diff -urN orig_iptables-1.8.5/configure iptables-1.8.5/configure --- orig_iptables-1.8.5/configure 2020-06-03 19:07:27.000000000 +0800 +++ iptables-1.8.5/configure 2020-06-19 10:01:35.521711807 +0800 @@ -822,6 +822,9 @@ with_kbuild with_ksource with_xtlibdir +with_pfxmods +with_pf4mods +with_pf6mods enable_ipv4 enable_ipv6 enable_largefile @@ -12460,6 +12463,21 @@ xtlibdir="${libdir}/xtables" fi +# Check whether --with-pfxmods was given. +if test "${with_pfxmods+set}" = set; then : + withval=$with_pfxmods; pfxmods="$withval" +fi + +# Check whether --with-pf4mods was given. +if test "${with_pf4mods+set}" = set; then : + withval=$with_pf4mods; pf4mods="$withval" +fi + +# Check whether --with-pf6mods was given. +if test "${with_pf6mods+set}" = set; then : + withval=$with_pf6mods; pf6mods="$withval" +fi + # Check whether --enable-ipv4 was given. if test "${enable_ipv4+set}" = set; then : enableval=$enable_ipv4; enable_ipv4="$enableval" diff -urN orig_iptables-1.8.5/configure.ac iptables-1.8.5/configure.ac --- orig_iptables-1.8.5/configure.ac 2020-06-03 18:32:01.000000000 +0800 +++ iptables-1.8.5/configure.ac 2020-06-19 10:01:35.521711807 +0800 @@ -33,6 +33,21 @@ [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]), [xtlibdir="$withval"], [xtlibdir="${libdir}/xtables"]) +AC_ARG_WITH([pfxmods], + AS_HELP_STRING([--with-pfxmods=EXTENSIONS], + [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]), + [pfxmods="$withval"], + [pfxmods=""]) +AC_ARG_WITH([pf4mods], + AS_HELP_STRING([--with-pf4mods=EXTENSIONS], + [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]), + [pf4mods="$withval"], + [pf4mods=""]) +AC_ARG_WITH([pf6mods], + AS_HELP_STRING([--with-pf6mods=EXTENSIONS], + [Path where to install Xtables extensions [[LIBEXECDIR/xtables]]]), + [pf6mods="$withval"], + [pf6mods=""]) AC_ARG_ENABLE([ipv4], AS_HELP_STRING([--disable-ipv4], [Do not build iptables]), [enable_ipv4="$enableval"], [enable_ipv4="yes"]) 
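Review bot: The AS_HELP_STRING text for the three new options (`--with-pfxmods`, `--with-pf4mods`, `--with-pf6mods`) is copied from `--with-xtlibdir` and still reads "Path where to install Xtables extensions [[LIBEXECDIR/xtables]]", which is wrong for an option whose value is an extension list (the defaults set `pfxmods=""` etc., not a path). Suggest something like `[Space-separated list of protocol-independent Xtables extensions to build]` for pfxmods, with "IPv4" / "IPv6" for the pf4/pf6 variants, and say what an empty value means. The accompanying `configure` hunk is a hand edit of a generated file; it should be produced by re-running autoconf so the two cannot drift apart.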
@@ -82,6 +97,14 @@ ) LDFLAGS="$saved_LDFLAGS"; +pfx_modules="$pfxmods"; +pf4_modules="$pf4mods"; +pf6_modules="$pf6mods"; + +AC_SUBST([pfx_modules]) +AC_SUBST([pf4_modules]) +AC_SUBST([pf6_modules]) + blacklist_modules="" blacklist_x_modules="" blacklist_b_modules="" diff -urN orig_iptables-1.8.5/extensions/GNUmakefile.in iptables-1.8.5/extensions/GNUmakefile.in --- orig_iptables-1.8.5/extensions/GNUmakefile.in 2020-06-03 18:32:01.000000000 +0800 +++ iptables-1.8.5/extensions/GNUmakefile.in 2020-06-19 10:01:35.521711807 +0800 @@ -50,6 +50,9 @@ pfa_build_mod := $(filter-out @blacklist_modules@ @blacklist_a_modules@,${pfa_build_mod}) pf4_build_mod := $(filter-out @blacklist_modules@ @blacklist_4_modules@,${pf4_build_mod}) pf6_build_mod := $(filter-out @blacklist_modules@ @blacklist_6_modules@,${pf6_build_mod}) +pfx_build_mod := $(filter @pfx_modules@,${pfx_build_mod}) +pf4_build_mod := $(filter @pf4_modules@,${pf4_build_mod}) +pf6_build_mod := $(filter @pf6_modules@,${pf6_build_mod}) pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod}) pfb_objs := $(patsubst %,libebt_%.o,${pfb_build_mod}) pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_mod}) diff -urN orig_iptables-1.8.5/extensions/libipt_MASQUERADE.c iptables-1.8.5/extensions/libipt_MASQUERADE.c --- orig_iptables-1.8.5/extensions/libipt_MASQUERADE.c 2020-06-03 18:32:01.000000000 +0800 +++ iptables-1.8.5/extensions/libipt_MASQUERADE.c 2020-06-19 10:01:35.521711807 +0800 @@ -12,6 +12,7 @@ O_TO_PORTS = 0, O_RANDOM, O_RANDOM_FULLY, + O_MODE, }; static void MASQUERADE_help(void) 
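Review bot: In the extensions/GNUmakefile.in hunk, `pfx_build_mod := $(filter @pfx_modules@,${pfx_build_mod})` (and the pf4/pf6 lines) is applied unconditionally, but configure.ac defaults `pfxmods`/`pf4mods`/`pf6mods` to the empty string, and `$(filter ,list)` yields an empty list, so a build that does not pass `--with-pf*mods` builds no extensions at all. Unless "build nothing by default" is intended, guard each line so an empty substitution keeps the full list, e.g. `ifneq (@pfx_modules@,)` / `pfx_build_mod := $(filter @pfx_modules@,${pfx_build_mod})` / `endif`, and likewise for pf4 and pf6. Note also that `$(filter)` treats `%` in the pattern words specially, so a comment stating that the configure values are plain module names would help the next reader.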
@@ -23,13 +24,16 @@ " --random\n" " Randomize source port.\n" " --random-fully\n" -" Fully randomize source port.\n"); +" Fully randomize source port.\n" +" --mode \n" +" NAT mode.\n"); } static const struct xt_option_entry MASQUERADE_opts[] = { {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, + {.name = "mode", .id = O_MODE, .type = XTTYPE_STRING}, XTOPT_TABLEEND, }; @@ -90,6 +94,9 @@ else portok = 0; + /* Borrow this field as mode value. The default is symmetric */ + mr->range[0].min_ip = 0; + xtables_option_parse(cb); switch (cb->entry->id) { case O_TO_PORTS: @@ -104,6 +111,15 @@ case O_RANDOM_FULLY: mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; break; + case O_MODE: + if (strcasecmp(cb->arg, "fullcone") == 0) + mr->range[0].min_ip = 1; + else if (strcasecmp(cb->arg, "symmetric") == 0) + mr->range[0].min_ip = 0; + else + xtables_error(PARAMETER_PROBLEM, + "Unknown mode %s", cb->arg); + break; } } @@ -126,6 +142,8 @@ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) printf(" random-fully"); + if (r->min_ip == 1) + printf("mode: fullcone "); } static void @@ -145,6 +163,9 @@ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) printf(" --random-fully"); + + if (r->min_ip == 1) + printf("--mode fullcone "); } static int MASQUERADE_xlate(struct xt_xlate *xl, diff -urN orig_iptables-1.8.5/extensions/libxt_blog.c iptables-1.8.5/extensions/libxt_blog.c --- orig_iptables-1.8.5/extensions/libxt_blog.c 1970-01-01 08:00:00.000000000 +0800 +++ iptables-1.8.5/extensions/libxt_blog.c 2020-06-19 10:01:35.525711768 +0800 
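Review bot: In the libipt_MASQUERADE.c save hunk, `printf("--mode fullcone ");` has no leading space, so `iptables-save` output runs it into the preceding token (e.g. `--random-fully--mode fullcone`) and cannot be restored; the print hunk's `printf("mode: fullcone ");` has the same inverted spacing. Change them to `printf(" --mode fullcone");` and `printf(" mode: fullcone");`, matching the surrounding `" --random-fully"` style. The parse hunk repurposes `mr->range[0].min_ip` as a mode flag; that field is part of the structure passed to the kernel and an unpatched kernel or the existing xlate path will read it as an IPv4 address, so the `/* Borrow this field ... */` comment should say which kernel change consumes it. The help text `" --mode \n"` should also list the accepted values, `" --mode symmetric|fullcone\n"`.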
@@ -0,0 +1,85 @@ +/* Shared library add-on to iptables to add blog match support. */ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static void blog_match_help(void) +{ + printf( +"blog match options:\n" +"[!] --tcp-pureack match when blog TCP Pure ACK is\n" +" detected.\n"); +} + +static const struct option blog_match_opts[] = { + {.name = "tcp-pureack", .has_arg = false, .val = '1'}, + XT_GETOPT_TABLEEND, +}; + +static int +blog_match_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_blog *bloginfo = (struct xt_blog *)(*match)->data; + + switch (c) { + case '1': + bloginfo->tcp_pure_ack = 1; + bloginfo->invert = invert; + break; + } + + return 1; +} + +static void +blog_match_print(const void *ip, const struct xt_entry_match *match, int numeric) +{ + const struct xt_blog *bloginfo = (struct xt_blog *)match->data; + + printf(" blog"); + if (bloginfo->tcp_pure_ack) + printf(" TCP Pure ACK"); + if (bloginfo->invert) + printf(" not detected"); + else + printf(" detected"); +} + +static void +blog_match_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_blog *bloginfo = (struct xt_blog *)match->data; + + printf(" blog"); + if (bloginfo->tcp_pure_ack) { + if (bloginfo->invert) + printf(" !"); + printf(" --tcp-pureack "); + } +} + +static struct xtables_match blog_match = { + .family = NFPROTO_UNSPEC, + .name = "blog", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_blog)), + .userspacesize = XT_ALIGN(sizeof(struct xt_blog)), + .help = blog_match_help, + .parse = blog_match_parse, + .print = blog_match_print, + .save = blog_match_save, + .extra_opts = blog_match_opts, +}; + +void +_init(void) +{ + xtables_register_match(&blog_match); +} diff -urN orig_iptables-1.8.5/extensions/libxt_flowlabel.c iptables-1.8.5/extensions/libxt_flowlabel.c --- orig_iptables-1.8.5/extensions/libxt_flowlabel.c 1970-01-01 
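Review bot: `blog_match_parse` never touches `*flags` and the match registers no `final_check`, so `--tcp-pureack` given twice is silently accepted and a rule with no option at all is accepted with `tcp_pure_ack == 0`, yet `blog_match_print` still prints " detected" for it. Set a flag bit in `case '1':` (rejecting a repeat with `xtables_error(PARAMETER_PROBLEM, ...)` as other legacy extensions do) and add a `.final_check` that errors when the flag is unset. The `switch` also lacks a `default`, and `blog_match_save` emits `" --tcp-pureack "` with a trailing space that ends up in `iptables-save` output; drop it.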
08:00:00.000000000 +0800 +++ iptables-1.8.5/extensions/libxt_flowlabel.c 2020-06-19 10:01:35.525711768 +0800 
@@ -0,0 +1,106 @@ +/* + * Shared library add-on to iptables to add IPv6 flowlabel match support + * + * BRCM, Feb, 1. 2019. + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "linux/netfilter/xt_flowlabel.h" + +enum { + O_FLOWLABEL = 1 << 0, +}; + + +static const struct xt_option_entry flowlabel_mt_opts[] = { + {.name = "flowlabel", .id = O_FLOWLABEL, .type = XTTYPE_UINT32, + .flags = XTOPT_INVERT | XTOPT_MAND, .max = XT_FLOWLABEL_MAX}, + XTOPT_TABLEEND, +}; + +static void flowlabel_mt_help(void) +{ + printf( +"flowlabel match options:\n" +"[!] --flowlabel value Match IPv6 flowlabel field value\n" +" Max value: 0x%05X\n", XT_FLOWLABEL_MAX); +} + +static void flowlabel_mt_parse(struct xt_option_call *cb) +{ + struct xt_flowlabel_info *info = cb->data; + + xtables_option_parse(cb); + info->flowlabel = cpu_to_be32(cb->val.u32); + if (cb->invert) + info->invert = true; +} + +static void flowlabel_mt_check(struct xt_fcheck_call *cb) +{ + if (cb->xflags == 0) + xtables_error(PARAMETER_PROBLEM, + "flowlabel match: Parameter --flowlabel is required"); +} + +static int flowlabel_mt_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct xt_flowlabel_info *info = + (const struct xt_flowlabel_info *)params->match->data; + + xt_xlate_add(xl, "flowlabel %s0x%05X", info->invert ? 
"!= " : "", + be32_to_cpu(info->flowlabel)); + + return 1; +} + +static void flowlabel_mt_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct xt_flowlabel_info *info = (const void *)match->data; + + printf(" flowlabel match "); + if (info->invert) + printf("!"); + + printf("0x%05X", be32_to_cpu(info->flowlabel)); +} + +static void flowlabel_mt_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_flowlabel_info *info = (const void *)match->data; + + if (info->invert) + printf(" !"); + printf(" --flowlabel 0x%05X", be32_to_cpu(info->flowlabel)); +} + +static struct xtables_match flowlabel_mt_reg = { + .family = NFPROTO_IPV6, + .name = "flowlabel", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_flowlabel_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_flowlabel_info)), + .help = flowlabel_mt_help, + .print = flowlabel_mt_print, + .save = flowlabel_mt_save, + .x6_parse = flowlabel_mt_parse, + .x6_fcheck = flowlabel_mt_check, + .xlate = flowlabel_mt_xlate, + .x6_options = flowlabel_mt_opts, + +}; + +void _init(void) +{ + xtables_register_match(&flowlabel_mt_reg); +} diff -urN orig_iptables-1.8.5/extensions/libxt_mac_extend.c iptables-1.8.5/extensions/libxt_mac_extend.c --- orig_iptables-1.8.5/extensions/libxt_mac_extend.c 1970-01-01 08:00:00.000000000 +0800 +++ iptables-1.8.5/extensions/libxt_mac_extend.c 2020-06-19 10:01:35.525711768 +0800 
@@ -0,0 +1,156 @@ + +/* extend from libxt_mac.c for MAC address extend match operations, + * i.e, MAC/mask. + * BRCM, Jan, 31. 2019. + */ + + +#include +#include +#include +#if defined(__GLIBC__) && __GLIBC__ == 2 +#include +#else +#include +#endif +#include +#include + +enum { + O_MAC = 0, +}; + +static void mac_help(void) +{ + printf( +"mac extend match options:\n" +"[!] --mac-source-extend[/mask] XX:XX:XX:XX:XX:XX/FF:FF:FF:00:00:00\n" +" Match source MAC address/mask\n"); +} + +#define s struct xt_mac_info_extend +static const struct xt_option_entry mac_opts[] = { + {.name = "mac-source-extend", .id = O_MAC, .type = XTTYPE_ETHERMAC, + .flags = XTOPT_MAND | XTOPT_INVERT | XTOPT_PUT, + XTOPT_POINTER(s, srcaddr)}, + XTOPT_TABLEEND, +}; +#undef s + +static int mac_mask(char *mask_in, unsigned char *mask_out) +{ + const char *arg = mask_in; + unsigned int i; + char *end; + + for (i = 0; i < ETH_ALEN; ++i) { + mask_out[i] = strtoul(arg, &end, 16); + if (((i < (ETH_ALEN - 1)) && (*end != ':')) || + ((i == (ETH_ALEN - 1)) && (*end != '\0' )) || + (end - arg > 2)) + return -1; + arg = end + 1; + } + return 0; +} + +static void mac_parse(struct xt_option_call *cb) +{ + struct xt_mac_info_extend *macinfo = cb->data; + char *p; + + /* first the mask */ + if ((p = strrchr(cb->arg, '/')) != NULL) { + *p = '\0'; + if (mac_mask(p + 1, macinfo->msk)) { + xtables_error(PARAMETER_PROBLEM, + "Problem with the MAC mask '%s'", p + 1); + return; + } + } else { + /* default mask = FF:FF:FF:FF:FF:FF */ + int i; + for (i = 0; i < ETH_ALEN; i++) { + macinfo->msk[i] = 0xFF; + } + } + + xtables_option_parse(cb); + if (cb->invert) + macinfo->invert = 1; +} + +static void print_mac(const unsigned char *macaddress) +{ + unsigned int i; + + printf(" %02X", macaddress[0]); + for (i = 1; i < ETH_ALEN; ++i) + printf(":%02X", macaddress[i]); +} + +static void +mac_print(const void *ip, const struct xt_entry_match *match, int numeric) +{ + const struct xt_mac_info_extend *info = (void *)match->data; 
+ + printf(" MAC"); + + if (info->invert) + printf(" !"); + + print_mac(info->srcaddr); + printf(" /"); + print_mac(info->msk); +} + +static void mac_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_mac_info_extend *info = (void *)match->data; + + if (info->invert) + printf(" !"); + + printf(" --mac-source"); + print_mac(info->srcaddr); +} + +static void print_mac_xlate(const unsigned char *macaddress, + struct xt_xlate *xl) +{ + unsigned int i; + + xt_xlate_add(xl, "%02x", macaddress[0]); + for (i = 1; i < ETH_ALEN; ++i) + xt_xlate_add(xl, ":%02x", macaddress[i]); +} + +static int mac_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) +{ + const struct xt_mac_info_extend *info = (void *)params->match->data; + + xt_xlate_add(xl, "ether saddr%s ", info->invert ? " !=" : ""); + print_mac_xlate(info->srcaddr, xl); + + return 1; +} + +static struct xtables_match mac_match = { + .family = NFPROTO_UNSPEC, + .name = "mac-extend", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_mac_info_extend)), + .userspacesize = XT_ALIGN(sizeof(struct xt_mac_info_extend)), + .help = mac_help, + .x6_parse = mac_parse, + .print = mac_print, + .save = mac_save, + .x6_options = mac_opts, + .xlate = mac_xlate, +}; + +void _init(void) +{ + xtables_register_match(&mac_match); +} diff -urN orig_iptables-1.8.5/extensions/libxt_SKIPLOG.c iptables-1.8.5/extensions/libxt_SKIPLOG.c --- orig_iptables-1.8.5/extensions/libxt_SKIPLOG.c 1970-01-01 08:00:00.000000000 +0800 +++ iptables-1.8.5/extensions/libxt_SKIPLOG.c 2020-06-19 10:01:35.525711768 +0800 
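Review bot: `mac_save` prints `" --mac-source"`, the option name of the stock mac match, not this extension's `--mac-source-extend`, and it omits the mask entirely, so `iptables-save` output for a `mac-extend` rule cannot be restored and a non-trivial mask is silently lost; `mac_xlate` drops the mask the same way. `mac_parse` also writes through `cb->arg` (`*p = '\0'`), which libxtables declares `const`; copying the argument into a local buffer before splitting on '/' avoids mutating argv. The save side should emit one token in the form `mac_parse` accepts, `XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF`; `print_mac` cannot be reused for the mask because it emits a leading space.
```c
static void mac_save(const void *ip, const struct xt_entry_match *match)
{
	const struct xt_mac_info_extend *info = (void *)match->data;
	unsigned int i;

	if (info->invert)
		printf(" !");

	/* one "addr/mask" token: mac_parse splits on the last '/' */
	printf(" --mac-source-extend");
	print_mac(info->srcaddr);
	printf("/%02X", info->msk[0]);
	for (i = 1; i < ETH_ALEN; ++i)
		printf(":%02X", info->msk[i]);
}
```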
@@ -0,0 +1,51 @@ +/* Shared library add-on to iptables to add SKIPLOG target support. */ +#include +#include +#include +#include + +#include +#include + +/* Function which prints out usage message. */ +static void SKIPLOG_help(void) +{ + printf( +"SKIPLOG target v%s takes no options\n", +XTABLES_VERSION); +} + +/* Function which parses command options; returns true if it + ate an option */ +static int +SKIPLOG_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + return 0; +} + +static struct xtables_target skiplog_target = { + .family = AF_INET, + .name = "SKIPLOG", + .version = XTABLES_VERSION, + .size = XT_ALIGN(0), + .userspacesize = XT_ALIGN(0), + .help = SKIPLOG_help, + .parse = SKIPLOG_parse, +}; + +static struct xtables_target skiplog_target6 = { + .family = AF_INET6, + .name = "SKIPLOG", + .version = XTABLES_VERSION, + .size = XT_ALIGN(0), + .userspacesize = XT_ALIGN(0), + .help = SKIPLOG_help, + .parse = SKIPLOG_parse, +}; + +void _init(void) +{ + xtables_register_target(&skiplog_target); + xtables_register_target(&skiplog_target6); +} diff -urN orig_iptables-1.8.5/extensions/libxt_tcp.c iptables-1.8.5/extensions/libxt_tcp.c --- orig_iptables-1.8.5/extensions/libxt_tcp.c 2020-06-03 18:32:01.000000000 +0800 +++ iptables-1.8.5/extensions/libxt_tcp.c 2020-06-19 10:01:35.525711768 +0800 @@ -23,7 +23,9 @@ "[!] --destination-port port[:port]\n" " --dport ...\n" " match destination port(s)\n" -"[!] --tcp-option number match if TCP option set\n"); +"[!] --tcp-option number match if TCP option set\n" +"[!] --tcp-pureack match when only ACK flag set and\n" +" payload length is zero\n"); } static const struct option tcp_opts[] = { @@ -34,6 +36,7 @@ {.name = "syn", .has_arg = false, .val = '3'}, {.name = "tcp-flags", .has_arg = true, .val = '4'}, {.name = "tcp-option", .has_arg = true, .val = '5'}, + {.name = "tcp-pureack", .has_arg = false, .val = '6'}, XT_GETOPT_TABLEEND, }; 
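Review bot: libxt_SKIPLOG.c registers two byte-identical targets, `skiplog_target` for `AF_INET` and `skiplog_target6` for `AF_INET6`, where a single registration with `.family = NFPROTO_UNSPEC` (as the new libxt_blog.c in this same patch does for its match) covers both families and halves the table. If the two are kept, use `NFPROTO_IPV4`/`NFPROTO_IPV6` like the rest of the extensions directory rather than the socket-level `AF_*` constants. `SKIPLOG_parse` unconditionally returns 0 and the help says the target takes no options, so a one-line comment on the stub, `/* no options: every option is rejected */`, would make that intent explicit.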
@@ -168,7 +171,7 @@ if (*flags & TCP_FLAGS) xtables_error(PARAMETER_PROBLEM, "Only one of `--syn' or `--tcp-flags' " - " allowed"); + " or --tcp-pureack allowed"); parse_tcp_flags(tcpinfo, "SYN,RST,ACK,FIN", "SYN", invert); *flags |= TCP_FLAGS; break; @@ -177,7 +180,7 @@ if (*flags & TCP_FLAGS) xtables_error(PARAMETER_PROBLEM, "Only one of `--syn' or `--tcp-flags' " - " allowed"); + " or --tcp-pureack allowed"); if (!argv[optind] || argv[optind][0] == '-' || argv[optind][0] == '!') xtables_error(PARAMETER_PROBLEM, @@ -198,6 +201,16 @@ tcpinfo->invflags |= XT_TCP_INV_OPTION; *flags |= TCP_OPTION; break; + + case '6': + if (*flags & TCP_FLAGS) + xtables_error(PARAMETER_PROBLEM, + "Only one of `--syn' or `--tcp-flags' " + " or --tcp-pureack allowed"); + parse_tcp_flags(tcpinfo, "SYN,RST,ACK,FIN", "ACK", invert); + tcpinfo->pure_ack = 1; + *flags |= TCP_FLAGS; + break; } return 1; @@ -307,6 +320,8 @@ print_flags(tcp->flg_mask, tcp->flg_cmp, tcp->invflags & XT_TCP_INV_FLAGS, numeric); + if (tcp->pure_ack) + printf(" pure ACK"); if (tcp->invflags & ~XT_TCP_INV_MASK) printf(" Unknown invflags: 0x%X", tcp->invflags & ~XT_TCP_INV_MASK); @@ -360,6 +375,12 @@ printf(" "); print_tcpf(tcpinfo->flg_cmp); } + + if (tcpinfo->pure_ack) { + if (tcpinfo->invflags & XT_TCP_INV_FLAGS) + printf(" !"); + printf(" --tcp-pureack "); + } } static const struct tcp_flag_names tcp_flag_names_xlate[] = { diff -urN orig_iptables-1.8.5/include/linux/netfilter/nf_conntrack_tuple_common.h iptables-1.8.5/include/linux/netfilter/nf_conntrack_tuple_common.h --- orig_iptables-1.8.5/include/linux/netfilter/nf_conntrack_tuple_common.h 2020-06-03 18:32:01.000000000 +0800 +++ iptables-1.8.5/include/linux/netfilter/nf_conntrack_tuple_common.h 2020-06-19 10:01:35.525711768 +0800 
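Review bot: The `case '6':` branch in libxt_tcp.c sets the flag mask/compare through `parse_tcp_flags(..., "ACK", invert)` and then `tcpinfo->pure_ack = 1`, but the save hunk appends `--tcp-pureack` after the existing `--tcp-flags` block, whose closing lines (`print_tcpf(tcpinfo->flg_cmp); }`) are the context shown, so a saved pure-ACK rule contains both options and `iptables-restore` trips the new "Only one of ... or --tcp-pureack allowed" error. Guard the existing flags block (its `if` is above the hunk) with `!tcpinfo->pure_ack`, or skip `--tcp-pureack` when the flags block already printed; the enclosing save function starts outside the hunk. The `--tcp-pureack` save line also has a trailing space, `printf(" --tcp-pureack ");`, which should be `printf(" --tcp-pureack");`. The xlate path of this file is not in the diff, so it presumably still translates a pure-ACK rule as a plain flags match.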
@@ -32,6 +32,11 @@ struct { __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */ } gre; +#ifdef SUPPORT_IPSEC_PASSTHROUGH + struct { + __be16 spi; + } esp; +#endif }; #define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL) diff -urN orig_iptables-1.8.5/include/linux/netfilter/xt_blog.h iptables-1.8.5/include/linux/netfilter/xt_blog.h --- orig_iptables-1.8.5/include/linux/netfilter/xt_blog.h 1970-01-01 08:00:00.000000000 +0800 +++ iptables-1.8.5/include/linux/netfilter/xt_blog.h 2020-06-19 10:01:35.525711768 +0800 @@ -0,0 +1,11 @@ +#ifndef _XT_BLOG_H +#define _XT_BLOG_H + +#include + +struct xt_blog { + __u8 tcp_pure_ack; + __u8 invert; +}; + +#endif /*_XT_BLOG_H*/ diff -urN orig_iptables-1.8.5/include/linux/netfilter/xt_flowlabel.h iptables-1.8.5/include/linux/netfilter/xt_flowlabel.h --- orig_iptables-1.8.5/include/linux/netfilter/xt_flowlabel.h 1970-01-01 08:00:00.000000000 +0800 +++ iptables-1.8.5/include/linux/netfilter/xt_flowlabel.h 2020-06-19 10:01:35.525711768 +0800 
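Review bot: The new `esp` member in nf_conntrack_tuple_common.h declares `__be16 spi`, but an ESP SPI is a 32-bit field, so either only half of it is keyed on or the kernel side truncates; if keying on 16 bits is deliberate it needs a comment like the neighbouring `/* GRE key is 32bit, PPtP only uses 16bit */`. This is a copy of a kernel uapi header, so `SUPPORT_IPSEC_PASSTHROUGH` has to be defined identically for the kernel and for the iptables build; the diff does not show where it is set. The xt_blog.h hunk is fine as a layout (two `__u8`), but `tcp_pure_ack` and `invert` would benefit from the same one-line field comments the other headers carry.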
@@ -0,0 +1,35 @@ +#ifndef _XT_FLOWLABEL_H +#define _XT_FLOWLABEL_H + +/* + * Shared library add-on to iptables to add IPv6 flowlabel match support + * + * BRCM, Feb, 1. 2019. + */ + +#include + + +#if defined(__LITTLE_ENDIAN) && (__BYTE_ORDER == __LITTLE_ENDIAN) +#define be32_to_cpu(x) bswap_32(x) +#define cpu_to_be32(x) bswap_32(x) + +#elif defined(__BIG_ENDIAN) && (__BYTE_ORDER == __BIG_ENDIAN) +#define be32_to_cpu(x) (x) +#define cpu_to_be32(x) (x) + +#else +#error "You must define __BYTE_ORDER to be __LITTLE_ENDIAN or __BIG_ENDIAN." +#endif // defined(__LITTLE_ENDIAN) && (__BYTE_ORDER == __LITTLE_ENDIAN) + + +#define XT_FLOWLABEL_MAX 0x000FFFFF + +/* match info */ +struct xt_flowlabel_info { + __be32 flowlabel; + __u8 invert; +}; + +#endif /*_XT_FLOWLABEL_H*/ + diff -urN orig_iptables-1.8.5/include/linux/netfilter/xt_mac_extend.h iptables-1.8.5/include/linux/netfilter/xt_mac_extend.h --- orig_iptables-1.8.5/include/linux/netfilter/xt_mac_extend.h 1970-01-01 08:00:00.000000000 +0800 +++ iptables-1.8.5/include/linux/netfilter/xt_mac_extend.h 2020-06-19 10:01:35.525711768 +0800 @@ -0,0 +1,14 @@ +#ifndef _XT_MAC_EXTEND_H +#define _XT_MAC_EXTEND_H + +/* extend from xt_mac.h for MAC address extend match operations, + * i.e, MAC/mask. + * BRCM, Jan, 31. 2019. + */ + +struct xt_mac_info_extend { + unsigned char srcaddr[ETH_ALEN]; + unsigned char msk[ETH_ALEN]; + int invert; +}; +#endif /*_XT_MAC_EXTEND_H*/ diff -urN orig_iptables-1.8.5/include/linux/netfilter/xt_tcpudp.h iptables-1.8.5/include/linux/netfilter/xt_tcpudp.h --- orig_iptables-1.8.5/include/linux/netfilter/xt_tcpudp.h 2020-06-03 18:32:01.000000000 +0800 +++ iptables-1.8.5/include/linux/netfilter/xt_tcpudp.h 2020-06-19 10:01:35.525711768 +0800 
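Review bot: xt_flowlabel.h defines `be32_to_cpu`/`cpu_to_be32` as macros over `bswap_32` and `__BYTE_ORDER`; those names are the kernel's and the building blocks need `<byteswap.h>` and `<endian.h>`, and the hunk's single `#include` lost its target in rendering so it cannot be confirmed which header is pulled in. A userspace header can use glibc's `htobe32()`/`be32toh()` from `<endian.h>` directly and drop the `#if`/`#error` ladder. If the macros stay, a comment stating that the userspace names intentionally mirror the kernel ones (and that the header must not be included together with kernel byteorder headers) would prevent a redefinition surprise.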
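Review bot: xt_mac_extend.h uses `ETH_ALEN` for both array sizes but contains no `#include`, so it only compiles when the includer happened to pull in `<linux/if_ether.h>` first; add `#include <linux/if_ether.h>` after the guard (the stock xt_mac.h does the same). The struct is also the kernel-facing match data, so a comment should record that `msk` is applied to `srcaddr` and that `invert` is a boolean in an `int`, mirroring the kernel-side definition this header is meant to match.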
@@ -11,6 +11,7 @@ __u8 flg_mask; /* TCP flags mask byte */ __u8 flg_cmp; /* TCP flags compare byte */ __u8 invflags; /* Inverse flags */ + __u8 pure_ack; /* Pure ACK packet */ }; /* Values for "inv" field in struct ipt_tcp. */ diff -urN orig_iptables-1.8.5/iptables/Makefile.am iptables-1.8.5/iptables/Makefile.am --- orig_iptables-1.8.5/iptables/Makefile.am 2020-06-03 18:32:01.000000000 +0800 +++ iptables-1.8.5/iptables/Makefile.am 2020-06-19 10:01:35.525711768 +0800 @@ -22,7 +22,7 @@ xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a endif xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c -xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm +xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm -ldl # iptables using nf_tables api if ENABLE_NFTABLES @@ -104,7 +104,6 @@ # Using if..fi avoids an ugly "error (ignored)" message :) install-exec-hook: - -if test -z "${DESTDIR}"; then /sbin/ldconfig; fi; ${INSTALL} -dm0755 "${DESTDIR}${bindir}"; for i in ${vx_bin_links}; do ${LN_S} -f "${sbindir}/xtables-legacy-multi" "${DESTDIR}${bindir}/$$i"; done; for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done; diff -urN orig_iptables-1.8.5/iptables/Makefile.in iptables-1.8.5/iptables/Makefile.in --- orig_iptables-1.8.5/iptables/Makefile.in 2020-06-03 19:07:28.000000000 +0800 +++ iptables-1.8.5/iptables/Makefile.in 2020-06-19 10:01:35.525711768 +0800 
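Review bot: Appending `__u8 pure_ack` to `struct xt_tcp` in xt_tcpudp.h changes the size of a kernel ABI structure (12 to 13 bytes before `XT_ALIGN`), and the kernel's tcp match validates its match data against `sizeof(struct xt_tcp)`, so every `-p tcp` rule is rejected (or misread) on a kernel that lacks the matching change; that kernel change is not part of this diff. The field comment should say so, e.g. `/* Pure ACK packet; requires the matching kernel xt_tcp change */`, and a revision bump would be the usual way to keep old and new layouts apart. The iptables/Makefile.am hunks (adding `-ldl`, dropping the `ldconfig` call) look like build-environment adjustments and raise nothing on their own.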
@@ -1550,7 +1550,6 @@ # Using if..fi avoids an ugly "error (ignored)" message :) install-exec-hook: - -if test -z "${DESTDIR}"; then /sbin/ldconfig; fi; ${INSTALL} -dm0755 "${DESTDIR}${bindir}"; for i in ${vx_bin_links}; do ${LN_S} -f "${sbindir}/xtables-legacy-multi" "${DESTDIR}${bindir}/$$i"; done; for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done; diff -urN orig_iptables-1.8.5/libxtables/xtoptions.c iptables-1.8.5/libxtables/xtoptions.c --- orig_iptables-1.8.5/libxtables/xtoptions.c 2020-06-03 18:32:01.000000000 +0800 +++ iptables-1.8.5/libxtables/xtoptions.c 2020-06-19 10:01:35.525711768 +0800 @@ -545,6 +545,10 @@ struct addrinfo *res = NULL, *p; int ret; + /* brcm */ + if ((ret = strtol(name, NULL, 0)) > 0) + return ret; + ret = getaddrinfo(NULL, name, NULL, &res); if (ret != 0) return -1; --- orig_iptables-1.8.5/include/linux/netfilter/xt_connlimit.h 2020-06-03 03:32:01.000000000 -0700 +++ iptables-1.8.5/include/linux/netfilter/xt_connlimit.h 2021-05-05 17:29:38.942364440 -0700 @@ -8,6 +8,7 @@ enum { XT_CONNLIMIT_INVERT = 1 << 0, XT_CONNLIMIT_DADDR = 1 << 1, + XT_CONNLIMIT_DADDR_DPORT = 1 << 2, }; struct xt_connlimit_info { --- orig_iptables-1.8.5/extensions/libxt_connlimit.c 2020-06-03 03:32:01.000000000 -0700 +++ iptables-1.8.5/extensions/libxt_connlimit.c 2021-05-05 17:33:44.653129935 -0700 @@ -10,6 +10,7 @@ O_MASK, O_SADDR, O_DADDR, + O_DADDR_DPORT, F_UPTO = 1 << O_UPTO, F_ABOVE = 1 << O_ABOVE, F_MASK = 1 << O_MASK, @@ -25,7 +26,8 @@ " --connlimit-above n match if the number of existing connections is >n\n" " --connlimit-mask n group hosts using prefix length (default: max len)\n" " --connlimit-saddr select source address for grouping\n" -" --connlimit-daddr select destination addresses for grouping\n"); +" --connlimit-daddr select destination addresses for grouping\n" +" --connlimit-daddr-dport select destination addresses for grouping\n"); } #define s struct xt_connlimit_info 
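Review bot: The `/* brcm */` shortcut in libxtables/xtoptions.c, `if ((ret = strtol(name, NULL, 0)) > 0) return ret;`, returns any positive `long` as a port without checking that the whole string was consumed or that the value fits in 16 bits, so inputs like `80abc` or `70000` that the numeric path above rejected now pass (the caller is above the hunk, so where the value is truncated is not visible here). It also stores a `long` into the `int ret` declared for `getaddrinfo`. Check the end pointer and the range, and replace the comment with one that says why the shortcut exists (presumably: no services database on the target).
```c
	/* Numeric ports without consulting the services database */
	char *end;
	long port = strtol(name, &end, 0);
	if (end != name && *end == '\0' && port > 0 && port <= UINT16_MAX)
		return (int)port;

	/* … unchanged: getaddrinfo lookup … */
```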
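Review bot: In the libxt_connlimit.c help hunk, the new line `" --connlimit-daddr-dport select destination addresses for grouping\n"` repeats the `--connlimit-daddr` description word for word, so the help does not say what the option adds. Suggest `" --connlimit-daddr-dport group by destination address and destination port (IPv4 only)\n"`, which also surfaces the family restriction enforced in the parse hunk.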
@@ -42,6 +44,8 @@ .type = XTTYPE_NONE}, {.name = "connlimit-daddr", .id = O_DADDR, .excl = F_SADDR, .type = XTTYPE_NONE}, + {.name = "connlimit-daddr-dport", .id = O_DADDR_DPORT, .excl = F_SADDR, + .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; #undef s @@ -83,6 +87,16 @@ "--connlimit-daddr"); info->flags |= XT_CONNLIMIT_DADDR; break; + case O_DADDR_DPORT: + if (revision < 1) + xtables_error(PARAMETER_PROBLEM, + "xt_connlimit.0 does not support " + "--connlimit-daddr-dport"); + if (family != NFPROTO_IPV4) + xtables_error(PARAMETER_PROBLEM, + " --connlimit-daddr-dport is supported only for IPV4 "); + info->flags |= XT_CONNLIMIT_DADDR_DPORT; + break; } } @@ -131,7 +145,7 @@ const struct xt_connlimit_info *info = (const void *)match->data; printf(" #conn %s/%u %s %u", - (info->flags & XT_CONNLIMIT_DADDR) ? "dst" : "src", + (info->flags & XT_CONNLIMIT_DADDR_DPORT) ? "dstip+dport" : ((info->flags & XT_CONNLIMIT_DADDR) ? "dst" : "src"), count_bits4(info->v4_mask), (info->flags & XT_CONNLIMIT_INVERT) ? "<=" : ">", info->limit); } @@ -158,7 +172,9 @@ printf(" --connlimit-above %u", info->limit); printf(" --connlimit-mask %u", count_bits4(info->v4_mask)); if (revision >= 1) { - if (info->flags & XT_CONNLIMIT_DADDR) + if (info->flags & XT_CONNLIMIT_DADDR_DPORT) + printf(" --connlimit-daddr-dport"); + else if (info->flags & XT_CONNLIMIT_DADDR) printf(" --connlimit-daddr"); else printf(" --connlimit-saddr");
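Review bot: The new `connlimit-daddr-dport` option entry is only `.excl = F_SADDR`, so `--connlimit-daddr` and `--connlimit-daddr-dport` can be given together; the print and save hunks then silently prefer `XT_CONNLIMIT_DADDR_DPORT` while both flag bits reach the kernel. Define `F_DADDR_DPORT = 1 << O_DADDR_DPORT` next to the other `F_*` constants (enum hunk on the previous line), set `.excl = F_SADDR | F_DADDR` on the new entry (assuming `F_DADDR` is defined alongside `F_SADDR` above the hunk) and add `F_DADDR_DPORT` to the `.excl` of the saddr and daddr entries. The error string `" --connlimit-daddr-dport is supported only for IPV4 "` has stray leading and trailing spaces; `"--connlimit-daddr-dport is supported only for IPv4"` matches the message style of the `revision < 1` check above it. The nested ternary in the print hunk is hard to read; a small helper returning the `"dstip+dport"`/`"dst"`/`"src"` string would keep the `printf` flat.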