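diff -ruN iptables-1.3.5.orig/extensions/.CHAOS-test iptables-1.3.5/extensions/.CHAOS-test
--- iptables-1.3.5.orig/extensions/.CHAOS-test	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/.CHAOS-test	2007-01-09 16:05:23.251885840 +0100
@@ -0,0 +1,2 @@
+#!/bin/sh
+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS";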
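diff -ruN iptables-1.3.5.orig/extensions/.DELUDE-test iptables-1.3.5/extensions/.DELUDE-test
--- iptables-1.3.5.orig/extensions/.DELUDE-test	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/.DELUDE-test	2007-01-09 16:05:18.104057722 +0100
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo "DELUDE";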
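diff -ruN iptables-1.3.5.orig/extensions/libipt_CHAOS.c iptables-1.3.5/extensions/libipt_CHAOS.c
--- iptables-1.3.5.orig/extensions/libipt_CHAOS.c	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/libipt_CHAOS.c	2007-01-09 16:05:23.251885840 +0100
@@ -0,0 +1,111 @@
+/*
+    CHAOS target for iptables
+
+    Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
+    released under the terms of the GNU General Public
+    License version 2.x and only versions 2.x.
+*/
+#include <getopt.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/xt_CHAOS.h>
+
+static void libipt_chaos_help(void)
+{
+	printf(
+		"CHAOS target v%s options:\n"
+		"  --delude     Enable DELUDE processing for TCP\n"
+		"  --tarpit     Enable TARPIT processing for TCP\n",
+		IPTABLES_VERSION);
+	return;
+}
+
+static int libipt_chaos_parse(int c, char **argv, int invert,
+    unsigned int *flags, const struct ipt_entry *entry,
+    struct ipt_entry_target **target)
+{
+	struct xt_chaos_info *info = (void *)((*target)->data);
+	switch(c) {
+		case 'd':
+			info->variant = XTCHAOS_DELUDE;
+			*flags |= 0x02;
+			return 1;
+		case 't':
+			info->variant = XTCHAOS_TARPIT;
+			*flags |= 0x01;
+			return 1;
+	}
+	return 0;
+}
+
+static void libipt_chaos_check(unsigned int flags)
+{
+	if(flags != 0x03)
+		return;
+	/* If flags == 0x03, both were specified, which should not be. */
+	exit_error(PARAMETER_PROBLEM,
+	           "CHAOS: only one of --tarpit or --delude may be specified");
+	return;
+}
+
+static void libipt_chaos_print(const struct ipt_ip *ip,
+    const struct ipt_entry_target *target, int numeric)
+{
+	const struct xt_chaos_info *info = (const void *)target->data;
+	switch(info->variant) {
+		case XTCHAOS_DELUDE:
+			printf("DELUDE ");
+			break;
+		case XTCHAOS_TARPIT:
+			printf("TARPIT ");
+			break;
+		default:
+			break;
+	}
+	return;
+}
+
+static void libipt_chaos_save(const struct ipt_ip *ip,
+    const struct ipt_entry_target *target)
+{
+	const struct xt_chaos_info *info = (const void *)target->data;
+	switch(info->variant) {
+		case XTCHAOS_DELUDE:
+			printf("--delude ");
+			break;
+		case XTCHAOS_TARPIT:
+			printf("--tarpit ");
+			break;
+		default:
+			break;
+	}
+	return;
+}
+
+static struct option libipt_chaos_opts[] = {
+	{"delude", 0, NULL, 'd'},
+	{"tarpit", 0, NULL, 't'},
+	{NULL},
+};
+
+static struct iptables_target libipt_chaos_info = {
+	.name          = "CHAOS",
+	.version       = IPTABLES_VERSION,
+	.size          = IPT_ALIGN(sizeof(struct xt_chaos_info)),
+	.userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)),
+	.help          = libipt_chaos_help,
+	.parse         = libipt_chaos_parse,
+	.final_check   = libipt_chaos_check,
+	.print         = libipt_chaos_print,
+	.save          = libipt_chaos_save,
+	.extra_opts    = libipt_chaos_opts,
+};
+
+static __attribute__((constructor)) void libipt_chaos_init(void)
+{
+	register_target(&libipt_chaos_info);
+	return;
+}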
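Review bot: libipt_chaos_parse accepts a repeated `--delude` or `--tarpit` silently, because each case only ORs its bit into `*flags` and never checks whether that bit was already set; iptables extensions conventionally reject a duplicated option with exit_error. The same bits recur as the literal `0x03` in libipt_chaos_check, so naming them once would keep the two functions in step: `enum { F_TARPIT = 1 << 0, F_DELUDE = 1 << 1 };`, and in case 'd' `if (*flags & F_DELUDE) exit_error(PARAMETER_PROBLEM, "CHAOS: --delude may only be specified once");` with the mirror image for 't'. Since exit_error presumably does not return, the `return;` after it in libipt_chaos_check is dead and can go. When neither option is given, `info->variant` keeps whatever the target data was initialised to; a one-line comment on libipt_chaos_parse stating which variant that selects (assuming 0 is a valid XTCHAOS value — confirm against xt_CHAOS.h) would spare the next reader the lookup.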
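diff -ruN iptables-1.3.5.orig/extensions/libipt_DELUDE.c iptables-1.3.5/extensions/libipt_DELUDE.c
--- iptables-1.3.5.orig/extensions/libipt_DELUDE.c	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/libipt_DELUDE.c	2007-01-09 16:05:18.104057722 +0100
@@ -0,0 +1,66 @@
+/*
+    DELUDE target for iptables
+
+    Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
+    released under the terms of the GNU General Public
+    License version 2.x and only versions 2.x.
+*/
+#include <getopt.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+static void libipt_delude_help(void)
+{
+	printf("DELUDE takes no options\n");
+	return;
+}
+
+static int libipt_delude_parse(int c, char **argv, int invert,
+    unsigned int *flags, const struct ipt_entry *entry,
+    struct ipt_entry_target **target)
+{
+	return 0;
+}
+
+static void libipt_delude_check(unsigned int flags)
+{
+	return;
+}
+
+static void libipt_delude_print(const struct ipt_ip *ip,
+    const struct ipt_entry_target *target, int numeric)
+{
+	return;
+}
+
+static void libipt_delude_save(const struct ipt_ip *ip,
+    const struct ipt_entry_target *target)
+{
+	return;
+}
+
+static struct option libipt_delude_opts[] = {
+	{NULL},
+};
+
+static struct iptables_target libipt_delude_info = {
+	.name          = "DELUDE",
+	.version       = IPTABLES_VERSION,
+	.size          = IPT_ALIGN(0),
+	.userspacesize = IPT_ALIGN(0),
+	.help          = libipt_delude_help,
+	.parse         = libipt_delude_parse,
+	.final_check   = libipt_delude_check,
+	.print         = libipt_delude_print,
+	.save          = libipt_delude_save,
+	.extra_opts    = libipt_delude_opts,
+};
+
+static __attribute__((constructor)) void libipt_delude_init(void)
+{
+	register_target(&libipt_delude_info);
+	return;
+}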
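diff -ruN iptables-1.3.5.orig/extensions/libipt_portscan.c iptables-1.3.5/extensions/libipt_portscan.c
--- iptables-1.3.5.orig/extensions/libipt_portscan.c	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/libipt_portscan.c	2007-01-09 16:05:14.228187134 +0100
@@ -0,0 +1,129 @@
+/*
+    portscan match for iptables
+
+    Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
+    released under the terms of the GNU General Public
+    License version 2.x and only versions 2.x.
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/xt_portscan.h>
+
+static void libipt_portscan_help(void)
+{
+	printf(
+		"portscan match v%s options:\n"
+		"(Combining them will make them match by OR-logic)\n"
+		"  --stealth    Match TCP Stealth packets\n"
+		"  --synscan    Match TCP SYN scans\n"
+		"  --cnscan     Match TCP Connect scans\n"
+		"  --grscan     Match Banner Grabbing scans\n",
+		IPTABLES_VERSION);
+	return;
+}
+
+static void libipt_portscan_mtinit(struct ipt_entry_match *match,
+    unsigned int *nfcache)
+{
+	/* Cannot cache this */
+	*nfcache |= NFC_UNKNOWN;
+	return;
+}
+
+static int libipt_portscan_parse(int c, char **argv, int invert,
+    unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc,
+    struct ipt_entry_match **match)
+{
+	struct xt_portscan_info *info = (void *)((*match)->data);
+
+	switch(c) {
+		case 'c':
+			info->match_cn = 1;
+			return 1;
+		case 'g':
+			info->match_gr = 1;
+			return 1;
+		case 's':
+			info->match_syn = 1;
+			return 1;
+		case 'x':
+			info->match_stealth = 1;
+			return 1;
+		default:
+			return 0;
+	}
+}
+
+static void libipt_portscan_check(unsigned int flags)
+{
+	return;
+}
+
+static void libipt_portscan_print(const struct ipt_ip *ip,
+    const struct ipt_entry_match *match, int numeric)
+{
+	const struct xt_portscan_info *info = (const void *)(match->data);
+	const char *s = "";
+
+	printf("portscan ");
+	if(info->match_stealth) {
+		printf("STEALTH");
+		s = ",";
+	}
+	if(info->match_syn) {
+		printf("%sSYNSCAN", s);
+		s = ",";
+	}
+	if(info->match_cn) {
+		printf("%sCNSCAN", s);
+		s = ",";
+	}
+	if(info->match_gr)
+		printf("%sGRSCAN", s);
+	printf(" ");
+	return;
+}
+
+static void libipt_portscan_save(const struct ipt_ip *ip,
+    const struct ipt_entry_match *match)
+{
+	const struct xt_portscan_info *info = (const void *)(match->data);
+	if(info->match_stealth)	printf("--stealth ");
+	if(info->match_syn)	printf("--synscan ");
+	if(info->match_cn)	printf("--cnscan ");
+	if(info->match_gr)	printf("--grscan ");
+	return;
+}
+
+static struct option libipt_portscan_opts[] = {
+	{"stealth", 0, NULL, 'x'},
+	{"synscan", 0, NULL, 's'},
+	{"cnscan",  0, NULL, 'c'},
+	{"grscan",  0, NULL, 'g'},
+	{NULL},
+};
+
+static struct iptables_match libipt_portscan_info = {
+	.name          = "portscan",
+	.version       = IPTABLES_VERSION,
+	.size          = IPT_ALIGN(sizeof(struct xt_portscan_info)),
+	.userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)),
+	.help          = libipt_portscan_help,
+	.init          = libipt_portscan_mtinit,
+	.parse         = libipt_portscan_parse,
+	.final_check   = libipt_portscan_check,
+	.print         = libipt_portscan_print,
+	.save          = libipt_portscan_save,
+	.extra_opts    = libipt_portscan_opts,
+};
+
+static __attribute__((constructor)) void libipt_portscan_init(void)
+{
+	register_match(&libipt_portscan_info);
+	return;
+}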
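Review bot: libipt_portscan_check cannot reject a rule that names none of the four scan types, because libipt_portscan_parse never records anything in `*flags` and the check body is a bare `return;`; a plain `-m portscan` is therefore accepted with every match_* field left at zero, which presumably matches nothing and is exactly the silent no-op a final_check exists to catch. Recording each option in `*flags` lets the check require at least one, and also lets parse refuse a repeated option as the other iptables matches do. The rewritten parse cases and check follow; help, print, save and the option table are unchanged.
```c
enum {
	F_CNSCAN  = 1 << 0,
	F_GRSCAN  = 1 << 1,
	F_SYNSCAN = 1 << 2,
	F_STEALTH = 1 << 3,
};

static int libipt_portscan_parse(int c, char **argv, int invert,
    unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc,
    struct ipt_entry_match **match)
{
	struct xt_portscan_info *info = (void *)((*match)->data);

	switch(c) {
		case 'c':
			if(*flags & F_CNSCAN)
				exit_error(PARAMETER_PROBLEM,
				           "portscan: --cnscan may only be specified once");
			info->match_cn = 1;
			*flags |= F_CNSCAN;
			return 1;
		/* … unchanged shape for 'g', 's' and 'x', each checking and setting its own F_ bit … */
		default:
			return 0;
	}
}

static void libipt_portscan_check(unsigned int flags)
{
	/* Every option is optional individually, but a rule with none of them selects nothing. */
	if(flags == 0)
		exit_error(PARAMETER_PROBLEM,
		           "portscan: at least one of --stealth, --synscan, "
		           "--cnscan or --grscan must be specified");
	return;
}
```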
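diff -ruN iptables-1.3.5.orig/extensions/.portscan-test iptables-1.3.5/extensions/.portscan-test
--- iptables-1.3.5.orig/extensions/.portscan-test	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.5/extensions/.portscan-test	2007-01-09 16:05:14.228187134 +0100
@@ -0,0 +1,2 @@
+#!/bin/sh
+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan";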