xt_mp2t: fix compile error from v1.30-9-gff80812

libxt_mp2t.c: In function ‘mp2t_mt_help’:
libxt_mp2t.c:50:3: error: ‘version’ undeclared (first use in this function)

It is almost impossible to properly keep version numbers in sync
between kernel and userland components (especially when they are
separated from another), so just remove it.

Makefile.iptrules.in

@@ -1,6 +1,8 @@
 # -*- Makefile -*-
 # MANUAL
 
+abs_top_srcdir  = @abs_top_srcdir@
+
 prefix          = @prefix@
 exec_prefix     = @exec_prefix@
 libexecdir      = @libexecdir@
@@ -13,7 +15,7 @@ CFLAGS          = @CFLAGS@
 regular_CFLAGS  = @regular_CFLAGS@
 libxtables_CFLAGS = @libxtables_CFLAGS@
 libxtables_LIBS   = @libxtables_LIBS@
-AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS}
+AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS} -I${abs_top_srcdir}/extensions
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
 AM_DEFAULT_VERBOSITY = 0

configure.ac

@@ -1,9 +1,9 @@
 
-AC_INIT([xtables-addons], [1.28])
+AC_INIT([xtables-addons], [1.30])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE([1.10 -Wall foreign subdir-objects])
+AM_INIT_AUTOMAKE([1.10.2 -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -62,7 +62,7 @@ else
 	fi;
 fi;
 echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 35; then
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 36; then
 	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
     \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \

doc/api/2.6.17.c

@@ -0,0 +1,64 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+		void *userdata,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+	);

doc/api/2.6.19.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.23.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.24.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.28.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.31.c

@@ -0,0 +1,38 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.32.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.35.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/xt-a.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/changelog.txt

@@ -3,6 +3,28 @@ HEAD
 ====
 
 
+v1.30 (October 02 2010)
+=======================
+- update to ipset 4.4
+  * ipport{,ip,net}hash did not work with mixed "src" and "dst"
+    destination parameters
+- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
+  merged upstream in Linux 2.6.35 and 2.6.36, respectively.
+  Distros still wishing to build this need to enable it in their build
+  script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
+
+
+v1.29 (September 29 2010)
+=========================
+- compat_xtables: return bool for match_check and target_check in 2.6.23..34
+- ipset: enable building of ip_set_ipport{ip,net}hash.ko
+- support for Linux 2.6.36
+- SYSRQ: resolve compile error with Linux 2.6.36
+- TEE: resolve compile error with Linux 2.6.36
+- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
+  ("implicit declaration of function 'ALIGN'")
+
+
 Xtables-addons 1.28 (July 24 2010)
 ==================================
 - RAWNAT: IPv6 variants erroneously rejected masks /33-/128

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -12,6 +12,7 @@
 #include <stddef.h>
 #include <xtables.h>
 #include "xt_ACCOUNT.h"
+#include "compat_user.h"
 
 static struct option account_tg_opts[] = {
 	{.name = "addr",  .has_arg = true, .val = 'a'},

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -494,7 +494,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
 			NIPQUAD(src_ip), NIPQUAD(dst_ip));
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 8 bit network or "any" network */
@@ -506,7 +506,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 16 bit network */
@@ -517,7 +517,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	/* 24 bit network */
@@ -528,7 +528,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
 		spin_unlock_bh(&ipt_acc_lock);
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 	}
 
 	printk("ACCOUNT: ipt_acc_target: Unable to process packet. "
@@ -536,7 +536,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
 		info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
 
 	spin_unlock_bh(&ipt_acc_lock);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 /*

extensions/Kbuild

@@ -30,6 +30,7 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o
+obj-${build_mp2t}        += xt_mp2t.o
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += xt_psd.o
 obj-${build_quota2}      += xt_quota2.o

extensions/Mbuild

@@ -22,6 +22,7 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
+obj-${build_mp2t}        += libxt_mp2t.so
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/compat_user.h

@@ -0,0 +1,12 @@
+/*
+ *	Userspace-level compat hacks
+ */
+#ifndef _XTABLES_COMPAT_USER_H
+#define _XTABLES_COMPAT_USER_H 1
+
+/* linux-glibc-devel 2.6.34 header screwup */
+#ifndef ALIGN
+#	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
+#endif
+
+#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -105,7 +105,11 @@ static bool xtnu_match_check(const char *table, const void *entry,
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nm->checkentry(&local_par);
+#else
+	return nm->checkentry(&local_par) == 0;
+#endif
 }
 #endif
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
@@ -118,7 +122,7 @@ static bool xtnu_match_check(const struct xt_mtchk_param *par)
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
-	return nm->checkentry(par) == 0 ? true : false;
+	return nm->checkentry(par) == 0;
 }
 #endif
 
@@ -313,7 +317,11 @@ static bool xtnu_target_check(const char *table, const void *entry,
 	if (nt->checkentry == NULL)
 		/* this is valid, just like if there was no function */
 		return true;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
 	return nt->checkentry(&local_par);
+#else
+	return nt->checkentry(&local_par) == 0;
+#endif
 }
 #endif
 
@@ -327,7 +335,7 @@ static bool xtnu_target_check(const struct xt_tgchk_param *par)
 		return false;
 	if (nt->checkentry == NULL)
 		return true;
-	return nt->checkentry(par) == 0 ? true : false;
+	return nt->checkentry(par) == 0;
 }
 #endif
 

extensions/compat_xtables.h

@@ -86,6 +86,11 @@
 #	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+#	define rt_dst(rt)	(&(rt)->dst)
+#else
+#	define rt_dst(rt)	(&(rt)->u.dst)
+#endif
 
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \

extensions/ipset/Kbuild

@@ -3,4 +3,5 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
+obj-m += ip_set_ipportiphash.o ip_set_ipportnethash.o
 obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/ipset/ip_set.c

@@ -929,11 +929,11 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 	}
 	if (copy_from_user(data, user, len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *)data;
@@ -1109,6 +1109,7 @@ ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len)
 
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;
@@ -1142,11 +1143,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
 	}
 	if (copy_from_user(data, user, *len) != 0) {
 		res = -EFAULT;
-		goto done;
+		goto cleanup;
 	}
 	if (down_interruptible(&ip_set_app_mutex)) {
 		res = -EINTR;
-		goto done;
+		goto cleanup;
 	}
 
 	op = (unsigned *) data;
@@ -1439,6 +1440,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len)
     	
     done:
 	up(&ip_set_app_mutex);
+    cleanup:
 	vfree(data);
 	if (res > 0)
 		res = 0;

extensions/ipset/ip_set_ipporthash.c

@@ -68,7 +68,7 @@ ipporthash_test(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 	if (flags[1] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset/ip_set_ipportiphash.c

@@ -72,8 +72,8 @@ ipportiphash_test(struct ip_set *set,
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
-	ip1 = ipaddr(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset/ip_set_ipportnethash.c

@@ -116,8 +116,8 @@ ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size)
 	if (flags[2] == 0)					\
 		return 0;					\
 								\
-	port = get_port(skb, flags++);				\
-	ip1 = ipaddr(skb, flags++);				\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
 								\
 	if (port == INVALID_PORT)				\
 		return 0;

extensions/ipset/ipset.8

@@ -502,9 +502,13 @@ data storage in
 set and add src to the first single or src,dst to the first double 
 data storage set in
 \fIb\fP.
-.P
 You can imagine a setlist type of set as an ordered union of
 the set elements. 
+.P
+Please note: by the ipset command you can add, delete and
+.B test
+the setnames in a setlist type of set, and not the presence of 
+a set's member (such as an IP address).
 .SH GENERAL RESTRICTIONS
 Setnames starting with colon (:) cannot be defined. Zero valued set 
 entries cannot be used with hash type of sets.

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "4.2"
+#define IPSET_VERSION "4.4"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;

extensions/libxt_CHAOS.c

@@ -16,6 +16,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_CHAOS.h"
+#include "compat_user.h"
 
 enum {
 	F_DELUDE = 1 << 0,

extensions/libxt_CHECKSUM.c

@@ -12,6 +12,7 @@
 
 #include <xtables.h>
 #include "xt_CHECKSUM.h"
+#include "compat_user.h"
 
 static void CHECKSUM_help(void)
 {

extensions/libxt_DELUDE.c

@@ -13,6 +13,7 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
+#include "compat_user.h"
 
 static void delude_tg_help(void)
 {

extensions/libxt_DHCPMAC.c

@@ -17,6 +17,7 @@
 #include <xtables.h>
 #include "xt_DHCPMAC.h"
 #include "mac.c"
+#include "compat_user.h"
 
 enum {
 	F_MAC = 1 << 0,

extensions/libxt_ECHO.c

@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void echo_tg_help(void)
 {

extensions/libxt_IPMARK.c

@@ -14,6 +14,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_IPMARK.h"
+#include "compat_user.h"
 
 enum {
 	FL_ADDR_USED     = 1 << 0,

extensions/libxt_LOGMARK.c

@@ -13,6 +13,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_LOGMARK.h"
+#include "compat_user.h"
 
 enum {
 	F_LEVEL  = 1 << 0,

extensions/libxt_RAWDNAT.c

@@ -15,6 +15,7 @@
 #include <xtables.h>
 #include <linux/netfilter.h>
 #include "xt_RAWNAT.h"
+#include "compat_user.h"
 
 enum {
 	FLAGS_TO = 1 << 0,

extensions/libxt_RAWSNAT.c

@@ -15,6 +15,7 @@
 #include <xtables.h>
 #include <linux/netfilter.h>
 #include "xt_RAWNAT.h"
+#include "compat_user.h"
 
 enum {
 	FLAGS_TO = 1 << 0,

extensions/libxt_STEAL.c

@@ -1,5 +1,6 @@
 #include <stdio.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void steal_tg_help(void)
 {

extensions/libxt_SYSRQ.c

@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void sysrq_tg_help(void)
 {

extensions/libxt_TARPIT.c

@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <getopt.h>
 #include <xtables.h>
+#include "compat_user.h"
 
 static void tarpit_tg_help(void)
 {

extensions/libxt_TEE.c

@@ -23,6 +23,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_TEE.h"
+#include "compat_user.h"
 
 enum {
 	FLAG_GATEWAY = 1 << 0,

extensions/libxt_condition.c

@@ -16,6 +16,7 @@
 #include <getopt.h>
 #include <xtables.h>
 #include "xt_condition.h"
+#include "compat_user.h"
 
 static void condition_help(void)
 {

extensions/libxt_dhcpmac.c

@@ -16,6 +16,7 @@
 #include <xtables.h>
 #include "xt_DHCPMAC.h"
 #include "mac.c"
+#include "compat_user.h"
 
 enum {
 	F_MAC = 1 << 0,

extensions/libxt_fuzzy.c

@@ -15,6 +15,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_fuzzy.h"
+#include "compat_user.h"
 
 static void fuzzy_mt_help(void)
 {

extensions/libxt_geoip.c

@@ -24,6 +24,7 @@
 #include <unistd.h>
 #include <xtables.h>
 #include "xt_geoip.h"
+#include "compat_user.h"
 #define GEOIP_DB_DIR "/usr/share/xt_geoip"
 
 static void geoip_help(void)

extensions/libxt_iface.c

@@ -15,6 +15,7 @@
 
 #include <xtables.h>
 #include "xt_iface.h"
+#include "compat_user.h"
 
 static const struct option iface_mt_opts[] = {
 	{.name = "iface",        .has_arg = true,  .val = 'i'},

extensions/libxt_ipp2p.c

@@ -17,6 +17,7 @@
 #include <ctype.h>
 #include <xtables.h>
 #include "xt_ipp2p.h"
+#include "compat_user.h"
 #define param_act(t, s, f) xtables_param_act((t), "ipp2p", (s), (f))
 
 static void ipp2p_mt_help(void)

extensions/libxt_ipv4options.c

@@ -14,6 +14,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_ipv4options.h"
+#include "compat_user.h"
 
 /*
  * Overview from http://www.networksorcery.com/enp/protocol/ip.htm

extensions/libxt_length2.c

@@ -5,6 +5,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_length2.h"
+#include "compat_user.h"
 
 enum {
 	F_LAYER  = 1 << 0,

extensions/libxt_lscan.c

@@ -17,6 +17,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_lscan.h"
+#include "compat_user.h"
 
 static const struct option lscan_mt_opts[] = {
 	{.name = "stealth", .has_arg = false, .val = 'x'},

extensions/libxt_mp2t.c

@@ -0,0 +1,189 @@
+/*
+ * Userspace interface for MPEG2 TS match extension "mp2t" for Xtables.
+ *
+ * Copyright (c) Jesper Dangaard Brouer <jdb@comx.dk>, 2009+
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License; either
+ * version 2 of the License, or any later version, as published by the
+ * Free Software Foundation.
+ *
+ */
+
+#include <getopt.h>
+#include <netdb.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stddef.h>
+
+#include <xtables.h>
+#include "xt_mp2t.h"
+
+/*
+ * Userspace iptables/xtables interface for mp2t module.
+ */
+
+/* FIXME: don't think this compat check does not cover all versions */
+#ifndef XTABLES_VERSION
+#define xtables_error exit_error
+#endif
+
+static const struct option mp2t_mt_opts[] = {
+	{.name = "name",	.has_arg = true,  .val = 'n'},
+	{.name = "drop",	.has_arg = false, .val = 'd'},
+	{.name = "drop-detect",	.has_arg = false, .val = 'd'},
+	{.name = "max",		.has_arg = true,  .val = 'x'},
+	{.name = "max-streams",	.has_arg = true,  .val = 'x'},
+	{NULL},
+};
+
+static void mp2t_mt_help(void)
+{
+	printf(
+"mp2t (MPEG2 Transport Stream) match options:\n"
+"   [--name <name>]        Name for proc file /proc/net/xt_mp2t/rule_NAME\n"
+"   [--drop-detect]        Match lost TS frames (occured before this packet)\n"
+"   [--max-streams <num>]  Track 'max' number of streams (per rule)\n"
+		);
+}
+
+static void mp2t_mt_init(struct xt_entry_match *match)
+{
+	struct xt_mp2t_mtinfo *info = (void *)match->data;
+	/* Enable drop detection per default */
+	info->flags = XT_MP2T_DETECT_DROP;
+}
+
+static int mp2t_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+			 const void *entry, struct xt_entry_match **match)
+{
+	struct xt_mp2t_mtinfo *info = (void *)(*match)->data;
+	uint32_t num;
+
+	switch (c) {
+	case 'n': /* --name */
+		xtables_param_act(XTF_ONLY_ONCE, "mp2t", "--name",
+				  *flags & XT_MP2T_PARAM_NAME);
+		if (invert)
+			xtables_error(PARAMETER_PROBLEM, "Inverting name?");
+		if (strlen(optarg) == 0)
+			xtables_error(PARAMETER_PROBLEM, "Zero-length name?");
+		if (strchr(optarg, '"') != NULL)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Illegal character in name (\")!");
+		strncpy(info->rule_name, optarg, sizeof(info->rule_name));
+		info->flags |= XT_MP2T_PARAM_NAME;
+		*flags |= XT_MP2T_PARAM_NAME;
+		break;
+
+	case 'd': /* --drop-detect */
+		if (*flags & XT_MP2T_DETECT_DROP)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Can't specify --drop option twice");
+		*flags |= XT_MP2T_DETECT_DROP;
+
+		if (invert)
+			info->flags &= ~XT_MP2T_DETECT_DROP;
+		else
+			info->flags |= XT_MP2T_DETECT_DROP;
+
+		break;
+
+	case 'x': /* --max-streams */
+		if (*flags & XT_MP2T_MAX_STREAMS)
+			xtables_error(PARAMETER_PROBLEM,
+				"Can't specify --max-streams option twice");
+		*flags |= XT_MP2T_MAX_STREAMS;
+
+		if (invert) {
+			info->cfg.max = 0;
+			/* printf("inverted\n"); */
+			break;
+		}
+
+		/* OLD iptables style
+		if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
+			xtables_error(PARAMETER_PROBLEM,
+				      "bad --max-stream: `%s'", optarg);
+		*/
+
+		/* C-style
+		char *end;
+		num = strtoul(optarg, &end, 0);
+		*/
+
+		/* New xtables style */
+		if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+			xtables_error(PARAMETER_PROBLEM,
+				      "bad --max-stream: `%s'", optarg);
+
+		/* DEBUG: printf("--max-stream=%lu\n", num); */
+		info->flags |= XT_MP2T_MAX_STREAMS;
+		info->cfg.max = num;
+
+		break;
+
+	default:
+		return false;
+	}
+
+	return true;
+}
+
+static void mp2t_mt_print(const void *entry,
+			  const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_mp2t_mtinfo *info = (const void *)(match->data);
+
+	/* Always indicate this is a mp2t match rule */
+	printf("mp2t match");
+
+	if (info->flags & XT_MP2T_PARAM_NAME)
+		printf(" name:\"%s\"", info->rule_name);
+
+	if (!(info->flags & XT_MP2T_DETECT_DROP))
+		printf(" !drop-detect");
+
+	if (info->flags & XT_MP2T_MAX_STREAMS)
+		printf(" max-streams:%u ", info->cfg.max);
+}
+
+static void mp2t_mt_save(const void *entry,
+			 const struct xt_entry_match *match)
+{
+	const struct xt_mp2t_mtinfo *info = (const void *)(match->data);
+
+	/* We need to handle --name, --drop-detect, and --max-streams. */
+	if (info->flags & XT_MP2T_PARAM_NAME)
+		printf("--name \"%s\" ",  info->rule_name);
+
+	if (!(info->flags & XT_MP2T_DETECT_DROP))
+		printf("! --drop-detect ");
+
+	if (info->flags & XT_MP2T_MAX_STREAMS)
+		printf("--max-streams %u ", info->cfg.max);
+
+}
+
+static struct xtables_match mp2t_mt_reg = {
+	.version        = XTABLES_VERSION,
+	.name           = "mp2t",
+	.revision       = 0,
+	.family         = PF_UNSPEC,
+	.size           = XT_ALIGN(sizeof(struct xt_mp2t_mtinfo)),
+	.userspacesize  = offsetof(struct xt_mp2t_mtinfo, hinfo),
+	.init           = mp2t_mt_init,
+	.help           = mp2t_mt_help,
+	.parse          = mp2t_mt_parse,
+/*	.final_check    = mp2t_mt_check,*/
+	.print          = mp2t_mt_print,
+	.save           = mp2t_mt_save,
+	.extra_opts     = mp2t_mt_opts,
+};
+
+static void _init(void)
+{
+	xtables_register_match(&mp2t_mt_reg);
+}

extensions/libxt_psd.c

@@ -28,6 +28,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_psd.h"
+#include "compat_user.h"
 
 /* Function which prints out usage message. */
 static void psd_mt_help(void) {

extensions/libxt_quota2.c

@@ -15,6 +15,7 @@
 #include <string.h>
 #include <xtables.h>
 #include "xt_quota2.h"
+#include "compat_user.h"
 
 enum {
 	FL_QUOTA     = 1 << 0,

extensions/pknock/libxt_pknock.c

@@ -16,6 +16,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include "xt_pknock.h"
+#include "compat_user.h"
 
 static const struct option pknock_mt_opts[] = {
 	/* .name, .has_arg, .flag, .val */

extensions/xt_LOGMARK.c

@@ -2,7 +2,7 @@
  *	"LOGMARK" target extension to Xtables
  *	useful for debugging
  *
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -75,6 +75,8 @@ logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 			printk("%s""ASSURED", prev++ ? "," : "");
 		if (ct->status & IPS_CONFIRMED)
 			printk("%s""CONFIRMED", prev++ ? "," : "");
+		printk(" lifetime=%lus",
+		       (jiffies - ct->timeout.expires) / HZ);
 	}
 
 	printk("\n");

extensions/xt_SYSRQ.c

@@ -152,7 +152,9 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 	sysrq_seqno = new_seqno;
 	for (i = 0; i < len && data[i] != ','; ++i) {
 		printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+		handle_sysrq(data[i]);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 		handle_sysrq(data[i], NULL);
 #else
 		handle_sysrq(data[i], NULL, NULL);
@@ -187,7 +189,9 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 		return NF_DROP;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+	handle_sysrq(c);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 	handle_sysrq(c, NULL);
 #else
 	handle_sysrq(c, NULL, NULL);

extensions/xt_TARPIT.c

@@ -73,7 +73,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook)
 	/* Rate-limit replies to !SYN,ACKs */
 #if 0
 	if (!oth->syn && oth->ack)
-		if (!xrlim_allow(&ort->u.dst, HZ))
+		if (!xrlim_allow(rt_dst(ort), HZ))
 			return;
 #endif
 

extensions/xt_TEE.c

@@ -51,8 +51,8 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 		return false;
 
 	dst_release(skb_dst(skb));
-	skb_dst_set(skb, &rt->u.dst);
-	skb->dev      = rt->u.dst.dev;
+	skb_dst_set(skb, rt_dst(rt));
+	skb->dev      = rt_dst(rt)->dev;
 	skb->protocol = htons(ETH_P_IP);
 	return true;
 }

extensions/xt_mp2t.h

@@ -0,0 +1,58 @@
+/*
+ * Header file for MPEG2 TS match extension "mp2t" for Xtables.
+ *
+ * Copyright (c) Jesper Dangaard Brouer <jdb@comx.dk>, 2009+
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License; either
+ * version 2 of the License, or any later version, as published by the
+ * Free Software Foundation.
+ *
+ */
+#ifndef _LINUX_NETFILTER_XT_MP2T_MATCH_H
+#define _LINUX_NETFILTER_XT_MP2T_MATCH_H 1
+
+enum {
+	XT_MP2T_DETECT_DROP = 1 << 0,
+	XT_MP2T_MAX_STREAMS = 1 << 1,
+	XT_MP2T_PARAM_NAME  = 1 << 2,
+};
+
+/* Details of this hash structure is hidden in kernel space xt_mp2t.c */
+struct xt_rule_mp2t_conn_htable;
+
+struct mp2t_cfg {
+
+	/* Hash table setup */
+	__u32 size;		/* how many hash buckets */
+	__u32 max;		/* max number of entries */
+	__u32 max_list;	/* warn if list searches exceed this number */
+};
+
+
+struct xt_mp2t_mtinfo {
+	__u16 flags;
+
+	/* FIXME:
+
+	   I need to fix the problem, where I have to reallocated data
+	   each time a single rule change occur.
+
+	   The idea with rule_name and rule_id is that the name is
+	   optional, simply to provide a name in /proc/, the rule_id
+	   is the real lookup-key in the internal kernel list of the
+	   rules associated dynamic-allocated-data.
+
+	 */
+	char rule_name[IFNAMSIZ];
+
+	struct mp2t_cfg cfg;
+
+	/** Below used internally by the kernel **/
+	__u32 rule_id;
+
+	/* Hash table pointer */
+	struct xt_rule_mp2t_conn_htable *hinfo __attribute__((aligned(8)));
+};
+
+#endif /* _LINUX_NETFILTER_XT_MP2T_MATCH_H */

mconfig

@@ -2,7 +2,7 @@
 #
 build_ACCOUNT=m
 build_CHAOS=m
-build_CHECKSUM=m
+build_CHECKSUM=
 build_DELUDE=m
 build_DHCPMAC=m
 build_ECHO=
@@ -12,7 +12,7 @@ build_RAWNAT=m
 build_STEAL=m
 build_SYSRQ=m
 build_TARPIT=m
-build_TEE=m
+build_TEE=
 build_condition=m
 build_fuzzy=m
 build_geoip=m
@@ -22,6 +22,7 @@ build_ipset=m
 build_ipv4options=m
 build_length2=m
 build_lscan=m
+build_mp2t=m
 build_pknock=m
 build_psd=m
 build_quota2=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.28 (2010-07-24)" "" "v1.28 (2010-07-24)"
+.TH xtables-addons 8 "v1.30 (2010-10-02)" "" "v1.30 (2010-10-02)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets