ipaddr match (from "Writing your own Netfilter module" PDF)

I have been thinking quite a while when to drop support for old
versions. The changes in Linux kernel 3.7 in nf_nat prompted me to
make the cut here, to throw out most of the backwards-compatibility
code and start mostly blank. As future kernels will be released and
supported, no doubt will new code to work with those releases be
added.

If you run with an older kernel, continue to use the Xtables-addons
1.x series.

INSTALL

@@ -14,14 +14,15 @@ Supported configurations for this release
 
 	* iptables >= 1.4.5
 
-	* kernel-devel >= 2.6.32
+	* kernel-devel >= 3.7
 	  with prepared build/output directory
-	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
-	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
-	    enabled =y or as module (=m)
+	  - CONFIG_NF_CONNTRACK
+	  - CONFIG_NF_CONNTRACK_MARK enabled =y or as module (=m)
 	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
 	    notifications from pknock through netlink/connector
 
+(Use xtables-addons-1.x if you need support for Linux < 3.7.)
+
 
 Selecting extensions
 ====================

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [1.44])
+AC_INIT([xtables-addons], [2.1])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -31,7 +31,7 @@ xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
 
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path where to install Xtables extensions [[autodetect]]]]),
+	[Path where to install Xtables extensions [[autodetect]]]),
 	[xtlibdir="$withval"])
 AC_MSG_CHECKING([Xtables module directory])
 AC_MSG_RESULT([$xtlibdir])
@@ -63,11 +63,9 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 4; then
-			echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
-		elif test "$kmajor" -eq 3; then
-			:;
-		elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 32; then
+		if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 8; then
+			echo "WARNING: That kernel version is not officially supported.";
+		elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
 			:;
 		else
 			echo "WARNING: That kernel version is not officially supported.";

doc/api/2.6.17.c

@@ -1,64 +0,0 @@
-match:
-
-	/* true/false */
-	int
-	(*match)(
-		const struct sk_buff *skb,
-		const struct net_device *in,
-		const struct net_device *out,
-		const struct xt_match *match,
-		const void *matchinfo,
-		int offset,
-		unsigned int protoff,
-		int *hotdrop,
-	);
-
-	/* true/false */
-	int
-	(*checkentry)(
-		const char *tablename,
-		const void *ip,
-		const struct xt_match *match,
-		void *matchinfo,
-		unsigned int matchinfosize,
-		unsigned int hook_mask,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_match *match,
-		void *matchinfo,
-		unsigned int matchinfosize,
-	);
-
-target:
-
-	/* verdict */
-	unsigned int
-	(*target)(
-		struct sk_buff **pskb,
-		const struct net_device *in,
-		const struct net_device *out,
-		unsigned int hooknum,
-		const struct xt_target *target,
-		const void *targinfo,
-		void *userdata,
-	);
-
-	/* true/false */
-	int
-	(*checkentry)(
-		const char *tablename,
-		const void *entry,
-		const struct xt_target *target,
-		void *targinfo,
-		unsigned int targinfosize,
-		unsigned int hook_mask,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_target *target,
-		void *targinfo,
-		unsigned int targinfosize,
-	);

doc/api/2.6.19.c

@@ -1,59 +0,0 @@
-match:
-
-	/* true/false */
-	int
-	(*match)(
-		const struct sk_buff *skb,
-		const struct net_device *in,
-		const struct net_device *out,
-		const struct xt_match *match,
-		const void *matchinfo,
-		int offset,
-		unsigned int protoff,
-		int *hotdrop,
-	);
-
-	/* true/false */
-	int
-	(*checkentry)(
-		const char *tablename,
-		const void *ip,
-		const struct xt_match *match,
-		void *matchinfo,
-		unsigned int hook_mask,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_match *match,
-		void *matchinfo,
-	);
-
-target:
-
-	/* verdict */
-	unsigned int
-	(*target)(
-		struct sk_buff **pskb,
-		const struct net_device *in,
-		const struct net_device *out,
-		unsigned int hooknum,
-		const struct xt_target *target,
-		const void *targinfo,
-	);
-
-	/* true/false */
-	int
-	(*checkentry)(
-		const char *tablename,
-		const void *entry,
-		const struct xt_target *target,
-		void *targinfo,
-		unsigned int hook_mask,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_target *target,
-		void *targinfo,
-	);

doc/api/2.6.23.c

@@ -1,59 +0,0 @@
-match:
-
-	/* true/false */
-	bool
-	(*match)(
-		const struct sk_buff *skb,
-		const struct net_device *in,
-		const struct net_device *out,
-		const struct xt_match *match,
-		const void *matchinfo,
-		int offset,
-		unsigned int protoff,
-		bool *hotdrop,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const char *tablename,
-		const void *ip,
-		const struct xt_match *match,
-		void *matchinfo,
-		unsigned int hook_mask,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_match *match,
-		void *matchinfo,
-	);
-
-target:
-
-	/* verdict */
-	unsigned int
-	(*target)(
-		struct sk_buff **pskb,
-		const struct net_device *in,
-		const struct net_device *out,
-		unsigned int hooknum,
-		const struct xt_target *target,
-		const void *targinfo,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const char *tablename,
-		const void *entry,
-		const struct xt_target *target,
-		void *targinfo,
-		unsigned int hook_mask,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_target *target,
-		void *targinfo,
-	);

doc/api/2.6.24.c

@@ -1,59 +0,0 @@
-match:
-
-	/* true/false */
-	bool
-	(*match)(
-		const struct sk_buff *skb,
-		const struct net_device *in,
-		const struct net_device *out,
-		const struct xt_match *match,
-		const void *matchinfo,
-		int offset,
-		unsigned int protoff,
-		bool *hotdrop,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const char *tablename,
-		const void *ip,
-		const struct xt_match *match,
-		void *matchinfo,
-		unsigned int hook_mask,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_match *match,
-		void *matchinfo,
-	);
-
-target:
-
-	/* verdict */
-	unsigned int
-	(*target)(
-		struct sk_buff *skb,
-		const struct net_device *in,
-		const struct net_device *out,
-		unsigned int hooknum,
-		const struct xt_target *target,
-		const void *targinfo,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const char *tablename,
-		const void *entry,
-		const struct xt_target *target,
-		void *targinfo,
-		unsigned int hook_mask,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_target *target,
-		void *targinfo,
-	);

doc/api/2.6.28.c

@@ -1,39 +0,0 @@
-match:
-
-	/* true/false */
-	bool
-	(*match)(
-		const struct sk_buff *skb,
-		const struct xt_match_param *,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const struct xt_mtchk_param *,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_mtdtor_param *,
-	);
-
-target:
-
-	/* verdict */
-	unsigned int
-	(*target)(
-		struct sk_buff *skb,
-		const struct xt_target_param *,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const struct xt_tgchk_param *,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_tgdtor_param *,
-	);

doc/api/2.6.31.c

@@ -1,38 +0,0 @@
-match:
-
-	/* true/false */
-	bool
-	(*match)(
-		const struct sk_buff *skb,
-		const struct xt_match_param *,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const struct xt_mtchk_param *,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_mtdtor_param *,
-	);
-
-target:
-
-	unsigned int
-	(*target)(
-		struct sk_buff *skb,
-		const struct xt_target_param *,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const struct xt_tgchk_param *,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_tgdtor_param *,
-	);

doc/api/2.6.32.c

@@ -1,39 +0,0 @@
-match:
-
-	/* true/false */
-	bool
-	(*match)(
-		const struct sk_buff *skb,
-		const struct xt_match_param *,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const struct xt_mtchk_param *,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_mtdtor_param *,
-	);
-
-target:
-
-	/* verdict */
-	unsigned int
-	(*target)(
-		struct sk_buff *skb,
-		const struct xt_target_param *,
-	);
-
-	/* true/false */
-	bool
-	(*checkentry)(
-		const struct xt_tgchk_param *,
-	);
-
-	void
-	(*destroy)(
-		const struct xt_tgdtor_param *,
-	);

doc/changelog.txt

@@ -3,6 +3,57 @@ HEAD
 ====
 
 
+v2.1 (2012-11-27)
+=================
+Fixes:
+- DNETMAP: fix compile error with Linux 3.7
+Enhancements:
+- Support for Linux 3.8
+
+
+v2.0 (2012-11-12)
+=================
+Changes:
+- remove support for Linux 2.6.17–3.6
+- remove xt_TEE (this is available upstream since 2.6.35)
+- remove xt_CHECKSUM (this is available upstream since 2.6.36)
+Enhancements:
+- Support for Linux 3.7
+
+If you want to use Xtables-addons with kernels older than 3.7,
+use the addons 1.x series, which continues to be maintained for
+the time being.
+
+
+v1.47.1 (2010-10-15)
+====================
+Enhancements:
+- xt_psd gained IPv6 support
+Notes for this release:
+- Linux 3.7+ is expressly unsupported by this release.
+
+
+v1.46 (2012-08-23)
+==================
+Fixes:
+- length2, SYSRQ, RAWNAT: preinitialize values for ipv6_find_hdr
+- TARPIT: fix memory leak when tarpit_generic() fails
+- build: remove extraneous closing bracket in configure.ac
+- doc: update xt_SYSRQ.man to reflect that the full IPv6 address is needed
+Enhancements:
+- Support for Linux 3.6
+
+
+v1.45 (2012-07-16)
+==================
+Fixes:
+- build: export missing functions
+  (fixes: "WARNING 'xtnu_ipv6_find_hdr' [xt_TARPIT.ko] not found")
+- build: avoid use of unexported functions
+  (fixes: "WARNING 'ipv6_find_hdr' [xt_TARPIT.ko] not found"
+  in <= linux-2.6.37)
+
+
 v1.44 (2012-07-15)
 ==================
 Fixes:

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -22,11 +22,7 @@
 #include <net/tcp.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,27)
-    #include <linux/semaphore.h>
-#else
-    #include <asm/semaphore.h>
-#endif
+#include <linux/semaphore.h>
 
 #include <linux/kernel.h>
 #include <linux/mm.h>

extensions/Kbuild

@@ -7,7 +7,6 @@ obj-m                    += compat_xtables.o
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
-obj-${build_CHECKSUM}    += xt_CHECKSUM.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_DNETMAP}     += xt_DNETMAP.o
@@ -23,7 +22,6 @@ endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o
 obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o
-obj-${build_TEE}         += xt_TEE.o
 obj-${build_condition}   += xt_condition.o
 obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
@@ -36,5 +34,7 @@ obj-${build_pknock}      += pknock/
 obj-${build_psd}         += xt_psd.o
 obj-${build_quota2}      += xt_quota2.o
 
+obj-${build_ipaddr}   += xt_ipaddr.o
+
 -include ${M}/*.Kbuild
 -include ${M}/Kbuild.*

extensions/Mbuild

@@ -2,7 +2,6 @@
 
 obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
-obj-${build_CHECKSUM}    += libxt_CHECKSUM.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_DNETMAP}     += libxt_DNETMAP.so
@@ -13,11 +12,11 @@ obj-${build_RAWNAT}      += libxt_RAWDNAT.so libxt_RAWSNAT.so
 obj-${build_STEAL}       += libxt_STEAL.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
-obj-${build_TEE}         += libxt_TEE.so
 obj-${build_condition}   += libxt_condition.so
 obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
 obj-${build_iface}       += libxt_iface.so
+obj-${build_ipaddr}      += libxt_ipaddr.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so

extensions/compat_rawpost.h

@@ -1,87 +1,6 @@
 #ifndef XTA_COMPAT_RAWPOST_H
 #define XTA_COMPAT_RAWPOST_H 1
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
 typedef struct sk_buff sk_buff_t;
-#else
-typedef struct sk_buff *sk_buff_t;
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
-#define XT_TARGET_INIT(__name, __size)					       \
-{									       \
-	.target.u.user = {						       \
-		.target_size	= XT_ALIGN(__size),			       \
-		.name		= __name,				       \
-	},								       \
-}
-
-#define IPT_ENTRY_INIT(__size)						       \
-{									       \
-	.target_offset	= sizeof(struct ipt_entry),			       \
-	.next_offset	= (__size),					       \
-}
-
-#define IPT_STANDARD_INIT(__verdict)					       \
-{									       \
-	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_standard)),	       \
-	.target		= XT_TARGET_INIT(IPT_STANDARD_TARGET,		       \
-					 sizeof(struct xt_standard_target)),   \
-	.target.verdict	= -(__verdict) - 1,				       \
-}
-
-#define IPT_ERROR_INIT							       \
-{									       \
-	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_error)),	       \
-	.target		= XT_TARGET_INIT(IPT_ERROR_TARGET,		       \
-					 sizeof(struct ipt_error_target)),     \
-	.target.errorname = "ERROR",					       \
-}
-
-#define IP6T_ENTRY_INIT(__size)						       \
-{									       \
-	.target_offset	= sizeof(struct ip6t_entry),			       \
-	.next_offset	= (__size),					       \
-}
-
-#define IP6T_STANDARD_INIT(__verdict)					       \
-{									       \
-	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
-	.target		= XT_TARGET_INIT(IP6T_STANDARD_TARGET,		       \
-					 sizeof(struct ip6t_standard_target)), \
-	.target.verdict	= -(__verdict) - 1,				       \
-}
-
-#define IP6T_ERROR_INIT							       \
-{									       \
-	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),	       \
-	.target		= XT_TARGET_INIT(IP6T_ERROR_TARGET,		       \
-					 sizeof(struct ip6t_error_target)),    \
-	.target.errorname = "ERROR",					       \
-}
-
-#endif /* 2.6.21 */
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
-#	include <linux/netfilter_ipv6/ip6_tables.h>
-/* Standard entry */
-struct ip6t_standard
-{
-	struct ip6t_entry entry;
-	struct ip6t_standard_target target;
-};
-
-struct ip6t_error_target
-{
-	struct ip6t_entry_target target;
-	char errorname[IP6T_FUNCTION_MAXNAMELEN];
-};
-
-struct ip6t_error
-{
-	struct ip6t_entry entry;
-	struct ip6t_error_target target;
-};
-#endif /* 2.6.20 */
 
 #endif /* XTA_COMPAT_RAWPOST_H */

extensions/compat_skbuff.h

@@ -4,34 +4,8 @@
 struct tcphdr;
 struct udphdr;
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 30)
-static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
-{
-	skb->dst = dst;
-}
-
-static inline struct dst_entry *skb_dst(const struct sk_buff *skb)
-{
-	return skb->dst;
-}
-
-static inline struct rtable *skb_rtable(const struct sk_buff *skb)
-{
-	return (void *)skb->dst;
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-#	define skb_ifindex(skb) \
-		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
-#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
-#	define skb_ifindex(skb) (skb)->iif
-#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
-#else
-#	define skb_ifindex(skb) (skb)->skb_iif
-#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
-#endif
+#define skb_ifindex(skb) (skb)->skb_iif
+#define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 
 #ifdef CONFIG_NETWORK_SECMARK
 #	define skb_secmark(skb) ((skb)->secmark)
@@ -39,24 +13,4 @@ static inline struct rtable *skb_rtable(const struct sk_buff *skb)
 #	define skb_secmark(skb) 0
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
-#	define ip_hdr(skb) ((skb)->nh.iph)
-#	define ip_hdrlen(skb) (ip_hdr(skb)->ihl * 4)
-#	define ipv6_hdr(skb) ((skb)->nh.ipv6h)
-#	define skb_network_header(skb) ((skb)->nh.raw)
-#	define skb_transport_header(skb) ((skb)->h.raw)
-static inline void skb_reset_network_header(struct sk_buff *skb)
-{
-	skb->nh.raw = skb->data;
-}
-static inline struct tcphdr *tcp_hdr(const struct sk_buff *skb)
-{
-	return (void *)skb_transport_header(skb);
-}
-static inline struct udphdr *udp_hdr(const struct sk_buff *skb)
-{
-	return (void *)skb_transport_header(skb);
-}
-#endif
-
 #endif /* COMPAT_SKBUFF_H */

extensions/compat_xtables.c

@@ -1,6 +1,6 @@
 /*
  *	API compat layer
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
+ *	written by Jan Engelhardt, 2008 - 2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License, either
@@ -21,271 +21,13 @@
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/route.h>
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0)
-#	include <linux/export.h>
-#endif
+#include <linux/export.h>
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 #	define WITH_IPV6 1
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
-static int xtnu_match_run(const struct sk_buff *skb,
-    const struct net_device *in, const struct net_device *out,
-    const struct xt_match *cm, const void *matchinfo, int offset,
-    unsigned int protoff, int *hotdrop)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static bool xtnu_match_run(const struct sk_buff *skb,
-    const struct net_device *in, const struct net_device *out,
-    const struct xt_match *cm, const void *matchinfo, int offset,
-    unsigned int protoff, bool *hotdrop)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_match *nm = xtcompat_numatch(cm);
-	bool lo_ret;
-	struct xt_action_param local_par;
-	local_par.in        = in;
-	local_par.out       = out;
-	local_par.match     = cm;
-	local_par.matchinfo = matchinfo;
-	local_par.fragoff   = offset;
-	local_par.thoff     = protoff;
-	local_par.hotdrop   = false;
-	local_par.family    = NFPROTO_UNSPEC; /* don't have that info */
-
-	if (nm == NULL || nm->match == NULL)
-		return false;
-	lo_ret = nm->match(skb, &local_par);
-	*hotdrop = local_par.hotdrop;
-	return lo_ret;
-}
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
-    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-static bool xtnu_match_run(const struct sk_buff *skb,
-    const struct xt_match_param *par)
-{
-	struct xtnu_match *nm = xtcompat_numatch(par->match);
-	struct xt_action_param local_par;
-	bool ret;
-
-	local_par.in        = par->in;
-	local_par.out       = par->out;
-	local_par.match     = par->match;
-	local_par.matchinfo = par->matchinfo;
-	local_par.fragoff   = par->fragoff;
-	local_par.thoff     = par->thoff;
-	local_par.hotdrop   = false;
-	local_par.family    = par->family;
-
-	if (nm == NULL || nm->match == NULL)
-		return false;
-	ret = nm->match(skb, &local_par);
-	*par->hotdrop = local_par.hotdrop;
-	return ret;
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static int xtnu_match_check(const char *table, const void *entry,
-    const struct xt_match *cm, void *matchinfo, unsigned int matchinfosize,
-    unsigned int hook_mask)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
-static int xtnu_match_check(const char *table, const void *entry,
-    const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static bool xtnu_match_check(const char *table, const void *entry,
-    const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_match *nm = xtcompat_numatch(cm);
-	struct xt_mtchk_param local_par = {
-		.table     = table,
-		.entryinfo = entry,
-		.match     = cm,
-		.matchinfo = matchinfo,
-		.hook_mask = hook_mask,
-		.family    = NFPROTO_UNSPEC,
-	};
-
-	if (nm == NULL)
-		return false;
-	if (nm->checkentry == NULL)
-		return true;
-	return nm->checkentry(&local_par) == 0;
-}
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
-    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-static bool xtnu_match_check(const struct xt_mtchk_param *par)
-{
-	struct xtnu_match *nm = xtcompat_numatch(par->match);
-
-	if (nm == NULL)
-		return false;
-	if (nm->checkentry == NULL)
-		return true;
-	return nm->checkentry(par) == 0;
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo,
-    unsigned int matchinfosize)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_match *nm = xtcompat_numatch(cm);
-	struct xt_mtdtor_param local_par = {
-		.match     = cm,
-		.matchinfo = matchinfo,
-		.family    = NFPROTO_UNSPEC,
-	};
-
-	if (nm != NULL && nm->destroy != NULL)
-		nm->destroy(&local_par);
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-int xtnu_register_match(struct xtnu_match *nt)
-{
-	struct xt_match *ct;
-	char *tmp;
-	int ret;
-
-	ct = kzalloc(sizeof(struct xt_match), GFP_KERNEL);
-	if (ct == NULL)
-		return -ENOMEM;
-
-	tmp = (char *)ct->name;
-	memcpy(tmp, nt->name, sizeof(nt->name));
-	tmp = (char *)(ct->name + sizeof(ct->name) - sizeof(void *));
-	*(tmp-1) = '\0';
-	memcpy(tmp, &nt, sizeof(void *));
-
-	ct->revision   = nt->revision;
-	ct->family     = nt->family;
-	ct->table      = (char *)nt->table;
-	ct->hooks      = nt->hooks;
-	ct->proto      = nt->proto;
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-	ct->match      = xtnu_match_run;
-	ct->checkentry = xtnu_match_check;
-	ct->destroy    = xtnu_match_destroy;
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-	ct->match      = xtnu_match_run;
-	ct->checkentry = xtnu_match_check;
-	ct->destroy    = nt->destroy;
-#else
-	ct->match      = nt->match;
-	ct->checkentry = xtnu_match_check;
-	ct->destroy    = nt->destroy;
-#endif
-	ct->matchsize  = nt->matchsize;
-	ct->me         = nt->me;
-
-	nt->__compat_match = ct;
-	ret = xt_register_match(ct);
-	if (ret != 0)
-		kfree(ct);
-	return ret;
-}
-EXPORT_SYMBOL_GPL(xtnu_register_match);
-
-int xtnu_register_matches(struct xtnu_match *nt, unsigned int num)
-{
-	unsigned int i;
-	int ret;
-
-	for (i = 0; i < num; ++i) {
-		ret = xtnu_register_match(&nt[i]);
-		if (ret < 0) {
-			if (i > 0)
-				xtnu_unregister_matches(nt, i);
-			return ret;
-		}
-	}
-	return 0;
-}
-EXPORT_SYMBOL_GPL(xtnu_register_matches);
-
-void xtnu_unregister_match(struct xtnu_match *nt)
-{
-	xt_unregister_match(nt->__compat_match);
-	kfree(nt->__compat_match);
-}
-EXPORT_SYMBOL_GPL(xtnu_unregister_match);
-
-void xtnu_unregister_matches(struct xtnu_match *nt, unsigned int num)
-{
-	unsigned int i;
-
-	for (i = 0; i < num; ++i)
-		xtnu_unregister_match(&nt[i]);
-}
-EXPORT_SYMBOL_GPL(xtnu_unregister_matches);
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static unsigned int xtnu_target_run(struct sk_buff **pskb,
-    const struct net_device *in, const struct net_device *out,
-    unsigned int hooknum, const struct xt_target *ct, const void *targinfo,
-    void *userdata)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-static unsigned int xtnu_target_run(struct sk_buff **pskb,
-    const struct net_device *in, const struct net_device *out,
-    unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static unsigned int xtnu_target_run(struct sk_buff *skb,
-    const struct net_device *in, const struct net_device *out,
-    unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_action_param local_par;
-
-	local_par.in       = in;
-	local_par.out      = out;
-	local_par.hooknum  = hooknum;
-	local_par.target   = ct;
-	local_par.targinfo = targinfo;
-	local_par.family   = NFPROTO_UNSPEC;
-
-	if (nt != NULL && nt->target != NULL)
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-		return nt->target(pskb, &local_par);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-		return nt->target(&skb, &local_par);
-#endif
-	return XT_CONTINUE;
-}
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
-    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-static unsigned int
-xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(par->target);
-	struct xt_action_param local_par;
-
-	local_par.in       = par->in;
-	local_par.out      = par->out;
-	local_par.hooknum  = par->hooknum;
-	local_par.target   = par->target;
-	local_par.targinfo = par->targinfo;
-	local_par.family   = par->family;
-
-	return nt->target(&skb, &local_par);
-}
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
 static unsigned int
 xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
 {
@@ -293,73 +35,6 @@ xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
 
 	return nt->target(&skb, par);
 }
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static int xtnu_target_check(const char *table, const void *entry,
-    const struct xt_target *ct, void *targinfo,
-    unsigned int targinfosize, unsigned int hook_mask)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
-static int xtnu_target_check(const char *table, const void *entry,
-    const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static bool xtnu_target_check(const char *table, const void *entry,
-    const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_tgchk_param local_par = {
-		.table     = table,
-		.entryinfo = entry,
-		.target    = ct,
-		.targinfo  = targinfo,
-		.hook_mask = hook_mask,
-		.family    = NFPROTO_UNSPEC,
-	};
-
-	if (nt == NULL)
-		return false;
-	if (nt->checkentry == NULL)
-		/* this is valid, just like if there was no function */
-		return true;
-	return nt->checkentry(&local_par) == 0;
-}
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
-    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-static bool xtnu_target_check(const struct xt_tgchk_param *par)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(par->target);
-
-	if (nt == NULL)
-		return false;
-	if (nt->checkentry == NULL)
-		return true;
-	return nt->checkentry(par) == 0;
-}
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo,
-    unsigned int targinfosize)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo)
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(ct);
-	struct xt_tgdtor_param local_par = {
-		.target   = ct,
-		.targinfo = targinfo,
-		.family   = NFPROTO_UNSPEC,
-	};
-
-	if (nt != NULL && nt->destroy != NULL)
-		nt->destroy(&local_par);
-}
-#endif
 
 int xtnu_register_target(struct xtnu_target *nt)
 {
@@ -383,16 +58,8 @@ int xtnu_register_target(struct xtnu_target *nt)
 	ct->hooks      = nt->hooks;
 	ct->proto      = nt->proto;
 	ct->target     = xtnu_target_run;
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-	ct->checkentry = xtnu_target_check;
-	ct->destroy    = xtnu_target_destroy;
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-	ct->checkentry = xtnu_target_check;
-	ct->destroy    = nt->destroy;
-#else
 	ct->checkentry = nt->checkentry;
 	ct->destroy    = nt->destroy;
-#endif
 	ct->targetsize = nt->targetsize;
 	ct->me         = nt->me;
 
@@ -463,146 +130,16 @@ EXPORT_SYMBOL_GPL(xtnu_request_find_match);
 
 int xtnu_ip_route_me_harder(struct sk_buff **pskb, unsigned int addr_type)
 {
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
-	/* Actually this one is valid up to 2.6.18.4, but changed in 2.6.18.5 */
-	return ip_route_me_harder(pskb);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-	return ip_route_me_harder(pskb, addr_type);
-#else
 	return ip_route_me_harder(*pskb, addr_type);
-#endif
 }
 EXPORT_SYMBOL_GPL(xtnu_ip_route_me_harder);
 
 int xtnu_skb_make_writable(struct sk_buff **pskb, unsigned int len)
 {
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-	return skb_make_writable(pskb, len);
-#else
 	return skb_make_writable(*pskb, len);
-#endif
 }
 EXPORT_SYMBOL_GPL(xtnu_skb_make_writable);
 
-#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 24)
-static int __xtnu_ip_local_out(struct sk_buff *skb)
-{
-	struct iphdr *iph = ip_hdr(skb);
-
-	iph->tot_len = htons(skb->len);
-	ip_send_check(iph);
-	return nf_hook(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
-	               skb->dst->dev, dst_output);
-}
-
-int xtnu_ip_local_out(struct sk_buff *skb)
-{
-	int err;
-
-	err = __xtnu_ip_local_out(skb);
-	if (likely(err == 1))
-		err = dst_output(skb);
-
-	return err;
-}
-EXPORT_SYMBOL_GPL(xtnu_ip_local_out);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-static int __xtnu_ip_local_out(struct sk_buff **pskb)
-{
-	struct iphdr *iph = ip_hdr(*pskb);
-
-	iph->tot_len = htons((*pskb)->len);
-	ip_send_check(iph);
-	return nf_hook(PF_INET, NF_IP_LOCAL_OUT, pskb, NULL,
-	               (*pskb)->dst->dev, dst_output);
-}
-
-int xtnu_ip_local_out(struct sk_buff *skb)
-{
-	int err;
-
-	err = __xtnu_ip_local_out(&skb);
-	if (likely(err == 1))
-		err = dst_output(skb);
-
-	return err;
-}
-EXPORT_SYMBOL_GPL(xtnu_ip_local_out);
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
-int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp)
-{
-	return ip_route_output_flow(rp, flp, NULL, 0);
-}
-EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
-
-void xtnu_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
-    __be32 from, __be32 to, bool pseudohdr)
-{
-	__be32 diff[] = {~from, to};
-	const void *dv = diff; /* kludge for < v2.6.19-555-g72685fc */
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	if (skb->ip_summed != CHECKSUM_PARTIAL) {
-		*sum = csum_fold(csum_partial(dv, sizeof(diff),
-		       ~csum_unfold(*sum)));
-		if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
-			skb->csum = ~csum_partial(dv, sizeof(diff),
-			            ~skb->csum);
-	} else if (pseudohdr) {
-		*sum = ~csum_fold(csum_partial(dv, sizeof(diff),
-		       csum_unfold(*sum)));
-	}
-#else
-	*sum = csum_fold(csum_partial(dv, sizeof(diff),
-	       ~csum_unfold(*sum)));
-#endif
-}
-EXPORT_SYMBOL_GPL(xtnu_proto_csum_replace4);
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-int xtnu_neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
-{
-	unsigned int hh_alen;
-
-	read_lock_bh(&hh->hh_lock);
-	hh_alen = HH_DATA_ALIGN(hh->hh_len);
-	memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
-	read_unlock_bh(&hh->hh_lock);
-	skb_push(skb, hh->hh_len);
-	return hh->hh_output(skb);
-}
-EXPORT_SYMBOL_GPL(xtnu_neigh_hh_output);
-
-static inline __wsum xtnu_csum_unfold(__sum16 n)
-{
-	return (__force __wsum)n;
-}
-
-void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
-{
-	__be32 diff[] = {~from, to};
-	*sum = csum_fold(csum_partial((char *)diff, sizeof(diff),
-	       ~xtnu_csum_unfold(*sum)));
-}
-
-void xtnu_csum_replace2(__sum16 *sum, __be16 from, __be16 to)
-{
-	xtnu_csum_replace4(sum, (__force __be32)from, (__force __be32)to);
-}
-EXPORT_SYMBOL_GPL(xtnu_csum_replace2);
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
-int xtnu_skb_linearize(struct sk_buff *skb)
-{
-	return skb_linearize(skb, GFP_ATOMIC);
-}
-EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
-#endif
-
 void *HX_memmem(const void *space, size_t spacesize,
     const void *point, size_t pointsize)
 {
@@ -617,20 +154,4 @@ void *HX_memmem(const void *space, size_t spacesize,
 }
 EXPORT_SYMBOL_GPL(HX_memmem);
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0) && defined(WITH_IPV6)
-int xtnu_ipv6_skip_exthdr(const struct sk_buff *skb, int start,
-    uint8_t *nexthdrp, __be16 *fragoffp)
-{
-	return ipv6_skip_exthdr(skb, start, nexthdrp);
-}
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0) && defined(WITH_IPV6)
-int xtnu_ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
-    int target, unsigned short *fragoff, int *fragflg)
-{
-	return ipv6_find_hdr(skb, offset, target, fragoff);
-}
-#endif
-
 MODULE_LICENSE("GPL");

extensions/compat_xtables.h

@@ -8,8 +8,8 @@
 
 #define DEBUGP Use__pr_debug__instead
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
-#	warning Kernels below 2.6.17 not supported.
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
+#	warning Kernels below 3.7 not supported.
 #endif
 
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -17,87 +17,14 @@
 #		warning You have CONFIG_NF_CONNTRACK enabled, but CONFIG_NF_CONNTRACK_MARK is not (please enable).
 #	endif
 #	include <net/netfilter/nf_conntrack.h>
-#elif defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-#	if !defined(CONFIG_IP_NF_CONNTRACK_MARK)
-#		warning You have CONFIG_IP_NF_CONNTRACK enabled, but CONFIG_IP_NF_CONNTRACK_MARK is not (please enable).
-#	endif
-#	include <linux/netfilter_ipv4/ip_conntrack.h>
-#	define nf_conn ip_conntrack
-#	define nf_ct_get ip_conntrack_get
-#	define nf_conntrack_untracked ip_conntrack_untracked
 #else
-#	warning You need either CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK.
+#	warning You need CONFIG_NF_CONNTRACK.
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
-#	define skb_init_secmark(skb)
-#	define skb_linearize	xtnu_skb_linearize
-#endif
+#define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
+#define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-#	define neigh_hh_output xtnu_neigh_hh_output
-#	define IPPROTO_UDPLITE 136
-#	define CSUM_MANGLED_0 ((__force __sum16)0xffff)
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
-#	define NF_INET_PRE_ROUTING  NF_IP_PRE_ROUTING
-#	define NF_INET_LOCAL_IN     NF_IP_LOCAL_IN
-#	define NF_INET_FORWARD      NF_IP_FORWARD
-#	define NF_INET_LOCAL_OUT    NF_IP_LOCAL_OUT
-#	define NF_INET_POST_ROUTING NF_IP_POST_ROUTING
-#	define ip_local_out         xtnu_ip_local_out
-#	define ip_route_output_key  xtnu_ip_route_output_key
-#	include "compat_nfinetaddr.h"
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-#	define init_net               xtnu_ip_route_output_key /* yes */
-#	define init_net__loopback_dev (&loopback_dev)
-#	define init_net__proc_net     proc_net
-#else
-#	define init_net__loopback_dev init_net.loopback_dev
-#	define init_net__proc_net     init_net.proc_net
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-#	define xt_match              xtnu_match
-#	define xt_register_match     xtnu_register_match
-#	define xt_unregister_match   xtnu_unregister_match
-#	define xt_register_matches   xtnu_register_matches
-#	define xt_unregister_matches xtnu_unregister_matches
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-#	define csum_replace2 xtnu_csum_replace2
-#	define csum_replace4 xtnu_csum_replace4
-#	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
-#	define csum_replace2 nf_csum_replace2
-#	define csum_replace4 nf_csum_replace4
-#	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
-#	define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
-#	define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
-#else
-#	define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
-#	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
-#	define rt_dst(rt)	(&(rt)->dst)
-#else
-#	define rt_dst(rt)	(&(rt)->u.dst)
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
-#	define nf_nat_ipv4_multi_range_compat nf_nat_multi_range_compat
-#	define nf_nat_ipv4_range nf_nat_range
-#	define NF_NAT_RANGE_MAP_IPS IP_NAT_RANGE_MAP_IPS
-#	define ipv6_skip_exthdr xtnu_ipv6_skip_exthdr
-#endif
+#define rt_dst(rt)	(&(rt)->dst)
 
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \
@@ -120,10 +47,6 @@
 #	define NIPQUAD_FMT "%u.%u.%u.%u"
 #endif
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
-#	define ipv6_find_hdr xtnu_ipv6_find_hdr
-#endif
-
 #define ip_route_me_harder    xtnu_ip_route_me_harder
 #define skb_make_writable     xtnu_skb_make_writable
 #define xt_target             xtnu_target

extensions/compat_xtnu.h

@@ -5,89 +5,12 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/spinlock.h>
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-typedef _Bool bool;
-enum { false = 0, true = 1, };
-#endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-typedef __u16 __bitwise __sum16;
-typedef __u32 __bitwise __wsum;
-#endif
-
 struct flowi;
-struct hh_cache;
 struct module;
 struct net_device;
 struct rtable;
 struct sk_buff;
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-enum {
-	NFPROTO_UNSPEC =  0,
-	NFPROTO_IPV4   =  2,
-	NFPROTO_ARP    =  3,
-	NFPROTO_BRIDGE =  7,
-	NFPROTO_IPV6   = 10,
-	NFPROTO_DECNET = 12,
-	NFPROTO_NUMPROTO,
-};
-
-struct xt_mtchk_param {
-	const char *table;
-	const void *entryinfo;
-	const struct xt_match *match;
-	void *matchinfo;
-	unsigned int hook_mask;
-	u_int8_t family;
-};
-
-struct xt_mtdtor_param {
-	const struct xt_match *match;
-	void *matchinfo;
-	u_int8_t family;
-};
-
-struct xt_target_param {
-	const struct net_device *in, *out;
-	unsigned int hooknum;
-	const struct xt_target *target;
-	const void *targinfo;
-	u_int8_t family;
-};
-
-struct xt_tgchk_param {
-	const char *table;
-	const void *entryinfo;
-	const struct xt_target *target;
-	void *targinfo;
-	unsigned int hook_mask;
-	u_int8_t family;
-};
-
-struct xt_tgdtor_param {
-	const struct xt_target *target;
-	void *targinfo;
-	u_int8_t family;
-};
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-struct xt_action_param {
-	union {
-		const struct xt_match *match;
-		const struct xt_target *target;
-	};
-	union {
-		const void *matchinfo, *targinfo;
-	};
-	const struct net_device *in, *out;
-	int fragoff;
-	unsigned int thoff, hooknum;
-	u_int8_t family;
-	bool hotdrop;
-};
-#endif
-
 struct xtnu_match {
 	/*
 	 * Making it smaller by sizeof(void *) on purpose to catch
@@ -135,13 +58,6 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
 	return q;
 }
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
-static inline __wsum csum_unfold(__sum16 n)
-{
-	return (__force __wsum)n;
-}
-#endif
-
 extern int xtnu_ip_local_out(struct sk_buff *);
 extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
 extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
@@ -156,12 +72,8 @@ extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
 extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
 extern struct xt_match *xtnu_request_find_match(unsigned int,
 	const char *, uint8_t);
-extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);
-extern void xtnu_csum_replace2(__u16 __bitwise *, __be16, __be16);
-extern void xtnu_csum_replace4(__u16 __bitwise *, __be32, __be32);
 extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
 	__be32, __be32, bool);
-extern int xtnu_skb_linearize(struct sk_buff *);
 extern int xtnu_ipv6_skip_exthdr(const struct sk_buff *, int,
 	uint8_t *, __be16 *);
 extern int xtnu_ipv6_find_hdr(const struct sk_buff *, unsigned int *,

extensions/ip6table_rawpost.c

@@ -1,6 +1,6 @@
 /*
  *	rawpost table for ip6_tables
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	written by Jan Engelhardt, 2008 - 2009
  *	placed in the Public Domain
  */
 #include <linux/module.h>
@@ -50,11 +50,7 @@ static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
     const struct net_device *in, const struct net_device *out,
     int (*okfn)(struct sk_buff *))
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
-#else
-	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable, NULL);
-#endif
 }
 
 static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
@@ -69,20 +65,10 @@ static int __init rawpost6_table_init(void)
 {
 	int ret;
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
-	rwlock_init(&rawpost6_itable.lock);
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
 	rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
 	                  &rawpost6_initial.repl);
 	if (IS_ERR(rawpost6_ptable))
 		return PTR_ERR(rawpost6_ptable);
-#else
-	ret = ip6t_register_table(&rawpost6_itable, &rawpost6_initial.repl);
-	if (ret < 0)
-		return ret;
-	rawpost6_ptable = &rawpost6_itable;
-#endif
 
 	ret = nf_register_hook(&rawpost6_hook_ops);
 	if (ret < 0)
@@ -103,5 +89,5 @@ static void __exit rawpost6_table_exit(void)
 
 module_init(rawpost6_table_init);
 module_exit(rawpost6_table_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");

extensions/iptable_rawpost.c

@@ -1,6 +1,6 @@
 /*
  *	rawpost table for ip_tables
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	written by Jan Engelhardt, 2008 - 2009
  *	placed in the Public Domain
  */
 #include <linux/module.h>
@@ -51,11 +51,7 @@ static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
     const struct net_device *in, const struct net_device *out,
     int (*okfn)(struct sk_buff *))
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 	return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
-#else
-	return ipt_do_table(skb, hook, in, out, rawpost4_ptable, NULL);
-#endif
 }
 
 static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
@@ -70,20 +66,10 @@ static int __init rawpost4_table_init(void)
 {
 	int ret;
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
-	rwlock_init(&rawpost4_itable.lock);
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
 	rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
 	                  &rawpost4_initial.repl);
 	if (IS_ERR(rawpost4_ptable))
 		return PTR_ERR(rawpost4_ptable);
-#else
-	ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
-	if (ret < 0)
-		return ret;
-	rawpost4_ptable = &rawpost4_itable;
-#endif
 
 	ret = nf_register_hook(&rawpost4_hook_ops);
 	if (ret < 0)
@@ -105,5 +91,5 @@ static void __exit rawpost4_table_exit(void)
 module_init(rawpost4_table_init);
 module_exit(rawpost4_table_exit);
 MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");

extensions/libxt_CHAOS.c

@@ -1,6 +1,6 @@
 /*
  *	"CHAOS" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	Copyright © Jan Engelhardt, 2006 - 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_CHAOS.man

@@ -17,5 +17,5 @@ connections than they can.
 The randomness factor of not replying vs. replying can be set during load-time
 of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
-See http://jengelh.medozas.de/projects/chaostables/ for more information
+See http://inai.de/projects/chaostables/ for more information
 about CHAOS, DELUDE and lscan.

extensions/libxt_CHECKSUM.c

@@ -1,94 +0,0 @@
-/*
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
- * (C) 2010 by Red Hat, Inc
- * Author: Michael S. Tsirkin <mst@redhat.com>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <xtables.h>
-#include "xt_CHECKSUM.h"
-#include "compat_user.h"
-
-static void CHECKSUM_help(void)
-{
-	printf(
-"CHECKSUM target options\n"
-"  --checksum-fill        Fill in packet checksum.\n");
-}
-
-static const struct option CHECKSUM_opts[] = {
-	{ "checksum-fill", 0, NULL, 'F' },
-	{ .name = NULL }
-};
-
-static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
-                     const void *entry, struct xt_entry_target **target)
-{
-	struct xt_CHECKSUM_info *einfo
-		= (struct xt_CHECKSUM_info *)(*target)->data;
-
-	switch (c) {
-	case 'F':
-		xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
-			*flags & XT_CHECKSUM_OP_FILL);
-		einfo->operation = XT_CHECKSUM_OP_FILL;
-		*flags |= XT_CHECKSUM_OP_FILL;
-		break;
-	default:
-		return 0;
-	}
-
-	return 1;
-}
-
-static void CHECKSUM_check(unsigned int flags)
-{
-	if (!flags)
-		xtables_error(PARAMETER_PROBLEM,
-		           "CHECKSUM target: Parameter --checksum-fill is required");
-}
-
-static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
-                      int numeric)
-{
-	const struct xt_CHECKSUM_info *einfo =
-		(const struct xt_CHECKSUM_info *)target->data;
-
-	printf("CHECKSUM ");
-
-	if (einfo->operation & XT_CHECKSUM_OP_FILL)
-		printf(" fill ");
-}
-
-static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
-{
-	const struct xt_CHECKSUM_info *einfo =
-		(const struct xt_CHECKSUM_info *)target->data;
-
-	if (einfo->operation & XT_CHECKSUM_OP_FILL)
-		printf(" --checksum-fill ");
-}
-
-static struct xtables_target checksum_tg_reg = {
-	.name          = "CHECKSUM",
-	.version       = XTABLES_VERSION,
-	.family        = NFPROTO_UNSPEC,
-	.size          = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
-	.help          = CHECKSUM_help,
-	.parse         = CHECKSUM_parse,
-	.final_check   = CHECKSUM_check,
-	.print         = CHECKSUM_print,
-	.save          = CHECKSUM_save,
-	.extra_opts    = CHECKSUM_opts,
-};
-
-static __attribute__((constructor)) void _init(void)
-{
-	xtables_register_target(&checksum_tg_reg);
-}

extensions/libxt_CHECKSUM.man

@@ -1,8 +0,0 @@
-This target allows to selectively work around broken/old applications.
-It can only be used in the mangle table.
-.TP
-\fB\-\-checksum\-fill\fP
-Compute and fill in the checksum in a packet that lacks a checksum.
-This is particularly useful, if you need to work around old applications
-such as dhcp clients, that do not work well with checksum offloads,
-but don't want to disable checksum offload in your device.

extensions/libxt_DELUDE.c

@@ -1,6 +1,6 @@
 /*
  *	"DELUDE" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	Copyright © Jan Engelhardt, 2006 - 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_DHCPMAC.c

@@ -1,6 +1,6 @@
 /*
  *	"DHCPMAC" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_DNETMAP.c

@@ -69,19 +69,8 @@ static int netmask2bits(u_int32_t netmask)
 	return bits;
 }
 
-static void DNETMAP_init(struct xt_entry_target *t)
-{
-	struct xt_DNETMAP_tginfo *tginfo = (void *)&t->data;
-	struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
-
-	/* Actually, it's 0, but it's ignored at the moment. */
-	mr->rangesize = 1;
-	tginfo->ttl = 0;
-	tginfo->flags = 0;
-}
-
 /* Parses network address */
-static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
+static void parse_prefix(char *arg, struct nf_nat_range *range)
 {
 	char *slash;
 	const struct in_addr *ip;
@@ -97,7 +86,7 @@ static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
 	if (ip == NULL)
 		xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
 			      arg);
-	range->min_ip = ip->s_addr;
+	range->min_addr.in = *ip;
 	if (slash) {
 		if (strchr(slash + 1, '.')) {
 			ip = xtables_numeric_to_ipmask(slash + 1);
@@ -123,20 +112,20 @@ static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
 	} else
 		netmask = ~0;
 
-	if (range->min_ip & ~netmask) {
+	if (range->min_addr.ip & ~netmask) {
 		if (slash)
 			*slash = '/';
 		xtables_error(PARAMETER_PROBLEM, "Bad network address \"%s\"\n",
 			      arg);
 	}
-	range->max_ip = range->min_ip | ~netmask;
+	range->max_addr.ip = range->min_addr.ip | ~netmask;
 }
 
 static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
 			 const void *entry, struct xt_entry_target **target)
 {
 	struct xt_DNETMAP_tginfo *tginfo = (void *)(*target)->data;
-	struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
+	struct nf_nat_range *mr = &tginfo->prefix;
 	char *end;
 
 	switch (c) {
@@ -147,7 +136,7 @@ static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
 				  invert);
 
 		/* TO-DO use xtables_ipparse_any instead? */
-		parse_prefix(optarg, &mr->range[0]);
+		parse_prefix(optarg, mr);
 		*flags |= XT_DNETMAP_PREFIX;
 		tginfo->flags |= XT_DNETMAP_PREFIX;
 		return 1;
@@ -192,14 +181,13 @@ static void DNETMAP_print_addr(const void *ip,
 			       int numeric)
 {
 	struct xt_DNETMAP_tginfo *tginfo = (void *)&target->data;
-	const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
-	const struct nf_nat_ipv4_range *r = &mr->range[0];
+	const struct nf_nat_range *r = &tginfo->prefix;
 	struct in_addr a;
 	int bits;
 
-	a.s_addr = r->min_ip;
+	a = r->min_addr.in;
 	printf("%s", xtables_ipaddr_to_numeric(&a));
-	a.s_addr = ~(r->min_ip ^ r->max_ip);
+	a.s_addr = ~(r->min_addr.ip ^ r->max_addr.ip);
 	bits = netmask2bits(a.s_addr);
 	if (bits < 0)
 		printf("/%s", xtables_ipaddr_to_numeric(&a));
@@ -265,7 +253,6 @@ static struct xtables_target dnetmap_tg_reg = {
 	.size          = XT_ALIGN(sizeof(struct xt_DNETMAP_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_DNETMAP_tginfo)),
 	.help          = DNETMAP_help,
-	.init          = DNETMAP_init,
 	.parse         = DNETMAP_parse,
 	.print         = DNETMAP_print,
 	.save          = DNETMAP_save,

extensions/libxt_ECHO.c

@@ -1,6 +1,6 @@
 /*
  *	"ECHO" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_IPMARK.c

@@ -1,7 +1,7 @@
 /*
  *	"IPMARK" target extension for iptables
  *	Copyright © Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>, 2003
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_LOGMARK.c

@@ -1,6 +1,6 @@
 /*
  *	"LOGMARK" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_SYSRQ.man

@@ -62,7 +62,7 @@ password="password"
 seqno="$(date +%s)"
 salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
     openssl enc \-base64)"
-ipaddr=10.10.25.7
+ipaddr="2001:0db8:0000:0000:0000:ff00:0042:8329"
 req="$sysrq_key,$seqno,$salt"
 req="$req,$(echo \-n "$req,$ipaddr,$password" | sha1sum | cut \-c1\-40)"
 
@@ -75,8 +75,8 @@ sysrq key can be used at once, but bear in mind that, for example, a sync may
 not complete before a subsequent reboot or poweroff.
 .PP
 An IPv4 address should have no leading zeros, an IPv6 address should
-be in the form recommended by RFC 5952.  The debug option will log the
-correct form of the address.
+be in the full expanded form (as shown above). The debug option will cause
+output to be emitted in the same form.
 .PP
 The hashing scheme should be enough to prevent mis-use of SYSRQ in many
 environments, but it is not perfect: take reasonable precautions to

extensions/libxt_TEE.c

@@ -1,173 +0,0 @@
-/*
- *	"TEE" target extension for iptables
- *	Copyright © Sebastian Claßen <sebastian.classen [at] freenet.ag>, 2007
- *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2009
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <sys/socket.h>
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <arpa/inet.h>
-#include <net/if.h>
-#include <netinet/in.h>
-
-#include <xtables.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter/x_tables.h>
-#include "xt_TEE.h"
-#include "compat_user.h"
-
-enum {
-	FLAG_GATEWAY = 1 << 0,
-};
-
-static const struct option tee_tg_opts[] = {
-	{.name = "gateway", .has_arg = true, .val = 'g'},
-	{NULL},
-};
-
-static void tee_tg_help(void)
-{
-	printf(
-"TEE target options:\n"
-"  --gateway IPADDR    Route packet via the gateway given by address\n"
-"\n");
-}
-
-static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
-                        const void *entry, struct xt_entry_target **target)
-{
-	struct xt_tee_tginfo *info = (void *)(*target)->data;
-	const struct in_addr *ia;
-
-	switch (c) {
-	case 'g':
-		if (*flags & FLAG_GATEWAY)
-			xtables_error(PARAMETER_PROBLEM,
-			           "Cannot specify --gateway more than once");
-
-		ia = xtables_numeric_to_ipaddr(optarg);
-		if (ia == NULL)
-			xtables_error(PARAMETER_PROBLEM,
-			           "Invalid IP address %s", optarg);
-
-		memcpy(&info->gw, ia, sizeof(*ia));
-		*flags |= FLAG_GATEWAY;
-		return true;
-	}
-
-	return false;
-}
-
-static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
-                         const void *entry, struct xt_entry_target **target)
-{
-	struct xt_tee_tginfo *info = (void *)(*target)->data;
-	const struct in6_addr *ia;
-
-	switch (c) {
-	case 'g':
-		if (*flags & FLAG_GATEWAY)
-			xtables_error(PARAMETER_PROBLEM,
-			           "Cannot specify --gateway more than once");
-
-		ia = xtables_numeric_to_ip6addr(optarg);
-		if (ia == NULL)
-			xtables_error(PARAMETER_PROBLEM,
-			           "Invalid IP address %s", optarg);
-
-		memcpy(&info->gw, ia, sizeof(*ia));
-		*flags |= FLAG_GATEWAY;
-		return true;
-	}
-
-	return false;
-}
-
-static void tee_tg_check(unsigned int flags)
-{
-	if (flags == 0)
-		xtables_error(PARAMETER_PROBLEM, "TEE target: "
-		           "--gateway parameter required");
-}
-
-static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
-                         int numeric)
-{
-	const struct xt_tee_tginfo *info = (const void *)target->data;
-
-	if (numeric)
-		printf(" TEE gw:%s ", xtables_ipaddr_to_numeric(&info->gw.in));
-	else
-		printf(" TEE gw:%s ", xtables_ipaddr_to_anyname(&info->gw.in));
-}
-
-static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
-                          int numeric)
-{
-	const struct xt_tee_tginfo *info = (const void *)target->data;
-
-	if (numeric)
-		printf(" TEE gw:%s ", xtables_ip6addr_to_numeric(&info->gw.in6));
-	else
-		printf(" TEE gw:%s ", xtables_ip6addr_to_anyname(&info->gw.in6));
-}
-
-static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
-{
-	const struct xt_tee_tginfo *info = (const void *)target->data;
-
-	printf(" --gateway %s ", xtables_ipaddr_to_numeric(&info->gw.in));
-}
-
-static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
-{
-	const struct xt_tee_tginfo *info = (const void *)target->data;
-
-	printf(" --gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
-}
-
-static struct xtables_target tee_tg_reg[] = {
-	{
-		.name          = "TEE",
-		.version       = XTABLES_VERSION,
-		.revision      = 0,
-		.family        = NFPROTO_IPV4,
-		.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
-		.help          = tee_tg_help,
-		.parse         = tee_tg_parse,
-		.final_check   = tee_tg_check,
-		.print         = tee_tg_print,
-		.save          = tee_tg_save,
-		.extra_opts    = tee_tg_opts,
-	},
-	{
-		.name          = "TEE",
-		.version       = XTABLES_VERSION,
-		.revision      = 0,
-		.family        = NFPROTO_IPV6,
-		.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
-		.help          = tee_tg_help,
-		.parse         = tee_tg6_parse,
-		.final_check   = tee_tg_check,
-		.print         = tee_tg6_print,
-		.save          = tee_tg6_save,
-		.extra_opts    = tee_tg_opts,
-	},
-};
-
-static __attribute__((constructor)) void tee_tg_ldr(void)
-{
-	xtables_register_targets(tee_tg_reg,
-		sizeof(tee_tg_reg) / sizeof(*tee_tg_reg));
-}

extensions/libxt_TEE.man

@@ -1,12 +0,0 @@
-The \fBTEE\fP target will clone a packet and redirect this clone to another
-machine on the \fBlocal\fP network segment. In other words, the nexthop
-must be the target, or you will have to configure the nexthop to forward it
-further if so desired.
-.TP
-\fB\-\-gateway\fP \fIipaddr\fP
-Send the cloned packet to the host reachable at the given IP address.
-Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
-.PP
-To forward all incoming traffic on eth0 to an Network Layer logging box:
-.PP
-\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1

extensions/libxt_condition.c

@@ -2,7 +2,7 @@
  *	"condition" match extension for iptables
  *	Stephane Ouellette <ouellettes [at] videotron ca>, 2002-10-22
  *	Massimiliano Hofer <max [at] nucleus it>, 2006-05-15
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or modify it
  *	under the terms of the GNU General Public License; either version 2

extensions/libxt_dhcpmac.c

@@ -1,6 +1,6 @@
 /*
  *	"dhcpmac" match extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_geoip.c

@@ -2,7 +2,7 @@
  *	"geoip" match extension for iptables
  *	Copyright © Samuel Jean <peejix [at] people netfilter org>, 2004 - 2008
  *	Copyright © Nicolas Bouliane <acidfu [at] people netfilter org>, 2004 - 2008
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
+ *	Jan Engelhardt, 2008-2011
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_ipaddr.c

@@ -0,0 +1,254 @@
+/*
+ *	"ipaddr" demo match extension for iptables
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	released in the Public Domain
+ */
+#include <arpa/inet.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include "xt_ipaddr.h"
+
+static const struct option ipaddr_mt_opts[] = {
+	{.name = "ipsrc", .has_arg = true, .val = '1'},
+	{.name = "ipdst", .has_arg = true, .val = '2'},
+	{NULL},
+};
+
+static void ipaddr_mt_help(void)
+{
+	printf(
+"ipaddr match options:\n"
+"[!] --ipsrc addr    Match source address of packet\n"
+"[!] --ipdst addr    Match destination address of packet\n"
+);
+}
+
+static void ipaddr_mt_init(struct xt_entry_match *match)
+{
+	struct xt_ipaddr_mtinfo *info = (void *)match->data;
+
+	inet_pton(PF_INET, "192.0.2.137", &info->dst.in);
+}
+
+static int ipaddr_mt4_parse(int c, char **argv, int invert,
+    unsigned int *flags, const void *entry, struct xt_entry_match **match)
+{
+	struct xt_ipaddr_mtinfo *info = (void *)(*match)->data;
+	struct in_addr *addrs, mask;
+	unsigned int naddrs;
+
+	switch (c) {
+	case '1': /* --ipsrc */
+		if (*flags & XT_IPADDR_SRC)
+			xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
+				"Only use \"--ipsrc\" once!");
+		*flags |= XT_IPADDR_SRC;
+		info->flags |= XT_IPADDR_SRC;
+		if (invert)
+			info->flags |= XT_IPADDR_SRC_INV;
+		xtables_ipparse_any(optarg, &addrs, &mask, &naddrs);
+		if (naddrs != 1)
+			xtables_error(PARAMETER_PROBLEM,
+				"%s does not resolve to exactly "
+				"one address", optarg);
+		memcpy(&info->src.in, addrs, sizeof(*addrs));
+		return true;
+
+
+	case '2': /* --ipdst */
+		if (*flags & XT_IPADDR_DST)
+			xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
+				"Only use \"--ipdst\" once!");
+		*flags |= XT_IPADDR_DST;
+		info->flags |= XT_IPADDR_DST;
+		if (invert)
+			info->flags |= XT_IPADDR_DST_INV;
+		addrs = xtables_numeric_to_ipaddr(optarg);
+		if (addrs == NULL)
+			xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
+				"Parse error at %s\n", optarg);
+		memcpy(&info->dst.in, addrs, sizeof(*addrs));
+		return true;
+	}
+
+	return false;
+}
+
+static int ipaddr_mt6_parse(int c, char **argv, int invert,
+    unsigned int *flags, const void *entry, struct xt_entry_match **match)
+{
+	struct xt_ipaddr_mtinfo *info = (void *)(*match)->data;
+	struct in6_addr *addrs;
+
+	switch (c) {
+	case '1': /* --ipsrc */
+		if (*flags & XT_IPADDR_SRC)
+			xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
+				"Only use \"--ipsrc\" once!");
+		*flags |= XT_IPADDR_SRC;
+		info->flags |= XT_IPADDR_SRC;
+		if (invert)
+			info->flags |= XT_IPADDR_SRC_INV;
+		addrs = xtables_numeric_to_ip6addr(optarg);
+		if (addrs == NULL)
+			xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
+				"Parse error at %s", optarg);
+		memcpy(&info->src.in6, addrs, sizeof(*addrs));
+		return true;
+
+	case '2': /* --ipdst */
+		if (*flags & XT_IPADDR_DST)
+			xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
+				"Only use \"--ipdst\" once!");
+		*flags |= XT_IPADDR_DST;
+		info->flags |= XT_IPADDR_DST;
+		if (invert)
+			info->flags |= XT_IPADDR_DST_INV;
+		addrs = xtables_numeric_to_ip6addr(optarg);
+		if (addrs == NULL)
+			xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
+				"Parse error at %s", optarg);
+		memcpy(&info->dst.in6, addrs, sizeof(*addrs));
+		return true;
+	}
+
+	return false;
+}
+
+static void ipaddr_mt_check(unsigned int flags)
+{
+	if (flags == 0)
+		xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: You need to "
+			"specify at least \"--ipsrc\" or \"--ipdst\".");
+}
+
+static void ipaddr_mt4_print(const void *entry,
+    const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_ipaddr_mtinfo *info = (const void *)match->data;
+
+	if (info->flags & XT_IPADDR_SRC) {
+		printf("src IP ");
+		if (info->flags & XT_IPADDR_SRC_INV)
+			printf("! ");
+		printf("%s ", numeric ?
+		       xtables_ipaddr_to_numeric(&info->src.in) :
+		       xtables_ipaddr_to_anyname(&info->src.in));
+	}
+
+	if (info->flags & XT_IPADDR_DST) {
+		printf("dst IP ");
+		if (info->flags & XT_IPADDR_DST_INV)
+			printf("! ");
+		printf("%s ", numeric ?
+		       xtables_ipaddr_to_numeric(&info->dst.in) :
+		       xtables_ipaddr_to_anyname(&info->dst.in));
+	}
+}
+
+static void ipaddr_mt6_print(const void *entry,
+    const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_ipaddr_mtinfo *info = (const void *)match->data;
+
+	if (info->flags & XT_IPADDR_SRC) {
+		printf("src IP ");
+		if (info->flags & XT_IPADDR_SRC_INV)
+			printf("! ");
+		printf("%s ", numeric ?
+		       xtables_ip6addr_to_numeric(&info->src.in6) :
+		       xtables_ip6addr_to_anyname(&info->src.in6));
+	}
+
+	if (info->flags & XT_IPADDR_DST) {
+		printf("dst IP ");
+		if (info->flags & XT_IPADDR_DST_INV)
+			printf("! ");
+		printf("%s ", numeric ?
+		       xtables_ip6addr_to_numeric(&info->dst.in6) :
+		       xtables_ip6addr_to_anyname(&info->dst.in6));
+	}
+}
+
+static void ipaddr_mt4_save(const void *entry,
+    const struct xt_entry_match *match)
+{
+	const struct xt_ipaddr_mtinfo *info = (const void *)match->data;
+
+	if (info->flags & XT_IPADDR_SRC) {
+		if (info->flags & XT_IPADDR_SRC_INV)
+			printf("! ");
+		printf("--ipsrc %s ",
+		       xtables_ipaddr_to_numeric(&info->src.in));
+	}
+
+	if (info->flags & XT_IPADDR_DST) {
+		if (info->flags & XT_IPADDR_DST_INV)
+			printf("! ");
+		printf("--ipdst %s ",
+		        xtables_ipaddr_to_numeric(&info->dst.in));
+	}
+}
+
+static void ipaddr_mt6_save(const void *entry,
+    const struct xt_entry_match *match)
+{
+	const struct xt_ipaddr_mtinfo *info = (const void *)match->data;
+
+	if (info->flags & XT_IPADDR_SRC) {
+		if (info->flags & XT_IPADDR_SRC_INV)
+			printf("! ");
+		printf("--ipsrc %s ",
+		       xtables_ip6addr_to_numeric(&info->src.in6));
+	}
+
+	if (info->flags & XT_IPADDR_DST) {
+		if (info->flags & XT_IPADDR_DST_INV)
+			printf("! ");
+		printf("--ipdst %s ",
+		       xtables_ip6addr_to_numeric(&info->dst.in6));
+	}
+}
+
+static struct xtables_match ipaddr_mt_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "ipaddr",
+	.revision      = 0,
+	.family        = PF_INET,
+	.size          = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
+	.help          = ipaddr_mt_help,
+	.init          = ipaddr_mt_init,
+	.parse         = ipaddr_mt4_parse,
+	.final_check   = ipaddr_mt_check,
+	.print         = ipaddr_mt4_print,
+	.save          = ipaddr_mt4_save,
+	.extra_opts    = ipaddr_mt_opts,
+};
+
+static struct xtables_match ipaddr_mt6_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "ipaddr",
+	.revision      = 0,
+	.family        = PF_INET6,
+	.size          = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
+	.help          = ipaddr_mt_help,
+	.init          = ipaddr_mt_init,
+	.parse         = ipaddr_mt6_parse,
+	.final_check   = ipaddr_mt_check,
+	.print         = ipaddr_mt6_print,
+	.save          = ipaddr_mt6_save,
+	.extra_opts    = ipaddr_mt_opts,
+};
+
+static void _init(void)
+{
+	xtables_register_match(&ipaddr_mt_reg);
+	xtables_register_match(&ipaddr_mt6_reg);
+}

extensions/libxt_ipaddr.man

@@ -0,0 +1,9 @@
+.TP
+[\fB!\fP] \fB--ipsrc\fP \fIaddr\fP
+Match packets that have \fIaddr\fP as source address.
+.TP
+[\fB!\fP] \fB--ipdst\fP \fIaddr\fP
+Match packets that have \fIaddr\fP as destination address.
+.PP
+The ipaddr module serves only as a demonstration. It is equivalent to the
+iptables \fB-s\fP and \fB-d\fP options, but ipaddr does not support masks.

extensions/libxt_ipp2p.c

@@ -1,7 +1,7 @@
 /*
  *	"ipp2p" match extension for iptables
  *	Eicke Friedrich/Klaus Degner <ipp2p@ipp2p.org>, 2005 - 2006
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	Jan Engelhardt, 2008 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_lscan.c

@@ -1,6 +1,6 @@
 /*
  *	LSCAN match extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
+ *	Copyright © Jan Engelhardt, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_psd.c

@@ -142,7 +142,7 @@ static struct xtables_match psd_mt_reg = {
 	.name           = "psd",
 	.version        = XTABLES_VERSION,
 	.revision       = 1,
-	.family         = NFPROTO_IPV4,
+	.family         = NFPROTO_UNSPEC,
 	.size           = XT_ALIGN(sizeof(struct xt_psd_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.help           = psd_mt_help,

extensions/libxt_quota2.c

@@ -1,7 +1,7 @@
 /*
  *	"quota2" match extension for iptables
  *	Sam Johnston <samj [at] samj net>
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/pknock/xt_pknock.c

@@ -32,10 +32,6 @@
 #include "xt_pknock.h"
 #include "compat_xtables.h"
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-#	define PK_CRYPTO 1
-#endif
-
 enum status {
 	ST_INIT = 1,
 	ST_MATCHING,
@@ -113,7 +109,6 @@ static struct proc_dir_entry *pde;
 
 static DEFINE_SPINLOCK(list_lock);
 
-#ifdef PK_CRYPTO
 static struct {
 	const char *algo;
 	struct crypto_hash	*tfm;
@@ -124,7 +119,6 @@ static struct {
 	.tfm	= NULL,
 	.size	= 0
 };
-#endif
 
 module_param(rule_hashsize, int, S_IRUGO);
 MODULE_PARM_DESC(rule_hashsize, "Buckets in rule hash table (default: 8)");
@@ -719,7 +713,6 @@ msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
 	return true;
 }
 
-#ifdef PK_CRYPTO
 /**
  * Transforms a sequence of characters to hexadecimal.
  *
@@ -783,9 +776,7 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 
 	epoch_min = get_seconds() / 60;
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
 	sg_init_table(sg, ARRAY_SIZE(sg));
-#endif
 	sg_set_buf(&sg[0], &ipsrc, sizeof(ipsrc));
 	sg_set_buf(&sg[1], &epoch_min, sizeof(epoch_min));
 
@@ -818,7 +809,6 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 	kfree(hexresult);
 	return fret;
 }
-#endif /* PK_CRYPTO */
 
 /**
  * If the peer pass the security policy.
@@ -841,13 +831,11 @@ pass_security(struct peer *peer, const struct xt_pknock_mtinfo *info,
 		pk_debug("DENIED (anti-spoof protection)", peer);
 		return false;
 	}
-#ifdef PK_CRYPTO
 	/* Check for OPEN secret */
 	if (has_secret(info->open_secret,
 					info->open_secret_len, peer->ip,
 					payload, payload_len))
 		return true;
-#endif
 
 	return false;
 }
@@ -939,7 +927,6 @@ static bool
 is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
 		const unsigned char *payload, unsigned int payload_len)
 {
-#ifdef PK_CRYPTO
 	/* Check for CLOSE secret. */
 	if (has_secret(info->close_secret,
 				info->close_secret_len, peer->ip,
@@ -948,7 +935,6 @@ is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
 		pk_debug("BLOCKED", peer);
 		return true;
 	}
-#endif
 	return false;
 }
 
@@ -983,14 +969,8 @@ static bool pknock_mt(const struct sk_buff *skb,
 
 	case IPPROTO_UDP:
 	case IPPROTO_UDPLITE:
-#ifdef PK_CRYPTO
 		hdr_len = (iph->ihl * 4) + sizeof(struct udphdr);
 		break;
-#else
-		pr_debug("UDP protocol not supported\n");
-		return false;
-#endif
-
 	default:
 		pr_debug("IP payload protocol is neither tcp nor udp.\n");
 		return false;
@@ -1079,12 +1059,9 @@ static int pknock_mt_check(const struct xt_mtchk_param *par)
 
 	if (!(info->option & XT_PKNOCK_NAME))
 		RETURN_ERR("You must specify --name option.\n");
-
-#ifndef PK_CRYPTO
 	if (info->option & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_CLOSESECRET))
 		RETURN_ERR("No crypto support available; "
 			"cannot use opensecret/closescret\n");
-#endif
 	if (info->option & XT_PKNOCK_OPENSECRET && info->ports_count != 1)
 		RETURN_ERR("--opensecret must have just one knock port\n");
 	if (info->option & XT_PKNOCK_KNOCKPORT) {
@@ -1154,7 +1131,6 @@ static int __init xt_pknock_mt_init(void)
 
 	if (gc_expir_time < DEFAULT_GC_EXPIRATION_TIME)
 		gc_expir_time = DEFAULT_GC_EXPIRATION_TIME;
-#ifdef PK_CRYPTO
 	if (request_module(crypto.algo) < 0) {
 		printk(KERN_ERR PKNOCK "request_module('%s') error.\n",
                         crypto.algo);
@@ -1171,11 +1147,8 @@ static int __init xt_pknock_mt_init(void)
 	crypto.size = crypto_hash_digestsize(crypto.tfm);
 	crypto.desc.tfm = crypto.tfm;
 	crypto.desc.flags = 0;
-#else
-	pr_info("No crypto support for < 2.6.19\n");
-#endif
 
-	pde = proc_mkdir("xt_pknock", init_net__proc_net);
+	pde = proc_mkdir("xt_pknock", init_net.proc_net);
 	if (pde == NULL) {
 		printk(KERN_ERR PKNOCK "proc_mkdir() error in _init().\n");
 		return -ENXIO;
@@ -1185,14 +1158,11 @@ static int __init xt_pknock_mt_init(void)
 
 static void __exit xt_pknock_mt_exit(void)
 {
-	remove_proc_entry("xt_pknock", init_net__proc_net);
+	remove_proc_entry("xt_pknock", init_net.proc_net);
 	xt_unregister_match(&xt_pknock_mt_reg);
 	kfree(rule_hashtable);
-
-#ifdef PK_CRYPTO
 	if (crypto.tfm != NULL)
 		crypto_free_hash(crypto.tfm);
-#endif
 }
 
 module_init(xt_pknock_mt_init);

extensions/xt_CHAOS.c

@@ -1,6 +1,6 @@
 /*
  *	"CHAOS" target extension for Xtables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	Copyright © Jan Engelhardt, 2006 - 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -54,29 +54,8 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 	const int fragoff       = ntohs(iph->frag_off) & IP_OFFSET;
 	typeof(xt_tarpit) destiny;
 	bool ret;
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
-	int hotdrop = false;
-#else
 	bool hotdrop = false;
-#endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-	ret = xm_tcp->match(skb, par->in, par->out, xm_tcp, &tcp_params,
-	                    fragoff, thoff, &hotdrop);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-	{
-		struct xt_match_param local_par = {
-			.in        = par->in,
-			.out       = par->out,
-			.match     = xm_tcp,
-			.matchinfo = &tcp_params,
-			.fragoff   = fragoff,
-			.thoff     = thoff,
-			.hotdrop   = &hotdrop,
-		};
-		ret = xm_tcp->match(skb, &local_par);
-	}
-#else
 	{
 		struct xt_action_param local_par;
 		local_par.in        = par->in,
@@ -89,30 +68,10 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 		ret = xm_tcp->match(skb, &local_par);
 		hotdrop = local_par.hotdrop;
 	}
-#endif
 	if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
 		return;
 
 	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-	destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL, NULL);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-	destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-	destiny->target(skb, par->in, par->out, par->hooknum, destiny, NULL);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-	{
-		struct xt_target_param local_par = {
-			.in       = par->in,
-			.out      = par->out,
-			.hooknum  = par->hooknum,
-			.target   = destiny,
-			.targinfo = par->targinfo,
-			.family   = par->family,
-		};
-		destiny->target(skb, &local_par);
-	}
-#else
 	{
 		struct xt_action_param local_par;
 		local_par.in       = par->in;
@@ -123,7 +82,6 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 		local_par.family   = par->family;
 		destiny->target(skb, &local_par);
 	}
-#endif
 }
 
 static unsigned int
@@ -142,25 +100,6 @@ chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 	const struct iphdr *iph = ip_hdr(skb);
 
 	if ((unsigned int)net_random() <= reject_percentage) {
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-		return xt_reject->target(pskb, par->in, par->out, par->hooknum,
-		       xt_reject, &reject_params, NULL);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-		return xt_reject->target(pskb, par->in, par->out, par->hooknum,
-		       xt_reject, &reject_params);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
-		return xt_reject->target(skb, par->in, par->out, par->hooknum,
-		       xt_reject, &reject_params);
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
-		struct xt_target_param local_par = {
-			.in       = par->in,
-			.out      = par->out,
-			.hooknum  = par->hooknum,
-			.target   = xt_reject,
-			.targinfo = &reject_params,
-		};
-		return xt_reject->target(skb, &local_par);
-#else
 		struct xt_action_param local_par;
 		local_par.in       = par->in;
 		local_par.out      = par->out;
@@ -168,7 +107,6 @@ chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 		local_par.target   = xt_reject;
 		local_par.targinfo = &reject_params;
 		return xt_reject->target(skb, &local_par);
-#endif
 	}
 
 	/* TARPIT/DELUDE may not be called from the OUTPUT chain */
@@ -274,6 +212,6 @@ static void __exit chaos_tg_exit(void)
 module_init(chaos_tg_init);
 module_exit(chaos_tg_exit);
 MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_CHAOS");

extensions/xt_CHECKSUM.c

@@ -1,80 +0,0 @@
-/*
- * (C) 2002 by Harald Welte <laforge@netfilter.org>
- * (C) 2010 Red Hat, Inc.
- *
- * Author: Michael S. Tsirkin <mst@redhat.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
-*/
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/version.h>
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
-#	error ----------------------------------------------------------
-#	error This module has been merged into, and is available in the
-#	error mainline since Linux kernel v2.6.36. Please use that.
-#	error ----------------------------------------------------------
-#endif
-
-#include <linux/netfilter/x_tables.h>
-#include "xt_CHECKSUM.h"
-#include "compat_xtables.h"
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
-MODULE_DESCRIPTION("Xtables: checksum modification");
-MODULE_ALIAS("ipt_CHECKSUM");
-MODULE_ALIAS("ip6t_CHECKSUM");
-
-static unsigned int
-checksum_tg(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	struct sk_buff *skb = *pskb;
-
-	if (skb->ip_summed == CHECKSUM_PARTIAL)
-		skb_checksum_help(skb);
-
-	return XT_CONTINUE;
-}
-
-static int checksum_tg_check(const struct xt_tgchk_param *par)
-{
-	const struct xt_CHECKSUM_info *einfo = par->targinfo;
-
-	if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
-		pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
-		return -EINVAL;
-	}
-	if (!einfo->operation) {
-		pr_info("no CHECKSUM operation enabled\n");
-		return -EINVAL;
-	}
-	return 0;
-}
-
-static struct xt_target checksum_tg_reg __read_mostly = {
-	.name       = "CHECKSUM",
-	.family     = NFPROTO_UNSPEC,
-	.target     = checksum_tg,
-	.targetsize = sizeof(struct xt_CHECKSUM_info),
-	.table      = "mangle",
-	.checkentry = checksum_tg_check,
-	.me         = THIS_MODULE,
-};
-
-static int __init checksum_tg_init(void)
-{
-	return xt_register_target(&checksum_tg_reg);
-}
-
-static void __exit checksum_tg_exit(void)
-{
-	xt_unregister_target(&checksum_tg_reg);
-}
-
-module_init(checksum_tg_init);
-module_exit(checksum_tg_exit);

extensions/xt_CHECKSUM.h

@@ -1,18 +0,0 @@
-/* Header file for iptables ipt_CHECKSUM target
- *
- * (C) 2002 by Harald Welte <laforge@gnumonks.org>
- * (C) 2010 Red Hat Inc
- * Author: Michael S. Tsirkin <mst@redhat.com>
- *
- * This software is distributed under GNU GPL v2, 1991
-*/
-#ifndef _IPT_CHECKSUM_TARGET_H
-#define _IPT_CHECKSUM_TARGET_H
-
-#define XT_CHECKSUM_OP_FILL	0x01	/* fill in checksum in IP header */
-
-struct xt_CHECKSUM_info {
-	__u8 operation;	/* bitset of operations */
-};
-
-#endif /* _IPT_CHECKSUM_TARGET_H */

extensions/xt_DELUDE.c

@@ -1,6 +1,6 @@
 /*
  *	"DELUDE" target extension for Xtables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
+ *	Copyright © Jan Engelhardt, 2007 - 2008
  *
  *	Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
  *	(C) 1999-2001 Paul `Rusty' Russell
@@ -100,15 +100,9 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
 		}
 	}
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
-	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
-	              niph->daddr, csum_partial((char *)tcph,
-	              sizeof(struct tcphdr), 0));
-#else
 	tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
 	              niph->daddr, csum_partial((char *)tcph,
 	              sizeof(struct tcphdr), 0));
-#endif
 
 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -177,6 +171,6 @@ static void __exit delude_tg_exit(void)
 module_init(delude_tg_init);
 module_exit(delude_tg_exit);
 MODULE_DESCRIPTION("Xtables: Close TCP connections after handshake");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_DELUDE");

extensions/xt_DHCPMAC.c

@@ -1,6 +1,6 @@
 /*
  *	"DHCPMAC" extensions for Xtables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -167,7 +167,7 @@ static void __exit dhcpmac_exit(void)
 module_init(dhcpmac_init);
 module_exit(dhcpmac_exit);
 MODULE_DESCRIPTION("Xtables: Clamp DHCP MAC to packet MAC addresses");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_DHCPMAC");
 MODULE_ALIAS("ipt_dhcpmac");

extensions/xt_DNETMAP.c

@@ -27,16 +27,9 @@
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/version.h>
-#include <net/netfilter/nf_nat_rule.h>
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
 #include <net/net_namespace.h>
 #include <net/netns/generic.h>
-#endif
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
-#	include <net/netfilter/nf_nat.h>
-#else
-#	include <linux/netfilter/nf_nat.h>
-#endif
+#include <net/netfilter/nf_nat.h>
 #include "compat_xtables.h"
 #include "xt_DNETMAP.h"
 
@@ -84,7 +77,7 @@ struct dnetmap_entry {
 };
 
 struct dnetmap_prefix {
-	struct nf_nat_ipv4_multi_range_compat prefix;
+	struct nf_nat_range prefix;
 	char prefix_str[16];
 #ifdef CONFIG_PROC_FS
 	char proc_str_data[20];
@@ -109,16 +102,11 @@ struct dnetmap_net {
 	struct list_head *dnetmap_iphash;
 };
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
 static int dnetmap_net_id;
 static inline struct dnetmap_net *dnetmap_pernet(struct net *net)
 {
 	return net_generic(net, dnetmap_net_id);
 }
-#else
-struct dnetmap_net *dnetmap;
-#define dnetmap_pernet(x) dnetmap
-#endif
 
 static DEFINE_SPINLOCK(dnetmap_lock);
 static DEFINE_MUTEX(dnetmap_mutex);
@@ -179,7 +167,7 @@ dnetmap_addr_in_prefix(struct dnetmap_net *dnetmap_net, const __be32 addr,
 
 static struct dnetmap_prefix *
 dnetmap_prefix_lookup(struct dnetmap_net *dnetmap_net,
-		      const struct nf_nat_ipv4_multi_range_compat *mr)
+		      const struct nf_nat_range *mr)
 {
 	struct dnetmap_prefix *p;
 
@@ -258,7 +246,7 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 {
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(par->net);
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
-	const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
+	const struct nf_nat_range *mr = &tginfo->prefix;
 	struct dnetmap_prefix *p;
 	struct dnetmap_entry *e;
 #ifdef CONFIG_PROC_FS
@@ -274,14 +262,10 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 		return ret;
 	}
 
-	if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
+	if (!(mr->flags & NF_NAT_RANGE_MAP_IPS)) {
 		pr_debug("DNETMAP:check: bad MAP_IPS.\n");
 		return -EINVAL;
 	}
-	if (mr->rangesize != 1) {
-		pr_debug("DNETMAP:check: bad rangesize %u.\n", mr->rangesize);
-		return -EINVAL;
-	}
 
 	mutex_lock(&dnetmap_mutex);
 	p = dnetmap_prefix_lookup(dnetmap_net, mr);
@@ -307,15 +291,15 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 	INIT_LIST_HEAD(&p->lru_list);
 	INIT_LIST_HEAD(&p->elist);
 
-	ip_min = ntohl(mr->range[0].min_ip) + (whole_prefix == 0);
-	ip_max = ntohl(mr->range[0].max_ip) - (whole_prefix == 0);
+	ip_min = ntohl(mr->min_addr.ip) + (whole_prefix == 0);
+	ip_max = ntohl(mr->max_addr.ip) - (whole_prefix == 0);
 
-	sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->range[0].min_ip),
+	sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->min_addr.ip),
 		33 - ffs(~(ip_min ^ ip_max)));
 #ifdef CONFIG_PROC_FS
-	sprintf(p->proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->range[0].min_ip),
+	sprintf(p->proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->min_addr.ip),
 		33 - ffs(~(ip_min ^ ip_max)));
-	sprintf(p->proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->range[0].min_ip),
+	sprintf(p->proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->min_addr.ip),
 		33 - ffs(~(ip_min ^ ip_max)));
 #endif
 	printk(KERN_INFO KBUILD_MODNAME ": new prefix %s\n", p->prefix_str);
@@ -381,8 +365,8 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 	enum ip_conntrack_info ctinfo;
 	__be32 prenat_ip, postnat_ip, prenat_ip_prev;
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
-	const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
-	struct nf_nat_ipv4_range newrange;
+	const struct nf_nat_range *mr = &tginfo->prefix;
+	struct nf_nat_range newrange;
 	struct dnetmap_entry *e;
 	struct dnetmap_prefix *p;
 	__s32 jttl;
@@ -419,15 +403,14 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 
 		spin_unlock_bh(&dnetmap_lock);
 
-		newrange = ((struct nf_nat_ipv4_range) {
-			    mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
-			    e->prenat_addr, e->prenat_addr,
-			    mr->range[0].min, mr->range[0].max});
-
-		/* Hand modified range to generic setup. */
+		memset(&newrange, 0, sizeof(newrange));
+		newrange.flags = mr->flags | NF_NAT_RANGE_MAP_IPS;
+		newrange.min_addr.ip = e->prenat_addr;
+		newrange.max_addr.ip = e->prenat_addr;
+		newrange.min_proto = mr->min_proto;
+		newrange.max_proto = mr->max_proto;
 		return nf_nat_setup_info(ct, &newrange,
 					 HOOK2MANIP(par->hooknum));
-
 	}
 
 	prenat_ip = ip_hdr(skb)->saddr;
@@ -509,12 +492,12 @@ bind_new_prefix:
 
 	spin_unlock_bh(&dnetmap_lock);
 
-	newrange = ((struct nf_nat_ipv4_range) {
-		    mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
-		    postnat_ip, postnat_ip,
-		    mr->range[0].min, mr->range[0].max});
-
-	/* Hand modified range to generic setup. */
+	memset(&newrange, 0, sizeof(newrange));
+	newrange.flags = mr->flags | NF_NAT_RANGE_MAP_IPS;
+	newrange.min_addr.ip = postnat_ip;
+	newrange.max_addr.ip = postnat_ip;
+	newrange.min_proto = mr->min_proto;
+	newrange.max_proto = mr->max_proto;
 	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
 
 no_rev_map:
@@ -528,7 +511,7 @@ static void dnetmap_tg_destroy(const struct xt_tgdtor_param *par)
 {
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(par->net);
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
-	const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
+	const struct nf_nat_range *mr = &tginfo->prefix;
 	struct dnetmap_prefix *p;
 
 	if (!(tginfo->flags & XT_DNETMAP_PREFIX))
@@ -871,13 +854,6 @@ static int __net_init dnetmap_net_init(struct net *net)
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
 	int i;
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
-	dnetmap = kmalloc(sizeof(struct dnetmap_net),GFP_ATOMIC);
-	if (dnetmap == NULL)
-		return -ENOMEM;
-	dnetmap_net = dnetmap;
-#endif
-
 	dnetmap_net->dnetmap_iphash = kmalloc(sizeof(struct list_head) *
 					      hash_size * 2, GFP_ATOMIC);
 	if (dnetmap_net->dnetmap_iphash == NULL)
@@ -906,20 +882,15 @@ static void __net_exit dnetmap_net_exit(struct net *net)
 	mutex_unlock(&dnetmap_mutex);
 
 	kfree(dnetmap_net->dnetmap_iphash);
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
 	kfree(dnetmap_net);
-#endif
-
 	dnetmap_proc_net_exit(net);
 }
 
 static struct pernet_operations dnetmap_net_ops = {
 	.init = dnetmap_net_init,
 	.exit = dnetmap_net_exit,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
 	.id   = &dnetmap_net_id,
 	.size = sizeof(struct dnetmap_net),
-#endif
 };
 
 static struct xt_target dnetmap_tg_reg __read_mostly = {

extensions/xt_DNETMAP.h

@@ -13,7 +13,7 @@ enum {
 };
 
 struct xt_DNETMAP_tginfo {
-	struct nf_nat_ipv4_multi_range_compat prefix;
+	struct nf_nat_range prefix;
 	__u8 flags;
 	__s32 ttl;
 };

extensions/xt_ECHO.c

@@ -1,7 +1,7 @@
 /*
  *	"ECHO" (RFC 862) target extension for Xtables
  *	Sample module for "Writing your own Netfilter Modules"
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
+ *	Copyright © Jan Engelhardt, 2008-2011
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -105,11 +105,7 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
 	}
 
 	skb_dst_set(newskb, dst);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
 	newip->hop_limit = ip6_dst_hoplimit(skb_dst(newskb));
-#else
-	newip->hop_limit = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
-#endif
 	newskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" (?) */
@@ -199,11 +195,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	if (ip_route_me_harder(&newskb, RTN_UNSPEC) != 0)
 		goto free_nskb;
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
 	newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
-#else
-	newip->ttl = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
-#endif
 	newskb->ip_summed = CHECKSUM_NONE;
 
 	/* "Never happens" (?) */
@@ -252,7 +244,7 @@ static void __exit echo_tg_exit(void)
 
 module_init(echo_tg_init);
 module_exit(echo_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Xtables: ECHO diagnosis target");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ip6t_ECHO");

extensions/xt_IPMARK.c

@@ -1,7 +1,7 @@
 /*
  *	"IPMARK" target extension for Xtables
  *	Copyright © Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>, 2003
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/xt_LOGMARK.c

@@ -2,7 +2,7 @@
  *	"LOGMARK" target extension to Xtables
  *	useful for debugging
  *
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2010
+ *	Copyright © Jan Engelhardt, 2008-2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -80,13 +80,8 @@ logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 	printk(" ctdir=%s", dir_names[ctinfo >= IP_CT_IS_REPLY]);
 	if (ct == NULL)
 		printk(" ct=NULL ctmark=NULL ctstate=INVALID ctstatus=NONE");
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
 	else if (nf_ct_is_untracked(ct))
 		printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
-#else
-	else if (ct == &nf_conntrack_untracked)
-		printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
-#endif
 	else
 		logmark_ct(ct, ctinfo);
 
@@ -141,7 +136,7 @@ static void __exit logmark_tg_exit(void)
 module_init(logmark_tg_init);
 module_exit(logmark_tg_exit);
 MODULE_DESCRIPTION("Xtables: netfilter mark logging to syslog");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_LOGMARK");
 MODULE_ALIAS("ip6t_LOGMARK");

extensions/xt_RAWNAT.c

@@ -96,9 +96,7 @@ static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
 	case IPPROTO_UDPLITE:
 		udph = transport_hdr;
 		cond = udph->check != 0;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 		cond |= skb->ip_summed == CHECKSUM_PARTIAL;
-#endif
 		if (cond) {
 			inet_proto_csum_replace4(&udph->check, skb,
 				oldip, newip, true);
@@ -225,9 +223,7 @@ static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
 	case IPPROTO_UDPLITE:
 		udph = (void *)iph + l4offset;
 		cond = udph->check;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
 		cond |= skb->ip_summed == CHECKSUM_PARTIAL;
-#endif
 		if (cond) {
 			for (i = 0; i < 4; ++i)
 				inet_proto_csum_replace4(&udph->check, skb,
@@ -244,7 +240,7 @@ static unsigned int
 rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
-	unsigned int l4offset, l4proto;
+	unsigned int l4offset = 0, l4proto;
 	struct ipv6hdr *iph;
 	struct in6_addr new_addr;
 
@@ -265,7 +261,7 @@ static unsigned int
 rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct xt_rawnat_tginfo *info = par->targinfo;
-	unsigned int l4offset, l4proto;
+	unsigned int l4offset = 0, l4proto;
 	struct ipv6hdr *iph;
 	struct in6_addr new_addr;
 
@@ -349,7 +345,7 @@ static void __exit rawnat_tg_exit(void)
 
 module_init(rawnat_tg_init);
 module_exit(rawnat_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Xtables: conntrack-less raw NAT");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_RAWSNAT");

extensions/xt_STEAL.c

@@ -1,6 +1,6 @@
 /*
  *	"STEAL" demo target extension for Xtables
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	written by Jan Engelhardt, 2008 - 2009
  *	placed in the Public Domain
  */
 #include <linux/module.h>
@@ -58,7 +58,7 @@ static void __exit steal_tg_exit(void)
 
 module_init(steal_tg_init);
 module_exit(steal_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_STEAL");

extensions/xt_SYSRQ.c

@@ -1,6 +1,6 @@
 /*
  *	"SYSRQ" target extension for Xtables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
+ *	Copyright © Jan Engelhardt, 2008 - 2012
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
  *
@@ -24,10 +24,10 @@
 #include <linux/crypto.h>
 #include <linux/scatterlist.h>
 #include <net/ip.h>
+#include <net/ipv6.h>
 #include "compat_xtables.h"
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) && \
-    (defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE))
+#if defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE)
 #	define WITH_CRYPTO 1
 #endif
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
@@ -120,9 +120,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 	ret = crypto_hash_init(&desc);
 	if (ret != 0)
 		goto hash_fail;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
 	sg_init_table(sg, 2);
-#endif
 	sg_set_buf(&sg[0], data, n);
 	i = strlen(sysrq_digest_password);
 	sg_set_buf(&sg[1], sysrq_digest_password, i);
@@ -154,13 +152,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 	sysrq_seqno = new_seqno;
 	for (i = 0; i < len && data[i] != ','; ++i) {
 		printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
 		handle_sysrq(data[i]);
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-		handle_sysrq(data[i], NULL);
-#else
-		handle_sysrq(data[i], NULL, NULL);
-#endif
 	}
 	return NF_ACCEPT;
 
@@ -191,13 +183,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 		return NF_DROP;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
 	handle_sysrq(c);
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	handle_sysrq(c, NULL);
-#else
-	handle_sysrq(c, NULL, NULL);
-#endif
 	return NF_ACCEPT;
 }
 #endif
@@ -240,7 +226,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 	const struct ipv6hdr *iph;
 	const struct udphdr *udph;
 	unsigned short frag_off;
-	unsigned int th_off;
+	unsigned int th_off = 0;
 	uint16_t len;
 
 	if (skb_linearize(skb) < 0)
@@ -364,8 +350,9 @@ static int __init sysrq_crypto_init(void)
  fail:
 	sysrq_crypto_exit();
 	return ret;
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 19)
-	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for < 2.6.19\n");
+#else
+	printk(KERN_WARNING "Kernel was compiled without crypto, "
+	       "so xt_SYSRQ won't use crypto.\n");
 #endif
 	return -EINVAL;
 }
@@ -386,7 +373,7 @@ static void __exit sysrq_tg_exit(void)
 module_init(sysrq_tg_init);
 module_exit(sysrq_tg_exit);
 MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_AUTHOR("John Haxby <john.haxby@oracle.com");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_SYSRQ");

extensions/xt_TARPIT.c

@@ -208,13 +208,9 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
 	nf_reset(nskb);
 	skb_nfmark(nskb) = 0;
 	skb_init_secmark(nskb);
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
 	skb_shinfo(nskb)->gso_size = 0;
 	skb_shinfo(nskb)->gso_segs = 0;
 	skb_shinfo(nskb)->gso_type = 0;
-#endif
-
 	oldhdr = ip_hdr(oldskb);
 	tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
 
@@ -237,19 +233,13 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
 	((u_int8_t *)tcph)[13] = 0;
 
 	if (!tarpit_generic(tcph, oth, payload, mode))
-		return;
+		goto free_nskb;
 
 	/* Adjust TCP checksum */
 	tcph->check = 0;
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
-	tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
-	              niph->daddr, csum_partial((char *)tcph,
-	              sizeof(struct tcphdr), 0));
-#else
 	tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
 	              niph->daddr, csum_partial((char *)tcph,
 	              sizeof(struct tcphdr), 0));
-#endif
 
 	/* Set DF, id = 0 */
 	niph->frag_off = htons(IP_DF);
@@ -277,11 +267,7 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
 	if (mode == XTTARPIT_HONEYPOT)
 		niph->ttl = 128;
 	else
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
 		niph->ttl = ip4_dst_hoplimit(skb_dst(nskb));
-#else
-		niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
-#endif
 
 	/* Adjust IP checksum */
 	niph->check = 0;
@@ -359,13 +345,9 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
 	nf_reset(nskb);
 	skb_nfmark(nskb) = 0;
 	skb_init_secmark(nskb);
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
 	skb_shinfo(nskb)->gso_size = 0;
 	skb_shinfo(nskb)->gso_segs = 0;
 	skb_shinfo(nskb)->gso_type = 0;
-#endif
-
 	skb_put(nskb, sizeof(struct ipv6hdr));
 	ip6h = ipv6_hdr(nskb);
 	*(__be32 *)ip6h =  htonl(0x60000000 | (tclass << 20));
@@ -374,16 +356,11 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
 	ip6h->daddr = oip6h->saddr;
 
 	/* Adjust IP TTL */
-	if (mode == XTTARPIT_HONEYPOT)
+	if (mode == XTTARPIT_HONEYPOT) {
 		ip6h->hop_limit = 128;
-	else
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 26)
+	} else {
 		ip6h->hop_limit = ip6_dst_hoplimit(skb_dst(nskb));
-#else
-		ip6h->hop_limit = dst_metric(dst, RTAX_HOPLIMIT);
-		if (ip6h->hop_limit < 0)
-			ip6h->hop_limit = ipv6_get_hoplimit((skb_dst(nskb))->dev).
-#endif
+	}
 
 	tcph = (struct tcphdr *)(skb_network_header(nskb) +
 	       sizeof(struct ipv6hdr));
@@ -399,7 +376,7 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
 
 	payload = nskb->len - sizeof(struct ipv6hdr) - sizeof(struct tcphdr);
 	if (!tarpit_generic(&oth, tcph, payload, mode))
-		return;
+		goto free_nskb;
 
 	ip6h->payload_len = htons(sizeof(struct tcphdr));
 	tcph->check = 0;
@@ -544,7 +521,7 @@ static void __exit tarpit_tg_exit(void)
 module_init(tarpit_tg_init);
 module_exit(tarpit_tg_exit);
 MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TARPIT");
 MODULE_ALIAS("ip6t_TARPIT");

extensions/xt_TEE.c

@@ -1,299 +0,0 @@
-/*
- *	"TEE" target extension for Xtables
- *	Copyright © Sebastian Claßen <sebastian.classen [at] freenet de>, 2007
- *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
- *
- *	based on ipt_ROUTE.c from Cédric de Launois
- *	<delaunois [at] info ucl ac be>
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License
- *	version 2, as published by the Free Software Foundation.
- */
-#include <linux/ip.h>
-#include <linux/module.h>
-#include <linux/route.h>
-#include <linux/skbuff.h>
-#include <linux/version.h>
-#include <net/checksum.h>
-#include <net/icmp.h>
-#include <net/ip.h>
-#include <net/ip6_route.h>
-#include <net/route.h>
-#include <linux/netfilter/x_tables.h>
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
-#	error ----------------------------------------------------------
-#	error This module has been merged into, and is available in the
-#	error mainline since Linux kernel v2.6.35. Please use that.
-#	error ----------------------------------------------------------
-#endif
-
-#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
-#	define WITH_CONNTRACK 1
-#	include <net/netfilter/nf_conntrack.h>
-#endif
-#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
-#	define WITH_IPV6 1
-#endif
-
-#include "compat_xtables.h"
-#include "xt_TEE.h"
-
-static bool tee_active[NR_CPUS];
-static const union nf_inet_addr tee_zero_address;
-
-static bool
-tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
-{
-	const struct iphdr *iph = ip_hdr(skb);
-	struct rtable *rt;
-	struct flowi fl;
-
-	memset(&fl, 0, sizeof(fl));
-	fl.nl_u.ip4_u.daddr = info->gw.ip;
-	fl.nl_u.ip4_u.tos   = RT_TOS(iph->tos);
-	fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
-
-	if (ip_route_output_key(&init_net, &rt, &fl) != 0)
-		return false;
-
-	dst_release(skb_dst(skb));
-	skb_dst_set(skb, rt_dst(rt));
-	skb->dev      = rt_dst(rt)->dev;
-	skb->protocol = htons(ETH_P_IP);
-	return true;
-}
-
-static inline bool dev_hh_avail(const struct net_device *dev)
-{
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-	return dev->hard_header != NULL;
-#else
-	return dev->header_ops != NULL;
-#endif
-}
-
-/*
- * Stolen from ip_finish_output2
- * PRE : skb->dev is set to the device we are leaving by
- *       skb->dst is not NULL
- * POST: the packet is sent with the link layer header pushed
- *       the packet is destroyed
- */
-static void tee_tg_send(struct sk_buff *skb)
-{
-	const struct dst_entry *dst  = skb_dst(skb);
-	const struct net_device *dev = dst->dev;
-	unsigned int hh_len = LL_RESERVED_SPACE(dev);
-
-	/* Be paranoid, rather than too clever. */
-	if (unlikely(skb_headroom(skb) < hh_len && dev_hh_avail(dev))) {
-		struct sk_buff *skb2;
-
-		skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
-		if (skb2 == NULL) {
-			kfree_skb(skb);
-			return;
-		}
-		if (skb->sk != NULL)
-			skb_set_owner_w(skb2, skb->sk);
-		kfree_skb(skb);
-		skb = skb2;
-	}
-
-	if (dst->hh != NULL)
-		neigh_hh_output(dst->hh, skb);
-	else if (dst->neighbour != NULL)
-		dst->neighbour->output(skb);
-	else
-		kfree_skb(skb);
-}
-
-static unsigned int
-tee_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_tee_tginfo *info = par->targinfo;
-	struct sk_buff *skb = *pskb;
-	struct iphdr *iph;
-	unsigned int cpu = smp_processor_id();
-
-	if (tee_active[cpu])
-		return XT_CONTINUE;
-	/*
-	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
-	 * the original skb, which should continue on its way as if nothing has
-	 * happened. The copy should be independently delivered to the TEE
-	 * --gateway.
-	 */
-	skb = pskb_copy(skb, GFP_ATOMIC);
-	if (skb == NULL)
-		return XT_CONTINUE;
-	/*
-	 * If we are in PREROUTING/INPUT, the checksum must be recalculated
-	 * since the length could have changed as a result of defragmentation.
-	 *
-	 * We also decrease the TTL to mitigate potential TEE loops
-	 * between two hosts.
-	 *
-	 * Set %IP_DF so that the original source is notified of a potentially
-	 * decreased MTU on the clone route. IPv6 does this too.
-	 */
-	iph = ip_hdr(skb);
-	iph->frag_off |= htons(IP_DF);
-	if (par->hooknum == NF_INET_PRE_ROUTING ||
-	    par->hooknum == NF_INET_LOCAL_IN)
-		--iph->ttl;
-	ip_send_check(iph);
-
-#ifdef WITH_CONNTRACK
-	/*
-	 * Tell conntrack to forget this packet. It may have side effects to
-	 * see the same packet twice, as for example, accounting the original
-	 * connection for the cloned packet.
-	 */
-	nf_conntrack_put(skb->nfct);
-	skb->nfct     = &nf_conntrack_untracked.ct_general;
-	skb->nfctinfo = IP_CT_NEW;
-	nf_conntrack_get(skb->nfct);
-#endif
-
-	/*
-	 * Normally, we would just use ip_local_out. Because iph->check is
-	 * already correct, we could take a shortcut and call dst_output
-	 * [forwards to ip_output] directly. ip_output however will invoke
-	 * Netfilter hooks and cause reentrancy. So we skip that too and go
-	 * directly to ip_finish_output. Since we should not do XFRM, control
-	 * passes to ip_finish_output2. That function is not exported, so it is
-	 * copied here as tee_ip_direct_send.
-	 *
-	 * We do no XFRM on the cloned packet on purpose! The choice of
-	 * iptables match options will control whether the raw packet or the
-	 * transformed version is cloned.
-	 *
-	 * Also on purpose, no fragmentation is done, to preserve the
-	 * packet as best as possible.
-	 */
-	if (tee_tg_route4(skb, info)) {
-		tee_active[cpu] = true;
-		tee_tg_send(skb);
-		tee_active[cpu] = false;
-	} else {
-		kfree_skb(skb);
-	}
-	return XT_CONTINUE;
-}
-
-#ifdef WITH_IPV6
-static bool
-tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
-{
-	const struct ipv6hdr *iph = ipv6_hdr(skb);
-	struct dst_entry *dst;
-	struct flowi fl;
-
-	memset(&fl, 0, sizeof(fl));
-	fl.nl_u.ip6_u.daddr = info->gw.in6;
-	fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
-		(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
-	dst = ip6_route_output(NULL, &fl);
-#else
-	dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
-#endif
-	if (dst == NULL)
-		return false;
-
-	dst_release(skb_dst(skb));
-	skb_dst_set(skb, dst);
-	skb->dev      = dst->dev;
-	skb->protocol = htons(ETH_P_IPV6);
-	return true;
-}
-
-static unsigned int
-tee_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_tee_tginfo *info = par->targinfo;
-	struct sk_buff *skb = *pskb;
-	unsigned int cpu = smp_processor_id();
-
-	if (tee_active[cpu])
-		return XT_CONTINUE;
-	skb = pskb_copy(skb, GFP_ATOMIC);
-	if (skb == NULL)
-		return XT_CONTINUE;
-
-#ifdef WITH_CONNTRACK
-	nf_conntrack_put(skb->nfct);
-	skb->nfct     = &nf_conntrack_untracked.ct_general;
-	skb->nfctinfo = IP_CT_NEW;
-	nf_conntrack_get(skb->nfct);
-#endif
-	if (par->hooknum == NF_INET_PRE_ROUTING ||
-	    par->hooknum == NF_INET_LOCAL_IN) {
-		struct ipv6hdr *iph = ipv6_hdr(skb);
-		--iph->hop_limit;
-	}
-	if (tee_tg_route6(skb, info)) {
-		tee_active[cpu] = true;
-		tee_tg_send(skb);
-		tee_active[cpu] = false;
-	} else {
-		kfree_skb(skb);
-	}
-	return XT_CONTINUE;
-}
-#endif /* WITH_IPV6 */
-
-static int tee_tg_check(const struct xt_tgchk_param *par)
-{
-	const struct xt_tee_tginfo *info = par->targinfo;
-
-	/* 0.0.0.0 and :: not allowed */
-	return (memcmp(&info->gw, &tee_zero_address,
-	       sizeof(tee_zero_address)) == 0) ? -EINVAL : 0;
-}
-
-static struct xt_target tee_tg_reg[] __read_mostly = {
-	{
-		.name       = "TEE",
-		.revision   = 0,
-		.family     = NFPROTO_IPV4,
-		.target     = tee_tg4,
-		.targetsize = sizeof(struct xt_tee_tginfo),
-		.checkentry = tee_tg_check,
-		.me         = THIS_MODULE,
-	},
-#ifdef WITH_IPV6
-	{
-		.name       = "TEE",
-		.revision   = 0,
-		.family     = NFPROTO_IPV6,
-		.target     = tee_tg6,
-		.targetsize = sizeof(struct xt_tee_tginfo),
-		.checkentry = tee_tg_check,
-		.me         = THIS_MODULE,
-	},
-#endif
-};
-
-static int __init tee_tg_init(void)
-{
-	return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
-}
-
-static void __exit tee_tg_exit(void)
-{
-	xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
-}
-
-module_init(tee_tg_init);
-module_exit(tee_tg_exit);
-MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: Reroute packet copy");
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_TEE");
-MODULE_ALIAS("ip6t_TEE");

extensions/xt_TEE.h

@@ -1,8 +0,0 @@
-#ifndef _XT_TEE_TARGET_H
-#define _XT_TEE_TARGET_H
-
-struct xt_tee_tginfo {
-	union nf_inet_addr gw;
-};
-
-#endif /* _XT_TEE_TARGET_H */

extensions/xt_condition.c

@@ -35,7 +35,7 @@ static unsigned int condition_gid_perms = 0;
 
 MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
 MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Allows rules to match against condition variables");
 MODULE_LICENSE("GPL");
 module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
@@ -150,9 +150,6 @@ static int condition_mt_check(const struct xt_mtchk_param *par)
 
 	var->refcount = 1;
 	var->enabled  = false;
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
-	var->status_proc->owner = THIS_MODULE;
-#endif
 	var->status_proc->data  = var;
 	wmb();
 	var->status_proc->read_proc  = condition_proc_read;
@@ -211,13 +208,13 @@ static int __init condition_mt_init(void)
 	int ret;
 
 	mutex_init(&proc_lock);
-	proc_net_condition = proc_mkdir(dir_name, init_net__proc_net);
+	proc_net_condition = proc_mkdir(dir_name, init_net.proc_net);
 	if (proc_net_condition == NULL)
 		return -EACCES;
 
 	ret = xt_register_matches(condition_mt_reg, ARRAY_SIZE(condition_mt_reg));
 	if (ret < 0) {
-		remove_proc_entry(dir_name, init_net__proc_net);
+		remove_proc_entry(dir_name, init_net.proc_net);
 		return ret;
 	}
 
@@ -227,7 +224,7 @@ static int __init condition_mt_init(void)
 static void __exit condition_mt_exit(void)
 {
 	xt_unregister_matches(condition_mt_reg, ARRAY_SIZE(condition_mt_reg));
-	remove_proc_entry(dir_name, init_net__proc_net);
+	remove_proc_entry(dir_name, init_net.proc_net);
 }
 
 module_init(condition_mt_init);

extensions/xt_iface.c

@@ -48,11 +48,7 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
 		return par->in;
 	else if (info->flags & XT_IFACE_DEV_OUT)
 		return par->out;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
 	return *put = dev_get_by_name(&init_net, info->ifname);
-#else
-	return *put = dev_get_by_name(info->ifname);
-#endif
 }
 
 static bool iface_flagtest(unsigned int devflags, unsigned int flags,

extensions/xt_ipaddr.c

@@ -0,0 +1,141 @@
+/*
+ *	"ipaddr" demo match for Xtables
+ *	Copyright © Jan Engelhardt, 2008-2009
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the WTF Public License version 2 or
+ *      (at your option) any later version.
+ */
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/x_tables.h>
+#include <net/ipv6.h>
+#include "compat_xtables.h"
+#include "xt_ipaddr.h"
+
+static bool ipaddr_mt4(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	const struct xt_ipaddr_mtinfo *info = par->matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+
+	printk(KERN_INFO
+	       "xt_ipaddr: IN=%s OUT=%s "
+	       "SRC=" NIPQUAD_FMT " DST=" NIPQUAD_FMT " "
+	       "IPSRC=" NIPQUAD_FMT " IPDST=" NIPQUAD_FMT "\n",
+	       (par->in != NULL) ? par->in->name : "",
+	       (par->out != NULL) ? par->out->name : "",
+	       NIPQUAD(iph->saddr), NIPQUAD(iph->daddr),
+	       NIPQUAD(info->src), NIPQUAD(info->dst));
+
+	if (info->flags & XT_IPADDR_SRC)
+		if ((iph->saddr != info->src.ip) ^
+		    !!(info->flags & XT_IPADDR_SRC_INV)) {
+			printk(KERN_NOTICE "src IP - no match\n");
+			return false;
+		}
+
+	if (info->flags & XT_IPADDR_DST)
+		if ((iph->daddr != info->dst.ip) ^
+		    !!(info->flags & XT_IPADDR_DST_INV)) {
+			printk(KERN_NOTICE "dst IP - no match\n");
+			return false;
+		}
+
+	return true;
+}
+
+static bool ipaddr_mt6(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	const struct xt_ipaddr_mtinfo *info = par->matchinfo;
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
+
+	printk(KERN_INFO
+	       "xt_ipaddr: IN=%s OUT=%s "
+	       "SRC=" NIP6_FMT " DST=" NIP6_FMT " "
+	       "IPSRC=" NIP6_FMT " IPDST=" NIP6_FMT "\n",
+	       (par->in != NULL) ? par->in->name : "",
+	       (par->out != NULL) ? par->out->name : "",
+	       NIP6(iph->saddr), NIP6(iph->daddr),
+	       NIP6(info->src.in6), NIP6(info->dst.in6));
+
+	if (info->flags & XT_IPADDR_SRC)
+		if ((ipv6_addr_cmp(&iph->saddr, &info->src.in6) != 0) ^
+		    !!(info->flags & XT_IPADDR_SRC_INV)) {
+			printk(KERN_NOTICE "src IP - no match\n");
+			return false;
+		}
+
+	if (info->flags & XT_IPADDR_DST)
+		if ((ipv6_addr_cmp(&iph->daddr, &info->dst.in6) != 0) ^
+		    !!(info->flags & XT_IPADDR_DST_INV)) {
+			printk(KERN_NOTICE "dst IP - no match\n");
+			return false;
+		}
+
+	return true;
+}
+
+static int ipaddr_mt_check(const struct xt_mtchk_param *par)
+{
+	const struct xt_ipaddr_mtinfo *info = par->matchinfo;
+
+	printk(KERN_INFO "xt_ipaddr: Added a rule with -m ipaddr in "
+	       "the %s table; this rule is reachable through hooks 0x%x\n",
+	       par->table, par->hook_mask);
+
+	if (par->match->family == NFPROTO_IPV4 &&
+	    ntohl(info->src.ip) == 0xDEADBEEF) {
+		printk(KERN_INFO "xt_ipaddr: I just thought I do not want "
+		       "to let you match on 222.173.190.239\n");
+		return -EPERM;
+	}
+
+	return 0;
+}
+
+static void ipaddr_mt_destroy(const struct xt_mtdtor_param *par)
+{
+	printk(KERN_INFO "One rule with ipaddr match got deleted\n");
+}
+
+static struct xt_match ipaddr_mt_reg[] __read_mostly = {
+	{
+		.name       = "ipaddr",
+		.revision   = 0,
+		.family     = NFPROTO_IPV4,
+		.match      = ipaddr_mt4,
+		.checkentry = ipaddr_mt_check,
+		.destroy    = ipaddr_mt_destroy,
+		.matchsize  = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "ipaddr",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.match      = ipaddr_mt6,
+		.checkentry = ipaddr_mt_check,
+		.destroy    = ipaddr_mt_destroy,
+		.matchsize  = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
+		.me         = THIS_MODULE,
+	},
+};
+
+static int __init ipaddr_mt_init(void)
+{
+	return xt_register_matches(ipaddr_mt_reg, ARRAY_SIZE(ipaddr_mt_reg));
+}
+
+static void __exit ipaddr_mt_exit(void)
+{
+	xt_unregister_matches(ipaddr_mt_reg, ARRAY_SIZE(ipaddr_mt_reg));
+}
+
+module_init(ipaddr_mt_init);
+module_exit(ipaddr_mt_exit);
+MODULE_DESCRIPTION("Xtables: Match source/destination address");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_ipaddr");
+MODULE_ALIAS("ip6t_ipaddr");

extensions/xt_ipaddr.h

@@ -0,0 +1,16 @@
+#ifndef _LINUX_NETFILTER_XT_IPADDR_H
+#define _LINUX_NETFILTER_XT_IPADDR_H 1
+
+enum {
+	XT_IPADDR_SRC     = 1 << 0,
+	XT_IPADDR_DST     = 1 << 1,
+	XT_IPADDR_SRC_INV = 1 << 2,
+	XT_IPADDR_DST_INV = 1 << 3,
+};
+
+struct xt_ipaddr_mtinfo {
+	union nf_inet_addr src, dst;
+	__u8 flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPADDR_H */

extensions/xt_ipv4options.c

@@ -76,7 +76,7 @@ static void __exit ipv4options_mt_exit(void)
 }
 
 MODULE_DESCRIPTION("Xatblse: IPv4 option match");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_ipv4options");
 module_init(ipv4options_mt_init);

extensions/xt_length2.c

@@ -1,6 +1,6 @@
 /*
  *	xt_length - Xtables module to match packet length
- *	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2007 - 2009
+ *	Copyright © Jan Engelhardt , 2007 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -29,7 +29,7 @@
 #	define NEXTHDR_IPV4 4
 #endif
 
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_length2");
@@ -203,7 +203,8 @@ length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 	const struct xt_length_mtinfo2 *info = par->matchinfo;
 	const struct ipv6hdr *iph = ipv6_hdr(skb);
 	unsigned int len = 0, l4proto;
-	unsigned int thoff = par->thoff;
+	/* par->thoff would only set if ip6tables -p was used; so just use 0 */
+	unsigned int thoff = 0;
 	bool hit = true;
 
 	if (info->flags & XT_LENGTH_LAYER3) {

extensions/xt_lscan.c

@@ -204,7 +204,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		unsigned int n;
 
 		n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
-		    par->in == init_net__loopback_dev, tcph,
+		    par->in == init_net.loopback_dev, tcph,
 		    skb->len - par->thoff - 4 * tcph->doff);
 
 		ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
@@ -264,7 +264,7 @@ static void __exit lscan_mt_exit(void)
 
 module_init(lscan_mt_init);
 module_exit(lscan_mt_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_lscan");

extensions/xt_psd.c

@@ -22,13 +22,15 @@
 
 #define pr_fmt(x) KBUILD_MODNAME ": " x
 #include <linux/module.h>
-#include <linux/moduleparam.h>
 #include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/tcp.h>
+#include <linux/types.h>
+#include <linux/tcp.h>
 #include <linux/spinlock.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/vmalloc.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
 #include "xt_psd.h"
 #include "compat_xtables.h"
 
@@ -39,6 +41,7 @@ MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
 MODULE_AUTHOR(" Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com>");
 MODULE_DESCRIPTION("Xtables: PSD - portscan detection");
 MODULE_ALIAS("ipt_psd");
+MODULE_ALIAS("ip6t_psd");
 
 /*
  * Keep track of up to LIST_SIZE source addresses, using a hash table of
@@ -50,6 +53,10 @@ MODULE_ALIAS("ipt_psd");
 #define HASH_SIZE			(1 << HASH_LOG)
 #define HASH_MAX			0x10
 
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 /*
  * Information we keep per each target port
  */
@@ -68,8 +75,6 @@ struct port {
 struct host {
 	struct host *next;
 	unsigned long timestamp;
-	struct in_addr src_addr;
-	struct in_addr dest_addr;
 	__be16 src_port;
 	uint16_t count;
 	uint8_t weight;
@@ -77,27 +82,87 @@ struct host {
 };
 
 /**
- * State information.
+ * Information we keep per ipv4 source address.
+ */
+struct host4 {
+	struct host host;
+	__be32 saddr;
+};
+
+static struct host4 *host_to_host4(const struct host *h)
+{
+	return (struct host4 *)h;
+}
+
+struct host6 {
+	struct host host;
+	struct in6_addr saddr;
+};
+
+/**
+ * State information for IPv4 portscan detection.
  * @list:	list of source addresses
  * @hash:	pointers into the list
  * @index:	oldest entry to be replaced
  */
 static struct {
 	spinlock_t lock;
-	struct host list[LIST_SIZE];
+	struct host4 list[LIST_SIZE];
 	struct host *hash[HASH_SIZE];
 	int index;
 } state;
 
+#ifdef WITH_IPV6
+/**
+ * State information for IPv6 portscan detection.
+ * @list:	list of source addresses
+ * @hash:	pointers into the list
+ * @index:	oldest entry to be replaced
+ */
+static struct {
+	spinlock_t lock;
+	struct host6 *list;
+	struct host **hash;
+	int index;
+} state6;
+
+static struct host6 *host_to_host6(const struct host *h)
+{
+	return (struct host6 *) h;
+}
+
+/**
+ * allocate state6 memory only when needed
+ */
+static bool state6_alloc_mem(void)
+{
+	if (state6.hash != NULL)
+		return true;
+
+	state6.list = vmalloc(LIST_SIZE * sizeof(struct host6));
+	if (state6.list == NULL)
+		return false;
+	memset(state6.list, 0, LIST_SIZE * sizeof(struct host6));
+
+	state6.hash = vmalloc(HASH_SIZE * sizeof(struct host*));
+	if (state6.hash == NULL) {
+		vfree(state6.list);
+		return false;
+	}
+	memset(state6.hash, 0, HASH_SIZE * sizeof(struct host *));
+	return true;
+}
+#endif
+
 /*
  * Convert an IP address into a hash table index.
  */
-static inline int hashfunc(struct in_addr addr)
+static unsigned int hashfunc(__be32 addr)
 {
 	unsigned int value;
-	int hash;
+	unsigned int hash;
 
-	value = addr.s_addr;
+	value = addr;
 	hash = 0;
 	do {
 		hash ^= value;
@@ -106,133 +171,169 @@ static inline int hashfunc(struct in_addr addr)
 	return hash & (HASH_SIZE - 1);
 }
 
-static bool
-xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
+static inline unsigned int hashfunc6(const struct in6_addr *addr)
+{
+	__be32 h = addr->s6_addr32[0] ^ addr->s6_addr32[1];
+	return hashfunc(h ^ addr->s6_addr32[2] ^ addr->s6_addr32[3]);
+}
+
+static bool port_in_list(struct host *host, uint8_t proto, uint16_t port)
+{
+	unsigned int i;
+
+	for (i = 0; i < host->count; ++i) {
+		if (host->ports[i].proto != proto)
+			continue;
+		if (host->ports[i].number == port)
+			return true;
+	}
+	return false;
+}
+
+static uint16_t get_port_weight(const struct xt_psd_info *psd, __be16 port)
+{
+	return ntohs(port) < 1024 ? psd->lo_ports_weight : psd->hi_ports_weight;
+}
+
+static bool
+is_portscan(struct host *host, const struct xt_psd_info *psdinfo,
+            const struct tcphdr *tcph, uint8_t proto)
+{
+	if (port_in_list(host, proto, tcph->dest))
+		return false;
+
+	/*
+	 * TCP/ACK and/or TCP/RST to a new port? This could be an
+	 * outgoing connection.
+	 */
+	if (proto == IPPROTO_TCP && (tcph->ack || tcph->rst))
+		return false;
+
+	host->timestamp = jiffies;
+
+	if (host->weight >= psdinfo->weight_threshold) /* already matched */
+		return true;
+
+	/* Update the total weight */
+	host->weight += get_port_weight(psdinfo, tcph->dest);
+
+	/* Got enough destination ports to decide that this is a scan? */
+	if (host->weight >= psdinfo->weight_threshold)
+		return true;
+
+	/* Remember the new port */
+	if (host->count < ARRAY_SIZE(host->ports)) {
+		host->ports[host->count].number = tcph->dest;
+		host->ports[host->count].proto = proto;
+		host->count++;
+	}
+	return false;
+}
+
+static struct host *host_get_next(struct host *h, struct host **last)
+{
+	if (h->next != NULL)
+		*last = h;
+	return h->next;
+}
+
+static void ht_unlink(struct host **head, struct host *last)
+{
+	if (last != NULL)
+		last->next = last->next->next;
+	else if (*head != NULL)
+		*head = (*head)->next;
+}
+
+static bool
+entry_is_recent(const struct host *h, unsigned long delay_threshold,
+                unsigned long now)
+{
+	return now - h->timestamp <= (delay_threshold * HZ) / 100 &&
+	       time_after_eq(now, h->timestamp);
+}
+
+static void remove_oldest(struct host **head, struct host *curr)
+{
+	struct host *h, *last = NULL;
+
+	/*
+	 * We are going to re-use the oldest list entry, so remove it from the
+	 * hash table first, if it is really already in use.
+	 */
+	h = *head;
+	while (h != NULL) {
+		if (curr == h)
+			break;
+		last = h;
+		h = h->next;
+	}
+
+	/* Then, remove it */
+	if (h != NULL)
+		ht_unlink(head, last);
+}
+
+static void *
+get_header_pointer4(const struct sk_buff *skb, unsigned int thoff, void *mem)
+{
+	const struct iphdr *iph = ip_hdr(skb);
+	int hdrlen;
+
+	switch (iph->protocol) {
+	case IPPROTO_TCP:
+		hdrlen = sizeof(struct tcphdr);
+		break;
+	case IPPROTO_UDP:
+	case IPPROTO_UDPLITE:
+		hdrlen = sizeof(struct udphdr);
+		break;
+	default:
+		return NULL;
+	}
+
+	return skb_header_pointer(skb, thoff, hdrlen, mem);
+}
+
+static bool
+handle_packet4(const struct iphdr *iph, const struct tcphdr *tcph,
+               const struct xt_psd_info *psdinfo, unsigned int hash)
 {
-	const struct iphdr *iph;
-	const struct tcphdr *tcph = NULL;
-	const struct udphdr *udph;
-	union {
-		struct tcphdr tcph;
-		struct udphdr udph;
-	} _buf;
-	struct in_addr addr;
-	u_int16_t src_port,dest_port;
-	u_int8_t proto;
 	unsigned long now;
-	struct host *curr, *last, **head;
-	int hash, index, count;
-	/* Parameters from userspace */
-	const struct xt_psd_info *psdinfo = match->matchinfo;
-
-	iph = ip_hdr(pskb);
-	if (iph->frag_off & htons(IP_OFFSET)) {
-		pr_debug("sanity check failed\n");
-		return false;
-	}
-
-	proto = iph->protocol;
-	addr.s_addr = iph->saddr;
-	/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
-	 * them spoof us. [DHCP needs this feature - HW] */
-	if (addr.s_addr == 0) {
-		pr_debug("spoofed source address (0.0.0.0)\n");
-		return false;
-	}
-
-	if (proto == IPPROTO_TCP) {
-		tcph = skb_header_pointer(pskb, match->thoff,
-		       sizeof(_buf.tcph), &_buf.tcph);
-		if (tcph == NULL)
-			return false;
-
-		/* Yep, it's dirty */
-		src_port = tcph->source;
-		dest_port = tcph->dest;
-	} else if (proto == IPPROTO_UDP || proto == IPPROTO_UDPLITE) {
-		udph = skb_header_pointer(pskb, match->thoff,
-		       sizeof(_buf.udph), &_buf.udph);
-		if (udph == NULL)
-			return false;
-		src_port  = udph->source;
-		dest_port = udph->dest;
-	} else {
-		pr_debug("protocol not supported\n");
-		return false;
-	}
+	struct host *curr, *last = NULL, **head;
+	struct host4 *curr4;
+	int count = 0;
 
 	now = jiffies;
-
-	spin_lock(&state.lock);
+	head = &state.hash[hash];
 
 	/* Do we know this source address already? */
-	count = 0;
-	last = NULL;
-	if ((curr = *(head = &state.hash[hash = hashfunc(addr)])) != NULL)
-		do {
-			if (curr->src_addr.s_addr == addr.s_addr)
-				break;
-			count++;
-			if (curr->next != NULL)
-				last = curr;
-		} while ((curr = curr->next) != NULL);
+	curr = *head;
+	while (curr != NULL) {
+		curr4 = host_to_host4(curr);
+		if (curr4->saddr == iph->saddr)
+			break;
+		count++;
+		curr = host_get_next(curr, &last);
+	}
 
 	if (curr != NULL) {
 		/* We know this address, and the entry isn't too old. Update it. */
-		if (now - curr->timestamp <= (psdinfo->delay_threshold*HZ)/100 &&
-		    time_after_eq(now, curr->timestamp)) {
-
-			/* Just update the appropriate list entry if we've seen this port already */
-			for (index = 0; index < curr->count; index++) {
-				if (curr->ports[index].number == dest_port) {
-					curr->ports[index].proto = proto;
-					goto out_no_match;
-				}
-			}
-
-			/* TCP/ACK and/or TCP/RST to a new port? This could be an outgoing connection. */
-			if (proto == IPPROTO_TCP && (tcph->ack || tcph->rst))
-				goto out_no_match;
-
-			/* Packet to a new port, and not TCP/ACK: update the timestamp */
-			curr->timestamp = now;
-
-			/* Matched this scan already? Then Leave. */
-			if (curr->weight >= psdinfo->weight_threshold)
-				goto out_match;
-
-			/* Update the total weight */
-			curr->weight += (ntohs(dest_port) < 1024) ?
-				psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
-
-			/* Got enough destination ports to decide that this is a scan? */
-			if (curr->weight >= psdinfo->weight_threshold)
-				goto out_match;
-
-			/* Remember the new port */
-			if (curr->count < ARRAY_SIZE(curr->ports)) {
-				curr->ports[curr->count].number = dest_port;
-				curr->ports[curr->count].proto = proto;
-				curr->count++;
-			}
-
-			goto out_no_match;
-		}
+		if (entry_is_recent(curr, psdinfo->delay_threshold, now))
+			return is_portscan(curr, psdinfo, tcph, iph->protocol);
 
 		/* We know this address, but the entry is outdated. Mark it unused, and
 		 * remove from the hash table. We'll allocate a new entry instead since
 		 * this one might get re-used too soon. */
-		curr->src_addr.s_addr = 0;
-		if (last != NULL)
-			last->next = last->next->next;
-		else if (*head != NULL)
-			*head = (*head)->next;
+		curr4 = host_to_host4(curr);
+		curr4->saddr = 0;
+		ht_unlink(head, last);
 		last = NULL;
 	}
 
 	/* We don't need an ACK from a new source address */
-	if (proto == IPPROTO_TCP && tcph->ack)
-		goto out_no_match;
+	if (iph->protocol == IPPROTO_TCP && tcph->ack)
+		return false;
 
 	/* Got too many source addresses with the same hash value? Then remove the
 	 * oldest one from the hash table, so that they can't take too much of our
@@ -240,33 +341,15 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	if (count >= HASH_MAX && last != NULL)
 		last->next = NULL;
 
-	/* We're going to re-use the oldest list entry, so remove it from the hash
-	 * table first (if it is really already in use, and isn't removed from the
-	 * hash table already because of the HASH_MAX check above). */
-
-	/* First, find it */
-	if (state.list[state.index].src_addr.s_addr != 0)
-		head = &state.hash[hashfunc(state.list[state.index].src_addr)];
+	if (state.list[state.index].saddr != 0)
+		head = &state.hash[hashfunc(state.list[state.index].saddr)];
 	else
 		head = &last;
-	last = NULL;
-	if ((curr = *head) != NULL)
-		do {
-			if (curr == &state.list[state.index])
-				break;
-			last = curr;
-		} while ((curr = curr->next) != NULL);
-
-	/* Then, remove it */
-	if (curr != NULL) {
-		if (last != NULL)
-			last->next = last->next->next;
-		else if (*head != NULL)
-			*head = (*head)->next;
-	}
 
 	/* Get our list entry */
-	curr = &state.list[state.index++];
+	curr4 = &state.list[state.index++];
+	curr = &curr4->host;
+	remove_oldest(head, curr);
 	if (state.index >= LIST_SIZE)
 		state.index = 0;
 
@@ -276,24 +359,173 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	*head = curr;
 
 	/* And fill in the fields */
+	curr4 = host_to_host4(curr);
+	curr4->saddr = iph->saddr;
 	curr->timestamp = now;
-	curr->src_addr = addr;
-	curr->dest_addr.s_addr = iph->daddr;
-	curr->src_port = src_port;
 	curr->count = 1;
-	curr->weight = (ntohs(dest_port) < 1024) ? psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
-	curr->ports[0].number = dest_port;
-	curr->ports[0].proto = proto;
-
-out_no_match:
-	spin_unlock(&state.lock);
+	curr->weight = get_port_weight(psdinfo, tcph->dest);
+	curr->ports[0].number = tcph->dest;
+	curr->ports[0].proto = iph->protocol;
 	return false;
-
-out_match:
-	spin_unlock(&state.lock);
-	return true;
 }
 
+static bool
+xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
+{
+	struct iphdr *iph = ip_hdr(pskb);
+	struct tcphdr _tcph;
+	struct tcphdr *tcph;
+	bool matched;
+	unsigned int hash;
+	/* Parameters from userspace */
+	const struct xt_psd_info *psdinfo = match->matchinfo;
+
+	if (iph->frag_off & htons(IP_OFFSET)) {
+		pr_debug("sanity check failed\n");
+		return false;
+	}
+
+	/*
+	 * We are using IP address 0.0.0.0 for a special purpose here, so do
+	 * not let them spoof us. [DHCP needs this feature - HW]
+	 */
+	if (iph->saddr == 0) {
+		pr_debug("spoofed source address (0.0.0.0)\n");
+		return false;
+	}
+
+	tcph = get_header_pointer4(pskb, match->thoff, &_tcph);
+	if (tcph == NULL)
+		return false;
+
+	hash = hashfunc(iph->saddr);
+
+	spin_lock(&state.lock);
+	matched = handle_packet4(iph, tcph, psdinfo, hash);
+	spin_unlock(&state.lock);
+	return matched;
+}
+
+#ifdef WITH_IPV6
+static bool
+handle_packet6(const struct ipv6hdr *ip6h, const struct tcphdr *tcph,
+	       const struct xt_psd_info *psdinfo, uint8_t proto, int hash)
+{
+	unsigned long now;
+	struct host *curr, *last = NULL, **head;
+	struct host6 *curr6;
+	int count = 0;
+
+	now = jiffies;
+	head = &state6.hash[hash];
+
+	curr = *head;
+	while (curr != NULL) {
+		curr6 = host_to_host6(curr);
+		if (ipv6_addr_equal(&curr6->saddr, &ip6h->saddr))
+			break;
+		count++;
+		curr = host_get_next(curr, &last);
+	}
+
+	if (curr != NULL) {
+		if (entry_is_recent(curr, psdinfo->delay_threshold, now))
+			return is_portscan(curr, psdinfo, tcph, proto);
+		curr6 = host_to_host6(curr);
+		memset(&curr6->saddr, 0, sizeof(curr6->saddr));
+		ht_unlink(head, last);
+		last = NULL;
+	}
+
+	if (proto == IPPROTO_TCP && tcph->ack)
+		return false;
+
+	if (count >= HASH_MAX && last != NULL)
+		last->next = NULL;
+
+	if (!ipv6_addr_any(&state6.list[state6.index].saddr))
+		head = &state6.hash[hashfunc6(&state6.list[state6.index].saddr)];
+	else
+		head = &last;
+
+	curr6 = &state6.list[state6.index++];
+	curr = &curr6->host;
+	remove_oldest(head, curr);
+	if (state6.index >= LIST_SIZE)
+		state6.index = 0;
+
+	head = &state6.hash[hash];
+	curr->next = *head;
+	*head = curr;
+
+	curr6 = host_to_host6(curr);
+	curr6->saddr = ip6h->saddr;
+	curr->timestamp = now;
+	curr->count = 1;
+	curr->weight = get_port_weight(psdinfo, tcph->dest);
+	curr->ports[0].number = tcph->dest;
+	curr->ports[0].proto = proto;
+	return false;
+}
+
+static void *
+get_header_pointer6(const struct sk_buff *skb, void *mem, uint8_t *proto)
+{
+	static const uint8_t types[] = {IPPROTO_TCP,
+				        IPPROTO_UDP, IPPROTO_UDPLITE};
+	unsigned int i, offset = 0;
+	int err;
+	size_t hdrlen;
+
+	for (i = 0; i < ARRAY_SIZE(types); ++i) {
+		err = ipv6_find_hdr(skb, &offset, types[i], NULL, NULL);
+		if (err < 0)
+			continue;
+
+		switch (types[i]) {
+		case IPPROTO_TCP:
+			hdrlen = sizeof(struct tcphdr);
+			break;
+		case IPPROTO_UDP:
+		case IPPROTO_UDPLITE:
+			hdrlen = sizeof(struct udphdr);
+			break;
+		default:
+			return NULL;
+		}
+		*proto = types[i];
+		return skb_header_pointer(skb, offset, hdrlen, mem);
+	}
+	return NULL;
+}
+
+static bool
+xt_psd_match6(const struct sk_buff *pskb, struct xt_action_param *match)
+{
+	const struct ipv6hdr *ip6h = ipv6_hdr(pskb);
+	struct tcphdr _tcph;
+	struct tcphdr *tcph;
+	uint8_t proto = 0;
+	bool matched;
+	int hash;
+	const struct xt_psd_info *psdinfo = match->matchinfo;
+
+	if (ipv6_addr_any(&ip6h->saddr))
+		return false;
+
+	tcph = get_header_pointer6(pskb, &_tcph, &proto);
+	if (tcph == NULL)
+		return false;
+
+	hash = hashfunc6(&ip6h->saddr);
+
+	spin_lock(&state6.lock);
+	matched = handle_packet6(ip6h, tcph, psdinfo, proto, hash);
+	spin_unlock(&state6.lock);
+	return matched;
+}
+#endif
+
 static int psd_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_psd_info *info = par->matchinfo;
@@ -315,25 +547,53 @@ static int psd_mt_check(const struct xt_mtchk_param *par)
 	return 0;
 }
 
-static struct xt_match xt_psd_reg __read_mostly = {
-	.name       = "psd",
-	.family     = NFPROTO_IPV4,
-	.revision   = 1,
-	.checkentry = psd_mt_check,
-	.match      = xt_psd_match,
-	.matchsize  = sizeof(struct xt_psd_info),
-	.me         = THIS_MODULE,
+#ifdef WITH_IPV6
+static int psd_mt_check6(const struct xt_mtchk_param *par)
+{
+	if (!state6_alloc_mem())
+		return -ENOMEM;
+	return psd_mt_check(par);
+}
+#endif
+
+static struct xt_match xt_psd_reg[] __read_mostly = {
+	{
+		.name       = "psd",
+		.family     = NFPROTO_IPV4,
+		.revision   = 1,
+		.checkentry = psd_mt_check,
+		.match      = xt_psd_match,
+		.matchsize  = sizeof(struct xt_psd_info),
+		.me         = THIS_MODULE,
+#ifdef WITH_IPV6
+	}, {
+		.name       = "psd",
+		.family     = NFPROTO_IPV6,
+		.revision   = 1,
+		.checkentry = psd_mt_check6,
+		.match      = xt_psd_match6,
+		.matchsize  = sizeof(struct xt_psd_info),
+		.me         = THIS_MODULE,
+#endif
+	}
 };
 
 static int __init xt_psd_init(void)
 {
 	spin_lock_init(&(state.lock));
-	return xt_register_match(&xt_psd_reg);
+#ifdef WITH_IPV6
+	spin_lock_init(&(state6.lock));
+#endif
+	return xt_register_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
 }
 
 static void __exit xt_psd_exit(void)
 {
-        xt_unregister_match(&xt_psd_reg);
+        xt_unregister_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
+#ifdef WITH_IPV6
+	vfree(state6.list);
+	vfree(state6.hash);
+#endif
 }
 
 module_init(xt_psd_init);

extensions/xt_quota2.c

@@ -1,7 +1,7 @@
 /*
  * xt_quota2 - enhanced xt_quota that can count upwards and in packets
  * as a minimal accounting match.
- * by Jan Engelhardt <jengelh@medozas.de>, 2008
+ * by Jan Engelhardt , 2008
  *
  * Originally based on xt_quota.c:
  * 	Xtables module to enforce network quotas
@@ -128,9 +128,6 @@ q2_get_counter(const struct xt_quota_mtinfo2 *q)
 	if (p == NULL || IS_ERR(p))
 		goto out;
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
-	p->owner        = THIS_MODULE;
-#endif
 	p->data         = e;
 	p->read_proc    = quota_proc_read;
 	p->write_proc   = quota_proc_write;
@@ -250,27 +247,27 @@ static int __init quota_mt2_init(void)
 {
 	int ret;
 
-	proc_xt_quota = proc_mkdir("xt_quota", init_net__proc_net);
+	proc_xt_quota = proc_mkdir("xt_quota", init_net.proc_net);
 	if (proc_xt_quota == NULL)
 		return -EACCES;
 
 	ret = xt_register_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
 	if (ret < 0)
-		remove_proc_entry("xt_quota", init_net__proc_net);
+		remove_proc_entry("xt_quota", init_net.proc_net);
 	return ret;
 }
 
 static void __exit quota_mt2_exit(void)
 {
 	xt_unregister_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
-	remove_proc_entry("xt_quota", init_net__proc_net);
+	remove_proc_entry("xt_quota", init_net.proc_net);
 }
 
 module_init(quota_mt2_init);
 module_exit(quota_mt2_exit);
 MODULE_DESCRIPTION("Xtables: countdown quota match; up counter");
 MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_quota2");
 MODULE_ALIAS("ip6t_quota2");

geoip/xt_geoip_build

@@ -1,7 +1,7 @@
 #!/usr/bin/perl
 #
 #	Converter for MaxMind CSV database to binary, for xt_geoip
-#	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2008-2011
+#	Copyright © Jan Engelhardt, 2008-2011
 #
 use Getopt::Long;
 use IO::Handle;

include/linux/netfilter/nf_nat.h

@@ -22,4 +22,12 @@ struct nf_nat_ipv4_multi_range_compat {
 	struct nf_nat_ipv4_range	range[1];
 };
 
+struct nf_nat_range {
+	unsigned int			flags;
+	union nf_inet_addr		min_addr;
+	union nf_inet_addr		max_addr;
+	union nf_conntrack_man_proto	min_proto;
+	union nf_conntrack_man_proto	max_proto;
+};
+
 #endif /* _NETFILTER_NF_NAT_H */

mconfig

@@ -2,7 +2,6 @@
 #
 build_ACCOUNT=m
 build_CHAOS=m
-build_CHECKSUM=
 build_DELUDE=m
 build_DHCPMAC=m
 build_DNETMAP=m
@@ -13,12 +12,12 @@ build_RAWNAT=m
 build_STEAL=m
 build_SYSRQ=m
 build_TARPIT=m
-build_TEE=
 build_condition=m
 build_fuzzy=m
 build_geoip=m
 build_gradm=m
 build_iface=m
+build_ipaddr=m
 build_ipp2p=m
 build_ipv4options=m
 build_length2=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.44 (2012-07-15)" "" "v1.44 (2012-07-15)"
+.TH xtables-addons 8 "v2.1 (2012-11-27)" "" "v2.1 (2012-11-27)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets
@@ -6,8 +6,9 @@ Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Matches
 .\" @MATCHES@
 .SH "See also"
-\fBiptables\fP(8), \fBip6tables\fP(8), \fBiptaccount\fP(8)
+\fBiptables\fP(8), \fBip6tables\fP(8), \fBiptables-extensions\fP(8),
+\fBiptaccount\fP(8)
 .PP
 For developers, the book "Writing Netfilter modules" at
-http://jengelh.medozas.de/documents/Netfilter_Modules.pdf provides detailed
+http://inai.de/documents/Netfilter_Modules.pdf provides detailed
 information on how to write such modules/extensions.