Merge branch 'master' of ssh://git.code.sf.net/u/jeffcarlson72/xtables-addons

The LT library name is libxt_ACCOUNT_cl.la, so the variable should be
`libxt_ACCOUNT_cl_la_LDFLAGS`.

Fixes: 81ab0b9586 ("libxt_ACCOUNT_cl: drop padding holes from struct ipt_ACCOUNT_context")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

INSTALL

@@ -23,6 +23,9 @@ Supported configurations for this release
 
 (Use xtables-addons-1.x if you need support for Linux < 3.7.
 Use xtables-addons-2.x if you need support for Linux < 4.15.)
+Note: xtables-addons regularly fails to build with patched-to-death
+kernels like on RHEL or SLES because the API does not match
+LINUX_KERNEL_VERSION anymore.
 
 
 Selecting extensions

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.16])
+AC_INIT([xtables-addons], [3.18])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])

doc/changelog.txt

@@ -1,3 +1,13 @@
+v3.18 (2021-03-11)
+==================
+- xt_pknock: fix a build failure on ARM 32-bit
+
+
+v3.17 (2021-02-28)
+==================
+- xt_pknock: cure a NULL deref
+
+
 v3.16 (2021-02-24)
 ==================
 - xt_pknock: build fix for ILP32 targets

extensions/ACCOUNT/Makefile.am

@@ -9,5 +9,6 @@ sbin_PROGRAMS = iptaccount
 iptaccount_LDADD = libxt_ACCOUNT_cl.la
 
 lib_LTLIBRARIES = libxt_ACCOUNT_cl.la
+libxt_ACCOUNT_cl_la_LDFLAGS = -version-info 1:0:0
 
 man_MANS = iptaccount.8

extensions/ACCOUNT/libxt_ACCOUNT_cl.h

@@ -7,10 +7,7 @@
  *   version 2.1 as published by the Free Software Foundation;             *
  *                                                                         *
  ***************************************************************************/
-
+#pragma once
-#ifndef _xt_ACCOUNT_cl_H
-#define _xt_ACCOUNT_cl_H
-
 #include <xt_ACCOUNT.h>
 
 #define LIBXT_ACCOUNT_VERSION "1.3"
@@ -23,9 +20,8 @@ struct ipt_ACCOUNT_context
 	int sockfd;
 	struct ipt_acc_handle_sockopt handle;
 
-	unsigned int data_size;
+	unsigned int data_size, pos;
 	void *data;
-	unsigned int pos;
 
 	char *error_str;
 };
@@ -55,6 +51,3 @@ const char *ipt_ACCOUNT_get_next_name(struct ipt_ACCOUNT_context *ctx);
 #ifdef __cplusplus
 }
 #endif
-
-
-#endif

extensions/ACCOUNT/xt_ACCOUNT.h

@@ -7,9 +7,7 @@
  *   version 2 as published by the Free Software Foundation;               *
  *                                                                         *
  ***************************************************************************/
-
+#pragma once
-#ifndef _IPT_ACCOUNT_H
-#define _IPT_ACCOUNT_H
 
 /*
  * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
@@ -39,8 +37,7 @@
 
 /* Structure for the userspace part of ipt_ACCOUNT */
 struct ipt_acc_info {
-	__be32 net_ip;
+	__be32 net_ip, net_mask;
-	__be32 net_mask;
 	char table_name[ACCOUNT_TABLE_NAME_LEN];
 	int32_t table_nr;
 };
@@ -59,10 +56,5 @@ struct ipt_acc_handle_sockopt {
 */
 struct ipt_acc_handle_ip {
 	__be32 ip, __dummy;
-	uint64_t src_packets;
+	uint64_t src_packets, src_bytes, dst_packets, dst_bytes;
-	uint64_t src_bytes;
-	uint64_t dst_packets;
-	uint64_t dst_bytes;
 };
-
-#endif /* _IPT_ACCOUNT_H */

extensions/compat_skbuff.h

@@ -1,6 +1,4 @@
-#ifndef COMPAT_SKBUFF_H
+#pragma once
-#define COMPAT_SKBUFF_H 1
-
 struct tcphdr;
 struct udphdr;
 
@@ -12,5 +10,3 @@ struct udphdr;
 #else
 #	define skb_secmark(skb) 0
 #endif
-
-#endif /* COMPAT_SKBUFF_H */

extensions/compat_user.h

@@ -1,12 +1,8 @@
 /*
  *	Userspace-level compat hacks
  */
-#ifndef _XTABLES_COMPAT_USER_H
+#pragma once
-#define _XTABLES_COMPAT_USER_H 1
-
 /* linux-glibc-devel 2.6.34 header screwup */
 #ifndef ALIGN
 #	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
 #endif
-
-#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -23,7 +23,6 @@
 #include <net/route.h>
 #include <linux/export.h>
 #include "compat_skbuff.h"
-#include "compat_xtnu.h"
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 #	define WITH_IPV6 1
 #endif

extensions/compat_xtables.h

@@ -1,10 +1,7 @@
-#ifndef _XTABLES_COMPAT_H
+#pragma once
-#define _XTABLES_COMPAT_H 1
-
 #include <linux/kernel.h>
 #include <linux/version.h>
 #include "compat_skbuff.h"
-#include "compat_xtnu.h"
 
 #define DEBUGP Use__pr_debug__instead
 
@@ -48,4 +45,4 @@ static inline struct net *par_net(const struct xt_action_param *par)
 #	define proc_release release
 #endif
 
-#endif /* _XTABLES_COMPAT_H */
+extern void *HX_memmem(const void *, size_t, const void *, size_t);

extensions/compat_xtnu.h

@@ -1,67 +0,0 @@
-#ifndef _COMPAT_XTNU_H
-#define _COMPAT_XTNU_H 1
-
-#include <linux/netfilter/x_tables.h>
-
-struct module;
-struct sk_buff;
-
-struct xtnu_match {
-	/*
-	 * Making it smaller by sizeof(void *) on purpose to catch
-	 * lossy translation, if any.
-	 */
-	char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
-	uint8_t revision;
-	bool (*match)(const struct sk_buff *, struct xt_action_param *);
-	int (*checkentry)(const struct xt_mtchk_param *);
-	void (*destroy)(const struct xt_mtdtor_param *);
-	struct module *me;
-	const char *table;
-	unsigned int matchsize, hooks;
-	unsigned short proto, family;
-
-	void *__compat_match;
-};
-
-struct xtnu_target {
-	char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
-	uint8_t revision;
-	unsigned int (*target)(struct sk_buff **,
-		const struct xt_action_param *);
-	int (*checkentry)(const struct xt_tgchk_param *);
-	void (*destroy)(const struct xt_tgdtor_param *);
-	struct module *me;
-	const char *table;
-	unsigned int targetsize, hooks;
-	unsigned short proto, family;
-
-	void *__compat_target;
-};
-
-static inline struct xtnu_match *xtcompat_numatch(const struct xt_match *m)
-{
-	void *q;
-	memcpy(&q, m->name + sizeof(m->name) - sizeof(void *), sizeof(void *));
-	return q;
-}
-
-static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
-{
-	void *q;
-	memcpy(&q, t->name + sizeof(t->name) - sizeof(void *), sizeof(void *));
-	return q;
-}
-
-extern int xtnu_register_match(struct xtnu_match *);
-extern void xtnu_unregister_match(struct xtnu_match *);
-extern int xtnu_register_matches(struct xtnu_match *, unsigned int);
-extern void xtnu_unregister_matches(struct xtnu_match *, unsigned int);
-extern int xtnu_register_target(struct xtnu_target *);
-extern void xtnu_unregister_target(struct xtnu_target *);
-extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
-extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
-
-extern void *HX_memmem(const void *, size_t, const void *, size_t);
-
-#endif /* _COMPAT_XTNU_H */

extensions/pknock/libxt_pknock.c

@@ -33,17 +33,22 @@ static const struct option pknock_mt_opts[] = {
 static void pknock_mt_help(void)
 {
 	printf("pknock match options:\n"
-		" --knockports port[,port,port,...]	"
+		"  --knockports port[,port[,port[,...]]]\n"
-			"Matches destination port(s).\n"
+			"\t\t\t\tMatches destination port(s).\n"
-		" --time seconds\n"
+		"  --time seconds		"
 			"Max allowed time between knocks.\n"
-		" --autoclose minutes\n"
+		"  --autoclose minutes		"
 			"Time after which to automatically close opened\n"
-			"\t\t\t\t\tport(s).\n"
+			"\t\t\t\tport(s).\n"
-		" --strict				"
-			"Knocks sequence must be exact.\n"
 		"  --name rule_name		"
 			"Rule name.\n"
+		"  --opensecret secret		"
+			"(UDP only) Secret to activate the rule.\n"
+		"  --closesecret secret		"
+			"(UDP only) Secret to deactivate the\n"
+			"\t\t\t\trule.\n"
+		"  --strict			"
+			"Knocks sequence must be exact.\n"
 		"  --checkip			"
 			"Matches if the source ip is in the list.\n"
 		);

extensions/pknock/xt_pknock.c

@@ -311,9 +311,12 @@ static void update_rule_gc_timer(struct xt_pknock_rule *rule)
 static inline bool
 autoclose_time_passed(const struct peer *peer, unsigned int autoclose_time)
 {
-	unsigned long x = ktime_get_seconds();
+	unsigned long x, y;
-	unsigned long y = peer->login_sec + autoclose_time * 60;
+	if (peer == NULL || autoclose_time == 0)
-	return peer != NULL && autoclose_time != 0 && time_after(x, y);
+		return false;
+	x = ktime_get_seconds();
+	y = peer->login_sec + autoclose_time * 60;
+	return time_after(x, y);
 }
 
 /**
@@ -335,8 +338,12 @@ is_interknock_time_exceeded(const struct peer *peer, unsigned int max_time)
 static inline bool
 has_logged_during_this_minute(const struct peer *peer)
 {
-	unsigned long x = ktime_get_seconds(), y = peer->login_sec;
+	uint64_t x, y;
-	return peer != NULL && do_div(y, 60) == do_div(x, 60);
+	if (peer == NULL)
+		return 0;
+	x = ktime_get_seconds();
+	y = peer->login_sec;
+	return do_div(y, 60) == do_div(x, 60);
 }
 
 /**
@@ -710,7 +717,7 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 	unsigned int hexa_size;
 	int ret;
 	bool fret = false;
-	unsigned long x;
+	uint64_t x;
 	unsigned int epoch_min;
 
 	if (payload_len == 0)

extensions/pknock/xt_pknock.h

@@ -8,9 +8,7 @@
  *
  * This program is released under the terms of GNU GPL version 2.
  */
-#ifndef _XT_PKNOCK_H
+#pragma once
-#define _XT_PKNOCK_H
-
 #define PKNOCK "xt_pknock: "
 
 enum {
@@ -47,5 +45,3 @@ struct xt_pknock_nl_msg {
 	char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
 	__be32 peer_ip;
 };
-
-#endif /* _XT_PKNOCK_H */

extensions/xt_CHAOS.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_CHAOS_H
+#pragma once
-#define _LINUX_NETFILTER_XT_CHAOS_H 1
-
 enum xt_chaos_target_variant {
 	XTCHAOS_NORMAL,
 	XTCHAOS_TARPIT,
@@ -10,5 +8,3 @@ enum xt_chaos_target_variant {
 struct xt_chaos_tginfo {
 	uint8_t variant;
 };
-
-#endif /* _LINUX_NETFILTER_XT_CHAOS_H */

extensions/xt_DHCPMAC.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_DHCPMAC_H
+#pragma once
-#define _LINUX_NETFILTER_XT_DHCPMAC_H 1
-
 #define DH_MAC_FMT "%02X:%02X:%02X:%02X:%02X:%02X"
 #define DH_MAC_HEX(z) z[0], z[1], z[2], z[3], z[4], z[5]
 
@@ -8,5 +6,3 @@ struct dhcpmac_info {
 	unsigned char addr[ETH_ALEN];
 	uint8_t mask, invert;
 };
-
-#endif /* _LINUX_NETFILTER_XT_DHCPMAC_H */

extensions/xt_DNETMAP.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_DNETMAP_H
+#pragma once
-#define _LINUX_NETFILTER_XT_DNETMAP_H 1
-
 #define DNETMAP_VERSION 2
 
 enum {
@@ -17,5 +15,3 @@ struct xt_DNETMAP_tginfo {
 	__u8 flags;
 	__s32 ttl;
 };
-
-#endif

extensions/xt_IPMARK.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_IPMARK_H
+#pragma once
-#define _LINUX_NETFILTER_XT_IPMARK_H 1
 
 enum {
 	XT_IPMARK_SRC,
@@ -7,10 +6,6 @@ enum {
 };
 
 struct xt_ipmark_tginfo {
-	__u32 andmask;
+	__u32 andmask, ormask;
-	__u32 ormask;
+	__u8 selector, shift;
-	__u8 selector;
-	__u8 shift;
 };
-
-#endif /* _LINUX_NETFILTER_XT_IPMARK_H */

extensions/xt_LOGMARK.h

@@ -1,9 +1,5 @@
-#ifndef _LINUX_NETFILTER_XT_LOGMARK_TARGET_H
+#pragma once
-#define _LINUX_NETFILTER_XT_LOGMARK_TARGET_H 1
-
 struct xt_logmark_tginfo {
 	char prefix[14];
 	u_int8_t level;
 };
-
-#endif /* _LINUX_NETFILTER_XT_LOGMARK_TARGET_H */

extensions/xt_PROTO.h

@@ -1,9 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
 /* Protocol modification module for IP tables */
-
+#pragma once
-#ifndef _XT_PROTO_H
-#define _XT_PROTO_H
-
 #include <linux/types.h>
 
 enum {
@@ -13,8 +10,5 @@ enum {
 };
 
 struct xt_PROTO_info {
-	__u8	mode;
+	__u8 mode, proto;
-	__u8	proto;
 };
-
-#endif

extensions/xt_TARPIT.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_TARPIT_H
+#pragma once
-#define _LINUX_NETFILTER_XT_TARPIT_H 1
 
 enum xt_tarpit_target_variant {
 	XTTARPIT_TARPIT,
@@ -10,5 +9,3 @@ enum xt_tarpit_target_variant {
 struct xt_tarpit_tginfo {
 	uint8_t variant;
 };
-
-#endif /* _LINUX_NETFILTER_XT_TARPIT_H */

extensions/xt_condition.h

@@ -1,5 +1,4 @@
-#ifndef _XT_CONDITION_H
+#pragma once
-#define _XT_CONDITION_H
 
 enum {
 	CONDITION_NAME_LEN = 31,
@@ -12,5 +11,3 @@ struct xt_condition_mtinfo {
 	/* Used internally by the kernel */
 	void *condvar __attribute__((aligned(8)));
 };
-
-#endif /* _XT_CONDITION_H */

extensions/xt_fuzzy.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_FUZZY_H
+#pragma once
-#define _LINUX_NETFILTER_XT_FUZZY_H 1
 
 enum {
 	FUZZY_MIN_RATE = 3,
@@ -7,14 +6,9 @@ enum {
 };
 
 struct xt_fuzzy_mtinfo {
-	uint32_t minimum_rate;
+	uint32_t minimum_rate, maximum_rate;
-	uint32_t maximum_rate;
+	uint32_t packets_total, bytes_total;
-	uint32_t packets_total;
+	uint32_t previous_time, present_time;
-	uint32_t bytes_total;
-	uint32_t previous_time;
-	uint32_t present_time;
 	uint32_t mean_rate;
 	uint8_t acceptance_rate;
 };
-
-#endif /* _LINUX_NETFILTER_XT_FUZZY_H */

extensions/xt_geoip.h

@@ -10,8 +10,7 @@
  * Samuel Jean
  * Nicolas Bouliane
  */
-#ifndef _LINUX_NETFILTER_XT_GEOIP_H
+#pragma once
-#define _LINUX_NETFILTER_XT_GEOIP_H 1
 
 enum {
 	XT_GEOIP_SRC = 1 << 0,	/* Perform check on Source IP */
@@ -23,8 +22,7 @@ enum {
 
 /* Yup, an address range will be passed in with host-order */
 struct geoip_subnet4 {
-	__u32 begin;
+	__u32 begin, end;
-	__u32 end;
 };
 
 struct geoip_subnet6 {
@@ -45,8 +43,7 @@ union geoip_country_group {
 };
 
 struct xt_geoip_match_info {
-	__u8 flags;
+	__u8 flags, count;
-	__u8 count;
 	__u16 cc[XT_GEOIP_MAX];
 
 	/* Used internally by the kernel */
@@ -54,5 +51,3 @@ struct xt_geoip_match_info {
 };
 
 #define COUNTRY(cc) ((cc) >> 8), ((cc) & 0x00FF)
-
-#endif /* _LINUX_NETFILTER_XT_GEOIP_H */

extensions/xt_gradm.h

@@ -1,9 +1,4 @@
-#ifndef _XT_GRADM_H
+#pragma once
-#define _XT_GRADM_H
-
 struct xt_gradm_mtinfo {
-	__u16 flags;
+	__u16 flags, invflags;
-	__u16 invflags;
 };
-
-#endif

extensions/xt_iface.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_IFACE_H
+#pragma once
-#define _LINUX_NETFILTER_XT_IFACE_H 1
 
 enum {
 	XT_IFACE_UP          = 1 << 0,
@@ -19,8 +18,5 @@ enum {
 
 struct xt_iface_mtinfo {
 	char ifname[IFNAMSIZ];
-	__u16 flags;
+	__u16 flags, invflags;
-	__u16 invflags;
 };
-
-#endif

extensions/xt_ipp2p.h

@@ -1,5 +1,4 @@
-#ifndef __IPT_IPP2P_H
+#pragma once
-#define __IPT_IPP2P_H
 #define IPP2P_VERSION "0.10"
 
 enum {
@@ -39,8 +38,5 @@ enum {
 };
 
 struct ipt_p2p_info {
-    int cmd;
+	int32_t cmd, debug;
-    int debug;
 };
-
-#endif //__IPT_IPP2P_H

extensions/xt_ipv4options.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_IPV4OPTIONS_H
+#pragma once
-#define _LINUX_NETFILTER_XT_IPV4OPTIONS_H 1
 
 /* IPv4 allows for a 5-bit option number - 32 options */
 
@@ -18,9 +17,6 @@ enum xt_ipv4options_flags {
  * @flags:	see above
  */
 struct xt_ipv4options_mtinfo1 {
-	__u32 map;
+	__u32 map, invert;
-	__u32 invert;
 	__u8 flags;
 };
-
-#endif /* _LINUX_NETFILTER_XT_IPV4OPTIONS_H */

extensions/xt_length2.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_LENGTH2_H
+#pragma once
-#define _LINUX_NETFILTER_XT_LENGTH2_H
 
 enum {
 	XT_LENGTH_INVERT = 1 << 0,
@@ -18,5 +17,3 @@ struct xt_length_mtinfo2 {
 	u_int32_t min, max;
 	u_int16_t flags;
 };
-
-#endif /* _LINUX_NETFILTER_XT_LENGTH2_H */

extensions/xt_lscan.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_LSCAN_H
+#pragma once
-#define _LINUX_NETFILTER_XT_LSCAN_H 1
 
 enum {
 	LSCAN_FL1_STEALTH = 1 << 0,
@@ -12,5 +11,3 @@ enum {
 struct xt_lscan_mtinfo {
 	uint8_t match_fl1, match_fl2, match_fl3, match_fl4;
 };
-
-#endif /* _LINUX_NETFILTER_XT_LSCAN_H */

extensions/xt_psd.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_PSD_H
+#pragma once
-#define _LINUX_NETFILTER_XT_PSD_H 1
-
 #include <linux/param.h>
 #include <linux/types.h>
 
@@ -21,10 +19,6 @@
 #define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
 
 struct xt_psd_info {
-	__u32 weight_threshold;
+	__u32 weight_threshold, delay_threshold;
-	__u32 delay_threshold;
+	__u16 lo_ports_weight, hi_ports_weight;
-	__u16 lo_ports_weight;
-	__u16 hi_ports_weight;
 };
-
-#endif /*_LINUX_NETFILTER_XT_PSD_H*/

extensions/xt_quota2.h

@@ -1,5 +1,4 @@
-#ifndef _XT_QUOTA_H
+#pragma once
-#define _XT_QUOTA_H
 
 enum xt_quota_flags {
 	XT_QUOTA_INVERT    = 1 << 0,
@@ -21,5 +20,3 @@ struct xt_quota_mtinfo2 {
 	/* Used internally by the kernel */
 	struct xt_quota_counter *master __attribute__((aligned(8)));
 };
-
-#endif /* _XT_QUOTA_H */

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v3.16 (2021-02-24)"
+.TH xtables-addons 8 "" "" "v3.18 (2021-03-11)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets