anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-20 19:44:56 +02:00
Code Issues Releases Wiki Activity

Compare commits

base: anonfunc:v1.42
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0
...
compare: anonfunc:demos
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0

98 Commits
v1.42 ... demos

Author SHA1 Message Date
Jan Engelhardt
867a920fd7 ipaddr match (from "Writing your own Netfilter module" PDF) 2012-12-27 08:01:22 +01:00
Jan Engelhardt
48ebf55444 Xtables-addons 2.1 2012-12-27 08:01:00 +01:00
Jan Engelhardt
57c3cc1722 build: support for Linux 3.8 2012-12-27 07:59:34 +01:00
Jan Engelhardt
29141b6e95 xt_DNETMAP: fix compile error with Linux 3.7 2012-12-21 05:45:15 +01:00
Jan Engelhardt
cdac8506c3 Xtables-addons 2.0 
I have been thinking quite a while when to drop support for old
versions. The changes in Linux kernel 3.7 in nf_nat prompted me to
make the cut here, to throw out most of the backwards-compatibility
code and start mostly blank. As future kernels will be released and
supported, no doubt will new code to work with those releases be
added.

If you run with an older kernel, continue to use the Xtables-addons
1.x series.
 2012-11-12 21:47:14 +01:00
Jan Engelhardt
5494bc40f4 Merge branch 'maint' into newage 2012-11-12 19:01:31 +01:00
Jan Engelhardt
bcdb7ed4e9 Update my email address 
To ... none! Whatever is recent is in the git log.
 2012-11-12 19:01:14 +01:00
Jan Engelhardt
1ed86c6bbd build: remove support for Linux 3.6 / switch xt_DNETMAP to nf_nat 2012-11-12 18:42:11 +01:00
Jan Engelhardt
2a5f1099c8 build: remove support for Linux 3.5 2012-11-12 18:31:33 +01:00
Jan Engelhardt
c243c78af4 build: remove support for Linux 3.4 2012-11-12 18:31:28 +01:00
Jan Engelhardt
91da2a0dbd build: remove support for Linux 3.3 2012-11-12 18:31:22 +01:00
Jan Engelhardt
a160a2aa36 build: remove support for Linux 3.2 2012-11-12 18:31:16 +01:00
Jan Engelhardt
b25e96fd49 build: remove support for Linux 3.1 2012-11-12 18:31:08 +01:00
Jan Engelhardt
6d74f76a29 build: remove support for Linux 3.0 2012-11-12 18:31:03 +01:00
Jan Engelhardt
78e47758c6 build: remove support for Linux 2.6.39 2012-11-12 18:30:49 +01:00
Jan Engelhardt
bcdd42f556 build: remove support for Linux 2.6.38 2012-11-12 18:30:42 +01:00
Jan Engelhardt
acf92ff914 build: remove support for Linux 2.6.37 2012-11-12 18:30:36 +01:00
Jan Engelhardt
0e845bf23f build: remove support for Linux 2.6.36 2012-11-12 18:30:30 +01:00
Jan Engelhardt
158e6a26eb xt_CHECKSUM: remove the module 
This is available in upstream Linux 2.6.36+.
 2012-11-12 18:30:20 +01:00
Jan Engelhardt
693c32f414 build: remove support for Linux 2.6.35 2012-11-12 18:30:19 +01:00
Jan Engelhardt
3e337562d7 xt_TEE: remove the module 
This is available in upstream Linux 2.6.35+.
 2012-11-12 18:30:09 +01:00
Jan Engelhardt
bb25bc08c4 build: remove support for Linux 2.6.34 2012-11-12 18:30:08 +01:00
Jan Engelhardt
ea3e4b2ed5 build: remove support for Linux 2.6.33 2012-11-12 18:30:01 +01:00
Jan Engelhardt
557af2177f build: remove support for Linux 2.6.32 2012-11-12 18:29:53 +01:00
Jan Engelhardt
60f5239630 build: remove support for Linux 2.6.31 2012-10-16 04:16:57 +02:00
Jan Engelhardt
3ba7d8c3a9 build: remove support for Linux 2.6.30 2012-10-16 04:16:57 +02:00
Jan Engelhardt
28d12faba8 build: remove support for Linux 2.6.29 2012-10-16 04:16:57 +02:00
Jan Engelhardt
cf7a3d4342 build: remove support for Linux 2.6.28 2012-10-16 04:16:57 +02:00
Jan Engelhardt
fabad77f8f build: remove support for Linux 2.6.27 2012-10-16 04:16:57 +02:00
Jan Engelhardt
5e020d380c build: remove support for Linux 2.6.26 2012-10-16 04:16:57 +02:00
Jan Engelhardt
a7fbf4f4de build: remove support for Linux 2.6.25 2012-10-16 04:16:57 +02:00
Jan Engelhardt
4137f6c111 build: remove support for Linux 2.6.24 2012-10-16 04:16:57 +02:00
Jan Engelhardt
04d8ebe31c build: remove support for Linux 2.6.23 2012-10-16 04:16:56 +02:00
Jan Engelhardt
6ab4c02a54 build: remove support for Linux 2.6.22 2012-10-16 04:16:56 +02:00
Jan Engelhardt
a66e4510b8 build: remove support for Linux 2.6.21 2012-10-16 02:36:14 +02:00
Jan Engelhardt
31aebc134e build: remove support for Linux 2.6.20 2012-10-16 02:36:10 +02:00
Jan Engelhardt
e640a15ec9 build: remove support for Linux 2.6.19 2012-10-16 02:36:06 +02:00
Jan Engelhardt
66f213e324 build: remove support for Linux 2.6.18 2012-10-16 02:36:02 +02:00
Jan Engelhardt
0dcc56bc62 build: remove support for Linux 2.6.17 2012-10-16 02:35:57 +02:00
Jan Engelhardt
8db01220fd Xtables-addons 1.47.1 2012-10-15 21:29:22 +02:00
Jan Engelhardt
95ff9a2de3 build: resolve compiler error 
extensions/xt_psd.c:141:2: error: implicit declaration of function
'vmalloc' [-Werror=implicit-function-declaration]
 2012-10-15 21:15:25 +02:00
Jan Engelhardt
2f1e094125 Xtables-addons 1.47 2012-10-15 20:03:02 +02:00
Jan Engelhardt
37b000182f xt_psd: replace vzalloc by vmalloc+memset 
The lower support boundary is currently 2.6.32, but vzalloc is only
available since 2.6.37.
 2012-10-15 20:02:43 +02:00
Jan Engelhardt
255a310536 Merge branch 'psd' 2012-09-18 07:33:00 +02:00
Florian Westphal
3a6e73e986 xt_psd: add IPv6 support 
Because most users will probably only use IPv4 psd, allocate most of the
state6 storage when the first IPv6 psd rule is added, and not at module
load time via .bss.
 2012-09-18 03:33:37 +02:00
Florian Westphal
0a97126f5b xt_psd: move IPv4 state locking responsibility to caller 
The former psd_match function is now < 72 lines.
 2012-09-18 02:53:02 +02:00
Florian Westphal
2ba833fe47 xt_psd: move L4 header fetching into helper 
Also start splitting psd_match into two functions, one to do initial
sanity checking and header retrieval, one to do the actual work.
 2012-09-18 02:47:30 +02:00
Florian Westphal
77240e0918 xt_psd: use tcph->dest directly 
This allows us to move more code away from the main match function.
 2012-09-18 02:45:17 +02:00
Florian Westphal
651e60f8d7 xt_psd: move table cleanup into helper 2012-09-18 02:43:04 +02:00
Florian Westphal
54ac2a899a xt_psd: split struct host into generic and AF-dependent structure 2012-09-18 02:42:22 +02:00
Florian Westphal
61d2be172d xt_psd: remove unneeded variables, make hash unsigned 
- dest port and dest address were only written, never read
- struct inaddr isn't needed either, just look at iph->saddr
 2012-09-18 02:41:15 +02:00
Florian Westphal
093f3b0a97 xt_psd: move match functionality to helpers 
Reduce line count and to allow code reuse when IPv6 support will be
introduced.
 2012-09-17 04:44:29 +02:00
Florian Westphal
57d25f22f1 xt_psd: avoid if (c=h) do {..} while (c = c->next) 
It is aquivalent to c=h; while (c) { ..; c = c->next; }
which is a bit easier to read.
 2012-09-17 04:42:56 +02:00
Florian Westphal
2f18ab31ec xt_psd: move parts of main match function to helpers 
The match function is way too large, start to split this into smaller
chunks.
 2012-09-17 00:02:49 +02:00
Florian Westphal
12d0a8702c xt_psd: consider protocol when searching port list 
If we saw a TCP packet on port X, and we receive a UDP packet from the
same host to port X, we counted this as "port X", and did not see this
as a new packet.

Change compare to also consider protocol number and move it to a helper
to de-bloat the overlay large match function.

This change makes psd more aggressive with mixed TCP/UDP traffic.
 2012-09-17 00:02:45 +02:00
Jan Engelhardt
35ce1adf5e Xtables-addons 1.46 2012-08-23 15:54:21 +02:00
Jan Engelhardt
e5fe0b9c14 doc: update xt_SYSRQ.man to reflect that the full IPv6 address is needed 
xt_SYSRQ uses NIP6_FMT, so requires the expanded form for the digest.

Reported-by: Jan Krcmar <honza801@gmail.com>
 2012-08-23 15:27:23 +02:00
Arif Hossain
cd7fc84b29 build: remove extraneous closing bracket in configure.ac 
Now autogen.sh will work without complaints.
 2012-08-02 17:49:40 +02:00
Josh Hunt
4ff5a8fbf6 TARPIT: fix memory leak when tarpit_generic() fails 
Currently tarpit_generic() just returns on failure, but this does not
free nskb.

Signed-off-by: Josh Hunt <johunt@akamai.com>
 2012-08-02 17:48:05 +02:00
Florian Westphal
37e3a543a9 extensions: fix ipv6_find_hdr upstream change fallout 
Upstream commit v3.5-rc1~109^2~138^2~4 ("netfilter: ip6_tables: add
flags parameter to ipv6_find_hdr()") changed the offset parameter of
ipv6_find_hdr() to be an input-output value. Moreover, if it is
non-zero, it MUST point to a valid IPv6 header embedded in the
packet.
 2012-07-21 15:42:02 +02:00
Jan Engelhardt
5f6cbbc663 Xtables-addons 1.45 2012-07-16 05:39:32 +02:00
Jan Engelhardt
a2676585da build: avoid use of unexported functions 
Fixes: "WARNING 'ipv6_find_hdr' [xt_TARPIT.ko] not found" in
<= linux-2.6.37.
 2012-07-16 05:36:41 +02:00
Jan Engelhardt
4a8aab6aed fix: "WARNING 'xtnu_ipv6_find_hdr' [.ko] not found" 2012-07-16 05:34:24 +02:00
Jan Engelhardt
dec7d7fc4d Xtables-addons 1.44 2012-07-15 13:58:51 +02:00
Jan Engelhardt
5c615a3c73 build: do not attempt to build IPv6 parts if CONFIG_IP6_NF_IPTABLES=n 
Checking for IPV6 is not sufficient, use IP6_NF_IPTABLES instead.
 2012-07-14 23:19:16 +02:00
Jan Engelhardt
0c1375414d build: do not attempt to build IPv6 parts if CONFIG_IPV6=n 2012-07-14 22:55:39 +02:00
Jan Engelhardt
7e5a8b0501 geoip: remove outdated instructions in xt_geoip_build 
The manpage contains the authoritative description of options
currently supported.
 2012-07-14 02:17:38 +02:00
Jan Engelhardt
cb8050172a SYSRQ: fix double target initialization at module load 2012-07-11 01:42:39 +02:00
Jan Engelhardt
5be4ac8b2b Merge branch 'tarpit6' 2012-07-09 19:07:26 +02:00
Jan Engelhardt
8d5b7c5b7d doc: changelog entry for IPv6 TARPIT 2012-07-09 19:07:24 +02:00
Jan Engelhardt
f9aca7621c compat_xtables: avoid compile abort on <= 2.6.37 2012-07-09 19:06:22 +02:00
Josh Hunt
af940bcbae TARPIT: enable IPv6 userspace support 
Signed-off-by: Josh Hunt <johunt@akamai.com>
 2012-07-09 18:57:41 +02:00
Josh Hunt
06b82c649d TARPIT: resolve build errors with newer kernels 
Adds fragment offset arg to ipv6_skip_exthdr() and also removes usage
of ipv6_addr_copy() in favor or direct assignment.

Signed-off-by: Josh Hunt <johunt@akamai.com>
 2012-07-09 18:55:12 +02:00
Jan Engelhardt
e5093b61cd compat_xtables: add xtnu_ipv6_skip_exthdr 2012-07-09 18:54:22 +02:00
Josh Hunt
7cd01e0b14 TARPIT: add IPv6 support 
This adds IPv6 support for the tarpit target. It performs the same
functionality as the v4 version, but with IPv6 connections.

Signed-off-by: Josh Hunt <johunt@akamai.com>
 2012-07-08 21:22:22 +02:00
Josh Hunt
4eb97c7a01 TARPIT: make tarpit code generic 
Creates a generic function to perform the tcp header manipulation in.
Done in preparation for IPv6 support. This allows us to share code
between v4 and v6 processing.

Signed-off-by: Josh Hunt <johunt@akamai.com>
 2012-07-08 20:54:35 +02:00
Josh Hunt
48fbc6783e TARPIT: move XTTARPIT_RESET to its own function 
Moves XTTARPIT_RESET into its own function.

Signed-off-by: Josh Hunt <johunt@akamai.com>
 2012-07-08 20:51:46 +02:00
Josh Hunt
a9f383daf8 TARPIT: move XTTARPIT_HONEYPOT mode into its own function 
Moves XTTARPIT_HONEYPOT into its own function.

Signed-off-by: Josh Hunt <johunt@akamai.com>
 2012-07-08 20:51:05 +02:00
Josh Hunt
cbe58f55d0 TARPIT: move XTTARPIT_TARPIT mode processing to its own function 
Moves the XTTARPIT_TARPIT mode processing to its own function.

Signed-off-by: Josh Hunt <johunt@akamai.com>
 2012-07-08 20:51:00 +02:00
Jan Engelhardt
d11218815f TARPIT: mark oldtcphdr const 2012-07-08 20:51:00 +02:00
Kevin Locke
911d3d146a build: include <net/ip6_checksum.h> for csum_ipv6_magic 
xt_ECHO fails to build on PPC because csum_ipv6_magic is declared in
<net/ip6_checksum.h>, which is not implicitly included from other
headers on PPC causing build failures due to this function being
undefined. So, include this header explicitly.

Note:  Same cause as <http://bugzilla.netfilter.org/show_bug.cgi?id=307>.
 2012-07-03 22:53:57 +02:00
Jan Engelhardt
e2ecff2071 Xtables-addons 1.43 2012-06-30 19:46:21 +02:00
Jan Engelhardt
b2bcedd1ef build: support for Linux 3.5 2012-06-30 18:38:49 +02:00
Jan Engelhardt
36c349054e build: do not fail if AM_PROG_AR is not known 2012-06-30 15:44:44 +02:00
Jan Engelhardt
95da880d39 build: remove empty warning message 2012-06-21 19:13:13 +02:00
Jan Engelhardt
3be26a731b build: add missing include for xt_DNETMAP 
xt_DNETMAP.c: In function 'dnetmap_tg_proc_write':
xt_DNETMAP.c:703:3: error: implicit declaration of function 'in4_pton'
[-Werror=implicit-function-declaration]
 2012-06-15 15:48:42 +02:00
Jan Engelhardt
38db58adc1 build: automake 1.12 wants me to use AM_PROG_AR 2012-06-15 15:24:29 +02:00
Jan Engelhardt
0f302b7b2f Merge branch 'psd_cleanups' of git://git.breakpoint.cc/fw/xtables-addons 2012-06-15 15:18:57 +02:00
Florian Westphal
d66d07d01d psd: move defines to user/kernelspace part where possible 
Some of these defines have no meaning in userspace, so there
is no need to make those available.
 2012-06-15 15:17:30 +02:00
Florian Westphal
3736a265d8 psd: reduce size of struct host 
We can use u16, saving 8 bytes total (weight cannot exceed
PSD_MAX_RATE, 10000). Also re-format comments & struct initializers.

No functional changes.
 2012-06-15 15:17:21 +02:00
Jan Engelhardt
5b2649b1a2 psd: re-format comments 2012-06-15 15:16:31 +02:00
Florian Westphal
f6b8767228 psd: add basic validation of userspace matchinfo data 
psd multiplies weight_thresh by HZ, so it could overflow.

Userspace libxt_psd refuses values exceeding PSD_MAX_RATE, so check
that on kernel side, too.

Also, setting 0 weight for both privileged and highports will cause
psd to never match at all.

Reject 0 weight threshold, too because it makes no sense (triggers
match for every initial packet).
 2012-06-15 15:11:32 +02:00
Florian Westphal
ac58f2e94b psd: rip out scanlogd leftovers 
scanlogd remembers tcp flags and uses the *_CHANGING values in its
logger function to determine the best log format to use (e.g. TTL is
not logged if HF_TTL_CHANGING was set, as TTL values were different).

As psd does not log at all, we do not need track this.

Also get rid of bogus/misleading comments.
 2012-06-15 15:09:26 +02:00
Jan Engelhardt
7cc774641a all: remove trailing squatspaces 2012-06-10 22:31:10 +02:00
Marek Kierdelewicz
492236f931 DNETMAP version 2 
- new type: static binding
- new persistent flag option for prefix
- add extra information in /proc/net/xt_DNETMAP/prefix_stat that
  includes the count of static bindings and persistent flag
- add proc interface write support (add/del/flush binding)
- updated manual
 2012-06-10 22:27:28 +02:00
Jan Engelhardt
1e8da7c31c build: update installation requirements 
Versions prior to 2.6.32 are not tested anymore due to make 3.82 being
troubled with an old ambiguous Makefile syntax.
 2012-04-21 02:45:10 +02:00
Jan Engelhardt
3f1202c211 build: limit xt_ECHO to kernel 3.x 
(Would also work on 2.6.39, but eh.)
 2012-04-21 02:44:51 +02:00
Florian Westphal
759546f8d0 xt_psd: avoid crash due to curr->next corruption 
curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain
conditions we wrote past end of array, corrupting ->next pointer
of the adjacent host entry.

Reported-and-tested-by: Serge Leschinsky <serge.leschinsky@gmail.com>
 2012-04-18 14:30:22 +02:00
78 changed files with 1900 additions and 2582 deletions
Expand all files Collapse all files

9
INSTALL
View File

@@ -14,14 +14,15 @@ Supported configurations for this release
* iptables >= 1.4.5
* kernel-source >= 2.6.29
* kernel-devel >= 3.7
with prepared build/output directory
- CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK
- CONFIG_NF_CONNTRACK_MARK or CONFIG_IP_NF_CONNTRACK_MARK
enabled =y or as module (=m)
- CONFIG_NF_CONNTRACK
- CONFIG_NF_CONNTRACK_MARK enabled =y or as module (=m)
- CONFIG_CONNECTOR y/m if you wish to receive userspace
notifications from pknock through netlink/connector
(Use xtables-addons-1.x if you need support for Linux < 3.7.)
Selecting extensions
====================

13
configure.ac
View File

@@ -1,4 +1,4 @@
AC_INIT([xtables-addons], [1.42])
AC_INIT([xtables-addons], [2.1])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
@@ -6,6 +6,7 @@ AC_PROG_INSTALL
AM_INIT_AUTOMAKE([1.10b -Wall foreign subdir-objects])
AC_PROG_CC
AM_PROG_CC_C_O
m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
AC_DISABLE_STATIC
AC_PROG_LIBTOOL
@@ -30,7 +31,7 @@ xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
AC_ARG_WITH([xtlibdir],
AS_HELP_STRING([--with-xtlibdir=PATH],
[Path where to install Xtables extensions [[autodetect]]]]),
[Path where to install Xtables extensions [[autodetect]]]),
[xtlibdir="$withval"])
AC_MSG_CHECKING([Xtables module directory])
AC_MSG_RESULT([$xtlibdir])
@@ -62,11 +63,9 @@ if test -n "$kbuilddir"; then
echo "WARNING: Version detection did not succeed. Continue at own luck.";
else
echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 4; then
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test "$kmajor" -eq 3; then
:;
elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 32; then
if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 8; then
echo "WARNING: That kernel version is not officially supported.";
elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
:;
else
echo "WARNING: That kernel version is not officially supported.";

64
doc/api/2.6.17.c
View File

@@ -1,64 +0,0 @@
match:
/* true/false */
int
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop,
);
/* true/false */
int
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
unsigned int matchinfosize,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
void *userdata,
);
/* true/false */
int
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
unsigned int targinfosize,
);

59
doc/api/2.6.19.c
View File

@@ -1,59 +0,0 @@
match:
/* true/false */
int
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop,
);
/* true/false */
int
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
int
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

59
doc/api/2.6.23.c
View File

@@ -1,59 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
bool *hotdrop,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

59
doc/api/2.6.24.c
View File

@@ -1,59 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
bool *hotdrop,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_match *match,
void *matchinfo,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
const struct xt_target *target,
const void *targinfo,
);
/* true/false */
bool
(*checkentry)(
const char *tablename,
const void *entry,
const struct xt_target *target,
void *targinfo,
unsigned int hook_mask,
);
void
(*destroy)(
const struct xt_target *target,
void *targinfo,
);

39
doc/api/2.6.28.c
View File

@@ -1,39 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

38
doc/api/2.6.31.c
View File

@@ -1,38 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

39
doc/api/2.6.32.c
View File

@@ -1,39 +0,0 @@
match:
/* true/false */
bool
(*match)(
const struct sk_buff *skb,
const struct xt_match_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_mtchk_param *,
);
void
(*destroy)(
const struct xt_mtdtor_param *,
);
target:
/* verdict */
unsigned int
(*target)(
struct sk_buff *skb,
const struct xt_target_param *,
);
/* true/false */
bool
(*checkentry)(
const struct xt_tgchk_param *,
);
void
(*destroy)(
const struct xt_tgdtor_param *,
);

73
doc/changelog.txt
View File

@@ -3,6 +3,79 @@ HEAD
====
v2.1 (2012-11-27)
=================
Fixes:
- DNETMAP: fix compile error with Linux 3.7
Enhancements:
- Support for Linux 3.8
v2.0 (2012-11-12)
=================
Changes:
- remove support for Linux 2.6.173.6
- remove xt_TEE (this is available upstream since 2.6.35)
- remove xt_CHECKSUM (this is available upstream since 2.6.36)
Enhancements:
- Support for Linux 3.7
If you want to use Xtables-addons with kernels older than 3.7,
use the addons 1.x series, which continues to be maintained for
the time being.
v1.47.1 (2010-10-15)
====================
Enhancements:
- xt_psd gained IPv6 support
Notes for this release:
- Linux 3.7+ is expressly unsupported by this release.
v1.46 (2012-08-23)
==================
Fixes:
- length2, SYSRQ, RAWNAT: preinitialize values for ipv6_find_hdr
- TARPIT: fix memory leak when tarpit_generic() fails
- build: remove extraneous closing bracket in configure.ac
- doc: update xt_SYSRQ.man to reflect that the full IPv6 address is needed
Enhancements:
- Support for Linux 3.6
v1.45 (2012-07-16)
==================
Fixes:
- build: export missing functions
(fixes: "WARNING 'xtnu_ipv6_find_hdr' [xt_TARPIT.ko] not found")
- build: avoid use of unexported functions
(fixes: "WARNING 'ipv6_find_hdr' [xt_TARPIT.ko] not found"
in <= linux-2.6.37)
v1.44 (2012-07-15)
==================
Fixes:
- SYSRQ: fix double target initialization at module load
- build: do not attempt to build IPv6 parts if CONFIG_IP6_NF_IPTABLES=n
Enhancements:
- TARPIT gained IPv6 support
v1.43 (2012-06-30)
==================
Fixes:
- xt_psd: avoid crash due to curr->next corruption
Changes:
- xt_psd: reject invalid match options
Enhancements:
- Support for Linux 3.5
- DNETMAP: new type: static binding
- DNETMAP: new persistent flag option for prefix
- DNETMAP: add write support to procfs interface
v1.42 (2012-04-05)
==================
Fixes:

6
extensions/ACCOUNT/xt_ACCOUNT.c
View File

@@ -22,11 +22,7 @@
#include <net/tcp.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,27)
#include <linux/semaphore.h>
#else
#include <asm/semaphore.h>
#endif
#include <linux/semaphore.h>
#include <linux/kernel.h>
#include <linux/mm.h>

8
extensions/Kbuild
View File

@@ -7,21 +7,21 @@ obj-m += compat_xtables.o
obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += xt_CHAOS.o
obj-${build_CHECKSUM} += xt_CHECKSUM.o
obj-${build_DELUDE} += xt_DELUDE.o
obj-${build_DHCPMAC} += xt_DHCPMAC.o
obj-${build_DNETMAP} += xt_DNETMAP.o
ifeq (${VERSION},3)
obj-${build_ECHO} += xt_ECHO.o
endif
obj-${build_IPMARK} += xt_IPMARK.o
obj-${build_LOGMARK} += xt_LOGMARK.o
obj-${build_RAWNAT} += xt_RAWNAT.o iptable_rawpost.o
ifneq (${CONFIG_IPV6},)
ifneq (${CONFIG_IP6_NF_IPTABLES},)
obj-${build_RAWNAT} += ip6table_rawpost.o
endif
obj-${build_SYSRQ} += xt_SYSRQ.o
obj-${build_STEAL} += xt_STEAL.o
obj-${build_TARPIT} += xt_TARPIT.o
obj-${build_TEE} += xt_TEE.o
obj-${build_condition} += xt_condition.o
obj-${build_fuzzy} += xt_fuzzy.o
obj-${build_geoip} += xt_geoip.o
@@ -34,5 +34,7 @@ obj-${build_pknock} += pknock/
obj-${build_psd} += xt_psd.o
obj-${build_quota2} += xt_quota2.o
obj-${build_ipaddr} += xt_ipaddr.o
-include ${M}/*.Kbuild
-include ${M}/Kbuild.*

3
extensions/Mbuild
View File

@@ -2,7 +2,6 @@
obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += libxt_CHAOS.so
obj-${build_CHECKSUM} += libxt_CHECKSUM.so
obj-${build_DELUDE} += libxt_DELUDE.so
obj-${build_DHCPMAC} += libxt_DHCPMAC.so libxt_dhcpmac.so
obj-${build_DNETMAP} += libxt_DNETMAP.so
@@ -13,11 +12,11 @@ obj-${build_RAWNAT} += libxt_RAWDNAT.so libxt_RAWSNAT.so
obj-${build_STEAL} += libxt_STEAL.so
obj-${build_SYSRQ} += libxt_SYSRQ.so
obj-${build_TARPIT} += libxt_TARPIT.so
obj-${build_TEE} += libxt_TEE.so
obj-${build_condition} += libxt_condition.so
obj-${build_fuzzy} += libxt_fuzzy.so
obj-${build_geoip} += libxt_geoip.so
obj-${build_iface} += libxt_iface.so
obj-${build_ipaddr} += libxt_ipaddr.so
obj-${build_ipp2p} += libxt_ipp2p.so
obj-${build_ipv4options} += libxt_ipv4options.so
obj-${build_length2} += libxt_length2.so

81
extensions/compat_rawpost.h
View File

@@ -1,87 +1,6 @@
#ifndef XTA_COMPAT_RAWPOST_H
#define XTA_COMPAT_RAWPOST_H 1
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
typedef struct sk_buff sk_buff_t;
#else
typedef struct sk_buff *sk_buff_t;
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
#define XT_TARGET_INIT(__name, __size) \
{ \
.target.u.user = { \
.target_size = XT_ALIGN(__size), \
.name = __name, \
}, \
}
#define IPT_ENTRY_INIT(__size) \
{ \
.target_offset = sizeof(struct ipt_entry), \
.next_offset = (__size), \
}
#define IPT_STANDARD_INIT(__verdict) \
{ \
.entry = IPT_ENTRY_INIT(sizeof(struct ipt_standard)), \
.target = XT_TARGET_INIT(IPT_STANDARD_TARGET, \
sizeof(struct xt_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IPT_ERROR_INIT \
{ \
.entry = IPT_ENTRY_INIT(sizeof(struct ipt_error)), \
.target = XT_TARGET_INIT(IPT_ERROR_TARGET, \
sizeof(struct ipt_error_target)), \
.target.errorname = "ERROR", \
}
#define IP6T_ENTRY_INIT(__size) \
{ \
.target_offset = sizeof(struct ip6t_entry), \
.next_offset = (__size), \
}
#define IP6T_STANDARD_INIT(__verdict) \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
.target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \
sizeof(struct ip6t_standard_target)), \
.target.verdict = -(__verdict) - 1, \
}
#define IP6T_ERROR_INIT \
{ \
.entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
.target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \
sizeof(struct ip6t_error_target)), \
.target.errorname = "ERROR", \
}
#endif /* 2.6.21 */
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
# include <linux/netfilter_ipv6/ip6_tables.h>
/* Standard entry */
struct ip6t_standard
{
struct ip6t_entry entry;
struct ip6t_standard_target target;
};
struct ip6t_error_target
{
struct ip6t_entry_target target;
char errorname[IP6T_FUNCTION_MAXNAMELEN];
};
struct ip6t_error
{
struct ip6t_entry entry;
struct ip6t_error_target target;
};
#endif /* 2.6.20 */
#endif /* XTA_COMPAT_RAWPOST_H */

50
extensions/compat_skbuff.h
View File

@@ -4,34 +4,8 @@
struct tcphdr;
struct udphdr;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 30)
static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
{
skb->dst = dst;
}
static inline struct dst_entry *skb_dst(const struct sk_buff *skb)
{
return skb->dst;
}
static inline struct rtable *skb_rtable(const struct sk_buff *skb)
{
return (void *)skb->dst;
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define skb_ifindex(skb) \
(((skb)->input_dev != NULL) ? (skb)->input_dev->ifindex : 0)
# define skb_nfmark(skb) (((struct sk_buff *)(skb))->nfmark)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
# define skb_ifindex(skb) (skb)->iif
# define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
#else
# define skb_ifindex(skb) (skb)->skb_iif
# define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
#endif
#define skb_ifindex(skb) (skb)->skb_iif
#define skb_nfmark(skb) (((struct sk_buff *)(skb))->mark)
#ifdef CONFIG_NETWORK_SECMARK
# define skb_secmark(skb) ((skb)->secmark)
@@ -39,24 +13,4 @@ static inline struct rtable *skb_rtable(const struct sk_buff *skb)
# define skb_secmark(skb) 0
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 21)
# define ip_hdr(skb) ((skb)->nh.iph)
# define ip_hdrlen(skb) (ip_hdr(skb)->ihl * 4)
# define ipv6_hdr(skb) ((skb)->nh.ipv6h)
# define skb_network_header(skb) ((skb)->nh.raw)
# define skb_transport_header(skb) ((skb)->h.raw)
static inline void skb_reset_network_header(struct sk_buff *skb)
{
skb->nh.raw = skb->data;
}
static inline struct tcphdr *tcp_hdr(const struct sk_buff *skb)
{
return (void *)skb_transport_header(skb);
}
static inline struct udphdr *udp_hdr(const struct sk_buff *skb)
{
return (void *)skb_transport_header(skb);
}
#endif
#endif /* COMPAT_SKBUFF_H */

470
extensions/compat_xtables.c
View File

@@ -1,6 +1,6 @@
/*
* API compat layer
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
* written by Jan Engelhardt, 2008 - 2010
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License, either
@@ -16,271 +16,18 @@
#include <linux/version.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter_arp.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/route.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0)
# include <linux/export.h>
#endif
#include <linux/export.h>
#include "compat_skbuff.h"
#include "compat_xtnu.h"
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_match_run(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *cm, const void *matchinfo, int offset,
unsigned int protoff, int *hotdrop)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static bool xtnu_match_run(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
const struct xt_match *cm, const void *matchinfo, int offset,
unsigned int protoff, bool *hotdrop)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_match *nm = xtcompat_numatch(cm);
bool lo_ret;
struct xt_action_param local_par;
local_par.in = in;
local_par.out = out;
local_par.match = cm;
local_par.matchinfo = matchinfo;
local_par.fragoff = offset;
local_par.thoff = protoff;
local_par.hotdrop = false;
local_par.family = NFPROTO_UNSPEC; /* don't have that info */
if (nm == NULL || nm->match == NULL)
return false;
lo_ret = nm->match(skb, &local_par);
*hotdrop = local_par.hotdrop;
return lo_ret;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static bool xtnu_match_run(const struct sk_buff *skb,
const struct xt_match_param *par)
{
struct xtnu_match *nm = xtcompat_numatch(par->match);
struct xt_action_param local_par;
bool ret;
local_par.in = par->in;
local_par.out = par->out;
local_par.match = par->match;
local_par.matchinfo = par->matchinfo;
local_par.fragoff = par->fragoff;
local_par.thoff = par->thoff;
local_par.hotdrop = false;
local_par.family = par->family;
if (nm == NULL || nm->match == NULL)
return false;
ret = nm->match(skb, &local_par);
*par->hotdrop = local_par.hotdrop;
return ret;
}
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static int xtnu_match_check(const char *table, const void *entry,
const struct xt_match *cm, void *matchinfo, unsigned int matchinfosize,
unsigned int hook_mask)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_match_check(const char *table, const void *entry,
const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static bool xtnu_match_check(const char *table, const void *entry,
const struct xt_match *cm, void *matchinfo, unsigned int hook_mask)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_match *nm = xtcompat_numatch(cm);
struct xt_mtchk_param local_par = {
.table = table,
.entryinfo = entry,
.match = cm,
.matchinfo = matchinfo,
.hook_mask = hook_mask,
.family = NFPROTO_UNSPEC,
};
if (nm == NULL)
return false;
if (nm->checkentry == NULL)
return true;
return nm->checkentry(&local_par) == 0;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static bool xtnu_match_check(const struct xt_mtchk_param *par)
{
struct xtnu_match *nm = xtcompat_numatch(par->match);
if (nm == NULL)
return false;
if (nm->checkentry == NULL)
return true;
return nm->checkentry(par) == 0;
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo,
unsigned int matchinfosize)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static void xtnu_match_destroy(const struct xt_match *cm, void *matchinfo)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_match *nm = xtcompat_numatch(cm);
struct xt_mtdtor_param local_par = {
.match = cm,
.matchinfo = matchinfo,
.family = NFPROTO_UNSPEC,
};
if (nm != NULL && nm->destroy != NULL)
nm->destroy(&local_par);
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
int xtnu_register_match(struct xtnu_match *nt)
{
struct xt_match *ct;
char *tmp;
int ret;
ct = kzalloc(sizeof(struct xt_match), GFP_KERNEL);
if (ct == NULL)
return -ENOMEM;
tmp = (char *)ct->name;
memcpy(tmp, nt->name, sizeof(nt->name));
tmp = (char *)(ct->name + sizeof(ct->name) - sizeof(void *));
*(tmp-1) = '\0';
memcpy(tmp, &nt, sizeof(void *));
ct->revision = nt->revision;
ct->family = nt->family;
ct->table = (char *)nt->table;
ct->hooks = nt->hooks;
ct->proto = nt->proto;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
ct->match = xtnu_match_run;
ct->checkentry = xtnu_match_check;
ct->destroy = xtnu_match_destroy;
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
ct->match = xtnu_match_run;
ct->checkentry = xtnu_match_check;
ct->destroy = nt->destroy;
#else
ct->match = nt->match;
ct->checkentry = xtnu_match_check;
ct->destroy = nt->destroy;
#endif
ct->matchsize = nt->matchsize;
ct->me = nt->me;
nt->__compat_match = ct;
ret = xt_register_match(ct);
if (ret != 0)
kfree(ct);
return ret;
}
EXPORT_SYMBOL_GPL(xtnu_register_match);
int xtnu_register_matches(struct xtnu_match *nt, unsigned int num)
{
unsigned int i;
int ret;
for (i = 0; i < num; ++i) {
ret = xtnu_register_match(&nt[i]);
if (ret < 0) {
if (i > 0)
xtnu_unregister_matches(nt, i);
return ret;
}
}
return 0;
}
EXPORT_SYMBOL_GPL(xtnu_register_matches);
void xtnu_unregister_match(struct xtnu_match *nt)
{
xt_unregister_match(nt->__compat_match);
kfree(nt->__compat_match);
}
EXPORT_SYMBOL_GPL(xtnu_unregister_match);
void xtnu_unregister_matches(struct xtnu_match *nt, unsigned int num)
{
unsigned int i;
for (i = 0; i < num; ++i)
xtnu_unregister_match(&nt[i]);
}
EXPORT_SYMBOL_GPL(xtnu_unregister_matches);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static unsigned int xtnu_target_run(struct sk_buff **pskb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *ct, const void *targinfo,
void *userdata)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
static unsigned int xtnu_target_run(struct sk_buff **pskb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static unsigned int xtnu_target_run(struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
unsigned int hooknum, const struct xt_target *ct, const void *targinfo)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
struct xt_action_param local_par;
local_par.in = in;
local_par.out = out;
local_par.hooknum = hooknum;
local_par.target = ct;
local_par.targinfo = targinfo;
local_par.family = NFPROTO_UNSPEC;
if (nt != NULL && nt->target != NULL)
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return nt->target(pskb, &local_par);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
return nt->target(&skb, &local_par);
#endif
return XT_CONTINUE;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static unsigned int
xtnu_target_run(struct sk_buff *skb, const struct xt_target_param *par)
{
struct xtnu_target *nt = xtcompat_nutarget(par->target);
struct xt_action_param local_par;
local_par.in = par->in;
local_par.out = par->out;
local_par.hooknum = par->hooknum;
local_par.target = par->target;
local_par.targinfo = par->targinfo;
local_par.family = par->family;
return nt->target(&skb, &local_par);
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
static unsigned int
xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
{
@@ -288,73 +35,6 @@ xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
return nt->target(&skb, par);
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static int xtnu_target_check(const char *table, const void *entry,
const struct xt_target *ct, void *targinfo,
unsigned int targinfosize, unsigned int hook_mask)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
static int xtnu_target_check(const char *table, const void *entry,
const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static bool xtnu_target_check(const char *table, const void *entry,
const struct xt_target *ct, void *targinfo, unsigned int hook_mask)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
struct xt_tgchk_param local_par = {
.table = table,
.entryinfo = entry,
.target = ct,
.targinfo = targinfo,
.hook_mask = hook_mask,
.family = NFPROTO_UNSPEC,
};
if (nt == NULL)
return false;
if (nt->checkentry == NULL)
/* this is valid, just like if there was no function */
return true;
return nt->checkentry(&local_par) == 0;
}
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) && \
LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
static bool xtnu_target_check(const struct xt_tgchk_param *par)
{
struct xtnu_target *nt = xtcompat_nutarget(par->target);
if (nt == NULL)
return false;
if (nt->checkentry == NULL)
return true;
return nt->checkentry(par) == 0;
}
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo,
unsigned int targinfosize)
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
static void xtnu_target_destroy(const struct xt_target *ct, void *targinfo)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
{
struct xtnu_target *nt = xtcompat_nutarget(ct);
struct xt_tgdtor_param local_par = {
.target = ct,
.targinfo = targinfo,
.family = NFPROTO_UNSPEC,
};
if (nt != NULL && nt->destroy != NULL)
nt->destroy(&local_par);
}
#endif
int xtnu_register_target(struct xtnu_target *nt)
{
@@ -378,16 +58,8 @@ int xtnu_register_target(struct xtnu_target *nt)
ct->hooks = nt->hooks;
ct->proto = nt->proto;
ct->target = xtnu_target_run;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
ct->checkentry = xtnu_target_check;
ct->destroy = xtnu_target_destroy;
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
ct->checkentry = xtnu_target_check;
ct->destroy = nt->destroy;
#else
ct->checkentry = nt->checkentry;
ct->destroy = nt->destroy;
#endif
ct->targetsize = nt->targetsize;
ct->me = nt->me;
@@ -458,146 +130,16 @@ EXPORT_SYMBOL_GPL(xtnu_request_find_match);
int xtnu_ip_route_me_harder(struct sk_buff **pskb, unsigned int addr_type)
{
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
/* Actually this one is valid up to 2.6.18.4, but changed in 2.6.18.5 */
return ip_route_me_harder(pskb);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return ip_route_me_harder(pskb, addr_type);
#else
return ip_route_me_harder(*pskb, addr_type);
#endif
}
EXPORT_SYMBOL_GPL(xtnu_ip_route_me_harder);
int xtnu_skb_make_writable(struct sk_buff **pskb, unsigned int len)
{
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return skb_make_writable(pskb, len);
#else
return skb_make_writable(*pskb, len);
#endif
}
EXPORT_SYMBOL_GPL(xtnu_skb_make_writable);
#if LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 24)
static int __xtnu_ip_local_out(struct sk_buff *skb)
{
struct iphdr *iph = ip_hdr(skb);
iph->tot_len = htons(skb->len);
ip_send_check(iph);
return nf_hook(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
skb->dst->dev, dst_output);
}
int xtnu_ip_local_out(struct sk_buff *skb)
{
int err;
err = __xtnu_ip_local_out(skb);
if (likely(err == 1))
err = dst_output(skb);
return err;
}
EXPORT_SYMBOL_GPL(xtnu_ip_local_out);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
static int __xtnu_ip_local_out(struct sk_buff **pskb)
{
struct iphdr *iph = ip_hdr(*pskb);
iph->tot_len = htons((*pskb)->len);
ip_send_check(iph);
return nf_hook(PF_INET, NF_IP_LOCAL_OUT, pskb, NULL,
(*pskb)->dst->dev, dst_output);
}
int xtnu_ip_local_out(struct sk_buff *skb)
{
int err;
err = __xtnu_ip_local_out(&skb);
if (likely(err == 1))
err = dst_output(skb);
return err;
}
EXPORT_SYMBOL_GPL(xtnu_ip_local_out);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
int xtnu_ip_route_output_key(void *net, struct rtable **rp, struct flowi *flp)
{
return ip_route_output_flow(rp, flp, NULL, 0);
}
EXPORT_SYMBOL_GPL(xtnu_ip_route_output_key);
void xtnu_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
__be32 from, __be32 to, bool pseudohdr)
{
__be32 diff[] = {~from, to};
const void *dv = diff; /* kludge for < v2.6.19-555-g72685fc */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
if (skb->ip_summed != CHECKSUM_PARTIAL) {
*sum = csum_fold(csum_partial(dv, sizeof(diff),
~csum_unfold(*sum)));
if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
skb->csum = ~csum_partial(dv, sizeof(diff),
~skb->csum);
} else if (pseudohdr) {
*sum = ~csum_fold(csum_partial(dv, sizeof(diff),
csum_unfold(*sum)));
}
#else
*sum = csum_fold(csum_partial(dv, sizeof(diff),
~csum_unfold(*sum)));
#endif
}
EXPORT_SYMBOL_GPL(xtnu_proto_csum_replace4);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
int xtnu_neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
{
unsigned int hh_alen;
read_lock_bh(&hh->hh_lock);
hh_alen = HH_DATA_ALIGN(hh->hh_len);
memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
read_unlock_bh(&hh->hh_lock);
skb_push(skb, hh->hh_len);
return hh->hh_output(skb);
}
EXPORT_SYMBOL_GPL(xtnu_neigh_hh_output);
static inline __wsum xtnu_csum_unfold(__sum16 n)
{
return (__force __wsum)n;
}
void xtnu_csum_replace4(__sum16 *sum, __be32 from, __be32 to)
{
__be32 diff[] = {~from, to};
*sum = csum_fold(csum_partial((char *)diff, sizeof(diff),
~xtnu_csum_unfold(*sum)));
}
void xtnu_csum_replace2(__sum16 *sum, __be16 from, __be16 to)
{
xtnu_csum_replace4(sum, (__force __be32)from, (__force __be32)to);
}
EXPORT_SYMBOL_GPL(xtnu_csum_replace2);
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
int xtnu_skb_linearize(struct sk_buff *skb)
{
return skb_linearize(skb, GFP_ATOMIC);
}
EXPORT_SYMBOL_GPL(xtnu_skb_linearize);
#endif
void *HX_memmem(const void *space, size_t spacesize,
const void *point, size_t pointsize)
{

84
extensions/compat_xtables.h
View File

@@ -8,8 +8,8 @@
#define DEBUGP Use__pr_debug__instead
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 17)
# warning Kernels below 2.6.17 not supported.
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
# warning Kernels below 3.7 not supported.
#endif
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -17,86 +17,14 @@
# warning You have CONFIG_NF_CONNTRACK enabled, but CONFIG_NF_CONNTRACK_MARK is not (please enable).
# endif
# include <net/netfilter/nf_conntrack.h>
#elif defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
# if !defined(CONFIG_IP_NF_CONNTRACK_MARK)
# warning You have CONFIG_IP_NF_CONNTRACK enabled, but CONFIG_IP_NF_CONNTRACK_MARK is not (please enable).
# endif
# include <linux/netfilter_ipv4/ip_conntrack.h>
# define nf_conn ip_conntrack
# define nf_ct_get ip_conntrack_get
# define nf_conntrack_untracked ip_conntrack_untracked
#else
# warning You need either CONFIG_NF_CONNTRACK or CONFIG_IP_NF_CONNTRACK.
# warning You need CONFIG_NF_CONNTRACK.
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 17)
# define skb_init_secmark(skb)
# define skb_linearize xtnu_skb_linearize
#endif
#define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
#define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define neigh_hh_output xtnu_neigh_hh_output
# define IPPROTO_UDPLITE 136
# define CSUM_MANGLED_0 ((__force __sum16)0xffff)
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
# define NF_INET_PRE_ROUTING NF_IP_PRE_ROUTING
# define NF_INET_LOCAL_IN NF_IP_LOCAL_IN
# define NF_INET_FORWARD NF_IP_FORWARD
# define NF_INET_LOCAL_OUT NF_IP_LOCAL_OUT
# define NF_INET_POST_ROUTING NF_IP_POST_ROUTING
# define ip_local_out xtnu_ip_local_out
# define ip_route_output_key xtnu_ip_route_output_key
# include "compat_nfinetaddr.h"
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
# define init_net xtnu_ip_route_output_key /* yes */
# define init_net__loopback_dev (&loopback_dev)
# define init_net__proc_net proc_net
#else
# define init_net__loopback_dev init_net.loopback_dev
# define init_net__proc_net init_net.proc_net
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
# define xt_match xtnu_match
# define xt_register_match xtnu_register_match
# define xt_unregister_match xtnu_unregister_match
# define xt_register_matches xtnu_register_matches
# define xt_unregister_matches xtnu_unregister_matches
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
# define csum_replace2 xtnu_csum_replace2
# define csum_replace4 xtnu_csum_replace4
# define inet_proto_csum_replace4 xtnu_proto_csum_replace4
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
# define csum_replace2 nf_csum_replace2
# define csum_replace4 nf_csum_replace4
# define inet_proto_csum_replace4 xtnu_proto_csum_replace4
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
# define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
# define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
#else
# define ipt_unregister_table(tbl) ipt_unregister_table(tbl)
# define ip6t_unregister_table(tbl) ip6t_unregister_table(tbl)
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
# define rt_dst(rt) (&(rt)->dst)
#else
# define rt_dst(rt) (&(rt)->u.dst)
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
# define nf_nat_ipv4_multi_range_compat nf_nat_multi_range_compat
# define nf_nat_ipv4_range nf_nat_range
# define NF_NAT_RANGE_MAP_IPS IP_NAT_RANGE_MAP_IPS
#endif
#define rt_dst(rt) (&(rt)->dst)
#if !defined(NIP6) && !defined(NIP6_FMT)
# define NIP6(addr) \

92
extensions/compat_xtnu.h
View File

@@ -5,89 +5,12 @@
#include <linux/netfilter/x_tables.h>
#include <linux/spinlock.h>
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
typedef _Bool bool;
enum { false = 0, true = 1, };
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
typedef __u16 __bitwise __sum16;
typedef __u32 __bitwise __wsum;
#endif
struct flowi;
struct hh_cache;
struct module;
struct net_device;
struct rtable;
struct sk_buff;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
enum {
NFPROTO_UNSPEC = 0,
NFPROTO_IPV4 = 2,
NFPROTO_ARP = 3,
NFPROTO_BRIDGE = 7,
NFPROTO_IPV6 = 10,
NFPROTO_DECNET = 12,
NFPROTO_NUMPROTO,
};
struct xt_mtchk_param {
const char *table;
const void *entryinfo;
const struct xt_match *match;
void *matchinfo;
unsigned int hook_mask;
u_int8_t family;
};
struct xt_mtdtor_param {
const struct xt_match *match;
void *matchinfo;
u_int8_t family;
};
struct xt_target_param {
const struct net_device *in, *out;
unsigned int hooknum;
const struct xt_target *target;
const void *targinfo;
u_int8_t family;
};
struct xt_tgchk_param {
const char *table;
const void *entryinfo;
const struct xt_target *target;
void *targinfo;
unsigned int hook_mask;
u_int8_t family;
};
struct xt_tgdtor_param {
const struct xt_target *target;
void *targinfo;
u_int8_t family;
};
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
struct xt_action_param {
union {
const struct xt_match *match;
const struct xt_target *target;
};
union {
const void *matchinfo, *targinfo;
};
const struct net_device *in, *out;
int fragoff;
unsigned int thoff, hooknum;
u_int8_t family;
bool hotdrop;
};
#endif
struct xtnu_match {
/*
* Making it smaller by sizeof(void *) on purpose to catch
@@ -135,13 +58,6 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
return q;
}
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 19)
static inline __wsum csum_unfold(__sum16 n)
{
return (__force __wsum)n;
}
#endif
extern int xtnu_ip_local_out(struct sk_buff *);
extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
@@ -156,12 +72,12 @@ extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
extern struct xt_match *xtnu_request_find_match(unsigned int,
const char *, uint8_t);
extern int xtnu_neigh_hh_output(struct hh_cache *, struct sk_buff *);
extern void xtnu_csum_replace2(__u16 __bitwise *, __be16, __be16);
extern void xtnu_csum_replace4(__u16 __bitwise *, __be32, __be32);
extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
__be32, __be32, bool);
extern int xtnu_skb_linearize(struct sk_buff *);
extern int xtnu_ipv6_skip_exthdr(const struct sk_buff *, int,
uint8_t *, __be16 *);
extern int xtnu_ipv6_find_hdr(const struct sk_buff *, unsigned int *,
int, unsigned short *, int *);
extern void *HX_memmem(const void *, size_t, const void *, size_t);

18
extensions/ip6table_rawpost.c
View File

@@ -1,6 +1,6 @@
/*
* rawpost table for ip6_tables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* written by Jan Engelhardt, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
@@ -50,11 +50,7 @@ static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
#else
return ip6t_do_table(skb, hook, in, out, rawpost6_ptable, NULL);
#endif
}
static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
@@ -69,20 +65,10 @@ static int __init rawpost6_table_init(void)
{
int ret;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
rwlock_init(&rawpost6_itable.lock);
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
&rawpost6_initial.repl);
if (IS_ERR(rawpost6_ptable))
return PTR_ERR(rawpost6_ptable);
#else
ret = ip6t_register_table(&rawpost6_itable, &rawpost6_initial.repl);
if (ret < 0)
return ret;
rawpost6_ptable = &rawpost6_itable;
#endif
ret = nf_register_hook(&rawpost6_hook_ops);
if (ret < 0)
@@ -103,5 +89,5 @@ static void __exit rawpost6_table_exit(void)
module_init(rawpost6_table_init);
module_exit(rawpost6_table_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");

18
extensions/iptable_rawpost.c
View File

@@ -1,6 +1,6 @@
/*
* rawpost table for ip_tables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* written by Jan Engelhardt, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
@@ -51,11 +51,7 @@ static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
#else
return ipt_do_table(skb, hook, in, out, rawpost4_ptable, NULL);
#endif
}
static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
@@ -70,20 +66,10 @@ static int __init rawpost4_table_init(void)
{
int ret;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
rwlock_init(&rawpost4_itable.lock);
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
&rawpost4_initial.repl);
if (IS_ERR(rawpost4_ptable))
return PTR_ERR(rawpost4_ptable);
#else
ret = ipt_register_table(&rawpost4_itable, &rawpost4_initial.repl);
if (ret < 0)
return ret;
rawpost4_ptable = &rawpost4_itable;
#endif
ret = nf_register_hook(&rawpost4_hook_ops);
if (ret < 0)
@@ -105,5 +91,5 @@ static void __exit rawpost4_table_exit(void)
module_init(rawpost4_table_init);
module_exit(rawpost4_table_exit);
MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");

2
extensions/libxt_CHAOS.c
View File

@@ -1,6 +1,6 @@
/*
* "CHAOS" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
* Copyright © Jan Engelhardt, 2006 - 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

2
extensions/libxt_CHAOS.man
View File

@@ -17,5 +17,5 @@ connections than they can.
The randomness factor of not replying vs. replying can be set during load-time
of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
.PP
See http://jengelh.medozas.de/projects/chaostables/ for more information
See http://inai.de/projects/chaostables/ for more information
about CHAOS, DELUDE and lscan.

94
extensions/libxt_CHECKSUM.c
View File

@@ -1,94 +0,0 @@
/*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
* (C) 2010 by Red Hat, Inc
* Author: Michael S. Tsirkin <mst@redhat.com>
*
* This program is distributed under the terms of GNU GPL v2, 1991
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
#include <xtables.h>
#include "xt_CHECKSUM.h"
#include "compat_user.h"
static void CHECKSUM_help(void)
{
printf(
"CHECKSUM target options\n"
" --checksum-fill Fill in packet checksum.\n");
}
static const struct option CHECKSUM_opts[] = {
{ "checksum-fill", 0, NULL, 'F' },
{ .name = NULL }
};
static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_CHECKSUM_info *einfo
= (struct xt_CHECKSUM_info *)(*target)->data;
switch (c) {
case 'F':
xtables_param_act(XTF_ONLY_ONCE, "CHECKSUM", "--checksum-fill",
*flags & XT_CHECKSUM_OP_FILL);
einfo->operation = XT_CHECKSUM_OP_FILL;
*flags |= XT_CHECKSUM_OP_FILL;
break;
default:
return 0;
}
return 1;
}
static void CHECKSUM_check(unsigned int flags)
{
if (!flags)
xtables_error(PARAMETER_PROBLEM,
"CHECKSUM target: Parameter --checksum-fill is required");
}
static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct xt_CHECKSUM_info *einfo =
(const struct xt_CHECKSUM_info *)target->data;
printf("CHECKSUM ");
if (einfo->operation & XT_CHECKSUM_OP_FILL)
printf(" fill ");
}
static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_CHECKSUM_info *einfo =
(const struct xt_CHECKSUM_info *)target->data;
if (einfo->operation & XT_CHECKSUM_OP_FILL)
printf(" --checksum-fill ");
}
static struct xtables_target checksum_tg_reg = {
.name = "CHECKSUM",
.version = XTABLES_VERSION,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
.help = CHECKSUM_help,
.parse = CHECKSUM_parse,
.final_check = CHECKSUM_check,
.print = CHECKSUM_print,
.save = CHECKSUM_save,
.extra_opts = CHECKSUM_opts,
};
static __attribute__((constructor)) void _init(void)
{
xtables_register_target(&checksum_tg_reg);
}

8
extensions/libxt_CHECKSUM.man
View File

@@ -1,8 +0,0 @@
This target allows to selectively work around broken/old applications.
It can only be used in the mangle table.
.TP
\fB\-\-checksum\-fill\fP
Compute and fill in the checksum in a packet that lacks a checksum.
This is particularly useful, if you need to work around old applications
such as dhcp clients, that do not work well with checksum offloads,
but don't want to disable checksum offload in your device.

2
extensions/libxt_DELUDE.c
View File

@@ -1,6 +1,6 @@
/*
* "DELUDE" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
* Copyright © Jan Engelhardt, 2006 - 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

2
extensions/libxt_DHCPMAC.c
View File

@@ -1,6 +1,6 @@
/*
* "DHCPMAC" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

78
extensions/libxt_DNETMAP.c
View File

@@ -20,6 +20,8 @@ static const struct option DNETMAP_opts[] = {
{"prefix", 1, NULL, 'p'},
{"reuse", 0, NULL, 'r'},
{"ttl", 1, NULL, 't'},
{"static", 0, NULL, 's'},
{"persistent", 0, NULL, 'e'},
{.name = NULL}
};
@@ -33,9 +35,14 @@ static void DNETMAP_help(void)
" --%s seconds\n"
" Regenerate bindings ttl value to seconds. If negative value is specified,\n"
" bindings ttl is kept unchanged. If not specified then default ttl value (600s)\n"
" is used.\n\n",
DNETMAP_opts[0].name, DNETMAP_opts[1].name,
DNETMAP_opts[2].name);
" is used\n"
" --%s\n"
" Match only static entries for this rule. Dynamic entries won't be created.\n"
" --%s\n"
" Set prefix persistent. It won't be removed after deleting last iptables rule.\n\n",
DNETMAP_opts[0].name, DNETMAP_opts[1].name,
DNETMAP_opts[2].name, DNETMAP_opts[3].name,
DNETMAP_opts[4].name);
}
static u_int32_t bits2netmask(int bits)
@@ -62,19 +69,8 @@ static int netmask2bits(u_int32_t netmask)
return bits;
}
static void DNETMAP_init(struct xt_entry_target *t)
{
struct xt_DNETMAP_tginfo *tginfo = (void *)&t->data;
struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
/* Actually, it's 0, but it's ignored at the moment. */
mr->rangesize = 1;
tginfo->ttl = 0;
tginfo->flags = 0;
}
/* Parses network address */
static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
static void parse_prefix(char *arg, struct nf_nat_range *range)
{
char *slash;
const struct in_addr *ip;
@@ -90,7 +86,7 @@ static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
if (ip == NULL)
xtables_error(PARAMETER_PROBLEM, "Bad IP address \"%s\"\n",
arg);
range->min_ip = ip->s_addr;
range->min_addr.in = *ip;
if (slash) {
if (strchr(slash + 1, '.')) {
ip = xtables_numeric_to_ipmask(slash + 1);
@@ -116,20 +112,20 @@ static void parse_prefix(char *arg, struct nf_nat_ipv4_range *range)
} else
netmask = ~0;
if (range->min_ip & ~netmask) {
if (range->min_addr.ip & ~netmask) {
if (slash)
*slash = '/';
xtables_error(PARAMETER_PROBLEM, "Bad network address \"%s\"\n",
arg);
}
range->max_ip = range->min_ip | ~netmask;
range->max_addr.ip = range->min_addr.ip | ~netmask;
}
static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_DNETMAP_tginfo *tginfo = (void *)(*target)->data;
struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
struct nf_nat_range *mr = &tginfo->prefix;
char *end;
switch (c) {
@@ -140,7 +136,7 @@ static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
invert);
/* TO-DO use xtables_ipparse_any instead? */
parse_prefix(optarg, &mr->range[0]);
parse_prefix(optarg, mr);
*flags |= XT_DNETMAP_PREFIX;
tginfo->flags |= XT_DNETMAP_PREFIX;
return 1;
@@ -151,6 +147,20 @@ static int DNETMAP_parse(int c, char **argv, int invert, unsigned int *flags,
*flags |= XT_DNETMAP_REUSE;
tginfo->flags |= XT_DNETMAP_REUSE;
return 1;
case 's':
xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--static",
*flags & XT_DNETMAP_STATIC);
xtables_param_act(XTF_NO_INVERT, MODULENAME, "--static", invert);
*flags |= XT_DNETMAP_STATIC;
tginfo->flags |= XT_DNETMAP_STATIC;
return 1;
case 'e':
xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--persistent",
*flags & XT_DNETMAP_PERSISTENT);
xtables_param_act(XTF_NO_INVERT, MODULENAME, "--persistent", invert);
*flags |= XT_DNETMAP_PERSISTENT;
tginfo->flags |= XT_DNETMAP_PERSISTENT;
return 1;
case 't':
xtables_param_act(XTF_ONLY_ONCE, MODULENAME, "--ttl",
*flags & XT_DNETMAP_TTL);
@@ -171,14 +181,13 @@ static void DNETMAP_print_addr(const void *ip,
int numeric)
{
struct xt_DNETMAP_tginfo *tginfo = (void *)&target->data;
const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
const struct nf_nat_ipv4_range *r = &mr->range[0];
const struct nf_nat_range *r = &tginfo->prefix;
struct in_addr a;
int bits;
a.s_addr = r->min_ip;
a = r->min_addr.in;
printf("%s", xtables_ipaddr_to_numeric(&a));
a.s_addr = ~(r->min_ip ^ r->max_ip);
a.s_addr = ~(r->min_addr.ip ^ r->max_addr.ip);
bits = netmask2bits(a.s_addr);
if (bits < 0)
printf("/%s", xtables_ipaddr_to_numeric(&a));
@@ -198,7 +207,15 @@ static void DNETMAP_print(const void *ip, const struct xt_entry_target *target,
else
printf("any");
printf(" reuse %i", (*flags & XT_DNETMAP_REUSE) > 0);
if (*flags & XT_DNETMAP_REUSE)
printf(" reuse");
if (*flags & XT_DNETMAP_STATIC)
printf(" static");
if (*flags & XT_DNETMAP_PERSISTENT)
printf(" persistent");
if (*flags & XT_DNETMAP_TTL)
printf(" ttl %i", tginfo->ttl);
else
@@ -214,7 +231,15 @@ static void DNETMAP_save(const void *ip, const struct xt_entry_target *target)
printf(" --%s ", DNETMAP_opts[0].name);
DNETMAP_print_addr(ip, target, 0);
}
printf(" --reuse %i ", *flags & XT_DNETMAP_REUSE);
if (*flags & XT_DNETMAP_REUSE)
printf(" --reuse ");
if (*flags & XT_DNETMAP_STATIC)
printf(" --static ");
if (*flags & XT_DNETMAP_PERSISTENT)
printf(" --persistent ");
/* ommited because default value can change as kernel mod param */
if (*flags & XT_DNETMAP_TTL)
@@ -228,7 +253,6 @@ static struct xtables_target dnetmap_tg_reg = {
.size = XT_ALIGN(sizeof(struct xt_DNETMAP_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_DNETMAP_tginfo)),
.help = DNETMAP_help,
.init = DNETMAP_init,
.parse = DNETMAP_parse,
.print = DNETMAP_print,
.save = DNETMAP_save,

93
extensions/libxt_DNETMAP.man
View File

@@ -18,6 +18,17 @@ Network subnet to map to. If not specified, all existing prefixes are used.
\fB\-\-reuse\fR
Reuse entry for given prenat-ip from any prefix despite bindings ttl < 0.
.TP
\fB\-\-persistent\fR
Set prefix persistent. It won't be removed after deleting last iptables rule.
Option is effective only in the first rule for a given prefix. If you
need to change persistency for existing prefix, please use proc interface
described below.
.TP
\fB\-\-static\fR
Don't create dynamic mappings using this rule. Use static mappings only. Note
that you need to create static mappings via proc interface for this rule with
this option to have any effect.
.TP
\fB\-\-ttl\fR \fIseconds\fR
Regenerate bindings ttl value to \fIseconds\fR. If negative value is specified,
bindings ttl is kept unchanged. If not specified then default ttl value (600s)
@@ -30,16 +41,45 @@ Module creates following entries for each new specified subnet:
\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR
Contains binding table for subnet/mask. Each line contains \fBprenat-ip\fR,
\fBpostnat-ip\fR,\fBttl\fR (seconds till entry times out), \fBlasthit\fR (last
entry hit in seconds relative to system boot time).
entry hit in seconds relative to system boot time). Please note that \fBttl\fR
and \fBlasthit\fR entries contain \fBS\fR in case of static binding.
.TP
\fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
Contains statistics for given subnet/mask. Line contains contains three
Contains statistics for given subnet/mask. Line contains contains four
numerical values separated by spaces. First one is number of currently used
addresses (bindings with negative ttl excluded), second one is number of all
usable addresses in subnet and third one is mean \fBttl\fR value for all active
entries.
dynamic addresses (bindings with negative ttl excluded), second one is number
static assignments, third one is number of all usable addresses in subnet and
the fourth one is mean \fBttl\fR value for all active entries. If prefix has
persistent flag set it'll be noted as fifth entry.
.PP
Following write operations are supported via proc interface:
.TP
echo "+\fIprenatIP\fR:\fIpostnatIP\fR" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Adds static binding between prenatIP nad postnatIP. If postnatIP is already
bound, previous binding will be timedout immediatelly. Static binding is never
timedout.
.TP
echo "-\fIIP\fR" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Removes binding with \fIIP\fR as prenat or postnat address. If removed binding
is currently static, it'll make entry available for dynamic allocation.
.TP
echo "+persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Sets persistent flag for prefix. It's usefull if you don't want bindings to get
flushed when firewall is restarted. You can check if prefix is persistent by
printing \fB/proc/net/xt_DNETMAP/\fR\fIsubnet\fR\fB_\fR\fImask\fR\fB_stat\fR
contents.
.TP
echo "-persistent" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Unsets persistent flag for prefix. In this mode prefix will be deleted if the
last iptables rule for that prefix is removed.
.TP
echo "flush" > \fB/proc/net/xt_DNETMAP/subnet_mask\fR
Flushes all bindings for specific prefix. All static entries are also flushed
and are available for dynamic bindings.
.PP
Note! Entries are removed if the last iptables rule for a specific prefix is
deleted unless there's persistent flag set.
.PP
Entries are removed if the last iptables rule for a specific subnet is deleted.
\fB* Logging\fR
@@ -88,4 +128,45 @@ specify \fB\-\-prefix\fR parameter in PREROUTING rule, because this way it DNATs
traffic to all active prefixes. You could specify prefix it you'd like to make
DNAT work for specific prefix only.
\fB4.\fR Map 192.168.0.0/24 to subnets 20.0.0.0/26 with static assignments only:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
--static
echo "+192.168.0.10:20.0.0.1" > /proc/net/xt_DNETMAP/20.0.0.0_26
.br
echo "+192.168.0.11:20.0.0.2" > /proc/net/xt_DNETMAP/20.0.0.0_26
.br
echo "+192.168.0.51:20.0.0.3" > /proc/net/xt_DNETMAP/20.0.0.0_26
This configuration will allow only preconfigured static bindings to work due to
\fBstatic\fR rule option. Without this flag dynamic bindings would be created
using non-static entries.
\fB5.\fR Persistent prefix:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
--persistent
.br
\fBor\fR
.br
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j DNETMAP --prefix 20.0.0.0/26
.br
echo "+persistent" > /proc/net/xt_DNETMAP/20.0.0.0_26
Now we can check persistent flag of the prefix:
.br
cat /proc/net/xt_DNETMAP/20.0.0.0_26
.br
0 0 64 0 \fBpersistent\fR
Flush iptables nat table and see that prefix is still in existence:
.br
iptables -F -t nat
.br
ls -l /proc/net/xt_DNETMAP
.br
-rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26
.br
-rw-r--r-- 1 root root 0 06-10 09:01 20.0.0.0_26_stat
.

2
extensions/libxt_ECHO.c
View File

@@ -1,6 +1,6 @@
/*
* "ECHO" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

2
extensions/libxt_IPMARK.c
View File

@@ -1,7 +1,7 @@
/*
* "IPMARK" target extension for iptables
* Copyright © Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>, 2003
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

2
extensions/libxt_LOGMARK.c
View File

@@ -1,6 +1,6 @@
/*
* "LOGMARK" target extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

6
extensions/libxt_SYSRQ.man
View File

@@ -62,7 +62,7 @@ password="password"
seqno="$(date +%s)"
salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
openssl enc \-base64)"
ipaddr=10.10.25.7
ipaddr="2001:0db8:0000:0000:0000:ff00:0042:8329"
req="$sysrq_key,$seqno,$salt"
req="$req,$(echo \-n "$req,$ipaddr,$password" | sha1sum | cut \-c1\-40)"
@@ -75,8 +75,8 @@ sysrq key can be used at once, but bear in mind that, for example, a sync may
not complete before a subsequent reboot or poweroff.
.PP
An IPv4 address should have no leading zeros, an IPv6 address should
be in the form recommended by RFC 5952. The debug option will log the
correct form of the address.
be in the full expanded form (as shown above). The debug option will cause
output to be emitted in the same form.
.PP
The hashing scheme should be enough to prevent mis-use of SYSRQ in many
environments, but it is not perfect: take reasonable precautions to

2
extensions/libxt_TARPIT.c
View File

@@ -106,7 +106,7 @@ static void tarpit_tg_save(const void *ip,
static struct xtables_target tarpit_tg_reg = {
.version = XTABLES_VERSION,
.name = "TARPIT",
.family = NFPROTO_IPV4,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_tarpit_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tarpit_tginfo)),
.help = tarpit_tg_help,

173
extensions/libxt_TEE.c
View File

@@ -1,173 +0,0 @@
/*
* "TEE" target extension for iptables
* Copyright © Sebastian Claßen <sebastian.classen [at] freenet.ag>, 2007
* Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <sys/socket.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include "xt_TEE.h"
#include "compat_user.h"
enum {
FLAG_GATEWAY = 1 << 0,
};
static const struct option tee_tg_opts[] = {
{.name = "gateway", .has_arg = true, .val = 'g'},
{NULL},
};
static void tee_tg_help(void)
{
printf(
"TEE target options:\n"
" --gateway IPADDR Route packet via the gateway given by address\n"
"\n");
}
static int tee_tg_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_tee_tginfo *info = (void *)(*target)->data;
const struct in_addr *ia;
switch (c) {
case 'g':
if (*flags & FLAG_GATEWAY)
xtables_error(PARAMETER_PROBLEM,
"Cannot specify --gateway more than once");
ia = xtables_numeric_to_ipaddr(optarg);
if (ia == NULL)
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address %s", optarg);
memcpy(&info->gw, ia, sizeof(*ia));
*flags |= FLAG_GATEWAY;
return true;
}
return false;
}
static int tee_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_tee_tginfo *info = (void *)(*target)->data;
const struct in6_addr *ia;
switch (c) {
case 'g':
if (*flags & FLAG_GATEWAY)
xtables_error(PARAMETER_PROBLEM,
"Cannot specify --gateway more than once");
ia = xtables_numeric_to_ip6addr(optarg);
if (ia == NULL)
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address %s", optarg);
memcpy(&info->gw, ia, sizeof(*ia));
*flags |= FLAG_GATEWAY;
return true;
}
return false;
}
static void tee_tg_check(unsigned int flags)
{
if (flags == 0)
xtables_error(PARAMETER_PROBLEM, "TEE target: "
"--gateway parameter required");
}
static void tee_tg_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
if (numeric)
printf(" TEE gw:%s ", xtables_ipaddr_to_numeric(&info->gw.in));
else
printf(" TEE gw:%s ", xtables_ipaddr_to_anyname(&info->gw.in));
}
static void tee_tg6_print(const void *ip, const struct xt_entry_target *target,
int numeric)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
if (numeric)
printf(" TEE gw:%s ", xtables_ip6addr_to_numeric(&info->gw.in6));
else
printf(" TEE gw:%s ", xtables_ip6addr_to_anyname(&info->gw.in6));
}
static void tee_tg_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
printf(" --gateway %s ", xtables_ipaddr_to_numeric(&info->gw.in));
}
static void tee_tg6_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
printf(" --gateway %s ", xtables_ip6addr_to_numeric(&info->gw.in6));
}
static struct xtables_target tee_tg_reg[] = {
{
.name = "TEE",
.version = XTABLES_VERSION,
.revision = 0,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.help = tee_tg_help,
.parse = tee_tg_parse,
.final_check = tee_tg_check,
.print = tee_tg_print,
.save = tee_tg_save,
.extra_opts = tee_tg_opts,
},
{
.name = "TEE",
.version = XTABLES_VERSION,
.revision = 0,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_tee_tginfo)),
.help = tee_tg_help,
.parse = tee_tg6_parse,
.final_check = tee_tg_check,
.print = tee_tg6_print,
.save = tee_tg6_save,
.extra_opts = tee_tg_opts,
},
};
static __attribute__((constructor)) void tee_tg_ldr(void)
{
xtables_register_targets(tee_tg_reg,
sizeof(tee_tg_reg) / sizeof(*tee_tg_reg));
}

12
extensions/libxt_TEE.man
View File

@@ -1,12 +0,0 @@
The \fBTEE\fP target will clone a packet and redirect this clone to another
machine on the \fBlocal\fP network segment. In other words, the nexthop
must be the target, or you will have to configure the nexthop to forward it
further if so desired.
.TP
\fB\-\-gateway\fP \fIipaddr\fP
Send the cloned packet to the host reachable at the given IP address.
Use of 0.0.0.0 (for IPv4 packets) or :: (IPv6) is invalid.
.PP
To forward all incoming traffic on eth0 to an Network Layer logging box:
.PP
\-t mangle \-A PREROUTING \-i eth0 \-j TEE \-\-gateway 2001:db8::1

2
extensions/libxt_condition.c
View File

@@ -2,7 +2,7 @@
* "condition" match extension for iptables
* Stephane Ouellette <ouellettes [at] videotron ca>, 2002-10-22
* Massimiliano Hofer <max [at] nucleus it>, 2006-05-15
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2

2
extensions/libxt_dhcpmac.c
View File

@@ -1,6 +1,6 @@
/*
* "dhcpmac" match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

2
extensions/libxt_fuzzy.c
View File

@@ -100,7 +100,7 @@ static void fuzzy_mt_save(const void *ip, const struct xt_entry_match *match)
printf(" --upper-limit %u ", info->maximum_rate);
}
static struct xtables_match fuzzy_mt_reg = {
static struct xtables_match fuzzy_mt_reg = {
.name = "fuzzy",
.revision = 1,
.version = XTABLES_VERSION,

4
extensions/libxt_geoip.c
View File

@@ -2,7 +2,7 @@
* "geoip" match extension for iptables
* Copyright © Samuel Jean <peejix [at] people netfilter org>, 2004 - 2008
* Copyright © Nicolas Bouliane <acidfu [at] people netfilter org>, 2004 - 2008
* Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
* Jan Engelhardt, 2008-2011
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -100,7 +100,7 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
close(fd);
return subnets;
}
static struct geoip_country_user *geoip_load_cc(const char *code,
unsigned short cc, uint8_t nfproto)
{

2
extensions/libxt_gradm.c
View File

@@ -78,7 +78,7 @@ static void gradm_mt_save(const void *ip, const struct xt_entry_match *match)
printf(" --enabled ");
}
static struct xtables_match gradm_mt_reg = {
static struct xtables_match gradm_mt_reg = {
.family = NFPROTO_UNSPEC,
.name = "gradm",
.version = XTABLES_VERSION,

254
extensions/libxt_ipaddr.c Normal file
View File

@@ -0,0 +1,254 @@
/*
* "ipaddr" demo match extension for iptables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* released in the Public Domain
*/
#include <arpa/inet.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_ipaddr.h"
static const struct option ipaddr_mt_opts[] = {
{.name = "ipsrc", .has_arg = true, .val = '1'},
{.name = "ipdst", .has_arg = true, .val = '2'},
{NULL},
};
static void ipaddr_mt_help(void)
{
printf(
"ipaddr match options:\n"
"[!] --ipsrc addr Match source address of packet\n"
"[!] --ipdst addr Match destination address of packet\n"
);
}
static void ipaddr_mt_init(struct xt_entry_match *match)
{
struct xt_ipaddr_mtinfo *info = (void *)match->data;
inet_pton(PF_INET, "192.0.2.137", &info->dst.in);
}
static int ipaddr_mt4_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_match **match)
{
struct xt_ipaddr_mtinfo *info = (void *)(*match)->data;
struct in_addr *addrs, mask;
unsigned int naddrs;
switch (c) {
case '1': /* --ipsrc */
if (*flags & XT_IPADDR_SRC)
xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
"Only use \"--ipsrc\" once!");
*flags |= XT_IPADDR_SRC;
info->flags |= XT_IPADDR_SRC;
if (invert)
info->flags |= XT_IPADDR_SRC_INV;
xtables_ipparse_any(optarg, &addrs, &mask, &naddrs);
if (naddrs != 1)
xtables_error(PARAMETER_PROBLEM,
"%s does not resolve to exactly "
"one address", optarg);
memcpy(&info->src.in, addrs, sizeof(*addrs));
return true;
case '2': /* --ipdst */
if (*flags & XT_IPADDR_DST)
xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
"Only use \"--ipdst\" once!");
*flags |= XT_IPADDR_DST;
info->flags |= XT_IPADDR_DST;
if (invert)
info->flags |= XT_IPADDR_DST_INV;
addrs = xtables_numeric_to_ipaddr(optarg);
if (addrs == NULL)
xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
"Parse error at %s\n", optarg);
memcpy(&info->dst.in, addrs, sizeof(*addrs));
return true;
}
return false;
}
static int ipaddr_mt6_parse(int c, char **argv, int invert,
unsigned int *flags, const void *entry, struct xt_entry_match **match)
{
struct xt_ipaddr_mtinfo *info = (void *)(*match)->data;
struct in6_addr *addrs;
switch (c) {
case '1': /* --ipsrc */
if (*flags & XT_IPADDR_SRC)
xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
"Only use \"--ipsrc\" once!");
*flags |= XT_IPADDR_SRC;
info->flags |= XT_IPADDR_SRC;
if (invert)
info->flags |= XT_IPADDR_SRC_INV;
addrs = xtables_numeric_to_ip6addr(optarg);
if (addrs == NULL)
xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
"Parse error at %s", optarg);
memcpy(&info->src.in6, addrs, sizeof(*addrs));
return true;
case '2': /* --ipdst */
if (*flags & XT_IPADDR_DST)
xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
"Only use \"--ipdst\" once!");
*flags |= XT_IPADDR_DST;
info->flags |= XT_IPADDR_DST;
if (invert)
info->flags |= XT_IPADDR_DST_INV;
addrs = xtables_numeric_to_ip6addr(optarg);
if (addrs == NULL)
xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: "
"Parse error at %s", optarg);
memcpy(&info->dst.in6, addrs, sizeof(*addrs));
return true;
}
return false;
}
static void ipaddr_mt_check(unsigned int flags)
{
if (flags == 0)
xtables_error(PARAMETER_PROBLEM, "xt_ipaddr: You need to "
"specify at least \"--ipsrc\" or \"--ipdst\".");
}
static void ipaddr_mt4_print(const void *entry,
const struct xt_entry_match *match, int numeric)
{
const struct xt_ipaddr_mtinfo *info = (const void *)match->data;
if (info->flags & XT_IPADDR_SRC) {
printf("src IP ");
if (info->flags & XT_IPADDR_SRC_INV)
printf("! ");
printf("%s ", numeric ?
xtables_ipaddr_to_numeric(&info->src.in) :
xtables_ipaddr_to_anyname(&info->src.in));
}
if (info->flags & XT_IPADDR_DST) {
printf("dst IP ");
if (info->flags & XT_IPADDR_DST_INV)
printf("! ");
printf("%s ", numeric ?
xtables_ipaddr_to_numeric(&info->dst.in) :
xtables_ipaddr_to_anyname(&info->dst.in));
}
}
static void ipaddr_mt6_print(const void *entry,
const struct xt_entry_match *match, int numeric)
{
const struct xt_ipaddr_mtinfo *info = (const void *)match->data;
if (info->flags & XT_IPADDR_SRC) {
printf("src IP ");
if (info->flags & XT_IPADDR_SRC_INV)
printf("! ");
printf("%s ", numeric ?
xtables_ip6addr_to_numeric(&info->src.in6) :
xtables_ip6addr_to_anyname(&info->src.in6));
}
if (info->flags & XT_IPADDR_DST) {
printf("dst IP ");
if (info->flags & XT_IPADDR_DST_INV)
printf("! ");
printf("%s ", numeric ?
xtables_ip6addr_to_numeric(&info->dst.in6) :
xtables_ip6addr_to_anyname(&info->dst.in6));
}
}
static void ipaddr_mt4_save(const void *entry,
const struct xt_entry_match *match)
{
const struct xt_ipaddr_mtinfo *info = (const void *)match->data;
if (info->flags & XT_IPADDR_SRC) {
if (info->flags & XT_IPADDR_SRC_INV)
printf("! ");
printf("--ipsrc %s ",
xtables_ipaddr_to_numeric(&info->src.in));
}
if (info->flags & XT_IPADDR_DST) {
if (info->flags & XT_IPADDR_DST_INV)
printf("! ");
printf("--ipdst %s ",
xtables_ipaddr_to_numeric(&info->dst.in));
}
}
static void ipaddr_mt6_save(const void *entry,
const struct xt_entry_match *match)
{
const struct xt_ipaddr_mtinfo *info = (const void *)match->data;
if (info->flags & XT_IPADDR_SRC) {
if (info->flags & XT_IPADDR_SRC_INV)
printf("! ");
printf("--ipsrc %s ",
xtables_ip6addr_to_numeric(&info->src.in6));
}
if (info->flags & XT_IPADDR_DST) {
if (info->flags & XT_IPADDR_DST_INV)
printf("! ");
printf("--ipdst %s ",
xtables_ip6addr_to_numeric(&info->dst.in6));
}
}
static struct xtables_match ipaddr_mt_reg = {
.version = XTABLES_VERSION,
.name = "ipaddr",
.revision = 0,
.family = PF_INET,
.size = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
.help = ipaddr_mt_help,
.init = ipaddr_mt_init,
.parse = ipaddr_mt4_parse,
.final_check = ipaddr_mt_check,
.print = ipaddr_mt4_print,
.save = ipaddr_mt4_save,
.extra_opts = ipaddr_mt_opts,
};
static struct xtables_match ipaddr_mt6_reg = {
.version = XTABLES_VERSION,
.name = "ipaddr",
.revision = 0,
.family = PF_INET6,
.size = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
.help = ipaddr_mt_help,
.init = ipaddr_mt_init,
.parse = ipaddr_mt6_parse,
.final_check = ipaddr_mt_check,
.print = ipaddr_mt6_print,
.save = ipaddr_mt6_save,
.extra_opts = ipaddr_mt_opts,
};
static void _init(void)
{
xtables_register_match(&ipaddr_mt_reg);
xtables_register_match(&ipaddr_mt6_reg);
}

9
extensions/libxt_ipaddr.man Normal file
View File

@@ -0,0 +1,9 @@
.TP
[\fB!\fP] \fB--ipsrc\fP \fIaddr\fP
Match packets that have \fIaddr\fP as source address.
.TP
[\fB!\fP] \fB--ipdst\fP \fIaddr\fP
Match packets that have \fIaddr\fP as destination address.
.PP
The ipaddr module serves only as a demonstration. It is equivalent to the
iptables \fB-s\fP and \fB-d\fP options, but ipaddr does not support masks.

2
extensions/libxt_ipp2p.c
View File

@@ -1,7 +1,7 @@
/*
* "ipp2p" match extension for iptables
* Eicke Friedrich/Klaus Degner <ipp2p@ipp2p.org>, 2005 - 2006
* Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

2
extensions/libxt_ipp2p.man
View File

@@ -36,7 +36,7 @@ Matches some WinMX packets. Considered as beta, use careful!
Matches Ares and AresLite packets. Use together with \-j DROP only.
.TP
\fB\-\-debug\fP
Prints some information about each hit into kernel logfile. May
Prints some information about each hit into kernel logfile. May
produce huge logfiles so beware!
.PP
Note that ipp2p may not (and often, does not) identify all packets that are

2
extensions/libxt_lscan.c
View File

@@ -1,6 +1,6 @@
/*
* LSCAN match extension for iptables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
* Copyright © Jan Engelhardt, 2006 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

26
extensions/libxt_psd.c
View File

@@ -30,6 +30,8 @@
#include "xt_psd.h"
#include "compat_user.h"
#define SCAN_DELAY_THRESHOLD 300
/* Function which prints out usage message. */
static void psd_mt_help(void) {
printf(
@@ -137,19 +139,19 @@ static void psd_mt_save(const void *ip, const struct xt_entry_match *match)
}
static struct xtables_match psd_mt_reg = {
.name = "psd",
.version = XTABLES_VERSION,
.revision = 1,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_psd_info)),
.name = "psd",
.version = XTABLES_VERSION,
.revision = 1,
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_psd_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_psd_info)),
.help = psd_mt_help,
.init = psd_mt_init,
.parse = psd_mt_parse,
.final_check = psd_mt_final_check,
.print = psd_mt_print,
.save = psd_mt_save,
.extra_opts = psd_mt_opts,
.help = psd_mt_help,
.init = psd_mt_init,
.parse = psd_mt_parse,
.final_check = psd_mt_final_check,
.print = psd_mt_print,
.save = psd_mt_save,
.extra_opts = psd_mt_opts,
};
static __attribute__((constructor)) void psd_mt_ldr(void)

2
extensions/libxt_quota2.c
View File

@@ -1,7 +1,7 @@
/*
* "quota2" match extension for iptables
* Sam Johnston <samj [at] samj net>
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

34
extensions/pknock/xt_pknock.c
View File

@@ -32,10 +32,6 @@
#include "xt_pknock.h"
#include "compat_xtables.h"
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
# define PK_CRYPTO 1
#endif
enum status {
ST_INIT = 1,
ST_MATCHING,
@@ -113,7 +109,6 @@ static struct proc_dir_entry *pde;
static DEFINE_SPINLOCK(list_lock);
#ifdef PK_CRYPTO
static struct {
const char *algo;
struct crypto_hash *tfm;
@@ -124,7 +119,6 @@ static struct {
.tfm = NULL,
.size = 0
};
#endif
module_param(rule_hashsize, int, S_IRUGO);
MODULE_PARM_DESC(rule_hashsize, "Buckets in rule hash table (default: 8)");
@@ -719,7 +713,6 @@ msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
return true;
}
#ifdef PK_CRYPTO
/**
* Transforms a sequence of characters to hexadecimal.
*
@@ -783,9 +776,7 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
epoch_min = get_seconds() / 60;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
sg_init_table(sg, ARRAY_SIZE(sg));
#endif
sg_set_buf(&sg[0], &ipsrc, sizeof(ipsrc));
sg_set_buf(&sg[1], &epoch_min, sizeof(epoch_min));
@@ -818,7 +809,6 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
kfree(hexresult);
return fret;
}
#endif /* PK_CRYPTO */
/**
* If the peer pass the security policy.
@@ -841,13 +831,11 @@ pass_security(struct peer *peer, const struct xt_pknock_mtinfo *info,
pk_debug("DENIED (anti-spoof protection)", peer);
return false;
}
#ifdef PK_CRYPTO
/* Check for OPEN secret */
if (has_secret(info->open_secret,
info->open_secret_len, peer->ip,
payload, payload_len))
return true;
#endif
return false;
}
@@ -939,7 +927,6 @@ static bool
is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
const unsigned char *payload, unsigned int payload_len)
{
#ifdef PK_CRYPTO
/* Check for CLOSE secret. */
if (has_secret(info->close_secret,
info->close_secret_len, peer->ip,
@@ -948,7 +935,6 @@ is_close_knock(const struct peer *peer, const struct xt_pknock_mtinfo *info,
pk_debug("BLOCKED", peer);
return true;
}
#endif
return false;
}
@@ -983,14 +969,8 @@ static bool pknock_mt(const struct sk_buff *skb,
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
#ifdef PK_CRYPTO
hdr_len = (iph->ihl * 4) + sizeof(struct udphdr);
break;
#else
pr_debug("UDP protocol not supported\n");
return false;
#endif
default:
pr_debug("IP payload protocol is neither tcp nor udp.\n");
return false;
@@ -1079,12 +1059,9 @@ static int pknock_mt_check(const struct xt_mtchk_param *par)
if (!(info->option & XT_PKNOCK_NAME))
RETURN_ERR("You must specify --name option.\n");
#ifndef PK_CRYPTO
if (info->option & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_CLOSESECRET))
RETURN_ERR("No crypto support available; "
"cannot use opensecret/closescret\n");
#endif
if (info->option & XT_PKNOCK_OPENSECRET && info->ports_count != 1)
RETURN_ERR("--opensecret must have just one knock port\n");
if (info->option & XT_PKNOCK_KNOCKPORT) {
@@ -1154,7 +1131,6 @@ static int __init xt_pknock_mt_init(void)
if (gc_expir_time < DEFAULT_GC_EXPIRATION_TIME)
gc_expir_time = DEFAULT_GC_EXPIRATION_TIME;
#ifdef PK_CRYPTO
if (request_module(crypto.algo) < 0) {
printk(KERN_ERR PKNOCK "request_module('%s') error.\n",
crypto.algo);
@@ -1171,11 +1147,8 @@ static int __init xt_pknock_mt_init(void)
crypto.size = crypto_hash_digestsize(crypto.tfm);
crypto.desc.tfm = crypto.tfm;
crypto.desc.flags = 0;
#else
pr_info("No crypto support for < 2.6.19\n");
#endif
pde = proc_mkdir("xt_pknock", init_net__proc_net);
pde = proc_mkdir("xt_pknock", init_net.proc_net);
if (pde == NULL) {
printk(KERN_ERR PKNOCK "proc_mkdir() error in _init().\n");
return -ENXIO;
@@ -1185,14 +1158,11 @@ static int __init xt_pknock_mt_init(void)
static void __exit xt_pknock_mt_exit(void)
{
remove_proc_entry("xt_pknock", init_net__proc_net);
remove_proc_entry("xt_pknock", init_net.proc_net);
xt_unregister_match(&xt_pknock_mt_reg);
kfree(rule_hashtable);
#ifdef PK_CRYPTO
if (crypto.tfm != NULL)
crypto_free_hash(crypto.tfm);
#endif
}
module_init(xt_pknock_mt_init);

66
extensions/xt_CHAOS.c
View File

@@ -1,6 +1,6 @@
/*
* "CHAOS" target extension for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
* Copyright © Jan Engelhardt, 2006 - 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -54,29 +54,8 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
const int fragoff = ntohs(iph->frag_off) & IP_OFFSET;
typeof(xt_tarpit) destiny;
bool ret;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)
int hotdrop = false;
#else
bool hotdrop = false;
#endif
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
ret = xm_tcp->match(skb, par->in, par->out, xm_tcp, &tcp_params,
fragoff, thoff, &hotdrop);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
{
struct xt_match_param local_par = {
.in = par->in,
.out = par->out,
.match = xm_tcp,
.matchinfo = &tcp_params,
.fragoff = fragoff,
.thoff = thoff,
.hotdrop = &hotdrop,
};
ret = xm_tcp->match(skb, &local_par);
}
#else
{
struct xt_action_param local_par;
local_par.in = par->in,
@@ -89,30 +68,10 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
ret = xm_tcp->match(skb, &local_par);
hotdrop = local_par.hotdrop;
}
#endif
if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
return;
destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
destiny->target(&skb, par->in, par->out, par->hooknum, destiny, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
destiny->target(skb, par->in, par->out, par->hooknum, destiny, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
{
struct xt_target_param local_par = {
.in = par->in,
.out = par->out,
.hooknum = par->hooknum,
.target = destiny,
.targinfo = par->targinfo,
.family = par->family,
};
destiny->target(skb, &local_par);
}
#else
{
struct xt_action_param local_par;
local_par.in = par->in;
@@ -123,7 +82,6 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
local_par.family = par->family;
destiny->target(skb, &local_par);
}
#endif
}
static unsigned int
@@ -142,25 +100,6 @@ chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
const struct iphdr *iph = ip_hdr(skb);
if ((unsigned int)net_random() <= reject_percentage) {
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
return xt_reject->target(pskb, par->in, par->out, par->hooknum,
xt_reject, &reject_params, NULL);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return xt_reject->target(pskb, par->in, par->out, par->hooknum,
xt_reject, &reject_params);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
return xt_reject->target(skb, par->in, par->out, par->hooknum,
xt_reject, &reject_params);
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 34)
struct xt_target_param local_par = {
.in = par->in,
.out = par->out,
.hooknum = par->hooknum,
.target = xt_reject,
.targinfo = &reject_params,
};
return xt_reject->target(skb, &local_par);
#else
struct xt_action_param local_par;
local_par.in = par->in;
local_par.out = par->out;
@@ -168,7 +107,6 @@ chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
local_par.target = xt_reject;
local_par.targinfo = &reject_params;
return xt_reject->target(skb, &local_par);
#endif
}
/* TARPIT/DELUDE may not be called from the OUTPUT chain */
@@ -274,6 +212,6 @@ static void __exit chaos_tg_exit(void)
module_init(chaos_tg_init);
module_exit(chaos_tg_exit);
MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CHAOS");

80
extensions/xt_CHECKSUM.c
View File

@@ -1,80 +0,0 @@
/*
* (C) 2002 by Harald Welte <laforge@netfilter.org>
* (C) 2010 Red Hat, Inc.
*
* Author: Michael S. Tsirkin <mst@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/version.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
# error ----------------------------------------------------------
# error This module has been merged into, and is available in the
# error mainline since Linux kernel v2.6.36. Please use that.
# error ----------------------------------------------------------
#endif
#include <linux/netfilter/x_tables.h>
#include "xt_CHECKSUM.h"
#include "compat_xtables.h"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
MODULE_DESCRIPTION("Xtables: checksum modification");
MODULE_ALIAS("ipt_CHECKSUM");
MODULE_ALIAS("ip6t_CHECKSUM");
static unsigned int
checksum_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
if (skb->ip_summed == CHECKSUM_PARTIAL)
skb_checksum_help(skb);
return XT_CONTINUE;
}
static int checksum_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_CHECKSUM_info *einfo = par->targinfo;
if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
return -EINVAL;
}
if (!einfo->operation) {
pr_info("no CHECKSUM operation enabled\n");
return -EINVAL;
}
return 0;
}
static struct xt_target checksum_tg_reg __read_mostly = {
.name = "CHECKSUM",
.family = NFPROTO_UNSPEC,
.target = checksum_tg,
.targetsize = sizeof(struct xt_CHECKSUM_info),
.table = "mangle",
.checkentry = checksum_tg_check,
.me = THIS_MODULE,
};
static int __init checksum_tg_init(void)
{
return xt_register_target(&checksum_tg_reg);
}
static void __exit checksum_tg_exit(void)
{
xt_unregister_target(&checksum_tg_reg);
}
module_init(checksum_tg_init);
module_exit(checksum_tg_exit);

18
extensions/xt_CHECKSUM.h
View File

@@ -1,18 +0,0 @@
/* Header file for iptables ipt_CHECKSUM target
*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
* (C) 2010 Red Hat Inc
* Author: Michael S. Tsirkin <mst@redhat.com>
*
* This software is distributed under GNU GPL v2, 1991
*/
#ifndef _IPT_CHECKSUM_TARGET_H
#define _IPT_CHECKSUM_TARGET_H
#define XT_CHECKSUM_OP_FILL 0x01 /* fill in checksum in IP header */
struct xt_CHECKSUM_info {
__u8 operation; /* bitset of operations */
};
#endif /* _IPT_CHECKSUM_TARGET_H */

10
extensions/xt_DELUDE.c
View File

@@ -1,6 +1,6 @@
/*
* "DELUDE" target extension for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
* Copyright © Jan Engelhardt, 2007 - 2008
*
* Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
* (C) 1999-2001 Paul `Rusty' Russell
@@ -100,15 +100,9 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
}
}
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
#else
tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
#endif
addr_type = RTN_UNSPEC;
#ifdef CONFIG_BRIDGE_NETFILTER
@@ -177,6 +171,6 @@ static void __exit delude_tg_exit(void)
module_init(delude_tg_init);
module_exit(delude_tg_exit);
MODULE_DESCRIPTION("Xtables: Close TCP connections after handshake");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DELUDE");

4
extensions/xt_DHCPMAC.c
View File

@@ -1,6 +1,6 @@
/*
* "DHCPMAC" extensions for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008
* Copyright © Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -167,7 +167,7 @@ static void __exit dhcpmac_exit(void)
module_init(dhcpmac_init);
module_exit(dhcpmac_exit);
MODULE_DESCRIPTION("Xtables: Clamp DHCP MAC to packet MAC addresses");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_DHCPMAC");
MODULE_ALIAS("ipt_dhcpmac");

446
extensions/xt_DNETMAP.c
View File

@@ -3,7 +3,7 @@
* or destination (PREROUTING),
*/
/* (C) 2011 Marek Kierdelewicz <marek@koba.pl>
/* (C) 2012 Marek Kierdelewicz <marek@koba.pl>
*
* module is dedicated to my wife Eliza and my daughters Jula and Ola :* :* :*
*
@@ -19,6 +19,7 @@
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/inet.h>
#include <linux/ip.h>
#include <linux/module.h>
#include <linux/netdevice.h>
@@ -26,21 +27,14 @@
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/x_tables.h>
#include <linux/version.h>
#include <net/netfilter/nf_nat_rule.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
#include <net/net_namespace.h>
#include <net/netns/generic.h>
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
# include <net/netfilter/nf_nat.h>
#else
# include <linux/netfilter/nf_nat.h>
#endif
#include <net/netfilter/nf_nat.h>
#include "compat_xtables.h"
#include "xt_DNETMAP.h"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marek Kierdelewicz <marek@koba.pl>");
MODULE_AUTHOR("Marek Kierdelewicz <marek@piasta.pl>");
MODULE_DESCRIPTION(
"Xtables: dynamic two-way 1:1 NAT mapping of IPv4 addresses");
MODULE_ALIAS("ipt_DNETMAP");
@@ -77,19 +71,26 @@ struct dnetmap_entry {
struct list_head lru_list;
__be32 prenat_addr;
__be32 postnat_addr;
__u8 flags;
unsigned long stamp;
struct dnetmap_prefix *prefix;
};
struct dnetmap_prefix {
struct nf_nat_ipv4_multi_range_compat prefix;
struct nf_nat_range prefix;
char prefix_str[16];
struct list_head list;
#ifdef CONFIG_PROC_FS
char proc_str_data[20];
char proc_str_stat[25];
#endif
struct list_head elist; // element list head
struct list_head list; // prefix list
__u8 flags;
unsigned int refcnt;
/* lru entry list */
struct list_head lru_list;
/* hash based on prenat-ips */
struct list_head iphash[0];
/* pointer do dnetmap_net */
struct dnetmap_net *dnetmap;
};
struct dnetmap_net {
@@ -101,16 +102,11 @@ struct dnetmap_net {
struct list_head *dnetmap_iphash;
};
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
static int dnetmap_net_id;
static inline struct dnetmap_net *dnetmap_pernet(struct net *net)
{
return net_generic(net, dnetmap_net_id);
}
#else
struct dnetmap_net *dnetmap;
#define dnetmap_pernet(x) dnetmap
#endif
static DEFINE_SPINLOCK(dnetmap_lock);
static DEFINE_MUTEX(dnetmap_mutex);
@@ -157,9 +153,21 @@ dnetmap_entry_rlookup(struct dnetmap_net *dnetmap_net, const __be32 addr)
return NULL;
}
static int
dnetmap_addr_in_prefix(struct dnetmap_net *dnetmap_net, const __be32 addr,
struct dnetmap_prefix *p)
{
struct dnetmap_entry *e;
list_for_each_entry(e, &p->elist, list)
if (memcmp(&e->postnat_addr, &addr, sizeof(addr)) == 0)
return 1;
return 0;
}
static struct dnetmap_prefix *
dnetmap_prefix_lookup(struct dnetmap_net *dnetmap_net,
const struct nf_nat_ipv4_multi_range_compat *mr)
const struct nf_nat_range *mr)
{
struct dnetmap_prefix *p;
@@ -169,12 +177,47 @@ dnetmap_prefix_lookup(struct dnetmap_net *dnetmap_net,
return NULL;
}
static void dnetmap_prefix_flush(struct dnetmap_net *dnetmap_net,
static void dnetmap_prefix_destroy(struct dnetmap_net *dnetmap_net,
struct dnetmap_prefix *p)
{
struct dnetmap_entry *e, *next;
unsigned int i;
#ifdef CONFIG_PROC_FS
remove_proc_entry(p->proc_str_data, dnetmap_net->xt_dnetmap);
remove_proc_entry(p->proc_str_stat, dnetmap_net->xt_dnetmap);
#endif
for (i = 0; i < hash_size; i++) {
list_for_each_entry_safe(e, next,
&dnetmap_net->dnetmap_iphash[i], glist)
if (e->prefix == p)
list_del(&e->glist);
list_for_each_entry_safe(e, next,
&dnetmap_net->
dnetmap_iphash[hash_size + i], grlist)
if (e->prefix == p)
list_del(&e->grlist);
}
list_for_each_entry_safe(e, next, &p->elist, list) {
list_del(&e->list);
if(! (e->flags & XT_DNETMAP_STATIC)) list_del(&e->lru_list);
kfree(e);
}
list_del(&p->list);
kfree(p);
}
/* function clears bindings without destroying prefix */
static void dnetmap_prefix_softflush(struct dnetmap_prefix *p)
{
struct dnetmap_net *dnetmap_net = p->dnetmap;
struct dnetmap_entry *e, *next;
unsigned int i;
for (i = 0; i < hash_size; i++) {
list_for_each_entry_safe(e, next,
&dnetmap_net->dnetmap_iphash[i], glist)
@@ -186,12 +229,16 @@ static void dnetmap_prefix_flush(struct dnetmap_net *dnetmap_net,
dnetmap_iphash[hash_size + i], grlist)
if (e->prefix == p)
list_del(&e->grlist);
}
list_for_each_entry_safe(e, next, &p->elist, list) {
list_for_each_entry_safe(e, next, &p->iphash[i], list) {
list_del(&e->list);
list_del(&e->lru_list);
kfree(e);
/* make dynamic entry of any static entry */
if(e->flags & XT_DNETMAP_STATIC){
list_add_tail(&e->lru_list, &p->lru_list);
e->flags&=~XT_DNETMAP_STATIC;
}
e->stamp=jiffies-1;
e->prenat_addr=0;
}
}
@@ -199,16 +246,13 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
{
struct dnetmap_net *dnetmap_net = dnetmap_pernet(par->net);
const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
const struct nf_nat_range *mr = &tginfo->prefix;
struct dnetmap_prefix *p;
struct dnetmap_entry *e;
#ifdef CONFIG_PROC_FS
struct proc_dir_entry *pde_data, *pde_stat;
char proc_str_data[20];
char proc_str_stat[25];
#endif
int ret = -EINVAL;
int i;
__be32 a;
__u32 ip_min, ip_max, ip;
@@ -218,14 +262,10 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
return ret;
}
if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
if (!(mr->flags & NF_NAT_RANGE_MAP_IPS)) {
pr_debug("DNETMAP:check: bad MAP_IPS.\n");
return -EINVAL;
}
if (mr->rangesize != 1) {
pr_debug("DNETMAP:check: bad rangesize %u.\n", mr->rangesize);
return -EINVAL;
}
mutex_lock(&dnetmap_mutex);
p = dnetmap_prefix_lookup(dnetmap_net, mr);
@@ -243,21 +283,23 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
goto out;
}
p->refcnt = 1;
p->flags = 0;
p->flags |= (tginfo->flags & XT_DNETMAP_PERSISTENT);
p->dnetmap = dnetmap_net;
memcpy(&p->prefix, mr, sizeof(*mr));
INIT_LIST_HEAD(&p->lru_list);
for (i = 0; i < hash_size * 2; i++)
INIT_LIST_HEAD(&p->iphash[i]);
INIT_LIST_HEAD(&p->elist);
ip_min = ntohl(mr->range[0].min_ip) + (whole_prefix == 0);
ip_max = ntohl(mr->range[0].max_ip) - (whole_prefix == 0);
ip_min = ntohl(mr->min_addr.ip) + (whole_prefix == 0);
ip_max = ntohl(mr->max_addr.ip) - (whole_prefix == 0);
sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->range[0].min_ip),
sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->min_addr.ip),
33 - ffs(~(ip_min ^ ip_max)));
#ifdef CONFIG_PROC_FS
sprintf(proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->range[0].min_ip),
sprintf(p->proc_str_data, NIPQUAD_FMT "_%u", NIPQUAD(mr->min_addr.ip),
33 - ffs(~(ip_min ^ ip_max)));
sprintf(proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->range[0].min_ip),
sprintf(p->proc_str_stat, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->min_addr.ip),
33 - ffs(~(ip_min ^ ip_max)));
#endif
printk(KERN_INFO KBUILD_MODNAME ": new prefix %s\n", p->prefix_str);
@@ -271,12 +313,14 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
e->prenat_addr = 0;
e->stamp = jiffies;
e->prefix = p;
e->flags = 0;
list_add_tail(&e->lru_list, &p->lru_list);
list_add_tail(&e->list, &p->elist);
}
#ifdef CONFIG_PROC_FS
/* data */
pde_data = proc_create_data(proc_str_data, proc_perms,
pde_data = proc_create_data(p->proc_str_data, proc_perms,
dnetmap_net->xt_dnetmap,
&dnetmap_tg_fops, p);
if (pde_data == NULL) {
@@ -288,7 +332,7 @@ static int dnetmap_tg_check(const struct xt_tgchk_param *par)
pde_data->gid = proc_gid;
/* statistics */
pde_stat = create_proc_entry(proc_str_stat, proc_perms,
pde_stat = create_proc_entry(p->proc_str_stat, proc_perms,
dnetmap_net->xt_dnetmap);
if (pde_stat == NULL) {
kfree(p);
@@ -321,8 +365,8 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
enum ip_conntrack_info ctinfo;
__be32 prenat_ip, postnat_ip, prenat_ip_prev;
const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
struct nf_nat_ipv4_range newrange;
const struct nf_nat_range *mr = &tginfo->prefix;
struct nf_nat_range newrange;
struct dnetmap_entry *e;
struct dnetmap_prefix *p;
__s32 jttl;
@@ -351,7 +395,7 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
if (memcmp(mr, &e->prefix, sizeof(*mr)))
goto no_rev_map;
/* don't reset ttl if flag is set */
if (jttl >= 0) {
if (jttl >= 0 && (! (e->flags & XT_DNETMAP_STATIC) ) ) {
p = e->prefix;
e->stamp = jiffies + jttl;
list_move_tail(&e->lru_list, &p->lru_list);
@@ -359,15 +403,14 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
spin_unlock_bh(&dnetmap_lock);
newrange = ((struct nf_nat_ipv4_range) {
mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
e->prenat_addr, e->prenat_addr,
mr->range[0].min, mr->range[0].max});
/* Hand modified range to generic setup. */
memset(&newrange, 0, sizeof(newrange));
newrange.flags = mr->flags | NF_NAT_RANGE_MAP_IPS;
newrange.min_addr.ip = e->prenat_addr;
newrange.max_addr.ip = e->prenat_addr;
newrange.min_proto = mr->min_proto;
newrange.max_proto = mr->max_proto;
return nf_nat_setup_info(ct, &newrange,
HOOK2MANIP(par->hooknum));
}
prenat_ip = ip_hdr(skb)->saddr;
@@ -378,17 +421,24 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
if (e == NULL) { /* need for new binding */
// finish if it's static only rule
if(tginfo->flags & XT_DNETMAP_STATIC)
goto no_free_ip;
bind_new_prefix:
e = list_entry(p->lru_list.next, struct dnetmap_entry,
lru_list);
if (e->prenat_addr != 0 && time_before(jiffies, e->stamp)) {
if (!disable_log)
if (!disable_log && ! (p->flags & XT_DNETMAP_FULL) ){
printk(KERN_INFO KBUILD_MODNAME
": ip " NIPQUAD_FMT " - no free adresses in prefix %s\n",
NIPQUAD(prenat_ip), p->prefix_str);
p->flags |= XT_DNETMAP_FULL;
}
goto no_free_ip;
}
p->flags &= ~XT_DNETMAP_FULL;
postnat_ip = e->postnat_addr;
if (e->prenat_addr != 0) {
@@ -397,7 +447,6 @@ bind_new_prefix:
printk(KERN_INFO KBUILD_MODNAME
": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
NIPQUAD(prenat_ip_prev), NIPQUAD(postnat_ip) );
list_del(&e->list);
list_del(&e->glist);
list_del(&e->grlist);
}
@@ -405,8 +454,6 @@ bind_new_prefix:
e->prenat_addr = prenat_ip;
e->stamp = jiffies + jttl;
list_move_tail(&e->lru_list, &p->lru_list);
list_add_tail(&e->list,
&p->iphash[dnetmap_entry_hash(prenat_ip)]);
list_add_tail(&e->glist,
&dnetmap_net->
dnetmap_iphash[dnetmap_entry_hash(prenat_ip)]);
@@ -421,21 +468,21 @@ bind_new_prefix:
} else {
if (!(tginfo->flags & XT_DNETMAP_REUSE))
if (!(tginfo->flags & XT_DNETMAP_REUSE) && !(e->flags & XT_DNETMAP_STATIC))
if (time_before(e->stamp, jiffies) && p != e->prefix) {
if (!disable_log)
printk(KERN_INFO KBUILD_MODNAME
": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
NIPQUAD(e->prenat_addr),
NIPQUAD(e->postnat_addr));
list_del(&e->list);
list_del(&e->glist);
list_del(&e->grlist);
e->prenat_addr = 0;
goto bind_new_prefix;
}
/* don't reset ttl if flag is set */
if (jttl >= 0) {
/* don't reset ttl if flag is set
or it is static entry*/
if (jttl >= 0 && ! (e->flags & XT_DNETMAP_STATIC) ) {
e->stamp = jiffies + jttl;
p = e->prefix;
list_move_tail(&e->lru_list, &p->lru_list);
@@ -445,12 +492,12 @@ bind_new_prefix:
spin_unlock_bh(&dnetmap_lock);
newrange = ((struct nf_nat_ipv4_range) {
mr->range[0].flags | NF_NAT_RANGE_MAP_IPS,
postnat_ip, postnat_ip,
mr->range[0].min, mr->range[0].max});
/* Hand modified range to generic setup. */
memset(&newrange, 0, sizeof(newrange));
newrange.flags = mr->flags | NF_NAT_RANGE_MAP_IPS;
newrange.min_addr.ip = postnat_ip;
newrange.max_addr.ip = postnat_ip;
newrange.min_proto = mr->min_proto;
newrange.max_proto = mr->max_proto;
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
no_rev_map:
@@ -464,34 +511,19 @@ static void dnetmap_tg_destroy(const struct xt_tgdtor_param *par)
{
struct dnetmap_net *dnetmap_net = dnetmap_pernet(par->net);
const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
const struct nf_nat_ipv4_multi_range_compat *mr = &tginfo->prefix;
const struct nf_nat_range *mr = &tginfo->prefix;
struct dnetmap_prefix *p;
#ifdef CONFIG_PROC_FS
char str[25];
#endif
if (!(tginfo->flags & XT_DNETMAP_PREFIX))
return;
mutex_lock(&dnetmap_mutex);
spin_lock_bh(&dnetmap_lock);
p = dnetmap_prefix_lookup(dnetmap_net, mr);
if (--p->refcnt == 0) {
spin_lock_bh(&dnetmap_lock);
list_del(&p->list);
spin_unlock_bh(&dnetmap_lock);
#ifdef CONFIG_PROC_FS
sprintf(str, NIPQUAD_FMT "_%u", NIPQUAD(mr->range[0].min_ip),
33 - ffs(~(ntohl(mr->range[0].min_ip ^
mr->range[0].max_ip))));
remove_proc_entry(str, dnetmap_net->xt_dnetmap);
sprintf(str, NIPQUAD_FMT "_%u_stat", NIPQUAD(mr->range[0].min_ip),
33 - ffs(~(ntohl(mr->range[0].min_ip ^
mr->range[0].max_ip))));
remove_proc_entry(str, dnetmap_net->xt_dnetmap);
#endif
dnetmap_prefix_flush(dnetmap_net, p);
kfree(p);
if (--p->refcnt == 0 && (! (p->flags & XT_DNETMAP_PERSISTENT) ) ) {
dnetmap_prefix_destroy(dnetmap_net, p);
}
spin_unlock_bh(&dnetmap_lock);
mutex_unlock(&dnetmap_mutex);
}
@@ -511,7 +543,7 @@ __acquires(dnetmap_lock)
spin_lock_bh(&dnetmap_lock);
list_for_each_entry(e, &prefix->lru_list, lru_list)
list_for_each_entry(e, &prefix->elist, list)
if (p-- == 0)
return e;
return NULL;
@@ -522,13 +554,13 @@ static void *dnetmap_seq_next(struct seq_file *seq, void *v, loff_t * pos)
struct dnetmap_iter_state *st = seq->private;
const struct dnetmap_prefix *prefix = st->p;
const struct dnetmap_entry *e = v;
const struct list_head *head = e->lru_list.next;
const struct list_head *head = e->list.next;
if (head == &prefix->lru_list)
if (head == &prefix->elist)
return NULL;
++*pos;
return list_entry(head, struct dnetmap_entry, lru_list);
return list_entry(head, struct dnetmap_entry, list);
}
static void dnetmap_seq_stop(struct seq_file *s, void *v)
@@ -541,9 +573,14 @@ static int dnetmap_seq_show(struct seq_file *seq, void *v)
{
const struct dnetmap_entry *e = v;
seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: %d lasthit: %lu\n",
NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr),
(int)(e->stamp - jiffies) / HZ, (e->stamp - jtimeout) / HZ);
if((e->flags & XT_DNETMAP_STATIC) == 0){
seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: %d lasthit: %lu\n",
NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr),
(int)(e->stamp - jiffies) / HZ, (e->stamp - jtimeout) / HZ);
}else{
seq_printf(seq, NIPQUAD_FMT " -> " NIPQUAD_FMT " --- ttl: S lasthit: S\n",
NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr));
}
return 0;
}
@@ -567,9 +604,180 @@ static int dnetmap_seq_open(struct inode *inode, struct file *file)
return 0;
}
static ssize_t
dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, loff_t *loff)
{
const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
struct dnetmap_prefix *p = pde->data;
struct dnetmap_entry *e;
char buf[sizeof("+192.168.100.100:200.200.200.200")];
const char *c = buf;
const char *c2;
//union nf_inet_addr addr = {};
__be32 addr1,addr2;
bool add;
char str[25];
if (size == 0)
return 0;
if (size > sizeof(buf))
size = sizeof(buf);
if (copy_from_user(buf, input, size) != 0)
return -EFAULT;
if(strcspn(c,"\n") < size)
buf[strcspn(c,"\n")]='\0';
/* Strict protocol! */
if (*loff != 0)
return -ESPIPE;
switch (*c) {
case 'f': /* flush table */
if( strcmp(c,"flush") != 0 )
goto invalid_arg;
printk(KERN_INFO KBUILD_MODNAME ": flushing prefix %s\n", p->prefix_str);
spin_lock_bh(&dnetmap_lock);
dnetmap_prefix_softflush(p);
spin_unlock_bh(&dnetmap_lock);
return size;
case '-': /* remove address or attribute */
if( strcmp(c,"-persistent") == 0){
/* case if persistent flag is already unset */
if( ! (p->flags & XT_DNETMAP_PERSISTENT) ){
printk(KERN_INFO KBUILD_MODNAME ": prefix %s is not persistent already - doing nothing\n", p->prefix_str);
return size;
}
printk(KERN_INFO KBUILD_MODNAME ": prefix %s is now non-persistent\n", p->prefix_str);
spin_lock_bh(&dnetmap_lock);
p->flags &= ~XT_DNETMAP_PERSISTENT;
spin_unlock_bh(&dnetmap_lock);
return size;
}
add = false;
break;
case '+': /* add address or attribute */
if( strcmp(c,"+persistent") == 0){
/* case if persistent flag is already unset */
if( p->flags & XT_DNETMAP_PERSISTENT ){
printk(KERN_INFO KBUILD_MODNAME ": prefix %s is persistent already - doing nothing\n", p->prefix_str);
return size;
}
printk(KERN_INFO KBUILD_MODNAME ": prefix %s is now persistent\n", p->prefix_str);
spin_lock_bh(&dnetmap_lock);
p->flags |= XT_DNETMAP_PERSISTENT;
spin_unlock_bh(&dnetmap_lock);
return size;
}
add = true;
break;
default:
goto invalid_arg;
}
spin_lock_bh(&dnetmap_lock);
// in case static entry is added we need to parse second ip addresses
if (add){
c2 = strchr(c,':');
if(c2 == NULL)
goto invalid_arg_unlock;
c++;
c2++;
if( ! (in4_pton(c2,strlen(c2),(void *)&addr2, '\0', NULL) &&
in4_pton(c,strlen(c),(void *)&addr1, ':', NULL)))
goto invalid_arg_unlock;
// sanity check - prenat ip can't belong to postnat prefix
if ( dnetmap_addr_in_prefix(p->dnetmap, addr1, p)){
printk(KERN_INFO KBUILD_MODNAME ": add static binding operation failed - prenat ip can't belong to postnat prefix\n");
goto invalid_arg_unlock;
}
// make sure postnat ip belongs to postnat prefix
if ( ! dnetmap_addr_in_prefix(p->dnetmap, addr2, p)){
printk(KERN_INFO KBUILD_MODNAME ": add static binding operation failed - postnat ip must belong to postnat prefix\n");
goto invalid_arg_unlock;
}
e = dnetmap_entry_rlookup(p->dnetmap,addr2);
if(e != NULL){
if (!disable_log)
printk(KERN_INFO KBUILD_MODNAME
": timeout binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr) );
list_del(&e->glist);
list_del(&e->grlist);
}else{
// find existing entry in prefix elist
list_for_each_entry(e, &p->elist, list)
if (memcmp(&e->postnat_addr, &addr2, sizeof(addr2)) == 0){
break;
}
}
e->prenat_addr=addr1;
e->flags |= XT_DNETMAP_STATIC;
list_add_tail(&e->glist,
&p->dnetmap->
dnetmap_iphash[dnetmap_entry_hash(e->prenat_addr)]);
list_add_tail(&e->grlist,
&p->dnetmap->dnetmap_iphash[hash_size +
dnetmap_entry_hash
(e->postnat_addr)]);
list_del(&e->lru_list);
sprintf(str, NIPQUAD_FMT ":" NIPQUAD_FMT, NIPQUAD(addr1),NIPQUAD(addr2));
printk(KERN_INFO KBUILD_MODNAME ": adding static binding %s\n", str);
// case of removing binding
}else{
c++;
if( ! in4_pton(c,strlen(c),(void *)&addr1, '\0', NULL))
goto invalid_arg_unlock;
e = dnetmap_entry_rlookup(p->dnetmap,addr1);
if(e == NULL) e = dnetmap_entry_lookup(p->dnetmap,addr1);
if(e != NULL){
if (!disable_log)
printk(KERN_INFO KBUILD_MODNAME
": remove binding " NIPQUAD_FMT " -> " NIPQUAD_FMT "\n",
NIPQUAD(e->prenat_addr), NIPQUAD(e->postnat_addr) );
list_del(&e->glist);
list_del(&e->grlist);
if(e->flags & XT_DNETMAP_STATIC){
list_add_tail(&e->lru_list,&p->lru_list);
e->flags &= ~XT_DNETMAP_STATIC;
}
e->prenat_addr=0;
e->stamp=jiffies-1;
}else{
goto invalid_arg_unlock;
}
}
spin_unlock_bh(&dnetmap_lock);
/* Note we removed one above */
*loff += size + 1;
return size + 1;
invalid_arg_unlock:
spin_unlock_bh(&dnetmap_lock);
invalid_arg:
//printk(KERN_INFO KBUILD_MODNAME ": Need \"+prenat_ip:postnat_ip\", \"-ip\" or \"/\"\n");
printk(KERN_INFO KBUILD_MODNAME ": Error! Invalid option passed via procfs.\n");
return -EINVAL;
}
static const struct file_operations dnetmap_tg_fops = {
.open = dnetmap_seq_open,
.read = seq_read,
.write = dnetmap_tg_proc_write,
.release = seq_release_private,
.owner = THIS_MODULE,
};
@@ -581,27 +789,31 @@ static int dnetmap_stat_proc_read(char __user *buffer, char **start,
{
const struct dnetmap_prefix *p = data;
struct dnetmap_entry *e;
unsigned int used, all;
unsigned int used, used_static, all;
long int ttl, sum_ttl;
used = 0;
all = 0;
sum_ttl = 0;
used=used_static=all=sum_ttl=0;
spin_lock_bh(&dnetmap_lock);
list_for_each_entry(e, &p->lru_list, lru_list) {
list_for_each_entry(e, &p->elist, list) {
ttl = e->stamp - jiffies;
if (e->prenat_addr != 0 && ttl >= 0) {
used++;
sum_ttl += ttl;
if (e->prenat_addr != 0){
if (e->flags & XT_DNETMAP_STATIC){
used_static++;
}else{
ttl = e->stamp - jiffies;
if (e->prenat_addr != 0 && ttl >= 0) {
used++;
sum_ttl += ttl;
}
}
}
all++;
}
sum_ttl = used > 0 ? sum_ttl / (used * HZ) : 0;
sprintf(buffer, "%u %u %ld\n", used, all, sum_ttl);
sprintf(buffer, "%u %u %u %ld %s\n", used, used_static, all, sum_ttl,(p->flags & XT_DNETMAP_PERSISTENT ? "persistent" : ""));
if (length >= strlen(buffer))
*eof = true;
@@ -642,13 +854,6 @@ static int __net_init dnetmap_net_init(struct net *net)
struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
int i;
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
dnetmap = kmalloc(sizeof(struct dnetmap_net),GFP_ATOMIC);
if (dnetmap == NULL)
return -ENOMEM;
dnetmap_net = dnetmap;
#endif
dnetmap_net->dnetmap_iphash = kmalloc(sizeof(struct list_head) *
hash_size * 2, GFP_ATOMIC);
if (dnetmap_net->dnetmap_iphash == NULL)
@@ -663,22 +868,29 @@ static int __net_init dnetmap_net_init(struct net *net)
static void __net_exit dnetmap_net_exit(struct net *net)
{
struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
struct dnetmap_prefix *p,*next;
mutex_lock(&dnetmap_mutex);
spin_lock_bh(&dnetmap_lock);
list_for_each_entry_safe(p, next, &dnetmap_net->prefixes, list){
BUG_ON(p->refcnt != 0);
dnetmap_prefix_destroy(dnetmap_net, p);
}
spin_unlock_bh(&dnetmap_lock);
mutex_unlock(&dnetmap_mutex);
BUG_ON(!list_empty(&dnetmap_net->prefixes));
kfree(dnetmap_net->dnetmap_iphash);
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
kfree(dnetmap_net);
#endif
dnetmap_proc_net_exit(net);
}
static struct pernet_operations dnetmap_net_ops = {
.init = dnetmap_net_init,
.exit = dnetmap_net_exit,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 34)
.id = &dnetmap_net_id,
.size = sizeof(struct dnetmap_net),
#endif
};
static struct xt_target dnetmap_tg_reg __read_mostly = {
@@ -714,6 +926,8 @@ static int __init dnetmap_tg_init(void)
if (err)
unregister_pernet_subsys(&dnetmap_net_ops);
printk( KERN_INFO KBUILD_MODNAME " INIT successfull (version %d)\n", DNETMAP_VERSION );
return err;
}

15
extensions/xt_DNETMAP.h
View File

@@ -1,16 +1,21 @@
#ifndef _LINUX_NETFILTER_XT_DNETMAP_H
#define _LINUX_NETFILTER_XT_DNETMAP_H 1
#define DNETMAP_VERSION 2
enum {
XT_DNETMAP_TTL = 1 << 0,
XT_DNETMAP_REUSE = 1 << 1,
XT_DNETMAP_PREFIX = 1 << 2,
XT_DNETMAP_TTL = 1 << 0,
XT_DNETMAP_REUSE = 1 << 1,
XT_DNETMAP_PREFIX = 1 << 2,
XT_DNETMAP_STATIC = 1 << 3,
XT_DNETMAP_PERSISTENT = 1 << 4,
XT_DNETMAP_FULL = 1 << 5,
};
struct xt_DNETMAP_tginfo {
struct nf_nat_ipv4_multi_range_compat prefix;
struct nf_nat_range prefix;
__u8 flags;
__s16 ttl;
__s32 ttl;
};
#endif

13
extensions/xt_ECHO.c
View File

@@ -1,7 +1,7 @@
/*
* "ECHO" (RFC 862) target extension for Xtables
* Sample module for "Writing your own Netfilter Modules"
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2011
* Copyright © Jan Engelhardt, 2008-2011
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -18,6 +18,7 @@
# include <linux/netfilter_bridge.h>
#endif
#include <net/ip.h>
#include <net/ip6_checksum.h>
#include <net/ip6_route.h>
#include <net/route.h>
#include "compat_xtables.h"
@@ -104,11 +105,7 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
}
skb_dst_set(newskb, dst);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
newip->hop_limit = ip6_dst_hoplimit(skb_dst(newskb));
#else
newip->hop_limit = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
#endif
newskb->ip_summed = CHECKSUM_NONE;
/* "Never happens" (?) */
@@ -198,11 +195,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
if (ip_route_me_harder(&newskb, RTN_UNSPEC) != 0)
goto free_nskb;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
#else
newip->ttl = dst_metric(skb_dst(newskb), RTAX_HOPLIMIT);
#endif
newskb->ip_summed = CHECKSUM_NONE;
/* "Never happens" (?) */
@@ -251,7 +244,7 @@ static void __exit echo_tg_exit(void)
module_init(echo_tg_init);
module_exit(echo_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Xtables: ECHO diagnosis target");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ip6t_ECHO");

2
extensions/xt_IPMARK.c
View File

@@ -1,7 +1,7 @@
/*
* "IPMARK" target extension for Xtables
* Copyright © Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>, 2003
* Jan Engelhardt <jengelh [at] medozas de>, 2008
* Jan Engelhardt, 2008
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either

9
extensions/xt_LOGMARK.c
View File

@@ -2,7 +2,7 @@
* "LOGMARK" target extension to Xtables
* useful for debugging
*
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008-2010
* Copyright © Jan Engelhardt, 2008-2010
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -80,13 +80,8 @@ logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
printk(" ctdir=%s", dir_names[ctinfo >= IP_CT_IS_REPLY]);
if (ct == NULL)
printk(" ct=NULL ctmark=NULL ctstate=INVALID ctstatus=NONE");
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
else if (nf_ct_is_untracked(ct))
printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
#else
else if (ct == &nf_conntrack_untracked)
printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
#endif
else
logmark_ct(ct, ctinfo);
@@ -141,7 +136,7 @@ static void __exit logmark_tg_exit(void)
module_init(logmark_tg_init);
module_exit(logmark_tg_exit);
MODULE_DESCRIPTION("Xtables: netfilter mark logging to syslog");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_LOGMARK");
MODULE_ALIAS("ip6t_LOGMARK");

15
extensions/xt_RAWNAT.c
View File

@@ -22,8 +22,7 @@
#include <net/ipv6.h>
#include "compat_xtables.h"
#include "xt_RAWNAT.h"
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
@@ -97,9 +96,7 @@ static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
case IPPROTO_UDPLITE:
udph = transport_hdr;
cond = udph->check != 0;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
#endif
if (cond) {
inet_proto_csum_replace4(&udph->check, skb,
oldip, newip, true);
@@ -181,7 +178,7 @@ static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
*l4proto = NEXTHDR_MAX;
for (i = 0; i < ARRAY_SIZE(types); ++i) {
err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL);
err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL, NULL);
if (err >= 0) {
*l4proto = types[i];
break;
@@ -226,9 +223,7 @@ static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
case IPPROTO_UDPLITE:
udph = (void *)iph + l4offset;
cond = udph->check;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
#endif
if (cond) {
for (i = 0; i < 4; ++i)
inet_proto_csum_replace4(&udph->check, skb,
@@ -245,7 +240,7 @@ static unsigned int
rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
unsigned int l4offset = 0, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
@@ -266,7 +261,7 @@ static unsigned int
rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset, l4proto;
unsigned int l4offset = 0, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
@@ -350,7 +345,7 @@ static void __exit rawnat_tg_exit(void)
module_init(rawnat_tg_init);
module_exit(rawnat_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Xtables: conntrack-less raw NAT");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_RAWSNAT");

4
extensions/xt_STEAL.c
View File

@@ -1,6 +1,6 @@
/*
* "STEAL" demo target extension for Xtables
* written by Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2009
* written by Jan Engelhardt, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
@@ -58,7 +58,7 @@ static void __exit steal_tg_exit(void)
module_init(steal_tg_init);
module_exit(steal_tg_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_STEAL");

41
extensions/xt_SYSRQ.c
View File

@@ -1,6 +1,6 @@
/*
* "SYSRQ" target extension for Xtables
* Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2008 - 2010
* Copyright © Jan Engelhardt, 2008 - 2012
*
* Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
*
@@ -24,13 +24,13 @@
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "compat_xtables.h"
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) && \
(defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE))
#if defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE)
# define WITH_CRYPTO 1
#endif
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
@@ -120,9 +120,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
ret = crypto_hash_init(&desc);
if (ret != 0)
goto hash_fail;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
sg_init_table(sg, 2);
#endif
sg_set_buf(&sg[0], data, n);
i = strlen(sysrq_digest_password);
sg_set_buf(&sg[1], sysrq_digest_password, i);
@@ -154,13 +152,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
sysrq_seqno = new_seqno;
for (i = 0; i < len && data[i] != ','; ++i) {
printk(KERN_INFO KBUILD_MODNAME ": SysRq %c\n", data[i]);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
handle_sysrq(data[i]);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
handle_sysrq(data[i], NULL);
#else
handle_sysrq(data[i], NULL, NULL);
#endif
}
return NF_ACCEPT;
@@ -191,13 +183,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
return NF_DROP;
}
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
handle_sysrq(c);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
handle_sysrq(c, NULL);
#else
handle_sysrq(c, NULL, NULL);
#endif
return NF_ACCEPT;
}
#endif
@@ -240,15 +226,16 @@ sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
const struct ipv6hdr *iph;
const struct udphdr *udph;
unsigned short frag_off;
unsigned int th_off;
unsigned int th_off = 0;
uint16_t len;
if (skb_linearize(skb) < 0)
return NF_DROP;
iph = ipv6_hdr(skb);
if ((ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off) < 0 &&
ipv6_find_hdr(skb, &th_off, IPPROTO_UDPLITE, &frag_off) < 0) ||
/* Should probably be using %IP6T_FH_F_AUTH */
if ((ipv6_find_hdr(skb, &th_off, IPPROTO_UDP, &frag_off, NULL) < 0 &&
ipv6_find_hdr(skb, &th_off, IPPROTO_UDPLITE, &frag_off, NULL) < 0) ||
frag_off > 0)
return NF_DROP;
@@ -358,16 +345,14 @@ static int __init sysrq_crypto_init(void)
goto fail;
do_gettimeofday(&now);
sysrq_seqno = now.tv_sec;
ret = xt_register_targets(sysrq_tg_reg, ARRAY_SIZE(sysrq_tg_reg));
if (ret < 0)
goto fail;
return ret;
return 0;
fail:
sysrq_crypto_exit();
return ret;
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 19)
printk(KERN_WARNING "xt_SYSRQ does not provide crypto for < 2.6.19\n");
#else
printk(KERN_WARNING "Kernel was compiled without crypto, "
"so xt_SYSRQ won't use crypto.\n");
#endif
return -EINVAL;
}
@@ -388,7 +373,7 @@ static void __exit sysrq_tg_exit(void)
module_init(sysrq_tg_init);
module_exit(sysrq_tg_exit);
MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_AUTHOR("John Haxby <john.haxby@oracle.com");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_SYSRQ");

421
extensions/xt_TARPIT.c
View File

@@ -42,19 +42,139 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/version.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netfilter/x_tables.h>
#ifdef CONFIG_BRIDGE_NETFILTER
# include <linux/netfilter_bridge.h>
#endif
#include <net/addrconf.h>
#include <net/ip6_checksum.h>
#include <net/ip6_route.h>
#include <net/ipv6.h>
#include <net/route.h>
#include <net/tcp.h>
#include "compat_xtables.h"
#include "xt_TARPIT.h"
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
static bool xttarpit_tarpit(struct tcphdr *tcph, const struct tcphdr *oth)
{
/* No replies for RST, FIN or !SYN,!ACK */
if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
return false;
tcph->seq = oth->ack ? oth->ack_seq : 0;
/* Our SYN-ACKs must have a >0 window */
tcph->window = (oth->syn && !oth->ack) ? htons(5) : 0;
if (oth->syn && oth->ack) {
tcph->rst = true;
tcph->ack_seq = false;
} else {
tcph->syn = oth->syn;
tcph->ack = true;
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
}
#if 0
/* Rate-limit replies to !SYN,ACKs */
if (!oth->syn && oth->ack)
if (!xrlim_allow(rt_dst(ort), HZ))
return false;
#endif
return true;
}
static bool xttarpit_honeypot(struct tcphdr *tcph, const struct tcphdr *oth,
uint16_t payload)
{
/* Do not answer any resets regardless of combination */
if (oth->rst || oth->seq == 0xDEADBEEF)
return false;
/* Send a reset to scanners. They like that. */
if (oth->syn && oth->ack) {
tcph->window = 0;
tcph->ack = false;
tcph->psh = true;
tcph->ack_seq = 0xdeadbeef; /* see if they ack it */
tcph->seq = oth->ack_seq;
tcph->rst = true;
}
/* SYN > SYN-ACK */
if (oth->syn && !oth->ack) {
tcph->syn = true;
tcph->ack = true;
tcph->window = oth->window &
((net_random() & 0x1f) - 0xf);
tcph->seq = htonl(net_random() & ~oth->seq);
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
}
/* ACK > ACK */
if (oth->ack && (!(oth->fin || oth->syn))) {
tcph->syn = false;
tcph->ack = true;
tcph->window = oth->window &
((net_random() & 0x1f) - 0xf);
tcph->ack_seq = payload > 100 ?
htonl(ntohl(oth->seq) + payload) :
oth->seq;
tcph->seq = oth->ack_seq;
}
/*
* FIN > RST.
* We cannot terminate gracefully so just be abrupt.
*/
if (oth->fin) {
tcph->window = 0;
tcph->seq = oth->ack_seq;
tcph->ack_seq = oth->ack_seq;
tcph->fin = false;
tcph->ack = false;
tcph->rst = true;
}
return true;
}
static void xttarpit_reset(struct tcphdr *tcph, const struct tcphdr *oth)
{
tcph->window = 0;
tcph->ack = false;
tcph->syn = false;
tcph->rst = true;
tcph->seq = oth->ack_seq;
tcph->ack_seq = oth->seq;
}
static bool tarpit_generic(struct tcphdr *tcph, const struct tcphdr *oth,
uint16_t payload, unsigned int mode)
{
switch(mode) {
case XTTARPIT_TARPIT:
if (!xttarpit_tarpit(tcph, oth))
return false;
break;
case XTTARPIT_HONEYPOT:
if (!xttarpit_honeypot(tcph, oth, payload))
return false;
break;
case XTTARPIT_RESET:
xttarpit_reset(tcph, oth);
break;
}
return true;
}
static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
unsigned int mode)
{
struct tcphdr _otcph, *oth, *tcph;
struct tcphdr _otcph, *tcph;
const struct tcphdr *oth;
unsigned int addr_type = RTN_UNSPEC;
struct sk_buff *nskb;
const struct iphdr *oldhdr;
@@ -88,13 +208,9 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
nf_reset(nskb);
skb_nfmark(nskb) = 0;
skb_init_secmark(nskb);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
skb_shinfo(nskb)->gso_size = 0;
skb_shinfo(nskb)->gso_segs = 0;
skb_shinfo(nskb)->gso_type = 0;
#endif
oldhdr = ip_hdr(oldskb);
tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
@@ -116,96 +232,14 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
/* Reset flags */
((u_int8_t *)tcph)[13] = 0;
if (mode == XTTARPIT_TARPIT) {
/* No replies for RST, FIN or !SYN,!ACK */
if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
return;
tcph->seq = oth->ack ? oth->ack_seq : 0;
/* Our SYN-ACKs must have a >0 window */
tcph->window = (oth->syn && !oth->ack) ? htons(5) : 0;
if (oth->syn && oth->ack) {
tcph->rst = true;
tcph->ack_seq = false;
} else {
tcph->syn = oth->syn;
tcph->ack = true;
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
}
#if 0
/* Rate-limit replies to !SYN,ACKs */
if (!oth->syn && oth->ack)
if (!xrlim_allow(rt_dst(ort), HZ))
return;
#endif
} else if (mode == XTTARPIT_HONEYPOT) {
/* Do not answer any resets regardless of combination */
if (oth->rst || oth->seq == 0xDEADBEEF)
return;
/* Send a reset to scanners. They like that. */
if (oth->syn && oth->ack) {
tcph->window = 0;
tcph->ack = false;
tcph->psh = true;
tcph->ack_seq = 0xdeadbeef; /* see if they ack it */
tcph->seq = oth->ack_seq;
tcph->rst = true;
}
/* SYN > SYN-ACK */
if (oth->syn && !oth->ack) {
tcph->syn = true;
tcph->ack = true;
tcph->window = oth->window &
((net_random() & 0x1f) - 0xf);
tcph->seq = htonl(net_random() & ~oth->seq);
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
}
/* ACK > ACK */
if (oth->ack && (!(oth->fin || oth->syn))) {
tcph->syn = false;
tcph->ack = true;
tcph->window = oth->window &
((net_random() & 0x1f) - 0xf);
tcph->ack_seq = payload > 100 ?
htonl(ntohl(oth->seq) + payload) :
oth->seq;
tcph->seq = oth->ack_seq;
}
/*
* FIN > RST.
* We cannot terminate gracefully so just be abrupt.
*/
if (oth->fin) {
tcph->window = 0;
tcph->seq = oth->ack_seq;
tcph->ack_seq = oth->ack_seq;
tcph->fin = false;
tcph->ack = false;
tcph->rst = true;
}
} else if (mode == XTTARPIT_RESET) {
tcph->window = 0;
tcph->ack = false;
tcph->syn = false;
tcph->rst = true;
tcph->seq = oth->ack_seq;
tcph->ack_seq = oth->seq;
}
if (!tarpit_generic(tcph, oth, payload, mode))
goto free_nskb;
/* Adjust TCP checksum */
tcph->check = 0;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
#else
tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
niph->daddr, csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
#endif
/* Set DF, id = 0 */
niph->frag_off = htons(IP_DF);
@@ -233,11 +267,7 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
if (mode == XTTARPIT_HONEYPOT)
niph->ttl = 128;
else
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 38)
niph->ttl = ip4_dst_hoplimit(skb_dst(nskb));
#else
niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
#endif
/* Adjust IP checksum */
niph->check = 0;
@@ -257,8 +287,124 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
kfree_skb(nskb);
}
#ifdef WITH_IPV6
static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
unsigned int mode)
{
struct sk_buff *nskb;
struct tcphdr *tcph, oth;
unsigned int otcplen;
int tcphoff;
const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
struct ipv6hdr *ip6h;
const uint8_t tclass = 0;
uint8_t proto;
uint16_t payload;
__be16 frag_off;
proto = oip6h->nexthdr;
tcphoff = ipv6_skip_exthdr(oldskb,
(uint8_t *)(oip6h + 1) - oldskb->data, &proto, &frag_off);
if (tcphoff < 0 || tcphoff > oldskb->len) {
pr_debug("Cannot get TCP header.\n");
return;
}
otcplen = oldskb->len - tcphoff;
/* IP header checks: fragment, too short. */
if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
pr_debug("proto(%d) != IPPROTO_TCP, "
"or too short. otcplen = %d\n",
proto, otcplen);
return;
}
if (skb_copy_bits(oldskb, tcphoff, &oth, sizeof(struct tcphdr))) {
WARN_ON(1);
return;
}
/* Check checksum. */
if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
skb_checksum(oldskb, tcphoff, otcplen, 0))) {
pr_debug("TCP checksum is invalid\n");
return;
}
nskb = skb_copy_expand(oldskb, LL_MAX_HEADER,
skb_tailroom(oldskb), GFP_ATOMIC);
if (nskb == NULL) {
if (net_ratelimit())
pr_debug("cannot alloc skb\n");
return;
}
/* This packet will not be the same as the other: clear nf fields */
nf_reset(nskb);
skb_nfmark(nskb) = 0;
skb_init_secmark(nskb);
skb_shinfo(nskb)->gso_size = 0;
skb_shinfo(nskb)->gso_segs = 0;
skb_shinfo(nskb)->gso_type = 0;
skb_put(nskb, sizeof(struct ipv6hdr));
ip6h = ipv6_hdr(nskb);
*(__be32 *)ip6h = htonl(0x60000000 | (tclass << 20));
ip6h->nexthdr = IPPROTO_TCP;
ip6h->saddr = oip6h->daddr;
ip6h->daddr = oip6h->saddr;
/* Adjust IP TTL */
if (mode == XTTARPIT_HONEYPOT) {
ip6h->hop_limit = 128;
} else {
ip6h->hop_limit = ip6_dst_hoplimit(skb_dst(nskb));
}
tcph = (struct tcphdr *)(skb_network_header(nskb) +
sizeof(struct ipv6hdr));
/* Truncate to length (no data) */
skb_trim(nskb, sizeof(struct ipv6hdr) + sizeof(struct tcphdr));
tcph->doff = sizeof(struct tcphdr)/4;
tcph->source = oth.dest;
tcph->dest = oth.source;
tcph->urg_ptr = 0;
/* Reset flags */
((uint8_t *)tcph)[13] = 0;
payload = nskb->len - sizeof(struct ipv6hdr) - sizeof(struct tcphdr);
if (!tarpit_generic(&oth, tcph, payload, mode))
goto free_nskb;
ip6h->payload_len = htons(sizeof(struct tcphdr));
tcph->check = 0;
/* Adjust TCP checksum */
tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
&ipv6_hdr(nskb)->daddr, sizeof(struct tcphdr),
IPPROTO_TCP,
csum_partial(tcph, sizeof(struct tcphdr), 0));
if (ip6_route_me_harder(nskb))
goto free_nskb;
nskb->ip_summed = CHECKSUM_NONE;
nf_ct_attach(nskb, oldskb);
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
skb_dst(nskb)->dev, dst_output);
return;
free_nskb:
kfree_skb(nskb);
}
#endif
static unsigned int
tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
tarpit_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct iphdr *iph = ip_hdr(skb);
@@ -289,34 +435,93 @@ tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
if (iph->frag_off & htons(IP_OFFSET))
return NF_DROP;
tarpit_tcp(*pskb, par->hooknum, info->variant);
tarpit_tcp4(*pskb, par->hooknum, info->variant);
return NF_DROP;
}
static struct xt_target tarpit_tg_reg __read_mostly = {
.name = "TARPIT",
.revision = 0,
.family = NFPROTO_IPV4,
.hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
.proto = IPPROTO_TCP,
.target = tarpit_tg,
.targetsize = sizeof(struct xt_tarpit_tginfo),
.me = THIS_MODULE,
#ifdef WITH_IPV6
static unsigned int
tarpit_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct ipv6hdr *iph = ipv6_hdr(skb);
const struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
const struct xt_tarpit_tginfo *info = par->targinfo;
uint8_t proto;
__be16 frag_off;
/* Do we have an input route cache entry? (Not in PREROUTING.) */
if (rt == NULL) {
pr_debug("Dropping no input route cache entry\n");
return NF_DROP;
}
/* No replies to physical multicast/broadcast */
/* skb != PACKET_OTHERHOST handled by ip_rcv() */
if (skb->pkt_type != PACKET_HOST) {
pr_debug("type != PACKET_HOST");
return NF_DROP;
}
/*
* Our naive response construction does not deal with IP
* options, and probably should not try.
*/
proto = iph->nexthdr;
if (ipv6_skip_exthdr(skb, skb_network_header_len(skb), &proto,
&frag_off) != sizeof(struct ipv6hdr))
return NF_DROP;
if ((!(ipv6_addr_type(&iph->saddr) & IPV6_ADDR_UNICAST)) ||
(!(ipv6_addr_type(&iph->daddr) & IPV6_ADDR_UNICAST))) {
pr_debug("addr is not unicast.\n");
return NF_DROP;
}
tarpit_tcp6(*pskb, par->hooknum, info->variant);
return NF_DROP;
}
#endif
static struct xt_target tarpit_tg_reg[] __read_mostly = {
{
.name = "TARPIT",
.revision = 0,
.family = NFPROTO_IPV4,
.hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
.proto = IPPROTO_TCP,
.target = tarpit_tg4,
.targetsize = sizeof(struct xt_tarpit_tginfo),
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "TARPIT",
.revision = 0,
.family = NFPROTO_IPV6,
.hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
.proto = IPPROTO_TCP,
.target = tarpit_tg6,
.targetsize = sizeof(struct xt_tarpit_tginfo),
.me = THIS_MODULE,
},
#endif
};
static int __init tarpit_tg_init(void)
{
return xt_register_target(&tarpit_tg_reg);
return xt_register_targets(tarpit_tg_reg, ARRAY_SIZE(tarpit_tg_reg));
}
static void __exit tarpit_tg_exit(void)
{
xt_unregister_target(&tarpit_tg_reg);
xt_unregister_targets(tarpit_tg_reg, ARRAY_SIZE(tarpit_tg_reg));
}
module_init(tarpit_tg_init);
module_exit(tarpit_tg_exit);
MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TARPIT");
MODULE_ALIAS("ip6t_TARPIT");

299
extensions/xt_TEE.c
View File

@@ -1,299 +0,0 @@
/*
* "TEE" target extension for Xtables
* Copyright © Sebastian Claßen <sebastian.classen [at] freenet de>, 2007
* Jan Engelhardt <jengelh [at] medozas de>, 2007 - 2008
*
* based on ipt_ROUTE.c from Cédric de Launois
* <delaunois [at] info ucl ac be>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* version 2, as published by the Free Software Foundation.
*/
#include <linux/ip.h>
#include <linux/module.h>
#include <linux/route.h>
#include <linux/skbuff.h>
#include <linux/version.h>
#include <net/checksum.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/ip6_route.h>
#include <net/route.h>
#include <linux/netfilter/x_tables.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35)
# error ----------------------------------------------------------
# error This module has been merged into, and is available in the
# error mainline since Linux kernel v2.6.35. Please use that.
# error ----------------------------------------------------------
#endif
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
# define WITH_CONNTRACK 1
# include <net/netfilter/nf_conntrack.h>
#endif
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
# define WITH_IPV6 1
#endif
#include "compat_xtables.h"
#include "xt_TEE.h"
static bool tee_active[NR_CPUS];
static const union nf_inet_addr tee_zero_address;
static bool
tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
{
const struct iphdr *iph = ip_hdr(skb);
struct rtable *rt;
struct flowi fl;
memset(&fl, 0, sizeof(fl));
fl.nl_u.ip4_u.daddr = info->gw.ip;
fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
if (ip_route_output_key(&init_net, &rt, &fl) != 0)
return false;
dst_release(skb_dst(skb));
skb_dst_set(skb, rt_dst(rt));
skb->dev = rt_dst(rt)->dev;
skb->protocol = htons(ETH_P_IP);
return true;
}
static inline bool dev_hh_avail(const struct net_device *dev)
{
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
return dev->hard_header != NULL;
#else
return dev->header_ops != NULL;
#endif
}
/*
* Stolen from ip_finish_output2
* PRE : skb->dev is set to the device we are leaving by
* skb->dst is not NULL
* POST: the packet is sent with the link layer header pushed
* the packet is destroyed
*/
static void tee_tg_send(struct sk_buff *skb)
{
const struct dst_entry *dst = skb_dst(skb);
const struct net_device *dev = dst->dev;
unsigned int hh_len = LL_RESERVED_SPACE(dev);
/* Be paranoid, rather than too clever. */
if (unlikely(skb_headroom(skb) < hh_len && dev_hh_avail(dev))) {
struct sk_buff *skb2;
skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
if (skb2 == NULL) {
kfree_skb(skb);
return;
}
if (skb->sk != NULL)
skb_set_owner_w(skb2, skb->sk);
kfree_skb(skb);
skb = skb2;
}
if (dst->hh != NULL)
neigh_hh_output(dst->hh, skb);
else if (dst->neighbour != NULL)
dst->neighbour->output(skb);
else
kfree_skb(skb);
}
static unsigned int
tee_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
struct sk_buff *skb = *pskb;
struct iphdr *iph;
unsigned int cpu = smp_processor_id();
if (tee_active[cpu])
return XT_CONTINUE;
/*
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
* the original skb, which should continue on its way as if nothing has
* happened. The copy should be independently delivered to the TEE
* --gateway.
*/
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
/*
* If we are in PREROUTING/INPUT, the checksum must be recalculated
* since the length could have changed as a result of defragmentation.
*
* We also decrease the TTL to mitigate potential TEE loops
* between two hosts.
*
* Set %IP_DF so that the original source is notified of a potentially
* decreased MTU on the clone route. IPv6 does this too.
*/
iph = ip_hdr(skb);
iph->frag_off |= htons(IP_DF);
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN)
--iph->ttl;
ip_send_check(iph);
#ifdef WITH_CONNTRACK
/*
* Tell conntrack to forget this packet. It may have side effects to
* see the same packet twice, as for example, accounting the original
* connection for the cloned packet.
*/
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_conntrack_untracked.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
/*
* Normally, we would just use ip_local_out. Because iph->check is
* already correct, we could take a shortcut and call dst_output
* [forwards to ip_output] directly. ip_output however will invoke
* Netfilter hooks and cause reentrancy. So we skip that too and go
* directly to ip_finish_output. Since we should not do XFRM, control
* passes to ip_finish_output2. That function is not exported, so it is
* copied here as tee_ip_direct_send.
*
* We do no XFRM on the cloned packet on purpose! The choice of
* iptables match options will control whether the raw packet or the
* transformed version is cloned.
*
* Also on purpose, no fragmentation is done, to preserve the
* packet as best as possible.
*/
if (tee_tg_route4(skb, info)) {
tee_active[cpu] = true;
tee_tg_send(skb);
tee_active[cpu] = false;
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
#ifdef WITH_IPV6
static bool
tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
{
const struct ipv6hdr *iph = ipv6_hdr(skb);
struct dst_entry *dst;
struct flowi fl;
memset(&fl, 0, sizeof(fl));
fl.nl_u.ip6_u.daddr = info->gw.in6;
fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 25)
dst = ip6_route_output(NULL, &fl);
#else
dst = ip6_route_output(dev_net(skb->dev), NULL, &fl);
#endif
if (dst == NULL)
return false;
dst_release(skb_dst(skb));
skb_dst_set(skb, dst);
skb->dev = dst->dev;
skb->protocol = htons(ETH_P_IPV6);
return true;
}
static unsigned int
tee_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
struct sk_buff *skb = *pskb;
unsigned int cpu = smp_processor_id();
if (tee_active[cpu])
return XT_CONTINUE;
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
return XT_CONTINUE;
#ifdef WITH_CONNTRACK
nf_conntrack_put(skb->nfct);
skb->nfct = &nf_conntrack_untracked.ct_general;
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct);
#endif
if (par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN) {
struct ipv6hdr *iph = ipv6_hdr(skb);
--iph->hop_limit;
}
if (tee_tg_route6(skb, info)) {
tee_active[cpu] = true;
tee_tg_send(skb);
tee_active[cpu] = false;
} else {
kfree_skb(skb);
}
return XT_CONTINUE;
}
#endif /* WITH_IPV6 */
static int tee_tg_check(const struct xt_tgchk_param *par)
{
const struct xt_tee_tginfo *info = par->targinfo;
/* 0.0.0.0 and :: not allowed */
return (memcmp(&info->gw, &tee_zero_address,
sizeof(tee_zero_address)) == 0) ? -EINVAL : 0;
}
static struct xt_target tee_tg_reg[] __read_mostly = {
{
.name = "TEE",
.revision = 0,
.family = NFPROTO_IPV4,
.target = tee_tg4,
.targetsize = sizeof(struct xt_tee_tginfo),
.checkentry = tee_tg_check,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "TEE",
.revision = 0,
.family = NFPROTO_IPV6,
.target = tee_tg6,
.targetsize = sizeof(struct xt_tee_tginfo),
.checkentry = tee_tg_check,
.me = THIS_MODULE,
},
#endif
};
static int __init tee_tg_init(void)
{
return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
}
static void __exit tee_tg_exit(void)
{
xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
}
module_init(tee_tg_init);
module_exit(tee_tg_exit);
MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: Reroute packet copy");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_TEE");
MODULE_ALIAS("ip6t_TEE");

8
extensions/xt_TEE.h
View File

@@ -1,8 +0,0 @@
#ifndef _XT_TEE_TARGET_H
#define _XT_TEE_TARGET_H
struct xt_tee_tginfo {
union nf_inet_addr gw;
};
#endif /* _XT_TEE_TARGET_H */

11
extensions/xt_condition.c
View File

@@ -35,7 +35,7 @@ static unsigned int condition_gid_perms = 0;
MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Allows rules to match against condition variables");
MODULE_LICENSE("GPL");
module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
@@ -150,9 +150,6 @@ static int condition_mt_check(const struct xt_mtchk_param *par)
var->refcount = 1;
var->enabled = false;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
var->status_proc->owner = THIS_MODULE;
#endif
var->status_proc->data = var;
wmb();
var->status_proc->read_proc = condition_proc_read;
@@ -211,13 +208,13 @@ static int __init condition_mt_init(void)
int ret;
mutex_init(&proc_lock);
proc_net_condition = proc_mkdir(dir_name, init_net__proc_net);
proc_net_condition = proc_mkdir(dir_name, init_net.proc_net);
if (proc_net_condition == NULL)
return -EACCES;
ret = xt_register_matches(condition_mt_reg, ARRAY_SIZE(condition_mt_reg));
if (ret < 0) {
remove_proc_entry(dir_name, init_net__proc_net);
remove_proc_entry(dir_name, init_net.proc_net);
return ret;
}
@@ -227,7 +224,7 @@ static int __init condition_mt_init(void)
static void __exit condition_mt_exit(void)
{
xt_unregister_matches(condition_mt_reg, ARRAY_SIZE(condition_mt_reg));
remove_proc_entry(dir_name, init_net__proc_net);
remove_proc_entry(dir_name, init_net.proc_net);
}
module_init(condition_mt_init);

4
extensions/xt_iface.c
View File

@@ -48,11 +48,7 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
return par->in;
else if (info->flags & XT_IFACE_DEV_OUT)
return par->out;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
return *put = dev_get_by_name(&init_net, info->ifname);
#else
return *put = dev_get_by_name(info->ifname);
#endif
}
static bool iface_flagtest(unsigned int devflags, unsigned int flags,

141
extensions/xt_ipaddr.c Normal file
View File

@@ -0,0 +1,141 @@
/*
* "ipaddr" demo match for Xtables
* Copyright © Jan Engelhardt, 2008-2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the WTF Public License version 2 or
* (at your option) any later version.
*/
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <net/ipv6.h>
#include "compat_xtables.h"
#include "xt_ipaddr.h"
static bool ipaddr_mt4(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_ipaddr_mtinfo *info = par->matchinfo;
const struct iphdr *iph = ip_hdr(skb);
printk(KERN_INFO
"xt_ipaddr: IN=%s OUT=%s "
"SRC=" NIPQUAD_FMT " DST=" NIPQUAD_FMT " "
"IPSRC=" NIPQUAD_FMT " IPDST=" NIPQUAD_FMT "\n",
(par->in != NULL) ? par->in->name : "",
(par->out != NULL) ? par->out->name : "",
NIPQUAD(iph->saddr), NIPQUAD(iph->daddr),
NIPQUAD(info->src), NIPQUAD(info->dst));
if (info->flags & XT_IPADDR_SRC)
if ((iph->saddr != info->src.ip) ^
!!(info->flags & XT_IPADDR_SRC_INV)) {
printk(KERN_NOTICE "src IP - no match\n");
return false;
}
if (info->flags & XT_IPADDR_DST)
if ((iph->daddr != info->dst.ip) ^
!!(info->flags & XT_IPADDR_DST_INV)) {
printk(KERN_NOTICE "dst IP - no match\n");
return false;
}
return true;
}
static bool ipaddr_mt6(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_ipaddr_mtinfo *info = par->matchinfo;
const struct ipv6hdr *iph = ipv6_hdr(skb);
printk(KERN_INFO
"xt_ipaddr: IN=%s OUT=%s "
"SRC=" NIP6_FMT " DST=" NIP6_FMT " "
"IPSRC=" NIP6_FMT " IPDST=" NIP6_FMT "\n",
(par->in != NULL) ? par->in->name : "",
(par->out != NULL) ? par->out->name : "",
NIP6(iph->saddr), NIP6(iph->daddr),
NIP6(info->src.in6), NIP6(info->dst.in6));
if (info->flags & XT_IPADDR_SRC)
if ((ipv6_addr_cmp(&iph->saddr, &info->src.in6) != 0) ^
!!(info->flags & XT_IPADDR_SRC_INV)) {
printk(KERN_NOTICE "src IP - no match\n");
return false;
}
if (info->flags & XT_IPADDR_DST)
if ((ipv6_addr_cmp(&iph->daddr, &info->dst.in6) != 0) ^
!!(info->flags & XT_IPADDR_DST_INV)) {
printk(KERN_NOTICE "dst IP - no match\n");
return false;
}
return true;
}
static int ipaddr_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_ipaddr_mtinfo *info = par->matchinfo;
printk(KERN_INFO "xt_ipaddr: Added a rule with -m ipaddr in "
"the %s table; this rule is reachable through hooks 0x%x\n",
par->table, par->hook_mask);
if (par->match->family == NFPROTO_IPV4 &&
ntohl(info->src.ip) == 0xDEADBEEF) {
printk(KERN_INFO "xt_ipaddr: I just thought I do not want "
"to let you match on 222.173.190.239\n");
return -EPERM;
}
return 0;
}
static void ipaddr_mt_destroy(const struct xt_mtdtor_param *par)
{
printk(KERN_INFO "One rule with ipaddr match got deleted\n");
}
static struct xt_match ipaddr_mt_reg[] __read_mostly = {
{
.name = "ipaddr",
.revision = 0,
.family = NFPROTO_IPV4,
.match = ipaddr_mt4,
.checkentry = ipaddr_mt_check,
.destroy = ipaddr_mt_destroy,
.matchsize = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
.me = THIS_MODULE,
},
{
.name = "ipaddr",
.revision = 0,
.family = NFPROTO_IPV6,
.match = ipaddr_mt6,
.checkentry = ipaddr_mt_check,
.destroy = ipaddr_mt_destroy,
.matchsize = XT_ALIGN(sizeof(struct xt_ipaddr_mtinfo)),
.me = THIS_MODULE,
},
};
static int __init ipaddr_mt_init(void)
{
return xt_register_matches(ipaddr_mt_reg, ARRAY_SIZE(ipaddr_mt_reg));
}
static void __exit ipaddr_mt_exit(void)
{
xt_unregister_matches(ipaddr_mt_reg, ARRAY_SIZE(ipaddr_mt_reg));
}
module_init(ipaddr_mt_init);
module_exit(ipaddr_mt_exit);
MODULE_DESCRIPTION("Xtables: Match source/destination address");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ipaddr");
MODULE_ALIAS("ip6t_ipaddr");

16
extensions/xt_ipaddr.h Normal file
View File

@@ -0,0 +1,16 @@
#ifndef _LINUX_NETFILTER_XT_IPADDR_H
#define _LINUX_NETFILTER_XT_IPADDR_H 1
enum {
XT_IPADDR_SRC = 1 << 0,
XT_IPADDR_DST = 1 << 1,
XT_IPADDR_SRC_INV = 1 << 2,
XT_IPADDR_DST_INV = 1 << 3,
};
struct xt_ipaddr_mtinfo {
union nf_inet_addr src, dst;
__u8 flags;
};
#endif /* _LINUX_NETFILTER_XT_IPADDR_H */

2
extensions/xt_ipv4options.c
View File

@@ -76,7 +76,7 @@ static void __exit ipv4options_mt_exit(void)
}
MODULE_DESCRIPTION("Xatblse: IPv4 option match");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ipv4options");
module_init(ipv4options_mt_init);

9
extensions/xt_length2.c
View File

@@ -1,6 +1,6 @@
/*
* xt_length - Xtables module to match packet length
* Copyright © Jan Engelhardt <jengelh@medozas.de>, 2007 - 2009
* Copyright © Jan Engelhardt , 2007 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
@@ -29,7 +29,7 @@
# define NEXTHDR_IPV4 4
#endif
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Xtables: Packet length (Layer3,4,5) match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_length2");
@@ -185,7 +185,7 @@ llayer4_proto(const struct sk_buff *skb, unsigned int *offset, bool *hotdrop)
int err;
for (i = 0; i < ARRAY_SIZE(types); ++i) {
err = ipv6_find_hdr(skb, offset, types[i], NULL);
err = ipv6_find_hdr(skb, offset, types[i], NULL, NULL);
if (err >= 0)
return types[i];
if (err != -ENOENT) {
@@ -203,7 +203,8 @@ length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
const struct xt_length_mtinfo2 *info = par->matchinfo;
const struct ipv6hdr *iph = ipv6_hdr(skb);
unsigned int len = 0, l4proto;
unsigned int thoff = par->thoff;
/* par->thoff would only set if ip6tables -p was used; so just use 0 */
unsigned int thoff = 0;
bool hit = true;
if (info->flags & XT_LENGTH_LAYER3) {

4
extensions/xt_lscan.c
View File

@@ -204,7 +204,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
unsigned int n;
n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
par->in == init_net__loopback_dev, tcph,
par->in == init_net.loopback_dev, tcph,
skb->len - par->thoff - 4 * tcph->doff);
ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
@@ -264,7 +264,7 @@ static void __exit lscan_mt_exit(void)
module_init(lscan_mt_init);
module_exit(lscan_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_lscan");

689
extensions/xt_psd.c
View File

@@ -22,13 +22,15 @@
#define pr_fmt(x) KBUILD_MODNAME ": " x
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/tcp.h>
#include <linux/types.h>
#include <linux/tcp.h>
#include <linux/spinlock.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/vmalloc.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "xt_psd.h"
#include "compat_xtables.h"
@@ -39,11 +41,21 @@ MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
MODULE_AUTHOR(" Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com>");
MODULE_DESCRIPTION("Xtables: PSD - portscan detection");
MODULE_ALIAS("ipt_psd");
MODULE_ALIAS("ip6t_psd");
#define HF_DADDR_CHANGING 0x01
#define HF_SPORT_CHANGING 0x02
#define HF_TOS_CHANGING 0x04
#define HF_TTL_CHANGING 0x08
/*
* Keep track of up to LIST_SIZE source addresses, using a hash table of
* HASH_SIZE entries for faster lookups, but limiting hash collisions to
* HASH_MAX source addresses per the same hash value.
*/
#define LIST_SIZE 0x100
#define HASH_LOG 9
#define HASH_SIZE (1 << HASH_LOG)
#define HASH_MAX 0x10
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
/*
* Information we keep per each target port
@@ -51,46 +63,106 @@ MODULE_ALIAS("ipt_psd");
struct port {
u_int16_t number; /* port number */
u_int8_t proto; /* protocol number */
u_int8_t and_flags; /* tcp ANDed flags */
u_int8_t or_flags; /* tcp ORed flags */
};
/*
/**
* Information we keep per each source address.
* @next: next entry with the same hash
* @timestamp: last update time
* @count: number of ports in the list
* @weight: total weight of ports in the list
*/
struct host {
struct host *next; /* Next entry with the same hash */
unsigned long timestamp; /* Last update time */
struct in_addr src_addr; /* Source address */
struct in_addr dest_addr; /* Destination address */
unsigned short src_port; /* Source port */
int count; /* Number of ports in the list */
int weight; /* Total weight of ports in the list */
struct port ports[SCAN_MAX_COUNT - 1]; /* List of ports */
unsigned char tos; /* TOS */
unsigned char ttl; /* TTL */
unsigned char flags; /* HF_ flags bitmask */
struct host *next;
unsigned long timestamp;
__be16 src_port;
uint16_t count;
uint8_t weight;
struct port ports[SCAN_MAX_COUNT-1];
};
/*
* State information.
/**
* Information we keep per ipv4 source address.
*/
struct host4 {
struct host host;
__be32 saddr;
};
static struct host4 *host_to_host4(const struct host *h)
{
return (struct host4 *)h;
}
struct host6 {
struct host host;
struct in6_addr saddr;
};
/**
* State information for IPv4 portscan detection.
* @list: list of source addresses
* @hash: pointers into the list
* @index: oldest entry to be replaced
*/
static struct {
spinlock_t lock;
struct host list[LIST_SIZE]; /* List of source addresses */
struct host *hash[HASH_SIZE]; /* Hash: pointers into the list */
int index; /* Oldest entry to be replaced */
struct host4 list[LIST_SIZE];
struct host *hash[HASH_SIZE];
int index;
} state;
#ifdef WITH_IPV6
/**
* State information for IPv6 portscan detection.
* @list: list of source addresses
* @hash: pointers into the list
* @index: oldest entry to be replaced
*/
static struct {
spinlock_t lock;
struct host6 *list;
struct host **hash;
int index;
} state6;
static struct host6 *host_to_host6(const struct host *h)
{
return (struct host6 *) h;
}
/**
* allocate state6 memory only when needed
*/
static bool state6_alloc_mem(void)
{
if (state6.hash != NULL)
return true;
state6.list = vmalloc(LIST_SIZE * sizeof(struct host6));
if (state6.list == NULL)
return false;
memset(state6.list, 0, LIST_SIZE * sizeof(struct host6));
state6.hash = vmalloc(HASH_SIZE * sizeof(struct host*));
if (state6.hash == NULL) {
vfree(state6.list);
return false;
}
memset(state6.hash, 0, HASH_SIZE * sizeof(struct host *));
return true;
}
#endif
/*
* Convert an IP address into a hash table index.
*/
static inline int hashfunc(struct in_addr addr)
static unsigned int hashfunc(__be32 addr)
{
unsigned int value;
int hash;
unsigned int hash;
value = addr.s_addr;
value = addr;
hash = 0;
do {
hash ^= value;
@@ -99,159 +171,169 @@ static inline int hashfunc(struct in_addr addr)
return hash & (HASH_SIZE - 1);
}
static bool
xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
static inline unsigned int hashfunc6(const struct in6_addr *addr)
{
__be32 h = addr->s6_addr32[0] ^ addr->s6_addr32[1];
return hashfunc(h ^ addr->s6_addr32[2] ^ addr->s6_addr32[3]);
}
static bool port_in_list(struct host *host, uint8_t proto, uint16_t port)
{
unsigned int i;
for (i = 0; i < host->count; ++i) {
if (host->ports[i].proto != proto)
continue;
if (host->ports[i].number == port)
return true;
}
return false;
}
static uint16_t get_port_weight(const struct xt_psd_info *psd, __be16 port)
{
return ntohs(port) < 1024 ? psd->lo_ports_weight : psd->hi_ports_weight;
}
static bool
is_portscan(struct host *host, const struct xt_psd_info *psdinfo,
const struct tcphdr *tcph, uint8_t proto)
{
if (port_in_list(host, proto, tcph->dest))
return false;
/*
* TCP/ACK and/or TCP/RST to a new port? This could be an
* outgoing connection.
*/
if (proto == IPPROTO_TCP && (tcph->ack || tcph->rst))
return false;
host->timestamp = jiffies;
if (host->weight >= psdinfo->weight_threshold) /* already matched */
return true;
/* Update the total weight */
host->weight += get_port_weight(psdinfo, tcph->dest);
/* Got enough destination ports to decide that this is a scan? */
if (host->weight >= psdinfo->weight_threshold)
return true;
/* Remember the new port */
if (host->count < ARRAY_SIZE(host->ports)) {
host->ports[host->count].number = tcph->dest;
host->ports[host->count].proto = proto;
host->count++;
}
return false;
}
static struct host *host_get_next(struct host *h, struct host **last)
{
if (h->next != NULL)
*last = h;
return h->next;
}
static void ht_unlink(struct host **head, struct host *last)
{
if (last != NULL)
last->next = last->next->next;
else if (*head != NULL)
*head = (*head)->next;
}
static bool
entry_is_recent(const struct host *h, unsigned long delay_threshold,
unsigned long now)
{
return now - h->timestamp <= (delay_threshold * HZ) / 100 &&
time_after_eq(now, h->timestamp);
}
static void remove_oldest(struct host **head, struct host *curr)
{
struct host *h, *last = NULL;
/*
* We are going to re-use the oldest list entry, so remove it from the
* hash table first, if it is really already in use.
*/
h = *head;
while (h != NULL) {
if (curr == h)
break;
last = h;
h = h->next;
}
/* Then, remove it */
if (h != NULL)
ht_unlink(head, last);
}
static void *
get_header_pointer4(const struct sk_buff *skb, unsigned int thoff, void *mem)
{
const struct iphdr *iph = ip_hdr(skb);
int hdrlen;
switch (iph->protocol) {
case IPPROTO_TCP:
hdrlen = sizeof(struct tcphdr);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
hdrlen = sizeof(struct udphdr);
break;
default:
return NULL;
}
return skb_header_pointer(skb, thoff, hdrlen, mem);
}
static bool
handle_packet4(const struct iphdr *iph, const struct tcphdr *tcph,
const struct xt_psd_info *psdinfo, unsigned int hash)
{
const struct iphdr *iph;
const struct tcphdr *tcph = NULL;
const struct udphdr *udph;
union {
struct tcphdr tcph;
struct udphdr udph;
} _buf;
struct in_addr addr;
u_int16_t src_port,dest_port;
u_int8_t tcp_flags, proto;
unsigned long now;
struct host *curr, *last, **head;
int hash, index, count;
/* Parameters from userspace */
const struct xt_psd_info *psdinfo = match->matchinfo;
struct host *curr, *last = NULL, **head;
struct host4 *curr4;
int count = 0;
/* IP header */
iph = ip_hdr(pskb);
/* Sanity check */
if (iph->frag_off & htons(IP_OFFSET)) {
pr_debug("sanity check failed\n");
return false;
}
/* TCP or UDP ? */
proto = iph->protocol;
/* Get the source address, source & destination ports, and TCP flags */
addr.s_addr = iph->saddr;
/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
* them spoof us. [DHCP needs this feature - HW] */
if (addr.s_addr == 0) {
pr_debug("spoofed source address (0.0.0.0)\n");
return false;
}
if (proto == IPPROTO_TCP) {
tcph = skb_header_pointer(pskb, match->thoff,
sizeof(_buf.tcph), &_buf.tcph);
if (tcph == NULL)
return false;
/* Yep, it's dirty */
src_port = tcph->source;
dest_port = tcph->dest;
tcp_flags = *((u_int8_t*)tcph + 13);
} else if (proto == IPPROTO_UDP || proto == IPPROTO_UDPLITE) {
udph = skb_header_pointer(pskb, match->thoff,
sizeof(_buf.udph), &_buf.udph);
if (udph == NULL)
return false;
src_port = udph->source;
dest_port = udph->dest;
tcp_flags = 0;
} else {
pr_debug("protocol not supported\n");
return false;
}
/* Use jiffies here not to depend on someone setting the time while we're
* running; we need to be careful with possible return value overflows. */
now = jiffies;
spin_lock(&state.lock);
head = &state.hash[hash];
/* Do we know this source address already? */
count = 0;
last = NULL;
if ((curr = *(head = &state.hash[hash = hashfunc(addr)])) != NULL)
do {
if (curr->src_addr.s_addr == addr.s_addr)
break;
count++;
if (curr->next != NULL)
last = curr;
} while ((curr = curr->next) != NULL);
curr = *head;
while (curr != NULL) {
curr4 = host_to_host4(curr);
if (curr4->saddr == iph->saddr)
break;
count++;
curr = host_get_next(curr, &last);
}
if (curr != NULL) {
/* We know this address, and the entry isn't too old. Update it. */
if (now - curr->timestamp <= (psdinfo->delay_threshold*HZ)/100 &&
time_after_eq(now, curr->timestamp)) {
/* Just update the appropriate list entry if we've seen this port already */
for (index = 0; index < curr->count; index++) {
if (curr->ports[index].number == dest_port) {
curr->ports[index].proto = proto;
curr->ports[index].and_flags &= tcp_flags;
curr->ports[index].or_flags |= tcp_flags;
goto out_no_match;
}
}
/* TCP/ACK and/or TCP/RST to a new port? This could be an outgoing connection. */
if (proto == IPPROTO_TCP && (tcph->ack || tcph->rst))
goto out_no_match;
/* Packet to a new port, and not TCP/ACK: update the timestamp */
curr->timestamp = now;
/* Logged this scan already? Then drop the packet. */
if (curr->weight >= psdinfo->weight_threshold)
goto out_match;
/* Specify if destination address, source port, TOS or TTL are not fixed */
if (curr->dest_addr.s_addr != iph->daddr)
curr->flags |= HF_DADDR_CHANGING;
if (curr->src_port != src_port)
curr->flags |= HF_SPORT_CHANGING;
if (curr->tos != iph->tos)
curr->flags |= HF_TOS_CHANGING;
if (curr->ttl != iph->ttl)
curr->flags |= HF_TTL_CHANGING;
/* Update the total weight */
curr->weight += (ntohs(dest_port) < 1024) ?
psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
/* Got enough destination ports to decide that this is a scan? */
/* Then log it and drop the packet. */
if (curr->weight >= psdinfo->weight_threshold)
goto out_match;
/* Remember the new port */
if (curr->count < SCAN_MAX_COUNT) {
curr->ports[curr->count].number = dest_port;
curr->ports[curr->count].proto = proto;
curr->ports[curr->count].and_flags = tcp_flags;
curr->ports[curr->count].or_flags = tcp_flags;
curr->count++;
}
goto out_no_match;
}
if (entry_is_recent(curr, psdinfo->delay_threshold, now))
return is_portscan(curr, psdinfo, tcph, iph->protocol);
/* We know this address, but the entry is outdated. Mark it unused, and
* remove from the hash table. We'll allocate a new entry instead since
* this one might get re-used too soon. */
curr->src_addr.s_addr = 0;
if (last != NULL)
last->next = last->next->next;
else if (*head != NULL)
*head = (*head)->next;
curr4 = host_to_host4(curr);
curr4->saddr = 0;
ht_unlink(head, last);
last = NULL;
}
/* We don't need an ACK from a new source address */
if (proto == IPPROTO_TCP && tcph->ack)
goto out_no_match;
if (iph->protocol == IPPROTO_TCP && tcph->ack)
return false;
/* Got too many source addresses with the same hash value? Then remove the
* oldest one from the hash table, so that they can't take too much of our
@@ -259,33 +341,15 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
if (count >= HASH_MAX && last != NULL)
last->next = NULL;
/* We're going to re-use the oldest list entry, so remove it from the hash
* table first (if it is really already in use, and isn't removed from the
* hash table already because of the HASH_MAX check above). */
/* First, find it */
if (state.list[state.index].src_addr.s_addr != 0)
head = &state.hash[hashfunc(state.list[state.index].src_addr)];
if (state.list[state.index].saddr != 0)
head = &state.hash[hashfunc(state.list[state.index].saddr)];
else
head = &last;
last = NULL;
if ((curr = *head) != NULL)
do {
if (curr == &state.list[state.index])
break;
last = curr;
} while ((curr = curr->next) != NULL);
/* Then, remove it */
if (curr != NULL) {
if (last != NULL)
last->next = last->next->next;
else if (*head != NULL)
*head = (*head)->next;
}
/* Get our list entry */
curr = &state.list[state.index++];
curr4 = &state.list[state.index++];
curr = &curr4->host;
remove_oldest(head, curr);
if (state.index >= LIST_SIZE)
state.index = 0;
@@ -295,46 +359,241 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
*head = curr;
/* And fill in the fields */
curr4 = host_to_host4(curr);
curr4->saddr = iph->saddr;
curr->timestamp = now;
curr->src_addr = addr;
curr->dest_addr.s_addr = iph->daddr;
curr->src_port = src_port;
curr->count = 1;
curr->weight = (ntohs(dest_port) < 1024) ? psdinfo->lo_ports_weight : psdinfo->hi_ports_weight;
curr->ports[0].number = dest_port;
curr->ports[0].proto = proto;
curr->ports[0].and_flags = tcp_flags;
curr->ports[0].or_flags = tcp_flags;
curr->tos = iph->tos;
curr->ttl = iph->ttl;
out_no_match:
spin_unlock(&state.lock);
curr->weight = get_port_weight(psdinfo, tcph->dest);
curr->ports[0].number = tcph->dest;
curr->ports[0].proto = iph->protocol;
return false;
out_match:
spin_unlock(&state.lock);
return true;
}
static struct xt_match xt_psd_reg __read_mostly = {
.name = "psd",
.family = NFPROTO_IPV4,
.revision = 1,
.match = xt_psd_match,
.matchsize = sizeof(struct xt_psd_info),
.me = THIS_MODULE,
static bool
xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
{
struct iphdr *iph = ip_hdr(pskb);
struct tcphdr _tcph;
struct tcphdr *tcph;
bool matched;
unsigned int hash;
/* Parameters from userspace */
const struct xt_psd_info *psdinfo = match->matchinfo;
if (iph->frag_off & htons(IP_OFFSET)) {
pr_debug("sanity check failed\n");
return false;
}
/*
* We are using IP address 0.0.0.0 for a special purpose here, so do
* not let them spoof us. [DHCP needs this feature - HW]
*/
if (iph->saddr == 0) {
pr_debug("spoofed source address (0.0.0.0)\n");
return false;
}
tcph = get_header_pointer4(pskb, match->thoff, &_tcph);
if (tcph == NULL)
return false;
hash = hashfunc(iph->saddr);
spin_lock(&state.lock);
matched = handle_packet4(iph, tcph, psdinfo, hash);
spin_unlock(&state.lock);
return matched;
}
#ifdef WITH_IPV6
static bool
handle_packet6(const struct ipv6hdr *ip6h, const struct tcphdr *tcph,
const struct xt_psd_info *psdinfo, uint8_t proto, int hash)
{
unsigned long now;
struct host *curr, *last = NULL, **head;
struct host6 *curr6;
int count = 0;
now = jiffies;
head = &state6.hash[hash];
curr = *head;
while (curr != NULL) {
curr6 = host_to_host6(curr);
if (ipv6_addr_equal(&curr6->saddr, &ip6h->saddr))
break;
count++;
curr = host_get_next(curr, &last);
}
if (curr != NULL) {
if (entry_is_recent(curr, psdinfo->delay_threshold, now))
return is_portscan(curr, psdinfo, tcph, proto);
curr6 = host_to_host6(curr);
memset(&curr6->saddr, 0, sizeof(curr6->saddr));
ht_unlink(head, last);
last = NULL;
}
if (proto == IPPROTO_TCP && tcph->ack)
return false;
if (count >= HASH_MAX && last != NULL)
last->next = NULL;
if (!ipv6_addr_any(&state6.list[state6.index].saddr))
head = &state6.hash[hashfunc6(&state6.list[state6.index].saddr)];
else
head = &last;
curr6 = &state6.list[state6.index++];
curr = &curr6->host;
remove_oldest(head, curr);
if (state6.index >= LIST_SIZE)
state6.index = 0;
head = &state6.hash[hash];
curr->next = *head;
*head = curr;
curr6 = host_to_host6(curr);
curr6->saddr = ip6h->saddr;
curr->timestamp = now;
curr->count = 1;
curr->weight = get_port_weight(psdinfo, tcph->dest);
curr->ports[0].number = tcph->dest;
curr->ports[0].proto = proto;
return false;
}
static void *
get_header_pointer6(const struct sk_buff *skb, void *mem, uint8_t *proto)
{
static const uint8_t types[] = {IPPROTO_TCP,
IPPROTO_UDP, IPPROTO_UDPLITE};
unsigned int i, offset = 0;
int err;
size_t hdrlen;
for (i = 0; i < ARRAY_SIZE(types); ++i) {
err = ipv6_find_hdr(skb, &offset, types[i], NULL, NULL);
if (err < 0)
continue;
switch (types[i]) {
case IPPROTO_TCP:
hdrlen = sizeof(struct tcphdr);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
hdrlen = sizeof(struct udphdr);
break;
default:
return NULL;
}
*proto = types[i];
return skb_header_pointer(skb, offset, hdrlen, mem);
}
return NULL;
}
static bool
xt_psd_match6(const struct sk_buff *pskb, struct xt_action_param *match)
{
const struct ipv6hdr *ip6h = ipv6_hdr(pskb);
struct tcphdr _tcph;
struct tcphdr *tcph;
uint8_t proto = 0;
bool matched;
int hash;
const struct xt_psd_info *psdinfo = match->matchinfo;
if (ipv6_addr_any(&ip6h->saddr))
return false;
tcph = get_header_pointer6(pskb, &_tcph, &proto);
if (tcph == NULL)
return false;
hash = hashfunc6(&ip6h->saddr);
spin_lock(&state6.lock);
matched = handle_packet6(ip6h, tcph, psdinfo, proto, hash);
spin_unlock(&state6.lock);
return matched;
}
#endif
static int psd_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_psd_info *info = par->matchinfo;
if (info->weight_threshold == 0)
/* 0 would match on every 1st packet */
return -EINVAL;
if ((info->lo_ports_weight | info->hi_ports_weight) == 0)
/* would never match */
return -EINVAL;
if (info->delay_threshold > PSD_MAX_RATE ||
info->weight_threshold > PSD_MAX_RATE ||
info->lo_ports_weight > PSD_MAX_RATE ||
info->hi_ports_weight > PSD_MAX_RATE)
return -EINVAL;
return 0;
}
#ifdef WITH_IPV6
static int psd_mt_check6(const struct xt_mtchk_param *par)
{
if (!state6_alloc_mem())
return -ENOMEM;
return psd_mt_check(par);
}
#endif
static struct xt_match xt_psd_reg[] __read_mostly = {
{
.name = "psd",
.family = NFPROTO_IPV4,
.revision = 1,
.checkentry = psd_mt_check,
.match = xt_psd_match,
.matchsize = sizeof(struct xt_psd_info),
.me = THIS_MODULE,
#ifdef WITH_IPV6
}, {
.name = "psd",
.family = NFPROTO_IPV6,
.revision = 1,
.checkentry = psd_mt_check6,
.match = xt_psd_match6,
.matchsize = sizeof(struct xt_psd_info),
.me = THIS_MODULE,
#endif
}
};
static int __init xt_psd_init(void)
{
spin_lock_init(&(state.lock));
return xt_register_match(&xt_psd_reg);
#ifdef WITH_IPV6
spin_lock_init(&(state6.lock));
#endif
return xt_register_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
}
static void __exit xt_psd_exit(void)
{
xt_unregister_match(&xt_psd_reg);
xt_unregister_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
#ifdef WITH_IPV6
vfree(state6.list);
vfree(state6.hash);
#endif
}
module_init(xt_psd_init);

11
extensions/xt_psd.h
View File

@@ -19,17 +19,6 @@
#define SCAN_MIN_COUNT 7
#define SCAN_MAX_COUNT (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
#define SCAN_WEIGHT_THRESHOLD SCAN_MAX_COUNT
#define SCAN_DELAY_THRESHOLD (300) /* old usage of HZ here was erroneously and broke under uml */
/*
* Keep track of up to LIST_SIZE source addresses, using a hash table of
* HASH_SIZE entries for faster lookups, but limiting hash collisions to
* HASH_MAX source addresses per the same hash value.
*/
#define LIST_SIZE 0x100
#define HASH_LOG 9
#define HASH_SIZE (1 << HASH_LOG)
#define HASH_MAX 0x10
struct xt_psd_info {
__u32 weight_threshold;

17
extensions/xt_quota2.c
View File

@@ -1,7 +1,7 @@
/*
* xt_quota2 - enhanced xt_quota that can count upwards and in packets
* as a minimal accounting match.
* by Jan Engelhardt <jengelh@medozas.de>, 2008
* by Jan Engelhardt , 2008
*
* Originally based on xt_quota.c:
* Xtables module to enforce network quotas
@@ -128,9 +128,6 @@ q2_get_counter(const struct xt_quota_mtinfo2 *q)
if (p == NULL || IS_ERR(p))
goto out;
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 29)
p->owner = THIS_MODULE;
#endif
p->data = e;
p->read_proc = quota_proc_read;
p->write_proc = quota_proc_write;
@@ -230,7 +227,7 @@ static struct xt_match quota_mt2_reg[] __read_mostly = {
.family = NFPROTO_IPV4,
.checkentry = quota_mt2_check,
.match = quota_mt2,
.destroy = quota_mt2_destroy,
.destroy = quota_mt2_destroy,
.matchsize = sizeof(struct xt_quota_mtinfo2),
.me = THIS_MODULE,
},
@@ -240,7 +237,7 @@ static struct xt_match quota_mt2_reg[] __read_mostly = {
.family = NFPROTO_IPV6,
.checkentry = quota_mt2_check,
.match = quota_mt2,
.destroy = quota_mt2_destroy,
.destroy = quota_mt2_destroy,
.matchsize = sizeof(struct xt_quota_mtinfo2),
.me = THIS_MODULE,
},
@@ -250,27 +247,27 @@ static int __init quota_mt2_init(void)
{
int ret;
proc_xt_quota = proc_mkdir("xt_quota", init_net__proc_net);
proc_xt_quota = proc_mkdir("xt_quota", init_net.proc_net);
if (proc_xt_quota == NULL)
return -EACCES;
ret = xt_register_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
if (ret < 0)
remove_proc_entry("xt_quota", init_net__proc_net);
remove_proc_entry("xt_quota", init_net.proc_net);
return ret;
}
static void __exit quota_mt2_exit(void)
{
xt_unregister_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
remove_proc_entry("xt_quota", init_net__proc_net);
remove_proc_entry("xt_quota", init_net.proc_net);
}
module_init(quota_mt2_init);
module_exit(quota_mt2_exit);
MODULE_DESCRIPTION("Xtables: countdown quota match; up counter");
MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_quota2");
MODULE_ALIAS("ip6t_quota2");

4
geoip/xt_geoip_build
View File

@@ -1,9 +1,7 @@
#!/usr/bin/perl
#
# Converter for MaxMind CSV database to binary, for xt_geoip
# Copyright © Jan Engelhardt <jengelh@medozas.de>, 2008-2011
#
# Use -b argument to create big-endian tables.
# Copyright © Jan Engelhardt, 2008-2011
#
use Getopt::Long;
use IO::Handle;

8
include/linux/netfilter/nf_nat.h
View File

@@ -22,4 +22,12 @@ struct nf_nat_ipv4_multi_range_compat {
struct nf_nat_ipv4_range range[1];
};
struct nf_nat_range {
unsigned int flags;
union nf_inet_addr min_addr;
union nf_inet_addr max_addr;
union nf_conntrack_man_proto min_proto;
union nf_conntrack_man_proto max_proto;
};
#endif /* _NETFILTER_NF_NAT_H */

3
mconfig
View File

@@ -2,7 +2,6 @@
#
build_ACCOUNT=m
build_CHAOS=m
build_CHECKSUM=
build_DELUDE=m
build_DHCPMAC=m
build_DNETMAP=m
@@ -13,12 +12,12 @@ build_RAWNAT=m
build_STEAL=m
build_SYSRQ=m
build_TARPIT=m
build_TEE=
build_condition=m
build_fuzzy=m
build_geoip=m
build_gradm=m
build_iface=m
build_ipaddr=m
build_ipp2p=m
build_ipv4options=m
build_length2=m

7
xtables-addons.8.in
View File

@@ -1,4 +1,4 @@
.TH xtables-addons 8 "v1.42 (2012-04-05)" "" "v1.42 (2012-04-05)"
.TH xtables-addons 8 "v2.1 (2012-11-27)" "" "v2.1 (2012-11-27)"
.SH Name
Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
.SH Targets
@@ -6,8 +6,9 @@ Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
.SH Matches
.\" @MATCHES@
.SH "See also"
\fBiptables\fP(8), \fBip6tables\fP(8), \fBiptaccount\fP(8)
\fBiptables\fP(8), \fBip6tables\fP(8), \fBiptables-extensions\fP(8),
\fBiptaccount\fP(8)
.PP
For developers, the book "Writing Netfilter modules" at
http://jengelh.medozas.de/documents/Netfilter_Modules.pdf provides detailed
http://inai.de/documents/Netfilter_Modules.pdf provides detailed
information on how to write such modules/extensions.