Xtables-addons 1.12

Resolve compile breakage from commits
36f80be2f7 and
7b9ca945d4.

INSTALL

@@ -9,16 +9,24 @@ in combination with the kernel's Kbuild system.
 	# make install
 
 
-Prerequirements
-===============
+Supported configurations for this release
+=========================================
 
-	* iptables 1.4.1
+	* iptables >= 1.4.1
+	  upper bound: iptables <= 1.4.3-rc1
 
-	* kernel-source >= 2.6.17 with prepared build/output directory
+	* kernel-source >= 2.6.17, no upper bound known
+	  with prepared build/output directory
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
 	    enabled =y or as module (=m)
 
+Extra notes:
+
+	* in the kernel 2.6.18.x series, >= 2.6.18.5 is required
+
+	* requires that no vendor backports interfere
+
 
 Selecting extensions
 ====================
@@ -45,11 +53,8 @@ Configuring and compiling
 	xtables.h, should it not be within the standard C compiler
 	include path (/usr/include), or if you want to override it.
 	The directory will be checked for xtables.h and
-	include/xtables.h. (This is to support the following specs:)
-
-		--with-xtables=/usr/src/xtables
-		--with-xtables=/usr/src/xtables/include
-		--with-xtables=/opt/xtables/include
+	include/xtables.h. (The latter to support both standard
+	/usr/include and the iptables source root.)
 
 --with-libxtdir=
 

Makefile.am

@@ -15,6 +15,8 @@ extensions/%:
 install-exec-local:
 	depmod -a || :;
 
+config.status: extensions/GNUmakefile.in
+
 .PHONY: tarball
 tarball:
 	rm -Rf /tmp/xtables-addons-${PACKAGE_VERSION};

configure.ac

@@ -1,5 +1,5 @@
 
-AC_INIT([xtables-addons], [1.9])
+AC_INIT([xtables-addons], [1.12])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL

doc/changelog.txt

@@ -0,0 +1,125 @@
+
+
+Xtables-addons 1.12 (March 07 2009)
+===================================
+- ipset: fix for compilation with 2.6.29-rt
+- ipset: fast forward to 2.5.0
+- rename xt_portscan to xt_lscan ("low-level scan") because
+  "portscan" as a wor caused confusion
+- xt_LOGMARK: print incoming interface index
+- revert "TEE: do not use TOS for routing"
+- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n
+- xt_TEE: enable routing by iif, nfmark and flowlabel
+
+
+Xtables-addons 1.10 (February 18 2009)
+======================================
+- compat: compile fixes for 2.6.29
+- ipset: upgrade to ipset 2.4.9
+
+
+Xtables-addons 1.9 (January 30 2009)
+====================================
+- add the xt_length2 extension
+- xt_TEE: remove intrapositional '!' support
+- ipset: upgrade to ipset 2.4.7
+
+
+Xtables-addons 1.8 (January 10 2009)
+====================================
+- xt_TEE: IPv6 support
+- xt_TEE: do not include TOS value in routing decision
+- xt_TEE: fix switch-case inversion for name/IP display
+- xt_ipp2p: update manpages and help text
+- xt_ipp2p: remove log flooding
+- xt_portscan: update manpage about --grscan option caveats
+
+
+Xtables-addons 1.7 (December 25 2008)
+=====================================
+- xt_ECHO: compile fix
+- avoid the use of "_init" which led to compile errors on some installations
+- build: do not unconditionally install ipset
+- doc: add manpages for xt_ECHO and xt_TEE
+- xt_ipp2p: kazaa detection code cleanup
+- xt_ipp2p: fix newline inspection in kazaa detection
+- xt_ipp2p: ensure better array bounds checking
+- xt_SYSRQ: improve security by hashing password
+
+
+Xtables-addons 1.6 (November 18 2008)
+=====================================
+- build: support for Linux 2.6.17
+- build: compile fixes for 2.6.18 and 2.6.19
+- xt_ECHO: resolve compile errors in xt_ECHO
+- xt_ipp2p: parenthesize unaligned-access macros
+
+
+Xtables-addons 1.5.7 (September 01 2008)
+========================================
+- API layer: fix use of uninitialized 'hotdrop' variable
+- API layer: move to pskb-based signatures
+- xt_SYSRQ: compile fixes for Linux <= 2.6.19
+- ipset: adjust semaphore.h include for Linux >= 2.6.27
+- build: automatically run `depmod -a` on installation
+- add reworked xt_fuzzy module
+- add DHCP address match and mangle module
+- xt_portscan: IPv6 support
+- xt_SYSRQ: add missing module aliases
+
+
+Xtables-addons 1.5.5 (August 03 2008)
+=====================================
+- manpage updates for xt_CHAOS, xt_IPMARK; README updates
+- build: properly recognize external Kbuild/Mbuild files
+- build: remove dependency on CONFIG_NETWORK_SECMARK
+- add the xt_SYSRQ target
+- add the xt_quota2 extension
+- import ipset extension group
+
+
+Xtables-addons 1.5.4.1 (April 26 2008)
+======================================
+- build: fix compile error for 2.6.18-stable
+
+
+Xtables-addons 1.5.4 (April 09 2008)
+====================================
+- build: support building multiple files with one config option
+- API layer: add check for pskb relocation
+- doc: generate manpages
+- xt_ECHO: catch skb_linearize out-of-memory condition
+- xt_LOGMARK: add hook= and ctdir= fields in dump
+- xt_LOGMARK: fix comma output in ctstatus= list
+- xt_TEE: fix address copying bug
+- xt_TEE: make skb writable before attempting checksum update
+- add reworked xt_condition match
+- add reworked xt_ipp2p match
+- add reworked xt_IPMARK target
+
+
+Xtables-addons 1.5.3 (March 22 2008)
+====================================
+- support for Linux 2.6.18
+- add xt_ECHO sample target
+- add reworked xt_geoip match
+
+
+Xtables-addons 1.5.2 (March 04 2008)
+====================================
+- build: support for GNU make < 3.81 which does not have $(realpath)
+
+
+Xtables-addons 1.5.1 (February 21 2008)
+=======================================
+- build: allow user to select what extensions to compile and install
+- build: allow external proejcts to be downloaded into the tree
+- xt_LOGMARK: dump classify mark, ctstate and ctstatus
+- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
+
+
+Xtables-addons 1.5.0 (February 11 2008)
+=======================================
+Initial release with:
+- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
+- support for Linux >= 2.6.19

extensions/.gitignore

@@ -3,6 +3,7 @@
 .tmp_versions
 *.ko
 *.mod.c
+Module.markers
 Module.symvers
 Modules.symvers
 modules.order

extensions/GNUmakefile.in

@@ -34,12 +34,14 @@ VU := 0
 am__1verbose_CC_0     = @echo "  CC      " $@;
 am__1verbose_CCLD_0   = @echo "  CCLD    " $@;
 am__1verbose_GEN_0    = @echo "  GEN     " $@;
+am__1verbose_SILENT_0 = @
 am__1verbose_CC_1     = @echo "  CC      " $@ "<-" $<;
 am__1verbose_CCLD_1   = @echo "  CCLD    " $@ "<-" $^;
 am__1verbose_GEN_1    = @echo "  GEN     " $@ "<-" $<;
 am__verbose_CC        = ${am__1verbose_CC_${VU}}
 am__verbose_CCLD      = ${am__1verbose_CCLD_${VU}}
 am__verbose_GEN       = ${am__1verbose_GEN_${VU}}
+am__verbose_SILENT    = ${am__1verbose_GEN_${VU}}
 
 
 #
@@ -93,13 +95,13 @@ distclean: clean
 .PHONY: modules modules_install clean_modules
 
 modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} modules; fi;
 
 modules_install:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} INSTALL_MOD_PATH=${DESTDIR} modules_install; fi;
 
 clean_modules:
-	make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean;
+	${am__verbose_SILENT}if [ -n "${kbuilddir}" ]; then make -C ${kbuilddir} M=${abssrcdir} XA_TOPSRCDIR=${abstop_srcdir} clean; fi;
 
 
 #

extensions/Kbuild

@@ -20,7 +20,7 @@ obj-${build_geoip}       += xt_geoip.o
 obj-${build_ipp2p}       += xt_ipp2p.o
 obj-${build_ipset}       += ipset/
 obj-${build_length2}     += xt_length2.o
-obj-${build_portscan}    += xt_portscan.o
+obj-${build_lscan}       += xt_lscan.o
 obj-${build_quota2}      += xt_quota2.o
 
 -include ${M}/*.Kbuild

extensions/Mbuild

@@ -13,5 +13,5 @@ obj-${build_geoip}       += libxt_geoip.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
 obj-${build_ipset}       += ipset/
 obj-${build_length2}     += libxt_length2.so
-obj-${build_portscan}    += libxt_portscan.so
+obj-${build_lscan}       += libxt_lscan.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/compat_skbuff.h

@@ -5,8 +5,11 @@ struct tcphdr;
 struct udphdr;
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+#	define skb_ifindex(skb) \
+		(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
 #else
+#	define skb_ifindex(skb) (skb)->iif
 #	define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
 #endif
 

extensions/compat_xtables.h

@@ -1,6 +1,7 @@
 #ifndef _XTABLES_COMPAT_H
 #define _XTABLES_COMPAT_H 1
 
+#include <linux/kernel.h>
 #include <linux/version.h>
 #include "compat_skbuff.h"
 #include "compat_xtnu.h"
@@ -70,6 +71,27 @@
 #	define csum_replace2 nf_csum_replace2
 #endif
 
+#if !defined(NIP6) && !defined(NIP6_FMT)
+#	define NIP6(addr) \
+		ntohs((addr).s6_addr16[0]), \
+		ntohs((addr).s6_addr16[1]), \
+		ntohs((addr).s6_addr16[2]), \
+		ntohs((addr).s6_addr16[3]), \
+		ntohs((addr).s6_addr16[4]), \
+		ntohs((addr).s6_addr16[5]), \
+		ntohs((addr).s6_addr16[6]), \
+		ntohs((addr).s6_addr16[7])
+#	define NIP6_FMT "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
+#endif
+#if !defined(NIPQUAD) && !defined(NIPQUAD_FMT)
+#	define NIPQUAD(addr) \
+		((const unsigned char *)&addr)[0], \
+		((const unsigned char *)&addr)[1], \
+		((const unsigned char *)&addr)[2], \
+		((const unsigned char *)&addr)[3]
+#	define NIPQUAD_FMT "%u.%u.%u.%u"
+#endif
+
 #define ip_route_me_harder    xtnu_ip_route_me_harder
 #define skb_make_writable     xtnu_skb_make_writable
 #define xt_target             xtnu_target

extensions/ipset/GNUmakefile.in

@@ -2,6 +2,7 @@
 
 top_srcdir      := @top_srcdir@
 srcdir          := @srcdir@
+datarootdir     := @datarootdir@
 abstop_srcdir   := $(shell readlink -e ${top_srcdir})
 abssrcdir       := $(shell readlink -e ${srcdir})
 

extensions/ipset/ip_set.c

@@ -19,7 +19,7 @@
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/random.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <linux/capability.h>
 #include <asm/uaccess.h>
@@ -877,7 +877,7 @@ ip_set_create(const char *name,
 	set = kmalloc(sizeof(struct ip_set), GFP_KERNEL);
 	if (!set)
 		return -ENOMEM;
-	set->lock = RW_LOCK_UNLOCKED;
+	rwlock_init(&set->lock);
 	strncpy(set->name, name, IP_SET_MAXNAMELEN);
 	set->binding = IP_SET_INVALID_ID;
 	atomic_set(&set->ref, 0);

extensions/ipset/ip_set_iphash.c

@@ -11,7 +11,7 @@
 #include <linux/moduleparam.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -42,8 +42,7 @@ iphash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t ip)
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 		if (*elem == *hash_ip)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -64,18 +63,21 @@ __iphash_add(struct ip_set_iphash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 	
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
 		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *ip;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_ipporthash.c

@@ -13,7 +13,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -49,8 +49,7 @@ ipporthash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 		if (*elem == *hash_ip)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -86,18 +85,21 @@ __ipporthash_add(struct ip_set_ipporthash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
 		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *ip;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_ipportiphash.c

@@ -13,7 +13,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -51,8 +51,7 @@ ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
 		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
 		if (elem->ip == *hash_ip && elem->ip1 == ip1)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -90,19 +89,22 @@ __ipportip_add(struct ip_set_ipportiphash *map,
 {
 	__u32 probe;
 	u_int16_t i;
-	struct ipportip *elem;
+	struct ipportip *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
 		if (elem->ip == hash_ip && elem->ip1 == ip1)
 			return -EEXIST;
-		if (!(elem->ip || elem->ip1)) {
-			elem->ip = hash_ip;
-			elem->ip1 = ip1;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || elem->ip || elem->ip1))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		slot->ip = hash_ip;
+		slot->ip1 = ip1;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_ipportnethash.c

@@ -13,7 +13,7 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -53,8 +53,7 @@ ipportnethash_id_cidr(struct ip_set *set, ip_set_ip_t *hash_ip,
 		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
 		if (elem->ip == *hash_ip && elem->ip1 == ip1)
 			return id;
-		/* No shortcut at testing - there can be deleted
-		 * entries. */
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -137,19 +136,22 @@ __ipportnet_add(struct ip_set_ipportnethash *map,
 {
 	__u32 probe;
 	u_int16_t i;
-	struct ipportip *elem;
+	struct ipportip *elem, *slot = NULL;
 
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
 		if (elem->ip == hash_ip && elem->ip1 == ip1)
 			return -EEXIST;
-		if (!(elem->ip || elem->ip1)) {
-			elem->ip = hash_ip;
-			elem->ip1 = ip1;
-			map->elements++;
-			return 0;
-		}
+		if (!(slot || elem->ip || elem->ip1))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		slot->ip = hash_ip;
+		slot->ip1 = ip1;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ip_set_jhash.h

@@ -1,148 +1,157 @@
-#ifndef _LINUX_IPSET_JHASH_H
-#define _LINUX_IPSET_JHASH_H
-
-/* This is a copy of linux/jhash.h but the types u32/u8 are changed
- * to __u32/__u8 so that the header file can be included into
- * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
- */
+#ifndef _LINUX_JHASH_H
+#define _LINUX_JHASH_H
 
 /* jhash.h: Jenkins hash support.
  *
- * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net)
+ * Copyright (C) 2006. Bob Jenkins (bob_jenkins@burtleburtle.net)
  *
  * http://burtleburtle.net/bob/hash/
  *
  * These are the credits from Bob's sources:
  *
- * lookup2.c, by Bob Jenkins, December 1996, Public Domain.
- * hash(), hash2(), hash3, and mix() are externally useful functions.
- * Routines to test the hash are included if SELF_TEST is defined.
- * You can use this free for any purpose.  It has no warranty.
+ * lookup3.c, by Bob Jenkins, May 2006, Public Domain.
  *
- * Copyright (C) 2003 David S. Miller (davem@redhat.com)
+ * These are functions for producing 32-bit hashes for hash table lookup.
+ * hashword(), hashlittle(), hashlittle2(), hashbig(), mix(), and final() 
+ * are externally useful functions.  Routines to test the hash are included 
+ * if SELF_TEST is defined.  You can use this free for any purpose.  It's in
+ * the public domain.  It has no warranty.
+ *
+ * Copyright (C) 2009 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
  *
  * I've modified Bob's hash to be useful in the Linux kernel, and
- * any bugs present are surely my fault.  -DaveM
+ * any bugs present are my fault.  Jozsef
  */
 
-/* NOTE: Arguments are modified. */
-#define __jhash_mix(a, b, c) \
+#define __rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
+
+/* __jhash_mix - mix 3 32-bit values reversibly. */
+#define __jhash_mix(a,b,c) \
 { \
-  a -= b; a -= c; a ^= (c>>13); \
-  b -= c; b -= a; b ^= (a<<8); \
-  c -= a; c -= b; c ^= (b>>13); \
-  a -= b; a -= c; a ^= (c>>12);  \
-  b -= c; b -= a; b ^= (a<<16); \
-  c -= a; c -= b; c ^= (b>>5); \
-  a -= b; a -= c; a ^= (c>>3);  \
-  b -= c; b -= a; b ^= (a<<10); \
-  c -= a; c -= b; c ^= (b>>15); \
+  a -= c;  a ^= __rot(c, 4);  c += b; \
+  b -= a;  b ^= __rot(a, 6);  a += c; \
+  c -= b;  c ^= __rot(b, 8);  b += a; \
+  a -= c;  a ^= __rot(c,16);  c += b; \
+  b -= a;  b ^= __rot(a,19);  a += c; \
+  c -= b;  c ^= __rot(b, 4);  b += a; \
+}
+
+/* __jhash_final - final mixing of 3 32-bit values (a,b,c) into c */
+#define __jhash_final(a,b,c) \
+{ \
+  c ^= b; c -= __rot(b,14); \
+  a ^= c; a -= __rot(c,11); \
+  b ^= a; b -= __rot(a,25); \
+  c ^= b; c -= __rot(b,16); \
+  a ^= c; a -= __rot(c,4);  \
+  b ^= a; b -= __rot(a,14); \
+  c ^= b; c -= __rot(b,24); \
 }
 
 /* The golden ration: an arbitrary value */
-#define JHASH_GOLDEN_RATIO	0x9e3779b9
+#define JHASH_GOLDEN_RATIO	0xdeadbeef
 
 /* The most generic version, hashes an arbitrary sequence
  * of bytes.  No alignment or length assumptions are made about
- * the input key.
+ * the input key. The result depends on endianness.
  */
-static inline __u32 jhash(void *key, __u32 length, __u32 initval)
+static inline u32 jhash(const void *key, u32 length, u32 initval)
 {
-	__u32 a, b, c, len;
-	__u8 *k = key;
+	u32 a,b,c;
+	const u8 *k = key;
 
-	len = length;
-	a = b = JHASH_GOLDEN_RATIO;
-	c = initval;
-
-	while (len >= 12) {
-		a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24));
-		b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24));
-		c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24));
-
-		__jhash_mix(a,b,c);
+	/* Set up the internal state */
+	a = b = c = JHASH_GOLDEN_RATIO + length + initval;
 
+	/* all but the last block: affect some 32 bits of (a,b,c) */
+	while (length > 12) {
+    		a += (k[0] + ((u32)k[1]<<8) + ((u32)k[2]<<16) + ((u32)k[3]<<24));
+		b += (k[4] + ((u32)k[5]<<8) + ((u32)k[6]<<16) + ((u32)k[7]<<24));
+		c += (k[8] + ((u32)k[9]<<8) + ((u32)k[10]<<16) + ((u32)k[11]<<24));
+		__jhash_mix(a, b, c);
+		length -= 12;
 		k += 12;
-		len -= 12;
 	}
 
-	c += length;
-	switch (len) {
-	case 11: c += ((__u32)k[10]<<24);
-	case 10: c += ((__u32)k[9]<<16);
-	case 9 : c += ((__u32)k[8]<<8);
-	case 8 : b += ((__u32)k[7]<<24);
-	case 7 : b += ((__u32)k[6]<<16);
-	case 6 : b += ((__u32)k[5]<<8);
+	/* last block: affect all 32 bits of (c) */
+	/* all the case statements fall through */
+	switch (length) {
+	case 12: c += (u32)k[11]<<24;
+	case 11: c += (u32)k[10]<<16;
+	case 10: c += (u32)k[9]<<8;
+	case 9 : c += k[8];
+	case 8 : b += (u32)k[7]<<24;
+	case 7 : b += (u32)k[6]<<16;
+	case 6 : b += (u32)k[5]<<8;
 	case 5 : b += k[4];
-	case 4 : a += ((__u32)k[3]<<24);
-	case 3 : a += ((__u32)k[2]<<16);
-	case 2 : a += ((__u32)k[1]<<8);
+	case 4 : a += (u32)k[3]<<24;
+	case 3 : a += (u32)k[2]<<16;
+	case 2 : a += (u32)k[1]<<8;
 	case 1 : a += k[0];
-	};
-
-	__jhash_mix(a,b,c);
+		__jhash_final(a, b, c);
+	case 0 :
+		break;
+	}
 
 	return c;
 }
 
-/* A special optimized version that handles 1 or more of __u32s.
- * The length parameter here is the number of __u32s in the key.
+/* A special optimized version that handles 1 or more of u32s.
+ * The length parameter here is the number of u32s in the key.
  */
-static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval)
+static inline u32 jhash2(const u32 *k, u32 length, u32 initval)
 {
-	__u32 a, b, c, len;
+	u32 a, b, c;
 
-	a = b = JHASH_GOLDEN_RATIO;
-	c = initval;
-	len = length;
+	/* Set up the internal state */
+	a = b = c = JHASH_GOLDEN_RATIO + (length<<2) + initval;
 
-	while (len >= 3) {
+	/* handle most of the key */
+	while (length > 3) {
 		a += k[0];
 		b += k[1];
 		c += k[2];
 		__jhash_mix(a, b, c);
-		k += 3; len -= 3;
+		length -= 3;
+		k += 3;
 	}
 
-	c += length * 4;
-
-	switch (len) {
-	case 2 : b += k[1];
-	case 1 : a += k[0];
-	};
-
-	__jhash_mix(a,b,c);
+	/* handle the last 3 u32's */
+	/* all the case statements fall through */ 
+	switch (length) {
+	case 3: c += k[2];
+	case 2: b += k[1];
+	case 1: a += k[0];
+		__jhash_final(a, b, c);
+	case 0:     /* case 0: nothing left to add */
+		break;
+	}
 
 	return c;
 }
 
-
 /* A special ultra-optimized versions that knows they are hashing exactly
  * 3, 2 or 1 word(s).
- *
- * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally
- *       done at the end is not done here.
  */
-static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval)
+static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval)
 {
-	a += JHASH_GOLDEN_RATIO;
-	b += JHASH_GOLDEN_RATIO;
-	c += initval;
+	a += JHASH_GOLDEN_RATIO + initval;
+	b += JHASH_GOLDEN_RATIO + initval;
+	c += JHASH_GOLDEN_RATIO + initval;
 
-	__jhash_mix(a, b, c);
+	__jhash_final(a, b, c);
 
 	return c;
 }
 
-static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval)
+static inline u32 jhash_2words(u32 a, u32 b, u32 initval)
 {
-	return jhash_3words(a, b, 0, initval);
+	return jhash_3words(0, a, b, initval);
 }
 
-static inline __u32 jhash_1word(__u32 a, __u32 initval)
+static inline u32 jhash_1word(u32 a, u32 initval)
 {
-	return jhash_3words(a, 0, 0, initval);
+	return jhash_3words(0, 0, a, initval);
 }
 
-#endif /* _LINUX_IPSET_JHASH_H */
+#endif /* _LINUX_JHASH_H */

extensions/ipset/ip_set_nethash.c

@@ -11,7 +11,7 @@
 #include <linux/moduleparam.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#include <linux/jhash.h>
+#include "ip_set_jhash.h"
 #include <linux/errno.h>
 #include <asm/uaccess.h>
 #include <asm/bitops.h>
@@ -44,6 +44,7 @@ nethash_id_cidr(const struct ip_set_nethash *map,
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
 	   	if (*elem == *hash_ip)
 			return id;
+		/* No shortcut - there can be deleted entries. */
 	}
 	return UINT_MAX;
 }
@@ -99,17 +100,21 @@ __nethash_add(struct ip_set_nethash *map, ip_set_ip_t *ip)
 {
 	__u32 probe;
 	u_int16_t i;
-	ip_set_ip_t *elem;
+	ip_set_ip_t *elem, *slot = NULL;
 	
 	for (i = 0; i < map->probes; i++) {
 		probe = jhash_ip(map, i, *ip) % map->hashsize;
 		elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe);
 		if (*elem == *ip)
 			return -EEXIST;
-		if (!*elem) {
-			*elem = *ip;
-			return 0;
-		}
+		if (!(slot || *elem))
+			slot = elem;
+		/* There can be deleted entries, must check all slots */
+	}
+	if (slot) {
+		*slot = *ip;
+		map->elements++;
+		return 0;
 	}
 	/* Trigger rehashing */
 	return -EAGAIN;

extensions/ipset/ipset.8

@@ -602,8 +602,4 @@ Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
 .P
 Sven Wegener wrote the iptreemap type.
 .SH LAST REMARK
-.BR "I stand on the shoulder of giants."
-.\" .. and did I mention that we are incredibly cool people?
-.\" .. sexy, too ..
-.\" .. witty, charming, powerful ..
-.\" .. and most of all, modest ..
+.BR "I stand on the shoulders of giants."

extensions/ipset/ipset.c

@@ -30,7 +30,7 @@
 #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
 #endif
 
-#define IPSET_VERSION "2.4.7"
+#define IPSET_VERSION "2.5.0"
 
 char program_name[] = "ipset";
 char program_version[] = IPSET_VERSION;
@@ -629,7 +629,8 @@ void parse_ip(const char *str, ip_set_ip_t * ip)
 				   "host/network `%s' resolves to serveral ip-addresses. "
 				   "Please specify one.", str);
 
-		*ip = ntohl(((struct in_addr *) host->h_addr_list[0])->s_addr);
+		memcpy(&addr, host->h_addr_list[0], sizeof(struct in_addr));
+		*ip = ntohl(addr.s_addr);
 		return;
 	}
 

extensions/libxt_CHAOS.man

@@ -18,4 +18,4 @@ The randomness factor of not replying vs. replying can be set during load-time
 of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
 See http://jengelh.medozas.de/projects/chaostables/ for more information
-about CHAOS, DELUDE and portscan.
+about CHAOS, DELUDE and lscan.

extensions/libxt_lscan.c

@@ -1,6 +1,6 @@
 /*
- *	"portscan" match extension for iptables
- *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *	LSCAN match extension for iptables
+ *	Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License; either
@@ -16,9 +16,9 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 
-static const struct option portscan_mt_opts[] = {
+static const struct option lscan_mt_opts[] = {
 	{.name = "stealth", .has_arg = false, .val = 'x'},
 	{.name = "synscan", .has_arg = false, .val = 's'},
 	{.name = "cnscan",  .has_arg = false, .val = 'c'},
@@ -26,10 +26,10 @@ static const struct option portscan_mt_opts[] = {
 	{NULL},
 };
 
-static void portscan_mt_help(void)
+static void lscan_mt_help(void)
 {
 	printf(
-		"portscan match options:\n"
+		"lscan match options:\n"
 		"(Combining them will make them match by OR-logic)\n"
 		"  --stealth    Match TCP Stealth packets\n"
 		"  --synscan    Match TCP SYN scans\n"
@@ -37,10 +37,10 @@ static void portscan_mt_help(void)
 		"  --grscan     Match Banner Grabbing scans\n");
 }
 
-static int portscan_mt_parse(int c, char **argv, int invert,
+static int lscan_mt_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_match **match)
 {
-	struct xt_portscan_mtinfo *info = (void *)((*match)->data);
+	struct xt_lscan_mtinfo *info = (void *)((*match)->data);
 
 	switch (c) {
 	case 'c':
@@ -59,17 +59,17 @@ static int portscan_mt_parse(int c, char **argv, int invert,
 	return false;
 }
 
-static void portscan_mt_check(unsigned int flags)
+static void lscan_mt_check(unsigned int flags)
 {
 }
 
-static void portscan_mt_print(const void *ip,
+static void lscan_mt_print(const void *ip,
     const struct xt_entry_match *match, int numeric)
 {
-	const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 	const char *s = "";
 
-	printf("portscan ");
+	printf("lscan ");
 	if (info->match_stealth) {
 		printf("STEALTH");
 		s = ",";
@@ -87,9 +87,9 @@ static void portscan_mt_print(const void *ip,
 	printf(" ");
 }
 
-static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
+static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
-	const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 
 	if (info->match_stealth)
 		printf("--stealth ");
@@ -101,22 +101,22 @@ static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
 		printf("--grscan ");
 }
 
-static struct xtables_match portscan_mt_reg = {
+static struct xtables_match lscan_mt_reg = {
 	.version       = XTABLES_VERSION,
-	.name          = "portscan",
+	.name          = "lscan",
 	.revision      = 0,
 	.family        = AF_INET,
-	.size          = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-	.help          = portscan_mt_help,
-	.parse         = portscan_mt_parse,
-	.final_check   = portscan_mt_check,
-	.print         = portscan_mt_print,
-	.save          = portscan_mt_save,
-	.extra_opts    = portscan_mt_opts,
+	.size          = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+	.help          = lscan_mt_help,
+	.parse         = lscan_mt_parse,
+	.final_check   = lscan_mt_check,
+	.print         = lscan_mt_print,
+	.save          = lscan_mt_save,
+	.extra_opts    = lscan_mt_opts,
 };
 
-static __attribute__((constructor)) void portscan_mt_ldr(void)
+static __attribute__((constructor)) void lscan_mt_ldr(void)
 {
-	xtables_register_match(&portscan_mt_reg);
+	xtables_register_match(&lscan_mt_reg);
 }

extensions/libxt_lscan.man

@@ -1,4 +1,5 @@
-Detects simple port scan attemps based upon the packet's contents. (This is
+Detects simple low-level scan attemps based upon the packet's contents.
+(This is
 different from other implementations, which also try to match the rate of new
 connections.) Note that an attempt is only discovered after it has been carried
 out, but this information can be used in conjunction with other rules to block
@@ -27,5 +28,5 @@ ports where a protocol runs that is guaranteed to do a bidirectional exchange
 of bytes.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
-so be advised to carefully use xt_portscan in conjunction with blocking rules,
+so be advised to carefully use xt_lscan in conjunction with blocking rules,
 as it may lock out your very own internal network.

extensions/xt_LOGMARK.c

@@ -38,9 +38,10 @@ logmark_tg(struct sk_buff **pskb, const struct xt_target_param *par)
 	enum ip_conntrack_info ctinfo;
 	bool prev = false;
 
-	printk("<%u>%.*s""hook=%s nfmark=0x%x secmark=0x%x classify=0x%x",
+	printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
+	       "secmark=0x%x classify=0x%x",
 	       info->level, (unsigned int)sizeof(info->prefix), info->prefix,
-	       hook_names[par->hooknum],
+	       skb_ifindex(skb), hook_names[par->hooknum],
 	       skb_nfmark(skb), skb_secmark(skb), skb->priority);
 
 	ct = nf_ct_get(skb, &ctinfo);

extensions/xt_TEE.c

@@ -26,6 +26,9 @@
 #	include <net/netfilter/nf_conntrack.h>
 static struct nf_conn tee_track;
 #endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#	define WITH_IPV6 1
+#endif
 
 #include "compat_xtables.h"
 #include "xt_TEE.h"
@@ -51,12 +54,20 @@ static const union nf_inet_addr tee_zero_address;
 static bool
 tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
+	const struct iphdr *iph = ip_hdr(skb);
 	int err;
 	struct rtable *rt;
 	struct flowi fl;
 
 	memset(&fl, 0, sizeof(fl));
+	fl.iif = skb_ifindex(skb);
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
+	fl.nl_u.ip4_u.fwmark = skb_nfmark(skb);
+#else
+	fl.mark = skb_nfmark(skb);
+#endif
 	fl.nl_u.ip4_u.daddr = info->gw.ip;
+	fl.nl_u.ip4_u.tos   = RT_TOS(iph->tos);
 	fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
 
 	/* Trying to route the packet using the standard routing table. */
@@ -210,14 +221,24 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 	return XT_CONTINUE;
 }
 
+#ifdef WITH_IPV6
 static bool
 tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
 {
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
 	struct dst_entry *dst;
 	struct flowi fl;
 
 	memset(&fl, 0, sizeof(fl));
+	fl.iif = skb_ifindex(skb);
+#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 19)
+	fl.nl_u.ip6_u.fwmark = skb_nfmark(skb);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
+	fl.mark = skb_nfmark(skb);
+#endif
 	fl.nl_u.ip6_u.daddr = info->gw.in6;
+	fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
+		(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
 	dst = ip6_route_output(NULL, &fl);
@@ -263,6 +284,7 @@ tee_tg6(struct sk_buff **pskb, const struct xt_target_param *par)
 
 	return XT_CONTINUE;
 }
+#endif /* WITH_IPV6 */
 
 static bool tee_tg_check(const struct xt_tgchk_param *par)
 {
@@ -284,6 +306,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 		.checkentry = tee_tg_check,
 		.me         = THIS_MODULE,
 	},
+#ifdef WITH_IPV6
 	{
 		.name       = "TEE",
 		.revision   = 0,
@@ -294,6 +317,7 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 		.checkentry = tee_tg_check,
 		.me         = THIS_MODULE,
 	},
+#endif
 };
 
 static int __init tee_tg_init(void)

extensions/xt_lscan.Kconfig

@@ -1,8 +1,8 @@
-config NETFILTER_XT_MATCH_PORTSCAN
-	tristate '"portscan" target support'
+config NETFILTER_XT_MATCH_LSCAN
+	tristate '"lscan" match support'
 	depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
 	---help---
-	The portscan match allows to match on the basic types of nmap
+	The LSCAN match allows to match on the basic types of nmap
 	scans: Stealth Scan, SYN scan and connect scan. It can also match
 	"grab-only" connections, i.e. where data flows in only one
 	direction.

extensions/xt_lscan.c

@@ -1,6 +1,6 @@
 /*
- *	portscan match for netfilter
- *	Copyright © CC Computer Consultants GmbH, 2006 - 2008
+ *	LSCAN match for netfilter
+ *	Copyright © Jan Engelhardt, 2006 - 2009
  *
  *	This program is free software; you can redistribute it and/or modify
  *	it under the terms of the GNU General Public License; either version
@@ -17,8 +17,7 @@
 #include <linux/version.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_tcpudp.h>
-//#include <net/netfilter/nf_conntrack.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
 
@@ -103,8 +102,8 @@ static inline bool tflg_synack(const struct tcphdr *th)
 	       (TCP_FLAG_SYN | TCP_FLAG_ACK);
 }
 
-/* portscan functions */
-static inline bool portscan_mt_stealth(const struct tcphdr *th)
+/* lscan functions */
+static inline bool lscan_mt_stealth(const struct tcphdr *th)
 {
 	/*
 	 * "Connection refused" replies to our own probes must not be matched.
@@ -126,7 +125,7 @@ static inline bool portscan_mt_stealth(const struct tcphdr *th)
 	return !tflg_syn(th);
 }
 
-static inline unsigned int portscan_mt_full(int mark,
+static inline unsigned int lscan_mt_full(int mark,
     enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
     unsigned int payload_len)
 {
@@ -172,9 +171,9 @@ static inline unsigned int portscan_mt_full(int mark,
 }
 
 static bool
-portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-	const struct xt_portscan_mtinfo *info = par->matchinfo;
+	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
 	const struct tcphdr *tcph;
 	struct nf_conn *ctdata;
@@ -187,7 +186,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	/* Check for invalid packets: -m conntrack --ctstate INVALID */
 	if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
 		if (info->match_stealth)
-			return portscan_mt_stealth(tcph);
+			return lscan_mt_stealth(tcph);
 		/*
 		 * If @ctdata is NULL, we cannot match the other scan
 		 * types, return.
@@ -196,7 +195,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	}
 
 	/*
-	 * If -m portscan was previously applied to this packet, the rules we
+	 * If -m lscan was previously applied to this packet, the rules we
 	 * simulate must not be run through again. And for speedup, do not call
 	 * it either when the connection is already VALID.
 	 */
@@ -204,7 +203,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	     (skb_nfmark(skb) & packet_mask) != mark_seen) {
 		unsigned int n;
 
-		n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
+		n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
 		    par->in == init_net__loopback_dev, tcph,
 		    skb->len - par->thoff - 4 * tcph->doff);
 
@@ -217,9 +216,9 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	       (info->match_gr && ctdata->mark == mark_grscan);
 }
 
-static bool portscan_mt_check(const struct xt_mtchk_param *par)
+static bool lscan_mt_check(const struct xt_mtchk_param *par)
 {
-	const struct xt_portscan_mtinfo *info = par->matchinfo;
+	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
 	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
 	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
@@ -229,44 +228,44 @@ static bool portscan_mt_check(const struct xt_mtchk_param *par)
 	return true;
 }
 
-static struct xt_match portscan_mt_reg[] __read_mostly = {
+static struct xt_match lscan_mt_reg[] __read_mostly = {
 	{
-		.name       = "portscan",
+		.name       = "lscan",
 		.revision   = 0,
 		.family     = NFPROTO_IPV4,
-		.match      = portscan_mt,
-		.checkentry = portscan_mt_check,
-		.matchsize  = sizeof(struct xt_portscan_mtinfo),
+		.match      = lscan_mt,
+		.checkentry = lscan_mt_check,
+		.matchsize  = sizeof(struct xt_lscan_mtinfo),
 		.proto      = IPPROTO_TCP,
 		.me         = THIS_MODULE,
 	},
 	{
-		.name       = "portscan",
+		.name       = "lscan",
 		.revision   = 0,
 		.family     = NFPROTO_IPV6,
-		.match      = portscan_mt,
-		.checkentry = portscan_mt_check,
-		.matchsize  = sizeof(struct xt_portscan_mtinfo),
+		.match      = lscan_mt,
+		.checkentry = lscan_mt_check,
+		.matchsize  = sizeof(struct xt_lscan_mtinfo),
 		.proto      = IPPROTO_TCP,
 		.me         = THIS_MODULE,
 	},
 };
 
-static int __init portscan_mt_init(void)
+static int __init lscan_mt_init(void)
 {
-	return xt_register_matches(portscan_mt_reg,
-	       ARRAY_SIZE(portscan_mt_reg));
+	return xt_register_matches(lscan_mt_reg,
+	       ARRAY_SIZE(lscan_mt_reg));
 }
 
-static void __exit portscan_mt_exit(void)
+static void __exit lscan_mt_exit(void)
 {
-	xt_unregister_matches(portscan_mt_reg, ARRAY_SIZE(portscan_mt_reg));
+	xt_unregister_matches(lscan_mt_reg, ARRAY_SIZE(lscan_mt_reg));
 }
 
-module_init(portscan_mt_init);
-module_exit(portscan_mt_exit);
+module_init(lscan_mt_init);
+module_exit(lscan_mt_exit);
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: \"portscan\" match");
+MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_portscan");
-MODULE_ALIAS("ip6t_portscan");
+MODULE_ALIAS("ipt_lscan");
+MODULE_ALIAS("ip6t_lscan");

extensions/xt_lscan.h

@@ -0,0 +1,8 @@
+#ifndef _LINUX_NETFILTER_XT_LSCAN_H
+#define _LINUX_NETFILTER_XT_LSCAN_H 1
+
+struct xt_lscan_mtinfo {
+	uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
+#endif /* _LINUX_NETFILTER_XT_LSCAN_H */

extensions/xt_portscan.h

@@ -1,8 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
-#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
-
-struct xt_portscan_mtinfo {
-	uint8_t match_stealth, match_syn, match_cn, match_gr;
-};
-
-#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */

mconfig

@@ -15,5 +15,5 @@ build_geoip=m
 build_ipp2p=m
 build_ipset=m
 build_length2=m
-build_portscan=m
+build_lscan=m
 build_quota2=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables\-addons 8 "v1.9 (2009\-01\-30)" "" "v1.9 (2009\-01\-30)"
+.TH xtables\-addons 8 "v1.12 (2009\-03\-07)" "" "v1.12 (2009\-03\-07)"
 .SH Name
 Xtables\-addons - additional extensions for iptables, ip6tables, etc.
 .SH Targets