* iptables updates
@ 2008-04-15 10:33 Jan Engelhardt
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
                   ` (2 more replies)
  0 siblings, 3 replies; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel


Following are:

╟ Resolve warnings on 64-bit compile──(0e15210)

Wanted.

╟ Wrap dlopen code into NO_SHARED_LIBS──(2727dbd)

Needed for --enable-static.

╟ Remove support for compilation of conditional extensions──(bfc4434)

As before; header files for SET got added.

╟ Resolve libipt_set warnings──(17a9554)

╟ Update documentation about building the package──(d1acf22)

All those new configure options.

╟ configure.ac: AC_SUBST must be separate──(06a71a3)

╟ Dynamically create xtables.h.in with version──(f29980f)

External modules need this in xtables.h.

╟ Remove old functions, constants──(7c7d0eb)

Switches to XTABLES_VERSION, removes the "register_match" wrapper
that wrapped xtables_register_match, and exchanges IPT_ALIGN/IP6T_ALIGN
for XT_ALIGN (since the former two are just an indirect #define).

╟ Move libipt_recent to libxt_recent──(5b015b7)

It's just the rename, no features; please consider applying.

╟ libxt_recent: add missing --rsource,--rdest options to manpage──(a9299b7)

A manpage fix on top of the rename.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH 01/10] Resolve warnings on 64-bit compile
  2008-04-15 10:33 iptables updates Jan Engelhardt
@ 2008-04-15 10:33 ` Jan Engelhardt
  2008-04-15 10:33   ` [PATCH 02/10] Wrap dlopen code into NO_SHARED_LIBS Jan Engelhardt
                     ` (8 more replies)
  2008-04-15 11:19 ` [PATCH 11] configure.ac: remove already-defined variables Jan Engelhardt
       [not found] ` <7c7d0eb43b7b4ca3711ae0dbe17ae7ef66fb02f8.1208255176.git.jengelh@computergmbh.de>
  2 siblings, 9 replies; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

---
 xtables.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xtables.c b/xtables.c
index 21da4b5..b988054 100644
--- a/xtables.c
+++ b/xtables.c
@@ -318,7 +318,7 @@ static void *load_extension(const char *search_path, const char *prefix,
 		if (next == NULL)
 			next = dir + strlen(dir);
 		snprintf(path, sizeof(path), "%.*s/libxt_%s.so",
-		         next - dir, dir, name);
+		         (unsigned int)(next - dir), dir, name);
 
 		if (dlopen(path, RTLD_NOW) != NULL) {
 			/* Found library.  If it didn't register itself,
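Review bot: the cast on the `+` line should be `(int)`, not `(unsigned int)`: the `*` precision of `%.*s` consumes an argument of type `int`, so passing an `unsigned int` still mismatches the conversion specification (it merely shares its size with `int` on the platforms that silenced the warning). `(int)(next - dir)` both removes the 64-bit `ptrdiff_t` warning and matches what snprintf actually reads. While touching these lines, consider checking snprintf's return value against `sizeof(path)`: a long search_path entry silently truncates the library path and the following `dlopen(path, RTLD_NOW)` then tries to load a name that was never intended.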
@@ -335,7 +335,7 @@ static void *load_extension(const char *search_path, const char *prefix,
 			return ptr;
 
 		snprintf(path, sizeof(path), "%.*s/%s%s.so",
-		         next - dir, dir, prefix, name);
+		         (unsigned int)(next - dir), dir, prefix, name);
 		if (dlopen(path, RTLD_NOW) != NULL) {
 			if (is_target)
 				ptr = find_target(name, DONT_LOAD);
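Review bot: same cast issue as in the first hunk: `%.*s` takes an `int` precision, so the `+` line should read `(int)(next - dir), dir, prefix, name);`. This second snprintf/dlopen pair differs from the first only in the `"%s%s.so"` prefix form, so the two could be folded into one loop over the candidate file names, which would also keep the cast and any truncation check in a single place.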
-- 
1.5.5.rc3



* [PATCH 02/10] Wrap dlopen code into NO_SHARED_LIBS
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
@ 2008-04-15 10:33   ` Jan Engelhardt
  2008-04-15 11:38     ` Patrick McHardy
  2008-04-15 10:33   ` [PATCH 03/10] Remove support for compilation of conditional extensions Jan Engelhardt
                     ` (7 subsequent siblings)
  8 siblings, 1 reply; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

---
 xtables.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/xtables.c b/xtables.c
index b988054..743c07b 100644
--- a/xtables.c
+++ b/xtables.c
@@ -305,6 +305,7 @@ void parse_interface(const char *arg, char *vianame, unsigned char *mask)
 	}
 }
 
+#ifndef NO_SHARED_LIBS
 static void *load_extension(const char *search_path, const char *prefix,
     const char *name, bool is_target)
 {
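Review bot: guarding the definition is only half the change: `load_extension` is `static`, so every call site in `find_match` and `find_target` must sit under the same `#ifndef NO_SHARED_LIBS` (or the whole dlopen fallback must be compiled out with it), otherwise a `--enable-static` build fails on an implicit declaration of `load_extension`. Those call sites are not in this hunk; please confirm they are already guarded or include them in the patch.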
@@ -353,6 +354,7 @@ static void *load_extension(const char *search_path, const char *prefix,
 
 	return NULL;
 }
+#endif
 
 struct xtables_match *find_match(const char *name, enum xt_tryload tryload,
 				 struct xtables_rule_match **matches)
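Review bot: the `#endif` on the `+` line closes a conditional that opens roughly fifty lines earlier; a trailing `#endif /* NO_SHARED_LIBS */` would make it obvious which block ends here when reading `find_match` directly below it.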
-- 
1.5.5.rc3



* [PATCH 03/10] Remove support for compilation of conditional extensions
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
  2008-04-15 10:33   ` [PATCH 02/10] Wrap dlopen code into NO_SHARED_LIBS Jan Engelhardt
@ 2008-04-15 10:33   ` Jan Engelhardt
  2008-04-15 11:41     ` Patrick McHardy
  2008-04-15 10:33   ` [PATCH 04/10] Resolve libipt_set warnings Jan Engelhardt
                     ` (6 subsequent siblings)
  8 siblings, 1 reply; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

---
 extensions/.condition-test             |    4 -
 extensions/.condition-test6            |    4 -
 extensions/.set-test                   |    4 -
 extensions/GNUmakefile.in              |   27 +--
 extensions/libip6t_condition.c         |   95 -----
 extensions/libip6t_condition.man       |    4 -
 extensions/libipt_condition.c          |   94 -----
 extensions/libipt_condition.man        |    4 -
 include/linux/netfilter_ipv4/ip_set.h  |  498 ++++++++++++++++++++++++
 include/linux/netfilter_ipv4/ipt_set.h |   21 +
 10 files changed, 522 insertions(+), 233 deletions(-)
 delete mode 100755 extensions/.condition-test
 delete mode 100755 extensions/.condition-test6
 delete mode 100755 extensions/.set-test
 delete mode 100644 extensions/libip6t_condition.c
 delete mode 100644 extensions/libip6t_condition.man
 delete mode 100644 extensions/libipt_condition.c
 delete mode 100644 extensions/libipt_condition.man
 create mode 100644 include/linux/netfilter_ipv4/ip_set.h
 create mode 100644 include/linux/netfilter_ipv4/ipt_set.h

diff --git a/extensions/.condition-test b/extensions/.condition-test
deleted file mode 100755
index 2470a18..0000000
--- a/extensions/.condition-test
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h" ] && \
-echo "condition";
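Review bot: deleting `.condition-test` (and, further down, `libipt_condition.c` and `libip6t_condition.c`) removes the `condition` match altogether rather than making it unconditional, because no `ipt_condition.h`/`ip6t_condition.h` is added under `include/` the way `ip_set.h` is for `set`. The patch carries no commit message; it should state explicitly that `condition` is dropped, not merely de-conditionalised, since users who previously built it against a patched `$KERNEL_DIR` will otherwise lose it silently.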
diff --git a/extensions/.condition-test6 b/extensions/.condition-test6
deleted file mode 100755
index 15a0f04..0000000
--- a/extensions/.condition-test6
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h" ] && \
-echo "condition";
diff --git a/extensions/.set-test b/extensions/.set-test
deleted file mode 100755
index 754abfd..0000000
--- a/extensions/.set-test
+++ /dev/null
@@ -1,4 +0,0 @@
-#! /bin/sh
-[ "$1" == "provides" -o \
--f "$KERNEL_DIR/include/linux/netfilter_ipv4/ip_set.h" ] && \
-echo "set SET";
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index ee20469..31e6fb7 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -32,30 +32,9 @@ endif
 #
 #	Wildcard module list
 #
-pfx_all_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
-pf4_all_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
-pf6_all_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
-
-#
-#	Conditional module list
-#
-pfx_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-pf4_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-pf6_cond_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i} provides))
-
-#
-#	Conditional modules to build
-#
-pfx_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-testx),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-pf4_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-pf6_bc_mod := $(foreach i,$(wildcard ${srcdir}/.*-test6),$(shell KERNEL_DIR=${ksourcedir} ${i}))
-
-#
-#	Total list of modules to build
-#
-pfx_build_mod := $(filter-out ${pfx_cond_mod},${pfx_all_mod}) ${pfx_bc_mod}
-pf4_build_mod := $(filter-out ${pf4_cond_mod},${pf4_all_mod}) ${pf4_bc_mod}
-pf6_build_mod := $(filter-out ${pf6_cond_mod},${pf6_all_mod}) ${pf6_bc_mod}
+pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(wildcard ${srcdir}/libxt_*.c))
+pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(wildcard ${srcdir}/libipt_*.c))
+pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(wildcard ${srcdir}/libip6t_*.c))
 pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
 pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
 pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
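Review bot: with the `.*-test` machinery gone, `pf4_build_mod` now includes every `libipt_*.c` unconditionally, so the `set` match and `SET` target that `.set-test` used to gate on the kernel headers are compiled on every build; this only works because the patch ships its own copy of `ip_set.h`/`ipt_set.h` under `include/linux/netfilter_ipv4/`. That dependency deserves a line in the commit message. The removed lines were also the only users of `${ksourcedir}` shown here; if nothing else in the file references it, that variable can go too.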
diff --git a/extensions/libip6t_condition.c b/extensions/libip6t_condition.c
deleted file mode 100644
index 03e2722..0000000
--- a/extensions/libip6t_condition.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/* Shared library add-on to ip6tables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <ip6tables.h>
-
-#include<linux/netfilter_ipv6/ip6_tables.h>
-#include<linux/netfilter_ipv6/ip6t_condition.h>
-
-static void condition_help(void)
-{
-	printf("condition match v%s options:\n"
-	       "--condition [!] filename       "
-	       "Match on boolean value stored in /proc file\n",
-	       IPTABLES_VERSION);
-}
-
-static const struct option condition_opts[] = {
-	{ .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
-	{ .name = 0 }
-};
-
-static int
-condition_parse(int c, char **argv, int invert, unsigned int *flags,
-                const void *entry, struct xt_entry_match **match)
-{
-	struct condition6_info *info =
-	    (struct condition6_info *) (*match)->data;
-
-	if (c == 'X') {
-		if (*flags)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify multiple conditions");
-
-		check_inverse(optarg, &invert, &optind, 0);
-
-		if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
-			strcpy(info->name, argv[optind - 1]);
-		else
-			exit_error(PARAMETER_PROBLEM,
-				   "File name too long");
-
-		info->invert = invert;
-		*flags = 1;
-		return 1;
-	}
-
-	return 0;
-}
-
-static void condition_check(unsigned int flags)
-{
-	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
-			   "Condition match: must specify --condition");
-}
-
-static void condition_print(const void *ip, const struct xt_entry_match *match,
-                            int numeric)
-{
-	const struct condition6_info *info =
-	    (const struct condition6_info *) match->data;
-
-	printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void condition_save(const void *ip, const struct xt_entry_match *match)
-{
-	const struct condition6_info *info =
-	    (const struct condition6_info *) match->data;
-
-	printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-static struct ip6tables_match condition_match6 = {
-	.name = "condition",
-	.version = IPTABLES_VERSION,
-	.size = IP6T_ALIGN(sizeof(struct condition6_info)),
-	.userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
-	.help = condition_help,
-	.parse = condition_parse,
-	.final_check = condition_check,
-	.print = condition_print,
-	.save = condition_save,
-	.extra_opts = condition_opts,
-};
-
-
-void
-_init(void)
-{
-	register_match6(&condition_match6);
-}
diff --git a/extensions/libip6t_condition.man b/extensions/libip6t_condition.man
deleted file mode 100644
index e0bba75..0000000
--- a/extensions/libip6t_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BR "--condition " "[!] \fIfilename"
-Match on boolean value stored in /proc/net/ip6t_condition/filename file
diff --git a/extensions/libipt_condition.c b/extensions/libipt_condition.c
deleted file mode 100644
index 4a98dd8..0000000
--- a/extensions/libipt_condition.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/* Shared library add-on to iptables for condition match */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include<linux/netfilter_ipv4/ip_tables.h>
-#include<linux/netfilter_ipv4/ipt_condition.h>
-
-static void condition_help(void)
-{
-	printf("condition match v%s options:\n"
-	       "--condition [!] filename       "
-	       "Match on boolean value stored in /proc file\n",
-	       IPTABLES_VERSION);
-}
-
-static const struct option condition_opts[] = {
-	{ .name = "condition", .has_arg = 1, .flag = 0, .val = 'X' },
-	{ .name = 0 }
-};
-
-static int condition_parse(int c, char **argv, int invert, unsigned int *flags,
-                           const void *entry, struct xt_entry_match **match)
-{
-	struct condition_info *info =
-	    (struct condition_info *) (*match)->data;
-
-	if (c == 'X') {
-		if (*flags)
-			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify multiple conditions");
-
-		check_inverse(optarg, &invert, &optind, 0);
-
-		if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
-			strcpy(info->name, argv[optind - 1]);
-		else
-			exit_error(PARAMETER_PROBLEM,
-				   "File name too long");
-
-		info->invert = invert;
-		*flags = 1;
-		return 1;
-	}
-
-	return 0;
-}
-
-static void condition_check(unsigned int flags)
-{
-	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
-			   "Condition match: must specify --condition");
-}
-
-static void condition_print(const void *ip, const struct xt_entry_match *match,
-                            int numeric)
-{
-	const struct condition_info *info =
-	    (const struct condition_info *) match->data;
-
-	printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
-}
-
-
-static void condition_save(const void *ip, const struct xt_entry_match *match)
-{
-	const struct condition_info *info =
-	    (const struct condition_info *) match->data;
-
-	printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
-}
-
-static struct iptables_match condition_match = {
-	.name 		= "condition",
-	.version 	= IPTABLES_VERSION,
-	.size 		= IPT_ALIGN(sizeof(struct condition_info)),
-	.userspacesize 	= IPT_ALIGN(sizeof(struct condition_info)),
-	.help 		= condition_help,
-	.parse 		= condition_parse,
-	.final_check	= condition_check,
-	.print 		= condition_print,
-	.save 		= condition_save,
-	.extra_opts 	= condition_opts,
-};
-
-
-void
-_init(void)
-{
-	register_match(&condition_match);
-}
diff --git a/extensions/libipt_condition.man b/extensions/libipt_condition.man
deleted file mode 100644
index ce2aa95..0000000
--- a/extensions/libipt_condition.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This matches if a specific /proc filename is '0' or '1'.
-.TP
-.BI "--condition " "[!] \fIfilename\fP"
-Match on boolean value stored in /proc/net/ipt_condition/filename file
diff --git a/include/linux/netfilter_ipv4/ip_set.h b/include/linux/netfilter_ipv4/ip_set.h
new file mode 100644
index 0000000..92a746e
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ip_set.h
@@ -0,0 +1,498 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.  
+ */
+
+#if 0
+#define IP_SET_DEBUG
+#endif
+
+/*
+ * A sockopt of such quality has hardly ever been seen before on the open
+ * market!  This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Comes with its own certificate of authenticity, valid anywhere in the
+ * Free world!
+ *
+ * Rusty, 19.4.2000
+ */
+#define SO_IP_SET 		83
+
+/*
+ * Heavily modify by Joakim Axelsson 08.03.2002
+ * - Made it more modulebased
+ *
+ * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
+ * - bindings added
+ * - in order to "deal with" backward compatibility, renamed to ipset
+ */
+
+/* 
+ * Used so that the kernel module and ipset-binary can match their versions 
+ */
+#define IP_SET_PROTOCOL_VERSION 2
+
+#define IP_SET_MAXNAMELEN 32	/* set names and set typenames */
+
+/* Lets work with our own typedef for representing an IP address.
+ * We hope to make the code more portable, possibly to IPv6...
+ *
+ * The representation works in HOST byte order, because most set types
+ * will perform arithmetic operations and compare operations.
+ * 
+ * For now the type is an uint32_t.
+ *
+ * Make sure to ONLY use the functions when translating and parsing
+ * in order to keep the host byte order and make it more portable:
+ *  parse_ip()
+ *  parse_mask()
+ *  parse_ipandmask()
+ *  ip_tostring()
+ * (Joakim: where are they???)
+ */
+
+typedef uint32_t ip_set_ip_t;
+
+/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
+ * and IP_SET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef uint16_t ip_set_id_t;
+
+#define IP_SET_INVALID_ID	65535
+
+/* How deep we follow bindings */
+#define IP_SET_MAX_BINDINGS	6
+
+/*
+ * Option flags for kernel operations (ipt_set_info)
+ */
+#define IPSET_SRC 		0x01	/* Source match/add */
+#define IPSET_DST		0x02	/* Destination match/add */
+#define IPSET_MATCH_INV		0x04	/* Inverse matching */
+
+/*
+ * Set features
+ */
+#define IPSET_TYPE_IP		0x01	/* IP address type of set */
+#define IPSET_TYPE_PORT		0x02	/* Port type of set */
+#define IPSET_DATA_SINGLE	0x04	/* Single data storage */
+#define IPSET_DATA_DOUBLE	0x08	/* Double data storage */
+
+/* Reserved keywords */
+#define IPSET_TOKEN_DEFAULT	":default:"
+#define IPSET_TOKEN_ALL		":all:"
+
+/* SO_IP_SET operation constants, and their request struct types.
+ *
+ * Operation ids:
+ *	  0-99:	 commands with version checking
+ *	100-199: add/del/test/bind/unbind
+ *	200-299: list, save, restore
+ */
+
+/* Single shot operations: 
+ * version, create, destroy, flush, rename and swap 
+ *
+ * Sets are identified by name.
+ */
+
+#define IP_SET_REQ_STD		\
+	unsigned op;		\
+	unsigned version;	\
+	char name[IP_SET_MAXNAMELEN]
+
+#define IP_SET_OP_CREATE	0x00000001	/* Create a new (empty) set */
+struct ip_set_req_create {
+	IP_SET_REQ_STD;
+	char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_DESTROY	0x00000002	/* Remove a (empty) set */
+struct ip_set_req_std {
+	IP_SET_REQ_STD;
+};
+
+#define IP_SET_OP_FLUSH		0x00000003	/* Remove all IPs in a set */
+/* Uses ip_set_req_std */
+
+#define IP_SET_OP_RENAME	0x00000004	/* Rename a set */
+/* Uses ip_set_req_create */
+
+#define IP_SET_OP_SWAP		0x00000005	/* Swap two sets */
+/* Uses ip_set_req_create */
+
+union ip_set_name_index {
+	char name[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
+struct ip_set_req_get_set {
+	unsigned op;
+	unsigned version;
+	union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
+struct ip_set_req_version {
+	unsigned op;
+	unsigned version;
+};
+
+/* Double shots operations: 
+ * add, del, test, bind and unbind.
+ *
+ * First we query the kernel to get the index and type of the target set,
+ * then issue the command. Validity of IP is checked in kernel in order
+ * to minimalize sockopt operations.
+ */
+
+/* Get minimal set data for add/del/test/bind/unbind IP */
+#define IP_SET_OP_ADT_GET	0x00000010	/* Get set and type */
+struct ip_set_req_adt_get {
+	unsigned op;
+	unsigned version;
+	union ip_set_name_index set;
+	char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_REQ_BYINDEX	\
+	unsigned op;		\
+	ip_set_id_t index;
+
+struct ip_set_req_adt {
+	IP_SET_REQ_BYINDEX;
+};
+
+#define IP_SET_OP_ADD_IP	0x00000101	/* Add an IP to a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_DEL_IP	0x00000102	/* Remove an IP from a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_TEST_IP	0x00000103	/* Test an IP in a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_BIND_SET	0x00000104	/* Bind an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+struct ip_set_req_bind {
+	IP_SET_REQ_BYINDEX;
+	char binding[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_UNBIND_SET	0x00000105	/* Unbind an IP from a set */
+/* Uses ip_set_req_bind, with type speficic addage 
+ * index = 0 means unbinding for all sets */
+
+#define IP_SET_OP_TEST_BIND_SET	0x00000106	/* Test binding an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+
+/* Multiple shots operations: list, save, restore.
+ *
+ * - check kernel version and query the max number of sets
+ * - get the basic information on all sets
+ *   and size required for the next step
+ * - get actual set data: header, data, bindings
+ */
+
+/* Get max_sets and the index of a queried set
+ */
+#define IP_SET_OP_MAX_SETS	0x00000020
+struct ip_set_req_max_sets {
+	unsigned op;
+	unsigned version;
+	ip_set_id_t max_sets;		/* max_sets */
+	ip_set_id_t sets;		/* real number of sets */
+	union ip_set_name_index set;	/* index of set if name used */
+};
+
+/* Get the id and name of the sets plus size for next step */
+#define IP_SET_OP_LIST_SIZE	0x00000201
+#define IP_SET_OP_SAVE_SIZE	0x00000202
+struct ip_set_req_setnames {
+	unsigned op;
+	ip_set_id_t index;		/* set to list/save */
+	size_t size;			/* size to get setdata/bindings */
+	/* followed by sets number of struct ip_set_name_list */
+};
+
+struct ip_set_name_list {
+	char name[IP_SET_MAXNAMELEN];
+	char typename[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+	ip_set_id_t id;
+};
+
+/* The actual list operation */
+#define IP_SET_OP_LIST		0x00000203
+struct ip_set_req_list {
+	IP_SET_REQ_BYINDEX;
+	/* sets number of struct ip_set_list in reply */ 
+};
+
+struct ip_set_list {
+	ip_set_id_t index;
+	ip_set_id_t binding;
+	u_int32_t ref;
+	size_t header_size;	/* Set header data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+	size_t bindings_size;	/* Set bindings data of bindings_size */
+};
+
+struct ip_set_hash_list {
+	ip_set_ip_t ip;
+	ip_set_id_t binding;
+};
+
+/* The save operation */
+#define IP_SET_OP_SAVE		0x00000204
+/* Uses ip_set_req_list, in the reply replaced by
+ * sets number of struct ip_set_save plus a marker
+ * ip_set_save followed by ip_set_hash_save structures.
+ */
+struct ip_set_save {
+	ip_set_id_t index;
+	ip_set_id_t binding;
+	size_t header_size;	/* Set header data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+};
+
+/* At restoring, ip == 0 means default binding for the given set: */
+struct ip_set_hash_save {
+	ip_set_ip_t ip;
+	ip_set_id_t id;
+	ip_set_id_t binding;
+};
+
+/* The restore operation */
+#define IP_SET_OP_RESTORE	0x00000205
+/* Uses ip_set_req_setnames followed by ip_set_restore structures
+ * plus a marker ip_set_restore, followed by ip_set_hash_save 
+ * structures.
+ */
+struct ip_set_restore {
+	char name[IP_SET_MAXNAMELEN];
+	char typename[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+	size_t header_size;	/* Create data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+};
+
+static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
+{
+	return 4 * ((((b - a + 8) / 8) + 3) / 4);
+}
+
+#ifdef __KERNEL__
+
+#define ip_set_printk(format, args...) 			\
+	do {							\
+		printk("%s: %s: ", __FILE__, __FUNCTION__);	\
+		printk(format "\n" , ## args);			\
+	} while (0)
+
+#if defined(IP_SET_DEBUG)
+#define DP(format, args...) 					\
+	do {							\
+		printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
+		printk(format "\n" , ## args);			\
+	} while (0)
+#define IP_SET_ASSERT(x)					\
+	do {							\
+		if (!(x))					\
+			printk("IP_SET_ASSERT: %s:%i(%s)\n",	\
+				__FILE__, __LINE__, __FUNCTION__); \
+	} while (0)
+#else
+#define DP(format, args...)
+#define IP_SET_ASSERT(x)
+#endif
+
+struct ip_set;
+
+/*
+ * The ip_set_type definition - one per set type, e.g. "ipmap".
+ *
+ * Each individual set has a pointer, set->type, going to one
+ * of these structures. Function pointers inside the structure implement
+ * the real behaviour of the sets.
+ *
+ * If not mentioned differently, the implementation behind the function
+ * pointers of a set_type, is expected to return 0 if ok, and a negative
+ * errno (e.g. -EINVAL) on error.
+ */
+struct ip_set_type {
+	struct list_head list;	/* next in list of set types */
+
+	/* test for IP in set (kernel: iptables -m set src|dst)
+	 * return 0 if not in set, 1 if in set.
+	 */
+	int (*testip_kernel) (struct ip_set *set,
+			      const struct sk_buff * skb, 
+			      ip_set_ip_t *ip,
+			      const u_int32_t *flags,
+			      unsigned char index);
+
+	/* test for IP in set (userspace: ipset -T set IP)
+	 * return 0 if not in set, 1 if in set.
+	 */
+	int (*testip) (struct ip_set *set,
+		       const void *data, size_t size,
+		       ip_set_ip_t *ip);
+
+	/*
+	 * Size of the data structure passed by when
+	 * adding/deletin/testing an entry.
+	 */
+	size_t reqsize;
+
+	/* Add IP into set (userspace: ipset -A set IP)
+	 * Return -EEXIST if the address is already in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address was not already in the set, 0 is returned.
+	 */
+	int (*addip) (struct ip_set *set, 
+		      const void *data, size_t size,
+		      ip_set_ip_t *ip);
+
+	/* Add IP into set (kernel: iptables ... -j SET set src|dst)
+	 * Return -EEXIST if the address is already in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address was not already in the set, 0 is returned.
+	 */
+	int (*addip_kernel) (struct ip_set *set,
+			     const struct sk_buff * skb, 
+			     ip_set_ip_t *ip,
+			     const u_int32_t *flags,
+			     unsigned char index);
+
+	/* remove IP from set (userspace: ipset -D set --entry x)
+	 * Return -EEXIST if the address is NOT in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address really was in the set, 0 is returned.
+	 */
+	int (*delip) (struct ip_set *set, 
+		      const void *data, size_t size,
+		      ip_set_ip_t *ip);
+
+	/* remove IP from set (kernel: iptables ... -j SET --entry x)
+	 * Return -EEXIST if the address is NOT in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address really was in the set, 0 is returned.
+	 */
+	int (*delip_kernel) (struct ip_set *set,
+			     const struct sk_buff * skb, 
+			     ip_set_ip_t *ip,
+			     const u_int32_t *flags,
+			     unsigned char index);
+
+	/* new set creation - allocated type specific items
+	 */
+	int (*create) (struct ip_set *set,
+		       const void *data, size_t size);
+
+	/* retry the operation after successfully tweaking the set
+	 */
+	int (*retry) (struct ip_set *set);
+
+	/* set destruction - free type specific items
+	 * There is no return value.
+	 * Can be called only when child sets are destroyed.
+	 */
+	void (*destroy) (struct ip_set *set);
+
+	/* set flushing - reset all bits in the set, or something similar.
+	 * There is no return value.
+	 */
+	void (*flush) (struct ip_set *set);
+
+	/* Listing: size needed for header
+	 */
+	size_t header_size;
+
+	/* Listing: Get the header
+	 *
+	 * Fill in the information in "data".
+	 * This function is always run after list_header_size() under a 
+	 * writelock on the set. Therefor is the length of "data" always 
+	 * correct. 
+	 */
+	void (*list_header) (const struct ip_set *set, 
+			     void *data);
+
+	/* Listing: Get the size for the set members
+	 */
+	int (*list_members_size) (const struct ip_set *set);
+
+	/* Listing: Get the set members
+	 *
+	 * Fill in the information in "data".
+	 * This function is always run after list_member_size() under a 
+	 * writelock on the set. Therefor is the length of "data" always 
+	 * correct. 
+	 */
+	void (*list_members) (const struct ip_set *set,
+			      void *data);
+
+	char typename[IP_SET_MAXNAMELEN];
+	unsigned char features;
+	int protocol_version;
+
+	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+	struct module *me;
+};
+
+extern int ip_set_register_set_type(struct ip_set_type *set_type);
+extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
+
+/* A generic ipset */
+struct ip_set {
+	char name[IP_SET_MAXNAMELEN];	/* the name of the set */
+	rwlock_t lock;			/* lock for concurrency control */
+	ip_set_id_t id;			/* set id for swapping */
+	ip_set_id_t binding;		/* default binding for the set */
+	atomic_t ref;			/* in kernel and in hash references */
+	struct ip_set_type *type; 	/* the set types */
+	void *data;			/* pooltype specific data */
+};
+
+/* Structure to bind set elements to sets */
+struct ip_set_hash {
+	struct list_head list;		/* list of clashing entries in hash */
+	ip_set_ip_t ip;			/* ip from set */
+	ip_set_id_t id;			/* set id */
+	ip_set_id_t binding;		/* set we bind the element to */
+};
+
+/* register and unregister set references */
+extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
+extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
+extern void ip_set_put(ip_set_id_t id);
+
+/* API for iptables set match, and SET target */
+extern void ip_set_addip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+extern void ip_set_delip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+extern int ip_set_testip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+
+#endif				/* __KERNEL__ */
+
+#endif /*_IP_SET_H*/
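Review bot: several of the structures exchanged with the kernel over `SO_IP_SET` carry `size_t` fields (`ip_set_req_setnames.size`, the `header_size`/`members_size`/`bindings_size` members of `ip_set_list`, `ip_set_save` and `ip_set_restore`), whose width differs between 32-bit and 64-bit ABIs, so a 32-bit `iptables` and a 64-bit kernel will disagree about the layout of list, save and restore replies. That is inherited from ipset rather than introduced here, but the commit message should record which ipset release this header copy corresponds to so it can be kept in sync. Two smaller points: the header uses `uint32_t`/`uint16_t` and `u_int32_t` without including `<stdint.h>` or `<sys/types.h>`, so every includer must pull those in first; and the `#ifdef __KERNEL__` section (list_head, rwlock_t, sk_buff) is dead weight in a userspace copy and could be trimmed.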
diff --git a/include/linux/netfilter_ipv4/ipt_set.h b/include/linux/netfilter_ipv4/ipt_set.h
new file mode 100644
index 0000000..2a18b93
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_set.h
@@ -0,0 +1,21 @@
+#ifndef _IPT_SET_H
+#define _IPT_SET_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+struct ipt_set_info {
+	ip_set_id_t index;
+	u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
+};
+
+/* match info */
+struct ipt_set_info_match {
+	struct ipt_set_info match_set;
+};
+
+struct ipt_set_info_target {
+	struct ipt_set_info add_set;
+	struct ipt_set_info del_set;
+};
+
+#endif /*_IPT_SET_H*/
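Review bot: `struct ipt_set_info` is the match/target data handed to the kernel inside the rule blob, so its layout must stay byte-identical to the kernel's own `ipt_set.h`: a 2-byte `ip_set_id_t` followed by a `u_int32_t` array leaves 2 bytes of padding that the kernel module expects in the same place. Please state in the commit message which ipset version the two headers were taken from, and consider adding `#include <sys/types.h>` here, since `u_int32_t` is a BSD/glibc typedef rather than C99.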
-- 
1.5.5.rc3



* [PATCH 04/10] Resolve libipt_set warnings
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
  2008-04-15 10:33   ` [PATCH 02/10] Wrap dlopen code into NO_SHARED_LIBS Jan Engelhardt
  2008-04-15 10:33   ` [PATCH 03/10] Remove support for compilation of conditional extensions Jan Engelhardt
@ 2008-04-15 10:33   ` Jan Engelhardt
  2008-04-15 11:42     ` Patrick McHardy
  2008-04-15 10:33   ` [PATCH 05/10] Update documentation about building the package Jan Engelhardt
                     ` (5 subsequent siblings)
  8 siblings, 1 reply; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

---
 extensions/libipt_set.h |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/extensions/libipt_set.h b/extensions/libipt_set.h
index 02de0fa..3e70d7b 100644
--- a/extensions/libipt_set.h
+++ b/extensions/libipt_set.h
@@ -12,9 +12,9 @@
 #endif
 
 static void
-parse_bindings(const char *optarg, struct ipt_set_info *info)
+parse_bindings(const char *opt_arg, struct ipt_set_info *info)
 {
-	char *saved = strdup(optarg);
+	char *saved = strdup(opt_arg);
 	char *ptr, *tmp = saved;
 	int i = 0;
 	
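Review bot: renaming the parameter from `optarg` to `opt_arg` is the right fix, since `optarg` is the global declared by `<getopt.h>` and the parameter was shadowing it. While here, the `strdup` result on the `+` line is assigned to `tmp` with no NULL check visible in the hunk; if none exists below, `parse_bindings` should bail out with `exit_error(OTHER_PROBLEM, ...)` on allocation failure instead of walking a NULL pointer.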
@@ -66,8 +66,8 @@ static void get_set_byname(const char *setname, struct ipt_set_info *info)
 	if (size != sizeof(struct ip_set_req_get_set))
 		exit_error(OTHER_PROBLEM,
 			   "Incorrect return size from kernel during ipset lookup, "
-			   "(want %ld, got %ld)\n",
-			   sizeof(struct ip_set_req_get_set), size);
+			   "(want %zu, got %zu)\n",
+			   sizeof(struct ip_set_req_get_set), (size_t)size);
 	if (req.set.index == IP_SET_INVALID_ID)
 		exit_error(PARAMETER_PROBLEM,
 			   "Set %s doesn't exist.\n", setname);
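Review bot: casting the socklen_t to size_t for %zu is correct and is what silences -Wformat on 64-bit, where sizeof() is unsigned long while socklen_t stays 32 bits; `%u` with `(unsigned int)size` would avoid the cast, but either form is fine. Since the identical check and message are repeated verbatim in get_set_byid below, a small helper that takes the returned size would stop the two copies from drifting apart.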
@@ -75,7 +75,7 @@ static void get_set_byname(const char *setname, struct ipt_set_info *info)
 	info->index = req.set.index;
 }
 
-static void get_set_byid(char * setname, ip_set_id_t index)
+static void get_set_byid(char * setname, ip_set_id_t idx)
 {
 	struct ip_set_req_get_set req;
 	socklen_t size = sizeof(struct ip_set_req_get_set);
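Review bot: renaming the parameter index to idx avoids shadowing index(3) from <strings.h>, which is what gcc was warning about; that reasoning belongs in the commit message. The `char * setname` spacing on the same line could become `char *setname` to match the rest of the file, given the line is rewritten anyway.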
@@ -83,7 +83,7 @@ static void get_set_byid(char * setname, ip_set_id_t index)
 
 	req.op = IP_SET_OP_GET_BYINDEX;
 	req.version = IP_SET_PROTOCOL_VERSION;
-	req.set.index = index;
+	req.set.index = idx;
 	res = get_set_getsockopt(&req, &size);
 	if (res != 0)
 		exit_error(OTHER_PROBLEM,
@@ -92,11 +92,11 @@ static void get_set_byid(char * setname, ip_set_id_t index)
 	if (size != sizeof(struct ip_set_req_get_set))
 		exit_error(OTHER_PROBLEM,
 			   "Incorrect return size from kernel during ipset lookup, "
-			   "(want %ld, got %ld)\n",
-			   sizeof(struct ip_set_req_get_set), size);
+			   "(want %zu, got %zu)\n",
+			   sizeof(struct ip_set_req_get_set), (size_t)size);
 	if (req.set.name[0] == '\0')
 		exit_error(PARAMETER_PROBLEM,
-			   "Set id %i in kernel doesn't exist.\n", index);
+			   "Set id %i in kernel doesn't exist.\n", idx);
 
 	strncpy(setname, req.set.name, IP_SET_MAXNAMELEN);
 }
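Review bot: `%i` for idx is only correct if ip_set_id_t is int-sized or narrower and gets promoted; if it is a wider unsigned type the warning moves rather than disappears, so check the typedef in ip_set.h. More importantly, the strncpy(setname, req.set.name, IP_SET_MAXNAMELEN) at the end does not guarantee a terminator: the only validation of req.set.name is that its first byte is non-NUL, so a kernel-supplied name that fills the buffer leaves setname unterminated for the caller. Either terminate explicitly with setname[IP_SET_MAXNAMELEN - 1] = '\0' or verify the name is terminated before copying.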
-- 
1.5.5.rc3


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [PATCH 05/10] Update documentation about building the package
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
                     ` (2 preceding siblings ...)
  2008-04-15 10:33   ` [PATCH 04/10] Resolve libipt_set warnings Jan Engelhardt
@ 2008-04-15 10:33   ` Jan Engelhardt
  2008-04-15 11:43     ` Patrick McHardy
  2008-04-15 10:33   ` [PATCH 06/10] configure.ac: AC_SUBST must be separate Jan Engelhardt
                     ` (4 subsequent siblings)
  8 siblings, 1 reply; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

---
 INSTALL      |   96 ++++++++++++++++++++++++++++++++------------------
 configure.ac |    4 +-
 2 files changed, 64 insertions(+), 36 deletions(-)

diff --git a/INSTALL b/INSTALL
index a41e0cc..4a44989 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,52 +1,80 @@
-FOLLOW THESE STEPS:
+Installation instructions for iptables
+======================================
 
-0) There may be some outstanding bugfixes or tweaks which are not yet
-   in the official kernel.  Those are now (as of iptables-1.2.7) kept
-   in a seperate package, called patch-o-matic.  It is available from
-   ftp://ftp.netfilter.org/pub/patch-o-matic/
+iptables uses the well-known configure(autotools) infrastructure.
 
-1) Next, make the package. If you use a standard distribution kernel,
-   just run ./configure.
+	$ ./configure
+	$ make
+	# make install
 
-   If you want to build against an own kernel tree:
 
-	$ ./configure --with-kernel=/home/jengelh/mykernel
+Prerequisites
+=============
 
-   or whereever you put it. If you are using a dedicated kernel build
-   directory, you use:
+	* no kernel-source required
 
-	$ ./configure --with-kbuild=<<where-built>> --with-ksource=<<source>>
+	* but obviously a compiler, glibc-devel and linux-kernel-headers
+	  (/usr/include/linux)
 
-2) Finally, you need to install the binaries and shared libraries:
 
-	# make install
+Configuring and compiling
+=========================
 
-That's it!
-================================================================
-PROBLEMS YOU MAY ENCOUNTER:
+./configure [options]
 
-1) This package requires a 2.4.4 kernel, or above.
+--prefix=
 
-2) If you get the kernel directory wrong, you may get compile failures.
+	The prefix to put all installed files under. It defaults to
+	/usr/local, so the binaries will go into /usr/local/bin, sbin,
+	manpages into /usr/local/share/man, etc.
 
-3) If you want to specify alternate directories for installation
-(instead of /usr/local/ bin lib man), do this:
+--with-xtlibdir=
 
-	$ ./configure --prefix=/usr
-	$ make
-	# make install
+	The path to where Xtables extensions should be installed to. It
+	defaults to ${prefix}/libexec/xtables.
+
+--enable-devel (or --disable-devel)
+
+	This option causes development files to be installed to
+	${includedir}, which is needed for building additional packages,
+	such as Xtables-addons or other 3rd-party extensions.
+
+	It is enabled by default.
+
+--enable-libipq
+
+	This option causes libipq to be installed into ${libdir} and
+	${includedir}.
+
+--enable-static
+
+	Enable building single standalone multipurpose binaries,
+	(iptables-static and ip6tables-static), which contain every
+	extension compiled-in (and does not support additional
+	extensions).
+
+--with-ksource=
+
+	Xtables does not depend on kernel headers anymore, but you can
+	optionally specify a search path to include anyway. This is
+	probably only useful for development.
+
+If you want to enable debugging, use
+
+	./configure CFLAGS="-ggdb3 -O0"
 
-4) The make process will automatically build a multipurpose binary under the
-   names iptables-multi and ip6tables-multi.
+(-O0 is used to turn off instruction reordering, which makes debugging
+much easier.)
 
-5) If you want to build a statically linked version of the iptables binary,
-   without the need for loading the plugins at runtime (e.g. for an embedded
-   device or router-on-a-disk), please use
 
-	$ ./configure --enable-static
+Other notes
+===========
 
-   which will build both a semi-static multi binary (iptables-mtss, uses
-   libc but not plugins) and a fully static multi binary (iptables-static).
+The make process will automatically build multipurpose binaries.
+These have the core (iptables), -save, -restore and -xml code
+compiled into one binary, but extensions remain as modules.
 
-6) If you want to install libipq (old interface), add --enable-devel to
-   ./configure.
+If you want to build a statically linked version of the iptables binary,
+without the need for loading the plugins at runtime (e.g. for an
+embedded device or router-on-a-disk), you can use the --enable-static
+configure flag.
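Review bot: the rewritten INSTALL drops --with-kbuild, but configure.ac in this same series still does AC_SUBST([kbuilddir]), so either document the option or remove it; likewise the old text promised a semi-static iptables-mtss binary next to iptables-static and the new text only mentions iptables-static, so state explicitly whether -mtss is gone. Two wording fixes: "configure(autotools)" wants a space, and "-O0 is used to turn off instruction reordering" understates it, since -O0 disables optimisation altogether, which is what keeps variables and line numbers usable in gdb. It would also help to keep the binary names (iptables-multi, ip6tables-multi) in the "Other notes" paragraph, because scripts and packaging refer to them by name.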
diff --git a/configure.ac b/configure.ac
index 10d4380..42fb728 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,9 +22,9 @@ AC_ARG_WITH([ksource],
 	[ksourcedir="$withval"])
 AC_ARG_WITH([xtlibdir],
 	AS_HELP_STRING([--with-xtlibdir=PATH],
-	[Path to iptables modules [[LIBEXECDIR/iptables]]]),
+	[Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]),
 	[xtlibdir="$withval"],
-	[xtlibdir="${libexecdir}/iptables"])
+	[xtlibdir="${libexecdir}/xtables"])
 AC_ARG_ENABLE([devel],
 	AS_HELP_STRING([--enable-devel],
 	[Install Xtables development headers]),
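Review bot: changing the default xtlibdir from ${libexecdir}/iptables to ${libexecdir}/xtables changes where the binaries look for extensions at runtime, so an upgrade over an existing install leaves the old modules in a directory that is no longer searched and every rule that needs an extension fails to load. That deserves a line in the commit message and in INSTALL, with --with-xtlibdir=${libexecdir}/iptables named as the override for distributions that cannot move the directory yet, and any other place that hardcodes the old path should change in the same patch.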
-- 
1.5.5.rc3


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [PATCH 06/10] configure.ac: AC_SUBST must be separate
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
                     ` (3 preceding siblings ...)
  2008-04-15 10:33   ` [PATCH 05/10] Update documentation about building the package Jan Engelhardt
@ 2008-04-15 10:33   ` Jan Engelhardt
  2008-04-15 11:43     ` Patrick McHardy
  2008-04-15 10:33   ` [PATCH 07/10] Dynamically create xtables.h.in with version Jan Engelhardt
                     ` (3 subsequent siblings)
  8 siblings, 1 reply; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

---
 configure.ac |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/configure.ac b/configure.ac
index 42fb728..2d9862e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -51,7 +51,8 @@ if [[ -n "$ksourcedir" ]]; then
 	kinclude_CFLAGS="$kinclude_CFLAGS -I $ksourcedir/include";
 fi;
 
-AC_SUBST([regular_CFLAGS kinclude_CFLAGS])
+AC_SUBST([regular_CFLAGS])
+AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
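Review bot: good catch, and the fix is right: AC_SUBST takes exactly one variable name, so the old single-argument form registered a substitution for the literal name "regular_CFLAGS kinclude_CFLAGS" and neither variable was substituted into the generated Makefiles. Please put that symptom in the commit message; the subject line alone does not say what was broken.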
-- 
1.5.5.rc3


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [PATCH 07/10] Dynamically create xtables.h.in with version
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
                     ` (4 preceding siblings ...)
  2008-04-15 10:33   ` [PATCH 06/10] configure.ac: AC_SUBST must be separate Jan Engelhardt
@ 2008-04-15 10:33   ` Jan Engelhardt
  2008-04-15 11:44     ` Patrick McHardy
  2008-04-15 10:33   ` [PATCH 09/10] Move libipt_recent to libxt_recent Jan Engelhardt
                     ` (2 subsequent siblings)
  8 siblings, 1 reply; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

---
 configure.ac         |    2 +-
 include/xtables.h    |  216 -----------------------------------------
 include/xtables.h.in |  218 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 219 insertions(+), 217 deletions(-)
 delete mode 100644 include/xtables.h
 create mode 100644 include/xtables.h.in

diff --git a/configure.ac b/configure.ac
index 2d9862e..b6afa34 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,4 +56,4 @@ AC_SUBST([kinclude_CFLAGS])
 AC_SUBST([kbuilddir])
 AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
-AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile])
+AC_OUTPUT([Makefile extensions/GNUmakefile libipq/Makefile include/xtables.h])
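Review bot: appending include/xtables.h to AC_OUTPUT works, but the file-list form of AC_OUTPUT is the deprecated autoconf 2.13 style; AC_CONFIG_FILES([Makefile extensions/GNUmakefile libipq/Makefile include/xtables.h]) followed by a bare AC_OUTPUT is the current idiom. Because include/xtables.h is now a generated file, also add it to .gitignore and to the distclean/maintainer-clean rules, otherwise a stale copy left in the tree keeps an old XTABLES_VERSION string after the next configure run.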
diff --git a/include/xtables.h b/include/xtables.h
deleted file mode 100644
index 5eba8ac..0000000
--- a/include/xtables.h
+++ /dev/null
@@ -1,216 +0,0 @@
-#ifndef _XTABLES_H
-#define _XTABLES_H
-
-#include <sys/types.h>
-#include <linux/types.h>
-#include <linux/netfilter/x_tables.h>
-#include <libiptc/libxtc.h>
-#include <stdbool.h>
-
-#ifndef IPPROTO_SCTP
-#define IPPROTO_SCTP 132
-#endif
-#ifndef IPPROTO_DCCP
-#define IPPROTO_DCCP 33
-#endif
-#ifndef IPPROTO_UDPLITE
-#define IPPROTO_UDPLITE	136
-#endif
-
-/* Include file for additions: new matches and targets. */
-struct xtables_match
-{
-	struct xtables_match *next;
-
-	xt_chainlabel name;
-
-	/* Revision of match (0 by default). */
-	u_int8_t revision;
-
-	u_int16_t family;
-
-	const char *version;
-
-	/* Size of match data. */
-	size_t size;
-
-	/* Size of match data relevent for userspace comparison purposes */
-	size_t userspacesize;
-
-	/* Function which prints out usage message. */
-	void (*help)(void);
-
-	/* Initialize the match. */
-	void (*init)(struct xt_entry_match *m);
-
-	/* Function which parses command options; returns true if it
-           ate an option */
-	/* entry is struct ipt_entry for example */
-	int (*parse)(int c, char **argv, int invert, unsigned int *flags,
-		     const void *entry,
-		     struct xt_entry_match **match);
-
-	/* Final check; exit if not ok. */
-	void (*final_check)(unsigned int flags);
-
-	/* Prints out the match iff non-NULL: put space at end */
-	/* ip is struct ipt_ip * for example */
-	void (*print)(const void *ip,
-		      const struct xt_entry_match *match, int numeric);
-
-	/* Saves the match info in parsable form to stdout. */
-	/* ip is struct ipt_ip * for example */
-	void (*save)(const void *ip, const struct xt_entry_match *match);
-
-	/* Pointer to list of extra command-line options */
-	const struct option *extra_opts;
-
-	/* Ignore these men behind the curtain: */
-	unsigned int option_offset;
-	struct xt_entry_match *m;
-	unsigned int mflags;
-#ifdef NO_SHARED_LIBS
-	unsigned int loaded; /* simulate loading so options are merged properly */
-#endif
-};
-
-struct xtables_target
-{
-	struct xtables_target *next;
-
-	xt_chainlabel name;
-
-	/* Revision of target (0 by default). */
-	u_int8_t revision;
-
-	u_int16_t family;
-
-	const char *version;
-
-	/* Size of target data. */
-	size_t size;
-
-	/* Size of target data relevent for userspace comparison purposes */
-	size_t userspacesize;
-
-	/* Function which prints out usage message. */
-	void (*help)(void);
-
-	/* Initialize the target. */
-	void (*init)(struct xt_entry_target *t);
-
-	/* Function which parses command options; returns true if it
-           ate an option */
-	/* entry is struct ipt_entry for example */
-	int (*parse)(int c, char **argv, int invert, unsigned int *flags,
-		     const void *entry,
-		     struct xt_entry_target **targetinfo);
-
-	/* Final check; exit if not ok. */
-	void (*final_check)(unsigned int flags);
-
-	/* Prints out the target iff non-NULL: put space at end */
-	void (*print)(const void *ip,
-		      const struct xt_entry_target *target, int numeric);
-
-	/* Saves the targinfo in parsable form to stdout. */
-	void (*save)(const void *ip,
-		     const struct xt_entry_target *target);
-
-	/* Pointer to list of extra command-line options */
-	const struct option *extra_opts;
-
-	/* Ignore these men behind the curtain: */
-	unsigned int option_offset;
-	struct xt_entry_target *t;
-	unsigned int tflags;
-	unsigned int used;
-#ifdef NO_SHARED_LIBS
-	unsigned int loaded; /* simulate loading so options are merged properly */
-#endif
-};
-
-/* Your shared library should call one of these. */
-extern void xtables_register_match(struct xtables_match *me);
-extern void xtables_register_target(struct xtables_target *me);
-
-extern int string_to_number_ll(const char *s,
-			       unsigned long long min,
-			       unsigned long long max,
-			       unsigned long long *ret);
-extern int string_to_number_l(const char *s,
-			      unsigned long min,
-			      unsigned long max,
-			      unsigned long *ret);
-extern int string_to_number(const char *s,
-			    unsigned int min,
-			    unsigned int max,
-			    unsigned int *ret);
-extern bool strtonuml(const char *, char **, unsigned long *,
-	unsigned long, unsigned long);
-extern bool strtonum(const char *, char **, unsigned int *,
-	unsigned int, unsigned int);
-extern int service_to_port(const char *name, const char *proto);
-extern u_int16_t parse_port(const char *port, const char *proto);
-extern void
-parse_interface(const char *arg, char *vianame, unsigned char *mask);
-
-enum exittype {
-	OTHER_PROBLEM = 1,
-	PARAMETER_PROBLEM,
-	VERSION_PROBLEM,
-	RESOURCE_PROBLEM,
-	P_ONLY_ONCE,
-	P_NO_INVERT,
-	P_BAD_VALUE,
-	P_ONE_ACTION,
-};
-
-/* this is a special 64bit data type that is 8-byte aligned */
-#define aligned_u64 u_int64_t __attribute__((aligned(8)))
-
-int check_inverse(const char option[], int *invert, int *my_optind, int argc);
-void exit_error(enum exittype, const char *, ...)__attribute__((noreturn,
-							  format(printf,2,3)));
-extern void param_act(unsigned int, const char *, ...);
-extern const char *program_name, *program_version;
-
-extern const char *ipaddr_to_numeric(const struct in_addr *);
-extern const char *ipaddr_to_anyname(const struct in_addr *);
-extern const char *ipmask_to_numeric(const struct in_addr *);
-extern struct in_addr *numeric_to_ipaddr(const char *);
-extern struct in_addr *numeric_to_ipmask(const char *);
-extern void ipparse_hostnetworkmask(const char *, struct in_addr **,
-	struct in_addr *, unsigned int *);
-
-extern struct in6_addr *numeric_to_ip6addr(const char *);
-extern const char *ip6addr_to_numeric(const struct in6_addr *);
-extern const char *ip6addr_to_anyname(const struct in6_addr *);
-extern const char *ip6mask_to_numeric(const struct in6_addr *);
-extern void ip6parse_hostnetworkmask(const char *, struct in6_addr **,
-	struct in6_addr *, unsigned int *);
-
-/**
- * Print the specified value to standard output, quoting dangerous
- * characters if required.
- */
-extern void save_string(const char *value);
-
-#ifdef NO_SHARED_LIBS
-#	ifdef _INIT
-#		undef _init
-#		define _init _INIT
-#	endif
-	extern void init_extensions(void);
-#else
-#	define _init __attribute__((constructor)) _INIT
-#endif
-
-/* Present in both iptables.c and ip6tables.c */
-extern u_int16_t parse_protocol(const char *s);
-
-#ifdef XTABLES_INTERNAL
-#	include <xtables/internal.h>
-#endif
-
-#endif /* _XTABLES_H */
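Review bot: this 216-line deletion and the 218-line addition that follows differ by two lines; generating the series with git format-patch -M would present it as a rename with a two-line hunk and make the real change reviewable. Also check that the rules installing development headers under ${includedir} (the --enable-devel path described in INSTALL) now take include/xtables.h from the build directory rather than the source tree, or an out-of-tree build installs nothing for this header.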
diff --git a/include/xtables.h.in b/include/xtables.h.in
new file mode 100644
index 0000000..c8a8746
--- /dev/null
+++ b/include/xtables.h.in
@@ -0,0 +1,218 @@
+#ifndef _XTABLES_H
+#define _XTABLES_H
+
+#include <sys/types.h>
+#include <linux/types.h>
+#include <linux/netfilter/x_tables.h>
+#include <libiptc/libxtc.h>
+#include <stdbool.h>
+
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+#ifndef IPPROTO_UDPLITE
+#define IPPROTO_UDPLITE	136
+#endif
+
+#define XTABLES_VERSION "@PACKAGE_VERSION@"
+
+/* Include file for additions: new matches and targets. */
+struct xtables_match
+{
+	struct xtables_match *next;
+
+	xt_chainlabel name;
+
+	/* Revision of match (0 by default). */
+	u_int8_t revision;
+
+	u_int16_t family;
+
+	const char *version;
+
+	/* Size of match data. */
+	size_t size;
+
+	/* Size of match data relevent for userspace comparison purposes */
+	size_t userspacesize;
+
+	/* Function which prints out usage message. */
+	void (*help)(void);
+
+	/* Initialize the match. */
+	void (*init)(struct xt_entry_match *m);
+
+	/* Function which parses command options; returns true if it
+           ate an option */
+	/* entry is struct ipt_entry for example */
+	int (*parse)(int c, char **argv, int invert, unsigned int *flags,
+		     const void *entry,
+		     struct xt_entry_match **match);
+
+	/* Final check; exit if not ok. */
+	void (*final_check)(unsigned int flags);
+
+	/* Prints out the match iff non-NULL: put space at end */
+	/* ip is struct ipt_ip * for example */
+	void (*print)(const void *ip,
+		      const struct xt_entry_match *match, int numeric);
+
+	/* Saves the match info in parsable form to stdout. */
+	/* ip is struct ipt_ip * for example */
+	void (*save)(const void *ip, const struct xt_entry_match *match);
+
+	/* Pointer to list of extra command-line options */
+	const struct option *extra_opts;
+
+	/* Ignore these men behind the curtain: */
+	unsigned int option_offset;
+	struct xt_entry_match *m;
+	unsigned int mflags;
+#ifdef NO_SHARED_LIBS
+	unsigned int loaded; /* simulate loading so options are merged properly */
+#endif
+};
+
+struct xtables_target
+{
+	struct xtables_target *next;
+
+	xt_chainlabel name;
+
+	/* Revision of target (0 by default). */
+	u_int8_t revision;
+
+	u_int16_t family;
+
+	const char *version;
+
+	/* Size of target data. */
+	size_t size;
+
+	/* Size of target data relevent for userspace comparison purposes */
+	size_t userspacesize;
+
+	/* Function which prints out usage message. */
+	void (*help)(void);
+
+	/* Initialize the target. */
+	void (*init)(struct xt_entry_target *t);
+
+	/* Function which parses command options; returns true if it
+           ate an option */
+	/* entry is struct ipt_entry for example */
+	int (*parse)(int c, char **argv, int invert, unsigned int *flags,
+		     const void *entry,
+		     struct xt_entry_target **targetinfo);
+
+	/* Final check; exit if not ok. */
+	void (*final_check)(unsigned int flags);
+
+	/* Prints out the target iff non-NULL: put space at end */
+	void (*print)(const void *ip,
+		      const struct xt_entry_target *target, int numeric);
+
+	/* Saves the targinfo in parsable form to stdout. */
+	void (*save)(const void *ip,
+		     const struct xt_entry_target *target);
+
+	/* Pointer to list of extra command-line options */
+	const struct option *extra_opts;
+
+	/* Ignore these men behind the curtain: */
+	unsigned int option_offset;
+	struct xt_entry_target *t;
+	unsigned int tflags;
+	unsigned int used;
+#ifdef NO_SHARED_LIBS
+	unsigned int loaded; /* simulate loading so options are merged properly */
+#endif
+};
+
+/* Your shared library should call one of these. */
+extern void xtables_register_match(struct xtables_match *me);
+extern void xtables_register_target(struct xtables_target *me);
+
+extern int string_to_number_ll(const char *s,
+			       unsigned long long min,
+			       unsigned long long max,
+			       unsigned long long *ret);
+extern int string_to_number_l(const char *s,
+			      unsigned long min,
+			      unsigned long max,
+			      unsigned long *ret);
+extern int string_to_number(const char *s,
+			    unsigned int min,
+			    unsigned int max,
+			    unsigned int *ret);
+extern bool strtonuml(const char *, char **, unsigned long *,
+	unsigned long, unsigned long);
+extern bool strtonum(const char *, char **, unsigned int *,
+	unsigned int, unsigned int);
+extern int service_to_port(const char *name, const char *proto);
+extern u_int16_t parse_port(const char *port, const char *proto);
+extern void
+parse_interface(const char *arg, char *vianame, unsigned char *mask);
+
+enum exittype {
+	OTHER_PROBLEM = 1,
+	PARAMETER_PROBLEM,
+	VERSION_PROBLEM,
+	RESOURCE_PROBLEM,
+	P_ONLY_ONCE,
+	P_NO_INVERT,
+	P_BAD_VALUE,
+	P_ONE_ACTION,
+};
+
+/* this is a special 64bit data type that is 8-byte aligned */
+#define aligned_u64 u_int64_t __attribute__((aligned(8)))
+
+int check_inverse(const char option[], int *invert, int *my_optind, int argc);
+void exit_error(enum exittype, const char *, ...)__attribute__((noreturn,
+							  format(printf,2,3)));
+extern void param_act(unsigned int, const char *, ...);
+extern const char *program_name, *program_version;
+
+extern const char *ipaddr_to_numeric(const struct in_addr *);
+extern const char *ipaddr_to_anyname(const struct in_addr *);
+extern const char *ipmask_to_numeric(const struct in_addr *);
+extern struct in_addr *numeric_to_ipaddr(const char *);
+extern struct in_addr *numeric_to_ipmask(const char *);
+extern void ipparse_hostnetworkmask(const char *, struct in_addr **,
+	struct in_addr *, unsigned int *);
+
+extern struct in6_addr *numeric_to_ip6addr(const char *);
+extern const char *ip6addr_to_numeric(const struct in6_addr *);
+extern const char *ip6addr_to_anyname(const struct in6_addr *);
+extern const char *ip6mask_to_numeric(const struct in6_addr *);
+extern void ip6parse_hostnetworkmask(const char *, struct in6_addr **,
+	struct in6_addr *, unsigned int *);
+
+/**
+ * Print the specified value to standard output, quoting dangerous
+ * characters if required.
+ */
+extern void save_string(const char *value);
+
+#ifdef NO_SHARED_LIBS
+#	ifdef _INIT
+#		undef _init
+#		define _init _INIT
+#	endif
+	extern void init_extensions(void);
+#else
+#	define _init __attribute__((constructor)) _INIT
+#endif
+
+/* Present in both iptables.c and ip6tables.c */
+extern u_int16_t parse_protocol(const char *s);
+
+#ifdef XTABLES_INTERNAL
+#	include <xtables/internal.h>
+#endif
+
+#endif /* _XTABLES_H */
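Review bot: the only substantive change in this new file is `#define XTABLES_VERSION "@PACKAGE_VERSION@"`, and the commit message should say that this is the value external extensions are expected to put into the .version field of xtables_match/xtables_target. A one-line comment above the define stating that it is the iptables release the extension was built against, and what the core compares it with at registration time, would save third-party authors guessing; as written, the define sits between the IPPROTO fallbacks and the struct definitions with nothing to explain it.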
-- 
1.5.5.rc3


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [PATCH 09/10] Move libipt_recent to libxt_recent
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
                     ` (5 preceding siblings ...)
  2008-04-15 10:33   ` [PATCH 07/10] Dynamically create xtables.h.in with version Jan Engelhardt
@ 2008-04-15 10:33   ` Jan Engelhardt
  2008-04-15 10:33   ` [PATCH 10/10] libxt_recent: add missing --rsource,--rdest options to manpage Jan Engelhardt
  2008-04-15 11:38   ` [PATCH 01/10] Resolve warnings on 64-bit compile Patrick McHardy
  8 siblings, 0 replies; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

---
 extensions/libipt_recent.c                |  228 --------------------
 extensions/libipt_recent.man              |   93 ---------
 extensions/libxt_recent.c                 |  229 +++++++++++++++++++++
 extensions/libxt_recent.man               |   93 +++++++++
 include/linux/netfilter/xt_recent.h       |   26 +++
 include/linux/netfilter_ipv4/ipt_recent.h |   27 ---
 6 files changed, 348 insertions(+), 348 deletions(-)
 delete mode 100644 extensions/libipt_recent.c
 delete mode 100644 extensions/libipt_recent.man
 create mode 100644 extensions/libxt_recent.c
 create mode 100644 extensions/libxt_recent.man
 create mode 100644 include/linux/netfilter/xt_recent.h
 delete mode 100644 include/linux/netfilter_ipv4/ipt_recent.h

diff --git a/extensions/libipt_recent.c b/extensions/libipt_recent.c
deleted file mode 100644
index 51b0d15..0000000
--- a/extensions/libipt_recent.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/* Shared library add-on to iptables to add recent matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_recent.h>
-
-/* Need these in order to not fail when compiling against an older kernel. */
-#ifndef RECENT_NAME
-#define RECENT_NAME	"ipt_recent"
-#endif /* RECENT_NAME */
-
-#ifndef RECENT_VER
-#define RECENT_VER	"unknown"
-#endif /* RECENT_VER */
-
-#ifndef IPT_RECENT_NAME_LEN
-#define IPT_RECENT_NAME_LEN	200
-#endif /* IPT_RECENT_NAME_LEN */
-
-/* Options for this module */
-static const struct option recent_opts[] = {
-	{ .name = "set",      .has_arg = 0, .val = 201 }, 
-	{ .name = "rcheck",   .has_arg = 0, .val = 202 }, 
-	{ .name = "update",   .has_arg = 0, .val = 203 },
-	{ .name = "seconds",  .has_arg = 1, .val = 204 }, 
-	{ .name = "hitcount", .has_arg = 1, .val = 205 },
-	{ .name = "remove",   .has_arg = 0, .val = 206 },
-	{ .name = "rttl",     .has_arg = 0, .val = 207 },
-	{ .name = "name",     .has_arg = 1, .val = 208 },
-	{ .name = "rsource",  .has_arg = 0, .val = 209 },
-	{ .name = "rdest",    .has_arg = 0, .val = 210 },
-	{ .name = NULL }
-};
-
-/* Function which prints out usage message. */
-static void recent_help(void)
-{
-	printf(
-"recent match options:\n"
-"[!] --set                       Add source address to list, always matches.\n"
-"[!] --rcheck                    Match if source address in list.\n"
-"[!] --update                    Match if source address in list, also update last-seen time.\n"
-"[!] --remove                    Match if source address in list, also removes that address from list.\n"
-"    --seconds seconds           For check and update commands above.\n"
-"                                Specifies that the match will only occur if source address last seen within\n"
-"                                the last 'seconds' seconds.\n"
-"    --hitcount hits             For check and update commands above.\n"
-"                                Specifies that the match will only occur if source address seen hits times.\n"
-"                                May be used in conjunction with the seconds option.\n"
-"    --rttl                      For check and update commands above.\n"
-"                                Specifies that the match will only occur if the source address and the TTL\n"
-"                                match between this packet and the one which was set.\n"
-"                                Useful if you have problems with people spoofing their source address in order\n"
-"                                to DoS you via this module.\n"
-"    --name name                 Name of the recent list to be used.  DEFAULT used if none given.\n"
-"    --rsource                   Match/Save the source address of each packet in the recent list table (default).\n"
-"    --rdest                     Match/Save the destination address of each packet in the recent list table.\n"
-RECENT_NAME " " RECENT_VER ": Stephen Frost <sfrost@snowman.net>.  http://snowman.net/projects/ipt_recent/\n");
-}
-  
-/* Initialize the match. */
-static void recent_init(struct xt_entry_match *match)
-{
-	struct ipt_recent_info *info = (struct ipt_recent_info *)(match)->data;
-
-
-	strncpy(info->name,"DEFAULT",IPT_RECENT_NAME_LEN);
-	/* eventhough IPT_RECENT_NAME_LEN is currently defined as 200,
-	 * better be safe, than sorry */
-	info->name[IPT_RECENT_NAME_LEN-1] = '\0';
-	info->side = IPT_RECENT_SOURCE;
-}
-
-/* Function which parses command options; returns true if it
-   ate an option */
-static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
-                        const void *entry, struct xt_entry_match **match)
-{
-	struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
-	switch (c) {
-		case 201:
-			if (*flags) exit_error(PARAMETER_PROBLEM,
-					"recent: only one of `--set', `--rcheck' "
-					"`--update' or `--remove' may be set");
-			check_inverse(optarg, &invert, &optind, 0);
-			info->check_set |= IPT_RECENT_SET;
-			if (invert) info->invert = 1;
-			*flags = 1;
-			break;
-			
-		case 202:
-			if (*flags) exit_error(PARAMETER_PROBLEM,
-					"recent: only one of `--set', `--rcheck' "
-					"`--update' or `--remove' may be set");
-			check_inverse(optarg, &invert, &optind, 0);
-			info->check_set |= IPT_RECENT_CHECK;
-			if(invert) info->invert = 1;
-			*flags = 1;
-			break;
-
-		case 203:
-			if (*flags) exit_error(PARAMETER_PROBLEM,
-					"recent: only one of `--set', `--rcheck' "
-					"`--update' or `--remove' may be set");
-			check_inverse(optarg, &invert, &optind, 0);
-			info->check_set |= IPT_RECENT_UPDATE;
-			if (invert) info->invert = 1;
-			*flags = 1;
-			break;
-
-		case 206:
-			if (*flags) exit_error(PARAMETER_PROBLEM,
-					"recent: only one of `--set', `--rcheck' "
-					"`--update' or `--remove' may be set");
-			check_inverse(optarg, &invert, &optind, 0);
-			info->check_set |= IPT_RECENT_REMOVE;
-			if (invert) info->invert = 1;
-			*flags = 1;
-			break;
-
-		case 204:
-			info->seconds = atoi(optarg);
-			break;
-
-		case 205:
-			info->hit_count = atoi(optarg);
-			break;
-
-		case 207:
-			info->check_set |= IPT_RECENT_TTL;
-			break;
-
-		case 208:
-			strncpy(info->name,optarg,IPT_RECENT_NAME_LEN);
-			info->name[IPT_RECENT_NAME_LEN-1] = '\0';
-			break;
-
-		case 209:
-			info->side = IPT_RECENT_SOURCE;
-			break;
-
-		case 210:
-			info->side = IPT_RECENT_DEST;
-			break;
-
-		default:
-			return 0;
-	}
-
-	return 1;
-}
-
-/* Final check; must have specified a specific option. */
-static void recent_check(unsigned int flags)
-{
-
-	if (!flags)
-		exit_error(PARAMETER_PROBLEM,
-			"recent: you must specify one of `--set', `--rcheck' "
-			"`--update' or `--remove'");
-}
-
-/* Prints out the matchinfo. */
-static void recent_print(const void *ip, const struct xt_entry_match *match,
-                         int numeric)
-{
-	struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
-
-	if (info->invert)
-		fputc('!', stdout);
-
-	printf("recent: ");
-	if(info->check_set & IPT_RECENT_SET) printf("SET ");
-	if(info->check_set & IPT_RECENT_CHECK) printf("CHECK ");
-	if(info->check_set & IPT_RECENT_UPDATE) printf("UPDATE ");
-	if(info->check_set & IPT_RECENT_REMOVE) printf("REMOVE ");
-	if(info->seconds) printf("seconds: %d ",info->seconds);
-	if(info->hit_count) printf("hit_count: %d ",info->hit_count);
-	if(info->check_set & IPT_RECENT_TTL) printf("TTL-Match ");
-	if(info->name) printf("name: %s ",info->name);
-	if(info->side == IPT_RECENT_SOURCE) printf("side: source ");
-	if(info->side == IPT_RECENT_DEST) printf("side: dest");
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void recent_save(const void *ip, const struct xt_entry_match *match)
-{
-	struct ipt_recent_info *info = (struct ipt_recent_info *)match->data;
-
-	if (info->invert)
-		printf("! ");
-
-	if(info->check_set & IPT_RECENT_SET) printf("--set ");
-	if(info->check_set & IPT_RECENT_CHECK) printf("--rcheck ");
-	if(info->check_set & IPT_RECENT_UPDATE) printf("--update ");
-	if(info->check_set & IPT_RECENT_REMOVE) printf("--remove ");
-	if(info->seconds) printf("--seconds %d ",info->seconds);
-	if(info->hit_count) printf("--hitcount %d ",info->hit_count);
-	if(info->check_set & IPT_RECENT_TTL) printf("--rttl ");
-	if(info->name) printf("--name %s ",info->name);
-	if(info->side == IPT_RECENT_SOURCE) printf("--rsource ");
-	if(info->side == IPT_RECENT_DEST) printf("--rdest ");
-}
-
-/* Structure for iptables to use to communicate with module */
-static struct xtables_match recent_mt_reg = {
-    .name          = "recent",
-    .version       = XTABLES_VERSION,
-    .family        = PF_INET,
-    .size          = XT_ALIGN(sizeof(struct ipt_recent_info)),
-    .userspacesize = XT_ALIGN(sizeof(struct ipt_recent_info)),
-    .help          = recent_help,
-    .init          = recent_init,
-    .parse         = recent_parse,
-    .final_check   = recent_check,
-    .print         = recent_print,
-    .save          = recent_save,
-    .extra_opts    = recent_opts,
-};
-
-void _init(void)
-{
-	xtables_register_match(&recent_mt_reg);
-}
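Review bot: this deleted file and the new `extensions/libxt_recent.c` added further down differ only in the `ipt_`/`IPT_` to `xt_`/`XT_` identifier swap and a few re-wrapped `if` lines, yet the patch presents them as a 229-line delete plus a 229-line add; generating it with rename detection (`git format-patch -M`) would show a rename with a small diff, which makes it far easier to verify the cover letter's "just the rename, no features" claim line by line.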
diff --git a/extensions/libipt_recent.man b/extensions/libipt_recent.man
deleted file mode 100644
index bf5d710..0000000
--- a/extensions/libipt_recent.man
+++ /dev/null
@@ -1,93 +0,0 @@
-Allows you to dynamically create a list of IP addresses and then match
-against that list in a few different ways.
-
-For example, you can create a `badguy' list out of people attempting
-to connect to port 139 on your firewall and then DROP all future
-packets from them without considering them.
-.TP
-.BI "--name " "name"
-Specify the list to use for the commands. If no name is given then 'DEFAULT'
-will be used.
-.TP
-[\fB!\fR] \fB--set\fR
-This will add the source address of the packet to the list. If the
-source address is already in the list, this will update the existing
-entry. This will always return success (or failure if `!' is passed
-in).
-.TP
-[\fB!\fR] \fB--rcheck\fR
-Check if the source address of the packet is currently in
-the list.
-.TP
-[\fB!\fR] \fB--update\fR
-Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
-matches.
-.TP
-[\fB!\fR] \fB--remove\fR
-Check if the source address of the packet is currently in the list and
-if so that address will be removed from the list and the rule will
-return true. If the address is not found, false is returned.
-.TP
-[\fB!\fR] \fB--seconds \fIseconds\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and was seen within the last given
-number of seconds.
-.TP
-[\fB!\fR] \fB--hitcount \fIhits\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and packets had been received greater
-than or equal to the given value. This option may be used along with
-\fB--seconds\fR to create an even narrower match requiring a certain
-number of hits within a specific time frame.
-.TP
-\fB--rttl\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
-\fB--update\fR. When used, this will narrow the match to only happen
-when the address is in the list and the TTL of the current packet
-matches that of the packet which hit the \fB--set\fR rule. This may be
-useful if you have problems with people faking their source address in
-order to DoS you via this module by disallowing others access to your
-site by sending bogus packets to you.
-.P
-Examples:
-.IP
-# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
-
-# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
-.P
-Official website (http://snowman.net/projects/ipt_recent/) also has
-some examples of usage.
-
-/proc/net/ipt_recent/* are the current lists of addresses and information 
-about each entry of each list.
-
-Each file in /proc/net/ipt_recent/ can be read from to see the current list
-or written two using the following commands to modify the list:
-.TP
-echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Add to the DEFAULT list
-.TP
-echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
-to Remove from the DEFAULT list
-.TP
-echo clear > /proc/net/ipt_recent/DEFAULT
-to empty the DEFAULT list.
-.P
-The module itself accepts parameters, defaults shown:
-.TP
-.BI "ip_list_tot=" "100"
-Number of addresses remembered per table
-.TP
-.BI "ip_pkt_list_tot=" "20"
-Number of packets per address remembered
-.TP
-.BI "ip_list_hash_size=" "0"
-Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
-.TP
-.BI "ip_list_perms=" "0644"
-Permissions for /proc/net/ipt_recent/* files
-.TP
-.BI "debug=" "0"
-Set to 1 to get lots of debugging info
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
new file mode 100644
index 0000000..1c6b8a3
--- /dev/null
+++ b/extensions/libxt_recent.c
@@ -0,0 +1,229 @@
+/* Shared library add-on to iptables to add recent matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_recent.h>
+
+/* Options for this module */
+static const struct option recent_opts[] = {
+	{ .name = "set",      .has_arg = 0, .val = 201 },
+	{ .name = "rcheck",   .has_arg = 0, .val = 202 },
+	{ .name = "update",   .has_arg = 0, .val = 203 },
+	{ .name = "seconds",  .has_arg = 1, .val = 204 },
+	{ .name = "hitcount", .has_arg = 1, .val = 205 },
+	{ .name = "remove",   .has_arg = 0, .val = 206 },
+	{ .name = "rttl",     .has_arg = 0, .val = 207 },
+	{ .name = "name",     .has_arg = 1, .val = 208 },
+	{ .name = "rsource",  .has_arg = 0, .val = 209 },
+	{ .name = "rdest",    .has_arg = 0, .val = 210 },
+	{ .name = NULL }
+};
+
+/* Function which prints out usage message. */
+static void recent_help(void)
+{
+	printf(
+"recent match options:\n"
+"[!] --set                       Add source address to list, always matches.\n"
+"[!] --rcheck                    Match if source address in list.\n"
+"[!] --update                    Match if source address in list, also update last-seen time.\n"
+"[!] --remove                    Match if source address in list, also removes that address from list.\n"
+"    --seconds seconds           For check and update commands above.\n"
+"                                Specifies that the match will only occur if source address last seen within\n"
+"                                the last 'seconds' seconds.\n"
+"    --hitcount hits             For check and update commands above.\n"
+"                                Specifies that the match will only occur if source address seen hits times.\n"
+"                                May be used in conjunction with the seconds option.\n"
+"    --rttl                      For check and update commands above.\n"
+"                                Specifies that the match will only occur if the source address and the TTL\n"
+"                                match between this packet and the one which was set.\n"
+"                                Useful if you have problems with people spoofing their source address in order\n"
+"                                to DoS you via this module.\n"
+"    --name name                 Name of the recent list to be used.  DEFAULT used if none given.\n"
+"    --rsource                   Match/Save the source address of each packet in the recent list table (default).\n"
+"    --rdest                     Match/Save the destination address of each packet in the recent list table.\n"
+"xt_recent by: Stephen Frost <sfrost@snowman.net>.  http://snowman.net/projects/ipt_recent/\n");
+}
+
+/* Initialize the match. */
+static void recent_init(struct xt_entry_match *match)
+{
+	struct xt_recent_mtinfo *info = (void *)(match)->data;
+
+	strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN);
+	/* even though XT_RECENT_NAME_LEN is currently defined as 200,
+	 * better be safe, than sorry */
+	info->name[XT_RECENT_NAME_LEN-1] = '\0';
+	info->side = XT_RECENT_SOURCE;
+}
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+                        const void *entry, struct xt_entry_match **match)
+{
+	struct xt_recent_mtinfo *info = (void *)(*match)->data;
+
+	switch (c) {
+		case 201:
+			if (*flags) exit_error(PARAMETER_PROBLEM,
+					"recent: only one of `--set', `--rcheck' "
+					"`--update' or `--remove' may be set");
+			check_inverse(optarg, &invert, &optind, 0);
+			info->check_set |= XT_RECENT_SET;
+			if (invert) info->invert = 1;
+			*flags = 1;
+			break;
+
+		case 202:
+			if (*flags) exit_error(PARAMETER_PROBLEM,
+					"recent: only one of `--set', `--rcheck' "
+					"`--update' or `--remove' may be set");
+			check_inverse(optarg, &invert, &optind, 0);
+			info->check_set |= XT_RECENT_CHECK;
+			if(invert) info->invert = 1;
+			*flags = 1;
+			break;
+
+		case 203:
+			if (*flags) exit_error(PARAMETER_PROBLEM,
+					"recent: only one of `--set', `--rcheck' "
+					"`--update' or `--remove' may be set");
+			check_inverse(optarg, &invert, &optind, 0);
+			info->check_set |= XT_RECENT_UPDATE;
+			if (invert) info->invert = 1;
+			*flags = 1;
+			break;
+
+		case 206:
+			if (*flags) exit_error(PARAMETER_PROBLEM,
+					"recent: only one of `--set', `--rcheck' "
+					"`--update' or `--remove' may be set");
+			check_inverse(optarg, &invert, &optind, 0);
+			info->check_set |= XT_RECENT_REMOVE;
+			if (invert) info->invert = 1;
+			*flags = 1;
+			break;
+
+		case 204:
+			info->seconds = atoi(optarg);
+			break;
+
+		case 205:
+			info->hit_count = atoi(optarg);
+			break;
+
+		case 207:
+			info->check_set |= XT_RECENT_TTL;
+			break;
+
+		case 208:
+			strncpy(info->name,optarg, XT_RECENT_NAME_LEN);
+			info->name[XT_RECENT_NAME_LEN-1] = '\0';
+			break;
+
+		case 209:
+			info->side = XT_RECENT_SOURCE;
+			break;
+
+		case 210:
+			info->side = XT_RECENT_DEST;
+			break;
+
+		default:
+			return 0;
+	}
+
+	return 1;
+}
+
+/* Final check; must have specified a specific option. */
+static void recent_check(unsigned int flags)
+{
+
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM,
+			"recent: you must specify one of `--set', `--rcheck' "
+			"`--update' or `--remove'");
+}
+
+/* Prints out the matchinfo. */
+static void recent_print(const void *ip, const struct xt_entry_match *match,
+                         int numeric)
+{
+	const struct xt_recent_mtinfo *info = (const void *)match->data;
+
+	if (info->invert)
+		fputc('!', stdout);
+
+	printf("recent: ");
+	if (info->check_set & XT_RECENT_SET)
+		printf("SET ");
+	if (info->check_set & XT_RECENT_CHECK)
+		printf("CHECK ");
+	if (info->check_set & XT_RECENT_UPDATE)
+		printf("UPDATE ");
+	if (info->check_set & XT_RECENT_REMOVE)
+		printf("REMOVE ");
+	if(info->seconds) printf("seconds: %d ",info->seconds);
+	if(info->hit_count) printf("hit_count: %d ",info->hit_count);
+	if (info->check_set & XT_RECENT_TTL)
+		printf("TTL-Match ");
+	if(info->name) printf("name: %s ",info->name);
+	if (info->side == XT_RECENT_SOURCE)
+		printf("side: source ");
+	if (info->side == XT_RECENT_DEST)
+		printf("side: dest");
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void recent_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_recent_mtinfo *info = (const void *)match->data;
+
+	if (info->invert)
+		printf("! ");
+
+	if (info->check_set & XT_RECENT_SET)
+		printf("--set ");
+	if (info->check_set & XT_RECENT_CHECK)
+		printf("--rcheck ");
+	if (info->check_set & XT_RECENT_UPDATE)
+		printf("--update ");
+	if (info->check_set & XT_RECENT_REMOVE)
+		printf("--remove ");
+	if(info->seconds) printf("--seconds %d ",info->seconds);
+	if(info->hit_count) printf("--hitcount %d ",info->hit_count);
+	if (info->check_set & XT_RECENT_TTL)
+		printf("--rttl ");
+	if(info->name) printf("--name %s ",info->name);
+	if (info->side == XT_RECENT_SOURCE)
+		printf("--rsource ");
+	if (info->side == XT_RECENT_DEST)
+		printf("--rdest ");
+}
+
+/* Structure for iptables to use to communicate with module */
+static struct xtables_match recent_mt_reg = {
+    .name          = "recent",
+    .version       = XTABLES_VERSION,
+    .family        = PF_INET,
+    .size          = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+    .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+    .help          = recent_help,
+    .init          = recent_init,
+    .parse         = recent_parse,
+    .final_check   = recent_check,
+    .print         = recent_print,
+    .save          = recent_save,
+    .extra_opts    = recent_opts,
+};
+
+void _init(void)
+{
+	xtables_register_match(&recent_mt_reg);
+}
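Review bot: `--seconds` (case 204) and `--hitcount` (case 205) store `atoi(optarg)` straight into the `u_int32_t` fields with no validation, so a mistyped value such as `--seconds 6O` silently becomes 0 (and is then not even emitted by `recent_save`, so the saved rule differs from what was typed) and a negative value wraps to a huge unsigned count; use the shared numeric parser the other extensions use (e.g. `string_to_number()`) and reject input that does not parse. Three smaller points in the same file: `if(info->name)` in `recent_print` and `recent_save` tests the address of a char array and is always true, so drop the condition or test `info->name[0]`; the man page added in this series advertises `[!] --seconds` and `[!] --hitcount`, but only cases 201, 202, 203 and 206 call `check_inverse()`, so inversion of those two options is not handled here and either the code or the man page needs to change; and the documented rule that `--seconds`, `--hitcount` and `--rttl` are only valid together with `--rcheck` or `--update` is not enforced, since `recent_check()` only verifies that one of the four commands was given.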
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
new file mode 100644
index 0000000..25be677
--- /dev/null
+++ b/extensions/libxt_recent.man
@@ -0,0 +1,93 @@
+Allows you to dynamically create a list of IP addresses and then match
+against that list in a few different ways.
+
+For example, you can create a `badguy' list out of people attempting
+to connect to port 139 on your firewall and then DROP all future
+packets from them without considering them.
+.TP
+.BI "--name " "name"
+Specify the list to use for the commands. If no name is given then 'DEFAULT'
+will be used.
+.TP
+[\fB!\fR] \fB--set\fR
+This will add the source address of the packet to the list. If the
+source address is already in the list, this will update the existing
+entry. This will always return success (or failure if `!' is passed
+in).
+.TP
+[\fB!\fR] \fB--rcheck\fR
+Check if the source address of the packet is currently in
+the list.
+.TP
+[\fB!\fR] \fB--update\fR
+Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it
+matches.
+.TP
+[\fB!\fR] \fB--remove\fR
+Check if the source address of the packet is currently in the list and
+if so that address will be removed from the list and the rule will
+return true. If the address is not found, false is returned.
+.TP
+[\fB!\fR] \fB--seconds \fIseconds\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and was seen within the last given
+number of seconds.
+.TP
+[\fB!\fR] \fB--hitcount \fIhits\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and packets had been received greater
+than or equal to the given value. This option may be used along with
+\fB--seconds\fR to create an even narrower match requiring a certain
+number of hits within a specific time frame.
+.TP
+\fB--rttl\fR
+This option must be used in conjunction with one of \fB--rcheck\fR or
+\fB--update\fR. When used, this will narrow the match to only happen
+when the address is in the list and the TTL of the current packet
+matches that of the packet which hit the \fB--set\fR rule. This may be
+useful if you have problems with people faking their source address in
+order to DoS you via this module by disallowing others access to your
+site by sending bogus packets to you.
+.P
+Examples:
+.IP
+# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
+
+# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
+.P
+Official website (http://snowman.net/projects/ipt_recent/) also has
+some examples of usage.
+
+/proc/net/ipt_recent/* are the current lists of addresses and information
+about each entry of each list.
+
+Each file in /proc/net/ipt_recent/ can be read from to see the current list
+or written two using the following commands to modify the list:
+.TP
+echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
+to Add to the DEFAULT list
+.TP
+echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
+to Remove from the DEFAULT list
+.TP
+echo clear > /proc/net/ipt_recent/DEFAULT
+to empty the DEFAULT list.
+.P
+The module itself accepts parameters, defaults shown:
+.TP
+.BI "ip_list_tot=" "100"
+Number of addresses remembered per table
+.TP
+.BI "ip_pkt_list_tot=" "20"
+Number of packets per address remembered
+.TP
+.BI "ip_list_hash_size=" "0"
+Hash table size. 0 means to calculate it based on ip_list_tot, default: 512
+.TP
+.BI "ip_list_perms=" "0644"
+Permissions for /proc/net/ipt_recent/* files
+.TP
+.BI "debug=" "0"
+Set to 1 to get lots of debugging info
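Review bot: the file is renamed to `libxt_recent.man` and the help text in `libxt_recent.c` now says `xt_recent`, but this page still documents `/proc/net/ipt_recent/*`, the `ipt_recent` project website and the `ip_list_*` module parameters; please confirm these still apply to the kernel module the renamed extension targets, or state which kernel version they describe. While here: "written two" in the `Each file in /proc/net/ipt_recent/ can be read from ... or written two` line should be "written to"; `[!] --seconds` and `[!] --hitcount` advertise inversion that `recent_parse` does not implement; and `--rsource`/`--rdest`, which `recent_opts` accepts, are missing from this page until patch 10/10 of this series adds them, so squashing that fix into the rename would keep the man page consistent at every commit.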
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
new file mode 100644
index 0000000..5cfeb81
--- /dev/null
+++ b/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+enum {
+	XT_RECENT_CHECK    = 1 << 0,
+	XT_RECENT_SET      = 1 << 1,
+	XT_RECENT_UPDATE   = 1 << 2,
+	XT_RECENT_REMOVE   = 1 << 3,
+	XT_RECENT_TTL      = 1 << 4,
+
+	XT_RECENT_SOURCE   = 0,
+	XT_RECENT_DEST     = 1,
+
+	XT_RECENT_NAME_LEN = 200,
+};
+
+struct xt_recent_mtinfo {
+	u_int32_t seconds;
+	u_int32_t hit_count;
+	u_int8_t check_set;
+	u_int8_t invert;
+	char name[XT_RECENT_NAME_LEN];
+	u_int8_t side;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
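Review bot: `struct xt_recent_mtinfo` is field-for-field identical to the removed `struct ipt_recent_info`, and the `XT_RECENT_*` flag values equal the old `IPT_RECENT_*` ones, so `.size`/`.userspacesize` and the kernel's view of the match data are unchanged and the rename stays binary-compatible; a one-line comment that this header mirrors the kernel's copy and must be kept in sync would help, since the registered sizes are derived from it. Style point: a single anonymous enum now mixes the bit flags (`XT_RECENT_CHECK` .. `XT_RECENT_TTL`), the two `side` values and the `XT_RECENT_NAME_LEN` size as if they were one value space; separate enums (or `#define`s, as the old header had) make it obvious that `XT_RECENT_SOURCE`/`XT_RECENT_DEST` are not flags to be ORed into `check_set`.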
diff --git a/include/linux/netfilter_ipv4/ipt_recent.h b/include/linux/netfilter_ipv4/ipt_recent.h
deleted file mode 100644
index 6508a45..0000000
--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef _IPT_RECENT_H
-#define _IPT_RECENT_H
-
-#define RECENT_NAME	"ipt_recent"
-#define RECENT_VER	"v0.3.1"
-
-#define IPT_RECENT_CHECK  1
-#define IPT_RECENT_SET    2
-#define IPT_RECENT_UPDATE 4
-#define IPT_RECENT_REMOVE 8
-#define IPT_RECENT_TTL   16
-
-#define IPT_RECENT_SOURCE 0
-#define IPT_RECENT_DEST   1
-
-#define IPT_RECENT_NAME_LEN 200
-
-struct ipt_recent_info {
-	u_int32_t   seconds;
-	u_int32_t   hit_count;
-	u_int8_t    check_set;
-	u_int8_t    invert;
-	char        name[IPT_RECENT_NAME_LEN];
-	u_int8_t    side;
-};
-
-#endif /*_IPT_RECENT_H*/
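Review bot: deleting this header drops `RECENT_NAME`, `RECENT_VER` and the `IPT_RECENT_*` macros with no compatibility aliases; that is fine within the tree (the only user, `libipt_recent.c`, goes away in the same patch) and invisible to installed-API users, since `include_HEADERS` in `Makefile.am` only installs `xtables.h`, `iptables.h` and `ip6tables.h`, but a sentence in the commit message saying the old header is gone would spare out-of-tree extension authors a surprise.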
-- 
1.5.5.rc3


* [PATCH 10/10] libxt_recent: add missing --rsource,--rdest options to manpage
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
                     ` (6 preceding siblings ...)
  2008-04-15 10:33   ` [PATCH 09/10] Move libipt_recent to libxt_recent Jan Engelhardt
@ 2008-04-15 10:33   ` Jan Engelhardt
  2008-04-15 11:38   ` [PATCH 01/10] Resolve warnings on 64-bit compile Patrick McHardy
  8 siblings, 0 replies; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 10:33 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

---
 extensions/libxt_recent.man |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 25be677..f752577 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -15,6 +15,13 @@ source address is already in the list, this will update the existing
 entry. This will always return success (or failure if `!' is passed
 in).
 .TP
+\fB--rsource\fP
+Match/save the source address of each packet in the recent list table. This
+is the default.
+.TP
+\fB--rdest\fP
+Match/save the destination address of each packet in the recent list table.
+.TP
 [\fB!\fR] \fB--rcheck\fR
 Check if the source address of the packet is currently in
 the list.
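Review bot: the new `--rsource`/`--rdest` entries sit between `--set` and `--rcheck`, but every surrounding option description still speaks of "the source address of the packet" (`--set` just above, `--rcheck` and `--remove` below), which now contradicts `--rdest`; either reword those to "the address selected by --rsource/--rdest" or add a sentence under `--rdest` that it changes which address all other options act on. The patch also has no commit message body, which the maintainer asked for on 04/10 in this thread; one line noting that the extension already parsed these options and only the documentation was missing would do. Using `\fP` here where the rest of the page uses `\fR` is harmless but inconsistent.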
-- 
1.5.5.rc3


* [PATCH 11] configure.ac: remove already-defined variables
  2008-04-15 10:33 iptables updates Jan Engelhardt
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
@ 2008-04-15 11:19 ` Jan Engelhardt
  2008-04-15 11:48   ` Patrick McHardy
       [not found] ` <7c7d0eb43b7b4ca3711ae0dbe17ae7ef66fb02f8.1208255176.git.jengelh@computergmbh.de>
  2 siblings, 1 reply; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 11:19 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel


commit e1fea6c3f73ce6f376240bd308dea45c88cfb2e1
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date:   Tue Apr 15 13:17:47 2008 +0200

    configure.ac: remove already-defined variables
    
    This also fixes the inadvertent expansion of ${xtlibdir}.
---
 Makefile.am |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index bb7dc4f..dc45b66 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,8 +2,6 @@
 
 AUTOMAKE_OPTIONS = foreign subdir-objects
 
-regular_CFLAGS  := @regular_CFLAGS@
-kinclude_CFLAGS := @kinclude_CFLAGS@
 AM_CFLAGS        = ${regular_CFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CFLAGS}
 SUBDIRS         := extensions
 if ENABLE_LIBIPQ
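Review bot: the subject says `configure.ac` but the only file touched is `Makefile.am`; please fix the title so `git log` is not misleading. Dropping `regular_CFLAGS := @regular_CFLAGS@` and `kinclude_CFLAGS := @kinclude_CFLAGS@` is only safe because the `AC_SUBST` calls (made separate in 06/10 of this series) already export both as Makefile variables, which the commit message should say explicitly so nobody re-adds them.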
@@ -75,7 +73,7 @@ man_MANS         := iptables.8 iptables-restore.8 iptables-save.8 \
 CLEANFILES       := iptables.8 ip6tables.8
 if ENABLE_DEVEL
 include_HEADERS  := include/xtables.h include/iptables.h include/ip6tables.h
-iptcdir          := ${includedir}/libiptc
+iptcdir           = ${includedir}/libiptc
 iptc_HEADERS     := include/libiptc/libxtc.h \
                     include/libiptc/ipt_kernel_headers.h
 endif
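Review bot: the commit message says this fixes the inadvertent expansion of `${xtlibdir}`, but the hunk changes `iptcdir`, not `xtlibdir`; either the message or the hunk is off, and the message should name the variable actually affected and say what the premature expansion broke. Switching `:=` to `=` does turn the immediate GNU make assignment into a deferred one, but `include_HEADERS :=` and `iptc_HEADERS :=` in the same block (and `SUBDIRS :=`, `CLEANFILES :=` above) remain GNU-make-only immediate assignments in an automake input; if the goal is automake-clean `Makefile.am`, convert them in the same pass rather than one at a time.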

* Re: [PATCH 01/10] Resolve warnings on 64-bit compile
  2008-04-15 10:33 ` [PATCH 01/10] Resolve warnings on 64-bit compile Jan Engelhardt
                     ` (7 preceding siblings ...)
  2008-04-15 10:33   ` [PATCH 10/10] libxt_recent: add missing --rsource,--rdest options to manpage Jan Engelhardt
@ 2008-04-15 11:38   ` Patrick McHardy
  8 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:38 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> ---
>  xtables.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)

Applied.

* Re: [PATCH 02/10] Wrap dlopen code into NO_SHARED_LIBS
  2008-04-15 10:33   ` [PATCH 02/10] Wrap dlopen code into NO_SHARED_LIBS Jan Engelhardt
@ 2008-04-15 11:38     ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:38 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> ---
>  xtables.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

Applied.

* Re: [PATCH 03/10] Remove support for compilation of conditional extensions
  2008-04-15 10:33   ` [PATCH 03/10] Remove support for compilation of conditional extensions Jan Engelhardt
@ 2008-04-15 11:41     ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:41 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> ---
>  extensions/.condition-test             |    4 -
>  extensions/.condition-test6            |    4 -
>  extensions/.set-test                   |    4 -
>  extensions/GNUmakefile.in              |   27 +--
>  extensions/libip6t_condition.c         |   95 -----
>  extensions/libip6t_condition.man       |    4 -
>  extensions/libipt_condition.c          |   94 -----
>  extensions/libipt_condition.man        |    4 -
>  include/linux/netfilter_ipv4/ip_set.h  |  498 ++++++++++++++++++++++++
>  include/linux/netfilter_ipv4/ipt_set.h |   21 +
>  10 files changed, 522 insertions(+), 233 deletions(-)
>  delete mode 100755 extensions/.condition-test
>  delete mode 100755 extensions/.condition-test6
>  delete mode 100755 extensions/.set-test
>  delete mode 100644 extensions/libip6t_condition.c
>  delete mode 100644 extensions/libip6t_condition.man
>  delete mode 100644 extensions/libipt_condition.c
>  delete mode 100644 extensions/libipt_condition.man
>  create mode 100644 include/linux/netfilter_ipv4/ip_set.h
>  create mode 100644 include/linux/netfilter_ipv4/ipt_set.h

Applied.

* Re: [PATCH 04/10] Resolve libipt_set warnings
  2008-04-15 10:33   ` [PATCH 04/10] Resolve libipt_set warnings Jan Engelhardt
@ 2008-04-15 11:42     ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:42 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> ---
>  extensions/libipt_set.h |   18 +++++++++---------
>  1 files changed, 9 insertions(+), 9 deletions(-)

Applied. Please include the warnings a patch fixes in the
commit message.

* Re: [PATCH 05/10] Update documentation about building the package
  2008-04-15 10:33   ` [PATCH 05/10] Update documentation about building the package Jan Engelhardt
@ 2008-04-15 11:43     ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:43 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> ---
>  INSTALL      |   96 ++++++++++++++++++++++++++++++++------------------
>  configure.ac |    4 +-
>  2 files changed, 64 insertions(+), 36 deletions(-)

Applied.

* Re: [PATCH 06/10] configure.ac: AC_SUBST must be separate
  2008-04-15 10:33   ` [PATCH 06/10] configure.ac: AC_SUBST must be separate Jan Engelhardt
@ 2008-04-15 11:43     ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:43 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> ---
>  configure.ac |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)

Applied.

* Re: [PATCH 07/10] Dynamically create xtables.h.in with version
  2008-04-15 10:33   ` [PATCH 07/10] Dynamically create xtables.h.in with version Jan Engelhardt
@ 2008-04-15 11:44     ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:44 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> ---
>  configure.ac         |    2 +-
>  include/xtables.h    |  216 -----------------------------------------
>  include/xtables.h.in |  218 ++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 219 insertions(+), 217 deletions(-)
>  delete mode 100644 include/xtables.h
>  create mode 100644 include/xtables.h.in
>

Applied.

* Re: [PATCH 08/10] Remove old functions, constants
       [not found] ` <7c7d0eb43b7b4ca3711ae0dbe17ae7ef66fb02f8.1208255176.git.jengelh@computergmbh.de>
@ 2008-04-15 11:47   ` Patrick McHardy
  2008-04-15 11:49     ` Jan Engelhardt
  0 siblings, 1 reply; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:47 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
>  	printf(
> -"LOG v%s options:\n"
> +"LOG target options:\n"
>  " --log-level level		Level of logging (numeric or see syslog.conf)\n"
> -" --log-prefix prefix		Prefix log messages with this prefix.\n\n"
> -" --log-tcp-sequence		Log TCP sequence numbers.\n\n"
> -" --log-tcp-options		Log TCP options.\n\n"
> -" --log-ip-options		Log IP options.\n\n"
> -" --log-uid			Log UID owning the local socket.\n\n",
> -IPTABLES_VERSION);
> +" --log-prefix prefix		Prefix log messages with this prefix.\n"
> +" --log-tcp-sequence		Log TCP sequence numbers.\n"
> +" --log-tcp-options		Log TCP options.\n"
> +" --log-ip-options		Log IP options.\n"
> +" --log-uid			Log UID owning the local socket.\n");
>  }


This doesn't match the patch description. Why are you
changing help texts?

* Re: [PATCH 11] configure.ac: remove already-defined variables
  2008-04-15 11:19 ` [PATCH 11] configure.ac: remove already-defined variables Jan Engelhardt
@ 2008-04-15 11:48   ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:48 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> commit e1fea6c3f73ce6f376240bd308dea45c88cfb2e1
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date:   Tue Apr 15 13:17:47 2008 +0200
> 
>     configure.ac: remove already-defined variables
>     
>     This also fixes the inadvertent expansion of ${xtlibdir}.

Applied.

* Re: [PATCH 08/10] Remove old functions, constants
  2008-04-15 11:47   ` [PATCH 08/10] Remove old functions, constants Patrick McHardy
@ 2008-04-15 11:49     ` Jan Engelhardt
  2008-04-15 11:50       ` Patrick McHardy
  0 siblings, 1 reply; 22+ messages in thread
From: Jan Engelhardt @ 2008-04-15 11:49 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel


On Tuesday 2008-04-15 13:47, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> 	printf(
>> -"LOG v%s options:\n"
>> +"LOG target options:\n"
>> " --log-level level		Level of logging (numeric or see
>> syslog.conf)\n"
>> -" --log-prefix prefix		Prefix log messages with this
>> prefix.\n\n"
>> -" --log-tcp-sequence		Log TCP sequence numbers.\n\n"
>> -" --log-tcp-options		Log TCP options.\n\n"
>> -" --log-ip-options		Log IP options.\n\n"
>> -" --log-uid			Log UID owning the local socket.\n\n",
>> -IPTABLES_VERSION);
>> +" --log-prefix prefix		Prefix log messages with this
>> prefix.\n"
>> +" --log-tcp-sequence		Log TCP sequence numbers.\n"
>> +" --log-tcp-options		Log TCP options.\n"
>> +" --log-ip-options		Log IP options.\n"
>> +" --log-uid			Log UID owning the local socket.\n");
>>  }
>
>
> This doesn't match the patch description. Why are you
> changing help texts?
>
These are just the newlines; to follow the style of the other extensions.

* Re: [PATCH 08/10] Remove old functions, constants
  2008-04-15 11:49     ` Jan Engelhardt
@ 2008-04-15 11:50       ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2008-04-15 11:50 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> On Tuesday 2008-04-15 13:47, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> 	printf(
>>> -"LOG v%s options:\n"
>>> +"LOG target options:\n"
>>> " --log-level level		Level of logging (numeric or see
>>> syslog.conf)\n"
>>> -" --log-prefix prefix		Prefix log messages with this
>>> prefix.\n\n"
>>> -" --log-tcp-sequence		Log TCP sequence numbers.\n\n"
>>> -" --log-tcp-options		Log TCP options.\n\n"
>>> -" --log-ip-options		Log IP options.\n\n"
>>> -" --log-uid			Log UID owning the local socket.\n\n",
>>> -IPTABLES_VERSION);
>>> +" --log-prefix prefix		Prefix log messages with this
>>> prefix.\n"
>>> +" --log-tcp-sequence		Log TCP sequence numbers.\n"
>>> +" --log-tcp-options		Log TCP options.\n"
>>> +" --log-ip-options		Log IP options.\n"
>>> +" --log-uid			Log UID owning the local socket.\n");
>>>  }
>>
>> This doesn't match the patch description. Why are you
>> changing help texts?
>>
> These are just the newlines; to follow the style of the other extensions.
> 

OK, I'll apply it.
