Xtables-addons 3.1

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

.gitignore

@@ -3,6 +3,7 @@
 *.lo
 *.loT
 *.o
+.cache.mk
 .deps/
 .dirstamp
 .libs/

INSTALL

@@ -12,16 +12,17 @@ in combination with the kernel's Kbuild system.
 Supported configurations for this release
 =========================================
 
-	* iptables >= 1.4.5
+	* iptables >= 1.6.0
 
-	* kernel-devel >= 3.7
+	* kernel-devel >= 4.15
 	  with prepared build/output directory
 	  - CONFIG_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK enabled =y or as module (=m)
 	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
 	    notifications from pknock through netlink/connector
 
-(Use xtables-addons-1.x if you need support for Linux < 3.7.)
+(Use xtables-addons-1.x if you need support for Linux < 3.7.
+Use xtables-addons-2.x if you need support for Linux < 4.15.)
 
 
 Selecting extensions

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [2.14])
+AC_INIT([xtables-addons], [3.1])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -26,7 +26,7 @@ fi
 
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
-PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.5])
+PKG_CHECK_MODULES([libxtables], [xtables >= 1.6.0])
 xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
 
 AC_ARG_WITH([xtlibdir],
@@ -57,12 +57,10 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 12; then
+		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 18; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
-		elif test "$kmajor" -eq 4 -a "$kminor" -le 10; then
-			:;
-		elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
-			:;
+		elif test "$kmajor" -eq 4 -a "$kminor" -ge 18; then
+			:
 		else
 			echo "WARNING: That kernel version is not officially supported.";
 		fi;

doc/changelog.txt

@@ -3,6 +3,20 @@ HEAD
 ====
 
 
+v3.1 (2018-08-14)
+=================
+Enhancements:
+- support for Linux 4.17, 4.18
+
+
+v3.0 (2018-02-12)
+=================
+Enhancements:
+- support for Linux 4.15, 4.16
+Changes:
+- remove support for Linux 3.7--4.14
+
+
 v2.14 (2017-11-22)
 ==================
 Enhancements:
@@ -127,5 +141,5 @@ Changes:
 Enhancements:
 - Support for Linux 3.7
 
-If you want to use Xtables-addons with kernels older than 3.7,
-use the addons 1.x series (maintained but without new features).
+If you want to use Xtables-addons with kernels older than 4.15,
+use the addons 2.x series.

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -482,16 +482,7 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
 static unsigned int
 ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	struct ipt_acc_net *ian = net_generic(par->state->net, ipt_acc_net_id);
-#else
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
-	struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
-#else
-	struct net *net = dev_net(par->in ? par->in : par->out);
-	struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
-#endif
-#endif
 	struct ipt_acc_table *ipt_acc_tables = ian->ipt_acc_tables;
 	const struct ipt_acc_info *info =
 		par->targinfo;

extensions/compat_xtables.h

@@ -8,12 +8,8 @@
 
 #define DEBUGP Use__pr_debug__instead
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
-#	warning Kernels below 3.7 not supported.
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
-#	define prandom_u32() random32()
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0)
+#	warning Kernels below 4.15 not supported.
 #endif
 
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -46,51 +42,13 @@
 #	define NIPQUAD_FMT "%hhu.%hhu.%hhu.%hhu"
 #endif
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0)
-static inline struct inode *file_inode(struct file *f)
-{
-	return f->f_path.dentry->d_inode;
-}
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0)
-static inline void proc_set_user(struct proc_dir_entry *de,
-    typeof(de->uid) uid, typeof(de->gid) gid)
-{
-	de->uid = uid;
-	de->gid = gid;
-}
-
-static inline void *PDE_DATA(struct inode *inode)
-{
-	return PDE(inode)->data;
-}
-
-static inline void proc_remove(struct proc_dir_entry *de)
-{
-	if (de != NULL)
-		remove_proc_entry(de->name, de->parent);
-}
-#endif
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 0)
-#	define ip6_local_out(xnet, xsk, xskb) ip6_local_out(xskb)
-#	define ip6_route_me_harder(xnet, xskb) ip6_route_me_harder(xskb)
-#	define ip_local_out(xnet, xsk, xskb) ip_local_out(xskb)
-#	define ip_route_me_harder(xnet, xskb, xaddrtype) ip_route_me_harder((xskb), (xaddrtype))
-#endif
-
 static inline struct net *par_net(const struct xt_action_param *par)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
 	return par->state->net;
-#else
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
-	return par->net;
-#else
-	return dev_net((par->in != NULL) ? par->in : par->out);
-#endif
-#endif
 }
 
+#ifndef NF_CT_ASSERT
+#	define NF_CT_ASSERT(x)	WARN_ON(!(x))
+#endif
+
 #endif /* _XTABLES_COMPAT_H */

extensions/libxt_geoip.c

@@ -49,6 +49,38 @@ static struct option geoip_opts[] = {
 	{NULL},
 };
 
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+static void geoip_swap_le16(uint16_t *buf)
+{
+	unsigned char *p = (void *)buf;
+	uint16_t n= p[0] + (p[1] << 8);
+	p[0] = (n >> 8) & 0xff;
+	p[1] = n & 0xff;
+}
+
+static void geoip_swap_in6(struct in6_addr *in6)
+{
+	geoip_swap_le16(&in6->s6_addr16[0]);
+	geoip_swap_le16(&in6->s6_addr16[1]);
+	geoip_swap_le16(&in6->s6_addr16[2]);
+	geoip_swap_le16(&in6->s6_addr16[3]);
+	geoip_swap_le16(&in6->s6_addr16[4]);
+	geoip_swap_le16(&in6->s6_addr16[5]);
+	geoip_swap_le16(&in6->s6_addr16[6]);
+	geoip_swap_le16(&in6->s6_addr16[7]);
+}
+
+static void geoip_swap_le32(uint32_t *buf)
+{
+	unsigned char *p = (void *)buf;
+	uint32_t n = p[0] + (p[1] << 8) + (p[2] << 16) + (p[3] << 24);
+	p[0] = (n >> 24) & 0xff;
+	p[1] = (n >> 16) & 0xff;
+	p[2] = (n >> 8) & 0xff;
+	p[3] = n & 0xff;
+}
+#endif
+
 static void *
 geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
 {
@@ -56,21 +88,15 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
 	struct stat sb;
 	char buf[256];
 	int fd;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+	unsigned int n;
+#endif
 
 	/* Use simple integer vector files */
-	if (nfproto == NFPROTO_IPV6) {
-#if __BYTE_ORDER == _BIG_ENDIAN
-		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/BE/%s.iv6", code);
-#else
-		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/LE/%s.iv6", code);
-#endif
-	} else {
-#if __BYTE_ORDER == _BIG_ENDIAN
-		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/BE/%s.iv4", code);
-#else
-		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/LE/%s.iv4", code);
-#endif
-	}
+	if (nfproto == NFPROTO_IPV6)
+		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/%s.iv6", code);
+	else
+		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/%s.iv4", code);
 
 	if ((fd = open(buf, O_RDONLY)) < 0) {
 		fprintf(stderr, "Could not open %s: %s\n", buf, strerror(errno));
@@ -98,6 +124,25 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
 		xtables_error(OTHER_PROBLEM, "geoip: insufficient memory");
 	read(fd, subnets, sb.st_size);
 	close(fd);
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+	for (n = 0; n < *count; ++n) {
+		switch (nfproto) {
+		case NFPROTO_IPV6: {
+			struct geoip_subnet6 *gs6 = &(((struct geoip_subnet6 *)subnets)[n]);
+			geoip_swap_in6(&gs6->begin);
+			geoip_swap_in6(&gs6->end);
+			break;
+		}
+		case NFPROTO_IPV4: {
+			struct geoip_subnet4 *gs4 = &(((struct geoip_subnet4 *)subnets)[n]);
+			geoip_swap_le32(&gs4->begin);
+			geoip_swap_le32(&gs4->end);
+			break;
+		}
+		}
+	}
+#endif
 	return subnets;
 }
 

extensions/pknock/xt_pknock.c

@@ -357,11 +357,10 @@ has_logged_during_this_minute(const struct peer *peer)
  *
  * @r: rule
  */
-static void
-peer_gc(unsigned long r)
+static void peer_gc(struct timer_list *tl)
 {
 	unsigned int i;
-	struct xt_pknock_rule *rule = (struct xt_pknock_rule *)r;
+	struct xt_pknock_rule *rule = from_timer(rule, tl, timer);
 	struct peer *peer;
 	struct list_head *pos, *n;
 
@@ -468,11 +467,7 @@ add_rule(struct xt_pknock_mtinfo *info)
 	rule->peer_head      = alloc_hashtable(peer_hashsize);
 	if (rule->peer_head == NULL)
 		goto out;
-
-	init_timer(&rule->timer);
-	rule->timer.function	= peer_gc;
-	rule->timer.data	= (unsigned long)rule;
-
+	timer_setup(&rule->timer, peer_gc, 0);
 	rule->status_proc = proc_create_data(info->rule_name, 0, pde,
 	                    &pknock_proc_ops, rule);
 	if (rule->status_proc == NULL)
@@ -699,13 +694,7 @@ msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
 	scnprintf(msg.rule_name, info->rule_name_len + 1, info->rule_name);
 
 	memcpy(m + 1, &msg, m->len);
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 15, 0)
 	cn_netlink_send(m, 0, multicast_group, GFP_ATOMIC);
-#else
-	cn_netlink_send(m, multicast_group, GFP_ATOMIC);
-#endif
-
 	kfree(m);
 #endif
 	return true;

extensions/xt_CHAOS.c

@@ -58,12 +58,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 
 	{
 		struct xt_action_param local_par;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		local_par.state    = par->state;
-#else
-		local_par.in        = par->in,
-		local_par.out       = par->out,
-#endif
 		local_par.match     = xm_tcp;
 		local_par.matchinfo = &tcp_params;
 		local_par.fragoff   = fragoff;
@@ -78,14 +73,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
 	{
 		struct xt_action_param local_par;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		local_par.state    = par->state;
-#else
-		local_par.in       = par->in;
-		local_par.out      = par->out;
-		local_par.hooknum  = par->hooknum;
-		local_par.family   = par->family;
-#endif
 		local_par.target   = destiny;
 		local_par.targinfo = par->targinfo;
 		destiny->target(skb, &local_par);
@@ -108,27 +96,15 @@ chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
 
 	if ((unsigned int)prandom_u32() <= reject_percentage) {
 		struct xt_action_param local_par;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		local_par.state    = par->state;
-#else
-		local_par.in       = par->in;
-		local_par.out      = par->out;
-		local_par.hooknum  = par->hooknum;
-#endif
 		local_par.target   = xt_reject;
 		local_par.targinfo = &reject_params;
 		return xt_reject->target(skb, &local_par);
 	}
 
 	/* TARPIT/DELUDE may not be called from the OUTPUT chain */
-	if (iph->protocol == IPPROTO_TCP &&
-	    info->variant != XTCHAOS_NORMAL &&
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
-	    par->state->hook
-#else
-	    par->hooknum
-#endif
-	    != NF_INET_LOCAL_OUT)
+	if (iph->protocol == IPPROTO_TCP && info->variant != XTCHAOS_NORMAL &&
+	    par->state->hook != NF_INET_LOCAL_OUT)
 		xt_chaos_total(skb, par);
 
 	return NF_DROP;

extensions/xt_DELUDE.c

@@ -107,13 +107,8 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 
 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
 	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev))
-#else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
-	    nskb->nf_bridge->mask & BRNF_BRIDGED))
-#endif
 #else
 	if (hook != NF_INET_FORWARD)
 #endif
@@ -151,13 +146,7 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	 * a problem, as that is supported since Linux 2.6.35. But since we do not
 	 * actually want to have a connection open, we are still going to drop it.
 	 */
-	delude_send_reset(par_net(par), skb,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
-	                  par->state->hook
-#else
-	                  par->hooknum
-#endif
-	                  );
+	delude_send_reset(par_net(par), skb, par->state->hook);
 	return NF_DROP;
 }
 

extensions/xt_DNETMAP.c

@@ -356,26 +356,22 @@ out:
 static unsigned int
 dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	struct net *net = dev_net(par->state->in ? par->state->in : par->state->out);
-#else
-	struct net *net = dev_net(par->in ? par->in : par->out);
-#endif
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
 	struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
 	__be32 prenat_ip, postnat_ip, prenat_ip_prev;
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
 	const struct nf_nat_range *mr = &tginfo->prefix;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 18, 0)
+	struct nf_nat_range2 newrange;
+#else
 	struct nf_nat_range newrange;
+#endif
 	struct dnetmap_entry *e;
 	struct dnetmap_prefix *p;
 	__s32 jttl;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	unsigned int hooknum = par->state->hook;
-#else
-	unsigned int hooknum = par->hooknum;
-#endif
 	ct = nf_ct_get(skb, &ctinfo);
 
 	jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
@@ -500,12 +496,7 @@ bind_new_prefix:
 	newrange.max_addr.ip = postnat_ip;
 	newrange.min_proto = mr->min_proto;
 	newrange.max_proto = mr->max_proto;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->state->hook));
-#else
-	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
-#endif
-
 no_rev_map:
 no_free_ip:
 	spin_unlock_bh(&dnetmap_lock);

extensions/xt_ECHO.c

@@ -35,11 +35,7 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 	void *payload;
 	struct flowi6 fl;
 	struct dst_entry *dst = NULL;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	struct net *net = dev_net((par->state->in != NULL) ? par->state->in : par->state->out);
-#else
-	struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
-#endif
 
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(oldskb) < 0)

extensions/xt_LOGMARK.c

@@ -64,12 +64,7 @@ static void logmark_ct(const struct nf_conn *ct, enum ip_conntrack_info ctinfo)
 		printk("%s""CONFIRMED", prev ? "," : "");
 		prev = true;
 	}
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,9,0)
 	printk(" lifetime=%lus", nf_ct_expires(ct) / HZ);
-#else
-	printk(" lifetime=%lus",
-	       (jiffies - ct->timeout.expires) / HZ);
-#endif
 }
 
 static unsigned int
@@ -82,21 +77,13 @@ logmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
 	       "secmark=0x%x classify=0x%x",
 	       info->level, (unsigned int)sizeof(info->prefix), info->prefix,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	       skb_ifindex(skb), hook_names[par->state->hook],
-#else
-	       skb_ifindex(skb), hook_names[par->hooknum],
-#endif
 	       skb_nfmark(skb), skb_secmark(skb), skb->priority);
 
 	ct = nf_ct_get(skb, &ctinfo);
 	printk(" ctdir=%s", dir_names[ctinfo >= IP_CT_IS_REPLY]);
 	if (ct == NULL)
 		printk(" ct=NULL ctmark=NULL ctstate=INVALID ctstatus=NONE");
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 12, 0)
-	else if (nf_ct_is_untracked(ct))
-		printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
-#endif
 	else
 		logmark_ct(ct, ctinfo);
 

extensions/xt_TARPIT.c

@@ -249,13 +249,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		niph->id = ~oldhdr->id + 1;
 
 #ifdef CONFIG_BRIDGE_NETFILTER
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
 	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev != NULL))
-#else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
-	    nskb->nf_bridge->mask & BRNF_BRIDGED))
-#endif
 #else
 	if (hook != NF_INET_FORWARD)
 #endif
@@ -283,17 +278,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
 	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
 		skb_dst(nskb)->dev, dst_output);
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
-	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb->sk, nskb, NULL,
-		skb_dst(nskb)->dev, dst_output_sk);
-#else
-	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
-		skb_dst(nskb)->dev, dst_output);
-#endif
 	return;
 
  free_nskb:
@@ -406,17 +392,8 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	nf_ct_attach(nskb, oldskb);
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
 	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
 	        skb_dst(nskb)->dev, dst_output);
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
-	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb->sk, nskb, NULL,
-	        skb_dst(nskb)->dev, dst_output_sk);
-#else
-	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
-	        skb_dst(nskb)->dev, dst_output);
-#endif
 	return;
 
  free_nskb:
@@ -454,12 +431,7 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	/* We are not interested in fragments */
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
-#else
-	tarpit_tcp4(par_net(par), skb, par->hooknum, info->variant);
-#endif
 	return NF_DROP;
 }
 
@@ -500,12 +472,7 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		pr_debug("addr is not unicast.\n");
 		return NF_DROP;
 	}
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
-#else
-	tarpit_tcp6(par_net(par), skb, par->hooknum, info->variant);
-#endif
 	return NF_DROP;
 }
 #endif

extensions/xt_iface.c

@@ -45,17 +45,9 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
     const struct xt_action_param *par, struct net_device **put)
 {
 	if (info->flags & XT_IFACE_DEV_IN)
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		return par->state->in;
-#else
-		return par->in;
-#endif
 	else if (info->flags & XT_IFACE_DEV_OUT)
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		return par->state->out;
-#else
-		return par->out;
-#endif
 	return *put = dev_get_by_name(&init_net, info->ifname);
 }
 

extensions/xt_lscan.c

@@ -204,11 +204,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		unsigned int n;
 
 		n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		    par->state->in == init_net.loopback_dev, tcph,
-#else
-		    par->in == init_net.loopback_dev, tcph,
-#endif
 		    skb->len - par->thoff - 4 * tcph->doff);
 
 		ctdata->mark = (ctdata->mark & ~connmark_mask) | n;

geoip/xt_geoip_build

@@ -1,10 +1,13 @@
 #!/usr/bin/perl
 #
 #	Converter for MaxMind CSV database to binary, for xt_geoip
-#	Copyright © Jan Engelhardt, 2008-2011
+#	Copyright Jan Engelhardt, 2008-2011
+#	Copyright Philip Prindeville, 2018
 #
 use Getopt::Long;
-use IO::Handle;
+use Net::CIDR::Lite;
+use Socket qw(AF_INET AF_INET6 inet_pton);
+use warnings;
 use Text::CSV_XS; # or trade for Text::CSV
 use strict;
 
@@ -24,41 +27,208 @@ if (!-d $target_dir) {
 	print STDERR "Target directory $target_dir does not exist.\n";
 	exit 1;
 }
-foreach (qw(LE BE)) {
-	my $dir = "$target_dir/$_";
-	if (!-e $dir && !mkdir($dir)) {
-		print STDERR "Could not mkdir $dir: $!\n";
-		exit 1;
-	}
-}
+
+my %countryId;
+my %countryName;
+
+my $dir = findVersion();
+
+&loadCountries();
 
 &dump(&collect());
 
+sub findVersion
+{
+	my @dirs = ();
+
+	opendir(my $dh, '.') || die "Can't open .: $!\n";
+
+	while (readdir $dh) {
+		if ($_ =~ m/^GeoLite2-Country-CSV_\d{8}$/) {
+			push(@dirs, $_);
+		}
+	}
+	closedir $dh;
+
+	@dirs = sort @dirs;
+	return pop(@dirs);
+}
+
+sub loadCountries
+{
+	my $file = "$dir/GeoLite2-Country-Locations-en.csv";
+
+	sub id; sub cc; sub long; sub ct; sub cn;
+
+	%countryId = ();
+	%countryName = ();
+
+	open(my $fh, '<', $file) || die "Couldn't open list country names\n";
+
+	# first line is headers
+	my $row = $csv->getline($fh);
+
+	my %header = map { ($row->[$_], $_); } (0..$#{$row});
+
+	my %pairs = (
+		country_iso_code => 'ISO Country Code',
+		geoname_id => 'ID',
+		country_name => 'Country Name',
+		continent_code => 'Continent Code',
+		continent_name => 'Continent Name',
+	);
+
+	# verify that the columns we need are present
+	map { die "Table has no $pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
+
+	my %remapping = (
+		id => 'geoname_id',
+		cc => 'country_iso_code',
+		long => 'country_name',
+		ct => 'continent_code',
+		cn => 'continent_name',
+	);
+
+	# now create a function which returns the value of that column #
+	map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
+
+	while (my $row = $csv->getline($fh)) {
+		if ($row->[cc] eq '' && $row->[long] eq '') {
+			$countryId{$row->[id]} = $row->[ct];
+			$countryName{$row->[ct]} = $row->[cn];
+		} else {
+			$countryId{$row->[id]} = $row->[cc];
+			$countryName{$row->[cc]} = $row->[long];
+		}
+	}
+
+	$countryName{A1} = 'Anonymous Proxy';
+	$countryName{A2} = 'Satellite Provider';
+	$countryName{O1} = 'Other Country';
+
+	close($fh);
+
+	# clean up the namespace
+	undef &id; undef &cc; undef &long; undef &ct; undef &cn;
+}
+
+sub lookupCountry
+{
+	my ($id, $rid, $proxy, $sat) = @_;
+
+	if ($proxy) {
+		return 'A1';
+	} elsif ($sat) {
+		return 'A2';
+	}
+	$id ||= $rid;
+	if ($id eq '') {
+		return 'O1';
+	}
+	die "Unknown id: $id line $.\n" unless (exists $countryId{$id});
+	return $countryId{$id};
+}
+
 sub collect
 {
-	my %country;
+	my ($file, $fh, $row);
+	my (%country, %header);
+
+	sub net; sub id; sub rid; sub proxy; sub sat;
+
+	my %pairs = (
+		network => 'Network',
+		registered_country_geoname_id => 'Registered Country ID',
+		geoname_id => 'Country ID',
+		is_anonymous_proxy => 'Anonymous Proxy',
+		is_satellite_provider => 'Satellite',
+	);
+
+	foreach (sort keys %countryName) {
+		$country{$_} = {
+			name => $countryName{$_},
+			pool_v4 => Net::CIDR::Lite->new(),
+			pool_v6 => Net::CIDR::Lite->new(),
+		};
+	}
+
+	$file = "$dir/GeoLite2-Country-Blocks-IPv4.csv";
+
+	open($fh, '<', $file) || die "Can't open IPv4 database\n";
+
+	# first line is headers
+	$row = $csv->getline($fh);
+
+	%header = map { ($row->[$_], $_); } (0..$#{$row});
+
+	# verify that the columns we need are present
+	map { die "Table has no %pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
+
+	my %remapping = (
+		net => 'network',
+		id => 'geoname_id',
+		rid => 'registered_country_geoname_id',
+		proxy => 'is_anonymous_proxy',
+		sat => 'is_satellite_provider',
+	);
+
+	# now create a function which returns the value of that column #
+	map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
+
+	while ($row = $csv->getline($fh)) {
+		my ($cc, $cidr);
+
+		$cc = lookupCountry($row->[id], $row->[rid], $row->[proxy], $row->[sat]);
+		$cidr = $row->[net];
+		$country{$cc}->{pool_v4}->add($cidr);
 
-	while (my $row = $csv->getline(*ARGV)) {
-		if (!defined($country{$row->[4]})) {
-			$country{$row->[4]} = {
-				name => $row->[5],
-				pool_v4 => [],
-				pool_v6 => [],
-			};
-		}
-		my $c = $country{$row->[4]};
-		if ($row->[0] =~ /:/) {
-			push(@{$c->{pool_v6}},
-			     [&ip6_pack($row->[0]), &ip6_pack($row->[1])]);
-		} else {
-			push(@{$c->{pool_v4}}, [$row->[2], $row->[3]]);
-		}
 		if ($. % 4096 == 0) {
 			print STDERR "\r\e[2K$. entries";
 		}
 	}
 
 	print STDERR "\r\e[2K$. entries total\n";
+
+	close($fh);
+
+	# clean up the namespace
+	undef &net; undef &id; undef &rid; undef &proxy; undef &sat;
+
+	$file = "$dir/GeoLite2-Country-Blocks-IPv6.csv";
+
+	open($fh, '<', $file) || die "Can't open IPv6 database\n";
+
+	# first line is headers
+	$row = $csv->getline($fh);
+
+	%header = map { ($row->[$_], $_); } (0..$#{$row});
+
+	# verify that the columns we need are present
+	map { die "Table has no %pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
+
+	# unlikely the IPv6 table has different columns, but just to be sure
+	# create a function which returns the value of that column #
+	map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
+
+	while ($row = $csv->getline($fh)) {
+		my ($cc, $cidr);
+
+		$cc = lookupCountry($row->[id], $row->[rid], $row->[proxy], $row->[sat]);
+		$cidr = $row->[net];
+		$country{$cc}->{pool_v6}->add($cidr);
+
+		if ($. % 4096 == 0) {
+			print STDERR "\r\e[2K$. entries";
+		}
+	}
+
+	print STDERR "\r\e[2K$. entries total\n";
+
+	close($fh);
+
+	# clean up the namespace
+	undef &net; undef &id; undef &rid; undef &proxy; undef &sat;
+
 	return \%country;
 }
 
@@ -66,7 +236,7 @@ sub dump
 {
 	my $country = shift @_;
 
-	foreach my $iso_code (sort keys %$country) {
+	foreach my $iso_code (sort keys %{$country}) {
 		&dump_one($iso_code, $country->{$iso_code});
 	}
 }
@@ -74,68 +244,41 @@ sub dump
 sub dump_one
 {
 	my($iso_code, $country) = @_;
-	my($file, $fh_le, $fh_be);
+	my @ranges;
 
-	printf "%5u IPv6 ranges for %s %s\n",
-		scalar(@{$country->{pool_v6}}),
-		$iso_code, $country->{name};
+	@ranges = $country->{pool_v4}->list_range();
 
-	$file = "$target_dir/LE/".uc($iso_code).".iv6";
-	if (!open($fh_le, "> $file")) {
-		print STDERR "Error opening $file: $!\n";
-		exit 1;
-	}
-	$file = "$target_dir/BE/".uc($iso_code).".iv6";
-	if (!open($fh_be, "> $file")) {
-		print STDERR "Error opening $file: $!\n";
-		exit 1;
-	}
-	foreach my $range (@{$country->{pool_v6}}) {
-		print $fh_be $range->[0], $range->[1];
-		print $fh_le &ip6_swap($range->[0]), &ip6_swap($range->[1]);
-	}
-	close $fh_le;
-	close $fh_be;
+	writeCountry($iso_code, $country->{name}, AF_INET, @ranges);
 
-	printf "%5u IPv4 ranges for %s %s\n",
-		scalar(@{$country->{pool_v4}}),
-		$iso_code, $country->{name};
+	@ranges = $country->{pool_v6}->list_range();
 
-	$file = "$target_dir/LE/".uc($iso_code).".iv4";
-	if (!open($fh_le, "> $file")) {
-		print STDERR "Error opening $file: $!\n";
-		exit 1;
-	}
-	$file = "$target_dir/BE/".uc($iso_code).".iv4";
-	if (!open($fh_be, "> $file")) {
-		print STDERR "Error opening $file: $!\n";
-		exit 1;
-	}
-	foreach my $range (@{$country->{pool_v4}}) {
-		print $fh_le pack("VV", $range->[0], $range->[1]);
-		print $fh_be pack("NN", $range->[0], $range->[1]);
-	}
-	close $fh_le;
-	close $fh_be;
+	writeCountry($iso_code, $country->{name}, AF_INET6, @ranges);
 }
 
-sub ip6_pack
+sub writeCountry
 {
-	my $addr = shift @_;
-	$addr =~ s{::}{:!:};
-	my @addr = split(/:/, $addr);
-	my @e = (0) x 8;
-	foreach (@addr) {
-		if ($_ eq "!") {
-			$_ = join(':', @e[0..(8-scalar(@addr))]);
-		}
+	my ($iso_code, $name, $family, @ranges) = @_;
+	my $fh;
+
+	printf "%5u IPv%s ranges for %s %s\n",
+		scalar(@ranges),
+		($family == AF_INET ? '4' : '6'),
+		$iso_code, $name;
+
+	my $file = "$target_dir/".uc($iso_code).".iv".($family == AF_INET ? '4' : '6');
+	if (!open($fh, '>', $file)) {
+		print STDERR "Error opening $file: $!\n";
+		exit 1;
 	}
-	@addr = split(/:/, join(':', @addr));
-	$_ = hex($_) foreach @addr;
-	return pack("n*", @addr);
+
+	binmode($fh);
+
+	foreach my $range (@ranges) {
+		my ($start, $end) = split('-', $range);
+		$start = inet_pton($family, $start);
+		$end = inet_pton($family, $end);
+		print $fh $start, $end;
+	}
+	close $fh;
 }
 
-sub ip6_swap
-{
-	return pack("V*", unpack("N*", shift @_));
-}

geoip/xt_geoip_build.1

@@ -5,7 +5,7 @@ xt_geoip_build \(em convert GeoIP.csv to packed format for xt_geoip
 .SH Syntax
 .PP
 \fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_build\fP [\fB\-D\fP
-\fItarget_dir\fP] [\fIfile\fP...]
+\fItarget_dir\fP]
 .SH Description
 .PP
 xt_geoip_build is used to build packed raw representations of the range
@@ -16,7 +16,12 @@ required to be loaded into memory. The ranges in the packed database files are
 also ordered, as xt_geoip relies on this property for its bisection approach to
 work.
 .PP
-Input is processed from the listed files, or if none is given, from stdin.
+It expects to find a directory named
+.IR GeoLite2-Country-CSV_YYYYMMDD
+in the current directory, and will select the most recent if multiple
+instances are found.  The
+.IR xt_geoip_dl
+script can be used to populate this directory.
 .PP
 Since the script is usually installed to the libexec directory of the
 xtables-addons package and this is outside $PATH (on purpose), invoking the

geoip/xt_geoip_dl

@@ -1,8 +1,7 @@
 #!/bin/sh
 
-rm -f GeoIPv6.csv GeoIPv6.csv.gz GeoIPCountryCSV.zip GeoIPCountryWhois.csv;
-wget \
-	http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \
-	http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip;
-gzip -d GeoIPv6.csv.gz;
-unzip GeoIPCountryCSV.zip;
+rm -rf GeoLite2-Country-CSV_*
+
+wget -q http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
+unzip -q GeoLite2-Country-CSV.zip
+rm -f GeoLite2-Country-CSV.zip

geoip/xt_geoip_fetch

@@ -0,0 +1,93 @@
+#!/usr/bin/perl
+#
+#	Utility to query GeoIP database
+#	Copyright Philip Prindeville, 2018
+#
+use Getopt::Long;
+use Socket qw(AF_INET AF_INET6 inet_ntop);
+use warnings;
+use strict;
+
+sub AF_INET_SIZE() { 4 }
+sub AF_INET6_SIZE() { 16 }
+
+my $target_dir = ".";
+my $ipv4 = 0;
+my $ipv6 = 0;
+
+&Getopt::Long::Configure(qw(bundling));
+&GetOptions(
+	"D=s" => \$target_dir,
+	"4"   => \$ipv4,
+	"6"   => \$ipv6,
+);
+
+if (!-d $target_dir) {
+	print STDERR "Target directory $target_dir does not exit.\n";
+	exit 1;
+}
+
+# if neither specified, assume both
+if (! $ipv4 && ! $ipv6) {
+	$ipv4 = $ipv6 = 1;
+}
+
+foreach my $cc (@ARGV) {
+	if ($cc !~ m/^([a-z]{2}|a[12]|o1)$/i) {
+		print STDERR "Invalid country code '$cc'\n";
+		exit 1;
+	}
+
+	my $file = $target_dir . '/' . uc($cc) . '.iv4';
+
+	if (! -f $file) {
+		printf STDERR "Can't find data for country '$cc'\n";
+		exit 1;
+	}
+
+	my ($contents, $buffer, $bytes, $fh);
+
+	if ($ipv4) {
+		open($fh, '<', $file) || die "Couldn't open file for '$cc'\n";
+
+		binmode($fh);
+
+		while (($bytes = read($fh, $buffer, AF_INET_SIZE * 2)) == AF_INET_SIZE * 2) {
+			my $start = inet_ntop(AF_INET, substr($buffer, 0, AF_INET_SIZE));
+			my $end = inet_ntop(AF_INET, substr($buffer, AF_INET_SIZE));
+			print $start, '-', $end, "\n";
+		}
+		close($fh);
+		if (! defined $bytes) {
+			printf STDERR "Error reading file for '$cc'\n";
+			exit 1;
+		} elsif ($bytes != 0) {
+			printf STDERR "Short read on file for '$cc'\n";
+			exit 1;
+		}
+	}
+
+	substr($file, -1) = '6';
+
+	if ($ipv6) {
+		open($fh, '<', $file) || die "Couldn't open file for '$cc'\n";
+
+		binmode($fh);
+
+		while (($bytes = read($fh, $buffer, AF_INET6_SIZE * 2)) == AF_INET6_SIZE * 2) {
+			my $start = inet_ntop(AF_INET6, substr($buffer, 0, AF_INET6_SIZE));
+			my $end = inet_ntop(AF_INET6, substr($buffer, AF_INET6_SIZE));
+			print $start, '-', $end, "\n";
+		}
+		close($fh);
+		if (! defined $bytes) {
+			printf STDERR "Error reading file for '$cc'\n";
+			exit 1;
+		} elsif ($bytes != 0) {
+			printf STDERR "Short read on file for '$cc'\n";
+			exit 1;
+		}
+	}
+}
+
+exit 0;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v2.14 (2017-11-22)"
+.TH xtables-addons 8 "Windows" "" "v3.1 (2018-08-14)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets