Xtables-addons 1.40

GPL3 did not exist back when Sam's xt_quota was written, therefore it
should be assumed that MODULE_LICENSE("GPL") intended to mean just
GPL2.

INSTALL

@@ -12,7 +12,7 @@ in combination with the kernel's Kbuild system.
 Supported configurations for this release
 =========================================
 
-	* iptables >= 1.4.3
+	* iptables >= 1.4.5
 
 	* kernel-source >= 2.6.29
 	  with prepared build/output directory

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [1.39])
+AC_INIT([xtables-addons], [1.40])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -22,7 +22,7 @@ fi
 
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
-PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.5])
 xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
 PKG_CHECK_MODULES([libmnl], [libmnl >= 1], [:], [:])
 
@@ -64,10 +64,10 @@ if test -n "$kbuilddir"; then
 			echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 		elif test "$kmajor" -eq 3; then
 			:;
-		elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29; then
+		elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 32; then
 			:;
 		else
-			echo "WARNING: That kernel version is not supported.";
+			echo "WARNING: That kernel version is not officially supported.";
 		fi;
 	fi;
 fi;

doc/changelog.txt

@@ -3,6 +3,22 @@ HEAD
 ====
 
 
+v1.40 (2011-11-30)
+==================
+Fixes:
+- build: the code actually requires at least iptables 1.4.5 (would yield a
+  compile error otherwise), make sure configure checks for it; update INSTALL
+- xt_ECHO: fix kernel warning about RTAX_HOPLIMIT being used
+- xt_ipv4options: fix an infinite loop
+Changes:
+- xt_ECHO: now calculates UDP checksum
+- Linux kernel versions below 2.6.32 are no longer officially
+  supported, and will not be part of compilation testing.
+- update to ipset 6.10
+Enhancements:
+- xt_ECHO: IPv6 support
+
+
 v1.39 (2011-09-21)
 ==================
 Fixes:
@@ -71,7 +87,6 @@ Fixes:
 Changes:
 - Linux kernel versions below 2.6.29 are no longer officially
   supported, and will not be part of compilation testing.
-  Expect that compat code will be removed shortly.
 
 
 v1.33 (2011-02-02)

extensions/ipset-6/Kbuild

@@ -8,4 +8,4 @@ obj-m += ip_set_hash_netiface.o ip_set_hash_netport.o ip_set_list_set.o
 
 ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o
 
-EXTRA_CFLAGS += -DLCONFIG_IP_SET_MAX=256 -DIPSET_EXTERNAL_MODULE=1
+EXTRA_CFLAGS += -DLCONFIG_IP_SET_MAX=256

extensions/ipset-6/ip_set_core.c

@@ -17,7 +17,7 @@
 #include <linux/spinlock.h>
 #include <linux/netlink.h>
 #include <linux/rculist.h>
-#ifdef IPSET_EXTERNAL_MODULE
+#ifndef IPSET_IN_KERNEL_TREE
 #include <linux/version.h>
 #endif
 #include <net/netlink.h>

extensions/ipset-6/ip_set_hash_ipport.c

@@ -158,7 +158,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipport4_elem data = { };
-	u32 ip, ip_to, p = 0, port, port_to;
+	u32 ip, ip_to = 0, p = 0, port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;

extensions/ipset-6/ip_set_hash_ipportip.c

@@ -162,7 +162,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportip4_elem data = { };
-	u32 ip, ip_to, p = 0, port, port_to;
+	u32 ip, ip_to = 0, p = 0, port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;

extensions/ipset-6/ip_set_hash_ipportnet.c

@@ -184,7 +184,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportnet4_elem data = { .cidr = HOST_MASK };
-	u32 ip, ip_to, p = 0, port, port_to;
+	u32 ip, ip_to = 0, p = 0, port, port_to;
 	u32 ip2_from = 0, ip2_to, ip2_last, ip2;
 	u32 timeout = h->timeout;
 	bool with_ports = false;

extensions/ipset-6/libipset/parse.c

@@ -307,7 +307,7 @@ int
 ipset_parse_tcp_port(struct ipset_session *session,
 		     enum ipset_opt opt, const char *str)
 {
-	return ipset_parse_tcpudp_port(session, opt, str, "TCP");
+	return ipset_parse_tcpudp_port(session, opt, str, "tcp");
 }
 
 /**
@@ -330,7 +330,7 @@ ipset_parse_single_tcp_port(struct ipset_session *session,
 	assert(opt == IPSET_OPT_PORT || opt == IPSET_OPT_PORT_TO);
 	assert(str);
 
-	return ipset_parse_port(session, opt, str, "TCP");
+	return ipset_parse_port(session, opt, str, "tcp");
 }
 
 /**
@@ -391,8 +391,8 @@ parse_icmp_typecode(struct ipset_session *session,
 				 str, family);
 	}
 	*a++ = '\0';
-	if ((err = string_to_u8(session, a, &type)) != 0 ||
+	if ((err = string_to_u8(session, tmp, &type)) != 0 ||
-	    (err = string_to_u8(session, tmp, &code)) != 0)
+	    (err = string_to_u8(session, a, &code)) != 0)
 		goto error;
 
 	typecode = (type << 8) | code;

extensions/ipset-6/src/ipset.c

@@ -24,7 +24,7 @@
 #include <libipset/utils.h>		/* STREQ */
 
 static char program_name[] = "ipset";
-static char program_version[] = "6.9.1-genl-xta";
+static char program_version[] = "6.10-genl-xta";
 
 static struct ipset_session *session;
 static uint32_t restore_line;

extensions/libxt_RAWDNAT.c

@@ -151,7 +151,8 @@ rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
 	       info->mask);
 }
 
-static struct xtables_target rawdnat_tg4_reg = {
+static struct xtables_target rawdnat_tg_reg[] = {
+	{
 		.version       = XTABLES_VERSION,
 		.name          = "RAWDNAT",
 		.revision      = 0,
@@ -164,9 +165,8 @@ static struct xtables_target rawdnat_tg4_reg = {
 		.print         = rawdnat_tg4_print,
 		.save          = rawdnat_tg4_save,
 		.extra_opts    = rawdnat_tg_opts,
-};
+	},
-
+	{
-static struct xtables_target rawdnat_tg6_reg = {
 		.version       = XTABLES_VERSION,
 		.name          = "RAWDNAT",
 		.revision      = 0,
@@ -179,10 +179,11 @@ static struct xtables_target rawdnat_tg6_reg = {
 		.print         = rawdnat_tg6_print,
 		.save          = rawdnat_tg6_save,
 		.extra_opts    = rawdnat_tg_opts,
+	},
 };
 
 static void _init(void)
 {
-	xtables_register_target(&rawdnat_tg4_reg);
+	xtables_register_targets(rawdnat_tg_reg,
-	xtables_register_target(&rawdnat_tg6_reg);
+		sizeof(rawdnat_tg_reg) / sizeof(*rawdnat_tg_reg));
 }

extensions/libxt_RAWSNAT.c

@@ -151,7 +151,8 @@ rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
 	       info->mask);
 }
 
-static struct xtables_target rawsnat_tg4_reg = {
+static struct xtables_target rawsnat_tg_reg[] = {
+	{
 		.version       = XTABLES_VERSION,
 		.name          = "RAWSNAT",
 		.revision      = 0,
@@ -164,9 +165,8 @@ static struct xtables_target rawsnat_tg4_reg = {
 		.print         = rawsnat_tg4_print,
 		.save          = rawsnat_tg4_save,
 		.extra_opts    = rawsnat_tg_opts,
-};
+	},
-
+	{
-static struct xtables_target rawsnat_tg6_reg = {
 		.version       = XTABLES_VERSION,
 		.name          = "RAWSNAT",
 		.revision      = 0,
@@ -179,10 +179,11 @@ static struct xtables_target rawsnat_tg6_reg = {
 		.print         = rawsnat_tg6_print,
 		.save          = rawsnat_tg6_save,
 		.extra_opts    = rawsnat_tg_opts,
+	},
 };
 
 static void _init(void)
 {
-	xtables_register_target(&rawsnat_tg4_reg);
+	xtables_register_targets(rawsnat_tg_reg,
-	xtables_register_target(&rawsnat_tg6_reg);
+		sizeof(rawsnat_tg_reg) / sizeof(*rawsnat_tg_reg));
 }

extensions/libxt_TEE.c

@@ -135,7 +135,8 @@ static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
 	printf(" --gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
 }
 
-static struct xtables_target tee_tg_reg = {
+static struct xtables_target tee_tg_reg[] = {
+	{
 		.name          = "TEE",
 		.version       = XTABLES_VERSION,
 		.revision      = 0,
@@ -148,9 +149,8 @@ static struct xtables_target tee_tg_reg = {
 		.print         = tee_tg_print,
 		.save          = tee_tg_save,
 		.extra_opts    = tee_tg_opts,
-};
+	},
-
+	{
-static struct xtables_target tee_tg6_reg = {
 		.name          = "TEE",
 		.version       = XTABLES_VERSION,
 		.revision      = 0,
@@ -163,10 +163,11 @@ static struct xtables_target tee_tg6_reg = {
 		.print         = tee_tg6_print,
 		.save          = tee_tg6_save,
 		.extra_opts    = tee_tg_opts,
+	},
 };
 
 static __attribute__((constructor)) void tee_tg_ldr(void)
 {
-	xtables_register_target(&tee_tg_reg);
+	xtables_register_targets(tee_tg_reg,
-	xtables_register_target(&tee_tg6_reg);
+		sizeof(tee_tg_reg) / sizeof(*tee_tg_reg));
 }

extensions/xt_ECHO.c

@@ -1,7 +1,7 @@
 /*
  *	"ECHO" (RFC 862) target extension for Xtables
  *	Sample module for "Writing your own Netfilter Modules"
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -18,8 +18,112 @@
 #	include <linux/netfilter_bridge.h>
 #endif
 #include <net/ip.h>
+#include <net/ip6_route.h>
+#include <net/route.h>
 #include "compat_xtables.h"
 
+static unsigned int
+echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
+{
+	const struct sk_buff *oldskb = *poldskb;
+	const struct udphdr *oldudp;
+	const struct ipv6hdr *oldip;
+	struct udphdr *newudp, oldudp_buf;
+	struct ipv6hdr *newip;
+	struct sk_buff *newskb;
+	unsigned int data_len;
+	void *payload;
+	struct flowi6 fl;
+	struct dst_entry *dst = NULL;
+	struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
+
+	/* This allows us to do the copy operation in fewer lines of code. */
+	if (skb_linearize(*poldskb) < 0)
+		return NF_DROP;
+
+	oldip  = ipv6_hdr(oldskb);
+	oldudp = skb_header_pointer(oldskb, par->thoff,
+	         sizeof(*oldudp), &oldudp_buf);
+	if (oldudp == NULL)
+		return NF_DROP;
+	if (ntohs(oldudp->len) <= sizeof(*oldudp))
+		return NF_DROP;
+
+	newskb = alloc_skb(LL_MAX_HEADER + sizeof(*newip) +
+	         ntohs(oldudp->len), GFP_ATOMIC);
+	if (newskb == NULL)
+		return NF_DROP;
+
+	skb_reserve(newskb, LL_MAX_HEADER);
+	newskb->protocol = oldskb->protocol;
+
+	skb_reset_network_header(newskb);
+	newip = (void *)skb_put(newskb, sizeof(*newip));
+	newip->version  = oldip->version;
+	newip->priority = oldip->priority;
+	memcpy(newip->flow_lbl, oldip->flow_lbl, sizeof(newip->flow_lbl));
+	newip->nexthdr  = par->target->proto;
+	newip->saddr    = oldip->daddr;
+	newip->daddr    = oldip->saddr;
+
+	skb_reset_transport_header(newskb);
+	newudp = (void *)skb_put(newskb, sizeof(*newudp));
+	newudp->source = oldudp->dest;
+	newudp->dest   = oldudp->source;
+	newudp->len    = oldudp->len;
+
+	data_len = htons(oldudp->len) - sizeof(*oldudp);
+	payload  = skb_header_pointer(oldskb, par->thoff +
+	           sizeof(*oldudp), data_len, NULL);
+	memcpy(skb_put(newskb, data_len), payload, data_len);
+
+#if 0
+	/*
+	 * Since no fields are modified (we just swapped things around),
+	 * this works too in our specific echo case.
+	 */
+	newudp->check = oldudp->check;
+#else
+	newudp->check = 0;
+	newudp->check = csum_ipv6_magic(&newip->saddr, &newip->daddr,
+	                ntohs(newudp->len), IPPROTO_UDP,
+	                csum_partial(newudp, ntohs(newudp->len), 0));
+#endif
+
+	memset(&fl, 0, sizeof(fl));
+	fl.flowi6_proto = newip->nexthdr;
+	ipv6_addr_copy(&fl.saddr, &newip->saddr);
+	ipv6_addr_copy(&fl.daddr, &newip->daddr);
+	fl.fl6_sport = newudp->source;
+	fl.fl6_dport = newudp->dest;
+	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
+	dst = ip6_route_output(net, NULL, &fl);
+	if (dst == NULL || dst->error != 0) {
+		dst_release(dst);
+		goto free_nskb;
+	}
+
+	skb_dst_set(newskb, dst);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
+	newip->hop_limit = ip6_dst_hoplimit(skb_dst(newskb));
+#else
+	newip->hop_limit = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
+#endif
+	newskb->ip_summed = CHECKSUM_NONE;
+
+	/* "Never happens" (?) */
+	if (newskb->len > dst_mtu(skb_dst(newskb)))
+		goto free_nskb;
+
+	nf_ct_attach(newskb, *poldskb);
+	ip6_local_out(newskb);
+	return NF_DROP;
+
+ free_nskb:
+	kfree_skb(newskb);
+	return NF_DROP;
+}
+
 static unsigned int
 echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 {
@@ -29,33 +133,33 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	struct udphdr *newudp, oldudp_buf;
 	struct iphdr *newip;
 	struct sk_buff *newskb;
-	unsigned int addr_type, data_len;
+	unsigned int data_len;
 	void *payload;
 
-	printk(KERN_INFO "dst_out=%p\n", skb_dst(*poldskb)->output);
-
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(*poldskb) < 0)
 		return NF_DROP;
 
 	oldip  = ip_hdr(oldskb);
-	oldudp = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
+	oldudp = skb_header_pointer(oldskb, par->thoff,
-	         sizeof(struct udphdr), &oldudp_buf);
+	         sizeof(*oldudp), &oldudp_buf);
 	if (oldudp == NULL)
 		return NF_DROP;
-	if (ntohs(oldudp->len) <= sizeof(struct udphdr))
+	if (ntohs(oldudp->len) <= sizeof(*oldudp))
 		return NF_DROP;
 
-	newskb = alloc_skb(LL_MAX_HEADER + sizeof(struct iphdr) +
+	newskb = alloc_skb(LL_MAX_HEADER + sizeof(*newip) +
 	         ntohs(oldudp->len), GFP_ATOMIC);
 	if (newskb == NULL)
 		return NF_DROP;
 
 	skb_reserve(newskb, LL_MAX_HEADER);
+	newskb->protocol = oldskb->protocol;
+
 	skb_reset_network_header(newskb);
-	newip = (void *)skb_put(newskb, sizeof(struct iphdr));
+	newip = (void *)skb_put(newskb, sizeof(*newip));
-	newip->version  = 4;
+	newip->version  = oldip->version;
-	newip->ihl      = sizeof(struct iphdr) / 4;
+	newip->ihl      = sizeof(*newip) / 4;
 	newip->tos      = oldip->tos;
 	newip->id       = 0;
 	newip->frag_off = htons(IP_DF);
@@ -64,33 +168,41 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	newip->saddr    = oldip->daddr;
 	newip->daddr    = oldip->saddr;
 
-	newudp = (void *)skb_put(newskb, sizeof(struct udphdr));
+	skb_reset_transport_header(newskb);
+	newudp = (void *)skb_put(newskb, sizeof(*newudp));
 	newudp->source = oldudp->dest;
 	newudp->dest   = oldudp->source;
 	newudp->len    = oldudp->len;
-	newudp->check  = 0;
 
 	data_len = htons(oldudp->len) - sizeof(*oldudp);
-	payload  = skb_header_pointer(oldskb, ip_hdrlen(oldskb) +
+	payload  = skb_header_pointer(oldskb, par->thoff +
 	           sizeof(*oldudp), data_len, NULL);
 	memcpy(skb_put(newskb, data_len), payload, data_len);
 
-	addr_type = RTN_UNSPEC;
+#if 0
-#ifdef CONFIG_BRIDGE_NETFILTER
+	/*
-	if (par->hooknum != NF_INET_FORWARD || (newskb->nf_bridge != NULL &&
+	 * Since no fields are modified (we just swapped things around),
-	    newskb->nf_bridge->mask & BRNF_BRIDGED))
+	 * this works too in our specific echo case.
+	 */
+	newudp->check = oldudp->check;
 #else
-	if (par->hooknum != NF_INET_FORWARD)
+	newudp->check = 0;
+	newudp->check = csum_tcpudp_magic(newip->saddr, newip->daddr,
+	                ntohs(newudp->len), IPPROTO_UDP,
+	                csum_partial(newudp, ntohs(newudp->len), 0));
 #endif
-		addr_type = RTN_LOCAL;
 
 	/* ip_route_me_harder expects the skb's dst to be set */
 	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
 
-	if (ip_route_me_harder(&newskb, addr_type) < 0)
+	if (ip_route_me_harder(&newskb, RTN_UNSPEC) != 0)
 		goto free_nskb;
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
+	newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
+#else
 	newip->ttl = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
+#endif
 	newskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" (?) */
@@ -106,7 +218,17 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	return NF_DROP;
 }
 
-static struct xt_target echo_tg_reg __read_mostly = {
+static struct xt_target echo_tg_reg[] __read_mostly = {
+	{
+		.name       = "ECHO",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.proto      = IPPROTO_UDP,
+		.table      = "filter",
+		.target     = echo_tg6,
+		.me         = THIS_MODULE,
+	},
+	{
 		.name       = "ECHO",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
@@ -114,16 +236,17 @@ static struct xt_target echo_tg_reg __read_mostly = {
 		.table      = "filter",
 		.target     = echo_tg4,
 		.me         = THIS_MODULE,
+	},
 };
 
 static int __init echo_tg_init(void)
 {
-	return xt_register_target(&echo_tg_reg);
+	return xt_register_targets(echo_tg_reg, ARRAY_SIZE(echo_tg_reg));
 }
 
 static void __exit echo_tg_exit(void)
 {
-	return xt_unregister_target(&echo_tg_reg);
+	return xt_unregister_targets(echo_tg_reg, ARRAY_SIZE(echo_tg_reg));
 }
 
 module_init(echo_tg_init);
@@ -131,4 +254,5 @@ module_exit(echo_tg_exit);
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: ECHO diagnosis target");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("ip6t_ECHO");
 MODULE_ALIAS("ipt_ECHO");

extensions/xt_ipv4options.c

@@ -20,6 +20,17 @@ static uint32_t ipv4options_rd(const uint8_t *data, int len)
 	uint32_t opts = 0;
 
 	while (len >= 2) {
+		switch (data[0]) {
+		case IPOPT_END:
+			return opts;
+		case IPOPT_NOOP:
+			--len;
+			++data;
+			continue;
+		}
+
+		if (data[1] < 2 || data[1] > len)
+			return opts;
 		opts |= 1 << (data[0] & 0x1F);
 		len  -= data[1];
 		data += data[1];

extensions/xt_quota2.c

@@ -8,8 +8,8 @@
  * 	Sam Johnston <samj@samj.net>
  *
  *	This program is free software; you can redistribute it and/or modify
- *	it under the terms of the GNU General Public License; either
+ *	it under the terms of the GNU General Public License
- *	version 2 of the License, as published by the Free Software Foundation.
+ *	version 2, as published by the Free Software Foundation.
  */
 #include <linux/list.h>
 #include <linux/proc_fs.h>

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.39 (2011-09-21)" "" "v1.39 (2011-09-21)"
+.TH xtables-addons 8 "v1.40 (2011-11-30)" "" "v1.40 (2011-11-30)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets