Xtables-addons 1.14

As per "Writing Netfilter Modules" e-book 20090326 section 4.8, one
should use pr_debug instead.

INSTALL

@@ -9,16 +9,23 @@ in combination with the kernel's Kbuild system.
 	# make install
 
 
-Prerequirements
-===============
+Supported configurations for this release
+=========================================
 
-	* iptables 1.4.1
+	* iptables >= 1.4.3
 
-	* kernel-source >= 2.6.17 with prepared build/output directory
+	* kernel-source >= 2.6.17, no upper bound known
+	  with prepared build/output directory
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
 	    enabled =y or as module (=m)
 
+Extra notes:
+
+	* in the kernel 2.6.18.x series, >= 2.6.18.5 is required
+
+	* requires that no vendor backports interfere
+
 
 Selecting extensions
 ====================
@@ -45,11 +52,8 @@ Configuring and compiling
 	xtables.h, should it not be within the standard C compiler
 	include path (/usr/include), or if you want to override it.
 	The directory will be checked for xtables.h and
-	include/xtables.h. (This is to support the following specs:)
-
-		--with-xtables=/usr/src/xtables
-		--with-xtables=/usr/src/xtables/include
-		--with-xtables=/opt/xtables/include
+	include/xtables.h. (The latter to support both standard
+	/usr/include and the iptables source root.)
 
 --with-libxtdir=
 
@@ -65,6 +69,19 @@ If you want to enable debugging, use
 much easier.)
 
 
+Build-time options
+==================
+
+V= controls the kernel's make verbosity.
+V=0	"silent" (output filename)
+V=1	"verbose" (entire gcc command line)
+
+VU= controls the Xt-a make verbosity.
+VU=0	output filename
+VU=1	output filename and source file
+VU=2	entire gcc command line
+
+
 Note to distribution packagers
 ==============================
 

Makefile.am

@@ -1,12 +1,12 @@
 # -*- Makefile -*-
 
-AUTOMAKE_OPTIONS = foreign subdir-objects
-SUBDIRS          = extensions extensions/ipset
+ACLOCAL_AMFLAGS  = -I m4
+SUBDIRS          = extensions
 
 man_MANS := xtables-addons.8
 
 xtables-addons.8: ${srcdir}/xtables-addons.8.in extensions/matches.man extensions/targets.man
-	${AM_VERBOSE_GEN} sed -e '/@MATCHES@/ r extensions/matches.man' -e '/@TARGET@/ r extensions/targets.man' $< >$@;
+	${am__verbose_GEN}sed -e '/@MATCHES@/ r extensions/matches.man' -e '/@TARGET@/ r extensions/targets.man' $< >$@;
 
 extensions/%:
 	${MAKE} ${AM_MAKEFLAGS} -C $(@D) $(@F)
@@ -14,6 +14,8 @@ extensions/%:
 install-exec-local:
 	depmod -a || :;
 
+config.status: extensions/GNUmakefile.in
+
 .PHONY: tarball
 tarball:
 	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};

configure.ac

@@ -1,8 +1,9 @@
 
-AC_INIT([xtables-addons], [1.6])
+AC_INIT([xtables-addons], [1.14])
 AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE
+AM_INIT_AUTOMAKE([-Wall foreign subdir-objects])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -27,8 +28,11 @@ AC_ARG_WITH([xtlibdir],
 	[xtlibdir="$withval"],
 	[xtlibdir='${libexecdir}/xtables'])
 
-AC_MSG_CHECKING([xtables.h presence])
+#
+# --with-xtables= overrides a possibly installed pkgconfig file.
+#
 if [[ -n "$xtables_location" ]]; then
+	AC_MSG_CHECKING([xtables.h presence])
 	if [[ -f "$xtables_location/xtables.h" ]]; then
 		AC_MSG_RESULT([$xtables_location/xtables.h])
 		xtables_CFLAGS="-I $xtables_location";
@@ -36,13 +40,15 @@ if [[ -n "$xtables_location" ]]; then
 		AC_MSG_RESULT([$xtables_location/include/xtables.h])
 		xtables_CFLAGS="-I $xtables_location/include";
 	fi;
-fi;
-if [[ -z "$xtables_CFLAGS" ]]; then
-	if [[ -f "$includedir/xtables.h" ]]; then
-		AC_MSG_RESULT([$includedir/xtables.h])
-	else
-		AC_MSG_RESULT([no])
+	if [[ -z "$xtables_CFLAGS" ]]; then
+		if [[ -f "$includedir/xtables.h" ]]; then
+			AC_MSG_RESULT([$includedir/xtables.h])
+		else
+			AC_MSG_RESULT([no])
+		fi;
 	fi;
+else
+	PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.3])
 fi;
 
 regular_CFLAGS="-D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \
@@ -63,4 +69,5 @@ AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
-AC_OUTPUT([Makefile extensions/GNUmakefile extensions/ipset/GNUmakefile])
+AC_CONFIG_FILES([Makefile extensions/GNUmakefile extensions/ipset/GNUmakefile])
+AC_OUTPUT

doc/changelog.txt

@@ -0,0 +1,142 @@
+
+
+Xtables-addons 1.14 (March 31 2009)
+===================================
+- fuzzy: need to account for kernel-level modified variables in .userspacesize
+- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
+- SYSRQ: ignore non-UDP packets
+- SYSRQ: do proper L4 header access in IPv6 code
+  (must not use tcp/udp_hdr in input path)
+- add "STEAL" target
+- dhcpmac: rename from dhcpaddr
+
+
+Xtables-addons 1.13 (March 23 2009)
+===================================
+- added a reworked ipv4options match
+- upgrade to iptables 1.4.3 API
+
+
+Xtables-addons 1.12 (March 07 2009)
+===================================
+- ipset: fix for compilation with 2.6.29-rt
+- ipset: fast forward to 2.5.0
+- rename xt_portscan to xt_lscan ("low-level scan") because
+  "portscan" as a wor caused confusion
+- xt_LOGMARK: print incoming interface index
+- revert "TEE: do not use TOS for routing"
+- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n
+- xt_TEE: enable routing by iif, nfmark and flowlabel
+
+
+Xtables-addons 1.10 (February 18 2009)
+======================================
+- compat: compile fixes for 2.6.29
+- ipset: upgrade to ipset 2.4.9
+
+
+Xtables-addons 1.9 (January 30 2009)
+====================================
+- add the xt_length2 extension
+- xt_TEE: remove intrapositional '!' support
+- ipset: upgrade to ipset 2.4.7
+
+
+Xtables-addons 1.8 (January 10 2009)
+====================================
+- xt_TEE: IPv6 support
+- xt_TEE: do not include TOS value in routing decision
+- xt_TEE: fix switch-case inversion for name/IP display
+- xt_ipp2p: update manpages and help text
+- xt_ipp2p: remove log flooding
+- xt_portscan: update manpage about --grscan option caveats
+
+
+Xtables-addons 1.7 (December 25 2008)
+=====================================
+- xt_ECHO: compile fix
+- avoid the use of "_init" which led to compile errors on some installations
+- build: do not unconditionally install ipset
+- doc: add manpages for xt_ECHO and xt_TEE
+- xt_ipp2p: kazaa detection code cleanup
+- xt_ipp2p: fix newline inspection in kazaa detection
+- xt_ipp2p: ensure better array bounds checking
+- xt_SYSRQ: improve security by hashing password
+
+
+Xtables-addons 1.6 (November 18 2008)
+=====================================
+- build: support for Linux 2.6.17
+- build: compile fixes for 2.6.18 and 2.6.19
+- xt_ECHO: resolve compile errors in xt_ECHO
+- xt_ipp2p: parenthesize unaligned-access macros
+
+
+Xtables-addons 1.5.7 (September 01 2008)
+========================================
+- API layer: fix use of uninitialized 'hotdrop' variable
+- API layer: move to pskb-based signatures
+- xt_SYSRQ: compile fixes for Linux <= 2.6.19
+- ipset: adjust semaphore.h include for Linux >= 2.6.27
+- build: automatically run `depmod -a` on installation
+- add reworked xt_fuzzy module
+- add DHCP address match and mangle module
+- xt_portscan: IPv6 support
+- xt_SYSRQ: add missing module aliases
+
+
+Xtables-addons 1.5.5 (August 03 2008)
+=====================================
+- manpage updates for xt_CHAOS, xt_IPMARK; README updates
+- build: properly recognize external Kbuild/Mbuild files
+- build: remove dependency on CONFIG_NETWORK_SECMARK
+- add the xt_SYSRQ target
+- add the xt_quota2 extension
+- import ipset extension group
+
+
+Xtables-addons 1.5.4.1 (April 26 2008)
+======================================
+- build: fix compile error for 2.6.18-stable
+
+
+Xtables-addons 1.5.4 (April 09 2008)
+====================================
+- build: support building multiple files with one config option
+- API layer: add check for pskb relocation
+- doc: generate manpages
+- xt_ECHO: catch skb_linearize out-of-memory condition
+- xt_LOGMARK: add hook= and ctdir= fields in dump
+- xt_LOGMARK: fix comma output in ctstatus= list
+- xt_TEE: fix address copying bug
+- xt_TEE: make skb writable before attempting checksum update
+- add reworked xt_condition match
+- add reworked xt_ipp2p match
+- add reworked xt_IPMARK target
+
+
+Xtables-addons 1.5.3 (March 22 2008)
+====================================
+- support for Linux 2.6.18
+- add xt_ECHO sample target
+- add reworked xt_geoip match
+
+
+Xtables-addons 1.5.2 (March 04 2008)
+====================================
+- build: support for GNU make < 3.81 which does not have $(realpath)
+
+
+Xtables-addons 1.5.1 (February 21 2008)
+=======================================
+- build: allow user to select what extensions to compile and install
+- build: allow external proejcts to be downloaded into the tree
+- xt_LOGMARK: dump classify mark, ctstate and ctstatus
+- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
+
+
+Xtables-addons 1.5.0 (February 11 2008)
+=======================================
+Initial release with:
+- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
+- support for Linux >= 2.6.19

extensions/.gitignore

@@ -3,6 +3,7 @@
 .tmp_versions
 *.ko
 *.mod.c
+Module.markers
 Module.symvers
 Modules.symvers
 modules.order

extensions/GNUmakefile.in

@@ -30,15 +30,19 @@ xtables_CFLAGS  := @xtables_CFLAGS@
 AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS}
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
-ifeq (${V},)
-AM_LIBTOOL_SILENT = --silent
-AM_VERBOSE_CC     = @echo "  CC      " $@;
-AM_VERBOSE_CCLD   = @echo "  CCLD    " $@;
-AM_VERBOSE_CXX    = @echo "  CXX     " $@;
-AM_VERBOSE_CXXLD  = @echo "  CXXLD   " $@;
-AM_VERBOSE_AR     = @echo "  AR      " $@;
-AM_VERBOSE_GEN    = @echo "  GEN     " $@;
-endif
+VU := 0
+am__1verbose_CC_0     = @echo "  CC      " $@;
+am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
+am__1verbose_GEN_0    = @echo "  GEN     " $@;
+am__1verbose_SILENT_0 = @
+am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
+am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
+am__1verbose_GEN_1    = @echo "  GEN     " $@ "<-" $<;
+am__verbose_CC        = ${am__1verbose_CC_${VU}}
+am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
+am__verbose_GEN       = ${am__1verbose_GEN_${VU}}
+am__verbose_SILENT    = ${am__1verbose_GEN_${VU}}
+
 
 #
 #	Wildcard module list
@@ -53,22 +57,30 @@ include ${srcdir}/Mbuild
 #
 #	Building blocks
 #
-targets := ${obj-m}
-targets_install := ${obj-m}
+targets := $(filter-out %/,${obj-m})
+targets_install := ${targets}
+subdirs_list := $(filter %/,${obj-m})
 
 .SECONDARY:
 
 .PHONY: all install clean distclean FORCE
 
-all: modules user matches.man targets.man
+all: subdirs modules user matches.man targets.man
+
+subdirs:
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
+
+subdirs-install:
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i install; done;
 
 user: ${targets}
 
-install: modules_install ${targets_install}
+install: modules_install subdirs-install ${targets_install}
 	@mkdir -p "${DESTDIR}${xtlibdir}";
 	install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/";
 
 clean: clean_modules
+	@for i in ${subdirs_list}; do make -C $$i clean; done;
 	rm -f *.oo *.so;
 
 distclean: clean
@@ -83,23 +95,23 @@ distclean: clean
 .PHONY: modules modules_install clean_modules
 
 modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
 
 modules_install:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
 
 clean_modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
 
 
 #
 #	Shared libraries
 #
 lib%.so: lib%.oo
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
 
 lib%.oo: ${srcdir}/lib%.c
-	${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
 
 
 #
@@ -116,8 +128,7 @@ wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
 	rm -f $@.tmp;
 
 man_run    = \
-	${AM_VERBOSE_GEN} \
-	for ext in $(1); do \
+	${am__verbose_GEN}for ext in $(1); do \
 		f="${srcdir}/libxt_$$ext.man"; \
 		if [ -f "$$f" ]; then \
 			echo ".SS $$ext"; \

extensions/Kbuild

@@ -7,11 +7,12 @@ obj-m                    += compat_xtables.o
 
 obj-${build_CHAOS}       += xt_CHAOS.o
 obj-${build_DELUDE}      += xt_DELUDE.o
-obj-${build_DHCPADDR}    += xt_DHCPADDR.o
+obj-${build_DHCPMAC}     += xt_DHCPMAC.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
 obj-${build_SYSRQ}       += xt_SYSRQ.o
+obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o
 obj-${build_TEE}         += xt_TEE.o
 obj-${build_condition}   += xt_condition.o
@@ -19,7 +20,9 @@ obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
 obj-${build_ipp2p}       += xt_ipp2p.o
 obj-${build_ipset}       += ipset/
-obj-${build_portscan}    += xt_portscan.o
+obj-${build_ipv4options} += xt_ipv4options.o
+obj-${build_length2}     += xt_length2.o
+obj-${build_lscan}       += xt_lscan.o
 obj-${build_quota2}      += xt_quota2.o
 
 -include ${M}/*.Kbuild

extensions/Mbuild

@@ -1,9 +1,10 @@
 obj-${build_CHAOS}       += libxt_CHAOS.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
-obj-${build_DHCPADDR}    += libxt_DHCPADDR.so libxt_dhcpaddr.so
+obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
+obj-${build_STEAL}       += libxt_STEAL.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
 obj-${build_TEE}         += libxt_TEE.so
@@ -11,5 +12,8 @@ obj-${build_condition}   += libxt_condition.so
 obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
-obj-${build_portscan}    += libxt_portscan.so
+obj-${build_ipset}       += ipset/
+obj-${build_ipv4options} += libxt_ipv4options.so
+obj-${build_length2}     += libxt_length2.so
+obj-${build_lscan}       += libxt_lscan.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/compat_skbuff.h

@@ -5,8 +5,11 @@ struct tcphdr;
 struct udphdr;
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+#	define skb_ifindex(skb) \
+		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
 #else
+#	define skb_ifindex(skb) (skb)->iif
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #endif
 

extensions/compat_xtables.h

@@ -1,10 +1,13 @@
 #ifndef _XTABLES_COMPAT_H
 #define _XTABLES_COMPAT_H 1
 
+#include <linux/kernel.h>
 #include <linux/version.h>
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
 
+#define DEBUGP Use__pr_debug__instead
+
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
 #	warning Kernels below 2.6.17 not supported.
 #endif
@@ -70,6 +73,27 @@
 #	define csum_replace2 nf_csum_replace2
 #endif
 
+#if !defined(NIP6) && !defined(NIP6_FMT)
+#	define NIP6(addr) \
+		ntohs((addr).s6_addr16[0]), \
+		ntohs((addr).s6_addr16[1]), \
+		ntohs((addr).s6_addr16[2]), \
+		ntohs((addr).s6_addr16[3]), \
+		ntohs((addr).s6_addr16[4]), \
+		ntohs((addr).s6_addr16[5]), \
+		ntohs((addr).s6_addr16[6]), \
+		ntohs((addr).s6_addr16[7])
+#	define NIP6_FMT "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
+#endif
+#if !defined(NIPQUAD) && !defined(NIPQUAD_FMT)
+#	define NIPQUAD(addr) \
+		((const unsigned char *)&addr)[0], \
+		((const unsigned char *)&addr)[1], \
+		((const unsigned char *)&addr)[2], \
+		((const unsigned char *)&addr)[3]
+#	define NIPQUAD_FMT "%u.%u.%u.%u"
+#endif
+
 #define ip_route_me_harder    xtnu_ip_route_me_harder
 #define skb_make_writable     xtnu_skb_make_writable
 #define xt_target             xtnu_target

extensions/ipset/GNUmakefile.in

@@ -2,6 +2,7 @@
 
 top_srcdir      := @top_srcdir@
 srcdir          := @srcdir@
+datarootdir     := @datarootdir@
 abstop_srcdir   := $(shell readlink -e ${top_srcdir})
 abssrcdir       := $(shell readlink -e ${srcdir})
 
@@ -32,20 +33,20 @@ xtables_CFLAGS  := @xtables_CFLAGS@
 AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
-ifeq (${V},)
-AM_LIBTOOL_SILENT = --silent
-AM_VERBOSE_CC     = @echo "  CC      " $@;
-AM_VERBOSE_CCLD   = @echo "  CCLD    " $@;
-AM_VERBOSE_CXX    = @echo "  CXX     " $@;
-AM_VERBOSE_CXXLD  = @echo "  CXXLD   " $@;
-AM_VERBOSE_AR     = @echo "  AR      " $@;
-AM_VERBOSE_GEN    = @echo "  GEN     " $@;
-endif
+VU := 0
+am__1verbose_CC_0     = @echo "  CC      " $@;
+am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
+am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
+am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
+am__verbose_CC        = ${am__1verbose_CC_${VU}}
+am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
 
 #
 #	Building blocks
 #
-targets := $(addsuffix .so,$(addprefix libipset_,iphash ipmap ipporthash iptree iptreemap macipmap nethash portmap))
+targets := $(addsuffix .so,$(addprefix libipset_, \
+	iphash ipmap ipporthash ipportiphash ipportnethash iptree \
+	iptreemap macipmap nethash portmap setlist))
 
 .SECONDARY:
 
@@ -69,16 +70,16 @@ distclean: clean
 
 
 ipset: ipset.o
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -o $@ $< -ldl -rdynamic;
+	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -o $@ $< -ldl -rdynamic;
 
 #
 #	Shared libraries
 #
 lib%.so: lib%.oo
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
 
 libipset_%.oo: ${srcdir}/ipset_%.c
-	${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
 
