Xtables-addons 1.31

This patch adds a module which is useful to users of grsecurity's RBAC
system. It matches packets based on whether RBAC is enabled or
disabled.

See: http://grsecurity.net/

Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>

Jan Engelhardt> Also, I do not see a xt_gradm.c in this patch.

This [xt_gradm.c] is part of the grsecurity patch which not only adds
the Xtables code, but also the RBAC code. Without the entire RBAC
stuff, xt_gradm does not make sense and so it is included with the
grsecurity patch to the kernel, and not this patch to Xtables-addons.

>Can you elaborate a bit on how this is useful in conjunction with
>rulesets? I could imagine it be used with LSM selctx'es for example,
>or another extension that tests for other RBAC attributes.

The idea here is that when the RBAC rulesets are not being enforced,
the system is more vulnerable and the user wants stricter firewall
rules. When RBAC is being enforced, one can relax the firewall and
access to services which are now better protected. In practice this
usually means allowing only access to some trusted IP(s) on boot
before RBAC is turned on.

Makefile.am

@@ -1,7 +1,7 @@
 # -*- Makefile -*-
 
 ACLOCAL_AMFLAGS  = -I m4
-SUBDIRS          = extensions
+SUBDIRS          = extensions geoip
 
 man_MANS := xtables-addons.8
 
@@ -16,10 +16,15 @@ install-exec-hook:
 
 config.status: Makefile.iptrules.in
 
+tmpdir := $(shell mktemp -dtu)
+packer  = xz
+packext = .tar.xz
+
 .PHONY: tarball
 tarball:
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
-	pushd ${top_srcdir} && git archive --prefix=xtables-addons-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
-	pushd /tmp/xtables-addons-${PACKAGE_VERSION} && ./autogen.sh && popd;
-	tar -C /tmp -cjf xtables-addons-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root xtables-addons-${PACKAGE_VERSION}/;
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
+# do not use mkdir_p here.
+	mkdir ${tmpdir}
+	pushd ${top_srcdir} && git archive --prefix=${PACKAGE_NAME}-${PACKAGE_VERSION}/ HEAD | tar -C ${tmpdir} -x && popd;
+	pushd ${tmpdir}/${PACKAGE_NAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
+	tar --use=${packer} -C ${tmpdir} -cf ${PACKAGE_NAME}-${PACKAGE_VERSION}${packext} --owner=root --group=root ${PACKAGE_NAME}-${PACKAGE_VERSION}/;
+	rm -Rf ${tmpdir};

Makefile.iptrules.in

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 # MANUAL
 
+abs_top_srcdir  = @abs_top_srcdir@
+
 prefix          = @prefix@
 exec_prefix     = @exec_prefix@
 libexecdir      = @libexecdir@
@@ -8,11 +10,13 @@ xtlibdir        = @xtlibdir@
 
 CC              = @CC@
 CCLD            = ${CC}
+CFLAGS          = @CFLAGS@
+LDFLAGS         = @LDFLAGS@
 
 regular_CFLAGS  = @regular_CFLAGS@
 libxtables_CFLAGS = @libxtables_CFLAGS@
 libxtables_LIBS   = @libxtables_LIBS@
-AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS}
+AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS} -I${abs_top_srcdir}/extensions
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
 AM_DEFAULT_VERBOSITY = 0

Makefile.mans.in

@@ -3,8 +3,8 @@
 
 srcdir := @srcdir@
 
-wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
-wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
+wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man' | sort)
+wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man' | sort)
 wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
 wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
 

configure.ac

@@ -1,9 +1,9 @@
 
-AC_INIT([xtables-addons], [1.25])
+AC_INIT([xtables-addons], [1.31])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
+AM_INIT_AUTOMAKE([1.10.2 -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -21,15 +21,17 @@ if [[ "$kbuilddir" == no ]]; then
 	kbuilddir="";
 fi
 
-AC_ARG_WITH([xtlibdir],
-	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
-	[xtlibdir="$withval"],
-	[xtlibdir='${libexecdir}/xtables'])
-
-PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
+xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
+
+AC_ARG_WITH([xtlibdir],
+	AS_HELP_STRING([--with-xtlibdir=PATH],
+	[Path where to install Xtables extensions [[autodetect]]]]),
+	[xtlibdir="$withval"])
+AC_MSG_CHECKING([Xtables module directory])
+AC_MSG_RESULT([$xtlibdir])
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
@@ -46,6 +48,7 @@ if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
 	# Well, just a warning. Maybe the admin updated the kernel.
 	echo "WARNING: This distribution's shipped kernel is not supported.";
 fi;
+AC_MSG_CHECKING([kernel version that we will build against])
 krel="$(make -sC ${kbuilddir} kernelrelease)";
 krel="${krel%%-*}";
 kmajor="${krel%%.*}";
@@ -54,27 +57,33 @@ kminor="${krel%%.*}";
 krel="${krel#*.}";
 kmicro="${krel%%.*}";
 if test "$kmicro" = "$krel"; then
+	kmicro="$(($kmicro+0))"; # Get rid of non numbers ("2.6.36+" -> "2.6.36")
 	kstable=0;
 else
+	kmicro="$(($kmicro+0))";
 	kstable="${krel#*.}";
-	if test -z "$kstable"; then
-		kstable=0;
-	fi;
+	kstable="$(($kstable+0))";
 fi;
-echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 34; then
-	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
-elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
-    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
-    "$kstable" -lt 5 \); then
-	echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
-	exit 1;
+if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
+	echo "WARNING: Version detection did not succeed. Continue at own luck.";
+else
+	echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+	if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 36; then
+		echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
+	elif test \( "$kmajor" -lt 2 -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -lt 6 \) -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -eq 0 -a "$kmicro" -lt 17 \) -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
+	    "$kstable" -lt 5 \) \); then
+		echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
+		exit 1;
+	fi;
 fi;
 
 AC_SUBST([regular_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([xtlibdir])
-AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
+AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans geoip/Makefile
 	extensions/Makefile extensions/ACCOUNT/Makefile
 	extensions/ipset/Makefile extensions/pknock/Makefile])
 AC_OUTPUT

doc/api/2.6.17.c

@@ -0,0 +1,64 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+		void *userdata,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+	);

doc/api/2.6.19.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.23.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.24.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.28.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.31.c

@@ -0,0 +1,38 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.32.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.35.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/xt-a.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/changelog.txt

@@ -3,6 +3,60 @@ HEAD
 ====
 
 
+v1.31 (November 05 2010)
+========================
+- LOGMARK: print remaining lifetime of cts
+- build: improve detection of kernel version and error handling
+- build: automatically derive Xtables module directory, thus
+  --with-xtlibdir is no longer needed for ./configure in most cases
+  (If I still see a distro using it, I will scold you for not
+  reading this changelog.)
+- xt_iface: allow matching against incoming/outgoing interface
+- libxt_gradm: match packets based on status of grsecurity RBAC
+  (userspace part only - xt_gradm is in the grsec patch)
+
+
+v1.30 (October 02 2010)
+=======================
+- update to ipset 4.4
+  * ipport{,ip,net}hash did not work with mixed "src" and "dst"
+    destination parameters
+- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
+  merged upstream in Linux 2.6.35 and 2.6.36, respectively.
+  Distros still wishing to build this need to enable it in their build
+  script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
+
+
+v1.29 (September 29 2010)
+=========================
+- compat_xtables: return bool for match_check and target_check in 2.6.23..34
+- ipset: enable building of ip_set_ipport{ip,net}hash.ko
+- support for Linux 2.6.36
+- SYSRQ: resolve compile error with Linux 2.6.36
+- TEE: resolve compile error with Linux 2.6.36
+- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
+  ("implicit declaration of function 'ALIGN'")
+
+
+Xtables-addons 1.28 (July 24 2010)
+==================================
+- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
+- new target xt_CHECKSUM
+- xt_length2: add support for IPv6 jumbograms
+- xt_geoip: fix possible out-of-bounds access
+- import xt_geoip database scripts
+
+
+Xtables-addons 1.27 (May 16 2010)
+=================================
+- further updates for the upcoming 2.6.35 changes
+
+
+Xtables-addons 1.26 (April 30 2010)
+===================================
+- compat_xtables: fix 2.6.34 compile error due to a typo
+
+
 Xtables-addons 1.25 (April 26 2010)
 ===================================
 - TEE: do rechecksumming in PREROUTING too

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -12,6 +12,7 @@
 #include <stddef.h>
 #include <xtables.h>
 #include "xt_ACCOUNT.h"
+#include "compat_user.h"
 
 static struct option account_tg_opts[] = {
 	{.name = "addr",  .has_arg = true, .val = 'a'},

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -478,7 +478,7 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
 	}
 }
 
-static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target_param *par)
+static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct ipt_acc_info *info =
 		par->targinfo;
@@ -494,7 +494,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 			"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
 			NIPQUAD(src_ip), NIPQUAD(dst_ip));
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 8 bit network or "any" network */
@@ -506,7 +506,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 16 bit network */
@@ -517,7 +517,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 24 bit network */
@@ -528,7 +528,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	printk("ACCOUNT: ipt_acc_target: Unable to process packet. "
@@ -536,7 +536,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_target
 		info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
 
 	spin_unlock_bh(&ipt_acc_lock);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 /*

extensions/Kbuild

@@ -7,6 +7,7 @@ obj-m                    += compat_xtables.o
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
+obj-${build_CHECKSUM}    += xt_CHECKSUM.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o

extensions/Mbuild

@@ -2,6 +2,7 @@
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
+obj-${build_CHECKSUM}    += libxt_CHECKSUM.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_ECHO}        += libxt_ECHO.so
@@ -24,3 +25,4 @@ obj-${build_lscan}       += libxt_lscan.so
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so
+obj-${build_gradm}       += libxt_gradm.so

extensions/compat_user.h

@@ -0,0 +1,12 @@
+/*
+ *	Userspace-level compat hacks
+ */
+#ifndef _XTABLES_COMPAT_USER_H
+#define _XTABLES_COMPAT_USER_H 1
+
+/* linux-glibc-devel 2.6.34 header screwup */
+#ifndef ALIGN
+#	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
+#endif
+
+#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -1,6 +1,6 @@
 /*
  *	API compat layer
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License, either
@@ -34,25 +34,49 @@ static bool xtnu_match_run(const struct sk_buff *skb,
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);
-	bool lo_drop = false, lo_ret;
-	struct xt_match_param local_par = {
-		.in        = in,
-		.out       = out,
-		.match     = cm,
-		.matchinfo = matchinfo,
-		.fragoff   = offset,
-		.thoff     = protoff,
-		.hotdrop   = &lo_drop,
-		.family    = NFPROTO_UNSPEC, /* don't have that info */
-	};
+	bool lo_ret;
+	struct xt_action_param local_par;
+	local_par.in        = in;
+	local_par.out       = out;
+	local_par.match     = cm;
+	local_par.matchinfo = matchinfo;
+	local_par.fragoff   = offset;
+	local_par.thoff     = protoff;
+	local_par.hotdrop   = false;
+	local_par.family    = NFPROTO_UNSPEC; /* don't have that info */
 
 	if (nm == NULL || nm->match == NULL)
 		return false;
 	lo_ret = nm->match(skb, &local_par);
-	*hotdrop = lo_drop;
+	*hotdrop = local_par.hotdrop;
 	return lo_ret;
 }
 #endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_match_run(const struct sk_buff *skb,
+    const struct xt_match_param *par)
+{
+	struct xtnu_match *nm = xtcompat_numatch(par->match);
+	struct xt_action_param local_par;
+	bool ret;
+
+	local_par.in        = par->in;
+	local_par.out       = par->out;
+	local_par.match     = par->match;
+	local_par.matchinfo = par->matchinfo;
+	local_par.fragoff   = par->fragoff;
+	local_par.thoff     = par->thoff;
+	local_par.hotdrop   = false;
+	local_par.family    = par->family;
+
+	if (nm == NULL || nm->match == NULL)
+		return false;
+	ret = nm->match(skb, &local_par);
+	*par->hotdrop = local_par.hotdrop;
+	return ret;
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_match_check(const char *table, const void *entry,
@@ -81,7 +105,11 @@ static bool xtnu_match_check(const char *table, const void *entry,
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nm->checkentry(&local_par);
+#else
+	return nm->checkentry(&local_par) == 0;
+#endif
 }
 #endif
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
@@ -94,7 +122,7 @@ static bool xtnu_match_check(const struct xt_mtchk_param *par)
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
-	return nm->checkentry(par) == 0 ? true : false;
+	return nm->checkentry(par) == 0;
 }
 #endif
 
@@ -144,6 +172,10 @@ int xtnu_register_match(struct xtnu_match *nt)
 	ct->match      = xtnu_match_run;
 	ct->checkentry = xtnu_match_check;
 	ct->destroy    = xtnu_match_destroy;
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	ct->match      = xtnu_match_run;
+	ct->checkentry = xtnu_match_check;
+	ct->destroy    = nt->destroy;
 #else
 	ct->match      = nt->match;
 	ct->checkentry = xtnu_match_check;
@@ -207,35 +239,55 @@ static unsigned int xtnu_target_run(struct sk_buff **pskb,
 static unsigned int xtnu_target_run(struct sk_buff *skb,
     const struct net_device *in, const struct net_device *out,
     unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-#else
-static unsigned int
-xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
 #endif
-{
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+{
 	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_target_param local_par = {
-		.in       = in,
-		.out      = out,
-		.hooknum  = hooknum,
-		.target   = ct,
-		.targinfo = targinfo,
-		.family   = NFPROTO_UNSPEC,
-	};
-#else
-	struct xtnu_target *nt = xtcompat_nutarget(par->target);
-#endif
+	struct xt_action_param local_par;
+
+	local_par.in       = in;
+	local_par.out      = out;
+	local_par.hooknum  = hooknum;
+	local_par.target   = ct;
+	local_par.targinfo = targinfo;
+	local_par.family   = NFPROTO_UNSPEC;
 
 	if (nt != NULL && nt->target != NULL)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 		return nt->target(pskb, &local_par);
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 		return nt->target(&skb, &local_par);
-#else
-		return nt->target(&skb, par);
 #endif
 	return XT_CONTINUE;
 }
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+	struct xt_action_param local_par;
+
+	local_par.in       = par->in;
+	local_par.out      = par->out;
+	local_par.hooknum  = par->hooknum;
+	local_par.target   = par->target;
+	local_par.targinfo = par->targinfo;
+	local_par.family   = par->family;
+
+	return nt->target(&skb, &local_par);
+}
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+
+	return nt->target(&skb, par);
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_target_check(const char *table, const void *entry,
@@ -265,12 +317,16 @@ static bool xtnu_target_check(const char *table, const void *entry,
 	if (nt->checkentry == NULL)
 		/* this is valid, just like if there was no function */
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nt->checkentry(&local_par);
+#else
+	return nt->checkentry(&local_par) == 0;
+#endif
 }
 #endif
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
-    LINUX_VERSION_CODE <  KERNEL_VERSION(2, 6, 34)
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 static bool xtnu_target_check(const struct xt_tgchk_param *par)
 {
 	struct xtnu_target *nt = xtcompat_nutarget(par->target);
@@ -279,7 +335,7 @@ static bool xtnu_target_check(const struct xt_tgchk_param *par)
 		return false;
 	if (nt->checkentry == NULL)
 		return true;
-	return nt->checkentry(par) == 0 ? true : false;
+	return nt->checkentry(par) == 0;
 }
 #endif
 

extensions/compat_xtables.h

@@ -86,6 +86,11 @@
 #	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+#	define rt_dst(rt)	(&(rt)->dst)
+#else
+#	define rt_dst(rt)	(&(rt)->u.dst)
+#endif
 
