Xtables-addons 1.12

Resolve compile breakage from commits
36f80be2f7 and
7b9ca945d4.

INSTALL

@@ -9,16 +9,24 @@ in combination with the kernel's Kbuild system.
 	# make install
 
 
-Prerequirements
-===============
+Supported configurations for this release
+=========================================
 
-	* iptables 1.4.1
+	* iptables >= 1.4.1
+	  upper bound: iptables <= 1.4.3-rc1
 
-	* kernel-source >= 2.6.17 with prepared build/output directory
+	* kernel-source >= 2.6.17, no upper bound known
+	  with prepared build/output directory
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
 	    enabled =y or as module (=m)
 
+Extra notes:
+
+	* in the kernel 2.6.18.x series, >= 2.6.18.5 is required
+
+	* requires that no vendor backports interfere
+
 
 Selecting extensions
 ====================
@@ -45,11 +53,8 @@ Configuring and compiling
 	xtables.h, should it not be within the standard C compiler
 	include path (/usr/include), or if you want to override it.
 	The directory will be checked for xtables.h and
-	include/xtables.h. (This is to support the following specs:)
-
-		--with-xtables=/usr/src/xtables
-		--with-xtables=/usr/src/xtables/include
-		--with-xtables=/opt/xtables/include
+	include/xtables.h. (The latter to support both standard
+	/usr/include and the iptables source root.)
 
 --with-libxtdir=
 

Makefile.am

@@ -15,6 +15,8 @@ extensions/%:
 install-exec-local:
 	depmod -a || :;
 
+config.status: extensions/GNUmakefile.in
+
 .PHONY: tarball
 tarball:
 	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.7])
+AC_INIT([xtables-addons], [1.12])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL

doc/changelog.txt

@@ -0,0 +1,125 @@
+
+
+Xtables-addons 1.12 (March 07 2009)
+===================================
+- ipset: fix for compilation with 2.6.29-rt
+- ipset: fast forward to 2.5.0
+- rename xt_portscan to xt_lscan ("low-level scan") because
+  "portscan" as a wor caused confusion
+- xt_LOGMARK: print incoming interface index
+- revert "TEE: do not use TOS for routing"
+- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n
+- xt_TEE: enable routing by iif, nfmark and flowlabel
+
+
+Xtables-addons 1.10 (February 18 2009)
+======================================
+- compat: compile fixes for 2.6.29
+- ipset: upgrade to ipset 2.4.9
+
+
+Xtables-addons 1.9 (January 30 2009)
+====================================
+- add the xt_length2 extension
+- xt_TEE: remove intrapositional '!' support
+- ipset: upgrade to ipset 2.4.7
+
+
+Xtables-addons 1.8 (January 10 2009)
+====================================
+- xt_TEE: IPv6 support
+- xt_TEE: do not include TOS value in routing decision
+- xt_TEE: fix switch-case inversion for name/IP display
+- xt_ipp2p: update manpages and help text
+- xt_ipp2p: remove log flooding
+- xt_portscan: update manpage about --grscan option caveats
+
+
+Xtables-addons 1.7 (December 25 2008)
+=====================================
+- xt_ECHO: compile fix
+- avoid the use of "_init" which led to compile errors on some installations
+- build: do not unconditionally install ipset
+- doc: add manpages for xt_ECHO and xt_TEE
+- xt_ipp2p: kazaa detection code cleanup
+- xt_ipp2p: fix newline inspection in kazaa detection
+- xt_ipp2p: ensure better array bounds checking
+- xt_SYSRQ: improve security by hashing password
+
+
+Xtables-addons 1.6 (November 18 2008)
+=====================================
+- build: support for Linux 2.6.17
+- build: compile fixes for 2.6.18 and 2.6.19
+- xt_ECHO: resolve compile errors in xt_ECHO
+- xt_ipp2p: parenthesize unaligned-access macros
+
+
+Xtables-addons 1.5.7 (September 01 2008)
+========================================
+- API layer: fix use of uninitialized 'hotdrop' variable
+- API layer: move to pskb-based signatures
+- xt_SYSRQ: compile fixes for Linux <= 2.6.19
+- ipset: adjust semaphore.h include for Linux >= 2.6.27
+- build: automatically run `depmod -a` on installation
+- add reworked xt_fuzzy module
+- add DHCP address match and mangle module
+- xt_portscan: IPv6 support
+- xt_SYSRQ: add missing module aliases
+
+
+Xtables-addons 1.5.5 (August 03 2008)
+=====================================
+- manpage updates for xt_CHAOS, xt_IPMARK; README updates
+- build: properly recognize external Kbuild/Mbuild files
+- build: remove dependency on CONFIG_NETWORK_SECMARK
+- add the xt_SYSRQ target
+- add the xt_quota2 extension
+- import ipset extension group
+
+
+Xtables-addons 1.5.4.1 (April 26 2008)
+======================================
+- build: fix compile error for 2.6.18-stable
+
+
+Xtables-addons 1.5.4 (April 09 2008)
+====================================
+- build: support building multiple files with one config option
+- API layer: add check for pskb relocation
+- doc: generate manpages
+- xt_ECHO: catch skb_linearize out-of-memory condition
+- xt_LOGMARK: add hook= and ctdir= fields in dump
+- xt_LOGMARK: fix comma output in ctstatus= list
+- xt_TEE: fix address copying bug
+- xt_TEE: make skb writable before attempting checksum update
+- add reworked xt_condition match
+- add reworked xt_ipp2p match
+- add reworked xt_IPMARK target
+
+
+Xtables-addons 1.5.3 (March 22 2008)
+====================================
+- support for Linux 2.6.18
+- add xt_ECHO sample target
+- add reworked xt_geoip match
+
+
+Xtables-addons 1.5.2 (March 04 2008)
+====================================
+- build: support for GNU make < 3.81 which does not have $(realpath)
+
+
+Xtables-addons 1.5.1 (February 21 2008)
+=======================================
+- build: allow user to select what extensions to compile and install
+- build: allow external proejcts to be downloaded into the tree
+- xt_LOGMARK: dump classify mark, ctstate and ctstatus
+- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
+
+
+Xtables-addons 1.5.0 (February 11 2008)
+=======================================
+Initial release with:
+- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
+- support for Linux >= 2.6.19

extensions/.gitignore

@@ -3,6 +3,7 @@
 .tmp_versions
 *.ko
 *.mod.c
+Module.markers
 Module.symvers
 Modules.symvers
 modules.order

extensions/GNUmakefile.in

@@ -34,12 +34,14 @@ VU := 0
 am__1verbose_CC_0     = @echo "  CC      " $@;
 am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
 am__1verbose_GEN_0    = @echo "  GEN     " $@;
+am__1verbose_SILENT_0 = @
 am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
 am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
 am__1verbose_GEN_1    = @echo "  GEN     " $@ "<-" $<;
 am__verbose_CC        = ${am__1verbose_CC_${VU}}
 am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
 am__verbose_GEN       = ${am__1verbose_GEN_${VU}}
+am__verbose_SILENT    = ${am__1verbose_GEN_${VU}}
 
 
 #
@@ -93,13 +95,13 @@ distclean: clean
 .PHONY: modules modules_install clean_modules
 
 modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
 
 modules_install:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
 
 clean_modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
 
 
 #

extensions/Kbuild

@@ -19,7 +19,8 @@ obj-${build_fuzzy}       += xt_fuzzy.o
 obj-${build_geoip}       += xt_geoip.o
 obj-${build_ipp2p}       += xt_ipp2p.o
 obj-${build_ipset}       += ipset/
-obj-${build_portscan}    += xt_portscan.o
+obj-${build_length2}     += xt_length2.o
+obj-${build_lscan}       += xt_lscan.o
 obj-${build_quota2}      += xt_quota2.o
 
 -include ${M}/*.Kbuild

extensions/Mbuild

@@ -12,5 +12,6 @@ obj-${build_fuzzy}       += libxt_fuzzy.so
 obj-${build_geoip}       += libxt_geoip.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
 obj-${build_ipset}       += ipset/
-obj-${build_portscan}    += libxt_portscan.so
+obj-${build_length2}     += libxt_length2.so
+obj-${build_lscan}       += libxt_lscan.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/compat_skbuff.h

@@ -5,8 +5,11 @@ struct tcphdr;
 struct udphdr;
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+#	define skb_ifindex(skb) \
+		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
 #else
+#	define skb_ifindex(skb) (skb)->iif
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #endif
 

extensions/compat_xtables.h

@@ -1,6 +1,7 @@
 #ifndef _XTABLES_COMPAT_H
 #define _XTABLES_COMPAT_H 1
 
+#include <linux/kernel.h>
 #include <linux/version.h>
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
@@ -70,6 +71,27 @@
 #	define csum_replace2 nf_csum_replace2
 #endif
 
+#if !defined(NIP6) && !defined(NIP6_FMT)
+#	define NIP6(addr) \
+		ntohs((addr).s6_addr16[0]), \
+		ntohs((addr).s6_addr16[1]), \
+		ntohs((addr).s6_addr16[2]), \
+		ntohs((addr).s6_addr16[3]), \
+		ntohs((addr).s6_addr16[4]), \
+		ntohs((addr).s6_addr16[5]), \
+		ntohs((addr).s6_addr16[6]), \
+		ntohs((addr).s6_addr16[7])
+#	define NIP6_FMT "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
+#endif
+#if !defined(NIPQUAD) && !defined(NIPQUAD_FMT)
+#	define NIPQUAD(addr) \
+		((const unsigned char *)&addr)[0], \
+		((const unsigned char *)&addr)[1], \
+		((const unsigned char *)&addr)[2], \
+		((const unsigned char *)&addr)[3]
+#	define NIPQUAD_FMT "%u.%u.%u.%u"
+#endif
+
 #define ip_route_me_harder    xtnu_ip_route_me_harder
 #define skb_make_writable     xtnu_skb_make_writable
 #define xt_target             xtnu_target

extensions/ipset/GNUmakefile.in

@@ -2,6 +2,7 @@
 
 top_srcdir      := @top_srcdir@
 srcdir          := @srcdir@
+datarootdir     := @datarootdir@
 abstop_srcdir   := $(shell readlink -e ${top_srcdir})
 abssrcdir       := $(shell readlink -e ${srcdir})
 

extensions/ipset/ip_set.c

@@ -19,7 +19,7 @@
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/random.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <linux/capability.h>
 #include <asm/uaccess.h>
@@ -877,7 +877,7 @@ ip_set_create(const char *name,
 	set = kmalloc(sizeof(struct ip_set), GFP_KERNEL);
 	if (!set)
 		return -ENOMEM;
-	set->lock = RW_LOCK_UNLOCKED;
+	rwlock_init(&set->lock);
 	strncpy(set->name, name, IP_SET_MAXNAMELEN);
 	set->binding = IP_SET_INVALID_ID;
 	atomic_set(&set->ref, 0);

extensions/ipset/ip_set_iphash.c

@@ -11,7 +11,7 @@
 #include <linux/moduleparam.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -42,8 +42,7 @@ iphash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 		if (*elem == *hash_ip)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -64,18 +63,21 @@ __iphash_add(struct ip_set_iphash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 	
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
 		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *ip;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_ipporthash.c

@@ -13,7 +13,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -49,8 +49,7 @@ ipporthash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 		if (*elem == *hash_ip)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -86,18 +85,21 @@ __ipporthash_add(struct ip_set_ipporthash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
 		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *ip;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_ipportiphash.c

@@ -13,7 +13,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -51,8 +51,7 @@ ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
 		if (elem->ip == *hash_ip && elem->ip1 == ip1)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -90,19 +89,22 @@ __ipportip_add(struct ip_set_ipportiphash *map,
 {
 	__u32 probe;
 	u_int16_t i;
-	struct ipportip *elem;
+	struct ipportip *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
 		if (elem->ip == hash_ip && elem->ip1 == ip1)
 			return -EEXIST;
-		if (!(elem->ip || elem->ip1)) {
-			elem->ip = hash_ip;
-			elem->ip1 = ip1;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || elem->ip || elem->ip1))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		slot->ip = hash_ip;
+		slot->ip1 = ip1;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_ipportnethash.c

@@ -13,7 +13,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -53,8 +53,7 @@ ipportnethash_id_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
 		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
 		if (elem->ip == *hash_ip && elem->ip1 == ip1)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -137,19 +136,22 @@ __ipportnet_add(struct ip_set_ipportnethash *map,
 {
 	__u32 probe;
 	u_int16_t i;
-	struct ipportip *elem;
+	struct ipportip *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
 		if (elem->ip == hash_ip && elem->ip1 == ip1)
 			return -EEXIST;
-		if (!(elem->ip || elem->ip1)) {
-			elem->ip = hash_ip;
-			elem->ip1 = ip1;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || elem->ip || elem->ip1))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		slot->ip = hash_ip;
+		slot->ip1 = ip1;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_jhash.h

@@ -1,148 +1,157 @@
-#ifndef _LINUX_IPSET_JHASH_H
-#define _LINUX_IPSET_JHASH_H
-
-/* This is a copy of linux/jhash.h but the types u32/u8 are changed
- * to __u32/__u8 so that the header file can be included into
- * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- */
+#ifndef _LINUX_JHASH_H
+#define _LINUX_JHASH_H
 
 /* jhash.h: Jenkins hash support.
  *
- * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
+ * Copyright (C) 2006. Bob Jenkins (bob_jenkins@burtleburtle.net)
  *
  * http://burtleburtle.net/bob/hash/
  *
  * These are the credits from Bob's sources:
  *
- * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
- * hash(), hash2(), hash3, and mix() are externally useful functions.
- * Routines to test the hash are included if SELF_TEST is defined.
- * You can use this free for any purpose.  It has no warranty.
+ * lookup3.c, by Bob Jenkins, May 2006, Public Domain.
  *
- * Copyright (C) 2003 David S. Miller (davem@redhat.com)
+ * These are functions for producing 32-bit hashes for hash table lookup.
+ * hashword(), hashlittle(), hashlittle2(), hashbig(), mix(), and final() 
+ * are externally useful functions.  Routines to test the hash are included 
+ * if SELF_TEST is defined.  You can use this free for any purpose.  It's in
+ * the public domain.  It has no warranty.
+ *
+ * Copyright (C) 2009 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
  *
  * I've modified Bob's hash to be useful in the Linux kernel, and
- * any bugs present are surely my fault.  -DaveM
+ * any bugs present are my fault.  Jozsef
  */
 
-/* NOTE: Arguments are modified. */
-#define __jhash_mix(a, b, c) \
+#define __rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
+
+/* __jhash_mix - mix 3 32-bit values reversibly. */
+#define __jhash_mix(a,b,c) \
 { \
-  a -= b; a -= c; a ^= (c>>13); \
-  b -= c; b -= a; b ^= (a<<8); \
-  c -= a; c -= b; c ^= (b>>13); \
-  a -= b; a -= c; a ^= (c>>12);  \
-  b -= c; b -= a; b ^= (a<<16); \
-  c -= a; c -= b; c ^= (b>>5); \
-  a -= b; a -= c; a ^= (c>>3);  \
-  b -= c; b -= a; b ^= (a<<10); \
-  c -= a; c -= b; c ^= (b>>15); \
+  a -= c;  a ^= __rot(c, 4);  c += b; \
+  b -= a;  b ^= __rot(a, 6);  a += c; \
+  c -= b;  c ^= __rot(b, 8);  b += a; \
+  a -= c;  a ^= __rot(c,16);  c += b; \
+  b -= a;  b ^= __rot(a,19);  a += c; \
+  c -= b;  c ^= __rot(b, 4);  b += a; \
+}
+
+/* __jhash_final - final mixing of 3 32-bit values (a,b,c) into c */
+#define __jhash_final(a,b,c) \
+{ \
+  c ^= b; c -= __rot(b,14); \
+  a ^= c; a -= __rot(c,11); \
+  b ^= a; b -= __rot(a,25); \
+  c ^= b; c -= __rot(b,16); \
+  a ^= c; a -= __rot(c,4);  \
+  b ^= a; b -= __rot(a,14); \
+  c ^= b; c -= __rot(b,24); \
 }
 
 /* The golden ration: an arbitrary value */
-#define JHASH_GOLDEN_RATIO	0x9e3779b9
+#define JHASH_GOLDEN_RATIO	0xdeadbeef
 
 /* The most generic version, hashes an arbitrary sequence
  * of bytes.  No alignment or length assumptions are made about
- * the input key.
+ * the input key. The result depends on endianness.
  */
-static inline __u32 jhash(void *key, __u32 length, __u32 initval)
+static inline u32 jhash(const void *key, u32 length, u32 initval)
 {
-	__u32 a, b, c, len;
-	__u8 *k = key;
+	u32 a,b,c;
+	const u8 *k = key;
 
-	len = length;
-	a = b = JHASH_GOLDEN_RATIO;
-	c = initval;
-
-	while (len >= 12) {
-		a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
-		b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
-		c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
-
-		__jhash_mix(a,b,c);
+	/* Set up the internal state */
+	a = b = c = JHASH_GOLDEN_RATIO + length + initval;
 
+	/* all but the last block: affect some 32 bits of (a,b,c) */
+	while (length > 12) {
+    		a += (k[0] + ((u32)k[1]<<8) + ((u32)k[2]<<16) + ((u32)k[3]<<24));
+		b += (k[4] + ((u32)k[5]<<8) + ((u32)k[6]<<16) + ((u32)k[7]<<24));
+		c += (k[8] + ((u32)k[9]<<8) + ((u32)k[10]<<16) + ((u32)k[11]<<24));
+		__jhash_mix(a, b, c);
+		length -= 12;
 		k += 12;
-		len -= 12;
 	}
 
-	c += length;
-	switch (len) {
-	case 11: c += ((__u32)k[10]<<24);
-	case 10: c += ((__u32)k[9]<<16);
-	case 9 : c += ((__u32)k[8]<<8);
-	case 8 : b += ((__u32)k[7]<<24);
-	case 7 : b += ((__u32)k[6]<<16);
-	case 6 : b += ((__u32)k[5]<<8);
+	/* last block: affect all 32 bits of (c) */
+	/* all the case statements fall through */
+	switch (length) {
+	case 12: c += (u32)k[11]<<24;
+	case 11: c += (u32)k[10]<<16;
+	case 10: c += (u32)k[9]<<8;
+	case 9 : c += k[8];
+	case 8 : b += (u32)k[7]<<24;
+	case 7 : b += (u32)k[6]<<16;
+	case 6 : b += (u32)k[5]<<8;
 	case 5 : b += k[4];
-	case 4 : a += ((__u32)k[3]<<24);
-	case 3 : a += ((__u32)k[2]<<16);
-	case 2 : a += ((__u32)k[1]<<8);
+	case 4 : a += (u32)k[3]<<24;
+	case 3 : a += (u32)k[2]<<16;
+	case 2 : a += (u32)k[1]<<8;
 	case 1 : a += k[0];
-	};
-
-	__jhash_mix(a,b,c);
+		__jhash_final(a, b, c);
+	case 0 :
+		break;
+	}
 
 	return c;
 }
 
-/* A special optimized version that handles 1 or more of __u32s.
- * The length parameter here is the number of __u32s in the key.
+/* A special optimized version that handles 1 or more of u32s.
+ * The length parameter here is the number of u32s in the key.
  */
-static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
+static inline u32 jhash2(const u32 *k, u32 length, u32 initval)
 {
-	__u32 a, b, c, len;
+	u32 a, b, c;
 
-	a = b = JHASH_GOLDEN_RATIO;
-	c = initval;
-	len = length;
+	/* Set up the internal state */
+	a = b = c = JHASH_GOLDEN_RATIO + (length<<2) + initval;
 
-	while (len >= 3) {
+	/* handle most of the key */
+	while (length > 3) {
 		a += k[0];
 		b += k[1];
 		c += k[2];
 		__jhash_mix(a, b, c);
-		k += 3; len -= 3;
+		length -= 3;
+		k += 3;
 	}
 
-	c += length * 4;
-
-	switch (len) {
-	case 2 : b += k[1];
-	case 1 : a += k[0];
-	};
-
-	__jhash_mix(a,b,c);
+	/* handle the last 3 u32's */
+	/* all the case statements fall through */ 
+	switch (length) {
+	case 3: c += k[2];
+	case 2: b += k[1];
+	case 1: a += k[0];
+		__jhash_final(a, b, c);
+	case 0:     /* case 0: nothing left to add */
+		break;
+	}
 
 	return c;
 }
 
-
 /* A special ultra-optimized versions that knows they are hashing exactly
  * 3, 2 or 1 word(s).
- *
- * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
- *       done at the end is not done here.
  */
-static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
+static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
 {
-	a += JHASH_GOLDEN_RATIO;
-	b += JHASH_GOLDEN_RATIO;
-	c += initval;
+	a += JHASH_GOLDEN_RATIO + initval;
+	b += JHASH_GOLDEN_RATIO + initval;
+	c += JHASH_GOLDEN_RATIO + initval;
 
-	__jhash_mix(a, b, c);
+	__jhash_final(a, b, c);
 
 	return c;
 }
 
-static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
+static inline u32 jhash_2words(u32 a, u32 b, u32 initval)
 {
-	return jhash_3words(a, b, 0, initval);
+	return jhash_3words(0, a, b, initval);
 }
 
-static inline __u32 jhash_1word(__u32 a, __u32 initval)
+static inline u32 jhash_1word(u32 a, u32 initval)
 {
-	return jhash_3words(a, 0, 0, initval);
+	return jhash_3words(0, 0, a, initval);
 }
 
-#endif /* _LINUX_IPSET_JHASH_H */
+#endif /* _LINUX_JHASH_H */

extensions/ipset/ip_set_nethash.c

@@ -11,7 +11,7 @@
 #include <linux/moduleparam.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -44,6 +44,7 @@ nethash_id_cidr(const struct ip_set_nethash *map,
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 	   	if (*elem == *hash_ip)
 			return id;
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -99,17 +100,21 @@ __nethash_add(struct ip_set_nethash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 	
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
 		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *ip;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ipset.8

@@ -602,8 +602,4 @@ Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
 .P
 Sven Wegener wrote the iptreemap type.
 .SH LAST REMARK
-.BR "I stand on the shoulder of giants."
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
+.BR "I stand on the shoulders of giants."

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "2.4.5"
+#define IPSET_VERSION "2.5.0"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;
@@ -629,7 +629,8 @@ void parse_ip(const char *str, ip_set_ip_t * ip)
 				   "host/network `%s' resolves to serveral ip-addresses. "
 				   "Please specify one.", str);
 
-		*ip = ntohl(((struct in_addr *) host->h_addr_list[0])->s_addr);
+		memcpy(&addr, host->h_addr_list[0], sizeof(struct in_addr));
+		*ip = ntohl(addr.s_addr);
 		return;
 	}
 

extensions/libxt_CHAOS.man

@@ -18,4 +18,4 @@ The randomness factor of not replying vs. replying can be set during load-time
 of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
 See http://jengelh.medozas.de/projects/chaostables/ for more information
-about CHAOS, DELUDE and portscan.
+about CHAOS, DELUDE and lscan.

extensions/libxt_TEE.c

@@ -1,7 +1,7 @@
 /*
  *	"TEE" target extension for iptables
  *	Copyright © Sebastian Claßen <sebastian.classen [at] freenet.ag>, 2007
- *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
+ *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -53,10 +53,6 @@ static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 			exit_error(PARAMETER_PROBLEM,
 			           "Cannot specify --gw more than once");
 
-		if (check_inverse(optarg, &invert, NULL, 0))
-			exit_error(PARAMETER_PROBLEM,
-			           "Unexpected \"!\" after --gateway");
-
 		ia = numeric_to_ipaddr(optarg);
 		if (ia == NULL)
 			exit_error(PARAMETER_PROBLEM,
@@ -70,6 +66,31 @@ static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 	return false;
 }
 
+static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_target **target)
+{
+	struct xt_tee_tginfo *info = (void *)(*target)->data;
+	const struct in6_addr *ia;
+
+	switch (c) {
+	case 'g':
+		if (*flags & FLAG_GATEWAY)
+			exit_error(PARAMETER_PROBLEM,
+			           "Cannot specify --gw more than once");
+
+		ia = numeric_to_ip6addr(optarg);
+		if (ia == NULL)
+			exit_error(PARAMETER_PROBLEM,
+			           "Invalid IP address %s", optarg);
+
+		memcpy(&info->gw, ia, sizeof(*ia));
+		*flags |= FLAG_GATEWAY;
+		return true;
+	}
+
+	return false;
+}
+
 static void tee_tg_check(unsigned int flags)
 {
 	if (flags == 0)
@@ -83,9 +104,20 @@ static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
 	const struct xt_tee_tginfo *info = (const void *)target->data;
 
 	if (numeric)
-		printf("TEE gw:%s ", ipaddr_to_anyname(&info->gw.in));
-	else
 		printf("TEE gw:%s ", ipaddr_to_numeric(&info->gw.in));
+	else
+		printf("TEE gw:%s ", ipaddr_to_anyname(&info->gw.in));
+}
+
+static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
+                          int numeric)
+{
+	const struct xt_tee_tginfo *info = (const void *)target->data;
+
+	if (numeric)
+		printf("TEE gw:%s ", ip6addr_to_numeric(&info->gw.in6));
+	else
+		printf("TEE gw:%s ", ip6addr_to_anyname(&info->gw.in6));
 }
 
 static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
@@ -95,9 +127,18 @@ static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
 	printf("--gateway %s ", ipaddr_to_numeric(&info->gw.in));
 }
 
+static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_tee_tginfo *info = (const void *)target->data;
+
+	printf("--gateway %s ", ip6addr_to_numeric(&info->gw.in6));
+}
+
 static struct xtables_target tee_tg_reg = {
 	.name          = "TEE",
 	.version       = XTABLES_VERSION,
+	.revision      = 0,
+	.family        = PF_INET,
 	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
 	.help          = tee_tg_help,
@@ -108,7 +149,23 @@ static struct xtables_target tee_tg_reg = {
 	.extra_opts    = tee_tg_opts,
 };
 
+static struct xtables_target tee_tg6_reg = {
+	.name          = "TEE",
+	.version       = XTABLES_VERSION,
+	.revision      = 0,
+	.family        = PF_INET6,
+	.size          = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
+	.help          = tee_tg_help,
+	.parse         = tee_tg6_parse,
+	.final_check   = tee_tg_check,
+	.print         = tee_tg6_print,
+	.save          = tee_tg6_save,
+	.extra_opts    = tee_tg_opts,
+};
+
 static __attribute__((constructor)) void tee_tg_ldr(void)
 {
 	xtables_register_target(&tee_tg_reg);
+	xtables_register_target(&tee_tg6_reg);
 }

extensions/libxt_ipp2p.c

@@ -22,7 +22,7 @@
 static void ipp2p_mt_help(void)
 {
 	printf(
-	"IPP2P v%s options:\n"
+	"ipp2p v%s match options:\n"
 	"  --edk    [tcp,udp]  All known eDonkey/eMule/Overnet packets\n"
 	"  --dc     [tcp]      All known Direct Connect packets\n"
 	"  --kazaa  [tcp,udp]  All known KaZaA packets\n"
@@ -32,19 +32,10 @@ static void ipp2p_mt_help(void)
 	"  --winmx  [tcp]      All known WinMX\n"
 	"  --soul   [tcp]      All known SoulSeek\n"
 	"  --ares   [tcp]      All known Ares\n\n"
-	"EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :\n"
+	"EXPERIMENTAL protocols:\n"
 	"  --mute   [tcp]      All known Mute packets\n"
 	"  --waste  [tcp]      All known Waste packets\n"
 	"  --xdcc   [tcp]      All known XDCC packets (only xdcc login)\n\n"
-	"DEBUG SUPPPORT, use only if you know why\n"
-	"  --debug             Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER\n"
-	"\nIPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.\n"
-	"You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.\n"
-	"\nSee README included with this package for more details or visit http://www.ipp2p.org\n"
-	"\nExamples:\n"
-	" iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01\n"
-	" iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP\n"
-	" iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP\n\n"
 	, IPP2P_VERSION);
 }
 

extensions/libxt_ipp2p.man

@@ -1,12 +1,12 @@
 This module matches certain packets in P2P flows. It is not
 designed to match all packets belonging to a P2P connection - 
-use IPP2P together with CONNMARK for this purpose. Also visit
-http://www.ipp2p.org for detailed information.
-
+use IPP2P together with CONNMARK for this purpose.
+.PP
 Use it together with -p tcp or -p udp to search these protocols
 only or without -p switch to search packets of both protocols.
-
-IPP2P provides the following options:
+.PP
+IPP2P provides the following options, of which one or more may be specified
+on the command line:
 .TP
 .B "--edk "
 Matches as many eDonkey/eMule packets as possible.
@@ -38,3 +38,11 @@ Matches Ares and AresLite packets. Use together with -j DROP only.
 .B "--debug "
 Prints some information about each hit into kernel logfile. May 
 produce huge logfiles so beware!
+.PP
+Note that ipp2p may not (and often, does not) identify all packets that are
+exchanged as a result of running filesharing programs.
+.PP
+There is more information on http://ipp2p.org/ , but it has not been updated
+since September 2006, and the syntax there is different from the ipp2p.c
+provided in Xtables-addons; most importantly, the --ipp2p flag was removed due
+to its ambiguity to match "all known" protocols.

extensions/libxt_length.man

@@ -0,0 +1,18 @@
+This module matches the length of a packet against a specific value or range of
+values.
+.TP
+[\fB!\fR] \fB--length\fR \fIlength\fR[\fB:\fR\fIlength\fR]
+Match exact length or length range.
+.TP
+\fB--layer3\fR
+Match the layer3 frame size (e.g. IPv4/v6 header plus payload).
+.TP
+\fB--layer4\fR
+Match the layer4 frame size (e.g. TCP/UDP header plus payload).
+.TP
+\fB--layer5\fR
+Match the layer5 frame size (e.g. TCP/UDP payload, often called layer7).
+.PP
+If no --layer* option is given, --layer3 is assumed by default. Note that using
+--layer5 may not match a packet if it is not one of the recognized types
+(currently TCP, UDP, UDPLite, ICMP, AH and ESP) or which has no 5th layer.

extensions/libxt_length2.c

@@ -0,0 +1,173 @@
+#include <getopt.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xtables.h>
+#include "xt_length2.h"
+
+enum {
+	F_LAYER  = 1 << 0,
+	F_LENGTH = 1 << 1,
+
+	XT_LENGTH_LAYER_MASK = XT_LENGTH_LAYER3 | XT_LENGTH_LAYER4 |
+	                       XT_LENGTH_LAYER5 | XT_LENGTH_LAYER7,
+};
+
+static void length_mt_help(void)
+{
+	printf(
+"length match options:\n"
+"    --layer3          Match against layer3 size (e.g. L4 + IPv6 header)\n"
+"    --layer4          Match against layer4 size (e.g. L5 + SCTP header)\n"
+"    --layer5          Match against layer5 size (e.g. L7 + chunk headers)\n"
+"    --layer7          Match against layer7 payload (e.g. SCTP payload)\n"
+"[!] --length n[:n]    Match packet length against value or range\n"
+"                      of values (inclusive)\n"
+);
+}
+
+static const struct option length_mt_opts[] = {
+	{.name = "layer3", .has_arg = false, .val = '3'},
+	{.name = "layer4", .has_arg = false, .val = '4'},
+	{.name = "layer5", .has_arg = false, .val = '5'},
+	{.name = "layer7", .has_arg = false, .val = '7'},
+	{.name = "length", .has_arg = true,  .val = '='},
+	{NULL},
+};
+
+static void length_mt_init(struct xt_entry_match *match)
+{
+	struct xt_length_mtinfo2 *info = (void *)match->data;
+
+	info->flags = XT_LENGTH_LAYER3;
+}
+
+static int length_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                           const void *entry, struct xt_entry_match **match)
+{
+	struct xt_length_mtinfo2 *info = (void *)(*match)->data;
+	unsigned int from, to;
+	char *end;
+
+	switch (c) {
+	case '3': /* --layer3 */
+		param_act(P_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		info->flags &= ~XT_LENGTH_LAYER_MASK;
+		info->flags |= XT_LENGTH_LAYER3;
+		*flags |= F_LAYER;
+		return true;
+	case '4': /* --layer4 */
+		param_act(P_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		info->flags &= ~XT_LENGTH_LAYER_MASK;
+		info->flags |= XT_LENGTH_LAYER4;
+		*flags |= F_LAYER;
+		return true;
+	case '5': /* --layer5 */
+		param_act(P_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		info->flags &= ~XT_LENGTH_LAYER_MASK;
+		info->flags |= XT_LENGTH_LAYER5;
+		*flags |= F_LAYER;
+		return true;
+	case '7': /* --layer7 */
+		param_act(P_ONLY_ONCE, "length", "--layer*", *flags & F_LAYER);
+		info->flags &= ~XT_LENGTH_LAYER_MASK;
+		info->flags |= XT_LENGTH_LAYER7;
+		*flags |= F_LAYER;
+		return true;
+	case '=': /* --length */
+		param_act(P_ONLY_ONCE, "length", "--length", *flags & F_LENGTH);
+		if (invert)
+			info->flags |= XT_LENGTH_INVERT;
+		if (!strtonum(optarg, &end, &from, 0, ~0U))
+			param_act(P_BAD_VALUE, "length", "--length", optarg);
+		to = from;
+		if (*end == ':')
+			if (!strtonum(end + 1, &end, &to, 0, ~0U))
+				param_act(P_BAD_VALUE, "length",
+				          "--length", optarg);
+		if (*end != '\0')
+			param_act(P_BAD_VALUE, "length", "--length", optarg);
+		info->min = from;
+		info->max = to;
+		*flags |= F_LENGTH;
+		return true;
+	}
+	return false;
+}
+
+static void length_mt_check(unsigned int flags)
+{
+	if (!(flags & F_LENGTH))
+		exit_error(PARAMETER_PROBLEM,
+		           "length: You must specify \"--length\"");
+	if (!(flags & F_LAYER))
+		fprintf(stderr, "iptables: length match: Defaulting to "
+		        "--layer3. Consider specifying it explicitly.\n");
+}
+
+static void length_mt_print(const void *ip, const struct xt_entry_match *match,
+                            int numeric)
+{
+	const struct xt_length_mtinfo2 *info = (const void *)match->data;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		printf("layer3 ");
+	else if (info->flags & XT_LENGTH_LAYER4)
+		printf("layer4 ");
+	else if (info->flags & XT_LENGTH_LAYER5)
+		printf("layer5 ");
+	else if (info->flags & XT_LENGTH_LAYER7)
+		printf("layer7 ");
+	printf("length ");
+	if (info->flags & XT_LENGTH_INVERT)
+		printf("! ");
+	if (info->min == info->max)
+		printf("%u ", (unsigned int)info->min);
+	else
+		printf("%u-%u ", (unsigned int)info->min,
+		       (unsigned int)info->max);
+}
+
+static void length_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_length_mtinfo2 *info = (const void *)match->data;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		printf("--layer3 ");
+	else if (info->flags & XT_LENGTH_LAYER4)
+		printf("--layer4 ");
+	else if (info->flags & XT_LENGTH_LAYER5)
+		printf("--layer5 ");
+	else if (info->flags & XT_LENGTH_LAYER7)
+		printf("--layer7 ");
+	if (info->flags & XT_LENGTH_INVERT)
+		printf("! ");
+	printf("--length ");
+	if (info->min == info->max)
+		printf("%u ", (unsigned int)info->min);
+	else
+		printf("%u:%u ", (unsigned int)info->min,
+		       (unsigned int)info->max);
+}
+
+static struct xtables_match length2_mt_reg = {
+	.version        = XTABLES_VERSION,
+	.name           = "length2",
+	.revision       = 2,
+	.family         = PF_UNSPEC,
+	.size           = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
+	.userspacesize  = XT_ALIGN(sizeof(struct xt_length_mtinfo2)),
+	.init           = length_mt_init,
+	.help           = length_mt_help,
+	.parse          = length_mt_parse,
+	.final_check    = length_mt_check,
+	.print          = length_mt_print,
+	.save           = length_mt_save,
+	.extra_opts     = length_mt_opts,
+};
+
+static void _init(void)
+{
+	xtables_register_match(&length2_mt_reg);
+}

extensions/libxt_lscan.c

@@ -1,6 +1,6 @@
 /*
- *	"portscan" match extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	LSCAN match extension for iptables
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -16,9 +16,9 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 
-static const struct option portscan_mt_opts[] = {
+static const struct option lscan_mt_opts[] = {
 	{.name = "stealth", .has_arg = false, .val = 'x'},
 	{.name = "synscan", .has_arg = false, .val = 's'},
 	{.name = "cnscan",  .has_arg = false, .val = 'c'},
@@ -26,10 +26,10 @@ static const struct option portscan_mt_opts[] = {
 	{NULL},
 };
 
-static void portscan_mt_help(void)
+static void lscan_mt_help(void)
 {
 	printf(
-		"portscan match options:\n"
+		"lscan match options:\n"
 		"(Combining them will make them match by OR-logic)\n"
 		"  --stealth    Match TCP Stealth packets\n"
 		"  --synscan    Match TCP SYN scans\n"
@@ -37,10 +37,10 @@ static void portscan_mt_help(void)
 		"  --grscan     Match Banner Grabbing scans\n");
 }
 
-static int portscan_mt_parse(int c, char **argv, int invert,
+static int lscan_mt_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_match **match)
 {
-	struct xt_portscan_mtinfo *info = (void *)((*match)->data);
+	struct xt_lscan_mtinfo *info = (void *)((*match)->data);
 
 	switch (c) {
 	case 'c':
@@ -59,17 +59,17 @@ static int portscan_mt_parse(int c, char **argv, int invert,
 	return false;
 }
 
-static void portscan_mt_check(unsigned int flags)
+static void lscan_mt_check(unsigned int flags)
 {
 }
 
-static void portscan_mt_print(const void *ip,
+static void lscan_mt_print(const void *ip,
     const struct xt_entry_match *match, int numeric)
 {
-	const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 	const char *s = "";
 
-	printf("portscan ");
+	printf("lscan ");
 	if (info->match_stealth) {
 		printf("STEALTH");
 		s = ",";
@@ -87,9 +87,9 @@ static void portscan_mt_print(const void *ip,
 	printf(" ");
 }
 
-static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
+static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
-	const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 
 	if (info->match_stealth)
 		printf("--stealth ");
@@ -101,22 +101,22 @@ static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
 		printf("--grscan ");
 }
 
-static struct xtables_match portscan_mt_reg = {
+static struct xtables_match lscan_mt_reg = {
 	.version       = XTABLES_VERSION,
-	.name          = "portscan",
+	.name          = "lscan",
 	.revision      = 0,
 	.family        = AF_INET,
-	.size          = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-	.help          = portscan_mt_help,
-	.parse         = portscan_mt_parse,
-	.final_check   = portscan_mt_check,
-	.print         = portscan_mt_print,
-	.save          = portscan_mt_save,
-	.extra_opts    = portscan_mt_opts,
+	.size          = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+	.help          = lscan_mt_help,
+	.parse         = lscan_mt_parse,
+	.final_check   = lscan_mt_check,
+	.print         = lscan_mt_print,
+	.save          = lscan_mt_save,
+	.extra_opts    = lscan_mt_opts,
 };
 
-static __attribute__((constructor)) void portscan_mt_ldr(void)
+static __attribute__((constructor)) void lscan_mt_ldr(void)
 {
-	xtables_register_match(&portscan_mt_reg);
+	xtables_register_match(&lscan_mt_reg);
 }

extensions/libxt_lscan.man

@@ -1,4 +1,5 @@
-Detects simple port scan attemps based upon the packet's contents. (This is
+Detects simple low-level scan attemps based upon the packet's contents.
+(This is
 different from other implementations, which also try to match the rate of new
 connections.) Note that an attempt is only discovered after it has been carried
 out, but this information can be used in conjunction with other rules to block
@@ -20,8 +21,12 @@ connection was torn down after completion of the 3-way handshake.
 \fB--grscan\fR
 Match if data in the connection only flew in the direction of the remote side,
 e.g. if the connection was terminated after a locally running daemon sent its
-identification. (e.g. openssh)
+identification. (E.g. openssh, smtp, ftpd.) This may falsely trigger on
+warranted single-direction data flows, usually bulk data transfers such as
+FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
+ports where a protocol runs that is guaranteed to do a bidirectional exchange
+of bytes.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
-so be advised to carefully use xt_portscan in conjunction with blocking rules,
+so be advised to carefully use xt_lscan in conjunction with blocking rules,
 as it may lock out your very own internal network.

extensions/xt_LOGMARK.c

@@ -38,9 +38,10 @@ logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	enum ip_conntrack_info ctinfo;
 	bool prev = false;
 
-	printk("<%u>%.*s""hook=%s nfmark=0x%x secmark=0x%x classify=0x%x",
+	printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
+	       "secmark=0x%x classify=0x%x",
 	       info->level, (unsigned int)sizeof(info->prefix), info->prefix,
-	       hook_names[par->hooknum],
+	       skb_ifindex(skb), hook_names[par->hooknum],
 	       skb_nfmark(skb), skb_secmark(skb), skb->priority);
 
 	ct = nf_ct_get(skb, &ctinfo);

extensions/xt_TEE.c

@@ -1,7 +1,7 @@
 /*
  *	"TEE" target extension for Xtables
  *	Copyright © Sebastian Claßen <sebastian.classen [at] freenet de>, 2007
- *	Jan Engelhardt <jengelh [at] medozas de>, 2007
+ *	Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
  *
  *	based on ipt_ROUTE.c from Cédric de Launois
  *	<delaunois [at] info ucl ac be>
@@ -17,6 +17,7 @@
 #include <net/checksum.h>
 #include <net/icmp.h>
 #include <net/ip.h>
+#include <net/ip6_route.h>
 #include <net/route.h>
 #include <linux/netfilter/x_tables.h>
 
@@ -25,11 +26,14 @@
 #	include <net/netfilter/nf_conntrack.h>
 static struct nf_conn tee_track;
 #endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
 
 #include "compat_xtables.h"
 #include "xt_TEE.h"
 
-static const union nf_inet_addr zero_address;
+static const union nf_inet_addr tee_zero_address;
 
 /*
  * Try to route the packet according to the routing keys specified in
@@ -47,21 +51,24 @@ static const union nf_inet_addr zero_address;
  *         true  - if the packet was succesfully routed to the
  *                 destination desired
  */
-static bool tee_routing(struct sk_buff *skb,
-                        const struct xt_tee_tginfo *info)
+static bool
+tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
+	const struct iphdr *iph = ip_hdr(skb);
 	int err;
 	struct rtable *rt;
-	struct iphdr *iph = ip_hdr(skb);
-	struct flowi fl = {
-		.nl_u = {
-			.ip4_u = {
-				.daddr = info->gw.ip,
-				.tos   = RT_TOS(iph->tos),
-				.scope = RT_SCOPE_UNIVERSE,
-			}
-		}
-	};
+	struct flowi fl;
+
+	memset(&fl, 0, sizeof(fl));
+	fl.iif = skb_ifindex(skb);
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+	fl.nl_u.ip4_u.fwmark = skb_nfmark(skb);
+#else
+	fl.mark = skb_nfmark(skb);
+#endif
+	fl.nl_u.ip4_u.daddr = info->gw.ip;
+	fl.nl_u.ip4_u.tos   = RT_TOS(iph->tos);
+	fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
 
 	/* Trying to route the packet using the standard routing table. */
 	err = ip_route_output_key(&init_net, &rt, &fl);
@@ -72,22 +79,14 @@ static bool tee_routing(struct sk_buff *skb,
 		return false;
 	}
 
-	/* Drop old route. */
 	dst_release(skb->dst);
-	skb->dst = NULL;
-
-	/*
-	 * Success if no oif specified or if the oif correspond to the
-	 * one desired.
-	 * [SC]: always the case, because we have no oif.
-	 */
 	skb->dst      = &rt->u.dst;
 	skb->dev      = skb->dst->dev;
 	skb->protocol = htons(ETH_P_IP);
 	return true;
 }
 
-static bool dev_hh_avail(const struct net_device *dev)
+static inline bool dev_hh_avail(const struct net_device *dev)
 {
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 	return dev->hard_header != NULL;
@@ -103,14 +102,14 @@ static bool dev_hh_avail(const struct net_device *dev)
  * POST: the packet is sent with the link layer header pushed
  *       the packet is destroyed
  */
-static void tee_ip_direct_send(struct sk_buff *skb)
+static void tee_tg_send(struct sk_buff *skb)
 {
 	const struct dst_entry *dst  = skb->dst;
 	const struct net_device *dev = dst->dev;
 	unsigned int hh_len = LL_RESERVED_SPACE(dev);
 
 	/* Be paranoid, rather than too clever. */
-	if (unlikely(skb_headroom(skb) < hh_len) && dev_hh_avail(dev)) {
+	if (unlikely(skb_headroom(skb) < hh_len && dev_hh_avail(dev))) {
 		struct sk_buff *skb2;
 
 		skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
@@ -142,7 +141,7 @@ static void tee_ip_direct_send(struct sk_buff *skb)
  * packets when we see they already have that ->nfct.
  */
 static unsigned int
-tee_tg(struct sk_buff **pskb, const struct xt_target_param *par)
+tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct sk_buff *skb = *pskb;
@@ -200,29 +199,125 @@ tee_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	nf_conntrack_get(skb->nfct);
 #endif
 
-	if (tee_routing(skb, info))
-		tee_ip_direct_send(skb);
+	/*
+	 * Normally, we would just use ip_local_out. Because iph->check is
+	 * already correct, we could take a shortcut and call dst_output
+	 * [forwards to ip_output] directly. ip_output however will invoke
+	 * Netfilter hooks and cause reentrancy. So we skip that too and go
+	 * directly to ip_finish_output. Since we should not do XFRM, control
+	 * passes to ip_finish_output2. That function is not exported, so it is
+	 * copied here as tee_ip_direct_send.
+	 *
+	 * We do no XFRM on the cloned packet on purpose! The choice of
+	 * iptables match options will control whether the raw packet or the
+	 * transformed version is cloned.
+	 *
+	 * Also on purpose, no fragmentation is done, to preserve the
+	 * packet as best as possible.
+	 */
+	if (tee_tg_route4(skb, info))
+		tee_tg_send(skb);
 
 	return XT_CONTINUE;
 }
 
+#ifdef WITH_IPV6
+static bool
+tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
+{
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
+	struct dst_entry *dst;
+	struct flowi fl;
+
+	memset(&fl, 0, sizeof(fl));
+	fl.iif = skb_ifindex(skb);
+#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
+	fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
+	fl.mark = skb_nfmark(skb);
+#endif
+	fl.nl_u.ip6_u.daddr = info->gw.in6;
+	fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
+		(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
+
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
+	dst = ip6_route_output(NULL, &fl);
+#else
+	dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
+#endif
+	if (dst == NULL) {
+		if (net_ratelimit())
+			printk(KERN_ERR "ip6_route_output failed for tee\n");
+		return false;
+	}
+
+	dst_release(skb->dst);
+	skb->dst      = dst;
+	skb->dev      = skb->dst->dev;
+	skb->protocol = htons(ETH_P_IPV6);
+	return true;
+}
+
+static unsigned int
+tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
+{
+	const struct xt_tee_tginfo *info = par->targinfo;
+	struct sk_buff *skb = *pskb;
+
+	/* Try silence. */
+#ifdef WITH_CONNTRACK
+	if (skb->nfct == &tee_track.ct_general)
+		return NF_DROP;
+#endif
+
+	if ((skb = skb_copy(skb, GFP_ATOMIC)) == NULL)
+		return XT_CONTINUE;
+
+#ifdef WITH_CONNTRACK
+	nf_conntrack_put(skb->nfct);
+	skb->nfct     = &tee_track.ct_general;
+	skb->nfctinfo = IP_CT_NEW;
+	nf_conntrack_get(skb->nfct);
+#endif
+	if (tee_tg_route6(skb, info))
+		tee_tg_send(skb);
+
+	return XT_CONTINUE;
+}
+#endif /* WITH_IPV6 */
+
 static bool tee_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
 
 	/* 0.0.0.0 and :: not allowed */
-	return memcmp(&info->gw, &zero_address, sizeof(zero_address)) != 0;
+	return memcmp(&info->gw, &tee_zero_address,
+	       sizeof(tee_zero_address)) != 0;
 }
 
-static struct xt_target tee_tg_reg __read_mostly = {
-	.name       = "TEE",
-	.revision   = 0,
-	.family     = NFPROTO_IPV4,
-	.table      = "mangle",
-	.target     = tee_tg,
-	.targetsize = sizeof(struct xt_tee_tginfo),
-	.checkentry = tee_tg_check,
-	.me         = THIS_MODULE,
+static struct xt_target tee_tg_reg[] __read_mostly = {
+	{
+		.name       = "TEE",
+		.revision   = 0,
+		.family     = NFPROTO_IPV4,
+		.table      = "mangle",
+		.target     = tee_tg4,
+		.targetsize = sizeof(struct xt_tee_tginfo),
+		.checkentry = tee_tg_check,
+		.me         = THIS_MODULE,
+	},
+#ifdef WITH_IPV6
+	{
+		.name       = "TEE",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.table      = "mangle",
+		.target     = tee_tg6,
+		.targetsize = sizeof(struct xt_tee_tginfo),
+		.checkentry = tee_tg_check,
+		.me         = THIS_MODULE,
+	},
+#endif
 };
 
 static int __init tee_tg_init(void)
@@ -241,19 +336,20 @@ static int __init tee_tg_init(void)
 	tee_track.status |= IPS_NAT_DONE_MASK;
 #endif
 
-	return xt_register_target(&tee_tg_reg);
+	return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
 }
 
 static void __exit tee_tg_exit(void)
 {
-	xt_unregister_target(&tee_tg_reg);
+	xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
 	/* [SC]: shoud not we cleanup tee_track here? */
 }
 
 module_init(tee_tg_init);
 module_exit(tee_tg_exit);
 MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: Reroute packet copy");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TEE");
+MODULE_ALIAS("ip6t_TEE");

extensions/xt_ipp2p.c

@@ -603,8 +603,13 @@ search_all_kazaa(const unsigned char *payload, const unsigned int plen)
 {
 	uint16_t c, end, rem;
 
-	if (plen >= 5) {
-		printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) < 5\n",
+	if (plen < 5)
+		/* too short for anything we test for - early bailout */
+		return 0;
+
+	if (plen >= 65535) {
+		/* Something seems _really_ fishy */
+		printk(KERN_WARNING KBUILD_MODNAME ": %s: plen (%u) >= 65535\n",
 		       __func__, plen);
 		return 0;
 	}
@@ -618,6 +623,10 @@ search_all_kazaa(const unsigned char *payload, const unsigned int plen)
 	if (memcmp(payload, "GET /", 5) != 0)
 		return 0;
 
+	if (plen < 18)
+		/* The next tests would not succeed anyhow. */
+		return 0;
+
 	end = plen - 18;
 	rem = plen - 5;
 	for (c = 5; c < end; ++c, --rem) {
@@ -828,7 +837,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	switch (ip->protocol) {
 	case IPPROTO_TCP:	/* what to do with a TCP packet */
 	{
-		const struct tcphdr *tcph = tcp_hdr(skb);
+		const struct tcphdr *tcph = (const void *)ip + ip_hdrlen(skb);
 
 		if (tcph->fin) return 0;  /* if FIN bit is set bail out */
 		if (tcph->syn) return 0;  /* if SYN bit is set bail out */
@@ -855,7 +864,7 @@ ipp2p_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 
 	case IPPROTO_UDP:	/* what to do with an UDP packet */
 	{
-		const struct udphdr *udph = udp_hdr(skb);
+		const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb);
 
 		while (udp_list[i].command) {
 			if ((info->cmd & udp_list[i].command) == udp_list[i].command &&

extensions/xt_ipp2p.h

@@ -1,6 +1,6 @@
 #ifndef __IPT_IPP2P_H
 #define __IPT_IPP2P_H
-#define IPP2P_VERSION "0.9"
+#define IPP2P_VERSION "0.10"
 
 enum {
 	IPP2N_EDK,

extensions/xt_length2.c

@@ -0,0 +1,262 @@
+/*
+ *	xt_length - Netfilter module to match packet length
+ *	Copyright © Jan Engelhardt <jengelh@medozas.de>, 2007 - 2009
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License; either
+ *	version 2 of the License, or any later version, as published by the
+ *	Free Software Foundation.
+ */
+#include <linux/dccp.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/icmp.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/sctp.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include "xt_length2.h"
+#include "compat_xtables.h"
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#	define WITH_IPV6 1
+#endif
+#ifndef NEXTHDR_IPV4
+#	define NEXTHDR_IPV4 4
+#endif
+
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_length2");
+MODULE_ALIAS("ip6t_length2");
+
+static bool
+xtlength_layer5_tcp(unsigned int *length, const struct sk_buff *skb,
+                    unsigned int offset)
+{
+	const struct tcphdr *tcph;
+	struct tcphdr buf;
+
+	tcph = skb_header_pointer(skb, offset, sizeof(buf), &buf);
+	if (tcph == NULL)
+		return false;
+
+	*length = skb->len - offset;
+	if (*length >= 4 * tcph->doff)
+		*length -= 4 * tcph->doff;
+	return true;
+}
+
+static bool
+xtlength_layer5_dccp(unsigned int *length, const struct sk_buff *skb,
+                     unsigned int offset)
+{
+	const struct dccp_hdr *dh;
+	struct dccp_hdr dhbuf;
+
+	dh = skb_header_pointer(skb, offset, sizeof(dhbuf), &dhbuf);
+	if (dh == NULL)
+		return false;
+
+	*length = skb->len - offset;
+	if (*length >= 4 * dh->dccph_doff)
+		*length -= 4 * dh->dccph_doff;
+	return true;
+}
+
+static inline bool
+xtlength_layer5(unsigned int *length, const struct sk_buff *skb,
+                unsigned int prot, unsigned int offset)
+{
+	switch (prot) {
+	case IPPROTO_TCP:
+		return xtlength_layer5_tcp(length, skb, offset);
+	case IPPROTO_UDP:
+	case IPPROTO_UDPLITE:
+		*length = skb->len - offset - sizeof(struct udphdr);
+		return true;
+	case IPPROTO_SCTP:
+		*length = skb->len - offset - sizeof(struct sctphdr);
+		return true;
+	case IPPROTO_DCCP:
+		return xtlength_layer5_dccp(length, skb, offset);
+	case IPPROTO_ICMP:
+		*length = skb->len - offset - sizeof(struct icmphdr);
+		return true;
+	case IPPROTO_ICMPV6:
+		*length = skb->len - offset -
+		          offsetof(struct icmp6hdr, icmp6_dataun);
+		return true;
+	case IPPROTO_AH:
+		*length = skb->len - offset - sizeof(struct ip_auth_hdr);
+		return true;
+	case IPPROTO_ESP:
+		*length = skb->len - offset - sizeof(struct ip_esp_hdr);
+		return true;
+	}
+	return false;
+}
+
+static bool
+xtlength_layer7_sctp(unsigned int *length, const struct sk_buff *skb,
+                     unsigned int offset)
+{
+	const struct sctp_chunkhdr *ch;
+	struct sctp_chunkhdr chbuf;
+	unsigned int pos;
+
+	*length = 0;
+	for (pos = sizeof(struct sctphdr); pos < skb->len;
+	     pos += ntohs(ch->length))
+	{
+		ch = skb_header_pointer(skb, offset + pos,
+		     sizeof(chbuf), &chbuf);
+		if (ch == NULL)
+			return false;
+		if (ch->type != SCTP_CID_DATA)
+			continue;
+		*length += ntohs(ch->length);
+	}
+	return true;
+}
+
+static bool xtlength_layer7(unsigned int *length, const struct sk_buff *skb,
+                            unsigned int proto, unsigned int offset)
+{
+	switch (proto) {
+	case IPPROTO_SCTP:
+		return xtlength_layer7_sctp(length, skb, offset);
+	default:
+		return xtlength_layer5(length, skb, proto, offset);
+	}
+}
+
+/**
+ * llayer4_proto - figure out the L4 protocol in an IPv6 packet
+ * @skb:	skb pointer
+ * @offset:	position at which L4 starts (equal to 'protoff' in IPv4 code)
+ * @hotdrop:	hotdrop pointer
+ *
+ * Searches for a recognized L4 header. On success, fills in @offset and
+ * returns the protocol number. If not found, %NEXTHDR_MAX is returned.
+ * On error, @hotdrop is set.
+ */
+static unsigned int
+llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
+{
+	/*
+	 * Do encapsulation first so that %NEXTHDR_TCP does not hit the TCP
+	 * part in an IPv6-in-IPv6 encapsulation.
+	 */
+	static const unsigned int types[] =
+		{IPPROTO_IPV6, IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH,
+		IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_UDPLITE,
+		IPPROTO_SCTP, IPPROTO_DCCP};
+	unsigned int i;
+	int err;
+
+	for (i = 0; i < ARRAY_SIZE(types); ++i) {
+		err = ipv6_find_hdr(skb, offset, types[i], NULL);
+		if (err >= 0)
+			return types[i];
+		if (err != -ENOENT) {
+			*hotdrop = true;
+			break;
+		}
+	}
+
+	return NEXTHDR_MAX;
+}
+
+static bool
+length2_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_length_mtinfo2 *info = par->matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+	unsigned int len = 0;
+	bool hit = true;
+
+	if (info->flags & XT_LENGTH_LAYER3)
+		len = ntohs(iph->tot_len);
+	else if (info->flags & XT_LENGTH_LAYER4)
+		len = ntohs(iph->tot_len) - par->thoff;
+	else if (info->flags & XT_LENGTH_LAYER5)
+		hit = xtlength_layer5(&len, skb, iph->protocol, par->thoff);
+	else if (info->flags & XT_LENGTH_LAYER7)
+		hit = xtlength_layer7(&len, skb, iph->protocol, par->thoff);
+	if (!hit)
+		return false;
+
+	return (len >= info->min && len <= info->max) ^
+	       !!(info->flags & XT_LENGTH_INVERT);
+}
+
+#ifdef WITH_IPV6
+static bool
+length2_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_length_mtinfo2 *info = par->matchinfo;
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
+	unsigned int len = 0, l4proto;
+	unsigned int thoff = par->thoff;
+	bool hit = true;
+
+	if (info->flags & XT_LENGTH_LAYER3) {
+		len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
+	} else {
+		l4proto = llayer4_proto(skb, &thoff, par->hotdrop);
+		if (l4proto == NEXTHDR_MAX)
+			return false;
+		if (info->flags & XT_LENGTH_LAYER4)
+			len = skb->len - thoff;
+		else if (info->flags & XT_LENGTH_LAYER5)
+			hit = xtlength_layer5(&len, skb, l4proto, thoff);
+		else if (info->flags & XT_LENGTH_LAYER7)
+			hit = xtlength_layer7(&len, skb, l4proto, thoff);
+	}
+	if (!hit)
+		return false;
+
+	return (len >= info->min && len <= info->max) ^
+	       !!(info->flags & XT_LENGTH_INVERT);
+}
+#endif
+
+static struct xt_match length2_mt_reg[] __read_mostly = {
+	{
+		.name           = "length2",
+		.revision       = 2,
+		.family         = NFPROTO_IPV4,
+		.match          = length2_mt,
+		.matchsize      = sizeof(struct xt_length_mtinfo2),
+		.me             = THIS_MODULE,
+	},
+#ifdef WITH_IPV6
+	{
+		.name           = "length2",
+		.revision       = 2,
+		.family         = NFPROTO_IPV6,
+		.match          = length2_mt6,
+		.matchsize      = sizeof(struct xt_length_mtinfo2),
+		.me             = THIS_MODULE,
+	},
+#endif
+};
+
+static int __init length2_mt_init(void)
+{
+	return xt_register_matches(length2_mt_reg, ARRAY_SIZE(length2_mt_reg));
+}
+
+static void __exit length2_mt_exit(void)
+{
+	xt_unregister_matches(length2_mt_reg, ARRAY_SIZE(length2_mt_reg));
+}
+
+module_init(length2_mt_init);
+module_exit(length2_mt_exit);

