diff --git a/doc/changelog.txt b/doc/changelog.txt
index 9c7e668..6f68e8f 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -1,6 +1,8 @@
 - ipset: fix for compilation with 2.6.29-rt
+- rename xt_portscan to xt_lscan ("low-level scan") because
+ "portscan" as a wor caused confusion
 Xtables-addons 1.10 (February 18 2009)
diff --git a/extensions/Kbuild b/extensions/Kbuild
index 25fa72f..7be640f 100644
--- a/extensions/Kbuild
+++ b/extensions/Kbuild
@@ -20,7 +20,7 @@ obj-${build_geoip} += xt_geoip.o
 obj-${build_ipp2p} += xt_ipp2p.o
 obj-${build_ipset} += ipset/
 obj-${build_length2} += xt_length2.o
-obj-${build_portscan} += xt_portscan.o
+obj-${build_lscan} += xt_lscan.o
 obj-${build_quota2} += xt_quota2.o
 -include ${M}/*.Kbuild
diff --git a/extensions/Mbuild b/extensions/Mbuild
index 05f6485..c25d927 100644
--- a/extensions/Mbuild
+++ b/extensions/Mbuild
@@ -13,5 +13,5 @@ obj-${build_geoip} += libxt_geoip.so
 obj-${build_ipp2p} += libxt_ipp2p.so
 obj-${build_ipset} += ipset/
 obj-${build_length2} += libxt_length2.so
-obj-${build_portscan} += libxt_portscan.so
+obj-${build_lscan} += libxt_lscan.so
 obj-${build_quota2} += libxt_quota2.so
diff --git a/extensions/libxt_CHAOS.man b/extensions/libxt_CHAOS.man
index 0430c66..d698c1b 100644
--- a/extensions/libxt_CHAOS.man
+++ b/extensions/libxt_CHAOS.man
@@ -18,4 +18,4 @@ The randomness factor of not replying vs. replying can be set during load-time of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
 See http://jengelh.medozas.de/projects/chaostables/ for more information
-about CHAOS, DELUDE and portscan.
+about CHAOS, DELUDE and lscan.
diff --git a/extensions/libxt_portscan.c b/extensions/libxt_lscan.c
similarity index 61%
rename from extensions/libxt_portscan.c
rename to extensions/libxt_lscan.c
index f460e5a..0bcc226 100644
--- a/extensions/libxt_portscan.c
+++ b/extensions/libxt_lscan.c
@@ -1,6 +1,6 @@
 /*
- * "portscan" match extension for iptables
- * Copyright © Jan Engelhardt , 2006 - 2008
+ * LSCAN match extension for iptables
+ * Copyright © Jan Engelhardt , 2006 - 2009
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License; either
@@ -16,9 +16,9 @@
 #include
 #include
-#include "xt_portscan.h"
+#include "xt_lscan.h"
-static const struct option portscan_mt_opts[] = {
+static const struct option lscan_mt_opts[] = {
 {.name = "stealth", .has_arg = false, .val = 'x'},
 {.name = "synscan", .has_arg = false, .val = 's'},
 {.name = "cnscan", .has_arg = false, .val = 'c'},
@@ -26,10 +26,10 @@ static const struct option portscan_mt_opts[] = {
 {NULL},
 };
-static void portscan_mt_help(void)
+static void lscan_mt_help(void)
 {
 printf(
- "portscan match options:\n"
+ "lscan match options:\n"
 "(Combining them will make them match by OR-logic)\n"
 " --stealth Match TCP Stealth packets\n"
 " --synscan Match TCP SYN scans\n"
@@ -37,10 +37,10 @@ static void portscan_mt_help(void)
 " --grscan Match Banner Grabbing scans\n");
 }
-static int portscan_mt_parse(int c, char **argv, int invert,
+static int lscan_mt_parse(int c, char **argv, int invert,
 unsigned int *flags, const void *entry, struct xt_entry_match **match)
 {
- struct xt_portscan_mtinfo *info = (void *)((*match)->data);
+ struct xt_lscan_mtinfo *info = (void *)((*match)->data);
 switch (c) {
 case 'c':
@@ -59,17 +59,17 @@ static int portscan_mt_parse(int c, char **argv, int invert,
 return false;
 }
-static void portscan_mt_check(unsigned int flags)
+static void lscan_mt_check(unsigned int flags)
 {
 }
-static void portscan_mt_print(const void *ip,
+static void lscan_mt_print(const void *ip,
 const struct xt_entry_match *match, int numeric)
 {
- const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+ const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 const char *s = "";
- printf("portscan ");
+ printf("lscan ");
 if (info->match_stealth) {
 printf("STEALTH");
 s = ",";
@@ -87,9 +87,9 @@ static void portscan_mt_print(const void *ip,
 printf(" ");
 }
-static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
+static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
- const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+ const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 if (info->match_stealth)
 printf("--stealth ");
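Review bot: `lscan_mt_check(unsigned int flags)` is still an empty body, so a rule written as `-m lscan` with none of --stealth, --synscan, --cnscan or --grscan is accepted at parse time and then silently never matches; for a match meant to feed blocking rules that is a quiet failure rather than an error the operator sees. Provided `lscan_mt_parse` records each selected option in `*flags` (most of its body lies outside the hunk), the final check can reject that case: `if (flags == 0)` followed by `xtables_error(PARAMETER_PROBLEM, "lscan: at least one of --stealth, --synscan, --cnscan or --grscan is required");` (or the older `exit_error` call if this tree still targets the pre-xtables_error libxtables API). The kernel-side `lscan_mt_check` in xt_lscan.c only range-checks each flag to 0/1 and does not catch the all-zero case either, so userspace is the natural place for it.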
@@ -101,22 +101,22 @@ static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
 printf("--grscan ");
 }
-static struct xtables_match portscan_mt_reg = {
+static struct xtables_match lscan_mt_reg = {
 .version = XTABLES_VERSION,
- .name = "portscan",
+ .name = "lscan",
 .revision = 0,
 .family = AF_INET,
- .size = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
- .help = portscan_mt_help,
- .parse = portscan_mt_parse,
- .final_check = portscan_mt_check,
- .print = portscan_mt_print,
- .save = portscan_mt_save,
- .extra_opts = portscan_mt_opts,
+ .size = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+ .help = lscan_mt_help,
+ .parse = lscan_mt_parse,
+ .final_check = lscan_mt_check,
+ .print = lscan_mt_print,
+ .save = lscan_mt_save,
+ .extra_opts = lscan_mt_opts,
 };
-static __attribute__((constructor)) void portscan_mt_ldr(void)
+static __attribute__((constructor)) void lscan_mt_ldr(void)
 {
- xtables_register_match(&portscan_mt_reg);
+ xtables_register_match(&lscan_mt_reg);
 }
diff --git a/extensions/libxt_portscan.man b/extensions/libxt_lscan.man
similarity index 90%
rename from extensions/libxt_portscan.man
rename to extensions/libxt_lscan.man
index aaa162f..a39867a 100644
--- a/extensions/libxt_portscan.man
+++ b/extensions/libxt_lscan.man
@@ -1,4 +1,5 @@
-Detects simple port scan attemps based upon the packet's contents. (This is
+Detects simple low-level scan attemps based upon the packet's contents.
+(This is
 different from other implementations, which also try to match the rate of new connections.) Note that an attempt is only discovered after it has been carried out, but this information can be used in conjunction with other rules to block
@@ -27,5 +28,5 @@ ports where a protocol runs that is guaranteed to do a bidirectional exchange of bytes.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
-so be advised to carefully use xt_portscan in conjunction with blocking rules,
+so be advised to carefully use xt_lscan in conjunction with blocking rules,
 as it may lock out your very own internal network.
diff --git a/extensions/xt_portscan.Kconfig b/extensions/xt_lscan.Kconfig
similarity index 59%
rename from extensions/xt_portscan.Kconfig
rename to extensions/xt_lscan.Kconfig
index 566d9c3..a6879c6 100644
--- a/extensions/xt_portscan.Kconfig
+++ b/extensions/xt_lscan.Kconfig
@@ -1,8 +1,8 @@
-config NETFILTER_XT_MATCH_PORTSCAN
- tristate '"portscan" target support'
+config NETFILTER_XT_MATCH_LSCAN
+ tristate '"lscan" match support'
 depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
 ---help---
- The portscan match allows to match on the basic types of nmap
+ The LSCAN match allows to match on the basic types of nmap
 scans: Stealth Scan, SYN scan and connect scan. It can also match "grab-only" connections, i.e. where data flows in only one direction.
diff --git a/extensions/xt_portscan.c b/extensions/xt_lscan.c
similarity index 81%
rename from extensions/xt_portscan.c
rename to extensions/xt_lscan.c
index 3b133aa..cf63a90 100644
--- a/extensions/xt_portscan.c
+++ b/extensions/xt_lscan.c
@@ -1,6 +1,6 @@
 /*
- * portscan match for netfilter
- * Copyright © CC Computer Consultants GmbH, 2006 - 2008
+ * LSCAN match for netfilter
+ * Copyright © Jan Engelhardt, 2006 - 2009
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License; either version
@@ -17,8 +17,7 @@
 #include
 #include
 #include
-//#include
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
@@ -103,8 +102,8 @@ static inline bool tflg_synack(const struct tcphdr *th)
 (TCP_FLAG_SYN | TCP_FLAG_ACK);
 }
-/* portscan functions */
-static inline bool portscan_mt_stealth(const struct tcphdr *th)
+/* lscan functions */
+static inline bool lscan_mt_stealth(const struct tcphdr *th)
 {
 /*
 * "Connection refused" replies to our own probes must not be matched.
@@ -126,7 +125,7 @@ static inline bool portscan_mt_stealth(const struct tcphdr *th)
 return !tflg_syn(th);
 }
-static inline unsigned int portscan_mt_full(int mark,
+static inline unsigned int lscan_mt_full(int mark,
 enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph, unsigned int payload_len)
 {
@@ -172,9 +171,9 @@ static inline unsigned int portscan_mt_full(int mark,
 }
 static bool
-portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
- const struct xt_portscan_mtinfo *info = par->matchinfo;
+ const struct xt_lscan_mtinfo *info = par->matchinfo;
 enum ip_conntrack_info ctstate;
 const struct tcphdr *tcph;
 struct nf_conn *ctdata;
@@ -187,7 +186,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 /* Check for invalid packets: -m conntrack --ctstate INVALID */
 if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
 if (info->match_stealth)
- return portscan_mt_stealth(tcph);
+ return lscan_mt_stealth(tcph);
 /*
 * If @ctdata is NULL, we cannot match the other scan
 * types, return.
@@ -196,7 +195,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 /*
- * If -m portscan was previously applied to this packet, the rules we
+ * If -m lscan was previously applied to this packet, the rules we
 * simulate must not be run through again. And for speedup, do not call
 * it either when the connection is already VALID.
 */
@@ -204,7 +203,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 (skb_nfmark(skb) & packet_mask) != mark_seen) {
 unsigned int n;
- n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
+ n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
 par->in == init_net__loopback_dev, tcph, skb->len - par->thoff - 4 * tcph->doff);
@@ -217,9 +216,9 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 (info->match_gr && ctdata->mark == mark_grscan);
 }
-static bool portscan_mt_check(const struct xt_mtchk_param *par)
+static bool lscan_mt_check(const struct xt_mtchk_param *par)
 {
- const struct xt_portscan_mtinfo *info = par->matchinfo;
+ const struct xt_lscan_mtinfo *info = par->matchinfo;
 if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
 (info->match_cn & ~1) || (info->match_gr & ~1)) {
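Review bot: The payload length handed to `lscan_mt_full` is computed as `skb->len - par->thoff - 4 * tcph->doff` in unsigned arithmetic, so a packet whose advertised data offset runs past the end of the buffer (a truncated or malformed TCP header) wraps to a very large `payload_len` instead of being treated as invalid, and the scan classification then runs on a nonsense value. Unless the header fetch earlier in `lscan_mt` (outside this hunk) already rejects `par->thoff + 4 * tcph->doff > skb->len`, guard it before the call: `if (par->thoff + 4 * tcph->doff > skb->len) return false;` — or raise the hotdrop flag on `par` if such packets should be dropped outright rather than merely not matched. `lscan_mt` starts and ends outside this hunk.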
@@ -229,44 +228,44 @@ static bool portscan_mt_check(const struct xt_mtchk_param *par)
 return true;
 }
-static struct xt_match portscan_mt_reg[] __read_mostly = {
+static struct xt_match lscan_mt_reg[] __read_mostly = {
 {
- .name = "portscan",
+ .name = "lscan",
 .revision = 0,
 .family = NFPROTO_IPV4,
- .match = portscan_mt,
- .checkentry = portscan_mt_check,
- .matchsize = sizeof(struct xt_portscan_mtinfo),
+ .match = lscan_mt,
+ .checkentry = lscan_mt_check,
+ .matchsize = sizeof(struct xt_lscan_mtinfo),
 .proto = IPPROTO_TCP,
 .me = THIS_MODULE,
 },
 {
- .name = "portscan",
+ .name = "lscan",
 .revision = 0,
 .family = NFPROTO_IPV6,
- .match = portscan_mt,
- .checkentry = portscan_mt_check,
- .matchsize = sizeof(struct xt_portscan_mtinfo),
+ .match = lscan_mt,
+ .checkentry = lscan_mt_check,
+ .matchsize = sizeof(struct xt_lscan_mtinfo),
 .proto = IPPROTO_TCP,
 .me = THIS_MODULE,
 },
 };
-static int __init portscan_mt_init(void)
+static int __init lscan_mt_init(void)
 {
- return xt_register_matches(portscan_mt_reg,
- ARRAY_SIZE(portscan_mt_reg));
+ return xt_register_matches(lscan_mt_reg,
+ ARRAY_SIZE(lscan_mt_reg));
 }
-static void __exit portscan_mt_exit(void)
+static void __exit lscan_mt_exit(void)
 {
- xt_unregister_matches(portscan_mt_reg, ARRAY_SIZE(portscan_mt_reg));
+ xt_unregister_matches(lscan_mt_reg, ARRAY_SIZE(lscan_mt_reg));
 }
-module_init(portscan_mt_init);
-module_exit(portscan_mt_exit);
+module_init(lscan_mt_init);
+module_exit(lscan_mt_exit);
 MODULE_AUTHOR("Jan Engelhardt ");
-MODULE_DESCRIPTION("Xtables: \"portscan\" match");
+MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_portscan");
-MODULE_ALIAS("ip6t_portscan");
+MODULE_ALIAS("ipt_lscan");
+MODULE_ALIAS("ip6t_lscan");
diff --git a/extensions/xt_lscan.h b/extensions/xt_lscan.h
new file mode 100644
index 0000000..2cc8b02
--- /dev/null
+++ b/extensions/xt_lscan.h
@@ -0,0 +1,8 @@
+#ifndef _LINUX_NETFILTER_XT_LSCAN_H
+#define _LINUX_NETFILTER_XT_LSCAN_H 1
+
+struct xt_lscan_mtinfo {
+ uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
+#endif /* _LINUX_NETFILTER_XT_LSCAN_H */
diff --git a/extensions/xt_portscan.h b/extensions/xt_portscan.h
deleted file mode 100644
index 949a8ae..0000000
--- a/extensions/xt_portscan.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
-#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
-
-struct xt_portscan_mtinfo {
- uint8_t match_stealth, match_syn, match_cn, match_gr;
-};
-
-#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
diff --git a/mconfig b/mconfig
index 7dab1a4..27d7557 100644
--- a/mconfig
+++ b/mconfig
@@ -15,5 +15,5 @@ build_geoip=m
 build_ipp2p=m
 build_ipset=m
 build_length2=m
-build_portscan=m
+build_lscan=m
 build_quota2=m
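Review bot: The new xt_lscan.h declares `uint8_t` members but includes nothing that defines that type, so it compiles only when the includer has already pulled in <stdint.h> (userspace) or <linux/types.h> (kernel); both libxt_lscan.c and xt_lscan.c include it after their system headers, so it works today by include order alone. Since the header is shared between the kernel module and the iptables extension, the conventional form is `#include <linux/types.h>` at the top and `__u8 match_stealth, match_syn, match_cn, match_gr;`, which keeps the struct layout byte-identical on both sides. A one-line comment on the struct noting that each field is a 0/1 flag selecting one scan type (the range that xt_lscan.c's `lscan_mt_check` enforces) would also spare the next reader a trip through the kernel module.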