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \

extensions/compat_xtnu.h

@@ -32,16 +32,6 @@ enum {
 	NFPROTO_NUMPROTO,
 };
 
-struct xt_match_param {
-	const struct net_device *in, *out;
-	const struct xt_match *match;
-	const void *matchinfo;
-	int fragoff;
-	unsigned int thoff;
-	bool *hotdrop;
-	u_int8_t family;
-};
-
 struct xt_mtchk_param {
 	const char *table;
 	const void *entryinfo;
@@ -81,33 +71,52 @@ struct xt_tgdtor_param {
 };
 #endif
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+struct xt_action_param {
+	union {
+		const struct xt_match *match;
+		const struct xt_target *target;
+	};
+	union {
+		const void *matchinfo, *targinfo;
+	};
+	const struct net_device *in, *out;
+	int fragoff;
+	unsigned int thoff, hooknum;
+	u_int8_t family;
+	bool hotdrop;
+};
+#endif
+
 struct xtnu_match {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
-	bool (*match)(const struct sk_buff *, const struct xt_match_param *);
+	/*
+	 * Making it smaller by sizeof(void *) on purpose to catch
+	 * lossy translation, if any.
+	 */
+	char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
+	bool (*match)(const struct sk_buff *, struct xt_action_param *);
 	int (*checkentry)(const struct xt_mtchk_param *);
 	void (*destroy)(const struct xt_mtdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int matchsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_match;
 };
 
 struct xtnu_target {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
+	char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
 	unsigned int (*target)(struct sk_buff **,
-		const struct xt_target_param *);
+		const struct xt_action_param *);
 	int (*checkentry)(const struct xt_tgchk_param *);
 	void (*destroy)(const struct xt_tgdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int targetsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_target;
 };

extensions/ipset/Kbuild

@@ -3,4 +3,5 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
+obj-m += ip_set_ipportiphash.o ip_set_ipportnethash.o
 obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/ipset/ip_set.c

@@ -929,11 +929,11 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 	}
 	if (copy_from_user(data, user, len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *)data;
@@ -1109,6 +1109,7 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;
@@ -1142,11 +1143,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
 	}
 	if (copy_from_user(data, user, *len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *) data;
@@ -1439,6 +1440,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
     	
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;

extensions/ipset/ip_set_ipporthash.c

@@ -68,7 +68,7 @@ ipporthash_test(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 	if (flags[1] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset/ip_set_ipportiphash.c

@@ -72,8 +72,8 @@ ipportiphash_test(struct ip_set *set,
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
-	ip1 = ipaddr(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset/ip_set_ipportnethash.c

@@ -116,8 +116,8 @@ ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size)
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
-	ip1 = ipaddr(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset/ipset.8

@@ -502,9 +502,13 @@ data storage in
 set and add src to the first single or src,dst to the first double 
 data storage set in
 \fIb\fP.
-.P
 You can imagine a setlist type of set as an ordered union of
 the set elements. 
+.P
+Please note: by the ipset command you can add, delete and
+.B test
+the setnames in a setlist type of set, and not the presence of 
+a set's member (such as an IP address).
 .SH GENERAL RESTRICTIONS
 Setnames starting with colon (:) cannot be defined. Zero valued set 
 entries cannot be used with hash type of sets.

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "4.2"
+#define IPSET_VERSION "4.4"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/ipset/ipt_SET.c

@@ -29,7 +29,7 @@
 #include "../compat_xtables.h"
 
 static unsigned int
-target(struct sk_buff **pskb, const struct xt_target_param *par)
+target(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct ipt_set_info_target *info = par->targinfo;
 

extensions/ipset/ipt_set.c

@@ -38,7 +38,7 @@ match_set(const struct ipt_set_info *info,
 }
 
 static bool
-match(const struct sk_buff *skb, const struct xt_match_param *par)
+match(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_set_info_match *info = par->matchinfo;
 		

extensions/libxt_CHAOS.c

@@ -16,6 +16,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_CHAOS.h"
+#include "compat_user.h"
 
 enum {
 	F_DELUDE = 1 << 0,

extensions/libxt_CHECKSUM.c

@@ -0,0 +1,94 @@
+/*
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 by Red Hat, Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include "xt_CHECKSUM.h"
+#include "compat_user.h"
+
+static void CHECKSUM_help(void)
+{
+	printf(
+"CHECKSUM target options\n"
+"  --checksum-fill        Fill in packet checksum.\n");
+}
+
+static const struct option CHECKSUM_opts[] = {
+	{ "checksum-fill", 0, NULL, 'F' },
+	{ .name = NULL }
+};
+
+static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
+                     const void *entry, struct xt_entry_target **target)
+{
+	struct xt_CHECKSUM_info *einfo
+		= (struct xt_CHECKSUM_info *)(*target)->data;
+
+	switch (c) {
+	case 'F':
+		xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
+			*flags & XT_CHECKSUM_OP_FILL);
+		einfo->operation = XT_CHECKSUM_OP_FILL;
+		*flags |= XT_CHECKSUM_OP_FILL;
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void CHECKSUM_check(unsigned int flags)
+{
+	if (!flags)
+		xtables_error(PARAMETER_PROBLEM,
+		           "CHECKSUM target: Parameter --checksum-fill is required");
+}
+
+static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
+                      int numeric)
+{
+	const struct xt_CHECKSUM_info *einfo =
+		(const struct xt_CHECKSUM_info *)target->data;
+
+	printf("CHECKSUM ");
+
+	if (einfo->operation & XT_CHECKSUM_OP_FILL)
+		printf("fill ");
+}
+
+static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_CHECKSUM_info *einfo =
+		(const struct xt_CHECKSUM_info *)target->data;
+
+	if (einfo->operation & XT_CHECKSUM_OP_FILL)
+		printf("--checksum-fill ");
+}
+
+static struct xtables_target checksum_tg_reg = {
+	.name          = "CHECKSUM",
+	.version       = XTABLES_VERSION,
+	.family        = NFPROTO_UNSPEC,
+	.size          = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+	.help          = CHECKSUM_help,
+	.parse         = CHECKSUM_parse,
+	.final_check   = CHECKSUM_check,
+	.print         = CHECKSUM_print,
+	.save          = CHECKSUM_save,
+	.extra_opts    = CHECKSUM_opts,
+};
+
+static __attribute__((constructor)) void _init(void)
+{
+	xtables_register_target(&checksum_tg_reg);
+}

extensions/libxt_CHECKSUM.man

@@ -0,0 +1,8 @@
+This target allows to selectively work around broken/old applications.
+It can only be used in the mangle table.
+.TP
+\fB\-\-checksum\-fill\fP
+Compute and fill in the checksum in a packet that lacks a checksum.
+This is particularly useful, if you need to work around old applications
+such as dhcp clients, that do not work well with checksum offloads,
+but don't want to disable checksum offload in your device.

extensions/libxt_DELUDE.c

@@ -13,6 +13,7 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
+#include "compat_user.h"
 
 static void delude_tg_help(void)
 {

extensions/libxt_DHCPMAC.c

@@ -17,6 +17,7 @@
 #include <xtables.h>
 #include "xt_DHCPMAC.h"
 #include "mac.c"
+#include "compat_user.h"
 
 enum {
 	F_MAC = 1 << 0,

extensions/libxt_ECHO.c

@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void echo_tg_help(void)
 {

extensions/libxt_IPMARK.c

@@ -14,6 +14,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_IPMARK.h"
+#include "compat_user.h"
 
 enum {
 	FL_ADDR_USED     = 1 << 0,

extensions/libxt_LOGMARK.c

@@ -13,6 +13,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_LOGMARK.h"
+#include "compat_user.h"
 
 enum {
 	F_LEVEL  = 1 << 0,

extensions/libxt_RAWDNAT.c

@@ -15,6 +15,7 @@
 #include <xtables.h>
 #include <linux/netfilter.h>
 #include "xt_RAWNAT.h"
+#include "compat_user.h"
 
 enum {
 	FLAGS_TO = 1 << 0,
@@ -79,7 +80,7 @@ rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
 		end = strchr(optarg, '/');
 		if (end != NULL) {
 			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
 				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
 					"--to-destination", optarg);
 			info->mask = mask;

extensions/libxt_RAWSNAT.c

@@ -15,6 +15,7 @@
 #include <xtables.h>
 #include <linux/netfilter.h>
 #include "xt_RAWNAT.h"
+#include "compat_user.h"
 
 enum {
 	FLAGS_TO = 1 << 0,
@@ -79,7 +80,7 @@ rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
 		end = strchr(optarg, '/');
 		if (end != NULL) {
 			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
 				xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
 					"--to-source", optarg);
 			info->mask = mask;

extensions/libxt_STEAL.c

@@ -1,5 +1,6 @@
 #include <stdio.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void steal_tg_help(void)
 {

extensions/libxt_SYSRQ.c

@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void sysrq_tg_help(void)
 {

extensions/libxt_TARPIT.c

@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void tarpit_tg_help(void)
 {

extensions/libxt_TEE.c

@@ -23,6 +23,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_TEE.h"
+#include "compat_user.h"
 
 enum {
 	FLAG_GATEWAY = 1 << 0,

extensions/libxt_condition.c

@@ -16,6 +16,7 @@
 #include <getopt.h>
 #include <xtables.h>
 #include "xt_condition.h"
+#include "compat_user.h"
 
 static void condition_help(void)
 {

extensions/libxt_dhcpmac.c

@@ -16,6 +16,7 @@
 #include <xtables.h>
 #include "xt_DHCPMAC.h"
 #include "mac.c"
+#include "compat_user.h"
 
 enum {
 	F_MAC = 1 << 0,

extensions/libxt_fuzzy.c

@@ -15,6 +15,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_fuzzy.h"
+#include "compat_user.h"
 
 static void fuzzy_mt_help(void)
 {

extensions/libxt_geoip.c

@@ -24,6 +24,7 @@
 #include <unistd.h>
 #include <xtables.h>
 #include "xt_geoip.h"
+#include "compat_user.h"
 #define GEOIP_DB_DIR "/usr/share/xt_geoip"
 
 static void geoip_help(void)

extensions/libxt_geoip.man

@@ -10,8 +10,8 @@ NOTE:
 The country is inputed by its ISO-3166 code.
 .PP
 The extra files you will need is the binary database files. They are generated
-from a country-subnet database with the geoip_csv_iv0.pl tool, available at
-http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to
-/usr/share/xt_geoip/
+from a country-subnet database with the geoip_csv_iv0.pl tool that should be
+available in /usr/lib(exec)/xtables-addons/ . The resulting files MUST be moved
+to /usr/share/xt_geoip/
 as the shared library is statically looking for this pathname (e.g.
 /usr/share/xt_geoip/LE/de.iv0).

extensions/libxt_gradm.c

@@ -0,0 +1,98 @@
+/*
+ *	"gradm" match extension for iptables
+ *	Zbigniew Krzystolik <zbyniu@destrukcja.pl>, 2010
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License;
+ *	either version 2 of the License, or any later version, as
+ *	published by the Free Software Foundation.
+ */
+#include <getopt.h>
+#include <netdb.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xtables.h>
+#include "xt_gradm.h"
+
+static void gradm_mt_help(void)
+{
+	printf(
+"gradm match options:\n"
+" [!] --enabled    is Grsecurity RBAC enabled\n"
+" [!] --disabled   is Grsecurity RBAC disabled\n");
+};
+
+static const struct option gradm_mt_opts[] = {
+	{.name = "enabled",  .has_arg = false, .val = '1'},
+	{.name = "disabled", .has_arg = false, .val = '2'},
+	{NULL},
+};
+
+static void gradm_mt_init(struct xt_entry_match *m)
+{
+}
+
+static int gradm_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                          const void *entry, struct xt_entry_match **match)
+{
+	struct xt_gradm_mtinfo *info = (void *)(*match)->data;
+
+	switch (c) {
+	case '1':
+		if (invert)
+			info->invflags |= 1;
+		return true;
+	case '2':
+		if (!invert)
+			info->invflags |= 1;
+		return true;
+	}
+	return false;
+}
+
+static void gradm_mt_check(unsigned int flags)
+{
+}
+
+static void gradm_mt_print(const void *ip, const struct xt_entry_match *match,
+                           int numeric)
+{
+	const struct xt_gradm_mtinfo *info = (const void *)match->data;
+
+	if (info->invflags)
+		printf("gradm: disabled");
+	else
+		printf("gradm: enabled");
+}
+
+static void gradm_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_gradm_mtinfo *info = (const void *)match->data;
+
+	if (info->invflags)
+		printf("--disabled ");
+	else
+		printf("--enabled ");
+}
+
+static struct xtables_match gradm_mt_reg = { 
+	.family        = NFPROTO_UNSPEC,
+	.name          = "gradm",
+	.version       = XTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
+	.help          = gradm_mt_help,
+	.init          = gradm_mt_init,
+	.parse         = gradm_mt_parse,
+	.final_check   = gradm_mt_check,
+	.print         = gradm_mt_print,
+	.save          = gradm_mt_save,
+	.extra_opts    = gradm_mt_opts,
+};
+
+static __attribute__((constructor)) void gradm_mt_ldr(void)
+{
+	xtables_register_match(&gradm_mt_reg);
+}

extensions/libxt_gradm.man

@@ -0,0 +1,7 @@
+This module matches packets based on grsecurity RBAC status.
+.TP
+[\fB!\fP] \fB\-\-enabled\fP
+Matches packets if grsecurity RBAC is enabled.
+.TP
+[\fB!\fP] \fB\-\-disabled\fP
+Matches packets if grsecurity RBAC is disabled.

extensions/libxt_iface.c

@@ -15,9 +15,16 @@
 
 #include <xtables.h>
 #include "xt_iface.h"
+#include "compat_user.h"
+
+enum {
+	XT_IFACE_IFACE = 1 << 16,
+};
 
 static const struct option iface_mt_opts[] = {
 	{.name = "iface",        .has_arg = true,  .val = 'i'},
+	{.name = "dev-in",       .has_arg = false, .val = 'I'},
+	{.name = "dev-out",      .has_arg = false, .val = 'O'},
 	{.name = "up",           .has_arg = false, .val = 'u'},
 	{.name = "down",         .has_arg = false, .val = 'U'}, /* not up */
 	{.name = "broadcast",    .has_arg = false, .val = 'b'},
@@ -39,9 +46,7 @@ static void iface_print_opt(const struct xt_iface_mtinfo *info,
     const unsigned int option, const char *command)
 {
 	if (info->flags & option)
-		printf(" %s", command);
-	if (info->invflags & option)
-		printf(" ! %s", command);
+		printf(" %s%s", (info->invflags & option) ? "! " : "", command);
 }
 
 static void iface_setflag(struct xt_iface_mtinfo *info,
@@ -50,10 +55,9 @@ static void iface_setflag(struct xt_iface_mtinfo *info,
 	if (*flags & flag)
 		xtables_error(PARAMETER_PROBLEM,
 			"iface: \"--%s\" flag already specified", command);
+	info->flags |= flag;
 	if (invert)
 		info->invflags |= flag;
-	else
-		info->flags |= flag;
 	*flags |= flag;
 }
 
@@ -68,19 +72,20 @@ static void iface_mt_help(void)
 {
 	printf(
 	"iface match options:\n"
-	"    --iface interface    Name of interface\n"
-	"[!] --up / --down        match if UP flag (not) set\n"
-	"[!] --broadcast          match if BROADCAST flag (not) set\n"
-	"[!] --loopback           match if LOOPBACK flag (not) set\n"
+	"    --iface interface     Name of interface\n"
+	"    --dev-in / --dev-out  Use incoming/outgoing interface instead\n"
+	"[!] --up / --down         match if UP flag (not) set\n"
+	"[!] --broadcast           match if BROADCAST flag (not) set\n"
+	"[!] --loopback            match if LOOPBACK flag (not) set\n"
 	"[!] --pointopoint\n"
-	"[!] --pointtopoint       match if POINTOPOINT flag (not) set\n"
-	"[!] --running            match if RUNNING flag (not) set\n"
-	"[!] --noarp / --arp      match if NOARP flag (not) set\n"
-	"[!] --promisc            match if PROMISC flag (not) set\n"
-	"[!] --multicast          match if MULTICAST flag (not) set\n"
-	"[!] --dynamic            match if DYNAMIC flag (not) set\n"
-	"[!] --lower-up           match if LOWER_UP flag (not) set\n"
-	"[!] --dormant            match if DORMANT flag (not) set\n");
+	"[!] --pointtopoint        match if POINTOPOINT flag (not) set\n"
+	"[!] --running             match if RUNNING flag (not) set\n"
+	"[!] --noarp / --arp       match if NOARP flag (not) set\n"
+	"[!] --promisc             match if PROMISC flag (not) set\n"
+	"[!] --multicast           match if MULTICAST flag (not) set\n"
+	"[!] --dynamic             match if DYNAMIC flag (not) set\n"
+	"[!] --lower-up            match if LOWER_UP flag (not) set\n"
+	"[!] --dormant             match if DORMANT flag (not) set\n");
 }
 
 static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -110,6 +115,18 @@ static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 		strcpy(info->ifname, optarg);
 		*flags |= XT_IFACE_IFACE;
 		return true;
+	case 'I': /* --dev-in */
+		xtables_param_act(XTF_ONLY_ONCE, "iface", "--dev-in",
+			*flags & XT_IFACE_IFACE);
+		*flags |= XT_IFACE_IFACE;
+		iface_setflag(info, flags, invert, XT_IFACE_DEV_IN, "dev-in");
+		return true;
+	case 'O': /* --dev-out */
+		xtables_param_act(XTF_ONLY_ONCE, "iface", "--dev-out",
+			*flags & XT_IFACE_IFACE);
+		*flags |= XT_IFACE_IFACE;
+		iface_setflag(info, flags, invert, XT_IFACE_DEV_OUT, "dev-out");
+		return true;
 	case 'u': /* UP */
 		iface_setflag(info, flags, invert, XT_IFACE_UP, "up");
 		return true;
@@ -152,7 +169,8 @@ static void iface_mt_check(unsigned int flags)
 	if (!(flags & XT_IFACE_IFACE))
 		xtables_error(PARAMETER_PROBLEM,
 			"iface: You must specify an interface");
-	if (flags == 0 || flags == XT_IFACE_IFACE)
+	if ((flags & ~(XT_IFACE_IFACE | XT_IFACE_DEV_IN |
+	    XT_IFACE_DEV_OUT)) == 0)
 		xtables_error(PARAMETER_PROBLEM,
 			"iface: You must specify at least one option");
 }
@@ -162,7 +180,14 @@ static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
 {
 	const struct xt_iface_mtinfo *info = (const void *)match->data;
 
-	printf("iface: \"%s\" [state:", info->ifname);
+	printf("iface: ");
+	if (info->flags & XT_IFACE_DEV_IN)
+		printf("(in)");
+	else if (info->flags & XT_IFACE_DEV_OUT)
+		printf("(out)");
+	else
+		printf("%s", info->ifname);
+	printf(" [state:");
 	iface_print_opt(info, XT_IFACE_UP,          "up");
 	iface_print_opt(info, XT_IFACE_BROADCAST,   "broadcast");
 	iface_print_opt(info, XT_IFACE_LOOPBACK,    "loopback");
@@ -181,7 +206,12 @@ static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_iface_mtinfo *info = (const void *)match->data;
 
-	printf(" --iface %s", info->ifname);
+	if (info->flags & XT_IFACE_DEV_IN)
+		printf("--dev-in");
+	else if (info->flags & XT_IFACE_DEV_OUT)
+		printf("--dev-out");
+	else
+		printf("--iface %s", info->ifname);
 	iface_print_opt(info, XT_IFACE_UP,          "--up");
 	iface_print_opt(info, XT_IFACE_BROADCAST,   "--broadcast");
 	iface_print_opt(info, XT_IFACE_LOOPBACK,    "--loopback");

extensions/libxt_iface.man

@@ -1,7 +1,20 @@
-Allows you to check interface states.
+Allows you to check interface states. First, an interface needs to be selected
+for comparison. Exactly one option of the following three must be specified:
 .TP
 \fB\-\-iface\fP \fIname\fP
-Check the states on the given interface. This option is required.
+Check the states on the given interface.
+.TP
+\fB\-\-dev\-in\fP
+Check the states on the interface on which the packet came in. If the input
+device is not set, because for example you are using \-m iface in the OUTPUT
+chain, this submatch returns false.
+.TP
+\fB\-\-dev\-out\fP
+Check the states on the interface on which the packet will go out. If the
+output device is not set, because for example you are using \-m iface in the
+INPUT chain, this submatch returns false.
+.PP
+Following that, one can select the interface properties to check for:
 .TP
 [\fB!\fP] \fB\-\-up\fP, [\fB!\fP] \fB\-\-down\fP
 Check the UP flag.

extensions/libxt_ipp2p.c

@@ -17,6 +17,7 @@
 #include <ctype.h>
 #include <xtables.h>
 #include "xt_ipp2p.h"
+#include "compat_user.h"
 #define param_act(t, s, f) xtables_param_act((t), "ipp2p", (s), (f))
 
 static void ipp2p_mt_help(void)

extensions/libxt_ipv4options.c

@@ -14,6 +14,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_ipv4options.h"
+#include "compat_user.h"
 
 /*
  * Overview from http://www.networksorcery.com/enp/protocol/ip.htm

extensions/libxt_length2.c

@@ -5,6 +5,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_length2.h"
+#include "compat_user.h"
 
 enum {
 	F_LAYER  = 1 << 0,

extensions/libxt_lscan.c

@@ -17,6 +17,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_lscan.h"
+#include "compat_user.h"
 
 static const struct option lscan_mt_opts[] = {
 	{.name = "stealth", .has_arg = false, .val = 'x'},

extensions/libxt_psd.c

@@ -28,6 +28,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_psd.h"
+#include "compat_user.h"
 
 /* Function which prints out usage message. */
 static void psd_mt_help(void) {

extensions/libxt_quota2.c

@@ -15,6 +15,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_quota2.h"
+#include "compat_user.h"
 
 enum {
 	FL_QUOTA     = 1 << 0,

extensions/pknock/libxt_pknock.c

@@ -16,6 +16,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include "xt_pknock.h"
+#include "compat_user.h"
 
 static const struct option pknock_mt_opts[] = {
 	/* .name, .has_arg, .flag, .val */

extensions/pknock/xt_pknock.c

@@ -958,7 +958,7 @@ is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
 }
 
 static bool pknock_mt(const struct sk_buff *skb,
-    const struct xt_match_param *par)
+    struct xt_action_param *par)
 {
 	const struct xt_pknock_mtinfo *info = par->matchinfo;
 	struct xt_pknock_rule *rule;
@@ -975,7 +975,7 @@ static bool pknock_mt(const struct sk_buff *skb,
 		/* We've been asked to examine this packet, and we
 		 * can't. Hence, no choice but to drop.
 		 */
-		*par->hotdrop = true;
+		par->hotdrop = true;
 		return false;
 	}
 

extensions/xt_CHAOS.c

@@ -45,7 +45,7 @@ static const struct xt_tcp tcp_params = {
 
 /* CHAOS functions */
 static void
-xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
+xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_chaos_tginfo *info = par->targinfo;
 	const struct iphdr *iph = ip_hdr(skb);
@@ -62,7 +62,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ret = xm_tcp->match(skb, par->in, par->out, xm_tcp, &tcp_params,
 	                    fragoff, thoff, &hotdrop);
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 	{
 		struct xt_match_param local_par = {
 			.in        = par->in,
@@ -75,6 +75,19 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
 		};
 		ret = xm_tcp->match(skb, &local_par);
 	}
+#else
+	{
+		struct xt_action_param local_par;
+		local_par.in        = par->in,
+		local_par.out       = par->out,
+		local_par.match     = xm_tcp;
+		local_par.matchinfo = &tcp_params;
+		local_par.fragoff   = fragoff;
+		local_par.thoff     = thoff;
+		local_par.hotdrop   = false;
+		ret = xm_tcp->match(skb, &local_par);
+		hotdrop = local_par.hotdrop;
+	}
 #endif
 	if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
 		return;
@@ -86,17 +99,34 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_target_param *par)
 	destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL);
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	destiny->target(skb, par->in, par->out, par->hooknum, destiny, NULL);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	{
+		struct xt_target_param local_par = {
+			.in       = par->in,
+			.out      = par->out,
+			.hooknum  = par->hooknum,
+			.target   = destiny,
+			.targinfo = par->targinfo,
+			.family   = par->family,
+		};
+		destiny->target(skb, &local_par);
+	}
 #else
 	{
-		struct xt_target_param local_par = *par;
-		local_par.target = destiny;
+		struct xt_action_param local_par;
+		local_par.in       = par->in;
+		local_par.out      = par->out;
+		local_par.hooknum  = par->hooknum;
+		local_par.target   = destiny;
+		local_par.targinfo = par->targinfo;
+		local_par.family   = par->family;
 		destiny->target(skb, &local_par);
 	}
 #endif
 }
 
 static unsigned int
-chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	/*
 	 * Equivalent to:
@@ -120,7 +150,7 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 		return xt_reject->target(skb, par->in, par->out, par->hooknum,
 		       xt_reject, &reject_params);
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 		struct xt_target_param local_par = {
 			.in       = par->in,
 			.out      = par->out,
@@ -129,6 +159,14 @@ chaos_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 			.targinfo = &reject_params,
 		};
 		return xt_reject->target(skb, &local_par);
+#else
+		struct xt_action_param local_par;
+		local_par.in       = par->in;
+		local_par.out      = par->out;
+		local_par.hooknum  = par->hooknum;
+		local_par.target   = xt_reject;
+		local_par.targinfo = &reject_params;
+		return xt_reject->target(skb, &local_par);
 #endif
 	}
 

extensions/xt_CHECKSUM.c

@@ -0,0 +1,72 @@
+/*
+ * (C) 2002 by Harald Welte <laforge@netfilter.org>
+ * (C) 2010 Red Hat, Inc.
+ *
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter/x_tables.h>
+#include "xt_CHECKSUM.h"
+#include "compat_xtables.h"
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
+MODULE_DESCRIPTION("Xtables: checksum modification");
+MODULE_ALIAS("ipt_CHECKSUM");
+MODULE_ALIAS("ip6t_CHECKSUM");
+
+static unsigned int
+checksum_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+{
+	struct sk_buff *skb = *pskb;
+
+	if (skb->ip_summed == CHECKSUM_PARTIAL)
+		skb_checksum_help(skb);
+
+	return XT_CONTINUE;
+}
+
+static int checksum_tg_check(const struct xt_tgchk_param *par)
+{
+	const struct xt_CHECKSUM_info *einfo = par->targinfo;
+
+	if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
+		pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
+		return -EINVAL;
+	}
+	if (!einfo->operation) {
+		pr_info("no CHECKSUM operation enabled\n");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+static struct xt_target checksum_tg_reg __read_mostly = {
+	.name       = "CHECKSUM",
+	.family     = NFPROTO_UNSPEC,
+	.target     = checksum_tg,
+	.targetsize = sizeof(struct xt_CHECKSUM_info),
+	.table      = "mangle",
+	.checkentry = checksum_tg_check,
+	.me         = THIS_MODULE,
+};
+
+static int __init checksum_tg_init(void)
+{
+	return xt_register_target(&checksum_tg_reg);
+}
+
+static void __exit checksum_tg_exit(void)
+{
+	xt_unregister_target(&checksum_tg_reg);
+}
+
+module_init(checksum_tg_init);
+module_exit(checksum_tg_exit);

extensions/xt_CHECKSUM.h

@@ -0,0 +1,18 @@
+/* Header file for iptables ipt_CHECKSUM target
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 Red Hat Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+*/
+#ifndef _IPT_CHECKSUM_TARGET_H
+#define _IPT_CHECKSUM_TARGET_H
+
+#define XT_CHECKSUM_OP_FILL	0x01	/* fill in checksum in IP header */
+
+struct xt_CHECKSUM_info {
+	__u8 operation;	/* bitset of operations */
+};
+
+#endif /* _IPT_CHECKSUM_TARGET_H */

extensions/xt_DELUDE.c

@@ -143,7 +143,7 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
 }
 
 static unsigned int
-delude_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+delude_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	/* WARNING: This code causes reentry within iptables.
 	   This means that the iptables jump stack is now crap.  We

extensions/xt_DHCPMAC.c

@@ -69,7 +69,7 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
 }
 
 static bool
-dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dhcpmac_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct dhcpmac_info *info = par->matchinfo;
 	const struct dhcp_message *dh;
@@ -89,7 +89,7 @@ dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 
 static unsigned int
-dhcpmac_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+dhcpmac_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct dhcpmac_info *info = par->targinfo;
 	struct dhcp_message dhcpbuf, *dh;

extensions/xt_ECHO.c

@@ -21,7 +21,7 @@
 #include "compat_xtables.h"
 
 static unsigned int
-echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
+echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *oldskb = *poldskb;
 	const struct udphdr *oldudp;

extensions/xt_IPMARK.c

@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_IPMARK");
 MODULE_ALIAS("ip6t_IPMARK");
 
 static unsigned int
-ipmark_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+ipmark_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_ipmark_tginfo *ipmarkinfo = par->targinfo;
 	const struct sk_buff *skb = *pskb;
@@ -61,7 +61,7 @@ static __u32 ipmark_from_ip6(const struct in6_addr *a, unsigned int s)
 }
 
 static unsigned int
-ipmark_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+ipmark_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_ipmark_tginfo *info = par->targinfo;
 	const struct sk_buff *skb = *pskb;

extensions/xt_LOGMARK.c

@@ -2,7 +2,7 @@
  *	"LOGMARK" target extension to Xtables
  *	useful for debugging
  *
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -30,7 +30,7 @@ static const char *const dir_names[] = {
 };
 
 static unsigned int
-logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct xt_logmark_tginfo *info = par->targinfo;
@@ -75,6 +75,8 @@ logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 			printk("%s""ASSURED", prev++ ? "," : "");
 		if (ct->status & IPS_CONFIRMED)
 			printk("%s""CONFIRMED", prev++ ? "," : "");
+		printk(" lifetime=%lus",
+		       (jiffies - ct->timeout.expires) / HZ);
 	}
 
 	printk("\n");

extensions/xt_RAWNAT.c

@@ -48,7 +48,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		break;
 	case 33 ... 63:
 		addr[0] = repl[0];
-		addr[1] = remask(addr[1], repl[1], mask - 64);
+		addr[1] = remask(addr[1], repl[1], mask - 32);
 		break;
 	case 64:
 		addr[0] = repl[0];
@@ -57,7 +57,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 	case 65 ... 95:
 		addr[0] = repl[0];
 		addr[1] = repl[1];
-		addr[2] = remask(addr[2], repl[2], mask - 96);
+		addr[2] = remask(addr[2], repl[2], mask - 64);
 	case 96:
 		addr[0] = repl[0];
 		addr[1] = repl[1];
@@ -67,7 +67,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		addr[0] = repl[0];
 		addr[1] = repl[1];
 		addr[2] = repl[2];
-		addr[3] = remask(addr[3], repl[3], mask - 128);
+		addr[3] = remask(addr[3], repl[3], mask - 96);
 		break;
 	case 128:
 		addr[0] = repl[0];
@@ -125,7 +125,7 @@ static unsigned int rawnat4_writable_part(const struct iphdr *iph)
 }
 
 static unsigned int
-rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+rawsnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	struct iphdr *iph;
@@ -147,7 +147,7 @@ rawsnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 
 static unsigned int
-rawdnat_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+rawdnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	struct iphdr *iph;
@@ -241,7 +241,7 @@ static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
 }
 
 static unsigned int
-rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	unsigned int l4offset, l4proto;
@@ -262,7 +262,7 @@ rawsnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 }
 
 static unsigned int
-rawdnat_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
 	unsigned int l4offset, l4proto;

extensions/xt_STEAL.c

@@ -8,7 +8,7 @@
 #include "compat_xtables.h"
 
 static unsigned int
-steal_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+steal_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	kfree_skb(*pskb);
 	return NF_STOLEN;

extensions/xt_SYSRQ.c

@@ -135,13 +135,13 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 			"0123456789abcdef"[sysrq_digest[i] & 0xf];
 	}
 	sysrq_hexdigest[2*sysrq_digest_size] = '\0';
-	if (len - n < sysrq_digest_size) {
+	if (len - n < sysrq_digest_size * 2) {
 		if (sysrq_debug)
 			printk(KERN_INFO KBUILD_MODNAME ": Short digest,"
 			       " expected %s\n", sysrq_hexdigest);
 		return NF_DROP;
 	}
-	if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size) != 0) {
+	if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size * 2) != 0) {
 		if (sysrq_debug)
 			printk(KERN_INFO KBUILD_MODNAME ": Bad digest,"
 			       " expected %s\n", sysrq_hexdigest);
@@ -152,7 +152,9 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 	sysrq_seqno = new_seqno;
 	for (i = 0; i < len && data[i] != ','; ++i) {
 		printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+		handle_sysrq(data[i]);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 		handle_sysrq(data[i], NULL);
 #else
 		handle_sysrq(data[i], NULL, NULL);
@@ -187,7 +189,9 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 		return NF_DROP;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+	handle_sysrq(c);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 	handle_sysrq(c, NULL);
 #else
 	handle_sysrq(c, NULL, NULL);
@@ -197,7 +201,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 #endif
 
 static unsigned int
-sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	struct sk_buff *skb = *pskb;
 	const struct iphdr *iph;
@@ -224,7 +228,7 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 
 #ifdef WITH_IPV6
 static unsigned int
-sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	struct sk_buff *skb = *pskb;
 	const struct ipv6hdr *iph;
@@ -324,8 +328,8 @@ static int __init sysrq_crypto_init(void)
 		printk(KERN_WARNING KBUILD_MODNAME
 			": Error: Could not find or load %s hash\n",
 			sysrq_hash);
-		sysrq_tfm = NULL;
 		ret = PTR_ERR(sysrq_tfm);
+		sysrq_tfm = NULL;
 		goto fail;
 	}
 	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);

extensions/xt_TARPIT.c

@@ -73,7 +73,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
 	/* Rate-limit replies to !SYN,ACKs */
 #if 0
 	if (!oth->syn && oth->ack)
-		if (!xrlim_allow(&ort->u.dst, HZ))
+		if (!xrlim_allow(rt_dst(ort), HZ))
 			return;
 #endif
 
@@ -188,7 +188,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
 }
 
 static unsigned int
-tarpit_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);

extensions/xt_TEE.c

@@ -51,8 +51,8 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 		return false;
 
 	dst_release(skb_dst(skb));
-	skb_dst_set(skb, &rt->u.dst);
-	skb->dev      = rt->u.dst.dev;
+	skb_dst_set(skb, rt_dst(rt));
+	skb->dev      = rt_dst(rt)->dev;
 	skb->protocol = htons(ETH_P_IP);
 	return true;
 }
@@ -103,7 +103,7 @@ static void tee_tg_send(struct sk_buff *skb)
 }
 
 static unsigned int
-tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
+tee_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct sk_buff *skb = *pskb;
@@ -205,7 +205,7 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 }
 
 static unsigned int
-tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+tee_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct sk_buff *skb = *pskb;

extensions/xt_condition.c

@@ -96,7 +96,7 @@ static int condition_proc_write(struct file *file, const char __user *buffer,
 }
 
 static bool
-condition_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+condition_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_condition_mtinfo *info = par->matchinfo;
 	const struct condition_variable *var   = info->condvar;

extensions/xt_fuzzy.c

@@ -60,7 +60,7 @@ static uint8_t mf_low(uint32_t tx, uint32_t mini, uint32_t maxi)
 }
 
 static bool
-fuzzy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+fuzzy_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	struct xt_fuzzy_mtinfo *info = (void *)par->matchinfo;
 	unsigned long amount;

extensions/xt_geoip.c

@@ -126,13 +126,13 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
 {
 	int mid;
 
-	if (hi < lo)
+	if (hi <= lo)
 		return false;
 	mid = (lo + hi) / 2;
 	if (range[mid].begin <= addr && addr <= range[mid].end)
 		return true;
 	if (range[mid].begin > addr)
-		return geoip_bsearch(range, addr, lo, mid - 1);
+		return geoip_bsearch(range, addr, lo, mid);
 	else if (range[mid].end < addr)
 		return geoip_bsearch(range, addr, mid + 1, hi);
 
@@ -141,7 +141,7 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
 }
 
 static bool
-xt_geoip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+xt_geoip_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_geoip_match_info *info = par->matchinfo;
 	const struct geoip_country_kernel *node;

extensions/xt_gradm.h

@@ -0,0 +1,9 @@
+#ifndef _XT_GRADM_H
+#define _XT_GRADM_H
+
+struct xt_gradm_mtinfo {
+	__u16 flags;
+	__u16 invflags;
+};
+
+#endif

extensions/xt_iface.c

@@ -40,29 +40,46 @@ static const struct xt_iface_flag_pairs xt_iface_lookup[] =
 	{.iface_flag = XT_IFACE_DORMANT,	.iff_flag = IFF_DORMANT},
 };
 
+static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
+    const struct xt_action_param *par, struct net_device **put)
+{
+	if (info->flags & XT_IFACE_DEV_IN)
+		return par->in;
+	else if (info->flags & XT_IFACE_DEV_OUT)
+		return par->out;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
+	return *put = dev_get_by_name(&init_net, info->ifname);
+#else
+	return *put = dev_get_by_name(info->ifname);
+#endif
+}
+
+static bool iface_flagtest(unsigned int devflags, unsigned int flags,
+    unsigned int invflags)
+{
+	unsigned int i;
+
+	for (i = 0; i < ARRAY_SIZE(xt_iface_lookup); ++i)
+		if ((flags & xt_iface_lookup[i].iface_flag) &&
+		    !!(devflags & xt_iface_lookup[i].iff_flag) ^
+		    !(invflags & xt_iface_lookup[i].iface_flag))
+			return false;
+	return true;
+}
+
 static bool xt_iface_mt(const struct sk_buff *skb,
-    const struct xt_match_param *par)
+    struct xt_action_param *par)
 {
 	const struct xt_iface_mtinfo *info = par->matchinfo;
-	struct net_device *dev;
+	struct net_device *put = NULL;
+	const struct net_device *dev = iface_get(info, par, &put);
 	bool retval;
-	int i;
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
-	dev = dev_get_by_name(&init_net, info->ifname);
-#else
-	dev = dev_get_by_name(info->ifname);
-#endif
-	retval = dev != NULL;
-	if (retval) {
-		for (i = 0; i < ARRAY_SIZE(xt_iface_lookup) && retval; ++i) {
-			if (info->flags & xt_iface_lookup[i].iface_flag)
-				retval &= dev->flags & xt_iface_lookup[i].iff_flag;
-			if (info->invflags & xt_iface_lookup[i].iface_flag)
-				retval &= !(dev->flags & xt_iface_lookup[i].iff_flag);
-		}
-		dev_put(dev);
-	}
+	if (dev == NULL)
+		return false;
+	retval = iface_flagtest(dev->flags, info->flags, info->invflags);
+	if (put != NULL)
+		dev_put(put);
 	return retval;
 }
 

extensions/xt_iface.h

@@ -13,7 +13,8 @@ enum {
 	XT_IFACE_DYNAMIC     = 1 << 8,
 	XT_IFACE_LOWER_UP    = 1 << 9,
 	XT_IFACE_DORMANT     = 1 << 10,
-	XT_IFACE_IFACE       = 1 << 15,
+	XT_IFACE_DEV_IN      = 1 << 11,
+	XT_IFACE_DEV_OUT     = 1 << 12,
 };
 
 struct xt_iface_mtinfo {

extensions/xt_ipp2p.c

@@ -808,7 +808,7 @@ static const struct {
 };
 
 static bool
-ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_p2p_info *info = par->matchinfo;
 	const unsigned char  *haystack;

extensions/xt_ipv4options.c

@@ -29,7 +29,7 @@ static uint32_t ipv4options_rd(const uint8_t *data, int len)
 }
 
 static bool ipv4options_mt(const struct sk_buff *skb,
-    const struct xt_match_param *par)
+    struct xt_action_param *par)
 {
 	const struct xt_ipv4options_mtinfo1 *info = par->matchinfo;
 	const struct iphdr *iph = ip_hdr(skb);

extensions/xt_length2.c

@@ -137,7 +137,7 @@ static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
 }
 
 static bool
-length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+length2_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_length_mtinfo2 *info = par->matchinfo;
 	const struct iphdr *iph = ip_hdr(skb);
@@ -198,7 +198,7 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
 }
 
 static bool
-length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_length_mtinfo2 *info = par->matchinfo;
 	const struct ipv6hdr *iph = ipv6_hdr(skb);
@@ -207,9 +207,13 @@ length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 	bool hit = true;
 
 	if (info->flags & XT_LENGTH_LAYER3) {
-		len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
+		if (iph->payload_len == 0)
+			/* Jumbogram */
+			len = skb->len;
+		else
+			len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
 	} else {
-		l4proto = llayer4_proto(skb, &thoff, par->hotdrop);
+		l4proto = llayer4_proto(skb, &thoff, &par->hotdrop);
 		if (l4proto == NEXTHDR_MAX)
 			return false;
 		if (info->flags & XT_LENGTH_LAYER4)

extensions/xt_lscan.c

@@ -171,7 +171,7 @@ static inline unsigned int lscan_mt_full(int mark,
 }
 
 static bool
-lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;

extensions/xt_psd.c

@@ -100,7 +100,7 @@ static inline int hashfunc(struct in_addr addr)
 }
 
 static bool
-xt_psd_match(const struct sk_buff *pskb, const struct xt_match_param *match)
+xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 {
 	const struct iphdr *iph;
 	const struct tcphdr *tcph;

extensions/xt_quota2.c

@@ -153,15 +153,13 @@ static int quota_mt2_check(const struct xt_mtchk_param *par)
 
 	q->name[sizeof(q->name)-1] = '\0';
 	if (*q->name == '.' || strchr(q->name, '/') != NULL) {
-		printk(KERN_ERR "xt_quota<%u>: illegal name\n",
-		       par->match->revision);
+		printk(KERN_ERR "xt_quota.3: illegal name\n");
 		return -EINVAL;
 	}
 
 	q->master = q2_get_counter(q);
 	if (q->master == NULL) {
-		printk(KERN_ERR "xt_quota<%u>: memory alloc failure\n",
-		       par->match->revision);
+		printk(KERN_ERR "xt_quota.3: memory alloc failure\n");
 		return -ENOMEM;
 	}
 
@@ -191,7 +189,7 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
 }
 
 static bool
-quota_mt2(const struct sk_buff *skb, const struct xt_match_param *par)
+quota_mt2(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	struct xt_quota_mtinfo2 *q = (void *)par->matchinfo;
 	struct xt_quota_counter *e = q->master;

geoip/.gitignore

@@ -0,0 +1,6 @@
+/BE
+/LE
+/GeoIPCountryCSV.zip
+/GeoIPCountryWhois.csv
+/GeoIPv6.csv
+/GeoIPv6.csv.gz

geoip/Makefile.am

@@ -0,0 +1,3 @@
+# -*- Makefile -*-
+
+pkglibexec_SCRIPTS = geoip_build_db.pl geoip_download.sh

geoip/geoip_build_db.pl

@@ -0,0 +1,54 @@
+#!/usr/bin/perl
+#
+#	Converter for MaxMind CSV database to binary, for xt_geoip
+#	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2008
+#
+#	Use -b argument to create big-endian tables.
+#
+use Getopt::Long;
+use IO::Handle;
+use Text::CSV_XS; # or trade for Text::CSV
+use strict;
+
+my %country;
+my %names;
+my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
+my $mode = "VV";
+my $target_dir = ".";
+
+&Getopt::Long::Configure(qw(bundling));
+&GetOptions(
+	"D=s" => \$target_dir,
+	"b"   => sub { $mode = "NN"; },
+);
+
+if (!-d $target_dir) {
+	print STDERR "Target directory $target_dir does not exist.\n";
+	exit 1;
+}
+
+while (my $row = $csv->getline(*ARGV)) {
+	if (!defined($country{$row->[4]})) {
+		$country{$row->[4]} = [];
+		$names{$row->[4]} = $row->[5];
+	}
+	my $c = $country{$row->[4]};
+	push(@$c, [$row->[2], $row->[3]]);
+	if ($. % 4096 == 0) {
+		print STDERR "\r\e[2K$. entries";
+	}
+}
+
+print STDERR "\r\e[2K$. entries total\n";
+
+foreach my $iso_code (sort keys %country) {
+	printf "%5u ranges for %s %s\n",
+		scalar(@{$country{$iso_code}}),
+		$iso_code, $names{$iso_code};
+
+	open(my $fh, "> $target_dir/".uc($iso_code).".iv0");
+	foreach my $range (@{$country{$iso_code}}) {
+		print $fh pack($mode, $range->[0], $range->[1]);
+	}
+	close $fh;
+}

geoip/geoip_download.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+rm -f GeoIPv6.csv{,.gz} GeoIPCountryCSV.zip GeoIPCountryWhois.csv;
+wget \
+	http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \
+	http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip;
+gzip -d GeoIPv6.csv.gz;
+unzip GeoIPCountryCSV.zip;

mconfig

@@ -2,6 +2,7 @@
 #
 build_ACCOUNT=m
 build_CHAOS=m
+build_CHECKSUM=
 build_DELUDE=m
 build_DHCPMAC=m
 build_ECHO=
@@ -11,10 +12,11 @@ build_RAWNAT=m
 build_STEAL=m
 build_SYSRQ=m
 build_TARPIT=m
-build_TEE=m
+build_TEE=
 build_condition=m
 build_fuzzy=m
 build_geoip=m
+build_gradm=m
 build_iface=m
 build_ipp2p=m
 build_ipset=m

xa-download-more

@@ -6,7 +6,7 @@ use strict;
 
 &main(\@ARGV);
 
-sub main ($)
+sub main
 {
 	local *FH;
 
@@ -30,7 +30,7 @@ sub main ($)
 	close FH;
 }
 
-sub process_index ($)
+sub process_index
 {
 	my $top = shift @_;
 	my($agent, $res, $url);
@@ -68,14 +68,14 @@ sub process_index ($)
 	}
 }
 
-sub slash_remove ($)
+sub slash_remove
 {
 	my $s = shift @_;
 	$s =~ s{(\w+://)(.*)}{$1.&slash_remove2($2)}eg;
 	return $s;
 }
 
-sub slash_remove2 ($)
+sub slash_remove2
 {
 	my $s = shift @_;
 	$s =~ s{/+}{/}g;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.25 (2010-04-26)" "" "v1.25 (2010-04-26)"
+.TH xtables-addons 8 "v1.31 (2010-11-05)" "" "v1.31 (2010-11-05)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets