fixed typo in generic squashfs split patch ... shame on you :)
[openwrt/svn-archive/archive.git] / target / linux / generic-2.6 / patches-2.6.23 / 170-netfilter_chaostables.patch
1 Index: linux-2.6.23/include/linux/netfilter/oot_conntrack.h
2 ===================================================================
3 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
4 +++ linux-2.6.23/include/linux/netfilter/oot_conntrack.h 2007-10-10 13:52:59.000000000 +0800
5 @@ -0,0 +1,5 @@
6 +#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
7 +# include <linux/netfilter_ipv4/ip_conntrack.h>
8 +#else /* linux-2.6.20+ */
9 +# include <net/netfilter/nf_nat_rule.h>
10 +#endif
11 Index: linux-2.6.23/include/linux/netfilter/oot_trans.h
12 ===================================================================
13 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
14 +++ linux-2.6.23/include/linux/netfilter/oot_trans.h 2007-10-10 13:52:59.000000000 +0800
15 @@ -0,0 +1,14 @@
16 +/* Out of tree workarounds */
17 +#include <linux/version.h>
18 +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
19 +# define HAVE_MATCHINFOSIZE 1
20 +# define HAVE_TARGUSERINFO 1
21 +# define HAVE_TARGINFOSIZE 1
22 +#endif
23 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
24 +# define nfmark mark
25 +#endif
26 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
27 +# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
28 + tcp_v4_check((tcph_sz), (s), (d), (csp))
29 +#endif
30 Index: linux-2.6.23/include/linux/netfilter/xt_CHAOS.h
31 ===================================================================
32 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
33 +++ linux-2.6.23/include/linux/netfilter/xt_CHAOS.h 2007-10-10 13:52:59.000000000 +0800
34 @@ -0,0 +1,14 @@
35 +#ifndef _LINUX_XT_CHAOS_H
36 +#define _LINUX_XT_CHAOS_H 1
37 +
38 +enum xt_chaos_variant {
39 + XTCHAOS_NORMAL,
40 + XTCHAOS_TARPIT,
41 + XTCHAOS_DELUDE,
42 +};
43 +
44 +struct xt_chaos_info {
45 + enum xt_chaos_variant variant;
46 +};
47 +
48 +#endif /* _LINUX_XT_CHAOS_H */
49 Index: linux-2.6.23/include/linux/netfilter/xt_portscan.h
50 ===================================================================
51 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
52 +++ linux-2.6.23/include/linux/netfilter/xt_portscan.h 2007-10-10 13:52:59.000000000 +0800
53 @@ -0,0 +1,8 @@
54 +#ifndef _LINUX_XT_PORTSCAN_H
55 +#define _LINUX_XT_PORTSCAN_H 1
56 +
57 +struct xt_portscan_info {
58 + unsigned int match_stealth, match_syn, match_cn, match_gr;
59 +};
60 +
61 +#endif /* _LINUX_XT_PORTSCAN_H */
62 Index: linux-2.6.23/net/netfilter/find_match.c
63 ===================================================================
64 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
65 +++ linux-2.6.23/net/netfilter/find_match.c 2007-10-10 13:52:59.000000000 +0800
66 @@ -0,0 +1,39 @@
67 +/*
68 + xt_request_find_match
69 + by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
70 +
71 + Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
72 + Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
73 + This program is free software; you can redistribute it and/or modify
74 + it under the terms of the GNU General Public License version 2 as
75 + published by the Free Software Foundation.
76 +*/
77 +#include <linux/err.h>
78 +#include <linux/netfilter_arp.h>
79 +#include <linux/socket.h>
80 +#include <linux/netfilter/x_tables.h>
81 +
82 +/*
83 + * Yeah this code is sub-optimal, but the function is missing in
84 + * mainline so far. -jengelh
85 + */
86 +static struct xt_match *xt_request_find_match_lo(int af, const char *name,
87 + u8 revision)
88 +{
89 + static const char *const xt_prefix[] = {
90 + [AF_INET] = "ip",
91 + [AF_INET6] = "ip6",
92 + [NF_ARP] = "arp",
93 + };
94 + struct xt_match *match;
95 +
96 + match = try_then_request_module(xt_find_match(af, name, revision),
97 + "%st_%s", xt_prefix[af], name);
98 + if(IS_ERR(match) || match == NULL)
99 + return NULL;
100 +
101 + return match;
102 +}
103 +
104 +/* In case it goes into mainline, let this out-of-tree package compile */
105 +#define xt_request_find_match xt_request_find_match_lo
106 Index: linux-2.6.23/net/netfilter/Kconfig
107 ===================================================================
108 --- linux-2.6.23.orig/net/netfilter/Kconfig 2007-10-10 04:31:38.000000000 +0800
109 +++ linux-2.6.23/net/netfilter/Kconfig 2007-10-10 13:53:04.000000000 +0800
110 @@ -265,6 +265,14 @@
111
112 # alphabetically ordered list of targets
113
114 +config NETFILTER_XT_TARGET_CHAOS
115 + tristate '"CHAOS" target support'
116 + depends on NETFILTER_XTABLES
117 + help
118 + This option adds a `CHAOS' target.
119 +
120 + To compile it as a module, choose M here. If unsure, say N.
121 +
122 config NETFILTER_XT_TARGET_CLASSIFY
123 tristate '"CLASSIFY" target support'
124 depends on NETFILTER_XTABLES
125 @@ -292,6 +300,14 @@
126 <file:Documentation/kbuild/modules.txt>. The module will be called
127 ipt_CONNMARK.ko. If unsure, say `N'.
128
129 +config NETFILTER_XT_TARGET_DELUDE
130 + tristate '"DELUDE" target support'
131 + depends on NETFILTER_XTABLES
132 + help
133 + This option adds a `DELUDE' target.
134 +
135 + To compile it as a module, choose M here. If unsure, say N.
136 +
137 config NETFILTER_XT_TARGET_DSCP
138 tristate '"DSCP" target support'
139 depends on NETFILTER_XTABLES
140 @@ -556,6 +572,14 @@
141
142 To compile it as a module, choose M here. If unsure, say N.
143
144 +config NETFILTER_XT_MATCH_PORTSCAN
145 + tristate '"portscan" match support'
146 + depends on NETFILTER_XTABLES
147 + help
148 + This option adds a 'portscan' match support.
149 +
150 + To compile it as a module, choose M here. If unsure, say N.
151 +
152 config NETFILTER_XT_MATCH_MULTIPORT
153 tristate "Multiple port match support"
154 depends on NETFILTER_XTABLES
155 Index: linux-2.6.23/net/netfilter/Makefile
156 ===================================================================
157 --- linux-2.6.23.orig/net/netfilter/Makefile 2007-10-10 04:31:38.000000000 +0800
158 +++ linux-2.6.23/net/netfilter/Makefile 2007-10-10 13:52:59.000000000 +0800
159 @@ -38,8 +38,10 @@
160 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
161
162 # targets
163 +obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
164 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
165 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
166 +obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
167 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
168 obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
169 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
170 @@ -66,6 +68,7 @@
171 obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
172 obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
173 obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
174 +obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
175 obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
176 obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
177 obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
178 Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
179 ===================================================================
180 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
181 +++ linux-2.6.23/net/netfilter/xt_CHAOS.c 2007-10-10 13:52:59.000000000 +0800
182 @@ -0,0 +1,205 @@
183 +/*
184 + CHAOS target for netfilter
185 +
186 + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
187 + This program is free software; you can redistribute it and/or modify
188 + it under the terms of the GNU General Public License version 2 as
189 + published by the Free Software Foundation.
190 +*/
191 +#include <linux/icmp.h>
192 +#include <linux/in.h>
193 +#include <linux/ip.h>
194 +#include <linux/module.h>
195 +#include <linux/skbuff.h>
196 +#include <linux/stat.h>
197 +#include <linux/netfilter/x_tables.h>
198 +#include <linux/netfilter/xt_tcpudp.h>
199 +#include <linux/netfilter_ipv4/ipt_REJECT.h>
200 +#include <net/ip.h>
201 +#include <linux/netfilter/xt_CHAOS.h>
202 +#include "find_match.c"
203 +#include <linux/netfilter/oot_trans.h>
204 +#define PFX KBUILD_MODNAME ": "
205 +
206 +/* Module parameters */
207 +static unsigned int reject_percentage = ~0U * .01;
208 +static unsigned int delude_percentage = ~0U * .0101;
209 +module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
210 +module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
211 +
212 +/* References to other matches/targets */
213 +static struct xt_match *xm_tcp;
214 +static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
215 +
216 +static int have_delude, have_tarpit;
217 +
218 +/* Static data for other matches/targets */
219 +static const struct ipt_reject_info reject_params = {
220 + .with = ICMP_HOST_UNREACH,
221 +};
222 +
223 +static const struct xt_tcp tcp_params = {
224 + .spts = {0, ~0},
225 + .dpts = {0, ~0},
226 +};
227 +
228 +/* CHAOS functions */
229 +static void xt_chaos_total(const struct xt_chaos_info *info,
230 + struct sk_buff **pskb, const struct net_device *in,
231 + const struct net_device *out, unsigned int hooknum)
232 +{
233 + const int protoff = ip_hdrlen(*pskb);
234 + const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET;
235 + const struct xt_target *destiny;
236 + bool hotdrop = false;
237 + int ret;
238 +
239 + ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
240 + offset, protoff, &hotdrop);
241 + if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
242 + return;
243 +
244 + destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
245 +#ifdef HAVE_TARGUSERINFO
246 + destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
247 +#else
248 + destiny->target(pskb, in, out, hooknum, destiny, NULL);
249 +#endif
250 + return;
251 +}
252 +
253 +static unsigned int xt_chaos_target(struct sk_buff **pskb,
254 + const struct net_device *in, const struct net_device *out,
255 + unsigned int hooknum, const struct xt_target *target, const void *targinfo
256 +#ifdef HAVE_TARGUSERINFO
257 + ,
258 + void *userinfo
259 +#endif
260 + )
261 +{
262 + /* Equivalent to:
263 + * -A chaos -m statistic --mode random --probability \
264 + * $reject_percentage -j REJECT --reject-with host-unreach;
265 + * -A chaos -p tcp -m statistic --mode random --probability \
266 + * $delude_percentage -j DELUDE;
267 + * -A chaos -j DROP;
268 + */
269 + const struct xt_chaos_info *info = targinfo;
270 +
271 + if((unsigned int)net_random() <= reject_percentage)
272 +#ifdef HAVE_TARGUSERINFO
273 + return xt_reject->target(pskb, in, out, hooknum, target,
274 + &reject_params, userinfo);
275 +#else
276 + return xt_reject->target(pskb, in, out, hooknum, target,
277 + &reject_params);
278 +#endif
279 +
280 + /* TARPIT/DELUDE may not be called from the OUTPUT chain */
281 + if(ip_hdr(*pskb)->protocol == IPPROTO_TCP &&
282 + info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
283 + xt_chaos_total(info, pskb, in, out, hooknum);
284 +
285 + return NF_DROP;
286 +}
287 +
288 +static bool xt_chaos_checkentry(const char *tablename, const void *entry,
289 + const struct xt_target *target, void *targinfo,
290 +#ifdef HAVE_TARGINFOSIZE
291 + unsigned int targinfosize,
292 +#endif
293 + unsigned int hook_mask)
294 +{
295 + const struct xt_chaos_info *info = targinfo;
296 + if(info->variant == XTCHAOS_DELUDE && !have_delude) {
297 + printk(KERN_WARNING PFX "Error: Cannot use --delude when "
298 + "DELUDE module not available\n");
299 + return false;
300 + }
301 + if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
302 + printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
303 + "TARPIT module not available\n");
304 + return false;
305 + }
306 + return true;
307 +}
308 +
309 +static struct xt_target xt_chaos_info = {
310 + .name = "CHAOS",
311 + .target = xt_chaos_target,
312 + .checkentry = xt_chaos_checkentry,
313 + .table = "filter",
314 + .targetsize = sizeof(struct xt_chaos_info),
315 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
316 + (1 << NF_IP_LOCAL_OUT),
317 + .family = AF_INET,
318 + .me = THIS_MODULE,
319 +};
320 +
321 +static int __init xt_chaos_init(void)
322 +{
323 + int ret = -EINVAL;
324 +
325 + xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
326 + if(xm_tcp == NULL) {
327 + printk(KERN_WARNING PFX "Error: Could not find or load "
328 + "\"tcp\" match\n");
329 + return -EINVAL;
330 + }
331 +
332 + xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
333 + if(xt_reject == NULL) {
334 + printk(KERN_WARNING PFX "Error: Could not find or load "
335 + "\"REJECT\" target\n");
336 + goto out2;
337 + }
338 +
339 + xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
340 + have_tarpit = xt_tarpit != NULL;
341 + if(!have_tarpit)
342 + printk(KERN_WARNING PFX "Warning: Could not find or load "
343 + "\"TARPIT\" target\n");
344 +
345 + xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
346 + have_delude = xt_delude != NULL;
347 + if(!have_delude)
348 + printk(KERN_WARNING PFX "Warning: Could not find or load "
349 + "\"DELUDE\" target\n");
350 +
351 + if((ret = xt_register_target(&xt_chaos_info)) != 0) {
352 + printk(KERN_WARNING PFX "xt_register_target returned "
353 + "error %d\n", ret);
354 + goto out3;
355 + }
356 +
357 + return 0;
358 +
359 + out3:
360 + if(have_delude)
361 + module_put(xt_delude->me);
362 + if(have_tarpit)
363 + module_put(xt_tarpit->me);
364 + module_put(xt_reject->me);
365 + out2:
366 + module_put(xm_tcp->me);
367 + return ret;
368 +}
369 +
370 +static void __exit xt_chaos_exit(void)
371 +{
372 + xt_unregister_target(&xt_chaos_info);
373 + module_put(xm_tcp->me);
374 + module_put(xt_reject->me);
375 + if(have_delude)
376 + module_put(xt_delude->me);
377 + if(have_tarpit)
378 + module_put(xt_tarpit->me);
379 + return;
380 +}
381 +
382 +module_init(xt_chaos_init);
383 +module_exit(xt_chaos_exit);
384 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
385 +MODULE_DESCRIPTION("netfilter CHAOS target");
386 +MODULE_LICENSE("GPL");
387 +MODULE_ALIAS("ipt_CHAOS");
388 Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
389 ===================================================================
390 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
391 +++ linux-2.6.23/net/netfilter/xt_DELUDE.c 2007-10-10 13:52:59.000000000 +0800
392 @@ -0,0 +1,288 @@
393 +/*
394 + DELUDE target
395 + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
396 +
397 + Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
398 + (C) 1999-2001 Paul `Rusty' Russell
399 + (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
400 +
401 + xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
402 +
403 + This program is free software; you can redistribute it and/or modify
404 + it under the terms of the GNU General Public License version 2 as
405 + published by the Free Software Foundation.
406 +*/
407 +#include <linux/module.h>
408 +#include <linux/skbuff.h>
409 +#include <linux/ip.h>
410 +#include <linux/random.h>
411 +#include <linux/tcp.h>
412 +#include <linux/udp.h>
413 +#include <linux/icmp.h>
414 +#include <net/icmp.h>
415 +#include <net/ip.h>
416 +#include <net/tcp.h>
417 +#include <net/route.h>
418 +#include <net/dst.h>
419 +#include <linux/netfilter_ipv4/ip_tables.h>
420 +#ifdef CONFIG_BRIDGE_NETFILTER
421 +# include <linux/netfilter_bridge.h>
422 +#endif
423 +#include <linux/netfilter/oot_trans.h>
424 +#define PFX KBUILD_MODNAME ": "
425 +
426 +static inline struct rtable *route_reverse(struct sk_buff *skb,
427 + struct tcphdr *tcph, int hook)
428 +{
429 + struct iphdr *iph = ip_hdr(skb);
430 + struct dst_entry *odst;
431 + struct flowi fl = {};
432 + struct rtable *rt;
433 +
434 + /* We don't require ip forwarding to be enabled to be able to
435 + * send a RST reply for bridged traffic. */
436 + if (hook != NF_IP_FORWARD
437 +#ifdef CONFIG_BRIDGE_NETFILTER
438 + || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
439 +#endif
440 + ) {
441 + fl.nl_u.ip4_u.daddr = iph->saddr;
442 + if (hook == NF_IP_LOCAL_IN)
443 + fl.nl_u.ip4_u.saddr = iph->daddr;
444 + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
445 +
446 + if (ip_route_output_key(&rt, &fl) != 0)
447 + return NULL;
448 + } else {
449 + /* non-local src, find valid iif to satisfy
450 + * rp-filter when calling ip_route_input. */
451 + fl.nl_u.ip4_u.daddr = iph->daddr;
452 + if (ip_route_output_key(&rt, &fl) != 0)
453 + return NULL;
454 +
455 + odst = skb->dst;
456 + if (ip_route_input(skb, iph->saddr, iph->daddr,
457 + RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
458 + dst_release(&rt->u.dst);
459 + return NULL;
460 + }
461 + dst_release(&rt->u.dst);
462 + rt = (struct rtable *)skb->dst;
463 + skb->dst = odst;
464 +
465 + fl.nl_u.ip4_u.daddr = iph->saddr;
466 + fl.nl_u.ip4_u.saddr = iph->daddr;
467 + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
468 + }
469 +
470 + if (rt->u.dst.error) {
471 + dst_release(&rt->u.dst);
472 + return NULL;
473 + }
474 +
475 + fl.proto = IPPROTO_TCP;
476 + fl.fl_ip_sport = tcph->dest;
477 + fl.fl_ip_dport = tcph->source;
478 +
479 + xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
480 +
481 + return rt;
482 +}
483 +
484 +static void send_reset(struct sk_buff *oldskb, int hook)
485 +{
486 + struct sk_buff *nskb;
487 + struct iphdr *iph = ip_hdr(oldskb);
488 + struct tcphdr _otcph, *oth, *tcph;
489 + __be16 tmp_port;
490 + __be32 tmp_addr;
491 + int needs_ack;
492 + unsigned int addr_type;
493 +
494 + /* IP header checks: fragment. */
495 + if (iph->frag_off & htons(IP_OFFSET))
496 + return;
497 +
498 + oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
499 + sizeof(_otcph), &_otcph);
500 + if (oth == NULL)
501 + return;
502 +
503 + /* No RST for RST. */
504 + if (oth->rst)
505 + return;
506 +
507 + /* Check checksum */
508 + if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
509 + return;
510 +
511 + /* We need a linear, writeable skb. We also need to expand
512 + headroom in case hh_len of incoming interface < hh_len of
513 + outgoing interface */
514 + nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
515 + GFP_ATOMIC);
516 + if (!nskb)
517 + return;
518 +
519 + /* This packet will not be the same as the other: clear nf fields */
520 + nf_reset(nskb);
521 + nskb->nfmark = 0;
522 + skb_init_secmark(nskb);
523 +
524 + skb_shinfo(nskb)->gso_size = 0;
525 + skb_shinfo(nskb)->gso_segs = 0;
526 + skb_shinfo(nskb)->gso_type = 0;
527 +
528 + tcph = tcp_hdr(nskb);
529 +
530 + /* Swap source and dest */
531 + tmp_addr = ip_hdr(nskb)->saddr;
532 + ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
533 + ip_hdr(nskb)->daddr = tmp_addr;
534 + tmp_port = tcph->source;
535 + tcph->source = tcph->dest;
536 + tcph->dest = tmp_port;
537 +
538 + /* Truncate to length (no data) */
539 + tcph->doff = sizeof(struct tcphdr)/4;
540 + skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
541 + ip_hdr(nskb)->tot_len = htons(nskb->len);
542 +
543 + if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
544 + /* DELUDE essential part */
545 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
546 + oldskb->len - ip_hdrlen(oldskb) -
547 + (oth->doff << 2));
548 + tcph->seq = htonl(secure_tcp_sequence_number(
549 + ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
550 + tcph->source, tcph->dest));
551 + tcph->ack = 1;
552 + } else {
553 + if(!tcph->ack) {
554 + needs_ack = 1;
555 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
556 + + oldskb->len - ip_hdrlen(oldskb)
557 + - (oth->doff<<2));
558 + tcph->seq = 0;
559 + } else {
560 + needs_ack = 0;
561 + tcph->seq = oth->ack_seq;
562 + tcph->ack_seq = 0;
563 + }
564 +
565 + /* Reset flags */
566 + ((u_int8_t *)tcph)[13] = 0;
567 + tcph->rst = 1;
568 + tcph->ack = needs_ack;
569 + }
570 +
571 +
572 + tcph->window = 0;
573 + tcph->urg_ptr = 0;
574 +
575 + /* Adjust TCP checksum */
576 + tcph->check = 0;
577 + tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
578 + ip_hdr(nskb)->saddr,
579 + ip_hdr(nskb)->daddr,
580 + csum_partial((char *)tcph,
581 + sizeof(struct tcphdr), 0));
582 +
583 + /* Set DF, id = 0 */
584 + ip_hdr(nskb)->frag_off = htons(IP_DF);
585 + ip_hdr(nskb)->id = 0;
586 +
587 + addr_type = RTN_UNSPEC;
588 + if (hook != NF_IP_FORWARD
589 +#ifdef CONFIG_BRIDGE_NETFILTER
590 + || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
591 +#endif
592 + )
593 + addr_type = RTN_LOCAL;
594 +
595 + if (ip_route_me_harder(&nskb, addr_type))
596 + goto free_nskb;
597 +
598 + nskb->ip_summed = CHECKSUM_NONE;
599 +
600 + /* Adjust IP TTL */
601 + ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
602 +
603 + /* Adjust IP checksum */
604 + ip_hdr(nskb)->check = 0;
605 + ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
606 + ip_hdr(nskb)->ihl);
607 +
608 + /* "Never happens" */
609 + if (nskb->len > dst_mtu(nskb->dst))
610 + goto free_nskb;
611 +
612 + nf_ct_attach(nskb, oldskb);
613 +
614 + NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
615 + dst_output);
616 + return;
617 +
618 + free_nskb:
619 + kfree_skb(nskb);
620 +}
621 +
622 +static unsigned int xt_delude_target(struct sk_buff **pskb,
623 + const struct net_device *in, const struct net_device *out,
624 + unsigned int hooknum, const struct xt_target *target, const void *targinfo
625 +#ifdef HAVE_TARGUSERINFO
626 + ,
627 + void *userinfo
628 +#endif
629 + )
630 +{
631 + /* WARNING: This code causes reentry within iptables.
632 + This means that the iptables jump stack is now crap. We
633 + must return an absolute verdict. --RR */
634 + send_reset(*pskb, hooknum);
635 + return NF_DROP;
636 +}
637 +
638 +static bool xt_delude_check(const char *tablename, const void *e_void,
639 + const struct xt_target *target, void *targinfo,
640 +#ifdef HAVE_TARGINFOSIZE
641 + unsigned int targinfosize,
642 +#endif
643 + unsigned int hook_mask)
644 +{
645 + if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
646 + printk(KERN_WARNING PFX "DELUDE may not be used in chains "
647 + "other than INPUT and FORWARD\n");
648 + return false;
649 + }
650 + return true;
651 +}
652 +
653 +static struct xt_target xt_delude_info = {
654 + .name = "DELUDE",
655 + .target = xt_delude_target,
656 + .checkentry = xt_delude_check,
657 + .table = "filter",
658 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
659 + (1 << NF_IP_LOCAL_OUT),
660 + .proto = IPPROTO_TCP,
661 + .family = AF_INET,
662 + .me = THIS_MODULE,
663 +};
664 +
665 +static int __init xt_delude_init(void)
666 +{
667 + return xt_register_target(&xt_delude_info);
668 +}
669 +
670 +static void __exit xt_delude_exit(void)
671 +{
672 + xt_unregister_target(&xt_delude_info);
673 +}
674 +
675 +module_init(xt_delude_init);
676 +module_exit(xt_delude_exit);
677 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
678 +MODULE_DESCRIPTION("netfilter DELUDE target");
679 +MODULE_LICENSE("GPL");
680 +MODULE_ALIAS("ipt_DELUDE");
681 Index: linux-2.6.23/net/netfilter/xt_portscan.c
682 ===================================================================
683 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
684 +++ linux-2.6.23/net/netfilter/xt_portscan.c 2007-10-10 13:52:59.000000000 +0800
685 @@ -0,0 +1,272 @@
686 +/*
687 + portscan match for netfilter
688 +
689 + Written by Jan Engelhardt, 2006 - 2007
690 + This program is free software; you can redistribute it and/or modify
691 + it under the terms of the GNU General Public License version 2 as
692 + published by the Free Software Foundation.
693 +*/
694 +#include <linux/in.h>
695 +#include <linux/ip.h>
696 +#include <linux/module.h>
697 +#include <linux/moduleparam.h>
698 +#include <linux/skbuff.h>
699 +#include <linux/stat.h>
700 +#include <linux/tcp.h>
701 +#include <linux/types.h>
702 +#include <linux/version.h>
703 +#include <linux/netfilter/x_tables.h>
704 +#include <linux/netfilter/xt_tcpudp.h>
705 +#include <linux/netfilter/oot_conntrack.h>
706 +#include <linux/netfilter/xt_portscan.h>
707 +#include <linux/netfilter/oot_trans.h>
708 +#define PFX KBUILD_MODNAME ": "
709 +
710 +enum {
711 + TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
712 + TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
713 + TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
714 +};
715 +
716 +/* Module parameters */
717 +static unsigned int
718 + connmark_mask = ~0,
719 + packet_mask = ~0,
720 + mark_seen = 0x9,
721 + mark_synrcv = 0x1,
722 + mark_closed = 0x2,
723 + mark_synscan = 0x3,
724 + mark_estab1 = 0x4,
725 + mark_estab2 = 0x5,
726 + mark_cnscan = 0x6,
727 + mark_grscan = 0x7,
728 + mark_valid = 0x8;
729 +
730 +module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
731 +module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
732 +module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
733 +module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
734 +module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
735 +module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
736 +module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
737 +module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
738 +module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
739 +module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
740 +module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
741 +MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
742 +MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
743 +MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
744 +MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
745 +MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
746 +MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
747 +MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
748 +MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
749 +MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
750 +MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
751 +MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
752 +
753 +/* TCP flag functions */
754 +static inline int tflg_ack4(const struct tcphdr *th)
755 +{
756 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
757 +}
758 +
759 +static inline int tflg_ack6(const struct tcphdr *th)
760 +{
761 + return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
762 +}
763 +
764 +static inline int tflg_fin(const struct tcphdr *th)
765 +{
766 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
767 +}
768 +
769 +static inline int tflg_rst(const struct tcphdr *th)
770 +{
771 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
772 +}
773 +
774 +static inline int tflg_rstack(const struct tcphdr *th)
775 +{
776 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
777 + (TCP_FLAG_ACK | TCP_FLAG_RST);
778 +}
779 +
780 +static inline int tflg_syn(const struct tcphdr *th)
781 +{
782 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
783 +}
784 +
785 +static inline int tflg_synack(const struct tcphdr *th)
786 +{
787 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
788 + (TCP_FLAG_SYN | TCP_FLAG_ACK);
789 +}
790 +
791 +/* portscan functions */
792 +static inline int xt_portscan_stealth(const struct tcphdr *th)
793 +{
794 + /*
795 + * "Connection refused" replies to our own probes must not be matched.
796 + */
797 + if(tflg_rstack(th))
798 + return 0;
799 +
800 + if(tflg_rst(th) && printk_ratelimit()) {
801 + printk(KERN_WARNING PFX "Warning: Pure RST received\n");
802 + return 0;
803 + }
804 +
805 + /*
806 + * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
807 + * packets that are not associated with any connection -- this will
808 + * match most scan types (NULL, XMAS, FIN) and ridiculous flag
809 + * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
810 + */
811 + return !tflg_syn(th);
812 +}
813 +
814 +static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
815 + int loopback, const struct tcphdr *tcph, int payload_len)
816 +{
817 + if(mark == mark_estab2) {
818 + /*
819 + * -m connmark --mark $ESTAB2
820 + */
821 + if(tflg_ack4(tcph) && payload_len == 0)
822 + return mark; /* keep mark */
823 + else if(tflg_rst(tcph) || tflg_fin(tcph))
824 + return mark_grscan;
825 + else
826 + return mark_valid;
827 + } else if(mark == mark_estab1) {
828 + /*
829 + * -m connmark --mark $ESTAB1
830 + */
831 + if(tflg_rst(tcph) || tflg_fin(tcph))
832 + return mark_cnscan;
833 + else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
834 + return mark_estab2;
835 + else
836 + return mark_valid;
837 + } else if(mark == mark_synrcv) {
838 + /*
839 + * -m connmark --mark $SYN
840 + */
841 + if(loopback && tflg_synack(tcph))
842 + return mark; /* keep mark */
843 + else if(loopback && tflg_rstack(tcph))
844 + return mark_closed;
845 + else if(tflg_ack6(tcph))
846 + return mark_estab1;
847 + else
848 + return mark_synscan;
849 + } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
850 + /*
851 + * -p tcp --syn --ctstate NEW
852 + */
853 + return mark_synrcv;
854 + }
855 + return mark;
856 +}
857 +
858 +static bool xt_portscan_match(const struct sk_buff *skb,
859 + const struct net_device *in, const struct net_device *out,
860 + const struct xt_match *match, const void *matchinfo, int offset,
861 + unsigned int protoff, bool *hotdrop)
862 +{
863 + const struct xt_portscan_info *info = matchinfo;
864 + enum ip_conntrack_info ctstate;
865 + struct nf_conn *ctdata;
866 + const struct tcphdr *tcph;
867 + struct tcphdr tcph_buf;
868 +
869 + tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
870 + if(tcph == NULL)
871 + return false;
872 +
873 + /* Check for invalid packets: -m conntrack --ctstate INVALID */
874 + if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
875 + if(info->match_stealth)
876 + return xt_portscan_stealth(tcph);
877 + /*
878 + * If @ctdata is NULL, we cannot match the other scan
879 + * types, return.
880 + */
881 + return false;
882 + }
883 +
884 + /*
885 + * If -m portscan was previously applied to this packet, the rules we
886 + * simulate must not be run through again. And for speedup, do not call
887 + * it either when the connection is already VALID.
888 + */
889 + if((ctdata->mark & connmark_mask) == mark_valid ||
890 + (skb->nfmark & packet_mask) != mark_seen)
891 + {
892 + unsigned int n;
893 + n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
894 + in == &loopback_dev, tcph,
895 + skb->len - protoff - 4 * tcph->doff);
896 +
897 + ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
898 + ((struct sk_buff *)skb)->nfmark =
899 + (skb->nfmark & ~packet_mask) | mark_seen;
900 + }
901 +
902 + return (info->match_syn && ctdata->mark == mark_synscan) ||
903 + (info->match_cn && ctdata->mark == mark_cnscan) ||
904 + (info->match_gr && ctdata->mark == mark_grscan);
905 +}
906 +
907 +static bool xt_portscan_checkentry(const char *tablename, const void *entry,
908 + const struct xt_match *match, void *matchinfo,
909 +#ifdef HAVE_MATCHINFOSIZE
910 + unsigned int matchinfosize,
911 +#endif
912 + unsigned int hook_mask)
913 +{
914 + const struct xt_portscan_info *info = matchinfo;
915 +#ifdef HAVE_MATCHINFOSIZE
916 + if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
917 + printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
918 + matchinfosize,
919 + XT_ALIGN(sizeof(struct xt_portscan_info)));
920 + return false;
921 + }
922 +#endif
923 + if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
924 + (info->match_cn & ~1) || (info->match_gr & ~1)) {
925 + printk(KERN_WARNING PFX "Invalid flags\n");
926 + return false;
927 + }
928 + return true;
929 +}
930 +
931 +static struct xt_match xt_portscan = {
932 + .name = "portscan",
933 + .match = xt_portscan_match,
934 + .checkentry = xt_portscan_checkentry,
935 + .matchsize = sizeof(struct xt_portscan_info),
936 + .proto = IPPROTO_TCP,
937 + .family = AF_INET,
938 + .me = THIS_MODULE,
939 +};
940 +
941 +static int __init xt_portscan_init(void)
942 +{
943 + return xt_register_match(&xt_portscan);
944 +}
945 +
946 +static void __exit xt_portscan_exit(void)
947 +{
948 + xt_unregister_match(&xt_portscan);
949 + return;
950 +}
951 +
952 +module_init(xt_portscan_init);
953 +module_exit(xt_portscan_exit);
954 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
955 +MODULE_DESCRIPTION("netfilter portscan match module");
956 +MODULE_LICENSE("GPL");
957 +MODULE_ALIAS("ipt_portscan");
958 Index: linux-2.6.23/drivers/char/random.c
959 ===================================================================
960 --- linux-2.6.23.orig/drivers/char/random.c 2007-10-10 04:31:38.000000000 +0800
961 +++ linux-2.6.23/drivers/char/random.c 2007-10-10 13:52:59.000000000 +0800
962 @@ -1564,6 +1564,8 @@
963 return seq;
964 }
965
966 +EXPORT_SYMBOL(secure_tcp_sequence_number);
967 +
968 /* Generate secure starting point for ephemeral IPV4 transport port search */
969 u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
970 {