* [PATCH v2 0/6] IPv6 tarpit support
@ 2012-07-08 18:11 Josh Hunt
From: Josh Hunt @ 2012-07-08 18:11 UTC (permalink / raw)
  To: jengelh, netfilter-devel; +Cc: Josh Hunt

Jan

I believe I've addressed the concerns you raised in the original set.
This version separates out the XTTARPIT_* modes into their own functions
(patches 1-3.) It also changes tarpit_generic to return a bool so we
can now handle the early exits properly.

Thanks
Josh

Josh Hunt (6):
  netfilter: tarpit: Move XTTARPIT_TARPIT mode processing to its own
    function
  netfilter: tarpit: Move XTTARPIT_HONEYPOT mode into its own function
  netfilter: tarpit: Move XTTARPIT_RESET to its own function
  netfilter: tarpit: Make tarpit code generic
  netfilter: tarpit: Add IPv6 support
  netfilter: tarpit: Enable IPv6 userspace support

 extensions/libxt_TARPIT.c |    2 +-
 extensions/xt_TARPIT.c    |  407 +++++++++++++++++++++++++++++++++++----------
 2 files changed, 316 insertions(+), 93 deletions(-)



* [PATCH v2 1/6] netfilter: tarpit: Move XTTARPIT_TARPIT mode processing to its own function
From: Josh Hunt @ 2012-07-08 18:11 UTC (permalink / raw)
  To: jengelh, netfilter-devel; +Cc: Josh Hunt

Moves the XTTARPIT_TARPIT mode processing to its own function.

Signed-off-by: Josh Hunt <johunt@akamai.com>
---
 extensions/xt_TARPIT.c |   48 ++++++++++++++++++++++++++++--------------------
 1 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
index db24f90..3cb61ac 100644
--- a/extensions/xt_TARPIT.c
+++ b/extensions/xt_TARPIT.c
@@ -51,6 +51,33 @@
 #include "compat_xtables.h"
 #include "xt_TARPIT.h"
 
+static bool xttarpit_tarpit(struct tcphdr *oth, struct tcphdr *tcph) {
+
+	/* No replies for RST, FIN or !SYN,!ACK */
+	if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
+		return false;
+	tcph->seq = oth->ack ? oth->ack_seq : 0;
+
+	/* Our SYN-ACKs must have a >0 window */
+	tcph->window  = (oth->syn && !oth->ack) ? htons(5) : 0;
+	if (oth->syn && oth->ack) {
+		tcph->rst     = true;
+		tcph->ack_seq = false;
+	} else {
+		tcph->syn     = oth->syn;
+		tcph->ack     = true;
+		tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
+	}
+#if 0
+	/* Rate-limit replies to !SYN,ACKs */
+	if (!oth->syn && oth->ack)
+		if (!xrlim_allow(rt_dst(ort), HZ))
+			return;
+#endif
+
+	return true;
+}
+
 static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
     unsigned int mode)
 {
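Review bot: The `#if 0` block carried into xttarpit_tarpit no longer fits its new home: it uses a bare `return;` inside a function that returns bool and refers to `ort`, which is not a parameter of the helper, so re-enabling it would not compile. Either drop the dead block (history keeps it) or rewrite it as `return false;` with the route passed in once rate limiting is actually wanted. `tcph->ack_seq = false;` stores a bool into a __be32 field; `tcph->ack_seq = 0;` states the intent without the implicit conversion. Style: kernel convention puts a function definition's opening brace on its own line, `static bool xttarpit_tarpit(struct tcphdr *oth, struct tcphdr *tcph)` followed by `{`, and the blank line right after it is unneeded. A one-line contract comment would help since the sibling helpers that follow in this series share the shape: `/* Fill in the TARPIT reply in tcph from the received header oth; false means no reply is sent. */`.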
@@ -117,27 +144,8 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	((u_int8_t *)tcph)[13] = 0;
 
 	if (mode == XTTARPIT_TARPIT) {
-		/* No replies for RST, FIN or !SYN,!ACK */
-		if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
+		if (!xttarpit_tarpit(oth, tcph))
 			return;
-		tcph->seq = oth->ack ? oth->ack_seq : 0;
-
-		/* Our SYN-ACKs must have a >0 window */
-		tcph->window  = (oth->syn && !oth->ack) ? htons(5) : 0;
-		if (oth->syn && oth->ack) {
-			tcph->rst     = true;
-			tcph->ack_seq = false;
-		} else {
-			tcph->syn     = oth->syn;
-			tcph->ack     = true;
-			tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
-		}
-#if 0
-		/* Rate-limit replies to !SYN,ACKs */
-		if (!oth->syn && oth->ack)
-			if (!xrlim_allow(rt_dst(ort), HZ))
-				return;
-#endif
 	} else if (mode == XTTARPIT_HONEYPOT) {
 		/* Do not answer any resets regardless of combination */
 		if (oth->rst || oth->seq == 0xDEADBEEF)
-- 
1.7.0.4



* [PATCH v2 2/6] netfilter: tarpit: Move XTTARPIT_HONEYPOT mode into its own function
From: Josh Hunt @ 2012-07-08 18:11 UTC (permalink / raw)
  To: jengelh, netfilter-devel; +Cc: Josh Hunt

Moves XTTARPIT_HONEYPOT into its own function.

Signed-off-by: Josh Hunt <johunt@akamai.com>
---
 extensions/xt_TARPIT.c |  102 ++++++++++++++++++++++++++---------------------
 1 files changed, 56 insertions(+), 46 deletions(-)

diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
index 3cb61ac..6c75184 100644
--- a/extensions/xt_TARPIT.c
+++ b/extensions/xt_TARPIT.c
@@ -78,6 +78,61 @@ static bool xttarpit_tarpit(struct tcphdr *oth, struct tcphdr *tcph) {
 	return true;
 }
 
+static bool xttarpit_honeypot(struct tcphdr *oth, struct tcphdr *tcph,
+	uint16_t payload)
+{
+
+	/* Do not answer any resets regardless of combination */
+	if (oth->rst || oth->seq == 0xDEADBEEF)
+		return false;
+	/* Send a reset to scanners. They like that. */
+	if (oth->syn && oth->ack) {
+		tcph->window  = 0;
+		tcph->ack     = false;
+		tcph->psh     = true;
+		tcph->ack_seq = 0xdeadbeef; /* see if they ack it */
+		tcph->seq     = oth->ack_seq;
+		tcph->rst     = true;
+	}
+
+	/* SYN > SYN-ACK */
+	if (oth->syn && !oth->ack) {
+		tcph->syn     = true;
+		tcph->ack     = true;
+		tcph->window  = oth->window &
+			((net_random() & 0x1f) - 0xf);
+		tcph->seq     = htonl(net_random() & ~oth->seq);
+		tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
+	}
+
+	/* ACK > ACK */
+	if (oth->ack && (!(oth->fin || oth->syn))) {
+		tcph->syn     = false;
+		tcph->ack     = true;
+		tcph->window  = oth->window &
+			((net_random() & 0x1f) - 0xf);
+		tcph->ack_seq = payload > 100 ?
+			htonl(ntohl(oth->seq) + payload) :
+			oth->seq;
+		tcph->seq     = oth->ack_seq;
+	}
+
+	/*
+	* FIN > RST.
+	* We cannot terminate gracefully so just be abrupt.
+	*/
+	if (oth->fin) {
+		tcph->window  = 0;
+		tcph->seq     = oth->ack_seq;
+		tcph->ack_seq = oth->ack_seq;
+		tcph->fin     = false;
+		tcph->ack     = false;
+		tcph->rst     = true;
+	}
+
+	return true;
+}
+
 static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
     unsigned int mode)
 {
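Review bot: The honeypot marker appears twice with different spellings, `oth->seq == 0xDEADBEEF` on the guard and `tcph->ack_seq = 0xdeadbeef` in the SYN-ACK branch, both used raw without htonl; that is self-consistent only because the peer echoes our ack_seq bytes back as its seq, and a single named constant with a comment saying so would keep the two from drifting apart. xttarpit_honeypot has no header comment; a short one describing the contract — which flag combinations get which reply, that `payload` is the length of the received segment's data used to advance ack_seq, and that false means the segment is ignored — is worth adding now that the logic is out of line with its caller. Style: the four flag-combination blocks are independent `if`s rather than an `if`/`else if` chain, so a reader has to convince themselves that at most one applies; a comment noting that the conditions are mutually exclusive except for FIN, which deliberately wins, would save that work.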
@@ -147,53 +202,8 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 		if (!xttarpit_tarpit(oth, tcph))
 			return;
 	} else if (mode == XTTARPIT_HONEYPOT) {
-		/* Do not answer any resets regardless of combination */
-		if (oth->rst || oth->seq == 0xDEADBEEF)
+		if (!xttarpit_honeypot(oth, tcph, payload))
 			return;
-		/* Send a reset to scanners. They like that. */
-		if (oth->syn && oth->ack) {
-			tcph->window  = 0;
-			tcph->ack     = false;
-			tcph->psh     = true;
-			tcph->ack_seq = 0xdeadbeef; /* see if they ack it */
-			tcph->seq     = oth->ack_seq;
-			tcph->rst     = true;
-		}
-
-		/* SYN > SYN-ACK */
-		if (oth->syn && !oth->ack) {
-			tcph->syn     = true;
-			tcph->ack     = true;
-			tcph->window  = oth->window &
-			                ((net_random() & 0x1f) - 0xf);
-			tcph->seq     = htonl(net_random() & ~oth->seq);
-			tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
-		}
-
-		/* ACK > ACK */
-		if (oth->ack && (!(oth->fin || oth->syn))) {
-			tcph->syn     = false;
-			tcph->ack     = true;
-			tcph->window  = oth->window &
-			                ((net_random() & 0x1f) - 0xf);
-			tcph->ack_seq = payload > 100 ?
-			                htonl(ntohl(oth->seq) + payload) :
-			                oth->seq;
-			tcph->seq     = oth->ack_seq;
-		}
-
-		/*
-		 * FIN > RST.
-		 * We cannot terminate gracefully so just be abrupt.
-		 */
-		if (oth->fin) {
-			tcph->window  = 0;
-			tcph->seq     = oth->ack_seq;
-			tcph->ack_seq = oth->ack_seq;
-			tcph->fin     = false;
-			tcph->ack     = false;
-			tcph->rst     = true;
-		}
 	} else if (mode == XTTARPIT_RESET) {
 		tcph->window  = 0;
 		tcph->ack     = false;
-- 
1.7.0.4



* [PATCH v2 3/6] netfilter: tarpit: Move XTTARPIT_RESET to its own function
From: Josh Hunt @ 2012-07-08 18:11 UTC (permalink / raw)
  To: jengelh, netfilter-devel; +Cc: Josh Hunt

Moves XTTARPIT_RESET into its own function.

Signed-off-by: Josh Hunt <johunt@akamai.com>
---
 extensions/xt_TARPIT.c |   21 +++++++++++++++------
 1 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
index 6c75184..5d8af70 100644
--- a/extensions/xt_TARPIT.c
+++ b/extensions/xt_TARPIT.c
@@ -133,6 +133,19 @@ static bool xttarpit_honeypot(struct tcphdr *oth, struct tcphdr *tcph,
 	return true;
 }
 
+static bool xttarpit_reset(struct tcphdr *oth, struct tcphdr *tcph)
+{
+
+	tcph->window  = 0;
+	tcph->ack     = false;
+	tcph->syn     = false;
+	tcph->rst     = true;
+	tcph->seq     = oth->ack_seq;
+	tcph->ack_seq = oth->seq;
+
+	return true;
+}
+
 static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
     unsigned int mode)
 {
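Review bot: xttarpit_reset cannot fail, so its bool result is always true and the caller's new `if (!xttarpit_reset(oth, tcph)) return;` is dead code; presumably the signature is kept uniform with the other two helpers for the dispatch that follows in the series, in which case a one-line comment such as `/* Always succeeds; returns bool for symmetry with the other mode helpers */` would stop a reader hunting for the failure case. The blank line after the opening brace is unneeded.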
@@ -205,12 +218,8 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 		if (!xttarpit_honeypot(oth, tcph, payload))
 			return;
 	} else if (mode == XTTARPIT_RESET) {
-		tcph->window  = 0;
-		tcph->ack     = false;
-		tcph->syn     = false;
-		tcph->rst     = true;
-		tcph->seq     = oth->ack_seq;
-		tcph->ack_seq = oth->seq;
+		if (!xttarpit_reset(oth, tcph))
+			return;
 	}
 
 	/* Adjust TCP checksum */
-- 
1.7.0.4



* [PATCH v2 4/6] netfilter: tarpit: Make tarpit code generic
From: Josh Hunt @ 2012-07-08 18:11 UTC (permalink / raw)
  To: jengelh, netfilter-devel; +Cc: Josh Hunt

Creates a generic function in which to perform the TCP header manipulation.
Done in preparation for IPv6 support. This allows us to share code between
v4 and v6 processing.

Signed-off-by: Josh Hunt <johunt@akamai.com>
---
 extensions/xt_TARPIT.c |   33 +++++++++++++++++++++++----------
 1 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
index 5d8af70..528c012 100644
--- a/extensions/xt_TARPIT.c
+++ b/extensions/xt_TARPIT.c
@@ -146,6 +146,27 @@ static bool xttarpit_reset(struct tcphdr *oth, struct tcphdr *tcph)
 	return true;
 }
 
+static bool tarpit_generic(struct tcphdr *oth, struct tcphdr *tcph, uint16_t payload,
+	unsigned int mode)
+{
+	switch(mode) {
+	case XTTARPIT_TARPIT:
+		if (!xttarpit_tarpit(oth, tcph))
+			return false;
+		break;
+	case XTTARPIT_HONEYPOT:
+		if (!xttarpit_honeypot(oth, tcph, payload))
+			return false;
+		break;
+	case XTTARPIT_RESET:
+		if (!xttarpit_reset(oth, tcph))
+			return false;
+		break;
+	}
+
+	return true;
+}
+
 static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
     unsigned int mode)
 {
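Review bot: The `switch(mode)` has no default case, so an unrecognised mode falls out of the switch and returns true, after which the caller transmits the header it has just zeroed at `((u_int8_t *)tcph)[13] = 0;` — a segment with no flags set at all. `mode` is `info->variant` from the userspace-supplied targinfo, and whether a checkentry rejects unknown values is not visible here, so `default: return false;` keeps the function's contract (true only when a reply was built) independent of that validation. Style: kernel convention writes `switch (mode)` with a space, and each case can simply `return xttarpit_tarpit(oth, tcph);` instead of the `if (!…) return false; break;` pattern repeated three times.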
@@ -211,16 +232,8 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	/* Reset flags */
 	((u_int8_t *)tcph)[13] = 0;
 
-	if (mode == XTTARPIT_TARPIT) {
-		if (!xttarpit_tarpit(oth, tcph))
-			return;
-	} else if (mode == XTTARPIT_HONEYPOT) {
-		if (!xttarpit_honeypot(oth, tcph, payload))
-			return;
-	} else if (mode == XTTARPIT_RESET) {
-		if (!xttarpit_reset(oth, tcph))
-			return;
-	}
+	if (!tarpit_generic(oth, tcph, payload, mode))
+		return;
 
 	/* Adjust TCP checksum */
 	tcph->check = 0;
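Review bot: `if (!tarpit_generic(oth, tcph, payload, mode)) return;` leaves tarpit_tcp without releasing nskb if the reply buffer has already been allocated at this point; the function's tail visible as context in patch 5 ends with `kfree_skb(nskb);`, which suggests a cleanup label that `goto free_nskb;` should jump to. The allocation site lies outside this hunk, so this is inferred from the function's shape rather than confirmed; the old branches returned the same way, so it is a pre-existing leak the rewrite of this line could close. The new tarpit_tcp6 in patch 5 repeats the same `return;` after its tarpit_generic call, where the skb_copy_expand allocation is visible above it. tarpit_tcp starts and ends outside the hunk.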
-- 
1.7.0.4



* [PATCH v2 5/6] netfilter: tarpit: Add IPv6 support
From: Josh Hunt @ 2012-07-08 18:11 UTC (permalink / raw)
  To: jengelh, netfilter-devel; +Cc: Josh Hunt

This adds IPv6 support for the tarpit target. It performs the same
functionality as the v4 version, but with IPv6 connections.

Signed-off-by: Josh Hunt <johunt@akamai.com>
---
 extensions/xt_TARPIT.c |  211 ++++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 197 insertions(+), 14 deletions(-)

diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
index 528c012..22d0768 100644
--- a/extensions/xt_TARPIT.c
+++ b/extensions/xt_TARPIT.c
@@ -51,6 +51,12 @@
 #include "compat_xtables.h"
 #include "xt_TARPIT.h"
 
+#include <net/ipv6.h>
+#include <linux/netfilter_ipv6.h>
+#include <net/ip6_route.h>
+#include <net/ip6_checksum.h>
+#include <net/addrconf.h>
+
 static bool xttarpit_tarpit(struct tcphdr *oth, struct tcphdr *tcph) {
 
 	/* No replies for RST, FIN or !SYN,!ACK */
@@ -167,7 +173,7 @@ static bool tarpit_generic(struct tcphdr *oth, struct tcphdr *tcph, uint16_t pay
 	return true;
 }
 
-static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
+static void tarpit_tcp4(struct sk_buff *oldskb, unsigned int hook,
     unsigned int mode)
 {
 	struct tcphdr _otcph, *oth, *tcph;
@@ -297,8 +303,131 @@ static void tarpit_tcp(struct sk_buff *oldskb, unsigned int hook,
 	kfree_skb(nskb);
 }
 
+static void tarpit_tcp6(struct sk_buff *oldskb, unsigned int hook,
+	unsigned int mode)
+{
+	struct sk_buff *nskb;
+	struct tcphdr *tcph, oth;
+	unsigned int otcplen;
+	int tcphoff;
+	const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
+	struct ipv6hdr *ip6h;
+#define DEFAULT_TOS_VALUE       0x0U
+	const __u8 tclass = DEFAULT_TOS_VALUE;
+	u8 proto;
+	uint16_t payload;
+
+	proto = oip6h->nexthdr;
+	tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto);
+
+	if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
+		pr_debug("Cannot get TCP header.\n");
+		return;
+	}
+
+	otcplen = oldskb->len - tcphoff;
+	
+	/* IP header checks: fragment, too short. */
+	if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
+		pr_debug("proto(%d) != IPPROTO_TCP, "
+			 "or too short. otcplen = %d\n",
+			 proto, otcplen);
+		return;
+	}
+
+	if (skb_copy_bits(oldskb, tcphoff, &oth, sizeof(struct tcphdr)))
+		BUG();
+
+	/* Check checksum. */
+	if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
+				skb_checksum(oldskb, tcphoff, otcplen, 0))) {
+		pr_debug("TCP checksum is invalid\n");
+		return;
+	}
+
+	nskb = skb_copy_expand(oldskb, LL_MAX_HEADER,
+	skb_tailroom(oldskb), GFP_ATOMIC);
+	if (!nskb) {
+		if (net_ratelimit())
+			pr_debug("cannot alloc skb\n");
+		return;
+	}
+
+	/* This packet will not be the same as the other: clear nf fields */
+	nf_reset(nskb);
+	skb_nfmark(nskb) = 0;
+	skb_init_secmark(nskb);
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
+	skb_shinfo(nskb)->gso_size = 0;
+	skb_shinfo(nskb)->gso_segs = 0;
+	skb_shinfo(nskb)->gso_type = 0;
+#endif
+
+	skb_put(nskb, sizeof(struct ipv6hdr));
+	ip6h = ipv6_hdr(nskb);
+	*(__be32 *)ip6h =  htonl(0x60000000 | (tclass << 20));
+	ip6h->nexthdr = IPPROTO_TCP;
+	ipv6_addr_copy(&ip6h->saddr, &oip6h->daddr);
+	ipv6_addr_copy(&ip6h->daddr, &oip6h->saddr);
+
+	/* Adjust IP TTL */
+	if (mode == XTTARPIT_HONEYPOT)
+		ip6h->hop_limit = 128;
+	else
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 26)
+		ip6h->hop_limit = ip6_dst_hoplimit(skb_dst(nskb));
+#else
+		ip6h->hop_limit = dst_metric(dst, RTAX_HOPLIMIT);
+		if (ip6h->hop_limit < 0)
+		ip6h->hop_limit = ipv6_get_hoplimit((skb_dst(nskb))->dev).
+#endif
+
+	tcph = (struct tcphdr *)(skb_network_header(nskb) + sizeof(struct ipv6hdr));
+
+	/* Truncate to length (no data) */
+	skb_trim(nskb, sizeof(struct ipv6hdr) + sizeof(struct tcphdr));
+	tcph->doff = sizeof(struct tcphdr)/4;
+	tcph->source = oth.dest;
+	tcph->dest = oth.source;
+
+	tcph->urg_ptr = 0;
+	/* Reset flags */
+	((u_int8_t *)tcph)[13] = 0;
+
+	payload = nskb->len - sizeof(struct ipv6hdr) - sizeof(struct tcphdr);
+	
+	if (!tarpit_generic(&oth, tcph, payload, mode))
+		return;
+	
+	ip6h->payload_len = htons(sizeof(struct tcphdr));
+	tcph->check = 0;
+	
+	/* Adjust TCP checksum */
+	tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
+					&ipv6_hdr(nskb)->daddr,
+					sizeof(struct tcphdr), IPPROTO_TCP,
+					csum_partial(tcph,
+					sizeof(struct tcphdr), 0));
+
+	if (ip6_route_me_harder(nskb))
+		goto free_nskb;
+
+	nskb->ip_summed = CHECKSUM_NONE;
+
+	nf_ct_attach(nskb, oldskb);
+
+	NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
+	skb_dst(nskb)->dev, dst_output);
+	return;
+
+free_nskb:
+	kfree_skb(nskb);
+
+}
+
 static unsigned int
-tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
+tarpit_tg4(struct sk_buff **pskb, const struct xt_action_param *par)
 {
 	const struct sk_buff *skb = *pskb;
 	const struct iphdr *iph = ip_hdr(skb);
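Review bot: `payload` is computed only after `skb_trim(nskb, sizeof(struct ipv6hdr) + sizeof(struct tcphdr));` has already cut nskb down to the two headers, so `nskb->len - sizeof(struct ipv6hdr) - sizeof(struct tcphdr)` is always 0 and the honeypot's `payload > 100` branch can never fire for IPv6; move the `payload = …` assignment above the skb_trim call. The pre-2.6.26 `#else` branch of the hop-limit selection cannot compile as written: `dst` is not declared in tarpit_tcp6, `ip6h->hop_limit < 0` is never true for a u8, and the last statement ends in `.` rather than `;` — if that kernel range is not supported by this module the branch should go, otherwise it needs `skb_dst(nskb)` and a real fallback. `otcplen` is unsigned int, so the pr_debug format should use `%u` rather than `%d`. The `#define DEFAULT_TOS_VALUE` inside the function body and the `skb_tailroom(oldskb), GFP_ATOMIC);` continuation at column 0 are style points the v4 function does not share.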
@@ -329,29 +458,82 @@ tarpit_tg(struct sk_buff **pskb, const struct xt_action_param *par)
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
 
-	tarpit_tcp(*pskb, par->hooknum, info->variant);
+	tarpit_tcp4(*pskb, par->hooknum, info->variant);
+	return NF_DROP;
+}
+
+
+static unsigned int
+tarpit_tg6(struct sk_buff **pskb, const struct xt_action_param *par)
+{
+	const struct sk_buff *skb = *pskb;
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
+	const struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
+	const struct xt_tarpit_tginfo *info = par->targinfo;
+	u8	proto;
+	
+	/* Do we have an input route cache entry? (Not in PREROUTING.) */
+	if (rt == NULL) {
+		pr_debug("Dropping no input route cache entry\n");
+		return NF_DROP;
+	}
+	
+	/* No replies to physical multicast/broadcast */
+	/* skb != PACKET_OTHERHOST handled by ip_rcv() */
+	if (skb->pkt_type != PACKET_HOST) {
+		pr_debug("type != PACKET_HOST");
+		return NF_DROP;
+	}
+	
+	/*
+	* Our naive response construction does not deal with IP
+	* options, and probably should not try.
+	*/
+	proto = iph->nexthdr;
+	if (ipv6_skip_exthdr(skb, skb_network_header_len(skb), &proto) != sizeof(struct ipv6hdr))
+		return NF_DROP;
+	
+	if ((!(ipv6_addr_type(&iph->saddr) & IPV6_ADDR_UNICAST)) ||
+	    (!(ipv6_addr_type(&iph->daddr) & IPV6_ADDR_UNICAST))) {
+		pr_debug("addr is not unicast.\n");
+		return NF_DROP;
+	}
+	
+	tarpit_tcp6(*pskb, par->hooknum, info->variant);
 	return NF_DROP;
 }
 
-static struct xt_target tarpit_tg_reg __read_mostly = {
-	.name       = "TARPIT",
-	.revision   = 0,
-	.family     = NFPROTO_IPV4,
-	.hooks      = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
-	.proto      = IPPROTO_TCP,
-	.target     = tarpit_tg,
-	.targetsize = sizeof(struct xt_tarpit_tginfo),
-	.me         = THIS_MODULE,
+static struct xt_target tarpit_tg_reg[] __read_mostly = {
+	{
+		.name       = "TARPIT",
+		.revision   = 0,
+		.family     = NFPROTO_IPV4,
+		.hooks      = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
+		.proto      = IPPROTO_TCP,
+		.target     = tarpit_tg4,
+		.targetsize = sizeof(struct xt_tarpit_tginfo),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "TARPIT",
+		.revision   = 0,
+		.family     = NFPROTO_IPV6,
+		.hooks      = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
+		.proto      = IPPROTO_TCP,
+		.target     = tarpit_tg6,
+		.targetsize = sizeof(struct xt_tarpit_tginfo),
+		.me         = THIS_MODULE,
+	},
 };
 
 static int __init tarpit_tg_init(void)
 {
-	return xt_register_target(&tarpit_tg_reg);
+	return xt_register_targets(tarpit_tg_reg, ARRAY_SIZE(tarpit_tg_reg));
 }
 
 static void __exit tarpit_tg_exit(void)
 {
-	xt_unregister_target(&tarpit_tg_reg);
+	xt_unregister_targets(tarpit_tg_reg, ARRAY_SIZE(tarpit_tg_reg));
 }
 
 module_init(tarpit_tg_init);
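Review bot: `pr_debug("type != PACKET_HOST");` is missing its trailing `\n`, unlike the other debug messages in tarpit_tg6. The extension-header check starts from `skb_network_header_len(skb)` while tarpit_tcp6 computes the same offset as `(u8*)(oip6h+1) - oldskb->data`; the result here is compared against `sizeof(struct ipv6hdr)`, so the two call sites should presumably use that constant as the start offset, which also makes the check independent of whether the transport header has been set at this hook. The comment above it still says "IP options", which for IPv6 means extension headers; `/* Our naive response construction does not deal with IPv6 extension headers, and probably should not try. */` reads correctly. `rt` is only compared with NULL, so the cast to `struct rt6_info *` is unnecessary; `if (skb_dst(skb) == NULL)` says the same thing.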
@@ -360,3 +542,4 @@ MODULE_DESCRIPTION("Xtables: \"TARPIT\", capture and hold TCP connections");
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TARPIT");
+MODULE_ALIAS("ip6t_TARPIT");
-- 
1.7.0.4



* [PATCH v2 6/6] netfilter: tarpit: Enable IPv6 userspace support
From: Josh Hunt @ 2012-07-08 18:11 UTC (permalink / raw)
  To: jengelh, netfilter-devel; +Cc: Josh Hunt

Enables userspace IPv6 tarpit support.

Signed-off-by: Josh Hunt <johunt@akamai.com>
---
 extensions/libxt_TARPIT.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_TARPIT.c b/extensions/libxt_TARPIT.c
index 59c190f..6b65b09 100644
--- a/extensions/libxt_TARPIT.c
+++ b/extensions/libxt_TARPIT.c
@@ -106,7 +106,7 @@ static void tarpit_tg_save(const void *ip,
 static struct xtables_target tarpit_tg_reg = {
 	.version       = XTABLES_VERSION,
 	.name          = "TARPIT",
-	.family        = NFPROTO_IPV4,
+	.family        = NFPROTO_UNSPEC,
 	.size          = XT_ALIGN(sizeof(struct xt_tarpit_tginfo)),
 	.userspacesize = XT_ALIGN(sizeof(struct xt_tarpit_tginfo)),
 	.help          = tarpit_tg_help,
-- 
1.7.0.4



* Re: [PATCH v2 5/6] netfilter: tarpit: Add IPv6 support
From: Jan Engelhardt @ 2012-07-08 19:36 UTC (permalink / raw)
  To: Josh Hunt; +Cc: netfilter-devel

On Sunday 2012-07-08 20:11, Josh Hunt wrote:

>This adds IPv6 support for the tarpit target. It performs the same
>functionality as the v4 version, but with IPv6 connections.

I have applied the rest so far; see the "tarpit6" branch of the git 
repository,

I have applied the rest so far, with minor modifications regarding 
style. See the "tarpit6" branch of the git repository.

This patch 5 does not compile for Linuxes >= v3.3 due to new arguments 
to ipv6_skip_exthdr and the removal of ipv6_addr_copy. Please send an 
additional patch on top to make it work with Linux 3.5(-rc). There will 
be no need to add #ifdefs for 3.3ish, because compat_xtables* already 
takes care of that mostly.




* Re: [PATCH v2 5/6] netfilter: tarpit: Add IPv6 support
From: Josh Hunt @ 2012-07-09 14:02 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On 07/08/2012 02:36 PM, Jan Engelhardt wrote:
> On Sunday 2012-07-08 20:11, Josh Hunt wrote:
>
>> This adds IPv6 support for the tarpit target. It performs the same
>> functionality as the v4 version, but with IPv6 connections.
>
> I have applied the rest so far; see the "tarpit6" branch of the git
> repository,
>
> I have applied the rest so far, with minor modifications regarding
> style. See the "tarpit6" branch of the git repository.
>
> This patch 5 does not compile for Linuxes >= v3.3 due to new arguments
> to ipv6_skip_exthdr and the removal of ipv6_addr_copy. Please send an
> additional patch on top to make it work with Linux 3.5(-rc). There will
> be no need to add #ifdefs for 3.3ish, because compat_xtables* already
> takes care of that mostly.
>
>
Jan

I just sent a patch doing what you've requested above against the 
tarpit6 branch, and it builds fine now with Linus' latest git. However, 
I did not see the compat layer stuff to keep me from needing #ifdefs. 
Perhaps I wasn't looking in the right spot.

Also, please let me know if there are any issues with the libxt patch. I 
did not see it in the tarpit6 branch.

Josh



* Re: [PATCH v2 5/6] netfilter: tarpit: Add IPv6 support
From: Jan Engelhardt @ 2012-07-09 16:58 UTC (permalink / raw)
  To: Josh Hunt; +Cc: netfilter-devel


On Monday 2012-07-09 16:02, Josh Hunt wrote:
>On 07/08/2012 02:36 PM, Jan Engelhardt wrote:
>
>I just sent a patch doing what you've requested above against the
>tarpit6 branch, and it builds fine now with Linus' latest git.
>However, I did not see the compat layer stuff to keep me from
>neededing #ifdefs. Perhaps I wasn't looking in the right spot.

I thought I had added it, but that was xtnu_ipv6_find_hdr.
For TARPIT I had to add xtnu_ipv6_skip_exthdr, and did so now.

>Also, please let me know if there are any issues with the libxt
>patch. I did not see it in the tarpit6 branch.

I held it off; this is now all merged.


* Re: [PATCH v2 5/6] netfilter: tarpit: Add IPv6 support
From: Josh Hunt @ 2012-07-09 17:28 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On 07/09/2012 11:58 AM, Jan Engelhardt wrote:
>
> On Monday 2012-07-09 16:02, Josh Hunt wrote:
>> On 07/08/2012 02:36 PM, Jan Engelhardt wrote:
>>
>> I just sent a patch doing what you've requested above against the
>> tarpit6 branch, and it builds fine now with Linus' latest git.
>> However, I did not see the compat layer stuff to keep me from
>> neededing #ifdefs. Perhaps I wasn't looking in the right spot.
>
> I thought I had added it, but that was xtnu_ipv6_find_hdr.
> For TARPIT I had to add xtnu_ipv6_skip_exthdr, and did so now.

Cool, thanks.

>
>> Also, please let me know if there are any issues with the libxt
>> patch. I did not see it in the tarpit6 branch.
>
> I held it off; this is now all merged.
>

Awesome, thanks!

I know this just got accepted to xtables-addons, but I was wondering 
what the process is to possibly get this merged into Linus' tree? I know 
I've seen some things go from xtables-addons to his tree, xt_TEE comes 
to mind. Is tarpitting (the concept) something that would be accepted?

Josh


* Re: [PATCH v2 5/6] netfilter: tarpit: Add IPv6 support
From: Jan Engelhardt @ 2012-07-09 18:46 UTC (permalink / raw)
  To: Josh Hunt; +Cc: netfilter-devel


On Monday 2012-07-09 19:28, Josh Hunt wrote:
>> I held it off; this is now all merged.
>
> Awesome, thanks!
>
> I know this just got accepted to xtables-addons, but I was wondering what the
> process is to possibly get this merged into Linus' tree?

You send the files that are in xtables-addons to whoever is taking care
of the Linux kernel business (currently that seems to be Pablo), of course
in a form that is acceptable for the Linux kernel (i.e. minus xtables-addons
lines).

>I know I've seen some things go from xtables-addons to his tree,
>xt_TEE comes to mind. Is tarpitting (the concept) something that
>would be accepted?

It certainly seems well-desired by $users. And normally, inclusion
is to follow demand (that's how squashfs got in, IIRC). Expect
to defend your case when making it upstream. Solicit more "we want
this opinions" :)


* Re: [PATCH v2 5/6] netfilter: tarpit: Add IPv6 support
From: Josh Hunt @ 2012-07-09 19:05 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On 07/09/2012 01:46 PM, Jan Engelhardt wrote:

> You send the files that are in xtables-addons to whoever is taking care
> of the Linux kernel business (currently that seems to be Pablo), of course
> in a form that is acceptable for the Linux kernel (i.e. minus xtables-addons
> lines).

Thanks yeah I wasn't sure if there was a natural progression from addons 
to mainline. Figured I'd ask.

>
> It certainly seems well-desired by $users. And normally, inclusion
> is to follow demand (that's how squashfs got in, IIRC). Expect
> to defend your case when making it upstream. Solicit more "we want
> this opinions" :)
>

Sounds good. Thanks for all your help Jan.

Josh



* Re: [PATCH v2 5/6] netfilter: tarpit: Add IPv6 support
From: Maciej Żenczykowski @ 2012-07-09 20:22 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Josh Hunt, netfilter-devel

We want this ;-)

On Mon, Jul 9, 2012 at 11:46 AM, Jan Engelhardt <jengelh@inai.de> wrote:
>
> On Monday 2012-07-09 19:28, Josh Hunt wrote:
>>> I held it off; this is now all merged.
>>
>> Awesome, thanks!
>>
>> I know this just got accepted to xtables-addons, but I was wondering what the
>> process is to possibly get this merged into Linus' tree?
>
> You send the files that are in xtables-addons to whoever is taking care
> of the Linux kernel business (currently that seems to be Pablo), of course
> in a form that is acceptable for the Linux kernel (i.e. minus xtables-addons
> lines).
>
>>I know I've seen some things go from xtables-addons to his tree,
>>xt_TEE comes to mind. Is tarpitting (the concept) something that
>>would be accepted?
>
> It certainly seems well-desired by $users. And normally, inclusion
> is to follow demand (that's how squashfs got in, IIRC). Expect
> to defend your case when making it upstream. Solicit more "we want
> this opinions" :)
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

