Hello community,

here is the log from the commit of package xtables-addons for openSUSE:Factory 
checked in at 2019-09-11 10:34:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xtables-addons (Old)
 and      /work/SRC/openSUSE:Factory/.xtables-addons.new.7948 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xtables-addons"

Wed Sep 11 10:34:49 2019 rev:63 rq:729732 version:3.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/xtables-addons/xtables-addons.changes    
2019-08-27 10:21:35.211938765 +0200
+++ /work/SRC/openSUSE:Factory/.xtables-addons.new.7948/xtables-addons.changes  
2019-09-11 10:34:51.883305436 +0200
@@ -1,0 +2,14 @@
+Tue Sep 10 09:14:53 UTC 2019 - Jan Engelhardt <jeng...@inai.de>
+
+- Update to release 3.5
+  * Make xt_DELUDE and xt_TARPIT work under Linux >= 5.0
+    when used in conjunction with bridges.
+
+-------------------------------------------------------------------
+Fri Sep  6 08:45:29 UTC 2019 - Jan Engelhardt <jeng...@inai.de>
+
+- Update to release 3.4
+  * Support for Linux 5.3
+- Drop remove_flags.patch
+
+-------------------------------------------------------------------

Old:
----
  remove_flags.patch
  xtables-addons-3.3.tar.asc
  xtables-addons-3.3.tar.xz

New:
----
  xtables-addons-3.5.tar.asc
  xtables-addons-3.5.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xtables-addons.spec ++++++
--- /var/tmp/diff_new_pack.OCNicH/_old  2019-09-11 10:34:52.371305295 +0200
+++ /var/tmp/diff_new_pack.OCNicH/_new  2019-09-11 10:34:52.375305293 +0200
@@ -17,12 +17,12 @@
 
 
 Name:           xtables-addons
-Version:        3.3
+Version:        3.5
 Release:        0
 Summary:        IP Packet Filter Administration Extensions
 License:        GPL-2.0-only AND GPL-2.0-or-later
 Group:          Productivity/Networking/Security
-Url:            http://xtables-addons.sf.net/
+URL:            http://xtables-addons.sf.net/
 
 #Git-Clone:    
git://xtables-addons.git.sf.net/gitroot/xtables-addons/xtables-addons
 #Git-Web:      http://xtables-addons.git.sf.net/
@@ -30,8 +30,6 @@
 Source2:        http://downloads.sf.net/%name/%name-%version.tar.asc
 Source3:        %name-preamble
 Source4:        %name.keyring
-Patch0:         remove_flags.patch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  %kernel_module_package_buildreqs
 BuildRequires:  kernel-syms >= 4.15
 BuildRequires:  pkg-config >= 0.21
@@ -71,8 +69,7 @@
 main kernel/iptables packages.
 
 %prep
-%setup -q
-%patch0 -p1
+%autosetup -p1
 
 %build
 pushd ../
@@ -100,12 +97,11 @@
 %postun -p /sbin/ldconfig
 
 %files
-%defattr(-,root,root)
 %_mandir/man*/*
 %_sbindir/*
 %_libdir/*.so.*
 %xtlibdir/
 %_libexecdir/xtables-addons/
-%doc LICENSE
+%license LICENSE
 
 %changelog

++++++ xtables-addons-3.3.tar.xz -> xtables-addons-3.5.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/aclocal.m4 
new/xtables-addons-3.5/aclocal.m4
--- old/xtables-addons-3.3/aclocal.m4   2019-03-07 10:24:20.472932193 +0100
+++ new/xtables-addons-3.5/aclocal.m4   2019-09-10 11:14:31.577896177 +0200
@@ -21,7 +21,7 @@
 To do so, use the procedure documented by the package, typically 
'autoreconf'.])])
 
 # pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
-# serial 12 (pkg-config-0.29.2)
+# serial 11 (pkg-config-0.29.1)
 
 dnl Copyright © 2004 Scott James Remnant <sc...@netsplit.com>.
 dnl Copyright © 2012-2015 Dan Nicholson <dbn.li...@gmail.com>
@@ -63,7 +63,7 @@
 dnl See the "Since" comment for each macro you use to see what version
 dnl of the macros you require.
 m4_defun([PKG_PREREQ],
-[m4_define([PKG_MACROS_VERSION], [0.29.2])
+[m4_define([PKG_MACROS_VERSION], [0.29.1])
 m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
     [m4_fatal([pkg.m4 version $1 or higher is required but 
]PKG_MACROS_VERSION[ found])])
 ])dnl PKG_PREREQ
@@ -164,7 +164,7 @@
 AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
 
 pkg_failed=no
-AC_MSG_CHECKING([for $2])
+AC_MSG_CHECKING([for $1])
 
 _PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
 _PKG_CONFIG([$1][_LIBS], [libs], [$2])
@@ -174,11 +174,11 @@
 See the pkg-config man page for more details.])
 
 if test $pkg_failed = yes; then
-        AC_MSG_RESULT([no])
+       AC_MSG_RESULT([no])
         _PKG_SHORT_ERRORS_SUPPORTED
         if test $_pkg_short_errors_supported = yes; then
                $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors 
--cflags --libs "$2" 2>&1`
-        else
+        else 
                $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs 
"$2" 2>&1`
         fi
        # Put the nasty error message in config.log where it belongs
@@ -195,7 +195,7 @@
 _PKG_TEXT])[]dnl
         ])
 elif test $pkg_failed = untried; then
-        AC_MSG_RESULT([no])
+       AC_MSG_RESULT([no])
        m4_default([$4], [AC_MSG_FAILURE(
 [The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
@@ -296,6 +296,74 @@
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR
 
+dnl PKG_WITH_MODULES(VARIABLE-PREFIX, MODULES,
+dnl   [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND],
+dnl   [DESCRIPTION], [DEFAULT])
+dnl ------------------------------------------
+dnl
+dnl Prepare a "--with-" configure option using the lowercase
+dnl [VARIABLE-PREFIX] name, merging the behaviour of AC_ARG_WITH and
+dnl PKG_CHECK_MODULES in a single macro.
+AC_DEFUN([PKG_WITH_MODULES],
+[
+m4_pushdef([with_arg], m4_tolower([$1]))
+
+m4_pushdef([description],
+           [m4_default([$5], [build with ]with_arg[ support])])
+
+m4_pushdef([def_arg], [m4_default([$6], [auto])])
+m4_pushdef([def_action_if_found], [AS_TR_SH([with_]with_arg)=yes])
+m4_pushdef([def_action_if_not_found], [AS_TR_SH([with_]with_arg)=no])
+
+m4_case(def_arg,
+            [yes],[m4_pushdef([with_without], [--without-]with_arg)],
+            [m4_pushdef([with_without],[--with-]with_arg)])
+
+AC_ARG_WITH(with_arg,
+     AS_HELP_STRING(with_without, description[ @<:@default=]def_arg[@:>@]),,
+    [AS_TR_SH([with_]with_arg)=def_arg])
+
+AS_CASE([$AS_TR_SH([with_]with_arg)],
+            [yes],[PKG_CHECK_MODULES([$1],[$2],$3,$4)],
+            [auto],[PKG_CHECK_MODULES([$1],[$2],
+                                        [m4_n([def_action_if_found]) $3],
+                                        [m4_n([def_action_if_not_found]) $4])])
+
+m4_popdef([with_arg])
+m4_popdef([description])
+m4_popdef([def_arg])
+
+])dnl PKG_WITH_MODULES
+
+dnl PKG_HAVE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
+dnl   [DESCRIPTION], [DEFAULT])
+dnl -----------------------------------------------
+dnl
+dnl Convenience macro to trigger AM_CONDITIONAL after PKG_WITH_MODULES
+dnl check._[VARIABLE-PREFIX] is exported as make variable.
+AC_DEFUN([PKG_HAVE_WITH_MODULES],
+[
+PKG_WITH_MODULES([$1],[$2],,,[$3],[$4])
+
+AM_CONDITIONAL([HAVE_][$1],
+               [test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"])
+])dnl PKG_HAVE_WITH_MODULES
+
+dnl PKG_HAVE_DEFINE_WITH_MODULES(VARIABLE-PREFIX, MODULES,
+dnl   [DESCRIPTION], [DEFAULT])
+dnl ------------------------------------------------------
+dnl
+dnl Convenience macro to run AM_CONDITIONAL and AC_DEFINE after
+dnl PKG_WITH_MODULES check. HAVE_[VARIABLE-PREFIX] is exported as make
+dnl and preprocessor variable.
+AC_DEFUN([PKG_HAVE_DEFINE_WITH_MODULES],
+[
+PKG_HAVE_WITH_MODULES([$1],[$2],[$3],[$4])
+
+AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],
+        [AC_DEFINE([HAVE_][$1], 1, [Enable ]m4_tolower([$1])[ support])])
+])dnl PKG_HAVE_DEFINE_WITH_MODULES
+
 # Copyright (C) 2002-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/configure 
new/xtables-addons-3.5/configure
--- old/xtables-addons-3.3/configure    2019-03-07 10:24:20.884928103 +0100
+++ new/xtables-addons-3.5/configure    2019-09-10 11:14:31.989893172 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for xtables-addons 3.3.
+# Generated by GNU Autoconf 2.69 for xtables-addons 3.5.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='xtables-addons'
 PACKAGE_TARNAME='xtables-addons'
-PACKAGE_VERSION='3.3'
-PACKAGE_STRING='xtables-addons 3.3'
+PACKAGE_VERSION='3.5'
+PACKAGE_STRING='xtables-addons 3.5'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1325,7 +1325,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures xtables-addons 3.3 to adapt to many kinds of systems.
+\`configure' configures xtables-addons 3.5 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1395,7 +1395,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of xtables-addons 3.3:";;
+     short | recursive ) echo "Configuration of xtables-addons 3.5:";;
    esac
   cat <<\_ACEOF
 
