xt_lscan: rename from xt_portscan

This commit is contained in:
Jan Engelhardt
2009-03-05 01:43:29 +01:00
parent 4a25321191
commit 08e6f23655
11 changed files with 78 additions and 76 deletions


@@ -1,6 +1,8 @@
- ipset: fix for compilation with 2.6.29-rt - ipset: fix for compilation with 2.6.29-rt
- rename xt_portscan to xt_lscan ("low-level scan") because
"portscan" as a wor caused confusion
Xtables-addons 1.10 (February 18 2009) Xtables-addons 1.10 (February 18 2009)


@@ -20,7 +20,7 @@ obj-${build_geoip} += xt_geoip.o
obj-${build_ipp2p} += xt_ipp2p.o obj-${build_ipp2p} += xt_ipp2p.o
obj-${build_ipset} += ipset/ obj-${build_ipset} += ipset/
obj-${build_length2} += xt_length2.o obj-${build_length2} += xt_length2.o
obj-${build_portscan} += xt_portscan.o obj-${build_lscan} += xt_lscan.o
obj-${build_quota2} += xt_quota2.o obj-${build_quota2} += xt_quota2.o
-include ${M}/*.Kbuild -include ${M}/*.Kbuild


@@ -13,5 +13,5 @@ obj-${build_geoip} += libxt_geoip.so
obj-${build_ipp2p} += libxt_ipp2p.so obj-${build_ipp2p} += libxt_ipp2p.so
obj-${build_ipset} += ipset/ obj-${build_ipset} += ipset/
obj-${build_length2} += libxt_length2.so obj-${build_length2} += libxt_length2.so
obj-${build_portscan} += libxt_portscan.so obj-${build_lscan} += libxt_lscan.so
obj-${build_quota2} += libxt_quota2.so obj-${build_quota2} += libxt_quota2.so


@@ -18,4 +18,4 @@ The randomness factor of not replying vs. replying can be set during load-time
of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters. of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
.PP .PP
See http://jengelh.medozas.de/projects/chaostables/ for more information See http://jengelh.medozas.de/projects/chaostables/ for more information
about CHAOS, DELUDE and portscan. about CHAOS, DELUDE and lscan.


@@ -1,6 +1,6 @@
/* /*
* "portscan" match extension for iptables * LSCAN match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008 * Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either * modify it under the terms of the GNU General Public License; either
@@ -16,9 +16,9 @@
#include <xtables.h> #include <xtables.h>
#include <linux/netfilter/x_tables.h> #include <linux/netfilter/x_tables.h>
#include "xt_portscan.h" #include "xt_lscan.h"
static const struct option portscan_mt_opts[] = { static const struct option lscan_mt_opts[] = {
{.name = "stealth", .has_arg = false, .val = 'x'}, {.name = "stealth", .has_arg = false, .val = 'x'},
{.name = "synscan", .has_arg = false, .val = 's'}, {.name = "synscan", .has_arg = false, .val = 's'},
{.name = "cnscan", .has_arg = false, .val = 'c'}, {.name = "cnscan", .has_arg = false, .val = 'c'},
@@ -26,10 +26,10 @@ static const struct option portscan_mt_opts[] = {
{NULL}, {NULL},
}; };
static void portscan_mt_help(void) static void lscan_mt_help(void)
{ {
printf( printf(
"portscan match options:\n" "lscan match options:\n"
"(Combining them will make them match by OR-logic)\n" "(Combining them will make them match by OR-logic)\n"
" --stealth Match TCP Stealth packets\n" " --stealth Match TCP Stealth packets\n"
" --synscan Match TCP SYN scans\n" " --synscan Match TCP SYN scans\n"
@@ -37,10 +37,10 @@ static void portscan_mt_help(void)
" --grscan Match Banner Grabbing scans\n"); " --grscan Match Banner Grabbing scans\n");
} }
static int portscan_mt_parse(int c, char **argv, int invert, static int lscan_mt_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_match **match) unsigned int *flags, const void *entry, struct xt_entry_match **match)
{ {
struct xt_portscan_mtinfo *info = (void *)((*match)->data); struct xt_lscan_mtinfo *info = (void *)((*match)->data);
switch (c) { switch (c) {
case 'c': case 'c':
@@ -59,17 +59,17 @@ static int portscan_mt_parse(int c, char **argv, int invert,
return false; return false;
} }
static void portscan_mt_check(unsigned int flags) static void lscan_mt_check(unsigned int flags)
{ {
} }
static void portscan_mt_print(const void *ip, static void lscan_mt_print(const void *ip,
const struct xt_entry_match *match, int numeric) const struct xt_entry_match *match, int numeric)
{ {
const struct xt_portscan_mtinfo *info = (const void *)(match->data); const struct xt_lscan_mtinfo *info = (const void *)(match->data);
const char *s = ""; const char *s = "";
printf("portscan "); printf("lscan ");
if (info->match_stealth) { if (info->match_stealth) {
printf("STEALTH"); printf("STEALTH");
s = ","; s = ",";
@@ -87,9 +87,9 @@ static void portscan_mt_print(const void *ip,
printf(" "); printf(" ");
} }
static void portscan_mt_save(const void *ip, const struct xt_entry_match *match) static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
{ {
const struct xt_portscan_mtinfo *info = (const void *)(match->data); const struct xt_lscan_mtinfo *info = (const void *)(match->data);
if (info->match_stealth) if (info->match_stealth)
printf("--stealth "); printf("--stealth ");
@@ -101,22 +101,22 @@ static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
printf("--grscan "); printf("--grscan ");
} }
static struct xtables_match portscan_mt_reg = { static struct xtables_match lscan_mt_reg = {
.version = XTABLES_VERSION, .version = XTABLES_VERSION,
.name = "portscan", .name = "lscan",
.revision = 0, .revision = 0,
.family = AF_INET, .family = AF_INET,
.size = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)), .size = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)), .userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
.help = portscan_mt_help, .help = lscan_mt_help,
.parse = portscan_mt_parse, .parse = lscan_mt_parse,
.final_check = portscan_mt_check, .final_check = lscan_mt_check,
.print = portscan_mt_print, .print = lscan_mt_print,
.save = portscan_mt_save, .save = lscan_mt_save,
.extra_opts = portscan_mt_opts, .extra_opts = lscan_mt_opts,
}; };
static __attribute__((constructor)) void portscan_mt_ldr(void) static __attribute__((constructor)) void lscan_mt_ldr(void)
{ {
xtables_register_match(&portscan_mt_reg); xtables_register_match(&lscan_mt_reg);
} }


@@ -1,4 +1,5 @@
Detects simple port scan attemps based upon the packet's contents. (This is Detects simple low-level scan attemps based upon the packet's contents.
(This is
different from other implementations, which also try to match the rate of new different from other implementations, which also try to match the rate of new
connections.) Note that an attempt is only discovered after it has been carried connections.) Note that an attempt is only discovered after it has been carried
out, but this information can be used in conjunction with other rules to block out, but this information can be used in conjunction with other rules to block
@@ -27,5 +28,5 @@ ports where a protocol runs that is guaranteed to do a bidirectional exchange
of bytes. of bytes.
.PP .PP
NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan, NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
so be advised to carefully use xt_portscan in conjunction with blocking rules, so be advised to carefully use xt_lscan in conjunction with blocking rules,
as it may lock out your very own internal network. as it may lock out your very own internal network.


@@ -1,8 +1,8 @@
config NETFILTER_XT_MATCH_PORTSCAN config NETFILTER_XT_MATCH_LSCAN
tristate '"portscan" target support' tristate '"lscan" match support'
depends on NETFILTER_XTABLES && NETFILTER_ADVANCED depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
---help--- ---help---
The portscan match allows to match on the basic types of nmap The LSCAN match allows to match on the basic types of nmap
scans: Stealth Scan, SYN scan and connect scan. It can also match scans: Stealth Scan, SYN scan and connect scan. It can also match
"grab-only" connections, i.e. where data flows in only one "grab-only" connections, i.e. where data flows in only one
direction. direction.


@@ -1,6 +1,6 @@
/* /*
* portscan match for netfilter * LSCAN match for netfilter
* Copyright © CC Computer Consultants GmbH, 2006 - 2008 * Copyright © Jan Engelhardt, 2006 - 2009
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License; either version * it under the terms of the GNU General Public License; either version
@@ -17,8 +17,7 @@
#include <linux/version.h> #include <linux/version.h>
#include <linux/netfilter/x_tables.h> #include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_tcpudp.h> #include <linux/netfilter/xt_tcpudp.h>
//#include <net/netfilter/nf_conntrack.h> #include "xt_lscan.h"
#include "xt_portscan.h"
#include "compat_xtables.h" #include "compat_xtables.h"
#define PFX KBUILD_MODNAME ": " #define PFX KBUILD_MODNAME ": "
@@ -103,8 +102,8 @@ static inline bool tflg_synack(const struct tcphdr *th)
(TCP_FLAG_SYN | TCP_FLAG_ACK); (TCP_FLAG_SYN | TCP_FLAG_ACK);
} }
/* portscan functions */ /* lscan functions */
static inline bool portscan_mt_stealth(const struct tcphdr *th) static inline bool lscan_mt_stealth(const struct tcphdr *th)
{ {
/* /*
* "Connection refused" replies to our own probes must not be matched. * "Connection refused" replies to our own probes must not be matched.
@@ -126,7 +125,7 @@ static inline bool portscan_mt_stealth(const struct tcphdr *th)
return !tflg_syn(th); return !tflg_syn(th);
} }
static inline unsigned int portscan_mt_full(int mark, static inline unsigned int lscan_mt_full(int mark,
enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph, enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
unsigned int payload_len) unsigned int payload_len)
{ {
@@ -172,9 +171,9 @@ static inline unsigned int portscan_mt_full(int mark,
} }
static bool static bool
portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par) lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{ {
const struct xt_portscan_mtinfo *info = par->matchinfo; const struct xt_lscan_mtinfo *info = par->matchinfo;
enum ip_conntrack_info ctstate; enum ip_conntrack_info ctstate;
const struct tcphdr *tcph; const struct tcphdr *tcph;
struct nf_conn *ctdata; struct nf_conn *ctdata;
@@ -187,7 +186,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
/* Check for invalid packets: -m conntrack --ctstate INVALID */ /* Check for invalid packets: -m conntrack --ctstate INVALID */
if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) { if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
if (info->match_stealth) if (info->match_stealth)
return portscan_mt_stealth(tcph); return lscan_mt_stealth(tcph);
/* /*
* If @ctdata is NULL, we cannot match the other scan * If @ctdata is NULL, we cannot match the other scan
* types, return. * types, return.
@@ -196,7 +195,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
} }
/* /*
* If -m portscan was previously applied to this packet, the rules we * If -m lscan was previously applied to this packet, the rules we
* simulate must not be run through again. And for speedup, do not call * simulate must not be run through again. And for speedup, do not call
* it either when the connection is already VALID. * it either when the connection is already VALID.
*/ */
@@ -204,7 +203,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
(skb_nfmark(skb) & packet_mask) != mark_seen) { (skb_nfmark(skb) & packet_mask) != mark_seen) {
unsigned int n; unsigned int n;
n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate, n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
par->in == init_net__loopback_dev, tcph, par->in == init_net__loopback_dev, tcph,
skb->len - par->thoff - 4 * tcph->doff); skb->len - par->thoff - 4 * tcph->doff);
@@ -217,9 +216,9 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
(info->match_gr && ctdata->mark == mark_grscan); (info->match_gr && ctdata->mark == mark_grscan);
} }
static bool portscan_mt_check(const struct xt_mtchk_param *par) static bool lscan_mt_check(const struct xt_mtchk_param *par)
{ {
const struct xt_portscan_mtinfo *info = par->matchinfo; const struct xt_lscan_mtinfo *info = par->matchinfo;
if ((info->match_stealth & ~1) || (info->match_syn & ~1) || if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
(info->match_cn & ~1) || (info->match_gr & ~1)) { (info->match_cn & ~1) || (info->match_gr & ~1)) {
@@ -229,44 +228,44 @@ static bool portscan_mt_check(const struct xt_mtchk_param *par)
return true; return true;
} }
static struct xt_match portscan_mt_reg[] __read_mostly = { static struct xt_match lscan_mt_reg[] __read_mostly = {
{ {
.name = "portscan", .name = "lscan",
.revision = 0, .revision = 0,
.family = NFPROTO_IPV4, .family = NFPROTO_IPV4,
.match = portscan_mt, .match = lscan_mt,
.checkentry = portscan_mt_check, .checkentry = lscan_mt_check,
.matchsize = sizeof(struct xt_portscan_mtinfo), .matchsize = sizeof(struct xt_lscan_mtinfo),
.proto = IPPROTO_TCP, .proto = IPPROTO_TCP,
.me = THIS_MODULE, .me = THIS_MODULE,
}, },
{ {
.name = "portscan", .name = "lscan",
.revision = 0, .revision = 0,
.family = NFPROTO_IPV6, .family = NFPROTO_IPV6,
.match = portscan_mt, .match = lscan_mt,
.checkentry = portscan_mt_check, .checkentry = lscan_mt_check,
.matchsize = sizeof(struct xt_portscan_mtinfo), .matchsize = sizeof(struct xt_lscan_mtinfo),
.proto = IPPROTO_TCP, .proto = IPPROTO_TCP,
.me = THIS_MODULE, .me = THIS_MODULE,
}, },
}; };
static int __init portscan_mt_init(void) static int __init lscan_mt_init(void)
{ {
return xt_register_matches(portscan_mt_reg, return xt_register_matches(lscan_mt_reg,
ARRAY_SIZE(portscan_mt_reg)); ARRAY_SIZE(lscan_mt_reg));
} }
static void __exit portscan_mt_exit(void) static void __exit lscan_mt_exit(void)
{ {
xt_unregister_matches(portscan_mt_reg, ARRAY_SIZE(portscan_mt_reg)); xt_unregister_matches(lscan_mt_reg, ARRAY_SIZE(lscan_mt_reg));
} }
module_init(portscan_mt_init); module_init(lscan_mt_init);
module_exit(portscan_mt_exit); module_exit(lscan_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: \"portscan\" match"); MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_portscan"); MODULE_ALIAS("ipt_lscan");
MODULE_ALIAS("ip6t_portscan"); MODULE_ALIAS("ip6t_lscan");

extensions/xt_lscan.h Normal file

@@ -0,0 +1,8 @@
#ifndef _LINUX_NETFILTER_XT_LSCAN_H
#define _LINUX_NETFILTER_XT_LSCAN_H 1
struct xt_lscan_mtinfo {
uint8_t match_stealth, match_syn, match_cn, match_gr;
};
#endif /* _LINUX_NETFILTER_XT_LSCAN_H */
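Review bot: The new xt_lscan.h uses `uint8_t` in struct xt_lscan_mtinfo without including any header that declares it, so it is not self-contained and only compiles because xt_lscan.c and libxt_lscan.c pull in <linux/netfilter/x_tables.h> and related headers before it. Adding `#include <linux/types.h>` after the guard would make the header stand on its own. Since both the kernel module (`.matchsize = sizeof(struct xt_lscan_mtinfo)`) and the iptables extension (`.size`/`.userspacesize`) treat this struct as a shared ABI, the kernel convention for such headers is the fixed-width `__u8` family from linux/types.h rather than the C99 names; whether the userspace build already reaches linux/types.h is not visible here. The same gap existed in the deleted xt_portscan.h, so this is carried over by the rename rather than introduced by it.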


@@ -1,8 +0,0 @@
#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
struct xt_portscan_mtinfo {
uint8_t match_stealth, match_syn, match_cn, match_gr;
};
#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */


@@ -15,5 +15,5 @@ build_geoip=m
build_ipp2p=m build_ipp2p=m
build_ipset=m build_ipset=m
build_length2=m build_length2=m
build_portscan=m build_lscan=m
build_quota2=m build_quota2=m