@@ -10,6 +10,7 @@ obj-${build_CHAOS} += xt_CHAOS.o
obj-${build_DELUDE} += xt_DELUDE.o
obj-${build_DHCPMAC} += xt_DHCPMAC.o
obj-${build_DNETMAP} += xt_DNETMAP.o
+obj-${build_XOR} += xt_XOR.o
ifeq (${VERSION},3)
obj-${build_ECHO} += xt_ECHO.o
endif
@@ -5,6 +5,7 @@ obj-${build_CHAOS} += libxt_CHAOS.so
obj-${build_DELUDE} += libxt_DELUDE.so
obj-${build_DHCPMAC} += libxt_DHCPMAC.so libxt_dhcpmac.so
obj-${build_DNETMAP} += libxt_DNETMAP.so
+obj-${build_XOR} += libxt_XOR.so
obj-${build_ECHO} += libxt_ECHO.so
obj-${build_IPMARK} += libxt_IPMARK.so
obj-${build_LOGMARK} += libxt_LOGMARK.so
new file mode 100644
@@ -0,0 +1,110 @@
+/*
+ * "XOR" target extension for xtables-addons
+ * Copyright © Andrew Smith, 2014
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License; either
+ * version 2 of the License, or any later version, as published by the
+ * Free Software Foundation.
+ */
+#include <netinet/in.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include "xt_XOR.h"
+#include "compat_user.h"
+
+enum {
+ FLAGS_KEY = 1 << 0,
+ FLAGS_BLOCK = 1 << 1,
+};
+
+static const struct option xor_opts[] = {
+ {.name = "key", .has_arg = true, .val = 'k'},
+ {.name = "block-size", .has_arg = true, .val ='b'},
+ {},
+};
+
+static void xor_help(void)
+{
+ printf(
+ "XOR target options:\n"
+ " --key <string>\n"
+ " --block-size <size>\n"
+ );
+}
+
+static int
+xor_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_xor_info *info = (void *)(*target)->data;
+ unsigned long v;
+
+ switch (c) {
+ case 'k':
+ if (strlen(optarg) > sizeof(info->key))
+ xtables_error(PARAMETER_PROBLEM, "XOR: Maximum key size is
%zu",sizeof(info->key));
+ strncpy(info->key, optarg, sizeof(info->key));
+ *flags |= FLAGS_KEY;
+ return true;
+ case 'b':
+ if (!xtables_strtoul(optarg, NULL, &v, 1, 5))
+ xtables_param_act(XTF_BAD_VALUE, "XOR",
+ "--block-size", optarg);
+ info->block_size = v;
+ *flags |= FLAGS_BLOCK;
+ return true;
+ }
+ return false;
+}
+static void xor_check(unsigned int flags)
+{
+ if (!(flags & FLAGS_KEY))
+ xtables_error(PARAMETER_PROBLEM, "XOR: "
+ "\"--key\" is required.");
+ if (!(flags & FLAGS_BLOCK))
+ xtables_error(PARAMETER_PROBLEM, "XOR: "
+ "\"--block-size\" is required.");
+}
+
+static void
+xor_print(const void *entry, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_xor_info *info = (const void *)target->data;
+ printf(" --key %s --block-size %d ",info->key, info->block_size);
+}
+
+static void
+xor_save(const void *entry, const struct xt_entry_target *target)
+{
+ const struct xt_xor_info *info = (const void *)target->data;
+ printf(" --key %s --block-size %d ",info->key, info->block_size);
+}
+
+static struct xtables_target xor_reg[] = {
+ {
+ .version = XTABLES_VERSION,
+ .name = "XOR",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_xor_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_xor_info)),
+ .help = xor_help,
+ .parse = xor_parse,
+ .final_check = xor_check,
+ .print = xor_print,
+ .save = xor_save,
+ .extra_opts = xor_opts,
+ },
+};
+
+static void _init(void)
+{
+ xtables_register_targets(xor_reg,
+ sizeof(xor_reg) / sizeof(*xor_reg));
+}
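Review bot: The `--key` length test `if (strlen(optarg) > sizeof(info->key))` in xor_parse is off by one: a 30-character key is accepted, `strncpy` then fills all 30 bytes of `info->key` with no terminator, and both `xor_print`/`xor_save` (`%s`) and the kernel side's `strcmp`/`info->key[j] == 0x00` wrap test read past the array into `block_size` and whatever follows the rule blob. Change the check to `if (strlen(optarg) >= sizeof(info->key))` and the copy to `strcpy(info->key, optarg);` (or keep `strncpy` and add `info->key[sizeof(info->key) - 1] = '\0';`), and report the real limit, 29, in the error message. `xor_save` also writes the key unquoted, so a key containing whitespace or shell-special characters yields a dump that `iptables-restore` cannot read back; libxtables' `xtables_save_string()` (used by libxt_comment) does the quoting if the targeted libxtables provides it. A `--key` with embedded `"` or a leading `-` would hit the same problem, so it is worth a line in xor_help saying which characters are accepted.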
new file mode 100644
@@ -0,0 +1,47 @@
+The XOR target enables the user to encrypt TCP and UDP traffic using
a simple xor encryption.
+.PP
+Usage:
+.PP
+XOR takes two mandatory parameters
+.TP
+\fB\-\-key\fR \fIkeyvalue\fR
+where \fIkeyvalue\fR is a set of characters used in turn to xor with
packet payloads.
+.TP
+\fB\-\-block\-size\fR \fIblocksize\fR
+where \fIblocksize\fR indicates the run-count in the payload of bytes
to be encrypted before using the next character of the key.
+.PP
+Example use to use this target between hosts 1.2.3.5 and 1.2.3.4.
+.PP
+(on host A, 1.2.3.4)
+.br
+iptables \-t mangle \-A OUTPUT -d 1.2.3.5 \-j XOR \-\-key somekey
\-\-block\-size 3
+.br
+iptables \-t mangle \-A INPUT -s 1.2.3.4 \-j XOR \-\-key somekey
\-\-block\-size 3
+.PP
+iptables \-t mangle \-L
+.br
+Chain OUTPUT (policy ACCEPT)
+.br
+target prot opt source destination
+.br
+XOR all \-\- anywhere 1.2.3.5 key:
somekey block\-size: 3
+.br
+XOR all \-\- 1.2.3.5 anywhere key:
somekey block\-size: 3
+.PP
+(on host B, 1.2.3.5)
+.br
+iptables \-t mangle \-A OUTPUT \-d 1.2.3.4 \-j XOR \-\-key somekey
\-\-block\-size 3
+.br
+iptables \-t mangle \-A INPUT \-s 1.2.3.5 \-j XOR \-\-key somekey
\-\-block\-size 3
+.PP
+iptables \-t mangle \-L
+.br
+Chain OUTPUT (policy ACCEPT)
+.br
+target prot opt source destination
+.br
+XOR all \-\- anywhere 1.2.3.4 key:
somekey block\-size: 3
+.br
+XOR all \-\- 1.2.3.4 anywhere key:
somekey block\-size: 3
+.PP
+xtables\-addons implementation by Andrew Smith
<andrew.smith@appsense.com>, based upon the original module by Tim
Vandermeersch <Tim.Vandermeersch@pandora.be>
new file mode 100644
@@ -0,0 +1,126 @@
+/* XOR target for xtables-addons
+ * original iptables implementation
+ * (C) 2000 by Tim Vandermeersch <Tim.Vandermeersch@pandora.be>
+ * Based on ipt_TTL.c
+ *
+ * xtables implementation
+ * (C) 2014 by Andrew Smith <andrew.smith@appsense.com>
+ * Version 1.1
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <net/tcp.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
+#include "compat_xtables.h"
+#include "xt_XOR.h"
+
+MODULE_AUTHOR("Andrew Smith <andrew.smith@appsense.com>");
+MODULE_DESCRIPTION("IP tables XOR module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_XOR");
+
+static unsigned int
+xt_xor_target(struct sk_buff *pskb, const struct xt_action_param *par)
+{
+ const struct xt_xor_info *info = par->targinfo;
+ struct iphdr *iph;
+ /* To avoid warnings */
+ struct tcphdr *tcph = 0;
+ struct udphdr *udph = 0;
+ int i, j, k;
+ char *buf_pos;
+ int data_len;
+
+ iph = ip_hdr(pskb);
+ /* All of the packet please */
+ if (!skb_make_writable(pskb, ntohs(iph->tot_len)))
+ return NF_DROP;
+
+ /* Writable = new pointers */
+ iph = ip_hdr(pskb);
+ /* Beginning of the packet */
+ buf_pos = pskb->data;
+ /* Advance over the ip header */
+ buf_pos += iph->ihl*4;
+
+ /* Set up lengths and data positioning */
+ if (iph->protocol == IPPROTO_TCP) {
+ tcph = (struct tcphdr *) buf_pos;
+ buf_pos += tcph->doff*4;
+ data_len = ntohs(iph->tot_len) - iph->ihl*4 - tcph->doff*4;
+ } else if (iph->protocol == IPPROTO_UDP) {
+ udph = (struct udphdr *) buf_pos;
+ buf_pos += sizeof(struct udphdr);
+ data_len = ntohs(udph->len)-8;
+ } else {
+ /* If for some reason we it's not UDP or TCP let another layer handle */
+ return XT_CONTINUE;
+ }
+ /* Apply the key */
+ for (i=0, j=0; i<data_len; ) {
+ for (k=0; k<=info->block_size && i<data_len; k++) {
+ buf_pos[i] ^= info->key[j];
+ i++;
+ }
+ j++;
+ if (info->key[j] == 0x00)
+ j = 0;
+ }
+ return XT_CONTINUE;
+}
+
+static int xt_xor_checkentry(const struct xt_tgchk_param *par)
+{
+ const struct xt_xor_info *info = par->targinfo;
+
+ if (strcmp(par->table, "mangle")) {
+ printk(KERN_WARNING "XOR: can only be called from"
+ "\"mangle\" table, not \"%s\"\n", par->table);
+ return -EINVAL;
+ }
+
+ if (!strcmp(info->key, "")) {
+ printk(KERN_WARNING "XOR: You must specify a key");
+ return -EINVAL;
+ }
+
+ if (info->block_size == 0) {
+ printk(KERN_WARNING "XOR: You must specify a block-size");
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static struct xt_target xt_xor = {
+ .name = "XOR",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .table = "mangle",
+ .target = xt_xor_target,
+ .targetsize = sizeof(struct xt_xor_info),
+ .checkentry = xt_xor_checkentry,
+ .me = THIS_MODULE,
+};
+
+static int __init xor_tg_init(void)
+{
+ return xt_register_target(&xt_xor);
+}
+
+static void __exit xor_target_exit(void)
+{
+ xt_unregister_target(&xt_xor);
+}
+
+module_init(xor_tg_init);
+module_exit(xor_target_exit);
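Review bot: In the UDP branch of xt_xor_target, `data_len = ntohs(udph->len)-8` is taken straight from the packet and never bounded by `iph->tot_len`, so a datagram whose UDP length field exceeds the IP payload makes the XOR loop write past the region `skb_make_writable()` made writable; as far as I can tell the stack has not validated that field yet at the mangle INPUT hook, so this looks remotely triggerable. The same function trusts `iph->ihl` and `tcph->doff` without checking that the headers fit inside `tot_len`, and runs on every fragment although only the first one carries a transport header, so non-first fragments get their data treated as a TCP/UDP header. Since `info->key` arrives from userspace, xt_xor_checkentry should also reject an unterminated key with `if (memchr(info->key, '\0', sizeof(info->key)) == NULL) return -EINVAL;`, otherwise `strcmp` and the `info->key[j] == 0x00` test read past the 30-byte array. Separately, the payload is rewritten but no L4 checksum is touched (`<net/checksum.h>` is included but unused), which presumably breaks an OUTPUT skb with CHECKSUM_PARTIAL because the NIC checksums the obfuscated bytes and the peer's reverse XOR then fails validation; and `k<=info->block_size` applies block_size+1 bytes per key byte, which disagrees with the man page wording. The length handling below (new locals `unsigned int ip_len, hdr_len`, and `data_len` made `unsigned int`) closes the out-of-bounds write.
```c
	iph = ip_hdr(pskb);
	/* Non-first fragments carry no transport header; leave them alone. */
	if (iph->frag_off & htons(IP_OFFSET))
		return XT_CONTINUE;
	ip_len = ntohs(iph->tot_len);
	hdr_len = iph->ihl * 4;
	if (iph->ihl < 5 || ip_len > pskb->len || hdr_len > ip_len)
		return NF_DROP;
	/* … unchanged: skb_make_writable(), re-fetch iph, buf_pos = start of L4 header … */
	if (iph->protocol == IPPROTO_TCP) {
		if (hdr_len + sizeof(struct tcphdr) > ip_len)
			return NF_DROP;
		tcph = (struct tcphdr *)buf_pos;
		if (tcph->doff < 5 || hdr_len + tcph->doff * 4 > ip_len)
			return NF_DROP;
		buf_pos += tcph->doff * 4;
		data_len = ip_len - hdr_len - tcph->doff * 4;
	} else if (iph->protocol == IPPROTO_UDP) {
		if (hdr_len + sizeof(struct udphdr) > ip_len)
			return NF_DROP;
		udph = (struct udphdr *)buf_pos;
		/* udph->len comes off the wire: bound it by the IP payload, never trust it. */
		if (ntohs(udph->len) < sizeof(struct udphdr) ||
		    hdr_len + ntohs(udph->len) > ip_len)
			return NF_DROP;
		buf_pos += sizeof(struct udphdr);
		data_len = ntohs(udph->len) - sizeof(struct udphdr);
	}
	/* … unchanged: key application loop … */
```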
new file mode 100644
@@ -0,0 +1,9 @@
+#ifndef _XT_XOR_H
+#define _XT_XOR_H
+
+struct xt_xor_info {
+ char key[30];
+ u_int8_t block_size;
+};
+
+#endif /* _XT_XOR_H */
@@ -4,6 +4,7 @@ build_ACCOUNT=m
build_CHAOS=m
build_DELUDE=m
build_DHCPMAC=m
+build_XOR=m
build_DNETMAP=m
build_ECHO=m
build_IPMARK=m
And the same change as a diff against the 1.47.1 tag:
@@ -9,6 +9,7 @@ obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += xt_CHAOS.o
obj-${build_CHECKSUM} += xt_CHECKSUM.o
obj-${build_DELUDE} += xt_DELUDE.o
+obj-${build_XOR} += xt_XOR.o
obj-${build_DHCPMAC} += xt_DHCPMAC.o
obj-${build_DNETMAP} += xt_DNETMAP.o
ifeq (${VERSION},3)
@@ -4,6 +4,7 @@ obj-${build_ACCOUNT} += ACCOUNT/
obj-${build_CHAOS} += libxt_CHAOS.so
obj-${build_CHECKSUM} += libxt_CHECKSUM.so
obj-${build_DELUDE} += libxt_DELUDE.so
+obj-${build_XOR} += libxt_XOR.so
obj-${build_DHCPMAC} += libxt_DHCPMAC.so libxt_dhcpmac.so
obj-${build_DNETMAP} += libxt_DNETMAP.so
obj-${build_ECHO} += libxt_ECHO.so
new file mode 100644
@@ -0,0 +1,110 @@
+/*
+ * "XOR" target extension for xtables-addons
+ * Copyright © Andrew Smith, 2014
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License; either
+ * version 2 of the License, or any later version, as published by the
+ * Free Software Foundation.
+ */
+#include <netinet/in.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include "xt_XOR.h"
+#include "compat_user.h"
+
+enum {
+ FLAGS_KEY = 1 << 0,
+ FLAGS_BLOCK = 1 << 1,
+};
+
+static const struct option xor_opts[] = {
+ {.name = "key", .has_arg = true, .val = 'k'},
+ {.name = "block-size", .has_arg = true, .val ='b'},
+ {},
+};
+
+static void xor_help(void)
+{
+ printf(
+ "XOR target options:\n"
+ " --key <string>\n"
+ " --block-size <size>\n"
+ );
+}
+
+static int
+xor_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_xor_info *info = (void *)(*target)->data;
+ unsigned long v;
+
+ switch (c) {
+ case 'k':
+ if (strlen(optarg) > sizeof(info->key))
+ xtables_error(PARAMETER_PROBLEM, "XOR: Maximum key size is
%zu",sizeof(info->key));
+ strncpy(info->key, optarg, sizeof(info->key));
+ *flags |= FLAGS_KEY;
+ return true;
+ case 'b':
+ if (!xtables_strtoul(optarg, NULL, &v, 1, 5))
+ xtables_param_act(XTF_BAD_VALUE, "XOR",
+ "--block-size", optarg);
+ info->block_size = v;
+ *flags |= FLAGS_BLOCK;
+ return true;
+ }
+ return false;
+}
+static void xor_check(unsigned int flags)
+{
+ if (!(flags & FLAGS_KEY))
+ xtables_error(PARAMETER_PROBLEM, "XOR: "
+ "\"--key\" is required.");
+ if (!(flags & FLAGS_BLOCK))
+ xtables_error(PARAMETER_PROBLEM, "XOR: "
+ "\"--block-size\" is required.");
+}
+
+static void
+xor_print(const void *entry, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_xor_info *info = (const void *)target->data;
+ printf(" --key %s --block-size %d ",info->key, info->block_size);
+}
+
+static void
+xor_save(const void *entry, const struct xt_entry_target *target)
+{
+ const struct xt_xor_info *info = (const void *)target->data;
+ printf(" --key %s --block-size %d ",info->key, info->block_size);
+}
+
+static struct xtables_target xor_reg[] = {
+ {
+ .version = XTABLES_VERSION,
+ .name = "XOR",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_xor_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_xor_info)),
+ .help = xor_help,
+ .parse = xor_parse,
+ .final_check = xor_check,
+ .print = xor_print,
+ .save = xor_save,
+ .extra_opts = xor_opts,
+ },
+};
+
+static void _init(void)
+{
+ xtables_register_targets(xor_reg,
+ sizeof(xor_reg) / sizeof(*xor_reg));
+}
new file mode 100644
@@ -0,0 +1,47 @@
+The XOR target enables the user to encrypt TCP and UDP traffic using
a simple xor encryption.
+.PP
+Usage:
+.PP
+XOR takes two mandatory parameters
+.TP
+\fB\-\-key\fR \fIkeyvalue\fR
+where \fIkeyvalue\fR is a set of characters used in turn to xor with
packet payloads.
+.TP
+\fB\-\-block\-size\fR \fIblocksize\fR
+where \fIblocksize\fR indicates the run-count in the payload of bytes
to be encrypted before using the next character of the key.
+.PP
+Example use to use this target between hosts 1.2.3.5 and 1.2.3.4.
+.PP
+(on host A, 1.2.3.4)
+.br
+iptables \-t mangle \-A OUTPUT -d 1.2.3.5 \-j XOR \-\-key somekey
\-\-block\-size 3
+.br
+iptables \-t mangle \-A INPUT -s 1.2.3.4 \-j XOR \-\-key somekey
\-\-block\-size 3
+.PP
+iptables \-t mangle \-L
+.br
+Chain OUTPUT (policy ACCEPT)
+.br
+target prot opt source destination
+.br
+XOR all \-\- anywhere 1.2.3.5 key:
somekey block\-size: 3
+.br
+XOR all \-\- 1.2.3.5 anywhere key:
somekey block\-size: 3
+.PP
+(on host B, 1.2.3.5)
+.br
+iptables \-t mangle \-A OUTPUT \-d 1.2.3.4 \-j XOR \-\-key somekey
\-\-block\-size 3
+.br
+iptables \-t mangle \-A INPUT \-s 1.2.3.5 \-j XOR \-\-key somekey
\-\-block\-size 3
+.PP
+iptables \-t mangle \-L
+.br
+Chain OUTPUT (policy ACCEPT)
+.br
+target prot opt source destination
+.br
+XOR all \-\- anywhere 1.2.3.4 key:
somekey block\-size: 3
+.br
+XOR all \-\- 1.2.3.4 anywhere key:
somekey block\-size: 3
+.PP
+xtables\-addons implementation by Andrew Smith
<andrew.smith@appsense.com>, based upon the original module by Tim
Vandermeersch <Tim.Vandermeersch@pandora.be>
new file mode 100644
@@ -0,0 +1,126 @@
+/* XOR target for xtables-addons
+ * original iptables implementation
+ * (C) 2000 by Tim Vandermeersch <Tim.Vandermeersch@pandora.be>
+ * Based on ipt_TTL.c
+ *
+ * xtables implementation
+ * (C) 2014 by Andrew Smith <andrew.smith@appsense.com>
+ * Version 1.1
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <net/tcp.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
+#include "compat_xtables.h"
+#include "xt_XOR.h"
+
+MODULE_AUTHOR("Andrew Smith <andrew.smith@appsense.com>");
+MODULE_DESCRIPTION("IP tables XOR module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_XOR");
+
+static unsigned int
+xt_xor_target(struct sk_buff **pskb, const struct xt_action_param *par)
+{
+ const struct xt_xor_info *info = par->targinfo;
+ struct iphdr *iph;
+ /* To avoid warnings */
+ struct tcphdr *tcph = 0;
+ struct udphdr *udph = 0;
+ int i, j, k;
+ char *buf_pos;
+ int data_len;
+
+ iph = ip_hdr(*pskb);
+ /* All of the packet please */
+ if (!skb_make_writable(pskb, ntohs(iph->tot_len)))
+ return NF_DROP;
+
+ /* Writable = new pointers */
+ iph = ip_hdr(*pskb);
+ /* Beginning of the packet */
+ buf_pos = (*pskb)->data;
+ /* Advance over the ip header */
+ buf_pos += iph->ihl*4;
+
+ /* Set up lengths and data positioning */
+ if (iph->protocol == IPPROTO_TCP) {
+ tcph = (struct tcphdr *) buf_pos;
+ buf_pos += tcph->doff*4;
+ data_len = ntohs(iph->tot_len) - iph->ihl*4 - tcph->doff*4;
+ } else if (iph->protocol == IPPROTO_UDP) {
+ udph = (struct udphdr *) buf_pos;
+ buf_pos += sizeof(struct udphdr);
+ data_len = ntohs(udph->len)-8;
+ } else {
+ /* If for some reason we it's not UDP or TCP let another layer handle */
+ return XT_CONTINUE;
+ }
+ /* Apply the key */
+ for (i=0, j=0; i<data_len; ) {
+ for (k=0; k<=info->block_size && i<data_len; k++) {
+ buf_pos[i] ^= info->key[j];
+ i++;
+ }
+ j++;
+ if (info->key[j] == 0x00)
+ j = 0;
+ }
+ return XT_CONTINUE;
+}
+
+static int xt_xor_checkentry(const struct xt_tgchk_param *par)
+{
+ const struct xt_xor_info *info = par->targinfo;
+
+ if (strcmp(par->table, "mangle")) {
+ printk(KERN_WARNING "XOR: can only be called from"
+ "\"mangle\" table, not \"%s\"\n", par->table);
+ return -EINVAL;
+ }
+
+ if (!strcmp(info->key, "")) {
+ printk(KERN_WARNING "XOR: You must specify a key");
+ return -EINVAL;
+ }
+
+ if (info->block_size == 0) {
+ printk(KERN_WARNING "XOR: You must specify a block-size");
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static struct xt_target xt_xor = {
+ .name = "XOR",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .table = "mangle",
+ .target = xt_xor_target,
+ .targetsize = sizeof(struct xt_xor_info),
+ .checkentry = xt_xor_checkentry,
+ .me = THIS_MODULE,
+};
+
+static int __init xor_tg_init(void)
+{
+ return xt_register_target(&xt_xor);
+}
+
+static void __exit xor_target_exit(void)
+{
+ xt_unregister_target(&xt_xor);
+}
+
+module_init(xor_tg_init);
+module_exit(xor_target_exit);
new file mode 100644
@@ -0,0 +1,9 @@
+#ifndef _XT_XOR_H
+#define _XT_XOR_H
+
+struct xt_xor_info {
+ char key[30];
+ u_int8_t block_size;
+};
+
+#endif /* _XT_XOR_H */
@@ -4,6 +4,7 @@ build_ACCOUNT=m
build_CHAOS=m
build_CHECKSUM=
build_DELUDE=m
+build_XOR=m
build_DHCPMAC=m
build_DNETMAP=m
build_ECHO=m