Xtables-addons 3.7

The Perl script that builds the GeoIP DBs uses inet_pton(3) to convert
the addresses to network byte order. This converts

  "1234:5678::90ab:cdef"

to:

  0x12 0x34 0x56 0x78 .. 0xcd 0xef, interpreted by an LE machine
  accessing this in uint32_t-sized chunks as
  8765:4321::fedc:ba09

The kernel module compares the addresses in packets with the ranges from
the DB in host byte order using binary search. It uses 32-bit swaps
when converting the addresses.

libxt_geoip, however, which the module uses to load the ranges from the
DB and convert them from NBO to HBO, uses 16-bit swaps to do so, and
this means that:

  1234:5678::90ab:cdef

becomes:

  4321:8765::ba09:fedc

Obviously, this is inconsistent with the kernel module and DB build
script and breaks the binary search.

Fixes: b91dbd03c7 ("geoip: store database in network byte order")
Reported-by: "Thomas B. Clark" <kernel@clark.bz>
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

.gitignore

@@ -2,6 +2,7 @@
 *.la
 *.lo
 *.loT
+*.mod
 *.o
 .cache.mk
 .deps/

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.5])
+AC_INIT([xtables-addons], [3.7])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -57,7 +57,7 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 3; then
+		if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 4; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
 		elif test "$kmajor" -eq 5 -a "$kminor" -ge 0; then
 			:

doc/changelog.txt

@@ -1,6 +1,14 @@
 
-HEAD
+v3.7 (2019-12-01)
-====
+=================
+Fixes:
+- xt_geoip: fix in6_addr little-endian byte swapping
+
+
+v3.6 (2019-11-20)
+=================
+Enhancements:
+- support for up to Linux 5.4
 
 
 v3.5 (2019-09-10)

extensions/libxt_geoip.c

@@ -50,26 +50,6 @@ static struct option geoip_opts[] = {
 };
 
 #if __BYTE_ORDER == __LITTLE_ENDIAN
-static void geoip_swap_le16(uint16_t *buf)
-{
-	unsigned char *p = (void *)buf;
-	uint16_t n= p[0] + (p[1] << 8);
-	p[0] = (n >> 8) & 0xff;
-	p[1] = n & 0xff;
-}
-
-static void geoip_swap_in6(struct in6_addr *in6)
-{
-	geoip_swap_le16(&in6->s6_addr16[0]);
-	geoip_swap_le16(&in6->s6_addr16[1]);
-	geoip_swap_le16(&in6->s6_addr16[2]);
-	geoip_swap_le16(&in6->s6_addr16[3]);
-	geoip_swap_le16(&in6->s6_addr16[4]);
-	geoip_swap_le16(&in6->s6_addr16[5]);
-	geoip_swap_le16(&in6->s6_addr16[6]);
-	geoip_swap_le16(&in6->s6_addr16[7]);
-}
-
 static void geoip_swap_le32(uint32_t *buf)
 {
 	unsigned char *p = (void *)buf;
@@ -79,6 +59,14 @@ static void geoip_swap_le32(uint32_t *buf)
 	p[2] = (n >> 8) & 0xff;
 	p[3] = n & 0xff;
 }
+
+static void geoip_swap_in6(struct in6_addr *in6)
+{
+	geoip_swap_le32(&in6->s6_addr32[0]);
+	geoip_swap_le32(&in6->s6_addr32[1]);
+	geoip_swap_le32(&in6->s6_addr32[2]);
+	geoip_swap_le32(&in6->s6_addr32[3]);
+}
 #endif
 
 static void *

extensions/xt_TARPIT.c

@@ -205,7 +205,11 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		return;
 
 	/* This packet will not be the same as the other: clear nf fields */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0)
+	nf_reset_ct(nskb);
+#else
 	nf_reset(nskb);
+#endif
 	skb_nfmark(nskb) = 0;
 	skb_init_secmark(nskb);
 	skb_shinfo(nskb)->gso_size = 0;
@@ -346,7 +350,11 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
 	}
 
 	/* This packet will not be the same as the other: clear nf fields */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0)
+	nf_reset_ct(nskb);
+#else
 	nf_reset(nskb);
+#endif
 	skb_nfmark(nskb) = 0;
 	skb_init_secmark(nskb);
 	skb_shinfo(nskb)->gso_size = 0;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v3.5 (2019-09-10)"
+.TH xtables-addons 8 "" "" "v3.7 (2019-12-01)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets