Merge branch 'master' of ssh://git.code.sf.net/u/jeffcarlson72/xtables-addons

The LT library name is libxt_ACCOUNT_cl.la, so the variable should be
`libxt_ACCOUNT_cl_la_LDFLAGS`.

Fixes: 81ab0b9586 ("libxt_ACCOUNT_cl: drop padding holes from struct ipt_ACCOUNT_context")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

INSTALL

@@ -23,6 +23,9 @@ Supported configurations for this release
 
 (Use xtables-addons-1.x if you need support for Linux < 3.7.
 Use xtables-addons-2.x if you need support for Linux < 4.15.)
+Note: xtables-addons regularly fails to build with patched-to-death
+kernels like on RHEL or SLES because the API does not match
+LINUX_KERNEL_VERSION anymore.
 
 
 Selecting extensions

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.13])
+AC_INIT([xtables-addons], [3.18])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -57,7 +57,7 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 10; then
+		if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 11; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
 		elif test "$kmajor" -eq 5 -a "$kminor" -ge 0; then
 			:

doc/changelog.txt

@@ -1,3 +1,33 @@
+v3.18 (2021-03-11)
+==================
+- xt_pknock: fix a build failure on ARM 32-bit
+
+
+v3.17 (2021-02-28)
+==================
+- xt_pknock: cure a NULL deref
+
+
+v3.16 (2021-02-24)
+==================
+- xt_pknock: build fix for ILP32 targets
+
+
+v3.15 (2021-02-05)
+==================
+- xt_ECHO: support new function signature of security_skb_classify_flow
+- xt_lscan: add --mirai option
+- Support for Linux 5.11
+
+
+v3.14 (2020-11-24)
+==================
+- DELUDE, ECHO, TARPIT: use actual tunnel socket (ip_route_me_harder).
+- geoip: scripts for use with MaxMind DB have been brought back,
+  partly under new names.
+- Gave xt_geoip_fetch a more fitting name, xt_geoip_query.
+
+
 v3.13 (2020-11-20)
 ==================
 - Support for Linux 4.19.158 and 5.4.78 (ip_route_me_harder)

extensions/ACCOUNT/Makefile.am

@@ -9,5 +9,6 @@ sbin_PROGRAMS = iptaccount
 iptaccount_LDADD = libxt_ACCOUNT_cl.la
 
 lib_LTLIBRARIES = libxt_ACCOUNT_cl.la
+libxt_ACCOUNT_cl_la_LDFLAGS = -version-info 1:0:0
 
 man_MANS = iptaccount.8

extensions/ACCOUNT/libxt_ACCOUNT_cl.h

@@ -7,10 +7,7 @@
  *   version 2.1 as published by the Free Software Foundation;             *
  *                                                                         *
  ***************************************************************************/
-
-#ifndef _xt_ACCOUNT_cl_H
-#define _xt_ACCOUNT_cl_H
-
+#pragma once
 #include <xt_ACCOUNT.h>
 
 #define LIBXT_ACCOUNT_VERSION "1.3"
@@ -23,9 +20,8 @@ struct ipt_ACCOUNT_context
 	int sockfd;
 	struct ipt_acc_handle_sockopt handle;
 
-	unsigned int data_size;
+	unsigned int data_size, pos;
 	void *data;
-	unsigned int pos;
 
 	char *error_str;
 };
@@ -55,6 +51,3 @@ const char *ipt_ACCOUNT_get_next_name(struct ipt_ACCOUNT_context *ctx);
 #ifdef __cplusplus
 }
 #endif
-
-
-#endif

extensions/ACCOUNT/xt_ACCOUNT.h

@@ -7,9 +7,7 @@
  *   version 2 as published by the Free Software Foundation;               *
  *                                                                         *
  ***************************************************************************/
-
-#ifndef _IPT_ACCOUNT_H
-#define _IPT_ACCOUNT_H
+#pragma once
 
 /*
  * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
@@ -39,8 +37,7 @@
 
 /* Structure for the userspace part of ipt_ACCOUNT */
 struct ipt_acc_info {
-	__be32 net_ip;
-	__be32 net_mask;
+	__be32 net_ip, net_mask;
 	char table_name[ACCOUNT_TABLE_NAME_LEN];
 	int32_t table_nr;
 };
@@ -59,10 +56,5 @@ struct ipt_acc_handle_sockopt {
 */
 struct ipt_acc_handle_ip {
 	__be32 ip, __dummy;
-	uint64_t src_packets;
-	uint64_t src_bytes;
-	uint64_t dst_packets;
-	uint64_t dst_bytes;
+	uint64_t src_packets, src_bytes, dst_packets, dst_bytes;
 };
-
-#endif /* _IPT_ACCOUNT_H */

extensions/compat_skbuff.h

@@ -1,6 +1,4 @@
-#ifndef COMPAT_SKBUFF_H
-#define COMPAT_SKBUFF_H 1
-
+#pragma once
 struct tcphdr;
 struct udphdr;
 
@@ -12,5 +10,3 @@ struct udphdr;
 #else
 #	define skb_secmark(skb) 0
 #endif
-
-#endif /* COMPAT_SKBUFF_H */

extensions/compat_user.h

@@ -1,12 +1,8 @@
 /*
  *	Userspace-level compat hacks
  */
-#ifndef _XTABLES_COMPAT_USER_H
-#define _XTABLES_COMPAT_USER_H 1
-
+#pragma once
 /* linux-glibc-devel 2.6.34 header screwup */
 #ifndef ALIGN
 #	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
 #endif
-
-#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -23,7 +23,6 @@
 #include <net/route.h>
 #include <linux/export.h>
 #include "compat_skbuff.h"
-#include "compat_xtnu.h"
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 #	define WITH_IPV6 1
 #endif

extensions/compat_xtables.h

@@ -1,10 +1,7 @@
-#ifndef _XTABLES_COMPAT_H
-#define _XTABLES_COMPAT_H 1
-
+#pragma once
 #include <linux/kernel.h>
 #include <linux/version.h>
 #include "compat_skbuff.h"
-#include "compat_xtnu.h"
 
 #define DEBUGP Use__pr_debug__instead
 
@@ -48,4 +45,4 @@ static inline struct net *par_net(const struct xt_action_param *par)
 #	define proc_release release
 #endif
 
-#endif /* _XTABLES_COMPAT_H */
+extern void *HX_memmem(const void *, size_t, const void *, size_t);

extensions/compat_xtnu.h

@@ -1,67 +0,0 @@
-#ifndef _COMPAT_XTNU_H
-#define _COMPAT_XTNU_H 1
-
-#include <linux/netfilter/x_tables.h>
-
-struct module;
-struct sk_buff;
-
-struct xtnu_match {
-	/*
-	 * Making it smaller by sizeof(void *) on purpose to catch
-	 * lossy translation, if any.
-	 */
-	char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
-	uint8_t revision;
-	bool (*match)(const struct sk_buff *, struct xt_action_param *);
-	int (*checkentry)(const struct xt_mtchk_param *);
-	void (*destroy)(const struct xt_mtdtor_param *);
-	struct module *me;
-	const char *table;
-	unsigned int matchsize, hooks;
-	unsigned short proto, family;
-
-	void *__compat_match;
-};
-
-struct xtnu_target {
-	char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
-	uint8_t revision;
-	unsigned int (*target)(struct sk_buff **,
-		const struct xt_action_param *);
-	int (*checkentry)(const struct xt_tgchk_param *);
-	void (*destroy)(const struct xt_tgdtor_param *);
-	struct module *me;
-	const char *table;
-	unsigned int targetsize, hooks;
-	unsigned short proto, family;
-
-	void *__compat_target;
-};
-
-static inline struct xtnu_match *xtcompat_numatch(const struct xt_match *m)
-{
-	void *q;
-	memcpy(&q, m->name + sizeof(m->name) - sizeof(void *), sizeof(void *));
-	return q;
-}
-
-static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
-{
-	void *q;
-	memcpy(&q, t->name + sizeof(t->name) - sizeof(void *), sizeof(void *));
-	return q;
-}
-
-extern int xtnu_register_match(struct xtnu_match *);
-extern void xtnu_unregister_match(struct xtnu_match *);
-extern int xtnu_register_matches(struct xtnu_match *, unsigned int);
-extern void xtnu_unregister_matches(struct xtnu_match *, unsigned int);
-extern int xtnu_register_target(struct xtnu_target *);
-extern void xtnu_unregister_target(struct xtnu_target *);
-extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
-extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
-
-extern void *HX_memmem(const void *, size_t, const void *, size_t);
-
-#endif /* _COMPAT_XTNU_H */

extensions/libxt_lscan.c

@@ -24,6 +24,7 @@ static const struct option lscan_mt_opts[] = {
 	{.name = "synscan", .has_arg = false, .val = 's'},
 	{.name = "cnscan",  .has_arg = false, .val = 'c'},
 	{.name = "grscan",  .has_arg = false, .val = 'g'},
+	{.name = "mirai",   .has_arg = false, .val = 'm'},
 	{NULL},
 };
 
@@ -35,7 +36,8 @@ static void lscan_mt_help(void)
 		"  --stealth    Match TCP Stealth packets\n"
 		"  --synscan    Match TCP SYN scans\n"
 		"  --cnscan     Match TCP Connect scans\n"
-		"  --grscan     Match Banner Grabbing scans\n");
+		"  --grscan     Match Banner Grabbing scans\n"
+		"  --mirai      Match TCP scan with ISN = dest. IP\n");
 }
 
 static int lscan_mt_parse(int c, char **argv, int invert,
@@ -45,16 +47,19 @@ static int lscan_mt_parse(int c, char **argv, int invert,
 
 	switch (c) {
 	case 'c':
-		info->match_cn = true;
+		info->match_fl3 |= LSCAN_FL3_CN;
 		return true;
 	case 'g':
-		info->match_gr = true;
+		info->match_fl4 |= LSCAN_FL4_GR;
+		return true;
+	case 'm':
+		info->match_fl1 |= LSCAN_FL1_MIRAI;
 		return true;
 	case 's':
-		info->match_syn = true;
+		info->match_fl2 |= LSCAN_FL2_SYN;
 		return true;
 	case 'x':
-		info->match_stealth = true;
+		info->match_fl1 |= LSCAN_FL1_STEALTH;
 		return true;
 	}
 	return false;
@@ -68,14 +73,16 @@ static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 
-	if (info->match_stealth)
+	if (info->match_fl1 & LSCAN_FL1_STEALTH)
 		printf(" --stealth ");
-	if (info->match_syn)
+	if (info->match_fl2 & LSCAN_FL2_SYN)
 		printf(" --synscan ");
-	if (info->match_cn)
+	if (info->match_fl3 & LSCAN_FL3_CN)
 		printf(" --cnscan ");
-	if (info->match_gr)
+	if (info->match_fl4 & LSCAN_FL4_GR)
 		printf(" --grscan ");
+	if (info->match_fl1 & LSCAN_FL1_MIRAI)
+		printf(" --mirai ");
 }
 
 static void lscan_mt_print(const void *ip,

extensions/libxt_lscan.man

@@ -27,6 +27,11 @@ warranted single-direction data flows, usually bulk data transfers such as
 FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
 ports where a protocol runs that is guaranteed to do a bidirectional exchange
 of bytes.
+.TP
+\fB\-\-mirai\fP
+Match if the TCP ISN is equal to the IPv4 destination address; this is used
+by the devices in the Mirai botnet as a form of TCP SYN scan, so you will
+have to explicitly specify --syn for the rule.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
 so be advised to carefully use xt_lscan in conjunction with blocking rules,

extensions/libxt_quota2.c

@@ -70,7 +70,7 @@ quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
 		/* zero termination done on behalf of the kernel module */
 		xtables_param_act(XTF_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
 		xtables_param_act(XTF_NO_INVERT, "quota", "--name", invert);
-		strncpy(info->name, optarg, sizeof(info->name));
+		snprintf(info->name, sizeof(info->name), "%s", optarg);
 		*flags |= FL_NAME;
 		return true;
 	case 'p':

extensions/pknock/libxt_pknock.c

@@ -33,18 +33,23 @@ static const struct option pknock_mt_opts[] = {
 static void pknock_mt_help(void)
 {
 	printf("pknock match options:\n"
-		" --knockports port[,port,port,...]	"
-			"Matches destination port(s).\n"
-		" --time seconds\n"
+		"  --knockports port[,port[,port[,...]]]\n"
+			"\t\t\t\tMatches destination port(s).\n"
+		"  --time seconds		"
 			"Max allowed time between knocks.\n"
-		" --autoclose minutes\n"
+		"  --autoclose minutes		"
 			"Time after which to automatically close opened\n"
-			"\t\t\t\t\tport(s).\n"
-		" --strict				"
-			"Knocks sequence must be exact.\n"
-		" --name rule_name			"
+			"\t\t\t\tport(s).\n"
+		"  --name rule_name		"
 			"Rule name.\n"
-		" --checkip				"
+		"  --opensecret secret		"
+			"(UDP only) Secret to activate the rule.\n"
+		"  --closesecret secret		"
+			"(UDP only) Secret to deactivate the\n"
+			"\t\t\t\trule.\n"
+		"  --strict			"
+			"Knocks sequence must be exact.\n"
+		"  --checkip			"
 			"Matches if the source ip is in the list.\n"
 		);
 }

extensions/pknock/xt_pknock.c

@@ -247,12 +247,11 @@ pknock_seq_show(struct seq_file *s, void *v)
 			seq_printf(s, "expir_time=%lu [secs] ", time);
 		}
 		if (peer->status == ST_ALLOWED && rule->autoclose_time != 0) {
+			unsigned long x = ktime_get_seconds();
+			unsigned long y = peer->login_sec + rule->autoclose_time * 60;
 			time = 0;
-			if (time_before(get_seconds(), peer->login_sec +
-			    rule->autoclose_time * 60))
-				time = peer->login_sec +
-				       rule->autoclose_time * 60 -
-				       get_seconds();
+			if (time_before(x, y))
+				time = y - x;
 			seq_printf(s, "autoclose_time=%lu [secs] ", time);
 		}
 		seq_printf(s, "\n");
@@ -312,8 +311,12 @@ static void update_rule_gc_timer(struct xt_pknock_rule *rule)
 static inline bool
 autoclose_time_passed(const struct peer *peer, unsigned int autoclose_time)
 {
-	return peer != NULL && autoclose_time != 0 && time_after(get_seconds(),
-	       peer->login_sec + autoclose_time * 60);
+	unsigned long x, y;
+	if (peer == NULL || autoclose_time == 0)
+		return false;
+	x = ktime_get_seconds();
+	y = peer->login_sec + autoclose_time * 60;
+	return time_after(x, y);
 }
 
 /**
@@ -335,7 +338,12 @@ is_interknock_time_exceeded(const struct peer *peer, unsigned int max_time)
 static inline bool
 has_logged_during_this_minute(const struct peer *peer)
 {
-	return peer != NULL && peer->login_sec / 60 == get_seconds() / 60;
+	uint64_t x, y;
+	if (peer == NULL)
+		return 0;
+	x = ktime_get_seconds();
+	y = peer->login_sec;
+	return do_div(y, 60) == do_div(x, 60);
 }
 
 /**
@@ -709,6 +717,7 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 	unsigned int hexa_size;
 	int ret;
 	bool fret = false;
+	uint64_t x;
 	unsigned int epoch_min;
 
 	if (payload_len == 0)
@@ -727,7 +736,8 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 	hexresult = kzalloc(hexa_size, GFP_ATOMIC);
 	if (hexresult == NULL)
 		return false;
-	epoch_min = get_seconds() / 60;
+	x = ktime_get_seconds();
+	epoch_min = do_div(x, 60);
 
 	ret = crypto_shash_setkey(crypto.tfm, secret, secret_len);
 	if (ret != 0) {
@@ -826,7 +836,7 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info,
 	if (is_last_knock(peer, info)) {
 		peer->status = ST_ALLOWED;
 		pk_debug("ALLOWED", peer);
-		peer->login_sec = get_seconds();
+		peer->login_sec = ktime_get_seconds();
 		if (nl_multicast_group > 0)
 			msg_to_userspace_nl(info, peer, nl_multicast_group);
 		return true;

extensions/pknock/xt_pknock.h

@@ -8,9 +8,7 @@
  *
  * This program is released under the terms of GNU GPL version 2.
  */
-#ifndef _XT_PKNOCK_H
-#define _XT_PKNOCK_H
-
+#pragma once
 #define PKNOCK "xt_pknock: "
 
 enum {
@@ -47,5 +45,3 @@ struct xt_pknock_nl_msg {
 	char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
 	__be32 peer_ip;
 };
-
-#endif /* _XT_PKNOCK_H */

extensions/xt_CHAOS.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_CHAOS_H
-#define _LINUX_NETFILTER_XT_CHAOS_H 1
-
+#pragma once
 enum xt_chaos_target_variant {
 	XTCHAOS_NORMAL,
 	XTCHAOS_TARPIT,
@@ -10,5 +8,3 @@ enum xt_chaos_target_variant {
 struct xt_chaos_tginfo {
 	uint8_t variant;
 };
-
-#endif /* _LINUX_NETFILTER_XT_CHAOS_H */

extensions/xt_DELUDE.c

@@ -25,8 +25,8 @@
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
 
-static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook)
+static void delude_send_reset(struct sk_buff *oldskb,
+    const struct xt_action_param *par)
 {
 	struct tcphdr _otcph, *tcph;
 	const struct tcphdr *oth;
@@ -51,7 +51,8 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 		return;
 
 	/* Check checksum */
-	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+	if (nf_ip_checksum(oldskb, par->state->hook, ip_hdrlen(oldskb),
+	    IPPROTO_TCP))
 		return;
 
 	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
@@ -108,20 +109,21 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
-	if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+	if (par->state->hook != NF_INET_FORWARD ||
+	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
 	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev))
 #else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
+	if (par->state->hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev))
 #endif
 #else
-	if (hook != NF_INET_FORWARD)
+	if (par->state->hook != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 
 	/* ip_route_me_harder expects skb->dst to be set */
 	skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
-	if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
+	if (ip_route_me_harder(par_net(par), par->state->sk, nskb, addr_type))
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -134,8 +136,7 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
-
-	ip_local_out(net, nskb->sk, nskb);
+	ip_local_out(par_net(par), nskb->sk, nskb);
 	return;
 
  free_nskb:
@@ -150,7 +151,7 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	 * a problem, as that is supported since Linux 2.6.35. But since we do not
 	 * actually want to have a connection open, we are still going to drop it.
 	 */
-	delude_send_reset(par_net(par), skb, par->state->hook);
+	delude_send_reset(skb, par);
 	return NF_DROP;
 }
 

extensions/xt_DHCPMAC.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_DHCPMAC_H
-#define _LINUX_NETFILTER_XT_DHCPMAC_H 1
-
+#pragma once
 #define DH_MAC_FMT "%02X:%02X:%02X:%02X:%02X:%02X"
 #define DH_MAC_HEX(z) z[0], z[1], z[2], z[3], z[4], z[5]
 
@@ -8,5 +6,3 @@ struct dhcpmac_info {
 	unsigned char addr[ETH_ALEN];
 	uint8_t mask, invert;
 };
-
-#endif /* _LINUX_NETFILTER_XT_DHCPMAC_H */

extensions/xt_DNETMAP.c

@@ -19,9 +19,10 @@
  */
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#ifdef CONFIG_NF_NAT
 #include <linux/inet.h>
 #include <linux/ip.h>
-#include <linux/module.h>
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
@@ -36,12 +37,6 @@
 #include "compat_xtables.h"
 #include "xt_DNETMAP.h"
 
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
-MODULE_DESCRIPTION(
-	"Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
-MODULE_ALIAS("ipt_DNETMAP");
-
 static unsigned int default_ttl = 600;
 static unsigned int proc_perms = S_IRUGO | S_IWUSR;
 static unsigned int proc_uid;
@@ -921,6 +916,18 @@ static void __exit dnetmap_tg_exit(void)
 	xt_unregister_target(&dnetmap_tg_reg);
 	unregister_pernet_subsys(&dnetmap_net_ops);
 }
+#else /* CONFIG_NF_NAT */
+static int __init dnetmap_tg_init(void)
+{
+	pr_err("CONFIG_NF_NAT is not available in your kernel, hence this module cannot function.");
+	return -EINVAL;
+}
+static void __exit dnetmap_tg_exit(void) {}
+#endif
 
 module_init(dnetmap_tg_init);
 module_exit(dnetmap_tg_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
+MODULE_DESCRIPTION("Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
+MODULE_ALIAS("ipt_DNETMAP");

extensions/xt_DNETMAP.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_DNETMAP_H
-#define _LINUX_NETFILTER_XT_DNETMAP_H 1
-
+#pragma once
 #define DNETMAP_VERSION 2
 
 enum {
@@ -17,5 +15,3 @@ struct xt_DNETMAP_tginfo {
 	__u8 flags;
 	__s32 ttl;
 };
-
-#endif

extensions/xt_ECHO.c

@@ -97,7 +97,11 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 	memcpy(&fl.daddr, &newip->daddr, sizeof(fl.daddr));
 	fl.fl6_sport = newudp->source;
 	fl.fl6_dport = newudp->dest;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi_common(&fl));
+#else
 	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
+#endif
 	dst = ip6_route_output(net, NULL, &fl);
 	if (dst == NULL || dst->error != 0) {
 		dst_release(dst);
@@ -113,7 +117,7 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 		goto free_nskb;
 
 	nf_ct_attach(newskb, oldskb);
-	ip6_local_out(par_net(par), newskb->sk, newskb);
+	ip6_local_out(par_net(par), par->state->sk, newskb);
 	return NF_DROP;
 
  free_nskb:
@@ -191,7 +195,8 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
 
 	/* ip_route_me_harder expects the skb's dst to be set */
 	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
-	if (ip_route_me_harder(par_net(par), newskb->sk, newskb, RTN_UNSPEC) != 0)
+	if (ip_route_me_harder(par_net(par), par->state->sk, newskb,
+	    RTN_UNSPEC) != 0)
 		goto free_nskb;
 
 	newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));

extensions/xt_IPMARK.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_IPMARK_H
-#define _LINUX_NETFILTER_XT_IPMARK_H 1
+#pragma once
 
 enum {
 	XT_IPMARK_SRC,
@@ -7,10 +6,6 @@ enum {
 };
 
 struct xt_ipmark_tginfo {
-	__u32 andmask;
-	__u32 ormask;
-	__u8 selector;
-	__u8 shift;
+	__u32 andmask, ormask;
+	__u8 selector, shift;
 };
-
-#endif /* _LINUX_NETFILTER_XT_IPMARK_H */

extensions/xt_LOGMARK.h

@@ -1,9 +1,5 @@
-#ifndef _LINUX_NETFILTER_XT_LOGMARK_TARGET_H
-#define _LINUX_NETFILTER_XT_LOGMARK_TARGET_H 1
-
+#pragma once
 struct xt_logmark_tginfo {
 	char prefix[14];
 	u_int8_t level;
 };
-
-#endif /* _LINUX_NETFILTER_XT_LOGMARK_TARGET_H */

extensions/xt_PROTO.h

@@ -1,9 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
 /* Protocol modification module for IP tables */
-
-#ifndef _XT_PROTO_H
-#define _XT_PROTO_H
-
+#pragma once
 #include <linux/types.h>
 
 enum {
@@ -13,8 +10,5 @@ enum {
 };
 
 struct xt_PROTO_info {
-	__u8	mode;
-	__u8	proto;
+	__u8 mode, proto;
 };
-
-#endif

extensions/xt_TARPIT.c

@@ -170,8 +170,8 @@ static bool tarpit_generic(struct tcphdr *tcph, const struct tcphdr *oth,
 	return true;
 }
 
-static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook, unsigned int mode)
+static void tarpit_tcp4(const struct xt_action_param *par,
+    struct sk_buff *oldskb, unsigned int mode)
 {
 	struct tcphdr _otcph, *tcph;
 	const struct tcphdr *oth;
@@ -191,7 +191,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		return;
 
 	/* Check checksum. */
-	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+	if (nf_ip_checksum(oldskb, par->state->hook, ip_hdrlen(oldskb),
+	    IPPROTO_TCP))
 		return;
 
 	/*
@@ -254,18 +255,19 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
-	if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+	if (par->state->hook != NF_INET_FORWARD ||
+	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
 	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev))
 #else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
+	if (par->state->hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev != NULL))
 #endif
 #else
-	if (hook != NF_INET_FORWARD)
+	if (par->state->hook != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 
-	if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
+	if (ip_route_me_harder(par_net(par), par->state->sk, nskb, addr_type) != 0)
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -287,8 +289,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
-	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
-		skb_dst(nskb)->dev, dst_output);
+	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, par_net(par), nskb->sk, nskb,
+	        NULL, skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -296,8 +298,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 }
 
 #ifdef WITH_IPV6
-static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook, unsigned int mode)
+static void tarpit_tcp6(const struct xt_action_param *par,
+    struct sk_buff *oldskb, unsigned int mode)
 {
 	struct sk_buff *nskb;
 	struct tcphdr *tcph, oth;
@@ -398,14 +400,14 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
 	              &ipv6_hdr(nskb)->daddr, sizeof(struct tcphdr),
 	              IPPROTO_TCP,
 	              csum_partial(tcph, sizeof(struct tcphdr), 0));
-	if (ip6_route_me_harder(net, nskb->sk, nskb))
+	if (ip6_route_me_harder(par_net(par), nskb->sk, nskb))
 		goto free_nskb;
 
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	nf_ct_attach(nskb, oldskb);
-	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
-	        skb_dst(nskb)->dev, dst_output);
+	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, par_net(par), nskb->sk, nskb,
+	        NULL, skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -443,7 +445,7 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	/* We are not interested in fragments */
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
-	tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
+	tarpit_tcp4(par, skb, info->variant);
 	return NF_DROP;
 }
 
@@ -484,7 +486,7 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		pr_debug("addr is not unicast.\n");
 		return NF_DROP;
 	}
-	tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
+	tarpit_tcp6(par, skb, info->variant);
 	return NF_DROP;
 }
 #endif

extensions/xt_TARPIT.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_TARPIT_H
-#define _LINUX_NETFILTER_XT_TARPIT_H 1
+#pragma once
 
 enum xt_tarpit_target_variant {
 	XTTARPIT_TARPIT,
@@ -10,5 +9,3 @@ enum xt_tarpit_target_variant {
 struct xt_tarpit_tginfo {
 	uint8_t variant;
 };
-
-#endif /* _LINUX_NETFILTER_XT_TARPIT_H */

extensions/xt_condition.h

@@ -1,5 +1,4 @@
-#ifndef _XT_CONDITION_H
-#define _XT_CONDITION_H
+#pragma once
 
 enum {
 	CONDITION_NAME_LEN = 31,
@@ -12,5 +11,3 @@ struct xt_condition_mtinfo {
 	/* Used internally by the kernel */
 	void *condvar __attribute__((aligned(8)));
 };
-
-#endif /* _XT_CONDITION_H */

extensions/xt_fuzzy.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_FUZZY_H
-#define _LINUX_NETFILTER_XT_FUZZY_H 1
+#pragma once
 
 enum {
 	FUZZY_MIN_RATE = 3,
@@ -7,14 +6,9 @@ enum {
 };
 
 struct xt_fuzzy_mtinfo {
-	uint32_t minimum_rate;
-	uint32_t maximum_rate;
-	uint32_t packets_total;
-	uint32_t bytes_total;
-	uint32_t previous_time;
-	uint32_t present_time;
+	uint32_t minimum_rate, maximum_rate;
+	uint32_t packets_total, bytes_total;
+	uint32_t previous_time, present_time;
 	uint32_t mean_rate;
 	uint8_t acceptance_rate;
 };
-
-#endif /* _LINUX_NETFILTER_XT_FUZZY_H */

extensions/xt_geoip.h

@@ -10,8 +10,7 @@
  * Samuel Jean
  * Nicolas Bouliane
  */
-#ifndef _LINUX_NETFILTER_XT_GEOIP_H
-#define _LINUX_NETFILTER_XT_GEOIP_H 1
+#pragma once
 
 enum {
 	XT_GEOIP_SRC = 1 << 0,	/* Perform check on Source IP */
@@ -23,8 +22,7 @@ enum {
 
 /* Yup, an address range will be passed in with host-order */
 struct geoip_subnet4 {
-	__u32 begin;
-	__u32 end;
+	__u32 begin, end;
 };
 
 struct geoip_subnet6 {
@@ -45,8 +43,7 @@ union geoip_country_group {
 };
 
 struct xt_geoip_match_info {
-	__u8 flags;
-	__u8 count;
+	__u8 flags, count;
 	__u16 cc[XT_GEOIP_MAX];
 
 	/* Used internally by the kernel */
@@ -54,5 +51,3 @@ struct xt_geoip_match_info {
 };
 
 #define COUNTRY(cc) ((cc) >> 8), ((cc) & 0x00FF)
-
-#endif /* _LINUX_NETFILTER_XT_GEOIP_H */

extensions/xt_gradm.h

@@ -1,9 +1,4 @@
-#ifndef _XT_GRADM_H
-#define _XT_GRADM_H
-
+#pragma once
 struct xt_gradm_mtinfo {
-	__u16 flags;
-	__u16 invflags;
+	__u16 flags, invflags;
 };
-
-#endif

extensions/xt_iface.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_IFACE_H
-#define _LINUX_NETFILTER_XT_IFACE_H 1
+#pragma once
 
 enum {
 	XT_IFACE_UP          = 1 << 0,
@@ -19,8 +18,5 @@ enum {
 
 struct xt_iface_mtinfo {
 	char ifname[IFNAMSIZ];
-	__u16 flags;
-	__u16 invflags;
+	__u16 flags, invflags;
 };
-
-#endif

extensions/xt_ipp2p.h

@@ -1,5 +1,4 @@
-#ifndef __IPT_IPP2P_H
-#define __IPT_IPP2P_H
+#pragma once
 #define IPP2P_VERSION "0.10"
 
 enum {
@@ -39,8 +38,5 @@ enum {
 };
 
 struct ipt_p2p_info {
-    int cmd;
-    int debug;
+	int32_t cmd, debug;
 };
-
-#endif //__IPT_IPP2P_H

extensions/xt_ipv4options.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_IPV4OPTIONS_H
-#define _LINUX_NETFILTER_XT_IPV4OPTIONS_H 1
+#pragma once
 
 /* IPv4 allows for a 5-bit option number - 32 options */
 
@@ -18,9 +17,6 @@ enum xt_ipv4options_flags {
  * @flags:	see above
  */
 struct xt_ipv4options_mtinfo1 {
-	__u32 map;
-	__u32 invert;
+	__u32 map, invert;
 	__u8 flags;
 };
-
-#endif /* _LINUX_NETFILTER_XT_IPV4OPTIONS_H */

extensions/xt_length2.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_LENGTH2_H
-#define _LINUX_NETFILTER_XT_LENGTH2_H
+#pragma once
 
 enum {
 	XT_LENGTH_INVERT = 1 << 0,
@@ -18,5 +17,3 @@ struct xt_length_mtinfo2 {
 	u_int32_t min, max;
 	u_int16_t flags;
 };
-
-#endif /* _LINUX_NETFILTER_XT_LENGTH2_H */

extensions/xt_lscan.c

@@ -175,6 +175,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
+	const struct iphdr *iph = ip_hdr(skb);
 	const struct tcphdr *tcph;
 	struct nf_conn *ctdata;
 	struct tcphdr tcph_buf;
@@ -182,11 +183,14 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	tcph = skb_header_pointer(skb, par->thoff, sizeof(tcph_buf), &tcph_buf);
 	if (tcph == NULL)
 		return false;
+	if (info->match_fl1 & LSCAN_FL1_MIRAI && iph != NULL &&
+	    iph->version == 4 && iph->daddr == tcph->seq)
+		return true;
 
 	/* Check for invalid packets: -m conntrack --ctstate INVALID */
 	ctdata = nf_ct_get(skb, &ctstate);
 	if (ctdata == NULL) {
-		if (info->match_stealth)
+		if (info->match_fl1 & LSCAN_FL1_STEALTH)
 			return lscan_mt_stealth(tcph);
 		/*
 		 * If @ctdata is NULL, we cannot match the other scan
@@ -212,17 +216,19 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen;
 	}
 
-	return (info->match_syn && ctdata->mark == mark_synscan) ||
-	       (info->match_cn && ctdata->mark == mark_cnscan) ||
-	       (info->match_gr && ctdata->mark == mark_grscan);
+	return (info->match_fl1 & LSCAN_FL1_STEALTH && ctdata->mark == mark_synscan) ||
+	       (info->match_fl3 & LSCAN_FL3_CN && ctdata->mark == mark_cnscan) ||
+	       (info->match_fl4 & LSCAN_FL4_GR && ctdata->mark == mark_grscan);
 }
 
 static int lscan_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
-	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
+	if ((info->match_fl1 & ~(LSCAN_FL1_STEALTH | LSCAN_FL1_MIRAI)) ||
+	    (info->match_fl2 & ~LSCAN_FL2_SYN) ||
+	    (info->match_fl3 & ~LSCAN_FL3_CN) ||
+	    (info->match_fl4 & ~LSCAN_FL4_GR)) {
 		printk(KERN_WARNING PFX "Invalid flags\n");
 		return -EINVAL;
 	}

extensions/xt_lscan.h

@@ -1,8 +1,13 @@
-#ifndef _LINUX_NETFILTER_XT_LSCAN_H
-#define _LINUX_NETFILTER_XT_LSCAN_H 1
+#pragma once
 
-struct xt_lscan_mtinfo {
-	uint8_t match_stealth, match_syn, match_cn, match_gr;
+enum {
+	LSCAN_FL1_STEALTH = 1 << 0,
+	LSCAN_FL1_MIRAI   = 1 << 1,
+	LSCAN_FL2_SYN     = 1 << 0,
+	LSCAN_FL3_CN      = 1 << 0,
+	LSCAN_FL4_GR      = 1 << 0,
 };
 
-#endif /* _LINUX_NETFILTER_XT_LSCAN_H */
+struct xt_lscan_mtinfo {
+	uint8_t match_fl1, match_fl2, match_fl3, match_fl4;
+};

extensions/xt_psd.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_PSD_H
-#define _LINUX_NETFILTER_XT_PSD_H 1
-
+#pragma once
 #include <linux/param.h>
 #include <linux/types.h>
 
@@ -21,10 +19,6 @@
 #define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
 
 struct xt_psd_info {
-	__u32 weight_threshold;
-	__u32 delay_threshold;
-	__u16 lo_ports_weight;
-	__u16 hi_ports_weight;
+	__u32 weight_threshold, delay_threshold;
+	__u16 lo_ports_weight, hi_ports_weight;
 };
-
-#endif /*_LINUX_NETFILTER_XT_PSD_H*/

extensions/xt_quota2.h

@@ -1,5 +1,4 @@
-#ifndef _XT_QUOTA_H
-#define _XT_QUOTA_H
+#pragma once
 
 enum xt_quota_flags {
 	XT_QUOTA_INVERT    = 1 << 0,
@@ -21,5 +20,3 @@ struct xt_quota_mtinfo2 {
 	/* Used internally by the kernel */
 	struct xt_quota_counter *master __attribute__((aligned(8)));
 };
-
-#endif /* _XT_QUOTA_H */

geoip/Makefile.am

@@ -1,7 +1,9 @@
 # -*- Makefile -*-
 
-bin_SCRIPTS = xt_geoip_fetch xt_geoip_fetch_maxmind
+bin_SCRIPTS = xt_geoip_query
 
 pkglibexec_SCRIPTS = xt_geoip_build xt_geoip_build_maxmind xt_geoip_dl xt_geoip_dl_maxmind
 
-man1_MANS = xt_geoip_build.1 xt_geoip_dl.1 xt_geoip_fetch.1
+man1_MANS = xt_geoip_build.1 xt_geoip_dl.1 \
+	    xt_geoip_build_maxmind.1 xt_geoip_dl_maxmind.1 \
+	    xt_geoip_query.1

geoip/xt_geoip_build_maxmind.1

@@ -0,0 +1,40 @@
+.TH xt_geoip_build_maxmind 1 "2010-12-17" "xtables-addons" "xtables-addons"
+.SH Name
+.PP
+xt_geoip_build_maxmind \(em convert GeoIP.csv to packed format for xt_geoip
+.SH Syntax
+.PP
+\fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_build_maxmind\fP [\fB\-D\fP
+\fItarget_dir\fP] [\fB\-S\fP \fIsource_dir\fP]
+.SH Description
+.PP
+xt_geoip_build_maxmind is used to build packed raw representations of the range
+database that the xt_geoip module relies on. Since kernel memory is precious,
+much of the preprocessing is done in userspace by this very building tool. One
+file is produced for each country, so that no more addresses than needed are
+required to be loaded into memory. The ranges in the packed database files are
+also ordered, as xt_geoip relies on this property for its bisection approach to
+work.
+.PP
+Since the script is usually installed to the libexec directory of the
+xtables-addons package and this is outside $PATH (on purpose), invoking the
+script requires it to be called with a path.
+.PP Options
+.TP
+\fB\-D\fP \fItarget_dir\fP
+Specifies the target directory into which the files are to be put. Defaults to ".".
+.TP
+\fB\-S\fP \fIsource_dir\fP
+Specifies the source directory of the MaxMind CSV files. Defaults to ".".
+.TP
+\fB\-s\fP
+"System mode". Equivalent to \fB\-D /usr/share/xt_geoip\fP.
+.SH Application
+.PP
+Shell commands to build the databases and put them to where they are expected
+(usually run as root):
+.PP
+xt_geoip_build_maxmind \-s
+.SH See also
+.PP
+xt_geoip_dl_maxmind(1)

geoip/xt_geoip_dl_maxmind

@@ -1,7 +1,16 @@
 #!/bin/sh
 
+if [ $# -eq 1 ]; then
+    exec <$1
+elif [ $# -ne 0 ]; then
+    echo $(basename $0) [ licence_key_file ] 1>&2
+    exit 1
+fi
+
+read licence_key
+
 rm -rf GeoLite2-Country-CSV_*
 
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
+wget -q -OGeoLite2-Country-CSV.zip "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=${licence_key}&suffix=zip"
 unzip -q GeoLite2-Country-CSV.zip
 rm -f GeoLite2-Country-CSV.zip

geoip/xt_geoip_dl_maxmind.1

@@ -0,0 +1,22 @@
+.TH xt_geoip_dl_maxmind 1 "2010-12-17" "xtables-addons" "xtables-addons"
+.SH Name
+.PP
+xt_geoip_dl_maxmind \(em download MaxMind GeoIP database files
+.SH Syntax
+.PP
+\fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_dl_maxmind\fP [\fI licence-key file\fP]
+.SH Description
+.PP
+Downloads the MaxMind GeoLite2 databases for IPv4 and IPv6 and unpacks them to
+the current directory.  The alternate \fBxt_geoip_dl\fP script can be
+used for the DB-IP Country Lite databases.
+.PP
+Since the script is usually installed to the libexec directory of the
+xtables-addons package and this is outside $PATH (on purpose), invoking the
+script requires it to be called with a path.
+.SH Options
+.PP
+None.
+.SH See also
+.PP
+xt_geoip_build_maxmind(1)

geoip/xt_geoip_fetch_maxmind

@@ -1,95 +0,0 @@
-#!/usr/bin/perl
-#
-#	Utility to query GeoIP database
-#	Copyright Philip Prindeville, 2018
-#
-use Getopt::Long;
-use Socket qw(AF_INET AF_INET6 inet_ntop);
-use warnings;
-use strict;
-
-sub AF_INET_SIZE() { 4 }
-sub AF_INET6_SIZE() { 16 }
-
-my $target_dir = ".";
-my $ipv4 = 0;
-my $ipv6 = 0;
-
-&Getopt::Long::Configure(qw(bundling));
-&GetOptions(
-	"D=s" => \$target_dir,
-	"4"   => \$ipv4,
-	"6"   => \$ipv6,
-);
-
-if (!-d $target_dir) {
-	print STDERR "Target directory $target_dir does not exit.\n";
-	exit 1;
-}
-
-# if neither specified, assume both
-if (! $ipv4 && ! $ipv6) {
-	$ipv4 = $ipv6 = 1;
-}
-
-foreach my $cc (@ARGV) {
-	if ($cc !~ m/^([a-z]{2}|a[12]|o1)$/i) {
-		print STDERR "Invalid country code '$cc'\n";
-		exit 1;
-	}
-
-	my $file = $target_dir . '/' . uc($cc) . '.iv4';
-
-	if (! -f $file) {
-		printf STDERR "Can't find data for country '$cc'\n";
-		exit 1;
-	}
-
-	my ($contents, $buffer, $bytes, $fh);
-
-	if ($ipv4) {
-		open($fh, '<', $file) || die "Couldn't open file for '$cc'\n";
-
-		binmode($fh);
-
-		while (($bytes = read($fh, $buffer, AF_INET_SIZE * 2)) == AF_INET_SIZE * 2) {
-			my ($start, $end) = unpack('a4a4', $buffer);
-			$start = inet_ntop(AF_INET, $start);
-			$end = inet_ntop(AF_INET, $end);
-			print $start, '-', $end, "\n";
-		}
-		close($fh);
-		if (! defined $bytes) {
-			printf STDERR "Error reading file for '$cc'\n";
-			exit 1;
-		} elsif ($bytes != 0) {
-			printf STDERR "Short read on file for '$cc'\n";
-			exit 1;
-		}
-	}
-
-	substr($file, -1) = '6';
-
-	if ($ipv6) {
-		open($fh, '<', $file) || die "Couldn't open file for '$cc'\n";
-
-		binmode($fh);
-
-		while (($bytes = read($fh, $buffer, AF_INET6_SIZE * 2)) == AF_INET6_SIZE * 2) {
-			my ($start, $end) = unpack('a16a16', $buffer);
-			$start = inet_ntop(AF_INET6, $start);
-			$end = inet_ntop(AF_INET6, $end);
-			print $start, '-', $end, "\n";
-		}
-		close($fh);
-		if (! defined $bytes) {
-			printf STDERR "Error reading file for '$cc'\n";
-			exit 1;
-		} elsif ($bytes != 0) {
-			printf STDERR "Short read on file for '$cc'\n";
-			exit 1;
-		}
-	}
-}
-
-exit 0;

geoip/xt_geoip_query

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-#	Utility to query GeoIP database
+#	Utility to query GeoIP database (.iv4/.iv6 files)
 #	Copyright Philip Prindeville, 2018
 #
 use Getopt::Long;

geoip/xt_geoip_query.1

@@ -1,16 +1,16 @@
-.TH xt_geoip_fetch 1 "2020-04-30" "xtables-addons" "xtables-addons"
+.TH xt_geoip_query 1 "2020-04-30" "xtables-addons" "xtables-addons"
 .SH Name
 .PP
-xt_geoip_fetch \(em dump a country database to stdout
+xt_geoip_query \(em dump a country database to stdout
 .SH Syntax
 .PP
-\fBxt_geoip_fetch\fP [\fB\-D\fP
+\fBxt_geoip_query\fP [\fB\-D\fP
 \fIdatabase_dir\fP] [\fB-4\fP] [\fB-6\fP] \fIcc\fP [ \fIcc\fP ... ]
 .SH Description
 .PP
-xt_geoip_fetch unpacks a country's IPv4 or IPv6 databases and dumps
-them to standard output as a sorted, non-overlaping list of ranges (which
-is how they're represented in the database) suitable for browsing or
+xt_geoip_query reads a country's IPv4 or IPv6 databases and dumps
+them to standard output as a sorted, non-overlapping list of ranges (which
+is how they are represented in the database), suitable for browsing or
 further processing.
 .PP Options
 .TP
@@ -29,7 +29,7 @@ The ISO-3166 country code names of the desired countries' databases.
 .PP
 Shell command to dump the list of Swiss IPv6 address ranges:
 .PP
-xt_geoip_fetch \-D /usr/share/xt_geoip \-6 ch
+xt_geoip_query \-D /usr/share/xt_geoip \-6 ch
 .SH See also
 .PP
 xt_geoip_build(1)

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v3.13 (2020-11-20)"
+.TH xtables-addons 8 "" "" "v3.18 (2021-03-11)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets