@ -1,6 +1,33 @@ |
|
|
|
|
diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_CHAOS.h linux-2.6.19.1/include/linux/netfilter/xt_CHAOS.h
|
|
|
|
|
--- linux-2.6.19.1.orig/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.19.1/include/linux/netfilter/xt_CHAOS.h 2007-01-11 13:28:07.656144799 +0100
|
|
|
|
|
diff -Nur linux-2.6.21.1/include/linux/netfilter/oot_conntrack.h linux-2.6.21.1-owrt/include/linux/netfilter/oot_conntrack.h
|
|
|
|
|
--- linux-2.6.21.1/include/linux/netfilter/oot_conntrack.h 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.21.1-owrt/include/linux/netfilter/oot_conntrack.h 2007-05-14 14:18:54.000000000 +0200
|
|
|
|
|
@@ -0,0 +1,5 @@
|
|
|
|
|
+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
|
|
|
|
|
+# include <linux/netfilter_ipv4/ip_conntrack.h>
|
|
|
|
|
+#else /* linux-2.6.20+ */
|
|
|
|
|
+# include <net/netfilter/nf_nat_rule.h>
|
|
|
|
|
+#endif
|
|
|
|
|
diff -Nur linux-2.6.21.1/include/linux/netfilter/oot_trans.h linux-2.6.21.1-owrt/include/linux/netfilter/oot_trans.h
|
|
|
|
|
--- linux-2.6.21.1/include/linux/netfilter/oot_trans.h 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.21.1-owrt/include/linux/netfilter/oot_trans.h 2007-05-14 14:18:54.000000000 +0200
|
|
|
|
|
@@ -0,0 +1,14 @@
|
|
|
|
|
+/* Out of tree workarounds */
|
|
|
|
|
+#include <linux/version.h>
|
|
|
|
|
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
|
|
|
|
|
+# define HAVE_MATCHINFOSIZE 1
|
|
|
|
|
+# define HAVE_TARGUSERINFO 1
|
|
|
|
|
+# define HAVE_TARGINFOSIZE 1
|
|
|
|
|
+#endif
|
|
|
|
|
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
|
|
|
|
|
+# define nfmark mark
|
|
|
|
|
+#endif
|
|
|
|
|
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
|
|
|
|
|
+# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
|
|
|
|
|
+ tcp_v4_check((tcph_sz), (s), (d), (csp))
|
|
|
|
|
+#endif
|
|
|
|
|
diff -Nur linux-2.6.21.1/include/linux/netfilter/xt_CHAOS.h linux-2.6.21.1-owrt/include/linux/netfilter/xt_CHAOS.h
|
|
|
|
|
--- linux-2.6.21.1/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.21.1-owrt/include/linux/netfilter/xt_CHAOS.h 2007-05-14 14:18:54.000000000 +0200
|
|
|
|
|
@@ -0,0 +1,14 @@
|
|
|
|
|
+#ifndef _LINUX_XT_CHAOS_H
|
|
|
|
|
+#define _LINUX_XT_CHAOS_H 1
|
|
|
|
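Review bot: The two new headers oot_conntrack.h and oot_trans.h carry no include guard, while the neighbouring xt_CHAOS.h in this same hunk does (`#ifndef _LINUX_XT_CHAOS_H` / `#define _LINUX_XT_CHAOS_H 1`); both should get a guard in the same style, because oot_trans.h is pulled in from every module in this patch and xt_CHAOS.c additionally textually includes find_match.c. oot_trans.h also defines `nfmark` as a plain identifier macro and redefines `tcp_v4_check` as a macro that drops its first argument for 2.6.21+, and neither effect is written down; these rewrite every later token in whichever translation unit includes the header, so the header must stay after the kernel headers. A short comment at the top would prevent surprises, e.g. `/* Must be included after all kernel headers: the macros below rename identifiers (nfmark -> mark) and adapt tcp_v4_check() to the 2.6.21 signature, which lost the tcph argument. */`.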
@ -16,9 +43,9 @@ diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_CHAOS.h linux-2.6.19.1/ |
|
|
|
|
+};
|
|
|
|
|
+
|
|
|
|
|
+#endif /* _LINUX_XT_CHAOS_H */
|
|
|
|
|
diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_portscan.h linux-2.6.19.1/include/linux/netfilter/xt_portscan.h
|
|
|
|
|
--- linux-2.6.19.1.orig/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.19.1/include/linux/netfilter/xt_portscan.h 2007-01-11 13:28:07.656144799 +0100
|
|
|
|
|
diff -Nur linux-2.6.21.1/include/linux/netfilter/xt_portscan.h linux-2.6.21.1-owrt/include/linux/netfilter/xt_portscan.h
|
|
|
|
|
--- linux-2.6.21.1/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.21.1-owrt/include/linux/netfilter/xt_portscan.h 2007-05-14 14:18:54.000000000 +0200
|
|
|
|
|
@@ -0,0 +1,8 @@
|
|
|
|
|
+#ifndef _LINUX_XT_PORTSCAN_H
|
|
|
|
|
+#define _LINUX_XT_PORTSCAN_H 1
|
|
|
|
@ -28,10 +55,10 @@ diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_portscan.h linux-2.6.19 |
|
|
|
|
+};
|
|
|
|
|
+
|
|
|
|
|
+#endif /* _LINUX_XT_PORTSCAN_H */
|
|
|
|
|
diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netfilter/find_match.c
|
|
|
|
|
--- linux-2.6.19.1.orig/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.19.1/net/netfilter/find_match.c 2007-01-11 13:28:12.191994379 +0100
|
|
|
|
|
@@ -0,0 +1,37 @@
|
|
|
|
|
diff -Nur linux-2.6.21.1/net/netfilter/find_match.c linux-2.6.21.1-owrt/net/netfilter/find_match.c
|
|
|
|
|
--- linux-2.6.21.1/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.21.1-owrt/net/netfilter/find_match.c 2007-05-14 14:18:54.000000000 +0200
|
|
|
|
|
@@ -0,0 +1,39 @@
|
|
|
|
|
+/*
|
|
|
|
|
+ xt_request_find_match
|
|
|
|
|
+ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
|
|
|
|
@ -42,7 +69,6 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netf |
|
|
|
|
+ it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
+ published by the Free Software Foundation.
|
|
|
|
|
+*/
|
|
|
|
|
+
|
|
|
|
|
+#include <linux/err.h>
|
|
|
|
|
+#include <linux/netfilter_arp.h>
|
|
|
|
|
+#include <linux/socket.h>
|
|
|
|
@ -52,7 +78,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netf |
|
|
|
|
+ * Yeah this code is sub-optimal, but the function is missing in
|
|
|
|
|
+ * mainline so far. -jengelh
|
|
|
|
|
+ */
|
|
|
|
|
+static struct xt_match *xt_request_find_match(int af, const char *name,
|
|
|
|
|
+static struct xt_match *xt_request_find_match_lo(int af, const char *name,
|
|
|
|
|
+ u8 revision)
|
|
|
|
|
+{
|
|
|
|
|
+ static const char *const xt_prefix[] = {
|
|
|
|
@ -69,10 +95,13 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netf |
|
|
|
|
+
|
|
|
|
|
+ return match;
|
|
|
|
|
+}
|
|
|
|
|
diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter/Kconfig
|
|
|
|
|
--- linux-2.6.19.1.orig/net/netfilter/Kconfig 2007-01-11 13:27:24.445577700 +0100
|
|
|
|
|
+++ linux-2.6.19.1/net/netfilter/Kconfig 2007-01-11 13:28:09.092097179 +0100
|
|
|
|
|
@@ -122,6 +122,14 @@
|
|
|
|
|
+
|
|
|
|
|
+/* In case it goes into mainline, let this out-of-tree package compile */
|
|
|
|
|
+#define xt_request_find_match xt_request_find_match_lo
|
|
|
|
|
diff -Nur linux-2.6.21.1/net/netfilter/Kconfig linux-2.6.21.1-owrt/net/netfilter/Kconfig
|
|
|
|
|
--- linux-2.6.21.1/net/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200
|
|
|
|
|
+++ linux-2.6.21.1-owrt/net/netfilter/Kconfig 2007-05-14 14:30:47.000000000 +0200
|
|
|
|
|
@@ -287,6 +287,14 @@
|
|
|
|
|
|
|
|
|
|
# alphabetically ordered list of targets
|
|
|
|
|
|
|
|
|
@ -87,7 +116,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter |
|
|
|
|
config NETFILTER_XT_TARGET_CLASSIFY
|
|
|
|
|
tristate '"CLASSIFY" target support'
|
|
|
|
|
depends on NETFILTER_XTABLES
|
|
|
|
|
@@ -148,6 +156,14 @@
|
|
|
|
|
@@ -315,6 +323,14 @@
|
|
|
|
|
<file:Documentation/modules.txt>. The module will be called
|
|
|
|
|
ipt_CONNMARK.o. If unsure, say `N'.
|
|
|
|
|
|
|
|
|
@ -102,7 +131,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter |
|
|
|
|
config NETFILTER_XT_TARGET_DSCP
|
|
|
|
|
tristate '"DSCP" target support'
|
|
|
|
|
depends on NETFILTER_XTABLES
|
|
|
|
|
@@ -355,6 +371,14 @@
|
|
|
|
|
@@ -563,6 +579,14 @@
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
@ -117,10 +146,10 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter |
|
|
|
|
config NETFILTER_XT_MATCH_MULTIPORT
|
|
|
|
|
tristate "Multiple port match support"
|
|
|
|
|
depends on NETFILTER_XTABLES
|
|
|
|
|
diff -ruN linux-2.6.19.1.orig/net/netfilter/Makefile linux-2.6.19.1/net/netfilter/Makefile
|
|
|
|
|
--- linux-2.6.19.1.orig/net/netfilter/Makefile 2007-01-11 13:27:24.445577700 +0100
|
|
|
|
|
+++ linux-2.6.19.1/net/netfilter/Makefile 2007-01-11 13:28:07.656144799 +0100
|
|
|
|
|
@@ -23,8 +23,10 @@
|
|
|
|
|
diff -Nur linux-2.6.21.1/net/netfilter/Makefile linux-2.6.21.1-owrt/net/netfilter/Makefile
|
|
|
|
|
--- linux-2.6.21.1/net/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200
|
|
|
|
|
+++ linux-2.6.21.1-owrt/net/netfilter/Makefile 2007-05-14 14:30:47.000000000 +0200
|
|
|
|
|
@@ -37,8 +37,10 @@
|
|
|
|
|
obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
|
|
|
|
|
|
|
|
|
|
# targets
|
|
|
|
@ -131,7 +160,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Makefile linux-2.6.19.1/net/netfilte |
|
|
|
|
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
|
|
|
|
|
obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
|
|
|
|
|
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
|
|
|
|
|
@@ -47,6 +49,7 @@
|
|
|
|
|
@@ -63,6 +65,7 @@
|
|
|
|
|
obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
|
|
|
|
|
obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
|
|
|
|
|
obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
|
|
|
|
@ -139,16 +168,17 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Makefile linux-2.6.19.1/net/netfilte |
|
|
|
|
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
|
|
|
|
|
obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
|
|
|
|
|
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
|
|
|
|
|
diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfilter/xt_CHAOS.c
|
|
|
|
|
--- linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.19.1/net/netfilter/xt_CHAOS.c 2007-01-11 13:28:14.407920893 +0100
|
|
|
|
|
@@ -0,0 +1,180 @@
|
|
|
|
|
diff -Nur linux-2.6.21.1/net/netfilter/xt_CHAOS.c linux-2.6.21.1-owrt/net/netfilter/xt_CHAOS.c
|
|
|
|
|
--- linux-2.6.21.1/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.21.1-owrt/net/netfilter/xt_CHAOS.c 2007-05-14 14:36:58.000000000 +0200
|
|
|
|
|
@@ -0,0 +1,204 @@
|
|
|
|
|
+/*
|
|
|
|
|
+ CHAOS target for netfilter
|
|
|
|
|
+ CHAOS target for netfilter
|
|
|
|
|
+
|
|
|
|
|
+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
|
|
|
|
|
+ released under the terms of the GNU General Public
|
|
|
|
|
+ License version 2.x and only versions 2.x.
|
|
|
|
|
+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
|
|
|
|
|
+ This program is free software; you can redistribute it and/or modify
|
|
|
|
|
+ it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
+ published by the Free Software Foundation.
|
|
|
|
|
+*/
|
|
|
|
|
+#include <linux/icmp.h>
|
|
|
|
|
+#include <linux/in.h>
|
|
|
|
@ -162,14 +192,9 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil |
|
|
|
|
+#include <net/ip.h>
|
|
|
|
|
+#include <linux/netfilter/xt_CHAOS.h>
|
|
|
|
|
+#include "find_match.c"
|
|
|
|
|
+#include <linux/netfilter/oot_trans.h>
|
|
|
|
|
+#define PFX KBUILD_MODNAME ": "
|
|
|
|
|
+
|
|
|
|
|
+/* Out of tree workarounds */
|
|
|
|
|
+#include <linux/version.h>
|
|
|
|
|
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
|
|
|
|
|
+# define HAVE_TARGUSERINFO 1
|
|
|
|
|
+#endif
|
|
|
|
|
+
|
|
|
|
|
+/* Module parameters */
|
|
|
|
|
+static unsigned int reject_percentage = ~0U * .01;
|
|
|
|
|
+static unsigned int delude_percentage = ~0U * .0101;
|
|
|
|
@ -180,6 +205,8 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil |
|
|
|
|
+static struct xt_match *xm_tcp;
|
|
|
|
|
+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
|
|
|
|
|
+
|
|
|
|
|
+static int have_delude, have_tarpit;
|
|
|
|
|
+
|
|
|
|
|
+/* Static data for other matches/targets */
|
|
|
|
|
+static const struct ipt_reject_info reject_params = {
|
|
|
|
|
+ .with = ICMP_HOST_UNREACH,
|
|
|
|
@ -226,7 +253,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil |
|
|
|
|
+ /* Equivalent to:
|
|
|
|
|
+ * -A chaos -m statistic --mode random --probability \
|
|
|
|
|
+ * $reject_percentage -j REJECT --reject-with host-unreach;
|
|
|
|
|
+ * -A chaos -m statistic --mode random --probability \
|
|
|
|
|
+ * -A chaos -p tcp -m statistic --mode random --probability \
|
|
|
|
|
+ * $delude_percentage -j DELUDE;
|
|
|
|
|
+ * -A chaos -j DROP;
|
|
|
|
|
+ */
|
|
|
|
@ -249,9 +276,31 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil |
|
|
|
|
+ return NF_DROP;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+static int xt_chaos_checkentry(const char *tablename, const void *entry,
|
|
|
|
|
+ const struct xt_target *target, void *targinfo,
|
|
|
|
|
+#ifdef HAVE_TARGINFOSIZE
|
|
|
|
|
+ unsigned int targinfosize,
|
|
|
|
|
+#endif
|
|
|
|
|
+ unsigned int hook_mask)
|
|
|
|
|
+{
|
|
|
|
|
+ const struct xt_chaos_info *info = targinfo;
|
|
|
|
|
+ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
|
|
|
|
|
+ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
|
|
|
|
|
+ "DELUDE module not available\n");
|
|
|
|
|
+ return 0;
|
|
|
|
|
+ }
|
|
|
|
|
+ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
|
|
|
|
|
+ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
|
|
|
|
|
+ "TARPIT module not available\n");
|
|
|
|
|
+ return 0;
|
|
|
|
|
+ }
|
|
|
|
|
+ return 1;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+static struct xt_target xt_chaos_info = {
|
|
|
|
|
+ .name = "CHAOS",
|
|
|
|
|
+ .target = xt_chaos_target,
|
|
|
|
|
+ .checkentry = xt_chaos_checkentry,
|
|
|
|
|
+ .table = "filter",
|
|
|
|
|
+ .targetsize = sizeof(struct xt_chaos_info),
|
|
|
|
|
+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
|
|
|
|
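Review bot: `xt_chaos_checkentry` only refuses a `variant` whose helper target could not be loaded; any other value of `info->variant` is accepted, and `targinfo` is supplied by userspace, so an out-of-range value reaches `xt_chaos_target` (which begins before this hunk) unless that function has a default case of its own. If it does not, add a final check that rejects values other than the enumerators declared in xt_CHAOS.h (the header body is not in this view), returning 0 with a `printk` in the same form as the two existing ones. Kernel style also wants `if (info->variant == XTCHAOS_DELUDE && !have_delude) {` and `if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {` with a space after `if`, and a one-line comment above the function saying that it validates a rule at insertion time against the optional targets probed in the init function.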
@ -266,41 +315,43 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil |
|
|
|
|
+
|
|
|
|
|
+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
|
|
|
|
|
+ if(xm_tcp == NULL) {
|
|
|
|
|
+ printk(KERN_WARNING PFX "Could not find \"tcp\" match\n");
|
|
|
|
|
+ printk(KERN_WARNING PFX "Error: Could not find or load "
|
|
|
|
|
+ "\"tcp\" match\n");
|
|
|
|
|
+ return -EINVAL;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
|
|
|
|
|
+ if(xt_reject == NULL) {
|
|
|
|
|
+ printk(KERN_WARNING PFX "Could not find \"REJECT\" target\n");
|
|
|
|
|
+ printk(KERN_WARNING PFX "Error: Could not find or load "
|
|
|
|
|
+ "\"REJECT\" target\n");
|
|
|
|
|
+ goto out2;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
|
|
|
|
|
+ if(xt_tarpit == NULL) {
|
|
|
|
|
+ printk(KERN_WARNING PFX "Could not find \"TARPIT\" target\n");
|
|
|
|
|
+ goto out3;
|
|
|
|
|
+ }
|
|
|
|
|
+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
|
|
|
|
|
+ have_tarpit = xt_tarpit != NULL;
|
|
|
|
|
+ if(!have_tarpit)
|
|
|
|
|
+ printk(KERN_WARNING PFX "Warning: Could not find or load "
|
|
|
|
|
+ "\"TARPIT\" target\n");
|
|
|
|
|
+
|
|
|
|
|
+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
|
|
|
|
|
+ if(xt_delude == NULL) {
|
|
|
|
|
+ printk(KERN_WARNING PFX "Could not find \"DELUDE\" target\n");
|
|
|
|
|
+ goto out4;
|
|
|
|
|
+ }
|
|
|
|
|
+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
|
|
|
|
|
+ have_delude = xt_delude != NULL;
|
|
|
|
|
+ if(!have_delude)
|
|
|
|
|
+ printk(KERN_WARNING PFX "Warning: Could not find or load "
|
|
|
|
|
+ "\"DELUDE\" target\n");
|
|
|
|
|
+
|
|
|
|
|
+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
|
|
|
|
|
+ printk(KERN_WARNING PFX "xt_register_target returned "
|
|
|
|
|
+ "error %d\n", ret);
|
|
|
|
|
+ goto out5;
|
|
|
|
|
+ goto out3;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ return 0;
|
|
|
|
|
+
|
|
|
|
|
+ out5:
|
|
|
|
|
+ module_put(xt_delude->me);
|
|
|
|
|
+ out4:
|
|
|
|
|
+ module_put(xt_tarpit->me);
|
|
|
|
|
+ out3:
|
|
|
|
|
+ if(have_delude)
|
|
|
|
|
+ module_put(xt_delude->me);
|
|
|
|
|
+ if(have_tarpit)
|
|
|
|
|
+ module_put(xt_tarpit->me);
|
|
|
|
|
+ module_put(xt_reject->me);
|
|
|
|
|
+ out2:
|
|
|
|
|
+ module_put(xm_tcp->me);
|
|
|
|
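Review bot: `have_tarpit` and `have_delude` are assigned exactly once here, at module load, and nothing in the file re-probes the optional targets, so loading xt_TARPIT or xt_DELUDE after xt_CHAOS does not make `--tarpit` or `--delude` usable until xt_CHAOS is reloaded; that is a reasonable design, but it should be stated where the flags are set. Suggested comment above the first `xt_request_find_target(AF_INET, "TARPIT", 0)` call: `/* TARPIT and DELUDE are optional and probed once at load time; rules using --tarpit/--delude are refused in checkentry if the module was absent when we loaded, and the reference taken here is dropped in the exit path via have_* */`. The init function begins before this hunk; the cleanup labels `out3`/`out2` correctly release only what was acquired on the new side.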
@ -312,8 +363,10 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil |
|
|
|
|
+ xt_unregister_target(&xt_chaos_info);
|
|
|
|
|
+ module_put(xm_tcp->me);
|
|
|
|
|
+ module_put(xt_reject->me);
|
|
|
|
|
+ module_put(xt_delude->me);
|
|
|
|
|
+ module_put(xt_tarpit->me);
|
|
|
|
|
+ if(have_delude)
|
|
|
|
|
+ module_put(xt_delude->me);
|
|
|
|
|
+ if(have_tarpit)
|
|
|
|
|
+ module_put(xt_tarpit->me);
|
|
|
|
|
+ return;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
@ -323,26 +376,28 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil |
|
|
|
|
+MODULE_DESCRIPTION("netfilter CHAOS target");
|
|
|
|
|
+MODULE_LICENSE("GPL");
|
|
|
|
|
+MODULE_ALIAS("ipt_CHAOS");
|
|
|
|
|
diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfilter/xt_DELUDE.c
|
|
|
|
|
--- linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.19.1/net/netfilter/xt_DELUDE.c 2007-01-11 13:28:07.656144799 +0100
|
|
|
|
|
@@ -0,0 +1,265 @@
|
|
|
|
|
diff -Nur linux-2.6.21.1/net/netfilter/xt_DELUDE.c linux-2.6.21.1-owrt/net/netfilter/xt_DELUDE.c
|
|
|
|
|
--- linux-2.6.21.1/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.21.1-owrt/net/netfilter/xt_DELUDE.c 2007-05-14 14:53:12.000000000 +0200
|
|
|
|
|
@@ -0,0 +1,288 @@
|
|
|
|
|
+/*
|
|
|
|
|
+ DELUDE target
|
|
|
|
|
+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
|
|
|
|
|
+ DELUDE target
|
|
|
|
|
+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
|
|
|
|
|
+
|
|
|
|
|
+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
|
|
|
|
|
+ (C) 1999-2001 Paul `Rusty' Russell
|
|
|
|
|
+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
|
|
|
|
|
+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
|
|
|
|
|
+ (C) 1999-2001 Paul `Rusty' Russell
|
|
|
|
|
+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
|
|
|
|
|
+
|
|
|
|
|
+ This program is free software; you can redistribute it and/or modify
|
|
|
|
|
+ it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
+ published by the Free Software Foundation.
|
|
|
|
|
+*/
|
|
|
|
|
+ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
|
|
|
|
|
+
|
|
|
|
|
+ This program is free software; you can redistribute it and/or modify
|
|
|
|
|
+ it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
+ published by the Free Software Foundation.
|
|
|
|
|
+*/
|
|
|
|
|
+#include <linux/module.h>
|
|
|
|
|
+#include <linux/skbuff.h>
|
|
|
|
|
+#include <linux/ip.h>
|
|
|
|
|
+#include <linux/random.h>
|
|
|
|
|
+#include <linux/tcp.h>
|
|
|
|
|
+#include <linux/udp.h>
|
|
|
|
|
+#include <linux/icmp.h>
|
|
|
|
@ -353,20 +408,11 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi |
|
|
|
|
+#include <net/dst.h>
|
|
|
|
|
+#include <linux/netfilter_ipv4/ip_tables.h>
|
|
|
|
|
+#ifdef CONFIG_BRIDGE_NETFILTER
|
|
|
|
|
+#include <linux/netfilter_bridge.h>
|
|
|
|
|
+# include <linux/netfilter_bridge.h>
|
|
|
|
|
+#endif
|
|
|
|
|
+#include <linux/netfilter/oot_trans.h>
|
|
|
|
|
+#define PFX KBUILD_MODNAME ": "
|
|
|
|
|
+
|
|
|
|
|
+/* Out of tree workarounds */
|
|
|
|
|
+#include <linux/version.h>
|
|
|
|
|
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
|
|
|
|
|
+# define HAVE_TARGINFOSIZE 1
|
|
|
|
|
+# define HAVE_TARGUSERINFO 1
|
|
|
|
|
+#endif
|
|
|
|
|
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
|
|
|
|
|
+# define nfmark mark
|
|
|
|
|
+#endif
|
|
|
|
|
+
|
|
|
|
|
+static inline struct rtable *route_reverse(struct sk_buff *skb,
|
|
|
|
|
+ struct tcphdr *tcph, int hook)
|
|
|
|
|
+{
|
|
|
|
@ -430,10 +476,10 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi |
|
|
|
|
+ struct sk_buff *nskb;
|
|
|
|
|
+ struct iphdr *iph = oldskb->nh.iph;
|
|
|
|
|
+ struct tcphdr _otcph, *oth, *tcph;
|
|
|
|
|
+ struct rtable *rt;
|
|
|
|
|
+ u_int16_t tmp_port;
|
|
|
|
|
+ u_int32_t tmp_addr;
|
|
|
|
|
+ int hh_len;
|
|
|
|
|
+ __be16 tmp_port;
|
|
|
|
|
+ __be32 tmp_addr;
|
|
|
|
|
+ int needs_ack;
|
|
|
|
|
+ unsigned int addr_type;
|
|
|
|
|
+
|
|
|
|
|
+ /* IP header checks: fragment. */
|
|
|
|
|
+ if (oldskb->nh.iph->frag_off & htons(IP_OFFSET))
|
|
|
|
@ -442,39 +488,33 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi |
|
|
|
|
+ oth = skb_header_pointer(oldskb, oldskb->nh.iph->ihl * 4,
|
|
|
|
|
+ sizeof(_otcph), &_otcph);
|
|
|
|
|
+ if (oth == NULL)
|
|
|
|
|
+ return;
|
|
|
|
|
+ return;
|
|
|
|
|
+
|
|
|
|
|
+ /* DELUDE only answers SYN. */
|
|
|
|
|
+ if(!oth->syn || oth->ack || oth->fin || oth->rst)
|
|
|
|
|
+ /* No RST for RST. */
|
|
|
|
|
+ if (oth->rst)
|
|
|
|
|
+ return;
|
|
|
|
|
+
|
|
|
|
|
+ /* Check checksum */
|
|
|
|
|
+ if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP))
|
|
|
|
|
+ return;
|
|
|
|
|
+
|
|
|
|
|
+ if ((rt = route_reverse(oldskb, oth, hook)) == NULL)
|
|
|
|
|
+ return;
|
|
|
|
|
+
|
|
|
|
|
+ hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
|
|
|
|
|
+
|
|
|
|
|
+ /* We need a linear, writeable skb. We also need to expand
|
|
|
|
|
+ headroom in case hh_len of incoming interface < hh_len of
|
|
|
|
|
+ outgoing interface */
|
|
|
|
|
+ nskb = skb_copy_expand(oldskb, hh_len, skb_tailroom(oldskb),
|
|
|
|
|
+ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
|
|
|
|
|
+ GFP_ATOMIC);
|
|
|
|
|
+ if (!nskb) {
|
|
|
|
|
+ dst_release(&rt->u.dst);
|
|
|
|
|
+ if (!nskb)
|
|
|
|
|
+ return;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ dst_release(nskb->dst);
|
|
|
|
|
+ nskb->dst = &rt->u.dst;
|
|
|
|
|
+
|
|
|
|
|
+ /* This packet will not be the same as the other: clear nf fields */
|
|
|
|
|
+ nf_reset(nskb);
|
|
|
|
|
+ nskb->nfmark = 0;
|
|
|
|
|
+ skb_init_secmark(nskb);
|
|
|
|
|
+
|
|
|
|
|
+ skb_shinfo(nskb)->gso_size = 0;
|
|
|
|
|
+ skb_shinfo(nskb)->gso_segs = 0;
|
|
|
|
|
+ skb_shinfo(nskb)->gso_type = 0;
|
|
|
|
|
+
|
|
|
|
|
+ tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
|
|
|
|
|
+
|
|
|
|
|
+ /* Swap source and dest */
|
|
|
|
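Review bot: The only call to `route_reverse` visible in this file, `if ((rt = route_reverse(oldskb, oth, hook)) == NULL)`, is removed by this hunk in favour of `ip_route_me_harder` later on, but the `static inline` definition of `route_reverse` earlier in the file (hunk @ -353,20 +408,11) is kept; if no other caller remains outside this view it is dead code and should be deleted together with the `hh_len`/`dst_release` plumbing this hunk already drops. The replacement of `/* DELUDE only answers SYN. */` by `/* No RST for RST. */` widens the function from "SYN only" to "every non-RST segment", which matches the new file header ("acts like REJECT, but does reply with SYN-ACK on SYN") but deserves a one-line comment at the `if (oth->rst)` check, e.g. `/* Like REJECT: never answer an RST; SYNs get a SYN-ACK below, everything else an RST. */`. The enclosing function begins before this hunk.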
@ -490,12 +530,34 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi |
|
|
|
|
+ skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
|
|
|
|
|
+ nskb->nh.iph->tot_len = htons(nskb->len);
|
|
|
|
|
+
|
|
|
|
|
+ tcph->seq = oth->ack_seq;
|
|
|
|
|
+ tcph->ack_seq = 0;
|
|
|
|
|
+ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
|
|
|
|
|
+ /* DELUDE essential part */
|
|
|
|
|
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
|
|
|
|
|
+ oldskb->len - oldskb->nh.iph->ihl * 4 -
|
|
|
|
|
+ (oth->doff << 2));
|
|
|
|
|
+ tcph->seq = htonl(secure_tcp_sequence_number(
|
|
|
|
|
+ nskb->nh.iph->saddr, nskb->nh.iph->daddr,
|
|
|
|
|
+ tcph->source, tcph->dest));
|
|
|
|
|
+ tcph->ack = 1;
|
|
|
|
|
+ } else {
|
|
|
|
|
+ if(!tcph->ack) {
|
|
|
|
|
+ needs_ack = 1;
|
|
|
|
|
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
|
|
|
|
|
+ + oldskb->len - oldskb->nh.iph->ihl*4
|
|
|
|
|
+ - (oth->doff<<2));
|
|
|
|
|
+ tcph->seq = 0;
|
|
|
|
|
+ } else {
|
|
|
|
|
+ needs_ack = 0;
|
|
|
|
|
+ tcph->seq = oth->ack_seq;
|
|
|
|
|
+ tcph->ack_seq = 0;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /* Reset flags */
|
|
|
|
|
+ ((u_int8_t *)tcph)[13] = 0;
|
|
|
|
|
+ tcph->rst = 1;
|
|
|
|
|
+ tcph->ack = needs_ack;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /* Reset flags */
|
|
|
|
|
+ ((u_int8_t *)tcph)[13] = 0;
|
|
|
|
|
+ tcph->syn = tcph->ack = 1;
|
|
|
|
|
+
|
|
|
|
|
+ tcph->window = 0;
|
|
|
|
|
+ tcph->urg_ptr = 0;
|
|
|
|
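Review bot: Both the new SYN-ACK branch and the RST branch compute the acknowledgement number as `oth->seq + syn + fin + oldskb->len - ihl * 4 - (oth->doff << 2)`, yet `oth` was obtained through `skb_header_pointer` for only `sizeof(_otcph)` bytes, so a segment whose `doff` is below 5 or whose `doff << 2` exceeds the TCP segment length is never rejected and the subtraction wraps; the wrapped value only lands in the 32-bit ack field, so this yields a malformed reply rather than an out-of-bounds access, but such a segment should simply be discarded. Right after the `oth == NULL` check in the preceding hunk add `if (oth->doff < sizeof(struct tcphdr) / 4 || oldskb->len < oldskb->nh.iph->ihl * 4 + (oth->doff << 2)) return;`. In the SYN branch the `+ oth->fin` term is always zero because the branch condition requires `!oth->fin`, so a comment such as `/* ack = peer ISN + 1 (+ any SYN payload) */` would make the intent clearer than the copied REJECT formula. The enclosing function begins before this hunk and continues after it.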
@ -508,12 +570,26 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi |
|
|
|
|
+ csum_partial((char *)tcph,
|
|
|
|
|
+ sizeof(struct tcphdr), 0));
|
|
|
|
|
+
|
|
|
|
|
+ /* Adjust IP TTL, DF */
|
|
|
|
|
+ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
|
|
|
|
|
+ /* Set DF, id = 0 */
|
|
|
|
|
+ nskb->nh.iph->frag_off = htons(IP_DF);
|
|
|
|
|
+ nskb->nh.iph->id = 0;
|
|
|
|
|
+
|
|
|
|
|
+ addr_type = RTN_UNSPEC;
|
|
|
|
|
+ if (hook != NF_IP_FORWARD
|
|
|
|
|
+#ifdef CONFIG_BRIDGE_NETFILTER
|
|
|
|
|
+ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
|
|
|
|
|
+#endif
|
|
|
|
|
+ )
|
|
|
|
|
+ addr_type = RTN_LOCAL;
|
|
|
|
|
+
|
|
|
|
|
+ if (ip_route_me_harder(&nskb, addr_type))
|
|
|
|
|
+ goto free_nskb;
|
|
|
|
|
+
|
|
|
|
|
+ nskb->ip_summed = CHECKSUM_NONE;
|
|
|
|
|
+
|
|
|
|
|
+ /* Adjust IP TTL */
|
|
|
|
|
+ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
|
|
|
|
|
+
|
|
|
|
|
+ /* Adjust IP checksum */
|
|
|
|
|
+ nskb->nh.iph->check = 0;
|
|
|
|
|
+ nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
|
|
|
|
@ -531,7 +607,6 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi |
|
|
|
|
+
|
|
|
|
|
+ free_nskb:
|
|
|
|
|
+ kfree_skb(nskb);
|
|
|
|
|
+ return;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+static unsigned int xt_delude_target(struct sk_buff **pskb,
|
|
|
|
@ -589,19 +664,21 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi |
|
|
|
|
+
|
|
|
|
|
+module_init(xt_delude_init);
|
|
|
|
|
+module_exit(xt_delude_exit);
|
|
|
|
|
+MODULE_LICENSE("GPL");
|
|
|
|
|
+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
|
|
|
|
|
+MODULE_DESCRIPTION("netfilter DELUDE target");
|
|
|
|
|
diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_portscan.c linux-2.6.19.1/net/netfilter/xt_portscan.c
|
|
|
|
|
--- linux-2.6.19.1.orig/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.19.1/net/netfilter/xt_portscan.c 2007-01-11 13:28:14.407920893 +0100
|
|
|
|
|
@@ -0,0 +1,282 @@
|
|
|
|
|
+MODULE_LICENSE("GPL");
|
|
|
|
|
+MODULE_ALIAS("ipt_DELUDE");
|
|
|
|
|
diff -Nur linux-2.6.21.1/net/netfilter/xt_portscan.c linux-2.6.21.1-owrt/net/netfilter/xt_portscan.c
|
|
|
|
|
--- linux-2.6.21.1/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100
|
|
|
|
|
+++ linux-2.6.21.1-owrt/net/netfilter/xt_portscan.c 2007-05-14 14:37:35.000000000 +0200
|
|
|
|
|
@@ -0,0 +1,272 @@
|
|
|
|
|
+/*
|
|
|
|
|
+ portscan match for netfilter
|
|
|
|
|
+ portscan match for netfilter
|
|
|
|
|
+
|
|
|
|
|
+ Written by Jan Engelhardt, 2006 - 2007
|
|
|
|
|
+ released under the terms of the GNU General Public
|
|
|
|
|
+ License version 2.x and only versions 2.x.
|
|
|
|
|
+ Written by Jan Engelhardt, 2006 - 2007
|
|
|
|
|
+ This program is free software; you can redistribute it and/or modify
|
|
|
|
|
+ it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
+ published by the Free Software Foundation.
|
|
|
|
|
+*/
|
|
|
|
|
+#include <linux/in.h>
|
|
|
|
|
+#include <linux/ip.h>
|
|
|
|
@ -614,22 +691,11 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_portscan.c linux-2.6.19.1/net/net |
|
|
|
|
+#include <linux/version.h>
|
|
|
|
|
+#include <linux/netfilter/x_tables.h>
|
|
|
|
|
+#include <linux/netfilter/xt_tcpudp.h>
|
|
|
|
|
+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
|
|
|
|
|
+# include <linux/netfilter_ipv4/ip_conntrack.h>
|
|
|
|
|
+#else /* linux-2.6.20+ */
|
|
|
|
|
+# include <net/netfilter/nf_nat_rule.h>
|
|
|
|
|
+#endif
|
|
|
|
|
+#include <linux/netfilter/oot_conntrack.h>
|
|
|
|
|
+#include <linux/netfilter/xt_portscan.h>
|
|
|
|
|
+#include <linux/netfilter/oot_trans.h>
|
|
|
|
|
+#define PFX KBUILD_MODNAME ": "
|
|
|
|
|
+
|
|
|
|
|
+/* Out of tree workarounds */
|
|
|
|
|
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
|
|
|
|
|
+# define HAVE_MATCHINFOSIZE 1
|
|
|
|
|
+#endif
|
|
|
|
|
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
|
|
|
|
|
+# define nfmark mark
|
|
|
|
|
+#endif
|
|
|
|
|
+
|
|
|
|
|
+enum {
|
|
|
|
|
+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
|
|
|
|
|
+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
|
|
|
|
|