Kernel 4.1.0 broke the TARPIT & DELUDE targets in xtables-addons-2.6

Message ID 6ba05a9b-e2ef-4c32-ab22-5e9e8440c91a@zeracles.net.ru
State Not Applicable
Delegated to: Pablo Neira

Commit Message

Alexander Petrenas June 23, 2015, 10:44 a.m. UTC
Thanks a lot, that works like a charm!

Here are diff patches for your convenience. They probably should be submitted to xtables-addons ASAP, so people's firewalls can continue filtering & tarpitting instead of accepting...


# diff -u xt_TARPIT.orig.c xt_TARPIT.c

Yours, Alexander Petrenas.


> -----Original Message-----
> From: netfilter-devel-owner@vger.kernel.org [mailto:netfilter-devel-
> owner@vger.kernel.org] On Behalf Of Florian Westphal
> Sent: Tuesday, June 23, 2015 12:40 PM
> To: Alexander Petrenas
> Cc: netfilter-devel@vger.kernel.org
>
> > Netfilter changes in the recent 4.1.0 kernel update included removal of the BRNF_BRIDGED flag:
> >
> > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=40451fd013878b005ccae767dfebc07dfecf85d9
> >
> > Unfortunately, getting rid of the BRNF_BRIDGED flag broke the xtables-addons-2.6 package, which now fails to build the TARPIT & DELUDE targets with the following errors:
> >
> > xtables-addons-2.6/extensions/xt_TARPIT.c:253:30: error: ‘BRNF_BRIDGED’ undeclared (first use in this function)
> >       nskb->nf_bridge->mask & BRNF_BRIDGED))
> >                               ^
> >
> > xtables-addons-2.6/extensions/xt_TARPIT.c:282:2: error: too few arguments to function ‘NF_HOOK’
> >   NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
> >   ^
> 
> NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
> 
> > xtables-addons-2.6/extensions/xt_TARPIT.c:397:2: error: too few arguments to function ‘NF_HOOK’
> >   NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
> 
> NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
> 
> >
> > #ifdef CONFIG_BRIDGE_NETFILTER
> > 	if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
> > 	    nskb->nf_bridge->mask & BRNF_BRIDGED))
> > #else
> 
> if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
>     nskb->nf_bridge->physoutdev))


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Alexander Petrenas June 23, 2015, 11:17 a.m. UTC | #1
Well, unfortunately, you should disregard the previous message as far as submitting it to xtables-addons ASAP is concerned.

While modules compiled without errors, actually applying iptables TARPIT rule results in a connection loss, the nature of which I unfortunately cannot describe at the moment (was trying to apply the update to a remote server without KVM). It kind of looks like a kernel panic though - no messages are written to any logs after adding the TARPIT rule - the server just goes dead.

I guess more research is needed on the matter, I'll try to run some tests on a local machine & post the results.

Yours, Alexander Petrenas.

Jan Engelhardt July 6, 2015, 3:45 a.m. UTC | #2
On Tuesday 2015-06-23 13:17, Alexander Petrenas wrote:

>Well, unfortunately, you should disregard the previous message as far as submitting it to xtables-addons ASAP is concerned.
>
>While modules compiled without errors, actually applying iptables TARPIT rule results in a connection loss, the nature of which I unfortunately cannot describe at the moment (was trying to apply the update to a remote server without KVM). It kind of looks like a kernel panic though - no messages are written to any logs after adding the TARPIT rule - the server just goes dead.
>
>I guess more research is needed on the matter, I'll try to run some tests on a local machine & post the results.

Yeah, you need to also change dst_output to dst_output_sk.

Don't just ignore compiler warnings!

Patch

--- xt_TARPIT.orig.c    2015-06-23 13:31:04.406533833 +0300
+++ xt_TARPIT.c 2015-06-23 13:24:03.103202214 +0300
@@ -250,7 +250,7 @@ 

 #ifdef CONFIG_BRIDGE_NETFILTER
        if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
-           nskb->nf_bridge->mask & BRNF_BRIDGED))
+           nskb->nf_bridge->physoutdev))
 #else
        if (hook != NF_INET_FORWARD)
 #endif
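Review bot: the replacement of `nskb->nf_bridge->mask & BRNF_BRIDGED` with `nskb->nf_bridge->physoutdev` is unconditional, so this hunk trades a build failure on 4.1 for one on every earlier kernel, where `nf_bridge->mask` and BRNF_BRIDGED still exist. xtables-addons is built against a range of kernels, so wrap the new expression in a `LINUX_VERSION_CODE >= KERNEL_VERSION(4,1,0)` check and keep the old expression for older kernels. The `nskb->nf_bridge != NULL &&` guard is retained, so the `physoutdev` dereference itself is safe.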
@@ -279,7 +279,7 @@ 

        nf_ct_attach(nskb, oldskb);

-       NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, nskb, NULL,
+       NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
                skb_dst(nskb)->dev, dst_output);
        return;

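Review bot: only half of the NF_HOOK signature change is applied here. The added NULL socket argument fixes the "too few arguments" error, but the okfn is still `dst_output`, whose old single-`sk_buff` form does not match the `(struct sock *, struct sk_buff *)` callback that the 4.1 NF_HOOK passes its socket and skb to; the compiler reports the incompatible pointer type as a warning, and at runtime the callback receives the NULL socket where it expects the skb, which is the likely cause of the dead server reported in comment #1. As Jan says in #2, this line needs `dst_output_sk` on 4.1 (behind the same kernel-version guard as the bridge hunk), and the warning should have been treated as a build error rather than ignored.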
@@ -394,7 +394,7 @@ 

        nf_ct_attach(nskb, oldskb);

-       NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, nskb, NULL,
+       NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, NULL, nskb, NULL,
                skb_dst(nskb)->dev, dst_output);
        return;

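Review bot: same defect as the IPv4 hunk above: the NULL socket argument is added but `dst_output` is left in place, so the IPv6 RST path has the identical callback signature mismatch and needs `dst_output_sk` as well. One detail to keep as is: the quoted reply suggested NFPROTO_IPV4 for this call, and the hunk correctly keeps NFPROTO_IPV6 on the v6 path.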

# diff -u xt_DELUDE.orig.c xt_DELUDE.c
--- xt_DELUDE.orig.c    2015-06-23 13:30:57.166533864 +0300
+++ xt_DELUDE.c 2015-06-23 13:28:11.046534539 +0300
@@ -107,7 +107,7 @@ 
        addr_type = RTN_UNSPEC;
 #ifdef CONFIG_BRIDGE_NETFILTER
        if (hook != NF_INET_FORWARD || (nskb->nf_bridge != NULL &&
-           nskb->nf_bridge->mask & BRNF_BRIDGED))
+           nskb->nf_bridge->physoutdev))
 #else
        if (hook != NF_INET_FORWARD)
 #endif
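Review bot: this hunk has the same unconditional `BRNF_BRIDGED` to `physoutdev` replacement as the TARPIT bridge hunk and needs the same kernel-version guard. The DELUDE diff also ends here: if xt_DELUDE.c has an NF_HOOK call site with the same `nskb, NULL, ..., dst_output` arguments as xt_TARPIT.c, it needs the socket argument and `dst_output_sk` too, or the target will fail to build or crash the same way.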