Xtables-addons 2.14

The hooks are already checked by the xtables core (due to struct
xt_target::hooks).

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [2.10])
+AC_INIT([xtables-addons], [2.14])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -44,28 +44,22 @@ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
 
 if test -n "$kbuilddir"; then
 	AC_MSG_CHECKING([kernel version that we will build against])
-	krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease)";
+	krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease | $AWK -v 'FS=[[^0-9.]]' '{print $1; exit}')"
-	kmajor="${krel%%[[^0-9]]*}";
+	save_IFS="$IFS"
-	kmajor="$(($kmajor+0))";
+	IFS='.'
-	krel="${krel:${#kmajor}}";
+	set x $krel
-	krel="${krel#.}";
+	IFS="$save_IFS"
-	kminor="${krel%%[[^0-9]]*}";
+	kmajor="$(($2+0))"
-	kminor="$(($kminor+0))";
+	kminor="$(($3+0))"
-	krel="${krel:${#kminor}}";
+	kmicro="$(($4+0))"
-	krel="${krel#.}";
+	kstable="$(($5+0))"
-	kmicro="${krel%%[[^0-9]]*}";
-	kmicro="$(($kmicro+0))";
-	krel="${krel:${#kmicro}}";
-	krel="${krel#.}";
-	kstable="${krel%%[[^0-9]]*}";
-	kstable="$(($kstable+0))";
 	if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 3; then
+		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 12; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
-		elif test "$kmajor" -eq 4 -a "$kminor" -le 3; then
+		elif test "$kmajor" -eq 4 -a "$kminor" -le 10; then
 			:;
 		elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
 			:;

doc/changelog.txt

@@ -3,6 +3,37 @@ HEAD
 ====
 
 
+v2.14 (2017-11-22)
+==================
+Enhancements:
+- support for Linux up to 4.14
+Fixes:
+- xt_DNETMAP: fix some reports from PVSStudio (a static checker)
+
+
+v2.13 (2017-06-29)
+==================
+Enhancements:
+- support for Linux up to 4.12
+- xt_condition: namespace support
+Fixes:
+- xt_geoip: check for allocation overflow
+- xt_DNETMAP: fix a buffer overflow
+
+
+v2.12 (2017-01-11)
+==================
+Enhancements:
+- support for Linux up to 4.10
+
+
+v2.11 (2016-05-20)
+==================
+Enhancements:
+- support for Linux 4.5, 4.6
+- xt_ECHO: tentatively support responding to fragments
+
+
 v2.10 (2015-11-20)
 ==================
 Enhancements:

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -15,6 +15,7 @@
 //#define DEBUG 1
 #include <linux/module.h>
 #include <linux/version.h>
+#include <net/net_namespace.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <net/icmp.h>
@@ -29,6 +30,7 @@
 #include <linux/string.h>
 #include <linux/spinlock.h>
 #include <asm/uaccess.h>
+#include <net/netns/generic.h>
 
 #include <net/route.h>
 #include "xt_ACCOUNT.h"
@@ -100,14 +102,19 @@ struct ipt_acc_mask_8 {
 	struct ipt_acc_mask_16 *mask_16[256];
 };
 
-static struct ipt_acc_table *ipt_acc_tables;
+static int ipt_acc_net_id __read_mostly;
-static struct ipt_acc_handle *ipt_acc_handles;
-static void *ipt_acc_tmpbuf;
 
-/* Spinlock used for manipulating the current accounting tables/data */
+struct ipt_acc_net {
-static DEFINE_SPINLOCK(ipt_acc_lock);
+	/* Spinlock used for manipulating the current accounting tables/data */
-/* Mutex (semaphore) used for manipulating userspace handles/snapshot data */
+	spinlock_t ipt_acc_lock;
-static struct semaphore ipt_acc_userspace_mutex;
+
+	/* Mutex (semaphore) used for manipulating userspace handles/snapshot data */
+	struct semaphore ipt_acc_userspace_mutex;
+
+	struct ipt_acc_table *ipt_acc_tables;
+	struct ipt_acc_handle *ipt_acc_handles;
+	void *ipt_acc_tmpbuf;
+};
 
 /* Allocates a page pair and clears it */
 static void *ipt_acc_zalloc_page(void)
@@ -169,7 +176,8 @@ static void ipt_acc_data_free(void *data, uint8_t depth)
 
 /* Look for existing table / insert new one.
    Return internal ID or -1 on error */
-static int ipt_acc_table_insert(const char *name, __be32 ip, __be32 netmask)
+static int ipt_acc_table_insert(struct ipt_acc_table *ipt_acc_tables,
+				const char *name, __be32 ip, __be32 netmask)
 {
 	unsigned int i;
 
@@ -256,13 +264,15 @@ static int ipt_acc_table_insert(const char *name, __be32 ip, __be32 netmask)
 
 static int ipt_acc_checkentry(const struct xt_tgchk_param *par)
 {
+	struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
 	struct ipt_acc_info *info = par->targinfo;
 	int table_nr;
 
-	spin_lock_bh(&ipt_acc_lock);
+	spin_lock_bh(&ian->ipt_acc_lock);
-	table_nr = ipt_acc_table_insert(info->table_name, info->net_ip,
+	table_nr = ipt_acc_table_insert(ian->ipt_acc_tables,
+					info->table_name, info->net_ip,
 		info->net_mask);
-	spin_unlock_bh(&ipt_acc_lock);
+	spin_unlock_bh(&ian->ipt_acc_lock);
 
 	if (table_nr == -1) {
 		printk("ACCOUNT: Table insert problem. Aborting\n");
@@ -277,10 +287,11 @@ static int ipt_acc_checkentry(const struct xt_tgchk_param *par)
 
 static void ipt_acc_destroy(const struct xt_tgdtor_param *par)
 {
+	struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
 	unsigned int i;
 	struct ipt_acc_info *info = par->targinfo;
 
-	spin_lock_bh(&ipt_acc_lock);
+	spin_lock_bh(&ian->ipt_acc_lock);
 
 	pr_debug("ACCOUNT: ipt_acc_deleteentry called for table: %s (#%d)\n",
 		info->table_name, info->table_nr);
@@ -289,31 +300,31 @@ static void ipt_acc_destroy(const struct xt_tgdtor_param *par)
 
 	/* Look for table */
 	for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
-		if (strncmp(ipt_acc_tables[i].name, info->table_name,
+		if (strncmp(ian->ipt_acc_tables[i].name, info->table_name,
 		    ACCOUNT_TABLE_NAME_LEN) == 0) {
 			pr_debug("ACCOUNT: Found table at slot: %d\n", i);
 
-			ipt_acc_tables[i].refcount--;
+			ian->ipt_acc_tables[i].refcount--;
 			pr_debug("ACCOUNT: Refcount left: %d\n",
-				ipt_acc_tables[i].refcount);
+				ian->ipt_acc_tables[i].refcount);
 
 			/* Table not needed anymore? */
-			if (ipt_acc_tables[i].refcount == 0) {
+			if (ian->ipt_acc_tables[i].refcount == 0) {
 				pr_debug("ACCOUNT: Destroying table at slot: %d\n", i);
-				ipt_acc_data_free(ipt_acc_tables[i].data,
+				ipt_acc_data_free(ian->ipt_acc_tables[i].data,
-					ipt_acc_tables[i].depth);
+					ian->ipt_acc_tables[i].depth);
-				memset(&ipt_acc_tables[i], 0,
+				memset(&ian->ipt_acc_tables[i], 0,
 					sizeof(struct ipt_acc_table));
 			}
 
-			spin_unlock_bh(&ipt_acc_lock);
+			spin_unlock_bh(&ian->ipt_acc_lock);
 			return;
 		}
 	}
 
 	/* Table not found */
 	printk("ACCOUNT: Table %s not found for destroy\n", info->table_name);
-	spin_unlock_bh(&ipt_acc_lock);
+	spin_unlock_bh(&ian->ipt_acc_lock);
 }
 
 static void ipt_acc_depth0_insert(struct ipt_acc_mask_24 *mask_24,
@@ -471,6 +482,17 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
 static unsigned int
 ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+	struct ipt_acc_net *ian = net_generic(par->state->net, ipt_acc_net_id);
+#else
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
+	struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
+#else
+	struct net *net = dev_net(par->in ? par->in : par->out);
+	struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
+#endif
+#endif
+	struct ipt_acc_table *ipt_acc_tables = ian->ipt_acc_tables;
 	const struct ipt_acc_info *info =
 		par->targinfo;
 
@@ -478,13 +500,13 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 	__be32 dst_ip = ip_hdr(skb)->daddr;
 	uint32_t size = ntohs(ip_hdr(skb)->tot_len);
 
-	spin_lock_bh(&ipt_acc_lock);
+	spin_lock_bh(&ian->ipt_acc_lock);
 
 	if (ipt_acc_tables[info->table_nr].name[0] == 0) {
 		printk("ACCOUNT: ipt_acc_target: Invalid table id %u. "
 			"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
 			NIPQUAD(src_ip), NIPQUAD(dst_ip));
-		spin_unlock_bh(&ipt_acc_lock);
+		spin_unlock_bh(&ian->ipt_acc_lock);
 		return XT_CONTINUE;
 	}
 
@@ -496,7 +518,7 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 			ipt_acc_tables[info->table_nr].ip,
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
-		spin_unlock_bh(&ipt_acc_lock);
+		spin_unlock_bh(&ian->ipt_acc_lock);
 		return XT_CONTINUE;
 	}
 
@@ -507,7 +529,7 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 			ipt_acc_tables[info->table_nr].ip,
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
-		spin_unlock_bh(&ipt_acc_lock);
+		spin_unlock_bh(&ian->ipt_acc_lock);
 		return XT_CONTINUE;
 	}
 
@@ -518,7 +540,7 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 			ipt_acc_tables[info->table_nr].ip,
 			ipt_acc_tables[info->table_nr].netmask,
 			src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
-		spin_unlock_bh(&ipt_acc_lock);
+		spin_unlock_bh(&ian->ipt_acc_lock);
 		return XT_CONTINUE;
 	}
 
@@ -526,7 +548,7 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 		"Table id %u. IPs %u.%u.%u.%u/%u.%u.%u.%u\n",
 		info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
 
-	spin_unlock_bh(&ipt_acc_lock);
+	spin_unlock_bh(&ian->ipt_acc_lock);
 	return XT_CONTINUE;
 }
 
@@ -547,7 +569,7 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 	but there could be two or more applications accessing the data
 	at the same time.
 */
-static int ipt_acc_handle_find_slot(void)
+static int ipt_acc_handle_find_slot(struct ipt_acc_handle *ipt_acc_handles)
 {
 	unsigned int i;
 	/* Insert new table */
@@ -567,7 +589,8 @@ static int ipt_acc_handle_find_slot(void)
 	return -1;
 }
 
-static int ipt_acc_handle_free(unsigned int handle)
+static int ipt_acc_handle_free(struct ipt_acc_handle *ipt_acc_handles,
+			       unsigned int handle)
 {
 	if (handle >= ACCOUNT_MAX_HANDLES) {
 		printk("ACCOUNT: Invalid handle for ipt_acc_handle_free() specified:"
@@ -583,7 +606,8 @@ static int ipt_acc_handle_free(unsigned int handle)
 
 /* Prepare data for read without flush. Use only for debugging!
    Real applications should use read&flush as it's way more efficent */
-static int ipt_acc_handle_prepare_read(char *tablename,
+static int ipt_acc_handle_prepare_read(struct ipt_acc_table *ipt_acc_tables,
+				       char *tablename,
 		 struct ipt_acc_handle *dest, uint32_t *count)
 {
 	int table_nr = -1;
@@ -685,7 +709,8 @@ static int ipt_acc_handle_prepare_read(char *tablename,
 }
 
 /* Prepare data for read and flush it */
-static int ipt_acc_handle_prepare_read_flush(char *tablename,
+static int ipt_acc_handle_prepare_read_flush(struct ipt_acc_table *ipt_acc_tables,
+					     char *tablename,
 			   struct ipt_acc_handle *dest, uint32_t *count)
 {
 	int table_nr;
@@ -726,7 +751,8 @@ static int ipt_acc_handle_prepare_read_flush(char *tablename,
 /* Copy 8 bit network data into a prepared buffer.
    We only copy entries != 0 to increase performance.
 */
-static int ipt_acc_handle_copy_data(void *to_user, unsigned long *to_user_pos,
+static int ipt_acc_handle_copy_data(struct ipt_acc_net *ian,
+				    void *to_user, unsigned long *to_user_pos,
 				unsigned long *tmpbuf_pos,
 				struct ipt_acc_mask_24 *data,
 				uint32_t net_ip, uint32_t net_OR_mask)
@@ -748,13 +774,13 @@ static int ipt_acc_handle_copy_data(void *to_user, unsigned long *to_user_pos,
 
 		/* Temporary buffer full? Flush to userspace */
 		if (*tmpbuf_pos + handle_ip_size >= PAGE_SIZE) {
-			if (copy_to_user(to_user + *to_user_pos, ipt_acc_tmpbuf,
+			if (copy_to_user(to_user + *to_user_pos, ian->ipt_acc_tmpbuf,
 			    *tmpbuf_pos))
 				return -EFAULT;
 			*to_user_pos = *to_user_pos + *tmpbuf_pos;
 			*tmpbuf_pos = 0;
 		}
-		memcpy(ipt_acc_tmpbuf + *tmpbuf_pos, &handle_ip, handle_ip_size);
+		memcpy(ian->ipt_acc_tmpbuf + *tmpbuf_pos, &handle_ip, handle_ip_size);
 		*tmpbuf_pos += handle_ip_size;
 	}
 
@@ -765,7 +791,8 @@ static int ipt_acc_handle_copy_data(void *to_user, unsigned long *to_user_pos,
    We only copy entries != 0 to increase performance.
    Overwrites ipt_acc_tmpbuf.
 */
-static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
+static int ipt_acc_handle_get_data(struct ipt_acc_net *ian,
+				   uint32_t handle, void *to_user)
 {
 	unsigned long to_user_pos = 0, tmpbuf_pos = 0;
 	uint32_t net_ip;
@@ -777,25 +804,25 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
 		return -1;
 	}
 
-	if (ipt_acc_handles[handle].data == NULL) {
+	if (ian->ipt_acc_handles[handle].data == NULL) {
 		printk("ACCOUNT: handle %u is BROKEN: Contains no data\n", handle);
 		return -1;
 	}
 
-	net_ip = ntohl(ipt_acc_handles[handle].ip);
+	net_ip = ntohl(ian->ipt_acc_handles[handle].ip);
-	depth = ipt_acc_handles[handle].depth;
+	depth = ian->ipt_acc_handles[handle].depth;
 
 	/* 8 bit network */
 	if (depth == 0) {
 		struct ipt_acc_mask_24 *network =
-			ipt_acc_handles[handle].data;
+			ian->ipt_acc_handles[handle].data;
-		if (ipt_acc_handle_copy_data(to_user, &to_user_pos, &tmpbuf_pos,
+		if (ipt_acc_handle_copy_data(ian, to_user, &to_user_pos, &tmpbuf_pos,
 		    network, net_ip, 0))
 			return -1;
 
 		/* Flush remaining data to userspace */
 		if (tmpbuf_pos)
-			if (copy_to_user(to_user + to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
+			if (copy_to_user(to_user + to_user_pos, ian->ipt_acc_tmpbuf, tmpbuf_pos))
 				return -1;
 
 		return 0;
@@ -804,13 +831,13 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
 	/* 16 bit network */
 	if (depth == 1) {
 		struct ipt_acc_mask_16 *network_16 =
-			ipt_acc_handles[handle].data;
+			ian->ipt_acc_handles[handle].data;
 		unsigned int b;
 		for (b = 0; b <= 255; b++) {
 			if (network_16->mask_24[b]) {
 				struct ipt_acc_mask_24 *network =
 					network_16->mask_24[b];
-				if (ipt_acc_handle_copy_data(to_user, &to_user_pos,
+				if (ipt_acc_handle_copy_data(ian, to_user, &to_user_pos,
 				    &tmpbuf_pos, network, net_ip, (b << 8)))
 					return -1;
 			}
@@ -818,7 +845,7 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
 
 		/* Flush remaining data to userspace */
 		if (tmpbuf_pos)
-			if (copy_to_user(to_user + to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
+			if (copy_to_user(to_user + to_user_pos, ian->ipt_acc_tmpbuf, tmpbuf_pos))
 				return -1;
 
 		return 0;
@@ -827,7 +854,7 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
 	/* 24 bit network */
 	if (depth == 2) {
 		struct ipt_acc_mask_8 *network_8 =
-			ipt_acc_handles[handle].data;
+			ian->ipt_acc_handles[handle].data;
 		unsigned int a, b;
 		for (a = 0; a <= 255; a++) {
 			if (network_8->mask_16[a]) {
@@ -837,7 +864,7 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
 					if (network_16->mask_24[b]) {
 						struct ipt_acc_mask_24 *network =
 							network_16->mask_24[b];
-						if (ipt_acc_handle_copy_data(to_user,
+						if (ipt_acc_handle_copy_data(ian, to_user,
 						    &to_user_pos, &tmpbuf_pos,
 						    network, net_ip, (a << 16) | (b << 8)))
 							return -1;
@@ -848,7 +875,7 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
 
 		/* Flush remaining data to userspace */
 		if (tmpbuf_pos)
-			if (copy_to_user(to_user + to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
+			if (copy_to_user(to_user + to_user_pos, ian->ipt_acc_tmpbuf, tmpbuf_pos))
 				return -1;
 
 		return 0;
@@ -860,6 +887,8 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
 static int ipt_acc_set_ctl(struct sock *sk, int cmd,
 			void *user, unsigned int len)
 {
+	struct net *net = sock_net(sk);
+	struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
 	struct ipt_acc_handle_sockopt handle;
 	int ret = -EINVAL;
 
@@ -881,16 +910,16 @@ static int ipt_acc_set_ctl(struct sock *sk, int cmd,
 			break;
 		}
 
-		down(&ipt_acc_userspace_mutex);
+		down(&ian->ipt_acc_userspace_mutex);
-		ret = ipt_acc_handle_free(handle.handle_nr);
+		ret = ipt_acc_handle_free(ian->ipt_acc_handles, handle.handle_nr);
-		up(&ipt_acc_userspace_mutex);
+		up(&ian->ipt_acc_userspace_mutex);
 		break;
 	case IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL: {
 		unsigned int i;
-		down(&ipt_acc_userspace_mutex);
+		down(&ian->ipt_acc_userspace_mutex);
 		for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
-			ipt_acc_handle_free(i);
+			ipt_acc_handle_free(ian->ipt_acc_handles, i);
-		up(&ipt_acc_userspace_mutex);
+		up(&ian->ipt_acc_userspace_mutex);
 		ret = 0;
 		break;
 	}
@@ -903,6 +932,8 @@ static int ipt_acc_set_ctl(struct sock *sk, int cmd,
 
 static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 {
+	struct net *net = sock_net(sk);
+	struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
 	struct ipt_acc_handle_sockopt handle;
 	int ret = -EINVAL;
 
@@ -927,28 +958,28 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 			break;
 		}
 
-		spin_lock_bh(&ipt_acc_lock);
+		spin_lock_bh(&ian->ipt_acc_lock);
 		if (cmd == IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH)
 			ret = ipt_acc_handle_prepare_read_flush(
-				handle.name, &dest, &handle.itemcount);
+				ian->ipt_acc_tables, handle.name, &dest, &handle.itemcount);
 		else
 			ret = ipt_acc_handle_prepare_read(
-				handle.name, &dest, &handle.itemcount);
+				ian->ipt_acc_tables, handle.name, &dest, &handle.itemcount);
-		spin_unlock_bh(&ipt_acc_lock);
+		spin_unlock_bh(&ian->ipt_acc_lock);
 		// Error occured during prepare_read?
 		if (ret == -1)
 			return -EINVAL;
 
 		/* Allocate a userspace handle */
-		down(&ipt_acc_userspace_mutex);
+		down(&ian->ipt_acc_userspace_mutex);
-		if ((handle.handle_nr = ipt_acc_handle_find_slot()) == -1) {
+		if ((handle.handle_nr = ipt_acc_handle_find_slot(ian->ipt_acc_handles)) == -1) {
 			ipt_acc_data_free(dest.data, dest.depth);
-			up(&ipt_acc_userspace_mutex);
+			up(&ian->ipt_acc_userspace_mutex);
 			return -EINVAL;
 		}
-		memcpy(&ipt_acc_handles[handle.handle_nr], &dest,
+		memcpy(&ian->ipt_acc_handles[handle.handle_nr], &dest,
 			sizeof(struct ipt_acc_handle));
-		up(&ipt_acc_userspace_mutex);
+		up(&ian->ipt_acc_userspace_mutex);
 
 		if (copy_to_user(user, &handle,
 		    sizeof(struct ipt_acc_handle_sockopt))) {
@@ -977,19 +1008,19 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 			break;
 		}
 
-		if (*len < ipt_acc_handles[handle.handle_nr].itemcount
+		if (*len < ian->ipt_acc_handles[handle.handle_nr].itemcount
 		    * sizeof(struct ipt_acc_handle_ip)) {
 			printk("ACCOUNT: ipt_acc_get_ctl: not enough space (%u < %zu)"
 				" to store data from IPT_SO_GET_ACCOUNT_GET_DATA\n",
-				*len, ipt_acc_handles[handle.handle_nr].itemcount
+				*len, ian->ipt_acc_handles[handle.handle_nr].itemcount
 				* sizeof(struct ipt_acc_handle_ip));
 			ret = -ENOMEM;
 			break;
 		}
 
-		down(&ipt_acc_userspace_mutex);
+		down(&ian->ipt_acc_userspace_mutex);
-		ret = ipt_acc_handle_get_data(handle.handle_nr, user);
+		ret = ipt_acc_handle_get_data(ian, handle.handle_nr, user);
-		up(&ipt_acc_userspace_mutex);
+		up(&ian->ipt_acc_userspace_mutex);
 		if (ret) {
 			printk("ACCOUNT: ipt_acc_get_ctl: ipt_acc_handle_get_data"
 				" failed for handle %u\n", handle.handle_nr);
@@ -1009,11 +1040,11 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 
 		/* Find out how many handles are in use */
 		handle.itemcount = 0;
-		down(&ipt_acc_userspace_mutex);
+		down(&ian->ipt_acc_userspace_mutex);
 		for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
-			if (ipt_acc_handles[i].data)
+			if (ian->ipt_acc_handles[i].data)
 				handle.itemcount++;
-		up(&ipt_acc_userspace_mutex);
+		up(&ian->ipt_acc_userspace_mutex);
 
 		if (copy_to_user(user, &handle,
 		    sizeof(struct ipt_acc_handle_sockopt))) {
@@ -1027,38 +1058,38 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 		uint32_t size = 0, i, name_len;
 		char *tnames;
 
-		spin_lock_bh(&ipt_acc_lock);
+		spin_lock_bh(&ian->ipt_acc_lock);
 
 		/* Determine size of table names */
 		for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
-			if (ipt_acc_tables[i].name[0] != 0)
+			if (ian->ipt_acc_tables[i].name[0] != 0)
-				size += strlen(ipt_acc_tables[i].name) + 1;
+				size += strlen(ian->ipt_acc_tables[i].name) + 1;
 		}
 		size += 1;	/* Terminating NULL character */
 
 		if (*len < size || size > PAGE_SIZE) {
-			spin_unlock_bh(&ipt_acc_lock);
+			spin_unlock_bh(&ian->ipt_acc_lock);
 			printk("ACCOUNT: ipt_acc_get_ctl: not enough space (%u < %u < %lu)"
 				" to store table names\n", *len, size, PAGE_SIZE);
 			ret = -ENOMEM;
 			break;
 		}
 		/* Copy table names to userspace */
-		tnames = ipt_acc_tmpbuf;
+		tnames = ian->ipt_acc_tmpbuf;
 		for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
-			if (ipt_acc_tables[i].name[0] != 0) {
+			if (ian->ipt_acc_tables[i].name[0] != 0) {
-				name_len = strlen(ipt_acc_tables[i].name) + 1;
+				name_len = strlen(ian->ipt_acc_tables[i].name) + 1;
-				memcpy(tnames, ipt_acc_tables[i].name, name_len);
+				memcpy(tnames, ian->ipt_acc_tables[i].name, name_len);
 				tnames += name_len;
 			}
 		}
-		spin_unlock_bh(&ipt_acc_lock);
+		spin_unlock_bh(&ian->ipt_acc_lock);
 
 		/* Terminating NULL character */
 		*tnames = 0;
 
 		/* Transfer to userspace */
-		if (copy_to_user(user, ipt_acc_tmpbuf, size))
+		if (copy_to_user(user, ian->ipt_acc_tmpbuf, size))
 			return -EFAULT;
 
 		ret = 0;
@@ -1071,6 +1102,59 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 	return ret;
 }
 
+static int __net_init ipt_acc_net_init(struct net *net)
+{
+	struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
+
+	memset(ian, 0, sizeof(*ian));
+	sema_init(&ian->ipt_acc_userspace_mutex, 1);
+
+	ian->ipt_acc_tables = kcalloc(ACCOUNT_MAX_TABLES,
+		sizeof(struct ipt_acc_table), GFP_KERNEL);
+	if (ian->ipt_acc_tables == NULL) {
+		printk("ACCOUNT: Out of memory allocating account_tables structure");
+		goto error_cleanup;
+	}
+	ian->ipt_acc_handles = kcalloc(ACCOUNT_MAX_HANDLES,
+		sizeof(struct ipt_acc_handle), GFP_KERNEL);
+	if (ian->ipt_acc_handles == NULL) {
+		printk("ACCOUNT: Out of memory allocating account_handles structure");
+		goto error_cleanup;
+	}
+
+	/* Allocate one page as temporary storage */
+	ian->ipt_acc_tmpbuf = (void *)__get_free_pages(GFP_KERNEL, 2);
+	if (ian->ipt_acc_tmpbuf == NULL) {
+		printk("ACCOUNT: Out of memory for temporary buffer page\n");
+		goto error_cleanup;
+	}
+
+	return 0;
+
+ error_cleanup:
+	kfree(ian->ipt_acc_tables);
+	kfree(ian->ipt_acc_handles);
+	free_pages((unsigned long)ian->ipt_acc_tmpbuf, 2);
+
+	return -ENOMEM;
+}
+
+static void __net_exit ipt_acc_net_exit(struct net *net)
+{
+	struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
+
+	kfree(ian->ipt_acc_tables);
+	kfree(ian->ipt_acc_handles);
+	free_pages((unsigned long)ian->ipt_acc_tmpbuf, 2);
+}
+
+static struct pernet_operations ipt_acc_net_ops = {
+	.init = ipt_acc_net_init,
+	.exit = ipt_acc_net_exit,
+	.id   = &ipt_acc_net_id,
+	.size = sizeof(struct ipt_acc_net),
+};
+
 static struct xt_target xt_acc_reg __read_mostly = {
 	.name = "ACCOUNT",
 	.revision = 1,
@@ -1094,63 +1178,41 @@ static struct nf_sockopt_ops ipt_acc_sockopts = {
 
 static int __init account_tg_init(void)
 {
-	sema_init(&ipt_acc_userspace_mutex, 1);
+	int ret;
 
-	if ((ipt_acc_tables =
+	ret = register_pernet_subsys(&ipt_acc_net_ops);
-	    kmalloc(ACCOUNT_MAX_TABLES *
+	if (ret < 0) {
-	    sizeof(struct ipt_acc_table), GFP_KERNEL)) == NULL) {
+		pr_err("ACCOUNT: cannot register per net operations.\n");
-		printk("ACCOUNT: Out of memory allocating account_tables structure");
+		goto error_out;
-		goto error_cleanup;
-	}
-	memset(ipt_acc_tables, 0,
-		ACCOUNT_MAX_TABLES * sizeof(struct ipt_acc_table));
-
-	if ((ipt_acc_handles =
-	    kmalloc(ACCOUNT_MAX_HANDLES *
-	    sizeof(struct ipt_acc_handle), GFP_KERNEL)) == NULL) {
-		printk("ACCOUNT: Out of memory allocating account_handles structure");
-		goto error_cleanup;
-	}
-	memset(ipt_acc_handles, 0,
-		ACCOUNT_MAX_HANDLES * sizeof(struct ipt_acc_handle));
-
-	/* Allocate one page as temporary storage */
-	if ((ipt_acc_tmpbuf = (void *)__get_free_pages(GFP_KERNEL, 2)) == NULL) {
-		printk("ACCOUNT: Out of memory for temporary buffer page\n");
-		goto error_cleanup;
 	}
 
 	/* Register setsockopt */
-	if (nf_register_sockopt(&ipt_acc_sockopts) < 0) {
+	ret = nf_register_sockopt(&ipt_acc_sockopts);
-		printk("ACCOUNT: Can't register sockopts. Aborting\n");
+	if (ret < 0) {
-		goto error_cleanup;
+		pr_err("ACCOUNT: cannot register sockopts.\n");
+		goto unreg_pernet;
 	}
 
-	if (xt_register_target(&xt_acc_reg))
+	ret = xt_register_target(&xt_acc_reg);
-		goto error_cleanup;
+	if (ret < 0) {
-
+		pr_err("ACCOUNT: cannot register sockopts.\n");
+		goto unreg_sockopt;
+	}
 	return 0;
 
-error_cleanup:
+ unreg_sockopt:
-	if (ipt_acc_tables)
+	nf_unregister_sockopt(&ipt_acc_sockopts);
-		kfree(ipt_acc_tables);
+ unreg_pernet:
-	if (ipt_acc_handles)
+	unregister_pernet_subsys(&ipt_acc_net_ops);
-		kfree(ipt_acc_handles);
+ error_out:
-	if (ipt_acc_tmpbuf)
+        return ret;
-		free_pages((unsigned long)ipt_acc_tmpbuf, 2);
-
-	return -EINVAL;
 }
 
 static void __exit account_tg_exit(void)
 {
 	xt_unregister_target(&xt_acc_reg);
-
 	nf_unregister_sockopt(&ipt_acc_sockopts);
-
+	unregister_pernet_subsys(&ipt_acc_net_ops);
-	kfree(ipt_acc_tables);
-	kfree(ipt_acc_handles);
-	free_pages((unsigned long)ipt_acc_tmpbuf, 2);
 }
 
 module_init(account_tg_init);

extensions/compat_xtables.h

@@ -35,7 +35,7 @@
 		ntohs((addr).s6_addr16[5]), \
 		ntohs((addr).s6_addr16[6]), \
 		ntohs((addr).s6_addr16[7])
-#	define NIP6_FMT "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
+#	define NIP6_FMT "%04hx:%04hx:%04hx:%04hx:%04hx:%04hx:%04hx:%04hx"
 #endif
 #if !defined(NIPQUAD) && !defined(NIPQUAD_FMT)
 #	define NIPQUAD(addr) \
@@ -43,7 +43,7 @@
 		((const unsigned char *)&addr)[1], \
 		((const unsigned char *)&addr)[2], \
 		((const unsigned char *)&addr)[3]
-#	define NIPQUAD_FMT "%u.%u.%u.%u"
+#	define NIPQUAD_FMT "%hhu.%hhu.%hhu.%hhu"
 #endif
 
 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0)
@@ -82,11 +82,15 @@ static inline void proc_remove(struct proc_dir_entry *de)
 
 static inline struct net *par_net(const struct xt_action_param *par)
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
+	return par->state->net;
+#else
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
 	return par->net;
 #else
 	return dev_net((par->in != NULL) ? par->in : par->out);
 #endif
+#endif
 }
 
 #endif /* _XTABLES_COMPAT_H */

extensions/pknock/gen_hmac.py

@@ -0,0 +1,17 @@
+from Crypto.Hash import SHA256
+from Crypto.Hash import MD5
+import sys
+import hmac
+import struct
+import socket
+from time import time
+
+def gen_hmac(secret, ip):
+    epoch_mins = (long)(time()/60)
+    s = hmac.HMAC(secret, digestmod = SHA256)
+    s.update(socket.inet_aton(socket.gethostbyname(ip)))
+    s.update(struct.pack("i", epoch_mins)) # "i" is for integer
+    print s.hexdigest()
+
+if __name__ == '__main__':
+	gen_hmac(sys.argv[1], sys.argv[2])

extensions/pknock/knock.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+if [ "$#" -ne 4 ]; then
+    echo "usage: $0 <IP src> <IP dst> <PORT dst> <secret>"
+    exit 1
+fi
+python gen_hmac.py "$4" "$1" | socat - "udp-sendto:$2:$3,bind=$1"

extensions/pknock/libxt_pknock.man

@@ -62,8 +62,6 @@ Specifying \fB--autoclose 0\fP means that no automatic close will be performed a
 xt_pknock is capable of sending information about successful matches
 via a netlink socket to userspace, should you need to implement your own
 way of receiving and handling portknock notifications.
-Be sure to read the documentation in the doc/pknock/ directory,
-or visit the original site \(em http://portknocko.berlios.de/ .
 .PP
 \fBTCP mode\fP:
 .PP

extensions/pknock/xt_pknock.c

@@ -19,16 +19,14 @@
 #include <linux/spinlock.h>
 #include <linux/jhash.h>
 #include <linux/random.h>
-#include <linux/crypto.h>
 #include <linux/proc_fs.h>
-#include <linux/scatterlist.h>
 #include <linux/spinlock.h>
 #include <linux/jiffies.h>
 #include <linux/timer.h>
 #include <linux/seq_file.h>
 #include <linux/connector.h>
-
 #include <linux/netfilter/x_tables.h>
+#include <crypto/hash.h>
 #include "xt_pknock.h"
 #include "compat_xtables.h"
 
@@ -111,9 +109,9 @@ static DEFINE_SPINLOCK(list_lock);
 
 static struct {
 	const char *algo;
-	struct crypto_hash	*tfm;
+	struct crypto_shash *tfm;
 	unsigned int size;
-	struct hash_desc	desc;
+	struct shash_desc desc;
 } crypto = {
 	.algo	= "hmac(sha256)",
 	.tfm	= NULL,
@@ -621,9 +619,10 @@ static void add_peer(struct peer *peer, struct xt_pknock_rule *rule)
  */
 static void remove_peer(struct peer *peer)
 {
+	if (peer == NULL)
+		return;
 	list_del(&peer->head);
-	if (peer != NULL)
+	kfree(peer);
-		kfree(peer);
 }
 
 /**
@@ -744,7 +743,6 @@ static bool
 has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
     const unsigned char *payload, unsigned int payload_len)
 {
-	struct scatterlist sg[2];
 	char result[64]; // 64 bytes * 8 = 512 bits
 	char *hexresult;
 	unsigned int hexa_size;
@@ -775,11 +773,7 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 
 	epoch_min = get_seconds() / 60;
 
-	sg_init_table(sg, ARRAY_SIZE(sg));
+	ret = crypto_shash_setkey(crypto.tfm, secret, secret_len);
-	sg_set_buf(&sg[0], &ipsrc, sizeof(ipsrc));
-	sg_set_buf(&sg[1], &epoch_min, sizeof(epoch_min));
-
-	ret = crypto_hash_setkey(crypto.tfm, secret, secret_len);
 	if (ret != 0) {
 		printk("crypto_hash_setkey() failed ret=%d\n", ret);
 		goto out;
@@ -790,10 +784,10 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 	 * 4 bytes IP (32 bits) +
 	 * 4 bytes int epoch_min (32 bits)
 	 */
-	ret = crypto_hash_digest(&crypto.desc, sg,
+	if ((ret = crypto_shash_update(&crypto.desc, (const void *)&ipsrc, sizeof(ipsrc))) != 0 ||
-	      sizeof(ipsrc) + sizeof(epoch_min), result);
+	    (ret = crypto_shash_update(&crypto.desc, (const void *)&epoch_min, sizeof(epoch_min))) != 0 ||
-	if (ret != 0) {
+	    (ret = crypto_shash_final(&crypto.desc, result)) != 0) {
-		printk("crypto_hash_digest() failed ret=%d\n", ret);
+		printk("crypto_shash_update/final() failed ret=%d\n", ret);
 		goto out;
 	}
 
@@ -1133,14 +1127,14 @@ static int __init xt_pknock_mt_init(void)
 		return -ENXIO;
 	}
 
-	crypto.tfm = crypto_alloc_hash(crypto.algo, 0, CRYPTO_ALG_ASYNC);
+	crypto.tfm = crypto_alloc_shash(crypto.algo, 0, 0);
 	if (IS_ERR(crypto.tfm)) {
 		printk(KERN_ERR PKNOCK "failed to load transform for %s\n",
 						crypto.algo);
 		return PTR_ERR(crypto.tfm);
 	}
 
-	crypto.size = crypto_hash_digestsize(crypto.tfm);
+	crypto.size = crypto_shash_digestsize(crypto.tfm);
 	crypto.desc.tfm = crypto.tfm;
 	crypto.desc.flags = 0;
 
@@ -1158,7 +1152,7 @@ static void __exit xt_pknock_mt_exit(void)
 	xt_unregister_match(&xt_pknock_mt_reg);
 	kfree(rule_hashtable);
 	if (crypto.tfm != NULL)
-		crypto_free_hash(crypto.tfm);
+		crypto_free_shash(crypto.tfm);
 }
 
 module_init(xt_pknock_mt_init);

extensions/xt_CHAOS.c

@@ -58,8 +58,12 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 
 	{
 		struct xt_action_param local_par;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+		local_par.state    = par->state;
+#else
 		local_par.in        = par->in,
 		local_par.out       = par->out,
+#endif
 		local_par.match     = xm_tcp;
 		local_par.matchinfo = &tcp_params;
 		local_par.fragoff   = fragoff;
@@ -74,12 +78,16 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
 	{
 		struct xt_action_param local_par;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+		local_par.state    = par->state;
+#else
 		local_par.in       = par->in;
 		local_par.out      = par->out;
 		local_par.hooknum  = par->hooknum;
+		local_par.family   = par->family;
+#endif
 		local_par.target   = destiny;
 		local_par.targinfo = par->targinfo;
-		local_par.family   = par->family;
 		destiny->target(skb, &local_par);
 	}
 }
@@ -100,9 +108,13 @@ chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
 
 	if ((unsigned int)prandom_u32() <= reject_percentage) {
 		struct xt_action_param local_par;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+		local_par.state    = par->state;
+#else
 		local_par.in       = par->in;
 		local_par.out      = par->out;
 		local_par.hooknum  = par->hooknum;
+#endif
 		local_par.target   = xt_reject;
 		local_par.targinfo = &reject_params;
 		return xt_reject->target(skb, &local_par);
@@ -111,7 +123,12 @@ chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	/* TARPIT/DELUDE may not be called from the OUTPUT chain */
 	if (iph->protocol == IPPROTO_TCP &&
 	    info->variant != XTCHAOS_NORMAL &&
-	    par->hooknum != NF_INET_LOCAL_OUT)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+	    par->state->hook
+#else
+	    par->hooknum
+#endif
+	    != NF_INET_LOCAL_OUT)
 		xt_chaos_total(skb, par);
 
 	return NF_DROP;

extensions/xt_DELUDE.c

@@ -79,7 +79,7 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 	tcph->doff   = sizeof(struct tcphdr) / 4;
 
 	/* DELUDE essential part */
-	if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
+	if (oth->syn && !oth->ack && !oth->fin) {
 		tcph->syn     = true;
 		tcph->seq     = 0;
 		tcph->ack     = true;
@@ -151,7 +151,13 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	 * a problem, as that is supported since Linux 2.6.35. But since we do not
 	 * actually want to have a connection open, we are still going to drop it.
 	 */
-	delude_send_reset(par_net(par), skb, par->hooknum);
+	delude_send_reset(par_net(par), skb,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+	                  par->state->hook
+#else
+	                  par->hooknum
+#endif
+	                  );
 	return NF_DROP;
 }
 

extensions/xt_DNETMAP.c

@@ -81,7 +81,7 @@ struct dnetmap_entry {
 
 struct dnetmap_prefix {
 	struct nf_nat_range prefix;
-	char prefix_str[16];
+	char prefix_str[20];
 #ifdef CONFIG_PROC_FS
 	char proc_str_data[20];
 	char proc_str_stat[25];
@@ -356,7 +356,11 @@ out:
 static unsigned int
 dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+	struct net *net = dev_net(par->state->in ? par->state->in : par->state->out);
+#else
 	struct net *net = dev_net(par->in ? par->in : par->out);
+#endif
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
 	struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
@@ -367,16 +371,17 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	struct dnetmap_entry *e;
 	struct dnetmap_prefix *p;
 	__s32 jttl;
-
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
-	NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING ||
+	unsigned int hooknum = par->state->hook;
-		     par->hooknum == NF_INET_LOCAL_OUT ||
+#else
-		     par->hooknum == NF_INET_PRE_ROUTING);
+	unsigned int hooknum = par->hooknum;
+#endif
 	ct = nf_ct_get(skb, &ctinfo);
 
 	jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
 
 	/* in prerouting we try to map postnat-ip to prenat-ip */
-	if (par->hooknum == NF_INET_PRE_ROUTING) {
+	if (hooknum == NF_INET_PRE_ROUTING) {
 		postnat_ip = ip_hdr(skb)->daddr;
 
 		spin_lock_bh(&dnetmap_lock);
@@ -389,7 +394,7 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 		/* if prefix is specified, we check if
 		it matches lookedup entry */
 		if (tginfo->flags & XT_DNETMAP_PREFIX)
-			if (memcmp(mr, &e->prefix, sizeof(*mr)))
+			if (memcmp(mr, &e->prefix->prefix, sizeof(*mr)))
 				goto no_rev_map;
 		/* don't reset ttl if flag is set */
 		if (jttl >= 0 && (! (e->flags & XT_DNETMAP_STATIC) ) ) {
@@ -407,7 +412,7 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 		newrange.min_proto = mr->min_proto;
 		newrange.max_proto = mr->max_proto;
 		return nf_nat_setup_info(ct, &newrange,
-					 HOOK2MANIP(par->hooknum));
+					 HOOK2MANIP(hooknum));
 	}
 
 	prenat_ip = ip_hdr(skb)->saddr;
@@ -495,7 +500,11 @@ bind_new_prefix:
 	newrange.max_addr.ip = postnat_ip;
 	newrange.min_proto = mr->min_proto;
 	newrange.max_proto = mr->max_proto;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->state->hook));
+#else
 	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
+#endif
 
 no_rev_map:
 no_free_ip:

extensions/xt_ECHO.c

@@ -35,7 +35,11 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 	void *payload;
 	struct flowi6 fl;
 	struct dst_entry *dst = NULL;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+	struct net *net = dev_net((par->state->in != NULL) ? par->state->in : par->state->out);
+#else
 	struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
+#endif
 
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(oldskb) < 0)
@@ -76,6 +80,7 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 	payload  = skb_header_pointer(oldskb, par->thoff +
 	           sizeof(*oldudp), data_len, NULL);
 	memcpy(skb_put(newskb, data_len), payload, data_len);
+	newip->payload_len = htons(newskb->len);
 
 #if 0
 	/*
@@ -156,8 +161,8 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
 	newip->version  = oldip->version;
 	newip->ihl      = sizeof(*newip) / 4;
 	newip->tos      = oldip->tos;
-	newip->id       = 0;
+	newip->id       = oldip->id;
-	newip->frag_off = htons(IP_DF);
+	newip->frag_off = 0;
 	newip->protocol = oldip->protocol;
 	newip->check    = 0;
 	newip->saddr    = oldip->daddr;
@@ -173,6 +178,7 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
 	payload  = skb_header_pointer(oldskb, par->thoff +
 	           sizeof(*oldudp), data_len, NULL);
 	memcpy(skb_put(newskb, data_len), payload, data_len);
+	newip->tot_len = htons(newskb->len);
 
 #if 0
 	/*

extensions/xt_LOGMARK.c

@@ -52,14 +52,24 @@ static void logmark_ct(const struct nf_conn *ct, enum ip_conntrack_info ctinfo)
 		printk("EXPECTED");
 		prev = true;
 	}
-	if (ct->status & IPS_SEEN_REPLY)
+	if (ct->status & IPS_SEEN_REPLY) {
-		printk("%s""SEEN_REPLY", prev++ ? "," : "");
+		printk("%s""SEEN_REPLY", prev ? "," : "");
-	if (ct->status & IPS_ASSURED)
+		prev = true;
-		printk("%s""ASSURED", prev++ ? "," : "");
+	}
-	if (ct->status & IPS_CONFIRMED)
+	if (ct->status & IPS_ASSURED) {
-		printk("%s""CONFIRMED", prev++ ? "," : "");
+		printk("%s""ASSURED", prev ? "," : "");
+		prev = true;
+	}
+	if (ct->status & IPS_CONFIRMED) {
+		printk("%s""CONFIRMED", prev ? "," : "");
+		prev = true;
+	}
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,9,0)
+	printk(" lifetime=%lus", nf_ct_expires(ct) / HZ);
+#else
 	printk(" lifetime=%lus",
 	       (jiffies - ct->timeout.expires) / HZ);
+#endif
 }
 
 static unsigned int
@@ -72,15 +82,21 @@ logmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
 	       "secmark=0x%x classify=0x%x",
 	       info->level, (unsigned int)sizeof(info->prefix), info->prefix,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+	       skb_ifindex(skb), hook_names[par->state->hook],
+#else
 	       skb_ifindex(skb), hook_names[par->hooknum],
+#endif
 	       skb_nfmark(skb), skb_secmark(skb), skb->priority);
 
 	ct = nf_ct_get(skb, &ctinfo);
 	printk(" ctdir=%s", dir_names[ctinfo >= IP_CT_IS_REPLY]);
 	if (ct == NULL)
 		printk(" ct=NULL ctmark=NULL ctstate=INVALID ctstatus=NONE");
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 12, 0)
 	else if (nf_ct_is_untracked(ct))
 		printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
+#endif
 	else
 		logmark_ct(ct, ctinfo);
 

extensions/xt_SYSRQ.c

@@ -1,6 +1,6 @@
 /*
  *	"SYSRQ" target extension for Xtables
- *	Copyright © Jan Engelhardt, 2008 - 2012
+ *	Copyright Jan Engelhardt, 2016
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
  *
@@ -21,8 +21,7 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter/x_tables.h>
-#include <linux/crypto.h>
+#include <crypto/hash.h>
-#include <linux/scatterlist.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include "compat_xtables.h"
@@ -50,7 +49,7 @@ MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
 MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
 
 #ifdef WITH_CRYPTO
-static struct crypto_hash *sysrq_tfm;
+static struct crypto_shash *sysrq_tfm;
 static int sysrq_digest_size;
 static unsigned char *sysrq_digest_password;
 static unsigned char *sysrq_digest;
@@ -75,8 +74,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 {
 	const char *data = pdata;
 	int i, n;
-	struct scatterlist sg[2];
+	struct shash_desc desc;
-	struct hash_desc desc;
 	int ret;
 	long new_seqno = 0;
 
@@ -117,15 +115,15 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 
 	desc.tfm   = sysrq_tfm;
 	desc.flags = 0;
-	ret = crypto_hash_init(&desc);
+	ret = crypto_shash_init(&desc);
 	if (ret != 0)
 		goto hash_fail;
-	sg_init_table(sg, 2);
+	if (crypto_shash_update(&desc, data, n) != 0)
-	sg_set_buf(&sg[0], data, n);
+		goto hash_fail;
-	i = strlen(sysrq_digest_password);
+	if (crypto_shash_update(&desc, sysrq_digest_password,
-	sg_set_buf(&sg[1], sysrq_digest_password, i);
+	    strlen(sysrq_digest_password)) != 0)
-	ret = crypto_hash_digest(&desc, sg, n + i, sysrq_digest);
+		goto hash_fail;
-	if (ret != 0)
+	if (crypto_shash_final(&desc, sysrq_digest) != 0)
 		goto hash_fail;
 
 	for (i = 0; i < sysrq_digest_size; ++i) {
@@ -303,7 +301,7 @@ static void sysrq_crypto_exit(void)
 {
 #ifdef WITH_CRYPTO
 	if (sysrq_tfm)
-		crypto_free_hash(sysrq_tfm);
+		crypto_free_shash(sysrq_tfm);
 	if (sysrq_digest)
 		kfree(sysrq_digest);
 	if (sysrq_hexdigest)
@@ -319,7 +317,7 @@ static int __init sysrq_crypto_init(void)
 	struct timeval now;
 	int ret;
 
-	sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
+	sysrq_tfm = crypto_alloc_shash(sysrq_hash, 0, 0);
 	if (IS_ERR(sysrq_tfm)) {
 		printk(KERN_WARNING KBUILD_MODNAME
 			": Error: Could not find or load %s hash\n",
@@ -328,7 +326,7 @@ static int __init sysrq_crypto_init(void)
 		sysrq_tfm = NULL;
 		goto fail;
 	}
-	sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
+	sysrq_digest_size = crypto_shash_digestsize(sysrq_tfm);
 	sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
 	ret = -ENOMEM;
 	if (sysrq_digest == NULL)
@@ -371,7 +369,7 @@ static void __exit sysrq_tg_exit(void)
 module_init(sysrq_tg_init);
 module_exit(sysrq_tg_exit);
 MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
-MODULE_AUTHOR("Jan Engelhardt ");
+MODULE_AUTHOR("Jan Engelhardt");
 MODULE_AUTHOR("John Haxby <john.haxby@oracle.com");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_SYSRQ");

extensions/xt_TARPIT.c

@@ -455,7 +455,11 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+	tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
+#else
 	tarpit_tcp4(par_net(par), skb, par->hooknum, info->variant);
+#endif
 	return NF_DROP;
 }
 
@@ -497,7 +501,11 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		return NF_DROP;
 	}
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+	tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
+#else
 	tarpit_tcp6(par_net(par), skb, par->hooknum, info->variant);
+#endif
 	return NF_DROP;
 }
 #endif

extensions/xt_condition.c

@@ -7,6 +7,7 @@
  *	Authors:
  *	Stephane Ouellette <ouellettes [at] videotron ca>, 2002-10-22
  *	Massimiliano Hofer <max [at] nucleus it>, 2006-05-15
+ *	Grzegorz Kuczyński <grzegorz.kuczynski [at] koba pl>, 2017-02-27
  *
  *	This program is free software; you can redistribute it and/or modify it
  *	under the terms of the GNU General Public License; either version 2
@@ -21,6 +22,8 @@
 #include <linux/version.h>
 #include <linux/netfilter/x_tables.h>
 #include <asm/uaccess.h>
+#include <net/net_namespace.h>
+#include <net/netns/generic.h>
 #include "xt_condition.h"
 #include "compat_xtables.h"
 
@@ -59,8 +62,18 @@ struct condition_variable {
 /*           to the conditions' list.                               */
 static DEFINE_MUTEX(proc_lock);
 
-static LIST_HEAD(conditions_list);
+struct condition_net {
-static struct proc_dir_entry *proc_net_condition;
+	struct list_head conditions_list;
+	struct proc_dir_entry *proc_net_condition;
+	bool after_clear;
+};
+
+static int condition_net_id;
+
+static inline struct condition_net *condition_pernet(struct net *net)
+{
+	return net_generic(net, condition_net_id);
+}
 
 static int condition_proc_show(struct seq_file *m, void *data)
 {
@@ -119,6 +132,7 @@ static int condition_mt_check(const struct xt_mtchk_param *par)
 {
 	struct xt_condition_mtinfo *info = par->matchinfo;
 	struct condition_variable *var;
+	struct condition_net *condition_net = condition_pernet(par->net);
 
 	/* Forbid certain names */
 	if (*info->name == '\0' || *info->name == '.' ||
@@ -134,7 +148,7 @@ static int condition_mt_check(const struct xt_mtchk_param *par)
 	 * or increase the reference counter.
 	 */
 	mutex_lock(&proc_lock);
-	list_for_each_entry(var, &conditions_list, list) {
+	list_for_each_entry(var, &condition_net->conditions_list, list) {
 		if (strcmp(info->name, var->name) == 0) {
 			var->refcount++;
 			mutex_unlock(&proc_lock);
@@ -153,7 +167,7 @@ static int condition_mt_check(const struct xt_mtchk_param *par)
 	memcpy(var->name, info->name, sizeof(info->name));
 	/* Create the condition variable's proc file entry. */
 	var->status_proc = proc_create_data(info->name, condition_list_perms,
-	                   proc_net_condition, &condition_proc_fops, var);
+	                   condition_net->proc_net_condition, &condition_proc_fops, var);
 	if (var->status_proc == NULL) {
 		kfree(var);
 		mutex_unlock(&proc_lock);
@@ -166,7 +180,7 @@ static int condition_mt_check(const struct xt_mtchk_param *par)
 	var->refcount = 1;
 	var->enabled  = false;
 	wmb();
-	list_add(&var->list, &conditions_list);
+	list_add(&var->list, &condition_net->conditions_list);
 	mutex_unlock(&proc_lock);
 	info->condvar = var;
 	return 0;
@@ -176,11 +190,15 @@ static void condition_mt_destroy(const struct xt_mtdtor_param *par)
 {
 	const struct xt_condition_mtinfo *info = par->matchinfo;
 	struct condition_variable *var = info->condvar;
+	struct condition_net *cnet = condition_pernet(par->net);
+
+	if (cnet->after_clear)
+		return;
 
 	mutex_lock(&proc_lock);
 	if (--var->refcount == 0) {
 		list_del(&var->list);
-		proc_remove(var->status_proc);
+		remove_proc_entry(var->name, cnet->proc_net_condition);
 		mutex_unlock(&proc_lock);
 		kfree(var);
 		return;
@@ -213,18 +231,54 @@ static struct xt_match condition_mt_reg[] __read_mostly = {
 
 static const char *const dir_name = "nf_condition";
 
+static int __net_init condition_net_init(struct net *net)
+{
+	struct condition_net *condition_net = condition_pernet(net);
+	INIT_LIST_HEAD(&condition_net->conditions_list);
+	condition_net->proc_net_condition = proc_mkdir(dir_name, net->proc_net);
+	if (condition_net->proc_net_condition == NULL)
+		return -EACCES;
+	condition_net->after_clear = 0;
+	return 0;
+}
+
+static void __net_exit condition_net_exit(struct net *net)
+{
+	struct condition_net *condition_net = condition_pernet(net);
+	struct list_head *pos, *q;
+	struct condition_variable *var = NULL;
+
+	remove_proc_subtree(dir_name, net->proc_net);
+	mutex_lock(&proc_lock);
+	list_for_each_safe(pos, q, &condition_net->conditions_list) {
+		var = list_entry(pos, struct condition_variable, list);
+		list_del(pos);
+		kfree(var);
+	}
+	mutex_unlock(&proc_lock);
+	condition_net->after_clear = true;
+}
+
+static struct pernet_operations condition_net_ops = {
+	.init   = condition_net_init,
+	.exit   = condition_net_exit,
+	.id     = &condition_net_id,
+	.size   = sizeof(struct condition_net),
+};
+
+
 static int __init condition_mt_init(void)
 {
 	int ret;
 
 	mutex_init(&proc_lock);
-	proc_net_condition = proc_mkdir(dir_name, init_net.proc_net);
+	ret = register_pernet_subsys(&condition_net_ops);
-	if (proc_net_condition == NULL)
+	if (ret != 0)
-		return -EACCES;
+		return ret;
 
 	ret = xt_register_matches(condition_mt_reg, ARRAY_SIZE(condition_mt_reg));
 	if (ret < 0) {
-		remove_proc_entry(dir_name, init_net.proc_net);
+		unregister_pernet_subsys(&condition_net_ops);
 		return ret;
 	}
 
@@ -234,7 +288,7 @@ static int __init condition_mt_init(void)
 static void __exit condition_mt_exit(void)
 {
 	xt_unregister_matches(condition_mt_reg, ARRAY_SIZE(condition_mt_reg));
-	remove_proc_entry(dir_name, init_net.proc_net);
+	unregister_pernet_subsys(&condition_net_ops);
 }
 
 module_init(condition_mt_init);

extensions/xt_geoip.c

@@ -75,7 +75,8 @@ geoip_add_node(const struct geoip_country_user __user *umem_ptr,
 
 	if (copy_from_user(&umem, umem_ptr, sizeof(umem)) != 0)
 		return ERR_PTR(-EFAULT);
-
+	if (umem.count > SIZE_MAX / geoproto_size[proto])
+		return ERR_PTR(-E2BIG);
 	p = kmalloc(sizeof(struct geoip_country_kernel), GFP_KERNEL);
 	if (p == NULL)
 		return ERR_PTR(-ENOMEM);

extensions/xt_iface.c

@@ -45,9 +45,17 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
     const struct xt_action_param *par, struct net_device **put)
 {
 	if (info->flags & XT_IFACE_DEV_IN)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+		return par->state->in;
+#else
 		return par->in;
+#endif
 	else if (info->flags & XT_IFACE_DEV_OUT)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+		return par->state->out;
+#else
 		return par->out;
+#endif
 	return *put = dev_get_by_name(&init_net, info->ifname);
 }
 

extensions/xt_ipp2p.c

@@ -511,7 +511,7 @@ search_bittorrent(const unsigned char *payload, const unsigned int plen)
 		 * but *must have* one (or more) of strings listed below (true for scrape and announce)
 		 */
 		if (memcmp(payload, "GET /", 5) == 0) {
-			if (HX_memmem(payload, plen, "info_hash=", 9) != NULL)
+			if (HX_memmem(payload, plen, "info_hash=", 10) != NULL)
 				return IPP2P_BIT * 100 + 1;
 			if (HX_memmem(payload, plen, "peer_id=", 8) != NULL)
 				return IPP2P_BIT * 100 + 2;

extensions/xt_lscan.c

@@ -204,7 +204,11 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		unsigned int n;
 
 		n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+		    par->state->in == init_net.loopback_dev, tcph,
+#else
 		    par->in == init_net.loopback_dev, tcph,
+#endif
 		    skb->len - par->thoff - 4 * tcph->doff);
 
 		ctdata->mark = (ctdata->mark & ~connmark_mask) | n;

extensions/xt_psd.c

@@ -45,12 +45,12 @@ MODULE_ALIAS("ip6t_psd");
 
 /*
  * Keep track of up to LIST_SIZE source addresses, using a hash table of
- * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * PSD_HASH_SIZE entries for faster lookups, but limiting hash collisions to
  * HASH_MAX source addresses per the same hash value.
  */
 #define LIST_SIZE			0x100
 #define HASH_LOG			9
-#define HASH_SIZE			(1 << HASH_LOG)
+#define PSD_HASH_SIZE			(1 << HASH_LOG)
 #define HASH_MAX			0x10
 
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
@@ -108,7 +108,7 @@ struct host6 {
 static struct {
 	spinlock_t lock;
 	struct host4 list[LIST_SIZE];
-	struct host *hash[HASH_SIZE];
+	struct host *hash[PSD_HASH_SIZE];
 	int index;
 } state;
 
@@ -143,13 +143,12 @@ static bool state6_alloc_mem(void)
 	if (state6.list == NULL)
 		return false;
 	memset(state6.list, 0, LIST_SIZE * sizeof(struct host6));
-
+	state6.hash = vmalloc(PSD_HASH_SIZE * sizeof(struct host *));
-	state6.hash = vmalloc(HASH_SIZE * sizeof(struct host*));
 	if (state6.hash == NULL) {
 		vfree(state6.list);
 		return false;
 	}
-	memset(state6.hash, 0, HASH_SIZE * sizeof(struct host *));
+	memset(state6.hash, 0, PSD_HASH_SIZE * sizeof(struct host *));
 	return true;
 }
 #endif
@@ -167,8 +166,7 @@ static unsigned int hashfunc(__be32 addr)
 	do {
 		hash ^= value;
 	} while ((value >>= HASH_LOG) != 0);
-
+	return hash & (PSD_HASH_SIZE - 1);
-	return hash & (HASH_SIZE - 1);
 }
 
 static inline unsigned int hashfunc6(const struct in6_addr *addr)

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v2.10 (2015-11-20)"
+.TH xtables-addons 8 "" "" "v2.14 (2017-11-22)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets