Message ID | 6ba05a9b-e2ef-4c32-ab22-5e9e8440c91a@zeracles.net.ru |
---|---|
State | Not Applicable |
Delegated to: | Pablo Neira |
Well, unfortunately, you should disregard my previous message in the part about submitting it to xtables-addons ASAP.

While the modules compiled without errors, actually applying an iptables TARPIT rule results in a connection loss, the nature of which I unfortunately cannot describe at the moment (I was trying to apply the update to a remote server without KVM). It kind of looks like a kernel panic though: no messages are written to any logs after adding the TARPIT rule; the server just goes dead.

I guess more research is needed on the matter. I'll try to run some tests on a local machine and post the results.

Yours,
Alexander Petrenas.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tuesday 2015-06-23 13:17, Alexander Petrenas wrote:
> Well, unfortunately, you should disregard my previous message in the part about submitting it to xtables-addons ASAP.
>
> While the modules compiled without errors, actually applying an iptables TARPIT rule results in a connection loss, the nature of which I unfortunately cannot describe at the moment (I was trying to apply the update to a remote server without KVM). It kind of looks like a kernel panic though: no messages are written to any logs after adding the TARPIT rule; the server just goes dead.
>
> I guess more research is needed on the matter. I'll try to run some tests on a local machine and post the results.

Yeah, you need to also change dst_output to dst_output_sk. Don't just ignore compiler warnings!
--- xt_TARPIT.orig.c 2015-06-23 13:31:04.406533833 +0300 +++ xt_TARPIT.c 2015-06-23 13:24:03.103202214 +0300 @@ -250,7 +250,7 @@ #ifdef CONFIG_BRIDGE_NETFILTER if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL && - nskb->nf_bridge->mask & BRNF_BRIDGED)) + nskb->nf_bridge->physoutdev)) #else if (hook != NF_INET_FORWARD) #endif @@ -279,7 +279,7 @@ nf_ct_attach(nskb, oldskb); - NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL, + NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, NULL, nskb, NULL, skb_dst(nskb)->dev, dst_output); return; @@ -394,7 +394,7 @@ nf_ct_attach(nskb, oldskb); - NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL, + NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, NULL, nskb, NULL, skb_dst(nskb)->dev, dst_output); return; # diff -u xt_DELUDE.orig.c xt_DELUDE.c --- xt_DELUDE.orig.c 2015-06-23 13:30:57.166533864 +0300 +++ xt_DELUDE.c 2015-06-23 13:28:11.046534539 +0300 @@ -107,7 +107,7 @@ addr_type = RTN_UNSPEC; #ifdef CONFIG_BRIDGE_NETFILTER if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL && - nskb->nf_bridge->mask & BRNF_BRIDGED)) + nskb->nf_bridge->physoutdev)) #else if (hook != NF_INET_FORWARD) #endif
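Review bot: the bridge check in the first xt_TARPIT.c hunk (@@ -250) replaces the `nskb->nf_bridge->mask & BRNF_BRIDGED` test with `nskb->nf_bridge->physoutdev` unconditionally. Those are different predicates (a flag bit versus "a bridge output device is set"), so confirm they give the same answer for the FORWARD case this branch guards, and if the module is still meant to build against kernels whose `struct nf_bridge_info` has the `mask` field, wrap the new test in a `LINUX_VERSION_CODE` check instead of dropping the old one. The commit message should also name the kernel release that removed `BRNF_BRIDGED` so the substitution can be verified.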
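Review bot: the IPv4 `NF_HOOK` call in the @@ -279 hunk is only half-updated: a `NULL` socket argument is inserted, but the last argument is still `dst_output`. The reply in this thread already points out that the callback has to become `dst_output_sk`, and the compiler warning the author saw is exactly that signature mismatch; calling the old callback through the new hook is consistent with the server going dead the moment a TARPIT rule fires. Change the line to `skb_dst(nskb)->dev, dst_output_sk);` and build with warnings treated as errors before re-testing on a machine with console access.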
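Review bot: the IPv6 `NF_HOOK` in the @@ -394 hunk has the same defect as the IPv4 one: the `NULL` socket argument is added but `dst_output` is left as the callback. Apply the same `dst_output_sk` change here, and test the ip6tables path separately, since the report only describes an iptables (IPv4) rule.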
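Review bot: the xt_DELUDE.c hunk (@@ -107) makes the same `physoutdev` substitution as xt_TARPIT.c and needs the same version guard, but the diff for this file stops at the bridge check. If xt_DELUDE.c sends its reply through the same `NF_HOOK(..., dst_output)` call that xt_TARPIT.c does, it needs the socket argument and `dst_output_sk` update as well, or DELUDE will fail the same way TARPIT did. Also, the `# diff -u xt_DELUDE.orig.c xt_DELUDE.c` shell prompt line is embedded in the patch body; drop it so the patch applies cleanly.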