Xtables-addons 2.15

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [2.14])
+AC_INIT([xtables-addons], [2.15])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])

doc/changelog.txt

@@ -1,8 +1,9 @@
 
-HEAD
+v2.15 (2021-02-05)
-====
+==================
 Enhancements:
 - support for Linux up to 4.15
+- xt_lscan: add --mirai option
 
 
 v2.14 (2017-11-22)

extensions/libxt_lscan.c

@@ -24,6 +24,7 @@ static const struct option lscan_mt_opts[] = {
 	{.name = "synscan", .has_arg = false, .val = 's'},
 	{.name = "cnscan",  .has_arg = false, .val = 'c'},
 	{.name = "grscan",  .has_arg = false, .val = 'g'},
+	{.name = "mirai",   .has_arg = false, .val = 'm'},
 	{NULL},
 };
 
@@ -35,7 +36,8 @@ static void lscan_mt_help(void)
 		"  --stealth    Match TCP Stealth packets\n"
 		"  --synscan    Match TCP SYN scans\n"
 		"  --cnscan     Match TCP Connect scans\n"
-		"  --grscan     Match Banner Grabbing scans\n");
+		"  --grscan     Match Banner Grabbing scans\n"
+		"  --mirai      Match TCP scan with ISN = dest. IP\n");
 }
 
 static int lscan_mt_parse(int c, char **argv, int invert,
@@ -45,16 +47,19 @@ static int lscan_mt_parse(int c, char **argv, int invert,
 
 	switch (c) {
 	case 'c':
-		info->match_cn = true;
+		info->match_fl3 |= LSCAN_FL3_CN;
 		return true;
 	case 'g':
-		info->match_gr = true;
+		info->match_fl4 |= LSCAN_FL4_GR;
+		return true;
+	case 'm':
+		info->match_fl1 |= LSCAN_FL1_MIRAI;
 		return true;
 	case 's':
-		info->match_syn = true;
+		info->match_fl2 |= LSCAN_FL2_SYN;
 		return true;
 	case 'x':
-		info->match_stealth = true;
+		info->match_fl1 |= LSCAN_FL1_STEALTH;
 		return true;
 	}
 	return false;
@@ -68,14 +73,16 @@ static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 
-	if (info->match_stealth)
+	if (info->match_fl1 & LSCAN_FL1_STEALTH)
 		printf(" --stealth ");
-	if (info->match_syn)
+	if (info->match_fl2 & LSCAN_FL2_SYN)
 		printf(" --synscan ");
-	if (info->match_cn)
+	if (info->match_fl3 & LSCAN_FL3_CN)
 		printf(" --cnscan ");
-	if (info->match_gr)
+	if (info->match_fl4 & LSCAN_FL4_GR)
 		printf(" --grscan ");
+	if (info->match_fl1 & LSCAN_FL1_MIRAI)
+		printf(" --mirai ");
 }
 
 static void lscan_mt_print(const void *ip,

extensions/libxt_lscan.man

@@ -27,6 +27,11 @@ warranted single-direction data flows, usually bulk data transfers such as
 FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
 ports where a protocol runs that is guaranteed to do a bidirectional exchange
 of bytes.
+.TP
+\fB\-\-mirai\fP
+Match if the TCP ISN is equal to the IPv4 destination address; this is used
+by the devices in the Mirai botnet as a form of TCP SYN scan, so you will
+have to explicitly specify --syn for the rule.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
 so be advised to carefully use xt_lscan in conjunction with blocking rules,

extensions/xt_lscan.c

@@ -175,6 +175,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 	enum ip_conntrack_info ctstate;
+	const struct iphdr *iph = ip_hdr(skb);
 	const struct tcphdr *tcph;
 	struct nf_conn *ctdata;
 	struct tcphdr tcph_buf;
@@ -182,10 +183,13 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	tcph = skb_header_pointer(skb, par->thoff, sizeof(tcph_buf), &tcph_buf);
 	if (tcph == NULL)
 		return false;
+	if (info->match_fl1 & LSCAN_FL1_MIRAI && iph != NULL &&
+	    iph->version == 4 && iph->daddr == tcph->seq)
+		return true;
 
 	/* Check for invalid packets: -m conntrack --ctstate INVALID */
 	if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
-		if (info->match_stealth)
+		if (info->match_fl1 & LSCAN_FL1_STEALTH)
 			return lscan_mt_stealth(tcph);
 		/*
 		 * If @ctdata is NULL, we cannot match the other scan
@@ -215,17 +219,19 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen;
 	}
 
-	return (info->match_syn && ctdata->mark == mark_synscan) ||
+	return (info->match_fl1 & LSCAN_FL1_STEALTH && ctdata->mark == mark_synscan) ||
-	       (info->match_cn && ctdata->mark == mark_cnscan) ||
+	       (info->match_fl3 & LSCAN_FL3_CN && ctdata->mark == mark_cnscan) ||
-	       (info->match_gr && ctdata->mark == mark_grscan);
+	       (info->match_fl4 & LSCAN_FL4_GR && ctdata->mark == mark_grscan);
 }
 
 static int lscan_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_lscan_mtinfo *info = par->matchinfo;
 
-	if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
+	if ((info->match_fl1 & ~(LSCAN_FL1_STEALTH | LSCAN_FL1_MIRAI)) ||
-	    (info->match_cn & ~1) || (info->match_gr & ~1)) {
+	    (info->match_fl2 & ~LSCAN_FL2_SYN) ||
+	    (info->match_fl3 & ~LSCAN_FL3_CN) ||
+	    (info->match_fl4 & ~LSCAN_FL4_GR)) {
 		printk(KERN_WARNING PFX "Invalid flags\n");
 		return -EINVAL;
 	}

extensions/xt_lscan.h

@@ -1,8 +1,16 @@
 #ifndef _LINUX_NETFILTER_XT_LSCAN_H
 #define _LINUX_NETFILTER_XT_LSCAN_H 1
 
+enum {
+	LSCAN_FL1_STEALTH = 1 << 0,
+	LSCAN_FL1_MIRAI   = 1 << 1,
+	LSCAN_FL2_SYN     = 1 << 0,
+	LSCAN_FL3_CN      = 1 << 0,
+	LSCAN_FL4_GR      = 1 << 0,
+};
+
 struct xt_lscan_mtinfo {
-	uint8_t match_stealth, match_syn, match_cn, match_gr;
+	uint8_t match_fl1, match_fl2, match_fl3, match_fl4;
 };
 
 #endif /* _LINUX_NETFILTER_XT_LSCAN_H */

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v2.14 (2017-11-22)"
+.TH xtables-addons 8 "" "" "v2.15 (2021-02-05)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets