Xtables-addons 1.41

References: http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.general/42337

.gitignore

@@ -2,9 +2,9 @@
 *.lo
 *.loT
 *.o
-.deps
+.deps/
 .dirstamp
-.libs
+.libs/
 Makefile
 Makefile.in
 
@@ -17,14 +17,10 @@ Makefile.in
 /targets.man
 
 /aclocal.m4
-/autom4te*.cache
-/compile
+/autom4te.cache/
+/build-aux/
 /config.*
 /configure
-/depcomp
-/install-sh
 /libtool
-/ltmain.sh
-/missing
 /stamp-h1
 /xtables-addons.8

INSTALL

@@ -12,7 +12,7 @@ in combination with the kernel's Kbuild system.
 Supported configurations for this release
 =========================================
 
-	* iptables >= 1.4.3
+	* iptables >= 1.4.5
 
 	* kernel-source >= 2.6.29
 	  with prepared build/output directory
@@ -22,14 +22,12 @@ Supported configurations for this release
 	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
 	    notifications from pknock through netlink/connector
 
-Compilation of ipset-genl-6.x is enabled by default. This additionally
-requires
+Compilation of ipset-genl-6.x is disabled by default. It has
+additional requirements.
 
 	* libmnl
 	* Linux kernel >= 2.6.35
 
-so if you do not have these, turn it off in mconfig before compilation.
-
 
 Selecting extensions
 ====================
@@ -43,6 +41,10 @@ Configuring and compiling
 
 ./configure [options]
 
+--without-kbuild
+
+	Deactivate building kernel modules, and just do userspace parts.
+
 --with-kbuild=
 
 	Specifies the path to the kernel build output directory. We need

README

@@ -18,8 +18,7 @@ simplified, and sped up.
 
 Included in this package
 ========================
-- ipset 4.5
-- ipset 6.7-genl
+- ipset 6.10-genl
 - xt_ACCOUNT 1.16, libxt_ACCOUNT 1.3
 
 

configure.ac

@@ -1,4 +1,5 @@
-AC_INIT([xtables-addons], [1.39])
+AC_INIT([xtables-addons], [1.41])
+AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -10,7 +11,9 @@ AC_PROG_LIBTOOL
 
 AC_ARG_WITH([kbuild],
 	AS_HELP_STRING([--with-kbuild=PATH],
-	[Path to kernel build directory [[/lib/modules/CURRENT/build]]]),
+	[Path to kernel build directory [[/lib/modules/CURRENT/build]]])
+AS_HELP_STRING([--without-kbuild],
+	[Build only userspace tools]),
 	[kbuilddir="$withval"],
 	[kbuilddir="/lib/modules/$(uname -r)/build"])
 #
@@ -22,7 +25,7 @@ fi
 
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
-PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.5])
 xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
 PKG_CHECK_MODULES([libmnl], [libmnl >= 1], [:], [:])
 
@@ -60,14 +63,14 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 1; then
+		if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 2; then
 			echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 		elif test "$kmajor" -eq 3; then
 			:;
-		elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29; then
+		elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 32; then
 			:;
 		else
-			echo "WARNING: That kernel version is not supported.";
+			echo "WARNING: That kernel version is not officially supported.";
 		fi;
 	fi;
 fi;

doc/changelog.txt

@@ -3,6 +3,32 @@ HEAD
 ====
 
 
+v1.41 (2012-01-04)
+==================
+Changes:
+- Deactivate build of ipset-genl by default.
+  I think the original ipset package can now take over, given there are
+  a handful of kernels (2.6.39 onwards) that do not need patching.
+Enhancements:
+- Support for Linux 3.2
+
+
+v1.40 (2011-11-30)
+==================
+Fixes:
+- build: the code actually requires at least iptables 1.4.5 (would yield a
+  compile error otherwise), make sure configure checks for it; update INSTALL
+- xt_ECHO: fix kernel warning about RTAX_HOPLIMIT being used
+- xt_ipv4options: fix an infinite loop
+Changes:
+- xt_ECHO: now calculates UDP checksum
+- Linux kernel versions below 2.6.32 are no longer officially
+  supported, and will not be part of compilation testing.
+- update to ipset 6.10
+Enhancements:
+- xt_ECHO: IPv6 support
+
+
 v1.39 (2011-09-21)
 ==================
 Fixes:
@@ -71,7 +97,6 @@ Fixes:
 Changes:
 - Linux kernel versions below 2.6.29 are no longer officially
   supported, and will not be part of compilation testing.
-  Expect that compat code will be removed shortly.
 
