Xtables-addons 3.4

shash_desc::flags was removed from the kernel in 5.1.

That assignment was actually superfluous anyway, because crypto.desc
is zero-initialized when crypto is initialized (xt_pknock.c, ll.
110ff.).

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

README

@@ -1,57 +1,15 @@
 Xtables-addons
 ==============
 
-Xtables-addons is the proclaimed successor to patch-o-matic(-ng). It
-contains extensions that were not accepted in the main Xtables
-package.
+Xtables-addons is a set of extensions that were not accepted in the
+Linux kernel and/or main Xtables/iptables package.
 
-Xtables-addons is different from patch-o-matic in that you do not
-have to patch or recompile either kernel or Xtables(iptables). But
-please see the INSTALL file for the minimum requirements of this
-package.
-
-All code imported from patch-o-matic has been reviewed and all
-apparent bugs like binary stability across multiarches, missing
-sanity checks and incorrect endianess handling have been fixed,
-simplified, and sped up.
+It superseded the earlier patch-o-matic(-ng) package in that no
+patching and/or recompilation of either the kernel or
+Xtables/iptables is required. However, do see the INSTALL file for
+the minimum requirements of Xtables-addons.
 
 
 Included in this package
 ========================
 - xt_ACCOUNT 1.16, libxt_ACCOUNT 1.3
-
-
-Inclusion into a kernel tree
-============================
-
-
-
-
-External extensions
-===================
-
-The program "xa-download-more" can be used to download more
-extensions from 3rd parties into the source tree. The URLs are listed
-in the "sources" file. If the "sources" file contains an entry like
-
-	http://foobar.org/xa/
-
-xa-download-more will inspect http://foobar.org/xa/xa-index.txt for
-files to download. That file may contain
-
-	foobar.tar.bz2
-
-and xa-download-more will then retrieve and unpack
-http://foobar.org/xa/foobar.tar.bz2.
-
-Files that should be contained in the tarball are an mconfig and
-Kbuild files to control building the extension, libxt_foobar.c for
-the userspace extension and xt_foobar.c for the kernel extension.
-
-	mconfig.foobar
-	extensions/Kbuild.foobar
-	extensions/Mbuild.foobar
-	extensions/libxt_foobar.c
-	extensions/libxt_foobar.man
-	extensions/xt_foobar.c
-	extensions/xt_foobar.h

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.1])
+AC_INIT([xtables-addons], [3.4])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -57,8 +57,10 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 18; then
+		if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 3; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
+		elif test "$kmajor" -eq 5 -a "$kminor" -ge 0; then
+			:
 		elif test "$kmajor" -eq 4 -a "$kminor" -ge 18; then
 			:
 		else

doc/changelog.txt

@@ -3,6 +3,26 @@ HEAD
 ====
 
 
+v3.4 (2019-09-06)
+=================
+Enhancements:
+- support for up to Linux 5.3
+- xt_PROTO module
+
+
+v3.3 (2019-03-07)
+=================
+Enhancements:
+- support for Linux 5.0
+
+
+v3.2 (2018-09-07)
+=================
+Changes:
+- rework xt_geoip_build to scan the immediate directory for .csv,
+  not to scan for GeoLite2-Country-CSV_\d+.
+
+
 v3.1 (2018-08-14)
 =================
 Enhancements:

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -40,6 +40,9 @@
 #error "ipt_ACCOUNT needs at least a PAGE_SIZE of 4096"
 #endif
 
+static unsigned int max_tables_limit = 128;
+module_param(max_tables_limit, uint, 0);
+
 /**
  * Internal table structure, generated by check_entry()
  * @name:	name of the table
@@ -185,7 +188,7 @@ static int ipt_acc_table_insert(struct ipt_acc_table *ipt_acc_tables,
 		name, NIPQUAD(ip), NIPQUAD(netmask));
 
 	/* Look for existing table */
-	for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
+	for (i = 0; i < max_tables_limit; i++) {
 		if (strncmp(ipt_acc_tables[i].name, name,
 		    ACCOUNT_TABLE_NAME_LEN) == 0) {
 			pr_debug("ACCOUNT: Found existing slot: %d - "
@@ -209,7 +212,7 @@ static int ipt_acc_table_insert(struct ipt_acc_table *ipt_acc_tables,
 	}
 
 	/* Insert new table */
-	for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
+	for (i = 0; i < max_tables_limit; i++) {
 		/* Found free slot */
 		if (ipt_acc_tables[i].name[0] == 0) {
 			unsigned int netsize = 0;
@@ -258,7 +261,7 @@ static int ipt_acc_table_insert(struct ipt_acc_table *ipt_acc_tables,
 
 	/* No free slot found */
 	printk("ACCOUNT: No free table slot found (max: %d). "
-		"Please increase ACCOUNT_MAX_TABLES.\n", ACCOUNT_MAX_TABLES);
+		"Please increase the \"max_tables_limit\" module parameter.\n", max_tables_limit);
 	return -1;
 }
 
@@ -299,7 +302,7 @@ static void ipt_acc_destroy(const struct xt_tgdtor_param *par)
 	info->table_nr = -1;	/* Set back to original state */
 
 	/* Look for table */
-	for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
+	for (i = 0; i < max_tables_limit; i++) {
 		if (strncmp(ian->ipt_acc_tables[i].name, info->table_name,
 		    ACCOUNT_TABLE_NAME_LEN) == 0) {
 			pr_debug("ACCOUNT: Found table at slot: %d\n", i);
@@ -604,12 +607,12 @@ static int ipt_acc_handle_prepare_read(struct ipt_acc_table *ipt_acc_tables,
 	int table_nr = -1;
 	uint8_t depth;
 
-	for (table_nr = 0; table_nr < ACCOUNT_MAX_TABLES; table_nr++)
+	for (table_nr = 0; table_nr < max_tables_limit; table_nr++)
 		if (strncmp(ipt_acc_tables[table_nr].name, tablename,
 		    ACCOUNT_TABLE_NAME_LEN) == 0)
 			break;
 
-	if (table_nr == ACCOUNT_MAX_TABLES) {
+	if (table_nr == max_tables_limit) {
 		printk("ACCOUNT: ipt_acc_handle_prepare_read(): "
 			"Table %s not found\n", tablename);
 		return -1;
@@ -707,12 +710,12 @@ static int ipt_acc_handle_prepare_read_flush(struct ipt_acc_table *ipt_acc_table
 	int table_nr;
 	void *new_data_page;
 
-	for (table_nr = 0; table_nr < ACCOUNT_MAX_TABLES; table_nr++)
+	for (table_nr = 0; table_nr < max_tables_limit; table_nr++)
 		if (strncmp(ipt_acc_tables[table_nr].name, tablename,
 		    ACCOUNT_TABLE_NAME_LEN) == 0)
 			break;
 
-	if (table_nr == ACCOUNT_MAX_TABLES) {
+	if (table_nr == max_tables_limit) {
 		printk("ACCOUNT: ipt_acc_handle_prepare_read_flush(): "
 			"Table %s not found\n", tablename);
 		return -1;
@@ -1052,7 +1055,7 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 		spin_lock_bh(&ian->ipt_acc_lock);
 
 		/* Determine size of table names */
-		for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
+		for (i = 0; i < max_tables_limit; i++) {
 			if (ian->ipt_acc_tables[i].name[0] != 0)
 				size += strlen(ian->ipt_acc_tables[i].name) + 1;
 		}
@@ -1067,7 +1070,7 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 		}
 		/* Copy table names to userspace */
 		tnames = ian->ipt_acc_tmpbuf;
-		for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
+		for (i = 0; i < max_tables_limit; i++) {
 			if (ian->ipt_acc_tables[i].name[0] != 0) {
 				name_len = strlen(ian->ipt_acc_tables[i].name) + 1;
 				memcpy(tnames, ian->ipt_acc_tables[i].name, name_len);
@@ -1100,7 +1103,7 @@ static int __net_init ipt_acc_net_init(struct net *net)
 	memset(ian, 0, sizeof(*ian));
 	sema_init(&ian->ipt_acc_userspace_mutex, 1);
 
-	ian->ipt_acc_tables = kcalloc(ACCOUNT_MAX_TABLES,
+	ian->ipt_acc_tables = kcalloc(max_tables_limit,
 		sizeof(struct ipt_acc_table), GFP_KERNEL);
 	if (ian->ipt_acc_tables == NULL) {
 		printk("ACCOUNT: Out of memory allocating account_tables structure");

extensions/ACCOUNT/xt_ACCOUNT.h

@@ -34,7 +34,6 @@
 #define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (SO_ACCOUNT_BASE_CTL + 8)
 #define IPT_SO_GET_ACCOUNT_MAX	  IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
 
-#define ACCOUNT_MAX_TABLES 128
 #define ACCOUNT_TABLE_NAME_LEN 32
 #define ACCOUNT_MAX_HANDLES 10
 

extensions/Kbuild

@@ -13,6 +13,7 @@ obj-${build_DNETMAP}     += xt_DNETMAP.o
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
+obj-${build_PROTO}       += xt_PROTO.o
 obj-${build_SYSRQ}       += xt_SYSRQ.o
 obj-${build_TARPIT}      += xt_TARPIT.o
 obj-${build_condition}   += xt_condition.o

extensions/Mbuild

@@ -8,6 +8,7 @@ obj-${build_DNETMAP}     += libxt_DNETMAP.so
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
+obj-${build_PROTO}       += libxt_PROTO.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
 obj-${build_condition}   += libxt_condition.so

extensions/libxt_PROTO.c

@@ -0,0 +1,105 @@
+/*
+ * PROTO Target module
+ * This program is distributed under the terms of GNU GPL
+ */
+#include <stdio.h>
+#include <xtables.h>
+#include "xt_PROTO.h"
+
+enum {
+	O_PROTO_SET = 0,
+	O_PROTO_STOP_AT_FRAG = 1,
+	O_PROTO_STOP_AT_AUTH = 2,
+	F_PROTO_SET = 1 << O_PROTO_SET,
+	F_PROTO_STOP_AT_FRAG = 1 << O_PROTO_STOP_AT_FRAG,
+	F_PROTO_STOP_AT_AUTH = 1 << O_PROTO_STOP_AT_AUTH,
+};
+
+#define s struct xt_PROTO_info
+static const struct xt_option_entry PROTO_opts[] = {
+	{.name = "proto-set", .type = XTTYPE_UINT8, .id = O_PROTO_SET,
+	 .flags = XTOPT_PUT | XTOPT_MAND, XTOPT_POINTER(s, proto)},
+	{.name = "stop-at-frag", .type = XTTYPE_NONE, .id = O_PROTO_STOP_AT_FRAG},
+	{.name = "stop-at-auth", .type = XTTYPE_NONE, .id = O_PROTO_STOP_AT_AUTH},
+	XTOPT_TABLEEND,
+};
+#undef s
+
+static void PROTO_help(void)
+{
+	printf(
+"PROTO target options\n"
+"  --proto-set value		Set protocol to <value 0-255>\n"
+	);
+}
+
+static void PROTO_parse(struct xt_option_call *cb)
+{
+	struct xt_PROTO_info *info = cb->data;
+
+	xtables_option_parse(cb);
+	switch (cb->entry->id) {
+	case O_PROTO_SET:
+		info->mode |= 1 << XT_PROTO_SET;
+		break;
+	case O_PROTO_STOP_AT_FRAG:
+		info->mode |= 1 << XT_PROTO_STOP_AT_FRAG;
+		break;
+	case O_PROTO_STOP_AT_AUTH:
+		info->mode |= 1 << XT_PROTO_STOP_AT_AUTH;
+		break;
+	}
+}
+
+static void PROTO_check(struct xt_fcheck_call *cb)
+{
+	if (!(cb->xflags & F_PROTO_SET))
+		xtables_error(PARAMETER_PROBLEM,
+				"PROTO: You must specify the proto to be set");
+}
+
+static void PROTO_save(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_PROTO_info *info = (void *)target->data;
+
+	if (info->mode & (1 << XT_PROTO_SET))
+		printf(" --proto-set %u", info->proto);
+	if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
+		printf(" --stop-at-frag");
+	if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
+		printf(" --stop-at-auth");
+}
+
+static void PROTO_print(const void *ip, const struct xt_entry_target *target,
+                     int numeric)
+{
+	const struct xt_PROTO_info *info = (void *)target->data;
+
+	printf(" PROTO ");
+	if (info->mode & (1 << XT_PROTO_SET))
+		printf("set to %u", info->proto);
+	if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
+		printf(" stop-at-frag");
+	if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
+		printf(" stop-at-auth");
+}
+
+static struct xtables_target proto_tg_reg = {
+	.name 		= "PROTO",
+	.version	= XTABLES_VERSION,
+	.family		= NFPROTO_UNSPEC,
+	.size		= XT_ALIGN(sizeof(struct xt_PROTO_info)),
+	.userspacesize	= XT_ALIGN(sizeof(struct xt_PROTO_info)),
+	.help		= PROTO_help,
+	.print		= PROTO_print,
+	.save		= PROTO_save,
+	.x6_parse	= PROTO_parse,
+	.x6_fcheck	= PROTO_check,
+	.x6_options	= PROTO_opts,
+};
+
+static __attribute__((constructor)) void _init(void)
+{
+	xtables_register_target(&proto_tg_reg);
+
+}

extensions/libxt_PROTO.man

@@ -0,0 +1,30 @@
+.PP
+The PROTO target modifies the protocol number in IP packet header.
+.TP
+\fB\-\-proto-set\fP \fIproto_num\fP
+This option is mandatory. \fIproto_num\fP is the protocol number to which you want to
+modify the packets.
+.TP
+\fB\-\-stop-at-frag\fP
+This option is only valid for IPv6 rules. When specifying this option, the
+fragment extension header will be seen as a non-extension header.
+.TP
+\fB\-\-stop-at-auth\fP
+This option is only valid for IPv6 rules. When specifying this option, the
+authentication extension header will be seen as a non-extension header.
+.PP
+For IPv4 packets, the \fBProtocol\fP field is modified and the checksum is
+re-calculated.
+.PP
+For IPv6 packets, the scenario can be more complex due to the introduction of
+the extension headers mechanism. By default, the PROTO target will scan the IPv6
+packet, finding the last extension header and modify its \fBNext-header\fP field.
+Normally, the following headers will be seen as an extension header:
+\fINEXTHDR_HOP\fP,
+\fINEXTHDR_ROUTING\fP,
+\fINEXTHDR_FRAGMENT\fP,
+\fINEXTHDR_AUTH\fP,
+\fINEXTHDR_DEST\fP.
+.PP
+For fragmented packets, only the first fragment is processed and other fragments
+are not touched.

extensions/libxt_geoip.c

@@ -180,7 +180,7 @@ check_geoip_cc(char *cc, u_int16_t cc_used[], u_int8_t count)
 			cc[i] = toupper(cc[i]);
 		else
 			xtables_error(PARAMETER_PROBLEM,
-				"geoip:  invalid country code '%s'", cc);
+				"geoip: invalid country code '%s'", cc);
 
 	/* Convert chars into a single 16 bit integer.
 	 * FIXME:	This assumes that a country code is

extensions/pknock/xt_pknock.c

@@ -1125,7 +1125,6 @@ static int __init xt_pknock_mt_init(void)
 
 	crypto.size = crypto_shash_digestsize(crypto.tfm);
 	crypto.desc.tfm = crypto.tfm;
-	crypto.desc.flags = 0;
 
 	pde = proc_mkdir("xt_pknock", init_net.proc_net);
 	if (pde == NULL) {

extensions/xt_DHCPMAC.c

@@ -96,7 +96,8 @@ dhcpmac_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	struct udphdr udpbuf, *udph;
 	unsigned int i;
 
-	if (!skb_make_writable(skb, 0))
+	if (skb_ensure_writable(skb, ip_hdrlen(skb) + sizeof(udpbuf) +
+				     sizeof(dhcpbuf)))
 		return NF_DROP;
 
 	udph = skb_header_pointer(skb, ip_hdrlen(skb),

extensions/xt_PROTO.c

@@ -0,0 +1,156 @@
+/*
+ * Protocol modification target for IP tables
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <net/ipv6.h>
+#include <net/checksum.h>
+#include <linux/netfilter/x_tables.h>
+#include "xt_PROTO.h"
+
+MODULE_AUTHOR("Shanker Wang <i@innull.com>");
+MODULE_DESCRIPTION("Xtables: Protocol field modification target");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+proto_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	struct iphdr *iph;
+	const struct xt_PROTO_info *info = par->targinfo;
+	int new_proto;
+
+	if (skb_ensure_writable(skb, skb->len))
+		return NF_DROP;
+
+	iph = ip_hdr(skb);
+	new_proto = iph->protocol;
+	if (info->mode & (1 << XT_PROTO_SET))
+		new_proto = info->proto;
+	if (new_proto != iph->protocol) {
+		csum_replace2(&iph->check, htons(iph->protocol & 0xff),
+		              htons(new_proto & 0xff));
+		iph->protocol = new_proto;
+	}
+
+	return XT_CONTINUE;
+}
+
+static unsigned int
+proto_tg6(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	struct ipv6hdr *ip6h;
+	const struct xt_PROTO_info *info = par->targinfo;
+	u8 *nexthdr;
+	unsigned int hdr_offset;
+	__be16 *fp;
+
+	if (skb_ensure_writable(skb, skb->len))
+		return NF_DROP;
+
+	ip6h = ipv6_hdr(skb);
+	nexthdr = &ip6h->nexthdr;
+	hdr_offset = sizeof(struct ipv6hdr);
+
+	for (;;) {
+		struct ipv6_opt_hdr _opthdr, *opthp;
+		unsigned int hdrlen;
+		unsigned short _frag_off;
+		if (!ipv6_ext_hdr(*nexthdr) || *nexthdr == NEXTHDR_NONE)
+			break;
+		opthp = skb_header_pointer(skb, skb_network_offset(skb) + hdr_offset, sizeof(_opthdr), &_opthdr);
+		if (!opthp)
+			return NF_DROP;
+		if (*nexthdr == NEXTHDR_FRAGMENT) {
+			if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
+				break;
+			fp = skb_header_pointer(skb, skb_network_offset(skb) +
+			     hdr_offset + offsetof(struct frag_hdr, frag_off),
+			     sizeof(_frag_off), &_frag_off);
+			if (!fp)
+				return NF_DROP;
+			_frag_off = ntohs(*fp) & ~0x7;
+			if (_frag_off) { // if the packet is not the first fragment
+				if (!ipv6_ext_hdr(opthp->nexthdr) || opthp->nexthdr == NEXTHDR_NONE ||
+				    (info->mode & (1 << XT_PROTO_STOP_AT_AUTH) && opthp->nexthdr == NEXTHDR_AUTH)) {
+					nexthdr = &((struct ipv6_opt_hdr *)(skb_network_header(skb) + hdr_offset))->nexthdr;
+					break;
+				} else {
+					return XT_CONTINUE;
+				}
+			}
+			hdrlen = 8;
+		} else if(*nexthdr == NEXTHDR_AUTH) {
+			if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
+				break;
+			hdrlen = (opthp->hdrlen + 2) << 2;
+		} else {
+			hdrlen = ipv6_optlen(opthp);
+		}
+		nexthdr = &((struct ipv6_opt_hdr *)(skb_network_header(skb) + hdr_offset))->nexthdr;
+		hdr_offset += hdrlen;
+	}
+	
+	if (info->mode & (1 << XT_PROTO_SET))
+		*nexthdr = info->proto;
+	return XT_CONTINUE;
+}
+
+static int proto_tg_check(const struct xt_tgchk_param *par)
+{
+	const struct xt_PROTO_info *info = par->targinfo;
+
+	if ((info->mode & (1 << XT_PROTO_SET)) == 0) {
+		pr_info_ratelimited("Did not specify any proto to set\n");
+		return -EINVAL;
+	}
+	if (par->family != NFPROTO_IPV6 && (info->mode & ((1 << XT_PROTO_STOP_AT_FRAG) | (1 << XT_PROTO_STOP_AT_AUTH))) != 0) {
+		pr_info_ratelimited("Must not specify stop-at-frag and stop-at-auth on non-ipv6 targets\n");
+		return -EPROTOTYPE;
+	}
+	return 0;
+}
+
+static struct xt_target proto_tg_reg[] __read_mostly = {
+	{
+		.name       = "PROTO",
+		.revision   = 0,
+		.family     = NFPROTO_IPV4,
+		.target     = proto_tg,
+		.targetsize = sizeof(struct xt_PROTO_info),
+		.table      = "mangle",
+		.checkentry = proto_tg_check,
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "PROTO",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.target     = proto_tg6,
+		.targetsize = sizeof(struct xt_PROTO_info),
+		.table      = "mangle",
+		.checkentry = proto_tg_check,
+		.me         = THIS_MODULE,
+	},
+};
+
+static int __init proto_tg_init(void)
+{
+	return xt_register_targets(proto_tg_reg, ARRAY_SIZE(proto_tg_reg));
+}
+
+static void __exit proto_tg_exit(void)
+{
+	xt_unregister_targets(proto_tg_reg, ARRAY_SIZE(proto_tg_reg));
+}
+
+module_init(proto_tg_init);
+module_exit(proto_tg_exit);
+MODULE_ALIAS("ipt_PROTO");
+MODULE_ALIAS("ip6t_PROTO");

extensions/xt_PROTO.h

@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/* Protocol modification module for IP tables */
+
+#ifndef _XT_PROTO_H
+#define _XT_PROTO_H
+
+#include <linux/types.h>
+
+enum {
+	XT_PROTO_SET = 0,
+	XT_PROTO_STOP_AT_FRAG = 1,
+	XT_PROTO_STOP_AT_AUTH = 2
+};
+
+struct xt_PROTO_info {
+	__u8	mode;
+	__u8	proto;
+};
+
+#endif

extensions/xt_SYSRQ.c

@@ -114,7 +114,6 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 	}
 
 	desc.tfm   = sysrq_tfm;
-	desc.flags = 0;
 	ret = crypto_shash_init(&desc);
 	if (ret != 0)
 		goto hash_fail;
@@ -314,7 +313,7 @@ static void sysrq_crypto_exit(void)
 static int __init sysrq_crypto_init(void)
 {
 #if defined(WITH_CRYPTO)
-	struct timeval now;
+	struct timespec64 now;
 	int ret;
 
 	sysrq_tfm = crypto_alloc_shash(sysrq_hash, 0, 0);
@@ -339,7 +338,7 @@ static int __init sysrq_crypto_init(void)
 		    sizeof(sysrq_password), GFP_KERNEL);
 	if (sysrq_digest_password == NULL)
 		goto fail;
-	do_gettimeofday(&now);
+	ktime_get_real_ts64(&now);
 	sysrq_seqno = now.tv_sec;
 	return 0;
 

geoip/xt_geoip_build

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-#	Converter for MaxMind CSV database to binary, for xt_geoip
+#	Converter for MaxMind (GeoLite2) CSV database to binary, for xt_geoip
 #	Copyright Jan Engelhardt, 2008-2011
 #	Copyright Philip Prindeville, 2018
 #
@@ -16,53 +16,37 @@ my $csv = Text::CSV_XS->new({
 	binary => 1,
 	eol => $/,
 }); # or Text::CSV
+my $source_dir = ".";
 my $target_dir = ".";
 
 &Getopt::Long::Configure(qw(bundling));
 &GetOptions(
 	"D=s" => \$target_dir,
+	"S=s" => \$source_dir,
 );
 
+if (!-d $source_dir) {
+	print STDERR "Source directory \"$source_dir\" does not exist.\n";
+	exit 1;
+}
 if (!-d $target_dir) {
-	print STDERR "Target directory $target_dir does not exist.\n";
+	print STDERR "Target directory \"$target_dir\" does not exist.\n";
 	exit 1;
 }
 
 my %countryId;
 my %countryName;
-
-my $dir = findVersion();
-
 &loadCountries();
-
 &dump(&collect());
 
-sub findVersion
-{
-	my @dirs = ();
-
-	opendir(my $dh, '.') || die "Can't open .: $!\n";
-
-	while (readdir $dh) {
-		if ($_ =~ m/^GeoLite2-Country-CSV_\d{8}$/) {
-			push(@dirs, $_);
-		}
-	}
-	closedir $dh;
-
-	@dirs = sort @dirs;
-	return pop(@dirs);
-}
-
 sub loadCountries
 {
-	my $file = "$dir/GeoLite2-Country-Locations-en.csv";
-
 	sub id; sub cc; sub long; sub ct; sub cn;
 
 	%countryId = ();
 	%countryName = ();
 
+	my $file = "$source_dir/GeoLite2-Country-Locations-en.csv";
 	open(my $fh, '<', $file) || die "Couldn't open list country names\n";
 
 	# first line is headers
@@ -152,8 +136,7 @@ sub collect
 		};
 	}
 
-	$file = "$dir/GeoLite2-Country-Blocks-IPv4.csv";
-
+	$file = "$source_dir/GeoLite2-Country-Blocks-IPv4.csv";
 	open($fh, '<', $file) || die "Can't open IPv4 database\n";
 
 	# first line is headers
@@ -194,8 +177,7 @@ sub collect
 	# clean up the namespace
 	undef &net; undef &id; undef &rid; undef &proxy; undef &sat;
 
-	$file = "$dir/GeoLite2-Country-Blocks-IPv6.csv";
-
+	$file = "$source_dir/GeoLite2-Country-Blocks-IPv6.csv";
 	open($fh, '<', $file) || die "Can't open IPv6 database\n";
 
 	# first line is headers
@@ -281,4 +263,3 @@ sub writeCountry
 	}
 	close $fh;
 }
-

geoip/xt_geoip_build.1

@@ -5,7 +5,7 @@ xt_geoip_build \(em convert GeoIP.csv to packed format for xt_geoip
 .SH Syntax
 .PP
 \fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_build\fP [\fB\-D\fP
-\fItarget_dir\fP]
+\fItarget_dir\fP] [\fB\-S\fP \fIsource_dir\fP]
 .SH Description
 .PP
 xt_geoip_build is used to build packed raw representations of the range
@@ -16,20 +16,19 @@ required to be loaded into memory. The ranges in the packed database files are
 also ordered, as xt_geoip relies on this property for its bisection approach to
 work.
 .PP
-It expects to find a directory named
-.IR GeoLite2-Country-CSV_YYYYMMDD
-in the current directory, and will select the most recent if multiple
-instances are found.  The
-.IR xt_geoip_dl
-script can be used to populate this directory.
-.PP
 Since the script is usually installed to the libexec directory of the
 xtables-addons package and this is outside $PATH (on purpose), invoking the
 script requires it to be called with a path.
 .PP Options
 .TP
 \fB\-D\fP \fItarget_dir\fP
-Specify a target directory into which the files are to be put.
+Specifies the target directory into which the files are to be put. Defaults to ".".
+.TP
+\fB\-S\fP \fIsource_dir\fP
+Specifies the source directory from which to read the three files by the name
+of \fBGeoLite2\-Country\-Blocks\-IPv4.csv\fP,
+\fBGeoLite2\-Country\-Blocks\-IPv6.csv\fP and
+\fBGeoLite2\-Country\-Locations\-en.csv\fP. Defaults to ".".
 .SH Application
 .PP
 Shell commands to build the databases and put them to where they are expected:

mconfig

@@ -8,6 +8,7 @@ build_DNETMAP=m
 build_ECHO=m
 build_IPMARK=m
 build_LOGMARK=m
+build_PROTO=m
 build_SYSRQ=m
 build_TARPIT=m
 build_condition=m

sources

@@ -1,3 +0,0 @@
-#
-# Source URLs for external patchlets
-#

xa-download-more

@@ -1,83 +0,0 @@
-#!/usr/bin/perl -w
-
-use HTTP::Request;
-use LWP::UserAgent;
-use strict;
-
-&main(\@ARGV);
-
-sub main
-{
-	local *FH;
-
-	if (!-d "downloads") {
-		if (!mkdir("downloads")) {
-			die "Could not create downloads/ directory";
-		}
-	}
-
-	open(FH, "<sources");
-	while (defined($_ = <FH>)) {
-		chomp $_;
-		$_ =~ s/#.*//gs;
-		$_ =~ s/^\s+|\s+$//gs;
-		if (length($_) == 0) {
-			next;
-		}
-		&process_index($_);
-	}
-
-	close FH;
-}
-
-sub process_index
-{
-	my $top = shift @_;
-	my($agent, $res, $url);
-	local *FH;
-
-	$agent = LWP::UserAgent->new();
-	$agent->env_proxy();
-
-	$url = &slash_remove("$top/xa-index.txt");
-	print "  GET     $url\n";
-	$res = $agent->get($url);
-	if (!$res->is_success()) {
-		print STDERR "  `->     ", $res->status_line(), "\n";
-		return;
-	}
-
-	foreach my $ext (split(/\s+/, $res->content())) {
-		my($ex_url, $ex_res);
-
-		$ex_url = &slash_remove("$top/$ext");
-		print "  GET     $ex_url\n";
-
-		$ex_res = $agent->mirror($ex_url, "downloads/$ext");
-		if ($ex_res->code() == 304) {
-			# "Not modified" = up to date
-			next;
-		}
-		if (!$ex_res->is_success()) {
-			print STDERR "  `->     ", $ex_res->status_line(), "\n";
-			next;
-		}
-
-		print "  UNPACK  downloads/$ext\n";
-		system "tar", "-xjf", "downloads/$ext";
-	}
-}
-
-sub slash_remove
-{
-	my $s = shift @_;
-	$s =~ s{(\w+://)(.*)}{$1.&slash_remove2($2)}eg;
-	return $s;
-}
-
-sub slash_remove2
-{
-	my $s = shift @_;
-	$s =~ s{/+}{/}g;
-	return $s;
-}

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "Windows" "" "v3.1 (2018-08-14)"
+.TH xtables-addons 8 "" "" "v3.4 (2019-09-06)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets