From: Gabor Juhos Date: Sun, 8 Feb 2009 17:25:26 +0000 (+0000) Subject: iptables: remove CHAOS and TARPIT patches X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=2b2541ebad985e416bd9a95e4fb8ccad1407570b;p=openwrt%2Fstaging%2Frobimarko.git iptables: remove CHAOS and TARPIT patches SVN-Revision: 14447 --- diff --git a/package/iptables/Makefile b/package/iptables/Makefile index 55ca0b370f..58b4d722d5 100644 --- a/package/iptables/Makefile +++ b/package/iptables/Makefile @@ -20,7 +20,7 @@ endif ifeq ($(CONFIG_LINUX_2_6),y) PKG_VERSION:=1.4.1.1 - PKG_RELEASE:=1 + PKG_RELEASE:=2 PKG_MD5SUM:=723fa88d8a0915e184f99e03e9bf06cb endif @@ -259,7 +259,7 @@ TARGET_CFLAGS += $(FPIC) CONFIGURE_ARGS += \ --enable-devel \ --with-kernel="$(LINUX_DIR)" \ - --with-xtlibdir=/usr/lib/iptables + --with-xtlibdir=/usr/lib/iptables define Build/Compile mkdir -p $(PKG_INSTALL_DIR) diff --git a/package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch b/package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch deleted file mode 100644 index e1a7fca197..0000000000 --- a/package/iptables/patches/1.4.1.1/006-chaostables_0.8.patch +++ /dev/null @@ -1,393 +0,0 @@ -Index: iptables-1.4.0/extensions/.CHAOS-testx -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/.CHAOS-testx -@@ -0,0 +1,3 @@ -+#! /bin/sh -+ -+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS" -Index: iptables-1.4.0/extensions/libxt_CHAOS.c -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_CHAOS.c -@@ -0,0 +1,114 @@ -+/* -+ * CHAOS target for iptables -+ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 -+ * Contact: Jan Engelhardt -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License; either version -+ * 2 or 3 as published by the Free Software Foundation. -+ */ -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+enum { -+ F_DELUDE = 1 << 0, -+ F_TARPIT = 1 << 1, -+}; -+ -+static const struct option chaos_tg_opts[] = { -+ {.name = "delude", .has_arg = false, .val = 'd'}, -+ {.name = "tarpit", .has_arg = false, .val = 't'}, -+ {}, -+}; -+ -+static void chaos_tg_help(void) -+{ -+ printf( -+ "CHAOS target v%s options:\n" -+ " --delude Enable DELUDE processing for TCP\n" -+ " --tarpit Enable TARPIT processing for TCP\n", -+ XTABLES_VERSION); -+ return; -+} -+ -+static int chaos_tg_parse(int c, char **argv, int invert, unsigned int *flags, -+ const void *entry, struct xt_entry_target **target) -+{ -+ struct xt_chaos_target_info *info = (void *)((*target)->data); -+ switch (c) { -+ case 'd': -+ info->variant = XTCHAOS_DELUDE; -+ *flags |= F_DELUDE; -+ return true; -+ case 't': -+ info->variant = XTCHAOS_TARPIT; -+ *flags |= F_TARPIT; -+ return true; -+ } -+ return false; -+} -+ -+static void chaos_tg_check(unsigned int flags) -+{ -+ if ((flags & (F_DELUDE | F_TARPIT)) == (F_DELUDE | F_TARPIT)) -+ /* If flags == 0x03, both were specified, which should not be. */ -+ exit_error(PARAMETER_PROBLEM, -+ "CHAOS: only one of --tarpit or --delude " -+ "may be specified"); -+ return; -+} -+ -+static void chaos_tg_print(const void *ip, -+ const struct xt_entry_target *target, int numeric) -+{ -+ const struct xt_chaos_target_info *info = (const void *)target->data; -+ switch (info->variant) { -+ case XTCHAOS_DELUDE: -+ printf("DELUDE "); -+ break; -+ case XTCHAOS_TARPIT: -+ printf("TARPIT "); -+ break; -+ } -+ return; -+} -+ -+static void chaos_tg_save(const void *ip, const struct xt_entry_target *target) -+{ -+ const struct xt_chaos_target_info *info = (const void *)target->data; -+ switch (info->variant) { -+ case XTCHAOS_DELUDE: -+ printf("--delude "); -+ break; -+ case XTCHAOS_TARPIT: -+ printf("--tarpit "); -+ break; -+ } -+ return; -+} -+ -+static struct xtables_target chaos_tg_reg = { -+ .version = XTABLES_VERSION, -+ .name = "CHAOS", -+ .family = AF_INET, -+ .size = XT_ALIGN(sizeof(struct xt_chaos_target_info)), -+ .userspacesize = XT_ALIGN(sizeof(struct xt_chaos_target_info)), -+ .help = chaos_tg_help, -+ .parse = chaos_tg_parse, -+ .final_check = chaos_tg_check, -+ .print = chaos_tg_print, -+ .save = chaos_tg_save, -+ .extra_opts = chaos_tg_opts, -+}; -+ -+void _init(void) -+{ -+ xtables_register_target(&chaos_tg_reg); -+ return; -+} -Index: iptables-1.4.0/extensions/libxt_CHAOS.man -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_CHAOS.man -@@ -0,0 +1,18 @@ -+Causes confusion on the other end by doing odd things with incoming packets. -+CHAOS will randomly reply (or not) with one of its configurable subtargets: -+.TP -+\fB--delude\fR -+Use the REJECT and DELUDE targets as a base to do a sudden or deferred -+connection reset, fooling some network scanners to return non-deterministic -+(randomly open/closed) results, and in case it is deemed open, it is actually -+closed/filtered. -+.TP -+\fB--tarpit\fR -+Use the REJECT and TARPIT target as a base to hold the connection until it -+times out. This consumes conntrack entries when connection tracking is loaded -+(which usually is on most machines), and routers inbetween you and the Internet -+may fail to do their connection tracking if they have to handle more -+connections than they can. -+.PP -+The randomness factor of not replying vs. replying can be set during load-time -+of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters. -Index: iptables-1.4.0/extensions/.DELUDE-testx -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/.DELUDE-testx -@@ -0,0 +1,3 @@ -+#! /bin/sh -+ -+[ -f "$KERNEL_DIR/net/netfilter/xt_DELUDE.c" ] && echo "DELUDE" -Index: iptables-1.4.0/extensions/libxt_DELUDE.c -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_DELUDE.c -@@ -0,0 +1,49 @@ -+/* -+ * DELUDE target for iptables -+ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 -+ * Contact: Jan Engelhardt -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License; either version -+ * 2 or 3 as published by the Free Software Foundation. -+ */ -+#include -+#include -+#include -+ -+#include -+#include -+ -+static void delude_tg_help(void) -+{ -+ printf("DELUDE takes no options\n"); -+ return; -+} -+ -+static int delude_tg_parse(int c, char **argv, int invert, unsigned int *flags, -+ const void *entry, struct xt_entry_target **target) -+{ -+ return 0; -+} -+ -+static void delude_tg_check(unsigned int flags) -+{ -+ return; -+} -+ -+static struct xtables_target delude_tg_reg = { -+ .version = XTABLES_VERSION, -+ .name = "DELUDE", -+ .family = AF_INET, -+ .size = XT_ALIGN(0), -+ .userspacesize = XT_ALIGN(0), -+ .help = delude_tg_help, -+ .parse = delude_tg_parse, -+ .final_check = delude_tg_check, -+}; -+ -+void _init(void) -+{ -+ xtables_register_target(&delude_tg_reg); -+ return; -+} -Index: iptables-1.4.0/extensions/libxt_DELUDE.man -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_DELUDE.man -@@ -0,0 +1,4 @@ -+The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other -+packets with an RST. This will terminate the connection much like REJECT, but -+network scanners doing TCP half-open discovery can be spoofed to make them -+belive the port is open rather than closed/filtered. -Index: iptables-1.4.0/extensions/.portscan-testx -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/.portscan-testx -@@ -0,0 +1,3 @@ -+#! /bin/sh -+ -+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan" -Index: iptables-1.4.0/extensions/libxt_portscan.c -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_portscan.c -@@ -0,0 +1,127 @@ -+/* -+ * portscan match for iptables -+ * Copyright © CC Computer Consultants GmbH, 2006 - 2007 -+ * Contact: Jan Engelhardt -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License; either version -+ * 2 or 3 as published by the Free Software Foundation. -+ */ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+static const struct option portscan_mt_opts[] = { -+ {.name = "stealth", .has_arg = false, .val = 'x'}, -+ {.name = "synscan", .has_arg = false, .val = 's'}, -+ {.name = "cnscan", .has_arg = false, .val = 'c'}, -+ {.name = "grscan", .has_arg = false, .val = 'g'}, -+ {}, -+}; -+ -+static void portscan_mt_help(void) -+{ -+ printf( -+ "portscan match v%s options:\n" -+ "(Combining them will make them match by OR-logic)\n" -+ " --stealth Match TCP Stealth packets\n" -+ " --synscan Match TCP SYN scans\n" -+ " --cnscan Match TCP Connect scans\n" -+ " --grscan Match Banner Grabbing scans\n", -+ XTABLES_VERSION); -+ return; -+} -+ -+static int portscan_mt_parse(int c, char **argv, int invert, -+ unsigned int *flags, const void *entry, struct xt_entry_match **match) -+{ -+ struct xt_portscan_match_info *info = (void *)((*match)->data); -+ -+ switch (c) { -+ case 'c': -+ info->match_cn = true; -+ return true; -+ case 'g': -+ info->match_gr = true; -+ return true; -+ case 's': -+ info->match_syn = true; -+ return true; -+ case 'x': -+ info->match_stealth = true; -+ return true; -+ } -+ return false; -+} -+ -+static void portscan_mt_check(unsigned int flags) -+{ -+ return; -+} -+ -+static void portscan_mt_print(const void *ip, -+ const struct xt_entry_match *match, int numeric) -+{ -+ const struct xt_portscan_match_info *info = (const void *)(match->data); -+ const char *s = ""; -+ -+ printf("portscan "); -+ if (info->match_stealth) { -+ printf("STEALTH"); -+ s = ","; -+ } -+ if (info->match_syn) { -+ printf("%sSYNSCAN", s); -+ s = ","; -+ } -+ if (info->match_cn) { -+ printf("%sCNSCAN", s); -+ s = ","; -+ } -+ if (info->match_gr) -+ printf("%sGRSCAN", s); -+ printf(" "); -+ return; -+} -+ -+static void portscan_mt_save(const void *ip, const struct xt_entry_match *match) -+{ -+ const struct xt_portscan_match_info *info = (const void *)(match->data); -+ -+ if (info->match_stealth) -+ printf("--stealth "); -+ if (info->match_syn) -+ printf("--synscan "); -+ if (info->match_cn) -+ printf("--cnscan "); -+ if (info->match_gr) -+ printf("--grscan "); -+ return; -+} -+ -+static struct xtables_match portscan_mt_reg = { -+ .version = XTABLES_VERSION, -+ .name = "portscan", -+ .family = AF_INET, -+ .size = XT_ALIGN(sizeof(struct xt_portscan_match_info)), -+ .userspacesize = XT_ALIGN(sizeof(struct xt_portscan_match_info)), -+ .help = portscan_mt_help, -+ .parse = portscan_mt_parse, -+ .final_check = portscan_mt_check, -+ .print = portscan_mt_print, -+ .save = portscan_mt_save, -+ .extra_opts = portscan_mt_opts, -+}; -+ -+void _init(void) -+{ -+ xtables_register_match(&portscan_mt_reg); -+ return; -+} -Index: iptables-1.4.0/extensions/libxt_portscan.man -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_portscan.man -@@ -0,0 +1,27 @@ -+Detects simple port scan attemps based upon the packet's contents. (This is -+different from other implementations, which also try to match the rate of new -+connections.) Note that an attempt is only discovered after it has been carried -+out, but this information can be used in conjunction with other rules to block -+the remote host's future connections. So this match module will match on the -+(probably) last packet the remote side will send to your machine. -+.TP -+\fB--stealth\fR -+Match if the packet did not belong to any known TCP connection -+(Stealth/FIN/XMAS/NULL scan). -+.TP -+\fB--synscan\fR -+Match if the connection was a TCP half-open discovery (SYN scan), i.e. the -+connection was torn down after the 2nd packet in the 3-way handshake. -+.TP -+\fB--cnscan\fR -+Match if the connection was a TCP full open discovery (connect scan), i.e. the -+connection was torn down after completion of the 3-way handshake. -+.TP -+\fB--grscan\fR -+Match if data in the connection only flew in the direction of the remote side, -+e.g. if the connection was terminated after a locally running daemon sent its -+identification. (e.g. openssh) -+.PP -+NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan, -+so be advised to carefully use xt_portscan in conjunction with blocking rules, -+as it may lock out your very own internal network. diff --git a/package/iptables/patches/1.4.1.1/007-tarpit_support.patch b/package/iptables/patches/1.4.1.1/007-tarpit_support.patch deleted file mode 100644 index 1ff3cbf7b6..0000000000 --- a/package/iptables/patches/1.4.1.1/007-tarpit_support.patch +++ /dev/null @@ -1,106 +0,0 @@ -Index: iptables-1.4.0/extensions/libxt_TARPIT.c -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_TARPIT.c -@@ -0,0 +1,55 @@ -+/* Shared library add-on to iptables to add TARPIT target support */ -+#include -+#include -+ -+#include -+#include -+ -+static void TARPIT_help(void) -+{ -+ fputs( -+"TARPIT takes no options\n" -+"\n", stdout); -+} -+ -+static struct option TARPIT_opts[] = { -+ { 0 } -+}; -+ -+static int TARPIT_parse(int c, char **argv, int invert, unsigned int *flags, -+ const void *entry, struct xt_entry_target **target) -+{ -+ return 0; -+} -+ -+static void TARPIT_final_check(unsigned int flags) -+{ -+} -+ -+static void TARPIT_print(const void *ip, const struct xt_entry_target *target, -+ int numeric) -+{ -+} -+ -+static void TARPIT_save(const void *ip, const struct xt_entry_target *target) -+{ -+} -+ -+static struct xtables_target tarpit_target = { -+ .family = AF_INET, -+ .name = "TARPIT", -+ .version = XTABLES_VERSION, -+ .size = XT_ALIGN(0), -+ .userspacesize = XT_ALIGN(0), -+ .help = TARPIT_help, -+ .parse = TARPIT_parse, -+ .final_check = TARPIT_final_check, -+ .print = TARPIT_print, -+ .save = TARPIT_save, -+ .extra_opts = TARPIT_opts -+}; -+ -+void _init(void) -+{ -+ xtables_register_target(&tarpit_target); -+} -Index: iptables-1.4.0/extensions/libxt_TARPIT.man -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/libxt_TARPIT.man -@@ -0,0 +1,34 @@ -+Captures and holds incoming TCP connections using no local -+per-connection resources. Connections are accepted, but immediately -+switched to the persist state (0 byte window), in which the remote -+side stops sending data and asks to continue every 60-240 seconds. -+Attempts to close the connection are ignored, forcing the remote side -+to time out the connection in 12-24 minutes. -+ -+This offers similar functionality to LaBrea -+ but doesn't require dedicated -+hardware or IPs. Any TCP port that you would normally DROP or REJECT -+can instead become a tarpit. -+ -+To tarpit connections to TCP port 80 destined for the current machine: -+.IP -+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT -+.P -+To significantly slow down Code Red/Nimda-style scans of unused address -+space, forward unused ip addresses to a Linux box not acting as a router -+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP -+forwarding on the Linux box, and add: -+.IP -+iptables -A FORWARD -p tcp -j TARPIT -+.IP -+iptables -A FORWARD -j DROP -+.TP -+NOTE: -+If you use the conntrack module while you are using TARPIT, you should -+also use the NOTRACK target, or the kernel will unnecessarily allocate -+resources for each TARPITted connection. To TARPIT incoming -+connections to the standard IRC port while using conntrack, you could: -+.IP -+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK -+.IP -+iptables -A INPUT -p tcp --dport 6667 -j TARPIT -Index: iptables-1.4.0/extensions/.TARPIT-testx -=================================================================== ---- /dev/null -+++ iptables-1.4.0/extensions/.TARPIT-testx -@@ -0,0 +1,2 @@ -+#! /bin/sh -+[ -f "$KERNEL_DIR/net/netfilter/xt_TARPIT.c" ] && echo "TARPIT"