1 Index: linux-2.6.23/include/linux/netfilter/oot_conntrack.h
2 ===================================================================
3 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
4 +++ linux-2.6.23/include/linux/netfilter/oot_conntrack.h 2007-10-10 13:52:59.000000000 +0800
6 +#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
7 +# include <linux/netfilter_ipv4/ip_conntrack.h>
8 +#else /* linux-2.6.20+ */
9 +# include <net/netfilter/nf_nat_rule.h>
11 Index: linux-2.6.23/include/linux/netfilter/oot_trans.h
12 ===================================================================
13 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
14 +++ linux-2.6.23/include/linux/netfilter/oot_trans.h 2007-10-10 13:52:59.000000000 +0800
16 +/* Out of tree workarounds */
17 +#include <linux/version.h>
18 +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
19 +# define HAVE_MATCHINFOSIZE 1
20 +# define HAVE_TARGUSERINFO 1
21 +# define HAVE_TARGINFOSIZE 1
23 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
26 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
27 +# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
28 + tcp_v4_check((tcph_sz), (s), (d), (csp))
30 Index: linux-2.6.23/include/linux/netfilter/xt_CHAOS.h
31 ===================================================================
32 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
33 +++ linux-2.6.23/include/linux/netfilter/xt_CHAOS.h 2007-10-10 13:52:59.000000000 +0800
35 +#ifndef _LINUX_XT_CHAOS_H
36 +#define _LINUX_XT_CHAOS_H 1
38 +enum xt_chaos_variant {
44 +struct xt_chaos_info {
45 + enum xt_chaos_variant variant;
48 +#endif /* _LINUX_XT_CHAOS_H */
49 Index: linux-2.6.23/include/linux/netfilter/xt_portscan.h
50 ===================================================================
51 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
52 +++ linux-2.6.23/include/linux/netfilter/xt_portscan.h 2007-10-10 13:52:59.000000000 +0800
54 +#ifndef _LINUX_XT_PORTSCAN_H
55 +#define _LINUX_XT_PORTSCAN_H 1
57 +struct xt_portscan_info {
58 + unsigned int match_stealth, match_syn, match_cn, match_gr;
61 +#endif /* _LINUX_XT_PORTSCAN_H */
62 Index: linux-2.6.23/net/netfilter/find_match.c
63 ===================================================================
64 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
65 +++ linux-2.6.23/net/netfilter/find_match.c 2007-10-10 13:52:59.000000000 +0800
68 + xt_request_find_match
69 + by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
71 + Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
72 + Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
73 + This program is free software; you can redistribute it and/or modify
74 + it under the terms of the GNU General Public License version 2 as
75 + published by the Free Software Foundation.
77 +#include <linux/err.h>
78 +#include <linux/netfilter_arp.h>
79 +#include <linux/socket.h>
80 +#include <linux/netfilter/x_tables.h>
83 + * Yeah this code is sub-optimal, but the function is missing in
84 + * mainline so far. -jengelh
86 +static struct xt_match *xt_request_find_match_lo(int af, const char *name,
89 + static const char *const xt_prefix[] = {
94 + struct xt_match *match;
96 + match = try_then_request_module(xt_find_match(af, name, revision),
97 + "%st_%s", xt_prefix[af], name);
98 + if(IS_ERR(match) || match == NULL)
104 +/* In case it goes into mainline, let this out-of-tree package compile */
105 +#define xt_request_find_match xt_request_find_match_lo
106 Index: linux-2.6.23/net/netfilter/Kconfig
107 ===================================================================
108 --- linux-2.6.23.orig/net/netfilter/Kconfig 2007-10-10 04:31:38.000000000 +0800
109 +++ linux-2.6.23/net/netfilter/Kconfig 2007-10-10 13:53:04.000000000 +0800
112 # alphabetically ordered list of targets
114 +config NETFILTER_XT_TARGET_CHAOS
115 + tristate '"CHAOS" target support'
116 + depends on NETFILTER_XTABLES
118 + This option adds a `CHAOS' target.
120 + To compile it as a module, choose M here. If unsure, say N.
122 config NETFILTER_XT_TARGET_CLASSIFY
123 tristate '"CLASSIFY" target support'
124 depends on NETFILTER_XTABLES
126 <file:Documentation/kbuild/modules.txt>. The module will be called
127 ipt_CONNMARK.ko. If unsure, say `N'.
129 +config NETFILTER_XT_TARGET_DELUDE
130 + tristate '"DELUDE" target support'
131 + depends on NETFILTER_XTABLES
133 + This option adds a `DELUDE' target.
135 + To compile it as a module, choose M here. If unsure, say N.
137 config NETFILTER_XT_TARGET_DSCP
138 tristate '"DSCP" target support'
139 depends on NETFILTER_XTABLES
142 To compile it as a module, choose M here. If unsure, say N.
144 +config NETFILTER_XT_MATCH_PORTSCAN
145 + tristate '"portscan" match support'
146 + depends on NETFILTER_XTABLES
148 + This option adds a 'portscan' match support.
150 + To compile it as a module, choose M here. If unsure, say N.
152 config NETFILTER_XT_MATCH_MULTIPORT
153 tristate "Multiple port match support"
154 depends on NETFILTER_XTABLES
155 Index: linux-2.6.23/net/netfilter/Makefile
156 ===================================================================
157 --- linux-2.6.23.orig/net/netfilter/Makefile 2007-10-10 04:31:38.000000000 +0800
158 +++ linux-2.6.23/net/netfilter/Makefile 2007-10-10 13:52:59.000000000 +0800
160 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
163 +obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
164 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
165 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
166 +obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
167 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
168 obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
169 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
171 obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
172 obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
173 obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
174 +obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
175 obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
176 obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
177 obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
178 Index: linux-2.6.23/net/netfilter/xt_CHAOS.c
179 ===================================================================
180 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
181 +++ linux-2.6.23/net/netfilter/xt_CHAOS.c 2007-10-10 13:52:59.000000000 +0800
184 + CHAOS target for netfilter
186 + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
187 + This program is free software; you can redistribute it and/or modify
188 + it under the terms of the GNU General Public License version 2 as
189 + published by the Free Software Foundation.
191 +#include <linux/icmp.h>
192 +#include <linux/in.h>
193 +#include <linux/ip.h>
194 +#include <linux/module.h>
195 +#include <linux/skbuff.h>
196 +#include <linux/stat.h>
197 +#include <linux/netfilter/x_tables.h>
198 +#include <linux/netfilter/xt_tcpudp.h>
199 +#include <linux/netfilter_ipv4/ipt_REJECT.h>
201 +#include <linux/netfilter/xt_CHAOS.h>
202 +#include "find_match.c"
203 +#include <linux/netfilter/oot_trans.h>
204 +#define PFX KBUILD_MODNAME ": "
206 +/* Module parameters */
207 +static unsigned int reject_percentage = ~0U * .01;
208 +static unsigned int delude_percentage = ~0U * .0101;
209 +module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
210 +module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
212 +/* References to other matches/targets */
213 +static struct xt_match *xm_tcp;
214 +static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
216 +static int have_delude, have_tarpit;
218 +/* Static data for other matches/targets */
219 +static const struct ipt_reject_info reject_params = {
220 + .with = ICMP_HOST_UNREACH,
223 +static const struct xt_tcp tcp_params = {
228 +/* CHAOS functions */
229 +static void xt_chaos_total(const struct xt_chaos_info *info,
230 + struct sk_buff **pskb, const struct net_device *in,
231 + const struct net_device *out, unsigned int hooknum)
233 + const int protoff = ip_hdrlen(*pskb);
234 + const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET;
235 + const struct xt_target *destiny;
236 + bool hotdrop = false;
239 + ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
240 + offset, protoff, &hotdrop);
241 + if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
244 + destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
245 +#ifdef HAVE_TARGUSERINFO
246 + destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
248 + destiny->target(pskb, in, out, hooknum, destiny, NULL);
253 +static unsigned int xt_chaos_target(struct sk_buff **pskb,
254 + const struct net_device *in, const struct net_device *out,
255 + unsigned int hooknum, const struct xt_target *target, const void *targinfo
256 +#ifdef HAVE_TARGUSERINFO
263 + * -A chaos -m statistic --mode random --probability \
264 + * $reject_percentage -j REJECT --reject-with host-unreach;
265 + * -A chaos -p tcp -m statistic --mode random --probability \
266 + * $delude_percentage -j DELUDE;
267 + * -A chaos -j DROP;
269 + const struct xt_chaos_info *info = targinfo;
271 + if((unsigned int)net_random() <= reject_percentage)
272 +#ifdef HAVE_TARGUSERINFO
273 + return xt_reject->target(pskb, in, out, hooknum, target,
274 + &reject_params, userinfo);
276 + return xt_reject->target(pskb, in, out, hooknum, target,
280 + /* TARPIT/DELUDE may not be called from the OUTPUT chain */
281 + if(ip_hdr(*pskb)->protocol == IPPROTO_TCP &&
282 + info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
283 + xt_chaos_total(info, pskb, in, out, hooknum);
288 +static bool xt_chaos_checkentry(const char *tablename, const void *entry,
289 + const struct xt_target *target, void *targinfo,
290 +#ifdef HAVE_TARGINFOSIZE
291 + unsigned int targinfosize,
293 + unsigned int hook_mask)
295 + const struct xt_chaos_info *info = targinfo;
296 + if(info->variant == XTCHAOS_DELUDE && !have_delude) {
297 + printk(KERN_WARNING PFX "Error: Cannot use --delude when "
298 + "DELUDE module not available\n");
301 + if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
302 + printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
303 + "TARPIT module not available\n");
309 +static struct xt_target xt_chaos_info = {
311 + .target = xt_chaos_target,
312 + .checkentry = xt_chaos_checkentry,
314 + .targetsize = sizeof(struct xt_chaos_info),
315 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
316 + (1 << NF_IP_LOCAL_OUT),
321 +static int __init xt_chaos_init(void)
325 + xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
326 + if(xm_tcp == NULL) {
327 + printk(KERN_WARNING PFX "Error: Could not find or load "
328 + "\"tcp\" match\n");
332 + xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
333 + if(xt_reject == NULL) {
334 + printk(KERN_WARNING PFX "Error: Could not find or load "
335 + "\"REJECT\" target\n");
339 + xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
340 + have_tarpit = xt_tarpit != NULL;
342 + printk(KERN_WARNING PFX "Warning: Could not find or load "
343 + "\"TARPIT\" target\n");
345 + xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
346 + have_delude = xt_delude != NULL;
348 + printk(KERN_WARNING PFX "Warning: Could not find or load "
349 + "\"DELUDE\" target\n");
351 + if((ret = xt_register_target(&xt_chaos_info)) != 0) {
352 + printk(KERN_WARNING PFX "xt_register_target returned "
353 + "error %d\n", ret);
361 + module_put(xt_delude->me);
363 + module_put(xt_tarpit->me);
364 + module_put(xt_reject->me);
366 + module_put(xm_tcp->me);
370 +static void __exit xt_chaos_exit(void)
372 + xt_unregister_target(&xt_chaos_info);
373 + module_put(xm_tcp->me);
374 + module_put(xt_reject->me);
376 + module_put(xt_delude->me);
378 + module_put(xt_tarpit->me);
382 +module_init(xt_chaos_init);
383 +module_exit(xt_chaos_exit);
384 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
385 +MODULE_DESCRIPTION("netfilter CHAOS target");
386 +MODULE_LICENSE("GPL");
387 +MODULE_ALIAS("ipt_CHAOS");
388 Index: linux-2.6.23/net/netfilter/xt_DELUDE.c
389 ===================================================================
390 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
391 +++ linux-2.6.23/net/netfilter/xt_DELUDE.c 2007-10-10 13:52:59.000000000 +0800
395 + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
397 + Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
398 + (C) 1999-2001 Paul `Rusty' Russell
399 + (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
401 + xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
403 + This program is free software; you can redistribute it and/or modify
404 + it under the terms of the GNU General Public License version 2 as
405 + published by the Free Software Foundation.
407 +#include <linux/module.h>
408 +#include <linux/skbuff.h>
409 +#include <linux/ip.h>
410 +#include <linux/random.h>
411 +#include <linux/tcp.h>
412 +#include <linux/udp.h>
413 +#include <linux/icmp.h>
414 +#include <net/icmp.h>
416 +#include <net/tcp.h>
417 +#include <net/route.h>
418 +#include <net/dst.h>
419 +#include <linux/netfilter_ipv4/ip_tables.h>
420 +#ifdef CONFIG_BRIDGE_NETFILTER
421 +# include <linux/netfilter_bridge.h>
423 +#include <linux/netfilter/oot_trans.h>
424 +#define PFX KBUILD_MODNAME ": "
426 +static inline struct rtable *route_reverse(struct sk_buff *skb,
427 + struct tcphdr *tcph, int hook)
429 + struct iphdr *iph = ip_hdr(skb);
430 + struct dst_entry *odst;
431 + struct flowi fl = {};
434 + /* We don't require ip forwarding to be enabled to be able to
435 + * send a RST reply for bridged traffic. */
436 + if (hook != NF_IP_FORWARD
437 +#ifdef CONFIG_BRIDGE_NETFILTER
438 + || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
441 + fl.nl_u.ip4_u.daddr = iph->saddr;
442 + if (hook == NF_IP_LOCAL_IN)
443 + fl.nl_u.ip4_u.saddr = iph->daddr;
444 + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
446 + if (ip_route_output_key(&rt, &fl) != 0)
449 + /* non-local src, find valid iif to satisfy
450 + * rp-filter when calling ip_route_input. */
451 + fl.nl_u.ip4_u.daddr = iph->daddr;
452 + if (ip_route_output_key(&rt, &fl) != 0)
456 + if (ip_route_input(skb, iph->saddr, iph->daddr,
457 + RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
458 + dst_release(&rt->u.dst);
461 + dst_release(&rt->u.dst);
462 + rt = (struct rtable *)skb->dst;
465 + fl.nl_u.ip4_u.daddr = iph->saddr;
466 + fl.nl_u.ip4_u.saddr = iph->daddr;
467 + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
470 + if (rt->u.dst.error) {
471 + dst_release(&rt->u.dst);
475 + fl.proto = IPPROTO_TCP;
476 + fl.fl_ip_sport = tcph->dest;
477 + fl.fl_ip_dport = tcph->source;
479 + xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
484 +static void send_reset(struct sk_buff *oldskb, int hook)
486 + struct sk_buff *nskb;
487 + struct iphdr *iph = ip_hdr(oldskb);
488 + struct tcphdr _otcph, *oth, *tcph;
492 + unsigned int addr_type;
494 + /* IP header checks: fragment. */
495 + if (iph->frag_off & htons(IP_OFFSET))
498 + oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
499 + sizeof(_otcph), &_otcph);
503 + /* No RST for RST. */
507 + /* Check checksum */
508 + if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
511 + /* We need a linear, writeable skb. We also need to expand
512 + headroom in case hh_len of incoming interface < hh_len of
513 + outgoing interface */
514 + nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
519 + /* This packet will not be the same as the other: clear nf fields */
522 + skb_init_secmark(nskb);
524 + skb_shinfo(nskb)->gso_size = 0;
525 + skb_shinfo(nskb)->gso_segs = 0;
526 + skb_shinfo(nskb)->gso_type = 0;
528 + tcph = tcp_hdr(nskb);
530 + /* Swap source and dest */
531 + tmp_addr = ip_hdr(nskb)->saddr;
532 + ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
533 + ip_hdr(nskb)->daddr = tmp_addr;
534 + tmp_port = tcph->source;
535 + tcph->source = tcph->dest;
536 + tcph->dest = tmp_port;
538 + /* Truncate to length (no data) */
539 + tcph->doff = sizeof(struct tcphdr)/4;
540 + skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
541 + ip_hdr(nskb)->tot_len = htons(nskb->len);
543 + if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
544 + /* DELUDE essential part */
545 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
546 + oldskb->len - ip_hdrlen(oldskb) -
548 + tcph->seq = htonl(secure_tcp_sequence_number(
549 + ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
550 + tcph->source, tcph->dest));
555 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
556 + + oldskb->len - ip_hdrlen(oldskb)
561 + tcph->seq = oth->ack_seq;
566 + ((u_int8_t *)tcph)[13] = 0;
568 + tcph->ack = needs_ack;
575 + /* Adjust TCP checksum */
577 + tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
578 + ip_hdr(nskb)->saddr,
579 + ip_hdr(nskb)->daddr,
580 + csum_partial((char *)tcph,
581 + sizeof(struct tcphdr), 0));
583 + /* Set DF, id = 0 */
584 + ip_hdr(nskb)->frag_off = htons(IP_DF);
585 + ip_hdr(nskb)->id = 0;
587 + addr_type = RTN_UNSPEC;
588 + if (hook != NF_IP_FORWARD
589 +#ifdef CONFIG_BRIDGE_NETFILTER
590 + || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
593 + addr_type = RTN_LOCAL;
595 + if (ip_route_me_harder(&nskb, addr_type))
598 + nskb->ip_summed = CHECKSUM_NONE;
600 + /* Adjust IP TTL */
601 + ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
603 + /* Adjust IP checksum */
604 + ip_hdr(nskb)->check = 0;
605 + ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
606 + ip_hdr(nskb)->ihl);
608 + /* "Never happens" */
609 + if (nskb->len > dst_mtu(nskb->dst))
612 + nf_ct_attach(nskb, oldskb);
614 + NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
622 +static unsigned int xt_delude_target(struct sk_buff **pskb,
623 + const struct net_device *in, const struct net_device *out,
624 + unsigned int hooknum, const struct xt_target *target, const void *targinfo
625 +#ifdef HAVE_TARGUSERINFO
631 + /* WARNING: This code causes reentry within iptables.
632 + This means that the iptables jump stack is now crap. We
633 + must return an absolute verdict. --RR */
634 + send_reset(*pskb, hooknum);
638 +static bool xt_delude_check(const char *tablename, const void *e_void,
639 + const struct xt_target *target, void *targinfo,
640 +#ifdef HAVE_TARGINFOSIZE
641 + unsigned int targinfosize,
643 + unsigned int hook_mask)
645 + if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
646 + printk(KERN_WARNING PFX "DELUDE may not be used in chains "
647 + "other than INPUT and FORWARD\n");
653 +static struct xt_target xt_delude_info = {
655 + .target = xt_delude_target,
656 + .checkentry = xt_delude_check,
658 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
659 + (1 << NF_IP_LOCAL_OUT),
660 + .proto = IPPROTO_TCP,
665 +static int __init xt_delude_init(void)
667 + return xt_register_target(&xt_delude_info);
670 +static void __exit xt_delude_exit(void)
672 + xt_unregister_target(&xt_delude_info);
675 +module_init(xt_delude_init);
676 +module_exit(xt_delude_exit);
677 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
678 +MODULE_DESCRIPTION("netfilter DELUDE target");
679 +MODULE_LICENSE("GPL");
680 +MODULE_ALIAS("ipt_DELUDE");
681 Index: linux-2.6.23/net/netfilter/xt_portscan.c
682 ===================================================================
683 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
684 +++ linux-2.6.23/net/netfilter/xt_portscan.c 2007-10-10 13:52:59.000000000 +0800
687 + portscan match for netfilter
689 + Written by Jan Engelhardt, 2006 - 2007
690 + This program is free software; you can redistribute it and/or modify
691 + it under the terms of the GNU General Public License version 2 as
692 + published by the Free Software Foundation.
694 +#include <linux/in.h>
695 +#include <linux/ip.h>
696 +#include <linux/module.h>
697 +#include <linux/moduleparam.h>
698 +#include <linux/skbuff.h>
699 +#include <linux/stat.h>
700 +#include <linux/tcp.h>
701 +#include <linux/types.h>
702 +#include <linux/version.h>
703 +#include <linux/netfilter/x_tables.h>
704 +#include <linux/netfilter/xt_tcpudp.h>
705 +#include <linux/netfilter/oot_conntrack.h>
706 +#include <linux/netfilter/xt_portscan.h>
707 +#include <linux/netfilter/oot_trans.h>
708 +#define PFX KBUILD_MODNAME ": "
711 + TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
712 + TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
713 + TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
716 +/* Module parameters */
718 + connmark_mask = ~0,
723 + mark_synscan = 0x3,
730 +module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
731 +module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
732 +module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
733 +module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
734 +module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
735 +module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
736 +module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
737 +module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
738 +module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
739 +module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
740 +module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
741 +MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
742 +MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
743 +MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
744 +MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
745 +MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
746 +MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
747 +MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
748 +MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
749 +MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
750 +MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
751 +MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
753 +/* TCP flag functions */
754 +static inline int tflg_ack4(const struct tcphdr *th)
756 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
759 +static inline int tflg_ack6(const struct tcphdr *th)
761 + return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
764 +static inline int tflg_fin(const struct tcphdr *th)
766 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
769 +static inline int tflg_rst(const struct tcphdr *th)
771 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
774 +static inline int tflg_rstack(const struct tcphdr *th)
776 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
777 + (TCP_FLAG_ACK | TCP_FLAG_RST);
780 +static inline int tflg_syn(const struct tcphdr *th)
782 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
785 +static inline int tflg_synack(const struct tcphdr *th)
787 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
788 + (TCP_FLAG_SYN | TCP_FLAG_ACK);
791 +/* portscan functions */
792 +static inline int xt_portscan_stealth(const struct tcphdr *th)
795 + * "Connection refused" replies to our own probes must not be matched.
797 + if(tflg_rstack(th))
800 + if(tflg_rst(th) && printk_ratelimit()) {
801 + printk(KERN_WARNING PFX "Warning: Pure RST received\n");
806 + * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
807 + * packets that are not associated with any connection -- this will
808 + * match most scan types (NULL, XMAS, FIN) and ridiculous flag
809 + * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
811 + return !tflg_syn(th);
814 +static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
815 + int loopback, const struct tcphdr *tcph, int payload_len)
817 + if(mark == mark_estab2) {
819 + * -m connmark --mark $ESTAB2
821 + if(tflg_ack4(tcph) && payload_len == 0)
822 + return mark; /* keep mark */
823 + else if(tflg_rst(tcph) || tflg_fin(tcph))
824 + return mark_grscan;
827 + } else if(mark == mark_estab1) {
829 + * -m connmark --mark $ESTAB1
831 + if(tflg_rst(tcph) || tflg_fin(tcph))
832 + return mark_cnscan;
833 + else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
834 + return mark_estab2;
837 + } else if(mark == mark_synrcv) {
839 + * -m connmark --mark $SYN
841 + if(loopback && tflg_synack(tcph))
842 + return mark; /* keep mark */
843 + else if(loopback && tflg_rstack(tcph))
844 + return mark_closed;
845 + else if(tflg_ack6(tcph))
846 + return mark_estab1;
848 + return mark_synscan;
849 + } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
851 + * -p tcp --syn --ctstate NEW
853 + return mark_synrcv;
858 +static bool xt_portscan_match(const struct sk_buff *skb,
859 + const struct net_device *in, const struct net_device *out,
860 + const struct xt_match *match, const void *matchinfo, int offset,
861 + unsigned int protoff, bool *hotdrop)
863 + const struct xt_portscan_info *info = matchinfo;
864 + enum ip_conntrack_info ctstate;
865 + struct nf_conn *ctdata;
866 + const struct tcphdr *tcph;
867 + struct tcphdr tcph_buf;
869 + tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
873 + /* Check for invalid packets: -m conntrack --ctstate INVALID */
874 + if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
875 + if(info->match_stealth)
876 + return xt_portscan_stealth(tcph);
878 + * If @ctdata is NULL, we cannot match the other scan
885 + * If -m portscan was previously applied to this packet, the rules we
886 + * simulate must not be run through again. And for speedup, do not call
887 + * it either when the connection is already VALID.
889 + if((ctdata->mark & connmark_mask) == mark_valid ||
890 + (skb->nfmark & packet_mask) != mark_seen)
893 + n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
894 + in == &loopback_dev, tcph,
895 + skb->len - protoff - 4 * tcph->doff);
897 + ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
898 + ((struct sk_buff *)skb)->nfmark =
899 + (skb->nfmark & ~packet_mask) | mark_seen;
902 + return (info->match_syn && ctdata->mark == mark_synscan) ||
903 + (info->match_cn && ctdata->mark == mark_cnscan) ||
904 + (info->match_gr && ctdata->mark == mark_grscan);
907 +static bool xt_portscan_checkentry(const char *tablename, const void *entry,
908 + const struct xt_match *match, void *matchinfo,
909 +#ifdef HAVE_MATCHINFOSIZE
910 + unsigned int matchinfosize,
912 + unsigned int hook_mask)
914 + const struct xt_portscan_info *info = matchinfo;
915 +#ifdef HAVE_MATCHINFOSIZE
916 + if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
917 + printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
919 + XT_ALIGN(sizeof(struct xt_portscan_info)));
923 + if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
924 + (info->match_cn & ~1) || (info->match_gr & ~1)) {
925 + printk(KERN_WARNING PFX "Invalid flags\n");
931 +static struct xt_match xt_portscan = {
932 + .name = "portscan",
933 + .match = xt_portscan_match,
934 + .checkentry = xt_portscan_checkentry,
935 + .matchsize = sizeof(struct xt_portscan_info),
936 + .proto = IPPROTO_TCP,
941 +static int __init xt_portscan_init(void)
943 + return xt_register_match(&xt_portscan);
946 +static void __exit xt_portscan_exit(void)
948 + xt_unregister_match(&xt_portscan);
952 +module_init(xt_portscan_init);
953 +module_exit(xt_portscan_exit);
954 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
955 +MODULE_DESCRIPTION("netfilter portscan match module");
956 +MODULE_LICENSE("GPL");
957 +MODULE_ALIAS("ipt_portscan");
958 Index: linux-2.6.23/drivers/char/random.c
959 ===================================================================
960 --- linux-2.6.23.orig/drivers/char/random.c 2007-10-10 04:31:38.000000000 +0800
961 +++ linux-2.6.23/drivers/char/random.c 2007-10-10 13:52:59.000000000 +0800
962 @@ -1564,6 +1564,8 @@
966 +EXPORT_SYMBOL(secure_tcp_sequence_number);
968 /* Generate secure starting point for ephemeral IPV4 transport port search */
969 u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
projects / openwrt / svn-archive / archive.git / blob