diff options
Diffstat (limited to 'package/iptables/patches/008-chaostables.patch')
-rw-r--r-- | package/iptables/patches/008-chaostables.patch | 336 |
1 files changed, 336 insertions, 0 deletions
diff --git a/package/iptables/patches/008-chaostables.patch b/package/iptables/patches/008-chaostables.patch new file mode 100644 index 0000000..7fc1aab --- /dev/null +++ b/package/iptables/patches/008-chaostables.patch @@ -0,0 +1,336 @@ +diff -ruN iptables-1.3.5.orig/extensions/.CHAOS-test iptables-1.3.5/extensions/.CHAOS-test +--- iptables-1.3.5.orig/extensions/.CHAOS-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/.CHAOS-test 2007-01-09 16:05:23.251885840 +0100 +@@ -0,0 +1,2 @@ ++#!/bin/sh ++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS"; +diff -ruN iptables-1.3.5.orig/extensions/.DELUDE-test iptables-1.3.5/extensions/.DELUDE-test +--- iptables-1.3.5.orig/extensions/.DELUDE-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/.DELUDE-test 2007-01-09 16:05:18.104057722 +0100 +@@ -0,0 +1,2 @@ ++#!/bin/sh ++echo "DELUDE"; +diff -ruN iptables-1.3.5.orig/extensions/libipt_CHAOS.c iptables-1.3.5/extensions/libipt_CHAOS.c +--- iptables-1.3.5.orig/extensions/libipt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/libipt_CHAOS.c 2007-01-09 16:05:23.251885840 +0100 +@@ -0,0 +1,111 @@ ++/* ++ CHAOS target for iptables ++ ++ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007 ++ released under the terms of the GNU General Public ++ License version 2.x and only versions 2.x. ++*/ ++#include <getopt.h> ++#include <stdio.h> ++#include <string.h> ++ ++#include <iptables.h> ++#include <linux/netfilter_ipv4/ip_tables.h> ++#include <linux/netfilter/xt_CHAOS.h> ++ ++static void libipt_chaos_help(void) ++{ ++ printf( ++ "CHAOS target v%s options:\n" ++ " --delude Enable DELUDE processing for TCP\n" ++ " --tarpit Enable TARPIT processing for TCP\n", ++ IPTABLES_VERSION); ++ return; ++} ++ ++static int libipt_chaos_parse(int c, char **argv, int invert, ++ unsigned int *flags, const struct ipt_entry *entry, ++ struct ipt_entry_target **target) ++{ ++ struct xt_chaos_info *info = (void *)((*target)->data); ++ switch(c) { ++ case 'd': ++ info->variant = XTCHAOS_DELUDE; ++ *flags |= 0x02; ++ return 1; ++ case 't': ++ info->variant = XTCHAOS_TARPIT; ++ *flags |= 0x01; ++ return 1; ++ } ++ return 0; ++} ++ ++static void libipt_chaos_check(unsigned int flags) ++{ ++ if(flags != 0x03) ++ return; ++ /* If flags == 0x03, both were specified, which should not be. */ ++ exit_error(PARAMETER_PROBLEM, ++ "CHAOS: only one of --tarpit or --delude may be specified"); ++ return; ++} ++ ++static void libipt_chaos_print(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target, int numeric) ++{ ++ const struct xt_chaos_info *info = (const void *)target->data; ++ switch(info->variant) { ++ case XTCHAOS_DELUDE: ++ printf("DELUDE "); ++ break; ++ case XTCHAOS_TARPIT: ++ printf("TARPIT "); ++ break; ++ default: ++ break; ++ } ++ return; ++} ++ ++static void libipt_chaos_save(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target) ++{ ++ const struct xt_chaos_info *info = (const void *)target->data; ++ switch(info->variant) { ++ case XTCHAOS_DELUDE: ++ printf("--delude "); ++ break; ++ case XTCHAOS_TARPIT: ++ printf("--tarpit "); ++ break; ++ default: ++ break; ++ } ++ return; ++} ++ ++static struct option libipt_chaos_opts[] = { ++ {"delude", 0, NULL, 'd'}, ++ {"tarpit", 0, NULL, 't'}, ++ {NULL}, ++}; ++ ++static struct iptables_target libipt_chaos_info = { ++ .name = "CHAOS", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct xt_chaos_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)), ++ .help = libipt_chaos_help, ++ .parse = libipt_chaos_parse, ++ .final_check = libipt_chaos_check, ++ .print = libipt_chaos_print, ++ .save = libipt_chaos_save, ++ .extra_opts = libipt_chaos_opts, ++}; ++ ++static __attribute__((constructor)) void libipt_chaos_init(void) ++{ ++ register_target(&libipt_chaos_info); ++ return; ++} +diff -ruN iptables-1.3.5.orig/extensions/libipt_DELUDE.c iptables-1.3.5/extensions/libipt_DELUDE.c +--- iptables-1.3.5.orig/extensions/libipt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/libipt_DELUDE.c 2007-01-09 16:05:18.104057722 +0100 +@@ -0,0 +1,66 @@ ++/* ++ DELUDE target for iptables ++ ++ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007 ++ released under the terms of the GNU General Public ++ License version 2.x and only versions 2.x. ++*/ ++#include <getopt.h> ++#include <stdio.h> ++#include <string.h> ++ ++#include <iptables.h> ++#include <linux/netfilter_ipv4/ip_tables.h> ++ ++static void libipt_delude_help(void) ++{ ++ printf("DELUDE takes no options\n"); ++ return; ++} ++ ++static int libipt_delude_parse(int c, char **argv, int invert, ++ unsigned int *flags, const struct ipt_entry *entry, ++ struct ipt_entry_target **target) ++{ ++ return 0; ++} ++ ++static void libipt_delude_check(unsigned int flags) ++{ ++ return; ++} ++ ++static void libipt_delude_print(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target, int numeric) ++{ ++ return; ++} ++ ++static void libipt_delude_save(const struct ipt_ip *ip, ++ const struct ipt_entry_target *target) ++{ ++ return; ++} ++ ++static struct option libipt_delude_opts[] = { ++ {NULL}, ++}; ++ ++static struct iptables_target libipt_delude_info = { ++ .name = "DELUDE", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(0), ++ .userspacesize = IPT_ALIGN(0), ++ .help = libipt_delude_help, ++ .parse = libipt_delude_parse, ++ .final_check = libipt_delude_check, ++ .print = libipt_delude_print, ++ .save = libipt_delude_save, ++ .extra_opts = libipt_delude_opts, ++}; ++ ++static __attribute__((constructor)) void libipt_delude_init(void) ++{ ++ register_target(&libipt_delude_info); ++ return; ++} +diff -ruN iptables-1.3.5.orig/extensions/libipt_portscan.c iptables-1.3.5/extensions/libipt_portscan.c +--- iptables-1.3.5.orig/extensions/libipt_portscan.c 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/libipt_portscan.c 2007-01-09 16:05:14.228187134 +0100 +@@ -0,0 +1,129 @@ ++/* ++ portscan match for iptables ++ ++ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007 ++ released under the terms of the GNU General Public ++ License version 2.x and only versions 2.x. ++*/ ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++#include <getopt.h> ++ ++#include <iptables.h> ++#include <linux/netfilter_ipv4/ip_tables.h> ++#include <linux/netfilter/xt_portscan.h> ++ ++static void libipt_portscan_help(void) ++{ ++ printf( ++ "portscan match v%s options:\n" ++ "(Combining them will make them match by OR-logic)\n" ++ " --stealth Match TCP Stealth packets\n" ++ " --synscan Match TCP SYN scans\n" ++ " --cnscan Match TCP Connect scans\n" ++ " --grscan Match Banner Grabbing scans\n", ++ IPTABLES_VERSION); ++ return; ++} ++ ++static void libipt_portscan_mtinit(struct ipt_entry_match *match, ++ unsigned int *nfcache) ++{ ++ /* Cannot cache this */ ++ *nfcache |= NFC_UNKNOWN; ++ return; ++} ++ ++static int libipt_portscan_parse(int c, char **argv, int invert, ++ unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc, ++ struct ipt_entry_match **match) ++{ ++ struct xt_portscan_info *info = (void *)((*match)->data); ++ ++ switch(c) { ++ case 'c': ++ info->match_cn = 1; ++ return 1; ++ case 'g': ++ info->match_gr = 1; ++ return 1; ++ case 's': ++ info->match_syn = 1; ++ return 1; ++ case 'x': ++ info->match_stealth = 1; ++ return 1; ++ default: ++ return 0; ++ } ++} ++ ++static void libipt_portscan_check(unsigned int flags) ++{ ++ return; ++} ++ ++static void libipt_portscan_print(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match, int numeric) ++{ ++ const struct xt_portscan_info *info = (const void *)(match->data); ++ const char *s = ""; ++ ++ printf("portscan "); ++ if(info->match_stealth) { ++ printf("STEALTH"); ++ s = ","; ++ } ++ if(info->match_syn) { ++ printf("%sSYNSCAN", s); ++ s = ","; ++ } ++ if(info->match_cn) { ++ printf("%sCNSCAN", s); ++ s = ","; ++ } ++ if(info->match_gr) ++ printf("%sGRSCAN", s); ++ printf(" "); ++ return; ++} ++ ++static void libipt_portscan_save(const struct ipt_ip *ip, ++ const struct ipt_entry_match *match) ++{ ++ const struct xt_portscan_info *info = (const void *)(match->data); ++ if(info->match_stealth) printf("--stealth "); ++ if(info->match_syn) printf("--synscan "); ++ if(info->match_cn) printf("--cnscan "); ++ if(info->match_gr) printf("--grscan "); ++ return; ++} ++ ++static struct option libipt_portscan_opts[] = { ++ {"stealth", 0, NULL, 'x'}, ++ {"synscan", 0, NULL, 's'}, ++ {"cnscan", 0, NULL, 'c'}, ++ {"grscan", 0, NULL, 'g'}, ++ {NULL}, ++}; ++ ++static struct iptables_match libipt_portscan_info = { ++ .name = "portscan", ++ .version = IPTABLES_VERSION, ++ .size = IPT_ALIGN(sizeof(struct xt_portscan_info)), ++ .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)), ++ .help = libipt_portscan_help, ++ .init = libipt_portscan_mtinit, ++ .parse = libipt_portscan_parse, ++ .final_check = libipt_portscan_check, ++ .print = libipt_portscan_print, ++ .save = libipt_portscan_save, ++ .extra_opts = libipt_portscan_opts, ++}; ++ ++static __attribute__((constructor)) void libipt_portscan_init(void) ++{ ++ register_match(&libipt_portscan_info); ++ return; ++} +diff -ruN iptables-1.3.5.orig/extensions/.portscan-test iptables-1.3.5/extensions/.portscan-test +--- iptables-1.3.5.orig/extensions/.portscan-test 1970-01-01 01:00:00.000000000 +0100 ++++ iptables-1.3.5/extensions/.portscan-test 2007-01-09 16:05:14.228187134 +0100 +@@ -0,0 +1,2 @@ ++#!/bin/sh ++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan"; |