Xtables-addons 3.14

The download URL for the GeoLite2 DBs has changed and includes a
licence key. Update the download script to read the key from file or
stdin and use the correct URL.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.13])
+AC_INIT([xtables-addons], [3.14])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])

doc/changelog.txt

@@ -1,3 +1,11 @@
+v3.14 (2020-11-24)
+==================
+- DELUDE, ECHO, TARPIT: use actual tunnel socket (ip_route_me_harder).
+- geoip: scripts for use with MaxMind DB have been brought back,
+  partly under new names.
+- Gave xt_geoip_fetch a more fitting name, xt_geoip_query.
+
+
 v3.13 (2020-11-20)
 ==================
 - Support for Linux 4.19.158 and 5.4.78 (ip_route_me_harder)

extensions/xt_DELUDE.c

@@ -25,8 +25,8 @@
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
 
-static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook)
+static void delude_send_reset(struct sk_buff *oldskb,
+    const struct xt_action_param *par)
 {
 	struct tcphdr _otcph, *tcph;
 	const struct tcphdr *oth;
@@ -51,7 +51,8 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 		return;
 
 	/* Check checksum */
-	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+	if (nf_ip_checksum(oldskb, par->state->hook, ip_hdrlen(oldskb),
+	    IPPROTO_TCP))
 		return;
 
 	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
@@ -108,20 +109,21 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
-	if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+	if (par->state->hook != NF_INET_FORWARD ||
+	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
 	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev))
 #else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
+	if (par->state->hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev))
 #endif
 #else
-	if (hook != NF_INET_FORWARD)
+	if (par->state->hook != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 
 	/* ip_route_me_harder expects skb->dst to be set */
 	skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
-	if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
+	if (ip_route_me_harder(par_net(par), par->state->sk, nskb, addr_type))
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -134,8 +136,7 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
-
-	ip_local_out(net, nskb->sk, nskb);
+	ip_local_out(par_net(par), nskb->sk, nskb);
 	return;
 
  free_nskb:
@@ -150,7 +151,7 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	 * a problem, as that is supported since Linux 2.6.35. But since we do not
 	 * actually want to have a connection open, we are still going to drop it.
 	 */
-	delude_send_reset(par_net(par), skb, par->state->hook);
+	delude_send_reset(skb, par);
 	return NF_DROP;
 }
 

extensions/xt_DNETMAP.c

@@ -19,9 +19,10 @@
  */
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#ifdef CONFIG_NF_NAT
 #include <linux/inet.h>
 #include <linux/ip.h>
-#include <linux/module.h>
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
@@ -36,12 +37,6 @@
 #include "compat_xtables.h"
 #include "xt_DNETMAP.h"
 
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
-MODULE_DESCRIPTION(
-	"Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
-MODULE_ALIAS("ipt_DNETMAP");
-
 static unsigned int default_ttl = 600;
 static unsigned int proc_perms = S_IRUGO | S_IWUSR;
 static unsigned int proc_uid;
@@ -921,6 +916,18 @@ static void __exit dnetmap_tg_exit(void)
 	xt_unregister_target(&dnetmap_tg_reg);
 	unregister_pernet_subsys(&dnetmap_net_ops);
 }
+#else /* CONFIG_NF_NAT */
+static int __init dnetmap_tg_init(void)
+{
+	pr_err("CONFIG_NF_NAT is not available in your kernel, hence this module cannot function.");
+	return -EINVAL;
+}
+static void __exit dnetmap_tg_exit(void) {}
+#endif
 
 module_init(dnetmap_tg_init);
 module_exit(dnetmap_tg_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
+MODULE_DESCRIPTION("Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
+MODULE_ALIAS("ipt_DNETMAP");

extensions/xt_ECHO.c

@@ -113,7 +113,7 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 		goto free_nskb;
 
 	nf_ct_attach(newskb, oldskb);
-	ip6_local_out(par_net(par), newskb->sk, newskb);
+	ip6_local_out(par_net(par), par->state->sk, newskb);
 	return NF_DROP;
 
  free_nskb:
@@ -191,7 +191,8 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
 
 	/* ip_route_me_harder expects the skb's dst to be set */
 	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
-	if (ip_route_me_harder(par_net(par), newskb->sk, newskb, RTN_UNSPEC) != 0)
+	if (ip_route_me_harder(par_net(par), par->state->sk, newskb,
+	    RTN_UNSPEC) != 0)
 		goto free_nskb;
 
 	newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));

extensions/xt_TARPIT.c

@@ -170,8 +170,8 @@ static bool tarpit_generic(struct tcphdr *tcph, const struct tcphdr *oth,
 	return true;
 }
 
-static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook, unsigned int mode)
+static void tarpit_tcp4(const struct xt_action_param *par,
+    struct sk_buff *oldskb, unsigned int mode)
 {
 	struct tcphdr _otcph, *tcph;
 	const struct tcphdr *oth;
@@ -191,7 +191,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		return;
 
 	/* Check checksum. */
-	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+	if (nf_ip_checksum(oldskb, par->state->hook, ip_hdrlen(oldskb),
+	    IPPROTO_TCP))
 		return;
 
 	/*
@@ -254,18 +255,19 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
-	if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+	if (par->state->hook != NF_INET_FORWARD ||
+	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
 	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev))
 #else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
+	if (par->state->hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev != NULL))
 #endif
 #else
-	if (hook != NF_INET_FORWARD)
+	if (par->state->hook != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 
-	if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
+	if (ip_route_me_harder(par_net(par), par->state->sk, nskb, addr_type) != 0)
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -287,8 +289,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
-	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
-		skb_dst(nskb)->dev, dst_output);
+	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, par_net(par), nskb->sk, nskb,
+	        NULL, skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -296,8 +298,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 }
 
 #ifdef WITH_IPV6
-static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook, unsigned int mode)
+static void tarpit_tcp6(const struct xt_action_param *par,
+    struct sk_buff *oldskb, unsigned int mode)
 {
 	struct sk_buff *nskb;
 	struct tcphdr *tcph, oth;
@@ -398,14 +400,14 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
 	              &ipv6_hdr(nskb)->daddr, sizeof(struct tcphdr),
 	              IPPROTO_TCP,
 	              csum_partial(tcph, sizeof(struct tcphdr), 0));
-	if (ip6_route_me_harder(net, nskb->sk, nskb))
+	if (ip6_route_me_harder(par_net(par), nskb->sk, nskb))
 		goto free_nskb;
 
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	nf_ct_attach(nskb, oldskb);
-	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
-	        skb_dst(nskb)->dev, dst_output);
+	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, par_net(par), nskb->sk, nskb,
+	        NULL, skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -443,7 +445,7 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	/* We are not interested in fragments */
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
-	tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
+	tarpit_tcp4(par, skb, info->variant);
 	return NF_DROP;
 }
 
@@ -484,7 +486,7 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		pr_debug("addr is not unicast.\n");
 		return NF_DROP;
 	}
-	tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
+	tarpit_tcp6(par, skb, info->variant);
 	return NF_DROP;
 }
 #endif

geoip/Makefile.am

@@ -1,7 +1,9 @@
 # -*- Makefile -*-
 
-bin_SCRIPTS = xt_geoip_fetch xt_geoip_fetch_maxmind
+bin_SCRIPTS = xt_geoip_query
 
 pkglibexec_SCRIPTS = xt_geoip_build xt_geoip_build_maxmind xt_geoip_dl xt_geoip_dl_maxmind
 
-man1_MANS = xt_geoip_build.1 xt_geoip_dl.1 xt_geoip_fetch.1
+man1_MANS = xt_geoip_build.1 xt_geoip_dl.1 \
+	    xt_geoip_build_maxmind.1 xt_geoip_dl_maxmind.1 \
+	    xt_geoip_query.1

geoip/xt_geoip_build_maxmind.1

@@ -0,0 +1,40 @@
+.TH xt_geoip_build_maxmind 1 "2010-12-17" "xtables-addons" "xtables-addons"
+.SH Name
+.PP
+xt_geoip_build_maxmind \(em convert GeoIP.csv to packed format for xt_geoip
+.SH Syntax
+.PP
+\fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_build_maxmind\fP [\fB\-D\fP
+\fItarget_dir\fP] [\fB\-S\fP \fIsource_dir\fP]
+.SH Description
+.PP
+xt_geoip_build_maxmind is used to build packed raw representations of the range
+database that the xt_geoip module relies on. Since kernel memory is precious,
+much of the preprocessing is done in userspace by this very building tool. One
+file is produced for each country, so that no more addresses than needed are
+required to be loaded into memory. The ranges in the packed database files are
+also ordered, as xt_geoip relies on this property for its bisection approach to
+work.
+.PP
+Since the script is usually installed to the libexec directory of the
+xtables-addons package and this is outside $PATH (on purpose), invoking the
+script requires it to be called with a path.
+.PP Options
+.TP
+\fB\-D\fP \fItarget_dir\fP
+Specifies the target directory into which the files are to be put. Defaults to ".".
+.TP
+\fB\-S\fP \fIsource_dir\fP
+Specifies the source directory of the MaxMind CSV files. Defaults to ".".
+.TP
+\fB\-s\fP
+"System mode". Equivalent to \fB\-D /usr/share/xt_geoip\fP.
+.SH Application
+.PP
+Shell commands to build the databases and put them to where they are expected
+(usually run as root):
+.PP
+xt_geoip_build_maxmind \-s
+.SH See also
+.PP
+xt_geoip_dl_maxmind(1)

geoip/xt_geoip_dl_maxmind

@@ -1,7 +1,16 @@
 #!/bin/sh
 
+if [ $# -eq 1 ]; then
+    exec <$1
+elif [ $# -ne 0 ]; then
+    echo $(basename $0) [ licence_key_file ] 1>&2
+    exit 1
+fi
+
+read licence_key
+
 rm -rf GeoLite2-Country-CSV_*
 
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
+wget -q -OGeoLite2-Country-CSV.zip "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=${licence_key}&suffix=zip"
 unzip -q GeoLite2-Country-CSV.zip
 rm -f GeoLite2-Country-CSV.zip

geoip/xt_geoip_dl_maxmind.1

@@ -0,0 +1,22 @@
+.TH xt_geoip_dl_maxmind 1 "2010-12-17" "xtables-addons" "xtables-addons"
+.SH Name
+.PP
+xt_geoip_dl_maxmind \(em download MaxMind GeoIP database files
+.SH Syntax
+.PP
+\fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_dl_maxmind\fP [\fI licence-key file\fP]
+.SH Description
+.PP
+Downloads the MaxMind GeoLite2 databases for IPv4 and IPv6 and unpacks them to
+the current directory.  The alternate \fBxt_geoip_dl\fP script can be
+used for the DB-IP Country Lite databases.
+.PP
+Since the script is usually installed to the libexec directory of the
+xtables-addons package and this is outside $PATH (on purpose), invoking the
+script requires it to be called with a path.
+.SH Options
+.PP
+None.
+.SH See also
+.PP
+xt_geoip_build_maxmind(1)

geoip/xt_geoip_fetch_maxmind

@@ -1,95 +0,0 @@
-#!/usr/bin/perl
-#
-#	Utility to query GeoIP database
-#	Copyright Philip Prindeville, 2018
-#
-use Getopt::Long;
-use Socket qw(AF_INET AF_INET6 inet_ntop);
-use warnings;
-use strict;
-
-sub AF_INET_SIZE() { 4 }
-sub AF_INET6_SIZE() { 16 }
-
-my $target_dir = ".";
-my $ipv4 = 0;
-my $ipv6 = 0;
-
-&Getopt::Long::Configure(qw(bundling));
-&GetOptions(
-	"D=s" => \$target_dir,
-	"4"   => \$ipv4,
-	"6"   => \$ipv6,
-);
-
-if (!-d $target_dir) {
-	print STDERR "Target directory $target_dir does not exit.\n";
-	exit 1;
-}
-
-# if neither specified, assume both
-if (! $ipv4 && ! $ipv6) {
-	$ipv4 = $ipv6 = 1;
-}
-
-foreach my $cc (@ARGV) {
-	if ($cc !~ m/^([a-z]{2}|a[12]|o1)$/i) {
-		print STDERR "Invalid country code '$cc'\n";
-		exit 1;
-	}
-
-	my $file = $target_dir . '/' . uc($cc) . '.iv4';
-
-	if (! -f $file) {
-		printf STDERR "Can't find data for country '$cc'\n";
-		exit 1;
-	}
-
-	my ($contents, $buffer, $bytes, $fh);
-
-	if ($ipv4) {
-		open($fh, '<', $file) || die "Couldn't open file for '$cc'\n";
-
-		binmode($fh);
-
-		while (($bytes = read($fh, $buffer, AF_INET_SIZE * 2)) == AF_INET_SIZE * 2) {
-			my ($start, $end) = unpack('a4a4', $buffer);
-			$start = inet_ntop(AF_INET, $start);
-			$end = inet_ntop(AF_INET, $end);
-			print $start, '-', $end, "\n";
-		}
-		close($fh);
-		if (! defined $bytes) {
-			printf STDERR "Error reading file for '$cc'\n";
-			exit 1;
-		} elsif ($bytes != 0) {
-			printf STDERR "Short read on file for '$cc'\n";
-			exit 1;
-		}
-	}
-
-	substr($file, -1) = '6';
-
-	if ($ipv6) {
-		open($fh, '<', $file) || die "Couldn't open file for '$cc'\n";
-
-		binmode($fh);
-
-		while (($bytes = read($fh, $buffer, AF_INET6_SIZE * 2)) == AF_INET6_SIZE * 2) {
-			my ($start, $end) = unpack('a16a16', $buffer);
-			$start = inet_ntop(AF_INET6, $start);
-			$end = inet_ntop(AF_INET6, $end);
-			print $start, '-', $end, "\n";
-		}
-		close($fh);
-		if (! defined $bytes) {
-			printf STDERR "Error reading file for '$cc'\n";
-			exit 1;
-		} elsif ($bytes != 0) {
-			printf STDERR "Short read on file for '$cc'\n";
-			exit 1;
-		}
-	}
-}
-
-exit 0;

geoip/xt_geoip_query

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-#	Utility to query GeoIP database
+#	Utility to query GeoIP database (.iv4/.iv6 files)
 #	Copyright Philip Prindeville, 2018
 #
 use Getopt::Long;

geoip/xt_geoip_query.1

@@ -1,16 +1,16 @@
-.TH xt_geoip_fetch 1 "2020-04-30" "xtables-addons" "xtables-addons"
+.TH xt_geoip_query 1 "2020-04-30" "xtables-addons" "xtables-addons"
 .SH Name
 .PP
-xt_geoip_fetch \(em dump a country database to stdout
+xt_geoip_query \(em dump a country database to stdout
 .SH Syntax
 .PP
-\fBxt_geoip_fetch\fP [\fB\-D\fP
+\fBxt_geoip_query\fP [\fB\-D\fP
 \fIdatabase_dir\fP] [\fB-4\fP] [\fB-6\fP] \fIcc\fP [ \fIcc\fP ... ]
 .SH Description
 .PP
-xt_geoip_fetch unpacks a country's IPv4 or IPv6 databases and dumps
-them to standard output as a sorted, non-overlaping list of ranges (which
-is how they're represented in the database) suitable for browsing or
+xt_geoip_query reads a country's IPv4 or IPv6 databases and dumps
+them to standard output as a sorted, non-overlapping list of ranges (which
+is how they are represented in the database), suitable for browsing or
 further processing.
 .PP Options
 .TP
@@ -29,7 +29,7 @@ The ISO-3166 country code names of the desired countries' databases.
 .PP
 Shell command to dump the list of Swiss IPv6 address ranges:
 .PP
-xt_geoip_fetch \-D /usr/share/xt_geoip \-6 ch
+xt_geoip_query \-D /usr/share/xt_geoip \-6 ch
 .SH See also
 .PP
 xt_geoip_build(1)

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v3.13 (2020-11-20)"
+.TH xtables-addons 8 "" "Caketime" "v3.14 (2020-11-24)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets