From: Juan Carlos Castro y Castro <jcastro@instant.com.br>
To: netfilter-devel@lists.netfilter.org
Subject: Patch to make TARPIT compile under 2.6.22
Date: Wed, 01 Aug 2007 21:38:34 -0300 [thread overview]
Message-ID: <46B1278A.1050701@instant.com.br> (raw)
[-- Attachment #1: Type: text/plain, Size: 361 bytes --]
Please CC me as I'm not on the list. Here attached is a patch that I
made to make pom-ng ipt_TARPIT.c compile under kernel 2.6.22+. It is
against the latest SVN version as of now. Please tell me if this should
be submitted in another fashion.
I based this on a patch I saw for the Gentoo vmware-modules package here:
http://bugs.gentoo.org/show_bug.cgi?id=182595
[-- Attachment #2: tarpit-2-6-22.patch --]
[-- Type: text/x-patch, Size: 5978 bytes --]
--- patchlets/TARPIT/linux-2.6/net/ipv4/netfilter/ipt_TARPIT.c 2007-08-01 20:08:12.000000000 -0300
+++ patchlets/TARPIT/linux-2.6/net/ipv4/netfilter/ipt_TARPIT.c.new 2007-08-01 21:30:12.000000000 -0300
@@ -84,12 +84,22 @@
u_int16_t tmp;
/* A truncated TCP header isn't going to be useful */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ if (oskb->len < (((struct iphdr *)skb_network_header(oskb))->ihl*4) + sizeof(struct tcphdr))
+#else
if (oskb->len < (oskb->nh.iph->ihl*4) + sizeof(struct tcphdr))
+#endif
return;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ otcph = (struct tcphdr *)((u_int32_t*)((struct iphdr *)skb_network_header(oskb))
+ + ((struct iphdr *)skb_network_header(oskb))->ihl);
+ otcplen = oskb->len - ((struct iphdr *)skb_network_header(oskb))->ihl*4;
+#else
otcph = (struct tcphdr *)((u_int32_t*)oskb->nh.iph
+ oskb->nh.iph->ihl);
otcplen = oskb->len - oskb->nh.iph->ihl*4;
+#endif
/* No replies for RST or FIN */
if (otcph->rst || otcph->fin)
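Review bot: The 2.6.22 branch spells `(struct iphdr *)skb_network_header(oskb)` four times in six lines, and the same `#if`/`#else` pair is then repeated for every later header access in the patch, which invites the two branches drifting apart (one guard later in this patch already reads 2.6.12 instead of 2.6.22). 2.6.22 ships `ip_hdr(skb)` for exactly this cast; a single compat shim defining `ip_hdr()` as `skb->nh.iph` on older kernels lets the whole function use `ip_hdr()` unconditionally, with the header cached once in a local, as sketched below. tarpit_tcp() starts before this hunk, so the `oiph` local has to be declared with the function's other locals.

```c
/* once, after the #includes: give pre-2.6.22 kernels the 2.6.22 accessor */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 22)
static inline struct iphdr *ip_hdr(const struct sk_buff *skb)
{
	return skb->nh.iph;
}
#endif

/* … unchanged: tarpit_tcp() prologue; oiph is declared with the other locals … */
	struct iphdr *oiph = ip_hdr(oskb);

	/* A truncated TCP header isn't going to be useful */
	if (oskb->len < oiph->ihl * 4 + sizeof(struct tcphdr))
		return;

	otcph = (struct tcphdr *)((u_int32_t *)oiph + oiph->ihl);
	otcplen = oskb->len - oiph->ihl * 4;
```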
@@ -100,9 +110,15 @@
return;
/* Check checksum. */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ if (tcp_v4_check(otcplen, ((struct iphdr *)skb_network_header(oskb))->saddr,
+ ((struct iphdr *)skb_network_header(oskb))->daddr,
+ csum_partial((char *)otcph, otcplen, 0)) != 0)
+#else
if (tcp_v4_check(otcplen, oskb->nh.iph->saddr,
oskb->nh.iph->daddr,
csum_partial((char *)otcph, otcplen, 0)) != 0)
+#endif
return;
/* Copy skb (even if skb is about to be dropped, we can't just
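Review bot: The 2.6.22 branch copies the entire checksum `if` only to change how `saddr`/`daddr` are reached; with the IP header cached once in a local (e.g. `struct iphdr *oiph = ip_hdr(oskb);`, with a pre-2.6.22 shim for `ip_hdr()`) a single `if (tcp_v4_check(otcplen, oiph->saddr, oiph->daddr, csum_partial((char *)otcph, otcplen, 0)) != 0)` serves both kernel generations. Separately, both branches sum `otcplen` bytes starting at `otcph` in the linear area, while the length guard above only compares against `oskb->len`, which includes paged data; if TARPIT can be hit with non-linear or hardware-checksummed skbs, that is a read past the linear data and a checksum that ignores `ip_summed`. As I recall, the in-tree ipt_REJECT of the same era uses `nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)` here (and `skb_header_pointer()` to fetch the TCP header), which handles both cases; adopting it would mean passing the hook number into tarpit_tcp(). tarpit_tcp() starts before and continues after this hunk.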
@@ -119,25 +135,48 @@
nskb->nf_debug = 0;
#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ ntcph = (struct tcphdr *)((u_int32_t*)((struct iphdr *)skb_network_header(nskb)) +
+ ((struct iphdr *)skb_network_header(nskb))->ihl);
+#else
ntcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
+#endif
/* Truncate to length (no data) */
ntcph->doff = sizeof(struct tcphdr)/4;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ skb_trim(nskb, ((struct iphdr *)skb_network_header(nskb))->ihl*4 + sizeof(struct tcphdr));
+ ((struct iphdr *)skb_network_header(nskb))->tot_len = htons(nskb->len);
+#else
skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
nskb->nh.iph->tot_len = htons(nskb->len);
+#endif
/* Swap source and dest */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ ((struct iphdr *)skb_network_header(nskb))->daddr =
+ xchg(&((struct iphdr *)skb_network_header(nskb))->saddr, ((struct iphdr *)skb_network_header(nskb))->daddr);
+#else
nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
+#endif
tmp = ntcph->source;
ntcph->source = ntcph->dest;
ntcph->dest = tmp;
/* Use supplied sequence number or make a new one */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ ntcph->seq = otcph->ack ? otcph->ack_seq
+ : htonl(secure_tcp_sequence_number(((struct iphdr *)skb_network_header(nskb))->saddr,
+ ((struct iphdr *)skb_network_header(nskb))->daddr,
+ ntcph->source,
+ ntcph->dest));
+#else
ntcph->seq = otcph->ack ? otcph->ack_seq
: htonl(secure_tcp_sequence_number(nskb->nh.iph->saddr,
nskb->nh.iph->daddr,
ntcph->source,
ntcph->dest));
+#endif
/* Our SYN-ACKs must have a >0 window */
ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0;
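Review bot: Five separate `#if`/`#else` pairs in this hunk duplicate statements whose only difference is `nskb->nh.iph` versus `(struct iphdr *)skb_network_header(nskb)`, including the five-line `secure_tcp_sequence_number()` call; a single `struct iphdr *niph = ip_hdr(nskb);` (with a pre-2.6.22 shim defining `ip_hdr()` as `skb->nh.iph`) collapses every pair to one copy, e.g. `ntcph = (struct tcphdr *)((u_int32_t *)niph + niph->ihl);` and `niph->daddr = xchg(&niph->saddr, niph->daddr);`. Beyond readability this matters because nothing checks that the two branches stay in sync, so every future change to the reply construction must be made twice. tarpit_tcp() continues outside the hunk in both directions.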
@@ -158,6 +197,17 @@
/* Adjust TCP checksum */
ntcph->check = 0;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
+ ((struct iphdr *)skb_network_header(nskb))->saddr,
+ ((struct iphdr *)skb_network_header(nskb))->daddr,
+ csum_partial((char *)ntcph,
+ sizeof(struct tcphdr), 0));
+
+ fl.nl_u.ip4_u.daddr = ((struct iphdr *)skb_network_header(nskb))->daddr;
+ fl.nl_u.ip4_u.saddr = local ? ((struct iphdr *)skb_network_header(nskb))->saddr : 0;
+ fl.nl_u.ip4_u.tos = RT_TOS(((struct iphdr *)skb_network_header(nskb))->tos) | RTO_CONN;
+#else
ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
nskb->nh.iph->saddr,
nskb->nh.iph->daddr,
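Review bot: I do not see `nskb->ip_summed = CHECKSUM_NONE;` anywhere in the visible hunks after the TCP checksum is written; nskb is a copy of an ingress skb, so if it inherited a CHECKSUM_PARTIAL/CHECKSUM_COMPLETE state from the original, the transmit path may try to recompute or trust a checksum this code already filled in by hand — if it is set elsewhere in the function, ignore this. As I recall, the in-tree ipt_REJECT sets it explicitly after building the reply. Also, the 2.6.22 branch duplicates the `tcp_v4_check()` call and the three `fl.nl_u.ip4_u` assignments only to change the IP-header access; a cached `struct iphdr *niph = ip_hdr(nskb);` lets one copy serve both kernels and avoids an `#if` that opens in this hunk and closes in the next. tarpit_tcp() continues past the hunk.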
@@ -167,6 +217,7 @@
fl.nl_u.ip4_u.daddr = nskb->nh.iph->daddr;
fl.nl_u.ip4_u.saddr = local ? nskb->nh.iph->saddr : 0;
fl.nl_u.ip4_u.tos = RT_TOS(nskb->nh.iph->tos) | RTO_CONN;
+#endif
fl.oif = 0;
if (ip_route_output_key(&nrt, &fl))
@@ -175,6 +226,20 @@
dst_release(nskb->dst);
nskb->dst = &nrt->u.dst;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+ /* Adjust IP TTL */
+ ((struct iphdr *)skb_network_header(nskb))->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+
+ /* Set DF, id = 0 */
+ ((struct iphdr *)skb_network_header(nskb))->frag_off = htons(IP_DF);
+ ((struct iphdr *)skb_network_header(nskb))->id = 0;
+
+ /* Adjust IP checksum */
+ ((struct iphdr *)skb_network_header(nskb))->check = 0;
+ ((struct iphdr *)skb_network_header(nskb))->check =
+ ip_fast_csum((unsigned char *)((struct iphdr *)skb_network_header(nskb)),
+ ((struct iphdr *)skb_network_header(nskb))->ihl);
+#else
/* Adjust IP TTL */
nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
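Review bot: The three-line `ip_fast_csum()` statement at the end of the 2.6.22 branch casts `skb_network_header(nskb)` to `struct iphdr *` three times, and the whole 14-line block differs from the `#else` copy only in that spelling. Caching the header once (`struct iphdr *niph = ip_hdr(nskb);`, with a pre-2.6.22 shim for `ip_hdr()`) reduces the block to the original lines with `nskb->nh.iph` replaced by `niph`, e.g. `niph->check = ip_fast_csum((unsigned char *)niph, niph->ihl);`, and removes the need for the `#if` entirely. tarpit_tcp() continues outside the hunk.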
@@ -186,6 +251,7 @@
nskb->nh.iph->check = 0;
nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
nskb->nh.iph->ihl);
+#endif
/* "Never happens" */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
@@ -228,11 +294,19 @@
/* Our naive response construction doesn't deal with IP
options, and probably shouldn't try. */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
+ if (((struct iphdr *)skb_network_header(skb))->ihl*4 != sizeof(struct iphdr))
+#else
if (skb->nh.iph->ihl*4 != sizeof(struct iphdr))
+#endif
return NF_DROP;
/* We aren't interested in fragments */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
+ if (((struct iphdr *)skb_network_header(skb))->frag_off & htons(IP_OFFSET))
+#else
if (skb->nh.iph->frag_off & htons(IP_OFFSET))
+#endif
return NF_DROP;
tarpit_tcp(skb,rt,hooknum == NF_IP_LOCAL_IN);
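Review bot: Both new guards in this hunk test `KERNEL_VERSION(2,6,12)` instead of the `KERNEL_VERSION(2, 6, 22)` used everywhere else in the patch, apparently copied from the "Never happens" guard earlier in the file; `skb_network_header()` does not exist before 2.6.22, so this breaks the build on every kernel from 2.6.12 through 2.6.21 — exactly the range the `#else` branches are meant to keep working. Change both to `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)`, or drop the conditionals by going through `ip_hdr(skb)` with a pre-2.6.22 shim; 2.6.22 also provides `ip_hdrlen(skb)` for the `ihl*4` comparison. The enclosing hook function starts before this hunk and continues after it.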