Changes - j0ke.net Open Build Service

Changes of Revision 4

[-] [+]	Changed	xtables-addons.changes
@@ -1,4 +1,9 @@ ------------------------------------------------------------------- +Thu Jun 20 20:38:29 UTC 2013 - cs@linux-administrator.com + +- Update to release 2.3 + +------------------------------------------------------------------- Mon Apr 1 09:02:24 UTC 2013 - cs@linux-administrator.com - Update to release 2.2
[-] [+]	Changed	xtables-addons.spec ^
@@ -1,6 +1,6 @@ Name: xtables-addons -Version: 2.2 +Version: 2.3 Release: 1 Group: Productivity/Networking/Security Summary: IP Packet Filter Administration Extensions
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/Makefile.am ^
@@ -14,6 +14,11 @@ install-exec-hook: depmod -a \|\| :; +clean-local-mans: + ${MAKE} -f Makefile.mans clean; + +clean-local: clean-local-mans + config.status: Makefile.iptrules.in tmpdir := $(shell mktemp -dtu)
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/Makefile.in ^
@@ -815,7 +815,7 @@ @echo "it deletes files that may require special tools to rebuild." clean: clean-recursive -clean-am: clean-generic clean-libtool mostlyclean-am +clean-am: clean-generic clean-libtool clean-local mostlyclean-am distclean: distclean-recursive -rm -f $(am__CONFIG_DISTCLEAN_FILES) @@ -892,7 +892,7 @@ .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am am--refresh check check-am clean clean-cscope \ - clean-generic clean-libtool cscope cscopelist \ + clean-generic clean-libtool clean-local cscope cscopelist \ cscopelist-recursive ctags ctags-recursive dist dist-all \ dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ dist-xz \ dist-zip distcheck distclean distclean-generic distclean-hdr \ @@ -918,6 +918,11 @@ install-exec-hook: depmod -a \|\| :; +clean-local-mans: + ${MAKE} -f Makefile.mans clean; + +clean-local: clean-local-mans + config.status: Makefile.iptrules.in .PHONY: tarball
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/Makefile.mans.in ^
@@ -3,8 +3,8 @@ srcdir := @srcdir@ -wcman_matches := $(shell find "${srcdir}" -name 'libxt_[a-z].man' \| sort) -wcman_targets := $(shell find "${srcdir}" -name 'libxt_[A-Z].man' \| sort) +wcman_matches := $(shell find "${srcdir}/extensions" -name 'libxt_[a-z].man' -print \| sort) +wcman_targets := $(shell find "${srcdir}/extensions" -name 'libxt_[A-Z].man' -print \| sort) wlist_matches := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_matches}) wlist_targets := $(patsubst ${srcdir}/libxt_%.man,%,${wcman_targets}) @@ -38,3 +38,6 @@ targets.man: .manpages.lst ${wcman_targets} $(call man_run,${wlist_targets}) + +clean: + rm -f xtables-addons.8 matches.man targets.man
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/configure ^
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for xtables-addons 2.2. +# Generated by GNU Autoconf 2.69 for xtables-addons 2.3. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='xtables-addons' PACKAGE_TARNAME='xtables-addons' -PACKAGE_VERSION='2.2' -PACKAGE_STRING='xtables-addons 2.2' +PACKAGE_VERSION='2.3' +PACKAGE_STRING='xtables-addons 2.3' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1322,7 +1322,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures xtables-addons 2.2 to adapt to many kinds of systems. +\`configure' configures xtables-addons 2.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1392,7 +1392,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short \| recursive ) echo "Configuration of xtables-addons 2.2:";; + short \| recursive ) echo "Configuration of xtables-addons 2.3:";; esac cat <<\_ACEOF @@ -1511,7 +1511,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -xtables-addons configure 2.2 +xtables-addons configure 2.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1876,7 +1876,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by xtables-addons $as_me 2.2, which was +It was created by xtables-addons $as_me 2.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2703,7 +2703,7 @@ # Define the identity of the package. PACKAGE='xtables-addons' - VERSION='2.2' + VERSION='2.3' cat >>confdefs.h <<_ACEOF @@ -11914,7 +11914,7 @@ echo "WARNING: Version detection did not succeed. Continue at own luck."; else echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir"; - if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 9; then + if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 10; then echo "WARNING: That kernel version is not officially supported yet. Continue at own luck."; elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then :; @@ -12460,7 +12460,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by xtables-addons $as_me 2.2, which was +This file was extended by xtables-addons $as_me 2.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -12526,7 +12526,7 @@ cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -xtables-addons config.status 2.2 +xtables-addons config.status 2.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\"
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/configure.ac ^
@@ -1,4 +1,4 @@ -AC_INIT([xtables-addons], [2.2]) +AC_INIT([xtables-addons], [2.3]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) @@ -63,7 +63,7 @@ echo "WARNING: Version detection did not succeed. Continue at own luck."; else echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir"; - if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 9; then + if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 10; then echo "WARNING: That kernel version is not officially supported yet. Continue at own luck."; elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then :;
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/doc/changelog.txt ^
@@ -3,6 +3,20 @@ ==== +v2.3 (2013-06-18) +================= +Enhancements: +- Support for Linux 3.10 +Fixes: +- xt_DNETMAP, xt_condition, xt_quota2: resolve compile error when + CONFIG_UIDGID_STRICT_TYPE_CHECKS=y +- xt_RAWNAT: ensure correct operation in the presence of IPv4 options +- xt_geoip: do not throw a warnings when country database is size 0 +- xt_quota2: print "!" at the correct position during iptables-save +Changes: +- Make print (iptables -L) output the same as save (-S) + + v2.2 (2013-03-31) ================= Enhancements:
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/compat_xtables.h ^
@@ -24,8 +24,6 @@ #define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl)) #define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl)) -#define rt_dst(rt) (&(rt)->dst) - #if !defined(NIP6) && !defined(NIP6_FMT) # define NIP6(addr) \ ntohs((addr).s6_addr16[0]), \ @@ -57,4 +55,31 @@ #define xt_request_find_match xtnu_request_find_match +#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0) +static inline struct inode file_inode(struct file f) +{ + return f->f_path.dentry->d_inode; +} +#endif + +#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0) +static inline void +proc_set_user(struct proc_dir_entry de, kuid_t uid, kgid_t gid) +{ + de->uid = uid; + de->gid = gid; +} + +static inline void PDE_DATA(struct inode inode) +{ + return PDE(inode)->data; +} + +static inline void proc_remove(struct proc_dir_entry de) +{ + if (de != NULL) + remove_proc_entry(de->name, de->parent); +} +#endif + #endif /* _XTABLES_COMPAT_H */
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_CHAOS.c ^
@@ -64,21 +64,6 @@ "may be specified"); } -static void chaos_tg_print(const void ip, - const struct xt_entry_target target, int numeric) -{ - const struct xt_chaos_tginfo info = (const void )target->data; - - switch (info->variant) { - case XTCHAOS_DELUDE: - printf(" DELUDE "); - break; - case XTCHAOS_TARPIT: - printf(" TARPIT "); - break; - } -} - static void chaos_tg_save(const void ip, const struct xt_entry_target target) { const struct xt_chaos_tginfo info = (const void )target->data; @@ -93,6 +78,13 @@ } } +static void chaos_tg_print(const void ip, + const struct xt_entry_target target, int numeric) +{ + printf(" -j CHAOS"); + chaos_tg_save(ip, target); +} + static struct xtables_target chaos_tg_reg = { .version = XTABLES_VERSION, .name = "CHAOS",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_CHAOS.man ^
@@ -1,3 +1,4 @@ +.PP Causes confusion on the other end by doing odd things with incoming packets. CHAOS will randomly reply (or not) with one of its configurable subtargets: .TP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_DELUDE.man ^
@@ -1,3 +1,4 @@ +.PP The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other packets with an RST. This will terminate the connection much like REJECT, but network scanners doing TCP half-open discovery can be spoofed to make them
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_DHCPMAC.c ^
@@ -61,15 +61,6 @@ "--set-mac parameter required"); } -static void dhcpmac_tg_print(const void ip, - const struct xt_entry_target target, int numeric) -{ - const struct dhcpmac_info info = (void )target->data; - - printf(" DHCPMAC %s" DH_MAC_FMT "/%u ", - info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask); -} - static void dhcpmac_tg_save(const void ip, const struct xt_entry_target target) { @@ -81,6 +72,13 @@ DH_MAC_HEX(info->addr), info->mask); } +static void dhcpmac_tg_print(const void ip, + const struct xt_entry_target target, int numeric) +{ + printf(" -j DHCPMAC"); + dhcpmac_tg_save(ip, target); +} + static struct xtables_target dhcpmac_tg_reg = { .version = XTABLES_VERSION, .name = "DHCPMAC",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_DHCPMAC.man ^
@@ -1,3 +1,4 @@ +.PP In conjunction with ebtables, DHCPMAC can be used to completely change all MAC addresses from and to a VMware-based virtual machine. This is needed because VMware does not allow to set a non-VMware MAC address before an operating
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_DNETMAP.c ^
@@ -195,33 +195,6 @@ printf("/%d", bits); } -static void DNETMAP_print(const void ip, const struct xt_entry_target target, - int numeric) -{ - struct xt_DNETMAP_tginfo tginfo = (void )&target->data; - const __u8 flags = &tginfo->flags; - - printf(" prefix "); - if (flags & XT_DNETMAP_PREFIX) - DNETMAP_print_addr(ip, target, numeric); - else - printf("any"); - - if (flags & XT_DNETMAP_REUSE) - printf(" reuse"); - - if (flags & XT_DNETMAP_STATIC) - printf(" static"); - - if (flags & XT_DNETMAP_PERSISTENT) - printf(" persistent"); - - if (flags & XT_DNETMAP_TTL) - printf(" ttl %i", tginfo->ttl); - else - printf(" ttl default"); -} - static void DNETMAP_save(const void ip, const struct xt_entry_target target) { struct xt_DNETMAP_tginfo tginfo = (void )&target->data; @@ -246,6 +219,13 @@ printf(" --ttl %i ", tginfo->ttl); } +static void DNETMAP_print(const void ip, const struct xt_entry_target target, + int numeric) +{ + printf(" -j DNETMAP"); + DNETMAP_save(ip, target); +} + static struct xtables_target dnetmap_tg_reg = { .name = MODULENAME, .version = XTABLES_VERSION,
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_DNETMAP.man ^
@@ -1,172 +1,179 @@ -The \fBDNETMAP\fR target allows dynamic two-way 1:1 mapping of IPv4 subnets. -Single rule can map private subnet to shorter public subnet creating and -maintaining unambigeous private-public ip bindings. Second rule can be used to -map new flows to private subnet according to maintained bindings. Target allows -efficient public IPv4 space usage and unambigeous NAT at the same time. - -Target can be used only in \fBnat\fR table in \fBPOSTROUTING\fR or \fBOUTPUT\fR -chains for SNAT and in \fBPREROUTING\fR for DNAT. Only flows directed to bound -IPs will be DNATed. Packet continues chain traversal if there is no free -postnat-ip to be assigned to prenat-ip. Default binding \fBttl\fR is \fI10 -minutes\fR and can be changed using \fBdefault_ttl\fR module option. Default ip -hash size is 256 and can be changed using \fBhash_size\fR module option. - +.PP +The \fBDNETMAP\fR target allows dynamic two-way 1:1 mapping of IPv4 subnets. A +single rule can map a private subnet to a shorter public subnet, creating and +maintaining unambiguous private-public IP address bindings. The second rule can +be used to map new flows to a private subnet according to maintained bindings. +The target allows efficient public IPv4 space usage and unambiguous NAT at the +same time. +.PP +The target can be used only in the \fBnat\fR table in \fBPOSTROUTING\fR or +\fBOUTPUT\fR chains for SNAT, and in \fBPREROUTING\fR for DNAT. Only flows +directed to bound addresses will be DNATed. The packet continues chain +traversal if there is no free postnat address to be assigned to the prenat +address. The default binding \fBTTL\fR is \fI10 minutes\fR and can be changed +using the \fBdefault_ttl\fR module option. The default address hash size is 256 +and can be changed using the \fBhash_size\fR module option. .TP \fB\-\-prefix\fR \fIaddr\fR\fB/\fR\fImask\fR -Network subnet to map to. If not specified, all existing prefixes are used. +The network subnet to map to. If not specified, all existing prefixes are used. .TP \fB\-\-reuse\fR -Reuse entry for given prenat-ip from any prefix despite bindings ttl < 0. +Reuse the entry for a given prenat address from any prefix even if the +binding's TTL is < 0. .TP \fB\-\-persistent\fR -Set prefix persistent. It won't be removed after deleting last iptables rule. -Option is effective only in the first rule for a given prefix. If you -need to change persistency for existing prefix, please use proc interface -described below. +Set the prefix to be persistent. It will not be removed after deleting the last +iptables rule. The option is effective only in the first rule for a given +prefix. If you need to change persistency for an existing prefix, please use +the procfs interface described below. .TP \fB\-\-static\fR -Don't create dynamic mappings using this rule. Use static mappings only. Note -that you need to create static mappings via proc interface for this rule with -this option to have any effect. +Do not create dynamic mappings using this rule. Use static mappings only. Note +that you need to create static mappings via the procfs interface for this rule +for this option to have any effect. .TP \fB\-\-ttl\fR \fIseconds\fR -Regenerate bindings ttl value to \fIseconds\fR. If negative value is specified, -bindings ttl is kept unchanged. If not specified then default ttl value (600s) -is used. +Reset the binding's TTL value to \fIseconds\fR. If a negative value is +specified, the binding's TTL is kept unchanged. If this option is not +specified, then the default TTL value (600s) is used. .PP \fB* /proc interface\fR - -Module creates following entries for each new specified subnet: +.PP +The module creates the following entries for each new specified subnet: .TP \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR -Contains binding table for subnet/mask. Each line contains \fBprenat-ip\fR, -\fBpostnat-ip\fR,\fBttl\fR (seconds till entry times out), \fBlasthit\fR (last -entry hit in seconds relative to system boot time). Please note that \fBttl\fR -and \fBlasthit\fR entries contain \fBS\fR in case of static binding. +Contains the binding table for the given \fIsubnet/mask\fP. Each line contains +\fBprenat address\fR, \fBpostnat address\fR, \fBttl\fR (seconds until the entry +times out), \fBlasthit\fR (last hit to the entry in seconds relative to system +boot time). Please note that the \fBttl\fR and \fBlasthit\fR entries contain an +'\fBS\fR' in case of a static binding. .TP \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR -Contains statistics for given subnet/mask. Line contains contains four -numerical values separated by spaces. First one is number of currently used -dynamic addresses (bindings with negative ttl excluded), second one is number -static assignments, third one is number of all usable addresses in subnet and -the fourth one is mean \fBttl\fR value for all active entries. If prefix has -persistent flag set it'll be noted as fifth entry. -.PP -Following write operations are supported via proc interface: -.TP -echo "+\fIprenatIP\fR:\fIpostnatIP\fR" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR -Adds static binding between prenatIP nad postnatIP. If postnatIP is already -bound, previous binding will be timedout immediatelly. Static binding is never -timedout. -.TP -echo "-\fIIP\fR" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR -Removes binding with \fIIP\fR as prenat or postnat address. If removed binding -is currently static, it'll make entry available for dynamic allocation. -.TP -echo "+persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR -Sets persistent flag for prefix. It's usefull if you don't want bindings to get -flushed when firewall is restarted. You can check if prefix is persistent by -printing \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR -contents. -.TP -echo "-persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR -Unsets persistent flag for prefix. In this mode prefix will be deleted if the -last iptables rule for that prefix is removed. -.TP -echo "flush" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR -Flushes all bindings for specific prefix. All static entries are also flushed -and are available for dynamic bindings. +Contains statistics for a given \fIsubnet/mask\fP. The line contains four +numerical values separated by spaces. The first one is the number of currently +used dynamic addresses (bindings with negative TTL excluded), the second one is +the number of static assignments, the third one is the number of all usable +addresses in the subnet, and the fourth one is the mean \fBTTL\fR value for all +active entries. If the prefix has the persistent flag set, it will be noted as +fifth entry. +.PP +The following write operations are supported via the procfs interface: +.TP +echo "+\fIprenat-address\fR:\fIpostnat-address\fR" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR +Adds a static binding between the prenat and postnap address. If +postnat_address is already bound, any previous binding will be timed out +immediately. A static binding is never timed out. +.TP +echo "\-\fIaddress\fR" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR +Removes the binding with \fIaddress\fR as prenat or postnat address. If the +removed binding is currently static, it will make the entry available for +dynamic allocation. +.TP +echo "+persistent" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR +Sets the persistent flag for the prefix. It is useful if you do not want +bindings to get flushed when the firewall is restarted. You can check if the +prefix is persistent by printing the contents of +\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR. +.TP +echo "\-persistent" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR +Unsets the persistent flag for the prefix. In this mode, the prefix will be +deleted if the last iptables rule for that prefix is removed. +.TP +echo "flush" >\fB/proc/net/xt_DNETMAP/subnet_mask\fR +Flushes all bindings for the specific prefix. All static entries are also +flushed and become available for dynamic bindings. .PP Note! Entries are removed if the last iptables rule for a specific prefix is -deleted unless there's persistent flag set. +deleted unless the persistent flag is set. .PP - \fB* Logging\fR - -Module logs binding add/timeout events to klog. This behaviour can be disabled -using \fBdisable_log\fR module parameter. - +.PP +The module logs binding add/timeout events to klog. This behaviour can be +disabled using the \fBdisable_log\fR module parameter. +.PP \fB* Examples\fR - +.PP \fB1.\fR Map subnet 192.168.0.0/24 to subnets 20.0.0.0/26. SNAT only: - -iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26 - -Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26. If packet -from not yet bound prenat-ip hits the rule and there are no free or timed-out -(ttl<0) entries in prefix 20.0.0.0/28, then notice is logged to klog and chain -traversal continues. If packet from already bound prenat-ip hits the rule, -bindings ttl value is regenerated to default_ttl and SNAT is performed. - +.PP +iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 +.PP +Active hosts from the 192.168.0.0/24 subnet are mapped to 20.0.0.0/26. If the +packet from a not yet bound prenat address hits the rule and there are no free +or timed-out (TTL<0) entries in prefix 20.0.0.0/28, then a notice is logged to +klog and chain traversal continues. If packet from an already-bound prenat +address hits the rule, the binding's TTL value is reset to default_ttl and SNAT +is performed. +.PP \fB2.\fR Use of \fB\-\-reuse\fR and \fB\-\-ttl\fR switches, multiple rule interaction: - -iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix -20.0.0.0/26 --reuse --ttl 200 - -iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 30.0.0.0/26 - -Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26 with ttl = -200 seconds. If there are no free addresses in first prefix the next one -(30.0.0.0/26) is used with default ttl. It's important to note that the first -rule SNATs all flows whose source IP is already actively (ttl>0) bound to ANY -prefix. Parameter \fB\-\-reuse\fR makes this functionality work even for -inactive (ttl<0) entries. - -If both subnets are exhaused, then chain traversal continues. - -\fB3.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 bidirectional way: - -iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26 - -iptables -t nat -A PREROUTING -j DNETMAP - -If host 192.168.0.10 generates some traffic, it gets bound to first free IP in -subnet - 20.0.0.0. Now any traffic directed to 20.0.0.0 gets DNATed to -192.168.0.10 as long as there's an active (ttl>0) binding. There's no need to -specify \fB\-\-prefix\fR parameter in PREROUTING rule, because this way it DNATs -traffic to all active prefixes. You could specify prefix it you'd like to make -DNAT work for specific prefix only. - -\fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments only: - -iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26 ---static - -echo "+192.168.0.10:20.0.0.1" > /proc/net/xt_DNETMAP/20.0.0.0_26 +.PP +iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix +20.0.0.0/26 \-\-reuse \-\-ttl 200 +.PP +iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 30.0.0.0/26 +.PP +Active hosts from 192.168.0.0/24 subnet are mapped to 20.0.0.0/26 with TTL = +200 seconds. If there are no free addresses in first prefix, the next one +(30.0.0.0/26) is used with the default TTL. It is important to note that the +first rule SNATs all flows whose source address is already actively bound +(TTL>0) to ANY prefix. The \fB\-\-reuse\fR parameter makes this functionality +work even for inactive (TTL<0) entries. +.PP +If both subnets are exhausted, then chain traversal continues. +.PP +\fB3.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 in a bidirectional way: +.PP +iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 +.PP +iptables \-t nat \-A PREROUTING \-j DNETMAP +.PP +If the host 192.168.0.10 generates some traffic, it gets bound to first free +address in the subnet \(em 20.0.0.0. Now, any traffic directed to 20.0.0.0 gets +DNATed to 192.168.0.10 as long as there is an active (TTL>0) binding. There is +no need to specify \fB\-\-prefix\fR parameter in a PREROUTING rule, because +this way, it DNATs traffic to all active prefixes. You could specify the prefix +you would like to make DNAT work for a specific prefix only. +.PP +\fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments +only: +.PP +iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 +\-\-static +.PP +echo "+192.168.0.10:20.0.0.1" >/proc/net/xt_DNETMAP/20.0.0.0_26 .br -echo "+192.168.0.11:20.0.0.2" > /proc/net/xt_DNETMAP/20.0.0.0_26 +echo "+192.168.0.11:20.0.0.2" >/proc/net/xt_DNETMAP/20.0.0.0_26 .br -echo "+192.168.0.51:20.0.0.3" > /proc/net/xt_DNETMAP/20.0.0.0_26 - +echo "+192.168.0.51:20.0.0.3" >/proc/net/xt_DNETMAP/20.0.0.0_26 +.PP This configuration will allow only preconfigured static bindings to work due to -\fBstatic\fR rule option. Without this flag dynamic bindings would be created -using non-static entries. - +the \fBstatic\fR rule option. Without this flag, dynamic bindings would be +created using non-static entries. +.PP \fB5.\fR Persistent prefix: - -iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26 ---persistent +.PP +iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 +\-\-persistent .br \fBor\fR .br -iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26 +iptables \-t nat \-A POSTROUTING \-s 192.168.0.0/24 \-j DNETMAP \-\-prefix 20.0.0.0/26 .br -echo "+persistent" > /proc/net/xt_DNETMAP/20.0.0.0_26 - -Now we can check persistent flag of the prefix: +echo "+persistent" >/proc/net/xt_DNETMAP/20.0.0.0_26 +.PP +Now, we can check the persistent flag of the prefix: .br cat /proc/net/xt_DNETMAP/20.0.0.0_26 .br 0 0 64 0 \fBpersistent\fR - -Flush iptables nat table and see that prefix is still in existence: +.PP +Flush the iptables nat table and see that prefix is still in existence: .br -iptables -F -t nat +iptables \-F \-t nat .br -ls -l /proc/net/xt_DNETMAP +ls \-l /proc/net/xt_DNETMAP .br --rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26 +\-rw\-r\-\-r\-\- 1 root root 0 06\-10 09:01 20.0.0.0_26 .br --rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26_stat +\-rw\-r\-\-r\-\- 1 root root 0 06\-10 09:01 20.0.0.0_26_stat .
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_ECHO.man ^
@@ -1,3 +1,4 @@ +.PP The \fBECHO\fP target will send back all packets it received. It serves as an examples for an Xtables target. .PP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_IPMARK.c ^
@@ -113,25 +113,6 @@ } static void -ipmark_tg_print(const void entry, const struct xt_entry_target target, - int numeric) -{ - const struct xt_ipmark_tginfo info = (const void )target->data; - - if (info->selector == XT_IPMARK_SRC) - printf(" IPMARK src ip "); - else - printf(" IPMARK dst ip "); - - if (info->shift != 0) - printf(" shift %u ", (unsigned int)info->shift); - if (info->andmask != ~0U) - printf(" and 0x%x ", (unsigned int)info->andmask); - if (info->ormask != 0) - printf(" or 0x%x ", (unsigned int)info->ormask); -} - -static void ipmark_tg_save(const void entry, const struct xt_entry_target target) { const struct xt_ipmark_tginfo info = (const void )target->data; @@ -149,6 +130,14 @@ printf(" --or-mask 0x%x ", (unsigned int)info->ormask); } +static void +ipmark_tg_print(const void entry, const struct xt_entry_target target, + int numeric) +{ + printf(" -j IPMARK"); + ipmark_tg_save(entry, target); +} + static struct xtables_target ipmark_tg_reg = { .version = XTABLES_VERSION, .name = "IPMARK",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_IPMARK.man ^
@@ -1,7 +1,8 @@ +.PP Allows you to mark a received packet basing on its IP address. This can replace many mangle/mark entries with only one, if you use firewall based classifier. - +.PP This target is to be used inside the \fBmangle\fP table. .TP \fB\-\-addr\fP {\fBsrc\fP\|\fBdst\fP}
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_LOGMARK.c ^
@@ -78,15 +78,6 @@ } static void -logmark_tg_print(const void ip, const struct xt_entry_target target, - int numeric) -{ - const struct xt_logmark_tginfo info = (void )target->data; - - printf(" LOGMARK level %u prefix \"%s\" ", info->level, info->prefix); -} - -static void logmark_tg_save(const void ip, const struct xt_entry_target target) { const struct xt_logmark_tginfo info = (void )target->data; @@ -97,6 +88,14 @@ printf(" --log-prefix \"%s\" ", info->prefix); } +static void +logmark_tg_print(const void ip, const struct xt_entry_target target, + int numeric) +{ + printf(" -j LOGMARK"); + logmark_tg_save(ip, target); +} + static struct xtables_target logmark_tg_reg = { .version = XTABLES_VERSION, .name = "LOGMARK",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_LOGMARK.man ^
@@ -1,3 +1,4 @@ +.PP The LOGMARK target will log packet and connection marks to syslog. .TP \fB\-\-log\-level\fR \fIlevel\fR
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_RAWDNAT.c ^
@@ -104,51 +104,39 @@ } static void -rawdnat_tg4_print(const void entry, const struct xt_entry_target target, - int numeric) +rawdnat_tg4_save(const void entry, const struct xt_entry_target target) { const struct xt_rawnat_tginfo info = (const void )target->data; - if (!numeric && info->mask == 32) - printf(" to-destination %s ", - xtables_ipaddr_to_anyname(&info->addr.in)); - else - printf(" to-destination %s/%u ", - xtables_ipaddr_to_numeric(&info->addr.in), info->mask); + printf(" --to-destination %s/%u ", + xtables_ipaddr_to_numeric(&info->addr.in), + info->mask); } static void -rawdnat_tg6_print(const void entry, const struct xt_entry_target target, +rawdnat_tg4_print(const void entry, const struct xt_entry_target target, int numeric) { - const struct xt_rawnat_tginfo info = (const void )target->data; - - if (!numeric && info->mask == 128) - printf(" to-destination %s ", - xtables_ip6addr_to_anyname(&info->addr.in6)); - else - printf(" to-destination %s/%u ", - xtables_ip6addr_to_numeric(&info->addr.in6), info->mask); + printf(" -j RAWDNAT"); + rawdnat_tg4_save(entry, target); } static void -rawdnat_tg4_save(const void entry, const struct xt_entry_target target) +rawdnat_tg6_save(const void entry, const struct xt_entry_target target) { const struct xt_rawnat_tginfo info = (const void )target->data; printf(" --to-destination %s/%u ", - xtables_ipaddr_to_numeric(&info->addr.in), + xtables_ip6addr_to_numeric(&info->addr.in6), info->mask); } static void -rawdnat_tg6_save(const void entry, const struct xt_entry_target target) +rawdnat_tg6_print(const void entry, const struct xt_entry_target target, + int numeric) { - const struct xt_rawnat_tginfo info = (const void )target->data; - - printf(" --to-destination %s/%u ", - xtables_ip6addr_to_numeric(&info->addr.in6), - info->mask); + printf(" -j RAWDNAT"); + rawdnat_tg6_save(entry, target); } static struct xtables_target rawdnat_tg_reg[] = {
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_RAWDNAT.man ^
@@ -1,9 +1,10 @@ +.PP The \fBRAWDNAT\fR target will rewrite the destination address in the IP header, much like the \fBNETMAP\fR target. .TP \fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR] Network address to map to. The resulting address will be constructed the -following way: All 'one' bits in the \fImask\fR are filled in from the new +following way: All "one" bits in the \fImask\fR are filled in from the new \fIaddress\fR. All bits that are zero in the mask are filled in from the original address. .PP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_RAWSNAT.c ^
@@ -104,34 +104,6 @@ } static void -rawsnat_tg4_print(const void entry, const struct xt_entry_target target, - int numeric) -{ - const struct xt_rawnat_tginfo info = (const void )target->data; - - if (!numeric && info->mask == 32) - printf(" to-source %s ", - xtables_ipaddr_to_anyname(&info->addr.in)); - else - printf(" to-source %s/%u ", - xtables_ipaddr_to_numeric(&info->addr.in), info->mask); -} - -static void -rawsnat_tg6_print(const void entry, const struct xt_entry_target target, - int numeric) -{ - const struct xt_rawnat_tginfo info = (const void )target->data; - - if (!numeric && info->mask == 128) - printf(" to-source %s ", - xtables_ip6addr_to_anyname(&info->addr.in6)); - else - printf(" to-source %s/%u ", - xtables_ip6addr_to_numeric(&info->addr.in6), info->mask); -} - -static void rawsnat_tg4_save(const void entry, const struct xt_entry_target target) { const struct xt_rawnat_tginfo info = (const void )target->data; @@ -151,6 +123,22 @@ info->mask); } +static void +rawsnat_tg4_print(const void entry, const struct xt_entry_target target, + int numeric) +{ + printf(" -j RAWSNAT"); + rawsnat_tg4_save(entry, target); +} + +static void +rawsnat_tg6_print(const void entry, const struct xt_entry_target target, + int numeric) +{ + printf(" -j RAWSNAT"); + rawsnat_tg6_save(entry, target); +} + static struct xtables_target rawsnat_tg_reg[] = { { .version = XTABLES_VERSION,
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_RAWSNAT.man ^
@@ -1,3 +1,4 @@ +.PP The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address translation. .PP @@ -10,7 +11,7 @@ .TP \fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR] Network address to map to. The resulting address will be constructed the -following way: All 'one' bits in the \fImask\fR are filled in from the new +following way: All "one" bits in the \fImask\fR are filled in from the new \fIaddress\fR. All bits that are zero in the mask are filled in from the original address. .PP @@ -25,7 +26,7 @@ would do. Also note that it can transform already-NATed connections \(em as said, it is completely external to Netfilter's connection tracking/NAT. .PP -If the machine itself generates packets that are to be rawnat'ed, you need a +If the machine itself generates packets that are to be rawnat-ed, you need a rule in the OUTPUT chain instead, just like you would with the stateful NAT targets. .PP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_STEAL.man ^
@@ -1,2 +1,3 @@ +.PP Like the DROP target, but does not throw an error like DROP when used in the \fBOUTPUT\fP chain.
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_SYSRQ.man ^
@@ -1,3 +1,4 @@ +.PP The SYSRQ target allows to remotely trigger sysrq on the local machine over the network. This can be useful when vital parts of the machine hang, for example an oops in a filesystem causing locks to be not released and processes to get
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_TARPIT.c ^
@@ -67,24 +67,6 @@ "TARPIT: only one action can be used at a time"); } -static void tarpit_tg_print(const void ip, - const struct xt_entry_target target, int numeric) -{ - const struct xt_tarpit_tginfo info = (void )target->data; - - switch (info->variant) { - case XTTARPIT_HONEYPOT: - printf(" honeypot mode "); - break; - case XTTARPIT_RESET: - printf(" reset mode "); - break; - default: - printf(" tarpit mode "); - break; - } -} - static void tarpit_tg_save(const void ip, const struct xt_entry_target target) { @@ -103,6 +85,13 @@ } } +static void tarpit_tg_print(const void ip, + const struct xt_entry_target target, int numeric) +{ + printf(" -j TARPIT"); + tarpit_tg_save(ip, target); +} + static struct xtables_target tarpit_tg_reg = { .version = XTABLES_VERSION, .name = "TARPIT",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_TARPIT.man ^
@@ -1,3 +1,4 @@ +.PP Captures and holds incoming TCP connections using no local per-connection resources. .PP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_condition.c ^
@@ -62,20 +62,18 @@ "Condition match: must specify --condition"); } -static void condition_print(const void ip, const struct xt_entry_match match, - int numeric) +static void condition_save(const void ip, const struct xt_entry_match match) { const struct xt_condition_mtinfo info = (const void )match->data; - printf(" condition %s%s ", (info->invert) ? "!" : "", info->name); + printf("%s --condition \"%s\" ", info->invert ? " !" : "", info->name); } - -static void condition_save(const void ip, const struct xt_entry_match match) +static void condition_print(const void ip, const struct xt_entry_match match, + int numeric) { - const struct xt_condition_mtinfo info = (const void )match->data; - - printf("%s --condition \"%s\" ", info->invert ? " !" : "", info->name); + printf(" -m condition"); + condition_save(ip, match); } static struct xtables_match condition_mt_reg = {
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_condition.man ^
@@ -1,3 +1,4 @@ +.PP This matches if a specific condition variable is (un)set. .TP [\fB!\fP] \fB\-\-condition\fP \fIname\fP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_dhcpmac.c ^
@@ -62,15 +62,6 @@ "--mac parameter required"); } -static void dhcpmac_mt_print(const void ip, - const struct xt_entry_match match, int numeric) -{ - const struct dhcpmac_info info = (void )match->data; - - printf(" dhcpmac %s" DH_MAC_FMT "/%u ", - info->invert ? "!" : "", DH_MAC_HEX(info->addr), info->mask); -} - static void dhcpmac_mt_save(const void ip, const struct xt_entry_match match) { @@ -82,6 +73,13 @@ DH_MAC_HEX(info->addr), info->mask); } +static void dhcpmac_mt_print(const void ip, + const struct xt_entry_match match, int numeric) +{ + printf(" -m dhcpmac"); + dhcpmac_mt_save(ip, match); +} + static struct xtables_match dhcpmac_mt_reg = { .version = XTABLES_VERSION, .name = "dhcpmac",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_fuzzy.c ^
@@ -83,15 +83,6 @@ { } -static void fuzzy_mt_print(const void ip, const struct xt_entry_match match, - int numeric) -{ - const struct xt_fuzzy_mtinfo info = (const void )match->data; - - printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ", - info->minimum_rate, info->maximum_rate); -} - static void fuzzy_mt_save(const void ip, const struct xt_entry_match match) { const struct xt_fuzzy_mtinfo info = (const void )match->data; @@ -100,6 +91,13 @@ printf(" --upper-limit %u ", info->maximum_rate); } +static void fuzzy_mt_print(const void ip, const struct xt_entry_match match, + int numeric) +{ + printf(" -m fuzzy"); + fuzzy_mt_save(ip, match); +} + static struct xtables_match fuzzy_mt_reg = { .name = "fuzzy", .revision = 1,
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_fuzzy.man ^
@@ -1,3 +1,4 @@ +.PP This module matches a rate limit based on a fuzzy logic controller (FLC). .TP \fB\-\-lower\-limit\fP \fInumber\fP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_geoip.c ^
@@ -252,31 +252,6 @@ } static void -geoip_print(const void ip, const struct xt_entry_match match, int numeric) -{ - const struct xt_geoip_match_info info = (void)match->data; - - u_int8_t i; - - if (info->flags & XT_GEOIP_SRC) - printf(" Source "); - else - printf(" Destination "); - - if (info->count > 1) - printf("countries: "); - else - printf("country: "); - - if (info->flags & XT_GEOIP_INV) - printf("! "); - - for (i = 0; i < info->count; i++) - printf("%s%c%c", i ? "," : "", COUNTRY(info->cc[i])); - printf(" "); -} - -static void geoip_save(const void ip, const struct xt_entry_match match) { const struct xt_geoip_match_info info = (void )match->data; @@ -295,6 +270,13 @@ printf(" "); } +static void +geoip_print(const void ip, const struct xt_entry_match match, int numeric) +{ + printf(" -m geoip"); + geoip_save(ip, match); +} + static struct xtables_match geoip_match[] = { { .family = NFPROTO_IPV6,
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_geoip.man ^
@@ -1,3 +1,4 @@ +.PP Match a packet by its source or destination country. .TP [\fB!\fP] \fB\-\-src\-cc\fP, \fB\-\-source\-country\fP \fIcountry\fP[\fB,\fP\fIcountry\fP\fB...\fP] @@ -15,8 +16,8 @@ /usr/lib(exec)/xtables-addons/. The first command retrieves CSV files from MaxMind, while the other two build packed bisectable range files: .PP -mkdir -p /usr/share/xt_geoip; cd /tmp; $path/to/xt_geoip_dl; +mkdir \-p /usr/share/xt_geoip; cd /tmp; $path/to/xt_geoip_dl; .PP -$path/to/xt_geoip_build -D /usr/share/xt_geoip GeoIP.csv; +$path/to/xt_geoip_build \-D /usr/share/xt_geoip GeoIP.csv; .PP The shared library is hardcoded to look in these paths, so use them.
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_gradm.c ^
@@ -57,17 +57,6 @@ { } -static void gradm_mt_print(const void ip, const struct xt_entry_match match, - int numeric) -{ - const struct xt_gradm_mtinfo info = (const void )match->data; - - if (info->invflags) - printf("gradm: disabled"); - else - printf("gradm: enabled"); -} - static void gradm_mt_save(const void ip, const struct xt_entry_match match) { const struct xt_gradm_mtinfo info = (const void )match->data; @@ -78,6 +67,13 @@ printf(" --enabled "); } +static void gradm_mt_print(const void ip, const struct xt_entry_match match, + int numeric) +{ + printf(" -m gradm"); + gradm_mt_save(ip, match); +} + static struct xtables_match gradm_mt_reg = { .family = NFPROTO_UNSPEC, .name = "gradm",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_gradm.man ^
@@ -1,3 +1,4 @@ +.PP This module matches packets based on grsecurity RBAC status. .TP [\fB!\fP] \fB\-\-enabled\fP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_iface.c ^
@@ -175,33 +175,6 @@ "iface: You must specify at least one option"); } -static void iface_mt_print(const void ip, const struct xt_entry_match match, - int numeric) -{ - const struct xt_iface_mtinfo info = (const void )match->data; - - printf(" iface: "); - if (info->flags & XT_IFACE_DEV_IN) - printf("(in)"); - else if (info->flags & XT_IFACE_DEV_OUT) - printf("(out)"); - else - printf("%s", info->ifname); - printf(" [state:"); - iface_print_opt(info, XT_IFACE_UP, "up"); - iface_print_opt(info, XT_IFACE_BROADCAST, "broadcast"); - iface_print_opt(info, XT_IFACE_LOOPBACK, "loopback"); - iface_print_opt(info, XT_IFACE_POINTOPOINT, "pointopoint"); - iface_print_opt(info, XT_IFACE_RUNNING, "running"); - iface_print_opt(info, XT_IFACE_NOARP, "noarp"); - iface_print_opt(info, XT_IFACE_PROMISC, "promisc"); - iface_print_opt(info, XT_IFACE_MULTICAST, "multicast"); - iface_print_opt(info, XT_IFACE_DYNAMIC, "dynamic"); - iface_print_opt(info, XT_IFACE_LOWER_UP, "lower_up"); - iface_print_opt(info, XT_IFACE_DORMANT, "dormant"); - printf("] "); -} - static void iface_mt_save(const void ip, const struct xt_entry_match match) { const struct xt_iface_mtinfo info = (const void )match->data; @@ -226,6 +199,13 @@ printf(" "); } +static void iface_mt_print(const void ip, const struct xt_entry_match match, + int numeric) +{ + printf(" -m iface"); + iface_mt_save(ip, match); +} + static struct xtables_match iface_mt_reg = { .version = XTABLES_VERSION, .name = "iface",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_iface.man ^
@@ -1,3 +1,4 @@ +.PP Allows you to check interface states. First, an interface needs to be selected for comparison. Exactly one option of the following three must be specified: .TP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_ipp2p.c ^
@@ -217,7 +217,7 @@ static void ipp2p_mt_print(const void entry, const struct xt_entry_match match, int numeric) { - printf(" ipp2p "); + printf(" -m ipp2p "); ipp2p_mt_print1(entry, match, true); }
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_ipp2p.man ^
@@ -1,3 +1,4 @@ +.PP This module matches certain packets in P2P flows. It is not designed to match all packets belonging to a P2P connection \(em use IPP2P together with CONNMARK for this purpose.
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_ipv4options.c ^
@@ -133,17 +133,6 @@ } } -static void ipv4options_mt_print(const void ip, - const struct xt_entry_match match, int numeric) -{ - const struct xt_ipv4options_mtinfo1 info = (void )match->data; - - printf(" ipv4options %s ", - (info->flags & XT_V4OPTS_ANY) ? "any-of" : "all-of"); - ipv4options_print_flags(info, numeric); - printf(" "); -} - static void ipv4options_mt_save(const void ip, const struct xt_entry_match match) { @@ -158,6 +147,13 @@ printf(" "); } +static void ipv4options_mt_print(const void ip, + const struct xt_entry_match match, int numeric) +{ + printf(" -m ipv4options"); + ipv4options_mt_save(ip, match); +} + static struct xtables_match ipv4options_mt_reg = { .version = XTABLES_VERSION, .name = "ipv4options",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_ipv4options.man ^
@@ -1,3 +1,4 @@ +.PP The "ipv4options" module allows to match against a set of IPv4 header options. .TP \fB\-\-flags\fP [\fB!\fP]\fIsymbol\fP[\fB,\fP[\fB!\fP]\fIsymbol...\fP]
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_length2.c ^
@@ -107,29 +107,6 @@ "--layer3. Consider specifying it explicitly.\n"); } -static void length_mt_print(const void ip, const struct xt_entry_match match, - int numeric) -{ - const struct xt_length_mtinfo2 info = (const void )match->data; - - if (info->flags & XT_LENGTH_LAYER3) - printf(" layer3 "); - else if (info->flags & XT_LENGTH_LAYER4) - printf(" layer4 "); - else if (info->flags & XT_LENGTH_LAYER5) - printf(" layer5 "); - else if (info->flags & XT_LENGTH_LAYER7) - printf(" layer7 "); - printf(" length "); - if (info->flags & XT_LENGTH_INVERT) - printf("! "); - if (info->min == info->max) - printf("%u ", (unsigned int)info->min); - else - printf("%u-%u ", (unsigned int)info->min, - (unsigned int)info->max); -} - static void length_mt_save(const void ip, const struct xt_entry_match match) { const struct xt_length_mtinfo2 info = (const void )match->data; @@ -152,6 +129,13 @@ (unsigned int)info->max); } +static void length_mt_print(const void ip, const struct xt_entry_match match, + int numeric) +{ + printf(" -m length2"); + length_mt_save(ip, match); +} + static struct xtables_match length2_mt_reg = { .version = XTABLES_VERSION, .name = "length2",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_length2.man ^
@@ -1,3 +1,4 @@ +.PP This module matches the length of a packet against a specific value or range of values. .TP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_lscan.c ^
@@ -64,30 +64,6 @@ { } -static void lscan_mt_print(const void ip, - const struct xt_entry_match match, int numeric) -{ - const struct xt_lscan_mtinfo info = (const void )(match->data); - const char s = ""; - - printf(" lscan "); - if (info->match_stealth) { - printf("STEALTH"); - s = ","; - } - if (info->match_syn) { - printf("%sSYNSCAN", s); - s = ","; - } - if (info->match_cn) { - printf("%sCNSCAN", s); - s = ","; - } - if (info->match_gr) - printf("%sGRSCAN", s); - printf(" "); -} - static void lscan_mt_save(const void ip, const struct xt_entry_match match) { const struct xt_lscan_mtinfo info = (const void )(match->data); @@ -102,6 +78,13 @@ printf(" --grscan "); } +static void lscan_mt_print(const void ip, + const struct xt_entry_match *match, int numeric) +{ + printf(" -m lscan"); + lscan_mt_save(ip, match); +} + static struct xtables_match lscan_mt_reg = { .version = XTABLES_VERSION, .name = "lscan",
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_lscan.man ^
@@ -1,4 +1,5 @@ -Detects simple low-level scan attemps based upon the packet's contents. +.PP +Detects simple low-level scan attempts based upon the packet's contents. (This is different from other implementations, which also try to match the rate of new connections.) Note that an attempt is only discovered after it has been carried
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_psd.c ^
@@ -117,18 +117,6 @@ /* Final check; nothing. / static void psd_mt_final_check(unsigned int flags) {} -/ Prints out the targinfo. / -static void psd_mt_print(const void ip, const struct xt_entry_match match, int numeric) -{ - const struct xt_psd_info psdinfo = (const struct xt_psd_info )match->data; - printf(" psd "); - printf("weight-threshold: %u ", psdinfo->weight_threshold); - printf("delay-threshold: %u ", psdinfo->delay_threshold); - printf("lo-ports-weight: %u ", psdinfo->lo_ports_weight); - printf("hi-ports-weight: %u ", psdinfo->hi_ports_weight); -} - -/ Saves the union ipt_targinfo in parsable form to stdout. / static void psd_mt_save(const void ip, const struct xt_entry_match match) { const struct xt_psd_info psdinfo = (const struct xt_psd_info )match->data; @@ -138,6 +126,12 @@ printf("--psd-hi-ports-weight %u ", psdinfo->hi_ports_weight); } +static void psd_mt_print(const void ip, const struct xt_entry_match *match, int numeric) +{ + printf(" -m psd"); + psd_mt_save(ip, match); +} + static struct xtables_match psd_mt_reg = { .name = "psd", .version = XTABLES_VERSION,
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_psd.man ^
@@ -1,3 +1,4 @@ +.PP Attempt to detect TCP and UDP port scans. This match was derived from Solar Designer's scanlogd. .TP
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_quota2.c ^
@@ -98,8 +98,6 @@ { const struct xt_quota_mtinfo2 q = (void )match->data; - if (q->flags & XT_QUOTA_INVERT) - printf(" !"); if (q->flags & XT_QUOTA_GROW) printf(" --grow "); if (q->flags & XT_QUOTA_NO_CHANGE) @@ -108,29 +106,16 @@ printf(" --packets "); if (q->name != '\0') printf(" --name %s ", q->name); + if (q->flags & XT_QUOTA_INVERT) + printf(" !"); printf(" --quota %llu ", (unsigned long long)q->quota); } static void quota_mt2_print(const void ip, const struct xt_entry_match match, int numeric) { - const struct xt_quota_mtinfo2 q = (const void )match->data; - - if (q->flags & XT_QUOTA_INVERT) - printf(" !"); - if (q->flags & XT_QUOTA_GROW) - printf(" counter"); - else - printf(" quota"); - if (q->name != '\0') - printf(" %s:", q->name); - printf(" %llu ", (unsigned long long)q->quota); - if (q->flags & XT_QUOTA_PACKET) - printf("packets "); - else - printf("bytes "); - if (q->flags & XT_QUOTA_NO_CHANGE) - printf("(no-change mode) "); + printf(" -m quota"); + quota_mt2_save(ip, match); } static struct xtables_match quota_mt2_reg = {
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/libxt_quota2.man ^
@@ -1,3 +1,4 @@ +.PP The "quota2" implements a named counter which can be increased or decreased on a per-match basis. Available modes are packet counting or byte counting. The value of the counter can be read and reset through procfs, thereby making
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/pknock/libxt_pknock.man ^
@@ -15,10 +15,10 @@ .PP Example 1 (TCP mode, manual closing of opened port not possible): .IP -iptables -P INPUT DROP +iptables \-P INPUT DROP .IP -iptables -A INPUT -p tcp -m pknock --knockports 4002,4001,4004 --strict ---name SSH --time 10 --autoclose 60 --dport 22 -j ACCEPT +iptables \-A INPUT \-p tcp \-m pknock \-\-knockports 4002,4001,4004 \-\-strict +\-\-name SSH \-\-time 10 \-\-autoclose 60 \-\-dport 22 \-j ACCEPT .PP The rule will allow tcp port 22 for the attempting IP address after the successful reception of TCP SYN packets to ports 4002, 4001 and 4004, in this order (a.k.a. port-knocking). @@ -33,10 +33,10 @@ of opened port possible, secure, also called "SPA" = Secure Port Authorization): .IP -iptables -A INPUT -p udp -m pknock --knockports 4000 --name FTP ---opensecret foo --closesecret bar --autoclose 240 -j DROP +iptables \-A INPUT \-p udp \-m pknock \-\-knockports 4000 \-\-name FTP +\-\-opensecret foo \-\-closesecret bar \-\-autoclose 240 \-j DROP .IP -iptables -A INPUT -p tcp -m pknock --checkip --name FTP --dport 21 -j ACCEPT +iptables \-A INPUT \-p tcp \-m pknock \-\-checkip \-\-name FTP \-\-dport 21 \-j ACCEPT .PP The first rule will create an "ALLOWED" record in /proc/net/xt_pknock/FTP after the successful reception of an UDP packet to port 4000. The packet payload must be
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/pknock/xt_pknock.c ^
@@ -190,8 +190,7 @@ static void * pknock_seq_start(struct seq_file s, loff_t pos) { - const struct proc_dir_entry pde = s->private; - const struct xt_pknock_rule rule = pde->data; + const struct xt_pknock_rule rule = s->private; spin_lock_bh(&list_lock); @@ -210,8 +209,7 @@ static void pknock_seq_next(struct seq_file s, void v, loff_t pos) { - const struct proc_dir_entry pde = s->private; - const struct xt_pknock_rule rule = pde->data; + const struct xt_pknock_rule rule = s->private; ++pos; if (pos >= peer_hashsize) @@ -243,8 +241,7 @@ unsigned long time; const struct list_head peer_head = v; - const struct proc_dir_entry pde = s->private; - const struct xt_pknock_rule rule = pde->data; + const struct xt_pknock_rule rule = s->private; list_for_each_safe(pos, n, peer_head) { peer = list_entry(pos, struct peer, head); @@ -295,7 +292,7 @@ int ret = seq_open(file, &pknock_seq_ops); if (ret == 0) { struct seq_file *sf = file->private_data; - sf->private = PDE(inode); + sf->private = PDE_DATA(inode); } return ret; } @@ -478,13 +475,11 @@ rule->timer.function = peer_gc; rule->timer.data = (unsigned long)rule; - rule->status_proc = create_proc_entry(info->rule_name, 0, pde); + rule->status_proc = proc_create_data(info->rule_name, 0, pde, + &pknock_proc_ops, rule); if (rule->status_proc == NULL) goto out; - rule->status_proc->proc_fops = &pknock_proc_ops; - rule->status_proc->data = rule; - list_add(&rule->head, &rule_hashtable[hash]); pr_debug("(A) rule_name: %s - created.\n", rule->rule_name); return true;
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/xt_DNETMAP.c ^
@@ -26,6 +26,8 @@ #include <linux/netfilter.h> #include <linux/netfilter_ipv4.h> #include <linux/netfilter/x_tables.h> +#include <linux/seq_file.h> +#include <linux/uidgid.h> #include <linux/version.h> #include <net/net_namespace.h> #include <net/netns/generic.h> @@ -112,13 +114,9 @@ static DEFINE_MUTEX(dnetmap_mutex); #ifdef CONFIG_PROC_FS -static const struct file_operations dnetmap_tg_fops; +static const struct file_operations dnetmap_tg_fops, dnetmap_stat_proc_fops; #endif -static int dnetmap_stat_proc_read(char __user buffer, char start, - off_t offset, int length, int eof, - void data); - static inline unsigned int dnetmap_entry_hash(const __be32 addr) { return ntohl(addr) & (hash_size - 1); @@ -328,21 +326,20 @@ ret = -ENOMEM; goto out; } - pde_data->uid = proc_uid; - pde_data->gid = proc_gid; + proc_set_user(pde_data, make_kuid(&init_user_ns, proc_uid), + make_kgid(&init_user_ns, proc_gid)); / statistics / - pde_stat = create_proc_entry(p->proc_str_stat, proc_perms, - dnetmap_net->xt_dnetmap); + pde_stat = proc_create_data(p->proc_str_stat, proc_perms, + dnetmap_net->xt_dnetmap, + &dnetmap_stat_proc_fops, p); if (pde_stat == NULL) { kfree(p); ret = -ENOMEM; goto out; } - pde_stat->data = p; - pde_stat->read_proc = dnetmap_stat_proc_read; - pde_stat->uid = proc_uid; - pde_stat->gid = proc_gid; + proc_set_user(pde_stat, make_kuid(&init_user_ns, proc_uid), + make_kgid(&init_user_ns, proc_gid)); #endif spin_lock_bh(&dnetmap_lock); @@ -593,22 +590,20 @@ static int dnetmap_seq_open(struct inode inode, struct file file) { - struct proc_dir_entry pde = PDE(inode); struct dnetmap_iter_state st; st = __seq_open_private(file, &dnetmap_seq_ops, sizeof(st)); if (st == NULL) return -ENOMEM; - st->p = pde->data; + st->p = PDE_DATA(inode); return 0; } static ssize_t dnetmap_tg_proc_write(struct file file, const char __user input,size_t size, loff_t loff) { - const struct proc_dir_entry pde = PDE(file->f_path.dentry->d_inode); - struct dnetmap_prefix p = pde->data; + struct dnetmap_prefix p = PDE_DATA(file_inode(file)); struct dnetmap_entry e; char buf[sizeof("+192.168.100.100:200.200.200.200")]; const char c = buf; @@ -783,11 +778,9 @@ }; /* for statistics / -static int dnetmap_stat_proc_read(char __user buffer, char *start, - off_t offset, int length, int eof, - void data) +static int dnetmap_stat_proc_show(struct seq_file m, void data) { - const struct dnetmap_prefix p = data; + const struct dnetmap_prefix p = m->private; struct dnetmap_entry e; unsigned int used, used_static, all; long int ttl, sum_ttl; @@ -813,16 +806,25 @@ } sum_ttl = used > 0 ? sum_ttl / (used * HZ) : 0; - sprintf(buffer, "%u %u %u %ld %s\n", used, used_static, all, sum_ttl,(p->flags & XT_DNETMAP_PERSISTENT ? "persistent" : "")); - - if (length >= strlen(buffer)) - eof = true; + seq_printf(m, "%u %u %u %ld %s\n", used, used_static, all, sum_ttl,(p->flags & XT_DNETMAP_PERSISTENT ? "persistent" : "")); spin_unlock_bh(&dnetmap_lock); - return strlen(buffer); + return 0; +} + +static int dnetmap_stat_proc_open(struct inode inode, struct file file) +{ + return single_open(file, dnetmap_stat_proc_show, PDE_DATA(inode)); } +static const struct file_operations dnetmap_stat_proc_fops = { + .open = dnetmap_stat_proc_open, + .read = seq_read, + .llseek = seq_lseek, + .release = single_release, +}; + static int __net_init dnetmap_proc_net_init(struct net net) { struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/xt_RAWNAT.c ^
@@ -109,7 +109,7 @@ static unsigned int rawnat4_writable_part(const struct iphdr iph) { - unsigned int wlen = sizeof(iph); + unsigned int wlen = iph->ihl * 4; switch (iph->protocol) { case IPPROTO_TCP:
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/xt_TARPIT.c ^
@@ -79,7 +79,7 @@ #if 0 /* Rate-limit replies to !SYN,ACKs */ if (!oth->syn && oth->ack) - if (!xrlim_allow(rt_dst(ort), HZ)) + if (!xrlim_allow(&ort->dst, HZ)) return false; #endif
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/xt_condition.c ^
@@ -52,6 +52,7 @@ struct proc_dir_entry status_proc; unsigned int refcount; bool enabled; + char name[sizeof(((struct xt_condition_mtinfo )NULL)->name)]; }; /* proc_lock is a user context only semaphore used for write access / @@ -61,22 +62,23 @@ static LIST_HEAD(conditions_list); static struct proc_dir_entry proc_net_condition; -static int condition_proc_read(char __user buffer, char start, off_t offset, - int length, int eof, void data) +static int condition_proc_show(struct seq_file m, void data) { - const struct condition_variable var = data; + const struct condition_variable var = m->private; - buffer[0] = var->enabled ? '1' : '0'; - buffer[1] = '\n'; - if (length >= 2) - eof = true; - return 2; + return seq_printf(m, var->enabled ? "1\n" : "0\n"); } -static int condition_proc_write(struct file file, const char __user buffer, - unsigned long length, void data) +static int condition_proc_open(struct inode inode, struct file file) { - struct condition_variable var = data; + return single_open(file, condition_proc_show, PDE_DATA(inode)); +} + +static ssize_t +condition_proc_write(struct file file, const char __user buffer, + size_t length, loff_t loff) +{ + struct condition_variable var = PDE_DATA(file_inode(file)); char newval; if (length > 0) { @@ -95,6 +97,14 @@ return length; } +static const struct file_operations condition_proc_fops = { + .open = condition_proc_open, + .read = seq_read, + .llseek = seq_lseek, + .write = condition_proc_write, + .release = single_release, +}; + static bool condition_mt(const struct sk_buff skb, struct xt_action_param par) { @@ -124,7 +134,7 @@ / mutex_lock(&proc_lock); list_for_each_entry(var, &conditions_list, list) { - if (strcmp(info->name, var->status_proc->name) == 0) { + if (strcmp(info->name, var->name) == 0) { var->refcount++; mutex_unlock(&proc_lock); info->condvar = var; @@ -139,24 +149,23 @@ return -ENOMEM; } + memcpy(var->name, info->name, sizeof(info->name)); / Create the condition variable's proc file entry. */ - var->status_proc = create_proc_entry(info->name, condition_list_perms, - proc_net_condition); + var->status_proc = proc_create_data(info->name, condition_list_perms, + proc_net_condition, &condition_proc_fops, var); if (var->status_proc == NULL) { kfree(var); mutex_unlock(&proc_lock); return -ENOMEM; } + proc_set_user(var->status_proc, + make_kuid(&init_user_ns, condition_uid_perms), + make_kgid(&init_user_ns, condition_gid_perms)); var->refcount = 1; var->enabled = false; - var->status_proc->data = var; wmb(); - var->status_proc->read_proc = condition_proc_read; - var->status_proc->write_proc = condition_proc_write; list_add(&var->list, &conditions_list); - var->status_proc->uid = condition_uid_perms; - var->status_proc->gid = condition_gid_perms; mutex_unlock(&proc_lock); info->condvar = var; return 0; @@ -170,7 +179,7 @@ mutex_lock(&proc_lock); if (--var->refcount == 0) { list_del(&var->list); - remove_proc_entry(var->status_proc->name, proc_net_condition); + proc_remove(var->status_proc); mutex_unlock(&proc_lock); kfree(var); return;
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/xt_geoip.c ^
@@ -83,10 +83,18 @@ p->count = umem.count; p->cc = umem.cc; size = p->count * geoproto_size[proto]; - subnet = vmalloc(size); - if (subnet == NULL) { - ret = -ENOMEM; - goto free_p; + if (size == 0) { + /* + * Believe it or not, vmalloc prints a warning to dmesg for + * zero-sized allocations :-/ + / + subnet = NULL; + } else { + subnet = vmalloc(size); + if (subnet == NULL) { + ret = -ENOMEM; + goto free_p; + } } if (copy_from_user(subnet, (const void __user )(unsigned long)umem.subnets, size) != 0) {
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/extensions/xt_quota2.c ^
@@ -14,8 +14,10 @@ #include <linux/list.h> #include <linux/module.h> #include <linux/proc_fs.h> +#include <linux/seq_file.h> #include <linux/skbuff.h> #include <linux/spinlock.h> +#include <linux/uidgid.h> #include <linux/version.h> #include <asm/atomic.h> @@ -46,22 +48,27 @@ module_param_named(uid, quota_list_uid, uint, S_IRUGO \| S_IWUSR); module_param_named(gid, quota_list_gid, uint, S_IRUGO \| S_IWUSR); -static int quota_proc_read(char page, char start, off_t offset, - int count, int eof, void data) +static int quota_proc_show(struct seq_file m, void data) { - struct xt_quota_counter e = data; + struct xt_quota_counter e = m->private; int ret; spin_lock_bh(&e->lock); - ret = snprintf(page, PAGE_SIZE, "%llu\n", e->quota); + ret = seq_printf(m, "%llu\n", e->quota); spin_unlock_bh(&e->lock); return ret; } -static int quota_proc_write(struct file file, const char __user input, - unsigned long size, void data) +static int quota_proc_open(struct inode inode, struct file file) { - struct xt_quota_counter e = data; + return single_open(file, quota_proc_show, PDE_DATA(inode)); +} + +static ssize_t +quota_proc_write(struct file file, const char __user input, + size_t size, loff_t loff) +{ + struct xt_quota_counter e = PDE_DATA(file_inode(file)); char buf[sizeof("18446744073709551616")]; if (size > sizeof(buf)) @@ -76,6 +83,14 @@ return size; } +static const struct file_operations quota_proc_fops = { + .open = quota_proc_open, + .read = seq_read, + .llseek = seq_lseek, + .write = quota_proc_write, + .release = single_release, +}; + static struct xt_quota_counter q2_new_counter(const struct xt_quota_mtinfo2 *q, bool anon) { @@ -123,16 +138,14 @@ if (e == NULL) goto out; - p = e->procfs_entry = create_proc_entry(e->name, quota_list_perms, - proc_xt_quota); + p = proc_create_data(e->name, quota_list_perms, proc_xt_quota, + &quota_proc_fops, e); if (p == NULL \|\| IS_ERR(p)) goto out; - p->data = e; - p->read_proc = quota_proc_read; - p->write_proc = quota_proc_write; - p->uid = quota_list_uid; - p->gid = quota_list_gid; + e->procfs_entry = p; + proc_set_user(p, make_kuid(&init_user_ns, quota_list_uid), + make_kgid(&init_user_ns, quota_list_gid)); list_add_tail(&e->list, &counter_list); spin_unlock_bh(&counter_list_lock); return e;
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/geoip/xt_geoip_build.1 ^
@@ -29,7 +29,7 @@ .PP Shell commands to build the databases and put them to where they are expected: .PP -xt_geoip_build -D /usr/share/xt_geoip +xt_geoip_build \-D /usr/share/xt_geoip .SH See also .PP xt_geoip_dl(1)
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/geoip/xt_geoip_dl ^
@@ -1,6 +1,6 @@ #!/bin/sh -rm -f GeoIPv6.csv{,.gz} GeoIPCountryCSV.zip GeoIPCountryWhois.csv; +rm -f GeoIPv6.csv GeoIPv6.csv.gz GeoIPCountryCSV.zip GeoIPCountryWhois.csv; wget \ http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \ http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip;
[-] [+]	Changed	xtables-addons-2.3.tar.bz2/xtables-addons.8.in ^
@@ -1,4 +1,4 @@ -.TH xtables-addons 8 "Continuous Snow Edition" "" "v2.2 (2013-03-31)" +.TH xtables-addons 8 "African Heat Edition" "" "v2.3 (2013-06-18)" .SH Name Xtables-addons \(em additional extensions for iptables, ip6tables, etc. .SH Targets