Xtables-addons 1.37

Remove mention of netcat from the libxt_SYSRQ manpage.

.gitignore

@@ -3,6 +3,7 @@
 *.loT
 *.o
 .deps
+.dirstamp
 .libs
 Makefile
 Makefile.in

INSTALL

@@ -14,7 +14,7 @@ Supported configurations for this release
 
 	* iptables >= 1.4.3
 
-	* kernel-source >= 2.6.17, no upper bound known
+	* kernel-source >= 2.6.29
 	  with prepared build/output directory
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
@@ -22,11 +22,11 @@ Supported configurations for this release
 	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
 	    notifications from pknock through netlink/connector
 
-Extra notes:
+For ipset-6 you need:
 
-	* in the kernel 2.6.18.x series, >= 2.6.18.5 is required
+	* libmnl
 
-	* requires that no vendor backports interfere
+	* Linux kernel >= 2.6.35
 
 
 Selecting extensions
@@ -54,8 +54,12 @@ Configuring and compiling
 --with-xtlibdir=
 
 	Specifies the path to where the newly built extensions should
-	be installed when `make install` is run. It uses the same
-	default as the Xtables/iptables package, ${libexecdir}/xtables.
+	be installed when `make install` is run. The default is to
+	use the same path that Xtables/iptables modules use, as
+	determined by `pkg-config xtables --variable xtlibdir`.
+	Thus, this option normally does NOT need to be specified
+	anymore, even if your distribution put modules in a strange
+	location.
 
 If you want to enable debugging, use
 

Makefile.am

@@ -1,7 +1,7 @@
 # -*- Makefile -*-
 
 ACLOCAL_AMFLAGS  = -I m4
-SUBDIRS          = extensions
+SUBDIRS          = extensions geoip
 
 man_MANS := xtables-addons.8
 
@@ -16,10 +16,15 @@ install-exec-hook:
 
 config.status: Makefile.iptrules.in
 
+tmpdir := $(shell mktemp -dtu)
+packer  = xz
+packext = .tar.xz
+
 .PHONY: tarball
 tarball:
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
-	pushd ${top_srcdir} && git archive --prefix=xtables-addons-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
-	pushd /tmp/xtables-addons-${PACKAGE_VERSION} && ./autogen.sh && popd;
-	tar -C /tmp -cjf xtables-addons-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root xtables-addons-${PACKAGE_VERSION}/;
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
+# do not use mkdir_p here.
+	mkdir ${tmpdir}
+	pushd ${top_srcdir} && git archive --prefix=${PACKAGE_NAME}-${PACKAGE_VERSION}/ HEAD | tar -C ${tmpdir} -x && popd;
+	pushd ${tmpdir}/${PACKAGE_NAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
+	tar --use=${packer} -C ${tmpdir} -cf ${PACKAGE_NAME}-${PACKAGE_VERSION}${packext} --owner=root --group=root ${PACKAGE_NAME}-${PACKAGE_VERSION}/;
+	rm -Rf ${tmpdir};

Makefile.extra

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 # AUTOMAKE
 
+export AM_CPPFLAGS
+export AM_CFLAGS
 XA_SRCDIR = ${srcdir}
 XA_TOPSRCDIR = ${top_srcdir}
 XA_ABSTOPSRCDIR = ${abs_top_srcdir}

Makefile.iptrules.in

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 # MANUAL
 
+abs_top_srcdir  = @abs_top_srcdir@
+
 prefix          = @prefix@
 exec_prefix     = @exec_prefix@
 libexecdir      = @libexecdir@
@@ -8,11 +10,11 @@ xtlibdir        = @xtlibdir@
 
 CC              = @CC@
 CCLD            = ${CC}
+CFLAGS          = @CFLAGS@
+LDFLAGS         = @LDFLAGS@
 
-regular_CFLAGS  = @regular_CFLAGS@
 libxtables_CFLAGS = @libxtables_CFLAGS@
 libxtables_LIBS   = @libxtables_LIBS@
-AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS}
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
 AM_DEFAULT_VERBOSITY = 0
@@ -42,19 +44,19 @@ subdirs_list := $(filter %/,${obj-m})
 .PHONY: all install clean
 
 all: ${targets}
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i || exit $$?; done;
 
 install: ${targets}
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
 	install -dm0755 "${DESTDIR}/${xtlibdir}";
 	@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
 
 clean:
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
 	rm -f *.oo *.so;
 
 lib%.so: lib%.oo
 	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${libxtables_LIBS} ${LDLIBS};
 
 %.oo: ${XA_SRCDIR}/%.c
-	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CPPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CPPFLAGS} ${CFLAGS} -o $@ -c $<;

Makefile.mans.in

@@ -3,8 +3,8 @@
 
 srcdir := @srcdir@
 
-wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
-wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
+wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man' | sort)
+wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man' | sort)
 wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
 wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
 
@@ -23,7 +23,7 @@ man_run = \
 		name="$${name\#\#*/libxt_}"; \
 		if [ -f "$$ext" ]; then \
 			echo ".SS $$name"; \
-			cat "$$ext"; \
+			cat "$$ext" || exit $$?; \
 			continue; \
 		fi; \
 	done >$@;

README

@@ -16,6 +16,13 @@ sanity checks and incorrect endianess handling have been fixed,
 simplified, and sped up.
 
 
+Included in this package
+========================
+- ipset 4.5
+- ipset 6.7-genl
+- xt_ACCOUNT 1.16, libxt_ACCOUNT 1.3
+
+
 Inclusion into a kernel tree
 ============================
 

configure.ac

@@ -1,9 +1,8 @@
-
-AC_INIT([xtables-addons], [1.24])
+AC_INIT([xtables-addons], [1.37])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
+AM_INIT_AUTOMAKE([1.10b -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -21,60 +20,64 @@ if [[ "$kbuilddir" == no ]]; then
 	kbuilddir="";
 fi
 
-AC_ARG_WITH([xtlibdir],
-	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
-	[xtlibdir="$withval"],
-	[xtlibdir='${libexecdir}/xtables'])
-
-PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
+xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
+PKG_CHECK_MODULES([libmnl], [libmnl >= 1], [:], [:])
 
-regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
+AC_ARG_WITH([xtlibdir],
+	AS_HELP_STRING([--with-xtlibdir=PATH],
+	[Path where to install Xtables extensions [[autodetect]]]]),
+	[xtlibdir="$withval"])
+AC_MSG_CHECKING([Xtables module directory])
+AC_MSG_RESULT([$xtlibdir])
+
+regular_CPPFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
+	-D_REENTRANT -I\${XA_TOPSRCDIR}/include"
+regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
-	-I\${XA_TOPSRCDIR}/include";
+	-Winline -pipe";
 
-#
-# check kernel version
-#
-if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
-    grep -q "Red Hat Enterprise Linux Server release 5" /etc/redhat-release 2>/dev/null; then
-	# しまった!
-	# Well, just a warning. Maybe the admin updated the kernel.
-	echo "WARNING: This distribution's shipped kernel is not supported.";
-fi;
-krel="$(make -sC ${kbuilddir} kernelrelease)";
-krel="${krel%%-*}";
-kmajor="${krel%%.*}";
-krel="${krel#*.}";
-kminor="${krel%%.*}";
-krel="${krel#*.}";
-kmicro="${krel%%.*}";
-if test "$kmicro" = "$krel"; then
-	kstable=0;
-else
-	kstable="${krel#*.}";
-	if test -z "$kstable"; then
-		kstable=0;
+if test -n "$kbuilddir"; then
+	AC_MSG_CHECKING([kernel version that we will build against])
+	krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease)";
+	kmajor="${krel%%[[^0-9]]*}";
+	kmajor="$(($kmajor+0))";
+	krel="${krel:${#kmajor}}";
+	krel="${krel#.}";
+	kminor="${krel%%[[^0-9]]*}";
+	kminor="$(($kminor+0))";
+	krel="${krel:${#kminor}}";
+	krel="${krel#.}";
+	kmicro="${krel%%[[^0-9]]*}";
+	kmicro="$(($kmicro+0))";
+	krel="${krel:${#kmicro}}";
+	krel="${krel#.}";
+	kstable="${krel%%[[^0-9]]*}";
+	kstable="$(($kstable+0))";
+	if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
+		echo "WARNING: Version detection did not succeed. Continue at own luck.";
+	else
+		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+		if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 1; then
+			echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
+		elif test "$kmajor" -eq 3; then
+			:;
+		elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29; then
+			:;
+		else
+			echo "WARNING: That kernel version is not supported.";
+		fi;
 	fi;
 fi;
-echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 34; then
-	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
-elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
-    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
-    "$kstable" -lt 5 \); then
-	echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
-	exit 1;
-fi;
 
+AC_SUBST([regular_CPPFLAGS])
 AC_SUBST([regular_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([xtlibdir])
-AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
+AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans geoip/Makefile
 	extensions/Makefile extensions/ACCOUNT/Makefile
-	extensions/ipset/Makefile extensions/pknock/Makefile])
+	extensions/ipset-4/Makefile extensions/ipset-6/Makefile
+	extensions/pknock/Makefile])
 AC_OUTPUT

doc/api/2.6.17.c

@@ -0,0 +1,64 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+		void *userdata,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+	);

doc/api/2.6.19.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.23.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.24.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.28.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.31.c

@@ -0,0 +1,38 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.32.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.35.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/xt-a.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/changelog.txt

@@ -3,8 +3,155 @@ HEAD
 ====
 
 
-Xtables-addons 1.24 (March 17 2010)
-===================================
+v1.37 (2011-06-25)
+==================
+Fixes:
+- xt_SYSRQ: make IPv6 trigger work again
+- xt_SYSRQ: improve security: include host address in digest
+- xt_TARPIT: fix a kernel oops in --reset mode
+
+
+v1.36 (2011-06-03)
+==================
+Changes:
+- xt_geoip: avoid recursive function calls
+- xt_TARPIT: unlock for use in all tables
+- xt_TARPIT: honeypot and reset modes
+- update to ipset 6.7
+- support for Linux 3.0
+
+
+v1.35 (2011-04-11)
+==================
+Enhancements:
+- update to ipset 6.3
+  * allow "new" as a commad alias to "create"
+  * resolving IP addresses did not work at listing/saving sets, fixed
+  * check ICMP and ICMPv6 with the set match and target in the testsuite
+  * avoid possible syntax clashing at saving hostnames
+  * fix linking with CONFIG_IPV6=n
+  * sctp, udplite support for the hash:*port* types
+- ipset-genl: handle EAGAIN return value emitted from autoloader
+- ipset-genl: resolve nfgenmsg remains and fix spurious protocol abort
+
+
+v1.34 (2011-04-07)
+==================
+Fixes:
+- xt_pknock: avoid crash when hash TFM could not be allocated
+- xt_pknock: avoid inversion of rule lookup that led to warnings
+- xt_DNETMAP: add missing module alias
+- xt_DNETMAP: support for kernels below 2.6.34
+Changes:
+- Linux kernel versions below 2.6.29 are no longer officially
+  supported, and will not be part of compilation testing.
+  Expect that compat code will be removed shortly.
+
+
+v1.33 (2011-02-02)
+==================
+Fixes:
+- build: restore functionality of `configure --without-kbuild`
+- build: fix objdir builds for ipset-5 (xt-a specific)
+- build: fix missing inclusion of dependency rules
+- xt_LOGMARK: fix detection of untracked connection for Linux >= 2.6.36
+Enhancements:
+- IPv6 support for xt_geoip
+- Update to ipset 5.3
+  * make IPv4 and IPv6 address handling similar
+  * show correct line numbers in restore output for parser errors
+- Update to ipset 5.4
+  * fixed ICMP and ICMPv6 handling
+  * fixed trailing whitespaces and pr_* messages
+  * fixed module loading at create/header commands
+- build: support for Linux up to 2.6.38
+- build: preliminary support for iptables 1.4.11
+
+
+v1.32 (2011-01-04)
+==================
+Fixes:
+- Update to ipset 4.5
+  * the iptreemap type used wrong gfp flags when deleting entries
+- Include ipset 5.2 with genetlink patch (beta)
+  * no kernel patch needed, but requires Linux >= 2.6.35
+    and thus needs to be manually enabled in mconfig
+
+
+v1.31 (2010-11-05)
+==================
+Fixes:
+- build: improve detection of kernel version and error handling
+Changes:
+- build: automatically derive Xtables module directory, thus
+  --with-xtlibdir is no longer needed for ./configure in most cases
+  (If I still see a distro using it, I will scold you for not
+  reading this changelog.)
+Enhancements:
+- LOGMARK: print remaining lifetime of cts
+- xt_iface: allow matching against incoming/outgoing interface
+- libxt_gradm: match packets based on status of grsecurity RBAC
+  (userspace part only - xt_gradm is in the grsec patch)
+
+
+v1.30 (2010-010-02)
+===================
+Fixes:
+- update to ipset 4.4
+  * ipport{,ip,net}hash did not work with mixed "src" and "dst"
+    destination parameters
+Changes:
+- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
+  merged upstream in Linux 2.6.35 and 2.6.36, respectively.
+  Distros still wishing to build this need to enable it in their build
+  script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
+
+
+v1.29 (2010-09-29)
+==================
+- compat_xtables: return bool for match_check and target_check in 2.6.23..34
+- ipset: enable building of ip_set_ipport{ip,net}hash.ko
+- support for Linux 2.6.36
+- SYSRQ: resolve compile error with Linux 2.6.36
+- TEE: resolve compile error with Linux 2.6.36
+- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
+  ("implicit declaration of function 'ALIGN'")
+
+
+v1.28 (2010-07-24)
+==================
+- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
+- new target xt_CHECKSUM
+- xt_length2: add support for IPv6 jumbograms
+- xt_geoip: fix possible out-of-bounds access
+- import xt_geoip database scripts
+
+
+v1.27 (2010-05-16)
+==================
+- further updates for the upcoming 2.6.35 changes
+
+
+v1.26 (2010-04-30)
+==================
+- compat_xtables: fix 2.6.34 compile error due to a typo
+
+
+v1.25 (2010-04-26)
+==================
+- TEE: do rechecksumming in PREROUTING too
+- TEE: decrease TTL on cloned packet
+- TEE: set dont-fragment on cloned packets
+- TEE: free skb when route lookup failed
+- TEE: do not limit use to mangle table
+- TEE: do not retain iif and mark on cloned packet
+- TEE: new loop detection logic
+- TEE: use less expensive pskb_copy
+- condition: remove unnecessary RCU protection
+
+
+v1.24 (2010-03-17)
+==================
 - build: fix build of userspace modules against old (pre-2.6.25)
   headers from linux-glibc-devel (/usr/include/linux)
 - ipp2p: updated bittorent command recognition
@@ -12,8 +159,8 @@ Xtables-addons 1.24 (March 17 2010)
 - SYSRQ: allow processing of UDP-Lite
 
 
-Xtables-addons 1.23 (February 24 2010)
-======================================
+v1.23 (2010-02-24)
+==================
 - build: support for Linux 2.6.34
 - build: remove unused --with-ksource option
 - build: remove unneeded --with-xtables option
@@ -22,22 +169,22 @@ Xtables-addons 1.23 (February 24 2010)
 - ECHO: fix compilation w.r.t. skb_dst
 
 
-Xtables-addons 1.22 (January 22 2010)
-=====================================
+v1.22 (2010-01-22)
+==================
 - compat_xtables: support for 2.6.33 skb_iif changes
 - geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
 - ipset: enable build of ip_set_setlist.ko
 - quota2: add the --no-change mode
 
 
-Xtables-addons 1.21 (December 09 2009)
-======================================
+v1.21 (2009-12-09)
+==================
 - ACCOUNT: avoid collision with arp_tables setsockopt numbers
 - doc: fix option mismatch --gw/--gateway in libxt_TEE.man
 
 
-Xtables-addons 1.20 (November 19 2009)
-======================================
+v1.20 (2009-11-19)
+==================
 - ipp2p: add more boundary checks
 - ipp2p: fix Gnutelle line ending detection
 - LOGMARK: remove unknown options from manpage
@@ -46,8 +193,8 @@ Xtables-addons 1.20 (November 19 2009)
 - ipset: fast forward to v4.1
 
 
-Xtables-addons 1.19 (October 12 2009)
-=====================================
+v1.19 (2009-10-12)
+==================
 - build: compile fixes for 2.6.31-rt
 - build: support for Linux 2.6.32
 - ipp2p: try to address underflows
@@ -69,8 +216,8 @@ Xtables-addons 1.19 (October 12 2009)
   - pknock: add a manpage
 
 
-Xtables-addons 1.18 (September 09 2009)
-=======================================
+v1.18 (2009-09-09)
+==================
 - build: support for Linux 2.6.31
 - ipset: fast forward to v3.2
 - quota2: support anonymous counters
@@ -81,21 +228,21 @@ Xtables-addons 1.18 (September 09 2009)
 - merged xt_psd module
 
 
-Xtables-addons 1.17 (June 16 2009)
-==================================
+v1.17 (2009-06-16)
+==================
 - IPMARK: print missing --shift parameter
 - build: use readlink -f in extensions/ipset/
 - build: support for Linux 2.6.30
 
 
-Xtables-addons 1.16 (May 27 2009)
-=================================
+v1.16 (2009-05-27)
+==================
 - RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
 - ipset: fast forward to 3.0
 
 
-Xtables-addons 1.15 (April 30 2009)
-===================================
+v1.15 (2009-04-30)
+==================
 - build: add kernel version check to configure
 - condition: compile fix for 2.6.30-rc
 - condition: fix intrapositional negation sign
@@ -107,8 +254,8 @@ Xtables-addons 1.15 (April 30 2009)
 - added RAWSNAT/RAWDNAT targets
 
 
-Xtables-addons 1.14 (March 31 2009)
-===================================
+v1.14 (2009-03-31)
+==================
 - fuzzy: need to account for kernel-level modified variables in .userspacesize
 - geoip: remove XT_ALIGN from .userspacesize when used with offsetof
 - SYSRQ: ignore non-UDP packets
@@ -118,14 +265,14 @@ Xtables-addons 1.14 (March 31 2009)
 - dhcpmac: rename from dhcpaddr
 
 
-Xtables-addons 1.13 (March 23 2009)
-===================================
+v1.13 (2009-03-23)
+==================
 - added a reworked ipv4options match
 - upgrade to iptables 1.4.3 API
 
 
-Xtables-addons 1.12 (March 07 2009)
-===================================
+v1.12 (2009-03-07)
+==================
 - ipset: fix for compilation with 2.6.29-rt
 - ipset: fast forward to 2.5.0
 - rename xt_portscan to xt_lscan ("low-level scan") because
@@ -136,21 +283,21 @@ Xtables-addons 1.12 (March 07 2009)
 - xt_TEE: enable routing by iif, nfmark and flowlabel
 
 
-Xtables-addons 1.10 (February 18 2009)
-======================================
+v1.10 (2009-02-18)
+==================
 - compat: compile fixes for 2.6.29
 - ipset: upgrade to ipset 2.4.9
 
 
-Xtables-addons 1.9 (January 30 2009)
-====================================
+v1.9 (2009-01-30)
+=================
 - add the xt_length2 extension
 - xt_TEE: remove intrapositional '!' support
 - ipset: upgrade to ipset 2.4.7
 
 
-Xtables-addons 1.8 (January 10 2009)
-====================================
+v1.8 (2009-01-10)
+=================
 - xt_TEE: IPv6 support
 - xt_TEE: do not include TOS value in routing decision
 - xt_TEE: fix switch-case inversion for name/IP display
@@ -159,8 +306,8 @@ Xtables-addons 1.8 (January 10 2009)
 - xt_portscan: update manpage about --grscan option caveats
 
 
-Xtables-addons 1.7 (December 25 2008)
-=====================================
+v1.7 (2008-12-25)
+=================
 - xt_ECHO: compile fix
 - avoid the use of "_init" which led to compile errors on some installations
 - build: do not unconditionally install ipset
@@ -171,16 +318,16 @@ Xtables-addons 1.7 (December 25 2008)
 - xt_SYSRQ: improve security by hashing password
 
 
-Xtables-addons 1.6 (November 18 2008)
-=====================================
+v1.6 (2008-11-18)
+=================
 - build: support for Linux 2.6.17
 - build: compile fixes for 2.6.18 and 2.6.19
 - xt_ECHO: resolve compile errors in xt_ECHO
 - xt_ipp2p: parenthesize unaligned-access macros
 
 
-Xtables-addons 1.5.7 (September 01 2008)
-========================================
+v1.5.7 (2008-09-01)
+===================
 - API layer: fix use of uninitialized 'hotdrop' variable
 - API layer: move to pskb-based signatures
 - xt_SYSRQ: compile fixes for Linux <= 2.6.19
@@ -192,8 +339,8 @@ Xtables-addons 1.5.7 (September 01 2008)
 - xt_SYSRQ: add missing module aliases
 
 
-Xtables-addons 1.5.5 (August 03 2008)
-=====================================
+v1.5.5 (2008-08-03)
+===================
 - manpage updates for xt_CHAOS, xt_IPMARK; README updates
 - build: properly recognize external Kbuild/Mbuild files
 - build: remove dependency on CONFIG_NETWORK_SECMARK
@@ -202,13 +349,13 @@ Xtables-addons 1.5.5 (August 03 2008)
 - import ipset extension group
 
 
-Xtables-addons 1.5.4.1 (April 26 2008)
-======================================
+v1.5.4.1 (2008-04-26)
+=====================
 - build: fix compile error for 2.6.18-stable
 
 
-Xtables-addons 1.5.4 (April 09 2008)
-====================================
+v1.5.4 (2008-04-09)
+===================
 - build: support building multiple files with one config option
 - API layer: add check for pskb relocation
 - doc: generate manpages
@@ -222,28 +369,28 @@ Xtables-addons 1.5.4 (April 09 2008)
 - add reworked xt_IPMARK target
 
 
-Xtables-addons 1.5.3 (March 22 2008)
-====================================
+v1.5.3 (2008-03-22)
+===================
 - support for Linux 2.6.18
 - add xt_ECHO sample target
 - add reworked xt_geoip match
 
 
-Xtables-addons 1.5.2 (March 04 2008)
-====================================
+v1.5.2 (2008-03-04)
+===================
 - build: support for GNU make < 3.81 which does not have $(realpath)
 
 
-Xtables-addons 1.5.1 (February 21 2008)
-=======================================
+v1.5.1 (2008-02-21)
+===================
 - build: allow user to select what extensions to compile and install
 - build: allow external proejcts to be downloaded into the tree
 - xt_LOGMARK: dump classify mark, ctstate and ctstatus
 - add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
 
 
-Xtables-addons 1.5.0 (February 11 2008)
-=======================================
+v1.5.0 (2008-02-11)
+===================
 Initial release with:
 - extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
 - support for Linux >= 2.6.19

extensions/ACCOUNT/Makefile.am

@@ -1,8 +1,13 @@
 # -*- Makefile -*-
 
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
+AM_CFLAGS   = ${regular_CFLAGS}
+
 include ../../Makefile.extra
 
 sbin_PROGRAMS = iptaccount
 iptaccount_LDADD = libxt_ACCOUNT_cl.la
 
 lib_LTLIBRARIES = libxt_ACCOUNT_cl.la
+
+man_MANS = iptaccount.8

extensions/ACCOUNT/VERSION.txt

@@ -0,0 +1 @@
+1.16

extensions/ACCOUNT/iptaccount.8

@@ -0,0 +1,26 @@
+.TH iptaccount 8 "v1.16" "" "v1.16"
+.SH Name
+iptaccount \(em administrative utility to access xt_ACCOUNT statistics
+.SH Syntax
+\fBiptaccount\fP [\fB\-acfhu\fP] [\fB\-l\fP \fIname\fP]
+.SH Options
+.PP
+\fB\-a\fP
+List all (accounting) table names.
+.PP
+\fB\-c\fP
+Loop every second (abort with CTRL+C).
+.PP
+\fB\-f\fP
+Flush data after display.
+.PP
+\fB\-h\fP
+Free all kernel handles. (Experts only!)
+.PP
+\fB\-l\fP \fIname\fP
+Show data in accounting table called by \fIname\fP.
+.TP
+\fB\-u\fP
+Show kernel handle usage.
+.SH "See also"
+\fBxtables-addons\fP(8)

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -12,6 +12,7 @@
 #include <stddef.h>
 #include <xtables.h>
 #include "xt_ACCOUNT.h"
+#include "compat_user.h"
 
 static struct option account_tg_opts[] = {
 	{.name = "addr",  .has_arg = true, .val = 'a'},
@@ -104,11 +105,11 @@ static void account_tg_print_it(const void *ip,
 	struct in_addr a;
 
 	if (!do_prefix)
-		printf("ACCOUNT ");
+		printf(" ACCOUNT ");
 
 	// Network information
 	if (do_prefix)
-		printf("--");
+		printf(" --");
 	printf("%s ", account_tg_opts[0].name);
 
 	a.s_addr = accountinfo->net_ip;
@@ -118,7 +119,7 @@ static void account_tg_print_it(const void *ip,
 
 	printf(" ");
 	if (do_prefix)
-		printf("--");
+		printf(" --");
 
 	printf("%s %s", account_tg_opts[1].name, accountinfo->table_name);
 }

extensions/ACCOUNT/libxt_ACCOUNT.man

@@ -40,19 +40,7 @@ to account the overall traffic to/from your internet provider.
 .PP
 The data can be queried using the userspace libxt_ACCOUNT_cl library,
 and by the reference implementation to show usage of this library,
-the \fBiptaccount\fP(8) tool, which features following options:
-.PP
-[\fB\-u\fP] show kernel handle usage
-.PP
-[\fB\-h\fP] free all kernel handles (experts only!)
-.PP
-[\fB\-a\fP] list all table names
-.PP
-[\fB\-l\fP \fIname\fP] show data in table \fIname\fP
-.PP
-[\fB\-f\fP] flush data after showing
-.PP
-[\fB\-c\fP] loop every second (abort with CTRL+C)
+the \fBiptaccount\fP(8) tool.
 .PP
 Here is an example of use:
 .PP

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -3,7 +3,7 @@
  *   See http://www.intra2net.com/opensource/ipt_account                   *
  *   for further information                                               *
  *                                                                         *
- *   Copyright (C) 2004-2008 by Intra2net AG                               *
+ *   Copyright (C) 2004-2011 by Intra2net AG                               *
  *   opensource@intra2net.com                                              *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -264,7 +264,7 @@ static int ipt_acc_table_insert(const char *name, __be32 ip, __be32 netmask)
 	return -1;
 }
 
-static bool ipt_acc_checkentry(const struct xt_tgchk_param *par)
+static int ipt_acc_checkentry(const struct xt_tgchk_param *par)
 {
 	struct ipt_acc_info *info = par->targinfo;
 	int table_nr;
@@ -276,13 +276,13 @@ static bool ipt_acc_checkentry(const struct xt_tgchk_param *par)
 
 	if (table_nr == -1) {
 		printk("ACCOUNT: Table insert problem. Aborting\n");
-		return false;
+		return -EINVAL;
 	}
 	/* Table nr caching so we don't have to do an extra string compare
 	   for every packet */
 	info->table_nr = table_nr;
 
-	return true;
+	return 0;
 }
 
 static void ipt_acc_destroy(const struct xt_tgdtor_param *par)
@@ -478,7 +478,7 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
 	}
 }
 
-static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target_param *par)
+static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct ipt_acc_info *info =
 		par->targinfo;
@@ -494,7 +494,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 			"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
 			NIPQUAD(src_ip), NIPQUAD(dst_ip));
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 8 bit network or "any" network */
@@ -506,7 +506,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 16 bit network */
@@ -517,7 +517,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 24 bit network */
@@ -528,7 +528,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	printk("ACCOUNT: ipt_acc_target: Unable to process packet. "
@@ -536,7 +536,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 		info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
 
 	spin_unlock_bh(&ipt_acc_lock);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 /*

extensions/Kbuild

@@ -7,8 +7,10 @@ obj-m                    += compat_xtables.o
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
+obj-${build_CHECKSUM}    += xt_CHECKSUM.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
+obj-${build_DNETMAP}     += xt_DNETMAP.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
@@ -25,7 +27,8 @@ obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
 obj-${build_iface}       += xt_iface.o
 obj-${build_ipp2p}       += xt_ipp2p.o
-obj-${build_ipset}       += ipset/
+obj-${build_ipset4}      += ipset-4/
+obj-${build_ipset6}      += ipset-6/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o

extensions/Makefile.am

@@ -1,12 +1,17 @@
 # -*- Makefile -*-
 # AUTOMAKE
 
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
+AM_CFLAGS = ${regular_CFLAGS} ${libxtables_CFLAGS}
+
 # Not having Kbuild in Makefile.extra because it will already recurse
 .PHONY: modules modules_install clean_modules
 
 _kcall = -C ${kbuilddir} M=${abs_srcdir}
 
 modules:
+	@echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux "
+	@if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} --no-print-directory -s kernelrelease; fi;
 	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi;
 
 modules_install:

extensions/Mbuild

@@ -2,8 +2,10 @@
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
+obj-${build_CHECKSUM}    += libxt_CHECKSUM.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
+obj-${build_DNETMAP}     += libxt_DNETMAP.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
@@ -17,10 +19,12 @@ obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
 obj-${build_iface}       += libxt_iface.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
-obj-${build_ipset}       += ipset/
+obj-${build_ipset4}      += ipset-4/
+obj-${build_ipset6}      += ipset-6/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so
+obj-${build_gradm}       += libxt_gradm.so

extensions/compat_user.h

@@ -0,0 +1,12 @@
+/*
+ *	Userspace-level compat hacks
+ */
+#ifndef _XTABLES_COMPAT_USER_H
+#define _XTABLES_COMPAT_USER_H 1
+
+/* linux-glibc-devel 2.6.34 header screwup */
+#ifndef ALIGN
+#	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
+#endif
+
+#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -1,6 +1,6 @@
 /*
  *	API compat layer
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License, either
@@ -34,25 +34,49 @@ static bool xtnu_match_run(const struct sk_buff *skb,
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);
-	bool lo_drop = false, lo_ret;
-	struct xt_match_param local_par = {
-		.in        = in,
-		.out       = out,
-		.match     = cm,
-		.matchinfo = matchinfo,
-		.fragoff   = offset,
-		.thoff     = protoff,
-		.hotdrop   = &lo_drop,
-		.family    = NFPROTO_UNSPEC, /* don't have that info */
-	};
+	bool lo_ret;
+	struct xt_action_param local_par;
+	local_par.in        = in;
+	local_par.out       = out;
+	local_par.match     = cm;
+	local_par.matchinfo = matchinfo;
+	local_par.fragoff   = offset;
+	local_par.thoff     = protoff;
+	local_par.hotdrop   = false;
+	local_par.family    = NFPROTO_UNSPEC; /* don't have that info */
 
 	if (nm == NULL || nm->match == NULL)
 		return false;
 	lo_ret = nm->match(skb, &local_par);
-	*hotdrop = lo_drop;
+	*hotdrop = local_par.hotdrop;
 	return lo_ret;
 }
 #endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_match_run(const struct sk_buff *skb,
+    const struct xt_match_param *par)
+{
+	struct xtnu_match *nm = xtcompat_numatch(par->match);
+	struct xt_action_param local_par;
+	bool ret;
+
+	local_par.in        = par->in;
+	local_par.out       = par->out;
+	local_par.match     = par->match;
+	local_par.matchinfo = par->matchinfo;
+	local_par.fragoff   = par->fragoff;
+	local_par.thoff     = par->thoff;
+	local_par.hotdrop   = false;
+	local_par.family    = par->family;
+
+	if (nm == NULL || nm->match == NULL)
+		return false;
+	ret = nm->match(skb, &local_par);
+	*par->hotdrop = local_par.hotdrop;
+	return ret;
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_match_check(const char *table, const void *entry,
@@ -81,7 +105,24 @@ static bool xtnu_match_check(const char *table, const void *entry,
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nm->checkentry(&local_par);
+#else
+	return nm->checkentry(&local_par) == 0;
+#endif
+}
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_match_check(const struct xt_mtchk_param *par)
+{
+	struct xtnu_match *nm = xtcompat_numatch(par->match);
+
+	if (nm == NULL)
+		return false;
+	if (nm->checkentry == NULL)
+		return true;
+	return nm->checkentry(par) == 0;
 }
 #endif
 
@@ -105,7 +146,7 @@ static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
 }
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 int xtnu_register_match(struct xtnu_match *nt)
 {
 	struct xt_match *ct;
@@ -127,9 +168,19 @@ int xtnu_register_match(struct xtnu_match *nt)
 	ct->table      = (char *)nt->table;
 	ct->hooks      = nt->hooks;
 	ct->proto      = nt->proto;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ct->match      = xtnu_match_run;
 	ct->checkentry = xtnu_match_check;
 	ct->destroy    = xtnu_match_destroy;
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	ct->match      = xtnu_match_run;
+	ct->checkentry = xtnu_match_check;
+	ct->destroy    = nt->destroy;
+#else
+	ct->match      = nt->match;
+	ct->checkentry = xtnu_match_check;
+	ct->destroy    = nt->destroy;
+#endif
 	ct->matchsize  = nt->matchsize;
 	ct->me         = nt->me;
 
@@ -188,35 +239,55 @@ static unsigned int xtnu_target_run(struct sk_buff **pskb,
 static unsigned int xtnu_target_run(struct sk_buff *skb,
     const struct net_device *in, const struct net_device *out,
     unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-#else
-static unsigned int
-xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
 #endif
-{
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+{
 	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_target_param local_par = {
-		.in       = in,
-		.out      = out,
-		.hooknum  = hooknum,
-		.target   = ct,
-		.targinfo = targinfo,
-		.family   = NFPROTO_UNSPEC,
-	};
-#else
-	struct xtnu_target *nt = xtcompat_nutarget(par->target);
-#endif
+	struct xt_action_param local_par;
+
+	local_par.in       = in;
+	local_par.out      = out;
+	local_par.hooknum  = hooknum;
+	local_par.target   = ct;
+	local_par.targinfo = targinfo;
+	local_par.family   = NFPROTO_UNSPEC;
 
 	if (nt != NULL && nt->target != NULL)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 		return nt->target(pskb, &local_par);
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 		return nt->target(&skb, &local_par);
-#else
-		return nt->target(&skb, par);
 #endif
 	return XT_CONTINUE;
 }
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+	struct xt_action_param local_par;
+
+	local_par.in       = par->in;
+	local_par.out      = par->out;
+	local_par.hooknum  = par->hooknum;
+	local_par.target   = par->target;
+	local_par.targinfo = par->targinfo;
+	local_par.family   = par->family;
+
+	return nt->target(&skb, &local_par);
+}
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+
+	return nt->target(&skb, par);
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_target_check(const char *table, const void *entry,
@@ -246,7 +317,25 @@ static bool xtnu_target_check(const char *table, const void *entry,
 	if (nt->checkentry == NULL)
 		/* this is valid, just like if there was no function */
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nt->checkentry(&local_par);
+#else
+	return nt->checkentry(&local_par) == 0;
+#endif
+}
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_target_check(const struct xt_tgchk_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+
+	if (nt == NULL)
+		return false;
+	if (nt->checkentry == NULL)
+		return true;
+	return nt->checkentry(par) == 0;
 }
 #endif
 
@@ -295,6 +384,9 @@ int xtnu_register_target(struct xtnu_target *nt)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ct->checkentry = xtnu_target_check;
 	ct->destroy    = xtnu_target_destroy;
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	ct->checkentry = xtnu_target_check;
+	ct->destroy    = nt->destroy;
 #else
 	ct->checkentry = nt->checkentry;
 	ct->destroy    = nt->destroy;

extensions/compat_xtables.h

@@ -60,7 +60,7 @@
 #	define init_net__proc_net     init_net.proc_net
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 #	define xt_match              xtnu_match
 #	define xt_register_match     xtnu_register_match
 #	define xt_unregister_match   xtnu_unregister_match
@@ -86,6 +86,11 @@
 #	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+#	define rt_dst(rt)	(&(rt)->dst)
+#else
+#	define rt_dst(rt)	(&(rt)->u.dst)
+#endif
 
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \

extensions/compat_xtnu.h

@@ -32,16 +32,6 @@ enum {
 	NFPROTO_NUMPROTO,
 };
 
-struct xt_match_param {
-	const struct net_device *in, *out;
-	const struct xt_match *match;
-	const void *matchinfo;
-	int fragoff;
-	unsigned int thoff;
-	bool *hotdrop;
-	u_int8_t family;
-};
-
 struct xt_mtchk_param {
 	const char *table;
 	const void *entryinfo;
@@ -81,33 +71,52 @@ struct xt_tgdtor_param {
 };
 #endif
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+struct xt_action_param {
+	union {
+		const struct xt_match *match;
+		const struct xt_target *target;
+	};
+	union {
+		const void *matchinfo, *targinfo;
+	};
+	const struct net_device *in, *out;
+	int fragoff;
+	unsigned int thoff, hooknum;
+	u_int8_t family;
+	bool hotdrop;
+};
+#endif
+
 struct xtnu_match {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
-	bool (*match)(const struct sk_buff *, const struct xt_match_param *);
-	bool (*checkentry)(const struct xt_mtchk_param *);
+	/*
+	 * Making it smaller by sizeof(void *) on purpose to catch
+	 * lossy translation, if any.
+	 */
+	char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
+	bool (*match)(const struct sk_buff *, struct xt_action_param *);
+	int (*checkentry)(const struct xt_mtchk_param *);
 	void (*destroy)(const struct xt_mtdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int matchsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_match;
 };
 
 struct xtnu_target {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
+	char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
 	unsigned int (*target)(struct sk_buff **,
-		const struct xt_target_param *);
-	bool (*checkentry)(const struct xt_tgchk_param *);
+		const struct xt_action_param *);
+	int (*checkentry)(const struct xt_tgchk_param *);
 	void (*destroy)(const struct xt_tgdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int targetsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_target;
 };

extensions/ipset-4/Kbuild

@@ -3,4 +3,5 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
+obj-m += ip_set_ipportiphash.o ip_set_ipportnethash.o
 obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/ipset-4/Makefile.am

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 
-AM_CFLAGS = ${regular_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
+AM_CPPFLAGS = ${regular_CPPFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\" \
+            -DIP_NF_SET_HASHSIZE=1024
+AM_CFLAGS = ${regular_CFLAGS}
 
 include ../../Makefile.extra
 

extensions/ipset-4/Mbuild

@@ -4,4 +4,4 @@ obj-m += $(addprefix lib,$(patsubst %.c,%.so,$(notdir \
 	$(wildcard ${XA_SRCDIR}/ipset_*.c))))
 
 libipset_%.oo: ${XA_SRCDIR}/ipset_%.c
-	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CPPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CPPFLAGS} ${CFLAGS} -o $@ -c $<;

extensions/ipset-4/VERSION.txt

@@ -0,0 +1 @@
+4.5

extensions/ipset-4/ip_set.c

@@ -929,11 +929,11 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 	}
 	if (copy_from_user(data, user, len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *)data;
@@ -1109,6 +1109,7 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;
@@ -1142,11 +1143,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
 	}
 	if (copy_from_user(data, user, *len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *) data;
@@ -1439,6 +1440,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
     	
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;

extensions/ipset-4/ip_set_ipporthash.c

@@ -68,7 +68,7 @@ ipporthash_test(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 	if (flags[1] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset-4/ip_set_ipportiphash.c

@@ -72,8 +72,8 @@ ipportiphash_test(struct ip_set *set,
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
-	ip1 = ipaddr(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset-4/ip_set_ipportnethash.c

@@ -116,8 +116,8 @@ ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size)
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
-	ip1 = ipaddr(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset-4/ip_set_iptreemap.c

@@ -102,13 +102,13 @@ static struct ip_set_iptreemap_b *fullbitmap_b;
 		} \
 	}
 
-#define DELIP_WALK(map, elem, branch, cachep, full, flags) \
+#define DELIP_WALK(map, elem, branch, cachep, full) \
 	do { \
 		branch = (map)->tree[elem]; \
 		if (!branch) { \
 			return -EEXIST; \
 		} else if (branch == full) { \
-			branch = kmem_cache_alloc(cachep, flags); \
+			branch = kmem_cache_alloc(cachep, GFP_ATOMIC); \
 			if (!branch) \
 				return -ENOMEM; \
 			memcpy(branch, full, sizeof(*full)); \
@@ -116,7 +116,7 @@ static struct ip_set_iptreemap_b *fullbitmap_b;
 		} \
 	} while (0)
 
-#define DELIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free, flags) \
+#define DELIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free) \
 	for (a = a1; a <= a2; a++) { \
 		branch = (map)->tree[a]; \
 		if (branch) { \
@@ -126,7 +126,7 @@ static struct ip_set_iptreemap_b *fullbitmap_b;
 				(map)->tree[a] = NULL; \
 				continue; \
 			} else if (branch == full) { \
-				branch = kmem_cache_alloc(cachep, flags); \
+				branch = kmem_cache_alloc(cachep, GFP_ATOMIC); \
 				if (!branch) \
 					return -ENOMEM; \
 				memcpy(branch, full, sizeof(*branch)); \
@@ -331,7 +331,7 @@ UADT0(iptreemap, add, min(req->ip, req->end), max(req->ip, req->end))
 KADT(iptreemap, add, ipaddr, ip)
 
 static inline int
-__delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
+__delip_single(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -341,9 +341,9 @@ __delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
 
 	ABCD(a, b, c, d, &ip);
 
-	DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b, flags);
-	DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c, flags);
-	DELIP_WALK(ctree, c, dtree, cachep_d, fullbitmap_d, flags);
+	DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b);
+	DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c);
+	DELIP_WALK(ctree, c, dtree, cachep_d, fullbitmap_d);
 
 	if (!__test_and_clear_bit(d, (void *) dtree->bitmap))
 		return -EEXIST;
@@ -354,8 +354,7 @@ __delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
 }
 
 static inline int
-iptreemap_del(struct ip_set *set,
-	      ip_set_ip_t start, ip_set_ip_t end, gfp_t flags)
+iptreemap_del(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -366,15 +365,15 @@ iptreemap_del(struct ip_set *set,
 	unsigned char a2, b2, c2, d2;
 
 	if (start == end)
-		return __delip_single(set, start, flags);
+		return __delip_single(set, start);
 
 	ABCD(a1, b1, c1, d1, &start);
 	ABCD(a2, b2, c2, d2, &end);
 
 	/* This is sooo ugly... */
-	DELIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b, flags) {
-		DELIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c, flags) {
-			DELIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d, flags) {
+	DELIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b) {
+		DELIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c) {
+			DELIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d) {
 				for (d = GETVALUE3(a, b, c, a1, b1, c1, d1, 0); d <= GETVALUE3(a, b, c, a2, b2, c2, d2, 255); d++)
 					__clear_bit(d, (void *) dtree->bitmap);
 				__set_bit(b, (void *) btree->dirty);
@@ -385,8 +384,8 @@ iptreemap_del(struct ip_set *set,
 	return 0;
 }
 
-UADT0(iptreemap, del, min(req->ip, req->end), max(req->ip, req->end), GFP_KERNEL)
-KADT(iptreemap, del, ipaddr, ip, GFP_ATOMIC)
+UADT0(iptreemap, del, min(req->ip, req->end), max(req->ip, req->end))
+KADT(iptreemap, del, ipaddr, ip)
 
 /* Check the status of the bitmap
  * -1 == all bits cleared

extensions/ipset-4/ipset.8

@@ -502,9 +502,13 @@ data storage in
 set and add src to the first single or src,dst to the first double 
 data storage set in
 \fIb\fP.
-.P
 You can imagine a setlist type of set as an ordered union of
 the set elements. 
+.P
+Please note: by the ipset command you can add, delete and
+.B test
+the setnames in a setlist type of set, and not the presence of 
+a set's member (such as an IP address).
 .SH GENERAL RESTRICTIONS
 Setnames starting with colon (:) cannot be defined. Zero valued set 
 entries cannot be used with hash type of sets.

extensions/ipset-4/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "4.2"
+#define IPSET_VERSION "4.5"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/ipset-4/ipset_iphash.c

@@ -39,7 +39,7 @@ iphash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 8;
 	mydata->resize = 50;
 	

extensions/ipset-4/ipset_ipporthash.c

@@ -39,7 +39,7 @@ ipporthash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 8;
 	mydata->resize = 50;
 }

extensions/ipset-4/ipset_ipportiphash.c

@@ -39,7 +39,7 @@ ipportiphash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 8;
 	mydata->resize = 50;
 }

extensions/ipset-4/ipset_ipportnethash.c

@@ -39,7 +39,7 @@ ipportnethash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 8;
 	mydata->resize = 50;
 }

extensions/ipset-4/ipset_nethash.c

@@ -38,7 +38,7 @@ nethash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 4;
 	mydata->resize = 50;
 }

extensions/ipset-4/ipt_SET.c

@@ -29,7 +29,7 @@
 #include "../compat_xtables.h"
 
 static unsigned int
-target(struct sk_buff **pskb, const struct xt_target_param *par)
+target(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct ipt_set_info_target *info = par->targinfo;
 
@@ -45,7 +45,7 @@ target(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static bool
+static int
 checkentry(const struct xt_tgchk_param *par)
 {
 	struct ipt_set_info_target *info = par->targinfo;
@@ -54,7 +54,7 @@ checkentry(const struct xt_tgchk_param *par)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (targinfosize != IPT_ALIGN(sizeof(*info))) {
 		DP("bad target info size %u", targinfosize);
-		return 0;
+		return -EINVAL;
 	}
 #endif
 
@@ -63,7 +63,7 @@ checkentry(const struct xt_tgchk_param *par)
 		if (index == IP_SET_INVALID_ID) {
 			ip_set_printk("cannot find add_set index %u as target",
 				      info->add_set.index);
-			return 0;	/* error */
+			return -EINVAL;
 		}
 	}
 
@@ -72,16 +72,16 @@ checkentry(const struct xt_tgchk_param *par)
 		if (index == IP_SET_INVALID_ID) {
 			ip_set_printk("cannot find del_set index %u as target",
 				      info->del_set.index);
-			return 0;	/* error */
+			return -EINVAL;
 		}
 	}
 	if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
 	    || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
 		ip_set_printk("That's nasty!");
-		return 0;	/* error */
+		return -EINVAL;
 	}
 
-	return 1;
+	return 0;
 }
 
 static void destroy(const struct xt_tgdtor_param *par)

extensions/ipset-4/ipt_set.c

@@ -38,7 +38,7 @@ match_set(const struct ipt_set_info *info,
 }
 
 static bool
-match(const struct sk_buff *skb, const struct xt_match_param *par)
+match(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_set_info_match *info = par->matchinfo;
 		
@@ -47,7 +47,7 @@ match(const struct sk_buff *skb, const struct xt_match_param *par)
 			 info->match_set.flags[0] & IPSET_MATCH_INV);
 }
 
-static bool
+static int
 checkentry(const struct xt_mtchk_param *par)
 {
 	struct ipt_set_info_match *info = par->matchinfo;
@@ -56,7 +56,7 @@ checkentry(const struct xt_mtchk_param *par)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
 		ip_set_printk("invalid matchsize %d", matchsize);
-		return 0;
+		return -EINVAL;
 	}
 #endif
 
@@ -65,14 +65,14 @@ checkentry(const struct xt_mtchk_param *par)
 	if (index == IP_SET_INVALID_ID) {
 		ip_set_printk("Cannot find set indentified by id %u to match",
 			      info->match_set.index);
-		return 0;	/* error */
+		return -ENOENT;
 	}
 	if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
 		ip_set_printk("That's nasty!");
-		return 0;	/* error */
+		return -EINVAL;
 	}
 
-	return 1;
+	return 0;
 }
 
 static void destroy(const struct xt_mtdtor_param *par)

extensions/ipset-6/.gitignore

@@ -0,0 +1 @@
+/ipset

extensions/ipset-6/Kbuild

@@ -0,0 +1,11 @@
+# -*- Makefile -*-
+
+obj-m += xt_set.o
+obj-m += ip_set.o ip_set_bitmap_ip.o ip_set_bitmap_ipmac.o
+obj-m += ip_set_bitmap_port.o ip_set_hash_ip.o ip_set_hash_ipport.o
+obj-m += ip_set_hash_ipportip.o ip_set_hash_ipportnet.o ip_set_hash_net.o
+obj-m += ip_set_hash_netiface.o ip_set_hash_netport.o ip_set_list_set.o
+
+ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o
+
+EXTRA_CFLAGS += -DLCONFIG_IP_SET_MAX=256

extensions/ipset-6/Makefile.am

@@ -0,0 +1,25 @@
+# -*- Makefile -*-
+
+AM_CPPFLAGS = -I${srcdir}/include -DNDEBUG
+AM_CFLAGS = ${regular_CFLAGS} ${libmnl_CFLAGS}
+
+include ../../Makefile.extra
+
+lib_LTLIBRARIES = libipset.la
+libipset_la_SOURCES = libipset/data.c libipset/icmp.c libipset/icmpv6.c \
+                      libipset/mnl.c libipset/parse.c libipset/print.c \
+                      libipset/session.c libipset/types.c
+libipset_la_LIBADD  = ${libmnl_LIBS}
+libipset_la_LDFLAGS = -version-info 1:0:0
+
+sbin_PROGRAMS = ipset
+ipset_SOURCES = src/ipset.c src/errcode.c src/ui.c src/ipset_bitmap_ip.c \
+                src/ipset_bitmap_ipmac.c src/ipset_bitmap_port.c \
+                src/ipset_hash_ip.c src/ipset_hash_ipport.c \
+                src/ipset_hash_ipportip.c src/ipset_hash_ipportnet.c \
+                src/ipset_hash_net.c src/ipset_hash_netiface.c \
+                src/ipset_hash_netport.c \
+                src/ipset_list_set.c
+ipset_LDADD   = libipset.la
+
+man_MANS      = src/ipset.8

extensions/ipset-6/Mbuild

@@ -0,0 +1,2 @@
+# -*- Makefile -*-
+

extensions/ipset-6/README

@@ -0,0 +1,88 @@
+This is the ipset source tree. Follow the next steps to install ipset.
+If you upgrade from an earlier 5.x release, please read the UPGRADE
+instructions too.
+
+0. You need the source tree of your kernel (version >= 2.6.34)
+   and it have to be configured with ip6tables support enabled,
+   modules compiled. Please apply the netlink.patch against your kernel
+   tree, which adds the new subsystem identifier for ipset.
+
+   Recompile and install the patched kernel and its modules. Please note,
+   you have to run the patched kernel for ipset to work.
+
+   The ipset source code depends on the libmnl library so the library
+   must be installed. You can download the libmnl library from
+
+	git://git.netfilter.org/libmnl.git
+
+1. Initialize the compiling environment for ipset. The packages automake,
+   autoconf and libtool are required.
+
+   % ./autogen.sh
+
+2. Run `./configure` and then compile the ipset binary and the kernel
+   modules.
+
+   Configure parameters can be used to to override the default path
+   to the kernel source tree (/lib/modules/`uname -r`/build),
+   the maximum number of sets (256), the default hash sizes (1024).
+   See `./configure --help`.
+
+   % ./configure
+   % make
+   % make modules
+
+3. Install the binary and the kernel modules
+
+   # make install
+   # make modules_install
+
+   After installing the modules, you can run the testsuite as well.
+   Please note, several assumptions must be met for the testsuite:
+
+	- no sets defined
+	- iptables/ip6tables rules are not set up
+	- the destination for kernel logs is /var/log/kern.log
+	- the networks 10.255.255.0/24 and 1002:1002:1002:1002::/64
+	  are not in use
+	- sendip utility is installed
+
+   # make tests
+
+4. Cleanup the source tree
+
+   % make clean
+   % make modules_clean
+
+That's it! 
+
+Read the ipset(8) and iptables(8), ip6tables(8) manpages on how to use
+ipset and its match and target from iptables.
+
+Compatibilities and incompatibilities:
+
+- The ipset 6.x userspace utility contains a backward compatibility
+  interface to support the commandline syntax of ipset 4.x.
+  The commandline syntax of ipset 6.x is fully compatible with 5.x.
+- The ipset 6.x userspace utility can't talk to the kernel part of ipset 5.x
+  or 4.x.
+- The ipset 6.x kernel part can't talk to the userspace utility from
+  ipset 5.x or 4.x.
+- The ipset 6.x kernel part can work together with the set match and SET
+  target from iptables 1.4.7 and below, however if you need the IPv6 support
+  from ipset 6.x, then you have to use iptables 1.4.8 or above.
+
+The ipset 6.x can interpret the commandline syntax of ipset 4.x, however
+some internal changes mean different behaviour:
+
+- The "--matchunset" flag for the macipmap type is ignored and not used
+  anymore.
+- The "--probes" and "--resize" parameters of the hash types are ignored
+  and not used anymore.
+- The "--from", "--to" and "--network" parameters of the ipporthash,
+  ipportiphash and ipportnethash types are ignored and not used anymore.
+- The hash types are not resized when new entries are added by the SET
+  target. If you use a set together with the SET target, create it with
+  the proper size because it won't be resized automatically.
+- The iptree, iptreemap types are not implemented in ipset 6.x. The types
+  are automatically substituted with the hash:ip type.

extensions/ipset-6/VERSION.txt

@@ -0,0 +1 @@
+5.4.1-genl

extensions/ipset-6/include/libipset/data.h

@@ -0,0 +1,138 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_DATA_H
+#define LIBIPSET_DATA_H
+
+#include <stdbool.h>				/* bool */
+#include <libipset/nf_inet_addr.h>		/* union nf_inet_addr */
+
+/* Data options */
+enum ipset_opt {
+	IPSET_OPT_NONE = 0,
+	/* Common ones */
+	IPSET_SETNAME,
+	IPSET_OPT_TYPENAME,
+	IPSET_OPT_FAMILY,
+	/* CADT options */
+	IPSET_OPT_IP,
+	IPSET_OPT_IP_FROM = IPSET_OPT_IP,
+	IPSET_OPT_IP_TO,
+	IPSET_OPT_CIDR,
+	IPSET_OPT_PORT,
+	IPSET_OPT_PORT_FROM = IPSET_OPT_PORT,
+	IPSET_OPT_PORT_TO,
+	IPSET_OPT_TIMEOUT,
+	/* Create-specific options */
+	IPSET_OPT_GC,
+	IPSET_OPT_HASHSIZE,
+	IPSET_OPT_MAXELEM,
+	IPSET_OPT_NETMASK,
+	IPSET_OPT_PROBES,
+	IPSET_OPT_RESIZE,
+	IPSET_OPT_SIZE,
+	/* Create-specific options, filled out by the kernel */
+	IPSET_OPT_ELEMENTS,
+	IPSET_OPT_REFERENCES,
+	IPSET_OPT_MEMSIZE,
+	/* ADT-specific options */
+	IPSET_OPT_ETHER,
+	IPSET_OPT_NAME,
+	IPSET_OPT_NAMEREF,
+	IPSET_OPT_IP2,
+	IPSET_OPT_CIDR2,
+	IPSET_OPT_IP2_TO,
+	IPSET_OPT_PROTO,
+	IPSET_OPT_IFACE,
+	/* Swap/rename to */
+	IPSET_OPT_SETNAME2,
+	/* Flags */
+	IPSET_OPT_EXIST,
+	IPSET_OPT_BEFORE,
+	IPSET_OPT_PHYSDEV,
+	/* Internal options */
+	IPSET_OPT_FLAGS = 48,	/* IPSET_FLAG_EXIST| */
+	IPSET_OPT_CADT_FLAGS,	/* IPSET_FLAG_BEFORE| */
+	IPSET_OPT_ELEM,
+	IPSET_OPT_TYPE,
+	IPSET_OPT_LINENO,
+	IPSET_OPT_REVISION,
+	IPSET_OPT_REVISION_MIN,
+	IPSET_OPT_MAX,
+};
+
+#define IPSET_FLAG(opt)		(1LL << (opt))
+#define IPSET_FLAGS_ALL		(~0LL)
+
+#define IPSET_CREATE_FLAGS		\
+	(IPSET_FLAG(IPSET_OPT_FAMILY)	\
+	| IPSET_FLAG(IPSET_OPT_TYPENAME)\
+	| IPSET_FLAG(IPSET_OPT_TYPE)	\
+	| IPSET_FLAG(IPSET_OPT_IP)	\
+	| IPSET_FLAG(IPSET_OPT_IP_TO)	\
+	| IPSET_FLAG(IPSET_OPT_CIDR)	\
+	| IPSET_FLAG(IPSET_OPT_PORT)	\
+	| IPSET_FLAG(IPSET_OPT_PORT_TO)	\
+	| IPSET_FLAG(IPSET_OPT_TIMEOUT)	\
+	| IPSET_FLAG(IPSET_OPT_GC)	\
+	| IPSET_FLAG(IPSET_OPT_HASHSIZE)\
+	| IPSET_FLAG(IPSET_OPT_MAXELEM)	\
+	| IPSET_FLAG(IPSET_OPT_NETMASK)	\
+	| IPSET_FLAG(IPSET_OPT_PROBES)	\
+	| IPSET_FLAG(IPSET_OPT_RESIZE)	\
+	| IPSET_FLAG(IPSET_OPT_SIZE))
+
+#define IPSET_ADT_FLAGS			\
+	(IPSET_FLAG(IPSET_OPT_IP)	\
+	| IPSET_FLAG(IPSET_OPT_IP_TO)	\
+	| IPSET_FLAG(IPSET_OPT_CIDR)	\
+	| IPSET_FLAG(IPSET_OPT_PORT)	\
+	| IPSET_FLAG(IPSET_OPT_PORT_TO)	\
+	| IPSET_FLAG(IPSET_OPT_TIMEOUT)	\
+	| IPSET_FLAG(IPSET_OPT_ETHER)	\
+	| IPSET_FLAG(IPSET_OPT_NAME)	\
+	| IPSET_FLAG(IPSET_OPT_NAMEREF)	\
+	| IPSET_FLAG(IPSET_OPT_IP2)	\
+	| IPSET_FLAG(IPSET_OPT_CIDR2)	\
+	| IPSET_FLAG(IPSET_OPT_PROTO)	\
+	| IPSET_FLAG(IPSET_OPT_IFACE) \
+	| IPSET_FLAG(IPSET_OPT_CADT_FLAGS)\
+	| IPSET_FLAG(IPSET_OPT_BEFORE) \
+	| IPSET_FLAG(IPSET_OPT_PHYSDEV))
+
+struct ipset_data;
+
+extern void ipset_strlcpy(char *dst, const char *src, size_t len);
+extern bool ipset_data_flags_test(const struct ipset_data *data,
+				  uint64_t flags);
+extern void ipset_data_flags_set(struct ipset_data *data, uint64_t flags);
+extern void ipset_data_flags_unset(struct ipset_data *data, uint64_t flags);
+extern bool ipset_data_ignored(struct ipset_data *data, enum ipset_opt opt);
+
+extern int ipset_data_set(struct ipset_data *data, enum ipset_opt opt,
+			  const void *value);
+extern const void *ipset_data_get(const struct ipset_data *data,
+				  enum ipset_opt opt);
+
+static inline bool
+ipset_data_test(const struct ipset_data *data, enum ipset_opt opt)
+{
+	return ipset_data_flags_test(data, IPSET_FLAG(opt));
+}
+
+/* Shortcuts */
+extern const char *ipset_data_setname(const struct ipset_data *data);
+extern uint8_t ipset_data_family(const struct ipset_data *data);
+extern uint8_t ipset_data_cidr(const struct ipset_data *data);
+extern uint64_t ipset_data_flags(const struct ipset_data *data);
+
+extern void ipset_data_reset(struct ipset_data *data);
+extern struct ipset_data *ipset_data_init(void);
+extern void ipset_data_fini(struct ipset_data *data);
+
+extern size_t ipset_data_sizeof(enum ipset_opt opt, uint8_t family);
+
+#endif /* LIBIPSET_DATA_H */

extensions/ipset-6/include/libipset/debug.h

@@ -0,0 +1,33 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_DEBUG_H
+#define LIBIPSET_DEBUG_H
+
+#ifdef IPSET_DEBUG
+#include <stdio.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#define D(fmt, args...) \
+	fprintf(stderr, "%s: %s: " fmt "\n", __FILE__, __func__ , ## args)
+#define IF_D(test, fmt, args...) \
+	if (test)		 \
+		D(fmt , ## args)
+
+static inline void
+dump_nla(struct  nlattr *nla[], int maxlen)
+{
+	int i;
+	for (i = 0; i < maxlen; i++)
+		D("nla[%u] does%s exist", i, nla[i] ? "" : " NOT");
+}
+#else
+#define D(fmt, args...)
+#define IF_D(test, fmt, args...)
+#define dump_nla(nla, maxlen)
+#endif
+
+#endif /* LIBIPSET_DEBUG_H */

extensions/ipset-6/include/libipset/errcode.h

@@ -0,0 +1,24 @@
+/* Copyright 2007-2008 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_ERRCODE_H
+#define LIBIPSET_ERRCODE_H
+
+#include <libipset/linux_ip_set.h>		/* enum ipset_cmd */
+
+struct ipset_session;
+
+/* Kernel error code to message table */
+struct ipset_errcode_table {
+	int errcode;		/* error code returned by the kernel */
+	enum ipset_cmd cmd;	/* issued command */
+	const char *message;	/* error message the code translated to */
+};
+
+extern int ipset_errcode(struct ipset_session *session, enum ipset_cmd cmd,
+			 int errcode);
+
+#endif /* LIBIPSET_ERRCODE_H */

extensions/ipset-6/include/libipset/icmp.h

@@ -0,0 +1,16 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_ICMP_H
+#define LIBIPSET_ICMP_H
+
+#include <stdint.h>				/* uintxx_t */
+
+extern const char *id_to_icmp(uint8_t id);
+extern const char *icmp_to_name(uint8_t type, uint8_t code);
+extern int name_to_icmp(const char *str, uint16_t *typecode);
+
+#endif /* LIBIPSET_ICMP_H */

extensions/ipset-6/include/libipset/icmpv6.h

@@ -0,0 +1,16 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_ICMPV6_H
+#define LIBIPSET_ICMPV6_H
+
+#include <stdint.h>				/* uintxx_t */
+
+extern const char *id_to_icmpv6(uint8_t id);
+extern const char *icmpv6_to_name(uint8_t type, uint8_t code);
+extern int name_to_icmpv6(const char *str, uint16_t *typecode);
+
+#endif /* LIBIPSET_ICMPV6_H */

extensions/ipset-6/include/libipset/linux_ip_set.h

@@ -0,0 +1,171 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+/* The protocol version */
+#define IPSET_PROTOCOL		0x60
+
+/* The max length of strings including NUL: set and type identifiers */
+#define IPSET_MAXNAMELEN	32
+
+/* Message types and commands */
+enum ipset_cmd {
+	IPSET_CMD_NONE,
+	IPSET_CMD_PROTOCOL,	/* 1: Return protocol version */
+	IPSET_CMD_CREATE,	/* 2: Create a new (empty) set */
+	IPSET_CMD_DESTROY,	/* 3: Destroy a (empty) set */
+	IPSET_CMD_FLUSH,	/* 4: Remove all elements from a set */
+	IPSET_CMD_RENAME,	/* 5: Rename a set */
+	IPSET_CMD_SWAP,		/* 6: Swap two sets */
+	IPSET_CMD_LIST,		/* 7: List sets */
+	IPSET_CMD_SAVE,		/* 8: Save sets */
+	IPSET_CMD_ADD,		/* 9: Add an element to a set */
+	IPSET_CMD_DEL,		/* 10: Delete an element from a set */
+	IPSET_CMD_TEST,		/* 11: Test an element in a set */
+	IPSET_CMD_HEADER,	/* 12: Get set header data only */
+	IPSET_CMD_TYPE,		/* 13: Get set type */
+	IPSET_MSG_MAX,		/* Netlink message commands */
+
+	/* Commands in userspace: */
+	IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
+	IPSET_CMD_HELP,		/* 15: Get help */
+	IPSET_CMD_VERSION,	/* 16: Get program version */
+	IPSET_CMD_QUIT,		/* 17: Quit from interactive mode */
+
+	IPSET_CMD_MAX,
+
+	IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
+};
+
+/* Attributes at command level */
+enum {
+	IPSET_ATTR_UNSPEC,
+	IPSET_ATTR_PROTOCOL,	/* 1: Protocol version */
+	IPSET_ATTR_SETNAME,	/* 2: Name of the set */
+	IPSET_ATTR_TYPENAME,	/* 3: Typename */
+	IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
+	IPSET_ATTR_REVISION,	/* 4: Settype revision */
+	IPSET_ATTR_FAMILY,	/* 5: Settype family */
+	IPSET_ATTR_FLAGS,	/* 6: Flags at command level */
+	IPSET_ATTR_DATA,	/* 7: Nested attributes */
+	IPSET_ATTR_ADT,		/* 8: Multiple data containers */
+	IPSET_ATTR_LINENO,	/* 9: Restore lineno */
+	IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
+	IPSET_ATTR_REVISION_MIN	= IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
+	__IPSET_ATTR_CMD_MAX,
+};
+#define IPSET_ATTR_CMD_MAX	(__IPSET_ATTR_CMD_MAX - 1)
+
+/* CADT specific attributes */
+enum {
+	IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
+	IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
+	IPSET_ATTR_IP_TO,	/* 2 */
+	IPSET_ATTR_CIDR,	/* 3 */
+	IPSET_ATTR_PORT,	/* 4 */
+	IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
+	IPSET_ATTR_PORT_TO,	/* 5 */
+	IPSET_ATTR_TIMEOUT,	/* 6 */
+	IPSET_ATTR_PROTO,	/* 7 */
+	IPSET_ATTR_CADT_FLAGS,	/* 8 */
+	IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,	/* 9 */
+	/* Reserve empty slots */
+	IPSET_ATTR_CADT_MAX = 16,
+	/* Create-only specific attributes */
+	IPSET_ATTR_GC,
+	IPSET_ATTR_HASHSIZE,
+	IPSET_ATTR_MAXELEM,
+	IPSET_ATTR_NETMASK,
+	IPSET_ATTR_PROBES,
+	IPSET_ATTR_RESIZE,
+	IPSET_ATTR_SIZE,
+	/* Kernel-only */
+	IPSET_ATTR_ELEMENTS,
+	IPSET_ATTR_REFERENCES,
+	IPSET_ATTR_MEMSIZE,
+
+	__IPSET_ATTR_CREATE_MAX,
+};
+#define IPSET_ATTR_CREATE_MAX	(__IPSET_ATTR_CREATE_MAX - 1)
+
+/* ADT specific attributes */
+enum {
+	IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
+	IPSET_ATTR_NAME,
+	IPSET_ATTR_NAMEREF,
+	IPSET_ATTR_IP2,
+	IPSET_ATTR_CIDR2,
+	IPSET_ATTR_IP2_TO,
+	IPSET_ATTR_IFACE,
+	__IPSET_ATTR_ADT_MAX,
+};
+#define IPSET_ATTR_ADT_MAX	(__IPSET_ATTR_ADT_MAX - 1)
+
+/* IP specific attributes */
+enum {
+	IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
+	IPSET_ATTR_IPADDR_IPV6,
+	__IPSET_ATTR_IPADDR_MAX,
+};
+#define IPSET_ATTR_IPADDR_MAX	(__IPSET_ATTR_IPADDR_MAX - 1)
+
+/* Error codes */
+enum ipset_errno {
+	IPSET_ERR_PRIVATE = 4096,
+	IPSET_ERR_PROTOCOL,
+	IPSET_ERR_FIND_TYPE,
+	IPSET_ERR_MAX_SETS,
+	IPSET_ERR_BUSY,
+	IPSET_ERR_EXIST_SETNAME2,
+	IPSET_ERR_TYPE_MISMATCH,
+	IPSET_ERR_EXIST,
+	IPSET_ERR_INVALID_CIDR,
+	IPSET_ERR_INVALID_NETMASK,
+	IPSET_ERR_INVALID_FAMILY,
+	IPSET_ERR_TIMEOUT,
+	IPSET_ERR_REFERENCED,
+	IPSET_ERR_IPADDR_IPV4,
+	IPSET_ERR_IPADDR_IPV6,
+
+	/* Type specific error codes */
+	IPSET_ERR_TYPE_SPECIFIC = 4352,
+};
+
+/* Flags at command level */
+enum ipset_cmd_flags {
+	IPSET_FLAG_BIT_EXIST	= 0,
+	IPSET_FLAG_EXIST	= (1 << IPSET_FLAG_BIT_EXIST),
+	IPSET_FLAG_BIT_LIST_SETNAME = 1,
+	IPSET_FLAG_LIST_SETNAME	= (1 << IPSET_FLAG_BIT_LIST_SETNAME),
+	IPSET_FLAG_BIT_LIST_HEADER = 2,
+	IPSET_FLAG_LIST_HEADER	= (1 << IPSET_FLAG_BIT_LIST_HEADER),
+};
+
+/* Flags at CADT attribute level */
+enum ipset_cadt_flags {
+	IPSET_FLAG_BIT_BEFORE	= 0,
+	IPSET_FLAG_BEFORE	= (1 << IPSET_FLAG_BIT_BEFORE),
+	IPSET_FLAG_BIT_PHYSDEV	= 1,
+	IPSET_FLAG_PHYSDEV	= (1 << IPSET_FLAG_BIT_PHYSDEV),
+};
+
+/* Commands with settype-specific attributes */
+enum ipset_adt {
+	IPSET_ADD,
+	IPSET_DEL,
+	IPSET_TEST,
+	IPSET_ADT_MAX,
+	IPSET_CREATE = IPSET_ADT_MAX,
+	IPSET_CADT_MAX,
+};
+
+#endif /* __IP_SET_H */

extensions/ipset-6/include/libipset/linux_ip_set_bitmap.h

@@ -0,0 +1,12 @@
+#ifndef __IP_SET_BITMAP_H
+#define __IP_SET_BITMAP_H
+
+/* Bitmap type specific error codes */
+enum {
+	/* The element is out of the range of the set */
+	IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
+	/* The range exceeds the size limit of the set type */
+	IPSET_ERR_BITMAP_RANGE_SIZE,
+};
+
+#endif /* __IP_SET_BITMAP_H */

extensions/ipset-6/include/libipset/linux_ip_set_hash.h

@@ -0,0 +1,20 @@
+#ifndef __IP_SET_HASH_H
+#define __IP_SET_HASH_H
+
+/* Hash type specific error codes */
+enum {
+	/* Hash is full */
+	IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
+	/* Null-valued element */
+	IPSET_ERR_HASH_ELEM,
+	/* Invalid protocol */
+	IPSET_ERR_INVALID_PROTO,
+	/* Protocol missing but must be specified */
+	IPSET_ERR_MISSING_PROTO,
+	/* Range not supported */
+	IPSET_ERR_HASH_RANGE_UNSUPPORTED,
+	/* Invalid range */
+	IPSET_ERR_HASH_RANGE,
+};
+
+#endif /* __IP_SET_HASH_H */

extensions/ipset-6/include/libipset/linux_ip_set_list.h

@@ -0,0 +1,20 @@
+#ifndef __IP_SET_LIST_H
+#define __IP_SET_LIST_H
+
+/* List type specific error codes */
+enum {
+	/* Set name to be added/deleted/tested does not exist. */
+	IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
+	/* list:set type is not permitted to add */
+	IPSET_ERR_LOOP,
+	/* Missing reference set */
+	IPSET_ERR_BEFORE,
+	/* Reference set does not exist */
+	IPSET_ERR_NAMEREF,
+	/* Set is full */
+	IPSET_ERR_LIST_FULL,
+	/* Reference set is not added to the set */
+	IPSET_ERR_REF_EXIST,
+};
+
+#endif /* __IP_SET_LIST_H */

extensions/ipset-6/include/libipset/mnl.h

@@ -0,0 +1,29 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_MNL_H
+#define LIBIPSET_MNL_H
+
+#include <stdint.h>				/* uintxx_t */
+#include <libmnl/libmnl.h>			/* libmnl backend */
+
+#include <libipset/transport.h>			/* struct ipset_transport */
+
+#ifndef NFNETLINK_V0
+#define NFNETLINK_V0		0
+
+struct nfgenmsg {
+	uint8_t nfgen_family;
+	uint8_t version;
+	uint16_t res_id;
+};
+#endif
+
+extern int ipset_get_nlmsg_type(const struct nlmsghdr *nlh);
+
+extern const struct ipset_transport ipset_mnl_transport;
+
+#endif /* LIBIPSET_MNL_H */

extensions/ipset-6/include/libipset/nf_inet_addr.h

@@ -0,0 +1,22 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_NF_INET_ADDR_H
+#define LIBIPSET_NF_INET_ADDR_H
+
+#include <stdint.h>				/* uint32_t */
+#include <netinet/in.h>				/* struct in[6]_addr */
+
+/* The structure to hold IP addresses, same as in linux/netfilter.h */
+union nf_inet_addr {
+	uint32_t	all[4];
+	uint32_t	ip;
+	uint32_t	ip6[4];
+	struct in_addr	in;
+	struct in6_addr in6;
+};
+
+#endif /* LIBIPSET_NF_INET_ADDR_H */