@@ -1519,7 +1519,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-xtables-addons configure 3.3
+xtables-addons configure 3.5
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1884,7 +1884,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by xtables-addons $as_me 3.3, which was
+It was created by xtables-addons $as_me 3.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2750,7 +2750,7 @@
 
 # Define the identity of the package.
  PACKAGE='xtables-addons'
- VERSION='3.3'
+ VERSION='3.5'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -12315,8 +12315,8 @@
 fi
 
 pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for xtables >= 1.6.0" >&5
-$as_echo_n "checking for xtables >= 1.6.0... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libxtables" >&5
+$as_echo_n "checking for libxtables... " >&6; }
 
 if test -n "$libxtables_CFLAGS"; then
     pkg_cv_libxtables_CFLAGS="$libxtables_CFLAGS"
@@ -12356,7 +12356,7 @@
 
 
 if test $pkg_failed = yes; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+       { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
@@ -12383,7 +12383,7 @@
 and libxtables_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+       { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
        { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@@ -12439,8 +12439,10 @@
                echo "WARNING: Version detection did not succeed. Continue at 
own luck.";
        else
                echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-               if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 0; 
then
+               if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 3; 
then
                        echo "WARNING: That kernel version is not officially 
supported yet. Continue at own luck.";
+               elif test "$kmajor" -eq 5 -a "$kminor" -ge 0; then
+                       :
                elif test "$kmajor" -eq 4 -a "$kminor" -ge 18; then
                        :
                else
@@ -12985,7 +12987,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by xtables-addons $as_me 3.3, which was
+This file was extended by xtables-addons $as_me 3.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -13051,7 +13053,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-xtables-addons config.status 3.3
+xtables-addons config.status 3.5
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/configure.ac 
new/xtables-addons-3.5/configure.ac
--- old/xtables-addons-3.3/configure.ac 2019-03-07 10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/configure.ac 2019-09-10 11:14:13.000000000 +0200
@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.3])
+AC_INIT([xtables-addons], [3.5])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -57,8 +57,10 @@
                echo "WARNING: Version detection did not succeed. Continue at 
own luck.";
        else
                echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
-               if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 0; 
then
+               if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 3; 
then
                        echo "WARNING: That kernel version is not officially 
supported yet. Continue at own luck.";
+               elif test "$kmajor" -eq 5 -a "$kminor" -ge 0; then
+                       :
                elif test "$kmajor" -eq 4 -a "$kminor" -ge 18; then
                        :
                else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/doc/changelog.txt 
new/xtables-addons-3.5/doc/changelog.txt
--- old/xtables-addons-3.3/doc/changelog.txt    2019-03-07 10:24:08.000000000 
+0100
+++ new/xtables-addons-3.5/doc/changelog.txt    2019-09-10 11:14:13.000000000 
+0200
@@ -3,6 +3,20 @@
 ====
 
 
+v3.5 (2019-09-10)
+=================
+Enhancements:
+- xt_DELUDE, xt_TARPIT: added additional code needed to work with
+  bridges from Linux 5.0 onwards.
+
+
+v3.4 (2019-09-06)
+=================
+Enhancements:
+- support for up to Linux 5.3
+- xt_PROTO module
+
+
 v3.3 (2019-03-07)
 =================
 Enhancements:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/Kbuild 
new/xtables-addons-3.5/extensions/Kbuild
--- old/xtables-addons-3.3/extensions/Kbuild    2019-03-07 10:24:08.000000000 
+0100
+++ new/xtables-addons-3.5/extensions/Kbuild    2019-09-10 11:14:13.000000000 
+0200
@@ -13,6 +13,7 @@
 obj-${build_ECHO}        += xt_ECHO.o
 obj-${build_IPMARK}      += xt_IPMARK.o
 obj-${build_LOGMARK}     += xt_LOGMARK.o
+obj-${build_PROTO}       += xt_PROTO.o
 obj-${build_SYSRQ}       += xt_SYSRQ.o
 obj-${build_TARPIT}      += xt_TARPIT.o
 obj-${build_condition}   += xt_condition.o
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/Mbuild 
new/xtables-addons-3.5/extensions/Mbuild
--- old/xtables-addons-3.3/extensions/Mbuild    2019-03-07 10:24:08.000000000 
+0100
+++ new/xtables-addons-3.5/extensions/Mbuild    2019-09-10 11:14:13.000000000 
+0200
@@ -8,6 +8,7 @@
 obj-${build_ECHO}        += libxt_ECHO.so
 obj-${build_IPMARK}      += libxt_IPMARK.so
 obj-${build_LOGMARK}     += libxt_LOGMARK.so
+obj-${build_PROTO}       += libxt_PROTO.so
 obj-${build_SYSRQ}       += libxt_SYSRQ.so
 obj-${build_TARPIT}      += libxt_TARPIT.so
 obj-${build_condition}   += libxt_condition.so
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/libxt_PROTO.c 
new/xtables-addons-3.5/extensions/libxt_PROTO.c
--- old/xtables-addons-3.3/extensions/libxt_PROTO.c     1970-01-01 
01:00:00.000000000 +0100
+++ new/xtables-addons-3.5/extensions/libxt_PROTO.c     2019-09-10 
11:14:13.000000000 +0200
@@ -0,0 +1,105 @@
+/*
+ * PROTO Target module
+ * This program is distributed under the terms of GNU GPL
+ */
+#include <stdio.h>
+#include <xtables.h>
+#include "xt_PROTO.h"
+
+enum {
+       O_PROTO_SET = 0,
+       O_PROTO_STOP_AT_FRAG = 1,
+       O_PROTO_STOP_AT_AUTH = 2,
+       F_PROTO_SET = 1 << O_PROTO_SET,
+       F_PROTO_STOP_AT_FRAG = 1 << O_PROTO_STOP_AT_FRAG,
+       F_PROTO_STOP_AT_AUTH = 1 << O_PROTO_STOP_AT_AUTH,
+};
+
+#define s struct xt_PROTO_info
+static const struct xt_option_entry PROTO_opts[] = {
+       {.name = "proto-set", .type = XTTYPE_UINT8, .id = O_PROTO_SET,
+        .flags = XTOPT_PUT | XTOPT_MAND, XTOPT_POINTER(s, proto)},
+       {.name = "stop-at-frag", .type = XTTYPE_NONE, .id = 
O_PROTO_STOP_AT_FRAG},
+       {.name = "stop-at-auth", .type = XTTYPE_NONE, .id = 
O_PROTO_STOP_AT_AUTH},
+       XTOPT_TABLEEND,
+};
+#undef s
+
+static void PROTO_help(void)
+{
+       printf(
+"PROTO target options\n"
+"  --proto-set value           Set protocol to <value 0-255>\n"
+       );
+}
+
+static void PROTO_parse(struct xt_option_call *cb)
+{
+       struct xt_PROTO_info *info = cb->data;
+
+       xtables_option_parse(cb);
+       switch (cb->entry->id) {
+       case O_PROTO_SET:
+               info->mode |= 1 << XT_PROTO_SET;
+               break;
+       case O_PROTO_STOP_AT_FRAG:
+               info->mode |= 1 << XT_PROTO_STOP_AT_FRAG;
+               break;
+       case O_PROTO_STOP_AT_AUTH:
+               info->mode |= 1 << XT_PROTO_STOP_AT_AUTH;
+               break;
+       }
+}
+
+static void PROTO_check(struct xt_fcheck_call *cb)
+{
+       if (!(cb->xflags & F_PROTO_SET))
+               xtables_error(PARAMETER_PROBLEM,
+                               "PROTO: You must specify the proto to be set");
+}
+
+static void PROTO_save(const void *ip, const struct xt_entry_target *target)
+{
+       const struct xt_PROTO_info *info = (void *)target->data;
+
+       if (info->mode & (1 << XT_PROTO_SET))
+               printf(" --proto-set %u", info->proto);
+       if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
+               printf(" --stop-at-frag");
+       if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
+               printf(" --stop-at-auth");
+}
+
+static void PROTO_print(const void *ip, const struct xt_entry_target *target,
+                     int numeric)
+{
+       const struct xt_PROTO_info *info = (void *)target->data;
+
+       printf(" PROTO ");
+       if (info->mode & (1 << XT_PROTO_SET))
+               printf("set to %u", info->proto);
+       if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
+               printf(" stop-at-frag");
+       if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
+               printf(" stop-at-auth");
+}
+
+static struct xtables_target proto_tg_reg = {
+       .name           = "PROTO",
+       .version        = XTABLES_VERSION,
+       .family         = NFPROTO_UNSPEC,
+       .size           = XT_ALIGN(sizeof(struct xt_PROTO_info)),
+       .userspacesize  = XT_ALIGN(sizeof(struct xt_PROTO_info)),
+       .help           = PROTO_help,
+       .print          = PROTO_print,
+       .save           = PROTO_save,
+       .x6_parse       = PROTO_parse,
+       .x6_fcheck      = PROTO_check,
+       .x6_options     = PROTO_opts,
+};
+
+static __attribute__((constructor)) void _init(void)
+{
+       xtables_register_target(&proto_tg_reg);
+
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/libxt_PROTO.man 
new/xtables-addons-3.5/extensions/libxt_PROTO.man
--- old/xtables-addons-3.3/extensions/libxt_PROTO.man   1970-01-01 
01:00:00.000000000 +0100
+++ new/xtables-addons-3.5/extensions/libxt_PROTO.man   2019-09-10 
11:14:13.000000000 +0200
@@ -0,0 +1,30 @@
+.PP
+The PROTO target modifies the protocol number in IP packet header.
+.TP
+\fB\-\-proto-set\fP \fIproto_num\fP
+This option is mandatory. \fIproto_num\fP is the protocol number to which you 
want to
+modify the packets.
+.TP
+\fB\-\-stop-at-frag\fP
+This option is only valid for IPv6 rules. When specifying this option, the
+fragment extension header will be seen as a non-extension header.
+.TP
+\fB\-\-stop-at-auth\fP
+This option is only valid for IPv6 rules. When specifying this option, the
+authentication extension header will be seen as a non-extension header.
+.PP
+For IPv4 packets, the \fBProtocol\fP field is modified and the checksum is
+re-calculated.
+.PP
+For IPv6 packets, the scenario can be more complex due to the introduction of
+the extension headers mechanism. By default, the PROTO target will scan the 
IPv6
+packet, finding the last extension header and modify its \fBNext-header\fP 
field.
+Normally, the following headers will be seen as an extension header:
+\fINEXTHDR_HOP\fP,
+\fINEXTHDR_ROUTING\fP,
+\fINEXTHDR_FRAGMENT\fP,
+\fINEXTHDR_AUTH\fP,
+\fINEXTHDR_DEST\fP.
+.PP
+For fragmented packets, only the first fragment is processed and other 
fragments
+are not touched.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/pknock/xt_pknock.c 
new/xtables-addons-3.5/extensions/pknock/xt_pknock.c
--- old/xtables-addons-3.3/extensions/pknock/xt_pknock.c        2019-03-07 
10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/extensions/pknock/xt_pknock.c        2019-09-10 
11:14:13.000000000 +0200
@@ -1125,7 +1125,6 @@
 
        crypto.size = crypto_shash_digestsize(crypto.tfm);
        crypto.desc.tfm = crypto.tfm;
-       crypto.desc.flags = 0;
 
        pde = proc_mkdir("xt_pknock", init_net.proc_net);
        if (pde == NULL) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_DELUDE.c 
new/xtables-addons-3.5/extensions/xt_DELUDE.c
--- old/xtables-addons-3.3/extensions/xt_DELUDE.c       2019-03-07 
10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/extensions/xt_DELUDE.c       2019-09-10 
11:14:13.000000000 +0200
@@ -107,8 +107,13 @@
 
        addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
+       if (hook != NF_INET_FORWARD || ((struct nf_bridge_info 
*)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+           ((struct nf_bridge_info *)skb_ext_find(nskb, 
SKB_EXT_BRIDGE_NF))->physoutdev))
+#else
        if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
            nskb->nf_bridge->physoutdev))
+#endif
 #else
        if (hook != NF_INET_FORWARD)
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_DHCPMAC.c 
new/xtables-addons-3.5/extensions/xt_DHCPMAC.c
--- old/xtables-addons-3.3/extensions/xt_DHCPMAC.c      2019-03-07 
10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/extensions/xt_DHCPMAC.c      2019-09-10 
11:14:13.000000000 +0200
@@ -96,7 +96,8 @@
        struct udphdr udpbuf, *udph;
        unsigned int i;
 
-       if (!skb_make_writable(skb, 0))
+       if (skb_ensure_writable(skb, ip_hdrlen(skb) + sizeof(udpbuf) +
+                                    sizeof(dhcpbuf)))
                return NF_DROP;
 
        udph = skb_header_pointer(skb, ip_hdrlen(skb),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_PROTO.c 
new/xtables-addons-3.5/extensions/xt_PROTO.c
--- old/xtables-addons-3.3/extensions/xt_PROTO.c        1970-01-01 
01:00:00.000000000 +0100
+++ new/xtables-addons-3.5/extensions/xt_PROTO.c        2019-09-10 
11:14:13.000000000 +0200
@@ -0,0 +1,156 @@
+/*
+ * Protocol modification target for IP tables
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <net/ipv6.h>
+#include <net/checksum.h>
+#include <linux/netfilter/x_tables.h>
+#include "xt_PROTO.h"
+
+MODULE_AUTHOR("Shanker Wang <i...@innull.com>");
+MODULE_DESCRIPTION("Xtables: Protocol field modification target");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+proto_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+       struct iphdr *iph;
+       const struct xt_PROTO_info *info = par->targinfo;
+       int new_proto;
+
+       if (skb_ensure_writable(skb, skb->len))
+               return NF_DROP;
+
+       iph = ip_hdr(skb);
+       new_proto = iph->protocol;
+       if (info->mode & (1 << XT_PROTO_SET))
+               new_proto = info->proto;
+       if (new_proto != iph->protocol) {
+               csum_replace2(&iph->check, htons(iph->protocol & 0xff),
+                             htons(new_proto & 0xff));
+               iph->protocol = new_proto;
+       }
+
+       return XT_CONTINUE;
+}
+
+static unsigned int
+proto_tg6(struct sk_buff *skb, const struct xt_action_param *par)
+{
+       struct ipv6hdr *ip6h;
+       const struct xt_PROTO_info *info = par->targinfo;
+       u8 *nexthdr;
+       unsigned int hdr_offset;
+       __be16 *fp;
+
+       if (skb_ensure_writable(skb, skb->len))
+               return NF_DROP;
+
+       ip6h = ipv6_hdr(skb);
+       nexthdr = &ip6h->nexthdr;
+       hdr_offset = sizeof(struct ipv6hdr);
+
+       for (;;) {
+               struct ipv6_opt_hdr _opthdr, *opthp;
+               unsigned int hdrlen;
+               unsigned short _frag_off;
+               if (!ipv6_ext_hdr(*nexthdr) || *nexthdr == NEXTHDR_NONE)
+                       break;
+               opthp = skb_header_pointer(skb, skb_network_offset(skb) + 
hdr_offset, sizeof(_opthdr), &_opthdr);
+               if (!opthp)
+                       return NF_DROP;
+               if (*nexthdr == NEXTHDR_FRAGMENT) {
+                       if (info->mode & (1 << XT_PROTO_STOP_AT_FRAG))
+                               break;
+                       fp = skb_header_pointer(skb, skb_network_offset(skb) +
+                            hdr_offset + offsetof(struct frag_hdr, frag_off),
+                            sizeof(_frag_off), &_frag_off);
+                       if (!fp)
+                               return NF_DROP;
+                       _frag_off = ntohs(*fp) & ~0x7;
+                       if (_frag_off) { // if the packet is not the first 
fragment
+                               if (!ipv6_ext_hdr(opthp->nexthdr) || 
opthp->nexthdr == NEXTHDR_NONE ||
+                                   (info->mode & (1 << XT_PROTO_STOP_AT_AUTH) 
&& opthp->nexthdr == NEXTHDR_AUTH)) {
+                                       nexthdr = &((struct ipv6_opt_hdr 
*)(skb_network_header(skb) + hdr_offset))->nexthdr;
+                                       break;
+                               } else {
+                                       return XT_CONTINUE;
+                               }
+                       }
+                       hdrlen = 8;
+               } else if(*nexthdr == NEXTHDR_AUTH) {
+                       if (info->mode & (1 << XT_PROTO_STOP_AT_AUTH))
+                               break;
+                       hdrlen = (opthp->hdrlen + 2) << 2;
+               } else {
+                       hdrlen = ipv6_optlen(opthp);
+               }
+               nexthdr = &((struct ipv6_opt_hdr *)(skb_network_header(skb) + 
hdr_offset))->nexthdr;
+               hdr_offset += hdrlen;
+       }
+       
+       if (info->mode & (1 << XT_PROTO_SET))
+               *nexthdr = info->proto;
+       return XT_CONTINUE;
+}
+
+static int proto_tg_check(const struct xt_tgchk_param *par)
+{
+       const struct xt_PROTO_info *info = par->targinfo;
+
+       if ((info->mode & (1 << XT_PROTO_SET)) == 0) {
+               pr_info_ratelimited("Did not specify any proto to set\n");
+               return -EINVAL;
+       }
+       if (par->family != NFPROTO_IPV6 && (info->mode & ((1 << 
XT_PROTO_STOP_AT_FRAG) | (1 << XT_PROTO_STOP_AT_AUTH))) != 0) {
+               pr_info_ratelimited("Must not specify stop-at-frag and 
stop-at-auth on non-ipv6 targets\n");
+               return -EPROTOTYPE;
+       }
+       return 0;
+}
+
+static struct xt_target proto_tg_reg[] __read_mostly = {
+       {
+               .name       = "PROTO",
+               .revision   = 0,
+               .family     = NFPROTO_IPV4,
+               .target     = proto_tg,
+               .targetsize = sizeof(struct xt_PROTO_info),
+               .table      = "mangle",
+               .checkentry = proto_tg_check,
+               .me         = THIS_MODULE,
+       },
+       {
+               .name       = "PROTO",
+               .revision   = 0,
+               .family     = NFPROTO_IPV6,
+               .target     = proto_tg6,
+               .targetsize = sizeof(struct xt_PROTO_info),
+               .table      = "mangle",
+               .checkentry = proto_tg_check,
+               .me         = THIS_MODULE,
+       },
+};
+
+static int __init proto_tg_init(void)
+{
+       return xt_register_targets(proto_tg_reg, ARRAY_SIZE(proto_tg_reg));
+}
+
+static void __exit proto_tg_exit(void)
+{
+       xt_unregister_targets(proto_tg_reg, ARRAY_SIZE(proto_tg_reg));
+}
+
+module_init(proto_tg_init);
+module_exit(proto_tg_exit);
+MODULE_ALIAS("ipt_PROTO");
+MODULE_ALIAS("ip6t_PROTO");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_PROTO.h 
new/xtables-addons-3.5/extensions/xt_PROTO.h
--- old/xtables-addons-3.3/extensions/xt_PROTO.h        1970-01-01 
01:00:00.000000000 +0100
+++ new/xtables-addons-3.5/extensions/xt_PROTO.h        2019-09-10 
11:14:13.000000000 +0200
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/* Protocol modification module for IP tables */
+
+#ifndef _XT_PROTO_H
+#define _XT_PROTO_H
+
+#include <linux/types.h>
+
+enum {
+       XT_PROTO_SET = 0,
+       XT_PROTO_STOP_AT_FRAG = 1,
+       XT_PROTO_STOP_AT_AUTH = 2
+};
+
+struct xt_PROTO_info {
+       __u8    mode;
+       __u8    proto;
+};
+
+#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_SYSRQ.c 
new/xtables-addons-3.5/extensions/xt_SYSRQ.c
--- old/xtables-addons-3.3/extensions/xt_SYSRQ.c        2019-03-07 
10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/extensions/xt_SYSRQ.c        2019-09-10 
11:14:13.000000000 +0200
@@ -114,7 +114,6 @@
        }
 
        desc.tfm   = sysrq_tfm;
-       desc.flags = 0;
        ret = crypto_shash_init(&desc);
        if (ret != 0)
                goto hash_fail;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/extensions/xt_TARPIT.c 
new/xtables-addons-3.5/extensions/xt_TARPIT.c
--- old/xtables-addons-3.3/extensions/xt_TARPIT.c       2019-03-07 
10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/extensions/xt_TARPIT.c       2019-09-10 
11:14:13.000000000 +0200
@@ -249,8 +249,13 @@
                niph->id = ~oldhdr->id + 1;
 
 #ifdef CONFIG_BRIDGE_NETFILTER
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
+       if (hook != NF_INET_FORWARD || ((struct nf_bridge_info 
*)skb_ext_find(nskb, SKB_EXT_BRIDGE_NF) != NULL &&
+           ((struct nf_bridge_info *)skb_ext_find(nskb, 
SKB_EXT_BRIDGE_NF))->physoutdev))
+#else
        if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
            nskb->nf_bridge->physoutdev != NULL))
+#endif
 #else
        if (hook != NF_INET_FORWARD)
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/mconfig 
new/xtables-addons-3.5/mconfig
--- old/xtables-addons-3.3/mconfig      2019-03-07 10:24:08.000000000 +0100
+++ new/xtables-addons-3.5/mconfig      2019-09-10 11:14:13.000000000 +0200
@@ -8,6 +8,7 @@
 build_ECHO=m
 build_IPMARK=m
 build_LOGMARK=m
+build_PROTO=m
 build_SYSRQ=m
 build_TARPIT=m
 build_condition=m
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/xtables-addons-3.3/xtables-addons.8.in 
new/xtables-addons-3.5/xtables-addons.8.in
--- old/xtables-addons-3.3/xtables-addons.8.in  2019-03-07 10:24:08.000000000 
+0100
+++ new/xtables-addons-3.5/xtables-addons.8.in  2019-09-10 11:14:13.000000000 
+0200
@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v3.3 (2019-03-07)"
+.TH xtables-addons 8 "" "" "v3.5 (2019-09-10)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets


Reply via email to