Package Details: xtables-addons 2.11-1

Git Clone URL: https://aur.archlinux.org/xtables-addons.git (read-only)
Package Base: xtables-addons
Description: Xtables-addons is a set of additional extensions for the Xtables packet filter that is present in the Linux kernel
Upstream URL: https://xtables-addons.sourceforge.net
Keywords: iptablex xtables
Licenses: GPL2
Conflicts: xtables-addons-dkms
Replaces: xtables-addons-dkms
Submitter: None
Maintainer: k0ste
Last Packager: k0ste
Votes: 28
Popularity: 0.295963
First Submitted: 2009-04-20 09:21
Last Updated: 2016-05-21 14:56

Latest Comments

jskier commented on 2016-05-22 20:35

Thanks, appears to work well now.

dtschmitz commented on 2016-05-21 21:05

@nmset,

Thanks for attaching 'your' diff file.
I ran it with no errors.

nmset commented on 2016-05-21 19:16

Well, copy/paste from below gave me weird results too.

You can get the patch with wget or curl at :

{wget,curl} http://nmset.info/xtables_addons.diff

sha256sum : a3a2be4e97f95854e8220aa22cc5e8d7a862f880d5005267d7877ec38545967b

Sorry for the inconvenience.

dtschmitz commented on 2016-05-21 18:03

patch: **** malformed patch at line 151: diff -N -u xtables-addons.ori/pknock_makefile.diff xtables-addons/pknock_makefile.diff

^^ I get the above. Don't see what's wrong. Do you? (yes I have a leading space)
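
The `malformed patch at line 151` message above points at the `diff -N -u` line that follows the PKGBUILD hunk, which is where a parser ends up when a pasted hunk body is shorter than its `@@` header declares. The checker below is an added example, not part of any comment or of the package; `check_unified_diff` and the sample strings are hypothetical and constructed, and treating an empty line as context is this checker's own choice.

```python
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def check_unified_diff(text):
    """Return [(line_no, message)] for hunks whose body disagrees with its @@ header."""
    problems = []
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        i += 1
        if not m:
            continue  # "diff ...", "---"/"+++" headers, commentary between hunks
        old_left = int(m.group(1) or 1)  # a count omitted from the header means 1
        new_left = int(m.group(2) or 1)
        while old_left > 0 or new_left > 0:
            if i >= len(lines):
                problems.append((i, "input ends inside a hunk"))
                break
            line = lines[i]
            tag = line[:1]
            if tag == "\\":  # "\ No newline at end of file" marker, not counted
                i += 1
                continue
            if tag == " " or line == "":  # context; "" = context line that lost its space
                old_left -= 1
                new_left -= 1
            elif tag == "-":
                old_left -= 1
            elif tag == "+":
                new_left -= 1
            else:
                # Prefix stripped, or the body ended early and this is the next file.
                problems.append((i + 1, "malformed hunk line: %r" % line))
                break  # leave the line for the outer loop
            if old_left < 0 or new_left < 0:
                problems.append((i + 1, "hunk has more lines than its header declares"))
                break
            i += 1
    return problems

# Constructed sample shaped like a PKGBUILD hunk followed by a second file (not the real patch).
GOOD = "\n".join([
    "--- a/PKGBUILD", "+++ b/PKGBUILD", "@@ -1,3 +1,4 @@",
    " ", " prepare() {", "+  patch -p1 -i fix.diff", "   ./configure",
    "diff -N -u a/fix.diff b/fix.diff",
    "--- a/fix.diff", "+++ b/fix.diff", "@@ -0,0 +1,2 @@", "+--- x", "++++ y",
])
# Copy/paste damage 1: the blank context line (a lone space) was dropped.
DROPPED = GOOD.replace("\n \n", "\n", 1)
# Copy/paste damage 2: the leading space of a context line was stripped.
STRIPPED = GOOD.replace("\n prepare", "\nprepare")
```

For `DROPPED` the problem is reported at the following `diff -N -u` line rather than where the line went missing, the same shape as the error quoted above; for `STRIPPED` it is reported at the damaged line itself.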

jskier commented on 2016-05-20 17:46

@nmset, better suited for pastebin. I can't get that to work either. Is there an official(s) patch somewhere for iptables1.6 and the latest kernel?

nmset commented on 2016-05-15 13:53

The package would not build due to inclusion problems from glibc's net/if.h, and the kernel's linux/if.h .

This patch is a(n ugly!) workaround to build xtables-addons on Linux 4.5.4.


********************************************************************************
#cat xtables_addons.diff
diff -N -u xtables-addons.ori/if.h.diff xtables-addons/if.h.diff
--- xtables-addons.ori/if.h.diff 1970-01-01 01:00:00.000000000 +0100
+++ xtables-addons/if.h.diff 2016-05-15 13:19:41.000000000 +0200
@@ -0,0 +1,129 @@
+--- if.h.ori 2016-05-15 13:18:46.336064705 +0200
++++ if.h 2016-05-15 13:15:21.000000000 +0200
+@@ -38,48 +38,6 @@
+
+
+ #ifdef __USE_MISC
+-/* Standard interface flags. */
+-enum
+- {
+- IFF_UP = 0x1, /* Interface is up. */
+-# define IFF_UP IFF_UP
+- IFF_BROADCAST = 0x2, /* Broadcast address valid. */
+-# define IFF_BROADCAST IFF_BROADCAST
+- IFF_DEBUG = 0x4, /* Turn on debugging. */
+-# define IFF_DEBUG IFF_DEBUG
+- IFF_LOOPBACK = 0x8, /* Is a loopback net. */
+-# define IFF_LOOPBACK IFF_LOOPBACK
+- IFF_POINTOPOINT = 0x10, /* Interface is point-to-point link. */
+-# define IFF_POINTOPOINT IFF_POINTOPOINT
+- IFF_NOTRAILERS = 0x20, /* Avoid use of trailers. */
+-# define IFF_NOTRAILERS IFF_NOTRAILERS
+- IFF_RUNNING = 0x40, /* Resources allocated. */
+-# define IFF_RUNNING IFF_RUNNING
+- IFF_NOARP = 0x80, /* No address resolution protocol. */
+-# define IFF_NOARP IFF_NOARP
+- IFF_PROMISC = 0x100, /* Receive all packets. */
+-# define IFF_PROMISC IFF_PROMISC
+-
+- /* Not supported */
+- IFF_ALLMULTI = 0x200, /* Receive all multicast packets. */
+-# define IFF_ALLMULTI IFF_ALLMULTI
+-
+- IFF_MASTER = 0x400, /* Master of a load balancer. */
+-# define IFF_MASTER IFF_MASTER
+- IFF_SLAVE = 0x800, /* Slave of a load balancer. */
+-# define IFF_SLAVE IFF_SLAVE
+-
+- IFF_MULTICAST = 0x1000, /* Supports multicast. */
+-# define IFF_MULTICAST IFF_MULTICAST
+-
+- IFF_PORTSEL = 0x2000, /* Can set media type. */
+-# define IFF_PORTSEL IFF_PORTSEL
+- IFF_AUTOMEDIA = 0x4000, /* Auto media select active. */
+-# define IFF_AUTOMEDIA IFF_AUTOMEDIA
+- IFF_DYNAMIC = 0x8000 /* Dialup device with changing addresses. */
+-# define IFF_DYNAMIC IFF_DYNAMIC
+- };
+-
+ /* The ifaddr structure contains information about one address of an
+ interface. They are maintained by the different address families,
+ are allocated and attached when an address is set, and are linked
+@@ -100,54 +58,13 @@
+ # define ifa_broadaddr ifa_ifu.ifu_broadaddr /* broadcast address */
+ # define ifa_dstaddr ifa_ifu.ifu_dstaddr /* other end of link */
+
+-/* Device mapping structure. I'd just gone off and designed a
+- beautiful scheme using only loadable modules with arguments for
+- driver options and along come the PCMCIA people 8)
+-
+- Ah well. The get() side of this is good for WDSETUP, and it'll be
+- handy for debugging things. The set side is fine for now and being
+- very small might be worth keeping for clean configuration. */
+-
+-struct ifmap
+- {
+- unsigned long int mem_start;
+- unsigned long int mem_end;
+- unsigned short int base_addr;
+- unsigned char irq;
+- unsigned char dma;
+- unsigned char port;
+- /* 3 bytes spare */
+- };
+
++ # define IFNAMSIZ IF_NAMESIZE
++
+ /* Interface request structure used for socket ioctl's. All interface
+ ioctl's must have parameter definitions which begin with ifr_name.
+ The remainder may be interface specific. */
+
+-struct ifreq
+- {
+-# define IFHWADDRLEN 6
+-# define IFNAMSIZ IF_NAMESIZE
+- union
+- {
+- char ifrn_name[IFNAMSIZ]; /* Interface name, e.g. "en0". */
+- } ifr_ifrn;
+-
+- union
+- {
+- struct sockaddr ifru_addr;
+- struct sockaddr ifru_dstaddr;
+- struct sockaddr ifru_broadaddr;
+- struct sockaddr ifru_netmask;
+- struct sockaddr ifru_hwaddr;
+- short int ifru_flags;
+- int ifru_ivalue;
+- int ifru_mtu;
+- struct ifmap ifru_map;
+- char ifru_slave[IFNAMSIZ]; /* Just fits the size */
+- char ifru_newname[IFNAMSIZ];
+- __caddr_t ifru_data;
+- } ifr_ifru;
+- };
+ # define ifr_name ifr_ifrn.ifrn_name /* interface name */
+ # define ifr_hwaddr ifr_ifru.ifru_hwaddr /* MAC address */
+ # define ifr_addr ifr_ifru.ifru_addr /* address */
+@@ -168,20 +85,6 @@
+ # define _IOT_ifreq_short _IOT(_IOTS(char),IFNAMSIZ,_IOTS(short),1,0,0)
+ # define _IOT_ifreq_int _IOT(_IOTS(char),IFNAMSIZ,_IOTS(int),1,0,0)
+
+-
+-/* Structure used in SIOCGIFCONF request. Used to retrieve interface
+- configuration for machine (useful for programs which must know all
+- networks accessible). */
+-
+-struct ifconf
+- {
+- int ifc_len; /* Size of buffer. */
+- union
+- {
+- __caddr_t ifcu_buf;
+- struct ifreq *ifcu_req;
+- } ifc_ifcu;
+- };
+ # define ifc_buf ifc_ifcu.ifcu_buf /* Buffer address. */
+ # define ifc_req ifc_ifcu.ifcu_req /* Array of structures. */
+ # define _IOT_ifconf _IOT(_IOTS(struct ifconf),1,0,0,0,0) /* not right */
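Review bot: the embedded patch is pinned to one exact copy of glibc's net/if.h through its hunk headers (`@@ -38,48 +38,6 @@`, `@@ -100,54 +58,13 @@`, `@@ -168,20 +85,6 @@`), so it stops applying as soon as the installed header shifts; record the glibc version it was cut from next to the file. It also leaves `ifr_name`, `ifc_buf` and `_IOT_ifconf` in place after deleting `struct ifreq` and `struct ifconf`, so every user of the patched header has to pull those definitions from linux/if.h; a comment in the header stating that requirement would help. The now free-standing `# define IFNAMSIZ IF_NAMESIZE` is safer inside `#ifndef IFNAMSIZ`, in case the kernel header has already defined it.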
diff -N -u xtables-addons.ori/PKGBUILD xtables-addons/PKGBUILD
--- xtables-addons.ori/PKGBUILD 2016-04-27 17:27:37.000000000 +0200
+++ xtables-addons/PKGBUILD 2016-05-15 15:04:33.426431964 +0200
@@ -19,6 +19,13 @@

prepare() {
pushd "${srcdir}/${pkgname}-${pkgver}"
+ [ ! -d "${srcdir}/${pkgname}-${pkgver}"/net ] && mkdir "${srcdir}/${pkgname}-${pkgver}"/net
+ rm -f "${srcdir}/${pkgname}-${pkgver}"/net/if.h
+ cp /usr/include/net/if.h "${srcdir}/${pkgname}-${pkgver}"/net/
+ patch "${srcdir}/${pkgname}-${pkgver}"/net/if.h "${srcdir}"/../if.h.diff
+ HERE=$(pwd)
+ "${srcdir}/${pkgname}-${pkgver}"/autogen.sh
+ patch "${srcdir}/${pkgname}-${pkgver}"/extensions/pknock/Makefile.am "${srcdir}"/../pknock_makefile.diff
./configure \
--prefix=/usr \
--sysconfdir=/etc \
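Review bot: `cp /usr/include/net/if.h` followed by `patch ... "${srcdir}"/../if.h.diff` makes prepare() depend on whatever header the build host carries and on two diff files reached through `"${srcdir}"/..`; if they are not already there, list if.h.diff and pknock_makefile.diff in the source array with checksums so makepkg places and verifies them. `HERE=$(pwd)` is not used anywhere in the lines shown and can be dropped, and `mkdir -p` would replace the `[ ! -d ... ] && mkdir` test.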
diff -N -u xtables-addons.ori/pknock_makefile.diff xtables-addons/pknock_makefile.diff
--- xtables-addons.ori/pknock_makefile.diff 1970-01-01 01:00:00.000000000 +0100
+++ xtables-addons/pknock_makefile.diff 2016-05-15 14:52:25.000000000 +0200
@@ -0,0 +1,12 @@
+--- Makefile.am.ori 2016-05-15 14:51:47.000000000 +0200
++++ Makefile.am 2016-05-15 14:52:22.837922108 +0200
+@@ -1,7 +1,7 @@
+ # -*- Makefile -*-
+
+-AM_CPPFLAGS = ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
+-AM_CFLAGS = ${regular_CFLAGS} ${libxtables_CFLAGS}
++AM_CPPFLAGS = -I${abs_top_srcdir} ${regular_CPPFLAGS} -I${abs_top_srcdir}/extensions
++AM_CFLAGS = -I${abs_top_srcdir} ${regular_CFLAGS} ${libxtables_CFLAGS}
+
+ include ../../Makefile.extra
+
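Review bot: `-I${abs_top_srcdir}` is added to both AM_CPPFLAGS and AM_CFLAGS; include paths belong in AM_CPPFLAGS, so the AM_CFLAGS change can be dropped. Putting the top source directory first on the include path also lets any file under it shadow a system header for pknock, not only net/if.h, so a comment in Makefile.am saying the override is deliberate and why would be worth adding.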

********************************************************************************

Usage :
cd to /path/xtables-addons/
patch -p1 < /path/to/xtables_addons.diff

It does the following :
1. patch PKGBUILD.
2. create src/xtables-addons-2.10/net directory, copy net/if.h in it, remove anything conflicting with linux/if.h.
3. patch src/xtables-addons-2.10/extensions/pknock/Makefile.am, to use src/xtables-addons-2.10/net/if.h .

In case it's useful; no warranty, of course.

k0ste commented on 2016-02-27 09:27

@BertVoegele, done. Thanks!

BertVoegele commented on 2016-02-27 09:12

pkg-config should be added to makedepends

Knight commented on 2015-12-26 03:37

Since 2.10 is available now, the PKGBUILD needs to be changed as follows:

pkgver=2.10
pkgrel=1
md5sums=('727bf0dd4a3d9c65724267bd0d5d80b0')

silvermonk commented on 2015-09-28 10:04

2.8 is available at upstream
thiagoc: FYI: I made it work with

pkgver=2.8
source=(http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/$pkgname-$pkgver.tar.xz)
md5sums=('246ec2f1f75c32c6e04ae9ae75b578c9')

jskier: I'm on arm7h for this, and

yaourt -S xtables-addons -A

built it (after the changes above) while ignoring architecture in the PKGBUILD:

(note the -A)

-f

dcuk commented on 2015-07-16 18:47

Hi, version 2.7 has been released for compatibility with a change in the upstream kernel headers in 4.1.x

Sourceforge seems to be having a few issues at the moment but it should return to service soon.

jskier commented on 2015-06-23 20:07

Would you please add arm support in the pkgbuild?

Amplificator commented on 2015-04-07 01:30

Yes, that and then running "depmod -a" fixed it :)

thiagoc commented on 2015-04-06 13:26

@Amplificator have you tried the latest release?

Amplificator commented on 2015-04-03 21:25

I think Saren's problem is the same as I'm having.

Shorewall reports:
ERROR: A country-code require GeoIP Match in your kernel and iptables /etc/shorewall/rules

And "modprobe xt_geoip" reports:
modprobe: FATAL: Module xt_geoip not found.
..despite it does exist. Is it incompatible with the latest kernel perhaps?

thiagoc commented on 2015-04-02 21:50

Please try the new release.

Saren commented on 2015-04-02 18:43

Does anybody know why this happens?
/usr/share/xt_geoip/ is already correctly installed.

# iptables -A INPUT -m geoip --src-cc (whatever) -j DROP
iptables: No chain/target/match by that name.

RunningDroid commented on 2015-01-02 05:48

With pacman 4.2:
error: failed to commit transaction (conflicting files)
xtables-addons: /lib exists in filesystem
xtables-addons: /usr/sbin exists in filesystem
Errors occurred, no packages were upgraded.

dcuk commented on 2014-06-18 19:13

Version 2.5 of xtables-addons was released a couple of months ago and seems to compile cleanly against kernel 3.15.1 which cannot be said for 2.4 (at least for me).

disarmer commented on 2014-04-23 21:25

Upload your PKGBUILD please

unforgiven512 commented on 2014-04-23 19:32

Also:

optdepends=('perl-text-csv-xs: required for building GeoIP database')

unforgiven512 commented on 2014-04-23 19:16

I converted your patch to unified diff format.

PKGBUILD modifications:
source=(dkms.conf
make.sh
http://download.sourceforge.net/project/xtables-addons/Xtables-addons/$pkgver/xtables-addons-$pkgver.tar.xz
linux-3.14-net_random-fix.patch)
sha512sums=('bb5e7eff3e402dc0561d917d67af540fb405b2a404dd16a3d553610c7197c4741a583007a97d0ca380b727dc45a818c29ec34996581e1e14dfe1657ee2d17d7a'
'd1e917ac3c15ea8a533686781f6989ef648786f7a6666d06739c96d37debdc44bd2449c332db6e30af0f655540d1df49d4f5b702da4731aa7d550204ac908333'
'650182a9078c2ce9b66a26cc0f6224e1a5fc09bb88a714b44c6d0be9fbb73f83a19ab98d085ac24f22ba564d8614d62507ff71d45c1f305f037734f23a842915'
'229de73f89e76d58ef970827e888e58c6b61fd910987c36f7b203cd1153b025abc970d7700d51b9eb4f636470b8ecceadaf8331485b3c6e0d4c671178db32b7e')

prepare() {
cd "${srcdir}/xtables-addons-${pkgver}"
patch -p2 -i ../linux-3.14-net_random-fix.patch
}

PATCH:
------
diff -ur old/xtables-addons-2.4/extensions/xt_CHAOS.c new/xtables-addons-2.4/extensions/xt_CHAOS.c
--- old/xtables-addons-2.4/extensions/xt_CHAOS.c 2014-01-09 04:37:52.000000000 -0500
+++ new/xtables-addons-2.4/extensions/xt_CHAOS.c 2014-04-23 15:06:34.335470933 -0400
@@ -68,7 +68,7 @@
ret = xm_tcp->match(skb, &local_par);
hotdrop = local_par.hotdrop;
}
- if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
+ if (!ret || hotdrop || (unsigned int)prandom_u32() > delude_percentage)
return;

destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
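Review bot: the call in `if (!ret || hotdrop || (unsigned int)prandom_u32() > delude_percentage)` is swapped unconditionally, so the source no longer builds against any kernel that has net_random() but not prandom_u32(); a small compatibility macro keyed on LINUX_VERSION_CODE would keep both working. prandom_u32() already returns a u32, so the `(unsigned int)` cast here and in the next hunk can go.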
@@ -98,7 +98,7 @@
const struct xt_chaos_tginfo *info = par->targinfo;
const struct iphdr *iph = ip_hdr(skb);

- if ((unsigned int)net_random() <= reject_percentage) {
+ if ((unsigned int)prandom_u32() <= reject_percentage) {
struct xt_action_param local_par;
local_par.in = par->in;
local_par.out = par->out;
diff -ur old/xtables-addons-2.4/extensions/xt_TARPIT.c new/xtables-addons-2.4/extensions/xt_TARPIT.c
--- old/xtables-addons-2.4/extensions/xt_TARPIT.c 2014-01-09 04:37:52.000000000 -0500
+++ new/xtables-addons-2.4/extensions/xt_TARPIT.c 2014-04-23 15:09:04.827092373 -0400
@@ -107,8 +107,8 @@
tcph->syn = true;
tcph->ack = true;
tcph->window = oth->window &
- ((net_random() & 0x1f) - 0xf);
- tcph->seq = htonl(net_random() & ~oth->seq);
+ ((prandom_u32() & 0x1f) - 0xf);
+ tcph->seq = htonl(prandom_u32() & ~oth->seq);
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
}

@@ -117,7 +117,7 @@
tcph->syn = false;
tcph->ack = true;
tcph->window = oth->window &
- ((net_random() & 0x1f) - 0xf);
+ ((prandom_u32() & 0x1f) - 0xf);
tcph->ack_seq = payload > 100 ?
htonl(ntohl(oth->seq) + payload) :
oth->seq;
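Review bot: the expression `((prandom_u32() & 0x1f) - 0xf)` receives the same edit in both xt_TARPIT.c hunks; pulling it into one small static helper would make the next API rename a one-line change. A short comment that prandom_u32() is not a cryptographic generator would also help readers judge the `tcph->seq = htonl(prandom_u32() & ~oth->seq);` line in the previous hunk.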

johny77 commented on 2014-04-13 17:58

Problem solved.
Please apply a patch in the PKGBUILD. The new kernel 3.14 has new declarations for the function net_random().


diff -r old/xtables-addons-2.4/extensions/xt_CHAOS.c new/xtables-addons-2.4/extensions/xt_CHAOS.c
71c71
< if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
---
> if (!ret || hotdrop || (unsigned int)prandom_u32() > delude_percentage)
101c101
< if ((unsigned int)net_random() <= reject_percentage) {
---
> if ((unsigned int)prandom_u32() <= reject_percentage) {
diff -r old/xtables-addons-2.4/extensions/xt_TARPIT.c new/xtables-addons-2.4/extensions/xt_TARPIT.c
110,111c110,111
< ((net_random() & 0x1f) - 0xf);
< tcph->seq = htonl(net_random() & ~oth->seq);
---
> ((prandom_u32() & 0x1f) - 0xf);
> tcph->seq = htonl(prandom_u32() & ~oth->seq);
120c120
< ((net_random() & 0x1f) - 0xf);
---
> ((prandom_u32() & 0x1f) - 0xf);
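Review bot: this is a normal-format diff (`71c71`, `101c101`, `110,111c110,111`, `120c120`) with no context lines, so patch can place the changes only by absolute line number and cannot detect that it is being applied to a different revision of xt_CHAOS.c or xt_TARPIT.c. Regenerate it with `diff -u` (or `diff -ur` for the tree) so that each change carries its surrounding lines.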

disarmer commented on 2014-04-11 08:51

Updated to 2.4.1

johny77 commented on 2014-04-11 08:02

It is not possible to compile it after upgrade. I am unable to solve this problem. :(


build/xtables-addons/src/xtables-addons-2.4/extensions/xt_CHAOS.c:71:2: error: implicit declaration of function 'net_random' [-Werror=implicit-function-declaration]
if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
^
cc1: some warnings being treated as errors


Anonymous comment on 2012-10-31 18:09

I have no idea why this is not working:


iptables -A INPUT -p tcp -m lscan --stealth -j DROP
iptables: No chain/target/match by that name.

Anonymous comment on 2012-10-12 21:00

Could the conflict/provides/replaces lines for ipset be removed from the package, as ipset is no longer included.
And the description adjusted too :-)

honza801 commented on 2012-08-14 08:30

please add linux-headers to build-dependencies

Anonymous comment on 2012-07-03 20:49

Required linux-headers to successfully build

Anonymous comment on 2012-04-18 22:21

Could the conflict/provides/replaces lines for ipset be removed from the package, as ipset is no longer included.
And the description adjusted too :-)

Anonymous comment on 2011-11-23 21:42

Please update to 1.39.

kang commented on 2011-07-03 11:50

1.37 has been released - just need to bump the version of the PKGBUILD

Anonymous comment on 2011-01-05 00:55

1.32 has been released - http://xtables-addons.git.sf.net/git/gitweb.cgi?p=xtables-addons/xtables-addons;a=commit;h=80ded69d777f69f01065129679c9c0fb3149b057

Anonymous comment on 2010-10-05 06:57

Thank you, PKGBUILD updated.

jinks commented on 2010-10-05 04:48

xtables-addons 1.30 has been released a few days ago and builds fine with 2.6.35.

Anonymous comment on 2010-09-11 14:03

First Submitted: Mon, 20 Apr 2009 09:21:14 +0000
xtables-addons 1.28-1 : Successor to patch-o-matic(-ng). Additional extensions for iptables, ip6tables, etc. CHAOS, TARPIT, TEE, DELUDE and other targets; condition, geoip, ipp2p and other matches. Includes ipset package.
( Unsupported package: Potentially dangerous ! )

Anonymous comment on 2010-09-03 13:46

make[3]: Leaving directory `/usr/src/linux-2.6.35-ARCH'
make -f ../Makefile.iptrules all;
make[3]: Entering directory `/tmp/yaourt-tmp-root/aur-xtables-addons/src/xtables-addons-1.28/extensions'
CC libxt_CHAOS.oo
libxt_CHAOS.c:99:2: 警告:隐式声明函数‘ALIGN’
libxt_CHAOS.c:99:19: 错误:初始值设定元素不是常量
libxt_CHAOS.c:99:19: 错误:(在‘chaos_tg_reg.size’的初始化附近)
libxt_CHAOS.c:100:19: 错误:初始值设定元素不是常量
libxt_CHAOS.c:100:19: 错误:(在‘chaos_tg_reg.userspacesize’的初始化附近)
make[3]: *** [libxt_CHAOS.oo] 错误 1
make[3]: Leaving directory `/tmp/yaourt-tmp-root/aur-xtables-addons/src/xtables-addons-1.28/extensions'
make[2]: *** [user-all-local] 错误 2
make[2]: Leaving directory `/tmp/yaourt-tmp-root/aur-xtables-addons/src/xtables-addons-1.28/extensions'
make[1]: *** [all-recursive] 错误 1
make[1]: Leaving directory `/tmp/yaourt-tmp-root/aur-xtables-addons/src/xtables-addons-1.28'
make: *** [all] 错误 2

Anonymous comment on 2010-07-26 08:01

You can use it with kernel26-lts.

Anonymous comment on 2010-06-22 07:05

xtables-addons now has a compilation problem with kernel 2.6.34. Be careful.
http://marc.info/?t=127444218200001&r=1&w=2