mirror of
git://git.code.sf.net/p/xtables-addons/xtables-addons
synced 2025-09-21 12:04:56 +02:00
Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
47f5391a37 | ||
|
|
16a64492ae | ||
|
|
cdcf874366 |
1
.gitignore
vendored
1
.gitignore
vendored
@@ -3,7 +3,6 @@
|
||||
*.lo
|
||||
*.loT
|
||||
*.o
|
||||
.cache.mk
|
||||
.deps/
|
||||
.dirstamp
|
||||
.libs/
|
||||
|
||||
7
INSTALL
7
INSTALL
@@ -12,17 +12,16 @@ in combination with the kernel's Kbuild system.
|
||||
Supported configurations for this release
|
||||
=========================================
|
||||
|
||||
* iptables >= 1.6.0
|
||||
* iptables >= 1.4.5
|
||||
|
||||
* kernel-devel >= 4.15
|
||||
* kernel-devel >= 3.7
|
||||
with prepared build/output directory
|
||||
- CONFIG_NF_CONNTRACK
|
||||
- CONFIG_NF_CONNTRACK_MARK enabled =y or as module (=m)
|
||||
- CONFIG_CONNECTOR y/m if you wish to receive userspace
|
||||
notifications from pknock through netlink/connector
|
||||
|
||||
(Use xtables-addons-1.x if you need support for Linux < 3.7.
|
||||
Use xtables-addons-2.x if you need support for Linux < 4.15.)
|
||||
(Use xtables-addons-1.x if you need support for Linux < 3.7.)
|
||||
|
||||
|
||||
Selecting extensions
|
||||
|
||||
12
configure.ac
12
configure.ac
@@ -1,4 +1,4 @@
|
||||
AC_INIT([xtables-addons], [3.1])
|
||||
AC_INIT([xtables-addons], [2.15])
|
||||
AC_CONFIG_AUX_DIR([build-aux])
|
||||
AC_CONFIG_HEADERS([config.h])
|
||||
AC_CONFIG_MACRO_DIR([m4])
|
||||
@@ -26,7 +26,7 @@ fi
|
||||
|
||||
AC_CHECK_HEADERS([linux/netfilter/x_tables.h], [],
|
||||
[AC_MSG_ERROR([You need to have linux/netfilter/x_tables.h, see INSTALL file for details])])
|
||||
PKG_CHECK_MODULES([libxtables], [xtables >= 1.6.0])
|
||||
PKG_CHECK_MODULES([libxtables], [xtables >= 1.4.5])
|
||||
xtlibdir="$(pkg-config --variable=xtlibdir xtables)"
|
||||
|
||||
AC_ARG_WITH([xtlibdir],
|
||||
@@ -57,10 +57,12 @@ if test -n "$kbuilddir"; then
|
||||
echo "WARNING: Version detection did not succeed. Continue at own luck.";
|
||||
else
|
||||
echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
|
||||
if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 18; then
|
||||
if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 12; then
|
||||
echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
|
||||
elif test "$kmajor" -eq 4 -a "$kminor" -ge 18; then
|
||||
:
|
||||
elif test "$kmajor" -eq 4 -a "$kminor" -le 10; then
|
||||
:;
|
||||
elif test "$kmajor" -eq 3 -a "$kminor" -ge 7; then
|
||||
:;
|
||||
else
|
||||
echo "WARNING: That kernel version is not officially supported.";
|
||||
fi;
|
||||
|
||||
@@ -1,20 +1,9 @@
|
||||
|
||||
HEAD
|
||||
====
|
||||
|
||||
|
||||
v3.1 (2018-08-14)
|
||||
=================
|
||||
v2.15 (2021-02-05)
|
||||
==================
|
||||
Enhancements:
|
||||
- support for Linux 4.17, 4.18
|
||||
|
||||
|
||||
v3.0 (2018-02-12)
|
||||
=================
|
||||
Enhancements:
|
||||
- support for Linux 4.15, 4.16
|
||||
Changes:
|
||||
- remove support for Linux 3.7--4.14
|
||||
- support for Linux up to 4.15
|
||||
- xt_lscan: add --mirai option
|
||||
|
||||
|
||||
v2.14 (2017-11-22)
|
||||
@@ -141,5 +130,5 @@ Changes:
|
||||
Enhancements:
|
||||
- Support for Linux 3.7
|
||||
|
||||
If you want to use Xtables-addons with kernels older than 4.15,
|
||||
use the addons 2.x series.
|
||||
If you want to use Xtables-addons with kernels older than 3.7,
|
||||
use the addons 1.x series (maintained but without new features).
|
||||
|
||||
@@ -482,7 +482,16 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
|
||||
static unsigned int
|
||||
ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
{
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
struct ipt_acc_net *ian = net_generic(par->state->net, ipt_acc_net_id);
|
||||
#else
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,4,0)
|
||||
struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
|
||||
#else
|
||||
struct net *net = dev_net(par->in ? par->in : par->out);
|
||||
struct ipt_acc_net *ian = net_generic(net, ipt_acc_net_id);
|
||||
#endif
|
||||
#endif
|
||||
struct ipt_acc_table *ipt_acc_tables = ian->ipt_acc_tables;
|
||||
const struct ipt_acc_info *info =
|
||||
par->targinfo;
|
||||
|
||||
@@ -8,8 +8,12 @@
|
||||
|
||||
#define DEBUGP Use__pr_debug__instead
|
||||
|
||||
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0)
