Mailing List Archive

(Again, CC me in replies) Hm, it seems I jumped the gun, now I get this
in make modules.

ERROR: "secure_tcp_sequence_number" [net/ipv4/netfilter/ipt_TARPIT.ko]
undefined!
make[1]: *** [__modpost] Error 1
make: *** [modules] Error 2

And... it seems that function was unexported from the kernel circa March
2007 because "no one was using it." Bleh. I re-exported it (it was in
drivers/char/random.c), recompiled and all seems well now. What's the
long-term solution for that? Begging the kernel people to re-export the
function? Using an alternative to that function?

Juan Carlos Castro y Castro escreveu:
> Please CC me as I'm not on the list. Here attached is a patch that I
> made to make pom-ng ipt_TARPIT.c compile under kernel 2.6.22+. It is
> against the latest SVN version as of now. Please tell me if this
> should be submitted in another fashion.
>
> I inspired myself in a patch I saw for Gentoo vmware-modules here:
> http://bugs.gentoo.org/show_bug.cgi?id=182595
> ------------------------------------------------------------------------
>
> --- patchlets/TARPIT/linux-2.6/net/ipv4/netfilter/ipt_TARPIT.c 2007-08-01 20:08:12.000000000 -0300
> +++ patchlets/TARPIT/linux-2.6/net/ipv4/netfilter/ipt_TARPIT.c.new 2007-08-01 21:30:12.000000000 -0300
> @@ -84,12 +84,22 @@
> u_int16_t tmp;
>
> /* A truncated TCP header isn't going to be useful */
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
> + if (oskb->len < (((struct iphdr *)skb_network_header(oskb))->ihl*4) + sizeof(struct tcphdr))
> +#else
> if (oskb->len < (oskb->nh.iph->ihl*4) + sizeof(struct tcphdr))
> +#endif
> return;
>
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
> + otcph = (struct tcphdr *)((u_int32_t*)((struct iphdr *)skb_network_header(oskb))
> + + ((struct iphdr *)skb_network_header(oskb))->ihl);
> + otcplen = oskb->len - ((struct iphdr *)skb_network_header(oskb))->ihl*4;
> +#else
> otcph = (struct tcphdr *)((u_int32_t*)oskb->nh.iph
> + oskb->nh.iph->ihl);
> otcplen = oskb->len - oskb->nh.iph->ihl*4;
> +#endif
>
> /* No replies for RST or FIN */
> if (otcph->rst || otcph->fin)
> @@ -100,9 +110,15 @@
> return;
>
> /* Check checksum. */
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
> + if (tcp_v4_check(otcplen, ((struct iphdr *)skb_network_header(oskb))->saddr,
> + ((struct iphdr *)skb_network_header(oskb))->daddr,
> + csum_partial((char *)otcph, otcplen, 0)) != 0)
> +#else
> if (tcp_v4_check(otcplen, oskb->nh.iph->saddr,
> oskb->nh.iph->daddr,
> csum_partial((char *)otcph, otcplen, 0)) != 0)
> +#endif
> return;
>
> /* Copy skb (even if skb is about to be dropped, we can't just
> @@ -119,25 +135,48 @@
> nskb->nf_debug = 0;
> #endif
>
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
> + ntcph = (struct tcphdr *)((u_int32_t*)((struct iphdr *)skb_network_header(nskb)) +
> + ((struct iphdr *)skb_network_header(nskb))->ihl);
> +#else
> ntcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
> +#endif
>
> /* Truncate to length (no data) */
> ntcph->doff = sizeof(struct tcphdr)/4;
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
> + skb_trim(nskb, ((struct iphdr *)skb_network_header(nskb))->ihl*4 + sizeof(struct tcphdr));
> + ((struct iphdr *)skb_network_header(nskb))->tot_len = htons(nskb->len);
> +#else
> skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
> nskb->nh.iph->tot_len = htons(nskb->len);
> +#endif
>
> /* Swap source and dest */
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
> + ((struct iphdr *)skb_network_header(nskb))->daddr =
> + xchg(&((struct iphdr *)skb_network_header(nskb))->saddr, ((struct iphdr *)skb_network_header(nskb))->daddr);
> +#else
> nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
> +#endif
> tmp = ntcph->source;
> ntcph->source = ntcph->dest;
> ntcph->dest = tmp;
>
> /* Use supplied sequence number or make a new one */
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
> + ntcph->seq = otcph->ack ? otcph->ack_seq
> + : htonl(secure_tcp_sequence_number(((struct iphdr *)skb_network_header(nskb))->saddr,
> + ((struct iphdr *)skb_network_header(nskb))->daddr,
> + ntcph->source,
> + ntcph->dest));
> +#else
> ntcph->seq = otcph->ack ? otcph->ack_seq
> : htonl(secure_tcp_sequence_number(nskb->nh.iph->saddr,
> nskb->nh.iph->daddr,
> ntcph->source,
> ntcph->dest));
> +#endif
>
> /* Our SYN-ACKs must have a >0 window */
> ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0;
> @@ -158,6 +197,17 @@
>
> /* Adjust TCP checksum */
> ntcph->check = 0;
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
> + ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
> + ((struct iphdr *)skb_network_header(nskb))->saddr,
> + ((struct iphdr *)skb_network_header(nskb))->daddr,
> + csum_partial((char *)ntcph,
> + sizeof(struct tcphdr), 0));
> +
> + fl.nl_u.ip4_u.daddr = ((struct iphdr *)skb_network_header(nskb))->daddr;
> + fl.nl_u.ip4_u.saddr = local ? ((struct iphdr *)skb_network_header(nskb))->saddr : 0;
> + fl.nl_u.ip4_u.tos = RT_TOS(((struct iphdr *)skb_network_header(nskb))->tos) | RTO_CONN;
> +#else
> ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
> nskb->nh.iph->saddr,
> nskb->nh.iph->daddr,
> @@ -167,6 +217,7 @@
> fl.nl_u.ip4_u.daddr = nskb->nh.iph->daddr;
> fl.nl_u.ip4_u.saddr = local ? nskb->nh.iph->saddr : 0;
> fl.nl_u.ip4_u.tos = RT_TOS(nskb->nh.iph->tos) | RTO_CONN;
> +#endif
> fl.oif = 0;
>
> if (ip_route_output_key(&nrt, &fl))
> @@ -175,6 +226,20 @@
> dst_release(nskb->dst);
> nskb->dst = &nrt->u.dst;
>
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22)
> + /* Adjust IP TTL */
> + ((struct iphdr *)skb_network_header(nskb))->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
> +
> + /* Set DF, id = 0 */
> + ((struct iphdr *)skb_network_header(nskb))->frag_off = htons(IP_DF);
> + ((struct iphdr *)skb_network_header(nskb))->id = 0;
> +
> + /* Adjust IP checksum */
> + ((struct iphdr *)skb_network_header(nskb))->check = 0;
> + ((struct iphdr *)skb_network_header(nskb))->check =
> + ip_fast_csum((unsigned char *)((struct iphdr *)skb_network_header(nskb)),
> + ((struct iphdr *)skb_network_header(nskb))->ihl);
> +#else
> /* Adjust IP TTL */
> nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
>
> @@ -186,6 +251,7 @@
> nskb->nh.iph->check = 0;
> nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
> nskb->nh.iph->ihl);
> +#endif
>
> /* "Never happens" */
> #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
> @@ -228,11 +294,19 @@
>
> /* Our naive response construction doesn't deal with IP
> options, and probably shouldn't try. */
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
> + if (((struct iphdr *)skb_network_header(skb))->ihl*4 != sizeof(struct iphdr))
> +#else
> if (skb->nh.iph->ihl*4 != sizeof(struct iphdr))
> +#endif
> return NF_DROP;
>
> /* We aren't interested in fragments */
> +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
> + if (((struct iphdr *)skb_network_header(skb))->frag_off & htons(IP_OFFSET))
> +#else
> if (skb->nh.iph->frag_off & htons(IP_OFFSET))
> +#endif
> return NF_DROP;
>
> tarpit_tcp(skb,rt,hooknum == NF_IP_LOCAL_IN);
>

On Aug 1 2007 21:38, Juan Carlos Castro y Castro wrote:
>
> Please CC me as I'm not on the list. Here attached is a patch that I made to
> make pom-ng ipt_TARPIT.c compile under kernel 2.6.22+. It is against the latest
> SVN version as of now. Please tell me if this should be submitted in another
> fashion.

See https://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028781.html
but I shall post an updated one.


Jan
--