geoip: add database query tool for use with ipsets
Add a tool for retrieving the IPv4 or IPv6 (or both!) CIDR ranges
for a given country, which can then be injected into an ipset if
one doesn't want to use (or have available) the xt_geoip extension.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Requires Net::CIDR::Lite for manipulating CIDR blocks, aggregation, etc.
since the database is stored as subnet/mask pairs and may require compaction
into ranges (which can combine adjacent subnets).
We don't use Net::CIDR because it's a clunkier interface.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Jan Engelhardt [Sun, 23 Jul 2017 17:56:30 +0000 (19:56 +0200)]
ipp2p: fix PVSStudio reports
V666 Consider inspecting fourth argument of the function 'HX_memmem'.
It is possible that the value does not correspond with the length of
a string which was passed with the third argument.
Jan Engelhardt [Thu, 15 Jun 2017 10:15:48 +0000 (12:15 +0200)]
xt_DNETMAP: fix a buffer overflow
prefix_str was only 16 bytes, but the largest emitted string could be
"255.255.255.255/32" (19 bytes).
xt_DNETMAP.c: In function "dnetmap_tg_check":
compat_xtables.h:46:22: warning: "%u" directive writing between 1 and 10
bytes into a region of size between 0 and 8 [-Wformat-overflow=]
# define NIPQUAD_FMT "%u.%u.%u.%u"
xt_DNETMAP.c:296:2: note: "sprintf" output between 10 and 27 bytes into
a destination of size 16
sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->min_addr.ip),
33 - ffs(~(ip_min ^ ip_max)));
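The overflow above, reproduced in userspace as an added example (not xtables-addons code): the 16-byte `prefix_str` beside a bounds-checked formatter, using the commit's own prefix-length expression. Assumed: host-order IPv4 addresses, and a byte split in place of the kernel's NIPQUAD macros so it runs outside the kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* ffs() */

#define OLD_PREFIX_LEN 16   /* size of prefix_str before the fix */
#define PREFIX_STR_MAX 19   /* "255.255.255.255/32" plus NUL */

/* Prefix length of the block spanning [ip_min, ip_max], using the same
 * expression as the sprintf() call in the commit: 33 - ffs(~(min ^ max)). */
static int prefix_bits(uint32_t ip_min, uint32_t ip_max)
{
	return 33 - ffs((int)~(ip_min ^ ip_max));
}

/* Bounds-checked replacement for the sprintf(): returns the length the
 * full string needs (without NUL); a value >= size means truncation. */
static int format_prefix(char *dst, size_t size,
			 uint32_t ip_min, uint32_t ip_max)
{
	return snprintf(dst, size, "%u.%u.%u.%u/%d",
			ip_min >> 24, (ip_min >> 16) & 0xff,
			(ip_min >> 8) & 0xff, ip_min & 0xff,
			prefix_bits(ip_min, ip_max));
}

/* Would the prefix string for this range fit in a buffer of `size` bytes? */
static int prefix_fits(size_t size, uint32_t ip_min, uint32_t ip_max)
{
	char tmp[PREFIX_STR_MAX];
	int needed = format_prefix(tmp, sizeof(tmp), ip_min, ip_max);

	return needed >= 0 && (size_t)needed < size;
}

int main(void)
{
	char buf[PREFIX_STR_MAX];
	uint32_t lo = 0xffffffffu, hi = 0xffffffffu;   /* 255.255.255.255/32 */

	format_prefix(buf, sizeof(buf), lo, hi);
	printf("\"%s\" needs %zu bytes, old prefix_str had %d\n",
	       buf, strlen(buf) + 1, OLD_PREFIX_LEN);
	printf("fits in old buffer: %s\n",
	       prefix_fits(OLD_PREFIX_LEN, lo, hi) ? "yes" : "no");
	return 0;
}
```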
Ralph Sennhauser [Sun, 14 May 2017 16:16:11 +0000 (18:16 +0200)]
build: support for Linux 4.12
As a result of commit cc41c84b7e7f ("netfilter: kill the fake untracked
conntrack objects") the helper nf_ct_is_untracked always returns false
and commit ab8bc7ed864b ("netfilter: remove nf_ct_is_untracked") removes
it altogether.
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
Jan Engelhardt [Thu, 13 Apr 2017 09:37:44 +0000 (11:37 +0200)]
xt_psd: resolve compiler warning
xt_psd.c:53:0: warning: "HASH_SIZE" redefined
#define HASH_SIZE (1 << HASH_LOG)
linux-4.10.10/include/linux/hashtable.h:26:0:
note: this is the location of the previous definition
#define HASH_SIZE(name) (ARRAY_SIZE(name))
Ralph Sennhauser [Mon, 26 Dec 2016 15:14:02 +0000 (16:14 +0100)]
build: support for Linux 4.10
Commit 613dbd95723aee7abd16860745691b6c7bda20dc (netfilter:
x_tables: move hook state into xt_action_param structure) changes the
struct xt_action_param; accommodate it.
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
Andreas Schultz [Tue, 8 Dec 2015 17:41:33 +0000 (18:41 +0100)]
xt_ACCOUNT: make it namespace aware
xt_ACCOUNTing objects created in one network namespace could be
read from all namespaces. Also, objects with the same name in
different namespaces would collide.
Signed-off-by: Andreas Schultz <aschultz@tpip.net>
build: fix configure compatibility with POSIX shells
The kernel version detection code uses some bashisms, which makes the
build fail on Debian systems where /bin/sh links to dash. Replace with
POSIX-conforming commands at the cost of requiring awk.
Jan Engelhardt [Mon, 9 Nov 2015 21:33:47 +0000 (22:33 +0100)]
xt_ACCOUNT: call free_pages(x,2) (doc)
Below is the patch with the *rest* of the free_page(X) calls changed
to free_pages(X, 2). xt_ACCOUNT should always allocate memory in page
pairs. And always *free* memory in page pairs.
Neil P. Murphy [Mon, 19 Oct 2015 05:34:54 +0000 (01:34 -0400)]
xt_ACCOUNT: call free_pages(x,2)
Below is the patch with the *rest* of the free_page(X) calls changed
to free_pages(X, 2). xt_ACCOUNT should always allocate memory in page
pairs. And always *free* memory in page pairs.
Sam Liddicott [Tue, 7 Jan 2014 17:48:19 +0000 (09:48 -0800)]
xt_quota2: allow incremental value to be written to quota proc file
As well as writing absolute numeric values to the quota file, you
can now also write numbers preceded by a + sign or a - sign, e.g.
* "+30" would increase the quota by 30
* "+-20" would increase the quota by negative 20,
which is the same as decrease by 20
* "-5" would decrease the quota by 5
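A userspace model of the proc-file write semantics described above, as an added example rather than xt_quota2's own code. Assumed: decimal input, a leading '+' or '-' selects add or subtract with the remainder parsed as a signed number (so "+-20" is add(-20)), a trailing newline from `echo` is tolerated, and the counter saturates at 0 and UINT64_MAX instead of wrapping (the kernel side may differ).

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* End of the written string, allowing the newline that `echo` appends. */
static int at_end(const char *end)
{
	return *end == '\0' || (*end == '\n' && end[1] == '\0');
}

/* Apply one write to *quota. Returns 0, or -EINVAL on malformed input. */
static int quota_apply_write(uint64_t *quota, const char *buf)
{
	char *end;

	errno = 0;
	if (buf[0] == '+' || buf[0] == '-') {
		/* Relative form: sign char picks the direction, the rest is signed. */
		int64_t delta = strtoll(buf + 1, &end, 10);
		if (end == buf + 1 || !at_end(end) || errno != 0)
			return -EINVAL;
		int subtract = (buf[0] == '-') != (delta < 0);
		/* Magnitude via unsigned negation, safe for INT64_MIN. */
		uint64_t mag = delta < 0 ? (uint64_t)0 - (uint64_t)delta
					 : (uint64_t)delta;
		if (subtract)
			*quota = *quota < mag ? 0 : *quota - mag;
		else
			*quota = *quota > UINT64_MAX - mag ? UINT64_MAX : *quota + mag;
		return 0;
	}
	/* Absolute form: a plain unsigned number replaces the quota. */
	if (!isdigit((unsigned char)buf[0]))
		return -EINVAL;
	uint64_t value = strtoull(buf, &end, 10);
	if (!at_end(end) || errno != 0)
		return -EINVAL;
	*quota = value;
	return 0;
}

int main(void)
{
	/* Constructed sequence of writes, including one malformed value. */
	const char *writes[] = { "100", "+30", "+-20", "-5\n", "-1000", "abc" };
	uint64_t quota = 0;

	for (size_t i = 0; i < sizeof writes / sizeof *writes; i++) {
		int rc = quota_apply_write(&quota, writes[i]);
		printf("write %-6s -> rc=%d quota=%" PRIu64 "\n", writes[i], rc, quota);
	}
	return 0;
}
```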
Tim Gardner [Mon, 10 Aug 2015 15:25:20 +0000 (17:25 +0200)]
build: support for Linux 4.2
xt_DNETMAP.c: In function "dnetmap_prefix_destroy":
xt_DNETMAP.c:185:2: error: implicit declaration of function
"remove_proc_entry" [-Werror=implicit-function-declaration]
remove_proc_entry(p->proc_str_data, dnetmap_net->xt_dnetmap);
Neal P. Murphy [Thu, 4 Jun 2015 22:04:42 +0000 (18:04 -0400)]
xt_ACCOUNT: make counters 64-bit wide
The Smoothwall Express traffic stats collector (traffiClogger) does
not handle counter rollovers well and does not perform read&flush.
(Yes, the code is somewhat aged.) To change it to perform read&flush
is non-trivial. Then, it occurred to me that it might be easier to
change ipt_ACCOUNT in xtables-addons to use 64-bit counters,
considering it was designed around single kernel pages.
The following submission counts to at least 100 GB, produces no
obvious kernel gripes, and adjacent counters do not seem to interfere
with each other. Yes, it uses more memory, but RAM costs much less
than bugs that grow out of complex software.
The theory:
- Use two kernel pages for the counters for each group of 256
addresses.
- Change counters to 64-bit.
- Change to __get_free_pages/free_pages, using order=2
(two consecutive pages), and zero both pages.
- Change "%u" to "%llu" as needed.
- Everything else pretty much stays the same.
I also changed tmpbuf to two pages (Justin Case's idea), but I
do not know if that's really necessary.
Adam Butcher [Wed, 3 Sep 2014 13:23:29 +0000 (13:23 +0000)]
xt_pknock: fix pknock in UDP SPA mode
When the PK_CRYPTO pre-processor flag got removed in v1.47.1-2-g66f213e,
one of the removal cases was misapplied; the body of an
"#ifndef PK_CRYPTO" was left in rather than the whole section
being removed.
Adam Butcher [Wed, 3 Sep 2014 13:23:29 +0000 (13:23 +0000)]
src: work with typeof
Although not officially supported, we have found that the
xtables-addons modules we are interested in work fine on 3.0.4 with a
slight non-invasive mod to compat_xtables.h.