ef34ae4793a9dea3f6aeb6790aee33b8f1bd31a2
[openwrt/svn-archive/archive.git] / target / linux / generic-2.6 / patches-2.6.23 / 170-netfilter_chaostables.patch
1 Index: linux-2.6.23-rc6/include/linux/netfilter/oot_conntrack.h
2 ===================================================================
3 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
4 +++ linux-2.6.23-rc6/include/linux/netfilter/oot_conntrack.h 2007-09-21 16:24:03.000000000 +0800
5 @@ -0,0 +1,5 @@
6 +#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
7 +# include <linux/netfilter_ipv4/ip_conntrack.h>
8 +#else /* linux-2.6.20+ */
9 +# include <net/netfilter/nf_nat_rule.h>
10 +#endif
11 Index: linux-2.6.23-rc6/include/linux/netfilter/oot_trans.h
12 ===================================================================
13 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
14 +++ linux-2.6.23-rc6/include/linux/netfilter/oot_trans.h 2007-09-21 16:24:03.000000000 +0800
15 @@ -0,0 +1,14 @@
16 +/* Out of tree workarounds */
17 +#include <linux/version.h>
18 +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
19 +# define HAVE_MATCHINFOSIZE 1
20 +# define HAVE_TARGUSERINFO 1
21 +# define HAVE_TARGINFOSIZE 1
22 +#endif
23 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
24 +# define nfmark mark
25 +#endif
26 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
27 +# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
28 + tcp_v4_check((tcph_sz), (s), (d), (csp))
29 +#endif
30 Index: linux-2.6.23-rc6/include/linux/netfilter/xt_CHAOS.h
31 ===================================================================
32 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
33 +++ linux-2.6.23-rc6/include/linux/netfilter/xt_CHAOS.h 2007-09-21 16:24:03.000000000 +0800
34 @@ -0,0 +1,14 @@
35 +#ifndef _LINUX_XT_CHAOS_H
36 +#define _LINUX_XT_CHAOS_H 1
37 +
38 +enum xt_chaos_variant {
39 + XTCHAOS_NORMAL,
40 + XTCHAOS_TARPIT,
41 + XTCHAOS_DELUDE,
42 +};
43 +
44 +struct xt_chaos_info {
45 + enum xt_chaos_variant variant;
46 +};
47 +
48 +#endif /* _LINUX_XT_CHAOS_H */
49 Index: linux-2.6.23-rc6/include/linux/netfilter/xt_portscan.h
50 ===================================================================
51 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
52 +++ linux-2.6.23-rc6/include/linux/netfilter/xt_portscan.h 2007-09-21 16:24:03.000000000 +0800
53 @@ -0,0 +1,8 @@
54 +#ifndef _LINUX_XT_PORTSCAN_H
55 +#define _LINUX_XT_PORTSCAN_H 1
56 +
57 +struct xt_portscan_info {
58 + unsigned int match_stealth, match_syn, match_cn, match_gr;
59 +};
60 +
61 +#endif /* _LINUX_XT_PORTSCAN_H */
62 Index: linux-2.6.23-rc6/net/netfilter/find_match.c
63 ===================================================================
64 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
65 +++ linux-2.6.23-rc6/net/netfilter/find_match.c 2007-09-21 16:24:03.000000000 +0800
66 @@ -0,0 +1,39 @@
67 +/*
68 + xt_request_find_match
69 + by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
70 +
71 + Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
72 + Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
73 + This program is free software; you can redistribute it and/or modify
74 + it under the terms of the GNU General Public License version 2 as
75 + published by the Free Software Foundation.
76 +*/
77 +#include <linux/err.h>
78 +#include <linux/netfilter_arp.h>
79 +#include <linux/socket.h>
80 +#include <linux/netfilter/x_tables.h>
81 +
82 +/*
83 + * Yeah this code is sub-optimal, but the function is missing in
84 + * mainline so far. -jengelh
85 + */
86 +static struct xt_match *xt_request_find_match_lo(int af, const char *name,
87 + u8 revision)
88 +{
89 + static const char *const xt_prefix[] = {
90 + [AF_INET] = "ip",
91 + [AF_INET6] = "ip6",
92 + [NF_ARP] = "arp",
93 + };
94 + struct xt_match *match;
95 +
96 + match = try_then_request_module(xt_find_match(af, name, revision),
97 + "%st_%s", xt_prefix[af], name);
98 + if(IS_ERR(match) || match == NULL)
99 + return NULL;
100 +
101 + return match;
102 +}
103 +
104 +/* In case it goes into mainline, let this out-of-tree package compile */
105 +#define xt_request_find_match xt_request_find_match_lo
106 Index: linux-2.6.23-rc6/net/netfilter/Kconfig
107 ===================================================================
108 --- linux-2.6.23-rc6.orig/net/netfilter/Kconfig 2007-09-21 16:23:53.000000000 +0800
109 +++ linux-2.6.23-rc6/net/netfilter/Kconfig 2007-09-21 16:24:03.000000000 +0800
110 @@ -265,6 +265,14 @@
111
112 # alphabetically ordered list of targets
113
114 +config NETFILTER_XT_TARGET_CHAOS
115 + tristate '"CHAOS" target support'
116 + depends on NETFILTER_XTABLES
117 + help
118 + This option adds a `CHAOS' target.
119 +
120 + To compile it as a module, choose M here. If unsure, say N.
121 +
122 config NETFILTER_XT_TARGET_CLASSIFY
123 tristate '"CLASSIFY" target support'
124 depends on NETFILTER_XTABLES
125 @@ -292,6 +300,14 @@
126 <file:Documentation/kbuild/modules.txt>. The module will be called
127 ipt_CONNMARK.ko. If unsure, say `N'.
128
129 +config NETFILTER_XT_TARGET_DELUDE
130 + tristate '"DELUDE" target support'
131 + depends on NETFILTER_XTABLES
132 + help
133 + This option adds a `DELUDE' target.
134 +
135 + To compile it as a module, choose M here. If unsure, say N.
136 +
137 config NETFILTER_XT_TARGET_DSCP
138 tristate '"DSCP" target support'
139 depends on NETFILTER_XTABLES
140 @@ -556,6 +572,14 @@
141
142 To compile it as a module, choose M here. If unsure, say N.
143
144 +config NETFILTER_XT_MATCH_PORTSCAN
145 + tristate '"portscan" match support'
146 + depends on NETFILTER_XTABLES
147 + help
148 + This option adds a 'portscan' match support.
149 +
150 + To compile it as a module, choose M here. If unsure, say N.
151 +
152 config NETFILTER_XT_MATCH_MULTIPORT
153 tristate "Multiple port match support"
154 depends on NETFILTER_XTABLES
155 Index: linux-2.6.23-rc6/net/netfilter/Makefile
156 ===================================================================
157 --- linux-2.6.23-rc6.orig/net/netfilter/Makefile 2007-09-21 16:23:53.000000000 +0800
158 +++ linux-2.6.23-rc6/net/netfilter/Makefile 2007-09-21 16:24:03.000000000 +0800
159 @@ -38,8 +38,10 @@
160 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
161
162 # targets
163 +obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
164 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
165 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
166 +obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
167 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
168 obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
169 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
170 @@ -66,6 +68,7 @@
171 obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
172 obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
173 obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
174 +obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
175 obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
176 obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
177 obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
178 Index: linux-2.6.23-rc6/net/netfilter/xt_CHAOS.c
179 ===================================================================
180 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
181 +++ linux-2.6.23-rc6/net/netfilter/xt_CHAOS.c 2007-09-21 16:24:03.000000000 +0800
182 @@ -0,0 +1,204 @@
183 +/*
184 + CHAOS target for netfilter
185 +
186 + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
187 + This program is free software; you can redistribute it and/or modify
188 + it under the terms of the GNU General Public License version 2 as
189 + published by the Free Software Foundation.
190 +*/
191 +#include <linux/icmp.h>
192 +#include <linux/in.h>
193 +#include <linux/ip.h>
194 +#include <linux/module.h>
195 +#include <linux/skbuff.h>
196 +#include <linux/stat.h>
197 +#include <linux/netfilter/x_tables.h>
198 +#include <linux/netfilter/xt_tcpudp.h>
199 +#include <linux/netfilter_ipv4/ipt_REJECT.h>
200 +#include <net/ip.h>
201 +#include <linux/netfilter/xt_CHAOS.h>
202 +#include "find_match.c"
203 +#include <linux/netfilter/oot_trans.h>
204 +#define PFX KBUILD_MODNAME ": "
205 +
206 +/* Module parameters */
207 +static unsigned int reject_percentage = ~0U * .01;
208 +static unsigned int delude_percentage = ~0U * .0101;
209 +module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
210 +module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
211 +
212 +/* References to other matches/targets */
213 +static struct xt_match *xm_tcp;
214 +static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
215 +
216 +static int have_delude, have_tarpit;
217 +
218 +/* Static data for other matches/targets */
219 +static const struct ipt_reject_info reject_params = {
220 + .with = ICMP_HOST_UNREACH,
221 +};
222 +
223 +static const struct xt_tcp tcp_params = {
224 + .spts = {0, ~0},
225 + .dpts = {0, ~0},
226 +};
227 +
228 +/* CHAOS functions */
229 +static void xt_chaos_total(const struct xt_chaos_info *info,
230 + struct sk_buff **pskb, const struct net_device *in,
231 + const struct net_device *out, unsigned int hooknum)
232 +{
233 + const int protoff = ip_hdrlen(*pskb);
234 + const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET;
235 + const struct xt_target *destiny;
236 + int hotdrop = 0, ret;
237 +
238 + ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
239 + offset, protoff, &hotdrop);
240 + if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
241 + return;
242 +
243 + destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
244 +#ifdef HAVE_TARGUSERINFO
245 + destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
246 +#else
247 + destiny->target(pskb, in, out, hooknum, destiny, NULL);
248 +#endif
249 + return;
250 +}
251 +
252 +static unsigned int xt_chaos_target(struct sk_buff **pskb,
253 + const struct net_device *in, const struct net_device *out,
254 + unsigned int hooknum, const struct xt_target *target, const void *targinfo
255 +#ifdef HAVE_TARGUSERINFO
256 + ,
257 + void *userinfo
258 +#endif
259 + )
260 +{
261 + /* Equivalent to:
262 + * -A chaos -m statistic --mode random --probability \
263 + * $reject_percentage -j REJECT --reject-with host-unreach;
264 + * -A chaos -p tcp -m statistic --mode random --probability \
265 + * $delude_percentage -j DELUDE;
266 + * -A chaos -j DROP;
267 + */
268 + const struct xt_chaos_info *info = targinfo;
269 +
270 + if((unsigned int)net_random() <= reject_percentage)
271 +#ifdef HAVE_TARGUSERINFO
272 + return xt_reject->target(pskb, in, out, hooknum, target,
273 + &reject_params, userinfo);
274 +#else
275 + return xt_reject->target(pskb, in, out, hooknum, target,
276 + &reject_params);
277 +#endif
278 +
279 + /* TARPIT/DELUDE may not be called from the OUTPUT chain */
280 + if(ip_hdr(*pskb)->protocol == IPPROTO_TCP &&
281 + info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
282 + xt_chaos_total(info, pskb, in, out, hooknum);
283 +
284 + return NF_DROP;
285 +}
286 +
287 +static int xt_chaos_checkentry(const char *tablename, const void *entry,
288 + const struct xt_target *target, void *targinfo,
289 +#ifdef HAVE_TARGINFOSIZE
290 + unsigned int targinfosize,
291 +#endif
292 + unsigned int hook_mask)
293 +{
294 + const struct xt_chaos_info *info = targinfo;
295 + if(info->variant == XTCHAOS_DELUDE && !have_delude) {
296 + printk(KERN_WARNING PFX "Error: Cannot use --delude when "
297 + "DELUDE module not available\n");
298 + return 0;
299 + }
300 + if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
301 + printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
302 + "TARPIT module not available\n");
303 + return 0;
304 + }
305 + return 1;
306 +}
307 +
308 +static struct xt_target xt_chaos_info = {
309 + .name = "CHAOS",
310 + .target = xt_chaos_target,
311 + .checkentry = xt_chaos_checkentry,
312 + .table = "filter",
313 + .targetsize = sizeof(struct xt_chaos_info),
314 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
315 + (1 << NF_IP_LOCAL_OUT),
316 + .family = AF_INET,
317 + .me = THIS_MODULE,
318 +};
319 +
320 +static int __init xt_chaos_init(void)
321 +{
322 + int ret = -EINVAL;
323 +
324 + xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
325 + if(xm_tcp == NULL) {
326 + printk(KERN_WARNING PFX "Error: Could not find or load "
327 + "\"tcp\" match\n");
328 + return -EINVAL;
329 + }
330 +
331 + xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
332 + if(xt_reject == NULL) {
333 + printk(KERN_WARNING PFX "Error: Could not find or load "
334 + "\"REJECT\" target\n");
335 + goto out2;
336 + }
337 +
338 + xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
339 + have_tarpit = xt_tarpit != NULL;
340 + if(!have_tarpit)
341 + printk(KERN_WARNING PFX "Warning: Could not find or load "
342 + "\"TARPIT\" target\n");
343 +
344 + xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
345 + have_delude = xt_delude != NULL;
346 + if(!have_delude)
347 + printk(KERN_WARNING PFX "Warning: Could not find or load "
348 + "\"DELUDE\" target\n");
349 +
350 + if((ret = xt_register_target(&xt_chaos_info)) != 0) {
351 + printk(KERN_WARNING PFX "xt_register_target returned "
352 + "error %d\n", ret);
353 + goto out3;
354 + }
355 +
356 + return 0;
357 +
358 + out3:
359 + if(have_delude)
360 + module_put(xt_delude->me);
361 + if(have_tarpit)
362 + module_put(xt_tarpit->me);
363 + module_put(xt_reject->me);
364 + out2:
365 + module_put(xm_tcp->me);
366 + return ret;
367 +}
368 +
369 +static void __exit xt_chaos_exit(void)
370 +{
371 + xt_unregister_target(&xt_chaos_info);
372 + module_put(xm_tcp->me);
373 + module_put(xt_reject->me);
374 + if(have_delude)
375 + module_put(xt_delude->me);
376 + if(have_tarpit)
377 + module_put(xt_tarpit->me);
378 + return;
379 +}
380 +
381 +module_init(xt_chaos_init);
382 +module_exit(xt_chaos_exit);
383 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
384 +MODULE_DESCRIPTION("netfilter CHAOS target");
385 +MODULE_LICENSE("GPL");
386 +MODULE_ALIAS("ipt_CHAOS");
387 Index: linux-2.6.23-rc6/net/netfilter/xt_DELUDE.c
388 ===================================================================
389 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
390 +++ linux-2.6.23-rc6/net/netfilter/xt_DELUDE.c 2007-09-21 16:24:03.000000000 +0800
391 @@ -0,0 +1,288 @@
392 +/*
393 + DELUDE target
394 + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
395 +
396 + Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
397 + (C) 1999-2001 Paul `Rusty' Russell
398 + (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
399 +
400 + xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
401 +
402 + This program is free software; you can redistribute it and/or modify
403 + it under the terms of the GNU General Public License version 2 as
404 + published by the Free Software Foundation.
405 +*/
406 +#include <linux/module.h>
407 +#include <linux/skbuff.h>
408 +#include <linux/ip.h>
409 +#include <linux/random.h>
410 +#include <linux/tcp.h>
411 +#include <linux/udp.h>
412 +#include <linux/icmp.h>
413 +#include <net/icmp.h>
414 +#include <net/ip.h>
415 +#include <net/tcp.h>
416 +#include <net/route.h>
417 +#include <net/dst.h>
418 +#include <linux/netfilter_ipv4/ip_tables.h>
419 +#ifdef CONFIG_BRIDGE_NETFILTER
420 +# include <linux/netfilter_bridge.h>
421 +#endif
422 +#include <linux/netfilter/oot_trans.h>
423 +#define PFX KBUILD_MODNAME ": "
424 +
425 +static inline struct rtable *route_reverse(struct sk_buff *skb,
426 + struct tcphdr *tcph, int hook)
427 +{
428 + struct iphdr *iph = ip_hdr(skb);
429 + struct dst_entry *odst;
430 + struct flowi fl = {};
431 + struct rtable *rt;
432 +
433 + /* We don't require ip forwarding to be enabled to be able to
434 + * send a RST reply for bridged traffic. */
435 + if (hook != NF_IP_FORWARD
436 +#ifdef CONFIG_BRIDGE_NETFILTER
437 + || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
438 +#endif
439 + ) {
440 + fl.nl_u.ip4_u.daddr = iph->saddr;
441 + if (hook == NF_IP_LOCAL_IN)
442 + fl.nl_u.ip4_u.saddr = iph->daddr;
443 + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
444 +
445 + if (ip_route_output_key(&rt, &fl) != 0)
446 + return NULL;
447 + } else {
448 + /* non-local src, find valid iif to satisfy
449 + * rp-filter when calling ip_route_input. */
450 + fl.nl_u.ip4_u.daddr = iph->daddr;
451 + if (ip_route_output_key(&rt, &fl) != 0)
452 + return NULL;
453 +
454 + odst = skb->dst;
455 + if (ip_route_input(skb, iph->saddr, iph->daddr,
456 + RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
457 + dst_release(&rt->u.dst);
458 + return NULL;
459 + }
460 + dst_release(&rt->u.dst);
461 + rt = (struct rtable *)skb->dst;
462 + skb->dst = odst;
463 +
464 + fl.nl_u.ip4_u.daddr = iph->saddr;
465 + fl.nl_u.ip4_u.saddr = iph->daddr;
466 + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
467 + }
468 +
469 + if (rt->u.dst.error) {
470 + dst_release(&rt->u.dst);
471 + return NULL;
472 + }
473 +
474 + fl.proto = IPPROTO_TCP;
475 + fl.fl_ip_sport = tcph->dest;
476 + fl.fl_ip_dport = tcph->source;
477 +
478 + xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
479 +
480 + return rt;
481 +}
482 +
483 +static void send_reset(struct sk_buff *oldskb, int hook)
484 +{
485 + struct sk_buff *nskb;
486 + struct iphdr *iph = ip_hdr(oldskb);
487 + struct tcphdr _otcph, *oth, *tcph;
488 + __be16 tmp_port;
489 + __be32 tmp_addr;
490 + int needs_ack;
491 + unsigned int addr_type;
492 +
493 + /* IP header checks: fragment. */
494 + if (iph->frag_off & htons(IP_OFFSET))
495 + return;
496 +
497 + oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
498 + sizeof(_otcph), &_otcph);
499 + if (oth == NULL)
500 + return;
501 +
502 + /* No RST for RST. */
503 + if (oth->rst)
504 + return;
505 +
506 + /* Check checksum */
507 + if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
508 + return;
509 +
510 + /* We need a linear, writeable skb. We also need to expand
511 + headroom in case hh_len of incoming interface < hh_len of
512 + outgoing interface */
513 + nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
514 + GFP_ATOMIC);
515 + if (!nskb)
516 + return;
517 +
518 + /* This packet will not be the same as the other: clear nf fields */
519 + nf_reset(nskb);
520 + nskb->nfmark = 0;
521 + skb_init_secmark(nskb);
522 +
523 + skb_shinfo(nskb)->gso_size = 0;
524 + skb_shinfo(nskb)->gso_segs = 0;
525 + skb_shinfo(nskb)->gso_type = 0;
526 +
527 + tcph = tcp_hdr(nskb);
528 +
529 + /* Swap source and dest */
530 + tmp_addr = ip_hdr(nskb)->saddr;
531 + ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
532 + ip_hdr(nskb)->daddr = tmp_addr;
533 + tmp_port = tcph->source;
534 + tcph->source = tcph->dest;
535 + tcph->dest = tmp_port;
536 +
537 + /* Truncate to length (no data) */
538 + tcph->doff = sizeof(struct tcphdr)/4;
539 + skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
540 + ip_hdr(nskb)->tot_len = htons(nskb->len);
541 +
542 + if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
543 + /* DELUDE essential part */
544 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
545 + oldskb->len - ip_hdrlen(oldskb) -
546 + (oth->doff << 2));
547 + tcph->seq = htonl(secure_tcp_sequence_number(
548 + ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
549 + tcph->source, tcph->dest));
550 + tcph->ack = 1;
551 + } else {
552 + if(!tcph->ack) {
553 + needs_ack = 1;
554 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
555 + + oldskb->len - ip_hdrlen(oldskb)
556 + - (oth->doff<<2));
557 + tcph->seq = 0;
558 + } else {
559 + needs_ack = 0;
560 + tcph->seq = oth->ack_seq;
561 + tcph->ack_seq = 0;
562 + }
563 +
564 + /* Reset flags */
565 + ((u_int8_t *)tcph)[13] = 0;
566 + tcph->rst = 1;
567 + tcph->ack = needs_ack;
568 + }
569 +
570 +
571 + tcph->window = 0;
572 + tcph->urg_ptr = 0;
573 +
574 + /* Adjust TCP checksum */
575 + tcph->check = 0;
576 + tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
577 + ip_hdr(nskb)->saddr,
578 + ip_hdr(nskb)->daddr,
579 + csum_partial((char *)tcph,
580 + sizeof(struct tcphdr), 0));
581 +
582 + /* Set DF, id = 0 */
583 + ip_hdr(nskb)->frag_off = htons(IP_DF);
584 + ip_hdr(nskb)->id = 0;
585 +
586 + addr_type = RTN_UNSPEC;
587 + if (hook != NF_IP_FORWARD
588 +#ifdef CONFIG_BRIDGE_NETFILTER
589 + || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
590 +#endif
591 + )
592 + addr_type = RTN_LOCAL;
593 +
594 + if (ip_route_me_harder(&nskb, addr_type))
595 + goto free_nskb;
596 +
597 + nskb->ip_summed = CHECKSUM_NONE;
598 +
599 + /* Adjust IP TTL */
600 + ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
601 +
602 + /* Adjust IP checksum */
603 + ip_hdr(nskb)->check = 0;
604 + ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
605 + ip_hdr(nskb)->ihl);
606 +
607 + /* "Never happens" */
608 + if (nskb->len > dst_mtu(nskb->dst))
609 + goto free_nskb;
610 +
611 + nf_ct_attach(nskb, oldskb);
612 +
613 + NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
614 + dst_output);
615 + return;
616 +
617 + free_nskb:
618 + kfree_skb(nskb);
619 +}
620 +
621 +static unsigned int xt_delude_target(struct sk_buff **pskb,
622 + const struct net_device *in, const struct net_device *out,
623 + unsigned int hooknum, const struct xt_target *target, const void *targinfo
624 +#ifdef HAVE_TARGUSERINFO
625 + ,
626 + void *userinfo
627 +#endif
628 + )
629 +{
630 + /* WARNING: This code causes reentry within iptables.
631 + This means that the iptables jump stack is now crap. We
632 + must return an absolute verdict. --RR */
633 + send_reset(*pskb, hooknum);
634 + return NF_DROP;
635 +}
636 +
637 +static int xt_delude_check(const char *tablename, const void *e_void,
638 + const struct xt_target *target, void *targinfo,
639 +#ifdef HAVE_TARGINFOSIZE
640 + unsigned int targinfosize,
641 +#endif
642 + unsigned int hook_mask)
643 +{
644 + if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
645 + printk(KERN_WARNING PFX "DELUDE may not be used in chains "
646 + "other than INPUT and FORWARD\n");
647 + return 0;
648 + }
649 + return 1;
650 +}
651 +
652 +static struct xt_target xt_delude_info = {
653 + .name = "DELUDE",
654 + .target = xt_delude_target,
655 + .checkentry = xt_delude_check,
656 + .table = "filter",
657 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
658 + (1 << NF_IP_LOCAL_OUT),
659 + .proto = IPPROTO_TCP,
660 + .family = AF_INET,
661 + .me = THIS_MODULE,
662 +};
663 +
664 +static int __init xt_delude_init(void)
665 +{
666 + return xt_register_target(&xt_delude_info);
667 +}
668 +
669 +static void __exit xt_delude_exit(void)
670 +{
671 + xt_unregister_target(&xt_delude_info);
672 +}
673 +
674 +module_init(xt_delude_init);
675 +module_exit(xt_delude_exit);
676 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
677 +MODULE_DESCRIPTION("netfilter DELUDE target");
678 +MODULE_LICENSE("GPL");
679 +MODULE_ALIAS("ipt_DELUDE");
680 Index: linux-2.6.23-rc6/net/netfilter/xt_portscan.c
681 ===================================================================
682 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
683 +++ linux-2.6.23-rc6/net/netfilter/xt_portscan.c 2007-09-21 16:24:03.000000000 +0800
684 @@ -0,0 +1,272 @@
685 +/*
686 + portscan match for netfilter
687 +
688 + Written by Jan Engelhardt, 2006 - 2007
689 + This program is free software; you can redistribute it and/or modify
690 + it under the terms of the GNU General Public License version 2 as
691 + published by the Free Software Foundation.
692 +*/
693 +#include <linux/in.h>
694 +#include <linux/ip.h>
695 +#include <linux/module.h>
696 +#include <linux/moduleparam.h>
697 +#include <linux/skbuff.h>
698 +#include <linux/stat.h>
699 +#include <linux/tcp.h>
700 +#include <linux/types.h>
701 +#include <linux/version.h>
702 +#include <linux/netfilter/x_tables.h>
703 +#include <linux/netfilter/xt_tcpudp.h>
704 +#include <linux/netfilter/oot_conntrack.h>
705 +#include <linux/netfilter/xt_portscan.h>
706 +#include <linux/netfilter/oot_trans.h>
707 +#define PFX KBUILD_MODNAME ": "
708 +
709 +enum {
710 + TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
711 + TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
712 + TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
713 +};
714 +
715 +/* Module parameters */
716 +static unsigned int
717 + connmark_mask = ~0,
718 + packet_mask = ~0,
719 + mark_seen = 0x9,
720 + mark_synrcv = 0x1,
721 + mark_closed = 0x2,
722 + mark_synscan = 0x3,
723 + mark_estab1 = 0x4,
724 + mark_estab2 = 0x5,
725 + mark_cnscan = 0x6,
726 + mark_grscan = 0x7,
727 + mark_valid = 0x8;
728 +
729 +module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
730 +module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
731 +module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
732 +module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
733 +module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
734 +module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
735 +module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
736 +module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
737 +module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
738 +module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
739 +module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
740 +MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
741 +MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
742 +MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
743 +MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
744 +MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
745 +MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
746 +MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
747 +MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
748 +MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
749 +MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
750 +MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
751 +
752 +/* TCP flag functions */
753 +static inline int tflg_ack4(const struct tcphdr *th)
754 +{
755 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
756 +}
757 +
758 +static inline int tflg_ack6(const struct tcphdr *th)
759 +{
760 + return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
761 +}
762 +
763 +static inline int tflg_fin(const struct tcphdr *th)
764 +{
765 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
766 +}
767 +
768 +static inline int tflg_rst(const struct tcphdr *th)
769 +{
770 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
771 +}
772 +
773 +static inline int tflg_rstack(const struct tcphdr *th)
774 +{
775 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
776 + (TCP_FLAG_ACK | TCP_FLAG_RST);
777 +}
778 +
779 +static inline int tflg_syn(const struct tcphdr *th)
780 +{
781 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
782 +}
783 +
784 +static inline int tflg_synack(const struct tcphdr *th)
785 +{
786 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
787 + (TCP_FLAG_SYN | TCP_FLAG_ACK);
788 +}
789 +
790 +/* portscan functions */
791 +static inline int xt_portscan_stealth(const struct tcphdr *th)
792 +{
793 + /*
794 + * "Connection refused" replies to our own probes must not be matched.
795 + */
796 + if(tflg_rstack(th))
797 + return 0;
798 +
799 + if(tflg_rst(th) && printk_ratelimit()) {
800 + printk(KERN_WARNING PFX "Warning: Pure RST received\n");
801 + return 0;
802 + }
803 +
804 + /*
805 + * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
806 + * packets that are not associated with any connection -- this will
807 + * match most scan types (NULL, XMAS, FIN) and ridiculous flag
808 + * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
809 + */
810 + return !tflg_syn(th);
811 +}
812 +
813 +static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
814 + int loopback, const struct tcphdr *tcph, int payload_len)
815 +{
816 + if(mark == mark_estab2) {
817 + /*
818 + * -m connmark --mark $ESTAB2
819 + */
820 + if(tflg_ack4(tcph) && payload_len == 0)
821 + return mark; /* keep mark */
822 + else if(tflg_rst(tcph) || tflg_fin(tcph))
823 + return mark_grscan;
824 + else
825 + return mark_valid;
826 + } else if(mark == mark_estab1) {
827 + /*
828 + * -m connmark --mark $ESTAB1
829 + */
830 + if(tflg_rst(tcph) || tflg_fin(tcph))
831 + return mark_cnscan;
832 + else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
833 + return mark_estab2;
834 + else
835 + return mark_valid;
836 + } else if(mark == mark_synrcv) {
837 + /*
838 + * -m connmark --mark $SYN
839 + */
840 + if(loopback && tflg_synack(tcph))
841 + return mark; /* keep mark */
842 + else if(loopback && tflg_rstack(tcph))
843 + return mark_closed;
844 + else if(tflg_ack6(tcph))
845 + return mark_estab1;
846 + else
847 + return mark_synscan;
848 + } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
849 + /*
850 + * -p tcp --syn --ctstate NEW
851 + */
852 + return mark_synrcv;
853 + }
854 + return mark;
855 +}
856 +
857 +static int xt_portscan_match(const struct sk_buff *skb,
858 + const struct net_device *in, const struct net_device *out,
859 + const struct xt_match *match, const void *matchinfo, int offset,
860 + unsigned int protoff, int *hotdrop)
861 +{
862 + const struct xt_portscan_info *info = matchinfo;
863 + enum ip_conntrack_info ctstate;
864 + struct nf_conn *ctdata;
865 + const struct tcphdr *tcph;
866 + struct tcphdr tcph_buf;
867 +
868 + tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
869 + if(tcph == NULL)
870 + return 0;
871 +
872 + /* Check for invalid packets: -m conntrack --ctstate INVALID */
873 + if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
874 + if(info->match_stealth)
875 + return xt_portscan_stealth(tcph);
876 + /*
877 + * If @ctdata is NULL, we cannot match the other scan
878 + * types, return.
879 + */
880 + return 0;
881 + }
882 +
883 + /*
884 + * If -m portscan was previously applied to this packet, the rules we
885 + * simulate must not be run through again. And for speedup, do not call
886 + * it either when the connection is already VALID.
887 + */
888 + if((ctdata->mark & connmark_mask) == mark_valid ||
889 + (skb->nfmark & packet_mask) != mark_seen)
890 + {
891 + unsigned int n;
892 + n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
893 + in == &loopback_dev, tcph,
894 + skb->len - protoff - 4 * tcph->doff);
895 +
896 + ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
897 + ((struct sk_buff *)skb)->nfmark =
898 + (skb->nfmark & ~packet_mask) | mark_seen;
899 + }
900 +
901 + return (info->match_syn && ctdata->mark == mark_synscan) ||
902 + (info->match_cn && ctdata->mark == mark_cnscan) ||
903 + (info->match_gr && ctdata->mark == mark_grscan);
904 +}
905 +
906 +static int xt_portscan_checkentry(const char *tablename, const void *entry,
907 + const struct xt_match *match, void *matchinfo,
908 +#ifdef HAVE_MATCHINFOSIZE
909 + unsigned int matchinfosize,
910 +#endif
911 + unsigned int hook_mask)
912 +{
913 + const struct xt_portscan_info *info = matchinfo;
914 +#ifdef HAVE_MATCHINFOSIZE
915 + if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
916 + printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
917 + matchinfosize,
918 + XT_ALIGN(sizeof(struct xt_portscan_info)));
919 + return 0;
920 + }
921 +#endif
922 + if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
923 + (info->match_cn & ~1) || (info->match_gr & ~1)) {
924 + printk(KERN_WARNING PFX "Invalid flags\n");
925 + return 0;
926 + }
927 + return 1;
928 +}
929 +
930 +static struct xt_match xt_portscan = {
931 + .name = "portscan",
932 + .match = xt_portscan_match,
933 + .checkentry = xt_portscan_checkentry,
934 + .matchsize = sizeof(struct xt_portscan_info),
935 + .proto = IPPROTO_TCP,
936 + .family = AF_INET,
937 + .me = THIS_MODULE,
938 +};
939 +
940 +static int __init xt_portscan_init(void)
941 +{
942 + return xt_register_match(&xt_portscan);
943 +}
944 +
945 +static void __exit xt_portscan_exit(void)
946 +{
947 + xt_unregister_match(&xt_portscan);
948 + return;
949 +}
950 +
951 +module_init(xt_portscan_init);
952 +module_exit(xt_portscan_exit);
953 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
954 +MODULE_DESCRIPTION("netfilter portscan match module");
955 +MODULE_LICENSE("GPL");
956 +MODULE_ALIAS("ipt_portscan");
957 Index: linux-2.6.23-rc6/drivers/char/random.c
958 ===================================================================
959 --- linux-2.6.23-rc6.orig/drivers/char/random.c 2007-09-21 16:23:53.000000000 +0800
960 +++ linux-2.6.23-rc6/drivers/char/random.c 2007-09-21 16:24:03.000000000 +0800
961 @@ -1562,6 +1562,8 @@
962 return seq;
963 }
964
965 +EXPORT_SYMBOL(secure_tcp_sequence_number);
966 +
967 /* Generate secure starting point for ephemeral IPV4 transport port search */
968 u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
969 {