anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-20 19:44:56 +02:00
Code Issues Releases Wiki Activity

Compare commits

base: anonfunc:v2.3
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0
..
compare: anonfunc:v2.12
Branches Tags
anonfunc:master anonfunc:xta-2.x anonfunc:xta-1.x anonfunc:demos anonfunc:mp2t
anonfunc:v3.18 anonfunc:v3.17 anonfunc:v3.16 anonfunc:v3.15 anonfunc:v2.15 anonfunc:v3.14 anonfunc:v3.13 anonfunc:v3.12 anonfunc:v3.11 anonfunc:v3.10 anonfunc:v3.9 anonfunc:v3.8 anonfunc:v3.7 anonfunc:v3.6 anonfunc:v3.5 anonfunc:v3.4 anonfunc:v3.3 anonfunc:v3.2 anonfunc:v3.1 anonfunc:v3.0 anonfunc:v2.14 anonfunc:v2.13 anonfunc:v2.12 anonfunc:v2.11 anonfunc:v2.10 anonfunc:v2.9 anonfunc:v2.8 anonfunc:v2.7 anonfunc:v2.6 anonfunc:v2.5 anonfunc:v2.4 anonfunc:v2.3 anonfunc:v2.2 anonfunc:v2.1 anonfunc:v2.0 anonfunc:v1.47.1 anonfunc:v1.47 anonfunc:v1.46 anonfunc:v1.45 anonfunc:v1.44 anonfunc:v1.43 anonfunc:v1.42 anonfunc:v1.41 anonfunc:v1.40 anonfunc:v1.39 anonfunc:v1.38 anonfunc:v1.37 anonfunc:v1.36 anonfunc:v1.35 anonfunc:v1.34 anonfunc:v1.33 anonfunc:v1.32 anonfunc:v1.31 anonfunc:v1.30 anonfunc:v1.29 anonfunc:v1.28 anonfunc:v1.27 anonfunc:v1.26 anonfunc:v1.25 anonfunc:v1.24 anonfunc:v1.23 anonfunc:v1.22 anonfunc:v1.21 anonfunc:v1.20 anonfunc:v1.19 anonfunc:v1.18 anonfunc:v1.17 anonfunc:v1.16 anonfunc:v1.15 anonfunc:v1.14 anonfunc:v1.13 anonfunc:v1.12 anonfunc:v1.10 anonfunc:v1.9 anonfunc:v1.8 anonfunc:v1.7 anonfunc:v1.6 anonfunc:v1.5.7 anonfunc:v1.5.5 anonfunc:v1.5.4.1 anonfunc:v1.5.4 anonfunc:v1.5.3 anonfunc:v1.5.2 anonfunc:v1.5.1 anonfunc:v1.5.0

59 Commits
v2.3 ... v2.12

Author SHA1 Message Date
Jan Engelhardt
cd410aefe7 Xtables-addons 2.12 2017-01-11 01:39:53 +01:00
Jan Engelhardt
e4b5cef8f0 build: mark Linux 4.10 as supported 2017-01-04 02:44:43 +01:00
Ralph Sennhauser
a8af97b8fa build: support for Linux 4.10 
Commit 613dbd95723aee7abd16860745691b6c7bda20dc (netfilter:
x_tables: move hook state into xt_action_param structure) changes the
struct xt_action_param, accommodate for it.

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
 2017-01-04 02:40:41 +01:00
Ralph Sennhauser
db234c30cd build: support for Linux 4.9 
Commit f330a7fdbe1611104622faff7e614a246a7d20f0 (netfilter: conntrack:
get rid of conntrack timer) replaces timer_list with an u32, use helper
from commit c8607e020014cf11a61601a0005270bad81cabdf (netfilter: nft_ct:
fix expiration getter).

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
 2017-01-04 02:04:14 +01:00
Jan Engelhardt
2e6fb73e85 Xtables-addons 2.11 2016-05-20 14:35:46 +02:00
Jan Engelhardt
6024758b28 xt_ECHO: ensure IP header length is set 2016-05-20 10:48:27 +02:00
Jan Engelhardt
69f3f21a32 xt_ECHO: handle fragments 
Since everything is just echoed back verbatim without modification,
supporting fragments seems easy.
 2016-05-20 10:48:00 +02:00
Your Name
7af1b9737c xt_pknock: use shash crypto API 
The old hash API is dropped as of Linux 4.6.
Only build tested.
 2016-05-20 04:46:31 -04:00
Jan Engelhardt
f5e95f35a7 xt_pknock: replace nemesis by socat 
Use a utility much more widely available.
 2016-04-22 22:51:24 +02:00
Jan Engelhardt
80bed0655f xt_pknock: import digest generation utility 2016-04-22 22:48:56 +02:00
Jan Engelhardt
bc6aaf74d8 xt_pknock: remove reference to non-existing documentation 
Even in the old pknock-0.5.tar.gz tarball, there is no doc/pknock/
directory.
 2016-04-22 22:43:17 +02:00
Jan Engelhardt
192243483a xt_SYSRQ: use new shash crypto API 
The "shash" API is not exactly new (Linux 2.6.27), but the "hash" API
was finally thrown out for Linux 4.6.
 2016-04-22 11:11:57 +02:00
Andreas Schultz
e3114d60d5 xt_ACCOUNT: make it namespace aware 
xt_ACCOUNTing objects create in one network namespace could be
read from all namespaces. Also object with the same name in
different namespaces would collide.

Signed-off-by: Andreas Schultz <aschultz@tpip.net>
 2016-04-05 13:30:57 +02:00
Matthias Schiffer
e6f20befad build: fix configure compatiblity with POSIX shells 
The kernel version detection code uses some bashisms, which makes the
build fail on Debian systems where /bin/sh links to dash. Replace with
POSIX-conforming commands at the cost of requiring awk.
 2016-04-05 12:25:13 +02:00
Jan Engelhardt
5038e160f8 Xtables-addons 2.10 2015-11-20 23:30:33 +01:00
Jan Engelhardt
a6289ec3ff build: silence compiler warning in xt_quota2 
xt_quota2.c:67:6: warning: unused variable "ret" [-Wunused-variable]
 2015-11-20 23:17:40 +01:00
Jan Engelhardt
01e7128a80 build: support for Linux 4.4 2015-11-20 23:17:39 +01:00
Jan Engelhardt
1dc2a1c2de xt_ACCOUNT: remove redundant braces 
For single-line statements, the {} are not strictly needed.
 2015-11-09 22:33:49 +01:00
Jan Engelhardt
60b6b1dbef xt_ACCOUNT: indent reduction 
Invert early terminating conditions so the rest of the block can be
de-indented.
 2015-11-09 22:33:49 +01:00
Jan Engelhardt
fcb19403bc xt_ACCOUNT: call free_pages(x,2) (doc) 
Below is the patch with the *rest* of the free_page(X) calls changed
to free_pages(X, 2). xt_ACCOUNT should always allocate memory in page
pairs. And always *free* memory in page pairs.

References: http://www.spinics.net/lists/netfilter-devel/msg39025.html
 2015-11-09 22:33:47 +01:00
Neil P. Murphy
f89f10bbe9 xt_ACCOUNT: call free_pages(x,2) 
Below is the patch with the *rest* of the free_page(X) calls changed
to free_pages(X, 2). xt_ACCOUNT should always allocate memory in page
pairs. And always *free* memory in page pairs.

References: http://www.spinics.net/lists/netfilter-devel/msg39025.html
 2015-11-09 22:25:16 +01:00
Jan Engelhardt
a9358542fe Xtables-addons 2.9 2015-10-12 16:27:59 +02:00
Jan Engelhardt
237fe7c660 build: support for Linux 4.3 2015-10-12 16:27:08 +02:00
Sam Liddicott
939fc901c1 xt_quota2: allow incremental value to be written to quota proc file 
As well as writing absolute numeric values to the quota file, you
can now also write numbers preceded by a + sign or a - sign, e.g.

* "+30" would increase the quota by 30
* "+-20" would increase the quota by negative 20,
  which is the same as decrease by 20
* "-5" would decrease the quota by 5
 2015-09-29 20:54:18 +02:00
Boris Figovsky
a4a077ff86 xt_DHCPMAC: correct L2addr set and compare 2015-09-29 20:40:24 +02:00
Jan Engelhardt
bccf64d820 Xtables-addons 2.8 2015-08-19 12:38:49 +02:00
Jan Engelhardt
7e3e156d92 xt_ECHO: enable for all supported versions 
Linux is now at 4.x.
 2015-08-19 12:36:18 +02:00
Tim Gardner
8f70b9a99d build: support for Linux 4.2 
xt_DNETMAP.c: In function "dnetmap_prefix_destroy":
xt_DNETMAP.c:185:2: error: implicit declaration of function
"remove_proc_entry" [-Werror=implicit-function-declaration]
  remove_proc_entry(p->proc_str_data, dnetmap_net->xt_dnetmap);
 2015-08-19 12:35:01 +02:00
Jan Engelhardt
e277360bcd Xtables-addons 2.7 2015-07-06 05:59:21 +02:00
Jan Engelhardt
672f12b2a6 doc: remove old changelog entries 2015-07-06 05:59:21 +02:00
Jan Engelhardt
8788b6c096 doc: combine kernel version numbers 2015-07-06 05:59:21 +02:00
Alexander Petrenas
96ce5ec488 xt_TARPIT: support for Linux 4.1 2015-07-06 05:59:21 +02:00
Jan Engelhardt
5e22c9c592 xt_ACCOUNT: avoid implicit padding in struct ipt_acc_handle_ip 
Make the structure size so that an ILP32 environment has no problem
taking the raw bytes from an LP64 one.
 2015-06-05 13:52:45 +02:00
Jan Engelhardt
01f97bfdd1 iptaccount: cast from uint64_t to please printf 
%llu wants an "unsigned long long", which is not necessarily
the same as uint64_t.
 2015-06-05 13:51:56 +02:00
Neal P. Murphy
1324442bce xt_ACCOUNT: make counters 64-bit wide 
The Smoothwall Express traffic stats collector (traffiClogger) does
not handle counter rollovers well and does not perform read&flush.
(Yes, the code is somewhat aged.) To change it to perform read&flush
is non-trivial. Then, it occurred to me that it might be easier to
change ipt_ACCOUNT in xtables-addons to use 64-bit counters,
considering it was designed around single kernel pages.

The following submission counts to at least 100 GB, produces no
obvious kernel gripes, and adjacent counters do not seem to interfere
with each other. Yes, it uses more memory, but RAM costs much less
than bugs that grown out of complex software.

The theory:

  - Use two kernel pages for the counters for each group of 256
    addresses.
  - Change counters to 64-bit.
  - Change to __get_free_pages/free_pages, using order=2
    (two consecutive pages), and zero both pages.
  - Change "%u" to "%llu" as needed.
  - Everything else pretty much stays the same.

I also changed tmpbuf to two pages (Justin Case's idea), but I
do not know if that's really necessary.
 2015-06-05 13:51:55 +02:00
Jan Engelhardt
a576f4d43e Xtables-addons 2.6 2014-09-29 10:33:13 +02:00
Jan Engelhardt
cc17e1d0fe build: explicitly support Linux 3.16, 3.17 2014-09-04 18:50:35 +02:00
Adam Butcher
c08835d65c xt_pknock: fix pknock in UDP SPA mode 
When the PK_CRYPTO pre-processor flag got removed in
v1.47.1-2-g66f213e, one of the removal cases was misapplied; the body
of an "#ifndef PK_CRYPTO" was left in rather than the whole section
being removed.
 2014-09-04 18:45:42 +02:00
Adam Butcher
4c21811919 src: work with typeof 
Although not officially supported, we have found that the
xtables-addons modules we are interested in work fine on 3.0.4 with a
slight non-invasive mod to compat_xtables.h.
 2014-09-04 18:44:52 +02:00
Jan Engelhardt
431062c6ec Xtables-addons 2.5 2014-04-18 19:14:59 +02:00
Jan Engelhardt
87adf3461f build: resolve compile error with Linux 3.15 
Commit v3.15-rc1~141^2~97 changed the signature for cn_netlink_send.
 2014-04-18 19:12:51 +02:00
Jan Engelhardt
f2e21e67a5 build: resolve compile error with Linux 3.13 
net_random has been removed in commit v3.14-rc1~94^2~191 and replaced
by its definition, prandom_u32.

prandom_u32 was only introduced in v3.8-rc1~74^2~22, so we will have
an extra ifdef for 3.7 support.
 2014-04-18 19:12:40 +02:00
Daniel Golle
ae307c0bf3 xt_quota2: introduce support for network namespaces 
Initialize a separate xt_quota2 instance for each network
namespace so data limit can be set and enforced per container.
 2014-04-18 15:10:05 +02:00
Jan Engelhardt
ec8c6b8732 doc: add xt_quota2 changelog items 2014-01-18 12:29:09 +01:00
Jan Engelhardt
7916b74a42 Xtables-addons 2.4 2014-01-09 10:37:52 +01:00
Jan Engelhardt
7fbbd0401e build: support for Linux 3.13 2014-01-09 10:25:40 +01:00
Jan Engelhardt
991c0cf4cf compat_xtables: remove no longer needed target API redirection 
Function signature for targets stayed the same since 3.7.
 2014-01-09 10:24:32 +01:00
Jan Engelhardt
b58e78968e compat_xtables: remove unused compat_nfinetaddr.h header 2014-01-09 10:19:48 +01:00
Jan Engelhardt
02eb0e5df9 compat_xtables: remove unused function declarations 2014-01-09 10:19:00 +01:00
Jan Engelhardt
98ea6c538b compat_xtables: remove unused ipt_unregister_table macro 2014-01-09 10:16:42 +01:00
Jan Engelhardt
7cf7250e07 compat_xtables: remove unused xtnu_ip_route_me_harder 2014-01-09 10:16:02 +01:00
Jan Engelhardt
f9b0ee7533 compat_xtables: remove unused xtnu_skb_make_writable 2014-01-09 10:14:36 +01:00
Jan Engelhardt
a82d0ba517 compat_xtables: remove unused xtnu_request_find_match 
The xt_find_match function is also getting unexported in 3.14.
 2014-01-09 10:09:04 +01:00
Sam Liddicott
bc2bcc383c xt_quota2: remove trailing junk which might have a digit in it 
Signed-off-by: Sam Liddicott <sam@liddicott.com>
 2014-01-09 10:00:43 +01:00
Sam Liddicott
c6c70ab30b xt_quota2: fix 2 bugs when not in grow mode 
1. XT_QUOTA_NO_CHANGE should not alter quota to zero ever
2. XT_QUOTA_PACKET should not be set to zero based on skb->len

Signed-off-by: Sam Liddicott <sam@liddicott.com>
 2014-01-09 09:59:04 +01:00
Jan Engelhardt
a0a8fbc091 Update .gitignore 
Looks like GCOV is enabled somewhere.
 2014-01-09 09:58:08 +01:00
Jan Engelhardt
9414a5df34 extensions: remove RAWSNAT/RAWDNAT 2013-08-07 15:42:56 +02:00
Jan Engelhardt
f28cfff138 extensions: remove STEAL target 
There is enough demo code in the "demos" branch.
 2013-08-07 15:40:24 +02:00
Jan Engelhardt
a8d7ec5ad6 build: skip calling depmod 
Calling depmod is no longer needed. (Since sometime in the 2.6
series.)
 2013-06-19 06:09:34 +02:00
44 changed files with 691 additions and 2108 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1,3 +1,4 @@
*.gcno
*.la
*.lo
*.loT

3
Makefile.am
View File

@@ -11,9 +11,6 @@ FORCE:
xtables-addons.8: FORCE
${MAKE} -f Makefile.mans all;
install-exec-hook:
depmod -a || :;
clean-local-mans:
${MAKE} -f Makefile.mans clean;

30
configure.ac
View File

@@ -1,4 +1,4 @@
AC_INIT([xtables-addons], [2.3])
AC_INIT([xtables-addons], [2.12])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
@@ -44,27 +44,23 @@ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
if test -n "$kbuilddir"; then
AC_MSG_CHECKING([kernel version that we will build against])
krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease)";
kmajor="${krel%%[[^0-9]]*}";
kmajor="$(($kmajor+0))";
krel="${krel:${#kmajor}}";
krel="${krel#.}";
kminor="${krel%%[[^0-9]]*}";
kminor="$(($kminor+0))";
krel="${krel:${#kminor}}";
krel="${krel#.}";
kmicro="${krel%%[[^0-9]]*}";
kmicro="$(($kmicro+0))";
krel="${krel:${#kmicro}}";
krel="${krel#.}";
kstable="${krel%%[[^0-9]]*}";
kstable="$(($kstable+0))";
krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease | $AWK -v 'FS=[[^0-9.]]' '{print $1; exit}')"
save_IFS="$IFS"
IFS='.'
set x $krel
IFS="$save_IFS"
kmajor="$(($2+0))"
kminor="$(($3+0))"
kmicro="$(($4+0))"
kstable="$(($5+0))"
if test -z "$kmajor" -o -z "$kminor" -o -z "$kmicro"; then
echo "WARNING: Version detection did not succeed. Continue at own luck.";
else
echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
if test "$kmajor" -gt 3 -o "$kmajor" -eq 3 -a "$kminor" -gt 10; then
if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 10; then
echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
elif test "$kmajor" -eq 4 -a "$kminor" -le 10; then
:;
elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
:;
else

579
doc/changelog.txt
View File

@@ -3,6 +3,74 @@ HEAD
====
v2.12 (2017-01-11)
==================
Enhancements:
- support for Linux up to 4.10
v2.11 (2016-05-20)
==================
Enhancements:
- support for Linux 4.5, 4.6
- xt_ECHO: tentatively support responding to fragments
v2.10 (2015-11-20)
==================
Enhancements:
- Support for Linux 4.4
Fixes:
- xt_ACCOUNT: call free_page with the right amount of pages
v2.9 (2015-10-12)
=================
Enhancements:
- Support for Linux 4.3
v2.8 (2015-08-19)
=================
Enhancements:
- Support for Linux 4.2
- Enable xt_ECHO for Linux 4.0+
v2.7 (2015-07-06)
=================
Enhancements:
- Support for Linux up to 4.1
v2.6 (2014-09-29)
=================
Enhancements:
- Support for Linux up to 3.17
Fixes:
- xt_pknock: UDP SPA mode erroneously returned an error saying
crypto was unavailable
v2.5 (2014-04-18)
=================
Enhancements:
- Support for Linux up to 3.15
- xt_quota2: introduce support for network namespaces
v2.4 (2014-01-09)
=================
Enhancements:
- Support for Linux up to 3.13
Changes:
- remove unmaintained RAWSNAT/RAWDNAT code
- remove unused parts of compat_xtables that served Linux <3.7
Fixes:
- xt_quota2: --no-change should not alter quota to zero ever
- xt_quota2: --packet should not be set to zero based on skb->len
v2.3 (2013-06-18)
=================
Enhancements:
@@ -42,513 +110,4 @@ Enhancements:
- Support for Linux 3.7
If you want to use Xtables-addons with kernels older than 3.7,
use the addons 1.x series, which continues to be maintained for
the time being.
v1.47.1 (2010-10-15)
====================
Enhancements:
- xt_psd gained IPv6 support
Notes for this release:
- Linux 3.7+ is expressly unsupported by this release.
v1.46 (2012-08-23)
==================
Fixes:
- length2, SYSRQ, RAWNAT: preinitialize values for ipv6_find_hdr
- TARPIT: fix memory leak when tarpit_generic() fails
- build: remove extraneous closing bracket in configure.ac
- doc: update xt_SYSRQ.man to reflect that the full IPv6 address is needed
Enhancements:
- Support for Linux 3.6
v1.45 (2012-07-16)
==================
Fixes:
- build: export missing functions
(fixes: "WARNING 'xtnu_ipv6_find_hdr' [xt_TARPIT.ko] not found")
- build: avoid use of unexported functions
(fixes: "WARNING 'ipv6_find_hdr' [xt_TARPIT.ko] not found"
in <= linux-2.6.37)
v1.44 (2012-07-15)
==================
Fixes:
- SYSRQ: fix double target initialization at module load
- build: do not attempt to build IPv6 parts if CONFIG_IP6_NF_IPTABLES=n
Enhancements:
- TARPIT gained IPv6 support
v1.43 (2012-06-30)
==================
Fixes:
- xt_psd: avoid crash due to curr->next corruption
Changes:
- xt_psd: reject invalid match options
Enhancements:
- Support for Linux 3.5
- DNETMAP: new type: static binding
- DNETMAP: new persistent flag option for prefix
- DNETMAP: add write support to procfs interface
v1.42 (2012-04-05)
==================
Fixes:
- compat_xtables: fixed mistranslation of checkentry return values
(affected kernels < 2.6.23)
- xt_SYSRQ: fix compile error when crypto is turned off
Changes:
- ipset6-genl has been dropped from the tree;
the libmnl build-time dependency is thus no longer needed
Enhancements:
- Support for Linux 3.3, 3.4
v1.41 (2012-01-04)
==================
Changes:
- Deactivate build of ipset-genl by default.
I think the original ipset package can now take over, given there are
a handful of kernels (2.6.39 onwards) that do not need patching.
Enhancements:
- Support for Linux 3.2
v1.40 (2011-11-30)
==================
Fixes:
- build: the code actually requires at least iptables 1.4.5 (would yield a
compile error otherwise), make sure configure checks for it; update INSTALL
- xt_ECHO: fix kernel warning about RTAX_HOPLIMIT being used
- xt_ipv4options: fix an infinite loop
Changes:
- xt_ECHO: now calculates UDP checksum
- Linux kernel versions below 2.6.32 are no longer officially
supported, and will not be part of compilation testing.
- update to ipset 6.10
Enhancements:
- xt_ECHO: IPv6 support
v1.39 (2011-09-21)
==================
Fixes:
- libxt_ACCOUNT: fix compilation after missing libxtables_CFLAGS
- build: fix compilation after missing libxtables_CFLAGS in submodules
- build: add missing linux/version.h includes where needed
Changes:
- Remove unsupported ipset 4.x from the Xtables-addons distribution
- ipset: move ipset_errcode from src to library to avoid undefined reference
- update to ipset 6.9.1
v1.38 (2011-08-20)
==================
- xt_CHECKSUM: abort build when the feature is already provided by mainline
- xt_SYSRQ: fix UDPLITE header lookup in IPv6
- xt_TARPIT: fix kernel warning about RTAX_HOPLIMIT being used
- xt_TEE: abort build when the feature is already provided by mainline
- xt_ipp2p: support UDPLITE
- xt_pknock: support UDPLITE
- xt_psd: restore functionality with UDP
- xt_psd: support UDPLITE
- update to ipset 6.8
- support for Linux 3.1
v1.37 (2011-06-25)
==================
Fixes:
- xt_SYSRQ: make IPv6 trigger work again
- xt_SYSRQ: improve security: include host address in digest
- xt_TARPIT: fix a kernel oops in --reset mode
v1.36 (2011-06-03)
==================
Changes:
- xt_geoip: avoid recursive function calls
- xt_TARPIT: unlock for use in all tables
- xt_TARPIT: honeypot and reset modes
- update to ipset 6.7
- support for Linux 3.0
v1.35 (2011-04-11)
==================
Enhancements:
- update to ipset 6.3
* allow "new" as a commad alias to "create"
* resolving IP addresses did not work at listing/saving sets, fixed
* check ICMP and ICMPv6 with the set match and target in the testsuite
* avoid possible syntax clashing at saving hostnames
* fix linking with CONFIG_IPV6=n
* sctp, udplite support for the hash:*port* types
- ipset-genl: handle EAGAIN return value emitted from autoloader
- ipset-genl: resolve nfgenmsg remains and fix spurious protocol abort
v1.34 (2011-04-07)
==================
Fixes:
- xt_pknock: avoid crash when hash TFM could not be allocated
- xt_pknock: avoid inversion of rule lookup that led to warnings
- xt_DNETMAP: add missing module alias
- xt_DNETMAP: support for kernels below 2.6.34
Changes:
- Linux kernel versions below 2.6.29 are no longer officially
supported, and will not be part of compilation testing.
v1.33 (2011-02-02)
==================
Fixes:
- build: restore functionality of `configure --without-kbuild`
- build: fix objdir builds for ipset-5 (xt-a specific)
- build: fix missing inclusion of dependency rules
- xt_LOGMARK: fix detection of untracked connection for Linux >= 2.6.36
Enhancements:
- IPv6 support for xt_geoip
- Update to ipset 5.3
* make IPv4 and IPv6 address handling similar
* show correct line numbers in restore output for parser errors
- Update to ipset 5.4
* fixed ICMP and ICMPv6 handling
* fixed trailing whitespaces and pr_* messages
* fixed module loading at create/header commands
- build: support for Linux up to 2.6.38
- build: preliminary support for iptables 1.4.11
v1.32 (2011-01-04)
==================
Fixes:
- Update to ipset 4.5
* the iptreemap type used wrong gfp flags when deleting entries
- Include ipset 5.2 with genetlink patch (beta)
* no kernel patch needed, but requires Linux >= 2.6.35
and thus needs to be manually enabled in mconfig
v1.31 (2010-11-05)
==================
Fixes:
- build: improve detection of kernel version and error handling
Changes:
- build: automatically derive Xtables module directory, thus
--with-xtlibdir is no longer needed for ./configure in most cases
(If I still see a distro using it, I will scold you for not
reading this changelog.)
Enhancements:
- LOGMARK: print remaining lifetime of cts
- xt_iface: allow matching against incoming/outgoing interface
- libxt_gradm: match packets based on status of grsecurity RBAC
(userspace part only - xt_gradm is in the grsec patch)
v1.30 (2010-010-02)
===================
Fixes:
- update to ipset 4.4
* ipport{,ip,net}hash did not work with mixed "src" and "dst"
destination parameters
Changes:
- deactivate building xt_TEE and xt_CHECKSUM by default, as these have been
merged upstream in Linux 2.6.35 and 2.6.36, respectively.
Distros still wishing to build this need to enable it in their build
script, e.g. perl -i -pe 's{^build_TEE=.*}{build_TEE=m}' mconfig;
v1.29 (2010-09-29)
==================
- compat_xtables: return bool for match_check and target_check in 2.6.23..34
- ipset: enable building of ip_set_ipport{ip,net}hash.ko
- support for Linux 2.6.36
- SYSRQ: resolve compile error with Linux 2.6.36
- TEE: resolve compile error with Linux 2.6.36
- add workaround for broken linux-glibc-devel 2.6.34 userspace headers
("implicit declaration of function 'ALIGN'")
v1.28 (2010-07-24)
==================
- RAWNAT: IPv6 variants erroneously rejected masks /33-/128
- new target xt_CHECKSUM
- xt_length2: add support for IPv6 jumbograms
- xt_geoip: fix possible out-of-bounds access
- import xt_geoip database scripts
v1.27 (2010-05-16)
==================
- further updates for the upcoming 2.6.35 changes
v1.26 (2010-04-30)
==================
- compat_xtables: fix 2.6.34 compile error due to a typo
v1.25 (2010-04-26)
==================
- TEE: do rechecksumming in PREROUTING too
- TEE: decrease TTL on cloned packet
- TEE: set dont-fragment on cloned packets
- TEE: free skb when route lookup failed
- TEE: do not limit use to mangle table
- TEE: do not retain iif and mark on cloned packet
- TEE: new loop detection logic
- TEE: use less expensive pskb_copy
- condition: remove unnecessary RCU protection
v1.24 (2010-03-17)
==================
- build: fix build of userspace modules against old (pre-2.6.25)
headers from linux-glibc-devel (/usr/include/linux)
- ipp2p: updated bittorent command recognition
- SYSRQ: let module load when crypto is unavailable
- SYSRQ: allow processing of UDP-Lite
v1.23 (2010-02-24)
==================
- build: support for Linux 2.6.34
- build: remove unused --with-ksource option
- build: remove unneeded --with-xtables option
- build: fix compilations in RAWNAT, SYSRQ and length2 when CONFIG_IPV6=n
- ipset: update to 4.2
- ECHO: fix compilation w.r.t. skb_dst
v1.22 (2010-01-22)
==================
- compat_xtables: support for 2.6.33 skb_iif changes
- geoip: for FHS compliance use /usr/share/xt_geoip instead of /var/geoip
- ipset: enable build of ip_set_setlist.ko
- quota2: add the --no-change mode
v1.21 (2009-12-09)
==================
- ACCOUNT: avoid collision with arp_tables setsockopt numbers
- doc: fix option mismatch --gw/--gateway in libxt_TEE.man
v1.20 (2009-11-19)
==================
- ipp2p: add more boundary checks
- ipp2p: fix Gnutelle line ending detection
- LOGMARK: remove unknown options from manpage
- ACCOUNT: endianess-correctness
- ipset: install manpage
- ipset: fast forward to v4.1
v1.19 (2009-10-12)
==================
- build: compile fixes for 2.6.31-rt
- build: support for Linux 2.6.32
- ipp2p: try to address underflows
- psd: avoid potential crash when dealing with non-linear skbs
- merge xt_ACCOUNT userspace utilities
- added reworked xt_pknock module
Changes from pknock v0.5:
- pknock: "strict" and "checkip" flags were not displayed in `iptables -L`
- pknock: the GC expire time's lower bound is now the default gc time
(65000 msec) to avoid rendering anti-spoof protection in SPA mode useless
- pknock: avoid crash on memory allocation failure and fix memleak
- pknock: avoid fillup of peer table during DDoS
- pknock: automatic closing of ports
- pknock: make non-zero time mandatory for TCP mode
- pknock: display only pknock mode and state relevant information in procfs
- pknock: check interknock time only for !ST_ALLOWED peers
- pknock: preserve time/autoclose values for rules added in
reverse/arbitrary order
- pknock: add a manpage
v1.18 (2009-09-09)
==================
- build: support for Linux 2.6.31
- ipset: fast forward to v3.2
- quota2: support anonymous counters
- quota2: reduce memory footprint for anonymous counters
- quota2: extend locked period during cleanup (locking bugfix)
- quota2: use strtoull instead of strtoul
- merged xt_ACCOUNT module
- merged xt_psd module
v1.17 (2009-06-16)
==================
- IPMARK: print missing --shift parameter
- build: use readlink -f in extensions/ipset/
- build: support for Linux 2.6.30
v1.16 (2009-05-27)
==================
- RAWNAT: make iptable_rawpost compile with 2.6.30-rc5
- ipset: fast forward to 3.0
v1.15 (2009-04-30)
==================
- build: add kernel version check to configure
- condition: compile fix for 2.6.30-rc
- condition: fix intrapositional negation sign
- fuzzy: fix bogus comparison logic leftover from move to new 1.4.3 API
- ipp2p: fix bogus varargs call
- ipp2p: fix typo in error message
- added "iface" match
- added rawpost table (for use with RAWNAT)
- added RAWSNAT/RAWDNAT targets
v1.14 (2009-03-31)
==================
- fuzzy: need to account for kernel-level modified variables in .userspacesize
- geoip: remove XT_ALIGN from .userspacesize when used with offsetof
- SYSRQ: ignore non-UDP packets
- SYSRQ: do proper L4 header access in IPv6 code
(must not use tcp/udp_hdr in input path)
- add "STEAL" target
- dhcpmac: rename from dhcpaddr
v1.13 (2009-03-23)
==================
- added a reworked ipv4options match
- upgrade to iptables 1.4.3 API
v1.12 (2009-03-07)
==================
- ipset: fix for compilation with 2.6.29-rt
- ipset: fast forward to 2.5.0
- rename xt_portscan to xt_lscan ("low-level scan") because
"portscan" as a word caused confusion
- xt_LOGMARK: print incoming interface index
- revert "TEE: do not use TOS for routing"
- xt_TEE: resolve unknown symbol error with CONFIG_IPV6=n
- xt_TEE: enable routing by iif, nfmark and flowlabel
v1.10 (2009-02-18)
==================
- compat: compile fixes for 2.6.29
- ipset: upgrade to ipset 2.4.9
v1.9 (2009-01-30)
=================
- add the xt_length2 extension
- xt_TEE: remove intrapositional '!' support
- ipset: upgrade to ipset 2.4.7
v1.8 (2009-01-10)
=================
- xt_TEE: IPv6 support
- xt_TEE: do not include TOS value in routing decision
- xt_TEE: fix switch-case inversion for name/IP display
- xt_ipp2p: update manpages and help text
- xt_ipp2p: remove log flooding
- xt_portscan: update manpage about --grscan option caveats
v1.7 (2008-12-25)
=================
- xt_ECHO: compile fix
- avoid the use of "_init" which led to compile errors on some installations
- build: do not unconditionally install ipset
- doc: add manpages for xt_ECHO and xt_TEE
- xt_ipp2p: kazaa detection code cleanup
- xt_ipp2p: fix newline inspection in kazaa detection
- xt_ipp2p: ensure better array bounds checking
- xt_SYSRQ: improve security by hashing password
v1.6 (2008-11-18)
=================
- build: support for Linux 2.6.17
- build: compile fixes for 2.6.18 and 2.6.19
- xt_ECHO: resolve compile errors in xt_ECHO
- xt_ipp2p: parenthesize unaligned-access macros
v1.5.7 (2008-09-01)
===================
- API layer: fix use of uninitialized 'hotdrop' variable
- API layer: move to pskb-based signatures
- xt_SYSRQ: compile fixes for Linux <= 2.6.19
- ipset: adjust semaphore.h include for Linux >= 2.6.27
- build: automatically run `depmod -a` on installation
- add reworked xt_fuzzy module
- add DHCP address match and mangle module
- xt_portscan: IPv6 support
- xt_SYSRQ: add missing module aliases
v1.5.5 (2008-08-03)
===================
- manpage updates for xt_CHAOS, xt_IPMARK; README updates
- build: properly recognize external Kbuild/Mbuild files
- build: remove dependency on CONFIG_NETWORK_SECMARK
- add the xt_SYSRQ target
- add the xt_quota2 extension
- import ipset extension group
v1.5.4.1 (2008-04-26)
=====================
- build: fix compile error for 2.6.18-stable
v1.5.4 (2008-04-09)
===================
- build: support building multiple files with one config option
- API layer: add check for pskb relocation
- doc: generate manpages
- xt_ECHO: catch skb_linearize out-of-memory condition
- xt_LOGMARK: add hook= and ctdir= fields in dump
- xt_LOGMARK: fix comma output in ctstatus= list
- xt_TEE: fix address copying bug
- xt_TEE: make skb writable before attempting checksum update
- add reworked xt_condition match
- add reworked xt_ipp2p match
- add reworked xt_IPMARK target
v1.5.3 (2008-03-22)
===================
- support for Linux 2.6.18
- add xt_ECHO sample target
- add reworked xt_geoip match
v1.5.2 (2008-03-04)
===================
- build: support for GNU make < 3.81 which does not have $(realpath)
v1.5.1 (2008-02-21)
===================
- build: allow user to select what extensions to compile and install
- build: allow external proejcts to be downloaded into the tree
- xt_LOGMARK: dump classify mark, ctstate and ctstatus
- add xt_CHAOS, xt_DELUDE and xt_portscan from Chaostables
v1.5.0 (2008-02-11)
===================
Initial release with:
- extensions: xt_LOGMARK, xt_TARPIT, xt_TEE
- support for Linux >= 2.6.19
use the addons 1.x series (maintained but without new features).

18
extensions/ACCOUNT/iptaccount.c
View File

@@ -200,13 +200,19 @@ int main(int argc, char *argv[])
while ((entry = ipt_ACCOUNT_get_next_entry(&ctx)) != NULL)
{
if (doCSV)
printf("%s;%u;%u;%u;%u\n",
addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
entry->dst_packets, entry->dst_bytes);
printf("%s;%llu;%llu;%llu;%llu\n",
addr_to_dotted(entry->ip),
(unsigned long long)entry->src_packets,
(unsigned long long)entry->src_bytes,
(unsigned long long)entry->dst_packets,
(unsigned long long)entry->dst_bytes);
else
printf("IP: %s SRC packets: %u bytes: %u DST packets: %u bytes: %u\n",
addr_to_dotted(entry->ip), entry->src_packets, entry->src_bytes,
entry->dst_packets, entry->dst_bytes);
printf("IP: %s SRC packets: %llu bytes: %llu DST packets: %llu bytes: %llu\n",
addr_to_dotted(entry->ip),
(unsigned long long)entry->src_packets,
(unsigned long long)entry->src_bytes,
(unsigned long long)entry->dst_packets,
(unsigned long long)entry->dst_bytes);
}
if (doContinue)

464
extensions/ACCOUNT/xt_ACCOUNT.c
View File

@@ -15,6 +15,7 @@
//#define DEBUG 1
#include <linux/module.h>
#include <linux/version.h>
#include <net/net_namespace.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/icmp.h>
@@ -29,6 +30,7 @@
#include <linux/string.h>
#include <linux/spinlock.h>
#include <asm/uaccess.h>
#include <net/netns/generic.h>
#include <net/route.h>
#include "xt_ACCOUNT.h"
@@ -73,13 +75,13 @@ struct ipt_acc_handle {
};
/* Used for every IP entry
Size is 16 bytes so that 256 (class C network) * 16
fits in one kernel (zero) page */
Size is 32 bytes so that 256 (class C network) * 16
fits in a double kernel (zero) page (two consecutive kernel pages)*/
struct ipt_acc_ip {
uint32_t src_packets;
uint32_t src_bytes;
uint32_t dst_packets;
uint32_t dst_bytes;
uint64_t src_packets;
uint64_t src_bytes;
uint64_t dst_packets;
uint64_t dst_bytes;
};
/*
@@ -100,25 +102,28 @@ struct ipt_acc_mask_8 {
struct ipt_acc_mask_16 *mask_16[256];
};
static struct ipt_acc_table *ipt_acc_tables;
static struct ipt_acc_handle *ipt_acc_handles;
static void *ipt_acc_tmpbuf;
static int ipt_acc_net_id __read_mostly;
/* Spinlock used for manipulating the current accounting tables/data */
static DEFINE_SPINLOCK(ipt_acc_lock);
/* Mutex (semaphore) used for manipulating userspace handles/snapshot data */
static struct semaphore ipt_acc_userspace_mutex;
struct ipt_acc_net {
/* Spinlock used for manipulating the current accounting tables/data */
spinlock_t ipt_acc_lock;
/* Allocates a page and clears it */
/* Mutex (semaphore) used for manipulating userspace handles/snapshot data */
struct semaphore ipt_acc_userspace_mutex;
struct ipt_acc_table *ipt_acc_tables;
struct ipt_acc_handle *ipt_acc_handles;
void *ipt_acc_tmpbuf;
};
/* Allocates a page pair and clears it */
static void *ipt_acc_zalloc_page(void)
{
// Don't use get_zeroed_page until it's fixed in the kernel.
// get_zeroed_page(GFP_ATOMIC)
void *mem = (void *)__get_free_page(GFP_ATOMIC);
if (mem) {
memset (mem, 0, PAGE_SIZE);
}
void *mem = (void *)__get_free_pages(GFP_ATOMIC, 2);
if (mem != NULL)
memset(mem, 0, 2 *PAGE_SIZE);
return mem;
}
@@ -131,7 +136,7 @@ static void ipt_acc_data_free(void *data, uint8_t depth)
/* Free for 8 bit network */
if (depth == 0) {
free_page((unsigned long)data);
free_pages((unsigned long)data, 2);
return;
}
@@ -139,12 +144,10 @@ static void ipt_acc_data_free(void *data, uint8_t depth)
if (depth == 1) {
struct ipt_acc_mask_16 *mask_16 = data;
unsigned int b;
for (b = 0; b <= 255; b++) {
if (mask_16->mask_24[b]) {
free_page((unsigned long)mask_16->mask_24[b]);
}
}
free_page((unsigned long)data);
for (b = 0; b <= 255; ++b)
if (mask_16->mask_24[b])
free_pages((unsigned long)mask_16->mask_24[b], 2);
free_pages((unsigned long)data, 2);
return;
}
@@ -156,15 +159,13 @@ static void ipt_acc_data_free(void *data, uint8_t depth)
struct ipt_acc_mask_16 *mask_16 =
((struct ipt_acc_mask_8 *)data)->mask_16[a];
for (b = 0; b <= 255; b++) {
if (mask_16->mask_24[b]) {
free_page((unsigned long)mask_16->mask_24[b]);
}
}
free_page((unsigned long)mask_16);
for (b = 0; b <= 255; ++b)
if (mask_16->mask_24[b])
free_pages((unsigned long)mask_16->mask_24[b], 2);
free_pages((unsigned long)mask_16, 2);
}
}
free_page((unsigned long)data);
free_pages((unsigned long)data, 2);
return;
}
@@ -175,7 +176,8 @@ static void ipt_acc_data_free(void *data, uint8_t depth)
/* Look for existing table / insert new one.
Return internal ID or -1 on error */
static int ipt_acc_table_insert(const char *name, __be32 ip, __be32 netmask)
static int ipt_acc_table_insert(struct ipt_acc_table *ipt_acc_tables,
const char *name, __be32 ip, __be32 netmask)
{
unsigned int i;
@@ -262,13 +264,15 @@ static int ipt_acc_table_insert(const char *name, __be32 ip, __be32 netmask)
static int ipt_acc_checkentry(const struct xt_tgchk_param *par)
{
struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
struct ipt_acc_info *info = par->targinfo;
int table_nr;
spin_lock_bh(&ipt_acc_lock);
table_nr = ipt_acc_table_insert(info->table_name, info->net_ip,
spin_lock_bh(&ian->ipt_acc_lock);
table_nr = ipt_acc_table_insert(ian->ipt_acc_tables,
info->table_name, info->net_ip,
info->net_mask);
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
if (table_nr == -1) {
printk("ACCOUNT: Table insert problem. Aborting\n");
@@ -283,10 +287,11 @@ static int ipt_acc_checkentry(const struct xt_tgchk_param *par)
static void ipt_acc_destroy(const struct xt_tgdtor_param *par)
{
struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
unsigned int i;
struct ipt_acc_info *info = par->targinfo;
spin_lock_bh(&ipt_acc_lock);
spin_lock_bh(&ian->ipt_acc_lock);
pr_debug("ACCOUNT: ipt_acc_deleteentry called for table: %s (#%d)\n",
info->table_name, info->table_nr);
@@ -295,31 +300,31 @@ static void ipt_acc_destroy(const struct xt_tgdtor_param *par)
/* Look for table */
for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
if (strncmp(ipt_acc_tables[i].name, info->table_name,
if (strncmp(ian->ipt_acc_tables[i].name, info->table_name,
ACCOUNT_TABLE_NAME_LEN) == 0) {
pr_debug("ACCOUNT: Found table at slot: %d\n", i);
ipt_acc_tables[i].refcount--;
ian->ipt_acc_tables[i].refcount--;
pr_debug("ACCOUNT: Refcount left: %d\n",
ipt_acc_tables[i].refcount);
ian->ipt_acc_tables[i].refcount);
/* Table not needed anymore? */
if (ipt_acc_tables[i].refcount == 0) {
if (ian->ipt_acc_tables[i].refcount == 0) {
pr_debug("ACCOUNT: Destroying table at slot: %d\n", i);
ipt_acc_data_free(ipt_acc_tables[i].data,
ipt_acc_tables[i].depth);
memset(&ipt_acc_tables[i], 0,
ipt_acc_data_free(ian->ipt_acc_tables[i].data,
ian->ipt_acc_tables[i].depth);
memset(&ian->ipt_acc_tables[i], 0,
sizeof(struct ipt_acc_table));
}
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
return;
}
}
/* Table not found */
printk("ACCOUNT: Table %s not found for destroy\n", info->table_name);
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
}
static void ipt_acc_depth0_insert(struct ipt_acc_mask_24 *mask_24,
@@ -474,22 +479,34 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
}
}
static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action_param *par)
static unsigned int
ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
struct ipt_acc_net *ian = net_generic(par->state->net, ipt_acc_net_id);
#else
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
#else
struct net *net = dev_net(par->in ? par->in : par->out);
struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
#endif
#endif
struct ipt_acc_table *ipt_acc_tables = ian->ipt_acc_tables;
const struct ipt_acc_info *info =
par->targinfo;
__be32 src_ip = ip_hdr(*pskb)->saddr;
__be32 dst_ip = ip_hdr(*pskb)->daddr;
uint32_t size = ntohs(ip_hdr(*pskb)->tot_len);
__be32 src_ip = ip_hdr(skb)->saddr;
__be32 dst_ip = ip_hdr(skb)->daddr;
uint32_t size = ntohs(ip_hdr(skb)->tot_len);
spin_lock_bh(&ipt_acc_lock);
spin_lock_bh(&ian->ipt_acc_lock);
if (ipt_acc_tables[info->table_nr].name[0] == 0) {
printk("ACCOUNT: ipt_acc_target: Invalid table id %u. "
"IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
NIPQUAD(src_ip), NIPQUAD(dst_ip));
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
return XT_CONTINUE;
}
@@ -501,7 +518,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
ipt_acc_tables[info->table_nr].ip,
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
return XT_CONTINUE;
}
@@ -512,7 +529,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
ipt_acc_tables[info->table_nr].ip,
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
return XT_CONTINUE;
}
@@ -523,7 +540,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
ipt_acc_tables[info->table_nr].ip,
ipt_acc_tables[info->table_nr].netmask,
src_ip, dst_ip, size, &ipt_acc_tables[info->table_nr].itemcount);
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
return XT_CONTINUE;
}
@@ -531,13 +548,13 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
"Table id %u. IPs %u.%u.%u.%u/%u.%u.%u.%u\n",
info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
return XT_CONTINUE;
}
/*
Functions dealing with "handles":
Handles are snapshots of a accounting state.
Handles are snapshots of an accounting state.
read snapshots are only for debugging the code
and are very expensive concerning speed/memory
@@ -552,7 +569,7 @@ static unsigned int ipt_acc_target(struct sk_buff **pskb, const struct xt_action
but there could be two or more applications accessing the data
at the same time.
*/
static int ipt_acc_handle_find_slot(void)
static int ipt_acc_handle_find_slot(struct ipt_acc_handle *ipt_acc_handles)
{
unsigned int i;
/* Insert new table */
@@ -572,7 +589,8 @@ static int ipt_acc_handle_find_slot(void)
return -1;
}
static int ipt_acc_handle_free(unsigned int handle)
static int ipt_acc_handle_free(struct ipt_acc_handle *ipt_acc_handles,
unsigned int handle)
{
if (handle >= ACCOUNT_MAX_HANDLES) {
printk("ACCOUNT: Invalid handle for ipt_acc_handle_free() specified:"
@@ -588,7 +606,8 @@ static int ipt_acc_handle_free(unsigned int handle)
/* Prepare data for read without flush. Use only for debugging!
Real applications should use read&flush as it's way more efficent */
static int ipt_acc_handle_prepare_read(char *tablename,
static int ipt_acc_handle_prepare_read(struct ipt_acc_table *ipt_acc_tables,
char *tablename,
struct ipt_acc_handle *dest, uint32_t *count)
{
int table_nr = -1;
@@ -630,18 +649,18 @@ static int ipt_acc_handle_prepare_read(char *tablename,
unsigned int b;
for (b = 0; b <= 255; b++) {
if (src_16->mask_24[b]) {
if ((network_16->mask_24[b] =
ipt_acc_zalloc_page()) == NULL) {
printk("ACCOUNT: out of memory during copy of 16 bit "
"network in ipt_acc_handle_prepare_read()\n");
ipt_acc_data_free(dest->data, depth);
return -1;
}
memcpy(network_16->mask_24[b], src_16->mask_24[b],
sizeof(struct ipt_acc_mask_24));
if (src_16->mask_24[b] == NULL)
continue;
if ((network_16->mask_24[b] =
ipt_acc_zalloc_page()) == NULL) {
printk("ACCOUNT: out of memory during copy of 16 bit "
"network in ipt_acc_handle_prepare_read()\n");
ipt_acc_data_free(dest->data, depth);
return -1;
}
memcpy(network_16->mask_24[b], src_16->mask_24[b],
sizeof(struct ipt_acc_mask_24));
}
} else if (depth == 2) {
struct ipt_acc_mask_8 *src_8 =
@@ -651,35 +670,35 @@ static int ipt_acc_handle_prepare_read(char *tablename,
unsigned int a, b;
for (a = 0; a <= 255; a++) {
if (src_8->mask_16[a]) {
if ((network_8->mask_16[a] =
if (src_8->mask_16[a] == NULL)
continue;
if ((network_8->mask_16[a] =
ipt_acc_zalloc_page()) == NULL) {
printk("ACCOUNT: out of memory during copy of 24 bit network"
" in ipt_acc_handle_prepare_read()\n");
ipt_acc_data_free(dest->data, depth);
return -1;
}
memcpy(network_8->mask_16[a], src_8->mask_16[a],
sizeof(struct ipt_acc_mask_16));
src_16 = src_8->mask_16[a];
network_16 = network_8->mask_16[a];
for (b = 0; b <= 255; b++) {
if (src_16->mask_24[b] == NULL)
continue;
if ((network_16->mask_24[b] =
ipt_acc_zalloc_page()) == NULL) {
printk("ACCOUNT: out of memory during copy of 24 bit network"
" in ipt_acc_handle_prepare_read()\n");
printk("ACCOUNT: out of memory during copy of 16 bit"
" network in ipt_acc_handle_prepare_read()\n");
ipt_acc_data_free(dest->data, depth);
return -1;
}
memcpy(network_8->mask_16[a], src_8->mask_16[a],
sizeof(struct ipt_acc_mask_16));
src_16 = src_8->mask_16[a];
network_16 = network_8->mask_16[a];
for (b = 0; b <= 255; b++) {
if (src_16->mask_24[b]) {
if ((network_16->mask_24[b] =
ipt_acc_zalloc_page()) == NULL) {
printk("ACCOUNT: out of memory during copy of 16 bit"
" network in ipt_acc_handle_prepare_read()\n");
ipt_acc_data_free(dest->data, depth);
return -1;
}
memcpy(network_16->mask_24[b], src_16->mask_24[b],
sizeof(struct ipt_acc_mask_24));
}
}
memcpy(network_16->mask_24[b], src_16->mask_24[b],
sizeof(struct ipt_acc_mask_24));
}
}
}
@@ -690,7 +709,8 @@ static int ipt_acc_handle_prepare_read(char *tablename,
}
/* Prepare data for read and flush it */
static int ipt_acc_handle_prepare_read_flush(char *tablename,
static int ipt_acc_handle_prepare_read_flush(struct ipt_acc_table *ipt_acc_tables,
char *tablename,
struct ipt_acc_handle *dest, uint32_t *count)
{
int table_nr;
@@ -731,7 +751,8 @@ static int ipt_acc_handle_prepare_read_flush(char *tablename,
/* Copy 8 bit network data into a prepared buffer.
We only copy entries != 0 to increase performance.
*/
static int ipt_acc_handle_copy_data(void *to_user, unsigned long *to_user_pos,
static int ipt_acc_handle_copy_data(struct ipt_acc_net *ian,
void *to_user, unsigned long *to_user_pos,
unsigned long *tmpbuf_pos,
struct ipt_acc_mask_24 *data,
uint32_t net_ip, uint32_t net_OR_mask)
@@ -741,25 +762,26 @@ static int ipt_acc_handle_copy_data(void *to_user, unsigned long *to_user_pos,
unsigned int i;
for (i = 0; i <= 255; i++) {
if (data->ip[i].src_packets || data->ip[i].dst_packets) {
handle_ip.ip = net_ip | net_OR_mask | i;
if (data->ip[i].src_packets == 0 &&
data->ip[i].dst_packets == 0)
continue;
handle_ip.src_packets = data->ip[i].src_packets;
handle_ip.src_bytes = data->ip[i].src_bytes;
handle_ip.dst_packets = data->ip[i].dst_packets;
handle_ip.dst_bytes = data->ip[i].dst_bytes;
handle_ip.ip = net_ip | net_OR_mask | i;
handle_ip.src_packets = data->ip[i].src_packets;
handle_ip.src_bytes = data->ip[i].src_bytes;
handle_ip.dst_packets = data->ip[i].dst_packets;
handle_ip.dst_bytes = data->ip[i].dst_bytes;
/* Temporary buffer full? Flush to userspace */
if (*tmpbuf_pos + handle_ip_size >= PAGE_SIZE) {
if (copy_to_user(to_user + *to_user_pos, ipt_acc_tmpbuf,
*tmpbuf_pos))
return -EFAULT;
*to_user_pos = *to_user_pos + *tmpbuf_pos;
*tmpbuf_pos = 0;
}
memcpy(ipt_acc_tmpbuf + *tmpbuf_pos, &handle_ip, handle_ip_size);
*tmpbuf_pos += handle_ip_size;
/* Temporary buffer full? Flush to userspace */
if (*tmpbuf_pos + handle_ip_size >= PAGE_SIZE) {
if (copy_to_user(to_user + *to_user_pos, ian->ipt_acc_tmpbuf,
*tmpbuf_pos))
return -EFAULT;
*to_user_pos = *to_user_pos + *tmpbuf_pos;
*tmpbuf_pos = 0;
}
memcpy(ian->ipt_acc_tmpbuf + *tmpbuf_pos, &handle_ip, handle_ip_size);
*tmpbuf_pos += handle_ip_size;
}
return 0;
@@ -769,7 +791,8 @@ static int ipt_acc_handle_copy_data(void *to_user, unsigned long *to_user_pos,
We only copy entries != 0 to increase performance.
Overwrites ipt_acc_tmpbuf.
*/
static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
static int ipt_acc_handle_get_data(struct ipt_acc_net *ian,
uint32_t handle, void *to_user)
{
unsigned long to_user_pos = 0, tmpbuf_pos = 0;
uint32_t net_ip;
@@ -781,25 +804,25 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
return -1;
}
if (ipt_acc_handles[handle].data == NULL) {
if (ian->ipt_acc_handles[handle].data == NULL) {
printk("ACCOUNT: handle %u is BROKEN: Contains no data\n", handle);
return -1;
}
net_ip = ntohl(ipt_acc_handles[handle].ip);
depth = ipt_acc_handles[handle].depth;
net_ip = ntohl(ian->ipt_acc_handles[handle].ip);
depth = ian->ipt_acc_handles[handle].depth;
/* 8 bit network */
if (depth == 0) {
struct ipt_acc_mask_24 *network =
ipt_acc_handles[handle].data;
if (ipt_acc_handle_copy_data(to_user, &to_user_pos, &tmpbuf_pos,
ian->ipt_acc_handles[handle].data;
if (ipt_acc_handle_copy_data(ian, to_user, &to_user_pos, &tmpbuf_pos,
network, net_ip, 0))
return -1;
/* Flush remaining data to userspace */
if (tmpbuf_pos)
if (copy_to_user(to_user + to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
if (copy_to_user(to_user + to_user_pos, ian->ipt_acc_tmpbuf, tmpbuf_pos))
return -1;
return 0;
@@ -808,13 +831,13 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
/* 16 bit network */
if (depth == 1) {
struct ipt_acc_mask_16 *network_16 =
ipt_acc_handles[handle].data;
ian->ipt_acc_handles[handle].data;
unsigned int b;
for (b = 0; b <= 255; b++) {
if (network_16->mask_24[b]) {
struct ipt_acc_mask_24 *network =
network_16->mask_24[b];
if (ipt_acc_handle_copy_data(to_user, &to_user_pos,
if (ipt_acc_handle_copy_data(ian, to_user, &to_user_pos,
&tmpbuf_pos, network, net_ip, (b << 8)))
return -1;
}
@@ -822,7 +845,7 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
/* Flush remaining data to userspace */
if (tmpbuf_pos)
if (copy_to_user(to_user + to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
if (copy_to_user(to_user + to_user_pos, ian->ipt_acc_tmpbuf, tmpbuf_pos))
return -1;
return 0;
@@ -831,7 +854,7 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
/* 24 bit network */
if (depth == 2) {
struct ipt_acc_mask_8 *network_8 =
ipt_acc_handles[handle].data;
ian->ipt_acc_handles[handle].data;
unsigned int a, b;
for (a = 0; a <= 255; a++) {
if (network_8->mask_16[a]) {
@@ -841,7 +864,7 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
if (network_16->mask_24[b]) {
struct ipt_acc_mask_24 *network =
network_16->mask_24[b];
if (ipt_acc_handle_copy_data(to_user,
if (ipt_acc_handle_copy_data(ian, to_user,
&to_user_pos, &tmpbuf_pos,
network, net_ip, (a << 16) | (b << 8)))
return -1;
@@ -852,7 +875,7 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
/* Flush remaining data to userspace */
if (tmpbuf_pos)
if (copy_to_user(to_user + to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
if (copy_to_user(to_user + to_user_pos, ian->ipt_acc_tmpbuf, tmpbuf_pos))
return -1;
return 0;
@@ -864,6 +887,8 @@ static int ipt_acc_handle_get_data(uint32_t handle, void *to_user)
static int ipt_acc_set_ctl(struct sock *sk, int cmd,
void *user, unsigned int len)
{
struct net *net = sock_net(sk);
struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
struct ipt_acc_handle_sockopt handle;
int ret = -EINVAL;
@@ -885,16 +910,16 @@ static int ipt_acc_set_ctl(struct sock *sk, int cmd,
break;
}
down(&ipt_acc_userspace_mutex);
ret = ipt_acc_handle_free(handle.handle_nr);
up(&ipt_acc_userspace_mutex);
down(&ian->ipt_acc_userspace_mutex);
ret = ipt_acc_handle_free(ian->ipt_acc_handles, handle.handle_nr);
up(&ian->ipt_acc_userspace_mutex);
break;
case IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL: {
unsigned int i;
down(&ipt_acc_userspace_mutex);
down(&ian->ipt_acc_userspace_mutex);
for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
ipt_acc_handle_free(i);
up(&ipt_acc_userspace_mutex);
ipt_acc_handle_free(ian->ipt_acc_handles, i);
up(&ian->ipt_acc_userspace_mutex);
ret = 0;
break;
}
@@ -907,6 +932,8 @@ static int ipt_acc_set_ctl(struct sock *sk, int cmd,
static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
{
struct net *net = sock_net(sk);
struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
struct ipt_acc_handle_sockopt handle;
int ret = -EINVAL;
@@ -931,28 +958,28 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
break;
}
spin_lock_bh(&ipt_acc_lock);
spin_lock_bh(&ian->ipt_acc_lock);
if (cmd == IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH)
ret = ipt_acc_handle_prepare_read_flush(
handle.name, &dest, &handle.itemcount);
ian->ipt_acc_tables, handle.name, &dest, &handle.itemcount);
else
ret = ipt_acc_handle_prepare_read(
handle.name, &dest, &handle.itemcount);
spin_unlock_bh(&ipt_acc_lock);
ian->ipt_acc_tables, handle.name, &dest, &handle.itemcount);
spin_unlock_bh(&ian->ipt_acc_lock);
// Error occured during prepare_read?
if (ret == -1)
return -EINVAL;
/* Allocate a userspace handle */
down(&ipt_acc_userspace_mutex);
if ((handle.handle_nr = ipt_acc_handle_find_slot()) == -1) {
down(&ian->ipt_acc_userspace_mutex);
if ((handle.handle_nr = ipt_acc_handle_find_slot(ian->ipt_acc_handles)) == -1) {
ipt_acc_data_free(dest.data, dest.depth);
up(&ipt_acc_userspace_mutex);
up(&ian->ipt_acc_userspace_mutex);
return -EINVAL;
}
memcpy(&ipt_acc_handles[handle.handle_nr], &dest,
memcpy(&ian->ipt_acc_handles[handle.handle_nr], &dest,
sizeof(struct ipt_acc_handle));
up(&ipt_acc_userspace_mutex);
up(&ian->ipt_acc_userspace_mutex);
if (copy_to_user(user, &handle,
sizeof(struct ipt_acc_handle_sockopt))) {
@@ -981,19 +1008,19 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
break;
}
if (*len < ipt_acc_handles[handle.handle_nr].itemcount
if (*len < ian->ipt_acc_handles[handle.handle_nr].itemcount
* sizeof(struct ipt_acc_handle_ip)) {
printk("ACCOUNT: ipt_acc_get_ctl: not enough space (%u < %zu)"
" to store data from IPT_SO_GET_ACCOUNT_GET_DATA\n",
*len, ipt_acc_handles[handle.handle_nr].itemcount
*len, ian->ipt_acc_handles[handle.handle_nr].itemcount
* sizeof(struct ipt_acc_handle_ip));
ret = -ENOMEM;
break;
}
down(&ipt_acc_userspace_mutex);
ret = ipt_acc_handle_get_data(handle.handle_nr, user);
up(&ipt_acc_userspace_mutex);
down(&ian->ipt_acc_userspace_mutex);
ret = ipt_acc_handle_get_data(ian, handle.handle_nr, user);
up(&ian->ipt_acc_userspace_mutex);
if (ret) {
printk("ACCOUNT: ipt_acc_get_ctl: ipt_acc_handle_get_data"
" failed for handle %u\n", handle.handle_nr);
@@ -1013,11 +1040,11 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
/* Find out how many handles are in use */
handle.itemcount = 0;
down(&ipt_acc_userspace_mutex);
down(&ian->ipt_acc_userspace_mutex);
for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
if (ipt_acc_handles[i].data)
if (ian->ipt_acc_handles[i].data)
handle.itemcount++;
up(&ipt_acc_userspace_mutex);
up(&ian->ipt_acc_userspace_mutex);
if (copy_to_user(user, &handle,
sizeof(struct ipt_acc_handle_sockopt))) {
@@ -1031,38 +1058,38 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
uint32_t size = 0, i, name_len;
char *tnames;
spin_lock_bh(&ipt_acc_lock);
spin_lock_bh(&ian->ipt_acc_lock);
/* Determine size of table names */
for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
if (ipt_acc_tables[i].name[0] != 0)
size += strlen(ipt_acc_tables[i].name) + 1;
if (ian->ipt_acc_tables[i].name[0] != 0)
size += strlen(ian->ipt_acc_tables[i].name) + 1;
}
size += 1; /* Terminating NULL character */
if (*len < size || size > PAGE_SIZE) {
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
printk("ACCOUNT: ipt_acc_get_ctl: not enough space (%u < %u < %lu)"
" to store table names\n", *len, size, PAGE_SIZE);
ret = -ENOMEM;
break;
}
/* Copy table names to userspace */
tnames = ipt_acc_tmpbuf;
tnames = ian->ipt_acc_tmpbuf;
for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
if (ipt_acc_tables[i].name[0] != 0) {
name_len = strlen(ipt_acc_tables[i].name) + 1;
memcpy(tnames, ipt_acc_tables[i].name, name_len);
if (ian->ipt_acc_tables[i].name[0] != 0) {
name_len = strlen(ian->ipt_acc_tables[i].name) + 1;
memcpy(tnames, ian->ipt_acc_tables[i].name, name_len);
tnames += name_len;
}
}
spin_unlock_bh(&ipt_acc_lock);
spin_unlock_bh(&ian->ipt_acc_lock);
/* Terminating NULL character */
*tnames = 0;
/* Transfer to userspace */
if (copy_to_user(user, ipt_acc_tmpbuf, size))
if (copy_to_user(user, ian->ipt_acc_tmpbuf, size))
return -EFAULT;
ret = 0;
@@ -1075,6 +1102,59 @@ static int ipt_acc_get_ctl(struct sock *sk, int cmd, void *user, int *len)
return ret;
}
static int __net_init ipt_acc_net_init(struct net *net)
{
struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
memset(ian, 0, sizeof(*ian));
sema_init(&ian->ipt_acc_userspace_mutex, 1);
ian->ipt_acc_tables = kcalloc(ACCOUNT_MAX_TABLES,
sizeof(struct ipt_acc_table), GFP_KERNEL);
if (ian->ipt_acc_tables == NULL) {
printk("ACCOUNT: Out of memory allocating account_tables structure");
goto error_cleanup;
}
ian->ipt_acc_handles = kcalloc(ACCOUNT_MAX_HANDLES,
sizeof(struct ipt_acc_handle), GFP_KERNEL);
if (ian->ipt_acc_handles == NULL) {
printk("ACCOUNT: Out of memory allocating account_handles structure");
goto error_cleanup;
}
/* Allocate one page as temporary storage */
ian->ipt_acc_tmpbuf = (void *)__get_free_pages(GFP_KERNEL, 2);
if (ian->ipt_acc_tmpbuf == NULL) {
printk("ACCOUNT: Out of memory for temporary buffer page\n");
goto error_cleanup;
}
return 0;
error_cleanup:
kfree(ian->ipt_acc_tables);
kfree(ian->ipt_acc_handles);
free_pages((unsigned long)ian->ipt_acc_tmpbuf, 2);
return -ENOMEM;
}
static void __net_exit ipt_acc_net_exit(struct net *net)
{
struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
kfree(ian->ipt_acc_tables);
kfree(ian->ipt_acc_handles);
free_pages((unsigned long)ian->ipt_acc_tmpbuf, 2);
}
static struct pernet_operations ipt_acc_net_ops = {
.init = ipt_acc_net_init,
.exit = ipt_acc_net_exit,
.id = &ipt_acc_net_id,
.size = sizeof(struct ipt_acc_net),
};
static struct xt_target xt_acc_reg __read_mostly = {
.name = "ACCOUNT",
.revision = 1,
@@ -1098,63 +1178,41 @@ static struct nf_sockopt_ops ipt_acc_sockopts = {
static int __init account_tg_init(void)
{
sema_init(&ipt_acc_userspace_mutex, 1);
int ret;
if ((ipt_acc_tables =
kmalloc(ACCOUNT_MAX_TABLES *
sizeof(struct ipt_acc_table), GFP_KERNEL)) == NULL) {
printk("ACCOUNT: Out of memory allocating account_tables structure");
goto error_cleanup;
}
memset(ipt_acc_tables, 0,
ACCOUNT_MAX_TABLES * sizeof(struct ipt_acc_table));
if ((ipt_acc_handles =
kmalloc(ACCOUNT_MAX_HANDLES *
sizeof(struct ipt_acc_handle), GFP_KERNEL)) == NULL) {
printk("ACCOUNT: Out of memory allocating account_handles structure");
goto error_cleanup;
}
memset(ipt_acc_handles, 0,
ACCOUNT_MAX_HANDLES * sizeof(struct ipt_acc_handle));
/* Allocate one page as temporary storage */
if ((ipt_acc_tmpbuf = (void*)__get_free_page(GFP_KERNEL)) == NULL) {
printk("ACCOUNT: Out of memory for temporary buffer page\n");
goto error_cleanup;
ret = register_pernet_subsys(&ipt_acc_net_ops);
if (ret < 0) {
pr_err("ACCOUNT: cannot register per net operations.\n");
goto error_out;
}
/* Register setsockopt */
if (nf_register_sockopt(&ipt_acc_sockopts) < 0) {
printk("ACCOUNT: Can't register sockopts. Aborting\n");
goto error_cleanup;
ret = nf_register_sockopt(&ipt_acc_sockopts);
if (ret < 0) {
pr_err("ACCOUNT: cannot register sockopts.\n");
goto unreg_pernet;
}
if (xt_register_target(&xt_acc_reg))
goto error_cleanup;
ret = xt_register_target(&xt_acc_reg);
if (ret < 0) {
pr_err("ACCOUNT: cannot register sockopts.\n");
goto unreg_sockopt;
}
return 0;
error_cleanup:
if (ipt_acc_tables)
kfree(ipt_acc_tables);
if (ipt_acc_handles)
kfree(ipt_acc_handles);
if (ipt_acc_tmpbuf)
free_page((unsigned long)ipt_acc_tmpbuf);
return -EINVAL;
unreg_sockopt:
nf_unregister_sockopt(&ipt_acc_sockopts);
unreg_pernet:
unregister_pernet_subsys(&ipt_acc_net_ops);
error_out:
return ret;
}
static void __exit account_tg_exit(void)
{
xt_unregister_target(&xt_acc_reg);
nf_unregister_sockopt(&ipt_acc_sockopts);
kfree(ipt_acc_tables);
kfree(ipt_acc_handles);
free_page((unsigned long)ipt_acc_tmpbuf);
unregister_pernet_subsys(&ipt_acc_net_ops);
}
module_init(account_tg_init);

10
extensions/ACCOUNT/xt_ACCOUNT.h
View File

@@ -59,11 +59,11 @@ struct ipt_acc_handle_sockopt {
Used for every IP when returning data
*/
struct ipt_acc_handle_ip {
__be32 ip;
uint32_t src_packets;
uint32_t src_bytes;
uint32_t dst_packets;
uint32_t dst_bytes;
__be32 ip, __dummy;
uint64_t src_packets;
uint64_t src_bytes;
uint64_t dst_packets;
uint64_t dst_bytes;
};
#endif /* _IPT_ACCOUNT_H */

7
extensions/Kbuild
View File

@@ -10,17 +10,10 @@ obj-${build_CHAOS} += xt_CHAOS.o
obj-${build_DELUDE} += xt_DELUDE.o
obj-${build_DHCPMAC} += xt_DHCPMAC.o
obj-${build_DNETMAP} += xt_DNETMAP.o
ifeq (${VERSION},3)
obj-${build_ECHO} += xt_ECHO.o
endif
obj-${build_IPMARK} += xt_IPMARK.o
obj-${build_LOGMARK} += xt_LOGMARK.o
obj-${build_RAWNAT} += xt_RAWNAT.o iptable_rawpost.o
ifneq (${CONFIG_IP6_NF_IPTABLES},)
obj-${build_RAWNAT} += ip6table_rawpost.o
endif
obj-${build_SYSRQ} += xt_SYSRQ.o
obj-${build_STEAL} += xt_STEAL.o
obj-${build_TARPIT} += xt_TARPIT.o
obj-${build_condition} += xt_condition.o
obj-${build_fuzzy} += xt_fuzzy.o

2
extensions/Mbuild
View File

@@ -8,8 +8,6 @@ obj-${build_DNETMAP} += libxt_DNETMAP.so
obj-${build_ECHO} += libxt_ECHO.so
obj-${build_IPMARK} += libxt_IPMARK.so
obj-${build_LOGMARK} += libxt_LOGMARK.so
obj-${build_RAWNAT} += libxt_RAWDNAT.so libxt_RAWSNAT.so
obj-${build_STEAL} += libxt_STEAL.so
obj-${build_SYSRQ} += libxt_SYSRQ.so
obj-${build_TARPIT} += libxt_TARPIT.so
obj-${build_condition} += libxt_condition.so

14
extensions/compat_nfinetaddr.h
View File

@@ -1,14 +0,0 @@
#ifndef _COMPAT_NFINETADDR_H
#define _COMPAT_NFINETADDR_H 1
#include <linux/in.h>
#include <linux/in6.h>
union nf_inet_addr {
__be32 ip;
__be32 ip6[4];
struct in_addr in;
struct in6_addr in6;
};
#endif /* _COMPAT_NFINETADDR_H */

6
extensions/compat_rawpost.h
View File

@@ -1,6 +0,0 @@
#ifndef XTA_COMPAT_RAWPOST_H
#define XTA_COMPAT_RAWPOST_H 1
typedef struct sk_buff sk_buff_t;
#endif /* XTA_COMPAT_RAWPOST_H */

112
extensions/compat_xtables.c
View File

@@ -28,118 +28,6 @@
# define WITH_IPV6 1
#endif
static unsigned int
xtnu_target_run(struct sk_buff *skb, const struct xt_action_param *par)
{
struct xtnu_target *nt = xtcompat_nutarget(par->target);
return nt->target(&skb, par);
}
int xtnu_register_target(struct xtnu_target *nt)
{
struct xt_target *ct;
char *tmp;
int ret;
ct = kzalloc(sizeof(struct xt_target), GFP_KERNEL);
if (ct == NULL)
return -ENOMEM;
tmp = (char *)ct->name;
memcpy(tmp, nt->name, sizeof(nt->name));
tmp = (char *)(ct->name + sizeof(ct->name) - sizeof(void *));
*(tmp-1) = '\0';
memcpy(tmp, &nt, sizeof(void *));
ct->revision = nt->revision;
ct->family = nt->family;
ct->table = (char *)nt->table;
ct->hooks = nt->hooks;
ct->proto = nt->proto;
ct->target = xtnu_target_run;
ct->checkentry = nt->checkentry;
ct->destroy = nt->destroy;
ct->targetsize = nt->targetsize;
ct->me = nt->me;
nt->__compat_target = ct;
ret = xt_register_target(ct);
if (ret != 0)
kfree(ct);
return ret;
}
EXPORT_SYMBOL_GPL(xtnu_register_target);
int xtnu_register_targets(struct xtnu_target *nt, unsigned int num)
{
unsigned int i;
int ret;
for (i = 0; i < num; ++i) {
ret = xtnu_register_target(&nt[i]);
if (ret < 0) {
if (i > 0)
xtnu_unregister_targets(nt, i);
return ret;
}
}
return 0;
}
EXPORT_SYMBOL_GPL(xtnu_register_targets);
void xtnu_unregister_target(struct xtnu_target *nt)
{
xt_unregister_target(nt->__compat_target);
kfree(nt->__compat_target);
}
EXPORT_SYMBOL_GPL(xtnu_unregister_target);
void xtnu_unregister_targets(struct xtnu_target *nt, unsigned int num)
{
unsigned int i;
for (i = 0; i < num; ++i)
xtnu_unregister_target(&nt[i]);
}
EXPORT_SYMBOL_GPL(xtnu_unregister_targets);
struct xt_match *xtnu_request_find_match(unsigned int af, const char *name,
uint8_t revision)
{
static const char *const xt_prefix[] = {
[AF_UNSPEC] = "x",
[AF_INET] = "ip",
[AF_INET6] = "ip6",
#ifdef AF_ARP
[AF_ARP] = "arp",
#elif defined(NF_ARP) && NF_ARP != AF_UNSPEC
[NF_ARP] = "arp",
#endif
};
struct xt_match *match;
match = try_then_request_module(xt_find_match(af, name, revision),
"%st_%s", xt_prefix[af], name);
if (IS_ERR(match) || match == NULL)
return NULL;
return match;
}
EXPORT_SYMBOL_GPL(xtnu_request_find_match);
int xtnu_ip_route_me_harder(struct sk_buff **pskb, unsigned int addr_type)
{
return ip_route_me_harder(*pskb, addr_type);
}
EXPORT_SYMBOL_GPL(xtnu_ip_route_me_harder);
int xtnu_skb_make_writable(struct sk_buff **pskb, unsigned int len)
{
return skb_make_writable(*pskb, len);
}
EXPORT_SYMBOL_GPL(xtnu_skb_make_writable);
void *HX_memmem(const void *space, size_t spacesize,
const void *point, size_t pointsize)
{

41
extensions/compat_xtables.h
View File

@@ -12,6 +12,10 @@
# warning Kernels below 3.7 not supported.
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
# define prandom_u32() random32()
#endif
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
# if !defined(CONFIG_NF_CONNTRACK_MARK)
# warning You have CONFIG_NF_CONNTRACK enabled, but CONFIG_NF_CONNTRACK_MARK is not (please enable).
@@ -21,9 +25,6 @@
# warning You need CONFIG_NF_CONNTRACK.
#endif
#define ipt_unregister_table(tbl) ipt_unregister_table(&init_net, (tbl))
#define ip6t_unregister_table(tbl) ip6t_unregister_table(&init_net, (tbl))
#if !defined(NIP6) && !defined(NIP6_FMT)
# define NIP6(addr) \
ntohs((addr).s6_addr16[0]), \
@@ -45,16 +46,6 @@
# define NIPQUAD_FMT "%u.%u.%u.%u"
#endif
#define ip_route_me_harder xtnu_ip_route_me_harder
#define skb_make_writable xtnu_skb_make_writable
#define xt_target xtnu_target
#define xt_register_target xtnu_register_target
#define xt_unregister_target xtnu_unregister_target
#define xt_register_targets xtnu_register_targets
#define xt_unregister_targets xtnu_unregister_targets
#define xt_request_find_match xtnu_request_find_match
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0)
static inline struct inode *file_inode(struct file *f)
{
@@ -63,8 +54,8 @@ static inline struct inode *file_inode(struct file *f)
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0)
static inline void
proc_set_user(struct proc_dir_entry *de, kuid_t uid, kgid_t gid)
static inline void proc_set_user(struct proc_dir_entry *de,
typeof(de->uid) uid, typeof(de->gid) gid)
{
de->uid = uid;
de->gid = gid;
@@ -82,4 +73,24 @@ static inline void proc_remove(struct proc_dir_entry *de)
}
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 0)
# define ip6_local_out(xnet, xsk, xskb) ip6_local_out(xskb)
# define ip6_route_me_harder(xnet, xskb) ip6_route_me_harder(xskb)
# define ip_local_out(xnet, xsk, xskb) ip_local_out(xskb)
# define ip_route_me_harder(xnet, xskb, xaddrtype) ip_route_me_harder((xskb), (xaddrtype))
#endif
static inline struct net *par_net(const struct xt_action_param *par)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
return par->state->net;
#else
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
return par->net;
#else
return dev_net((par->in != NULL) ? par->in : par->out);
#endif
#endif
}
#endif /* _XTABLES_COMPAT_H */

17
extensions/compat_xtnu.h
View File

@@ -1,14 +1,9 @@
#ifndef _COMPAT_XTNU_H
#define _COMPAT_XTNU_H 1
#include <linux/list.h>
#include <linux/netfilter/x_tables.h>
#include <linux/spinlock.h>
struct flowi;
struct module;
struct net_device;
struct rtable;
struct sk_buff;
struct xtnu_match {
@@ -58,11 +53,7 @@ static inline struct xtnu_target *xtcompat_nutarget(const struct xt_target *t)
return q;
}
extern int xtnu_ip_local_out(struct sk_buff *);
extern int xtnu_ip_route_me_harder(struct sk_buff **, unsigned int);
extern int xtnu_skb_make_writable(struct sk_buff **, unsigned int);
extern int xtnu_register_match(struct xtnu_match *);
extern int xtnu_ip_route_output_key(void *, struct rtable **, struct flowi *);
extern void xtnu_unregister_match(struct xtnu_match *);
extern int xtnu_register_matches(struct xtnu_match *, unsigned int);
extern void xtnu_unregister_matches(struct xtnu_match *, unsigned int);
@@ -70,14 +61,6 @@ extern int xtnu_register_target(struct xtnu_target *);
extern void xtnu_unregister_target(struct xtnu_target *);
extern int xtnu_register_targets(struct xtnu_target *, unsigned int);
extern void xtnu_unregister_targets(struct xtnu_target *, unsigned int);
extern struct xt_match *xtnu_request_find_match(unsigned int,
const char *, uint8_t);
extern void xtnu_proto_csum_replace4(__u16 __bitwise *, struct sk_buff *,
__be32, __be32, bool);
extern int xtnu_ipv6_skip_exthdr(const struct sk_buff *, int,
uint8_t *, __be16 *);
extern int xtnu_ipv6_find_hdr(const struct sk_buff *, unsigned int *,
int, unsigned short *, int *);
extern void *HX_memmem(const void *, size_t, const void *, size_t);

93
extensions/ip6table_rawpost.c
View File

@@ -1,93 +0,0 @@
/*
* rawpost table for ip6_tables
* written by Jan Engelhardt, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include "compat_xtables.h"
#include "compat_rawpost.h"
enum {
RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
};
static struct {
struct ip6t_replace repl;
struct ip6t_standard entries[1];
struct ip6t_error term;
} rawpost6_initial __initdata = {
.repl = {
.name = "rawpost",
.valid_hooks = RAWPOST_VALID_HOOKS,
.num_entries = 2,
.size = sizeof(struct ip6t_standard) +
sizeof(struct ip6t_error),
.hook_entry = {
[NF_INET_POST_ROUTING] = 0,
},
.underflow = {
[NF_INET_POST_ROUTING] = 0,
},
},
.entries = {
IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IP6T_ERROR_INIT, /* ERROR */
};
static struct xt_table *rawpost6_ptable;
static struct xt_table rawpost6_itable = {
.name = "rawpost",
.af = NFPROTO_IPV6,
.valid_hooks = RAWPOST_VALID_HOOKS,
.me = THIS_MODULE,
};
static unsigned int rawpost6_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
return ip6t_do_table(skb, hook, in, out, rawpost6_ptable);
}
static struct nf_hook_ops rawpost6_hook_ops __read_mostly = {
.hook = rawpost6_hook_fn,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_LAST,
.owner = THIS_MODULE,
};
static int __init rawpost6_table_init(void)
{
int ret;
rawpost6_ptable = ip6t_register_table(&init_net, &rawpost6_itable,
&rawpost6_initial.repl);
if (IS_ERR(rawpost6_ptable))
return PTR_ERR(rawpost6_ptable);
ret = nf_register_hook(&rawpost6_hook_ops);
if (ret < 0)
goto out;
return ret;
out:
ip6t_unregister_table(rawpost6_ptable);
return ret;
}
static void __exit rawpost6_table_exit(void)
{
nf_unregister_hook(&rawpost6_hook_ops);
ip6t_unregister_table(rawpost6_ptable);
}
module_init(rawpost6_table_init);
module_exit(rawpost6_table_exit);
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");

95
extensions/iptable_rawpost.c
View File

@@ -1,95 +0,0 @@
/*
* rawpost table for ip_tables
* written by Jan Engelhardt, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/version.h>
#include <net/ip.h>
#include "compat_xtables.h"
#include "compat_rawpost.h"
enum {
RAWPOST_VALID_HOOKS = 1 << NF_INET_POST_ROUTING,
};
static struct {
struct ipt_replace repl;
struct ipt_standard entries[1];
struct ipt_error term;
} rawpost4_initial __initdata = {
.repl = {
.name = "rawpost",
.valid_hooks = RAWPOST_VALID_HOOKS,
.num_entries = 2,
.size = sizeof(struct ipt_standard) +
sizeof(struct ipt_error),
.hook_entry = {
[NF_INET_POST_ROUTING] = 0,
},
.underflow = {
[NF_INET_POST_ROUTING] = 0,
},
},
.entries = {
IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IPT_ERROR_INIT, /* ERROR */
};
static struct xt_table *rawpost4_ptable;
static struct xt_table rawpost4_itable = {
.name = "rawpost",
.af = NFPROTO_IPV4,
.valid_hooks = RAWPOST_VALID_HOOKS,
.me = THIS_MODULE,
};
static unsigned int rawpost4_hook_fn(unsigned int hook, sk_buff_t *skb,
const struct net_device *in, const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
return ipt_do_table(skb, hook, in, out, rawpost4_ptable);
}
static struct nf_hook_ops rawpost4_hook_ops __read_mostly = {
.hook = rawpost4_hook_fn,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_LAST,
.owner = THIS_MODULE,
};
static int __init rawpost4_table_init(void)
{
int ret;
rawpost4_ptable = ipt_register_table(&init_net, &rawpost4_itable,
&rawpost4_initial.repl);
if (IS_ERR(rawpost4_ptable))
return PTR_ERR(rawpost4_ptable);
ret = nf_register_hook(&rawpost4_hook_ops);
if (ret < 0)
goto out;
return ret;
out:
ipt_unregister_table(rawpost4_ptable);
return ret;
}
static void __exit rawpost4_table_exit(void)
{
nf_unregister_hook(&rawpost4_hook_ops);
ipt_unregister_table(rawpost4_ptable);
}
module_init(rawpost4_table_init);
module_exit(rawpost4_table_exit);
MODULE_DESCRIPTION("Xtables: rawpost table for use with RAWNAT");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");

177
extensions/libxt_RAWDNAT.c
View File

@@ -1,177 +0,0 @@
/*
* "RAWNAT" target extension for iptables
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <netinet/in.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
#include "compat_user.h"
enum {
FLAGS_TO = 1 << 0,
};
static const struct option rawdnat_tg_opts[] = {
{.name = "to-destination", .has_arg = true, .val = 't'},
{},
};
static void rawdnat_tg_help(void)
{
printf(
"RAWDNAT target options:\n"
" --to-destination addr[/mask] Address or network to map to\n"
);
}
static int
rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 32;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ipaddr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
memcpy(&info->addr.in, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static int
rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in6_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 128;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 128))
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ip6addr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWDNAT",
"--to-destination", optarg);
memcpy(&info->addr.in6, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static void rawdnat_tg_check(unsigned int flags)
{
if (!(flags & FLAGS_TO))
xtables_error(PARAMETER_PROBLEM, "RAWDNAT: "
"\"--to-destination\" is required.");
}
static void
rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf(" --to-destination %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in),
info->mask);
}
static void
rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
printf(" -j RAWDNAT");
rawdnat_tg4_save(entry, target);
}
static void
rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf(" --to-destination %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6),
info->mask);
}
static void
rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
printf(" -j RAWDNAT");
rawdnat_tg6_save(entry, target);
}
static struct xtables_target rawdnat_tg_reg[] = {
{
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,
.parse = rawdnat_tg4_parse,
.final_check = rawdnat_tg_check,
.print = rawdnat_tg4_print,
.save = rawdnat_tg4_save,
.extra_opts = rawdnat_tg_opts,
},
{
.version = XTABLES_VERSION,
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawdnat_tg_help,
.parse = rawdnat_tg6_parse,
.final_check = rawdnat_tg_check,
.print = rawdnat_tg6_print,
.save = rawdnat_tg6_save,
.extra_opts = rawdnat_tg_opts,
},
};
static void _init(void)
{
xtables_register_targets(rawdnat_tg_reg,
sizeof(rawdnat_tg_reg) / sizeof(*rawdnat_tg_reg));
}

11
extensions/libxt_RAWDNAT.man
View File

@@ -1,11 +0,0 @@
.PP
The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
much like the \fBNETMAP\fR target.
.TP
\fB\-\-to\-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All "one" bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
original address.
.PP
See the \fBRAWSNAT\fR help entry for examples and constraints.

177
extensions/libxt_RAWSNAT.c
View File

@@ -1,177 +0,0 @@
/*
* "RAWNAT" target extension for iptables
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <netinet/in.h>
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <xtables.h>
#include <linux/netfilter.h>
#include "xt_RAWNAT.h"
#include "compat_user.h"
enum {
FLAGS_TO = 1 << 0,
};
static const struct option rawsnat_tg_opts[] = {
{.name = "to-source", .has_arg = true, .val = 't'},
{},
};
static void rawsnat_tg_help(void)
{
printf(
"RAWSNAT target options:\n"
" --to-source addr[/mask] Address or network to map to\n"
);
}
static int
rawsnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 32;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 32))
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ipaddr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
memcpy(&info->addr.in, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static int
rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
struct xt_rawnat_tginfo *info = (void *)(*target)->data;
struct in6_addr *a;
unsigned int mask;
char *end;
switch (c) {
case 't':
info->mask = 128;
end = strchr(optarg, '/');
if (end != NULL) {
*end++ = '\0';
if (!xtables_strtoui(end, NULL, &mask, 0, 128))
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
info->mask = mask;
}
a = xtables_numeric_to_ip6addr(optarg);
if (a == NULL)
xtables_param_act(XTF_BAD_VALUE, "RAWSNAT",
"--to-source", optarg);
memcpy(&info->addr.in6, a, sizeof(*a));
*flags |= FLAGS_TO;
return true;
}
return false;
}
static void rawsnat_tg_check(unsigned int flags)
{
if (!(flags & FLAGS_TO))
xtables_error(PARAMETER_PROBLEM, "RAWSNAT: "
"\"--to-source\" is required.");
}
static void
rawsnat_tg4_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf(" --to-source %s/%u ",
xtables_ipaddr_to_numeric(&info->addr.in),
info->mask);
}
static void
rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
{
const struct xt_rawnat_tginfo *info = (const void *)target->data;
printf(" --to-source %s/%u ",
xtables_ip6addr_to_numeric(&info->addr.in6),
info->mask);
}
static void
rawsnat_tg4_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
printf(" -j RAWSNAT");
rawsnat_tg4_save(entry, target);
}
static void
rawsnat_tg6_print(const void *entry, const struct xt_entry_target *target,
int numeric)
{
printf(" -j RAWSNAT");
rawsnat_tg6_save(entry, target);
}
static struct xtables_target rawsnat_tg_reg[] = {
{
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,
.parse = rawsnat_tg4_parse,
.final_check = rawsnat_tg_check,
.print = rawsnat_tg4_print,
.save = rawsnat_tg4_save,
.extra_opts = rawsnat_tg_opts,
},
{
.version = XTABLES_VERSION,
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
.help = rawsnat_tg_help,
.parse = rawsnat_tg6_parse,
.final_check = rawsnat_tg_check,
.print = rawsnat_tg6_print,
.save = rawsnat_tg6_save,
.extra_opts = rawsnat_tg_opts,
},
};
static void _init(void)
{
xtables_register_targets(rawsnat_tg_reg,
sizeof(rawsnat_tg_reg) / sizeof(*rawsnat_tg_reg));
}

39
extensions/libxt_RAWSNAT.man
View File

@@ -1,39 +0,0 @@
.PP
The \fBRAWSNAT\fR and \fBRAWDNAT\fP targets provide stateless network address
translation.
.PP
The \fBRAWSNAT\fR target will rewrite the source address in the IP header, much
like the \fBNETMAP\fP target. \fBRAWSNAT\fP (and \fBRAWDNAT\fP) may only be
used in the \fBraw\fP or \fBrawpost\fP tables, but can be used in all chains,
which makes it possible to change the source address either when the packet
enters the machine or when it leaves it. The reason for this table constraint
is that RAWNAT must happen outside of connection tracking.
.TP
\fB\-\-to\-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
Network address to map to. The resulting address will be constructed the
following way: All "one" bits in the \fImask\fR are filled in from the new
\fIaddress\fR. All bits that are zero in the mask are filled in from the
original address.
.PP
As an example, changing the destination for packets forwarded from an internal
LAN to the internet:
.IP
\-t raw \-A PREROUTING \-i lan0 \-d 212.201.100.135 \-j RAWDNAT \-\-to\-destination 199.181.132.250;
\-t rawpost \-A POSTROUTING \-o lan0 \-s 199.181.132.250 \-j RAWSNAT \-\-to\-source 212.201.100.135;
.PP
Note that changing addresses may influence the route selection! Specifically,
it statically NATs packets, not connections, like the normal DNAT/SNAT targets
would do. Also note that it can transform already-NATed connections \(em as
said, it is completely external to Netfilter's connection tracking/NAT.
.PP
If the machine itself generates packets that are to be rawnat-ed, you need a
rule in the OUTPUT chain instead, just like you would with the stateful NAT
targets.
.PP
It may be necessary that in doing so, you also need an extra RAWSNAT rule, to
override the automatic source address selection that the routing code does
before passing packets to iptables. If the connecting socket has not been
explicitly bound to an address, as is the common mode of operation, the address
that will be chosen is the primary address of the device through which the
packet would be routed with its initial destination address - the address as
seen before any RAWNAT takes place.

32
extensions/libxt_STEAL.c
View File

@@ -1,32 +0,0 @@
#include <stdio.h>
#include <xtables.h>
#include "compat_user.h"
static void steal_tg_help(void)
{
printf("STEAL takes no options\n\n");
}
static int steal_tg_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_target **target)
{
return 0;
}
static void steal_tg_check(unsigned int flags)
{
}
static struct xtables_target steal_tg_reg = {
.version = XTABLES_VERSION,
.name = "STEAL",
.family = NFPROTO_UNSPEC,
.help = steal_tg_help,
.parse = steal_tg_parse,
.final_check = steal_tg_check,
};
static void _init(void)
{
xtables_register_target(&steal_tg_reg);
}

3
extensions/libxt_STEAL.man
View File

@@ -1,3 +0,0 @@
.PP
Like the DROP target, but does not throw an error like DROP when used in the
\fBOUTPUT\fP chain.

17
extensions/pknock/gen_hmac.py Normal file
View File

@@ -0,0 +1,17 @@
from Crypto.Hash import SHA256
from Crypto.Hash import MD5
import sys
import hmac
import struct
import socket
from time import time
def gen_hmac(secret, ip):
epoch_mins = (long)(time()/60)
s = hmac.HMAC(secret, digestmod = SHA256)
s.update(socket.inet_aton(socket.gethostbyname(ip)))
s.update(struct.pack("i", epoch_mins)) # "i" is for integer
print s.hexdigest()
if __name__ == '__main__':
gen_hmac(sys.argv[1], sys.argv[2])

6
extensions/pknock/knock.sh Executable file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
if [ "$#" -ne 4 ]; then
echo "usage: $0 <IP src> <IP dst> <PORT dst> <secret>"
exit 1
fi
python gen_hmac.py "$4" "$1" | socat - "udp-sendto:$2:$3,bind=$1"

2
extensions/pknock/libxt_pknock.man
View File

@@ -62,8 +62,6 @@ Specifying \fB--autoclose 0\fP means that no automatic close will be performed a
xt_pknock is capable of sending information about successful matches
via a netlink socket to userspace, should you need to implement your own
way of receiving and handling portknock notifications.
Be sure to read the documentation in the doc/pknock/ directory,
or visit the original site \(em http://portknocko.berlios.de/ .
.PP
\fBTCP mode\fP:
.PP

36
extensions/pknock/xt_pknock.c
View File

@@ -19,16 +19,14 @@
#include <linux/spinlock.h>
#include <linux/jhash.h>
#include <linux/random.h>
#include <linux/crypto.h>
#include <linux/proc_fs.h>
#include <linux/scatterlist.h>
#include <linux/spinlock.h>
#include <linux/jiffies.h>
#include <linux/timer.h>
#include <linux/seq_file.h>
#include <linux/connector.h>
#include <linux/netfilter/x_tables.h>
#include <crypto/hash.h>
#include "xt_pknock.h"
#include "compat_xtables.h"
@@ -111,9 +109,9 @@ static DEFINE_SPINLOCK(list_lock);
static struct {
const char *algo;
struct crypto_hash *tfm;
struct crypto_shash *tfm;
unsigned int size;
struct hash_desc desc;
struct shash_desc desc;
} crypto = {
.algo = "hmac(sha256)",
.tfm = NULL,
@@ -701,7 +699,11 @@ msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
memcpy(m + 1, &msg, m->len);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 15, 0)
cn_netlink_send(m, 0, multicast_group, GFP_ATOMIC);
#else
cn_netlink_send(m, multicast_group, GFP_ATOMIC);
#endif
kfree(m);
#endif
@@ -740,7 +742,6 @@ static bool
has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
const unsigned char *payload, unsigned int payload_len)
{
struct scatterlist sg[2];
char result[64]; // 64 bytes * 8 = 512 bits
char *hexresult;
unsigned int hexa_size;
@@ -771,11 +772,7 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
epoch_min = get_seconds() / 60;
sg_init_table(sg, ARRAY_SIZE(sg));
sg_set_buf(&sg[0], &ipsrc, sizeof(ipsrc));
sg_set_buf(&sg[1], &epoch_min, sizeof(epoch_min));
ret = crypto_hash_setkey(crypto.tfm, secret, secret_len);
ret = crypto_shash_setkey(crypto.tfm, secret, secret_len);
if (ret != 0) {
printk("crypto_hash_setkey() failed ret=%d\n", ret);
goto out;
@@ -786,10 +783,10 @@ has_secret(const unsigned char *secret, unsigned int secret_len, uint32_t ipsrc,
* 4 bytes IP (32 bits) +
* 4 bytes int epoch_min (32 bits)
*/
ret = crypto_hash_digest(&crypto.desc, sg,
sizeof(ipsrc) + sizeof(epoch_min), result);
if (ret != 0) {
printk("crypto_hash_digest() failed ret=%d\n", ret);
if ((ret = crypto_shash_update(&crypto.desc, (const void *)&ipsrc, sizeof(ipsrc))) != 0 ||
(ret = crypto_shash_update(&crypto.desc, (const void *)&epoch_min, sizeof(epoch_min))) != 0 ||
(ret = crypto_shash_final(&crypto.desc, result)) != 0) {
printk("crypto_shash_update/final() failed ret=%d\n", ret);
goto out;
}
@@ -1054,9 +1051,6 @@ static int pknock_mt_check(const struct xt_mtchk_param *par)
if (!(info->option & XT_PKNOCK_NAME))
RETURN_ERR("You must specify --name option.\n");
if (info->option & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_CLOSESECRET))
RETURN_ERR("No crypto support available; "
"cannot use opensecret/closescret\n");
if (info->option & XT_PKNOCK_OPENSECRET && info->ports_count != 1)
RETURN_ERR("--opensecret must have just one knock port\n");
if (info->option & XT_PKNOCK_KNOCKPORT) {
@@ -1132,14 +1126,14 @@ static int __init xt_pknock_mt_init(void)
return -ENXIO;
}
crypto.tfm = crypto_alloc_hash(crypto.algo, 0, CRYPTO_ALG_ASYNC);
crypto.tfm = crypto_alloc_shash(crypto.algo, 0, 0);
if (IS_ERR(crypto.tfm)) {
printk(KERN_ERR PKNOCK "failed to load transform for %s\n",
crypto.algo);
return PTR_ERR(crypto.tfm);
}
crypto.size = crypto_hash_digestsize(crypto.tfm);
crypto.size = crypto_shash_digestsize(crypto.tfm);
crypto.desc.tfm = crypto.tfm;
crypto.desc.flags = 0;
@@ -1157,7 +1151,7 @@ static void __exit xt_pknock_mt_exit(void)
xt_unregister_match(&xt_pknock_mt_reg);
kfree(rule_hashtable);
if (crypto.tfm != NULL)
crypto_free_hash(crypto.tfm);
crypto_free_shash(crypto.tfm);
}
module_init(xt_pknock_mt_init);

28
extensions/xt_CHAOS.c
View File

@@ -58,8 +58,12 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
{
struct xt_action_param local_par;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
local_par.state = par->state;
#else
local_par.in = par->in,
local_par.out = par->out,
#endif
local_par.match = xm_tcp;
local_par.matchinfo = &tcp_params;
local_par.fragoff = fragoff;
@@ -68,24 +72,28 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
ret = xm_tcp->match(skb, &local_par);
hotdrop = local_par.hotdrop;
}
if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
if (!ret || hotdrop || (unsigned int)prandom_u32() > delude_percentage)
return;
destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
{
struct xt_action_param local_par;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
local_par.state = par->state;
#else
local_par.in = par->in;
local_par.out = par->out;
local_par.hooknum = par->hooknum;
local_par.family = par->family;
#endif
local_par.target = destiny;
local_par.targinfo = par->targinfo;
local_par.family = par->family;
destiny->target(skb, &local_par);
}
}
static unsigned int
chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
/*
* Equivalent to:
@@ -96,14 +104,17 @@ chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
* -A chaos -j DROP;
*/
const struct xt_chaos_tginfo *info = par->targinfo;
struct sk_buff *skb = *pskb;
const struct iphdr *iph = ip_hdr(skb);
if ((unsigned int)net_random() <= reject_percentage) {
if ((unsigned int)prandom_u32() <= reject_percentage) {
struct xt_action_param local_par;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
local_par.state = par->state;
#else
local_par.in = par->in;
local_par.out = par->out;
local_par.hooknum = par->hooknum;
#endif
local_par.target = xt_reject;
local_par.targinfo = &reject_params;
return xt_reject->target(skb, &local_par);
@@ -112,7 +123,12 @@ chaos_tg(struct sk_buff **pskb, const struct xt_action_param *par)
/* TARPIT/DELUDE may not be called from the OUTPUT chain */
if (iph->protocol == IPPROTO_TCP &&
info->variant != XTCHAOS_NORMAL &&
par->hooknum != NF_INET_LOCAL_OUT)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
par->state->hook
#else
par->hooknum
#endif
!= NF_INET_LOCAL_OUT)
xt_chaos_total(skb, par);
return NF_DROP;

22
extensions/xt_DELUDE.c
View File

@@ -25,7 +25,8 @@
#include "compat_xtables.h"
#define PFX KBUILD_MODNAME ": "
static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
unsigned int hook)
{
struct tcphdr _otcph, *tcph;
const struct tcphdr *oth;
@@ -106,8 +107,13 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
addr_type = RTN_UNSPEC;
#ifdef CONFIG_BRIDGE_NETFILTER
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->physoutdev))
#else
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->mask & BRNF_BRIDGED))
#endif
#else
if (hook != NF_INET_FORWARD)
#endif
@@ -116,7 +122,7 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
/* ip_route_me_harder expects skb->dst to be set */
skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
if (ip_route_me_harder(&nskb, addr_type))
if (ip_route_me_harder(net, nskb, addr_type))
goto free_nskb;
else
niph = ip_hdr(nskb);
@@ -130,7 +136,7 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
nf_ct_attach(nskb, oldskb);
ip_local_out(nskb);
ip_local_out(net, nskb->sk, nskb);
return;
free_nskb:
@@ -138,14 +144,20 @@ static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
}
static unsigned int
delude_tg(struct sk_buff **pskb, const struct xt_action_param *par)
delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
/*
* Sending the reset causes reentrancy within iptables - and should not pose
* a problem, as that is supported since Linux 2.6.35. But since we do not
* actually want to have a connection open, we are still going to drop it.
*/
delude_send_reset(*pskb, par->hooknum);
delude_send_reset(par_net(par), skb,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
par->state->hook
#else
par->hooknum
#endif
);
return NF_DROP;
}

18
extensions/xt_DHCPMAC.c
View File

@@ -34,9 +34,9 @@ static void ether_set(unsigned char *addr, const unsigned char *op,
unsigned int i;
for (i = 0; i < ETH_ALEN && mask > 0; ++i) {
lo_mask = mask % 8;
lo_mask = (mask >= 8) ? 8 : mask;
/* FF << 4 >> 4 = 0F */
lo_mask = ~(uint8_t)0U << lo_mask >> lo_mask;
lo_mask = (uint8_t)(~0U << lo_mask) >> lo_mask;
addr[i] &= lo_mask;
addr[i] |= op[i] & ~lo_mask;
if (mask >= 8)
@@ -55,9 +55,9 @@ static bool ether_cmp(const unsigned char *lh, const unsigned char *rh,
#define ZMACHEX(s) s[0], s[1], s[2], s[3], s[4], s[5]
for (i = 0; i < ETH_ALEN && mask > 0; ++i) {
lo_mask = mask % 8;
lo_mask = (mask >= 8) ? 8 : mask;
/* ~(0xFF << 4 >> 4) = ~0x0F = 0xF0 */
lo_mask = ~(~(uint8_t)0U << lo_mask >> lo_mask);
lo_mask = ~((uint8_t)(~0U << lo_mask) >> lo_mask);
if ((lh[i] ^ rh[i]) & lo_mask)
return false;
if (mask >= 8)
@@ -89,15 +89,14 @@ dhcpmac_mt(const struct sk_buff *skb, struct xt_action_param *par)
}
static unsigned int
dhcpmac_tg(struct sk_buff **pskb, const struct xt_action_param *par)
dhcpmac_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct dhcpmac_info *info = par->targinfo;
struct dhcp_message dhcpbuf, *dh;
struct udphdr udpbuf, *udph;
struct sk_buff *skb = *pskb;
unsigned int i;
if (!skb_make_writable(pskb, 0))
if (!skb_make_writable(skb, 0))
return NF_DROP;
udph = skb_header_pointer(skb, ip_hdrlen(skb),
@@ -111,13 +110,12 @@ dhcpmac_tg(struct sk_buff **pskb, const struct xt_action_param *par)
return NF_DROP;
for (i = 0; i < sizeof(dh->chaddr); i += 2)
csum_replace2(&udph->check, *(const __be16 *)dh->chaddr, 0);
csum_replace2(&udph->check, *(const __be16 *)(dh->chaddr + i), 0);
memset(dh->chaddr, 0, sizeof(dh->chaddr));
ether_set(dh->chaddr, info->addr, info->mask);
for (i = 0; i < sizeof(dh->chaddr); i += 2)
csum_replace2(&udph->check, 0, *(const __be16 *)dh->chaddr);
csum_replace2(&udph->check, 0, *(const __be16 *)(dh->chaddr + i));
return XT_CONTINUE;
}

28
extensions/xt_DNETMAP.c
View File

@@ -26,6 +26,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter/x_tables.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/uidgid.h>
#include <linux/version.h>
@@ -353,10 +354,13 @@ out:
}
static unsigned int
dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
struct net *net = dev_net(par->state->in ? par->state->in : par->state->out);
#else
struct net *net = dev_net(par->in ? par->in : par->out);
#endif
struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
@@ -367,16 +371,21 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
struct dnetmap_entry *e;
struct dnetmap_prefix *p;
__s32 jttl;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
unsigned int hooknum = par->state->hook;
#else
unsigned int hooknum = par->hooknum;
#endif
NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING ||
par->hooknum == NF_INET_LOCAL_OUT ||
par->hooknum == NF_INET_PRE_ROUTING);
NF_CT_ASSERT(hooknum == NF_INET_POST_ROUTING ||
hooknum == NF_INET_LOCAL_OUT ||
hooknum == NF_INET_PRE_ROUTING);
ct = nf_ct_get(skb, &ctinfo);
jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
/* in prerouting we try to map postnat-ip to prenat-ip */
if (par->hooknum == NF_INET_PRE_ROUTING) {
if (hooknum == NF_INET_PRE_ROUTING) {
postnat_ip = ip_hdr(skb)->daddr;
spin_lock_bh(&dnetmap_lock);
@@ -407,7 +416,7 @@ dnetmap_tg(struct sk_buff **pskb, const struct xt_action_param *par)
newrange.min_proto = mr->min_proto;
newrange.max_proto = mr->max_proto;
return nf_nat_setup_info(ct, &newrange,
HOOK2MANIP(par->hooknum));
HOOK2MANIP(hooknum));
}
prenat_ip = ip_hdr(skb)->saddr;
@@ -495,7 +504,11 @@ bind_new_prefix:
newrange.max_addr.ip = postnat_ip;
newrange.min_proto = mr->min_proto;
newrange.max_proto = mr->max_proto;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->state->hook));
#else
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
#endif
no_rev_map:
no_free_ip:
@@ -608,7 +621,6 @@ dnetmap_tg_proc_write(struct file *file, const char __user *input,size_t size, l
char buf[sizeof("+192.168.100.100:200.200.200.200")];
const char *c = buf;
const char *c2;
//union nf_inet_addr addr = {};
__be32 addr1,addr2;
bool add;
char str[25];

30
extensions/xt_ECHO.c
View File

@@ -24,9 +24,8 @@
#include "compat_xtables.h"
static unsigned int
echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
{
const struct sk_buff *oldskb = *poldskb;
const struct udphdr *oldudp;
const struct ipv6hdr *oldip;
struct udphdr *newudp, oldudp_buf;
@@ -36,10 +35,14 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
void *payload;
struct flowi6 fl;
struct dst_entry *dst = NULL;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
struct net *net = dev_net((par->state->in != NULL) ? par->state->in : par->state->out);
#else
struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
#endif
/* This allows us to do the copy operation in fewer lines of code. */
if (skb_linearize(*poldskb) < 0)
if (skb_linearize(oldskb) < 0)
return NF_DROP;
oldip = ipv6_hdr(oldskb);
@@ -77,6 +80,7 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
payload = skb_header_pointer(oldskb, par->thoff +
sizeof(*oldudp), data_len, NULL);
memcpy(skb_put(newskb, data_len), payload, data_len);
newip->payload_len = htons(newskb->len);
#if 0
/*
@@ -112,8 +116,8 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
if (newskb->len > dst_mtu(skb_dst(newskb)))
goto free_nskb;
nf_ct_attach(newskb, *poldskb);
ip6_local_out(newskb);
nf_ct_attach(newskb, oldskb);
ip6_local_out(par_net(par), newskb->sk, newskb);
return NF_DROP;
free_nskb:
@@ -122,9 +126,8 @@ echo_tg6(struct sk_buff **poldskb, const struct xt_action_param *par)
}
static unsigned int
echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
{
const struct sk_buff *oldskb = *poldskb;
const struct udphdr *oldudp;
const struct iphdr *oldip;
struct udphdr *newudp, oldudp_buf;
@@ -134,7 +137,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
void *payload;
/* This allows us to do the copy operation in fewer lines of code. */
if (skb_linearize(*poldskb) < 0)
if (skb_linearize(oldskb) < 0)
return NF_DROP;
oldip = ip_hdr(oldskb);
@@ -158,8 +161,8 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
newip->version = oldip->version;
newip->ihl = sizeof(*newip) / 4;
newip->tos = oldip->tos;
newip->id = 0;
newip->frag_off = htons(IP_DF);
newip->id = oldip->id;
newip->frag_off = 0;
newip->protocol = oldip->protocol;
newip->check = 0;
newip->saddr = oldip->daddr;
@@ -175,6 +178,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
payload = skb_header_pointer(oldskb, par->thoff +
sizeof(*oldudp), data_len, NULL);
memcpy(skb_put(newskb, data_len), payload, data_len);
newip->tot_len = htons(newskb->len);
#if 0
/*
@@ -192,7 +196,7 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
/* ip_route_me_harder expects the skb's dst to be set */
skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
if (ip_route_me_harder(&newskb, RTN_UNSPEC) != 0)
if (ip_route_me_harder(par_net(par), newskb, RTN_UNSPEC) != 0)
goto free_nskb;
newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
@@ -202,8 +206,8 @@ echo_tg4(struct sk_buff **poldskb, const struct xt_action_param *par)
if (newskb->len > dst_mtu(skb_dst(newskb)))
goto free_nskb;
nf_ct_attach(newskb, *poldskb);
ip_local_out(newskb);
nf_ct_attach(newskb, oldskb);
ip_local_out(par_net(par), newskb->sk, newskb);
return NF_DROP;
free_nskb:

6
extensions/xt_IPMARK.c
View File

@@ -25,10 +25,9 @@ MODULE_ALIAS("ipt_IPMARK");
MODULE_ALIAS("ip6t_IPMARK");
static unsigned int
ipmark_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
ipmark_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_ipmark_tginfo *ipmarkinfo = par->targinfo;
const struct sk_buff *skb = *pskb;
const struct iphdr *iph = ip_hdr(skb);
__u32 mark;
@@ -61,10 +60,9 @@ static __u32 ipmark_from_ip6(const struct in6_addr *a, unsigned int s)
}
static unsigned int
ipmark_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
ipmark_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct xt_ipmark_tginfo *info = par->targinfo;
const struct sk_buff *skb = *pskb;
const struct ipv6hdr *iph = ipv6_hdr(skb);
__u32 mark;

11
extensions/xt_LOGMARK.c
View File

@@ -58,14 +58,17 @@ static void logmark_ct(const struct nf_conn *ct, enum ip_conntrack_info ctinfo)
printk("%s""ASSURED", prev++ ? "," : "");
if (ct->status & IPS_CONFIRMED)
printk("%s""CONFIRMED", prev++ ? "," : "");
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,9,0)
printk(" lifetime=%lus", nf_ct_expires(ct) / HZ);
#else
printk(" lifetime=%lus",
(jiffies - ct->timeout.expires) / HZ);
#endif
}
static unsigned int
logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
logmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct xt_logmark_tginfo *info = par->targinfo;
const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
@@ -73,7 +76,11 @@ logmark_tg(struct sk_buff **pskb, const struct xt_action_param *par)
printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
"secmark=0x%x classify=0x%x",
info->level, (unsigned int)sizeof(info->prefix), info->prefix,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
skb_ifindex(skb), hook_names[par->state->hook],
#else
skb_ifindex(skb), hook_names[par->hooknum],
#endif
skb_nfmark(skb), skb_secmark(skb), skb->priority);
ct = nf_ct_get(skb, &ctinfo);

354
extensions/xt_RAWNAT.c
View File

@@ -1,354 +0,0 @@
/*
* "RAWNAT" target extension for Xtables - untracked NAT
* Copyright © Jan Engelhardt, 2008 - 2009
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License; either
* version 2 of the License, or any later version, as published by the
* Free Software Foundation.
*/
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/version.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "compat_xtables.h"
#include "xt_RAWNAT.h"
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
static inline __be32
remask(__be32 addr, __be32 repl, unsigned int shift)
{
uint32_t mask = (shift == 32) ? 0 : (~(uint32_t)0 >> shift);
return htonl((ntohl(addr) & mask) | (ntohl(repl) & ~mask));
}
#ifdef WITH_IPV6
static void
rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
{
switch (mask) {
case 0:
break;
case 1 ... 31:
addr[0] = remask(addr[0], repl[0], mask);
break;
case 32:
addr[0] = repl[0];
break;
case 33 ... 63:
addr[0] = repl[0];
addr[1] = remask(addr[1], repl[1], mask - 32);
break;
case 64:
addr[0] = repl[0];
addr[1] = repl[1];
break;
case 65 ... 95:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = remask(addr[2], repl[2], mask - 64);
case 96:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
break;
case 97 ... 127:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
addr[3] = remask(addr[3], repl[3], mask - 96);
break;
case 128:
addr[0] = repl[0];
addr[1] = repl[1];
addr[2] = repl[2];
addr[3] = repl[3];
break;
}
}
#endif
static void rawnat4_update_l4(struct sk_buff *skb, __be32 oldip, __be32 newip)
{
struct iphdr *iph = ip_hdr(skb);
void *transport_hdr = (void *)iph + ip_hdrlen(skb);
struct tcphdr *tcph;
struct udphdr *udph;
bool cond;
switch (iph->protocol) {
case IPPROTO_TCP:
tcph = transport_hdr;
inet_proto_csum_replace4(&tcph->check, skb, oldip, newip, true);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
udph = transport_hdr;
cond = udph->check != 0;
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
if (cond) {
inet_proto_csum_replace4(&udph->check, skb,
oldip, newip, true);
if (udph->check == 0)
udph->check = CSUM_MANGLED_0;
}
break;
}
}
static unsigned int rawnat4_writable_part(const struct iphdr *iph)
{
unsigned int wlen = iph->ihl * 4;
switch (iph->protocol) {
case IPPROTO_TCP:
wlen += sizeof(struct tcphdr);
break;
case IPPROTO_UDP:
wlen += sizeof(struct udphdr);
break;
}
return wlen;
}
static unsigned int
rawsnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
__be32 new_addr;
iph = ip_hdr(*pskb);
new_addr = remask(iph->saddr, info->addr.ip, info->mask);
if (iph->saddr == new_addr)
return XT_CONTINUE;
if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
return NF_DROP;
iph = ip_hdr(*pskb);
csum_replace4(&iph->check, iph->saddr, new_addr);
rawnat4_update_l4(*pskb, iph->saddr, new_addr);
iph->saddr = new_addr;
return XT_CONTINUE;
}
static unsigned int
rawdnat_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
struct iphdr *iph;
__be32 new_addr;
iph = ip_hdr(*pskb);
new_addr = remask(iph->daddr, info->addr.ip, info->mask);
if (iph->daddr == new_addr)
return XT_CONTINUE;
if (!skb_make_writable(pskb, rawnat4_writable_part(iph)))
return NF_DROP;
iph = ip_hdr(*pskb);
csum_replace4(&iph->check, iph->daddr, new_addr);
rawnat4_update_l4(*pskb, iph->daddr, new_addr);
iph->daddr = new_addr;
return XT_CONTINUE;
}
#ifdef WITH_IPV6
static bool rawnat6_prepare_l4(struct sk_buff **pskb, unsigned int *l4offset,
unsigned int *l4proto)
{
static const unsigned int types[] =
{IPPROTO_TCP, IPPROTO_UDP, IPPROTO_UDPLITE};
unsigned int i;
int err;
*l4proto = NEXTHDR_MAX;
for (i = 0; i < ARRAY_SIZE(types); ++i) {
err = ipv6_find_hdr(*pskb, l4offset, types[i], NULL, NULL);
if (err >= 0) {
*l4proto = types[i];
break;
}
if (err != -ENOENT)
return false;
}
switch (*l4proto) {
case IPPROTO_TCP:
if (!skb_make_writable(pskb, *l4offset + sizeof(struct tcphdr)))
return false;
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
if (!skb_make_writable(pskb, *l4offset + sizeof(struct udphdr)))
return false;
break;
}
return true;
}
static void rawnat6_update_l4(struct sk_buff *skb, unsigned int l4proto,
unsigned int l4offset, const struct in6_addr *oldip,
const struct in6_addr *newip)
{
const struct ipv6hdr *iph = ipv6_hdr(skb);
struct tcphdr *tcph;
struct udphdr *udph;
unsigned int i;
bool cond;
switch (l4proto) {
case IPPROTO_TCP:
tcph = (void *)iph + l4offset;
for (i = 0; i < 4; ++i)
inet_proto_csum_replace4(&tcph->check, skb,
oldip->s6_addr32[i], newip->s6_addr32[i], true);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
udph = (void *)iph + l4offset;
cond = udph->check;
cond |= skb->ip_summed == CHECKSUM_PARTIAL;
if (cond) {
for (i = 0; i < 4; ++i)
inet_proto_csum_replace4(&udph->check, skb,
oldip->s6_addr32[i],
newip->s6_addr32[i], true);
if (udph->check == 0)
udph->check = CSUM_MANGLED_0;
}
break;
}
}
static unsigned int
rawsnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset = 0, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
iph = ipv6_hdr(*pskb);
memcpy(&new_addr, &iph->saddr, sizeof(new_addr));
rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
if (ipv6_addr_cmp(&iph->saddr, &new_addr) == 0)
return XT_CONTINUE;
if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
return NF_DROP;
iph = ipv6_hdr(*pskb);
rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->saddr, &new_addr);
memcpy(&iph->saddr, &new_addr, sizeof(new_addr));
return XT_CONTINUE;
}
static unsigned int
rawdnat_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
{
const struct xt_rawnat_tginfo *info = par->targinfo;
unsigned int l4offset = 0, l4proto;
struct ipv6hdr *iph;
struct in6_addr new_addr;
iph = ipv6_hdr(*pskb);
memcpy(&new_addr, &iph->daddr, sizeof(new_addr));
rawnat_ipv6_mask(new_addr.s6_addr32, info->addr.ip6, info->mask);
if (ipv6_addr_cmp(&iph->daddr, &new_addr) == 0)
return XT_CONTINUE;
if (!rawnat6_prepare_l4(pskb, &l4offset, &l4proto))
return NF_DROP;
iph = ipv6_hdr(*pskb);
rawnat6_update_l4(*pskb, l4proto, l4offset, &iph->daddr, &new_addr);
memcpy(&iph->daddr, &new_addr, sizeof(new_addr));
return XT_CONTINUE;
}
#endif
static int rawnat_tg_check(const struct xt_tgchk_param *par)
{
if (strcmp(par->table, "raw") == 0 ||
strcmp(par->table, "rawpost") == 0)
return 0;
printk(KERN_ERR KBUILD_MODNAME " may only be used in the \"raw\" or "
"\"rawpost\" table.\n");
return -EINVAL;
}
static struct xt_target rawnat_tg_reg[] __read_mostly = {
{
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.target = rawsnat_tg4,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "RAWSNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.target = rawsnat_tg6,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#endif
{
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV4,
.target = rawdnat_tg4,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#ifdef WITH_IPV6
{
.name = "RAWDNAT",
.revision = 0,
.family = NFPROTO_IPV6,
.target = rawdnat_tg6,
.targetsize = sizeof(struct xt_rawnat_tginfo),
.checkentry = rawnat_tg_check,
.me = THIS_MODULE,
},
#endif
};
static int __init rawnat_tg_init(void)
{
return xt_register_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
}
static void __exit rawnat_tg_exit(void)
{
xt_unregister_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
}
module_init(rawnat_tg_init);
module_exit(rawnat_tg_exit);
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Xtables: conntrack-less raw NAT");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_RAWSNAT");
MODULE_ALIAS("ipt_RAWDNAT");
MODULE_ALIAS("ip6t_RAWSNAT");
MODULE_ALIAS("ip6t_RAWDNAT");

9
extensions/xt_RAWNAT.h
View File

@@ -1,9 +0,0 @@
#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT
#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1
struct xt_rawnat_tginfo {
union nf_inet_addr addr;
__u8 mask;
};
#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */

67
extensions/xt_STEAL.c
View File

@@ -1,67 +0,0 @@
/*
* "STEAL" demo target extension for Xtables
* written by Jan Engelhardt, 2008 - 2009
* placed in the Public Domain
*/
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include "compat_xtables.h"
static unsigned int
steal_tg(struct sk_buff **pskb, const struct xt_action_param *par)
{
kfree_skb(*pskb);
return NF_STOLEN;
}
static struct xt_target steal_tg_reg[] __read_mostly = {
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_UNSPEC,
.target = steal_tg,
.me = THIS_MODULE,
},
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_IPV6,
.target = steal_tg,
.me = THIS_MODULE,
},
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_ARP,
.target = steal_tg,
.me = THIS_MODULE,
},
{
.name = "STEAL",
.revision = 0,
.family = NFPROTO_BRIDGE,
.target = steal_tg,
.me = THIS_MODULE,
},
};
static int __init steal_tg_init(void)
{
return xt_register_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
}
static void __exit steal_tg_exit(void)
{
xt_unregister_targets(steal_tg_reg, ARRAY_SIZE(steal_tg_reg));
}
module_init(steal_tg_init);
module_exit(steal_tg_exit);
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_DESCRIPTION("Xtables: Silently DROP packets on output chain");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_STEAL");
MODULE_ALIAS("ip6t_STEAL");
MODULE_ALIAS("arpt_STEAL");
MODULE_ALIAS("ebt_STEAL");

38
extensions/xt_SYSRQ.c
View File

@@ -1,6 +1,6 @@
/*
* "SYSRQ" target extension for Xtables
* Copyright © Jan Engelhardt, 2008 - 2012
* Copyright Jan Engelhardt, 2016
*
* Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
*
@@ -21,8 +21,7 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <crypto/hash.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "compat_xtables.h"
@@ -50,7 +49,7 @@ MODULE_PARM_DESC(seqno, "sequence number for remote sysrq");
MODULE_PARM_DESC(debug, "debugging: 0=off, 1=on");
#ifdef WITH_CRYPTO
static struct crypto_hash *sysrq_tfm;
static struct crypto_shash *sysrq_tfm;
static int sysrq_digest_size;
static unsigned char *sysrq_digest_password;
static unsigned char *sysrq_digest;
@@ -75,8 +74,7 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
{
const char *data = pdata;
int i, n;
struct scatterlist sg[2];
struct hash_desc desc;
struct shash_desc desc;
int ret;
long new_seqno = 0;
@@ -117,15 +115,15 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
desc.tfm = sysrq_tfm;
desc.flags = 0;
ret = crypto_hash_init(&desc);
ret = crypto_shash_init(&desc);
if (ret != 0)
goto hash_fail;
sg_init_table(sg, 2);
sg_set_buf(&sg[0], data, n);
i = strlen(sysrq_digest_password);
sg_set_buf(&sg[1], sysrq_digest_password, i);
ret = crypto_hash_digest(&desc, sg, n + i, sysrq_digest);
if (ret != 0)
if (crypto_shash_update(&desc, data, n) != 0)
goto hash_fail;
if (crypto_shash_update(&desc, sysrq_digest_password,
strlen(sysrq_digest_password)) != 0)
goto hash_fail;
if (crypto_shash_final(&desc, sysrq_digest) != 0)
goto hash_fail;
for (i = 0; i < sysrq_digest_size; ++i) {
@@ -189,9 +187,8 @@ static unsigned int sysrq_tg(const void *pdata, uint16_t len)
#endif
static unsigned int
sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
sysrq_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
const struct iphdr *iph;
const struct udphdr *udph;
uint16_t len;
@@ -220,9 +217,8 @@ sysrq_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
#ifdef WITH_IPV6
static unsigned int
sysrq_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
sysrq_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
struct sk_buff *skb = *pskb;
const struct ipv6hdr *iph;
const struct udphdr *udph;
unsigned short frag_off;
@@ -305,7 +301,7 @@ static void sysrq_crypto_exit(void)
{
#ifdef WITH_CRYPTO
if (sysrq_tfm)
crypto_free_hash(sysrq_tfm);
crypto_free_shash(sysrq_tfm);
if (sysrq_digest)
kfree(sysrq_digest);
if (sysrq_hexdigest)
@@ -321,7 +317,7 @@ static int __init sysrq_crypto_init(void)
struct timeval now;
int ret;
sysrq_tfm = crypto_alloc_hash(sysrq_hash, 0, CRYPTO_ALG_ASYNC);
sysrq_tfm = crypto_alloc_shash(sysrq_hash, 0, 0);
if (IS_ERR(sysrq_tfm)) {
printk(KERN_WARNING KBUILD_MODNAME
": Error: Could not find or load %s hash\n",
@@ -330,7 +326,7 @@ static int __init sysrq_crypto_init(void)
sysrq_tfm = NULL;
goto fail;
}
sysrq_digest_size = crypto_hash_digestsize(sysrq_tfm);
sysrq_digest_size = crypto_shash_digestsize(sysrq_tfm);
sysrq_digest = kmalloc(sysrq_digest_size, GFP_KERNEL);
ret = -ENOMEM;
if (sysrq_digest == NULL)
@@ -373,7 +369,7 @@ static void __exit sysrq_tg_exit(void)
module_init(sysrq_tg_init);
module_exit(sysrq_tg_exit);
MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_AUTHOR("Jan Engelhardt");
MODULE_AUTHOR("John Haxby <john.haxby@oracle.com");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_SYSRQ");

57
extensions/xt_TARPIT.c
View File

@@ -107,8 +107,8 @@ static bool xttarpit_honeypot(struct tcphdr *tcph, const struct tcphdr *oth,
tcph->syn = true;
tcph->ack = true;
tcph->window = oth->window &
((net_random() & 0x1f) - 0xf);
tcph->seq = htonl(net_random() & ~oth->seq);
((prandom_u32() & 0x1f) - 0xf);
tcph->seq = htonl(prandom_u32() & ~oth->seq);
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
}
@@ -117,7 +117,7 @@ static bool xttarpit_honeypot(struct tcphdr *tcph, const struct tcphdr *oth,
tcph->syn = false;
tcph->ack = true;
tcph->window = oth->window &
((net_random() & 0x1f) - 0xf);
((prandom_u32() & 0x1f) - 0xf);
tcph->ack_seq = payload > 100 ?
htonl(ntohl(oth->seq) + payload) :
oth->seq;
@@ -170,8 +170,8 @@ static bool tarpit_generic(struct tcphdr *tcph, const struct tcphdr *oth,
return true;
}
static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
unsigned int mode)
static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
unsigned int hook, unsigned int mode)
{
struct tcphdr _otcph, *tcph;
const struct tcphdr *oth;
@@ -249,14 +249,19 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
niph->id = ~oldhdr->id + 1;
#ifdef CONFIG_BRIDGE_NETFILTER
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->physoutdev != NULL))
#else
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->mask & BRNF_BRIDGED))
#endif
#else
if (hook != NF_INET_FORWARD)
#endif
addr_type = RTN_LOCAL;
if (ip_route_me_harder(&nskb, addr_type))
if (ip_route_me_harder(net, nskb, addr_type))
goto free_nskb;
else
niph = ip_hdr(nskb);
@@ -279,8 +284,16 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
nf_ct_attach(nskb, oldskb);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
skb_dst(nskb)->dev, dst_output);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb->sk, nskb, NULL,
skb_dst(nskb)->dev, dst_output_sk);
#else
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
skb_dst(nskb)->dev, dst_output);
#endif
return;
free_nskb:
@@ -288,8 +301,8 @@ static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
}
#ifdef WITH_IPV6
static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
unsigned int mode)
static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
unsigned int hook, unsigned int mode)
{
struct sk_buff *nskb;
struct tcphdr *tcph, oth;
@@ -387,15 +400,23 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
IPPROTO_TCP,
csum_partial(tcph, sizeof(struct tcphdr), 0));
if (ip6_route_me_harder(nskb))
if (ip6_route_me_harder(net, nskb))
goto free_nskb;
nskb->ip_summed = CHECKSUM_NONE;
nf_ct_attach(nskb, oldskb);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
skb_dst(nskb)->dev, dst_output);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb->sk, nskb, NULL,
skb_dst(nskb)->dev, dst_output_sk);
#else
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
skb_dst(nskb)->dev, dst_output);
#endif
return;
free_nskb:
@@ -404,9 +425,8 @@ static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
#endif
static unsigned int
tarpit_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct iphdr *iph = ip_hdr(skb);
const struct rtable *rt = skb_rtable(skb);
const struct xt_tarpit_tginfo *info = par->targinfo;
@@ -435,15 +455,18 @@ tarpit_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
if (iph->frag_off & htons(IP_OFFSET))
return NF_DROP;
tarpit_tcp4(*pskb, par->hooknum, info->variant);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
#else
tarpit_tcp4(par_net(par), skb, par->hooknum, info->variant);
#endif
return NF_DROP;
}
#ifdef WITH_IPV6
static unsigned int
tarpit_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct sk_buff *skb = *pskb;
const struct ipv6hdr *iph = ipv6_hdr(skb);
const struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
const struct xt_tarpit_tginfo *info = par->targinfo;
@@ -478,7 +501,11 @@ tarpit_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
return NF_DROP;
}
tarpit_tcp6(*pskb, par->hooknum, info->variant);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
#else
tarpit_tcp6(par_net(par), skb, par->hooknum, info->variant);
#endif
return NF_DROP;
}
#endif

3
extensions/xt_condition.c
View File

@@ -66,7 +66,8 @@ static int condition_proc_show(struct seq_file *m, void *data)
{
const struct condition_variable *var = m->private;
return seq_printf(m, var->enabled ? "1\n" : "0\n");
seq_printf(m, var->enabled ? "1\n" : "0\n");
return 0;
}
static int condition_proc_open(struct inode *inode, struct file *file)

8
extensions/xt_iface.c
View File

@@ -45,9 +45,17 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
const struct xt_action_param *par, struct net_device **put)
{
if (info->flags & XT_IFACE_DEV_IN)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
return par->state->in;
#else
return par->in;
#endif
else if (info->flags & XT_IFACE_DEV_OUT)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
return par->state->out;
#else
return par->out;
#endif
return *put = dev_get_by_name(&init_net, info->ifname);
}

4
extensions/xt_lscan.c
View File

@@ -204,7 +204,11 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
unsigned int n;
n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
par->state->in == init_net.loopback_dev, tcph,
#else
par->in == init_net.loopback_dev, tcph,
#endif
skb->len - par->thoff - 4 * tcph->doff);
ctdata->mark = (ctdata->mark & ~connmark_mask) | n;

120
extensions/xt_quota2.c
View File

@@ -13,6 +13,7 @@
*/
#include <linux/list.h>
#include <linux/module.h>
#include <linux/nsproxy.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/skbuff.h>
@@ -20,6 +21,9 @@
#include <linux/uidgid.h>
#include <linux/version.h>
#include <asm/atomic.h>
#include <net/net_namespace.h>
#include <net/netns/generic.h>
#include <net/dst.h>
#include <linux/netfilter/x_tables.h>
#include "xt_quota2.h"
@@ -37,10 +41,19 @@ struct xt_quota_counter {
struct proc_dir_entry *procfs_entry;
};
static LIST_HEAD(counter_list);
struct quota2_net {
struct list_head counter_list;
struct proc_dir_entry *proc_xt_quota;
};
static int quota2_net_id;
static inline struct quota2_net *quota2_pernet(struct net *net)
{
return net_generic(net, quota2_net_id);
}
static DEFINE_SPINLOCK(counter_list_lock);
static struct proc_dir_entry *proc_xt_quota;
static unsigned int quota_list_perms = S_IRUGO | S_IWUSR;
static unsigned int quota_list_uid = 0;
static unsigned int quota_list_gid = 0;
@@ -51,12 +64,11 @@ module_param_named(gid, quota_list_gid, uint, S_IRUGO | S_IWUSR);
static int quota_proc_show(struct seq_file *m, void *data)
{
struct xt_quota_counter *e = m->private;
int ret;
spin_lock_bh(&e->lock);
ret = seq_printf(m, "%llu\n", e->quota);
seq_printf(m, "%llu\n", e->quota);
spin_unlock_bh(&e->lock);
return ret;
return 0;
}
static int quota_proc_open(struct inode *inode, struct file *file)
@@ -69,17 +81,39 @@ quota_proc_write(struct file *file, const char __user *input,
size_t size, loff_t *loff)
{
struct xt_quota_counter *e = PDE_DATA(file_inode(file));
char buf[sizeof("18446744073709551616")];
char buf[sizeof("+-18446744073709551616")];
if (size > sizeof(buf))
size = sizeof(buf);
if (copy_from_user(buf, input, size) != 0)
return -EFAULT;
buf[sizeof(buf)-1] = '\0';
if (size < sizeof(buf))
buf[size] = '\0';
spin_lock_bh(&e->lock);
e->quota = simple_strtoull(buf, NULL, 0);
spin_unlock_bh(&e->lock);
if (*buf == '+') {
int64_t temp = simple_strtoll(buf + 1, NULL, 0);
spin_lock_bh(&e->lock);
/* Do not let quota become negative if @tmp is very negative */
if (temp > 0 || -temp < e->quota)
e->quota += temp;
else
e->quota = 0;
spin_unlock_bh(&e->lock);
} else if (*buf == '-') {
int64_t temp = simple_strtoll(buf + 1, NULL, 0);
spin_lock_bh(&e->lock);
/* Do not let quota become negative if @tmp is very big */
if (temp < 0 || temp < e->quota)
e->quota -= temp;
else
e->quota = 0;
spin_unlock_bh(&e->lock);
} else {
spin_lock_bh(&e->lock);
e->quota = simple_strtoull(buf, NULL, 0);
spin_unlock_bh(&e->lock);
}
return size;
}
@@ -118,16 +152,17 @@ q2_new_counter(const struct xt_quota_mtinfo2 *q, bool anon)
* @name: name of counter
*/
static struct xt_quota_counter *
q2_get_counter(const struct xt_quota_mtinfo2 *q)
q2_get_counter(struct net *net, const struct xt_quota_mtinfo2 *q)
{
struct proc_dir_entry *p;
struct xt_quota_counter *e;
struct quota2_net *quota2_net = quota2_pernet(net);
if (*q->name == '\0')
return q2_new_counter(q, true);
spin_lock_bh(&counter_list_lock);
list_for_each_entry(e, &counter_list, list)
list_for_each_entry(e, &quota2_net->counter_list, list)
if (strcmp(e->name, q->name) == 0) {
atomic_inc(&e->ref);
spin_unlock_bh(&counter_list_lock);
@@ -138,7 +173,8 @@ q2_get_counter(const struct xt_quota_mtinfo2 *q)
if (e == NULL)
goto out;
p = proc_create_data(e->name, quota_list_perms, proc_xt_quota,
p = proc_create_data(e->name, quota_list_perms,
quota2_net->proc_xt_quota,
&quota_proc_fops, e);
if (p == NULL || IS_ERR(p))
goto out;
@@ -146,7 +182,7 @@ q2_get_counter(const struct xt_quota_mtinfo2 *q)
e->procfs_entry = p;
proc_set_user(p, make_kuid(&init_user_ns, quota_list_uid),
make_kgid(&init_user_ns, quota_list_gid));
list_add_tail(&e->list, &counter_list);
list_add_tail(&e->list, &quota2_net->counter_list);
spin_unlock_bh(&counter_list_lock);
return e;
@@ -169,7 +205,7 @@ static int quota_mt2_check(const struct xt_mtchk_param *par)
return -EINVAL;
}
q->master = q2_get_counter(q);
q->master = q2_get_counter(par->net, q);
if (q->master == NULL) {
printk(KERN_ERR "xt_quota.3: memory alloc failure\n");
return -ENOMEM;
@@ -182,6 +218,7 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
{
struct xt_quota_mtinfo2 *q = par->matchinfo;
struct xt_quota_counter *e = q->master;
struct quota2_net *quota2_net = quota2_pernet(par->net);
if (*q->name == '\0') {
kfree(e);
@@ -195,7 +232,7 @@ static void quota_mt2_destroy(const struct xt_mtdtor_param *par)
}
list_del(&e->list);
remove_proc_entry(e->name, proc_xt_quota);
remove_proc_entry(e->name, quota2_net->proc_xt_quota);
spin_unlock_bh(&counter_list_lock);
kfree(e);
}
@@ -219,13 +256,14 @@ quota_mt2(const struct sk_buff *skb, struct xt_action_param *par)
}
ret = true;
} else {
if (e->quota >= skb->len) {
if (e->quota >= ((q->flags & XT_QUOTA_PACKET) ? 1 : skb->len)) {
if (!(q->flags & XT_QUOTA_NO_CHANGE))
e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
ret = !ret;
} else {
/* we do not allow even small packets from now on */
e->quota = 0;
if (!(q->flags & XT_QUOTA_NO_CHANGE))
e->quota = 0;
}
q->quota = e->quota;
}
@@ -256,24 +294,60 @@ static struct xt_match quota_mt2_reg[] __read_mostly = {
},
};
static int __net_init quota2_net_init(struct net *net)
{
struct quota2_net *quota2_net = quota2_pernet(net);
INIT_LIST_HEAD(&quota2_net->counter_list);
quota2_net->proc_xt_quota = proc_mkdir("xt_quota", net->proc_net);
if (quota2_net->proc_xt_quota == NULL)
return -EACCES;
return 0;
}
static void __net_exit quota2_net_exit(struct net *net)
{
struct quota2_net *quota2_net = quota2_pernet(net);
struct xt_quota_counter *e = NULL;
struct list_head *pos, *q;
remove_proc_entry("xt_quota", net->proc_net);
/* destroy counter_list while freeing it's content */
spin_lock_bh(&counter_list_lock);
list_for_each_safe(pos, q, &quota2_net->counter_list) {
e = list_entry(pos, struct xt_quota_counter, list);
list_del(pos);
kfree(e);
}
spin_unlock_bh(&counter_list_lock);
}
static struct pernet_operations quota2_net_ops = {
.init = quota2_net_init,
.exit = quota2_net_exit,
.id = &quota2_net_id,
.size = sizeof(struct quota2_net),
};
static int __init quota_mt2_init(void)
{
int ret;
proc_xt_quota = proc_mkdir("xt_quota", init_net.proc_net);
if (proc_xt_quota == NULL)
return -EACCES;
ret = register_pernet_subsys(&quota2_net_ops);
if (ret < 0)
return ret;
ret = xt_register_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
if (ret < 0)
remove_proc_entry("xt_quota", init_net.proc_net);
unregister_pernet_subsys(&quota2_net_ops);
return ret;
}
static void __exit quota_mt2_exit(void)
{
xt_unregister_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
remove_proc_entry("xt_quota", init_net.proc_net);
unregister_pernet_subsys(&quota2_net_ops);
}
module_init(quota_mt2_init);

2
mconfig
View File

@@ -8,8 +8,6 @@ build_DNETMAP=m
build_ECHO=m
build_IPMARK=m
build_LOGMARK=m
build_RAWNAT=m
build_STEAL=m
build_SYSRQ=m
build_TARPIT=m
build_condition=m

2
xtables-addons.8.in
View File

@@ -1,4 +1,4 @@
.TH xtables-addons 8 "African Heat Edition" "" "v2.3 (2013-06-18)"
.TH xtables-addons 8 "Not For Workgroups" "" "v2.12 (2017-01-11)"
.SH Name
Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
.SH Targets