1 --- a/include/linux/netfilter/Kbuild
2 +++ b/include/linux/netfilter/Kbuild
4 header-y += nfnetlink_conntrack.h
5 header-y += nfnetlink_log.h
6 header-y += nfnetlink_queue.h
7 +header-y += xt_CHAOS.h
8 header-y += xt_CLASSIFY.h
9 header-y += xt_comment.h
10 header-y += xt_connbytes.h
11 Index: linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h
12 ===================================================================
14 +++ linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h
16 +#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
17 +# include <linux/netfilter_ipv4/ip_conntrack.h>
18 +#else /* linux-2.6.20+ */
19 +# include <net/netfilter/nf_nat_rule.h>
21 Index: linux-2.6.21.7/include/linux/netfilter/oot_trans.h
22 ===================================================================
24 +++ linux-2.6.21.7/include/linux/netfilter/oot_trans.h
26 +/* Out of tree workarounds */
27 +#include <linux/version.h>
28 +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
29 +# define HAVE_MATCHINFOSIZE 1
30 +# define HAVE_TARGUSERINFO 1
31 +# define HAVE_TARGINFOSIZE 1
33 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
36 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
37 +# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
38 + tcp_v4_check((tcph_sz), (s), (d), (csp))
40 Index: linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h
41 ===================================================================
43 +++ linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h
45 +#ifndef _LINUX_NETFILTER_XT_CHAOS_H
46 +#define _LINUX_NETFILTER_XT_CHAOS_H 1
48 +enum xt_chaos_target_variant {
54 +struct xt_chaos_target_info {
58 +#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
59 Index: linux-2.6.21.7/include/linux/netfilter/xt_portscan.h
60 ===================================================================
62 +++ linux-2.6.21.7/include/linux/netfilter/xt_portscan.h
64 +#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
65 +#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
67 +struct xt_portscan_match_info {
68 + uint8_t match_stealth, match_syn, match_cn, match_gr;
71 +#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
72 Index: linux-2.6.21.7/net/netfilter/find_match.c
73 ===================================================================
75 +++ linux-2.6.21.7/net/netfilter/find_match.c
78 + xt_request_find_match
79 + by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
81 + Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
82 + Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
83 + This program is free software; you can redistribute it and/or modify
84 + it under the terms of the GNU General Public License version 2 as
85 + published by the Free Software Foundation.
87 +#include <linux/err.h>
88 +#include <linux/netfilter_arp.h>
89 +#include <linux/socket.h>
90 +#include <linux/netfilter/x_tables.h>
93 + * Yeah this code is sub-optimal, but the function is missing in
94 + * mainline so far. -jengelh
96 +static struct xt_match *xt_request_find_match_lo(int af, const char *name,
99 + static const char *const xt_prefix[] = {
101 + [AF_INET6] = "ip6",
104 + struct xt_match *match;
106 + match = try_then_request_module(xt_find_match(af, name, revision),
107 + "%st_%s", xt_prefix[af], name);
108 + if (IS_ERR(match) || match == NULL)
114 +/* In case it goes into mainline, let this out-of-tree package compile */
115 +#define xt_request_find_match xt_request_find_match_lo
116 Index: linux-2.6.21.7/net/netfilter/Kconfig
117 ===================================================================
118 --- linux-2.6.21.7.orig/net/netfilter/Kconfig
119 +++ linux-2.6.21.7/net/netfilter/Kconfig
120 @@ -287,6 +287,14 @@ config NETFILTER_XTABLES
122 # alphabetically ordered list of targets
124 +config NETFILTER_XT_TARGET_CHAOS
125 + tristate '"CHAOS" target support'
126 + depends on NETFILTER_XTABLES
128 + This option adds a `CHAOS' target.
130 + To compile it as a module, choose M here. If unsure, say N.
132 config NETFILTER_XT_TARGET_CLASSIFY
133 tristate '"CLASSIFY" target support'
134 depends on NETFILTER_XTABLES
135 @@ -315,6 +323,14 @@ config NETFILTER_XT_TARGET_CONNMARK
136 <file:Documentation/modules.txt>. The module will be called
137 ipt_CONNMARK.o. If unsure, say `N'.
139 +config NETFILTER_XT_TARGET_DELUDE
140 + tristate '"DELUDE" target support'
141 + depends on NETFILTER_XTABLES
143 + This option adds a `DELUDE' target.
145 + To compile it as a module, choose M here. If unsure, say N.
147 config NETFILTER_XT_TARGET_DSCP
148 tristate '"DSCP" target support'
149 depends on NETFILTER_XTABLES
150 @@ -563,6 +579,14 @@ config NETFILTER_XT_MATCH_POLICY
152 To compile it as a module, choose M here. If unsure, say N.
154 +config NETFILTER_XT_MATCH_PORTSCAN
155 + tristate '"portscan" match support'
156 + depends on NETFILTER_XTABLES
158 + This option adds a 'portscan' match support.
160 + To compile it as a module, choose M here. If unsure, say N.
162 config NETFILTER_XT_MATCH_MULTIPORT
163 tristate "Multiple port match support"
164 depends on NETFILTER_XTABLES
165 Index: linux-2.6.21.7/net/netfilter/Makefile
166 ===================================================================
167 --- linux-2.6.21.7.orig/net/netfilter/Makefile
168 +++ linux-2.6.21.7/net/netfilter/Makefile
169 @@ -47,6 +47,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK
170 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
171 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
172 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
173 +obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
174 +obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
177 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
178 @@ -74,3 +76,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING)
179 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
180 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
181 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
182 +obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
183 Index: linux-2.6.21.7/net/netfilter/xt_CHAOS.c
184 ===================================================================
186 +++ linux-2.6.21.7/net/netfilter/xt_CHAOS.c
189 + * CHAOS target for netfilter
190 + * Copyright © CC Computer Consultants GmbH, 2006 - 2007
191 + * Contact: Jan Engelhardt <jengelh@computergmbh.de>
193 + * This program is free software; you can redistribute it and/or modify
194 + * it under the terms of the GNU General Public License; either version
195 + * 2 or 3 as published by the Free Software Foundation.
197 +#include <linux/icmp.h>
198 +#include <linux/in.h>
199 +#include <linux/ip.h>
200 +#include <linux/module.h>
201 +#include <linux/skbuff.h>
202 +#include <linux/stat.h>
203 +#include <linux/netfilter/x_tables.h>
204 +#include <linux/netfilter/xt_tcpudp.h>
205 +#include <linux/netfilter_ipv4/ipt_REJECT.h>
208 +# include "xt_CHAOS.h"
209 +# include "find_match.c"
210 +#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
211 + defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
212 +# include <linux/netfilter/xt_CHAOS.h>
213 +# include "find_match.c"
215 +# include "xt_CHAOS.h"
216 +# include "find_match.c"
218 +#define PFX KBUILD_MODNAME ": "
220 +/* Module parameters */
221 +static unsigned int reject_percentage = ~0U * .01;
222 +static unsigned int delude_percentage = ~0U * .0101;
223 +module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
224 +module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
226 +/* References to other matches/targets */
227 +static struct xt_match *xm_tcp;
228 +static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
230 +static int have_delude, have_tarpit;
232 +/* Static data for other matches/targets */
233 +static const struct ipt_reject_info reject_params = {
234 + .with = ICMP_HOST_UNREACH,
237 +static const struct xt_tcp tcp_params = {
242 +/* CHAOS functions */
243 +static void xt_chaos_total(const struct xt_chaos_target_info *info,
244 + struct sk_buff **pskb, const struct net_device *in,
245 + const struct net_device *out, unsigned int hooknum)
247 + const struct iphdr *iph = ip_hdr(*pskb);
248 + const int protoff = 4 * iph->ihl;
249 + const int offset = ntohs(iph->frag_off) & IP_OFFSET;
250 + const struct xt_target *destiny;
251 + int hotdrop = 0, ret;
253 + ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
254 + offset, protoff, &hotdrop);
255 + if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
258 + destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
259 + destiny->target(pskb, in, out, hooknum, destiny, NULL);
263 +static unsigned int chaos_tg(struct sk_buff **pskb,
264 + const struct net_device *in, const struct net_device *out,
265 + unsigned int hooknum, const struct xt_target *target, const void *targinfo)
269 + * -A chaos -m statistic --mode random --probability \
270 + * $reject_percentage -j REJECT --reject-with host-unreach;
271 + * -A chaos -p tcp -m statistic --mode random --probability \
272 + * $delude_percentage -j DELUDE;
273 + * -A chaos -j DROP;
275 + const struct xt_chaos_target_info *info = targinfo;
276 + const struct iphdr *iph = ip_hdr(*pskb);
278 + if ((unsigned int)net_random() <= reject_percentage)
279 + return xt_reject->target(pskb, in, out, hooknum, target,
282 + /* TARPIT/DELUDE may not be called from the OUTPUT chain */
283 + if (iph->protocol == IPPROTO_TCP &&
284 + info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
285 + xt_chaos_total(info, pskb, in, out, hooknum);
290 +static int chaos_tg_check(const char *tablename, const void *entry,
291 + const struct xt_target *target, void *targinfo, unsigned int hook_mask)
293 + const struct xt_chaos_target_info *info = targinfo;
295 + if (info->variant == XTCHAOS_DELUDE && !have_delude) {
296 + printk(KERN_WARNING PFX "Error: Cannot use --delude when "
297 + "DELUDE module not available\n");
300 + if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
301 + printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
302 + "TARPIT module not available\n");
309 +static struct xt_target chaos_tg_reg = {
313 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
314 + (1 << NF_IP_LOCAL_OUT),
315 + .checkentry = chaos_tg_check,
316 + .target = chaos_tg,
317 + .targetsize = sizeof(struct xt_chaos_target_info),
321 +static int __init chaos_tg_init(void)
325 + xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
326 + if (xm_tcp == NULL) {
327 + printk(KERN_WARNING PFX "Error: Could not find or load "
328 + "\"tcp\" match\n");
332 + xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
333 + if (xt_reject == NULL) {
334 + printk(KERN_WARNING PFX "Error: Could not find or load "
335 + "\"REJECT\" target\n");
339 + xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
340 + have_tarpit = xt_tarpit != NULL;
342 + printk(KERN_WARNING PFX "Warning: Could not find or load "
343 + "\"TARPIT\" target\n");
345 + xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
346 + have_delude = xt_delude != NULL;
348 + printk(KERN_WARNING PFX "Warning: Could not find or load "
349 + "\"DELUDE\" target\n");
351 + if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
352 + printk(KERN_WARNING PFX "xt_register_target returned "
353 + "error %d\n", ret);
361 + module_put(xt_delude->me);
363 + module_put(xt_tarpit->me);
364 + module_put(xt_reject->me);
366 + module_put(xm_tcp->me);
370 +static void __exit chaos_tg_exit(void)
372 + xt_unregister_target(&chaos_tg_reg);
373 + module_put(xm_tcp->me);
374 + module_put(xt_reject->me);
376 + module_put(xt_delude->me);
378 + module_put(xt_tarpit->me);
382 +module_init(chaos_tg_init);
383 +module_exit(chaos_tg_exit);
384 +MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
385 +MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
386 +MODULE_LICENSE("GPL");
387 +MODULE_ALIAS("ipt_CHAOS");
388 Index: linux-2.6.21.7/net/netfilter/xt_DELUDE.c
389 ===================================================================
391 +++ linux-2.6.21.7/net/netfilter/xt_DELUDE.c
395 + * Copyright © CC Computer Consultants GmbH, 2007
396 + * Contact: Jan Engelhardt <jengelh@computergmbh.de>
398 + * Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
399 + * (C) 1999-2001 Paul `Rusty' Russell
400 + * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
402 + * xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
404 + * This program is free software; you can redistribute it and/or modify
405 + * it under the terms of the GNU General Public License version 2 as
406 + * published by the Free Software Foundation.
408 +#include <linux/module.h>
409 +#include <linux/skbuff.h>
410 +#include <linux/ip.h>
411 +#include <linux/tcp.h>
412 +#include <linux/netfilter/x_tables.h>
413 +#ifdef CONFIG_BRIDGE_NETFILTER
414 +# include <linux/netfilter_bridge.h>
416 +#include <net/tcp.h>
417 +#define PFX KBUILD_MODNAME ": "
419 +static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
421 + struct tcphdr _otcph, *oth, *tcph;
422 + unsigned int addr_type;
423 + struct sk_buff *nskb;
424 + u_int16_t tmp_port;
425 + u_int32_t tmp_addr;
426 + struct iphdr *niph;
429 + /* IP header checks: fragment. */
430 + if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
433 + oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
434 + sizeof(_otcph), &_otcph);
438 + /* No RST for RST. */
442 + /* Check checksum */
443 + if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
446 + /* We need a linear, writeable skb. We also need to expand
447 + headroom in case hh_len of incoming interface < hh_len of
448 + outgoing interface */
449 + nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
454 + /* This packet will not be the same as the other: clear nf fields */
457 + skb_init_secmark(nskb);
459 + skb_shinfo(nskb)->gso_size = 0;
460 + skb_shinfo(nskb)->gso_segs = 0;
461 + skb_shinfo(nskb)->gso_type = 0;
463 + tcph = (struct tcphdr *)(skb_network_header(nskb) + ip_hdrlen(nskb));
465 + /* Swap source and dest */
466 + niph = ip_hdr(nskb);
467 + tmp_addr = niph->saddr;
468 + niph->saddr = niph->daddr;
469 + niph->daddr = tmp_addr;
470 + tmp_port = tcph->source;
471 + tcph->source = tcph->dest;
472 + tcph->dest = tmp_port;
474 + /* Truncate to length (no data) */
475 + tcph->doff = sizeof(struct tcphdr) / 4;
476 + skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
477 + niph->tot_len = htons(nskb->len);
479 + if (oth->syn && !oth->ack && !oth->rst && !oth->fin) {
480 + /* DELUDE essential part */
481 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
482 + oldskb->len - ip_hdrlen(oldskb) -
489 + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn +
490 + oth->fin + oldskb->len -
491 + ip_hdrlen(oldskb) - (oth->doff<<2));
495 + tcph->seq = oth->ack_seq;
496 + tcph->ack_seq = false;
500 + ((u_int8_t *)tcph)[13] = 0;
502 + tcph->ack = needs_ack;
508 + /* Adjust TCP checksum */
510 + tcph->check = tcp_v4_check(sizeof(struct tcphdr), niph->saddr,
511 + niph->daddr, csum_partial((char *)tcph,
512 + sizeof(struct tcphdr), 0));
514 + /* Set DF, id = 0 */
515 + niph->frag_off = htons(IP_DF);
518 + addr_type = RTN_UNSPEC;
519 +#ifdef CONFIG_BRIDGE_NETFILTER
520 + if (hook != NF_IP_FORWARD || (nskb->nf_bridge != NULL &&
521 + nskb->nf_bridge->mask & BRNF_BRIDGED))
523 + if (hook != NF_IP_FORWARD)
525 + addr_type = RTN_LOCAL;
527 + if (ip_route_me_harder(&nskb, addr_type))
530 + nskb->ip_summed = CHECKSUM_NONE;
532 + /* Adjust IP TTL */
533 + niph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
535 + /* Adjust IP checksum */
537 + niph->check = ip_fast_csum(skb_network_header(nskb), niph->ihl);
539 + /* "Never happens" */
540 + if (nskb->len > dst_mtu(nskb->dst))
543 + nf_ct_attach(nskb, oldskb);
545 + NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
553 +static unsigned int delude_tg(struct sk_buff **pskb,
554 + const struct net_device *in, const struct net_device *out,
555 + unsigned int hooknum, const struct xt_target *target, const void *targinfo)
557 + /* WARNING: This code causes reentry within iptables.
558 + This means that the iptables jump stack is now crap. We
559 + must return an absolute verdict. --RR */
560 + delude_send_reset(*pskb, hooknum);
564 +static struct xt_target delude_tg_reg = {
568 + .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD),
569 + .target = delude_tg,
570 + .proto = IPPROTO_TCP,
574 +static int __init delude_tg_init(void)
576 + return xt_register_target(&delude_tg_reg);
579 +static void __exit delude_tg_exit(void)
581 + xt_unregister_target(&delude_tg_reg);
584 +module_init(delude_tg_init);
585 +module_exit(delude_tg_exit);
586 +MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
587 +MODULE_DESCRIPTION("netfilter \"DELUDE\" target");
588 +MODULE_LICENSE("GPL");
589 +MODULE_ALIAS("ipt_DELUDE");
590 Index: linux-2.6.21.7/net/netfilter/xt_portscan.c
591 ===================================================================
593 +++ linux-2.6.21.7/net/netfilter/xt_portscan.c
596 + * portscan match for netfilter
597 + * Copyright © CC Computer Consultants GmbH, 2006 - 2007
598 + * Contact: Jan Engelhardt <jengelh@computergmbh.de>
600 + * This program is free software; you can redistribute it and/or modify
601 + * it under the terms of the GNU General Public License; either version
602 + * 2 or 3 as published by the Free Software Foundation.
604 +#include <linux/in.h>
605 +#include <linux/ip.h>
606 +#include <linux/module.h>
607 +#include <linux/moduleparam.h>
608 +#include <linux/skbuff.h>
609 +#include <linux/stat.h>
610 +#include <linux/tcp.h>
611 +#include <linux/types.h>
612 +#include <linux/version.h>
613 +#include <linux/netfilter/x_tables.h>
614 +#include <linux/netfilter/xt_tcpudp.h>
615 +#include <net/netfilter/nf_nat_rule.h>
617 +# include "xt_portscan.h"
618 +#elif defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) || \
619 + defined(CONFIG_NETFILTER_XT_MATCH_PORTSCAN_MODULE)
620 +# include <linux/netfilter/xt_portscan.h>
622 +# include "xt_portscan.h"
624 +#define PFX KBUILD_MODNAME ": "
627 + TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
628 + TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,
629 + TCP_FLAGS_ALL6 = TCP_FLAGS_ALL4 | TCP_FLAG_PSH | TCP_FLAG_URG,
632 +/* Module parameters */
634 + connmark_mask = ~0,
639 + mark_synscan = 0x3,
646 +module_param(connmark_mask, uint, S_IRUGO | S_IWUSR);
647 +module_param(packet_mask, uint, S_IRUGO | S_IWUSR);
648 +module_param(mark_seen, uint, S_IRUGO | S_IWUSR);
649 +module_param(mark_synrcv, uint, S_IRUGO | S_IWUSR);
650 +module_param(mark_closed, uint, S_IRUGO | S_IWUSR);
651 +module_param(mark_synscan, uint, S_IRUGO | S_IWUSR);
652 +module_param(mark_estab1, uint, S_IRUGO | S_IWUSR);
653 +module_param(mark_estab2, uint, S_IRUGO | S_IWUSR);
654 +module_param(mark_cnscan, uint, S_IRUGO | S_IWUSR);
655 +module_param(mark_grscan, uint, S_IRUGO | S_IWUSR);
656 +module_param(mark_valid, uint, S_IRUGO | S_IWUSR);
657 +MODULE_PARM_DESC(connmark_mask, "only set specified bits in connection mark");
658 +MODULE_PARM_DESC(packet_mask, "only set specified bits in packet mark");
659 +MODULE_PARM_DESC(mark_seen, "nfmark value for packet-seen state");
660 +MODULE_PARM_DESC(mark_synrcv, "connmark value for SYN Received state");
661 +MODULE_PARM_DESC(mark_closed, "connmark value for closed state");
662 +MODULE_PARM_DESC(mark_synscan, "connmark value for SYN Scan state");
663 +MODULE_PARM_DESC(mark_estab1, "connmark value for Established-1 state");
664 +MODULE_PARM_DESC(mark_estab2, "connmark value for Established-2 state");
665 +MODULE_PARM_DESC(mark_cnscan, "connmark value for Connect Scan state");
666 +MODULE_PARM_DESC(mark_grscan, "connmark value for Grab Scan state");
667 +MODULE_PARM_DESC(mark_valid, "connmark value for Valid state");
669 +/* TCP flag functions */
670 +static inline bool tflg_ack4(const struct tcphdr *th)
672 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_ACK;
675 +static inline bool tflg_ack6(const struct tcphdr *th)
677 + return (tcp_flag_word(th) & TCP_FLAGS_ALL6) == TCP_FLAG_ACK;
680 +static inline bool tflg_fin(const struct tcphdr *th)
682 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_FIN;
685 +static inline bool tflg_rst(const struct tcphdr *th)
687 + return (tcp_flag_word(th) & TCP_FLAGS_ALL3) == TCP_FLAG_RST;
690 +static inline bool tflg_rstack(const struct tcphdr *th)
692 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
693 + (TCP_FLAG_ACK | TCP_FLAG_RST);
696 +static inline bool tflg_syn(const struct tcphdr *th)
698 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) == TCP_FLAG_SYN;
701 +static inline bool tflg_synack(const struct tcphdr *th)
703 + return (tcp_flag_word(th) & TCP_FLAGS_ALL4) ==
704 + (TCP_FLAG_SYN | TCP_FLAG_ACK);
707 +/* portscan functions */
708 +static inline bool portscan_mt_stealth(const struct tcphdr *th)
711 + * "Connection refused" replies to our own probes must not be matched.
713 + if (tflg_rstack(th))
716 + if (tflg_rst(th) && printk_ratelimit()) {
717 + printk(KERN_WARNING PFX "Warning: Pure RST received\n");
722 + * -p tcp ! --syn -m conntrack --ctstate INVALID: Looking for non-start
723 + * packets that are not associated with any connection -- this will
724 + * match most scan types (NULL, XMAS, FIN) and ridiculous flag
725 + * combinations (SYN-RST, SYN-FIN, SYN-FIN-RST, FIN-RST, etc.).
727 + return !tflg_syn(th);
730 +static inline unsigned int portscan_mt_full(int mark,
731 + enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
732 + unsigned int payload_len)
734 + if (mark == mark_estab2) {
736 + * -m connmark --mark $ESTAB2
738 + if (tflg_ack4(tcph) && payload_len == 0)
739 + return mark; /* keep mark */
740 + else if (tflg_rst(tcph) || tflg_fin(tcph))
741 + return mark_grscan;
744 + } else if (mark == mark_estab1) {
746 + * -m connmark --mark $ESTAB1
748 + if (tflg_rst(tcph) || tflg_fin(tcph))
749 + return mark_cnscan;
750 + else if (!loopback && tflg_ack4(tcph) && payload_len == 0)
751 + return mark_estab2;
754 + } else if (mark == mark_synrcv) {
756 + * -m connmark --mark $SYN
758 + if (loopback && tflg_synack(tcph))
759 + return mark; /* keep mark */
760 + else if (loopback && tflg_rstack(tcph))
761 + return mark_closed;
762 + else if (tflg_ack6(tcph))
763 + return mark_estab1;
765 + return mark_synscan;
766 + } else if (ctstate == IP_CT_NEW && tflg_syn(tcph)) {
768 + * -p tcp --syn --ctstate NEW
770 + return mark_synrcv;
775 +static int portscan_mt(const struct sk_buff *skb,
776 + const struct net_device *in, const struct net_device *out,
777 + const struct xt_match *match, const void *matchinfo, int offset,
778 + unsigned int protoff, int *hotdrop)
780 + const struct xt_portscan_match_info *info = matchinfo;
781 + enum ip_conntrack_info ctstate;
782 + const struct tcphdr *tcph;
783 + struct nf_conn *ctdata;
784 + struct tcphdr tcph_buf;
786 + tcph = skb_header_pointer(skb, protoff, sizeof(tcph_buf), &tcph_buf);
790 + /* Check for invalid packets: -m conntrack --ctstate INVALID */
791 + if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
792 + if (info->match_stealth)
793 + return portscan_mt_stealth(tcph);
795 + * If @ctdata is NULL, we cannot match the other scan
802 + * If -m portscan was previously applied to this packet, the rules we
803 + * simulate must not be run through again. And for speedup, do not call
804 + * it either when the connection is already VALID.
806 + if ((ctdata->mark & connmark_mask) == mark_valid ||
807 + (skb->mark & packet_mask) != mark_seen) {
810 + n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
811 + in == &loopback_dev, tcph,
812 + skb->len - protoff - 4 * tcph->doff);
814 + ctdata->mark = (ctdata->mark & ~connmark_mask) | n;
815 + ((struct sk_buff *)skb)->mark =
816 + (skb->mark & ~packet_mask) ^ mark_seen;
819 + return (info->match_syn && ctdata->mark == mark_synscan) ||
820 + (info->match_cn && ctdata->mark == mark_cnscan) ||
821 + (info->match_gr && ctdata->mark == mark_grscan);
824 +static int portscan_mt_check(const char *tablename, const void *entry,
825 + const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
827 + const struct xt_portscan_match_info *info = matchinfo;
829 + if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
830 + (info->match_cn & ~1) || (info->match_gr & ~1)) {
831 + printk(KERN_WARNING PFX "Invalid flags\n");
837 +static struct xt_match portscan_mt_reg __read_mostly = {
838 + .name = "portscan",
840 + .match = portscan_mt,
841 + .checkentry = portscan_mt_check,
842 + .matchsize = sizeof(struct xt_portscan_match_info),
843 + .proto = IPPROTO_TCP,
847 +static int __init portscan_mt_init(void)
849 + return xt_register_match(&portscan_mt_reg);
852 +static void __exit portscan_mt_exit(void)
854 + xt_unregister_match(&portscan_mt_reg);
858 +module_init(portscan_mt_init);
859 +module_exit(portscan_mt_exit);
860 +MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
861 +MODULE_DESCRIPTION("netfilter \"portscan\" match");
862 +MODULE_LICENSE("GPL");
863 +MODULE_ALIAS("ipt_portscan");