Because most users will probably only use IPv4 psd, allocate most of the
state6 storage when the first IPv6 psd rule is added, and not at module
load time via .bss.
If we saw a TCP packet on port X, and we receive a UDP packet from the
same host to port X, we counted this as "port X", and did not see this
as a new packet.
Change compare to also consider protocol number and move it to a helper
to de-bloat the overlay large match function.
This change makes psd more aggressive with mixed TCP/UDP traffic.
Upstream commit v3.5-rc1~109^2~138^2~4 ("netfilter: ip6_tables: add
flags parameter to ipv6_find_hdr()") changed the offset parameter of
ipv6_find_hdr() to be an input-output value. Moreover, if it is
non-zero, it MUST point to a valid IPv6 header embedded in the
packet.
Adds fragment offset arg to ipv6_skip_exthdr() and also removes usage
of ipv6_addr_copy() in favor or direct assignment.
Signed-off-by: Josh Hunt <johunt@akamai.com>
This adds IPv6 support for the tarpit target. It performs the same
functionality as the v4 version, but with IPv6 connections.
Signed-off-by: Josh Hunt <johunt@akamai.com>
Creates a generic function to perform the tcp header manipulation in.
Done in preparation for IPv6 support. This allows us to share code
between v4 and v6 processing.
Signed-off-by: Josh Hunt <johunt@akamai.com>
xt_ECHO fails to build on PPC because csum_ipv6_magic is declared in
<net/ip6_checksum.h>, which is not implicitly included from other
headers on PPC causing build failures due to this function being
undefined. So, include this header explicitly.
Note: Same cause as <http://bugzilla.netfilter.org/show_bug.cgi?id=307>.
xt_DNETMAP.c: In function 'dnetmap_tg_proc_write':
xt_DNETMAP.c:703:3: error: implicit declaration of function 'in4_pton'
[-Werror=implicit-function-declaration]
psd multiplies weight_thresh by HZ, so it could overflow.
Userspace libxt_psd refuses values exceeding PSD_MAX_RATE, so check
that on kernel side, too.
Also, setting 0 weight for both privileged and highports will cause
psd to never match at all.
Reject 0 weight threshold, too because it makes no sense (triggers
match for every initial packet).
scanlogd remembers tcp flags and uses the *_CHANGING values in its
logger function to determine the best log format to use (e.g. TTL is
not logged if HF_TTL_CHANGING was set, as TTL values were different).
As psd does not log at all, we do not need track this.
Also get rid of bogus/misleading comments.
