Xtables-addons 1.8

The code here is only usable with IPv4.

INSTALL

@@ -65,6 +65,19 @@ If you want to enable debugging, use
 much easier.)
 
 
+Build-time options
+==================
+
+V= controls the kernel's make verbosity.
+V=0	"silent" (output filename)
+V=1	"verbose" (entire gcc command line)
+
+VU= controls the Xt-a make verbosity.
+VU=0	output filename
+VU=1	output filename and source file
+VU=2	entire gcc command line
+
+
 Note to distribution packagers
 ==============================
 

Makefile.am

@@ -1,12 +1,13 @@
 # -*- Makefile -*-
 
+ACLOCAL_AMFLAGS  = -I m4
 AUTOMAKE_OPTIONS = foreign subdir-objects
-SUBDIRS          = extensions extensions/ipset
+SUBDIRS          = extensions
 
 man_MANS := xtables-addons.8
 
 xtables-addons.8: ${srcdir}/xtables-addons.8.in extensions/matches.man extensions/targets.man
-	${AM_VERBOSE_GEN} sed -e '/@MATCHES@/ r extensions/matches.man' -e '/@TARGET@/ r extensions/targets.man' $< >$@;
+	${am__verbose_GEN}sed -e '/@MATCHES@/ r extensions/matches.man' -e '/@TARGET@/ r extensions/targets.man' $< >$@;
 
 extensions/%:
 	${MAKE} ${AM_MAKEFLAGS} -C $(@D) $(@F)

configure.ac

@@ -1,8 +1,9 @@
 
-AC_INIT([xtables-addons], [1.6])
+AC_INIT([xtables-addons], [1.8])
 AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
-AM_INIT_AUTOMAKE
+AM_INIT_AUTOMAKE([-Wall])
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_DISABLE_STATIC
@@ -63,4 +64,5 @@ AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
-AC_OUTPUT([Makefile extensions/GNUmakefile extensions/ipset/GNUmakefile])
+AC_CONFIG_FILES([Makefile extensions/GNUmakefile extensions/ipset/GNUmakefile])
+AC_OUTPUT

extensions/GNUmakefile.in

@@ -30,15 +30,17 @@ xtables_CFLAGS  := @xtables_CFLAGS@
 AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS}
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
-ifeq (${V},)
+VU := 0
-AM_LIBTOOL_SILENT = --silent
+am__1verbose_CC_0     = @echo "  CC      " $@;
-AM_VERBOSE_CC     = @echo "  CC      " $@;
+am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
-AM_VERBOSE_CCLD   = @echo "  CCLD    " $@;
+am__1verbose_GEN_0    = @echo "  GEN     " $@;
-AM_VERBOSE_CXX    = @echo "  CXX     " $@;
+am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
-AM_VERBOSE_CXXLD  = @echo "  CXXLD   " $@;
+am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
-AM_VERBOSE_AR     = @echo "  AR      " $@;
+am__1verbose_GEN_1    = @echo "  GEN     " $@ "<-" $<;
-AM_VERBOSE_GEN    = @echo "  GEN     " $@;
+am__verbose_CC        = ${am__1verbose_CC_${VU}}
-endif
+am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
+am__verbose_GEN       = ${am__1verbose_GEN_${VU}}
+
 
 #
 #	Wildcard module list
@@ -53,22 +55,30 @@ include ${srcdir}/Mbuild
 #
 #	Building blocks
 #
-targets := ${obj-m}
+targets := $(filter-out %/,${obj-m})
-targets_install := ${obj-m}
+targets_install := ${targets}
+subdirs_list := $(filter %/,${obj-m})
 
 .SECONDARY:
 
 .PHONY: all install clean distclean FORCE
 
-all: modules user matches.man targets.man
+all: subdirs modules user matches.man targets.man
+
+subdirs:
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i; done;
+
+subdirs-install:
+	@for i in ${subdirs_list}; do ${MAKE} -C $$i install; done;
 
 user: ${targets}
 
-install: modules_install ${targets_install}
+install: modules_install subdirs-install ${targets_install}
 	@mkdir -p "${DESTDIR}${xtlibdir}";
 	install -pm0755 ${targets_install} "${DESTDIR}${xtlibdir}/";
 
 clean: clean_modules
+	@for i in ${subdirs_list}; do make -C $$i clean; done;
 	rm -f *.oo *.so;
 
 distclean: clean
@@ -96,10 +106,10 @@ clean_modules:
 #	Shared libraries
 #
 lib%.so: lib%.oo
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
 
 lib%.oo: ${srcdir}/lib%.c
-	${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
 
 
 #
@@ -116,8 +126,7 @@ wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets})
 	rm -f $@.tmp;
 
 man_run    = \
-	${AM_VERBOSE_GEN} \
+	${am__verbose_GEN}for ext in $(1); do \
-	for ext in $(1); do \
 		f="${srcdir}/libxt_$$ext.man"; \
 		if [ -f "$$f" ]; then \
 			echo ".SS $$ext"; \

extensions/Mbuild

@@ -11,5 +11,6 @@ obj-${build_condition}   += libxt_condition.so
 obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
+obj-${build_ipset}       += ipset/
 obj-${build_portscan}    += libxt_portscan.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/ipset/GNUmakefile.in

@@ -32,20 +32,20 @@ xtables_CFLAGS  := @xtables_CFLAGS@
 AM_CFLAGS      := ${regular_CFLAGS} -I${top_srcdir}/include ${xtables_CFLAGS} ${kinclude_CFLAGS} -DIPSET_LIB_DIR=\"${xtlibdir}\"
 AM_DEPFLAGS     = -Wp,-MMD,$(@D)/.$(@F).d,-MT,$@
 
-ifeq (${V},)
+VU := 0
-AM_LIBTOOL_SILENT = --silent
+am__1verbose_CC_0     = @echo "  CC      " $@;
-AM_VERBOSE_CC     = @echo "  CC      " $@;
+am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
-AM_VERBOSE_CCLD   = @echo "  CCLD    " $@;
+am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
-AM_VERBOSE_CXX    = @echo "  CXX     " $@;
+am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
-AM_VERBOSE_CXXLD  = @echo "  CXXLD   " $@;
+am__verbose_CC        = ${am__1verbose_CC_${VU}}
-AM_VERBOSE_AR     = @echo "  AR      " $@;
+am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
-AM_VERBOSE_GEN    = @echo "  GEN     " $@;
-endif
 
 #
 #	Building blocks
 #
-targets := $(addsuffix .so,$(addprefix libipset_,iphash ipmap ipporthash iptree iptreemap macipmap nethash portmap))
+targets := $(addsuffix .so,$(addprefix libipset_, \
+	iphash ipmap ipporthash ipportiphash ipportnethash iptree \
+	iptreemap macipmap nethash portmap setlist))
 
 .SECONDARY:
 
@@ -69,16 +69,16 @@ distclean: clean
 
 
 ipset: ipset.o
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -o $@ $< -ldl -rdynamic;
+	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} ${LDFLAGS} -o $@ $< -ldl -rdynamic;
 
 #
 #	Shared libraries
 #
 lib%.so: lib%.oo
-	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
+	${am__verbose_CCLD}${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $<;
 
 libipset_%.oo: ${srcdir}/ipset_%.c
-	${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
 
 %.o: %.c
-	${AM_VERBOSE_CC} ${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} ${CFLAGS} -o $@ -c $<;
+	${am__verbose_CC}${CC} ${AM_DEPFLAGS} ${AM_CFLAGS} ${CFLAGS} -o $@ -c $<;

extensions/libxt_CHAOS.c

@@ -106,8 +106,7 @@ static struct xtables_target chaos_tg_reg = {
 	.extra_opts    = chaos_tg_opts,
 };
 
-void _init(void);
+static __attribute__((constructor)) void chaos_tg_ldr(void)
-void _init(void)
 {
 	xtables_register_target(&chaos_tg_reg);
 }

extensions/libxt_DELUDE.c

@@ -41,8 +41,7 @@ static struct xtables_target delude_tg_reg = {
 	.final_check   = delude_tg_check,
 };
 
-void _init(void);
+static __attribute__((constructor)) void delude_tg_ldr(void)
-void _init(void)
 {
 	xtables_register_target(&delude_tg_reg);
 }

extensions/libxt_DHCPADDR.c

@@ -95,7 +95,7 @@ static struct xtables_target dhcpaddr_tg_reg = {
 	.extra_opts    = dhcpaddr_tg_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void dhcpaddr_tg_ldr(void)
 {
 	xtables_register_target(&dhcpaddr_tg_reg);
 }

extensions/libxt_ECHO.c

@@ -37,7 +37,7 @@ static struct xtables_target echo_tg_reg = {
 	.final_check   = echo_tg_check,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void echo_tg_ldr(void)
 {
 	xtables_register_target(&echo_tg_reg);
 }

extensions/libxt_ECHO.man

@@ -0,0 +1,4 @@
+The \fBECHO\fP target will send back all packets it received. It serves as an
+examples for an Xtables target.
+.PP
+ECHO takes no options.

extensions/libxt_IPMARK.c

@@ -175,7 +175,7 @@ static struct xtables_target ipmark_tg6_reg = {
 	.extra_opts    = ipmark_tg_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void ipmark_tg_ldr(void)
 {
 	xtables_register_target(&ipmark_tg4_reg);
 	xtables_register_target(&ipmark_tg6_reg);

extensions/libxt_LOGMARK.c

@@ -111,8 +111,7 @@ static struct xtables_target logmark_tg_reg = {
 	.extra_opts    = logmark_tg_opts,
 };
 
-void _init(void);
+static __attribute__((constructor)) void logmark_tg_ldr(void)
-void _init(void)
 {
 	xtables_register_target(&logmark_tg_reg);
 }

extensions/libxt_SYSRQ.c

@@ -43,7 +43,7 @@ static struct xtables_target sysrq_tg6_reg = {
 	.final_check   = sysrq_tg_check,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void sysrq_tg_ldr(void)
 {
 	xtables_register_target(&sysrq_tg4_reg);
 	xtables_register_target(&sysrq_tg6_reg);

extensions/libxt_SYSRQ.man

@@ -1,17 +1,19 @@
 The SYSRQ target allows to remotely trigger sysrq on the local machine over the
 network. This can be useful when vital parts of the machine hang, for example
 an oops in a filesystem causing locks to be not released and processes to get
-stuck as a result -- if still possible, use /proc/sysrq-trigger. Even when
+stuck as a result - if still possible, use /proc/sysrq-trigger. Even when
 processes are stuck, interrupts are likely to be still processed, and as such,
 sysrq can be triggered through incoming network packets.
 .PP
-This xt_SYSRQ implementation does not use any encryption, so you should change
+The xt_SYSRQ implementation uses a salted hash and a sequence number to prevent
-the SYSRQ password after use unless you have made sure it was transmitted
+network sniffers from either guessing the password or replaying earlier
-securely and no one sniffed the network, e.g. by use of an IPsec tunnel whose
+requests. The initial sequence number comes from the time of day so you will
-endpoint is at the machine where you want to trigger the sysrq. Also, you
+have a small window of vulnerability should time go backwards at a reboot.
-should limit as to who can issue commands using \fB-s\fP and/or \fB-m mac\fP,
+However, the file /sys/module/xt_SYSREQ/seqno can be used to both query and
-and also that the destination is correct using \fB-d\fP (to protect against
+update the current sequence number. Also, you should limit as to who can issue
-potential broadcast packets), noting that it is still short of MAC/IP spoofing:
+commands using \fB-s\fP and/or \fB-m mac\fP, and also that the destination is
+correct using \fB-d\fP (to protect against potential broadcast packets), noting
+that it is still short of MAC/IP spoofing:
 .IP
 -A INPUT -s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
 -p udp --dport 9 -j SYSRQ
@@ -20,28 +22,59 @@ potential broadcast packets), noting that it is still short of MAC/IP spoofing:
 ipsec --proto esp --tunnel-src 10.10.25.1 --tunnel-dst 10.10.25.7
 -p udp --dport 9 -j SYSRQ
 .PP
+You should also limit the rate at which connections can be received to limit
+the CPU time taken by illegal requests, for example:
+.IP
+-A INPUT 0s 10.10.25.1 -m mac --mac-source aa:bb:cc:dd:ee:ff -d 10.10.25.7
+-p udp --dport 9 -m limit --limit 5/minute -j SYSRQ
+.PP
 This extension does not take any options. The \fB-p udp\fP options are
 required.
 .PP
 The SYSRQ password can be changed through
-/sys/module/xt_SYSRQ/parameters/password; note you need to use `echo -n` to
+/sys/module/xt_SYSRQ/parameters/password, for example:
-not add a newline to the password, i.e.
 .IP
-echo -n "password" >/sys/.../password
+echo -n "password" >/sys/module/xt_SYSRQ/parameters/password
 .PP
 Alternatively, the password may be specified at modprobe time, but this is
 insecure as people can possible see it through ps(1). You can use an option
-line in /etc/modprobe.d/sysrq if it is properly guarded, that is, only readable
+line in e.g. /etc/modprobe.d/xt_sysrq if it is properly guarded, that is, only
-by root.
+readable by root.
 .IP
 options xt_SYSRQ password=cookies
 .PP
-To trigger SYSRQ from a remote host, just use netcat or socat, specifying the
+The hash algorithm can also be specified as a module option, for example, to
-action (only one) as first character, followed by the password:
+use SHA-256 instead of the default SHA-1:
 .IP
-echo -n "scookies" | socat stdin udp-sendto:10.10.25.7:9
+options xt_SYSRQ hash=sha256
-.IP
-echo -n "scookies" | netcat -u 10.10.25.7 9
 .PP
-See the Linux docs for possible sysrq keys. Important ones are:
+The xt_SYSRQ module is normally silent unless a successful request is received,
-re(b)oot, power(o)ff, (s)ync filesystems, (u)mount and remount readonly.
+but the \fIdebug\fP module parameter can be used to find exactly why a
+seemingly correct request is not being processed.
+.PP
+To trigger SYSRQ from a remote host, just use netcat or socat:
+.PP
+.nf
+sysrq_key="s"  # the SysRq key(s)
+password="password"
+seqno="$(date +%s)"
+salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
+    openssl enc -base64)"
+req="$sysrq_key,$seqno,$salt"
+req="$req,$(echo -n "$req,$password" | sha1sum | cut -c1-40)"
+
+echo "$req" | socat stdin udp-sendto:10.10.25.7:9
+# or
+echo "$req" | netcat -uw1 10.10.25.7 9
+.fi
+.PP
+See the Linux docs for possible sysrq keys. Important ones are: re(b)oot,
+power(o)ff, (s)ync filesystems, (u)mount and remount readonly.  More than one
+sysrq key can be used at once, but bear in mind that, for example, a sync may
+not complete before a subsequent reboot or poweroff.
+.PP
+The hashing scheme should be enough to prevent mis-use of SYSRQ in many
+environments, but it is not perfect: take reasonable precautions to
+protect your machines.  Most importantly ensure that each machine has a
+different password; there is scant protection for a SYSRQ packet being
+applied to a machine that happens to have the same password.

extensions/libxt_TARPIT.c

@@ -32,7 +32,7 @@ static struct xtables_target tarpit_tg_reg = {
 	.final_check   = tarpit_tg_check,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void tarpit_tg_ldr(void)
 {
 	xtables_register_target(&tarpit_tg_reg);
 }

extensions/libxt_TEE.c

@@ -1,7 +1,7 @@
 /*
  *	"TEE" target extension for iptables
  *	Copyright © Sebastian Claßen <sebastian.classen [at] freenet.ag>, 2007
- *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
+ *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -70,6 +70,35 @@ static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 	return false;
 }
 
+static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_target **target)
+{
+	struct xt_tee_tginfo *info = (void *)(*target)->data;
+	const struct in6_addr *ia;
+
+	switch (c) {
+	case 'g':
+		if (*flags & FLAG_GATEWAY)
+			exit_error(PARAMETER_PROBLEM,
+			           "Cannot specify --gw more than once");
+
+		if (check_inverse(optarg, &invert, NULL, 0))
+			exit_error(PARAMETER_PROBLEM,
+			           "Unexpected \"!\" after --gateway");
+
+		ia = numeric_to_ip6addr(optarg);
+		if (ia == NULL)
+			exit_error(PARAMETER_PROBLEM,
+			           "Invalid IP address %s", optarg);
+
+		memcpy(&info->gw, ia, sizeof(*ia));
+		*flags |= FLAG_GATEWAY;
+		return true;
+	}
+
+	return false;
+}
+
 static void tee_tg_check(unsigned int flags)
 {
 	if (flags == 0)
@@ -83,9 +112,20 @@ static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
 	const struct xt_tee_tginfo *info = (const void *)target->data;
 
 	if (numeric)
-		printf("TEE gw:%s ", ipaddr_to_anyname(&info->gw.in));
-	else
 		printf("TEE gw:%s ", ipaddr_to_numeric(&info->gw.in));
+	else
+		printf("TEE gw:%s ", ipaddr_to_anyname(&info->gw.in));
+}
+
+static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
+                          int numeric)
+{
+	const struct xt_tee_tginfo *info = (const void *)target->data;
+
+	if (numeric)
+		printf("TEE gw:%s ", ip6addr_to_numeric(&info->gw.in6));
+	else
+		printf("TEE gw:%s ", ip6addr_to_anyname(&info->gw.in6));
 }
 
 static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
@@ -95,9 +135,18 @@ static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
 	printf("--gateway %s ", ipaddr_to_numeric(&info->gw.in));
 }
 
+static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_tee_tginfo *info = (const void *)target->data;
+
+	printf("--gateway %s ", ip6addr_to_numeric(&info->gw.in6));
+}
+
 static struct xtables_target tee_tg_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
+	.revision      = 0,
+	.family        = PF_INET,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,
@@ -108,7 +157,23 @@ static struct xtables_target tee_tg_reg = {
 	.extra_opts    = tee_tg_opts,
 };
 
-static void _init(void)
+static struct xtables_target tee_tg6_reg = {
+	.name          = "TEE",
+	.version       = XTABLES_VERSION,
+	.revision      = 0,
+	.family        = PF_INET6,
+	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+	.help          = tee_tg_help,
+	.parse         = tee_tg6_parse,
+	.final_check   = tee_tg_check,
+	.print         = tee_tg6_print,
+	.save          = tee_tg6_save,
+	.extra_opts    = tee_tg_opts,
+};
+
+static __attribute__((constructor)) void tee_tg_ldr(void)
 {
 	xtables_register_target(&tee_tg_reg);
+	xtables_register_target(&tee_tg6_reg);
 }

extensions/libxt_TEE.man

@@ -0,0 +1,8 @@
+The \fBTEE\fP target will clone a packet and redirect this clone to another
+machine on the \fBlocal\fP network segment. In other words, the nexthop
+must be the target, or you will have to configure the nexthop to forward it
+further if so desired.
+.TP
+\fB--gw\fP \fIipaddr\fP
+Send the cloned packet to the host reachable at the given IP address.
+Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.

extensions/libxt_condition.c

@@ -92,7 +92,7 @@ static struct xtables_match condition_mt_reg = {
 	.extra_opts 	= condition_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void condition_mt_ldr(void)
 {
 	xtables_register_match(&condition_mt_reg);
 }

extensions/libxt_dhcpaddr.c

@@ -96,7 +96,7 @@ static struct xtables_match dhcpaddr_mt_reg = {
 	.extra_opts    = dhcpaddr_mt_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void dhcpaddr_mt_ldr(void)
 {
 	xtables_register_match(&dhcpaddr_mt_reg);
 }

extensions/libxt_fuzzy.c

@@ -112,7 +112,7 @@ static struct xtables_match fuzzy_mt_reg = {
 	.extra_opts    = fuzzy_mt_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void fuzzy_mt_ldr(void)
 {
 	xtables_register_match(&fuzzy_mt_reg);
 }

extensions/libxt_geoip.c

@@ -272,7 +272,7 @@ static struct xtables_match geoip_match = {
 	 .extra_opts    = geoip_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void geoip_mt_ldr(void)
 {
 	xtables_register_match(&geoip_match);
 }

extensions/libxt_ipp2p.c

@@ -22,7 +22,7 @@
 static void ipp2p_mt_help(void)
 {
 	printf(
-	"IPP2P v%s options:\n"
+	"ipp2p v%s match options:\n"
 	"  --edk    [tcp,udp]  All known eDonkey/eMule/Overnet packets\n"
 	"  --dc     [tcp]      All known Direct Connect packets\n"
 	"  --kazaa  [tcp,udp]  All known KaZaA packets\n"
@@ -32,19 +32,10 @@ static void ipp2p_mt_help(void)
 	"  --winmx  [tcp]      All known WinMX\n"
 	"  --soul   [tcp]      All known SoulSeek\n"
 	"  --ares   [tcp]      All known Ares\n\n"
-	"EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n"
+	"EXPERIMENTAL protocols:\n"
 	"  --mute   [tcp]      All known Mute packets\n"
 	"  --waste  [tcp]      All known Waste packets\n"
 	"  --xdcc   [tcp]      All known XDCC packets (only xdcc login)\n\n"
-	"DEBUG SUPPPORT, use only if you know why\n"
-	"  --debug             Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
-	"\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
-	"You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
-	"\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
-	"\nExamples:\n"
-	" iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
-	" iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
-	" iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
 	, IPP2P_VERSION);
 }
 
@@ -242,7 +233,7 @@ static struct xtables_match ipp2p_mt_reg = {
 	.extra_opts    = ipp2p_mt_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void ipp2p_mt_ldr(void)
 {
 	xtables_register_match(&ipp2p_mt_reg);
 }

extensions/libxt_ipp2p.man

@@ -1,12 +1,12 @@
 This module matches certain packets in P2P flows. It is not
 designed to match all packets belonging to a P2P connection - 
-use IPP2P together with CONNMARK for this purpose. Also visit
+use IPP2P together with CONNMARK for this purpose.
-http://www.ipp2p.org for detailed information.
+.PP
-
 Use it together with -p tcp or -p udp to search these protocols
 only or without -p switch to search packets of both protocols.
-
+.PP
-IPP2P provides the following options:
+IPP2P provides the following options, of which one or more may be specified
+on the command line:
 .TP
 .B "--edk "
 Matches as many eDonkey/eMule packets as possible.
@@ -38,3 +38,11 @@ Matches Ares and AresLite packets. Use together with -j DROP only.
 .B "--debug "
 Prints some information about each hit into kernel logfile. May 
 produce huge logfiles so beware!
+.PP
+Note that ipp2p may not (and often, does not) identify all packets that are
+exchanged as a result of running filesharing programs.
+.PP
+There is more information on http://ipp2p.org/ , but it has not been updated
+since September 2006, and the syntax there is different from the ipp2p.c
+provided in Xtables-addons; most importantly, the --ipp2p flag was removed due
+to its ambiguity to match "all known" protocols.

extensions/libxt_portscan.c

@@ -116,8 +116,7 @@ static struct xtables_match portscan_mt_reg = {
 	.extra_opts    = portscan_mt_opts,
 };
 
-void _init(void);
+static __attribute__((constructor)) void portscan_mt_ldr(void)
-void _init(void)
 {
 	xtables_register_match(&portscan_mt_reg);
 }

extensions/libxt_portscan.man

@@ -20,7 +20,11 @@ connection was torn down after completion of the 3-way handshake.
 \fB--grscan\fR
 Match if data in the connection only flew in the direction of the remote side,
 e.g. if the connection was terminated after a locally running daemon sent its
-identification. (e.g. openssh)
+identification. (E.g. openssh, smtp, ftpd.) This may falsely trigger on
+warranted single-direction data flows, usually bulk data transfers such as
+FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
+ports where a protocol runs that is guaranteed to do a bidirectional exchange
+of bytes.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
 so be advised to carefully use xt_portscan in conjunction with blocking rules,

extensions/libxt_quota2.c

@@ -133,7 +133,7 @@ static struct xtables_match quota_mt2_reg = {
 	.extra_opts    = quota_mt2_opts,
 };
 
-static void _init(void)
+static __attribute__((constructor)) void quota2_mt_ldr(void)
 {
 	xtables_register_match(&quota_mt2_reg);
 }

extensions/xt_ECHO.c

@@ -32,6 +32,8 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 	unsigned int addr_type, data_len;
 	void *payload;
 
+	printk(KERN_INFO "dst_out=%p\n", (*poldskb)->dst->output);
+
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(*poldskb) < 0)
 		return NF_DROP;
@@ -75,10 +77,10 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_target_param *par)
 
 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
-	if (hooknum != NF_INET_FORWARD || (newskb->nf_bridge != NULL &&
+	if (par->hooknum != NF_INET_FORWARD || (newskb->nf_bridge != NULL &&
 	    newskb->nf_bridge->mask & BRNF_BRIDGED))
 #else
-	if (hooknum != NF_INET_FORWARD)
+	if (par->hooknum != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 

extensions/xt_SYSRQ.c

@@ -3,7 +3,6 @@
  *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
- *	xt_SYSRQ does not use hashing or timestamps.
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License
@@ -19,15 +18,145 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/crypto.h>
+#include <linux/scatterlist.h>
 #include <net/ip.h>
 #include "compat_xtables.h"
 
 static bool sysrq_once;
 static char sysrq_password[64];
+static char sysrq_hash[16] = "sha1";
+static long sysrq_seqno;
+static int sysrq_debug;
 module_param_string(password, sysrq_password, sizeof(sysrq_password),
 	S_IRUSR | S_IWUSR);
+module_param_string(hash, sysrq_hash, sizeof(sysrq_hash), S_IRUSR);
+module_param_named(seqno, sysrq_seqno, long, S_IRUSR | S_IWUSR);
+module_param_named(debug, sysrq_debug, int, S_IRUSR | S_IWUSR);
 MODULE_PARM_DESC(password, "password for remote sysrq");
+MODULE_PARM_DESC(hash, "hash algorithm, default sha1");
+MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
+MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+static struct crypto_hash *sysrq_tfm;
+static int sysrq_digest_size;
+static unsigned char *sysrq_digest_password;
+static unsigned char *sysrq_digest;
+static char *sysrq_hexdigest;
+
+/*
+ * The data is of the form "<requests>,<seqno>,<salt>,<hash>" where <requests>
+ * is a series of sysrq requests; <seqno> is a sequence number that must be
+ * greater than the last sequence number; <salt> is some random bytes; and
+ * <hash> is the hash of everything up to and including the preceding ","
+ * together with the password.
+ *
+ * For example
+ *
+ *   salt=$RANDOM
+ *   req="s,$(date +%s),$salt"
+ *   echo "$req,$(echo -n $req,secret | sha1sum | cut -c1-40)"
+ *
+ * You will want a better salt and password than that though :-)
+ */
+static unsigned int sysrq_tg(const void *pdata, uint16_t len)
+{
+	const char *data = pdata;
+	int i, n;
+	struct scatterlist sg[2];
+	struct hash_desc desc;
+	int ret;
+	long new_seqno = 0;
+
+	if (*sysrq_password == '\0') {
+		if (!sysrq_once)
+			printk(KERN_INFO KBUILD_MODNAME ": No password set\n");
+		sysrq_once = true;
+		return NF_DROP;
+	}
+	if (len == 0)
+		return NF_DROP;
+
+	for (i = 0; sysrq_password[i] != '\0' &&
+	     sysrq_password[i] != '\n'; ++i)
+		/* loop */;
+	sysrq_password[i] = '\0';
+
+	i = 0;
+	for (n = 0; n < len - 1; ++n) {
+		if (i == 1 && '0' <= data[n] && data[n] <= '9')
+			new_seqno = 10L * new_seqno + data[n] - '0';
+		if (data[n] == ',' && ++i == 3)
+			break;
+	}
+	++n;
+	if (i != 3) {
+		if (sysrq_debug)
+			printk(KERN_WARNING KBUILD_MODNAME
+				": badly formatted request\n");
+		return NF_DROP;
+	}
+	if (sysrq_seqno >= new_seqno) {
+		if (sysrq_debug)
+			printk(KERN_WARNING KBUILD_MODNAME
+				": old sequence number ignored\n");
+		return NF_DROP;
+	}
+
+	desc.tfm   = sysrq_tfm;
+	desc.flags = 0;
+	ret = crypto_hash_init(&desc);
+	if (ret != 0)
+		goto hash_fail;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
+	sg_init_table(sg, 2);
+#endif
+	sg_set_buf(&sg[0], data, n);
+	strcpy(sysrq_digest_password, sysrq_password);
+	i = strlen(sysrq_digest_password);
+	sg_set_buf(&sg[1], sysrq_digest_password, i);
+	ret = crypto_hash_digest(&desc, sg, n + i, sysrq_digest);
+	if (ret != 0)
+		goto hash_fail;
+
+	for (i = 0; i < sysrq_digest_size; ++i) {
+		sysrq_hexdigest[2*i] =
+			"0123456789abcdef"[(sysrq_digest[i] >> 4) & 0xf];
+		sysrq_hexdigest[2*i+1] =
+			"0123456789abcdef"[sysrq_digest[i] & 0xf];
+	}
+	sysrq_hexdigest[2*sysrq_digest_size] = '\0';
+	if (len - n < sysrq_digest_size) {
+		if (sysrq_debug)
+			printk(KERN_INFO KBUILD_MODNAME ": Short digest,"
+			       " expected %s\n", sysrq_hexdigest);
+		return NF_DROP;
+	}
+	if (strncmp(data + n, sysrq_hexdigest, sysrq_digest_size) != 0) {
+		if (sysrq_debug)
+			printk(KERN_INFO KBUILD_MODNAME ": Bad digest,"
+			       " expected %s\n", sysrq_hexdigest);
+		return NF_DROP;
+	}
+
+	/* Now we trust the requester */
+	sysrq_seqno = new_seqno;
+	for (i = 0; i < len && data[i] != ','; ++i) {
+		printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+		handle_sysrq(data[i], NULL);
+#else
+		handle_sysrq(data[i], NULL, NULL);
+#endif
+	}
+	return NF_ACCEPT;
+
+ hash_fail:
+	printk(KERN_WARNING KBUILD_MODNAME ": digest failure\n");
+	return NF_DROP;
+}
+#else
 static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 {
 	const char *data = pdata;
@@ -57,6 +186,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 #endif
 	return NF_ACCEPT;
 }
+#endif
 
 static unsigned int
 sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
@@ -73,9 +203,11 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	udph = (void *)iph + ip_hdrlen(skb);
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
-	printk(KERN_INFO KBUILD_MODNAME ": " NIPQUAD_FMT ":%u -> :%u len=%u\n",
+	if (sysrq_debug)
-	       NIPQUAD(iph->saddr), htons(udph->source), htons(udph->dest),
+		printk(KERN_INFO KBUILD_MODNAME
-	       len);
+		       ": " NIPQUAD_FMT ":%u -> :%u len=%u\n",
+		       NIPQUAD(iph->saddr), htons(udph->source),
+		       htons(udph->dest), len);
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
 
@@ -94,7 +226,9 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 	udph = udp_hdr(skb);
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
-	printk(KERN_INFO KBUILD_MODNAME ": " NIP6_FMT ":%hu -> :%hu len=%u\n",
+	if (sysrq_debug)
+		printk(KERN_INFO KBUILD_MODNAME
+		       ": " NIP6_FMT ":%hu -> :%hu len=%u\n",
 		       NIP6(iph->saddr), ntohs(udph->source),
 		       ntohs(udph->dest), len);
 	return sysrq_tg(udph + sizeof(struct udphdr), len);
@@ -102,6 +236,7 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 
 static bool sysrq_tg_check(const struct xt_tgchk_param *par)
 {
+
 	if (par->target->family == NFPROTO_IPV4) {
 		const struct ipt_entry *entry = par->entryinfo;
 
@@ -146,11 +281,64 @@ static struct xt_target sysrq_tg_reg[] __read_mostly = {
 
 static int __init sysrq_tg_init(void)
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	struct timeval now;
+
+	sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
+	if (IS_ERR(sysrq_tfm)) {
+		printk(KERN_WARNING KBUILD_MODNAME
+			": Error: Could not find or load %s hash\n",
+			sysrq_hash);
+		sysrq_tfm = NULL;
+		goto fail;
+	}
+	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
+	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
+	if (sysrq_digest == NULL) {
+		printk(KERN_WARNING KBUILD_MODNAME
+			": Cannot allocate digest\n");
+		goto fail;
+	}
+	sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
+	if (sysrq_hexdigest == NULL) {
+		printk(KERN_WARNING KBUILD_MODNAME
+			": Cannot allocate hexdigest\n");
+		goto fail;
+	}
+	sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
+	if (sysrq_digest_password == NULL) {
+		printk(KERN_WARNING KBUILD_MODNAME
+			": Cannot allocate password digest space\n");
+		goto fail;
+	}
+	do_gettimeofday(&now);
+	sysrq_seqno = now.tv_sec;
 	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+
+ fail:
+	if (sysrq_tfm)
+		crypto_free_hash(sysrq_tfm);
+	if (sysrq_digest)
+		kfree(sysrq_digest);
+	if (sysrq_hexdigest)
+		kfree(sysrq_hexdigest);
+	if (sysrq_digest_password)
+		kfree(sysrq_digest_password);
+	return -EINVAL;
+#else
+	printk(KERN_WARNING "xt_SYSRQ does not provide crypto for <= 2.6.18\n");
+	return xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
+#endif
 }
 
 static void __exit sysrq_tg_exit(void)
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
+	crypto_free_hash(sysrq_tfm);
+	kfree(sysrq_digest);
+	kfree(sysrq_hexdigest);
+	kfree(sysrq_digest_password);
+#endif
 	return xt_unregister_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
 }
 

extensions/xt_TEE.c

@@ -1,7 +1,7 @@
 /*
  *	"TEE" target extension for Xtables
  *	Copyright © Sebastian Claßen <sebastian.classen [at] freenet de>, 2007
- *	Jan Engelhardt <jengelh [at] medozas de>, 2007
+ *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
  *
  *	based on ipt_ROUTE.c from Cédric de Launois
  *	<delaunois [at] info ucl ac be>
@@ -17,6 +17,7 @@
 #include <net/checksum.h>
 #include <net/icmp.h>
 #include <net/ip.h>
+#include <net/ip6_route.h>
 #include <net/route.h>
 #include <linux/netfilter/x_tables.h>
 
@@ -29,7 +30,7 @@ static struct nf_conn tee_track;
 #include "compat_xtables.h"
 #include "xt_TEE.h"
 
-static const union nf_inet_addr zero_address;
+static const union nf_inet_addr tee_zero_address;
 
 /*
  * Try to route the packet according to the routing keys specified in
@@ -47,21 +48,16 @@ static const union nf_inet_addr zero_address;
  *         true  - if the packet was succesfully routed to the
  *                 destination desired
  */
-static bool tee_routing(struct sk_buff *skb,
+static bool
-                        const struct xt_tee_tginfo *info)
+tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
 	int err;
 	struct rtable *rt;
-	struct iphdr *iph = ip_hdr(skb);
+	struct flowi fl;
-	struct flowi fl = {
+
-		.nl_u = {
+	memset(&fl, 0, sizeof(fl));
-			.ip4_u = {
+	fl.nl_u.ip4_u.daddr = info->gw.ip;
-				.daddr = info->gw.ip,
+	fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
-				.tos   = RT_TOS(iph->tos),
-				.scope = RT_SCOPE_UNIVERSE,
-			}
-		}
-	};
 
 	/* Trying to route the packet using the standard routing table. */
 	err = ip_route_output_key(&init_net, &rt, &fl);
@@ -72,22 +68,14 @@ static bool tee_routing(struct sk_buff *skb,
 		return false;
 	}
 
-	/* Drop old route. */
 	dst_release(skb->dst);
-	skb->dst = NULL;
-
-	/*
-	 * Success if no oif specified or if the oif correspond to the
-	 * one desired.
-	 * [SC]: always the case, because we have no oif.
-	 */
 	skb->dst      = &rt->u.dst;
 	skb->dev      = skb->dst->dev;
 	skb->protocol = htons(ETH_P_IP);
 	return true;
 }
 
-static bool dev_hh_avail(const struct net_device *dev)
+static inline bool dev_hh_avail(const struct net_device *dev)
 {
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 	return dev->hard_header != NULL;
@@ -103,14 +91,14 @@ static bool dev_hh_avail(const struct net_device *dev)
  * POST: the packet is sent with the link layer header pushed
  *       the packet is destroyed
  */
-static void tee_ip_direct_send(struct sk_buff *skb)
+static void tee_tg_send(struct sk_buff *skb)
 {
 	const struct dst_entry *dst  = skb->dst;
 	const struct net_device *dev = dst->dev;
 	unsigned int hh_len = LL_RESERVED_SPACE(dev);
 
 	/* Be paranoid, rather than too clever. */
-	if (unlikely(skb_headroom(skb) < hh_len) && dev_hh_avail(dev)) {
+	if (unlikely(skb_headroom(skb) < hh_len && dev_hh_avail(dev))) {
 		struct sk_buff *skb2;
 
 		skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
@@ -142,7 +130,7 @@ static void tee_ip_direct_send(struct sk_buff *skb)
  * packets when we see they already have that ->nfct.
  */
 static unsigned int
-tee_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct sk_buff *skb = *pskb;
@@ -200,8 +188,78 @@ tee_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	nf_conntrack_get(skb->nfct);
 #endif
 
-	if (tee_routing(skb, info))
+	/*
-		tee_ip_direct_send(skb);
+	 * Normally, we would just use ip_local_out. Because iph->check is
+	 * already correct, we could take a shortcut and call dst_output
+	 * [forwards to ip_output] directly. ip_output however will invoke
+	 * Netfilter hooks and cause reentrancy. So we skip that too and go
+	 * directly to ip_finish_output. Since we should not do XFRM, control
+	 * passes to ip_finish_output2. That function is not exported, so it is
+	 * copied here as tee_ip_direct_send.
+	 *
+	 * We do no XFRM on the cloned packet on purpose! The choice of
+	 * iptables match options will control whether the raw packet or the
+	 * transformed version is cloned.
+	 *
+	 * Also on purpose, no fragmentation is done, to preserve the
+	 * packet as best as possible.
+	 */
+	if (tee_tg_route4(skb, info))
+		tee_tg_send(skb);
+
+	return XT_CONTINUE;
+}
+
+static bool
+tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
+{
+	struct dst_entry *dst;
+	struct flowi fl;
+
+	memset(&fl, 0, sizeof(fl));
+	fl.nl_u.ip6_u.daddr = info->gw.in6;
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
+	dst = ip6_route_output(NULL, &fl);
+#else
+	dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
+#endif
+	if (dst == NULL) {
+		if (net_ratelimit())
+			printk(KERN_ERR "ip6_route_output failed for tee\n");
+		return false;
+	}
+
+	dst_release(skb->dst);
+	skb->dst      = dst;
+	skb->dev      = skb->dst->dev;
+	skb->protocol = htons(ETH_P_IPV6);
+	return true;
+}
+
+static unsigned int
+tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+{
+	const struct xt_tee_tginfo *info = par->targinfo;
+	struct sk_buff *skb = *pskb;
+
+	/* Try silence. */
+#ifdef WITH_CONNTRACK
+	if (skb->nfct == &tee_track.ct_general)
+		return NF_DROP;
+#endif
+
+	if ((skb = skb_copy(skb, GFP_ATOMIC)) == NULL)
+		return XT_CONTINUE;
+
+#ifdef WITH_CONNTRACK
+	nf_conntrack_put(skb->nfct);
+	skb->nfct     = &tee_track.ct_general;
+	skb->nfctinfo = IP_CT_NEW;
+	nf_conntrack_get(skb->nfct);
+#endif
+	if (tee_tg_route6(skb, info))
+		tee_tg_send(skb);
 
 	return XT_CONTINUE;
 }
@@ -211,18 +269,31 @@ static bool tee_tg_check(const struct xt_tgchk_param *par)
 	const struct xt_tee_tginfo *info = par->targinfo;
 
