skb);
-	/* No mark in flowi before 2.6.19 */
-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
-	fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
-	fl.mark = skb_nfmark(skb);
-#endif
 	fl.nl_u.ip6_u.daddr = info->gw.in6;
 	fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
 		(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
@@ -247,11 +194,8 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 #else
 	dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
 #endif
-	if (dst == NULL) {
-		if (net_ratelimit())
-			printk(KERN_ERR "ip6_route_output failed for tee\n");
+	if (dst == NULL)
 		return false;
-	}
 
 	dst_release(skb_dst(skb));
 	skb_dst_set(skb, dst);
@@ -261,40 +205,47 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 }
 
 static unsigned int
-tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+tee_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct sk_buff *skb = *pskb;
+	unsigned int cpu = smp_processor_id();
 
-	/* Try silence. */
-#ifdef WITH_CONNTRACK
-	if (skb->nfct == &tee_track.ct_general)
-		return NF_DROP;
-#endif
-
-	if ((skb = skb_copy(skb, GFP_ATOMIC)) == NULL)
+	if (tee_active[cpu])
+		return XT_CONTINUE;
+	skb = pskb_copy(skb, GFP_ATOMIC);
+	if (skb == NULL)
 		return XT_CONTINUE;
 
 #ifdef WITH_CONNTRACK
 	nf_conntrack_put(skb->nfct);
-	skb->nfct     = &tee_track.ct_general;
+	skb->nfct     = &nf_conntrack_untracked.ct_general;
 	skb->nfctinfo = IP_CT_NEW;
 	nf_conntrack_get(skb->nfct);
 #endif
-	if (tee_tg_route6(skb, info))
+	if (par->hooknum == NF_INET_PRE_ROUTING ||
+	    par->hooknum == NF_INET_LOCAL_IN) {
+		struct ipv6hdr *iph = ipv6_hdr(skb);
+		--iph->hop_limit;
+	}
+	if (tee_tg_route6(skb, info)) {
+		tee_active[cpu] = true;
 		tee_tg_send(skb);
-
+		tee_active[cpu] = false;
+	} else {
+		kfree_skb(skb);
+	}
 	return XT_CONTINUE;
 }
 #endif /* WITH_IPV6 */
 
-static bool tee_tg_check(const struct xt_tgchk_param *par)
+static int tee_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 
 	/* 0.0.0.0 and :: not allowed */
-	return memcmp(&info->gw, &tee_zero_address,
-	       sizeof(tee_zero_address)) != 0;
+	return (memcmp(&info->gw, &tee_zero_address,
+	       sizeof(tee_zero_address)) == 0) ? -EINVAL : 0;
 }
 
 static struct xt_target tee_tg_reg[] __read_mostly = {
@@ -302,7 +253,6 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 		.name       = "TEE",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.table      = "mangle",
 		.target     = tee_tg4,
 		.targetsize = sizeof(struct xt_tee_tginfo),
 		.checkentry = tee_tg_check,
@@ -313,7 +263,6 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 		.name       = "TEE",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.table      = "mangle",
 		.target     = tee_tg6,
 		.targetsize = sizeof(struct xt_tee_tginfo),
 		.checkentry = tee_tg_check,
@@ -324,27 +273,12 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 
 static int __init tee_tg_init(void)
 {
-#ifdef WITH_CONNTRACK
-	/*
-	 * Set up fake conntrack (stolen from raw.patch):
-	 * - to never be deleted, not in any hashes
-	 */
-	atomic_set(&tee_track.ct_general.use, 1);
-
-	/* - and look it like as a confirmed connection */
-	set_bit(IPS_CONFIRMED_BIT, &tee_track.status);
-
-	/* Initialize fake conntrack so that NAT will skip it */
-	tee_track.status |= IPS_NAT_DONE_MASK;
-#endif
-
 	return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
 }
 
 static void __exit tee_tg_exit(void)
 {
 	xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
-	/* [SC]: shoud not we cleanup tee_track here? */
 }
 
 module_init(tee_tg_init);

extensions/xt_condition.c

@@ -56,7 +56,7 @@ struct condition_variable {
 
 /* proc_lock is a user context only semaphore used for write access */
 /*           to the conditions' list.                               */
-static struct mutex proc_lock;
+static DEFINE_MUTEX(proc_lock);
 
 static LIST_HEAD(conditions_list);
 static struct proc_dir_entry *proc_net_condition;
@@ -96,20 +96,15 @@ static int condition_proc_write(struct file *file, const char __user *buffer,
 }
 
 static bool
-condition_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+condition_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_condition_mtinfo *info = par->matchinfo;
 	const struct condition_variable *var   = info->condvar;
-	bool x;
 
-	rcu_read_lock();
-	x = rcu_dereference(var->enabled);
-	rcu_read_unlock();
-
-	return x ^ info->invert;
+	return var->enabled ^ info->invert;
 }
 
-static bool condition_mt_check(const struct xt_mtchk_param *par)
+static int condition_mt_check(const struct xt_mtchk_param *par)
 {
 	struct xt_condition_mtinfo *info = par->matchinfo;
 	struct condition_variable *var;
@@ -121,21 +116,19 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 		printk(KERN_INFO KBUILD_MODNAME ": name not allowed or too "
 		       "long: \"%.*s\"\n", (unsigned int)sizeof(info->name),
 		       info->name);
-		return false;
+		return -EINVAL;
 	}
 	/*
 	 * Let's acquire the lock, check for the condition and add it
 	 * or increase the reference counter.
 	 */
-	if (mutex_lock_interruptible(&proc_lock) != 0)
-		return false;
-
+	mutex_lock(&proc_lock);
 	list_for_each_entry(var, &conditions_list, list) {
 		if (strcmp(info->name, var->status_proc->name) == 0) {
 			var->refcount++;
 			mutex_unlock(&proc_lock);
 			info->condvar = var;
-			return true;
+			return 0;
 		}
 	}
 
@@ -143,7 +136,7 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 	var = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);
 	if (var == NULL) {
 		mutex_unlock(&proc_lock);
-		return false;
+		return -ENOMEM;
 	}
 
 	/* Create the condition variable's proc file entry. */
@@ -152,7 +145,7 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 	if (var->status_proc == NULL) {
 		kfree(var);
 		mutex_unlock(&proc_lock);
-		return false;
+		return -ENOMEM;
 	}
 
 	var->refcount = 1;
@@ -164,12 +157,12 @@ static bool condition_mt_check(const struct xt_mtchk_param *par)
 	wmb();
 	var->status_proc->read_proc  = condition_proc_read;
 	var->status_proc->write_proc = condition_proc_write;
-	list_add_rcu(&var->list, &conditions_list);
+	list_add(&var->list, &conditions_list);
 	var->status_proc->uid = condition_uid_perms;
 	var->status_proc->gid = condition_gid_perms;
 	mutex_unlock(&proc_lock);
 	info->condvar = var;
-	return true;
+	return 0;
 }
 
 static void condition_mt_destroy(const struct xt_mtdtor_param *par)
@@ -179,16 +172,9 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 
 	mutex_lock(&proc_lock);
 	if (--var->refcount == 0) {
-		list_del_rcu(&var->list);
+		list_del(&var->list);
 		remove_proc_entry(var->status_proc->name, proc_net_condition);
 		mutex_unlock(&proc_lock);
-		/*
-		 * synchronize_rcu() would be good enough, but
-		 * synchronize_net() guarantees that no packet
-		 * will go out with the old rule after
-		 * succesful removal.
-		 */
-		synchronize_net();
 		kfree(var);
 		return;
 	}

extensions/xt_fuzzy.c

@@ -60,7 +60,7 @@ static uint8_t mf_low(uint32_t tx, uint32_t mini, uint32_t maxi)
 }
 
 static bool
-fuzzy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+fuzzy_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	struct xt_fuzzy_mtinfo *info = (void *)par->matchinfo;
 	unsigned long amount;
@@ -125,7 +125,7 @@ fuzzy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return false;
 }
 
-static bool fuzzy_mt_check(const struct xt_mtchk_param *par)
+static int fuzzy_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_fuzzy_mtinfo *info = par->matchinfo;
 
@@ -133,10 +133,10 @@ static bool fuzzy_mt_check(const struct xt_mtchk_param *par)
 	    info->maximum_rate > FUZZY_MAX_RATE ||
 	    info->minimum_rate >= info->maximum_rate) {
 		printk(KERN_INFO KBUILD_MODNAME ": bad values, please check.\n");
-		return false;
+		return -EDOM;
 	}
 
-	return true;
+	return 0;
 }
 
 static struct xt_match fuzzy_mt_reg[] __read_mostly = {

extensions/xt_geoip.c

@@ -46,23 +46,28 @@ geoip_add_node(const struct geoip_country_user __user *umem_ptr)
 	struct geoip_country_user umem;
 	struct geoip_country_kernel *p;
 	struct geoip_subnet *s;
+	int ret;
 
 	if (copy_from_user(&umem, umem_ptr, sizeof(umem)) != 0)
-		return NULL;
+		return ERR_PTR(-EFAULT);
 
 	p = kmalloc(sizeof(struct geoip_country_kernel), GFP_KERNEL);
 	if (p == NULL)
-		return NULL;
+		return ERR_PTR(-ENOMEM);
 
 	p->count   = umem.count;
 	p->cc      = umem.cc;
 
 	s = vmalloc(p->count * sizeof(struct geoip_subnet));
-	if (s == NULL)
+	if (s == NULL) {
+		ret = -ENOMEM;
 		goto free_p;
+	}
 	if (copy_from_user(s, (const void __user *)(unsigned long)umem.subnets,
-	    p->count * sizeof(struct geoip_subnet)) != 0)
+	    p->count * sizeof(struct geoip_subnet)) != 0) {
+		ret = -EFAULT;
 		goto free_s;
+	}
 
 	p->subnets = s;
 	atomic_set(&p->ref, 1);
@@ -78,7 +83,7 @@ geoip_add_node(const struct geoip_country_user __user *umem_ptr)
 	vfree(s);
  free_p:
 	kfree(p);
-	return NULL;
+	return ERR_PTR(ret);
 }
 
 static void geoip_try_remove_node(struct geoip_country_kernel *p)
@@ -136,7 +141,7 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
 }
 
 static bool
-xt_geoip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+xt_geoip_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_geoip_match_info *info = par->matchinfo;
 	const struct geoip_country_kernel *node;
@@ -168,7 +173,7 @@ xt_geoip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return info->flags & XT_GEOIP_INV;
 }
 
-static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
+static int xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
 {
 	struct xt_geoip_match_info *info = par->matchinfo;
 	struct geoip_country_kernel *node;
@@ -176,13 +181,15 @@ static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
 
 	for (i = 0; i < info->count; i++) {
 		node = find_node(info->cc[i]);
-		if (node == NULL)
-			if ((node = geoip_add_node((const void __user *)(unsigned long)info->mem[i].user)) == NULL) {
+		if (node == NULL) {
+			node = geoip_add_node((const void __user *)(unsigned long)info->mem[i].user);
+			if (IS_ERR(node)) {
 				printk(KERN_ERR
-						"xt_geoip: unable to load '%c%c' into memory\n",
-						COUNTRY(info->cc[i]));
-				return false;
+						"xt_geoip: unable to load '%c%c' into memory: %ld\n",
+						COUNTRY(info->cc[i]), PTR_ERR(node));
+				return PTR_ERR(node);
 			}
+		}
 
 		/* Overwrite the now-useless pointer info->mem[i] with
 		 * a pointer to the node's kernelspace structure.
@@ -192,7 +199,7 @@ static bool xt_geoip_mt_checkentry(const struct xt_mtchk_param *par)
 		info->mem[i].kernel = node;
 	}
 
-	return true;
+	return 0;
 }
 
 static void xt_geoip_mt_destroy(const struct xt_mtdtor_param *par)

extensions/xt_iface.c

@@ -41,7 +41,7 @@ static const struct xt_iface_flag_pairs xt_iface_lookup[] =
 };
 
 static bool xt_iface_mt(const struct sk_buff *skb,
-    const struct xt_match_param *par)
+    struct xt_action_param *par)
 {
 	const struct xt_iface_mtinfo *info = par->matchinfo;
 	struct net_device *dev;

extensions/xt_ipp2p.c

@@ -808,7 +808,7 @@ static const struct {
 };
 
 static bool
-ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_p2p_info *info = par->matchinfo;
 	const unsigned char  *haystack;

extensions/xt_ipv4options.c

@@ -29,7 +29,7 @@ static uint32_t ipv4options_rd(const uint8_t *data, int len)
 }
 
 static bool ipv4options_mt(const struct sk_buff *skb,
-    const struct xt_match_param *par)
+    struct xt_action_param *par)
 {
 	const struct xt_ipv4options_mtinfo1 *info = par->matchinfo;
 	const struct iphdr *iph = ip_hdr(skb);

extensions/xt_length2.c

@@ -137,7 +137,7 @@ static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
 }
 
 static bool
-length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+length2_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_length_mtinfo2 *info = par->matchinfo;
 	const struct iphdr *iph = ip_hdr(skb);
@@ -198,7 +198,7 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
 }
 
 static bool
-length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_length_mtinfo2 *info = par->matchinfo;
 	const struct ipv6hdr *iph = ipv6_hdr(skb);
@@ -209,7 +209,7 @@ length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 	if (info->flags & XT_LENGTH_LAYER3) {
 		len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
 	} else {
-		l4proto = llayer4_proto(skb, &thoff, par->hotdrop);
+		l4proto = llayer4_proto(skb, &thoff, &par->hotdrop);
 		if (l4proto == NEXTHDR_MAX)
 			return false;
 		if (info->flags & XT_LENGTH_LAYER4)

extensions/xt_lscan.c

@@ -171,7 +171,7 @@ static inline unsigned int lscan_mt_full(int mark,
 }
 
 static bool
-lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
@@ -216,16 +216,16 @@ lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	       (info->match_gr && ctdata->mark == mark_grscan);
 }
 
-static bool lscan_mt_check(const struct xt_mtchk_param *par)
+static int lscan_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
 	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
 	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
 		printk(KERN_WARNING PFX "Invalid flags\n");
-		return false;
+		return -EINVAL;
 	}
-	return true;
+	return 0;
 }
 
 static struct xt_match lscan_mt_reg[] __read_mostly = {

extensions/xt_psd.c

@@ -100,7 +100,7 @@ static inline int hashfunc(struct in_addr addr)
 }
 
 static bool
-xt_psd_match(const struct sk_buff *pskb, const struct xt_match_param *match)
+xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 {
 	const struct iphdr *iph;
 	const struct tcphdr *tcph;

extensions/xt_quota2.c

@@ -144,28 +144,26 @@ q2_get_counter(const struct xt_quota_mtinfo2 *q)
 	return NULL;
 }
 
-static bool quota_mt2_check(const struct xt_mtchk_param *par)
+static int quota_mt2_check(const struct xt_mtchk_param *par)
 {
 	struct xt_quota_mtinfo2 *q = par->matchinfo;
 
 	if (q->flags & ~XT_QUOTA_MASK)
-		return false;
+		return -EINVAL;
 
 	q->name[sizeof(q->name)-1] = '\0';
 	if (*q->name == '.' || strchr(q->name, '/') != NULL) {
-		printk(KERN_ERR "xt_quota<%u>: illegal name\n",
-		       par->match->revision);
-		return false;
+		printk(KERN_ERR "xt_quota.3: illegal name\n");
+		return -EINVAL;
 	}
 
 	q->master = q2_get_counter(q);
 	if (q->master == NULL) {
-		printk(KERN_ERR "xt_quota<%u>: memory alloc failure\n",
-		       par->match->revision);
-		return false;
+		printk(KERN_ERR "xt_quota.3: memory alloc failure\n");
+		return -ENOMEM;
 	}
 
-	return true;
+	return 0;
 }
 
 static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
@@ -191,7 +189,7 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
 }
 
 static bool
-quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
+quota_mt2(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	struct xt_quota_mtinfo2 *q = (void *)par->matchinfo;
 	struct xt_quota_counter *e = q->master;

xa-download-more

@@ -6,7 +6,7 @@ use strict;
 
 &main(\@ARGV);
 
-sub main ($)
+sub main
 {
 	local *FH;
 
@@ -30,7 +30,7 @@ sub main ($)
 	close FH;
 }
 
-sub process_index ($)
+sub process_index
 {
 	my $top = shift @_;
 	my($agent, $res, $url);
@@ -68,14 +68,14 @@ sub process_index ($)
 	}
 }
 
-sub slash_remove ($)
+sub slash_remove
 {
 	my $s = shift @_;
 	$s =~ s{(\w+://)(.*)}{$1.&slash_remove2($2)}eg;
 	return $s;
 }
 
-sub slash_remove2 ($)
+sub slash_remove2
 {
 	my $s = shift @_;
 	$s =~ s{/+}{/}g;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.24 (2010-03-17)" "" "v1.24 (2010-03-17)"
+.TH xtables-addons 8 "v1.27 (2010-05-16)" "" "v1.27 (2010-05-16)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets