* Patch to make TARPIT compile under 2.6.22
@ 2007-08-02  0:38 Juan Carlos Castro y Castro
  2007-08-02  0:55 ` Juan Carlos Castro y Castro
  2007-08-06 12:55 ` Jan Engelhardt
  0 siblings, 2 replies; 3+ messages in thread
From: Juan Carlos Castro y Castro @ 2007-08-02  0:38 UTC (permalink / raw)
  To: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 361 bytes --]

Please CC me as I'm not on the list. Here attached is a patch that I 
made to make pom-ng ipt_TARPIT.c compile under kernel 2.6.22+. It is 
against the latest SVN version as of now. Please tell me if this should 
be submitted in another fashion.

I took my inspiration from a patch I saw for Gentoo vmware-modules here: 
http://bugs.gentoo.org/show_bug.cgi?id=182595

[-- Attachment #2: tarpit-2-6-22.patch --]
[-- Type: text/x-patch, Size: 5978 bytes --]

--- patchlets/TARPIT/linux-2.6/net/ipv4/netfilter/ipt_TARPIT.c	2007-08-01 20:08:12.000000000 -0300
+++ patchlets/TARPIT/linux-2.6/net/ipv4/netfilter/ipt_TARPIT.c.new	2007-08-01 21:30:12.000000000 -0300
@@ -84,12 +84,22 @@
 	u_int16_t tmp;
 
 	/* A truncated TCP header isn't going to be useful */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+	if (oskb->len < (((struct iphdr *)skb_network_header(oskb))->ihl*4) + sizeof(struct tcphdr))
+#else
 	if (oskb->len < (oskb->nh.iph->ihl*4) + sizeof(struct tcphdr))
+#endif
 		return;
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+	otcph = (struct tcphdr *)((u_int32_t*)((struct iphdr *)skb_network_header(oskb))
+				  + ((struct iphdr *)skb_network_header(oskb))->ihl);
+	otcplen = oskb->len - ((struct iphdr *)skb_network_header(oskb))->ihl*4;
+#else
 	otcph = (struct tcphdr *)((u_int32_t*)oskb->nh.iph
 				  + oskb->nh.iph->ihl);
 	otcplen = oskb->len - oskb->nh.iph->ihl*4;
+#endif
 
 	/* No replies for RST or FIN */
 	if (otcph->rst || otcph->fin)
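Review bot: The new branch repeats the cast `((struct iphdr *)skb_network_header(oskb))` in every expression and duplicates each statement under `#if`/`#else`, which makes the length check and the header pointer arithmetic here hard to audit and lets the two branches drift apart. A single compat shim near the top of the file would remove every per-statement guard: `#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 22)` / `#define ip_hdr(skb) ((skb)->nh.iph)` / `#endif`, after which this check becomes `if (oskb->len < ip_hdr(oskb)->ihl*4 + sizeof(struct tcphdr))` on all kernels (ip_hdr() is, as far as I know, provided by the kernel from 2.6.22 on). The same pattern recurs in the hunks at -100, -119, -158, -175 and -228. The body of the enclosing function starts and ends outside this hunk.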
@@ -100,9 +110,15 @@
 		return;
 
 	/* Check checksum. */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+	if (tcp_v4_check(otcplen, ((struct iphdr *)skb_network_header(oskb))->saddr,
+			 ((struct iphdr *)skb_network_header(oskb))->daddr,
+			 csum_partial((char *)otcph, otcplen, 0)) != 0)
+#else
 	if (tcp_v4_check(otcplen, oskb->nh.iph->saddr,
 			 oskb->nh.iph->daddr,
 			 csum_partial((char *)otcph, otcplen, 0)) != 0)
+#endif
 		return;
 
 	/* Copy skb (even if skb is about to be dropped, we can't just
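Review bot: The checksum call on the new branch still reads `otcplen` bytes starting at `otcph`, and `otcplen` is derived from `oskb->len`, which counts paged data as well as the linear head. Nothing visible in this hunk or the previous one checks that the whole TCP segment sits in the linear area, so if a non-linear skb can reach this target, `csum_partial()` would read past the head buffer. Whether a caller outside the hunk already guarantees linearity cannot be seen from here. If it does not, a guard such as `if (skb_is_nonlinear(oskb)) return;` before the checksum would close the gap, and if it does, a one-line comment saying so would help the next reader.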
@@ -119,25 +135,48 @@
 	nskb->nf_debug = 0;
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+	ntcph = (struct tcphdr *)((u_int32_t*)((struct iphdr *)skb_network_header(nskb)) +
+					((struct iphdr *)skb_network_header(nskb))->ihl);
+#else
 	ntcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
+#endif
 
 	/* Truncate to length (no data) */
 	ntcph->doff = sizeof(struct tcphdr)/4;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+	skb_trim(nskb, ((struct iphdr *)skb_network_header(nskb))->ihl*4 + sizeof(struct tcphdr));
+	((struct iphdr *)skb_network_header(nskb))->tot_len = htons(nskb->len);
+#else
 	skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
 	nskb->nh.iph->tot_len = htons(nskb->len);
+#endif
 
 	/* Swap source and dest */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+	((struct iphdr *)skb_network_header(nskb))->daddr =
+		xchg(&((struct iphdr *)skb_network_header(nskb))->saddr, ((struct iphdr *)skb_network_header(nskb))->daddr);
+#else
 	nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
+#endif
 	tmp = ntcph->source;
 	ntcph->source = ntcph->dest;
 	ntcph->dest = tmp;
 
 	/* Use supplied sequence number or make a new one */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+	ntcph->seq = otcph->ack ? otcph->ack_seq
+		: htonl(secure_tcp_sequence_number(((struct iphdr *)skb_network_header(nskb))->saddr,
+						   ((struct iphdr *)skb_network_header(nskb))->daddr,
+						   ntcph->source,
+						   ntcph->dest));
+#else
 	ntcph->seq = otcph->ack ? otcph->ack_seq
 		: htonl(secure_tcp_sequence_number(nskb->nh.iph->saddr,
 						   nskb->nh.iph->daddr,
 						   ntcph->source,
 						   ntcph->dest));
+#endif
 
 	/* Our SYN-ACKs must have a >0 window */
 	ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0;
@@ -158,6 +197,17 @@
 
 	/* Adjust TCP checksum */
 	ntcph->check = 0;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+	ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
+				   ((struct iphdr *)skb_network_header(nskb))->saddr,
+				   ((struct iphdr *)skb_network_header(nskb))->daddr,
+				   csum_partial((char *)ntcph,
+						sizeof(struct tcphdr), 0));
+
+	fl.nl_u.ip4_u.daddr = ((struct iphdr *)skb_network_header(nskb))->daddr;
+	fl.nl_u.ip4_u.saddr = local ? ((struct iphdr *)skb_network_header(nskb))->saddr : 0;
+	fl.nl_u.ip4_u.tos = RT_TOS(((struct iphdr *)skb_network_header(nskb))->tos) | RTO_CONN;
+#else
 	ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
 				   nskb->nh.iph->saddr,
 				   nskb->nh.iph->daddr,
@@ -167,6 +217,7 @@
 	fl.nl_u.ip4_u.daddr = nskb->nh.iph->daddr;
 	fl.nl_u.ip4_u.saddr = local ? nskb->nh.iph->saddr : 0;
 	fl.nl_u.ip4_u.tos = RT_TOS(nskb->nh.iph->tos) | RTO_CONN;
+#endif
 	fl.oif = 0;
 
 	if (ip_route_output_key(&nrt, &fl))
@@ -175,6 +226,20 @@
 	dst_release(nskb->dst);
 	nskb->dst = &nrt->u.dst;
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
+	/* Adjust IP TTL */
+	((struct iphdr *)skb_network_header(nskb))->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+
+	/* Set DF, id = 0 */
+	((struct iphdr *)skb_network_header(nskb))->frag_off = htons(IP_DF);
+	((struct iphdr *)skb_network_header(nskb))->id = 0;
+
+	/* Adjust IP checksum */
+	((struct iphdr *)skb_network_header(nskb))->check = 0;
+	((struct iphdr *)skb_network_header(nskb))->check =
+			ip_fast_csum((unsigned char *)((struct iphdr *)skb_network_header(nskb)),
+				   ((struct iphdr *)skb_network_header(nskb))->ihl);
+#else
 	/* Adjust IP TTL */
 	nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
 
@@ -186,6 +251,7 @@
 	nskb->nh.iph->check = 0;
 	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
 					   nskb->nh.iph->ihl);
+#endif
 
 	/* "Never happens" */
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
@@ -228,11 +294,19 @@
 
 	/* Our naive response construction doesn't deal with IP
            options, and probably shouldn't try. */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
+	if (((struct iphdr *)skb_network_header(skb))->ihl*4 != sizeof(struct iphdr))
+#else
 	if (skb->nh.iph->ihl*4 != sizeof(struct iphdr))
+#endif
 		return NF_DROP;
 
 	/* We aren't interested in fragments */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
+	if (((struct iphdr *)skb_network_header(skb))->frag_off & htons(IP_OFFSET))
+#else
 	if (skb->nh.iph->frag_off & htons(IP_OFFSET))
+#endif
 		return NF_DROP;
 
 	tarpit_tcp(skb,rt,hooknum == NF_IP_LOCAL_IN);
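Review bot: The two guards added around the `ihl` and `frag_off` checks test `KERNEL_VERSION(2,6,12)`, while every other guard in this patch tests `KERNEL_VERSION(2, 6, 22)`. On kernels from 2.6.12 up to 2.6.21 this selects the `skb_network_header()` branch, which the rest of the patch treats as unavailable before 2.6.22, so the build would presumably break there. Both lines should read `#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)`. These checks drop packets with IP options and fragments before tarpit_tcp() does its header arithmetic, so they need to compile and behave identically on every supported kernel. The enclosing function starts and ends outside the hunk.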
