From: "m.innocenti@cineca.it" <m.innocenti@cineca.it>
To: netfilter-devel@lists.netfilter.org
Subject: Re: ipt_limit patch for iptables-1.3.1 and linux-2.4.22
Date: Fri, 23 Dec 2005 14:40:24 +0100 (MET)
Message-ID: <43ABFE4B.6040102@cineca.it>
In-Reply-To: <5210898791.20051223141249@uu3.net>
borg@uu3.net wrote:
> Hello.
>
> Here is very small patch adding ! functionnality to
> ipt_limit (iptables -m limit).
In October I sent a similar patch, in which the same errors that are
present in yours were present.
Namely:
- "0 ^ r->invert" and "1 ^ r->invert" are not very clear
- it breaks userspace. This problem is solved using versions.
Look for the thread with the subject
"NETFILTER: add support for invert condition (!) in ipt_limit". My last
patch (20 Oct) should be correct. Please review it.
> Thanks to this patch, you can easily filter SYN attacks to
> your host.. and also limit your lusers trying to do
> SYN attacks.
>
> Simple example:
> iptables -t mangle -A FORWARD -i eth0 -s 1.2.3.4 \
> -p tcp --tcp-flags SYN SYN \
> -m limit ! --limit 2/s --limit-burst 10 -j DROP
> Forwarding only 2 SYNs per second (burst up to 10 conn per sec).
> (You can put it in filter table, I used mangle since when packet
> is not dropping, it goes to my QoS tables)
>
> To apply this patch simply run:
> # cd /usr/src/linux
> # patch -p1 < ipt_limit-linux-2.4.22.patch
>
> And patch userland iptables
> # cd iptables-1.3.1
> # patch -p1 < ipt_limit-iptables-1.3.1.patch
>
> Recompile kernel (don't forget about clean)
> recompile and install new iptables
> Install kernel.
> Reboot.. voilà..
>
> I hope it will get to the mainstream very soon!
> I'm still surprised why it's not here already..
> It adds extra functionality w/o security risks nor
> performance loss.
>
> Files:
> ftp://ftp.benet.uu3.net/pub/linux/ipt_limit-linux-2.4.22.patch
> ftp://ftp.benet.uu3.net/pub/linux/ipt_limit-iptables-1.3.1.patch
>
> Regards,
> Borg
>
> == File 'ipt_limit-linux-2.4.22.patch' ==============================
> --- linux-2.4.22.orig/include/linux/netfilter_ipv4/ipt_limit.h 2005-12-23 13:07:30.000000000 +0100
> +++ linux-2.4.22/include/linux/netfilter_ipv4/ipt_limit.h 2005-12-22 13:33:56.000000000 +0100
> @@ -10,6 +10,11 @@
> u_int32_t avg; /* Average secs between packets * scale */
> u_int32_t burst; /* Period multiplier for upper limit. */
>
> + /* Borg
> + adding invert support
> + */
> + char invert;
> +
> /* Used internally by the kernel */
> unsigned long prev;
> u_int32_t credit;
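Review bot: adding `char invert` to struct ipt_rateinfo changes the size and layout of a structure that is copied verbatim between iptables and the kernel, so an unpatched iptables talking to a patched kernel (or the reverse) fails the match size check instead of degrading gracefully; the new field needs a versioned/revisioned match, which is the compatibility problem the reply above points at, rather than a silent layout change. The `/* Borg / adding invert support */` author tag belongs in the changelog; a one-line comment describing the field (non-zero: match packets that exceed the limit) is what the header should carry.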
> --- linux-2.4.22.orig/net/ipv4/netfilter/ipt_limit.c 2005-12-23 13:07:30.000000000 +0100
> +++ linux-2.4.22/net/ipv4/netfilter/ipt_limit.c 2005-12-22 12:40:35.000000000 +0100
> @@ -63,11 +63,11 @@
> /* We're not limited. */
> r->credit -= r->cost;
> spin_unlock_bh(&limit_lock);
> - return 1;
> + return 1 ^ r->invert;
> }
>
> spin_unlock_bh(&limit_lock);
> - return 0;
> + return 0 ^ r->invert;
> }
>
> /* Precision saver. */
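Review bot: `return 1 ^ r->invert;` and `return 0 ^ r->invert;` only invert the result when `invert` is exactly 0 or 1; for any other non-zero value, which nothing in this patch validates at checkentry time, both returns are truthy and every packet matches. State the intent explicitly, `return !r->invert;` on the not-limited path and `return !!r->invert;` on the limited path, and reject `invert` values other than 0 and 1 in ipt_limit's checkentry.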
> =====================================================================
>
> == File 'ipt_limit-iptables-1.3.1.patch' ==============================
> --- iptables-1.3.1-orig/extensions/libipt_limit.c 2005-12-22 11:38:38.000000000 +0100
> +++ iptables-1.3.1/extensions/libipt_limit.c 2005-12-22 13:33:03.000000000 +0100
> @@ -12,7 +12,8 @@
> #include <stddef.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> /* For 64bit kernel / 32bit userspace */
> -#include "../include/linux/netfilter_ipv4/ipt_limit.h"
> +//#include "../include/linux/netfilter_ipv4/ipt_limit.h"
> +#include "linux/netfilter_ipv4/ipt_limit.h"
>
> #define IPT_LIMIT_AVG "3/hour"
> #define IPT_LIMIT_BURST 5
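Review bot: swapping `../include/linux/netfilter_ipv4/ipt_limit.h` for the system `linux/netfilter_ipv4/ipt_limit.h` defeats the purpose the comment directly above it states (`/* For 64bit kernel / 32bit userspace */`): iptables bundles its own copy of the header so the userspace build does not depend on whichever kernel headers are installed, and with this change the extension only compiles against a patched kernel tree. Put the new field into iptables' bundled ipt_limit.h instead, and drop the commented-out `//#include` line rather than leaving dead code in the file.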
> @@ -120,9 +121,12 @@
> return 0;
> }
>
> - if (invert)
> - exit_error(PARAMETER_PROBLEM,
> - "limit does not support invert");
> + if (invert) {
> + /* Borg
> + Adding invert support
> + */
> + r->invert = 1;
> + }
>
> return 1;
> }
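Review bot: the `if (invert) { r->invert = 1; }` block sits after the option switch, so it fires for whichever option was just parsed and `!` is now accepted on `--limit-burst` with the same effect as on `--limit`; scope it to `--limit` and keep rejecting `!` for `--limit-burst`. The hunk also leaves print() and save() untouched, so a rule added with `! --limit` will not round-trip through iptables-save and iptables-restore. Style: the braces and the `/* Borg / Adding invert support */` comment around a single assignment should collapse to one line.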
> =====================================================================
>
--
**********************************************************************
Marco Innocenti             Gruppo Infrastruttura e Sicurezza
CINECA                      phone: +39 0516171553 / fax: +39 0516132198
Via Magnanelli 6/3          e-mail: innocenti@cineca.it
40033 Casalecchio di Reno   Bologna (Italia)
**********************************************************************
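As an added illustration of the objection to `0 ^ r->invert` and `1 ^ r->invert` (this is not code from the thread, the kernel or iptables), a small user-space model of the limit match's token bucket with the proposed invert flag: the `rateinfo` struct, the burst/cost values and the explicit refill step are constructed stand-ins for the kernel's time-scaled credit arithmetic.

```c
/* Added example, not code from the thread or from the kernel: a user-space model of
 * the ipt_limit token bucket with the proposed "invert" flag. It contrasts the patch's
 * "return 1 ^ r->invert" form with an explicit boolean form. All values are constructed. */

struct rateinfo {
    unsigned long credit;     /* tokens currently available */
    unsigned long credit_cap; /* maximum tokens (the burst) */
    unsigned long cost;       /* tokens one matched packet consumes */
    char invert;              /* proposed flag: non-zero = match packets OVER the limit */
};

/* Match evaluated as in the posted patch: XOR the flag into the result. */
static int limit_match_xor(struct rateinfo *r)
{
    if (r->credit >= r->cost) {       /* not limited: spend a token */
        r->credit -= r->cost;
        return 1 ^ r->invert;
    }
    return 0 ^ r->invert;             /* limited */
}

/* Same bucket logic with explicit boolean results; correct for any non-zero flag value. */
static int limit_match_bool(struct rateinfo *r)
{
    if (r->credit >= r->cost) {
        r->credit -= r->cost;
        return !r->invert;
    }
    return !!r->invert;
}

/* Add 'tokens' to the bucket, never exceeding the cap (the kernel refills by elapsed time). */
static void limit_refill(struct rateinfo *r, unsigned long tokens)
{
    r->credit += tokens;
    if (r->credit > r->credit_cap)
        r->credit = r->credit_cap;
}

/* Send n1 back-to-back packets through a full bucket of size 'burst', refill 'tokens',
 * then send n2 more. Returns how many of the n1 + n2 packets the match reported as a hit. */
static int count_matches(int (*match)(struct rateinfo *), unsigned long burst, char invert,
                         int n1, unsigned long tokens, int n2)
{
    struct rateinfo r = { burst, burst, 1, invert };
    int hits = 0, i;
    for (i = 0; i < n1; i++) hits += match(&r) ? 1 : 0;
    limit_refill(&r, tokens);
    for (i = 0; i < n2; i++) hits += match(&r) ? 1 : 0;
    return hits;
}
```

With burst 10 and a refill of 2 tokens, 15 then 3 packets give 12 hits uninverted and 6 inverted with either form; with the flag set to 2 the XOR form reports all 18 packets as hits while the boolean form still reports 6.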
Thread overview:
2005-12-23 13:12 ipt_limit patch for iptables-1.3.1 and linux-2.4.22 borg
2005-12-23 13:40 ` m.innocenti [this message]
2005-12-23 15:43 ` Re[2]: " borg
2005-12-23 19:26 ` Patrick McHardy
2005-12-23 20:13 ` Re[2]: " borg
2005-12-23 20:19 ` Phil Oester
2005-12-23 20:35 ` Re[2]: " borg
2005-12-23 20:57 ` Phil Oester
2005-12-27 9:21 ` m.innocenti
2005-12-24 6:27 ` Patrick Schaaf