adds rt_tables to files installed by ip ipkg
[openwrt.git] / package / iptables / patches / 1.4.0 / 006-chaostables_0.8.patch
1 Index: iptables-1.4.0/extensions/.CHAOS-testx
2 ===================================================================
3 --- /dev/null
4 +++ iptables-1.4.0/extensions/.CHAOS-testx
5 @@ -0,0 +1,3 @@
6 +#! /bin/sh
7 +
8 +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS"
9 Index: iptables-1.4.0/extensions/libxt_CHAOS.c
10 ===================================================================
11 --- /dev/null
12 +++ iptables-1.4.0/extensions/libxt_CHAOS.c
13 @@ -0,0 +1,114 @@
14 +/*
15 + * CHAOS target for iptables
16 + * Copyright © CC Computer Consultants GmbH, 2006 - 2007
17 + * Contact: Jan Engelhardt <jengelh@computergmbh.de>
18 + *
19 + * This program is free software; you can redistribute it and/or modify
20 + * it under the terms of the GNU General Public License; either version
21 + * 2 or 3 as published by the Free Software Foundation.
22 + */
23 +#include <getopt.h>
24 +#include <stdbool.h>
25 +#include <stdio.h>
26 +#include <string.h>
27 +
28 +#include <xtables.h>
29 +#include <linux/netfilter/x_tables.h>
30 +#include <linux/netfilter/xt_CHAOS.h>
31 +
32 +enum {
33 + F_DELUDE = 1 << 0,
34 + F_TARPIT = 1 << 1,
35 +};
36 +
37 +static const struct option chaos_tg_opts[] = {
38 + {.name = "delude", .has_arg = false, .val = 'd'},
39 + {.name = "tarpit", .has_arg = false, .val = 't'},
40 + {},
41 +};
42 +
43 +static void chaos_tg_help(void)
44 +{
45 + printf(
46 + "CHAOS target v%s options:\n"
47 + " --delude Enable DELUDE processing for TCP\n"
48 + " --tarpit Enable TARPIT processing for TCP\n",
49 + IPTABLES_VERSION);
50 + return;
51 +}
52 +
53 +static int chaos_tg_parse(int c, char **argv, int invert, unsigned int *flags,
54 + const void *entry, struct xt_entry_target **target)
55 +{
56 + struct xt_chaos_target_info *info = (void *)((*target)->data);
57 + switch (c) {
58 + case 'd':
59 + info->variant = XTCHAOS_DELUDE;
60 + *flags |= F_DELUDE;
61 + return true;
62 + case 't':
63 + info->variant = XTCHAOS_TARPIT;
64 + *flags |= F_TARPIT;
65 + return true;
66 + }
67 + return false;
68 +}
69 +
70 +static void chaos_tg_check(unsigned int flags)
71 +{
72 + if ((flags & (F_DELUDE | F_TARPIT)) == (F_DELUDE | F_TARPIT))
73 + /* If flags == 0x03, both were specified, which should not be. */
74 + exit_error(PARAMETER_PROBLEM,
75 + "CHAOS: only one of --tarpit or --delude "
76 + "may be specified");
77 + return;
78 +}
79 +
80 +static void chaos_tg_print(const void *ip,
81 + const struct xt_entry_target *target, int numeric)
82 +{
83 + const struct xt_chaos_target_info *info = (const void *)target->data;
84 + switch (info->variant) {
85 + case XTCHAOS_DELUDE:
86 + printf("DELUDE ");
87 + break;
88 + case XTCHAOS_TARPIT:
89 + printf("TARPIT ");
90 + break;
91 + }
92 + return;
93 +}
94 +
95 +static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
96 +{
97 + const struct xt_chaos_target_info *info = (const void *)target->data;
98 + switch (info->variant) {
99 + case XTCHAOS_DELUDE:
100 + printf("--delude ");
101 + break;
102 + case XTCHAOS_TARPIT:
103 + printf("--tarpit ");
104 + break;
105 + }
106 + return;
107 +}
108 +
109 +static struct xtables_target chaos_tg_reg = {
110 + .version = IPTABLES_VERSION,
111 + .name = "CHAOS",
112 + .family = AF_INET,
113 + .size = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
114 + .userspacesize = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
115 + .help = chaos_tg_help,
116 + .parse = chaos_tg_parse,
117 + .final_check = chaos_tg_check,
118 + .print = chaos_tg_print,
119 + .save = chaos_tg_save,
120 + .extra_opts = chaos_tg_opts,
121 +};
122 +
123 +void _init(void)
124 +{
125 + xtables_register_target(&chaos_tg_reg);
126 + return;
127 +}
128 Index: iptables-1.4.0/extensions/libxt_CHAOS.man
129 ===================================================================
130 --- /dev/null
131 +++ iptables-1.4.0/extensions/libxt_CHAOS.man
132 @@ -0,0 +1,18 @@
133 +Causes confusion on the other end by doing odd things with incoming packets.
134 +CHAOS will randomly reply (or not) with one of its configurable subtargets:
135 +.TP
136 +\fB--delude\fR
137 +Use the REJECT and DELUDE targets as a base to do a sudden or deferred
138 +connection reset, fooling some network scanners to return non-deterministic
139 +(randomly open/closed) results, and in case it is deemed open, it is actually
140 +closed/filtered.
141 +.TP
142 +\fB--tarpit\fR
143 +Use the REJECT and TARPIT target as a base to hold the connection until it
144 +times out. This consumes conntrack entries when connection tracking is loaded
145 +(which usually is on most machines), and routers inbetween you and the Internet
146 +may fail to do their connection tracking if they have to handle more
147 +connections than they can.
148 +.PP
149 +The randomness factor of not replying vs. replying can be set during load-time
150 +of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
151 Index: iptables-1.4.0/extensions/.DELUDE-testx
152 ===================================================================
153 --- /dev/null
154 +++ iptables-1.4.0/extensions/.DELUDE-testx
155 @@ -0,0 +1,3 @@
156 +#! /bin/sh
157 +
158 +[ -f "$KERNEL_DIR/net/netfilter/xt_DELUDE.c" ] && echo "DELUDE"
159 Index: iptables-1.4.0/extensions/libxt_DELUDE.c
160 ===================================================================
161 --- /dev/null
162 +++ iptables-1.4.0/extensions/libxt_DELUDE.c
163 @@ -0,0 +1,49 @@
164 +/*
165 + * DELUDE target for iptables
166 + * Copyright © CC Computer Consultants GmbH, 2006 - 2007
167 + * Contact: Jan Engelhardt <jengelh@computergmbh.de>
168 + *
169 + * This program is free software; you can redistribute it and/or modify
170 + * it under the terms of the GNU General Public License; either version
171 + * 2 or 3 as published by the Free Software Foundation.
172 + */
173 +#include <getopt.h>
174 +#include <stdio.h>
175 +#include <string.h>
176 +
177 +#include <xtables.h>
178 +#include <linux/netfilter/x_tables.h>
179 +
180 +static void delude_tg_help(void)
181 +{
182 + printf("DELUDE takes no options\n");
183 + return;
184 +}
185 +
186 +static int delude_tg_parse(int c, char **argv, int invert, unsigned int *flags,
187 + const void *entry, struct xt_entry_target **target)
188 +{
189 + return 0;
190 +}
191 +
192 +static void delude_tg_check(unsigned int flags)
193 +{
194 + return;
195 +}
196 +
197 +static struct xtables_target delude_tg_reg = {
198 + .version = IPTABLES_VERSION,
199 + .name = "DELUDE",
200 + .family = AF_INET,
201 + .size = XT_ALIGN(0),
202 + .userspacesize = XT_ALIGN(0),
203 + .help = delude_tg_help,
204 + .parse = delude_tg_parse,
205 + .final_check = delude_tg_check,
206 +};
207 +
208 +void _init(void)
209 +{
210 + xtables_register_target(&delude_tg_reg);
211 + return;
212 +}
213 Index: iptables-1.4.0/extensions/libxt_DELUDE.man
214 ===================================================================
215 --- /dev/null
216 +++ iptables-1.4.0/extensions/libxt_DELUDE.man
217 @@ -0,0 +1,4 @@
218 +The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other
219 +packets with an RST. This will terminate the connection much like REJECT, but
220 +network scanners doing TCP half-open discovery can be spoofed to make them
221 +belive the port is open rather than closed/filtered.
222 Index: iptables-1.4.0/extensions/.portscan-testx
223 ===================================================================
224 --- /dev/null
225 +++ iptables-1.4.0/extensions/.portscan-testx
226 @@ -0,0 +1,3 @@
227 +#! /bin/sh
228 +
229 +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan"
230 Index: iptables-1.4.0/extensions/libxt_portscan.c
231 ===================================================================
232 --- /dev/null
233 +++ iptables-1.4.0/extensions/libxt_portscan.c
234 @@ -0,0 +1,127 @@
235 +/*
236 + * portscan match for iptables
237 + * Copyright © CC Computer Consultants GmbH, 2006 - 2007
238 + * Contact: Jan Engelhardt <jengelh@computergmbh.de>
239 + *
240 + * This program is free software; you can redistribute it and/or modify
241 + * it under the terms of the GNU General Public License; either version
242 + * 2 or 3 as published by the Free Software Foundation.
243 + */
244 +#include <stdbool.h>
245 +#include <stdio.h>
246 +#include <string.h>
247 +#include <stdlib.h>
248 +#include <getopt.h>
249 +
250 +#include <xtables.h>
251 +#include <iptables.h>
252 +#include <linux/netfilter/x_tables.h>
253 +#include <linux/netfilter/xt_portscan.h>
254 +
255 +static const struct option portscan_mt_opts[] = {
256 + {.name = "stealth", .has_arg = false, .val = 'x'},
257 + {.name = "synscan", .has_arg = false, .val = 's'},
258 + {.name = "cnscan", .has_arg = false, .val = 'c'},
259 + {.name = "grscan", .has_arg = false, .val = 'g'},
260 + {},
261 +};
262 +
263 +static void portscan_mt_help(void)
264 +{
265 + printf(
266 + "portscan match v%s options:\n"
267 + "(Combining them will make them match by OR-logic)\n"
268 + " --stealth Match TCP Stealth packets\n"
269 + " --synscan Match TCP SYN scans\n"
270 + " --cnscan Match TCP Connect scans\n"
271 + " --grscan Match Banner Grabbing scans\n",
272 + IPTABLES_VERSION);
273 + return;
274 +}
275 +
276 +static int portscan_mt_parse(int c, char **argv, int invert,
277 + unsigned int *flags, const void *entry, struct xt_entry_match **match)
278 +{
279 + struct xt_portscan_match_info *info = (void *)((*match)->data);
280 +
281 + switch (c) {
282 + case 'c':
283 + info->match_cn = true;
284 + return true;
285 + case 'g':
286 + info->match_gr = true;
287 + return true;
288 + case 's':
289 + info->match_syn = true;
290 + return true;
291 + case 'x':
292 + info->match_stealth = true;
293 + return true;
294 + }
295 + return false;
296 +}
297 +
298 +static void portscan_mt_check(unsigned int flags)
299 +{
300 + return;
301 +}
302 +
303 +static void portscan_mt_print(const void *ip,
304 + const struct xt_entry_match *match, int numeric)
305 +{
306 + const struct xt_portscan_match_info *info = (const void *)(match->data);
307 + const char *s = "";
308 +
309 + printf("portscan ");
310 + if (info->match_stealth) {
311 + printf("STEALTH");
312 + s = ",";
313 + }
314 + if (info->match_syn) {
315 + printf("%sSYNSCAN", s);
316 + s = ",";
317 + }
318 + if (info->match_cn) {
319 + printf("%sCNSCAN", s);
320 + s = ",";
321 + }
322 + if (info->match_gr)
323 + printf("%sGRSCAN", s);
324 + printf(" ");
325 + return;
326 +}
327 +
328 +static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
329 +{
330 + const struct xt_portscan_match_info *info = (const void *)(match->data);
331 +
332 + if (info->match_stealth)
333 + printf("--stealth ");
334 + if (info->match_syn)
335 + printf("--synscan ");
336 + if (info->match_cn)
337 + printf("--cnscan ");
338 + if (info->match_gr)
339 + printf("--grscan ");
340 + return;
341 +}
342 +
343 +static struct xtables_match portscan_mt_reg = {
344 + .version = IPTABLES_VERSION,
345 + .name = "portscan",
346 + .family = AF_INET,
347 + .size = XT_ALIGN(sizeof(struct xt_portscan_match_info)),
348 + .userspacesize = XT_ALIGN(sizeof(struct xt_portscan_match_info)),
349 + .help = portscan_mt_help,
350 + .parse = portscan_mt_parse,
351 + .final_check = portscan_mt_check,
352 + .print = portscan_mt_print,
353 + .save = portscan_mt_save,
354 + .extra_opts = portscan_mt_opts,
355 +};
356 +
357 +void _init(void)
358 +{
359 + xtables_register_match(&portscan_mt_reg);
360 + return;
361 +}
362 Index: iptables-1.4.0/extensions/libxt_portscan.man
363 ===================================================================
364 --- /dev/null
365 +++ iptables-1.4.0/extensions/libxt_portscan.man
366 @@ -0,0 +1,27 @@
367 +Detects simple port scan attemps based upon the packet's contents. (This is
368 +different from other implementations, which also try to match the rate of new
369 +connections.) Note that an attempt is only discovered after it has been carried
370 +out, but this information can be used in conjunction with other rules to block
371 +the remote host's future connections. So this match module will match on the
372 +(probably) last packet the remote side will send to your machine.
373 +.TP
374 +\fB--stealth\fR
375 +Match if the packet did not belong to any known TCP connection
376 +(Stealth/FIN/XMAS/NULL scan).
377 +.TP
378 +\fB--synscan\fR
379 +Match if the connection was a TCP half-open discovery (SYN scan), i.e. the
380 +connection was torn down after the 2nd packet in the 3-way handshake.
381 +.TP
382 +\fB--cnscan\fR
383 +Match if the connection was a TCP full open discovery (connect scan), i.e. the
384 +connection was torn down after completion of the 3-way handshake.
385 +.TP
386 +\fB--grscan\fR
387 +Match if data in the connection only flew in the direction of the remote side,
388 +e.g. if the connection was terminated after a locally running daemon sent its
389 +identification. (e.g. openssh)
390 +.PP
391 +NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
392 +so be advised to carefully use xt_portscan in conjunction with blocking rules,
393 +as it may lock out your very own internal network.
This page took 0.06852 seconds and 5 git commands to generate.