diff --git a/net/xtables-addons/Makefile b/net/xtables-addons/Makefile
index d81605388..44ca19518 100644
--- a/net/xtables-addons/Makefile
+++ b/net/xtables-addons/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=xtables-addons
-PKG_VERSION:=2.14
-PKG_RELEASE:=8
-PKG_HASH:=d215a9a8b8e66aae04b982fa2e1228e8a71e7dfe42320df99e34e5000cbdf152
+PKG_VERSION:=3.3
+PKG_RELEASE:=1
+PKG_HASH:=efa62c7df6cd3b82d7195105bf6fe177b605f91f3522e4114d2f4e0ad54320d6
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@SF/xtables-addons
diff --git a/net/xtables-addons/patches/002-build-support-for-Linux-4.15.patch b/net/xtables-addons/patches/002-build-support-for-Linux-4.15.patch
deleted file mode 100644
index 99b0cfe3b..000000000
--- a/net/xtables-addons/patches/002-build-support-for-Linux-4.15.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 2b76b68c65c97fc11409088c3c30993324df8500 Mon Sep 17 00:00:00 2001
-From: Marcelo Henrique Cerri
-Date: Thu, 4 Jan 2018 18:50:50 +0100
-Subject: [PATCH] build: support for Linux 4.15
-
-Signed-off-by: Marcelo Henrique Cerri
----
- extensions/pknock/xt_pknock.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c
-index 6fbdea4..31d4bc8 100644
---- a/extensions/pknock/xt_pknock.c
-+++ b/extensions/pknock/xt_pknock.c
-@@ -358,10 +358,20 @@ has_logged_during_this_minute(const struct peer *peer)
- * @r: rule
- */
- static void
--peer_gc(unsigned long r)
-+peer_gc(
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
-+ struct timer_list *tl
-+#else
-+ unsigned long r
-+#endif
-+)
- {
- unsigned int i;
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
-+ struct xt_pknock_rule *rule = from_timer(rule, tl, timer);
-+#else
- struct xt_pknock_rule *rule = (struct xt_pknock_rule *)r;
-+#endif
- struct peer *peer;
- struct list_head *pos, *n;
-
-@@ -469,9 +479,13 @@ add_rule(struct xt_pknock_mtinfo *info)
- if (rule->peer_head == NULL)
- goto out;
-
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
-+ timer_setup(&rule->timer, peer_gc, 0);
-+#else
- init_timer(&rule->timer);
- rule->timer.function = peer_gc;
- rule->timer.data = (unsigned long)rule;
-+#endif
-
- rule->status_proc = proc_create_data(info->rule_name, 0, pde,
- &pknock_proc_ops, rule);
diff --git a/net/xtables-addons/patches/002-restore-support-for-Linux-4.14.patch b/net/xtables-addons/patches/002-restore-support-for-Linux-4.14.patch
new file mode 100644
index 000000000..f51c84e60
--- /dev/null
+++ b/net/xtables-addons/patches/002-restore-support-for-Linux-4.14.patch
@@ -0,0 +1,78 @@
+Restore support for kernel 4.14
+This reverts commit bf63a25a64c9223435c26e6543ba749834b47752.
+---
+ configure.ac | 2 +-
+ extensions/compat_xtables.h | 4 ++--
+ extensions/pknock/xt_pknock.c | 16 ++++++++++++++++
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7631f6b..0d3aa72 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -59,7 +59,7 @@ if test -n "$kbuilddir"; then
+ echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+ if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 0; then
+ echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
+- elif test "$kmajor" -eq 4 -a "$kminor" -ge 18; then
++ elif test "$kmajor" -eq 4 -a "$kminor" -ge 14; then
+ :
+ else
+ echo "WARNING: That kernel version is not officially supported.";
+diff --git a/extensions/compat_xtables.h b/extensions/compat_xtables.h
+index d08354a..faf5dd8 100644
+--- a/extensions/compat_xtables.h
++++ b/extensions/compat_xtables.h
+@@ -8,8 +8,8 @@
+
+ #define DEBUGP Use__pr_debug__instead
+
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0)
+-# warning Kernels below 4.15 not supported.
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
++# warning Kernels below 4.14 not supported.
+ #endif
+
+ #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c
+index c76901a..7be0345 100644
+--- a/extensions/pknock/xt_pknock.c
++++ b/extensions/pknock/xt_pknock.c
+@@ -357,10 +357,18 @@ has_logged_during_this_minute(const struct peer *peer)
+ *
+ * @r: rule
+ */
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
+ static void peer_gc(struct timer_list *tl)
++#else
++static void peer_gc(unsigned long r)
++#endif
+ {
+ unsigned int i;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
+ struct xt_pknock_rule *rule = from_timer(rule, tl, timer);
++#else
++ struct xt_pknock_rule *rule = (struct xt_pknock_rule *)r;
++#endif
+ struct peer *peer;
+ struct list_head *pos, *n;
+
+@@ -467,7 +475,15 @@ add_rule(struct xt_pknock_mtinfo *info)
+ rule->peer_head = alloc_hashtable(peer_hashsize);
+ if (rule->peer_head == NULL)
+ goto out;
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
+ timer_setup(&rule->timer, peer_gc, 0);
++#else
++ init_timer(&rule->timer);
++ rule->timer.function = peer_gc;
++ rule->timer.data = (unsigned long)rule;
++#endif
++
+ rule->status_proc = proc_create_data(info->rule_name, 0, pde,
+ &pknock_proc_ops, rule);
+ if (rule->status_proc == NULL)
+--
+2.21.0
+
diff --git a/net/xtables-addons/patches/003-build-add-support-for-Linux-4.18.patch b/net/xtables-addons/patches/003-build-add-support-for-Linux-4.18.patch
deleted file mode 100644
index a6f31cf00..000000000
--- a/net/xtables-addons/patches/003-build-add-support-for-Linux-4.18.patch
+++ /dev/null
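Review bot: The kernel-doc block above `peer_gc` in the xt_pknock.c section still lists only `@r: rule`, which after this change describes just the pre-4.15 signature; with both signatures present it should also carry `@tl: timer embedded in the rule (Linux >= 4.15)` so the comment matches whichever branch is compiled. The header of this carried patch gives a bare commit id with no author or sign-off, so naming the upstream repository and the reverted commit's subject next to the hash would make the revert easier to trace when the package is audited. `peer_gc` and `add_rule` both continue outside the quoted context.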
@@ -1,25 +0,0 @@
-From 3ea761a1ed338241fbc79bef8e433307e108b6cd Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt
-Date: Tue, 14 Aug 2018 14:29:30 +0200
-Subject: [PATCH] build: add support for Linux 4.18
-
----
- extensions/xt_DNETMAP.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/extensions/xt_DNETMAP.c b/extensions/xt_DNETMAP.c
-index 1b415c3..de7d4ec 100644
---- a/extensions/xt_DNETMAP.c
-+++ b/extensions/xt_DNETMAP.c
-@@ -367,7 +367,11 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
- __be32 prenat_ip, postnat_ip, prenat_ip_prev;
- const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
- const struct nf_nat_range *mr = &tginfo->prefix;
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 18, 0)
-+ struct nf_nat_range2 newrange;
-+#else
- struct nf_nat_range newrange;
-+#endif
- struct dnetmap_entry *e;
- struct dnetmap_prefix *p;
- __s32 jttl;
diff --git a/net/xtables-addons/patches/003-restore-support-for-Linux-4.9.patch b/net/xtables-addons/patches/003-restore-support-for-Linux-4.9.patch
new file mode 100644
index 000000000..9828f1aa7
--- /dev/null
+++ b/net/xtables-addons/patches/003-restore-support-for-Linux-4.9.patch
@@ -0,0 +1,312 @@
+Restore support for kernel 4.9
+This reverts commits:
+94656621ed269882aedf116f900009f1ccade3f6
+95d4f9e113fae3ef1e161548fe25c43c091392e3
+123e1a14e95f01b6ba2e4a31b3b2a74ff250be57
+f4f3f9860916d2ec88eb8339680d9ca0f64d41a4
+9b1c7c1c047f0e9c6cb4f9abbdb9fd7b86ae6c1b
+---
+ configure.ac | 2 +-
+ extensions/ACCOUNT/xt_ACCOUNT.c | 4 ++++
+ extensions/compat_xtables.h | 8 ++++++--
+ extensions/xt_CHAOS.c | 28 ++++++++++++++++++++++++++--
+ extensions/xt_DELUDE.c | 8 +++++++-
+ extensions/xt_DNETMAP.c | 13 +++++++++++++
+ extensions/xt_ECHO.c | 4 ++++
+ extensions/xt_LOGMARK.c | 8 ++++++++
+ extensions/xt_TARPIT.c | 10 ++++++++++
+ extensions/xt_iface.c | 8 ++++++++
+ extensions/xt_lscan.c | 4 ++++
+ 11 files changed, 91 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 0d3aa72..1cea354 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -59,7 +59,7 @@ if test -n "$kbuilddir"; then
+ echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
+ if test "$kmajor" -gt 5 -o "$kmajor" -eq 5 -a "$kminor" -gt 0; then
+ echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
+- elif test "$kmajor" -eq 4 -a "$kminor" -ge 14; then
++ elif test "$kmajor" -eq 4 -a "$kminor" -ge 9; then
+ :
+ else
+ echo "WARNING: That kernel version is not officially supported.";
+diff --git a/extensions/ACCOUNT/xt_ACCOUNT.c b/extensions/ACCOUNT/xt_ACCOUNT.c
+index 019f5bd..8abe8ab 100644
+--- a/extensions/ACCOUNT/xt_ACCOUNT.c
++++ b/extensions/ACCOUNT/xt_ACCOUNT.c
+@@ -485,7 +485,11 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
+ static unsigned int
+ ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
+ {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ struct ipt_acc_net *ian = net_generic(par->state->net, ipt_acc_net_id);
++#else
++ struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
++#endif
+ struct ipt_acc_table *ipt_acc_tables = ian->ipt_acc_tables;
+ const struct ipt_acc_info *info =
+ par->targinfo;
+diff --git a/extensions/compat_xtables.h b/extensions/compat_xtables.h
+index faf5dd8..23785d9 100644
+--- a/extensions/compat_xtables.h
++++ b/extensions/compat_xtables.h
+@@ -8,8 +8,8 @@
+
+ #define DEBUGP Use__pr_debug__instead
+
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
+-# warning Kernels below 4.14 not supported.
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 0)
++# warning Kernels below 4.9 not supported.
+ #endif
+
+ #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+@@ -44,7 +44,11 @@
+
+ static inline struct net *par_net(const struct xt_action_param *par)
+ {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
+ return par->state->net;
++#else
++ return par->net;
++#endif
+ }
+
+ #ifndef NF_CT_ASSERT
+diff --git a/extensions/xt_CHAOS.c b/extensions/xt_CHAOS.c
+index eec36d4..cee2026 100644
+--- a/extensions/xt_CHAOS.c
++++ b/extensions/xt_CHAOS.c
+@@ -58,7 +58,12 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
+
+ {
+ struct xt_action_param local_par;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ local_par.state = par->state;
++#else
++ local_par.in = par->in,
++ local_par.out = par->out,
++#endif
+ local_par.match = xm_tcp;
+ local_par.matchinfo = &tcp_params;
+ local_par.fragoff = fragoff;
+@@ -73,7 +78,14 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
+ destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
+ {
+ struct xt_action_param local_par;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ local_par.state = par->state;
++#else
++ local_par.in = par->in;
++ local_par.out = par->out;
++ local_par.hooknum = par->hooknum;
++ local_par.family = par->family;
++#endif
+ local_par.target = destiny;
+ local_par.targinfo = par->targinfo;
+ destiny->target(skb, &local_par);
+@@ -96,15 +108,27 @@ chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
+
+ if ((unsigned int)prandom_u32() <= reject_percentage) {
+ struct xt_action_param local_par;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ local_par.state = par->state;
++#else
++ local_par.in = par->in;
++ local_par.out = par->out;
++ local_par.hooknum = par->hooknum;
++#endif
+ local_par.target = xt_reject;
+ local_par.targinfo = &reject_params;
+ return xt_reject->target(skb, &local_par);
+ }
+
+ /* TARPIT/DELUDE may not be called from the OUTPUT chain */
+- if (iph->protocol == IPPROTO_TCP && info->variant != XTCHAOS_NORMAL &&
+- par->state->hook != NF_INET_LOCAL_OUT)
++ if (iph->protocol == IPPROTO_TCP &&
++ info->variant != XTCHAOS_NORMAL &&
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
++ par->state->hook
++#else
++ par->hooknum
++#endif
++ != NF_INET_LOCAL_OUT)
+ xt_chaos_total(skb, par);
+
+ return NF_DROP;
+diff --git a/extensions/xt_DELUDE.c b/extensions/xt_DELUDE.c
+index 618de5e..221f342 100644
+--- a/extensions/xt_DELUDE.c
++++ b/extensions/xt_DELUDE.c
+@@ -146,7 +146,13 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ * a problem, as that is supported since Linux 2.6.35. But since we do not
+ * actually want to have a connection open, we are still going to drop it.
+ */
+- delude_send_reset(par_net(par), skb, par->state->hook);
++ delude_send_reset(par_net(par), skb,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
++ par->state->hook
++#else
++ par->hooknum
++#endif
++ );
+ return NF_DROP;
+ }
+
+diff --git a/extensions/xt_DNETMAP.c b/extensions/xt_DNETMAP.c
+index de7d4ec..36a59e2 100644
+--- a/extensions/xt_DNETMAP.c
++++ b/extensions/xt_DNETMAP.c
+@@ -356,7 +356,11 @@ out:
+ static unsigned int
+ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ struct net *net = dev_net(par->state->in ? par->state->in : par->state->out);
++#else
++ struct net *net = dev_net(par->in ? par->in : par->out);
++#endif
+ struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
+ struct nf_conn *ct;
+ enum ip_conntrack_info ctinfo;
+@@ -371,7 +375,11 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ struct dnetmap_entry *e;
+ struct dnetmap_prefix *p;
+ __s32 jttl;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ unsigned int hooknum = par->state->hook;
++#else
++ unsigned int hooknum = par->hooknum;
++#endif
+ ct = nf_ct_get(skb, &ctinfo);
+
+ jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
+@@ -496,7 +504,12 @@ bind_new_prefix:
+ newrange.max_addr.ip = postnat_ip;
+ newrange.min_proto = mr->min_proto;
+ newrange.max_proto = mr->max_proto;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->state->hook));
++#else
++ return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
++#endif
++
+ no_rev_map:
+ no_free_ip:
+ spin_unlock_bh(&dnetmap_lock);
+diff --git a/extensions/xt_ECHO.c b/extensions/xt_ECHO.c
+index e99312b..60cb815 100644
+--- a/extensions/xt_ECHO.c
++++ b/extensions/xt_ECHO.c
+@@ -35,7 +35,11 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
+ void *payload;
+ struct flowi6 fl;
+ struct dst_entry *dst = NULL;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ struct net *net = dev_net((par->state->in != NULL) ? par->state->in : par->state->out);
++#else
++ struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
++#endif
+
+ /* This allows us to do the copy operation in fewer lines of code. */
+ if (skb_linearize(oldskb) < 0)
+diff --git a/extensions/xt_LOGMARK.c b/extensions/xt_LOGMARK.c
+index 0474bf8..02e32be 100644
+--- a/extensions/xt_LOGMARK.c
++++ b/extensions/xt_LOGMARK.c
+@@ -77,13 +77,21 @@ logmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
+ "secmark=0x%x classify=0x%x",
+ info->level, (unsigned int)sizeof(info->prefix), info->prefix,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ skb_ifindex(skb), hook_names[par->state->hook],
++#else
++ skb_ifindex(skb), hook_names[par->hooknum],
++#endif
+ skb_nfmark(skb), skb_secmark(skb), skb->priority);
+
+ ct = nf_ct_get(skb, &ctinfo);
+ printk(" ctdir=%s", dir_names[ctinfo >= IP_CT_IS_REPLY]);
+ if (ct == NULL)
+ printk(" ct=NULL ctmark=NULL ctstate=INVALID ctstatus=NONE");
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 12, 0)
++ else if (nf_ct_is_untracked(ct))
++ printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
++#endif
+ else
+ logmark_ct(ct, ctinfo);
+
+diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
+index cb98e9e..b78683c 100644
+--- a/extensions/xt_TARPIT.c
++++ b/extensions/xt_TARPIT.c
+@@ -431,7 +431,12 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
+ /* We are not interested in fragments */
+ if (iph->frag_off & htons(IP_OFFSET))
+ return NF_DROP;
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
++#else
++ tarpit_tcp4(par_net(par), skb, par->hooknum, info->variant);
++#endif
+ return NF_DROP;
+ }
+
+@@ -472,7 +477,12 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
+ pr_debug("addr is not unicast.\n");
+ return NF_DROP;
+ }
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
++#else
++ tarpit_tcp6(par_net(par), skb, par->hooknum, info->variant);
++#endif
+ return NF_DROP;
+ }
+ #endif
+diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c
+index 7704686..be52a52 100644
+--- a/extensions/xt_iface.c
++++ b/extensions/xt_iface.c
+@@ -45,9 +45,17 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
+ const struct xt_action_param *par, struct net_device **put)
+ {
+ if (info->flags & XT_IFACE_DEV_IN)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ return par->state->in;
++#else
++ return par->in;
++#endif
+ else if (info->flags & XT_IFACE_DEV_OUT)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ return par->state->out;
++#else
++ return par->out;
++#endif
+ return *put = dev_get_by_name(&init_net, info->ifname);
+ }
+
+diff --git a/extensions/xt_lscan.c b/extensions/xt_lscan.c
+index 060fe44..3a7d2ed 100644
+--- a/extensions/xt_lscan.c
++++ b/extensions/xt_lscan.c
+@@ -204,7 +204,11 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ unsigned int n;
+
+ n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
+ par->state->in == init_net.loopback_dev, tcph,
++#else
++ par->in == init_net.loopback_dev, tcph,
++#endif
+ skb->len - par->thoff - 4 * tcph->doff);
+
+ ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
+--
+2.21.0
+
diff --git a/net/xtables-addons/patches/300-geoip-endian-detection.patch b/net/xtables-addons/patches/300-geoip-endian-detection.patch
deleted file mode 100644
index 842e7afcc..000000000
--- a/net/xtables-addons/patches/300-geoip-endian-detection.patch
+++ /dev/null
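Review bot: In the three pre-4.10 `#else` branches added to xt_CHAOS.c, the on-stack `local_par` never receives a `net` value, while the compat_xtables.h section of this same patch makes `par_net()` return `par->net` on those kernels and the xt_DELUDE.c and xt_TARPIT.c sections pass `par_net(par)` to `delude_send_reset()` and `tarpit_tcp4()`. If `destiny->target` resolves to those handlers (their registration is outside the quoted context), a 4.9 build would hand an uninitialised stack pointer to the reset and tarpit paths; adding `local_par.net = par->net;` to each `#else` branch would close that gap. The first of the three branches also ends `local_par.in = par->in,` and `local_par.out = par->out,` with commas, so they only form a statement together with the following `local_par.match` assignment; semicolons would match the other two blocks. The enclosing functions start and end outside the quoted context.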
@@ -1,18 +0,0 @@
---- a/extensions/libxt_geoip.c
-+++ b/extensions/libxt_geoip.c
-@@ -59,13 +59,13 @@ geoip_get_subnets(const char *code, uint
-
- /* Use simple integer vector files */
- if (nfproto == NFPROTO_IPV6) {
--#if __BYTE_ORDER == _BIG_ENDIAN
-+#if BYTE_ORDER == BIG_ENDIAN
- snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/BE/%s.iv6", code);
- #else
- snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/LE/%s.iv6", code);
- #endif
- } else {
--#if __BYTE_ORDER == _BIG_ENDIAN
-+#if BYTE_ORDER == BIG_ENDIAN
- snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/BE/%s.iv4", code);
- #else
- snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/LE/%s.iv4", code);