* please fix TARPIT
From: David S. Miller @ 2005-12-22 6:15 UTC (permalink / raw)
To: netfilter-devel
Recently it was reported that the TARPIT target depends upon the
sysctl_ip_default_ttl symbol which is not exported any longer.
Any use is illegal, because the TTL is a property of a route and
should thus be obtained from the RTAX_HOPLIMIT metric. The only
valid reference is in the ipv4 routing code where it sets the
default value of this route metric.
So, tarpit_tcp() should compute 'nrt' a little earlier and then grab
the RTAX_HOPLIMIT dst metric to store into nskb->nh.iph->ttl field.
(as a side note it should probably use pskb_may_pull() and skb_unshare()
instead of the dangerously hand-crafted stuff it's using there, skb_copy()
is overkill especially for non-local packets on a firewall/router, and
yeah there seems to be nf_debug references in there too :-).
Wheee, there's also a copy of ip_finish_output2() in there as well.
It should probably use dst_output() so that paths over IPSEC and
things like that work.
If someone could take care of this (bonus points for grepping other
code in patch-o-matic for references to this sysctl_ip_default_ttl
symbol) I would really appreciate it.
Thanks.
* iptables/netlink/java
From: Oscar Mechanic @ 2005-12-22 20:36 UTC (permalink / raw)
To: netfilter-devel
Has anyone successfully managed to catch a Netlink packet with Java-only
code?
I would be delighted just to know I am not wasting my time without a
native interface; surprisingly, google/freshmeat/sourceforge have little
on the subject.
I am trying to catch ULOG pkts with Java only (JNI and I do not get
on).
Regards
Oscar
* Re: iptables/netlink/java
From: Gary W. Smith @ 2005-12-22 20:39 UTC (permalink / raw)
To: oscar, netfilter-devel
I would think, for performance reasons, that Java would not be the way to
go. If I recall there was a similar question some months ago. You might
want to check the archives.
On 12/22/05 12:36 PM, "Oscar Mechanic" <oscar@ufomechanic.net> wrote:
> Has anyone successfully managed to catch a Netlink packet with Java-only
> code?
>
> I would be delighted just to know I am not wasting my time without a
> native interface; surprisingly, google/freshmeat/sourceforge have little
> on the subject.
>
> I am trying to catch ULOG pkts with Java only (JNI and I do not get
> on).
>
> Regards
> Oscar
* Re: please fix TARPIT
From: Jan Engelhardt @ 2006-01-03 7:34 UTC (permalink / raw)
To: David S. Miller; +Cc: netfilter-devel
> Recently it was reported that the TARPIT target depends upon the
> sysctl_ip_default_ttl symbol which is not exported any longer.
How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
nice POM patch. Problem gone. (For the short term.)
Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
| jengelh's site, http://jengelh.hopto.org/
* Re: please fix TARPIT
From: Patrick McHardy @ 2006-01-03 11:22 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel, David S. Miller
Jan Engelhardt wrote:
>>Recently it was reported that the TARPIT target depends upon the
>>sysctl_ip_default_ttl symbol which is not exported any longer.
>
>
> How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
> nice POM patch. Problem gone. (For the short term.)
The fix is trivial, so I fixed it the right way (well, without
testing).
* Re: please fix TARPIT
From: David S. Miller @ 2006-01-03 20:29 UTC (permalink / raw)
To: jengelh; +Cc: netfilter-devel
From: Jan Engelhardt <jengelh@linux01.gwdg.de>
Date: Tue, 3 Jan 2006 08:34:47 +0100 (MET)
>
> >Recently it was reported that the TARPIT target depends upon the
> >sysctl_ip_default_ttl symbol which is not exported any longer.
>
> How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
> nice POM patch. Problem gone. (For the short term.)
The usage of that symbol is broken. The fact that I went through
the trouble of explaining exactly how to fix the bug properly,
and yet this kind of suggestion still arises, deeply disturbs me.
* Re: please fix TARPIT
From: David S. Miller @ 2006-01-03 20:30 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Tue, 03 Jan 2006 12:22:36 +0100
> Jan Engelhardt wrote:
> >>Recently it was reported that the TARPIT target depends upon the
> >>sysctl_ip_default_ttl symbol which is not exported any longer.
> >
> >
> > How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
> > nice POM patch. Problem gone. (For the short term.)
>
> The fix is trivial, so I fixed it the right way (well, without
> testing).
Thank you :-)
* [PATCH] use HOPLIMIT metric as TTL of TCP reset sent by REJECT [was: Re: please fix TARPIT]
From: Yasuyuki KOZAKAI @ 2006-01-05 8:08 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel, davem
Hi,
From: Patrick McHardy <kaber@trash.net>
Date: Tue, 03 Jan 2006 12:22:36 +0100
> Jan Engelhardt wrote:
> >>Recently it was reported that the TARPIT target depends upon the
> >>sysctl_ip_default_ttl symbol which is not exported any longer.
> >
> >
> > How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
> > nice POM patch. Problem gone. (For the short term.)
>
> The fix is trivial, so I fixed it the right way (well, without
> testing).
Should ipt_REJECT use the metric, too? ip6_REJECT already uses it.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
BTW, I'm not familiar with TARPIT, but ipt_REJECT seems to have the code
to fix the other issues David pointed out.
-- Yasuyuki Kozakai
[-- Attachment #2: 01-reject-ttl.patch --]
[NETFILTER] use HOPLIMIT metric as TTL of TCP reset sent by REJECT
The HOPLIMIT metric is more appropriate for the TCP reset sent by the REJECT
target than a hard-coded max TTL. Thanks to David S. Miller for the hint.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
---
commit e290cc6158560638d4bd446075322b999485d064
tree 200689991a2cc57710642400db47c649be20c00f
parent 67dbb4ea33731415fe09c62149a34f472719ac1d
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Thu, 29 Dec 2005 00:41:51 +0900
committer Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Thu, 29 Dec 2005 00:41:51 +0900
net/ipv4/netfilter/ipt_REJECT.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index f057025..6693526 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -203,7 +203,7 @@ static void send_reset(struct sk_buff *o
sizeof(struct tcphdr), 0));
/* Adjust IP TTL, DF */
- nskb->nh.iph->ttl = MAXTTL;
+ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
/* Set DF, id = 0 */
nskb->nh.iph->frag_off = htons(IP_DF);
nskb->nh.iph->id = 0;
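Review bot: the replaced line reads the HOPLIMIT metric through nskb->dst, but nothing in this hunk's context shows where that dst is attached to nskb; confirm that send_reset() assigns the reverse route to nskb->dst before the TTL is written, otherwise dst_metric() dereferences an unset pointer. The commit message could also say that a route without an explicit hoplimit still yields the kernel's default TTL from the routing code, which is what the removed MAXTTL was standing in for.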
* Re: [PATCH] use HOPLIMIT metric as TTL of TCP reset sent by REJECT [was: Re: please fix TARPIT]
From: Patrick McHardy @ 2006-01-05 8:21 UTC (permalink / raw)
To: Yasuyuki KOZAKAI; +Cc: netfilter-devel, davem
Yasuyuki KOZAKAI wrote:
> Should ipt_REJECT use metric, too ? ip6_REJECT has already use it.
Looks good. Dave, please apply on top of my patches.
> BTW, I'm not familiar with TARPIT, but ipt_REJECT seems to have the codes
> to fix the other issues David pointed out.
Yes, looks like we could use some of the ipt_REJECT code.
But we decided to move TARPIT out of pom after moving to
something apt-get like anyway, so I'd rather spend time
on that.
* Re: [PATCH] use HOPLIMIT metric as TTL of TCP reset sent by REJECT
From: David S. Miller @ 2006-01-05 21:16 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel, yasuyuki.kozakai
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 05 Jan 2006 09:21:12 +0100
> Yasuyuki KOZAKAI wrote:
> > Should ipt_REJECT use metric, too ? ip6_REJECT has already use it.
>
> Looks good. Dave, please apply on top of my patches.
All 18 patches, and this one, applied and pushed to Linus.
Thanks.
Thread overview: 10+ messages
2005-12-22 6:15 please fix TARPIT David S. Miller
2005-12-22 20:36 ` iptables/netlink/java Oscar Mechanic
2005-12-22 20:39 ` iptables/netlink/java Gary W. Smith
2006-01-03 7:34 ` please fix TARPIT Jan Engelhardt
2006-01-03 11:22 ` Patrick McHardy
2006-01-03 20:30 ` David S. Miller
2006-01-05 8:08 ` [PATCH] use HOPLIMIT metric as TTL of TCP reset sent by REJECT [was: Re: please fix TARPIT] Yasuyuki KOZAKAI
2006-01-05 8:21 ` Patrick McHardy
2006-01-05 21:16 ` [PATCH] use HOPLIMIT metric as TTL of TCP reset sent by REJECT David S. Miller
2006-01-03 20:29 ` please fix TARPIT David S. Miller