Merge branch 'pknock'

INSTALL

@@ -19,6 +19,8 @@ Supported configurations for this release
 	  - CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
 	  - CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
 	    enabled =y or as module (=m)
+	  - CONFIG_CONNECTOR y/m if you wish to receive userspace
+	    notifications from pknock through netlink/connector
 
 Extra notes:
 

configure.ac

@@ -102,5 +102,5 @@ AC_SUBST([ksourcedir])
 AC_SUBST([xtlibdir])
 AC_CONFIG_FILES([Makefile Makefile.iptrules Makefile.mans
 	extensions/Makefile extensions/ACCOUNT/Makefile
-	extensions/ipset/Makefile])
+	extensions/ipset/Makefile extensions/pknock/Makefile])
 AC_OUTPUT

doc/changelog.txt

@@ -6,6 +6,19 @@ HEAD
 - ipp2p: try to address underflows
 - psd: avoid potential crash when dealing with non-linear skbs
 - merge xt_ACCOUNT userspace utilities
+- added reworked xt_pknock module
+  Changes from pknock v0.5:
+  - pknock: "strict" and "checkip" flags were not displayed in `iptables -L`
+  - pknock: the GC expire time's lower bound is now the default gc time
+    (65000 msec) to avoid rendering anti-spoof protection in SPA mode useless
+  - pknock: avoid crash on memory allocation failure and fix memleak
+  - pknock: avoid fillup of peer table during DDoS
+  - pknock: automatic closing of ports
+  - pknock: make non-zero time mandatory for TCP mode
+  - pknock: display only pknock mode and state relevant information in procfs
+  - pknock: check interknock time only for !ST_ALLOWED peers
+  - pknock: preserve time/autoclose values for rules added in
+    reverse/arbitrary order
 
 
 Xtables-addons 1.18 (September 09 2009)

extensions/Kbuild

@@ -26,6 +26,7 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += xt_ipv4options.o
 obj-${build_length2}     += xt_length2.o
 obj-${build_lscan}       += xt_lscan.o
+obj-${build_pknock}      += pknock/
 obj-${build_psd}         += xt_psd.o
 obj-${build_quota2}      += xt_quota2.o
 

extensions/Mbuild

@@ -21,5 +21,6 @@ obj-${build_ipset}       += ipset/
 obj-${build_ipv4options} += libxt_ipv4options.so
 obj-${build_length2}     += libxt_length2.so
 obj-${build_lscan}       += libxt_lscan.so
+obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so

extensions/pknock/Kbuild

@@ -0,0 +1,5 @@
+# -*- Makefile -*-
+
+EXTRA_CFLAGS = -I${src}/..
+
+obj-m += xt_pknock.o

extensions/pknock/Makefile.am

@@ -0,0 +1,3 @@
+# -*- Makefile -*-
+
+include ../../Makefile.extra

extensions/pknock/Mbuild

@@ -0,0 +1,3 @@
+# -*- Makefile -*-
+
+obj-${build_pknock}      += libxt_pknock.so

extensions/pknock/libxt_pknock.c

@@ -0,0 +1,343 @@
+/*
+ * Shared library add-on to iptables to add Port Knocking and SPA matching
+ * support.
+ *
+ * (C) 2006-2009 J. Federico Hernandez <fede.hernandez@gmail.com>
+ * (C) 2006 Luis Floreani <luis.floreani@gmail.com>
+ *
+ * This program is released under the terms of GNU GPL version 2.
+ */
+#include <getopt.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include "xt_pknock.h"
+
+static const struct option pknock_mt_opts[] = {
+	/* .name, .has_arg, .flag, .val */
+	{.name = "knockports",  .has_arg = true,  .val = 'k'},
+	{.name = "time",        .has_arg = true,  .val = 't'},
+	{.name = "autoclose",   .has_arg = true,  .val = 'a'},
+	{.name = "name",        .has_arg = true,  .val = 'n'},
+	{.name = "opensecret",  .has_arg = true,  .val = 'o'},
+	{.name = "closesecret", .has_arg = true,  .val = 'z'},
+	{.name = "strict",      .has_arg = false, .val = 'x'},
+	{.name = "checkip",     .has_arg = false, .val = 'c'},
+	{NULL},
+};
+
+static void pknock_mt_help(void)
+{
+	printf("pknock match options:\n"
+		" --knockports port[,port,port,...]	"
+			"Matches destination port(s).\n"
+		" --time seconds\n"
+			"Max allowed time between knocks.\n"
+		" --autoclose minutes\n"
+			"Time after which to automatically close opened\n"
+			"\t\t\t\t\tport(s).\n"
+		" --strict				"
+			"Knocks sequence must be exact.\n"
+		" --name rule_name			"
+			"Rule name.\n"
+		" --checkip				"
+			"Matches if the source ip is in the list.\n"
+		);
+}
+
+static unsigned int
+parse_ports(const char *portstring, uint16_t *ports, const char *proto)
+{
+	char *buffer, *cp, *next;
+	unsigned int i;
+
+	buffer = strdup(portstring);
+	if (buffer == NULL)
+		xtables_error(OTHER_PROBLEM, "strdup failed");
+
+	for (cp = buffer, i = 0; cp != NULL && i < XT_PKNOCK_MAX_PORTS; cp = next, ++i)
+	{
+		next=strchr(cp, ',');
+		if (next != NULL)
+			*next++ = '\0';
+		ports[i] = xtables_parse_port(cp, proto);
+	}
+
+	if (cp != NULL)
+		xtables_error(PARAMETER_PROBLEM, "too many ports specified");
+
+	free(buffer);
+	return i;
+}
+
+static char *
+proto_to_name(uint8_t proto)
+{
+	switch (proto) {
+	case IPPROTO_TCP:
+		return "tcp";
+	case IPPROTO_UDP:
+		return "udp";
+	default:
+		return NULL;
+	}
+}
+
+static const char *
+check_proto(uint16_t pnum, uint8_t invflags)
+{
+	char *proto;
+
+	if (invflags & XT_INV_PROTO)
+		xtables_error(PARAMETER_PROBLEM, PKNOCK "only works with TCP and UDP.");
+
+	if ((proto = proto_to_name(pnum)) != NULL)
+		return proto;
+	else if (pnum == 0)
+		xtables_error(PARAMETER_PROBLEM, PKNOCK "needs `-p tcp' or `-p udp'");
+	else
+		xtables_error(PARAMETER_PROBLEM, PKNOCK "only works with TCP and UDP.");
+}
+
+static int
+__pknock_parse(int c, char **argv, int invert, unsigned int *flags,
+		struct xt_entry_match **match, uint16_t pnum,
+		uint16_t invflags)
+{
+	const char *proto;
+	struct xt_pknock_mtinfo *info = (void *)(*match)->data;
+	unsigned int tmp;
+
+	switch (c) {
+	case 'k': /* --knockports */
+		if (*flags & XT_PKNOCK_KNOCKPORT)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --knockports twice.\n");
+		proto = check_proto(pnum, invflags);
+
+		info->ports_count = parse_ports(optarg, info->port, proto);
+		info->option |= XT_PKNOCK_KNOCKPORT;
+		*flags |= XT_PKNOCK_KNOCKPORT;
+#if DEBUG
+		printf("ports_count: %d\n", info->ports_count);
+#endif
+		break;
+
+	case 't': /* --time */
+		if (*flags & XT_PKNOCK_TIME)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --time twice.\n");
+		info->max_time = atoi(optarg);
+		if (info->max_time == 0)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"--time number must be > 0.\n");
+		info->option |= XT_PKNOCK_TIME;
+		*flags |= XT_PKNOCK_TIME;
+		break;
+
+        case 'a': /* --autoclose */
+		if (*flags & XT_PKNOCK_AUTOCLOSE)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --autoclose twice.\n");
+		if (!xtables_strtoui(optarg, NULL, &tmp, 0, ~0U))
+			xtables_param_act(XTF_BAD_VALUE, PKNOCK,
+				"--autoclose", optarg);
+                info->autoclose_time = tmp;
+                info->option |= XT_PKNOCK_AUTOCLOSE;
+                *flags |= XT_PKNOCK_AUTOCLOSE;
+                break;
+
+	case 'n': /* --name */
+		if (*flags & XT_PKNOCK_NAME)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --name twice.\n");
+		memset(info->rule_name, 0, sizeof(info->rule_name));
+		strncpy(info->rule_name, optarg, sizeof(info->rule_name) - 1);
+
+		info->rule_name_len = strlen(info->rule_name);
+		info->option |= XT_PKNOCK_NAME;
+		*flags |= XT_PKNOCK_NAME;
+#if DEBUG
+		printf("info->rule_name: %s\n", info->rule_name);
+#endif
+		break;
+
+	case 'o': /* --opensecret */
+		if (*flags & XT_PKNOCK_OPENSECRET)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --opensecret twice.\n");
+		memset(info->open_secret, 0, sizeof(info->open_secret));
+		strncpy(info->open_secret, optarg, sizeof(info->open_secret) - 1);
+
+		info->open_secret_len = strlen(info->open_secret);
+		info->option |= XT_PKNOCK_OPENSECRET;
+		*flags |= XT_PKNOCK_OPENSECRET;
+		break;
+
+	case 'z': /* --closesecret */
+		if (*flags & XT_PKNOCK_CLOSESECRET)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --closesecret twice.\n");
+		memset(info->close_secret, 0, sizeof(info->close_secret));
+		strncpy(info->close_secret, optarg, sizeof(info->close_secret) - 1);
+
+		info->close_secret_len = strlen(info->close_secret);
+		info->option |= XT_PKNOCK_CLOSESECRET;
+		*flags |= XT_PKNOCK_CLOSESECRET;
+		break;
+
+	case 'c': /* --checkip */
+		if (*flags & XT_PKNOCK_CHECKIP)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --checkip twice.\n");
+		info->option |= XT_PKNOCK_CHECKIP;
+		*flags |= XT_PKNOCK_CHECKIP;
+		break;
+
+	case 'x': /* --strict */
+		if (*flags & XT_PKNOCK_STRICT)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot use --strict twice.\n");
+		info->option |= XT_PKNOCK_STRICT;
+		*flags |= XT_PKNOCK_STRICT;
+		break;
+
+	default:
+		return 0;
+	}
+
+	if (invert)
+		xtables_error(PARAMETER_PROBLEM, PKNOCK "does not support invert.");
+
+	return 1;
+}
+
+static int pknock_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                		const void *e, struct xt_entry_match **match)
+{
+	const struct ipt_entry *entry = e;
+	return __pknock_parse(c, argv, invert, flags, match,
+			entry->ip.proto, entry->ip.invflags);
+}
+
+static void pknock_mt_check(unsigned int flags)
+{
+	if (!(flags & XT_PKNOCK_NAME))
+		xtables_error(PARAMETER_PROBLEM, PKNOCK
+			"--name option is required.\n");
+
+	if (flags & XT_PKNOCK_KNOCKPORT) {
+		if (flags & XT_PKNOCK_CHECKIP)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --knockports with --checkip.\n");
+		if ((flags & XT_PKNOCK_OPENSECRET)
+			&& !(flags & XT_PKNOCK_CLOSESECRET))
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"--opensecret must go with --closesecret.\n");
+		if ((flags & XT_PKNOCK_CLOSESECRET)
+			&& !(flags & XT_PKNOCK_OPENSECRET))
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"--closesecret must go with --opensecret.\n");
+	}
+
+	if (flags & XT_PKNOCK_CHECKIP) {
+		if (flags & XT_PKNOCK_KNOCKPORT)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --checkip with --knockports.\n");
+		if ((flags & XT_PKNOCK_OPENSECRET)
+			|| (flags & XT_PKNOCK_CLOSESECRET))
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --opensecret and"
+				" --closesecret with --checkip.\n");
+		if (flags & XT_PKNOCK_TIME)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --time with --checkip.\n");
+		if (flags & XT_PKNOCK_AUTOCLOSE)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"cannot specify --autoclose with --checkip.\n");
+	} else if (!(flags & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_TIME))) {
+		xtables_error(PARAMETER_PROBLEM, PKNOCK
+			"you must specify --time.\n");
+	}
+}
+
+static void pknock_mt_print(const void *ip,
+						const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_pknock_mtinfo *info = (void *)match->data;
+	int i;
+
+	printf("pknock ");
+	if (info->option & XT_PKNOCK_KNOCKPORT) {
+		printf("knockports ");
+		for (i = 0; i < info->ports_count; ++i)
+			printf("%s%d", i ? "," : "", info->port[i]);
+		printf(" ");
+	}
+	if (info->option & XT_PKNOCK_TIME)
+		printf("time %ld ", (long)info->max_time);
+	if (info->option & XT_PKNOCK_AUTOCLOSE)
+		printf("autoclose %lu ", (unsigned long)info->autoclose_time);
+	if (info->option & XT_PKNOCK_NAME)
+		printf("name %s ", info->rule_name);
+	if (info->option & XT_PKNOCK_OPENSECRET)
+		printf("opensecret ");
+	if (info->option & XT_PKNOCK_CLOSESECRET)
+		printf("closesecret ");
+	if (info->option & XT_PKNOCK_STRICT)
+		printf("strict ");
+	if (info->option & XT_PKNOCK_CHECKIP)
+		printf("checkip ");
+}
+
+static void pknock_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+	int i;
+	const struct xt_pknock_mtinfo *info = (void *)match->data;
+
+	if (info->option & XT_PKNOCK_KNOCKPORT) {
+		printf("--knockports ");
+		for (i = 0; i < info->ports_count; ++i)
+			printf("%s%d", i ? "," : "", info->port[i]);
+		printf(" ");
+	}
+	if (info->option & XT_PKNOCK_TIME)
+		printf("--time %ld ", (long)info->max_time);
+	if (info->option & XT_PKNOCK_AUTOCLOSE)
+		printf("--autoclose %lu ",
+		       (unsigned long)info->autoclose_time);
+	if (info->option & XT_PKNOCK_NAME)
+		printf("--name %s ", info->rule_name);
+	if (info->option & XT_PKNOCK_OPENSECRET)
+		printf("--opensecret ");
+	if (info->option & XT_PKNOCK_CLOSESECRET)
+		printf("--closesecret ");
+	if (info->option & XT_PKNOCK_STRICT)
+		printf("--strict ");
+	if (info->option & XT_PKNOCK_CHECKIP)
+		printf("--checkip ");
+}
+
+static struct xtables_match pknock_mt_reg = {
+	.name		= "pknock",
+	.version	= XTABLES_VERSION,
+	.revision      = 1,
+	.family		= AF_INET,
+	.size          = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_pknock_mtinfo)),
+	.help          = pknock_mt_help,
+	.parse         = pknock_mt_parse,
+	.final_check   = pknock_mt_check,
+	.print         = pknock_mt_print,
+	.save          = pknock_mt_save,
+	.extra_opts    = pknock_mt_opts,
+};
+
+static __attribute__((constructor)) void pknock_mt_ldr(void)
+{
+	xtables_register_match(&pknock_mt_reg);
+}

extensions/pknock/xt_pknock.Kconfig

@@ -0,0 +1,13 @@
+config NETFILTER_XT_MATCH_PKNOCK
+	tristate "Port knocking match support"
+	depends on NETFILTER_XTABLES && CONNECTOR
+	---help---
+	pknock match implements so-called Port Knocking, a stealthy system
+	for network authentication: client sends packets to selected, closed
+	ports on target machine in a specific sequence. The target machine
+	(which has pknock match rule set up) then decides whether to
+	unblock or block (again) its protected port with listening
+	service. This can be, for instance, used to avoid brute force attacks
+	on ssh or ftp services.
+
+	For more informations go to: http://portknocko.berlios.de/

extensions/pknock/xt_pknock.h

@@ -0,0 +1,53 @@
+/*
+ * Kernel module to implement Port Knocking and SPA matching support.
+ *
+ * (C) 2006-2008 J. Federico Hernandez <fede.hernandez@gmail.com>
+ * (C) 2006 Luis Floreani <luis.floreani@gmail.com>
+ *
+ * $Id$
+ *
+ * This program is released under the terms of GNU GPL version 2.
+ */
+#ifndef _XT_PKNOCK_H
+#define _XT_PKNOCK_H
+
+#define PKNOCK "xt_pknock: "
+
+enum {
+	XT_PKNOCK_KNOCKPORT   = 1 << 0,
+	XT_PKNOCK_TIME        = 1 << 1,
+	XT_PKNOCK_NAME        = 1 << 2,
+	XT_PKNOCK_STRICT      = 1 << 3,
+	XT_PKNOCK_CHECKIP     = 1 << 4,
+	XT_PKNOCK_OPENSECRET  = 1 << 5,
+	XT_PKNOCK_CLOSESECRET = 1 << 6,
+	XT_PKNOCK_AUTOCLOSE   = 1 << 7,
+
+	/* Can never change these, as they are make up the user protocol. */
+	XT_PKNOCK_MAX_PORTS      = 15,
+	XT_PKNOCK_MAX_BUF_LEN    = 31,
+	XT_PKNOCK_MAX_PASSWD_LEN = 31,
+};
+
+#define DEBUG 1
+
+struct xt_pknock_mtinfo {
+	char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
+	uint32_t			rule_name_len;
+	char open_secret[XT_PKNOCK_MAX_PASSWD_LEN+1];
+	uint32_t			open_secret_len;
+	char close_secret[XT_PKNOCK_MAX_PASSWD_LEN+1];
+	uint32_t			close_secret_len;
+	uint8_t	option;		/* --time, --knock-port, ... */
+	uint8_t	ports_count;	/* number of ports */
+	uint16_t	port[XT_PKNOCK_MAX_PORTS]; /* port[,port,port,...] */
+	uint32_t	max_time;	/* max matching time between ports */
+	uint32_t autoclose_time;
+};
+
+struct xt_pknock_nl_msg {
+	char rule_name[XT_PKNOCK_MAX_BUF_LEN+1];
+	__be32 peer_ip;
+};
+
+#endif /* _XT_PKNOCK_H */

mconfig

@@ -21,5 +21,6 @@ build_ipset=m
 build_ipv4options=m
 build_length2=m
 build_lscan=m
+build_pknock=m
 build_psd=m
 build_quota2=m