[thirdparty/xtables-addons.git] / extensions / xt_CHAOS.c

/*
 *	"CHAOS" target extension for Xtables
 *	Copyright © Jan Engelhardt, 2006 - 2008
 *
 *	This program is free software; you can redistribute it and/or
 *	modify it under the terms of the GNU General Public License; either
 *	version 2 of the License, or any later version, as published by the
 *	Free Software Foundation.
 */
#include <linux/icmp.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/stat.h>
#include <linux/version.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_tcpudp.h>
#include <linux/netfilter_ipv4/ipt_REJECT.h>
#include <net/ip.h>
#include "xt_CHAOS.h"
static struct xt_match *xm_tcp;
static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
#include "compat_xtables.h"
#define PFX KBUILD_MODNAME ": "

/* Module parameters */
static unsigned int reject_percentage = ~0U * .01;
static unsigned int delude_percentage = ~0U * .0101;
module_param(reject_percentage, uint, S_IRUGO | S_IWUSR);
module_param(delude_percentage, uint, S_IRUGO | S_IWUSR);

/* References to other matches/targets */

static int have_delude, have_tarpit;

/* Static data for other matches/targets */
static const struct ipt_reject_info reject_params = {
	.with = ICMP_HOST_UNREACH,
};

static const struct xt_tcp tcp_params = {
	.spts = {0, ~0},
	.dpts = {0, ~0},
};

/* CHAOS functions */
static void
xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
{
	const struct xt_chaos_tginfo *info = par->targinfo;
	const struct iphdr *iph = ip_hdr(skb);
	const int thoff         = 4 * iph->ihl;
	const int fragoff       = ntohs(iph->frag_off) & IP_OFFSET;
	typeof(xt_tarpit) destiny;
	bool ret;
	bool hotdrop = false;

	{
		struct xt_action_param local_par;
		local_par.state    = par->state;
		local_par.match     = xm_tcp;
		local_par.matchinfo = &tcp_params;
		local_par.fragoff   = fragoff;
		local_par.thoff     = thoff;
		local_par.hotdrop   = false;
		ret = xm_tcp->match(skb, &local_par);
		hotdrop = local_par.hotdrop;
	}
	if (!ret || hotdrop || (unsigned int)get_random_u32() > delude_percentage)
		return;

	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
	{
		struct xt_action_param local_par;
		local_par.state    = par->state;
		local_par.target   = destiny;
		local_par.targinfo = par->targinfo;
		destiny->target(skb, &local_par);
	}
}

static unsigned int
chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
	/*
	 * Equivalent to:
	 * -A chaos -m statistic --mode random --probability \
	 *         $reject_percentage -j REJECT --reject-with host-unreach;
	 * -A chaos -p tcp -m statistic --mode random --probability \
	 *         $delude_percentage -j DELUDE;
	 * -A chaos -j DROP;
	 */
	const struct xt_chaos_tginfo *info = par->targinfo;
	const struct iphdr *iph = ip_hdr(skb);

	if ((unsigned int)get_random_u32() <= reject_percentage) {
		struct xt_action_param local_par;
		local_par.state    = par->state;
		local_par.target   = xt_reject;
		local_par.targinfo = &reject_params;
		return xt_reject->target(skb, &local_par);
	}

	/* TARPIT/DELUDE may not be called from the OUTPUT chain */
	if (iph->protocol == IPPROTO_TCP && info->variant != XTCHAOS_NORMAL &&
	    par->state->hook != NF_INET_LOCAL_OUT)
		xt_chaos_total(skb, par);

	return NF_DROP;
}

static int chaos_tg_check(const struct xt_tgchk_param *par)
{
	const struct xt_chaos_tginfo *info = par->targinfo;

	if (info->variant == XTCHAOS_DELUDE && !have_delude) {
		printk(KERN_WARNING PFX "Error: Cannot use --delude when "
		       "DELUDE module not available\n");
		return -EINVAL;
	}
	if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
		printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
		       "TARPIT module not available\n");
		return -EINVAL;
	}

	return 0;
}

static struct xt_target chaos_tg_reg = {
	.name       = "CHAOS",
	.revision   = 0,
	.family     = NFPROTO_IPV4,
	.table      = "filter",
	.hooks      = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) |
	              (1 << NF_INET_LOCAL_OUT),
	.target     = chaos_tg,
	.checkentry = chaos_tg_check,
	.targetsize = sizeof(struct xt_chaos_tginfo),
	.me         = THIS_MODULE,
};

static int __init chaos_tg_init(void)
{
	int ret = -EINVAL;

	xm_tcp = xt_request_find_match(NFPROTO_IPV4, "tcp", 0);
	if (xm_tcp == NULL) {
		printk(KERN_WARNING PFX "Error: Could not find or load "
		       "\"tcp\" match\n");
		return -EINVAL;
	}

	xt_reject = xt_request_find_target(NFPROTO_IPV4, "REJECT", 0);
	if (xt_reject == NULL) {
		printk(KERN_WARNING PFX "Error: Could not find or load "
		       "\"REJECT\" target\n");
		goto out2;
	}

	xt_tarpit   = xt_request_find_target(NFPROTO_IPV4, "TARPIT", 0);
	have_tarpit = xt_tarpit != NULL;
	if (!have_tarpit)
		printk(KERN_WARNING PFX "Warning: Could not find or load "
		       "\"TARPIT\" target\n");

	xt_delude   = xt_request_find_target(NFPROTO_IPV4, "DELUDE", 0);
	have_delude = xt_delude != NULL;
	if (!have_delude)
		printk(KERN_WARNING PFX "Warning: Could not find or load "
		       "\"DELUDE\" target\n");

	ret = xt_register_target(&chaos_tg_reg);
	if (ret != 0) {
		printk(KERN_WARNING PFX "xt_register_target returned "
		       "error %d\n", ret);
		goto out3;
	}

	return 0;

 out3:
 	if (have_delude)
 		module_put(xt_delude->me);
	if (have_tarpit)
		module_put(xt_tarpit->me);
	module_put(xt_reject->me);
 out2:
	module_put(xm_tcp->me);
	return ret;
}

static void __exit chaos_tg_exit(void)
{
	xt_unregister_target(&chaos_tg_reg);
	module_put(xm_tcp->me);
	module_put(xt_reject->me);
	if (have_delude)
		module_put(xt_delude->me);
	if (have_tarpit)
		module_put(xt_tarpit->me);
}

module_init(chaos_tg_init);
module_exit(chaos_tg_exit);
MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
MODULE_AUTHOR("Jan Engelhardt ");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_CHAOS");
Commit	Line	Data
2fbfbe6c	1	/*
74880dd6	2	* "CHAOS" target extension for Xtables
bcdb7ed4	3	* Copyright © Jan Engelhardt, 2006 - 2008
2fbfbe6c	4	*
74880dd6 JE	5	* This program is free software; you can redistribute it and/or
	6	* modify it under the terms of the GNU General Public License; either
	7	* version 2 of the License, or any later version, as published by the
	8	* Free Software Foundation.
2fbfbe6c JE	9	*/
	10	#include <linux/icmp.h>
	11	#include <linux/in.h>
	12	#include <linux/ip.h>
	13	#include <linux/module.h>
	14	#include <linux/skbuff.h>
	15	#include <linux/stat.h>
ec97cd6d	16	#include <linux/version.h>
2fbfbe6c JE	17	#include <linux/netfilter/x_tables.h>
	18	#include <linux/netfilter/xt_tcpudp.h>
	19	#include <linux/netfilter_ipv4/ipt_REJECT.h>
	20	#include <net/ip.h>
	21	#include "xt_CHAOS.h"
	22	static struct xt_match *xm_tcp;
	23	static struct xt_target xt_delude, xt_reject, *xt_tarpit;
	24	#include "compat_xtables.h"
	25	#define PFX KBUILD_MODNAME ": "
	26
	27	/* Module parameters */
	28	static unsigned int reject_percentage = ~0U * .01;
	29	static unsigned int delude_percentage = ~0U * .0101;
	30	module_param(reject_percentage, uint, S_IRUGO \| S_IWUSR);
	31	module_param(delude_percentage, uint, S_IRUGO \| S_IWUSR);
	32
	33	/* References to other matches/targets */
	34
	35	static int have_delude, have_tarpit;
	36
	37	/* Static data for other matches/targets */
	38	static const struct ipt_reject_info reject_params = {
	39	.with = ICMP_HOST_UNREACH,
	40	};
	41
	42	static const struct xt_tcp tcp_params = {
	43	.spts = {0, ~0},
	44	.dpts = {0, ~0},
	45	};
	46
	47	/* CHAOS functions */
ee7e4f5a	48	static void
5b472be9	49	xt_chaos_total(struct sk_buff skb, const struct xt_action_param par)
2fbfbe6c	50	{
ee7e4f5a	51	const struct xt_chaos_tginfo *info = par->targinfo;
2fbfbe6c	52	const struct iphdr *iph = ip_hdr(skb);
ee7e4f5a JE	53	const int thoff = 4 * iph->ihl;
ee7e4f5a JE	54	const int fragoff = ntohs(iph->frag_off) & IP_OFFSET;
2fbfbe6c JE	55	typeof(xt_tarpit) destiny;
2fbfbe6c JE	56	bool ret;
2fbfbe6c	57	bool hotdrop = false;
2fbfbe6c	58
54d80a73 JE	59	{
54d80a73 JE	60	struct xt_action_param local_par;
a8af97b8	61	local_par.state = par->state;
54d80a73 JE	62	local_par.match = xm_tcp;
	63	local_par.matchinfo = &tcp_params;
	64	local_par.fragoff = fragoff;
	65	local_par.thoff = thoff;
	66	local_par.hotdrop = false;
	67	ret = xm_tcp->match(skb, &local_par);
	68	hotdrop = local_par.hotdrop;
	69	}
71396f94	70	if (!ret \|\| hotdrop \|\| (unsigned int)get_random_u32() > delude_percentage)
2fbfbe6c JE	71	return;
	72
	73	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
54d80a73 JE	74	{
54d80a73 JE	75	struct xt_action_param local_par;
a8af97b8	76	local_par.state = par->state;
54d80a73 JE	77	local_par.target = destiny;
54d80a73 JE	78	local_par.targinfo = par->targinfo;
54d80a73 JE	79	destiny->target(skb, &local_par);
54d80a73 JE	80	}
2fbfbe6c JE	81	}
2fbfbe6c JE	82
ee7e4f5a	83	static unsigned int
991c0cf4	84	chaos_tg(struct sk_buff skb, const struct xt_action_param par)
2fbfbe6c JE	85	{
	86	/*
	87	* Equivalent to:
	88	* -A chaos -m statistic --mode random --probability \
	89	* $reject_percentage -j REJECT --reject-with host-unreach;
	90	* -A chaos -p tcp -m statistic --mode random --probability \
	91	* $delude_percentage -j DELUDE;
	92	* -A chaos -j DROP;
	93	*/
ee7e4f5a	94	const struct xt_chaos_tginfo *info = par->targinfo;
2fbfbe6c JE	95	const struct iphdr *iph = ip_hdr(skb);
2fbfbe6c JE	96
71396f94	97	if ((unsigned int)get_random_u32() <= reject_percentage) {
54d80a73	98	struct xt_action_param local_par;
a8af97b8	99	local_par.state = par->state;
54d80a73 JE	100	local_par.target = xt_reject;
	101	local_par.targinfo = &reject_params;
	102	return xt_reject->target(skb, &local_par);
ee7e4f5a	103	}
2fbfbe6c JE	104
2fbfbe6c JE	105	/* TARPIT/DELUDE may not be called from the OUTPUT chain */
9b1c7c1c JE	106	if (iph->protocol == IPPROTO_TCP && info->variant != XTCHAOS_NORMAL &&
9b1c7c1c JE	107	par->state->hook != NF_INET_LOCAL_OUT)
ee7e4f5a	108	xt_chaos_total(skb, par);
2fbfbe6c JE	109
	110	return NF_DROP;
	111	}
	112
ad146dbe	113	static int chaos_tg_check(const struct xt_tgchk_param *par)
2fbfbe6c	114	{
ee7e4f5a	115	const struct xt_chaos_tginfo *info = par->targinfo;
2fbfbe6c JE	116
	117	if (info->variant == XTCHAOS_DELUDE && !have_delude) {
	118	printk(KERN_WARNING PFX "Error: Cannot use --delude when "
	119	"DELUDE module not available\n");
ad146dbe	120	return -EINVAL;
2fbfbe6c JE	121	}
	122	if (info->variant == XTCHAOS_TARPIT && !have_tarpit) {
	123	printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
	124	"TARPIT module not available\n");
ad146dbe	125	return -EINVAL;
2fbfbe6c JE	126	}
2fbfbe6c JE	127
ad146dbe	128	return 0;
2fbfbe6c JE	129	}
	130
	131	static struct xt_target chaos_tg_reg = {
	132	.name = "CHAOS",
be6fbee5 JE	133	.revision = 0,
be6fbee5 JE	134	.family = NFPROTO_IPV4,
2fbfbe6c JE	135	.table = "filter",
	136	.hooks = (1 << NF_INET_LOCAL_IN) \| (1 << NF_INET_FORWARD) \|
	137	(1 << NF_INET_LOCAL_OUT),
	138	.target = chaos_tg,
	139	.checkentry = chaos_tg_check,
	140	.targetsize = sizeof(struct xt_chaos_tginfo),
	141	.me = THIS_MODULE,
	142	};
	143
	144	static int __init chaos_tg_init(void)
	145	{
	146	int ret = -EINVAL;
	147
be6fbee5	148	xm_tcp = xt_request_find_match(NFPROTO_IPV4, "tcp", 0);
2fbfbe6c JE	149	if (xm_tcp == NULL) {
	150	printk(KERN_WARNING PFX "Error: Could not find or load "
	151	"\"tcp\" match\n");
	152	return -EINVAL;
	153	}
	154
be6fbee5	155	xt_reject = xt_request_find_target(NFPROTO_IPV4, "REJECT", 0);
2fbfbe6c JE	156	if (xt_reject == NULL) {
	157	printk(KERN_WARNING PFX "Error: Could not find or load "
	158	"\"REJECT\" target\n");
	159	goto out2;
	160	}
	161
be6fbee5	162	xt_tarpit = xt_request_find_target(NFPROTO_IPV4, "TARPIT", 0);
2fbfbe6c JE	163	have_tarpit = xt_tarpit != NULL;
	164	if (!have_tarpit)
	165	printk(KERN_WARNING PFX "Warning: Could not find or load "
	166	"\"TARPIT\" target\n");
	167
be6fbee5	168	xt_delude = xt_request_find_target(NFPROTO_IPV4, "DELUDE", 0);
2fbfbe6c JE	169	have_delude = xt_delude != NULL;
	170	if (!have_delude)
	171	printk(KERN_WARNING PFX "Warning: Could not find or load "
	172	"\"DELUDE\" target\n");
	173
bfb0516c JE	174	ret = xt_register_target(&chaos_tg_reg);
bfb0516c JE	175	if (ret != 0) {
2fbfbe6c JE	176	printk(KERN_WARNING PFX "xt_register_target returned "
	177	"error %d\n", ret);
	178	goto out3;
	179	}
	180
	181	return 0;
	182
	183	out3:
	184	if (have_delude)
	185	module_put(xt_delude->me);
	186	if (have_tarpit)
	187	module_put(xt_tarpit->me);
	188	module_put(xt_reject->me);
	189	out2:
	190	module_put(xm_tcp->me);
	191	return ret;
	192	}
	193
	194	static void __exit chaos_tg_exit(void)
	195	{
	196	xt_unregister_target(&chaos_tg_reg);
	197	module_put(xm_tcp->me);
	198	module_put(xt_reject->me);
	199	if (have_delude)
	200	module_put(xt_delude->me);
	201	if (have_tarpit)
	202	module_put(xt_tarpit->me);
2fbfbe6c JE	203	}
	204
	205	module_init(chaos_tg_init);
	206	module_exit(chaos_tg_exit);
2fbfbe6c	207	MODULE_DESCRIPTION("Xtables: Network scan slowdown with non-deterministic results");
bcdb7ed4	208	MODULE_AUTHOR("Jan Engelhardt ");
2fbfbe6c JE	209	MODULE_LICENSE("GPL");
2fbfbe6c JE	210	MODULE_ALIAS("ipt_CHAOS");