1 Index: linux-2.6.23-rc6/include/linux/netfilter/oot_conntrack.h
2 ===================================================================
3 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
4 +++ linux-2.6.23-rc6/include/linux/netfilter/oot_conntrack.h 2007-09-21 16:24:03.000000000 +0800
6 +#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
7 +# include <linux/netfilter_ipv4/ip_conntrack.h>
8 +#else /* linux-2.6.20+ */
9 +# include <net/netfilter/nf_nat_rule.h>
11 Index: linux-2.6.23-rc6/include/linux/netfilter/oot_trans.h
12 ===================================================================
13 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
14 +++ linux-2.6.23-rc6/include/linux/netfilter/oot_trans.h 2007-09-21 16:24:03.000000000 +0800
16 +/* Out of tree workarounds */
17 +#include <linux/version.h>
18 +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
19 +# define HAVE_MATCHINFOSIZE 1
20 +# define HAVE_TARGUSERINFO 1
21 +# define HAVE_TARGINFOSIZE 1
23 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
26 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
27 +# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
28 + tcp_v4_check((tcph_sz), (s), (d), (csp))
30 Index: linux-2.6.23-rc6/include/linux/netfilter/xt_CHAOS.h
31 ===================================================================
32 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
33 +++ linux-2.6.23-rc6/include/linux/netfilter/xt_CHAOS.h 2007-09-21 16:24:03.000000000 +0800
35 +#ifndef _LINUX_XT_CHAOS_H
36 +#define _LINUX_XT_CHAOS_H 1
38 +enum xt_chaos_variant {
44 +struct xt_chaos_info {
45 + enum xt_chaos_variant variant;
48 +#endif /* _LINUX_XT_CHAOS_H */
49 Index: linux-2.6.23-rc6/include/linux/netfilter/xt_portscan.h
50 ===================================================================
51 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
52 +++ linux-2.6.23-rc6/include/linux/netfilter/xt_portscan.h 2007-09-21 16:24:03.000000000 +0800
54 +#ifndef _LINUX_XT_PORTSCAN_H
55 +#define _LINUX_XT_PORTSCAN_H 1
57 +struct xt_portscan_info {
58 + unsigned int match_stealth, match_syn, match_cn, match_gr;
61 +#endif /* _LINUX_XT_PORTSCAN_H */
62 Index: linux-2.6.23-rc6/net/netfilter/find_match.c
63 ===================================================================
64 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
65 +++ linux-2.6.23-rc6/net/netfilter/find_match.c 2007-09-21 16:24:03.000000000 +0800
68 + xt_request_find_match
69 + by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
71 + Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
72 + Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
73 + This program is free software; you can redistribute it and/or modify
74 + it under the terms of the GNU General Public License version 2 as
75 + published by the Free Software Foundation.
77 +#include <linux/err.h>
78 +#include <linux/netfilter_arp.h>
79 +#include <linux/socket.h>
80 +#include <linux/netfilter/x_tables.h>
83 + * Yeah this code is sub-optimal, but the function is missing in
84 + * mainline so far. -jengelh
86 +static struct xt_match *xt_request_find_match_lo(int af, const char *name,
89 + static const char *const xt_prefix[] = {
94 + struct xt_match *match;
96 + match = try_then_request_module(xt_find_match(af, name, revision),
97 + "%st_%s", xt_prefix[af], name);
98 + if(IS_ERR(match) || match == NULL)
104 +/* In case it goes into mainline, let this out-of-tree package compile */
105 +#define xt_request_find_match xt_request_find_match_lo
106 Index: linux-2.6.23-rc6/net/netfilter/Kconfig
107 ===================================================================
108 --- linux-2.6.23-rc6.orig/net/netfilter/Kconfig 2007-09-21 16:23:53.000000000 +0800
109 +++ linux-2.6.23-rc6/net/netfilter/Kconfig 2007-09-21 16:24:03.000000000 +0800
112 # alphabetically ordered list of targets
114 +config NETFILTER_XT_TARGET_CHAOS
115 + tristate '"CHAOS" target support'
116 + depends on NETFILTER_XTABLES
118 + This option adds a `CHAOS' target.
120 + To compile it as a module, choose M here. If unsure, say N.
122 config NETFILTER_XT_TARGET_CLASSIFY
123 tristate '"CLASSIFY" target support'
124 depends on NETFILTER_XTABLES
126 <file:Documentation/kbuild/modules.txt>. The module will be called
127 ipt_CONNMARK.ko. If unsure, say `N'.
129 +config NETFILTER_XT_TARGET_DELUDE
130 + tristate '"DELUDE" target support'
131 + depends on NETFILTER_XTABLES
133 + This option adds a `DELUDE' target.
135 + To compile it as a module, choose M here. If unsure, say N.
137 config NETFILTER_XT_TARGET_DSCP
138 tristate '"DSCP" target support'
139 depends on NETFILTER_XTABLES
142 To compile it as a module, choose M here. If unsure, say N.
144 +config NETFILTER_XT_MATCH_PORTSCAN
145 + tristate '"portscan" match support'
146 + depends on NETFILTER_XTABLES
148 + This option adds a 'portscan' match support.
150 + To compile it as a module, choose M here. If unsure, say N.
152 config NETFILTER_XT_MATCH_MULTIPORT
153 tristate "Multiple port match support"
154 depends on NETFILTER_XTABLES
155 Index: linux-2.6.23-rc6/net/netfilter/Makefile
156 ===================================================================
157 --- linux-2.6.23-rc6.orig/net/netfilter/Makefile 2007-09-21 16:23:53.000000000 +0800
158 +++ linux-2.6.23-rc6/net/netfilter/Makefile 2007-09-21 16:24:03.000000000 +0800
160 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
163 +obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
164 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
165 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
166 +obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
167 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
168 obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
169 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
171 obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
172 obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
173 obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
174 +obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
175 obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
176 obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
177 obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
178 Index: linux-2.6.23-rc6/net/netfilter/xt_CHAOS.c
179 ===================================================================
180 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
181 +++ linux-2.6.23-rc6/net/netfilter/xt_CHAOS.c 2007-09-21 16:24:03.000000000 +0800
184 + CHAOS target for netfilter
186 + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
187 + This program is free software; you can redistribute it and/or modify
188 + it under the terms of the GNU General Public License version 2 as
189 + published by the Free Software Foundation.
191 +#include <linux/icmp.h>
192 +#include <linux/in.h>
193 +#include <linux/ip.h>
194 +#include <linux/module.h>
195 +#include <linux/skbuff.h>
196 +#include <linux/stat.h>
197 +#include <linux/netfilter/x_tables.h>
198 +#include <linux/netfilter/xt_tcpudp.h>
199 +#include <linux/netfilter_ipv4/ipt_REJECT.h>
201 +#include <linux/netfilter/xt_CHAOS.h>
202 +#include "find_match.c"
203 +#include <linux/netfilter/oot_trans.h>
204 +#define PFX KBUILD_MODNAME ": "
206 +/* Module parameters */
207 +static unsigned int reject_percentage = ~0U * .01;
208 +static unsigned int delude_percentage = ~0U * .0101;
209 +module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
210 +module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
212 +/* References to other matches/targets */
213 +static struct xt_match *xm_tcp;
214 +static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
216 +static int have_delude, have_tarpit;
218 +/* Static data for other matches/targets */
219 +static const struct ipt_reject_info reject_params = {
220 + .with = ICMP_HOST_UNREACH,
223 +static const struct xt_tcp tcp_params = {
228 +/* CHAOS functions */
229 +static void xt_chaos_total(const struct xt_chaos_info *info,
230 + struct sk_buff **pskb, const struct net_device *in,
231 + const struct net_device *out, unsigned int hooknum)
233 + const int protoff = ip_hdrlen(*pskb);
234 + const int offset = ntohs(ip_hdr(*pskb)->frag_off) & IP_OFFSET;
235 + const struct xt_target *destiny;
236 + int hotdrop = 0, ret;
238 + ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
239 + offset, protoff, &hotdrop);
240 + if(!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
243 + destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
244 +#ifdef HAVE_TARGUSERINFO
245 + destiny->target(pskb, in, out, hooknum, destiny, NULL, NULL);
247 + destiny->target(pskb, in, out, hooknum, destiny, NULL);
252 +static unsigned int xt_chaos_target(struct sk_buff **pskb,
253 + const struct net_device *in, const struct net_device *out,
254 + unsigned int hooknum, const struct xt_target *target, const void *targinfo
255 +#ifdef HAVE_TARGUSERINFO
262 + * -A chaos -m statistic --mode random --probability \
263 + * $reject_percentage -j REJECT --reject-with host-unreach;
264 + * -A chaos -p tcp -m statistic --mode random --probability \
265 + * $delude_percentage -j DELUDE;
266 + * -A chaos -j DROP;
268 + const struct xt_chaos_info *info = targinfo;
270 + if((unsigned int)net_random() <= reject_percentage)
271 +#ifdef HAVE_TARGUSERINFO
272 + return xt_reject->target(pskb, in, out, hooknum, target,
273 + &reject_params, userinfo);
275 + return xt_reject->target(pskb, in, out, hooknum, target,
279 + /* TARPIT/DELUDE may not be called from the OUTPUT chain */
280 + if(ip_hdr(*pskb)->protocol == IPPROTO_TCP &&
281 + info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
282 + xt_chaos_total(info, pskb, in, out, hooknum);
287 +static int xt_chaos_checkentry(const char *tablename, const void *entry,
288 + const struct xt_target *target, void *targinfo,
289 +#ifdef HAVE_TARGINFOSIZE
290 + unsigned int targinfosize,
292 + unsigned int hook_mask)
294 + const struct xt_chaos_info *info = targinfo;
295 + if(info->variant == XTCHAOS_DELUDE && !have_delude) {
296 + printk(KERN_WARNING PFX "Error: Cannot use --delude when "
297 + "DELUDE module not available\n");
300 + if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
301 + printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
302 + "TARPIT module not available\n");
308 +static struct xt_target xt_chaos_info = {
310 + .target = xt_chaos_target,
311 + .checkentry = xt_chaos_checkentry,
313 + .targetsize = sizeof(struct xt_chaos_info),
314 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
315 + (1 << NF_IP_LOCAL_OUT),
320 +static int __init xt_chaos_init(void)
324 + xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
325 + if(xm_tcp == NULL) {
326 + printk(KERN_WARNING PFX "Error: Could not find or load "
327 + "\"tcp\" match\n");
331 + xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
332 + if(xt_reject == NULL) {
333 + printk(KERN_WARNING PFX "Error: Could not find or load "
334 + "\"REJECT\" target\n");
338 + xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
339 + have_tarpit = xt_tarpit != NULL;
341 + printk(KERN_WARNING PFX "Warning: Could not find or load "
342 + "\"TARPIT\" target\n");
344 + xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
345 + have_delude = xt_delude != NULL;
347 + printk(KERN_WARNING PFX "Warning: Could not find or load "
348 + "\"DELUDE\" target\n");
350 + if((ret = xt_register_target(&xt_chaos_info)) != 0) {
351 + printk(KERN_WARNING PFX "xt_register_target returned "
352 + "error %d\n", ret);
360 + module_put(xt_delude->me);
362 + module_put(xt_tarpit->me);
363 + module_put(xt_reject->me);
365 + module_put(xm_tcp->me);
369 +static void __exit xt_chaos_exit(void)
371 + xt_unregister_target(&xt_chaos_info);
372 + module_put(xm_tcp->me);
373 + module_put(xt_reject->me);
375 + module_put(xt_delude->me);
377 + module_put(xt_tarpit->me);
381 +module_init(xt_chaos_init);
382 +module_exit(xt_chaos_exit);
383 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
384 +MODULE_DESCRIPTION("netfilter CHAOS target");
385 +MODULE_LICENSE("GPL");
386 +MODULE_ALIAS("ipt_CHAOS");
387 Index: linux-2.6.23-rc6/net/netfilter/xt_DELUDE.c
388 ===================================================================
389 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
390 +++ linux-2.6.23-rc6/net/netfilter/xt_DELUDE.c 2007-09-21 16:24:03.000000000 +0800
394 + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
396 + Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
397 + (C) 1999-2001 Paul `Rusty' Russell
398 + (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
400 + xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
402 + This program is free software; you can redistribute it and/or modify
403 + it under the terms of the GNU General Public License version 2 as
404 + published by the Free Software Foundation.
406 +#include <linux/module.h>
407 +#include <linux/skbuff.h>
408 +#include <linux/ip.h>
409 +#include <linux/random.h>
410 +#include <linux/tcp.h>
411 +#include <linux/udp.h>
412 +#include <linux/icmp.h>
413 +#include <net/icmp.h>
415 +#include <net/tcp.h>
416 +#include <net/route.h>
417 +#include <net/dst.h>
418 +#include <linux/netfilter_ipv4/ip_tables.h>
419 +#ifdef CONFIG_BRIDGE_NETFILTER
420 +# include <linux/netfilter_bridge.h>
422 +#include <linux/netfilter/oot_trans.h>
423 +#define PFX KBUILD_MODNAME ": "
425 +static inline struct rtable *route_reverse(struct sk_buff *skb,
426 + struct tcphdr *tcph, int hook)
428 + struct iphdr *iph = ip_hdr(skb);
429 + struct dst_entry *odst;
430 + struct flowi fl = {};
433 + /* We don't require ip forwarding to be enabled to be able to
434 + * send a RST reply for bridged traffic. */
435 + if (hook != NF_IP_FORWARD
436 +#ifdef CONFIG_BRIDGE_NETFILTER
437 + || (skb->nf_bridge && skb->nf_bridge->mask & BRNF_BRIDGED)
440 + fl.nl_u.ip4_u.daddr = iph->saddr;
441 + if (hook == NF_IP_LOCAL_IN)
442 + fl.nl_u.ip4_u.saddr = iph->daddr;
443 + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
445 + if (ip_route_output_key(&rt, &fl) != 0)
448 + /* non-local src, find valid iif to satisfy
449 + * rp-filter when calling ip_route_input. */
450 + fl.nl_u.ip4_u.daddr = iph->daddr;
451 + if (ip_route_output_key(&rt, &fl) != 0)
455 + if (ip_route_input(skb, iph->saddr, iph->daddr,
456 + RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
457 + dst_release(&rt->u.dst);
460 + dst_release(&rt->u.dst);
461 + rt = (struct rtable *)skb->dst;
464 + fl.nl_u.ip4_u.daddr = iph->saddr;
465 + fl.nl_u.ip4_u.saddr = iph->daddr;
466 + fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
469 + if (rt->u.dst.error) {
470 + dst_release(&rt->u.dst);
474 + fl.proto = IPPROTO_TCP;
475 + fl.fl_ip_sport = tcph->dest;
476 + fl.fl_ip_dport = tcph->source;
478 + xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0);
483 +static void send_reset(struct sk_buff *oldskb, int hook)
485 + struct sk_buff *nskb;
486 + struct iphdr *iph = ip_hdr(oldskb);
487 + struct tcphdr _otcph, *oth, *tcph;
491 + unsigned int addr_type;
493 + /* IP header checks: fragment. */
494 + if (iph->frag_off & htons(IP_OFFSET))
497 + oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
498 + sizeof(_otcph), &_otcph);
502 + /* No RST for RST. */
506 + /* Check checksum */
507 + if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
510 + /* We need a linear, writeable skb. We also need to expand
511 + headroom in case hh_len of incoming interface < hh_len of
512 + outgoing interface */
513 + nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
518 + /* This packet will not be the same as the other: clear nf fields */
521 + skb_init_secmark(nskb);
523 + skb_shinfo(nskb)->gso_size = 0;
524 + skb_shinfo(nskb)->gso_segs = 0;
525 + skb_shinfo(nskb)->gso_type = 0;
527 + tcph = tcp_hdr(nskb);
529 + /* Swap source and dest */
530 + tmp_addr = ip_hdr(nskb)->saddr;
531 + ip_hdr(nskb)->saddr = ip_hdr(nskb)->daddr;
532 + ip_hdr(nskb)->daddr = tmp_addr;
533 + tmp_port = tcph->source;
534 + tcph->source = tcph->dest;
535 + tcph->dest = tmp_port;
537 + /* Truncate to length (no data) */
538 + tcph->doff = sizeof(struct tcphdr)/4;
539 + skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
540 + ip_hdr(nskb)->tot_len = htons(nskb->len);
542 + if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
543 + /* DELUDE essential part */
544 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
545 + oldskb->len - ip_hdrlen(oldskb) -
547 + tcph->seq = htonl(secure_tcp_sequence_number(
548 + ip_hdr(nskb)->saddr, ip_hdr(nskb)->daddr,
549 + tcph->source, tcph->dest));
554 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
555 + + oldskb->len - ip_hdrlen(oldskb)
560 + tcph->seq = oth->ack_seq;
565 + ((u_int8_t *)tcph)[13] = 0;
567 + tcph->ack = needs_ack;
574 + /* Adjust TCP checksum */
576 + tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
577 + ip_hdr(nskb)->saddr,
578 + ip_hdr(nskb)->daddr,
579 + csum_partial((char *)tcph,
580 + sizeof(struct tcphdr), 0));
582 + /* Set DF, id = 0 */
583 + ip_hdr(nskb)->frag_off = htons(IP_DF);
584 + ip_hdr(nskb)->id = 0;
586 + addr_type = RTN_UNSPEC;
587 + if (hook != NF_IP_FORWARD
588 +#ifdef CONFIG_BRIDGE_NETFILTER
589 + || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
592 + addr_type = RTN_LOCAL;
594 + if (ip_route_me_harder(&nskb, addr_type))
597 + nskb->ip_summed = CHECKSUM_NONE;
599 + /* Adjust IP TTL */
600 + ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
602 + /* Adjust IP checksum */
603 + ip_hdr(nskb)->check = 0;
604 + ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)ip_hdr(nskb),
605 + ip_hdr(nskb)->ihl);
607 + /* "Never happens" */
608 + if (nskb->len > dst_mtu(nskb->dst))
611 + nf_ct_attach(nskb, oldskb);
613 + NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
621 +static unsigned int xt_delude_target(struct sk_buff **pskb,
622 + const struct net_device *in, const struct net_device *out,
623 + unsigned int hooknum, const struct xt_target *target, const void *targinfo
624 +#ifdef HAVE_TARGUSERINFO
630 + /* WARNING: This code causes reentry within iptables.
631 + This means that the iptables jump stack is now crap. We
632 + must return an absolute verdict. --RR */
633 + send_reset(*pskb, hooknum);
637 +static int xt_delude_check(const char *tablename, const void *e_void,
638 + const struct xt_target *target, void *targinfo,
639 +#ifdef HAVE_TARGINFOSIZE
640 + unsigned int targinfosize,
642 + unsigned int hook_mask)
644 + if(hook_mask & ~((1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD))) {
645 + printk(KERN_WARNING PFX "DELUDE may not be used in chains "
646 + "other than INPUT and FORWARD\n");
652 +static struct xt_target xt_delude_info = {
654 + .target = xt_delude_target,
655 + .checkentry = xt_delude_check,
657 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
658 + (1 << NF_IP_LOCAL_OUT),
659 + .proto = IPPROTO_TCP,
664 +static int __init xt_delude_init(void)
666 + return xt_register_target(&xt_delude_info);
669 +static void __exit xt_delude_exit(void)
671 + xt_unregister_target(&xt_delude_info);
674 +module_init(xt_delude_init);
675 +module_exit(xt_delude_exit);
676 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
677 +MODULE_DESCRIPTION("netfilter DELUDE target");
678 +MODULE_LICENSE("GPL");
679 +MODULE_ALIAS("ipt_DELUDE");
680 Index: linux-2.6.23-rc6/net/netfilter/xt_portscan.c
681 ===================================================================
682 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
683 +++ linux-2.6.23-rc6/net/netfilter/xt_portscan.c 2007-09-21 16:24:03.000000000 +0800
686 + portscan match for netfilter
688 + Written by Jan Engelhardt, 2006 - 2007
689 + This program is free software; you can redistribute it and/or modify
690 + it under the terms of the GNU General Public License version 2 as
691 + published by the Free Software Foundation.
693 +#include <linux/in.h>
694 +#include <linux/ip.h>
695 +#include <linux/module.h>
696 +#include <linux/moduleparam.h>
697 +#include <linux/skbuff.h>
698 +#include <linux/stat.h>
699 +#include <linux/tcp.h>
700 +#include <linux/types.h>
701 +#include <linux/version.h>
702 +#include <linux/netfilter/x_tables.h>
703 +#include <linux/netfilter/xt_tcpudp.h>
704 +#include <linux/netfilter/oot_conntrack.h>
705 +#include <linux/netfilter/xt_portscan.h>
706 +#include <linux/netfilter/oot_trans.h>
707 +#define PFX KBUILD_MODNAME ": "
710 + TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
711 + TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
712 + TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
715 +/* Module parameters */
717 + connmark_mask = ~0,
722 + mark_synscan = 0x3,
729 +module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
730 +module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
731 +module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
732 +module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
733 +module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
734 +module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
735 +module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
736 +module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
737 +module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
738 +module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
739 +module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
740 +MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
741 +MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
742 +MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
743 +MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
744 +MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
745 +MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
746 +MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
747 +MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
748 +MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
749 +MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
750 +MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
752 +/* TCP flag functions */
753 +static inline int tflg_ack4(const struct tcphdr *th)
755 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
758 +static inline int tflg_ack6(const struct tcphdr *th)
760 + return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
763 +static inline int tflg_fin(const struct tcphdr *th)
765 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
768 +static inline int tflg_rst(const struct tcphdr *th)
770 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
773 +static inline int tflg_rstack(const struct tcphdr *th)
775 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
776 + (TCP_FLAG_ACK | TCP_FLAG_RST);
779 +static inline int tflg_syn(const struct tcphdr *th)
781 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
784 +static inline int tflg_synack(const struct tcphdr *th)
786 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
787 + (TCP_FLAG_SYN | TCP_FLAG_ACK);
790 +/* portscan functions */
791 +static inline int xt_portscan_stealth(const struct tcphdr *th)
794 + * "Connection refused" replies to our own probes must not be matched.
796 + if(tflg_rstack(th))
799 + if(tflg_rst(th) && printk_ratelimit()) {
800 + printk(KERN_WARNING PFX "Warning: Pure RST received\n");
805 + * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
806 + * packets that are not associated with any connection -- this will
807 + * match most scan types (NULL, XMAS, FIN) and ridiculous flag
808 + * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
810 + return !tflg_syn(th);
813 +static inline int xt_portscan_full(int mark, enum ip_conntrack_info ctstate,
814 + int loopback, const struct tcphdr *tcph, int payload_len)
816 + if(mark == mark_estab2) {
818 + * -m connmark --mark $ESTAB2
820 + if(tflg_ack4(tcph) && payload_len == 0)
821 + return mark; /* keep mark */
822 + else if(tflg_rst(tcph) || tflg_fin(tcph))
823 + return mark_grscan;
826 + } else if(mark == mark_estab1) {
828 + * -m connmark --mark $ESTAB1
830 + if(tflg_rst(tcph) || tflg_fin(tcph))
831 + return mark_cnscan;
832 + else if(!loopback && tflg_ack4(tcph) && payload_len == 0)
833 + return mark_estab2;
836 + } else if(mark == mark_synrcv) {
838 + * -m connmark --mark $SYN
840 + if(loopback && tflg_synack(tcph))
841 + return mark; /* keep mark */
842 + else if(loopback && tflg_rstack(tcph))
843 + return mark_closed;
844 + else if(tflg_ack6(tcph))
845 + return mark_estab1;
847 + return mark_synscan;
848 + } else if(ctstate == IP_CT_NEW && tflg_syn(tcph)) {
850 + * -p tcp --syn --ctstate NEW
852 + return mark_synrcv;
857 +static int xt_portscan_match(const struct sk_buff *skb,
858 + const struct net_device *in, const struct net_device *out,
859 + const struct xt_match *match, const void *matchinfo, int offset,
860 + unsigned int protoff, int *hotdrop)
862 + const struct xt_portscan_info *info = matchinfo;
863 + enum ip_conntrack_info ctstate;
864 + struct nf_conn *ctdata;
865 + const struct tcphdr *tcph;
866 + struct tcphdr tcph_buf;
868 + tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
872 + /* Check for invalid packets: -m conntrack --ctstate INVALID */
873 + if((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
874 + if(info->match_stealth)
875 + return xt_portscan_stealth(tcph);
877 + * If @ctdata is NULL, we cannot match the other scan
884 + * If -m portscan was previously applied to this packet, the rules we
885 + * simulate must not be run through again. And for speedup, do not call
886 + * it either when the connection is already VALID.
888 + if((ctdata->mark & connmark_mask) == mark_valid ||
889 + (skb->nfmark & packet_mask) != mark_seen)
892 + n = xt_portscan_full(ctdata->mark & connmark_mask, ctstate,
893 + in == &loopback_dev, tcph,
894 + skb->len - protoff - 4 * tcph->doff);
896 + ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
897 + ((struct sk_buff *)skb)->nfmark =
898 + (skb->nfmark & ~packet_mask) | mark_seen;
901 + return (info->match_syn && ctdata->mark == mark_synscan) ||
902 + (info->match_cn && ctdata->mark == mark_cnscan) ||
903 + (info->match_gr && ctdata->mark == mark_grscan);
906 +static int xt_portscan_checkentry(const char *tablename, const void *entry,
907 + const struct xt_match *match, void *matchinfo,
908 +#ifdef HAVE_MATCHINFOSIZE
909 + unsigned int matchinfosize,
911 + unsigned int hook_mask)
913 + const struct xt_portscan_info *info = matchinfo;
914 +#ifdef HAVE_MATCHINFOSIZE
915 + if(matchinfosize != XT_ALIGN(sizeof(struct xt_portscan_info))) {
916 + printk(KERN_WARNING PFX "matchinfosize %u != %Zu\n",
918 + XT_ALIGN(sizeof(struct xt_portscan_info)));
922 + if((info->match_stealth & ~1) || (info->match_syn & ~1) ||
923 + (info->match_cn & ~1) || (info->match_gr & ~1)) {
924 + printk(KERN_WARNING PFX "Invalid flags\n");
930 +static struct xt_match xt_portscan = {
931 + .name = "portscan",
932 + .match = xt_portscan_match,
933 + .checkentry = xt_portscan_checkentry,
934 + .matchsize = sizeof(struct xt_portscan_info),
935 + .proto = IPPROTO_TCP,
940 +static int __init xt_portscan_init(void)
942 + return xt_register_match(&xt_portscan);
945 +static void __exit xt_portscan_exit(void)
947 + xt_unregister_match(&xt_portscan);
951 +module_init(xt_portscan_init);
952 +module_exit(xt_portscan_exit);
953 +MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
954 +MODULE_DESCRIPTION("netfilter portscan match module");
955 +MODULE_LICENSE("GPL");
956 +MODULE_ALIAS("ipt_portscan");
957 Index: linux-2.6.23-rc6/drivers/char/random.c
958 ===================================================================
959 --- linux-2.6.23-rc6.orig/drivers/char/random.c 2007-09-21 16:23:53.000000000 +0800
960 +++ linux-2.6.23-rc6/drivers/char/random.c 2007-09-21 16:24:03.000000000 +0800
961 @@ -1562,6 +1562,8 @@
965 +EXPORT_SYMBOL(secure_tcp_sequence_number);
967 /* Generate secure starting point for ephemeral IPV4 transport port search */
968 u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)