* ipt_limit patch for iptables-1.3.1 and linux-2.4.22
@ 2005-12-23 13:12 borg
  2005-12-23 13:40 ` m.innocenti
  0 siblings, 1 reply; 10+ messages in thread
From: borg @ 2005-12-23 13:12 UTC (permalink / raw)
  To: netfilter-devel

Hello.

Here is a very small patch adding ! functionality to
ipt_limit (iptables -m limit).

Thanks to this patch, you can easily filter SYN attacks on
your host.. and also limit your lusers trying to do
SYN attacks.

Simple example:
iptables -t mangle -A FORWARD -i eth0 -s 1.2.3.4 \
-p tcp --tcp-flags SYN SYN \
-m limit ! --limit 2/s --limit-burst 10 -j DROP
Forwarding only 2 SYNs per second (burst up to 10 conn per sec).
(You can put it in the filter table; I used mangle since when a packet
is not dropped, it goes on to my QoS tables)

To apply this patch simply run:
# cd /usr/src/linux
# patch -p1 < ipt_limit-linux-2.4.22.patch

And patch userland iptables
# cd iptables-1.3.1
# patch -p1 < ipt_limit-iptables-1.3.1.patch

Recompile the kernel (don't forget about clean),
recompile and install the new iptables,
install the kernel.
Reboot.. voila..

I hope it will get into the mainstream very soon!
I'm still surprised it's not here already..
It adds extra functionality w/o security risks or
performance loss.

Files:
ftp://ftp.benet.uu3.net/pub/linux/ipt_limit-linux-2.4.22.patch
ftp://ftp.benet.uu3.net/pub/linux/ipt_limit-iptables-1.3.1.patch

Regards,
Borg

== File 'ipt_limit-linux-2.4.22.patch' ==============================
--- linux-2.4.22.orig/include/linux/netfilter_ipv4/ipt_limit.h  2005-12-23 13:07:30.000000000 +0100
+++ linux-2.4.22/include/linux/netfilter_ipv4/ipt_limit.h       2005-12-22 13:33:56.000000000 +0100
@@ -10,6 +10,11 @@
        u_int32_t avg;    /* Average secs between packets * scale */
        u_int32_t burst;  /* Period multiplier for upper limit. */
 
+       /* Borg
+       adding invert support
+       */
+       char invert;
+
        /* Used internally by the kernel */
        unsigned long prev;
        u_int32_t credit;
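Review bot: inserting `char invert` between `burst` and the "Used internally by the kernel" block changes the layout of a struct that iptables hands to the kernel byte for byte: an unpatched iptables builds a smaller struct with `prev` and `credit` at different offsets, so a kernel carrying this hunk and a userspace without it (or the reverse) disagree on the match's size and the rule is rejected or misread. On 2.4 there is no match revision to signal the new layout, so at minimum the field has to go after the existing fields (the author concedes this later in the thread), and even then mixed old/new pairs stay incompatible. The `/* Borg ... */` attribution comment belongs in the changelog, not in the header.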
--- linux-2.4.22.orig/net/ipv4/netfilter/ipt_limit.c    2005-12-23 13:07:30.000000000 +0100
+++ linux-2.4.22/net/ipv4/netfilter/ipt_limit.c 2005-12-22 12:40:35.000000000 +0100
@@ -63,11 +63,11 @@
                /* We're not limited. */
                r->credit -= r->cost;
                spin_unlock_bh(&limit_lock);
-               return 1;
+               return 1 ^ r->invert;
        }
 
                spin_unlock_bh(&limit_lock);
-       return 0;
+       return 0 ^ r->invert;
 }
 
 /* Precision saver. */
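Review bot: `return 1 ^ r->invert;` and `return 0 ^ r->invert;` read as arithmetic rather than as a match inversion, and they only act as one when `invert` is exactly 0 or 1. `invert` is a `char` copied in from userspace and nothing in this patch validates it, so a stray value such as 2 makes both paths return nonzero and the rule matches unconditionally. Prefer `return !r->invert;` and `return r->invert;` (or normalise with `!!`) and reject anything other than 0/1 in checkentry. Both returns still happen after `spin_unlock_bh`, so locking is unchanged by the hunk.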
=====================================================================

== File 'ipt_limit-linux-2.4.22.patch' ==============================
--- iptables-1.3.1-orig/extensions/libipt_limit.c       2005-12-22 11:38:38.000000000 +0100
+++ iptables-1.3.1/extensions/libipt_limit.c    2005-12-22 13:33:03.000000000 +0100
@@ -12,7 +12,8 @@
 #include <stddef.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 /* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_limit.h"
+//#include "../include/linux/netfilter_ipv4/ipt_limit.h"
+#include "linux/netfilter_ipv4/ipt_limit.h"
 
 #define IPT_LIMIT_AVG  "3/hour"
 #define IPT_LIMIT_BURST        5
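Review bot: the commented-out `//#include "../include/linux/netfilter_ipv4/ipt_limit.h"` should be removed rather than left as dead text, and swapping it for `#include "linux/netfilter_ipv4/ipt_limit.h"` defeats the purpose stated in the line above it (`/* For 64bit kernel / 32bit userspace */`): the extension deliberately compiles against iptables' own copy of the header so that the struct layout does not depend on whichever kernel headers happen to be installed. The fix is to update the bundled copy of ipt_limit.h in the same patch. Also, the banner above this file header repeats the kernel patch's name; this is the iptables-1.3.1 patch.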
@@ -120,9 +121,12 @@
                return 0;
        }
 
-       if (invert)
-               exit_error(PARAMETER_PROBLEM,
-                          "limit does not support invert");
+       if (invert) {
+               /* Borg
+               Adding invert support
+               */
+               r->invert = 1;
+       }
 
        return 1;
 }
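Review bot: `parse` now records `r->invert = 1` when `!` is given, but no hunk in this patch updates the extension's print and save callbacks to emit the `!` again, so a rule added with `-m limit ! --limit ...` would be listed and saved without the inversion and silently restored as the opposite rule. The `/* Borg ... */` comment inside the `if` block should go for the same reason as in the kernel hunk; authorship belongs in the changelog.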
=====================================================================

* Re: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
  2005-12-23 13:12 ipt_limit patch for iptables-1.3.1 and linux-2.4.22 borg
@ 2005-12-23 13:40 ` m.innocenti
  2005-12-23 15:43   ` Re[2]: " borg
  0 siblings, 1 reply; 10+ messages in thread
From: m.innocenti @ 2005-12-23 13:40 UTC (permalink / raw)
  To: netfilter-devel

borg@uu3.net wrote:
> Hello.
> 
> Here is a very small patch adding ! functionality to
> ipt_limit (iptables -m limit).

In October I sent a similar patch in which the same
errors that are present in yours were present.
Namely:
 - "0 ^ r->invert" and "1 ^ r->invert" are not very clear
 - it breaks the userspace. This problem is solved using versions.

Look for the thread with the subject
"NETFILTER: add support for invert condition (!) in ipt_limit". My last
patch (20 Oct) should be correct. Please review it.


> Thanks to this patch, you can easily filter SYN attacks on
> your host.. and also limit your lusers trying to do
> SYN attacks.
> 
> Simple example:
> iptables -t mangle -A FORWARD -i eth0 -s 1.2.3.4 \
> -p tcp --tcp-flags SYN SYN \
> -m limit ! --limit 2/s --limit-burst 10 -j DROP
> Forwarding only 2 SYNs per second (burst up to 10 conn per sec).
> (You can put it in the filter table; I used mangle since when a packet
> is not dropped, it goes on to my QoS tables)
> 
> To apply this patch simply run:
> # cd /usr/src/linux
> # patch -p1 < ipt_limit-linux-2.4.22.patch
> 
> And patch userland iptables
> # cd iptables-1.3.1
> # patch -p1 < ipt_limit-iptables-1.3.1.patch
> 
> Recompile the kernel (don't forget about clean),
> recompile and install the new iptables,
> install the kernel.
> Reboot.. voila..
> 
> I hope it will get into the mainstream very soon!
> I'm still surprised it's not here already..
> It adds extra functionality w/o security risks or
> performance loss.
> 
> Files:
> ftp://ftp.benet.uu3.net/pub/linux/ipt_limit-linux-2.4.22.patch
> ftp://ftp.benet.uu3.net/pub/linux/ipt_limit-iptables-1.3.1.patch
> 
> Regards,
> Borg
> 
> == File 'ipt_limit-linux-2.4.22.patch' ==============================
> --- linux-2.4.22.orig/include/linux/netfilter_ipv4/ipt_limit.h  2005-12-23 13:07:30.000000000 +0100
> +++ linux-2.4.22/include/linux/netfilter_ipv4/ipt_limit.h       2005-12-22 13:33:56.000000000 +0100
> @@ -10,6 +10,11 @@
>         u_int32_t avg;    /* Average secs between packets * scale */
>         u_int32_t burst;  /* Period multiplier for upper limit. */
>  
> +       /* Borg
> +       adding invert support
> +       */
> +       char invert;
> +
>         /* Used internally by the kernel */
>         unsigned long prev;
>         u_int32_t credit;
> --- linux-2.4.22.orig/net/ipv4/netfilter/ipt_limit.c    2005-12-23 13:07:30.000000000 +0100
> +++ linux-2.4.22/net/ipv4/netfilter/ipt_limit.c 2005-12-22 12:40:35.000000000 +0100
> @@ -63,11 +63,11 @@
>                 /* We're not limited. */
>                 r->credit -= r->cost;
>                 spin_unlock_bh(&limit_lock);
> -               return 1;
> +               return 1 ^ r->invert;
>         }
>  
>                 spin_unlock_bh(&limit_lock);
> -       return 0;
> +       return 0 ^ r->invert;
>  }
>  
>  /* Precision saver. */
> =====================================================================
> 
> == File 'ipt_limit-linux-2.4.22.patch' ==============================
> --- iptables-1.3.1-orig/extensions/libipt_limit.c       2005-12-22 11:38:38.000000000 +0100
> +++ iptables-1.3.1/extensions/libipt_limit.c    2005-12-22 13:33:03.000000000 +0100
> @@ -12,7 +12,8 @@
>  #include <stddef.h>
>  #include <linux/netfilter_ipv4/ip_tables.h>
>  /* For 64bit kernel / 32bit userspace */
> -#include "../include/linux/netfilter_ipv4/ipt_limit.h"
> +//#include "../include/linux/netfilter_ipv4/ipt_limit.h"
> +#include "linux/netfilter_ipv4/ipt_limit.h"
>  
>  #define IPT_LIMIT_AVG  "3/hour"
>  #define IPT_LIMIT_BURST        5
> @@ -120,9 +121,12 @@
>                 return 0;
>         }
>  
> -       if (invert)
> -               exit_error(PARAMETER_PROBLEM,
> -                          "limit does not support invert");
> +       if (invert) {
> +               /* Borg
> +               Adding invert support
> +               */
> +               r->invert = 1;
> +       }
>  
>         return 1;
>  }
> =====================================================================
> 
> 
> 
> 


-- 
**********************************************************************
Marco Innocenti              Gruppo Infrastruttura e Sicurezza
CINECA                       phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3           e-mail: innocenti@cineca.it
40033 Casalecchio di Reno    Bologna (Italia)
**********************************************************************

* Re[2]: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
  2005-12-23 13:40 ` m.innocenti
@ 2005-12-23 15:43   ` borg
  2005-12-23 19:26     ` Patrick McHardy
  0 siblings, 1 reply; 10+ messages in thread
From: borg @ 2005-12-23 15:43 UTC (permalink / raw)
  To: netfilter-devel

What do you mean it breaks userspace?
Can you please explain that to me?
I've patched both iptables (userland),
and kernel ipt_limit.c and header.
The only mistake I see for now is that I wrongly
modified include/linux/netfilter_ipv4/ipt_limit.h;
I should add that char invert at the end of the structure.

The only userspace program using that is iptables.
Or am I wrong?

Regards,
Borg

----- Original Message -----
From: m.innocenti@cineca.it
To: netfilter-devel@lists.netfilter.org
Date: 23-12-2005, 14:40
Subject: ipt_limit patch for iptables-1.3.1 and linux-2.4.22

borg@uu3.net wrote:
> Hello.
> 
> Here is a very small patch adding ! functionality to
> ipt_limit (iptables -m limit).

In October I sent a similar patch in which the same
errors that are present in yours were present.
Namely:
 - "0 ^ r->invert" and "1 ^ r->invert" are not very clear
 - it breaks the userspace. This problem is solved using versions.

Look for the thread with the subject
"NETFILTER: add support for invert condition (!) in ipt_limit". My last
patch (20 Oct) should be correct. Please review it.


> Thanks to this patch, you can easily filter SYN attacks on
> your host.. and also limit your lusers trying to do
> SYN attacks.
> 
> Simple example:
> iptables -t mangle -A FORWARD -i eth0 -s 1.2.3.4 \
> -p tcp --tcp-flags SYN SYN \
> -m limit ! --limit 2/s --limit-burst 10 -j DROP
> Forwarding only 2 SYNs per second (burst up to 10 conn per sec).
> (You can put it in the filter table; I used mangle since when a packet
> is not dropped, it goes on to my QoS tables)
> 
> To apply this patch simply run:
> # cd /usr/src/linux
> # patch -p1 < ipt_limit-linux-2.4.22.patch
> 
> And patch userland iptables
> # cd iptables-1.3.1
> # patch -p1 < ipt_limit-iptables-1.3.1.patch
> 
> Recompile the kernel (don't forget about clean),
> recompile and install the new iptables,
> install the kernel.
> Reboot.. voila..
> 
> I hope it will get into the mainstream very soon!
> I'm still surprised it's not here already..
> It adds extra functionality w/o security risks or
> performance loss.
> 
> Files:
> ftp://ftp.benet.uu3.net/pub/linux/ipt_limit-linux-2.4.22.patch
> ftp://ftp.benet.uu3.net/pub/linux/ipt_limit-iptables-1.3.1.patch
> 
> Regards,
> Borg
> 
> == File 'ipt_limit-linux-2.4.22.patch' ==============================
> --- linux-2.4.22.orig/include/linux/netfilter_ipv4/ipt_limit.h  2005-12-23 13:07:30.000000000 +0100
> +++ linux-2.4.22/include/linux/netfilter_ipv4/ipt_limit.h       2005-12-22 13:33:56.000000000 +0100
> @@ -10,6 +10,11 @@
>         u_int32_t avg;    /* Average secs between packets * scale */
>         u_int32_t burst;  /* Period multiplier for upper limit. */
>  
> +       /* Borg
> +       adding invert support
> +       */
> +       char invert;
> +
>         /* Used internally by the kernel */
>         unsigned long prev;
>         u_int32_t credit;
> --- linux-2.4.22.orig/net/ipv4/netfilter/ipt_limit.c    2005-12-23 13:07:30.000000000 +0100
> +++ linux-2.4.22/net/ipv4/netfilter/ipt_limit.c 2005-12-22 12:40:35.000000000 +0100
> @@ -63,11 +63,11 @@
>                 /* We're not limited. */
>                 r->credit -= r->cost;
>                 spin_unlock_bh(&limit_lock);
> -               return 1;
> +               return 1 ^ r->invert;
>         }
>  
>                 spin_unlock_bh(&limit_lock);
> -       return 0;
> +       return 0 ^ r->invert;
>  }
>  
>  /* Precision saver. */
> =====================================================================
> 
> == File 'ipt_limit-linux-2.4.22.patch' ==============================
> --- iptables-1.3.1-orig/extensions/libipt_limit.c       2005-12-22 11:38:38.000000000 +0100
> +++ iptables-1.3.1/extensions/libipt_limit.c    2005-12-22 13:33:03.000000000 +0100
> @@ -12,7 +12,8 @@
>  #include <stddef.h>
>  #include <linux/netfilter_ipv4/ip_tables.h>
>  /* For 64bit kernel / 32bit userspace */
> -#include "../include/linux/netfilter_ipv4/ipt_limit.h"
> +//#include "../include/linux/netfilter_ipv4/ipt_limit.h"
> +#include "linux/netfilter_ipv4/ipt_limit.h"
>  
>  #define IPT_LIMIT_AVG  "3/hour"
>  #define IPT_LIMIT_BURST        5
> @@ -120,9 +121,12 @@
>                 return 0;
>         }
>  
> -       if (invert)
> -               exit_error(PARAMETER_PROBLEM,
> -                          "limit does not support invert");
> +       if (invert) {
> +               /* Borg
> +               Adding invert support
> +               */
> +               r->invert = 1;
> +       }
>  
>         return 1;
>  }
> =====================================================================
> 
> 
> 
> 


-- 
**********************************************************************
Marco Innocenti              Gruppo Infrastruttura e Sicurezza
CINECA                       phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3           e-mail: innocenti@cineca.it
40033 Casalecchio di Reno    Bologna (Italia)
**********************************************************************

* Re: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
  2005-12-23 15:43   ` Re[2]: " borg
@ 2005-12-23 19:26     ` Patrick McHardy
  2005-12-23 20:13       ` Re[2]: " borg
  0 siblings, 1 reply; 10+ messages in thread
From: Patrick McHardy @ 2005-12-23 19:26 UTC (permalink / raw)
  To: borg; +Cc: netfilter-devel

borg@uu3.net wrote:
> What do you mean it breaks userspace?
> Can you please explain that to me?
> I've patched both iptables (userland),
> and kernel ipt_limit.c and header.
> The only mistake I see for now is that I wrongly
> modified include/linux/netfilter_ipv4/ipt_limit.h;
> I should add that char invert at the end of the structure.
> 
> The only userspace program using that is iptables.
> Or am I wrong?

You seem to forget about old versions that don't have your
patch. 2.4 doesn't support revisions, so we can't make
that change.

* Re[2]: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
  2005-12-23 19:26     ` Patrick McHardy
@ 2005-12-23 20:13       ` borg
  2005-12-23 20:19         ` Phil Oester
  0 siblings, 1 reply; 10+ messages in thread
From: borg @ 2005-12-23 20:13 UTC (permalink / raw)
  To: netfilter-devel

Well.. patching only the kernel or only userland is pointless indeed.
I still don't understand "breaks userspace".
I assume that we patch both iptables + kernel.
Where is the problem then?

Back to adding that to mainline...
First, people must add this to the kernel,
and after the kernel.. you can add it to new iptables;
it's easy to detect what kernel is in use
by #ifdef, and you can add/remove support for !
in libipt_limit.c.

Regards,
Borg

----- Original Message -----
From: kaber@trash.net
To: borg@uu3.net
Date: 23-12-2005, 20:26
Subject: ipt_limit patch for iptables-1.3.1 and linux-2.4.22

borg@uu3.net wrote:
> What do you mean it breaks userspace?
> Can you please explain that to me?
> I've patched both iptables (userland),
> and kernel ipt_limit.c and header.
> The only mistake I see for now is that I wrongly
> modified include/linux/netfilter_ipv4/ipt_limit.h;
> I should add that char invert at the end of the structure.
> 
> The only userspace program using that is iptables.
> Or am I wrong?

You seem to forget about old versions that don't have your
patch. 2.4 doesn't support revisions, so we can't make
that change.

* Re: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
  2005-12-23 20:13       ` Re[2]: " borg
@ 2005-12-23 20:19         ` Phil Oester
  2005-12-23 20:35           ` Re[2]: " borg
  0 siblings, 1 reply; 10+ messages in thread
From: Phil Oester @ 2005-12-23 20:19 UTC (permalink / raw)
  To: borg; +Cc: netfilter-devel

On Fri, Dec 23, 2005 at 09:13:01PM +0100, borg@uu3.net wrote:
> Well.. patching only the kernel or only userland is pointless indeed.
> I still don't understand "breaks userspace".
> I assume that we patch both iptables + kernel.

new kernel + old userspace = broken
old kernel + new userspace = broken

> Where is the problem then?

comprehension

Phil

* Re[2]: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
  2005-12-23 20:19         ` Phil Oester
@ 2005-12-23 20:35           ` borg
  2005-12-23 20:57             ` Phil Oester
  2005-12-24  6:27             ` Patrick Schaaf
  0 siblings, 2 replies; 10+ messages in thread
From: borg @ 2005-12-23 20:35 UTC (permalink / raw)
  To: netfilter-devel

Okay.. So you're saying that my system is broken?
I have patched kernel + iptables.. installed the new
kernel + iptables.. but userland is not updated..
Is it bad?
I know it is when there are major changes in the kernel
so userspace cannot see them. But in this case I think
it's not a big problem since this is only used in iptables?

I know that it's necessary to rebuild world when a new kernel
comes... but I think this is not the case in that situation.

Or am I wrong again?

Thanks for your patience,
Borg

----- Original Message -----
From: kernel@linuxace.com
To: borg@uu3.net
Date: 23-12-2005, 21:19
Subject: ipt_limit patch for iptables-1.3.1 and linux-2.4.22

On Fri, Dec 23, 2005 at 09:13:01PM +0100, borg@uu3.net wrote:
> Well.. patching only the kernel or only userland is pointless indeed.
> I still don't understand "breaks userspace".
> I assume that we patch both iptables + kernel.

new kernel + old userspace = broken
old kernel + new userspace = broken

> Where is the problem then?

comprehension

Phil

* Re: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
  2005-12-23 20:35           ` Re[2]: " borg
@ 2005-12-23 20:57             ` Phil Oester
  2005-12-27  9:21               ` m.innocenti
  2005-12-24  6:27             ` Patrick Schaaf
  1 sibling, 1 reply; 10+ messages in thread
From: Phil Oester @ 2005-12-23 20:57 UTC (permalink / raw)
  To: borg; +Cc: netfilter-devel

On Fri, Dec 23, 2005 at 09:35:23PM +0100, borg@uu3.net wrote:
> Okay.. So you're saying that my system is broken?
> I have patched kernel + iptables.. installed the new
> kernel + iptables.. but userland is not updated..
> Is it bad?
> I know it is when there are major changes in the kernel
> so userspace cannot see them. But in this case I think
> it's not a big problem since this is only used in iptables?

iptables == userspace.

If 2.4.33 were to suddenly have a new version of the limit match,
then anyone using an older iptables would be broken if they 
upgraded to it.

So while _you_ may have updated your kernel and iptables,
the rest of the world has not.  Backwards compatibility is
important.

If you need limit inversion, please update to 2.6.x kernels
where this feature exists.  If you still do not understand,
please search the archives for additional information.

Phil
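The two objections raised against the patch in this thread, the `1 ^ r->invert` form that m.innocenti calls unclear and the kernel/userspace layout mismatch Phil describes above, can be modelled without a kernel. The following is an added example written for this page, not code from the patch or from the netfilter tree: the two struct layouts are simplified stand-ins for ipt_rateinfo (field names follow the header hunk; their sizes and the size check are assumptions), the token bucket counts credits in whole packets rather than the kernel's scaled jiffies, and the packet timeline is constructed for the demonstration.

```c
/* Added example, not code from the thread or the netfilter tree: a
 * user-space model of the two review objections against the ipt_limit
 * invert patch. Struct layouts are simplified stand-ins for ipt_rateinfo
 * (assumption); the bucket counts credits in whole packets. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 1. ABI: the matchinfo struct travels from iptables to the kernel byte for
 *    byte. Inserting a field changes its size and the offsets of every field
 *    after it, so a size check of the kind ipt_limit's checkentry performs
 *    refuses a rule built against the other layout. */
struct rateinfo_old {            /* layout both sides agree on unpatched */
    uint32_t avg, burst;
    unsigned long prev;          /* kernel-internal fields follow */
    uint32_t credit, credit_cap, cost;
};
struct rateinfo_new {            /* layout after the header hunk */
    uint32_t avg, burst;
    char invert;                 /* inserted before the kernel-internal part */
    unsigned long prev;
    uint32_t credit, credit_cap, cost;
};

/* 1 when the rule sent by userspace has the size the kernel was built with. */
int checkentry_size_ok(size_t kernel_size, size_t userspace_size)
{
    return kernel_size == userspace_size;
}

/* 2. Inversion: `invert` is a char filled in by userspace, so it may carry
 *    any value. XOR only negates for exactly 0/1; explicit negation works
 *    for every nonzero flag. */
int invert_by_xor(int matched, char invert) { return matched ^ invert; }
int invert_by_neg(int matched, char invert) { return invert ? !matched : matched; }

/* Token bucket in the spirit of ipt_limit: `credit` refills at `rate`
 * packets per tick up to `burst`, each packet spends one credit. Returns
 * the match verdict after applying the invert flag. */
struct bucket { long credit, burst, rate; unsigned long prev; };

int limit_match(struct bucket *b, unsigned long now, char invert)
{
    int within;
    b->credit += (long)(now - b->prev) * b->rate;   /* refill for elapsed ticks */
    if (b->credit > b->burst)
        b->credit = b->burst;
    b->prev = now;
    within = b->credit >= 1;
    if (within)
        b->credit -= 1;                             /* we're not limited */
    return invert_by_neg(within, invert);
}

/* Feed a packet timeline (tick of each packet) through one bucket and count
 * how many packets the rule matches; with invert=1 and -j DROP that is the
 * number of packets dropped. */
int count_matches(const unsigned long *ticks, size_t n, long rate, long burst, char invert)
{
    struct bucket b = { burst, burst, rate, ticks[0] };  /* start with a full burst */
    int matched = 0;
    for (size_t i = 0; i < n; i++)
        matched += limit_match(&b, ticks[i], invert);
    return matched;
}

/* Constructed timeline: 25 SYNs in tick 0, then 3 more in tick 1, against
 * a rule equivalent to "-m limit ! --limit 2/tick --limit-burst 10 -j DROP". */
int example_dropped(char invert)
{
    unsigned long ticks[28];
    for (int i = 0; i < 28; i++)
        ticks[i] = i < 25 ? 0 : 1;
    return count_matches(ticks, 28, 2, 10, invert);
}

int main(void)
{
    printf("inverted rule drops %d of 28 SYNs (plain rule matches %d)\n",
           example_dropped(1), example_dropped(0));
    printf("old layout %zu bytes, new layout %zu bytes, mixed pair accepted: %d\n",
           sizeof(struct rateinfo_old), sizeof(struct rateinfo_new),
           checkentry_size_ok(sizeof(struct rateinfo_new), sizeof(struct rateinfo_old)));
    printf("invert=2: xor gives %d/%d, negation gives %d/%d\n",
           invert_by_xor(0, 2), invert_by_xor(1, 2), invert_by_neg(0, 2), invert_by_neg(1, 2));
    return 0;
}
```

Run as is, it reports that the inverted rule drops 16 of the 28 constructed SYNs (15 of the first 25 beyond the burst of 10, then 1 of 3 once one tick has refilled 2 credits), that the two layouts differ in size so a mixed old/new pair fails the size check, and that with `invert` set to 2 the XOR form returns nonzero on both paths while the negation form still inverts cleanly.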

* Re: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
  2005-12-23 20:35           ` Re[2]: " borg
  2005-12-23 20:57             ` Phil Oester
@ 2005-12-24  6:27             ` Patrick Schaaf
  1 sibling, 0 replies; 10+ messages in thread
From: Patrick Schaaf @ 2005-12-24  6:27 UTC (permalink / raw)
  To: borg; +Cc: netfilter-devel

> Okay.. So you're saying that my system is broken?

No.

The patch would break other people's systems who DON'T consistently
patch kernel and userspace. Iptables developers have for years now
resisted accepting patches that behave that way, because they don't want
the "support hell" it creates. That's what people are telling you.
That's why your patch is considered "broken". In this case, "broken"
is a synonym for "not acceptable to our established way of changing
things".

best regards
  Patrick

* Re: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
  2005-12-23 20:57             ` Phil Oester
@ 2005-12-27  9:21               ` m.innocenti
  0 siblings, 0 replies; 10+ messages in thread
From: m.innocenti @ 2005-12-27  9:21 UTC (permalink / raw)
  Cc: netfilter-devel

Phil Oester wrote:
> If you need limit inversion, please update to 2.6.x kernels
> where this feature exists.

No, it doesn't (yet).




-- 
**********************************************************************
Marco Innocenti              Gruppo Infrastruttura e Sicurezza
CINECA                       phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3           e-mail: innocenti@cineca.it
40033 Casalecchio di Reno    Bologna (Italia)
**********************************************************************
