Xtables-addons 1.47

The lower support boundary is currently 2.6.32, but vzalloc is only
available since 2.6.37.

INSTALL

@@ -14,7 +14,7 @@ Supported configurations for this release
 
 	* iptables >= 1.4.5
 
-	* kernel-source >= 2.6.29
+	* kernel-devel >= 2.6.32
 	  with prepared build/output directory
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [1.42])
+AC_INIT([xtables-addons], [1.47])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -6,6 +6,7 @@ AC_PROG_INSTALL
 AM_INIT_AUTOMAKE([1.10b -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
+m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
 AC_DISABLE_STATIC
 AC_PROG_LIBTOOL
 
@@ -30,7 +31,7 @@ xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
 
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path where to install Xtables extensions [[autodetect]]]]),
+	[Path where to install Xtables extensions [[autodetect]]]),
 	[xtlibdir="$withval"])
 AC_MSG_CHECKING([Xtables module directory])
 AC_MSG_RESULT([$xtlibdir])
@@ -62,8 +63,8 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 4; then
-			echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
+		if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 6; then
+			echo "WARNING: That kernel version is not officially supported.";
 		elif test "$kmajor" -eq 3; then
 			:;
 		elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 32; then

doc/changelog.txt

@@ -3,6 +3,57 @@ HEAD
 ====
 
 
+v1.47 (2010-10-15)
+==================
+Enhancements:
+- xt_psd gained IPv6 support
+Notes for this release:
+- Linux 3.7+ is expressly unsupported by this release.
+
+
+v1.46 (2012-08-23)
+==================
+Fixes:
+- length2, SYSRQ, RAWNAT: preinitialize values for ipv6_find_hdr
+- TARPIT: fix memory leak when tarpit_generic() fails
+- build: remove extraneous closing bracket in configure.ac
+- doc: update xt_SYSRQ.man to reflect that the full IPv6 address is needed
+Enhancements:
+- Support for Linux 3.6
+
+
+v1.45 (2012-07-16)
+==================
+Fixes:
+- build: export missing functions
+  (fixes: "WARNING 'xtnu_ipv6_find_hdr' [xt_TARPIT.ko] not found")
+- build: avoid use of unexported functions
+  (fixes: "WARNING 'ipv6_find_hdr' [xt_TARPIT.ko] not found"
+  in <= linux-2.6.37)
+
+
+v1.44 (2012-07-15)
+==================
+Fixes:
+- SYSRQ: fix double target initialization at module load
+- build: do not attempt to build IPv6 parts if CONFIG_IP6_NF_IPTABLES=n
+Enhancements:
+- TARPIT gained IPv6 support
+
+
+v1.43 (2012-06-30)
+==================
+Fixes:
+- xt_psd: avoid crash due to curr->next corruption
+Changes:
+- xt_psd: reject invalid match options
+Enhancements:
+- Support for Linux 3.5
+- DNETMAP: new type: static binding
+- DNETMAP: new persistent flag option for prefix
+- DNETMAP: add write support to procfs interface
+
+
 v1.42 (2012-04-05)
 ==================
 Fixes:

extensions/Kbuild

@@ -11,11 +11,13 @@ obj-${build_CHECKSUM}    += xt_CHECKSUM.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_DNETMAP}     += xt_DNETMAP.o
+ifeq (${VERSION},3)
 obj-${build_ECHO}        += xt_ECHO.o
+endif
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
 obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o
-ifneq (${CONFIG_IPV6},)
+ifneq (${CONFIG_IP6_NF_IPTABLES},)
 obj-${build_RAWNAT}      += ip6table_rawpost.o
 endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o

extensions/compat_xtables.c

@@ -16,14 +16,19 @@
 #include <linux/version.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_arp.h>
 #include <net/ip.h>
+#include <net/ipv6.h>
 #include <net/route.h>
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0)
 #	include <linux/export.h>
 #endif
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#	define WITH_IPV6 1
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 static int xtnu_match_run(const struct sk_buff *skb,
@@ -612,4 +617,22 @@ void *HX_memmem(const void *space, size_t spacesize,
 }
 EXPORT_SYMBOL_GPL(HX_memmem);
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0) && defined(WITH_IPV6)
+int xtnu_ipv6_skip_exthdr(const struct sk_buff *skb, int start,
+    uint8_t *nexthdrp, __be16 *fragoffp)
+{
+	return ipv6_skip_exthdr(skb, start, nexthdrp);
+}
+EXPORT_SYMBOL_GPL(xtnu_ipv6_skip_exthdr);
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0) && defined(WITH_IPV6)
+int xtnu_ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
+    int target, unsigned short *fragoff, int *fragflg)
+{
+	return ipv6_find_hdr(skb, offset, target, fragoff);
+}
+EXPORT_SYMBOL_GPL(xtnu_ipv6_find_hdr);
+#endif
+
 MODULE_LICENSE("GPL");

extensions/compat_xtables.h

@@ -96,6 +96,7 @@
 #	define nf_nat_ipv4_multi_range_compat nf_nat_multi_range_compat
 #	define nf_nat_ipv4_range nf_nat_range
 #	define NF_NAT_RANGE_MAP_IPS IP_NAT_RANGE_MAP_IPS
+#	define ipv6_skip_exthdr xtnu_ipv6_skip_exthdr
 #endif
 
 #if !defined(NIP6) && !defined(NIP6_FMT)
@@ -119,6 +120,10 @@
 #	define NIPQUAD_FMT "%u.%u.%u.%u"
 #endif
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
+#	define ipv6_find_hdr xtnu_ipv6_find_hdr
+#endif
+
 #define ip_route_me_harder    xtnu_ip_route_me_harder
 #define skb_make_writable     xtnu_skb_make_writable
 #define xt_target             xtnu_target

extensions/compat_xtnu.h

@@ -162,6 +162,10 @@ extern void xtnu_csum_replace4(__u16 __bitwise *, __be32, __be32);
 extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
 	__be32, __be32, bool);
 extern int xtnu_skb_linearize(struct sk_buff *);
+extern int xtnu_ipv6_skip_exthdr(const struct sk_buff *, int,
+	uint8_t *, __be16 *);
+extern int xtnu_ipv6_find_hdr(const struct sk_buff *, unsigned int *,
+	int, unsigned short *, int *);
 
 extern void *HX_memmem(const void *, size_t, const void *, size_t);
 

extensions/libxt_DNETMAP.c

@@ -20,6 +20,8 @@ static const struct option DNETMAP_opts[] = {
 	{"prefix", 1, NULL, 'p'},
 	{"reuse", 0, NULL, 'r'},
 	{"ttl", 1, NULL, 't'},
+	{"static", 0, NULL, 's'},
+	{"persistent", 0, NULL, 'e'},
 	{.name = NULL}
 };
 
@@ -33,9 +35,14 @@ static void DNETMAP_help(void)
 	       "  --%s seconds\n"
 	       "    Regenerate bindings ttl value to seconds. If negative value is specified,\n"
 	       "    bindings ttl is kept unchanged. If not specified then default ttl value (600s)\n"
-	       "    is used.\n\n",
-	       DNETMAP_opts[0].name, DNETMAP_opts[1].name,
-	       DNETMAP_opts[2].name);
+		"    is used\n"
+		"  --%s\n"
+		"    Match only static entries for this rule. Dynamic entries won't be created.\n"
+		"  --%s\n"
+		"    Set prefix persistent. It won't be removed after deleting last iptables rule.\n\n",
+		DNETMAP_opts[0].name, DNETMAP_opts[1].name,
+		DNETMAP_opts[2].name, DNETMAP_opts[3].name,
+		DNETMAP_opts[4].name);
 }
 
 static u_int32_t bits2netmask(int bits)
@@ -151,6 +158,20 @@ static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
 		*flags |= XT_DNETMAP_REUSE;
 		tginfo->flags |= XT_DNETMAP_REUSE;
 		return 1;
+	case 's':
+		xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--static",
+				  *flags & XT_DNETMAP_STATIC);
+		xtables_param_act(XTF_NO_INVERT, MODULENAME, "--static", invert);
+		*flags |= XT_DNETMAP_STATIC;
+		tginfo->flags |= XT_DNETMAP_STATIC;
+		return 1;
+	case 'e':
+		xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--persistent",
+				  *flags & XT_DNETMAP_PERSISTENT);
+		xtables_param_act(XTF_NO_INVERT, MODULENAME, "--persistent", invert);
+		*flags |= XT_DNETMAP_PERSISTENT;
+		tginfo->flags |= XT_DNETMAP_PERSISTENT;
+		return 1;
 	case 't':
 		xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--ttl",
 				  *flags & XT_DNETMAP_TTL);
@@ -198,7 +219,15 @@ static void DNETMAP_print(const void *ip, const struct xt_entry_target *target,
 	else
 		printf("any");
 
-	printf(" reuse %i", (*flags & XT_DNETMAP_REUSE) > 0);
+	if (*flags & XT_DNETMAP_REUSE)
+		printf(" reuse");
+
+	if (*flags & XT_DNETMAP_STATIC)
+		printf(" static");
+
+	if (*flags & XT_DNETMAP_PERSISTENT)
+		printf(" persistent");
+
 	if (*flags & XT_DNETMAP_TTL)
 		printf(" ttl %i", tginfo->ttl);
 	else
@@ -214,7 +243,15 @@ static void DNETMAP_save(const void *ip, const struct xt_entry_target *target)
 		printf(" --%s ", DNETMAP_opts[0].name);
 		DNETMAP_print_addr(ip, target, 0);
 	}
-	printf(" --reuse %i ", *flags & XT_DNETMAP_REUSE);
+
+	if (*flags & XT_DNETMAP_REUSE)
+		printf(" --reuse ");
+
+	if (*flags & XT_DNETMAP_STATIC)
+		printf(" --static ");
+
+	if (*flags & XT_DNETMAP_PERSISTENT)
+		printf(" --persistent ");
 
 	/* ommited because default value can change as kernel mod param */
 	if (*flags & XT_DNETMAP_TTL)

extensions/libxt_DNETMAP.man

@@ -18,6 +18,17 @@ Network subnet to map to. If not specified, all existing prefixes are used.
 \fB\-\-reuse\fR
 Reuse entry for given prenat-ip from any prefix despite bindings ttl < 0.
 .TP
+\fB\-\-persistent\fR
+Set prefix persistent. It won't be removed after deleting last iptables rule.
+Option is effective only in the first rule for a given prefix. If you
+need to change persistency for existing prefix, please use proc interface
+described below.
+.TP
+\fB\-\-static\fR
+Don't create dynamic mappings using this rule. Use static mappings only. Note
+that you need to create static mappings via proc interface for this rule with
+this option to have any effect.
+.TP
 \fB\-\-ttl\fR \fIseconds\fR
 Regenerate bindings ttl value to \fIseconds\fR. If negative value is specified,
 bindings ttl is kept unchanged. If not specified then default ttl value (600s)
@@ -30,16 +41,45 @@ Module creates following entries for each new specified subnet:
 \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR
 Contains binding table for subnet/mask. Each line contains \fBprenat-ip\fR,
 \fBpostnat-ip\fR,\fBttl\fR (seconds till entry times out), \fBlasthit\fR (last
-entry hit in seconds relative to system boot time).
+entry hit in seconds relative to system boot time). Please note that \fBttl\fR
+and \fBlasthit\fR entries contain \fBS\fR in case of static binding.
 .TP
 \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
-Contains statistics for given subnet/mask. Line contains contains three
+Contains statistics for given subnet/mask. Line contains contains four
 numerical values separated by spaces. First one is number of currently used
-addresses (bindings with negative ttl excluded), second one is number of all
-usable addresses in subnet and third one is mean \fBttl\fR value for all active
-entries.
+dynamic addresses (bindings with negative ttl excluded), second one is number
+static assignments, third one is number of all usable addresses in subnet and
+the fourth one is mean \fBttl\fR value for all active entries. If prefix has
+persistent flag set it'll be noted as fifth entry.
+.PP
+Following write operations are supported via proc interface:
+.TP
+echo "+\fIprenatIP\fR:\fIpostnatIP\fR" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Adds static binding between prenatIP nad postnatIP. If postnatIP is already
+bound, previous binding will be timedout immediatelly. Static binding is never
+timedout.
+.TP
+echo "-\fIIP\fR" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Removes binding with \fIIP\fR as prenat or postnat address. If removed binding
+is currently static, it'll make entry available for dynamic allocation.
+.TP
+echo "+persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Sets persistent flag for prefix. It's usefull if you don't want bindings to get
+flushed when firewall is restarted. You can check if prefix is persistent by
+printing \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
+contents.
+.TP
+echo "-persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Unsets persistent flag for prefix. In this mode prefix will be deleted if the
+last iptables rule for that prefix is removed.
+.TP
+echo "flush" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
+Flushes all bindings for specific prefix. All static entries are also flushed
+and are available for dynamic bindings.
+.PP
+Note! Entries are removed if the last iptables rule for a specific prefix is
+deleted unless there's persistent flag set.
 .PP
-Entries are removed if the last iptables rule for a specific subnet is deleted.
 
 \fB* Logging\fR
 
@@ -88,4 +128,45 @@ specify \fB\-\-prefix\fR parameter in PREROUTING rule, because this way it DNATs
 traffic to all active prefixes. You could specify prefix it you'd like to make
 DNAT work for specific prefix only.
 
+\fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments only:
+
+iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
+--static
+
+echo "+192.168.0.10:20.0.0.1" > /proc/net/xt_DNETMAP/20.0.0.0_26
+.br
+echo "+192.168.0.11:20.0.0.2" > /proc/net/xt_DNETMAP/20.0.0.0_26
+.br
+echo "+192.168.0.51:20.0.0.3" > /proc/net/xt_DNETMAP/20.0.0.0_26
+
+This configuration will allow only preconfigured static bindings to work due to
+\fBstatic\fR rule option. Without this flag dynamic bindings would be created
+using non-static entries.
+
+\fB5.\fR Persistent prefix:
+
+iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
+--persistent
+.br
+\fBor\fR
+.br
+iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
+.br
+echo "+persistent" > /proc/net/xt_DNETMAP/20.0.0.0_26
+
+Now we can check persistent flag of the prefix:
+.br
+cat /proc/net/xt_DNETMAP/20.0.0.0_26
+.br
+0 0 64 0 \fBpersistent\fR
+
+Flush iptables nat table and see that prefix is still in existence:
+.br
+iptables -F -t nat
+.br
+ls -l /proc/net/xt_DNETMAP
+.br
+-rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26
+.br
+-rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26_stat
 .

extensions/libxt_SYSRQ.man

@@ -62,7 +62,7 @@ password="password"
 seqno="$(date +%s)"
 salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
     openssl enc \-base64)"
-ipaddr=10.10.25.7
+ipaddr="2001:0db8:0000:0000:0000:ff00:0042:8329"
 req="$sysrq_key,$seqno,$salt"
 req="$req,$(echo \-n "$req,$ipaddr,$password" | sha1sum | cut \-c1\-40)"
 
@@ -75,8 +75,8 @@ sysrq key can be used at once, but bear in mind that, for example, a sync may
 not complete before a subsequent reboot or poweroff.
 .PP
 An IPv4 address should have no leading zeros, an IPv6 address should
-be in the form recommended by RFC 5952.  The debug option will log the
-correct form of the address.
+be in the full expanded form (as shown above). The debug option will cause
+output to be emitted in the same form.
 .PP
 The hashing scheme should be enough to prevent mis-use of SYSRQ in many
 environments, but it is not perfect: take reasonable precautions to

extensions/libxt_TARPIT.c

@@ -106,7 +106,7 @@ static void tarpit_tg_save(const void *ip,
 static struct xtables_target tarpit_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "TARPIT",
-	.family        = NFPROTO_IPV4,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_tarpit_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tarpit_tginfo)),
 	.help          = tarpit_tg_help,

extensions/libxt_fuzzy.c

@@ -100,7 +100,7 @@ static void fuzzy_mt_save(const void *ip, const struct xt_entry_match *match)
 	printf(" --upper-limit %u ", info->maximum_rate);
 }
 
-static struct xtables_match fuzzy_mt_reg = { 
+static struct xtables_match fuzzy_mt_reg = {
 	.name          = "fuzzy",
 	.revision      = 1,
 	.version       = XTABLES_VERSION,

extensions/libxt_geoip.c

@@ -100,7 +100,7 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
 	close(fd);
 	return subnets;
 }
- 
+
 static struct geoip_country_user *geoip_load_cc(const char *code,
     unsigned short cc, uint8_t nfproto)
 {

extensions/libxt_gradm.c

@@ -78,7 +78,7 @@ static void gradm_mt_save(const void *ip, const struct xt_entry_match *match)
 		printf(" --enabled ");
 }
 
-static struct xtables_match gradm_mt_reg = { 
+static struct xtables_match gradm_mt_reg = {
 	.family        = NFPROTO_UNSPEC,
 	.name          = "gradm",
 	.version       = XTABLES_VERSION,

extensions/libxt_ipp2p.man

@@ -36,7 +36,7 @@ Matches some WinMX packets. Considered as beta, use careful!
 Matches Ares and AresLite packets. Use together with \-j DROP only.
 .TP
 \fB\-\-debug\fP
-Prints some information about each hit into kernel logfile. May 
+Prints some information about each hit into kernel logfile. May
 produce huge logfiles so beware!
 .PP
 Note that ipp2p may not (and often, does not) identify all packets that are

extensions/libxt_psd.c

@@ -30,6 +30,8 @@
 #include "xt_psd.h"
 #include "compat_user.h"
 
+#define SCAN_DELAY_THRESHOLD		300
+
 /* Function which prints out usage message. */
 static void psd_mt_help(void) {
 	printf(
@@ -137,19 +139,19 @@ static void psd_mt_save(const void *ip, const struct xt_entry_match *match)
 }
 
 static struct xtables_match psd_mt_reg = {
-	.name			= "psd",
-	.version		= XTABLES_VERSION,
-	.revision   	= 1,
-	.family        = NFPROTO_IPV4,
-	.size			= XT_ALIGN(sizeof(struct xt_psd_info)),
+	.name           = "psd",
+	.version        = XTABLES_VERSION,
+	.revision       = 1,
+	.family         = NFPROTO_UNSPEC,
+	.size           = XT_ALIGN(sizeof(struct xt_psd_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_psd_info)),
-	.help			= psd_mt_help,
-	.init			= psd_mt_init,
-	.parse			= psd_mt_parse,
-	.final_check	= psd_mt_final_check,
-	.print			= psd_mt_print,
-	.save			= psd_mt_save,
-	.extra_opts		= psd_mt_opts,
+	.help           = psd_mt_help,
+	.init           = psd_mt_init,
+	.parse          = psd_mt_parse,
+	.final_check    = psd_mt_final_check,
+	.print          = psd_mt_print,
+	.save           = psd_mt_save,
+	.extra_opts     = psd_mt_opts,
 };
 
 static __attribute__((constructor)) void psd_mt_ldr(void)

extensions/xt_DNETMAP.c

@@ -3,7 +3,7 @@
  * or destination (PREROUTING),
  */
 
-/* (C) 2011 Marek Kierdelewicz <marek@koba.pl>
+/* (C) 2012 Marek Kierdelewicz <marek@koba.pl>
  *
  * module is dedicated to my wife Eliza and my daughters Jula and Ola :* :* :*
  *
@@ -19,6 +19,7 @@
  */
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/inet.h>
 #include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/netdevice.h>
@@ -40,7 +41,7 @@
 #include "xt_DNETMAP.h"
 
 MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marek Kierdelewicz <marek@koba.pl>");
+MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
 MODULE_DESCRIPTION(
 	"Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
 MODULE_ALIAS("ipt_DNETMAP");
@@ -77,6 +78,7 @@ struct dnetmap_entry {
 	struct list_head lru_list;
 	__be32 prenat_addr;
 	__be32 postnat_addr;
+	__u8 flags;
 	unsigned long stamp;
 	struct dnetmap_prefix *prefix;
 };
@@ -84,12 +86,18 @@ struct dnetmap_entry {
 struct dnetmap_prefix {
 	struct nf_nat_ipv4_multi_range_compat prefix;
 	char prefix_str[16];
-	struct list_head list;
+#ifdef CONFIG_PROC_FS
+	char proc_str_data[20];
+	char proc_str_stat[25];
+#endif
+	struct list_head elist; // element list head
+	struct list_head list;	// prefix list
+	__u8 flags;
 	unsigned int refcnt;
 	/* lru entry list */
 	struct list_head lru_list;
-	/* hash based on prenat-ips */
-	struct list_head iphash[0];
+	/* pointer do dnetmap_net */
+	struct dnetmap_net *dnetmap;
 };
 
 struct dnetmap_net {
@@ -157,6 +165,18 @@ dnetmap_entry_rlookup(struct dnetmap_net *dnetmap_net, const __be32 addr)
 	return NULL;
 }
 
+static int
+dnetmap_addr_in_prefix(struct dnetmap_net *dnetmap_net, const __be32 addr,
+	struct dnetmap_prefix *p)
+{
+	struct dnetmap_entry *e;
+
+	list_for_each_entry(e, &p->elist, list)
+		if (memcmp(&e->postnat_addr, &addr, sizeof(addr)) == 0)
+			return 1;
+	return 0;
+}
+
 static struct dnetmap_prefix *
 dnetmap_prefix_lookup(struct dnetmap_net *dnetmap_net,
 		      const struct nf_nat_ipv4_multi_range_compat *mr)
@@ -169,12 +189,47 @@ dnetmap_prefix_lookup(struct dnetmap_net *dnetmap_net,
 	return NULL;
 }
 
-static void dnetmap_prefix_flush(struct dnetmap_net *dnetmap_net,
+static void dnetmap_prefix_destroy(struct dnetmap_net *dnetmap_net,
 				 struct dnetmap_prefix *p)
 {
 	struct dnetmap_entry *e, *next;
 	unsigned int i;
 
+#ifdef CONFIG_PROC_FS
+	remove_proc_entry(p->proc_str_data, dnetmap_net->xt_dnetmap);
+	remove_proc_entry(p->proc_str_stat, dnetmap_net->xt_dnetmap);
+#endif
+
+	for (i = 0; i < hash_size; i++) {
+		list_for_each_entry_safe(e, next,
+					 &dnetmap_net->dnetmap_iphash[i], glist)
+			if (e->prefix == p)
+				list_del(&e->glist);
+
+		list_for_each_entry_safe(e, next,
+					 &dnetmap_net->
+					 dnetmap_iphash[hash_size + i], grlist)
+			if (e->prefix == p)
+				list_del(&e->grlist);
+	}
+
+	list_for_each_entry_safe(e, next, &p->elist, list) {
+		list_del(&e->list);
+		if(! (e->flags & XT_DNETMAP_STATIC)) list_del(&e->lru_list);
+		kfree(e);
+	}
+
+	list_del(&p->list);
+	kfree(p);
+}
+
+/* function clears bindings without destroying prefix */
+static void dnetmap_prefix_softflush(struct dnetmap_prefix *p)
+{
+	struct dnetmap_net *dnetmap_net = p->dnetmap;
+	struct dnetmap_entry *e, *next;
+	unsigned int i;
+
 	for (i = 0; i < hash_size; i++) {
 		list_for_each_entry_safe(e, next,
 					 &dnetmap_net->dnetmap_iphash[i], glist)
@@ -186,12 +241,16 @@ static void dnetmap_prefix_flush(struct dnetmap_net *dnetmap_net,
 					 dnetmap_iphash[hash_size + i], grlist)
 			if (e->prefix == p)
 				list_del(&e->grlist);
+	}
+	list_for_each_entry_safe(e, next, &p->elist, list) {
 
-		list_for_each_entry_safe(e, next, &p->iphash[i], list) {
-			list_del(&e->list);
-			list_del(&e->lru_list);
-			kfree(e);
+		/* make dynamic entry of any static entry */
+		if(e->flags & XT_DNETMAP_STATIC){
+			list_add_tail(&e->lru_list, &p->lru_list);
+			e->flags&=~XT_DNETMAP_STATIC;
 		}
+		e->stamp=jiffies-1;
+		e->prenat_addr=0;
 	}
 }
 
@@ -204,11 +263,8 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 	struct dnetmap_entry *e;
 #ifdef CONFIG_PROC_FS
 	struct proc_dir_entry *pde_data, *pde_stat;
-	char proc_str_data[20];
-	char proc_str_stat[25];
 #endif
 	int ret = -EINVAL;
-	int i;
 	__be32 a;
 	__u32 ip_min, ip_max, ip;
 
@@ -243,11 +299,13 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 		goto out;
 	}
 	p->refcnt = 1;
+	p->flags = 0;
+	p->flags |= (tginfo->flags & XT_DNETMAP_PERSISTENT);
+	p->dnetmap = dnetmap_net;
 	memcpy(&p->prefix, mr, sizeof(*mr));
 
 	INIT_LIST_HEAD(&p->lru_list);
-	for (i = 0; i < hash_size * 2; i++)
-		INIT_LIST_HEAD(&p->iphash[i]);
+	INIT_LIST_HEAD(&p->elist);
 
 	ip_min = ntohl(mr->range[0].min_ip) + (whole_prefix == 0);
 	ip_max = ntohl(mr->range[0].max_ip) - (whole_prefix == 0);
@@ -255,9 +313,9 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 	sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->range[0].min_ip),
 		33 - ffs(~(ip_min ^ ip_max)));
 #ifdef CONFIG_PROC_FS
-	sprintf(proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->range[0].min_ip),
+	sprintf(p->proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->range[0].min_ip),
 		33 - ffs(~(ip_min ^ ip_max)));
-	sprintf(proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->range[0].min_ip),
+	sprintf(p->proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->range[0].min_ip),
 		33 - ffs(~(ip_min ^ ip_max)));
 #endif
 	printk(KERN_INFO KBUILD_MODNAME ": new prefix %s\n", p->prefix_str);
@@ -271,12 +329,14 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 		e->prenat_addr = 0;
 		e->stamp = jiffies;
 		e->prefix = p;
+		e->flags = 0;
 		list_add_tail(&e->lru_list, &p->lru_list);
+		list_add_tail(&e->list, &p->elist);
 	}
 
 #ifdef CONFIG_PROC_FS
 	/* data */
-	pde_data = proc_create_data(proc_str_data, proc_perms,
+	pde_data = proc_create_data(p->proc_str_data, proc_perms,
 				    dnetmap_net->xt_dnetmap,
 				    &dnetmap_tg_fops, p);
 	if (pde_data == NULL) {
@@ -288,7 +348,7 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 	pde_data->gid = proc_gid;
 
 	/* statistics */
-	pde_stat = create_proc_entry(proc_str_stat, proc_perms,
+	pde_stat = create_proc_entry(p->proc_str_stat, proc_perms,
 				     dnetmap_net->xt_dnetmap);
 	if (pde_stat == NULL) {
 		kfree(p);
@@ -351,7 +411,7 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 			if (memcmp(mr, &e->prefix, sizeof(*mr)))
 				goto no_rev_map;
 		/* don't reset ttl if flag is set */
-		if (jttl >= 0) {
+		if (jttl >= 0 && (! (e->flags & XT_DNETMAP_STATIC) ) ) {
 			p = e->prefix;
 			e->stamp = jiffies + jttl;
 			list_move_tail(&e->lru_list, &p->lru_list);
@@ -378,17 +438,24 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 
 	if (e == NULL) {	/* need for new binding */
 
+		// finish if it's static only rule
+		if(tginfo->flags & XT_DNETMAP_STATIC)
+			goto no_free_ip;
+
 bind_new_prefix:
 		e = list_entry(p->lru_list.next, struct dnetmap_entry,
 			       lru_list);
 		if (e->prenat_addr != 0 && time_before(jiffies, e->stamp)) {
-			if (!disable_log)
+			if (!disable_log && ! (p->flags & XT_DNETMAP_FULL) ){
 				printk(KERN_INFO KBUILD_MODNAME
 				       ": ip " NIPQUAD_FMT " - no free adresses in prefix %s\n",
 				       NIPQUAD(prenat_ip), p->prefix_str);
+				p->flags |= XT_DNETMAP_FULL;
+			}
 			goto no_free_ip;
 		}
 
+		p->flags &= ~XT_DNETMAP_FULL;
 		postnat_ip = e->postnat_addr;
 
 		if (e->prenat_addr != 0) {
@@ -397,7 +464,6 @@ bind_new_prefix:
 				printk(KERN_INFO KBUILD_MODNAME
 				       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
 				       NIPQUAD(prenat_ip_prev), NIPQUAD(postnat_ip) );
-			list_del(&e->list);
 			list_del(&e->glist);
 			list_del(&e->grlist);
 		}
@@ -405,8 +471,6 @@ bind_new_prefix:
 		e->prenat_addr = prenat_ip;
 		e->stamp = jiffies + jttl;
 		list_move_tail(&e->lru_list, &p->lru_list);
-		list_add_tail(&e->list,
-			      &p->iphash[dnetmap_entry_hash(prenat_ip)]);
 		list_add_tail(&e->glist,
 			      &dnetmap_net->
 			      dnetmap_iphash[dnetmap_entry_hash(prenat_ip)]);
@@ -421,21 +485,21 @@ bind_new_prefix:
 
 	} else {
 
-		if (!(tginfo->flags & XT_DNETMAP_REUSE))
+		if (!(tginfo->flags & XT_DNETMAP_REUSE) && !(e->flags & XT_DNETMAP_STATIC))
 			if (time_before(e->stamp, jiffies) && p != e->prefix) {
 				if (!disable_log)
 					printk(KERN_INFO KBUILD_MODNAME
 					       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
 					       NIPQUAD(e->prenat_addr),
 					       NIPQUAD(e->postnat_addr));
-				list_del(&e->list);
 				list_del(&e->glist);
 				list_del(&e->grlist);
 				e->prenat_addr = 0;
 				goto bind_new_prefix;
 			}
-		/* don't reset ttl if flag is set */
-		if (jttl >= 0) {
+		/* don't reset ttl if flag is set
+		or it is static entry*/
+		if (jttl >= 0 && ! (e->flags & XT_DNETMAP_STATIC) ) {
 			e->stamp = jiffies + jttl;
 			p = e->prefix;
 			list_move_tail(&e->lru_list, &p->lru_list);
@@ -466,32 +530,17 @@ static void dnetmap_tg_destroy(const struct xt_tgdtor_param *par)
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
 	const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
 	struct dnetmap_prefix *p;
-#ifdef CONFIG_PROC_FS
-	char str[25];
-#endif
 
 	if (!(tginfo->flags & XT_DNETMAP_PREFIX))
 		return;
 
 	mutex_lock(&dnetmap_mutex);
+	spin_lock_bh(&dnetmap_lock);
 	p = dnetmap_prefix_lookup(dnetmap_net, mr);
-	if (--p->refcnt == 0) {
-		spin_lock_bh(&dnetmap_lock);
-		list_del(&p->list);
-		spin_unlock_bh(&dnetmap_lock);
-#ifdef CONFIG_PROC_FS
-		sprintf(str, NIPQUAD_FMT "_%u", NIPQUAD(mr->range[0].min_ip),
-			33 - ffs(~(ntohl(mr->range[0].min_ip ^
-			mr->range[0].max_ip))));
-		remove_proc_entry(str, dnetmap_net->xt_dnetmap);
-		sprintf(str, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->range[0].min_ip),
-			33 - ffs(~(ntohl(mr->range[0].min_ip ^
-			mr->range[0].max_ip))));
-		remove_proc_entry(str, dnetmap_net->xt_dnetmap);
-#endif
-		dnetmap_prefix_flush(dnetmap_net, p);
-		kfree(p);
+	if (--p->refcnt == 0 && (! (p->flags & XT_DNETMAP_PERSISTENT) ) ) {
+		dnetmap_prefix_destroy(dnetmap_net, p);
 	}
+	spin_unlock_bh(&dnetmap_lock);
 	mutex_unlock(&dnetmap_mutex);
 }
 
@@ -511,7 +560,7 @@ __acquires(dnetmap_lock)
 
 	spin_lock_bh(&dnetmap_lock);
 
-	list_for_each_entry(e, &prefix->lru_list, lru_list)
+	list_for_each_entry(e, &prefix->elist, list)
 		if (p-- == 0)
 			return e;
 	return NULL;
@@ -522,13 +571,13 @@ static void *dnetmap_seq_next(struct seq_file *seq, void *v, loff_t * pos)
 	struct dnetmap_iter_state *st = seq->private;
 	const struct dnetmap_prefix *prefix = st->p;
 	const struct dnetmap_entry *e = v;
-	const struct list_head *head = e->lru_list.next;
+	const struct list_head *head = e->list.next;
 
-	if (head == &prefix->lru_list)
+	if (head == &prefix->elist)
 		return NULL;
 
 	++*pos;
-	return list_entry(head, struct dnetmap_entry, lru_list);
+	return list_entry(head, struct dnetmap_entry, list);
 }
 
 static void dnetmap_seq_stop(struct seq_file *s, void *v)
@@ -541,9 +590,14 @@ static int dnetmap_seq_show(struct seq_file *seq, void *v)
 {
 	const struct dnetmap_entry *e = v;
 
-	seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: %d lasthit: %lu\n",
-		   NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr),
-		   (int)(e->stamp - jiffies) / HZ, (e->stamp - jtimeout) / HZ);
+	if((e->flags & XT_DNETMAP_STATIC) == 0){
+		seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: %d lasthit: %lu\n",
+				NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr),
+				(int)(e->stamp - jiffies) / HZ, (e->stamp - jtimeout) / HZ);
+	}else{
+		seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: S lasthit: S\n",
+				NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr));
+	}
 	return 0;
 }
 
@@ -567,9 +621,180 @@ static int dnetmap_seq_open(struct inode *inode, struct file *file)
 	return 0;
 }
 
+static ssize_t
+dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, loff_t *loff)
+{
+	const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
+	struct dnetmap_prefix *p = pde->data;
+	struct dnetmap_entry *e;
+	char buf[sizeof("+192.168.100.100:200.200.200.200")];
+	const char *c = buf;
+	const char *c2;
+	//union nf_inet_addr addr = {};
+	__be32 addr1,addr2;
+	bool add;
+	char str[25];
+
+	if (size == 0)
+		return 0;
+	if (size > sizeof(buf))
+		size = sizeof(buf);
+	if (copy_from_user(buf, input, size) != 0)
+		return -EFAULT;
+	if(strcspn(c,"\n") < size)
+		buf[strcspn(c,"\n")]='\0';
+
+	/* Strict protocol! */
+	if (*loff != 0)
+		return -ESPIPE;
+	switch (*c) {
+		case 'f': /* flush table */
+			if( strcmp(c,"flush") != 0 )
+				goto invalid_arg;
+			printk(KERN_INFO KBUILD_MODNAME ": flushing prefix %s\n", p->prefix_str);
+			spin_lock_bh(&dnetmap_lock);
+			dnetmap_prefix_softflush(p);
+			spin_unlock_bh(&dnetmap_lock);
+			return size;
+		case '-': /* remove address or attribute */
+			if( strcmp(c,"-persistent") == 0){
+				/* case if persistent flag is already unset */
+				if( ! (p->flags & XT_DNETMAP_PERSISTENT) ){
+					printk(KERN_INFO KBUILD_MODNAME ": prefix %s is not persistent already - doing nothing\n", p->prefix_str);
+					return size;
+				}
+				printk(KERN_INFO KBUILD_MODNAME ": prefix %s is now non-persistent\n", p->prefix_str);
+				spin_lock_bh(&dnetmap_lock);
+				p->flags &= ~XT_DNETMAP_PERSISTENT;
+				spin_unlock_bh(&dnetmap_lock);
+				return size;
+			}
+			add = false;
+			break;
+		case '+': /* add address or attribute */
+			if( strcmp(c,"+persistent") == 0){
+				/* case if persistent flag is already unset */
+				if( p->flags & XT_DNETMAP_PERSISTENT ){
+					printk(KERN_INFO KBUILD_MODNAME ": prefix %s is persistent already - doing nothing\n", p->prefix_str);
+					return size;
+				}
+				printk(KERN_INFO KBUILD_MODNAME ": prefix %s is now persistent\n", p->prefix_str);
+				spin_lock_bh(&dnetmap_lock);
+				p->flags |= XT_DNETMAP_PERSISTENT;
+				spin_unlock_bh(&dnetmap_lock);
+				return size;
+			}
+			add = true;
+			break;
+		default:
+			goto invalid_arg;
+	}
+
+	spin_lock_bh(&dnetmap_lock);
+
+	// in case static entry is added we need to parse second ip addresses
+	if (add){
+		c2 = strchr(c,':');
+		if(c2 == NULL)
+			goto invalid_arg_unlock;
+
+		c++;
+		c2++;
+
+		if( ! (in4_pton(c2,strlen(c2),(void *)&addr2, '\0', NULL) &&
+			  in4_pton(c,strlen(c),(void *)&addr1, ':', NULL)))
+			goto invalid_arg_unlock;
+
+		// sanity check - prenat ip can't belong to postnat prefix
+		if ( dnetmap_addr_in_prefix(p->dnetmap, addr1, p)){
+			printk(KERN_INFO KBUILD_MODNAME ": add static binding operation failed - prenat ip can't belong to postnat prefix\n");
+			goto invalid_arg_unlock;
+		}
+
+		// make sure postnat ip belongs to postnat prefix
+		if ( ! dnetmap_addr_in_prefix(p->dnetmap, addr2, p)){
+			printk(KERN_INFO KBUILD_MODNAME ": add static binding operation failed - postnat ip must belong to postnat prefix\n");
+			goto invalid_arg_unlock;
+		}
+
+		e = dnetmap_entry_rlookup(p->dnetmap,addr2);
+		if(e != NULL){
+			if (!disable_log)
+				printk(KERN_INFO KBUILD_MODNAME
+				       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
+				       NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr) );
+			list_del(&e->glist);
+			list_del(&e->grlist);
+		}else{
+			// find existing entry in prefix elist
+			list_for_each_entry(e, &p->elist, list)
+				if (memcmp(&e->postnat_addr, &addr2, sizeof(addr2)) == 0){
+					break;
+				}
+		}
+
+		e->prenat_addr=addr1;
+		e->flags |= XT_DNETMAP_STATIC;
+		list_add_tail(&e->glist,
+			      &p->dnetmap->
+			      dnetmap_iphash[dnetmap_entry_hash(e->prenat_addr)]);
+		list_add_tail(&e->grlist,
+			      &p->dnetmap->dnetmap_iphash[hash_size +
+							   dnetmap_entry_hash
+							   (e->postnat_addr)]);
+		list_del(&e->lru_list);
+
+		sprintf(str, NIPQUAD_FMT ":" NIPQUAD_FMT, NIPQUAD(addr1),NIPQUAD(addr2));
+		printk(KERN_INFO KBUILD_MODNAME ": adding static binding %s\n", str);
+
+	// case of removing binding
+	}else{
+
+		c++;
+		if( ! in4_pton(c,strlen(c),(void *)&addr1, '\0', NULL))
+			goto invalid_arg_unlock;
+
+		e = dnetmap_entry_rlookup(p->dnetmap,addr1);
+		if(e == NULL) e = dnetmap_entry_lookup(p->dnetmap,addr1);
+
+		if(e != NULL){
+			if (!disable_log)
+				printk(KERN_INFO KBUILD_MODNAME
+				       ": remove binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
+				       NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr) );
+			list_del(&e->glist);
+			list_del(&e->grlist);
+			if(e->flags & XT_DNETMAP_STATIC){
+				list_add_tail(&e->lru_list,&p->lru_list);
+				e->flags &= ~XT_DNETMAP_STATIC;
+			}
+			e->prenat_addr=0;
+			e->stamp=jiffies-1;
+		}else{
+			goto invalid_arg_unlock;
+		}
+	}
+
+	spin_unlock_bh(&dnetmap_lock);
+
+	/* Note we removed one above */
+	*loff += size + 1;
+	return size + 1;
+
+	invalid_arg_unlock:
+		spin_unlock_bh(&dnetmap_lock);
+
+	invalid_arg:
+		//printk(KERN_INFO KBUILD_MODNAME ": Need \"+prenat_ip:postnat_ip\", \"-ip\" or \"/\"\n");
+		printk(KERN_INFO KBUILD_MODNAME ": Error! Invalid option passed via procfs.\n");
+		return -EINVAL;
+}
+
+
 static const struct file_operations dnetmap_tg_fops = {
 	.open = dnetmap_seq_open,
 	.read = seq_read,
+	.write   = dnetmap_tg_proc_write,
 	.release = seq_release_private,
 	.owner = THIS_MODULE,
 };
@@ -581,27 +806,31 @@ static int dnetmap_stat_proc_read(char __user *buffer, char **start,
 {
 	const struct dnetmap_prefix *p = data;
 	struct dnetmap_entry *e;
-	unsigned int used, all;
+	unsigned int used, used_static, all;
 	long int ttl, sum_ttl;
 
-	used = 0;
-	all = 0;
-	sum_ttl = 0;
+	used=used_static=all=sum_ttl=0;
 
 	spin_lock_bh(&dnetmap_lock);
 
-	list_for_each_entry(e, &p->lru_list, lru_list) {
+	list_for_each_entry(e, &p->elist, list) {
 
-		ttl = e->stamp - jiffies;
-		if (e->prenat_addr != 0 && ttl >= 0) {
-			used++;
-			sum_ttl += ttl;
+		if (e->prenat_addr != 0){
+			if (e->flags & XT_DNETMAP_STATIC){
+				used_static++;
+			}else{
+				ttl = e->stamp - jiffies;
+				if (e->prenat_addr != 0 && ttl >= 0) {
+					used++;
+					sum_ttl += ttl;
+				}
+			}
 		}
 		all++;
 	}
 
 	sum_ttl = used > 0 ? sum_ttl / (used * HZ) : 0;
-	sprintf(buffer, "%u %u %ld\n", used, all, sum_ttl);
+	sprintf(buffer, "%u %u %u %ld %s\n", used, used_static, all, sum_ttl,(p->flags & XT_DNETMAP_PERSISTENT ? "persistent" : ""));
 
 	if (length >= strlen(buffer))
 		*eof = true;
@@ -663,12 +892,24 @@ static int __net_init dnetmap_net_init(struct net *net)
 static void __net_exit dnetmap_net_exit(struct net *net)
 {
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
+	struct dnetmap_prefix *p,*next;
+
+	mutex_lock(&dnetmap_mutex);
+	spin_lock_bh(&dnetmap_lock);
+
+	list_for_each_entry_safe(p, next, &dnetmap_net->prefixes, list){
+		BUG_ON(p->refcnt != 0);
+		dnetmap_prefix_destroy(dnetmap_net, p);
+	}
+
+	spin_unlock_bh(&dnetmap_lock);
+	mutex_unlock(&dnetmap_mutex);
 
-	BUG_ON(!list_empty(&dnetmap_net->prefixes));
 	kfree(dnetmap_net->dnetmap_iphash);
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
 	kfree(dnetmap_net);
 #endif
+
 	dnetmap_proc_net_exit(net);
 }
 
@@ -714,6 +955,8 @@ static int __init dnetmap_tg_init(void)
 	if (err)
 		unregister_pernet_subsys(&dnetmap_net_ops);
 
+	printk( KERN_INFO KBUILD_MODNAME " INIT successfull (version %d)\n", DNETMAP_VERSION );
+
 	return err;
 }
 

extensions/xt_DNETMAP.h

@@ -1,16 +1,21 @@
 #ifndef _LINUX_NETFILTER_XT_DNETMAP_H
 #define _LINUX_NETFILTER_XT_DNETMAP_H 1
 
+#define DNETMAP_VERSION 2
+
 enum {
-	XT_DNETMAP_TTL = 1 << 0,
-	XT_DNETMAP_REUSE = 1 << 1,
-	XT_DNETMAP_PREFIX = 1 << 2,
+	XT_DNETMAP_TTL 					= 1 << 0,
+	XT_DNETMAP_REUSE 				= 1 << 1,
+	XT_DNETMAP_PREFIX 			= 1 << 2,
+	XT_DNETMAP_STATIC 			= 1 << 3,
+	XT_DNETMAP_PERSISTENT 	= 1 << 4,
+	XT_DNETMAP_FULL				 	= 1 << 5,
 };
 
 struct xt_DNETMAP_tginfo {
 	struct nf_nat_ipv4_multi_range_compat prefix;
 	__u8 flags;
-	__s16 ttl;
+	__s32 ttl;
 };
 
 #endif

extensions/xt_ECHO.c

@@ -18,6 +18,7 @@
 #	include <linux/netfilter_bridge.h>
 #endif
 #include <net/ip.h>
+#include <net/ip6_checksum.h>
 #include <net/ip6_route.h>
 #include <net/route.h>
 #include "compat_xtables.h"

extensions/xt_RAWNAT.c

@@ -22,8 +22,7 @@
 #include <net/ipv6.h>
 #include "compat_xtables.h"
 #include "xt_RAWNAT.h"
-
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 #	define WITH_IPV6 1
 #endif
 
@@ -181,7 +180,7 @@ static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
 	*l4proto = NEXTHDR_MAX;
 
 	for (i = 0; i < ARRAY_SIZE(types); ++i) {
-		err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL);
+		err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL, NULL);
 		if (err >= 0) {
 			*l4proto = types[i];
 			break;
@@ -245,7 +244,7 @@ static unsigned int
 rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
-	unsigned int l4offset, l4proto;
+	unsigned int l4offset = 0, l4proto;
 	struct ipv6hdr *iph;
 	struct in6_addr new_addr;
 
@@ -266,7 +265,7 @@ static unsigned int
 rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
-	unsigned int l4offset, l4proto;
+	unsigned int l4offset = 0, l4proto;
 	struct ipv6hdr *iph;
 	struct in6_addr new_addr;
 

extensions/xt_SYSRQ.c

@@ -30,7 +30,7 @@
     (defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE))
 #	define WITH_CRYPTO 1
 #endif
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 #	define WITH_IPV6 1
 #endif
 
@@ -240,15 +240,16 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 	const struct ipv6hdr *iph;
 	const struct udphdr *udph;
 	unsigned short frag_off;
-	unsigned int th_off;
+	unsigned int th_off = 0;
 	uint16_t len;
 
 	if (skb_linearize(skb) < 0)
 		return NF_DROP;
 
 	iph = ipv6_hdr(skb);
-	if ((ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 &&
-	    ipv6_find_hdr(skb, &th_off, IPPROTO_UDPLITE, &frag_off) < 0) ||
+	/* Should probably be using %IP6T_FH_F_AUTH */
+	if ((ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off, NULL) < 0 &&
+	    ipv6_find_hdr(skb, &th_off, IPPROTO_UDPLITE, &frag_off, NULL) < 0) ||
 	    frag_off > 0)
 		return NF_DROP;
 
@@ -358,10 +359,7 @@ static int __init sysrq_crypto_init(void)
 		goto fail;
 	do_gettimeofday(&now);
 	sysrq_seqno = now.tv_sec;
-	ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
-	if (ret < 0)
-		goto fail;
-	return ret;
+	return 0;
 
  fail:
 	sysrq_crypto_exit();

extensions/xt_TARPIT.c

@@ -42,19 +42,139 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/version.h>
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
 #	include <linux/netfilter_bridge.h>
 #endif
+#include <net/addrconf.h>
+#include <net/ip6_checksum.h>
+#include <net/ip6_route.h>
+#include <net/ipv6.h>
 #include <net/route.h>
 #include <net/tcp.h>
 #include "compat_xtables.h"
 #include "xt_TARPIT.h"
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#	define WITH_IPV6 1
+#endif
 
-static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
+static bool xttarpit_tarpit(struct tcphdr *tcph, const struct tcphdr *oth)
+{
+	/* No replies for RST, FIN or !SYN,!ACK */
+	if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
+		return false;
+	tcph->seq = oth->ack ? oth->ack_seq : 0;
+
+	/* Our SYN-ACKs must have a >0 window */
+	tcph->window = (oth->syn && !oth->ack) ? htons(5) : 0;
+	if (oth->syn && oth->ack) {
+		tcph->rst     = true;
+		tcph->ack_seq = false;
+	} else {
+		tcph->syn     = oth->syn;
+		tcph->ack     = true;
+		tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
+	}
+#if 0
+	/* Rate-limit replies to !SYN,ACKs */
+	if (!oth->syn && oth->ack)
+		if (!xrlim_allow(rt_dst(ort), HZ))
+			return false;
+#endif
+
+	return true;
+}
+
+static bool xttarpit_honeypot(struct tcphdr *tcph, const struct tcphdr *oth,
+    uint16_t payload)
+{
+	/* Do not answer any resets regardless of combination */
+	if (oth->rst || oth->seq == 0xDEADBEEF)
+		return false;
+	/* Send a reset to scanners. They like that. */
+	if (oth->syn && oth->ack) {
+		tcph->window  = 0;
+		tcph->ack     = false;
+		tcph->psh     = true;
+		tcph->ack_seq = 0xdeadbeef; /* see if they ack it */
+		tcph->seq     = oth->ack_seq;
+		tcph->rst     = true;
+	}
+
+	/* SYN > SYN-ACK */
+	if (oth->syn && !oth->ack) {
+		tcph->syn     = true;
+		tcph->ack     = true;
+		tcph->window  = oth->window &
+			((net_random() & 0x1f) - 0xf);
+		tcph->seq     = htonl(net_random() & ~oth->seq);
+		tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
+	}
+
+	/* ACK > ACK */
+	if (oth->ack && (!(oth->fin || oth->syn))) {
+		tcph->syn     = false;
+		tcph->ack     = true;
+		tcph->window  = oth->window &
+			((net_random() & 0x1f) - 0xf);
+		tcph->ack_seq = payload > 100 ?
+			htonl(ntohl(oth->seq) + payload) :
+			oth->seq;
+		tcph->seq     = oth->ack_seq;
+	}
+
+	/*
+	 * FIN > RST.
+	 * We cannot terminate gracefully so just be abrupt.
+	 */
+	if (oth->fin) {
+		tcph->window  = 0;
+		tcph->seq     = oth->ack_seq;
+		tcph->ack_seq = oth->ack_seq;
+		tcph->fin     = false;
+		tcph->ack     = false;
+		tcph->rst     = true;
+	}
+
+	return true;
+}
+
+static void xttarpit_reset(struct tcphdr *tcph, const struct tcphdr *oth)
+{
+	tcph->window  = 0;
+	tcph->ack     = false;
+	tcph->syn     = false;
+	tcph->rst     = true;
+	tcph->seq     = oth->ack_seq;
+	tcph->ack_seq = oth->seq;
+}
+
+static bool tarpit_generic(struct tcphdr *tcph, const struct tcphdr *oth,
+    uint16_t payload, unsigned int mode)
+{
+	switch(mode) {
+	case XTTARPIT_TARPIT:
+		if (!xttarpit_tarpit(tcph, oth))
+			return false;
+		break;
+	case XTTARPIT_HONEYPOT:
+		if (!xttarpit_honeypot(tcph, oth, payload))
+			return false;
+		break;
+	case XTTARPIT_RESET:
+		xttarpit_reset(tcph, oth);
+		break;
+	}
+
+	return true;
+}
+
+static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
     unsigned int mode)
 {
-	struct tcphdr _otcph, *oth, *tcph;
+	struct tcphdr _otcph, *tcph;
+	const struct tcphdr *oth;
 	unsigned int addr_type = RTN_UNSPEC;
 	struct sk_buff *nskb;
 	const struct iphdr *oldhdr;
@@ -116,84 +236,8 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	/* Reset flags */
 	((u_int8_t *)tcph)[13] = 0;
 
-	if (mode == XTTARPIT_TARPIT) {
-		/* No replies for RST, FIN or !SYN,!ACK */
-		if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
-			return;
-		tcph->seq = oth->ack ? oth->ack_seq : 0;
-
-		/* Our SYN-ACKs must have a >0 window */
-		tcph->window  = (oth->syn && !oth->ack) ? htons(5) : 0;
-		if (oth->syn && oth->ack) {
-			tcph->rst     = true;
-			tcph->ack_seq = false;
-		} else {
-			tcph->syn     = oth->syn;
-			tcph->ack     = true;
-			tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
-		}
-#if 0
-		/* Rate-limit replies to !SYN,ACKs */
-		if (!oth->syn && oth->ack)
-			if (!xrlim_allow(rt_dst(ort), HZ))
-				return;
-#endif
-	} else if (mode == XTTARPIT_HONEYPOT) {
-		/* Do not answer any resets regardless of combination */
-		if (oth->rst || oth->seq == 0xDEADBEEF)
-			return;
-		/* Send a reset to scanners. They like that. */
-		if (oth->syn && oth->ack) {
-			tcph->window  = 0;
-			tcph->ack     = false;
-			tcph->psh     = true;
-			tcph->ack_seq = 0xdeadbeef; /* see if they ack it */
-			tcph->seq     = oth->ack_seq;
-			tcph->rst     = true;
-		}
-
-		/* SYN > SYN-ACK */
-		if (oth->syn && !oth->ack) {
-			tcph->syn     = true;
-			tcph->ack     = true;
-			tcph->window  = oth->window &
-			                ((net_random() & 0x1f) - 0xf);
-			tcph->seq     = htonl(net_random() & ~oth->seq);
-			tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
-		}
-
-		/* ACK > ACK */
-		if (oth->ack && (!(oth->fin || oth->syn))) {
-			tcph->syn     = false;
-			tcph->ack     = true;
-			tcph->window  = oth->window &
-			                ((net_random() & 0x1f) - 0xf);
-			tcph->ack_seq = payload > 100 ?
-			                htonl(ntohl(oth->seq) + payload) :
-			                oth->seq;
-			tcph->seq     = oth->ack_seq;
-		}
-
-		/*
-		 * FIN > RST.
-		 * We cannot terminate gracefully so just be abrupt.
-		 */
-		if (oth->fin) {
-			tcph->window  = 0;
-			tcph->seq     = oth->ack_seq;
-			tcph->ack_seq = oth->ack_seq;
-			tcph->fin     = false;
-			tcph->ack     = false;
-			tcph->rst     = true;
-		}
-	} else if (mode == XTTARPIT_RESET) {
-		tcph->window  = 0;
-		tcph->ack     = false;
-		tcph->syn     = false;
-		tcph->rst     = true;
-		tcph->seq     = oth->ack_seq;
-		tcph->ack_seq = oth->seq;
-	}
+	if (!tarpit_generic(tcph, oth, payload, mode))
+		goto free_nskb;
 
 	/* Adjust TCP checksum */
 	tcph->check = 0;
@@ -257,8 +301,132 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	kfree_skb(nskb);
 }
 
+#ifdef WITH_IPV6
+static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
+    unsigned int mode)
+{
+	struct sk_buff *nskb;
+	struct tcphdr *tcph, oth;
+	unsigned int otcplen;
+	int tcphoff;
+	const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
+	struct ipv6hdr *ip6h;
+	const uint8_t tclass = 0;
+	uint8_t proto;
+	uint16_t payload;
+	__be16 frag_off;
+
+	proto   = oip6h->nexthdr;
+	tcphoff = ipv6_skip_exthdr(oldskb,
+	          (uint8_t *)(oip6h + 1) - oldskb->data, &proto, &frag_off);
+
+	if (tcphoff < 0 || tcphoff > oldskb->len) {
+		pr_debug("Cannot get TCP header.\n");
+		return;
+	}
+
+	otcplen = oldskb->len - tcphoff;
+
+	/* IP header checks: fragment, too short. */
+	if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
+		pr_debug("proto(%d) != IPPROTO_TCP, "
+		         "or too short. otcplen = %d\n",
+		         proto, otcplen);
+		return;
+	}
+
+	if (skb_copy_bits(oldskb, tcphoff, &oth, sizeof(struct tcphdr))) {
+		WARN_ON(1);
+		return;
+	}
+
+	/* Check checksum. */
+	if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
+	    skb_checksum(oldskb, tcphoff, otcplen, 0))) {
+		pr_debug("TCP checksum is invalid\n");
+		return;
+	}
+
+	nskb = skb_copy_expand(oldskb, LL_MAX_HEADER,
+	       skb_tailroom(oldskb), GFP_ATOMIC);
+	if (nskb == NULL) {
+		if (net_ratelimit())
+			pr_debug("cannot alloc skb\n");
+		return;
+	}
+
+	/* This packet will not be the same as the other: clear nf fields */
+	nf_reset(nskb);
+	skb_nfmark(nskb) = 0;
+	skb_init_secmark(nskb);
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
+	skb_shinfo(nskb)->gso_size = 0;
+	skb_shinfo(nskb)->gso_segs = 0;
+	skb_shinfo(nskb)->gso_type = 0;
+#endif
+
+	skb_put(nskb, sizeof(struct ipv6hdr));
+	ip6h = ipv6_hdr(nskb);
+	*(__be32 *)ip6h =  htonl(0x60000000 | (tclass << 20));
+	ip6h->nexthdr = IPPROTO_TCP;
+	ip6h->saddr = oip6h->daddr;
+	ip6h->daddr = oip6h->saddr;
+
+	/* Adjust IP TTL */
+	if (mode == XTTARPIT_HONEYPOT) {
+		ip6h->hop_limit = 128;
+	} else {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
+		ip6h->hop_limit = ip6_dst_hoplimit(skb_dst(nskb));
+#else
+		ip6h->hop_limit = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
+#endif
+	}
+
+	tcph = (struct tcphdr *)(skb_network_header(nskb) +
+	       sizeof(struct ipv6hdr));
+
+	/* Truncate to length (no data) */
+	skb_trim(nskb, sizeof(struct ipv6hdr) + sizeof(struct tcphdr));
+	tcph->doff    = sizeof(struct tcphdr)/4;
+	tcph->source  = oth.dest;
+	tcph->dest    = oth.source;
+	tcph->urg_ptr = 0;
+	/* Reset flags */
+	((uint8_t *)tcph)[13] = 0;
+
+	payload = nskb->len - sizeof(struct ipv6hdr) - sizeof(struct tcphdr);
+	if (!tarpit_generic(&oth, tcph, payload, mode))
+		goto free_nskb;
+
+	ip6h->payload_len = htons(sizeof(struct tcphdr));
+	tcph->check = 0;
+
+	/* Adjust TCP checksum */
+	tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
+	              &ipv6_hdr(nskb)->daddr, sizeof(struct tcphdr),
+	              IPPROTO_TCP,
+	              csum_partial(tcph, sizeof(struct tcphdr), 0));
+
+	if (ip6_route_me_harder(nskb))
+		goto free_nskb;
+
+	nskb->ip_summed = CHECKSUM_NONE;
+
+	nf_ct_attach(nskb, oldskb);
+
+	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
+	        skb_dst(nskb)->dev, dst_output);
+	return;
+
+ free_nskb:
+	kfree_skb(nskb);
+}
+#endif
+
 static unsigned int
-tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+tarpit_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);
@@ -289,29 +457,87 @@ tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
 
-	tarpit_tcp(*pskb, par->hooknum, info->variant);
+	tarpit_tcp4(*pskb, par->hooknum, info->variant);
 	return NF_DROP;
 }
 
-static struct xt_target tarpit_tg_reg __read_mostly = {
-	.name       = "TARPIT",
-	.revision   = 0,
-	.family     = NFPROTO_IPV4,
-	.hooks      = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
-	.proto      = IPPROTO_TCP,
-	.target     = tarpit_tg,
-	.targetsize = sizeof(struct xt_tarpit_tginfo),
-	.me         = THIS_MODULE,
+#ifdef WITH_IPV6
+static unsigned int
+tarpit_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
+{
+	const struct sk_buff *skb = *pskb;
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
+	const struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
+	const struct xt_tarpit_tginfo *info = par->targinfo;
+	uint8_t proto;
+	__be16 frag_off;
+
+	/* Do we have an input route cache entry? (Not in PREROUTING.) */
+	if (rt == NULL) {
+		pr_debug("Dropping no input route cache entry\n");
+		return NF_DROP;
+	}
+
+	/* No replies to physical multicast/broadcast */
+	/* skb != PACKET_OTHERHOST handled by ip_rcv() */
+	if (skb->pkt_type != PACKET_HOST) {
+		pr_debug("type != PACKET_HOST");
+		return NF_DROP;
+	}
+
+	/*
+	 * Our naive response construction does not deal with IP
+	 * options, and probably should not try.
+	 */
+	proto = iph->nexthdr;
+	if (ipv6_skip_exthdr(skb, skb_network_header_len(skb), &proto,
+	    &frag_off) != sizeof(struct ipv6hdr))
+		return NF_DROP;
+
+	if ((!(ipv6_addr_type(&iph->saddr) & IPV6_ADDR_UNICAST)) ||
+	    (!(ipv6_addr_type(&iph->daddr) & IPV6_ADDR_UNICAST))) {
+		pr_debug("addr is not unicast.\n");
+		return NF_DROP;
+	}
+
+	tarpit_tcp6(*pskb, par->hooknum, info->variant);
+	return NF_DROP;
+}
+#endif
+
+static struct xt_target tarpit_tg_reg[] __read_mostly = {
+	{
+		.name       = "TARPIT",
+		.revision   = 0,
+		.family     = NFPROTO_IPV4,
+		.hooks      = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
+		.proto      = IPPROTO_TCP,
+		.target     = tarpit_tg4,
+		.targetsize = sizeof(struct xt_tarpit_tginfo),
+		.me         = THIS_MODULE,
+	},
+#ifdef WITH_IPV6
+	{
+		.name       = "TARPIT",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.hooks      = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
+		.proto      = IPPROTO_TCP,
+		.target     = tarpit_tg6,
+		.targetsize = sizeof(struct xt_tarpit_tginfo),
+		.me         = THIS_MODULE,
+	},
+#endif
 };
 
 static int __init tarpit_tg_init(void)
 {
-	return xt_register_target(&tarpit_tg_reg);
+	return xt_register_targets(tarpit_tg_reg, ARRAY_SIZE(tarpit_tg_reg));
 }
 
 static void __exit tarpit_tg_exit(void)
 {
-	xt_unregister_target(&tarpit_tg_reg);
+	xt_unregister_targets(tarpit_tg_reg, ARRAY_SIZE(tarpit_tg_reg));
 }
 
 module_init(tarpit_tg_init);
@@ -320,3 +546,4 @@ MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TARPIT");
+MODULE_ALIAS("ip6t_TARPIT");

extensions/xt_TEE.c

@@ -33,7 +33,7 @@
 #	define WITH_CONNTRACK 1
 #	include <net/netfilter/nf_conntrack.h>
 #endif
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 #	define WITH_IPV6 1
 #endif
 

extensions/xt_length2.c

@@ -185,7 +185,7 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
 	int err;
 
 	for (i = 0; i < ARRAY_SIZE(types); ++i) {
-		err = ipv6_find_hdr(skb, offset, types[i], NULL);
+		err = ipv6_find_hdr(skb, offset, types[i], NULL, NULL);
 		if (err >= 0)
 			return types[i];
 		if (err != -ENOENT) {
@@ -203,7 +203,8 @@ length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 	const struct xt_length_mtinfo2 *info = par->matchinfo;
 	const struct ipv6hdr *iph = ipv6_hdr(skb);
 	unsigned int len = 0, l4proto;
-	unsigned int thoff = par->thoff;
+	/* par->thoff would only set if ip6tables -p was used; so just use 0 */
+	unsigned int thoff = 0;
 	bool hit = true;
 
 	if (info->flags & XT_LENGTH_LAYER3) {

extensions/xt_psd.c

@@ -22,13 +22,14 @@
 
 #define pr_fmt(x) KBUILD_MODNAME ": " x
 #include <linux/module.h>
-#include <linux/moduleparam.h>
 #include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/tcp.h>
+#include <linux/types.h>
+#include <linux/tcp.h>
 #include <linux/spinlock.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
 #include "xt_psd.h"
 #include "compat_xtables.h"
 
@@ -39,11 +40,21 @@ MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
 MODULE_AUTHOR(" Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com>");
 MODULE_DESCRIPTION("Xtables: PSD - portscan detection");
 MODULE_ALIAS("ipt_psd");
+MODULE_ALIAS("ip6t_psd");
 
-#define HF_DADDR_CHANGING   0x01
-#define HF_SPORT_CHANGING   0x02
-#define HF_TOS_CHANGING	    0x04
-#define HF_TTL_CHANGING	    0x08
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * HASH_MAX source addresses per the same hash value.
+ */
+#define LIST_SIZE			0x100
+#define HASH_LOG			9
+#define HASH_SIZE			(1 << HASH_LOG)
+#define HASH_MAX			0x10
+
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#	define WITH_IPV6 1
+#endif
 
 /*
  * Information we keep per each target port
@@ -51,46 +62,106 @@ MODULE_ALIAS("ipt_psd");
 struct port {
 	u_int16_t number;      /* port number */
 	u_int8_t proto;        /* protocol number */
-	u_int8_t and_flags;    /* tcp ANDed flags */
-	u_int8_t or_flags;     /* tcp ORed flags */
 };
 
-/*
+/**
  * Information we keep per each source address.
+ * @next:	next entry with the same hash
+ * @timestamp:	last update time
+ * @count:	number of ports in the list
+ * @weight:	total weight of ports in the list
  */
 struct host {
-	struct host *next;						/* Next entry with the same hash */
-	unsigned long timestamp;					/* Last update time */
-	struct in_addr src_addr;				/* Source address */
-	struct in_addr dest_addr;				/* Destination address */
-	unsigned short src_port;				/* Source port */
-	int count;								/* Number of ports in the list */
-	int weight;								/* Total weight of ports in the list */
-	struct port ports[SCAN_MAX_COUNT - 1];	/* List of ports */
-	unsigned char tos;						/* TOS */
-	unsigned char ttl;						/* TTL */
-	unsigned char flags;					/* HF_ flags bitmask */
+	struct host *next;
+	unsigned long timestamp;
+	__be16 src_port;
+	uint16_t count;
+	uint8_t weight;
+	struct port ports[SCAN_MAX_COUNT-1];
 };
 
-/*
- * State information.
+/**
+ * Information we keep per ipv4 source address.
+ */
+struct host4 {
+	struct host host;
+	__be32 saddr;
+};
+
+static struct host4 *host_to_host4(const struct host *h)
+{
+	return (struct host4 *)h;
+}
+
+struct host6 {
+	struct host host;
+	struct in6_addr saddr;
+};
+
+/**
+ * State information for IPv4 portscan detection.
+ * @list:	list of source addresses
+ * @hash:	pointers into the list
+ * @index:	oldest entry to be replaced
  */
 static struct {
 	spinlock_t lock;
-	struct host list[LIST_SIZE];	/* List of source addresses */
-	struct host *hash[HASH_SIZE];	/* Hash: pointers into the list */
-	int index;						/* Oldest entry to be replaced */
+	struct host4 list[LIST_SIZE];
+	struct host *hash[HASH_SIZE];
+	int index;
 } state;
 
+#ifdef WITH_IPV6
+/**
+ * State information for IPv6 portscan detection.
+ * @list:	list of source addresses
+ * @hash:	pointers into the list
+ * @index:	oldest entry to be replaced
+ */
+static struct {
+	spinlock_t lock;
+	struct host6 *list;
+	struct host **hash;
+	int index;
+} state6;
+
+static struct host6 *host_to_host6(const struct host *h)
+{
+	return (struct host6 *) h;
+}
+
+/**
+ * allocate state6 memory only when needed
+ */
+static bool state6_alloc_mem(void)
+{
+	if (state6.hash != NULL)
+		return true;
+
+	state6.list = vmalloc(LIST_SIZE * sizeof(struct host6));
+	if (state6.list == NULL)
+		return false;
+	memset(state6.list, 0, LIST_SIZE * sizeof(struct host6));
+
+	state6.hash = vmalloc(HASH_SIZE * sizeof(struct host*));
+	if (state6.hash == NULL) {
+		vfree(state6.list);
+		return false;
+	}
+	memset(state6.hash, 0, HASH_SIZE * sizeof(struct host *));
+	return true;
+}
+#endif
+
 /*
  * Convert an IP address into a hash table index.
  */
-static inline int hashfunc(struct in_addr addr)
+static unsigned int hashfunc(__be32 addr)
 {
 	unsigned int value;
-	int hash;
+	unsigned int hash;
 
-	value = addr.s_addr;
+	value = addr;
 	hash = 0;
 	do {
 		hash ^= value;
@@ -99,159 +170,169 @@ static inline int hashfunc(struct in_addr addr)
 	return hash & (HASH_SIZE - 1);
 }
 
-static bool
-xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
+static inline unsigned int hashfunc6(const struct in6_addr *addr)
+{
+	__be32 h = addr->s6_addr32[0] ^ addr->s6_addr32[1];
+	return hashfunc(h ^ addr->s6_addr32[2] ^ addr->s6_addr32[3]);
+}
+
+static bool port_in_list(struct host *host, uint8_t proto, uint16_t port)
+{
+	unsigned int i;
+
+	for (i = 0; i < host->count; ++i) {
+		if (host->ports[i].proto != proto)
+			continue;
+		if (host->ports[i].number == port)
+			return true;
+	}
+	return false;
+}
+
+static uint16_t get_port_weight(const struct xt_psd_info *psd, __be16 port)
+{
+	return ntohs(port) < 1024 ? psd->lo_ports_weight : psd->hi_ports_weight;
+}
+
+static bool
+is_portscan(struct host *host, const struct xt_psd_info *psdinfo,
+            const struct tcphdr *tcph, uint8_t proto)
+{
+	if (port_in_list(host, proto, tcph->dest))
+		return false;
+
+	/*
+	 * TCP/ACK and/or TCP/RST to a new port? This could be an
+	 * outgoing connection.
+	 */
+	if (proto == IPPROTO_TCP && (tcph->ack || tcph->rst))
+		return false;
+
+	host->timestamp = jiffies;
+
+	if (host->weight >= psdinfo->weight_threshold) /* already matched */
+		return true;
+
+	/* Update the total weight */
+	host->weight += get_port_weight(psdinfo, tcph->dest);
+
+	/* Got enough destination ports to decide that this is a scan? */
+	if (host->weight >= psdinfo->weight_threshold)
+		return true;
+
+	/* Remember the new port */
+	if (host->count < ARRAY_SIZE(host->ports)) {
+		host->ports[host->count].number = tcph->dest;
+		host->ports[host->count].proto = proto;
+		host->count++;
+	}
+	return false;
+}
+
+static struct host *host_get_next(struct host *h, struct host **last)
+{
+	if (h->next != NULL)
+		*last = h;
+	return h->next;
+}
+
+static void ht_unlink(struct host **head, struct host *last)
+{
+	if (last != NULL)
+		last->next = last->next->next;
+	else if (*head != NULL)
+		*head = (*head)->next;
+}
+
+static bool
+entry_is_recent(const struct host *h, unsigned long delay_threshold,
+                unsigned long now)
+{
+	return now - h->timestamp <= (delay_threshold * HZ) / 100 &&
+	       time_after_eq(now, h->timestamp);
+}
+
+static void remove_oldest(struct host **head, struct host *curr)
+{
+	struct host *h, *last = NULL;
+
+	/*
+	 * We are going to re-use the oldest list entry, so remove it from the
+	 * hash table first, if it is really already in use.
+	 */
+	h = *head;
+	while (h != NULL) {
+		if (curr == h)
+			break;
+		last = h;
+		h = h->next;
+	}
+
+	/* Then, remove it */
+	if (h != NULL)
+		ht_unlink(head, last);
+}
+
+static void *
+get_header_pointer4(const struct sk_buff *skb, unsigned int thoff, void *mem)
+{
+	const struct iphdr *iph = ip_hdr(skb);
+	int hdrlen;
+
+	switch (iph->protocol) {
+	case IPPROTO_TCP:
+		hdrlen = sizeof(struct tcphdr);
+		break;
+	case IPPROTO_UDP:
+	case IPPROTO_UDPLITE:
+		hdrlen = sizeof(struct udphdr);
+		break;
+	default:
+		return NULL;
+	}
+
+	return skb_header_pointer(skb, thoff, hdrlen, mem);
+}
+
+static bool
+handle_packet4(const struct iphdr *iph, const struct tcphdr *tcph,
+               const struct xt_psd_info *psdinfo, unsigned int hash)
 {
-	const struct iphdr *iph;
-	const struct tcphdr *tcph = NULL;
-	const struct udphdr *udph;
-	union {
-		struct tcphdr tcph;
-		struct udphdr udph;
-	} _buf;
-	struct in_addr addr;
-	u_int16_t src_port,dest_port;
-  	u_int8_t tcp_flags, proto;
 	unsigned long now;
-	struct host *curr, *last, **head;
-	int hash, index, count;
-	/* Parameters from userspace */
-	const struct xt_psd_info *psdinfo = match->matchinfo;
+	struct host *curr, *last = NULL, **head;
+	struct host4 *curr4;
+	int count = 0;
 
-	/* IP header */
-	iph = ip_hdr(pskb);
-
-	/* Sanity check */
-	if (iph->frag_off & htons(IP_OFFSET)) {
-		pr_debug("sanity check failed\n");
-		return false;
-	}
-
-	/* TCP or UDP ? */
-	proto = iph->protocol;
-	/* Get the source address, source & destination ports, and TCP flags */
-
-	addr.s_addr = iph->saddr;
-	/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
-	 * them spoof us. [DHCP needs this feature - HW] */
-	if (addr.s_addr == 0) {
-		pr_debug("spoofed source address (0.0.0.0)\n");
-		return false;
-	}
-
-	if (proto == IPPROTO_TCP) {
-		tcph = skb_header_pointer(pskb, match->thoff,
-		       sizeof(_buf.tcph), &_buf.tcph);
-		if (tcph == NULL)
-			return false;
-
-		/* Yep, it's dirty */
-		src_port = tcph->source;
-		dest_port = tcph->dest;
-		tcp_flags = *((u_int8_t*)tcph + 13);
-	} else if (proto == IPPROTO_UDP || proto == IPPROTO_UDPLITE) {
-		udph = skb_header_pointer(pskb, match->thoff,
-		       sizeof(_buf.udph), &_buf.udph);
-		if (udph == NULL)
-			return false;
-		src_port  = udph->source;
-		dest_port = udph->dest;
-		tcp_flags = 0;
-	} else {
-		pr_debug("protocol not supported\n");
-		return false;
-	}
-
-	/* Use jiffies here not to depend on someone setting the time while we're
-	 * running; we need to be careful with possible return value overflows. */
 	now = jiffies;
-
-	spin_lock(&state.lock);
+	head = &state.hash[hash];
 
 	/* Do we know this source address already? */
-	count = 0;
-	last = NULL;
-	if ((curr = *(head = &state.hash[hash = hashfunc(addr)])) != NULL)
-		do {
-			if (curr->src_addr.s_addr == addr.s_addr)
-				break;
-			count++;
-			if (curr->next != NULL)
-				last = curr;
-		} while ((curr = curr->next) != NULL);
+	curr = *head;
+	while (curr != NULL) {
+		curr4 = host_to_host4(curr);
+		if (curr4->saddr == iph->saddr)
+			break;
+		count++;
+		curr = host_get_next(curr, &last);
+	}
 
 	if (curr != NULL) {
-
 		/* We know this address, and the entry isn't too old. Update it. */
-		if (now - curr->timestamp <= (psdinfo->delay_threshold*HZ)/100 &&
-		    time_after_eq(now, curr->timestamp)) {
-
-			/* Just update the appropriate list entry if we've seen this port already */
-			for (index = 0; index < curr->count; index++) {
-				if (curr->ports[index].number == dest_port) {
-					curr->ports[index].proto = proto;
-					curr->ports[index].and_flags &= tcp_flags;
-					curr->ports[index].or_flags |= tcp_flags;
-					goto out_no_match;
-				}
-			}
-
-			/* TCP/ACK and/or TCP/RST to a new port? This could be an outgoing connection. */
-			if (proto == IPPROTO_TCP && (tcph->ack || tcph->rst))
-				goto out_no_match;
-
-			/* Packet to a new port, and not TCP/ACK: update the timestamp */
-			curr->timestamp = now;
-
-			/* Logged this scan already? Then drop the packet. */
-			if (curr->weight >= psdinfo->weight_threshold)
-				goto out_match;
-
-			/* Specify if destination address, source port, TOS or TTL are not fixed */
-			if (curr->dest_addr.s_addr != iph->daddr)
-				curr->flags |= HF_DADDR_CHANGING;
-			if (curr->src_port != src_port)
-				curr->flags |= HF_SPORT_CHANGING;
-			if (curr->tos != iph->tos)
-				curr->flags |= HF_TOS_CHANGING;
-			if (curr->ttl != iph->ttl)
-				curr->flags |= HF_TTL_CHANGING;
-
-			/* Update the total weight */
-			curr->weight += (ntohs(dest_port) < 1024) ?
-				psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
-
-			/* Got enough destination ports to decide that this is a scan? */
-			/* Then log it and drop the packet. */
-			if (curr->weight >= psdinfo->weight_threshold)
-				goto out_match;
-
-			/* Remember the new port */
-			if (curr->count < SCAN_MAX_COUNT) {
-				curr->ports[curr->count].number = dest_port;
-				curr->ports[curr->count].proto = proto;
-				curr->ports[curr->count].and_flags = tcp_flags;
-				curr->ports[curr->count].or_flags = tcp_flags;
-				curr->count++;
-			}
-
-			goto out_no_match;
-		}
+		if (entry_is_recent(curr, psdinfo->delay_threshold, now))
+			return is_portscan(curr, psdinfo, tcph, iph->protocol);
 
 		/* We know this address, but the entry is outdated. Mark it unused, and
 		 * remove from the hash table. We'll allocate a new entry instead since
 		 * this one might get re-used too soon. */
-		curr->src_addr.s_addr = 0;
-		if (last != NULL)
-			last->next = last->next->next;
-		else if (*head != NULL)
-			*head = (*head)->next;
+		curr4 = host_to_host4(curr);
+		curr4->saddr = 0;
+		ht_unlink(head, last);
 		last = NULL;
 	}
 
 	/* We don't need an ACK from a new source address */
-	if (proto == IPPROTO_TCP && tcph->ack)
-		goto out_no_match;
+	if (iph->protocol == IPPROTO_TCP && tcph->ack)
+		return false;
 
 	/* Got too many source addresses with the same hash value? Then remove the
 	 * oldest one from the hash table, so that they can't take too much of our
@@ -259,33 +340,15 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	if (count >= HASH_MAX && last != NULL)
 		last->next = NULL;
 
-	/* We're going to re-use the oldest list entry, so remove it from the hash
-	 * table first (if it is really already in use, and isn't removed from the
-	 * hash table already because of the HASH_MAX check above). */
-
-	/* First, find it */
-	if (state.list[state.index].src_addr.s_addr != 0)
-		head = &state.hash[hashfunc(state.list[state.index].src_addr)];
+	if (state.list[state.index].saddr != 0)
+		head = &state.hash[hashfunc(state.list[state.index].saddr)];
 	else
 		head = &last;
-	last = NULL;
-	if ((curr = *head) != NULL)
-		do {
-			if (curr == &state.list[state.index])
-				break;
-			last = curr;
-		} while ((curr = curr->next) != NULL);
-
-	/* Then, remove it */
-	if (curr != NULL) {
-		if (last != NULL)
-			last->next = last->next->next;
-		else if (*head != NULL)
-			*head = (*head)->next;
-	}
 
 	/* Get our list entry */
-	curr = &state.list[state.index++];
+	curr4 = &state.list[state.index++];
+	curr = &curr4->host;
+	remove_oldest(head, curr);
 	if (state.index >= LIST_SIZE)
 		state.index = 0;
 
@@ -295,46 +358,241 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	*head = curr;
 
 	/* And fill in the fields */
+	curr4 = host_to_host4(curr);
+	curr4->saddr = iph->saddr;
 	curr->timestamp = now;
-	curr->src_addr = addr;
-	curr->dest_addr.s_addr = iph->daddr;
-	curr->src_port = src_port;
 	curr->count = 1;
-	curr->weight = (ntohs(dest_port) < 1024) ? psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
-	curr->ports[0].number = dest_port;
-	curr->ports[0].proto = proto;
-	curr->ports[0].and_flags = tcp_flags;
-	curr->ports[0].or_flags = tcp_flags;
-	curr->tos = iph->tos;
-	curr->ttl = iph->ttl;
-
-out_no_match:
-	spin_unlock(&state.lock);
+	curr->weight = get_port_weight(psdinfo, tcph->dest);
+	curr->ports[0].number = tcph->dest;
+	curr->ports[0].proto = iph->protocol;
 	return false;
-
-out_match:
-	spin_unlock(&state.lock);
-	return true;
 }
 
-static struct xt_match xt_psd_reg __read_mostly = {
-	.name		= "psd",
-	.family    = NFPROTO_IPV4,
-	.revision  = 1,
-	.match		= xt_psd_match,
-	.matchsize	= sizeof(struct xt_psd_info),
-	.me			= THIS_MODULE,
+static bool
+xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
+{
+	struct iphdr *iph = ip_hdr(pskb);
+	struct tcphdr _tcph;
+	struct tcphdr *tcph;
+	bool matched;
+	unsigned int hash;
+	/* Parameters from userspace */
+	const struct xt_psd_info *psdinfo = match->matchinfo;
+
+	if (iph->frag_off & htons(IP_OFFSET)) {
+		pr_debug("sanity check failed\n");
+		return false;
+	}
+
+	/*
+	 * We are using IP address 0.0.0.0 for a special purpose here, so do
+	 * not let them spoof us. [DHCP needs this feature - HW]
+	 */
+	if (iph->saddr == 0) {
+		pr_debug("spoofed source address (0.0.0.0)\n");
+		return false;
+	}
+
+	tcph = get_header_pointer4(pskb, match->thoff, &_tcph);
+	if (tcph == NULL)
+		return false;
+
+	hash = hashfunc(iph->saddr);
+
+	spin_lock(&state.lock);
+	matched = handle_packet4(iph, tcph, psdinfo, hash);
+	spin_unlock(&state.lock);
+	return matched;
+}
+
+#ifdef WITH_IPV6
+static bool
+handle_packet6(const struct ipv6hdr *ip6h, const struct tcphdr *tcph,
+	       const struct xt_psd_info *psdinfo, uint8_t proto, int hash)
+{
+	unsigned long now;
+	struct host *curr, *last = NULL, **head;
+	struct host6 *curr6;
+	int count = 0;
+
+	now = jiffies;
+	head = &state6.hash[hash];
+
+	curr = *head;
+	while (curr != NULL) {
+		curr6 = host_to_host6(curr);
+		if (ipv6_addr_equal(&curr6->saddr, &ip6h->saddr))
+			break;
+		count++;
+		curr = host_get_next(curr, &last);
+	}
+
+	if (curr != NULL) {
+		if (entry_is_recent(curr, psdinfo->delay_threshold, now))
+			return is_portscan(curr, psdinfo, tcph, proto);
+		curr6 = host_to_host6(curr);
+		memset(&curr6->saddr, 0, sizeof(curr6->saddr));
+		ht_unlink(head, last);
+		last = NULL;
+	}
+
+	if (proto == IPPROTO_TCP && tcph->ack)
+		return false;
+
+	if (count >= HASH_MAX && last != NULL)
+		last->next = NULL;
+
+	if (!ipv6_addr_any(&state6.list[state6.index].saddr))
+		head = &state6.hash[hashfunc6(&state6.list[state6.index].saddr)];
+	else
+		head = &last;
+
+	curr6 = &state6.list[state6.index++];
+	curr = &curr6->host;
+	remove_oldest(head, curr);
+	if (state6.index >= LIST_SIZE)
+		state6.index = 0;
+
+	head = &state6.hash[hash];
+	curr->next = *head;
+	*head = curr;
+
+	curr6 = host_to_host6(curr);
+	curr6->saddr = ip6h->saddr;
+	curr->timestamp = now;
+	curr->count = 1;
+	curr->weight = get_port_weight(psdinfo, tcph->dest);
+	curr->ports[0].number = tcph->dest;
+	curr->ports[0].proto = proto;
+	return false;
+}
+
+static void *
+get_header_pointer6(const struct sk_buff *skb, void *mem, uint8_t *proto)
+{
+	static const uint8_t types[] = {IPPROTO_TCP,
+				        IPPROTO_UDP, IPPROTO_UDPLITE};
+	unsigned int i, offset = 0;
+	int err;
+	size_t hdrlen;
+
+	for (i = 0; i < ARRAY_SIZE(types); ++i) {
+		err = ipv6_find_hdr(skb, &offset, types[i], NULL, NULL);
+		if (err < 0)
+			continue;
+
+		switch (types[i]) {
+		case IPPROTO_TCP:
+			hdrlen = sizeof(struct tcphdr);
+			break;
+		case IPPROTO_UDP:
+		case IPPROTO_UDPLITE:
+			hdrlen = sizeof(struct udphdr);
+			break;
+		default:
+			return NULL;
+		}
+		*proto = types[i];
+		return skb_header_pointer(skb, offset, hdrlen, mem);
+	}
+	return NULL;
+}
+
+static bool
+xt_psd_match6(const struct sk_buff *pskb, struct xt_action_param *match)
+{
+	const struct ipv6hdr *ip6h = ipv6_hdr(pskb);
+	struct tcphdr _tcph;
+	struct tcphdr *tcph;
+	uint8_t proto = 0;
+	bool matched;
+	int hash;
+	const struct xt_psd_info *psdinfo = match->matchinfo;
+
+	if (ipv6_addr_any(&ip6h->saddr))
+		return false;
+
+	tcph = get_header_pointer6(pskb, &_tcph, &proto);
+	if (tcph == NULL)
+		return false;
+
+	hash = hashfunc6(&ip6h->saddr);
+
+	spin_lock(&state6.lock);
+	matched = handle_packet6(ip6h, tcph, psdinfo, proto, hash);
+	spin_unlock(&state6.lock);
+	return matched;
+}
+#endif
+
+static int psd_mt_check(const struct xt_mtchk_param *par)
+{
+	const struct xt_psd_info *info = par->matchinfo;
+
+	if (info->weight_threshold == 0)
+		/* 0 would match on every 1st packet */
+		return -EINVAL;
+
+	if ((info->lo_ports_weight | info->hi_ports_weight) == 0)
+		/* would never match */
+		return -EINVAL;
+
+	if (info->delay_threshold > PSD_MAX_RATE ||
+	    info->weight_threshold > PSD_MAX_RATE ||
+	    info->lo_ports_weight > PSD_MAX_RATE ||
+	    info->hi_ports_weight > PSD_MAX_RATE)
+		return -EINVAL;
+
+	return 0;
+}
+
+#ifdef WITH_IPV6
+static int psd_mt_check6(const struct xt_mtchk_param *par)
+{
+	if (!state6_alloc_mem())
+		return -ENOMEM;
+	return psd_mt_check(par);
+}
+#endif
+
+static struct xt_match xt_psd_reg[] __read_mostly = {
+	{
+		.name       = "psd",
+		.family     = NFPROTO_IPV4,
+		.revision   = 1,
+		.checkentry = psd_mt_check,
+		.match      = xt_psd_match,
+		.matchsize  = sizeof(struct xt_psd_info),
+		.me         = THIS_MODULE,
+#ifdef WITH_IPV6
+	}, {
+		.name       = "psd",
+		.family     = NFPROTO_IPV6,
+		.revision   = 1,
+		.checkentry = psd_mt_check6,
+		.match      = xt_psd_match6,
+		.matchsize  = sizeof(struct xt_psd_info),
+		.me         = THIS_MODULE,
+#endif
+	}
 };
 
 static int __init xt_psd_init(void)
 {
 	spin_lock_init(&(state.lock));
-	return xt_register_match(&xt_psd_reg);
+#ifdef WITH_IPV6
+	spin_lock_init(&(state6.lock));
+#endif
+	return xt_register_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
 }
 
 static void __exit xt_psd_exit(void)
 {
-        xt_unregister_match(&xt_psd_reg);
+        xt_unregister_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
+#ifdef WITH_IPV6
+	vfree(state6.list);
+	vfree(state6.hash);
+#endif
 }
 
 module_init(xt_psd_init);

extensions/xt_psd.h

@@ -19,17 +19,6 @@
 #define SCAN_MIN_COUNT			7
 #define SCAN_MAX_COUNT			(SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
 #define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
-#define SCAN_DELAY_THRESHOLD		(300) /* old usage of HZ here was erroneously and broke under uml */
-
-/*
- * Keep track of up to LIST_SIZE source addresses, using a hash table of
- * HASH_SIZE entries for faster lookups, but limiting hash collisions to
- * HASH_MAX source addresses per the same hash value.
- */
-#define LIST_SIZE			0x100
-#define HASH_LOG			9
-#define HASH_SIZE			(1 << HASH_LOG)
-#define HASH_MAX			0x10
 
 struct xt_psd_info {
 	__u32 weight_threshold;

extensions/xt_quota2.c

@@ -230,7 +230,7 @@ static struct xt_match quota_mt2_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV4,
 		.checkentry = quota_mt2_check,
 		.match      = quota_mt2,
-		.destroy    = quota_mt2_destroy,  
+		.destroy    = quota_mt2_destroy,
 		.matchsize  = sizeof(struct xt_quota_mtinfo2),
 		.me         = THIS_MODULE,
 	},
@@ -240,7 +240,7 @@ static struct xt_match quota_mt2_reg[] __read_mostly = {
 		.family     = NFPROTO_IPV6,
 		.checkentry = quota_mt2_check,
 		.match      = quota_mt2,
-		.destroy    = quota_mt2_destroy,  
+		.destroy    = quota_mt2_destroy,
 		.matchsize  = sizeof(struct xt_quota_mtinfo2),
 		.me         = THIS_MODULE,
 	},

geoip/xt_geoip_build

@@ -3,8 +3,6 @@
 #	Converter for MaxMind CSV database to binary, for xt_geoip
 #	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2008-2011
 #
-#	Use -b argument to create big-endian tables.
-#
 use Getopt::Long;
 use IO::Handle;
 use Text::CSV_XS; # or trade for Text::CSV

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.42 (2012-04-05)" "" "v1.42 (2012-04-05)"
+.TH xtables-addons 8 "v1.47 (2012-10-15)" "" "v1.47 (2012-10-15)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets