xt_lscan: rename from xt_portscan
authorJan Engelhardt <jengelh@medozas.de>
Thu, 5 Mar 2009 00:43:29 +0000 (01:43 +0100)
committerJan Engelhardt <jengelh@medozas.de>
Thu, 5 Mar 2009 00:43:29 +0000 (01:43 +0100)
doc/changelog.txt
extensions/Kbuild
extensions/Mbuild
extensions/libxt_CHAOS.man
extensions/libxt_lscan.c [moved from extensions/libxt_portscan.c with 61% similarity]
extensions/libxt_lscan.man [moved from extensions/libxt_portscan.man with 90% similarity]
extensions/xt_lscan.Kconfig [moved from extensions/xt_portscan.Kconfig with 59% similarity]
extensions/xt_lscan.c [moved from extensions/xt_portscan.c with 81% similarity]
extensions/xt_lscan.h [new file with mode: 0644]
extensions/xt_portscan.h [deleted file]
mconfig

index 9c7e66852b2f0dea108a7d2209b19b3df4ddb501..6f68e8f8b03b162db6e8c5e6460474191472ff6f 100644 (file)
@@ -1,6 +1,8 @@
 
 
 - ipset: fix for compilation with 2.6.29-rt
+- rename xt_portscan to xt_lscan ("low-level scan") because
+  "portscan" as a wor caused confusion
 
 
 Xtables-addons 1.10 (February 18 2009)
index 25fa72f8d64b946cd59395b5e0b4a6fa435d22fb..7be640ff666a72dd86104dc9f1d16521b39d8c8c 100644 (file)
@@ -20,7 +20,7 @@ obj-${build_geoip}       += xt_geoip.o
 obj-${build_ipp2p}       += xt_ipp2p.o
 obj-${build_ipset}       += ipset/
 obj-${build_length2}     += xt_length2.o
-obj-${build_portscan}    += xt_portscan.o
+obj-${build_lscan}       += xt_lscan.o
 obj-${build_quota2}      += xt_quota2.o
 
 -include ${M}/*.Kbuild
index 05f64858c26b040c707fa69d3adbcf61ea14e8f4..c25d927e60778a7360fcd8032a208304d9192a55 100644 (file)
@@ -13,5 +13,5 @@ obj-${build_geoip}       += libxt_geoip.so
 obj-${build_ipp2p}       += libxt_ipp2p.so
 obj-${build_ipset}       += ipset/
 obj-${build_length2}     += libxt_length2.so
-obj-${build_portscan}    += libxt_portscan.so
+obj-${build_lscan}       += libxt_lscan.so
 obj-${build_quota2}      += libxt_quota2.so
index 0430c66e9b04199a2aff103b67bc7e26d864fe3d..d698c1b66d6d27ebaaf72a20a0f74f7014449eb6 100644 (file)
@@ -18,4 +18,4 @@ The randomness factor of not replying vs. replying can be set during load-time
 of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
 .PP
 See http://jengelh.medozas.de/projects/chaostables/ for more information
-about CHAOS, DELUDE and portscan.
+about CHAOS, DELUDE and lscan.
similarity index 61%
rename from extensions/libxt_portscan.c
rename to extensions/libxt_lscan.c
index f460e5a9d206b62b0ca7891427fc3451b514cd4d..0bcc226332d45de0362404011c57f7760e1a9ebd 100644 (file)
@@ -1,6 +1,6 @@
 /*
- *     "portscan" match extension for iptables
- *     Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2008
+ *     LSCAN match extension for iptables
+ *     Copyright © Jan Engelhardt <jengelh [at] medozas de>, 2006 - 2009
  *
  *     This program is free software; you can redistribute it and/or
  *     modify it under the terms of the GNU General Public License; either
@@ -16,9 +16,9 @@
 
 #include <xtables.h>
 #include <linux/netfilter/x_tables.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 
-static const struct option portscan_mt_opts[] = {
+static const struct option lscan_mt_opts[] = {
        {.name = "stealth", .has_arg = false, .val = 'x'},
        {.name = "synscan", .has_arg = false, .val = 's'},
        {.name = "cnscan",  .has_arg = false, .val = 'c'},
@@ -26,10 +26,10 @@ static const struct option portscan_mt_opts[] = {
        {NULL},
 };
 
-static void portscan_mt_help(void)
+static void lscan_mt_help(void)
 {
        printf(
-               "portscan match options:\n"
+               "lscan match options:\n"
                "(Combining them will make them match by OR-logic)\n"
                "  --stealth    Match TCP Stealth packets\n"
                "  --synscan    Match TCP SYN scans\n"
@@ -37,10 +37,10 @@ static void portscan_mt_help(void)
                "  --grscan     Match Banner Grabbing scans\n");
 }
 
-static int portscan_mt_parse(int c, char **argv, int invert,
+static int lscan_mt_parse(int c, char **argv, int invert,
     unsigned int *flags, const void *entry, struct xt_entry_match **match)
 {
-       struct xt_portscan_mtinfo *info = (void *)((*match)->data);
+       struct xt_lscan_mtinfo *info = (void *)((*match)->data);
 
        switch (c) {
        case 'c':
@@ -59,17 +59,17 @@ static int portscan_mt_parse(int c, char **argv, int invert,
        return false;
 }
 
-static void portscan_mt_check(unsigned int flags)
+static void lscan_mt_check(unsigned int flags)
 {
 }
 
-static void portscan_mt_print(const void *ip,
+static void lscan_mt_print(const void *ip,
     const struct xt_entry_match *match, int numeric)
 {
-       const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+       const struct xt_lscan_mtinfo *info = (const void *)(match->data);
        const char *s = "";
 
-       printf("portscan ");
+       printf("lscan ");
        if (info->match_stealth) {
                printf("STEALTH");
                s = ",";
@@ -87,9 +87,9 @@ static void portscan_mt_print(const void *ip,
        printf(" ");
 }
 
-static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
+static void lscan_mt_save(const void *ip, const struct xt_entry_match *match)
 {
-       const struct xt_portscan_mtinfo *info = (const void *)(match->data);
+       const struct xt_lscan_mtinfo *info = (const void *)(match->data);
 
        if (info->match_stealth)
                printf("--stealth ");
@@ -101,22 +101,22 @@ static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
                printf("--grscan ");
 }
 
-static struct xtables_match portscan_mt_reg = {
+static struct xtables_match lscan_mt_reg = {
        .version       = XTABLES_VERSION,
-       .name          = "portscan",
+       .name          = "lscan",
        .revision      = 0,
        .family        = AF_INET,
-       .size          = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-       .userspacesize = XT_ALIGN(sizeof(struct xt_portscan_mtinfo)),
-       .help          = portscan_mt_help,
-       .parse         = portscan_mt_parse,
-       .final_check   = portscan_mt_check,
-       .print         = portscan_mt_print,
-       .save          = portscan_mt_save,
-       .extra_opts    = portscan_mt_opts,
+       .size          = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+       .userspacesize = XT_ALIGN(sizeof(struct xt_lscan_mtinfo)),
+       .help          = lscan_mt_help,
+       .parse         = lscan_mt_parse,
+       .final_check   = lscan_mt_check,
+       .print         = lscan_mt_print,
+       .save          = lscan_mt_save,
+       .extra_opts    = lscan_mt_opts,
 };
 
-static __attribute__((constructor)) void portscan_mt_ldr(void)
+static __attribute__((constructor)) void lscan_mt_ldr(void)
 {
-       xtables_register_match(&portscan_mt_reg);
+       xtables_register_match(&lscan_mt_reg);
 }
similarity index 90%
rename from extensions/libxt_portscan.man
rename to extensions/libxt_lscan.man
index aaa162f6a0ffe8f237cb35bc100cf3dfc5826f76..a39867afd11c1f4c8f3a81198824849605bbddd8 100644 (file)
@@ -1,4 +1,5 @@
-Detects simple port scan attemps based upon the packet's contents. (This is
+Detects simple low-level scan attemps based upon the packet's contents.
+(This is
 different from other implementations, which also try to match the rate of new
 connections.) Note that an attempt is only discovered after it has been carried
 out, but this information can be used in conjunction with other rules to block
@@ -27,5 +28,5 @@ ports where a protocol runs that is guaranteed to do a bidirectional exchange
 of bytes.
 .PP
 NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
-so be advised to carefully use xt_portscan in conjunction with blocking rules,
+so be advised to carefully use xt_lscan in conjunction with blocking rules,
 as it may lock out your very own internal network.
similarity index 59%
rename from extensions/xt_portscan.Kconfig
rename to extensions/xt_lscan.Kconfig
index 566d9c315164dce30c10dd93dc1cb624d0a41575..a6879c648a1501ea2c6db3b7e27347492aeb431b 100644 (file)
@@ -1,8 +1,8 @@
-config NETFILTER_XT_MATCH_PORTSCAN
-       tristate '"portscan" target support'
+config NETFILTER_XT_MATCH_LSCAN
+       tristate '"lscan" match support'
        depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
        ---help---
-       The portscan match allows to match on the basic types of nmap
+       The LSCAN match allows to match on the basic types of nmap
        scans: Stealth Scan, SYN scan and connect scan. It can also match
        "grab-only" connections, i.e. where data flows in only one
        direction.
similarity index 81%
rename from extensions/xt_portscan.c
rename to extensions/xt_lscan.c
index 3b133aa497b427abcf239b04ca8833b23c2297e2..cf63a90c28c016933ef530d1b04aac4bae62ee9f 100644 (file)
@@ -1,6 +1,6 @@
 /*
- *     portscan match for netfilter
- *     Copyright © CC Computer Consultants GmbH, 2006 - 2008
+ *     LSCAN match for netfilter
+ *     Copyright © Jan Engelhardt, 2006 - 2009
  *
  *     This program is free software; you can redistribute it and/or modify
  *     it under the terms of the GNU General Public License; either version
@@ -17,8 +17,7 @@
 #include <linux/version.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_tcpudp.h>
-//#include <net/netfilter/nf_conntrack.h>
-#include "xt_portscan.h"
+#include "xt_lscan.h"
 #include "compat_xtables.h"
 #define PFX KBUILD_MODNAME ": "
 
@@ -103,8 +102,8 @@ static inline bool tflg_synack(const struct tcphdr *th)
               (TCP_FLAG_SYN | TCP_FLAG_ACK);
 }
 
-/* portscan functions */
-static inline bool portscan_mt_stealth(const struct tcphdr *th)
+/* lscan functions */
+static inline bool lscan_mt_stealth(const struct tcphdr *th)
 {
        /*
         * "Connection refused" replies to our own probes must not be matched.
@@ -126,7 +125,7 @@ static inline bool portscan_mt_stealth(const struct tcphdr *th)
        return !tflg_syn(th);
 }
 
-static inline unsigned int portscan_mt_full(int mark,
+static inline unsigned int lscan_mt_full(int mark,
     enum ip_conntrack_info ctstate, bool loopback, const struct tcphdr *tcph,
     unsigned int payload_len)
 {
@@ -172,9 +171,9 @@ static inline unsigned int portscan_mt_full(int mark,
 }
 
 static bool
-portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+lscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-       const struct xt_portscan_mtinfo *info = par->matchinfo;
+       const struct xt_lscan_mtinfo *info = par->matchinfo;
        enum ip_conntrack_info ctstate;
        const struct tcphdr *tcph;
        struct nf_conn *ctdata;
@@ -187,7 +186,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        /* Check for invalid packets: -m conntrack --ctstate INVALID */
        if ((ctdata = nf_ct_get(skb, &ctstate)) == NULL) {
                if (info->match_stealth)
-                       return portscan_mt_stealth(tcph);
+                       return lscan_mt_stealth(tcph);
                /*
                 * If @ctdata is NULL, we cannot match the other scan
                 * types, return.
@@ -196,7 +195,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        }
 
        /*
-        * If -m portscan was previously applied to this packet, the rules we
+        * If -m lscan was previously applied to this packet, the rules we
         * simulate must not be run through again. And for speedup, do not call
         * it either when the connection is already VALID.
         */
@@ -204,7 +203,7 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
             (skb_nfmark(skb) & packet_mask) != mark_seen) {
                unsigned int n;
 
-               n = portscan_mt_full(ctdata->mark & connmark_mask, ctstate,
+               n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
                    par->in == init_net__loopback_dev, tcph,
                    skb->len - par->thoff - 4 * tcph->doff);
 
@@ -217,9 +216,9 @@ portscan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
               (info->match_gr && ctdata->mark == mark_grscan);
 }
 
-static bool portscan_mt_check(const struct xt_mtchk_param *par)
+static bool lscan_mt_check(const struct xt_mtchk_param *par)
 {
-       const struct xt_portscan_mtinfo *info = par->matchinfo;
+       const struct xt_lscan_mtinfo *info = par->matchinfo;
 
        if ((info->match_stealth & ~1) || (info->match_syn & ~1) ||
            (info->match_cn & ~1) || (info->match_gr & ~1)) {
@@ -229,44 +228,44 @@ static bool portscan_mt_check(const struct xt_mtchk_param *par)
        return true;
 }
 
-static struct xt_match portscan_mt_reg[] __read_mostly = {
+static struct xt_match lscan_mt_reg[] __read_mostly = {
        {
-               .name       = "portscan",
+               .name       = "lscan",
                .revision   = 0,
                .family     = NFPROTO_IPV4,
-               .match      = portscan_mt,
-               .checkentry = portscan_mt_check,
-               .matchsize  = sizeof(struct xt_portscan_mtinfo),
+               .match      = lscan_mt,
+               .checkentry = lscan_mt_check,
+               .matchsize  = sizeof(struct xt_lscan_mtinfo),
                .proto      = IPPROTO_TCP,
                .me         = THIS_MODULE,
        },
        {
-               .name       = "portscan",
+               .name       = "lscan",
                .revision   = 0,
                .family     = NFPROTO_IPV6,
-               .match      = portscan_mt,
-               .checkentry = portscan_mt_check,
-               .matchsize  = sizeof(struct xt_portscan_mtinfo),
+               .match      = lscan_mt,
+               .checkentry = lscan_mt_check,
+               .matchsize  = sizeof(struct xt_lscan_mtinfo),
                .proto      = IPPROTO_TCP,
                .me         = THIS_MODULE,
        },
 };
 
-static int __init portscan_mt_init(void)
+static int __init lscan_mt_init(void)
 {
-       return xt_register_matches(portscan_mt_reg,
-              ARRAY_SIZE(portscan_mt_reg));
+       return xt_register_matches(lscan_mt_reg,
+              ARRAY_SIZE(lscan_mt_reg));
 }
 
-static void __exit portscan_mt_exit(void)
+static void __exit lscan_mt_exit(void)
 {
-       xt_unregister_matches(portscan_mt_reg, ARRAY_SIZE(portscan_mt_reg));
+       xt_unregister_matches(lscan_mt_reg, ARRAY_SIZE(lscan_mt_reg));
 }
 
-module_init(portscan_mt_init);
-module_exit(portscan_mt_exit);
+module_init(lscan_mt_init);
+module_exit(lscan_mt_exit);
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: \"portscan\" match");
+MODULE_DESCRIPTION("Xtables: Low-level scan (e.g. nmap) match");
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_portscan");
-MODULE_ALIAS("ip6t_portscan");
+MODULE_ALIAS("ipt_lscan");
+MODULE_ALIAS("ip6t_lscan");
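Review bot: The old match name disappears with no compatibility path: the MODULE_ALIAS lines at the end of this hunk now register only `ipt_lscan`/`ip6t_lscan`, and `.name` in lscan_mt_reg is `"lscan"`, so a saved ruleset containing `-m portscan` will neither autoload the module under its old name nor parse once this version is installed. If a transition period is intended, keep `MODULE_ALIAS("ipt_portscan");` and `MODULE_ALIAS("ip6t_portscan");` next to the new ones (the userspace plugin would also need a registration under `"portscan"` for the rule to parse), or state the break explicitly in the changelog entry, which currently only records the rename. This assumes no compatibility shim exists elsewhere in the tree; if one does, a one-line comment above the aliases pointing to it would save the next reader the search.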
diff --git a/extensions/xt_lscan.h b/extensions/xt_lscan.h
new file mode 100644 (file)
index 0000000..2cc8b02
--- /dev/null
@@ -0,0 +1,8 @@
+#ifndef _LINUX_NETFILTER_XT_LSCAN_H
+#define _LINUX_NETFILTER_XT_LSCAN_H 1
+
+struct xt_lscan_mtinfo {
+       uint8_t match_stealth, match_syn, match_cn, match_gr;
+};
+
+#endif /* _LINUX_NETFILTER_XT_LSCAN_H */
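Review bot: The new header is not self-contained: struct xt_lscan_mtinfo uses `uint8_t` but the file includes nothing, so it compiles only when the includer has already pulled in `<stdint.h>` (userspace) or the kernel's type headers. For a header shared between the kernel module and the iptables plugin the usual form is `#include <linux/types.h>` with `__u8 match_stealth, match_syn, match_cn, match_gr;`, which keeps the same layout and size. The content is carried over unchanged from xt_portscan.h rather than introduced here, but a new file is the natural point to fix it.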
diff --git a/extensions/xt_portscan.h b/extensions/xt_portscan.h
deleted file mode 100644 (file)
index 949a8ae..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef _LINUX_NETFILTER_XT_PORTSCAN_H
-#define _LINUX_NETFILTER_XT_PORTSCAN_H 1
-
-struct xt_portscan_mtinfo {
-       uint8_t match_stealth, match_syn, match_cn, match_gr;
-};
-
-#endif /* _LINUX_NETFILTER_XT_PORTSCAN_H */
diff --git a/mconfig b/mconfig
index 7dab1a4466efe69fc86398edab1893db785c6713..27d7557f262b26ded4bd5f869ad195ab908858ca 100644 (file)
--- a/mconfig
+++ b/mconfig
@@ -15,5 +15,5 @@ build_geoip=m
 build_ipp2p=m
 build_ipset=m
 build_length2=m
-build_portscan=m
+build_lscan=m
 build_quota2=m