xt_mp2t: fix compile error from v1.30-9-gff80812

libxt_mp2t.c: In function ‘mp2t_mt_help’:
libxt_mp2t.c:50:3: error: ‘version’ undeclared (first use in this function)

It is almost impossible to properly keep version numbers in sync
between kernel and userland components (especially when they are
separated from another), so just remove it.

Makefile.iptrules.in

@@ -11,7 +11,6 @@ xtlibdir        = @xtlibdir@
 CC              = @CC@
 CCLD            = ${CC}
 CFLAGS          = @CFLAGS@
-LDFLAGS         = @LDFLAGS@
 
 regular_CFLAGS  = @regular_CFLAGS@
 libxtables_CFLAGS = @libxtables_CFLAGS@

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.31])
+AC_INIT([xtables-addons], [1.30])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -21,17 +21,15 @@ if [[ "$kbuilddir" == no ]]; then
 	kbuilddir="";
 fi
 
-AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
-	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
-PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
-xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
-
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path where to install Xtables extensions [[autodetect]]]]),
-	[xtlibdir="$withval"])
-AC_MSG_CHECKING([Xtables module directory])
-AC_MSG_RESULT([$xtlibdir])
+	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
+	[xtlibdir="$withval"],
+	[xtlibdir='${libexecdir}/xtables'])
+
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
+AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
+	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
@@ -48,7 +46,6 @@ if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
 	# Well, just a warning. Maybe the admin updated the kernel.
 	echo "WARNING: This distribution's shipped kernel is not supported.";
 fi;
-AC_MSG_CHECKING([kernel version that we will build against])
 krel="$(make -sC ${kbuilddir} kernelrelease)";
 krel="${krel%%-*}";
 kmajor="${krel%%.*}";
@@ -57,28 +54,22 @@ kminor="${krel%%.*}";
 krel="${krel#*.}";
 kmicro="${krel%%.*}";
 if test "$kmicro" = "$krel"; then
-	kmicro="$(($kmicro+0))"; # Get rid of non numbers ("2.6.36+" -> "2.6.36")
 	kstable=0;
 else
-	kmicro="$(($kmicro+0))";
 	kstable="${krel#*.}";
-	kstable="$(($kstable+0))";
-fi;
-if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
-	echo "WARNING: Version detection did not succeed. Continue at own luck.";
-else
-	echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-	if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 36; then
-		echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
-	elif test \( "$kmajor" -lt 2 -o \
-	    \( "$kmajor" -eq 2 -a "$kminor" -lt 6 \) -o \
-	    \( "$kmajor" -eq 2 -a "$kminor" -eq 0 -a "$kmicro" -lt 17 \) -o \
-	    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
-	    "$kstable" -lt 5 \) \); then
-		echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
-		exit 1;
+	if test -z "$kstable"; then
+		kstable=0;
 	fi;
 fi;
+echo "Found kernel version $kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 36; then
+	echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
+elif test \( "$kmajor" -lt 2 -o "$kminor" -lt 6 -o "$kmicro" -lt 17 \) -o \
+    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
+    "$kstable" -lt 5 \); then
+	echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
+	exit 1;
+fi;
 
 AC_SUBST([regular_CFLAGS])
 AC_SUBST([kbuilddir])

doc/changelog.txt

@@ -3,19 +3,6 @@ HEAD
 ====
 
 
-v1.31 (November 05 2010)
-========================
-- LOGMARK: print remaining lifetime of cts
-- build: improve detection of kernel version and error handling
-- build: automatically derive Xtables module directory, thus
-  --with-xtlibdir is no longer needed for ./configure in most cases
-  (If I still see a distro using it, I will scold you for not
-  reading this changelog.)
-- xt_iface: allow matching against incoming/outgoing interface
-- libxt_gradm: match packets based on status of grsecurity RBAC
-  (userspace part only - xt_gradm is in the grsec patch)
-
-
 v1.30 (October 02 2010)
 =======================
 - update to ipset 4.4

extensions/Kbuild

@@ -30,6 +30,7 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o
+obj-${build_mp2t}        += xt_mp2t.o
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += xt_psd.o
 obj-${build_quota2}      += xt_quota2.o

extensions/Mbuild

@@ -22,7 +22,7 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
+obj-${build_mp2t}        += libxt_mp2t.so
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so
-obj-${build_gradm}       += libxt_gradm.so

extensions/libxt_gradm.c

@@ -1,98 +0,0 @@
-/*
- *	"gradm" match extension for iptables
- *	Zbigniew Krzystolik <zbyniu@destrukcja.pl>, 2010
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License;
- *	either version 2 of the License, or any later version, as
- *	published by the Free Software Foundation.
- */
-#include <getopt.h>
-#include <netdb.h>
-#include <stddef.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <xtables.h>
-#include "xt_gradm.h"
-
-static void gradm_mt_help(void)
-{
-	printf(
-"gradm match options:\n"
-" [!] --enabled    is Grsecurity RBAC enabled\n"
-" [!] --disabled   is Grsecurity RBAC disabled\n");
-};
-
-static const struct option gradm_mt_opts[] = {
-	{.name = "enabled",  .has_arg = false, .val = '1'},
-	{.name = "disabled", .has_arg = false, .val = '2'},
-	{NULL},
-};
-
-static void gradm_mt_init(struct xt_entry_match *m)
-{
-}
-
-static int gradm_mt_parse(int c, char **argv, int invert, unsigned int *flags,
-                          const void *entry, struct xt_entry_match **match)
-{
-	struct xt_gradm_mtinfo *info = (void *)(*match)->data;
-
-	switch (c) {
-	case '1':
-		if (invert)
-			info->invflags |= 1;
-		return true;
-	case '2':
-		if (!invert)
-			info->invflags |= 1;
-		return true;
-	}
-	return false;
-}
-
-static void gradm_mt_check(unsigned int flags)
-{
-}
-
-static void gradm_mt_print(const void *ip, const struct xt_entry_match *match,
-                           int numeric)
-{
-	const struct xt_gradm_mtinfo *info = (const void *)match->data;
-
-	if (info->invflags)
-		printf("gradm: disabled");
-	else
-		printf("gradm: enabled");
-}
-
-static void gradm_mt_save(const void *ip, const struct xt_entry_match *match)
-{
-	const struct xt_gradm_mtinfo *info = (const void *)match->data;
-
-	if (info->invflags)
-		printf("--disabled ");
-	else
-		printf("--enabled ");
-}
-
-static struct xtables_match gradm_mt_reg = { 
-	.family        = NFPROTO_UNSPEC,
-	.name          = "gradm",
-	.version       = XTABLES_VERSION,
-	.size          = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
-	.help          = gradm_mt_help,
-	.init          = gradm_mt_init,
-	.parse         = gradm_mt_parse,
-	.final_check   = gradm_mt_check,
-	.print         = gradm_mt_print,
-	.save          = gradm_mt_save,
-	.extra_opts    = gradm_mt_opts,
-};
-
-static __attribute__((constructor)) void gradm_mt_ldr(void)
-{
-	xtables_register_match(&gradm_mt_reg);
-}

extensions/libxt_gradm.man

@@ -1,7 +0,0 @@
-This module matches packets based on grsecurity RBAC status.
-.TP
-[\fB!\fP] \fB\-\-enabled\fP
-Matches packets if grsecurity RBAC is enabled.
-.TP
-[\fB!\fP] \fB\-\-disabled\fP
-Matches packets if grsecurity RBAC is disabled.

extensions/libxt_iface.c

@@ -17,14 +17,8 @@
 #include "xt_iface.h"
 #include "compat_user.h"
 
-enum {
-	XT_IFACE_IFACE = 1 << 16,
-};
-
 static const struct option iface_mt_opts[] = {
 	{.name = "iface",        .has_arg = true,  .val = 'i'},
-	{.name = "dev-in",       .has_arg = false, .val = 'I'},
-	{.name = "dev-out",      .has_arg = false, .val = 'O'},
 	{.name = "up",           .has_arg = false, .val = 'u'},
 	{.name = "down",         .has_arg = false, .val = 'U'}, /* not up */
 	{.name = "broadcast",    .has_arg = false, .val = 'b'},
@@ -46,7 +40,9 @@ static void iface_print_opt(const struct xt_iface_mtinfo *info,
     const unsigned int option, const char *command)
 {
 	if (info->flags & option)
-		printf(" %s%s", (info->invflags & option) ? "! " : "", command);
+		printf(" %s", command);
+	if (info->invflags & option)
+		printf(" ! %s", command);
 }
 
 static void iface_setflag(struct xt_iface_mtinfo *info,
@@ -55,9 +51,10 @@ static void iface_setflag(struct xt_iface_mtinfo *info,
 	if (*flags & flag)
 		xtables_error(PARAMETER_PROBLEM,
 			"iface: \"--%s\" flag already specified", command);
-	info->flags |= flag;
 	if (invert)
 		info->invflags |= flag;
+	else
+		info->flags |= flag;
 	*flags |= flag;
 }
 
@@ -72,20 +69,19 @@ static void iface_mt_help(void)
 {
 	printf(
 	"iface match options:\n"
-	"    --iface interface     Name of interface\n"
-	"    --dev-in / --dev-out  Use incoming/outgoing interface instead\n"
-	"[!] --up / --down         match if UP flag (not) set\n"
-	"[!] --broadcast           match if BROADCAST flag (not) set\n"
-	"[!] --loopback            match if LOOPBACK flag (not) set\n"
+	"    --iface interface    Name of interface\n"
+	"[!] --up / --down        match if UP flag (not) set\n"
+	"[!] --broadcast          match if BROADCAST flag (not) set\n"
+	"[!] --loopback           match if LOOPBACK flag (not) set\n"
 	"[!] --pointopoint\n"
-	"[!] --pointtopoint        match if POINTOPOINT flag (not) set\n"
-	"[!] --running             match if RUNNING flag (not) set\n"
-	"[!] --noarp / --arp       match if NOARP flag (not) set\n"
-	"[!] --promisc             match if PROMISC flag (not) set\n"
-	"[!] --multicast           match if MULTICAST flag (not) set\n"
-	"[!] --dynamic             match if DYNAMIC flag (not) set\n"
-	"[!] --lower-up            match if LOWER_UP flag (not) set\n"
-	"[!] --dormant             match if DORMANT flag (not) set\n");
+	"[!] --pointtopoint       match if POINTOPOINT flag (not) set\n"
+	"[!] --running            match if RUNNING flag (not) set\n"
+	"[!] --noarp / --arp      match if NOARP flag (not) set\n"
+	"[!] --promisc            match if PROMISC flag (not) set\n"
+	"[!] --multicast          match if MULTICAST flag (not) set\n"
+	"[!] --dynamic            match if DYNAMIC flag (not) set\n"
+	"[!] --lower-up           match if LOWER_UP flag (not) set\n"
+	"[!] --dormant            match if DORMANT flag (not) set\n");
 }
 
 static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
@@ -115,18 +111,6 @@ static int iface_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 		strcpy(info->ifname, optarg);
 		*flags |= XT_IFACE_IFACE;
 		return true;
-	case 'I': /* --dev-in */
-		xtables_param_act(XTF_ONLY_ONCE, "iface", "--dev-in",
-			*flags & XT_IFACE_IFACE);
-		*flags |= XT_IFACE_IFACE;
-		iface_setflag(info, flags, invert, XT_IFACE_DEV_IN, "dev-in");
-		return true;
-	case 'O': /* --dev-out */
-		xtables_param_act(XTF_ONLY_ONCE, "iface", "--dev-out",
-			*flags & XT_IFACE_IFACE);
-		*flags |= XT_IFACE_IFACE;
-		iface_setflag(info, flags, invert, XT_IFACE_DEV_OUT, "dev-out");
-		return true;
 	case 'u': /* UP */
 		iface_setflag(info, flags, invert, XT_IFACE_UP, "up");
 		return true;
@@ -169,8 +153,7 @@ static void iface_mt_check(unsigned int flags)
 	if (!(flags & XT_IFACE_IFACE))
 		xtables_error(PARAMETER_PROBLEM,
 			"iface: You must specify an interface");
-	if ((flags & ~(XT_IFACE_IFACE | XT_IFACE_DEV_IN |
-	    XT_IFACE_DEV_OUT)) == 0)
+	if (flags == 0 || flags == XT_IFACE_IFACE)
 		xtables_error(PARAMETER_PROBLEM,
 			"iface: You must specify at least one option");
 }
@@ -180,14 +163,7 @@ static void iface_mt_print(const void *ip, const struct xt_entry_match *match,
 {
 	const struct xt_iface_mtinfo *info = (const void *)match->data;
 
-	printf("iface: ");
-	if (info->flags & XT_IFACE_DEV_IN)
-		printf("(in)");
-	else if (info->flags & XT_IFACE_DEV_OUT)
-		printf("(out)");
-	else
-		printf("%s", info->ifname);
-	printf(" [state:");
+	printf("iface: \"%s\" [state:", info->ifname);
 	iface_print_opt(info, XT_IFACE_UP,          "up");
 	iface_print_opt(info, XT_IFACE_BROADCAST,   "broadcast");
 	iface_print_opt(info, XT_IFACE_LOOPBACK,    "loopback");
@@ -206,12 +182,7 @@ static void iface_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_iface_mtinfo *info = (const void *)match->data;
 
-	if (info->flags & XT_IFACE_DEV_IN)
-		printf("--dev-in");
-	else if (info->flags & XT_IFACE_DEV_OUT)
-		printf("--dev-out");
-	else
-		printf("--iface %s", info->ifname);
+	printf(" --iface %s", info->ifname);
 	iface_print_opt(info, XT_IFACE_UP,          "--up");
 	iface_print_opt(info, XT_IFACE_BROADCAST,   "--broadcast");
 	iface_print_opt(info, XT_IFACE_LOOPBACK,    "--loopback");

extensions/libxt_iface.man

@@ -1,20 +1,7 @@
-Allows you to check interface states. First, an interface needs to be selected
-for comparison. Exactly one option of the following three must be specified:
+Allows you to check interface states.
 .TP
 \fB\-\-iface\fP \fIname\fP
-Check the states on the given interface.
-.TP
-\fB\-\-dev\-in\fP
-Check the states on the interface on which the packet came in. If the input
-device is not set, because for example you are using \-m iface in the OUTPUT
-chain, this submatch returns false.
-.TP
-\fB\-\-dev\-out\fP
-Check the states on the interface on which the packet will go out. If the
-output device is not set, because for example you are using \-m iface in the
-INPUT chain, this submatch returns false.
-.PP
-Following that, one can select the interface properties to check for:
+Check the states on the given interface. This option is required.
 .TP
 [\fB!\fP] \fB\-\-up\fP, [\fB!\fP] \fB\-\-down\fP
 Check the UP flag.

extensions/libxt_mp2t.c

@@ -0,0 +1,189 @@
+/*
+ * Userspace interface for MPEG2 TS match extension "mp2t" for Xtables.
+ *
+ * Copyright (c) Jesper Dangaard Brouer <jdb@comx.dk>, 2009+
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License; either
+ * version 2 of the License, or any later version, as published by the
+ * Free Software Foundation.
+ *
+ */
+
+#include <getopt.h>
+#include <netdb.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stddef.h>
+
+#include <xtables.h>
+#include "xt_mp2t.h"
+
+/*
+ * Userspace iptables/xtables interface for mp2t module.
+ */
+
+/* FIXME: don't think this compat check does not cover all versions */
+#ifndef XTABLES_VERSION
+#define xtables_error exit_error
+#endif
+
+static const struct option mp2t_mt_opts[] = {
+	{.name = "name",	.has_arg = true,  .val = 'n'},
+	{.name = "drop",	.has_arg = false, .val = 'd'},
+	{.name = "drop-detect",	.has_arg = false, .val = 'd'},
+	{.name = "max",		.has_arg = true,  .val = 'x'},
+	{.name = "max-streams",	.has_arg = true,  .val = 'x'},
+	{NULL},
+};
+
+static void mp2t_mt_help(void)
+{
+	printf(
+"mp2t (MPEG2 Transport Stream) match options:\n"
+"   [--name <name>]        Name for proc file /proc/net/xt_mp2t/rule_NAME\n"
+"   [--drop-detect]        Match lost TS frames (occured before this packet)\n"
+"   [--max-streams <num>]  Track 'max' number of streams (per rule)\n"
+		);
+}
+
+static void mp2t_mt_init(struct xt_entry_match *match)
+{
+	struct xt_mp2t_mtinfo *info = (void *)match->data;
+	/* Enable drop detection per default */
+	info->flags = XT_MP2T_DETECT_DROP;
+}
+
+static int mp2t_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+			 const void *entry, struct xt_entry_match **match)
+{
+	struct xt_mp2t_mtinfo *info = (void *)(*match)->data;
+	uint32_t num;
+
+	switch (c) {
+	case 'n': /* --name */
+		xtables_param_act(XTF_ONLY_ONCE, "mp2t", "--name",
+				  *flags & XT_MP2T_PARAM_NAME);
+		if (invert)
+			xtables_error(PARAMETER_PROBLEM, "Inverting name?");
+		if (strlen(optarg) == 0)
+			xtables_error(PARAMETER_PROBLEM, "Zero-length name?");
+		if (strchr(optarg, '"') != NULL)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Illegal character in name (\")!");
+		strncpy(info->rule_name, optarg, sizeof(info->rule_name));
+		info->flags |= XT_MP2T_PARAM_NAME;
+		*flags |= XT_MP2T_PARAM_NAME;
+		break;
+
+	case 'd': /* --drop-detect */
+		if (*flags & XT_MP2T_DETECT_DROP)
+			xtables_error(PARAMETER_PROBLEM,
+				      "Can't specify --drop option twice");
+		*flags |= XT_MP2T_DETECT_DROP;
+
+		if (invert)
+			info->flags &= ~XT_MP2T_DETECT_DROP;
+		else
+			info->flags |= XT_MP2T_DETECT_DROP;
+
+		break;
+
+	case 'x': /* --max-streams */
+		if (*flags & XT_MP2T_MAX_STREAMS)
+			xtables_error(PARAMETER_PROBLEM,
+				"Can't specify --max-streams option twice");
+		*flags |= XT_MP2T_MAX_STREAMS;
+
+		if (invert) {
+			info->cfg.max = 0;
+			/* printf("inverted\n"); */
+			break;
+		}
+
+		/* OLD iptables style
+		if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
+			xtables_error(PARAMETER_PROBLEM,
+				      "bad --max-stream: `%s'", optarg);
+		*/
+
+		/* C-style
+		char *end;
+		num = strtoul(optarg, &end, 0);
+		*/
+
+		/* New xtables style */
+		if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX))
+			xtables_error(PARAMETER_PROBLEM,
+				      "bad --max-stream: `%s'", optarg);
+
+		/* DEBUG: printf("--max-stream=%lu\n", num); */
+		info->flags |= XT_MP2T_MAX_STREAMS;
+		info->cfg.max = num;
+
+		break;
+
+	default:
+		return false;
+	}
+
+	return true;
+}
+
+static void mp2t_mt_print(const void *entry,
+			  const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_mp2t_mtinfo *info = (const void *)(match->data);
+
+	/* Always indicate this is a mp2t match rule */
+	printf("mp2t match");
+
+	if (info->flags & XT_MP2T_PARAM_NAME)
+		printf(" name:\"%s\"", info->rule_name);
+
+	if (!(info->flags & XT_MP2T_DETECT_DROP))
+		printf(" !drop-detect");
+
+	if (info->flags & XT_MP2T_MAX_STREAMS)
+		printf(" max-streams:%u ", info->cfg.max);
+}
+
+static void mp2t_mt_save(const void *entry,
+			 const struct xt_entry_match *match)
+{
+	const struct xt_mp2t_mtinfo *info = (const void *)(match->data);
+
+	/* We need to handle --name, --drop-detect, and --max-streams. */
+	if (info->flags & XT_MP2T_PARAM_NAME)
+		printf("--name \"%s\" ",  info->rule_name);
+
+	if (!(info->flags & XT_MP2T_DETECT_DROP))
+		printf("! --drop-detect ");
+
+	if (info->flags & XT_MP2T_MAX_STREAMS)
+		printf("--max-streams %u ", info->cfg.max);
+
+}
+
+static struct xtables_match mp2t_mt_reg = {
+	.version        = XTABLES_VERSION,
+	.name           = "mp2t",
+	.revision       = 0,
+	.family         = PF_UNSPEC,
+	.size           = XT_ALIGN(sizeof(struct xt_mp2t_mtinfo)),
+	.userspacesize  = offsetof(struct xt_mp2t_mtinfo, hinfo),
+	.init           = mp2t_mt_init,
+	.help           = mp2t_mt_help,
+	.parse          = mp2t_mt_parse,
+/*	.final_check    = mp2t_mt_check,*/
+	.print          = mp2t_mt_print,
+	.save           = mp2t_mt_save,
+	.extra_opts     = mp2t_mt_opts,
+};
+
+static void _init(void)
+{
+	xtables_register_match(&mp2t_mt_reg);
+}

extensions/xt_gradm.h

@@ -1,9 +0,0 @@
-#ifndef _XT_GRADM_H
-#define _XT_GRADM_H
-
-struct xt_gradm_mtinfo {
-	__u16 flags;
-	__u16 invflags;
-};
-
-#endif

extensions/xt_iface.c

@@ -40,46 +40,29 @@ static const struct xt_iface_flag_pairs xt_iface_lookup[] =
 	{.iface_flag = XT_IFACE_DORMANT,	.iff_flag = IFF_DORMANT},
 };
 
-static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
-    const struct xt_action_param *par, struct net_device **put)
-{
-	if (info->flags & XT_IFACE_DEV_IN)
-		return par->in;
-	else if (info->flags & XT_IFACE_DEV_OUT)
-		return par->out;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
-	return *put = dev_get_by_name(&init_net, info->ifname);
-#else
-	return *put = dev_get_by_name(info->ifname);
-#endif
-}
-
-static bool iface_flagtest(unsigned int devflags, unsigned int flags,
-    unsigned int invflags)
-{
-	unsigned int i;
-
-	for (i = 0; i < ARRAY_SIZE(xt_iface_lookup); ++i)
-		if ((flags & xt_iface_lookup[i].iface_flag) &&
-		    !!(devflags & xt_iface_lookup[i].iff_flag) ^
-		    !(invflags & xt_iface_lookup[i].iface_flag))
-			return false;
-	return true;
-}
-
 static bool xt_iface_mt(const struct sk_buff *skb,
     struct xt_action_param *par)
 {
 	const struct xt_iface_mtinfo *info = par->matchinfo;
-	struct net_device *put = NULL;
-	const struct net_device *dev = iface_get(info, par, &put);
+	struct net_device *dev;
 	bool retval;
+	int i;
 
-	if (dev == NULL)
-		return false;
-	retval = iface_flagtest(dev->flags, info->flags, info->invflags);
-	if (put != NULL)
-		dev_put(put);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
+	dev = dev_get_by_name(&init_net, info->ifname);
+#else
+	dev = dev_get_by_name(info->ifname);
+#endif
+	retval = dev != NULL;
+	if (retval) {
+		for (i = 0; i < ARRAY_SIZE(xt_iface_lookup) && retval; ++i) {
+			if (info->flags & xt_iface_lookup[i].iface_flag)
+				retval &= dev->flags & xt_iface_lookup[i].iff_flag;
+			if (info->invflags & xt_iface_lookup[i].iface_flag)
+				retval &= !(dev->flags & xt_iface_lookup[i].iff_flag);
+		}
+		dev_put(dev);
+	}
 	return retval;
 }
 

extensions/xt_iface.h

@@ -13,8 +13,7 @@ enum {
 	XT_IFACE_DYNAMIC     = 1 << 8,
 	XT_IFACE_LOWER_UP    = 1 << 9,
 	XT_IFACE_DORMANT     = 1 << 10,
-	XT_IFACE_DEV_IN      = 1 << 11,
-	XT_IFACE_DEV_OUT     = 1 << 12,
+	XT_IFACE_IFACE       = 1 << 15,
 };
 
 struct xt_iface_mtinfo {

extensions/xt_mp2t.h

@@ -0,0 +1,58 @@
+/*
+ * Header file for MPEG2 TS match extension "mp2t" for Xtables.
+ *
+ * Copyright (c) Jesper Dangaard Brouer <jdb@comx.dk>, 2009+
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License; either
+ * version 2 of the License, or any later version, as published by the
+ * Free Software Foundation.
+ *
+ */
+#ifndef _LINUX_NETFILTER_XT_MP2T_MATCH_H
+#define _LINUX_NETFILTER_XT_MP2T_MATCH_H 1
+
+enum {
+	XT_MP2T_DETECT_DROP = 1 << 0,
+	XT_MP2T_MAX_STREAMS = 1 << 1,
+	XT_MP2T_PARAM_NAME  = 1 << 2,
+};
+
+/* Details of this hash structure is hidden in kernel space xt_mp2t.c */
+struct xt_rule_mp2t_conn_htable;
+
+struct mp2t_cfg {
+
+	/* Hash table setup */
+	__u32 size;		/* how many hash buckets */
+	__u32 max;		/* max number of entries */
+	__u32 max_list;	/* warn if list searches exceed this number */
+};
+
+
+struct xt_mp2t_mtinfo {
+	__u16 flags;
+
+	/* FIXME:
+
+	   I need to fix the problem, where I have to reallocated data
+	   each time a single rule change occur.
+
+	   The idea with rule_name and rule_id is that the name is
+	   optional, simply to provide a name in /proc/, the rule_id
+	   is the real lookup-key in the internal kernel list of the
+	   rules associated dynamic-allocated-data.
+
+	 */
+	char rule_name[IFNAMSIZ];
+
+	struct mp2t_cfg cfg;
+
+	/** Below used internally by the kernel **/
+	__u32 rule_id;
+
+	/* Hash table pointer */
+	struct xt_rule_mp2t_conn_htable *hinfo __attribute__((aligned(8)));
+};
+
+#endif /* _LINUX_NETFILTER_XT_MP2T_MATCH_H */

mconfig

@@ -16,13 +16,13 @@ build_TEE=
 build_condition=m
 build_fuzzy=m
 build_geoip=m
-build_gradm=m
 build_iface=m
 build_ipp2p=m
 build_ipset=m
 build_ipv4options=m
 build_length2=m
 build_lscan=m
+build_mp2t=m
 build_pknock=m
 build_psd=m
 build_quota2=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.31 (2010-11-05)" "" "v1.31 (2010-11-05)"
+.TH xtables-addons 8 "v1.30 (2010-10-02)" "" "v1.30 (2010-10-02)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets