Xtables-addons 2.5

Commit v3.15-rc1~141^2~97 changed the signature for cn_netlink_send.

.gitignore

@@ -1,3 +1,4 @@
+*.gcno
 *.la
 *.lo
 *.loT

Makefile.am

@@ -11,9 +11,6 @@ FORCE:
 xtables-addons.8: FORCE
 	${MAKE} -f Makefile.mans all;
 
-install-exec-hook:
-	depmod -a || :;
-
 clean-local-mans:
 	${MAKE} -f Makefile.mans clean;
 

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [2.3])
+AC_INIT([xtables-addons], [2.5])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -63,7 +63,7 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 10; then
+		if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 15; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
 		elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
 			:;

doc/changelog.txt

@@ -3,6 +3,25 @@ HEAD
 ====
 
 
+v2.5 (2014-04-18)
+=================
+Enhancements:
+- Support for Linux 3.14 and 3.15
+- xt_quota2: introduce support for network namespaces
+
+
+v2.4 (2014-01-09)
+=================
+Enhancements:
+- Support for Linux 3.13
+Changes:
+- remove unmaintained RAWSNAT/RAWDNAT code
+- remove unused parts of compat_xtables that served Linux <3.7
+Fixes:
+- xt_quota2: --no-change should not alter quota to zero ever
+- xt_quota2: --packet should not be set to zero based on skb->len
+
+
 v2.3 (2013-06-18)
 =================
 Enhancements:

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -474,14 +474,15 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
 	}
 }
 
-static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action_param *par)
+static unsigned int
+ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct ipt_acc_info *info =
 		par->targinfo;
 
-	__be32 src_ip = ip_hdr(*pskb)->saddr;
-	__be32 dst_ip = ip_hdr(*pskb)->daddr;
-	uint32_t size = ntohs(ip_hdr(*pskb)->tot_len);
+	__be32 src_ip = ip_hdr(skb)->saddr;
+	__be32 dst_ip = ip_hdr(skb)->daddr;
+	uint32_t size = ntohs(ip_hdr(skb)->tot_len);
 
 	spin_lock_bh(&ipt_acc_lock);
 

extensions/Kbuild

@@ -15,12 +15,7 @@ obj-${build_ECHO}        += xt_ECHO.o
 endif
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
-obj-${build_RAWNAT}      += xt_RAWNAT.o iptable_rawpost.o
-ifneq (${CONFIG_IP6_NF_IPTABLES},)
-obj-${build_RAWNAT}      += ip6table_rawpost.o
-endif
 obj-${build_SYSRQ}       += xt_SYSRQ.o
-obj-${build_STEAL}       += xt_STEAL.o
 obj-${build_TARPIT}      += xt_TARPIT.o
 obj-${build_condition}   += xt_condition.o
 obj-${build_fuzzy}       += xt_fuzzy.o

extensions/Mbuild

@@ -8,8 +8,6 @@ obj-${build_DNETMAP}     += libxt_DNETMAP.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
-obj-${build_RAWNAT}      += libxt_RAWDNAT.so libxt_RAWSNAT.so
-obj-${build_STEAL}       += libxt_STEAL.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
 obj-${build_condition}   += libxt_condition.so

extensions/compat_nfinetaddr.h

@@ -1,14 +0,0 @@
-#ifndef _COMPAT_NFINETADDR_H
-#define _COMPAT_NFINETADDR_H 1
-
-#include <linux/in.h>
-#include <linux/in6.h>
-
-union nf_inet_addr {
-	__be32 ip;
-	__be32 ip6[4];
-	struct in_addr in;
-	struct in6_addr in6;
-};
-
-#endif /* _COMPAT_NFINETADDR_H */

extensions/compat_rawpost.h

@@ -1,6 +0,0 @@
-#ifndef XTA_COMPAT_RAWPOST_H
-#define XTA_COMPAT_RAWPOST_H 1
-
-typedef struct sk_buff sk_buff_t;
-
-#endif /* XTA_COMPAT_RAWPOST_H */

extensions/compat_xtables.c

@@ -28,118 +28,6 @@
 #	define WITH_IPV6 1
 #endif
 
-static unsigned int
-xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
-{
-	struct xtnu_target *nt = xtcompat_nutarget(par->target);
-
-	return nt->target(&skb, par);
-}
-
-int xtnu_register_target(struct xtnu_target *nt)
-{
-	struct xt_target *ct;
-	char *tmp;
-	int ret;
-
-	ct = kzalloc(sizeof(struct xt_target), GFP_KERNEL);
-	if (ct == NULL)
-		return -ENOMEM;
-
-	tmp = (char *)ct->name;
-	memcpy(tmp, nt->name, sizeof(nt->name));
-	tmp = (char *)(ct->name + sizeof(ct->name) - sizeof(void *));
-	*(tmp-1) = '\0';
-	memcpy(tmp, &nt, sizeof(void *));
-
-	ct->revision   = nt->revision;
-	ct->family     = nt->family;
-	ct->table      = (char *)nt->table;
-	ct->hooks      = nt->hooks;
-	ct->proto      = nt->proto;
-	ct->target     = xtnu_target_run;
-	ct->checkentry = nt->checkentry;
-	ct->destroy    = nt->destroy;
-	ct->targetsize = nt->targetsize;
-	ct->me         = nt->me;
-
-	nt->__compat_target = ct;
-	ret = xt_register_target(ct);
-	if (ret != 0)
-		kfree(ct);
-	return ret;
-}
-EXPORT_SYMBOL_GPL(xtnu_register_target);
-
-int xtnu_register_targets(struct xtnu_target *nt, unsigned int num)
-{
-	unsigned int i;
-	int ret;
-
-	for (i = 0; i < num; ++i) {
-		ret = xtnu_register_target(&nt[i]);
-		if (ret < 0) {
-			if (i > 0)
-				xtnu_unregister_targets(nt, i);
-			return ret;
-		}
-	}
-	return 0;
-}
-EXPORT_SYMBOL_GPL(xtnu_register_targets);
-
-void xtnu_unregister_target(struct xtnu_target *nt)
-{
-	xt_unregister_target(nt->__compat_target);
-	kfree(nt->__compat_target);
-}
-EXPORT_SYMBOL_GPL(xtnu_unregister_target);
-
-void xtnu_unregister_targets(struct xtnu_target *nt, unsigned int num)
-{
-	unsigned int i;
-
-	for (i = 0; i < num; ++i)
-		xtnu_unregister_target(&nt[i]);
-}
-EXPORT_SYMBOL_GPL(xtnu_unregister_targets);
-
-struct xt_match *xtnu_request_find_match(unsigned int af, const char *name,
-    uint8_t revision)
-{
-	static const char *const xt_prefix[] = {
-		[AF_UNSPEC] = "x",
-		[AF_INET]   = "ip",
-		[AF_INET6]  = "ip6",
-#ifdef AF_ARP
-		[AF_ARP]    = "arp",
-#elif defined(NF_ARP) && NF_ARP != AF_UNSPEC
-		[NF_ARP]    = "arp",
-#endif
-	};
-	struct xt_match *match;
-
-	match = try_then_request_module(xt_find_match(af, name, revision),
-		"%st_%s", xt_prefix[af], name);
-	if (IS_ERR(match) || match == NULL)
-		return NULL;
-
-	return match;
-}
-EXPORT_SYMBOL_GPL(xtnu_request_find_match);
-
-int xtnu_ip_route_me_harder(struct sk_buff **pskb, unsigned int addr_type)
-{
-	return ip_route_me_harder(*pskb, addr_type);
-}
-EXPORT_SYMBOL_GPL(xtnu_ip_route_me_harder);
-
-int xtnu_skb_make_writable(struct sk_buff **pskb, unsigned int len)
-{
-	return skb_make_writable(*pskb, len);
-}
-EXPORT_SYMBOL_GPL(xtnu_skb_make_writable);
-
 void *HX_memmem(const void *space, size_t spacesize,
     const void *point, size_t pointsize)
 {

extensions/compat_xtables.h

@@ -12,6 +12,10 @@
 #	warning Kernels below 3.7 not supported.
 #endif
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
+#	define prandom_u32() random32()
+#endif
+
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #	if !defined(CONFIG_NF_CONNTRACK_MARK)
 #		warning You have CONFIG_NF_CONNTRACK enabled, but CONFIG_NF_CONNTRACK_MARK is not (please enable).
@@ -21,9 +25,6 @@
 #	warning You need CONFIG_NF_CONNTRACK.
 #endif
 
-#define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
-#define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
-
 #if !defined(NIP6) && !defined(NIP6_FMT)
 #	define NIP6(addr) \
 		ntohs((addr).s6_addr16[0]), \
@@ -45,16 +46,6 @@
 #	define NIPQUAD_FMT "%u.%u.%u.%u"
 #endif
 
-#define ip_route_me_harder    xtnu_ip_route_me_harder
-#define skb_make_writable     xtnu_skb_make_writable
-#define xt_target             xtnu_target
-#define xt_register_target    xtnu_register_target
-#define xt_unregister_target  xtnu_unregister_target
-#define xt_register_targets   xtnu_register_targets
-#define xt_unregister_targets xtnu_unregister_targets
-
-#define xt_request_find_match xtnu_request_find_match
-
 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0)
 static inline struct inode *file_inode(struct file *f)
 {

extensions/compat_xtnu.h

@@ -1,14 +1,9 @@
 #ifndef _COMPAT_XTNU_H
 #define _COMPAT_XTNU_H 1
 
-#include <linux/list.h>
 #include <linux/netfilter/x_tables.h>
-#include <linux/spinlock.h>
 
-struct flowi;
 struct module;
-struct net_device;
-struct rtable;
 struct sk_buff;
 
 struct xtnu_match {
@@ -58,11 +53,7 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
 	return q;
 }
 
-extern int xtnu_ip_local_out(struct sk_buff *);
-extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
-extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
 extern int xtnu_register_match(struct xtnu_match *);
-extern int xtnu_ip_route_output_key(void *, struct rtable **, struct flowi *);
 extern void xtnu_unregister_match(struct xtnu_match *);
 extern int xtnu_register_matches(struct xtnu_match *, unsigned int);
 extern void xtnu_unregister_matches(struct xtnu_match *, unsigned int);
@@ -70,14 +61,6 @@ extern int xtnu_register_target(struct xtnu_target *);
 extern void xtnu_unregister_target(struct xtnu_target *);
 extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
 extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
-extern struct xt_match *xtnu_request_find_match(unsigned int,
-	const char *, uint8_t);
-extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
-	__be32, __be32, bool);
-extern int xtnu_ipv6_skip_exthdr(const struct sk_buff *, int,
-	uint8_t *, __be16 *);
-extern int xtnu_ipv6_find_hdr(const struct sk_buff *, unsigned int *,
-	int, unsigned short *, int *);
 
 extern void *HX_memmem(const void *, size_t, const void *, size_t);
 

extensions/ip6table_rawpost.c

@@ -1,93 +0,0 @@
-/*
- *	rawpost table for ip6_tables
- *	written by Jan Engelhardt, 2008 - 2009
- *	placed in the Public Domain
- */
-#include <linux/module.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <net/ip.h>
-#include "compat_xtables.h"
-#include "compat_rawpost.h"
-
-enum {
-	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
-};
-
-static struct {
-	struct ip6t_replace repl;
-	struct ip6t_standard entries[1];
-	struct ip6t_error term;
-} rawpost6_initial __initdata = {
-	.repl = {
-		.name        = "rawpost",
-		.valid_hooks = RAWPOST_VALID_HOOKS,
-		.num_entries = 2,
-		.size        = sizeof(struct ip6t_standard) +
-		               sizeof(struct ip6t_error),
-		.hook_entry  = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-		.underflow = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-	},
-	.entries = {
-		IP6T_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
-	},
-	.term = IP6T_ERROR_INIT,		/* ERROR */
-};
-
-static struct xt_table *rawpost6_ptable;
-
-static struct xt_table rawpost6_itable = {
-	.name        = "rawpost",
-	.af          = NFPROTO_IPV6,
-	.valid_hooks = RAWPOST_VALID_HOOKS,
-	.me          = THIS_MODULE,
-};
-
-static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
-    const struct net_device *in, const struct net_device *out,
-    int (*okfn)(struct sk_buff *))
-{
-	return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
-}
-
-static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
-	.hook     = rawpost6_hook_fn,
-	.pf       = NFPROTO_IPV6,
-	.hooknum  = NF_INET_POST_ROUTING,
-	.priority = NF_IP6_PRI_LAST,
-	.owner    = THIS_MODULE,
-};
-
-static int __init rawpost6_table_init(void)
-{
-	int ret;
-
-	rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
-	                  &rawpost6_initial.repl);
-	if (IS_ERR(rawpost6_ptable))
-		return PTR_ERR(rawpost6_ptable);
-
-	ret = nf_register_hook(&rawpost6_hook_ops);
-	if (ret < 0)
-		goto out;
-
-	return ret;
-
- out:
-	ip6t_unregister_table(rawpost6_ptable);
-	return ret;
-}
-
-static void __exit rawpost6_table_exit(void)
-{
-	nf_unregister_hook(&rawpost6_hook_ops);
-	ip6t_unregister_table(rawpost6_ptable);
-}
-
-module_init(rawpost6_table_init);
-module_exit(rawpost6_table_exit);
-MODULE_AUTHOR("Jan Engelhardt ");
-MODULE_LICENSE("GPL");

extensions/iptable_rawpost.c

@@ -1,95 +0,0 @@
-/*
- *	rawpost table for ip_tables
- *	written by Jan Engelhardt, 2008 - 2009
- *	placed in the Public Domain
- */
-#include <linux/module.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/version.h>
-#include <net/ip.h>
-#include "compat_xtables.h"
-#include "compat_rawpost.h"
-
-enum {
-	RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
-};
-
-static struct {
-	struct ipt_replace repl;
-	struct ipt_standard entries[1];
-	struct ipt_error term;
-} rawpost4_initial __initdata = {
-	.repl = {
-		.name        = "rawpost",
-		.valid_hooks = RAWPOST_VALID_HOOKS,
-		.num_entries = 2,
-		.size        = sizeof(struct ipt_standard) +
-		               sizeof(struct ipt_error),
-		.hook_entry  = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-		.underflow = {
-			[NF_INET_POST_ROUTING] = 0,
-		},
-	},
-	.entries = {
-		IPT_STANDARD_INIT(NF_ACCEPT),	/* POST_ROUTING */
-	},
-	.term = IPT_ERROR_INIT,			/* ERROR */
-};
-
-static struct xt_table *rawpost4_ptable;
-
-static struct xt_table rawpost4_itable = {
-	.name        = "rawpost",
-	.af          = NFPROTO_IPV4,
-	.valid_hooks = RAWPOST_VALID_HOOKS,
-	.me          = THIS_MODULE,
-};
-
-static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
-    const struct net_device *in, const struct net_device *out,
-    int (*okfn)(struct sk_buff *))
-{
-	return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
-}
-
-static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
-	.hook     = rawpost4_hook_fn,
-	.pf       = NFPROTO_IPV4,
-	.hooknum  = NF_INET_POST_ROUTING,
-	.priority = NF_IP_PRI_LAST,
-	.owner    = THIS_MODULE,
-};
-
-static int __init rawpost4_table_init(void)
-{
-	int ret;
-
-	rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
-	                  &rawpost4_initial.repl);
-	if (IS_ERR(rawpost4_ptable))
-		return PTR_ERR(rawpost4_ptable);
-
-	ret = nf_register_hook(&rawpost4_hook_ops);
-	if (ret < 0)
-		goto out;
-
-	return ret;
-
- out:
-	ipt_unregister_table(rawpost4_ptable);
-	return ret;
-}
-
-static void __exit rawpost4_table_exit(void)
-{
-	nf_unregister_hook(&rawpost4_hook_ops);
-	ipt_unregister_table(rawpost4_ptable);
-}
-
-module_init(rawpost4_table_init);
-module_exit(rawpost4_table_exit);
-MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
-MODULE_AUTHOR("Jan Engelhardt ");
-MODULE_LICENSE("GPL");

extensions/libxt_RAWDNAT.c

@@ -1,177 +0,0 @@
-/*
- *	"RAWNAT" target extension for iptables
- *	Copyright © Jan Engelhardt, 2008 - 2009
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <netinet/in.h>
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-#include <xtables.h>
-#include <linux/netfilter.h>
-#include "xt_RAWNAT.h"
-#include "compat_user.h"
-
-enum {
-	FLAGS_TO = 1 << 0,
-};
-
-static const struct option rawdnat_tg_opts[] = {
-	{.name = "to-destination", .has_arg = true, .val = 't'},
-	{},
-};
-
-static void rawdnat_tg_help(void)
-{
-	printf(
-"RAWDNAT target options:\n"
-"    --to-destination addr[/mask]    Address or network to map to\n"
-);
-}
-
-static int
-rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 32;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
-				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-					"--to-destination", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ipaddr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-				"--to-destination", optarg);
-		memcpy(&info->addr.in, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static int
-rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in6_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 128;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
-				xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-					"--to-destination", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ip6addr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
-				"--to-destination", optarg);
-		memcpy(&info->addr.in6, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static void rawdnat_tg_check(unsigned int flags)
-{
-	if (!(flags & FLAGS_TO))
-		xtables_error(PARAMETER_PROBLEM, "RAWDNAT: "
-			"\"--to-destination\" is required.");
-}
-
-static void
-rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf(" --to-destination %s/%u ",
-	       xtables_ipaddr_to_numeric(&info->addr.in),
-	       info->mask);
-}
-
-static void
-rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	printf(" -j RAWDNAT");
-	rawdnat_tg4_save(entry, target);
-}
-
-static void
-rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf(" --to-destination %s/%u ",
-	       xtables_ip6addr_to_numeric(&info->addr.in6),
-	       info->mask);
-}
-
-static void
-rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	printf(" -j RAWDNAT");
-	rawdnat_tg6_save(entry, target);
-}
-
-static struct xtables_target rawdnat_tg_reg[] = {
-	{
-		.version       = XTABLES_VERSION,
-		.name          = "RAWDNAT",
-		.revision      = 0,
-		.family        = NFPROTO_IPV4,
-		.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.help          = rawdnat_tg_help,
-		.parse         = rawdnat_tg4_parse,
-		.final_check   = rawdnat_tg_check,
-		.print         = rawdnat_tg4_print,
-		.save          = rawdnat_tg4_save,
-		.extra_opts    = rawdnat_tg_opts,
-	},
-	{
-		.version       = XTABLES_VERSION,
-		.name          = "RAWDNAT",
-		.revision      = 0,
-		.family        = NFPROTO_IPV6,
-		.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.help          = rawdnat_tg_help,
-		.parse         = rawdnat_tg6_parse,
-		.final_check   = rawdnat_tg_check,
-		.print         = rawdnat_tg6_print,
-		.save          = rawdnat_tg6_save,
-		.extra_opts    = rawdnat_tg_opts,
-	},
-};
-
-static void _init(void)
-{
-	xtables_register_targets(rawdnat_tg_reg,
-		sizeof(rawdnat_tg_reg) / sizeof(*rawdnat_tg_reg));
-}

extensions/libxt_RAWDNAT.man

@@ -1,11 +0,0 @@
-.PP
-The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
-much like the \fBNETMAP\fR target.
-.TP
-\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
-Network address to map to. The resulting address will be constructed the
-following way: All "one" bits in the \fImask\fR are filled in from the new
-\fIaddress\fR. All bits that are zero in the mask are filled in from the
-original address.
-.PP
-See the \fBRAWSNAT\fR help entry for examples and constraints.

extensions/libxt_RAWSNAT.c

@@ -1,177 +0,0 @@
-/*
- *	"RAWNAT" target extension for iptables
- *	Copyright © Jan Engelhardt, 2008 - 2009
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <netinet/in.h>
-#include <getopt.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-#include <xtables.h>
-#include <linux/netfilter.h>
-#include "xt_RAWNAT.h"
-#include "compat_user.h"
-
-enum {
-	FLAGS_TO = 1 << 0,
-};
-
-static const struct option rawsnat_tg_opts[] = {
-	{.name = "to-source", .has_arg = true, .val = 't'},
-	{},
-};
-
-static void rawsnat_tg_help(void)
-{
-	printf(
-"RAWSNAT target options:\n"
-"    --to-source addr[/mask]    Address or network to map to\n"
-);
-}
-
-static int
-rawsnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 32;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 32))
-				xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
-					"--to-source", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ipaddr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
-				"--to-source", optarg);
-		memcpy(&info->addr.in, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static int
-rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
-                  const void *entry, struct xt_entry_target **target)
-{
-	struct xt_rawnat_tginfo *info = (void *)(*target)->data;
-	struct in6_addr *a;
-	unsigned int mask;
-	char *end;
-
-	switch (c) {
-	case 't':
-		info->mask = 128;
-		end = strchr(optarg, '/');
-		if (end != NULL) {
-			*end++ = '\0';
-			if (!xtables_strtoui(end, NULL, &mask, 0, 128))
-				xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
-					"--to-source", optarg);
-			info->mask = mask;
-		}
-		a = xtables_numeric_to_ip6addr(optarg);
-		if (a == NULL)
-			xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
-				"--to-source", optarg);
-		memcpy(&info->addr.in6, a, sizeof(*a));
-		*flags |= FLAGS_TO;
-		return true;
-	}
-	return false;
-}
-
-static void rawsnat_tg_check(unsigned int flags)
-{
-	if (!(flags & FLAGS_TO))
-		xtables_error(PARAMETER_PROBLEM, "RAWSNAT: "
-			"\"--to-source\" is required.");
-}
-
-static void
-rawsnat_tg4_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf(" --to-source %s/%u ",
-	       xtables_ipaddr_to_numeric(&info->addr.in),
-	       info->mask);
-}
-
-static void
-rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
-{
-	const struct xt_rawnat_tginfo *info = (const void *)target->data;
-
-	printf(" --to-source %s/%u ",
-	       xtables_ip6addr_to_numeric(&info->addr.in6),
-	       info->mask);
-}
-
-static void
-rawsnat_tg4_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	printf(" -j RAWSNAT");
-	rawsnat_tg4_save(entry, target);
-}
-
-static void
-rawsnat_tg6_print(const void *entry, const struct xt_entry_target *target,
-                  int numeric)
-{
-	printf(" -j RAWSNAT");
-	rawsnat_tg6_save(entry, target);
-}
-
-static struct xtables_target rawsnat_tg_reg[] = {
-	{
-		.version       = XTABLES_VERSION,
-		.name          = "RAWSNAT",
-		.revision      = 0,
-		.family        = NFPROTO_IPV4,
-		.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.help          = rawsnat_tg_help,
-		.parse         = rawsnat_tg4_parse,
-		.final_check   = rawsnat_tg_check,
-		.print         = rawsnat_tg4_print,
-		.save          = rawsnat_tg4_save,
-		.extra_opts    = rawsnat_tg_opts,
-	},
-	{
-		.version       = XTABLES_VERSION,
-		.name          = "RAWSNAT",
-		.revision      = 0,
-		.family        = NFPROTO_IPV6,
-		.size          = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
-		.help          = rawsnat_tg_help,
-		.parse         = rawsnat_tg6_parse,
-		.final_check   = rawsnat_tg_check,
-		.print         = rawsnat_tg6_print,
-		.save          = rawsnat_tg6_save,
-		.extra_opts    = rawsnat_tg_opts,
-	},
-};
-
-static void _init(void)
-{
-	xtables_register_targets(rawsnat_tg_reg,
-		sizeof(rawsnat_tg_reg) / sizeof(*rawsnat_tg_reg));
-}

extensions/libxt_RAWSNAT.man

@@ -1,39 +0,0 @@
-.PP
-The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address
-translation.
-.PP
-The \fBRAWSNAT\fR target will rewrite the source address in the IP header, much
-like the \fBNETMAP\fP target. \fBRAWSNAT\fP (and \fBRAWDNAT\fP) may only be
-used in the \fBraw\fP or \fBrawpost\fP tables, but can be used in all chains,
-which makes it possible to change the source address either when the packet
-enters the machine or when it leaves it. The reason for this table constraint
-is that RAWNAT must happen outside of connection tracking.
-.TP
-\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
-Network address to map to. The resulting address will be constructed the
-following way: All "one" bits in the \fImask\fR are filled in from the new
-\fIaddress\fR. All bits that are zero in the mask are filled in from the
-original address.
-.PP
-As an example, changing the destination for packets forwarded from an internal
-LAN to the internet:
-.IP
-\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250;
-\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135;
-.PP
-Note that changing addresses may influence the route selection! Specifically,
-it statically NATs packets, not connections, like the normal DNAT/SNAT targets
-would do. Also note that it can transform already-NATed connections \(em as
-said, it is completely external to Netfilter's connection tracking/NAT.
-.PP
-If the machine itself generates packets that are to be rawnat-ed, you need a
-rule in the OUTPUT chain instead, just like you would with the stateful NAT
-targets.
-.PP
-It may be necessary that in doing so, you also need an extra RAWSNAT rule, to
-override the automatic source address selection that the routing code does
-before passing packets to iptables. If the connecting socket has not been
-explicitly bound to an address, as is the common mode of operation, the address
-that will be chosen is the primary address of the device through which the
-packet would be routed with its initial destination address - the address as
-seen before any RAWNAT takes place.

extensions/libxt_STEAL.c

@@ -1,32 +0,0 @@
-#include <stdio.h>
-#include <xtables.h>
-#include "compat_user.h"
-
-static void steal_tg_help(void)
-{
-	printf("STEAL takes no options\n\n");
-}
-
-static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
-                          const void *entry, struct xt_entry_target **target)
-{
-	return 0;
-}
-
-static void steal_tg_check(unsigned int flags)
-{
-}
-
-static struct xtables_target steal_tg_reg = {
-	.version       = XTABLES_VERSION,
-	.name          = "STEAL",
-	.family        = NFPROTO_UNSPEC,
-	.help          = steal_tg_help,
-	.parse         = steal_tg_parse,
-	.final_check   = steal_tg_check,
-};
-
-static void _init(void)
-{
-	xtables_register_target(&steal_tg_reg);
-}

extensions/libxt_STEAL.man

@@ -1,3 +0,0 @@
-.PP
-Like the DROP target, but does not throw an error like DROP when used in the
-\fBOUTPUT\fP chain.

extensions/pknock/xt_pknock.c

@@ -701,7 +701,11 @@ msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
 
 	memcpy(m + 1, &msg, m->len);
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 15, 0)
+	cn_netlink_send(m, 0, multicast_group, GFP_ATOMIC);
+#else
 	cn_netlink_send(m, multicast_group, GFP_ATOMIC);
+#endif
 
 	kfree(m);
 #endif

extensions/xt_CHAOS.c

@@ -68,7 +68,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 		ret = xm_tcp->match(skb, &local_par);
 		hotdrop = local_par.hotdrop;
 	}
-	if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
+	if (!ret || hotdrop || (unsigned int)prandom_u32() > delude_percentage)
 		return;
 
 	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
@@ -85,7 +85,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 }
 
 static unsigned int
-chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	/*
 	 * Equivalent to:
@@ -96,10 +96,9 @@ chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 	 * -A chaos -j DROP;
 	 */
 	const struct xt_chaos_tginfo *info = par->targinfo;
-	struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);
 
-	if ((unsigned int)net_random() <= reject_percentage) {
+	if ((unsigned int)prandom_u32() <= reject_percentage) {
 		struct xt_action_param local_par;
 		local_par.in       = par->in;
 		local_par.out      = par->out;

extensions/xt_DELUDE.c

@@ -116,7 +116,7 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
 	/* ip_route_me_harder expects skb->dst to be set */
 	skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
 
-	if (ip_route_me_harder(&nskb, addr_type))
+	if (ip_route_me_harder(nskb, addr_type))
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -138,14 +138,14 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
 }
 
 static unsigned int
-delude_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	/*
 	 * Sending the reset causes reentrancy within iptables - and should not pose
 	 * a problem, as that is supported since Linux 2.6.35. But since we do not
 	 * actually want to have a connection open, we are still going to drop it.
 	 */
-	delude_send_reset(*pskb, par->hooknum);
+	delude_send_reset(skb, par->hooknum);
 	return NF_DROP;
 }
 

extensions/xt_DHCPMAC.c

@@ -89,15 +89,14 @@ dhcpmac_mt(const struct sk_buff *skb, struct xt_action_param *par)
 }
 
 static unsigned int
-dhcpmac_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+dhcpmac_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct dhcpmac_info *info = par->targinfo;
 	struct dhcp_message dhcpbuf, *dh;
 	struct udphdr udpbuf, *udph;
-	struct sk_buff *skb = *pskb;
 	unsigned int i;
 
-	if (!skb_make_writable(pskb, 0))
+	if (!skb_make_writable(skb, 0))
 		return NF_DROP;
 
 	udph = skb_header_pointer(skb, ip_hdrlen(skb),

extensions/xt_DNETMAP.c

@@ -353,9 +353,8 @@ out:
 }
 
 static unsigned int
-dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	struct sk_buff *skb = *pskb;
 	struct net *net = dev_net(par->in ? par->in : par->out);
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
 	struct nf_conn *ct;
@@ -608,7 +607,6 @@ dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, l
 	char buf[sizeof("+192.168.100.100:200.200.200.200")];
 	const char *c = buf;
 	const char *c2;
-	//union nf_inet_addr addr = {};
 	__be32 addr1,addr2;
 	bool add;
 	char str[25];

extensions/xt_ECHO.c

@@ -24,9 +24,8 @@
 #include "compat_xtables.h"
 
 static unsigned int
-echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
+echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 {
-	const struct sk_buff *oldskb = *poldskb;
 	const struct udphdr *oldudp;
 	const struct ipv6hdr *oldip;
 	struct udphdr *newudp, oldudp_buf;
@@ -39,7 +38,7 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
 	struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
 
 	/* This allows us to do the copy operation in fewer lines of code. */
-	if (skb_linearize(*poldskb) < 0)
+	if (skb_linearize(oldskb) < 0)
 		return NF_DROP;
 
 	oldip  = ipv6_hdr(oldskb);
@@ -112,7 +111,7 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
 	if (newskb->len > dst_mtu(skb_dst(newskb)))
 		goto free_nskb;
 
-	nf_ct_attach(newskb, *poldskb);
+	nf_ct_attach(newskb, oldskb);
 	ip6_local_out(newskb);
 	return NF_DROP;
 
@@ -122,9 +121,8 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
 }
 
 static unsigned int
-echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
+echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
 {
-	const struct sk_buff *oldskb = *poldskb;
 	const struct udphdr *oldudp;
 	const struct iphdr *oldip;
 	struct udphdr *newudp, oldudp_buf;
@@ -134,7 +132,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	void *payload;
 
 	/* This allows us to do the copy operation in fewer lines of code. */
-	if (skb_linearize(*poldskb) < 0)
+	if (skb_linearize(oldskb) < 0)
 		return NF_DROP;
 
 	oldip  = ip_hdr(oldskb);
@@ -192,7 +190,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	/* ip_route_me_harder expects the skb's dst to be set */
 	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
 
-	if (ip_route_me_harder(&newskb, RTN_UNSPEC) != 0)
+	if (ip_route_me_harder(newskb, RTN_UNSPEC) != 0)
 		goto free_nskb;
 
 	newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
@@ -202,7 +200,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
 	if (newskb->len > dst_mtu(skb_dst(newskb)))
 		goto free_nskb;
 
-	nf_ct_attach(newskb, *poldskb);
+	nf_ct_attach(newskb, oldskb);
 	ip_local_out(newskb);
 	return NF_DROP;
 

extensions/xt_IPMARK.c

@@ -25,10 +25,9 @@ MODULE_ALIAS("ipt_IPMARK");
 MODULE_ALIAS("ip6t_IPMARK");
 
 static unsigned int
-ipmark_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
+ipmark_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_ipmark_tginfo *ipmarkinfo = par->targinfo;
-	const struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);
 	__u32 mark;
 
@@ -61,10 +60,9 @@ static __u32 ipmark_from_ip6(const struct in6_addr *a, unsigned int s)
 }
 
 static unsigned int
-ipmark_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
+ipmark_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_ipmark_tginfo *info = par->targinfo;
-	const struct sk_buff *skb = *pskb;
 	const struct ipv6hdr *iph = ipv6_hdr(skb);
 	__u32 mark;
 

extensions/xt_LOGMARK.c

@@ -63,9 +63,8 @@ static void logmark_ct(const struct nf_conn *ct, enum ip_conntrack_info ctinfo)
 }
 
 static unsigned int
-logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+logmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	const struct sk_buff *skb = *pskb;
 	const struct xt_logmark_tginfo *info = par->targinfo;
 	const struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;

extensions/xt_RAWNAT.c

@@ -1,354 +0,0 @@
-/*
- *	"RAWNAT" target extension for Xtables - untracked NAT
- *	Copyright © Jan Engelhardt, 2008 - 2009
- *
- *	This program is free software; you can redistribute it and/or
- *	modify it under the terms of the GNU General Public License; either
- *	version 2 of the License, or any later version, as published by the
- *	Free Software Foundation.
- */
-#include <linux/ip.h>
-#include <linux/ipv6.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/version.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter/nf_conntrack_common.h>
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <net/ip.h>
-#include <net/ipv6.h>
-#include "compat_xtables.h"
-#include "xt_RAWNAT.h"
-#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
-#	define WITH_IPV6 1
-#endif
-
-static inline __be32
-remask(__be32 addr, __be32 repl, unsigned int shift)
-{
-	uint32_t mask = (shift == 32) ? 0 : (~(uint32_t)0 >> shift);
-	return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
-}
-
-#ifdef WITH_IPV6
-static void
-rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
-{
-	switch (mask) {
-	case 0:
-		break;
-	case 1 ... 31:
-		addr[0] = remask(addr[0], repl[0], mask);
-		break;
-	case 32:
-		addr[0] = repl[0];
-		break;
-	case 33 ... 63:
-		addr[0] = repl[0];
-		addr[1] = remask(addr[1], repl[1], mask - 32);
-		break;
-	case 64:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		break;
-	case 65 ... 95:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		addr[2] = remask(addr[2], repl[2], mask - 64);
-	case 96:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		addr[2] = repl[2];
-		break;
-	case 97 ... 127:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		addr[2] = repl[2];
-		addr[3] = remask(addr[3], repl[3], mask - 96);
-		break;
-	case 128:
-		addr[0] = repl[0];
-		addr[1] = repl[1];
-		addr[2] = repl[2];
-		addr[3] = repl[3];
-		break;
-	}
-}
-#endif
-
-static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
-{
-	struct iphdr *iph = ip_hdr(skb);
-	void *transport_hdr = (void *)iph + ip_hdrlen(skb);
-	struct tcphdr *tcph;
-	struct udphdr *udph;
-	bool cond;
-
-	switch (iph->protocol) {
-	case IPPROTO_TCP:
-		tcph = transport_hdr;
-		inet_proto_csum_replace4(&tcph->check, skb, oldip, newip, true);
-		break;
-	case IPPROTO_UDP:
-	case IPPROTO_UDPLITE:
-		udph = transport_hdr;
-		cond = udph->check != 0;
-		cond |= skb->ip_summed == CHECKSUM_PARTIAL;
-		if (cond) {
-			inet_proto_csum_replace4(&udph->check, skb,
-				oldip, newip, true);
-			if (udph->check == 0)
-				udph->check = CSUM_MANGLED_0;
-		}
-		break;
-	}
-}
-
-static unsigned int rawnat4_writable_part(const struct iphdr *iph)
-{
-	unsigned int wlen = iph->ihl * 4;
-
-	switch (iph->protocol) {
-	case IPPROTO_TCP:
-		wlen += sizeof(struct tcphdr);
-		break;
-	case IPPROTO_UDP:
-		wlen += sizeof(struct udphdr);
-		break;
-	}
-	return wlen;
-}
-
-static unsigned int
-rawsnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_rawnat_tginfo *info = par->targinfo;
-	struct iphdr *iph;
-	__be32 new_addr;
-
-	iph = ip_hdr(*pskb);
-	new_addr = remask(iph->saddr, info->addr.ip, info->mask);
-	if (iph->saddr == new_addr)
-		return XT_CONTINUE;
-
-	if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
-		return NF_DROP;
-
-	iph = ip_hdr(*pskb);
-	csum_replace4(&iph->check, iph->saddr, new_addr);
-	rawnat4_update_l4(*pskb, iph->saddr, new_addr);
-	iph->saddr = new_addr;
-	return XT_CONTINUE;
-}
-
-static unsigned int
-rawdnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_rawnat_tginfo *info = par->targinfo;
-	struct iphdr *iph;
-	__be32 new_addr;
-
-	iph = ip_hdr(*pskb);
-	new_addr = remask(iph->daddr, info->addr.ip, info->mask);
-	if (iph->daddr == new_addr)
-		return XT_CONTINUE;
-
-	if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
-		return NF_DROP;
-
-	iph = ip_hdr(*pskb);
-	csum_replace4(&iph->check, iph->daddr, new_addr);
-	rawnat4_update_l4(*pskb, iph->daddr, new_addr);
-	iph->daddr = new_addr;
-	return XT_CONTINUE;
-}
-
-#ifdef WITH_IPV6
-static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
-    unsigned int *l4proto)
-{
-	static const unsigned int types[] =
-		{IPPROTO_TCP, IPPROTO_UDP, IPPROTO_UDPLITE};
-	unsigned int i;
-	int err;
-
-	*l4proto = NEXTHDR_MAX;
-
-	for (i = 0; i < ARRAY_SIZE(types); ++i) {
-		err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL, NULL);
-		if (err >= 0) {
-			*l4proto = types[i];
-			break;
-		}
-		if (err != -ENOENT)
-			return false;
-	}
-
-	switch (*l4proto) {
-	case IPPROTO_TCP:
-		if (!skb_make_writable(pskb, *l4offset + sizeof(struct tcphdr)))
-			return false;
-		break;
-	case IPPROTO_UDP:
-	case IPPROTO_UDPLITE:
-		if (!skb_make_writable(pskb, *l4offset + sizeof(struct udphdr)))
-			return false;
-		break;
-	}
-
-	return true;
-}
-
-static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
-    unsigned int l4offset, const struct in6_addr *oldip,
-    const struct in6_addr *newip)
-{
-	const struct ipv6hdr *iph = ipv6_hdr(skb);
-	struct tcphdr *tcph;
-	struct udphdr *udph;
-	unsigned int i;
-	bool cond;
-
-	switch (l4proto) {
-	case IPPROTO_TCP:
-		tcph = (void *)iph + l4offset;
-		for (i = 0; i < 4; ++i)
-			inet_proto_csum_replace4(&tcph->check, skb,
-				oldip->s6_addr32[i], newip->s6_addr32[i], true);
-		break;
-	case IPPROTO_UDP:
-	case IPPROTO_UDPLITE:
-		udph = (void *)iph + l4offset;
-		cond = udph->check;
-		cond |= skb->ip_summed == CHECKSUM_PARTIAL;
-		if (cond) {
-			for (i = 0; i < 4; ++i)
-				inet_proto_csum_replace4(&udph->check, skb,
-					oldip->s6_addr32[i],
-					newip->s6_addr32[i], true);
-			if (udph->check == 0)
-				udph->check = CSUM_MANGLED_0;
-		}
-		break;
-	}
-}
-
-static unsigned int
-rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_rawnat_tginfo *info = par->targinfo;
-	unsigned int l4offset = 0, l4proto;
-	struct ipv6hdr *iph;
-	struct in6_addr new_addr;
-
-	iph = ipv6_hdr(*pskb);
-	memcpy(&new_addr, &iph->saddr, sizeof(new_addr));
-	rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
-	if (ipv6_addr_cmp(&iph->saddr, &new_addr) == 0)
-		return XT_CONTINUE;
-	if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
-		return NF_DROP;
-	iph = ipv6_hdr(*pskb);
-	rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->saddr, &new_addr);
-	memcpy(&iph->saddr, &new_addr, sizeof(new_addr));
-	return XT_CONTINUE;
-}
-
-static unsigned int
-rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	const struct xt_rawnat_tginfo *info = par->targinfo;
-	unsigned int l4offset = 0, l4proto;
-	struct ipv6hdr *iph;
-	struct in6_addr new_addr;
-
-	iph = ipv6_hdr(*pskb);
-	memcpy(&new_addr, &iph->daddr, sizeof(new_addr));
-	rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
-	if (ipv6_addr_cmp(&iph->daddr, &new_addr) == 0)
-		return XT_CONTINUE;
-	if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
-		return NF_DROP;
-	iph = ipv6_hdr(*pskb);
-	rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->daddr, &new_addr);
-	memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
-	return XT_CONTINUE;
-}
-#endif
-
-static int rawnat_tg_check(const struct xt_tgchk_param *par)
-{
-	if (strcmp(par->table, "raw") == 0 ||
-	    strcmp(par->table, "rawpost") == 0)
-		return 0;
-
-	printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or "
-	       "\"rawpost\" table.\n");
-	return -EINVAL;
-}
-
-static struct xt_target rawnat_tg_reg[] __read_mostly = {
-	{
-		.name       = "RAWSNAT",
-		.revision   = 0,
-		.family     = NFPROTO_IPV4,
-		.target     = rawsnat_tg4,
-		.targetsize = sizeof(struct xt_rawnat_tginfo),
-		.checkentry = rawnat_tg_check,
-		.me         = THIS_MODULE,
-	},
-#ifdef WITH_IPV6
-	{
-		.name       = "RAWSNAT",
-		.revision   = 0,
-		.family     = NFPROTO_IPV6,
-		.target     = rawsnat_tg6,
-		.targetsize = sizeof(struct xt_rawnat_tginfo),
-		.checkentry = rawnat_tg_check,
-		.me         = THIS_MODULE,
-	},
-#endif
-	{
-		.name       = "RAWDNAT",
-		.revision   = 0,
-		.family     = NFPROTO_IPV4,
-		.target     = rawdnat_tg4,
-		.targetsize = sizeof(struct xt_rawnat_tginfo),
-		.checkentry = rawnat_tg_check,
-		.me         = THIS_MODULE,
-	},
-#ifdef WITH_IPV6
-	{
-		.name       = "RAWDNAT",
-		.revision   = 0,
-		.family     = NFPROTO_IPV6,
-		.target     = rawdnat_tg6,
-		.targetsize = sizeof(struct xt_rawnat_tginfo),
-		.checkentry = rawnat_tg_check,
-		.me         = THIS_MODULE,
-	},
-#endif
-};
-
-static int __init rawnat_tg_init(void)
-{
-	return xt_register_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
-}
-
-static void __exit rawnat_tg_exit(void)
-{
-	xt_unregister_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
-}
-
-module_init(rawnat_tg_init);
-module_exit(rawnat_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt ");
-MODULE_DESCRIPTION("Xtables: conntrack-less raw NAT");
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_RAWSNAT");
-MODULE_ALIAS("ipt_RAWDNAT");
-MODULE_ALIAS("ip6t_RAWSNAT");
-MODULE_ALIAS("ip6t_RAWDNAT");

extensions/xt_RAWNAT.h

@@ -1,9 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT
-#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1
-
-struct xt_rawnat_tginfo {
-	union nf_inet_addr addr;
-	__u8 mask;
-};
-
-#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */

extensions/xt_STEAL.c

@@ -1,67 +0,0 @@
-/*
- *	"STEAL" demo target extension for Xtables
- *	written by Jan Engelhardt, 2008 - 2009
- *	placed in the Public Domain
- */
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/skbuff.h>
-#include "compat_xtables.h"
-
-static unsigned int
-steal_tg(struct sk_buff **pskb, const struct xt_action_param *par)
-{
-	kfree_skb(*pskb);
-	return NF_STOLEN;
-}
-
-static struct xt_target steal_tg_reg[] __read_mostly = {
-	{
-		.name     = "STEAL",
-		.revision = 0,
-		.family   = NFPROTO_UNSPEC,
-		.target   = steal_tg,
-		.me       = THIS_MODULE,
-	},
-	{
-		.name     = "STEAL",
-		.revision = 0,
-		.family   = NFPROTO_IPV6,
-		.target   = steal_tg,
-		.me       = THIS_MODULE,
-	},
-	{
-		.name     = "STEAL",
-		.revision = 0,
-		.family   = NFPROTO_ARP,
-		.target   = steal_tg,
-		.me       = THIS_MODULE,
-	},
-	{
-		.name     = "STEAL",
-		.revision = 0,
-		.family   = NFPROTO_BRIDGE,
-		.target   = steal_tg,
-		.me       = THIS_MODULE,
-	},
-};
-
-static int __init steal_tg_init(void)
-{
-	return xt_register_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
-}
-
-static void __exit steal_tg_exit(void)
-{
-	xt_unregister_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
-}
-
-module_init(steal_tg_init);
-module_exit(steal_tg_exit);
-MODULE_AUTHOR("Jan Engelhardt ");
-MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_STEAL");
-MODULE_ALIAS("ip6t_STEAL");
-MODULE_ALIAS("arpt_STEAL");
-MODULE_ALIAS("ebt_STEAL");

extensions/xt_SYSRQ.c

@@ -189,9 +189,8 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 #endif
 
 static unsigned int
-sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
+sysrq_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	struct sk_buff *skb = *pskb;
 	const struct iphdr *iph;
 	const struct udphdr *udph;
 	uint16_t len;
@@ -220,9 +219,8 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 
 #ifdef WITH_IPV6
 static unsigned int
-sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
+sysrq_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	struct sk_buff *skb = *pskb;
 	const struct ipv6hdr *iph;
 	const struct udphdr *udph;
 	unsigned short frag_off;

extensions/xt_TARPIT.c

@@ -107,8 +107,8 @@ static bool xttarpit_honeypot(struct tcphdr *tcph, const struct tcphdr *oth,
 		tcph->syn     = true;
 		tcph->ack     = true;
 		tcph->window  = oth->window &
-			((net_random() & 0x1f) - 0xf);
-		tcph->seq     = htonl(net_random() & ~oth->seq);
+			((prandom_u32() & 0x1f) - 0xf);
+		tcph->seq     = htonl(prandom_u32() & ~oth->seq);
 		tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
 	}
 
@@ -117,7 +117,7 @@ static bool xttarpit_honeypot(struct tcphdr *tcph, const struct tcphdr *oth,
 		tcph->syn     = false;
 		tcph->ack     = true;
 		tcph->window  = oth->window &
-			((net_random() & 0x1f) - 0xf);
+			((prandom_u32() & 0x1f) - 0xf);
 		tcph->ack_seq = payload > 100 ?
 			htonl(ntohl(oth->seq) + payload) :
 			oth->seq;
@@ -256,7 +256,7 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
 #endif
 		addr_type = RTN_LOCAL;
 
-	if (ip_route_me_harder(&nskb, addr_type))
+	if (ip_route_me_harder(nskb, addr_type))
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -404,9 +404,8 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
 #endif
 
 static unsigned int
-tarpit_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
+tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	const struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);
 	const struct rtable *rt = skb_rtable(skb);
 	const struct xt_tarpit_tginfo *info = par->targinfo;
@@ -435,15 +434,14 @@ tarpit_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
 
-	tarpit_tcp4(*pskb, par->hooknum, info->variant);
+	tarpit_tcp4(skb, par->hooknum, info->variant);
 	return NF_DROP;
 }
 
 #ifdef WITH_IPV6
 static unsigned int
-tarpit_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
+tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
-	const struct sk_buff *skb = *pskb;
 	const struct ipv6hdr *iph = ipv6_hdr(skb);
 	const struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
 	const struct xt_tarpit_tginfo *info = par->targinfo;
@@ -478,7 +476,7 @@ tarpit_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 		return NF_DROP;
 	}
 
-	tarpit_tcp6(*pskb, par->hooknum, info->variant);
+	tarpit_tcp6(skb, par->hooknum, info->variant);
 	return NF_DROP;
 }
 #endif

extensions/xt_quota2.c

@@ -13,6 +13,7 @@
  */
 #include <linux/list.h>
 #include <linux/module.h>
+#include <linux/nsproxy.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/skbuff.h>
@@ -20,6 +21,9 @@
 #include <linux/uidgid.h>
 #include <linux/version.h>
 #include <asm/atomic.h>
+#include <net/net_namespace.h>
+#include <net/netns/generic.h>
+#include <net/dst.h>
 
 #include <linux/netfilter/x_tables.h>
 #include "xt_quota2.h"
@@ -37,10 +41,19 @@ struct xt_quota_counter {
 	struct proc_dir_entry *procfs_entry;
 };
 
-static LIST_HEAD(counter_list);
+struct quota2_net {
+	struct list_head counter_list;
+	struct proc_dir_entry *proc_xt_quota;
+};
+
+static int quota2_net_id;
+static inline struct quota2_net *quota2_pernet(struct net *net)
+{
+	return net_generic(net, quota2_net_id);
+}
+
 static DEFINE_SPINLOCK(counter_list_lock);
 
-static struct proc_dir_entry *proc_xt_quota;
 static unsigned int quota_list_perms = S_IRUGO | S_IWUSR;
 static unsigned int quota_list_uid   = 0;
 static unsigned int quota_list_gid   = 0;
@@ -76,6 +89,8 @@ quota_proc_write(struct file *file, const char __user *input,
 	if (copy_from_user(buf, input, size) != 0)
 		return -EFAULT;
 	buf[sizeof(buf)-1] = '\0';
+	if (size < sizeof(buf))
+		buf[size] = '\0';
 
 	spin_lock_bh(&e->lock);
 	e->quota = simple_strtoull(buf, NULL, 0);
@@ -118,16 +133,17 @@ q2_new_counter(const struct xt_quota_mtinfo2 *q, bool anon)
  * @name:	name of counter
  */
 static struct xt_quota_counter *
-q2_get_counter(const struct xt_quota_mtinfo2 *q)
+q2_get_counter(struct net *net, const struct xt_quota_mtinfo2 *q)
 {
 	struct proc_dir_entry *p;
 	struct xt_quota_counter *e;
+	struct quota2_net *quota2_net = quota2_pernet(net);
 
 	if (*q->name == '\0')
 		return q2_new_counter(q, true);
 
 	spin_lock_bh(&counter_list_lock);
-	list_for_each_entry(e, &counter_list, list)
+	list_for_each_entry(e, &quota2_net->counter_list, list)
 		if (strcmp(e->name, q->name) == 0) {
 			atomic_inc(&e->ref);
 			spin_unlock_bh(&counter_list_lock);
@@ -138,7 +154,8 @@ q2_get_counter(const struct xt_quota_mtinfo2 *q)
 	if (e == NULL)
 		goto out;
 
-	p = proc_create_data(e->name, quota_list_perms, proc_xt_quota,
+	p = proc_create_data(e->name, quota_list_perms,
+	                     quota2_net->proc_xt_quota,
 	                     &quota_proc_fops, e);
 	if (p == NULL || IS_ERR(p))
 		goto out;
@@ -146,7 +163,7 @@ q2_get_counter(const struct xt_quota_mtinfo2 *q)
 	e->procfs_entry = p;
 	proc_set_user(p, make_kuid(&init_user_ns, quota_list_uid),
 	              make_kgid(&init_user_ns, quota_list_gid));
-	list_add_tail(&e->list, &counter_list);
+	list_add_tail(&e->list, &quota2_net->counter_list);
 	spin_unlock_bh(&counter_list_lock);
 	return e;
 
@@ -169,7 +186,7 @@ static int quota_mt2_check(const struct xt_mtchk_param *par)
 		return -EINVAL;
 	}
 
-	q->master = q2_get_counter(q);
+	q->master = q2_get_counter(par->net, q);
 	if (q->master == NULL) {
 		printk(KERN_ERR "xt_quota.3: memory alloc failure\n");
 		return -ENOMEM;
@@ -182,6 +199,7 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
 {
 	struct xt_quota_mtinfo2 *q = par->matchinfo;
 	struct xt_quota_counter *e = q->master;
+	struct quota2_net *quota2_net = quota2_pernet(par->net);
 
 	if (*q->name == '\0') {
 		kfree(e);
@@ -195,7 +213,7 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
 	}
 
 	list_del(&e->list);
-	remove_proc_entry(e->name, proc_xt_quota);
+	remove_proc_entry(e->name, quota2_net->proc_xt_quota);
 	spin_unlock_bh(&counter_list_lock);
 	kfree(e);
 }
@@ -219,13 +237,14 @@ quota_mt2(const struct sk_buff *skb, struct xt_action_param *par)
 		}
 		ret = true;
 	} else {
-		if (e->quota >= skb->len) {
+		if (e->quota >= ((q->flags & XT_QUOTA_PACKET) ? 1 : skb->len)) {
 			if (!(q->flags & XT_QUOTA_NO_CHANGE))
 				e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
 			ret = !ret;
 		} else {
 			/* we do not allow even small packets from now on */
-			e->quota = 0;
+			if (!(q->flags & XT_QUOTA_NO_CHANGE))
+				e->quota = 0;
 		}
 		q->quota = e->quota;
 	}
@@ -256,24 +275,60 @@ static struct xt_match quota_mt2_reg[] __read_mostly = {
 	},
 };
 
+static int __net_init quota2_net_init(struct net *net)
+{
+	struct quota2_net *quota2_net = quota2_pernet(net);
+	INIT_LIST_HEAD(&quota2_net->counter_list);
+
+	quota2_net->proc_xt_quota = proc_mkdir("xt_quota", net->proc_net);
+	if (quota2_net->proc_xt_quota == NULL)
+		return -EACCES;
+	return 0;
+}
+
+static void __net_exit quota2_net_exit(struct net *net)
+{
+	struct quota2_net *quota2_net = quota2_pernet(net);
+	struct xt_quota_counter *e = NULL;
+	struct list_head *pos, *q;
+
+	remove_proc_entry("xt_quota", net->proc_net);
+
+	/* destroy counter_list while freeing it's content */
+	spin_lock_bh(&counter_list_lock);
+	list_for_each_safe(pos, q, &quota2_net->counter_list) {
+		e = list_entry(pos, struct xt_quota_counter, list);
+		list_del(pos);
+		kfree(e);
+	}
+	spin_unlock_bh(&counter_list_lock);
+}
+
+static struct pernet_operations quota2_net_ops = {
+	.init   = quota2_net_init,
+	.exit   = quota2_net_exit,
+	.id     = &quota2_net_id,
+	.size   = sizeof(struct quota2_net),
+};
+
 static int __init quota_mt2_init(void)
 {
 	int ret;
-
-	proc_xt_quota = proc_mkdir("xt_quota", init_net.proc_net);
-	if (proc_xt_quota == NULL)
-		return -EACCES;
+	ret = register_pernet_subsys(&quota2_net_ops);
+	if (ret < 0)
+		return ret;
 
 	ret = xt_register_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
 	if (ret < 0)
-		remove_proc_entry("xt_quota", init_net.proc_net);
+		unregister_pernet_subsys(&quota2_net_ops);
+
 	return ret;
 }
 
 static void __exit quota_mt2_exit(void)
 {
 	xt_unregister_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
-	remove_proc_entry("xt_quota", init_net.proc_net);
+	unregister_pernet_subsys(&quota2_net_ops);
 }
 
 module_init(quota_mt2_init);

mconfig

@@ -8,8 +8,6 @@ build_DNETMAP=m
 build_ECHO=m
 build_IPMARK=m
 build_LOGMARK=m
-build_RAWNAT=m
-build_STEAL=m
 build_SYSRQ=m
 build_TARPIT=m
 build_condition=m

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "African Heat Edition" "" "v2.3 (2013-06-18)"
+.TH xtables-addons 8 "SFUAN" "" "v2.5 (2014-04-18)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets