diff options
| -rw-r--r-- | target/linux/generic-2.6/patches-2.6.28/171-netfilter_tarpit.patch | 318 | 
1 files changed, 0 insertions, 318 deletions
| diff --git a/target/linux/generic-2.6/patches-2.6.28/171-netfilter_tarpit.patch b/target/linux/generic-2.6/patches-2.6.28/171-netfilter_tarpit.patch deleted file mode 100644 index 803bad5cc..000000000 --- a/target/linux/generic-2.6/patches-2.6.28/171-netfilter_tarpit.patch +++ /dev/null @@ -1,318 +0,0 @@ ---- a/net/netfilter/Kconfig -+++ b/net/netfilter/Kconfig -@@ -469,6 +469,23 @@ config NETFILTER_XT_TARGET_SECMARK -  - 	  To compile it as a module, choose M here.  If unsure, say N. -  -+config NETFILTER_XT_TARGET_TARPIT -+	tristate '"TARPIT" target support' -+	depends on NETFILTER_XTABLES -+	---help--- -+	  Adds a TARPIT target to iptables, which captures and holds -+	  incoming TCP connections using no local per-connection resources. -+	  Connections are accepted, but immediately switched to the persist -+	  state (0 byte window), in which the remote side stops sending data -+	  and asks to continue every 60-240 seconds. Attempts to close the -+	  connection are ignored, forcing the remote side to time out the -+	  connection in 12-24 minutes. -+ -+	  This offers similar functionality to LaBrea -+	  <http://www.hackbusters.net/LaBrea/>, but does not require dedicated -+	  hardware or IPs. Any TCP port that you would normally DROP or REJECT -+	  can instead become a tarpit. -+ - config NETFILTER_XT_TARGET_TCPMSS - 	tristate '"TCPMSS" target support' - 	depends on (IPV6 || IPV6=n) ---- a/net/netfilter/Makefile -+++ b/net/netfilter/Makefile -@@ -51,6 +51,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE - obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o - obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o - obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o -+obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o - obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o - obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o - obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o ---- /dev/null -+++ b/net/netfilter/xt_TARPIT.c -@@ -0,0 +1,279 @@ -+/* -+ * Kernel module to capture and hold incoming TCP connections using -+ * no local per-connection resources. -+ * -+ * Based on ipt_REJECT.c and offering functionality similar to -+ * LaBrea <http://www.hackbusters.net/LaBrea/>. -+ * -+ * Copyright (c) 2002 Aaron Hopkins <tools@die.net> -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+ * -+ * Goal: -+ * - Allow incoming TCP connections to be established. -+ * - Passing data should result in the connection being switched to the -+ *   persist state (0 byte window), in which the remote side stops sending -+ *   data and asks to continue every 60 seconds. -+ * - Attempts to shut down the connection should be ignored completely, so -+ *   the remote side ends up having to time it out. -+ * -+ * This means: -+ * - Reply to TCP SYN,!ACK,!RST,!FIN with SYN-ACK, window 5 bytes -+ * - Reply to TCP SYN,ACK,!RST,!FIN with RST to prevent spoofing -+ * - Reply to TCP !SYN,!RST,!FIN with ACK, window 0 bytes, rate-limited -+ */ -+ -+#include <linux/version.h> -+#include <linux/module.h> -+#include <linux/skbuff.h> -+#include <linux/ip.h> -+#include <net/ip.h> -+#include <net/tcp.h> -+#include <net/icmp.h> -+struct in_device; -+#include <net/route.h> -+#include <linux/random.h> -+#include <linux/netfilter_ipv4/ip_tables.h> -+ -+#if 0 -+#define DEBUGP printk -+#else -+#define DEBUGP(format, args...) -+#endif -+ -+/* Stolen from ip_finish_output2 */ -+static int ip_direct_send(struct sk_buff *skb) -+{ -+	struct dst_entry *dst = skb->dst; -+ -+        if (dst->hh != NULL) -+		return neigh_hh_output(dst->hh, skb); -+	else if (dst->neighbour != NULL) -+		return dst->neighbour->output(skb); -+ -+	if (net_ratelimit()) -+		printk(KERN_DEBUG "TARPIT ip_direct_send: no header cache and no neighbor!\n"); -+ -+	kfree_skb(skb); -+	return -EINVAL; -+} -+ -+ -+/* Send reply */ -+static void tarpit_tcp(const struct sk_buff *oskb, struct rtable *ort, -+                       unsigned int local) -+{ -+	struct sk_buff *nskb; -+	struct rtable *nrt; -+	struct tcphdr *otcph, *ntcph; -+	struct flowi fl = {}; -+	unsigned int otcplen; -+	u_int16_t tmp; -+ -+	const struct iphdr *oiph = ip_hdr(oskb); -+	struct iphdr *niph; -+ -+	/* A truncated TCP header is not going to be useful */ -+	if (oskb->len < ip_hdrlen(oskb) + sizeof(struct tcphdr)) -+		return; -+ -+	otcph   = (void *)oiph + ip_hdrlen(oskb); -+	otcplen = oskb->len - ip_hdrlen(oskb); -+ -+	/* No replies for RST or FIN */ -+	if (otcph->rst || otcph->fin) -+		return; -+ -+	/* No reply to !SYN,!ACK.  Rate-limit replies to !SYN,ACKs */ -+	if (!otcph->syn && (!otcph->ack || !xrlim_allow(&ort->u.dst, 1*HZ))) -+		return; -+ -+	/* Check checksum. */ -+	if (tcp_v4_check(otcplen, oiph->saddr, oiph->daddr, -+	    csum_partial((char *)otcph, otcplen, 0)) != 0) -+		return; -+ -+	/* -+	 * Copy skb (even if skb is about to be dropped, we cannot just -+	 * clone it because there may be other things, such as tcpdump, -+	 * interested in it) -+	 */ -+	nskb = skb_copy(oskb, GFP_ATOMIC); -+	if (nskb == NULL) -+		return; -+ -+	niph = ip_hdr(nskb); -+ -+	/* This packet will not be the same as the other: clear nf fields */ -+	nf_conntrack_put(nskb->nfct); -+	nskb->nfct = NULL; -+#ifdef CONFIG_NETFILTER_DEBUG -+	nskb->nf_debug = 0; -+#endif -+ -+	ntcph = (void *)niph + ip_hdrlen(nskb); -+ -+	/* Truncate to length (no data) */ -+	ntcph->doff = sizeof(struct tcphdr)/4; -+	skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); -+	niph->tot_len = htons(nskb->len); -+ -+	/* Swap source and dest */ -+	niph->daddr = xchg(&niph->saddr, niph->daddr); -+	tmp = ntcph->source; -+	ntcph->source = ntcph->dest; -+	ntcph->dest = tmp; -+ -+	/* Use supplied sequence number or make a new one */ -+	ntcph->seq = otcph->ack ? otcph->ack_seq -+		: htonl(secure_tcp_sequence_number(niph->saddr, -+						   niph->daddr, -+						   ntcph->source, -+						   ntcph->dest)); -+ -+	/* Our SYN-ACKs must have a >0 window */ -+	ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0; -+ -+	ntcph->urg_ptr = 0; -+ -+	/* Reset flags */ -+	((u_int8_t *)ntcph)[13] = 0; -+ -+	if (otcph->syn && otcph->ack) { -+		ntcph->rst = 1; -+		ntcph->ack_seq = 0; -+	} else { -+		ntcph->syn = otcph->syn; -+		ntcph->ack = 1; -+		ntcph->ack_seq = htonl(ntohl(otcph->seq) + otcph->syn); -+	} -+ -+	/* Adjust TCP checksum */ -+	ntcph->check = 0; -+	ntcph->check = tcp_v4_check(sizeof(struct tcphdr), -+				   niph->saddr, -+				   niph->daddr, -+				   csum_partial((char *)ntcph, -+						sizeof(struct tcphdr), 0)); -+ -+	fl.nl_u.ip4_u.daddr = niph->daddr; -+	fl.nl_u.ip4_u.saddr = local ? niph->saddr : 0; -+	fl.nl_u.ip4_u.tos = RT_TOS(niph->tos) | RTO_CONN; -+	fl.oif = 0; -+ -+	if (ip_route_output_key(&init_net, &nrt, &fl)) -+		goto free_nskb; -+ -+	dst_release(nskb->dst); -+	nskb->dst = &nrt->u.dst; -+ -+	/* Adjust IP TTL */ -+	niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); -+ -+	/* Set DF, id = 0 */ -+	niph->frag_off = htons(IP_DF); -+	niph->id = 0; -+ -+	/* Adjust IP checksum */ -+	niph->check = 0; -+	niph->check = ip_fast_csum((unsigned char *)niph, niph->ihl); -+ -+	/* "Never happens" */ -+	if (nskb->len > dst_mtu(nskb->dst)) -+		goto free_nskb; -+ -+	ip_direct_send(nskb); -+	return; -+ -+ free_nskb: -+	kfree_skb(nskb); -+} -+ -+static unsigned int xt_tarpit_target(struct sk_buff *skb, -+                                     const struct net_device *in, -+                                     const struct net_device *out, -+                                     unsigned int hooknum, -+                                     const struct xt_target *target, -+                                     const void *targinfo) -+{ -+	const struct iphdr *iph   = ip_hdr(skb); -+	struct rtable *rt         = (void *)skb->dst; -+ -+	/* Do we have an input route cache entry? */ -+	if (rt == NULL) -+		return NF_DROP; -+ -+	/* No replies to physical multicast/broadcast */ -+	if (skb->pkt_type != PACKET_HOST && skb->pkt_type != PACKET_OTHERHOST) -+		return NF_DROP; -+ -+	/* Now check at the protocol level */ -+	if (rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) -+		return NF_DROP; -+ -+	/* -+	 * Our naive response construction does not deal with IP -+	 * options, and probably should not try. -+	 */ -+	if (iph->ihl * 4 != sizeof(struct iphdr)) -+		return NF_DROP; -+ -+	/* We are not interested in fragments */ -+	if (iph->frag_off & htons(IP_OFFSET)) -+		return NF_DROP; -+ -+	tarpit_tcp(skb, rt, hooknum == NF_INET_LOCAL_IN); -+	return NF_DROP; -+} -+ -+static bool xt_tarpit_check(const char *tablename, const void *entry, -+                            const struct xt_target *target, void *targinfo, -+                            unsigned int hook_mask) -+{ -+	bool invalid; -+ -+	if (strcmp(tablename, "raw") == 0 && hook_mask == NF_INET_PRE_ROUTING) -+		return true; -+	if (strcmp(tablename, "filter") != 0) -+		return false; -+	invalid = hook_mask & ~((1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD)); -+	return !invalid; -+} -+ -+static struct xt_target xt_tarpit_reg = { -+	.name       = "TARPIT", -+	.family     = AF_INET, -+	.proto      = IPPROTO_TCP, -+	.target     = xt_tarpit_target, -+	.checkentry = xt_tarpit_check, -+	.me         = THIS_MODULE, -+}; -+ -+static int __init xt_tarpit_init(void) -+{ -+	return xt_register_target(&xt_tarpit_reg); -+} -+ -+static void __exit xt_tarpit_exit(void) -+{ -+	xt_unregister_target(&xt_tarpit_reg); -+} -+ -+module_init(xt_tarpit_init); -+module_exit(xt_tarpit_exit); -+MODULE_DESCRIPTION("netfilter xt_TARPIT target module"); -+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>"); -+MODULE_LICENSE("GPL"); -+MODULE_ALIAS("ipt_TARPIT"); | 
