Changes - j0ke.net Open Build Service

Changes of Revision 26

[-] [+]	Changed	xtables-addons.spec
@@ -1,6 +1,6 @@ Name: xtables-addons -Version: 1.36 +Version: 1.37 Release: 1 Group: Productivity/Networking/Security Summary: IP Packet Filter Administration Extensions @@ -61,6 +61,9 @@ %{_libdir}/xtables-addons/xt_geoip_dl %changelog +* Sat Jul 30 2011 Carsten Schoene <cs@linux-administrator.com> - 1.37-1 +- update to release 1.37 + * Tue Jun 07 2011 Carsten Schoene <cs@linux-administrator.com> - 1.36-1 - update to release 1.36
[-] [+]	Changed	xtables-addons-1.37.tar.bz2/configure ^
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for xtables-addons 1.36. +# Generated by GNU Autoconf 2.68 for xtables-addons 1.37. # # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -706,8 +706,8 @@ # Identity of this package. PACKAGE_NAME='xtables-addons' PACKAGE_TARNAME='xtables-addons' -PACKAGE_VERSION='1.36' -PACKAGE_STRING='xtables-addons 1.36' +PACKAGE_VERSION='1.37' +PACKAGE_STRING='xtables-addons 1.37' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1441,7 +1441,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures xtables-addons 1.36 to adapt to many kinds of systems. +\`configure' configures xtables-addons 1.37 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1511,7 +1511,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short \| recursive ) echo "Configuration of xtables-addons 1.36:";; + short \| recursive ) echo "Configuration of xtables-addons 1.37:";; esac cat <<\_ACEOF @@ -1628,7 +1628,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -xtables-addons configure 1.36 +xtables-addons configure 1.37 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -1993,7 +1993,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by xtables-addons $as_me 1.36, which was +It was created by xtables-addons $as_me 1.37, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -2811,7 +2811,7 @@ # Define the identity of the package. PACKAGE='xtables-addons' - VERSION='1.36' + VERSION='1.37' cat >>confdefs.h <<_ACEOF @@ -10909,7 +10909,7 @@ if test -n "$kbuilddir"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel version that we will build against" >&5 $as_echo_n "checking kernel version that we will build against... " >&6; } - krel="$(make -sC "$kbuilddir" M=. kernelrelease)"; + krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease)"; kmajor="${krel%%[^0-9]*}"; kmajor="$(($kmajor+0))"; krel="${krel:${#kmajor}}"; @@ -10932,7 +10932,7 @@ echo "WARNING: You are trying a newer kernel. Results may vary. :-)"; elif test "$kmajor" -eq 3; then :; - elif test "$kmajor" -eq 2 -a "$kminor" -ge 29; then + elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29; then :; else echo "WARNING: That kernel version is not supported."; @@ -11480,7 +11480,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by xtables-addons $as_me 1.36, which was +This file was extended by xtables-addons $as_me 1.37, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -11546,7 +11546,7 @@ cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -xtables-addons config.status 1.36 +xtables-addons config.status 1.37 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\"
[-] [+]	Changed	xtables-addons-1.37.tar.bz2/configure.ac ^
@@ -1,5 +1,4 @@ - -AC_INIT([xtables-addons], [1.36]) +AC_INIT([xtables-addons], [1.37]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) AC_PROG_INSTALL @@ -42,7 +41,7 @@ if test -n "$kbuilddir"; then AC_MSG_CHECKING([kernel version that we will build against]) - krel="$(make -sC "$kbuilddir" M=. kernelrelease)"; + krel="$(make -sC "$kbuilddir" M=$PWD kernelrelease)"; kmajor="${krel%%[[^0-9]]*}"; kmajor="$(($kmajor+0))"; krel="${krel:${#kmajor}}"; @@ -65,7 +64,7 @@ echo "WARNING: You are trying a newer kernel. Results may vary. :-)"; elif test "$kmajor" -eq 3; then :; - elif test "$kmajor" -eq 2 -a "$kminor" -ge 29; then + elif test "$kmajor" -eq 2 -a "$kminor" -eq 6 -a "$kmicro" -ge 29; then :; else echo "WARNING: That kernel version is not supported.";
[-] [+]	Changed	xtables-addons-1.37.tar.bz2/doc/changelog.txt ^
@@ -3,6 +3,14 @@ ==== +v1.37 (2011-06-25) +================== +Fixes: +- xt_SYSRQ: make IPv6 trigger work again +- xt_SYSRQ: improve security: include host address in digest +- xt_TARPIT: fix a kernel oops in --reset mode + + v1.36 (2011-06-03) ================== Changes:
[-] [+]	Changed	xtables-addons-1.37.tar.bz2/extensions/libxt_SYSRQ.man ^
@@ -36,6 +36,8 @@ .IP echo \-n "password" >/sys/module/xt_SYSRQ/parameters/password .PP +The module will not respond to sysrq requests until a password has been set. +.PP Alternatively, the password may be specified at modprobe time, but this is insecure as people can possible see it through ps(1). You can use an option line in e.g. /etc/modprobe.d/xt_sysrq if it is properly guarded, that is, only @@ -52,7 +54,7 @@ but the \fIdebug\fP module parameter can be used to find exactly why a seemingly correct request is not being processed. .PP -To trigger SYSRQ from a remote host, just use netcat or socat: +To trigger SYSRQ from a remote host, just use socat: .PP .nf sysrq_key="s" # the SysRq key(s) @@ -60,12 +62,11 @@ seqno="$(date +%s)" salt="$(dd bs=12 count=1 if=/dev/urandom 2>/dev/null \| openssl enc \-base64)" +ipaddr=10.10.25.7 req="$sysrq_key,$seqno,$salt" -req="$req,$(echo \-n "$req,$password" \| sha1sum \| cut \-c1\-40)" +req="$req,$(echo \-n "$req,$ipaddr,$password" \| sha1sum \| cut \-c1\-40)" -echo "$req" \| socat stdin udp\-sendto:10.10.25.7:9 -# or -echo "$req" \| netcat \-uw1 10.10.25.7 9 +echo "$req" \| socat stdin udp\-sendto:$ipaddr:9 .fi .PP See the Linux docs for possible sysrq keys. Important ones are: re(b)oot, @@ -73,8 +74,10 @@ sysrq key can be used at once, but bear in mind that, for example, a sync may not complete before a subsequent reboot or poweroff. .PP +An IPv4 address should have no leading zeros, an IPv6 address should +be in the form recommended by RFC 5952. The debug option will log the +correct form of the address. +.PP The hashing scheme should be enough to prevent mis-use of SYSRQ in many environments, but it is not perfect: take reasonable precautions to -protect your machines. Most importantly ensure that each machine has a -different password; there is scant protection for a SYSRQ packet being -applied to a machine that happens to have the same password. +protect your machines.
[-] [+]	Changed	xtables-addons-1.37.tar.bz2/extensions/xt_SYSRQ.c ^
@@ -4,6 +4,8 @@ * * Based upon the ipt_SYSRQ idea by Marek Zalem <marek [at] terminus sk> * + * Security additions John Haxby <john.haxby [at] oracle com> + * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * version 2 or 3 as published by the Free Software Foundation. @@ -58,13 +60,13 @@ * is a series of sysrq requests; <seqno> is a sequence number that must be * greater than the last sequence number; <salt> is some random bytes; and * <hash> is the hash of everything up to and including the preceding "," - * together with the password. + * together with "<dstaddr>,<password>". * * For example * * salt=$RANDOM * req="s,$(date +%s),$salt" - * echo "$req,$(echo -n $req,secret \| sha1sum \| cut -c1-40)" + * echo "$req,$(echo -n $req,10.10.25.1,secret \| sha1sum \| cut -c1-40)" * * You will want a better salt and password than that though :-) / @@ -121,7 +123,6 @@ sg_init_table(sg, 2); #endif sg_set_buf(&sg[0], data, n); - strcpy(sysrq_digest_password, sysrq_password); i = strlen(sysrq_digest_password); sg_set_buf(&sg[1], sysrq_digest_password, i); ret = crypto_hash_digest(&desc, sg, n + i, sysrq_digest); @@ -223,6 +224,8 @@ ": " NIPQUAD_FMT ":%u -> :%u len=%u\n", NIPQUAD(iph->saddr), htons(udph->source), htons(udph->dest), len); + sprintf(sysrq_digest_password, NIPQUAD_FMT ",%s", + NIPQUAD(iph->daddr), sysrq_password); return sysrq_tg((void )udph + sizeof(struct udphdr), len); } @@ -253,7 +256,9 @@ ": " NIP6_FMT ":%hu -> :%hu len=%u\n", NIP6(iph->saddr), ntohs(udph->source), ntohs(udph->dest), len); - return sysrq_tg(udph + sizeof(struct udphdr), len); + sprintf(sysrq_digest_password, NIP6_FMT ",%s", + NIP6(iph->daddr), sysrq_password); + return sysrq_tg((void )udph + sizeof(struct udphdr), len); } #endif @@ -340,7 +345,9 @@ sysrq_hexdigest = kmalloc(2 sysrq_digest_size + 1, GFP_KERNEL); if (sysrq_hexdigest == NULL) goto fail; - sysrq_digest_password = kmalloc(sizeof(sysrq_password), GFP_KERNEL); + sysrq_digest_password = + kmalloc(sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255") + + sizeof(sysrq_password), GFP_KERNEL); if (sysrq_digest_password == NULL) goto fail; do_gettimeofday(&now); @@ -376,6 +383,7 @@ module_exit(sysrq_tg_exit); MODULE_DESCRIPTION("Xtables: triggering SYSRQ remotely"); MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>"); +MODULE_AUTHOR("John Haxby <john.haxby@oracle.com"); MODULE_LICENSE("GPL"); MODULE_ALIAS("ipt_SYSRQ"); MODULE_ALIAS("ip6t_SYSRQ");
[-] [+]	Changed	xtables-addons-1.37.tar.bz2/extensions/xt_TARPIT.c ^
@@ -58,7 +58,7 @@ struct sk_buff nskb; const struct iphdr oldhdr; struct iphdr niph; - u_int16_t tmp; + uint16_t tmp, payload; / A truncated TCP header is not going to be useful / if (oldskb->len < ip_hdrlen(oldskb) + sizeof(struct tcphdr)) @@ -69,29 +69,6 @@ if (oth == NULL) return; - if (mode == XTTARPIT_TARPIT) { - / No replies for RST, FIN or !SYN,!ACK / - if (oth->rst \|\| oth->fin \|\| (!oth->syn && !oth->ack)) - return; -#if 0 - / Rate-limit replies to !SYN,ACKs / - if (!oth->syn && oth->ack) - if (!xrlim_allow(rt_dst(ort), HZ)) - return; -#endif - } else if (mode == XTTARPIT_HONEYPOT) { - / Do not answer any resets regardless of combination / - if (oth->rst \|\| oth->seq == 0xDEADBEEF) - return; - } else if (mode == XTTARPIT_RESET) { - tcph->window = 0; - tcph->ack = false; - tcph->syn = false; - tcph->rst = true; - tcph->seq = oth->ack_seq; - tcph->ack_seq = oth->seq; - } - / Check checksum. / if (nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), IPPROTO_TCP)) return; @@ -127,6 +104,9 @@ tcph->source = tcph->dest; tcph->dest = tmp; + / Calculate payload size?? / + payload = nskb->len - ip_hdrlen(nskb) - sizeof(struct tcphdr); + / Truncate to length (no data) / tcph->doff = sizeof(struct tcphdr) / 4; skb_trim(nskb, ip_hdrlen(nskb) + sizeof(struct tcphdr)); @@ -136,7 +116,9 @@ ((u_int8_t )tcph)[13] = 0; if (mode == XTTARPIT_TARPIT) { - /* Use supplied sequence number or make a new one / + / No replies for RST, FIN or !SYN,!ACK / + if (oth->rst \|\| oth->fin \|\| (!oth->syn && !oth->ack)) + return; tcph->seq = oth->ack ? oth->ack_seq : 0; / Our SYN-ACKs must have a >0 window / @@ -149,7 +131,16 @@ tcph->ack = true; tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn); } +#if 0 + / Rate-limit replies to !SYN,ACKs / + if (!oth->syn && oth->ack) + if (!xrlim_allow(rt_dst(ort), HZ)) + return; +#endif } else if (mode == XTTARPIT_HONEYPOT) { + / Do not answer any resets regardless of combination / + if (oth->rst \|\| oth->seq == 0xDEADBEEF) + return; / Send a reset to scanners. They like that. / if (oth->syn && oth->ack) { tcph->window = 0; @@ -159,23 +150,29 @@ tcph->seq = oth->ack_seq; tcph->rst = true; } + / SYN > SYN-ACK / if (oth->syn && !oth->ack) { tcph->syn = true; tcph->ack = true; - tcph->window = oth->window; - tcph->ack_seq = oth->seq; - tcph->seq = htonl(net_random() \| ~oth->seq); + tcph->window = oth->window & + ((net_random() & 0x1f) - 0xf); + tcph->seq = htonl(net_random() & ~oth->seq); + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn); } + / ACK > ACK / - if (oth->ack && !oth->fin && !oth->syn) { + if (oth->ack && (!(oth->fin \|\| oth->syn))) { tcph->syn = false; tcph->ack = true; tcph->window = oth->window & ((net_random() & 0x1f) - 0xf); - tcph->ack_seq = htonl(ntohl(oth->seq) + 1); + tcph->ack_seq = payload > 100 ? + htonl(ntohl(oth->seq) + payload) : + oth->seq; tcph->seq = oth->ack_seq; } + / * FIN > RST. * We cannot terminate gracefully so just be abrupt. @@ -188,6 +185,13 @@ tcph->ack = false; tcph->rst = true; } + } else if (mode == XTTARPIT_RESET) { + tcph->window = 0; + tcph->ack = false; + tcph->syn = false; + tcph->rst = true; + tcph->seq = oth->ack_seq; + tcph->ack_seq = oth->seq; } /* Adjust TCP checksum / @@ -204,7 +208,7 @@ / Set DF, id = 0 / niph->frag_off = htons(IP_DF); - if (mode == XTTARPIT_TARPIT) + if (mode == XTTARPIT_TARPIT \|\| mode == XTTARPIT_RESET) niph->id = 0; else if (mode == XTTARPIT_HONEYPOT) niph->id = ~oldhdr->id + 1; @@ -225,7 +229,10 @@ nskb->ip_summed = CHECKSUM_NONE; / Adjust IP TTL / - niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT); + if (mode == XTTARPIT_HONEYPOT) + niph->ttl = 128; + else + niph->ttl = dst_metric(skb_dst(nskb), RTAX_HOPLIMIT); / Adjust IP checksum */ niph->check = 0;
[-] [+]	Changed	xtables-addons-1.37.tar.bz2/xtables-addons.8.in ^
@@ -1,4 +1,4 @@ -.TH xtables-addons 8 "v1.36 (2011-06-03)" "" "v1.36 (2011-06-03)" +.TH xtables-addons 8 "v1.37 (2011-06-25)" "" "v1.37 (2011-06-25)" .SH Name Xtables-addons \(em additional extensions for iptables, ip6tables, etc. .SH Targets