 	/* 0.0.0.0 and :: not allowed */
-	return memcmp(&info->gw, &zero_address, sizeof(zero_address)) != 0;
+	return memcmp(&info->gw, &tee_zero_address,
+	       sizeof(tee_zero_address)) != 0;
 }
 
-static struct xt_target tee_tg_reg __read_mostly = {
+static struct xt_target tee_tg_reg[] __read_mostly = {
+	{
 		.name       = "TEE",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
 		.table      = "mangle",
-	.target     = tee_tg,
+		.target     = tee_tg4,
 		.targetsize = sizeof(struct xt_tee_tginfo),
 		.checkentry = tee_tg_check,
 		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "TEE",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.table      = "mangle",
+		.target     = tee_tg6,
+		.targetsize = sizeof(struct xt_tee_tginfo),
+		.checkentry = tee_tg_check,
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init tee_tg_init(void)
@@ -241,19 +312,20 @@ static int __init tee_tg_init(void)
 	tee_track.status |= IPS_NAT_DONE_MASK;
 #endif
 
-	return xt_register_target(&tee_tg_reg);
+	return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
 }
 
 static void __exit tee_tg_exit(void)
 {
-	xt_unregister_target(&tee_tg_reg);
+	xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
 	/* [SC]: shoud not we cleanup tee_track here? */
 }
 
 module_init(tee_tg_init);
 module_exit(tee_tg_exit);
 MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: Reroute packet copy");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TEE");
+MODULE_ALIAS("ip6t_TEE");

extensions/xt_ipp2p.c

@@ -597,27 +597,51 @@ search_all_gnu(const unsigned char *payload, const unsigned int plen)
 }
 
 /* check for KaZaA download commands and other typical data */
+/* plen is guaranteed to be >= 5 (see @matchlist) */
 static unsigned int
 search_all_kazaa(const unsigned char *payload, const unsigned int plen)
 {
-	if (payload[plen-2] == 0x0d && payload[plen-1] == 0x0a) {
+	uint16_t c, end, rem;
+
+	if (plen < 5)
+		/* too short for anything we test for - early bailout */
+		return 0;
+
+	if (plen >= 65535) {
+		/* Something seems _really_ fishy */
+		printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) >= 65535\n",
+		       __func__, plen);
+		return 0;
+	}
+
+	if (payload[plen-2] != 0x0d || payload[plen-1] != 0x0a)
+		return 0;
+
 	if (memcmp(payload, "GIVE ", 5) == 0)
 		return IPP2P_KAZAA * 100 + 1;
 
-		if (memcmp(payload, "GET /", 5) == 0) {
+	if (memcmp(payload, "GET /", 5) != 0)
-			uint16_t c = 8;
+		return 0;
-			const uint16_t end = plen - 22;
 
-			while (c < end) {
+	if (plen < 18)
-				if (payload[c] == 0x0a &&
+		/* The next tests would not succeed anyhow. */
-				    payload[c+1] == 0x0d &&
+		return 0;
-				    (memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0 ||
+
-				    memcmp(&payload[c+2], "User-Agent: PeerEnabler/", 24) == 0))
+	end = plen - 18;
+	rem = plen - 5;
+	for (c = 5; c < end; ++c, --rem) {
+		if (payload[c] != 0x0d)
+			continue;
+		if (payload[c+1] != 0x0a)
+			continue;
+		if (rem >= 18 &&
+		    memcmp(&payload[c+2], "X-Kazaa-Username: ", 18) == 0)
+			return IPP2P_KAZAA * 100 + 2;
+		if (rem >= 24 &&
+		    memcmp(&payload[c+2], "User-Agent: PeerEnabler/", 24) == 0)
 			return IPP2P_KAZAA * 100 + 2;
-				c++;
-			}
-		}
 	}
+
 	return 0;
 }
 
@@ -813,7 +837,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	switch (ip->protocol) {
 	case IPPROTO_TCP:	/* what to do with a TCP packet */
 	{
-		const struct tcphdr *tcph = tcp_hdr(skb);
+		const struct tcphdr *tcph = (const void *)ip + ip_hdrlen(skb);
 
 		if (tcph->fin) return 0;  /* if FIN bit is set bail out */
 		if (tcph->syn) return 0;  /* if SYN bit is set bail out */
@@ -840,7 +864,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 
 	case IPPROTO_UDP:	/* what to do with an UDP packet */
 	{
-		const struct udphdr *udph = udp_hdr(skb);
+		const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb);
 
 		while (udp_list[i].command) {
 			if ((info->cmd & udp_list[i].command) == udp_list[i].command &&

m4/.gitignore

@@ -0,0 +1,2 @@
+/libtool.m4
+/lt*.m4

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables\-addons 8 2008\-11\-18
+.TH xtables\-addons 8 "v1.8 (2009\-01\-10)" "" "v1.8 (2009\-01\-10)"
 .SH NAME
 Xtables\-addons - additional extensions for iptables, ip6tables, etc.
 .SH TARGETS