xtables-addons.spec
xtables-addons-1.37.tar.bz2/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for xtables-addons 1.36.
+# Generated by GNU Autoconf 2.68 for xtables-addons 1.37.
#
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -706,8 +706,8 @@
# Identity of this package.
PACKAGE_NAME='xtables-addons'
PACKAGE_TARNAME='xtables-addons'
-PACKAGE_VERSION='1.36'
-PACKAGE_STRING='xtables-addons 1.36'
+PACKAGE_VERSION='1.37'
+PACKAGE_STRING='xtables-addons 1.37'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1441,7 +1441,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures xtables-addons 1.36 to adapt to many kinds of systems.
+\`configure' configures xtables-addons 1.37 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1511,7 +1511,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of xtables-addons 1.36:";;
+ short | recursive ) echo "Configuration of xtables-addons 1.37:";;
esac
cat <<\_ACEOF
@@ -1628,7 +1628,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-xtables-addons configure 1.36
+xtables-addons configure 1.37
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -1993,7 +1993,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by xtables-addons $as_me 1.36, which was
+It was created by xtables-addons $as_me 1.37, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
@@ -2811,7 +2811,7 @@
# Define the identity of the package.
PACKAGE='xtables-addons'
- VERSION='1.36'
+ VERSION='1.37'
cat >>confdefs.h <<_ACEOF
@@ -10909,7 +10909,7 @@
if test -n "$kbuilddir"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel version that we will build against" >&5
$as_echo_n "checking kernel version that we will build against... " >&6; }
- krel="$(make -sC "$kbuilddir" M=. kernelrelease)";
+ krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease)";
kmajor="${krel%%[^0-9]*}";
kmajor="$(($kmajor+0))";
krel="${krel:${#kmajor}}";
@@ -10932,7 +10932,7 @@
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test "$kmajor" -eq 3; then
:;
- elif test "$kmajor" -eq 2 -a "$kminor" -ge 29; then
+ elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29; then
:;
else
echo "WARNING: That kernel version is not supported.";
@@ -11480,7 +11480,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by xtables-addons $as_me 1.36, which was
+This file was extended by xtables-addons $as_me 1.37, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -11546,7 +11546,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-xtables-addons config.status 1.36
+xtables-addons config.status 1.37
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
xtables-addons-1.37.tar.bz2/configure.ac
@@ -1,5 +1,4 @@
-
-AC_INIT([xtables-addons], [1.36])
+AC_INIT([xtables-addons], [1.37])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
AC_PROG_INSTALL
@@ -42,7 +41,7 @@
if test -n "$kbuilddir"; then
AC_MSG_CHECKING([kernel version that we will build against])
- krel="$(make -sC "$kbuilddir" M=. kernelrelease)";
+ krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease)";
kmajor="${krel%%[[^0-9]]*}";
kmajor="$(($kmajor+0))";
krel="${krel:${#kmajor}}";
@@ -65,7 +64,7 @@
echo "WARNING: You are trying a newer kernel. Results may vary. :-)";
elif test "$kmajor" -eq 3; then
:;
- elif test "$kmajor" -eq 2 -a "$kminor" -ge 29; then
+ elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29; then
:;
else
echo "WARNING: That kernel version is not supported.";
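Review bot: `M=$PWD` in the new `make -sC "$kbuilddir" M=$PWD kernelrelease` line is unquoted inside the command substitution, so a source tree whose path contains whitespace is split into several make arguments and the kernel-release probe may fail or query the wrong directory; write `M="$PWD"`. The same line is duplicated in the generated `configure` in this commit, which should be regenerated from here rather than edited by hand. The extended version test `test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29` relies on the deprecated `-a` conjunction and on `kminor`/`kmicro` being parsed further down, outside this hunk; `test "$kmajor" -eq 2 && test "$kminor" -eq 6 && test "$kmicro" -ge 29` is the portable spelling. The `if test -n "$kbuilddir"` block enclosing both hunks ends outside them.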
xtables-addons-1.37.tar.bz2/doc/changelog.txt
@@ -3,6 +3,14 @@
====
+v1.37 (2011-06-25)
+==================
+Fixes:
+- xt_SYSRQ: make IPv6 trigger work again
+- xt_SYSRQ: improve security: include host address in digest
+- xt_TARPIT: fix a kernel oops in --reset mode
+
+
v1.36 (2011-06-03)
==================
Changes:
xtables-addons-1.37.tar.bz2/extensions/libxt_SYSRQ.man
@@ -36,6 +36,8 @@
.IP
echo \-n "password" >/sys/module/xt_SYSRQ/parameters/password
.PP
+The module will not respond to sysrq requests until a password has been set.
+.PP
Alternatively, the password may be specified at modprobe time, but this is
insecure as people can possible see it through ps(1). You can use an option
line in e.g. /etc/modprobe.d/xt_sysrq if it is properly guarded, that is, only
@@ -52,7 +54,7 @@
but the \fIdebug\fP module parameter can be used to find exactly why a
seemingly correct request is not being processed.
.PP
-To trigger SYSRQ from a remote host, just use netcat or socat:
+To trigger SYSRQ from a remote host, just use socat:
.PP
.nf
sysrq_key="s" # the SysRq key(s)
@@ -60,12 +62,11 @@
seqno="$(date +%s)"
salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null |
openssl enc \-base64)"
+ipaddr=10.10.25.7
req="$sysrq_key,$seqno,$salt"
-req="$req,$(echo \-n "$req,$password" | sha1sum | cut \-c1\-40)"
+req="$req,$(echo \-n "$req,$ipaddr,$password" | sha1sum | cut \-c1\-40)"
-echo "$req" | socat stdin udp\-sendto:10.10.25.7:9
-# or
-echo "$req" | netcat \-uw1 10.10.25.7 9
+echo "$req" | socat stdin udp\-sendto:$ipaddr:9
.fi
.PP
See the Linux docs for possible sysrq keys. Important ones are: re(b)oot,
@@ -73,8 +74,10 @@
sysrq key can be used at once, but bear in mind that, for example, a sync may
not complete before a subsequent reboot or poweroff.
.PP
+An IPv4 address should have no leading zeros, an IPv6 address should
+be in the form recommended by RFC 5952. The debug option will log the
+correct form of the address.
+.PP
The hashing scheme should be enough to prevent mis-use of SYSRQ in many
environments, but it is not perfect: take reasonable precautions to
-protect your machines. Most importantly ensure that each machine has a
-different password; there is scant protection for a SYSRQ packet being
-applied to a machine that happens to have the same password.
+protect your machines.
xtables-addons-1.37.tar.bz2/extensions/xt_SYSRQ.c
@@ -4,6 +4,8 @@
*
* Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk>
*
+ * Security additions John Haxby <john.haxby [at] oracle com>
+ *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* version 2 or 3 as published by the Free Software Foundation.
@@ -58,13 +60,13 @@
* is a series of sysrq requests; <seqno> is a sequence number that must be
* greater than the last sequence number; <salt> is some random bytes; and
* <hash> is the hash of everything up to and including the preceding ","
- * together with the password.
+ * together with "<dstaddr>,<password>".
*
* For example
*
* salt=$RANDOM
* req="s,$(date +%s),$salt"
- * echo "$req,$(echo -n $req,secret | sha1sum | cut -c1-40)"
+ * echo "$req,$(echo -n $req,10.10.25.1,secret | sha1sum | cut -c1-40)"
*
* You will want a better salt and password than that though :-)
*/
@@ -121,7 +123,6 @@
sg_init_table(sg, 2);
#endif
sg_set_buf(&sg[0], data, n);
- strcpy(sysrq_digest_password, sysrq_password);
i = strlen(sysrq_digest_password);
sg_set_buf(&sg[1], sysrq_digest_password, i);
ret = crypto_hash_digest(&desc, sg, n + i, sysrq_digest);
@@ -223,6 +224,8 @@
": " NIPQUAD_FMT ":%u -> :%u len=%u\n",
NIPQUAD(iph->saddr), htons(udph->source),
htons(udph->dest), len);
+ sprintf(sysrq_digest_password, NIPQUAD_FMT ",%s",
+ NIPQUAD(iph->daddr), sysrq_password);
return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
}
@@ -253,7 +256,9 @@
": " NIP6_FMT ":%hu -> :%hu len=%u\n",
NIP6(iph->saddr), ntohs(udph->source),
ntohs(udph->dest), len);
- return sysrq_tg(udph + sizeof(struct udphdr), len);
+ sprintf(sysrq_digest_password, NIP6_FMT ",%s",
+ NIP6(iph->daddr), sysrq_password);
+ return sysrq_tg((void *)udph + sizeof(struct udphdr), len);
}
#endif
@@ -340,7 +345,9 @@
sysrq_hexdigest = kmalloc(2 * sysrq_digest_size + 1, GFP_KERNEL);
if (sysrq_hexdigest == NULL)
goto fail;
- sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL);
+ sysrq_digest_password =
+ kmalloc(sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255") +
+ sizeof(sysrq_password), GFP_KERNEL);
if (sysrq_digest_password == NULL)
goto fail;
do_gettimeofday(&now);
@@ -376,6 +383,7 @@
module_exit(sysrq_tg_exit);
MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_AUTHOR("John Haxby <john.haxby@oracle.com");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_SYSRQ");
MODULE_ALIAS("ip6t_SYSRQ");
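Review bot: The two new `sprintf` calls into `sysrq_digest_password` (IPv4 and IPv6 hunks) are bounded only by the hard-coded `"xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255"` literal in the later `kmalloc` hunk, so the bound silently depends on NIPQUAD_FMT/NIP6_FMT never expanding past that literal and on `sysrq_password` being a fixed-size array; keep the allocation length in a named constant and write `snprintf(sysrq_digest_password, digest_pw_len, NIP6_FMT ",%s", NIP6(iph->daddr), sysrq_password);` (and the NIPQUAD twin, `digest_pw_len` being a constructed name for that constant) so a format change cannot overrun the heap buffer. With the `strcpy` removed from the hash routine, `sysrq_tg` now hashes whatever the caller last formatted into this single global; both visible callers set it first, but it is rewritten per packet, so unless a lock outside these hunks serialises the packet path, concurrent IPv4 and IPv6 requests could hash a mix of two addresses (a failed check rather than a bypass, but worth a comment at the declaration). `MODULE_AUTHOR("John Haxby <john.haxby@oracle.com");` is missing the closing `>`. The functions enclosing the IPv4 and IPv6 hunks start outside them.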
xtables-addons-1.37.tar.bz2/extensions/xt_TARPIT.c
@@ -58,7 +58,7 @@
struct sk_buff *nskb;
const struct iphdr *oldhdr;
struct iphdr *niph;
- u_int16_t tmp;
+ uint16_t tmp, payload;
/* A truncated TCP header is not going to be useful */
if (oldskb->len < ip_hdrlen(oldskb) + sizeof(struct tcphdr))
@@ -69,29 +69,6 @@
if (oth == NULL)
return;
- if (mode == XTTARPIT_TARPIT) {
- /* No replies for RST, FIN or !SYN,!ACK */
- if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
- return;
-#if 0
- /* Rate-limit replies to !SYN,ACKs */
- if (!oth->syn && oth->ack)
- if (!xrlim_allow(rt_dst(ort), HZ))
- return;
-#endif
- } else if (mode == XTTARPIT_HONEYPOT) {
- /* Do not answer any resets regardless of combination */
- if (oth->rst || oth->seq == 0xDEADBEEF)
- return;
- } else if (mode == XTTARPIT_RESET) {
- tcph->window = 0;
- tcph->ack = false;
- tcph->syn = false;
- tcph->rst = true;
- tcph->seq = oth->ack_seq;
- tcph->ack_seq = oth->seq;
- }
-
/* Check checksum. */
if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP))
return;
@@ -127,6 +104,9 @@
tcph->source = tcph->dest;
tcph->dest = tmp;
+ /* Calculate payload size?? */
+ payload = nskb->len - ip_hdrlen(nskb) - sizeof(struct tcphdr);
+
/* Truncate to length (no data) */
tcph->doff = sizeof(struct tcphdr) / 4;
skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr));
@@ -136,7 +116,9 @@
((u_int8_t *)tcph)[13] = 0;
if (mode == XTTARPIT_TARPIT) {
- /* Use supplied sequence number or make a new one */
+ /* No replies for RST, FIN or !SYN,!ACK */
+ if (oth->rst || oth->fin || (!oth->syn && !oth->ack))
+ return;
tcph->seq = oth->ack ? oth->ack_seq : 0;
/* Our SYN-ACKs must have a >0 window */
@@ -149,7 +131,16 @@
tcph->ack = true;
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
}
+#if 0
+ /* Rate-limit replies to !SYN,ACKs */
+ if (!oth->syn && oth->ack)
+ if (!xrlim_allow(rt_dst(ort), HZ))
+ return;
+#endif
} else if (mode == XTTARPIT_HONEYPOT) {
+ /* Do not answer any resets regardless of combination */
+ if (oth->rst || oth->seq == 0xDEADBEEF)
+ return;
/* Send a reset to scanners. They like that. */
if (oth->syn && oth->ack) {
tcph->window = 0;
@@ -159,23 +150,29 @@
tcph->seq = oth->ack_seq;
tcph->rst = true;
}
+
/* SYN > SYN-ACK */
if (oth->syn && !oth->ack) {
tcph->syn = true;
tcph->ack = true;
- tcph->window = oth->window;
- tcph->ack_seq = oth->seq;
- tcph->seq = htonl(net_random() | ~oth->seq);
+ tcph->window = oth->window &
+ ((net_random() & 0x1f) - 0xf);
+ tcph->seq = htonl(net_random() & ~oth->seq);
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn);
}
+
/* ACK > ACK */
- if (oth->ack && !oth->fin && !oth->syn) {
+ if (oth->ack && (!(oth->fin || oth->syn))) {
tcph->syn = false;
tcph->ack = true;
tcph->window = oth->window &
((net_random() & 0x1f) - 0xf);
- tcph->ack_seq = htonl(ntohl(oth->seq) + 1);
+ tcph->ack_seq = payload > 100 ?
+ htonl(ntohl(oth->seq) + payload) :
+ oth->seq;
tcph->seq = oth->ack_seq;
}
+
/*
* FIN > RST.
* We cannot terminate gracefully so just be abrupt.
@@ -188,6 +185,13 @@
tcph->ack = false;
tcph->rst = true;
}
+ } else if (mode == XTTARPIT_RESET) {
+ tcph->window = 0;
+ tcph->ack = false;
+ tcph->syn = false;
+ tcph->rst = true;
+ tcph->seq = oth->ack_seq;
+ tcph->ack_seq = oth->seq;
}
/* Adjust TCP checksum */
@@ -204,7 +208,7 @@
/* Set DF, id = 0 */
niph->frag_off = htons(IP_DF);
- if (mode == XTTARPIT_TARPIT)
+ if (mode == XTTARPIT_TARPIT || mode == XTTARPIT_RESET)
niph->id = 0;
else if (mode == XTTARPIT_HONEYPOT)
niph->id = ~oldhdr->id + 1;
@@ -225,7 +229,10 @@
nskb->ip_summed = CHECKSUM_NONE;
/* Adjust IP TTL */
- niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
+ if (mode == XTTARPIT_HONEYPOT)
+ niph->ttl = 128;
+ else
+ niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT);
/* Adjust IP checksum */
niph->check = 0;
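Review bot: The guard checks moved into the mode branches now `return` after `nskb` exists — `skb_trim(nskb, …)` in the preceding hunk shows the reply buffer is already allocated at that point — so the early returns at `if (oth->rst || oth->fin || (!oth->syn && !oth->ack)) return;`, the `#if 0` rate-limit, and the HONEYPOT `if (oth->rst || oth->seq == 0xDEADBEEF) return;` appear to leak the reply skb on every such packet (an unbounded memory drain on a busy tarpit if so; confirm against the allocation, which is outside these hunks). Each of those returns should release the buffer, e.g. `kfree_skb(nskb); return;` or a shared `goto free_nskb;` label that does the `kfree_skb`. The new `payload` computation subtracts `sizeof(struct tcphdr)` rather than the option-inclusive header length of the original segment, so a segment carrying TCP options over-counts its payload and the honeypot ACK lands past the peer's data; `oth->doff * 4` is the usual measure, and the `/* Calculate payload size?? */` comment should state what the value is used for rather than question it. The enclosing function starts and ends outside the hunks.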
xtables-addons-1.37.tar.bz2/xtables-addons.8.in
@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "v1.36 (2011-06-03)" "" "v1.36 (2011-06-03)"
+.TH xtables-addons 8 "v1.37 (2011-06-25)" "" "v1.37 (2011-06-25)"
.SH Name
Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
.SH Targets