doc: add xt_quota2 changelog items

Cherry-picked commit v2.4-1-gfb3e550.

.gitignore

@@ -1,3 +1,4 @@
+*.gcno
 *.la
 *.lo
 *.loT

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [1.47])
+AC_INIT([xtables-addons], [1.47.1])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])

doc/changelog.txt

@@ -1,10 +1,59 @@
 
 HEAD
 ====
+Changes
+- remove unmaintained RAWSNAT/RAWDNAT code
+Fixes:
+- xt_quota2: --no-change should not alter quota to zero ever
+- xt_quota2: --packet should not be set to zero based on skb->len
 
 
-v1.47 (2010-10-15)
-==================
+v2.3 (2013-06-18)
+=================
+Enhancements:
+- Support for Linux 3.10
+Fixes:
+- xt_DNETMAP, xt_condition, xt_quota2: resolve compile error when
+  CONFIG_UIDGID_STRICT_TYPE_CHECKS=y
+- xt_RAWNAT: ensure correct operation in the presence of IPv4 options
+- xt_geoip: do not throw a warnings when country database is size 0
+- xt_quota2: print "!" at the correct position during iptables-save
+Changes:
+- Make print (iptables -L) output the same as save (-S)
+
+
+v2.2 (2013-03-31)
+=================
+Enhancements:
+- Support for Linux 3.9
+- iptaccount: fix entire program being erroneously optimized away on PPC
+
+
+v2.1 (2012-11-27)
+=================
+Fixes:
+- DNETMAP: fix compile error with Linux 3.7
+Enhancements:
+- Support for Linux 3.8
+
+
+v2.0 (2012-11-12)
+=================
+Changes:
+- remove support for Linux 2.6.17–3.6
+- remove xt_TEE (this is available upstream since 2.6.35)
+- remove xt_CHECKSUM (this is available upstream since 2.6.36)
+Enhancements:
+- Support for Linux 3.7
+
+If you want to use Xtables-addons with kernels older than 3.7,
+use the addons 1.x series, which continues to be maintained for
+the time being.
+>>>>>>> fb3e550... doc: add xt_quota2 changelog items
+
+
+v1.47.1 (2010-10-15)
+====================
 Enhancements:
 - xt_psd gained IPv6 support
 Notes for this release:

extensions/Kbuild

@@ -16,12 +16,7 @@ obj-${build_ECHO}        += xt_ECHO.o
 endif
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
-obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o
-ifneq (${CONFIG_IP6_NF_IPTABLES},)
-obj-${build_RAWNAT}      += ip6table_rawpost.o
-endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o
-obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o
 obj-${build_TEE}         += xt_TEE.o
 obj-${build_condition}   += xt_condition.o

extensions/Mbuild

@@ -9,8 +9,6 @@ obj-${build_DNETMAP}     += libxt_DNETMAP.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
-obj-${build_RAWNAT}      += libxt_RAWDNAT.so libxt_RAWSNAT.so
-obj-${build_STEAL}       += libxt_STEAL.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
 obj-${build_TEE}         += libxt_TEE.so

extensions/compat_rawpost.h

@@ -1,87 +0,0 @@
-#ifndef XTA_COMPAT_RAWPOST_H
-#define XTA_COMPAT_RAWPOST_H 1
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
-typedef struct sk_buff sk_buff_t;
-#else
-typedef struct sk_buff *sk_buff_t;
-#endif
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
-#define XT_TARGET_INIT(__name, __size)					       \
-{									       \
-	.target.u.user = {						       \
-		.target_size	= XT_ALIGN(__size),			       \
-		.name		= __name,				       \
-	},								       \
-}
-
-#define IPT_ENTRY_INIT(__size)						       \
-{									       \
-	.target_offset	= sizeof(struct ipt_entry),			       \
-	.next_offset	= (__size),					       \
-}
-
-#define IPT_STANDARD_INIT(__verdict)					       \
-{									       \
-	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_standard)),	       \
-	.target		= XT_TARGET_INIT(IPT_STANDARD_TARGET,		       \
-					 sizeof(struct xt_standard_target)),   \
-	.target.verdict	= -(__verdict) - 1,				       \
-}
-
-#define IPT_ERROR_INIT							       \
-{									       \
-	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_error)),	       \
-	.target		= XT_TARGET_INIT(IPT_ERROR_TARGET,		       \
-					 sizeof(struct ipt_error_target)),     \
-	.target.errorname = "ERROR",					       \
-}
-
-#define IP6T_ENTRY_INIT(__size)						       \
-{									       \
-	.target_offset	= sizeof(struct ip6t_entry),			       \
-	.next_offset	= (__size),					       \
-}
-
-#define IP6T_STANDARD_INIT(__verdict)					       \
-{									       \
-	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
-	.target		= XT_TARGET_INIT(IP6T_STANDARD_TARGET,		       \
-					 sizeof(struct ip6t_standard_target)), \
-	.target.verdict	= -(__verdict) - 1,				       \
-}
-
-#define IP6T_ERROR_INIT							       \
-{									       \
-	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),	       \
-	.target		= XT_TARGET_INIT(IP6T_ERROR_TARGET,		       \
-					 sizeof(struct ip6t_error_target)),    \
-	.target.errorname = "ERROR",					       \
-}
-
-#endif /* 2.6.21 */
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
-#	include <linux/netfilter_ipv6/ip6_tables.h>
-/* Standard entry */
-struct ip6t_standard
-{
-	struct ip6t_entry entry;
-	struct ip6t_standard_target target;
-};
-
-struct ip6t_error_target
-{
-	struct ip6t_entry_target target;
-	char errorname[IP6T_FUNCTION_MAXNAMELEN];
-};
-
-struct ip6t_error
-{
-	struct ip6t_entry entry;
-	struct ip6t_error_target target;
-};
-#endif /* 2.6.20 */
-
-#endif /* XTA_COMPAT_RAWPOST_H */

extensions/compat_xtables.c

@@ -1,6 +1,6 @@
 /*
  *	API compat layer
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
+ *	written by Jan Engelhardt, 2008 - 2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License, either

extensions/ip6table_rawpost.c

@@ -1,107 +0,0 @@
-/*
- *	rawpost table for ip6_tables
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
- *	placed in the Public Domain
- */
-#include <linux/module.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <net/ip.h>
-#include "compat_xtables.h"
-#include "compat_rawpost.h"
-
-enum {
-	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
-};
-
-static struct {
-	struct ip6t_replace repl;
-	struct ip6t_standard entries[1];
-	struct ip6t_error term;
-} rawpost6_initial __initdata = {
-	.repl = {
-		.name        = "rawpost",
-		.valid_hooks = RAWPOST_VALID_HOOKS,
-		.num_entries = 2,
-		.size        = sizeof(struct ip6t_standard) +
-		               sizeof(struct ip6t_error),
-		.hook_entry  = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-		.underflow = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-	},
-	.entries = {
-		IP6T_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
-	},
-	.term = IP6T_ERROR_INIT,		/* ERROR */
-};
-
-static struct xt_table *rawpost6_ptable;
-
-static struct xt_table rawpost6_itable = {
-	.name        = "rawpost",
-	.af          = NFPROTO_IPV6,
-	.valid_hooks = RAWPOST_VALID_HOOKS,
-	.me          = THIS_MODULE,
-};
-
-static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
-    const struct net_device *in, const struct net_device *out,
-    int (*okfn)(struct sk_buff *))
-{
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
-#else
-	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable, NULL);
-#endif
-}
-
-static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
-	.hook     = rawpost6_hook_fn,
-	.pf       = NFPROTO_IPV6,
-	.hooknum  = NF_INET_POST_ROUTING,
-	.priority = NF_IP6_PRI_LAST,
-	.owner    = THIS_MODULE,
-};
-
-static int __init rawpost6_table_init(void)
-{
-	int ret;
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
-	rwlock_init(&rawpost6_itable.lock);
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
-	rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
-	                  &rawpost6_initial.repl);
-	if (IS_ERR(rawpost6_ptable))
-		return PTR_ERR(rawpost6_ptable);
-#else
-	ret = ip6t_register_table(&rawpost6_itable, &rawpost6_initial.repl);
-	if (ret < 0)
-		return ret;
-	rawpost6_ptable = &rawpost6_itable;
-#endif
-
-	ret = nf_register_hook(&rawpost6_hook_ops);
-	if (ret < 0)
-		goto out;
-
-	return ret;
-
- out:
-	ip6t_unregister_table(rawpost6_ptable);
-	return ret;
-}
-
-static void __exit rawpost6_table_exit(void)
-{
-	nf_unregister_hook(&rawpost6_hook_ops);
-	ip6t_unregister_table(rawpost6_ptable);
-}
-
-module_init(rawpost6_table_init);
-module_exit(rawpost6_table_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_LICENSE("GPL");

extensions/iptable_rawpost.c

@@ -1,109 +0,0 @@
-/*
- *	rawpost table for ip_tables
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
- *	placed in the Public Domain
- */
-#include <linux/module.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/version.h>
-#include <net/ip.h>
-#include "compat_xtables.h"
-#include "compat_rawpost.h"
-
-enum {
-	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
-};
-
-static struct {
-	struct ipt_replace repl;
-	struct ipt_standard entries[1];
-	struct ipt_error term;
-} rawpost4_initial __initdata = {
-	.repl = {
-		.name        = "rawpost",
-		.valid_hooks = RAWPOST_VALID_HOOKS,
-		.num_entries = 2,
-		.size        = sizeof(struct ipt_standard) +
-		               sizeof(struct ipt_error),
-		.hook_entry  = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-		.underflow = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-	},
-	.entries = {
-		IPT_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
-	},
-	.term = IPT_ERROR_INIT,			/* ERROR */
-};
-
-static struct xt_table *rawpost4_ptable;
-
-static struct xt_table rawpost4_itable = {
-	.name        = "rawpost",
-	.af          = NFPROTO_IPV4,
-	.valid_hooks = RAWPOST_VALID_HOOKS,
-	.me          = THIS_MODULE,
-};
-
-static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
-    const struct net_device *in, const struct net_device *out,
-    int (*okfn)(struct sk_buff *))
-{
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-	return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
-#else
-	return ipt_do_table(skb, hook, in, out, rawpost4_ptable, NULL);
-#endif
-}
-
-static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
-	.hook     = rawpost4_hook_fn,
-	.pf       = NFPROTO_IPV4,
-	.hooknum  = NF_INET_POST_ROUTING,
-	.priority = NF_IP_PRI_LAST,
-	.owner    = THIS_MODULE,
-};
-
-static int __init rawpost4_table_init(void)
-{
-	int ret;
-
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
-	rwlock_init(&rawpost4_itable.lock);
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
-	rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
-	                  &rawpost4_initial.repl);
-	if (IS_ERR(rawpost4_ptable))
-		return PTR_ERR(rawpost4_ptable);
-#else
-	ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
-	if (ret < 0)
-		return ret;
-	rawpost4_ptable = &rawpost4_itable;
-#endif
-
-	ret = nf_register_hook(&rawpost4_hook_ops);
-	if (ret < 0)
-		goto out;
-
-	return ret;
-
- out:
-	ipt_unregister_table(rawpost4_ptable);
-	return ret;
-}
-
-static void __exit rawpost4_table_exit(void)
-{
-	nf_unregister_hook(&rawpost4_hook_ops);
-	ipt_unregister_table(rawpost4_ptable);
-}
-
-module_init(rawpost4_table_init);
-module_exit(rawpost4_table_exit);
-MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_LICENSE("GPL");

extensions/libxt_CHAOS.c

@@ -1,6 +1,6 @@
 /*
  *	"CHAOS" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	Copyright © Jan Engelhardt, 2006 - 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_CHAOS.man

@@ -17,5 +17,5 @@ connections than they can.
 The randomness factor of not replying vs. replying can be set during load-time
 of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
-See http://jengelh.medozas.de/projects/chaostables/ for more information
+See http://inai.de/projects/chaostables/ for more information
 about CHAOS, DELUDE and lscan.

extensions/libxt_DELUDE.c

@@ -1,6 +1,6 @@
 /*
  *	"DELUDE" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	Copyright © Jan Engelhardt, 2006 - 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_DHCPMAC.c

@@ -1,6 +1,6 @@
 /*
  *	"DHCPMAC" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_ECHO.c

@@ -1,6 +1,6 @@
 /*
  *	"ECHO" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_IPMARK.c

@@ -1,7 +1,7 @@
 /*
  *	"IPMARK" target extension for iptables
  *	Copyright © Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>, 2003
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_LOGMARK.c

@@ -1,6 +1,6 @@
 /*
  *	"LOGMARK" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_RAWDNAT.c

@@ -1,189 +0,0 @@
-/*
- *	"RAWNAT" target extension for iptables
- *	Copyright © Jan Engelhardt, 2008 - 2009
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <netinet/in.h>
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-#include <xtables.h>
-#include <linux/netfilter.h>
-#include "xt_RAWNAT.h"
-#include "compat_user.h"
-
-enum {
-	FLAGS_TO = 1 << 0,
-};
-
-static const struct option rawdnat_tg_opts[] = {
-	{.name = "to-destination", .has_arg = true, .val = 't'},
-	{},
-};
-
-static void rawdnat_tg_help(void)
-{
-	printf(
-"RAWDNAT target options:\n"
-"    --to-destination addr[/mask]    Address or network to map to\n"
-);
-}
-
-static int
-rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 32;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
-				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-					"--to-destination", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ipaddr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-				"--to-destination", optarg);
-		memcpy(&info->addr.in, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static int
-rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in6_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 128;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
-				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-					"--to-destination", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ip6addr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-				"--to-destination", optarg);
-		memcpy(&info->addr.in6, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static void rawdnat_tg_check(unsigned int flags)
-{
-	if (!(flags & FLAGS_TO))
-		xtables_error(PARAMETER_PROBLEM, "RAWDNAT: "
-			"\"--to-destination\" is required.");
-}
-
-static void
-rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	if (!numeric && info->mask == 32)
-		printf(" to-destination %s ",
-		       xtables_ipaddr_to_anyname(&info->addr.in));
-	else
-		printf(" to-destination %s/%u ",
-		       xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
-}
-
-static void
-rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	if (!numeric && info->mask == 128)
-		printf(" to-destination %s ",
-		       xtables_ip6addr_to_anyname(&info->addr.in6));
-	else
-		printf(" to-destination %s/%u ",
-		       xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
-}
-
-static void
-rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf(" --to-destination %s/%u ",
-	       xtables_ipaddr_to_numeric(&info->addr.in),
-	       info->mask);
-}
-
-static void
-rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf(" --to-destination %s/%u ",
-	       xtables_ip6addr_to_numeric(&info->addr.in6),
-	       info->mask);
-}
-
-static struct xtables_target rawdnat_tg_reg[] = {
-	{
-		.version       = XTABLES_VERSION,
-		.name          = "RAWDNAT",
-		.revision      = 0,
-		.family        = NFPROTO_IPV4,
-		.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.help          = rawdnat_tg_help,
-		.parse         = rawdnat_tg4_parse,
-		.final_check   = rawdnat_tg_check,
-		.print         = rawdnat_tg4_print,
-		.save          = rawdnat_tg4_save,
-		.extra_opts    = rawdnat_tg_opts,
-	},
-	{
-		.version       = XTABLES_VERSION,
-		.name          = "RAWDNAT",
-		.revision      = 0,
-		.family        = NFPROTO_IPV6,
-		.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.help          = rawdnat_tg_help,
-		.parse         = rawdnat_tg6_parse,
-		.final_check   = rawdnat_tg_check,
-		.print         = rawdnat_tg6_print,
-		.save          = rawdnat_tg6_save,
-		.extra_opts    = rawdnat_tg_opts,
-	},
-};
-
-static void _init(void)
-{
-	xtables_register_targets(rawdnat_tg_reg,
-		sizeof(rawdnat_tg_reg) / sizeof(*rawdnat_tg_reg));
-}

extensions/libxt_RAWDNAT.man

@@ -1,10 +0,0 @@
-The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
-much like the \fBNETMAP\fR target.
-.TP
-\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
-Network address to map to. The resulting address will be constructed the
-following way: All 'one' bits in the \fImask\fR are filled in from the new
-\fIaddress\fR. All bits that are zero in the mask are filled in from the
-original address.
-.PP
-See the \fBRAWSNAT\fR help entry for examples and constraints.

extensions/libxt_RAWSNAT.c

@@ -1,189 +0,0 @@
-/*
- *	"RAWNAT" target extension for iptables
- *	Copyright © Jan Engelhardt, 2008 - 2009
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <netinet/in.h>
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-#include <xtables.h>
-#include <linux/netfilter.h>
-#include "xt_RAWNAT.h"
-#include "compat_user.h"
-
-enum {
-	FLAGS_TO = 1 << 0,
-};
-
-static const struct option rawsnat_tg_opts[] = {
-	{.name = "to-source", .has_arg = true, .val = 't'},
-	{},
-};
-
-static void rawsnat_tg_help(void)
-{
-	printf(
-"RAWSNAT target options:\n"
-"    --to-source addr[/mask]    Address or network to map to\n"
-);
-}
-
-static int
-rawsnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 32;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
-				xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
-					"--to-source", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ipaddr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
-				"--to-source", optarg);
-		memcpy(&info->addr.in, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static int
-rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in6_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 128;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
-				xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
-					"--to-source", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ip6addr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
-				"--to-source", optarg);
-		memcpy(&info->addr.in6, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static void rawsnat_tg_check(unsigned int flags)
-{
-	if (!(flags & FLAGS_TO))
-		xtables_error(PARAMETER_PROBLEM, "RAWSNAT: "
-			"\"--to-source\" is required.");
-}
-
-static void
-rawsnat_tg4_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	if (!numeric && info->mask == 32)
-		printf(" to-source %s ",
-		       xtables_ipaddr_to_anyname(&info->addr.in));
-	else
-		printf(" to-source %s/%u ",
-		       xtables_ipaddr_to_numeric(&info->addr.in), info->mask);
-}
-
-static void
-rawsnat_tg6_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	if (!numeric && info->mask == 128)
-		printf(" to-source %s ",
-		       xtables_ip6addr_to_anyname(&info->addr.in6));
-	else
-		printf(" to-source %s/%u ",
-		       xtables_ip6addr_to_numeric(&info->addr.in6), info->mask);
-}
-
-static void
-rawsnat_tg4_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf(" --to-source %s/%u ",
-	       xtables_ipaddr_to_numeric(&info->addr.in),
-	       info->mask);
-}
-
-static void
-rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf(" --to-source %s/%u ",
-	       xtables_ip6addr_to_numeric(&info->addr.in6),
-	       info->mask);
-}
-
-static struct xtables_target rawsnat_tg_reg[] = {
-	{
-		.version       = XTABLES_VERSION,
-		.name          = "RAWSNAT",
-		.revision      = 0,
-		.family        = NFPROTO_IPV4,
-		.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.help          = rawsnat_tg_help,
-		.parse         = rawsnat_tg4_parse,
-		.final_check   = rawsnat_tg_check,
-		.print         = rawsnat_tg4_print,
-		.save          = rawsnat_tg4_save,
-		.extra_opts    = rawsnat_tg_opts,
-	},
-	{
-		.version       = XTABLES_VERSION,
-		.name          = "RAWSNAT",
-		.revision      = 0,
-		.family        = NFPROTO_IPV6,
-		.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.help          = rawsnat_tg_help,
-		.parse         = rawsnat_tg6_parse,
-		.final_check   = rawsnat_tg_check,
-		.print         = rawsnat_tg6_print,
-		.save          = rawsnat_tg6_save,
-		.extra_opts    = rawsnat_tg_opts,
-	},
-};
-
-static void _init(void)
-{
-	xtables_register_targets(rawsnat_tg_reg,
-		sizeof(rawsnat_tg_reg) / sizeof(*rawsnat_tg_reg));
-}

extensions/libxt_RAWSNAT.man

@@ -1,38 +0,0 @@
-The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address
-translation.
-.PP
-The \fBRAWSNAT\fR target will rewrite the source address in the IP header, much
-like the \fBNETMAP\fP target. \fBRAWSNAT\fP (and \fBRAWDNAT\fP) may only be
-used in the \fBraw\fP or \fBrawpost\fP tables, but can be used in all chains,
-which makes it possible to change the source address either when the packet
-enters the machine or when it leaves it. The reason for this table constraint
-is that RAWNAT must happen outside of connection tracking.
-.TP
-\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
-Network address to map to. The resulting address will be constructed the
-following way: All 'one' bits in the \fImask\fR are filled in from the new
-\fIaddress\fR. All bits that are zero in the mask are filled in from the
-original address.
-.PP
-As an example, changing the destination for packets forwarded from an internal
-LAN to the internet:
-.IP
-\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250;
-\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135;
-.PP
-Note that changing addresses may influence the route selection! Specifically,
-it statically NATs packets, not connections, like the normal DNAT/SNAT targets
-would do. Also note that it can transform already-NATed connections \(em as
-said, it is completely external to Netfilter's connection tracking/NAT.
-.PP
-If the machine itself generates packets that are to be rawnat'ed, you need a
-rule in the OUTPUT chain instead, just like you would with the stateful NAT
-targets.
-.PP
-It may be necessary that in doing so, you also need an extra RAWSNAT rule, to
-override the automatic source address selection that the routing code does
-before passing packets to iptables. If the connecting socket has not been
-explicitly bound to an address, as is the common mode of operation, the address
-that will be chosen is the primary address of the device through which the
-packet would be routed with its initial destination address - the address as
-seen before any RAWNAT takes place.

extensions/libxt_STEAL.c

@@ -1,32 +0,0 @@
-#include <stdio.h>
-#include <xtables.h>
-#include "compat_user.h"
-
-static void steal_tg_help(void)
-{
-	printf("STEAL takes no options\n\n");
-}
-
-static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
-                          const void *entry, struct xt_entry_target **target)
-{
-	return 0;
-}
-
-static void steal_tg_check(unsigned int flags)
-{
-}
-
-static struct xtables_target steal_tg_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "STEAL",
-	.family        = NFPROTO_UNSPEC,
-	.help          = steal_tg_help,
-	.parse         = steal_tg_parse,
-	.final_check   = steal_tg_check,
-};
-
-static void _init(void)
-{
-	xtables_register_target(&steal_tg_reg);
-}

extensions/libxt_STEAL.man

@@ -1,2 +0,0 @@
-Like the DROP target, but does not throw an error like DROP when used in the
-\fBOUTPUT\fP chain.

extensions/libxt_condition.c

@@ -2,7 +2,7 @@
  *	"condition" match extension for iptables
  *	Stephane Ouellette <ouellettes [at] videotron ca>, 2002-10-22
  *	Massimiliano Hofer <max [at] nucleus it>, 2006-05-15
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or modify it
  *	under the terms of the GNU General Public License; either version 2

extensions/libxt_dhcpmac.c

@@ -1,6 +1,6 @@
 /*
  *	"dhcpmac" match extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_geoip.c

@@ -2,7 +2,7 @@
  *	"geoip" match extension for iptables
  *	Copyright © Samuel Jean <peejix [at] people netfilter org>, 2004 - 2008
  *	Copyright © Nicolas Bouliane <acidfu [at] people netfilter org>, 2004 - 2008
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
+ *	Jan Engelhardt, 2008-2011
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_ipp2p.c

@@ -1,7 +1,7 @@
 /*
  *	"ipp2p" match extension for iptables
  *	Eicke Friedrich/Klaus Degner <ipp2p@ipp2p.org>, 2005 - 2006
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	Jan Engelhardt, 2008 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_lscan.c

@@ -1,6 +1,6 @@
 /*
  *	LSCAN match extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
+ *	Copyright © Jan Engelhardt, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/libxt_quota2.c

@@ -1,7 +1,7 @@
 /*
  *	"quota2" match extension for iptables
  *	Sam Johnston <samj [at] samj net>
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/xt_CHAOS.c

@@ -1,6 +1,6 @@
 /*
  *	"CHAOS" target extension for Xtables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	Copyright © Jan Engelhardt, 2006 - 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -274,6 +274,6 @@ static void __exit chaos_tg_exit(void)
 module_init(chaos_tg_init);
 module_exit(chaos_tg_exit);
 MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_CHAOS");

extensions/xt_DELUDE.c

@@ -1,6 +1,6 @@
 /*
  *	"DELUDE" target extension for Xtables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
+ *	Copyright © Jan Engelhardt, 2007 - 2008
  *
  *	Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
  *	(C) 1999-2001 Paul `Rusty' Russell
@@ -177,6 +177,6 @@ static void __exit delude_tg_exit(void)
 module_init(delude_tg_init);
 module_exit(delude_tg_exit);
 MODULE_DESCRIPTION("Xtables: Close TCP connections after handshake");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_DELUDE");

extensions/xt_DHCPMAC.c

@@ -1,6 +1,6 @@
 /*
  *	"DHCPMAC" extensions for Xtables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Copyright © Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -167,7 +167,7 @@ static void __exit dhcpmac_exit(void)
 module_init(dhcpmac_init);
 module_exit(dhcpmac_exit);
 MODULE_DESCRIPTION("Xtables: Clamp DHCP MAC to packet MAC addresses");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_DHCPMAC");
 MODULE_ALIAS("ipt_dhcpmac");

extensions/xt_ECHO.c

@@ -1,7 +1,7 @@
 /*
  *	"ECHO" (RFC 862) target extension for Xtables
  *	Sample module for "Writing your own Netfilter Modules"
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
+ *	Copyright © Jan Engelhardt, 2008-2011
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -252,7 +252,7 @@ static void __exit echo_tg_exit(void)
 
 module_init(echo_tg_init);
 module_exit(echo_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Xtables: ECHO diagnosis target");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ip6t_ECHO");

extensions/xt_IPMARK.c

@@ -1,7 +1,7 @@
 /*
  *	"IPMARK" target extension for Xtables
  *	Copyright © Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>, 2003
- *	Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	Jan Engelhardt, 2008
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either

extensions/xt_LOGMARK.c

@@ -2,7 +2,7 @@
  *	"LOGMARK" target extension to Xtables
  *	useful for debugging
  *
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2010
+ *	Copyright © Jan Engelhardt, 2008-2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -141,7 +141,7 @@ static void __exit logmark_tg_exit(void)
 module_init(logmark_tg_init);
 module_exit(logmark_tg_exit);
 MODULE_DESCRIPTION("Xtables: netfilter mark logging to syslog");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_LOGMARK");
 MODULE_ALIAS("ip6t_LOGMARK");

extensions/xt_RAWNAT.c

@@ -1,358 +0,0 @@
-/*
- *	"RAWNAT" target extension for Xtables - untracked NAT
- *	Copyright © Jan Engelhardt, 2008 - 2009
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <linux/ip.h>
-#include <linux/ipv6.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/version.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter/nf_conntrack_common.h>
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <net/ip.h>
-#include <net/ipv6.h>
-#include "compat_xtables.h"
-#include "xt_RAWNAT.h"
-#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
-#	define WITH_IPV6 1
-#endif
-
-static inline __be32
-remask(__be32 addr, __be32 repl, unsigned int shift)
-{
-	uint32_t mask = (shift == 32) ? 0 : (~(uint32_t)0 >> shift);
-	return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
-}
-
-#ifdef WITH_IPV6
-static void
-rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
-{
-	switch (mask) {
-	case 0:
-		break;
-	case 1 ... 31:
-		addr[0] = remask(addr[0], repl[0], mask);
-		break;
-	case 32:
-		addr[0] = repl[0];
-		break;
-	case 33 ... 63:
-		addr[0] = repl[0];
-		addr[1] = remask(addr[1], repl[1], mask - 32);
-		break;
-	case 64:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		break;
-	case 65 ... 95:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		addr[2] = remask(addr[2], repl[2], mask - 64);
-	case 96:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		addr[2] = repl[2];
-		break;
-	case 97 ... 127:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		addr[2] = repl[2];
-		addr[3] = remask(addr[3], repl[3], mask - 96);
-		break;
-	case 128:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		addr[2] = repl[2];
-		addr[3] = repl[3];
-		break;
-	}
-}
-#endif
-
-static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
-{
-	struct iphdr *iph = ip_hdr(skb);
-	void *transport_hdr = (void *)iph + ip_hdrlen(skb);
-	struct tcphdr *tcph;
-	struct udphdr *udph;
-	bool cond;
-
-	switch (iph->protocol) {
-	case IPPROTO_TCP:
-		tcph = transport_hdr;
-		inet_proto_csum_replace4(&tcph->check, skb, oldip, newip, true);
-		break;
-	case IPPROTO_UDP:
-	case IPPROTO_UDPLITE:
-		udph = transport_hdr;
-		cond = udph->check != 0;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-		cond |= skb->ip_summed == CHECKSUM_PARTIAL;
-#endif
-		if (cond) {
-			inet_proto_csum_replace4(&udph->check, skb,
-				oldip, newip, true);
-			if (udph->check == 0)
-				udph->check = CSUM_MANGLED_0;
-		}
-		break;
-	}
-}
-
-static unsigned int rawnat4_writable_part(const struct iphdr *iph)
-{
-	unsigned int wlen = sizeof(*iph);
-
-	switch (iph->protocol) {
-	case IPPROTO_TCP:
-		wlen += sizeof(struct tcphdr);
-		break;
-	case IPPROTO_UDP:
-		wlen += sizeof(struct udphdr);
-		break;
-	}
-	return wlen;
-}
-
-static unsigned int
-rawsnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_rawnat_tginfo *info = par->targinfo;
-	struct iphdr *iph;
-	__be32 new_addr;
-
-	iph = ip_hdr(*pskb);
-	new_addr = remask(iph->saddr, info->addr.ip, info->mask);
-	if (iph->saddr == new_addr)
-		return XT_CONTINUE;
-
-	if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
-		return NF_DROP;
-
-	iph = ip_hdr(*pskb);
-	csum_replace4(&iph->check, iph->saddr, new_addr);
-	rawnat4_update_l4(*pskb, iph->saddr, new_addr);
-	iph->saddr = new_addr;
-	return XT_CONTINUE;
-}
-
-static unsigned int
-rawdnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_rawnat_tginfo *info = par->targinfo;
-	struct iphdr *iph;
-	__be32 new_addr;
-
-	iph = ip_hdr(*pskb);
-	new_addr = remask(iph->daddr, info->addr.ip, info->mask);
-	if (iph->daddr == new_addr)
-		return XT_CONTINUE;
-
-	if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
-		return NF_DROP;
-
-	iph = ip_hdr(*pskb);
-	csum_replace4(&iph->check, iph->daddr, new_addr);
-	rawnat4_update_l4(*pskb, iph->daddr, new_addr);
-	iph->daddr = new_addr;
-	return XT_CONTINUE;
-}
-
-#ifdef WITH_IPV6
-static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
-    unsigned int *l4proto)
-{
-	static const unsigned int types[] =
-		{IPPROTO_TCP, IPPROTO_UDP, IPPROTO_UDPLITE};
-	unsigned int i;
-	int err;
-
-	*l4proto = NEXTHDR_MAX;
-
-	for (i = 0; i < ARRAY_SIZE(types); ++i) {
-		err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL, NULL);
-		if (err >= 0) {
-			*l4proto = types[i];
-			break;
-		}
-		if (err != -ENOENT)
-			return false;
-	}
-
-	switch (*l4proto) {
-	case IPPROTO_TCP:
-		if (!skb_make_writable(pskb, *l4offset + sizeof(struct tcphdr)))
-			return false;
-		break;
-	case IPPROTO_UDP:
-	case IPPROTO_UDPLITE:
-		if (!skb_make_writable(pskb, *l4offset + sizeof(struct udphdr)))
-			return false;
-		break;
-	}
-
-	return true;
-}
-
-static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
-    unsigned int l4offset, const struct in6_addr *oldip,
-    const struct in6_addr *newip)
-{
-	const struct ipv6hdr *iph = ipv6_hdr(skb);
-	struct tcphdr *tcph;
-	struct udphdr *udph;
-	unsigned int i;
-	bool cond;
-
-	switch (l4proto) {
-	case IPPROTO_TCP:
-		tcph = (void *)iph + l4offset;
-		for (i = 0; i < 4; ++i)
-			inet_proto_csum_replace4(&tcph->check, skb,
-				oldip->s6_addr32[i], newip->s6_addr32[i], true);
-		break;
-	case IPPROTO_UDP:
-	case IPPROTO_UDPLITE:
-		udph = (void *)iph + l4offset;
-		cond = udph->check;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
-		cond |= skb->ip_summed == CHECKSUM_PARTIAL;
-#endif
-		if (cond) {
-			for (i = 0; i < 4; ++i)
-				inet_proto_csum_replace4(&udph->check, skb,
-					oldip->s6_addr32[i],
-					newip->s6_addr32[i], true);
-			if (udph->check == 0)
-				udph->check = CSUM_MANGLED_0;
-		}
-		break;
-	}
-}
-
-static unsigned int
-rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_rawnat_tginfo *info = par->targinfo;
-	unsigned int l4offset = 0, l4proto;
-	struct ipv6hdr *iph;
-	struct in6_addr new_addr;
-
-	iph = ipv6_hdr(*pskb);
-	memcpy(&new_addr, &iph->saddr, sizeof(new_addr));
-	rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
-	if (ipv6_addr_cmp(&iph->saddr, &new_addr) == 0)
-		return XT_CONTINUE;
-	if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
-		return NF_DROP;
-	iph = ipv6_hdr(*pskb);
-	rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->saddr, &new_addr);
-	memcpy(&iph->saddr, &new_addr, sizeof(new_addr));
-	return XT_CONTINUE;
-}
-
-static unsigned int
-rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_rawnat_tginfo *info = par->targinfo;
-	unsigned int l4offset = 0, l4proto;
-	struct ipv6hdr *iph;
-	struct in6_addr new_addr;
-
-	iph = ipv6_hdr(*pskb);
-	memcpy(&new_addr, &iph->daddr, sizeof(new_addr));
-	rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
-	if (ipv6_addr_cmp(&iph->daddr, &new_addr) == 0)
-		return XT_CONTINUE;
-	if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
-		return NF_DROP;
-	iph = ipv6_hdr(*pskb);
-	rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->daddr, &new_addr);
-	memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
-	return XT_CONTINUE;
-}
-#endif
-
-static int rawnat_tg_check(const struct xt_tgchk_param *par)
-{
-	if (strcmp(par->table, "raw") == 0 ||
-	    strcmp(par->table, "rawpost") == 0)
-		return 0;
-
-	printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or "
-	       "\"rawpost\" table.\n");
-	return -EINVAL;
-}
-
-static struct xt_target rawnat_tg_reg[] __read_mostly = {
-	{
-		.name       = "RAWSNAT",
-		.revision   = 0,
-		.family     = NFPROTO_IPV4,
-		.target     = rawsnat_tg4,
-		.targetsize = sizeof(struct xt_rawnat_tginfo),
-		.checkentry = rawnat_tg_check,
-		.me         = THIS_MODULE,
-	},
-#ifdef WITH_IPV6
-	{
-		.name       = "RAWSNAT",
-		.revision   = 0,
-		.family     = NFPROTO_IPV6,
-		.target     = rawsnat_tg6,
-		.targetsize = sizeof(struct xt_rawnat_tginfo),
-		.checkentry = rawnat_tg_check,
-		.me         = THIS_MODULE,
-	},
-#endif
-	{
-		.name       = "RAWDNAT",
-		.revision   = 0,
-		.family     = NFPROTO_IPV4,
-		.target     = rawdnat_tg4,
-		.targetsize = sizeof(struct xt_rawnat_tginfo),
-		.checkentry = rawnat_tg_check,
-		.me         = THIS_MODULE,
-	},
-#ifdef WITH_IPV6
-	{
-		.name       = "RAWDNAT",
-		.revision   = 0,
-		.family     = NFPROTO_IPV6,
-		.target     = rawdnat_tg6,
-		.targetsize = sizeof(struct xt_rawnat_tginfo),
-		.checkentry = rawnat_tg_check,
-		.me         = THIS_MODULE,
-	},
-#endif
-};
-
-static int __init rawnat_tg_init(void)
-{
-	return xt_register_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
-}
-
-static void __exit rawnat_tg_exit(void)
-{
-	xt_unregister_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
-}
-
-module_init(rawnat_tg_init);
-module_exit(rawnat_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: conntrack-less raw NAT");
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_RAWSNAT");
-MODULE_ALIAS("ipt_RAWDNAT");
-MODULE_ALIAS("ip6t_RAWSNAT");
-MODULE_ALIAS("ip6t_RAWDNAT");

extensions/xt_RAWNAT.h

@@ -1,9 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT
-#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1
-
-struct xt_rawnat_tginfo {
-	union nf_inet_addr addr;
-	__u8 mask;
-};
-
-#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */

extensions/xt_STEAL.c

@@ -1,67 +0,0 @@
-/*
- *	"STEAL" demo target extension for Xtables
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
- *	placed in the Public Domain
- */
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/skbuff.h>
-#include "compat_xtables.h"
-
-static unsigned int
-steal_tg(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	kfree_skb(*pskb);
-	return NF_STOLEN;
-}
-
-static struct xt_target steal_tg_reg[] __read_mostly = {
-	{
-		.name     = "STEAL",
-		.revision = 0,
-		.family   = NFPROTO_UNSPEC,
-		.target   = steal_tg,
-		.me       = THIS_MODULE,
-	},
-	{
-		.name     = "STEAL",
-		.revision = 0,
-		.family   = NFPROTO_IPV6,
-		.target   = steal_tg,
-		.me       = THIS_MODULE,
-	},
-	{
-		.name     = "STEAL",
-		.revision = 0,
-		.family   = NFPROTO_ARP,
-		.target   = steal_tg,
-		.me       = THIS_MODULE,
-	},
-	{
-		.name     = "STEAL",
-		.revision = 0,
-		.family   = NFPROTO_BRIDGE,
-		.target   = steal_tg,
-		.me       = THIS_MODULE,
-	},
-};
-
-static int __init steal_tg_init(void)
-{
-	return xt_register_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
-}
-
-static void __exit steal_tg_exit(void)
-{
-	xt_unregister_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
-}
-
-module_init(steal_tg_init);
-module_exit(steal_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_STEAL");
-MODULE_ALIAS("ip6t_STEAL");
-MODULE_ALIAS("arpt_STEAL");
-MODULE_ALIAS("ebt_STEAL");

extensions/xt_SYSRQ.c

@@ -1,6 +1,6 @@
 /*
  *	"SYSRQ" target extension for Xtables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
+ *	Copyright © Jan Engelhardt, 2008 - 2010
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
  *
@@ -386,7 +386,7 @@ static void __exit sysrq_tg_exit(void)
 module_init(sysrq_tg_init);
 module_exit(sysrq_tg_exit);
 MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_AUTHOR("John Haxby <john.haxby@oracle.com");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_SYSRQ");

extensions/xt_TARPIT.c

@@ -543,7 +543,7 @@ static void __exit tarpit_tg_exit(void)
 module_init(tarpit_tg_init);
 module_exit(tarpit_tg_exit);
 MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TARPIT");
 MODULE_ALIAS("ip6t_TARPIT");

extensions/xt_condition.c

@@ -35,7 +35,7 @@ static unsigned int condition_gid_perms = 0;
 
 MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
 MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Allows rules to match against condition variables");
 MODULE_LICENSE("GPL");
 module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);

extensions/xt_ipv4options.c

@@ -76,7 +76,7 @@ static void __exit ipv4options_mt_exit(void)
 }
 
 MODULE_DESCRIPTION("Xatblse: IPv4 option match");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_ipv4options");
 module_init(ipv4options_mt_init);

extensions/xt_length2.c

@@ -1,6 +1,6 @@
 /*
  *	xt_length - Xtables module to match packet length
- *	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2007 - 2009
+ *	Copyright © Jan Engelhardt , 2007 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -29,7 +29,7 @@
 #	define NEXTHDR_IPV4 4
 #endif
 
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_length2");

extensions/xt_lscan.c

@@ -264,7 +264,7 @@ static void __exit lscan_mt_exit(void)
 
 module_init(lscan_mt_init);
 module_exit(lscan_mt_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_lscan");

extensions/xt_psd.c

@@ -26,6 +26,7 @@
 #include <linux/types.h>
 #include <linux/tcp.h>
 #include <linux/spinlock.h>
+#include <linux/vmalloc.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <net/ip.h>

extensions/xt_quota2.c

@@ -1,7 +1,7 @@
 /*
  * xt_quota2 - enhanced xt_quota that can count upwards and in packets
  * as a minimal accounting match.
- * by Jan Engelhardt <jengelh@medozas.de>, 2008
+ * by Jan Engelhardt , 2008
  *
  * Originally based on xt_quota.c:
  * 	Xtables module to enforce network quotas
@@ -69,6 +69,8 @@ static int quota_proc_write(struct file *file, const char __user *input,
 	if (copy_from_user(buf, input, size) != 0)
 		return -EFAULT;
 	buf[sizeof(buf)-1] = '\0';
+	if (size < sizeof(buf))
+		buf[size] = '\0';
 
 	spin_lock_bh(&e->lock);
 	e->quota = simple_strtoull(buf, NULL, 0);
@@ -209,13 +211,14 @@ quota_mt2(const struct sk_buff *skb, struct xt_action_param *par)
 		}
 		ret = true;
 	} else {
-		if (e->quota >= skb->len) {
+		if (e->quota >= ((q->flags & XT_QUOTA_PACKET) ? 1 : skb->len)) {
 			if (!(q->flags & XT_QUOTA_NO_CHANGE))
 				e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
 			ret = !ret;
 		} else {
 			/* we do not allow even small packets from now on */
-			e->quota = 0;
+			if (!(q->flags & XT_QUOTA_NO_CHANGE))
+				e->quota = 0;
 		}
 		q->quota = e->quota;
 	}
@@ -270,7 +273,7 @@ module_init(quota_mt2_init);
 module_exit(quota_mt2_exit);
 MODULE_DESCRIPTION("Xtables: countdown quota match; up counter");
 MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("Jan Engelhardt ");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_quota2");
 MODULE_ALIAS("ip6t_quota2");

geoip/xt_geoip_build

@@ -1,7 +1,7 @@
 #!/usr/bin/perl
 #
 #	Converter for MaxMind CSV database to binary, for xt_geoip
-#	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2008-2011
+#	Copyright © Jan Engelhardt, 2008-2011
 #
 use Getopt::Long;
 use IO::Handle;

mconfig

@@ -9,8 +9,6 @@ build_DNETMAP=m
 build_ECHO=m
 build_IPMARK=m
 build_LOGMARK=m
-build_RAWNAT=m
-build_STEAL=m
 build_SYSRQ=m
 build_TARPIT=m
 build_TEE=

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.47 (2012-10-15)" "" "v1.47 (2012-10-15)"
+.TH xtables-addons 8 "v1.47.1 (2012-10-15)" "" "v1.47.1 (2012-10-15)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets
@@ -9,5 +9,5 @@ Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 \fBiptables\fP(8), \fBip6tables\fP(8), \fBiptaccount\fP(8)
 .PP
 For developers, the book "Writing Netfilter modules" at
-http://jengelh.medozas.de/documents/Netfilter_Modules.pdf provides detailed
+http://inai.de/documents/Netfilter_Modules.pdf provides detailed
 information on how to write such modules/extensions.