 
 v1.33 (2011-02-02)

extensions/.gitignore

@@ -1,6 +1,6 @@
 .*.cmd
 .*.d
-.tmp_versions
+.tmp_versions/
 *.ko
 *.mod.c
 Module.markers

extensions/compat_xtables.c

@@ -8,7 +8,9 @@
  */
 #include <linux/ip.h>
 #include <linux/kernel.h>
+#include <linux/kmod.h>
 #include <linux/list.h>
+#include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/spinlock.h>
 #include <linux/version.h>
@@ -17,6 +19,9 @@
 #include <linux/netfilter_arp.h>
 #include <net/ip.h>
 #include <net/route.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0)
+#	include <linux/export.h>
+#endif
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
 

extensions/compat_xtables.h

@@ -92,6 +92,12 @@
 #	define rt_dst(rt)	(&(rt)->u.dst)
 #endif
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
+#	define nf_nat_ipv4_multi_range_compat nf_nat_multi_range_compat
+#	define nf_nat_ipv4_range nf_nat_range
+#	define NF_NAT_RANGE_MAP_IPS IP_NAT_RANGE_MAP_IPS
+#endif
+
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \
 		ntohs((addr).s6_addr16[0]), \

extensions/ipset-6/Kbuild

@@ -8,4 +8,4 @@ obj-m += ip_set_hash_netiface.o ip_set_hash_netport.o ip_set_list_set.o
 
 ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o
 
-EXTRA_CFLAGS += -DLCONFIG_IP_SET_MAX=256 -DIPSET_EXTERNAL_MODULE=1
+EXTRA_CFLAGS += -DLCONFIG_IP_SET_MAX=256

extensions/ipset-6/ip_set_core.c

@@ -17,7 +17,7 @@
 #include <linux/spinlock.h>
 #include <linux/netlink.h>
 #include <linux/rculist.h>
-#ifdef IPSET_EXTERNAL_MODULE
+#ifndef IPSET_IN_KERNEL_TREE
 #include <linux/version.h>
 #endif
 #include <net/netlink.h>

extensions/ipset-6/ip_set_getport.c

@@ -12,6 +12,7 @@
 #include <linux/icmp.h>
 #include <linux/icmpv6.h>
 #include <linux/sctp.h>
+#include <linux/version.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
@@ -115,9 +116,14 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
 {
 	int protoff;
 	u8 nexthdr;
+	__be16 frag_off;
 
 	nexthdr = ipv6_hdr(skb)->nexthdr;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 2, 0)
 	protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr);
+#else
+	protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, &frag_off);
+#endif
 	if (protoff < 0)
 		return false;
 

extensions/ipset-6/ip_set_hash_ip.c

@@ -241,7 +241,7 @@ hash_ip6_data_isnull(const struct hash_ip6_elem *elem)
 static inline void
 hash_ip6_data_copy(struct hash_ip6_elem *dst, const struct hash_ip6_elem *src)
 {
-	ipv6_addr_copy(&dst->ip.in6, &src->ip.in6);
+	dst->ip.in6 = src->ip.in6;
 }
 
 static inline void

extensions/ipset-6/ip_set_hash_ipport.c

@@ -158,7 +158,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipport4_elem data = { };
-	u32 ip, ip_to, p = 0, port, port_to;
+	u32 ip, ip_to = 0, p = 0, port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;

extensions/ipset-6/ip_set_hash_ipportip.c

@@ -162,7 +162,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportip4_elem data = { };
-	u32 ip, ip_to, p = 0, port, port_to;
+	u32 ip, ip_to = 0, p = 0, port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;

extensions/ipset-6/ip_set_hash_ipportnet.c

@@ -184,7 +184,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportnet4_elem data = { .cidr = HOST_MASK };
-	u32 ip, ip_to, p = 0, port, port_to;
+	u32 ip, ip_to = 0, p = 0, port, port_to;
 	u32 ip2_from = 0, ip2_to, ip2_last, ip2;
 	u32 timeout = h->timeout;
 	bool with_ports = false;

extensions/ipset-6/ip_set_hash_net.c

@@ -267,7 +267,7 @@ static inline void
 hash_net6_data_copy(struct hash_net6_elem *dst,
 		    const struct hash_net6_elem *src)
 {
-	ipv6_addr_copy(&dst->ip.in6, &src->ip.in6);
+	dst->ip.in6 = src->ip.in6;
 	dst->cidr = src->cidr;
 }
 

extensions/ipset-6/libipset/parse.c

@@ -307,7 +307,7 @@ int
 ipset_parse_tcp_port(struct ipset_session *session,
 		     enum ipset_opt opt, const char *str)
 {
-	return ipset_parse_tcpudp_port(session, opt, str, "TCP");
+	return ipset_parse_tcpudp_port(session, opt, str, "tcp");
 }
 
 /**
@@ -330,7 +330,7 @@ ipset_parse_single_tcp_port(struct ipset_session *session,
 	assert(opt == IPSET_OPT_PORT || opt == IPSET_OPT_PORT_TO);
 	assert(str);
 
-	return ipset_parse_port(session, opt, str, "TCP");
+	return ipset_parse_port(session, opt, str, "tcp");
 }
 
 /**
@@ -391,8 +391,8 @@ parse_icmp_typecode(struct ipset_session *session,
 				 str, family);
 	}
 	*a++ = '\0';
-	if ((err = string_to_u8(session, a, &type)) != 0 ||
-	    (err = string_to_u8(session, tmp, &code)) != 0)
+	if ((err = string_to_u8(session, tmp, &type)) != 0 ||
+	    (err = string_to_u8(session, a, &code)) != 0)
 		goto error;
 
 	typecode = (type << 8) | code;

extensions/ipset-6/src/ipset.c

@@ -24,7 +24,7 @@
 #include <libipset/utils.h>		/* STREQ */
 
 static char program_name[] = "ipset";
-static char program_version[] = "6.9.1-genl-xta";
+static char program_version[] = "6.10-genl-xta";
 
 static struct ipset_session *session;
 static uint32_t restore_line;

extensions/libxt_RAWDNAT.c

@@ -151,7 +151,8 @@ rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
 	       info->mask);
 }
 
-static struct xtables_target rawdnat_tg4_reg = {
+static struct xtables_target rawdnat_tg_reg[] = {
+	{
 		.version       = XTABLES_VERSION,
 		.name          = "RAWDNAT",
 		.revision      = 0,
@@ -164,9 +165,8 @@ static struct xtables_target rawdnat_tg4_reg = {
 		.print         = rawdnat_tg4_print,
 		.save          = rawdnat_tg4_save,
 		.extra_opts    = rawdnat_tg_opts,
-};
-
-static struct xtables_target rawdnat_tg6_reg = {
+	},
+	{
 		.version       = XTABLES_VERSION,
 		.name          = "RAWDNAT",
 		.revision      = 0,
@@ -179,10 +179,11 @@ static struct xtables_target rawdnat_tg6_reg = {
 		.print         = rawdnat_tg6_print,
 		.save          = rawdnat_tg6_save,
 		.extra_opts    = rawdnat_tg_opts,
+	},
 };
 
 static void _init(void)
 {
-	xtables_register_target(&rawdnat_tg4_reg);
-	xtables_register_target(&rawdnat_tg6_reg);
+	xtables_register_targets(rawdnat_tg_reg,
+		sizeof(rawdnat_tg_reg) / sizeof(*rawdnat_tg_reg));
 }

extensions/libxt_RAWSNAT.c

@@ -151,7 +151,8 @@ rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
 	       info->mask);
 }
 
-static struct xtables_target rawsnat_tg4_reg = {
+static struct xtables_target rawsnat_tg_reg[] = {
+	{
 		.version       = XTABLES_VERSION,
 		.name          = "RAWSNAT",
 		.revision      = 0,
@@ -164,9 +165,8 @@ static struct xtables_target rawsnat_tg4_reg = {
 		.print         = rawsnat_tg4_print,
 		.save          = rawsnat_tg4_save,
 		.extra_opts    = rawsnat_tg_opts,
-};
-
-static struct xtables_target rawsnat_tg6_reg = {
+	},
+	{
 		.version       = XTABLES_VERSION,
 		.name          = "RAWSNAT",
 		.revision      = 0,
@@ -179,10 +179,11 @@ static struct xtables_target rawsnat_tg6_reg = {
 		.print         = rawsnat_tg6_print,
 		.save          = rawsnat_tg6_save,
 		.extra_opts    = rawsnat_tg_opts,
+	},
 };
 
 static void _init(void)
 {
-	xtables_register_target(&rawsnat_tg4_reg);
-	xtables_register_target(&rawsnat_tg6_reg);
+	xtables_register_targets(rawsnat_tg_reg,
+		sizeof(rawsnat_tg_reg) / sizeof(*rawsnat_tg_reg));
 }

extensions/libxt_TEE.c

@@ -135,7 +135,8 @@ static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
 	printf(" --gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
 }
 
