Xtables-addons 1.32

This requires Linux 2.6.35 or newer to build, so it is deactivated by
default in the "mconfig" file.

.gitignore

@@ -3,6 +3,7 @@
 *.loT
 *.o
 .deps
+.dirstamp
 .libs
 Makefile
 Makefile.in

INSTALL

@@ -28,6 +28,12 @@ Extra notes:
 
 	* requires that no vendor backports interfere
 
+For ipset-5 you need:
+
+	* libmnl
+
+	* Linux kernel >= 2.6.35
+
 
 Selecting extensions
 ====================

Makefile.am

@@ -1,7 +1,7 @@
 # -*- Makefile -*-
 
 ACLOCAL_AMFLAGS  = -I m4
-SUBDIRS          = extensions
+SUBDIRS          = extensions geoip
 
 man_MANS := xtables-addons.8
 

Makefile.extra

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 # AUTOMAKE
 
+export AM_CPPFLAGS
+export AM_CFLAGS
 XA_SRCDIR = ${srcdir}
 XA_TOPSRCDIR = ${top_srcdir}
 XA_ABSTOPSRCDIR = ${abs_top_srcdir}

Makefile.iptrules.in

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 # MANUAL
 
+abs_top_srcdir  = @abs_top_srcdir@
+
 prefix          = @prefix@
 exec_prefix     = @exec_prefix@
 libexecdir      = @libexecdir@
@@ -8,11 +10,11 @@ xtlibdir        = @xtlibdir@
 
 CC              = @CC@
 CCLD            = ${CC}
+CFLAGS          = @CFLAGS@
+LDFLAGS         = @LDFLAGS@
 
-regular_CFLAGS  = @regular_CFLAGS@
 libxtables_CFLAGS = @libxtables_CFLAGS@
 libxtables_LIBS   = @libxtables_LIBS@
-AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS}
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
 AM_DEFAULT_VERBOSITY = 0
@@ -42,19 +44,19 @@ subdirs_list := $(filter %/,${obj-m})
 .PHONY: all install clean
 
 all: ${targets}
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i || exit $$?; done;
 
 install: ${targets}
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
 	install -dm0755 "${DESTDIR}/${xtlibdir}";
 	@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
 
 clean:
-	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
 	rm -f *.oo *.so;
 
 lib%.so: lib%.oo
 	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${libxtables_LIBS} ${LDLIBS};
 
 %.oo: ${XA_SRCDIR}/%.c
-	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CPPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CPPFLAGS} ${CFLAGS} -o $@ -c $<;

Makefile.mans.in

@@ -3,8 +3,8 @@
 
 srcdir := @srcdir@
 
-wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
-wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
+wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man' | sort)
+wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man' | sort)
 wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
 wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
 
@@ -23,7 +23,7 @@ man_run = \
 		name="$${name\#\#*/libxt_}"; \
 		if [ -f "$$ext" ]; then \
 			echo ".SS $$name"; \
-			cat "$$ext"; \
+			cat "$$ext" || exit $$?; \
 			continue; \
 		fi; \
 	done >$@;

configure.ac

@@ -1,9 +1,9 @@
 
-AC_INIT([xtables-addons], [1.27])
+AC_INIT([xtables-addons], [1.32])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
+AM_INIT_AUTOMAKE([1.10.2 -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -21,21 +21,24 @@ if [[ "$kbuilddir" == no ]]; then
 	kbuilddir="";
 fi
 
-AC_ARG_WITH([xtlibdir],
-	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
-	[xtlibdir="$withval"],
-	[xtlibdir='${libexecdir}/xtables'])
-
-PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
+xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
+PKG_CHECK_MODULES([libmnl], [libmnl >= 1], [:], [:])
 
-regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
+AC_ARG_WITH([xtlibdir],
+	AS_HELP_STRING([--with-xtlibdir=PATH],
+	[Path where to install Xtables extensions [[autodetect]]]]),
+	[xtlibdir="$withval"])
+AC_MSG_CHECKING([Xtables module directory])
+AC_MSG_RESULT([$xtlibdir])
+
+regular_CPPFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
+	-D_REENTRANT -I\${XA_TOPSRCDIR}/include"
+regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
-	-I\${XA_TOPSRCDIR}/include";
+	-Winline -pipe";
 
 #
 # check kernel version
@@ -46,35 +49,44 @@ if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
 	# Well, just a warning. Maybe the admin updated the kernel.
 	echo "WARNING: This distribution's shipped kernel is not supported.";
 fi;
-krel="$(make -sC ${kbuilddir} kernelrelease)";
-krel="${krel%%-*}";
-kmajor="${krel%%.*}";
-krel="${krel#*.}";
-kminor="${krel%%.*}";
-krel="${krel#*.}";
-kmicro="${krel%%.*}";
-if test "$kmicro" = "$krel"; then
-	kstable=0;
+AC_MSG_CHECKING([kernel version that we will build against])
+krel="$(make -sC "$kbuilddir" M=. kernelrelease)";
+kmajor="${krel%%[[^0-9]]*}";
+kmajor="$(($kmajor+0))";
+krel="${krel:${#kmajor}}";
+krel="${krel#.}";
+kminor="${krel%%[[^0-9]]*}";
+kminor="$(($kminor+0))";
+krel="${krel:${#kminor}}";
+krel="${krel#.}";
+kmicro="${krel%%[[^0-9]]*}";
+kmicro="$(($kmicro+0))";
+krel="${krel:${#kmicro}}";
+krel="${krel#.}";
+kstable="${krel%%[[^0-9]]*}";
+kstable="$(($kstable+0))";
+if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
+	echo "WARNING: Version detection did not succeed. Continue at own luck.";
 else
-	kstable="${krel#*.}";
-	if test -z "$kstable"; then
-		kstable=0;
+	echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+	if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 36; then
+		echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
+	elif test \( "$kmajor" -lt 2 -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -lt 6 \) -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -eq 0 -a "$kmicro" -lt 17 \) -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
+	    "$kstable" -lt 5 \) \); then
+		echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
+		exit 1;
 	fi;
 fi;
-echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 35; then
-	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
-elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
-    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
-    "$kstable" -lt 5 \); then
-	echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
-	exit 1;
-fi;
 
+AC_SUBST([regular_CPPFLAGS])
 AC_SUBST([regular_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([xtlibdir])
-AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
+AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans geoip/Makefile
 	extensions/Makefile extensions/ACCOUNT/Makefile
-	extensions/ipset/Makefile extensions/pknock/Makefile])
+	extensions/ipset-4/Makefile extensions/ipset-5/Makefile
+	extensions/pknock/Makefile])
 AC_OUTPUT

doc/api/2.6.17.c

@@ -0,0 +1,64 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+		void *userdata,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+	);

doc/api/2.6.19.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.23.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.24.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.28.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.31.c

@@ -0,0 +1,38 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.32.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.35.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/xt-a.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/changelog.txt

@@ -3,18 +3,77 @@ HEAD
 ====
 
 
-Xtables-addons 1.27 (May 16 2010)
-=================================
+v1.32 (2011-01-04)
+==================
+Fixes:
+- Update to ipset 4.5
+  * the iptreemap type used wrong gfp flags when deleting entries
+- Include ipset 5.2 with genetlink patch (beta)
+  * no kernel patch needed, but requires Linux >= 2.6.35
+    and thus needs to be manually enabled in mconfig
+
+
+v1.31 (2010-11-05)
+==================
+Fixes:
+- build: improve detection of kernel version and error handling
+Changes:
+- build: automatically derive Xtables module directory, thus
+  --with-xtlibdir is no longer needed for ./configure in most cases
+  (If I still see a distro using it, I will scold you for not
+  reading this changelog.)
+Enhancements:
+- LOGMARK: print remaining lifetime of cts
+- xt_iface: allow matching against incoming/outgoing interface
+- libxt_gradm: match packets based on status of grsecurity RBAC
+  (userspace part only - xt_gradm is in the grsec patch)
+
+
+v1.30 (2010-010-02)
+===================
+Fixes:
+- update to ipset 4.4
+  * ipport{,ip,net}hash did not work with mixed "src" and "dst"
+    destination parameters
+Changes:
+- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
+  merged upstream in Linux 2.6.35 and 2.6.36, respectively.
+  Distros still wishing to build this need to enable it in their build
+  script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
+
+
+v1.29 (2010-09-29)
+==================
+- compat_xtables: return bool for match_check and target_check in 2.6.23..34
+- ipset: enable building of ip_set_ipport{ip,net}hash.ko
+- support for Linux 2.6.36
+- SYSRQ: resolve compile error with Linux 2.6.36
+- TEE: resolve compile error with Linux 2.6.36
+- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
+  ("implicit declaration of function 'ALIGN'")
+
+
+v1.28 (2010-07-24)
+==================
+- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
+- new target xt_CHECKSUM
+- xt_length2: add support for IPv6 jumbograms
+- xt_geoip: fix possible out-of-bounds access
+- import xt_geoip database scripts
+
+
+v1.27 (2010-05-16)
+==================
 - further updates for the upcoming 2.6.35 changes
 
 
-Xtables-addons 1.26 (April 30 2010)
-===================================
+v1.26 (2010-04-30)
+==================
 - compat_xtables: fix 2.6.34 compile error due to a typo
 
 
-Xtables-addons 1.25 (April 26 2010)
-===================================
+v1.25 (2010-04-26)
+==================
 - TEE: do rechecksumming in PREROUTING too
 - TEE: decrease TTL on cloned packet
 - TEE: set dont-fragment on cloned packets
@@ -26,8 +85,8 @@ Xtables-addons 1.25 (April 26 2010)
 - condition: remove unnecessary RCU protection
 
 
-Xtables-addons 1.24 (March 17 2010)
-===================================
+v1.24 (2010-03-17)
+==================
 - build: fix build of userspace modules against old (pre-2.6.25)
   headers from linux-glibc-devel (/usr/include/linux)
 - ipp2p: updated bittorent command recognition
@@ -35,8 +94,8 @@ Xtables-addons 1.24 (March 17 2010)
 - SYSRQ: allow processing of UDP-Lite
 
 
-Xtables-addons 1.23 (February 24 2010)
-======================================
+v1.23 (2010-02-24)
+==================
 - build: support for Linux 2.6.34
 - build: remove unused --with-ksource option
 - build: remove unneeded --with-xtables option
@@ -45,22 +104,22 @@ Xtables-addons 1.23 (February 24 2010)
 - ECHO: fix compilation w.r.t. skb_dst
 
 
-Xtables-addons 1.22 (January 22 2010)
-=====================================
+v1.22 (2010-01-22)
+==================
 - compat_xtables: support for 2.6.33 skb_iif changes
 - geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
 - ipset: enable build of ip_set_setlist.ko
 - quota2: add the --no-change mode
 
 
-Xtables-addons 1.21 (December 09 2009)
-======================================
+v1.21 (2009-12-09)
+==================
 - ACCOUNT: avoid collision with arp_tables setsockopt numbers
 - doc: fix option mismatch --gw/--gateway in libxt_TEE.man
 
 
-Xtables-addons 1.20 (November 19 2009)
-======================================
+v1.20 (2009-11-19)
+==================
 - ipp2p: add more boundary checks
 - ipp2p: fix Gnutelle line ending detection
 - LOGMARK: remove unknown options from manpage
@@ -69,8 +128,8 @@ Xtables-addons 1.20 (November 19 2009)
 - ipset: fast forward to v4.1
 
 
-Xtables-addons 1.19 (October 12 2009)
-=====================================
+v1.19 (2009-10-12)
+==================
 - build: compile fixes for 2.6.31-rt
 - build: support for Linux 2.6.32
 - ipp2p: try to address underflows
@@ -92,8 +151,8 @@ Xtables-addons 1.19 (October 12 2009)
   - pknock: add a manpage
 
 
-Xtables-addons 1.18 (September 09 2009)
-=======================================
+v1.18 (2009-09-09)
+==================
 - build: support for Linux 2.6.31
 - ipset: fast forward to v3.2
 - quota2: support anonymous counters
@@ -104,21 +163,21 @@ Xtables-addons 1.18 (September 09 2009)
 - merged xt_psd module
 
 
-Xtables-addons 1.17 (June 16 2009)
-==================================
+v1.17 (2009-06-16)
+==================
 - IPMARK: print missing --shift parameter
 - build: use readlink -f in extensions/ipset/
 - build: support for Linux 2.6.30
 
 
-Xtables-addons 1.16 (May 27 2009)
-=================================
+v1.16 (2009-05-27)
+==================
 - RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
 - ipset: fast forward to 3.0
 
 
-Xtables-addons 1.15 (April 30 2009)
-===================================
+v1.15 (2009-04-30)
+==================
 - build: add kernel version check to configure
 - condition: compile fix for 2.6.30-rc
 - condition: fix intrapositional negation sign
@@ -130,8 +189,8 @@ Xtables-addons 1.15 (April 30 2009)
 - added RAWSNAT/RAWDNAT targets
 
 
-Xtables-addons 1.14 (March 31 2009)
-===================================
+v1.14 (2009-03-31)
+==================
 - fuzzy: need to account for kernel-level modified variables in .userspacesize
 - geoip: remove XT_ALIGN from .userspacesize when used with offsetof
 - SYSRQ: ignore non-UDP packets
@@ -141,14 +200,14 @@ Xtables-addons 1.14 (March 31 2009)
 - dhcpmac: rename from dhcpaddr
 
 
-Xtables-addons 1.13 (March 23 2009)
-===================================
+v1.13 (2009-03-23)
+==================
 - added a reworked ipv4options match
 - upgrade to iptables 1.4.3 API
 
 
-Xtables-addons 1.12 (March 07 2009)
-===================================
+v1.12 (2009-03-07)
+==================
 - ipset: fix for compilation with 2.6.29-rt
 - ipset: fast forward to 2.5.0
 - rename xt_portscan to xt_lscan ("low-level scan") because
@@ -159,21 +218,21 @@ Xtables-addons 1.12 (March 07 2009)
 - xt_TEE: enable routing by iif, nfmark and flowlabel
 
 
-Xtables-addons 1.10 (February 18 2009)
-======================================
+v1.10 (2009-02-18)
+==================
 - compat: compile fixes for 2.6.29
 - ipset: upgrade to ipset 2.4.9
 
 
-Xtables-addons 1.9 (January 30 2009)
-====================================
+v1.9 (2009-01-30)
+=================
 - add the xt_length2 extension
 - xt_TEE: remove intrapositional '!' support
 - ipset: upgrade to ipset 2.4.7
 
 
-Xtables-addons 1.8 (January 10 2009)
-====================================
+v1.8 (2009-01-10)
+=================
 - xt_TEE: IPv6 support
 - xt_TEE: do not include TOS value in routing decision
 - xt_TEE: fix switch-case inversion for name/IP display
@@ -182,8 +241,8 @@ Xtables-addons 1.8 (January 10 2009)
 - xt_portscan: update manpage about --grscan option caveats
 
 
-Xtables-addons 1.7 (December 25 2008)
-=====================================
+v1.7 (2008-12-25)
+=================
 - xt_ECHO: compile fix
 - avoid the use of "_init" which led to compile errors on some installations
 - build: do not unconditionally install ipset
@@ -194,16 +253,16 @@ Xtables-addons 1.7 (December 25 2008)
 - xt_SYSRQ: improve security by hashing password
 
 
-Xtables-addons 1.6 (November 18 2008)
-=====================================
+v1.6 (2008-11-18)
+=================
 - build: support for Linux 2.6.17
 - build: compile fixes for 2.6.18 and 2.6.19
 - xt_ECHO: resolve compile errors in xt_ECHO
 - xt_ipp2p: parenthesize unaligned-access macros
 
 
-Xtables-addons 1.5.7 (September 01 2008)
-========================================
+v1.5.7 (2008-09-01)
+===================
 - API layer: fix use of uninitialized 'hotdrop' variable
 - API layer: move to pskb-based signatures
 - xt_SYSRQ: compile fixes for Linux <= 2.6.19
@@ -215,8 +274,8 @@ Xtables-addons 1.5.7 (September 01 2008)
 - xt_SYSRQ: add missing module aliases
 
 
-Xtables-addons 1.5.5 (August 03 2008)
-=====================================
+v1.5.5 (2008-08-03)
+===================
 - manpage updates for xt_CHAOS, xt_IPMARK; README updates
 - build: properly recognize external Kbuild/Mbuild files
 - build: remove dependency on CONFIG_NETWORK_SECMARK
@@ -225,13 +284,13 @@ Xtables-addons 1.5.5 (August 03 2008)
 - import ipset extension group
 
 
-Xtables-addons 1.5.4.1 (April 26 2008)
-======================================
+v1.5.4.1 (2008-04-26)
+=====================
 - build: fix compile error for 2.6.18-stable
 
 
-Xtables-addons 1.5.4 (April 09 2008)
-====================================
+v1.5.4 (2008-04-09)
+===================
 - build: support building multiple files with one config option
 - API layer: add check for pskb relocation
 - doc: generate manpages
@@ -245,28 +304,28 @@ Xtables-addons 1.5.4 (April 09 2008)
 - add reworked xt_IPMARK target
 
 
-Xtables-addons 1.5.3 (March 22 2008)
-====================================
+v1.5.3 (2008-03-22)
+===================
 - support for Linux 2.6.18
 - add xt_ECHO sample target
 - add reworked xt_geoip match
 
 
-Xtables-addons 1.5.2 (March 04 2008)
-====================================
+v1.5.2 (2008-03-04)
+===================
 - build: support for GNU make < 3.81 which does not have $(realpath)
 
 
-Xtables-addons 1.5.1 (February 21 2008)
-=======================================
+v1.5.1 (2008-02-21)
+===================
 - build: allow user to select what extensions to compile and install
 - build: allow external proejcts to be downloaded into the tree
 - xt_LOGMARK: dump classify mark, ctstate and ctstatus
 - add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
 
 
-Xtables-addons 1.5.0 (February 11 2008)
-=======================================
+v1.5.0 (2008-02-11)
+===================
 Initial release with:
 - extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
 - support for Linux >= 2.6.19

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -12,6 +12,7 @@
 #include <stddef.h>
 #include <xtables.h>
 #include "xt_ACCOUNT.h"
+#include "compat_user.h"
 
 static struct option account_tg_opts[] = {
 	{.name = "addr",  .has_arg = true, .val = 'a'},

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -494,7 +494,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
 			NIPQUAD(src_ip), NIPQUAD(dst_ip));
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 8 bit network or "any" network */
@@ -506,7 +506,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 16 bit network */
@@ -517,7 +517,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 24 bit network */
@@ -528,7 +528,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	printk("ACCOUNT: ipt_acc_target: Unable to process packet. "
@@ -536,7 +536,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 		info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
 
 	spin_unlock_bh(&ipt_acc_lock);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 /*

extensions/Kbuild

@@ -7,6 +7,7 @@ obj-m                    += compat_xtables.o
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
+obj-${build_CHECKSUM}    += xt_CHECKSUM.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
@@ -25,7 +26,8 @@ obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
 obj-${build_iface}       += xt_iface.o
 obj-${build_ipp2p}       += xt_ipp2p.o
-obj-${build_ipset}       += ipset/
+obj-${build_ipset4}      += ipset-4/
+obj-${build_ipset5}      += ipset-5/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o

extensions/Makefile.am

@@ -1,6 +1,9 @@
 # -*- Makefile -*-
 # AUTOMAKE
 
+AM_CPPFLAGS = ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
+AM_CFLAGS = ${regular_CFLAGS} ${libxtables_CFLAGS}
+
 # Not having Kbuild in Makefile.extra because it will already recurse
 .PHONY: modules modules_install clean_modules
 

extensions/Mbuild

@@ -2,6 +2,7 @@
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
+obj-${build_CHECKSUM}    += libxt_CHECKSUM.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_ECHO}        += libxt_ECHO.so
@@ -17,10 +18,12 @@ obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
 obj-${build_iface}       += libxt_iface.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
-obj-${build_ipset}       += ipset/
+obj-${build_ipset4}      += ipset-4/
+obj-${build_ipset5}      += ipset-5/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so
+obj-${build_gradm}       += libxt_gradm.so

extensions/compat_user.h

@@ -0,0 +1,12 @@
+/*
+ *	Userspace-level compat hacks
+ */
+#ifndef _XTABLES_COMPAT_USER_H
+#define _XTABLES_COMPAT_USER_H 1
+
+/* linux-glibc-devel 2.6.34 header screwup */
+#ifndef ALIGN
+#	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
+#endif
+
+#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -105,7 +105,11 @@ static bool xtnu_match_check(const char *table, const void *entry,
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nm->checkentry(&local_par);
+#else
+	return nm->checkentry(&local_par) == 0;
+#endif
 }
 #endif
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
@@ -118,7 +122,7 @@ static bool xtnu_match_check(const struct xt_mtchk_param *par)
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
-	return nm->checkentry(par) == 0 ? true : false;
+	return nm->checkentry(par) == 0;
 }
 #endif
 
@@ -313,7 +317,11 @@ static bool xtnu_target_check(const char *table, const void *entry,
 	if (nt->checkentry == NULL)
 		/* this is valid, just like if there was no function */
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nt->checkentry(&local_par);
+#else
+	return nt->checkentry(&local_par) == 0;
+#endif
 }
 #endif
 
@@ -327,7 +335,7 @@ static bool xtnu_target_check(const struct xt_tgchk_param *par)
 		return false;
 	if (nt->checkentry == NULL)
 		return true;
-	return nt->checkentry(par) == 0 ? true : false;
+	return nt->checkentry(par) == 0;
 }
 #endif
 

extensions/compat_xtables.h

@@ -86,6 +86,11 @@
 #	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+#	define rt_dst(rt)	(&(rt)->dst)
+#else
+#	define rt_dst(rt)	(&(rt)->u.dst)
+#endif
 
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \

extensions/ipset-4/Kbuild

@@ -3,4 +3,5 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
+obj-m += ip_set_ipportiphash.o ip_set_ipportnethash.o
 obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/ipset-4/Makefile.am

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 
-AM_CFLAGS = ${regular_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
+AM_CPPFLAGS = ${regular_CPPFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\" \
+            -DIP_NF_SET_HASHSIZE=1024
+AM_CFLAGS = ${regular_CFLAGS}
 
 include ../../Makefile.extra
 

extensions/ipset-4/Mbuild

@@ -4,4 +4,4 @@ obj-m += $(addprefix lib,$(patsubst %.c,%.so,$(notdir \
 	$(wildcard ${XA_SRCDIR}/ipset_*.c))))
 
 libipset_%.oo: ${XA_SRCDIR}/ipset_%.c
-	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CPPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CPPFLAGS} ${CFLAGS} -o $@ -c $<;

extensions/ipset-4/ip_set.c

@@ -929,11 +929,11 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 	}
 	if (copy_from_user(data, user, len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *)data;
@@ -1109,6 +1109,7 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;
@@ -1142,11 +1143,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
 	}
 	if (copy_from_user(data, user, *len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *) data;
@@ -1439,6 +1440,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
     	
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;

extensions/ipset-4/ip_set_ipporthash.c

@@ -68,7 +68,7 @@ ipporthash_test(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 	if (flags[1] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset-4/ip_set_ipportiphash.c

@@ -72,8 +72,8 @@ ipportiphash_test(struct ip_set *set,
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
-	ip1 = ipaddr(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset-4/ip_set_ipportnethash.c

@@ -116,8 +116,8 @@ ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size)
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
-	ip1 = ipaddr(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset-4/ip_set_iptreemap.c

@@ -102,13 +102,13 @@ static struct ip_set_iptreemap_b *fullbitmap_b;
 		} \
 	}
 
-#define DELIP_WALK(map, elem, branch, cachep, full, flags) \
+#define DELIP_WALK(map, elem, branch, cachep, full) \
 	do { \
 		branch = (map)->tree[elem]; \
 		if (!branch) { \
 			return -EEXIST; \
 		} else if (branch == full) { \
-			branch = kmem_cache_alloc(cachep, flags); \
+			branch = kmem_cache_alloc(cachep, GFP_ATOMIC); \
 			if (!branch) \
 				return -ENOMEM; \
 			memcpy(branch, full, sizeof(*full)); \
@@ -116,7 +116,7 @@ static struct ip_set_iptreemap_b *fullbitmap_b;
 		} \
 	} while (0)
 
-#define DELIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free, flags) \
+#define DELIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free) \
 	for (a = a1; a <= a2; a++) { \
 		branch = (map)->tree[a]; \
 		if (branch) { \
@@ -126,7 +126,7 @@ static struct ip_set_iptreemap_b *fullbitmap_b;
 				(map)->tree[a] = NULL; \
 				continue; \
 			} else if (branch == full) { \
-				branch = kmem_cache_alloc(cachep, flags); \
+				branch = kmem_cache_alloc(cachep, GFP_ATOMIC); \
 				if (!branch) \
 					return -ENOMEM; \
 				memcpy(branch, full, sizeof(*branch)); \
@@ -331,7 +331,7 @@ UADT0(iptreemap, add, min(req->ip, req->end), max(req->ip, req->end))
 KADT(iptreemap, add, ipaddr, ip)
 
 static inline int
-__delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
+__delip_single(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -341,9 +341,9 @@ __delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
 
 	ABCD(a, b, c, d, &ip);
 
-	DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b, flags);
-	DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c, flags);
-	DELIP_WALK(ctree, c, dtree, cachep_d, fullbitmap_d, flags);
+	DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b);
+	DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c);
+	DELIP_WALK(ctree, c, dtree, cachep_d, fullbitmap_d);
 
 	if (!__test_and_clear_bit(d, (void *) dtree->bitmap))
 		return -EEXIST;
@@ -354,8 +354,7 @@ __delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
 }
 
 static inline int
-iptreemap_del(struct ip_set *set,
-	      ip_set_ip_t start, ip_set_ip_t end, gfp_t flags)
+iptreemap_del(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -366,15 +365,15 @@ iptreemap_del(struct ip_set *set,
 	unsigned char a2, b2, c2, d2;
 
 	if (start == end)
-		return __delip_single(set, start, flags);
+		return __delip_single(set, start);
 
 	ABCD(a1, b1, c1, d1, &start);
 	ABCD(a2, b2, c2, d2, &end);
 
 	/* This is sooo ugly... */
-	DELIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b, flags) {
-		DELIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c, flags) {
-			DELIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d, flags) {
+	DELIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b) {
+		DELIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c) {
+			DELIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d) {
 				for (d = GETVALUE3(a, b, c, a1, b1, c1, d1, 0); d <= GETVALUE3(a, b, c, a2, b2, c2, d2, 255); d++)
 					__clear_bit(d, (void *) dtree->bitmap);
 				__set_bit(b, (void *) btree->dirty);
@@ -385,8 +384,8 @@ iptreemap_del(struct ip_set *set,
 	return 0;
 }
 
-UADT0(iptreemap, del, min(req->ip, req->end), max(req->ip, req->end), GFP_KERNEL)
-KADT(iptreemap, del, ipaddr, ip, GFP_ATOMIC)
+UADT0(iptreemap, del, min(req->ip, req->end), max(req->ip, req->end))
+KADT(iptreemap, del, ipaddr, ip)
 
 /* Check the status of the bitmap
  * -1 == all bits cleared

extensions/ipset-4/ipset.8

@@ -502,9 +502,13 @@ data storage in
 set and add src to the first single or src,dst to the first double 
 data storage set in
 \fIb\fP.
-.P
 You can imagine a setlist type of set as an ordered union of
 the set elements. 
+.P
+Please note: by the ipset command you can add, delete and
+.B test
+the setnames in a setlist type of set, and not the presence of 
+a set's member (such as an IP address).
 .SH GENERAL RESTRICTIONS
 Setnames starting with colon (:) cannot be defined. Zero valued set 
 entries cannot be used with hash type of sets.

extensions/ipset-4/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "4.2"
+#define IPSET_VERSION "4.5"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/ipset-4/ipset_iphash.c

@@ -39,7 +39,7 @@ iphash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 8;
 	mydata->resize = 50;
 	

extensions/ipset-4/ipset_ipporthash.c

@@ -39,7 +39,7 @@ ipporthash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 8;
 	mydata->resize = 50;
 }

extensions/ipset-4/ipset_ipportiphash.c

@@ -39,7 +39,7 @@ ipportiphash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 8;
 	mydata->resize = 50;
 }

extensions/ipset-4/ipset_ipportnethash.c

@@ -39,7 +39,7 @@ ipportnethash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 8;
 	mydata->resize = 50;
 }

extensions/ipset-4/ipset_nethash.c

@@ -38,7 +38,7 @@ nethash_create_init(void *data)
 	DP("create INIT");
 
 	/* Default create parameters */	
-	mydata->hashsize = 1024;
+	mydata->hashsize = IP_NF_SET_HASHSIZE;
 	mydata->probes = 4;
 	mydata->resize = 50;
 }

extensions/ipset-5/.gitignore

@@ -0,0 +1 @@
+/ipset

extensions/ipset-5/Kbuild

@@ -0,0 +1,7 @@
+# -*- Makefile -*-
+
+obj-m += xt_set.o
+obj-m += ip_set.o ip_set_bitmap_ip.o ip_set_bitmap_ipmac.o
+obj-m += ip_set_bitmap_port.o ip_set_hash_ip.o ip_set_hash_ipport.o
+obj-m += ip_set_hash_ipportip.o ip_set_hash_ipportnet.o ip_set_hash_net.o
+obj-m += ip_set_hash_netport.o ip_set_list_set.o

extensions/ipset-5/Makefile.am

@@ -0,0 +1,23 @@
+# -*- Makefile -*-
+
+AM_CFLAGS = ${regular_CFLAGS} ${libmnl_CFLAGS} -Iinclude
+
+include ../../Makefile.extra
+
+lib_LTLIBRARIES = libipset.la
+libipset_la_SOURCES = libipset/data.c libipset/icmp.c libipset/icmpv6.c \
+                      libipset/mnl.c libipset/parse.c libipset/print.c \
+                      libipset/session.c libipset/types.c
+libipset_la_LIBADD  = ${libmnl_LIBS}
+libipset_la_LDFLAGS = -version-info 1:0:0
+
+sbin_PROGRAMS = ipset
+ipset_SOURCES = src/ipset.c src/errcode.c src/ui.c src/ipset_bitmap_ip.c \
+                src/ipset_bitmap_ipmac.c src/ipset_bitmap_port.c \
+                src/ipset_hash_ip.c src/ipset_hash_ipport.c \
+                src/ipset_hash_ipportip.c src/ipset_hash_ipportnet.c \
+                src/ipset_hash_net.c src/ipset_hash_netport.c \
+                src/ipset_list_set.c
+ipset_LDADD   = libipset.la
+
+man_MANS      = ipset.8

extensions/ipset-5/Mbuild

@@ -0,0 +1,2 @@
+# -*- Makefile -*-
+

extensions/ipset-5/include/libipset/data.h

@@ -0,0 +1,133 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_DATA_H
+#define LIBIPSET_DATA_H
+
+#include <stdbool.h>				/* bool */
+#include <libipset/nf_inet_addr.h>		/* union nf_inet_addr */
+
+/* Data options */
+enum ipset_opt {
+	IPSET_OPT_NONE = 0,
+	/* Common ones */
+	IPSET_SETNAME,
+	IPSET_OPT_TYPENAME,
+	IPSET_OPT_FAMILY,
+	/* CADT options */
+	IPSET_OPT_IP,
+	IPSET_OPT_IP_FROM = IPSET_OPT_IP,
+	IPSET_OPT_IP_TO,
+	IPSET_OPT_CIDR,
+	IPSET_OPT_PORT,
+	IPSET_OPT_PORT_FROM = IPSET_OPT_PORT,
+	IPSET_OPT_PORT_TO,
+	IPSET_OPT_TIMEOUT,
+	/* Create-specific options */
+	IPSET_OPT_GC,
+	IPSET_OPT_HASHSIZE,
+	IPSET_OPT_MAXELEM,
+	IPSET_OPT_NETMASK,
+	IPSET_OPT_PROBES,
+	IPSET_OPT_RESIZE,
+	IPSET_OPT_SIZE,
+	/* Create-specific options, filled out by the kernel */
+	IPSET_OPT_ELEMENTS,
+	IPSET_OPT_REFERENCES,
+	IPSET_OPT_MEMSIZE,
+	/* ADT-specific options */
+	IPSET_OPT_ETHER,
+	IPSET_OPT_NAME,
+	IPSET_OPT_NAMEREF,
+	IPSET_OPT_IP2,
+	IPSET_OPT_CIDR2,
+	IPSET_OPT_PROTO,
+	/* Swap/rename to */
+	IPSET_OPT_SETNAME2,
+	/* Flags */
+	IPSET_OPT_EXIST,
+	IPSET_OPT_BEFORE,
+	/* Internal options */
+	IPSET_OPT_FLAGS = 48,	/* IPSET_FLAG_EXIST| */
+	IPSET_OPT_CADT_FLAGS,	/* IPSET_FLAG_BEFORE| */
+	IPSET_OPT_ELEM,
+	IPSET_OPT_TYPE,
+	IPSET_OPT_LINENO,
+	IPSET_OPT_REVISION,
+	IPSET_OPT_REVISION_MIN,
+	IPSET_OPT_MAX,
+};
+
+#define IPSET_FLAG(opt)		(1LL << (opt))
+#define IPSET_FLAGS_ALL		(~0LL)
+
+#define IPSET_CREATE_FLAGS		\
+	( IPSET_FLAG(IPSET_OPT_FAMILY)	\
+	| IPSET_FLAG(IPSET_OPT_TYPENAME)\
+	| IPSET_FLAG(IPSET_OPT_TYPE)	\
+	| IPSET_FLAG(IPSET_OPT_IP)	\
+	| IPSET_FLAG(IPSET_OPT_IP_TO)	\
+	| IPSET_FLAG(IPSET_OPT_CIDR)	\
+	| IPSET_FLAG(IPSET_OPT_PORT)	\
+	| IPSET_FLAG(IPSET_OPT_PORT_TO)	\
+	| IPSET_FLAG(IPSET_OPT_TIMEOUT)	\
+	| IPSET_FLAG(IPSET_OPT_GC)	\
+	| IPSET_FLAG(IPSET_OPT_HASHSIZE)\
+	| IPSET_FLAG(IPSET_OPT_MAXELEM)	\
+	| IPSET_FLAG(IPSET_OPT_NETMASK)	\
+	| IPSET_FLAG(IPSET_OPT_PROBES)	\
+	| IPSET_FLAG(IPSET_OPT_RESIZE)	\
+	| IPSET_FLAG(IPSET_OPT_SIZE))
+
+#define IPSET_ADT_FLAGS			\
+	( IPSET_FLAG(IPSET_OPT_IP)	\
+	| IPSET_FLAG(IPSET_OPT_IP_TO)	\
+	| IPSET_FLAG(IPSET_OPT_CIDR)	\
+	| IPSET_FLAG(IPSET_OPT_PORT)	\
+	| IPSET_FLAG(IPSET_OPT_PORT_TO)	\
+	| IPSET_FLAG(IPSET_OPT_TIMEOUT)	\
+	| IPSET_FLAG(IPSET_OPT_ETHER)	\
+	| IPSET_FLAG(IPSET_OPT_NAME)	\
+	| IPSET_FLAG(IPSET_OPT_NAMEREF)	\
+	| IPSET_FLAG(IPSET_OPT_IP2)	\
+	| IPSET_FLAG(IPSET_OPT_CIDR2)	\
+	| IPSET_FLAG(IPSET_OPT_PROTO)	\
+	| IPSET_FLAG(IPSET_OPT_CADT_FLAGS)\
+	| IPSET_FLAG(IPSET_OPT_BEFORE))
+
+struct ipset_data;
+
+extern void ipset_strlcpy(char *dst, const char *src, size_t len);
+extern bool ipset_data_flags_test(const struct ipset_data *data,
+				  uint64_t flags);
+extern void ipset_data_flags_set(struct ipset_data *data, uint64_t flags);
+extern void ipset_data_flags_unset(struct ipset_data *data, uint64_t flags);
+extern bool ipset_data_ignored(struct ipset_data *data, enum ipset_opt opt);
+
+extern int ipset_data_set(struct ipset_data *data, enum ipset_opt opt,
+			  const void *value);
+extern const void * ipset_data_get(const struct ipset_data *data,
+				   enum ipset_opt opt);
+
+static inline bool
+ipset_data_test(const struct ipset_data *data, enum ipset_opt opt)
+{
+	return ipset_data_flags_test(data, IPSET_FLAG(opt));
+}
+
+/* Shortcuts */
+extern const char * ipset_data_setname(const struct ipset_data *data);
+extern uint8_t ipset_data_family(const struct ipset_data *data);
+extern uint8_t ipset_data_cidr(const struct ipset_data *data);
+extern uint64_t ipset_data_flags(const struct ipset_data *data);
+
+extern void ipset_data_reset(struct ipset_data *data);
+extern struct ipset_data * ipset_data_init(void);
+extern void ipset_data_fini(struct ipset_data *data);
+
+extern size_t ipset_data_sizeof(enum ipset_opt opt, uint8_t family);
+
+#endif /* LIBIPSET_DATA_H */

extensions/ipset-5/include/libipset/debug.h

@@ -0,0 +1,33 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_DEBUG_H
+#define LIBIPSET_DEBUG_H
+
+#ifdef IPSET_DEBUG
+#include <stdio.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#define D(fmt, args...) \
+	fprintf(stderr, "%s: %s: " fmt "\n", __FILE__, __FUNCTION__ , ## args)
+#define IF_D(test, fmt, args...) \
+	if (test)		 \
+		D(fmt , ## args)
+
+static inline void
+dump_nla(struct  nlattr *nla[], int maxlen)
+{
+	int i;
+	for (i = 0; i < maxlen; i++)
+		D("nla[%u] does%s exist", i, nla[i] ? "" : " NOT");
+}
+#else
+#define D(fmt, args...)
+#define IF_D(test, fmt, args...)
+#define dump_nla(nla, maxlen)
+#endif
+
+#endif /* LIBIPSET_DEBUG_H */

extensions/ipset-5/include/libipset/errcode.h

@@ -0,0 +1,24 @@
+/* Copyright 2007-2008 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_ERRCODE_H
+#define LIBIPSET_ERRCODE_H
+
+#include <libipset/linux_ip_set.h>		/* enum ipset_cmd */
+
+struct ipset_session;
+
+/* Kernel error code to message table */
+struct ipset_errcode_table {
+	int errcode;				/* error code returned by the kernel */
+	enum ipset_cmd cmd;			/* issued command */
+	const char *message;			/* error message the code translated to */
+};
+
+extern int ipset_errcode(struct ipset_session *session, enum ipset_cmd cmd,
+			 int errcode);
+
+#endif /* LIBIPSET_ERRCODE_H */

extensions/ipset-5/include/libipset/icmp.h

@@ -0,0 +1,16 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_ICMP_H
+#define LIBIPSET_ICMP_H
+
+#include <stdint.h>				/* uintxx_t */
+
+extern const char * id_to_icmp(uint8_t id);
+extern const char * icmp_to_name(uint8_t type, uint8_t code);
+extern int name_to_icmp(const char *str, uint16_t *typecode);
+
+#endif /* LIBIPSET_ICMP_H */

extensions/ipset-5/include/libipset/icmpv6.h

@@ -0,0 +1,16 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_ICMPV6_H
+#define LIBIPSET_ICMPV6_H
+
+#include <stdint.h>				/* uintxx_t */
+
+extern const char * id_to_icmpv6(uint8_t id);
+extern const char * icmpv6_to_name(uint8_t type, uint8_t code);
+extern int name_to_icmpv6(const char *str, uint16_t *typecode);
+
+#endif /* LIBIPSET_ICMPV6_H */

extensions/ipset-5/include/libipset/linux_ip_set.h

@@ -0,0 +1,163 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+/* The protocol version */
+#define IPSET_PROTOCOL		5
+
+/* The max length of strings including NUL: set and type identifiers */
+#define IPSET_MAXNAMELEN	32
+
+/* Message types and commands */
+enum ipset_cmd {
+	IPSET_CMD_NONE,
+	IPSET_CMD_PROTOCOL,	/* 1: Return protocol version */
+	IPSET_CMD_CREATE,	/* 2: Create a new (empty) set */
+	IPSET_CMD_DESTROY,	/* 3: Destroy a (empty) set */
+	IPSET_CMD_FLUSH,	/* 4: Remove all elements from a set */
+	IPSET_CMD_RENAME,	/* 5: Rename a set */
+	IPSET_CMD_SWAP,		/* 6: Swap two sets */
+	IPSET_CMD_LIST,		/* 7: List sets */
+	IPSET_CMD_SAVE,		/* 8: Save sets */
+	IPSET_CMD_ADD,		/* 9: Add an element to a set */
+	IPSET_CMD_DEL,		/* 10: Delete an element from a set */
+	IPSET_CMD_TEST,		/* 11: Test an element in a set */
+	IPSET_CMD_HEADER,	/* 12: Get set header data only */
+	IPSET_CMD_TYPE,		/* 13: Get set type */
+	IPSET_MSG_MAX,		/* Netlink message commands */
+
+	/* Commands in userspace: */
+	IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
+	IPSET_CMD_HELP,		/* 15: Get help */
+	IPSET_CMD_VERSION,	/* 16: Get program version */
+	IPSET_CMD_QUIT,		/* 17: Quit from interactive mode */
+
+	IPSET_CMD_MAX,
+
+	IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
+};
+
+/* Attributes at command level */
+enum {
+	IPSET_ATTR_UNSPEC,
+	IPSET_ATTR_PROTOCOL,	/* 1: Protocol version */
+	IPSET_ATTR_SETNAME,	/* 2: Name of the set */
+	IPSET_ATTR_TYPENAME,	/* 3: Typename */
+	IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
+	IPSET_ATTR_REVISION,	/* 4: Settype revision */
+	IPSET_ATTR_FAMILY,	/* 5: Settype family */
+	IPSET_ATTR_FLAGS,	/* 6: Flags at command level */
+	IPSET_ATTR_DATA,	/* 7: Nested attributes */
+	IPSET_ATTR_ADT,		/* 8: Multiple data containers */
+	IPSET_ATTR_LINENO,	/* 9: Restore lineno */
+	IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
+	IPSET_ATTR_REVISION_MIN	= IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
+	__IPSET_ATTR_CMD_MAX,
+};
+#define IPSET_ATTR_CMD_MAX	(__IPSET_ATTR_CMD_MAX - 1)
+
+/* CADT specific attributes */
+enum {
+	IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
+	IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
+	IPSET_ATTR_IP_TO,	/* 2 */
+	IPSET_ATTR_CIDR,	/* 3 */
+	IPSET_ATTR_PORT,	/* 4 */
+	IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
+	IPSET_ATTR_PORT_TO,	/* 5 */
+	IPSET_ATTR_TIMEOUT,	/* 6 */
+	IPSET_ATTR_PROTO,	/* 7 */
+	IPSET_ATTR_CADT_FLAGS,	/* 8 */
+	IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,	/* 9 */
+	/* Reserve empty slots */
+	IPSET_ATTR_CADT_MAX = 16,
+	/* Create-only specific attributes */
+	IPSET_ATTR_GC,
+	IPSET_ATTR_HASHSIZE,
+	IPSET_ATTR_MAXELEM,
+	IPSET_ATTR_NETMASK,
+	IPSET_ATTR_PROBES,
+	IPSET_ATTR_RESIZE,
+	IPSET_ATTR_SIZE,
+	/* Kernel-only */
+	IPSET_ATTR_ELEMENTS,
+	IPSET_ATTR_REFERENCES,
+	IPSET_ATTR_MEMSIZE,
+
+	__IPSET_ATTR_CREATE_MAX,
+};
+#define IPSET_ATTR_CREATE_MAX	(__IPSET_ATTR_CREATE_MAX - 1)
+
+/* ADT specific attributes */
+enum {
+	IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
+	IPSET_ATTR_NAME,
+	IPSET_ATTR_NAMEREF,
+	IPSET_ATTR_IP2,
+	IPSET_ATTR_CIDR2,
+	__IPSET_ATTR_ADT_MAX,
+};
+#define IPSET_ATTR_ADT_MAX	(__IPSET_ATTR_ADT_MAX - 1)
+
+/* IP specific attributes */
+enum {
+	IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
+	IPSET_ATTR_IPADDR_IPV6,
+	__IPSET_ATTR_IPADDR_MAX,
+};
+#define IPSET_ATTR_IPADDR_MAX	(__IPSET_ATTR_IPADDR_MAX - 1)
+
+/* Error codes */
+enum ipset_errno {
+	IPSET_ERR_PRIVATE = 128,
+	IPSET_ERR_PROTOCOL,
+	IPSET_ERR_FIND_TYPE,
+	IPSET_ERR_MAX_SETS,
+	IPSET_ERR_BUSY,
+	IPSET_ERR_EXIST_SETNAME2,
+	IPSET_ERR_TYPE_MISMATCH,
+	IPSET_ERR_EXIST,
+	IPSET_ERR_INVALID_CIDR,
+	IPSET_ERR_INVALID_NETMASK,
+	IPSET_ERR_INVALID_FAMILY,
+	IPSET_ERR_TIMEOUT,
+	IPSET_ERR_REFERENCED,
+	IPSET_ERR_IPADDR_IPV4,
+	IPSET_ERR_IPADDR_IPV6,
+
+	/* Type specific error codes */
+	IPSET_ERR_TYPE_SPECIFIC = 160,
+};
+
+/* Flags at command level */
+enum ipset_cmd_flags {
+	IPSET_FLAG_BIT_EXIST	= 0,
+	IPSET_FLAG_EXIST	= (1 << IPSET_FLAG_BIT_EXIST),
+};
+
+/* Flags at CADT attribute level */
+enum ipset_cadt_flags {
+	IPSET_FLAG_BIT_BEFORE	= 0,
+	IPSET_FLAG_BEFORE	= (1 << IPSET_FLAG_BIT_BEFORE),
+};
+
+/* Commands with settype-specific attributes */
+enum ipset_adt {
+	IPSET_ADD,
+	IPSET_DEL,
+	IPSET_TEST,
+	IPSET_ADT_MAX,
+	IPSET_CREATE = IPSET_ADT_MAX,
+	IPSET_CADT_MAX,
+};
+
+#endif /* __IP_SET_H */

extensions/ipset-5/include/libipset/linux_ip_set_bitmap.h

@@ -0,0 +1,12 @@
+#ifndef __IP_SET_BITMAP_H
+#define __IP_SET_BITMAP_H
+
+/* Bitmap type specific error codes */
+enum {
+	/* The element is out of the range of the set */
+	IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
+	/* The range exceeds the size limit of the set type */
+	IPSET_ERR_BITMAP_RANGE_SIZE,
+};
+
+#endif /* __IP_SET_BITMAP_H */

extensions/ipset-5/include/libipset/linux_ip_set_hash.h

@@ -0,0 +1,16 @@
+#ifndef __IP_SET_HASH_H
+#define __IP_SET_HASH_H
+
+/* Hash type specific error codes */
+enum {
+	/* Hash is full */
+	IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
+	/* Null-valued element */
+	IPSET_ERR_HASH_ELEM,
+	/* Invalid protocol */
+	IPSET_ERR_INVALID_PROTO,
+	/* Protocol missing but must be specified */
+	IPSET_ERR_MISSING_PROTO,
+};
+
+#endif /* __IP_SET_HASH_H */

extensions/ipset-5/include/libipset/linux_ip_set_list.h

@@ -0,0 +1,20 @@
+#ifndef __IP_SET_LIST_H
+#define __IP_SET_LIST_H
+
+/* List type specific error codes */
+enum {
+	/* Set name to be added/deleted/tested does not exist. */
+	IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
+	/* list:set type is not permitted to add */
+	IPSET_ERR_LOOP,
+	/* Missing reference set */
+	IPSET_ERR_BEFORE,
+	/* Reference set does not exist */
+	IPSET_ERR_NAMEREF,
+	/* Set is full */
+	IPSET_ERR_LIST_FULL,
+	/* Reference set is not added to the set */
+	IPSET_ERR_REF_EXIST,
+};
+
+#endif /* __IP_SET_LIST_H */

extensions/ipset-5/include/libipset/mnl.h

@@ -0,0 +1,29 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_MNL_H
+#define LIBIPSET_MNL_H
+
+#include <stdint.h>				/* uintxx_t */
+#include <libmnl/libmnl.h>			/* libmnl backend */
+
+#include <libipset/transport.h>			/* struct ipset_transport */
+
+#ifndef NFNETLINK_V0
+#define NFNETLINK_V0		0
+
+struct nfgenmsg {
+	uint8_t nfgen_family;
+	uint8_t version;
+	uint16_t res_id;
+};
+#endif
+
+extern int ipset_get_nlmsg_type(const struct nlmsghdr *nlh);
+
+extern const struct ipset_transport ipset_mnl_transport;
+
+#endif /* LIBIPSET_MNL_H */

extensions/ipset-5/include/libipset/nf_inet_addr.h

@@ -0,0 +1,22 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_NF_INET_ADDR_H
+#define LIBIPSET_NF_INET_ADDR_H
+
+#include <stdint.h>				/* uint32_t */
+#include <netinet/in.h>				/* struct in[6]_addr */
+
+/* The structure to hold IP addresses, same as in linux/netfilter.h */
+union nf_inet_addr {
+	uint32_t	all[4];
+	uint32_t	ip;
+	uint32_t	ip6[4];
+	struct in_addr	in;
+	struct in6_addr in6;
+};
+
+#endif /* LIBIPSET_NF_INET_ADDR_H */

extensions/ipset-5/include/libipset/parse.h

@@ -0,0 +1,96 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_PARSE_H
+#define LIBIPSET_PARSE_H
+
+#include <libipset/data.h>			/* enum ipset_opt */
+
+/* For parsing/printing data */
+#define IPSET_CIDR_SEPARATOR	"/"
+#define IPSET_RANGE_SEPARATOR	"-"
+#define IPSET_ELEM_SEPARATOR	","
+#define IPSET_NAME_SEPARATOR	","
+#define IPSET_PROTO_SEPARATOR	":"
+
+struct ipset_session;
+
+typedef int (*ipset_parsefn)(struct ipset_session *s,
+			     enum ipset_opt opt, const char *str);
+
+extern int ipset_parse_ether(struct ipset_session *session,
+                             enum ipset_opt opt, const char *str);
+extern int ipset_parse_port(struct ipset_session *session,
+			    enum ipset_opt opt, const char *str,
+			    const char *proto);
+extern int ipset_parse_tcpudp_port(struct ipset_session *session,
+				   enum ipset_opt opt, const char *str,
+				   const char *proto);
+extern int ipset_parse_tcp_port(struct ipset_session *session,
+				enum ipset_opt opt, const char *str);
+extern int ipset_parse_single_tcp_port(struct ipset_session *session,
+				       enum ipset_opt opt, const char *str);
+extern int ipset_parse_proto(struct ipset_session *session,
+                             enum ipset_opt opt, const char *str);
+extern int ipset_parse_icmp(struct ipset_session *session,
+                            enum ipset_opt opt, const char *str);
+extern int ipset_parse_icmpv6(struct ipset_session *session,
+                              enum ipset_opt opt, const char *str);
+extern int ipset_parse_proto_port(struct ipset_session *session,
+				  enum ipset_opt opt, const char *str);
+extern int ipset_parse_family(struct ipset_session *session,
+                              enum ipset_opt opt, const char *str);
+extern int ipset_parse_ip(struct ipset_session *session,
+                          enum ipset_opt opt, const char *str);
+extern int ipset_parse_single_ip(struct ipset_session *session,
+				 enum ipset_opt opt, const char *str);
+extern int ipset_parse_net(struct ipset_session *session,
+                           enum ipset_opt opt, const char *str);
+extern int ipset_parse_range(struct ipset_session *session,
+                             enum ipset_opt opt, const char *str);
+extern int ipset_parse_netrange(struct ipset_session *session,
+				enum ipset_opt opt, const char *str);
+extern int ipset_parse_iprange(struct ipset_session *session,
+			       enum ipset_opt opt, const char *str);
+extern int ipset_parse_ipnet(struct ipset_session *session,
+			     enum ipset_opt opt, const char *str);
+extern int ipset_parse_ip4_single6(struct ipset_session *session,
+				enum ipset_opt opt, const char *str);
+extern int ipset_parse_name(struct ipset_session *session,
+                            enum ipset_opt opt, const char *str);
+extern int ipset_parse_before(struct ipset_session *session,
+                              enum ipset_opt opt, const char *str);
+extern int ipset_parse_after(struct ipset_session *session,
+                             enum ipset_opt opt, const char *str);
+extern int ipset_parse_setname(struct ipset_session *session,
+                               enum ipset_opt opt, const char *str);
+extern int ipset_parse_uint32(struct ipset_session *session,
+                              enum ipset_opt opt, const char *str);
+extern int ipset_parse_uint8(struct ipset_session *session,
+                             enum ipset_opt opt, const char *str);
+extern int ipset_parse_netmask(struct ipset_session *session,
+                               enum ipset_opt opt, const char *str);
+extern int ipset_parse_flag(struct ipset_session *session,
+                            enum ipset_opt opt, const char *str);
+extern int ipset_parse_typename(struct ipset_session *session,
+				enum ipset_opt opt, const char *str);
+extern int ipset_parse_output(struct ipset_session *session,
+                              int opt, const char *str);
+extern int ipset_parse_ignored(struct ipset_session *session,
+                               enum ipset_opt opt, const char *str);
+extern int ipset_parse_elem(struct ipset_session *session,
+                            enum ipset_opt opt, const char *str);
+extern int ipset_call_parser(struct ipset_session *session,
+			     ipset_parsefn parse, const char *optstr,
+			     enum ipset_opt optional, const char *str);
+
+/* Compatibility parser functions */
+extern int ipset_parse_iptimeout(struct ipset_session *session,
+				 enum ipset_opt opt, const char *str);
+extern int ipset_parse_name_compat(struct ipset_session *session,
+				   enum ipset_opt opt, const char *str);
+
+#endif /* LIBIPSET_PARSE_H */

extensions/ipset-5/include/libipset/pfxlen.h

@@ -0,0 +1,157 @@
+#ifndef _NET_PFXLEN_H
+#define _NET_PFXLEN_H 1
+
+#include <asm/byteorder.h>
+#ifdef HAVE_PFXLEN_H
+#include <linux/netfilter/pfxlen.h>
+#else
+
+#include <libipset/nf_inet_addr.h>	/* union nf_inet_addr */
+
+#define E(a, b, c, d) \
+	{.ip6 = { \
+		__constant_htonl(a), __constant_htonl(b), \
+		__constant_htonl(c), __constant_htonl(d), \
+	}}
+
+/*
+ * This table works for both IPv4 and IPv6;
+ * just use prefixlen_netmask_map[prefixlength].ip.
+ */
+const union nf_inet_addr prefixlen_netmask_map[] = {
+	E(0x00000000, 0x00000000, 0x00000000, 0x00000000),
+	E(0x80000000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xC0000000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xE0000000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xF0000000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xF8000000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFC000000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFE000000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFF000000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFF800000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE),
+	E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF),
+};
+#endif /* !HAVE_PFXLEN_H */
+
+#define PFXLEN(n)	prefixlen_netmask_map[n].ip
+#define PFXLEN6(n)	prefixlen_netmask_map[n].ip6
+
+#endif

extensions/ipset-5/include/libipset/print.h

@@ -0,0 +1,65 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_PRINT_H
+#define LIBIPSET_PRINT_H
+
+#include <libipset/data.h>			/* enum ipset_opt */
+
+typedef int (*ipset_printfn)(char *buf, unsigned int len,
+			     const struct ipset_data *data,
+			     enum ipset_opt opt, uint8_t env);
+
+extern int ipset_print_ether(char *buf, unsigned int len,
+			     const struct ipset_data *data,
+			     enum ipset_opt opt, uint8_t env);
+extern int ipset_print_family(char *buf, unsigned int len,
+			      const struct ipset_data *data,
+			      enum ipset_opt opt, uint8_t env);
+extern int ipset_print_type(char *buf, unsigned int len,
+			    const struct ipset_data *data,
+			    enum ipset_opt opt, uint8_t env);
+extern int ipset_print_ip(char *buf, unsigned int len,
+			  const struct ipset_data *data,
+			  enum ipset_opt opt, uint8_t env);
+extern int ipset_print_ipaddr(char *buf, unsigned int len,
+			      const struct ipset_data *data,
+			      enum ipset_opt opt, uint8_t env);
+extern int ipset_print_number(char *buf, unsigned int len,
+			      const struct ipset_data *data,
+			      enum ipset_opt opt, uint8_t env);
+extern int ipset_print_name(char *buf, unsigned int len,
+			    const struct ipset_data *data,
+			    enum ipset_opt opt, uint8_t env);
+extern int ipset_print_port(char *buf, unsigned int len,
+			    const struct ipset_data *data,
+			    enum ipset_opt opt, uint8_t env);
+extern int ipset_print_proto(char *buf, unsigned int len,
+			     const struct ipset_data *data,
+			     enum ipset_opt opt, uint8_t env);
+extern int ipset_print_icmp(char *buf, unsigned int len,
+			    const struct ipset_data *data,
+			    enum ipset_opt opt, uint8_t env);
+extern int ipset_print_icmpv6(char *buf, unsigned int len,
+			      const struct ipset_data *data,
+			      enum ipset_opt opt, uint8_t env);
+extern int ipset_print_proto_port(char *buf, unsigned int len,
+				  const struct ipset_data *data,
+				  enum ipset_opt opt, uint8_t env);
+extern int ipset_print_flag(char *buf, unsigned int len,
+			    const struct ipset_data *data,
+			    enum ipset_opt opt, uint8_t env);
+extern int ipset_print_elem(char *buf, unsigned int len,
+			    const struct ipset_data *data,
+			    enum ipset_opt opt, uint8_t env);
+
+#define ipset_print_portnum	ipset_print_number
+
+extern int ipset_print_data(char *buf, unsigned int len,
+			    const struct ipset_data *data,
+			    enum ipset_opt opt, uint8_t env);
+
+#endif /* LIBIPSET_PRINT_H */

extensions/ipset-5/include/libipset/session.h

@@ -0,0 +1,94 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_SESSION_H
+#define LIBIPSET_SESSION_H
+
+#include <stdbool.h>				/* bool */
+#include <stdint.h>				/* uintxx_t */
+#include <stdio.h>				/* printf */
+
+#include <libipset/linux_ip_set.h>		/* enum ipset_cmd */
+
+/* Report and output buffer sizes */
+#define IPSET_ERRORBUFLEN		1024
+#define IPSET_OUTBUFLEN			8192
+
+struct ipset_session;
+struct ipset_data;
+struct ipset_handle;
+
+extern struct ipset_data * ipset_session_data(const struct ipset_session *session);
+extern struct ipset_handle * ipset_session_handle(const struct ipset_session *session);
+extern const struct ipset_type * ipset_saved_type(const struct ipset_session *session);
+
+enum ipset_err_type {
+	IPSET_ERROR,
+	IPSET_WARNING,
+};
+
+extern int ipset_session_report(struct ipset_session *session,
+				enum ipset_err_type type,
+				const char *fmt, ...);
+
+#define ipset_err(session, fmt, args...) \
+	ipset_session_report(session, IPSET_ERROR, fmt , ## args)
+
+#define ipset_warn(session, fmt, args...) \
+	ipset_session_report(session, IPSET_WARNING, fmt , ## args)
+
+#define ipset_errptr(session, fmt, args...) ({				\
+	ipset_session_report(session, IPSET_ERROR, fmt , ## args);	\
+	NULL;								\
+})
+
+extern void ipset_session_report_reset(struct ipset_session *session);
+extern const char * ipset_session_error(const struct ipset_session *session);
+extern const char * ipset_session_warning(const struct ipset_session *session);
+
+#define ipset_session_data_set(session, opt, value)	\
+	ipset_data_set(ipset_session_data(session), opt, value)
+#define ipset_session_data_get(session, opt)		\
+	ipset_data_get(ipset_session_data(session), opt)
+
+/* Environment option flags */
+enum ipset_envopt {
+	IPSET_ENV_BIT_SORTED	= 0,
+	IPSET_ENV_SORTED	= (1 << IPSET_ENV_BIT_SORTED),
+	IPSET_ENV_BIT_QUIET	= 1,
+	IPSET_ENV_QUIET		= (1 << IPSET_ENV_BIT_QUIET),
+	IPSET_ENV_BIT_RESOLVE	= 2,
+	IPSET_ENV_RESOLVE	= (1 << IPSET_ENV_BIT_RESOLVE),
+	IPSET_ENV_BIT_EXIST	= 3,
+	IPSET_ENV_EXIST		= (1 << IPSET_ENV_BIT_EXIST),
+};
+
+extern int ipset_envopt_parse(struct ipset_session *session,
+			      int env, const char *str);
+extern bool ipset_envopt_test(struct ipset_session *session,
+			      enum ipset_envopt env);
+
+enum ipset_output_mode {
+	IPSET_LIST_NONE,
+	IPSET_LIST_PLAIN,
+	IPSET_LIST_SAVE,
+	IPSET_LIST_XML,
+};
+
+extern int ipset_session_output(struct ipset_session *session,
+				enum ipset_output_mode mode);
+
+extern int ipset_commit(struct ipset_session *session);
+extern int ipset_cmd(struct ipset_session *session, enum ipset_cmd cmd,
+		     uint32_t lineno);
+
+typedef int (*ipset_outfn)(const char *fmt, ...)
+	__attribute__ ((format (printf, 1, 2)));
+
+extern struct ipset_session * ipset_session_init(ipset_outfn outfn);
+extern int ipset_session_fini(struct ipset_session *session);
+
+#endif /* LIBIPSET_SESSION_H */

extensions/ipset-5/include/libipset/transport.h

@@ -0,0 +1,27 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_TRANSPORT_H
+#define LIBIPSET_TRANSPORT_H
+
+#include <stdint.h>				/* uintxx_t */
+#include <linux/netlink.h>			/* struct nlmsghdr  */
+
+#include <libmnl/libmnl.h>			/* mnl_cb_t */
+
+#include <libipset/linux_ip_set.h> 		/* enum ipset_cmd */
+
+struct ipset_handle;
+
+struct ipset_transport {
+	struct ipset_handle * (*init)(mnl_cb_t *cb_ctl, void *data);
+	int (*fini)(struct ipset_handle *handle);
+	void (*fill_hdr)(struct ipset_handle *handle, enum ipset_cmd cmd,
+			 void *buffer, size_t len, uint8_t envflags);
+	int (*query)(struct ipset_handle *handle, void *buffer, size_t len);
+};
+
+#endif /* LIBIPSET_TRANSPORT_H */

extensions/ipset-5/include/libipset/types.h

@@ -0,0 +1,110 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_TYPES_H
+#define LIBIPSET_TYPES_H
+
+#include <stddef.h>				/* NULL */
+#include <stdint.h>				/* uintxx_t */
+
+#include <libipset/data.h>			/* enum ipset_opt */
+#include <libipset/parse.h>			/* ipset_parsefn */
+#include <libipset/print.h>			/* ipset_printfn */
+#include <libipset/linux_ip_set.h>		/* IPSET_MAXNAMELEN */
+
+#define AF_INET46		255
+
+/* Family rules:
+ * - AF_UNSPEC:	type is family-neutral
+ * - AF_INET:	type supports IPv4 only
+ * - AF_INET6:	type supports IPv6 only
+ * - AF_INET46:	type supports both IPv4 and IPv6
+ */
+
+/* Set dimensions */
+enum {
+	IPSET_DIM_ONE,			/* foo */
+	IPSET_DIM_TWO,			/* foo,bar */
+	IPSET_DIM_THREE,		/* foo,bar,fie */
+	IPSET_DIM_MAX,
+};
+
+/* Parser options */
+enum {
+	IPSET_NO_ARG = -1,
+	IPSET_OPTIONAL_ARG,
+	IPSET_MANDATORY_ARG,
+	IPSET_MANDATORY_ARG2,
+};
+
+struct ipset_session;
+
+/* Parse and print type-specific arguments */
+struct ipset_arg {
+	const char *name[2];		/* option names */
+	int has_arg;			/* mandatory/optional/no arg */
+	enum ipset_opt opt;		/* argumentum type */
+	ipset_parsefn parse;		/* parser function */
+	ipset_printfn print;		/* printing function */
+};
+
+/* Type check against the kernel */
+enum {
+	IPSET_KERNEL_MISMATCH = -1,
+	IPSET_KERNEL_CHECK_NEEDED,
+	IPSET_KERNEL_OK,
+};
+
+/* How element parts are parsed */
+struct ipset_elem {
+	ipset_parsefn parse;			/* elem parser function */
+	ipset_printfn print;			/* elem print function */
+	enum ipset_opt opt;			/* elem option */
+};
+
+/* The set types in userspace
+ * we could collapse 'args' and 'mandatory' to two-element lists
+ * but for the readability the full list is supported.
+  */
+struct ipset_type {
+	char name[IPSET_MAXNAMELEN];		/* type name */
+	uint8_t revision;			/* revision number */
+	uint8_t family;				/* supported family */
+	uint8_t dimension;			/* elem dimension */
+	int8_t kernel_check;			/* kernel check */
+	bool last_elem_optional;		/* last element optional */
+	struct ipset_elem elem[IPSET_DIM_MAX];	/* parse elem */
+	ipset_parsefn compat_parse_elem;	/* compatibility parser */
+	const struct ipset_arg *args[IPSET_CADT_MAX]; /* create/ADT args besides elem */
+	uint64_t mandatory[IPSET_CADT_MAX];	/* create/ADT mandatory flags */
+	uint64_t full[IPSET_CADT_MAX];		/* full args flags */
+	const char *usage;			/* terse usage */
+	void (*usagefn)(void);			/* additional usage */
+
+	struct ipset_type *next;
+	const char *alias[];			/* name alias(es) */
+};
+
+extern int ipset_cache_add(const char *name, const struct ipset_type *type,
+			   uint8_t family);
+extern int ipset_cache_del(const char *name);
+extern int ipset_cache_rename(const char *from, const char *to);
+extern int ipset_cache_swap(const char *from, const char *to);
+
+extern int ipset_cache_init(void);
+extern void ipset_cache_fini(void);
+
+extern const struct ipset_type * ipset_type_get(struct ipset_session *session,
+						enum ipset_cmd cmd);
+extern const struct ipset_type * ipset_type_check(struct ipset_session *session);
+
+extern int ipset_type_add(struct ipset_type *type);
+extern const struct ipset_type * ipset_types(void);
+extern const char * ipset_typename_resolve(const char *str);
+extern bool ipset_match_typename(const char *str,
+				 const struct ipset_type *t);
+
+#endif /* LIBIPSET_TYPES_H */

extensions/ipset-5/include/libipset/ui.h

@@ -0,0 +1,44 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_UI_H
+#define LIBIPSET_UI_H
+
+#include <libipset/linux_ip_set.h>		/* enum ipset_cmd */
+
+/* Commands in userspace */
+struct ipset_commands {
+	enum ipset_cmd cmd;
+	int has_arg;
+	const char *name[2];
+	const char *help;
+};
+
+extern const struct ipset_commands ipset_commands[];
+
+struct ipset_session;
+struct ipset_data;
+
+/* Environment options */
+struct ipset_envopts {
+	int flag;
+	int has_arg;
+	const char *name[2];
+	const char *help;
+	int (*parse)(struct ipset_session *s, int flag, const char *str);
+	int (*print)(char *buf, unsigned int len,
+		     const struct ipset_data *data, int flag, uint8_t env);
+};
+
+extern const struct ipset_envopts ipset_envopts[];
+
+extern bool ipset_match_cmd(const char *arg, const char * const name[]);
+extern bool ipset_match_option(const char *arg, const char * const name[]);
+extern bool ipset_match_envopt(const char *arg, const char * const name[]);
+extern void ipset_shift_argv(int *argc, char *argv[], int from);
+extern void ipset_port_usage(void);
+
+#endif /* LIBIPSET_UI_H */

extensions/ipset-5/include/libipset/utils.h

@@ -0,0 +1,45 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License version 2 as 
+ * published by the Free Software Foundation.
+ */
+#ifndef LIBIPSET_UTILS_H
+#define LIBIPSET_UTILS_H
+
+#include <string.h>				/* strcmp */
+#include <netinet/in.h>				/* struct in[6]_addr */
+
+/* String equality tests */
+#define STREQ(a,b)		(strcmp(a,b) == 0)
+#define STRNEQ(a,b,n)		(strncmp(a,b,n) == 0)
+#define STRCASEQ(a,b)		(strcasecmp(a,b) == 0)
+#define STRNCASEQ(a,b,n)	(strncasecmp(a,b,n) == 0)
+
+/* Stringify tokens */
+#define _STR(c)			#c
+#define STR(c)			_STR(c)
+
+/* Min/max */
+#define MIN(a, b)		(a < b ? a : b)
+#define MAX(a, b)		(a > b ? a : b)
+
+#define UNUSED			__attribute__ ((unused))
+
+#ifndef ARRAY_SIZE
+#define ARRAY_SIZE(x)		(sizeof(x) / sizeof(*(x)))
+#endif
+
+static inline void
+in4cpy(struct in_addr *dest, const struct in_addr *src)
+{
+	dest->s_addr = src->s_addr;
+}
+
+static inline void
+in6cpy(struct in6_addr *dest, const struct in6_addr *src)
+{
+	memcpy(dest, src, sizeof(struct in6_addr));
+}
+
+#endif	/* LIBIPSET_UTILS_H */