[openwrt.git] / package / iptables / patches / 08-chaostables.patch

diff -ruN iptables-1.3.5.orig/extensions/.CHAOS-test iptables-1.3.5/extensions/.CHAOS-test
--- iptables-1.3.5.orig/extensions/.CHAOS-test  1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/.CHAOS-test       2007-01-09 16:05:23.251885840 +0100
@@ -0,0 +1,2 @@
+#!/bin/sh
+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS";
diff -ruN iptables-1.3.5.orig/extensions/.DELUDE-test iptables-1.3.5/extensions/.DELUDE-test
--- iptables-1.3.5.orig/extensions/.DELUDE-test 1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/.DELUDE-test      2007-01-09 16:05:18.104057722 +0100
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo "DELUDE";
diff -ruN iptables-1.3.5.orig/extensions/libipt_CHAOS.c iptables-1.3.5/extensions/libipt_CHAOS.c
--- iptables-1.3.5.orig/extensions/libipt_CHAOS.c       1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/libipt_CHAOS.c    2007-01-09 16:05:23.251885840 +0100
@@ -0,0 +1,111 @@
+/*
+    CHAOS target for iptables
+
+    Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
+    released under the terms of the GNU General Public
+    License version 2.x and only versions 2.x.
+*/
+#include <getopt.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/xt_CHAOS.h>
+
+static void libipt_chaos_help(void)
+{
+       printf(
+               "CHAOS target v%s options:\n"
+               "  --delude     Enable DELUDE processing for TCP\n"
+               "  --tarpit     Enable TARPIT processing for TCP\n",
+               IPTABLES_VERSION);
+       return;
+}
+
+static int libipt_chaos_parse(int c, char **argv, int invert,
+    unsigned int *flags, const struct ipt_entry *entry,
+    struct ipt_entry_target **target)
+{
+       struct xt_chaos_info *info = (void *)((*target)->data);
+       switch(c) {
+               case 'd':
+                       info->variant = XTCHAOS_DELUDE;
+                       *flags |= 0x02;
+                       return 1;
+               case 't':
+                       info->variant = XTCHAOS_TARPIT;
+                       *flags |= 0x01;
+                       return 1;
+       }
+       return 0;
+}
+
+static void libipt_chaos_check(unsigned int flags)
+{
+       if(flags != 0x03)
+               return;
+       /* If flags == 0x03, both were specified, which should not be. */
+       exit_error(PARAMETER_PROBLEM,
+                  "CHAOS: only one of --tarpit or --delude may be specified");
+       return;
+}
+
+static void libipt_chaos_print(const struct ipt_ip *ip,
+    const struct ipt_entry_target *target, int numeric)
+{
+       const struct xt_chaos_info *info = (const void *)target->data;
+       switch(info->variant) {
+               case XTCHAOS_DELUDE:
+                       printf("DELUDE ");
+                       break;
+               case XTCHAOS_TARPIT:
+                       printf("TARPIT ");
+                       break;
+               default:
+                       break;
+       }
+       return;
+}
+
+static void libipt_chaos_save(const struct ipt_ip *ip,
+    const struct ipt_entry_target *target)
+{
+       const struct xt_chaos_info *info = (const void *)target->data;
+       switch(info->variant) {
+               case XTCHAOS_DELUDE:
+                       printf("--delude ");
+                       break;
+               case XTCHAOS_TARPIT:
+                       printf("--tarpit ");
+                       break;
+               default:
+                       break;
+       }
+       return;
+}
+
+static struct option libipt_chaos_opts[] = {
+       {"delude", 0, NULL, 'd'},
+       {"tarpit", 0, NULL, 't'},
+       {NULL},
+};
+
+static struct iptables_target libipt_chaos_info = {
+       .name          = "CHAOS",
+       .version       = IPTABLES_VERSION,
+       .size          = IPT_ALIGN(sizeof(struct xt_chaos_info)),
+       .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)),
+       .help          = libipt_chaos_help,
+       .parse         = libipt_chaos_parse,
+       .final_check   = libipt_chaos_check,
+       .print         = libipt_chaos_print,
+       .save          = libipt_chaos_save,
+       .extra_opts    = libipt_chaos_opts,
+};
+
+static __attribute__((constructor)) void libipt_chaos_init(void)
+{
+       register_target(&libipt_chaos_info);
+       return;
+}
diff -ruN iptables-1.3.5.orig/extensions/libipt_DELUDE.c iptables-1.3.5/extensions/libipt_DELUDE.c
--- iptables-1.3.5.orig/extensions/libipt_DELUDE.c      1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/libipt_DELUDE.c   2007-01-09 16:05:18.104057722 +0100
@@ -0,0 +1,66 @@
+/*
+    DELUDE target for iptables
+
+    Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
+    released under the terms of the GNU General Public
+    License version 2.x and only versions 2.x.
+*/
+#include <getopt.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+static void libipt_delude_help(void)
+{
+       printf("DELUDE takes no options\n");
+       return;
+}
+
+static int libipt_delude_parse(int c, char **argv, int invert,
+    unsigned int *flags, const struct ipt_entry *entry,
+    struct ipt_entry_target **target)
+{
+       return 0;
+}
+
+static void libipt_delude_check(unsigned int flags)
+{
+       return;
+}
+
+static void libipt_delude_print(const struct ipt_ip *ip,
+    const struct ipt_entry_target *target, int numeric)
+{
+       return;
+}
+
+static void libipt_delude_save(const struct ipt_ip *ip,
+    const struct ipt_entry_target *target)
+{
+       return;
+}
+
+static struct option libipt_delude_opts[] = {
+       {NULL},
+};
+
+static struct iptables_target libipt_delude_info = {
+       .name          = "DELUDE",
+       .version       = IPTABLES_VERSION,
+       .size          = IPT_ALIGN(0),
+       .userspacesize = IPT_ALIGN(0),
+       .help          = libipt_delude_help,
+       .parse         = libipt_delude_parse,
+       .final_check   = libipt_delude_check,
+       .print         = libipt_delude_print,
+       .save          = libipt_delude_save,
+       .extra_opts    = libipt_delude_opts,
+};
+
+static __attribute__((constructor)) void libipt_delude_init(void)
+{
+       register_target(&libipt_delude_info);
+       return;
+}
diff -ruN iptables-1.3.5.orig/extensions/libipt_portscan.c iptables-1.3.5/extensions/libipt_portscan.c
--- iptables-1.3.5.orig/extensions/libipt_portscan.c    1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/libipt_portscan.c 2007-01-09 16:05:14.228187134 +0100
@@ -0,0 +1,129 @@
+/*
+    portscan match for iptables
+
+    Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
+    released under the terms of the GNU General Public
+    License version 2.x and only versions 2.x.
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/xt_portscan.h>
+
+static void libipt_portscan_help(void)
+{
+       printf(
+               "portscan match v%s options:\n"
+               "(Combining them will make them match by OR-logic)\n"
+               "  --stealth    Match TCP Stealth packets\n"
+               "  --synscan    Match TCP SYN scans\n"
+               "  --cnscan     Match TCP Connect scans\n"
+               "  --grscan     Match Banner Grabbing scans\n",
+               IPTABLES_VERSION);
+       return;
+}
+
+static void libipt_portscan_mtinit(struct ipt_entry_match *match,
+    unsigned int *nfcache)
+{
+       /* Cannot cache this */
+       *nfcache |= NFC_UNKNOWN;
+       return;
+}
+
+static int libipt_portscan_parse(int c, char **argv, int invert,
+    unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc,
+    struct ipt_entry_match **match)
+{
+       struct xt_portscan_info *info = (void *)((*match)->data);
+
+       switch(c) {
+               case 'c':
+                       info->match_cn = 1;
+                       return 1;
+               case 'g':
+                       info->match_gr = 1;
+                       return 1;
+               case 's':
+                       info->match_syn = 1;
+                       return 1;
+               case 'x':
+                       info->match_stealth = 1;
+                       return 1;
+               default:
+                       return 0;
+       }
+}
+
+static void libipt_portscan_check(unsigned int flags)
+{
+       return;
+}
+
+static void libipt_portscan_print(const struct ipt_ip *ip,
+    const struct ipt_entry_match *match, int numeric)
+{
+       const struct xt_portscan_info *info = (const void *)(match->data);
+       const char *s = "";
+
+       printf("portscan ");
+       if(info->match_stealth) {
+               printf("STEALTH");
+               s = ",";
+       }
+       if(info->match_syn) {
+               printf("%sSYNSCAN", s);
+               s = ",";
+       }
+       if(info->match_cn) {
+               printf("%sCNSCAN", s);
+               s = ",";
+       }
+       if(info->match_gr)
+               printf("%sGRSCAN", s);
+       printf(" ");
+       return;
+}
+
+static void libipt_portscan_save(const struct ipt_ip *ip,
+    const struct ipt_entry_match *match)
+{
+       const struct xt_portscan_info *info = (const void *)(match->data);
+       if(info->match_stealth) printf("--stealth ");
+       if(info->match_syn)     printf("--synscan ");
+       if(info->match_cn)      printf("--cnscan ");
+       if(info->match_gr)      printf("--grscan ");
+       return;
+}
+
+static struct option libipt_portscan_opts[] = {
+       {"stealth", 0, NULL, 'x'},
+       {"synscan", 0, NULL, 's'},
+       {"cnscan",  0, NULL, 'c'},
+       {"grscan",  0, NULL, 'g'},
+       {NULL},
+};
+
+static struct iptables_match libipt_portscan_info = {
+       .name          = "portscan",
+       .version       = IPTABLES_VERSION,
+       .size          = IPT_ALIGN(sizeof(struct xt_portscan_info)),
+       .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)),
+       .help          = libipt_portscan_help,
+       .init          = libipt_portscan_mtinit,
+       .parse         = libipt_portscan_parse,
+       .final_check   = libipt_portscan_check,
+       .print         = libipt_portscan_print,
+       .save          = libipt_portscan_save,
+       .extra_opts    = libipt_portscan_opts,
+};
+
+static __attribute__((constructor)) void libipt_portscan_init(void)
+{
+       register_match(&libipt_portscan_info);
+       return;
+}
diff -ruN iptables-1.3.5.orig/extensions/.portscan-test iptables-1.3.5/extensions/.portscan-test
--- iptables-1.3.5.orig/extensions/.portscan-test       1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/.portscan-test    2007-01-09 16:05:14.228187134 +0100
@@ -0,0 +1,2 @@
+#!/bin/sh
+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan";