From acc0f6cee74c60e0a20300a80e6001c200601c2c Mon Sep 17 00:00:00 2001 From: Gabor Juhos Date: Sun, 8 Feb 2009 17:25:26 +0000 Subject: [package] iptables: remove CHAOS and TARPIT patches git-svn-id: svn://svn.openwrt.org/openwrt/trunk@14447 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- .../patches/1.4.1.1/007-tarpit_support.patch | 106 --------------------- 1 file changed, 106 deletions(-) delete mode 100644 package/iptables/patches/1.4.1.1/007-tarpit_support.patch (limited to 'package/iptables/patches/1.4.1.1/007-tarpit_support.patch') diff --git a/package/iptables/patches/1.4.1.1/007-tarpit_support.patch b/package/iptables/patches/1.4.1.1/007-tarpit_support.patch deleted file mode 100644 index 1ff3cbf7b6..0000000000 --- a/package/iptables/patches/1.4.1.1/007-tarpit_support.patch +++ /dev/null @@ -1,106 +0,0 @@ -Index: iptables-1.4.0/extensions/libxt_TARPIT.c -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_TARPIT.c -@@ -0,0 +1,55 @@ -+/* Shared library add-on to iptables to add TARPIT target support */ -+#include -+#include -+ -+#include -+#include -+ -+static void TARPIT_help(void) -+{ -+ fputs( -+"TARPIT takes no options\n" -+"\n", stdout); -+} -+ -+static struct option TARPIT_opts[] = { -+ { 0 } -+}; -+ -+static int TARPIT_parse(int c, char **argv, int invert, unsigned int *flags, -+ const void *entry, struct xt_entry_target **target) -+{ -+ return 0; -+} -+ -+static void TARPIT_final_check(unsigned int flags) -+{ -+} -+ -+static void TARPIT_print(const void *ip, const struct xt_entry_target *target, -+ int numeric) -+{ -+} -+ -+static void TARPIT_save(const void *ip, const struct xt_entry_target *target) -+{ -+} -+ -+static struct xtables_target tarpit_target = { -+ .family = AF_INET, -+ .name = "TARPIT", -+ .version = XTABLES_VERSION, -+ .size = XT_ALIGN(0), -+ .userspacesize = XT_ALIGN(0), -+ .help = TARPIT_help, -+ .parse = TARPIT_parse, -+ .final_check = TARPIT_final_check, -+ .print = TARPIT_print, -+ .save = TARPIT_save, -+ .extra_opts = TARPIT_opts -+}; -+ -+void _init(void) -+{ -+ xtables_register_target(&tarpit_target); -+} -Index: iptables-1.4.0/extensions/libxt_TARPIT.man -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_TARPIT.man -@@ -0,0 +1,34 @@ -+Captures and holds incoming TCP connections using no local -+per-connection resources. Connections are accepted, but immediately -+switched to the persist state (0 byte window), in which the remote -+side stops sending data and asks to continue every 60-240 seconds. -+Attempts to close the connection are ignored, forcing the remote side -+to time out the connection in 12-24 minutes. -+ -+This offers similar functionality to LaBrea -+ but doesn't require dedicated -+hardware or IPs. Any TCP port that you would normally DROP or REJECT -+can instead become a tarpit. -+ -+To tarpit connections to TCP port 80 destined for the current machine: -+.IP -+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT -+.P -+To significantly slow down Code Red/Nimda-style scans of unused address -+space, forward unused ip addresses to a Linux box not acting as a router -+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP -+forwarding on the Linux box, and add: -+.IP -+iptables -A FORWARD -p tcp -j TARPIT -+.IP -+iptables -A FORWARD -j DROP -+.TP -+NOTE: -+If you use the conntrack module while you are using TARPIT, you should -+also use the NOTRACK target, or the kernel will unnecessarily allocate -+resources for each TARPITted connection. To TARPIT incoming -+connections to the standard IRC port while using conntrack, you could: -+.IP -+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK -+.IP -+iptables -A INPUT -p tcp --dport 6667 -j TARPIT -Index: iptables-1.4.0/extensions/.TARPIT-testx -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/.TARPIT-testx -@@ -0,0 +1,2 @@ -+#! /bin/sh -+[ -f "$KERNEL_DIR/net/netfilter/xt_TARPIT.c" ] && echo "TARPIT" -- cgit v1.2.3