|
||||
# warning Kernels below 4.15 not supported.
|
||||
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
|
||||
# warning Kernels below 3.7 not supported.
|
||||
#endif
|
||||
|
||||
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
|
||||
# define prandom_u32() random32()
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
||||
@@ -42,9 +46,51 @@
|
||||
# define NIPQUAD_FMT "%hhu.%hhu.%hhu.%hhu"
|
||||
#endif
|
||||
|
||||
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0)
|
||||
static inline struct inode *file_inode(struct file *f)
|
||||
{
|
||||
return f->f_path.dentry->d_inode;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0)
|
||||
static inline void proc_set_user(struct proc_dir_entry *de,
|
||||
typeof(de->uid) uid, typeof(de->gid) gid)
|
||||
{
|
||||
de->uid = uid;
|
||||
de->gid = gid;
|
||||
}
|
||||
|
||||
static inline void *PDE_DATA(struct inode *inode)
|
||||
{
|
||||
return PDE(inode)->data;
|
||||
}
|
||||
|
||||
static inline void proc_remove(struct proc_dir_entry *de)
|
||||
{
|
||||
if (de != NULL)
|
||||
remove_proc_entry(de->name, de->parent);
|
||||
}
|
||||
#endif
|
||||
|
||||
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 0)
|
||||
# define ip6_local_out(xnet, xsk, xskb) ip6_local_out(xskb)
|
||||
# define ip6_route_me_harder(xnet, xskb) ip6_route_me_harder(xskb)
|
||||
# define ip_local_out(xnet, xsk, xskb) ip_local_out(xskb)
|
||||
# define ip_route_me_harder(xnet, xskb, xaddrtype) ip_route_me_harder((xskb), (xaddrtype))
|
||||
#endif
|
||||
|
||||
static inline struct net *par_net(const struct xt_action_param *par)
|
||||
{
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
|
||||
return par->state->net;
|
||||
#else
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
|
||||
return par->net;
|
||||
#else
|
||||
return dev_net((par->in != NULL) ? par->in : par->out);
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifndef NF_CT_ASSERT
|
||||
|
||||
@@ -49,38 +49,6 @@ static struct option geoip_opts[] = {
|
||||
{NULL},
|
||||
};
|
||||
|
||||
#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
static void geoip_swap_le16(uint16_t *buf)
|
||||
{
|
||||
unsigned char *p = (void *)buf;
|
||||
uint16_t n= p[0] + (p[1] << 8);
|
||||
p[0] = (n >> 8) & 0xff;
|
||||
p[1] = n & 0xff;
|
||||
}
|
||||
|
||||
static void geoip_swap_in6(struct in6_addr *in6)
|
||||
{
|
||||
geoip_swap_le16(&in6->s6_addr16[0]);
|
||||
geoip_swap_le16(&in6->s6_addr16[1]);
|
||||
geoip_swap_le16(&in6->s6_addr16[2]);
|
||||
geoip_swap_le16(&in6->s6_addr16[3]);
|
||||
geoip_swap_le16(&in6->s6_addr16[4]);
|
||||
geoip_swap_le16(&in6->s6_addr16[5]);
|
||||
geoip_swap_le16(&in6->s6_addr16[6]);
|
||||
geoip_swap_le16(&in6->s6_addr16[7]);
|
||||
}
|
||||
|
||||
static void geoip_swap_le32(uint32_t *buf)
|
||||
{
|
||||
unsigned char *p = (void *)buf;
|
||||
uint32_t n = p[0] + (p[1] << 8) + (p[2] << 16) + (p[3] << 24);
|
||||
p[0] = (n >> 24) & 0xff;
|
||||
p[1] = (n >> 16) & 0xff;
|
||||
p[2] = (n >> 8) & 0xff;
|
||||
p[3] = n & 0xff;
|
||||
}
|
||||
#endif
|
||||
|
||||
static void *
|
||||
geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
|
||||
{
|
||||
@@ -88,15 +56,21 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
|
||||
struct stat sb;
|
||||
char buf[256];
|
||||
int fd;
|
||||
#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
unsigned int n;
|
||||
#endif
|
||||
|
||||
/* Use simple integer vector files */
|
||||
if (nfproto == NFPROTO_IPV6)
|
||||
snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/%s.iv6", code);
|
||||
else
|
||||
snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/%s.iv4", code);
|
||||
if (nfproto == NFPROTO_IPV6) {
|
||||
#if __BYTE_ORDER == _BIG_ENDIAN
|
||||
snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/BE/%s.iv6", code);
|
||||
#else
|
||||
snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/LE/%s.iv6", code);
|
||||
#endif
|
||||
} else {
|
||||
#if __BYTE_ORDER == _BIG_ENDIAN
|
||||
snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/BE/%s.iv4", code);
|
||||
#else
|
||||
snprintf(buf, sizeof(buf), GEOIP_DB_DIR "/LE/%s.iv4", code);
|
||||
#endif
|
||||
}
|
||||
|
||||
if ((fd = open(buf, O_RDONLY)) < 0) {
|
||||
fprintf(stderr, "Could not open %s: %s\n", buf, strerror(errno));
|
||||
@@ -124,25 +98,6 @@ geoip_get_subnets(const char *code, uint32_t *count, uint8_t nfproto)
|
||||
xtables_error(OTHER_PROBLEM, "geoip: insufficient memory");
|
||||
read(fd, subnets, sb.st_size);
|
||||
close(fd);
|
||||
|
||||
#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
for (n = 0; n < *count; ++n) {
|
||||
switch (nfproto) {
|
||||
case NFPROTO_IPV6: {
|
||||
struct geoip_subnet6 *gs6 = &(((struct geoip_subnet6 *)subnets)[n]);
|
||||
geoip_swap_in6(&gs6->begin);
|
||||
geoip_swap_in6(&gs6->end);
|
||||
break;
|
||||
}
|
||||
case NFPROTO_IPV4: {
|
||||
struct geoip_subnet4 *gs4 = &(((struct geoip_subnet4 *)subnets)[n]);
|
||||
geoip_swap_le32(&gs4->begin);
|
||||
geoip_swap_le32(&gs4->end);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
return subnets;
|
||||
}
|
||||
|
||||
|
||||
@@ -24,6 +24,7 @@ static const struct option lscan_mt_opts[] = {
|
||||
{.name = "synscan", .has_arg = false, .val = 's'},
|
||||
{.name = "cnscan", .has_arg = false, .val = 'c'},
|
||||
{.name = "grscan", .has_arg = false, .val = 'g'},
|
||||
{.name = "mirai", .has_arg = false, .val = 'm'},
|
||||
{NULL},
|
||||
};
|
||||
|
||||
@@ -35,7 +36,8 @@ static void lscan_mt_help(void)
|
||||
" --stealth Match TCP Stealth packets\n"
|
||||
" --synscan Match TCP SYN scans\n"
|
||||
" --cnscan Match TCP Connect scans\n"
|
||||
" --grscan Match Banner Grabbing scans\n");
|
||||
" --grscan Match Banner Grabbing scans\n"
|
||||
" --mirai Match TCP scan with ISN = dest. IP\n");
|
||||
}
|
||||
|
||||
static int lscan_mt_parse(int c, char **argv, int invert,
|
||||
@@ -45,16 +47,19 @@ static int lscan_mt_parse(int c, char **argv, int invert,
|
||||
|
||||
switch (c) {
|
||||
case 'c':
|
||||
info->match_cn = true;
|
||||
info->match_fl3 |= LSCAN_FL3_CN;
|
||||
return true;
|
||||
case 'g':
|
||||
info->match_gr = true;
|
||||
info->match_fl4 |= LSCAN_FL4_GR;
|
||||
return true;
|
||||
case 'm':
|
||||
info->match_fl1 |= LSCAN_FL1_MIRAI;
|
||||
return true;
|
||||
case 's':
|
||||
info->match_syn = true;
|
||||
info->match_fl2 |= LSCAN_FL2_SYN;
|
||||
return true;
|
||||
case 'x':
|
||||
info->match_stealth = true;
|
||||
info->match_fl1 |= LSCAN_FL1_STEALTH;
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
@@ -68,14 +73,16 @@ static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
|
||||
{
|
||||
const struct xt_lscan_mtinfo *info = (const void *)(match->data);
|
||||
|
||||
if (info->match_stealth)
|
||||
if (info->match_fl1 & LSCAN_FL1_STEALTH)
|
||||
printf(" --stealth ");
|
||||
if (info->match_syn)
|
||||
if (info->match_fl2 & LSCAN_FL2_SYN)
|
||||
printf(" --synscan ");
|
||||
if (info->match_cn)
|
||||
if (info->match_fl3 & LSCAN_FL3_CN)
|
||||
printf(" --cnscan ");
|
||||
if (info->match_gr)
|
||||
if (info->match_fl4 & LSCAN_FL4_GR)
|
||||
printf(" --grscan ");
|
||||
if (info->match_fl1 & LSCAN_FL1_MIRAI)
|
||||
printf(" --mirai ");
|
||||
}
|
||||
|
||||
static void lscan_mt_print(const void *ip,
|
||||
|
||||
@@ -27,6 +27,11 @@ warranted single-direction data flows, usually bulk data transfers such as
|
||||
FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on
|
||||
ports where a protocol runs that is guaranteed to do a bidirectional exchange
|
||||
of bytes.
|
||||
.TP
|
||||
\fB\-\-mirai\fP
|
||||
Match if the TCP ISN is equal to the IPv4 destination address; this is used
|
||||
by the devices in the Mirai botnet as a form of TCP SYN scan, so you will
|
||||
have to explicitly specify --syn for the rule.
|
||||
.PP
|
||||
NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
|
||||
so be advised to carefully use xt_lscan in conjunction with blocking rules,
|
||||
|
||||
@@ -357,10 +357,18 @@ has_logged_during_this_minute(const struct peer *peer)
|
||||
*
|
||||
* @r: rule
|
||||
*/
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
|
||||
static void peer_gc(struct timer_list *tl)
|
||||
#else
|
||||
static void peer_gc(unsigned long r)
|
||||
#endif
|
||||
{
|
||||
unsigned int i;
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
|
||||
struct xt_pknock_rule *rule = from_timer(rule, tl, timer);
|
||||
#else
|
||||
struct xt_pknock_rule *rule = (struct xt_pknock_rule *)r;
|
||||
#endif
|
||||
struct peer *peer;
|
||||
struct list_head *pos, *n;
|
||||
|
||||
@@ -467,7 +475,15 @@ add_rule(struct xt_pknock_mtinfo *info)
|
||||
rule->peer_head = alloc_hashtable(peer_hashsize);
|
||||
if (rule->peer_head == NULL)
|
||||
goto out;
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
|
||||
timer_setup(&rule->timer, peer_gc, 0);
|
||||
#else
|
||||
init_timer(&rule->timer);
|
||||
rule->timer.function = peer_gc;
|
||||
rule->timer.data = (unsigned long)rule;
|
||||
#endif
|
||||
|
||||
rule->status_proc = proc_create_data(info->rule_name, 0, pde,
|
||||
&pknock_proc_ops, rule);
|
||||
if (rule->status_proc == NULL)
|
||||
@@ -694,7 +710,13 @@ msg_to_userspace_nl(const struct xt_pknock_mtinfo *info,
|
||||
scnprintf(msg.rule_name, info->rule_name_len + 1, info->rule_name);
|
||||
|
||||
memcpy(m + 1, &msg, m->len);
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 15, 0)
|
||||
cn_netlink_send(m, 0, multicast_group, GFP_ATOMIC);
|
||||
#else
|
||||
cn_netlink_send(m, multicast_group, GFP_ATOMIC);
|
||||
#endif
|
||||
|
||||
kfree(m);
|
||||
#endif
|
||||
return true;
|
||||
|
||||
@@ -58,7 +58,12 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
|
||||
{
|
||||
struct xt_action_param local_par;
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
local_par.state = par->state;
|
||||
#else
|
||||
local_par.in = par->in,
|
||||
local_par.out = par->out,
|
||||
#endif
|
||||
local_par.match = xm_tcp;
|
||||
local_par.matchinfo = &tcp_params;
|
||||
local_par.fragoff = fragoff;
|
||||
@@ -73,7 +78,14 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
|
||||
{
|
||||
struct xt_action_param local_par;
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
local_par.state = par->state;
|
||||
#else
|
||||
local_par.in = par->in;
|
||||
local_par.out = par->out;
|
||||
local_par.hooknum = par->hooknum;
|
||||
local_par.family = par->family;
|
||||
#endif
|
||||
local_par.target = destiny;
|
||||
local_par.targinfo = par->targinfo;
|
||||
destiny->target(skb, &local_par);
|
||||
@@ -96,15 +108,27 @@ chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
|
||||
if ((unsigned int)prandom_u32() <= reject_percentage) {
|
||||
struct xt_action_param local_par;
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
local_par.state = par->state;
|
||||
#else
|
||||
local_par.in = par->in;
|
||||
local_par.out = par->out;
|
||||
local_par.hooknum = par->hooknum;
|
||||
#endif
|
||||
local_par.target = xt_reject;
|
||||
local_par.targinfo = &reject_params;
|
||||
return xt_reject->target(skb, &local_par);
|
||||
}
|
||||
|
||||
/* TARPIT/DELUDE may not be called from the OUTPUT chain */
|
||||
if (iph->protocol == IPPROTO_TCP && info->variant != XTCHAOS_NORMAL &&
|
||||
par->state->hook != NF_INET_LOCAL_OUT)
|
||||
if (iph->protocol == IPPROTO_TCP &&
|
||||
info->variant != XTCHAOS_NORMAL &&
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
par->state->hook
|
||||
#else
|
||||
par->hooknum
|
||||
#endif
|
||||
!= NF_INET_LOCAL_OUT)
|
||||
xt_chaos_total(skb, par);
|
||||
|
||||
return NF_DROP;
|
||||
|
||||
@@ -107,8 +107,13 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
|
||||
|
||||
addr_type = RTN_UNSPEC;
|
||||
#ifdef CONFIG_BRIDGE_NETFILTER
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
|
||||
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
|
||||
nskb->nf_bridge->physoutdev))
|
||||
#else
|
||||
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
|
||||
nskb->nf_bridge->mask & BRNF_BRIDGED))
|
||||
#endif
|
||||
#else
|
||||
if (hook != NF_INET_FORWARD)
|
||||
#endif
|
||||
@@ -146,7 +151,13 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
* a problem, as that is supported since Linux 2.6.35. But since we do not
|
||||
* actually want to have a connection open, we are still going to drop it.
|
||||
*/
|
||||
delude_send_reset(par_net(par), skb, par->state->hook);
|
||||
delude_send_reset(par_net(par), skb,
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
par->state->hook
|
||||
#else
|
||||
par->hooknum
|
||||
#endif
|
||||
);
|
||||
return NF_DROP;
|
||||
}
|
||||
|
||||
|
||||
@@ -356,22 +356,26 @@ out:
|
||||
static unsigned int
|
||||
dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
{
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
struct net *net = dev_net(par->state->in ? par->state->in : par->state->out);
|
||||
#else
|
||||
struct net *net = dev_net(par->in ? par->in : par->out);
|
||||
#endif
|
||||
struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
|
||||
struct nf_conn *ct;
|
||||
enum ip_conntrack_info ctinfo;
|
||||
__be32 prenat_ip, postnat_ip, prenat_ip_prev;
|
||||
const struct xt_DNETMAP_tginfo *tginfo = par->targinfo;
|
||||
const struct nf_nat_range *mr = &tginfo->prefix;
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 18, 0)
|
||||
struct nf_nat_range2 newrange;
|
||||
#else
|
||||
struct nf_nat_range newrange;
|
||||
#endif
|
||||
struct dnetmap_entry *e;
|
||||
struct dnetmap_prefix *p;
|
||||
__s32 jttl;
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
unsigned int hooknum = par->state->hook;
|
||||
#else
|
||||
unsigned int hooknum = par->hooknum;
|
||||
#endif
|
||||
ct = nf_ct_get(skb, &ctinfo);
|
||||
|
||||
jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
|
||||
@@ -496,7 +500,12 @@ bind_new_prefix:
|
||||
newrange.max_addr.ip = postnat_ip;
|
||||
newrange.min_proto = mr->min_proto;
|
||||
newrange.max_proto = mr->max_proto;
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->state->hook));
|
||||
#else
|
||||
return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
|
||||
#endif
|
||||
|
||||
no_rev_map:
|
||||
no_free_ip:
|
||||
spin_unlock_bh(&dnetmap_lock);
|
||||
|
||||
@@ -35,7 +35,11 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
|
||||
void *payload;
|
||||
struct flowi6 fl;
|
||||
struct dst_entry *dst = NULL;
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
struct net *net = dev_net((par->state->in != NULL) ? par->state->in : par->state->out);
|
||||
#else
|
||||
struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
|
||||
#endif
|
||||
|
||||
/* This allows us to do the copy operation in fewer lines of code. */
|
||||
if (skb_linearize(oldskb) < 0)
|
||||
|
||||
@@ -64,7 +64,12 @@ static void logmark_ct(const struct nf_conn *ct, enum ip_conntrack_info ctinfo)
|
||||
printk("%s""CONFIRMED", prev ? "," : "");
|
||||
prev = true;
|
||||
}
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,9,0)
|
||||
printk(" lifetime=%lus", nf_ct_expires(ct) / HZ);
|
||||
#else
|
||||
printk(" lifetime=%lus",
|
||||
(jiffies - ct->timeout.expires) / HZ);
|
||||
#endif
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
@@ -77,13 +82,21 @@ logmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
|
||||
"secmark=0x%x classify=0x%x",
|
||||
info->level, (unsigned int)sizeof(info->prefix), info->prefix,
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
skb_ifindex(skb), hook_names[par->state->hook],
|
||||
#else
|
||||
skb_ifindex(skb), hook_names[par->hooknum],
|
||||
#endif
|
||||
skb_nfmark(skb), skb_secmark(skb), skb->priority);
|
||||
|
||||
ct = nf_ct_get(skb, &ctinfo);
|
||||
printk(" ctdir=%s", dir_names[ctinfo >= IP_CT_IS_REPLY]);
|
||||
if (ct == NULL)
|
||||
printk(" ct=NULL ctmark=NULL ctstate=INVALID ctstatus=NONE");
|
||||
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 12, 0)
|
||||
else if (nf_ct_is_untracked(ct))
|
||||
printk(" ct=UNTRACKED ctmark=NULL ctstate=UNTRACKED ctstatus=NONE");
|
||||
#endif
|
||||
else
|
||||
logmark_ct(ct, ctinfo);
|
||||
|
||||
|
||||
@@ -249,8 +249,13 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
|
||||
niph->id = ~oldhdr->id + 1;
|
||||
|
||||
#ifdef CONFIG_BRIDGE_NETFILTER
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
|
||||
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
|
||||
nskb->nf_bridge->physoutdev != NULL))
|
||||
#else
|
||||
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
|
||||
nskb->nf_bridge->mask & BRNF_BRIDGED))
|
||||
#endif
|
||||
#else
|
||||
if (hook != NF_INET_FORWARD)
|
||||
#endif
|
||||
@@ -278,8 +283,17 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
|
||||
goto free_nskb;
|
||||
|
||||
nf_ct_attach(nskb, oldskb);
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
|
||||
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
|
||||
skb_dst(nskb)->dev, dst_output);
|
||||
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
|
||||
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb->sk, nskb, NULL,
|
||||
skb_dst(nskb)->dev, dst_output_sk);
|
||||
#else
|
||||
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
|
||||
skb_dst(nskb)->dev, dst_output);
|
||||
#endif
|
||||
return;
|
||||
|
||||
free_nskb:
|
||||
@@ -392,8 +406,17 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
|
||||
nskb->ip_summed = CHECKSUM_NONE;
|
||||
|
||||
nf_ct_attach(nskb, oldskb);
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
|
||||
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, nskb->sk, nskb, NULL,
|
||||
skb_dst(nskb)->dev, dst_output);
|
||||
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
|
||||
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb->sk, nskb, NULL,
|
||||
skb_dst(nskb)->dev, dst_output_sk);
|
||||
#else
|
||||
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
|
||||
skb_dst(nskb)->dev, dst_output);
|
||||
#endif
|
||||
return;
|
||||
|
||||
free_nskb:
|
||||
@@ -431,7 +454,12 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
/* We are not interested in fragments */
|
||||
if (iph->frag_off & htons(IP_OFFSET))
|
||||
return NF_DROP;
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
|
||||
#else
|
||||
tarpit_tcp4(par_net(par), skb, par->hooknum, info->variant);
|
||||
#endif
|
||||
return NF_DROP;
|
||||
}
|
||||
|
||||
@@ -472,7 +500,12 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
pr_debug("addr is not unicast.\n");
|
||||
return NF_DROP;
|
||||
}
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
|
||||
#else
|
||||
tarpit_tcp6(par_net(par), skb, par->hooknum, info->variant);
|
||||
#endif
|
||||
return NF_DROP;
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -45,9 +45,17 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
|
||||
const struct xt_action_param *par, struct net_device **put)
|
||||
{
|
||||
if (info->flags & XT_IFACE_DEV_IN)
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
return par->state->in;
|
||||
#else
|
||||
return par->in;
|
||||
#endif
|
||||
else if (info->flags & XT_IFACE_DEV_OUT)
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
return par->state->out;
|
||||
#else
|
||||
return par->out;
|
||||
#endif
|
||||
return *put = dev_get_by_name(&init_net, info->ifname);
|
||||
}
|
||||
|
||||
|
||||
@@ -175,6 +175,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
{
|
||||
const struct xt_lscan_mtinfo *info = par->matchinfo;
|
||||
enum ip_conntrack_info ctstate;
|
||||
const struct iphdr *iph = ip_hdr(skb);
|
||||
const struct tcphdr *tcph;
|
||||
struct nf_conn *ctdata;
|
||||
struct tcphdr tcph_buf;
|
||||
@@ -182,10 +183,13 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
tcph = skb_header_pointer(skb, par->thoff, sizeof(tcph_buf), &tcph_buf);
|
||||
if (tcph == NULL)
|
||||
return false;
|
||||
if (info->match_fl1 & LSCAN_FL1_MIRAI && iph != NULL &&
|
||||
iph->version == 4 && iph->daddr == tcph->seq)
|
||||
return true;
|
||||
|
||||
/* Check for invalid packets: -m conntrack --ctstate INVALID */
|
||||
if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
|
||||
if (info->match_stealth)
|
||||
if (info->match_fl1 & LSCAN_FL1_STEALTH)
|
||||
return lscan_mt_stealth(tcph);
|
||||
/*
|
||||
* If @ctdata is NULL, we cannot match the other scan
|
||||
@@ -204,24 +208,30 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
unsigned int n;
|
||||
|
||||
n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
|
||||
par->state->in == init_net.loopback_dev, tcph,
|
||||
#else
|
||||
par->in == init_net.loopback_dev, tcph,
|
||||
#endif
|
||||
skb->len - par->thoff - 4 * tcph->doff);
|
||||
|
||||
ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
|
||||
skb_nfmark(skb) = (skb_nfmark(skb) & ~packet_mask) ^ mark_seen;
|
||||
}
|
||||
|
||||
return (info->match_syn && ctdata->mark == mark_synscan) ||
|
||||
(info->match_cn && ctdata->mark == mark_cnscan) ||
|
||||
(info->match_gr && ctdata->mark == mark_grscan);
|
||||
return (info->match_fl1 & LSCAN_FL1_STEALTH && ctdata->mark == mark_synscan) ||
|
||||
(info->match_fl3 & LSCAN_FL3_CN && ctdata->mark == mark_cnscan) ||
|
||||
(info->match_fl4 & LSCAN_FL4_GR && ctdata->mark == mark_grscan);
|
||||
}
|
||||
|
||||
static int lscan_mt_check(const struct xt_mtchk_param *par)
|
||||
{
|
||||
const struct xt_lscan_mtinfo *info = par->matchinfo;
|
||||
|
||||
if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
|
||||
(info->match_cn & ~1) || (info->match_gr & ~1)) {
|
||||
if ((info->match_fl1 & ~(LSCAN_FL1_STEALTH | LSCAN_FL1_MIRAI)) ||
|
||||
(info->match_fl2 & ~LSCAN_FL2_SYN) ||
|
||||
(info->match_fl3 & ~LSCAN_FL3_CN) ||
|
||||
(info->match_fl4 & ~LSCAN_FL4_GR)) {
|
||||
printk(KERN_WARNING PFX "Invalid flags\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
@@ -1,8 +1,16 @@
|
||||
#ifndef _LINUX_NETFILTER_XT_LSCAN_H
|
||||
#define _LINUX_NETFILTER_XT_LSCAN_H 1
|
||||
|
||||
enum {
|
||||
LSCAN_FL1_STEALTH = 1 << 0,
|
||||
LSCAN_FL1_MIRAI = 1 << 1,
|
||||
LSCAN_FL2_SYN = 1 << 0,
|
||||
LSCAN_FL3_CN = 1 << 0,
|
||||
LSCAN_FL4_GR = 1 << 0,
|
||||
};
|
||||
|
||||
struct xt_lscan_mtinfo {
|
||||
uint8_t match_stealth, match_syn, match_cn, match_gr;
|
||||
uint8_t match_fl1, match_fl2, match_fl3, match_fl4;
|
||||
};
|
||||
|
||||
#endif /* _LINUX_NETFILTER_XT_LSCAN_H */
|
||||
|
||||
@@ -1,234 +1,86 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Converter for MaxMind CSV database to binary, for xt_geoip
|
||||
# Copyright Jan Engelhardt, 2008-2011
|
||||
# Copyright Philip Prindeville, 2018
|
||||
# Copyright © Jan Engelhardt, 2008-2011
|
||||
#
|
||||
use Getopt::Long;
|
||||
use Net::CIDR::Lite;
|
||||
use Socket qw(AF_INET AF_INET6 inet_pton);
|
||||
use warnings;
|
||||
use IO::Handle;
|
||||
use Text::CSV_XS; # or trade for Text::CSV
|
||||
use strict;
|
||||
|
||||
my $le32 = pack("V", 0x10000000);
|
||||
my $be32 = pack("N", 0x10000000);
|
||||
my $u32 = undef;
|
||||
|
||||
sub wantBE { return !$u32 || $u32 eq $be32; }
|
||||
sub wantLE { return !$u32 || $u32 eq $le32; }
|
||||
|
||||
my $csv = Text::CSV_XS->new({
|
||||
allow_whitespace => 1,
|
||||
binary => 1,
|
||||
eol => $/,
|
||||
}); # or Text::CSV
|
||||
my $target_dir = ".";
|
||||
my $native_only = 0;
|
||||
|
||||
&Getopt::Long::Configure(qw(bundling));
|
||||
&GetOptions(
|
||||
"D=s" => \$target_dir,
|
||||
"n" => \$native_only,
|
||||
);
|
||||
|
||||
if (!-d $target_dir) {
|
||||
print STDERR "Target directory $target_dir does not exist.\n";
|
||||
exit 1;
|
||||
}
|
||||
my @dbs = qw(LE BE);
|
||||
if ($native_only) {
|
||||
$u32 = pack("L", 0x10000000);
|
||||
if ($u32 eq $le32) {
|
||||
@dbs = qw(LE);
|
||||
} elsif ($u32 eq $be32) {
|
||||
@dbs = qw(BE);
|
||||
} else {
|
||||
print STDERRR "Cannot determine endianness.\n";
|
||||
exit 1;
|
||||
}
|
||||
}
|
||||
|
||||
my %countryId;
|
||||
my %countryName;
|
||||
|
||||
my $dir = findVersion();
|
||||
|
||||
&loadCountries();
|
||||
foreach (@dbs) {
|
||||
my $dir = "$target_dir/$_";
|
||||
if (!-e $dir && !mkdir($dir)) {
|
||||
print STDERR "Could not mkdir $dir: $!\n";
|
||||
exit 1;
|
||||
}
|
||||
}
|
||||
|
||||
&dump(&collect());
|
||||
|
||||
sub findVersion
|
||||
{
|
||||
my @dirs = ();
|
||||
|
||||
opendir(my $dh, '.') || die "Can't open .: $!\n";
|
||||
|
||||
while (readdir $dh) {
|
||||
if ($_ =~ m/^GeoLite2-Country-CSV_\d{8}$/) {
|
||||
push(@dirs, $_);
|
||||
}
|
||||
}
|
||||
closedir $dh;
|
||||
|
||||
@dirs = sort @dirs;
|
||||
return pop(@dirs);
|
||||
}
|
||||
|
||||
sub loadCountries
|
||||
{
|
||||
my $file = "$dir/GeoLite2-Country-Locations-en.csv";
|
||||
|
||||
sub id; sub cc; sub long; sub ct; sub cn;
|
||||
|
||||
%countryId = ();
|
||||
%countryName = ();
|
||||
|
||||
open(my $fh, '<', $file) || die "Couldn't open list country names\n";
|
||||
|
||||
# first line is headers
|
||||
my $row = $csv->getline($fh);
|
||||
|
||||
my %header = map { ($row->[$_], $_); } (0..$#{$row});
|
||||
|
||||
my %pairs = (
|
||||
country_iso_code => 'ISO Country Code',
|
||||
geoname_id => 'ID',
|
||||
country_name => 'Country Name',
|
||||
continent_code => 'Continent Code',
|
||||
continent_name => 'Continent Name',
|
||||
);
|
||||
|
||||
# verify that the columns we need are present
|
||||
map { die "Table has no $pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
|
||||
|
||||
my %remapping = (
|
||||
id => 'geoname_id',
|
||||
cc => 'country_iso_code',
|
||||
long => 'country_name',
|
||||
ct => 'continent_code',
|
||||
cn => 'continent_name',
|
||||
);
|
||||
|
||||
# now create a function which returns the value of that column #
|
||||
map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
|
||||
|
||||
while (my $row = $csv->getline($fh)) {
|
||||
if ($row->[cc] eq '' && $row->[long] eq '') {
|
||||
$countryId{$row->[id]} = $row->[ct];
|
||||
$countryName{$row->[ct]} = $row->[cn];
|
||||
} else {
|
||||
$countryId{$row->[id]} = $row->[cc];
|
||||
$countryName{$row->[cc]} = $row->[long];
|
||||
}
|
||||
}
|
||||
|
||||
$countryName{A1} = 'Anonymous Proxy';
|
||||
$countryName{A2} = 'Satellite Provider';
|
||||
$countryName{O1} = 'Other Country';
|
||||
|
||||
close($fh);
|
||||
|
||||
# clean up the namespace
|
||||
undef &id; undef &cc; undef &long; undef &ct; undef &cn;
|
||||
}
|
||||
|
||||
sub lookupCountry
|
||||
{
|
||||
my ($id, $rid, $proxy, $sat) = @_;
|
||||
|
||||
if ($proxy) {
|
||||
return 'A1';
|
||||
} elsif ($sat) {
|
||||
return 'A2';
|
||||
}
|
||||
$id ||= $rid;
|
||||
if ($id eq '') {
|
||||
return 'O1';
|
||||
}
|
||||
die "Unknown id: $id line $.\n" unless (exists $countryId{$id});
|
||||
return $countryId{$id};
|
||||
}
|
||||
|
||||
sub collect
|
||||
{
|
||||
my ($file, $fh, $row);
|
||||
my (%country, %header);
|
||||
my %country;
|
||||
|
||||
sub net; sub id; sub rid; sub proxy; sub sat;
|
||||
|
||||
my %pairs = (
|
||||
network => 'Network',
|
||||
registered_country_geoname_id => 'Registered Country ID',
|
||||
geoname_id => 'Country ID',
|
||||
is_anonymous_proxy => 'Anonymous Proxy',
|
||||
is_satellite_provider => 'Satellite',
|
||||
);
|
||||
|
||||
foreach (sort keys %countryName) {
|
||||
$country{$_} = {
|
||||
name => $countryName{$_},
|
||||
pool_v4 => Net::CIDR::Lite->new(),
|
||||
pool_v6 => Net::CIDR::Lite->new(),
|
||||
while (my $row = $csv->getline(*ARGV)) {
|
||||
if (!defined($country{$row->[4]})) {
|
||||
$country{$row->[4]} = {
|
||||
name => $row->[5],
|
||||
pool_v4 => [],
|
||||
pool_v6 => [],
|
||||
};
|
||||
}
|
||||
|
||||
$file = "$dir/GeoLite2-Country-Blocks-IPv4.csv";
|
||||
|
||||
open($fh, '<', $file) || die "Can't open IPv4 database\n";
|
||||
|
||||
# first line is headers
|
||||
$row = $csv->getline($fh);
|
||||
|
||||
%header = map { ($row->[$_], $_); } (0..$#{$row});
|
||||
|
||||
# verify that the columns we need are present
|
||||
map { die "Table has no %pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
|
||||
|
||||
my %remapping = (
|
||||
net => 'network',
|
||||
id => 'geoname_id',
|
||||
rid => 'registered_country_geoname_id',
|
||||
proxy => 'is_anonymous_proxy',
|
||||
sat => 'is_satellite_provider',
|
||||
);
|
||||
|
||||
# now create a function which returns the value of that column #
|
||||
map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
|
||||
|
||||
while ($row = $csv->getline($fh)) {
|
||||
my ($cc, $cidr);
|
||||
|
||||
$cc = lookupCountry($row->[id], $row->[rid], $row->[proxy], $row->[sat]);
|
||||
$cidr = $row->[net];
|
||||
$country{$cc}->{pool_v4}->add($cidr);
|
||||
|
||||
my $c = $country{$row->[4]};
|
||||
if ($row->[0] =~ /:/) {
|
||||
push(@{$c->{pool_v6}},
|
||||
[&ip6_pack($row->[0]), &ip6_pack($row->[1])]);
|
||||
} else {
|
||||
push(@{$c->{pool_v4}}, [$row->[2], $row->[3]]);
|
||||
}
|
||||
if ($. % 4096 == 0) {
|
||||
print STDERR "\r\e[2K$. entries";
|
||||
}
|
||||
}
|
||||
|
||||
print STDERR "\r\e[2K$. entries total\n";
|
||||
|
||||
close($fh);
|
||||
|
||||
# clean up the namespace
|
||||
undef &net; undef &id; undef &rid; undef &proxy; undef &sat;
|
||||
|
||||
$file = "$dir/GeoLite2-Country-Blocks-IPv6.csv";
|
||||
|
||||
open($fh, '<', $file) || die "Can't open IPv6 database\n";
|
||||
|
||||
# first line is headers
|
||||
$row = $csv->getline($fh);
|
||||
|
||||
%header = map { ($row->[$_], $_); } (0..$#{$row});
|
||||
|
||||
# verify that the columns we need are present
|
||||
map { die "Table has no %pairs{$_} column\n" unless (exists $header{$_}); } keys %pairs;
|
||||
|
||||
# unlikely the IPv6 table has different columns, but just to be sure
|
||||
# create a function which returns the value of that column #
|
||||
map { eval "sub $_ () { \$header{\$remapping{$_}}; }" ; } keys %remapping;
|
||||
|
||||
while ($row = $csv->getline($fh)) {
|
||||
my ($cc, $cidr);
|
||||
|
||||
$cc = lookupCountry($row->[id], $row->[rid], $row->[proxy], $row->[sat]);
|
||||
$cidr = $row->[net];
|
||||
$country{$cc}->{pool_v6}->add($cidr);
|
||||
|
||||
if ($. % 4096 == 0) {
|
||||
print STDERR "\r\e[2K$. entries";
|
||||
}
|
||||
}
|
||||
|
||||
print STDERR "\r\e[2K$. entries total\n";
|
||||
|
||||
close($fh);
|
||||
|
||||
# clean up the namespace
|
||||
undef &net; undef &id; undef &rid; undef &proxy; undef &sat;
|
||||
|
||||
return \%country;
|
||||
}
|
||||
|
||||
@@ -236,7 +88,7 @@ sub dump
|
||||
{
|
||||
my $country = shift @_;
|
||||
|
||||
foreach my $iso_code (sort keys %{$country}) {
|
||||
foreach my $iso_code (sort keys %$country) {
|
||||
&dump_one($iso_code, $country->{$iso_code});
|
||||
}
|
||||
}
|
||||
@@ -244,41 +96,80 @@ sub dump
|
||||
sub dump_one
|
||||
{
|
||||
my($iso_code, $country) = @_;
|
||||
my @ranges;
|
||||
my($file, $fh_le, $fh_be);
|
||||
|
||||
@ranges = $country->{pool_v4}->list_range();
|
||||
printf "%5u IPv6 ranges for %s %s\n",
|
||||
scalar(@{$country->{pool_v6}}),
|
||||
$iso_code, $country->{name};
|
||||
|
||||
writeCountry($iso_code, $country->{name}, AF_INET, @ranges);
|
||||
|
||||
@ranges = $country->{pool_v6}->list_range();
|
||||
|
||||
writeCountry($iso_code, $country->{name}, AF_INET6, @ranges);
|
||||
}
|
||||
|
||||
sub writeCountry
|
||||
{
|
||||
my ($iso_code, $name, $family, @ranges) = @_;
|
||||
my $fh;
|
||||
|
||||
printf "%5u IPv%s ranges for %s %s\n",
|
||||
scalar(@ranges),
|
||||
($family == AF_INET ? '4' : '6'),
|
||||
$iso_code, $name;
|
||||
|
||||
my $file = "$target_dir/".uc($iso_code).".iv".($family == AF_INET ? '4' : '6');
|
||||
if (!open($fh, '>', $file)) {
|
||||
if (wantLE) {
|
||||
$file = "$target_dir/LE/".uc($iso_code).".iv6";
|
||||
if (!open($fh_le, "> $file")) {
|
||||
print STDERR "Error opening $file: $!\n";
|
||||
exit 1;
|
||||
}
|
||||
|
||||
binmode($fh);
|
||||
|
||||
foreach my $range (@ranges) {
|
||||
my ($start, $end) = split('-', $range);
|
||||
$start = inet_pton($family, $start);
|
||||
$end = inet_pton($family, $end);
|
||||
print $fh $start, $end;
|
||||
foreach my $range (@{$country->{pool_v6}}) {
|
||||
print $fh_le &ip6_swap($range->[0]), &ip6_swap($range->[1]);
|
||||
}
|
||||
close $fh_le;
|
||||
}
|
||||
if (wantBE) {
|
||||
$file = "$target_dir/BE/".uc($iso_code).".iv6";
|
||||
if (!open($fh_be, "> $file")) {
|
||||
print STDERR "Error opening $file: $!\n";
|
||||
exit 1;
|
||||
}
|
||||
foreach my $range (@{$country->{pool_v6}}) {
|
||||
print $fh_be $range->[0], $range->[1];
|
||||
}
|
||||
close $fh_be;
|
||||
}
|
||||
|
||||
printf "%5u IPv4 ranges for %s %s\n",
|
||||
scalar(@{$country->{pool_v4}}),
|
||||
$iso_code, $country->{name};
|
||||
|
||||
if (wantLE) {
|
||||
$file = "$target_dir/LE/".uc($iso_code).".iv4";
|
||||
if (!open($fh_le, "> $file")) {
|
||||
print STDERR "Error opening $file: $!\n";
|
||||
exit 1;
|
||||
}
|
||||
foreach my $range (@{$country->{pool_v4}}) {
|
||||
print $fh_le pack("VV", $range->[0], $range->[1]);
|
||||
}
|
||||
close $fh_le;
|
||||
}
|
||||
if (wantBE) {
|
||||
$file = "$target_dir/BE/".uc($iso_code).".iv4";
|
||||
if (!open($fh_be, "> $file")) {
|
||||
print STDERR "Error opening $file: $!\n";
|
||||
exit 1;
|
||||
}
|
||||
foreach my $range (@{$country->{pool_v4}}) {
|
||||
print $fh_be pack("NN", $range->[0], $range->[1]);
|
||||
}
|
||||
close $fh_be;
|
||||
}
|
||||
close $fh;
|
||||
}
|
||||
|
||||
sub ip6_pack
|
||||
{
|
||||
my $addr = shift @_;
|
||||
$addr =~ s{::}{:!:};
|
||||
my @addr = split(/:/, $addr);
|
||||
my @e = (0) x 8;
|
||||
foreach (@addr) {
|
||||
if ($_ eq "!") {
|
||||
$_ = join(':', @e[0..(8-scalar(@addr))]);
|
||||
}
|
||||
}
|
||||
@addr = split(/:/, join(':', @addr));
|
||||
$_ = hex($_) foreach @addr;
|
||||
return pack("n*", @addr);
|
||||
}
|
||||
|
||||
sub ip6_swap
|
||||
{
|
||||
return pack("V*", unpack("N*", shift @_));
|
||||
}
|
||||
|
||||
@@ -5,7 +5,7 @@ xt_geoip_build \(em convert GeoIP.csv to packed format for xt_geoip
|
||||
.SH Syntax
|
||||
.PP
|
||||
\fI/usr/libexec/xt_geoip/\fP\fBxt_geoip_build\fP [\fB\-D\fP
|
||||
\fItarget_dir\fP]
|
||||
\fItarget_dir\fP] [\fIfile\fP...]
|
||||
.SH Description
|
||||
.PP
|
||||
xt_geoip_build is used to build packed raw representations of the range
|
||||
@@ -16,12 +16,7 @@ required to be loaded into memory. The ranges in the packed database files are
|
||||
also ordered, as xt_geoip relies on this property for its bisection approach to
|
||||
work.
|
||||
.PP
|
||||
It expects to find a directory named
|
||||
.IR GeoLite2-Country-CSV_YYYYMMDD
|
||||
in the current directory, and will select the most recent if multiple
|
||||
instances are found. The
|
||||
.IR xt_geoip_dl
|
||||
script can be used to populate this directory.
|
||||
Input is processed from the listed files, or if none is given, from stdin.
|
||||
.PP
|
||||
Since the script is usually installed to the libexec directory of the
|
||||
xtables-addons package and this is outside $PATH (on purpose), invoking the
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
#!/bin/sh
|
||||
|
||||
rm -rf GeoLite2-Country-CSV_*
|
||||
|
||||
wget -q http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
|
||||
unzip -q GeoLite2-Country-CSV.zip
|
||||
rm -f GeoLite2-Country-CSV.zip
|
||||
rm -f GeoIPv6.csv GeoIPv6.csv.gz GeoIPCountryCSV.zip GeoIPCountryWhois.csv;
|
||||
wget \
|
||||
http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \
|
||||
http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip;
|
||||
gzip -d GeoIPv6.csv.gz;
|
||||
unzip GeoIPCountryCSV.zip;
|
||||
|
||||
@@ -1,93 +0,0 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Utility to query GeoIP database
|
||||
# Copyright Philip Prindeville, 2018
|
||||
#
|
||||
use Getopt::Long;
|
||||
use Socket qw(AF_INET AF_INET6 inet_ntop);
|
||||
use warnings;
|
||||
use strict;
|
||||
|
||||
sub AF_INET_SIZE() { 4 }
|
||||
sub AF_INET6_SIZE() { 16 }
|
||||
|
||||
my $target_dir = ".";
|
||||
my $ipv4 = 0;
|
||||
my $ipv6 = 0;
|
||||
|
||||
&Getopt::Long::Configure(qw(bundling));
|
||||
&GetOptions(
|
||||
"D=s" => \$target_dir,
|
||||
"4" => \$ipv4,
|
||||
"6" => \$ipv6,
|
||||
);
|
||||
|
||||
if (!-d $target_dir) {
|
||||
print STDERR "Target directory $target_dir does not exit.\n";
|
||||
exit 1;
|
||||
}
|
||||
|
||||
# if neither specified, assume both
|
||||
if (! $ipv4 && ! $ipv6) {
|
||||
$ipv4 = $ipv6 = 1;
|
||||
}
|
||||
|
||||
foreach my $cc (@ARGV) {
|
||||
if ($cc !~ m/^([a-z]{2}|a[12]|o1)$/i) {
|
||||
print STDERR "Invalid country code '$cc'\n";
|
||||
exit 1;
|
||||
}
|
||||
|
||||
my $file = $target_dir . '/' . uc($cc) . '.iv4';
|
||||
|
||||
if (! -f $file) {
|
||||
printf STDERR "Can't find data for country '$cc'\n";
|
||||
exit 1;
|
||||
}
|
||||
|
||||
my ($contents, $buffer, $bytes, $fh);
|
||||
|
||||
if ($ipv4) {
|
||||
open($fh, '<', $file) || die "Couldn't open file for '$cc'\n";
|
||||
|
||||
binmode($fh);
|
||||
|
||||
while (($bytes = read($fh, $buffer, AF_INET_SIZE * 2)) == AF_INET_SIZE * 2) {
|
||||
my $start = inet_ntop(AF_INET, substr($buffer, 0, AF_INET_SIZE));
|
||||
my $end = inet_ntop(AF_INET, substr($buffer, AF_INET_SIZE));
|
||||
print $start, '-', $end, "\n";
|
||||
}
|
||||
close($fh);
|
||||
if (! defined $bytes) {
|
||||
printf STDERR "Error reading file for '$cc'\n";
|
||||
exit 1;
|
||||
} elsif ($bytes != 0) {
|
||||
printf STDERR "Short read on file for '$cc'\n";
|
||||
exit 1;
|
||||
}
|
||||
}
|
||||
|
||||
substr($file, -1) = '6';
|
||||
|
||||
if ($ipv6) {
|
||||
open($fh, '<', $file) || die "Couldn't open file for '$cc'\n";
|
||||
|
||||
binmode($fh);
|
||||
|
||||
while (($bytes = read($fh, $buffer, AF_INET6_SIZE * 2)) == AF_INET6_SIZE * 2) {
|
||||
my $start = inet_ntop(AF_INET6, substr($buffer, 0, AF_INET6_SIZE));
|
||||
my $end = inet_ntop(AF_INET6, substr($buffer, AF_INET6_SIZE));
|
||||
print $start, '-', $end, "\n";
|
||||
}
|
||||
close($fh);
|
||||
if (! defined $bytes) {
|
||||
printf STDERR "Error reading file for '$cc'\n";
|
||||
exit 1;
|
||||
} elsif ($bytes != 0) {
|
||||
printf STDERR "Short read on file for '$cc'\n";
|
||||
exit 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
exit 0;
|
||||
@@ -1,4 +1,4 @@
|
||||
.TH xtables-addons 8 "Windows" "" "v3.1 (2018-08-14)"
|
||||
.TH xtables-addons 8 "" "" "v2.15 (2021-02-05)"
|
||||
.SH Name
|
||||
Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
|
||||
.SH Targets
|
||||
|
||||
Reference in New Issue
Block a user