The xt_SYSRQ hash now includes the destination IPv4 or IPv6 address
which makes it harder to replay a request to many different machines
in the hope that some of them are using the same password.
1. Moved misplaced code that was causing kernel oops in reset mode.
2. Added payload size calc to honeypot mode, so ack sequence may ACK
the length of client's sent payload packets correctly.
3. Modified TTL for honeypot mode so we look more like a Windows
machine.
I would like to move forward a bit, and today, two issues prompted
me to start removing old code:
* make 3.82 does not like mixing normal rules with implicit rules,
which rejects Makefiles of Linux kernels before 2.6.34.
* xt_DNETMAP uses functionality not available before 2.6.29.
This patch adds a module which is useful to users of grsecurity's RBAC
system. It matches packets based on whether RBAC is enabled or
disabled.
See: http://grsecurity.net/
Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>
Jan Engelhardt> Also, I do not see a xt_gradm.c in this patch.
This [xt_gradm.c] is part of the grsecurity patch which not only adds
the Xtables code, but also the RBAC code. Without the entire RBAC
stuff, xt_gradm does not make sense and so it is included with the
grsecurity patch to the kernel, and not this patch to Xtables-addons.
>Can you elaborate a bit on how this is useful in conjunction with
>rulesets? I could imagine it be used with LSM selctx'es for example,
>or another extension that tests for other RBAC attributes.
The idea here is that when the RBAC rulesets are not being enforced,
the system is more vulnerable and the user wants stricter firewall
rules. When RBAC is being enforced, one can relax the firewall and
access to services which are now better protected. In practice this
usually means allowing only access to some trusted IP(s) on boot
before RBAC is turned on.
