Xtables-addons 1.34

I would like to move forward a bit, and today, two issues prompted
me to start removing old code:

* make 3.82 does not like mixing normal rules with implicit rules,
  which rejects Makefiles of Linux kernels before 2.6.34.

* xt_DNETMAP uses functionality not available before 2.6.29.

INSTALL

@@ -14,7 +14,7 @@ Supported configurations for this release
 
 	* iptables >= 1.4.3
 
-	* kernel-source >= 2.6.17, no upper bound known
+	* kernel-source >= 2.6.29
 	  with prepared build/output directory
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
@@ -22,12 +22,6 @@ Supported configurations for this release
 	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
 	    notifications from pknock through netlink/connector
 
-Extra notes:
-
-	* in the kernel 2.6.18.x series, >= 2.6.18.5 is required
-
-	* requires that no vendor backports interfere
-
 For ipset-5 you need:
 
 	* libmnl

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.33])
+AC_INIT([xtables-addons], [1.34])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -40,15 +40,6 @@ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
 	-Winline -pipe";
 
-#
-# check kernel version
-#
-if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
-    grep -q "Red Hat Enterprise Linux Server release 5" /etc/redhat-release 2>/dev/null; then
-	# しまった!
-	# Well, just a warning. Maybe the admin updated the kernel.
-	echo "WARNING: This distribution's shipped kernel is not supported.";
-fi;
 if test -n "$kbuilddir"; then
 	AC_MSG_CHECKING([kernel version that we will build against])
 	krel="$(make -sC "$kbuilddir" M=. kernelrelease)";
@@ -72,13 +63,17 @@ if test -n "$kbuilddir"; then
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
 		if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 38; then
 			echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
+		elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29; then
+			:; # everything ok
 		elif test \( "$kmajor" -lt 2 -o \
 		    \( "$kmajor" -eq 2 -a "$kminor" -lt 6 \) -o \
 		    \( "$kmajor" -eq 2 -a "$kminor" -eq 0 -a "$kmicro" -lt 17 \) -o \
 		    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
 		    "$kstable" -lt 5 \) \); then
-			echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
+			echo "ERROR: That kernel version is not supported at all. Please see INSTALL for minimum configuration.";
 			exit 1;
+		else
+			echo "WARNING: That kernel version has been recently deprecated for use with Xtables-addons). Compilation may fail.";
 		fi;
 	fi;
 fi;

doc/changelog.txt

@@ -3,6 +3,19 @@ HEAD
 ====
 
 
+v1.34 (2011-04-07)
+==================
+Fixes:
+- xt_pknock: avoid crash when hash TFM could not be allocated
+- xt_pknock: avoid inversion of rule lookup that led to warnings
+- xt_DNETMAP: add missing module alias
+- xt_DNETMAP: support for kernels below 2.6.34
+Changes:
+- Linux kernel versions below 2.6.29 are no longer officially
+  supported, and will not be part of compilation testing.
+  Expect that compat code will be removed shortly.
+
+
 v1.33 (2011-02-02)
 ==================
 Fixes:

extensions/pknock/xt_pknock.c

@@ -398,19 +398,15 @@ peer_gc(unsigned long r)
 
 /**
  * Compares length and name equality for the rules.
- *
- * @info
- * @rule
- * @return: 0 equals, 1 otherwise
  */
 static inline bool
 rulecmp(const struct xt_pknock_mtinfo *info, const struct xt_pknock_rule *rule)
 {
 	if (info->rule_name_len != rule->rule_name_len)
-		return true;
+		return false;
 	if (strncmp(info->rule_name, rule->rule_name, info->rule_name_len) != 0)
-		return true;
-	return false;
+		return false;
+	return true;
 }
 
 /**
@@ -427,9 +423,9 @@ static struct xt_pknock_rule *search_rule(const struct xt_pknock_mtinfo *info)
 					ipt_pknock_hash_rnd, rule_hashsize);
 
 	list_for_each_safe(pos, n, &rule_hashtable[hash]) {
-			rule = list_entry(pos, struct xt_pknock_rule, head);
-			if (rulecmp(info, rule))
-					return rule;
+		rule = list_entry(pos, struct xt_pknock_rule, head);
+		if (rulecmp(info, rule))
+			return rule;
 	}
 	return NULL;
 }
@@ -451,23 +447,20 @@ add_rule(struct xt_pknock_mtinfo *info)
 	list_for_each_safe(pos, n, &rule_hashtable[hash]) {
 		rule = list_entry(pos, struct xt_pknock_rule, head);
 
-		if (rulecmp(info, rule)) {
-			++rule->ref_count;
+		if (!rulecmp(info, rule))
+			continue;
+		++rule->ref_count;
 
-			if (info->option & XT_PKNOCK_OPENSECRET) {
-				rule->max_time       = info->max_time;
-				rule->autoclose_time = info->autoclose_time;
-			}
-
-			if (info->option & XT_PKNOCK_CHECKIP) {
-				pr_debug("add_rule() (AC)"
-					" rule found: %s - "
-					"ref_count: %d\n",
-					rule->rule_name,
-					rule->ref_count);
-			}
-			return true;
+		if (info->option & XT_PKNOCK_OPENSECRET) {
+			rule->max_time       = info->max_time;
+			rule->autoclose_time = info->autoclose_time;
 		}
+
+		if (info->option & XT_PKNOCK_CHECKIP)
+			pr_debug("add_rule() (AC) rule found: %s - "
+				"ref_count: %d\n",
+				rule->rule_name, rule->ref_count);
+		return true;
 	}
 
 	rule = kmalloc(sizeof(*rule), GFP_KERNEL);
@@ -523,7 +516,8 @@ remove_rule(struct xt_pknock_mtinfo *info)
 	unsigned int hash = pknock_hash(info->rule_name, info->rule_name_len,
                                 ipt_pknock_hash_rnd, rule_hashsize);
 
-	if (list_empty(&rule_hashtable[hash])) return;
+	if (list_empty(&rule_hashtable[hash]))
+		return;
 
 	list_for_each_safe(pos, n, &rule_hashtable[hash]) {
 		rule = list_entry(pos, struct xt_pknock_rule, head);
@@ -576,7 +570,8 @@ static struct peer *get_peer(struct xt_pknock_rule *rule, __be32 ip)
 
 	list_for_each_safe(pos, n, &rule->peer_head[hash]) {
 		peer = list_entry(pos, struct peer, head);
-		if (peer->ip == ip) return peer;
+		if (peer->ip == ip)
+			return peer;
 	}
 	return NULL;
 }
@@ -1043,7 +1038,8 @@ static bool pknock_mt(const struct sk_buff *skb,
 			add_peer(peer, rule);
 		}
 
-		if (peer == NULL) goto out;
+		if (peer == NULL)
+			goto out;
 
 		update_peer(peer, info, rule, &hdr);
 	}
@@ -1087,15 +1083,15 @@ static int pknock_mt_check(const struct xt_mtchk_param *par)
 		RETURN_ERR("No crypto support available; "
 			"cannot use opensecret/closescret\n");
 #endif
-	if ((info->option & XT_PKNOCK_OPENSECRET) && (info->ports_count != 1))
+	if (info->option & XT_PKNOCK_OPENSECRET && info->ports_count != 1)
 		RETURN_ERR("--opensecret must have just one knock port\n");
 	if (info->option & XT_PKNOCK_KNOCKPORT) {
 		if (info->option & XT_PKNOCK_CHECKIP)
 			RETURN_ERR("Can't specify --knockports with --checkip.\n");
-		if ((info->option & XT_PKNOCK_OPENSECRET) &&
+		if (info->option & XT_PKNOCK_OPENSECRET &&
 				!(info->option & XT_PKNOCK_CLOSESECRET))
 			RETURN_ERR("--opensecret must go with --closesecret.\n");
-		if ((info->option & XT_PKNOCK_CLOSESECRET) &&
+		if (info->option & XT_PKNOCK_CLOSESECRET &&
 				!(info->option & XT_PKNOCK_OPENSECRET))
 			RETURN_ERR("--closesecret must go with --opensecret.\n");
 	}
@@ -1115,13 +1111,11 @@ static int pknock_mt_check(const struct xt_mtchk_param *par)
 		RETURN_ERR("you must specify --time.\n");
 	}
 
-	if (info->option & XT_PKNOCK_OPENSECRET) {
-		if (info->open_secret_len == info->close_secret_len) {
-			if (memcmp(info->open_secret, info->close_secret,
-						info->open_secret_len) == 0)
-				RETURN_ERR("opensecret & closesecret cannot be equal.\n");
-		}
-	}
+	if (info->option & XT_PKNOCK_OPENSECRET &&
+	    info->open_secret_len == info->close_secret_len &&
+	    memcmp(info->open_secret, info->close_secret,
+	    info->open_secret_len) == 0)
+		RETURN_ERR("opensecret & closesecret cannot be equal.\n");
 
 	if (!add_rule(info))
 		/* should ENOMEM here */
@@ -1166,11 +1160,10 @@ static int __init xt_pknock_mt_init(void)
 	}
 
 	crypto.tfm = crypto_alloc_hash(crypto.algo, 0, CRYPTO_ALG_ASYNC);
-
-	if (crypto.tfm == NULL) {
+	if (IS_ERR(crypto.tfm)) {
 		printk(KERN_ERR PKNOCK "failed to load transform for %s\n",
 						crypto.algo);
-		return -ENXIO;
+		return PTR_ERR(crypto.tfm);
 	}
 
 	crypto.size = crypto_hash_digestsize(crypto.tfm);
@@ -1195,7 +1188,8 @@ static void __exit xt_pknock_mt_exit(void)
 	kfree(rule_hashtable);
 
 #ifdef PK_CRYPTO
-	if (crypto.tfm != NULL) crypto_free_hash(crypto.tfm);
+	if (crypto.tfm != NULL)
+		crypto_free_hash(crypto.tfm);
 #endif
 }
 

extensions/xt_DNETMAP.c

@@ -3,10 +3,12 @@
  * or destination (PREROUTING),
  */
 
-/* (C) 2010 Marek Kierdelewicz <marek@koba.pl>
+/* (C) 2011 Marek Kierdelewicz <marek@koba.pl>
  *
  * module is dedicated to my wife Eliza and my daughters Jula and Ola :* :* :*
  *
+ * module audited and cleaned-up by Jan Engelhardt
+ *
  * module uses some code and ideas from following modules:
  * - "NETMAP" module by Svenning Soerensen <svenning@post5.tele.dk>
  * - "recent" module by Stephen Frost <sfrost@snowman.net>
@@ -23,9 +25,12 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/version.h>
 #include <net/netfilter/nf_nat_rule.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
 #include <net/net_namespace.h>
 #include <net/netns/generic.h>
+#endif
 #include "xt_DNETMAP.h"
 #include "compat_xtables.h"
 
@@ -33,6 +38,7 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marek Kierdelewicz <marek@koba.pl>");
 MODULE_DESCRIPTION(
 	"Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
+MODULE_ALIAS("ipt_DNETMAP");
 
 static unsigned int default_ttl = 600;
 static unsigned int proc_perms = S_IRUGO | S_IWUSR;
@@ -90,11 +96,16 @@ struct dnetmap_net {
 	struct list_head *dnetmap_iphash;
 };
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
 static int dnetmap_net_id;
 static inline struct dnetmap_net *dnetmap_pernet(struct net *net)
 {
 	return net_generic(net, dnetmap_net_id);
 }
+#else
+struct dnetmap_net *dnetmap;
+#define dnetmap_pernet(x) dnetmap
+#endif
 
 static DEFINE_SPINLOCK(dnetmap_lock);
 static DEFINE_MUTEX(dnetmap_mutex);
@@ -236,12 +247,12 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 	ip_min = ntohl(mr->range[0].min_ip) + (whole_prefix == 0);
 	ip_max = ntohl(mr->range[0].max_ip) - (whole_prefix == 0);
 
-	sprintf(p->prefix_str, "%pI4/%u", &mr->range[0].min_ip,
+	sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->range[0].min_ip),
 		33 - ffs(~(ip_min ^ ip_max)));
 #ifdef CONFIG_PROC_FS
-	sprintf(proc_str_data, "%pI4_%u", &mr->range[0].min_ip,
+	sprintf(proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->range[0].min_ip),
 		33 - ffs(~(ip_min ^ ip_max)));
-	sprintf(proc_str_stat, "%pI4_%u_stat", &mr->range[0].min_ip,
+	sprintf(proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->range[0].min_ip),
 		33 - ffs(~(ip_min ^ ip_max)));
 #endif
 	printk(KERN_INFO KBUILD_MODNAME ": new prefix %s\n", p->prefix_str);
@@ -368,8 +379,8 @@ bind_new_prefix:
 		if (e->prenat_addr != 0 && time_before(jiffies, e->stamp)) {
 			if (!disable_log)
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": ip %pI4 - no free adresses in prefix %s\n",
-				       &prenat_ip, p->prefix_str);
+				       ": ip " NIPQUAD_FMT " - no free adresses in prefix %s\n",
+				       NIPQUAD(prenat_ip), p->prefix_str);
 			goto no_free_ip;
 		}
 
@@ -379,8 +390,8 @@ bind_new_prefix:
 			prenat_ip_prev = e->prenat_addr;
 			if (!disable_log)
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": timeout binding %pI4 -> %pI4\n",
-				       &prenat_ip_prev, &postnat_ip);
+				       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
+				       NIPQUAD(prenat_ip_prev), NIPQUAD(postnat_ip) );
 			list_del(&e->list);
 			list_del(&e->glist);
 			list_del(&e->grlist);
@@ -400,8 +411,8 @@ bind_new_prefix:
 							   (postnat_ip)]);
 		if (!disable_log)
 			printk(KERN_INFO KBUILD_MODNAME
-			       ": add binding %pI4 -> %pI4\n", &prenat_ip,
-			       &postnat_ip);
+			       ": add binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
+						 NIPQUAD(prenat_ip),NIPQUAD(postnat_ip));
 
 	} else {
 
@@ -409,9 +420,9 @@ bind_new_prefix:
 			if (time_before(e->stamp, jiffies) && p != e->prefix) {
 				if (!disable_log)
 					printk(KERN_INFO KBUILD_MODNAME
-					       ": timeout binding %pI4 -> %pI4\n",
-					       &e->prenat_addr,
-					       &e->postnat_addr);
+					       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
+					       NIPQUAD(e->prenat_addr),
+					       NIPQUAD(e->postnat_addr));
 				list_del(&e->list);
 				list_del(&e->glist);
 				list_del(&e->grlist);
@@ -464,11 +475,11 @@ static void dnetmap_tg_destroy(const struct xt_tgdtor_param *par)
 		list_del(&p->list);
 		spin_unlock_bh(&dnetmap_lock);
 #ifdef CONFIG_PROC_FS
-		sprintf(str, "%pI4_%u", &mr->range[0].min_ip,
+		sprintf(str, NIPQUAD_FMT "_%u", NIPQUAD(mr->range[0].min_ip),
 			33 - ffs(~(ntohl(mr->range[0].min_ip ^
 			mr->range[0].max_ip))));
 		remove_proc_entry(str, dnetmap_net->xt_dnetmap);
-		sprintf(str, "%pI4_%u_stat", &mr->range[0].min_ip,
+		sprintf(str, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->range[0].min_ip),
 			33 - ffs(~(ntohl(mr->range[0].min_ip ^
 			mr->range[0].max_ip))));
 		remove_proc_entry(str, dnetmap_net->xt_dnetmap);
@@ -525,8 +536,8 @@ static int dnetmap_seq_show(struct seq_file *seq, void *v)
 {
 	const struct dnetmap_entry *e = v;
 
-	seq_printf(seq, "%pI4 -> %pI4 --- ttl: %d lasthit: %lu\n",
-		   &e->prenat_addr, &e->postnat_addr,
+	seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: %d lasthit: %lu\n",
+		   NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr),
 		   (int)(e->stamp - jiffies) / HZ, (e->stamp - jtimeout) / HZ);
 	return 0;
 }
@@ -609,6 +620,7 @@ static void __net_exit dnetmap_proc_net_exit(struct net *net)
 {
 	proc_net_remove(net, "xt_DNETMAP");
 }
+
 #else
 static inline int dnetmap_proc_net_init(struct net *net)
 {
@@ -618,7 +630,6 @@ static inline int dnetmap_proc_net_init(struct net *net)
 static inline void dnetmap_proc_net_exit(struct net *net)
 {
 }
-
 #endif /* CONFIG_PROC_FS */
 
 static int __net_init dnetmap_net_init(struct net *net)
@@ -626,6 +637,13 @@ static int __net_init dnetmap_net_init(struct net *net)
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
 	int i;
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
+	dnetmap = kmalloc(sizeof(struct dnetmap_net),GFP_ATOMIC);
+	if (dnetmap == NULL)
+		return -ENOMEM;
+	dnetmap_net = dnetmap;
+#endif
+
 	dnetmap_net->dnetmap_iphash = kmalloc(sizeof(struct list_head) *
 					      hash_size * 2, GFP_ATOMIC);
 	if (dnetmap_net->dnetmap_iphash == NULL)
@@ -643,14 +661,19 @@ static void __net_exit dnetmap_net_exit(struct net *net)
 
 	BUG_ON(!list_empty(&dnetmap_net->prefixes));
 	kfree(dnetmap_net->dnetmap_iphash);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
+	kfree(dnetmap_net);
+#endif
 	dnetmap_proc_net_exit(net);
 }
 
 static struct pernet_operations dnetmap_net_ops = {
 	.init = dnetmap_net_init,
 	.exit = dnetmap_net_exit,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
 	.id   = &dnetmap_net_id,
 	.size = sizeof(struct dnetmap_net),
+#endif
 };
 
 static struct xt_target dnetmap_tg_reg __read_mostly = {

mconfig

@@ -5,7 +5,7 @@ build_CHAOS=m
 build_CHECKSUM=
 build_DELUDE=m
 build_DHCPMAC=m
-build_DNETMAP=
+build_DNETMAP=m
 build_ECHO=
 build_IPMARK=m
 build_LOGMARK=m