170-netfilter_chaostables_0.8.patch

Linux Home Server 是专门为家庭和SOHO/SMB 设计的高性价比的ISCSI 存储服务器, 具有如下的特色： 强大的iscsi 存储服务器软件； 混合iscsi 和NAS 服务；

Index: linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h
===================================================================
--- /dev/null
+++ linux-2.6.21.7/include/linux/netfilter/oot_conntrack.h
@@ -0,0 +1,5 @@
+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
+#	include <linux/netfilter_ipv4/ip_conntrack.h>
+#else /* linux-2.6.20+ */
+#	include <net/netfilter/nf_nat_rule.h>
+#endif
Index: linux-2.6.21.7/include/linux/netfilter/oot_trans.h
===================================================================
--- /dev/null
+++ linux-2.6.21.7/include/linux/netfilter/oot_trans.h
@@ -0,0 +1,14 @@
+/* Out of tree workarounds */
+#include <linux/version.h>
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
+#	define HAVE_MATCHINFOSIZE 1
+#	define HAVE_TARGUSERINFO 1
+#	define HAVE_TARGINFOSIZE 1
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
+#	define nfmark mark
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
+#	define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
+		tcp_v4_check((tcph_sz), (s), (d), (csp))
+#endif
Index: linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h
===================================================================
--- /dev/null
+++ linux-2.6.21.7/include/linux/netfilter/xt_CHAOS.h
@@ -0,0 +1,14 @@
+#ifndef _LINUX_NETFILTER_XT_CHAOS_H
+#define _LINUX_NETFILTER_XT_CHAOS_H 1
+
+enum xt_chaos_target_variant {
+	XTCHAOS_NORMAL,
+	XTCHAOS_TARPIT,
+	XTCHAOS_DELUDE,
+};
+
+struct xt_chaos_target_info {
+	uint8_t variant;
+};
+
+#endif /* _LINUX_NETFILTER_XT_CHAOS_H */
Index: linux-2.6.21.7/include/linux/netfilter/xt_portscan.h
===================================================================
--- /dev/null
+++ linux-2.6.21.7/include/linux/netfilter/xt_portscan.h
@@ -0,0 +1,8 @@
+#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
+#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
+
+struct xt_portscan_match_info {
+	uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
+#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
Index: linux-2.6.21.7/net/netfilter/find_match.c
===================================================================
--- /dev/null
+++ linux-2.6.21.7/net/netfilter/find_match.c
@@ -0,0 +1,39 @@
+/*
+    xt_request_find_match
+    by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
+
+    Based upon linux-2.6.18.5/net/netfilter/x_tables.c:
+    Copyright (C) 2006-2006 Harald Welte <laforge@netfilter.org>
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License version 2 as
+    published by the Free Software Foundation.
+*/
+#include <linux/err.h>
+#include <linux/netfilter_arp.h>
+#include <linux/socket.h>
+#include <linux/netfilter/x_tables.h>
+
+/*
+ * Yeah this code is sub-optimal, but the function is missing in
+ * mainline so far. -jengelh
+ */
+static struct xt_match *xt_request_find_match_lo(int af, const char *name,
+    u8 revision)
+{
+	static const char *const xt_prefix[] = {
+		[AF_INET]  = "ip",
+		[AF_INET6] = "ip6",
+		[NF_ARP]   = "arp",
+	};
+	struct xt_match *match;
+
+	match = try_then_request_module(xt_find_match(af, name, revision),
+		"%st_%s", xt_prefix[af], name);
+	if (IS_ERR(match) || match == NULL)
+		return NULL;
+
+	return match;
+}
+
+/* In case it goes into mainline, let this out-of-tree package compile */
+#define xt_request_find_match xt_request_find_match_lo
Index: linux-2.6.21.7/net/netfilter/Kconfig
===================================================================
--- linux-2.6.21.7.orig/net/netfilter/Kconfig
+++ linux-2.6.21.7/net/netfilter/Kconfig
@@ -287,6 +287,14 @@ config NETFILTER_XTABLES
 
 # alphabetically ordered list of targets
 
+config NETFILTER_XT_TARGET_CHAOS
+	tristate '"CHAOS" target support'
+	depends on NETFILTER_XTABLES
+	help
+	  This option adds a `CHAOS' target.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_TARGET_CLASSIFY
 	tristate '"CLASSIFY" target support'
 	depends on NETFILTER_XTABLES
@@ -315,6 +323,14 @@ config NETFILTER_XT_TARGET_CONNMARK
 	  <file:Documentation/modules.txt>.  The module will be called
 	  ipt_CONNMARK.o.  If unsure, say `N'.
 
+config NETFILTER_XT_TARGET_DELUDE
+	tristate '"DELUDE" target support'
+	depends on NETFILTER_XTABLES
+	help
+	  This option adds a `DELUDE' target.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_TARGET_DSCP
 	tristate '"DSCP" target support'
 	depends on NETFILTER_XTABLES
@@ -563,6 +579,14 @@ config NETFILTER_XT_MATCH_POLICY
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_MATCH_PORTSCAN
+	tristate '"portscan" match support'
+	depends on NETFILTER_XTABLES
+	help
+	  This option adds a 'portscan' match support.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_MULTIPORT
 	tristate "Multiple port match support"
 	depends on NETFILTER_XTABLES
Index: linux-2.6.21.7/net/netfilter/Makefile
===================================================================
--- linux-2.6.21.7.orig/net/netfilter/Makefile
+++ linux-2.6.21.7/net/netfilter/Makefile
@@ -47,6 +47,8 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_CHAOS) += xt_CHAOS.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_DELUDE) += xt_DELUDE.o
 
 # matches
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
@@ -74,3 +76,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) 
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_PORTSCAN) += xt_portscan.o
Index: linux-2.6.21.7/net/netfilter/xt_CHAOS.c
===================================================================
--- /dev/null
+++ linux-2.6.21.7/net/netfilter/xt_CHAOS.c
@@ -0,0 +1,200 @@
+/*
+ *	CHAOS target for netfilter
+ *	Copyright 漏 CC Computer Consultants GmbH, 2006 - 2007
+ *	Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License; either version
+ *	2 or 3 as published by the Free Software Foundation.
+ */
+#include <linux/icmp.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/stat.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tcpudp.h>
+#include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <net/ip.h>
+#if defined(_LOCAL)
+#	include "xt_CHAOS.h"
+#	include "find_match.c"
+#elif defined(CONFIG_NETFILTER_XT_TARGET_CHAOS) || \
+    defined(CONFIG_NETFILTER_XT_TARGET_CHAOS_MODULE)
+#	include <linux/netfilter/xt_CHAOS.h>
+#	include "find_match.c"
+#else
+#	include "xt_CHAOS.h"
+#	include "find_match.c"
+#endif
+#define PFX KBUILD_MODNAME ": "
+
+/* Module parameters */
+static unsigned int reject_percentage = ~0U * .01;
+static unsigned int delude_percentage = ~0U * .0101;
+module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
+module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);
+
+/* References to other matches/targets */
+static struct xt_match *xm_tcp;
+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
+
+static int have_delude, have_tarpit;
+
+/* Static data for other matches/targets */
+static const struct ipt_reject_info reject_params = {
+	.with = ICMP_HOST_UNREACH,
+};
+
+static const struct xt_tcp tcp_params = {
+	.spts = {0, ~0},
+	.dpts = {0, ~0},
+};
+
+/* CHAOS functions */
+static void xt_chaos_total(const struct xt_chaos_target_info *info,
+    struct sk_buff **pskb, const struct net_device *in,
+    const struct net_device *out, unsigned int hooknum)
+{
+	const struct iphdr *iph = ip_hdr(*pskb);
+	const int protoff       = 4 * iph->ihl;
+	const int offset        = ntohs(iph->frag_off) & IP_OFFSET;
+	const struct xt_target *destiny;
+	int hotdrop = 0, ret;
+
+	ret = xm_tcp->match(*pskb, in, out, xm_tcp, &tcp_params,
+	                    offset, protoff, &hotdrop);
+	if (!ret || hotdrop || (unsigned int)net_random() > delude_percentage)
+		return;
+
+	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
+	destiny->target(pskb, in, out, hooknum, destiny, NULL);
+	return;
+}
+
+static unsigned int chaos_tg(struct sk_buff **pskb,
+    const struct net_device *in, const struct net_device *out,
+    unsigned int hooknum, const struct xt_target *target, const void *targinfo)
+{
+	/*
+	 * Equivalent to:
+	 * -A chaos -m statistic --mode random --probability \
+	 *         $reject_percentage -j REJECT --reject-with host-unreach;
+	 * -A chaos -p tcp -m statistic --mode random --probability \
+	 *         $delude_percentage -j DELUDE;
+	 * -A chaos -j DROP;
+	 */
+	const struct xt_chaos_target_info *info = targinfo;
+	const struct iphdr *iph = ip_hdr(*pskb);
+
+	if ((unsigned int)net_random() <= reject_percentage)
+		return xt_reject->target(pskb, in, out, hooknum, target,
+		       &reject_params);
+
+	/* TARPIT/DELUDE may not be called from the OUTPUT chain */
+	if (iph->protocol == IPPROTO_TCP &&
+	    info->variant != XTCHAOS_NORMAL && hooknum != NF_IP_LOCAL_OUT)
+		xt_chaos_total(info, pskb, in, out, hooknum);
+
+	return NF_DROP;
+}
+
+static int chaos_tg_check(const char *tablename, const void *entry,
+    const struct xt_target *target, void *targinfo, unsigned int hook_mask)
+{
+	const struct xt_chaos_target_info *info = targinfo;
+
+	if (info->variant == XTCHAOS_DELUDE && !have_delude) {
+		printk(KERN_WARNING PFX "Error: Cannot use --delude when "
+		       "DELUDE module not available\n");
+		return false;
+	}
+	if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
+		printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
+		       "TARPIT module not available\n");
+		return false;
+	}
+
+	return true;
+}
+
+static struct xt_target chaos_tg_reg = {
+	.name       = "CHAOS",
+	.family     = AF_INET,
+	.table      = "filter",
+	.hooks      = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
+	              (1 << NF_IP_LOCAL_OUT),
+	.checkentry = chaos_tg_check,
+	.target     = chaos_tg,
+	.targetsize = sizeof(struct xt_chaos_target_info),
+	.me         = THIS_MODULE,
+};
+
+static int __init chaos_tg_init(void)
+{
+	int ret = -EINVAL;
+
+	xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
+	if (xm_tcp == NULL) {
+		printk(KERN_WARNING PFX "Error: Could not find or load "
+		       "\"tcp\" match\n");
+		return -EINVAL;
+	}
+
+	xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
+	if (xt_reject == NULL) {
+		printk(KERN_WARNING PFX "Error: Could not find or load "
+		       "\"REJECT\" target\n");
+		goto out2;
+	}
+
+	xt_tarpit   = xt_request_find_target(AF_INET, "TARPIT", 0);
+	have_tarpit = xt_tarpit != NULL;
+	if (!have_tarpit)
+		printk(KERN_WARNING PFX "Warning: Could not find or load "
+		       "\"TARPIT\" target\n");
+
+	xt_delude   = xt_request_find_target(AF_INET, "DELUDE", 0);
+	have_delude = xt_delude != NULL;
+	if (!have_delude)
+		printk(KERN_WARNING PFX "Warning: Could not find or load "
+		       "\"DELUDE\" target\n");
+
+	if ((ret = xt_register_target(&chaos_tg_reg)) != 0) {
+		printk(KERN_WARNING PFX "xt_register_target returned "
+		       "error %d\n", ret);
+		goto out3;
+	}
+
+	return 0;
+
+ out3:
+ 	if (have_delude)
+ 		module_put(xt_delude->me);
+	if (have_tarpit)
+		module_put(xt_tarpit->me);
+	module_put(xt_reject->me);
+ out2:
+	module_put(xm_tcp->me);
+	return ret;
+}
+
+static void __exit chaos_tg_exit(void)
+{
+	xt_unregister_target(&chaos_tg_reg);
+	module_put(xm_tcp->me);
+	module_put(xt_reject->me);
+	if (have_delude)
+		module_put(xt_delude->me);
+	if (have_tarpit)
+		module_put(xt_tarpit->me);
+	return;
+}
+
+module_init(chaos_tg_init);
+module_exit(chaos_tg_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_DESCRIPTION("netfilter \"CHAOS\" target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_CHAOS");
Index: linux-2.6.21.7/net/netfilter/xt_DELUDE.c
===================================================================
--- /dev/null
+++ linux-2.6.21.7/net/netfilter/xt_DELUDE.c
@@ -0,0 +1,197 @@
+/*
+ *	DELUDE target
+ *	Copyright 漏 CC Computer Consultants GmbH, 2007
+ *	Contact: Jan Engelhardt <jengelh@computergmbh.de>
+ *
+ *	Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
+ *	(C) 1999-2001 Paul `Rusty' Russell
+ *	(C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ *
+ *	xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License version 2 as
+ *	published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/netfilter/x_tables.h>
+#ifdef CONFIG_BRIDGE_NETFILTER
+#	include <linux/netfilter_bridge.h>
+#endif
+#include <net/tcp.h>
+#define PFX KBUILD_MODNAME ": "
+
+static void delude_send_reset(struct sk_buff *oldskb, unsigned int hook)
+{
+	struct tcphdr _otcph, *oth, *tcph;
+	unsigned int addr_type;
+	struct sk_buff *nskb;
+	u_int16_t tmp_port;
+	u_int32_t tmp_addr;
+	struct iphdr *niph;
+	bool needs_ack;
+
+	/* IP header checks: fragment. */
+	if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
+		return;
+
+	oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
+				 sizeof(_otcph), &_otcph);
+	if (oth == NULL)
+		return;
+