* RE: Kernel 4.1.0 broke the TARPIT & DELUGE targets in xtables-addons-2.6
From: Alexander Petrenas @ 2015-06-23 10:44 UTC
To: 'Florian Westphal'; +Cc: netfilter-devel
Thanks a lot, that works like a charm!
Here are diff patches for your convenience. They probably should be submitted to xtables-addons ASAP, so people's firewalls can continue filtering & tarpitting instead of accepting...
#diff -u xt_TARPIT.orig.c xt_TARPIT.c
--- xt_TARPIT.orig.c 2015-06-23 13:31:04.406533833 +0300
+++ xt_TARPIT.c 2015-06-23 13:24:03.103202214 +0300
@@ -250,7 +250,7 @@
#ifdef CONFIG_BRIDGE_NETFILTER
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
- nskb->nf_bridge->mask & BRNF_BRIDGED))
+ nskb->nf_bridge->physoutdev))
#else
if (hook != NF_INET_FORWARD)
#endif
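Review bot: the new test on the added line, "nskb->nf_bridge->physoutdev))", relies on implicit pointer truthiness while the line above it compares explicitly with "!= NULL"; writing "nskb->nf_bridge->physoutdev != NULL" keeps both halves of the condition in one style and makes it plain that a pointer, no longer a flag bit, is being tested. A short comment saying that a set physoutdev stands in for the removed BRNF_BRIDGED flag would help the next reader.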
@@ -279,7 +279,7 @@
nf_ct_attach(nskb, oldskb);
- NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
+ NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
skb_dst(nskb)->dev, dst_output);
return;
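Review bot: the callback on the unchanged context line, "skb_dst(nskb)->dev, dst_output);", is left as it was although NF_HOOK gains an argument on the line above; Jan Engelhardt's reply in this thread says dst_output also has to become dst_output_sk, and the follow-up message reports the server going dead once a TARPIT rule is added. Both lines of the call should change together, and the build output should be checked for warnings at this call site before the patch is submitted.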
@@ -394,7 +394,7 @@
nf_ct_attach(nskb, oldskb);
- NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
+ NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
skb_dst(nskb)->dev, dst_output);
return;
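Review bot: this IPv6 call is rewritten unconditionally, so the module would stop building against pre-4.1 kernels, where the six-argument form being removed here was the one that compiled; if older kernels are to stay supported, keep both forms behind a kernel-version check such as "#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)". The unchanged dst_output on the context line needs the same dst_output_sk change as the IPv4 call.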
# diff -u xt_DELUDE.orig.c xt_DELUDE.c
--- xt_DELUDE.orig.c 2015-06-23 13:30:57.166533864 +0300
+++ xt_DELUDE.c 2015-06-23 13:28:11.046534539 +0300
@@ -107,7 +107,7 @@
addr_type = RTN_UNSPEC;
#ifdef CONFIG_BRIDGE_NETFILTER
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
- nskb->nf_bridge->mask & BRNF_BRIDGED))
+ nskb->nf_bridge->physoutdev))
#else
if (hook != NF_INET_FORWARD)
#endif
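Review bot: the condition changed here is a line-for-line copy of the one patched in xt_TARPIT.c, so one kernel change had to be fixed in two files; moving the bridge test into a single shared helper would leave one place to update next time. As in xt_TARPIT.c, "nskb->nf_bridge->physoutdev != NULL" would read more clearly than the bare pointer.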
Yours, Alexander Petrenas.
> -----Original Message-----
> From: netfilter-devel-owner@vger.kernel.org [mailto:netfilter-devel-owner@vger.kernel.org] On Behalf Of Florian Westphal
> Sent: Tuesday, June 23, 2015 12:40 PM
> To: Alexander Petrenas
> Cc: netfilter-devel@vger.kernel.org
>
> > Netfilter changes in the recent 4.1.0 kernel update included removal of the BRNF_BRIDGED flag:
> >
> > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=40451fd013878b005ccae767dfebc07dfecf85d9
> >
> > Unfortunately, getting rid of BRNF_BRIDGED flag broke the xtables-addons-2.6 package, which now fails to build TARPIT & DELUGE targets with the following errors:
> >
> > xtables-addons-2.6/extensions/xt_TARPIT.c:253:30: error: ‘BRNF_BRIDGED’ undeclared (first use in this function)
> > nskb->nf_bridge->mask & BRNF_BRIDGED))
> > ^
> >
> > xtables-addons-2.6/extensions/xt_TARPIT.c:282:2: error: too few arguments to function ‘NF_HOOK’
> > NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
> > ^
>
> NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
>
> > xtables-addons-2.6/extensions/xt_TARPIT.c:397:2: error: too few arguments to function ‘NF_HOOK’
> > NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
>
> NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
>
> >
> > #ifdef CONFIG_BRIDGE_NETFILTER
> > if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
> > nskb->nf_bridge->mask & BRNF_BRIDGED))
> > #else
>
> if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
> nskb->nf_bridge->physoutdev))
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* RE: Kernel 4.1.0 broke the TARPIT & DELUGE targets in xtables-addons-2.6
From: Alexander Petrenas @ 2015-06-23 11:17 UTC
To: 'Florian Westphal'; +Cc: netfilter-devel
Well, unfortunately, you should disregard the part of the previous message about submitting it to xtables-addons ASAP.
While the modules compiled without errors, actually applying an iptables TARPIT rule results in a connection loss, the nature of which I unfortunately cannot describe at the moment (I was trying to apply the update to a remote server without KVM). It kind of looks like a kernel panic though - no messages are written to any logs after adding the TARPIT rule - the server just goes dead.
I guess more research is needed on the matter, I'll try to run some tests on a local machine & post the results.
Yours, Alexander Petrenas.
* RE: Kernel 4.1.0 broke the TARPIT & DELUGE targets in xtables-addons-2.6
From: Jan Engelhardt @ 2015-07-06 3:45 UTC
To: Alexander Petrenas; +Cc: 'Florian Westphal', netfilter-devel
On Tuesday 2015-06-23 13:17, Alexander Petrenas wrote:
>Well, unfortunately, you should disregard the part of the previous message about submitting it to xtables-addons ASAP.
>
>While the modules compiled without errors, actually applying an iptables TARPIT rule results in a connection loss, the nature of which I unfortunately cannot describe at the moment (I was trying to apply the update to a remote server without KVM). It kind of looks like a kernel panic though - no messages are written to any logs after adding the TARPIT rule - the server just goes dead.
>
>I guess more research is needed on the matter, I'll try to run some tests on a local machine & post the results.
Yeah, you need to also change dst_output to dst_output_sk.
Don't just ignore compiler warnings!
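Added example, not part of the thread or of xtables-addons: a userspace C model of how the patched call can build and still fail when NF_HOOK gets its new NULL argument but keeps dst_output as the callback. Only the names NF_HOOK, dst_output and dst_output_sk come from the messages above; the struct layouts, function bodies, MODEL_FAULT, nf_hook_model, dst_output_as_okfn and the send_* helpers are assumptions made for the model.

```c
#include <stdio.h>

/* Constructed stand-ins for the kernel types; only what the model needs. */
struct sock { int id; };
struct sk_buff { struct sock *sk; int len; };
typedef int (*okfn_t)(struct sock *, struct sk_buff *);

#define MODEL_FAULT (-1) /* stands for "would dereference a bad pointer" */

/* Two-argument output function named in the reply: socket, then packet. */
static int dst_output_sk(struct sock *sk, struct sk_buff *skb)
{
    (void)sk;
    return skb ? skb->len : MODEL_FAULT;
}

/* One-argument form the patch still passes; it has to read its skb. */
static int dst_output(struct sk_buff *skb)
{
    if (skb == NULL)           /* the model reports what would be a crash */
        return MODEL_FAULT;
    return dst_output_sk(skb->sk, skb);
}

/* Assumption: through the mismatched pointer the callee takes the caller's
 * first argument (sk) as its skb. Written as an explicit shim so that the
 * model itself stays well-defined C. */
static int dst_output_as_okfn(struct sock *sk, struct sk_buff *skb)
{
    (void)skb;
    return dst_output((struct sk_buff *)(void *)sk);
}

/* Model of the hook once the packet is accepted: it calls okfn(sk, skb). */
static int nf_hook_model(struct sock *sk, struct sk_buff *skb, okfn_t okfn)
{
    return okfn(sk, skb);
}

/* As patched in the thread: NULL socket added, callback left unchanged. */
int send_patched(struct sk_buff *nskb) { return nf_hook_model(NULL, nskb, dst_output_as_okfn); }
/* With the callback the reply asks for. */
int send_fixed(struct sk_buff *nskb) { return nf_hook_model(NULL, nskb, dst_output_sk); }

int main(void)
{
    struct sk_buff pkt = { NULL, 40 };   /* constructed packet */
    printf("patched=%d fixed=%d\n", send_patched(&pkt), send_fixed(&pkt));
    return 0;
}
```

In a real build the mismatch shows up only as an incompatible-pointer-type warning at the NF_HOOK call, which is the warning the reply says not to ignore.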
* Re: Kernel 4.1.0 broke the TARPIT & DELUGE targets in xtables-addons-2.6
From: Florian Westphal @ 2015-06-23 9:39 UTC
To: Alexander Petrenas; +Cc: netfilter-devel
Alexander Petrenas <zeracles@zeracles.net.ru> wrote:
> Netfilter changes in the recent 4.1.0 kernel update included removal of the BRNF_BRIDGED flag:
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=40451fd013878b005ccae767dfebc07dfecf85d9
>
> Unfortunately, getting rid of BRNF_BRIDGED flag broke the xtables-addons-2.6 package, which now fails to build TARPIT & DELUGE targets with the following errors:
>
> xtables-addons-2.6/extensions/xt_TARPIT.c:253:30: error: ‘BRNF_BRIDGED’ undeclared (first use in this function)
> nskb->nf_bridge->mask & BRNF_BRIDGED))
> ^
>
> xtables-addons-2.6/extensions/xt_TARPIT.c:282:2: error: too few arguments to function ‘NF_HOOK’
> NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
> ^
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
> xtables-addons-2.6/extensions/xt_TARPIT.c:397:2: error: too few arguments to function ‘NF_HOOK’
> NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
same
> My kernel hacking skills are non-existent (as well as my C skills), so I expectedly failed to come up with any patch that would replace BRNF_BRIDGED flag with nf_bridge->physoutdev in the following xt_TARPIT.c code:
>
> #ifdef CONFIG_BRIDGE_NETFILTER
> if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
> nskb->nf_bridge->mask & BRNF_BRIDGED))
> #else
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->physoutdev))
* Kernel 4.1.0 broke the TARPIT & DELUGE targets in xtables-addons-2.6
From: Alexander Petrenas @ 2015-06-22 21:40 UTC
To: netfilter-devel
Hi!
Netfilter changes in the recent 4.1.0 kernel update included removal of the BRNF_BRIDGED flag:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=40451fd013878b005ccae767dfebc07dfecf85d9
Unfortunately, getting rid of BRNF_BRIDGED flag broke the xtables-addons-2.6 package, which now fails to build TARPIT & DELUGE targets with the following errors:
xtables-addons-2.6/extensions/xt_TARPIT.c:253:30: error: ‘BRNF_BRIDGED’ undeclared (first use in this function)
nskb->nf_bridge->mask & BRNF_BRIDGED))
^
xtables-addons-2.6/extensions/xt_TARPIT.c:282:2: error: too few arguments to function ‘NF_HOOK’
NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
^
xtables-addons-2.6/extensions/xt_TARPIT.c:397:2: error: too few arguments to function ‘NF_HOOK’
NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
^
scripts/Makefile.build:264: recipe for target 'xtables-addons-2.6/work/xtables-addons-2.6/extensions/xt_TARPIT.o' failed
My kernel hacking skills are non-existent (as well as my C skills), so I expectedly failed to come up with any patch that would replace BRNF_BRIDGED flag with nf_bridge->physoutdev in the following xt_TARPIT.c code:
#ifdef CONFIG_BRIDGE_NETFILTER
if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
nskb->nf_bridge->mask & BRNF_BRIDGED))
#else
http://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/extensions/xt_TARPIT.c#l253
Can someone please show me how it can be fixed? (and hopefully update xtables package with the fix?)
Yours, Alexander Petrenas.