Xtables-addons 1.31

This patch adds a module which is useful to users of grsecurity's RBAC
system. It matches packets based on whether RBAC is enabled or
disabled.

See: http://grsecurity.net/

Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>

Jan Engelhardt> Also, I do not see a xt_gradm.c in this patch.

This [xt_gradm.c] is part of the grsecurity patch which not only adds
the Xtables code, but also the RBAC code. Without the entire RBAC
stuff, xt_gradm does not make sense and so it is included with the
grsecurity patch to the kernel, and not this patch to Xtables-addons.

>Can you elaborate a bit on how this is useful in conjunction with
>rulesets? I could imagine it be used with LSM selctx'es for example,
>or another extension that tests for other RBAC attributes.

The idea here is that when the RBAC rulesets are not being enforced,
the system is more vulnerable and the user wants stricter firewall
rules. When RBAC is being enforced, one can relax the firewall and
access to services which are now better protected. In practice this
usually means allowing only access to some trusted IP(s) on boot
before RBAC is turned on.

Makefile.am

@@ -1,7 +1,7 @@
 # -*- Makefile -*-
 
 ACLOCAL_AMFLAGS  = -I m4
-SUBDIRS          = extensions
+SUBDIRS          = extensions geoip
 
 man_MANS := xtables-addons.8
 

Makefile.iptrules.in

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 # MANUAL
 
+abs_top_srcdir  = @abs_top_srcdir@
+
 prefix          = @prefix@
 exec_prefix     = @exec_prefix@
 libexecdir      = @libexecdir@
@@ -8,11 +10,13 @@ xtlibdir        = @xtlibdir@
 
 CC              = @CC@
 CCLD            = ${CC}
+CFLAGS          = @CFLAGS@
+LDFLAGS         = @LDFLAGS@
 
 regular_CFLAGS  = @regular_CFLAGS@
 libxtables_CFLAGS = @libxtables_CFLAGS@
 libxtables_LIBS   = @libxtables_LIBS@
-AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS}
+AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS} -I${abs_top_srcdir}/extensions
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
 AM_DEFAULT_VERBOSITY = 0

Makefile.mans.in

@@ -3,8 +3,8 @@
 
 srcdir := @srcdir@
 
-wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
+wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man' | sort)
-wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
+wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man' | sort)
 wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
 wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
 

configure.ac

@@ -1,9 +1,9 @@
 
-AC_INIT([xtables-addons], [1.27])
+AC_INIT([xtables-addons], [1.31])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
+AM_INIT_AUTOMAKE([1.10.2 -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -21,15 +21,17 @@ if [[ "$kbuilddir" == no ]]; then
 	kbuilddir="";
 fi
 
-AC_ARG_WITH([xtlibdir],
-	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
-	[xtlibdir="$withval"],
-	[xtlibdir='${libexecdir}/xtables'])
-
-PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
+xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
+
+AC_ARG_WITH([xtlibdir],
+	AS_HELP_STRING([--with-xtlibdir=PATH],
+	[Path where to install Xtables extensions [[autodetect]]]]),
+	[xtlibdir="$withval"])
+AC_MSG_CHECKING([Xtables module directory])
+AC_MSG_RESULT([$xtlibdir])
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
@@ -46,6 +48,7 @@ if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
 	# Well, just a warning. Maybe the admin updated the kernel.
 	echo "WARNING: This distribution's shipped kernel is not supported.";
 fi;
+AC_MSG_CHECKING([kernel version that we will build against])
 krel="$(make -sC ${kbuilddir} kernelrelease)";
 krel="${krel%%-*}";
 kmajor="${krel%%.*}";
@@ -54,27 +57,33 @@ kminor="${krel%%.*}";
 krel="${krel#*.}";
 kmicro="${krel%%.*}";
 if test "$kmicro" = "$krel"; then
+	kmicro="$(($kmicro+0))"; # Get rid of non numbers ("2.6.36+" -> "2.6.36")
 	kstable=0;
 else
+	kmicro="$(($kmicro+0))";
 	kstable="${krel#*.}";
-	if test -z "$kstable"; then
+	kstable="$(($kstable+0))";
-		kstable=0;
-	fi;
 fi;
-echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 35; then
+	echo "WARNING: Version detection did not succeed. Continue at own luck.";
-	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
+else
-elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
+	echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
+	if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 36; then
-    "$kstable" -lt 5 \); then
+		echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
-	echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
+	elif test \( "$kmajor" -lt 2 -o \
-	exit 1;
+	    \( "$kmajor" -eq 2 -a "$kminor" -lt 6 \) -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -eq 0 -a "$kmicro" -lt 17 \) -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
+	    "$kstable" -lt 5 \) \); then
+		echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
+		exit 1;
+	fi;
 fi;
 
 AC_SUBST([regular_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([xtlibdir])
-AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
+AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans geoip/Makefile
 	extensions/Makefile extensions/ACCOUNT/Makefile
 	extensions/ipset/Makefile extensions/pknock/Makefile])
 AC_OUTPUT

doc/api/2.6.17.c

@@ -0,0 +1,64 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+		void *userdata,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+	);

doc/api/2.6.19.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.23.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.24.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.28.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.31.c

@@ -0,0 +1,38 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.32.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.35.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/xt-a.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/changelog.txt

@@ -3,6 +3,50 @@ HEAD
 ====
 
 
+v1.31 (November 05 2010)
+========================
+- LOGMARK: print remaining lifetime of cts
+- build: improve detection of kernel version and error handling
+- build: automatically derive Xtables module directory, thus
+  --with-xtlibdir is no longer needed for ./configure in most cases
+  (If I still see a distro using it, I will scold you for not
+  reading this changelog.)
+- xt_iface: allow matching against incoming/outgoing interface
+- libxt_gradm: match packets based on status of grsecurity RBAC
+  (userspace part only - xt_gradm is in the grsec patch)
+
+
+v1.30 (October 02 2010)
+=======================
+- update to ipset 4.4
+  * ipport{,ip,net}hash did not work with mixed "src" and "dst"
+    destination parameters
+- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
+  merged upstream in Linux 2.6.35 and 2.6.36, respectively.
+  Distros still wishing to build this need to enable it in their build
+  script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
+
+
+v1.29 (September 29 2010)
+=========================
+- compat_xtables: return bool for match_check and target_check in 2.6.23..34
+- ipset: enable building of ip_set_ipport{ip,net}hash.ko
+- support for Linux 2.6.36
+- SYSRQ: resolve compile error with Linux 2.6.36
+- TEE: resolve compile error with Linux 2.6.36
+- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
+  ("implicit declaration of function 'ALIGN'")
+
+
+Xtables-addons 1.28 (July 24 2010)
+==================================
+- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
+- new target xt_CHECKSUM
+- xt_length2: add support for IPv6 jumbograms
+- xt_geoip: fix possible out-of-bounds access
+- import xt_geoip database scripts
+
+
 Xtables-addons 1.27 (May 16 2010)
 =================================
 - further updates for the upcoming 2.6.35 changes

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -12,6 +12,7 @@
 #include <stddef.h>
 #include <xtables.h>
 #include "xt_ACCOUNT.h"
+#include "compat_user.h"
 
 static struct option account_tg_opts[] = {
 	{.name = "addr",  .has_arg = true, .val = 'a'},

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -494,7 +494,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
 			NIPQUAD(src_ip), NIPQUAD(dst_ip));
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 8 bit network or "any" network */
@@ -506,7 +506,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 16 bit network */
@@ -517,7 +517,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 24 bit network */
@@ -528,7 +528,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	printk("ACCOUNT: ipt_acc_target: Unable to process packet. "
@@ -536,7 +536,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 		info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
 
 	spin_unlock_bh(&ipt_acc_lock);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 /*

extensions/Kbuild

@@ -7,6 +7,7 @@ obj-m                    += compat_xtables.o
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
+obj-${build_CHECKSUM}    += xt_CHECKSUM.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o

extensions/Mbuild

@@ -2,6 +2,7 @@
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
+obj-${build_CHECKSUM}    += libxt_CHECKSUM.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_ECHO}        += libxt_ECHO.so
@@ -24,3 +25,4 @@ obj-${build_lscan}       += libxt_lscan.so
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so
+obj-${build_gradm}       += libxt_gradm.so

extensions/compat_user.h

@@ -0,0 +1,12 @@
+/*
+ *	Userspace-level compat hacks
+ */
+#ifndef _XTABLES_COMPAT_USER_H
+#define _XTABLES_COMPAT_USER_H 1
+
+/* linux-glibc-devel 2.6.34 header screwup */
+#ifndef ALIGN
+#	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
+#endif
+
+#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -105,7 +105,11 @@ static bool xtnu_match_check(const char *table, const void *entry,
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nm->checkentry(&local_par);
+#else
+	return nm->checkentry(&local_par) == 0;
+#endif
 }
 #endif
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
@@ -118,7 +122,7 @@ static bool xtnu_match_check(const struct xt_mtchk_param *par)
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
-	return nm->checkentry(par) == 0 ? true : false;
+	return nm->checkentry(par) == 0;
 }
 #endif
 
@@ -313,7 +317,11 @@ static bool xtnu_target_check(const char *table, const void *entry,
 	if (nt->checkentry == NULL)
 		/* this is valid, just like if there was no function */
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nt->checkentry(&local_par);
+#else
+	return nt->checkentry(&local_par) == 0;
+#endif
 }
 #endif
 
@@ -327,7 +335,7 @@ static bool xtnu_target_check(const struct xt_tgchk_param *par)
 		return false;
 	if (nt->checkentry == NULL)
 		return true;
-	return nt->checkentry(par) == 0 ? true : false;
+	return nt->checkentry(par) == 0;
 }
 #endif
 

extensions/compat_xtables.h

@@ -86,6 +86,11 @@
 #	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+#	define rt_dst(rt)	(&(rt)->dst)
+#else
+#	define rt_dst(rt)	(&(rt)->u.dst)
+#endif
 
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \

extensions/ipset/Kbuild

@@ -3,4 +3,5 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
+obj-m += ip_set_ipportiphash.o ip_set_ipportnethash.o
 obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/ipset/ip_set.c

@@ -929,11 +929,11 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 	}
 	if (copy_from_user(data, user, len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *)data;
@@ -1109,6 +1109,7 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;
@@ -1142,11 +1143,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
 	}
 	if (copy_from_user(data, user, *len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *) data;
@@ -1439,6 +1440,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
     	
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;

extensions/ipset/ip_set_ipporthash.c

@@ -68,7 +68,7 @@ ipporthash_test(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 	if (flags[1] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset/ip_set_ipportiphash.c

@@ -72,8 +72,8 @@ ipportiphash_test(struct ip_set *set,
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
-	ip1 = ipaddr(skb, flags++);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset/ip_set_ipportnethash.c

@@ -116,8 +116,8 @@ ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size)
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
-	ip1 = ipaddr(skb, flags++);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset/ipset.8

@@ -502,9 +502,13 @@ data storage in
 set and add src to the first single or src,dst to the first double 
 data storage set in
 \fIb\fP.
-.P
 You can imagine a setlist type of set as an ordered union of
 the set elements. 
+.P
+Please note: by the ipset command you can add, delete and
+.B test
+the setnames in a setlist type of set, and not the presence of 
+a set's member (such as an IP address).
 .SH GENERAL RESTRICTIONS
 Setnames starting with colon (:) cannot be defined. Zero valued set 
 entries cannot be used with hash type of sets.

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "4.2"
+#define IPSET_VERSION "4.4"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/libxt_CHAOS.c

@@ -16,6 +16,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_CHAOS.h"
+#include "compat_user.h"
 
 enum {
 	F_DELUDE = 1 << 0,

extensions/libxt_CHECKSUM.c

@@ -0,0 +1,94 @@
+/*
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 by Red Hat, Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include "xt_CHECKSUM.h"
+#include "compat_user.h"
+
+static void CHECKSUM_help(void)
+{
+	printf(
+"CHECKSUM target options\n"
+"  --checksum-fill        Fill in packet checksum.\n");
+}
+
+static const struct option CHECKSUM_opts[] = {
+	{ "checksum-fill", 0, NULL, 'F' },
+	{ .name = NULL }
+};
+
+static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
+                     const void *entry, struct xt_entry_target **target)
+{
+	struct xt_CHECKSUM_info *einfo
+		= (struct xt_CHECKSUM_info *)(*target)->data;
+
+	switch (c) {
+	case 'F':
+		xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
+			*flags & XT_CHECKSUM_OP_FILL);
+		einfo->operation = XT_CHECKSUM_OP_FILL;
+		*flags |= XT_CHECKSUM_OP_FILL;
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void CHECKSUM_check(unsigned int flags)
+{
+	if (!flags)
+		xtables_error(PARAMETER_PROBLEM,
+		           "CHECKSUM target: Parameter --checksum-fill is required");
+}
+
+static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
+                      int numeric)
+{
+	const struct xt_CHECKSUM_info *einfo =
+		(const struct xt_CHECKSUM_info *)target->data;
+
+	printf("CHECKSUM ");
+
+	if (einfo->operation & XT_CHECKSUM_OP_FILL)
+		printf("fill ");
+}
+
+static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_CHECKSUM_info *einfo =
+		(const struct xt_CHECKSUM_info *)target->data;
+
+	if (einfo->operation & XT_CHECKSUM_OP_FILL)
+		printf("--checksum-fill ");
+}
+
+static struct xtables_target checksum_tg_reg = {
+	.name          = "CHECKSUM",
+	.version       = XTABLES_VERSION,
+	.family        = NFPROTO_UNSPEC,
+	.size          = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+	.help          = CHECKSUM_help,
+	.parse         = CHECKSUM_parse,
+	.final_check   = CHECKSUM_check,
+	.print         = CHECKSUM_print,
+	.save          = CHECKSUM_save,
+	.extra_opts    = CHECKSUM_opts,
+};
+
+static __attribute__((constructor)) void _init(void)
+{
+	xtables_register_target(&checksum_tg_reg);
+}

extensions/libxt_CHECKSUM.man

@@ -0,0 +1,8 @@
+This target allows to selectively work around broken/old applications.
+It can only be used in the mangle table.
+.TP
+\fB\-\-checksum\-fill\fP
+Compute and fill in the checksum in a packet that lacks a checksum.
+This is particularly useful, if you need to work around old applications
+such as dhcp clients, that do not work well with checksum offloads,
+but don't want to disable checksum offload in your device.

extensions/libxt_DELUDE.c

@@ -13,6 +13,7 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
+#include "compat_user.h"
 
 static void delude_tg_help(void)
 {

extensions/libxt_DHCPMAC.c

@@ -17,6 +17,7 @@
 #include <xtables.h>
 #include "xt_DHCPMAC.h"
 #include "mac.c"
+#include "compat_user.h"
 
 enum {
 	F_MAC = 1 << 0,

extensions/libxt_ECHO.c

@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void echo_tg_help(void)
 {

extensions/libxt_IPMARK.c

@@ -14,6 +14,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_IPMARK.h"
+#include "compat_user.h"
 
 enum {
 	FL_ADDR_USED     = 1 << 0,

extensions/libxt_LOGMARK.c

@@ -13,6 +13,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_LOGMARK.h"
+#include "compat_user.h"
 
 enum {
 	F_LEVEL  = 1 << 0,

extensions/libxt_RAWDNAT.c

@@ -15,6 +15,7 @@
 #include <xtables.h>
 #include <linux/netfilter.h>
 #include "xt_RAWNAT.h"
+#include "compat_user.h"
 
 enum {
 	FLAGS_TO = 1 << 0,
@@ -79,7 +80,7 @@ rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
 		end = strchr(optarg, '/');
 		if (end != NULL) {
 			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
 				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
 					"--to-destination", optarg);
 			info->mask = mask;

extensions/libxt_RAWSNAT.c

@@ -15,6 +15,7 @@
 #include <xtables.h>
 #include <linux/netfilter.h>
 #include "xt_RAWNAT.h"
+#include "compat_user.h"
 
 enum {
 	FLAGS_TO = 1 << 0,
@@ -79,7 +80,7 @@ rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
 		end = strchr(optarg, '/');
 		if (end != NULL) {
 			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
+			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
 				xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
 					"--to-source", optarg);
 			info->mask = mask;

extensions/libxt_STEAL.c

@@ -1,5 +1,6 @@
 #include <stdio.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void steal_tg_help(void)
 {

extensions/libxt_SYSRQ.c

@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void sysrq_tg_help(void)
 {

extensions/libxt_TARPIT.c

@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void tarpit_tg_help(void)
 {

extensions/libxt_TEE.c

@@ -23,6 +23,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_TEE.h"
+#include "compat_user.h"
 
 enum {
 	FLAG_GATEWAY = 1 << 0,

extensions/libxt_condition.c

@@ -16,6 +16,7 @@
 #include <getopt.h>
 #include <xtables.h>
 #include "xt_condition.h"
+#include "compat_user.h"
 
 static void condition_help(void)
 {

extensions/libxt_dhcpmac.c

@@ -16,6 +16,7 @@
 #include <xtables.h>
 #include "xt_DHCPMAC.h"
 #include "mac.c"
+#include "compat_user.h"
 
 enum {
 	F_MAC = 1 << 0,

extensions/libxt_fuzzy.c

@@ -15,6 +15,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_fuzzy.h"
+#include "compat_user.h"
 
 static void fuzzy_mt_help(void)
 {

extensions/libxt_geoip.c

@@ -24,6 +24,7 @@
 #include <unistd.h>
 #include <xtables.h>
 #include "xt_geoip.h"
+#include "compat_user.h"
 #define GEOIP_DB_DIR "/usr/share/xt_geoip"
 
 static void geoip_help(void)

extensions/libxt_geoip.man

@@ -10,8 +10,8 @@ NOTE:
 The country is inputed by its ISO-3166 code.
 .PP
 The extra files you will need is the binary database files. They are generated
-from a country-subnet database with the geoip_csv_iv0.pl tool, available at
+from a country-subnet database with the geoip_csv_iv0.pl tool that should be
-http://jengelh.hopto.org/files/geoip/ . The files MUST be moved to
+available in /usr/lib(exec)/xtables-addons/ . The resulting files MUST be moved
-/usr/share/xt_geoip/
+to /usr/share/xt_geoip/
 as the shared library is statically looking for this pathname (e.g.
 /usr/share/xt_geoip/LE/de.iv0).

extensions/libxt_gradm.c

@@ -0,0 +1,98 @@
+/*
+ *	"gradm" match extension for iptables
+ *	Zbigniew Krzystolik <zbyniu@destrukcja.pl>, 2010
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License;
+ *	either version 2 of the License, or any later version, as
+ *	published by the Free Software Foundation.
+ */
+#include <getopt.h>
+#include <netdb.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xtables.h>
+#include "xt_gradm.h"
+
+static void gradm_mt_help(void)
+{
+	printf(
+"gradm match options:\n"
+" [!] --enabled    is Grsecurity RBAC enabled\n"
+" [!] --disabled   is Grsecurity RBAC disabled\n");
+};
+
+static const struct option gradm_mt_opts[] = {
+	{.name = "enabled",  .has_arg = false, .val = '1'},
+	{.name = "disabled", .has_arg = false, .val = '2'},
+	{NULL},
+};
+
+static void gradm_mt_init(struct xt_entry_match *m)
+{
+}
+
+static int gradm_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                          const void *entry, struct xt_entry_match **match)
+{
+	struct xt_gradm_mtinfo *info = (void *)(*match)->data;
+
+	switch (c) {
+	case '1':
+		if (invert)
+			info->invflags |= 1;
+		return true;
+	case '2':
+		if (!invert)
+			info->invflags |= 1;
+		return true;
+	}
+	return false;
+}
+
+static void gradm_mt_check(unsigned int flags)
+{
+}
+
+static void gradm_mt_print(const void *ip, const struct xt_entry_match *match,
+                           int numeric)
+{
+	const struct xt_gradm_mtinfo *info = (const void *)match->data;
+
+	if (info->invflags)
+		printf("gradm: disabled");
+	else
+		printf("gradm: enabled");
+}
+
+static void gradm_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_gradm_mtinfo *info = (const void *)match->data;
+
+	if (info->invflags)
+		printf("--disabled ");
+	else
+		printf("--enabled ");
+}
+
+static struct xtables_match gradm_mt_reg = { 
+	.family        = NFPROTO_UNSPEC,
+	.name          = "gradm",
+	.version       = XTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
+	.help          = gradm_mt_help,
+	.init          = gradm_mt_init,
+	.parse         = gradm_mt_parse,
+	.final_check   = gradm_mt_check,
+	.print         = gradm_mt_print,
+	.save          = gradm_mt_save,
+	.extra_opts    = gradm_mt_opts,
+};
+
+static __attribute__((constructor)) void gradm_mt_ldr(void)
+{
+	xtables_register_match(&gradm_mt_reg);
+}

extensions/libxt_gradm.man

@@ -0,0 +1,7 @@
+This module matches packets based on grsecurity RBAC status.
+.TP
+[\fB!\fP] \fB\-\-enabled\fP
+Matches packets if grsecurity RBAC is enabled.
+.TP
+[\fB!\fP] \fB\-\-disabled\fP
+Matches packets if grsecurity RBAC is disabled.

extensions/libxt_iface.c

@@ -15,9 +15,16 @@
 
 #include <xtables.h>
 #include "xt_iface.h"
+#include "compat_user.h"
+
+enum {
+	XT_IFACE_IFACE = 1 << 16,
+};
 
 static const struct option iface_mt_opts[] = {
 	{.name = "iface",        .has_arg = true,  .val = 'i'},
+	{.name = "dev-in",       .has_arg = false, .val = 'I'},
+	{.name = "dev-out",      .has_arg = false, .val = 'O'},
 	{.name = "up",           .has_arg = false, .val = 'u'},
 	{.name = "down",         .has_arg = false, .val = 'U'}, /* not up */
 	{.name = "broadcast",    .has_arg = false, .val = 'b'},
@@ -39,9 +46,7 @@ static void iface_print_opt(const struct xt_iface_mtinfo *info,
     const unsigned int option, const char *command)
 {
 	if (info->flags & option)
-		printf(" %s", command);
+		printf(" %s%s", (info->invflags & option) ? "! " : "", command);
-	if (info->invflags & option)
-		printf(" ! %s", command);
 }
 
 static void iface_setflag(struct xt_iface_mtinfo *info,
@@ -50,10 +55,9 @@ static void iface_setflag(struct xt_iface_mtinfo *info,
 	if (*flags & flag)
 		xtables_error(PARAMETER_PROBLEM,
 			"iface: \"--%s\" flag already specified", command);
+	info->flags |= flag;
 	if (invert)
 		info->invflags |= flag;
-	else
-		info->flags |= flag;
 	*flags |= flag;
 }
 
@@ -68,19 +72,20 @@ static void iface_mt_help(void)
 {
 	printf(
 	"iface match options:\n"
-	"    --iface interface    Name of interface\n"
+	"    --iface interface     Name of interface\n"
-	"[!] --up / --down        match if UP flag (not) set\n"
+	"    --dev-in / --dev-out  Use incoming/outgoing interface instead\n"
-	"[!] --broadcast          match if BROADCAST flag (not) set\n"
+	"[!] --up / --down         match if UP flag (not) set\n"
-	"[!] --loopback           match if LOOPBACK flag (not) set\n"
+	"[!] --broadcast           match if BROADCAST flag (not) set\n"
+	"[!] --loopback            match if LOOPBACK flag (not) set\n"
 	"[!] --pointopoint\n"
-	"[!] --pointtopoint       match if POINTOPOINT flag (not) set\n"
+	"[!] --pointtopoint        match if POINTOPOINT flag (not) set\n"
-	"[!] --running            match if RUNNING flag (not) set\n"
+	"[!] --running             match if RUNNING flag (not) set\n"
-	"[!] --noarp / --arp      match if NOARP flag (not) set\n"
+	"[!] --noarp / --arp       match if NOARP flag (not) set\n"
-	"[!] --promisc            match if PROMISC flag (not) set\n"
+	"[!] --promisc             match if PROMISC flag (not) set\n"
-	"[!] --multicast          match if MULTICAST flag (not) set\n"
+	"[!] --multicast           match if MULTICAST flag (not) set\n"
-	"[!] --dynamic            match if DYNAMIC flag (not) set\n"
+	"[!] --dynamic             match if DYNAMIC flag (not) set\n"
-	"[!] --lower-up           match if LOWER_UP flag (not) set\n"
+	"[!] --lower-up            match if LOWER_UP flag (not) set\n"
-	"[!] --dormant            match if DORMANT flag (not) set\n");
+	"[!] --dormant             match if DORMANT flag (not) set\n");
 }
 
 static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -110,6 +115,18 @@ static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 		strcpy(info->ifname, optarg);
 		*flags |= XT_IFACE_IFACE;
 		return true;
+	case 'I': /* --dev-in */
+		xtables_param_act(XTF_ONLY_ONCE, "iface", "--dev-in",
+			*flags & XT_IFACE_IFACE);
+		*flags |= XT_IFACE_IFACE;
+		iface_setflag(info, flags, invert, XT_IFACE_DEV_IN, "dev-in");
+		return true;
+	case 'O': /* --dev-out */
+		xtables_param_act(XTF_ONLY_ONCE, "iface", "--dev-out",
+			*flags & XT_IFACE_IFACE);
+		*flags |= XT_IFACE_IFACE;
+		iface_setflag(info, flags, invert, XT_IFACE_DEV_OUT, "dev-out");
+		return true;
 	case 'u': /* UP */
 		iface_setflag(info, flags, invert, XT_IFACE_UP, "up");
 		return true;
@@ -152,7 +169,8 @@ static void iface_mt_check(unsigned int flags)
 	if (!(flags & XT_IFACE_IFACE))
 		xtables_error(PARAMETER_PROBLEM,
 			"iface: You must specify an interface");
-	if (flags == 0 || flags == XT_IFACE_IFACE)
+	if ((flags & ~(XT_IFACE_IFACE | XT_IFACE_DEV_IN |
+	    XT_IFACE_DEV_OUT)) == 0)
 		xtables_error(PARAMETER_PROBLEM,
 			"iface: You must specify at least one option");
 }
@@ -162,7 +180,14 @@ static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
 {
 	const struct xt_iface_mtinfo *info = (const void *)match->data;
 
-	printf("iface: \"%s\" [state:", info->ifname);
+	printf("iface: ");
+	if (info->flags & XT_IFACE_DEV_IN)
+		printf("(in)");
+	else if (info->flags & XT_IFACE_DEV_OUT)
+		printf("(out)");
+	else
+		printf("%s", info->ifname);
+	printf(" [state:");
 	iface_print_opt(info, XT_IFACE_UP,          "up");
 	iface_print_opt(info, XT_IFACE_BROADCAST,   "broadcast");
 	iface_print_opt(info, XT_IFACE_LOOPBACK,    "loopback");
@@ -181,7 +206,12 @@ static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_iface_mtinfo *info = (const void *)match->data;
 
-	printf(" --iface %s", info->ifname);
+	if (info->flags & XT_IFACE_DEV_IN)
+		printf("--dev-in");
+	else if (info->flags & XT_IFACE_DEV_OUT)
+		printf("--dev-out");
+	else
+		printf("--iface %s", info->ifname);
 	iface_print_opt(info, XT_IFACE_UP,          "--up");
 	iface_print_opt(info, XT_IFACE_BROADCAST,   "--broadcast");
 	iface_print_opt(info, XT_IFACE_LOOPBACK,    "--loopback");

extensions/libxt_iface.man

@@ -1,7 +1,20 @@
-Allows you to check interface states.
+Allows you to check interface states. First, an interface needs to be selected
+for comparison. Exactly one option of the following three must be specified:
 .TP
 \fB\-\-iface\fP \fIname\fP
-Check the states on the given interface. This option is required.
+Check the states on the given interface.
+.TP
+\fB\-\-dev\-in\fP
+Check the states on the interface on which the packet came in. If the input
+device is not set, because for example you are using \-m iface in the OUTPUT
+chain, this submatch returns false.
+.TP
+\fB\-\-dev\-out\fP
+Check the states on the interface on which the packet will go out. If the
+output device is not set, because for example you are using \-m iface in the
+INPUT chain, this submatch returns false.
+.PP
+Following that, one can select the interface properties to check for:
 .TP
 [\fB!\fP] \fB\-\-up\fP, [\fB!\fP] \fB\-\-down\fP
 Check the UP flag.

extensions/libxt_ipp2p.c

@@ -17,6 +17,7 @@
 #include <ctype.h>
 #include <xtables.h>
 #include "xt_ipp2p.h"
+#include "compat_user.h"
 #define param_act(t, s, f) xtables_param_act((t), "ipp2p", (s), (f))
 
 static void ipp2p_mt_help(void)

extensions/libxt_ipv4options.c

@@ -14,6 +14,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_ipv4options.h"
+#include "compat_user.h"
 
 /*
  * Overview from http://www.networksorcery.com/enp/protocol/ip.htm

extensions/libxt_length2.c

@@ -5,6 +5,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_length2.h"
+#include "compat_user.h"
 
 enum {
 	F_LAYER  = 1 << 0,

extensions/libxt_lscan.c

@@ -17,6 +17,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_lscan.h"
+#include "compat_user.h"
 
 static const struct option lscan_mt_opts[] = {
 	{.name = "stealth", .has_arg = false, .val = 'x'},

extensions/libxt_psd.c

@@ -28,6 +28,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_psd.h"
+#include "compat_user.h"
 
 /* Function which prints out usage message. */
 static void psd_mt_help(void) {

extensions/libxt_quota2.c

@@ -15,6 +15,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_quota2.h"
+#include "compat_user.h"
 
 enum {
 	FL_QUOTA     = 1 << 0,

extensions/pknock/libxt_pknock.c

@@ -16,6 +16,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include "xt_pknock.h"
+#include "compat_user.h"
 
 static const struct option pknock_mt_opts[] = {
 	/* .name, .has_arg, .flag, .val */

extensions/xt_CHECKSUM.c

@@ -0,0 +1,72 @@
+/*
+ * (C) 2002 by Harald Welte <laforge@netfilter.org>
+ * (C) 2010 Red Hat, Inc.
+ *
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter/x_tables.h>
+#include "xt_CHECKSUM.h"
+#include "compat_xtables.h"
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
+MODULE_DESCRIPTION("Xtables: checksum modification");
+MODULE_ALIAS("ipt_CHECKSUM");
+MODULE_ALIAS("ip6t_CHECKSUM");
+
+static unsigned int
+checksum_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+{
+	struct sk_buff *skb = *pskb;
+
+	if (skb->ip_summed == CHECKSUM_PARTIAL)
+		skb_checksum_help(skb);
+
+	return XT_CONTINUE;
+}
+
+static int checksum_tg_check(const struct xt_tgchk_param *par)
+{
+	const struct xt_CHECKSUM_info *einfo = par->targinfo;
+
+	if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
+		pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
+		return -EINVAL;
+	}
+	if (!einfo->operation) {
+		pr_info("no CHECKSUM operation enabled\n");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+static struct xt_target checksum_tg_reg __read_mostly = {
+	.name       = "CHECKSUM",
+	.family     = NFPROTO_UNSPEC,
+	.target     = checksum_tg,
+	.targetsize = sizeof(struct xt_CHECKSUM_info),
+	.table      = "mangle",
+	.checkentry = checksum_tg_check,
+	.me         = THIS_MODULE,
+};
+
+static int __init checksum_tg_init(void)
+{
+	return xt_register_target(&checksum_tg_reg);
+}
+
+static void __exit checksum_tg_exit(void)
+{
+	xt_unregister_target(&checksum_tg_reg);
+}
+
+module_init(checksum_tg_init);
+module_exit(checksum_tg_exit);

extensions/xt_CHECKSUM.h

@@ -0,0 +1,18 @@
+/* Header file for iptables ipt_CHECKSUM target
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 Red Hat Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+*/
+#ifndef _IPT_CHECKSUM_TARGET_H
+#define _IPT_CHECKSUM_TARGET_H
+
+#define XT_CHECKSUM_OP_FILL	0x01	/* fill in checksum in IP header */
+
+struct xt_CHECKSUM_info {
+	__u8 operation;	/* bitset of operations */
+};
+
+#endif /* _IPT_CHECKSUM_TARGET_H */

extensions/xt_LOGMARK.c

@@ -2,7 +2,7 @@
  *	"LOGMARK" target extension to Xtables
  *	useful for debugging
  *
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -75,6 +75,8 @@ logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 			printk("%s""ASSURED", prev++ ? "," : "");
 		if (ct->status & IPS_CONFIRMED)
 			printk("%s""CONFIRMED", prev++ ? "," : "");
+		printk(" lifetime=%lus",
+		       (jiffies - ct->timeout.expires) / HZ);
 	}
 
 	printk("\n");

extensions/xt_RAWNAT.c

@@ -48,7 +48,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		break;
 	case 33 ... 63:
 		addr[0] = repl[0];
-		addr[1] = remask(addr[1], repl[1], mask - 64);
+		addr[1] = remask(addr[1], repl[1], mask - 32);
 		break;
 	case 64:
 		addr[0] = repl[0];
@@ -57,7 +57,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 	case 65 ... 95:
 		addr[0] = repl[0];
 		addr[1] = repl[1];
-		addr[2] = remask(addr[2], repl[2], mask - 96);
+		addr[2] = remask(addr[2], repl[2], mask - 64);
 	case 96:
 		addr[0] = repl[0];
 		addr[1] = repl[1];
@@ -67,7 +67,7 @@ rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
 		addr[0] = repl[0];
 		addr[1] = repl[1];
 		addr[2] = repl[2];
-		addr[3] = remask(addr[3], repl[3], mask - 128);
+		addr[3] = remask(addr[3], repl[3], mask - 96);
 		break;
 	case 128:
 		addr[0] = repl[0];

extensions/xt_SYSRQ.c

@@ -135,13 +135,13 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 			"0123456789abcdef"[sysrq_digest[i] & 0xf];
 	}
 	sysrq_hexdigest[2*sysrq_digest_size] = '\0';
-	if (len - n < sysrq_digest_size) {
+	if (len - n < sysrq_digest_size * 2) {
 		if (sysrq_debug)
 			printk(KERN_INFO KBUILD_MODNAME ": Short digest,"
 			       " expected %s\n", sysrq_hexdigest);
 		return NF_DROP;
 	}
-	if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size) != 0) {
+	if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size * 2) != 0) {
 		if (sysrq_debug)
 			printk(KERN_INFO KBUILD_MODNAME ": Bad digest,"
 			       " expected %s\n", sysrq_hexdigest);
@@ -152,7 +152,9 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 	sysrq_seqno = new_seqno;
 	for (i = 0; i < len && data[i] != ','; ++i) {
 		printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+		handle_sysrq(data[i]);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 		handle_sysrq(data[i], NULL);
 #else
 		handle_sysrq(data[i], NULL, NULL);
@@ -187,7 +189,9 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 		return NF_DROP;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+	handle_sysrq(c);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 	handle_sysrq(c, NULL);
 #else
 	handle_sysrq(c, NULL, NULL);
@@ -324,8 +328,8 @@ static int __init sysrq_crypto_init(void)
 		printk(KERN_WARNING KBUILD_MODNAME
 			": Error: Could not find or load %s hash\n",
 			sysrq_hash);
-		sysrq_tfm = NULL;
 		ret = PTR_ERR(sysrq_tfm);
+		sysrq_tfm = NULL;
 		goto fail;
 	}
 	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);

extensions/xt_TARPIT.c

@@ -73,7 +73,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
 	/* Rate-limit replies to !SYN,ACKs */
 #if 0
 	if (!oth->syn && oth->ack)
-		if (!xrlim_allow(&ort->u.dst, HZ))
+		if (!xrlim_allow(rt_dst(ort), HZ))
 			return;
 #endif
 

extensions/xt_TEE.c

@@ -51,8 +51,8 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 		return false;
 
 	dst_release(skb_dst(skb));
-	skb_dst_set(skb, &rt->u.dst);
+	skb_dst_set(skb, rt_dst(rt));
-	skb->dev      = rt->u.dst.dev;
+	skb->dev      = rt_dst(rt)->dev;
 	skb->protocol = htons(ETH_P_IP);
 	return true;
 }

extensions/xt_geoip.c

@@ -126,13 +126,13 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
 {
 	int mid;
 
-	if (hi < lo)
+	if (hi <= lo)
 		return false;
 	mid = (lo + hi) / 2;
 	if (range[mid].begin <= addr && addr <= range[mid].end)
 		return true;
 	if (range[mid].begin > addr)
-		return geoip_bsearch(range, addr, lo, mid - 1);
+		return geoip_bsearch(range, addr, lo, mid);
 	else if (range[mid].end < addr)
 		return geoip_bsearch(range, addr, mid + 1, hi);
 

extensions/xt_gradm.h

@@ -0,0 +1,9 @@
+#ifndef _XT_GRADM_H
+#define _XT_GRADM_H
+
+struct xt_gradm_mtinfo {
+	__u16 flags;
+	__u16 invflags;
+};
+
+#endif

extensions/xt_iface.c

@@ -40,29 +40,46 @@ static const struct xt_iface_flag_pairs xt_iface_lookup[] =
 	{.iface_flag = XT_IFACE_DORMANT,	.iff_flag = IFF_DORMANT},
 };
 
+static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
+    const struct xt_action_param *par, struct net_device **put)
+{
+	if (info->flags & XT_IFACE_DEV_IN)
+		return par->in;
+	else if (info->flags & XT_IFACE_DEV_OUT)
+		return par->out;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
+	return *put = dev_get_by_name(&init_net, info->ifname);
+#else
+	return *put = dev_get_by_name(info->ifname);
+#endif
+}
+
+static bool iface_flagtest(unsigned int devflags, unsigned int flags,
+    unsigned int invflags)
+{
+	unsigned int i;
+
+	for (i = 0; i < ARRAY_SIZE(xt_iface_lookup); ++i)
+		if ((flags & xt_iface_lookup[i].iface_flag) &&
+		    !!(devflags & xt_iface_lookup[i].iff_flag) ^
+		    !(invflags & xt_iface_lookup[i].iface_flag))
+			return false;
+	return true;
+}
+
 static bool xt_iface_mt(const struct sk_buff *skb,
     struct xt_action_param *par)
 {
 	const struct xt_iface_mtinfo *info = par->matchinfo;
-	struct net_device *dev;
+	struct net_device *put = NULL;
+	const struct net_device *dev = iface_get(info, par, &put);
 	bool retval;
-	int i;
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
+	if (dev == NULL)
-	dev = dev_get_by_name(&init_net, info->ifname);
+		return false;
-#else
+	retval = iface_flagtest(dev->flags, info->flags, info->invflags);
-	dev = dev_get_by_name(info->ifname);
+	if (put != NULL)
-#endif
+		dev_put(put);
-	retval = dev != NULL;
-	if (retval) {
-		for (i = 0; i < ARRAY_SIZE(xt_iface_lookup) && retval; ++i) {
-			if (info->flags & xt_iface_lookup[i].iface_flag)
-				retval &= dev->flags & xt_iface_lookup[i].iff_flag;
-			if (info->invflags & xt_iface_lookup[i].iface_flag)
-				retval &= !(dev->flags & xt_iface_lookup[i].iff_flag);
-		}
-		dev_put(dev);
-	}
 	return retval;
 }
 

extensions/xt_iface.h

@@ -13,7 +13,8 @@ enum {
 	XT_IFACE_DYNAMIC     = 1 << 8,
 	XT_IFACE_LOWER_UP    = 1 << 9,
 	XT_IFACE_DORMANT     = 1 << 10,
-	XT_IFACE_IFACE       = 1 << 15,
+	XT_IFACE_DEV_IN      = 1 << 11,
+	XT_IFACE_DEV_OUT     = 1 << 12,
 };
 
 struct xt_iface_mtinfo {

extensions/xt_length2.c

@@ -207,7 +207,11 @@ length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 	bool hit = true;
 
 	if (info->flags & XT_LENGTH_LAYER3) {
-		len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
+		if (iph->payload_len == 0)
+			/* Jumbogram */
+			len = skb->len;
+		else
+			len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
 	} else {
 		l4proto = llayer4_proto(skb, &thoff, &par->hotdrop);
 		if (l4proto == NEXTHDR_MAX)

geoip/.gitignore

@@ -0,0 +1,6 @@
+/BE
+/LE
+/GeoIPCountryCSV.zip
+/GeoIPCountryWhois.csv
+/GeoIPv6.csv
+/GeoIPv6.csv.gz

geoip/Makefile.am

@@ -0,0 +1,3 @@
+# -*- Makefile -*-
+
+pkglibexec_SCRIPTS = geoip_build_db.pl geoip_download.sh

geoip/geoip_build_db.pl

@@ -0,0 +1,54 @@
+#!/usr/bin/perl
+#
+#	Converter for MaxMind CSV database to binary, for xt_geoip
+#	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2008
+#
+#	Use -b argument to create big-endian tables.
+#
+use Getopt::Long;
+use IO::Handle;
+use Text::CSV_XS; # or trade for Text::CSV
+use strict;
+
+my %country;
+my %names;
+my $csv = Text::CSV_XS->new({binary => 0, eol => $/}); # or Text::CSV
+my $mode = "VV";
+my $target_dir = ".";
+
+&Getopt::Long::Configure(qw(bundling));
+&GetOptions(
+	"D=s" => \$target_dir,
+	"b"   => sub { $mode = "NN"; },
+);
+
+if (!-d $target_dir) {
+	print STDERR "Target directory $target_dir does not exist.\n";
+	exit 1;
+}
+
+while (my $row = $csv->getline(*ARGV)) {
+	if (!defined($country{$row->[4]})) {
+		$country{$row->[4]} = [];
+		$names{$row->[4]} = $row->[5];
+	}
+	my $c = $country{$row->[4]};
+	push(@$c, [$row->[2], $row->[3]]);
+	if ($. % 4096 == 0) {
+		print STDERR "\r\e[2K$. entries";
+	}
+}
+
+print STDERR "\r\e[2K$. entries total\n";
+
+foreach my $iso_code (sort keys %country) {
+	printf "%5u ranges for %s %s\n",
+		scalar(@{$country{$iso_code}}),
+		$iso_code, $names{$iso_code};
+
+	open(my $fh, "> $target_dir/".uc($iso_code).".iv0");
+	foreach my $range (@{$country{$iso_code}}) {
+		print $fh pack($mode, $range->[0], $range->[1]);
+	}
+	close $fh;
+}

geoip/geoip_download.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+rm -f GeoIPv6.csv{,.gz} GeoIPCountryCSV.zip GeoIPCountryWhois.csv;
+wget \
+	http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \
+	http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip;
+gzip -d GeoIPv6.csv.gz;
+unzip GeoIPCountryCSV.zip;

mconfig

@@ -2,6 +2,7 @@
 #
 build_ACCOUNT=m
 build_CHAOS=m
+build_CHECKSUM=
 build_DELUDE=m
 build_DHCPMAC=m
 build_ECHO=
@@ -11,10 +12,11 @@ build_RAWNAT=m
 build_STEAL=m
 build_SYSRQ=m
 build_TARPIT=m
-build_TEE=m
+build_TEE=
 build_condition=m
 build_fuzzy=m
 build_geoip=m
+build_gradm=m
 build_iface=m
 build_ipp2p=m
 build_ipset=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.27 (2010-05-16)" "" "v1.27 (2010-05-16)"
+.TH xtables-addons 8 "v1.31 (2010-11-05)" "" "v1.31 (2010-11-05)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets