Hello community, here is the log from the commit of package xtables-addons for openSUSE:Factory checked in at 2019-09-11 10:34:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xtables-addons (Old) and /work/SRC/openSUSE:Factory/.xtables-addons.new.7948 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xtables-addons" Wed Sep 11 10:34:49 2019 rev:63 rq:729732 version:3.5 Changes: -------- --- /work/SRC/openSUSE:Factory/xtables-addons/xtables-addons.changes 2019-08-27 10:21:35.211938765 +0200 +++ /work/SRC/openSUSE:Factory/.xtables-addons.new.7948/xtables-addons.changes 2019-09-11 10:34:51.883305436 +0200 @@ -1,0 +2,14 @@ +Tue Sep 10 09:14:53 UTC 2019 - Jan Engelhardt <[email protected]> + +- Update to release 3.5 + * Make xt_DELUDE and xt_TARPIT work under Linux >= 5.0 + when used in conjunction with bridges. + +------------------------------------------------------------------- +Fri Sep 6 08:45:29 UTC 2019 - Jan Engelhardt <[email protected]> + +- Update to release 3.4 + * Support for Linux 5.3 +- Drop remove_flags.patch + +------------------------------------------------------------------- Old: ---- remove_flags.patch xtables-addons-3.3.tar.asc xtables-addons-3.3.tar.xz New: ---- xtables-addons-3.5.tar.asc xtables-addons-3.5.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xtables-addons.spec ++++++ --- /var/tmp/diff_new_pack.OCNicH/_old 2019-09-11 10:34:52.371305295 +0200 +++ /var/tmp/diff_new_pack.OCNicH/_new 2019-09-11 10:34:52.375305293 +0200 @@ -17,12 +17,12 @@ Name: xtables-addons -Version: 3.3 +Version: 3.5 Release: 0 Summary: IP Packet Filter Administration Extensions License: GPL-2.0-only AND GPL-2.0-or-later Group: Productivity/Networking/Security -Url: http://xtables-addons.sf.net/ +URL: http://xtables-addons.sf.net/ #Git-Clone: git://xtables-addons.git.sf.net/gitroot/xtables-addons/xtables-addons #Git-Web: http://xtables-addons.git.sf.net/ @@ -30,8 +30,6 @@ Source2: http://downloads.sf.net/%name/%name-%version.tar.asc Source3: %name-preamble Source4: %name.keyring -Patch0: remove_flags.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: %kernel_module_package_buildreqs BuildRequires: kernel-syms >= 4.15 BuildRequires: pkg-config >= 0.21 
@@ -71,8 +69,7 @@ main kernel/iptables packages. %prep -%setup -q -%patch0 -p1 +%autosetup -p1 %build pushd ../ @@ -100,12 +97,11 @@ %postun -p /sbin/ldconfig %files -%defattr(-,root,root) %_mandir/man*/* %_sbindir/* %_libdir/*.so.* %xtlibdir/ %_libexecdir/xtables-addons/ -%doc LICENSE +%license LICENSE %changelog ++++++ xtables-addons-3.3.tar.xz -> xtables-addons-3.5.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/aclocal.m4 new/xtables-addons-3.5/aclocal.m4 --- old/xtables-addons-3.3/aclocal.m4 2019-03-07 10:24:20.472932193 +0100 +++ new/xtables-addons-3.5/aclocal.m4 2019-09-10 11:14:31.577896177 +0200 @@ -21,7 +21,7 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.])]) # pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -# serial 12 (pkg-config-0.29.2) +# serial 11 (pkg-config-0.29.1) dnl Copyright © 2004 Scott James Remnant <[email protected]>. dnl Copyright © 2012-2015 Dan Nicholson <[email protected]> @@ -63,7 +63,7 @@ dnl See the "Since" comment for each macro you use to see what version dnl of the macros you require. m4_defun([PKG_PREREQ], -[m4_define([PKG_MACROS_VERSION], [0.29.2]) +[m4_define([PKG_MACROS_VERSION], [0.29.1]) m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1, [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])]) ])dnl PKG_PREREQ @@ -164,7 +164,7 @@ AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl pkg_failed=no -AC_MSG_CHECKING([for $2]) +AC_MSG_CHECKING([for $1]) _PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) _PKG_CONFIG([$1][_LIBS], [libs], [$2]) 
@@ -174,11 +174,11 @@ See the pkg-config man page for more details.]) if test $pkg_failed = yes; then - AC_MSG_RESULT([no]) + AC_MSG_RESULT([no]) _PKG_SHORT_ERRORS_SUPPORTED if test $_pkg_short_errors_supported = yes; then $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1` - else + else $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1` fi # Put the nasty error message in config.log where it belongs @@ -195,7 +195,7 @@ _PKG_TEXT])[]dnl ]) elif test $pkg_failed = untried; then - AC_MSG_RESULT([no]) + AC_MSG_RESULT([no]) m4_default([$4], [AC_MSG_FAILURE( [The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full 
@@ -296,6 +296,74 @@ AS_VAR_IF([$1], [""], [$5], [$4])dnl ])dnl PKG_CHECK_VAR +dnl PKG_WITH_MODULES(VARIABLE-PREFIX, MODULES, +dnl [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND], +dnl [DESCRIPTION], [DEFAULT]) +dnl ------------------------------------------ +dnl +dnl Prepare a "--with-" configure option using the lowercase +dnl [VARIABLE-PREFIX] name, merging the behaviour of AC_ARG_WITH and +dnl PKG_CHECK_MODULES in a single macro. +AC_DEFUN([PKG_WITH_MODULES], +[ +m4_pushdef([with_arg], m4_tolower([$1])) + +m4_pushdef([description], + [m4_default([$5], [build with ]with_arg[ support])]) + +m4_pushdef([def_arg], [m4_default([$6], [auto])]) +m4_pushdef([def_action_if_found], [AS_TR_SH([with_]with_arg)=yes]) +m4_pushdef([def_action_if_not_found], [AS_TR_SH([with_]with_arg)=no]) + +m4_case(def_arg, + [yes],[m4_pushdef([with_without], [--without-]with_arg)], + [m4_pushdef([with_without],[--with-]with_arg)]) + +AC_ARG_WITH(with_arg, + AS_HELP_STRING(with_without, description[ @<:@default=]def_arg[@:>@]),, + [AS_TR_SH([with_]with_arg)=def_arg]) + +AS_CASE([$AS_TR_SH([with_]with_arg)], + [yes],[PKG_CHECK_MODULES([$1],[$2],$3,$4)], + [auto],[PKG_CHECK_MODULES([$1],[$2], + [m4_n([def_action_if_found]) $3], + [m4_n([def_action_if_not_found]) $4])]) + +m4_popdef([with_arg]) +m4_popdef([description]) +m4_popdef([def_arg]) + +])dnl PKG_WITH_MODULES + +dnl PKG_HAVE_WITH_MODULES(VARIABLE-PREFIX, MODULES, +dnl [DESCRIPTION], [DEFAULT]) +dnl ----------------------------------------------- +dnl +dnl Convenience macro to trigger AM_CONDITIONAL after PKG_WITH_MODULES +dnl check._[VARIABLE-PREFIX] is exported as make variable. 
+AC_DEFUN([PKG_HAVE_WITH_MODULES], +[ +PKG_WITH_MODULES([$1],[$2],,,[$3],[$4]) + +AM_CONDITIONAL([HAVE_][$1], + [test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"]) +])dnl PKG_HAVE_WITH_MODULES + +dnl PKG_HAVE_DEFINE_WITH_MODULES(VARIABLE-PREFIX, MODULES, +dnl [DESCRIPTION], [DEFAULT]) +dnl ------------------------------------------------------ +dnl +dnl Convenience macro to run AM_CONDITIONAL and AC_DEFINE after +dnl PKG_WITH_MODULES check. HAVE_[VARIABLE-PREFIX] is exported as make +dnl and preprocessor variable. +AC_DEFUN([PKG_HAVE_DEFINE_WITH_MODULES], +[ +PKG_HAVE_WITH_MODULES([$1],[$2],[$3],[$4]) + +AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"], + [AC_DEFINE([HAVE_][$1], 1, [Enable ]m4_tolower([$1])[ support])]) +])dnl PKG_HAVE_DEFINE_WITH_MODULES + # Copyright (C) 2002-2018 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/configure new/xtables-addons-3.5/configure --- old/xtables-addons-3.3/configure 2019-03-07 10:24:20.884928103 +0100 +++ new/xtables-addons-3.5/configure 2019-09-10 11:14:31.989893172 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for xtables-addons 3.3. +# Generated by GNU Autoconf 2.69 for xtables-addons 3.5. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='xtables-addons' PACKAGE_TARNAME='xtables-addons' -PACKAGE_VERSION='3.3' -PACKAGE_STRING='xtables-addons 3.3' +PACKAGE_VERSION='3.5' +PACKAGE_STRING='xtables-addons 3.5' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -1325,7 +1325,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures xtables-addons 3.3 to adapt to many kinds of systems. +\`configure' configures xtables-addons 3.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1395,7 +1395,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of xtables-addons 3.3:";; + short | recursive ) echo "Configuration of xtables-addons 3.5:";; esac cat <<\_ACEOF @@ -1519,7 +1519,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -xtables-addons configure 3.3 +xtables-addons configure 3.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1884,7 +1884,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by xtables-addons $as_me 3.3, which was +It was created by xtables-addons $as_me 3.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2750,7 +2750,7 @@ # Define the identity of the package. PACKAGE='xtables-addons' - VERSION='3.3' + VERSION='3.5' cat >>confdefs.h <<_ACEOF @@ -12315,8 +12315,8 @@ fi pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for xtables >= 1.6.0" >&5 -$as_echo_n "checking for xtables >= 1.6.0... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libxtables" >&5 +$as_echo_n "checking for libxtables... " >&6; } if test -n "$libxtables_CFLAGS"; then pkg_cv_libxtables_CFLAGS="$libxtables_CFLAGS" @@ -12356,7 +12356,7 @@ if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then 
@@ -12383,7 +12383,7 @@ and libxtables_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details." "$LINENO" 5 elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} @@ -12439,8 +12439,10 @@ echo "WARNING: Version detection did not succeed. Continue at own luck."; else echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir"; - if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 0; then + if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 3; then echo "WARNING: That kernel version is not officially supported yet. Continue at own luck."; + elif test "$kmajor" -eq 5 -a "$kminor" -ge 0; then + : elif test "$kmajor" -eq 4 -a "$kminor" -ge 18; then : else @@ -12985,7 +12987,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by xtables-addons $as_me 3.3, which was +This file was extended by xtables-addons $as_me 3.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -13051,7 +13053,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -xtables-addons config.status 3.3 +xtables-addons config.status 3.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/configure.ac new/xtables-addons-3.5/configure.ac --- old/xtables-addons-3.3/configure.ac 2019-03-07 10:24:08.000000000 +0100 +++ new/xtables-addons-3.5/configure.ac 2019-09-10 11:14:13.000000000 +0200 
@@ -1,4 +1,4 @@ -AC_INIT([xtables-addons], [3.3]) +AC_INIT([xtables-addons], [3.5]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) @@ -57,8 +57,10 @@ echo "WARNING: Version detection did not succeed. Continue at own luck."; else echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir"; - if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 0; then + if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 3; then echo "WARNING: That kernel version is not officially supported yet. Continue at own luck."; + elif test "$kmajor" -eq 5 -a "$kminor" -ge 0; then + : elif test "$kmajor" -eq 4 -a "$kminor" -ge 18; then : else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/doc/changelog.txt new/xtables-addons-3.5/doc/changelog.txt --- old/xtables-addons-3.3/doc/changelog.txt 2019-03-07 10:24:08.000000000 +0100 +++ new/xtables-addons-3.5/doc/changelog.txt 2019-09-10 11:14:13.000000000 +0200 @@ -3,6 +3,20 @@ ==== +v3.5 (2019-09-10) +================= +Enhancements: +- xt_DELUDE, xt_TARPIT: added additional code needed to work with + bridges from Linux 5.0 onwards. + + +v3.4 (2019-09-06) +================= +Enhancements: +- support for up to Linux 5.3 +- xt_PROTO module + + v3.3 (2019-03-07) ================= Enhancements: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/Kbuild new/xtables-addons-3.5/extensions/Kbuild --- old/xtables-addons-3.3/extensions/Kbuild 2019-03-07 10:24:08.000000000 +0100 +++ new/xtables-addons-3.5/extensions/Kbuild 2019-09-10 11:14:13.000000000 +0200 
@@ -13,6 +13,7 @@ obj-${build_ECHO} += xt_ECHO.o obj-${build_IPMARK} += xt_IPMARK.o obj-${build_LOGMARK} += xt_LOGMARK.o +obj-${build_PROTO} += xt_PROTO.o obj-${build_SYSRQ} += xt_SYSRQ.o obj-${build_TARPIT} += xt_TARPIT.o obj-${build_condition} += xt_condition.o diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/Mbuild new/xtables-addons-3.5/extensions/Mbuild --- old/xtables-addons-3.3/extensions/Mbuild 2019-03-07 10:24:08.000000000 +0100 +++ new/xtables-addons-3.5/extensions/Mbuild 2019-09-10 11:14:13.000000000 +0200 @@ -8,6 +8,7 @@ obj-${build_ECHO} += libxt_ECHO.so obj-${build_IPMARK} += libxt_IPMARK.so obj-${build_LOGMARK} += libxt_LOGMARK.so +obj-${build_PROTO} += libxt_PROTO.so obj-${build_SYSRQ} += libxt_SYSRQ.so obj-${build_TARPIT} += libxt_TARPIT.so obj-${build_condition} += libxt_condition.so diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/libxt_PROTO.c new/xtables-addons-3.5/extensions/libxt_PROTO.c --- old/xtables-addons-3.3/extensions/libxt_PROTO.c 1970-01-01 01:00:00.000000000 +0100 +++ new/xtables-addons-3.5/extensions/libxt_PROTO.c 2019-09-10 11:14:13.000000000 +0200 
@@ -0,0 +1,105 @@
+/*
+ * PROTO Target module
+ * This program is distributed under the terms of GNU GPL
+ */
+#include <stdio.h>
+#include <xtables.h>
+#include "xt_PROTO.h"
+
+enum {
+ O_PROTO_SET = 0,
+ O_PROTO_STOP_AT_FRAG = 1,
+ O_PROTO_STOP_AT_AUTH = 2,
+ F_PROTO_SET = 1 << O_PROTO_SET,
+ F_PROTO_STOP_AT_FRAG = 1 << O_PROTO_STOP_AT_FRAG,
+ F_PROTO_STOP_AT_AUTH = 1 << O_PROTO_STOP_AT_AUTH,
+};
+
+#define s struct xt_PROTO_info
+static const struct xt_option_entry PROTO_opts[] = {
+ {.name = "proto-set", .type = XTTYPE_UINT8, .id = O_PROTO_SET,
+ .flags = XTOPT_PUT | XTOPT_MAND, XTOPT_POINTER(s, proto)},
+ {.name = "stop-at-frag", .type = XTTYPE_NONE, .id = O_PROTO_STOP_AT_FRAG},
+ {.name = "stop-at-auth", .type = XTTYPE_NONE, .id = O_PROTO_STOP_AT_AUTH},
+ XTOPT_TABLEEND,
+};
+#undef s
+
+static void PROTO_help(void)
+{
+ printf(
+"PROTO target options\n"
+" --proto-set value Set protocol to <value 0-255>\n"
+ );
+}
+
+static void PROTO_parse(struct xt_option_call *cb)
+{
+ struct xt_PROTO_info *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_PROTO_SET:
+ info->mode |= 1 << XT_PROTO_SET;
+ break;
+ case O_PROTO_STOP_AT_FRAG:
+ info->mode |= 1 << XT_PROTO_STOP_AT_FRAG;
+ break;
+ case O_PROTO_STOP_AT_AUTH:
+ info->mode |= 1 << XT_PROTO_STOP_AT_AUTH;
+ break;
+ }
+}
+
+static void PROTO_check(struct xt_fcheck_call *cb)
+{
+ if (!(cb->xflags & F_PROTO_SET))
+ xtables_error(PARAMETER_PROBLEM,
+ "PROTO: You must specify the proto to be set");
+}
+
+static void PROTO_save(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_PROTO_info *info = (void *)target->data;
+
+ if (info->mode & (1 << XT_PROTO_SET))
+ printf(" --proto-set %u", info->proto);
+ if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
+ printf(" --stop-at-frag");
+ if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
+ printf(" --stop-at-auth");
+}
+
+static void PROTO_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_PROTO_info *info = (void *)target->data;
+
+ printf(" PROTO ");
+ if (info->mode & (1 << XT_PROTO_SET))
+ printf("set to %u", info->proto);
+ if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
+ printf(" stop-at-frag");
+ if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
+ printf(" stop-at-auth");
+}
+
+static struct xtables_target proto_tg_reg = {
+ .name = "PROTO",
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_PROTO_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_PROTO_info)),
+ .help = PROTO_help,
+ .print = PROTO_print,
+ .save = PROTO_save,
+ .x6_parse = PROTO_parse,
+ .x6_fcheck = PROTO_check,
+ .x6_options = PROTO_opts,
+};
+
+static __attribute__((constructor)) void _init(void)
+{
+ xtables_register_target(&proto_tg_reg);
+
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/libxt_PROTO.man new/xtables-addons-3.5/extensions/libxt_PROTO.man
--- old/xtables-addons-3.3/extensions/libxt_PROTO.man 1970-01-01 01:00:00.000000000 +0100
+++ new/xtables-addons-3.5/extensions/libxt_PROTO.man 2019-09-10 11:14:13.000000000 +0200
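Review bot: PROTO_help() lists only `--proto-set`, while PROTO_opts[] in the same hunk also registers `stop-at-frag` and `stop-at-auth`, so the target's help output gives no hint that the two IPv6-only switches exist. I would add one line per switch to the printf, for example `"  --stop-at-frag  Treat the fragment header as a non-extension header (IPv6 only)\n"` and the matching `--stop-at-auth` line. F_PROTO_STOP_AT_FRAG and F_PROTO_STOP_AT_AUTH are defined but never used in this file. PROTO_check() also appears to repeat what `XTOPT_MAND` on the proto-set entry already enforces, so a short comment on why both are kept (or dropping one) would help the next reader.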
@@ -0,0 +1,30 @@
+.PP
+The PROTO target modifies the protocol number in IP packet header.
+.TP
+\fB\-\-proto-set\fP \fIproto_num\fP
+This option is mandatory. \fIproto_num\fP is the protocol number to which you want to
+modify the packets.
+.TP
+\fB\-\-stop-at-frag\fP
+This option is only valid for IPv6 rules. When specifying this option, the
+fragment extension header will be seen as a non-extension header.
+.TP
+\fB\-\-stop-at-auth\fP
+This option is only valid for IPv6 rules. When specifying this option, the
+authentication extension header will be seen as a non-extension header.
+.PP
+For IPv4 packets, the \fBProtocol\fP field is modified and the checksum is
+re-calculated.
+.PP
+For IPv6 packets, the scenario can be more complex due to the introduction of
+the extension headers mechanism. By default, the PROTO target will scan the IPv6
+packet, finding the last extension header and modify its \fBNext-header\fP field.
+Normally, the following headers will be seen as an extension header:
+\fINEXTHDR_HOP\fP,
+\fINEXTHDR_ROUTING\fP,
+\fINEXTHDR_FRAGMENT\fP,
+\fINEXTHDR_AUTH\fP,
+\fINEXTHDR_DEST\fP.
+.PP
+For fragmented packets, only the first fragment is processed and other fragments
+are not touched.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/pknock/xt_pknock.c new/xtables-addons-3.5/extensions/pknock/xt_pknock.c
--- old/xtables-addons-3.3/extensions/pknock/xt_pknock.c 2019-03-07 10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/extensions/pknock/xt_pknock.c 2019-09-10 11:14:13.000000000 +0200
@@ -1125,7 +1125,6 @@ crypto.size = crypto_shash_digestsize(crypto.tfm); crypto.desc.tfm = crypto.tfm; - crypto.desc.flags = 0; pde = proc_mkdir("xt_pknock", init_net.proc_net); if (pde == NULL) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_DELUDE.c new/xtables-addons-3.5/extensions/xt_DELUDE.c --- old/xtables-addons-3.3/extensions/xt_DELUDE.c 2019-03-07 10:24:08.000000000 +0100 +++ new/xtables-addons-3.5/extensions/xt_DELUDE.c 2019-09-10 11:14:13.000000000 +0200 @@ -107,8 +107,13 @@ addr_type = RTN_UNSPEC; #ifdef CONFIG_BRIDGE_NETFILTER +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0) + if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL && + ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev)) +#else if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL && nskb->nf_bridge->physoutdev)) +#endif #else if (hook != NF_INET_FORWARD) #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_DHCPMAC.c new/xtables-addons-3.5/extensions/xt_DHCPMAC.c --- old/xtables-addons-3.3/extensions/xt_DHCPMAC.c 2019-03-07 10:24:08.000000000 +0100 +++ new/xtables-addons-3.5/extensions/xt_DHCPMAC.c 2019-09-10 11:14:13.000000000 +0200 @@ -96,7 +96,8 @@ struct udphdr udpbuf, *udph; unsigned int i; - if (!skb_make_writable(skb, 0)) + if (skb_ensure_writable(skb, ip_hdrlen(skb) + sizeof(udpbuf) + + sizeof(dhcpbuf))) return NF_DROP; udph = skb_header_pointer(skb, ip_hdrlen(skb), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_PROTO.c new/xtables-addons-3.5/extensions/xt_PROTO.c --- old/xtables-addons-3.3/extensions/xt_PROTO.c 1970-01-01 01:00:00.000000000 +0100 +++ new/xtables-addons-3.5/extensions/xt_PROTO.c 2019-09-10 11:14:13.000000000 +0200 
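Review bot: In the xt_DELUDE.c hunk, the new Linux >= 5.0 branch of the bridge check calls `skb_ext_find(nskb, SKB_EXT_BRIDGE_NF)` twice and casts its `void *` result each time, so the NULL test and the `->physoutdev` dereference are two separate lookups that have to be kept in sync by hand. Fetching the extension once into a local, e.g. `const struct nf_bridge_info *nfb = skb_ext_find(nskb, SKB_EXT_BRIDGE_NF);` and then testing `nfb != NULL && nfb->physoutdev`, states the guard once and needs no cast; the kernel's `nf_bridge_info_get()` accessor would do the same job if it is available on every kernel the module supports, which should be confirmed. The xt_TARPIT.c hunk further down adds the same construct. The enclosing function starts and ends outside the hunk, so where such a local can be declared is not visible here.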
@@ -0,0 +1,156 @@
+/*
+ * Protocol modification target for IP tables
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <net/ipv6.h>
+#include <net/checksum.h>
+#include <linux/netfilter/x_tables.h>
+#include "xt_PROTO.h"
+
+MODULE_AUTHOR("Shanker Wang <[email protected]>");
+MODULE_DESCRIPTION("Xtables: Protocol field modification target");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+proto_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+ struct iphdr *iph;
+ const struct xt_PROTO_info *info = par->targinfo;
+ int new_proto;
+
+ if (skb_ensure_writable(skb, skb->len))
+ return NF_DROP;
+
+ iph = ip_hdr(skb);
+ new_proto = iph->protocol;
+ if (info->mode & (1 << XT_PROTO_SET))
+ new_proto = info->proto;
+ if (new_proto != iph->protocol) {
+ csum_replace2(&iph->check, htons(iph->protocol & 0xff),
+ htons(new_proto & 0xff));
+ iph->protocol = new_proto;
+ }
+
+ return XT_CONTINUE;
+}
+
+static unsigned int
+proto_tg6(struct sk_buff *skb, const struct xt_action_param *par)
+{
+ struct ipv6hdr *ip6h;
+ const struct xt_PROTO_info *info = par->targinfo;
+ u8 *nexthdr;
+ unsigned int hdr_offset;
+ __be16 *fp;
+
+ if (skb_ensure_writable(skb, skb->len))
+ return NF_DROP;
+
+ ip6h = ipv6_hdr(skb);
+ nexthdr = &ip6h->nexthdr;
+ hdr_offset = sizeof(struct ipv6hdr);
+
+ for (;;) {
+ struct ipv6_opt_hdr _opthdr, *opthp;
+ unsigned int hdrlen;
+ unsigned short _frag_off;
+ if (!ipv6_ext_hdr(*nexthdr) || *nexthdr == NEXTHDR_NONE)
+ break;
+ opthp = skb_header_pointer(skb, skb_network_offset(skb) + hdr_offset, sizeof(_opthdr), &_opthdr);
+ if (!opthp)
+ return NF_DROP;
+ if (*nexthdr == NEXTHDR_FRAGMENT) {
+ if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
+ break;
+ fp = skb_header_pointer(skb, skb_network_offset(skb) +
+ hdr_offset + offsetof(struct frag_hdr, frag_off),
+ sizeof(_frag_off), &_frag_off);
+ if (!fp)
+ return NF_DROP;
+ _frag_off = ntohs(*fp) & ~0x7;
+ if (_frag_off) { // if the packet is not the first fragment
+ if (!ipv6_ext_hdr(opthp->nexthdr) || opthp->nexthdr == NEXTHDR_NONE ||
+ (info->mode & (1 << XT_PROTO_STOP_AT_AUTH) && opthp->nexthdr == NEXTHDR_AUTH)) {
+ nexthdr = &((struct ipv6_opt_hdr *)(skb_network_header(skb) + hdr_offset))->nexthdr;
+ break;
+ } else {
+ return XT_CONTINUE;
+ }
+ }
+ hdrlen = 8;
+ } else if(*nexthdr == NEXTHDR_AUTH) {
+ if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
+ break;
+ hdrlen = (opthp->hdrlen + 2) << 2;
+ } else {
+ hdrlen = ipv6_optlen(opthp);
+ }
+ nexthdr = &((struct ipv6_opt_hdr *)(skb_network_header(skb) + hdr_offset))->nexthdr;
+ hdr_offset += hdrlen;
+ }
+
+ if (info->mode & (1 << XT_PROTO_SET))
+ *nexthdr = info->proto;
+ return XT_CONTINUE;
+}
+
+static int proto_tg_check(const struct xt_tgchk_param *par)
+{
+ const struct xt_PROTO_info *info = par->targinfo;
+
+ if ((info->mode & (1 << XT_PROTO_SET)) == 0) {
+ pr_info_ratelimited("Did not specify any proto to set\n");
+ return -EINVAL;
+ }
+ if (par->family != NFPROTO_IPV6 && (info->mode & ((1 << XT_PROTO_STOP_AT_FRAG) | (1 << XT_PROTO_STOP_AT_AUTH))) != 0) {
+ pr_info_ratelimited("Must not specify stop-at-frag and stop-at-auth on non-ipv6 targets\n");
+ return -EPROTOTYPE;
+ }
+ return 0;
+}
+
+static struct xt_target proto_tg_reg[] __read_mostly = {
+ {
+ .name = "PROTO",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .target = proto_tg,
+ .targetsize = sizeof(struct xt_PROTO_info),
+ .table = "mangle",
+ .checkentry = proto_tg_check,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "PROTO",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .target = proto_tg6,
+ .targetsize = sizeof(struct xt_PROTO_info),
+ .table = "mangle",
+ .checkentry = proto_tg_check,
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init proto_tg_init(void)
+{
+ return xt_register_targets(proto_tg_reg, ARRAY_SIZE(proto_tg_reg));
+}
+
+static void __exit proto_tg_exit(void)
+{
+ xt_unregister_targets(proto_tg_reg, ARRAY_SIZE(proto_tg_reg));
+}
+
+module_init(proto_tg_init);
+module_exit(proto_tg_exit);
+MODULE_ALIAS("ipt_PROTO");
+MODULE_ALIAS("ip6t_PROTO");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_PROTO.h new/xtables-addons-3.5/extensions/xt_PROTO.h
--- old/xtables-addons-3.3/extensions/xt_PROTO.h 1970-01-01 01:00:00.000000000 +0100
+++ new/xtables-addons-3.5/extensions/xt_PROTO.h 2019-09-10 11:14:13.000000000 +0200
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/* Protocol modification module for IP tables */
+
+#ifndef _XT_PROTO_H
+#define _XT_PROTO_H
+
+#include <linux/types.h>
+
+enum {
+ XT_PROTO_SET = 0,
+ XT_PROTO_STOP_AT_FRAG = 1,
+ XT_PROTO_STOP_AT_AUTH = 2
+};
+
+struct xt_PROTO_info {
+ __u8 mode;
+ __u8 proto;
+};
+
+#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_SYSRQ.c new/xtables-addons-3.5/extensions/xt_SYSRQ.c
--- old/xtables-addons-3.3/extensions/xt_SYSRQ.c 2019-03-07 10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/extensions/xt_SYSRQ.c 2019-09-10 11:14:13.000000000 +0200
@@ -114,7 +114,6 @@ } desc.tfm = sysrq_tfm; - desc.flags = 0; ret = crypto_shash_init(&desc); if (ret != 0) goto hash_fail;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_TARPIT.c new/xtables-addons-3.5/extensions/xt_TARPIT.c
--- old/xtables-addons-3.3/extensions/xt_TARPIT.c 2019-03-07 10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/extensions/xt_TARPIT.c 2019-09-10 11:14:13.000000000 +0200
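Review bot: In the new xt_PROTO.c, proto_tg() and proto_tg6() both call `skb_ensure_writable(skb, skb->len)`, which asks for the whole packet to be writable on every match and drops the packet when that fails, although proto_tg() writes only `iph->check` and `iph->protocol`; `if (skb_ensure_writable(skb, sizeof(struct iphdr)))` would cover what it touches. In proto_tg6() the raw `skb_network_header(skb) + hdr_offset` dereferences stay in bounds only because of that full-length call together with the skb_header_pointer() check at the same offset earlier in the iteration, so the loop should carry a comment saying so, e.g. `/* hdr_offset was validated by skb_header_pointer() above; the packet was made fully writable on entry */`. proto_tg_check() accepts any value in `info->mode`; rejecting unknown bits with `if (info->mode & ~((1 << XT_PROTO_SET) | (1 << XT_PROTO_STOP_AT_FRAG) | (1 << XT_PROTO_STOP_AT_AUTH))) return -EINVAL;` would keep the remaining bits free for later use. The `if (_frag_off)` branch rewrites the fragment header's next-header field on non-first fragments when no further extension header follows, which the man page's "other fragments are not touched" does not describe, so a comment above that branch should state the intended rule.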
@@ -249,8 +249,13 @@ niph->id = ~oldhdr->id + 1; #ifdef CONFIG_BRIDGE_NETFILTER +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0) + if (hook != NF_INET_FORWARD || ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL && + ((struct nf_bridge_info *)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF))->physoutdev)) +#else if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL && nskb->nf_bridge->physoutdev != NULL)) +#endif #else if (hook != NF_INET_FORWARD) #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/mconfig new/xtables-addons-3.5/mconfig --- old/xtables-addons-3.3/mconfig 2019-03-07 10:24:08.000000000 +0100 +++ new/xtables-addons-3.5/mconfig 2019-09-10 11:14:13.000000000 +0200 @@ -8,6 +8,7 @@ build_ECHO=m build_IPMARK=m build_LOGMARK=m +build_PROTO=m build_SYSRQ=m build_TARPIT=m build_condition=m diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xtables-addons-3.3/xtables-addons.8.in new/xtables-addons-3.5/xtables-addons.8.in --- old/xtables-addons-3.3/xtables-addons.8.in 2019-03-07 10:24:08.000000000 +0100 +++ new/xtables-addons-3.5/xtables-addons.8.in 2019-09-10 11:14:13.000000000 +0200 @@ -1,4 +1,4 @@ -.TH xtables-addons 8 "" "" "v3.3 (2019-03-07)" +.TH xtables-addons 8 "" "" "v3.5 (2019-09-10)" .SH Name Xtables-addons \(em additional extensions for iptables, ip6tables, etc. .SH Targets
