From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Subject: [PATCH 11/11] psd: add ipv6 support
Date: Sun, 16 Sep 2012 23:29:55 +0200	[thread overview]
Message-ID: <1347830995-19226-12-git-send-email-fw@strlen.de> (raw)
In-Reply-To: <1347830995-19226-1-git-send-email-fw@strlen.de>

Because most users will probably only use ipv4 psd,
allocate most of the state6 storage when the first ipv6 psd
rule is added, and not at module load time via .bss.
---
 extensions/libxt_psd.c |    2 +-
 extensions/xt_psd.c    |  234 ++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 220 insertions(+), 16 deletions(-)

diff --git a/extensions/libxt_psd.c b/extensions/libxt_psd.c
index bd03480..3f88ac4 100644
--- a/extensions/libxt_psd.c
+++ b/extensions/libxt_psd.c
@@ -142,7 +142,7 @@ static struct xtables_match psd_mt_reg = {
 	.name           = "psd",
 	.version        = XTABLES_VERSION,
 	.revision       = 1,
-	.family         = NFPROTO_IPV4,
+	.family         = NFPROTO_UNSPEC,
 	.size           = XT_ALIGN(sizeof(struct xt_psd_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_psd_info)),
 	.help           = psd_mt_help,
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index a5729e1..0b72477 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -22,13 +22,13 @@
 
 #define pr_fmt(x) KBUILD_MODNAME ": " x
 #include <linux/module.h>
-#include <linux/moduleparam.h>
 #include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/tcp.h>
+#include <linux/types.h>
+#include <linux/tcp.h>
 #include <linux/spinlock.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter/x_tables.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
 #include "xt_psd.h"
 #include "compat_xtables.h"
 
@@ -39,6 +39,7 @@ MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
 MODULE_AUTHOR(" Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com>");
 MODULE_DESCRIPTION("Xtables: PSD - portscan detection");
 MODULE_ALIAS("ipt_psd");
+MODULE_ALIAS("ip6t_psd");
 
 /*
  * Keep track of up to LIST_SIZE source addresses, using a hash table of
@@ -50,6 +51,10 @@ MODULE_ALIAS("ipt_psd");
 #define HASH_SIZE			(1 << HASH_LOG)
 #define HASH_MAX			0x10
 
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#	define WITH_IPV6 1
+#endif
+
 /*
  * Information we keep per each target port
  */
@@ -87,8 +92,13 @@ static struct host4 *host_to_host4(const struct host *h)
 	return (struct host4 *) h;
 }
 
+struct host6 {
+	struct host host;
+	struct in6_addr saddr;
+};
+
 /**
- * State information.
+ * State information for IPv4 portscan detection.
  * @list:	list of source addresses
  * @hash:	pointers into the list
  * @index:	oldest entry to be replaced
@@ -100,6 +110,46 @@ static struct {
 	int index;
 } state;
 
+#ifdef WITH_IPV6
+/**
+ * State information for IPv6 portscan detection.
+ * @list:	list of source addresses
+ * @hash:	pointers into the list
+ * @index:	oldest entry to be replaced
+ */
+static struct {
+	spinlock_t lock;
+	struct host6 *list;
+	struct host **hash;
+	int index;
+} state6;
+
+static struct host6 *host_to_host6(const struct host *h)
+{
+	return (struct host6 *) h;
+}
+
+/**
+ * allocate state6 memory only when needed
+ */
+static bool state6_alloc_mem(void)
+{
+	if (state6.hash)
+		return true;
+
+	state6.list = vzalloc(LIST_SIZE * sizeof(struct host6));
+	if (!state6.list)
+		return false;
+
+	state6.hash = vzalloc(HASH_SIZE * sizeof(struct host*));
+	if (!state6.hash) {
+		vfree(state6.list);
+		return false;
+	}
+	return true;
+}
+#endif
+
 /*
  * Convert an IP address into a hash table index.
  */
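Review bot: The failure path of state6_alloc_mem leaves state6.list dangling: when the hash allocation fails, `vfree(state6.list)` runs but the pointer is not cleared, so xt_psd_exit (hunk @@ -359,25 +535,53 @@) will vfree that stale pointer a second time unless a later call happened to succeed and overwrite it. Add `state6.list = NULL;` right after the vfree in that branch; checking both `state6.list` and `state6.hash` at the top instead of only the hash would make the early-return symmetric with the cleanup. The allocation runs outside state6.lock, which is presumably fine because checkentry calls are serialized by xtables and the match cannot run before the rule is installed, but a one-line comment stating that assumption would save the next reader the reasoning. state6_alloc_mem lies entirely within the hunk.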
@@ -117,6 +167,12 @@ static unsigned int hashfunc(__be32 addr)
 	return hash & (HASH_SIZE - 1);
 }
 
+static inline unsigned int hashfunc6(const struct in6_addr *addr)
+{
+	__be32 h = addr->s6_addr32[0] ^ addr->s6_addr32[1];
+	return hashfunc(h ^ addr->s6_addr32[2] ^ addr->s6_addr32[3]);
+}
+
 static bool port_in_list(struct host *host, u8 proto, u16 port)
 {
 	int i;
@@ -338,6 +394,126 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	return matched;
 }
 
+#ifdef WITH_IPV6
+static bool
+handle_packet6(const struct ipv6hdr *ip6h, const struct tcphdr *tcph,
+	       const struct xt_psd_info *psdinfo, uint8_t proto, int hash)
+{
+	unsigned long now;
+	struct host *curr, *last = NULL, **head;
+	struct host6 *curr6;
+	int count = 0;
+
+	now = jiffies;
+	head = &state6.hash[hash];
+
+	curr = *head;
+	while (curr != NULL) {
+		curr6 = host_to_host6(curr);
+		if (ipv6_addr_equal(&curr6->saddr, &ip6h->saddr))
+			break;
+		count++;
+		curr = host_get_next(curr, &last);
+	}
+
+	if (curr != NULL) {
+		if (entry_is_recent(curr, psdinfo->delay_threshold, now))
+			return is_portscan(curr, psdinfo, tcph, proto);
+		curr6 = host_to_host6(curr);
+		memset(&curr6->saddr, 0, sizeof(curr6->saddr));
+		ht_unlink(head, last);
+		last = NULL;
+	}
+
+	if (proto == IPPROTO_TCP && tcph->ack)
+		return false;
+
+	if (count >= HASH_MAX && last != NULL)
+		last->next = NULL;
+
+	if (!ipv6_addr_any(&state6.list[state6.index].saddr))
+		head = &state6.hash[hashfunc6(&state6.list[state6.index].saddr)];
+	else
+		head = &last;
+
+	curr6 = &state6.list[state6.index++];
+	curr = &curr6->host;
+	remove_oldest(head, curr);
+	if (state6.index >= LIST_SIZE)
+		state6.index = 0;
+
+	head = &state6.hash[hash];
+	curr->next = *head;
+	*head = curr;
+
+	curr6 = host_to_host6(curr);
+	curr6->saddr = ip6h->saddr;
+	curr->timestamp = now;
+	curr->count = 1;
+	curr->weight = get_port_weight(psdinfo, tcph->dest);
+	curr->ports[0].number = tcph->dest;
+	curr->ports[0].proto = proto;
+	return false;
+}
+
+static void *
+get_header_pointer6(const struct sk_buff *skb, void *mem, uint8_t *proto)
+{
+	static const uint8_t types[] = {IPPROTO_IPV6, IPPROTO_IPIP, IPPROTO_TCP,
+				        IPPROTO_UDP, IPPROTO_UDPLITE};
+	unsigned int i, offset = 0;
+	int err;
+	size_t hdrlen;
+
+	for (i = 0; i < ARRAY_SIZE(types); ++i) {
+		err = ipv6_find_hdr(skb, &offset, types[i], NULL, NULL);
+		if (err < 0)
+			continue;
+
+		switch (types[i]) {
+		case IPPROTO_TCP:
+			hdrlen = sizeof(struct tcphdr);
+			break;
+		case IPPROTO_UDP:
+		case IPPROTO_UDPLITE:
+			hdrlen = sizeof(struct udphdr);
+			break;
+		default:
+			return NULL;
+		}
+		*proto = types[i];
+		return skb_header_pointer(skb, offset, hdrlen, mem);
+	}
+	return NULL;
+}
+
+static bool
+xt_psd_match6(const struct sk_buff *pskb, struct xt_action_param *match)
+{
+	const struct ipv6hdr *ip6h = ipv6_hdr(pskb);
+	struct tcphdr _tcph;
+	struct tcphdr *tcph;
+	uint8_t proto = 0;
+	bool matched;
+	int hash;
+	const struct xt_psd_info *psdinfo = match->matchinfo;
+
+	if (ipv6_addr_any(&ip6h->saddr))
+		return false;
+
+	tcph = get_header_pointer6(pskb, &_tcph, &proto);
+	if (tcph == NULL)
+		return false;
+
+	hash = hashfunc6(&ip6h->saddr);
+
+	spin_lock(&state6.lock);
+	matched = handle_packet6(ip6h, tcph, psdinfo, proto, hash);
+	spin_unlock(&state6.lock);
+	return matched;
+}
+#endif
+
 static int psd_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_psd_info *info = par->matchinfo;
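Review bot: handle_packet6 uses the all-zero address as the "slot free" marker in state6.list — the memset of curr6->saddr on the expired-entry path and the ipv6_addr_any() test before choosing head both depend on it — and the only thing preventing a genuine `::` source from being stored is the early return at the top of xt_psd_match6. That coupling deserves a comment at the memset, e.g. `/* :: marks a free slot; xt_psd_match6 never lets a packet from :: reach us */`, and a matching one above the ipv6_addr_any() check in xt_psd_match6 so neither side is changed independently. Minor: hashfunc6 returns unsigned int but `int hash` carries the value into the array index in handle_packet6 and xt_psd_match6; declaring it `unsigned int hash` in both avoids the signed/unsigned mix. The trailing context is the start of psd_mt_check, whose body continues outside the hunk.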
@@ -359,25 +535,53 @@ static int psd_mt_check(const struct xt_mtchk_param *par)
 	return 0;
 }
 
-static struct xt_match xt_psd_reg __read_mostly = {
-	.name       = "psd",
-	.family     = NFPROTO_IPV4,
-	.revision   = 1,
-	.checkentry = psd_mt_check,
-	.match      = xt_psd_match,
-	.matchsize  = sizeof(struct xt_psd_info),
-	.me         = THIS_MODULE,
+#ifdef WITH_IPV6
+static int psd_mt_check6(const struct xt_mtchk_param *par)
+{
+	if (!state6_alloc_mem())
+		return -ENOMEM;
+	return psd_mt_check(par);
+}
+#endif
+
+static struct xt_match xt_psd_reg[] __read_mostly = {
+	{
+		.name       = "psd",
+		.family     = NFPROTO_IPV4,
+		.revision   = 1,
+		.checkentry = psd_mt_check,
+		.match      = xt_psd_match,
+		.matchsize  = sizeof(struct xt_psd_info),
+		.me         = THIS_MODULE,
+#ifdef WITH_IPV6
+	}, {
+		.name       = "psd",
+		.family     = NFPROTO_IPV6,
+		.revision   = 1,
+		.checkentry = psd_mt_check6,
+		.match      = xt_psd_match6,
+		.matchsize  = sizeof(struct xt_psd_info),
+		.me         = THIS_MODULE,
+#endif
+	}
 };
 
 static int __init xt_psd_init(void)
 {
 	spin_lock_init(&(state.lock));
-	return xt_register_match(&xt_psd_reg);
+#ifdef WITH_IPV6
+	spin_lock_init(&(state6.lock));
+#endif
+	return xt_register_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
 }
 
 static void __exit xt_psd_exit(void)
 {
-        xt_unregister_match(&xt_psd_reg);
+#ifdef WITH_IPV6
+	vfree(state6.list);
+	vfree(state6.hash);
+#endif
+        xt_unregister_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
 }
 
 module_init(xt_psd_init);
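Review bot: psd_mt_check6 allocates the state6 tables before psd_mt_check has validated the rule, so a rule rejected for bad parameters still leaves LIST_SIZE * sizeof(struct host6) plus the hash table committed for the rest of the module's lifetime. Validating first keeps rejected rules free: `int ret = psd_mt_check(par);` then `if (ret != 0) return ret;` and finally `return state6_alloc_mem() ? 0 : -ENOMEM;`. In xt_psd_exit the two vfree calls precede xt_unregister_matches; since no rule can reference the match once the module refcount permits unload this is presumably safe, but unregistering first and freeing afterwards is the conventional order and costs nothing. The context at the top of the hunk is the tail of psd_mt_check, whose body starts outside the hunk.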
-- 
1.7.8.6

