xtables-addons.spec
xtables-addons-1.38.tar.bz2/INSTALL
@@ -22,12 +22,14 @@
- CONFIG_CONNECTOR y/m if you wish to receive userspace
notifications from pknock through netlink/connector
-For ipset-6 you need:
+Compilation of ipset-genl-6.x is enabled by default. This additionally
+requires
* libmnl
-
* Linux kernel >= 2.6.35
+so if you do not have these, turn it off in mconfig before compilation.
+
Selecting extensions
====================
xtables-addons-1.38.tar.bz2/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for xtables-addons 1.37.
+# Generated by GNU Autoconf 2.68 for xtables-addons 1.38.
#
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -706,8 +706,8 @@
# Identity of this package.
PACKAGE_NAME='xtables-addons'
PACKAGE_TARNAME='xtables-addons'
-PACKAGE_VERSION='1.37'
-PACKAGE_STRING='xtables-addons 1.37'
+PACKAGE_VERSION='1.38'
+PACKAGE_STRING='xtables-addons 1.38'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1441,7 +1441,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures xtables-addons 1.37 to adapt to many kinds of systems.
+\`configure' configures xtables-addons 1.38 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1511,7 +1511,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of xtables-addons 1.37:";;
+ short | recursive ) echo "Configuration of xtables-addons 1.38:";;
esac
cat <<\_ACEOF
@@ -1628,7 +1628,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-xtables-addons configure 1.37
+xtables-addons configure 1.38
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -1993,7 +1993,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by xtables-addons $as_me 1.37, which was
+It was created by xtables-addons $as_me 1.38, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
@@ -2811,7 +2811,7 @@
# Define the identity of the package.
PACKAGE='xtables-addons'
- VERSION='1.37'
+ VERSION='1.38'
cat >>confdefs.h <<_ACEOF
@@ -11480,7 +11480,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by xtables-addons $as_me 1.37, which was
+This file was extended by xtables-addons $as_me 1.38, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -11546,7 +11546,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-xtables-addons config.status 1.37
+xtables-addons config.status 1.38
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
xtables-addons-1.38.tar.bz2/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [1.37])
+AC_INIT([xtables-addons], [1.38])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
AC_PROG_INSTALL
xtables-addons-1.38.tar.bz2/doc/changelog.txt
@@ -3,6 +3,20 @@
====
+v1.38 (2011-08-20)
+==================
+- xt_CHECKSUM: abort build when the feature is already provided by mainline
+- xt_SYSRQ: fix UDPLITE header lookup in IPv6
+- xt_TARPIT: fix kernel warning about RTAX_HOPLIMIT being used
+- xt_TEE: abort build when the feature is already provided by mainline
+- xt_ipp2p: support UDPLITE
+- xt_pknock: support UDPLITE
+- xt_psd: restore functionality with UDP
+- xt_psd: support UDPLITE
+- update to ipset 6.8
+- support for Linux 3.1
+
+
v1.37 (2011-06-25)
==================
Fixes:
xtables-addons-1.38.tar.bz2/extensions/ipset-6/ip_set_ahash.h
@@ -28,7 +28,32 @@
/* Number of elements to store in an initial array block */
#define AHASH_INIT_SIZE 4
/* Max number of elements to store in an array block */
-#define AHASH_MAX_SIZE (3*4)
+#define AHASH_MAX_SIZE (3*AHASH_INIT_SIZE)
+
+/* Max number of elements can be tuned */
+#ifdef IP_SET_HASH_WITH_MULTI
+#define AHASH_MAX(h) ((h)->ahash_max)
+
+static inline u8
+tune_ahash_max(u8 curr, u32 multi)
+{
+ u32 n;
+
+ if (multi < curr)
+ return curr;
+
+ n = curr + AHASH_INIT_SIZE;
+ /* Currently, at listing one hash bucket must fit into a message.
+ * Therefore we have a hard limit here.
+ */
+ return n > curr && n <= 64 ? n : curr;
+}
+#define TUNE_AHASH_MAX(h, multi) \
+ ((h)->ahash_max = tune_ahash_max((h)->ahash_max, multi))
+#else
+#define AHASH_MAX(h) AHASH_MAX_SIZE
+#define TUNE_AHASH_MAX(h, multi)
+#endif
/* A hash bucket */
struct hbucket {
@@ -60,6 +85,9 @@
u32 timeout; /* timeout value, if enabled */
struct timer_list gc; /* garbage collection when timeout enabled */
struct type_pf_next next; /* temporary storage for uadd */
+#ifdef IP_SET_HASH_WITH_MULTI
+ u8 ahash_max; /* max elements in an array block */
+#endif
#ifdef IP_SET_HASH_WITH_NETMASK
u8 netmask; /* netmask value for subnets to store */
#endif
@@ -211,12 +239,16 @@
set->data = NULL;
}
-#define HKEY(data, initval, htable_bits) \
-(jhash2((u32 *)(data), sizeof(struct type_pf_elem)/sizeof(u32), initval) \
- & jhash_mask(htable_bits))
-
#endif /* _IP_SET_AHASH_H */
+#ifndef HKEY_DATALEN
+#define HKEY_DATALEN sizeof(struct type_pf_elem)
+#endif
+
+#define HKEY(data, initval, htable_bits) \
+(jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval) \
+ & jhash_mask(htable_bits))
+
#define CONCAT(a, b, c) a##b##c
#define TOKEN(a, b, c) CONCAT(a, b, c)
@@ -275,12 +307,13 @@
/* Add an element to the hash table when resizing the set:
* we spare the maintenance of the internal counters. */
static int
-type_pf_elem_add(struct hbucket *n, const struct type_pf_elem *value)
+type_pf_elem_add(struct hbucket *n, const struct type_pf_elem *value,
+ u8 ahash_max)
{
if (n->pos >= n->size) {
void *tmp;
- if (n->size >= AHASH_MAX_SIZE)
+ if (n->size >= ahash_max)
/* Trigger rehashing */
return -EAGAIN;
@@ -335,7 +368,7 @@
for (j = 0; j < n->pos; j++) {
data = ahash_data(n, j);
m = hbucket(t, HKEY(data, h->initval, htable_bits));
- ret = type_pf_elem_add(m, data);
+ ret = type_pf_elem_add(m, data, AHASH_MAX(h));
if (ret < 0) {
read_unlock_bh(&set->lock);
ahash_destroy(t);
@@ -359,7 +392,7 @@
return 0;
}
-static void
+static inline void
type_pf_data_next(struct ip_set_hash *h, const struct type_pf_elem *d);
/* Add an element to a hash and update the internal counters when succeeded,
@@ -372,7 +405,7 @@
const struct type_pf_elem *d = value;
struct hbucket *n;
int i, ret = 0;
- u32 key;
+ u32 key, multi = 0;
if (h->elements >= h->maxelem)
return -IPSET_ERR_HASH_FULL;
@@ -382,12 +415,12 @@
key = HKEY(value, h->initval, t->htable_bits);
n = hbucket(t, key);
for (i = 0; i < n->pos; i++)
- if (type_pf_data_equal(ahash_data(n, i), d)) {
+ if (type_pf_data_equal(ahash_data(n, i), d, &multi)) {
ret = -IPSET_ERR_EXIST;
goto out;
}
-
- ret = type_pf_elem_add(n, value);
+ TUNE_AHASH_MAX(h, multi);
+ ret = type_pf_elem_add(n, value, AHASH_MAX(h));
if (ret != 0) {
if (ret == -EAGAIN)
type_pf_data_next(h, d);
@@ -415,13 +448,13 @@
struct hbucket *n;
int i;
struct type_pf_elem *data;
- u32 key;
+ u32 key, multi = 0;
key = HKEY(value, h->initval, t->htable_bits);
n = hbucket(t, key);
for (i = 0; i < n->pos; i++) {
data = ahash_data(n, i);
- if (!type_pf_data_equal(data, d))
+ if (!type_pf_data_equal(data, d, &multi))
continue;
if (i != n->pos - 1)
/* Not last one */
@@ -462,17 +495,17 @@
struct hbucket *n;
const struct type_pf_elem *data;
int i, j = 0;
- u32 key;
+ u32 key, multi = 0;
u8 host_mask = SET_HOST_MASK(set->family);
pr_debug("test by nets\n");
- for (; j < host_mask && h->nets[j].cidr; j++) {
+ for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
type_pf_data_netmask(d, h->nets[j].cidr);
key = HKEY(d, h->initval, t->htable_bits);
n = hbucket(t, key);
for (i = 0; i < n->pos; i++) {
data = ahash_data(n, i);
- if (type_pf_data_equal(data, d))
+ if (type_pf_data_equal(data, d, &multi))
return 1;
}
}
@@ -490,7 +523,7 @@
struct hbucket *n;
const struct type_pf_elem *data;
int i;
- u32 key;
+ u32 key, multi = 0;
#ifdef IP_SET_HASH_WITH_NETS
/* If we test an IP address and not a network address,
@@ -503,7 +536,7 @@
n = hbucket(t, key);
for (i = 0; i < n->pos; i++) {
data = ahash_data(n, i);
- if (type_pf_data_equal(data, d))
+ if (type_pf_data_equal(data, d, &multi))
return 1;
}
return 0;
@@ -660,14 +693,14 @@
static int
type_pf_elem_tadd(struct hbucket *n, const struct type_pf_elem *value,
- u32 timeout)
+ u8 ahash_max, u32 timeout)
{
struct type_pf_elem *data;
if (n->pos >= n->size) {
void *tmp;
- if (n->size >= AHASH_MAX_SIZE)
+ if (n->size >= ahash_max)
/* Trigger rehashing */
return -EAGAIN;
@@ -772,7 +805,7 @@
for (j = 0; j < n->pos; j++) {
data = ahash_tdata(n, j);
m = hbucket(t, HKEY(data, h->initval, htable_bits));
- ret = type_pf_elem_tadd(m, data,
+ ret = type_pf_elem_tadd(m, data, AHASH_MAX(h),
type_pf_data_timeout(data));
if (ret < 0) {
read_unlock_bh(&set->lock);
@@ -803,9 +836,9 @@
const struct type_pf_elem *d = value;
struct hbucket *n;
struct type_pf_elem *data;
- int ret = 0, i, j = AHASH_MAX_SIZE + 1;
+ int ret = 0, i, j = AHASH_MAX(h) + 1;
bool flag_exist = flags & IPSET_FLAG_EXIST;
- u32 key;
+ u32 key, multi = 0;
if (h->elements >= h->maxelem)
/* FIXME: when set is full, we slow down here */
@@ -819,18 +852,18 @@
n = hbucket(t, key);
for (i = 0; i < n->pos; i++) {
data = ahash_tdata(n, i);
- if (type_pf_data_equal(data, d)) {
+ if (type_pf_data_equal(data, d, &multi)) {
if (type_pf_data_expired(data) || flag_exist)
j = i;
else {
ret = -IPSET_ERR_EXIST;
goto out;
}
- } else if (j == AHASH_MAX_SIZE + 1 &&
+ } else if (j == AHASH_MAX(h) + 1 &&
type_pf_data_expired(data))
j = i;
}
- if (j != AHASH_MAX_SIZE + 1) {
+ if (j != AHASH_MAX(h) + 1) {
data = ahash_tdata(n, j);
#ifdef IP_SET_HASH_WITH_NETS
del_cidr(h, data->cidr, HOST_MASK);
@@ -840,7 +873,8 @@
type_pf_data_timeout_set(data, timeout);
goto out;
}
- ret = type_pf_elem_tadd(n, d, timeout);
+ TUNE_AHASH_MAX(h, multi);
+ ret = type_pf_elem_tadd(n, d, AHASH_MAX(h), timeout);
if (ret != 0) {
if (ret == -EAGAIN)
type_pf_data_next(h, d);
@@ -865,13 +899,13 @@
struct hbucket *n;
int i;
struct type_pf_elem *data;
- u32 key;
+ u32 key, multi = 0;
key = HKEY(value, h->initval, t->htable_bits);
n = hbucket(t, key);
for (i = 0; i < n->pos; i++) {
data = ahash_tdata(n, i);
- if (!type_pf_data_equal(data, d))
+ if (!type_pf_data_equal(data, d, &multi))
continue;
if (type_pf_data_expired(data))
return -IPSET_ERR_EXIST;
@@ -911,16 +945,16 @@
struct type_pf_elem *data;
struct hbucket *n;
int i, j = 0;
- u32 key;
+ u32 key, multi = 0;
u8 host_mask = SET_HOST_MASK(set->family);
- for (; j < host_mask && h->nets[j].cidr; j++) {
+ for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
type_pf_data_netmask(d, h->nets[j].cidr);
key = HKEY(d, h->initval, t->htable_bits);
n = hbucket(t, key);
for (i = 0; i < n->pos; i++) {
data = ahash_tdata(n, i);
- if (type_pf_data_equal(data, d))
+ if (type_pf_data_equal(data, d, &multi))
return !type_pf_data_expired(data);
}
}
@@ -936,7 +970,7 @@
struct type_pf_elem *data, *d = value;
struct hbucket *n;
int i;
- u32 key;
+ u32 key, multi = 0;
#ifdef IP_SET_HASH_WITH_NETS
if (d->cidr == SET_HOST_MASK(set->family))
@@ -946,7 +980,7 @@
n = hbucket(t, key);
for (i = 0; i < n->pos; i++) {
data = ahash_tdata(n, i);
- if (type_pf_data_equal(data, d))
+ if (type_pf_data_equal(data, d, &multi))
return !type_pf_data_expired(data);
}
return 0;
@@ -1054,6 +1088,8 @@
IPSET_GC_PERIOD(h->timeout));
}
+#undef HKEY_DATALEN
+#undef HKEY
#undef type_pf_data_equal
#undef type_pf_data_isnull
#undef type_pf_data_copy
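Review bot: `tune_ahash_max` in the first hunk and the `multi` value it consumes are undocumented, and the contract has to be reconstructed from the netiface `_data_equal`: `multi` is the number of elements in the bucket that compared equal on the hashed prefix, and once it reaches the current per-bucket limit the limit grows by AHASH_INIT_SIZE up to the hard cap of 64 that the in-body comment ties to the netlink listing message. I'd put that above the function: `/* Raise the per-bucket array limit when a bucket already holds @multi elements sharing the hashed prefix (same net, different iface); capped at 64 so one bucket still fits in a dump message. */`. In the same function `n > curr` is always true, since `n` is a u32 holding a u8 plus 4, so only `n <= 64` does any work; either drop the first test or rewrite the return as `return n <= 64 ? n : curr;` so the intent is visible. The new `HKEY` also silently drops the `HKEY_DATALEN % sizeof(u32)` trailing bytes from the hash, which is worth a comment next to the `#ifndef HKEY_DATALEN` default because the override in ip_set_hash_netiface.c relies on its hashed struct being a multiple of four bytes.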
xtables-addons-1.38.tar.bz2/extensions/ipset-6/ip_set_core.c
@@ -1160,9 +1160,13 @@
return -IPSET_ERR_PROTOCOL;
genl_unlock();
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 1, 0)
+ ret = netlink_dump_start(ctnl, skb, nlh, ip_set_dump_start, ip_set_dump_done, 0);
+#else
ret = netlink_dump_start(ctnl, skb, nlh,
ip_set_dump_start,
ip_set_dump_done);
+#endif
genl_lock();
return ret;
}
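Review bot: The new 3.1 call on the first added line is written on a single line while the pre-3.1 call directly beneath it is wrapped one argument per line; the two branches are easier to compare when formatted the same way, e.g. `ret = netlink_dump_start(ctnl, skb, nlh, ip_set_dump_start,` / `ip_set_dump_done, 0);`. The trailing `0` is the new minimum dump allocation argument, and a short `/* min_dump_alloc */` after it saves the next reader a trip to the 3.1 headers. The enclosing function starts outside the hunk.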
xtables-addons-1.38.tar.bz2/extensions/ipset-6/ip_set_hash_ip.c
@@ -53,7 +53,8 @@
static inline bool
hash_ip4_data_equal(const struct hash_ip4_elem *ip1,
- const struct hash_ip4_elem *ip2)
+ const struct hash_ip4_elem *ip2,
+ u32 *multi)
{
return ip1->ip == ip2->ip;
}
@@ -225,7 +226,8 @@
static inline bool
hash_ip6_data_equal(const struct hash_ip6_elem *ip1,
- const struct hash_ip6_elem *ip2)
+ const struct hash_ip6_elem *ip2,
+ u32 *multi)
{
return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0;
}
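Review bot: The added `u32 *multi` parameter is unused in `hash_ip4_data_equal` and `hash_ip6_data_equal`, and the same holds for the `_data_equal` pairs in ip_set_hash_ipport.c, ip_set_hash_ipportip.c, ip_set_hash_ipportnet.c, ip_set_hash_net.c and ip_set_hash_netport.c; only the netiface type writes through it. With -Wunused-parameter this is noise in twelve functions, and a reader has no hint why a pointer is threaded through an equality test. I'd name it in a comment on each signature, e.g. `u32 *multi) /* unused: only hash:net,iface counts same-prefix hits */`, or document the parameter once on the template in ip_set_ahash.h where `type_pf_data_equal` is consumed.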
xtables-addons-1.38.tar.bz2/extensions/ipset-6/ip_set_hash_ipport.c
@@ -60,7 +60,8 @@
static inline bool
hash_ipport4_data_equal(const struct hash_ipport4_elem *ip1,
- const struct hash_ipport4_elem *ip2)
+ const struct hash_ipport4_elem *ip2,
+ u32 *multi)
{
return ip1->ip == ip2->ip &&
ip1->port == ip2->port &&
@@ -276,7 +277,8 @@
static inline bool
hash_ipport6_data_equal(const struct hash_ipport6_elem *ip1,
- const struct hash_ipport6_elem *ip2)
+ const struct hash_ipport6_elem *ip2,
+ u32 *multi)
{
return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
ip1->port == ip2->port &&
xtables-addons-1.38.tar.bz2/extensions/ipset-6/ip_set_hash_ipportip.c
@@ -62,7 +62,8 @@
static inline bool
hash_ipportip4_data_equal(const struct hash_ipportip4_elem *ip1,
- const struct hash_ipportip4_elem *ip2)
+ const struct hash_ipportip4_elem *ip2,
+ u32 *multi)
{
return ip1->ip == ip2->ip &&
ip1->ip2 == ip2->ip2 &&
@@ -286,7 +287,8 @@
static inline bool
hash_ipportip6_data_equal(const struct hash_ipportip6_elem *ip1,
- const struct hash_ipportip6_elem *ip2)
+ const struct hash_ipportip6_elem *ip2,
+ u32 *multi)
{
return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
xtables-addons-1.38.tar.bz2/extensions/ipset-6/ip_set_hash_ipportnet.c
@@ -62,7 +62,8 @@
static inline bool
hash_ipportnet4_data_equal(const struct hash_ipportnet4_elem *ip1,
- const struct hash_ipportnet4_elem *ip2)
+ const struct hash_ipportnet4_elem *ip2,
+ u32 *multi)
{
return ip1->ip == ip2->ip &&
ip1->ip2 == ip2->ip2 &&
@@ -335,7 +336,8 @@
static inline bool
hash_ipportnet6_data_equal(const struct hash_ipportnet6_elem *ip1,
- const struct hash_ipportnet6_elem *ip2)
+ const struct hash_ipportnet6_elem *ip2,
+ u32 *multi)
{
return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
xtables-addons-1.38.tar.bz2/extensions/ipset-6/ip_set_hash_net.c
@@ -58,7 +58,8 @@
static inline bool
hash_net4_data_equal(const struct hash_net4_elem *ip1,
- const struct hash_net4_elem *ip2)
+ const struct hash_net4_elem *ip2,
+ u32 *multi)
{
return ip1->ip == ip2->ip && ip1->cidr == ip2->cidr;
}
@@ -249,7 +250,8 @@
static inline bool
hash_net6_data_equal(const struct hash_net6_elem *ip1,
- const struct hash_net6_elem *ip2)
+ const struct hash_net6_elem *ip2,
+ u32 *multi)
{
return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
ip1->cidr == ip2->cidr;
xtables-addons-1.38.tar.bz2/extensions/ipset-6/ip_set_hash_netiface.c
@@ -99,7 +99,7 @@
while (n) {
const char *d = iface_data(n);
- int res = ifname_compare(*iface, d);
+ long res = ifname_compare(*iface, d);
if (res < 0)
n = n->rb_left;
@@ -121,7 +121,7 @@
while (*n) {
char *ifname = iface_data(*n);
- int res = ifname_compare(*iface, ifname);
+ long res = ifname_compare(*iface, ifname);
p = *n;
if (res < 0)
@@ -159,31 +159,42 @@
/* The type variant functions: IPv4 */
+struct hash_netiface4_elem_hashed {
+ __be32 ip;
+ u8 physdev;
+ u8 cidr;
+ u16 padding;
+};
+
+#define HKEY_DATALEN sizeof(struct hash_netiface4_elem_hashed)
+
/* Member elements without timeout */
struct hash_netiface4_elem {
__be32 ip;
- const char *iface;
u8 physdev;
u8 cidr;
u16 padding;
+ const char *iface;
};
/* Member elements with timeout support */
struct hash_netiface4_telem {
__be32 ip;
- const char *iface;
u8 physdev;
u8 cidr;
u16 padding;
+ const char *iface;
unsigned long timeout;
};
static inline bool
hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1,
- const struct hash_netiface4_elem *ip2)
+ const struct hash_netiface4_elem *ip2,
+ u32 *multi)
{
return ip1->ip == ip2->ip &&
ip1->cidr == ip2->cidr &&
+ (++*multi) &&
ip1->physdev == ip2->physdev &&
ip1->iface == ip2->iface;
}
@@ -257,6 +268,7 @@
#define IP_SET_HASH_WITH_NETS
#define IP_SET_HASH_WITH_RBTREE
+#define IP_SET_HASH_WITH_MULTI
#define PF 4
#define HOST_MASK 32
@@ -424,29 +436,40 @@
/* The type variant functions: IPv6 */
+struct hash_netiface6_elem_hashed {
+ union nf_inet_addr ip;
+ u8 physdev;
+ u8 cidr;
+ u16 padding;
+};
+
+#define HKEY_DATALEN sizeof(struct hash_netiface6_elem_hashed)
+
struct hash_netiface6_elem {
union nf_inet_addr ip;
- const char *iface;
u8 physdev;
u8 cidr;
u16 padding;
+ const char *iface;
};
struct hash_netiface6_telem {
union nf_inet_addr ip;
- const char *iface;
u8 physdev;
u8 cidr;
u16 padding;
+ const char *iface;
unsigned long timeout;
};
static inline bool
hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1,
- const struct hash_netiface6_elem *ip2)
+ const struct hash_netiface6_elem *ip2,
+ u32 *multi)
{
return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
ip1->cidr == ip2->cidr &&
+ (++*multi) &&
ip1->physdev == ip2->physdev &&
ip1->iface == ip2->iface;
}
@@ -681,6 +704,7 @@
h->maxelem = maxelem;
get_random_bytes(&h->initval, sizeof(h->initval));
h->timeout = IPSET_NO_TIMEOUT;
+ h->ahash_max = AHASH_MAX_SIZE;
hbits = htable_bits(hashsize);
h->table = ip_set_alloc(
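Review bot: The new `hash_netiface4_elem_hashed` and `hash_netiface6_elem_hashed` structs are only correct while they remain a byte-exact prefix of the matching `_elem`/`_telem` structs, because `HKEY_DATALEN` makes `HKEY` hash exactly `sizeof` of them from the start of the element; moving `iface` behind `padding` is what establishes that today, but nothing in the file documents or enforces it. I'd put a comment above each hashed struct: `/* Must stay identical to the leading fields of hash_netiface{4,6}_elem/_telem: HKEY hashes only the first HKEY_DATALEN bytes, so the pointer-sized iface has to follow padding. */`. The `(++*multi) &&` inside `_data_equal` depends on short-circuit order to count every element with the same ip and cidr regardless of physdev and iface, and it reads like a typo in a comparison chain without a one-line comment saying so. The `int` to `long res` change presumably tracks the return type of `ifname_compare`, which is outside the hunk; worth confirming the `res < 0` tests beneath it still express the intended ordering.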
xtables-addons-1.38.tar.bz2/extensions/ipset-6/ip_set_hash_netport.c
@@ -59,7 +59,8 @@
static inline bool
hash_netport4_data_equal(const struct hash_netport4_elem *ip1,
- const struct hash_netport4_elem *ip2)
+ const struct hash_netport4_elem *ip2,
+ u32 *multi)
{
return ip1->ip == ip2->ip &&
ip1->port == ip2->port &&
@@ -300,7 +301,8 @@
static inline bool
hash_netport6_data_equal(const struct hash_netport6_elem *ip1,
- const struct hash_netport6_elem *ip2)
+ const struct hash_netport6_elem *ip2,
+ u32 *multi)
{
return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
ip1->port == ip2->port &&
xtables-addons-1.38.tar.bz2/extensions/ipset-6/src/ipset.8
@@ -767,7 +767,11 @@
as the incoming/outgoing bridge port.
.PP
The lookup time grows linearly with the number of the different prefix
-values added to the set.
+values added to the set.
+.PP
+The internal restriction of the \fBhash:net,iface\fR set type is that
+the same network prefix cannot be stored with more than 64 different interfaces
+in a single set.
.PP
Examples:
.IP
xtables-addons-1.38.tar.bz2/extensions/ipset-6/src/ipset.c
@@ -23,8 +23,8 @@
#include <libipset/ui.h> /* core options, commands */
#include <libipset/utils.h> /* STREQ */
-static char program_name[] = PACKAGE;
-static char program_version[] = PACKAGE_VERSION;
+static char program_name[] = "ipset";
+static char program_version[] = "6.8-genl-xta";
static struct ipset_session *session;
static uint32_t restore_line;
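Review bot: `program_version` is now a hand-maintained literal `"6.8-genl-xta"` instead of `PACKAGE_VERSION`, so the next ipset bump (the changelog records this one as "update to ipset 6.8") has to remember to edit this line as well. If `PACKAGE` and `PACKAGE_VERSION` are being avoided because they resolve to the xtables-addons identity under this build, a single define (say `IPSET_VERSION`, name constructed here) next to the other ipset-6 build settings keeps the string in one place. The hunk is otherwise a two-line string change.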
xtables-addons-1.38.tar.bz2/extensions/pknock/xt_pknock.c
@@ -881,7 +881,7 @@
/* If security is needed. */
if (info->option & XT_PKNOCK_OPENSECRET ) {
- if (hdr->proto != IPPROTO_UDP)
+ if (hdr->proto != IPPROTO_UDP && hdr->proto != IPPROTO_UDPLITE)
return false;
if (!pass_security(peer, info, hdr->payload, hdr->payload_len))
@@ -982,6 +982,7 @@
break;
case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
#ifdef PK_CRYPTO
hdr_len = (iph->ihl * 4) + sizeof(struct udphdr);
break;
@@ -1013,7 +1014,7 @@
goto out;
}
- if (iph->protocol == IPPROTO_UDP) {
+ if (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_UDPLITE) {
hdr.payload = (void *)iph + hdr_len;
hdr.payload_len = skb->len - hdr_len;
}
@@ -1022,7 +1023,8 @@
if (info->option & XT_PKNOCK_KNOCKPORT) {
if ((ret = is_allowed(peer))) {
if (info->option & XT_PKNOCK_CLOSESECRET &&
- iph->protocol == IPPROTO_UDP)
+ (iph->protocol == IPPROTO_UDP ||
+ iph->protocol == IPPROTO_UDPLITE))
{
if (is_close_knock(peer, info, hdr.payload, hdr.payload_len))
{
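Review bot: The UDP-or-UDPLITE test is now spelled out three times in this file (the `XT_PKNOCK_OPENSECRET` check, the payload setup and the `XT_PKNOCK_CLOSESECRET` condition) in addition to the new switch case, so a future transport addition has four places to miss; a helper `static inline bool pknock_is_udp(u8 proto) { return proto == IPPROTO_UDP || proto == IPPROTO_UDPLITE; }` collapses them to one and keeps each condition on a single line. In the payload setup, `hdr.payload_len = skb->len - hdr_len` underflows if `skb->len` is smaller than `hdr_len`; if the `goto out` path in the context just above already rejects short packets this is fine, otherwise a `skb->len < hdr_len` check belongs before it. The enclosing function continues outside the hunks on both sides.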
xtables-addons-1.38.tar.bz2/extensions/xt_CHECKSUM.c
@@ -12,6 +12,13 @@
#include <linux/module.h>
#include <linux/skbuff.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
+# error ----------------------------------------------------------
+# error This module has been merged into, and is available in the
+# error mainline since Linux kernel v2.6.36. Please use that.
+# error ----------------------------------------------------------
+#endif
+
#include <linux/netfilter/x_tables.h>
#include "xt_CHECKSUM.h"
#include "compat_xtables.h"
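Review bot: The new `LINUX_VERSION_CODE` guard only works if `<linux/version.h>` is in scope, and this hunk does not include it, whereas the matching guard added to xt_TEE.c in the same commit adds `#include <linux/version.h>` explicitly. If nothing earlier in the file pulls it in, an undefined `LINUX_VERSION_CODE` evaluates to 0 inside `#if`, the comparison is false and the build proceeds silently on exactly the kernels the module is meant to refuse. Adding `#include <linux/version.h>` beside the other includes makes the guard self-contained regardless of what module.h happens to drag in.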
xtables-addons-1.38.tar.bz2/extensions/xt_LOGMARK.c
@@ -29,6 +29,38 @@
"ORIGINAL", "REPLY",
};
+static void logmark_ct(const struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+{
+ bool prev = false;
+
+ printk(" ct=0x%p ctmark=0x%x ctstate=", ct, ct->mark);
+ ctinfo %= IP_CT_IS_REPLY;
+ if (ctinfo == IP_CT_NEW)
+ printk("NEW");
+ else if (ctinfo == IP_CT_ESTABLISHED)
+ printk("ESTABLISHED");
+ else if (ctinfo == IP_CT_RELATED)
+ printk("RELATED");
+ if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
+ printk(",SNAT");
+ if (test_bit(IPS_DST_NAT_BIT, &ct->status))
+ printk(",DNAT");
+
+ printk(" ctstatus=");
+ if (ct->status & IPS_EXPECTED) {
+ printk("EXPECTED");
+ prev = true;
+ }
+ if (ct->status & IPS_SEEN_REPLY)
+ printk("%s""SEEN_REPLY", prev++ ? "," : "");
+ if (ct->status & IPS_ASSURED)
+ printk("%s""ASSURED", prev++ ? "," : "");
+ if (ct->status & IPS_CONFIRMED)
+ printk("%s""CONFIRMED", prev++ ? "," : "");
+ printk(" lifetime=%lus",
+ (jiffies - ct->timeout.expires) / HZ);
+}
+
static unsigned int
logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
@@ -36,7 +68,6 @@
const struct xt_logmark_tginfo *info = par->targinfo;
const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
- bool prev = false;
printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
"secmark=0x%x classify=0x%x",
@@ -46,43 +77,17 @@
ct = nf_ct_get(skb, &ctinfo);
printk(" ctdir=%s", dir_names[ctinfo >= IP_CT_IS_REPLY]);
- if (ct == NULL) {
+ if (ct == NULL)
printk(" ct=NULL ctmark=NULL ctstate=INVALID ctstatus=NONE");
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
- } else if (nf_ct_is_untracked(ct)) {
+ else if (nf_ct_is_untracked(ct))
printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
#else
- } else if (ct == &nf_conntrack_untracked) {
+ else if (ct == &nf_conntrack_untracked)
printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
#endif
- } else {
- printk(" ct=0x%p ctmark=0x%x ctstate=", ct, ct->mark);
- ctinfo %= IP_CT_IS_REPLY;
- if (ctinfo == IP_CT_NEW)
- printk("NEW");
- else if (ctinfo == IP_CT_ESTABLISHED)
- printk("ESTABLISHED");
- else if (ctinfo == IP_CT_RELATED)
- printk("RELATED");
- if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
- printk(",SNAT");
- if (test_bit(IPS_DST_NAT_BIT, &ct->status))
- printk(",DNAT");
-
- printk(" ctstatus=");
- if (ct->status & IPS_EXPECTED) {
- printk("EXPECTED");
- prev = true;
- }
- if (ct->status & IPS_SEEN_REPLY)
- printk("%s""SEEN_REPLY", prev++ ? "," : "");
- if (ct->status & IPS_ASSURED)
- printk("%s""ASSURED", prev++ ? "," : "");
- if (ct->status & IPS_CONFIRMED)
- printk("%s""CONFIRMED", prev++ ? "," : "");
- printk(" lifetime=%lus",
- (jiffies - ct->timeout.expires) / HZ);
- }
+ else
+ logmark_ct(ct, ctinfo);
printk("\n");
return XT_CONTINUE;
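Review bot: `logmark_ct` is a new file-scope function without a header comment, and its behaviour is not obvious from the name: it appends the conntrack fragment of a log line that the caller has already started (id, mark, state, NAT bits, status flags, lifetime) and neither opens nor terminates the line itself; I'd add `/* Append the conntrack part of the LOGMARK line; the caller opens and closes the line. */` above it. `prev++` on a `bool` is legal C but reads oddly; `printk("%s""SEEN_REPLY", prev ? "," : ""); prev = true;` says what is meant. The relocated `lifetime` line computes `(jiffies - ct->timeout.expires) / HZ`, which wraps to a very large value whenever the timer has not yet fired; if remaining lifetime is the intent the operands look reversed, worth confirming while the code is being moved. `logmark_tg` continues outside the last hunk.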
xtables-addons-1.38.tar.bz2/extensions/xt_SYSRQ.c
@@ -1,5 +1,5 @@
/*
- * "SYSRQ" target extension for Netfilter
+ * "SYSRQ" target extension for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
*
* Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
@@ -244,7 +244,8 @@
return NF_DROP;
iph = ipv6_hdr(skb);
- if (ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 ||
+ if ((ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 &&
+ ipv6_find_hdr(skb, &th_off, IPPROTO_UDPLITE, &frag_off) < 0) ||
frag_off > 0)
return NF_DROP;
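Review bot: The IPv6 transport lookup now walks the extension-header chain twice on the UDP-miss path, and on a double miss `th_off` and `frag_off` hold whatever the second call left in them; a single call with target `-1` returns the upper-layer protocol and lets both transports be tested once: `int proto = ipv6_find_hdr(skb, &th_off, -1, &frag_off);` / `if ((proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE) || frag_off > 0)` / `return NF_DROP;`. That relies on the helper accepting a negative target in the kernels this module builds against, which the hunk does not show. The enclosing target function starts and ends outside the hunk.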
xtables-addons-1.38.tar.bz2/extensions/xt_TARPIT.c
@@ -232,7 +232,11 @@
if (mode == XTTARPIT_HONEYPOT)
niph->ttl = 128;
else
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
+ niph->ttl = ip4_dst_hoplimit(skb_dst(nskb));
+#else
niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
+#endif
/* Adjust IP checksum */
niph->check = 0;
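Review bot: The `#if`/`#else` now sits inside an unbraced `else`, so the `else` body is whichever single statement the preprocessor keeps; that works today but is the shape that breaks quietly when a second statement is added to one branch. Bracing the `else` (`else {` before the `#if` and `}` after the `#endif`) keeps the control structure visible independent of preprocessing. The `ip4_dst_hoplimit()` call replaces the `dst_metric(..., RTAX_HOPLIMIT)` lookup the changelog mentions, so there is no behavioural point beyond that. The enclosing function starts and ends outside the hunk.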
xtables-addons-1.38.tar.bz2/extensions/xt_TEE.c
@@ -14,6 +14,7 @@
#include <linux/module.h>
#include <linux/route.h>
#include <linux/skbuff.h>
+#include <linux/version.h>
#include <net/checksum.h>
#include <net/icmp.h>
#include <net/ip.h>
@@ -21,6 +22,13 @@
#include <net/route.h>
#include <linux/netfilter/x_tables.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
+# error ----------------------------------------------------------
+# error This module has been merged into, and is available in the
+# error mainline since Linux kernel v2.6.35. Please use that.
+# error ----------------------------------------------------------
+#endif
+
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
# define WITH_CONNTRACK 1
# include <net/netfilter/nf_conntrack.h>
xtables-addons-1.38.tar.bz2/extensions/xt_ipp2p.c
@@ -868,6 +868,7 @@
}
case IPPROTO_UDP: /* what to do with an UDP packet */
+ case IPPROTO_UDPLITE:
{
const struct udphdr *udph = (const void *)ip + ip_hdrlen(skb);
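Review bot: Falling through into the UDP branch is right for the header layout, but UDP-Lite reuses the `len` field of `struct udphdr` as the checksum coverage (RFC 3828), so if the branch body that continues past the hunk derives the payload length from `udph->len` rather than from the skb, UDPLITE packets are measured wrongly. Worth confirming while the case is added, and a comment on the new line such as `case IPPROTO_UDPLITE: /* same header as UDP; udph->len is checksum coverage, not length */` stops the next reader from treating the fields as interchangeable. The enclosing switch starts and ends outside the hunk.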
xtables-addons-1.38.tar.bz2/extensions/xt_ipv4options.c
@@ -1,5 +1,5 @@
/*
- * xt_ipv4opts - Netfilter module to match IPv4 options
+ * xt_ipv4opts - Xtables module to match IPv4 options
* Copyright © Jan Engelhardt, 2009
*
* This program is free software; you can redistribute it and/or
xtables-addons-1.38.tar.bz2/extensions/xt_length2.c
@@ -1,5 +1,5 @@
/*
- * xt_length - Netfilter module to match packet length
+ * xt_length - Xtables module to match packet length
* Copyright © Jan Engelhardt <jengelh@medozas.de>, 2007 - 2009
*
* This program is free software; you can redistribute it and/or
xtables-addons-1.38.tar.bz2/extensions/xt_lscan.c
@@ -1,5 +1,5 @@
/*
- * LSCAN match for netfilter
+ * LSCAN match for Xtables
* Copyright © Jan Engelhardt, 2006 - 2009
*
* This program is free software; you can redistribute it and/or modify
xtables-addons-1.38.tar.bz2/extensions/xt_psd.c
@@ -103,8 +103,12 @@
xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
{
const struct iphdr *iph;
- const struct tcphdr *tcph;
- struct tcphdr _tcph;
+ const struct tcphdr *tcph = NULL;
+ const struct udphdr *udph;
+ union {
+ struct tcphdr tcph;
+ struct udphdr udph;
+ } _buf;
struct in_addr addr;
u_int16_t src_port,dest_port;
u_int8_t tcp_flags, proto;
@@ -125,29 +129,9 @@
/* TCP or UDP ? */
proto = iph->protocol;
-
- if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) {
- pr_debug("protocol not supported\n");
- return false;
- }
-
/* Get the source address, source & destination ports, and TCP flags */
addr.s_addr = iph->saddr;
-
- tcph = skb_header_pointer(pskb, match->thoff, sizeof(_tcph), &_tcph);
- if (tcph == NULL)
- return false;
-
- /* Yep, it's dirty */
- src_port = tcph->source;
- dest_port = tcph->dest;
-
- if (proto == IPPROTO_TCP)
- tcp_flags = *((u_int8_t*)tcph + 13);
- else
- tcp_flags = 0x00;
-
/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
* them spoof us. [DHCP needs this feature - HW] */
if (addr.s_addr == 0) {
@@ -155,6 +139,29 @@
return false;
}
+ if (proto == IPPROTO_TCP) {
+ tcph = skb_header_pointer(pskb, match->thoff,
+ sizeof(_buf.tcph), &_buf.tcph);
+ if (tcph == NULL)
+ return false;
+
+ /* Yep, it's dirty */
+ src_port = tcph->source;
+ dest_port = tcph->dest;
+ tcp_flags = *((u_int8_t*)tcph + 13);
+ } else if (proto == IPPROTO_UDP || proto == IPPROTO_UDPLITE) {
+ udph = skb_header_pointer(pskb, match->thoff,
+ sizeof(_buf.udph), &_buf.udph);
+ if (udph == NULL)
+ return false;
+ src_port = udph->source;
+ dest_port = udph->dest;
+ tcp_flags = 0;
+ } else {
+ pr_debug("protocol not supported\n");
+ return false;
+ }
+
/* Use jiffies here not to depend on someone setting the time while we're
* running; we need to be careful with possible return value overflows. */
now = jiffies;
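Review bot: `tcp_flags = *((u_int8_t*)tcph + 13);` carries the magic offset 13 into the new TCP branch; the kernel's `tcp_flag_byte(tcph)` from <linux/tcp.h> names exactly that byte, and using it would also let the `/* Yep, it's dirty */` comment go. `udph` is declared next to a NULL-initialised `tcph` but left uninitialised; that is harmless because it is only assigned and read inside the UDP branch, but if `tcph`'s initialiser exists because code outside the hunk tests `tcph != NULL`, giving `udph` the same treatment keeps the two pointers symmetric. The function body continues past the last hunk.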
xtables-addons-1.38.tar.bz2/extensions/xt_quota2.c
@@ -4,7 +4,7 @@
* by Jan Engelhardt <jengelh@medozas.de>, 2008
*
* Originally based on xt_quota.c:
- * netfilter module to enforce network quotas
+ * Xtables module to enforce network quotas
* Sam Johnston <samj@samj.net>
*
* This program is free software; you can redistribute it and/or modify
xtables-addons-1.38.tar.bz2/mconfig
@@ -20,8 +20,8 @@
build_gradm=m
build_iface=m
build_ipp2p=m
-build_ipset4=m
-build_ipset6=
+build_ipset4=
+build_ipset6=m
build_ipv4options=m
build_length2=m
build_lscan=m
xtables-addons-1.38.tar.bz2/xtables-addons.8.in
@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.37 (2011-06-25)" "" "v1.37 (2011-06-25)"
+.TH xtables-addons 8 "v1.38 (2011-08-20)" "" "v1.38 (2011-08-20)"
.SH Name
Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
.SH Targets