Peter Volkov [Fri, 19 Feb 2010 11:06:00 +0000 (14:06 +0300)]
RAWNAT: make IPv6 optional
In case the kernel is built without IPv6 support the compilation of
this module fails as it assumes IPv6. This patch makes kernel support
conditional on kernel .config.
Jan Engelhardt [Tue, 16 Feb 2010 21:16:28 +0000 (22:16 +0100)]
build: remove unnecessasry --with-xtables option
Jonas Berlin notes that --with-xtables only emitted a -I parameter
and -L was absent.
On second look, we would also be missing -Wl,-rpath, and that would
all be system-dependent. The --with-xtables option is actually not
needed; one can easily specify extra include directories and linker
flags by means of overriding libxtables_CFLAGS and libxtables_LIBS
(even when there are no installed pkgconfig files for libxtables).
Peter Volkov [Mon, 18 Jan 2010 09:08:36 +0000 (12:08 +0300)]
build: fix installation when only modules in subdirs are enabled
In case only modules that are built in subdirectories of extensions
are enabled (and thus nothing is build in extensions directory itself)
installation fails with the error (only build_ACCOUNT=y in mconfig):
install -pm0755
"/vt/portage/tmp/portage/net-firewall/xtables-addons-1.21/image/
//usr/local/libexec/xtables";
install: missing destination file operand after
"/vt/portage/tmp/portage/net-firewall/xtables-addons-1.21/image/
//usr/local/libexec/xtables"
Try `install --help' for more information.
make[3]: *** [install] Error 1
Michael Farrell [Mon, 28 Dec 2009 15:23:57 +0000 (01:53 +1030)]
quota2: add a no-change mode
This commit adds an option to xt_quota2 called "no-change". The
effect of this option, when used, is that it will skip incrementing
or decrementing the quota counter, effectively providing a quota test
only.
The reason for implementing this is so that I could have a rule check
if quota is available for a rule in the PREROUTING tables, without
actually decrementing the amount of available quota. I only wanted to
decrement the amount of available quota in the FORWARD rule.
Otherwise, the first packet of every connection would be counted
twice.
Jan Engelhardt [Thu, 19 Nov 2009 11:13:12 +0000 (12:13 +0100)]
pknock: avoid compiler warnings for !PK_CRYPTO case
xt_pknock.c: In function "update_peer":
xt_pknock.c:890:3: warning: implicit declaration of function "pass_security"
xt_pknock.c: In function "pknock_mt":
xt_pknock.c:1030:5: warning: implicit declaration of function "is_close_knock"
Jan Engelhardt [Wed, 11 Nov 2009 10:48:34 +0000 (11:48 +0100)]
ipset/doc: make emphasis markup consistent
Consistently apply markup so that only replaceable items are italic,
and only items to be typed verbatim are bold. Also apply the command
syntax "BNF" (where and when to use [], {}) that is used in the
iptables manpages to ipset.8.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Natanael Copa [Tue, 3 Nov 2009 13:54:57 +0000 (13:54 +0000)]
build: fix --without-kbuild semantics
The --without-build option is useful when your distro has multiple
kernels and/or you want to build a common package for userspace stuff
only. Support this option properly.
Chris Blum [Thu, 15 Oct 2009 14:27:06 +0000 (16:27 +0200)]
ipp2p: fix Gnutella line ending detection
There is another mistake in the code. I have checked the Gnutella
protocol specification -- looks like the line separation is 0x0d-0x0a
and not 0x0a-0x0d (it seemed obvious but I was not sure and thought
they cannot have possibly got that wrong...). It would certainly
explain why I have never seen a match on any of my systems.
Jan Engelhardt [Mon, 12 Oct 2009 16:52:02 +0000 (18:52 +0200)]
pknock: fix pknlusr compile warnings
pknlusr.c: In function "main":
pknlusr.c:81:25: warning: cast to pointer from integer of different size
pknlusr.c:81:7: warning: cast to pointer from integer of different size
Jan Rafaj [Sun, 11 Oct 2009 22:01:35 +0000 (00:01 +0200)]
pknock: check interknock time only for !ST_ALLOWED peers
Fixes a bug whereby an ST_ALLOWED peer existing for a time greater
than gc_expir_time would be gc-deleted, because both
!has_logged_during_this_minute(peer) and
is_interknock_time_exceeded(peer, rule->max_time) would be satisfied
for ST_ALLOWED hosts.
We also no longer test for !has_logged_during_this_minute(peer) in
peer_gc(), since there is really no need for this: the anti-spoof
minute check is performed (and subsequent remove_peer(peer) called if
needed) for each passing UDP-mode peer with expired autoclose in
pknock_mt(), given that --autoclose has been specified. If autoclose
has not been set, it will be subject to reset_knock_status(peer)
called from knock_mt() upon receiving the first closing secret - so it
is still guaranteed to disappear at the closest opportunity.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Jan Rafaj [Sun, 11 Oct 2009 22:01:32 +0000 (00:01 +0200)]
pknock: Make non-zero time mandatory for TCP mode
This avoids DDoS on the first-in-sequence TCP knockport, which would
otherwise fill up the peer table permanently - especially if the user
does not specify --autoclose - and would thus cause permanent pknock
DoS.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Jan Engelhardt [Sun, 11 Oct 2009 22:56:55 +0000 (00:56 +0200)]
pknock: remove redundant final check for any-option
Just below the check that was just removed, the presence of --name is
tested for, as --name is always required. That makes the (flags == 0)
check superfluous, because non-zeroness is ensured by the name check.
Jan Rafaj [Sat, 10 Oct 2009 22:05:17 +0000 (00:05 +0200)]
pknock: avoid fillup of peer table during DDoS
In TCP --strict mode, forget the peer which sent the wrong knock in a
sequence, rather than resetting its status to ST_INIT. This avoids
filling up the peer table (which would lead to pknock DoS) in case of
a DDoS attack performed by a set of port-scanning malicious hosts.
Jan Engelhardt [Thu, 8 Oct 2009 15:26:36 +0000 (17:26 +0200)]
ipp2p: try to address underflows
Report by: Christian Blum <chrblum@users.sourceforge.net>
"I have found that they panic in an interrupt within xt_ipp2p, function
search_all_gnu(). It's a bounds checking problem; when I add this [a
check for plen >= 65535] at the beginning [of the function] the
servers run fine (very similar to find_all_kazaa())."
Jan Engelhardt [Tue, 6 Oct 2009 22:59:37 +0000 (00:59 +0200)]
pknock: avoid crash on memory allocation failure and fix memleak
If rule->peer_head==NULL due to an unsuccessful allocation, peer_gc
(and perhaps other places) may crash when they try to access it.
Since I see no deferred retry for allocation, the only option is to
fail in add_rule, clean it up, and return false instead.
Independent of that problem, it also needs to free peer_head in case
the status_proc allocation fails.
Jan Rafaj [Tue, 1 Sep 2009 17:52:48 +0000 (19:52 +0200)]
pknock: disallow running peer_gc too early
It is no longer possible to specify gc_expir_time with a time lower
than its default value (65000 msecs). This is to avoid running
peer_gc() earlier than 1 minute [well, 65 s actually] in the future,
which would otherwise render anti-spoof protection in SPA mode
non-functional.
Jan Engelhardt [Sat, 3 Oct 2009 22:08:34 +0000 (00:08 +0200)]
pknock: remove some extraneous messages and source lines
- $Id$ in a comment is pointless.
- remove unneeded/commented-out includes.
- remove warning messages on allocation failure
(if that happens it is almost too late anyway;
not wanting to spam the logs)
- remove warning messages about unhandled packets
(attacker filling up logs)
projects / thirdparty / xtables-addons.git / log
