From 9d93e2a4e063b63cabdaa5eb7b0977bc33c0e39a Mon Sep 17 00:00:00 2001 From: Imre Kaloz Date: Mon, 1 Dec 2008 20:27:46 +0000 Subject: upgrade iptables to 1.4.1.1, needed for proper 2.6.27 support SVN-Revision: 13458 --- .../patches/1.4.1.1/006-chaostables_0.8.patch | 393 +++++++++++++++++++++ 1 file changed, 393 insertions(+) create mode 100644 package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch (limited to 'package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch') diff --git a/package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch b/package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch new file mode 100644 index 0000000000..e1a7fca197 --- /dev/null +++ b/package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch @@ -0,0 +1,393 @@ +Index: iptables-1.4.0/extensions/.CHAOS-testx +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/.CHAOS-testx +@@ -0,0 +1,3 @@ ++#! /bin/sh ++ ++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS" +Index: iptables-1.4.0/extensions/libxt_CHAOS.c +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_CHAOS.c +@@ -0,0 +1,114 @@ ++/* ++ * CHAOS target for iptables ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++enum { ++ F_DELUDE = 1 << 0, ++ F_TARPIT = 1 << 1, ++}; ++ ++static const struct option chaos_tg_opts[] = { ++ {.name = "delude", .has_arg = false, .val = 'd'}, ++ {.name = "tarpit", .has_arg = false, .val = 't'}, ++ {}, ++}; ++ ++static void chaos_tg_help(void) ++{ ++ printf( ++ "CHAOS target v%s options:\n" ++ " --delude Enable DELUDE processing for TCP\n" ++ " --tarpit Enable TARPIT processing for TCP\n", ++ XTABLES_VERSION); ++ return; ++} ++ ++static int chaos_tg_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ struct xt_chaos_target_info *info = (void *)((*target)->data); ++ switch (c) { ++ case 'd': ++ info->variant = XTCHAOS_DELUDE; ++ *flags |= F_DELUDE; ++ return true; ++ case 't': ++ info->variant = XTCHAOS_TARPIT; ++ *flags |= F_TARPIT; ++ return true; ++ } ++ return false; ++} ++ ++static void chaos_tg_check(unsigned int flags) ++{ ++ if ((flags & (F_DELUDE | F_TARPIT)) == (F_DELUDE | F_TARPIT)) ++ /* If flags == 0x03, both were specified, which should not be. */ ++ exit_error(PARAMETER_PROBLEM, ++ "CHAOS: only one of --tarpit or --delude " ++ "may be specified"); ++ return; ++} ++ ++static void chaos_tg_print(const void *ip, ++ const struct xt_entry_target *target, int numeric) ++{ ++ const struct xt_chaos_target_info *info = (const void *)target->data; ++ switch (info->variant) { ++ case XTCHAOS_DELUDE: ++ printf("DELUDE "); ++ break; ++ case XTCHAOS_TARPIT: ++ printf("TARPIT "); ++ break; ++ } ++ return; ++} ++ ++static void chaos_tg_save(const void *ip, const struct xt_entry_target *target) ++{ ++ const struct xt_chaos_target_info *info = (const void *)target->data; ++ switch (info->variant) { ++ case XTCHAOS_DELUDE: ++ printf("--delude "); ++ break; ++ case XTCHAOS_TARPIT: ++ printf("--tarpit "); ++ break; ++ } ++ return; ++} ++ ++static struct xtables_target chaos_tg_reg = { ++ .version = XTABLES_VERSION, ++ .name = "CHAOS", ++ .family = AF_INET, ++ .size = XT_ALIGN(sizeof(struct xt_chaos_target_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_chaos_target_info)), ++ .help = chaos_tg_help, ++ .parse = chaos_tg_parse, ++ .final_check = chaos_tg_check, ++ .print = chaos_tg_print, ++ .save = chaos_tg_save, ++ .extra_opts = chaos_tg_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_target(&chaos_tg_reg); ++ return; ++} +Index: iptables-1.4.0/extensions/libxt_CHAOS.man +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_CHAOS.man +@@ -0,0 +1,18 @@ ++Causes confusion on the other end by doing odd things with incoming packets. ++CHAOS will randomly reply (or not) with one of its configurable subtargets: ++.TP ++\fB--delude\fR ++Use the REJECT and DELUDE targets as a base to do a sudden or deferred ++connection reset, fooling some network scanners to return non-deterministic ++(randomly open/closed) results, and in case it is deemed open, it is actually ++closed/filtered. ++.TP ++\fB--tarpit\fR ++Use the REJECT and TARPIT target as a base to hold the connection until it ++times out. This consumes conntrack entries when connection tracking is loaded ++(which usually is on most machines), and routers inbetween you and the Internet ++may fail to do their connection tracking if they have to handle more ++connections than they can. ++.PP ++The randomness factor of not replying vs. replying can be set during load-time ++of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters. +Index: iptables-1.4.0/extensions/.DELUDE-testx +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/.DELUDE-testx +@@ -0,0 +1,3 @@ ++#! /bin/sh ++ ++[ -f "$KERNEL_DIR/net/netfilter/xt_DELUDE.c" ] && echo "DELUDE" +Index: iptables-1.4.0/extensions/libxt_DELUDE.c +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_DELUDE.c +@@ -0,0 +1,49 @@ ++/* ++ * DELUDE target for iptables ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++ ++#include ++#include ++ ++static void delude_tg_help(void) ++{ ++ printf("DELUDE takes no options\n"); ++ return; ++} ++ ++static int delude_tg_parse(int c, char **argv, int invert, unsigned int *flags, ++ const void *entry, struct xt_entry_target **target) ++{ ++ return 0; ++} ++ ++static void delude_tg_check(unsigned int flags) ++{ ++ return; ++} ++ ++static struct xtables_target delude_tg_reg = { ++ .version = XTABLES_VERSION, ++ .name = "DELUDE", ++ .family = AF_INET, ++ .size = XT_ALIGN(0), ++ .userspacesize = XT_ALIGN(0), ++ .help = delude_tg_help, ++ .parse = delude_tg_parse, ++ .final_check = delude_tg_check, ++}; ++ ++void _init(void) ++{ ++ xtables_register_target(&delude_tg_reg); ++ return; ++} +Index: iptables-1.4.0/extensions/libxt_DELUDE.man +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_DELUDE.man +@@ -0,0 +1,4 @@ ++The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other ++packets with an RST. This will terminate the connection much like REJECT, but ++network scanners doing TCP half-open discovery can be spoofed to make them ++belive the port is open rather than closed/filtered. +Index: iptables-1.4.0/extensions/.portscan-testx +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/.portscan-testx +@@ -0,0 +1,3 @@ ++#! /bin/sh ++ ++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan" +Index: iptables-1.4.0/extensions/libxt_portscan.c +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_portscan.c +@@ -0,0 +1,127 @@ ++/* ++ * portscan match for iptables ++ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 ++ * Contact: Jan Engelhardt ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License; either version ++ * 2 or 3 as published by the Free Software Foundation. ++ */ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++static const struct option portscan_mt_opts[] = { ++ {.name = "stealth", .has_arg = false, .val = 'x'}, ++ {.name = "synscan", .has_arg = false, .val = 's'}, ++ {.name = "cnscan", .has_arg = false, .val = 'c'}, ++ {.name = "grscan", .has_arg = false, .val = 'g'}, ++ {}, ++}; ++ ++static void portscan_mt_help(void) ++{ ++ printf( ++ "portscan match v%s options:\n" ++ "(Combining them will make them match by OR-logic)\n" ++ " --stealth Match TCP Stealth packets\n" ++ " --synscan Match TCP SYN scans\n" ++ " --cnscan Match TCP Connect scans\n" ++ " --grscan Match Banner Grabbing scans\n", ++ XTABLES_VERSION); ++ return; ++} ++ ++static int portscan_mt_parse(int c, char **argv, int invert, ++ unsigned int *flags, const void *entry, struct xt_entry_match **match) ++{ ++ struct xt_portscan_match_info *info = (void *)((*match)->data); ++ ++ switch (c) { ++ case 'c': ++ info->match_cn = true; ++ return true; ++ case 'g': ++ info->match_gr = true; ++ return true; ++ case 's': ++ info->match_syn = true; ++ return true; ++ case 'x': ++ info->match_stealth = true; ++ return true; ++ } ++ return false; ++} ++ ++static void portscan_mt_check(unsigned int flags) ++{ ++ return; ++} ++ ++static void portscan_mt_print(const void *ip, ++ const struct xt_entry_match *match, int numeric) ++{ ++ const struct xt_portscan_match_info *info = (const void *)(match->data); ++ const char *s = ""; ++ ++ printf("portscan "); ++ if (info->match_stealth) { ++ printf("STEALTH"); ++ s = ","; ++ } ++ if (info->match_syn) { ++ printf("%sSYNSCAN", s); ++ s = ","; ++ } ++ if (info->match_cn) { ++ printf("%sCNSCAN", s); ++ s = ","; ++ } ++ if (info->match_gr) ++ printf("%sGRSCAN", s); ++ printf(" "); ++ return; ++} ++ ++static void portscan_mt_save(const void *ip, const struct xt_entry_match *match) ++{ ++ const struct xt_portscan_match_info *info = (const void *)(match->data); ++ ++ if (info->match_stealth) ++ printf("--stealth "); ++ if (info->match_syn) ++ printf("--synscan "); ++ if (info->match_cn) ++ printf("--cnscan "); ++ if (info->match_gr) ++ printf("--grscan "); ++ return; ++} ++ ++static struct xtables_match portscan_mt_reg = { ++ .version = XTABLES_VERSION, ++ .name = "portscan", ++ .family = AF_INET, ++ .size = XT_ALIGN(sizeof(struct xt_portscan_match_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_portscan_match_info)), ++ .help = portscan_mt_help, ++ .parse = portscan_mt_parse, ++ .final_check = portscan_mt_check, ++ .print = portscan_mt_print, ++ .save = portscan_mt_save, ++ .extra_opts = portscan_mt_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_match(&portscan_mt_reg); ++ return; ++} +Index: iptables-1.4.0/extensions/libxt_portscan.man +=================================================================== +--- /dev/null ++++ iptables-1.4.0/extensions/libxt_portscan.man +@@ -0,0 +1,27 @@ ++Detects simple port scan attemps based upon the packet's contents. (This is ++different from other implementations, which also try to match the rate of new ++connections.) Note that an attempt is only discovered after it has been carried ++out, but this information can be used in conjunction with other rules to block ++the remote host's future connections. So this match module will match on the ++(probably) last packet the remote side will send to your machine. ++.TP ++\fB--stealth\fR ++Match if the packet did not belong to any known TCP connection ++(Stealth/FIN/XMAS/NULL scan). ++.TP ++\fB--synscan\fR ++Match if the connection was a TCP half-open discovery (SYN scan), i.e. the ++connection was torn down after the 2nd packet in the 3-way handshake. ++.TP ++\fB--cnscan\fR ++Match if the connection was a TCP full open discovery (connect scan), i.e. the ++connection was torn down after completion of the 3-way handshake. ++.TP ++\fB--grscan\fR ++Match if data in the connection only flew in the direction of the remote side, ++e.g. if the connection was terminated after a locally running daemon sent its ++identification. (e.g. openssh) ++.PP ++NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan, ++so be advised to carefully use xt_portscan in conjunction with blocking rules, ++as it may lock out your very own internal network. -- cgit v1.2.3