Merge branch 'master' of ssh://git.code.sf.net/u/jeffcarlson72/xtables-addons

The LT library name is libxt_ACCOUNT_cl.la, so the variable should be
`libxt_ACCOUNT_cl_la_LDFLAGS`.

Fixes: 81ab0b9586 ("libxt_ACCOUNT_cl: drop padding holes from struct ipt_ACCOUNT_context")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

INSTALL

@@ -23,6 +23,9 @@ Supported configurations for this release
 
 (Use xtables-addons-1.x if you need support for Linux < 3.7.
 Use xtables-addons-2.x if you need support for Linux < 4.15.)
+Note: xtables-addons regularly fails to build with patched-to-death
+kernels like on RHEL or SLES because the API does not match
+LINUX_KERNEL_VERSION anymore.
 
 
 Selecting extensions

Makefile.am

@@ -1,7 +1,7 @@
 # -*- Makefile -*-
 
 ACLOCAL_AMFLAGS  = -I m4
-SUBDIRS          = extensions geoip
+SUBDIRS          = extensions extensions/ACCOUNT extensions/pknock geoip
 
 man_MANS := xtables-addons.8
 

Makefile.mans.in

@@ -40,4 +40,4 @@ targets.man: .manpages.lst ${wcman_targets}
 	$(call man_run,${wlist_targets})
 
 clean:
-	rm -f xtables-addons.8 matches.man targets.man
+	rm -f xtables-addons.8 matches.man targets.man .manpages.lst

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.9])
+AC_INIT([xtables-addons], [3.18])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -27,7 +27,7 @@ fi
 AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
 	[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
 PKG_CHECK_MODULES([libxtables], [xtables >= 1.6.0])
-xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
+xtlibdir="$($PKG_CONFIG --variable=xtlibdir xtables)"
 
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
@@ -57,7 +57,7 @@ if test -n "$kbuilddir"; then
 		echo "WARNING: Version detection did not succeed. Continue at own luck.";
 	else
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-		if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 6; then
+		if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 11; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
 		elif test "$kmajor" -eq 5 -a "$kminor" -ge 0; then
 			:

doc/changelog.txt

@@ -1,3 +1,54 @@
+v3.18 (2021-03-11)
+==================
+- xt_pknock: fix a build failure on ARM 32-bit
+
+
+v3.17 (2021-02-28)
+==================
+- xt_pknock: cure a NULL deref
+
+
+v3.16 (2021-02-24)
+==================
+- xt_pknock: build fix for ILP32 targets
+
+
+v3.15 (2021-02-05)
+==================
+- xt_ECHO: support new function signature of security_skb_classify_flow
+- xt_lscan: add --mirai option
+- Support for Linux 5.11
+
+
+v3.14 (2020-11-24)
+==================
+- DELUDE, ECHO, TARPIT: use actual tunnel socket (ip_route_me_harder).
+- geoip: scripts for use with MaxMind DB have been brought back,
+  partly under new names.
+- Gave xt_geoip_fetch a more fitting name, xt_geoip_query.
+
+
+v3.13 (2020-11-20)
+==================
+- Support for Linux 4.19.158 and 5.4.78 (ip_route_me_harder)
+
+
+v3.12 (2020-11-19)
+==================
+- Support for Linux 5.10 and 5.9.9 API
+  (changes to ip_route_me_harder there)
+
+
+v3.11 (2020-09-06)
+==================
+- Support for up to Linux 5.9
+
+
+v3.10 (2020-07-28)
+==================
+- Support for up to Linux 5.8
+
+
 v3.9 (2020-02-25)
 =================
 - Support for Linux 5.6 procfs changes

extensions/ACCOUNT/Makefile.am

@@ -9,5 +9,6 @@ sbin_PROGRAMS = iptaccount
 iptaccount_LDADD = libxt_ACCOUNT_cl.la
 
 lib_LTLIBRARIES = libxt_ACCOUNT_cl.la
+libxt_ACCOUNT_cl_la_LDFLAGS = -version-info 1:0:0
 
 man_MANS = iptaccount.8

extensions/ACCOUNT/libxt_ACCOUNT_cl.c

@@ -34,7 +34,8 @@ int ipt_ACCOUNT_init(struct ipt_ACCOUNT_context *ctx)
 
 	// 4096 bytes default buffer should save us from reallocations
 	// as it fits 200 concurrent active clients
-	if ((ctx->data = malloc(IPT_ACCOUNT_MIN_BUFSIZE)) == NULL) {
+	ctx->data = malloc(IPT_ACCOUNT_MIN_BUFSIZE);
+	if (ctx->data == NULL) {
 		close(ctx->sockfd);
 		ctx->sockfd = -1;
 		ctx->error_str = "Out of memory for data buffer";

extensions/ACCOUNT/libxt_ACCOUNT_cl.h

@@ -7,10 +7,7 @@
  *   version 2.1 as published by the Free Software Foundation;             *
  *                                                                         *
  ***************************************************************************/
-
-#ifndef _xt_ACCOUNT_cl_H
-#define _xt_ACCOUNT_cl_H
-
+#pragma once
 #include <xt_ACCOUNT.h>
 
 #define LIBXT_ACCOUNT_VERSION "1.3"
@@ -23,9 +20,8 @@ struct ipt_ACCOUNT_context
 	int sockfd;
 	struct ipt_acc_handle_sockopt handle;
 
-	unsigned int data_size;
+	unsigned int data_size, pos;
 	void *data;
-	unsigned int pos;
 
 	char *error_str;
 };
@@ -55,6 +51,3 @@ const char *ipt_ACCOUNT_get_next_name(struct ipt_ACCOUNT_context *ctx);
 #ifdef __cplusplus
 }
 #endif
-
-
-#endif

extensions/ACCOUNT/xt_ACCOUNT.c

@@ -28,6 +28,9 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/string.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+#include <linux/sockptr.h>
+#endif
 #include <linux/spinlock.h>
 #include <asm/uaccess.h>
 #include <net/netns/generic.h>
@@ -184,24 +187,22 @@ static int ipt_acc_table_insert(struct ipt_acc_table *ipt_acc_tables,
 {
 	unsigned int i;
 
-	pr_debug("ACCOUNT: ipt_acc_table_insert: %s, %u.%u.%u.%u/%u.%u.%u.%u\n",
-		name, NIPQUAD(ip), NIPQUAD(netmask));
+	pr_debug("ACCOUNT: ipt_acc_table_insert: %s, %pI4/%pI4\n",
+	         name, &ip, &netmask);
 
 	/* Look for existing table */
 	for (i = 0; i < max_tables_limit; i++) {
 		if (strncmp(ipt_acc_tables[i].name, name,
 		    ACCOUNT_TABLE_NAME_LEN) == 0) {
-			pr_debug("ACCOUNT: Found existing slot: %d - "
-				"%u.%u.%u.%u/%u.%u.%u.%u\n", i,
-				NIPQUAD(ipt_acc_tables[i].ip),
-				NIPQUAD(ipt_acc_tables[i].netmask));
+			pr_debug("ACCOUNT: Found existing slot: %d - %pI4/%pI4\n",
+			         i, &ipt_acc_tables[i].ip, &ipt_acc_tables[i].netmask);
 
 			if (ipt_acc_tables[i].ip != ip
 			    || ipt_acc_tables[i].netmask != netmask) {
 				printk("ACCOUNT: Table %s found, but IP/netmask mismatch. "
-					"IP/netmask found: %u.%u.%u.%u/%u.%u.%u.%u\n",
-					name, NIPQUAD(ipt_acc_tables[i].ip),
-					NIPQUAD(ipt_acc_tables[i].netmask));
+					"IP/netmask found: %pI4/%pI4\n",
+				       name, &ipt_acc_tables[i].ip,
+				       &ipt_acc_tables[i].netmask);
 				return -1;
 			}
 
@@ -340,9 +341,8 @@ static void ipt_acc_depth0_insert(struct ipt_acc_mask_24 *mask_24,
 	/* Check if this entry is new */
 	bool is_src_new_ip = false, is_dst_new_ip = false;
 
-	pr_debug("ACCOUNT: ipt_acc_depth0_insert: %u.%u.%u.%u/%u.%u.%u.%u "
-		"for net %u.%u.%u.%u/%u.%u.%u.%u, size: %u\n", NIPQUAD(src_ip),
-		NIPQUAD(dst_ip), NIPQUAD(net_ip), NIPQUAD(netmask), size);
+	pr_debug("ACCOUNT: ipt_acc_depth0_insert: %pI4/%pI4 for net %pI4/%pI4,"
+	         " size: %u\n", &src_ip, &dst_ip, &net_ip, &netmask, size);
 
 	/* Check if src/dst is inside our network. */
 	/* Special: net_ip = 0.0.0.0/0 gets stored as src in slot 0 */
@@ -354,9 +354,8 @@ static void ipt_acc_depth0_insert(struct ipt_acc_mask_24 *mask_24,
 		is_dst = true;
 
 	if (!is_src && !is_dst) {
-		pr_debug("ACCOUNT: Skipping packet %u.%u.%u.%u/%u.%u.%u.%u "
-			"for net %u.%u.%u.%u/%u.%u.%u.%u\n", NIPQUAD(src_ip),
-			NIPQUAD(dst_ip), NIPQUAD(net_ip), NIPQUAD(netmask));
+		pr_debug("ACCOUNT: Skipping packet %pI4/%pI4 for net %pI4/%pI4\n",
+		         &src_ip, &dst_ip, &net_ip, &netmask);
 		return;
 	}
 
@@ -395,11 +394,11 @@ static void ipt_acc_depth0_insert(struct ipt_acc_mask_24 *mask_24,
 		}
 	} else {
 		if (is_src_new_ip) {
-			pr_debug("ACCOUNT: New src_ip: %u.%u.%u.%u\n", NIPQUAD(src_ip));
+			pr_debug("ACCOUNT: New src_ip: %pI4\n", &src_ip);
 			++*itemcount;
 		}
 		if (is_dst_new_ip) {
-			pr_debug("ACCOUNT: New dst_ip: %u.%u.%u.%u\n", NIPQUAD(dst_ip));
+			pr_debug("ACCOUNT: New dst_ip: %pI4\n", &dst_ip);
 			++*itemcount;
 		}
 	}
@@ -498,8 +497,7 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 
 	if (ipt_acc_tables[info->table_nr].name[0] == 0) {
 		printk("ACCOUNT: ipt_acc_target: Invalid table id %u. "
-			"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
-			NIPQUAD(src_ip), NIPQUAD(dst_ip));
+		       "IPs %pI4/%pI4\n", info->table_nr, &src_ip, &dst_ip);
 		spin_unlock_bh(&ian->ipt_acc_lock);
 		return XT_CONTINUE;
 	}
@@ -538,10 +536,8 @@ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 		return XT_CONTINUE;
 	}
 
-	printk("ACCOUNT: ipt_acc_target: Unable to process packet. "
-		"Table id %u. IPs %u.%u.%u.%u/%u.%u.%u.%u\n",
-		info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
-
+	printk("ACCOUNT: ipt_acc_target: Unable to process packet. Table id "
+	       "%u. IPs %pI4/%pI4\n", info->table_nr, &src_ip, &dst_ip);
 	spin_unlock_bh(&ian->ipt_acc_lock);
 	return XT_CONTINUE;
 }
@@ -624,7 +620,8 @@ static int ipt_acc_handle_prepare_read(struct ipt_acc_table *ipt_acc_tables,
 	dest->itemcount = ipt_acc_tables[table_nr].itemcount;
 
 	/* allocate "root" table */
-	if ((dest->data = ipt_acc_zalloc_page()) == NULL) {
+	dest->data = ipt_acc_zalloc_page();
+	if (dest->data == NULL) {
 		printk("ACCOUNT: out of memory for root table "
 			"in ipt_acc_handle_prepare_read()\n");
 		return -1;
@@ -722,7 +719,8 @@ static int ipt_acc_handle_prepare_read_flush(struct ipt_acc_table *ipt_acc_table
 	}
 
 	/* Try to allocate memory */
-	if (!(new_data_page = ipt_acc_zalloc_page())) {
+	new_data_page = ipt_acc_zalloc_page();
+	if (new_data_page == NULL) {
 		printk("ACCOUNT: ipt_acc_handle_prepare_read_flush(): "
 			"Out of memory!\n");
 		return -1;
@@ -879,7 +877,12 @@ static int ipt_acc_handle_get_data(struct ipt_acc_net *ian,
 }
 
 static int ipt_acc_set_ctl(struct sock *sk, int cmd,
-			void *user, unsigned int len)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
+			   void *user,
+#else
+			   sockptr_t arg,
+#endif
+			   unsigned int len)
 {
 	struct net *net = sock_net(sk);
 	struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
@@ -898,7 +901,12 @@ static int ipt_acc_set_ctl(struct sock *sk, int cmd,
 			break;
 		}
 
-		if (copy_from_user(&handle, user, len)) {
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
+		if (copy_from_user(&handle, user, len))
+#else
+		if (copy_from_sockptr(&handle, arg, len))
+#endif
+		{
 			printk("ACCOUNT: ipt_acc_set_ctl: copy_from_user failed for "
 				"IPT_SO_SET_HANDLE_FREE\n");
 			break;
@@ -966,7 +974,8 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
 
 		/* Allocate a userspace handle */
 		down(&ian->ipt_acc_userspace_mutex);
-		if ((handle.handle_nr = ipt_acc_handle_find_slot(ian->ipt_acc_handles)) == -1) {
+		handle.handle_nr = ipt_acc_handle_find_slot(ian->ipt_acc_handles);
+		if (handle.handle_nr == -1) {
 			ipt_acc_data_free(dest.data, dest.depth);
 			up(&ian->ipt_acc_userspace_mutex);
 			return -EINVAL;

extensions/ACCOUNT/xt_ACCOUNT.h

@@ -7,9 +7,7 @@
  *   version 2 as published by the Free Software Foundation;               *
  *                                                                         *
  ***************************************************************************/
-
-#ifndef _IPT_ACCOUNT_H
-#define _IPT_ACCOUNT_H
+#pragma once
 
 /*
  * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
@@ -39,8 +37,7 @@
 
 /* Structure for the userspace part of ipt_ACCOUNT */
 struct ipt_acc_info {
-	__be32 net_ip;
-	__be32 net_mask;
+	__be32 net_ip, net_mask;
 	char table_name[ACCOUNT_TABLE_NAME_LEN];
 	int32_t table_nr;
 };
@@ -59,10 +56,5 @@ struct ipt_acc_handle_sockopt {
 */
 struct ipt_acc_handle_ip {
 	__be32 ip, __dummy;
-	uint64_t src_packets;
-	uint64_t src_bytes;
-	uint64_t dst_packets;
-	uint64_t dst_bytes;
+	uint64_t src_packets, src_bytes, dst_packets, dst_bytes;
 };
-
-#endif /* _IPT_ACCOUNT_H */

extensions/compat_skbuff.h

@@ -1,6 +1,4 @@
-#ifndef COMPAT_SKBUFF_H
-#define COMPAT_SKBUFF_H 1
-
+#pragma once
 struct tcphdr;
 struct udphdr;
 
@@ -12,5 +10,3 @@ struct udphdr;
 #else
 #	define skb_secmark(skb) 0
 #endif
-
-#endif /* COMPAT_SKBUFF_H */

extensions/compat_user.h

@@ -1,12 +1,8 @@
 /*
  *	Userspace-level compat hacks
  */
-#ifndef _XTABLES_COMPAT_USER_H
-#define _XTABLES_COMPAT_USER_H 1
-
+#pragma once
 /* linux-glibc-devel 2.6.34 header screwup */
 #ifndef ALIGN
 #	define ALIGN(s, n) (((s) + ((n) - 1)) & ~((n) - 1))
 #endif
-
-#endif /* _XTABLES_COMPAT_USER_H */

extensions/compat_xtables.c

@@ -23,7 +23,6 @@
 #include <net/route.h>
 #include <linux/export.h>
 #include "compat_skbuff.h"
-#include "compat_xtnu.h"
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 #	define WITH_IPV6 1
 #endif

extensions/compat_xtables.h

@@ -1,10 +1,7 @@
-#ifndef _XTABLES_COMPAT_H
-#define _XTABLES_COMPAT_H 1
-
+#pragma once
 #include <linux/kernel.h>
 #include <linux/version.h>
 #include "compat_skbuff.h"
-#include "compat_xtnu.h"
 
 #define DEBUGP Use__pr_debug__instead
 
@@ -21,25 +18,13 @@
 #	warning You need CONFIG_NF_CONNTRACK.
 #endif
 
-#if !defined(NIP6) && !defined(NIP6_FMT)
-#	define NIP6(addr) \
-		ntohs((addr).s6_addr16[0]), \
-		ntohs((addr).s6_addr16[1]), \
-		ntohs((addr).s6_addr16[2]), \
-		ntohs((addr).s6_addr16[3]), \
-		ntohs((addr).s6_addr16[4]), \
-		ntohs((addr).s6_addr16[5]), \
-		ntohs((addr).s6_addr16[6]), \
-		ntohs((addr).s6_addr16[7])
-#	define NIP6_FMT "%04hx:%04hx:%04hx:%04hx:%04hx:%04hx:%04hx:%04hx"
-#endif
-#if !defined(NIPQUAD) && !defined(NIPQUAD_FMT)
-#	define NIPQUAD(addr) \
-		((const unsigned char *)&addr)[0], \
-		((const unsigned char *)&addr)[1], \
-		((const unsigned char *)&addr)[2], \
-		((const unsigned char *)&addr)[3]
-#	define NIPQUAD_FMT "%hhu.%hhu.%hhu.%hhu"
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0) || \
+    LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 9) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0) || \
+    LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 78) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0) || \
+    LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 158) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 20, 0)
+#else
+#	define ip_route_me_harder(xnet, xsk, xskb, xaddrtype) ip_route_me_harder((xnet), (xskb), (xaddrtype))
+#	define ip6_route_me_harder(xnet, xsk, xskb) ip6_route_me_harder((xnet), (xskb))
 #endif
 
 static inline struct net *par_net(const struct xt_action_param *par)
@@ -60,4 +45,4 @@ static inline struct net *par_net(const struct xt_action_param *par)
 #	define proc_release release
 #endif
 
-#endif /* _XTABLES_COMPAT_H */
+extern void *HX_memmem(const void *, size_t, const void *, size_t);

extensions/compat_xtnu.h

@@ -1,67 +0,0 @@
-#ifndef _COMPAT_XTNU_H
-#define _COMPAT_XTNU_H 1
-
-#include <linux/netfilter/x_tables.h>
-
-struct module;
-struct sk_buff;
-
-struct xtnu_match {
-	/*
-	 * Making it smaller by sizeof(void *) on purpose to catch
-	 * lossy translation, if any.
-	 */
-	char name[sizeof(((struct xt_match *)NULL)->name) - 1 - sizeof(void *)];
-	uint8_t revision;
-	bool (*match)(const struct sk_buff *, struct xt_action_param *);
-	int (*checkentry)(const struct xt_mtchk_param *);
-	void (*destroy)(const struct xt_mtdtor_param *);
-	struct module *me;
-	const char *table;
-	unsigned int matchsize, hooks;
-	unsigned short proto, family;
-
-	void *__compat_match;
-};
-
-struct xtnu_target {
-	char name[sizeof(((struct xt_target *)NULL)->name) - 1 - sizeof(void *)];
-	uint8_t revision;
-	unsigned int (*target)(struct sk_buff **,
-		const struct xt_action_param *);
-	int (*checkentry)(const struct xt_tgchk_param *);
-	void (*destroy)(const struct xt_tgdtor_param *);
-	struct module *me;
-	const char *table;
-	unsigned int targetsize, hooks;
-	unsigned short proto, family;
-
-	void *__compat_target;
-};
-
-static inline struct xtnu_match *xtcompat_numatch(const struct xt_match *m)
-{
-	void *q;
-	memcpy(&q, m->name + sizeof(m->name) - sizeof(void *), sizeof(void *));
-	return q;
-}
-
-static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
-{
-	void *q;
-	memcpy(&q, t->name + sizeof(t->name) - sizeof(void *), sizeof(void *));
-	return q;
-}
-
-extern int xtnu_register_match(struct xtnu_match *);
-extern void xtnu_unregister_match(struct xtnu_match *);
-extern int xtnu_register_matches(struct xtnu_match *, unsigned int);
-extern void xtnu_unregister_matches(struct xtnu_match *, unsigned int);
-extern int xtnu_register_target(struct xtnu_target *);
-extern void xtnu_unregister_target(struct xtnu_target *);
-extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
-extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
-
-extern void *HX_memmem(const void *, size_t, const void *, size_t);
-
-#endif /* _COMPAT_XTNU_H */

extensions/libxt_DNETMAP.man

@@ -46,7 +46,7 @@ Contains the binding table for the given \fIsubnet/mask\fP. Each line contains
 \fBprenat address\fR, \fBpostnat address\fR, \fBttl\fR (seconds until the entry
 times out), \fBlasthit\fR (last hit to the entry in seconds relative to system
 boot time). Please note that the \fBttl\fR and \fBlasthit\fR entries contain an
-'\fBS\fR' in case of a static binding.
+\(oq\fBS\fR\(cq in case of a static binding.
 .TP
 \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
 Contains statistics for a given \fIsubnet/mask\fP. The line contains four

extensions/libxt_geoip.c

@@ -75,7 +75,6 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
 	void *subnets;
 	struct stat sb;
 	char buf[256];
-	int fd;
 #if __BYTE_ORDER == __LITTLE_ENDIAN
 	unsigned int n;
 #endif
@@ -86,7 +85,8 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
 	else
 		snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/%s.iv4", code);
 
-	if ((fd = open(buf, O_RDONLY)) < 0) {
+	int fd = open(buf, O_RDONLY);
+	if (fd < 0) {
 		fprintf(stderr, "Could not open %s: %s\n", buf, strerror(errno));
 		xtables_error(OTHER_PROBLEM, "Could not read geoip database");
 	}
@@ -203,7 +203,8 @@ static unsigned int parse_geoip_cc(const char *ccstr, uint16_t *cc,
 		next = strchr(cp, ',');
 		if (next) *next++ = '\0';
 
-		if ((cctmp = check_geoip_cc(cp, cc, count)) != 0) {
+		cctmp = check_geoip_cc(cp, cc, count);
+		if (cctmp != 0) {
 			if ((mem[count++].user =
 			    (unsigned long)geoip_load_cc(cp, cctmp, nfproto)) == 0)
 				xtables_error(OTHER_PROBLEM,

extensions/libxt_lscan.c

@@ -24,6 +24,7 @@ static const struct option lscan_mt_opts[] = {
 	{.name = "synscan", .has_arg = false, .val = 's'},
 	{.name = "cnscan",  .has_arg = false, .val = 'c'},
 	{.name = "grscan",  .has_arg = false, .val = 'g'},
+	{.name = "mirai",   .has_arg = false, .val = 'm'},
 	{NULL},
 };
 
@@ -35,7 +36,8 @@ static void lscan_mt_help(void)
 		"  --stealth    Match TCP Stealth packets\n"
 		"  --synscan    Match TCP SYN scans\n"
 		"  --cnscan     Match TCP Connect scans\n"
-		"  --grscan     Match Banner Grabbing scans\n");
+		"  --grscan     Match Banner Grabbing scans\n"
+		"  --mirai      Match TCP scan with ISN = dest. IP\n");
 }
 
 static int lscan_mt_parse(int c, char **argv, int invert,
@@ -45,16 +47,19 @@ static int lscan_mt_parse(int c, char **argv, int invert,
 
 	switch (c) {
 	case 'c':
-		info->match_cn = true;
+		info->match_fl3 |= LSCAN_FL3_CN;
 		return true;
 	case 'g':
-		info->match_gr = true;
+		info->match_fl4 |= LSCAN_FL4_GR;
+		return true;
+	case 'm':
+		info->match_fl1 |= LSCAN_FL1_MIRAI;
 		return true;
 	case 's':
-		info->match_syn = true;
+		info->match_fl2 |= LSCAN_FL2_SYN;
 		return true;
 	case 'x':
-		info->match_stealth = true;
+		info->match_fl1 |= LSCAN_FL1_STEALTH;
 		return true;
 	}
 	return false;
@@ -68,14 +73,16 @@ static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 
-	if (info->match_stealth)
+	if (info->match_fl1 & LSCAN_FL1_STEALTH)
 		printf(" --stealth ");
-	if (info->match_syn)
+	if (info->match_fl2 & LSCAN_FL2_SYN)
 		printf(" --synscan ");
-	if (info->match_cn)
+	if (info->match_fl3 & LSCAN_FL3_CN)
 		printf(" --cnscan ");
-	if (info->match_gr)
+	if (info->match_fl4 & LSCAN_FL4_GR)
 		printf(" --grscan ");
+	if (info->match_fl1 & LSCAN_FL1_MIRAI)
+		printf(" --mirai ");
 }
 
 static void lscan_mt_print(const void *ip,

extensions/libxt_lscan.man

@@ -27,6 +27,11 @@ warranted single-direction data flows, usually bulk data transfers such as
 FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
 ports where a protocol runs that is guaranteed to do a bidirectional exchange
 of bytes.
+.TP
+\fB\-\-mirai\fP
+Match if the TCP ISN is equal to the IPv4 destination address; this is used
+by the devices in the Mirai botnet as a form of TCP SYN scan, so you will
+have to explicitly specify --syn for the rule.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
 so be advised to carefully use xt_lscan in conjunction with blocking rules,

extensions/libxt_quota2.c

@@ -70,7 +70,7 @@ quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
 		/* zero termination done on behalf of the kernel module */
 		xtables_param_act(XTF_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
 		xtables_param_act(XTF_NO_INVERT, "quota", "--name", invert);
-		strncpy(info->name, optarg, sizeof(info->name));
+		snprintf(info->name, sizeof(info->name), "%s", optarg);
 		*flags |= FL_NAME;
 		return true;
 	case 'p':

extensions/pknock/Makefile.am

@@ -5,4 +5,5 @@ AM_CFLAGS   = ${regular_CFLAGS} ${libxtables_CFLAGS}
 
 include ../../Makefile.extra
 
-noinst_PROGRAMS = pknlusr
+sbin_PROGRAMS = pknlusr
+dist_man_MANS = pknlusr.8

extensions/pknock/libxt_pknock.c

@@ -11,7 +11,6 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
-
 #include <xtables.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
@@ -34,18 +33,23 @@ static const struct option pknock_mt_opts[] = {
 static void pknock_mt_help(void)
 {
 	printf("pknock match options:\n"
-		" --knockports port[,port,port,...]	"
-			"Matches destination port(s).\n"
-		" --time seconds\n"
+		"  --knockports port[,port[,port[,...]]]\n"
+			"\t\t\t\tMatches destination port(s).\n"
+		"  --time seconds		"
 			"Max allowed time between knocks.\n"
-		" --autoclose minutes\n"
+		"  --autoclose minutes		"
 			"Time after which to automatically close opened\n"
-			"\t\t\t\t\tport(s).\n"
-		" --strict				"
-			"Knocks sequence must be exact.\n"
-		" --name rule_name			"
+			"\t\t\t\tport(s).\n"
+		"  --name rule_name		"
 			"Rule name.\n"
-		" --checkip				"
+		"  --opensecret secret		"
+			"(UDP only) Secret to activate the rule.\n"
+		"  --closesecret secret		"
+			"(UDP only) Secret to deactivate the\n"
+			"\t\t\t\trule.\n"
+		"  --strict			"
+			"Knocks sequence must be exact.\n"
+		"  --checkip			"
 			"Matches if the source ip is in the list.\n"
 		);
 }
@@ -70,7 +74,6 @@ parse_ports(const char *portstring, uint16_t *ports, const char *proto)
 
 	if (cp != NULL)
 		xtables_error(PARAMETER_PROBLEM, "too many ports specified");
-
 	free(buffer);
 	return i;
 }
@@ -91,12 +94,11 @@ proto_to_name(uint8_t proto)
 static const char *
 check_proto(uint16_t pnum, uint8_t invflags)
 {
-	char *proto;
-
 	if (invflags & XT_INV_PROTO)
 		xtables_error(PARAMETER_PROBLEM, PKNOCK "only works with TCP and UDP.");
 
-	if ((proto = proto_to_name(pnum)) != NULL)
+	const char *proto = proto_to_name(pnum);
+	if (proto != NULL)
 		return proto;
 	else if (pnum == 0)
 		xtables_error(PARAMETER_PROBLEM, PKNOCK "needs `-p tcp' or `-p udp'");
@@ -123,7 +125,7 @@ __pknock_parse(int c, char **argv, int invert, unsigned int *flags,
 		info->ports_count = parse_ports(optarg, info->port, proto);
 		info->option |= XT_PKNOCK_KNOCKPORT;
 		*flags |= XT_PKNOCK_KNOCKPORT;
-#if DEBUG
+#ifdef DEBUG
 		printf("ports_count: %d\n", info->ports_count);
 #endif
 		break;
@@ -162,7 +164,7 @@ __pknock_parse(int c, char **argv, int invert, unsigned int *flags,
 		info->rule_name_len = strlen(info->rule_name);
 		info->option |= XT_PKNOCK_NAME;
 		*flags |= XT_PKNOCK_NAME;
-#if DEBUG
+#ifdef DEBUG
 		printf("info->rule_name: %s\n", info->rule_name);
 #endif
 		break;
@@ -213,7 +215,6 @@ __pknock_parse(int c, char **argv, int invert, unsigned int *flags,
 
 	if (invert)
 		xtables_error(PARAMETER_PROBLEM, PKNOCK "does not support invert.");
-
 	return 1;
 }
 
@@ -267,7 +268,7 @@ static void pknock_mt_check(unsigned int flags)
 }
 
 static void pknock_mt_print(const void *ip,
-						const struct xt_entry_match *match, int numeric)
+    const struct xt_entry_match *match, int numeric)
 {
 	const struct xt_pknock_mtinfo *info = (void *)match->data;
 	int i;

extensions/pknock/pknlusr.8

@@ -0,0 +1,18 @@
+.TH pknlusr 8 "2020-10-22" "xtables-addons" "xtables-addons"
+.SH NAME
+.PP
+pknlusr \(em userspace monitor for successful xt_pknock matches
+.SH Synopsis
+.PP
+\fBpknlusr\fP [\fIgroup-id\fP]
+.SH Description
+\fIxt_pknock\fP is an xtables match extension that implements so-called \fIport
+knocking\fP. It can be configured to send information about each successful
+match via a netlink socket to userspace. \fBpknluser\fP listens for these
+notifications.
+.PP
+By default, \fBpknlusr\fP listens for messages sent to netlink multicast group
+1. Another group ID may be passed as a command-line argument.
+.SH See also
+.PP
+xtables-addons(8)

extensions/pknock/pknlusr.c

@@ -7,85 +7,94 @@
 #include <arpa/inet.h>
 #include <linux/netlink.h>
 #include <linux/connector.h>
+#include <errno.h>
+#include <libgen.h>
+#include <limits.h>
 
 #include "xt_pknock.h"
 
-#define GROUP 1
+#define DEFAULT_GROUP_ID 1
+#define MIN_GROUP_ID DEFAULT_GROUP_ID
+#define MAX_GROUP_ID \
+	(sizeof((struct sockaddr_nl){0}.nl_groups) * CHAR_BIT)
 
-static struct sockaddr_nl src_addr, dest_addr;
-static int sock_fd;
-
-static unsigned char *buf;
-
-static struct xt_pknock_nl_msg *nlmsg;
-
-int main(void)
+int main(int argc, char **argv)
 {
-	socklen_t addrlen;
 	int status;
-	int group = GROUP;
+	unsigned int group_id = DEFAULT_GROUP_ID;
+	struct sockaddr_nl local_addr = {.nl_family = AF_NETLINK};
+	int sock_fd;
+	size_t nlmsg_size;
+	struct nlmgrhdr *nlmsg;
+	struct cn_msg *cn_msg;
+	struct xt_pknock_nl_msg *pknock_msg;
 
-	int buf_size;
+	if (argc > 2) {
+		char *prog = strdup(argv[0]);
+		if (prog == NULL) {
+			perror("strdup()");
+		} else {
+			fprintf(stderr, "%s [ group-id ]\n", basename(prog));
+			free(prog);
+		}
+		exit(EXIT_FAILURE);
+	}
 
-	const char *ip;
-	char ipbuf[48];
+	if (argc == 2) {
+		long n;
+		char *end;
+
+		errno = 0;
+		n = strtol(argv[1], &end, 10);
+		if (*end || (errno && (n == LONG_MIN || n == LONG_MAX)) ||
+		    n < MIN_GROUP_ID || n > MAX_GROUP_ID) {
+			fputs("Group ID invalid.\n", stderr);
+			exit(EXIT_FAILURE);
+		}
+		group_id = n;
+	}
 
 	sock_fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
-
 	if (sock_fd == -1) {
 		perror("socket()");
-		return 1;
+		exit(EXIT_FAILURE);
 	}
 
-	memset(&src_addr, 0, sizeof(src_addr));
-	src_addr.nl_family = AF_NETLINK;
-	src_addr.nl_pid = getpid();
-	src_addr.nl_groups = group;
-
-	status = bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr));
-
+	local_addr.nl_groups = 1U << (group_id - 1);
+	status = bind(sock_fd, (struct sockaddr *)&local_addr, sizeof(local_addr));
 	if (status == -1) {
-		close(sock_fd);
 		perror("bind()");
-		return 1;
+		goto err_close_sock;
 	}
 
-	memset(&dest_addr, 0, sizeof(dest_addr));
-	dest_addr.nl_family = AF_NETLINK;
-	dest_addr.nl_pid = 0;
-	dest_addr.nl_groups = group;
-
-	buf_size = sizeof(struct xt_pknock_nl_msg) + sizeof(struct cn_msg) + sizeof(struct nlmsghdr);
-	buf = malloc(buf_size);
-
-	if (!buf) {
+	nlmsg_size = NLMSG_SPACE(sizeof(*cn_msg) + sizeof(*pknock_msg));
+	nlmsg = malloc(nlmsg_size);
+	if (!nlmsg) {
 		perror("malloc()");
-		return 1;
+		goto err_close_sock;
 	}
 
-	addrlen = sizeof(dest_addr);
-
 	while(1) {
+		const char *ip;
+		char ipbuf[INET_ADDRSTRLEN];
 
-		memset(buf, 0, buf_size);
-
-		status = recvfrom(sock_fd, buf, buf_size, 0, (struct sockaddr *)&dest_addr, &addrlen);
-
-		if (status <= 0) {
-			perror("recvfrom()");
-			return 1;
+		memset(nlmsg, 0, nlmsg_size);
+		status = recv(sock_fd, nlmsg, nlmsg_size, 0);
+		if (status < 0) {
+			perror("recv()");
+			goto err_free_msg;
 		}
-
-	nlmsg = (struct xt_pknock_nl_msg *) (buf + sizeof(struct cn_msg) + sizeof(struct nlmsghdr));
-
-		ip = inet_ntop(AF_INET, &nlmsg->peer_ip, ipbuf, sizeof(ipbuf));
-		printf("rule_name: %s - ip %s\n", nlmsg->rule_name, ip);
-
+		if (status == 0)
+			break;
+		cn_msg = NLMSG_DATA(nlmsg);
+		pknock_msg = (struct xt_pknock_nl_msg *)(cn_msg->data);
+		ip = inet_ntop(AF_INET, &pknock_msg->peer_ip, ipbuf, sizeof(ipbuf));
+		printf("rule_name: %s - ip %s\n", pknock_msg->rule_name, ip);
 	}
 
+err_free_msg:
+	free(nlmsg);
+err_close_sock:
 	close(sock_fd);
-
-	free(buf);
-
-	return 0;
+	exit(status == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
 }

extensions/pknock/xt_pknock.c

@@ -90,21 +90,15 @@ enum {
 #define hashtable_for_each_safe(pos, n, head, size, i)	\
 	for ((i) = 0; (i) < (size); ++(i)) \
 		list_for_each_safe((pos), (n), (&head[(i)]))
-
-#define pk_debug(msg, peer) pr_debug( \
-			"(S) peer: " NIPQUAD_FMT " - %s.\n", \
-			NIPQUAD((peer)->ip), msg)
+#define pk_debug(msg, peer) pr_debug("(S) peer: %pI4 - %s.\n", &((peer)->ip), msg)
 
 static uint32_t ipt_pknock_hash_rnd;
-
 static unsigned int rule_hashsize	= DEFAULT_RULE_HASH_SIZE;
 static unsigned int peer_hashsize	= DEFAULT_PEER_HASH_SIZE;
 static unsigned int gc_expir_time = DEFAULT_GC_EXPIRATION_TIME;
 static int nl_multicast_group		= -1;
-
 static struct list_head *rule_hashtable;
 static struct proc_dir_entry *pde;
-
 static DEFINE_SPINLOCK(list_lock);
 
 static struct {
@@ -159,7 +153,6 @@ alloc_hashtable(unsigned int size)
 		return NULL;
 	for (i = 0; i < size; ++i)
 		INIT_LIST_HEAD(&hash[i]);
-
 	return hash;
 }
 
@@ -191,10 +184,8 @@ pknock_seq_start(struct seq_file *s, loff_t *pos)
 	const struct xt_pknock_rule *rule = s->private;
 
 	spin_lock_bh(&list_lock);
-
 	if (*pos >= peer_hashsize)
 		return NULL;
-
 	return rule->peer_head + *pos;
 }
 
@@ -212,7 +203,6 @@ pknock_seq_next(struct seq_file *s, void *v, loff_t *pos)
 	++*pos;
 	if (*pos >= peer_hashsize)
 		return NULL;
-
 	return rule->peer_head + *pos;
 }
 
@@ -238,13 +228,11 @@ pknock_seq_show(struct seq_file *s, void *v)
 	const struct peer *peer;
 	unsigned long time;
 	const struct list_head *peer_head = v;
-
 	const struct xt_pknock_rule *rule = s->private;
 
 	list_for_each_safe(pos, n, peer_head) {
 		peer = list_entry(pos, struct peer, head);
-
-		seq_printf(s, "src=" NIPQUAD_FMT " ", NIPQUAD(peer->ip));
+		seq_printf(s, "src=%pI4 ", &peer->ip);
 		seq_printf(s, "proto=%s ", (peer->proto == IPPROTO_TCP) ?
                                                 "TCP" : "UDP");
 		seq_printf(s, "status=%s ", status_itoa(peer->status));
@@ -259,12 +247,11 @@ pknock_seq_show(struct seq_file *s, void *v)
 			seq_printf(s, "expir_time=%lu [secs] ", time);
 		}
 		if (peer->status == ST_ALLOWED && rule->autoclose_time != 0) {
+			unsigned long x = ktime_get_seconds();
+			unsigned long y = peer->login_sec + rule->autoclose_time * 60;
 			time = 0;
-			if (time_before(get_seconds(), peer->login_sec +
-			    rule->autoclose_time * 60))
-				time = peer->login_sec +
-				       rule->autoclose_time * 60 -
-				       get_seconds();
+			if (time_before(x, y))
+				time = y - x;
 			seq_printf(s, "autoclose_time=%lu [secs] ", time);
 		}
 		seq_printf(s, "\n");
@@ -311,7 +298,6 @@ static void update_rule_gc_timer(struct xt_pknock_rule *rule)
 {
 	if (timer_pending(&rule->timer))
 		del_timer(&rule->timer);
-
 	rule->timer.expires = jiffies + msecs_to_jiffies(gc_expir_time);
 	add_timer(&rule->timer);
 }
@@ -325,8 +311,12 @@ static void update_rule_gc_timer(struct xt_pknock_rule *rule)
 static inline bool
 autoclose_time_passed(const struct peer *peer, unsigned int autoclose_time)
 {
-	return peer != NULL && autoclose_time != 0 && time_after(get_seconds(),
-	       peer->login_sec + autoclose_time * 60);
+	unsigned long x, y;
+	if (peer == NULL || autoclose_time == 0)
+		return false;
+	x = ktime_get_seconds();
+	y = peer->login_sec + autoclose_time * 60;
+	return time_after(x, y);
 }
 
 /**
@@ -348,7 +338,12 @@ is_interknock_time_exceeded(const struct peer *peer, unsigned int max_time)
 static inline bool
 has_logged_during_this_minute(const struct peer *peer)
 {
-	return peer != NULL && peer->login_sec / 60 == get_seconds() / 60;
+	uint64_t x, y;
+	if (peer == NULL)
+		return 0;
+	x = ktime_get_seconds();
+	y = peer->login_sec;
+	return do_div(y, 60) == do_div(x, 60);
 }
 
 /**
@@ -433,7 +428,6 @@ add_rule(struct xt_pknock_mtinfo *info)
 
 	list_for_each_safe(pos, n, &rule_hashtable[hash]) {
 		rule = list_entry(pos, struct xt_pknock_rule, head);
-
 		if (!rulecmp(info, rule))
 			continue;
 		++rule->ref_count;
@@ -442,7 +436,6 @@ add_rule(struct xt_pknock_mtinfo *info)
 			rule->max_time       = info->max_time;
 			rule->autoclose_time = info->autoclose_time;
 		}
-
 		if (info->option & XT_PKNOCK_CHECKIP)
 			pr_debug("add_rule() (AC) rule found: %s - "
 				"ref_count: %d\n",
@@ -450,16 +443,13 @@ add_rule(struct xt_pknock_mtinfo *info)
 		return true;
 	}
 
-	rule = kmalloc(sizeof(*rule), GFP_KERNEL);
+	rule = kzalloc(sizeof(*rule), GFP_KERNEL);
 	if (rule == NULL)
 		return false;
 
 	INIT_LIST_HEAD(&rule->head);
-
-	memset(rule->rule_name, 0, sizeof(rule->rule_name));
 	strncpy(rule->rule_name, info->rule_name, info->rule_name_len);
 	rule->rule_name_len = info->rule_name_len;
-
 	rule->ref_count      = 1;
 	rule->max_time       = info->max_time;
 	rule->autoclose_time = info->autoclose_time;
@@ -502,7 +492,6 @@ remove_rule(struct xt_pknock_mtinfo *info)
 
 	list_for_each_safe(pos, n, &rule_hashtable[hash]) {
 		rule = list_entry(pos, struct xt_pknock_rule, head);
-
 		if (rulecmp(info, rule)) {
 			found = 1;
 			rule->ref_count--;
@@ -528,7 +517,6 @@ remove_rule(struct xt_pknock_mtinfo *info)
 	pr_debug("(D) rule deleted: %s.\n", rule->rule_name);
 	if (timer_pending(&rule->timer))
 		del_timer(&rule->timer);
-
 	list_del(&rule->head);
 	kfree(rule->peer_head);
 	kfree(rule);
@@ -548,7 +536,6 @@ static struct peer *get_peer(struct xt_pknock_rule *rule, __be32 ip)
 	unsigned int hash;
 
 	hash = pknock_hash(&ip, sizeof(ip), ipt_pknock_hash_rnd, peer_hashsize);
-
 	list_for_each_safe(pos, n, &rule->peer_head[hash]) {
 		peer = list_entry(pos, struct peer, head);
 		if (peer->ip == ip)
@@ -582,14 +569,12 @@ static struct peer *new_peer(__be32 ip, uint8_t proto)
 
 	if (peer == NULL)
 		return NULL;
-
 	INIT_LIST_HEAD(&peer->head);
 	peer->ip	= ip;
 	peer->proto	= proto;
 	peer->timestamp = jiffies/HZ;
 	peer->login_sec = 0;
 	reset_knock_status(peer);
-
 	return peer;
 }
 
@@ -677,21 +662,17 @@ static bool
 msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
                 const struct peer *peer, int multicast_group)
 {
-#if defined(CONFIG_CONNECTOR) || defined(CONFIG_CONNECTOR_MODULE)
+#if IS_ENABLED(CONFIG_CONNECTOR)
 	struct cn_msg *m;
 	struct xt_pknock_nl_msg msg;
 
-	m = kmalloc(sizeof(*m) + sizeof(msg), GFP_ATOMIC);
+	m = kzalloc(sizeof(*m) + sizeof(msg), GFP_ATOMIC);
 	if (m == NULL)
 		return false;
-
-	memset(m, 0, sizeof(*m) + sizeof(msg));
-	m->seq = 0;
 	m->len = sizeof(msg);
 
 	msg.peer_ip = peer->ip;
 	scnprintf(msg.rule_name, info->rule_name_len + 1, info->rule_name);
-
 	memcpy(m + 1, &msg, m->len);
 	cn_netlink_send(m, 0, multicast_group, GFP_ATOMIC);
 	kfree(m);
@@ -731,11 +712,12 @@ static bool
 has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
     const unsigned char *payload, unsigned int payload_len)
 {
-	char result[64]; // 64 bytes * 8 = 512 bits
+	char result[64] = ""; // 64 bytes * 8 = 512 bits
 	char *hexresult;
 	unsigned int hexa_size;
 	int ret;
 	bool fret = false;
+	uint64_t x;
 	unsigned int epoch_min;
 
 	if (payload_len == 0)
@@ -751,15 +733,11 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 	/* + 1 cause we MUST add NULL in the payload */
 	if (payload_len != hexa_size + 1)
 		return false;
-
-	hexresult = kmalloc(hexa_size, GFP_ATOMIC);
+	hexresult = kzalloc(hexa_size, GFP_ATOMIC);
 	if (hexresult == NULL)
 		return false;
-
-	memset(result, 0, sizeof(result));
-	memset(hexresult, 0, hexa_size);
-
-	epoch_min = get_seconds() / 60;
+	x = ktime_get_seconds();
+	epoch_min = do_div(x, 60);
 
 	ret = crypto_shash_setkey(crypto.tfm, secret, secret_len);
 	if (ret != 0) {
@@ -778,14 +756,11 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
 		printk("crypto_shash_update/final() failed ret=%d\n", ret);
 		goto out;
 	}
-
 	crypt_to_hex(hexresult, result, crypto.size);
-
 	if (memcmp(hexresult, payload, hexa_size) != 0)
 		pr_debug("secret match failed\n");
 	else
 		fret = true;
-
  out:
 	kfree(hexresult);
 	return fret;
@@ -817,7 +792,6 @@ pass_security(struct peer *peer, const struct xt_pknock_mtinfo *info,
 					info->open_secret_len, peer->ip,
 					payload, payload_len))
 		return true;
-
 	return false;
 }
 
@@ -844,7 +818,6 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info,
 		/* Peer must start the sequence from scratch. */
 		if (info->option & XT_PKNOCK_STRICT)
 			remove_peer(peer);
-
 		return false;
 	}
 
@@ -852,25 +825,20 @@ update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info,
 	if (info->option & XT_PKNOCK_OPENSECRET ) {
 		if (hdr->proto != IPPROTO_UDP && hdr->proto != IPPROTO_UDPLITE)
 			return false;
-
 		if (!pass_security(peer, info, hdr->payload, hdr->payload_len))
 			return false;
 	}
 
 	/* Update the gc timer when there is a state change. */
 	update_rule_gc_timer(rule);
-
 	++peer->accepted_knock_count;
 
 	if (is_last_knock(peer, info)) {
 		peer->status = ST_ALLOWED;
-
 		pk_debug("ALLOWED", peer);
-		peer->login_sec = get_seconds();
-
+		peer->login_sec = ktime_get_seconds();
 		if (nl_multicast_group > 0)
 			msg_to_userspace_nl(info, peer, nl_multicast_group);
-
 		return true;
 	}
 
@@ -947,7 +915,6 @@ static bool pknock_mt(const struct sk_buff *skb,
 	switch (hdr.proto) {
 	case IPPROTO_TCP:
 		break;
-
 	case IPPROTO_UDP:
 	case IPPROTO_UDPLITE:
 		hdr_len = (iph->ihl * 4) + sizeof(struct udphdr);
@@ -969,12 +936,10 @@ static bool pknock_mt(const struct sk_buff *skb,
 
 	/* Gives the peer matching status added to rule depending on ip src. */
 	peer = get_peer(rule, iph->saddr);
-
 	if (info->option & XT_PKNOCK_CHECKIP) {
 		ret = is_allowed(peer);
 		goto out;
 	}
-
 	if (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_UDPLITE) {
 		hdr.payload = (void *)iph + hdr_len;
 		hdr.payload_len = skb->len - hdr_len;
@@ -982,7 +947,8 @@ static bool pknock_mt(const struct sk_buff *skb,
 
 	/* Sets, updates, removes or checks the peer matching status. */
 	if (info->option & XT_PKNOCK_KNOCKPORT) {
-		if ((ret = is_allowed(peer))) {
+		ret = is_allowed(peer);
+		if (ret != 0) {
 			if (info->option & XT_PKNOCK_CLOSESECRET &&
 			    (iph->protocol == IPPROTO_UDP ||
 			    iph->protocol == IPPROTO_UDPLITE))
@@ -1000,10 +966,8 @@ static bool pknock_mt(const struct sk_buff *skb,
 			peer = new_peer(iph->saddr, iph->protocol);
 			add_peer(peer, rule);
 		}
-
 		if (peer == NULL)
 			goto out;
-
 		update_peer(peer, info, rule, &hdr);
 	}
 
@@ -1023,7 +987,7 @@ out:
 	return ret;
 }
 
-#define RETURN_ERR(err) do { printk(KERN_ERR PKNOCK err); return -EINVAL; } while (false)
+#define RETURN_ERR(err) do { pr_err(err); return -EINVAL; } while (false)
 
 static int pknock_mt_check(const struct xt_mtchk_param *par)
 {
@@ -1073,11 +1037,9 @@ static int pknock_mt_check(const struct xt_mtchk_param *par)
 	    memcmp(info->open_secret, info->close_secret,
 	    info->open_secret_len) == 0)
 		RETURN_ERR("opensecret & closesecret cannot be equal.\n");
-
 	if (!add_rule(info))
 		/* should ENOMEM here */
 		RETURN_ERR("add_rule() error in checkentry() function.\n");
-
 	return 0;
 }
 
@@ -1101,7 +1063,7 @@ static struct xt_match xt_pknock_mt_reg __read_mostly = {
 
 static int __init xt_pknock_mt_init(void)
 {
-#if !defined(CONFIG_CONNECTOR) && !defined(CONFIG_CONNECTOR_MODULE)
+#if !IS_ENABLED(CONFIG_CONNECTOR)
 	if (nl_multicast_group != -1)
 		pr_info("CONFIG_CONNECTOR not present; "
 		        "netlink messages disabled\n");
@@ -1110,14 +1072,14 @@ static int __init xt_pknock_mt_init(void)
 	if (gc_expir_time < DEFAULT_GC_EXPIRATION_TIME)
 		gc_expir_time = DEFAULT_GC_EXPIRATION_TIME;
 	if (request_module(crypto.algo) < 0) {
-		printk(KERN_ERR PKNOCK "request_module('%s') error.\n",
+		pr_err("request_module('%s') error.\n",
                         crypto.algo);
 		return -ENXIO;
 	}
 
 	crypto.tfm = crypto_alloc_shash(crypto.algo, 0, 0);
 	if (IS_ERR(crypto.tfm)) {
-		printk(KERN_ERR PKNOCK "failed to load transform for %s\n",
+		pr_err("failed to load transform for %s\n",
 						crypto.algo);
 		return PTR_ERR(crypto.tfm);
 	}
@@ -1127,7 +1089,7 @@ static int __init xt_pknock_mt_init(void)
 
 	pde = proc_mkdir("xt_pknock", init_net.proc_net);
 	if (pde == NULL) {
-		printk(KERN_ERR PKNOCK "proc_mkdir() error in _init().\n");
+		pr_err("proc_mkdir() error in _init().\n");
 		return -ENXIO;
 	}
 	return xt_register_match(&xt_pknock_mt_reg);

extensions/pknock/xt_pknock.h

@@ -8,9 +8,7 @@
  *
  * This program is released under the terms of GNU GPL version 2.
  */
-#ifndef _XT_PKNOCK_H
-#define _XT_PKNOCK_H
-
+#pragma once
 #define PKNOCK "xt_pknock: "
 
 enum {
@@ -29,8 +27,6 @@ enum {
 	XT_PKNOCK_MAX_PASSWD_LEN = 31,
 };
 
-#define DEBUG 1
-
 struct xt_pknock_mtinfo {
 	char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
 	uint32_t			rule_name_len;
@@ -49,5 +45,3 @@ struct xt_pknock_nl_msg {
 	char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
 	__be32 peer_ip;
 };
-
-#endif /* _XT_PKNOCK_H */

extensions/xt_CHAOS.c

@@ -171,7 +171,8 @@ static int __init chaos_tg_init(void)
 		printk(KERN_WARNING PFX "Warning: Could not find or load "
 		       "\"DELUDE\" target\n");
 
-	if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
+	ret = xt_register_target(&chaos_tg_reg);
+	if (ret != 0) {
 		printk(KERN_WARNING PFX "xt_register_target returned "
 		       "error %d\n", ret);
 		goto out3;

extensions/xt_CHAOS.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_CHAOS_H
-#define _LINUX_NETFILTER_XT_CHAOS_H 1
-
+#pragma once
 enum xt_chaos_target_variant {
 	XTCHAOS_NORMAL,
 	XTCHAOS_TARPIT,
@@ -10,5 +8,3 @@ enum xt_chaos_target_variant {
 struct xt_chaos_tginfo {
 	uint8_t variant;
 };
-
-#endif /* _LINUX_NETFILTER_XT_CHAOS_H */

extensions/xt_DELUDE.c

@@ -25,8 +25,8 @@
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
 
-static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook)
+static void delude_send_reset(struct sk_buff *oldskb,
+    const struct xt_action_param *par)
 {
 	struct tcphdr _otcph, *tcph;
 	const struct tcphdr *oth;
@@ -51,7 +51,8 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 		return;
 
 	/* Check checksum */
-	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+	if (nf_ip_checksum(oldskb, par->state->hook, ip_hdrlen(oldskb),
+	    IPPROTO_TCP))
 		return;
 
 	nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
@@ -108,21 +109,21 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 	addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
-	if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+	if (par->state->hook != NF_INET_FORWARD ||
+	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
 	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev))
 #else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
+	if (par->state->hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev))
 #endif
 #else
-	if (hook != NF_INET_FORWARD)
+	if (par->state->hook != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 
 	/* ip_route_me_harder expects skb->dst to be set */
 	skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
-
-	if (ip_route_me_harder(net, nskb, addr_type))
+	if (ip_route_me_harder(par_net(par), par->state->sk, nskb, addr_type))
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -135,8 +136,7 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
-
-	ip_local_out(net, nskb->sk, nskb);
+	ip_local_out(par_net(par), nskb->sk, nskb);
 	return;
 
  free_nskb:
@@ -151,7 +151,7 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	 * a problem, as that is supported since Linux 2.6.35. But since we do not
 	 * actually want to have a connection open, we are still going to drop it.
 	 */
-	delude_send_reset(par_net(par), skb, par->state->hook);
+	delude_send_reset(skb, par);
 	return NF_DROP;
 }
 

extensions/xt_DHCPMAC.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_DHCPMAC_H
-#define _LINUX_NETFILTER_XT_DHCPMAC_H 1
-
+#pragma once
 #define DH_MAC_FMT "%02X:%02X:%02X:%02X:%02X:%02X"
 #define DH_MAC_HEX(z) z[0], z[1], z[2], z[3], z[4], z[5]
 
@@ -8,5 +6,3 @@ struct dhcpmac_info {
 	unsigned char addr[ETH_ALEN];
 	uint8_t mask, invert;
 };
-
-#endif /* _LINUX_NETFILTER_XT_DHCPMAC_H */

extensions/xt_DNETMAP.c

@@ -19,9 +19,10 @@
  */
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#ifdef CONFIG_NF_NAT
 #include <linux/inet.h>
 #include <linux/ip.h>
-#include <linux/module.h>
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
@@ -36,12 +37,6 @@
 #include "compat_xtables.h"
 #include "xt_DNETMAP.h"
 
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
-MODULE_DESCRIPTION(
-	"Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
-MODULE_ALIAS("ipt_DNETMAP");
-
 static unsigned int default_ttl = 600;
 static unsigned int proc_perms = S_IRUGO | S_IWUSR;
 static unsigned int proc_uid;
@@ -66,14 +61,8 @@ MODULE_PARM_DESC(whole_prefix,
 static unsigned int jtimeout;
 
 struct dnetmap_entry {
-	struct list_head list;
-	/* priv2entry */
-	struct list_head glist;
-	/* pub2entry */
-	struct list_head grlist;
-	struct list_head lru_list;
-	__be32 prenat_addr;
-	__be32 postnat_addr;
+	struct list_head list, glist, grlist, lru_list;
+	__be32 prenat_addr, postnat_addr;
 	__u8 flags;
 	unsigned long stamp;
 	struct dnetmap_prefix *prefix;
@@ -83,8 +72,7 @@ struct dnetmap_prefix {
 	struct nf_nat_range prefix;
 	char prefix_str[20];
 #ifdef CONFIG_PROC_FS
-	char proc_str_data[20];
-	char proc_str_stat[25];
+	char proc_str_data[20], proc_str_stat[25];
 #endif
 	struct list_head elist; // element list head
 	struct list_head list;	// prefix list
@@ -127,9 +115,7 @@ static struct dnetmap_entry *
 dnetmap_entry_lookup(struct dnetmap_net *dnetmap_net, const __be32 addr)
 {
 	struct dnetmap_entry *e;
-	unsigned int h;
-
-	h = dnetmap_entry_hash(addr);
+	unsigned int h = dnetmap_entry_hash(addr);
 
 	list_for_each_entry(e, &dnetmap_net->dnetmap_iphash[h], glist)
 		if (memcmp(&e->prenat_addr, &addr, sizeof(addr)) == 0)
@@ -141,9 +127,7 @@ static struct dnetmap_entry *
 dnetmap_entry_rlookup(struct dnetmap_net *dnetmap_net, const __be32 addr)
 {
 	struct dnetmap_entry *e;
-	unsigned int h;
-
-	h = dnetmap_entry_hash(addr);
+	unsigned int h = dnetmap_entry_hash(addr);
 
 	list_for_each_entry(e, &dnetmap_net->dnetmap_iphash[hash_size + h],
 	    grlist)
@@ -293,12 +277,12 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
 	ip_min = ntohl(mr->min_addr.ip) + (whole_prefix == 0);
 	ip_max = ntohl(mr->max_addr.ip) - (whole_prefix == 0);
 
-	sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->min_addr.ip),
+	sprintf(p->prefix_str, "%pI4/%u", &mr->min_addr.ip,
 		33 - ffs(~(ip_min ^ ip_max)));
 #ifdef CONFIG_PROC_FS
-	sprintf(p->proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->min_addr.ip),
+	sprintf(p->proc_str_data, "%pI4_%u", &mr->min_addr.ip,
 		33 - ffs(~(ip_min ^ ip_max)));
-	sprintf(p->proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->min_addr.ip),
+	sprintf(p->proc_str_stat, "%pI4_%u_stat", &mr->min_addr.ip,
 		33 - ffs(~(ip_min ^ ip_max)));
 #endif
 	printk(KERN_INFO KBUILD_MODNAME ": new prefix %s\n", p->prefix_str);
@@ -358,7 +342,6 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	struct net *net = dev_net(par->state->in ? par->state->in : par->state->out);
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
-	struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
 	__be32 prenat_ip, postnat_ip, prenat_ip_prev;
 	const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
@@ -370,11 +353,9 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 #endif
 	struct dnetmap_entry *e;
 	struct dnetmap_prefix *p;
-	__s32 jttl;
 	unsigned int hooknum = par->state->hook;
-	ct = nf_ct_get(skb, &ctinfo);
-
-	jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
+	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+	__s32 jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
 
 	/* in prerouting we try to map postnat-ip to prenat-ip */
 	if (hooknum == NF_INET_PRE_ROUTING) {
@@ -429,8 +410,8 @@ bind_new_prefix:
 		if (e->prenat_addr != 0 && time_before(jiffies, e->stamp)) {
 			if (!disable_log && ! (p->flags & XT_DNETMAP_FULL) ){
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": ip " NIPQUAD_FMT " - no free adresses in prefix %s\n",
-				       NIPQUAD(prenat_ip), p->prefix_str);
+				       ": ip %pI4 - no free adresses in prefix %s\n",
+				       &prenat_ip, p->prefix_str);
 				p->flags |= XT_DNETMAP_FULL;
 			}
 			goto no_free_ip;
@@ -443,8 +424,8 @@ bind_new_prefix:
 			prenat_ip_prev = e->prenat_addr;
 			if (!disable_log)
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-				       NIPQUAD(prenat_ip_prev), NIPQUAD(postnat_ip) );
+				       ": timeout binding %pI4 -> %pI4\n",
+				       &prenat_ip_prev, &postnat_ip);
 			list_del(&e->glist);
 			list_del(&e->grlist);
 		}
@@ -461,18 +442,16 @@ bind_new_prefix:
 							   (postnat_ip)]);
 		if (!disable_log)
 			printk(KERN_INFO KBUILD_MODNAME
-			       ": add binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-						 NIPQUAD(prenat_ip),NIPQUAD(postnat_ip));
-
+			       ": add binding %pI4 -> %pI4\n",
+			       &prenat_ip, &postnat_ip);
 	} else {
 
 		if (!(tginfo->flags & XT_DNETMAP_REUSE) && !(e->flags & XT_DNETMAP_STATIC))
 			if (time_before(e->stamp, jiffies) && p != e->prefix) {
 				if (!disable_log)
 					printk(KERN_INFO KBUILD_MODNAME
-					       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-					       NIPQUAD(e->prenat_addr),
-					       NIPQUAD(e->postnat_addr));
+					       ": timeout binding %pI4 -> %pI4\n",
+					       &e->prenat_addr, &e->postnat_addr);
 				list_del(&e->glist);
 				list_del(&e->grlist);
 				e->prenat_addr = 0;
@@ -571,12 +550,13 @@ static int dnetmap_seq_show(struct seq_file *seq, void *v)
 	const struct dnetmap_entry *e = v;
 
 	if((e->flags & XT_DNETMAP_STATIC) == 0){
-		seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: %d lasthit: %lu\n",
-				NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr),
-				(int)(e->stamp - jiffies) / HZ, (e->stamp - jtimeout) / HZ);
+		seq_printf(seq, "%pI4 -> %pI4 --- ttl: %d lasthit: %lu\n",
+		           &e->prenat_addr, &e->postnat_addr,
+		           (int)(e->stamp - jiffies) / HZ,
+		           (e->stamp - jtimeout) / HZ);
 	}else{
-		seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: S lasthit: S\n",
-				NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr));
+		seq_printf(seq, "%pI4 -> %pI4 --- ttl: S lasthit: S\n",
+		           &e->prenat_addr, &e->postnat_addr);
 	}
 	return 0;
 }
@@ -698,8 +678,8 @@ dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, l
 		if(e != NULL){
 			if (!disable_log)
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-				       NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr) );
+				       ": timeout binding %pI4 -> %pI4\n",
+				       &e->prenat_addr, &e->postnat_addr);
 			list_del(&e->glist);
 			list_del(&e->grlist);
 		}else{
@@ -721,7 +701,7 @@ dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, l
 							   (e->postnat_addr)]);
 		list_del(&e->lru_list);
 
-		sprintf(str, NIPQUAD_FMT ":" NIPQUAD_FMT, NIPQUAD(addr1),NIPQUAD(addr2));
+		sprintf(str, "%pI4:%pI4", &addr1, &addr2);
 		printk(KERN_INFO KBUILD_MODNAME ": adding static binding %s\n", str);
 
 	// case of removing binding
@@ -737,8 +717,8 @@ dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, l
 		if(e != NULL){
 			if (!disable_log)
 				printk(KERN_INFO KBUILD_MODNAME
-				       ": remove binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
-				       NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr) );
+				       ": remove binding %pI4 -> %pI4\n",
+				       &e->prenat_addr, &e->postnat_addr);
 			list_del(&e->glist);
 			list_del(&e->grlist);
 			if(e->flags & XT_DNETMAP_STATIC){
@@ -936,6 +916,18 @@ static void __exit dnetmap_tg_exit(void)
 	xt_unregister_target(&dnetmap_tg_reg);
 	unregister_pernet_subsys(&dnetmap_net_ops);
 }
+#else /* CONFIG_NF_NAT */
+static int __init dnetmap_tg_init(void)
+{
+	pr_err("CONFIG_NF_NAT is not available in your kernel, hence this module cannot function.");
+	return -EINVAL;
+}
+static void __exit dnetmap_tg_exit(void) {}
+#endif
 
 module_init(dnetmap_tg_init);
 module_exit(dnetmap_tg_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
+MODULE_DESCRIPTION("Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
+MODULE_ALIAS("ipt_DNETMAP");

extensions/xt_DNETMAP.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_DNETMAP_H
-#define _LINUX_NETFILTER_XT_DNETMAP_H 1
-
+#pragma once
 #define DNETMAP_VERSION 2
 
 enum {
@@ -17,5 +15,3 @@ struct xt_DNETMAP_tginfo {
 	__u8 flags;
 	__s32 ttl;
 };
-
-#endif

extensions/xt_ECHO.c

@@ -97,7 +97,11 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 	memcpy(&fl.daddr, &newip->daddr, sizeof(fl.daddr));
 	fl.fl6_sport = newudp->source;
 	fl.fl6_dport = newudp->dest;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi_common(&fl));
+#else
 	security_skb_classify_flow((struct sk_buff *)oldskb, flowi6_to_flowi(&fl));
+#endif
 	dst = ip6_route_output(net, NULL, &fl);
 	if (dst == NULL || dst->error != 0) {
 		dst_release(dst);
@@ -113,7 +117,7 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 		goto free_nskb;
 
 	nf_ct_attach(newskb, oldskb);
-	ip6_local_out(par_net(par), newskb->sk, newskb);
+	ip6_local_out(par_net(par), par->state->sk, newskb);
 	return NF_DROP;
 
  free_nskb:
@@ -191,8 +195,8 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
 
 	/* ip_route_me_harder expects the skb's dst to be set */
 	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
-
-	if (ip_route_me_harder(par_net(par), newskb, RTN_UNSPEC) != 0)
+	if (ip_route_me_harder(par_net(par), par->state->sk, newskb,
+	    RTN_UNSPEC) != 0)
 		goto free_nskb;
 
 	newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));

extensions/xt_IPMARK.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_IPMARK_H
-#define _LINUX_NETFILTER_XT_IPMARK_H 1
+#pragma once
 
 enum {
 	XT_IPMARK_SRC,
@@ -7,10 +6,6 @@ enum {
 };
 
 struct xt_ipmark_tginfo {
-	__u32 andmask;
-	__u32 ormask;
-	__u8 selector;
-	__u8 shift;
+	__u32 andmask, ormask;
+	__u8 selector, shift;
 };
-
-#endif /* _LINUX_NETFILTER_XT_IPMARK_H */

extensions/xt_LOGMARK.h

@@ -1,9 +1,5 @@
-#ifndef _LINUX_NETFILTER_XT_LOGMARK_TARGET_H
-#define _LINUX_NETFILTER_XT_LOGMARK_TARGET_H 1
-
+#pragma once
 struct xt_logmark_tginfo {
 	char prefix[14];
 	u_int8_t level;
 };
-
-#endif /* _LINUX_NETFILTER_XT_LOGMARK_TARGET_H */

extensions/xt_PROTO.h

@@ -1,9 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
 /* Protocol modification module for IP tables */
-
-#ifndef _XT_PROTO_H
-#define _XT_PROTO_H
-
+#pragma once
 #include <linux/types.h>
 
 enum {
@@ -13,8 +10,5 @@ enum {
 };
 
 struct xt_PROTO_info {
-	__u8	mode;
-	__u8	proto;
+	__u8 mode, proto;
 };
-
-#endif

extensions/xt_SYSRQ.c

@@ -204,12 +204,11 @@ sysrq_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 
 	if (sysrq_debug)
 		printk(KERN_INFO KBUILD_MODNAME
-		       ": " NIPQUAD_FMT ":%u -> :%u len=%u\n",
-		       NIPQUAD(iph->saddr), htons(udph->source),
+		       ": %pI4:%hu -> :%hu len=%u\n",
+		       &iph->saddr, htons(udph->source),
 		       htons(udph->dest), len);
 #ifdef WITH_CRYPTO
-	sprintf(sysrq_digest_password, NIPQUAD_FMT ",%s",
-	        NIPQUAD(iph->daddr), sysrq_password);
+	sprintf(sysrq_digest_password, "%pI4,%s", &iph->daddr, sysrq_password);
 #endif
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
@@ -238,13 +237,11 @@ sysrq_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 	len  = ntohs(udph->len) - sizeof(struct udphdr);
 
 	if (sysrq_debug)
-		printk(KERN_INFO KBUILD_MODNAME
-		       ": " NIP6_FMT ":%hu -> :%hu len=%u\n",
-		       NIP6(iph->saddr), ntohs(udph->source),
+		printk(KERN_INFO KBUILD_MODNAME ": %pI6:%hu -> :%hu len=%u\n",
+		       &iph->saddr, ntohs(udph->source),
 		       ntohs(udph->dest), len);
 #ifdef WITH_CRYPTO
-	sprintf(sysrq_digest_password, NIP6_FMT ",%s",
-	        NIP6(iph->daddr), sysrq_password);
+	sprintf(sysrq_digest_password, "%pI6,%s", &iph->daddr, sysrq_password);
 #endif
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }

extensions/xt_TARPIT.c

@@ -170,8 +170,8 @@ static bool tarpit_generic(struct tcphdr *tcph, const struct tcphdr *oth,
 	return true;
 }
 
-static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook, unsigned int mode)
+static void tarpit_tcp4(const struct xt_action_param *par,
+    struct sk_buff *oldskb, unsigned int mode)
 {
 	struct tcphdr _otcph, *tcph;
 	const struct tcphdr *oth;
@@ -191,7 +191,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		return;
 
 	/* Check checksum. */
-	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
+	if (nf_ip_checksum(oldskb, par->state->hook, ip_hdrlen(oldskb),
+	    IPPROTO_TCP))
 		return;
 
 	/*
@@ -254,18 +255,19 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 
 #ifdef CONFIG_BRIDGE_NETFILTER
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
-	if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+	if (par->state->hook != NF_INET_FORWARD ||
+	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
 	    ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev))
 #else
-	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
+	if (par->state->hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
 	    nskb->nf_bridge->physoutdev != NULL))
 #endif
 #else
-	if (hook != NF_INET_FORWARD)
+	if (par->state->hook != NF_INET_FORWARD)
 #endif
 		addr_type = RTN_LOCAL;
 
-	if (ip_route_me_harder(net, nskb, addr_type))
+	if (ip_route_me_harder(par_net(par), par->state->sk, nskb, addr_type) != 0)
 		goto free_nskb;
 	else
 		niph = ip_hdr(nskb);
@@ -287,8 +289,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 		goto free_nskb;
 
 	nf_ct_attach(nskb, oldskb);
-	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
-		skb_dst(nskb)->dev, dst_output);
+	NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, par_net(par), nskb->sk, nskb,
+	        NULL, skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -296,8 +298,8 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
 }
 
 #ifdef WITH_IPV6
-static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
-    unsigned int hook, unsigned int mode)
+static void tarpit_tcp6(const struct xt_action_param *par,
+    struct sk_buff *oldskb, unsigned int mode)
 {
 	struct sk_buff *nskb;
 	struct tcphdr *tcph, oth;
@@ -398,15 +400,14 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
 	              &ipv6_hdr(nskb)->daddr, sizeof(struct tcphdr),
 	              IPPROTO_TCP,
 	              csum_partial(tcph, sizeof(struct tcphdr), 0));
-
-	if (ip6_route_me_harder(net, nskb))
+	if (ip6_route_me_harder(par_net(par), nskb->sk, nskb))
 		goto free_nskb;
 
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	nf_ct_attach(nskb, oldskb);
-	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
-	        skb_dst(nskb)->dev, dst_output);
+	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, par_net(par), nskb->sk, nskb,
+	        NULL, skb_dst(nskb)->dev, dst_output);
 	return;
 
  free_nskb:
@@ -444,7 +445,7 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	/* We are not interested in fragments */
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
-	tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
+	tarpit_tcp4(par, skb, info->variant);
 	return NF_DROP;
 }
 
@@ -485,7 +486,7 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		pr_debug("addr is not unicast.\n");
 		return NF_DROP;
 	}
-	tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
+	tarpit_tcp6(par, skb, info->variant);
 	return NF_DROP;
 }
 #endif

extensions/xt_TARPIT.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_TARPIT_H
-#define _LINUX_NETFILTER_XT_TARPIT_H 1
+#pragma once
 
 enum xt_tarpit_target_variant {
 	XTTARPIT_TARPIT,
@@ -10,5 +9,3 @@ enum xt_tarpit_target_variant {
 struct xt_tarpit_tginfo {
 	uint8_t variant;
 };
-
-#endif /* _LINUX_NETFILTER_XT_TARPIT_H */

extensions/xt_condition.h

@@ -1,5 +1,4 @@
-#ifndef _XT_CONDITION_H
-#define _XT_CONDITION_H
+#pragma once
 
 enum {
 	CONDITION_NAME_LEN = 31,
@@ -12,5 +11,3 @@ struct xt_condition_mtinfo {
 	/* Used internally by the kernel */
 	void *condvar __attribute__((aligned(8)));
 };
-
-#endif /* _XT_CONDITION_H */

extensions/xt_fuzzy.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_FUZZY_H
-#define _LINUX_NETFILTER_XT_FUZZY_H 1
+#pragma once
 
 enum {
 	FUZZY_MIN_RATE = 3,
@@ -7,14 +6,9 @@ enum {
 };
 
 struct xt_fuzzy_mtinfo {
-	uint32_t minimum_rate;
-	uint32_t maximum_rate;
-	uint32_t packets_total;
-	uint32_t bytes_total;
-	uint32_t previous_time;
-	uint32_t present_time;
+	uint32_t minimum_rate, maximum_rate;
+	uint32_t packets_total, bytes_total;
+	uint32_t previous_time, present_time;
 	uint32_t mean_rate;
 	uint8_t acceptance_rate;
 };
-
-#endif /* _LINUX_NETFILTER_XT_FUZZY_H */

extensions/xt_geoip.h

@@ -10,8 +10,7 @@
  * Samuel Jean
  * Nicolas Bouliane
  */
-#ifndef _LINUX_NETFILTER_XT_GEOIP_H
-#define _LINUX_NETFILTER_XT_GEOIP_H 1
+#pragma once
 
 enum {
 	XT_GEOIP_SRC = 1 << 0,	/* Perform check on Source IP */
@@ -23,8 +22,7 @@ enum {
 
 /* Yup, an address range will be passed in with host-order */
 struct geoip_subnet4 {
-	__u32 begin;
-	__u32 end;
+	__u32 begin, end;
 };
 
 struct geoip_subnet6 {
@@ -45,8 +43,7 @@ union geoip_country_group {
 };
 
 struct xt_geoip_match_info {
-	__u8 flags;
-	__u8 count;
+	__u8 flags, count;
 	__u16 cc[XT_GEOIP_MAX];
 
 	/* Used internally by the kernel */
@@ -54,5 +51,3 @@ struct xt_geoip_match_info {
 };
 
 #define COUNTRY(cc) ((cc) >> 8), ((cc) & 0x00FF)
-
-#endif /* _LINUX_NETFILTER_XT_GEOIP_H */

extensions/xt_gradm.h

@@ -1,9 +1,4 @@
-#ifndef _XT_GRADM_H
-#define _XT_GRADM_H
-
+#pragma once
 struct xt_gradm_mtinfo {
-	__u16 flags;
-	__u16 invflags;
+	__u16 flags, invflags;
 };
-
-#endif

extensions/xt_iface.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_IFACE_H
-#define _LINUX_NETFILTER_XT_IFACE_H 1
+#pragma once
 
 enum {
 	XT_IFACE_UP          = 1 << 0,
@@ -19,8 +18,5 @@ enum {
 
 struct xt_iface_mtinfo {
 	char ifname[IFNAMSIZ];
-	__u16 flags;
-	__u16 invflags;
+	__u16 flags, invflags;
 };
-
-#endif

extensions/xt_ipp2p.c

@@ -857,8 +857,11 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 				p2p_result = matchlist[i].function_name(haystack, hlen);
 				if (p2p_result)	{
 					if (info->debug)
-						printk("IPP2P.debug:TCP-match: %i from: %u.%u.%u.%u:%i to: %u.%u.%u.%u:%i Length: %i\n",
-						       p2p_result, NIPQUAD(ip->saddr),ntohs(tcph->source), NIPQUAD(ip->daddr),ntohs(tcph->dest),hlen);
+						printk("IPP2P.debug:TCP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
+						       p2p_result, &ip->saddr,
+						       ntohs(tcph->source),
+						       &ip->daddr,
+						       ntohs(tcph->dest), hlen);
 					return p2p_result;
 				}
 			}
@@ -888,8 +891,11 @@ ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
 				p2p_result = udp_list[i].function_name(haystack, hlen);
 				if (p2p_result) {
 					if (info->debug)
-						printk("IPP2P.debug:UDP-match: %i from: %u.%u.%u.%u:%i to: %u.%u.%u.%u:%i Length: %i\n",
-						       p2p_result, NIPQUAD(ip->saddr), ntohs(udph->source), NIPQUAD(ip->daddr), ntohs(udph->dest), hlen);
+						printk("IPP2P.debug:UDP-match: %d from: %pI4:%hu to: %pI4:%hu Length: %d\n",
+						       p2p_result, &ip->saddr,
+						       ntohs(udph->source),
+						       &ip->daddr,
+						       ntohs(udph->dest), hlen);
 					return p2p_result;
 				}
 			}

extensions/xt_ipp2p.h

@@ -1,5 +1,4 @@
-#ifndef __IPT_IPP2P_H
-#define __IPT_IPP2P_H
+#pragma once
 #define IPP2P_VERSION "0.10"
 
 enum {
@@ -39,8 +38,5 @@ enum {
 };
 
 struct ipt_p2p_info {
-    int cmd;
-    int debug;
+	int32_t cmd, debug;
 };
-
-#endif //__IPT_IPP2P_H

extensions/xt_ipv4options.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_IPV4OPTIONS_H
-#define _LINUX_NETFILTER_XT_IPV4OPTIONS_H 1
+#pragma once
 
 /* IPv4 allows for a 5-bit option number - 32 options */
 
@@ -18,9 +17,6 @@ enum xt_ipv4options_flags {
  * @flags:	see above
  */
 struct xt_ipv4options_mtinfo1 {
-	__u32 map;
-	__u32 invert;
+	__u32 map, invert;
 	__u8 flags;
 };
-
-#endif /* _LINUX_NETFILTER_XT_IPV4OPTIONS_H */

extensions/xt_length2.h

@@ -1,5 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_LENGTH2_H
-#define _LINUX_NETFILTER_XT_LENGTH2_H
+#pragma once
 
 enum {
 	XT_LENGTH_INVERT = 1 << 0,
@@ -18,5 +17,3 @@ struct xt_length_mtinfo2 {
 	u_int32_t min, max;
 	u_int16_t flags;
 };
-
-#endif /* _LINUX_NETFILTER_XT_LENGTH2_H */

extensions/xt_lscan.c

@@ -175,6 +175,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
+	const struct iphdr *iph = ip_hdr(skb);
 	const struct tcphdr *tcph;
 	struct nf_conn *ctdata;
 	struct tcphdr tcph_buf;
@@ -182,10 +183,14 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	tcph = skb_header_pointer(skb, par->thoff, sizeof(tcph_buf), &tcph_buf);
 	if (tcph == NULL)
 		return false;
+	if (info->match_fl1 & LSCAN_FL1_MIRAI && iph != NULL &&
+	    iph->version == 4 && iph->daddr == tcph->seq)
+		return true;
 
 	/* Check for invalid packets: -m conntrack --ctstate INVALID */
-	if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-		if (info->match_stealth)
+	ctdata = nf_ct_get(skb, &ctstate);
+	if (ctdata == NULL) {
+		if (info->match_fl1 & LSCAN_FL1_STEALTH)
 			return lscan_mt_stealth(tcph);
 		/*
 		 * If @ctdata is NULL, we cannot match the other scan
@@ -211,17 +216,19 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen;
 	}
 
-	return (info->match_syn && ctdata->mark == mark_synscan) ||
-	       (info->match_cn && ctdata->mark == mark_cnscan) ||
-	       (info->match_gr && ctdata->mark == mark_grscan);
+	return (info->match_fl1 & LSCAN_FL1_STEALTH && ctdata->mark == mark_synscan) ||
+	       (info->match_fl3 & LSCAN_FL3_CN && ctdata->mark == mark_cnscan) ||
+	       (info->match_fl4 & LSCAN_FL4_GR && ctdata->mark == mark_grscan);
 }
 
 static int lscan_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
-	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
-	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
+	if ((info->match_fl1 & ~(LSCAN_FL1_STEALTH | LSCAN_FL1_MIRAI)) ||
+	    (info->match_fl2 & ~LSCAN_FL2_SYN) ||
+	    (info->match_fl3 & ~LSCAN_FL3_CN) ||
+	    (info->match_fl4 & ~LSCAN_FL4_GR)) {
 		printk(KERN_WARNING PFX "Invalid flags\n");
 		return -EINVAL;
 	}

extensions/xt_lscan.h

@@ -1,8 +1,13 @@
-#ifndef _LINUX_NETFILTER_XT_LSCAN_H
-#define _LINUX_NETFILTER_XT_LSCAN_H 1
+#pragma once
 
-struct xt_lscan_mtinfo {
-	uint8_t match_stealth, match_syn, match_cn, match_gr;
+enum {
+	LSCAN_FL1_STEALTH = 1 << 0,
+	LSCAN_FL1_MIRAI   = 1 << 1,
+	LSCAN_FL2_SYN     = 1 << 0,
+	LSCAN_FL3_CN      = 1 << 0,
+	LSCAN_FL4_GR      = 1 << 0,
 };
 
-#endif /* _LINUX_NETFILTER_XT_LSCAN_H */
+struct xt_lscan_mtinfo {
+	uint8_t match_fl1, match_fl2, match_fl3, match_fl4;
+};

extensions/xt_psd.h

@@ -1,6 +1,4 @@
-#ifndef _LINUX_NETFILTER_XT_PSD_H
-#define _LINUX_NETFILTER_XT_PSD_H 1
-
+#pragma once
 #include <linux/param.h>
 #include <linux/types.h>
 
@@ -21,10 +19,6 @@
 #define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
 
 struct xt_psd_info {
-	__u32 weight_threshold;
-	__u32 delay_threshold;
-	__u16 lo_ports_weight;
-	__u16 hi_ports_weight;
+	__u32 weight_threshold, delay_threshold;
+	__u16 lo_ports_weight, hi_ports_weight;
 };
-
-#endif /*_LINUX_NETFILTER_XT_PSD_H*/

extensions/xt_quota2.h

@@ -1,5 +1,4 @@
-#ifndef _XT_QUOTA_H
-#define _XT_QUOTA_H
+#pragma once
 
 enum xt_quota_flags {
 	XT_QUOTA_INVERT    = 1 << 0,
@@ -21,5 +20,3 @@ struct xt_quota_mtinfo2 {
 	/* Used internally by the kernel */
 	struct xt_quota_counter *master __attribute__((aligned(8)));
 };
-
-#endif /* _XT_QUOTA_H */

geoip/Makefile.am

@@ -1,5 +1,9 @@
 # -*- Makefile -*-
 
-pkglibexec_SCRIPTS = xt_geoip_build xt_geoip_dl
+bin_SCRIPTS = xt_geoip_query
 
-man1_MANS = xt_geoip_build.1 xt_geoip_dl.1
+pkglibexec_SCRIPTS = xt_geoip_build xt_geoip_build_maxmind xt_geoip_dl xt_geoip_dl_maxmind
+
+man1_MANS = xt_geoip_build.1 xt_geoip_dl.1 \
+	    xt_geoip_build_maxmind.1 xt_geoip_dl_maxmind.1 \
+	    xt_geoip_query.1

geoip/xt_geoip_build

@@ -17,19 +17,18 @@ my $csv = Text::CSV_XS->new({
 	binary => 1,
 	eol => $/,
 }); # or Text::CSV
-my $source_dir = ".";
+my $quiet = 0;
+my $input_file = "dbip-country-lite.csv";
 my $target_dir = ".";
 
 &Getopt::Long::Configure(qw(bundling));
 &GetOptions(
 	"D=s" => \$target_dir,
-	"S=s" => \$source_dir,
+	"i=s" => \$input_file,
+	"q" => \$quiet,
+	"s" => sub { $target_dir = "/usr/share/xt_geoip"; },
 );
 
-if (!-d $source_dir) {
-	print STDERR "Source directory \"$source_dir\" does not exist.\n";
-	exit 1;
-}
 if (!-d $target_dir) {
 	print STDERR "Target directory \"$target_dir\" does not exist.\n";
 	exit 1;
@@ -41,9 +40,11 @@ sub collect
 {
 	my ($file, $fh, $row);
 	my (%country);
-
-	$file = "$source_dir/dbip-country-lite.csv";
-	open($fh, '<', $file) || die "Can't open DBIP database\n";
+	if ($input_file eq "-") {
+		open($fh, "<&STDIN");
+	} else {
+		open($fh, "<", $input_file) || die "Cannot open $input_file: $!\n";
+	}
 
 	while ($row = $csv->getline($fh)) {
 		my ($cc, $range);
@@ -63,12 +64,12 @@ sub collect
 			$country{$cc}->{pool_v6}->add_range($range);
 		}
 
-		if ($. % 4096 == 0) {
+		if (!$quiet && $. % 4096 == 0) {
 			print STDERR "\r\e[2K$. entries";
 		}
 	}
 
-	print STDERR "\r\e[2K$. entries total\n";
+	print STDERR "\r\e[2K$. entries total\n" unless ($quiet);
 
 	close($fh);
 
@@ -106,7 +107,7 @@ sub writeCountry
 	printf "%5u IPv%s ranges for %s\n",
 		scalar(@ranges),
 		($family == AF_INET ? '4' : '6'),
-		$iso_code;
+		$iso_code unless ($quiet);
 
 	my $file = "$target_dir/".uc($iso_code).".iv".($family == AF_INET ? '4' : '6');
 	if (!open($fh, '>', $file)) {

geoip/xt_geoip_build.1

@@ -5,7 +5,7 @@ xt_geoip_build \(em convert GeoIP.csv to packed format for xt_geoip
 .SH Syntax
 .PP
 \fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_build\fP [\fB\-D\fP
-\fItarget_dir\fP] [\fB\-S\fP \fIsource_dir\fP]
+\fItarget_dir\fP] [\fB\-i\fP \fIinput_file\fP]
 .SH Description
 .PP
 xt_geoip_build is used to build packed raw representations of the range
@@ -24,16 +24,18 @@ script requires it to be called with a path.
 \fB\-D\fP \fItarget_dir\fP
 Specifies the target directory into which the files are to be put. Defaults to ".".
 .TP
-\fB\-S\fP \fIsource_dir\fP
-Specifies the source directory from which to read the three files by the name
-of \fBGeoLite2\-Country\-Blocks\-IPv4.csv\fP,
-\fBGeoLite2\-Country\-Blocks\-IPv6.csv\fP and
-\fBGeoLite2\-Country\-Locations\-en.csv\fP. Defaults to ".".
+\fB\-i\fP \fIinput_file\fP
+Specifies the source location of the DBIP CSV file. Defaults to
+"dbip-country-lite.csv". Use "-" to read from stdin.
+.TP
+\fB\-s\fP
+"System mode". Equivalent to \fB\-D /usr/share/xt_geoip\fP.
 .SH Application
 .PP
-Shell commands to build the databases and put them to where they are expected:
+Shell commands to build the databases and put them to where they are expected
+(usually run as root):
 .PP
-xt_geoip_build \-D /usr/share/xt_geoip
+xt_geoip_build \-s
 .SH See also
 .PP
 xt_geoip_dl(1)

geoip/xt_geoip_build_maxmind

@@ -0,0 +1,268 @@
+#!/usr/bin/perl
+#
+#	Converter for MaxMind (GeoLite2) CSV database to binary, for xt_geoip
+#	Copyright Jan Engelhardt, 2008-2011
+#	Copyright Philip Prindeville, 2018
+#
+use Getopt::Long;
+use Net::CIDR::Lite;
+use Socket qw(AF_INET AF_INET6 inet_pton);
+use warnings;
+use Text::CSV_XS; # or trade for Text::CSV
+use strict;
+
+my $csv = Text::CSV_XS->new({
+	allow_whitespace => 1,
+	binary => 1,
+	eol => $/,
+}); # or Text::CSV
+my $source_dir = ".";
+my $quiet = 0;
+my $target_dir = ".";
+
+&Getopt::Long::Configure(qw(bundling));
+&GetOptions(
+	"D=s" => \$target_dir,
+	"S=s" => \$source_dir,
+	"q" => \$quiet,
+	"s" => sub { $target_dir = "/usr/share/xt_geoip"; },
+);
+
+if (!-d $source_dir) {
+	print STDERR "Source directory \"$source_dir\" does not exist.\n";
+	exit 1;
+}
+if (!-d $target_dir) {
+	print STDERR "Target directory \"$target_dir\" does not exist.\n";
+	exit 1;
+}
+
+my %countryId;
+my %countryName;
+&loadCountries();
+&dump(&collect());
+
+sub loadCountries
+{
+	sub id; sub cc; sub long; sub ct; sub cn;
+
+	%countryId = ();
+	%countryName = ();
+
+	my $file = "$source_dir/GeoLite2-Country-Locations-en.csv";
+	open(my $fh, '<', $file) || die "Couldn't open list country names\n";
+
+	# first line is headers
+	my $row = $csv->getline($fh);
+
+	my %header = map { ($row->[$_], $_); } (0..$#{$row});
+
+	my %pairs = (
+		country_iso_code => 'ISO Country Code',
+		geoname_id => 'ID',
+		country_name => 'Country Name',
+		continent_code => 'Continent Code',
+		continent_name => 'Continent Name',
+	);
+
+	# verify that the columns we need are present
+	map { die "Table has no $pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
+
+	my %remapping = (
+		id => 'geoname_id',
+		cc => 'country_iso_code',
+		long => 'country_name',
+		ct => 'continent_code',
+		cn => 'continent_name',
+	);
+
+	# now create a function which returns the value of that column #
+	map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
+
+	while (my $row = $csv->getline($fh)) {
+		if ($row->[cc] eq '' && $row->[long] eq '') {
+			$countryId{$row->[id]} = $row->[ct];
+			$countryName{$row->[ct]} = $row->[cn];
+		} else {
+			$countryId{$row->[id]} = $row->[cc];
+			$countryName{$row->[cc]} = $row->[long];
+		}
+	}
+
+	$countryName{A1} = 'Anonymous Proxy';
+	$countryName{A2} = 'Satellite Provider';
+	$countryName{O1} = 'Other Country';
+
+	close($fh);
+
+	# clean up the namespace
+	undef &id; undef &cc; undef &long; undef &ct; undef &cn;
+}
+
+sub lookupCountry
+{
+	my ($id, $rid, $proxy, $sat) = @_;
+
+	if ($proxy) {
+		return 'A1';
+	} elsif ($sat) {
+		return 'A2';
+	}
+	$id ||= $rid;
+	if ($id eq '') {
+		return 'O1';
+	}
+	die "Unknown id: $id line $.\n" unless (exists $countryId{$id});
+	return $countryId{$id};
+}
+
+sub collect
+{
+	my ($file, $fh, $row);
+	my (%country, %header);
+
+	sub net; sub id; sub rid; sub proxy; sub sat;
+
+	my %pairs = (
+		network => 'Network',
+		registered_country_geoname_id => 'Registered Country ID',
+		geoname_id => 'Country ID',
+		is_anonymous_proxy => 'Anonymous Proxy',
+		is_satellite_provider => 'Satellite',
+	);
+
+	foreach (sort keys %countryName) {
+		$country{$_} = {
+			name => $countryName{$_},
+			pool_v4 => Net::CIDR::Lite->new(),
+			pool_v6 => Net::CIDR::Lite->new(),
+		};
+	}
+
+	$file = "$source_dir/GeoLite2-Country-Blocks-IPv4.csv";
+	open($fh, '<', $file) || die "Can't open IPv4 database\n";
+
+	# first line is headers
+	$row = $csv->getline($fh);
+
+	%header = map { ($row->[$_], $_); } (0..$#{$row});
+
+	# verify that the columns we need are present
+	map { die "Table has no %pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
+
+	my %remapping = (
+		net => 'network',
+		id => 'geoname_id',
+		rid => 'registered_country_geoname_id',
+		proxy => 'is_anonymous_proxy',
+		sat => 'is_satellite_provider',
+	);
+
+	# now create a function which returns the value of that column #
+	map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
+
+	while ($row = $csv->getline($fh)) {
+		my ($cc, $cidr);
+
+		$cc = lookupCountry($row->[id], $row->[rid], $row->[proxy], $row->[sat]);
+		$cidr = $row->[net];
+		$country{$cc}->{pool_v4}->add($cidr);
+
+		if ($. % 4096 == 0) {
+			print STDERR "\r\e[2K$. entries";
+		}
+	}
+
+	print STDERR "\r\e[2K$. entries total\n";
+
+	close($fh);
+
+	# clean up the namespace
+	undef &net; undef &id; undef &rid; undef &proxy; undef &sat;
+
+	$file = "$source_dir/GeoLite2-Country-Blocks-IPv6.csv";
+	open($fh, '<', $file) || die "Can't open IPv6 database\n";
+
+	# first line is headers
+	$row = $csv->getline($fh);
+
+	%header = map { ($row->[$_], $_); } (0..$#{$row});
+
+	# verify that the columns we need are present
+	map { die "Table has no %pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
+
+	# unlikely the IPv6 table has different columns, but just to be sure
+	# create a function which returns the value of that column #
+	map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
+
+	while ($row = $csv->getline($fh)) {
+		my ($cc, $cidr);
+
+		$cc = lookupCountry($row->[id], $row->[rid], $row->[proxy], $row->[sat]);
+		$cidr = $row->[net];
+		$country{$cc}->{pool_v6}->add($cidr);
+
+		if (!$quiet && $. % 4096 == 0) {
+			print STDERR "\r\e[2K$. entries";
+		}
+	}
+
+	print STDERR "\r\e[2K$. entries total\n" unless ($quiet);
+
+	close($fh);
+
+	# clean up the namespace
+	undef &net; undef &id; undef &rid; undef &proxy; undef &sat;
+
+	return \%country;
+}
+
+sub dump
+{
+	my $country = shift @_;
+
+	foreach my $iso_code (sort keys %{$country}) {
+		&dump_one($iso_code, $country->{$iso_code});
+	}
+}
+
+sub dump_one
+{
+	my($iso_code, $country) = @_;
+	my @ranges;
+
+	@ranges = $country->{pool_v4}->list_range();
+
+	writeCountry($iso_code, $country->{name}, AF_INET, @ranges);
+
+	@ranges = $country->{pool_v6}->list_range();
+
+	writeCountry($iso_code, $country->{name}, AF_INET6, @ranges);
+}
+
+sub writeCountry
+{
+	my ($iso_code, $name, $family, @ranges) = @_;
+	my $fh;
+
+	printf "%5u IPv%s ranges for %s %s\n",
+		scalar(@ranges),
+		($family == AF_INET ? '4' : '6'),
+		$iso_code, $name unless ($quiet);
+
+	my $file = "$target_dir/".uc($iso_code).".iv".($family == AF_INET ? '4' : '6');
+	if (!open($fh, '>', $file)) {
+		print STDERR "Error opening $file: $!\n";
+		exit 1;
+	}
+
+	binmode($fh);
+
+	foreach my $range (@ranges) {
+		my ($start, $end) = split('-', $range);
+		$start = inet_pton($family, $start);
+		$end = inet_pton($family, $end);
+		print $fh $start, $end;
+	}
+	close $fh;
+}

geoip/xt_geoip_build_maxmind.1

@@ -0,0 +1,40 @@
+.TH xt_geoip_build_maxmind 1 "2010-12-17" "xtables-addons" "xtables-addons"
+.SH Name
+.PP
+xt_geoip_build_maxmind \(em convert GeoIP.csv to packed format for xt_geoip
+.SH Syntax
+.PP
+\fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_build_maxmind\fP [\fB\-D\fP
+\fItarget_dir\fP] [\fB\-S\fP \fIsource_dir\fP]
+.SH Description
+.PP
+xt_geoip_build_maxmind is used to build packed raw representations of the range
+database that the xt_geoip module relies on. Since kernel memory is precious,
+much of the preprocessing is done in userspace by this very building tool. One
+file is produced for each country, so that no more addresses than needed are
+required to be loaded into memory. The ranges in the packed database files are
+also ordered, as xt_geoip relies on this property for its bisection approach to
+work.
+.PP
+Since the script is usually installed to the libexec directory of the
+xtables-addons package and this is outside $PATH (on purpose), invoking the
+script requires it to be called with a path.
+.PP Options
+.TP
+\fB\-D\fP \fItarget_dir\fP
+Specifies the target directory into which the files are to be put. Defaults to ".".
+.TP
+\fB\-S\fP \fIsource_dir\fP
+Specifies the source directory of the MaxMind CSV files. Defaults to ".".
+.TP
+\fB\-s\fP
+"System mode". Equivalent to \fB\-D /usr/share/xt_geoip\fP.
+.SH Application
+.PP
+Shell commands to build the databases and put them to where they are expected
+(usually run as root):
+.PP
+xt_geoip_build_maxmind \-s
+.SH See also
+.PP
+xt_geoip_dl_maxmind(1)

geoip/xt_geoip_dl

@@ -1,7 +1,5 @@
 #!/bin/sh
 
-rm -rf GeoLite2-Country-CSV_*
-
-wget -q http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
-unzip -q GeoLite2-Country-CSV.zip
-rm -f GeoLite2-Country-CSV.zip
+timestamp=$(date "+%Y-%m")
+wget -q "https://download.db-ip.com/free/dbip-country-lite-$timestamp.csv.gz" -O- | \
+	gzip -cd >dbip-country-lite.csv

geoip/xt_geoip_dl.1

@@ -7,8 +7,9 @@ xt_geoip_dl \(em download GeoIP database files
 \fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_dl\fP
 .SH Description
 .PP
-Downloads and unpacks the MaxMind GeoIP Country Lite databases for IPv4 and
-IPv6 and unpacks them to the current directory.
+Downloads the DB-IP Country Lite databases for IPv4 and IPv6 and unpacks them
+to the current directory. The alternate \fBxt_geoip_dl_maxmind\fP script can be
+used for MaxMind formatted CSV databases.
 .PP
 Since the script is usually installed to the libexec directory of the
 xtables-addons package and this is outside $PATH (on purpose), invoking the

geoip/xt_geoip_dl_maxmind

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ $# -eq 1 ]; then
+    exec <$1
+elif [ $# -ne 0 ]; then
+    echo $(basename $0) [ licence_key_file ] 1>&2
+    exit 1
+fi
+
+read licence_key
+
+rm -rf GeoLite2-Country-CSV_*
+
+wget -q -OGeoLite2-Country-CSV.zip "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=${licence_key}&suffix=zip"
+unzip -q GeoLite2-Country-CSV.zip
+rm -f GeoLite2-Country-CSV.zip

geoip/xt_geoip_dl_maxmind.1

@@ -0,0 +1,22 @@
+.TH xt_geoip_dl_maxmind 1 "2010-12-17" "xtables-addons" "xtables-addons"
+.SH Name
+.PP
+xt_geoip_dl_maxmind \(em download MaxMind GeoIP database files
+.SH Syntax
+.PP
+\fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_dl_maxmind\fP [\fI licence-key file\fP]
+.SH Description
+.PP
+Downloads the MaxMind GeoLite2 databases for IPv4 and IPv6 and unpacks them to
+the current directory.  The alternate \fBxt_geoip_dl\fP script can be
+used for the DB-IP Country Lite databases.
+.PP
+Since the script is usually installed to the libexec directory of the
+xtables-addons package and this is outside $PATH (on purpose), invoking the
+script requires it to be called with a path.
+.SH Options
+.PP
+None.
+.SH See also
+.PP
+xt_geoip_build_maxmind(1)

geoip/xt_geoip_query

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-#	Utility to query GeoIP database
+#	Utility to query GeoIP database (.iv4/.iv6 files)
 #	Copyright Philip Prindeville, 2018
 #
 use Getopt::Long;
@@ -53,8 +53,9 @@ foreach my $cc (@ARGV) {
 		binmode($fh);
 
 		while (($bytes = read($fh, $buffer, AF_INET_SIZE * 2)) == AF_INET_SIZE * 2) {
-			my $start = inet_ntop(AF_INET, substr($buffer, 0, AF_INET_SIZE));
-			my $end = inet_ntop(AF_INET, substr($buffer, AF_INET_SIZE));
+			my ($start, $end) = unpack('a4a4', $buffer);
+			$start = inet_ntop(AF_INET, $start);
+			$end = inet_ntop(AF_INET, $end);
 			print $start, '-', $end, "\n";
 		}
 		close($fh);
@@ -75,8 +76,9 @@ foreach my $cc (@ARGV) {
 		binmode($fh);
 
 		while (($bytes = read($fh, $buffer, AF_INET6_SIZE * 2)) == AF_INET6_SIZE * 2) {
-			my $start = inet_ntop(AF_INET6, substr($buffer, 0, AF_INET6_SIZE));
-			my $end = inet_ntop(AF_INET6, substr($buffer, AF_INET6_SIZE));
+			my ($start, $end) = unpack('a16a16', $buffer);
+			$start = inet_ntop(AF_INET6, $start);
+			$end = inet_ntop(AF_INET6, $end);
 			print $start, '-', $end, "\n";
 		}
 		close($fh);

geoip/xt_geoip_query.1

@@ -0,0 +1,35 @@
+.TH xt_geoip_query 1 "2020-04-30" "xtables-addons" "xtables-addons"
+.SH Name
+.PP
+xt_geoip_query \(em dump a country database to stdout
+.SH Syntax
+.PP
+\fBxt_geoip_query\fP [\fB\-D\fP
+\fIdatabase_dir\fP] [\fB-4\fP] [\fB-6\fP] \fIcc\fP [ \fIcc\fP ... ]
+.SH Description
+.PP
+xt_geoip_query reads a country's IPv4 or IPv6 databases and dumps
+them to standard output as a sorted, non-overlapping list of ranges (which
+is how they are represented in the database), suitable for browsing or
+further processing.
+.PP Options
+.TP
+\fB\-D\fP \fIdatabase_dir\fP
+Specifies the directory into which the files have been put. Defaults to ".".
+.TP
+\fB-4\fP
+Specifies IPv4 data only.
+.TP
+\fB-6\fP
+Specifies IPv6 data only.
+.TP
+\fIcc\fP [ \fIcc\fP ... ]
+The ISO-3166 country code names of the desired countries' databases.
+.SH Application
+.PP
+Shell command to dump the list of Swiss IPv6 address ranges:
+.PP
+xt_geoip_query \-D /usr/share/xt_geoip \-6 ch
+.SH See also
+.PP
+xt_geoip_build(1)

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v3.9 (2020-02-25)"
+.TH xtables-addons 8 "" "" "v3.18 (2021-03-11)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets