Xtables-addons 1.37

Remove mention of netcat from the libxt_SYSRQ manpage.

configure.ac

@@ -1,5 +1,4 @@
-
-AC_INIT([xtables-addons], [1.36])
+AC_INIT([xtables-addons], [1.37])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_PROG_INSTALL
@@ -42,7 +41,7 @@ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
 
 if test -n "$kbuilddir"; then
 	AC_MSG_CHECKING([kernel version that we will build against])
-	krel="$(make -sC "$kbuilddir" M=. kernelrelease)";
+	krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease)";
 	kmajor="${krel%%[[^0-9]]*}";
 	kmajor="$(($kmajor+0))";
 	krel="${krel:${#kmajor}}";
@@ -65,7 +64,7 @@ if test -n "$kbuilddir"; then
 			echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
 		elif test "$kmajor" -eq 3; then
 			:;
-		elif test "$kmajor" -eq 2 -a "$kminor" -ge 29; then
+		elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29; then
 			:;
 		else
 			echo "WARNING: That kernel version is not supported.";

doc/changelog.txt

@@ -3,6 +3,14 @@ HEAD
 ====
 
 
+v1.37 (2011-06-25)
+==================
+Fixes:
+- xt_SYSRQ: make IPv6 trigger work again
+- xt_SYSRQ: improve security: include host address in digest
+- xt_TARPIT: fix a kernel oops in --reset mode
+
+
 v1.36 (2011-06-03)
 ==================
 Changes:

extensions/libxt_SYSRQ.man

@@ -36,6 +36,8 @@ The SYSRQ password can be changed through
 .IP
 echo \-n "password" >/sys/module/xt_SYSRQ/parameters/password
 .PP
+The module will not respond to sysrq requests until a password has been set.
+.PP
 Alternatively, the password may be specified at modprobe time, but this is
 insecure as people can possible see it through ps(1). You can use an option
 line in e.g. /etc/modprobe.d/xt_sysrq if it is properly guarded, that is, only
@@ -52,7 +54,7 @@ The xt_SYSRQ module is normally silent unless a successful request is received,
 but the \fIdebug\fP module parameter can be used to find exactly why a
 seemingly correct request is not being processed.
 .PP
-To trigger SYSRQ from a remote host, just use netcat or socat:
+To trigger SYSRQ from a remote host, just use socat:
 .PP
 .nf
 sysrq_key="s"  # the SysRq key(s)
@@ -60,12 +62,11 @@ password="password"
 seqno="$(date +%s)"
 salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
     openssl enc \-base64)"
+ipaddr=10.10.25.7
 req="$sysrq_key,$seqno,$salt"
-req="$req,$(echo \-n "$req,$password" | sha1sum | cut \-c1\-40)"
+req="$req,$(echo \-n "$req,$ipaddr,$password" | sha1sum | cut \-c1\-40)"
 
-echo "$req" | socat stdin udp\-sendto:10.10.25.7:9
-# or
-echo "$req" | netcat \-uw1 10.10.25.7 9
+echo "$req" | socat stdin udp\-sendto:$ipaddr:9
 .fi
 .PP
 See the Linux docs for possible sysrq keys. Important ones are: re(b)oot,
@@ -73,8 +74,10 @@ power(o)ff, (s)ync filesystems, (u)mount and remount readonly. More than one
 sysrq key can be used at once, but bear in mind that, for example, a sync may
 not complete before a subsequent reboot or poweroff.
 .PP
+An IPv4 address should have no leading zeros, an IPv6 address should
+be in the form recommended by RFC 5952.  The debug option will log the
+correct form of the address.
+.PP
 The hashing scheme should be enough to prevent mis-use of SYSRQ in many
 environments, but it is not perfect: take reasonable precautions to
-protect your machines.  Most importantly ensure that each machine has a
-different password; there is scant protection for a SYSRQ packet being
-applied to a machine that happens to have the same password.
+protect your machines.

extensions/xt_SYSRQ.c

@@ -4,6 +4,8 @@
  *
  *	Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
  *
+ *	Security additions John Haxby <john.haxby [at] oracle com>
+ *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License
  *	version 2 or 3 as published by the Free Software Foundation.
@@ -58,13 +60,13 @@ static char *sysrq_hexdigest;
  * is a series of sysrq requests; <seqno> is a sequence number that must be
  * greater than the last sequence number; <salt> is some random bytes; and
  * <hash> is the hash of everything up to and including the preceding ","
- * together with the password.
+ * together with "<dstaddr>,<password>".
  *
  * For example
  *
  *   salt=$RANDOM
  *   req="s,$(date +%s),$salt"
- *   echo "$req,$(echo -n $req,secret | sha1sum | cut -c1-40)"
+ *   echo "$req,$(echo -n $req,10.10.25.1,secret | sha1sum | cut -c1-40)"
  *
  * You will want a better salt and password than that though :-)
  */
@@ -121,7 +123,6 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
 	sg_init_table(sg, 2);
 #endif
 	sg_set_buf(&sg[0], data, n);
-	strcpy(sysrq_digest_password, sysrq_password);
 	i = strlen(sysrq_digest_password);
 	sg_set_buf(&sg[1], sysrq_digest_password, i);
 	ret = crypto_hash_digest(&desc, sg, n + i, sysrq_digest);
@@ -223,6 +224,8 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 		       ": " NIPQUAD_FMT ":%u -> :%u len=%u\n",
 		       NIPQUAD(iph->saddr), htons(udph->source),
 		       htons(udph->dest), len);
+	sprintf(sysrq_digest_password, NIPQUAD_FMT ",%s",
+	        NIPQUAD(iph->daddr), sysrq_password);
 	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
 
@@ -253,7 +256,9 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
 		       ": " NIP6_FMT ":%hu -> :%hu len=%u\n",
 		       NIP6(iph->saddr), ntohs(udph->source),
 		       ntohs(udph->dest), len);
-	return sysrq_tg(udph + sizeof(struct udphdr), len);
+	sprintf(sysrq_digest_password, NIP6_FMT ",%s",
+	        NIP6(iph->daddr), sysrq_password);
+	return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
 }
 #endif
 
@@ -340,7 +345,9 @@ static int __init sysrq_crypto_init(void)
 	sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
 	if (sysrq_hexdigest == NULL)
 		goto fail;
-	sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
+	sysrq_digest_password =
+	    kmalloc(sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255") +
+		    sizeof(sysrq_password), GFP_KERNEL);
 	if (sysrq_digest_password == NULL)
 		goto fail;
 	do_gettimeofday(&now);
@@ -376,6 +383,7 @@ module_init(sysrq_tg_init);
 module_exit(sysrq_tg_exit);
 MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("John Haxby <john.haxby@oracle.com");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_SYSRQ");
 MODULE_ALIAS("ip6t_SYSRQ");

extensions/xt_TARPIT.c

@@ -58,7 +58,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	struct sk_buff *nskb;
 	const struct iphdr *oldhdr;
 	struct iphdr *niph;
-	u_int16_t tmp;
+	uint16_t tmp, payload;
 
 	/* A truncated TCP header is not going to be useful */
 	if (oldskb->len < ip_hdrlen(oldskb) + sizeof(struct tcphdr))
@@ -69,29 +69,6 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	if (oth == NULL)
 		return;
 
-	if (mode == XTTARPIT_TARPIT) {
-		/* No replies for RST, FIN or !SYN,!ACK */
-		if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
-			return;
-#if 0
-		/* Rate-limit replies to !SYN,ACKs */
-		if (!oth->syn && oth->ack)
-			if (!xrlim_allow(rt_dst(ort), HZ))
-				return;
-#endif
-	} else  if (mode == XTTARPIT_HONEYPOT) {
-		/* Do not answer any resets regardless of combination */
-		if (oth->rst || oth->seq == 0xDEADBEEF)
-			return;
-	} else if (mode == XTTARPIT_RESET) {
-		tcph->window = 0;
-		tcph->ack = false;
-		tcph->syn = false;
-		tcph->rst = true;
-		tcph->seq = oth->ack_seq;
-		tcph->ack_seq = oth->seq;
-	}
-
 	/* Check checksum. */
 	if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
 		return;
@@ -127,6 +104,9 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	tcph->source = tcph->dest;
 	tcph->dest   = tmp;
 
+	/* Calculate payload size?? */
+	payload = nskb->len - ip_hdrlen(nskb) - sizeof(struct tcphdr);
+
 	/* Truncate to length (no data) */
 	tcph->doff    = sizeof(struct tcphdr) / 4;
 	skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
@@ -136,7 +116,9 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	((u_int8_t *)tcph)[13] = 0;
 
 	if (mode == XTTARPIT_TARPIT) {
-		/* Use supplied sequence number or make a new one */
+		/* No replies for RST, FIN or !SYN,!ACK */
+		if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
+			return;
 		tcph->seq = oth->ack ? oth->ack_seq : 0;
 
 		/* Our SYN-ACKs must have a >0 window */
@@ -149,7 +131,16 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 			tcph->ack     = true;
 			tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
 		}
+#if 0
+		/* Rate-limit replies to !SYN,ACKs */
+		if (!oth->syn && oth->ack)
+			if (!xrlim_allow(rt_dst(ort), HZ))
+				return;
+#endif
 	} else if (mode == XTTARPIT_HONEYPOT) {
+		/* Do not answer any resets regardless of combination */
+		if (oth->rst || oth->seq == 0xDEADBEEF)
+			return;
 		/* Send a reset to scanners. They like that. */
 		if (oth->syn && oth->ack) {
 			tcph->window  = 0;
@@ -159,23 +150,29 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 			tcph->seq     = oth->ack_seq;
 			tcph->rst     = true;
 		}
+
 		/* SYN > SYN-ACK */
 		if (oth->syn && !oth->ack) {
 			tcph->syn     = true;
 			tcph->ack     = true;
-			tcph->window  = oth->window;
-			tcph->ack_seq = oth->seq;
-			tcph->seq     = htonl(net_random() | ~oth->seq);
+			tcph->window  = oth->window &
+			                ((net_random() & 0x1f) - 0xf);
+			tcph->seq     = htonl(net_random() & ~oth->seq);
+			tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
 		}
+
 		/* ACK > ACK */
-		if (oth->ack && !oth->fin && !oth->syn) {
+		if (oth->ack && (!(oth->fin || oth->syn))) {
 			tcph->syn     = false;
 			tcph->ack     = true;
 			tcph->window  = oth->window &
 			                ((net_random() & 0x1f) - 0xf);
-			tcph->ack_seq = htonl(ntohl(oth->seq) + 1);
+			tcph->ack_seq = payload > 100 ?
+			                htonl(ntohl(oth->seq) + payload) :
+			                oth->seq;
 			tcph->seq     = oth->ack_seq;
 		}
+
 		/*
 		 * FIN > RST.
 		 * We cannot terminate gracefully so just be abrupt.
@@ -188,6 +185,13 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 			tcph->ack     = false;
 			tcph->rst     = true;
 		}
+	} else if (mode == XTTARPIT_RESET) {
+		tcph->window  = 0;
+		tcph->ack     = false;
+		tcph->syn     = false;
+		tcph->rst     = true;
+		tcph->seq     = oth->ack_seq;
+		tcph->ack_seq = oth->seq;
 	}
 
 	/* Adjust TCP checksum */
@@ -204,7 +208,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 
 	/* Set DF, id = 0 */
 	niph->frag_off = htons(IP_DF);
-	if (mode == XTTARPIT_TARPIT)
+	if (mode == XTTARPIT_TARPIT || mode == XTTARPIT_RESET)
 		niph->id = 0;
 	else if (mode == XTTARPIT_HONEYPOT)
 		niph->id = ~oldhdr->id + 1;
@@ -225,7 +229,10 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	nskb->ip_summed = CHECKSUM_NONE;
 
 	/* Adjust IP TTL */
-	niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
+	if (mode == XTTARPIT_HONEYPOT)
+		niph->ttl = 128;
+	else
+		niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
 
 	/* Adjust IP checksum */
 	niph->check = 0;

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.36 (2011-06-03)" "" "v1.36 (2011-06-03)"
+.TH xtables-addons 8 "v1.37 (2011-06-25)" "" "v1.37 (2011-06-25)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets