diff --git a/INSTALL b/INSTALL index 1c0af0e..3f6b4ad 100644 --- a/INSTALL +++ b/INSTALL @@ -12,9 +12,9 @@ in combination with the kernel's Kbuild system. Prerequirements =============== - * xtables(-devel) 1.5.0 + * xtables(-devel) 1.5.2 - * kernel-source >= 2.6.22 with prepared output directory + * kernel-source >= 2.6.18 with prepared build/output directory Selecting extensions diff --git a/extensions/compat_skbuff.h b/extensions/compat_skbuff.h new file mode 100644 index 0000000..d201992 --- /dev/null +++ b/extensions/compat_skbuff.h @@ -0,0 +1,20 @@ +#ifndef COMPAT_SKBUFF_H +#define COMPAT_SKBUFF_H 1 + +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19) +# define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark) +#else +# define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark) +#endif + +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21) +# define ip_hdr(skb) ((skb)->nh.iph) +# define ip_hdrlen(skb) (ip_hdr(skb)->ihl * 4) +# define skb_network_header(skb) ((skb)->nh.raw) +static inline void skb_reset_network_header(struct sk_buff *skb) +{ + skb->nh.raw = skb->data; +} +#endif + +#endif /* COMPAT_SKBUFF_H */ diff --git a/extensions/compat_xtables.c b/extensions/compat_xtables.c index 2e3cd60..3952295 100644 --- a/extensions/compat_xtables.c +++ b/extensions/compat_xtables.c @@ -1,3 +1,4 @@ +#include #include #include #include @@ -8,9 +9,10 @@ #include #include #include +#include "compat_skbuff.h" #include "compat_xtnu.h" -#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 22) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) static int xtnu_match_run(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *cm, const void *matchinfo, int offset, @@ -26,9 +28,17 @@ static int xtnu_match_run(const struct sk_buff *skb, *hotdrop = lo_drop; return lo_ret; } +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) +static int xtnu_match_check(const char *table, const void *entry, + const struct xt_match *cm, void *matchinfo, unsigned int matchinfosize, + unsigned int hook_mask) +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) static int xtnu_match_check(const char *table, const void *entry, const struct xt_match *cm, void *matchinfo, unsigned int hook_mask) +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) { struct xtnu_match *nm = xtcompat_numatch(cm); @@ -38,15 +48,24 @@ static int xtnu_match_check(const char *table, const void *entry, return true; return nm->checkentry(table, entry, nm, matchinfo, hook_mask); } +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) +static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo, + unsigned int matchinfosize) +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo) +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) { struct xtnu_match *nm = xtcompat_numatch(cm); if (nm != NULL && nm->destroy != NULL) nm->destroy(nm, matchinfo); } +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) int xtnu_register_match(struct xtnu_match *nt) { struct xt_match *ct; @@ -114,52 +133,65 @@ void xtnu_unregister_matches(struct xtnu_match *nt, unsigned int num) xtnu_unregister_match(&nt[i]); } EXPORT_SYMBOL_GPL(xtnu_unregister_matches); - -static int xtnu_target_check(const char *table, const void *entry, - const struct xt_target *ct, void *targinfo, unsigned int hook_mask) -{ - struct xtnu_target *nt = xtcompat_nutarget(ct); - if (nt == NULL) - return false; - if (nt->checkentry == NULL) - /* this is valid, just like if there was no function */ - return true; - return nt->checkentry(table, entry, nt, targinfo, hook_mask); -} #endif -#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 23) -static bool xtnu_target_check(const char *table, const void *entry, - const struct xt_target *ct, void *targinfo, unsigned int hook_mask) -{ - struct xtnu_target *nt = xtcompat_nutarget(ct); - if (nt == NULL) - return false; - if (nt->checkentry == NULL) - /* this is valid, just like if there was no function */ - return true; - return nt->checkentry(table, entry, nt, targinfo, hook_mask); -} -#endif - -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) +static unsigned int xtnu_target_run(struct sk_buff **pskb, + const struct net_device *in, const struct net_device *out, + unsigned int hooknum, const struct xt_target *ct, const void *targinfo, + void *userdata) +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) static unsigned int xtnu_target_run(struct sk_buff **pskb, const struct net_device *in, const struct net_device *out, unsigned int hooknum, const struct xt_target *ct, const void *targinfo) +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) { struct xtnu_target *nt = xtcompat_nutarget(ct); if (nt != NULL && nt->target != NULL) return nt->target(*pskb, in, out, hooknum, nt, targinfo); return XT_CONTINUE; } +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) +static int xtnu_target_check(const char *table, const void *entry, + const struct xt_target *ct, void *targinfo, + unsigned int targinfosize, unsigned int hook_mask) +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) +static int xtnu_target_check(const char *table, const void *entry, + const struct xt_target *ct, void *targinfo, unsigned int hook_mask) +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) +static bool xtnu_target_check(const char *table, const void *entry, + const struct xt_target *ct, void *targinfo, unsigned int hook_mask) +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) +{ + struct xtnu_target *nt = xtcompat_nutarget(ct); + if (nt == NULL) + return false; + if (nt->checkentry == NULL) + /* this is valid, just like if there was no function */ + return true; + return nt->checkentry(table, entry, nt, targinfo, hook_mask); +} +#endif + +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) +static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo, + unsigned int targinfosize) +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo) +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) { struct xtnu_target *nt = xtcompat_nutarget(ct); if (nt != NULL && nt->destroy != NULL) nt->destroy(nt, targinfo); } +#endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) int xtnu_register_target(struct xtnu_target *nt) { struct xt_target *ct; @@ -233,9 +265,14 @@ struct xt_match *xtnu_request_find_match(unsigned int af, const char *name, uint8_t revision) { static const char *const xt_prefix[] = { - [AF_INET] = "ip", - [AF_INET6] = "ip6", - [NF_ARP] = "arp", + [AF_UNSPEC] = "x", + [AF_INET] = "ip", + [AF_INET6] = "ip6", +#ifdef AF_ARP + [AF_ARP] = "arp", +#elif defined(NF_ARP) && NF_ARP != AF_UNSPEC + [NF_ARP] = "arp", +#endif }; struct xt_match *match; @@ -251,7 +288,11 @@ EXPORT_SYMBOL_GPL(xtnu_request_find_match); #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) int xtnu_ip_route_me_harder(struct sk_buff *skb, unsigned int addr_type) { +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) + return ip_route_me_harder(&skb); +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) return ip_route_me_harder(&skb, addr_type); +#endif } EXPORT_SYMBOL_GPL(xtnu_ip_route_me_harder); #endif @@ -310,4 +351,19 @@ int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp) EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key); #endif +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19) +int xtnu_neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb) +{ + unsigned int hh_alen; + + read_lock_bh(&hh->hh_lock); + hh_alen = HH_DATA_ALIGN(hh->hh_len); + memcpy(skb->data - hh_alen, hh->hh_data, hh_alen); + read_unlock_bh(&hh->hh_lock); + skb_push(skb, hh->hh_len); + return hh->hh_output(skb); +} +EXPORT_SYMBOL_GPL(xtnu_neigh_hh_output); +#endif + MODULE_LICENSE("GPL"); diff --git a/extensions/compat_xtables.h b/extensions/compat_xtables.h index e5b1e4c..75741df 100644 --- a/extensions/compat_xtables.h +++ b/extensions/compat_xtables.h @@ -2,10 +2,32 @@ #define _XTABLES_COMPAT_H 1 #include +#include "compat_skbuff.h" #include "compat_xtnu.h" -#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 22) -# warning Kernels below 2.6.22 not supported anymore +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 18) +# warning Kernels below 2.6.18 not supported. +#endif + +#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) +# if !defined(CONFIG_NF_CONNTRACK_MARK) || !defined(CONFIG_NF_CONNTRACK_SECMARK) +# warning You have CONFIG_NF_CONNTRACK enabled, but CONFIG_NF_CONNTRACK_MARK or CONFIG_NF_CONNTRACK_SECMARK are not (please enable). +# endif +# include +#elif defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE) +# if !defined(CONFIG_IP_NF_CONNTRACK_MARK) || !defined(CONFIG_IP_NF_CONNTRACK_SECMARK) +# warning You have CONFIG_IP_NF_CONNTRACK enabled, but CONFIG_IP_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_SECMARK are not (please enable). +# endif +# include +# define nf_conn ip_conntrack +# define nf_ct_get ip_conntrack_get +# define nf_conntrack_untracked ip_conntrack_untracked +#else +# warning You need either CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK. +#endif + +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19) +# define neigh_hh_output xtnu_neigh_hh_output #endif #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24) @@ -26,7 +48,7 @@ # define init_net__loopback_dev init_net.loopback_dev #endif -#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 22) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) # define xt_match xtnu_match # define xt_register_match xtnu_register_match # define xt_unregister_match xtnu_unregister_match diff --git a/extensions/compat_xtnu.h b/extensions/compat_xtnu.h index 77018e7..c1be614 100644 --- a/extensions/compat_xtnu.h +++ b/extensions/compat_xtnu.h @@ -5,7 +5,13 @@ #include #include +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) +typedef _Bool bool; +enum { false = 0, true = 1, }; +#endif + struct flowi; +struct hh_cache; struct module; struct net_device; struct rtable; @@ -74,5 +80,6 @@ extern int xtnu_register_targets(struct xtnu_target *, unsigned int); extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int); extern struct xt_match *xtnu_request_find_match(unsigned int, const char *, uint8_t); +extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *); #endif /* _COMPAT_XTNU_H */ diff --git a/extensions/xt_CHAOS.c b/extensions/xt_CHAOS.c index a9ad67b..0a34d86 100644 --- a/extensions/xt_CHAOS.c +++ b/extensions/xt_CHAOS.c @@ -53,7 +53,7 @@ static void xt_chaos_total(const struct xt_chaos_tginfo *info, const int offset = ntohs(iph->frag_off) & IP_OFFSET; typeof(xt_tarpit) destiny; bool ret; -#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 22) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) int hotdrop = false; #else bool hotdrop = false; @@ -65,7 +65,9 @@ static void xt_chaos_total(const struct xt_chaos_tginfo *info, return; destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude; -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) + destiny->target(&skb, in, out, hooknum, destiny, NULL, NULL); +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) destiny->target(&skb, in, out, hooknum, destiny, NULL); #else destiny->target(skb, in, out, hooknum, destiny, NULL); @@ -89,7 +91,10 @@ static unsigned int chaos_tg(struct sk_buff *skb, const struct net_device *in, const struct iphdr *iph = ip_hdr(skb); if ((unsigned int)net_random() <= reject_percentage) -#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) + return xt_reject->target(&skb, in, out, hooknum, + target->__compat_target, &reject_params, NULL); +#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) return xt_reject->target(&skb, in, out, hooknum, target->__compat_target, &reject_params); #else diff --git a/extensions/xt_DELUDE.c b/extensions/xt_DELUDE.c index cfa78d3..9f22a0a 100644 --- a/extensions/xt_DELUDE.c +++ b/extensions/xt_DELUDE.c @@ -99,9 +99,15 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook) } } +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20) + tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr, + niph->daddr, csum_partial((char *)tcph, + sizeof(struct tcphdr), 0)); +#else tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr, niph->daddr, csum_partial((char *)tcph, sizeof(struct tcphdr), 0)); +#endif addr_type = RTN_UNSPEC; #ifdef CONFIG_BRIDGE_NETFILTER diff --git a/extensions/xt_LOGMARK.c b/extensions/xt_LOGMARK.c index 3b12747..099b5e9 100644 --- a/extensions/xt_LOGMARK.c +++ b/extensions/xt_LOGMARK.c @@ -11,8 +11,9 @@ #include #include #include +#include #include -#include +//#include #include "compat_xtables.h" #include "xt_LOGMARK.h" @@ -27,7 +28,7 @@ logmark_tg(struct sk_buff *skb, const struct net_device *in, printk("<%u>%.*s""nfmark=0x%x secmark=0x%x classify=0x%x", info->level, (unsigned int)sizeof(info->prefix), info->prefix, - skb->mark, skb->secmark, skb->priority); + skb_nfmark(skb), skb->secmark, skb->priority); ct = nf_ct_get(skb, &ctinfo); if (ct == NULL) { diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c index 3109435..9c0d4e2 100644 --- a/extensions/xt_TARPIT.c +++ b/extensions/xt_TARPIT.c @@ -90,7 +90,7 @@ static inline void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook) /* This packet will not be the same as the other: clear nf fields */ nf_reset(nskb); - nskb->mark = 0; + skb_nfmark(nskb) = 0; skb_init_secmark(nskb); skb_shinfo(nskb)->gso_size = 0; @@ -132,9 +132,15 @@ static inline void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook) /* Adjust TCP checksum */ tcph->check = 0; +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20) + tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr, + niph->daddr, csum_partial((char *)tcph, + sizeof(struct tcphdr), 0)); +#else tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr, niph->daddr, csum_partial((char *)tcph, sizeof(struct tcphdr), 0)); +#endif /* Set DF, id = 0 */ niph->frag_off = htons(IP_DF); diff --git a/extensions/xt_portscan.c b/extensions/xt_portscan.c index d975c60..3e40e81 100644 --- a/extensions/xt_portscan.c +++ b/extensions/xt_portscan.c @@ -17,7 +17,7 @@ #include #include #include -#include +//#include #include "xt_portscan.h" #include "compat_xtables.h" #define PFX KBUILD_MODNAME ": " @@ -203,7 +203,7 @@ static bool portscan_mt(const struct sk_buff *skb, * it either when the connection is already VALID. */ if ((ctdata->mark & connmark_mask) == mark_valid || - (skb->mark & packet_mask) != mark_seen) { + (skb_nfmark(skb) & packet_mask) != mark_seen) { unsigned int n; n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate, @@ -211,8 +211,7 @@ static bool portscan_mt(const struct sk_buff *skb, skb->len - protoff - 4 * tcph->doff); ctdata->mark = (ctdata->mark & ~connmark_mask) | n; - ((struct sk_buff *)skb)->mark = - (skb->mark & ~packet_mask) ^ mark_seen; + skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen; } return (info->match_syn && ctdata->mark == mark_synscan) ||