Diffstat (limited to 'package/iptables/patches/008-chaostables.patch')
-rw-r--r--package/iptables/patches/008-chaostables.patch336
1 files changed, 336 insertions, 0 deletions
diff --git a/package/iptables/patches/008-chaostables.patch b/package/iptables/patches/008-chaostables.patch
new file mode 100644
index 0000000000..7fc1aab456
--- /dev/null
+++ b/package/iptables/patches/008-chaostables.patch
@@ -0,0 +1,336 @@
+diff -ruN iptables-1.3.5.orig/extensions/.CHAOS-test iptables-1.3.5/extensions/.CHAOS-test
+--- iptables-1.3.5.orig/extensions/.CHAOS-test 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.5/extensions/.CHAOS-test 2007-01-09 16:05:23.251885840 +0100
+@@ -0,0 +1,2 @@
++#!/bin/sh
++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS";
+diff -ruN iptables-1.3.5.orig/extensions/.DELUDE-test iptables-1.3.5/extensions/.DELUDE-test
+--- iptables-1.3.5.orig/extensions/.DELUDE-test 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.5/extensions/.DELUDE-test 2007-01-09 16:05:18.104057722 +0100
+@@ -0,0 +1,2 @@
++#!/bin/sh
++echo "DELUDE";
+diff -ruN iptables-1.3.5.orig/extensions/libipt_CHAOS.c iptables-1.3.5/extensions/libipt_CHAOS.c
+--- iptables-1.3.5.orig/extensions/libipt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.5/extensions/libipt_CHAOS.c 2007-01-09 16:05:23.251885840 +0100
+@@ -0,0 +1,111 @@
++/*
++ CHAOS target for iptables
++
++ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
++ released under the terms of the GNU General Public
++ License version 2.x and only versions 2.x.
++*/
++#include <getopt.h>
++#include <stdio.h>
++#include <string.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter/xt_CHAOS.h>
++
++static void libipt_chaos_help(void)
++{
++ printf(
++ "CHAOS target v%s options:\n"
++ " --delude Enable DELUDE processing for TCP\n"
++ " --tarpit Enable TARPIT processing for TCP\n",
++ IPTABLES_VERSION);
++ return;
++}
++
++static int libipt_chaos_parse(int c, char **argv, int invert,
++ unsigned int *flags, const struct ipt_entry *entry,
++ struct ipt_entry_target **target)
++{
++ struct xt_chaos_info *info = (void *)((*target)->data);
++ switch(c) {
++ case 'd':
++ info->variant = XTCHAOS_DELUDE;
++ *flags |= 0x02;
++ return 1;
++ case 't':
++ info->variant = XTCHAOS_TARPIT;
++ *flags |= 0x01;
++ return 1;
++ }
++ return 0;
++}
++
++static void libipt_chaos_check(unsigned int flags)
++{
++ if(flags != 0x03)
++ return;
++ /* If flags == 0x03, both were specified, which should not be. */
++ exit_error(PARAMETER_PROBLEM,
++ "CHAOS: only one of --tarpit or --delude may be specified");
++ return;
++}
++
++static void libipt_chaos_print(const struct ipt_ip *ip,
++ const struct ipt_entry_target *target, int numeric)
++{
++ const struct xt_chaos_info *info = (const void *)target->data;
++ switch(info->variant) {
++ case XTCHAOS_DELUDE:
++ printf("DELUDE ");
++ break;
++ case XTCHAOS_TARPIT:
++ printf("TARPIT ");
++ break;
++ default:
++ break;
++ }
++ return;
++}
++
++static void libipt_chaos_save(const struct ipt_ip *ip,
++ const struct ipt_entry_target *target)
++{
++ const struct xt_chaos_info *info = (const void *)target->data;
++ switch(info->variant) {
++ case XTCHAOS_DELUDE:
++ printf("--delude ");
++ break;
++ case XTCHAOS_TARPIT:
++ printf("--tarpit ");
++ break;
++ default:
++ break;
++ }
++ return;
++}
++
++static struct option libipt_chaos_opts[] = {
++ {"delude", 0, NULL, 'd'},
++ {"tarpit", 0, NULL, 't'},
++ {NULL},
++};
++
++static struct iptables_target libipt_chaos_info = {
++ .name = "CHAOS",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct xt_chaos_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)),
++ .help = libipt_chaos_help,
++ .parse = libipt_chaos_parse,
++ .final_check = libipt_chaos_check,
++ .print = libipt_chaos_print,
++ .save = libipt_chaos_save,
++ .extra_opts = libipt_chaos_opts,
++};
++
++static __attribute__((constructor)) void libipt_chaos_init(void)
++{
++ register_target(&libipt_chaos_info);
++ return;
++}
+diff -ruN iptables-1.3.5.orig/extensions/libipt_DELUDE.c iptables-1.3.5/extensions/libipt_DELUDE.c
+--- iptables-1.3.5.orig/extensions/libipt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.5/extensions/libipt_DELUDE.c 2007-01-09 16:05:18.104057722 +0100
+@@ -0,0 +1,66 @@
++/*
++ DELUDE target for iptables
++
++ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
++ released under the terms of the GNU General Public
++ License version 2.x and only versions 2.x.
++*/
++#include <getopt.h>
++#include <stdio.h>
++#include <string.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++
++static void libipt_delude_help(void)
++{
++ printf("DELUDE takes no options\n");
++ return;
++}
++
++static int libipt_delude_parse(int c, char **argv, int invert,
++ unsigned int *flags, const struct ipt_entry *entry,
++ struct ipt_entry_target **target)
++{
++ return 0;
++}
++
++static void libipt_delude_check(unsigned int flags)
++{
++ return;
++}
++
++static void libipt_delude_print(const struct ipt_ip *ip,
++ const struct ipt_entry_target *target, int numeric)
++{
++ return;
++}
++
++static void libipt_delude_save(const struct ipt_ip *ip,
++ const struct ipt_entry_target *target)
++{
++ return;
++}
++
++static struct option libipt_delude_opts[] = {
++ {NULL},
++};
++
++static struct iptables_target libipt_delude_info = {
++ .name = "DELUDE",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(0),
++ .userspacesize = IPT_ALIGN(0),
++ .help = libipt_delude_help,
++ .parse = libipt_delude_parse,
++ .final_check = libipt_delude_check,
++ .print = libipt_delude_print,
++ .save = libipt_delude_save,
++ .extra_opts = libipt_delude_opts,
++};
++
++static __attribute__((constructor)) void libipt_delude_init(void)
++{
++ register_target(&libipt_delude_info);
++ return;
++}
+diff -ruN iptables-1.3.5.orig/extensions/libipt_portscan.c iptables-1.3.5/extensions/libipt_portscan.c
+--- iptables-1.3.5.orig/extensions/libipt_portscan.c 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.5/extensions/libipt_portscan.c 2007-01-09 16:05:14.228187134 +0100
+@@ -0,0 +1,129 @@
++/*
++ portscan match for iptables
++
++ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
++ released under the terms of the GNU General Public
++ License version 2.x and only versions 2.x.
++*/
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <iptables.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter/xt_portscan.h>
++
++static void libipt_portscan_help(void)
++{
++ printf(
++ "portscan match v%s options:\n"
++ "(Combining them will make them match by OR-logic)\n"
++ " --stealth Match TCP Stealth packets\n"
++ " --synscan Match TCP SYN scans\n"
++ " --cnscan Match TCP Connect scans\n"
++ " --grscan Match Banner Grabbing scans\n",
++ IPTABLES_VERSION);
++ return;
++}
++
++static void libipt_portscan_mtinit(struct ipt_entry_match *match,
++ unsigned int *nfcache)
++{
++ /* Cannot cache this */
++ *nfcache |= NFC_UNKNOWN;
++ return;
++}
++
++static int libipt_portscan_parse(int c, char **argv, int invert,
++ unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc,
++ struct ipt_entry_match **match)
++{
++ struct xt_portscan_info *info = (void *)((*match)->data);
++
++ switch(c) {
++ case 'c':
++ info->match_cn = 1;
++ return 1;
++ case 'g':
++ info->match_gr = 1;
++ return 1;
++ case 's':
++ info->match_syn = 1;
++ return 1;
++ case 'x':
++ info->match_stealth = 1;
++ return 1;
++ default:
++ return 0;
++ }
++}
++
++static void libipt_portscan_check(unsigned int flags)
++{
++ return;
++}
++
++static void libipt_portscan_print(const struct ipt_ip *ip,
++ const struct ipt_entry_match *match, int numeric)
++{
++ const struct xt_portscan_info *info = (const void *)(match->data);
++ const char *s = "";
++
++ printf("portscan ");
++ if(info->match_stealth) {
++ printf("STEALTH");
++ s = ",";
++ }
++ if(info->match_syn) {
++ printf("%sSYNSCAN", s);
++ s = ",";
++ }
++ if(info->match_cn) {
++ printf("%sCNSCAN", s);
++ s = ",";
++ }
++ if(info->match_gr)
++ printf("%sGRSCAN", s);
++ printf(" ");
++ return;
++}
++
++static void libipt_portscan_save(const struct ipt_ip *ip,
++ const struct ipt_entry_match *match)
++{
++ const struct xt_portscan_info *info = (const void *)(match->data);
++ if(info->match_stealth) printf("--stealth ");
++ if(info->match_syn) printf("--synscan ");
++ if(info->match_cn) printf("--cnscan ");
++ if(info->match_gr) printf("--grscan ");
++ return;
++}
++
++static struct option libipt_portscan_opts[] = {
++ {"stealth", 0, NULL, 'x'},
++ {"synscan", 0, NULL, 's'},
++ {"cnscan", 0, NULL, 'c'},
++ {"grscan", 0, NULL, 'g'},
++ {NULL},
++};
++
++static struct iptables_match libipt_portscan_info = {
++ .name = "portscan",
++ .version = IPTABLES_VERSION,
++ .size = IPT_ALIGN(sizeof(struct xt_portscan_info)),
++ .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)),
++ .help = libipt_portscan_help,
++ .init = libipt_portscan_mtinit,
++ .parse = libipt_portscan_parse,
++ .final_check = libipt_portscan_check,
++ .print = libipt_portscan_print,
++ .save = libipt_portscan_save,
++ .extra_opts = libipt_portscan_opts,
++};
++
++static __attribute__((constructor)) void libipt_portscan_init(void)
++{
++ register_match(&libipt_portscan_info);
++ return;
++}
+diff -ruN iptables-1.3.5.orig/extensions/.portscan-test iptables-1.3.5/extensions/.portscan-test
+--- iptables-1.3.5.orig/extensions/.portscan-test 1970-01-01 01:00:00.000000000 +0100
++++ iptables-1.3.5/extensions/.portscan-test 2007-01-09 16:05:14.228187134 +0100
+@@ -0,0 +1,2 @@
++#!/bin/sh
++[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan";
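Review bot: libipt_portscan_parse (in the embedded libipt_portscan.c) ignores its `invert` argument, so a rule written as `-m portscan ! --synscan` is silently installed as `--synscan` — the match is inverted in the author's head but not in the ruleset, which is the wrong way for a firewall rule to fail. Other iptables 1.3.x extensions reject an inversion they do not implement; adding `if (invert) exit_error(PARAMETER_PROBLEM, "portscan: options cannot be inverted");` at the top of the switch closes it, and libipt_chaos_parse has the same pattern with the same one-line fix. Separately, libipt_portscan_parse never touches `*flags` and libipt_portscan_check always returns, so `-m portscan` with no options is accepted by userspace; whether the kernel module then matches nothing or everything is not visible in this patch, so either set a flag per option and reject the empty case in final_check, or document in the help text that at least one option is expected. Both functions are fully contained in this hunk.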