 %.o: %.c
-	${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} ${CFLAGS} -o $@ -c $<;
+	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} ${CFLAGS} -o $@ -c $<;

extensions/ipset/ip_set.c

@@ -19,7 +19,7 @@
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/random.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <linux/capability.h>
 #include <asm/uaccess.h>
@@ -877,7 +877,7 @@ ip_set_create(const char *name,
 	set = kmalloc(sizeof(struct ip_set), GFP_KERNEL);
 	if (!set)
 		return -ENOMEM;
-	set->lock = RW_LOCK_UNLOCKED;
+	rwlock_init(&set->lock);
 	strncpy(set->name, name, IP_SET_MAXNAMELEN);
 	set->binding = IP_SET_INVALID_ID;
 	atomic_set(&set->ref, 0);

extensions/ipset/ip_set_iphash.c

@@ -11,7 +11,7 @@
 #include <linux/moduleparam.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -42,8 +42,7 @@ iphash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 		if (*elem == *hash_ip)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -64,18 +63,21 @@ __iphash_add(struct ip_set_iphash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 	
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
 		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *ip;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_ipporthash.c

@@ -13,7 +13,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -49,8 +49,7 @@ ipporthash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 		if (*elem == *hash_ip)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -86,18 +85,21 @@ __ipporthash_add(struct ip_set_ipporthash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
 		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *ip;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_ipportiphash.c

@@ -13,7 +13,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -51,8 +51,7 @@ ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
 		if (elem->ip == *hash_ip && elem->ip1 == ip1)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -90,19 +89,22 @@ __ipportip_add(struct ip_set_ipportiphash *map,
 {
 	__u32 probe;
 	u_int16_t i;
-	struct ipportip *elem;
+	struct ipportip *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
 		if (elem->ip == hash_ip && elem->ip1 == ip1)
 			return -EEXIST;
-		if (!(elem->ip || elem->ip1)) {
-			elem->ip = hash_ip;
-			elem->ip1 = ip1;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || elem->ip || elem->ip1))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		slot->ip = hash_ip;
+		slot->ip1 = ip1;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_ipportnethash.c

@@ -13,7 +13,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -53,8 +53,7 @@ ipportnethash_id_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
 		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
 		if (elem->ip == *hash_ip && elem->ip1 == ip1)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -137,19 +136,22 @@ __ipportnet_add(struct ip_set_ipportnethash *map,
 {
 	__u32 probe;
 	u_int16_t i;
-	struct ipportip *elem;
+	struct ipportip *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
 		if (elem->ip == hash_ip && elem->ip1 == ip1)
 			return -EEXIST;
-		if (!(elem->ip || elem->ip1)) {
-			elem->ip = hash_ip;
-			elem->ip1 = ip1;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || elem->ip || elem->ip1))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		slot->ip = hash_ip;
+		slot->ip1 = ip1;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_jhash.h

@@ -1,148 +1,157 @@
-#ifndef _LINUX_IPSET_JHASH_H
-#define _LINUX_IPSET_JHASH_H
-
-/* This is a copy of linux/jhash.h but the types u32/u8 are changed
- * to __u32/__u8 so that the header file can be included into
- * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- */
+#ifndef _LINUX_JHASH_H
+#define _LINUX_JHASH_H
 
 /* jhash.h: Jenkins hash support.
  *
- * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
+ * Copyright (C) 2006. Bob Jenkins (bob_jenkins@burtleburtle.net)
  *
  * http://burtleburtle.net/bob/hash/
  *
  * These are the credits from Bob's sources:
  *
- * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
- * hash(), hash2(), hash3, and mix() are externally useful functions.
- * Routines to test the hash are included if SELF_TEST is defined.
- * You can use this free for any purpose.  It has no warranty.
+ * lookup3.c, by Bob Jenkins, May 2006, Public Domain.
  *
- * Copyright (C) 2003 David S. Miller (davem@redhat.com)
+ * These are functions for producing 32-bit hashes for hash table lookup.
+ * hashword(), hashlittle(), hashlittle2(), hashbig(), mix(), and final() 
+ * are externally useful functions.  Routines to test the hash are included 
+ * if SELF_TEST is defined.  You can use this free for any purpose.  It's in
+ * the public domain.  It has no warranty.
+ *
+ * Copyright (C) 2009 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
  *
  * I've modified Bob's hash to be useful in the Linux kernel, and
- * any bugs present are surely my fault.  -DaveM
+ * any bugs present are my fault.  Jozsef
  */
 
-/* NOTE: Arguments are modified. */
-#define __jhash_mix(a, b, c) \
+#define __rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
+
+/* __jhash_mix - mix 3 32-bit values reversibly. */
+#define __jhash_mix(a,b,c) \
 { \
-  a -= b; a -= c; a ^= (c>>13); \
-  b -= c; b -= a; b ^= (a<<8); \
-  c -= a; c -= b; c ^= (b>>13); \
-  a -= b; a -= c; a ^= (c>>12);  \
-  b -= c; b -= a; b ^= (a<<16); \
-  c -= a; c -= b; c ^= (b>>5); \
-  a -= b; a -= c; a ^= (c>>3);  \
-  b -= c; b -= a; b ^= (a<<10); \
-  c -= a; c -= b; c ^= (b>>15); \
+  a -= c;  a ^= __rot(c, 4);  c += b; \
+  b -= a;  b ^= __rot(a, 6);  a += c; \
+  c -= b;  c ^= __rot(b, 8);  b += a; \
+  a -= c;  a ^= __rot(c,16);  c += b; \
+  b -= a;  b ^= __rot(a,19);  a += c; \
+  c -= b;  c ^= __rot(b, 4);  b += a; \
+}
+
+/* __jhash_final - final mixing of 3 32-bit values (a,b,c) into c */
+#define __jhash_final(a,b,c) \
+{ \
+  c ^= b; c -= __rot(b,14); \
+  a ^= c; a -= __rot(c,11); \
+  b ^= a; b -= __rot(a,25); \
+  c ^= b; c -= __rot(b,16); \
+  a ^= c; a -= __rot(c,4);  \
+  b ^= a; b -= __rot(a,14); \
+  c ^= b; c -= __rot(b,24); \
 }
 
 /* The golden ration: an arbitrary value */
-#define JHASH_GOLDEN_RATIO	0x9e3779b9
+#define JHASH_GOLDEN_RATIO	0xdeadbeef
 
 /* The most generic version, hashes an arbitrary sequence
  * of bytes.  No alignment or length assumptions are made about
- * the input key.
+ * the input key. The result depends on endianness.
  */
-static inline __u32 jhash(void *key, __u32 length, __u32 initval)
+static inline u32 jhash(const void *key, u32 length, u32 initval)
 {
-	__u32 a, b, c, len;
-	__u8 *k = key;
+	u32 a,b,c;
+	const u8 *k = key;
 
-	len = length;
-	a = b = JHASH_GOLDEN_RATIO;
-	c = initval;
-
-	while (len >= 12) {
-		a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
-		b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
-		c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
-
-		__jhash_mix(a,b,c);
+	/* Set up the internal state */
+	a = b = c = JHASH_GOLDEN_RATIO + length + initval;
 
+	/* all but the last block: affect some 32 bits of (a,b,c) */
+	while (length > 12) {
+    		a += (k[0] + ((u32)k[1]<<8) + ((u32)k[2]<<16) + ((u32)k[3]<<24));
+		b += (k[4] + ((u32)k[5]<<8) + ((u32)k[6]<<16) + ((u32)k[7]<<24));
+		c += (k[8] + ((u32)k[9]<<8) + ((u32)k[10]<<16) + ((u32)k[11]<<24));
+		__jhash_mix(a, b, c);
+		length -= 12;
 		k += 12;
-		len -= 12;
 	}
 
-	c += length;
-	switch (len) {
-	case 11: c += ((__u32)k[10]<<24);
-	case 10: c += ((__u32)k[9]<<16);
-	case 9 : c += ((__u32)k[8]<<8);
-	case 8 : b += ((__u32)k[7]<<24);
-	case 7 : b += ((__u32)k[6]<<16);
-	case 6 : b += ((__u32)k[5]<<8);
+	/* last block: affect all 32 bits of (c) */
+	/* all the case statements fall through */
+	switch (length) {
+	case 12: c += (u32)k[11]<<24;
+	case 11: c += (u32)k[10]<<16;
+	case 10: c += (u32)k[9]<<8;
+	case 9 : c += k[8];
+	case 8 : b += (u32)k[7]<<24;
+	case 7 : b += (u32)k[6]<<16;
+	case 6 : b += (u32)k[5]<<8;
 	case 5 : b += k[4];
-	case 4 : a += ((__u32)k[3]<<24);
-	case 3 : a += ((__u32)k[2]<<16);
-	case 2 : a += ((__u32)k[1]<<8);
+	case 4 : a += (u32)k[3]<<24;
+	case 3 : a += (u32)k[2]<<16;
+	case 2 : a += (u32)k[1]<<8;
 	case 1 : a += k[0];
-	};
-
-	__jhash_mix(a,b,c);
+		__jhash_final(a, b, c);
+	case 0 :
+		break;
+	}
 
 	return c;
 }
 
-/* A special optimized version that handles 1 or more of __u32s.
- * The length parameter here is the number of __u32s in the key.
+/* A special optimized version that handles 1 or more of u32s.
+ * The length parameter here is the number of u32s in the key.
  */
-static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
+static inline u32 jhash2(const u32 *k, u32 length, u32 initval)
 {
-	__u32 a, b, c, len;
+	u32 a, b, c;
 
-	a = b = JHASH_GOLDEN_RATIO;
-	c = initval;
-	len = length;
+	/* Set up the internal state */
+	a = b = c = JHASH_GOLDEN_RATIO + (length<<2) + initval;
 
-	while (len >= 3) {
+	/* handle most of the key */
+	while (length > 3) {
 		a += k[0];
 		b += k[1];
 		c += k[2];
 		__jhash_mix(a, b, c);
-		k += 3; len -= 3;
+		length -= 3;
+		k += 3;
 	}
 
-	c += length * 4;
-
-	switch (len) {
-	case 2 : b += k[1];
-	case 1 : a += k[0];
-	};
-
-	__jhash_mix(a,b,c);
+	/* handle the last 3 u32's */
+	/* all the case statements fall through */ 
+	switch (length) {
+	case 3: c += k[2];
+	case 2: b += k[1];
+	case 1: a += k[0];
+		__jhash_final(a, b, c);
+	case 0:     /* case 0: nothing left to add */
+		break;
+	}
 
 	return c;
 }
 
-
 /* A special ultra-optimized versions that knows they are hashing exactly
  * 3, 2 or 1 word(s).
- *
- * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
- *       done at the end is not done here.
  */
-static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
+static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
 {
-	a += JHASH_GOLDEN_RATIO;
-	b += JHASH_GOLDEN_RATIO;
-	c += initval;
+	a += JHASH_GOLDEN_RATIO + initval;
+	b += JHASH_GOLDEN_RATIO + initval;
+	c += JHASH_GOLDEN_RATIO + initval;
 
-	__jhash_mix(a, b, c);
+	__jhash_final(a, b, c);
 
 	return c;
 }
 
-static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
+static inline u32 jhash_2words(u32 a, u32 b, u32 initval)
 {
-	return jhash_3words(a, b, 0, initval);
+	return jhash_3words(0, a, b, initval);
 }
 
-static inline __u32 jhash_1word(__u32 a, __u32 initval)
+static inline u32 jhash_1word(u32 a, u32 initval)
 {
-	return jhash_3words(a, 0, 0, initval);
+	return jhash_3words(0, 0, a, initval);
 }
 
-#endif /* _LINUX_IPSET_JHASH_H */
+#endif /* _LINUX_JHASH_H */

extensions/ipset/ip_set_nethash.c

@@ -11,7 +11,7 @@
 #include <linux/moduleparam.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -44,6 +44,7 @@ nethash_id_cidr(const struct ip_set_nethash *map,
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 	   	if (*elem == *hash_ip)
 			return id;
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -99,17 +100,21 @@ __nethash_add(struct ip_set_nethash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 	
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
 		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *ip;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ipset.8

@@ -602,8 +602,4 @@ Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
 .P
 Sven Wegener wrote the iptreemap type.
 .SH LAST REMARK
-.BR "I stand on the shoulder of giants."
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
+.BR "I stand on the shoulders of giants."

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "2.4.5"
+#define IPSET_VERSION "2.5.0"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;
@@ -629,7 +629,8 @@ void parse_ip(const char *str, ip_set_ip_t * ip)
 				   "host/network `%s' resolves to serveral ip-addresses. "
 				   "Please specify one.", str);
 
-		*ip = ntohl(((struct in_addr *) host->h_addr_list[0])->s_addr);
+		memcpy(&addr, host->h_addr_list[0], sizeof(struct in_addr));
+		*ip = ntohl(addr.s_addr);
 		return;
 	}
 

extensions/libxt_CHAOS.c

@@ -58,7 +58,7 @@ static void chaos_tg_check(unsigned int flags)
 {
 	if (flags == (F_DELUDE | F_TARPIT))
 		/* If flags == 0x03, both were specified, which should not be. */
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 		           "CHAOS: only one of --tarpit or --delude "
 		           "may be specified");
 }
@@ -106,8 +106,7 @@ static struct xtables_target chaos_tg_reg = {
 	.extra_opts    = chaos_tg_opts,
 };
 
-void _init(void);
-void _init(void)
+static __attribute__((constructor)) void chaos_tg_ldr(void)
 {
 	xtables_register_target(&chaos_tg_reg);
 }

extensions/libxt_CHAOS.man

@@ -18,4 +18,4 @@ The randomness factor of not replying vs. replying can be set during load-time
 of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
 See http://jengelh.medozas.de/projects/chaostables/ for more information
-about CHAOS, DELUDE and portscan.
+about CHAOS, DELUDE and lscan.

extensions/libxt_DELUDE.c

@@ -41,8 +41,7 @@ static struct xtables_target delude_tg_reg = {
 	.final_check   = delude_tg_check,
 };
 
-void _init(void);
-void _init(void)
+static __attribute__((constructor)) void delude_tg_ldr(void)
 {
 	xtables_register_target(&delude_tg_reg);
 }

extensions/libxt_DHCPMAC.c

@@ -1,5 +1,5 @@
 /*
- *	"DHCPADDR" target extension for iptables
+ *	"DHCPMAC" target extension for iptables
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	This program is free software; you can redistribute it and/or
@@ -15,19 +15,19 @@
 #include <string.h>
 #include <netinet/ether.h>
 #include <xtables.h>
-#include "xt_DHCPADDR.h"
+#include "xt_DHCPMAC.h"
 #include "mac.c"
 
 enum {
 	F_MAC = 1 << 0,
 };
 
-static const struct option dhcpaddr_tg_opts[] = {
+static const struct option dhcpmac_tg_opts[] = {
 	{.name = "set-mac", .has_arg = true, .val = 'M'},
 	{NULL},
 };
 
-static void dhcpaddr_tg_help(void)
+static void dhcpmac_tg_help(void)
 {
 	printf(
 "DHCPADDDR target options:\n"
@@ -35,17 +35,17 @@ static void dhcpaddr_tg_help(void)
 	);
 }
 
-static int dhcpaddr_tg_parse(int c, char **argv, int invert,
+static int dhcpmac_tg_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_target **target)
 {
-	struct dhcpaddr_info *info = (void *)(*target)->data;
+	struct dhcpmac_info *info = (void *)(*target)->data;
 
 	switch (c) {
 	case 'M':
-		param_act(P_ONLY_ONCE, "DHCPADDR", "--set-mac", *flags & F_MAC);
-		param_act(P_NO_INVERT, "DHCPADDR", "--set-mac", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "DHCPMAC", "--set-mac", *flags & F_MAC);
+		xtables_param_act(XTF_NO_INVERT, "DHCPMAC", "--set-mac", invert);
 		if (!mac_parse(optarg, info->addr, &info->mask))
-			param_act(P_BAD_VALUE, "DHCPADDR", "--set-mac", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "DHCPMAC", "--set-mac", optarg);
 		*flags |= F_MAC;
 		return true;
 	}
@@ -53,26 +53,26 @@ static int dhcpaddr_tg_parse(int c, char **argv, int invert,
 	return false;
 }
 
-static void dhcpaddr_tg_check(unsigned int flags)
+static void dhcpmac_tg_check(unsigned int flags)
 {
 	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM, "DHCPADDR target: "
+		xtables_error(PARAMETER_PROBLEM, "DHCPMAC target: "
 		           "--set-mac parameter required");
 }
 
-static void dhcpaddr_tg_print(const void *ip,
+static void dhcpmac_tg_print(const void *ip,
     const struct xt_entry_target *target, int numeric)
 {
-	const struct dhcpaddr_info *info = (void *)target->data;
+	const struct dhcpmac_info *info = (void *)target->data;
 
-	printf("DHCPADDR %s" DH_MAC_FMT "/%u ",
+	printf("DHCPMAC %s" DH_MAC_FMT "/%u ",
 	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
 }
 
-static void dhcpaddr_tg_save(const void *ip,
+static void dhcpmac_tg_save(const void *ip,
     const struct xt_entry_target *target)
 {
-	const struct dhcpaddr_info *info = (const void *)target->data;
+	const struct dhcpmac_info *info = (const void *)target->data;
 
 	if (info->invert)
 		printf("! ");
@@ -80,22 +80,22 @@ static void dhcpaddr_tg_save(const void *ip,
 	       DH_MAC_HEX(info->addr), info->mask);
 }
 
-static struct xtables_target dhcpaddr_tg_reg = {
+static struct xtables_target dhcpmac_tg_reg = {
 	.version       = XTABLES_VERSION,
-	.name          = "DHCPADDR",
+	.name          = "DHCPMAC",
 	.revision      = 0,
 	.family        = PF_INET,
-	.size          = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.help          = dhcpaddr_tg_help,
-	.parse         = dhcpaddr_tg_parse,
-	.final_check   = dhcpaddr_tg_check,
-	.print         = dhcpaddr_tg_print,
-	.save          = dhcpaddr_tg_save,
-	.extra_opts    = dhcpaddr_tg_opts,
+	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.help          = dhcpmac_tg_help,
+	.parse         = dhcpmac_tg_parse,
+	.final_check   = dhcpmac_tg_check,
+	.print         = dhcpmac_tg_print,
+	.save          = dhcpmac_tg_save,
+	.extra_opts    = dhcpmac_tg_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void dhcpmac_tg_ldr(void)
 {
-	xtables_register_target(&dhcpaddr_tg_reg);
+	xtables_register_target(&dhcpmac_tg_reg);
 }

extensions/libxt_DHCPMAC.man

@@ -1,4 +1,4 @@
-In conjunction with ebtables, DHCPADDR can be used to completely change all MAC
+In conjunction with ebtables, DHCPMAC can be used to completely change all MAC
 addresses from and to a VMware-based virtual machine. This is needed because
 VMware does not allow to set a non-VMware MAC address before an operating
 system is booted (and the MAC be changed with `ip link set eth0 address
@@ -13,11 +13,11 @@ EXAMPLE, replacing all addresses from one of VMware's assigned vendor IDs
 (00:50:56) addresses with something else:
 .PP
 iptables -t mangle -A FORWARD -p udp --dport 67 -m physdev --physdev-in vmnet1
--m dhcpaddr --mac 00:50:56:00:00:00/24 -j DHCPADDR --set-mac
+-m dhcpmac --mac 00:50:56:00:00:00/24 -j DHCPMAC --set-mac
 ab:cd:ef:00:00:00/24
 .PP
 iptables -t mangle -A FORWARD -p udp --dport 68 -m physdev --physdev-out vmnet1
--m dhcpaddr --mac ab:cd:ef:00:00:00/24 -j DHCPADDR --set-mac
+-m dhcpmac --mac ab:cd:ef:00:00:00/24 -j DHCPMAC --set-mac
 00:50:56:00:00:00/24
 .PP
 (This assumes there is a bridge interface that has vmnet1 as a port. You will

extensions/libxt_ECHO.c

@@ -37,7 +37,7 @@ static struct xtables_target echo_tg_reg = {
 	.final_check   = echo_tg_check,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void echo_tg_ldr(void)
 {
 	xtables_register_target(&echo_tg_reg);
 }

extensions/libxt_ECHO.man

@@ -0,0 +1,4 @@
+The \fBECHO\fP target will send back all packets it received. It serves as an
+examples for an Xtables target.
+.PP
+ECHO takes no options.

extensions/libxt_IPMARK.c

@@ -58,44 +58,44 @@ static int ipmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	switch (c) {
 	case '1':
-		param_act(P_ONLY_ONCE, "IPMARK", "addr", *flags & FL_ADDR_USED);
-		param_act(P_NO_INVERT, "IPMARK", "addr", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "addr", *flags & FL_ADDR_USED);
+		xtables_param_act(XTF_NO_INVERT, "IPMARK", "addr", invert);
 		if (strcmp(optarg, "src") == 0)
 			info->selector = XT_IPMARK_SRC;
 		else if (strcmp(optarg, "dst") == 0)
 			info->selector = XT_IPMARK_DST;
 		else
-			exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
+			xtables_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
 		*flags |= FL_ADDR_USED;
 		return true;
-	
+
 	case '2':
-		param_act(P_ONLY_ONCE, "IPMARK", "and-mask", *flags & FL_AND_MASK_USED);
-		param_act(P_NO_INVERT, "IPMARK", "and-mask", invert);
-		if (!strtonum(optarg, NULL, &n, 0, ~0U))
-			param_act(P_BAD_VALUE, "IPMARK", "and-mask", optarg);
+		xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "and-mask", *flags & FL_AND_MASK_USED);
+		xtables_param_act(XTF_NO_INVERT, "IPMARK", "and-mask", invert);
+		if (!xtables_strtoui(optarg, NULL, &n, 0, ~0U))
+			xtables_param_act(XTF_BAD_VALUE, "IPMARK", "and-mask", optarg);
 		info->andmask = n;
 		*flags |= FL_AND_MASK_USED;
 		return true;
 
 	case '3':
-		param_act(P_ONLY_ONCE, "IPMARK", "or-mask", *flags & FL_OR_MASK_USED);
-		param_act(P_NO_INVERT, "IPMARK", "or-mask", invert);
-		if (!strtonum(optarg, NULL, &n, 0, ~0U))
-			param_act(P_BAD_VALUE, "IPMARK", "or-mask", optarg);
+		xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "or-mask", *flags & FL_OR_MASK_USED);
+		xtables_param_act(XTF_NO_INVERT, "IPMARK", "or-mask", invert);
+		if (!xtables_strtoui(optarg, NULL, &n, 0, ~0U))
+			xtables_param_act(XTF_BAD_VALUE, "IPMARK", "or-mask", optarg);
 		info->ormask = n;
 		*flags |= FL_OR_MASK_USED;
 		return true;
 
 	case '4':
-		param_act(P_ONLY_ONCE, "IPMARK", "--shift", *flags & FL_SHIFT);
-		param_act(P_NO_INVERT, "IPMARK", "--shift", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "IPMARK", "--shift", *flags & FL_SHIFT);
+		xtables_param_act(XTF_NO_INVERT, "IPMARK", "--shift", invert);
 		/*
 		 * Anything >31 does not make sense for IPv4, but it still
 		 * does the right thing.
 		 */
-		if (!strtonum(optarg, NULL, &n, 0, 128))
-			param_act(P_BAD_VALUE, "IPMARK", "--shift", optarg);
+		if (!xtables_strtoui(optarg, NULL, &n, 0, 128))
+			xtables_param_act(XTF_BAD_VALUE, "IPMARK", "--shift", optarg);
 		info->shift = n;
 		return true;
 	}
@@ -106,7 +106,7 @@ static int ipmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 static void ipmark_tg_check(unsigned int flags)
 {
 	if (!(flags & FL_ADDR_USED))
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 		           "IPMARK target: Parameter --addr is required");
 }
 
@@ -175,7 +175,7 @@ static struct xtables_target ipmark_tg6_reg = {
 	.extra_opts    = ipmark_tg_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void ipmark_tg_ldr(void)
 {
 	xtables_register_target(&ipmark_tg4_reg);
 	xtables_register_target(&ipmark_tg6_reg);

extensions/libxt_LOGMARK.c

@@ -51,23 +51,23 @@ logmark_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	switch (c) {
 	case 'l': /* --log-level */
-		param_act(P_ONLY_ONCE, "LOGMARK", "--log-level", *flags & F_LEVEL);
-		param_act(P_NO_INVERT, "LOGMARK", "--log-level", invert);
-		if (!strtonum(optarg, NULL, &x, 0, 8))
-			param_act(P_BAD_VALUE, "LOGMARK", "--log-level", optarg);
+		xtables_param_act(XTF_ONLY_ONCE, "LOGMARK", "--log-level", *flags & F_LEVEL);
+		xtables_param_act(XTF_NO_INVERT, "LOGMARK", "--log-level", invert);
+		if (!xtables_strtoui(optarg, NULL, &x, 0, 8))
+			xtables_param_act(XTF_BAD_VALUE, "LOGMARK", "--log-level", optarg);
 		info->level = x;
 		*flags |= F_LEVEL;
 		return true;
 
 	case 'p': /* --log-prefix */
-		param_act(P_ONLY_ONCE, "LOGMARK", "--log-prefix", *flags & F_PREFIX);
-		param_act(P_NO_INVERT, "LOGMARK", "--log-prefix", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "LOGMARK", "--log-prefix", *flags & F_PREFIX);
+		xtables_param_act(XTF_NO_INVERT, "LOGMARK", "--log-prefix", invert);
 		if (strlen(optarg) > sizeof(info->prefix))
-			exit_error(PARAMETER_PROBLEM, "LOGMARK: Maximum "
+			xtables_error(PARAMETER_PROBLEM, "LOGMARK: Maximum "
 			           "prefix length is %zu",
 			           sizeof(info->prefix));
 		if (strchr(optarg, '\n'))
-			exit_error(PARAMETER_PROBLEM, "LOGMARK: Newlines not "
+			xtables_error(PARAMETER_PROBLEM, "LOGMARK: Newlines not "
 			           "allowed in log prefix");
 		strncpy(info->prefix, optarg, sizeof(info->prefix));
 		*flags |= F_PREFIX;
@@ -111,8 +111,7 @@ static struct xtables_target logmark_tg_reg = {
 	.extra_opts    = logmark_tg_opts,
 };
 
-void _init(void);
-void _init(void)
+static __attribute__((constructor)) void logmark_tg_ldr(void)
 {
 	xtables_register_target(&logmark_tg_reg);
 }

extensions/libxt_STEAL.c

@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <xtables.h>
+
+static void steal_tg_help(void)
+{
+	printf("STEAL takes no options\n\n");
+}
+
+static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+                          const void *entry, struct xt_entry_target **target)
+{
+	return 0;
+}
+
+static void steal_tg_check(unsigned int flags)
+{
+}
+
+static struct xtables_target steal_tg_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "STEAL",
+	.family        = AF_INET,
+	.size          = XT_ALIGN(0),
+	.userspacesize = XT_ALIGN(0),
+	.help          = steal_tg_help,
+	.parse         = steal_tg_parse,
+	.final_check   = steal_tg_check,
+};
+
+static void _init(void)
+{
+	xtables_register_target(&steal_tg_reg);
+}

extensions/libxt_STEAL.man

@@ -0,0 +1,2 @@
+Like the DROP target, but does not throw an error like DROP when used in the
+\fBOUTPUT\fP chain.

extensions/libxt_SYSRQ.c

@@ -43,7 +43,7 @@ static struct xtables_target sysrq_tg6_reg = {
 	.final_check   = sysrq_tg_check,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void sysrq_tg_ldr(void)
 {
 	xtables_register_target(&sysrq_tg4_reg);
 	xtables_register_target(&sysrq_tg6_reg);

extensions/libxt_SYSRQ.man

@@ -1,17 +1,19 @@
 The SYSRQ target allows to remotely trigger sysrq on the local machine over the
 network. This can be useful when vital parts of the machine hang, for example
 an oops in a filesystem causing locks to be not released and processes to get
-stuck as a result -- if still possible, use /proc/sysrq-trigger. Even when
+stuck as a result - if still possible, use /proc/sysrq-trigger. Even when
 processes are stuck, interrupts are likely to be still processed, and as such,
 sysrq can be triggered through incoming network packets.
 .PP
-This xt_SYSRQ implementation does not use any encryption, so you should change
-the SYSRQ password after use unless you have made sure it was transmitted
-securely and no one sniffed the network, e.g. by use of an IPsec tunnel whose
-endpoint is at the machine where you want to trigger the sysrq. Also, you
-should limit as to who can issue commands using \fB-s\fP and/or \fB-m mac\fP,
-and also that the destination is correct using \fB-d\fP (to protect against
-potential broadcast packets), noting that it is still short of MAC/IP spoofing:
+The xt_SYSRQ implementation uses a salted hash and a sequence number to prevent
+network sniffers from either guessing the password or replaying earlier
+requests. The initial sequence number comes from the time of day so you will
+have a small window of vulnerability should time go backwards at a reboot.
+However, the file /sys/module/xt_SYSREQ/seqno can be used to both query and
+update the current sequence number. Also, you should limit as to who can issue
+commands using \fB-s\fP and/or \fB-m mac\fP, and also that the destination is
+correct using \fB-d\fP (to protect against potential broadcast packets), noting
+that it is still short of MAC/IP spoofing:
 .IP
 -A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
 -p udp --dport 9 -j SYSRQ
@@ -20,28 +22,59 @@ potential broadcast packets), noting that it is still short of MAC/IP spoofing:
 ipsec --proto esp --tunnel-src 10.10.25.1 --tunnel-dst 10.10.25.7
 -p udp --dport 9 -j SYSRQ
 .PP
+You should also limit the rate at which connections can be received to limit
+the CPU time taken by illegal requests, for example:
+.IP
+-A INPUT 0s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
+-p udp --dport 9 -m limit --limit 5/minute -j SYSRQ
+.PP
 This extension does not take any options. The \fB-p udp\fP options are
 required.
 .PP
 The SYSRQ password can be changed through
-/sys/module/xt_SYSRQ/parameters/password; note you need to use `echo -n` to
-not add a newline to the password, i.e.
+/sys/module/xt_SYSRQ/parameters/password, for example:
 .IP
-echo -n "password" >/sys/.../password
+echo -n "password" >/sys/module/xt_SYSRQ/parameters/password
 .PP
 Alternatively, the password may be specified at modprobe time, but this is
 insecure as people can possible see it through ps(1). You can use an option
-line in /etc/modprobe.d/sysrq if it is properly guarded, that is, only readable
-by root.
+line in e.g. /etc/modprobe.d/xt_sysrq if it is properly guarded, that is, only
+readable by root.
 .IP
 options xt_SYSRQ password=cookies
 .PP
-To trigger SYSRQ from a remote host, just use netcat or socat, specifying the
-action (only one) as first character, followed by the password:
+The hash algorithm can also be specified as a module option, for example, to
+use SHA-256 instead of the default SHA-1:
 .IP
-echo -n "scookies" | socat stdin udp-sendto:10.10.25.7:9
-.IP
-echo -n "scookies" | netcat -u 10.10.25.7 9
+options xt_SYSRQ hash=sha256
 .PP
-See the Linux docs for possible sysrq keys. Important ones are:
-re(b)oot, power(o)ff, (s)ync filesystems, (u)mount and remount readonly.
+The xt_SYSRQ module is normally silent unless a successful request is received,
+but the \fIdebug\fP module parameter can be used to find exactly why a
+seemingly correct request is not being processed.
+.PP
+To trigger SYSRQ from a remote host, just use netcat or socat:
+.PP
+.nf
+sysrq_key="s"  # the SysRq key(s)
+password="password"
+seqno="$(date +%s)"
+salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
+    openssl enc -base64)"
+req="$sysrq_key,$seqno,$salt"
+req="$req,$(echo -n "$req,$password" | sha1sum | cut -c1-40)"
+
+echo "$req" | socat stdin udp-sendto:10.10.25.7:9
+# or
+echo "$req" | netcat -uw1 10.10.25.7 9
+.fi
+.PP
+See the Linux docs for possible sysrq keys. Important ones are: re(b)oot,
+power(o)ff, (s)ync filesystems, (u)mount and remount readonly.  More than one
+sysrq key can be used at once, but bear in mind that, for example, a sync may
+not complete before a subsequent reboot or poweroff.
+.PP
+The hashing scheme should be enough to prevent mis-use of SYSRQ in many
+environments, but it is not perfect: take reasonable precautions to
+protect your machines.  Most importantly ensure that each machine has a
+different password; there is scant protection for a SYSRQ packet being
+applied to a machine that happens to have the same password.

extensions/libxt_TARPIT.c

@@ -32,7 +32,7 @@ static struct xtables_target tarpit_tg_reg = {
 	.final_check   = tarpit_tg_check,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void tarpit_tg_ldr(void)
 {
 	xtables_register_target(&tarpit_tg_reg);
 }

extensions/libxt_TEE.c

@@ -1,7 +1,7 @@
 /*
  *	"TEE" target extension for iptables
  *	Copyright © Sebastian Claßen <sebastian.classen [at] freenet.ag>, 2007
- *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
+ *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -50,16 +50,37 @@ static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 	switch (c) {
 	case 'g':
 		if (*flags & FLAG_GATEWAY)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 			           "Cannot specify --gw more than once");
 
-		if (check_inverse(optarg, &invert, NULL, 0))
-			exit_error(PARAMETER_PROBLEM,
-			           "Unexpected \"!\" after --gateway");
-
-		ia = numeric_to_ipaddr(optarg);
+		ia = xtables_numeric_to_ipaddr(optarg);
 		if (ia == NULL)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
+			           "Invalid IP address %s", optarg);
+
+		memcpy(&info->gw, ia, sizeof(*ia));
+		*flags |= FLAG_GATEWAY;
+		return true;
+	}
+
+	return false;
+}
+
+static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_target **target)
+{
+	struct xt_tee_tginfo *info = (void *)(*target)->data;
+	const struct in6_addr *ia;
+
+	switch (c) {
+	case 'g':
+		if (*flags & FLAG_GATEWAY)
+			xtables_error(PARAMETER_PROBLEM,
+			           "Cannot specify --gw more than once");
+
+		ia = xtables_numeric_to_ip6addr(optarg);
+		if (ia == NULL)
+			xtables_error(PARAMETER_PROBLEM,
 			           "Invalid IP address %s", optarg);
 
 		memcpy(&info->gw, ia, sizeof(*ia));
@@ -73,7 +94,7 @@ static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 static void tee_tg_check(unsigned int flags)
 {
 	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM, "TEE target: "
+		xtables_error(PARAMETER_PROBLEM, "TEE target: "
 		           "--gateway parameter required");
 }
 
@@ -83,21 +104,41 @@ static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
 	const struct xt_tee_tginfo *info = (const void *)target->data;
 
 	if (numeric)
-		printf("TEE gw:%s ", ipaddr_to_anyname(&info->gw.in));
+		printf("TEE gw:%s ", xtables_ipaddr_to_numeric(&info->gw.in));
 	else
-		printf("TEE gw:%s ", ipaddr_to_numeric(&info->gw.in));
+		printf("TEE gw:%s ", xtables_ipaddr_to_anyname(&info->gw.in));
+}
+
+static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
+                          int numeric)
+{
+	const struct xt_tee_tginfo *info = (const void *)target->data;
+
+	if (numeric)
+		printf("TEE gw:%s ", xtables_ip6addr_to_numeric(&info->gw.in6));
+	else
+		printf("TEE gw:%s ", xtables_ip6addr_to_anyname(&info->gw.in6));
 }
 
 static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
 {
 	const struct xt_tee_tginfo *info = (const void *)target->data;
 
-	printf("--gateway %s ", ipaddr_to_numeric(&info->gw.in));
+	printf("--gateway %s ", xtables_ipaddr_to_numeric(&info->gw.in));
+}
+
+static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_tee_tginfo *info = (const void *)target->data;
+
+	printf("--gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
 }
 
 static struct xtables_target tee_tg_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
+	.revision      = 0,
+	.family        = PF_INET,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,
@@ -108,7 +149,23 @@ static struct xtables_target tee_tg_reg = {
 	.extra_opts    = tee_tg_opts,
 };
 
-static void _init(void)
+static struct xtables_target tee_tg6_reg = {
+	.name          = "TEE",
+	.version       = XTABLES_VERSION,
+	.revision      = 0,
+	.family        = PF_INET6,
+	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+	.help          = tee_tg_help,
+	.parse         = tee_tg6_parse,
+	.final_check   = tee_tg_check,
+	.print         = tee_tg6_print,
+	.save          = tee_tg6_save,
+	.extra_opts    = tee_tg_opts,
+};
+
+static __attribute__((constructor)) void tee_tg_ldr(void)
 {
 	xtables_register_target(&tee_tg_reg);
+	xtables_register_target(&tee_tg6_reg);
 }

extensions/libxt_TEE.man

@@ -0,0 +1,8 @@
+The \fBTEE\fP target will clone a packet and redirect this clone to another
+machine on the \fBlocal\fP network segment. In other words, the nexthop
+must be the target, or you will have to configure the nexthop to forward it
+further if so desired.
+.TP
+\fB--gw\fP \fIipaddr\fP
+Send the cloned packet to the host reachable at the given IP address.
+Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.

extensions/libxt_condition.c

@@ -37,13 +37,13 @@ static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	if (c == 'X') {
 		if (*flags)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				   "Can't specify multiple conditions");
 
 		if (strlen(optarg) < sizeof(info->name))
 			strcpy(info->name, optarg);
 		else
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				   "File name too long");
 
 		info->invert = invert;
@@ -57,7 +57,7 @@ static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
 static void condition_check(unsigned int flags)
 {
 	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			   "Condition match: must specify --condition");
 }
 
@@ -92,7 +92,7 @@ static struct xtables_match condition_mt_reg = {
 	.extra_opts 	= condition_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void condition_mt_ldr(void)
 {
 	xtables_register_match(&condition_mt_reg);
 }

extensions/libxt_dhcpaddr.man

@@ -1,4 +0,0 @@
-.TP
-\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
-Matches the DHCP Client Host address in a DHCP message. \fImask\fP specifies
-the prefix length of the initial portion to match.

extensions/libxt_dhcpmac.c

@@ -1,5 +1,5 @@
 /*
- *	"dhcpaddr" match extension for iptables
+ *	"dhcpmac" match extension for iptables
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	This program is free software; you can redistribute it and/or
@@ -14,37 +14,37 @@
 #include <netdb.h>
 #include <net/ethernet.h>
 #include <xtables.h>
-#include "xt_DHCPADDR.h"
+#include "xt_DHCPMAC.h"
 #include "mac.c"
 
 enum {
 	F_MAC = 1 << 0,
 };
 
-static const struct option dhcpaddr_mt_opts[] = {
+static const struct option dhcpmac_mt_opts[] = {
 	{.name = "mac", .has_arg = true, .val = 'M'},
 	{NULL},
 };
 
-static void dhcpaddr_mt_help(void)
+static void dhcpmac_mt_help(void)
 {
 	printf(
-"dhcpaddr match options:\n"
+"dhcpmac match options:\n"
 "[!] --mac lladdr[/mask]    Match on MAC address in DHCP Client Host field\n"
 	);
 }
 
-static int dhcpaddr_mt_parse(int c, char **argv, int invert,
+static int dhcpmac_mt_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_match **match)
 {
-	struct dhcpaddr_info *info = (void *)(*match)->data;
+	struct dhcpmac_info *info = (void *)(*match)->data;
 
 	switch (c) {
 	case 'M':
-		param_act(P_ONLY_ONCE, "dhcpaddr", "--mac", *flags & F_MAC);
-		param_act(P_NO_INVERT, "dhcpaddr", "--mac", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "dhcpmac", "--mac", *flags & F_MAC);
+		xtables_param_act(XTF_NO_INVERT, "dhcpmac", "--mac", invert);
 		if (!mac_parse(optarg, info->addr, &info->mask))
-			param_act(P_BAD_VALUE, "dhcpaddr", "--mac", optarg);
+			xtables_param_act(XTF_BAD_VALUE, "dhcpmac", "--mac", optarg);
 		if (invert)
 			info->invert = true;
 		*flags |= F_MAC;
@@ -54,26 +54,26 @@ static int dhcpaddr_mt_parse(int c, char **argv, int invert,
 	return false;
 }
 
-static void dhcpaddr_mt_check(unsigned int flags)
+static void dhcpmac_mt_check(unsigned int flags)
 {
 	if (flags == 0)
-		exit_error(PARAMETER_PROBLEM, "dhcpaddr match: "
+		xtables_error(PARAMETER_PROBLEM, "dhcpmac match: "
 		           "--mac parameter required");
 }
 
-static void dhcpaddr_mt_print(const void *ip,
+static void dhcpmac_mt_print(const void *ip,
     const struct xt_entry_match *match, int numeric)
 {
-	const struct dhcpaddr_info *info = (void *)match->data;
+	const struct dhcpmac_info *info = (void *)match->data;
 
-	printf("dhcpaddr %s" DH_MAC_FMT "/%u ",
+	printf("dhcpmac %s" DH_MAC_FMT "/%u ",
 	       info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask);
 }
 
-static void dhcpaddr_mt_save(const void *ip,
+static void dhcpmac_mt_save(const void *ip,
     const struct xt_entry_match *match)
 {
-	const struct dhcpaddr_info *info = (void *)match->data;
+	const struct dhcpmac_info *info = (void *)match->data;
 
 	if (info->invert)
 		printf("! ");
@@ -81,22 +81,22 @@ static void dhcpaddr_mt_save(const void *ip,
 	       DH_MAC_HEX(info->addr), info->mask);
 }
 
-static struct xtables_match dhcpaddr_mt_reg = {
+static struct xtables_match dhcpmac_mt_reg = {
 	.version       = XTABLES_VERSION,
-	.name          = "dhcpaddr",
+	.name          = "dhcpmac",
 	.revision      = 0,
 	.family        = PF_INET,
-	.size          = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
-	.help          = dhcpaddr_mt_help,
-	.parse         = dhcpaddr_mt_parse,
-	.final_check   = dhcpaddr_mt_check,
-	.print         = dhcpaddr_mt_print,
-	.save          = dhcpaddr_mt_save,
-	.extra_opts    = dhcpaddr_mt_opts,
+	.size          = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct dhcpmac_info)),
+	.help          = dhcpmac_mt_help,
+	.parse         = dhcpmac_mt_parse,
+	.final_check   = dhcpmac_mt_check,
+	.print         = dhcpmac_mt_print,
+	.save          = dhcpmac_mt_save,
+	.extra_opts    = dhcpmac_mt_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void dhcpmac_mt_ldr(void)
 {
-	xtables_register_match(&dhcpaddr_mt_reg);
+	xtables_register_match(&dhcpmac_mt_reg);
 }

extensions/libxt_dhcpmac.man

@@ -0,0 +1,4 @@
+.TP
+\fB--mac\fP \fIaa:bb:cc:dd:ee:ff\fP[\fB/\fP\fImask\fP]
+Matches the DHCP "Client Host" address (a MAC address) in a DHCP message.
+\fImask\fP specifies the prefix length of the initial portion to match.

extensions/libxt_fuzzy.c

@@ -9,6 +9,7 @@
  */
 #include <getopt.h>
 #include <netdb.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -54,22 +55,22 @@ static int fuzzy_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 	switch (c) {
 	case '1':
 		if (invert)
-			exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
+			xtables_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
 		if (*flags & IPT_FUZZY_OPT_MINIMUM)
-			exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
-		if (string_to_number(optarg,1,FUZZY_MAX_RATE,&num) == -1 || num < 1)
-			exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
+			xtables_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
+		if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) == -1 || num < 1)
+			xtables_error(PARAMETER_PROBLEM,"BAD --lower-limit");
 		info->minimum_rate = num;
 		*flags |= IPT_FUZZY_OPT_MINIMUM;
 		return true;
 
 	case '2':
 		if (invert)
-			exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
+			xtables_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
 		if (*flags & IPT_FUZZY_OPT_MAXIMUM)
-			exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
-		if (string_to_number(optarg,1,FUZZY_MAX_RATE,&num) == -1 || num < 1)
-			exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
+			xtables_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
+		if (!xtables_strtoui(optarg, NULL, &num, 1, FUZZY_MAX_RATE) == -1 || num < 1)
+			xtables_error(PARAMETER_PROBLEM,"BAD --upper-limit");
 		info->maximum_rate = num;
 		*flags |= IPT_FUZZY_OPT_MAXIMUM;
 		return true;
@@ -102,7 +103,7 @@ static struct xtables_match fuzzy_mt_reg = {
 	.name          = "fuzzy",
 	.version       = XTABLES_VERSION,
 	.size          = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_fuzzy_mtinfo)),
+	.userspacesize = offsetof(struct xt_fuzzy_mtinfo, packets_total),
 	.help          = fuzzy_mt_help,
 	.init          = fuzzy_mt_init,
 	.parse         = fuzzy_mt_parse,
@@ -112,7 +113,7 @@ static struct xtables_match fuzzy_mt_reg = {
 	.extra_opts    = fuzzy_mt_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void fuzzy_mt_ldr(void)
 {
 	xtables_register_match(&fuzzy_mt_reg);
 }

extensions/libxt_geoip.c

@@ -64,16 +64,16 @@ static struct geoip_subnet *geoip_get_subnets(const char *code, uint32_t *count)
 
 	if ((fd = open(buf, O_RDONLY)) < 0) {
 		fprintf(stderr, "Could not open %s: %s\n", buf, strerror(errno));
-		exit_error(OTHER_PROBLEM, "Could not read geoip database");
+		xtables_error(OTHER_PROBLEM, "Could not read geoip database");
 	}
 
 	fstat(fd, &sb);
 	if (sb.st_size % sizeof(struct geoip_subnet) != 0)
-		exit_error(OTHER_PROBLEM, "Database file %s seems to be "
+		xtables_error(OTHER_PROBLEM, "Database file %s seems to be "
 		           "corrupted", buf);
 	subnets = malloc(sb.st_size);
 	if (subnets == NULL)
-		exit_error(OTHER_PROBLEM, "geoip: insufficient memory");
+		xtables_error(OTHER_PROBLEM, "geoip: insufficient memory");
 	read(fd, subnets, sb.st_size);
 	close(fd);
 	*count = sb.st_size / sizeof(struct geoip_subnet);
@@ -103,7 +103,7 @@ check_geoip_cc(char *cc, u_int16_t cc_used[], u_int8_t count)
 
 	if (strlen(cc) != 2) /* Country must be 2 chars long according
 													 to the ISO3166 standard */
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"geoip: invalid country code '%s'", cc);
 
 	// Verification will fail if chars aren't uppercased.
@@ -112,7 +112,7 @@ check_geoip_cc(char *cc, u_int16_t cc_used[], u_int8_t count)
 		if (isalnum(cc[i]) != 0)
 			cc[i] = toupper(cc[i]);
 		else
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"geoip:  invalid country code '%s'", cc);
 
 	/* Convert chars into a single 16 bit integer.
@@ -140,7 +140,7 @@ static unsigned int parse_geoip_cc(const char *ccstr, uint16_t *cc,
 
 	buffer = strdup(ccstr);
 	if (!buffer)
-		exit_error(OTHER_PROBLEM,
+		xtables_error(OTHER_PROBLEM,
 			"geoip: insufficient memory available");
 
 	for (cp = buffer, i = 0; cp && i < XT_GEOIP_MAX; cp = next, i++)
@@ -150,19 +150,19 @@ static unsigned int parse_geoip_cc(const char *ccstr, uint16_t *cc,
 
 		if ((cctmp = check_geoip_cc(cp, cc, count)) != 0) {
 			if ((mem[count++].user = (unsigned long)geoip_load_cc(cp, cctmp)) == 0)
-				exit_error(OTHER_PROBLEM,
+				xtables_error(OTHER_PROBLEM,
 					"geoip: insufficient memory available");
 			cc[count-1] = cctmp;
 		}
 	}
 
 	if (cp)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"geoip: too many countries specified");
 	free(buffer);
 
 	if (count == 0)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"geoip: don't know what happened");
 
 	return count;
@@ -176,7 +176,7 @@ static int geoip_parse(int c, char **argv, int invert, unsigned int *flags,
 	switch (c) {
 	case '1':
 		if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST))
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"geoip: Only exactly one of --source-country "
 				"or --destination-country must be specified!");
 
@@ -190,7 +190,7 @@ static int geoip_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	case '2':
 		if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST))
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"geoip: Only exactly one of --source-country "
 				"or --destination-country must be specified!");
 
@@ -210,7 +210,7 @@ static void
 geoip_final_check(unsigned int flags)
 {
 	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"geoip: missing arguments");
 }
 
@@ -263,7 +263,7 @@ static struct xtables_match geoip_match = {
 	 .name          = "geoip",
 	 .version       = XTABLES_VERSION,
 	 .size          = XT_ALIGN(sizeof(struct xt_geoip_match_info)),
-	 .userspacesize = XT_ALIGN(offsetof(struct xt_geoip_match_info, mem)),
+	 .userspacesize = offsetof(struct xt_geoip_match_info, mem),
 	 .help          = geoip_help,
 	 .parse	        = geoip_parse,
 	 .final_check   = geoip_final_check,
@@ -272,7 +272,7 @@ static struct xtables_match geoip_match = {
 	 .extra_opts    = geoip_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void geoip_mt_ldr(void)
 {
 	xtables_register_match(&geoip_match);
 }

extensions/libxt_ipp2p.c

@@ -22,7 +22,7 @@
 static void ipp2p_mt_help(void)
 {
 	printf(
-	"IPP2P v%s options:\n"
+	"ipp2p v%s match options:\n"
 	"  --edk    [tcp,udp]  All known eDonkey/eMule/Overnet packets\n"
 	"  --dc     [tcp]      All known Direct Connect packets\n"
 	"  --kazaa  [tcp,udp]  All known KaZaA packets\n"
@@ -32,19 +32,10 @@ static void ipp2p_mt_help(void)
 	"  --winmx  [tcp]      All known WinMX\n"
 	"  --soul   [tcp]      All known SoulSeek\n"
 	"  --ares   [tcp]      All known Ares\n\n"
-	"EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n"
+	"EXPERIMENTAL protocols:\n"
 	"  --mute   [tcp]      All known Mute packets\n"
 	"  --waste  [tcp]      All known Waste packets\n"
 	"  --xdcc   [tcp]      All known XDCC packets (only xdcc login)\n\n"
-	"DEBUG SUPPPORT, use only if you know why\n"
-	"  --debug             Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
-	"\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
-	"You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
-	"\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
-	"\nExamples:\n"
-	" iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
-	" iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
-	" iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
 	, IPP2P_VERSION);
 }
 
@@ -72,109 +63,109 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	switch (c) {
 	case '2':		/*cmd: edk*/
-		param_act(P_ONLY_ONCE, "--edk", *flags & IPP2P_EDK);
-		param_act(P_NO_INVERT, "--edk", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--edk", *flags & IPP2P_EDK);
+		xtables_param_act(XTF_NO_INVERT, "--edk", invert);
 		if (*flags & IPP2P_DATA_EDK)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"ipp2p: use `--edk' OR `--edk-data' but not both of them!");
 		*flags    |= IPP2P_EDK;
 		info->cmd |= IPP2P_EDK;
 		break;
 
 	case '7':		/*cmd: dc*/
-		param_act(P_ONLY_ONCE, "--dc", *flags & IPP2P_DC);
-		param_act(P_NO_INVERT, "--dc", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--dc", *flags & IPP2P_DC);
+		xtables_param_act(XTF_NO_INVERT, "--dc", invert);
 		if (*flags & IPP2P_DATA_DC)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"ipp2p: use `--dc' OR `--dc-data' but not both of them!");
 		*flags    |= IPP2P_DC;
 		info->cmd |= IPP2P_DC;
 		break;
 
 	case '9':		/*cmd: gnu*/
-		param_act(P_ONLY_ONCE, "--gnu", *flags & IPP2P_GNU);
-		param_act(P_NO_INVERT, "--gnu", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--gnu", *flags & IPP2P_GNU);
+		xtables_param_act(XTF_NO_INVERT, "--gnu", invert);
 		if (*flags & IPP2P_DATA_GNU)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"ipp2p: use `--gnu' OR `--gnu-data' but not both of them!");
 		*flags    |= IPP2P_GNU;
 		info->cmd |= IPP2P_GNU;
 		break;
 
 	case 'a':		/*cmd: kazaa*/
-		param_act(P_ONLY_ONCE, "--kazaa", *flags & IPP2P_KAZAA);
-		param_act(P_NO_INVERT, "--kazaa", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--kazaa", *flags & IPP2P_KAZAA);
+		xtables_param_act(XTF_NO_INVERT, "--kazaa", invert);
 		if (*flags & IPP2P_DATA_KAZAA)
-			exit_error(PARAMETER_PROBLEM,
+			xtables_error(PARAMETER_PROBLEM,
 				"ipp2p: use `--kazaa' OR `--kazaa-data' but not both of them!");
 		*flags    |= IPP2P_KAZAA;
 		info->cmd |= IPP2P_KAZAA;
 		break;
 
 	case 'b':		/*cmd: bit*/
-		param_act(P_ONLY_ONCE, "--kazaa", *flags & IPP2P_BIT);
-		param_act(P_NO_INVERT, "--kazaa", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--kazaa", *flags & IPP2P_BIT);
+		xtables_param_act(XTF_NO_INVERT, "--kazaa", invert);
 		*flags    |= IPP2P_BIT;
 		info->cmd |= IPP2P_BIT;
 		break;
 
 	case 'c':		/*cmd: apple*/
-		param_act(P_ONLY_ONCE, "--apple", *flags & IPP2P_APPLE);
-		param_act(P_NO_INVERT, "--apple", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--apple", *flags & IPP2P_APPLE);
+		xtables_param_act(XTF_NO_INVERT, "--apple", invert);
 		*flags    |= IPP2P_APPLE;
 		info->cmd |= IPP2P_APPLE;
 		break;
 
 	case 'd':		/*cmd: soul*/
-		param_act(P_ONLY_ONCE, "--soul", *flags & IPP2P_SOUL);
-		param_act(P_NO_INVERT, "--soul", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--soul", *flags & IPP2P_SOUL);
+		xtables_param_act(XTF_NO_INVERT, "--soul", invert);
 		*flags    |= IPP2P_SOUL;
 		info->cmd |= IPP2P_SOUL;
 		break;
 
 	case 'e':		/*cmd: winmx*/
-		param_act(P_ONLY_ONCE, "--winmx", *flags & IPP2P_WINMX);
-		param_act(P_NO_INVERT, "--winmx", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--winmx", *flags & IPP2P_WINMX);
+		xtables_param_act(XTF_NO_INVERT, "--winmx", invert);
 		*flags    |= IPP2P_WINMX;
 		info->cmd |= IPP2P_WINMX;
 		break;
 
 	case 'f':		/*cmd: ares*/
-		param_act(P_ONLY_ONCE, "--ares", *flags & IPP2P_ARES);
-		param_act(P_NO_INVERT, "--ares", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--ares", *flags & IPP2P_ARES);
+		xtables_param_act(XTF_NO_INVERT, "--ares", invert);
 		*flags    |= IPP2P_ARES;
 		info->cmd |= IPP2P_ARES;
 		break;
 
 	case 'g':		/*cmd: mute*/
-		param_act(P_ONLY_ONCE, "--mute", *flags & IPP2P_MUTE);
-		param_act(P_NO_INVERT, "--mute", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--mute", *flags & IPP2P_MUTE);
+		xtables_param_act(XTF_NO_INVERT, "--mute", invert);
 		*flags    |= IPP2P_MUTE;
 		info->cmd |= IPP2P_MUTE;
 		break;
 
 	case 'h':		/*cmd: waste*/
-		param_act(P_ONLY_ONCE, "--waste", *flags & IPP2P_WASTE);
-		param_act(P_NO_INVERT, "--waste", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--waste", *flags & IPP2P_WASTE);
+		xtables_param_act(XTF_NO_INVERT, "--waste", invert);
 		*flags    |= IPP2P_WASTE;
 		info->cmd |= IPP2P_WASTE;
 		break;
 
 	case 'i':		/*cmd: xdcc*/
-		param_act(P_ONLY_ONCE, "--xdcc", *flags & IPP2P_XDCC);
-		param_act(P_NO_INVERT, "--xdcc", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--xdcc", *flags & IPP2P_XDCC);
+		xtables_param_act(XTF_NO_INVERT, "--xdcc", invert);
 		*flags    |= IPP2P_XDCC;
 		info->cmd |= IPP2P_XDCC;
 		break;
 
 	case 'j':		/*cmd: debug*/
-		param_act(P_ONLY_ONCE, "--debug", info->debug);
-		param_act(P_NO_INVERT, "--debug", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "--debug", info->debug);
+		xtables_param_act(XTF_NO_INVERT, "--debug", invert);
 		info->debug = 1;
 		break;
 
 	default:
-//		exit_error(PARAMETER_PROBLEM,
+//		xtables_error(PARAMETER_PROBLEM,
 //		"\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
 		return 0;
 	}
@@ -184,7 +175,7 @@ static int ipp2p_mt_parse(int c, char **argv, int invert, unsigned int *flags,
 static void ipp2p_mt_check(unsigned int flags)
 {
 	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
+		xtables_error(PARAMETER_PROBLEM,
 			"\nipp2p-parameter problem: for ipp2p usage type: iptables -m ipp2p --help\n");
 }
 
@@ -242,7 +233,7 @@ static struct xtables_match ipp2p_mt_reg = {
 	.extra_opts    = ipp2p_mt_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void ipp2p_mt_ldr(void)
 {
 	xtables_register_match(&ipp2p_mt_reg);
 }

extensions/libxt_ipp2p.man

@@ -1,12 +1,12 @@
 This module matches certain packets in P2P flows. It is not
 designed to match all packets belonging to a P2P connection - 
-use IPP2P together with CONNMARK for this purpose. Also visit
-http://www.ipp2p.org for detailed information.
-
+use IPP2P together with CONNMARK for this purpose.
+.PP
 Use it together with -p tcp or -p udp to search these protocols
 only or without -p switch to search packets of both protocols.
-
-IPP2P provides the following options:
+.PP
+IPP2P provides the following options, of which one or more may be specified
+on the command line:
 .TP
 .B "--edk "
 Matches as many eDonkey/eMule packets as possible.
@@ -38,3 +38,11 @@ Matches Ares and AresLite packets. Use together with -j DROP only.
 .B "--debug "
 Prints some information about each hit into kernel logfile. May 
 produce huge logfiles so beware!
+.PP
+Note that ipp2p may not (and often, does not) identify all packets that are
+exchanged as a result of running filesharing programs.
+.PP
+There is more information on http://ipp2p.org/ , but it has not been updated
+since September 2006, and the syntax there is different from the ipp2p.c
+provided in Xtables-addons; most importantly, the --ipp2p flag was removed due
+to its ambiguity to match "all known" protocols.

extensions/libxt_ipv4options.c

@@ -0,0 +1,177 @@
+/*
+ *	"ipv4options" match extension for iptables
+ *	Coprygith © Jan Engelhardt, 2009
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include "xt_ipv4options.h"
+
+/*
+ * Overview from http://www.networksorcery.com/enp/protocol/ip.htm
+ * Not providing strings for options that seem to be most distant in the past.
+ */
+static const char *const v4opt_names[32] = {
+	[ 1] = "nop",
+	[ 2] = "security",     /* RFC 1108 */
+	[ 3] = "lsrr",         /* RFC 791 */
+	[ 4] = "timestamp",    /* RFC 781, 791 */
+	[ 7] = "record-route", /* RFC 791 */
+	[ 9] = "ssrr",         /* RFC 791 */
+	[11] = "mtu-probe",    /* RFC 1063 */
+	[12] = "mtu-reply",    /* RFC 1063 */
+	[18] = "traceroute",   /* RFC 1393 */
+	[20] = "router-alert", /* RFC 2113 */
+};
+
+static void ipv4options_mt_help(void)
+{
+	printf(
+"ipv4options match options:\n"
+"--flags [!]symbol[,...]    Match presence/absence (!) of option\n"
+"                           (either by name or number)\n"
+"--any                      Interpret --flags as OR-combined\n\n");
+}
+
+static const struct option ipv4options_mt_opts[] = {
+	{.name = "flags", .has_arg = true,  .val = 'f'},
+	{.name = "any",   .has_arg = false, .val = 'a'},
+	{NULL},
+};
+
+static void ipv4options_parse_flagspec(struct xt_ipv4options_mtinfo1 *info,
+    char *arg)
+{
+	unsigned int i, opt;
+	bool inv;
+	char *p;
+
+	while (true) {
+		p = strchr(arg, ',');
+		if (p != NULL)
+			*p = '\0';
+
+		inv = false;
+		opt = 0;
+		if (*arg == '!') {
+			inv = true;
+			++arg;
+		}
+
+		for (i = 1; i < 32;++i)
+			if (v4opt_names[i] != NULL &&
+			    strcmp(v4opt_names[i], arg) == 0) {
+				opt = i;
+				break;
+			}
+
+		if (opt == 0 &&
+		    !xtables_strtoui(arg, NULL, &opt, 0, UINT8_MAX))
+			xtables_error(PARAMETER_PROBLEM,
+				"ipv4options: Bad option value \"%s\"", arg);
+
+		if (opt == 0)
+			xtables_error(PARAMETER_PROBLEM,
+				"ipv4options: Option value may not be zero");
+
+		info->map |= (1 << opt);
+		if (inv)
+			info->invert |= (1 << opt);
+		if (p == NULL)
+			break;
+		arg = p + 1;
+	}
+}
+
+static int ipv4options_mt_parse(int c, char **argv, int invert,
+    unsigned int *flags, const void *entry, struct xt_entry_match **match)
+{
+	struct xt_ipv4options_mtinfo1 *info = (void *)(*match)->data;
+
+	switch (c) {
+	case 'a': /* --any */
+		xtables_param_act(XTF_NO_INVERT, "ipv4options", "--any", invert);
+		info->flags |= XT_V4OPTS_ANY;
+		return true;
+	case 'f': /* --flags */
+		xtables_param_act(XTF_NO_INVERT, "ipv4options", "--flags", invert);
+		ipv4options_parse_flagspec(info, optarg);
+		return true;
+	}
+
+	return false;
+}
+
+/* no checking of *flags - no IPv4 options is also valid */
+
+static void ipv4options_print_flags(const struct xt_ipv4options_mtinfo1 *info,
+    bool numeric)
+{
+	uint32_t tmp = info->map;
+	unsigned int i;
+
+	for (i = 1; i < 32; ++i)
+		if (tmp & (1 << i)) {
+			if (info->invert & (1 << i))
+				printf("!");
+			if (!numeric && v4opt_names[i] != NULL)
+				printf("%s", v4opt_names[i]);
+			else
+				printf("%u", i);
+			tmp &= ~(1 << i);
+			if (tmp)
+				printf(",");
+		}
+}
+
+static void ipv4options_mt_print(const void *ip,
+    const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_ipv4options_mtinfo1 *info = (void *)match->data;
+
+	printf("ipv4options %s ",
+	       (info->flags & XT_V4OPTS_ANY) ? "any-of" : "all-of");
+	ipv4options_print_flags(info, numeric);
+	printf(" ");
+}
+
+static void ipv4options_mt_save(const void *ip,
+    const struct xt_entry_match *match)
+{
+	const struct xt_ipv4options_mtinfo1 *info = (void *)match->data;
+
+	if (info->map != 0) {
+		printf("--flags ");
+		ipv4options_print_flags(info, true);
+	}
+	if (info->flags & XT_V4OPTS_ANY)
+		printf(" --any");
+	printf(" ");
+}
+
+static struct xtables_match ipv4options_mt_reg = {
+	.version       = XTABLES_VERSION,
+	.name          = "ipv4options",
+	.revision      = 1,
+	.family        = PF_INET,
+	.size          = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.help          = ipv4options_mt_help,
+	.parse         = ipv4options_mt_parse,
+	.print         = ipv4options_mt_print,
+	.save          = ipv4options_mt_save,
+	.extra_opts    = ipv4options_mt_opts,
+};
+
+static __attribute__((constructor)) void ipv4options_mt_ldr(void)
+{
+	xtables_register_match(&ipv4options_mt_reg);
+}

extensions/libxt_ipv4options.man

@@ -0,0 +1,47 @@
+The "ipv4options" module allows to match against a set of IPv4 header options.
+.TP
+\fB\-\-flags\fP [\fB!\fP]\fIsymbol\fP[\fB,\fP[\fB!\fP]\fIsymbol...\fP]
+Specify the options that shall appear or not appear in the header. Each
+symbol specification is delimited by a comma, and a '!' can be prefixed to
+a symbol to negate its presence. Symbols are either the name of an IPv4 option
+or its number. See examples below.
+.TP
+\fB\-\-any\fP
+By default, all of the flags specified must be present/absent, that is, they
+form an AND condition. Use the \-\-any flag instead to use an OR condition
+where only at least one symbol spec must be true.
+.PP
+Known symbol names (and their number):
+.PP
+1 - \fBnop\fP
+.PP
+2 - \fBsecurity\fP - RFC 1108
+.PP
+3 - \fBlsrr\fP - Loose Source Routing, RFC 791
+.PP
+4 - \fBtimestamp\fP - RFC 781, 791
+.PP
+7 - \fBrecord\-route\fP - RFC 791
+.PP
+9 - \fBssrr\fP - Strict Source Routing, RFC 791
+.PP
+11 - \fBmtu\-probe\fP - RFC 1063
+.PP
+12 - \fBmtu\-reply\fP - RFC 1063
+.PP
+18 - \fBtraceroute\fP - RFC 1393
+.PP
+20 - \fBrouter-alert\fP - RFC 2113
+.PP
+Examples:
+.PP
+Match packets that have both Timestamp and NOP:
+\-m ipv4options \-\-flags nop,timestamp
+.PP
+~ that have either of Timestamp or NOP, or both:
+\-\-flags nop,timestamp \-\-any
+.PP
+~ that have Timestamp and no NOP: \-\-flags '!nop,timestamp'
+.PP
+~ that have either no NOP or a timestamp (or both conditions):
+\-\-flags '!nop,timestamp' \-\-any

extensions/libxt_length.man

@@ -0,0 +1,18 @@
+This module matches the length of a packet against a specific value or range of
+values.
+.TP
+[\fB!\fR] \fB--length\fR \fIlength\fR[\fB:\fR\fIlength\fR]
+Match exact length or length range.
+.TP
+\fB--layer3\fR
+Match the layer3 frame size (e.g. IPv4/v6 header plus payload).
+.TP
+\fB--layer4\fR
+Match the layer4 frame size (e.g. TCP/UDP header plus payload).
+.TP
+\fB--layer5\fR
+Match the layer5 frame size (e.g. TCP/UDP payload, often called layer7).
+.PP
+If no --layer* option is given, --layer3 is assumed by default. Note that using
+--layer5 may not match a packet if it is not one of the recognized types
+(currently TCP, UDP, UDPLite, ICMP, AH and ESP) or which has no 5th layer.

extensions/libxt_length2.c

@@ -0,0 +1,173 @@
+#include <getopt.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xtables.h>
+#include "xt_length2.h"
+
+enum {
+	F_LAYER  = 1 << 0,
+	F_LENGTH = 1 << 1,
+
+	XT_LENGTH_LAYER_MASK = XT_LENGTH_LAYER3 | XT_LENGTH_LAYER4 |
+	                       XT_LENGTH_LAYER5 | XT_LENGTH_LAYER7,
+};
+
+static void length_mt_help(void)
+{
+	printf(
+"length match options:\n"
+"    --layer3          Match against layer3 size (e.g. L4 + IPv6 header)\n"
+"    --layer4          Match against layer4 size (e.g. L5 + SCTP header)\n"
+"    --layer5          Match against layer5 size (e.g. L7 + chunk headers)\n"
+"    --layer7          Match against layer7 payload (e.g. SCTP payload)\n"
+"[!] --length n[:n]    Match packet length against value or range\n"
+"                      of values (inclusive)\n"
+);
+}
+
+static const struct option length_mt_opts[] = {
+	{.name = "layer3", .has_arg = false, .val = '3'},
+	{.name = "layer4", .has_arg = false, .val = '4'},
+	{.name = "layer5", .has_arg = false, .val = '5'},
+	{.name = "layer7", .has_arg = false, .val = '7'},
+	{.name = "length", .has_arg = true,  .val = '='},
+	{NULL},
+};
+
+static void length_mt_init(struct xt_entry_match *match)
+{
+	struct xt_length_mtinfo2 *info = (void *)match->data;
+
+	info->flags = XT_LENGTH_LAYER3;
+}
+
+static int length_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                           const void *entry, struct xt_entry_match **match)
+{
+	struct xt_length_mtinfo2 *info = (void *)(*match)->data;
+	unsigned int from, to;
+	char *end;
+
+	switch (c) {
+	case '3': /* --layer3 */
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		info->flags &= ~XT_LENGTH_LAYER_MASK;
+		info->flags |= XT_LENGTH_LAYER3;
+		*flags |= F_LAYER;
+		return true;
+	case '4': /* --layer4 */
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		info->flags &= ~XT_LENGTH_LAYER_MASK;
+		info->flags |= XT_LENGTH_LAYER4;
+		*flags |= F_LAYER;
+		return true;
+	case '5': /* --layer5 */
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		info->flags &= ~XT_LENGTH_LAYER_MASK;
+		info->flags |= XT_LENGTH_LAYER5;
+		*flags |= F_LAYER;
+		return true;
+	case '7': /* --layer7 */
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		info->flags &= ~XT_LENGTH_LAYER_MASK;
+		info->flags |= XT_LENGTH_LAYER7;
+		*flags |= F_LAYER;
+		return true;
+	case '=': /* --length */
+		xtables_param_act(XTF_ONLY_ONCE, "length", "--length", *flags & F_LENGTH);
+		if (invert)
+			info->flags |= XT_LENGTH_INVERT;
+		if (!xtables_strtoui(optarg, &end, &from, 0, ~0U))
+			xtables_param_act(XTF_BAD_VALUE, "length", "--length", optarg);
+		to = from;
+		if (*end == ':')
+			if (!xtables_strtoui(end + 1, &end, &to, 0, ~0U))
+				xtables_param_act(XTF_BAD_VALUE, "length",
+				          "--length", optarg);
+		if (*end != '\0')
+			xtables_param_act(XTF_BAD_VALUE, "length", "--length", optarg);
+		info->min = from;
+		info->max = to;
+		*flags |= F_LENGTH;
+		return true;
+	}
+	return false;
+}
+
+static void length_mt_check(unsigned int flags)
+{
+	if (!(flags & F_LENGTH))
+		xtables_error(PARAMETER_PROBLEM,
+		           "length: You must specify \"--length\"");
+	if (!(flags & F_LAYER))
+		fprintf(stderr, "iptables: length match: Defaulting to "
+		        "--layer3. Consider specifying it explicitly.\n");
+}
+
+static void length_mt_print(const void *ip, const struct xt_entry_match *match,
+                            int numeric)
+{
+	const struct xt_length_mtinfo2 *info = (const void *)match->data;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		printf("layer3 ");
+	else if (info->flags & XT_LENGTH_LAYER4)
+		printf("layer4 ");
+	else if (info->flags & XT_LENGTH_LAYER5)
+		printf("layer5 ");
+	else if (info->flags & XT_LENGTH_LAYER7)
+		printf("layer7 ");
+	printf("length ");
+	if (info->flags & XT_LENGTH_INVERT)
+		printf("! ");
+	if (info->min == info->max)
+		printf("%u ", (unsigned int)info->min);
+	else
+		printf("%u-%u ", (unsigned int)info->min,
+		       (unsigned int)info->max);
+}
+
+static void length_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_length_mtinfo2 *info = (const void *)match->data;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		printf("--layer3 ");
+	else if (info->flags & XT_LENGTH_LAYER4)
+		printf("--layer4 ");
+	else if (info->flags & XT_LENGTH_LAYER5)
+		printf("--layer5 ");
+	else if (info->flags & XT_LENGTH_LAYER7)
+		printf("--layer7 ");
+	if (info->flags & XT_LENGTH_INVERT)
+		printf("! ");
+	printf("--length ");
+	if (info->min == info->max)
+		printf("%u ", (unsigned int)info->min);
+	else
+		printf("%u:%u ", (unsigned int)info->min,
+		       (unsigned int)info->max);
+}
+
+static struct xtables_match length2_mt_reg = {
+	.version        = XTABLES_VERSION,
+	.name           = "length2",
+	.revision       = 2,
+	.family         = PF_UNSPEC,
+	.size           = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
+	.userspacesize  = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
+	.init           = length_mt_init,
+	.help           = length_mt_help,
+	.parse          = length_mt_parse,
+	.final_check    = length_mt_check,
+	.print          = length_mt_print,
+	.save           = length_mt_save,
+	.extra_opts     = length_mt_opts,
+};
+
+static void _init(void)
+{
+	xtables_register_match(&length2_mt_reg);
+}

extensions/libxt_lscan.c

@@ -1,6 +1,6 @@
 /*
- *	"portscan" match extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	LSCAN match extension for iptables
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -16,9 +16,9 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 
-static const struct option portscan_mt_opts[] = {
+static const struct option lscan_mt_opts[] = {
 	{.name = "stealth", .has_arg = false, .val = 'x'},
 	{.name = "synscan", .has_arg = false, .val = 's'},
 	{.name = "cnscan",  .has_arg = false, .val = 'c'},
@@ -26,10 +26,10 @@ static const struct option portscan_mt_opts[] = {
 	{NULL},
 };
 
-static void portscan_mt_help(void)
+static void lscan_mt_help(void)
 {
 	printf(
-		"portscan match options:\n"
+		"lscan match options:\n"
 		"(Combining them will make them match by OR-logic)\n"
 		"  --stealth    Match TCP Stealth packets\n"
 		"  --synscan    Match TCP SYN scans\n"
@@ -37,10 +37,10 @@ static void portscan_mt_help(void)
 		"  --grscan     Match Banner Grabbing scans\n");
 }
 
-static int portscan_mt_parse(int c, char **argv, int invert,
+static int lscan_mt_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_match **match)
 {
-	struct xt_portscan_mtinfo *info = (void *)((*match)->data);
+	struct xt_lscan_mtinfo *info = (void *)((*match)->data);
 
 	switch (c) {
 	case 'c':
@@ -59,17 +59,17 @@ static int portscan_mt_parse(int c, char **argv, int invert,
 	return false;
 }
 
-static void portscan_mt_check(unsigned int flags)
+static void lscan_mt_check(unsigned int flags)
 {
 }
 
-static void portscan_mt_print(const void *ip,
+static void lscan_mt_print(const void *ip,
     const struct xt_entry_match *match, int numeric)
 {
-	const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 	const char *s = "";
 
-	printf("portscan ");
+	printf("lscan ");
 	if (info->match_stealth) {
 		printf("STEALTH");
 		s = ",";
@@ -87,9 +87,9 @@ static void portscan_mt_print(const void *ip,
 	printf(" ");
 }
 
-static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
+static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
-	const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 
 	if (info->match_stealth)
 		printf("--stealth ");
@@ -101,23 +101,22 @@ static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
 		printf("--grscan ");
 }
 
-static struct xtables_match portscan_mt_reg = {
+static struct xtables_match lscan_mt_reg = {
 	.version       = XTABLES_VERSION,
-	.name          = "portscan",
+	.name          = "lscan",
 	.revision      = 0,
 	.family        = AF_INET,
-	.size          = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-	.help          = portscan_mt_help,
-	.parse         = portscan_mt_parse,
-	.final_check   = portscan_mt_check,
-	.print         = portscan_mt_print,
-	.save          = portscan_mt_save,
-	.extra_opts    = portscan_mt_opts,
+	.size          = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+	.help          = lscan_mt_help,
+	.parse         = lscan_mt_parse,
+	.final_check   = lscan_mt_check,
+	.print         = lscan_mt_print,
+	.save          = lscan_mt_save,
+	.extra_opts    = lscan_mt_opts,
 };
 
-void _init(void);
-void _init(void)
+static __attribute__((constructor)) void lscan_mt_ldr(void)
 {
-	xtables_register_match(&portscan_mt_reg);
+	xtables_register_match(&lscan_mt_reg);
 }

extensions/libxt_lscan.man

@@ -1,4 +1,5 @@
-Detects simple port scan attemps based upon the packet's contents. (This is
+Detects simple low-level scan attemps based upon the packet's contents.
+(This is
 different from other implementations, which also try to match the rate of new
 connections.) Note that an attempt is only discovered after it has been carried
 out, but this information can be used in conjunction with other rules to block
@@ -20,8 +21,12 @@ connection was torn down after completion of the 3-way handshake.
 \fB--grscan\fR
 Match if data in the connection only flew in the direction of the remote side,
 e.g. if the connection was terminated after a locally running daemon sent its
-identification. (e.g. openssh)
+identification. (E.g. openssh, smtp, ftpd.) This may falsely trigger on
+warranted single-direction data flows, usually bulk data transfers such as
+FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
+ports where a protocol runs that is guaranteed to do a bidirectional exchange
+of bytes.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
-so be advised to carefully use xt_portscan in conjunction with blocking rules,
+so be advised to carefully use xt_lscan in conjunction with blocking rules,
 as it may lock out your very own internal network.

extensions/libxt_quota2.c

@@ -51,31 +51,31 @@ quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	switch (c) {
 	case 'g':
-		param_act(P_ONLY_ONCE, "quota", "--grow", *flags & FL_GROW);
-		param_act(P_NO_INVERT, "quota", "--grow", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--grow", *flags & FL_GROW);
+		xtables_param_act(XTF_NO_INVERT, "quota", "--grow", invert);
 		info->flags |= XT_QUOTA_GROW;
 		*flags |= FL_GROW;
 		return true;
 	case 'n':
 		/* zero termination done on behalf of the kernel module */
-		param_act(P_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
-		param_act(P_NO_INVERT, "quota", "--name", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
+		xtables_param_act(XTF_NO_INVERT, "quota", "--name", invert);
 		strncpy(info->name, optarg, sizeof(info->name));
 		*flags |= FL_NAME;
 		return true;
 	case 'p':
-		param_act(P_ONLY_ONCE, "quota", "--packets", *flags & FL_PACKET);
-		param_act(P_NO_INVERT, "quota", "--packets", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--packets", *flags & FL_PACKET);
+		xtables_param_act(XTF_NO_INVERT, "quota", "--packets", invert);
 		info->flags |= XT_QUOTA_PACKET;
 		*flags |= FL_PACKET;
 		return true;
 	case 'q':
-		param_act(P_ONLY_ONCE, "quota", "--quota", *flags & FL_QUOTA);
+		xtables_param_act(XTF_ONLY_ONCE, "quota", "--quota", *flags & FL_QUOTA);
 		if (invert)
 			info->flags |= XT_QUOTA_INVERT;
 		info->quota = strtoull(optarg, &end, 0);
 		if (*end != '\0')
-			exit_error(PARAMETER_PROBLEM, "quota match: "
+			xtables_error(PARAMETER_PROBLEM, "quota match: "
 			           "invalid value for --quota");
 		*flags |= FL_QUOTA;
 		return true;
@@ -133,7 +133,7 @@ static struct xtables_match quota_mt2_reg = {
 	.extra_opts    = quota_mt2_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void quota2_mt_ldr(void)
 {
 	xtables_register_match(&quota_mt2_reg);
 }

extensions/mac.c

@@ -19,7 +19,7 @@ static bool mac_parse(const char *addr, unsigned char *dest, uint8_t *mask)
 
 	*mask = 48;
 	if (*end == '/') {
-		if (!strtonum(end + 1, &end, &value, 0, 48))
+		if (!xtables_strtoui(end + 1, &end, &value, 0, 48))
 			return false;
 		if (*end != '\0')
 			return false;

extensions/xt_CHAOS.c

@@ -234,7 +234,7 @@ static void __exit chaos_tg_exit(void)
 
 module_init(chaos_tg_init);
 module_exit(chaos_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
 MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_CHAOS");

extensions/xt_DELUDE.c

@@ -176,7 +176,7 @@ static void __exit delude_tg_exit(void)
 
 module_init(delude_tg_init);
 module_exit(delude_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
 MODULE_DESCRIPTION("Xtables: Close TCP connections after handshake");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_DELUDE");

extensions/xt_DHCPMAC.Kconfig

@@ -0,0 +1,8 @@
+config NETFILTER_XT_DHCPMAC
+	tristate '"DHCPMAC" DHCP address matching and manipulation support'
+	depends on NETFILTER_XTABLES
+	depends on IP_NF_MANGLE || IP6_NF_MANGLE
+	---help---
+	The DHCPMAC extensions allows to match and change the MAC address in
+	a DHCP packet, so as to work around VMware's "inability" to use MAC
+	addresses from a vendor different than VMware at boot time.

extensions/xt_DHCPMAC.c

@@ -1,5 +1,5 @@
 /*
- *	"DHCPADDR" extensions for Xtables
+ *	"DHCPMAC" extensions for Xtables
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	This program is free software; you can redistribute it and/or
@@ -14,7 +14,7 @@
 #include <linux/udp.h>
 #include <net/ip.h>
 #include <linux/netfilter/x_tables.h>
-#include "xt_DHCPADDR.h"
+#include "xt_DHCPMAC.h"
 #include "compat_xtables.h"
 
 struct dhcp_message {
@@ -69,9 +69,9 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
 }
 
 static bool
-dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dhcpmac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-	const struct dhcpaddr_info *info = par->matchinfo;
+	const struct dhcpmac_info *info = par->matchinfo;
 	const struct dhcp_message *dh;
 	struct dhcp_message dhcpbuf;
 
@@ -89,9 +89,9 @@ dhcpaddr_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 
 static unsigned int
-dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+dhcpmac_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 {
-	const struct dhcpaddr_info *info = par->targinfo;
+	const struct dhcpmac_info *info = par->targinfo;
 	struct dhcp_message dhcpbuf, *dh;
 	struct udphdr udpbuf, *udph;
 	struct sk_buff *skb = *pskb;
@@ -122,52 +122,52 @@ dhcpaddr_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
-static struct xt_target dhcpaddr_tg_reg __read_mostly = {
-	.name       = "DHCPADDR",
+static struct xt_target dhcpmac_tg_reg __read_mostly = {
+	.name       = "DHCPMAC",
 	.revision   = 0,
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
 	.table      = "mangle",
-	.target     = dhcpaddr_tg,
-	.targetsize = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.target     = dhcpmac_tg,
+	.targetsize = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.me         = THIS_MODULE,
 };
 
-static struct xt_match dhcpaddr_mt_reg __read_mostly = {
-	.name       = "dhcpaddr",
+static struct xt_match dhcpmac_mt_reg __read_mostly = {
+	.name       = "dhcpmac",
 	.revision   = 0,
 	.family     = NFPROTO_IPV4,
 	.proto      = IPPROTO_UDP,
-	.match      = dhcpaddr_mt,
-	.matchsize  = XT_ALIGN(sizeof(struct dhcpaddr_info)),
+	.match      = dhcpmac_mt,
+	.matchsize  = XT_ALIGN(sizeof(struct dhcpmac_info)),
 	.me         = THIS_MODULE,
 };
 
-static int __init dhcpaddr_init(void)
+static int __init dhcpmac_init(void)
 {
 	int ret;
 
-	ret = xt_register_target(&dhcpaddr_tg_reg);
+	ret = xt_register_target(&dhcpmac_tg_reg);
 	if (ret != 0)
 		return ret;
-	ret = xt_register_match(&dhcpaddr_mt_reg);
+	ret = xt_register_match(&dhcpmac_mt_reg);
 	if (ret != 0) {
-		xt_unregister_target(&dhcpaddr_tg_reg);
+		xt_unregister_target(&dhcpmac_tg_reg);
 		return ret;
 	}
 	return 0;
 }
 
-static void __exit dhcpaddr_exit(void)
+static void __exit dhcpmac_exit(void)
 {
-	xt_unregister_target(&dhcpaddr_tg_reg);
-	xt_unregister_match(&dhcpaddr_mt_reg);
+	xt_unregister_target(&dhcpmac_tg_reg);
+	xt_unregister_match(&dhcpmac_mt_reg);
 }
 
-module_init(dhcpaddr_init);
-module_exit(dhcpaddr_exit);
+module_init(dhcpmac_init);
+module_exit(dhcpmac_exit);
 MODULE_DESCRIPTION("Xtables: Clamp DHCP MAC to packet MAC addresses");
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_DHCPADDR");
-MODULE_ALIAS("ipt_dhcpaddr");
+MODULE_ALIAS("ipt_DHCPMAC");
+MODULE_ALIAS("ipt_dhcpmac");

extensions/xt_DHCPMAC.h

@@ -1,12 +1,12 @@
-#ifndef _LINUX_NETFILTER_XT_DHCPADDR_H
-#define _LINUX_NETFILTER_XT_DHCPADDR_H 1
+#ifndef _LINUX_NETFILTER_XT_DHCPMAC_H
+#define _LINUX_NETFILTER_XT_DHCPMAC_H 1
 
 #define DH_MAC_FMT "%02X:%02X:%02X:%02X:%02X:%02X"
 #define DH_MAC_HEX(z) z[0], z[1], z[2], z[3], z[4], z[5]
 
-struct dhcpaddr_info {
+struct dhcpmac_info {
 	unsigned char addr[ETH_ALEN];
 	uint8_t mask, invert;
 };
 
-#endif /* _LINUX_NETFILTER_XT_DHCPADDR_H */
+#endif /* _LINUX_NETFILTER_XT_DHCPMAC_H */

extensions/xt_ECHO.c

@@ -32,6 +32,8 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 	unsigned int addr_type, data_len;
 	void *payload;
 
+	printk(KERN_INFO "dst_out=%p\n", (*poldskb)->dst->output);
+
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(*poldskb) < 0)
 		return NF_DROP;
@@ -75,10 +77,10 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 
 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
-	if (hooknum != NF_INET_FORWARD || (newskb->nf_bridge != NULL &&
+	if (par->hooknum != NF_INET_FORWARD || (newskb->nf_bridge != NULL &&
 	    newskb->nf_bridge->mask & BRNF_BRIDGED))
 #else
-	if (hooknum != NF_INET_FORWARD)
+	if (par->hooknum != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 

extensions/xt_LOGMARK.c

@@ -38,9 +38,10 @@ logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	enum ip_conntrack_info ctinfo;
 	bool prev = false;
 
-	printk("<%u>%.*s""hook=%s nfmark=0x%x secmark=0x%x classify=0x%x",
+	printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
+	       "secmark=0x%x classify=0x%x",
 	       info->level, (unsigned int)sizeof(info->prefix), info->prefix,
-	       hook_names[par->hooknum],
+	       skb_ifindex(skb), hook_names[par->hooknum],
 	       skb_nfmark(skb), skb_secmark(skb), skb->priority);
 
 	ct = nf_ct_get(skb, &ctinfo);
@@ -127,7 +128,7 @@ static void __exit logmark_tg_exit(void)
 module_init(logmark_tg_init);
 module_exit(logmark_tg_exit);
 MODULE_DESCRIPTION("Xtables: netfilter mark logging to syslog");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_LOGMARK");
 MODULE_ALIAS("ip6t_LOGMARK");

extensions/xt_STEAL.c

@@ -0,0 +1,66 @@
+/*
+ *	"STEAL" demo target extension for Xtables
+ *	written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
+ *	placed in the Public Domain
+ */
+#include <linux/netfilter.h>
+#include <linux/skbuff.h>
+#include "compat_xtables.h"
+
+static unsigned int
+steal_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+{
+	kfree_skb(*pskb);
+	return NF_STOLEN;
+}
+
+static struct xt_target steal_tg_reg[] __read_mostly = {
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_UNSPEC,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_IPV6,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_ARP,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+	{
+		.name     = "STEAL",
+		.revision = 0,
+		.family   = NFPROTO_BRIDGE,
+		.target   = steal_tg,
+		.me       = THIS_MODULE,
+	},
+};
+
+static int __init steal_tg_init(void)
+{
+	return xt_register_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
+}
+
+static void __exit steal_tg_exit(void)
+{
+	xt_unregister_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
+}
+
+module_init(steal_tg_init);
+module_exit(steal_tg_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_STEAL");
+MODULE_ALIAS("ip6t_STEAL");
+MODULE_ALIAS("arpt_STEAL");
+MODULE_ALIAS("ebt_STEAL");

extensions/xt_SYSRQ.c

@@ -3,7 +3,6 @@
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
- *	xt_SYSRQ does not use hashing or timestamps.
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License
@@ -19,15 +18,145 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/crypto.h>
+#include <linux/scatterlist.h>
 #include <net/ip.h>
 #include "compat_xtables.h"
 
 static bool sysrq_once;
 static char sysrq_password[64];
+static char sysrq_hash[16] = "sha1";
+static long sysrq_seqno;
+static int sysrq_debug;
 module_param_string(password, sysrq_password, sizeof(sysrq_password),
 	S_IRUSR | S_IWUSR);
+module_param_string(hash, sysrq_hash, sizeof(sysrq_hash), S_IRUSR);
+module_param_named(seqno, sysrq_seqno, long, S_IRUSR | S_IWUSR);
+module_param_named(debug, sysrq_debug, int, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(password, "password for remote sysrq");
+MODULE_PARM_DESC(hash, "hash algorithm, default sha1");
+MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
+MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+static struct crypto_hash *sysrq_tfm;
+static int sysrq_digest_size;
+static unsigned char *sysrq_digest_password;
+static unsigned char *sysrq_digest;
+static char *sysrq_hexdigest;
+
+/*
+ * The data is of the form "<requests>,<seqno>,<salt>,<hash>" where <requests>
+ * is a series of sysrq requests; <seqno> is a sequence number that must be
+ * greater than the last sequence number; <salt> is some random bytes; and
+ * <hash> is the hash of everything up to and including the preceding ","
+ * together with the password.
+ *
+ * For example
+ *
+ *   salt=$RANDOM
+ *   req="s,$(date +%s),$salt"
+ *   echo "$req,$(echo -n $req,secret | sha1sum | cut -c1-40)"
+ *
+ * You will want a better salt and password than that though :-)
+ */
+static unsigned int sysrq_tg(const void *pdata, uint16_t len)
+{
+	const char *data = pdata;
+	int i, n;
+	struct scatterlist sg[2];
+	struct hash_desc desc;
+	int ret;
+	long new_seqno = 0;
+
+	if (*sysrq_password == '\0') {
+		if (!sysrq_once)
+			printk(KERN_INFO KBUILD_MODNAME ": No password set\n");
+		sysrq_once = true;
+		return NF_DROP;
+	}
+	if (len == 0)
+		return NF_DROP;
+
+	for (i = 0; sysrq_password[i] != '\0' &&
+	     sysrq_password[i] != '\n'; ++i)
+		/* loop */;
+	sysrq_password[i] = '\0';
+
+	i = 0;
+	for (n = 0; n < len - 1; ++n) {
+		if (i == 1 && '0' <= data[n] && data[n] <= '9')
+			new_seqno = 10L * new_seqno + data[n] - '0';
+		if (data[n] == ',' && ++i == 3)
+			break;
+	}
+	++n;
+	if (i != 3) {
+		if (sysrq_debug)
+			printk(KERN_WARNING KBUILD_MODNAME
+				": badly formatted request\n");
+		return NF_DROP;
+	}
+	if (sysrq_seqno >= new_seqno) {
+		if (sysrq_debug)
+			printk(KERN_WARNING KBUILD_MODNAME
+				": old sequence number ignored\n");
+		return NF_DROP;
+	}
+
+	desc.tfm   = sysrq_tfm;
+	desc.flags = 0;
+	ret = crypto_hash_init(&desc);
+	if (ret != 0)
+		goto hash_fail;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
+	sg_init_table(sg, 2);
+#endif
+	sg_set_buf(&sg[0], data, n);
+	strcpy(sysrq_digest_password, sysrq_password);
+	i = strlen(sysrq_digest_password);
+	sg_set_buf(&sg[1], sysrq_digest_password, i);
+	ret = crypto_hash_digest(&desc, sg, n + i, sysrq_digest);
+	if (ret != 0)
+		goto hash_fail;
+
+	for (i = 0; i < sysrq_digest_size; ++i) {
+		sysrq_hexdigest[2*i] =
+			"0123456789abcdef"[(sysrq_digest[i] >> 4) & 0xf];
+		sysrq_hexdigest[2*i+1] =
+			"0123456789abcdef"[sysrq_digest[i] & 0xf];
+	}
+	sysrq_hexdigest[2*sysrq_digest_size] = '\0';
+	if (len - n < sysrq_digest_size) {
+		if (sysrq_debug)
+			printk(KERN_INFO KBUILD_MODNAME ": Short digest,"
+			       " expected %s\n", sysrq_hexdigest);
+		return NF_DROP;
+	}
+	if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size) != 0) {
+		if (sysrq_debug)
+			printk(KERN_INFO KBUILD_MODNAME ": Bad digest,"
+			       " expected %s\n", sysrq_hexdigest);
+		return NF_DROP;
+	}
+
+	/* Now we trust the requester */
+	sysrq_seqno = new_seqno;
+	for (i = 0; i < len && data[i] != ','; ++i) {
+		printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+		handle_sysrq(data[i], NULL);
+#else
+		handle_sysrq(data[i], NULL, NULL);
+#endif
+	}
+	return NF_ACCEPT;
+
+ hash_fail:
+	printk(KERN_WARNING KBUILD_MODNAME ": digest failure\n");
+	return NF_DROP;
+}
+#else
 static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 {
 	const char *data = pdata;
@@ -57,6 +186,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 #endif
 	return NF_ACCEPT;
 }
+#endif
 
 static unsigned int
 sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
@@ -69,13 +199,18 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	if (skb_linearize(skb) < 0)
 		return NF_DROP;
 
-	iph  = ip_hdr(skb);
-	udph = (void *)iph + ip_hdrlen(skb);
+	iph = ip_hdr(skb);
+	if (iph->protocol != IPPROTO_UDP)
+		return NF_ACCEPT; /* sink it */
+
+	udph = (const void *)iph + ip_hdrlen(skb);
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
-	printk(KERN_INFO KBUILD_MODNAME ": " NIPQUAD_FMT ":%u -> :%u len=%u\n",
-	       NIPQUAD(iph->saddr), htons(udph->source), htons(udph->dest),
-	       len);
+	if (sysrq_debug)
+		printk(KERN_INFO KBUILD_MODNAME
+		       ": " NIPQUAD_FMT ":%u -> :%u len=%u\n",
+		       NIPQUAD(iph->saddr), htons(udph->source),
+		       htons(udph->dest), len);
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
 
@@ -85,23 +220,32 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	struct sk_buff *skb = *pskb;
 	const struct ipv6hdr *iph;
 	const struct udphdr *udph;
+	unsigned short frag_off;
+	unsigned int th_off;
 	uint16_t len;
 
 	if (skb_linearize(skb) < 0)
 		return NF_DROP;
 
-	iph  = ipv6_hdr(skb);
-	udph = udp_hdr(skb);
+	iph = ipv6_hdr(skb);
+	if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
+	    frag_off > 0)
+		return NF_ACCEPT; /* sink it */
+
+	udph = (const void *)iph + th_off;
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
-	printk(KERN_INFO KBUILD_MODNAME ": " NIP6_FMT ":%hu -> :%hu len=%u\n",
-	       NIP6(iph->saddr), ntohs(udph->source),
-	       ntohs(udph->dest), len);
+	if (sysrq_debug)
+		printk(KERN_INFO KBUILD_MODNAME
+		       ": " NIP6_FMT ":%hu -> :%hu len=%u\n",
+		       NIP6(iph->saddr), ntohs(udph->source),
+		       ntohs(udph->dest), len);
 	return sysrq_tg(udph + sizeof(struct udphdr), len);
 }
 
 static bool sysrq_tg_check(const struct xt_tgchk_param *par)
 {
+
 	if (par->target->family == NFPROTO_IPV4) {
 		const struct ipt_entry *entry = par->entryinfo;
 
@@ -146,11 +290,64 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 
 static int __init sysrq_tg_init(void)
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	struct timeval now;
+
+	sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
+	if (IS_ERR(sysrq_tfm)) {
+		printk(KERN_WARNING KBUILD_MODNAME
+			": Error: Could not find or load %s hash\n",
+			sysrq_hash);
+		sysrq_tfm = NULL;
+		goto fail;
+	}
+	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
+	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
+	if (sysrq_digest == NULL) {
+		printk(KERN_WARNING KBUILD_MODNAME
+			": Cannot allocate digest\n");
+		goto fail;
+	}
+	sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
+	if (sysrq_hexdigest == NULL) {
+		printk(KERN_WARNING KBUILD_MODNAME
+			": Cannot allocate hexdigest\n");
+		goto fail;
+	}
+	sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
+	if (sysrq_digest_password == NULL) {
+		printk(KERN_WARNING KBUILD_MODNAME
+			": Cannot allocate password digest space\n");
+		goto fail;
+	}
+	do_gettimeofday(&now);
+	sysrq_seqno = now.tv_sec;
 	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+
+ fail:
+	if (sysrq_tfm)
+		crypto_free_hash(sysrq_tfm);
+	if (sysrq_digest)
+		kfree(sysrq_digest);
+	if (sysrq_hexdigest)
+		kfree(sysrq_hexdigest);
+	if (sysrq_digest_password)
+		kfree(sysrq_digest_password);
+	return -EINVAL;
+#else
+	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for <= 2.6.18\n");
+	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+#endif
 }
 
 static void __exit sysrq_tg_exit(void)
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	crypto_free_hash(sysrq_tfm);
+	kfree(sysrq_digest);
+	kfree(sysrq_hexdigest);
+	kfree(sysrq_digest_password);
+#endif
 	return xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 }
 

extensions/xt_TARPIT.c

@@ -245,7 +245,7 @@ static void __exit tarpit_tg_exit(void)
 
 module_init(tarpit_tg_init);
 module_exit(tarpit_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
 MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TARPIT");

extensions/xt_TEE.c

@@ -1,7 +1,7 @@
 /*
  *	"TEE" target extension for Xtables
  *	Copyright © Sebastian Claßen <sebastian.classen [at] freenet de>, 2007
- *	Jan Engelhardt <jengelh [at] medozas de>, 2007
+ *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
  *
  *	based on ipt_ROUTE.c from Cédric de Launois
  *	<delaunois [at] info ucl ac be>
@@ -17,6 +17,7 @@
 #include <net/checksum.h>
 #include <net/icmp.h>
 #include <net/ip.h>
+#include <net/ip6_route.h>
 #include <net/route.h>
 #include <linux/netfilter/x_tables.h>
 
@@ -25,11 +26,14 @@
 #	include <net/netfilter/nf_conntrack.h>
 static struct nf_conn tee_track;
 #endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
 
 #include "compat_xtables.h"
 #include "xt_TEE.h"
 
-static const union nf_inet_addr zero_address;
+static const union nf_inet_addr tee_zero_address;
 
 /*
  * Try to route the packet according to the routing keys specified in
@@ -47,21 +51,24 @@ static const union nf_inet_addr zero_address;
  *         true  - if the packet was succesfully routed to the
  *                 destination desired
  */
-static bool tee_routing(struct sk_buff *skb,
-                        const struct xt_tee_tginfo *info)
+static bool
+tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
+	const struct iphdr *iph = ip_hdr(skb);
 	int err;
 	struct rtable *rt;
-	struct iphdr *iph = ip_hdr(skb);
-	struct flowi fl = {
-		.nl_u = {
-			.ip4_u = {
-				.daddr = info->gw.ip,
-				.tos   = RT_TOS(iph->tos),
-				.scope = RT_SCOPE_UNIVERSE,
-			}
-		}
-	};
+	struct flowi fl;
+
+	memset(&fl, 0, sizeof(fl));
+	fl.iif = skb_ifindex(skb);
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+	fl.nl_u.ip4_u.fwmark = skb_nfmark(skb);
+#else
+	fl.mark = skb_nfmark(skb);
+#endif
+	fl.nl_u.ip4_u.daddr = info->gw.ip;
+	fl.nl_u.ip4_u.tos   = RT_TOS(iph->tos);
+	fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
 
 	/* Trying to route the packet using the standard routing table. */
 	err = ip_route_output_key(&init_net, &rt, &fl);
@@ -72,22 +79,14 @@ static bool tee_routing(struct sk_buff *skb,
 		return false;
 	}
 
-	/* Drop old route. */
 	dst_release(skb->dst);
-	skb->dst = NULL;
-
-	/*
-	 * Success if no oif specified or if the oif correspond to the
-	 * one desired.
-	 * [SC]: always the case, because we have no oif.
-	 */
 	skb->dst      = &rt->u.dst;
 	skb->dev      = skb->dst->dev;
 	skb->protocol = htons(ETH_P_IP);
 	return true;
 }
 
-static bool dev_hh_avail(const struct net_device *dev)
+static inline bool dev_hh_avail(const struct net_device *dev)
 {
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 	return dev->hard_header != NULL;
@@ -103,14 +102,14 @@ static bool dev_hh_avail(const struct net_device *dev)
  * POST: the packet is sent with the link layer header pushed
  *       the packet is destroyed
  */
-static void tee_ip_direct_send(struct sk_buff *skb)
+static void tee_tg_send(struct sk_buff *skb)
 {
 	const struct dst_entry *dst  = skb->dst;
 	const struct net_device *dev = dst->dev;
 	unsigned int hh_len = LL_RESERVED_SPACE(dev);
 
 	/* Be paranoid, rather than too clever. */
-	if (unlikely(skb_headroom(skb) < hh_len) && dev_hh_avail(dev)) {
+	if (unlikely(skb_headroom(skb) < hh_len && dev_hh_avail(dev))) {
 		struct sk_buff *skb2;
 
 		skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
@@ -142,7 +141,7 @@ static void tee_ip_direct_send(struct sk_buff *skb)
  * packets when we see they already have that ->nfct.
  */
 static unsigned int
-tee_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct sk_buff *skb = *pskb;
@@ -200,29 +199,125 @@ tee_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	nf_conntrack_get(skb->nfct);
 #endif
 
-	if (tee_routing(skb, info))
-		tee_ip_direct_send(skb);
+	/*
+	 * Normally, we would just use ip_local_out. Because iph->check is
+	 * already correct, we could take a shortcut and call dst_output
+	 * [forwards to ip_output] directly. ip_output however will invoke
+	 * Netfilter hooks and cause reentrancy. So we skip that too and go
+	 * directly to ip_finish_output. Since we should not do XFRM, control
+	 * passes to ip_finish_output2. That function is not exported, so it is
+	 * copied here as tee_ip_direct_send.
+	 *
+	 * We do no XFRM on the cloned packet on purpose! The choice of
+	 * iptables match options will control whether the raw packet or the
+	 * transformed version is cloned.
+	 *
+	 * Also on purpose, no fragmentation is done, to preserve the
+	 * packet as best as possible.
+	 */
+	if (tee_tg_route4(skb, info))
+		tee_tg_send(skb);
 
 	return XT_CONTINUE;
 }
 
+#ifdef WITH_IPV6
+static bool
+tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
+{
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
+	struct dst_entry *dst;
+	struct flowi fl;
+
+	memset(&fl, 0, sizeof(fl));
+	fl.iif = skb_ifindex(skb);
+#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
+	fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
+	fl.mark = skb_nfmark(skb);
+#endif
+	fl.nl_u.ip6_u.daddr = info->gw.in6;
+	fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
+		(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
+	dst = ip6_route_output(NULL, &fl);
+#else
+	dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
+#endif
+	if (dst == NULL) {
+		if (net_ratelimit())
+			printk(KERN_ERR "ip6_route_output failed for tee\n");
+		return false;
+	}
+
+	dst_release(skb->dst);
+	skb->dst      = dst;
+	skb->dev      = skb->dst->dev;
+	skb->protocol = htons(ETH_P_IPV6);
+	return true;
+}
+
+static unsigned int
+tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+{
+	const struct xt_tee_tginfo *info = par->targinfo;
+	struct sk_buff *skb = *pskb;
+
+	/* Try silence. */
+#ifdef WITH_CONNTRACK
+	if (skb->nfct == &tee_track.ct_general)
+		return NF_DROP;
+#endif
+
+	if ((skb = skb_copy(skb, GFP_ATOMIC)) == NULL)
+		return XT_CONTINUE;
+
+#ifdef WITH_CONNTRACK
+	nf_conntrack_put(skb->nfct);
+	skb->nfct     = &tee_track.ct_general;
+	skb->nfctinfo = IP_CT_NEW;
+	nf_conntrack_get(skb->nfct);
+#endif
+	if (tee_tg_route6(skb, info))
+		tee_tg_send(skb);
+
+	return XT_CONTINUE;
+}
+#endif /* WITH_IPV6 */
+
 static bool tee_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 
 	/* 0.0.0.0 and :: not allowed */
-	return memcmp(&info->gw, &zero_address, sizeof(zero_address)) != 0;
+	return memcmp(&info->gw, &tee_zero_address,
+	       sizeof(tee_zero_address)) != 0;
 }
 
-static struct xt_target tee_tg_reg __read_mostly = {
-	.name       = "TEE",
-	.revision   = 0,
-	.family     = NFPROTO_IPV4,
-	.table      = "mangle",
-	.target     = tee_tg,
-	.targetsize = sizeof(struct xt_tee_tginfo),
-	.checkentry = tee_tg_check,
-	.me         = THIS_MODULE,
+static struct xt_target tee_tg_reg[] __read_mostly = {
+	{
+		.name       = "TEE",
+		.revision   = 0,
+		.family     = NFPROTO_IPV4,
+		.table      = "mangle",
+		.target     = tee_tg4,
+		.targetsize = sizeof(struct xt_tee_tginfo),
+		.checkentry = tee_tg_check,
+		.me         = THIS_MODULE,
+	},
+#ifdef WITH_IPV6
+	{
+		.name       = "TEE",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.table      = "mangle",
+		.target     = tee_tg6,
+		.targetsize = sizeof(struct xt_tee_tginfo),
+		.checkentry = tee_tg_check,
+		.me         = THIS_MODULE,
+	},
+#endif
 };
 
 static int __init tee_tg_init(void)
@@ -241,19 +336,20 @@ static int __init tee_tg_init(void)
 	tee_track.status |= IPS_NAT_DONE_MASK;
 #endif
 
-	return xt_register_target(&tee_tg_reg);
+	return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
 }
 
 static void __exit tee_tg_exit(void)
 {
-	xt_unregister_target(&tee_tg_reg);
+	xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
 	/* [SC]: shoud not we cleanup tee_track here? */
 }
 
 module_init(tee_tg_init);
 module_exit(tee_tg_exit);
 MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: Reroute packet copy");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TEE");
+MODULE_ALIAS("ip6t_TEE");

extensions/xt_ipp2p.c

@@ -597,27 +597,51 @@ search_all_gnu(const unsigned char *payload, const unsigned int plen)
 }
 
 /* check for KaZaA download commands and other typical data */
+/* plen is guaranteed to be >= 5 (see @matchlist) */
 static unsigned int
 search_all_kazaa(const unsigned char *payload, const unsigned int plen)
 {
-	if (payload[plen-2] == 0x0d && payload[plen-1] == 0x0a) {
-		if (memcmp(payload, "GIVE ", 5) == 0)
-			return IPP2P_KAZAA * 100 + 1;
+	uint16_t c, end, rem;
 
-		if (memcmp(payload, "GET /", 5) == 0) {
-			uint16_t c = 8;
-			const uint16_t end = plen - 22;
+	if (plen < 5)
+		/* too short for anything we test for - early bailout */
+		return 0;
 
-			while (c < end) {
-				if (payload[c] == 0x0a &&
-				    payload[c+1] == 0x0d &&
-				    (memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0 ||
-				    memcmp(&payload[c+2], "User-Agent: PeerEnabler/", 24) == 0))
-					return IPP2P_KAZAA * 100 + 2;
-				c++;
-			}
-		}
+	if (plen >= 65535) {
+		/* Something seems _really_ fishy */
+		printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) >= 65535\n",
+		       __func__, plen);
+		return 0;
 	}
+
+	if (payload[plen-2] != 0x0d || payload[plen-1] != 0x0a)
+		return 0;
+
+	if (memcmp(payload, "GIVE ", 5) == 0)
+		return IPP2P_KAZAA * 100 + 1;
+
+	if (memcmp(payload, "GET /", 5) != 0)
+		return 0;
+
+	if (plen < 18)
+		/* The next tests would not succeed anyhow. */
+		return 0;
+
+	end = plen - 18;
+	rem = plen - 5;
+	for (c = 5; c < end; ++c, --rem) {
+		if (payload[c] != 0x0d)
+			continue;
+		if (payload[c+1] != 0x0a)
+			continue;
+		if (rem >= 18 &&
+		    memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0)
+			return IPP2P_KAZAA * 100 + 2;
+		if (rem >= 24 &&
+		    memcmp(&payload[c+2], "User-Agent: PeerEnabler/", 24) == 0)
+			return IPP2P_KAZAA * 100 + 2;
+	}
+
 	return 0;
 }
 
@@ -813,7 +837,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	switch (ip->protocol) {
 	case IPPROTO_TCP:	/* what to do with a TCP packet */
 	{
-		const struct tcphdr *tcph = tcp_hdr(skb);
+		const struct tcphdr *tcph = (const void *)ip + ip_hdrlen(skb);
 
 		if (tcph->fin) return 0;  /* if FIN bit is set bail out */
 		if (tcph->syn) return 0;  /* if SYN bit is set bail out */
@@ -840,7 +864,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 
 	case IPPROTO_UDP:	/* what to do with an UDP packet */
 	{
-		const struct udphdr *udph = udp_hdr(skb);
+		const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb);
 
 		while (udp_list[i].command) {
 			if ((info->cmd & udp_list[i].command) == udp_list[i].command &&

extensions/xt_ipp2p.h

@@ -1,6 +1,6 @@
 #ifndef __IPT_IPP2P_H
 #define __IPT_IPP2P_H
-#define IPP2P_VERSION "0.9"
+#define IPP2P_VERSION "0.10"
 
 enum {
 	IPP2N_EDK,

extensions/xt_ipv4options.Kconfig

@@ -0,0 +1,6 @@
+config NETFILTER_XT_MATCH_IPV4OPTIONS
+	tristate '"ipv4options" IPv4 option match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	The ipv4options match can be used to check on the presence or absence
+	of one or move IPv4 options.

extensions/xt_ipv4options.c

@@ -0,0 +1,72 @@
+/*
+ *	xt_ipv4opts - Netfilter module to match IPv4 options
+ *	Copyright © Jan Engelhardt, 2009
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <linux/ip.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <net/ip.h>
+#include "xt_ipv4options.h"
+#include "compat_xtables.h"
+
+static uint32_t ipv4options_rd(const uint8_t *data, int len)
+{
+	uint32_t opts = 0;
+
+	while (len >= 2) {
+		opts |= 1 << (data[0] & 0x1F);
+		len  -= data[1];
+		data += data[1];
+	}
+
+	return opts;
+}
+
+static bool ipv4options_mt(const struct sk_buff *skb,
+    const struct xt_match_param *par)
+{
+	const struct xt_ipv4options_mtinfo1 *info = par->matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+	uint32_t opts = 0;
+	uint16_t len  = ip_hdrlen(skb) - sizeof(struct iphdr);
+
+	if (len > 0)
+		opts = ipv4options_rd((const void *)iph +
+		       sizeof(struct iphdr), len);
+
+	opts ^= info->invert;
+	opts &= info->map;
+	return (info->flags & XT_V4OPTS_ANY) ? opts : opts == info->map;
+}
+
+static struct xt_match ipv4options_mt_reg __read_mostly = {
+	.name      = "ipv4options",
+	.revision  = 1,
+	.family    = NFPROTO_IPV4,
+	.match     = ipv4options_mt,
+	.matchsize = XT_ALIGN(sizeof(struct xt_ipv4options_mtinfo1)),
+	.me        = THIS_MODULE,
+};
+
+static int __init ipv4options_mt_init(void)
+{
+	return xt_register_match(&ipv4options_mt_reg);
+}
+
+static void __exit ipv4options_mt_exit(void)
+{
+	xt_unregister_match(&ipv4options_mt_reg);
+}
+
+MODULE_DESCRIPTION("Xatblse: IPv4 option match");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_ipv4options");
+module_init(ipv4options_mt_init);
+module_exit(ipv4options_mt_exit);

extensions/xt_ipv4options.h

@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_IPV4OPTIONS_H
+#define _LINUX_NETFILTER_XT_IPV4OPTIONS_H 1
+
+/* IPv4 allows for a 5-bit option number - 32 options */
+
+/**
+ * %XT_V4OPTS_ALL:	all options in @map must be present (respecting @invert)
+ * %XT_V4OPTS_ANY:	any of the option in @map
+ */
+enum xt_ipv4options_flags {
+	XT_V4OPTS_ALL = 1 << 0,
+	XT_V4OPTS_ANY = 1 << 1,
+};
+
+/**
+ * @map:	bitmask of options that should appear
+ * @invert:	inversion map
+ * @flags:	see above
+ */
+struct xt_ipv4options_mtinfo1 {
+	__u32 map;
+	__u32 invert;
+	__u8 flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPV4OPTIONS_H */

extensions/xt_length2.Kconfig

@@ -0,0 +1,7 @@
+config NETFILTER_XT_MATCH_LENGTH2
+	tristate '"length2" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	This option adds the "length2" match which is an advanced form of
+	xt_length that allows unambiguous layer-4/-5/-7 length matching. It is
+	useful to detect empty packets or for aiding in packet scheduling.

extensions/xt_length2.c

@@ -0,0 +1,262 @@
+/*
+ *	xt_length - Netfilter module to match packet length
+ *	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2007 - 2009
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <linux/dccp.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/icmp.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/sctp.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include "xt_length2.h"
+#include "compat_xtables.h"
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#	define WITH_IPV6 1
+#endif
+#ifndef NEXTHDR_IPV4
+#	define NEXTHDR_IPV4 4
+#endif
+
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_length2");
+MODULE_ALIAS("ip6t_length2");
+
+static bool
+xtlength_layer5_tcp(unsigned int *length, const struct sk_buff *skb,
+                    unsigned int offset)
+{
+	const struct tcphdr *tcph;
+	struct tcphdr buf;
+
+	tcph = skb_header_pointer(skb, offset, sizeof(buf), &buf);
+	if (tcph == NULL)
+		return false;
+
+	*length = skb->len - offset;
+	if (*length >= 4 * tcph->doff)
+		*length -= 4 * tcph->doff;
+	return true;
+}
+
+static bool
+xtlength_layer5_dccp(unsigned int *length, const struct sk_buff *skb,
+                     unsigned int offset)
+{
+	const struct dccp_hdr *dh;
+	struct dccp_hdr dhbuf;
+
+	dh = skb_header_pointer(skb, offset, sizeof(dhbuf), &dhbuf);
+	if (dh == NULL)
+		return false;
+
+	*length = skb->len - offset;
+	if (*length >= 4 * dh->dccph_doff)
+		*length -= 4 * dh->dccph_doff;
+	return true;
+}
+
+static inline bool
+xtlength_layer5(unsigned int *length, const struct sk_buff *skb,
+                unsigned int prot, unsigned int offset)
+{
+	switch (prot) {
+	case IPPROTO_TCP:
+		return xtlength_layer5_tcp(length, skb, offset);
+	case IPPROTO_UDP:
+	case IPPROTO_UDPLITE:
+		*length = skb->len - offset - sizeof(struct udphdr);
+		return true;
+	case IPPROTO_SCTP:
+		*length = skb->len - offset - sizeof(struct sctphdr);
+		return true;
+	case IPPROTO_DCCP:
+		return xtlength_layer5_dccp(length, skb, offset);
+	case IPPROTO_ICMP:
+		*length = skb->len - offset - sizeof(struct icmphdr);
+		return true;
+	case IPPROTO_ICMPV6:
+		*length = skb->len - offset -
+		          offsetof(struct icmp6hdr, icmp6_dataun);
+		return true;
+	case IPPROTO_AH:
+		*length = skb->len - offset - sizeof(struct ip_auth_hdr);
+		return true;
+	case IPPROTO_ESP:
+		*length = skb->len - offset - sizeof(struct ip_esp_hdr);
+		return true;
+	}
+	return false;
+}
+
+static bool
+xtlength_layer7_sctp(unsigned int *length, const struct sk_buff *skb,
+                     unsigned int offset)
+{
+	const struct sctp_chunkhdr *ch;
+	struct sctp_chunkhdr chbuf;
+	unsigned int pos;
+
+	*length = 0;
+	for (pos = sizeof(struct sctphdr); pos < skb->len;
+	     pos += ntohs(ch->length))
+	{
+		ch = skb_header_pointer(skb, offset + pos,
+		     sizeof(chbuf), &chbuf);
+		if (ch == NULL)
+			return false;
+		if (ch->type != SCTP_CID_DATA)
+			continue;
+		*length += ntohs(ch->length);
+	}
+	return true;
+}
+
+static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
+                            unsigned int proto, unsigned int offset)
+{
+	switch (proto) {
+	case IPPROTO_SCTP:
+		return xtlength_layer7_sctp(length, skb, offset);
+	default:
+		return xtlength_layer5(length, skb, proto, offset);
+	}
+}
+
+/**
+ * llayer4_proto - figure out the L4 protocol in an IPv6 packet
+ * @skb:	skb pointer
+ * @offset:	position at which L4 starts (equal to 'protoff' in IPv4 code)
+ * @hotdrop:	hotdrop pointer
+ *
+ * Searches for a recognized L4 header. On success, fills in @offset and
+ * returns the protocol number. If not found, %NEXTHDR_MAX is returned.
+ * On error, @hotdrop is set.
+ */
+static unsigned int
+llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
+{
+	/*
+	 * Do encapsulation first so that %NEXTHDR_TCP does not hit the TCP
+	 * part in an IPv6-in-IPv6 encapsulation.
+	 */
+	static const unsigned int types[] =
+		{IPPROTO_IPV6, IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH,
+		IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_UDPLITE,
+		IPPROTO_SCTP, IPPROTO_DCCP};
+	unsigned int i;
+	int err;
+
+	for (i = 0; i < ARRAY_SIZE(types); ++i) {
+		err = ipv6_find_hdr(skb, offset, types[i], NULL);
+		if (err >= 0)
+			return types[i];
+		if (err != -ENOENT) {
+			*hotdrop = true;
+			break;
+		}
+	}
+
+	return NEXTHDR_MAX;
+}
+
+static bool
+length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_length_mtinfo2 *info = par->matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+	unsigned int len = 0;
+	bool hit = true;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		len = ntohs(iph->tot_len);
+	else if (info->flags & XT_LENGTH_LAYER4)
+		len = ntohs(iph->tot_len) - par->thoff;
+	else if (info->flags & XT_LENGTH_LAYER5)
+		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
+	else if (info->flags & XT_LENGTH_LAYER7)
+		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
+	if (!hit)
+		return false;
+
+	return (len >= info->min && len <= info->max) ^
+	       !!(info->flags & XT_LENGTH_INVERT);
+}
+
+#ifdef WITH_IPV6
+static bool
+length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_length_mtinfo2 *info = par->matchinfo;
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
+	unsigned int len = 0, l4proto;
+	unsigned int thoff = par->thoff;
+	bool hit = true;
+
+	if (info->flags & XT_LENGTH_LAYER3) {
+		len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
+	} else {
+		l4proto = llayer4_proto(skb, &thoff, par->hotdrop);
+		if (l4proto == NEXTHDR_MAX)
+			return false;
+		if (info->flags & XT_LENGTH_LAYER4)
+			len = skb->len - thoff;
+		else if (info->flags & XT_LENGTH_LAYER5)
+			hit = xtlength_layer5(&len, skb, l4proto, thoff);
+		else if (info->flags & XT_LENGTH_LAYER7)
+			hit = xtlength_layer7(&len, skb, l4proto, thoff);
+	}
+	if (!hit)
+		return false;
+
+	return (len >= info->min && len <= info->max) ^
+	       !!(info->flags & XT_LENGTH_INVERT);
+}
+#endif
+
+static struct xt_match length2_mt_reg[] __read_mostly = {
+	{
+		.name           = "length2",
+		.revision       = 2,
+		.family         = NFPROTO_IPV4,
+		.match          = length2_mt,
+		.matchsize      = sizeof(struct xt_length_mtinfo2),
+		.me             = THIS_MODULE,
+	},
+#ifdef WITH_IPV6
+	{
+		.name           = "length2",
+		.revision       = 2,
+		.family         = NFPROTO_IPV6,
+		.match          = length2_mt6,
+		.matchsize      = sizeof(struct xt_length_mtinfo2),
+		.me             = THIS_MODULE,
+	},
+#endif
+};
+
+static int __init length2_mt_init(void)
+{
+	return xt_register_matches(length2_mt_reg, ARRAY_SIZE(length2_mt_reg));
+}
+
+static void __exit length2_mt_exit(void)
+{
+	xt_unregister_matches(length2_mt_reg, ARRAY_SIZE(length2_mt_reg));
+}
+
+module_init(length2_mt_init);
+module_exit(length2_mt_exit);

extensions/xt_length2.h

@@ -0,0 +1,22 @@
+#ifndef _LINUX_NETFILTER_XT_LENGTH2_H
+#define _LINUX_NETFILTER_XT_LENGTH2_H
+
+enum {
+	XT_LENGTH_INVERT = 1 << 0,
+
+	/* IP header plus payload */
+	XT_LENGTH_LAYER3 = 1 << 1,
+	/* Strip IP header: */
+	XT_LENGTH_LAYER4 = 1 << 2,
+	/* Strip TCP/UDP/etc. header */
+	XT_LENGTH_LAYER5 = 1 << 3,
+	/* TCP/UDP/SCTP payload */
+	XT_LENGTH_LAYER7 = 1 << 4,
+};
+
+struct xt_length_mtinfo2 {
+	u_int32_t min, max;
+	u_int16_t flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_LENGTH2_H */

extensions/xt_lscan.Kconfig

@@ -1,8 +1,8 @@
-config NETFILTER_XT_MATCH_PORTSCAN
-	tristate '"portscan" target support'
+config NETFILTER_XT_MATCH_LSCAN
+	tristate '"lscan" match support'
 	depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
 	---help---
-	The portscan match allows to match on the basic types of nmap
+	The LSCAN match allows to match on the basic types of nmap
 	scans: Stealth Scan, SYN scan and connect scan. It can also match
 	"grab-only" connections, i.e. where data flows in only one
 	direction.

extensions/xt_lscan.c

@@ -1,6 +1,6 @@
 /*
- *	portscan match for netfilter
- *	Copyright © CC Computer Consultants GmbH, 2006 - 2008
+ *	LSCAN match for netfilter
+ *	Copyright © Jan Engelhardt, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or modify
  *	it under the terms of the GNU General Public License; either version
@@ -17,8 +17,7 @@
 #include <linux/version.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_tcpudp.h>
-//#include <net/netfilter/nf_conntrack.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
 
@@ -103,8 +102,8 @@ static inline bool tflg_synack(const struct tcphdr *th)
 	       (TCP_FLAG_SYN | TCP_FLAG_ACK);
 }
 
-/* portscan functions */
-static inline bool portscan_mt_stealth(const struct tcphdr *th)
+/* lscan functions */
+static inline bool lscan_mt_stealth(const struct tcphdr *th)
 {
 	/*
 	 * "Connection refused" replies to our own probes must not be matched.
@@ -126,7 +125,7 @@ static inline bool portscan_mt_stealth(const struct tcphdr *th)
 	return !tflg_syn(th);
 }
 
-static inline unsigned int portscan_mt_full(int mark,
+static inline unsigned int lscan_mt_full(int mark,
     enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
     unsigned int payload_len)
 {
@@ -172,9 +171,9 @@ static inline unsigned int portscan_mt_full(int mark,
 }
 
 static bool
-portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-	const struct xt_portscan_mtinfo *info = par->matchinfo;
+	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
 	const struct tcphdr *tcph;
 	struct nf_conn *ctdata;
@@ -187,7 +186,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	/* Check for invalid packets: -m conntrack --ctstate INVALID */
 	if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
 		if (info->match_stealth)
-			return portscan_mt_stealth(tcph);
+			return lscan_mt_stealth(tcph);
 		/*
 		 * If @ctdata is NULL, we cannot match the other scan
 		 * types, return.
@@ -196,7 +195,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	}
 
 	/*
-	 * If -m portscan was previously applied to this packet, the rules we
+	 * If -m lscan was previously applied to this packet, the rules we
 	 * simulate must not be run through again. And for speedup, do not call
 	 * it either when the connection is already VALID.
 	 */
@@ -204,7 +203,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	     (skb_nfmark(skb) & packet_mask) != mark_seen) {
 		unsigned int n;
 
-		n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
+		n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
 		    par->in == init_net__loopback_dev, tcph,
 		    skb->len - par->thoff - 4 * tcph->doff);
 
@@ -217,9 +216,9 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	       (info->match_gr && ctdata->mark == mark_grscan);
 }
 
-static bool portscan_mt_check(const struct xt_mtchk_param *par)
+static bool lscan_mt_check(const struct xt_mtchk_param *par)
 {
-	const struct xt_portscan_mtinfo *info = par->matchinfo;
+	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
 	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
 	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
@@ -229,44 +228,44 @@ static bool portscan_mt_check(const struct xt_mtchk_param *par)
 	return true;
 }
 
-static struct xt_match portscan_mt_reg[] __read_mostly = {
+static struct xt_match lscan_mt_reg[] __read_mostly = {
 	{
-		.name       = "portscan",
+		.name       = "lscan",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.match      = portscan_mt,
-		.checkentry = portscan_mt_check,
-		.matchsize  = sizeof(struct xt_portscan_mtinfo),
+		.match      = lscan_mt,
+		.checkentry = lscan_mt_check,
+		.matchsize  = sizeof(struct xt_lscan_mtinfo),
 		.proto      = IPPROTO_TCP,
 		.me         = THIS_MODULE,
 	},
 	{
-		.name       = "portscan",
+		.name       = "lscan",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.match      = portscan_mt,
-		.checkentry = portscan_mt_check,
-		.matchsize  = sizeof(struct xt_portscan_mtinfo),
+		.match      = lscan_mt,
+		.checkentry = lscan_mt_check,
+		.matchsize  = sizeof(struct xt_lscan_mtinfo),
 		.proto      = IPPROTO_TCP,
 		.me         = THIS_MODULE,
 	},
 };
 
-static int __init portscan_mt_init(void)
+static int __init lscan_mt_init(void)
 {
-	return xt_register_matches(portscan_mt_reg,
-	       ARRAY_SIZE(portscan_mt_reg));
+	return xt_register_matches(lscan_mt_reg,
+	       ARRAY_SIZE(lscan_mt_reg));
 }
 
-static void __exit portscan_mt_exit(void)
+static void __exit lscan_mt_exit(void)
 {
-	xt_unregister_matches(portscan_mt_reg, ARRAY_SIZE(portscan_mt_reg));
+	xt_unregister_matches(lscan_mt_reg, ARRAY_SIZE(lscan_mt_reg));
 }
 
-module_init(portscan_mt_init);
-module_exit(portscan_mt_exit);
+module_init(lscan_mt_init);
+module_exit(lscan_mt_exit);
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: \"portscan\" match");
+MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_portscan");
-MODULE_ALIAS("ip6t_portscan");
+MODULE_ALIAS("ipt_lscan");
+MODULE_ALIAS("ip6t_lscan");

extensions/xt_lscan.h

@@ -0,0 +1,8 @@
+#ifndef _LINUX_NETFILTER_XT_LSCAN_H
+#define _LINUX_NETFILTER_XT_LSCAN_H 1
+
+struct xt_lscan_mtinfo {
+	uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
+#endif /* _LINUX_NETFILTER_XT_LSCAN_H */

extensions/xt_portscan.h

@@ -1,8 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
-#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
-
-struct xt_portscan_mtinfo {
-	uint8_t match_stealth, match_syn, match_cn, match_gr;
-};
-
-#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */

extensions/xt_quota2.Kconfig

@@ -0,0 +1,8 @@
+config NETFILTER_XT_MATCH_QUOTA2
+	tristate '"quota2" match support'
+	depends on NETFILTER_XTABLES
+	---help---
+	This option adds the "quota2" match which is an advanced form of
+	xt_quota that also allows counting upwards, and where the counter can
+	be set through procfs. This allows for simple interfacing of
+	accounting information.

m4/.gitignore

@@ -0,0 +1,2 @@
+/libtool.m4
+/lt*.m4

mconfig

@@ -2,10 +2,11 @@
 #
 build_CHAOS=m
 build_DELUDE=m
-build_DHCPADDR=m
+build_DHCPMAC=m
 build_ECHO=
 build_IPMARK=m
 build_LOGMARK=m
+build_STEAL=m
 build_SYSRQ=m
 build_TARPIT=m
 build_TEE=m
@@ -14,5 +15,7 @@ build_fuzzy=m
 build_geoip=m
 build_ipp2p=m
 build_ipset=m
-build_portscan=m
+build_ipv4options=m
+build_length2=m
+build_lscan=m
 build_quota2=m

xtables-addons.8.in

@@ -1,9 +1,9 @@
-.TH xtables\-addons 8 2008\-11\-18
-.SH NAME
+.TH xtables\-addons 8 "v1.14 (2009\-03\-31)" "" "v1.14 (2009\-03\-31)"
+.SH Name
 Xtables\-addons - additional extensions for iptables, ip6tables, etc.
-.SH TARGETS
+.SH Targets
 .\" @TARGET@
-.SH MATCHES
+.SH Matches
 .\" @MATCHES@
 .SH "SEE ALSO"
 \fBiptables\fP(8), \fBip6tables\fP(8)