-static struct xtables_target tee_tg_reg = {
+static struct xtables_target tee_tg_reg[] = {
+	{
 		.name          = "TEE",
 		.version       = XTABLES_VERSION,
 		.revision      = 0,
@@ -148,9 +149,8 @@ static struct xtables_target tee_tg_reg = {
 		.print         = tee_tg_print,
 		.save          = tee_tg_save,
 		.extra_opts    = tee_tg_opts,
-};
-
-static struct xtables_target tee_tg6_reg = {
+	},
+	{
 		.name          = "TEE",
 		.version       = XTABLES_VERSION,
 		.revision      = 0,
@@ -163,10 +163,11 @@ static struct xtables_target tee_tg6_reg = {
 		.print         = tee_tg6_print,
 		.save          = tee_tg6_save,
 		.extra_opts    = tee_tg_opts,
+	},
 };
 
 static __attribute__((constructor)) void tee_tg_ldr(void)
 {
-	xtables_register_target(&tee_tg_reg);
-	xtables_register_target(&tee_tg6_reg);
+	xtables_register_targets(tee_tg_reg,
+		sizeof(tee_tg_reg) / sizeof(*tee_tg_reg));
 }

extensions/xt_DNETMAP.c

@@ -31,8 +31,13 @@
 #include <net/net_namespace.h>
 #include <net/netns/generic.h>
 #endif
-#include "xt_DNETMAP.h"
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
+#	include <net/netfilter/nf_nat.h>
+#else
+#	include <linux/netfilter/nf_nat.h>
+#endif
 #include "compat_xtables.h"
+#include "xt_DNETMAP.h"
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marek Kierdelewicz <marek@koba.pl>");
@@ -77,7 +82,7 @@ struct dnetmap_entry {
 };
 
 struct dnetmap_prefix {
-	struct nf_nat_multi_range_compat prefix;
+	struct nf_nat_ipv4_multi_range_compat prefix;
 	char prefix_str[16];
 	struct list_head list;
 	unsigned int refcnt;
@@ -154,7 +159,7 @@ dnetmap_entry_rlookup(struct dnetmap_net *dnetmap_net, const __be32 addr)
 
 static struct dnetmap_prefix *
 dnetmap_prefix_lookup(struct dnetmap_net *dnetmap_net,
-		      const struct nf_nat_multi_range_compat *mr)
+		      const struct nf_nat_ipv4_multi_range_compat *mr)
 {
 	struct dnetmap_prefix *p;
 
@@ -194,7 +199,7 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 {
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(par->net);
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
-	const struct nf_nat_multi_range_compat *mr = &tginfo->prefix;
+	const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
 	struct dnetmap_prefix *p;
 	struct dnetmap_entry *e;
 #ifdef CONFIG_PROC_FS
@@ -213,7 +218,7 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 		return ret;
 	}
 
-	if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
+	if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
 		pr_debug("DNETMAP:check: bad MAP_IPS.\n");
 		return -EINVAL;
 	}
@@ -316,8 +321,8 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 	enum ip_conntrack_info ctinfo;
 	__be32 prenat_ip, postnat_ip, prenat_ip_prev;
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
-	const struct nf_nat_multi_range_compat *mr = &tginfo->prefix;
-	struct nf_nat_range newrange;
+	const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
+	struct nf_nat_ipv4_range newrange;
 	struct dnetmap_entry *e;
 	struct dnetmap_prefix *p;
 	__s32 jttl;
@@ -354,8 +359,8 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 
 		spin_unlock_bh(&dnetmap_lock);
 
-		newrange = ((struct nf_nat_range) {
-			    mr->range[0].flags | IP_NAT_RANGE_MAP_IPS,
+		newrange = ((struct nf_nat_ipv4_range) {
+			    mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
 			    e->prenat_addr, e->prenat_addr,
 			    mr->range[0].min, mr->range[0].max});
 
@@ -440,8 +445,8 @@ bind_new_prefix:
 
 	spin_unlock_bh(&dnetmap_lock);
 
-	newrange = ((struct nf_nat_range) {
-		    mr->range[0].flags | IP_NAT_RANGE_MAP_IPS,
+	newrange = ((struct nf_nat_ipv4_range) {
+		    mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
 		    postnat_ip, postnat_ip,
 		    mr->range[0].min, mr->range[0].max});
 
@@ -459,7 +464,7 @@ static void dnetmap_tg_destroy(const struct xt_tgdtor_param *par)
 {
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(par->net);
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
-	const struct nf_nat_multi_range_compat *mr = &tginfo->prefix;
+	const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
 	struct dnetmap_prefix *p;
 #ifdef CONFIG_PROC_FS
 	char str[25];

extensions/xt_DNETMAP.h

@@ -8,7 +8,11 @@ enum {
 };
 
 struct xt_DNETMAP_tginfo {
+#ifdef __KERNEL__
+	struct nf_nat_ipv4_multi_range_compat prefix;
+#else
 	struct nf_nat_multi_range_compat prefix;
+#endif
 	__u8 flags;
 	__s16 ttl;
 };

extensions/xt_ECHO.c

@@ -1,7 +1,7 @@
 /*
  *	"ECHO" (RFC 862) target extension for Xtables
  *	Sample module for "Writing your own Netfilter Modules"
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -18,8 +18,112 @@
 #	include <linux/netfilter_bridge.h>
 #endif
 #include <net/ip.h>
+#include <net/ip6_route.h>
+#include <net/route.h>
 #include "compat_xtables.h"
 
+static unsigned int
+echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
+{
+	const struct sk_buff *oldskb = *poldskb;
+	const struct udphdr *oldudp;
+	const struct ipv6hdr *oldip;
+	struct udphdr *newudp, oldudp_buf;
+	struct ipv6hdr *newip;
+	struct sk_buff *newskb;
+	unsigned int data_len;
+	void *payload;
+	struct flowi6 fl;
+	struct dst_entry *dst = NULL;
+	struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
+
+	/* This allows us to do the copy operation in fewer lines of code. */
+	if (skb_linearize(*poldskb) < 0)
+		return NF_DROP;
+
+	oldip  = ipv6_hdr(oldskb);
+	oldudp = skb_header_pointer(oldskb, par->thoff,
+	         sizeof(*oldudp), &oldudp_buf);
+	if (oldudp == NULL)
+		return NF_DROP;
+	if (ntohs(oldudp->len) <= sizeof(*oldudp))
+		return NF_DROP;
+
+	newskb = alloc_skb(LL_MAX_HEADER + sizeof(*newip) +
+	         ntohs(oldudp->len), GFP_ATOMIC);
+	if (newskb == NULL)
+		return NF_DROP;
+
+	skb_reserve(newskb, LL_MAX_HEADER);
+	newskb->protocol = oldskb->protocol;
+
+	skb_reset_network_header(newskb);
+	newip = (void *)skb_put(newskb, sizeof(*newip));
+	newip->version  = oldip->version;
+	newip->priority = oldip->priority;
+	memcpy(newip->flow_lbl, oldip->flow_lbl, sizeof(newip->flow_lbl));
+	newip->nexthdr  = par->target->proto;
+	newip->saddr    = oldip->daddr;
+	newip->daddr    = oldip->saddr;
+
+	skb_reset_transport_header(newskb);
+	newudp = (void *)skb_put(newskb, sizeof(*newudp));
+	newudp->source = oldudp->dest;
+	newudp->dest   = oldudp->source;
+	newudp->len    = oldudp->len;
+
+	data_len = htons(oldudp->len) - sizeof(*oldudp);
+	payload  = skb_header_pointer(oldskb, par->thoff +
+	           sizeof(*oldudp), data_len, NULL);
+	memcpy(skb_put(newskb, data_len), payload, data_len);
+
+#if 0
+	/*
+	 * Since no fields are modified (we just swapped things around),
+	 * this works too in our specific echo case.
+	 */
+	newudp->check = oldudp->check;
+#else
+	newudp->check = 0;
+	newudp->check = csum_ipv6_magic(&newip->saddr, &newip->daddr,
+	                ntohs(newudp->len), IPPROTO_UDP,
+	                csum_partial(newudp, ntohs(newudp->len), 0));
+#endif
+
+	memset(&fl, 0, sizeof(fl));
+	fl.flowi6_proto = newip->nexthdr;
+	ipv6_addr_copy(&fl.saddr, &newip->saddr);
+	ipv6_addr_copy(&fl.daddr, &newip->daddr);
+	fl.fl6_sport = newudp->source;
+	fl.fl6_dport = newudp->dest;
+	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
+	dst = ip6_route_output(net, NULL, &fl);
+	if (dst == NULL || dst->error != 0) {
+		dst_release(dst);
+		goto free_nskb;
+	}
+
+	skb_dst_set(newskb, dst);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
+	newip->hop_limit = ip6_dst_hoplimit(skb_dst(newskb));
+#else
+	newip->hop_limit = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
+#endif
+	newskb->ip_summed = CHECKSUM_NONE;
+
+	/* "Never happens" (?) */
+	if (newskb->len > dst_mtu(skb_dst(newskb)))
+		goto free_nskb;
+
+	nf_ct_attach(newskb, *poldskb);
+	ip6_local_out(newskb);
+	return NF_DROP;
+
+ free_nskb:
+	kfree_skb(newskb);
+	return NF_DROP;
+}
+
 static unsigned int
 echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 {
@@ -29,33 +133,33 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	struct udphdr *newudp, oldudp_buf;
 	struct iphdr *newip;
 	struct sk_buff *newskb;
-	unsigned int addr_type, data_len;
+	unsigned int data_len;
 	void *payload;
 
-	printk(KERN_INFO "dst_out=%p\n", skb_dst(*poldskb)->output);
-
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(*poldskb) < 0)
 		return NF_DROP;
 
 	oldip  = ip_hdr(oldskb);
-	oldudp = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
-	         sizeof(struct udphdr), &oldudp_buf);
+	oldudp = skb_header_pointer(oldskb, par->thoff,
+	         sizeof(*oldudp), &oldudp_buf);
 	if (oldudp == NULL)
 		return NF_DROP;
-	if (ntohs(oldudp->len) <= sizeof(struct udphdr))
+	if (ntohs(oldudp->len) <= sizeof(*oldudp))
 		return NF_DROP;
 
-	newskb = alloc_skb(LL_MAX_HEADER + sizeof(struct iphdr) +
+	newskb = alloc_skb(LL_MAX_HEADER + sizeof(*newip) +
 	         ntohs(oldudp->len), GFP_ATOMIC);
 	if (newskb == NULL)
 		return NF_DROP;
 
 	skb_reserve(newskb, LL_MAX_HEADER);
+	newskb->protocol = oldskb->protocol;
+
 	skb_reset_network_header(newskb);
-	newip = (void *)skb_put(newskb, sizeof(struct iphdr));
-	newip->version  = 4;
-	newip->ihl      = sizeof(struct iphdr) / 4;
+	newip = (void *)skb_put(newskb, sizeof(*newip));
+	newip->version  = oldip->version;
+	newip->ihl      = sizeof(*newip) / 4;
 	newip->tos      = oldip->tos;
 	newip->id       = 0;
 	newip->frag_off = htons(IP_DF);
@@ -64,33 +168,41 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	newip->saddr    = oldip->daddr;
 	newip->daddr    = oldip->saddr;
 
-	newudp = (void *)skb_put(newskb, sizeof(struct udphdr));
+	skb_reset_transport_header(newskb);
+	newudp = (void *)skb_put(newskb, sizeof(*newudp));
 	newudp->source = oldudp->dest;
 	newudp->dest   = oldudp->source;
 	newudp->len    = oldudp->len;
-	newudp->check  = 0;
 
 	data_len = htons(oldudp->len) - sizeof(*oldudp);
-	payload  = skb_header_pointer(oldskb, ip_hdrlen(oldskb) +
+	payload  = skb_header_pointer(oldskb, par->thoff +
 	           sizeof(*oldudp), data_len, NULL);
 	memcpy(skb_put(newskb, data_len), payload, data_len);
 
-	addr_type = RTN_UNSPEC;
-#ifdef CONFIG_BRIDGE_NETFILTER
-	if (par->hooknum != NF_INET_FORWARD || (newskb->nf_bridge != NULL &&
-	    newskb->nf_bridge->mask & BRNF_BRIDGED))
+#if 0
+	/*
+	 * Since no fields are modified (we just swapped things around),
+	 * this works too in our specific echo case.
+	 */
+	newudp->check = oldudp->check;
 #else
-	if (par->hooknum != NF_INET_FORWARD)
+	newudp->check = 0;
+	newudp->check = csum_tcpudp_magic(newip->saddr, newip->daddr,
+	                ntohs(newudp->len), IPPROTO_UDP,
+	                csum_partial(newudp, ntohs(newudp->len), 0));
 #endif
-		addr_type = RTN_LOCAL;
 
 	/* ip_route_me_harder expects the skb's dst to be set */
 	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
 
-	if (ip_route_me_harder(&newskb, addr_type) < 0)
+	if (ip_route_me_harder(&newskb, RTN_UNSPEC) != 0)
 		goto free_nskb;
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
+	newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
+#else
 	newip->ttl = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
+#endif
 	newskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" (?) */
@@ -106,7 +218,17 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	return NF_DROP;
 }
 
-static struct xt_target echo_tg_reg __read_mostly = {
+static struct xt_target echo_tg_reg[] __read_mostly = {
+	{
+		.name       = "ECHO",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.proto      = IPPROTO_UDP,
+		.table      = "filter",
+		.target     = echo_tg6,
+		.me         = THIS_MODULE,
+	},
+	{
 		.name       = "ECHO",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
@@ -114,16 +236,17 @@ static struct xt_target echo_tg_reg __read_mostly = {
 		.table      = "filter",
 		.target     = echo_tg4,
 		.me         = THIS_MODULE,
+	},
 };
 
 static int __init echo_tg_init(void)
 {
-	return xt_register_target(&echo_tg_reg);
+	return xt_register_targets(echo_tg_reg, ARRAY_SIZE(echo_tg_reg));
 }
 
 static void __exit echo_tg_exit(void)
 {
-	return xt_unregister_target(&echo_tg_reg);
+	return xt_unregister_targets(echo_tg_reg, ARRAY_SIZE(echo_tg_reg));
 }
 
 module_init(echo_tg_init);
@@ -131,4 +254,5 @@ module_exit(echo_tg_exit);
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: ECHO diagnosis target");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("ip6t_ECHO");
 MODULE_ALIAS("ipt_ECHO");

extensions/xt_STEAL.c

@@ -3,6 +3,7 @@
  *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
  *	placed in the Public Domain
  */
+#include <linux/module.h>
 #include <linux/netfilter.h>
 #include <linux/skbuff.h>
 #include "compat_xtables.h"

extensions/xt_ipv4options.c

@@ -20,6 +20,17 @@ static uint32_t ipv4options_rd(const uint8_t *data, int len)
 	uint32_t opts = 0;
 
 	while (len >= 2) {
+		switch (data[0]) {
+		case IPOPT_END:
+			return opts;
+		case IPOPT_NOOP:
+			--len;
+			++data;
+			continue;
+		}
+
+		if (data[1] < 2 || data[1] > len)
+			return opts;
 		opts |= 1 << (data[0] & 0x1F);
 		len  -= data[1];
 		data += data[1];

extensions/xt_quota2.c

@@ -8,10 +8,11 @@
  * 	Sam Johnston <samj@samj.net>
  *
  *	This program is free software; you can redistribute it and/or modify
- *	it under the terms of the GNU General Public License; either
- *	version 2 of the License, as published by the Free Software Foundation.
+ *	it under the terms of the GNU General Public License
+ *	version 2, as published by the Free Software Foundation.
  */
 #include <linux/list.h>
+#include <linux/module.h>
 #include <linux/proc_fs.h>
 #include <linux/skbuff.h>
 #include <linux/spinlock.h>

mconfig

@@ -20,7 +20,7 @@ build_geoip=m
 build_gradm=m
 build_iface=m
 build_ipp2p=m
-build_ipset6=m
+build_ipset6=
 build_ipv4options=m
 build_length2=m
 build_lscan=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.39 (2011-09-21)" "" "v1.39 (2011-09-21)"
+.TH xtables-addons 8 "v1.41 (2012-01-04)" "" "v1.41 (2012-01-04)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets