Jan Engelhardt
6de54e5fcd
pknock: shrink struct peer
2009-10-12 17:01:10 +02:00
Jan Rafaj
a921427746
pknock: display only pknock mode and state relevant information in procfs
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
2009-10-12 16:58:31 +02:00
Jan Rafaj
2b2b6246f0
pknock: Make non-zero time mandatory for TCP mode
This avoids DDoS on the first-in-sequence TCP knockport, which would
otherwise fill up the peer table permanently - especially if the user
does not specify --autoclose - and would thus cause permanent pknock
DoS.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
2009-10-12 01:24:41 +02:00
Jan Engelhardt
98e5dfd6ef
pknock: remove some #ifdef PK_CRYPTO guards
A number of guarded places do not use any crypto functions. So the
userspace does not pass in an info with --opensecret/--closesecret
defined.
2009-10-12 01:21:26 +02:00
Jan Rafaj
9e5c2e7ee9
pknock: implement automatic closing
Added the optional "--autoclose" parameter (takes minutes) that
closes the pknock-opened rule in a specified time.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
2009-10-12 01:13:00 +02:00
Jan Rafaj
284c0e9493
pknock: provide better help text for --time option
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
2009-10-12 00:58:32 +02:00
Jan Engelhardt
5284b5db92
pknock: remove redundant final check for any-option
Just below the check that was just removed, the presence of --name is
tested for, as --name is always required. That makes the (flags == 0)
check superfluous, because non-zeroness is ensured by the name check.
2009-10-12 00:56:55 +02:00
Jan Rafaj
36035d52d3
pknock: purge void --secure option from help text
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
2009-10-12 00:51:41 +02:00
Jan Engelhardt
4d94687c15
pknock: use C99 initializers for pknock_mt_opts
2009-10-12 00:50:55 +02:00
Jan Engelhardt
7070678ab4
pknock: remove redundant --chkip parameter
Similar to commit v1.18-56-g35b00f8, one option for one thing
really is enough.
2009-10-12 00:48:37 +02:00
Jan Rafaj
f6281d498c
pknock: use kernel's get_seconds() directly instead of wrapper
Use kernel's get_seconds() directly instead of the
get_epoch_minute() wrapper.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
2009-10-12 00:46:02 +02:00
Jan Rafaj
2cab32596a
pknock: replace id_port_knocked with accepted_knock_count
Gives a better sense of the member's use.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
2009-10-12 00:43:50 +02:00
Jan Rafaj
08f6a82bdc
pknock: avoid fillup of peer table during DDoS
In TCP --strict mode, forget the peer which sent the wrong knock in a
sequence, rather than resetting its status to ST_INIT. This avoids
filling up the peer table (which would lead to pknock DoS) in case of
a DDoS attack performed by a set of port-scanning malicious hosts.
2009-10-11 01:48:20 +02:00
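The two table-exhaustion commits above (forgetting a peer on a wrong knock in --strict mode, and refusing a zero --time in TCP mode) are easier to reason about against a model. The following is an added example written for this page, not xtables-addons or pknock code: a minimal peer table with a knock sequence, garbage collection, and a `forget_on_wrong_knock` switch that contrasts the old reset-to-ST_INIT behaviour with the fix. `struct rule`, `pknock_knock`, `peer_gc`, `simulate`, the tiny `MAX_PEERS`, and the 10.0.0.x / 192.168.0.1 addresses are all assumptions chosen for illustration.

```c
/* Added example, not xtables-addons code: a minimal model of a pknock peer
 * table in TCP --strict mode. struct rule, pknock_knock, peer_gc, MAX_PEERS
 * and all addresses are assumptions made for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MAX_PEERS 4                  /* tiny so exhaustion shows quickly */
enum peer_state { ST_INIT, ST_MATCHING, ST_ALLOWED };

struct peer {
	bool in_use;
	uint32_t ip;
	unsigned accepted_knock_count;
	unsigned long last_knock;        /* seconds of the last accepted knock */
	enum peer_state state;
};

struct rule {
	uint16_t seq[4];
	unsigned seq_len;
	unsigned long max_time;          /* --time in seconds; 0 = peers never expire */
	bool forget_on_wrong_knock;      /* true = the fix; false = reset to ST_INIT */
	struct peer peers[MAX_PEERS];
};

/* Find ip's peer; if absent and may_add, take a free slot (NULL if none). */
static struct peer *lookup_peer(struct rule *r, uint32_t ip, unsigned long now, bool may_add)
{
	struct peer *slot = NULL;
	for (unsigned i = 0; i < MAX_PEERS; ++i) {
		struct peer *p = &r->peers[i];
		if (p->in_use && p->ip == ip)
			return p;
		if (!p->in_use && slot == NULL)
			slot = p;
	}
	if (!may_add || slot == NULL)
		return NULL;
	memset(slot, 0, sizeof(*slot));
	slot->in_use = true;
	slot->ip = ip;
	slot->last_knock = now;
	return slot;
}

unsigned peer_count(const struct rule *r)
{
	unsigned n = 0;
	for (unsigned i = 0; i < MAX_PEERS; ++i)
		n += r->peers[i].in_use;
	return n;
}

/* Drop peers silent for longer than max_time. With max_time == 0 nothing
 * expires, which is why a zero --time has to be refused in TCP mode. */
void peer_gc(struct rule *r, unsigned long now)
{
	if (r->max_time == 0)
		return;
	for (unsigned i = 0; i < MAX_PEERS; ++i) {
		struct peer *p = &r->peers[i];
		if (p->in_use && p->state != ST_ALLOWED && now - p->last_knock > r->max_time)
			p->in_use = false;
	}
}

/* One knock from ip on port; returns true once the whole sequence is done. */
bool pknock_knock(struct rule *r, uint32_t ip, uint16_t port, unsigned long now)
{
	struct peer *p = lookup_peer(r, ip, now, port == r->seq[0]);
	if (p == NULL)
		return false;                /* stray port, or table exhausted */
	if (p->state == ST_ALLOWED)
		return true;
	if (port == r->seq[p->accepted_knock_count]) {
		p->last_knock = now;
		p->state = ++p->accepted_knock_count == r->seq_len ? ST_ALLOWED : ST_MATCHING;
		return p->state == ST_ALLOWED;
	}
	if (r->forget_on_wrong_knock) {  /* wrong port mid-sequence */
		p->in_use = false;           /* slot freed at once */
	} else {
		p->accepted_knock_count = 0; /* old behaviour: slot stays taken until peer_gc */
		p->state = ST_INIT;
	}
	return false;
}

struct scan_result { unsigned occupied; bool legit_allowed; };

/* Constructed scenario: `scanners` hosts each send the first knock then a wrong
 * port, peer_gc runs at gc_at, then one legitimate host knocks the sequence. */
struct scan_result simulate(bool forget_on_wrong_knock, unsigned long max_time,
                            unsigned scanners, unsigned long gc_at)
{
	struct rule r = { .seq = {1000, 2000, 3000}, .seq_len = 3, .max_time = max_time,
	                  .forget_on_wrong_knock = forget_on_wrong_knock };
	struct scan_result res = { 0, false };
	for (unsigned i = 0; i < scanners; ++i) {
		pknock_knock(&r, 0x0a000001u + i, 1000, 10);  /* 10.0.0.x scanners */
		pknock_knock(&r, 0x0a000001u + i, 4444, 11);
	}
	peer_gc(&r, gc_at);
	res.occupied = peer_count(&r);
	for (unsigned i = 0; i < r.seq_len; ++i)             /* 192.168.0.1 legit */
		res.legit_allowed = pknock_knock(&r, 0xc0a80001u, r.seq[i], gc_at + i);
	return res;
}
```

With ten scanners against four slots, the old behaviour and a zero `max_time` leave the table full forever and lock the legitimate host out; forgetting the peer on the wrong knock keeps the table empty, and a non-zero `max_time` at least lets `peer_gc` reclaim the slots once the scanners go quiet.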
Jan Engelhardt
82a8524f1a
pknock: add CONNECTOR guards
2009-10-09 18:15:27 +02:00
Jan Engelhardt
6bb354d3f0
pknock: add Kconfig file
2009-10-09 18:11:49 +02:00
Jan Engelhardt
5184176c3b
pknock: move into separate directory
There will be a number of pknock-related tools, e.g. the trigger
programs, so move that out to its own directory.
2009-10-09 17:50:05 +02:00
Jan Engelhardt
430723ece1
ipp2p: try to address underflows
Report by: Christian Blum <chrblum@users.sourceforge.net>
"I have found that they panic in an interrupt within xt_ipp2p, function
search_all_gnu(). It's a bounds checking problem; when I add this [a
check for plen >= 65535] at the beginning [of the function] the
servers run fine (very similar to find_all_kazaa())."
2009-10-08 17:26:36 +02:00
Jan Engelhardt
f1dc7f960c
pknock: peer can never be NULL in the hash iterator
Given that pos is non-NULL, list_entry won't make it NULL.
2009-10-07 23:59:44 +02:00
Jan Engelhardt
370f47b000
pknock: reduce indent in remove_rule
2009-10-07 23:59:05 +02:00
Jan Engelhardt
8e812620f0
pknock: avoid crash on memory allocation failure and fix memleak
If rule->peer_head==NULL due to an unsuccessful allocation, peer_gc
(and perhaps other places) may crash when they try to access it.
Since I see no deferred retry for allocation, the only option is to
fail in add_rule, clean it up, and return false instead.
Independent of that problem, it also needs to free peer_head in case
the status_proc allocation fails.
2009-10-07 01:12:03 +02:00
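The allocate-everything-or-fail pattern this commit describes (fail in add_rule, undo what was already allocated, return false; and free peer_head when the status_proc allocation fails) is shown below as an added example, not the pknock code. The fault-injecting allocator `xalloc`, `struct rule` with only the two members the commit mentions, `add_rule`, `remove_rule` and the scenario helpers are assumptions for illustration; the real module uses kernel allocators and procfs.

```c
/* Added example, not the pknock code: all-or-nothing allocation in add_rule
 * with a fault-injecting allocator so every failure path is exercised. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
struct rule {
	char name[32];
	struct list_head *peer_head;   /* peer hash buckets */
	void *status_proc;             /* stands in for the procfs entry */
};

static int fail_at;                /* fail the N-th allocation (1-based); 0 = never */
static int alloc_calls, live_allocs;

static void *xalloc(size_t n)
{
	if (++alloc_calls == fail_at)
		return NULL;
	++live_allocs;
	return calloc(1, n);
}

static void xfree(void *p)
{
	if (p != NULL) {
		--live_allocs;
		free(p);
	}
}

/* Create a rule; on any failure nothing is left allocated and *out is NULL. */
bool add_rule(struct rule **out, const char *name, unsigned buckets)
{
	struct rule *rule = xalloc(sizeof(*rule));
	if (rule == NULL)
		goto fail;
	strncpy(rule->name, name, sizeof(rule->name) - 1);
	rule->peer_head = xalloc(buckets * sizeof(*rule->peer_head));
	if (rule->peer_head == NULL)
		goto out_rule;
	for (unsigned i = 0; i < buckets; ++i)
		rule->peer_head[i].next = rule->peer_head[i].prev = &rule->peer_head[i];
	rule->status_proc = xalloc(64);
	if (rule->status_proc == NULL)
		goto out_peers;            /* the leak the commit fixes: peer_head must go too */
	*out = rule;
	return true;
out_peers:
	xfree(rule->peer_head);
out_rule:
	xfree(rule);
fail:
	*out = NULL;
	return false;
}

void remove_rule(struct rule *rule)
{
	xfree(rule->status_proc);
	xfree(rule->peer_head);
	xfree(rule);
}

/* Run add_rule with the N-th allocation failing; returns outstanding allocations
 * after teardown (0 = no leak) and reports whether the rule was created. */
static int run_scenario(int fail_nth, bool *created)
{
	struct rule *rule = NULL;
	fail_at = fail_nth;
	alloc_calls = live_allocs = 0;
	*created = add_rule(&rule, "ssh-knock", 16);
	if (*created)
		remove_rule(rule);
	return live_allocs;
}

int leaks_when_failing(int fail_nth)
{
	bool created;
	return run_scenario(fail_nth, &created);
}

bool rule_created_when_failing(int fail_nth)
{
	bool created;
	run_scenario(fail_nth, &created);
	return created;
}
```

Allocation 3 is the status_proc one; without the `out_peers` label the third scenario would report one outstanding allocation, which is exactly the peer_head leak the commit message describes.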
Jan Engelhardt
204b612e23
pknock: add_rule must happen after info struct checks
This avoids unnecessarily creating pknock rules if there is an error
with any of the match parameters.
2009-10-07 01:12:03 +02:00
Jan Engelhardt
c2c86f4b3d
pknock: remove old-style intraposition negation support
2009-10-07 01:12:03 +02:00
Jan Engelhardt
379e685b0f
doc: update changelog
Sometimes I forget to adjust it with the particular commit and then
this piles up a little...
2009-10-07 00:10:45 +02:00
Jan Engelhardt
69dd0686e2
doc: remove --with-ksource from help text
--with-ksource should almost never be needed, so do not visibly
offer it.
2009-10-07 00:07:24 +02:00
Jan Engelhardt
48325a209e
build: support for Linux 2.6.32
2009-10-07 00:02:56 +02:00
Jan Engelhardt
96f501ab89
ACCOUNT: move Kconfig file
2009-10-06 23:56:38 +02:00
Jan Engelhardt
3c1bf73e8e
ACCOUNT: mark reg structure __read_mostly
2009-10-06 23:42:48 +02:00
Jan Rafaj
e0276b4875
pknock: disallow running peer_gc too early
It is no longer possible to specify gc_expir_time with a time lower
than its default value (65000 msecs). This is to avoid running
peer_gc() earlier than 1 minute [well, 65 s actually] in the future,
which would otherwise render anti-spoof protection in SPA mode
non-functional.
2009-10-04 21:00:04 +02:00
Jan Rafaj
1bc7f1be67
pknock: add module parameter descriptions
2009-10-04 21:00:04 +02:00
Jan Engelhardt
3c3adcbd07
pknock: remove some extraneous messages and source lines
- $Id$ in a comment is pointless.
- remove unneeded/commented-out includes.
- remove warning messages on allocation failure
(if that happens it is almost too late anyway;
not wanting to spam the logs)
- remove warning messages about unhandled packets
(attacker filling up logs)
2009-10-04 21:00:01 +02:00
Jan Engelhardt
da6a9b932c
pknock: use NIPQUAD_FMT
2009-10-04 00:42:13 +02:00
Jan Engelhardt
5f290cd4a0
pknock: mark peer address as __be32
Since the address is now stored in its original network byte order,
let's annotate that this is indeed the case.
2009-10-04 00:42:13 +02:00
Jan Rafaj
181a9cab43
pknock: store peer address in network byte order
The conversions from and to host order can be saved, as nothing
really depends on them.
2009-10-04 00:42:13 +02:00
Jan Rafaj
a819458cba
pknock: do call sg_init_table
2009-10-04 00:42:13 +02:00
Jan Engelhardt
654862af21
pknock: use more efficient method to obtain seconds
2009-10-04 00:42:13 +02:00
Jan Rafaj
0d8ae29a60
pknock: "strict" and "checkip" flags were not displayed in iptables -L
2009-10-04 00:42:13 +02:00
Jan Engelhardt
e05a4d9586
pknock: use sizeof() where meaningful
2009-10-04 00:42:11 +02:00
Jan Engelhardt
0541154a5e
doc: properly escape non-hyphens
2009-10-03 21:41:29 +02:00
Jan Rafaj
00199427ac
pknock: rename symbols in libxt_pknock
2009-10-03 13:30:56 +02:00
Jan Engelhardt
35b00f8c3f
pknock: remove redundant --t parameter
One can already specify --t on the command line as a synonym for
--time because getopt already allows unambiguous abbreviations.
2009-10-03 13:08:26 +02:00
Jan Engelhardt
1f3150bdf9
pknock: remove trailing whitespace
2009-10-03 01:43:00 +02:00
Jan Engelhardt
13c73af796
pknock: remove unneeded braces
2009-10-03 01:26:31 +02:00
Jan Engelhardt
ba9a3efec1
pknock: use preincrements where possible
Preincrements are much less error-prone and do not even need extra
parentheses.
2009-10-03 01:26:31 +02:00
Jan Engelhardt
f474c7d4d4
pknock: rename IPT_PKNOCK_* -> XT_PKNOCK_*
2009-10-03 01:26:31 +02:00
Jan Engelhardt
4a350ddd03
pknock: move more kernel parts from include file to .c
All of this does not seem to have a userspace part.
2009-10-03 01:26:31 +02:00
Jan Engelhardt
628d137f12
pknock: rename struct ipt_pknock -> xt_pknock_mtinfo
Streamline symbols; use xt_*_mtinfo as other modules do.
2009-10-03 01:26:31 +02:00
Jan Engelhardt
28ecf45548
pknock: redo inline hints
The compiler is usually smart enough to decide this on its own.
Some functions however do not warrant even the hint keyword.
2009-10-03 01:26:31 +02:00
Jan Engelhardt
58839b9b86
pknock: use bools for two-state ints
2009-10-03 01:26:31 +02:00
Jan Engelhardt
e436948ebd
pknock: use explicit tests for non-bool types
2009-10-03 01:26:30 +02:00
Jan Engelhardt
79d54ebd7c
pknock: split long instructions, esp. allocations in if()
2009-10-03 01:26:28 +02:00