Xtables-addons 2.15

xt_lscan: add --mirai option
xt_lscan: extend info struct to support more flags (without size change)
2025-09-21 20:14:56 +02:00 · 2021-02-05 19:02:49 +01:00 · 2021-02-05 19:00:13 +01:00 · 2021-01-20 03:09:52 +01:00
18 changed files with 250 additions and 37 deletions
--- a/7
+++ b/7
@@ -12,17 +12,16 @@ in combination with the kernel's Kbuild system.
 Supported configurations for this release
 =========================================
-	* iptables >= 1.6.0
+	* iptables >= 1.4.5
-	* kernel-devel >= 4.15
+	* kernel-devel >= 3.7
 	  with prepared build/output directory
 	  - CONFIG_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK enabled =y or as module (=m)
 	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
 	    notifications from pknock through netlink/connector
-(Use xtables-addons-1.x if you need support for Linux < 3.7.
+(Use xtables-addons-1.x if you need support for Linux < 3.7.)
 Use xtables-addons-2.x if you need support for Linux < 4.15.)
 Selecting extensions
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.0])
+AC_INIT([xtables-addons], [2.15])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -57,10 +57,12 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 16; then
+		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 12; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
-		elif test "$kmajor" -eq 4 -a "$kminor" -ge 15; then
+		elif test "$kmajor" -eq 4 -a "$kminor" -le 10; then
-			:
+			:;
 		elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
 			:;
 		else
 			echo "WARNING: That kernel version is not officially supported.";
 		fi;
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -1,10 +1,9 @@
-HEAD
+v2.15 (2021-02-05)
-====
+==================
 Enhancements:
- support for Linux 4.15, 4.16
+- support for Linux up to 4.15
-Changes:
+- xt_lscan: add --mirai option
 - remove support for Linux 3.7--4.14
 v2.14 (2017-11-22)
@@ -131,5 +130,5 @@ Changes:
 Enhancements:
 - Support for Linux 3.7
-If you want to use Xtables-addons with kernels older than 4.15,
+If you want to use Xtables-addons with kernels older than 3.7,
-use the addons 2.x series.
+use the addons 1.x series (maintained but without new features).
--- a/extensions/ACCOUNT/xt_ACCOUNT.c
+++ b/extensions/ACCOUNT/xt_ACCOUNT.c
@@ -482,7 +482,16 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
 static unsigned int
 ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	struct ipt_acc_net *ian = net_generic(par->state->net, ipt_acc_net_id);
 #else
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
 	struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
 #else
 	struct net *net = dev_net(par->in ? par->in : par->out);
 	struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
 #endif
 #endif
 	struct ipt_acc_table *ipt_acc_tables = ian->ipt_acc_tables;
 	const struct ipt_acc_info *info =
 		par->targinfo;
--- a/extensions/compat_xtables.h
+++ b/extensions/compat_xtables.h
@@ -8,8 +8,12 @@
 #define DEBUGP Use__pr_debug__instead
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
-#	warning Kernels below 4.15 not supported.
+#	warning Kernels below 3.7 not supported.
 #endif
 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
 #	define prandom_u32() random32()
 #endif
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -42,9 +46,51 @@
 #	define NIPQUAD_FMT "%hhu.%hhu.%hhu.%hhu"
 #endif
 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0)
 static inline struct inode *file_inode(struct file *f)
 {
 	return f->f_path.dentry->d_inode;
 }
 #endif
 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0)
 static inline void proc_set_user(struct proc_dir_entry *de,
    typeof(de->uid) uid, typeof(de->gid) gid)
 {
 	de->uid = uid;
 	de->gid = gid;
 }
 static inline void *PDE_DATA(struct inode *inode)
 {
 	return PDE(inode)->data;
 }
 static inline void proc_remove(struct proc_dir_entry *de)
 {
 	if (de != NULL)
 		remove_proc_entry(de->name, de->parent);
 }
 #endif
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 0)
 #	define ip6_local_out(xnet, xsk, xskb) ip6_local_out(xskb)
 #	define ip6_route_me_harder(xnet, xskb) ip6_route_me_harder(xskb)
 #	define ip_local_out(xnet, xsk, xskb) ip_local_out(xskb)
 #	define ip_route_me_harder(xnet, xskb, xaddrtype) ip_route_me_harder((xskb), (xaddrtype))
 #endif
 static inline struct net *par_net(const struct xt_action_param *par)
 {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
 	return par->state->net;
 #else
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
 	return par->net;
 #else
 	return dev_net((par->in != NULL) ? par->in : par->out);
 #endif
 #endif
 }
 #ifndef NF_CT_ASSERT
--- a/extensions/libxt_lscan.c
+++ b/extensions/libxt_lscan.c
@@ -24,6 +24,7 @@ static const struct option lscan_mt_opts[] = {
 	{.name = "synscan", .has_arg = false, .val = 's'},
 	{.name = "cnscan",  .has_arg = false, .val = 'c'},
 	{.name = "grscan",  .has_arg = false, .val = 'g'},
 	{.name = "mirai",   .has_arg = false, .val = 'm'},
 	{NULL},
 };
@@ -35,7 +36,8 @@ static void lscan_mt_help(void)
 		"  --stealth    Match TCP Stealth packets\n"
 		"  --synscan    Match TCP SYN scans\n"
 		"  --cnscan     Match TCP Connect scans\n"
-		"  --grscan     Match Banner Grabbing scans\n");
+		"  --grscan     Match Banner Grabbing scans\n"
 		"  --mirai      Match TCP scan with ISN = dest. IP\n");
 }
 static int lscan_mt_parse(int c, char **argv, int invert,
@@ -45,16 +47,19 @@ static int lscan_mt_parse(int c, char **argv, int invert,
 	switch (c) {
 	case 'c':
-		info->match_cn = true;
+		info->match_fl3 |= LSCAN_FL3_CN;
 		return true;
 	case 'g':
-		info->match_gr = true;
+		info->match_fl4 |= LSCAN_FL4_GR;
 		return true;
 	case 'm':
 		info->match_fl1 |= LSCAN_FL1_MIRAI;
 		return true;
 	case 's':
-		info->match_syn = true;
+		info->match_fl2 |= LSCAN_FL2_SYN;
 		return true;
 	case 'x':
-		info->match_stealth = true;
+		info->match_fl1 |= LSCAN_FL1_STEALTH;
 		return true;
 	}
 	return false;
@@ -68,14 +73,16 @@ static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
-	if (info->match_stealth)
+	if (info->match_fl1 & LSCAN_FL1_STEALTH)
 		printf(" --stealth ");
-	if (info->match_syn)
+	if (info->match_fl2 & LSCAN_FL2_SYN)
 		printf(" --synscan ");
-	if (info->match_cn)
+	if (info->match_fl3 & LSCAN_FL3_CN)
 		printf(" --cnscan ");
-	if (info->match_gr)
+	if (info->match_fl4 & LSCAN_FL4_GR)
 		printf(" --grscan ");
 	if (info->match_fl1 & LSCAN_FL1_MIRAI)
 		printf(" --mirai ");
 }
 static void lscan_mt_print(const void *ip,
--- a/extensions/libxt_lscan.man
+++ b/extensions/libxt_lscan.man
@@ -27,6 +27,11 @@ warranted single-direction data flows, usually bulk data transfers such as
 FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
 ports where a protocol runs that is guaranteed to do a bidirectional exchange
 of bytes.
 .TP
 \fB\-\-mirai\fP
 Match if the TCP ISN is equal to the IPv4 destination address; this is used
 by the devices in the Mirai botnet as a form of TCP SYN scan, so you will
 have to explicitly specify --syn for the rule.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
 so be advised to carefully use xt_lscan in conjunction with blocking rules,
--- a/extensions/pknock/xt_pknock.c
+++ b/extensions/pknock/xt_pknock.c
@@ -357,10 +357,18 @@ has_logged_during_this_minute(const struct peer *peer)
 *
 * @r: rule
 */
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
 static void peer_gc(struct timer_list *tl)
 #else
 static void peer_gc(unsigned long r)
 #endif
 {
 	unsigned int i;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
 	struct xt_pknock_rule *rule = from_timer(rule, tl, timer);
 #else
 	struct xt_pknock_rule *rule = (struct xt_pknock_rule *)r;
 #endif
 	struct peer *peer;
 	struct list_head *pos, *n;
@@ -467,7 +475,15 @@ add_rule(struct xt_pknock_mtinfo *info)
 	rule->peer_head      = alloc_hashtable(peer_hashsize);
 	if (rule->peer_head == NULL)
 		goto out;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
 	timer_setup(&rule->timer, peer_gc, 0);
 #else
 	init_timer(&rule->timer);
 	rule->timer.function	= peer_gc;
 	rule->timer.data	= (unsigned long)rule;
 #endif
 	rule->status_proc = proc_create_data(info->rule_name, 0, pde,
 	                    &pknock_proc_ops, rule);
 	if (rule->status_proc == NULL)
@@ -694,7 +710,13 @@ msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
 	scnprintf(msg.rule_name, info->rule_name_len + 1, info->rule_name);
 	memcpy(m + 1, &msg, m->len);
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 15, 0)
 	cn_netlink_send(m, 0, multicast_group, GFP_ATOMIC);
 #else
 	cn_netlink_send(m, multicast_group, GFP_ATOMIC);
 #endif
 	kfree(m);
 #endif
 	return true;
--- a/extensions/xt_CHAOS.c
+++ b/extensions/xt_CHAOS.c
@@ -58,7 +58,12 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 	{
 		struct xt_action_param local_par;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		local_par.state    = par->state;
 #else
 		local_par.in        = par->in,
 		local_par.out       = par->out,
 #endif
 		local_par.match     = xm_tcp;
 		local_par.matchinfo = &tcp_params;
 		local_par.fragoff   = fragoff;
@@ -73,7 +78,14 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
 	{
 		struct xt_action_param local_par;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		local_par.state    = par->state;
 #else
 		local_par.in       = par->in;
 		local_par.out      = par->out;
 		local_par.hooknum  = par->hooknum;
 		local_par.family   = par->family;
 #endif
 		local_par.target   = destiny;
 		local_par.targinfo = par->targinfo;
 		destiny->target(skb, &local_par);
@@ -96,15 +108,27 @@ chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	if ((unsigned int)prandom_u32() <= reject_percentage) {
 		struct xt_action_param local_par;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		local_par.state    = par->state;
 #else
 		local_par.in       = par->in;
 		local_par.out      = par->out;
 		local_par.hooknum  = par->hooknum;
 #endif
 		local_par.target   = xt_reject;
 		local_par.targinfo = &reject_params;
 		return xt_reject->target(skb, &local_par);
 	}
 	/* TARPIT/DELUDE may not be called from the OUTPUT chain */
-	if (iph->protocol == IPPROTO_TCP && info->variant != XTCHAOS_NORMAL &&
+	if (iph->protocol == IPPROTO_TCP &&
-	    par->state->hook != NF_INET_LOCAL_OUT)
+	    info->variant != XTCHAOS_NORMAL &&
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	    par->state->hook
 #else
 	    par->hooknum
 #endif
 	    != NF_INET_LOCAL_OUT)
 		xt_chaos_total(skb, par);
 	return NF_DROP;
--- a/extensions/xt_DELUDE.c
+++ b/extensions/xt_DELUDE.c
@@ -107,8 +107,13 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
 	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev))
 #else
 	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->mask & BRNF_BRIDGED))
 #endif
 #else
 	if (hook != NF_INET_FORWARD)
 #endif
@@ -146,7 +151,13 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	 * a problem, as that is supported since Linux 2.6.35. But since we do not
 	 * actually want to have a connection open, we are still going to drop it.
 	 */
-	delude_send_reset(par_net(par), skb, par->state->hook);
+	delude_send_reset(par_net(par), skb,
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	                  par->state->hook
 #else
 	                  par->hooknum
 #endif
 	                  );
 	return NF_DROP;
 }
--- a/extensions/xt_DNETMAP.c
+++ b/extensions/xt_DNETMAP.c
@@ -356,7 +356,11 @@ out:
 static unsigned int
 dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	struct net *net = dev_net(par->state->in ? par->state->in : par->state->out);
 #else
 	struct net *net = dev_net(par->in ? par->in : par->out);
 #endif
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
 	struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
@@ -367,7 +371,11 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	struct dnetmap_entry *e;
 	struct dnetmap_prefix *p;
 	__s32 jttl;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	unsigned int hooknum = par->state->hook;
 #else
 	unsigned int hooknum = par->hooknum;
 #endif
 	ct = nf_ct_get(skb, &ctinfo);
 	jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
@@ -492,7 +500,12 @@ bind_new_prefix:
 	newrange.max_addr.ip = postnat_ip;
 	newrange.min_proto = mr->min_proto;
 	newrange.max_proto = mr->max_proto;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->state->hook));
 #else
 	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
 #endif
 no_rev_map:
 no_free_ip:
 	spin_unlock_bh(&dnetmap_lock);
--- a/extensions/xt_ECHO.c
+++ b/extensions/xt_ECHO.c
@@ -35,7 +35,11 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 	void *payload;
 	struct flowi6 fl;
 	struct dst_entry *dst = NULL;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	struct net *net = dev_net((par->state->in != NULL) ? par->state->in : par->state->out);
 #else
 	struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
 #endif
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(oldskb) < 0)
--- a/extensions/xt_LOGMARK.c
+++ b/extensions/xt_LOGMARK.c
@@ -64,7 +64,12 @@ static void logmark_ct(const struct nf_conn *ct, enum ip_conntrack_info ctinfo)
 		printk("%s""CONFIRMED", prev ? "," : "");
 		prev = true;
 	}
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,9,0)
 	printk(" lifetime=%lus", nf_ct_expires(ct) / HZ);
 #else
 	printk(" lifetime=%lus",
 	       (jiffies - ct->timeout.expires) / HZ);
 #endif
 }
 static unsigned int
@@ -77,13 +82,21 @@ logmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
 	       "secmark=0x%x classify=0x%x",
 	       info->level, (unsigned int)sizeof(info->prefix), info->prefix,
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	       skb_ifindex(skb), hook_names[par->state->hook],
 #else
 	       skb_ifindex(skb), hook_names[par->hooknum],
 #endif
 	       skb_nfmark(skb), skb_secmark(skb), skb->priority);
 	ct = nf_ct_get(skb, &ctinfo);
 	printk(" ctdir=%s", dir_names[ctinfo >= IP_CT_IS_REPLY]);
 	if (ct == NULL)
 		printk(" ct=NULL ctmark=NULL ctstate=INVALID ctstatus=NONE");
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 12, 0)
 	else if (nf_ct_is_untracked(ct))
 		printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
 #endif
 	else
 		logmark_ct(ct, ctinfo);
--- a/extensions/xt_TARPIT.c
+++ b/extensions/xt_TARPIT.c
@@ -249,8 +249,13 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		niph->id = ~oldhdr->id + 1;
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
 	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev != NULL))
 #else
 	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->mask & BRNF_BRIDGED))
 #endif
 #else
 	if (hook != NF_INET_FORWARD)
 #endif
@@ -278,8 +283,17 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 	nf_ct_attach(nskb, oldskb);
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
 	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
 		skb_dst(nskb)->dev, dst_output);
 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
 	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb->sk, nskb, NULL,
 		skb_dst(nskb)->dev, dst_output_sk);
 #else
 	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
 		skb_dst(nskb)->dev, dst_output);
 #endif
 	return;
 free_nskb:
@@ -392,8 +406,17 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
 	nskb->ip_summed = CHECKSUM_NONE;
 	nf_ct_attach(nskb, oldskb);
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
 	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
 	        skb_dst(nskb)->dev, dst_output);
 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
 	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb->sk, nskb, NULL,
 	        skb_dst(nskb)->dev, dst_output_sk);
 #else
 	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
 	        skb_dst(nskb)->dev, dst_output);
 #endif
 	return;
 free_nskb:
@@ -431,7 +454,12 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	/* We are not interested in fragments */
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
 #else
 	tarpit_tcp4(par_net(par), skb, par->hooknum, info->variant);
 #endif
 	return NF_DROP;
 }
@@ -472,7 +500,12 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		pr_debug("addr is not unicast.\n");
 		return NF_DROP;
 	}
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
 #else
 	tarpit_tcp6(par_net(par), skb, par->hooknum, info->variant);
 #endif
 	return NF_DROP;
 }
 #endif
--- a/extensions/xt_iface.c
+++ b/extensions/xt_iface.c
@@ -45,9 +45,17 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
    const struct xt_action_param *par, struct net_device **put)
 {
 	if (info->flags & XT_IFACE_DEV_IN)
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		return par->state->in;
 #else
 		return par->in;
 #endif
 	else if (info->flags & XT_IFACE_DEV_OUT)
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		return par->state->out;
 #else
 		return par->out;
 #endif
 	return *put = dev_get_by_name(&init_net, info->ifname);
 }
--- a/extensions/xt_lscan.c
+++ b/extensions/xt_lscan.c
@@ -175,6 +175,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
 	const struct iphdr *iph = ip_hdr(skb);
 	const struct tcphdr *tcph;
 	struct nf_conn *ctdata;
 	struct tcphdr tcph_buf;
@@ -182,10 +183,13 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	tcph = skb_header_pointer(skb, par->thoff, sizeof(tcph_buf), &tcph_buf);
 	if (tcph == NULL)
 		return false;
 	if (info->match_fl1 & LSCAN_FL1_MIRAI && iph != NULL &&
 	    iph->version == 4 && iph->daddr == tcph->seq)
 		return true;
 	/* Check for invalid packets: -m conntrack --ctstate INVALID */
 	if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-		if (info->match_stealth)
+		if (info->match_fl1 & LSCAN_FL1_STEALTH)
 			return lscan_mt_stealth(tcph);
 		/*
 		 * If @ctdata is NULL, we cannot match the other scan
@@ -204,24 +208,30 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		unsigned int n;
 		n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		    par->state->in == init_net.loopback_dev, tcph,
 #else
 		    par->in == init_net.loopback_dev, tcph,
 #endif
 		    skb->len - par->thoff - 4 * tcph->doff);
 		ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
 		skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen;
 	}
-	return (info->match_syn && ctdata->mark == mark_synscan) ||
+	return (info->match_fl1 & LSCAN_FL1_STEALTH && ctdata->mark == mark_synscan) ||
-	       (info->match_cn && ctdata->mark == mark_cnscan) ||
+	       (info->match_fl3 & LSCAN_FL3_CN && ctdata->mark == mark_cnscan) ||
-	       (info->match_gr && ctdata->mark == mark_grscan);
+	       (info->match_fl4 & LSCAN_FL4_GR && ctdata->mark == mark_grscan);
 }
 static int lscan_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
-	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
+	if ((info->match_fl1 & ~(LSCAN_FL1_STEALTH | LSCAN_FL1_MIRAI)) ||
-	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
+	    (info->match_fl2 & ~LSCAN_FL2_SYN) ||
 	    (info->match_fl3 & ~LSCAN_FL3_CN) ||
 	    (info->match_fl4 & ~LSCAN_FL4_GR)) {
 		printk(KERN_WARNING PFX "Invalid flags\n");
 		return -EINVAL;
 	}
--- a/extensions/xt_lscan.h
+++ b/extensions/xt_lscan.h
@@ -1,8 +1,16 @@
 #ifndef _LINUX_NETFILTER_XT_LSCAN_H
 #define _LINUX_NETFILTER_XT_LSCAN_H 1
 enum {
 	LSCAN_FL1_STEALTH = 1 << 0,
 	LSCAN_FL1_MIRAI   = 1 << 1,
 	LSCAN_FL2_SYN     = 1 << 0,
 	LSCAN_FL3_CN      = 1 << 0,
 	LSCAN_FL4_GR      = 1 << 0,
 };
 struct xt_lscan_mtinfo {
-	uint8_t match_stealth, match_syn, match_cn, match_gr;
+	uint8_t match_fl1, match_fl2, match_fl3, match_fl4;
 };
 #endif /* _LINUX_NETFILTER_XT_LSCAN_H */
--- a/xtables-addons.8.in
+++ b/xtables-addons.8.in
@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "Lilac" "" "v3.0 (2018-02-12)"
+.TH xtables-addons 8 "" "" "v2.15 (2021-02-05)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets
Author	SHA1	Message	Date
Jan Engelhardt	47f5391a37	Xtables-addons 2.15	2021-02-05 19:02:49 +01:00
Jan Engelhardt	16a64492ae	xt_lscan: add --mirai option	2021-02-05 19:00:13 +01:00
Jan Engelhardt	cdcf874366	xt_lscan: extend info struct to support more flags (without size change)	2021-01-20 03:09:52 +01:00