X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=blobdiff_plain;f=target%2Flinux%2Fgeneric-2.6%2Fpatches%2F170-netfilter_chaostables.patch;h=aa665211b8614fcbe0fdb97f1aa7210b874c7482;hp=46d48a5d0876360aba3e429b3acadfc67e132d00;hb=615e8af8411e64db4db57d453af00ea9a7ca1fa2;hpb=e1bb43f263ea0a0c72bac8750fb420697ca7866f
diff --git a/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch
index 46d48a5d08..aa665211b8 100644
--- a/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch
+++ b/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch
@@ -1,6 +1,33 @@ -diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_CHAOS.h linux-2.6.19.1/include/linux/netfilter/xt_CHAOS.h ---- linux-2.6.19.1.orig/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.19.1/include/linux/netfilter/xt_CHAOS.h 2007-01-11 13:28:07.656144799 +0100 +diff -Nur linux-2.6.21.1/include/linux/netfilter/oot_conntrack.h linux-2.6.21.1-owrt/include/linux/netfilter/oot_conntrack.h +--- linux-2.6.21.1/include/linux/netfilter/oot_conntrack.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.21.1-owrt/include/linux/netfilter/oot_conntrack.h 2007-05-14 14:18:54.000000000 +0200 +@@ -0,0 +1,5 @@ ++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) ++# include ++#else /* linux-2.6.20+ */ ++# include ++#endif +diff -Nur linux-2.6.21.1/include/linux/netfilter/oot_trans.h linux-2.6.21.1-owrt/include/linux/netfilter/oot_trans.h +--- linux-2.6.21.1/include/linux/netfilter/oot_trans.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.21.1-owrt/include/linux/netfilter/oot_trans.h 2007-05-14 14:18:54.000000000 +0200 +@@ -0,0 +1,14 @@ ++/* Out of tree workarounds */ ++#include ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) ++# define HAVE_MATCHINFOSIZE 1 ++# define HAVE_TARGUSERINFO 1 ++# define HAVE_TARGINFOSIZE 1 ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) ++# define nfmark mark ++#endif ++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) ++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \ ++ tcp_v4_check((tcph_sz), (s), (d), (csp)) ++#endif +diff -Nur linux-2.6.21.1/include/linux/netfilter/xt_CHAOS.h linux-2.6.21.1-owrt/include/linux/netfilter/xt_CHAOS.h +--- linux-2.6.21.1/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.21.1-owrt/include/linux/netfilter/xt_CHAOS.h 2007-05-14 14:18:54.000000000 +0200 @@ -0,0 +1,14 @@ +#ifndef _LINUX_XT_CHAOS_H +#define _LINUX_XT_CHAOS_H 1 
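Review bot: The new oot_trans.h and oot_conntrack.h headers carry no include guard, unlike xt_CHAOS.h added in the same hunk, so a translation unit that reaches them twice (the module sources `#include "find_match.c"` and the header separately) re-expands every `#define`; today each redefinition is token-identical and therefore legal, but a guard in the style of `#ifndef _LINUX_XT_CHAOS_H` keeps that from turning into a hard error the first time one of the defines changes. The function-like `tcp_v4_check` macro also only works if the header is included after the kernel header that declares `tcp_v4_check`, since any later prototype of that name would be expanded as a macro invocation with the wrong argument count; a one-line comment above it stating the ordering requirement, e.g. `/* must be included after <net/tcp.h>: this rewrites later uses of the name */`, would save the next reader a build break.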
@@ -16,9 +43,9 @@ diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_CHAOS.h linux-2.6.19.1/ +}; + +#endif /* _LINUX_XT_CHAOS_H */ -diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_portscan.h linux-2.6.19.1/include/linux/netfilter/xt_portscan.h ---- linux-2.6.19.1.orig/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.19.1/include/linux/netfilter/xt_portscan.h 2007-01-11 13:28:07.656144799 +0100 +diff -Nur linux-2.6.21.1/include/linux/netfilter/xt_portscan.h linux-2.6.21.1-owrt/include/linux/netfilter/xt_portscan.h +--- linux-2.6.21.1/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.21.1-owrt/include/linux/netfilter/xt_portscan.h 2007-05-14 14:18:54.000000000 +0200 @@ -0,0 +1,8 @@ +#ifndef _LINUX_XT_PORTSCAN_H +#define _LINUX_XT_PORTSCAN_H 1 @@ -28,10 +55,10 @@ diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_portscan.h linux-2.6.19 +}; + +#endif /* _LINUX_XT_PORTSCAN_H */ -diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netfilter/find_match.c ---- linux-2.6.19.1.orig/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.19.1/net/netfilter/find_match.c 2007-01-11 13:28:12.191994379 +0100 -@@ -0,0 +1,37 @@ +diff -Nur linux-2.6.21.1/net/netfilter/find_match.c linux-2.6.21.1-owrt/net/netfilter/find_match.c +--- linux-2.6.21.1/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.21.1-owrt/net/netfilter/find_match.c 2007-05-14 14:18:54.000000000 +0200 +@@ -0,0 +1,39 @@ +/* + xt_request_find_match + by Jan Engelhardt , 2006 - 2007 @@ -42,7 +69,6 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netf + it under the terms of the GNU General Public License version 2 as + published by the Free Software Foundation. +*/ -+ +#include +#include +#include 
@@ -52,7 +78,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netf + * Yeah this code is sub-optimal, but the function is missing in + * mainline so far. -jengelh + */ -+static struct xt_match *xt_request_find_match(int af, const char *name, ++static struct xt_match *xt_request_find_match_lo(int af, const char *name, + u8 revision) +{ + static const char *const xt_prefix[] = { @@ -69,10 +95,13 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netf + + return match; +} -diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter/Kconfig ---- linux-2.6.19.1.orig/net/netfilter/Kconfig 2007-01-11 13:27:24.445577700 +0100 -+++ linux-2.6.19.1/net/netfilter/Kconfig 2007-01-11 13:28:09.092097179 +0100 -@@ -122,6 +122,14 @@ ++ ++/* In case it goes into mainline, let this out-of-tree package compile */ ++#define xt_request_find_match xt_request_find_match_lo +diff -Nur linux-2.6.21.1/net/netfilter/Kconfig linux-2.6.21.1-owrt/net/netfilter/Kconfig +--- linux-2.6.21.1/net/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200 ++++ linux-2.6.21.1-owrt/net/netfilter/Kconfig 2007-05-14 14:30:47.000000000 +0200 +@@ -287,6 +287,14 @@ # alphabetically ordered list of targets @@ -87,7 +116,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter config NETFILTER_XT_TARGET_CLASSIFY tristate '"CLASSIFY" target support' depends on NETFILTER_XTABLES -@@ -148,6 +156,14 @@ +@@ -315,6 +323,14 @@ . The module will be called ipt_CONNMARK.o. If unsure, say `N'. @@ -102,7 +131,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter config NETFILTER_XT_TARGET_DSCP tristate '"DSCP" target support' depends on NETFILTER_XTABLES -@@ -355,6 +371,14 @@ +@@ -563,6 +579,14 @@ To compile it as a module, choose M here. If unsure, say N. 
@@ -117,10 +146,10 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter config NETFILTER_XT_MATCH_MULTIPORT tristate "Multiple port match support" depends on NETFILTER_XTABLES -diff -ruN linux-2.6.19.1.orig/net/netfilter/Makefile linux-2.6.19.1/net/netfilter/Makefile ---- linux-2.6.19.1.orig/net/netfilter/Makefile 2007-01-11 13:27:24.445577700 +0100 -+++ linux-2.6.19.1/net/netfilter/Makefile 2007-01-11 13:28:07.656144799 +0100 -@@ -23,8 +23,10 @@ +diff -Nur linux-2.6.21.1/net/netfilter/Makefile linux-2.6.21.1-owrt/net/netfilter/Makefile +--- linux-2.6.21.1/net/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200 ++++ linux-2.6.21.1-owrt/net/netfilter/Makefile 2007-05-14 14:30:47.000000000 +0200 +@@ -37,8 +37,10 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o # targets @@ -131,7 +160,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Makefile linux-2.6.19.1/net/netfilte obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o -@@ -47,6 +49,7 @@ +@@ -63,6 +65,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o 
@@ -139,16 +168,17 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Makefile linux-2.6.19.1/net/netfilte obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o -diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfilter/xt_CHAOS.c ---- linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.19.1/net/netfilter/xt_CHAOS.c 2007-01-11 13:28:14.407920893 +0100 -@@ -0,0 +1,180 @@ +diff -Nur linux-2.6.21.1/net/netfilter/xt_CHAOS.c linux-2.6.21.1-owrt/net/netfilter/xt_CHAOS.c +--- linux-2.6.21.1/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.21.1-owrt/net/netfilter/xt_CHAOS.c 2007-05-14 14:36:58.000000000 +0200 +@@ -0,0 +1,204 @@ +/* -+ CHAOS target for netfilter ++ CHAOS target for netfilter + -+ Copyright © Jan Engelhardt , 2006 - 2007 -+ released under the terms of the GNU General Public -+ License version 2.x and only versions 2.x. ++ Copyright © Jan Engelhardt , 2006 - 2007 ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. +*/ +#include +#include @@ -162,14 +192,9 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil +#include +#include +#include "find_match.c" ++#include +#define PFX KBUILD_MODNAME ": " + -+/* Out of tree workarounds */ -+#include -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) -+# define HAVE_TARGUSERINFO 1 -+#endif -+ +/* Module parameters */ +static unsigned int reject_percentage = ~0U * .01; +static unsigned int delude_percentage = ~0U * .0101; 
@@ -180,6 +205,8 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil +static struct xt_match *xm_tcp; +static struct xt_target *xt_delude, *xt_reject, *xt_tarpit; + ++static int have_delude, have_tarpit; ++ +/* Static data for other matches/targets */ +static const struct ipt_reject_info reject_params = { + .with = ICMP_HOST_UNREACH, @@ -226,7 +253,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil + /* Equivalent to: + * -A chaos -m statistic --mode random --probability \ + * $reject_percentage -j REJECT --reject-with host-unreach; -+ * -A chaos -m statistic --mode random --probability \ ++ * -A chaos -p tcp -m statistic --mode random --probability \ + * $delude_percentage -j DELUDE; + * -A chaos -j DROP; + */ @@ -249,9 +276,31 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil + return NF_DROP; +} + ++static int xt_chaos_checkentry(const char *tablename, const void *entry, ++ const struct xt_target *target, void *targinfo, ++#ifdef HAVE_TARGINFOSIZE ++ unsigned int targinfosize, ++#endif ++ unsigned int hook_mask) ++{ ++ const struct xt_chaos_info *info = targinfo; ++ if(info->variant == XTCHAOS_DELUDE && !have_delude) { ++ printk(KERN_WARNING PFX "Error: Cannot use --delude when " ++ "DELUDE module not available\n"); ++ return 0; ++ } ++ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) { ++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when " ++ "TARPIT module not available\n"); ++ return 0; ++ } ++ return 1; ++} ++ +static struct xt_target xt_chaos_info = { + .name = "CHAOS", + .target = xt_chaos_target, ++ .checkentry = xt_chaos_checkentry, + .table = "filter", + .targetsize = sizeof(struct xt_chaos_info), + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | 
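Review bot: xt_chaos_checkentry only rejects `XTCHAOS_DELUDE` and `XTCHAOS_TARPIT` when their helper module is absent, and accepts every other `info->variant` value unchecked, so an out-of-range variant passes validation and its handling is left to whatever xt_chaos_target does with an unknown value, which is not visible in this hunk. Netfilter convention is for checkentry to reject malformed targinfo up front; rewriting the body as a `switch (info->variant)` over the values declared in xt_CHAOS.h with a `default: return 0;` arm makes the accepted set explicit and keeps the two module-availability checks as their own cases. The unused `tablename`, `entry`, `target` and `hook_mask` parameters are fine as they are dictated by the callback signature.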
@@ -266,41 +315,43 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil + + xm_tcp = xt_request_find_match(AF_INET, "tcp", 0); + if(xm_tcp == NULL) { -+ printk(KERN_WARNING PFX "Could not find \"tcp\" match\n"); ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"tcp\" match\n"); + return -EINVAL; + } + + xt_reject = xt_request_find_target(AF_INET, "REJECT", 0); + if(xt_reject == NULL) { -+ printk(KERN_WARNING PFX "Could not find \"REJECT\" target\n"); ++ printk(KERN_WARNING PFX "Error: Could not find or load " ++ "\"REJECT\" target\n"); + goto out2; + } + -+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); -+ if(xt_tarpit == NULL) { -+ printk(KERN_WARNING PFX "Could not find \"TARPIT\" target\n"); -+ goto out3; -+ } ++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0); ++ have_tarpit = xt_tarpit != NULL; ++ if(!have_tarpit) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"TARPIT\" target\n"); + -+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); -+ if(xt_delude == NULL) { -+ printk(KERN_WARNING PFX "Could not find \"DELUDE\" target\n"); -+ goto out4; -+ } ++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0); ++ have_delude = xt_delude != NULL; ++ if(!have_delude) ++ printk(KERN_WARNING PFX "Warning: Could not find or load " ++ "\"DELUDE\" target\n"); + + if((ret = xt_register_target(&xt_chaos_info)) != 0) { + printk(KERN_WARNING PFX "xt_register_target returned " + "error %d\n", ret); -+ goto out5; ++ goto out3; + } + + return 0; + -+ out5: -+ module_put(xt_delude->me); -+ out4: -+ module_put(xt_tarpit->me); + out3: ++ if(have_delude) ++ module_put(xt_delude->me); ++ if(have_tarpit) ++ module_put(xt_tarpit->me); + module_put(xt_reject->me); + out2: + module_put(xm_tcp->me); 
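Review bot: The two new optional-target checks use unbraced `if` bodies whose single statement spans two lines (`if(!have_tarpit)` followed by the two-line `printk`, and the DELUDE twin), which is exactly the shape where a later added line silently lands outside the condition; bracing both, and writing the flag as `have_tarpit = (xt_tarpit != NULL);`, keeps the intent obvious at a glance. The reworked `out3` path puts back only the references that were actually taken, so the error handling itself looks correct.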
@@ -312,8 +363,10 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil + xt_unregister_target(&xt_chaos_info); + module_put(xm_tcp->me); + module_put(xt_reject->me); -+ module_put(xt_delude->me); -+ module_put(xt_tarpit->me); ++ if(have_delude) ++ module_put(xt_delude->me); ++ if(have_tarpit) ++ module_put(xt_tarpit->me); + return; +} + 
@@ -323,26 +376,28 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil +MODULE_DESCRIPTION("netfilter CHAOS target"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_CHAOS"); -diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfilter/xt_DELUDE.c ---- linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.19.1/net/netfilter/xt_DELUDE.c 2007-01-11 13:28:07.656144799 +0100 -@@ -0,0 +1,265 @@ +diff -Nur linux-2.6.21.1/net/netfilter/xt_DELUDE.c linux-2.6.21.1-owrt/net/netfilter/xt_DELUDE.c +--- linux-2.6.21.1/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.21.1-owrt/net/netfilter/xt_DELUDE.c 2007-05-14 14:53:12.000000000 +0200 +@@ -0,0 +1,288 @@ +/* -+ DELUDE target -+ Copyright © Jan Engelhardt , 2007 ++ DELUDE target ++ Copyright © Jan Engelhardt , 2007 + -+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: -+ (C) 1999-2001 Paul `Rusty' Russell -+ (C) 2002-2004 Netfilter Core Team ++ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c: ++ (C) 1999-2001 Paul `Rusty' Russell ++ (C) 2002-2004 Netfilter Core Team + -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+*/ ++ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN. + ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. ++*/ +#include +#include +#include ++#include +#include +#include +#include 
@@ -353,20 +408,11 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi +#include +#include +#ifdef CONFIG_BRIDGE_NETFILTER -+#include ++# include +#endif ++#include +#define PFX KBUILD_MODNAME ": " + -+/* Out of tree workarounds */ -+#include -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) -+# define HAVE_TARGINFOSIZE 1 -+# define HAVE_TARGUSERINFO 1 -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) -+# define nfmark mark -+#endif -+ +static inline struct rtable *route_reverse(struct sk_buff *skb, + struct tcphdr *tcph, int hook) +{ @@ -430,10 +476,10 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi + struct sk_buff *nskb; + struct iphdr *iph = oldskb->nh.iph; + struct tcphdr _otcph, *oth, *tcph; -+ struct rtable *rt; -+ u_int16_t tmp_port; -+ u_int32_t tmp_addr; -+ int hh_len; ++ __be16 tmp_port; ++ __be32 tmp_addr; ++ int needs_ack; ++ unsigned int addr_type; + + /* IP header checks: fragment. */ + if (oldskb->nh.iph->frag_off & htons(IP_OFFSET)) 
@@ -442,39 +488,33 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi + oth = skb_header_pointer(oldskb, oldskb->nh.iph->ihl * 4, + sizeof(_otcph), &_otcph); + if (oth == NULL) -+ return; ++ return; + -+ /* DELUDE only answers SYN. */ -+ if(!oth->syn || oth->ack || oth->fin || oth->rst) ++ /* No RST for RST. */ ++ if (oth->rst) + return; + + /* Check checksum */ + if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP)) + return; + -+ if ((rt = route_reverse(oldskb, oth, hook)) == NULL) -+ return; -+ -+ hh_len = LL_RESERVED_SPACE(rt->u.dst.dev); -+ + /* We need a linear, writeable skb. We also need to expand + headroom in case hh_len of incoming interface < hh_len of + outgoing interface */ -+ nskb = skb_copy_expand(oldskb, hh_len, skb_tailroom(oldskb), ++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb), + GFP_ATOMIC); -+ if (!nskb) { -+ dst_release(&rt->u.dst); ++ if (!nskb) + return; -+ } -+ -+ dst_release(nskb->dst); -+ nskb->dst = &rt->u.dst; + + /* This packet will not be the same as the other: clear nf fields */ + nf_reset(nskb); + nskb->nfmark = 0; + skb_init_secmark(nskb); + ++ skb_shinfo(nskb)->gso_size = 0; ++ skb_shinfo(nskb)->gso_segs = 0; ++ skb_shinfo(nskb)->gso_type = 0; ++ + tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl); + + /* Swap source and dest */ 
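Review bot: The comment above the `skb_copy_expand` call still explains the headroom in terms of `hh_len` of the incoming versus outgoing interface, but this hunk removes the `hh_len` computation and the `route_reverse` call that produced it, so the comment now refers to a variable that no longer exists; rewording it to `/* Reserve LL_MAX_HEADER so the reply fits any outgoing device's link-layer header */` keeps it accurate. With that call gone, `route_reverse` (still defined as `static inline` earlier in the file, outside this hunk) appears to have lost its only caller; if nothing else in the file uses it, dropping it avoids carrying dead routing code, since `static inline` suppresses the unused-function warning that would otherwise flag it. The enclosing function starts and ends outside this hunk.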
@@ -490,12 +530,34 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi + skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr)); + nskb->nh.iph->tot_len = htons(nskb->len); + -+ tcph->seq = oth->ack_seq; -+ tcph->ack_seq = 0; ++ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) { ++ /* DELUDE essential part */ ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + ++ oldskb->len - oldskb->nh.iph->ihl * 4 - ++ (oth->doff << 2)); ++ tcph->seq = htonl(secure_tcp_sequence_number( ++ nskb->nh.iph->saddr, nskb->nh.iph->daddr, ++ tcph->source, tcph->dest)); ++ tcph->ack = 1; ++ } else { ++ if(!tcph->ack) { ++ needs_ack = 1; ++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin ++ + oldskb->len - oldskb->nh.iph->ihl*4 ++ - (oth->doff<<2)); ++ tcph->seq = 0; ++ } else { ++ needs_ack = 0; ++ tcph->seq = oth->ack_seq; ++ tcph->ack_seq = 0; ++ } ++ ++ /* Reset flags */ ++ ((u_int8_t *)tcph)[13] = 0; ++ tcph->rst = 1; ++ tcph->ack = needs_ack; ++ } + -+ /* Reset flags */ -+ ((u_int8_t *)tcph)[13] = 0; -+ tcph->syn = tcph->ack = 1; + + tcph->window = 0; + tcph->urg_ptr = 0; @@ -508,12 +570,26 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi + csum_partial((char *)tcph, + sizeof(struct tcphdr), 0)); + -+ /* Adjust IP TTL, DF */ -+ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); + /* Set DF, id = 0 */ + nskb->nh.iph->frag_off = htons(IP_DF); + nskb->nh.iph->id = 0; + ++ addr_type = RTN_UNSPEC; ++ if (hook != NF_IP_FORWARD ++#ifdef CONFIG_BRIDGE_NETFILTER ++ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED) ++#endif ++ ) ++ addr_type = RTN_LOCAL; ++ ++ if (ip_route_me_harder(&nskb, addr_type)) ++ goto free_nskb; ++ ++ nskb->ip_summed = CHECKSUM_NONE; ++ ++ /* Adjust IP TTL */ ++ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); ++ + /* Adjust IP checksum */ + nskb->nh.iph->check = 0; + nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, 
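Review bot: In the new SYN branch the reply header is the copy of the incoming SYN and only `tcph->ack = 1` is set, so any other flag bits the probe carried (URG, PSH, ECE, CWR) are echoed back in the SYN-ACK, whereas the RST branch below zeroes the flags byte before setting its bits. Clearing the byte first and setting both wanted bits explicitly, `((u_int8_t *)tcph)[13] = 0; tcph->syn = 1; tcph->ack = 1;`, yields a clean SYN-ACK regardless of the probe's flags and states the intent that the removed `tcph->syn = tcph->ack = 1;` line used to make explicit, instead of relying on the copied SYN bit. The enclosing function continues outside the hunk.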
@@ -531,7 +607,6 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi + + free_nskb: + kfree_skb(nskb); -+ return; +} + +static unsigned int xt_delude_target(struct sk_buff **pskb, @@ -589,19 +664,21 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi + +module_init(xt_delude_init); +module_exit(xt_delude_exit); -+MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Jan Engelhardt "); +MODULE_DESCRIPTION("netfilter DELUDE target"); -diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_portscan.c linux-2.6.19.1/net/netfilter/xt_portscan.c ---- linux-2.6.19.1.orig/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100 -+++ linux-2.6.19.1/net/netfilter/xt_portscan.c 2007-01-11 13:28:14.407920893 +0100 -@@ -0,0 +1,282 @@ ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("ipt_DELUDE"); +diff -Nur linux-2.6.21.1/net/netfilter/xt_portscan.c linux-2.6.21.1-owrt/net/netfilter/xt_portscan.c +--- linux-2.6.21.1/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100 ++++ linux-2.6.21.1-owrt/net/netfilter/xt_portscan.c 2007-05-14 14:37:35.000000000 +0200 +@@ -0,0 +1,272 @@ +/* -+ portscan match for netfilter ++ portscan match for netfilter + -+ Written by Jan Engelhardt, 2006 - 2007 -+ released under the terms of the GNU General Public -+ License version 2.x and only versions 2.x. ++ Written by Jan Engelhardt, 2006 - 2007 ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. +*/ +#include +#include 
@@ -614,22 +691,11 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_portscan.c linux-2.6.19.1/net/net +#include +#include +#include -+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) -+# include -+#else /* linux-2.6.20+ */ -+# include -+#endif ++#include +#include ++#include +#define PFX KBUILD_MODNAME ": " + -+/* Out of tree workarounds */ -+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) -+# define HAVE_MATCHINFOSIZE 1 -+#endif -+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) -+# define nfmark mark -+#endif -+ +enum { + TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN, + TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,