anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-20 19:44:56 +02:00
Code Issues Releases Wiki Activity

Compare commits

base: anonfunc:v1.27
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0
...
compare: anonfunc:v1.33
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0

112 Commits
v1.27 ... v1.33

Author SHA1 Message Date
Jan Engelhardt
9f59f21614 Xtables-addons 1.33 2011-02-02 05:21:56 +01:00
Jan Engelhardt
7a8bfed52c xt_geoip: keep compiling for <= 2.6.23 2011-02-02 05:21:56 +01:00
Jan Engelhardt
1edc9b943b build: do not forget including path for compat_user.h 2011-02-02 05:15:09 +01:00
Jan Engelhardt
ebfa77795a build: preliminary support for iptables 1.4.11 2011-02-02 05:09:58 +01:00
Jan Engelhardt
4a8aa505c4 build: support for Linux up to 2.6.38 
No API changes that needed to be taken care of, so just bump the
version check in configure.ac.
 2011-02-02 04:59:58 +01:00
Jan Engelhardt
4654ee127f xt_DNETMAP: disable by default for now 
I wanted xt_DNETMAP to be included in the release already, though
because it only compiled with Linux >= 2.6.34 currently (some work
will be needed), deactive it by default.
 2011-02-02 04:55:34 +01:00
Jan Engelhardt
a7a77d7146 Merge branch 'dnetmap' 2011-02-02 04:54:25 +01:00
Jan Engelhardt
2a61ca7d4b build: fix missing inclusion of dependency rules 2011-02-02 04:53:30 +01:00
Jan Engelhardt
39de351a91 libxt_geoip: update manual page with new tool syntax 2011-02-02 04:51:38 +01:00
Jan Engelhardt
07bf41a294 Merge branch 'geoip' 2011-02-02 04:48:40 +01:00
Jan Engelhardt
07cd29d9ce xt_geoip: IPv6 support 2011-02-02 04:47:28 +01:00
Jan Engelhardt
eb9634aee6 xt_geoip: v4/v6 name preparations 2011-02-02 04:43:36 +01:00
Jan Engelhardt
19f241a09c xt_geoip: cleanups, preparations for IPv6 geoip 2011-02-02 01:55:09 +01:00
Jan Engelhardt
0a29c1d32f xt_DNETMAP: style considerations 
Clean up the files a bit. For one, break dangerously right-indented
function headers, and correct some spaces that should be tab.
 2011-01-27 03:23:22 +01:00
Jan Engelhardt
93a17fdde0 geoipdb builder: get rid of some global variables 2011-01-27 03:05:30 +01:00
Jan Engelhardt
80444b0d31 geoipdb builder: separate into functions 2011-01-27 03:02:39 +01:00
Jan Engelhardt
f180c0e5c6 geoipdb tools: IPv6 support 2011-01-27 02:57:00 +01:00
Jan Engelhardt
ca8ebe4467 Merge remote branch 'origin/master' 2011-01-22 18:10:18 +01:00
Jan Engelhardt
e82410735a xt_DNETMAP: use compat_xtables layer to run on older kernels 2011-01-22 18:09:15 +01:00
Jan Engelhardt
89e72bb0f4 doc: Add version information to README 2011-01-22 17:34:48 +01:00
Jan Engelhardt
77b9f2024c Merge branch 'account' 2011-01-22 17:34:43 +01:00
Jan Engelhardt
0edb572f6e ACCOUNT: update to 1.16 
There are no changes to integrate from ipt_ACCOUNT because xt_ACCOUT
already, by way of the compat_xtables layer, supports multiple kernel
versions.
 2011-01-22 17:34:06 +01:00
Jan Engelhardt
8b1ff64b8b Merge branch 'pknock' 2011-01-22 17:33:45 +01:00
Jan Engelhardt
ebb61aa3c9 pknock: resolve warnings about unused variables 2011-01-22 17:32:38 +01:00
Jan Engelhardt
bd2e6108f3 pknock: use build flags in pknock Makefile 2011-01-22 17:31:53 +01:00
Jan Engelhardt
288492c820 xt_DNETMAP: order mconfig 2011-01-22 17:24:51 +01:00
Jan Engelhardt
e425c8f277 xt_DNETMAP: use more appropriate format specifiers 
Substitute %i -> %d. Use %u for prefix length.
 2011-01-22 17:23:13 +01:00
Jan Engelhardt
e3e88827fb xt_DNETMAP: use permission mnemonic constants 2011-01-22 15:59:15 +01:00
Jan Engelhardt
6c709fd682 Merge branch 'ipset-5' 2011-01-22 15:56:57 +01:00
Jan Engelhardt
1b53724a61 ipset: update to 5.4.1 2011-01-22 15:56:44 +01:00
Jan Engelhardt
983b28fe8e Merge branch 'ipset-5' 2011-01-21 23:26:11 +01:00
Jan Engelhardt
3141b2ff86 ipset: update to 5.3 2011-01-19 02:55:23 +01:00
Jan Engelhardt
980a53348f build: use AM_CPPFLAGS in ipset-5/ 2011-01-19 02:36:26 +01:00
Jan Engelhardt
8ea781e257 build: fix objdir builds for ipset-5 (xt-a specific) 2011-01-19 02:35:49 +01:00
Jan Engelhardt
7e39ee66e0 libxt_length: fix name of manpage file 2011-01-15 05:23:38 +01:00
Jan Engelhardt
65e97a66e6 build: restore functionality of configure's --without-kbuild option 2011-01-13 20:25:00 +01:00
Jan Engelhardt
d82b20ead7 xt_LOGMARK: fix detection of untracked connection for Linux >= 2.6.36 2011-01-12 01:53:38 +01:00
Marek Kierdelewicz
c5d4dd0bcf Import of xt_DNETMAP 2011-01-10 22:59:32 +01:00
Jan Engelhardt
0168f8e8a2 doc: deprecate --with-xtlibdir configure option 2011-01-04 12:47:09 +01:00
Jan Engelhardt
dc22ec7bd1 build: mark Linux 2.6.37 as supported 2011-01-04 12:44:55 +01:00
Jan Engelhardt
80ded69d77 Xtables-addons 1.32 2011-01-04 04:37:58 +01:00
Jan Engelhardt
af1bfd7684 build: relax libmnl checks and document ipset requirements 2011-01-04 04:37:44 +01:00
Jan Engelhardt
b05712a14d Merge branch 'ipset' 2011-01-04 04:32:05 +01:00
Jan Engelhardt
7d8ffffd85 ipset: import ipset 5.2+GENL 
This requires Linux 2.6.35 or newer to build, so it is deactivated by
default in the "mconfig" file.
 2011-01-04 04:31:46 +01:00
Jan Engelhardt
75212f3972 ipset: move ipset to ipset-4 2011-01-04 03:59:25 +01:00
Jan Engelhardt
77027ff8d3 build: use AM_CPPFLAGS 2010-12-30 08:36:15 +01:00
Jan Engelhardt
e9a70bbf15 build: workaround fixdep permission error 
make -C ../../../linux-2.6.36-rc8-32
O=/usr/src/linux-2.6.36-rc8-32-obj/x86_64/desktop/. kernelrelease
  HOSTCC  scripts/basic/fixdep
/usr/src/linux-2.6.36-rc8-32/scripts/basic/fixdep.c:398:1:
fatal error: opening dependency file scripts/basic/.fixdep.d:
Permission denied
 2010-12-30 08:08:24 +01:00
Jan Engelhardt
25bf680ead geoip: put IPv4 geoip data into its own map 2010-12-19 00:48:42 +01:00
Jan Engelhardt
4d547c2bfc geoip: remove -b option, always build both endianesses 2010-12-17 22:47:01 +01:00
Jan Engelhardt
f7c7264a65 geoip: remove %names map 2010-12-17 22:41:08 +01:00
Jan Engelhardt
0f42828fd6 geoip: add manpages to utility programs 2010-12-17 22:29:54 +01:00
Jan Engelhardt
e2da87230a geoip: prefix tools with xt_ 
This is preferable to have when manpages go into system locations.
 2010-12-17 22:08:15 +01:00
Jan Engelhardt
1dc1ae3ec5 build: restore compilation of ipset, add missing CFLAGS 
ipset_iphash.c: In function "iphash_create_init":
ipset_iphash.c:42: error: "IP_NF_SET_HASHSIZE" undeclared (first use
in this function)
 2010-12-11 18:23:44 +01:00
Jan Engelhardt
3bbea41b30 build: pass down AM_CFLAGS to sub-makes 
Honor ipset/Makefile.am's AM_CFLAGS when compiling extensions.
 2010-12-11 18:23:21 +01:00
Jan Engelhardt
549508499c build: stop on error in subcommand 
make only evaluates $? of an entire shell invocation. As such, if any
command in the chain can fail, $? needs to be thrown, and early so.
 2010-12-11 03:36:46 +01:00
Jan Engelhardt
748498038a gradm: fix compile error - add missing include 
Hooray for 2.6.34 ALIGN bug still biting.

libxt_gradm.c:84: warning: implicit declaration of function 'ALIGN'
libxt_gradm.c:84: error: initializer element is not constant
libxt_gradm.c:84: error: (near initialization for 'gradm_mt_reg.size')
 2010-12-11 01:50:29 +01:00
Jan Engelhardt
3ee2b5fb93 doc: cleanup changelog (and use ISO-8601 format) 2010-12-04 16:38:30 +01:00
Jozsef Kadlecsik
5bcdf7f10e ipset: update to 4.5 2010-12-04 16:32:28 +01:00
Jan Engelhardt
6599996ccc build: remove unused -DXTABLES_LIBDIR from CFLAGS 2010-11-23 21:52:45 +01:00
Jan Engelhardt
bf8d44cca4 build: improve kernel version detection again 
Apparently people don't just begin the EXTRAVERSION with a dash.
So rewrite it all and throw out /anything/ non-numeric.
 2010-11-23 21:51:06 +01:00
Jan Engelhardt
1721b76a0f xt_geoip: update manpage with instructions for db build 2010-11-17 15:13:16 +01:00
Jan Engelhardt
81ad2519a9 Xtables-addons 1.31 2010-11-05 19:42:22 +01:00
Jan Engelhardt
f65ea59795 Merge branch 'gradm' 2010-11-03 23:58:59 +01:00
Jan Engelhardt
baf7b1091a Merge remote branch 'origin/iface' 2010-11-03 23:58:35 +01:00
Jan Engelhardt
2ae0413e31 build: properly detect versions like "2.6.36+" 2010-11-03 12:55:09 +01:00
Jan Engelhardt
db76ea9a5c xt_iface: allow matching against incoming/outgoing interface 2010-10-31 01:53:23 +02:00
Jan Engelhardt
3ed1a3cbf0 build: autodetect value for --with-xtlibdir 2010-10-31 01:01:13 +02:00
Anthony G. Basile
9c4c76f9e2 libxt_gradm: match packets based on status of grsecurity RBAC 
This patch adds a module which is useful to users of grsecurity's RBAC
system. It matches packets based on whether RBAC is enabled or
disabled.

See: http://grsecurity.net/

Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>

Jan Engelhardt> Also, I do not see a xt_gradm.c in this patch.

This [xt_gradm.c] is part of the grsecurity patch which not only adds
the Xtables code, but also the RBAC code. Without the entire RBAC
stuff, xt_gradm does not make sense and so it is included with the
grsecurity patch to the kernel, and not this patch to Xtables-addons.

>Can you elaborate a bit on how this is useful in conjunction with
>rulesets? I could imagine it be used with LSM selctx'es for example,
>or another extension that tests for other RBAC attributes.

The idea here is that when the RBAC rulesets are not being enforced,
the system is more vulnerable and the user wants stricter firewall
rules. When RBAC is being enforced, one can relax the firewall and
access to services which are now better protected. In practice this
usually means allowing only access to some trusted IP(s) on boot
before RBAC is turned on.
 2010-10-29 14:54:06 +02:00
Jan Engelhardt
7f33590df8 doc: update changelog 2010-10-29 14:48:27 +02:00
Jan Engelhardt
6733265358 xt_iface: reorder code for upcoming address checking 
From now on, info->flags lists the flags to test, not just the flags
to test positively for.
 2010-10-24 18:13:28 +02:00
Jan Engelhardt
f757049112 xt_iface: reduce indent by early return 2010-10-24 16:35:12 +02:00
Jan Engelhardt
21cdf786f7 xt_iface: move XT_IFACE_IFACE out of the public header 
This flag is only used by the userspace component, so remove it from
the kernel header. Also change the value to 1<<16 for the same reason.
 2010-10-24 16:31:26 +02:00
Jan Engelhardt
7c248871f8 build: respect LDFLAGS on make 
Without setting these variables, ./configure LDFLAGS=-m32
would have no effect.
 2010-10-20 19:20:34 +02:00
Jan Engelhardt
3500a38767 build: improve detection of kernel version and error handling 
Thanks to Arkadiusz Miskiewicz from PLD for reporting.

	make: *** kernelrelease: No such file or directory. Stop.
	Found kernel version "...0" in
	ERROR: That kernel version is not supported. Please see
	INSTALL for minimum configuration.
 2010-10-16 15:56:15 +02:00
Jan Engelhardt
cf9b60a57e ACCOUNT: remove uses of obsolete IPT_CONTINUE 
And replace by XT_CONTINUE, to avoid compilation errors in 2.6.37.
 2010-10-16 15:45:31 +02:00
Jan Engelhardt
e5eedb25c2 LOGMARK: print remaining ct lifetime 2010-10-12 17:29:26 +02:00
Jan Engelhardt
e3ae8dcb81 Xtables-addons 1.30 2010-10-02 00:41:47 +02:00
Jan Engelhardt
aca381d3b6 mconfig: deactivate building of xt_TEE and xt_CHECKSUM 2010-10-02 00:41:17 +02:00
Jan Engelhardt
bb15becc88 ipset: update to 4.4 2010-10-02 00:34:38 +02:00
Jan Engelhardt
14458b3a7e Xtables-addons 1.29 2010-09-29 02:51:48 +02:00
Jan Engelhardt
2d36632d4a build: add workaround for beoken linux-glibc-devel (2) 2010-09-29 02:51:26 +02:00
Jan Engelhardt
b5e2c7255a build: add workaround for broken linux-glibc-devel 2.6.34 userspace headers 2010-09-23 02:37:45 +02:00
Jan Engelhardt
376a89e7d1 build: support for Linux 2.6.36 2010-09-22 23:37:34 +02:00
Jan Engelhardt
03ec8a7696 TEE: resolve compile error with Linux 2.6.36-rc 
xt_TEE.c:54:19: error: request for member "dst" in something not a
structure or union
xt_TEE.c:55:20: error: "struct rtable" has no member named "u"

Linux kernel commit v2.6.36-rc1~571^2~616 changed this.
 2010-09-22 23:37:19 +02:00
Jan Engelhardt
442982f04e SYSRQ: resolve compile error with Linux 2.6.36-rc 
xt_SYSRQ.c:156:3: error: too many arguments to function 'handle_sysrq'

Linux kernel commit v2.6.36-rc3~19^2~5 changed it and finally removed
the last unused argument.
 2010-09-22 23:37:02 +02:00
Jan Engelhardt
98b853cea3 ipset: update to 4.3+git3 2010-09-22 22:41:24 +02:00
Jan Engelhardt
59401339b8 ipset: bump version number 
Basically Xtables-addons's copy of ipset is already functionally equal
to ipset 4.3 thanks to our compat_xtables layer (and our modifications
in ipset/ to use it).
 2010-09-22 22:32:50 +02:00
Jan Engelhardt
121836ce80 ipset: enable building of ip_set_ipport{ip,net}hash.ko 2010-09-22 22:30:58 +02:00
Jan Engelhardt
c23df41f6e compat_xtables: return bool for match_check and target_check (doc) 2010-09-22 22:30:10 +02:00
Jan Engelhardt
fb2eea69af compat_xtables: return bool for match_check and target_check in 2.6.23..34 
Reported-by: Tomasz Pala <gotar@polanet.pl>
 2010-09-01 15:02:04 +02:00
Jan Engelhardt
4815e3a8a6 doc: add API helper files 
These files should be a very quick reference to the Xtables APIs of
previous Linux kernel versions and Xtables-addons. Their contents have
been reformatted so as to be usable with diff -u.
 2010-09-01 12:06:27 +02:00
Jan Engelhardt
f9922c6f85 configure: pkglibexecdir requires automake >= 1.10.2 2010-08-28 13:56:12 +02:00
Jan Engelhardt
24491d55d7 Xtables-addons 1.28 2010-07-24 11:33:11 +02:00
Jan Engelhardt
7ab69a17fa geoip: add -D option to geoip_build_dir.pl 
This option allows to specify a particular output directory. This help
Makefiles in that they do not need to use cd.
 2010-07-24 11:22:37 +02:00
Jan Engelhardt
d2339410b2 geoip: add .gitignore 2010-07-24 11:22:37 +02:00
Jan Engelhardt
649caf61e8 geoip: rename original script to build_db 2010-07-24 11:22:37 +02:00
Jan Engelhardt
922a9be87d geoip: import scripts for building the xt_geoip database 2010-07-24 11:22:33 +02:00
Jan Engelhardt
4d48511f01 xt_length2: IPv6 jumbogram support 2010-07-24 10:57:03 +02:00
Jan Engelhardt
6dedbef3d4 doc: keep manpage ordered 
`find` could return entries out of order.
 2010-07-19 11:14:29 +02:00
Patrick McHardy
fe49f9b6a4 xt_CHECKSUM: use xtables_param_act 2010-07-15 12:21:16 +02:00
Patrick McHardy
283974cbbe xt_CHECKSUM: only use __u* in public header files 2010-07-15 12:21:16 +02:00
Patrick McHardy
7deca86132 xt_CHECKSUM: remove unnecessary header inclusions 2010-07-15 12:21:16 +02:00
Jan Engelhardt
7d6435f422 doc: update geoip db url 
My hopto.org zone disappeared after I left it unattended...
 2010-07-12 00:49:23 +02:00
Jan Engelhardt
748f5cfdd0 xt_CHECKSUM: remove pointless $ 2010-07-11 17:59:47 +02:00
Michael S. Tsirkin
d402cec807 xt_CHECKSUM: initial import 
This adds a "CHECKSUM" target, which can be used in the iptables mangle
table.

You can use this target to compute and fill in the checksum in a packet
that lacks a checksum. This is particularly useful, if you need to work
around old applications such as dhcp clients, that do not work well with
checksum offloads, but don't want to disable checksum offload in your
device.

The problem happens in the field with virtualized applications. For
reference, see Red Hat bz 605555, as well as
http://www.spinics.net/lists/kvm/msg37660.html

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 2010-07-11 17:54:54 +02:00
John Haxby
b42190c04b xt_SYSRQ: fix a couple of problems 
The first problem is that the error response from crypto_alloc_hash()
should be extracted from the pointer before setting the pointer to NULL.

The second error is that only the first half of the password hash is
checked which slightly weakens the password checking.

Signed-off-by: John Haxby <john.haxby@oracle.com>
 2010-06-25 12:20:26 +02:00
Jan Engelhardt
4dcefe4b95 xt_geoip: fix possible out-of-bounds access 
It is possible for geoip_bsearch() to pick mid == sizeof(subnets).

Consider a set with a single entry and a "address to test"
higher than the range:

1st call: lo = 0, hi = 1 -> mid will be 0
2nd call: lo = 1, hi = 1 -> mid will be 1

On the 2nd call, we'll examine random data.

Reported-by: Florian Westphal <fw@strlen.de>
 2010-06-13 10:40:07 +02:00
Jan Engelhardt
a2662b0121 RAWNAT: IPv6 variants erroneously rejected masks /33-/128 2010-06-12 09:23:59 +02:00
Jan Engelhardt
03354eed44 build: make configure CFLAGS=-ggdb3 have effect on .so files 2010-06-12 09:22:35 +02:00
Changli Gao
ddda6972a4 RAWNAT: fix incorrect mask in rawnat_ipv6_mask 
I really think it is a typo mistake. :)

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
 2010-05-29 12:35:14 +02:00
Jan Engelhardt
8e7359bb92 Merge remote branch 'sf/master' 2010-05-29 10:16:04 +02:00
Jan Engelhardt
40786af1c0 build: update tarball target 2010-05-19 19:32:28 +02:00
212 changed files with 24938 additions and 397 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -3,6 +3,7 @@
*.loT
*.o
.deps
.dirstamp
.libs
Makefile
Makefile.in

19
INSTALL
View File

@@ -4,7 +4,7 @@ Installation instructions for Xtables-addons
Xtables-addons uses the well-known configure(autotools) infrastructure
in combination with the kernel's Kbuild system.
$ ./configure --with-xtlibdir=SEE_BELOW
$ ./configure
$ make
# make install
@@ -28,6 +28,12 @@ Extra notes:
* requires that no vendor backports interfere
For ipset-5 you need:
* libmnl
* Linux kernel >= 2.6.35
Selecting extensions
====================
@@ -54,11 +60,12 @@ Configuring and compiling
--with-xtlibdir=
Specifies the path to where the newly built extensions should
be installed when `make install` is run. It uses the same
default as the Xtables/iptables package, ${libexecdir}/xtables,
but you may need to specify this nevertheless, as autotools
defaults to using /usr/local as prefix, and distributions put
the files in differing locations.
be installed when `make install` is run. The default is to
use the same path that Xtables/iptables modules use, as
determined by `pkg-config xtables --variable xtlibdir`.
Thus, this option normally does NOT need to be specified
anymore, even if your distribution put modules in a strange
location.
If you want to enable debugging, use

2
Makefile.am
View File

@@ -1,7 +1,7 @@
# -*- Makefile -*-
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = extensions
SUBDIRS = extensions geoip
man_MANS := xtables-addons.8

2
Makefile.extra
View File

@@ -1,6 +1,8 @@
# -*- Makefile -*-
# AUTOMAKE
export AM_CPPFLAGS
export AM_CFLAGS
XA_SRCDIR = ${srcdir}
XA_TOPSRCDIR = ${top_srcdir}
XA_ABSTOPSRCDIR = ${abs_top_srcdir}

14
Makefile.iptrules.in
View File

@@ -1,6 +1,8 @@
# -*- Makefile -*-
# MANUAL
abs_top_srcdir = @abs_top_srcdir@
prefix = @prefix@
exec_prefix = @exec_prefix@
libexecdir = @libexecdir@
@@ -8,11 +10,11 @@ xtlibdir = @xtlibdir@
CC = @CC@
CCLD = ${CC}
CFLAGS = @CFLAGS@
LDFLAGS = @LDFLAGS@
regular_CFLAGS = @regular_CFLAGS@
libxtables_CFLAGS = @libxtables_CFLAGS@
libxtables_LIBS = @libxtables_LIBS@
AM_CFLAGS = ${regular_CFLAGS} ${libxtables_CFLAGS}
AM_DEPFLAGS = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
AM_DEFAULT_VERBOSITY = 0
@@ -42,19 +44,19 @@ subdirs_list := $(filter %/,${obj-m})
.PHONY: all install clean
all: ${targets}
@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
@for i in ${subdirs_list}; do ${MAKE} -C $$i || exit $$?; done;
install: ${targets}
@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
install -dm0755 "${DESTDIR}/${xtlibdir}";
@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
clean:
@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
@for i in ${subdirs_list}; do ${MAKE} -C $$i $@ || exit $$?; done;
rm -f *.oo *.so;
lib%.so: lib%.oo
${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${libxtables_LIBS} ${LDLIBS};
%.oo: ${XA_SRCDIR}/%.c
${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CPPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CPPFLAGS} ${CFLAGS} -o $@ -c $<;

6
Makefile.mans.in
View File

@@ -3,8 +3,8 @@
srcdir := @srcdir@
wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man')
wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man')
wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man' | sort)
wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man' | sort)
wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
@@ -23,7 +23,7 @@ man_run = \
name="$${name\#\#*/libxt_}"; \
if [ -f "$$ext" ]; then \
echo ".SS $$name"; \
cat "$$ext"; \
cat "$$ext" || exit $$?; \
continue; \
fi; \
done >$@;

7
README
View File

@@ -16,6 +16,13 @@ sanity checks and incorrect endianess handling have been fixed,
simplified, and sped up.
Included in this package
========================
- ipset 4.5
- ipset 5.4.1
- xt_ACCOUNT 1.16, libxt_ACCOUNT 1.3
Inclusion into a kernel tree
============================

88
configure.ac
View File

@@ -1,9 +1,9 @@
AC_INIT([xtables-addons], [1.27])
AC_INIT([xtables-addons], [1.33])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
AC_PROG_INSTALL
AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
AM_INIT_AUTOMAKE([1.10b -Wall foreign subdir-objects])
AC_PROG_CC
AM_PROG_CC_C_O
AC_DISABLE_STATIC
@@ -21,21 +21,24 @@ if [[ "$kbuilddir" == no ]]; then
kbuilddir="";
fi
AC_ARG_WITH([xtlibdir],
AS_HELP_STRING([--with-xtlibdir=PATH],
[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
[xtlibdir="$withval"],
[xtlibdir='${libexecdir}/xtables'])
PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
PKG_CHECK_MODULES([libmnl], [libmnl >= 1], [:], [:])
regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
AC_ARG_WITH([xtlibdir],
AS_HELP_STRING([--with-xtlibdir=PATH],
[Path where to install Xtables extensions [[autodetect]]]]),
[xtlibdir="$withval"])
AC_MSG_CHECKING([Xtables module directory])
AC_MSG_RESULT([$xtlibdir])
regular_CPPFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
-D_REENTRANT -I\${XA_TOPSRCDIR}/include"
regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
-I\${XA_TOPSRCDIR}/include";
-Winline -pipe";
#
# check kernel version
@@ -46,35 +49,46 @@ if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
# Well, just a warning. Maybe the admin updated the kernel.
echo "WARNING: This distribution's shipped kernel is not supported.";
fi;
krel="$(make -sC ${kbuilddir} kernelrelease)";
krel="${krel%%-*}";
kmajor="${krel%%.*}";
krel="${krel#*.}";
kminor="${krel%%.*}";
krel="${krel#*.}";
kmicro="${krel%%.*}";
if test "$kmicro" = "$krel"; then
kstable=0;
else
kstable="${krel#*.}";
if test -z "$kstable"; then
kstable=0;
if test -n "$kbuilddir"; then
AC_MSG_CHECKING([kernel version that we will build against])
krel="$(make -sC "$kbuilddir" M=. kernelrelease)";
kmajor="${krel%%[[^0-9]]*}";
kmajor="$(($kmajor+0))";
krel="${krel:${#kmajor}}";
krel="${krel#.}";
kminor="${krel%%[[^0-9]]*}";
kminor="$(($kminor+0))";
krel="${krel:${#kminor}}";
krel="${krel#.}";
kmicro="${krel%%[[^0-9]]*}";
kmicro="$(($kmicro+0))";
krel="${krel:${#kmicro}}";
krel="${krel#.}";
kstable="${krel%%[[^0-9]]*}";
kstable="$(($kstable+0))";
if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
echo "WARNING: Version detection did not succeed. Continue at own luck.";
else
echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 38; then
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test \( "$kmajor" -lt 2 -o \
\( "$kmajor" -eq 2 -a "$kminor" -lt 6 \) -o \
\( "$kmajor" -eq 2 -a "$kminor" -eq 0 -a "$kmicro" -lt 17 \) -o \
\( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
"$kstable" -lt 5 \) \); then
echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
exit 1;
fi;
fi;
fi;
echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 35; then
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
\( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
"$kstable" -lt 5 \); then
echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
exit 1;
fi;
AC_SUBST([regular_CPPFLAGS])
AC_SUBST([regular_CFLAGS])
AC_SUBST([kbuilddir])
AC_SUBST([xtlibdir])
AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans geoip/Makefile
extensions/Makefile extensions/ACCOUNT/Makefile
extensions/ipset/Makefile extensions/pknock/Makefile])
extensions/ipset-4/Makefile extensions/ipset-5/Makefile
extensions/pknock/Makefile])
AC_OUTPUT

64
doc/api/2.6.17.c Normal file
View File

@@ -0,0 +1,64 @@
match:
/* true/false */
int
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop,
);
/* error code */
int
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
void *userdata,
);
/* error code */
int
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
);

59
doc/api/2.6.19.c Normal file
View File

@@ -0,0 +1,59 @@
match:
/* true/false */
int
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop,
);
/* error code */
int
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* error code */
int
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

59
doc/api/2.6.23.c Normal file
View File

@@ -0,0 +1,59 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
bool *hotdrop,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

59
doc/api/2.6.24.c Normal file
View File

@@ -0,0 +1,59 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
bool *hotdrop,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

39
doc/api/2.6.28.c Normal file
View File

@@ -0,0 +1,39 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

38
doc/api/2.6.31.c Normal file
View File

@@ -0,0 +1,38 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

39
doc/api/2.6.32.c Normal file
View File

@@ -0,0 +1,39 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

39
doc/api/2.6.35.c Normal file
View File

@@ -0,0 +1,39 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
struct xt_action_param *,
);
/* error code */
int
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_action_param *,
);
/* error code */
int
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

39
doc/api/xt-a.c Normal file
View File

@@ -0,0 +1,39 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
struct xt_action_param *,
);
/* error code */
int
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct xt_action_param *,
);
/* error code */
int
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

195
doc/changelog.txt
View File

@@ -3,18 +3,97 @@ HEAD
====
Xtables-addons 1.27 (May 16 2010)
=================================
v1.33 (2011-02-02)
==================
Fixes:
- build: restore functionality of `configure --without-kbuild`
- build: fix objdir builds for ipset-5 (xt-a specific)
- build: fix missing inclusion of dependency rules
- xt_LOGMARK: fix detection of untracked connection for Linux >= 2.6.36
Enhancements:
- IPv6 support for xt_geoip
- Update to ipset 5.3
* make IPv4 and IPv6 address handling similar
* show correct line numbers in restore output for parser errors
- Update to ipset 5.4
* fixed ICMP and ICMPv6 handling
* fixed trailing whitespaces and pr_* messages
* fixed module loading at create/header commands
- build: support for Linux up to 2.6.38
- build: preliminary support for iptables 1.4.11
v1.32 (2011-01-04)
==================
Fixes:
- Update to ipset 4.5
* the iptreemap type used wrong gfp flags when deleting entries
- Include ipset 5.2 with genetlink patch (beta)
* no kernel patch needed, but requires Linux >= 2.6.35
and thus needs to be manually enabled in mconfig
v1.31 (2010-11-05)
==================
Fixes:
- build: improve detection of kernel version and error handling
Changes:
- build: automatically derive Xtables module directory, thus
--with-xtlibdir is no longer needed for ./configure in most cases
(If I still see a distro using it, I will scold you for not
reading this changelog.)
Enhancements:
- LOGMARK: print remaining lifetime of cts
- xt_iface: allow matching against incoming/outgoing interface
- libxt_gradm: match packets based on status of grsecurity RBAC
(userspace part only - xt_gradm is in the grsec patch)
v1.30 (2010-010-02)
===================
Fixes:
- update to ipset 4.4
* ipport{,ip,net}hash did not work with mixed "src" and "dst"
destination parameters
Changes:
- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
merged upstream in Linux 2.6.35 and 2.6.36, respectively.
Distros still wishing to build this need to enable it in their build
script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
v1.29 (2010-09-29)
==================
- compat_xtables: return bool for match_check and target_check in 2.6.23..34
- ipset: enable building of ip_set_ipport{ip,net}hash.ko
- support for Linux 2.6.36
- SYSRQ: resolve compile error with Linux 2.6.36
- TEE: resolve compile error with Linux 2.6.36
- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
("implicit declaration of function 'ALIGN'")
v1.28 (2010-07-24)
==================
- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
- new target xt_CHECKSUM
- xt_length2: add support for IPv6 jumbograms
- xt_geoip: fix possible out-of-bounds access
- import xt_geoip database scripts
v1.27 (2010-05-16)
==================
- further updates for the upcoming 2.6.35 changes
Xtables-addons 1.26 (April 30 2010)
===================================
v1.26 (2010-04-30)
==================
- compat_xtables: fix 2.6.34 compile error due to a typo
Xtables-addons 1.25 (April 26 2010)
===================================
v1.25 (2010-04-26)
==================
- TEE: do rechecksumming in PREROUTING too
- TEE: decrease TTL on cloned packet
- TEE: set dont-fragment on cloned packets
@@ -26,8 +105,8 @@ Xtables-addons 1.25 (April 26 2010)
- condition: remove unnecessary RCU protection
Xtables-addons 1.24 (March 17 2010)
===================================
v1.24 (2010-03-17)
==================
- build: fix build of userspace modules against old (pre-2.6.25)
headers from linux-glibc-devel (/usr/include/linux)
- ipp2p: updated bittorent command recognition
@@ -35,8 +114,8 @@ Xtables-addons 1.24 (March 17 2010)
- SYSRQ: allow processing of UDP-Lite
Xtables-addons 1.23 (February 24 2010)
======================================
v1.23 (2010-02-24)
==================
- build: support for Linux 2.6.34
- build: remove unused --with-ksource option
- build: remove unneeded --with-xtables option
@@ -45,22 +124,22 @@ Xtables-addons 1.23 (February 24 2010)
- ECHO: fix compilation w.r.t. skb_dst
Xtables-addons 1.22 (January 22 2010)
=====================================
v1.22 (2010-01-22)
==================
- compat_xtables: support for 2.6.33 skb_iif changes
- geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
- ipset: enable build of ip_set_setlist.ko
- quota2: add the --no-change mode
Xtables-addons 1.21 (December 09 2009)
======================================
v1.21 (2009-12-09)
==================
- ACCOUNT: avoid collision with arp_tables setsockopt numbers
- doc: fix option mismatch --gw/--gateway in libxt_TEE.man
Xtables-addons 1.20 (November 19 2009)
======================================
v1.20 (2009-11-19)
==================
- ipp2p: add more boundary checks
- ipp2p: fix Gnutelle line ending detection
- LOGMARK: remove unknown options from manpage
@@ -69,8 +148,8 @@ Xtables-addons 1.20 (November 19 2009)
- ipset: fast forward to v4.1
Xtables-addons 1.19 (October 12 2009)
=====================================
v1.19 (2009-10-12)
==================
- build: compile fixes for 2.6.31-rt
- build: support for Linux 2.6.32
- ipp2p: try to address underflows
@@ -92,8 +171,8 @@ Xtables-addons 1.19 (October 12 2009)
- pknock: add a manpage
Xtables-addons 1.18 (September 09 2009)
=======================================
v1.18 (2009-09-09)
==================
- build: support for Linux 2.6.31
- ipset: fast forward to v3.2
- quota2: support anonymous counters
@@ -104,21 +183,21 @@ Xtables-addons 1.18 (September 09 2009)
- merged xt_psd module
Xtables-addons 1.17 (June 16 2009)
==================================
v1.17 (2009-06-16)
==================
- IPMARK: print missing --shift parameter
- build: use readlink -f in extensions/ipset/
- build: support for Linux 2.6.30
Xtables-addons 1.16 (May 27 2009)
=================================
v1.16 (2009-05-27)
==================
- RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
- ipset: fast forward to 3.0
Xtables-addons 1.15 (April 30 2009)
===================================
v1.15 (2009-04-30)
==================
- build: add kernel version check to configure
- condition: compile fix for 2.6.30-rc
- condition: fix intrapositional negation sign
@@ -130,8 +209,8 @@ Xtables-addons 1.15 (April 30 2009)
- added RAWSNAT/RAWDNAT targets
Xtables-addons 1.14 (March 31 2009)
===================================
v1.14 (2009-03-31)
==================
- fuzzy: need to account for kernel-level modified variables in .userspacesize
- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
- SYSRQ: ignore non-UDP packets
@@ -141,14 +220,14 @@ Xtables-addons 1.14 (March 31 2009)
- dhcpmac: rename from dhcpaddr
Xtables-addons 1.13 (March 23 2009)
===================================
v1.13 (2009-03-23)
==================
- added a reworked ipv4options match
- upgrade to iptables 1.4.3 API
Xtables-addons 1.12 (March 07 2009)
===================================
v1.12 (2009-03-07)
==================
- ipset: fix for compilation with 2.6.29-rt
- ipset: fast forward to 2.5.0
- rename xt_portscan to xt_lscan ("low-level scan") because
@@ -159,21 +238,21 @@ Xtables-addons 1.12 (March 07 2009)
- xt_TEE: enable routing by iif, nfmark and flowlabel
Xtables-addons 1.10 (February 18 2009)
======================================
v1.10 (2009-02-18)
==================
- compat: compile fixes for 2.6.29
- ipset: upgrade to ipset 2.4.9
Xtables-addons 1.9 (January 30 2009)
====================================
v1.9 (2009-01-30)
=================
- add the xt_length2 extension
- xt_TEE: remove intrapositional '!' support
- ipset: upgrade to ipset 2.4.7
Xtables-addons 1.8 (January 10 2009)
====================================
v1.8 (2009-01-10)
=================
- xt_TEE: IPv6 support
- xt_TEE: do not include TOS value in routing decision
- xt_TEE: fix switch-case inversion for name/IP display
@@ -182,8 +261,8 @@ Xtables-addons 1.8 (January 10 2009)
- xt_portscan: update manpage about --grscan option caveats
Xtables-addons 1.7 (December 25 2008)
=====================================
v1.7 (2008-12-25)
=================
- xt_ECHO: compile fix
- avoid the use of "_init" which led to compile errors on some installations
- build: do not unconditionally install ipset
@@ -194,16 +273,16 @@ Xtables-addons 1.7 (December 25 2008)
- xt_SYSRQ: improve security by hashing password
Xtables-addons 1.6 (November 18 2008)
=====================================
v1.6 (2008-11-18)
=================
- build: support for Linux 2.6.17
- build: compile fixes for 2.6.18 and 2.6.19
- xt_ECHO: resolve compile errors in xt_ECHO
- xt_ipp2p: parenthesize unaligned-access macros
Xtables-addons 1.5.7 (September 01 2008)
========================================
v1.5.7 (2008-09-01)
===================
- API layer: fix use of uninitialized 'hotdrop' variable
- API layer: move to pskb-based signatures
- xt_SYSRQ: compile fixes for Linux <= 2.6.19
@@ -215,8 +294,8 @@ Xtables-addons 1.5.7 (September 01 2008)
- xt_SYSRQ: add missing module aliases
Xtables-addons 1.5.5 (August 03 2008)
=====================================
v1.5.5 (2008-08-03)
===================
- manpage updates for xt_CHAOS, xt_IPMARK; README updates
- build: properly recognize external Kbuild/Mbuild files
- build: remove dependency on CONFIG_NETWORK_SECMARK
@@ -225,13 +304,13 @@ Xtables-addons 1.5.5 (August 03 2008)
- import ipset extension group
Xtables-addons 1.5.4.1 (April 26 2008)
======================================
v1.5.4.1 (2008-04-26)
=====================
- build: fix compile error for 2.6.18-stable
Xtables-addons 1.5.4 (April 09 2008)
====================================
v1.5.4 (2008-04-09)
===================
- build: support building multiple files with one config option
- API layer: add check for pskb relocation
- doc: generate manpages
@@ -245,28 +324,28 @@ Xtables-addons 1.5.4 (April 09 2008)
- add reworked xt_IPMARK target
Xtables-addons 1.5.3 (March 22 2008)
====================================
v1.5.3 (2008-03-22)
===================
- support for Linux 2.6.18
- add xt_ECHO sample target
- add reworked xt_geoip match
Xtables-addons 1.5.2 (March 04 2008)
====================================
v1.5.2 (2008-03-04)
===================
- build: support for GNU make < 3.81 which does not have $(realpath)
Xtables-addons 1.5.1 (February 21 2008)
=======================================
v1.5.1 (2008-02-21)
===================
- build: allow user to select what extensions to compile and install
- build: allow external proejcts to be downloaded into the tree
- xt_LOGMARK: dump classify mark, ctstate and ctstatus
- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
Xtables-addons 1.5.0 (February 11 2008)
=======================================
v1.5.0 (2008-02-11)
===================
Initial release with:
- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
- support for Linux >= 2.6.19

3
extensions/ACCOUNT/Makefile.am
View File

@@ -1,5 +1,8 @@
# -*- Makefile -*-
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
AM_CFLAGS = ${regular_CFLAGS}
include ../../Makefile.extra
sbin_PROGRAMS = iptaccount

1
extensions/ACCOUNT/VERSION.txt Normal file
View File

@@ -0,0 +1 @@
1.16

7
extensions/ACCOUNT/libxt_ACCOUNT.c
View File

@@ -12,6 +12,7 @@
#include <stddef.h>
#include <xtables.h>
#include "xt_ACCOUNT.h"
#include "compat_user.h"
static struct option account_tg_opts[] = {
{.name = "addr", .has_arg = true, .val = 'a'},
@@ -104,11 +105,11 @@ static void account_tg_print_it(const void *ip,
struct in_addr a;
if (!do_prefix)
printf("ACCOUNT ");
printf(" ACCOUNT ");
// Network information
if (do_prefix)
printf("--");
printf(" --");
printf("%s ", account_tg_opts[0].name);
a.s_addr = accountinfo->net_ip;
@@ -118,7 +119,7 @@ static void account_tg_print_it(const void *ip,
printf(" ");
if (do_prefix)
printf("--");
printf(" --");
printf("%s %s", account_tg_opts[1].name, accountinfo->table_name);
}

12
extensions/ACCOUNT/xt_ACCOUNT.c
View File

@@ -3,7 +3,7 @@
* See http://www.intra2net.com/opensource/ipt_account *
* for further information *
* *
* Copyright (C) 2004-2008 by Intra2net AG *
* Copyright (C) 2004-2011 by Intra2net AG *
* opensource@intra2net.com *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -494,7 +494,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
NIPQUAD(src_ip), NIPQUAD(dst_ip));
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
/* 8 bit network or "any" network */
@@ -506,7 +506,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
/* 16 bit network */
@@ -517,7 +517,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
/* 24 bit network */
@@ -528,7 +528,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
printk("ACCOUNT: ipt_acc_target: Unable to process packet. "
@@ -536,7 +536,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
spin_unlock_bh(&ipt_acc_lock);
return IPT_CONTINUE;
return XT_CONTINUE;
}
/*

5
extensions/Kbuild
View File

@@ -7,8 +7,10 @@ obj-m += compat_xtables.o
obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += xt_CHAOS.o
obj-${build_CHECKSUM} += xt_CHECKSUM.o
obj-${build_DELUDE} += xt_DELUDE.o
obj-${build_DHCPMAC} += xt_DHCPMAC.o
obj-${build_DNETMAP} += xt_DNETMAP.o
obj-${build_ECHO} += xt_ECHO.o
obj-${build_IPMARK} += xt_IPMARK.o
obj-${build_LOGMARK} += xt_LOGMARK.o
@@ -25,7 +27,8 @@ obj-${build_fuzzy} += xt_fuzzy.o
obj-${build_geoip} += xt_geoip.o
obj-${build_iface} += xt_iface.o
obj-${build_ipp2p} += xt_ipp2p.o
obj-${build_ipset} += ipset/
obj-${build_ipset4} += ipset-4/
obj-${build_ipset5} += ipset-5/
obj-${build_ipv4options} += xt_ipv4options.o
obj-${build_length2} += xt_length2.o
obj-${build_lscan} += xt_lscan.o

3
extensions/Makefile.am
View File

@@ -1,6 +1,9 @@
# -*- Makefile -*-
# AUTOMAKE
AM_CPPFLAGS = ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
AM_CFLAGS = ${regular_CFLAGS} ${libxtables_CFLAGS}
# Not having Kbuild in Makefile.extra because it will already recurse
.PHONY: modules modules_install clean_modules

6
extensions/Mbuild
View File

@@ -2,8 +2,10 @@
obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += libxt_CHAOS.so
obj-${build_CHECKSUM} += libxt_CHECKSUM.so
obj-${build_DELUDE} += libxt_DELUDE.so
obj-${build_DHCPMAC} += libxt_DHCPMAC.so libxt_dhcpmac.so
obj-${build_DNETMAP} += libxt_DNETMAP.so
obj-${build_ECHO} += libxt_ECHO.so
obj-${build_IPMARK} += libxt_IPMARK.so
obj-${build_LOGMARK} += libxt_LOGMARK.so
@@ -17,10 +19,12 @@ obj-${build_fuzzy} += libxt_fuzzy.so
obj-${build_geoip} += libxt_geoip.so
obj-${build_iface} += libxt_iface.so
obj-${build_ipp2p} += libxt_ipp2p.so
obj-${build_ipset} += ipset/
obj-${build_ipset4} += ipset-4/
obj-${build_ipset5} += ipset-5/
obj-${build_ipv4options} += libxt_ipv4options.so
obj-${build_length2} += libxt_length2.so
obj-${build_lscan} += libxt_lscan.so
obj-${build_pknock} += pknock/
obj-${build_psd} += libxt_psd.so
obj-${build_quota2} += libxt_quota2.so
obj-${build_gradm} += libxt_gradm.so

12
extensions/compat_user.h Normal file
View File

@@ -0,0 +1,12 @@
/*
* Userspace-level compat hacks
*/
#ifndef _XTABLES_COMPAT_USER_H
#define _XTABLES_COMPAT_USER_H 1
/* linux-glibc-devel 2.6.34 header screwup */
#ifndef ALIGN
# define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
#endif
#endif /* _XTABLES_COMPAT_USER_H */

12
extensions/compat_xtables.c
View File

@@ -105,7 +105,11 @@ static bool xtnu_match_check(const char *table, const void *entry,
return false;
if (nm->checkentry == NULL)
return true;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
return nm->checkentry(&local_par);
#else
return nm->checkentry(&local_par) == 0;
#endif
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
@@ -118,7 +122,7 @@ static bool xtnu_match_check(const struct xt_mtchk_param *par)
return false;
if (nm->checkentry == NULL)
return true;
return nm->checkentry(par) == 0 ? true : false;
return nm->checkentry(par) == 0;
}
#endif
@@ -313,7 +317,11 @@ static bool xtnu_target_check(const char *table, const void *entry,
if (nt->checkentry == NULL)
/* this is valid, just like if there was no function */
return true;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
return nt->checkentry(&local_par);
#else
return nt->checkentry(&local_par) == 0;
#endif
}
#endif
@@ -327,7 +335,7 @@ static bool xtnu_target_check(const struct xt_tgchk_param *par)
return false;
if (nt->checkentry == NULL)
return true;
return nt->checkentry(par) == 0 ? true : false;
return nt->checkentry(par) == 0;
}
#endif

5
extensions/compat_xtables.h
View File

@@ -86,6 +86,11 @@
# define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
# define rt_dst(rt) (&(rt)->dst)
#else
# define rt_dst(rt) (&(rt)->u.dst)
#endif
#if !defined(NIP6) && !defined(NIP6_FMT)
# define NIP6(addr) \

0
extensions/ipset/.gitignore → extensions/ipset-4/.gitignore vendored
View File

1
extensions/ipset/Kbuild → extensions/ipset-4/Kbuild
View File

@@ -3,4 +3,5 @@
obj-m += ipt_set.o ipt_SET.o
obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
obj-m += ip_set_ipportiphash.o ip_set_ipportnethash.o
obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

4
extensions/ipset/Makefile.am → extensions/ipset-4/Makefile.am
View File

@@ -1,6 +1,8 @@
# -*- Makefile -*-
AM_CFLAGS = ${regular_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
AM_CPPFLAGS = ${regular_CPPFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\" \
-DIP_NF_SET_HASHSIZE=1024
AM_CFLAGS = ${regular_CFLAGS}
include ../../Makefile.extra

2
extensions/ipset/Mbuild → extensions/ipset-4/Mbuild
View File

@@ -4,4 +4,4 @@ obj-m += $(addprefix lib,$(patsubst %.c,%.so,$(notdir \
$(wildcard ${XA_SRCDIR}/ipset_*.c))))
libipset_%.oo: ${XA_SRCDIR}/ipset_%.c
${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CPPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CPPFLAGS} ${CFLAGS} -o $@ -c $<;

1
extensions/ipset-4/VERSION.txt Normal file
View File

@@ -0,0 +1 @@
4.5

10
extensions/ipset/ip_set.c → extensions/ipset-4/ip_set.c
View File

@@ -929,11 +929,11 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
}
if (copy_from_user(data, user, len) != 0) {
res = -EFAULT;
goto done;
goto cleanup;
}
if (down_interruptible(&ip_set_app_mutex)) {
res = -EINTR;
goto done;
goto cleanup;
}
op = (unsigned *)data;
@@ -1109,6 +1109,7 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
done:
up(&ip_set_app_mutex);
cleanup:
vfree(data);
if (res > 0)
res = 0;
@@ -1142,11 +1143,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
}
if (copy_from_user(data, user, *len) != 0) {
res = -EFAULT;
goto done;
goto cleanup;
}
if (down_interruptible(&ip_set_app_mutex)) {
res = -EINTR;
goto done;
goto cleanup;
}
op = (unsigned *) data;
@@ -1439,6 +1440,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
done:
up(&ip_set_app_mutex);
cleanup:
vfree(data);
if (res > 0)
res = 0;

0
extensions/ipset/ip_set.h → extensions/ipset-4/ip_set.h
View File

0
extensions/ipset/ip_set_bitmaps.h → extensions/ipset-4/ip_set_bitmaps.h
View File

0
extensions/ipset/ip_set_compat.h → extensions/ipset-4/ip_set_compat.h
View File

0
extensions/ipset/ip_set_getport.h → extensions/ipset-4/ip_set_getport.h
View File

0
extensions/ipset/ip_set_hashes.h → extensions/ipset-4/ip_set_hashes.h
View File

0
extensions/ipset/ip_set_iphash.c → extensions/ipset-4/ip_set_iphash.c
View File

0
extensions/ipset/ip_set_iphash.h → extensions/ipset-4/ip_set_iphash.h
View File

0
extensions/ipset/ip_set_ipmap.c → extensions/ipset-4/ip_set_ipmap.c
View File

0
extensions/ipset/ip_set_ipmap.h → extensions/ipset-4/ip_set_ipmap.h
View File

2
extensions/ipset/ip_set_ipporthash.c → extensions/ipset-4/ip_set_ipporthash.c
View File

@@ -68,7 +68,7 @@ ipporthash_test(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
if (flags[1] == 0) \
return 0; \
\
port = get_port(skb, flags++); \
port = get_port(skb, ++flags); \
\
if (port == INVALID_PORT) \
return 0;

0
extensions/ipset/ip_set_ipporthash.h → extensions/ipset-4/ip_set_ipporthash.h
View File

4
extensions/ipset/ip_set_ipportiphash.c → extensions/ipset-4/ip_set_ipportiphash.c
View File

@@ -72,8 +72,8 @@ ipportiphash_test(struct ip_set *set,
if (flags[2] == 0) \
return 0; \
\
port = get_port(skb, flags++); \
ip1 = ipaddr(skb, flags++); \
port = get_port(skb, ++flags); \
ip1 = ipaddr(skb, ++flags); \
\
if (port == INVALID_PORT) \
return 0;

0
extensions/ipset/ip_set_ipportiphash.h → extensions/ipset-4/ip_set_ipportiphash.h
View File

4
extensions/ipset/ip_set_ipportnethash.c → extensions/ipset-4/ip_set_ipportnethash.c
View File

@@ -116,8 +116,8 @@ ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size)
if (flags[2] == 0) \
return 0; \
\
port = get_port(skb, flags++); \
ip1 = ipaddr(skb, flags++); \
port = get_port(skb, ++flags); \
ip1 = ipaddr(skb, ++flags); \
\
if (port == INVALID_PORT) \
return 0;

0
extensions/ipset/ip_set_ipportnethash.h → extensions/ipset-4/ip_set_ipportnethash.h
View File

0
extensions/ipset/ip_set_iptree.c → extensions/ipset-4/ip_set_iptree.c
View File

0
extensions/ipset/ip_set_iptree.h → extensions/ipset-4/ip_set_iptree.h
View File

31
extensions/ipset/ip_set_iptreemap.c → extensions/ipset-4/ip_set_iptreemap.c
View File

@@ -102,13 +102,13 @@ static struct ip_set_iptreemap_b *fullbitmap_b;
} \
}
#define DELIP_WALK(map, elem, branch, cachep, full, flags) \
#define DELIP_WALK(map, elem, branch, cachep, full) \
do { \
branch = (map)->tree[elem]; \
if (!branch) { \
return -EEXIST; \
} else if (branch == full) { \
branch = kmem_cache_alloc(cachep, flags); \
branch = kmem_cache_alloc(cachep, GFP_ATOMIC); \
if (!branch) \
return -ENOMEM; \
memcpy(branch, full, sizeof(*full)); \
@@ -116,7 +116,7 @@ static struct ip_set_iptreemap_b *fullbitmap_b;
} \
} while (0)
#define DELIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free, flags) \
#define DELIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free) \
for (a = a1; a <= a2; a++) { \
branch = (map)->tree[a]; \
if (branch) { \
@@ -126,7 +126,7 @@ static struct ip_set_iptreemap_b *fullbitmap_b;
(map)->tree[a] = NULL; \
continue; \
} else if (branch == full) { \
branch = kmem_cache_alloc(cachep, flags); \
branch = kmem_cache_alloc(cachep, GFP_ATOMIC); \
if (!branch) \
return -ENOMEM; \
memcpy(branch, full, sizeof(*branch)); \
@@ -331,7 +331,7 @@ UADT0(iptreemap, add, min(req->ip, req->end), max(req->ip, req->end))
KADT(iptreemap, add, ipaddr, ip)
static inline int
__delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
__delip_single(struct ip_set *set, ip_set_ip_t ip)
{
struct ip_set_iptreemap *map = set->data;
struct ip_set_iptreemap_b *btree;
@@ -341,9 +341,9 @@ __delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
ABCD(a, b, c, d, &ip);
DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b, flags);
DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c, flags);
DELIP_WALK(ctree, c, dtree, cachep_d, fullbitmap_d, flags);
DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b);
DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c);
DELIP_WALK(ctree, c, dtree, cachep_d, fullbitmap_d);
if (!__test_and_clear_bit(d, (void *) dtree->bitmap))
return -EEXIST;
@@ -354,8 +354,7 @@ __delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
}
static inline int
iptreemap_del(struct ip_set *set,
ip_set_ip_t start, ip_set_ip_t end, gfp_t flags)
iptreemap_del(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end)
{
struct ip_set_iptreemap *map = set->data;
struct ip_set_iptreemap_b *btree;
@@ -366,15 +365,15 @@ iptreemap_del(struct ip_set *set,
unsigned char a2, b2, c2, d2;
if (start == end)
return __delip_single(set, start, flags);
return __delip_single(set, start);
ABCD(a1, b1, c1, d1, &start);
ABCD(a2, b2, c2, d2, &end);
/* This is sooo ugly... */
DELIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b, flags) {
DELIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c, flags) {
DELIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d, flags) {
DELIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b) {
DELIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c) {
DELIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d) {
for (d = GETVALUE3(a, b, c, a1, b1, c1, d1, 0); d <= GETVALUE3(a, b, c, a2, b2, c2, d2, 255); d++)
__clear_bit(d, (void *) dtree->bitmap);
__set_bit(b, (void *) btree->dirty);
@@ -385,8 +384,8 @@ iptreemap_del(struct ip_set *set,
return 0;
}
UADT0(iptreemap, del, min(req->ip, req->end), max(req->ip, req->end), GFP_KERNEL)
KADT(iptreemap, del, ipaddr, ip, GFP_ATOMIC)
UADT0(iptreemap, del, min(req->ip, req->end), max(req->ip, req->end))
KADT(iptreemap, del, ipaddr, ip)
/* Check the status of the bitmap
* -1 == all bits cleared

0
extensions/ipset/ip_set_iptreemap.h → extensions/ipset-4/ip_set_iptreemap.h
View File

0
extensions/ipset/ip_set_jhash.h → extensions/ipset-4/ip_set_jhash.h
View File

0
extensions/ipset/ip_set_macipmap.c → extensions/ipset-4/ip_set_macipmap.c
View File

0
extensions/ipset/ip_set_macipmap.h → extensions/ipset-4/ip_set_macipmap.h
View File

0
extensions/ipset/ip_set_malloc.h → extensions/ipset-4/ip_set_malloc.h
View File

0
extensions/ipset/ip_set_nethash.c → extensions/ipset-4/ip_set_nethash.c
View File

0
extensions/ipset/ip_set_nethash.h → extensions/ipset-4/ip_set_nethash.h
View File

0
extensions/ipset/ip_set_portmap.c → extensions/ipset-4/ip_set_portmap.c
View File

0
extensions/ipset/ip_set_portmap.h → extensions/ipset-4/ip_set_portmap.h
View File

0
extensions/ipset/ip_set_setlist.c → extensions/ipset-4/ip_set_setlist.c
View File

0
extensions/ipset/ip_set_setlist.h → extensions/ipset-4/ip_set_setlist.h
View File

6
extensions/ipset/ipset.8 → extensions/ipset-4/ipset.8
View File

@@ -502,9 +502,13 @@ data storage in
set and add src to the first single or src,dst to the first double
data storage set in
\fIb\fP.
.P
You can imagine a setlist type of set as an ordered union of
the set elements.
.P
Please note: by the ipset command you can add, delete and
.B test
the setnames in a setlist type of set, and not the presence of
a set's member (such as an IP address).
.SH GENERAL RESTRICTIONS
Setnames starting with colon (:) cannot be defined. Zero valued set
entries cannot be used with hash type of sets.

2
extensions/ipset/ipset.c → extensions/ipset-4/ipset.c
View File

@@ -30,7 +30,7 @@
#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
#endif
#define IPSET_VERSION "4.2"
#define IPSET_VERSION "4.5"
char program_name[] = "ipset";
char program_version[] = IPSET_VERSION;

0
extensions/ipset/ipset.h → extensions/ipset-4/ipset.h
View File

2
extensions/ipset/ipset_iphash.c → extensions/ipset-4/ipset_iphash.c
View File

@@ -39,7 +39,7 @@ iphash_create_init(void *data)
DP("create INIT");
/* Default create parameters */
mydata->hashsize = 1024;
mydata->hashsize = IP_NF_SET_HASHSIZE;
mydata->probes = 8;
mydata->resize = 50;

0
extensions/ipset/ipset_ipmap.c → extensions/ipset-4/ipset_ipmap.c
View File

2
extensions/ipset/ipset_ipporthash.c → extensions/ipset-4/ipset_ipporthash.c
View File

@@ -39,7 +39,7 @@ ipporthash_create_init(void *data)
DP("create INIT");
/* Default create parameters */
mydata->hashsize = 1024;
mydata->hashsize = IP_NF_SET_HASHSIZE;
mydata->probes = 8;
mydata->resize = 50;
}

2
extensions/ipset/ipset_ipportiphash.c → extensions/ipset-4/ipset_ipportiphash.c
View File

@@ -39,7 +39,7 @@ ipportiphash_create_init(void *data)
DP("create INIT");
/* Default create parameters */
mydata->hashsize = 1024;
mydata->hashsize = IP_NF_SET_HASHSIZE;
mydata->probes = 8;
mydata->resize = 50;
}

2
extensions/ipset/ipset_ipportnethash.c → extensions/ipset-4/ipset_ipportnethash.c
View File

@@ -39,7 +39,7 @@ ipportnethash_create_init(void *data)
DP("create INIT");
/* Default create parameters */
mydata->hashsize = 1024;
mydata->hashsize = IP_NF_SET_HASHSIZE;
mydata->probes = 8;
mydata->resize = 50;
}

0
extensions/ipset/ipset_iptree.c → extensions/ipset-4/ipset_iptree.c
View File

0
extensions/ipset/ipset_iptreemap.c → extensions/ipset-4/ipset_iptreemap.c
View File

0
extensions/ipset/ipset_macipmap.c → extensions/ipset-4/ipset_macipmap.c
View File

2
extensions/ipset/ipset_nethash.c → extensions/ipset-4/ipset_nethash.c
View File

@@ -38,7 +38,7 @@ nethash_create_init(void *data)
DP("create INIT");
/* Default create parameters */
mydata->hashsize = 1024;
mydata->hashsize = IP_NF_SET_HASHSIZE;
mydata->probes = 4;
mydata->resize = 50;
}

0
extensions/ipset/ipset_portmap.c → extensions/ipset-4/ipset_portmap.c
View File

0
extensions/ipset/ipset_setlist.c → extensions/ipset-4/ipset_setlist.c
View File

0
extensions/ipset/ipt_SET.c → extensions/ipset-4/ipt_SET.c
View File

0
extensions/ipset/ipt_set.c → extensions/ipset-4/ipt_set.c
View File

0
extensions/ipset/ipt_set.h → extensions/ipset-4/ipt_set.h
View File

1
extensions/ipset-5/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
/ipset

11
extensions/ipset-5/Kbuild Normal file
View File

@@ -0,0 +1,11 @@
# -*- Makefile -*-
obj-m += xt_set.o
obj-m += ip_set.o ip_set_bitmap_ip.o ip_set_bitmap_ipmac.o
obj-m += ip_set_bitmap_port.o ip_set_hash_ip.o ip_set_hash_ipport.o
obj-m += ip_set_hash_ipportip.o ip_set_hash_ipportnet.o ip_set_hash_net.o
obj-m += ip_set_hash_netport.o ip_set_list_set.o
ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o
EXTRA_CFLAGS += -DLCONFIG_IP_SET_MAX=256

24
extensions/ipset-5/Makefile.am Normal file
View File

@@ -0,0 +1,24 @@
# -*- Makefile -*-
AM_CPPFLAGS = -I${srcdir}/include -DNDEBUG
AM_CFLAGS = ${regular_CFLAGS} ${libmnl_CFLAGS}
include ../../Makefile.extra
lib_LTLIBRARIES = libipset.la
libipset_la_SOURCES = libipset/data.c libipset/icmp.c libipset/icmpv6.c \
libipset/mnl.c libipset/parse.c libipset/print.c \
libipset/session.c libipset/types.c
libipset_la_LIBADD = ${libmnl_LIBS}
libipset_la_LDFLAGS = -version-info 1:0:0
sbin_PROGRAMS = ipset
ipset_SOURCES = src/ipset.c src/errcode.c src/ui.c src/ipset_bitmap_ip.c \
src/ipset_bitmap_ipmac.c src/ipset_bitmap_port.c \
src/ipset_hash_ip.c src/ipset_hash_ipport.c \
src/ipset_hash_ipportip.c src/ipset_hash_ipportnet.c \
src/ipset_hash_net.c src/ipset_hash_netport.c \
src/ipset_list_set.c
ipset_LDADD = libipset.la
man_MANS = ipset.8

2
extensions/ipset-5/Mbuild Normal file
View File

@@ -0,0 +1,2 @@
# -*- Makefile -*-

1
extensions/ipset-5/VERSION.txt Normal file
View File

@@ -0,0 +1 @@
5.4.1-genl

133
extensions/ipset-5/include/libipset/data.h Normal file
View File

@@ -0,0 +1,133 @@
/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_DATA_H
#define LIBIPSET_DATA_H
#include <stdbool.h> /* bool */
#include <libipset/nf_inet_addr.h> /* union nf_inet_addr */
/* Data options */
enum ipset_opt {
IPSET_OPT_NONE = 0,
/* Common ones */
IPSET_SETNAME,
IPSET_OPT_TYPENAME,
IPSET_OPT_FAMILY,
/* CADT options */
IPSET_OPT_IP,
IPSET_OPT_IP_FROM = IPSET_OPT_IP,
IPSET_OPT_IP_TO,
IPSET_OPT_CIDR,
IPSET_OPT_PORT,
IPSET_OPT_PORT_FROM = IPSET_OPT_PORT,
IPSET_OPT_PORT_TO,
IPSET_OPT_TIMEOUT,
/* Create-specific options */
IPSET_OPT_GC,
IPSET_OPT_HASHSIZE,
IPSET_OPT_MAXELEM,
IPSET_OPT_NETMASK,
IPSET_OPT_PROBES,
IPSET_OPT_RESIZE,
IPSET_OPT_SIZE,
/* Create-specific options, filled out by the kernel */
IPSET_OPT_ELEMENTS,
IPSET_OPT_REFERENCES,
IPSET_OPT_MEMSIZE,
/* ADT-specific options */
IPSET_OPT_ETHER,
IPSET_OPT_NAME,
IPSET_OPT_NAMEREF,
IPSET_OPT_IP2,
IPSET_OPT_CIDR2,
IPSET_OPT_PROTO,
/* Swap/rename to */
IPSET_OPT_SETNAME2,
/* Flags */
IPSET_OPT_EXIST,
IPSET_OPT_BEFORE,
/* Internal options */
IPSET_OPT_FLAGS = 48, /* IPSET_FLAG_EXIST| */
IPSET_OPT_CADT_FLAGS, /* IPSET_FLAG_BEFORE| */
IPSET_OPT_ELEM,
IPSET_OPT_TYPE,
IPSET_OPT_LINENO,
IPSET_OPT_REVISION,
IPSET_OPT_REVISION_MIN,
IPSET_OPT_MAX,
};
#define IPSET_FLAG(opt) (1LL << (opt))
#define IPSET_FLAGS_ALL (~0LL)
#define IPSET_CREATE_FLAGS \
( IPSET_FLAG(IPSET_OPT_FAMILY) \
| IPSET_FLAG(IPSET_OPT_TYPENAME)\
| IPSET_FLAG(IPSET_OPT_TYPE) \
| IPSET_FLAG(IPSET_OPT_IP) \
| IPSET_FLAG(IPSET_OPT_IP_TO) \
| IPSET_FLAG(IPSET_OPT_CIDR) \
| IPSET_FLAG(IPSET_OPT_PORT) \
| IPSET_FLAG(IPSET_OPT_PORT_TO) \
| IPSET_FLAG(IPSET_OPT_TIMEOUT) \
| IPSET_FLAG(IPSET_OPT_GC) \
| IPSET_FLAG(IPSET_OPT_HASHSIZE)\
| IPSET_FLAG(IPSET_OPT_MAXELEM) \
| IPSET_FLAG(IPSET_OPT_NETMASK) \
| IPSET_FLAG(IPSET_OPT_PROBES) \
| IPSET_FLAG(IPSET_OPT_RESIZE) \
| IPSET_FLAG(IPSET_OPT_SIZE))
#define IPSET_ADT_FLAGS \
( IPSET_FLAG(IPSET_OPT_IP) \
| IPSET_FLAG(IPSET_OPT_IP_TO) \
| IPSET_FLAG(IPSET_OPT_CIDR) \
| IPSET_FLAG(IPSET_OPT_PORT) \
| IPSET_FLAG(IPSET_OPT_PORT_TO) \
| IPSET_FLAG(IPSET_OPT_TIMEOUT) \
| IPSET_FLAG(IPSET_OPT_ETHER) \
| IPSET_FLAG(IPSET_OPT_NAME) \
| IPSET_FLAG(IPSET_OPT_NAMEREF) \
| IPSET_FLAG(IPSET_OPT_IP2) \
| IPSET_FLAG(IPSET_OPT_CIDR2) \
| IPSET_FLAG(IPSET_OPT_PROTO) \
| IPSET_FLAG(IPSET_OPT_CADT_FLAGS)\
| IPSET_FLAG(IPSET_OPT_BEFORE))
struct ipset_data;
extern void ipset_strlcpy(char *dst, const char *src, size_t len);
extern bool ipset_data_flags_test(const struct ipset_data *data,
uint64_t flags);
extern void ipset_data_flags_set(struct ipset_data *data, uint64_t flags);
extern void ipset_data_flags_unset(struct ipset_data *data, uint64_t flags);
extern bool ipset_data_ignored(struct ipset_data *data, enum ipset_opt opt);
extern int ipset_data_set(struct ipset_data *data, enum ipset_opt opt,
const void *value);
extern const void * ipset_data_get(const struct ipset_data *data,
enum ipset_opt opt);
static inline bool
ipset_data_test(const struct ipset_data *data, enum ipset_opt opt)
{
return ipset_data_flags_test(data, IPSET_FLAG(opt));
}
/* Shortcuts */
extern const char * ipset_data_setname(const struct ipset_data *data);
extern uint8_t ipset_data_family(const struct ipset_data *data);
extern uint8_t ipset_data_cidr(const struct ipset_data *data);
extern uint64_t ipset_data_flags(const struct ipset_data *data);
extern void ipset_data_reset(struct ipset_data *data);
extern struct ipset_data * ipset_data_init(void);
extern void ipset_data_fini(struct ipset_data *data);
extern size_t ipset_data_sizeof(enum ipset_opt opt, uint8_t family);
#endif /* LIBIPSET_DATA_H */

33
extensions/ipset-5/include/libipset/debug.h Normal file
View File

@@ -0,0 +1,33 @@
/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_DEBUG_H
#define LIBIPSET_DEBUG_H
#ifdef IPSET_DEBUG
#include <stdio.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#define D(fmt, args...) \
fprintf(stderr, "%s: %s: " fmt "\n", __FILE__, __FUNCTION__ , ## args)
#define IF_D(test, fmt, args...) \
if (test) \
D(fmt , ## args)
static inline void
dump_nla(struct nlattr *nla[], int maxlen)
{
int i;
for (i = 0; i < maxlen; i++)
D("nla[%u] does%s exist", i, nla[i] ? "" : " NOT");
}
#else
#define D(fmt, args...)
#define IF_D(test, fmt, args...)
#define dump_nla(nla, maxlen)
#endif
#endif /* LIBIPSET_DEBUG_H */

24
extensions/ipset-5/include/libipset/errcode.h Normal file
View File

@@ -0,0 +1,24 @@
/* Copyright 2007-2008 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_ERRCODE_H
#define LIBIPSET_ERRCODE_H
#include <libipset/linux_ip_set.h> /* enum ipset_cmd */
struct ipset_session;
/* Kernel error code to message table */
struct ipset_errcode_table {
int errcode; /* error code returned by the kernel */
enum ipset_cmd cmd; /* issued command */
const char *message; /* error message the code translated to */
};
extern int ipset_errcode(struct ipset_session *session, enum ipset_cmd cmd,
int errcode);
#endif /* LIBIPSET_ERRCODE_H */

16
extensions/ipset-5/include/libipset/icmp.h Normal file
View File

@@ -0,0 +1,16 @@
/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_ICMP_H
#define LIBIPSET_ICMP_H
#include <stdint.h> /* uintxx_t */
extern const char * id_to_icmp(uint8_t id);
extern const char * icmp_to_name(uint8_t type, uint8_t code);
extern int name_to_icmp(const char *str, uint16_t *typecode);
#endif /* LIBIPSET_ICMP_H */

16
extensions/ipset-5/include/libipset/icmpv6.h Normal file
View File

@@ -0,0 +1,16 @@
/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_ICMPV6_H
#define LIBIPSET_ICMPV6_H
#include <stdint.h> /* uintxx_t */
extern const char * id_to_icmpv6(uint8_t id);
extern const char * icmpv6_to_name(uint8_t type, uint8_t code);
extern int name_to_icmpv6(const char *str, uint16_t *typecode);
#endif /* LIBIPSET_ICMPV6_H */

163
extensions/ipset-5/include/libipset/linux_ip_set.h Normal file
View File

@@ -0,0 +1,163 @@
#ifndef _IP_SET_H
#define _IP_SET_H
/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
* Patrick Schaaf <bof@bof.de>
* Martin Josefsson <gandalf@wlug.westbo.se>
* Copyright (C) 2003-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
/* The protocol version */
#define IPSET_PROTOCOL 5
/* The max length of strings including NUL: set and type identifiers */
#define IPSET_MAXNAMELEN 32
/* Message types and commands */
enum ipset_cmd {
IPSET_CMD_NONE,
IPSET_CMD_PROTOCOL, /* 1: Return protocol version */
IPSET_CMD_CREATE, /* 2: Create a new (empty) set */
IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */
IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */
IPSET_CMD_RENAME, /* 5: Rename a set */
IPSET_CMD_SWAP, /* 6: Swap two sets */
IPSET_CMD_LIST, /* 7: List sets */
IPSET_CMD_SAVE, /* 8: Save sets */
IPSET_CMD_ADD, /* 9: Add an element to a set */
IPSET_CMD_DEL, /* 10: Delete an element from a set */
IPSET_CMD_TEST, /* 11: Test an element in a set */
IPSET_CMD_HEADER, /* 12: Get set header data only */
IPSET_CMD_TYPE, /* 13: Get set type */
IPSET_MSG_MAX, /* Netlink message commands */
/* Commands in userspace: */
IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
IPSET_CMD_HELP, /* 15: Get help */
IPSET_CMD_VERSION, /* 16: Get program version */
IPSET_CMD_QUIT, /* 17: Quit from interactive mode */
IPSET_CMD_MAX,
IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
};
/* Attributes at command level */
enum {
IPSET_ATTR_UNSPEC,
IPSET_ATTR_PROTOCOL, /* 1: Protocol version */
IPSET_ATTR_SETNAME, /* 2: Name of the set */
IPSET_ATTR_TYPENAME, /* 3: Typename */
IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
IPSET_ATTR_REVISION, /* 4: Settype revision */
IPSET_ATTR_FAMILY, /* 5: Settype family */
IPSET_ATTR_FLAGS, /* 6: Flags at command level */
IPSET_ATTR_DATA, /* 7: Nested attributes */
IPSET_ATTR_ADT, /* 8: Multiple data containers */
IPSET_ATTR_LINENO, /* 9: Restore lineno */
IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
__IPSET_ATTR_CMD_MAX,
};
#define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1)
/* CADT specific attributes */
enum {
IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
IPSET_ATTR_IP_TO, /* 2 */
IPSET_ATTR_CIDR, /* 3 */
IPSET_ATTR_PORT, /* 4 */
IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
IPSET_ATTR_PORT_TO, /* 5 */
IPSET_ATTR_TIMEOUT, /* 6 */
IPSET_ATTR_PROTO, /* 7 */
IPSET_ATTR_CADT_FLAGS, /* 8 */
IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */
/* Reserve empty slots */
IPSET_ATTR_CADT_MAX = 16,
/* Create-only specific attributes */
IPSET_ATTR_GC,
IPSET_ATTR_HASHSIZE,
IPSET_ATTR_MAXELEM,
IPSET_ATTR_NETMASK,
IPSET_ATTR_PROBES,
IPSET_ATTR_RESIZE,
IPSET_ATTR_SIZE,
/* Kernel-only */
IPSET_ATTR_ELEMENTS,
IPSET_ATTR_REFERENCES,
IPSET_ATTR_MEMSIZE,
__IPSET_ATTR_CREATE_MAX,
};
#define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1)
/* ADT specific attributes */
enum {
IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
IPSET_ATTR_NAME,
IPSET_ATTR_NAMEREF,
IPSET_ATTR_IP2,
IPSET_ATTR_CIDR2,
__IPSET_ATTR_ADT_MAX,
};
#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1)
/* IP specific attributes */
enum {
IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
IPSET_ATTR_IPADDR_IPV6,
__IPSET_ATTR_IPADDR_MAX,
};
#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1)
/* Error codes */
enum ipset_errno {
IPSET_ERR_PRIVATE = 128,
IPSET_ERR_PROTOCOL,
IPSET_ERR_FIND_TYPE,
IPSET_ERR_MAX_SETS,
IPSET_ERR_BUSY,
IPSET_ERR_EXIST_SETNAME2,
IPSET_ERR_TYPE_MISMATCH,
IPSET_ERR_EXIST,
IPSET_ERR_INVALID_CIDR,
IPSET_ERR_INVALID_NETMASK,
IPSET_ERR_INVALID_FAMILY,
IPSET_ERR_TIMEOUT,
IPSET_ERR_REFERENCED,
IPSET_ERR_IPADDR_IPV4,
IPSET_ERR_IPADDR_IPV6,
/* Type specific error codes */
IPSET_ERR_TYPE_SPECIFIC = 160,
};
/* Flags at command level */
enum ipset_cmd_flags {
IPSET_FLAG_BIT_EXIST = 0,
IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST),
};
/* Flags at CADT attribute level */
enum ipset_cadt_flags {
IPSET_FLAG_BIT_BEFORE = 0,
IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE),
};
/* Commands with settype-specific attributes */
enum ipset_adt {
IPSET_ADD,
IPSET_DEL,
IPSET_TEST,
IPSET_ADT_MAX,
IPSET_CREATE = IPSET_ADT_MAX,
IPSET_CADT_MAX,
};
#endif /* __IP_SET_H */

12
extensions/ipset-5/include/libipset/linux_ip_set_bitmap.h Normal file
View File

@@ -0,0 +1,12 @@
#ifndef __IP_SET_BITMAP_H
#define __IP_SET_BITMAP_H
/* Bitmap type specific error codes */
enum {
/* The element is out of the range of the set */
IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
/* The range exceeds the size limit of the set type */
IPSET_ERR_BITMAP_RANGE_SIZE,
};
#endif /* __IP_SET_BITMAP_H */

16
extensions/ipset-5/include/libipset/linux_ip_set_hash.h Normal file
View File

@@ -0,0 +1,16 @@
#ifndef __IP_SET_HASH_H
#define __IP_SET_HASH_H
/* Hash type specific error codes */
enum {
/* Hash is full */
IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
/* Null-valued element */
IPSET_ERR_HASH_ELEM,
/* Invalid protocol */
IPSET_ERR_INVALID_PROTO,
/* Protocol missing but must be specified */
IPSET_ERR_MISSING_PROTO,
};
#endif /* __IP_SET_HASH_H */

20
extensions/ipset-5/include/libipset/linux_ip_set_list.h Normal file
View File

@@ -0,0 +1,20 @@
#ifndef __IP_SET_LIST_H
#define __IP_SET_LIST_H
/* List type specific error codes */
enum {
/* Set name to be added/deleted/tested does not exist. */
IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
/* list:set type is not permitted to add */
IPSET_ERR_LOOP,
/* Missing reference set */
IPSET_ERR_BEFORE,
/* Reference set does not exist */
IPSET_ERR_NAMEREF,
/* Set is full */
IPSET_ERR_LIST_FULL,
/* Reference set is not added to the set */
IPSET_ERR_REF_EXIST,
};
#endif /* __IP_SET_LIST_H */

29
extensions/ipset-5/include/libipset/mnl.h Normal file
View File

@@ -0,0 +1,29 @@
/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_MNL_H
#define LIBIPSET_MNL_H
#include <stdint.h> /* uintxx_t */
#include <libmnl/libmnl.h> /* libmnl backend */
#include <libipset/transport.h> /* struct ipset_transport */
#ifndef NFNETLINK_V0
#define NFNETLINK_V0 0
struct nfgenmsg {
uint8_t nfgen_family;
uint8_t version;
uint16_t res_id;
};
#endif
extern int ipset_get_nlmsg_type(const struct nlmsghdr *nlh);
extern const struct ipset_transport ipset_mnl_transport;
#endif /* LIBIPSET_MNL_H */

22
extensions/ipset-5/include/libipset/nf_inet_addr.h Normal file
View File

@@ -0,0 +1,22 @@
/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_NF_INET_ADDR_H
#define LIBIPSET_NF_INET_ADDR_H
#include <stdint.h> /* uint32_t */
#include <netinet/in.h> /* struct in[6]_addr */
/* The structure to hold IP addresses, same as in linux/netfilter.h */
union nf_inet_addr {
uint32_t all[4];
uint32_t ip;
uint32_t ip6[4];
struct in_addr in;
struct in6_addr in6;
};
#endif /* LIBIPSET_NF_INET_ADDR_H */

96
extensions/ipset-5/include/libipset/parse.h Normal file
View File

@@ -0,0 +1,96 @@
/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_PARSE_H
#define LIBIPSET_PARSE_H
#include <libipset/data.h> /* enum ipset_opt */
/* For parsing/printing data */
#define IPSET_CIDR_SEPARATOR "/"
#define IPSET_RANGE_SEPARATOR "-"
#define IPSET_ELEM_SEPARATOR ","
#define IPSET_NAME_SEPARATOR ","
#define IPSET_PROTO_SEPARATOR ":"
struct ipset_session;
typedef int (*ipset_parsefn)(struct ipset_session *s,
enum ipset_opt opt, const char *str);
extern int ipset_parse_ether(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_port(struct ipset_session *session,
enum ipset_opt opt, const char *str,
const char *proto);
extern int ipset_parse_tcpudp_port(struct ipset_session *session,
enum ipset_opt opt, const char *str,
const char *proto);
extern int ipset_parse_tcp_port(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_single_tcp_port(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_proto(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_icmp(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_icmpv6(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_proto_port(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_family(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_ip(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_single_ip(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_net(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_range(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_netrange(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_iprange(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_ipnet(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_ip4_single6(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_name(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_before(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_after(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_setname(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_uint32(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_uint8(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_netmask(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_flag(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_typename(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_output(struct ipset_session *session,
int opt, const char *str);
extern int ipset_parse_ignored(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_elem(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_call_parser(struct ipset_session *session,
ipset_parsefn parse, const char *optstr,
enum ipset_opt optional, const char *str);
/* Compatibility parser functions */
extern int ipset_parse_iptimeout(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_name_compat(struct ipset_session *session,
enum ipset_opt opt, const char *str);
#endif /* LIBIPSET_PARSE_H */

157
extensions/ipset-5/include/libipset/pfxlen.h Normal file
View File

@@ -0,0 +1,157 @@
#ifndef _NET_PFXLEN_H
#define _NET_PFXLEN_H 1
#include <asm/byteorder.h>
#ifdef HAVE_PFXLEN_H
#include <linux/netfilter/pfxlen.h>
#else
#include <libipset/nf_inet_addr.h> /* union nf_inet_addr */
#define E(a, b, c, d) \
{.ip6 = { \
__constant_htonl(a), __constant_htonl(b), \
__constant_htonl(c), __constant_htonl(d), \
}}
/*
* This table works for both IPv4 and IPv6;
* just use prefixlen_netmask_map[prefixlength].ip.
*/
const union nf_inet_addr prefixlen_netmask_map[] = {
E(0x00000000, 0x00000000, 0x00000000, 0x00000000),
E(0x80000000, 0x00000000, 0x00000000, 0x00000000),
E(0xC0000000, 0x00000000, 0x00000000, 0x00000000),
E(0xE0000000, 0x00000000, 0x00000000, 0x00000000),
E(0xF0000000, 0x00000000, 0x00000000, 0x00000000),
E(0xF8000000, 0x00000000, 0x00000000, 0x00000000),
E(0xFC000000, 0x00000000, 0x00000000, 0x00000000),
E(0xFE000000, 0x00000000, 0x00000000, 0x00000000),
E(0xFF000000, 0x00000000, 0x00000000, 0x00000000),
E(0xFF800000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE),
E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF),
};
#endif /* !HAVE_PFXLEN_H */
#define PFXLEN(n) prefixlen_netmask_map[n].ip
#define PFXLEN6(n) prefixlen_netmask_map[n].ip6
#endif

65
extensions/ipset-5/include/libipset/print.h Normal file
View File

@@ -0,0 +1,65 @@
/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_PRINT_H
#define LIBIPSET_PRINT_H
#include <libipset/data.h> /* enum ipset_opt */
typedef int (*ipset_printfn)(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_ether(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_family(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_type(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_ip(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_ipaddr(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_number(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_name(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_port(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_proto(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_icmp(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_icmpv6(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_proto_port(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_flag(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
extern int ipset_print_elem(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
#define ipset_print_portnum ipset_print_number
extern int ipset_print_data(char *buf, unsigned int len,
const struct ipset_data *data,
enum ipset_opt opt, uint8_t env);
#endif /* LIBIPSET_PRINT_H */

95
extensions/ipset-5/include/libipset/session.h Normal file
View File

@@ -0,0 +1,95 @@
/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#ifndef LIBIPSET_SESSION_H
#define LIBIPSET_SESSION_H
#include <stdbool.h> /* bool */
#include <stdint.h> /* uintxx_t */
#include <stdio.h> /* printf */
#include <libipset/linux_ip_set.h> /* enum ipset_cmd */
/* Report and output buffer sizes */
#define IPSET_ERRORBUFLEN 1024
#define IPSET_OUTBUFLEN 8192
struct ipset_session;
struct ipset_data;
struct ipset_handle;
extern struct ipset_data * ipset_session_data(const struct ipset_session *session);
extern struct ipset_handle * ipset_session_handle(const struct ipset_session *session);
extern const struct ipset_type * ipset_saved_type(const struct ipset_session *session);
extern void ipset_session_lineno(struct ipset_session *session, uint32_t lineno);
enum ipset_err_type {
IPSET_ERROR,
IPSET_WARNING,
};
extern int ipset_session_report(struct ipset_session *session,
enum ipset_err_type type,
const char *fmt, ...);
#define ipset_err(session, fmt, args...) \
ipset_session_report(session, IPSET_ERROR, fmt , ## args)
#define ipset_warn(session, fmt, args...) \
ipset_session_report(session, IPSET_WARNING, fmt , ## args)
#define ipset_errptr(session, fmt, args...) ({ \
ipset_session_report(session, IPSET_ERROR, fmt , ## args); \
NULL; \
})
extern void ipset_session_report_reset(struct ipset_session *session);
extern const char * ipset_session_error(const struct ipset_session *session);
extern const char * ipset_session_warning(const struct ipset_session *session);
#define ipset_session_data_set(session, opt, value) \
ipset_data_set(ipset_session_data(session), opt, value)
#define ipset_session_data_get(session, opt) \
ipset_data_get(ipset_session_data(session), opt)
/* Environment option flags */
enum ipset_envopt {
IPSET_ENV_BIT_SORTED = 0,
IPSET_ENV_SORTED = (1 << IPSET_ENV_BIT_SORTED),
IPSET_ENV_BIT_QUIET = 1,
IPSET_ENV_QUIET = (1 << IPSET_ENV_BIT_QUIET),
IPSET_ENV_BIT_RESOLVE = 2,
IPSET_ENV_RESOLVE = (1 << IPSET_ENV_BIT_RESOLVE),
IPSET_ENV_BIT_EXIST = 3,
IPSET_ENV_EXIST = (1 << IPSET_ENV_BIT_EXIST),
};
extern int ipset_envopt_parse(struct ipset_session *session,
int env, const char *str);
extern bool ipset_envopt_test(struct ipset_session *session,
enum ipset_envopt env);
enum ipset_output_mode {
IPSET_LIST_NONE,
IPSET_LIST_PLAIN,
IPSET_LIST_SAVE,
IPSET_LIST_XML,
};
extern int ipset_session_output(struct ipset_session *session,
enum ipset_output_mode mode);
extern int ipset_commit(struct ipset_session *session);
extern int ipset_cmd(struct ipset_session *session, enum ipset_cmd cmd,
uint32_t lineno);
typedef int (*ipset_outfn)(const char *fmt, ...)
__attribute__ ((format (printf, 1, 2)));
extern struct ipset_session * ipset_session_init(ipset_outfn outfn);
extern int ipset_session_fini(struct ipset_session *session);
#endif /* LIBIPSET_SESSION_H */

Some files were not shown because too many files have changed in this diff Show More