extensions/xt_length2.h

@@ -0,0 +1,22 @@
+#ifndef _LINUX_NETFILTER_XT_LENGTH2_H
+#define _LINUX_NETFILTER_XT_LENGTH2_H
+
+enum {
+	XT_LENGTH_INVERT = 1 << 0,
+
+	/* IP header plus payload */
+	XT_LENGTH_LAYER3 = 1 << 1,
+	/* Strip IP header: */
+	XT_LENGTH_LAYER4 = 1 << 2,
+	/* Strip TCP/UDP/etc. header */
+	XT_LENGTH_LAYER5 = 1 << 3,
+	/* TCP/UDP/SCTP payload */
+	XT_LENGTH_LAYER7 = 1 << 4,
+};
+
+struct xt_length_mtinfo2 {
+	u_int32_t min, max;
+	u_int16_t flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_LENGTH2_H */

extensions/xt_lscan.Kconfig

@@ -1,8 +1,8 @@
-config NETFILTER_XT_MATCH_PORTSCAN
-	tristate '"portscan" target support'
+config NETFILTER_XT_MATCH_LSCAN
+	tristate '"lscan" match support'
 	depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
 	---help---
-	The portscan match allows to match on the basic types of nmap
+	The LSCAN match allows to match on the basic types of nmap
 	scans: Stealth Scan, SYN scan and connect scan. It can also match
 	"grab-only" connections, i.e. where data flows in only one
 	direction.

extensions/xt_lscan.c

@@ -1,6 +1,6 @@
 /*
- *	portscan match for netfilter
- *	Copyright © CC Computer Consultants GmbH, 2006 - 2008
+ *	LSCAN match for netfilter
+ *	Copyright © Jan Engelhardt, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or modify
  *	it under the terms of the GNU General Public License; either version
@@ -17,8 +17,7 @@
 #include <linux/version.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_tcpudp.h>
-//#include <net/netfilter/nf_conntrack.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
 
@@ -103,8 +102,8 @@ static inline bool tflg_synack(const struct tcphdr *th)
 	       (TCP_FLAG_SYN | TCP_FLAG_ACK);
 }
 
-/* portscan functions */
-static inline bool portscan_mt_stealth(const struct tcphdr *th)
+/* lscan functions */
+static inline bool lscan_mt_stealth(const struct tcphdr *th)
 {
 	/*
 	 * "Connection refused" replies to our own probes must not be matched.
@@ -126,7 +125,7 @@ static inline bool portscan_mt_stealth(const struct tcphdr *th)
 	return !tflg_syn(th);
 }
 
-static inline unsigned int portscan_mt_full(int mark,
+static inline unsigned int lscan_mt_full(int mark,
     enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
     unsigned int payload_len)
 {
@@ -172,9 +171,9 @@ static inline unsigned int portscan_mt_full(int mark,
 }
 
 static bool
-portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-	const struct xt_portscan_mtinfo *info = par->matchinfo;
+	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
 	const struct tcphdr *tcph;
 	struct nf_conn *ctdata;
@@ -187,7 +186,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	/* Check for invalid packets: -m conntrack --ctstate INVALID */
 	if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
 		if (info->match_stealth)
-			return portscan_mt_stealth(tcph);
+			return lscan_mt_stealth(tcph);
 		/*
 		 * If @ctdata is NULL, we cannot match the other scan
 		 * types, return.
@@ -196,7 +195,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	}
 
 	/*
-	 * If -m portscan was previously applied to this packet, the rules we
+	 * If -m lscan was previously applied to this packet, the rules we
 	 * simulate must not be run through again. And for speedup, do not call
 	 * it either when the connection is already VALID.
 	 */
@@ -204,7 +203,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	     (skb_nfmark(skb) & packet_mask) != mark_seen) {
 		unsigned int n;
 
-		n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
+		n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
 		    par->in == init_net__loopback_dev, tcph,
 		    skb->len - par->thoff - 4 * tcph->doff);
 
@@ -217,9 +216,9 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	       (info->match_gr && ctdata->mark == mark_grscan);
 }
 
-static bool portscan_mt_check(const struct xt_mtchk_param *par)
+static bool lscan_mt_check(const struct xt_mtchk_param *par)
 {
-	const struct xt_portscan_mtinfo *info = par->matchinfo;
+	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
 	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
 	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
@@ -229,44 +228,44 @@ static bool portscan_mt_check(const struct xt_mtchk_param *par)
 	return true;
 }
 
-static struct xt_match portscan_mt_reg[] __read_mostly = {
+static struct xt_match lscan_mt_reg[] __read_mostly = {
 	{
-		.name       = "portscan",
+		.name       = "lscan",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.match      = portscan_mt,
-		.checkentry = portscan_mt_check,
-		.matchsize  = sizeof(struct xt_portscan_mtinfo),
+		.match      = lscan_mt,
+		.checkentry = lscan_mt_check,
+		.matchsize  = sizeof(struct xt_lscan_mtinfo),
 		.proto      = IPPROTO_TCP,
 		.me         = THIS_MODULE,
 	},
 	{
-		.name       = "portscan",
+		.name       = "lscan",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.match      = portscan_mt,
-		.checkentry = portscan_mt_check,
-		.matchsize  = sizeof(struct xt_portscan_mtinfo),
+		.match      = lscan_mt,
+		.checkentry = lscan_mt_check,
+		.matchsize  = sizeof(struct xt_lscan_mtinfo),
 		.proto      = IPPROTO_TCP,
 		.me         = THIS_MODULE,
 	},
 };
 
-static int __init portscan_mt_init(void)
+static int __init lscan_mt_init(void)
 {
-	return xt_register_matches(portscan_mt_reg,
-	       ARRAY_SIZE(portscan_mt_reg));
+	return xt_register_matches(lscan_mt_reg,
+	       ARRAY_SIZE(lscan_mt_reg));
 }
 
-static void __exit portscan_mt_exit(void)
+static void __exit lscan_mt_exit(void)
 {
-	xt_unregister_matches(portscan_mt_reg, ARRAY_SIZE(portscan_mt_reg));
+	xt_unregister_matches(lscan_mt_reg, ARRAY_SIZE(lscan_mt_reg));
 }
 
-module_init(portscan_mt_init);
-module_exit(portscan_mt_exit);
+module_init(lscan_mt_init);
+module_exit(lscan_mt_exit);
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: \"portscan\" match");
+MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_portscan");
-MODULE_ALIAS("ip6t_portscan");
+MODULE_ALIAS("ipt_lscan");
+MODULE_ALIAS("ip6t_lscan");

extensions/xt_lscan.h

@@ -0,0 +1,8 @@
+#ifndef _LINUX_NETFILTER_XT_LSCAN_H
+#define _LINUX_NETFILTER_XT_LSCAN_H 1
+
+struct xt_lscan_mtinfo {
+	uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
+#endif /* _LINUX_NETFILTER_XT_LSCAN_H */

extensions/xt_portscan.h

@@ -1,8 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
-#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
-
-struct xt_portscan_mtinfo {
-	uint8_t match_stealth, match_syn, match_cn, match_gr;
-};
-
-#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */

mconfig

@@ -14,5 +14,6 @@ build_fuzzy=m
 build_geoip=m
 build_ipp2p=m
 build_ipset=m
-build_portscan=m
+build_length2=m
+build_lscan=m
 build_quota2=m

xtables-addons.8.in

@@ -1,9 +1,9 @@
-.TH xtables\-addons 8 "v1.7 (2008\-12\-25)" "" "v1.7 (2008\-12\-25)"
-.SH NAME
+.TH xtables\-addons 8 "v1.12 (2009\-03\-07)" "" "v1.12 (2009\-03\-07)"
+.SH Name
 Xtables\-addons - additional extensions for iptables, ip6tables, etc.
-.SH TARGETS
+.SH Targets
 .\" @TARGET@
-.SH MATCHES
+.SH Matches
 .\" @MATCHES@
 .SH "SEE ALSO"
 \fBiptables\fP(8), \fBip6tables\fP(8)