Xtables-addons 1.31

This patch adds a module which is useful to users of grsecurity's RBAC
system. It matches packets based on whether RBAC is enabled or
disabled.

See: http://grsecurity.net/

Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>

Jan Engelhardt> Also, I do not see a xt_gradm.c in this patch.

This [xt_gradm.c] is part of the grsecurity patch which not only adds
the Xtables code, but also the RBAC code. Without the entire RBAC
stuff, xt_gradm does not make sense and so it is included with the
grsecurity patch to the kernel, and not this patch to Xtables-addons.

>Can you elaborate a bit on how this is useful in conjunction with
>rulesets? I could imagine it be used with LSM selctx'es for example,
>or another extension that tests for other RBAC attributes.

The idea here is that when the RBAC rulesets are not being enforced,
the system is more vulnerable and the user wants stricter firewall
rules. When RBAC is being enforced, one can relax the firewall and
access to services which are now better protected. In practice this
usually means allowing only access to some trusted IP(s) on boot
before RBAC is turned on.

.gitignore

@@ -6,10 +6,15 @@
 .libs
 Makefile
 Makefile.in
-GNUmakefile
 
 /downloads
 
+/Makefile.iptrules
+/Makefile.mans
+/.*.lst
+/matches.man
+/targets.man
+
 /aclocal.m4
 /autom4te*.cache
 /compile

INSTALL

@@ -4,24 +4,29 @@ Installation instructions for Xtables-addons
 Xtables-addons uses the well-known configure(autotools) infrastructure
 in combination with the kernel's Kbuild system.
 
-	$ ./configure
+	$ ./configure --with-xtlibdir=SEE_BELOW
 	$ make
 	# make install
 
 
-Prerequirements
-===============
+Supported configurations for this release
+=========================================
 
-	* a recent iptables snapshot
-	  - from the "xtables" git repository at dev.medozas.de
-	    (minimum as per git-describe: v1.4.0-77)
-	  - or the subversion repository at netfilter.org (minimum: r7502)
-	  - or the xtables-combined tarball that is currently distributed
+	* iptables >= 1.4.3
 
-	* kernel-source >= 2.6.18.5 with prepared build/output directory
+	* kernel-source >= 2.6.17, no upper bound known
+	  with prepared build/output directory
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
 	    enabled =y or as module (=m)
+	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
+	    notifications from pknock through netlink/connector
+
+Extra notes:
+
+	* in the kernel 2.6.18.x series, >= 2.6.18.5 is required
+
+	* requires that no vendor backports interfere
 
 
 Selecting extensions
@@ -43,23 +48,17 @@ Configuring and compiling
 	/lib/modules/$(running version)/build, which usually points to
 	the right directory. (If not, you need to install something.)
 
---with-xtables=
+	For RPM building, it should be /usr/src/linux-obj/...
+	or whatever location the distro makes use of.
 
-	Specifies the path to the directory where we may find
-	xtables.h, should it not be within the standard C compiler
-	include path (/usr/include), or if you want to override it.
-	The directory will be checked for xtables.h and
-	include/xtables.h. (This is to support the following specs:)
-
-		--with-xtables=/usr/src/xtables
-		--with-xtables=/usr/src/xtables/include
-		--with-xtables=/opt/xtables/include
-
---with-libxtdir=
+--with-xtlibdir=
 
 	Specifies the path to where the newly built extensions should
 	be installed when `make install` is run. It uses the same
-	default as the Xtables package, ${libexecdir}/xtables.
+	default as the Xtables/iptables package, ${libexecdir}/xtables,
+	but you may need to specify this nevertheless, as autotools
+	defaults to using /usr/local as prefix, and distributions put
+	the files in differing locations.
 
 If you want to enable debugging, use
 
@@ -68,6 +67,33 @@ If you want to enable debugging, use
 (-O0 is used to turn off instruction reordering, which makes debugging
 much easier.)
 
+To make use of a libxtables that is not in the default path, either
+
+  a) append the location of the pkg-config files like:
+
+	PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+
+     (Assuming that files have been installed)
+or,
+
+  b) override the pkg-config variables, for example:
+
+	./configure libxtables_CFLAGS="-I../iptables/include" \
+		libxtables_LIBS="-L../iptables/.libs \
+			-Wl,-rpath,../iptables/.libs -lxtables"
+
+     (Use this in case you wish to use it without having to
+     run `make install`. This is because the libxtables.pc pkgconfig
+     file in ../iptables would already point to e.g. /usr/local.)
+
+
+Build-time options
+==================
+
+V= controls the verbosity of make commands.
+V=0	"silent" (output filename)
+V=1	"verbose" (entire gcc command line)
+
 
 Note to distribution packagers
 ==============================
@@ -76,4 +102,5 @@ Except for --with-kbuild, distributions should not have a need to
 supply any other flags (besides --prefix=/usr and perhaps
 --libdir=/usr/lib64, etc.) to configure when all prerequired packages
 are installed. If iptables-devel is installed, necessary headers should
-be in /usr/include, so --with-xtables is not needed.
+already be in /usr/include, so that overriding PKG_CONFIG_PATH,
+libxtables_CFLAGS and libxtables_LIBS variables should not be needed.

Makefile.am

@@ -1,23 +1,30 @@
 # -*- Makefile -*-
 
-AUTOMAKE_OPTIONS = foreign subdir-objects
-SUBDIRS          = extensions extensions/ipset
+ACLOCAL_AMFLAGS  = -I m4
+SUBDIRS          = extensions geoip
 
 man_MANS := xtables-addons.8
 
-xtables-addons.8: ${srcdir}/xtables-addons.8.in extensions/matches.man extensions/targets.man
-	${AM_VERBOSE_GEN} sed -e '/@MATCHES@/ r extensions/matches.man' -e '/@TARGET@/ r extensions/targets.man' $< >$@;
+.PHONY: FORCE
+FORCE:
 
-extensions/%:
-	${MAKE} ${AM_MAKEFLAGS} -C $(@D) $(@F)
+xtables-addons.8: FORCE
+	${MAKE} -f Makefile.mans all;
 
-install-exec-local:
+install-exec-hook:
 	depmod -a || :;
 
+config.status: Makefile.iptrules.in
+
+tmpdir := $(shell mktemp -dtu)
+packer  = xz
+packext = .tar.xz
+
 .PHONY: tarball
 tarball:
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
-	pushd ${top_srcdir} && git archive --prefix=xtables-addons-${PACKAGE_VERSION}/ HEAD | tar -C /tmp -x && popd;
-	pushd /tmp/xtables-addons-${PACKAGE_VERSION} && ./autogen.sh && popd;
-	tar -C /tmp -cjf xtables-addons-${PACKAGE_VERSION}.tar.bz2 --owner=root --group=root xtables-addons-${PACKAGE_VERSION}/;
-	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};
+# do not use mkdir_p here.
+	mkdir ${tmpdir}
+	pushd ${top_srcdir} && git archive --prefix=${PACKAGE_NAME}-${PACKAGE_VERSION}/ HEAD | tar -C ${tmpdir} -x && popd;
+	pushd ${tmpdir}/${PACKAGE_NAME}-${PACKAGE_VERSION} && ./autogen.sh && popd;
+	tar --use=${packer} -C ${tmpdir} -cf ${PACKAGE_NAME}-${PACKAGE_VERSION}${packext} --owner=root --group=root ${PACKAGE_NAME}-${PACKAGE_VERSION}/;
+	rm -Rf ${tmpdir};

Makefile.extra

@@ -0,0 +1,29 @@
+# -*- Makefile -*-
+# AUTOMAKE
+
+XA_SRCDIR = ${srcdir}
+XA_TOPSRCDIR = ${top_srcdir}
+XA_ABSTOPSRCDIR = ${abs_top_srcdir}
+export XA_SRCDIR
+export XA_TOPSRCDIR
+export XA_ABSTOPSRCDIR
+
+_mcall = -f ${top_builddir}/Makefile.iptrules
+
+all-local: user-all-local
+
+install-exec-local: user-install-local
+
+clean-local: user-clean-local
+
+user-all-local:
+	${MAKE} ${_mcall} all;
+
+# Have no user-install-data-local ATM
+user-install-local: user-install-exec-local
+
+user-install-exec-local:
+	${MAKE} ${_mcall} install;
+
+user-clean-local:
+	${MAKE} ${_mcall} clean;

Makefile.iptrules.in

@@ -0,0 +1,64 @@
+# -*- Makefile -*-
+# MANUAL
+
+abs_top_srcdir  = @abs_top_srcdir@
+
+prefix          = @prefix@
+exec_prefix     = @exec_prefix@
+libexecdir      = @libexecdir@
+xtlibdir        = @xtlibdir@
+
+CC              = @CC@
+CCLD            = ${CC}
+CFLAGS          = @CFLAGS@
+LDFLAGS         = @LDFLAGS@
+
+regular_CFLAGS  = @regular_CFLAGS@
+libxtables_CFLAGS = @libxtables_CFLAGS@
+libxtables_LIBS   = @libxtables_LIBS@
+AM_CFLAGS         = ${regular_CFLAGS} ${libxtables_CFLAGS} -I${abs_top_srcdir}/extensions
+AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
+
+AM_DEFAULT_VERBOSITY = 0
+am__v_CC_0           = @echo "  CC    " $@;
+am__v_CCLD_0         = @echo "  CCLD  " $@;
+am__v_GEN_0          = @echo "  GEN   " $@;
+am__v_SILENT_0       = @
+am__v_CC_            = ${am__v_CC_${AM_DEFAULT_VERBOSITY}}
+am__v_CCLD_          = ${am__v_CCLD_${AM_DEFAULT_VERBOSITY}}
+am__v_GEN_           = ${am__v_GEN_${AM_DEFAULT_VERBOSITY}}
+am__v_SILENT_        = ${am__v_SILENT_${AM_DEFAULT_VERBOSITY}}
+AM_V_CC              = ${am__v_CC_${V}}
+AM_V_CCLD            = ${am__v_CCLD_${V}}
+AM_V_GEN             = ${am__v_GEN_${V}}
+AM_V_silent          = ${am__v_GEN_${V}}
+
+include ${XA_TOPSRCDIR}/mconfig
+-include ${XA_TOPSRCDIR}/mconfig.*
+include ${XA_SRCDIR}/Mbuild
+-include ${XA_SRCDIR}/Mbuild.*
+
+targets := $(filter-out %/,${obj-m})
+subdirs_list := $(filter %/,${obj-m})
+
+.SECONDARY:
+
+.PHONY: all install clean
+
+all: ${targets}
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
+
+install: ${targets}
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	install -dm0755 "${DESTDIR}/${xtlibdir}";
+	@for i in $^; do install -pm0755 $$i "${DESTDIR}/${xtlibdir}"; done;
+
+clean:
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i $@; done;
+	rm -f *.oo *.so;
+
+lib%.so: lib%.oo
+	${AM_V_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< ${libxtables_LIBS} ${LDLIBS};
+
+%.oo: ${XA_SRCDIR}/%.c
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;

Makefile.mans.in

@@ -0,0 +1,40 @@
+# -*- Makefile -*-
+# MANUAL
+
+srcdir := @srcdir@
+
+wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z]*.man' | sort)
+wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z]*.man' | sort)
+wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
+wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
+
+.PHONY: FORCE
+
+FORCE:
+
+.manpages.lst: FORCE
+	@echo "${wlist_targets} ${wlist_matches}" >$@.tmp; \
+	cmp -s $@ $@.tmp || mv $@.tmp $@; \
+	rm -f $@.tmp;
+
+man_run = \
+	${AM_V_GEN}for ext in $(1); do \
+		name="$${ext%.man}"; \
+		name="$${name\#\#*/libxt_}"; \
+		if [ -f "$$ext" ]; then \
+			echo ".SS $$name"; \
+			cat "$$ext"; \
+			continue; \
+		fi; \
+	done >$@;
+
+all: xtables-addons.8
+
+xtables-addons.8: ${srcdir}/xtables-addons.8.in matches.man targets.man
+	${AM_V_GEN}sed -e '/@MATCHES@/ r matches.man' -e '/@TARGET@/ r targets.man' $< >$@;
+
+matches.man: .manpages.lst ${wcman_matches}
+	$(call man_run,${wlist_matches})
+
+targets.man: .manpages.lst ${wcman_targets}
+	$(call man_run,${wlist_targets})

configure.ac

@@ -1,66 +1,89 @@
 
-AC_INIT([xtables-addons], [1.5.7])
+AC_INIT([xtables-addons], [1.31])
 AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE
+AM_INIT_AUTOMAKE([1.10.2 -Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
 AC_PROG_LIBTOOL
 
-kbuilddir="/lib/modules/$(uname -r)/build";
 AC_ARG_WITH([kbuild],
 	AS_HELP_STRING([--with-kbuild=PATH],
 	[Path to kernel build directory [[/lib/modules/CURRENT/build]]]),
-	[kbuilddir="$withval"])
-AC_ARG_WITH([ksource],
-	AS_HELP_STRING([--with-ksource=PATH],
-	[Path to kernel source directory [[/lib/modules/CURRENT/source]]]),
-	[ksourcedir="$withval"])
-AC_ARG_WITH([xtables],
-	AS_HELP_STRING([--with-xtables=PATH],
-	[Path to the Xtables includes [[none]]]),
-	[xtables_location="$withval"])
+	[kbuilddir="$withval"],
+	[kbuilddir="/lib/modules/$(uname -r)/build"])
+#
+# check for --without-kbuild
+#
+if [[ "$kbuilddir" == no ]]; then
+	kbuilddir="";
+fi
+
+AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
+	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
+xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
+
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
-	[xtlibdir="$withval"],
-	[xtlibdir='${libexecdir}/xtables'])
-
-AC_MSG_CHECKING([xtables.h presence])
-if [[ -n "$xtables_location" ]]; then
-	if [[ -f "$xtables_location/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/xtables.h])
-		xtables_CFLAGS="-I $xtables_location";
-	elif [[ -f "$xtables_location/include/xtables.h" ]]; then
-		AC_MSG_RESULT([$xtables_location/include/xtables.h])
-		xtables_CFLAGS="-I $xtables_location/include";
-	fi;
-fi;
-if [[ -z "$xtables_CFLAGS" ]]; then
-	if [[ -f "$includedir/xtables.h" ]]; then
-		AC_MSG_RESULT([$includedir/xtables.h])
-	else
-		AC_MSG_RESULT([no])
-	fi;
-fi;
+	[Path where to install Xtables extensions [[autodetect]]]]),
+	[xtlibdir="$withval"])
+AC_MSG_CHECKING([Xtables module directory])
+AC_MSG_RESULT([$xtlibdir])
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
-	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\"";
-kinclude_CFLAGS="";
-if [[ -n "$kbuilddir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $kbuilddir/include";
+	-Winline -pipe -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" \
+	-I\${XA_TOPSRCDIR}/include";
+
+#
+# check kernel version
+#
+if grep -q "CentOS release 5\." /etc/redhat-release 2>/dev/null ||
+    grep -q "Red Hat Enterprise Linux Server release 5" /etc/redhat-release 2>/dev/null; then
+	# しまった!
+	# Well, just a warning. Maybe the admin updated the kernel.
+	echo "WARNING: This distribution's shipped kernel is not supported.";
 fi;
-if [[ -n "$ksourcedir" ]]; then
-	kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
+AC_MSG_CHECKING([kernel version that we will build against])
+krel="$(make -sC ${kbuilddir} kernelrelease)";
+krel="${krel%%-*}";
+kmajor="${krel%%.*}";
+krel="${krel#*.}";
+kminor="${krel%%.*}";
+krel="${krel#*.}";
+kmicro="${krel%%.*}";
+if test "$kmicro" = "$krel"; then
+	kmicro="$(($kmicro+0))"; # Get rid of non numbers ("2.6.36+" -> "2.6.36")
+	kstable=0;
+else
+	kmicro="$(($kmicro+0))";
+	kstable="${krel#*.}";
+	kstable="$(($kstable+0))";
+fi;
+if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
+	echo "WARNING: Version detection did not succeed. Continue at own luck.";
+else
+	echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+	if test "$kmajor" -gt 2 -o "$kminor" -gt 6 -o "$kmicro" -gt 36; then
+		echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
+	elif test \( "$kmajor" -lt 2 -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -lt 6 \) -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -eq 0 -a "$kmicro" -lt 17 \) -o \
+	    \( "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -eq 18 -a \
+	    "$kstable" -lt 5 \) \); then
+		echo "ERROR: That kernel version is not supported. Please see INSTALL for minimum configuration.";
+		exit 1;
+	fi;
 fi;
 
 AC_SUBST([regular_CFLAGS])
-AC_SUBST([xtables_CFLAGS])
-AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
-AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
-AC_OUTPUT([Makefile extensions/GNUmakefile extensions/ipset/GNUmakefile])
+AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans geoip/Makefile
+	extensions/Makefile extensions/ACCOUNT/Makefile
+	extensions/ipset/Makefile extensions/pknock/Makefile])
+AC_OUTPUT

doc/README.psd

@@ -0,0 +1,4 @@
+PSD (Portscan Detection) External extensions for Xtables-addons
+
+Example:
+iptables -A INPUT -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 1 --psd-hi-ports-weight 10 -j LOG --log-prefix "PSD: "

doc/api/2.6.17.c

@@ -0,0 +1,64 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int matchinfosize,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+		void *userdata,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int targinfosize,
+	);

doc/api/2.6.19.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	int
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		int *hotdrop,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.23.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.24.c

@@ -0,0 +1,59 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		const struct xt_match *match,
+		const void *matchinfo,
+		int offset,
+		unsigned int protoff,
+		bool *hotdrop,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *ip,
+		const struct xt_match *match,
+		void *matchinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_match *match,
+		void *matchinfo,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		unsigned int hooknum,
+		const struct xt_target *target,
+		const void *targinfo,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const char *tablename,
+		const void *entry,
+		const struct xt_target *target,
+		void *targinfo,
+		unsigned int hook_mask,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_target *target,
+		void *targinfo,
+	);

doc/api/2.6.28.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.31.c

@@ -0,0 +1,38 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.32.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		const struct xt_match_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_target_param *,
+	);
+
+	/* true/false */
+	bool
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/2.6.35.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff *skb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/api/xt-a.c

@@ -0,0 +1,39 @@
+match:
+
+	/* true/false */
+	bool
+	(*match)(
+		const struct sk_buff *skb,
+		struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_mtchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_mtdtor_param *,
+	);
+
+target:
+
+	/* verdict */
+	unsigned int
+	(*target)(
+		struct sk_buff **pskb,
+		const struct xt_action_param *,
+	);
+
+	/* error code */
+	int
+	(*checkentry)(
+		const struct xt_tgchk_param *,
+	);
+
+	void
+	(*destroy)(
+		const struct xt_tgdtor_param *,
+	);

doc/changelog.txt

@@ -0,0 +1,316 @@
+
+HEAD
+====
+
+
+v1.31 (November 05 2010)
+========================
+- LOGMARK: print remaining lifetime of cts
+- build: improve detection of kernel version and error handling
+- build: automatically derive Xtables module directory, thus
+  --with-xtlibdir is no longer needed for ./configure in most cases
+  (If I still see a distro using it, I will scold you for not
+  reading this changelog.)
+- xt_iface: allow matching against incoming/outgoing interface
+- libxt_gradm: match packets based on status of grsecurity RBAC
+  (userspace part only - xt_gradm is in the grsec patch)
+
+
+v1.30 (October 02 2010)
+=======================
+- update to ipset 4.4
+  * ipport{,ip,net}hash did not work with mixed "src" and "dst"
+    destination parameters
+- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
+  merged upstream in Linux 2.6.35 and 2.6.36, respectively.
+  Distros still wishing to build this need to enable it in their build
+  script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
+
+
+v1.29 (September 29 2010)
+=========================
+- compat_xtables: return bool for match_check and target_check in 2.6.23..34
+- ipset: enable building of ip_set_ipport{ip,net}hash.ko
+- support for Linux 2.6.36
+- SYSRQ: resolve compile error with Linux 2.6.36
+- TEE: resolve compile error with Linux 2.6.36
+- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
+  ("implicit declaration of function 'ALIGN'")
+
+
+Xtables-addons 1.28 (July 24 2010)
+==================================
+- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
+- new target xt_CHECKSUM
+- xt_length2: add support for IPv6 jumbograms
+- xt_geoip: fix possible out-of-bounds access
+- import xt_geoip database scripts
+
+
+Xtables-addons 1.27 (May 16 2010)
+=================================
+- further updates for the upcoming 2.6.35 changes
+
+
+Xtables-addons 1.26 (April 30 2010)
+===================================
+- compat_xtables: fix 2.6.34 compile error due to a typo
+
+
+Xtables-addons 1.25 (April 26 2010)
+===================================
+- TEE: do rechecksumming in PREROUTING too
+- TEE: decrease TTL on cloned packet
+- TEE: set dont-fragment on cloned packets
+- TEE: free skb when route lookup failed
+- TEE: do not limit use to mangle table
+- TEE: do not retain iif and mark on cloned packet
+- TEE: new loop detection logic
+- TEE: use less expensive pskb_copy
+- condition: remove unnecessary RCU protection
+
+
+Xtables-addons 1.24 (March 17 2010)
+===================================
+- build: fix build of userspace modules against old (pre-2.6.25)
+  headers from linux-glibc-devel (/usr/include/linux)
+- ipp2p: updated bittorent command recognition
+- SYSRQ: let module load when crypto is unavailable
+- SYSRQ: allow processing of UDP-Lite
+
+
+Xtables-addons 1.23 (February 24 2010)
+======================================
+- build: support for Linux 2.6.34
+- build: remove unused --with-ksource option
+- build: remove unneeded --with-xtables option
+- build: fix compilations in RAWNAT, SYSRQ and length2 when CONFIG_IPV6=n
+- ipset: update to 4.2
+- ECHO: fix compilation w.r.t. skb_dst
+
+
+Xtables-addons 1.22 (January 22 2010)
+=====================================
+- compat_xtables: support for 2.6.33 skb_iif changes
+- geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
+- ipset: enable build of ip_set_setlist.ko
+- quota2: add the --no-change mode
+
+
+Xtables-addons 1.21 (December 09 2009)
+======================================
+- ACCOUNT: avoid collision with arp_tables setsockopt numbers
+- doc: fix option mismatch --gw/--gateway in libxt_TEE.man
+
+
+Xtables-addons 1.20 (November 19 2009)
+======================================
+- ipp2p: add more boundary checks
+- ipp2p: fix Gnutelle line ending detection
+- LOGMARK: remove unknown options from manpage
+- ACCOUNT: endianess-correctness
+- ipset: install manpage
+- ipset: fast forward to v4.1
+
+
+Xtables-addons 1.19 (October 12 2009)
+=====================================
+- build: compile fixes for 2.6.31-rt
+- build: support for Linux 2.6.32
+- ipp2p: try to address underflows
+- psd: avoid potential crash when dealing with non-linear skbs
+- merge xt_ACCOUNT userspace utilities
+- added reworked xt_pknock module
+  Changes from pknock v0.5:
+  - pknock: "strict" and "checkip" flags were not displayed in `iptables -L`
+  - pknock: the GC expire time's lower bound is now the default gc time
+    (65000 msec) to avoid rendering anti-spoof protection in SPA mode useless
+  - pknock: avoid crash on memory allocation failure and fix memleak
+  - pknock: avoid fillup of peer table during DDoS
+  - pknock: automatic closing of ports
+  - pknock: make non-zero time mandatory for TCP mode
+  - pknock: display only pknock mode and state relevant information in procfs
+  - pknock: check interknock time only for !ST_ALLOWED peers
+  - pknock: preserve time/autoclose values for rules added in
+    reverse/arbitrary order
+  - pknock: add a manpage
+
+
+Xtables-addons 1.18 (September 09 2009)
+=======================================
+- build: support for Linux 2.6.31
+- ipset: fast forward to v3.2
+- quota2: support anonymous counters
+- quota2: reduce memory footprint for anonymous counters
+- quota2: extend locked period during cleanup (locking bugfix)
+- quota2: use strtoull instead of strtoul
+- merged xt_ACCOUNT module
+- merged xt_psd module
+
+
+Xtables-addons 1.17 (June 16 2009)
+==================================
+- IPMARK: print missing --shift parameter
+- build: use readlink -f in extensions/ipset/
+- build: support for Linux 2.6.30
+
+
+Xtables-addons 1.16 (May 27 2009)
+=================================
+- RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
+- ipset: fast forward to 3.0
+
+
+Xtables-addons 1.15 (April 30 2009)
+===================================
+- build: add kernel version check to configure
+- condition: compile fix for 2.6.30-rc
+- condition: fix intrapositional negation sign
+- fuzzy: fix bogus comparison logic leftover from move to new 1.4.3 API
+- ipp2p: fix bogus varargs call
+- ipp2p: fix typo in error message
+- added "iface" match
+- added rawpost table (for use with RAWNAT)
+- added RAWSNAT/RAWDNAT targets
+
+
+Xtables-addons 1.14 (March 31 2009)
+===================================
+- fuzzy: need to account for kernel-level modified variables in .userspacesize
+- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
+- SYSRQ: ignore non-UDP packets
+- SYSRQ: do proper L4 header access in IPv6 code
+  (must not use tcp/udp_hdr in input path)
+- add "STEAL" target
+- dhcpmac: rename from dhcpaddr
+
+
+Xtables-addons 1.13 (March 23 2009)
+===================================
+- added a reworked ipv4options match
+- upgrade to iptables 1.4.3 API
+
+
+Xtables-addons 1.12 (March 07 2009)
+===================================
+- ipset: fix for compilation with 2.6.29-rt
+- ipset: fast forward to 2.5.0
+- rename xt_portscan to xt_lscan ("low-level scan") because
+  "portscan" as a word caused confusion
+- xt_LOGMARK: print incoming interface index
+- revert "TEE: do not use TOS for routing"
+- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n
+- xt_TEE: enable routing by iif, nfmark and flowlabel
+
+
+Xtables-addons 1.10 (February 18 2009)
+======================================
+- compat: compile fixes for 2.6.29
+- ipset: upgrade to ipset 2.4.9
+
+
+Xtables-addons 1.9 (January 30 2009)
+====================================
+- add the xt_length2 extension
+- xt_TEE: remove intrapositional '!' support
+- ipset: upgrade to ipset 2.4.7
+
+
+Xtables-addons 1.8 (January 10 2009)
+====================================
+- xt_TEE: IPv6 support
+- xt_TEE: do not include TOS value in routing decision
+- xt_TEE: fix switch-case inversion for name/IP display
+- xt_ipp2p: update manpages and help text
+- xt_ipp2p: remove log flooding
+- xt_portscan: update manpage about --grscan option caveats
+
+
+Xtables-addons 1.7 (December 25 2008)
+=====================================
+- xt_ECHO: compile fix
+- avoid the use of "_init" which led to compile errors on some installations
+- build: do not unconditionally install ipset
+- doc: add manpages for xt_ECHO and xt_TEE
+- xt_ipp2p: kazaa detection code cleanup
+- xt_ipp2p: fix newline inspection in kazaa detection
+- xt_ipp2p: ensure better array bounds checking
+- xt_SYSRQ: improve security by hashing password
+
+
+Xtables-addons 1.6 (November 18 2008)
+=====================================
+- build: support for Linux 2.6.17
+- build: compile fixes for 2.6.18 and 2.6.19
+- xt_ECHO: resolve compile errors in xt_ECHO
+- xt_ipp2p: parenthesize unaligned-access macros
+
+
+Xtables-addons 1.5.7 (September 01 2008)
+========================================
+- API layer: fix use of uninitialized 'hotdrop' variable
+- API layer: move to pskb-based signatures
+- xt_SYSRQ: compile fixes for Linux <= 2.6.19
+- ipset: adjust semaphore.h include for Linux >= 2.6.27
+- build: automatically run `depmod -a` on installation
+- add reworked xt_fuzzy module
+- add DHCP address match and mangle module
+- xt_portscan: IPv6 support
+- xt_SYSRQ: add missing module aliases
+
+
+Xtables-addons 1.5.5 (August 03 2008)
+=====================================
+- manpage updates for xt_CHAOS, xt_IPMARK; README updates
+- build: properly recognize external Kbuild/Mbuild files
+- build: remove dependency on CONFIG_NETWORK_SECMARK
+- add the xt_SYSRQ target
+- add the xt_quota2 extension
+- import ipset extension group
+
+
+Xtables-addons 1.5.4.1 (April 26 2008)
+======================================
+- build: fix compile error for 2.6.18-stable
+
+
+Xtables-addons 1.5.4 (April 09 2008)
+====================================
+- build: support building multiple files with one config option
+- API layer: add check for pskb relocation
+- doc: generate manpages
+- xt_ECHO: catch skb_linearize out-of-memory condition
+- xt_LOGMARK: add hook= and ctdir= fields in dump
+- xt_LOGMARK: fix comma output in ctstatus= list
+- xt_TEE: fix address copying bug
+- xt_TEE: make skb writable before attempting checksum update
+- add reworked xt_condition match
+- add reworked xt_ipp2p match
+- add reworked xt_IPMARK target
+
+
+Xtables-addons 1.5.3 (March 22 2008)
+====================================
+- support for Linux 2.6.18
+- add xt_ECHO sample target
+- add reworked xt_geoip match
+
+
+Xtables-addons 1.5.2 (March 04 2008)
+====================================
+- build: support for GNU make < 3.81 which does not have $(realpath)
+
+
+Xtables-addons 1.5.1 (February 21 2008)
+=======================================
+- build: allow user to select what extensions to compile and install
+- build: allow external proejcts to be downloaded into the tree
+- xt_LOGMARK: dump classify mark, ctstate and ctstatus
+- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
+
+
+Xtables-addons 1.5.0 (February 11 2008)
+=======================================
+Initial release with:
+- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
+- support for Linux >= 2.6.19

extensions/.gitignore

@@ -3,11 +3,10 @@
 .tmp_versions
 *.ko
 *.mod.c
+Module.markers
 Module.symvers
+Modules.symvers
 modules.order
 
-/*.so
-/*.oo
-/matches.man
-/targets.man
-/.manpages.lst
+*.so
+*.oo

extensions/ACCOUNT/.gitignore

@@ -0,0 +1 @@
+/iptaccount

extensions/ACCOUNT/Kbuild

@@ -0,0 +1,5 @@
+# -*- Makefile -*-
+
+EXTRA_CFLAGS = -I${src}/..
+
+obj-m += xt_ACCOUNT.o

extensions/ACCOUNT/Makefile.am

@@ -0,0 +1,8 @@
+# -*- Makefile -*-
+
+include ../../Makefile.extra
+
+sbin_PROGRAMS = iptaccount
+iptaccount_LDADD = libxt_ACCOUNT_cl.la
+
+lib_LTLIBRARIES = libxt_ACCOUNT_cl.la

extensions/ACCOUNT/Mbuild

@@ -0,0 +1,3 @@
+# -*- Makefile -*-
+
+obj-${build_ACCOUNT}     += libxt_ACCOUNT.so

extensions/ACCOUNT/iptaccount.c

@@ -0,0 +1,224 @@
+/***************************************************************************
+ *   Copyright (C) 2004-2006 by Intra2net AG                               *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU Lesser General Public License           *
+ *   version 2.1 as published by the Free Software Foundation;             *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <getopt.h>
+#include <signal.h>
+
+#include <arpa/inet.h>
+#include <linux/types.h>
+#include <libxt_ACCOUNT_cl.h>
+
+bool exit_now;
+static void sig_term(int signr)
+{
+	signal(SIGINT, SIG_IGN);
+	signal(SIGQUIT, SIG_IGN);
+	signal(SIGTERM, SIG_IGN);
+
+	exit_now = true;
+}
+
+static char *addr_to_dotted(unsigned int addr)
+{
+	static char buf[16];
+	const unsigned char *bytep;
+
+	addr = htonl(addr);
+	bytep = (const unsigned char *)&addr;
+	snprintf(buf, sizeof(buf), "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
+	return buf;
+}
+
+static void show_usage(void)
+{
+	printf("Unknown command line option. Try: [-u] [-h] [-a] [-f] [-c] [-s] [-l name]\n");
+	printf("[-u] show kernel handle usage\n");
+	printf("[-h] free all kernel handles (experts only!)\n\n");
+	printf("[-a] list all table names\n");
+	printf("[-l name] show data in table <name>\n");
+	printf("[-f] flush data after showing\n");
+	printf("[-c] loop every second (abort with CTRL+C)\n");
+	printf("[-s] CSV output (for spreadsheet import)\n");
+	printf("\n");
+}
+
+int main(int argc, char *argv[])
+{
+	struct ipt_ACCOUNT_context ctx;
+	struct ipt_acc_handle_ip *entry;
+	int i;
+	char optchar;
+	bool doHandleUsage = false, doHandleFree = false, doTableNames = false;
+	bool doFlush = false, doContinue = false, doCSV = false;
+
+	char *table_name = NULL;
+	const char *name;
+
+	printf("\nlibxt_ACCOUNT_cl userspace accounting tool v%s\n\n",
+	LIBXT_ACCOUNT_VERSION);
+
+	if (argc == 1)
+	{
+		show_usage();
+		exit(0);
+	}
+
+	while ((optchar = getopt(argc, argv, "uhacfsl:")) != -1)
+	{
+		switch (optchar)
+		{
+		case 'u':
+			doHandleUsage = true;
+			break;
+		case 'h':
+			doHandleFree = true;
+			break;
+		case 'a':
+			doTableNames = true;
+			break;
+		case 'f':
+			doFlush = true;
+			break;
+		case 'c':
+			doContinue = true;
+			break;
+		case 's':
+			doCSV = true;
+			break;
+		case 'l':
+			table_name = strdup(optarg);
+			break;
+		case '?':
+		default:
+			show_usage();
+			exit(0);
+			break;
+		}
+	}
+
+	// install exit handler
+	if (signal(SIGTERM, sig_term) == SIG_ERR)
+	{
+		printf("can't install signal handler for SIGTERM\n");
+		exit(-1);
+	}
+	if (signal(SIGINT, sig_term) == SIG_ERR)
+	{
+		printf("can't install signal handler for SIGINT\n");
+		exit(-1);
+	}
+	if (signal(SIGQUIT, sig_term) == SIG_ERR)
+	{
+		printf("can't install signal handler for SIGQUIT\n");
+		exit(-1);
+	}
+
+	if (ipt_ACCOUNT_init(&ctx))
+	{
+		printf("Init failed: %s\n", ctx.error_str);
+		exit(-1);
+	}
+
+	// Get handle usage?
+	if (doHandleUsage)
+	{
+		int rtn = ipt_ACCOUNT_get_handle_usage(&ctx);
+		if (rtn < 0)
+		{
+			printf("get_handle_usage failed: %s\n", ctx.error_str);
+			exit(-1);
+		}
+
+		printf("Current kernel handle usage: %d\n", ctx.handle.itemcount);
+	}
+
+	if (doHandleFree)
+	{
+		int rtn = ipt_ACCOUNT_free_all_handles(&ctx);
+		if (rtn < 0)
+		{
+			printf("handle_free_all failed: %s\n", ctx.error_str);
+			exit(-1);
+		}
+
+		printf("Freed all handles in kernel space\n");
+	}
+
+	if (doTableNames)
+	{
+		int rtn = ipt_ACCOUNT_get_table_names(&ctx);
+		if (rtn < 0)
+		{
+			printf("get_table_names failed: %s\n", ctx.error_str);
+			exit(-1);
+		}
+		while ((name = ipt_ACCOUNT_get_next_name(&ctx)) != 0)
+			printf("Found table: %s\n", name);
+	}
+
+	if (table_name)
+	{
+		// Read out data
+		if (doCSV)
+			printf("IP;SRC packets;SRC bytes;DST packets;DST bytes\n");
+		else
+			printf("Showing table: %s\n", table_name);
+
+		i = 0;
+		while (!exit_now)
+		{
+			// Get entries from table test
+			if (ipt_ACCOUNT_read_entries(&ctx, table_name, !doFlush))
+			{
+				printf("Read failed: %s\n", ctx.error_str);
+				ipt_ACCOUNT_deinit(&ctx);
+				return EXIT_FAILURE;
+			}
+
+			if (!doCSV)
+				printf("Run #%d - %u %s found\n", i, ctx.handle.itemcount,
+				       ctx.handle.itemcount == 1 ? "item" : "items");
+
+			// Output and free entries
+			while ((entry = ipt_ACCOUNT_get_next_entry(&ctx)) != NULL)
+			{
+				if (doCSV)
+					printf("%s;%u;%u;%u;%u\n",
+					       addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
+					       entry->dst_packets, entry->dst_bytes);
+				else
+					printf("IP: %s SRC packets: %u bytes: %u DST packets: %u bytes: %u\n",
+					       addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
+					       entry->dst_packets, entry->dst_bytes);
+			}
+
+			if (doContinue)
+			{
+				sleep(1);
+				i++;
+			} else
+				exit_now = true;
+		}
+	}
+
+	printf("Finished.\n");
+	ipt_ACCOUNT_deinit(&ctx);
+	return EXIT_SUCCESS;
+}

extensions/ACCOUNT/libxt_ACCOUNT.c

@@ -0,0 +1,162 @@
+/* Shared library add-on to iptables to add ACCOUNT(ing) support.
+   Author: Intra2net AG <opensource@intra2net.com>
+*/
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <stddef.h>
+#include <xtables.h>
+#include "xt_ACCOUNT.h"
+#include "compat_user.h"
+
+static struct option account_tg_opts[] = {
+	{.name = "addr",  .has_arg = true, .val = 'a'},
+	{.name = "tname", .has_arg = true, .val = 't'},
+	{NULL},
+};
+
+/* Function which prints out usage message. */
+static void account_tg_help(void)
+{
+	printf(
+"ACCOUNT target options:\n"
+" --%s ip/netmask\t\tBase network IP and netmask used for this table\n"
+" --%s name\t\t\tTable name for the userspace library\n",
+account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+/* Initialize the target. */
+static void
+account_tg_init(struct xt_entry_target *t)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)t->data;
+
+	accountinfo->table_nr = -1;
+}
+
+#define IPT_ACCOUNT_OPT_ADDR 0x01
+#define IPT_ACCOUNT_OPT_TABLE 0x02
+
+/* Function which parses command options; returns true if it
+   ate an option */
+
+static int account_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+		const void *entry, struct xt_entry_target **target)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)(*target)->data;
+	struct in_addr *addrs = NULL, mask;
+	unsigned int naddrs = 0;
+
+	switch (c) {
+	case 'a':
+		if (*flags & IPT_ACCOUNT_OPT_ADDR)
+			xtables_error(PARAMETER_PROBLEM, "Can't specify --%s twice",
+				account_tg_opts[0].name);
+
+		xtables_ipparse_any(optarg, &addrs, &mask, &naddrs);
+		if (naddrs > 1)
+			xtables_error(PARAMETER_PROBLEM, "multiple IP addresses not allowed");
+
+		accountinfo->net_ip = addrs[0].s_addr;
+		accountinfo->net_mask = mask.s_addr;
+
+		*flags |= IPT_ACCOUNT_OPT_ADDR;
+		break;
+
+	case 't':
+		if (*flags & IPT_ACCOUNT_OPT_TABLE)
+			xtables_error(PARAMETER_PROBLEM,
+				"Can't specify --%s twice",
+				account_tg_opts[1].name);
+
+		if (strlen(optarg) > ACCOUNT_TABLE_NAME_LEN - 1)
+			xtables_error(PARAMETER_PROBLEM,
+				"Maximum table name length %u for --%s",
+				ACCOUNT_TABLE_NAME_LEN - 1,
+				account_tg_opts[1].name);
+
+		strcpy(accountinfo->table_name, optarg);
+		*flags |= IPT_ACCOUNT_OPT_TABLE;
+		break;
+
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void account_tg_check(unsigned int flags)
+{
+	if (!(flags & IPT_ACCOUNT_OPT_ADDR) || !(flags & IPT_ACCOUNT_OPT_TABLE))
+		xtables_error(PARAMETER_PROBLEM, "ACCOUNT: needs --%s and --%s",
+			account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+static void account_tg_print_it(const void *ip,
+		const struct xt_entry_target *target, bool do_prefix)
+{
+	const struct ipt_acc_info *accountinfo
+		= (const struct ipt_acc_info *)target->data;
+	struct in_addr a;
+
+	if (!do_prefix)
+		printf("ACCOUNT ");
+
+	// Network information
+	if (do_prefix)
+		printf("--");
+	printf("%s ", account_tg_opts[0].name);
+
+	a.s_addr = accountinfo->net_ip;
+	printf("%s", xtables_ipaddr_to_numeric(&a));
+	a.s_addr = accountinfo->net_mask;
+	printf("%s", xtables_ipmask_to_numeric(&a));
+
+	printf(" ");
+	if (do_prefix)
+		printf("--");
+
+	printf("%s %s", account_tg_opts[1].name, accountinfo->table_name);
+}
+
+
+static void
+account_tg_print(const void *ip,
+	const struct xt_entry_target *target,
+	int numeric)
+{
+	account_tg_print_it(ip, target, false);
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+account_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+	account_tg_print_it(ip, target, true);
+}
+
+static struct xtables_target account_tg_reg = {
+	.name          = "ACCOUNT",
+	.revision      = 1,
+	.family        = NFPROTO_IPV4,
+	.version       = XTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
+	.userspacesize = offsetof(struct ipt_acc_info, table_nr),
+	.help          = account_tg_help,
+	.init          = account_tg_init,
+	.parse         = account_tg_parse,
+	.final_check   = account_tg_check,
+	.print         = account_tg_print,
+	.save          = account_tg_save,
+	.extra_opts    = account_tg_opts,
+};
+
+static __attribute__((constructor)) void account_tg_ldr(void)
+{
+	xtables_register_target(&account_tg_reg);
+}

extensions/ACCOUNT/libxt_ACCOUNT.man

@@ -0,0 +1,72 @@
+The ACCOUNT target is a high performance accounting system for large
+local networks. It allows per-IP accounting in whole prefixes of IPv4
+addresses with size of up to /8 without the need to add individual
+accouting rule for each IP address.
+.PP
+The ACCOUNT is designed to be queried for data every second or at
+least every ten seconds. It is written as kernel module to handle high
+bandwidths without packet loss.
+.PP
+The largest possible subnet size is 24 bit, meaning for example 10.0.0.0/8
+network. ACCOUNT uses fixed internal data structures
+which speeds up the processing of each packet. Furthermore,
+accounting data for one complete 192.168.1.X/24 network takes 4 KB of
+memory. Memory for 16 or 24 bit networks is only allocated when
+needed.
+.PP
+To optimize the kernel<->userspace data transfer a bit more, the
+kernel module only transfers information about IPs, where the src/dst
+packet counter is not 0. This saves precious kernel time.
+.PP
+There is no /proc interface as it would be too slow for continuous access.
+The read-and-flush query operation is the fastest, as no internal data
+snapshot needs to be created&copied for all data. Use the "read"
+operation without flush only for debugging purposes!
+.PP
+Usage:
+.PP
+ACCOUNT takes two mandatory parameters:
+.TP
+\fB\-\-addr\fR \fInetwork\fP\fB/\fP\fInetmask\fR
+where \fInetwork\fP\fB/\fP\fInetmask\fP is the subnet to account for, in CIDR syntax
+.TP
+\fB\-\-tname\fP \fINAME\fP
+where \fINAME\fP is the name of the table where the accounting information
+should be stored
+.PP
+The subnet 0.0.0.0/0 is a special case: all data are then stored in the src_bytes
+and src_packets structure of slot "0". This is useful if you want
+to account the overall traffic to/from your internet provider.
+.PP
+The data can be queried using the userspace libxt_ACCOUNT_cl library,
+and by the reference implementation to show usage of this library,
+the \fBiptaccount\fP(8) tool, which features following options:
+.PP
+[\fB\-u\fP] show kernel handle usage
+.PP
+[\fB\-h\fP] free all kernel handles (experts only!)
+.PP
+[\fB\-a\fP] list all table names
+.PP
+[\fB\-l\fP \fIname\fP] show data in table \fIname\fP
+.PP
+[\fB\-f\fP] flush data after showing
+.PP
+[\fB\-c\fP] loop every second (abort with CTRL+C)
+.PP
+Here is an example of use:
+.PP
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing;
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales;
+.PP
+This creates two tables called "all_outgoing" and "sales" which can be
+queried using the userspace library/iptaccount tool.
+.PP
+Note that this target is non-terminating \(em the packet destined to it
+will continue traversing the chain in which it has been used.
+.PP
+Also note that once a table has been defined for specific CIDR address/netmask
+block, it can be referenced multiple times using \-j ACCOUNT, provided
+that both the original table name and address/netmask block are specified.
+.PP
+For more information go to http://www.intra2net.com/en/developer/ipt_ACCOUNT/

extensions/ACCOUNT/libxt_ACCOUNT_cl.c

@@ -0,0 +1,199 @@
+/***************************************************************************
+ *   Copyright (C) 2004 by Intra2net AG                                    *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU Lesser General Public License           *
+ *   version 2.1 as published by the Free Software Foundation;             *
+ *                                                                         *
+ ***************************************************************************/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <netinet/in.h>
+#include <linux/if.h>
+
+#include <libxt_ACCOUNT_cl.h>
+
+int ipt_ACCOUNT_init(struct ipt_ACCOUNT_context *ctx)
+{
+	memset(ctx, 0, sizeof(struct ipt_ACCOUNT_context));
+	ctx->handle.handle_nr = -1;
+
+	ctx->sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+	if (ctx->sockfd < 0) {
+		ctx->sockfd = -1;
+		ctx->error_str = "Can't open socket to kernel. "
+		                 "Permission denied or ipt_ACCOUNT module not loaded";
+		return -1;
+	}
+
+	// 4096 bytes default buffer should save us from reallocations
+	// as it fits 200 concurrent active clients
+	if ((ctx->data = malloc(IPT_ACCOUNT_MIN_BUFSIZE)) == NULL) {
+		close(ctx->sockfd);
+		ctx->sockfd = -1;
+		ctx->error_str = "Out of memory for data buffer";
+		return -1;
+	}
+	ctx->data_size = IPT_ACCOUNT_MIN_BUFSIZE;
+
+	return 0;
+}
+
+void ipt_ACCOUNT_free_entries(struct ipt_ACCOUNT_context *ctx)
+{
+	if (ctx->handle.handle_nr != -1) {
+		setsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_SET_ACCOUNT_HANDLE_FREE,
+		           &ctx->handle, sizeof(struct ipt_acc_handle_sockopt));
+		ctx->handle.handle_nr = -1;
+	}
+
+	ctx->handle.itemcount = 0;
+	ctx->pos = 0;
+}
+
+void ipt_ACCOUNT_deinit(struct ipt_ACCOUNT_context *ctx)
+{
+	free(ctx->data);
+	ctx->data = NULL;
+
+	ipt_ACCOUNT_free_entries(ctx);
+
+	close(ctx->sockfd);
+	ctx->sockfd = -1;
+}
+
+int ipt_ACCOUNT_read_entries(struct ipt_ACCOUNT_context *ctx,
+                             const char *table, char dont_flush)
+{
+	unsigned int s = sizeof(struct ipt_acc_handle_sockopt);
+	unsigned int new_size;
+	int rtn;
+
+	strncpy(ctx->handle.name, table, ACCOUNT_TABLE_NAME_LEN-1);
+
+	// Get table information
+	if (!dont_flush)
+		rtn = getsockopt(ctx->sockfd, IPPROTO_IP,
+		      IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH, &ctx->handle, &s);
+	else
+		rtn = getsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_GET_ACCOUNT_PREPARE_READ,
+		      &ctx->handle, &s);
+
+	if (rtn < 0) {
+		ctx->error_str = "Can't get table information from kernel. "
+		                 "Does it exist?";
+		return -1;
+	}
+
+	// Check data buffer size
+	ctx->pos = 0;
+	new_size = ctx->handle.itemcount * sizeof(struct ipt_acc_handle_ip);
+	// We want to prevent reallocations all the time
+	if (new_size < IPT_ACCOUNT_MIN_BUFSIZE)
+		new_size = IPT_ACCOUNT_MIN_BUFSIZE;
+
+	// Reallocate if it's too small or twice as big
+	if (ctx->data_size < new_size || ctx->data_size > new_size * 2) {
+		// Free old buffer
+		free(ctx->data);
+		ctx->data_size = 0;
+
+		if ((ctx->data = malloc(new_size)) == NULL) {
+			ctx->error_str = "Out of memory for data buffer";
+			ipt_ACCOUNT_free_entries(ctx);
+			return -1;
+		}
+
+		ctx->data_size = new_size;
+	}
+
+	// Copy data from kernel
+	memcpy(ctx->data, &ctx->handle, sizeof(struct ipt_acc_handle_sockopt));
+	rtn = getsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_GET_ACCOUNT_GET_DATA,
+	      ctx->data, &ctx->data_size);
+	if (rtn < 0) {
+		ctx->error_str = "Can't get data from kernel. "
+		                 "Check /var/log/messages for details.";
+		ipt_ACCOUNT_free_entries(ctx);
+		return -1;
+	}
+
+	// Free kernel handle but don't reset pos/itemcount
+	setsockopt(ctx->sockfd, IPPROTO_IP, IPT_SO_SET_ACCOUNT_HANDLE_FREE,
+	           &ctx->handle, sizeof(struct ipt_acc_handle_sockopt));
+	ctx->handle.handle_nr = -1;
+
+	return 0;
+}
+
+struct ipt_acc_handle_ip *ipt_ACCOUNT_get_next_entry(struct ipt_ACCOUNT_context *ctx)
+{
+	struct ipt_acc_handle_ip *rtn;
+
+	// Empty or no more items left to return?
+	if (!ctx->handle.itemcount || ctx->pos >= ctx->handle.itemcount)
+		return NULL;
+
+	// Get next entry
+	rtn = (struct ipt_acc_handle_ip *)(ctx->data + ctx->pos
+	      * sizeof(struct ipt_acc_handle_ip));
+	ctx->pos++;
+
+	return rtn;
+}
+
+int ipt_ACCOUNT_get_handle_usage(struct ipt_ACCOUNT_context *ctx)
+{
+	unsigned int s = sizeof(struct ipt_acc_handle_sockopt);
+	if (getsockopt(ctx->sockfd, IPPROTO_IP,
+	    IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE, &ctx->handle, &s) < 0) {
+		ctx->error_str = "Can't get handle usage information from kernel";
+		return -1;
+	}
+	ctx->handle.handle_nr = -1;
+
+	return ctx->handle.itemcount;
+ }
+
+int ipt_ACCOUNT_free_all_handles(struct ipt_ACCOUNT_context *ctx)
+{
+	if (setsockopt(ctx->sockfd, IPPROTO_IP,
+	    IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL, NULL, 0) < 0) {
+		ctx->error_str = "Can't free all kernel handles";
+		return -1;
+	}
+
+	return 0;
+}
+
+int ipt_ACCOUNT_get_table_names(struct ipt_ACCOUNT_context *ctx)
+{
+	int rtn = getsockopt(ctx->sockfd, IPPROTO_IP,
+	          IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES,
+	          ctx->data, &ctx->data_size);
+	if (rtn < 0) {
+		ctx->error_str = "Can't get table names from kernel. Out of memory, "
+		                 "MINBUFISZE too small?";
+		return -1;
+	}
+	ctx->pos = 0;
+	return 0;
+}
+
+const char *ipt_ACCOUNT_get_next_name(struct ipt_ACCOUNT_context *ctx)
+{
+	const char *rtn;
+	if (((char *)ctx->data)[ctx->pos] == 0)
+		return 0;
+
+	rtn = ctx->data + ctx->pos;
+	ctx->pos += strlen(ctx->data + ctx->pos) + 1;
+
+	return rtn;
+}

extensions/ACCOUNT/libxt_ACCOUNT_cl.h

@@ -0,0 +1,60 @@
+/***************************************************************************
+ *   Copyright (C) 2004 by Intra2net AG                                    *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU Lesser General Public License           *
+ *   version 2.1 as published by the Free Software Foundation;             *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifndef _xt_ACCOUNT_cl_H
+#define _xt_ACCOUNT_cl_H
+
+#include <xt_ACCOUNT.h>
+
+#define LIBXT_ACCOUNT_VERSION "1.3"
+
+/* Don't set this below the size of struct ipt_account_handle_sockopt */
+#define IPT_ACCOUNT_MIN_BUFSIZE 4096
+
+struct ipt_ACCOUNT_context
+{
+	int sockfd;
+	struct ipt_acc_handle_sockopt handle;
+
+	unsigned int data_size;
+	void *data;
+	unsigned int pos;
+
+	char *error_str;
+};
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int ipt_ACCOUNT_init(struct ipt_ACCOUNT_context *ctx);
+void ipt_ACCOUNT_deinit(struct ipt_ACCOUNT_context *ctx);
+
+void ipt_ACCOUNT_free_entries(struct ipt_ACCOUNT_context *ctx);
+int ipt_ACCOUNT_read_entries(struct ipt_ACCOUNT_context *ctx,
+                             const char *table, char dont_flush);
+struct ipt_acc_handle_ip *ipt_ACCOUNT_get_next_entry(
+                             struct ipt_ACCOUNT_context *ctx);
+
+/* ipt_ACCOUNT_free_entries is for internal use only function as this library
+is constructed to be used in a loop -> Don't allocate memory all the time.
+The data buffer is freed on deinit() */
+
+int ipt_ACCOUNT_get_handle_usage(struct ipt_ACCOUNT_context *ctx);
+int ipt_ACCOUNT_free_all_handles(struct ipt_ACCOUNT_context *ctx);
+int ipt_ACCOUNT_get_table_names(struct ipt_ACCOUNT_context *ctx);
+const char *ipt_ACCOUNT_get_next_name(struct ipt_ACCOUNT_context *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif

extensions/ACCOUNT/xt_ACCOUNT.Kconfig

@@ -0,0 +1,13 @@
+config NETFILTER_XT_TARGET_ACCOUNT
+	tristate "ACCOUNT target support"
+	depends on NETFILTER_XTABLES
+	---help---
+	This module implements an ACCOUNT target
+
+	The ACCOUNT target is a high performance accounting system for large
+	local networks. It allows per-IP accounting in whole prefixes of IPv4
+	addresses with size of up to /8 without the need to add individual
+	accouting rule for each IP address.
+
+	For more information go to:
+	http://www.intra2net.com/de/produkte/opensource/ipt_account/

extensions/ACCOUNT/xt_ACCOUNT.h

@@ -0,0 +1,69 @@
+/***************************************************************************
+ *   Copyright (C) 2004-2006 by Intra2net AG                               *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License                  *
+ *   version 2 as published by the Free Software Foundation;               *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifndef _IPT_ACCOUNT_H
+#define _IPT_ACCOUNT_H
+
+/*
+ * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
+ * library (libxt_ACCOUNT_cl). Hopefully we are unique at least within our
+ * kernel & xtables-addons space.
+ *
+ * Turned out often enough we are not.
+ * 64-67	used by ip_tables, ip6_tables
+ * 96-100	used by arp_tables
+ * 128-131	used by ebtables
+ */
+#define SO_ACCOUNT_BASE_CTL 70
+
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (SO_ACCOUNT_BASE_CTL + 1)
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (SO_ACCOUNT_BASE_CTL + 2)
+#define IPT_SO_SET_ACCOUNT_MAX		 IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
+
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ (SO_ACCOUNT_BASE_CTL + 4)
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (SO_ACCOUNT_BASE_CTL + 5)
+#define IPT_SO_GET_ACCOUNT_GET_DATA (SO_ACCOUNT_BASE_CTL + 6)
+#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (SO_ACCOUNT_BASE_CTL + 7)
+#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (SO_ACCOUNT_BASE_CTL + 8)
+#define IPT_SO_GET_ACCOUNT_MAX	  IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
+
+#define ACCOUNT_MAX_TABLES 128
+#define ACCOUNT_TABLE_NAME_LEN 32
+#define ACCOUNT_MAX_HANDLES 10
+
+/* Structure for the userspace part of ipt_ACCOUNT */
+struct ipt_acc_info {
+	__be32 net_ip;
+	__be32 net_mask;
+	char table_name[ACCOUNT_TABLE_NAME_LEN];
+	int32_t table_nr;
+};
+
+/* Handle structure for communication with the userspace library */
+struct ipt_acc_handle_sockopt {
+	uint32_t handle_nr;				   /* Used for HANDLE_FREE */
+	char name[ACCOUNT_TABLE_NAME_LEN];	 /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+	uint32_t itemcount;				   /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+};
+
+/*
+	Used for every IP when returning data
+*/
+struct ipt_acc_handle_ip {
+	__be32 ip;
+	uint32_t src_packets;
+	uint32_t src_bytes;
+	uint32_t dst_packets;
+	uint32_t dst_bytes;
+};
+
+#endif /* _IPT_ACCOUNT_H */

extensions/GNUmakefile.in

@@ -1,133 +0,0 @@
-# -*- Makefile -*-
-
-top_srcdir      := @top_srcdir@
-srcdir          := @srcdir@
-abstop_srcdir   := $(shell readlink -e ${top_srcdir})
-abssrcdir       := $(shell readlink -e ${srcdir})
-
-ifeq (${abstop_srcdir},)
-$(error Path resolution of ${top_srcdir} failed)
-endif
-ifeq (${abssrcdir},)
-$(error Path resolution of ${srcdir} failed)
-endif
-
-prefix          := @prefix@
-exec_prefix     := @exec_prefix@
-libdir          := @libdir@
-libexecdir      := @libexecdir@
-xtlibdir        := @xtlibdir@
-kbuilddir       := @kbuilddir@
-
-CC              := @CC@
-CCLD            := ${CC}
-CFLAGS          := @CFLAGS@
-LDFLAGS         := @LDFLAGS@
-regular_CFLAGS  := @regular_CFLAGS@
-kinclude_CFLAGS := @kinclude_CFLAGS@
-xtables_CFLAGS  := @xtables_CFLAGS@
-
-AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS}
-AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
-
-ifeq (${V},)
-AM_LIBTOOL_SILENT = --silent
-AM_VERBOSE_CC     = @echo "  CC      " $@;
-AM_VERBOSE_CCLD   = @echo "  CCLD    " $@;
-AM_VERBOSE_CXX    = @echo "  CXX     " $@;
-AM_VERBOSE_CXXLD  = @echo "  CXXLD   " $@;
-AM_VERBOSE_AR     = @echo "  AR      " $@;
-AM_VERBOSE_GEN    = @echo "  GEN     " $@;
-endif
-
-#
-#	Wildcard module list
-#
-include ${top_srcdir}/mconfig
--include ${top_srcdir}/mconfig.*
-include ${srcdir}/Mbuild
--include ${srcdir}/Mbuild.*
--include ${srcdir}/*.Mbuild
-
-
-#
-#	Building blocks
-#
-targets := ${obj-m}
-targets_install := ${obj-m}
-
-.SECONDARY:
-
-.PHONY: all install clean distclean FORCE
-
-all: modules user matches.man targets.man
-
-user: ${targets}
-
-install: modules_install ${targets_install}
-	@mkdir -p "${DESTDIR}${xtlibdir}";
-	install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/";
-
-clean: clean_modules
-	rm -f *.oo *.so;
-
-distclean: clean
-	rm -f .*.d .manpages.lst;
-
--include .*.d
-
-
-#
-#	Call out to kbuild
-#
-.PHONY: modules modules_install clean_modules
-
-modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules;
-
-modules_install:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install;
-
-clean_modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean;
-
-
-#
-#	Shared libraries
-#
-lib%.so: lib%.oo
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
-
-lib%.oo: ${srcdir}/lib%.c
-	${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-
-
-#
-#	Manpages
-#
-wcman_matches := $(wildcard ${srcdir}/libxt_[a-z]*.man)
-wcman_targets := $(wildcard ${srcdir}/libxt_[A-Z]*.man)
-wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches})
-wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
-
-.manpages.lst: FORCE
-	@echo "${wlist_targets} ${wlist_matches}" >$@.tmp; \
-	cmp -s $@ $@.tmp || mv $@.tmp $@; \
-	rm -f $@.tmp;
-
-man_run    = \
-	${AM_VERBOSE_GEN} \
-	for ext in $(1); do \
-		f="${srcdir}/libxt_$$ext.man"; \
-		if [ -f "$$f" ]; then \
-			echo ".SS $$ext"; \
-			cat "$$f"; \
-			continue; \
-		fi; \
-	done >$@;
-
-matches.man: .manpages.lst ${wcman_matches}
-	$(call man_run,${wlist_matches})
-
-targets.man: .manpages.lst ${wcman_targets}
-	$(call man_run,${wlist_targets})

extensions/Kbuild

@@ -1,25 +1,37 @@
 # -*- Makefile -*-
 
-include ${XA_TOPSRCDIR}/mconfig
--include ${XA_TOPSRCDIR}/mconfig.*
+include ${XA_ABSTOPSRCDIR}/mconfig
+-include ${XA_ABSTOPSRCDIR}/mconfig.*
 
 obj-m                    += compat_xtables.o
 
+obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += xt_CHAOS.o
+obj-${build_CHECKSUM}    += xt_CHECKSUM.o
 obj-${build_DELUDE}      += xt_DELUDE.o
-obj-${build_DHCPADDR}    += xt_DHCPADDR.o
+obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
+obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o
+ifneq (${CONFIG_IPV6},)
+obj-${build_RAWNAT}      += ip6table_rawpost.o
+endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o
+obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o
 obj-${build_TEE}         += xt_TEE.o
 obj-${build_condition}   += xt_condition.o
 obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
+obj-${build_iface}       += xt_iface.o
 obj-${build_ipp2p}       += xt_ipp2p.o
 obj-${build_ipset}       += ipset/
-obj-${build_portscan}    += xt_portscan.o
+obj-${build_ipv4options} += xt_ipv4options.o
+obj-${build_length2}     += xt_length2.o
+obj-${build_lscan}       += xt_lscan.o
+obj-${build_pknock}      += pknock/
+obj-${build_psd}         += xt_psd.o
 obj-${build_quota2}      += xt_quota2.o
 
 -include ${M}/*.Kbuild

extensions/Makefile.am

@@ -0,0 +1,26 @@
+# -*- Makefile -*-
+# AUTOMAKE
+
+# Not having Kbuild in Makefile.extra because it will already recurse
+.PHONY: modules modules_install clean_modules
+
+_kcall = -C ${kbuilddir} M=${abs_srcdir}
+
+modules:
+	@echo -n "Xtables-addons ${PACKAGE_VERSION} - Linux "
+	@if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} --no-print-directory -s kernelrelease; fi;
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} modules; fi;
+
+modules_install:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} INSTALL_MOD_PATH=${DESTDIR} ext-mod-dir='$${INSTALL_MOD_DIR}' modules_install; fi;
+
+clean_modules:
+	${AM_V_silent}if [ -n "${kbuilddir}" ]; then ${MAKE} ${_kcall} clean; fi;
+
+all-local: modules
+
+install-exec-local: modules_install
+
+clean-local: clean_modules
+
+include ../Makefile.extra

extensions/Mbuild

@@ -1,15 +1,28 @@
+# -*- Makefile -*-
+
+obj-${build_ACCOUNT}     += ACCOUNT/
 obj-${build_CHAOS}       += libxt_CHAOS.so
+obj-${build_CHECKSUM}    += libxt_CHECKSUM.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
-obj-${build_DHCPADDR}    += libxt_DHCPADDR.so libxt_dhcpaddr.so
+obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
+obj-${build_RAWNAT}      += libxt_RAWDNAT.so libxt_RAWSNAT.so
+obj-${build_STEAL}       += libxt_STEAL.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
 obj-${build_TEE}         += libxt_TEE.so
 obj-${build_condition}   += libxt_condition.so
 obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
+obj-${build_iface}       += libxt_iface.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
-obj-${build_portscan}    += libxt_portscan.so
+obj-${build_ipset}       += ipset/
+obj-${build_ipv4options} += libxt_ipv4options.so
+obj-${build_length2}     += libxt_length2.so
+obj-${build_lscan}       += libxt_lscan.so
+obj-${build_pknock}      += pknock/
+obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so
+obj-${build_gradm}       += libxt_gradm.so

extensions/compat_rawpost.h

@@ -0,0 +1,87 @@
+#ifndef XTA_COMPAT_RAWPOST_H
+#define XTA_COMPAT_RAWPOST_H 1
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
+typedef struct sk_buff sk_buff_t;
+#else
+typedef struct sk_buff *sk_buff_t;
+#endif
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
+#define XT_TARGET_INIT(__name, __size)					       \
+{									       \
+	.target.u.user = {						       \
+		.target_size	= XT_ALIGN(__size),			       \
+		.name		= __name,				       \
+	},								       \
+}
+
+#define IPT_ENTRY_INIT(__size)						       \
+{									       \
+	.target_offset	= sizeof(struct ipt_entry),			       \
+	.next_offset	= (__size),					       \
+}
+
+#define IPT_STANDARD_INIT(__verdict)					       \
+{									       \
+	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_standard)),	       \
+	.target		= XT_TARGET_INIT(IPT_STANDARD_TARGET,		       \
+					 sizeof(struct xt_standard_target)),   \
+	.target.verdict	= -(__verdict) - 1,				       \
+}
+
+#define IPT_ERROR_INIT							       \
+{									       \
+	.entry		= IPT_ENTRY_INIT(sizeof(struct ipt_error)),	       \
+	.target		= XT_TARGET_INIT(IPT_ERROR_TARGET,		       \
+					 sizeof(struct ipt_error_target)),     \
+	.target.errorname = "ERROR",					       \
+}
+
+#define IP6T_ENTRY_INIT(__size)						       \
+{									       \
+	.target_offset	= sizeof(struct ip6t_entry),			       \
+	.next_offset	= (__size),					       \
+}
+
+#define IP6T_STANDARD_INIT(__verdict)					       \
+{									       \
+	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
+	.target		= XT_TARGET_INIT(IP6T_STANDARD_TARGET,		       \
+					 sizeof(struct ip6t_standard_target)), \
+	.target.verdict	= -(__verdict) - 1,				       \
+}
+
+#define IP6T_ERROR_INIT							       \
+{									       \
+	.entry		= IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),	       \
+	.target		= XT_TARGET_INIT(IP6T_ERROR_TARGET,		       \
+					 sizeof(struct ip6t_error_target)),    \
+	.target.errorname = "ERROR",					       \
+}
+
+#endif /* 2.6.21 */
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
+#	include <linux/netfilter_ipv6/ip6_tables.h>
+/* Standard entry */
+struct ip6t_standard
+{
+	struct ip6t_entry entry;
+	struct ip6t_standard_target target;
+};
+
+struct ip6t_error_target
+{
+	struct ip6t_entry_target target;
+	char errorname[IP6T_FUNCTION_MAXNAMELEN];
+};
+
+struct ip6t_error
+{
+	struct ip6t_entry entry;
+	struct ip6t_error_target target;
+};
+#endif /* 2.6.20 */
+
+#endif /* XTA_COMPAT_RAWPOST_H */

extensions/compat_skbuff.h

@@ -4,9 +4,32 @@
 struct tcphdr;
 struct udphdr;
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 30)
+static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
+{
+	skb->dst = dst;
+}
+
+static inline struct dst_entry *skb_dst(const struct sk_buff *skb)
+{
+	return skb->dst;
+}
+
+static inline struct rtable *skb_rtable(const struct sk_buff *skb)
+{
+	return (void *)skb->dst;
+}
+#endif
+
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+#	define skb_ifindex(skb) \
+		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
+#	define skb_ifindex(skb) (skb)->iif
+#	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #else
+#	define skb_ifindex(skb) (skb)->skb_iif
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #endif
 

extensions/compat_user.h

@@ -0,0 +1,12 @@
+/*
+ *	Userspace-level compat hacks
+ */
+#ifndef _XTABLES_COMPAT_USER_H
+#define _XTABLES_COMPAT_USER_H 1
+
+/* linux-glibc-devel 2.6.34 header screwup */
+#ifndef ALIGN
+#	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
+#endif
+
+#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -1,6 +1,6 @@
 /*
  *	API compat layer
- *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License, either
@@ -25,18 +25,58 @@ static int xtnu_match_run(const struct sk_buff *skb,
     const struct net_device *in, const struct net_device *out,
     const struct xt_match *cm, const void *matchinfo, int offset,
     unsigned int protoff, int *hotdrop)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+static bool xtnu_match_run(const struct sk_buff *skb,
+    const struct net_device *in, const struct net_device *out,
+    const struct xt_match *cm, const void *matchinfo, int offset,
+    unsigned int protoff, bool *hotdrop)
+#endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);
-	bool lo_drop = false, lo_ret;
+	bool lo_ret;
+	struct xt_action_param local_par;
+	local_par.in        = in;
+	local_par.out       = out;
+	local_par.match     = cm;
+	local_par.matchinfo = matchinfo;
+	local_par.fragoff   = offset;
+	local_par.thoff     = protoff;
+	local_par.hotdrop   = false;
+	local_par.family    = NFPROTO_UNSPEC; /* don't have that info */
 
 	if (nm == NULL || nm->match == NULL)
 		return false;
-	lo_ret = nm->match(skb, in, out, nm, matchinfo,
-	         offset, protoff, &lo_drop);
-	*hotdrop = lo_drop;
+	lo_ret = nm->match(skb, &local_par);
+	*hotdrop = local_par.hotdrop;
 	return lo_ret;
 }
 #endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_match_run(const struct sk_buff *skb,
+    const struct xt_match_param *par)
+{
+	struct xtnu_match *nm = xtcompat_numatch(par->match);
+	struct xt_action_param local_par;
+	bool ret;
+
+	local_par.in        = par->in;
+	local_par.out       = par->out;
+	local_par.match     = par->match;
+	local_par.matchinfo = par->matchinfo;
+	local_par.fragoff   = par->fragoff;
+	local_par.thoff     = par->thoff;
+	local_par.hotdrop   = false;
+	local_par.family    = par->family;
+
+	if (nm == NULL || nm->match == NULL)
+		return false;
+	ret = nm->match(skb, &local_par);
+	*par->hotdrop = local_par.hotdrop;
+	return ret;
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_match_check(const char *table, const void *entry,
@@ -45,35 +85,68 @@ static int xtnu_match_check(const char *table, const void *entry,
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 static int xtnu_match_check(const char *table, const void *entry,
     const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+static bool xtnu_match_check(const char *table, const void *entry,
+    const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
 #endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);
+	struct xt_mtchk_param local_par = {
+		.table     = table,
+		.entryinfo = entry,
+		.match     = cm,
+		.matchinfo = matchinfo,
+		.hook_mask = hook_mask,
+		.family    = NFPROTO_UNSPEC,
+	};
 
 	if (nm == NULL)
 		return false;
 	if (nm->checkentry == NULL)
 		return true;
-	return nm->checkentry(table, entry, nm, matchinfo, hook_mask);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
+	return nm->checkentry(&local_par);
+#else
+	return nm->checkentry(&local_par) == 0;
+#endif
+}
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_match_check(const struct xt_mtchk_param *par)
+{
+	struct xtnu_match *nm = xtcompat_numatch(par->match);
+
+	if (nm == NULL)
+		return false;
+	if (nm->checkentry == NULL)
+		return true;
+	return nm->checkentry(par) == 0;
 }
 #endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo,
     unsigned int matchinfosize)
-#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
 #endif
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);
+	struct xt_mtdtor_param local_par = {
+		.match     = cm,
+		.matchinfo = matchinfo,
+		.family    = NFPROTO_UNSPEC,
+	};
 
 	if (nm != NULL && nm->destroy != NULL)
-		nm->destroy(nm, matchinfo);
+		nm->destroy(&local_par);
 }
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 int xtnu_register_match(struct xtnu_match *nt)
 {
 	struct xt_match *ct;
@@ -95,9 +168,19 @@ int xtnu_register_match(struct xtnu_match *nt)
 	ct->table      = (char *)nt->table;
 	ct->hooks      = nt->hooks;
 	ct->proto      = nt->proto;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ct->match      = xtnu_match_run;
 	ct->checkentry = xtnu_match_check;
 	ct->destroy    = xtnu_match_destroy;
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	ct->match      = xtnu_match_run;
+	ct->checkentry = xtnu_match_check;
+	ct->destroy    = nt->destroy;
+#else
+	ct->match      = nt->match;
+	ct->checkentry = xtnu_match_check;
+	ct->destroy    = nt->destroy;
+#endif
 	ct->matchsize  = nt->matchsize;
 	ct->me         = nt->me;
 
@@ -152,21 +235,59 @@ static unsigned int xtnu_target_run(struct sk_buff **pskb,
 static unsigned int xtnu_target_run(struct sk_buff **pskb,
     const struct net_device *in, const struct net_device *out,
     unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 static unsigned int xtnu_target_run(struct sk_buff *skb,
     const struct net_device *in, const struct net_device *out,
     unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
 #endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_target *nt = xtcompat_nutarget(ct);
+	struct xt_action_param local_par;
+
+	local_par.in       = in;
+	local_par.out      = out;
+	local_par.hooknum  = hooknum;
+	local_par.target   = ct;
+	local_par.targinfo = targinfo;
+	local_par.family   = NFPROTO_UNSPEC;
+
 	if (nt != NULL && nt->target != NULL)
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
-		return nt->target(pskb, in, out, hooknum, nt, targinfo);
-#else
-		return nt->target(&skb, in, out, hooknum, nt, targinfo);
+		return nt->target(pskb, &local_par);
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+		return nt->target(&skb, &local_par);
 #endif
 	return XT_CONTINUE;
 }
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+	struct xt_action_param local_par;
+
+	local_par.in       = par->in;
+	local_par.out      = par->out;
+	local_par.hooknum  = par->hooknum;
+	local_par.target   = par->target;
+	local_par.targinfo = par->targinfo;
+	local_par.family   = par->family;
+
+	return nt->target(&skb, &local_par);
+}
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+static unsigned int
+xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+
+	return nt->target(&skb, par);
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static int xtnu_target_check(const char *table, const void *entry,
@@ -175,31 +296,68 @@ static int xtnu_target_check(const char *table, const void *entry,
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
 static int xtnu_target_check(const char *table, const void *entry,
     const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 static bool xtnu_target_check(const char *table, const void *entry,
     const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
 #endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_target *nt = xtcompat_nutarget(ct);
+	struct xt_tgchk_param local_par = {
+		.table     = table,
+		.entryinfo = entry,
+		.target    = ct,
+		.targinfo  = targinfo,
+		.hook_mask = hook_mask,
+		.family    = NFPROTO_UNSPEC,
+	};
+
 	if (nt == NULL)
 		return false;
 	if (nt->checkentry == NULL)
 		/* this is valid, just like if there was no function */
 		return true;
-	return nt->checkentry(table, entry, nt, targinfo, hook_mask);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 23)
+	return nt->checkentry(&local_par);
+#else
+	return nt->checkentry(&local_par) == 0;
+#endif
 }
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
+    LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+static bool xtnu_target_check(const struct xt_tgchk_param *par)
+{
+	struct xtnu_target *nt = xtcompat_nutarget(par->target);
+
+	if (nt == NULL)
+		return false;
+	if (nt->checkentry == NULL)
+		return true;
+	return nt->checkentry(par) == 0;
+}
+#endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
 static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo,
     unsigned int targinfosize)
-#else
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo)
 #endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_target *nt = xtcompat_nutarget(ct);
+	struct xt_tgdtor_param local_par = {
+		.target   = ct,
+		.targinfo = targinfo,
+		.family   = NFPROTO_UNSPEC,
+	};
+
 	if (nt != NULL && nt->destroy != NULL)
-		nt->destroy(nt, targinfo);
+		nt->destroy(&local_par);
 }
+#endif
 
 int xtnu_register_target(struct xtnu_target *nt)
 {
@@ -223,8 +381,16 @@ int xtnu_register_target(struct xtnu_target *nt)
 	ct->hooks      = nt->hooks;
 	ct->proto      = nt->proto;
 	ct->target     = xtnu_target_run;
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 	ct->checkentry = xtnu_target_check;
 	ct->destroy    = xtnu_target_destroy;
+#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+	ct->checkentry = xtnu_target_check;
+	ct->destroy    = nt->destroy;
+#else
+	ct->checkentry = nt->checkentry;
+	ct->destroy    = nt->destroy;
+#endif
 	ct->targetsize = nt->targetsize;
 	ct->me         = nt->me;
 
@@ -368,6 +534,30 @@ int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp)
 	return ip_route_output_flow(rp, flp, NULL, 0);
 }
 EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
+
+void xtnu_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
+    __be32 from, __be32 to, bool pseudohdr)
+{
+	__be32 diff[] = {~from, to};
+	const void *dv = diff; /* kludge for < v2.6.19-555-g72685fc */
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	if (skb->ip_summed != CHECKSUM_PARTIAL) {
+		*sum = csum_fold(csum_partial(dv, sizeof(diff),
+		       ~csum_unfold(*sum)));
+		if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
+			skb->csum = ~csum_partial(dv, sizeof(diff),
+			            ~skb->csum);
+	} else if (pseudohdr) {
+		*sum = ~csum_fold(csum_partial(dv, sizeof(diff),
+		       csum_unfold(*sum)));
+	}
+#else
+	*sum = csum_fold(csum_partial(dv, sizeof(diff),
+	       ~csum_unfold(*sum)));
+#endif
+}
+EXPORT_SYMBOL_GPL(xtnu_proto_csum_replace4);
 #endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
@@ -384,18 +574,45 @@ int xtnu_neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
 }
 EXPORT_SYMBOL_GPL(xtnu_neigh_hh_output);
 
-static inline void csum_replace4(__sum16 *sum, __be32 from, __be32 to)
+static inline __wsum xtnu_csum_unfold(__sum16 n)
+{
+	return (__force __wsum)n;
+}
+
+void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
 {
 	__be32 diff[] = {~from, to};
 	*sum = csum_fold(csum_partial((char *)diff, sizeof(diff),
-	       ~csum_unfold(*sum)));
+	       ~xtnu_csum_unfold(*sum)));
 }
 
 void xtnu_csum_replace2(__sum16 *sum, __be16 from, __be16 to)
 {
-	csum_replace4(sum, (__force __be32)from, (__force __be32)to);
+	xtnu_csum_replace4(sum, (__force __be32)from, (__force __be32)to);
 }
 EXPORT_SYMBOL_GPL(xtnu_csum_replace2);
 #endif
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
+int xtnu_skb_linearize(struct sk_buff *skb)
+{
+	return skb_linearize(skb, GFP_ATOMIC);
+}
+EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
+#endif
+
+void *HX_memmem(const void *space, size_t spacesize,
+    const void *point, size_t pointsize)
+{
+	size_t i;
+
+	if (pointsize > spacesize)
+		return NULL;
+	for (i = 0; i <= spacesize - pointsize; ++i)
+		if (memcmp(space + i, point, pointsize) == 0)
+			return (void *)space + i;
+	return NULL;
+}
+EXPORT_SYMBOL_GPL(HX_memmem);
+
 MODULE_LICENSE("GPL");

extensions/compat_xtables.h

@@ -1,12 +1,15 @@
 #ifndef _XTABLES_COMPAT_H
 #define _XTABLES_COMPAT_H 1
 
+#include <linux/kernel.h>
 #include <linux/version.h>
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 18)
-#	warning Kernels below 2.6.18.5 not supported.
+#define DEBUGP Use__pr_debug__instead
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
+#	warning Kernels below 2.6.17 not supported.
 #endif
 
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -26,9 +29,15 @@
 #	warning You need either CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK.
 #endif
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
+#	define skb_init_secmark(skb)
+#	define skb_linearize	xtnu_skb_linearize
+#endif
+
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
 #	define neigh_hh_output xtnu_neigh_hh_output
 #	define IPPROTO_UDPLITE 136
+#	define CSUM_MANGLED_0 ((__force __sum16)0xffff)
 #endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
@@ -51,7 +60,7 @@
 #	define init_net__proc_net     init_net.proc_net
 #endif
 
-#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
 #	define xt_match              xtnu_match
 #	define xt_register_match     xtnu_register_match
 #	define xt_unregister_match   xtnu_unregister_match
@@ -61,8 +70,47 @@
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
 #	define csum_replace2 xtnu_csum_replace2
+#	define csum_replace4 xtnu_csum_replace4
+#	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
 #elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
 #	define csum_replace2 nf_csum_replace2
+#	define csum_replace4 nf_csum_replace4
+#	define inet_proto_csum_replace4 xtnu_proto_csum_replace4
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
+#	define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
+#else
+#	define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
+#	define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+#	define rt_dst(rt)	(&(rt)->dst)
+#else
+#	define rt_dst(rt)	(&(rt)->u.dst)
+#endif
+
+#if !defined(NIP6) && !defined(NIP6_FMT)
+#	define NIP6(addr) \
+		ntohs((addr).s6_addr16[0]), \
+		ntohs((addr).s6_addr16[1]), \
+		ntohs((addr).s6_addr16[2]), \
+		ntohs((addr).s6_addr16[3]), \
+		ntohs((addr).s6_addr16[4]), \
+		ntohs((addr).s6_addr16[5]), \
+		ntohs((addr).s6_addr16[6]), \
+		ntohs((addr).s6_addr16[7])
+#	define NIP6_FMT "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
+#endif
+#if !defined(NIPQUAD) && !defined(NIPQUAD_FMT)
+#	define NIPQUAD(addr) \
+		((const unsigned char *)&addr)[0], \
+		((const unsigned char *)&addr)[1], \
+		((const unsigned char *)&addr)[2], \
+		((const unsigned char *)&addr)[3]
+#	define NIPQUAD_FMT "%u.%u.%u.%u"
 #endif
 
 #define ip_route_me_harder    xtnu_ip_route_me_harder

extensions/compat_xtnu.h

@@ -9,6 +9,10 @@
 typedef _Bool bool;
 enum { false = 0, true = 1, };
 #endif
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+typedef __u16 __bitwise __sum16;
+typedef __u32 __bitwise __wsum;
+#endif
 
 struct flowi;
 struct hh_cache;
@@ -17,38 +21,102 @@ struct net_device;
 struct rtable;
 struct sk_buff;
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
+enum {
+	NFPROTO_UNSPEC =  0,
+	NFPROTO_IPV4   =  2,
+	NFPROTO_ARP    =  3,
+	NFPROTO_BRIDGE =  7,
+	NFPROTO_IPV6   = 10,
+	NFPROTO_DECNET = 12,
+	NFPROTO_NUMPROTO,
+};
+
+struct xt_mtchk_param {
+	const char *table;
+	const void *entryinfo;
+	const struct xt_match *match;
+	void *matchinfo;
+	unsigned int hook_mask;
+	u_int8_t family;
+};
+
+struct xt_mtdtor_param {
+	const struct xt_match *match;
+	void *matchinfo;
+	u_int8_t family;
+};
+
+struct xt_target_param {
+	const struct net_device *in, *out;
+	unsigned int hooknum;
+	const struct xt_target *target;
+	const void *targinfo;
+	u_int8_t family;
+};
+
+struct xt_tgchk_param {
+	const char *table;
+	const void *entryinfo;
+	const struct xt_target *target;
+	void *targinfo;
+	unsigned int hook_mask;
+	u_int8_t family;
+};
+
+struct xt_tgdtor_param {
+	const struct xt_target *target;
+	void *targinfo;
+	u_int8_t family;
+};
+#endif
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
+struct xt_action_param {
+	union {
+		const struct xt_match *match;
+		const struct xt_target *target;
+	};
+	union {
+		const void *matchinfo, *targinfo;
+	};
+	const struct net_device *in, *out;
+	int fragoff;
+	unsigned int thoff, hooknum;
+	u_int8_t family;
+	bool hotdrop;
+};
+#endif
+
 struct xtnu_match {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
-	bool (*match)(const struct sk_buff *, const struct net_device *,
-		const struct net_device *, const struct xtnu_match *,
-		const void *, int, unsigned int, bool *);
-	bool (*checkentry)(const char *, const void *,
-		const struct xtnu_match *, void *, unsigned int);
-	void (*destroy)(const struct xtnu_match *, void *);
+	/*
+	 * Making it smaller by sizeof(void *) on purpose to catch
+	 * lossy translation, if any.
+	 */
+	char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
+	bool (*match)(const struct sk_buff *, struct xt_action_param *);
+	int (*checkentry)(const struct xt_mtchk_param *);
+	void (*destroy)(const struct xt_mtdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int matchsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_match;
 };
 
 struct xtnu_target {
-	struct list_head list;
-	char name[XT_FUNCTION_MAXNAMELEN - 1 - sizeof(void *)];
-	unsigned int (*target)(struct sk_buff **, const struct net_device *,
-		const struct net_device *, unsigned int,
-		const struct xtnu_target *, const void *);
-	bool (*checkentry)(const char *, const void *,
-		const struct xtnu_target *, void *, unsigned int);
-	void (*destroy)(const struct xtnu_target *, void *);
+	char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
+	uint8_t revision;
+	unsigned int (*target)(struct sk_buff **,
+		const struct xt_action_param *);
+	int (*checkentry)(const struct xt_tgchk_param *);
+	void (*destroy)(const struct xt_tgdtor_param *);
 	struct module *me;
 	const char *table;
 	unsigned int targetsize, hooks;
 	unsigned short proto, family;
-	uint8_t revision;
 
 	void *__compat_target;
 };
@@ -67,6 +135,13 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
 	return q;
 }
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+static inline __wsum csum_unfold(__sum16 n)
+{
+	return (__force __wsum)n;
+}
+#endif
+
 extern int xtnu_ip_local_out(struct sk_buff *);
 extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
 extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
@@ -82,5 +157,12 @@ extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
 extern struct xt_match *xtnu_request_find_match(unsigned int,
 	const char *, uint8_t);
 extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);
+extern void xtnu_csum_replace2(__u16 __bitwise *, __be16, __be16);
+extern void xtnu_csum_replace4(__u16 __bitwise *, __be32, __be32);
+extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
+	__be32, __be32, bool);
+extern int xtnu_skb_linearize(struct sk_buff *);
+
+extern void *HX_memmem(const void *, size_t, const void *, size_t);
 
 #endif /* _COMPAT_XTNU_H */

extensions/ip6table_rawpost.c

@@ -0,0 +1,107 @@
+/*
+ *	rawpost table for ip6_tables
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	placed in the Public Domain
+ */
+#include <linux/module.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <net/ip.h>
+#include "compat_xtables.h"
+#include "compat_rawpost.h"
+
+enum {
+	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
+};
+
+static struct {
+	struct ip6t_replace repl;
+	struct ip6t_standard entries[1];
+	struct ip6t_error term;
+} rawpost6_initial __initdata = {
+	.repl = {
+		.name        = "rawpost",
+		.valid_hooks = RAWPOST_VALID_HOOKS,
+		.num_entries = 2,
+		.size        = sizeof(struct ip6t_standard) +
+		               sizeof(struct ip6t_error),
+		.hook_entry  = {
+			[NF_INET_POST_ROUTING] = 0,
+		},
+		.underflow = {
+			[NF_INET_POST_ROUTING] = 0,
+		},
+	},
+	.entries = {
+		IP6T_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
+	},
+	.term = IP6T_ERROR_INIT,		/* ERROR */
+};
+
+static struct xt_table *rawpost6_ptable;
+
+static struct xt_table rawpost6_itable = {
+	.name        = "rawpost",
+	.af          = NFPROTO_IPV6,
+	.valid_hooks = RAWPOST_VALID_HOOKS,
+	.me          = THIS_MODULE,
+};
+
+static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
+    const struct net_device *in, const struct net_device *out,
+    int (*okfn)(struct sk_buff *))
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
+#else
+	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable, NULL);
+#endif
+}
+
+static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
+	.hook     = rawpost6_hook_fn,
+	.pf       = NFPROTO_IPV6,
+	.hooknum  = NF_INET_POST_ROUTING,
+	.priority = NF_IP6_PRI_LAST,
+	.owner    = THIS_MODULE,
+};
+
+static int __init rawpost6_table_init(void)
+{
+	int ret;
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
+	rwlock_init(&rawpost6_itable.lock);
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
+	rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
+	                  &rawpost6_initial.repl);
+	if (IS_ERR(rawpost6_ptable))
+		return PTR_ERR(rawpost6_ptable);
+#else
+	ret = ip6t_register_table(&rawpost6_itable, &rawpost6_initial.repl);
+	if (ret < 0)
+		return ret;
+	rawpost6_ptable = &rawpost6_itable;
+#endif
+
+	ret = nf_register_hook(&rawpost6_hook_ops);
+	if (ret < 0)
+		goto out;
+
+	return ret;
+
+ out:
+	ip6t_unregister_table(rawpost6_ptable);
+	return ret;
+}
+
+static void __exit rawpost6_table_exit(void)
+{
+	nf_unregister_hook(&rawpost6_hook_ops);
+	ip6t_unregister_table(rawpost6_ptable);
+}
+
+module_init(rawpost6_table_init);
+module_exit(rawpost6_table_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_LICENSE("GPL");

extensions/ipset/.gitignore

@@ -1,3 +1 @@
-*.oo
-*.so
 /ipset

extensions/ipset/GNUmakefile.in

@@ -1,84 +0,0 @@
-# -*- Makefile -*-
-
-top_srcdir      := @top_srcdir@
-srcdir          := @srcdir@
-abstop_srcdir   := $(shell readlink -e ${top_srcdir})
-abssrcdir       := $(shell readlink -e ${srcdir})
-
-ifeq (${abstop_srcdir},)
-$(error Path resolution of ${top_srcdir} failed)
-endif
-ifeq (${abssrcdir},)
-$(error Path resolution of ${srcdir} failed)
-endif
-
-prefix          := @prefix@
-exec_prefix     := @exec_prefix@
-sbindir         := @sbindir@
-libdir          := @libdir@
-libexecdir      := @libexecdir@
-xtlibdir        := @xtlibdir@
-kbuilddir       := @kbuilddir@
-man8dir         := @mandir@/man8
-
-CC              := @CC@
-CCLD            := ${CC}
-CFLAGS          := @CFLAGS@
-LDFLAGS         := @LDFLAGS@
-regular_CFLAGS  := @regular_CFLAGS@
-kinclude_CFLAGS := @kinclude_CFLAGS@
-xtables_CFLAGS  := @xtables_CFLAGS@
-
-AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS} -DXTABLES_LIBDIR=\"${xtlibdir}\"
-AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
-
-ifeq (${V},)
-AM_LIBTOOL_SILENT = --silent
-AM_VERBOSE_CC     = @echo "  CC      " $@;
-AM_VERBOSE_CCLD   = @echo "  CCLD    " $@;
-AM_VERBOSE_CXX    = @echo "  CXX     " $@;
-AM_VERBOSE_CXXLD  = @echo "  CXXLD   " $@;
-AM_VERBOSE_AR     = @echo "  AR      " $@;
-AM_VERBOSE_GEN    = @echo "  GEN     " $@;
-endif
-
-#
-#	Building blocks
-#
-targets := $(addsuffix .so,$(addprefix libipset_,iphash ipmap ipporthash iptree iptreemap macipmap nethash portmap))
-
-.SECONDARY:
-
-.PHONY: all install clean distclean FORCE
-
-all: ipset ${targets}
-
-install: all
-	@mkdir -p "${DESTDIR}${sbindir}" "${DESTDIR}${xtlibdir}" "${DESTDIR}${man8dir}";
-	install -pm0755 ipset "${DESTDIR}${sbindir}/";
-	install -pm0755 ${targets} "${DESTDIR}${xtlibdir}/";
-	install -pm0644 ipset.8 "${DESTDIR}${man8dir}/";
-
-clean:
-	rm -f *.oo *.so *.o ipset;
-
-distclean: clean
-	rm -f .*.d;
-
--include .*.d
-
-
-ipset: ipset.o
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -o $@ $< -ldl -rdynamic;
-
-#
-#	Shared libraries
-#
-lib%.so: lib%.oo
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
-
-libipset_%.oo: ${srcdir}/ipset_%.c
-	${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
-
-%.o: %.c
-	${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} ${CFLAGS} -o $@ -c $<;

extensions/ipset/Kbuild

@@ -3,4 +3,5 @@
 obj-m += ipt_set.o ipt_SET.o
 obj-m += ip_set.o ip_set_ipmap.o ip_set_portmap.o ip_set_macipmap.o
 obj-m += ip_set_iphash.o ip_set_nethash.o ip_set_ipporthash.o
-obj-m += ip_set_iptree.o ip_set_iptreemap.o
+obj-m += ip_set_ipportiphash.o ip_set_ipportnethash.o
+obj-m += ip_set_iptree.o ip_set_iptreemap.o ip_set_setlist.o

extensions/ipset/Makefile.am

@@ -0,0 +1,11 @@
+# -*- Makefile -*-
+
+AM_CFLAGS = ${regular_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
+
+include ../../Makefile.extra
+
+sbin_PROGRAMS = ipset
+ipset_LDADD   = -ldl
+ipset_LDFLAGS = -rdynamic
+
+man_MANS      = ipset.8

extensions/ipset/Mbuild

@@ -0,0 +1,7 @@
+# -*- Makefile -*-
+
+obj-m += $(addprefix lib,$(patsubst %.c,%.so,$(notdir \
+	$(wildcard ${XA_SRCDIR}/ipset_*.c))))
+
+libipset_%.oo: ${XA_SRCDIR}/ipset_%.c
+	${AM_V_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;

extensions/ipset/ip_set.h

@@ -48,7 +48,8 @@
 /* 
  * Used so that the kernel module and ipset-binary can match their versions 
  */
-#define IP_SET_PROTOCOL_VERSION 2
+#define IP_SET_PROTOCOL_UNALIGNED	3
+#define IP_SET_PROTOCOL_VERSION		4
 
 #define IP_SET_MAXNAMELEN 32	/* set names and set typenames */
 
@@ -95,6 +96,9 @@ typedef uint16_t ip_set_id_t;
 #define IPSET_TYPE_PORT		0x02	/* Port type of set */
 #define IPSET_DATA_SINGLE	0x04	/* Single data storage */
 #define IPSET_DATA_DOUBLE	0x08	/* Double data storage */
+#define IPSET_DATA_TRIPLE	0x10	/* Triple data storage */
+#define IPSET_TYPE_IP1		0x20	/* IP address type of set */
+#define IPSET_TYPE_SETNAME	0x40	/* setname type of set */
 
 /* Reserved keywords */
 #define IPSET_TOKEN_DEFAULT	":default:"
@@ -233,7 +237,7 @@ struct ip_set_req_max_sets {
 struct ip_set_req_setnames {
 	unsigned op;
 	ip_set_id_t index;		/* set to list/save */
-	size_t size;			/* size to get setdata/bindings */
+	u_int32_t size;			/* size to get setdata */
 	/* followed by sets number of struct ip_set_name_list */
 };
 
@@ -255,9 +259,9 @@ struct ip_set_list {
 	ip_set_id_t index;
 	ip_set_id_t binding;
 	u_int32_t ref;
-	size_t header_size;	/* Set header data of header_size */
-	size_t members_size;	/* Set members data of members_size */
-	size_t bindings_size;	/* Set bindings data of bindings_size */
+	u_int32_t header_size;	/* Set header data of header_size */
+	u_int32_t members_size;	/* Set members data of members_size */
+	u_int32_t bindings_size;/* Set bindings data of bindings_size */
 };
 
 struct ip_set_hash_list {
@@ -274,8 +278,8 @@ struct ip_set_hash_list {
 struct ip_set_save {
 	ip_set_id_t index;
 	ip_set_id_t binding;
-	size_t header_size;	/* Set header data of header_size */
-	size_t members_size;	/* Set members data of members_size */
+	u_int32_t header_size;	/* Set header data of header_size */
+	u_int32_t members_size;	/* Set members data of members_size */
 };
 
 /* At restoring, ip == 0 means default binding for the given set: */
@@ -295,8 +299,8 @@ struct ip_set_restore {
 	char name[IP_SET_MAXNAMELEN];
 	char typename[IP_SET_MAXNAMELEN];
 	ip_set_id_t index;
-	size_t header_size;	/* Create data of header_size */
-	size_t members_size;	/* Set members data of members_size */
+	u_int32_t header_size;	/* Create data of header_size */
+	u_int32_t members_size;	/* Set members data of members_size */
 };
 
 static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
@@ -304,7 +308,17 @@ static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
 	return 4 * ((((b - a + 8) / 8) + 3) / 4);
 }
 
+/* General limit for the elements in a set */
+#define MAX_RANGE 0x0000FFFF
+
+/* Alignment: 'unsigned long' unsupported */
+#define IPSET_ALIGNTO		4
+#define	IPSET_ALIGN(len) (((len) + IPSET_ALIGNTO - 1) & ~(IPSET_ALIGNTO - 1))
+#define IPSET_VALIGN(len, old) ((old) ? (len) : IPSET_ALIGN(len))
+
 #ifdef __KERNEL__
+#include "ip_set_compat.h"
+#include "ip_set_malloc.h"
 
 #define ip_set_printk(format, args...) 			\
 	do {							\
@@ -350,22 +364,19 @@ struct ip_set_type {
 	 */
 	int (*testip_kernel) (struct ip_set *set,
 			      const struct sk_buff * skb, 
-			      ip_set_ip_t *ip,
-			      const u_int32_t *flags,
-			      unsigned char index);
+			      const u_int32_t *flags);
 
 	/* test for IP in set (userspace: ipset -T set IP)
 	 * return 0 if not in set, 1 if in set.
 	 */
 	int (*testip) (struct ip_set *set,
-		       const void *data, size_t size,
-		       ip_set_ip_t *ip);
+		       const void *data, u_int32_t size);
 
 	/*
 	 * Size of the data structure passed by when
 	 * adding/deletin/testing an entry.
 	 */
-	size_t reqsize;
+	u_int32_t reqsize;
 
 	/* Add IP into set (userspace: ipset -A set IP)
 	 * Return -EEXIST if the address is already in the set,
@@ -373,8 +384,7 @@ struct ip_set_type {
 	 * If the address was not already in the set, 0 is returned.
 	 */
 	int (*addip) (struct ip_set *set, 
-		      const void *data, size_t size,
-		      ip_set_ip_t *ip);
+		      const void *data, u_int32_t size);
 
 	/* Add IP into set (kernel: iptables ... -j SET set src|dst)
 	 * Return -EEXIST if the address is already in the set,
@@ -382,10 +392,8 @@ struct ip_set_type {
 	 * If the address was not already in the set, 0 is returned.
 	 */
 	int (*addip_kernel) (struct ip_set *set,
-			     const struct sk_buff * skb, 
-			     ip_set_ip_t *ip,
-			     const u_int32_t *flags,
-			     unsigned char index);
+			     const struct sk_buff * skb,
+			     const u_int32_t *flags);
 
 	/* remove IP from set (userspace: ipset -D set --entry x)
 	 * Return -EEXIST if the address is NOT in the set,
@@ -393,8 +401,7 @@ struct ip_set_type {
 	 * If the address really was in the set, 0 is returned.
 	 */
 	int (*delip) (struct ip_set *set, 
-		      const void *data, size_t size,
-		      ip_set_ip_t *ip);
+		      const void *data, u_int32_t size);
 
 	/* remove IP from set (kernel: iptables ... -j SET --entry x)
 	 * Return -EEXIST if the address is NOT in the set,
@@ -402,15 +409,13 @@ struct ip_set_type {
 	 * If the address really was in the set, 0 is returned.
 	 */
 	int (*delip_kernel) (struct ip_set *set,
-			     const struct sk_buff * skb, 
-			     ip_set_ip_t *ip,
-			     const u_int32_t *flags,
-			     unsigned char index);
+			     const struct sk_buff * skb,
+			     const u_int32_t *flags);
 
 	/* new set creation - allocated type specific items
 	 */
 	int (*create) (struct ip_set *set,
-		       const void *data, size_t size);
+		       const void *data, u_int32_t size);
 
 	/* retry the operation after successfully tweaking the set
 	 */
@@ -429,7 +434,7 @@ struct ip_set_type {
 
 	/* Listing: size needed for header
 	 */
-	size_t header_size;
+	u_int32_t header_size;
 
 	/* Listing: Get the header
 	 *
@@ -443,7 +448,7 @@ struct ip_set_type {
 
 	/* Listing: Get the size for the set members
 	 */
-	int (*list_members_size) (const struct ip_set *set);
+	int (*list_members_size) (const struct ip_set *set, char dont_align);
 
 	/* Listing: Get the set members
 	 *
@@ -453,7 +458,7 @@ struct ip_set_type {
 	 * correct. 
 	 */
 	void (*list_members) (const struct ip_set *set,
-			      void *data);
+			      void *data, char dont_align);
 
 	char typename[IP_SET_MAXNAMELEN];
 	unsigned char features;
@@ -471,36 +476,94 @@ struct ip_set {
 	char name[IP_SET_MAXNAMELEN];	/* the name of the set */
 	rwlock_t lock;			/* lock for concurrency control */
 	ip_set_id_t id;			/* set id for swapping */
-	ip_set_id_t binding;		/* default binding for the set */
 	atomic_t ref;			/* in kernel and in hash references */
 	struct ip_set_type *type; 	/* the set types */
 	void *data;			/* pooltype specific data */
 };
 
-/* Structure to bind set elements to sets */
-struct ip_set_hash {
-	struct list_head list;		/* list of clashing entries in hash */
-	ip_set_ip_t ip;			/* ip from set */
-	ip_set_id_t id;			/* set id */
-	ip_set_id_t binding;		/* set we bind the element to */
-};
-
 /* register and unregister set references */
 extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
-extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
-extern void ip_set_put(ip_set_id_t id);
+extern ip_set_id_t ip_set_get_byindex(ip_set_id_t index);
+extern void ip_set_put_byindex(ip_set_id_t index);
+extern ip_set_id_t ip_set_id(ip_set_id_t index);
+extern ip_set_id_t __ip_set_get_byname(const char name[IP_SET_MAXNAMELEN],
+				       struct ip_set **set);
+extern void __ip_set_put_byindex(ip_set_id_t index);
 
 /* API for iptables set match, and SET target */
-extern void ip_set_addip_kernel(ip_set_id_t id,
-				const struct sk_buff *skb,
-				const u_int32_t *flags);
-extern void ip_set_delip_kernel(ip_set_id_t id,
-				const struct sk_buff *skb,
-				const u_int32_t *flags);
+extern int ip_set_addip_kernel(ip_set_id_t id,
+			       const struct sk_buff *skb,
+			       const u_int32_t *flags);
+extern int ip_set_delip_kernel(ip_set_id_t id,
+			       const struct sk_buff *skb,
+			       const u_int32_t *flags);
 extern int ip_set_testip_kernel(ip_set_id_t id,
 				const struct sk_buff *skb,
 				const u_int32_t *flags);
 
+/* Macros to generate functions */
+
+#define STRUCT(pre, type)	CONCAT2(pre, type)
+#define CONCAT2(pre, type)	struct pre##type
+
+#define FNAME(pre, mid, post)	CONCAT3(pre, mid, post)
+#define CONCAT3(pre, mid, post)	pre##mid##post
+
+#define UADT0(type, adt, args...)					\
+static int								\
+FNAME(type,_u,adt)(struct ip_set *set, const void *data, u_int32_t size)\
+{									\
+	const STRUCT(ip_set_req_,type) *req = data;			\
+									\
+	return FNAME(type,_,adt)(set , ## args);			\
+}
+
+#define UADT(type, adt, args...)					\
+	UADT0(type, adt, req->ip , ## args)
+
+#define KADT(type, adt, getfn, args...)					\
+static int								\
+FNAME(type,_k,adt)(struct ip_set *set,					\
+	     const struct sk_buff *skb,					\
+	     const u_int32_t *flags)					\
+{									\
+	ip_set_ip_t ip = getfn(skb, flags);				\
+									\
+	KADT_CONDITION							\
+	return FNAME(type,_,adt)(set, ip , ##args);			\
+}
+
+#define REGISTER_MODULE(type)						\
+static int __init ip_set_##type##_init(void)				\
+{									\
+	init_max_page_size();						\
+	return ip_set_register_set_type(&ip_set_##type);		\
+}									\
+									\
+static void __exit ip_set_##type##_fini(void)				\
+{									\
+	/* FIXME: possible race with ip_set_create() */			\
+	ip_set_unregister_set_type(&ip_set_##type);			\
+}									\
+									\
+module_init(ip_set_##type##_init);					\
+module_exit(ip_set_##type##_fini);
+
+/* Common functions */
+
+static inline ip_set_ip_t
+ipaddr(const struct sk_buff *skb, const u_int32_t *flags)
+{
+	return ntohl(flags[0] & IPSET_SRC ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr);
+}
+
+#define jhash_ip(map, i, ip)	jhash_1word(ip, *(map->initval + i))
+
+#define pack_ip_port(map, ip, port) \
+	(port + ((ip - ((map)->first_ip)) << 16))
+
 #endif				/* __KERNEL__ */
 
+#define UNUSED __attribute__ ((unused))
+
 #endif /*_IP_SET_H*/

extensions/ipset/ip_set_bitmaps.h

@@ -0,0 +1,120 @@
+#ifndef __IP_SET_BITMAPS_H
+#define __IP_SET_BITMAPS_H
+
+/* Macros to generate functions */
+
+#ifdef __KERNEL__
+#define BITMAP_CREATE(type)						\
+static int								\
+type##_create(struct ip_set *set, const void *data, u_int32_t size)	\
+{									\
+	int newbytes;							\
+	const struct ip_set_req_##type##_create *req = data;		\
+	struct ip_set_##type *map;					\
+									\
+	if (req->from > req->to) {					\
+		DP("bad range");					\
+		return -ENOEXEC;					\
+	}								\
+									\
+	map = kmalloc(sizeof(struct ip_set_##type), GFP_KERNEL);	\
+	if (!map) {							\
+		DP("out of memory for %zu bytes",			\
+		   sizeof(struct ip_set_##type));			\
+		return -ENOMEM;						\
+	}								\
+	map->first_ip = req->from;					\
+	map->last_ip = req->to;						\
+									\
+	newbytes = __##type##_create(req, map);				\
+	if (newbytes < 0) {						\
+		kfree(map);						\
+		return newbytes;					\
+	}								\
+									\
+	map->size = newbytes;						\
+	map->members = ip_set_malloc(newbytes);				\
+	if (!map->members) {						\
+		DP("out of memory for %i bytes", newbytes);		\
+		kfree(map);						\
+		return -ENOMEM;						\
+	}								\
+	memset(map->members, 0, newbytes);				\
+									\
+	set->data = map;						\
+	return 0;							\
+}
+
+#define BITMAP_DESTROY(type)						\
+static void								\
+type##_destroy(struct ip_set *set)					\
+{									\
+	struct ip_set_##type *map = set->data;				\
+									\
+	ip_set_free(map->members, map->size);				\
+	kfree(map);							\
+									\
+	set->data = NULL;						\
+}
+
+#define BITMAP_FLUSH(type)						\
+static void								\
+type##_flush(struct ip_set *set)					\
+{									\
+	struct ip_set_##type *map = set->data;				\
+	memset(map->members, 0, map->size);				\
+}
+
+#define BITMAP_LIST_HEADER(type)					\
+static void								\
+type##_list_header(const struct ip_set *set, void *data)		\
+{									\
+	const struct ip_set_##type *map = set->data;			\
+	struct ip_set_req_##type##_create *header = data;		\
+									\
+	header->from = map->first_ip;					\
+	header->to = map->last_ip;					\
+	__##type##_list_header(map, header);				\
+}
+
+#define BITMAP_LIST_MEMBERS_SIZE(type, dtype, sizeid, testfn)		\
+static int								\
+type##_list_members_size(const struct ip_set *set, char dont_align)	\
+{									\
+	const struct ip_set_##type *map = set->data;			\
+	ip_set_ip_t i, elements = 0;					\
+									\
+	if (dont_align)							\
+		return map->size;					\
+									\
+	for (i = 0; i < sizeid; i++)					\
+		if (testfn)						\
+			elements++;					\
+									\
+	return elements * IPSET_ALIGN(sizeof(dtype));			\
+}
+
+#define IP_SET_TYPE(type, __features)					\
+struct ip_set_type ip_set_##type = {					\
+	.typename		= #type,				\
+	.features		= __features,				\
+	.protocol_version	= IP_SET_PROTOCOL_VERSION,		\
+	.create			= &type##_create,			\
+	.destroy		= &type##_destroy,			\
+	.flush			= &type##_flush,			\
+	.reqsize		= sizeof(struct ip_set_req_##type),	\
+	.addip			= &type##_uadd,				\
+	.addip_kernel		= &type##_kadd,				\
+	.delip			= &type##_udel,				\
+	.delip_kernel		= &type##_kdel,				\
+	.testip			= &type##_utest,			\
+	.testip_kernel		= &type##_ktest,			\
+	.header_size		= sizeof(struct ip_set_req_##type##_create),\
+	.list_header		= &type##_list_header,			\
+	.list_members_size	= &type##_list_members_size,		\
+	.list_members		= &type##_list_members,			\
+	.me			= THIS_MODULE,				\
+};
+#endif /* __KERNEL */
+
+#endif /* __IP_SET_BITMAPS_H */

extensions/ipset/ip_set_compat.h

@@ -0,0 +1,92 @@
+#ifndef _IP_SET_COMPAT_H
+#define _IP_SET_COMPAT_H
+
+#ifdef __KERNEL__
+#include <linux/version.h>
+
+/* Arrgh */
+#ifdef MODULE
+#define __MOD_INC(foo)		__MOD_INC_USE_COUNT(foo)
+#define __MOD_DEC(foo)		__MOD_DEC_USE_COUNT(foo)
+#else
+#define __MOD_INC(foo)		1
+#define __MOD_DEC(foo)
+#endif
+
+/* Backward compatibility */
+#ifndef __nocast
+#define __nocast
+#endif
+#ifndef __bitwise__
+#define __bitwise__
+#endif
+
+/* Compatibility glue code */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
+#include <linux/interrupt.h>
+#define DEFINE_RWLOCK(x)                rwlock_t x = RW_LOCK_UNLOCKED
+#define try_module_get(x)		__MOD_INC(x)
+#define module_put(x)                   __MOD_DEC(x)
+#define __clear_bit(nr, addr)		clear_bit(nr, addr)
+#define __set_bit(nr, addr)		set_bit(nr, addr)
+#define __test_and_set_bit(nr, addr)	test_and_set_bit(nr, addr)
+#define __test_and_clear_bit(nr, addr)	test_and_clear_bit(nr, addr)
+
+typedef unsigned __bitwise__ gfp_t;
+
+static inline void *kzalloc(size_t size, gfp_t flags)
+{
+	void *data = kmalloc(size, flags);
+	
+	if (data)
+		memset(data, 0, size);
+	
+	return data;
+}
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
+#define __KMEM_CACHE_T__	kmem_cache_t
+#else
+#define __KMEM_CACHE_T__	struct kmem_cache
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
+#define ip_hdr(skb)		((skb)->nh.iph)
+#define skb_mac_header(skb)	((skb)->mac.raw)
+#define eth_hdr(skb)		((struct ethhdr *)skb_mac_header(skb))
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
+#include <linux/netfilter.h>
+#define KMEM_CACHE_CREATE(name, size) \
+	kmem_cache_create(name, size, 0, 0, NULL, NULL)
+#else
+#define KMEM_CACHE_CREATE(name, size) \
+	kmem_cache_create(name, size, 0, 0, NULL)
+#endif
+
+#ifndef NIPQUAD
+#define NIPQUAD(addr) \
+	((unsigned char *)&addr)[0], \
+	((unsigned char *)&addr)[1], \
+	((unsigned char *)&addr)[2], \
+	((unsigned char *)&addr)[3]
+#endif
+
+#ifndef HIPQUAD
+#if defined(__LITTLE_ENDIAN)
+#define HIPQUAD(addr) \
+	((unsigned char *)&addr)[3], \
+	((unsigned char *)&addr)[2], \
+	((unsigned char *)&addr)[1], \
+	((unsigned char *)&addr)[0]
+#elif defined(__BIG_ENDIAN)
+#define HIPQUAD NIPQUAD
+#else
+#error "Please fix asm/byteorder.h"
+#endif /* __LITTLE_ENDIAN */
+#endif
+
+#endif /* __KERNEL__ */
+#endif /* _IP_SET_COMPAT_H */   

extensions/ipset/ip_set_getport.h

@@ -0,0 +1,48 @@
+#ifndef _IP_SET_GETPORT_H
+#define _IP_SET_GETPORT_H
+
+#ifdef __KERNEL__
+
+#define INVALID_PORT	(MAX_RANGE + 1)
+
+/* We must handle non-linear skbs */
+static inline ip_set_ip_t
+get_port(const struct sk_buff *skb, const u_int32_t *flags)
+{
+	struct iphdr *iph = ip_hdr(skb);
+	u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET;
+	switch (iph->protocol) {
+	case IPPROTO_TCP: {
+		struct tcphdr tcph;
+		
+		/* See comments at tcp_match in ip_tables.c */
+		if (offset)
+			return INVALID_PORT;
+
+		if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph)) < 0)
+			/* No choice either */
+			return INVALID_PORT;
+	     	
+	     	return ntohs(flags[0] & IPSET_SRC ?
+			     tcph.source : tcph.dest);
+	    }
+	case IPPROTO_UDP: {
+		struct udphdr udph;
+
+		if (offset)
+			return INVALID_PORT;
+
+		if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &udph, sizeof(udph)) < 0)
+			/* No choice either */
+			return INVALID_PORT;
+	     	
+	     	return ntohs(flags[0] & IPSET_SRC ?
+			     udph.source : udph.dest);
+	    }
+	default:
+		return INVALID_PORT;
+	}
+}
+#endif				/* __KERNEL__ */
+
+#endif /*_IP_SET_GETPORT_H*/

extensions/ipset/ip_set_hashes.h

@@ -0,0 +1,314 @@
+#ifndef __IP_SET_HASHES_H
+#define __IP_SET_HASHES_H
+
+#define initval_t uint32_t
+
+/* Macros to generate functions */
+
+#ifdef __KERNEL__
+#define HASH_RETRY0(type, dtype, cond)					\
+static int								\
+type##_retry(struct ip_set *set)					\
+{									\
+	struct ip_set_##type *map = set->data, *tmp;			\
+	dtype *elem;							\
+	void *members;							\
+	u_int32_t i, hashsize = map->hashsize;				\
+	int res;							\
+									\
+	if (map->resize == 0)						\
+		return -ERANGE;						\
+									\
+    again:								\
+    	res = 0;							\
+    									\
+	/* Calculate new hash size */					\
+	hashsize += (hashsize * map->resize)/100;			\
+	if (hashsize == map->hashsize)					\
+		hashsize++;						\
+									\
+	ip_set_printk("rehashing of set %s triggered: "			\
+		      "hashsize grows from %lu to %lu",			\
+		      set->name,					\
+		      (long unsigned)map->hashsize,			\
+		      (long unsigned)hashsize);				\
+		      							\
+	tmp = kmalloc(sizeof(struct ip_set_##type)			\
+		      + map->probes * sizeof(initval_t), GFP_ATOMIC);	\
+	if (!tmp) {							\
+		DP("out of memory for %zu bytes",			\
+		   sizeof(struct ip_set_##type)				\
+		   + map->probes * sizeof(initval_t));			\
+		return -ENOMEM;						\
+	}								\
+	tmp->members = harray_malloc(hashsize, sizeof(dtype), GFP_ATOMIC);\
+	if (!tmp->members) {						\
+		DP("out of memory for %zu bytes", hashsize * sizeof(dtype));\
+		kfree(tmp);						\
+		return -ENOMEM;						\
+	}								\
+	tmp->hashsize = hashsize;					\
+	tmp->elements = 0;						\
+	tmp->probes = map->probes;					\
+	tmp->resize = map->resize;					\
+	memcpy(tmp->initval, map->initval, map->probes * sizeof(initval_t));\
+	__##type##_retry(tmp, map);					\
+									\
+	write_lock_bh(&set->lock);					\
+	map = set->data; /* Play safe */				\
+	for (i = 0; i < map->hashsize && res == 0; i++) {		\
+		elem = HARRAY_ELEM(map->members, dtype *, i);		\
+		if (cond)						\
+			res = __##type##_add(tmp, elem);		\
+	}								\
+	if (res) {							\
+		/* Failure, try again */				\
+		write_unlock_bh(&set->lock);				\
+		harray_free(tmp->members);				\
+		kfree(tmp);						\
+		goto again;						\
+	}								\
+									\
+	/* Success at resizing! */					\
+	members = map->members;						\
+									\
+	map->hashsize = tmp->hashsize;					\
+	map->members = tmp->members;					\
+	write_unlock_bh(&set->lock);					\
+									\
+	harray_free(members);						\
+	kfree(tmp);							\
+									\
+	return 0;							\
+}
+
+#define HASH_RETRY(type, dtype)						\
+	HASH_RETRY0(type, dtype, *elem)
+
+#define HASH_RETRY2(type, dtype)						\
+	HASH_RETRY0(type, dtype, elem->ip || elem->ip1)
+
+#define HASH_CREATE(type, dtype)					\
+static int								\
+type##_create(struct ip_set *set, const void *data, u_int32_t size)	\
+{									\
+	const struct ip_set_req_##type##_create *req = data;		\
+	struct ip_set_##type *map;					\
+	uint16_t i;							\
+									\
+	if (req->hashsize < 1) {					\
+		ip_set_printk("hashsize too small");			\
+		return -ENOEXEC;					\
+	}								\
+									\
+	if (req->probes < 1) {						\
+		ip_set_printk("probes too small");			\
+		return -ENOEXEC;					\
+	}								\
+									\
+	map = kmalloc(sizeof(struct ip_set_##type)			\
+		      + req->probes * sizeof(initval_t), GFP_KERNEL);	\
+	if (!map) {							\
+		DP("out of memory for %zu bytes",			\
+		   sizeof(struct ip_set_##type)				\
+		   + req->probes * sizeof(initval_t));			\
+		return -ENOMEM;						\
+	}								\
+	for (i = 0; i < req->probes; i++)				\
+		get_random_bytes(((initval_t *) map->initval)+i, 4);	\
+	map->elements = 0;						\
+	map->hashsize = req->hashsize;					\
+	map->probes = req->probes;					\
+	map->resize = req->resize;					\
+	if (__##type##_create(req, map)) {				\
+		kfree(map);						\
+		return -ENOEXEC;					\
+	}								\
+	map->members = harray_malloc(map->hashsize, sizeof(dtype), GFP_KERNEL);\
+	if (!map->members) {						\
+		DP("out of memory for %zu bytes", map->hashsize * sizeof(dtype));\
+		kfree(map);						\
+		return -ENOMEM;						\
+	}								\
+									\
+	set->data = map;						\
+	return 0;							\
+}
+
+#define HASH_DESTROY(type)						\
+static void								\
+type##_destroy(struct ip_set *set)					\
+{									\
+	struct ip_set_##type *map = set->data;				\
+									\
+	harray_free(map->members);					\
+	kfree(map);							\
+									\
+	set->data = NULL;						\
+}
+
+#define HASH_FLUSH(type, dtype)						\
+static void								\
+type##_flush(struct ip_set *set)					\
+{									\
+	struct ip_set_##type *map = set->data;				\
+	harray_flush(map->members, map->hashsize, sizeof(dtype));	\
+	map->elements = 0;						\
+}
+
+#define HASH_FLUSH_CIDR(type, dtype)					\
+static void								\
+type##_flush(struct ip_set *set)					\
+{									\
+	struct ip_set_##type *map = set->data;				\
+	harray_flush(map->members, map->hashsize, sizeof(dtype));	\
+	memset(map->cidr, 0, sizeof(map->cidr));			\
+	memset(map->nets, 0, sizeof(map->nets));			\
+	map->elements = 0;						\
+}
+
+#define HASH_LIST_HEADER(type)						\
+static void								\
+type##_list_header(const struct ip_set *set, void *data)		\
+{									\
+	const struct ip_set_##type *map = set->data;			\
+	struct ip_set_req_##type##_create *header = data;		\
+									\
+	header->hashsize = map->hashsize;				\
+	header->probes = map->probes;					\
+	header->resize = map->resize;					\
+	__##type##_list_header(map, header);				\
+}
+
+#define HASH_LIST_MEMBERS_SIZE(type, dtype)				\
+static int								\
+type##_list_members_size(const struct ip_set *set, char dont_align)	\
+{									\
+	const struct ip_set_##type *map = set->data;			\
+									\
+	return (map->elements * IPSET_VALIGN(sizeof(dtype), dont_align));\
+}
+
+#define HASH_LIST_MEMBERS(type, dtype)					\
+static void								\
+type##_list_members(const struct ip_set *set, void *data, char dont_align)\
+{									\
+	const struct ip_set_##type *map = set->data;			\
+	dtype *elem, *d;						\
+	uint32_t i, n = 0;						\
+									\
+	for (i = 0; i < map->hashsize; i++) {				\
+		elem = HARRAY_ELEM(map->members, dtype *, i);		\
+		if (*elem) {						\
+			d = data + n * IPSET_VALIGN(sizeof(dtype), dont_align);\
+			*d = *elem;					\
+			n++;						\
+		}							\
+	}								\
+}
+
+#define HASH_LIST_MEMBERS_MEMCPY(type, dtype, nonzero)			\
+static void								\
+type##_list_members(const struct ip_set *set, void *data, char dont_align)\
+{									\
+	const struct ip_set_##type *map = set->data;			\
+	dtype *elem;							\
+	uint32_t i, n = 0;						\
+									\
+	for (i = 0; i < map->hashsize; i++) {				\
+		elem = HARRAY_ELEM(map->members, dtype *, i);		\
+		if (nonzero) {						\
+			memcpy(data + n * IPSET_VALIGN(sizeof(dtype), dont_align),\
+			       elem, sizeof(dtype));			\
+			n++;						\
+		}							\
+	}								\
+}
+
+#define IP_SET_RTYPE(type, __features)					\
+struct ip_set_type ip_set_##type = {					\
+	.typename		= #type,				\
+	.features		= __features,				\
+	.protocol_version	= IP_SET_PROTOCOL_VERSION,		\
+	.create			= &type##_create,			\
+	.retry			= &type##_retry,			\
+	.destroy		= &type##_destroy,			\
+	.flush			= &type##_flush,			\
+	.reqsize		= sizeof(struct ip_set_req_##type),	\
+	.addip			= &type##_uadd,				\
+	.addip_kernel		= &type##_kadd,				\
+	.delip			= &type##_udel,				\
+	.delip_kernel		= &type##_kdel,				\
+	.testip			= &type##_utest,			\
+	.testip_kernel		= &type##_ktest,			\
+	.header_size		= sizeof(struct ip_set_req_##type##_create),\
+	.list_header		= &type##_list_header,			\
+	.list_members_size	= &type##_list_members_size,		\
+	.list_members		= &type##_list_members,			\
+	.me			= THIS_MODULE,				\
+};
+
+/* Helper functions */
+static inline void
+add_cidr_size(uint8_t *cidr, uint8_t size)
+{
+	uint8_t next;
+	int i;
+	
+	for (i = 0; i < 30 && cidr[i]; i++) {
+		if (cidr[i] < size) {
+			next = cidr[i];
+			cidr[i] = size;
+			size = next;
+		}
+	}
+	if (i < 30)
+		cidr[i] = size;
+}
+
+static inline void
+del_cidr_size(uint8_t *cidr, uint8_t size)
+{
+	int i;
+	
+	for (i = 0; i < 29 && cidr[i]; i++) {
+		if (cidr[i] == size)
+			cidr[i] = size = cidr[i+1];
+	}
+	cidr[29] = 0;
+}
+#else
+#include <arpa/inet.h>
+#endif /* __KERNEL */
+
+#ifndef UINT16_MAX
+#define UINT16_MAX 65535
+#endif
+
+static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1};
+
+static inline ip_set_ip_t 
+pack_ip_cidr(ip_set_ip_t ip, unsigned char cidr)
+{
+	ip_set_ip_t addr, *paddr = &addr;
+	unsigned char n, t, *a;
+
+	addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr))));
+#ifdef __KERNEL__
+	DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr);
+#endif
+	n = cidr / 8;
+	t = cidr % 8;	
+	a = &((unsigned char *)paddr)[n];
+	*a = *a /(1 << (8 - t)) + shifts[t];
+#ifdef __KERNEL__
+	DP("n: %u, t: %u, a: %u", n, t, *a);
+	DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u",
+	   HIPQUAD(ip), cidr, NIPQUAD(addr));
+#endif
+
+	return ntohl(addr);
+}
+
+
+#endif /* __IP_SET_HASHES_H */

extensions/ipset/ip_set_iphash.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+/* Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -8,232 +8,105 @@
 /* Kernel module implementing an ip hash set */
 
 #include <linux/module.h>
+#include <linux/moduleparam.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/version.h>
-#include <linux/jhash.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "ip_set.h"
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
 #include <linux/spinlock.h>
-#include <linux/vmalloc.h>
 #include <linux/random.h>
 
 #include <net/ip.h>
 
-#include "ip_set_malloc.h"
 #include "ip_set_iphash.h"
 
 static int limit = MAX_RANGE;
 
 static inline __u32
-jhash_ip(const struct ip_set_iphash *map, uint16_t i, ip_set_ip_t ip)
-{
-	return jhash_1word(ip, *(((uint32_t *) map->initval) + i));
-}
-
-static inline __u32
-hash_id(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+iphash_id(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iphash *map = set->data;
 	__u32 id;
 	u_int16_t i;
 	ip_set_ip_t *elem;
 
-	*hash_ip = ip & map->netmask;
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip), HIPQUAD(map->netmask));
-	
+
+	ip &= map->netmask;	
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
 	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip(map, i, *hash_ip) % map->hashsize;
+		id = jhash_ip(map, i, ip) % map->hashsize;
 		DP("hash key: %u", id);
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-		if (*elem == *hash_ip)
+		if (*elem == ip)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
 
 static inline int
-__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+iphash_test(struct ip_set *set, ip_set_ip_t ip)
 {
-	return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
+	return (ip && iphash_id(set, ip) != UINT_MAX);
 }
 
-static int
-testip(struct ip_set *set, const void *data, size_t size,
-       ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_iphash *req = data;
+#define KADT_CONDITION
 
-	if (size != sizeof(struct ip_set_req_iphash)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_iphash),
-			      size);
-		return -EINVAL;
-	}
-	return __testip(set, req->ip, hash_ip);
-}
-
-static int
-testip_kernel(struct ip_set *set,
-	      const struct sk_buff *skb,
-	      ip_set_ip_t *hash_ip,
-	      const u_int32_t *flags,
-	      unsigned char index)
-{
-	return __testip(set,
-			ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-				? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-			hash_ip);
-}
+UADT(iphash, test)
+KADT(iphash, test, ipaddr)
 
 static inline int
-__addip(struct ip_set_iphash *map, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+__iphash_add(struct ip_set_iphash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
-	
-	if (!ip || map->elements >= limit)
-		return -ERANGE;
-
-	*hash_ip = ip & map->netmask;
+	ip_set_ip_t *elem, *slot = NULL;
 	
 	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip(map, i, *hash_ip) % map->hashsize;
+		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
-		if (*elem == *hash_ip)
+		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *hash_ip;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;
 }
 
-static int
-addip(struct ip_set *set, const void *data, size_t size,
-        ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_iphash *req = data;
-
-	if (size != sizeof(struct ip_set_req_iphash)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_iphash),
-			      size);
-		return -EINVAL;
-	}
-	return __addip(set->data, req->ip, hash_ip);
-}
-
-static int
-addip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	return __addip((struct ip_set_iphash *) set->data,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-		       		? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       hash_ip);
-}
-
-static int retry(struct ip_set *set)
+static inline int
+iphash_add(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iphash *map = set->data;
-	ip_set_ip_t hash_ip, *elem;
-	void *members;
-	u_int32_t i, hashsize = map->hashsize;
-	int res;
-	struct ip_set_iphash *tmp;
 	
-	if (map->resize == 0)
+	if (!ip || map->elements >= limit)
 		return -ERANGE;
 
-    again:
-    	res = 0;
-    	
-	/* Calculate new hash size */
-	hashsize += (hashsize * map->resize)/100;
-	if (hashsize == map->hashsize)
-		hashsize++;
-	
-	ip_set_printk("rehashing of set %s triggered: "
-		      "hashsize grows from %u to %u",
-		      set->name, map->hashsize, hashsize);
-
-	tmp = kmalloc(sizeof(struct ip_set_iphash)
-		      + map->probes * sizeof(uint32_t), GFP_ATOMIC);
-	if (!tmp) {
-		DP("out of memory for %d bytes",
-		   sizeof(struct ip_set_iphash)
-		   + map->probes * sizeof(uint32_t));
-		return -ENOMEM;
-	}
-	tmp->members = harray_malloc(hashsize, sizeof(ip_set_ip_t), GFP_ATOMIC);
-	if (!tmp->members) {
-		DP("out of memory for %d bytes", hashsize * sizeof(ip_set_ip_t));
-		kfree(tmp);
-		return -ENOMEM;
-	}
-	tmp->hashsize = hashsize;
-	tmp->elements = 0;
-	tmp->probes = map->probes;
-	tmp->resize = map->resize;
-	tmp->netmask = map->netmask;
-	memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t));
-	
-	write_lock_bh(&set->lock);
-	map = set->data; /* Play safe */
-	for (i = 0; i < map->hashsize && res == 0; i++) {
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i);	
-		if (*elem)
-			res = __addip(tmp, *elem, &hash_ip);
-	}
-	if (res) {
-		/* Failure, try again */
-		write_unlock_bh(&set->lock);
-		harray_free(tmp->members);
-		kfree(tmp);
-		goto again;
-	}
-	
-	/* Success at resizing! */
-	members = map->members;
-
-	map->hashsize = tmp->hashsize;
-	map->members = tmp->members;
-	write_unlock_bh(&set->lock);
-
-	harray_free(members);
-	kfree(tmp);
-
-	return 0;
+	ip &= map->netmask;
+	return __iphash_add(map, &ip);
 }
 
+UADT(iphash, add)
+KADT(iphash, add, ipaddr)
+
+static inline void
+__iphash_retry(struct ip_set_iphash *tmp, struct ip_set_iphash *map)
+{
+	tmp->netmask = map->netmask;
+}
+
+HASH_RETRY(iphash, ip_set_ip_t)
+
 static inline int
-__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+iphash_del(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iphash *map = set->data;
 	ip_set_ip_t id, *elem;
@@ -241,7 +114,7 @@ __delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 	if (!ip)
 		return -ERANGE;
 
-	id = hash_id(set, ip, hash_ip);
+	id = iphash_id(set, ip);
 	if (id == UINT_MAX)
 		return -EEXIST;
 		
@@ -252,156 +125,35 @@ __delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 	return 0;
 }
 
-static int
-delip(struct ip_set *set, const void *data, size_t size,
-        ip_set_ip_t *hash_ip)
+UADT(iphash, del)
+KADT(iphash, del, ipaddr)
+
+static inline int
+__iphash_create(const struct ip_set_req_iphash_create *req,
+		struct ip_set_iphash *map)
 {
-	const struct ip_set_req_iphash *req = data;
-
-	if (size != sizeof(struct ip_set_req_iphash)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_iphash),
-			      size);
-		return -EINVAL;
-	}
-	return __delip(set, req->ip, hash_ip);
-}
-
-static int
-delip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	return __delip(set,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-				? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       hash_ip);
-}
-
-static int create(struct ip_set *set, const void *data, size_t size)
-{
-	const struct ip_set_req_iphash_create *req = data;
-	struct ip_set_iphash *map;
-	uint16_t i;
-
-	if (size != sizeof(struct ip_set_req_iphash_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			       sizeof(struct ip_set_req_iphash_create),
-			       size);
-		return -EINVAL;
-	}
-
-	if (req->hashsize < 1) {
-		ip_set_printk("hashsize too small");
-		return -ENOEXEC;
-	}
-
-	if (req->probes < 1) {
-		ip_set_printk("probes too small");
-		return -ENOEXEC;
-	}
-
-	map = kmalloc(sizeof(struct ip_set_iphash)
-		      + req->probes * sizeof(uint32_t), GFP_KERNEL);
-	if (!map) {
-		DP("out of memory for %d bytes",
-		   sizeof(struct ip_set_iphash)
-		   + req->probes * sizeof(uint32_t));
-		return -ENOMEM;
-	}
-	for (i = 0; i < req->probes; i++)
-		get_random_bytes(((uint32_t *) map->initval)+i, 4);
-	map->elements = 0;
-	map->hashsize = req->hashsize;
-	map->probes = req->probes;
-	map->resize = req->resize;
 	map->netmask = req->netmask;
-	map->members = harray_malloc(map->hashsize, sizeof(ip_set_ip_t), GFP_KERNEL);
-	if (!map->members) {
-		DP("out of memory for %d bytes", map->hashsize * sizeof(ip_set_ip_t));
-		kfree(map);
-		return -ENOMEM;
-	}
-
-	set->data = map;
+	
 	return 0;
 }
 
-static void destroy(struct ip_set *set)
-{
-	struct ip_set_iphash *map = set->data;
+HASH_CREATE(iphash, ip_set_ip_t)
+HASH_DESTROY(iphash)
 
-	harray_free(map->members);
-	kfree(map);
+HASH_FLUSH(iphash, ip_set_ip_t)
 
-	set->data = NULL;
-}
-
-static void flush(struct ip_set *set)
-{
-	struct ip_set_iphash *map = set->data;
-	harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
-	map->elements = 0;
-}
-
-static void list_header(const struct ip_set *set, void *data)
-{
-	struct ip_set_iphash *map = set->data;
-	struct ip_set_req_iphash_create *header = data;
-
-	header->hashsize = map->hashsize;
-	header->probes = map->probes;
-	header->resize = map->resize;
+static inline void
+__iphash_list_header(const struct ip_set_iphash *map,
+		     struct ip_set_req_iphash_create *header)
+{    
 	header->netmask = map->netmask;
 }
 
-static int list_members_size(const struct ip_set *set)
-{
-	const struct ip_set_iphash *map = set->data;
+HASH_LIST_HEADER(iphash)
+HASH_LIST_MEMBERS_SIZE(iphash, ip_set_ip_t)
+HASH_LIST_MEMBERS(iphash, ip_set_ip_t)
 
-	return (map->hashsize * sizeof(ip_set_ip_t));
-}
-
-static void list_members(const struct ip_set *set, void *data)
-{
-	const struct ip_set_iphash *map = set->data;
-	ip_set_ip_t i, *elem;
-
-	for (i = 0; i < map->hashsize; i++) {
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i);	
-		((ip_set_ip_t *)data)[i] = *elem;
-	}
-}
-
-static struct ip_set_type ip_set_iphash = {
-	.typename		= SETTYPE_NAME,
-	.features		= IPSET_TYPE_IP | IPSET_DATA_SINGLE,
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,
-	.create			= &create,
-	.destroy		= &destroy,
-	.flush			= &flush,
-	.reqsize		= sizeof(struct ip_set_req_iphash),
-	.addip			= &addip,
-	.addip_kernel		= &addip_kernel,
-	.retry			= &retry,
-	.delip			= &delip,
-	.delip_kernel		= &delip_kernel,
-	.testip			= &testip,
-	.testip_kernel		= &testip_kernel,
-	.header_size		= sizeof(struct ip_set_req_iphash_create),
-	.list_header		= &list_header,
-	.list_members_size	= &list_members_size,
-	.list_members		= &list_members,
-	.me			= THIS_MODULE,
-};
+IP_SET_RTYPE(iphash, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -409,17 +161,4 @@ MODULE_DESCRIPTION("iphash type of IP sets");
 module_param(limit, int, 0600);
 MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
 
-static int __init ip_set_iphash_init(void)
-{
-	init_max_page_size();
-	return ip_set_register_set_type(&ip_set_iphash);
-}
-
-static void __exit ip_set_iphash_fini(void)
-{
-	/* FIXME: possible race with ip_set_create() */
-	ip_set_unregister_set_type(&ip_set_iphash);
-}
-
-module_init(ip_set_iphash_init);
-module_exit(ip_set_iphash_fini);
+REGISTER_MODULE(iphash)

extensions/ipset/ip_set_iphash.h

@@ -2,9 +2,9 @@
 #define __IP_SET_IPHASH_H
 
 #include "ip_set.h"
+#include "ip_set_hashes.h"
 
-#define SETTYPE_NAME "iphash"
-#define MAX_RANGE 0x0000FFFF
+#define SETTYPE_NAME		"iphash"
 
 struct ip_set_iphash {
 	ip_set_ip_t *members;		/* the iphash proper */
@@ -13,7 +13,7 @@ struct ip_set_iphash {
 	uint16_t probes;		/* max number of probes  */
 	uint16_t resize;		/* resize factor in percent */
 	ip_set_ip_t netmask;		/* netmask */
-	void *initval[0];		/* initvals for jhash_1word */
+	initval_t initval[0];		/* initvals for jhash_1word */
 };
 
 struct ip_set_req_iphash_create {

extensions/ipset/ip_set_ipmap.c

@@ -1,6 +1,6 @@
 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
  *                         Patrick Schaaf <bof@bof.de>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -12,9 +12,6 @@
 #include <linux/module.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/version.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "ip_set.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -25,188 +22,66 @@
 static inline ip_set_ip_t
 ip_to_id(const struct ip_set_ipmap *map, ip_set_ip_t ip)
 {
-	return (ip - map->first_ip)/map->hosts;
+	return ((ip & map->netmask) - map->first_ip)/map->hosts;
 }
 
 static inline int
-__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+ipmap_test(const struct ip_set *set, ip_set_ip_t ip)
 {
-	struct ip_set_ipmap *map = set->data;
+	const struct ip_set_ipmap *map = set->data;
 	
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = ip & map->netmask;
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip));
-	return !!test_bit(ip_to_id(map, *hash_ip), map->members);
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
+	return !!test_bit(ip_to_id(map, ip), map->members);
 }
 
-static int
-testip(struct ip_set *set, const void *data, size_t size,
-       ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_ipmap *req = data;
+#define KADT_CONDITION
 
-	if (size != sizeof(struct ip_set_req_ipmap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_ipmap),
-			      size);
-		return -EINVAL;
-	}
-	return __testip(set, req->ip, hash_ip);
-}
-
-static int
-testip_kernel(struct ip_set *set,
-	      const struct sk_buff *skb,
-	      ip_set_ip_t *hash_ip,
-	      const u_int32_t *flags,
-	      unsigned char index)
-{
-	int res =  __testip(set,
-			ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-				? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-			hash_ip);
-	return (res < 0 ? 0 : res);
-}
+UADT(ipmap, test)
+KADT(ipmap, test, ipaddr)
 
 static inline int
-__addip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+ipmap_add(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_ipmap *map = set->data;
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = ip & map->netmask;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
-	if (test_and_set_bit(ip_to_id(map, *hash_ip), map->members))
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
+	if (test_and_set_bit(ip_to_id(map, ip), map->members))
 		return -EEXIST;
 
 	return 0;
 }
 
-static int
-addip(struct ip_set *set, const void *data, size_t size,
-      ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_ipmap *req = data;
-
-	if (size != sizeof(struct ip_set_req_ipmap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_ipmap),
-			      size);
-		return -EINVAL;
-	}
-	DP("%u.%u.%u.%u", HIPQUAD(req->ip));
-	return __addip(set, req->ip, hash_ip);
-}
-
-static int
-addip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	return __addip(set,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-		       		? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       hash_ip);
-}
+UADT(ipmap, add)
+KADT(ipmap, add, ipaddr)
 
 static inline int
-__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+ipmap_del(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_ipmap *map = set->data;
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = ip & map->netmask;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
-	if (!test_and_clear_bit(ip_to_id(map, *hash_ip), map->members))
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
+	if (!test_and_clear_bit(ip_to_id(map, ip), map->members))
 		return -EEXIST;
 	
 	return 0;
 }
 
-static int
-delip(struct ip_set *set, const void *data, size_t size,
-      ip_set_ip_t *hash_ip)
+UADT(ipmap, del)
+KADT(ipmap, del, ipaddr)
+
+static inline int
+__ipmap_create(const struct ip_set_req_ipmap_create *req,
+	       struct ip_set_ipmap *map)
 {
-	const struct ip_set_req_ipmap *req = data;
-
-	if (size != sizeof(struct ip_set_req_ipmap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_ipmap),
-			      size);
-		return -EINVAL;
-	}
-	return __delip(set, req->ip, hash_ip);
-}
-
-static int
-delip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	return __delip(set,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-				? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       hash_ip);
-}
-
-static int create(struct ip_set *set, const void *data, size_t size)
-{
-	int newbytes;
-	const struct ip_set_req_ipmap_create *req = data;
-	struct ip_set_ipmap *map;
-
-	if (size != sizeof(struct ip_set_req_ipmap_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_ipmap_create),
-			      size);
-		return -EINVAL;
-	}
-
-	DP("from %u.%u.%u.%u to %u.%u.%u.%u",
-	   HIPQUAD(req->from), HIPQUAD(req->to));
-
-	if (req->from > req->to) {
-		DP("bad ip range");
-		return -ENOEXEC;
-	}
-
-	map = kmalloc(sizeof(struct ip_set_ipmap), GFP_KERNEL);
-	if (!map) {
-		DP("out of memory for %d bytes",
-		   sizeof(struct ip_set_ipmap));
-		return -ENOMEM;
-	}
-	map->first_ip = req->from;
-	map->last_ip = req->to;
 	map->netmask = req->netmask;
 
 	if (req->netmask == 0xFFFFFFFF) {
@@ -215,12 +90,12 @@ static int create(struct ip_set *set, const void *data, size_t size)
 	} else {
 		unsigned int mask_bits, netmask_bits;
 		ip_set_ip_t mask;
-		
+
 		map->first_ip &= map->netmask;	/* Should we better bark? */
-		
+
 		mask = range_to_mask(map->first_ip, map->last_ip, &mask_bits);
 		netmask_bits = mask_to_bits(map->netmask);
-		
+
 		if ((!mask && (map->first_ip || map->last_ip != 0xFFFFFFFF))
 		    || netmask_bits <= mask_bits)
 			return -ENOEXEC;
@@ -231,101 +106,53 @@ static int create(struct ip_set *set, const void *data, size_t size)
 		map->sizeid = 2 << (netmask_bits - mask_bits - 1);
 	}
 	if (map->sizeid > MAX_RANGE + 1) {
-		ip_set_printk("range too big (max %d addresses)",
-			       MAX_RANGE+1);
-		kfree(map);
+		ip_set_printk("range too big, %d elements (max %d)",
+			       map->sizeid, MAX_RANGE+1);
 		return -ENOEXEC;
 	}
 	DP("hosts %u, sizeid %u", map->hosts, map->sizeid);
-	newbytes = bitmap_bytes(0, map->sizeid - 1);
-	map->members = kmalloc(newbytes, GFP_KERNEL);
-	if (!map->members) {
-		DP("out of memory for %d bytes", newbytes);
-		kfree(map);
-		return -ENOMEM;
-	}
-	memset(map->members, 0, newbytes);
-	
-	set->data = map;
-	return 0;
-}
-
-static void destroy(struct ip_set *set)
-{
-	struct ip_set_ipmap *map = set->data;
-	
-	kfree(map->members);
-	kfree(map);
-	
-	set->data = NULL;
-}
-
-static void flush(struct ip_set *set)
-{
-	struct ip_set_ipmap *map = set->data;
-	memset(map->members, 0, bitmap_bytes(0, map->sizeid - 1));
-}
-
-static void list_header(const struct ip_set *set, void *data)
-{
-	const struct ip_set_ipmap *map = set->data;
-	struct ip_set_req_ipmap_create *header = data;
-
-	header->from = map->first_ip;
-	header->to = map->last_ip;
-	header->netmask = map->netmask;
-}
-
-static int list_members_size(const struct ip_set *set)
-{
-	const struct ip_set_ipmap *map = set->data;
-
 	return bitmap_bytes(0, map->sizeid - 1);
 }
 
-static void list_members(const struct ip_set *set, void *data)
-{
-	const struct ip_set_ipmap *map = set->data;
-	int bytes = bitmap_bytes(0, map->sizeid - 1);
+BITMAP_CREATE(ipmap)
+BITMAP_DESTROY(ipmap)
+BITMAP_FLUSH(ipmap)
 
-	memcpy(data, map->members, bytes);
+static inline void
+__ipmap_list_header(const struct ip_set_ipmap *map,
+		    struct ip_set_req_ipmap_create *header)
+{
+	header->netmask = map->netmask;
 }
 
-static struct ip_set_type ip_set_ipmap = {
-	.typename		= SETTYPE_NAME,
-	.features		= IPSET_TYPE_IP | IPSET_DATA_SINGLE,
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,
-	.create			= &create,
-	.destroy		= &destroy,
-	.flush			= &flush,
-	.reqsize		= sizeof(struct ip_set_req_ipmap),
-	.addip			= &addip,
-	.addip_kernel		= &addip_kernel,
-	.delip			= &delip,
-	.delip_kernel		= &delip_kernel,
-	.testip			= &testip,
-	.testip_kernel		= &testip_kernel,
-	.header_size		= sizeof(struct ip_set_req_ipmap_create),
-	.list_header		= &list_header,
-	.list_members_size	= &list_members_size,
-	.list_members		= &list_members,
-	.me			= THIS_MODULE,
-};
+BITMAP_LIST_HEADER(ipmap)
+BITMAP_LIST_MEMBERS_SIZE(ipmap, ip_set_ip_t, map->sizeid,
+			 test_bit(i, map->members))
+
+static void
+ipmap_list_members(const struct ip_set *set, void *data, char dont_align)
+{
+	const struct ip_set_ipmap *map = set->data;
+	uint32_t i, n = 0;
+	ip_set_ip_t *d;
+	
+	if (dont_align) {
+		memcpy(data, map->members, map->size);
+		return;
+	}
+	
+	for (i = 0; i < map->sizeid; i++)
+		if (test_bit(i, map->members)) {
+			d = data + n * IPSET_ALIGN(sizeof(ip_set_ip_t));
+			*d = map->first_ip + i * map->hosts;
+			n++;
+		}
+}
+
+IP_SET_TYPE(ipmap, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("ipmap type of IP sets");
 
-static int __init ip_set_ipmap_init(void)
-{
-	return ip_set_register_set_type(&ip_set_ipmap);
-}
-
-static void __exit ip_set_ipmap_fini(void)
-{
-	/* FIXME: possible race with ip_set_create() */
-	ip_set_unregister_set_type(&ip_set_ipmap);
-}
-
-module_init(ip_set_ipmap_init);
-module_exit(ip_set_ipmap_fini);
+REGISTER_MODULE(ipmap)

extensions/ipset/ip_set_ipmap.h

@@ -2,9 +2,9 @@
 #define __IP_SET_IPMAP_H
 
 #include "ip_set.h"
+#include "ip_set_bitmaps.h"
 
-#define SETTYPE_NAME "ipmap"
-#define MAX_RANGE 0x0000FFFF
+#define SETTYPE_NAME		"ipmap"
 
 struct ip_set_ipmap {
 	void *members;			/* the ipmap proper */
@@ -13,6 +13,7 @@ struct ip_set_ipmap {
 	ip_set_ip_t netmask;		/* subnet netmask */
 	ip_set_ip_t sizeid;		/* size of set in IPs */
 	ip_set_ip_t hosts;		/* number of hosts in a subnet */
+	u_int32_t size;			/* size of the ipmap proper */
 };
 
 struct ip_set_req_ipmap_create {
@@ -25,7 +26,7 @@ struct ip_set_req_ipmap {
 	ip_set_ip_t ip;
 };
 
-static unsigned int
+static inline unsigned int
 mask_to_bits(ip_set_ip_t mask)
 {
 	unsigned int bits = 32;
@@ -35,19 +36,19 @@ mask_to_bits(ip_set_ip_t mask)
 		return bits;
 	
 	maskaddr = 0xFFFFFFFE;
-	while (--bits >= 0 && maskaddr != mask)
+	while (--bits > 0 && maskaddr != mask)
 		maskaddr <<= 1;
 	
 	return bits;
 }
 
-static ip_set_ip_t
+static inline ip_set_ip_t
 range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits)
 {
 	ip_set_ip_t mask = 0xFFFFFFFE;
 	
 	*bits = 32;
-	while (--(*bits) >= 0 && mask && (to & mask) != from)
+	while (--(*bits) > 0 && mask && (to & mask) != from)
 		mask <<= 1;
 		
 	return mask;

extensions/ipset/ip_set_ipporthash.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+/* Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -8,355 +8,131 @@
 /* Kernel module implementing an ip+port hash set */
 
 #include <linux/module.h>
+#include <linux/moduleparam.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/version.h>
-#include <linux/jhash.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "ip_set.h"
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
 #include <linux/spinlock.h>
-#include <linux/vmalloc.h>
 #include <linux/random.h>
 
 #include <net/ip.h>
 
-#include "ip_set_malloc.h"
 #include "ip_set_ipporthash.h"
+#include "ip_set_getport.h"
 
 static int limit = MAX_RANGE;
 
-/* We must handle non-linear skbs */
-static inline ip_set_ip_t
-get_port(const struct sk_buff *skb, u_int32_t flags)
-{
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-	struct iphdr *iph = ip_hdr(skb);
-#else
-	struct iphdr *iph = skb->nh.iph;
-#endif
-	u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET;
-
-	switch (iph->protocol) {
-	case IPPROTO_TCP: {
-		struct tcphdr tcph;
-		
-		/* See comments at tcp_match in ip_tables.c */
-		if (offset)
-			return INVALID_PORT;
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-		if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph)) < 0)
-#else
-		if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0)
-#endif
-			/* No choice either */
-			return INVALID_PORT;
-	     	
-	     	return ntohs(flags & IPSET_SRC ?
-			     tcph.source : tcph.dest);
-	    }
-	case IPPROTO_UDP: {
-		struct udphdr udph;
-
-		if (offset)
-			return INVALID_PORT;
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-		if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &udph, sizeof(udph)) < 0)
-#else
-		if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &udph, sizeof(udph)) < 0)
-#endif
-			/* No choice either */
-			return INVALID_PORT;
-	     	
-	     	return ntohs(flags & IPSET_SRC ?
-			     udph.source : udph.dest);
-	    }
-	default:
-		return INVALID_PORT;
-	}
-}
-
 static inline __u32
-jhash_ip(const struct ip_set_ipporthash *map, uint16_t i, ip_set_ip_t ip)
-{
-	return jhash_1word(ip, *(((uint32_t *) map->initval) + i));
-}
-
-#define HASH_IP(map, ip, port) (port + ((ip - ((map)->first_ip)) << 16))
-
-static inline __u32
-hash_id(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port,
-	ip_set_ip_t *hash_ip)
+ipporthash_id(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 {
 	struct ip_set_ipporthash *map = set->data;
 	__u32 id;
 	u_int16_t i;
 	ip_set_ip_t *elem;
 
-	*hash_ip = HASH_IP(map, ip, port);
-	DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip));
+	ip = pack_ip_port(map, ip, port);
+		
+	if (!ip)
+		return UINT_MAX;
 	
 	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip(map, i, *hash_ip) % map->hashsize;
+		id = jhash_ip(map, i, ip) % map->hashsize;
 		DP("hash key: %u", id);
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-		if (*elem == *hash_ip)
+		if (*elem == ip)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
 
 static inline int
-__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port,
-	 ip_set_ip_t *hash_ip)
+ipporthash_test(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 {
 	struct ip_set_ipporthash *map = set->data;
 	
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	return (hash_id(set, ip, port, hash_ip) != UINT_MAX);
+	return (ipporthash_id(set, ip, port) != UINT_MAX);
 }
 
-static int
-testip(struct ip_set *set, const void *data, size_t size,
-       ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_ipporthash *req = data;
-
-	if (size != sizeof(struct ip_set_req_ipporthash)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_ipporthash),
-			      size);
-		return -EINVAL;
-	}
-	return __testip(set, req->ip, req->port, hash_ip);
-}
-
-static int
-testip_kernel(struct ip_set *set,
-	      const struct sk_buff *skb,
-	      ip_set_ip_t *hash_ip,
-	      const u_int32_t *flags,
-	      unsigned char index)
-{
-	ip_set_ip_t port;
-	int res;
-
-	if (flags[index+1] == 0)
+#define KADT_CONDITION						\
+	ip_set_ip_t port;					\
+								\
+	if (flags[1] == 0)					\
+		return 0;					\
+								\
+	port = get_port(skb, ++flags);				\
+								\
+	if (port == INVALID_PORT)				\
 		return 0;
-		
-	port = get_port(skb, flags[index+1]);
 
-	DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
-	   flags[index] & IPSET_SRC ? "SRC" : "DST",
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-	   NIPQUAD(ip_hdr(skb)->saddr),
-	   NIPQUAD(ip_hdr(skb)->daddr));
-#else
-	   NIPQUAD(skb->nh.iph->saddr),
-	   NIPQUAD(skb->nh.iph->daddr));
-#endif
-	DP("flag %s port %u",
-	   flags[index+1] & IPSET_SRC ? "SRC" : "DST",
-	   port);	
-	if (port == INVALID_PORT)
-		return 0;	
-
-	res =  __testip(set,
-			ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-					? ip_hdr(skb)->saddr
-					: ip_hdr(skb)->daddr),
-#else
-					? skb->nh.iph->saddr
-					: skb->nh.iph->daddr),
-#endif
-			port,
-			hash_ip);
-	return (res < 0 ? 0 : res);
-	
-}
+UADT(ipporthash, test, req->port)
+KADT(ipporthash, test, ipaddr, port)
 
 static inline int
-__add_haship(struct ip_set_ipporthash *map, ip_set_ip_t hash_ip)
+__ipporthash_add(struct ip_set_ipporthash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip(map, i, hash_ip) % map->hashsize;
+		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
-		if (*elem == hash_ip)
+		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = hash_ip;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;
 }
 
 static inline int
-__addip(struct ip_set_ipporthash *map, ip_set_ip_t ip, ip_set_ip_t port,
-	ip_set_ip_t *hash_ip)
+ipporthash_add(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 {
+	struct ip_set_ipporthash *map = set->data;
 	if (map->elements > limit)
 		return -ERANGE;
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = HASH_IP(map, ip, port);
-	
-	return __add_haship(map, *hash_ip);
-}
+	ip = pack_ip_port(map, ip, port);
 
-static int
-addip(struct ip_set *set, const void *data, size_t size,
-        ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_ipporthash *req = data;
-
-	if (size != sizeof(struct ip_set_req_ipporthash)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_ipporthash),
-			      size);
-		return -EINVAL;
-	}
-	return __addip(set->data, req->ip, req->port, hash_ip);
-}
-
-static int
-addip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	ip_set_ip_t port;
-
-	if (flags[index+1] == 0)
-		return -EINVAL;
-		
-	port = get_port(skb, flags[index+1]);
-
-	DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
-	   flags[index] & IPSET_SRC ? "SRC" : "DST",
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-	   NIPQUAD(ip_hdr(skb)->saddr),
-	   NIPQUAD(ip_hdr(skb)->daddr));
-#else
-	   NIPQUAD(skb->nh.iph->saddr),
-	   NIPQUAD(skb->nh.iph->daddr));
-#endif
-	DP("flag %s port %u",
-	   flags[index+1] & IPSET_SRC ? "SRC" : "DST",
-	   port);	
-	if (port == INVALID_PORT)
-		return -EINVAL;	
-
-	return __addip(set->data,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-		       		? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       port,
-		       hash_ip);
-}
-
-static int retry(struct ip_set *set)
-{
-	struct ip_set_ipporthash *map = set->data;
-	ip_set_ip_t *elem;
-	void *members;
-	u_int32_t i, hashsize = map->hashsize;
-	int res;
-	struct ip_set_ipporthash *tmp;
-	
-	if (map->resize == 0)
+	if (!ip)
 		return -ERANGE;
-
-    again:
-    	res = 0;
-    	
-	/* Calculate new hash size */
-	hashsize += (hashsize * map->resize)/100;
-	if (hashsize == map->hashsize)
-		hashsize++;
 	
-	ip_set_printk("rehashing of set %s triggered: "
-		      "hashsize grows from %u to %u",
-		      set->name, map->hashsize, hashsize);
+	return __ipporthash_add(map, &ip);
+}
 
-	tmp = kmalloc(sizeof(struct ip_set_ipporthash)
-		      + map->probes * sizeof(uint32_t), GFP_ATOMIC);
-	if (!tmp) {
-		DP("out of memory for %d bytes",
-		   sizeof(struct ip_set_ipporthash)
-		   + map->probes * sizeof(uint32_t));
-		return -ENOMEM;
-	}
-	tmp->members = harray_malloc(hashsize, sizeof(ip_set_ip_t), GFP_ATOMIC);
-	if (!tmp->members) {
-		DP("out of memory for %d bytes", hashsize * sizeof(ip_set_ip_t));
-		kfree(tmp);
-		return -ENOMEM;
-	}
-	tmp->hashsize = hashsize;
-	tmp->elements = 0;
-	tmp->probes = map->probes;
-	tmp->resize = map->resize;
+UADT(ipporthash, add, req->port)
+KADT(ipporthash, add, ipaddr, port)
+
+static inline void
+__ipporthash_retry(struct ip_set_ipporthash *tmp,
+		   struct ip_set_ipporthash *map)
+{
 	tmp->first_ip = map->first_ip;
 	tmp->last_ip = map->last_ip;
-	memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t));
-	
-	write_lock_bh(&set->lock);
-	map = set->data; /* Play safe */
-	for (i = 0; i < map->hashsize && res == 0; i++) {
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i);	
-		if (*elem)
-			res = __add_haship(tmp, *elem);
-	}
-	if (res) {
-		/* Failure, try again */
-		write_unlock_bh(&set->lock);
-		harray_free(tmp->members);
-		kfree(tmp);
-		goto again;
-	}
-	
-	/* Success at resizing! */
-	members = map->members;
-
-	map->hashsize = tmp->hashsize;
-	map->members = tmp->members;
-	write_unlock_bh(&set->lock);
-
-	harray_free(members);
-	kfree(tmp);
-
-	return 0;
 }
 
+HASH_RETRY(ipporthash, ip_set_ip_t)
+
 static inline int
-__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port,
-	ip_set_ip_t *hash_ip)
+ipporthash_del(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port)
 {
 	struct ip_set_ipporthash *map = set->data;
 	ip_set_ip_t id;
@@ -365,7 +141,7 @@ __delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port,
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
 
-	id = hash_id(set, ip, port, hash_ip);
+	id = ipporthash_id(set, ip, port);
 
 	if (id == UINT_MAX)
 		return -EEXIST;
@@ -377,181 +153,40 @@ __delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port,
 	return 0;
 }
 
-static int
-delip(struct ip_set *set, const void *data, size_t size,
-        ip_set_ip_t *hash_ip)
+UADT(ipporthash, del, req->port)
+KADT(ipporthash, del, ipaddr, port)
+
+static inline int
+__ipporthash_create(const struct ip_set_req_ipporthash_create *req,
+		    struct ip_set_ipporthash *map)
 {
-	const struct ip_set_req_ipporthash *req = data;
-
-	if (size != sizeof(struct ip_set_req_ipporthash)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_ipporthash),
-			      size);
-		return -EINVAL;
-	}
-	return __delip(set, req->ip, req->port, hash_ip);
-}
-
-static int
-delip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	ip_set_ip_t port;
-
-	if (flags[index+1] == 0)
-		return -EINVAL;
-		
-	port = get_port(skb, flags[index+1]);
-
-	DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
-	   flags[index] & IPSET_SRC ? "SRC" : "DST",
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-	   NIPQUAD(ip_hdr(skb)->saddr),
-	   NIPQUAD(ip_hdr(skb)->daddr));
-#else
-	   NIPQUAD(skb->nh.iph->saddr),
-	   NIPQUAD(skb->nh.iph->daddr));
-#endif
-	DP("flag %s port %u",
-	   flags[index+1] & IPSET_SRC ? "SRC" : "DST",
-	   port);	
-	if (port == INVALID_PORT)
-		return -EINVAL;	
-
-	return __delip(set,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-		       		? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       port,
-		       hash_ip);
-}
-
-static int create(struct ip_set *set, const void *data, size_t size)
-{
-	const struct ip_set_req_ipporthash_create *req = data;
-	struct ip_set_ipporthash *map;
-	uint16_t i;
-
-	if (size != sizeof(struct ip_set_req_ipporthash_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			       sizeof(struct ip_set_req_ipporthash_create),
-			       size);
-		return -EINVAL;
-	}
-
-	if (req->hashsize < 1) {
-		ip_set_printk("hashsize too small");
+	if (req->to - req->from > MAX_RANGE) {
+		ip_set_printk("range too big, %d elements (max %d)",
+			      req->to - req->from + 1, MAX_RANGE+1);
 		return -ENOEXEC;
 	}
-
-	if (req->probes < 1) {
-		ip_set_printk("probes too small");
-		return -ENOEXEC;
-	}
-
-	map = kmalloc(sizeof(struct ip_set_ipporthash)
-		      + req->probes * sizeof(uint32_t), GFP_KERNEL);
-	if (!map) {
-		DP("out of memory for %d bytes",
-		   sizeof(struct ip_set_ipporthash)
-		   + req->probes * sizeof(uint32_t));
-		return -ENOMEM;
-	}
-	for (i = 0; i < req->probes; i++)
-		get_random_bytes(((uint32_t *) map->initval)+i, 4);
-	map->elements = 0;
-	map->hashsize = req->hashsize;
-	map->probes = req->probes;
-	map->resize = req->resize;
 	map->first_ip = req->from;
 	map->last_ip = req->to;
-	map->members = harray_malloc(map->hashsize, sizeof(ip_set_ip_t), GFP_KERNEL);
-	if (!map->members) {
-		DP("out of memory for %d bytes", map->hashsize * sizeof(ip_set_ip_t));
-		kfree(map);
-		return -ENOMEM;
-	}
-
-	set->data = map;
 	return 0;
 }
 
-static void destroy(struct ip_set *set)
+HASH_CREATE(ipporthash, ip_set_ip_t)
+HASH_DESTROY(ipporthash)
+HASH_FLUSH(ipporthash, ip_set_ip_t)
+
+static inline void
+__ipporthash_list_header(const struct ip_set_ipporthash *map,
+			 struct ip_set_req_ipporthash_create *header)
 {
-	struct ip_set_ipporthash *map = set->data;
-
-	harray_free(map->members);
-	kfree(map);
-
-	set->data = NULL;
-}
-
-static void flush(struct ip_set *set)
-{
-	struct ip_set_ipporthash *map = set->data;
-	harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
-	map->elements = 0;
-}
-
-static void list_header(const struct ip_set *set, void *data)
-{
-	const struct ip_set_ipporthash *map = set->data;
-	struct ip_set_req_ipporthash_create *header = data;
-
-	header->hashsize = map->hashsize;
-	header->probes = map->probes;
-	header->resize = map->resize;
 	header->from = map->first_ip;
 	header->to = map->last_ip;
 }
 
-static int list_members_size(const struct ip_set *set)
-{
-	const struct ip_set_ipporthash *map = set->data;
+HASH_LIST_HEADER(ipporthash)
+HASH_LIST_MEMBERS_SIZE(ipporthash, ip_set_ip_t)
+HASH_LIST_MEMBERS(ipporthash, ip_set_ip_t)
 
-	return (map->hashsize * sizeof(ip_set_ip_t));
-}
-
-static void list_members(const struct ip_set *set, void *data)
-{
-	const struct ip_set_ipporthash *map = set->data;
-	ip_set_ip_t i, *elem;
-
-	for (i = 0; i < map->hashsize; i++) {
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i);	
-		((ip_set_ip_t *)data)[i] = *elem;
-	}
-}
-
-static struct ip_set_type ip_set_ipporthash = {
-	.typename		= SETTYPE_NAME,
-	.features		= IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_DATA_DOUBLE,
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,
-	.create			= &create,
-	.destroy		= &destroy,
-	.flush			= &flush,
-	.reqsize		= sizeof(struct ip_set_req_ipporthash),
-	.addip			= &addip,
-	.addip_kernel		= &addip_kernel,
-	.retry			= &retry,
-	.delip			= &delip,
-	.delip_kernel		= &delip_kernel,
-	.testip			= &testip,
-	.testip_kernel		= &testip_kernel,
-	.header_size		= sizeof(struct ip_set_req_ipporthash_create),
-	.list_header		= &list_header,
-	.list_members_size	= &list_members_size,
-	.list_members		= &list_members,
-	.me			= THIS_MODULE,
-};
+IP_SET_RTYPE(ipporthash, IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_DATA_DOUBLE)
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -559,17 +194,4 @@ MODULE_DESCRIPTION("ipporthash type of IP sets");
 module_param(limit, int, 0600);
 MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
 
-static int __init ip_set_ipporthash_init(void)
-{
-	init_max_page_size();
-	return ip_set_register_set_type(&ip_set_ipporthash);
-}
-
-static void __exit ip_set_ipporthash_fini(void)
-{
-	/* FIXME: possible race with ip_set_create() */
-	ip_set_unregister_set_type(&ip_set_ipporthash);
-}
-
-module_init(ip_set_ipporthash_init);
-module_exit(ip_set_ipporthash_fini);
+REGISTER_MODULE(ipporthash)

extensions/ipset/ip_set_ipporthash.h

@@ -2,10 +2,9 @@
 #define __IP_SET_IPPORTHASH_H
 
 #include "ip_set.h"
+#include "ip_set_hashes.h"
 
-#define SETTYPE_NAME "ipporthash"
-#define MAX_RANGE 0x0000FFFF
-#define INVALID_PORT	(MAX_RANGE + 1)
+#define SETTYPE_NAME			"ipporthash"
 
 struct ip_set_ipporthash {
 	ip_set_ip_t *members;		/* the ipporthash proper */
@@ -15,7 +14,7 @@ struct ip_set_ipporthash {
 	uint16_t resize;		/* resize factor in percent */
 	ip_set_ip_t first_ip;		/* host byte order, included in range */
 	ip_set_ip_t last_ip;		/* host byte order, included in range */
-	void *initval[0];		/* initvals for jhash_1word */
+	initval_t initval[0];		/* initvals for jhash_1word */
 };
 
 struct ip_set_req_ipporthash_create {

extensions/ipset/ip_set_ipportiphash.c

@@ -0,0 +1,215 @@
+/* Copyright (C) 2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+/* Kernel module implementing an ip+port+ip hash set */
+
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <linux/skbuff.h>
+#include "ip_set_jhash.h"
+#include <linux/errno.h>
+#include <asm/uaccess.h>
+#include <asm/bitops.h>
+#include <linux/spinlock.h>
+#include <linux/random.h>
+
+#include <net/ip.h>
+
+#include "ip_set_ipportiphash.h"
+#include "ip_set_getport.h"
+
+static int limit = MAX_RANGE;
+
+#define jhash_ip2(map, i, ipport, ip1)		\
+	jhash_2words(ipport, ip1, *(map->initval + i))
+
+static inline __u32
+ipportiphash_id(struct ip_set *set,
+		ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportiphash *map = set->data;
+	__u32 id;
+	u_int16_t i;
+	struct ipportip *elem;
+
+	ip = pack_ip_port(map, ip, port);
+	if (!(ip || ip1))
+		return UINT_MAX;
+	
+	for (i = 0; i < map->probes; i++) {
+		id = jhash_ip2(map, i, ip, ip1) % map->hashsize;
+		DP("hash key: %u", id);
+		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
+		if (elem->ip == ip && elem->ip1 == ip1)
+			return id;
+		/* No shortcut - there can be deleted entries. */
+	}
+	return UINT_MAX;
+}
+
+static inline int
+ipportiphash_test(struct ip_set *set,
+		  ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportiphash *map = set->data;
+	
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+
+	return (ipportiphash_id(set, ip, port, ip1) != UINT_MAX);
+}
+
+#define KADT_CONDITION						\
+	ip_set_ip_t port, ip1;					\
+								\
+	if (flags[2] == 0)					\
+		return 0;					\
+								\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
+								\
+	if (port == INVALID_PORT)				\
+		return 0;
+
+UADT(ipportiphash, test, req->port, req->ip1)
+KADT(ipportiphash, test, ipaddr, port, ip1)
+
+static inline int
+__ipportip_add(struct ip_set_ipportiphash *map,
+	       ip_set_ip_t ip, ip_set_ip_t ip1)
+{
+	__u32 probe;
+	u_int16_t i;
+	struct ipportip *elem, *slot = NULL;
+
+	for (i = 0; i < map->probes; i++) {
+		probe = jhash_ip2(map, i, ip, ip1) % map->hashsize;
+		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
+		if (elem->ip == ip && elem->ip1 == ip1)
+			return -EEXIST;
+		if (!(slot || elem->ip || elem->ip1))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		slot->ip = ip;
+		slot->ip1 = ip1;
+		map->elements++;
+		return 0;
+	}
+	/* Trigger rehashing */
+	return -EAGAIN;
+}
+
+static inline int
+__ipportiphash_add(struct ip_set_ipportiphash *map,
+		   struct ipportip *elem)
+{
+	return __ipportip_add(map, elem->ip, elem->ip1);
+}
+
+static inline int
+ipportiphash_add(struct ip_set *set,
+		 ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportiphash *map = set->data;
+	
+	if (map->elements > limit)
+		return -ERANGE;
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+
+	ip = pack_ip_port(map, ip, port);
+	if (!(ip || ip1))
+		return -ERANGE;
+	
+	return __ipportip_add(map, ip, ip1);
+}
+
+UADT(ipportiphash, add, req->port, req->ip1)
+KADT(ipportiphash, add, ipaddr, port, ip1)
+
+static inline void
+__ipportiphash_retry(struct ip_set_ipportiphash *tmp,
+		     struct ip_set_ipportiphash *map)
+{
+	tmp->first_ip = map->first_ip;
+	tmp->last_ip = map->last_ip;
+}
+
+HASH_RETRY2(ipportiphash, struct ipportip)
+
+static inline int
+ipportiphash_del(struct ip_set *set,
+	       ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportiphash *map = set->data;
+	ip_set_ip_t id;
+	struct ipportip *elem;
+
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+
+	id = ipportiphash_id(set, ip, port, ip1);
+
+	if (id == UINT_MAX)
+		return -EEXIST;
+		
+	elem = HARRAY_ELEM(map->members, struct ipportip *, id);
+	elem->ip = elem->ip1 = 0;
+	map->elements--;
+
+	return 0;
+}
+
+UADT(ipportiphash, del, req->port, req->ip1)
+KADT(ipportiphash, del, ipaddr, port, ip1)
+
+static inline int
+__ipportiphash_create(const struct ip_set_req_ipportiphash_create *req,
+		      struct ip_set_ipportiphash *map)
+{
+	if (req->to - req->from > MAX_RANGE) {
+		ip_set_printk("range too big, %d elements (max %d)",
+			      req->to - req->from + 1, MAX_RANGE+1);
+		return -ENOEXEC;
+	}
+	map->first_ip = req->from;
+	map->last_ip = req->to;
+	return 0;
+}
+
+HASH_CREATE(ipportiphash, struct ipportip)
+HASH_DESTROY(ipportiphash)
+HASH_FLUSH(ipportiphash, struct ipportip)
+
+static inline void
+__ipportiphash_list_header(const struct ip_set_ipportiphash *map,
+			   struct ip_set_req_ipportiphash_create *header)
+{
+	header->from = map->first_ip;
+	header->to = map->last_ip;
+}
+
+HASH_LIST_HEADER(ipportiphash)
+HASH_LIST_MEMBERS_SIZE(ipportiphash, struct ipportip)
+HASH_LIST_MEMBERS_MEMCPY(ipportiphash, struct ipportip,
+			 (elem->ip || elem->ip1))
+
+IP_SET_RTYPE(ipportiphash, IPSET_TYPE_IP | IPSET_TYPE_PORT
+			   | IPSET_TYPE_IP1 | IPSET_DATA_TRIPLE)
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("ipportiphash type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
+
+REGISTER_MODULE(ipportiphash)

extensions/ipset/ip_set_ipportiphash.h

@@ -0,0 +1,39 @@
+#ifndef __IP_SET_IPPORTIPHASH_H
+#define __IP_SET_IPPORTIPHASH_H
+
+#include "ip_set.h"
+#include "ip_set_hashes.h"
+
+#define SETTYPE_NAME			"ipportiphash"
+
+struct ipportip {
+	ip_set_ip_t ip;
+	ip_set_ip_t ip1;
+};
+
+struct ip_set_ipportiphash {
+	struct ipportip *members;	/* the ipportip proper */
+	uint32_t elements;		/* number of elements */
+	uint32_t hashsize;		/* hash size */
+	uint16_t probes;		/* max number of probes  */
+	uint16_t resize;		/* resize factor in percent */
+	ip_set_ip_t first_ip;		/* host byte order, included in range */
+	ip_set_ip_t last_ip;		/* host byte order, included in range */
+	initval_t initval[0];		/* initvals for jhash_1word */
+};
+
+struct ip_set_req_ipportiphash_create {
+	uint32_t hashsize;
+	uint16_t probes;
+	uint16_t resize;
+	ip_set_ip_t from;
+	ip_set_ip_t to;
+};
+
+struct ip_set_req_ipportiphash {
+	ip_set_ip_t ip;
+	ip_set_ip_t port;
+	ip_set_ip_t ip1;
+};
+
+#endif	/* __IP_SET_IPPORTIPHASH_H */

extensions/ipset/ip_set_ipportnethash.c

@@ -0,0 +1,298 @@
+/* Copyright (C) 2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+/* Kernel module implementing an ip+port+net hash set */
+
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <linux/skbuff.h>
+#include "ip_set_jhash.h"
+#include <linux/errno.h>
+#include <asm/uaccess.h>
+#include <asm/bitops.h>
+#include <linux/spinlock.h>
+#include <linux/random.h>
+
+#include <net/ip.h>
+
+#include "ip_set_ipportnethash.h"
+#include "ip_set_getport.h"
+
+static int limit = MAX_RANGE;
+
+#define jhash_ip2(map, i, ipport, ip1)		\
+	jhash_2words(ipport, ip1, *(map->initval + i))
+
+static inline __u32
+ipportnethash_id_cidr(struct ip_set *set,
+		      ip_set_ip_t ip, ip_set_ip_t port,
+		      ip_set_ip_t ip1, uint8_t cidr)
+{
+	struct ip_set_ipportnethash *map = set->data;
+	__u32 id;
+	u_int16_t i;
+	struct ipportip *elem;
+
+	ip = pack_ip_port(map, ip, port);
+	ip1 = pack_ip_cidr(ip1, cidr);
+	if (!(ip || ip1))
+		return UINT_MAX;
+	
+	for (i = 0; i < map->probes; i++) {
+		id = jhash_ip2(map, i, ip, ip1) % map->hashsize;
+		DP("hash key: %u", id);
+		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
+		if (elem->ip == ip && elem->ip1 == ip1)
+			return id;
+		/* No shortcut - there can be deleted entries. */
+	}
+	return UINT_MAX;
+}
+
+static inline __u32
+ipportnethash_id(struct ip_set *set,
+		 ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportnethash *map = set->data;
+	__u32 id = UINT_MAX;
+	int i;
+
+	for (i = 0; i < 30 && map->cidr[i]; i++) {
+		id = ipportnethash_id_cidr(set, ip, port, ip1, map->cidr[i]);
+		if (id != UINT_MAX)
+			break;
+	}
+	return id;
+}
+
+static inline int
+ipportnethash_test_cidr(struct ip_set *set,
+			ip_set_ip_t ip, ip_set_ip_t port,
+			ip_set_ip_t ip1, uint8_t cidr)
+{
+	struct ip_set_ipportnethash *map = set->data;
+	
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+
+	return (ipportnethash_id_cidr(set, ip, port, ip1, cidr) != UINT_MAX);
+}
+
+static inline int
+ipportnethash_test(struct ip_set *set,
+		  ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportnethash *map = set->data;
+	
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+
+	return (ipportnethash_id(set, ip, port, ip1) != UINT_MAX);
+}
+
+static int
+ipportnethash_utest(struct ip_set *set, const void *data, u_int32_t size)
+{
+	const struct ip_set_req_ipportnethash *req = data;
+
+	if (req->cidr <= 0 || req->cidr > 32)
+		return -EINVAL;
+	return (req->cidr == 32 
+		? ipportnethash_test(set, req->ip, req->port, req->ip1)
+		: ipportnethash_test_cidr(set, req->ip, req->port,
+					  req->ip1, req->cidr));
+}
+
+#define KADT_CONDITION						\
+	ip_set_ip_t port, ip1;					\
+								\
+	if (flags[2] == 0)					\
+		return 0;					\
+								\
+	port = get_port(skb, ++flags);				\
+	ip1 = ipaddr(skb, ++flags);				\
+								\
+	if (port == INVALID_PORT)				\
+		return 0;
+
+KADT(ipportnethash, test, ipaddr, port, ip1)
+
+static inline int
+__ipportnet_add(struct ip_set_ipportnethash *map,
+		ip_set_ip_t ip, ip_set_ip_t ip1)
+{
+	__u32 probe;
+	u_int16_t i;
+	struct ipportip *elem, *slot = NULL;
+
+	for (i = 0; i < map->probes; i++) {
+		probe = jhash_ip2(map, i, ip, ip1) % map->hashsize;
+		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
+		if (elem->ip == ip && elem->ip1 == ip1)
+			return -EEXIST;
+		if (!(slot || elem->ip || elem->ip1))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		slot->ip = ip;
+		slot->ip1 = ip1;
+		map->elements++;
+		return 0;
+	}
+	/* Trigger rehashing */
+	return -EAGAIN;
+}
+
+static inline int
+__ipportnethash_add(struct ip_set_ipportnethash *map,
+		    struct ipportip *elem)
+{
+	return __ipportnet_add(map, elem->ip, elem->ip1);
+}
+
+static inline int
+ipportnethash_add(struct ip_set *set,
+		 ip_set_ip_t ip, ip_set_ip_t port,
+		 ip_set_ip_t ip1, uint8_t cidr)
+{
+	struct ip_set_ipportnethash *map = set->data;
+	struct ipportip;
+	int ret;
+	
+	if (map->elements > limit)
+		return -ERANGE;
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+	if (cidr <= 0 || cidr >= 32)
+		return -EINVAL;
+	if (map->nets[cidr-1] == UINT16_MAX)
+		return -ERANGE;
+
+	ip = pack_ip_port(map, ip, port);
+	ip1 = pack_ip_cidr(ip1, cidr);
+	if (!(ip || ip1))
+		return -ERANGE;
+	
+	ret =__ipportnet_add(map, ip, ip1);
+	if (ret == 0) {
+		if (!map->nets[cidr-1]++)
+			add_cidr_size(map->cidr, cidr);
+	}
+	return ret;
+}
+
+#undef KADT_CONDITION
+#define KADT_CONDITION							\
+	struct ip_set_ipportnethash *map = set->data;			\
+	uint8_t cidr = map->cidr[0] ? map->cidr[0] : 31;		\
+	ip_set_ip_t port, ip1;						\
+									\
+	if (flags[2] == 0)						\
+		return 0;						\
+									\
+	port = get_port(skb, flags++);					\
+	ip1 = ipaddr(skb, flags++);					\
+									\
+	if (port == INVALID_PORT)					\
+		return 0;
+
+UADT(ipportnethash, add, req->port, req->ip1, req->cidr)
+KADT(ipportnethash, add, ipaddr, port, ip1, cidr)
+
+static inline void
+__ipportnethash_retry(struct ip_set_ipportnethash *tmp,
+		      struct ip_set_ipportnethash *map)
+{
+	tmp->first_ip = map->first_ip;
+	tmp->last_ip = map->last_ip;
+	memcpy(tmp->cidr, map->cidr, sizeof(tmp->cidr));
+	memcpy(tmp->nets, map->nets, sizeof(tmp->nets));
+}
+
+HASH_RETRY2(ipportnethash, struct ipportip)
+
+static inline int
+ipportnethash_del(struct ip_set *set,
+	          ip_set_ip_t ip, ip_set_ip_t port,
+	          ip_set_ip_t ip1, uint8_t cidr)
+{
+	struct ip_set_ipportnethash *map = set->data;
+	ip_set_ip_t id;
+	struct ipportip *elem;
+
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+	if (!ip)
+		return -ERANGE;
+	if (cidr <= 0 || cidr >= 32)
+		return -EINVAL;	
+
+	id = ipportnethash_id_cidr(set, ip, port, ip1, cidr);
+
+	if (id == UINT_MAX)
+		return -EEXIST;
+		
+	elem = HARRAY_ELEM(map->members, struct ipportip *, id);
+	elem->ip = elem->ip1 = 0;
+	map->elements--;
+	if (!map->nets[cidr-1]--)
+		del_cidr_size(map->cidr, cidr);
+
+	return 0;
+}
+
+UADT(ipportnethash, del, req->port, req->ip1, req->cidr)
+KADT(ipportnethash, del, ipaddr, port, ip1, cidr)
+
+static inline int
+__ipportnethash_create(const struct ip_set_req_ipportnethash_create *req,
+		       struct ip_set_ipportnethash *map)
+{
+	if (req->to - req->from > MAX_RANGE) {
+		ip_set_printk("range too big, %d elements (max %d)",
+			      req->to - req->from + 1, MAX_RANGE+1);
+		return -ENOEXEC;
+	}
+	map->first_ip = req->from;
+	map->last_ip = req->to;
+	memset(map->cidr, 0, sizeof(map->cidr));
+	memset(map->nets, 0, sizeof(map->nets));
+	return 0;
+}
+
+HASH_CREATE(ipportnethash, struct ipportip)
+HASH_DESTROY(ipportnethash)
+HASH_FLUSH_CIDR(ipportnethash, struct ipportip);
+
+static inline void
+__ipportnethash_list_header(const struct ip_set_ipportnethash *map,
+			    struct ip_set_req_ipportnethash_create *header)
+{
+	header->from = map->first_ip;
+	header->to = map->last_ip;
+}
+
+HASH_LIST_HEADER(ipportnethash)
+
+HASH_LIST_MEMBERS_SIZE(ipportnethash, struct ipportip)
+HASH_LIST_MEMBERS_MEMCPY(ipportnethash, struct ipportip,
+			 (elem->ip || elem->ip1))
+
+IP_SET_RTYPE(ipportnethash, IPSET_TYPE_IP | IPSET_TYPE_PORT
+			    | IPSET_TYPE_IP1 | IPSET_DATA_TRIPLE)
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("ipportnethash type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
+
+REGISTER_MODULE(ipportnethash)

extensions/ipset/ip_set_ipportnethash.h

@@ -0,0 +1,42 @@
+#ifndef __IP_SET_IPPORTNETHASH_H
+#define __IP_SET_IPPORTNETHASH_H
+
+#include "ip_set.h"
+#include "ip_set_hashes.h"
+
+#define SETTYPE_NAME			"ipportnethash"
+
+struct ipportip {
+	ip_set_ip_t ip;
+	ip_set_ip_t ip1;
+};
+
+struct ip_set_ipportnethash {
+	struct ipportip *members;	/* the ipportip proper */
+	uint32_t elements;		/* number of elements */
+	uint32_t hashsize;		/* hash size */
+	uint16_t probes;		/* max number of probes  */
+	uint16_t resize;		/* resize factor in percent */
+	ip_set_ip_t first_ip;		/* host byte order, included in range */
+	ip_set_ip_t last_ip;		/* host byte order, included in range */
+	uint8_t cidr[30];		/* CIDR sizes */
+	uint16_t nets[30];		/* nr of nets by CIDR sizes */
+	initval_t initval[0];		/* initvals for jhash_1word */
+};
+
+struct ip_set_req_ipportnethash_create {
+	uint32_t hashsize;
+	uint16_t probes;
+	uint16_t resize;
+	ip_set_ip_t from;
+	ip_set_ip_t to;
+};
+
+struct ip_set_req_ipportnethash {
+	ip_set_ip_t ip;
+	ip_set_ip_t port;
+	ip_set_ip_t ip1;
+	uint8_t cidr;
+};
+
+#endif	/* __IP_SET_IPPORTNETHASH_H */

extensions/ipset/ip_set_iptree.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 2005 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+/* Copyright (C) 2005-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -7,24 +7,21 @@
 
 /* Kernel module implementing an IP set type: the iptree type */
 
-#include <linux/version.h>
 #include <linux/module.h>
+#include <linux/moduleparam.h>
 #include <linux/ip.h>
+#include <linux/jiffies.h>
 #include <linux/skbuff.h>
 #include <linux/slab.h>
 #include <linux/delay.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "ip_set.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
 #include <linux/spinlock.h>
+#include <linux/timer.h>
 
-/* Backward compatibility */
-#ifndef __nocast
-#define __nocast
-#endif
-
+#include "ip_set.h"
+#include "ip_set_bitmaps.h"
 #include "ip_set_iptree.h"
 
 static int limit = MAX_RANGE;
@@ -35,13 +32,9 @@ static int limit = MAX_RANGE;
  * to delete the gc timer at destroying/flushing a set */
 #define IPTREE_DESTROY_SLEEP	100
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20)
-static struct kmem_cache *branch_cachep;
-static struct kmem_cache *leaf_cachep;
-#else
-static kmem_cache_t *branch_cachep;
-static kmem_cache_t *leaf_cachep;
-#endif
+static __KMEM_CACHE_T__ *branch_cachep;
+static __KMEM_CACHE_T__ *leaf_cachep;
+
 
 #if defined(__LITTLE_ENDIAN)
 #define ABCD(a,b,c,d,addrp) do {		\
@@ -69,7 +62,7 @@ static kmem_cache_t *leaf_cachep;
 } while (0)
 
 static inline int
-__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+iptree_test(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
@@ -80,8 +73,7 @@ __testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 	if (!ip)
 		return -ERANGE;
 	
-	*hash_ip = ip;
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 	DP("%u %u %u %u timeout %u", a, b, c, d, map->timeout);
 	TESTIP_WALK(map, a, btree);
 	TESTIP_WALK(btree, b, ctree);
@@ -92,52 +84,10 @@ __testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 		   || time_after(dtree->expires[d], jiffies));
 }
 
-static int
-testip(struct ip_set *set, const void *data, size_t size,
-       ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_iptree *req = data;
+#define KADT_CONDITION
 
-	if (size != sizeof(struct ip_set_req_iptree)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_iptree),
-			      size);
-		return -EINVAL;
-	}
-	return __testip(set, req->ip, hash_ip);
-}
-
-static int
-testip_kernel(struct ip_set *set,
-	      const struct sk_buff *skb,
-	      ip_set_ip_t *hash_ip,
-	      const u_int32_t *flags,
-	      unsigned char index)
-{
-	int res;
-	
-	DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u",
-	   flags[index] & IPSET_SRC ? "SRC" : "DST",
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-	   NIPQUAD(ip_hdr(skb)->saddr),
-	   NIPQUAD(ip_hdr(skb)->daddr));
-#else
-	   NIPQUAD(skb->nh.iph->saddr),
-	   NIPQUAD(skb->nh.iph->daddr));
-#endif
-
-	res =  __testip(set,
-			ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-				? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-			hash_ip);
-	return (res < 0 ? 0 : res);
-}
+UADT(iptree, test)
+KADT(iptree, test, ipaddr)
 
 #define ADDIP_WALK(map, elem, branch, type, cachep) do {	\
 	if ((map)->tree[elem]) {				\
@@ -155,8 +105,7 @@ testip_kernel(struct ip_set *set,
 } while (0)	
 
 static inline int
-__addip(struct ip_set *set, ip_set_ip_t ip, unsigned int timeout,
-	ip_set_ip_t *hash_ip)
+iptree_add(struct ip_set *set, ip_set_ip_t ip, unsigned int timeout)
 {
 	struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
@@ -170,8 +119,7 @@ __addip(struct ip_set *set, ip_set_ip_t ip, unsigned int timeout,
 		 * but it's probably overkill */
 		return -ERANGE;
 	
-	*hash_ip = ip;
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 	DP("%u %u %u %u timeout %u", a, b, c, d, timeout);
 	ADDIP_WALK(map, a, btree, struct ip_set_iptreeb, branch_cachep);
 	ADDIP_WALK(btree, b, ctree, struct ip_set_iptreec, branch_cachep);
@@ -179,6 +127,8 @@ __addip(struct ip_set *set, ip_set_ip_t ip, unsigned int timeout,
 	if (dtree->expires[d]
 	    && (!map->timeout || time_after(dtree->expires[d], jiffies)))
 	    	ret = -EEXIST;
+	if (map->timeout && timeout == 0)
+		timeout = map->timeout;
 	dtree->expires[d] = map->timeout ? (timeout * HZ + jiffies) : 1;
 	/* Lottery: I won! */
 	if (dtree->expires[d] == 0)
@@ -189,46 +139,8 @@ __addip(struct ip_set *set, ip_set_ip_t ip, unsigned int timeout,
 	return ret;
 }
 
-static int
-addip(struct ip_set *set, const void *data, size_t size,
-      ip_set_ip_t *hash_ip)
-{
-	struct ip_set_iptree *map = set->data;
-	const struct ip_set_req_iptree *req = data;
-
-	if (size != sizeof(struct ip_set_req_iptree)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_iptree),
-			      size);
-		return -EINVAL;
-	}
-	DP("%u.%u.%u.%u %u", HIPQUAD(req->ip), req->timeout);
-	return __addip(set, req->ip,
-		       req->timeout ? req->timeout : map->timeout,
-		       hash_ip);
-}
-
-static int
-addip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	struct ip_set_iptree *map = set->data;
-
-	return __addip(set,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-		       		? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       map->timeout,
-		       hash_ip);
-}
+UADT(iptree, add, req->timeout)
+KADT(iptree, add, ipaddr, 0)
 
 #define DELIP_WALK(map, elem, branch) do {	\
 	if ((map)->tree[elem]) {		\
@@ -238,7 +150,7 @@ addip_kernel(struct ip_set *set,
 } while (0)
 
 static inline int
-__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+iptree_del(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
@@ -249,8 +161,7 @@ __delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 	if (!ip)
 		return -ERANGE;
 		
-	*hash_ip = ip;
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 	DELIP_WALK(map, a, btree);
 	DELIP_WALK(btree, b, ctree);
 	DELIP_WALK(ctree, c, dtree);
@@ -263,39 +174,8 @@ __delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 	return -EEXIST;
 }
 
-static int
-delip(struct ip_set *set, const void *data, size_t size,
-      ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_iptree *req = data;
-
-	if (size != sizeof(struct ip_set_req_iptree)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_iptree),
-			      size);
-		return -EINVAL;
-	}
-	return __delip(set, req->ip, hash_ip);
-}
-
-static int
-delip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	return __delip(set,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-		       		? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       hash_ip);
-}
+UADT(iptree, del)
+KADT(iptree, del, ipaddr)
 
 #define LOOP_WALK_BEGIN(map, i, branch) \
 	for (i = 0; i < 256; i++) {	\
@@ -305,7 +185,8 @@ delip_kernel(struct ip_set *set,
 
 #define LOOP_WALK_END }
 
-static void ip_tree_gc(unsigned long ul_set)
+static void
+ip_tree_gc(unsigned long ul_set)
 {
 	struct ip_set *set = (struct ip_set *) ul_set;
 	struct ip_set_iptree *map = set->data;
@@ -375,7 +256,8 @@ static void ip_tree_gc(unsigned long ul_set)
 	add_timer(&map->gc);
 }
 
-static inline void init_gc_timer(struct ip_set *set)
+static inline void
+init_gc_timer(struct ip_set *set)
 {
 	struct ip_set_iptree *map = set->data;
 
@@ -390,21 +272,22 @@ static inline void init_gc_timer(struct ip_set *set)
 	add_timer(&map->gc);
 }
 
-static int create(struct ip_set *set, const void *data, size_t size)
+static int
+iptree_create(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_req_iptree_create *req = data;
 	struct ip_set_iptree *map;
 
 	if (size != sizeof(struct ip_set_req_iptree_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
+		ip_set_printk("data length wrong (want %zu, have %lu)",
 			      sizeof(struct ip_set_req_iptree_create),
-			      size);
+			      (unsigned long)size);
 		return -EINVAL;
 	}
 
 	map = kmalloc(sizeof(struct ip_set_iptree), GFP_KERNEL);
 	if (!map) {
-		DP("out of memory for %d bytes",
+		DP("out of memory for %zu bytes",
 		   sizeof(struct ip_set_iptree));
 		return -ENOMEM;
 	}
@@ -418,7 +301,8 @@ static int create(struct ip_set *set, const void *data, size_t size)
 	return 0;
 }
 
-static void __flush(struct ip_set_iptree *map)
+static inline void
+__flush(struct ip_set_iptree *map)
 {
 	struct ip_set_iptreeb *btree;
 	struct ip_set_iptreec *ctree;
@@ -437,7 +321,8 @@ static void __flush(struct ip_set_iptree *map)
 	map->elements = 0;
 }
 
-static void destroy(struct ip_set *set)
+static void
+iptree_destroy(struct ip_set *set)
 {
 	struct ip_set_iptree *map = set->data;
 
@@ -449,7 +334,8 @@ static void destroy(struct ip_set *set)
 	set->data = NULL;
 }
 
-static void flush(struct ip_set *set)
+static void
+iptree_flush(struct ip_set *set)
 {
 	struct ip_set_iptree *map = set->data;
 	unsigned int timeout = map->timeout;
@@ -464,7 +350,8 @@ static void flush(struct ip_set *set)
 	init_gc_timer(set);
 }
 
-static void list_header(const struct ip_set *set, void *data)
+static void
+iptree_list_header(const struct ip_set *set, void *data)
 {
 	const struct ip_set_iptree *map = set->data;
 	struct ip_set_req_iptree_create *header = data;
@@ -472,7 +359,8 @@ static void list_header(const struct ip_set *set, void *data)
 	header->timeout = map->timeout;
 }
 
-static int list_members_size(const struct ip_set *set)
+static int
+iptree_list_members_size(const struct ip_set *set, char dont_align)
 {
 	const struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
@@ -494,19 +382,21 @@ static int list_members_size(const struct ip_set *set)
 	LOOP_WALK_END;
 
 	DP("members %u", count);
-	return (count * sizeof(struct ip_set_req_iptree));
+	return (count * IPSET_VALIGN(sizeof(struct ip_set_req_iptree), dont_align));
 }
 
-static void list_members(const struct ip_set *set, void *data)
+static void
+iptree_list_members(const struct ip_set *set, void *data, char dont_align)
 {
 	const struct ip_set_iptree *map = set->data;
 	struct ip_set_iptreeb *btree;
 	struct ip_set_iptreec *ctree;
 	struct ip_set_iptreed *dtree;
 	unsigned int a,b,c,d;
-	size_t offset = 0;
+	size_t offset = 0, datasize;
 	struct ip_set_req_iptree *entry;
 
+	datasize = IPSET_VALIGN(sizeof(struct ip_set_req_iptree), dont_align);
 	LOOP_WALK_BEGIN(map, a, btree);
 	LOOP_WALK_BEGIN(btree, b, ctree);
 	LOOP_WALK_BEGIN(ctree, c, dtree);
@@ -517,7 +407,7 @@ static void list_members(const struct ip_set *set, void *data)
 		    	entry->ip = ((a << 24) | (b << 16) | (c << 8) | d);
 		    	entry->timeout = !map->timeout ? 0
 				: (dtree->expires[d] - jiffies)/HZ;
-			offset += sizeof(struct ip_set_req_iptree);
+			offset += datasize;
 		}
 	}
 	LOOP_WALK_END;
@@ -525,26 +415,7 @@ static void list_members(const struct ip_set *set, void *data)
 	LOOP_WALK_END;
 }
 
-static struct ip_set_type ip_set_iptree = {
-	.typename		= SETTYPE_NAME,
-	.features		= IPSET_TYPE_IP | IPSET_DATA_SINGLE,
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,
-	.create			= &create,
-	.destroy		= &destroy,
-	.flush			= &flush,
-	.reqsize		= sizeof(struct ip_set_req_iptree),
-	.addip			= &addip,
-	.addip_kernel		= &addip_kernel,
-	.delip			= &delip,
-	.delip_kernel		= &delip_kernel,
-	.testip			= &testip,
-	.testip_kernel		= &testip_kernel,
-	.header_size		= sizeof(struct ip_set_req_iptree_create),
-	.list_header		= &list_header,
-	.list_members_size	= &list_members_size,
-	.list_members		= &list_members,
-	.me			= THIS_MODULE,
-};
+IP_SET_TYPE(iptree, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -556,29 +427,15 @@ static int __init ip_set_iptree_init(void)
 {
 	int ret;
 	
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
-	branch_cachep = kmem_cache_create("ip_set_iptreeb",
-				sizeof(struct ip_set_iptreeb),
-				0, 0, NULL);
-#else
-	branch_cachep = kmem_cache_create("ip_set_iptreeb",
-				sizeof(struct ip_set_iptreeb),
-				0, 0, NULL, NULL);
-#endif
+	branch_cachep = KMEM_CACHE_CREATE("ip_set_iptreeb",
+					  sizeof(struct ip_set_iptreeb));
 	if (!branch_cachep) {
 		printk(KERN_ERR "Unable to create ip_set_iptreeb slab cache\n");
 		ret = -ENOMEM;
 		goto out;
 	}
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
-	leaf_cachep = kmem_cache_create("ip_set_iptreed",
-				sizeof(struct ip_set_iptreed),
-				0, 0, NULL);
-#else
-	leaf_cachep = kmem_cache_create("ip_set_iptreed",
-				sizeof(struct ip_set_iptreed),
-				0, 0, NULL, NULL);
-#endif
+	leaf_cachep = KMEM_CACHE_CREATE("ip_set_iptreed",
+					sizeof(struct ip_set_iptreed));
 	if (!leaf_cachep) {
 		printk(KERN_ERR "Unable to create ip_set_iptreed slab cache\n");
 		ret = -ENOMEM;

extensions/ipset/ip_set_iptree.h

@@ -3,8 +3,7 @@
 
 #include "ip_set.h"
 
-#define SETTYPE_NAME "iptree"
-#define MAX_RANGE 0x0000FFFF
+#define SETTYPE_NAME		"iptree"
 
 struct ip_set_iptreed {
 	unsigned long expires[256];	   	/* x.x.x.ADDR */

extensions/ipset/ip_set_iptreemap.c

@@ -11,34 +11,29 @@
  * index to find the bitmap and the last octet is used as the bit number.
  */
 
-#include <linux/version.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/ip.h>
+#include <linux/jiffies.h>
 #include <linux/skbuff.h>
 #include <linux/slab.h>
 #include <linux/delay.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "ip_set.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
 #include <linux/spinlock.h>
+#include <linux/timer.h>
 
+#include "ip_set.h"
+#include "ip_set_bitmaps.h"
 #include "ip_set_iptreemap.h"
 
 #define IPTREEMAP_DEFAULT_GC_TIME (5 * 60)
 #define IPTREEMAP_DESTROY_SLEEP (100)
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20)
-static struct kmem_cache *cachep_b;
-static struct kmem_cache *cachep_c;
-static struct kmem_cache *cachep_d;
-#else
-static kmem_cache_t *cachep_b;
-static kmem_cache_t *cachep_c;
-static kmem_cache_t *cachep_d;
-#endif
+static __KMEM_CACHE_T__ *cachep_b;
+static __KMEM_CACHE_T__ *cachep_c;
+static __KMEM_CACHE_T__ *cachep_d;
 
 static struct ip_set_iptreemap_d *fullbitmap_d;
 static struct ip_set_iptreemap_c *fullbitmap_c;
@@ -256,7 +251,7 @@ free_b(struct ip_set_iptreemap_b *map)
 }
 
 static inline int
-__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+iptreemap_test(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -264,9 +259,7 @@ __testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 	struct ip_set_iptreemap_d *dtree;
 	unsigned char a, b, c, d;
 
-	*hash_ip = ip;
-
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 
 	TESTIP_WALK(map, a, btree, fullbitmap_b);
 	TESTIP_WALK(btree, b, ctree, fullbitmap_c);
@@ -275,40 +268,13 @@ __testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 	return !!test_bit(d, (void *) dtree->bitmap);
 }
 
-static int
-testip(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_iptreemap *req = data;
+#define KADT_CONDITION
 
-	if (size != sizeof(struct ip_set_req_iptreemap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)", sizeof(struct ip_set_req_iptreemap), size);
-		return -EINVAL;
-	}
-
-	return __testip(set, req->start, hash_ip);
-}
-
-static int
-testip_kernel(struct ip_set *set, const struct sk_buff *skb, ip_set_ip_t *hash_ip, const u_int32_t *flags, unsigned char index)
-{
-	int res;
-
-	res = __testip(set,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-				? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       hash_ip);
-
-	return (res < 0 ? 0 : res);
-}
+UADT(iptreemap, test)
+KADT(iptreemap, test, ipaddr)
 
 static inline int
-__addip_single(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+__addip_single(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_iptreemap *map = (struct ip_set_iptreemap *) set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -316,9 +282,7 @@ __addip_single(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 	struct ip_set_iptreemap_d *dtree;
 	unsigned char a, b, c, d;
 
-	*hash_ip = ip;
-
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 
 	ADDIP_WALK(map, a, btree, struct ip_set_iptreemap_b, cachep_b, fullbitmap_b);
 	ADDIP_WALK(btree, b, ctree, struct ip_set_iptreemap_c, cachep_c, fullbitmap_c);
@@ -333,7 +297,7 @@ __addip_single(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 }
 
 static inline int
-__addip_range(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end, ip_set_ip_t *hash_ip)
+iptreemap_add(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -344,9 +308,7 @@ __addip_range(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end, ip_set_ip_
 	unsigned char a2, b2, c2, d2;
 
 	if (start == end)
-		return __addip_single(set, start, hash_ip);
-
-	*hash_ip = start;
+		return __addip_single(set, start);
 
 	ABCD(a1, b1, c1, d1, &start);
 	ABCD(a2, b2, c2, d2, &end);
@@ -365,37 +327,11 @@ __addip_range(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end, ip_set_ip_
 	return 0;
 }
 
-static int
-addip(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_iptreemap *req = data;
-
-	if (size != sizeof(struct ip_set_req_iptreemap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)", sizeof(struct ip_set_req_iptreemap), size);
-		return -EINVAL;
-	}
-
-	return __addip_range(set, min(req->start, req->end), max(req->start, req->end), hash_ip);
-}
-
-static int
-addip_kernel(struct ip_set *set, const struct sk_buff *skb, ip_set_ip_t *hash_ip, const u_int32_t *flags, unsigned char index)
-{
-
-	return __addip_single(set,
-			ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-				? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-			hash_ip);
-}
+UADT0(iptreemap, add, min(req->ip, req->end), max(req->ip, req->end))
+KADT(iptreemap, add, ipaddr, ip)
 
 static inline int
-__delip_single(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip, unsigned int __nocast flags)
+__delip_single(struct ip_set *set, ip_set_ip_t ip, gfp_t flags)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -403,9 +339,7 @@ __delip_single(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip, unsigne
 	struct ip_set_iptreemap_d *dtree;
 	unsigned char a,b,c,d;
 
-	*hash_ip = ip;
-
-	ABCD(a, b, c, d, hash_ip);
+	ABCD(a, b, c, d, &ip);
 
 	DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b, flags);
 	DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c, flags);
@@ -420,7 +354,8 @@ __delip_single(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip, unsigne
 }
 
 static inline int
-__delip_range(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end, ip_set_ip_t *hash_ip, unsigned int __nocast flags)
+iptreemap_del(struct ip_set *set,
+	      ip_set_ip_t start, ip_set_ip_t end, gfp_t flags)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -431,9 +366,7 @@ __delip_range(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end, ip_set_ip_
 	unsigned char a2, b2, c2, d2;
 
 	if (start == end)
-		return __delip_single(set, start, hash_ip, flags);
-
-	*hash_ip = start;
+		return __delip_single(set, start, flags);
 
 	ABCD(a1, b1, c1, d1, &start);
 	ABCD(a2, b2, c2, d2, &end);
@@ -452,34 +385,8 @@ __delip_range(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end, ip_set_ip_
 	return 0;
 }
 
-static int
-delip(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_iptreemap *req = data;
-
-	if (size != sizeof(struct ip_set_req_iptreemap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)", sizeof(struct ip_set_req_iptreemap), size);
-		return -EINVAL;
-	}
-
-	return __delip_range(set, min(req->start, req->end), max(req->start, req->end), hash_ip, GFP_KERNEL);
-}
-
-static int
-delip_kernel(struct ip_set *set, const struct sk_buff *skb, ip_set_ip_t *hash_ip, const u_int32_t *flags, unsigned char index)
-{
-	return __delip_single(set,
-			ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-				? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-			hash_ip,
-		        GFP_ATOMIC);
-}
+UADT0(iptreemap, del, min(req->ip, req->end), max(req->ip, req->end), GFP_KERNEL)
+KADT(iptreemap, del, ipaddr, ip, GFP_ATOMIC)
 
 /* Check the status of the bitmap
  * -1 == all bits cleared
@@ -551,16 +458,12 @@ init_gc_timer(struct ip_set *set)
 	add_timer(&map->gc);
 }
 
-static int create(struct ip_set *set, const void *data, size_t size)
+static int
+iptreemap_create(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_req_iptreemap_create *req = data;
 	struct ip_set_iptreemap *map;
 
-	if (size != sizeof(struct ip_set_req_iptreemap_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)", sizeof(struct ip_set_req_iptreemap_create), size);
-		return -EINVAL;
-	}
-
 	map = kzalloc(sizeof(*map), GFP_KERNEL);
 	if (!map)
 		return -ENOMEM;
@@ -573,7 +476,8 @@ static int create(struct ip_set *set, const void *data, size_t size)
 	return 0;
 }
 
-static inline void __flush(struct ip_set_iptreemap *map)
+static inline void
+__flush(struct ip_set_iptreemap *map)
 {
 	struct ip_set_iptreemap_b *btree;
 	unsigned int a;
@@ -584,7 +488,8 @@ static inline void __flush(struct ip_set_iptreemap *map)
 	LOOP_WALK_END();
 }
 
-static void destroy(struct ip_set *set)
+static void
+iptreemap_destroy(struct ip_set *set)
 {
 	struct ip_set_iptreemap *map = set->data;
 
@@ -597,9 +502,11 @@ static void destroy(struct ip_set *set)
 	set->data = NULL;
 }
 
-static void flush(struct ip_set *set)
+static void
+iptreemap_flush(struct ip_set *set)
 {
 	struct ip_set_iptreemap *map = set->data;
+	unsigned int gc_interval = map->gc_interval;
 
 	while (!del_timer(&map->gc))
 		msleep(IPTREEMAP_DESTROY_SLEEP);
@@ -607,11 +514,13 @@ static void flush(struct ip_set *set)
 	__flush(map);
 
 	memset(map, 0, sizeof(*map));
+	map->gc_interval = gc_interval;
 
 	init_gc_timer(set);
 }
 
-static void list_header(const struct ip_set *set, void *data)
+static void
+iptreemap_list_header(const struct ip_set *set, void *data)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_req_iptreemap_create *header = data;
@@ -619,7 +528,8 @@ static void list_header(const struct ip_set *set, void *data)
 	header->gc_interval = map->gc_interval;
 }
 
-static int list_members_size(const struct ip_set *set)
+static int
+iptreemap_list_members_size(const struct ip_set *set, char dont_align)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
@@ -645,29 +555,30 @@ static int list_members_size(const struct ip_set *set)
 	if (inrange)
 		count++;
 
-	return (count * sizeof(struct ip_set_req_iptreemap));
+	return (count * IPSET_VALIGN(sizeof(struct ip_set_req_iptreemap), dont_align));
 }
 
-static inline size_t add_member(void *data, size_t offset, ip_set_ip_t start, ip_set_ip_t end)
+static inline void
+add_member(void *data, size_t offset, ip_set_ip_t start, ip_set_ip_t end)
 {
 	struct ip_set_req_iptreemap *entry = data + offset;
 
-	entry->start = start;
+	entry->ip = start;
 	entry->end = end;
-
-	return sizeof(*entry);
 }
 
-static void list_members(const struct ip_set *set, void *data)
+static void
+iptreemap_list_members(const struct ip_set *set, void *data, char dont_align)
 {
 	struct ip_set_iptreemap *map = set->data;
 	struct ip_set_iptreemap_b *btree;
 	struct ip_set_iptreemap_c *ctree;
 	struct ip_set_iptreemap_d *dtree;
 	unsigned int a, b, c, d, inrange = 0;
-	size_t offset = 0;
+	size_t offset = 0, datasize;
 	ip_set_ip_t start = 0, end = 0, ip;
 
+	datasize = IPSET_VALIGN(sizeof(struct ip_set_req_iptreemap), dont_align);
 	LOOP_WALK_BEGIN(map, a, btree) {
 		LOOP_WALK_BEGIN(btree, b, ctree) {
 			LOOP_WALK_BEGIN(ctree, c, dtree) {
@@ -678,12 +589,14 @@ static void list_members(const struct ip_set *set, void *data)
 							inrange = 1;
 							start = ip;
 						} else if (end < ip - 1) {
-							offset += add_member(data, offset, start, end);
+							add_member(data, offset, start, end);
+							offset += datasize;
 							start = ip;
 						}
 						end = ip;
 					} else if (inrange) {
-						offset += add_member(data, offset, start, end);
+						add_member(data, offset, start, end);
+						offset += datasize;
 						inrange = 0;
 					}
 				}
@@ -695,26 +608,7 @@ static void list_members(const struct ip_set *set, void *data)
 		add_member(data, offset, start, end);
 }
 
-static struct ip_set_type ip_set_iptreemap = {
-	.typename		= SETTYPE_NAME,
-	.features		= IPSET_TYPE_IP | IPSET_DATA_SINGLE,
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,
-	.create			= create,
-	.destroy		= destroy,
-	.flush			= flush,
-	.reqsize		= sizeof(struct ip_set_req_iptreemap),
-	.addip			= addip,
-	.addip_kernel		= addip_kernel,
-	.delip			= delip,
-	.delip_kernel		= delip_kernel,
-	.testip			= testip,
-	.testip_kernel		= testip_kernel,
-	.header_size		= sizeof(struct ip_set_req_iptreemap_create),
-	.list_header		= list_header,
-	.list_members_size	= list_members_size,
-	.list_members		= list_members,
-	.me			= THIS_MODULE,
-};
+IP_SET_TYPE(iptreemap, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Sven Wegener <sven.wegener@stealer.net>");
@@ -725,43 +619,22 @@ static int __init ip_set_iptreemap_init(void)
 	int ret = -ENOMEM;
 	int a;
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
-	cachep_b = kmem_cache_create("ip_set_iptreemap_b",
-				     sizeof(struct ip_set_iptreemap_b),
-				     0, 0, NULL);
-#else
-	cachep_b = kmem_cache_create("ip_set_iptreemap_b",
-				     sizeof(struct ip_set_iptreemap_b),
-				     0, 0, NULL, NULL);
-#endif
+	cachep_b = KMEM_CACHE_CREATE("ip_set_iptreemap_b",
+				     sizeof(struct ip_set_iptreemap_b));
 	if (!cachep_b) {
 		ip_set_printk("Unable to create ip_set_iptreemap_b slab cache");
 		goto out;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
-	cachep_c = kmem_cache_create("ip_set_iptreemap_c",
-				     sizeof(struct ip_set_iptreemap_c),
-				     0, 0, NULL);
-#else
-	cachep_c = kmem_cache_create("ip_set_iptreemap_c",
-				     sizeof(struct ip_set_iptreemap_c),
-				     0, 0, NULL, NULL);
-#endif
+	cachep_c = KMEM_CACHE_CREATE("ip_set_iptreemap_c",
+				     sizeof(struct ip_set_iptreemap_c));
 	if (!cachep_c) {
 		ip_set_printk("Unable to create ip_set_iptreemap_c slab cache");
 		goto outb;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
-	cachep_d = kmem_cache_create("ip_set_iptreemap_d",
-				     sizeof(struct ip_set_iptreemap_d),
-				     0, 0, NULL);
-#else
-	cachep_d = kmem_cache_create("ip_set_iptreemap_d",
-				     sizeof(struct ip_set_iptreemap_d),
-				     0, 0, NULL, NULL);
-#endif
+	cachep_d = KMEM_CACHE_CREATE("ip_set_iptreemap_d",
+				     sizeof(struct ip_set_iptreemap_d));
 	if (!cachep_d) {
 		ip_set_printk("Unable to create ip_set_iptreemap_d slab cache");
 		goto outc;

extensions/ipset/ip_set_iptreemap.h

@@ -3,7 +3,7 @@
 
 #include "ip_set.h"
 
-#define SETTYPE_NAME "iptreemap"
+#define SETTYPE_NAME		"iptreemap"
 
 #ifdef __KERNEL__
 struct ip_set_iptreemap_d {
@@ -33,7 +33,7 @@ struct ip_set_req_iptreemap_create {
 };
 
 struct ip_set_req_iptreemap {
-	ip_set_ip_t start;
+	ip_set_ip_t ip;
 	ip_set_ip_t end;
 };
 

extensions/ipset/ip_set_jhash.h

@@ -1,148 +1,157 @@
-#ifndef _LINUX_IPSET_JHASH_H
-#define _LINUX_IPSET_JHASH_H
-
-/* This is a copy of linux/jhash.h but the types u32/u8 are changed
- * to __u32/__u8 so that the header file can be included into
- * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- */
+#ifndef _LINUX_JHASH_H
+#define _LINUX_JHASH_H
 
 /* jhash.h: Jenkins hash support.
  *
- * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
+ * Copyright (C) 2006. Bob Jenkins (bob_jenkins@burtleburtle.net)
  *
  * http://burtleburtle.net/bob/hash/
  *
  * These are the credits from Bob's sources:
  *
- * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
- * hash(), hash2(), hash3, and mix() are externally useful functions.
- * Routines to test the hash are included if SELF_TEST is defined.
- * You can use this free for any purpose.  It has no warranty.
+ * lookup3.c, by Bob Jenkins, May 2006, Public Domain.
  *
- * Copyright (C) 2003 David S. Miller (davem@redhat.com)
+ * These are functions for producing 32-bit hashes for hash table lookup.
+ * hashword(), hashlittle(), hashlittle2(), hashbig(), mix(), and final() 
+ * are externally useful functions.  Routines to test the hash are included 
+ * if SELF_TEST is defined.  You can use this free for any purpose.  It's in
+ * the public domain.  It has no warranty.
+ *
+ * Copyright (C) 2009 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
  *
  * I've modified Bob's hash to be useful in the Linux kernel, and
- * any bugs present are surely my fault.  -DaveM
+ * any bugs present are my fault.  Jozsef
  */
 
-/* NOTE: Arguments are modified. */
-#define __jhash_mix(a, b, c) \
+#define __rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
+
+/* __jhash_mix - mix 3 32-bit values reversibly. */
+#define __jhash_mix(a,b,c) \
 { \
-  a -= b; a -= c; a ^= (c>>13); \
-  b -= c; b -= a; b ^= (a<<8); \
-  c -= a; c -= b; c ^= (b>>13); \
-  a -= b; a -= c; a ^= (c>>12);  \
-  b -= c; b -= a; b ^= (a<<16); \
-  c -= a; c -= b; c ^= (b>>5); \
-  a -= b; a -= c; a ^= (c>>3);  \
-  b -= c; b -= a; b ^= (a<<10); \
-  c -= a; c -= b; c ^= (b>>15); \
+  a -= c;  a ^= __rot(c, 4);  c += b; \
+  b -= a;  b ^= __rot(a, 6);  a += c; \
+  c -= b;  c ^= __rot(b, 8);  b += a; \
+  a -= c;  a ^= __rot(c,16);  c += b; \
+  b -= a;  b ^= __rot(a,19);  a += c; \
+  c -= b;  c ^= __rot(b, 4);  b += a; \
+}
+
+/* __jhash_final - final mixing of 3 32-bit values (a,b,c) into c */
+#define __jhash_final(a,b,c) \
+{ \
+  c ^= b; c -= __rot(b,14); \
+  a ^= c; a -= __rot(c,11); \
+  b ^= a; b -= __rot(a,25); \
+  c ^= b; c -= __rot(b,16); \
+  a ^= c; a -= __rot(c,4);  \
+  b ^= a; b -= __rot(a,14); \
+  c ^= b; c -= __rot(b,24); \
 }
 
 /* The golden ration: an arbitrary value */
-#define JHASH_GOLDEN_RATIO	0x9e3779b9
+#define JHASH_GOLDEN_RATIO	0xdeadbeef
 
 /* The most generic version, hashes an arbitrary sequence
  * of bytes.  No alignment or length assumptions are made about
- * the input key.
+ * the input key. The result depends on endianness.
  */
-static inline __u32 jhash(void *key, __u32 length, __u32 initval)
+static inline u32 jhash(const void *key, u32 length, u32 initval)
 {
-	__u32 a, b, c, len;
-	__u8 *k = key;
+	u32 a,b,c;
+	const u8 *k = key;
 
-	len = length;
-	a = b = JHASH_GOLDEN_RATIO;
-	c = initval;
-
-	while (len >= 12) {
-		a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
-		b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
-		c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
-
-		__jhash_mix(a,b,c);
+	/* Set up the internal state */
+	a = b = c = JHASH_GOLDEN_RATIO + length + initval;
 
+	/* all but the last block: affect some 32 bits of (a,b,c) */
+	while (length > 12) {
+    		a += (k[0] + ((u32)k[1]<<8) + ((u32)k[2]<<16) + ((u32)k[3]<<24));
+		b += (k[4] + ((u32)k[5]<<8) + ((u32)k[6]<<16) + ((u32)k[7]<<24));
+		c += (k[8] + ((u32)k[9]<<8) + ((u32)k[10]<<16) + ((u32)k[11]<<24));
+		__jhash_mix(a, b, c);
+		length -= 12;
 		k += 12;
-		len -= 12;
 	}
 
-	c += length;
-	switch (len) {
-	case 11: c += ((__u32)k[10]<<24);
-	case 10: c += ((__u32)k[9]<<16);
-	case 9 : c += ((__u32)k[8]<<8);
-	case 8 : b += ((__u32)k[7]<<24);
-	case 7 : b += ((__u32)k[6]<<16);
-	case 6 : b += ((__u32)k[5]<<8);
+	/* last block: affect all 32 bits of (c) */
+	/* all the case statements fall through */
+	switch (length) {
+	case 12: c += (u32)k[11]<<24;
+	case 11: c += (u32)k[10]<<16;
+	case 10: c += (u32)k[9]<<8;
+	case 9 : c += k[8];
+	case 8 : b += (u32)k[7]<<24;
+	case 7 : b += (u32)k[6]<<16;
+	case 6 : b += (u32)k[5]<<8;
 	case 5 : b += k[4];
-	case 4 : a += ((__u32)k[3]<<24);
-	case 3 : a += ((__u32)k[2]<<16);
-	case 2 : a += ((__u32)k[1]<<8);
+	case 4 : a += (u32)k[3]<<24;
+	case 3 : a += (u32)k[2]<<16;
+	case 2 : a += (u32)k[1]<<8;
 	case 1 : a += k[0];
-	};
-
-	__jhash_mix(a,b,c);
+		__jhash_final(a, b, c);
+	case 0 :
+		break;
+	}
 
 	return c;
 }
 
-/* A special optimized version that handles 1 or more of __u32s.
- * The length parameter here is the number of __u32s in the key.
+/* A special optimized version that handles 1 or more of u32s.
+ * The length parameter here is the number of u32s in the key.
  */
-static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
+static inline u32 jhash2(const u32 *k, u32 length, u32 initval)
 {
-	__u32 a, b, c, len;
+	u32 a, b, c;
 
-	a = b = JHASH_GOLDEN_RATIO;
-	c = initval;
-	len = length;
+	/* Set up the internal state */
+	a = b = c = JHASH_GOLDEN_RATIO + (length<<2) + initval;
 
-	while (len >= 3) {
+	/* handle most of the key */
+	while (length > 3) {
 		a += k[0];
 		b += k[1];
 		c += k[2];
 		__jhash_mix(a, b, c);
-		k += 3; len -= 3;
+		length -= 3;
+		k += 3;
 	}
 
-	c += length * 4;
-
-	switch (len) {
-	case 2 : b += k[1];
-	case 1 : a += k[0];
-	};
-
-	__jhash_mix(a,b,c);
+	/* handle the last 3 u32's */
+	/* all the case statements fall through */ 
+	switch (length) {
+	case 3: c += k[2];
+	case 2: b += k[1];
+	case 1: a += k[0];
+		__jhash_final(a, b, c);
+	case 0:     /* case 0: nothing left to add */
+		break;
+	}
 
 	return c;
 }
 
-
 /* A special ultra-optimized versions that knows they are hashing exactly
  * 3, 2 or 1 word(s).
- *
- * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
- *       done at the end is not done here.
  */
-static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
+static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
 {
-	a += JHASH_GOLDEN_RATIO;
-	b += JHASH_GOLDEN_RATIO;
-	c += initval;
+	a += JHASH_GOLDEN_RATIO + initval;
+	b += JHASH_GOLDEN_RATIO + initval;
+	c += JHASH_GOLDEN_RATIO + initval;
 
-	__jhash_mix(a, b, c);
+	__jhash_final(a, b, c);
 
 	return c;
 }
 
-static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
+static inline u32 jhash_2words(u32 a, u32 b, u32 initval)
 {
-	return jhash_3words(a, b, 0, initval);
+	return jhash_3words(0, a, b, initval);
 }
 
-static inline __u32 jhash_1word(__u32 a, __u32 initval)
+static inline u32 jhash_1word(u32 a, u32 initval)
 {
-	return jhash_3words(a, 0, 0, initval);
+	return jhash_3words(0, 0, a, initval);
 }
 
-#endif /* _LINUX_IPSET_JHASH_H */
+#endif /* _LINUX_JHASH_H */

extensions/ipset/ip_set_macipmap.c

@@ -1,7 +1,7 @@
 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
  *                         Patrick Schaaf <bof@bof.de>
  *                         Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -13,41 +13,26 @@
 #include <linux/module.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/version.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "ip_set.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
 #include <linux/spinlock.h>
 #include <linux/if_ether.h>
-#include <linux/vmalloc.h>
 
-#include "ip_set_malloc.h"
 #include "ip_set_macipmap.h"
 
 static int
-testip(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip)
+macipmap_utest(struct ip_set *set, const void *data, u_int32_t size)
 {
-	struct ip_set_macipmap *map = set->data;
-	struct ip_set_macip *table = map->members;	
+	const struct ip_set_macipmap *map = set->data;
+	const struct ip_set_macip *table = map->members;	
 	const struct ip_set_req_macipmap *req = data;
 
-	if (size != sizeof(struct ip_set_req_macipmap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_macipmap),
-			      size);
-		return -EINVAL;
-	}
-
 	if (req->ip < map->first_ip || req->ip > map->last_ip)
 		return -ERANGE;
 
-	*hash_ip = req->ip;
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(req->ip), HIPQUAD(*hash_ip));		
-	if (test_bit(IPSET_MACIP_ISSET,
-		     (void *) &table[req->ip - map->first_ip].flags)) {
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(req->ip));		
+	if (table[req->ip - map->first_ip].match) {
 		return (memcmp(req->ethernet,
 			       &table[req->ip - map->first_ip].ethernet,
 			       ETH_ALEN) == 0);
@@ -57,42 +42,25 @@ testip(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip)
 }
 
 static int
-testip_kernel(struct ip_set *set,
-	      const struct sk_buff *skb,
-	      ip_set_ip_t *hash_ip,
-	      const u_int32_t *flags,
-	      unsigned char index)
+macipmap_ktest(struct ip_set *set,
+	       const struct sk_buff *skb,
+	       const u_int32_t *flags)
 {
-	struct ip_set_macipmap *map = set->data;
-	struct ip_set_macip *table = map->members;
+	const struct ip_set_macipmap *map = set->data;
+	const struct ip_set_macip *table = map->members;
 	ip_set_ip_t ip;
 	
-	ip = ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-			? ip_hdr(skb)->saddr
-			: ip_hdr(skb)->daddr);
-#else
-			? skb->nh.iph->saddr
-			: skb->nh.iph->daddr);
-#endif
+	ip = ipaddr(skb, flags);
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return 0;
 
-	*hash_ip = ip;	
-	DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u",
-	   set->name, HIPQUAD(ip), HIPQUAD(*hash_ip));		
-	if (test_bit(IPSET_MACIP_ISSET,
-	    (void *) &table[ip - map->first_ip].flags)) {
+	DP("set: %s, ip:%u.%u.%u.%u", set->name, HIPQUAD(ip));
+	if (table[ip - map->first_ip].match) {
 		/* Is mac pointer valid?
 		 * If so, compare... */
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
 		return (skb_mac_header(skb) >= skb->head
 			&& (skb_mac_header(skb) + ETH_HLEN) <= skb->data
-#else
-		return (skb->mac.raw >= skb->head
-			&& (skb->mac.raw + ETH_HLEN) <= skb->data
-#endif
 			&& (memcmp(eth_hdr(skb)->h_source,
 				   &table[ip - map->first_ip].ethernet,
 				   ETH_ALEN) == 0));
@@ -103,258 +71,109 @@ testip_kernel(struct ip_set *set,
 
 /* returns 0 on success */
 static inline int
-__addip(struct ip_set *set,
-	ip_set_ip_t ip, const unsigned char *ethernet, ip_set_ip_t *hash_ip)
+macipmap_add(struct ip_set *set,
+	     ip_set_ip_t ip, const unsigned char *ethernet)
 {
 	struct ip_set_macipmap *map = set->data;
 	struct ip_set_macip *table = map->members;
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
-	if (test_and_set_bit(IPSET_MACIP_ISSET,
-			     (void *) &table[ip - map->first_ip].flags))
+	if (table[ip - map->first_ip].match)
 		return -EEXIST;
 
-	*hash_ip = ip;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
+	DP("set: %s, ip: %u.%u.%u.%u", set->name, HIPQUAD(ip));
 	memcpy(&table[ip - map->first_ip].ethernet, ethernet, ETH_ALEN);
+	table[ip - map->first_ip].match = IPSET_MACIP_ISSET;
 	return 0;
 }
 
-static int
-addip(struct ip_set *set, const void *data, size_t size,
-      ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_macipmap *req = data;
-
-	if (size != sizeof(struct ip_set_req_macipmap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_macipmap),
-			      size);
-		return -EINVAL;
-	}
-	return __addip(set, req->ip, req->ethernet, hash_ip);
-}
-
-static int
-addip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	ip_set_ip_t ip;
-	
-	ip = ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-			? ip_hdr(skb)->saddr
-			: ip_hdr(skb)->daddr);
-#else
-			? skb->nh.iph->saddr
-			: skb->nh.iph->daddr);
-#endif
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-	if (!(skb_mac_header(skb) >= skb->head
-	      && (skb_mac_header(skb) + ETH_HLEN) <= skb->data))
-#else
-	if (!(skb->mac.raw >= skb->head
-	      && (skb->mac.raw + ETH_HLEN) <= skb->data))
-#endif
+#define KADT_CONDITION						\
+	if (!(skb_mac_header(skb) >= skb->head			\
+	      && (skb_mac_header(skb) + ETH_HLEN) <= skb->data))\
 		return -EINVAL;
 
-	return __addip(set, ip, eth_hdr(skb)->h_source, hash_ip);
-}
+UADT(macipmap, add, req->ethernet)
+KADT(macipmap, add, ipaddr, eth_hdr(skb)->h_source)
 
 static inline int
-__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+macipmap_del(struct ip_set *set, ip_set_ip_t ip)
 {
 	struct ip_set_macipmap *map = set->data;
 	struct ip_set_macip *table = map->members;
 
 	if (ip < map->first_ip || ip > map->last_ip)
 		return -ERANGE;
-	if (!test_and_clear_bit(IPSET_MACIP_ISSET,
-				(void *)&table[ip - map->first_ip].flags))
+	if (!table[ip - map->first_ip].match)
 		return -EEXIST;
 
-	*hash_ip = ip;
-	DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip));
+	table[ip - map->first_ip].match = 0;
+	DP("set: %s, ip: %u.%u.%u.%u", set->name, HIPQUAD(ip));
 	return 0;
 }
 
-static int
-delip(struct ip_set *set, const void *data, size_t size,
-     ip_set_ip_t *hash_ip)
+#undef KADT_CONDITION
+#define KADT_CONDITION
+
+UADT(macipmap, del)
+KADT(macipmap, del, ipaddr)
+
+static inline int
+__macipmap_create(const struct ip_set_req_macipmap_create *req,
+		  struct ip_set_macipmap *map)
 {
-	const struct ip_set_req_macipmap *req = data;
-
-	if (size != sizeof(struct ip_set_req_macipmap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_macipmap),
-			      size);
-		return -EINVAL;
-	}
-	return __delip(set, req->ip, hash_ip);
-}
-
-static int
-delip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	return __delip(set,
-		       ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-		       		? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-		       hash_ip);
-}
-
-static inline size_t members_size(ip_set_ip_t from, ip_set_ip_t to)
-{
-	return (size_t)((to - from + 1) * sizeof(struct ip_set_macip));
-}
-
-static int create(struct ip_set *set, const void *data, size_t size)
-{
-	size_t newbytes;
-	const struct ip_set_req_macipmap_create *req = data;
-	struct ip_set_macipmap *map;
-
-	if (size != sizeof(struct ip_set_req_macipmap_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_macipmap_create),
-			      size);
-		return -EINVAL;
-	}
-
-	DP("from %u.%u.%u.%u to %u.%u.%u.%u",
-	   HIPQUAD(req->from), HIPQUAD(req->to));
-
-	if (req->from > req->to) {
-		DP("bad ip range");
-		return -ENOEXEC;
-	}
-
 	if (req->to - req->from > MAX_RANGE) {
-		ip_set_printk("range too big (max %d addresses)",
-			       MAX_RANGE+1);
+		ip_set_printk("range too big, %d elements (max %d)",
+			      req->to - req->from + 1, MAX_RANGE+1);
 		return -ENOEXEC;
 	}
-
-	map = kmalloc(sizeof(struct ip_set_macipmap), GFP_KERNEL);
-	if (!map) {
-		DP("out of memory for %d bytes",
-		   sizeof(struct ip_set_macipmap));
-		return -ENOMEM;
-	}
 	map->flags = req->flags;
-	map->first_ip = req->from;
-	map->last_ip = req->to;
-	newbytes = members_size(map->first_ip, map->last_ip);
-	map->members = ip_set_malloc(newbytes);
-	DP("members: %u %p", newbytes, map->members);
-	if (!map->members) {
-		DP("out of memory for %d bytes", newbytes);
-		kfree(map);
-		return -ENOMEM;
-	}
-	memset(map->members, 0, newbytes);
-	
-	set->data = map;
-	return 0;
+	return (req->to - req->from + 1) * sizeof(struct ip_set_macip);
 }
 
-static void destroy(struct ip_set *set)
+BITMAP_CREATE(macipmap)
+BITMAP_DESTROY(macipmap)
+BITMAP_FLUSH(macipmap)
+
+static inline void
+__macipmap_list_header(const struct ip_set_macipmap *map,
+		       struct ip_set_req_macipmap_create *header)
 {
-	struct ip_set_macipmap *map = set->data;
-
-	ip_set_free(map->members, members_size(map->first_ip, map->last_ip));
-	kfree(map);
-
-	set->data = NULL;
-}
-
-static void flush(struct ip_set *set)
-{
-	struct ip_set_macipmap *map = set->data;
-	memset(map->members, 0, members_size(map->first_ip, map->last_ip));
-}
-
-static void list_header(const struct ip_set *set, void *data)
-{
-	const struct ip_set_macipmap *map = set->data;
-	struct ip_set_req_macipmap_create *header = data;
-
-	DP("list_header %x %x %u", map->first_ip, map->last_ip,
-	   map->flags);
-
-	header->from = map->first_ip;
-	header->to = map->last_ip;
 	header->flags = map->flags;
 }
 
-static int list_members_size(const struct ip_set *set)
+BITMAP_LIST_HEADER(macipmap)
+BITMAP_LIST_MEMBERS_SIZE(macipmap, struct ip_set_req_macipmap,
+			 (map->last_ip - map->first_ip + 1),
+			 ((const struct ip_set_macip *)map->members)[i].match)
+
+
+static void
+macipmap_list_members(const struct ip_set *set, void *data, char dont_align)
 {
 	const struct ip_set_macipmap *map = set->data;
-
-	DP("%u", members_size(map->first_ip, map->last_ip));
-	return members_size(map->first_ip, map->last_ip);
+	const struct ip_set_macip *table = map->members;
+	uint32_t i, n = 0;
+	struct ip_set_req_macipmap *d;
+	
+	if (dont_align) {
+		memcpy(data, map->members, map->size);
+		return;
+	}
+	
+	for (i = 0; i < map->last_ip - map->first_ip + 1; i++)
+		if (table[i].match) {
+			d = data + n * IPSET_ALIGN(sizeof(struct ip_set_req_macipmap));
+			d->ip = map->first_ip + i;
+			memcpy(d->ethernet, &table[i].ethernet, ETH_ALEN);
+			n++;
+		}
 }
 
-static void list_members(const struct ip_set *set, void *data)
-{
-	const struct ip_set_macipmap *map = set->data;
-
-	int bytes = members_size(map->first_ip, map->last_ip);
-
-	DP("members: %u %p", bytes, map->members);
-	memcpy(data, map->members, bytes);
-}
-
-static struct ip_set_type ip_set_macipmap = {
-	.typename		= SETTYPE_NAME,
-	.features		= IPSET_TYPE_IP | IPSET_DATA_SINGLE,
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,
-	.create			= &create,
-	.destroy		= &destroy,
-	.flush			= &flush,
-	.reqsize		= sizeof(struct ip_set_req_macipmap),
-	.addip			= &addip,
-	.addip_kernel		= &addip_kernel,
-	.delip			= &delip,
-	.delip_kernel		= &delip_kernel,
-	.testip			= &testip,
-	.testip_kernel		= &testip_kernel,
-	.header_size		= sizeof(struct ip_set_req_macipmap_create),
-	.list_header		= &list_header,
-	.list_members_size	= &list_members_size,
-	.list_members		= &list_members,
-	.me			= THIS_MODULE,
-};
+IP_SET_TYPE(macipmap, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("macipmap type of IP sets");
 
-static int __init ip_set_macipmap_init(void)
-{
-	init_max_page_size();
-	return ip_set_register_set_type(&ip_set_macipmap);
-}
-
-static void __exit ip_set_macipmap_fini(void)
-{
-	/* FIXME: possible race with ip_set_create() */
-	ip_set_unregister_set_type(&ip_set_macipmap);
-}
-
-module_init(ip_set_macipmap_init);
-module_exit(ip_set_macipmap_fini);
+REGISTER_MODULE(macipmap)

extensions/ipset/ip_set_macipmap.h

@@ -2,9 +2,9 @@
 #define __IP_SET_MACIPMAP_H
 
 #include "ip_set.h"
+#include "ip_set_bitmaps.h"
 
-#define SETTYPE_NAME "macipmap"
-#define MAX_RANGE 0x0000FFFF
+#define SETTYPE_NAME		"macipmap"
 
 /* general flags */
 #define IPSET_MACIP_MATCHUNSET	1
@@ -17,6 +17,7 @@ struct ip_set_macipmap {
 	ip_set_ip_t first_ip;		/* host byte order, included in range */
 	ip_set_ip_t last_ip;		/* host byte order, included in range */
 	u_int32_t flags;
+	u_int32_t size;			/* size of the ipmap proper */
 };
 
 struct ip_set_req_macipmap_create {
@@ -31,7 +32,7 @@ struct ip_set_req_macipmap {
 };
 
 struct ip_set_macip {
-	unsigned short flags;
+	unsigned short match;
 	unsigned char ethernet[ETH_ALEN];
 };
 

extensions/ipset/ip_set_malloc.h

@@ -2,13 +2,22 @@
 #define _IP_SET_MALLOC_H
 
 #ifdef __KERNEL__
+#include <linux/vmalloc.h> 
 
 static size_t max_malloc_size = 0, max_page_size = 0;
+static size_t default_max_malloc_size = 131072;			/* Guaranteed: slab.c */
 
-static inline unsigned int init_max_page_size(void)
+static inline int init_max_page_size(void)
 {
+/* Compatibility glues to support 2.4.36 */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
+#define __GFP_NOWARN		0
+
+	/* Guaranteed: slab.c */
+	max_malloc_size = max_page_size = default_max_malloc_size;
+#else
 	size_t page_size = 0;
-	
+
 #define CACHE(x) if (max_page_size == 0 || x < max_page_size)	\
 			page_size = x;
 #include <linux/kmalloc_sizes.h>
@@ -21,6 +30,7 @@ static inline unsigned int init_max_page_size(void)
 
 		return 1;
 	}
+#endif
 	return 0;
 }
 
@@ -30,7 +40,7 @@ struct harray {
 };
 
 static inline void * 
-__harray_malloc(size_t hashsize, size_t typesize, int flags)
+__harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
 {
 	struct harray *harray;
 	size_t max_elements, size, i, j;
@@ -78,7 +88,7 @@ __harray_malloc(size_t hashsize, size_t typesize, int flags)
 }
 
 static inline void *
-harray_malloc(size_t hashsize, size_t typesize, int flags)
+harray_malloc(size_t hashsize, size_t typesize, gfp_t flags)
 {
 	void *harray;
 	
@@ -122,7 +132,7 @@ static inline void * ip_set_malloc(size_t bytes)
 {
 	BUG_ON(max_malloc_size == 0);
 
-	if (bytes > max_malloc_size)
+	if (bytes > default_max_malloc_size)
 		return vmalloc(bytes);
 	else
 		return kmalloc(bytes, GFP_KERNEL | __GFP_NOWARN);
@@ -132,7 +142,7 @@ static inline void ip_set_free(void * data, size_t bytes)
 {
 	BUG_ON(max_malloc_size == 0);
 
-	if (bytes > max_malloc_size)
+	if (bytes > default_max_malloc_size)
 		vfree(data);
 	else
 		kfree(data);

extensions/ipset/ip_set_nethash.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+/* Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -8,63 +8,55 @@
 /* Kernel module implementing a cidr nethash set */
 
 #include <linux/module.h>
+#include <linux/moduleparam.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/version.h>
-#include <linux/jhash.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "ip_set.h"
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
 #include <linux/spinlock.h>
-#include <linux/vmalloc.h>
 #include <linux/random.h>
 
 #include <net/ip.h>
 
-#include "ip_set_malloc.h"
 #include "ip_set_nethash.h"
 
 static int limit = MAX_RANGE;
 
 static inline __u32
-jhash_ip(const struct ip_set_nethash *map, uint16_t i, ip_set_ip_t ip)
-{
-	return jhash_1word(ip, *(((uint32_t *) map->initval) + i));
-}
-
-static inline __u32
-hash_id_cidr(struct ip_set_nethash *map,
-	     ip_set_ip_t ip,
-	     unsigned char cidr,
-	     ip_set_ip_t *hash_ip)
+nethash_id_cidr(const struct ip_set_nethash *map,
+		ip_set_ip_t ip,
+		uint8_t cidr)
 {
 	__u32 id;
 	u_int16_t i;
 	ip_set_ip_t *elem;
 
-	*hash_ip = pack(ip, cidr);
+	ip = pack_ip_cidr(ip, cidr);
+	if (!ip)
+		return MAX_RANGE;
 	
 	for (i = 0; i < map->probes; i++) {
-		id = jhash_ip(map, i, *hash_ip) % map->hashsize;
+		id = jhash_ip(map, i, ip) % map->hashsize;
 	   	DP("hash key: %u", id);
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
-	   	if (*elem == *hash_ip)
+	   	if (*elem == ip)
 			return id;
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
 
 static inline __u32
-hash_id(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+nethash_id(struct ip_set *set, ip_set_ip_t ip)
 {
-	struct ip_set_nethash *map = set->data;
+	const struct ip_set_nethash *map = set->data;
 	__u32 id = UINT_MAX;
 	int i;
 
 	for (i = 0; i < 30 && map->cidr[i]; i++) {
-		id = hash_id_cidr(map, ip, map->cidr[i], hash_ip);
+		id = nethash_id_cidr(map, ip, map->cidr[i]);
 		if (id != UINT_MAX)
 			break;
 	}
@@ -72,401 +64,150 @@ hash_id(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
 }
 
 static inline int
-__testip_cidr(struct ip_set *set, ip_set_ip_t ip, unsigned char cidr,
-	      ip_set_ip_t *hash_ip)
+nethash_test_cidr(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
 {
-	struct ip_set_nethash *map = set->data;
+	const struct ip_set_nethash *map = set->data;
 
-	return (ip && hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX);
+	return (nethash_id_cidr(map, ip, cidr) != UINT_MAX);
 }
 
 static inline int
-__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
+nethash_test(struct ip_set *set, ip_set_ip_t ip)
 {
-	return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
+	return (nethash_id(set, ip) != UINT_MAX);
 }
 
 static int
-testip(struct ip_set *set, const void *data, size_t size,
-       ip_set_ip_t *hash_ip)
+nethash_utest(struct ip_set *set, const void *data, u_int32_t size)
 {
 	const struct ip_set_req_nethash *req = data;
 
-	if (size != sizeof(struct ip_set_req_nethash)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_nethash),
-			      size);
+	if (req->cidr <= 0 || req->cidr > 32)
 		return -EINVAL;
-	}
-	return (req->cidr == 32 ? __testip(set, req->ip, hash_ip)
-		: __testip_cidr(set, req->ip, req->cidr, hash_ip));
+	return (req->cidr == 32 ? nethash_test(set, req->ip)
+		: nethash_test_cidr(set, req->ip, req->cidr));
 }
 
-static int
-testip_kernel(struct ip_set *set,
-	      const struct sk_buff *skb,
-	      ip_set_ip_t *hash_ip,
-	      const u_int32_t *flags,
-	      unsigned char index)
-{
-	return __testip(set,
-			ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-				? ip_hdr(skb)->saddr
-				: ip_hdr(skb)->daddr),
-#else
-				? skb->nh.iph->saddr
-				: skb->nh.iph->daddr),
-#endif
-			hash_ip);
-}
+#define KADT_CONDITION
+
+KADT(nethash, test, ipaddr)
 
 static inline int
-__addip_base(struct ip_set_nethash *map, ip_set_ip_t ip)
+__nethash_add(struct ip_set_nethash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 	
 	for (i = 0; i < map->probes; i++) {
-		probe = jhash_ip(map, i, ip) % map->hashsize;
+		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
-		if (*elem == ip)
+		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = ip;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;
 }
 
 static inline int
-__addip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
-	ip_set_ip_t *hash_ip)
+nethash_add(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
 {
-	if (!ip || map->elements >= limit)
-		return -ERANGE;
-	
-	*hash_ip = pack(ip, cidr);
-	DP("%u.%u.%u.%u/%u, %u.%u.%u.%u", HIPQUAD(ip), cidr, HIPQUAD(*hash_ip));
-	
-	return __addip_base(map, *hash_ip);
-}
-
-static void
-update_cidr_sizes(struct ip_set_nethash *map, unsigned char cidr)
-{
-	unsigned char next;
-	int i;
-	
-	for (i = 0; i < 30 && map->cidr[i]; i++) {
-		if (map->cidr[i] == cidr) {
-			return;
-		} else if (map->cidr[i] < cidr) {
-			next = map->cidr[i];
-			map->cidr[i] = cidr;
-			cidr = next;
-		}
-	}
-	if (i < 30)
-		map->cidr[i] = cidr;
-}
-
-static int
-addip(struct ip_set *set, const void *data, size_t size,
-        ip_set_ip_t *hash_ip)
-{
-	const struct ip_set_req_nethash *req = data;
+	struct ip_set_nethash *map = set->data;
 	int ret;
-
-	if (size != sizeof(struct ip_set_req_nethash)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_nethash),
-			      size);
+	
+	if (map->elements >= limit || map->nets[cidr-1] == UINT16_MAX)
+		return -ERANGE;	
+	if (cidr <= 0 || cidr >= 32)
 		return -EINVAL;
-	}
-	ret = __addip(set->data, req->ip, req->cidr, hash_ip);
-	
-	if (ret == 0)
-		update_cidr_sizes(set->data, req->cidr);
-	
-	return ret;
-}
-
-static int
-addip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	struct ip_set_nethash *map = set->data;
-	int ret = -ERANGE;
-	ip_set_ip_t ip = ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-					? ip_hdr(skb)->saddr
-					: ip_hdr(skb)->daddr);
-#else
-					? skb->nh.iph->saddr
-					: skb->nh.iph->daddr);
-#endif
-	
-	if (map->cidr[0])
-		ret = __addip(map, ip, map->cidr[0], hash_ip);
-		
-	return ret;
-}
-
-static int retry(struct ip_set *set)
-{
-	struct ip_set_nethash *map = set->data;
-	ip_set_ip_t *elem;
-	void *members;
-	u_int32_t i, hashsize = map->hashsize;
-	int res;
-	struct ip_set_nethash *tmp;
-	
-	if (map->resize == 0)
-		return -ERANGE;
-
-    again:
-    	res = 0;
-    	
-	/* Calculate new parameters */
-	hashsize += (hashsize * map->resize)/100;
-	if (hashsize == map->hashsize)
-		hashsize++;
-	
-	ip_set_printk("rehashing of set %s triggered: "
-		      "hashsize grows from %u to %u",
-		      set->name, map->hashsize, hashsize);
-
-	tmp = kmalloc(sizeof(struct ip_set_nethash)
-		      + map->probes * sizeof(uint32_t), GFP_ATOMIC);
-	if (!tmp) {
-		DP("out of memory for %d bytes",
-		   sizeof(struct ip_set_nethash)
-		   + map->probes * sizeof(uint32_t));
-		return -ENOMEM;
-	}
-	tmp->members = harray_malloc(hashsize, sizeof(ip_set_ip_t), GFP_ATOMIC);
-	if (!tmp->members) {
-		DP("out of memory for %d bytes", hashsize * sizeof(ip_set_ip_t));
-		kfree(tmp);
-		return -ENOMEM;
-	}
-	tmp->hashsize = hashsize;
-	tmp->elements = 0;
-	tmp->probes = map->probes;
-	tmp->resize = map->resize;
-	memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t));
-	memcpy(tmp->cidr, map->cidr, 30 * sizeof(unsigned char));
-	
-	write_lock_bh(&set->lock);
-	map = set->data; /* Play safe */
-	for (i = 0; i < map->hashsize && res == 0; i++) {
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i);	
-		if (*elem)
-			res = __addip_base(tmp, *elem);
-	}
-	if (res) {
-		/* Failure, try again */
-		write_unlock_bh(&set->lock);
-		harray_free(tmp->members);
-		kfree(tmp);
-		goto again;
-	}
-	
-	/* Success at resizing! */
-	members = map->members;
-	
-	map->hashsize = tmp->hashsize;
-	map->members = tmp->members;
-	write_unlock_bh(&set->lock);
-
-	harray_free(members);
-	kfree(tmp);
-
-	return 0;
-}
-
-static inline int
-__delip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
-	ip_set_ip_t *hash_ip)
-{
-	ip_set_ip_t id, *elem;
 
+	ip = pack_ip_cidr(ip, cidr);
 	if (!ip)
 		return -ERANGE;
 	
-	id = hash_id_cidr(map, ip, cidr, hash_ip);
+	ret = __nethash_add(map, &ip);
+	if (ret == 0) {
+		if (!map->nets[cidr-1]++)
+			add_cidr_size(map->cidr, cidr);
+	}
+	
+	return ret;
+}
+
+#undef KADT_CONDITION
+#define KADT_CONDITION							\
+	struct ip_set_nethash *map = set->data;				\
+	uint8_t cidr = map->cidr[0] ? map->cidr[0] : 31;
+
+UADT(nethash, add, req->cidr)
+KADT(nethash, add, ipaddr, cidr)
+
+static inline void
+__nethash_retry(struct ip_set_nethash *tmp, struct ip_set_nethash *map)
+{
+	memcpy(tmp->cidr, map->cidr, sizeof(tmp->cidr));
+	memcpy(tmp->nets, map->nets, sizeof(tmp->nets));
+}
+
+HASH_RETRY(nethash, ip_set_ip_t)
+
+static inline int
+nethash_del(struct ip_set *set, ip_set_ip_t ip, uint8_t cidr)
+{
+	struct ip_set_nethash *map = set->data;
+	ip_set_ip_t id, *elem;
+
+	if (cidr <= 0 || cidr >= 32)
+		return -EINVAL;	
+	
+	id = nethash_id_cidr(map, ip, cidr);
 	if (id == UINT_MAX)
 		return -EEXIST;
 		
 	elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 	*elem = 0;
 	map->elements--;
+	if (!map->nets[cidr-1]--)
+		del_cidr_size(map->cidr, cidr);
 	return 0;
 }
 
-static int
-delip(struct ip_set *set, const void *data, size_t size,
-        ip_set_ip_t *hash_ip)
+UADT(nethash, del, req->cidr)
+KADT(nethash, del, ipaddr, cidr)
+
+static inline int
+__nethash_create(const struct ip_set_req_nethash_create *req,
+		 struct ip_set_nethash *map)
 {
-	const struct ip_set_req_nethash *req = data;
-
-	if (size != sizeof(struct ip_set_req_nethash)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_nethash),
-			      size);
-		return -EINVAL;
-	}
-	/* TODO: no garbage collection in map->cidr */		
-	return __delip(set->data, req->ip, req->cidr, hash_ip);
-}
-
-static int
-delip_kernel(struct ip_set *set,
-	     const struct sk_buff *skb,
-	     ip_set_ip_t *hash_ip,
-	     const u_int32_t *flags,
-	     unsigned char index)
-{
-	struct ip_set_nethash *map = set->data;
-	int ret = -ERANGE;
-	ip_set_ip_t ip = ntohl(flags[index] & IPSET_SRC
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-					? ip_hdr(skb)->saddr
-					: ip_hdr(skb)->daddr);
-#else
-					? skb->nh.iph->saddr
-					: skb->nh.iph->daddr);
-#endif
+	memset(map->cidr, 0, sizeof(map->cidr));
+	memset(map->nets, 0, sizeof(map->nets));
 	
-	if (map->cidr[0])
-		ret = __delip(map, ip, map->cidr[0], hash_ip);
-	
-	return ret;
-}
-
-static int create(struct ip_set *set, const void *data, size_t size)
-{
-	const struct ip_set_req_nethash_create *req = data;
-	struct ip_set_nethash *map;
-	uint16_t i;
-
-	if (size != sizeof(struct ip_set_req_nethash_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			       sizeof(struct ip_set_req_nethash_create),
-			       size);
-		return -EINVAL;
-	}
-
-	if (req->hashsize < 1) {
-		ip_set_printk("hashsize too small");
-		return -ENOEXEC;
-	}
-	if (req->probes < 1) {
-		ip_set_printk("probes too small");
-		return -ENOEXEC;
-	}
-
-	map = kmalloc(sizeof(struct ip_set_nethash)
-		      + req->probes * sizeof(uint32_t), GFP_KERNEL);
-	if (!map) {
-		DP("out of memory for %d bytes",
-		   sizeof(struct ip_set_nethash)
-		   + req->probes * sizeof(uint32_t));
-		return -ENOMEM;
-	}
-	for (i = 0; i < req->probes; i++)
-		get_random_bytes(((uint32_t *) map->initval)+i, 4);
-	map->elements = 0;
-	map->hashsize = req->hashsize;
-	map->probes = req->probes;
-	map->resize = req->resize;
-	memset(map->cidr, 0, 30 * sizeof(unsigned char));
-	map->members = harray_malloc(map->hashsize, sizeof(ip_set_ip_t), GFP_KERNEL);
-	if (!map->members) {
-		DP("out of memory for %d bytes", map->hashsize * sizeof(ip_set_ip_t));
-		kfree(map);
-		return -ENOMEM;
-	}
-	
-	set->data = map;
 	return 0;
 }
 
-static void destroy(struct ip_set *set)
-{
-	struct ip_set_nethash *map = set->data;
+HASH_CREATE(nethash, ip_set_ip_t)
+HASH_DESTROY(nethash)
 
-	harray_free(map->members);
-	kfree(map);
+HASH_FLUSH_CIDR(nethash, ip_set_ip_t)
 
-	set->data = NULL;
+static inline void
+__nethash_list_header(const struct ip_set_nethash *map,
+		      struct ip_set_req_nethash_create *header)
+{    
 }
 
-static void flush(struct ip_set *set)
-{
-	struct ip_set_nethash *map = set->data;
-	harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
-	memset(map->cidr, 0, 30 * sizeof(unsigned char));
-	map->elements = 0;
-}
+HASH_LIST_HEADER(nethash)
+HASH_LIST_MEMBERS_SIZE(nethash, ip_set_ip_t)
+HASH_LIST_MEMBERS(nethash, ip_set_ip_t)
 
-static void list_header(const struct ip_set *set, void *data)
-{
-	const struct ip_set_nethash *map = set->data;
-	struct ip_set_req_nethash_create *header = data;
-
-	header->hashsize = map->hashsize;
-	header->probes = map->probes;
-	header->resize = map->resize;
-}
-
-static int list_members_size(const struct ip_set *set)
-{
-	struct ip_set_nethash *map = set->data;
-
-	return (map->hashsize * sizeof(ip_set_ip_t));
-}
-
-static void list_members(const struct ip_set *set, void *data)
-{
-	const struct ip_set_nethash *map = set->data;
-	ip_set_ip_t i, *elem;
-
-	for (i = 0; i < map->hashsize; i++) {
-		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i);	
-		((ip_set_ip_t *)data)[i] = *elem;
-	}
-}
-
-static struct ip_set_type ip_set_nethash = {
-	.typename		= SETTYPE_NAME,
-	.features		= IPSET_TYPE_IP | IPSET_DATA_SINGLE,
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,
-	.create			= &create,
-	.destroy		= &destroy,
-	.flush			= &flush,
-	.reqsize		= sizeof(struct ip_set_req_nethash),
-	.addip			= &addip,
-	.addip_kernel		= &addip_kernel,
-	.retry			= &retry,
-	.delip			= &delip,
-	.delip_kernel		= &delip_kernel,
-	.testip			= &testip,
-	.testip_kernel		= &testip_kernel,
-	.header_size		= sizeof(struct ip_set_req_nethash_create),
-	.list_header		= &list_header,
-	.list_members_size	= &list_members_size,
-	.list_members		= &list_members,
-	.me			= THIS_MODULE,
-};
+IP_SET_RTYPE(nethash, IPSET_TYPE_IP | IPSET_DATA_SINGLE)
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -474,17 +215,4 @@ MODULE_DESCRIPTION("nethash type of IP sets");
 module_param(limit, int, 0600);
 MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
 
-static int __init ip_set_nethash_init(void)
-{
-	init_max_page_size();
-	return ip_set_register_set_type(&ip_set_nethash);
-}
-
-static void __exit ip_set_nethash_fini(void)
-{
-	/* FIXME: possible race with ip_set_create() */
-	ip_set_unregister_set_type(&ip_set_nethash);
-}
-
-module_init(ip_set_nethash_init);
-module_exit(ip_set_nethash_fini);
+REGISTER_MODULE(nethash)

extensions/ipset/ip_set_nethash.h

@@ -2,9 +2,9 @@
 #define __IP_SET_NETHASH_H
 
 #include "ip_set.h"
+#include "ip_set_hashes.h"
 
-#define SETTYPE_NAME "nethash"
-#define MAX_RANGE 0x0000FFFF
+#define SETTYPE_NAME		"nethash"
 
 struct ip_set_nethash {
 	ip_set_ip_t *members;		/* the nethash proper */
@@ -12,8 +12,9 @@ struct ip_set_nethash {
 	uint32_t hashsize;		/* hash size */
 	uint16_t probes;		/* max number of probes  */
 	uint16_t resize;		/* resize factor in percent */
-	unsigned char cidr[30];		/* CIDR sizes */
-	void *initval[0];		/* initvals for jhash_1word */
+	uint8_t cidr[30];		/* CIDR sizes */
+	uint16_t nets[30];		/* nr of nets by CIDR sizes */
+	initval_t initval[0];		/* initvals for jhash_1word */
 };
 
 struct ip_set_req_nethash_create {
@@ -24,32 +25,7 @@ struct ip_set_req_nethash_create {
 
 struct ip_set_req_nethash {
 	ip_set_ip_t ip;
-	unsigned char cidr;
+	uint8_t cidr;
 };
 
-static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1};
-
-static inline ip_set_ip_t 
-pack(ip_set_ip_t ip, unsigned char cidr)
-{
-	ip_set_ip_t addr, *paddr = &addr;
-	unsigned char n, t, *a;
-
-	addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr))));
-#ifdef __KERNEL__
-	DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr);
-#endif
-	n = cidr / 8;
-	t = cidr % 8;	
-	a = &((unsigned char *)paddr)[n];
-	*a = *a /(1 << (8 - t)) + shifts[t];
-#ifdef __KERNEL__
-	DP("n: %u, t: %u, a: %u", n, t, *a);
-	DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u",
-	   HIPQUAD(ip), cidr, NIPQUAD(addr));
-#endif
-
-	return ntohl(addr);
-}
-
 #endif	/* __IP_SET_NETHASH_H */

extensions/ipset/ip_set_portmap.c

@@ -1,4 +1,4 @@
-/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+/* Copyright (C) 2003-2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -12,9 +12,6 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/version.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include "ip_set.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -23,319 +20,111 @@
 #include <net/ip.h>
 
 #include "ip_set_portmap.h"
-
-/* We must handle non-linear skbs */
-static inline ip_set_ip_t
-get_port(const struct sk_buff *skb, u_int32_t flags)
-{
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-	struct iphdr *iph = ip_hdr(skb);
-#else
-	struct iphdr *iph = skb->nh.iph;
-#endif
-	u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET;
-	switch (iph->protocol) {
-	case IPPROTO_TCP: {
-		struct tcphdr tcph;
-		
-		/* See comments at tcp_match in ip_tables.c */
-		if (offset)
-			return INVALID_PORT;
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-		if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph)) < 0)
-#else
-		if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0)
-#endif
-			/* No choice either */
-			return INVALID_PORT;
-	     	
-	     	return ntohs(flags & IPSET_SRC ?
-			     tcph.source : tcph.dest);
-	    }
-	case IPPROTO_UDP: {
-		struct udphdr udph;
-
-		if (offset)
-			return INVALID_PORT;
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
-		if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &udph, sizeof(udph)) < 0)
-#else
-		if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &udph, sizeof(udph)) < 0)
-#endif
-			/* No choice either */
-			return INVALID_PORT;
-	     	
-	     	return ntohs(flags & IPSET_SRC ?
-			     udph.source : udph.dest);
-	    }
-	default:
-		return INVALID_PORT;
-	}
-}
+#include "ip_set_getport.h"
 
 static inline int
-__testport(struct ip_set *set, ip_set_ip_t port, ip_set_ip_t *hash_port)
+portmap_test(const struct ip_set *set, ip_set_ip_t port)
 {
-	struct ip_set_portmap *map = set->data;
+	const struct ip_set_portmap *map = set->data;
 
-	if (port < map->first_port || port > map->last_port)
+	if (port < map->first_ip || port > map->last_ip)
 		return -ERANGE;
 		
-	*hash_port = port;
-	DP("set: %s, port:%u, %u", set->name, port, *hash_port);
-	return !!test_bit(port - map->first_port, map->members);
+	DP("set: %s, port: %u", set->name, port);
+	return !!test_bit(port - map->first_ip, map->members);
 }
 
-static int
-testport(struct ip_set *set, const void *data, size_t size,
-         ip_set_ip_t *hash_port)
-{
-	const struct ip_set_req_portmap *req = data;
-
-	if (size != sizeof(struct ip_set_req_portmap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_portmap),
-			      size);
-		return -EINVAL;
-	}
-	return __testport(set, req->port, hash_port);
-}
-
-static int
-testport_kernel(struct ip_set *set,
-	        const struct sk_buff *skb,
-	        ip_set_ip_t *hash_port,
-	        const u_int32_t *flags,
-	        unsigned char index)
-{
-	int res;
-	ip_set_ip_t port = get_port(skb, flags[index]);
-
-	DP("flag %s port %u", flags[index] & IPSET_SRC ? "SRC" : "DST", port);	
-	if (port == INVALID_PORT)
+#define KADT_CONDITION			\
+	if (ip == INVALID_PORT)		\
 		return 0;	
 
-	res =  __testport(set, port, hash_port);
-	
-	return (res < 0 ? 0 : res);
-}
+UADT(portmap, test)
+KADT(portmap, test, get_port)
 
 static inline int
-__addport(struct ip_set *set, ip_set_ip_t port, ip_set_ip_t *hash_port)
+portmap_add(struct ip_set *set, ip_set_ip_t port)
 {
 	struct ip_set_portmap *map = set->data;
 
-	if (port < map->first_port || port > map->last_port)
+	if (port < map->first_ip || port > map->last_ip)
 		return -ERANGE;
-	if (test_and_set_bit(port - map->first_port, map->members))
+	if (test_and_set_bit(port - map->first_ip, map->members))
 		return -EEXIST;
-		
-	*hash_port = port;
-	DP("port %u", port);
+	
+	DP("set: %s, port %u", set->name, port);
 	return 0;
 }
 
-static int
-addport(struct ip_set *set, const void *data, size_t size,
-        ip_set_ip_t *hash_port)
-{
-	const struct ip_set_req_portmap *req = data;
-
-	if (size != sizeof(struct ip_set_req_portmap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_portmap),
-			      size);
-		return -EINVAL;
-	}
-	return __addport(set, req->port, hash_port);
-}
-
-static int
-addport_kernel(struct ip_set *set,
-	       const struct sk_buff *skb,
-	       ip_set_ip_t *hash_port,
-	       const u_int32_t *flags,
-	       unsigned char index)
-{
-	ip_set_ip_t port = get_port(skb, flags[index]);
-	
-	if (port == INVALID_PORT)
-		return -EINVAL;
-
-	return __addport(set, port, hash_port);
-}
+UADT(portmap, add)
+KADT(portmap, add, get_port)
 
 static inline int
-__delport(struct ip_set *set, ip_set_ip_t port, ip_set_ip_t *hash_port)
+portmap_del(struct ip_set *set, ip_set_ip_t port)
 {
 	struct ip_set_portmap *map = set->data;
 
-	if (port < map->first_port || port > map->last_port)
+	if (port < map->first_ip || port > map->last_ip)
 		return -ERANGE;
-	if (!test_and_clear_bit(port - map->first_port, map->members))
+	if (!test_and_clear_bit(port - map->first_ip, map->members))
 		return -EEXIST;
-		
-	*hash_port = port;
-	DP("port %u", port);
+	
+	DP("set: %s, port %u", set->name, port);
 	return 0;
 }
 
-static int
-delport(struct ip_set *set, const void *data, size_t size,
-        ip_set_ip_t *hash_port)
+UADT(portmap, del)
+KADT(portmap, del, get_port)
+
+static inline int
+__portmap_create(const struct ip_set_req_portmap_create *req,
+		 struct ip_set_portmap *map)
 {
-	const struct ip_set_req_portmap *req = data;
-
-	if (size != sizeof(struct ip_set_req_portmap)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			      sizeof(struct ip_set_req_portmap),
-			      size);
-		return -EINVAL;
-	}
-	return __delport(set, req->port, hash_port);
-}
-
-static int
-delport_kernel(struct ip_set *set,
-	       const struct sk_buff *skb,
-	       ip_set_ip_t *hash_port,
-	       const u_int32_t *flags,
-	       unsigned char index)
-{
-	ip_set_ip_t port = get_port(skb, flags[index]);
-	
-	if (port == INVALID_PORT)
-		return -EINVAL;
-
-	return __delport(set, port, hash_port);
-}
-
-static int create(struct ip_set *set, const void *data, size_t size)
-{
-	int newbytes;
-	const struct ip_set_req_portmap_create *req = data;
-	struct ip_set_portmap *map;
-
-	if (size != sizeof(struct ip_set_req_portmap_create)) {
-		ip_set_printk("data length wrong (want %zu, have %zu)",
-			       sizeof(struct ip_set_req_portmap_create),
-			       size);
-		return -EINVAL;
-	}
-
-	DP("from %u to %u", req->from, req->to);
-
-	if (req->from > req->to) {
-		DP("bad port range");
-		return -ENOEXEC;
-	}
-
 	if (req->to - req->from > MAX_RANGE) {
-		ip_set_printk("range too big (max %d ports)",
-			       MAX_RANGE+1);
+		ip_set_printk("range too big, %d elements (max %d)",
+			      req->to - req->from + 1, MAX_RANGE+1);
 		return -ENOEXEC;
 	}
+	return bitmap_bytes(req->from, req->to);
+}
 
-	map = kmalloc(sizeof(struct ip_set_portmap), GFP_KERNEL);
-	if (!map) {
-		DP("out of memory for %d bytes",
-		   sizeof(struct ip_set_portmap));
-		return -ENOMEM;
+BITMAP_CREATE(portmap)
+BITMAP_DESTROY(portmap)
+BITMAP_FLUSH(portmap)
+
+static inline void
+__portmap_list_header(const struct ip_set_portmap *map,
+		      struct ip_set_req_portmap_create *header)
+{
+}
+
+BITMAP_LIST_HEADER(portmap)
+BITMAP_LIST_MEMBERS_SIZE(portmap, ip_set_ip_t, (map->last_ip - map->first_ip + 1),
+			 test_bit(i, map->members))
+
+static void
+portmap_list_members(const struct ip_set *set, void *data, char dont_align)
+{
+	const struct ip_set_portmap *map = set->data;
+	uint32_t i, n = 0;
+	ip_set_ip_t *d;
+	
+	if (dont_align) {
+		memcpy(data, map->members, map->size);
+		return;
 	}
-	map->first_port = req->from;
-	map->last_port = req->to;
-	newbytes = bitmap_bytes(req->from, req->to);
-	map->members = kmalloc(newbytes, GFP_KERNEL);
-	if (!map->members) {
-		DP("out of memory for %d bytes", newbytes);
-		kfree(map);
-		return -ENOMEM;
-	}
-	memset(map->members, 0, newbytes);
-
-	set->data = map;
-	return 0;
+	
+	for (i = 0; i < map->last_ip - map->first_ip + 1; i++)
+		if (test_bit(i, map->members)) {
+			d = data + n * IPSET_ALIGN(sizeof(ip_set_ip_t));
+			*d = map->first_ip + i;
+			n++;
+		}
 }
 
-static void destroy(struct ip_set *set)
-{
-	struct ip_set_portmap *map = set->data;
-
-	kfree(map->members);
-	kfree(map);
-
-	set->data = NULL;
-}
-
-static void flush(struct ip_set *set)
-{
-	struct ip_set_portmap *map = set->data;
-	memset(map->members, 0, bitmap_bytes(map->first_port, map->last_port));
-}
-
-static void list_header(const struct ip_set *set, void *data)
-{
-	const struct ip_set_portmap *map = set->data;
-	struct ip_set_req_portmap_create *header = data;
-
-	DP("list_header %u %u", map->first_port, map->last_port);
-
-	header->from = map->first_port;
-	header->to = map->last_port;
-}
-
-static int list_members_size(const struct ip_set *set)
-{
-	const struct ip_set_portmap *map = set->data;
-
-	return bitmap_bytes(map->first_port, map->last_port);
-}
-
-static void list_members(const struct ip_set *set, void *data)
-{
-	const struct ip_set_portmap *map = set->data;
-	int bytes = bitmap_bytes(map->first_port, map->last_port);
-
-	memcpy(data, map->members, bytes);
-}
-
-static struct ip_set_type ip_set_portmap = {
-	.typename		= SETTYPE_NAME,
-	.features		= IPSET_TYPE_PORT | IPSET_DATA_SINGLE,
-	.protocol_version	= IP_SET_PROTOCOL_VERSION,
-	.create			= &create,
-	.destroy		= &destroy,
-	.flush			= &flush,
-	.reqsize		= sizeof(struct ip_set_req_portmap),
-	.addip			= &addport,
-	.addip_kernel		= &addport_kernel,
-	.delip			= &delport,
-	.delip_kernel		= &delport_kernel,
-	.testip			= &testport,
-	.testip_kernel		= &testport_kernel,
-	.header_size		= sizeof(struct ip_set_req_portmap_create),
-	.list_header		= &list_header,
-	.list_members_size	= &list_members_size,
-	.list_members		= &list_members,
-	.me			= THIS_MODULE,
-};
+IP_SET_TYPE(portmap, IPSET_TYPE_PORT | IPSET_DATA_SINGLE)
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("portmap type of IP sets");
 
-static int __init ip_set_portmap_init(void)
-{
-	return ip_set_register_set_type(&ip_set_portmap);
-}
-
-static void __exit ip_set_portmap_fini(void)
-{
-	/* FIXME: possible race with ip_set_create() */
-	ip_set_unregister_set_type(&ip_set_portmap);
-}
-
-module_init(ip_set_portmap_init);
-module_exit(ip_set_portmap_fini);
+REGISTER_MODULE(portmap)

extensions/ipset/ip_set_portmap.h

@@ -2,15 +2,15 @@
 #define __IP_SET_PORTMAP_H
 
 #include "ip_set.h"
+#include "ip_set_bitmaps.h"
 
-#define SETTYPE_NAME	"portmap"
-#define MAX_RANGE	0x0000FFFF
-#define INVALID_PORT	(MAX_RANGE + 1)
+#define SETTYPE_NAME		"portmap"
 
 struct ip_set_portmap {
 	void *members;			/* the portmap proper */
-	ip_set_ip_t first_port;		/* host byte order, included in range */
-	ip_set_ip_t last_port;		/* host byte order, included in range */
+	ip_set_ip_t first_ip;		/* host byte order, included in range */
+	ip_set_ip_t last_ip;		/* host byte order, included in range */
+	u_int32_t size;			/* size of the ipmap proper */
 };
 
 struct ip_set_req_portmap_create {
@@ -19,7 +19,7 @@ struct ip_set_req_portmap_create {
 };
 
 struct ip_set_req_portmap {
-	ip_set_ip_t port;
+	ip_set_ip_t ip;
 };
 
 #endif /* __IP_SET_PORTMAP_H */

extensions/ipset/ip_set_setlist.c

@@ -0,0 +1,324 @@
+/* Copyright (C) 2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+/* Kernel module implementing an IP set type: the setlist type */
+
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+
+#include "ip_set.h"
+#include "ip_set_bitmaps.h"
+#include "ip_set_setlist.h"
+
+/*
+ * before ==> index, ref
+ * after  ==> ref, index
+ */
+
+static inline int
+next_index_eq(const struct ip_set_setlist *map, int i, ip_set_id_t index)
+{
+	return i < map->size && map->index[i] == index;
+}
+
+static int
+setlist_utest(struct ip_set *set, const void *data, u_int32_t size)
+{
+	const struct ip_set_setlist *map = set->data;
+	const struct ip_set_req_setlist *req = data;
+	ip_set_id_t index, ref = IP_SET_INVALID_ID;
+	int i, res = 0;
+	struct ip_set *s;
+	
+	if (req->before && req->ref[0] == '\0')
+		return 0;
+
+	index = __ip_set_get_byname(req->name, &s);
+	if (index == IP_SET_INVALID_ID)
+		return 0;
+	if (req->ref[0] != '\0') {
+		ref = __ip_set_get_byname(req->ref, &s);
+		if (ref == IP_SET_INVALID_ID)
+			goto finish;
+	}
+	for (i = 0; i < map->size
+		    && map->index[i] != IP_SET_INVALID_ID; i++) {
+		if (req->before && map->index[i] == index) {
+		    	res = next_index_eq(map, i + 1, ref);
+		    	break;
+		} else if (!req->before) {
+			if ((ref == IP_SET_INVALID_ID
+			     && map->index[i] == index)
+			    || (map->index[i] == ref
+			        && next_index_eq(map, i + 1, index))) {
+			        res = 1;
+			        break;
+			}
+		}
+	}
+	if (ref != IP_SET_INVALID_ID)
+		__ip_set_put_byindex(ref);
+finish:
+	__ip_set_put_byindex(index);
+	return res;
+}
+
+static int
+setlist_ktest(struct ip_set *set,
+	      const struct sk_buff *skb,
+	      const u_int32_t *flags)
+{
+	struct ip_set_setlist *map = set->data;
+	int i, res = 0;
+	
+	for (i = 0; i < map->size
+		    && map->index[i] != IP_SET_INVALID_ID
+		    && res == 0; i++)
+		res = ip_set_testip_kernel(map->index[i], skb, flags);
+	return res;
+}
+
+static inline int
+insert_setlist(struct ip_set_setlist *map, int i, ip_set_id_t index)
+{
+	ip_set_id_t tmp;
+	int j;
+
+	DP("i: %u, last %u\n", i, map->index[map->size - 1]);	
+	if (i >= map->size || map->index[map->size - 1] != IP_SET_INVALID_ID)
+		return -ERANGE;
+	
+	for (j = i; j < map->size
+		    && index != IP_SET_INVALID_ID; j++) {
+		tmp = map->index[j];
+		map->index[j] = index;
+		index = tmp;
+	}
+	return 0;
+}
+
+static int
+setlist_uadd(struct ip_set *set, const void *data, u_int32_t size)
+{
+	struct ip_set_setlist *map = set->data;
+	const struct ip_set_req_setlist *req = data;
+	ip_set_id_t index, ref = IP_SET_INVALID_ID;
+	int i, res = -ERANGE;
+	struct ip_set *s;
+	
+	if (req->before && req->ref[0] == '\0')
+		return -EINVAL;
+
+	index = __ip_set_get_byname(req->name, &s);
+	if (index == IP_SET_INVALID_ID)
+		return -EEXIST;
+	/* "Loop detection" */
+	if (strcmp(s->type->typename, "setlist") == 0)
+		goto finish;
+
+	if (req->ref[0] != '\0') {
+		ref = __ip_set_get_byname(req->ref, &s);
+		if (ref == IP_SET_INVALID_ID) {
+			res = -EEXIST;
+			goto finish;
+		}
+	}
+	for (i = 0; i < map->size; i++) {
+		if (map->index[i] != ref)
+			continue;
+		if (req->before) 
+			res = insert_setlist(map, i, index);
+		else
+			res = insert_setlist(map,
+				ref == IP_SET_INVALID_ID ? i : i + 1,
+				index);
+		break;
+	}
+	if (ref != IP_SET_INVALID_ID)
+		__ip_set_put_byindex(ref);
+	/* In case of success, we keep the reference to the set */
+finish:
+	if (res != 0)
+		__ip_set_put_byindex(index);
+	return res;
+}
+
+static int
+setlist_kadd(struct ip_set *set,
+	     const struct sk_buff *skb,
+	     const u_int32_t *flags)
+{
+	struct ip_set_setlist *map = set->data;
+	int i, res = -EINVAL;
+	
+	for (i = 0; i < map->size
+		    && map->index[i] != IP_SET_INVALID_ID
+		    && res != 0; i++)
+		res = ip_set_addip_kernel(map->index[i], skb, flags);
+	return res;
+}
+
+static inline int
+unshift_setlist(struct ip_set_setlist *map, int i)
+{
+	int j;
+	
+	for (j = i; j < map->size - 1; j++)
+		map->index[j] = map->index[j+1];
+	map->index[map->size-1] = IP_SET_INVALID_ID;
+	return 0;
+}
+
+static int
+setlist_udel(struct ip_set *set, const void *data, u_int32_t size)
+{
+	struct ip_set_setlist *map = set->data;
+	const struct ip_set_req_setlist *req = data;
+	ip_set_id_t index, ref = IP_SET_INVALID_ID;
+	int i, res = -EEXIST;
+	struct ip_set *s;
+	
+	if (req->before && req->ref[0] == '\0')
+		return -EINVAL;
+
+	index = __ip_set_get_byname(req->name, &s);
+	if (index == IP_SET_INVALID_ID)
+		return -EEXIST;
+	if (req->ref[0] != '\0') {
+		ref = __ip_set_get_byname(req->ref, &s);
+		if (ref == IP_SET_INVALID_ID)
+			goto finish;
+	}
+	for (i = 0; i < map->size
+	            && map->index[i] != IP_SET_INVALID_ID; i++) {
+		if (req->before) {
+			if (map->index[i] == index
+			    && next_index_eq(map, i + 1, ref)) {
+				res = unshift_setlist(map, i);
+				break;
+			}
+		} else if (ref == IP_SET_INVALID_ID) {
+			if (map->index[i] == index) {
+				res = unshift_setlist(map, i);
+				break;
+			}
+		} else if (map->index[i] == ref
+			   && next_index_eq(map, i + 1, index)) {
+			res = unshift_setlist(map, i + 1);
+			break;
+		}
+	}
+	if (ref != IP_SET_INVALID_ID)
+		__ip_set_put_byindex(ref);
+finish:
+	__ip_set_put_byindex(index);
+	/* In case of success, release the reference to the set */
+	if (res == 0)
+		__ip_set_put_byindex(index);
+	return res;
+}
+
+static int
+setlist_kdel(struct ip_set *set,
+	     const struct sk_buff *skb,
+	     const u_int32_t *flags)
+{
+	struct ip_set_setlist *map = set->data;
+	int i, res = -EINVAL;
+	
+	for (i = 0; i < map->size
+		    && map->index[i] != IP_SET_INVALID_ID
+		    && res != 0; i++)
+		res = ip_set_delip_kernel(map->index[i], skb, flags);
+	return res;
+}
+
+static int
+setlist_create(struct ip_set *set, const void *data, u_int32_t size)
+{
+	struct ip_set_setlist *map;
+	const struct ip_set_req_setlist_create *req = data;
+	int i;
+	
+	map = kmalloc(sizeof(struct ip_set_setlist) +
+		      req->size * sizeof(ip_set_id_t), GFP_KERNEL);
+	if (!map)
+		return -ENOMEM;
+	map->size = req->size;
+	for (i = 0; i < map->size; i++)
+		map->index[i] = IP_SET_INVALID_ID;
+	
+	set->data = map;
+	return 0;
+}                        
+
+static void
+setlist_destroy(struct ip_set *set)
+{
+	struct ip_set_setlist *map = set->data;
+	int i;
+	
+	for (i = 0; i < map->size
+		    && map->index[i] != IP_SET_INVALID_ID; i++)
+		__ip_set_put_byindex(map->index[i]);
+
+	kfree(map);
+	set->data = NULL;
+}
+
+static void
+setlist_flush(struct ip_set *set)
+{
+	struct ip_set_setlist *map = set->data;
+	int i;
+	
+	for (i = 0; i < map->size
+		    && map->index[i] != IP_SET_INVALID_ID; i++) {
+		__ip_set_put_byindex(map->index[i]);
+		map->index[i] = IP_SET_INVALID_ID;
+	}
+}
+
+static void
+setlist_list_header(const struct ip_set *set, void *data)
+{
+	const struct ip_set_setlist *map = set->data;
+	struct ip_set_req_setlist_create *header = data;
+	
+	header->size = map->size;
+}
+
+static int
+setlist_list_members_size(const struct ip_set *set, char dont_align)
+{
+	const struct ip_set_setlist *map = set->data;
+	
+	return map->size * IPSET_VALIGN(sizeof(ip_set_id_t), dont_align);
+}
+
+static void
+setlist_list_members(const struct ip_set *set, void *data, char dont_align)
+{
+	struct ip_set_setlist *map = set->data;
+	ip_set_id_t *d;
+	int i;
+	
+	for (i = 0; i < map->size; i++) {
+		d = data + i * IPSET_VALIGN(sizeof(ip_set_id_t), dont_align);
+		*d = ip_set_id(map->index[i]);
+	}
+}
+
+IP_SET_TYPE(setlist, IPSET_TYPE_SETNAME | IPSET_DATA_SINGLE)
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("setlist type of IP sets");
+
+REGISTER_MODULE(setlist)

extensions/ipset/ip_set_setlist.h

@@ -0,0 +1,26 @@
+#ifndef __IP_SET_SETLIST_H
+#define __IP_SET_SETLIST_H
+
+#include "ip_set.h"
+
+#define SETTYPE_NAME			"setlist"
+
+#define IP_SET_SETLIST_ADD_AFTER	0
+#define IP_SET_SETLIST_ADD_BEFORE	1
+
+struct ip_set_setlist {
+	uint8_t size;
+	ip_set_id_t index[0];
+};
+
+struct ip_set_req_setlist_create {
+	uint8_t size;
+};
+
+struct ip_set_req_setlist {
+	char name[IP_SET_MAXNAMELEN];
+	char ref[IP_SET_MAXNAMELEN];
+	uint8_t before;
+};
+
+#endif /* __IP_SET_SETLIST_H */

extensions/ipset/ipset.8

@@ -18,21 +18,21 @@
 .\"
 .\"
 .SH NAME
-ipset \- administration tool for IP sets
+ipset \(em administration tool for IP sets
 .SH SYNOPSIS
-.BR "ipset -N " "set type-specification [options]"
-.br
-.BR "ipset -[XFLSHh] " "[set] [options]"
-.br
-.BR "ipset -[EW] " "from-set to-set"
-.br
-.BR "ipset -[ADU] " "set entry"
-.br
-.BR "ipset -B " "set entry -b binding"
-.br
-.BR "ipset -T " "set entry [-b binding]"
-.br
-.BR "ipset -R "
+.PP
+\fBipset \-N\fP \fIset\fP \fItype-specification\fP [\fIoptions\fP...]
+.PP
+\fBipset\fP {\fB\-F\fP|\fB\-H\fP|\fB\-L\fP|\fB\-S\fP|\fB\-X\fP} [\fIset\fP]
+[\fIoptions\fP...]
+.PP
+\fBipset\fP {\fB\-E\fP|\fB\-W\fP} \fIfrom-set\fP \fIto-set\fP
+.PP
+\fBipset\fP {\fB\-A\fP|\fB\-D\fP|\fB\-T\fP} \fIset\fP \fIentry\fP
+.PP
+\fBipset \-R\fP
+.PP
+\fBipset\fP {\fB-V\fP|\fB\-v\fP}
 .SH DESCRIPTION
 .B ipset
 is used to set up, maintain and inspect so called IP sets in the Linux
@@ -40,16 +40,9 @@ kernel. Depending on the type, an IP set may store IP addresses, (TCP/UDP)
 port numbers or additional informations besides IP addresses: the word IP 
 means a general term here. See the set type definitions below.
 .P
-Any entry in a set can be bound to another set, which forms a relationship
-between a set element and the set it is bound to. In order to define a
-binding it is not required that the entry be already added to the set. 
-The sets may have a default binding, which is valid for every set element 
-for which there is no binding defined at all.
-.P
-IP set bindings pointing to sets and iptables matches and targets 
-referring to sets creates references, which protects the given sets in 
-the kernel. A set cannot be removed (destroyed) while there is a single
-reference pointing to it.
+Iptables matches and targets referring to sets creates references, which
+protects the given sets in the kernel. A set cannot be removed (destroyed)
+while there is a single reference pointing to it.
 .SH OPTIONS
 The options that are recognized by
 .B ipset
@@ -62,139 +55,87 @@ need to use only enough letters to ensure that
 .B ipset
 can differentiate it from all other options.
 .TP
-.BI "-N, --create " "\fIsetname\fP type type-specific-options"
+\fB\-N\fP, \fB\-\-create\fP \fIsetname\fP \fItype\fP \fItype-specific-options\fP
 Create a set identified with setname and specified type. 
 Type-specific options must be supplied.
 .TP
-.BI "-X, --destroy " "[\fIsetname\fP]"
-Destroy the specified set, or all sets if none or the keyword
-.B
-:all:
-is specified.
-Before destroying the set, all bindings belonging to the 
-set elements and the default binding of the set are removed.
+\fB\-X\fP, \fB\-\-destroy\fP [\fIsetname\fP]
+Destroy the specified set or all the sets if none is given.
 
 If the set has got references, nothing is done.
 .TP
-.BI "-F, --flush " "[\fIsetname\fP]"
-Delete all entries from the specified set, or flush
-all sets if none or the keyword
-.B
-:all:
-is given. Bindings are not affected by the flush operation.
+\fB\-F\fP, \fB\-\-flush\fP [\fIsetname\fP]
+Delete all entries from the specified set or flush
+all sets if none is given.
 .TP
-.BI "-E, --rename " "\fIfrom-setname\fP \fIto-setname\fP"
+\fB\-E\fP, \fB\-\-rename\fP \fIfrom-setname\fP \fIto-setname\fP
 Rename a set. Set identified by to-setname must not exist.
 .TP
-.BI "-W, --swap " "\fIfrom-setname\fP \fIto-setname\fP"
-Swap two sets as they referenced in the Linux kernel.
-.B
-iptables
-rules or
-.B
-ipset
-bindings pointing to the content of from-setname will point to 
-the content of to-setname and vice versa. Both sets must exist.
+\fB\-W\fP, \fB\-\-swap\fP \fIfrom-setname\fP \fIto-setname\fP
+Swap the content of two sets, or in another words, 
+exchange the name of two sets. The referred sets must exist and
+identical type of sets can be swapped only.
 .TP
-.BI "-L, --list " "[\fIsetname\fP]"
-List the entries and bindings for the specified set, or for
-all sets if none or the keyword
-.B
-:all:
-is given. The
-.B "-n, --numeric"
-option can be used to suppress name lookups and generate numeric
-output. When the
-.B "-s, --sorted"
+\fB\-L\fP, \fB\-\-list\fP [\fIsetname\fP]
+List the entries for the specified set, or for
+all sets if none is given. The
+\fB\-r\fP/\fB\-\-resolve\fP
+option can be used to force name lookups (which may be slow). When the
+\fB\-s\fP/\fB\-\-sorted\fP
 option is given, the entries are listed sorted (if the given set
 type supports the operation).
 .TP
-.BI "-S, --save " "[\fIsetname\fP]"
-Save the given set, or all sets if none or the keyword
-.B
-:all:
-is specified to stdout in a format that --restore can read.
+\fB\-S\fP, \fB\-\-save\fP [\fIsetname\fP]
+Save the given set, or all sets if none is given
+to stdout in a format that \fB\-\-restore\fP can read.
 .TP
-.BI "-R, --restore "
-Restore a saved session generated by --save. The saved session
+\fB\-R\fP, \fB\-\-restore\fP
+Restore a saved session generated by \fB\-\-save\fP. The saved session
 can be fed from stdin.
 
 When generating a session file please note that the supported commands
-(create set, add element, bind) must appear in a strict order: first create
+(create set and add element) must appear in a strict order: first create
 the set, then add all elements. Then create the next set, add all its elements
-and so on. Finally you can list all binding commands. Also, it is a restore
-operation, so the sets being restored must not exist.
+and so on. Also, it is a restore operation, so the sets being restored must 
+not exist.
 .TP
-.BI "-A, --add " "\fIsetname\fP \fIIP\fP"
-Add an IP to a set.
+\fB\-A\fP, \fB\-\-add\fP \fIsetname\fP \fIentry\fP
+Add an entry to a set.
 .TP
-.BI "-D, --del " "\fIsetname\fP \fIIP\fP"
-Delete an IP from a set. 
+\fB\-D\fP, \fB\-\-del\fP \fIsetname\fP \fIentry\fP
+Delete an entry from a set.
 .TP
-.BI "-T, --test " "\fIsetname\fP \fIIP
-Test wether an IP is in a set or not. Exit status number is zero
-if the tested IP is in the set and nonzero if it is missing from 
+\fB-T\fP, \fB\-\-test\fP \fIsetname\fP \fIentry\fP
+Test wether an entry is in a set or not. Exit status number is zero
+if the tested entry is in the set and nonzero if it is missing from
 the set.
 .TP
-.BI "-T, --test " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Test wether the IP belonging to the set points to the specified binding. 
-Exit status number is zero if the binding points to the specified set, 
-otherwise it is nonzero. The keyword
-.B
-:default:
-can be used to test the default binding of the set.
-.TP
-.BI "-B, --bind " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Bind the IP in setname to to-setname.
-.TP
-.BI "-U, --unbind " "\fIsetname\fP \fIIP\fP"
-Delete the binding belonging to IP in set setname. 
-.TP
-.BI "-H, --help " "[settype]"
+\fB\-H\fP, \fB\-\-help\fP [\fIsettype\fP]
 Print help and settype specific help if settype specified.
+.TP
+\fB\-V\fP, \fB\-v\fP, \fB\-\-version\fP
+Print program version and protocol version.
 .P
-At the
-.B
--B, -U
-and
-.B 
--T
-commands you can use the token
-.B
-:default:
-to bind, unbind or test the default binding of a set instead
-of an IP. At the
-.B
--U
-command you can use the token
-.B
-:all:
-to destroy the bindings of all elements of a set.
 .SS "OTHER OPTIONS"
 The following additional options can be specified:
 .TP
-.B "-b, --binding setname"
-The option specifies the value of the binding for the
-.B "-B"
-binding command, for which it is a mandatory option.
-You can use it in the
-.B "-T"
-test command as well to test bindings.
-.TP
-.B "-s, --sorted"
-Sorted output. When listing sets, entries are listed sorted.
-.TP
-.B "-n, --numeric"
-Numeric output. When listing sets, bindings, IP addresses and 
-port numbers will be printed in numeric format. By default the 
-program will try to display them as host names, network names 
-or services (whenever applicable), which can trigger
+\fB\-r\fP, \fB\-\-resolve\fP
+When listing sets, enforce name lookup. The 
+program will try to display the IP entries resolved to 
+host names or services (whenever applicable), which can trigger
 .B
 slow
 DNS 
 lookups.
 .TP
-.B "-q, --quiet"
+\fB\-s\fP, \fB\-\-sorted\fP
+Sorted output. When listing sets, entries are listed sorted.
+.TP
+\fB\-n\fP, \fB\-\-numeric\fP
+Numeric output. When listing sets, IP addresses and 
+port numbers will be printed in numeric format. This is the default.
+.TP
+\fB\-q\fP, \fB\-\-quiet\fP
 Suppress any output to stdout and stderr. ipset will still return
 possible errors.
 .SH SET TYPES
@@ -203,62 +144,63 @@ ipset supports the following set types:
 The ipmap set type uses a memory range, where each bit represents
 one IP address. An ipmap set can store up to 65536 (B-class network)
 IP addresses. The ipmap set type is very fast and memory cheap, great
-for use when one want to match certain IPs in a range. Using the
-.B "--netmask"
-option with a CIDR netmask value between 0-32 when creating an ipmap
-set, you will be able to store and match network addresses: i.e an
-IP address will be in the set if the value resulted by masking the address
-with the specified netmask can be found in the set.
+for use when one want to match certain IPs in a range. If the optional
+\fB\-\-netmask\fP
+parameter is specified with a CIDR netmask value between 1-31 then
+network addresses are stored in the given set: i.e an
+IP address will be in the set if the network address, which is resulted
+by masking the address with the specified netmask, can be found in the set.
 .P
 Options to use when creating an ipmap set:
 .TP
-.BR "--from " from-IP
+\fB\-\-from\fP \fIfrom-addr\fP
 .TP
-.BR "--to " to-IP
-Create an ipmap set from the specified range.
+\fB\-\-to\fP \fIto-addr\fP
+Create an ipmap set from the specified address range.
 .TP
-.BR "--network " IP/mask
+\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
 Create an ipmap set from the specified network.
 .TP
-.BR "--netmask " CIDR-netmask
+\fB\-\-netmask\fP \fIprefixlen\fP
 When the optional
-.B "--netmask"
+\fB\-\-netmask\fP
 parameter specified, network addresses will be 
-stored in the set instead of IP addresses, and the from-IP parameter
-must be a network address.
+stored in the set instead of IP addresses, and the \fIfrom-addr\fP parameter
+must be a network address. The \fIprefixlen\fP value must be between 1-31.
+.PP
+Example:
+.IP
+ipset \-N test ipmap \-\-network 192.168.0.0/16 
 .SS macipmap
 The macipmap set type uses a memory range, where each 8 bytes
 represents one IP and a MAC addresses. A macipmap set type can store
 up to 65536 (B-class network) IP addresses with MAC.
 When adding an entry to a macipmap set, you must specify the entry as
-.I IP:MAC.
+"\fIaddress\fP\fB,\fP\fImac\fP".
 When deleting or testing macipmap entries, the
-.I :MAC
-part is not mandatory. (The old "%" separation token instead of ":", i.e
-IP%MAC is accepted as well.)
+"\fB,\fP\fImac\fP"
+part is not mandatory.
 .P
 Options to use when creating an macipmap set:
 .TP
-.BR "--from " from-IP
+\fB\-\-from\fP \fIfrom-addr\fP
 .TP
-.BR "--to " to-IP
-Create a macipmap set from the specified range.
+\fB\-\-to\fP \fIto-addr\fP
+Create a macipmap set from the specified address range.
 .TP
-.BR "--network " IP/mask
+\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
 Create a macipmap set from the specified network.
 .TP
-.BR "--matchunset"
+\fB\-\-matchunset\fP
 When the optional
-.B "--matchunset"
+\fB\-\-matchunset\fP
 parameter specified, IP addresses which could be stored 
 in the set but not set yet, will always match.
 .P
 Please note, the 
-.I
-set
+"set"
 and
-.I
-SET
+"SET"
 netfilter kernel modules
 .B
 always
@@ -271,98 +213,97 @@ The portmap set type is very fast and memory cheap.
 .P
 Options to use when creating an portmap set:
 .TP
-.BR "--from " from-port
+\fB\-\-from\fP \fIfrom-port\fP
 .TP
-.BR "--to " to-port
-Create a portmap set from the specified range.
+\fB\-\-to\fP \fIto-port\fP
+Create a portmap set from the specified port range.
 .SS iphash
 The iphash set type uses a hash to store IP addresses.
 In order to avoid clashes in the hash double-hashing, and as a last
 resort, dynamic growing of the hash performed. The iphash set type is
-great to store random addresses. By supplyig the
-.B "--netmask"
-option with a CIDR netmask value between 0-32 at creating the set,
-you will be able to store and match network addresses instead: i.e 
-an IP address will be in the set if the value of the address
-masked with the specified netmask can be found in the set.
+great to store random addresses. If the optional
+\fB\-\-netmask\fP
+parameter is specified with a CIDR prefix length value between 1-31 then
+network addresses are stored in the given set: i.e an
+IP address will be in the set if the network address, which is resulted
+by masking the address with the specified netmask, can be found in the set.
 .P
 Options to use when creating an iphash set:
 .TP
-.BR "--hashsize " hashsize
+\fB\-\-hashsize\fP \fIhashsize\fP
 The initial hash size (default 1024)
 .TP
-.BR "--probes " probes
+\fB\-\-probes\fP \fIprobes\fP
 How many times try to resolve clashing at adding an IP to the hash 
 by double-hashing (default 8).
 .TP
-.BR "--resize " percent
+\fB\-\-resize\fP \fIpercent\fP
 Increase the hash size by this many percent (default 50) when adding
 an IP to the hash could not be performed after
-.B
-probes
+\fIprobes\fP
 number of double-hashing. 
 .TP
-.BR "--netmask " CIDR-netmask
+\fB\-\-netmask\fP \fIprefixlen\fP
 When the optional
-.B "--netmask"
+\fB\-\-netmask\fP
 parameter specified, network addresses will be 
-stored in the set instead of IP addresses.
+stored in the set instead of IP addresses. The \fIprefixlen\fP value must
+be between 1-31.
 .P
 The iphash type of sets can store up to 65536 entries. If a set is full,
 no new entries can be added to it.
 .P
 Sets created by zero valued resize parameter won't be resized at all.
-The lookup time in an iphash type of set approximately linearly grows with
+The lookup time in an iphash type of set grows approximately linearly with
 the value of the 
-.B
-probes
-parameter. At the same time higher 
-.B
-probes
-values result a better utilized hash while smaller values 
-produce a larger, sparse hash.
+\fIprobes\fP
+parameter. In general higher 
+\fIprobes\fP
+value results better utilized hash while smaller value
+produces larger, sparser hash.
+.PP
+Example:
+.IP
+ipset \-N test iphash \-\-probes 2
 .SS nethash
 The nethash set type uses a hash to store different size of
 network addresses. The
 .I
-IP
-"address" used in the ipset commands must be in the form
-.I
-IP-address/cidr-size
-where the CIDR block size must be in the inclusive range of 1-31.
+entry
+used in the ipset commands must be in the form
+"\fIaddress\fP\fB/\fP\fIprefixlen\fP"
+where prefixlen must be in the inclusive range of 1-31.
 In order to avoid clashes in the hash 
 double-hashing, and as a last resort, dynamic growing of the hash performed.
 .P
 Options to use when creating an nethash set:
 .TP
-.BR "--hashsize " hashsize
+\fB\-\-hashsize\fP \fIhashsize\fP
 The initial hash size (default 1024)
 .TP
-.BR "--probes " probes
+\fB\-\-probes\fP \fIprobes\fP
 How many times try to resolve clashing at adding an IP to the hash 
 by double-hashing (default 4).
 .TP
-.BR "--resize " percent
+\fB\-\-resize\fP \fIpercent\fP
 Increase the hash size by this many percent (default 50) when adding
 an IP to the hash could not be performed after
 .P
 The nethash type of sets can store up to 65536 entries. If a set is full,
 no new entries can be added to it.
 .P
-An IP address will be in a nethash type of set if it is in any of the
-netblocks added to the set and the matching always start from the smallest
-size of netblock (most specific netmask) to the biggest ones (least
+An IP address will be in a nethash type of set if it belongs to any of the
+netblocks added to the set. The matching always start from the smallest
+size of netblock (most specific netmask) to the largest ones (least
 specific netmasks). When adding/deleting IP addresses
 to a nethash set by the
-.I
-SET
+"SET"
 netfilter kernel module, it will be added/deleted by the smallest
-netblock size which can be found in the set.
+netblock size which can be found in the set, or by /31 if the set is empty.
 .P
-The lookup time in a nethash type of set is approximately linearly 
-grows with the times of the
-.B
-probes
+The lookup time in a nethash type of set grows approximately linearly 
+with the times of the
+\fIprobes\fP
 parameter and the number of different mask parameters in the hash.
 Otherwise the same speed and memory efficiency comments applies here 
 as at the iphash type.
@@ -373,40 +314,115 @@ resort, dynamic growing of the hash performed. An ipporthash set can
 store up to 65536 (B-class network) IP addresses with all possible port
 values. When adding, deleting and testing values in an ipporthash type of
 set, the entries must be specified as
-.B
-"IP:port".
-(Old "IP%port" format accepted as well.)
+"\fIaddress\fP\fB,\fP\fIport\fP".
 .P
 The ipporthash types of sets evaluates two src/dst parameters of the 
-.I
-set
+"set"
 match and 
-.I
-SET
+"SET"
 target. 
 .P
 Options to use when creating an ipporthash set:
 .TP
-.BR "--from " from-IP
+\fB\-\-from\fP \fIfrom-addr\fP
 .TP
-.BR "--to " to-IP
-Create an ipporthash set from the specified range.
+\fB\-\-to\fP \fIto-addr\fP
+Create an ipporthash set from the specified address range.
 .TP
-.BR "--network " IP/mask
+\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
 Create an ipporthash set from the specified network.
 .TP
-.BR "--hashsize " hashsize
+\fB\-\-hashsize\fP \fIhashsize\fP
 The initial hash size (default 1024)
 .TP
-.BR "--probes " probes
+\fB\-\-probes\fP \fIprobes\fP
 How many times try to resolve clashing at adding an IP to the hash 
 by double-hashing (default 8).
 .TP
-.BR "--resize " percent
+\fB\-\-resize\fP \fIpercent\fP
 Increase the hash size by this many percent (default 50) when adding
 an IP to the hash could not be performed after
-.B
-probes
+\fIprobes\fP
+number of double-hashing.
+.P
+The same resizing, speed and memory efficiency comments applies here 
+as at the iphash type.
+.SS ipportiphash
+The ipportiphash set type uses a hash to store IP address,port and IP
+address triples. The first IP address must come form a maximum /16
+sized network or range while the port number and the second IP address
+parameters are arbitrary. When adding, deleting and testing values in an 
+ipportiphash type of set, the entries must be specified as
+"\fIaddress\fP\fB,\fP\fIport\fP\fB,\fP\fIaddress\fP".
+.P
+The ipportiphash types of sets evaluates three src/dst parameters of the 
+"set"
+match and 
+"SET"
+target. 
+.P
+Options to use when creating an ipportiphash set:
+.TP
+\fB\-\-from\fP \fIfrom-addr\fP
+.TP
+\fB\-\-to\fP \fIto-addr\fP
+Create an ipportiphash set from the specified address range.
+.TP
+\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
+Create an ipportiphash set from the specified network.
+.TP
+\fB\-\-hashsize\fP \fIhashsize\fP
+The initial hash size (default 1024)
+.TP
+\fB\-\-probes\fP \fIprobes\fP
+How many times try to resolve clashing at adding an IP to the hash 
+by double-hashing (default 8).
+.TP
+\fB\-\-resize\fP \fIpercent\fP
+Increase the hash size by this many percent (default 50) when adding
+an IP to the hash could not be performed after
+\fIprobes\fP
+number of double-hashing.
+.P
+The same resizing, speed and memory efficiency comments applies here 
+as at the iphash type.
+.SS ipportnethash
+The ipportnethash set type uses a hash to store IP address, port, and
+network address triples. The IP address must come form a maximum /16
+sized network or range while the port number and the network address
+parameters are arbitrary, but the size of the network address must be
+between /1-/31. When adding, deleting 
+and testing values in an ipportnethash type of set, the entries must be
+specified as
+"\fIaddress\fP\fB,\fP\fIport\fP\fB,\fP\fIaddress\fP\fB/\fP\fIprefixlen\fP".
+.P
+The ipportnethash types of sets evaluates three src/dst parameters of the 
+"set"
+match and 
+"SET"
+target. 
+.P
+Options to use when creating an ipportnethash set:
+.TP
+\fB\-\-from\fP \fIfrom-address\fP
+.TP
+\fB\-\-to\fP \fIto-address\fP
+Create an ipporthash set from the specified range.
+.TP
+\fB\-\-network\fP \fIaddress\fP\fB/\fP\fImask\fP
+Create an ipporthash set from the specified network.
+.TP
+\fB\-\-hashsize\fP \fIhashsize\fP
+The initial hash size (default 1024)
+.TP
+\fB\-\-probes\fP \fIprobes\fP
+How many times try to resolve clashing at adding an IP to the hash 
+by double-hashing (default 8).
+.TP
+\fB\-\-resize\fP \fIpercent\fP
+Increase the hash size by this many percent (default 50) when adding
+an IP to the hash could not be performed after
+\fIprobes\fP
 number of double-hashing.
 .P
 The same resizing, speed and memory efficiency comments applies here 
@@ -417,14 +433,14 @@ with timeout values.
 .P
 Options to use when creating an iptree set:
 .TP
-.BR "--timeout " value
+\fB\-\-timeout\fP \fIvalue\fP
 The timeout value for the entries in seconds (default 0)
 .P
 If a set was created with a nonzero valued 
-.B "--timeout"
+\fB\-\-timeout\fP
 parameter then one may add IP addresses to the set with a specific 
 timeout value using the syntax 
-.I IP:timeout-value.
+"\fIaddress\fP\fB,\fP\fItimeout-value\fP".
 Similarly to the hash types, the iptree type of sets can store up to 65536
 entries.
 .SS iptreemap
@@ -432,12 +448,67 @@ The iptreemap set type uses a tree to store IP addresses or networks,
 where the last octet of an IP address are stored in a bitmap.
 As input entry, you can add IP addresses, CIDR blocks or network ranges
 to the set. Network ranges can be specified in the format
-.I IP1:IP2
+"\fIaddress1\fP\fB-\fP\fIaddress2\fP".
 .P
 Options to use when creating an iptreemap set:
 .TP
-.BR "--gc " value
+\fB\-\-gc\fP \fIvalue\fP
 How often the garbage collection should be called, in seconds (default 300)
+.SS setlist
+The setlist type uses a simple list in which you can store sets. By the
+ipset
+command you can add, delete and test sets in a setlist type of set.
+You can specify the sets as
+"\fIsetname\fP[\fB,\fP{\fBafter\fP|\fBbefore\fP},\fIsetname\fP]".
+By default new sets are added after (appended to) the existing
+elements. Setlist type of sets cannot be added to a setlist type of set.
+.P
+Options to use when creating a setlist type of set:
+.TP
+\fB\-\-size\fP \fIsize\fP
+Create a setlist type of set with the given size (default 8).
+.PP
+By the
+"set"
+match or
+"SET"
+target of
+\fBiptables\fP(8)
+you can test, add or delete entries in the sets. The match
+will try to find a matching IP address/port in the sets and 
+the target will try to add the IP address/port to the first set
+to which it can be added. The number of src,dst options of
+the match and target are important: sets which eats more src,dst
+parameters than specified are skipped, while sets with equal
+or less parameters are checked, elements added. For example
+if
+.I
+a
+and
+.I
+b
+are setlist type of sets then in the command
+.IP
+iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add-set b src,dst
+.PP
+the match and target will skip any set in
+.I a
+and
+.I b
+which stores 
+data triples, but will check all sets with single or double
+data storage in
+.I a
+set and add src to the first single or src,dst to the first double 
+data storage set in
+\fIb\fP.
+You can imagine a setlist type of set as an ordered union of
+the set elements. 
+.P
+Please note: by the ipset command you can add, delete and
+.B test
+the setnames in a setlist type of set, and not the presence of 
+a set's member (such as an IP address).
 .SH GENERAL RESTRICTIONS
 Setnames starting with colon (:) cannot be defined. Zero valued set 
 entries cannot be used with hash type of sets.
@@ -447,6 +518,10 @@ If you want to store same size subnets from a given network
 If you want to store random same size networks (say random /24 blocks), 
 use the iphash set type. If you have got random size of netblocks, 
 use nethash.
+.P
+Old separator tokens (':' and '%") are still accepted.
+.P
+Binding support is removed.
 .SH DIAGNOSTICS
 Various error messages are printed to standard error.  The exit code
 is 0 for correct functioning.  Errors which appear to be caused by
@@ -463,8 +538,4 @@ Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
 .P
 Sven Wegener wrote the iptreemap type.
 .SH LAST REMARK
-.BR "I stand on the shoulder of giants."
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
+.BR "I stand on the shoulders of giants."

extensions/ipset/ipset.h

@@ -20,12 +20,13 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  */
 
-#include <getopt.h>
+#include <getopt.h>			/* struct option */
+#include <stdint.h>
 #include <sys/types.h>
-#include <netdb.h>
 
 #include "ip_set.h"
 
+#define IPSET_LIB_NAME "/libipset_%s.so"
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 
 #define LIST_TRIES 5
@@ -55,8 +56,6 @@ enum set_commands {
 	CMD_ADD,		/* -A */
 	CMD_DEL,		/* -D */
 	CMD_TEST,		/* -T */
-	CMD_BIND,		/* -B */
-	CMD_UNBIND,		/* -U */
 	CMD_HELP,		/* -H */
 	CMD_VERSION,		/* -V */
 	NUMBER_OF_CMD = CMD_VERSION,
@@ -94,7 +93,7 @@ struct settype {
 	 */
 
 	/* Size of create data. Will be sent to kernel */
-	size_t create_size;
+	u_int32_t create_size;
 
 	/* Initialize the create. */
 	void (*create_init) (void *data);
@@ -114,17 +113,17 @@ struct settype {
 	 */
 
 	/* Size of data. Will be sent to kernel */
-	size_t adt_size;
+	u_int32_t adt_size;
 
 	/* Function which parses command options */
-	ip_set_ip_t (*adt_parser) (unsigned cmd, const char *optarg, void *data);
+	ip_set_ip_t (*adt_parser) (int cmd, const char *optarg, void *data);
 
 	/*
 	 * Printing
 	 */
 
 	/* Size of header. */
-	size_t header_size;
+	u_int32_t header_size;
 
 	/* Initialize the type-header */
 	void (*initheader) (struct set *set, const void *data);
@@ -133,22 +132,19 @@ struct settype {
 	void (*printheader) (struct set *set, unsigned options);
 
 	/* Pretty print all IPs */
-	void (*printips) (struct set *set, void *data, size_t len, unsigned options);
+	void (*printips) (struct set *set, void *data, u_int32_t len,
+			  unsigned options, char dont_align);
 
 	/* Pretty print all IPs sorted */
-	void (*printips_sorted) (struct set *set, void *data, size_t len, unsigned options);
+	void (*printips_sorted) (struct set *set, void *data, u_int32_t len,
+				 unsigned options, char dont_align);
 
 	/* Print save arguments for creating the set */
 	void (*saveheader) (struct set *set, unsigned options);
 
 	/* Print save for all IPs */
-	void (*saveips) (struct set *set, void *data, size_t len, unsigned options);
-
-	/* Conver a single IP (binding) to string */
-	char * (*bindip_tostring)(struct set *set, ip_set_ip_t ip, unsigned options);
-	
-	/* Parse an IP at restoring bindings. FIXME */
-	void (*bindip_parse) (const char *str, ip_set_ip_t * ip);
+	void (*saveips) (struct set *set, void *data, u_int32_t len,
+			 unsigned options, char dont_align);
 
 	/* Print usage */
 	void (*usage) (void);
@@ -156,7 +152,7 @@ struct settype {
 	/* Internal data */
 	void *header;
 	void *data;
-	unsigned int option_offset;
+	int option_offset;
 	unsigned int flags;
 };
 
@@ -164,7 +160,7 @@ extern void settype_register(struct settype *settype);
 
 /* extern void unregister_settype(set_type_t *set_type); */
 
-extern void exit_error(enum exittype status, const char *msg, ...);
+extern void exit_error(int status, const char *msg, ...);
 
 extern char *binding_ip_tostring(struct set *set,
 				 ip_set_ip_t ip, unsigned options);
@@ -181,11 +177,24 @@ extern int string_to_number(const char *str, unsigned int min, unsigned int max,
 
 extern void *ipset_malloc(size_t size);
 extern char *ipset_strdup(const char *);
-extern void ipset_free(void **data);
+extern void ipset_free(void *data);
 
-#define BITSPERBYTE	(8*sizeof(char))
-#define ID2BYTE(id)	((id)/BITSPERBYTE)
-#define ID2MASK(id)	(1 << ((id)%BITSPERBYTE))
-#define test_bit(id, heap)	((((char *)(heap))[ID2BYTE(id)] & ID2MASK(id)) != 0)
+extern struct set *set_find_byname(const char *name);
+extern struct set *set_find_byid(ip_set_id_t id);
+
+extern unsigned warn_once;
+
+#define BITS_PER_LONG	(8*sizeof(ip_set_ip_t))
+#define BIT_WORD(nr)	((nr) / BITS_PER_LONG)
+
+static inline int test_bit(int nr, const ip_set_ip_t *addr)
+{
+	return 1 & (addr[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG-1)));
+}
+
+#define UNUSED __attribute__ ((unused))
+#define CONSTRUCTOR(module) \
+void __attribute__ ((constructor)) module##_init(void); \
+void module##_init(void)
 
 #endif	/* __IPSET_H */

extensions/ipset/ipset_iphash.c

@@ -15,24 +15,14 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  */
 
-#include <errno.h>
-#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/types.h>
-
-#include "ip_set_iphash.h"
-#include "ip_set_jhash.h"
+#include <limits.h>			/* UINT_MAX */
+#include <stdio.h>			/* *printf */
+#include <string.h>			/* mem* */
 
 #include "ipset.h"
 
+#include "ip_set_iphash.h"
+
 #define BUFLEN 30;
 
 #define OPT_CREATE_HASHSIZE	0x01U
@@ -41,10 +31,10 @@
 #define OPT_CREATE_NETMASK	0x08U
 
 /* Initialize the create. */
-static void create_init(void *data)
+static void
+iphash_create_init(void *data)
 {
-	struct ip_set_req_iphash_create *mydata =
-	    (struct ip_set_req_iphash_create *) data;
+	struct ip_set_req_iphash_create *mydata = data;
 
 	DP("create INIT");
 
@@ -57,7 +47,8 @@ static void create_init(void *data)
 }
 
 /* Function which parses command options; returns true if it ate an option */
-static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
+static int
+iphash_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
 	struct ip_set_req_iphash_create *mydata =
 	    (struct ip_set_req_iphash_create *) data;
@@ -125,31 +116,25 @@ static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
 }
 
 /* Final check; exit if not ok. */
-static void create_final(void *data, unsigned int flags)
+static void
+iphash_create_final(void *data UNUSED, unsigned int flags UNUSED)
 {
-#ifdef IPSET_DEBUG
-	struct ip_set_req_iphash_create *mydata =
-	    (struct ip_set_req_iphash_create *) data;
-
-	DP("hashsize %u probes %u resize %u",
-	   mydata->hashsize, mydata->probes, mydata->resize);
-#endif
 }
 
 /* Create commandline options */
 static const struct option create_opts[] = {
-	{"hashsize", 1, 0, '1'},
-	{"probes", 1, 0, '2'},
-	{"resize", 1, 0, '3'},
-	{"netmask", 1, 0, '4'},
+	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
+	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
+	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
+	{.name = "netmask",	.has_arg = required_argument,	.val = '4'},
 	{NULL},
 };
 
 /* Add, del, test parser */
-static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
+static ip_set_ip_t
+iphash_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
-	struct ip_set_req_iphash *mydata =
-	    (struct ip_set_req_iphash *) data;
+	struct ip_set_req_iphash *mydata = data;
 
 	parse_ip(arg, &mydata->ip);
 	if (!mydata->ip)
@@ -163,12 +148,11 @@ static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
  * Print and save
  */
 
-static void initheader(struct set *set, const void *data)
+static void
+iphash_initheader(struct set *set, const void *data)
 {
-	struct ip_set_req_iphash_create *header =
-	    (struct ip_set_req_iphash_create *) data;
-	struct ip_set_iphash *map =
-		(struct ip_set_iphash *) set->settype->header;
+	const struct ip_set_req_iphash_create *header = data;
+	struct ip_set_iphash *map = set->settype->header;
 
 	memset(map, 0, sizeof(struct ip_set_iphash));
 	map->hashsize = header->hashsize;
@@ -187,16 +171,16 @@ mask_to_bits(ip_set_ip_t mask)
 		return bits;
 	
 	maskaddr = 0xFFFFFFFE;
-	while (--bits >= 0 && maskaddr != mask)
+	while (--bits > 0 && maskaddr != mask)
 		maskaddr <<= 1;
 	
 	return bits;
 }
 
-static void printheader(struct set *set, unsigned int options)
+static void
+iphash_printheader(struct set *set, unsigned options UNUSED)
 {
-	struct ip_set_iphash *mysetdata =
-	    (struct ip_set_iphash *) set->settype->header;
+	struct ip_set_iphash *mysetdata = set->settype->header;
 
 	printf(" hashsize: %u", mysetdata->hashsize);
 	printf(" probes: %u", mysetdata->probes);
@@ -207,24 +191,24 @@ static void printheader(struct set *set, unsigned int options)
 		printf(" netmask: %d\n", mask_to_bits(mysetdata->netmask));
 }
 
-static void printips(struct set *set, void *data, size_t len,
-    unsigned int options)
+static void
+iphash_printips(struct set *set UNUSED, void *data, u_int32_t len,
+		unsigned options, char dont_align)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("%s\n", ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
+		printf("%s\n", ip_tostring(*ip, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
-static void saveheader(struct set *set, unsigned int options)
+static void
+iphash_saveheader(struct set *set, unsigned options UNUSED)
 {
-	struct ip_set_iphash *mysetdata =
-	    (struct ip_set_iphash *) set->settype->header;
+	struct ip_set_iphash *mysetdata = set->settype->header;
 
 	printf("-N %s %s --hashsize %u --probes %u --resize %u",
 	       set->name, set->settype->typename,
@@ -236,22 +220,22 @@ static void saveheader(struct set *set, unsigned int options)
 }
 
 /* Print save for an IP */
-static void saveips(struct set *set, void *data, size_t len,
-    unsigned int options)
+static void
+iphash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
+	       unsigned options, char dont_align)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
+		printf("-A %s %s\n", set->name, ip_tostring(*ip, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
-static void usage(void)
+static void
+iphash_usage(void)
 {
 	printf
 	    ("-N set iphash [--hashsize hashsize] [--probes probes ]\n"
@@ -267,32 +251,28 @@ static struct settype settype_iphash = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_iphash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = iphash_create_init,
+	.create_parse = iphash_create_parse,
+	.create_final = iphash_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_iphash),
-	.adt_parser = &adt_parser,
+	.adt_parser = iphash_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_iphash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = iphash_initheader,
+	.printheader = iphash_printheader,
+	.printips = iphash_printips,
+	.printips_sorted = iphash_printips,
+	.saveheader = iphash_saveheader,
+	.saveips = iphash_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse = &parse_ip,
-	
-	.usage = &usage,
+	.usage = iphash_usage,
 };
 
-static __attribute__((constructor)) void iphash_init(void)
+CONSTRUCTOR(iphash)
 {
 	settype_register(&settype_iphash);
 

extensions/ipset/ipset_ipmap.c

@@ -17,15 +17,12 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  */
 
-#include <stdio.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-/* #include <asm/bitops.h> */
+#include <stdio.h>			/* *printf */
+#include <string.h>			/* mem* */
+
+#include "ipset.h"
 
 #include "ip_set_ipmap.h"
-#include "ipset.h"
 
 #define BUFLEN 30;
 
@@ -37,20 +34,20 @@
 #define OPT_ADDDEL_IP      0x01U
 
 /* Initialize the create. */
-static void create_init(void *data)
+static void
+ipmap_create_init(void *data)
 {
-	struct ip_set_req_ipmap_create *mydata =
-	    (struct ip_set_req_ipmap_create *) data;
+	struct ip_set_req_ipmap_create *mydata = data;
 
 	DP("create INIT");
 	mydata->netmask = 0xFFFFFFFF;
 }
 
 /* Function which parses command options; returns true if it ate an option */
-static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
+static int
+ipmap_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
-	struct ip_set_req_ipmap_create *mydata =
-	    (struct ip_set_req_ipmap_create *) data;
+	struct ip_set_req_ipmap_create *mydata = data;
 	unsigned int bits;
 
 	DP("create_parse");
@@ -116,15 +113,12 @@ static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
 	return 1;
 }
 
-#define ERRSTRLEN	256
-
 /* Final check; exit if not ok. */
-static void create_final(void *data, unsigned int flags)
+static void
+ipmap_create_final(void *data, unsigned int flags)
 {
-	struct ip_set_req_ipmap_create *mydata =
-	    (struct ip_set_req_ipmap_create *) data;
+	struct ip_set_req_ipmap_create *mydata = data;
 	ip_set_ip_t range;
-	char errstr[ERRSTRLEN];
 
 	if (flags == 0)
 		exit_error(PARAMETER_PROBLEM,
@@ -154,7 +148,7 @@ static void create_final(void *data, unsigned int flags)
 	if (flags & OPT_CREATE_NETMASK) {
 		unsigned int mask_bits, netmask_bits;
 		ip_set_ip_t mask;
-		
+
 		if ((mydata->from & mydata->netmask) != mydata->from)
 			exit_error(PARAMETER_PROBLEM,
 				   "%s is not a network address according to netmask %d\n",
@@ -164,26 +158,14 @@ static void create_final(void *data, unsigned int flags)
 		mask = range_to_mask(mydata->from, mydata->to, &mask_bits);
 		if (!mask
 		    && (mydata->from || mydata->to != 0xFFFFFFFF)) {
-			strncpy(errstr, ip_tostring_numeric(mydata->from),
-				ERRSTRLEN-2);
-			errstr[ERRSTRLEN-1] = '\0';
 			exit_error(PARAMETER_PROBLEM,
-				   "%s-%s is not a full network (%x)\n",
-				   errstr,
-				   ip_tostring_numeric(mydata->to), mask);
+				   "You have to define a full network with --from"
+				   " and --to if you specify the --network option\n");
 		}
 		netmask_bits = mask_to_bits(mydata->netmask);
-		
 		if (netmask_bits <= mask_bits) {
-			strncpy(errstr, ip_tostring_numeric(mydata->from),
-				ERRSTRLEN-2);
-			errstr[ERRSTRLEN-1] = '\0';
 			exit_error(PARAMETER_PROBLEM,
-				   "%d netmask specifies larger or equal netblock than %s-%s (%d)\n",
-				   netmask_bits,
-				   errstr,
-				   ip_tostring_numeric(mydata->to),
-				   mask_bits);
+				   "%d netmask specifies larger or equal netblock than the network itself\n");
 		}
 		range = (1<<(netmask_bits - mask_bits)) - 1;
 	} else {
@@ -197,18 +179,18 @@ static void create_final(void *data, unsigned int flags)
 
 /* Create commandline options */
 static const struct option create_opts[] = {
-	{"from", 1, 0, '1'},
-	{"to", 1, 0, '2'},
-	{"network", 1, 0, '3'},
-	{"netmask", 1, 0, '4'},
+	{.name = "from",	.has_arg = required_argument,	.val = '1'},
+	{.name = "to",		.has_arg = required_argument,	.val = '2'},
+	{.name = "network",	.has_arg = required_argument,	.val = '3'},
+	{.name = "netmask",	.has_arg = required_argument,	.val = '4'},
 	{NULL},
 };
 
 /* Add, del, test parser */
-static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
+static ip_set_ip_t
+ipmap_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
-	struct ip_set_req_ipmap *mydata =
-	    (struct ip_set_req_ipmap *) data;
+	struct ip_set_req_ipmap *mydata = data;
 
 	DP("ipmap: %p %p", arg, data);
 
@@ -222,12 +204,11 @@ static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
  * Print and save
  */
 
-static void initheader(struct set *set, const void *data)
+static void
+ipmap_initheader(struct set *set, const void *data)
 {
-	struct ip_set_req_ipmap_create *header =
-	    (struct ip_set_req_ipmap_create *) data;
-	struct ip_set_ipmap *map =
-		(struct ip_set_ipmap *) set->settype->header;
+	const struct ip_set_req_ipmap_create *header = data;
+	struct ip_set_ipmap *map = set->settype->header;
 		
 	memset(map, 0, sizeof(struct ip_set_ipmap));
 	map->first_ip = header->from;
@@ -244,18 +225,18 @@ static void initheader(struct set *set, const void *data)
 		mask = range_to_mask(header->from, header->to, &mask_bits);
 		netmask_bits = mask_to_bits(header->netmask);
 
-		DP("bits: %i %i", mask_bits, netmask_bits);
+		DP("bits: %d %d", mask_bits, netmask_bits);
 		map->hosts = 2 << (32 - netmask_bits - 1);
 		map->sizeid = 2 << (netmask_bits - mask_bits - 1);
 	}
 
-	DP("%i %i", map->hosts, map->sizeid );
+	DP("%d %d", map->hosts, map->sizeid );
 }
 
-static void printheader(struct set *set, unsigned int options)
+static void
+ipmap_printheader(struct set *set, unsigned options)
 {
-	struct ip_set_ipmap *mysetdata =
-	    (struct ip_set_ipmap *) set->settype->header;
+	struct ip_set_ipmap *mysetdata = set->settype->header;
 
 	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
 	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
@@ -265,11 +246,11 @@ static void printheader(struct set *set, unsigned int options)
 		printf(" netmask: %d\n", mask_to_bits(mysetdata->netmask));
 }
 
-static void printips_sorted(struct set *set, void *data, size_t len,
-    unsigned int options)
+static inline void
+__ipmap_printips_sorted(struct set *set, void *data,
+			u_int32_t len UNUSED, unsigned options)
 {
-	struct ip_set_ipmap *mysetdata =
-	    (struct ip_set_ipmap *) set->settype->header;
+	struct ip_set_ipmap *mysetdata = set->settype->header;
 	ip_set_ip_t id;
 
 	for (id = 0; id < mysetdata->sizeid; id++)
@@ -280,10 +261,29 @@ static void printips_sorted(struct set *set, void *data, size_t len,
 					   options));
 }
 
-static void saveheader(struct set *set, unsigned int options)
+static void
+ipmap_printips_sorted(struct set *set, void *data,
+		      u_int32_t len, unsigned options,
+		      char dont_align)
 {
-	struct ip_set_ipmap *mysetdata =
-	    (struct ip_set_ipmap *) set->settype->header;
+	ip_set_ip_t *ip;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __ipmap_printips_sorted(set, data, len, options);
+	
+	while (offset < len) {
+		DP("offset: %zu, len %u\n", offset, len);
+		ip = data + offset;
+		printf("%s\n", ip_tostring(*ip, options));
+		offset += IPSET_ALIGN(sizeof(ip_set_ip_t));
+	}
+}
+
+static void
+ipmap_saveheader(struct set *set, unsigned options)
+{
+	struct ip_set_ipmap *mysetdata = set->settype->header;
 
 	printf("-N %s %s --from %s",
 	       set->name, set->settype->typename,
@@ -297,11 +297,11 @@ static void saveheader(struct set *set, unsigned int options)
 		       mask_to_bits(mysetdata->netmask));
 }
 
-static void saveips(struct set *set, void *data, size_t len,
-    unsigned int options)
+static inline void
+__ipmap_saveips(struct set *set, void *data, u_int32_t len UNUSED,
+		unsigned options)
 {
-	struct ip_set_ipmap *mysetdata =
-	    (struct ip_set_ipmap *) set->settype->header;
+	struct ip_set_ipmap *mysetdata = set->settype->header;
 	ip_set_ip_t id;
 
 	DP("%s", set->name);
@@ -314,7 +314,25 @@ static void saveips(struct set *set, void *data, size_t len,
 					   options));
 }
 
-static void usage(void)
+static void
+ipmap_saveips(struct set *set, void *data, u_int32_t len,
+	      unsigned options, char dont_align)
+{
+	ip_set_ip_t *ip;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __ipmap_saveips(set, data, len, options);
+	
+	while (offset < len) {
+		ip = data + offset;
+		printf("-A %s %s\n", set->name, ip_tostring(*ip, options));
+		offset += IPSET_ALIGN(sizeof(ip_set_ip_t));
+	}
+}
+
+static void
+ipmap_usage(void)
 {
 	printf
 	    ("-N set ipmap --from IP --to IP [--netmask CIDR-netmask]\n"
@@ -330,32 +348,28 @@ static struct settype settype_ipmap = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_ipmap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = ipmap_create_init,
+	.create_parse = ipmap_create_parse,
+	.create_final = ipmap_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_ipmap),
-	.adt_parser = &adt_parser,
+	.adt_parser = ipmap_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_ipmap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = ipmap_initheader,
+	.printheader = ipmap_printheader,
+	.printips = ipmap_printips_sorted,
+	.printips_sorted = ipmap_printips_sorted,
+	.saveheader = ipmap_saveheader,
+	.saveips = ipmap_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse	= &parse_ip,
-
-	.usage = &usage,
+	.usage = ipmap_usage,
 };
 
-static __attribute__((constructor)) void ipmap_init(void)
+CONSTRUCTOR(ipmap)
 {
 	settype_register(&settype_ipmap);
 

extensions/ipset/ipset_ipporthash.c

@@ -15,24 +15,14 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  */
 
-#include <errno.h>
-#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/types.h>
-
-#include "ip_set_ipporthash.h"
-#include "ip_set_jhash.h"
+#include <limits.h>			/* UINT_MAX */
+#include <stdio.h>			/* *printf */
+#include <string.h>			/* mem*, str* */
 
 #include "ipset.h"
 
+#include "ip_set_ipporthash.h"
+
 #define OPT_CREATE_HASHSIZE	0x01U
 #define OPT_CREATE_PROBES	0x02U
 #define OPT_CREATE_RESIZE	0x04U
@@ -41,10 +31,10 @@
 #define OPT_CREATE_TO		0x20U
 
 /* Initialize the create. */
-static void create_init(void *data)
+static void
+ipporthash_create_init(void *data)
 {
-	struct ip_set_req_ipporthash_create *mydata =
-	    (struct ip_set_req_ipporthash_create *) data;
+	struct ip_set_req_ipporthash_create *mydata = data;
 
 	DP("create INIT");
 
@@ -55,10 +45,11 @@ static void create_init(void *data)
 }
 
 /* Function which parses command options; returns true if it ate an option */
-static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
+static int
+ipporthash_create_parse(int c, char *argv[] UNUSED, void *data,
+			unsigned *flags)
 {
-	struct ip_set_req_ipporthash_create *mydata =
-	    (struct ip_set_req_ipporthash_create *) data;
+	struct ip_set_req_ipporthash_create *mydata = data;
 	ip_set_ip_t value;
 
 	DP("create_parse");
@@ -146,10 +137,10 @@ static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
 }
 
 /* Final check; exit if not ok. */
-static void create_final(void *data, unsigned int flags)
+static void
+ipporthash_create_final(void *data, unsigned int flags)
 {
-	struct ip_set_req_ipporthash_create *mydata =
-	    (struct ip_set_req_ipporthash_create *) data;
+	struct ip_set_req_ipporthash_create *mydata = data;
 
 #ifdef IPSET_DEBUG
 	DP("hashsize %u probes %u resize %u",
@@ -188,34 +179,42 @@ static void create_final(void *data, unsigned int flags)
 
 /* Create commandline options */
 static const struct option create_opts[] = {
-	{"hashsize", 1, 0, '1'},
-	{"probes", 1, 0, '2'},
-	{"resize", 1, 0, '3'},
-	{"from", 1, 0, '4'},
-	{"to", 1, 0, '5'},
-	{"network", 1, 0, '6'},
+	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
+	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
+	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
+	{.name = "from",	.has_arg = required_argument,	.val = '4'},
+	{.name = "to",		.has_arg = required_argument,	.val = '5'},
+	{.name = "network",	.has_arg = required_argument,	.val = '6'},
 	{NULL},
 };
 
 /* Add, del, test parser */
-static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
+static ip_set_ip_t
+ipporthash_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
-	struct ip_set_req_ipporthash *mydata =
-	    (struct ip_set_req_ipporthash *) data;
+	struct ip_set_req_ipporthash *mydata = data;
 	char *saved = ipset_strdup(arg);
 	char *ptr, *tmp = saved;
 
 	DP("ipporthash: %p %p", arg, data);
 
-	ptr = strsep(&tmp, ":%");
+	if (((ptr = strchr(tmp, ':')) || (ptr = strchr(tmp, '%'))) && ++warn_once == 1)
+		fprintf(stderr, "Warning: please use ',' separator token between ip,port.\n"
+			        "Next release won't support old separator tokens.\n");
+
+	ptr = strsep(&tmp, ":%,");
 	parse_ip(ptr, &mydata->ip);
 
 	if (tmp)
 		parse_port(tmp, &mydata->port);
 	else
 		exit_error(PARAMETER_PROBLEM,
-			   "IP address and port must be specified: ip%%port");
-	free(saved);
+			   "IP address and port must be specified: ip,port");
+
+	if (!(mydata->ip || mydata->port))
+		exit_error(PARAMETER_PROBLEM,
+			  "Zero valued IP address and port `%s' specified", arg);
+	ipset_free(saved);
 	return 1;	
 };
 
@@ -223,12 +222,11 @@ static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
  * Print and save
  */
 
-static void initheader(struct set *set, const void *data)
+static void
+ipporthash_initheader(struct set *set, const void *data)
 {
-	struct ip_set_req_ipporthash_create *header =
-	    (struct ip_set_req_ipporthash_create *) data;
-	struct ip_set_ipporthash *map =
-		(struct ip_set_ipporthash *) set->settype->header;
+	const struct ip_set_req_ipporthash_create *header = data;
+	struct ip_set_ipporthash *map = set->settype->header;
 
 	memset(map, 0, sizeof(struct ip_set_ipporthash));
 	map->hashsize = header->hashsize;
@@ -238,10 +236,10 @@ static void initheader(struct set *set, const void *data)
 	map->last_ip = header->to;
 }
 
-static void printheader(struct set *set, unsigned int options)
+static void
+ipporthash_printheader(struct set *set, unsigned options)
 {
-	struct ip_set_ipporthash *mysetdata =
-	    (struct ip_set_ipporthash *) set->settype->header;
+	struct ip_set_ipporthash *mysetdata = set->settype->header;
 
 	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
 	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
@@ -250,32 +248,30 @@ static void printheader(struct set *set, unsigned int options)
 	printf(" resize: %u\n", mysetdata->resize);
 }
 
-static void printips(struct set *set, void *data, size_t len,
-    unsigned int options)
+static void
+ipporthash_printips(struct set *set, void *data, u_int32_t len,
+		    unsigned options, char dont_align)
 {
-	struct ip_set_ipporthash *mysetdata =
-	    (struct ip_set_ipporthash *) set->settype->header;
+	struct ip_set_ipporthash *mysetdata = set->settype->header;
 	size_t offset = 0;
 	ip_set_ip_t *ipptr, ip;
 	uint16_t port;
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("%s:%s\n", 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
-		offset += sizeof(ip_set_ip_t);
+		ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
+		printf("%s,%s\n", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
-static void saveheader(struct set *set, unsigned int options)
+static void
+ipporthash_saveheader(struct set *set, unsigned options)
 {
-	struct ip_set_ipporthash *mysetdata =
-	    (struct ip_set_ipporthash *) set->settype->header;
+	struct ip_set_ipporthash *mysetdata = set->settype->header;
 
 	printf("-N %s %s --from %s",
 	       set->name, set->settype->typename,
@@ -287,54 +283,37 @@ static void saveheader(struct set *set, unsigned int options)
 }
 
 /* Print save for an IP */
-static void saveips(struct set *set, void *data, size_t len,
-    unsigned int options)
+static void
+ipporthash_saveips(struct set *set, void *data, u_int32_t len,
+		   unsigned options, char dont_align)
 {
-	struct ip_set_ipporthash *mysetdata =
-	    (struct ip_set_ipporthash *) set->settype->header;
+	struct ip_set_ipporthash *mysetdata = set->settype->header;
 	size_t offset = 0;
 	ip_set_ip_t *ipptr, ip;
 	uint16_t port;
 
 	while (offset < len) {
 		ipptr = data + offset;
-		if (*ipptr) {
-			ip = (*ipptr>>16) + mysetdata->first_ip;
-			port = (uint16_t) *ipptr;
-			printf("-A %s %s:%s\n", set->name, 
-			       ip_tostring(ip, options),
-			       port_tostring(port, options));
-		}
-		offset += sizeof(ip_set_ip_t);
+		ip = (*ipptr>>16) + mysetdata->first_ip;
+		port = (uint16_t) *ipptr;
+		printf("-A %s %s,%s\n", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
-static char buffer[22];
-
-static char * unpack_ipport_tostring(struct set *set, ip_set_ip_t bip, unsigned options)
-{
-	struct ip_set_ipporthash *mysetdata =
-	    (struct ip_set_ipporthash *) set->settype->header;
-	ip_set_ip_t ip, port;
-	
-	ip = (bip>>16) + mysetdata->first_ip;
-	port = (uint16_t) bip;
-	sprintf(buffer, "%s:%s", 
-		ip_tostring(ip, options), port_tostring(port, options));
-		
-	return buffer;
-}
-
-static void usage(void)
+static void
+ipporthash_usage(void)
 {
 	printf
 	    ("-N set ipporthash --from IP --to IP\n"
 	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
 	     "-N set ipporthash --network IP/mask\n"
 	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
-	     "-A set IP:port\n"
-	     "-D set IP:port\n"
-	     "-T set IP:port\n");
+	     "-A set IP,port\n"
+	     "-D set IP,port\n"
+	     "-T set IP,port\n");
 }
 
 static struct settype settype_ipporthash = {
@@ -343,32 +322,28 @@ static struct settype settype_ipporthash = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_ipporthash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = ipporthash_create_init,
+	.create_parse = ipporthash_create_parse,
+	.create_final = ipporthash_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_ipporthash),
-	.adt_parser = &adt_parser,
+	.adt_parser = ipporthash_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_ipporthash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = ipporthash_initheader,
+	.printheader = ipporthash_printheader,
+	.printips = ipporthash_printips,
+	.printips_sorted = ipporthash_printips,
+	.saveheader = ipporthash_saveheader,
+	.saveips = ipporthash_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &unpack_ipport_tostring,
-	.bindip_parse = &parse_ip,
-	
-	.usage = &usage,
+	.usage = ipporthash_usage,
 };
 
-static __attribute__((constructor)) void ipporthash_init(void)
+CONSTRUCTOR(ipporthash)
 {
 	settype_register(&settype_ipporthash);
 

extensions/ipset/ipset_ipportiphash.c

@@ -0,0 +1,361 @@
+/* Copyright 2008 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License as published by   
+ * the Free Software Foundation; either version 2 of the License, or      
+ * (at your option) any later version.                                    
+ *                                                                         
+ * This program is distributed in the hope that it will be useful,        
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of         
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
+ * GNU General Public License for more details.                           
+ *                                                                         
+ * You should have received a copy of the GNU General Public License      
+ * along with this program; if not, write to the Free Software            
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <limits.h>			/* UINT_MAX */
+#include <stdio.h>			/* *printf */
+#include <string.h>			/* mem*, str* */
+
+#include "ipset.h"
+
+#include "ip_set_ipportiphash.h"
+
+#define OPT_CREATE_HASHSIZE	0x01U
+#define OPT_CREATE_PROBES	0x02U
+#define OPT_CREATE_RESIZE	0x04U
+#define OPT_CREATE_NETWORK	0x08U
+#define OPT_CREATE_FROM		0x10U
+#define OPT_CREATE_TO		0x20U
+
+/* Initialize the create. */
+static void
+ipportiphash_create_init(void *data)
+{
+	struct ip_set_req_ipportiphash_create *mydata = data;
+
+	DP("create INIT");
+
+	/* Default create parameters */	
+	mydata->hashsize = 1024;
+	mydata->probes = 8;
+	mydata->resize = 50;
+}
+
+/* Function which parses command options; returns true if it ate an option */
+static int
+ipportiphash_create_parse(int c, char *argv[] UNUSED, void *data,
+			  unsigned *flags)
+{
+	struct ip_set_req_ipportiphash_create *mydata = data;
+	ip_set_ip_t value;
+
+	DP("create_parse");
+
+	switch (c) {
+	case '1':
+
+		if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
+			exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
+
+		*flags |= OPT_CREATE_HASHSIZE;
+
+		DP("--hashsize %u", mydata->hashsize);
+		
+		break;
+
+	case '2':
+
+		if (string_to_number(optarg, 1, 65535, &value))
+			exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
+
+		mydata->probes = value;
+		*flags |= OPT_CREATE_PROBES;
+
+		DP("--probes %u", mydata->probes);
+		
+		break;
+
+	case '3':
+
+		if (string_to_number(optarg, 0, 65535, &value))
+			exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
+
+		mydata->resize = value;
+		*flags |= OPT_CREATE_RESIZE;
+
+		DP("--resize %u", mydata->resize);
+		
+		break;
+
+	case '4':
+		parse_ip(optarg, &mydata->from);
+
+		*flags |= OPT_CREATE_FROM;
+
+		DP("--from %x (%s)", mydata->from,
+		   ip_tostring_numeric(mydata->from));
+
+		break;
+
+	case '5':
+		parse_ip(optarg, &mydata->to);
+
+		*flags |= OPT_CREATE_TO;
+
+		DP("--to %x (%s)", mydata->to,
+		   ip_tostring_numeric(mydata->to));
+
+		break;
+
+	case '6':
+		parse_ipandmask(optarg, &mydata->from, &mydata->to);
+
+		/* Make to the last of from + mask */
+		if (mydata->to)
+			mydata->to = mydata->from | ~(mydata->to);
+		else {
+			mydata->from = 0x00000000;
+			mydata->to = 0xFFFFFFFF;
+		}
+		*flags |= OPT_CREATE_NETWORK;
+
+		DP("--network from %x (%s)", 
+		   mydata->from, ip_tostring_numeric(mydata->from));
+		DP("--network to %x (%s)", 
+		   mydata->to, ip_tostring_numeric(mydata->to));
+
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+/* Final check; exit if not ok. */
+static void
+ipportiphash_create_final(void *data, unsigned int flags)
+{
+	struct ip_set_req_ipportiphash_create *mydata = data;
+
+#ifdef IPSET_DEBUG
+	DP("hashsize %u probes %u resize %u",
+	   mydata->hashsize, mydata->probes, mydata->resize);
+#endif
+
+	if (flags & OPT_CREATE_NETWORK) {
+		/* --network */
+		if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --from or --to with --network\n");
+	} else if (flags & (OPT_CREATE_FROM | OPT_CREATE_TO)) {
+		/* --from --to */
+		if (!(flags & OPT_CREATE_FROM) || !(flags & OPT_CREATE_TO))
+			exit_error(PARAMETER_PROBLEM,
+				   "Need to specify both --from and --to\n");
+	} else {
+		exit_error(PARAMETER_PROBLEM,
+			   "Need to specify --from and --to, or --network\n");
+
+	}
+
+	DP("from : %x to: %x diff: %x", 
+	   mydata->from, mydata->to,
+	   mydata->to - mydata->from);
+
+	if (mydata->from > mydata->to)
+		exit_error(PARAMETER_PROBLEM,
+			   "From can't be higher than to.\n");
+
+	if (mydata->to - mydata->from > MAX_RANGE)
+		exit_error(PARAMETER_PROBLEM,
+			   "Range too large. Max is %d IPs in range\n",
+			   MAX_RANGE+1);
+}
+
+/* Create commandline options */
+static const struct option create_opts[] = {
+	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
+	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
+	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
+	{.name = "from",	.has_arg = required_argument,	.val = '4'},
+	{.name = "to",		.has_arg = required_argument,	.val = '5'},
+	{.name = "network",	.has_arg = required_argument,	.val = '6'},
+	{NULL},
+};
+
+/* Add, del, test parser */
+static ip_set_ip_t
+ipportiphash_adt_parser(int cmd UNUSED, const char *arg, void *data)
+{
+	struct ip_set_req_ipportiphash *mydata = data;
+	char *saved = ipset_strdup(arg);
+	char *ptr, *tmp = saved;
+
+	DP("ipportiphash: %p %p", arg, data);
+
+	if (((ptr = strchr(tmp, ':')) || (ptr = strchr(tmp, '%'))) && ++warn_once == 1)
+		fprintf(stderr, "Warning: please use ',' separator token between ip,port,ip.\n"
+			        "Next release won't support old separator tokens.\n");
+
+	ptr = strsep(&tmp, ":%,");
+	parse_ip(ptr, &mydata->ip);
+
+	if (!tmp)
+		exit_error(PARAMETER_PROBLEM,
+			   "IP address, port and IP address must be specified: ip,port,ip");
+
+	ptr = strsep(&tmp, ":%,");
+	parse_port(ptr, &mydata->port);
+	if (tmp)
+		parse_ip(tmp, &mydata->ip1);
+	else
+		exit_error(PARAMETER_PROBLEM,
+			   "IP address, port and IP address must be specified: ip,port,ip");
+	if (!(mydata->ip || mydata->port || mydata->ip1))
+		exit_error(PARAMETER_PROBLEM,
+			  "Zero valued IP address, port and IP address `%s' specified", arg);
+	ipset_free(saved);
+	return 1;	
+};
+
+/*
+ * Print and save
+ */
+
+static void
+ipportiphash_initheader(struct set *set, const void *data)
+{
+	const struct ip_set_req_ipportiphash_create *header = data;
+	struct ip_set_ipportiphash *map = set->settype->header;
+
+	memset(map, 0, sizeof(struct ip_set_ipportiphash));
+	map->hashsize = header->hashsize;
+	map->probes = header->probes;
+	map->resize = header->resize;
+	map->first_ip = header->from;
+	map->last_ip = header->to;
+}
+
+static void
+ipportiphash_printheader(struct set *set, unsigned options)
+{
+	struct ip_set_ipportiphash *mysetdata = set->settype->header;
+
+	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
+	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
+	printf(" hashsize: %u", mysetdata->hashsize);
+	printf(" probes: %u", mysetdata->probes);
+	printf(" resize: %u\n", mysetdata->resize);
+}
+
+static void
+ipportiphash_printips(struct set *set, void *data, u_int32_t len,
+		      unsigned options, char dont_align)
+{
+	struct ip_set_ipportiphash *mysetdata = set->settype->header;
+	size_t offset = 0;
+	struct ipportip *ipptr;
+	ip_set_ip_t ip;
+	uint16_t port;
+
+	while (offset < len) {
+		ipptr = data + offset;
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n", 
+		       ip_tostring(ipptr->ip1, options));
+		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
+	}
+}
+
+static void
+ipportiphash_saveheader(struct set *set, unsigned options)
+{
+	struct ip_set_ipportiphash *mysetdata = set->settype->header;
+
+	printf("-N %s %s --from %s",
+	       set->name, set->settype->typename,
+	       ip_tostring(mysetdata->first_ip, options));
+	printf(" --to %s",
+	       ip_tostring(mysetdata->last_ip, options));
+	printf(" --hashsize %u --probes %u --resize %u\n",
+	       mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
+}
+
+/* Print save for an IP */
+static void
+ipportiphash_saveips(struct set *set, void *data, u_int32_t len,
+		     unsigned options, char dont_align)
+{
+	struct ip_set_ipportiphash *mysetdata = set->settype->header;
+	size_t offset = 0;
+	struct ipportip *ipptr;
+	ip_set_ip_t ip;
+	uint16_t port;
+
+	while (offset < len) {
+		ipptr = data + offset;
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n",
+		       ip_tostring(ipptr->ip1, options));
+		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
+	}
+}
+
+static void
+ipportiphash_usage(void)
+{
+	printf
+	    ("-N set ipportiphash --from IP --to IP\n"
+	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
+	     "-N set ipportiphash --network IP/mask\n"
+	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
+	     "-A set IP,port,IP\n"
+	     "-D set IP,port,IP\n"
+	     "-T set IP,port,IP\n");
+}
+
+static struct settype settype_ipportiphash = {
+	.typename = SETTYPE_NAME,
+	.protocol_version = IP_SET_PROTOCOL_VERSION,
+
+	/* Create */
+	.create_size = sizeof(struct ip_set_req_ipportiphash_create),
+	.create_init = ipportiphash_create_init,
+	.create_parse = ipportiphash_create_parse,
+	.create_final = ipportiphash_create_final,
+	.create_opts = create_opts,
+
+	/* Add/del/test */
+	.adt_size = sizeof(struct ip_set_req_ipportiphash),
+	.adt_parser = ipportiphash_adt_parser,
+
+	/* Printing */
+	.header_size = sizeof(struct ip_set_ipportiphash),
+	.initheader = ipportiphash_initheader,
+	.printheader = ipportiphash_printheader,
+	.printips = ipportiphash_printips,
+	.printips_sorted = ipportiphash_printips,
+	.saveheader = ipportiphash_saveheader,
+	.saveips = ipportiphash_saveips,
+	
+	.usage = ipportiphash_usage,
+};
+
+CONSTRUCTOR(ipportiphash)
+{
+	settype_register(&settype_ipportiphash);
+
+}

extensions/ipset/ipset_ipportnethash.c

@@ -0,0 +1,426 @@
+/* Copyright 2008 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License as published by   
+ * the Free Software Foundation; either version 2 of the License, or      
+ * (at your option) any later version.                                    
+ *                                                                         
+ * This program is distributed in the hope that it will be useful,        
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of         
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
+ * GNU General Public License for more details.                           
+ *                                                                         
+ * You should have received a copy of the GNU General Public License      
+ * along with this program; if not, write to the Free Software            
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <limits.h>			/* UINT_MAX */
+#include <stdio.h>			/* *printf */
+#include <string.h>			/* mem*, str* */
+
+#include "ipset.h"
+
+#include "ip_set_ipportnethash.h"
+
+#define OPT_CREATE_HASHSIZE	0x01U
+#define OPT_CREATE_PROBES	0x02U
+#define OPT_CREATE_RESIZE	0x04U
+#define OPT_CREATE_NETWORK	0x08U
+#define OPT_CREATE_FROM		0x10U
+#define OPT_CREATE_TO		0x20U
+
+/* Initialize the create. */
+static void
+ipportnethash_create_init(void *data)
+{
+	struct ip_set_req_ipportnethash_create *mydata = data;
+
+	DP("create INIT");
+
+	/* Default create parameters */	
+	mydata->hashsize = 1024;
+	mydata->probes = 8;
+	mydata->resize = 50;
+}
+
+/* Function which parses command options; returns true if it ate an option */
+static int
+ipportnethash_create_parse(int c, char *argv[] UNUSED, void *data,
+			   unsigned *flags)
+{
+	struct ip_set_req_ipportnethash_create *mydata = data;
+	ip_set_ip_t value;
+
+	DP("create_parse");
+
+	switch (c) {
+	case '1':
+
+		if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
+			exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
+
+		*flags |= OPT_CREATE_HASHSIZE;
+
+		DP("--hashsize %u", mydata->hashsize);
+		
+		break;
+
+	case '2':
+
+		if (string_to_number(optarg, 1, 65535, &value))
+			exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
+
+		mydata->probes = value;
+		*flags |= OPT_CREATE_PROBES;
+
+		DP("--probes %u", mydata->probes);
+		
+		break;
+
+	case '3':
+
+		if (string_to_number(optarg, 0, 65535, &value))
+			exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
+
+		mydata->resize = value;
+		*flags |= OPT_CREATE_RESIZE;
+
+		DP("--resize %u", mydata->resize);
+		
+		break;
+
+	case '4':
+		parse_ip(optarg, &mydata->from);
+
+		*flags |= OPT_CREATE_FROM;
+
+		DP("--from %x (%s)", mydata->from,
+		   ip_tostring_numeric(mydata->from));
+
+		break;
+
+	case '5':
+		parse_ip(optarg, &mydata->to);
+
+		*flags |= OPT_CREATE_TO;
+
+		DP("--to %x (%s)", mydata->to,
+		   ip_tostring_numeric(mydata->to));
+
+		break;
+
+	case '6':
+		parse_ipandmask(optarg, &mydata->from, &mydata->to);
+
+		/* Make to the last of from + mask */
+		if (mydata->to)
+			mydata->to = mydata->from | ~(mydata->to);
+		else {
+			mydata->from = 0x00000000;
+			mydata->to = 0xFFFFFFFF;
+		}
+		*flags |= OPT_CREATE_NETWORK;
+
+		DP("--network from %x (%s)", 
+		   mydata->from, ip_tostring_numeric(mydata->from));
+		DP("--network to %x (%s)", 
+		   mydata->to, ip_tostring_numeric(mydata->to));
+
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+/* Final check; exit if not ok. */
+static void
+ipportnethash_create_final(void *data, unsigned int flags)
+{
+	struct ip_set_req_ipportnethash_create *mydata = data;
+
+#ifdef IPSET_DEBUG
+	DP("hashsize %u probes %u resize %u",
+	   mydata->hashsize, mydata->probes, mydata->resize);
+#endif
+
+	if (flags & OPT_CREATE_NETWORK) {
+		/* --network */
+		if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --from or --to with --network\n");
+	} else if (flags & (OPT_CREATE_FROM | OPT_CREATE_TO)) {
+		/* --from --to */
+		if (!(flags & OPT_CREATE_FROM) || !(flags & OPT_CREATE_TO))
+			exit_error(PARAMETER_PROBLEM,
+				   "Need to specify both --from and --to\n");
+	} else {
+		exit_error(PARAMETER_PROBLEM,
+			   "Need to specify --from and --to, or --network\n");
+
+	}
+
+	DP("from : %x to: %x diff: %x", 
+	   mydata->from, mydata->to,
+	   mydata->to - mydata->from);
+
+	if (mydata->from > mydata->to)
+		exit_error(PARAMETER_PROBLEM,
+			   "From can't be higher than to.\n");
+
+	if (mydata->to - mydata->from > MAX_RANGE)
+		exit_error(PARAMETER_PROBLEM,
+			   "Range too large. Max is %d IPs in range\n",
+			   MAX_RANGE+1);
+}
+
+/* Create commandline options */
+static const struct option create_opts[] = {
+	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
+	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
+	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
+	{.name = "from",	.has_arg = required_argument,	.val = '4'},
+	{.name = "to",		.has_arg = required_argument,	.val = '5'},
+	{.name = "network",	.has_arg = required_argument,	.val = '6'},
+	{NULL},
+};
+
+/* Add, del, test parser */
+static ip_set_ip_t
+ipportnethash_adt_parser(int cmd, const char *arg, void *data)
+{
+	struct ip_set_req_ipportnethash *mydata = data;
+	char *saved = ipset_strdup(arg);
+	char *ptr, *tmp = saved;
+	ip_set_ip_t cidr;
+
+	DP("ipportnethash: %p %p", arg, data);
+
+	if (((ptr = strchr(tmp, ':')) || (ptr = strchr(tmp, '%'))) && ++warn_once == 1)
+		fprintf(stderr, "Warning: please use ',' separator token between ip,port,net.\n"
+			        "Next release won't support old separator tokens.\n");
+
+	ptr = strsep(&tmp, ":%,");
+	parse_ip(ptr, &mydata->ip);
+	if (!tmp)
+		exit_error(PARAMETER_PROBLEM,
+			   "IP address, port and network address must be specified: ip,port,net");
+
+	ptr = strsep(&tmp, ":%,");
+	parse_port(ptr, &mydata->port);
+	if (!tmp)
+		exit_error(PARAMETER_PROBLEM,
+			   "IP address, port and network address must be specified: ip,port,net");
+
+	ptr = strsep(&tmp, "/");
+	if (tmp == NULL)
+		if (cmd == CMD_TEST)
+			cidr = 32;
+		else
+			exit_error(PARAMETER_PROBLEM,
+				   "Missing /cidr from `%s'", arg);
+	else
+		if (string_to_number(tmp, 1, 31, &cidr))
+			exit_error(PARAMETER_PROBLEM,
+				   "Out of range cidr `%s' specified", arg);
+	
+	mydata->cidr = cidr;
+
+	parse_ip(ptr, &mydata->ip1);
+	ipset_free(saved);
+	return 1;	
+};
+
+/*
+ * Print and save
+ */
+
+static void
+ipportnethash_initheader(struct set *set, const void *data)
+{
+	const struct ip_set_req_ipportnethash_create *header = data;
+	struct ip_set_ipportnethash *map = set->settype->header;
+
+	memset(map, 0, sizeof(struct ip_set_ipportnethash));
+	map->hashsize = header->hashsize;
+	map->probes = header->probes;
+	map->resize = header->resize;
+	map->first_ip = header->from;
+	map->last_ip = header->to;
+}
+
+static void
+ipportnethash_printheader(struct set *set, unsigned options)
+{
+	struct ip_set_ipportnethash *mysetdata = set->settype->header;
+
+	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
+	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
+	printf(" hashsize: %u", mysetdata->hashsize);
+	printf(" probes: %u", mysetdata->probes);
+	printf(" resize: %u\n", mysetdata->resize);
+}
+
+static char buf[20];
+
+static char *
+unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
+{
+	int i, j = 3;
+	unsigned char a, b;
+
+	ip = htonl(ip);	
+	for (i = 3; i >= 0; i--)
+		if (((unsigned char *)&ip)[i] != 0) {
+			j = i;
+			break;
+		}
+			
+	a = ((unsigned char *)&ip)[j];
+	if (a <= 128) {
+		a = (a - 1) * 2;
+		b = 7;
+	} else if (a <= 192) {
+		a = (a - 129) * 4;
+		b = 6;
+	} else if (a <= 224) {
+		a = (a - 193) * 8;
+		b = 5;
+	} else if (a <= 240) {
+		a = (a - 225) * 16;
+		b = 4;
+	} else if (a <= 248) {
+		a = (a - 241) * 32;
+		b = 3;
+	} else if (a <= 252) {
+		a = (a - 249) * 64;
+		b = 2;
+	} else if (a <= 254) {
+		a = (a - 253) * 128;
+		b = 1;
+	} else {
+		a = b = 0;
+	}
+	((unsigned char *)&ip)[j] = a;
+	b += j * 8;
+	
+	sprintf(buf, "%u.%u.%u.%u/%u",
+		((unsigned char *)&ip)[0],
+		((unsigned char *)&ip)[1],
+		((unsigned char *)&ip)[2],
+		((unsigned char *)&ip)[3],
+		b);
+
+	DP("%s %s", ip_tostring(ntohl(ip), 0), buf);
+	return buf;
+}
+
+static void
+ipportnethash_printips(struct set *set, void *data, u_int32_t len,
+		       unsigned options, char dont_align)
+{
+	struct ip_set_ipportnethash *mysetdata = set->settype->header;
+	size_t offset = 0;
+	struct ipportip *ipptr;
+	ip_set_ip_t ip;
+	uint16_t port;
+
+	while (offset < len) {
+		ipptr = data + offset;
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("%s,%s,", 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n", 
+		       unpack_ip_tostring(ipptr->ip1, options));
+		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
+	}
+}
+
+static void
+ipportnethash_saveheader(struct set *set, unsigned options)
+{
+	struct ip_set_ipportnethash *mysetdata = set->settype->header;
+
+	printf("-N %s %s --from %s",
+	       set->name, set->settype->typename,
+	       ip_tostring(mysetdata->first_ip, options));
+	printf(" --to %s",
+	       ip_tostring(mysetdata->last_ip, options));
+	printf(" --hashsize %u --probes %u --resize %u\n",
+	       mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
+}
+
+/* Print save for an IP */
+static void
+ipportnethash_saveips(struct set *set, void *data, u_int32_t len,
+		      unsigned options, char dont_align)
+{
+	struct ip_set_ipportnethash *mysetdata = set->settype->header;
+	size_t offset = 0;
+	struct ipportip *ipptr;
+	ip_set_ip_t ip;
+	uint16_t port;
+
+	while (offset < len) {
+		ipptr = data + offset;
+		ip = (ipptr->ip>>16) + mysetdata->first_ip;
+		port = (uint16_t) ipptr->ip;
+		printf("-A %s %s,%s,", set->name, 
+		       ip_tostring(ip, options),
+		       port_tostring(port, options));
+		printf("%s\n",
+		       unpack_ip_tostring(ipptr->ip, options));
+		offset += IPSET_VALIGN(sizeof(struct ipportip), dont_align);
+	}
+}
+
+static void
+ipportnethash_usage(void)
+{
+	printf
+	    ("-N set ipportnethash --from IP --to IP\n"
+	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
+	     "-N set ipportnethash --network IP/mask\n"
+	     "   [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
+	     "-A set IP,port,IP/net\n"
+	     "-D set IP,port,IP/net\n"
+	     "-T set IP,port,IP[/net]\n");
+}
+
+static struct settype settype_ipportnethash = {
+	.typename = SETTYPE_NAME,
+	.protocol_version = IP_SET_PROTOCOL_VERSION,
+
+	/* Create */
+	.create_size = sizeof(struct ip_set_req_ipportnethash_create),
+	.create_init = ipportnethash_create_init,
+	.create_parse = ipportnethash_create_parse,
+	.create_final = ipportnethash_create_final,
+	.create_opts = create_opts,
+
+	/* Add/del/test */
+	.adt_size = sizeof(struct ip_set_req_ipportnethash),
+	.adt_parser = ipportnethash_adt_parser,
+
+	/* Printing */
+	.header_size = sizeof(struct ip_set_ipportnethash),
+	.initheader = ipportnethash_initheader,
+	.printheader = ipportnethash_printheader,
+	.printips = ipportnethash_printips,
+	.printips_sorted = ipportnethash_printips,
+	.saveheader = ipportnethash_saveheader,
+	.saveips = ipportnethash_saveips,
+	
+	.usage = ipportnethash_usage,
+};
+
+CONSTRUCTOR(ipportnethash)
+{
+	settype_register(&settype_ipportnethash);
+
+}

extensions/ipset/ipset_iptree.c

@@ -15,36 +15,33 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  */
 
-#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
+#include <limits.h>			/* UINT_MAX */
+#include <stdio.h>			/* *printf */
+#include <string.h>			/* mem* */
+
+#include "ipset.h"
 
 #include "ip_set_iptree.h"
-#include "ipset.h"
 
 #define BUFLEN 30;
 
 #define OPT_CREATE_TIMEOUT    0x01U
 
 /* Initialize the create. */
-static void create_init(void *data)
+static void
+iptree_create_init(void *data)
 {
-	struct ip_set_req_iptree_create *mydata =
-	    (struct ip_set_req_iptree_create *) data;
+	struct ip_set_req_iptree_create *mydata = data;
 
 	DP("create INIT");
 	mydata->timeout = 0;
 }
 
 /* Function which parses command options; returns true if it ate an option */
-static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
+static int
+iptree_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
-	struct ip_set_req_iptree_create *mydata =
-	    (struct ip_set_req_iptree_create *) data;
+	struct ip_set_req_iptree_create *mydata = data;
 
 	DP("create_parse");
 
@@ -65,27 +62,32 @@ static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
 }
 
 /* Final check; exit if not ok. */
-static void create_final(void *data, unsigned int flags)
+static void
+iptree_create_final(void *data UNUSED, unsigned int flags UNUSED)
 {
 }
 
 /* Create commandline options */
 static const struct option create_opts[] = {
-	{"timeout", 1, 0, '1'},
+	{.name = "timeout",	.has_arg = required_argument,	.val = '1'},
 	{NULL},
 };
 
 /* Add, del, test parser */
-static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
+static ip_set_ip_t
+iptree_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
-	struct ip_set_req_iptree *mydata =
-	    (struct ip_set_req_iptree *) data;
+	struct ip_set_req_iptree *mydata = data;
 	char *saved = ipset_strdup(arg);
 	char *ptr, *tmp = saved;
 
 	DP("iptree: %p %p", arg, data);
 
-	ptr = strsep(&tmp, ":%");
+	if (((ptr = strchr(tmp, ':')) || (ptr = strchr(tmp, '%'))) && ++warn_once == 1)
+		fprintf(stderr, "Warning: please use ',' separator token between ip,timeout.\n"
+			        "Next release won't support old separator tokens.\n");
+
+	ptr = strsep(&tmp, ":%,");
 	parse_ip(ptr, &mydata->ip);
 
 	if (tmp)
@@ -93,7 +95,7 @@ static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
 	else
 		mydata->timeout = 0;	
 
-	free(saved);
+	ipset_free(saved);
 	return 1;	
 }
 
@@ -101,49 +103,48 @@ static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
  * Print and save
  */
 
-static void initheader(struct set *set, const void *data)
+static void
+iptree_initheader(struct set *set, const void *data)
 {
-	struct ip_set_req_iptree_create *header =
-	    (struct ip_set_req_iptree_create *) data;
-	struct ip_set_iptree *map =
-		(struct ip_set_iptree *) set->settype->header;
+	const struct ip_set_req_iptree_create *header = data;
+	struct ip_set_iptree *map = set->settype->header;
 		
 	map->timeout = header->timeout;
 }
 
-static void printheader(struct set *set, unsigned int options)
+static void
+iptree_printheader(struct set *set, unsigned options UNUSED)
 {
-	struct ip_set_iptree *mysetdata =
-	    (struct ip_set_iptree *) set->settype->header;
+	struct ip_set_iptree *mysetdata = set->settype->header;
 
 	if (mysetdata->timeout)
 		printf(" timeout: %u", mysetdata->timeout);
 	printf("\n");
 }
 
-static void printips_sorted(struct set *set, void *data, size_t len,
-    unsigned int options)
+static void
+iptree_printips_sorted(struct set *set, void *data, u_int32_t len,
+		       unsigned options, char dont_align)
 {
-	struct ip_set_iptree *mysetdata =
-	    (struct ip_set_iptree *) set->settype->header;
+	struct ip_set_iptree *mysetdata = set->settype->header;
 	struct ip_set_req_iptree *req;
 	size_t offset = 0;
 
 	while (len >= offset + sizeof(struct ip_set_req_iptree)) {
 		req = (struct ip_set_req_iptree *)(data + offset);
 		if (mysetdata->timeout)
-			printf("%s:%u\n", ip_tostring(req->ip, options),
+			printf("%s,%u\n", ip_tostring(req->ip, options),
 					  req->timeout);
 		else
 			printf("%s\n", ip_tostring(req->ip, options));
-		offset += sizeof(struct ip_set_req_iptree);
+		offset += IPSET_VALIGN(sizeof(struct ip_set_req_iptree), dont_align);
 	}
 }
 
-static void saveheader(struct set *set, unsigned int options)
+static void
+iptree_saveheader(struct set *set, unsigned options UNUSED)
 {
-	struct ip_set_iptree *mysetdata =
-	    (struct ip_set_iptree *) set->settype->header;
+	struct ip_set_iptree *mysetdata = set->settype->header;
 
 	if (mysetdata->timeout)
 		printf("-N %s %s --timeout %u\n",
@@ -154,11 +155,11 @@ static void saveheader(struct set *set, unsigned int options)
 		       set->name, set->settype->typename);
 }
 
-static void saveips(struct set *set, void *data, size_t len,
-    unsigned int options)
+static void
+iptree_saveips(struct set *set, void *data, u_int32_t len,
+	       unsigned options, char dont_align)
 {
-	struct ip_set_iptree *mysetdata =
-	    (struct ip_set_iptree *) set->settype->header;
+	struct ip_set_iptree *mysetdata = set->settype->header;
 	struct ip_set_req_iptree *req;
 	size_t offset = 0;
 
@@ -167,7 +168,7 @@ static void saveips(struct set *set, void *data, size_t len,
 	while (len >= offset + sizeof(struct ip_set_req_iptree)) {
 		req = (struct ip_set_req_iptree *)(data + offset);
 		if (mysetdata->timeout)
-			printf("-A %s %s:%u\n",
+			printf("-A %s %s,%u\n",
 				set->name, 
 				ip_tostring(req->ip, options),
 				req->timeout);
@@ -175,15 +176,16 @@ static void saveips(struct set *set, void *data, size_t len,
 			printf("-A %s %s\n", 
 				set->name,
 				ip_tostring(req->ip, options));
-		offset += sizeof(struct ip_set_req_iptree);
+		offset += IPSET_VALIGN(sizeof(struct ip_set_req_iptree), dont_align);
 	}
 }
 
-static void usage(void)
+static void
+iptree_usage(void)
 {
 	printf
 	    ("-N set iptree [--timeout value]\n"
-	     "-A set IP[:timeout]\n"
+	     "-A set IP[,timeout]\n"
 	     "-D set IP\n"
 	     "-T set IP\n");
 }
@@ -194,32 +196,28 @@ static struct settype settype_iptree = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_iptree_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = iptree_create_init,
+	.create_parse = iptree_create_parse,
+	.create_final = iptree_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_iptree),
-	.adt_parser = &adt_parser,
+	.adt_parser = iptree_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_iptree),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = iptree_initheader,
+	.printheader = iptree_printheader,
+	.printips = iptree_printips_sorted,	/* We only have sorted version */
+	.printips_sorted = iptree_printips_sorted,
+	.saveheader = iptree_saveheader,
+	.saveips = iptree_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse	= &parse_ip,
-
-	.usage = &usage,
+	.usage = iptree_usage,
 };
 
-static __attribute__((constructor)) void iptree_init(void)
+CONSTRUCTOR(iptree)
 {
 	settype_register(&settype_iptree);
 

extensions/ipset/ipset_iptreemap.c

@@ -15,21 +15,18 @@
  * Place, Suite 330, Boston, MA 02111-1307 USA
  */
 
-#include <limits.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include "ip_set_iptreemap.h"
+#include <limits.h>			/* UINT_MAX */
+#include <stdio.h>			/* *printf */
+#include <string.h>			/* mem* */
 
 #include "ipset.h"
 
+#include "ip_set_iptreemap.h"
+
 #define OPT_CREATE_GC 0x1
 
 static void
-create_init(void *data)
+iptreemap_create_init(void *data)
 {
 	struct ip_set_req_iptreemap_create *mydata = data;
 
@@ -37,7 +34,8 @@ create_init(void *data)
 }
 
 static int
-create_parse(int c, char *argv[], void *data, unsigned int *flags)
+iptreemap_create_parse(int c, char *argv[] UNUSED, void *data,
+		       unsigned int *flags)
 {
 	struct ip_set_req_iptreemap_create *mydata = data;
 
@@ -56,17 +54,17 @@ create_parse(int c, char *argv[], void *data, unsigned int *flags)
 }
 
 static void
-create_final(void *data, unsigned int flags)
+iptreemap_create_final(void *data UNUSED, unsigned int flags UNUSED)
 {
 }
 
 static const struct option create_opts[] = {
-	{"gc", 1, 0, 'g'},
+	{.name = "gc",	.has_arg = required_argument,	.val = 'g'},
 	{NULL},
 };
 
 static ip_set_ip_t
-adt_parser(unsigned int cmd, const char *arg, void *data)
+iptreemap_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
 	struct ip_set_req_iptreemap *mydata = data;
 	ip_set_ip_t mask;
@@ -75,24 +73,29 @@ adt_parser(unsigned int cmd, const char *arg, void *data)
 	char *ptr, *tmp = saved;
 
 	if (strchr(tmp, '/')) {
-		parse_ipandmask(tmp, &mydata->start, &mask);
-		mydata->end = mydata->start | ~mask;
+		parse_ipandmask(tmp, &mydata->ip, &mask);
+		mydata->end = mydata->ip | ~mask;
 	} else {
-		ptr = strsep(&tmp, ":");
-		parse_ip(ptr, &mydata->start);
+		if ((ptr = strchr(tmp, ':')) != NULL && ++warn_once == 1)
+			fprintf(stderr, "Warning: please use '-' separator token between IP range.\n"
+			        "Next release won't support old separator token.\n");
+		ptr = strsep(&tmp, "-:");
+		parse_ip(ptr, &mydata->ip);
 
 		if (tmp) {
 			parse_ip(tmp, &mydata->end);
 		} else {
-			mydata->end = mydata->start;
+			mydata->end = mydata->ip;
 		}
 	}
 
+	ipset_free(saved);
+
 	return 1;
 }
 
 static void
-initheader(struct set *set, const void *data)
+iptreemap_initheader(struct set *set, const void *data)
 {
 	const struct ip_set_req_iptreemap_create *header = data;
 	struct ip_set_iptreemap *map = set->settype->header;
@@ -101,7 +104,7 @@ initheader(struct set *set, const void *data)
 }
 
 static void
-printheader(struct set *set, unsigned int options)
+iptreemap_printheader(struct set *set, unsigned int options UNUSED)
 {
 	struct ip_set_iptreemap *mysetdata = set->settype->header;
 
@@ -112,7 +115,8 @@ printheader(struct set *set, unsigned int options)
 }
 
 static void
-printips_sorted(struct set *set, void *data, size_t len, unsigned int options)
+iptreemap_printips_sorted(struct set *set UNUSED, void *data,
+			  u_int32_t len, unsigned int options, char dont_align)
 {
 	struct ip_set_req_iptreemap *req;
 	size_t offset = 0;
@@ -120,17 +124,17 @@ printips_sorted(struct set *set, void *data, size_t len, unsigned int options)
 	while (len >= offset + sizeof(struct ip_set_req_iptreemap)) {
 		req = data + offset;
 
-		printf("%s", ip_tostring(req->start, options));
-		if (req->start != req->end)
-			printf(":%s", ip_tostring(req->end, options));
+		printf("%s", ip_tostring(req->ip, options));
+		if (req->ip != req->end)
+			printf("-%s", ip_tostring(req->end, options));
 		printf("\n");
 
-		offset += sizeof(struct ip_set_req_iptreemap);
+		offset += IPSET_VALIGN(sizeof(struct ip_set_req_iptreemap), dont_align);
 	}
 }
 
 static void
-saveheader(struct set *set, unsigned int options)
+iptreemap_saveheader(struct set *set, unsigned int options UNUSED)
 {
 	struct ip_set_iptreemap *mysetdata = set->settype->header;
 
@@ -143,7 +147,8 @@ saveheader(struct set *set, unsigned int options)
 }
 
 static void
-saveips(struct set *set, void *data, size_t len, unsigned int options)
+iptreemap_saveips(struct set *set UNUSED, void *data,
+		  u_int32_t len, unsigned int options, char dont_align)
 {
 	struct ip_set_req_iptreemap *req;
 	size_t offset = 0;
@@ -151,19 +156,19 @@ saveips(struct set *set, void *data, size_t len, unsigned int options)
 	while (len >= offset + sizeof(struct ip_set_req_iptreemap)) {
 		req = data + offset;
 
-		printf("-A %s %s", set->name, ip_tostring(req->start, options));
+		printf("-A %s %s", set->name, ip_tostring(req->ip, options));
 
-		if (req->start != req->end)
-			printf(":%s", ip_tostring(req->end, options));
+		if (req->ip != req->end)
+			printf("-%s", ip_tostring(req->end, options));
 
 		printf("\n");
 
-		offset += sizeof(struct ip_set_req_iptreemap);
+		offset += IPSET_VALIGN(sizeof(struct ip_set_req_iptreemap), dont_align);
 	}
 }
 
 static void
-usage(void)
+iptreemap_usage(void)
 {
 	printf(
 		"-N set iptreemap --gc interval\n"
@@ -178,29 +183,26 @@ static struct settype settype_iptreemap = {
 	.protocol_version = IP_SET_PROTOCOL_VERSION,
 
 	.create_size = sizeof(struct ip_set_req_iptreemap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = iptreemap_create_init,
+	.create_parse = iptreemap_create_parse,
+	.create_final = iptreemap_create_final,
 	.create_opts = create_opts,
 
 	.adt_size = sizeof(struct ip_set_req_iptreemap),
-	.adt_parser = &adt_parser,
+	.adt_parser = iptreemap_adt_parser,
 
 	.header_size = sizeof(struct ip_set_iptreemap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = iptreemap_initheader,
+	.printheader = iptreemap_printheader,
+	.printips = iptreemap_printips_sorted,
+	.printips_sorted = iptreemap_printips_sorted,
+	.saveheader = iptreemap_saveheader,
+	.saveips = iptreemap_saveips,
 
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse = &parse_ip,
-
-	.usage = &usage,
+	.usage = iptreemap_usage,
 };
 
-static __attribute__((constructor)) void iptreemap_init(void)
+CONSTRUCTOR(iptreemap)
 {
 	settype_register(&settype_iptreemap);
 }

extensions/ipset/ipset_macipmap.c

@@ -18,16 +18,14 @@
  */
 
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <linux/if_ether.h>
+#include <stdio.h>			/* *printf */
+#include <stdlib.h>			/* mem* */
+#include <string.h>			/* str* */
+#include <net/ethernet.h>		/* ETH_ALEN */
+
+#include "ipset.h"
 
 #include "ip_set_macipmap.h"
-#include "ipset.h"
 
 #define BUFLEN 30;
 
@@ -40,17 +38,18 @@
 #define OPT_ADDDEL_MAC     0x02U
 
 /* Initialize the create. */
-static void create_init(void *data)
+static void
+macipmap_create_init(void *data UNUSED)
 {
 	DP("create INIT");
 	/* Nothing */
 }
 
 /* Function which parses command options; returns true if it ate an option */
-static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
+static int
+macipmap_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
-	struct ip_set_req_macipmap_create *mydata =
-	    (struct ip_set_req_macipmap_create *) data;
+	struct ip_set_req_macipmap_create *mydata = data;
 
 	DP("create_parse");
 
@@ -107,10 +106,10 @@ static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
 }
 
 /* Final check; exit if not ok. */
-static void create_final(void *data, unsigned int flags)
+static void
+macipmap_create_final(void *data, unsigned int flags)
 {
-	struct ip_set_req_macipmap_create *mydata =
-	    (struct ip_set_req_macipmap_create *) data;
+	struct ip_set_req_macipmap_create *mydata = data;
 
 	if (flags == 0)
 		exit_error(PARAMETER_PROBLEM,
@@ -146,14 +145,15 @@ static void create_final(void *data, unsigned int flags)
 
 /* Create commandline options */
 static const struct option create_opts[] = {
-	{"from", 1, 0, '1'},
-	{"to", 1, 0, '2'},
-	{"network", 1, 0, '3'},
-	{"matchunset", 0, 0, '4'},
+	{.name = "from",	.has_arg = required_argument,	.val = '1'},
+	{.name = "to",		.has_arg = required_argument,	.val = '2'},
+	{.name = "network",	.has_arg = required_argument,	.val = '3'},
+	{.name = "matchunset",	.has_arg = no_argument,		.val = '4'},
 	{NULL},
 };
 
-static void parse_mac(const char *mac, unsigned char *ethernet)
+static void
+parse_mac(const char *mac, unsigned char *ethernet)
 {
 	unsigned int i = 0;
 
@@ -175,16 +175,23 @@ static void parse_mac(const char *mac, unsigned char *ethernet)
 }
 
 /* Add, del, test parser */
-static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
+static ip_set_ip_t
+macipmap_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
-	struct ip_set_req_macipmap *mydata =
-	    (struct ip_set_req_macipmap *) data;
+	struct ip_set_req_macipmap *mydata = data;
 	char *saved = ipset_strdup(arg);
 	char *ptr, *tmp = saved;
 
 	DP("macipmap: %p %p", arg, data);
 
-	ptr = strsep(&tmp, ":%");
+	ptr = strsep(&tmp, ",");
+	if (!tmp) {
+		tmp = saved;
+		ptr = strsep(&tmp, ":%");	
+		if (tmp && ++warn_once == 1)
+			fprintf(stderr, "Warning: please use ',' separator token between ip,mac.\n"
+				        "Next release won't support old separator tokens.\n");
+	}
 	parse_ip(ptr, &mydata->ip);
 
 	if (tmp)
@@ -193,6 +200,7 @@ static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
 		memset(mydata->ethernet, 0, ETH_ALEN);	
 
 	free(saved);
+
 	return 1;	
 }
 
@@ -200,12 +208,11 @@ static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
  * Print and save
  */
 
-static void initheader(struct set *set, const void *data)
+static void
+macipmap_initheader(struct set *set, const void *data)
 {
-	struct ip_set_req_macipmap_create *header =
-	    (struct ip_set_req_macipmap_create *) data;
-	struct ip_set_macipmap *map =
-		(struct ip_set_macipmap *) set->settype->header;
+	const struct ip_set_req_macipmap_create *header = data;
+	struct ip_set_macipmap *map = set->settype->header;
 
 	memset(map, 0, sizeof(struct ip_set_macipmap));
 	map->first_ip = header->from;
@@ -213,10 +220,10 @@ static void initheader(struct set *set, const void *data)
 	map->flags = header->flags;
 }
 
-static void printheader(struct set *set, unsigned int options)
+static void
+macipmap_printheader(struct set *set, unsigned options)
 {
-	struct ip_set_macipmap *mysetdata =
-	    (struct ip_set_macipmap *) set->settype->header;
+	struct ip_set_macipmap *mysetdata = set->settype->header;
 
 	printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
 	printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
@@ -226,7 +233,8 @@ static void printheader(struct set *set, unsigned int options)
 	printf("\n");
 }
 
-static void print_mac(unsigned char macaddress[ETH_ALEN])
+static void
+print_mac(unsigned char macaddress[ETH_ALEN])
 {
 	unsigned int i;
 
@@ -235,19 +243,17 @@ static void print_mac(unsigned char macaddress[ETH_ALEN])
 		printf(":%02X", macaddress[i]);
 }
 
-static void printips_sorted(struct set *set, void *data, size_t len,
-    unsigned int options)
+static inline void
+__macipmap_printips_sorted(struct set *set, void *data,
+			   u_int32_t len UNUSED, unsigned options)
 {
-	struct ip_set_macipmap *mysetdata =
-	    (struct ip_set_macipmap *) set->settype->header;
-	struct ip_set_macip *table =
-	    (struct ip_set_macip *) data;
+	struct ip_set_macipmap *mysetdata = set->settype->header;
+	struct ip_set_macip *table = data;
 	u_int32_t addr = mysetdata->first_ip;
 
 	while (addr <= mysetdata->last_ip) {
-		if (test_bit(IPSET_MACIP_ISSET,
-			     (void *)&table[addr - mysetdata->first_ip].flags)) {
-			printf("%s:", ip_tostring(addr, options));
+		if (table[addr - mysetdata->first_ip].match) {
+			printf("%s,", ip_tostring(addr, options));
 			print_mac(table[addr - mysetdata->first_ip].
 				  ethernet);
 			printf("\n");
@@ -256,10 +262,30 @@ static void printips_sorted(struct set *set, void *data, size_t len,
 	}
 }
 
-static void saveheader(struct set *set, unsigned int options)
+static void
+macipmap_printips_sorted(struct set *set, void *data,
+			 u_int32_t len, unsigned options,
+			 char dont_align)
 {
-	struct ip_set_macipmap *mysetdata =
-	    (struct ip_set_macipmap *) set->settype->header;
+	struct ip_set_req_macipmap *d;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __macipmap_printips_sorted(set, data, len, options);
+	
+	while (offset < len) {
+		d = data + offset;
+		printf("%s,", ip_tostring(d->ip, options));
+		print_mac(d->ethernet);
+		printf("\n");
+		offset += IPSET_ALIGN(sizeof(struct ip_set_req_macipmap));
+	}
+}
+
+static void
+macipmap_saveheader(struct set *set, unsigned options)
+{
+	struct ip_set_macipmap *mysetdata = set->settype->header;
 
 	printf("-N %s %s --from %s",
 	       set->name, set->settype->typename,
@@ -271,19 +297,17 @@ static void saveheader(struct set *set, unsigned int options)
 	printf("\n");
 }
 
-static void saveips(struct set *set, void *data, size_t len,
-    unsigned int options)
+static inline void
+__macipmap_saveips(struct set *set, void *data,
+		   u_int32_t len UNUSED, unsigned options)
 {
-	struct ip_set_macipmap *mysetdata =
-	    (struct ip_set_macipmap *) set->settype->header;
-	struct ip_set_macip *table =
-	    (struct ip_set_macip *) data;
+	struct ip_set_macipmap *mysetdata = set->settype->header;
+	struct ip_set_macip *table = data;
 	u_int32_t addr = mysetdata->first_ip;
 
 	while (addr <= mysetdata->last_ip) {
-		if (test_bit(IPSET_MACIP_ISSET,
-			     (void *)&table[addr - mysetdata->first_ip].flags)) {
-			printf("-A %s %s:",
+		if (table[addr - mysetdata->first_ip].match) {
+			printf("-A %s %s,",
 			       set->name, ip_tostring(addr, options));
 			print_mac(table[addr - mysetdata->first_ip].
 				  ethernet);
@@ -293,14 +317,35 @@ static void saveips(struct set *set, void *data, size_t len,
 	}
 }
 
-static void usage(void)
+static void
+macipmap_saveips(struct set *set, void *data,
+		 u_int32_t len, unsigned options,
+		 char dont_align)
+{
+	struct ip_set_req_macipmap *d;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __macipmap_saveips(set, data, len, options);
+	
+	while (offset < len) {
+		d = data + offset;
+		printf("-A %s %s,", set->name, ip_tostring(d->ip, options));
+		print_mac(d->ethernet);
+		printf("\n");
+		offset += IPSET_ALIGN(sizeof(struct ip_set_req_macipmap));
+	}
+}
+
+static void
+macipmap_usage(void)
 {
 	printf
 	    ("-N set macipmap --from IP --to IP [--matchunset]\n"
 	     "-N set macipmap --network IP/mask [--matchunset]\n"
-	     "-A set IP:MAC\n"
-	     "-D set IP[:MAC]\n"
-	     "-T set IP[:MAC]\n");
+	     "-A set IP[,MAC]\n"
+	     "-D set IP[,MAC]\n"
+	     "-T set IP[,MAC]\n");
 }
 
 static struct settype settype_macipmap = {
@@ -309,32 +354,28 @@ static struct settype settype_macipmap = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_macipmap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = macipmap_create_init,
+	.create_parse = macipmap_create_parse,
+	.create_final = macipmap_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_macipmap),
-	.adt_parser = &adt_parser,
+	.adt_parser = macipmap_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_macipmap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips_sorted,	/* We only have sorted version */
-	.printips_sorted = &printips_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = macipmap_initheader,
+	.printheader = macipmap_printheader,
+	.printips = macipmap_printips_sorted,
+	.printips_sorted = macipmap_printips_sorted,
+	.saveheader = macipmap_saveheader,
+	.saveips = macipmap_saveips,
 
-	/* Bindings */
-	.bindip_tostring = &binding_ip_tostring,
-	.bindip_parse = &parse_ip,
-
-	.usage = &usage,
+	.usage = macipmap_usage,
 };
 
-static __attribute__((constructor)) void macipmap_init(void)
+CONSTRUCTOR(macipmap)
 {
 	settype_register(&settype_macipmap);
 

extensions/ipset/ipset_nethash.c

@@ -15,24 +15,14 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  */
 
-#include <errno.h>
-#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <time.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <asm/types.h>
-
-#include "ip_set_nethash.h"
-#include "ip_set_jhash.h"
+#include <limits.h>			/* UINT_MAX */
+#include <stdio.h>			/* *printf */
+#include <string.h>			/* mem*, str* */
 
 #include "ipset.h"
 
+#include "ip_set_nethash.h"
+
 #define BUFLEN 30;
 
 #define OPT_CREATE_HASHSIZE	0x01U
@@ -40,10 +30,10 @@
 #define OPT_CREATE_RESIZE	0x04U
 
 /* Initialize the create. */
-static void create_init(void *data)
+static void
+nethash_create_init(void *data)
 {
-	struct ip_set_req_nethash_create *mydata =
-	    (struct ip_set_req_nethash_create *) data;
+	struct ip_set_req_nethash_create *mydata = data;
 
 	DP("create INIT");
 
@@ -54,10 +44,10 @@ static void create_init(void *data)
 }
 
 /* Function which parses command options; returns true if it ate an option */
-static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
+static int
+nethash_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
-	struct ip_set_req_nethash_create *mydata =
-	    (struct ip_set_req_nethash_create *) data;
+	struct ip_set_req_nethash_create *mydata = data;
 	ip_set_ip_t value;
 
 	DP("create_parse");
@@ -106,30 +96,24 @@ static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
 }
 
 /* Final check; exit if not ok. */
-static void create_final(void *data, unsigned int flags)
+static void
+nethash_create_final(void *data UNUSED, unsigned int flags UNUSED)
 {
-#ifdef IPSET_DEBUG
-	struct ip_set_req_nethash_create *mydata =
-	    (struct ip_set_req_nethash_create *) data;
-
-	DP("hashsize %u probes %u resize %u",
-	   mydata->hashsize, mydata->probes, mydata->resize);
-#endif
 }
 
 /* Create commandline options */
 static const struct option create_opts[] = {
-	{"hashsize", 1, 0, '1'},
-	{"probes", 1, 0, '2'},
-	{"resize", 1, 0, '3'},
+	{.name = "hashsize",	.has_arg = required_argument,	.val = '1'},
+	{.name = "probes",	.has_arg = required_argument,	.val = '2'},
+	{.name = "resize",	.has_arg = required_argument,	.val = '3'},
 	{NULL},
 };
 
 /* Add, del, test parser */
-static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
+static ip_set_ip_t
+nethash_adt_parser(int cmd, const char *arg, void *data)
 {
-	struct ip_set_req_nethash *mydata =
-	    (struct ip_set_req_nethash *) data;
+	struct ip_set_req_nethash *mydata = data;
 	char *saved = ipset_strdup(arg);
 	char *ptr, *tmp = saved;
 	ip_set_ip_t cidr;
@@ -149,24 +133,25 @@ static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
 	
 	mydata->cidr = cidr;
 	parse_ip(ptr, &mydata->ip);
+#if 0
 	if (!mydata->ip)
 		exit_error(PARAMETER_PROBLEM,
 			  "Zero valued IP address `%s' specified", ptr);
-	free(saved);
+#endif
+	ipset_free(saved);
 
-	return mydata->ip;	
+	return 1;	
 };
 
 /*
  * Print and save
  */
 
-static void initheader(struct set *set, const void *data)
+static void
+nethash_initheader(struct set *set, const void *data)
 {
-	struct ip_set_req_nethash_create *header =
-	    (struct ip_set_req_nethash_create *) data;
-	struct ip_set_nethash *map =
-		(struct ip_set_nethash *) set->settype->header;
+	const struct ip_set_req_nethash_create *header = data;
+	struct ip_set_nethash *map = set->settype->header;
 
 	memset(map, 0, sizeof(struct ip_set_nethash));
 	map->hashsize = header->hashsize;
@@ -174,10 +159,10 @@ static void initheader(struct set *set, const void *data)
 	map->resize = header->resize;
 }
 
-static void printheader(struct set *set, unsigned int options)
+static void
+nethash_printheader(struct set *set, unsigned options UNUSED)
 {
-	struct ip_set_nethash *mysetdata =
-	    (struct ip_set_nethash *) set->settype->header;
+	struct ip_set_nethash *mysetdata = set->settype->header;
 
 	printf(" hashsize: %u", mysetdata->hashsize);
 	printf(" probes: %u", mysetdata->probes);
@@ -186,7 +171,8 @@ static void printheader(struct set *set, unsigned int options)
 
 static char buf[20];
 
-static char * unpack_ip_tostring(ip_set_ip_t ip, unsigned options)
+static char *
+unpack_ip_tostring(ip_set_ip_t ip, unsigned options UNUSED)
 {
 	int i, j = 3;
 	unsigned char a, b;
@@ -233,28 +219,28 @@ static char * unpack_ip_tostring(ip_set_ip_t ip, unsigned options)
 		((unsigned char *)&ip)[3],
 		b);
 
-	DP("%s %s", ip_tostring(ntohl(ip), options), buf);
+	DP("%s %s", ip_tostring(ntohl(ip), 0), buf);
 	return buf;
 }
 
-static void printips(struct set *set, void *data, size_t len,
-    unsigned int options)
+static void
+nethash_printips(struct set *set UNUSED, void *data, u_int32_t len,
+		 unsigned options, char dont_align)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("%s\n", unpack_ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
+		printf("%s\n", unpack_ip_tostring(*ip, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
-static void saveheader(struct set *set, unsigned int options)
+static void
+nethash_saveheader(struct set *set, unsigned options UNUSED)
 {
-	struct ip_set_nethash *mysetdata =
-	    (struct ip_set_nethash *) set->settype->header;
+	struct ip_set_nethash *mysetdata = set->settype->header;
 
 	printf("-N %s %s --hashsize %u --probes %u --resize %u\n",
 	       set->name, set->settype->typename,
@@ -262,49 +248,23 @@ static void saveheader(struct set *set, unsigned int options)
 }
 
 /* Print save for an IP */
-static void saveips(struct set *set, void *data, size_t len,
-    unsigned int options)
+static void
+nethash_saveips(struct set *set UNUSED, void *data, u_int32_t len,
+		unsigned options, char dont_align)
 {
 	size_t offset = 0;
 	ip_set_ip_t *ip;
 
 	while (offset < len) {
 		ip = data + offset;
-		if (*ip)
-			printf("-A %s %s\n", set->name, 
-			       unpack_ip_tostring(*ip, options));
-		offset += sizeof(ip_set_ip_t);
+		printf("-A %s %s\n", set->name,
+		       unpack_ip_tostring(*ip, options));
+		offset += IPSET_VALIGN(sizeof(ip_set_ip_t), dont_align);
 	}
 }
 
-static char * net_tostring(struct set *set, ip_set_ip_t ip, unsigned options)
-{
-	return unpack_ip_tostring(ip, options);
-}
-
-static void parse_net(const char *str, ip_set_ip_t *ip)
-{
-	char *saved = strdup(str);
-	char *ptr, *tmp = saved;
-	ip_set_ip_t cidr;
-
-	ptr = strsep(&tmp, "/");
-	
-	if (tmp == NULL)
-		exit_error(PARAMETER_PROBLEM,
-			   "Missing cidr from `%s'", str);
-
-	if (string_to_number(tmp, 1, 31, &cidr))
-		exit_error(PARAMETER_PROBLEM,
-			   "Out of range cidr `%s' specified", str);
-	
-	parse_ip(ptr, ip);
-	free(saved);
-	
-	*ip = pack(*ip, cidr);
-}
-
-static void usage(void)
+static void
+nethash_usage(void)
 {
 	printf
 	    ("-N set nethash [--hashsize hashsize] [--probes probes ]\n"
@@ -320,32 +280,28 @@ static struct settype settype_nethash = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_nethash_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = nethash_create_init,
+	.create_parse = nethash_create_parse,
+	.create_final = nethash_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_nethash),
-	.adt_parser = &adt_parser,
+	.adt_parser = nethash_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_nethash),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printips,		/* We only have the unsorted version */
-	.printips_sorted = &printips,
-	.saveheader = &saveheader,
-	.saveips = &saveips,
+	.initheader = nethash_initheader,
+	.printheader = nethash_printheader,
+	.printips = nethash_printips,
+	.printips_sorted = nethash_printips,
+	.saveheader = nethash_saveheader,
+	.saveips = nethash_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &net_tostring,
-	.bindip_parse = &parse_net,
-
-	.usage = &usage,
+	.usage = nethash_usage,
 };
 
-static __attribute__((constructor)) void nethash_init(void)
+CONSTRUCTOR(nethash)
 {
 	settype_register(&settype_nethash);
 

extensions/ipset/ipset_portmap.c

@@ -16,15 +16,12 @@
  */
 
 
-#include <stdio.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
+#include <stdio.h>			/* *printf */
+#include <string.h>			/* mem* */
 
-#include "ip_set_portmap.h"
 #include "ipset.h"
 
+#include "ip_set_portmap.h"
 
 #define BUFLEN 30;
 
@@ -34,17 +31,18 @@
 #define OPT_ADDDEL_PORT      0x01U
 
 /* Initialize the create. */
-static void create_init(void *data)
+static void
+portmap_create_init(void *data UNUSED)
 {
 	DP("create INIT");
 	/* Nothing */
 }
 
 /* Function which parses command options; returns true if it ate an option */
-static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
+static int
+portmap_create_parse(int c, char *argv[] UNUSED, void *data, unsigned *flags)
 {
-	struct ip_set_req_portmap_create *mydata =
-	    (struct ip_set_req_portmap_create *) data;
+	struct ip_set_req_portmap_create *mydata = data;
 
 	DP("create_parse");
 
@@ -77,10 +75,10 @@ static int create_parse(int c, char *argv[], void *data, unsigned int *flags)
 }
 
 /* Final check; exit if not ok. */
-static void create_final(void *data, unsigned int flags)
+static void
+portmap_create_final(void *data, unsigned int flags)
 {
-	struct ip_set_req_portmap_create *mydata =
-	    (struct ip_set_req_portmap_create *) data;
+	struct ip_set_req_portmap_create *mydata = data;
 
 	if (flags == 0) {
 		exit_error(PARAMETER_PROBLEM,
@@ -108,19 +106,19 @@ static void create_final(void *data, unsigned int flags)
 
 /* Create commandline options */
 static const struct option create_opts[] = {
-	{"from", 1, 0, '1'},
-	{"to", 1, 0, '2'},
+	{.name = "from",	.has_arg = required_argument,	.val = '1'},
+	{.name = "to",		.has_arg = required_argument,	.val = '2'},
 	{NULL},
 };
 
 /* Add, del, test parser */
-static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
+static ip_set_ip_t
+portmap_adt_parser(int cmd UNUSED, const char *arg, void *data)
 {
-	struct ip_set_req_portmap *mydata =
-	    (struct ip_set_req_portmap *) data;
+	struct ip_set_req_portmap *mydata = data;
 
-	parse_port(arg, &mydata->port);
-	DP("%s", port_tostring(mydata->port, 0));
+	parse_port(arg, &mydata->ip);
+	DP("%s", port_tostring(mydata->ip, 0));
 
 	return 1;	
 }
@@ -129,70 +127,82 @@ static ip_set_ip_t adt_parser(unsigned int cmd, const char *arg, void *data)
  * Print and save
  */
 
-static void initheader(struct set *set, const void *data)
+static void
+portmap_initheader(struct set *set, const void *data)
 {
-	struct ip_set_req_portmap_create *header =
-	    (struct ip_set_req_portmap_create *) data;
-	struct ip_set_portmap *map =
-		(struct ip_set_portmap *) set->settype->header;
+	const struct ip_set_req_portmap_create *header = data;
+	struct ip_set_portmap *map = set->settype->header;
 
 	memset(map, 0, sizeof(struct ip_set_portmap));
-	map->first_port = header->from;
-	map->last_port = header->to;
+	map->first_ip = header->from;
+	map->last_ip = header->to;
 }
 
-static void printheader(struct set *set, unsigned int options)
+static void
+portmap_printheader(struct set *set, unsigned options)
 {
-	struct ip_set_portmap *mysetdata =
-	    (struct ip_set_portmap *) set->settype->header;
+	struct ip_set_portmap *mysetdata = set->settype->header;
 
-	printf(" from: %s", port_tostring(mysetdata->first_port, options));
-	printf(" to: %s\n", port_tostring(mysetdata->last_port, options));
+	printf(" from: %s", port_tostring(mysetdata->first_ip, options));
+	printf(" to: %s\n", port_tostring(mysetdata->last_ip, options));
 }
 
-static void printports_sorted(struct set *set, void *data, size_t len,
-    unsigned int options)
+static inline void
+__portmap_printips_sorted(struct set *set, void *data,
+			  u_int32_t len UNUSED, unsigned options)
 {
-	struct ip_set_portmap *mysetdata =
-	    (struct ip_set_portmap *) set->settype->header;
-	u_int32_t addr = mysetdata->first_port;
+	struct ip_set_portmap *mysetdata = set->settype->header;
+	ip_set_ip_t addr = mysetdata->first_ip;
 
-	DP("%u -- %u", mysetdata->first_port, mysetdata->last_port);
-	while (addr <= mysetdata->last_port) {
-		if (test_bit(addr - mysetdata->first_port, data))
+	DP("%u -- %u", mysetdata->first_ip, mysetdata->last_ip);
+	while (addr <= mysetdata->last_ip) {
+		if (test_bit(addr - mysetdata->first_ip, data))
 			printf("%s\n", port_tostring(addr, options));
 		addr++;
 	}
 }
 
-static char *binding_port_tostring(struct set *set, ip_set_ip_t ip,
-    unsigned int options)
+static void
+portmap_printips_sorted(struct set *set, void *data,
+			u_int32_t len, unsigned options,
+			char dont_align)
 {
-	return port_tostring(ip, options);
+	ip_set_ip_t *ip;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __portmap_printips_sorted(set, data, len, options);
+	
+	while (offset < len) {
+		ip = data + offset;
+		printf("%s\n", port_tostring(*ip, options));
+		offset += IPSET_ALIGN(sizeof(ip_set_ip_t));
+	}
 }
 
-static void saveheader(struct set *set, unsigned int options)
+static void
+portmap_saveheader(struct set *set, unsigned options)
 {
-	struct ip_set_portmap *mysetdata =
-	    (struct ip_set_portmap *) set->settype->header;
+	struct ip_set_portmap *mysetdata = set->settype->header;
 
 	printf("-N %s %s --from %s", 
 	       set->name,
 	       set->settype->typename,
-	       port_tostring(mysetdata->first_port, options));
+	       port_tostring(mysetdata->first_ip, options));
 	printf(" --to %s\n", 
-	       port_tostring(mysetdata->last_port, options));
+	       port_tostring(mysetdata->last_ip, options));
 }
 
-static void saveports(struct set *set, void *data, size_t len,
-    unsigned int options)
+static inline void
+__portmap_saveips(struct set *set, void *data,
+		  u_int32_t len UNUSED, unsigned options)
 {
-	struct ip_set_portmap *mysetdata =
-	    (struct ip_set_portmap *) set->settype->header;
-	u_int32_t addr = mysetdata->first_port;
+	struct ip_set_portmap *mysetdata = set->settype->header;
+	ip_set_ip_t addr = mysetdata->first_ip;
 
-	while (addr <= mysetdata->last_port) {
-		if (test_bit(addr - mysetdata->first_port, data))
+	while (addr <= mysetdata->last_ip) {
+		DP("addr: %lu, last_ip %lu", (long unsigned)addr, (long unsigned)mysetdata->last_ip);
+		if (test_bit(addr - mysetdata->first_ip, data))
 			printf("-A %s %s\n",
 			       set->name,
 			       port_tostring(addr, options));
@@ -200,7 +210,26 @@ static void saveports(struct set *set, void *data, size_t len,
 	}
 }
 
-static void usage(void)
+static void
+portmap_saveips(struct set *set, void *data,
+		u_int32_t len, unsigned options,
+		char dont_align)
+{
+	ip_set_ip_t *ip;
+	size_t offset = 0;
+	
+	if (dont_align)
+		return __portmap_saveips(set, data, len, options);
+	
+	while (offset < len) {
+		ip = data + offset;
+		printf("-A %s %s\n", set->name, port_tostring(*ip, options));
+		offset += IPSET_ALIGN(sizeof(ip_set_ip_t));
+	}
+}
+
+static void
+portmap_usage(void)
 {
 	printf
 	    ("-N set portmap --from PORT --to PORT\n"
@@ -215,32 +244,28 @@ static struct settype settype_portmap = {
 
 	/* Create */
 	.create_size = sizeof(struct ip_set_req_portmap_create),
-	.create_init = &create_init,
-	.create_parse = &create_parse,
-	.create_final = &create_final,
+	.create_init = portmap_create_init,
+	.create_parse = portmap_create_parse,
+	.create_final = portmap_create_final,
 	.create_opts = create_opts,
 
 	/* Add/del/test */
 	.adt_size = sizeof(struct ip_set_req_portmap),
-	.adt_parser = &adt_parser,
+	.adt_parser = portmap_adt_parser,
 
 	/* Printing */
 	.header_size = sizeof(struct ip_set_portmap),
-	.initheader = &initheader,
-	.printheader = &printheader,
-	.printips = &printports_sorted,	/* We only have sorted version */
-	.printips_sorted = &printports_sorted,
-	.saveheader = &saveheader,
-	.saveips = &saveports,
+	.initheader = portmap_initheader,
+	.printheader = portmap_printheader,
+	.printips = portmap_printips_sorted,
+	.printips_sorted = portmap_printips_sorted,
+	.saveheader = portmap_saveheader,
+	.saveips = portmap_saveips,
 	
-	/* Bindings */
-	.bindip_tostring = &binding_port_tostring,
-	.bindip_parse = &parse_port,
-
-	.usage = &usage,
+	.usage = portmap_usage,
 };
 
-static __attribute__((constructor)) void portmap_init(void)
+CONSTRUCTOR(portmap)
 {
 	settype_register(&settype_portmap);
 

extensions/ipset/ipset_setlist.c

@@ -0,0 +1,229 @@
+/* Copyright 2008 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify   
+ * it under the terms of the GNU General Public License as published by   
+ * the Free Software Foundation; either version 2 of the License, or      
+ * (at your option) any later version.                                    
+ *                                                                         
+ * This program is distributed in the hope that it will be useful,        
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of         
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          
+ * GNU General Public License for more details.                           
+ *                                                                         
+ * You should have received a copy of the GNU General Public License      
+ * along with this program; if not, write to the Free Software            
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "ip_set_setlist.h"
+#include "ipset.h"
+
+/* Initialize the create. */
+static void
+setlist_create_init(void *data)
+{
+	struct ip_set_req_setlist_create *mydata = data;
+	
+	mydata->size = 8;
+}
+
+/* Function which parses command options; returns true if it ate an option */
+static int
+setlist_create_parse(int c, char *argv[] UNUSED, void *data,
+		     unsigned *flags UNUSED)
+{
+	struct ip_set_req_setlist_create *mydata = data;
+	unsigned int size;
+	
+	switch (c) {
+	case '1':
+		if (string_to_number(optarg, 1, 255, &size))
+			exit_error(PARAMETER_PROBLEM,
+				   "Invalid size '%s specified: must be "
+				   "between 1-255", optarg);
+		mydata->size = size;
+		break;
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+/* Final check; exit if not ok. */
+static void
+setlist_create_final(void *data UNUSED, unsigned int flags UNUSED)
+{
+}
+
+/* Create commandline options */
+static const struct option create_opts[] = {
+	{.name = "size",	.has_arg = required_argument,	.val = '1'},
+	{NULL},
+};
+
+static void
+check_setname(const char *name)
+{
+	if (strlen(name) > IP_SET_MAXNAMELEN - 1)
+		exit_error(PARAMETER_PROBLEM,
+			"Setname %s is longer than %d characters.",
+			name, IP_SET_MAXNAMELEN - 1);
+}
+
+/* Add, del, test parser */
+static ip_set_ip_t
+setlist_adt_parser(int cmd UNUSED, const char *arg, void *data)
+{
+	struct ip_set_req_setlist *mydata = data;
+	char *saved = ipset_strdup(arg);
+	char *ptr, *tmp = saved;
+	
+	DP("setlist: %p %p", arg, data);
+
+	ptr = strsep(&tmp, ",");
+	check_setname(ptr);
+	strcpy(mydata->name, ptr);
+	
+	if (!tmp) {
+		mydata->before = 0;
+		mydata->ref[0] = '\0';
+		return 1;
+	}
+	
+	ptr = strsep(&tmp, ",");
+	
+	if (tmp == NULL || !(strcmp(ptr, "before") == 0 || strcmp(ptr, "after") == 0))
+		exit_error(PARAMETER_PROBLEM,
+			"Syntax error, you must specify elements as setname,[before|after],setname");
+
+	check_setname(tmp);
+	strcpy(mydata->ref, tmp);
+	mydata->before = !strcmp(ptr, "before");
+
+	free(saved);
+
+	return 1;	
+}
+
+/*
+ * Print and save
+ */
+
+static void
+setlist_initheader(struct set *set, const void *data)
+{
+	const struct ip_set_req_setlist_create *header = data;
+	struct ip_set_setlist *map = set->settype->header;
+		
+	memset(map, 0, sizeof(struct ip_set_setlist));
+	map->size = header->size;
+}
+
+static void
+setlist_printheader(struct set *set, unsigned options UNUSED)
+{
+	struct ip_set_setlist *mysetdata = set->settype->header;
+
+	printf(" size: %u\n", mysetdata->size);
+}
+
+static void
+setlist_printips_sorted(struct set *set, void *data,
+			u_int32_t len UNUSED, unsigned options UNUSED,
+			char dont_align)
+{
+	struct ip_set_setlist *mysetdata = set->settype->header;
+	int i, asize;
+	ip_set_id_t *id;
+	struct set *elem;
+
+	asize = IPSET_VALIGN(sizeof(ip_set_id_t), dont_align);
+	for (i = 0; i < mysetdata->size; i++ ) {
+		DP("Try %u", i);
+		id = (ip_set_id_t *)(data + i * asize);
+		DP("Try %u, check", i);
+		if (*id == IP_SET_INVALID_ID)
+			return;
+		elem = set_find_byid(*id);
+		printf("%s\n", elem->name);
+	}
+}
+
+static void
+setlist_saveheader(struct set *set, unsigned options UNUSED)
+{
+	struct ip_set_setlist *mysetdata = set->settype->header;
+
+	printf("-N %s %s --size %u\n",
+	       set->name, set->settype->typename,
+	       mysetdata->size);
+}
+
+static void
+setlist_saveips(struct set *set, void *data,
+		u_int32_t len UNUSED, unsigned options UNUSED, char dont_align)
+{
+	struct ip_set_setlist *mysetdata = set->settype->header;
+	int i, asize;
+	ip_set_id_t *id;
+	struct set *elem;
+
+	asize = IPSET_VALIGN(sizeof(ip_set_id_t), dont_align);
+	for (i = 0; i < mysetdata->size; i++ ) {
+		id = (ip_set_id_t *)(data + i * asize);
+		if (*id == IP_SET_INVALID_ID)
+			return;
+		elem = set_find_byid(*id);
+		printf("-A %s %s\n", set->name, elem->name);
+	}
+}
+
+static void
+setlist_usage(void)
+{
+	printf
+	    ("-N set setlist --size size\n"
+	     "-A set setname[,before|after,setname]\n"
+	     "-D set setname\n"
+	     "-T set setname\n");
+}
+
+static struct settype settype_setlist = {
+	.typename = SETTYPE_NAME,
+	.protocol_version = IP_SET_PROTOCOL_VERSION,
+
+	/* Create */
+	.create_size = sizeof(struct ip_set_req_setlist_create),
+	.create_init = setlist_create_init,
+	.create_parse = setlist_create_parse,
+	.create_final = setlist_create_final,
+	.create_opts = create_opts,
+
+	/* Add/del/test */
+	.adt_size = sizeof(struct ip_set_req_setlist),
+	.adt_parser = setlist_adt_parser,
+
+	/* Printing */
+	.header_size = sizeof(struct ip_set_setlist),
+	.initheader = setlist_initheader,
+	.printheader = setlist_printheader,
+	.printips = setlist_printips_sorted,
+	.printips_sorted = setlist_printips_sorted,
+	.saveheader = setlist_saveheader,
+	.saveips = setlist_saveips,
+	
+	.usage = setlist_usage,
+};
+
+CONSTRUCTOR(setlist)
+{
+	settype_register(&settype_setlist);
+
+}

extensions/ipset/ipt_SET.c

@@ -10,85 +10,51 @@
 
 /* ipt_SET.c - netfilter target to manipulate IP sets */
 
-#include <linux/types.h>
-#include <linux/ip.h>
-#include <linux/timer.h>
 #include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/netdevice.h>
-#include <linux/if.h>
-#include <linux/inetdevice.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
 #include <linux/version.h>
-#include <net/protocol.h>
-#include <net/checksum.h>
+
 #include <linux/netfilter_ipv4.h>
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
 #include <linux/netfilter_ipv4/ip_tables.h>
+#define xt_register_target	ipt_register_target
+#define xt_unregister_target	ipt_unregister_target
+#define xt_target		ipt_target
+#define XT_CONTINUE		IPT_CONTINUE
+#else
+#include <linux/netfilter/x_tables.h>
+#endif
 #include "ipt_set.h"
+#include "../compat_xtables.h"
 
 static unsigned int
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
-target(struct sk_buff *skb,
-#else
-target(struct sk_buff **pskb,
-#endif
-       const struct net_device *in,
-       const struct net_device *out,
-       unsigned int hooknum,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
-       const struct xt_target *target,
-#endif
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
-       const void *targinfo,
-       void *userinfo)
-#else
-       const void *targinfo)
-#endif
+target(struct sk_buff **pskb, const struct xt_action_param *par)
 {
-	const struct ipt_set_info_target *info = targinfo;
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
-	struct sk_buff *skb = *pskb;
-#endif
+	const struct ipt_set_info_target *info = par->targinfo;
 
-	
 	if (info->add_set.index != IP_SET_INVALID_ID)
 		ip_set_addip_kernel(info->add_set.index,
-				    skb,
+				    *pskb,
 				    info->add_set.flags);
 	if (info->del_set.index != IP_SET_INVALID_ID)
 		ip_set_delip_kernel(info->del_set.index,
-				    skb,
+				    *pskb,
 				    info->del_set.flags);
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
-static bool
-#else
 static int
-#endif
-checkentry(const char *tablename,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
-	   const void *e,
-#else
-	   const struct ipt_entry *e,
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
-	   const struct xt_target *target,
-#endif
-	   void *targinfo,
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
-	   unsigned int targinfosize,
-#endif
-	   unsigned int hook_mask)
+checkentry(const struct xt_tgchk_param *par)
 {
-	struct ipt_set_info_target *info = targinfo;
+	struct ipt_set_info_target *info = par->targinfo;
 	ip_set_id_t index;
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (targinfosize != IPT_ALIGN(sizeof(*info))) {
 		DP("bad target info size %u", targinfosize);
-		return 0;
+		return -EINVAL;
 	}
 #endif
 
@@ -97,7 +63,7 @@ checkentry(const char *tablename,
 		if (index == IP_SET_INVALID_ID) {
 			ip_set_printk("cannot find add_set index %u as target",
 				      info->add_set.index);
-			return 0;	/* error */
+			return -EINVAL;
 		}
 	}
 
@@ -106,73 +72,66 @@ checkentry(const char *tablename,
 		if (index == IP_SET_INVALID_ID) {
 			ip_set_printk("cannot find del_set index %u as target",
 				      info->del_set.index);
-			return 0;	/* error */
+			return -EINVAL;
 		}
 	}
 	if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
 	    || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
 		ip_set_printk("That's nasty!");
-		return 0;	/* error */
+		return -EINVAL;
 	}
 
-	return 1;
+	return 0;
 }
 
-static void destroy(
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
-		    const struct xt_target *target,
-#endif
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
-		    void *targetinfo, unsigned int targetsize)
-#else
-		    void *targetinfo)
-#endif
+static void destroy(const struct xt_tgdtor_param *par)
 {
-	struct ipt_set_info_target *info = targetinfo;
+	struct ipt_set_info_target *info = par->targinfo;
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (targetsize != IPT_ALIGN(sizeof(struct ipt_set_info_target))) {
 		ip_set_printk("invalid targetsize %d", targetsize);
 		return;
 	}
 #endif
 	if (info->add_set.index != IP_SET_INVALID_ID)
-		ip_set_put(info->add_set.index);
+		ip_set_put_byindex(info->add_set.index);
 	if (info->del_set.index != IP_SET_INVALID_ID)
-		ip_set_put(info->del_set.index);
+		ip_set_put_byindex(info->del_set.index);
 }
 
-static struct ipt_target SET_target = {
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
+static struct xt_target SET_target = {
 	.name 		= "SET",
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
-	.family		= AF_INET,
-#endif
 	.target 	= target,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
-	.targetsize	= sizeof(struct ipt_set_info_target),
-#endif
 	.checkentry 	= checkentry,
 	.destroy 	= destroy,
 	.me 		= THIS_MODULE
 };
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) */
+static struct xt_target SET_target = {
+	.name 		= "SET",
+	.family		= AF_INET,
+	.target 	= target,
+	.targetsize	= sizeof(struct ipt_set_info_target),
+	.checkentry 	= checkentry,
+	.destroy 	= destroy,
+	.me 		= THIS_MODULE
+};
+#endif
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("iptables IP set target module");
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
-#define ipt_register_target      xt_register_target
-#define ipt_unregister_target    xt_unregister_target
-#endif
-
 static int __init ipt_SET_init(void)
 {
-	return ipt_register_target(&SET_target);
+	return xt_register_target(&SET_target);
 }
 
 static void __exit ipt_SET_fini(void)
 {
-	ipt_unregister_target(&SET_target);
+	xt_unregister_target(&SET_target);
 }
 
 module_init(ipt_SET_init);

extensions/ipset/ipt_set.c

@@ -15,9 +15,17 @@
 #include <linux/skbuff.h>
 #include <linux/version.h>
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
 #include <linux/netfilter_ipv4/ip_tables.h>
+#define xt_register_match	ipt_register_match
+#define xt_unregister_match	ipt_unregister_match
+#define xt_match		ipt_match
+#else
+#include <linux/netfilter/x_tables.h>
+#endif
 #include "ip_set.h"
 #include "ipt_set.h"
+#include "../compat_xtables.h"
 
 static inline int
 match_set(const struct ipt_set_info *info,
@@ -29,60 +37,26 @@ match_set(const struct ipt_set_info *info,
 	return inv;
 }
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
 static bool
-#else
-static int
-#endif
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
-      const struct xt_match *match,
-#endif
-      const void *matchinfo,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
-      int offset, unsigned int protoff, bool *hotdrop)
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
-      int offset, unsigned int protoff, int *hotdrop)
-#else
-      int offset, int *hotdrop)
-#endif
+match(const struct sk_buff *skb, struct xt_action_param *par)
 {
-	const struct ipt_set_info_match *info = matchinfo;
+	const struct ipt_set_info_match *info = par->matchinfo;
 		
 	return match_set(&info->match_set,
 			 skb,
 			 info->match_set.flags[0] & IPSET_MATCH_INV);
 }
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
-static bool
-#else
 static int
-#endif
-checkentry(const char *tablename,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
-	   const void *inf,
-#else
-	   const struct ipt_ip *ip,
-#endif
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
-	   const struct xt_match *match,
-#endif
-	   void *matchinfo,
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
-	   unsigned int matchsize,
-#endif
-	   unsigned int hook_mask)
+checkentry(const struct xt_mtchk_param *par)
 {
-	struct ipt_set_info_match *info = matchinfo;
+	struct ipt_set_info_match *info = par->matchinfo;
 	ip_set_id_t index;
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
 		ip_set_printk("invalid matchsize %d", matchsize);
-		return 0;
+		return -EINVAL;
 	}
 #endif
 
@@ -91,68 +65,61 @@ checkentry(const char *tablename,
 	if (index == IP_SET_INVALID_ID) {
 		ip_set_printk("Cannot find set indentified by id %u to match",
 			      info->match_set.index);
-		return 0;	/* error */
+		return -ENOENT;
 	}
 	if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
 		ip_set_printk("That's nasty!");
-		return 0;	/* error */
+		return -EINVAL;
 	}
 
-	return 1;
+	return 0;
 }
 
-static void destroy(
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
-		    const struct xt_match *match,
-#endif
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
-		    void *matchinfo, unsigned int matchsize)
-#else
-		    void *matchinfo)
-#endif
+static void destroy(const struct xt_mtdtor_param *par)
 {
-	struct ipt_set_info_match *info = matchinfo;
+	struct ipt_set_info_match *info = par->matchinfo;
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
 	if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
 		ip_set_printk("invalid matchsize %d", matchsize);
 		return;
 	}
 #endif
-	ip_set_put(info->match_set.index);
+	ip_set_put_byindex(info->match_set.index);
 }
 
-static struct ipt_match set_match = {
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
+static struct xt_match set_match = {
 	.name		= "set",
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
-	.family		= AF_INET,
-#endif
 	.match		= &match,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
-	.matchsize	= sizeof(struct ipt_set_info_match),
-#endif
 	.checkentry	= &checkentry,
 	.destroy	= &destroy,
 	.me		= THIS_MODULE
 };
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) */
+static struct xt_match set_match = {
+	.name		= "set",
+	.family		= AF_INET,
+	.match		= &match,
+	.matchsize	= sizeof(struct ipt_set_info_match),
+	.checkentry	= &checkentry,
+	.destroy	= &destroy,
+	.me		= THIS_MODULE
+};
+#endif
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("iptables IP set match module");
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21)
-#define ipt_register_match	xt_register_match
-#define ipt_unregister_match	xt_unregister_match
-#endif
-
 static int __init ipt_ipset_init(void)
 {
-	return ipt_register_match(&set_match);
+	return xt_register_match(&set_match);
 }
 
 static void __exit ipt_ipset_fini(void)
 {
-	ipt_unregister_match(&set_match);
+	xt_unregister_match(&set_match);
 }
 
 module_init(ipt_ipset_init);

extensions/iptable_rawpost.c

@@ -0,0 +1,109 @@
+/*
+ *	rawpost table for ip_tables
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	placed in the Public Domain
+ */
+#include <linux/module.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/version.h>
+#include <net/ip.h>
+#include "compat_xtables.h"
+#include "compat_rawpost.h"
+
+enum {
+	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
+};
+
+static struct {
+	struct ipt_replace repl;
+	struct ipt_standard entries[1];
+	struct ipt_error term;
+} rawpost4_initial __initdata = {
+	.repl = {
+		.name        = "rawpost",
+		.valid_hooks = RAWPOST_VALID_HOOKS,
+		.num_entries = 2,
+		.size        = sizeof(struct ipt_standard) +
+		               sizeof(struct ipt_error),
+		.hook_entry  = {
+			[NF_INET_POST_ROUTING] = 0,
+		},
+		.underflow = {
+			[NF_INET_POST_ROUTING] = 0,
+		},
+	},
+	.entries = {
+		IPT_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
+	},
+	.term = IPT_ERROR_INIT,			/* ERROR */
+};
+
+static struct xt_table *rawpost4_ptable;
+
+static struct xt_table rawpost4_itable = {
+	.name        = "rawpost",
+	.af          = NFPROTO_IPV4,
+	.valid_hooks = RAWPOST_VALID_HOOKS,
+	.me          = THIS_MODULE,
+};
+
+static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
+    const struct net_device *in, const struct net_device *out,
+    int (*okfn)(struct sk_buff *))
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
+#else
+	return ipt_do_table(skb, hook, in, out, rawpost4_ptable, NULL);
+#endif
+}
+
+static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
+	.hook     = rawpost4_hook_fn,
+	.pf       = NFPROTO_IPV4,
+	.hooknum  = NF_INET_POST_ROUTING,
+	.priority = NF_IP_PRI_LAST,
+	.owner    = THIS_MODULE,
+};
+
+static int __init rawpost4_table_init(void)
+{
+	int ret;
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
+	rwlock_init(&rawpost4_itable.lock);
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
+	rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
+	                  &rawpost4_initial.repl);
+	if (IS_ERR(rawpost4_ptable))
+		return PTR_ERR(rawpost4_ptable);
+#else
+	ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
+	if (ret < 0)
+		return ret;
+	rawpost4_ptable = &rawpost4_itable;
+#endif
+
+	ret = nf_register_hook(&rawpost4_hook_ops);
+	if (ret < 0)
+		goto out;
+
+	return ret;
+
+ out:
+	ipt_unregister_table(rawpost4_ptable);
+	return ret;
+}
+
+static void __exit rawpost4_table_exit(void)
+{
+	nf_unregister_hook(&rawpost4_hook_ops);
+	ipt_unregister_table(rawpost4_ptable);
+}
+
+module_init(rawpost4_table_init);
+module_exit(rawpost4_table_exit);
+MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_LICENSE("GPL");

extensions/libxt_CHAOS.c

@@ -16,6 +16,7 @@
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
 #include "xt_CHAOS.h"
+#include "compat_user.h"
 
 enum {
 	F_DELUDE = 1 << 0,
@@ -25,7 +26,7 @@ enum {
 static const struct option chaos_tg_opts[] = {
 	{.name = "delude", .has_arg = false, .val = 'd'},
 	{.name = "tarpit", .has_arg = false, .val = 't'},
-	{},
+	{NULL},
 };
 
 static void chaos_tg_help(void)
@@ -58,7 +59,7 @@ static void chaos_tg_check(unsigned int flags)
 {
 	if (flags == (F_DELUDE | F_TARPIT))
 		/* If flags == 0x03, both were specified, which should not be. */
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 		           "CHAOS: only one of --tarpit or --delude "
 		           "may be specified");
 }
@@ -95,7 +96,7 @@ static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
 static struct xtables_target chaos_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "CHAOS",
-	.family        = AF_INET,
+	.family        = NFPROTO_IPV4,
 	.size          = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_chaos_tginfo)),
 	.help          = chaos_tg_help,
@@ -106,8 +107,7 @@ static struct xtables_target chaos_tg_reg = {
 	.extra_opts    = chaos_tg_opts,
 };
 
-void _init(void);
-void _init(void)
+static __attribute__((constructor)) void chaos_tg_ldr(void)
 {
 	xtables_register_target(&chaos_tg_reg);
 }

extensions/libxt_CHAOS.man

@@ -1,13 +1,13 @@
 Causes confusion on the other end by doing odd things with incoming packets.
 CHAOS will randomly reply (or not) with one of its configurable subtargets:
 .TP
-\fB--delude\fP
+\fB\-\-delude\fP
 Use the REJECT and DELUDE targets as a base to do a sudden or deferred
 connection reset, fooling some network scanners to return non-deterministic
 (randomly open/closed) results, and in case it is deemed open, it is actually
 closed/filtered.
 .TP
-\fB--tarpit\fP
+\fB\-\-tarpit\fP
 Use the REJECT and TARPIT target as a base to hold the connection until it
 times out. This consumes conntrack entries when connection tracking is loaded
 (which usually is on most machines), and routers inbetween you and the Internet
@@ -18,4 +18,4 @@ The randomness factor of not replying vs. replying can be set during load-time
 of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
 See http://jengelh.medozas.de/projects/chaostables/ for more information
-about CHAOS, DELUDE and portscan.
+about CHAOS, DELUDE and lscan.

extensions/libxt_CHECKSUM.c

@@ -0,0 +1,94 @@
+/*
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 by Red Hat, Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This program is distributed under the terms of GNU GPL v2, 1991
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include "xt_CHECKSUM.h"
+#include "compat_user.h"
+
+static void CHECKSUM_help(void)
+{
+	printf(
+"CHECKSUM target options\n"
+"  --checksum-fill        Fill in packet checksum.\n");
+}
+
+static const struct option CHECKSUM_opts[] = {
+	{ "checksum-fill", 0, NULL, 'F' },
+	{ .name = NULL }
+};
+
+static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
+                     const void *entry, struct xt_entry_target **target)
+{
+	struct xt_CHECKSUM_info *einfo
+		= (struct xt_CHECKSUM_info *)(*target)->data;
+
+	switch (c) {
+	case 'F':
+		xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
+			*flags & XT_CHECKSUM_OP_FILL);
+		einfo->operation = XT_CHECKSUM_OP_FILL;
+		*flags |= XT_CHECKSUM_OP_FILL;
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void CHECKSUM_check(unsigned int flags)
+{
+	if (!flags)
+		xtables_error(PARAMETER_PROBLEM,
+		           "CHECKSUM target: Parameter --checksum-fill is required");
+}
+
+static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
+                      int numeric)
+{
+	const struct xt_CHECKSUM_info *einfo =
+		(const struct xt_CHECKSUM_info *)target->data;
+
+	printf("CHECKSUM ");
+
+	if (einfo->operation & XT_CHECKSUM_OP_FILL)
+		printf("fill ");
+}
+
+static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_CHECKSUM_info *einfo =
+		(const struct xt_CHECKSUM_info *)target->data;
+
+	if (einfo->operation & XT_CHECKSUM_OP_FILL)
+		printf("--checksum-fill ");
+}
+
+static struct xtables_target checksum_tg_reg = {
+	.name          = "CHECKSUM",
+	.version       = XTABLES_VERSION,
+	.family        = NFPROTO_UNSPEC,
+	.size          = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
+	.help          = CHECKSUM_help,
+	.parse         = CHECKSUM_parse,
+	.final_check   = CHECKSUM_check,
+	.print         = CHECKSUM_print,
+	.save          = CHECKSUM_save,
+	.extra_opts    = CHECKSUM_opts,
+};
+
+static __attribute__((constructor)) void _init(void)
+{
+	xtables_register_target(&checksum_tg_reg);
+}

extensions/libxt_CHECKSUM.man

@@ -0,0 +1,8 @@
+This target allows to selectively work around broken/old applications.
+It can only be used in the mangle table.
+.TP
+\fB\-\-checksum\-fill\fP
+Compute and fill in the checksum in a packet that lacks a checksum.
+This is particularly useful, if you need to work around old applications
+such as dhcp clients, that do not work well with checksum offloads,
+but don't want to disable checksum offload in your device.

extensions/libxt_DELUDE.c

@@ -13,6 +13,7 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
+#include "compat_user.h"
 
 static void delude_tg_help(void)
 {
@@ -33,16 +34,13 @@ static struct xtables_target delude_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "DELUDE",
 	.revision      = 0,
-	.family        = AF_INET,
-	.size          = XT_ALIGN(0),
-	.userspacesize = XT_ALIGN(0),
+	.family        = NFPROTO_IPV4,
 	.help          = delude_tg_help,
 	.parse         = delude_tg_parse,
 	.final_check   = delude_tg_check,
 };
 
-void _init(void);
-void _init(void)
+static __attribute__((constructor)) void delude_tg_ldr(void)
 {
 	xtables_register_target(&delude_tg_reg);
 }

extensions/libxt_DHCPADDR.c

@@ -1,101 +0,0 @@
-/*
- *	"DHCPADDR" target extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netinet/ether.h>
-#include <xtables.h>
-#include "xt_DHCPADDR.h"
-#include "mac.c"
-
-enum {
-	F_MAC = 1 << 0,
-};
-
-static const struct option dhcpaddr_tg_opts[] = {
-	{.name = "set-mac", .has_arg = true, .val = 'M'},
-	{NULL},
-};
-
-static void dhcpaddr_tg_help(void)
-{
-	printf(
-"DHCPADDDR target options:\n"
-"  --set-mac lladdr[/mask]    Set MAC address in DHCP Client Host field\n"
-	);
-}
-
-static int dhcpaddr_tg_parse(int c, char **argv, int invert,
-    unsigned int *flags, const void *entry, struct xt_entry_target **target)
-{
-	struct dhcpaddr_info *info = (void *)(*target)->data;
-
-	switch (c) {
-	case 'M':
-		param_act(P_ONLY_ONCE, "DHCPADDR", "--set-mac", *flags & F_MAC);
-		param_act(P_NO_INVERT, "DHCPADDR", "--set-mac", invert);
-		if (!mac_parse(optarg, info->addr, &info->mask))
-			param_act(P_BAD_VALUE, "DHCPADDR", "--set-mac", optarg);
-		*flags |= F_MAC;
-		return true;
-	}
-
-	return false;
-}
-
-static void dhcpaddr_tg_check(unsigned int flags)
-{
-	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM, "DHCPADDR target: "
-		           "--set-mac parameter required");
-}
-
-static void dhcpaddr_tg_print(const void *ip,
-    const struct xt_entry_target *target, int numeric)
-{
-	const struct dhcpaddr_info *info = (void *)target->data;
-
-	printf("DHCPADDR %s" DH_MAC_FMT "/%u ",
-	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
-}
-
-static void dhcpaddr_tg_save(const void *ip,
-    const struct xt_entry_target *target)
-{
-	const struct dhcpaddr_info *info = (const void *)target->data;
-
-	if (info->invert)
-		printf("! ");
-	printf("--set-mac " DH_MAC_FMT "/%u ",
-	       DH_MAC_HEX(info->addr), info->mask);
-}
-
-static struct xtables_target dhcpaddr_tg_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "DHCPADDR",
-	.revision      = 0,
-	.family        = PF_INET,
-	.size          = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.help          = dhcpaddr_tg_help,
-	.parse         = dhcpaddr_tg_parse,
-	.final_check   = dhcpaddr_tg_check,
-	.print         = dhcpaddr_tg_print,
-	.save          = dhcpaddr_tg_save,
-	.extra_opts    = dhcpaddr_tg_opts,
-};
-
-static void _init(void)
-{
-	xtables_register_target(&dhcpaddr_tg_reg);
-}