SOURCES (LINUX_2_6): kernel-pom-ng-rpc.patch (NEW) - pom-ng-rpc-20...
zbyniu
zbyniu at pld-linux.org
Wed Aug 15 03:44:30 CEST 2007
Author: zbyniu Date: Wed Aug 15 01:44:30 2007 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- pom-ng-rpc-20060504.patch as reference
---- Files affected:
SOURCES:
kernel-pom-ng-rpc.patch (NONE -> 1.1.2.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/kernel-pom-ng-rpc.patch
diff -u /dev/null SOURCES/kernel-pom-ng-rpc.patch:1.1.2.1
--- /dev/null Wed Aug 15 03:44:30 2007
+++ SOURCES/kernel-pom-ng-rpc.patch Wed Aug 15 03:44:25 2007
@@ -0,0 +1,1706 @@
+ include/linux/netfilter_ipv4/ip_conntrack_rpc.h | 71 +++
+ include/linux/netfilter_ipv4/ipt_rpc.h | 35 +
+ net/ipv4/netfilter/Kconfig | 32 +
+ net/ipv4/netfilter/Makefile | 1
+ net/ipv4/netfilter/ip_conntrack_rpc_tcp.c | 554 ++++++++++++++++++++++++
+ net/ipv4/netfilter/ip_conntrack_rpc_udp.c | 527 ++++++++++++++++++++++
+ net/ipv4/netfilter/ipt_rpc.c | 443 +++++++++++++++++++
+ 7 files changed, 1663 insertions(+)
+
+diff -Nur --exclude '*.orig' linux/include/linux/netfilter_ipv4/ip_conntrack_rpc.h linux/include/linux/netfilter_ipv4/ip_conntrack_rpc.h
+--- linux/include/linux/netfilter_ipv4/ip_conntrack_rpc.h 1970-01-01 01:00:00.000000000 +0100
++++ linux/include/linux/netfilter_ipv4/ip_conntrack_rpc.h 2006-05-04 11:26:08.000000000 +0200
+@@ -0,0 +1,71 @@
++/* RPC extension for IP connection tracking, Version 2.2
++ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima at dcc.unicamp.br>
++ * - original rpc tracking module
++ * - "recent" connection handling for kernel 2.3+ netfilter
++ *
++ * (C) 2001 by Rusty Russell <rusty at rustcorp.com.au>
++ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
++ *
++ * (C) 2002 by Ian (Larry) Latter <Ian.Latter at mq.edu.au>
++ * - upgraded conntrack modules to newnat api - kernel 2.4.20+
++ * - extended matching to support filtering on procedures
++ *
++ * (C) 2005 by David Stes <stes at pandora.be>
++ * - upgraded to 2.6.13 API
++ *
++ * ip_conntrack_rpc.h,v 2.2 2003/01/12 18:30:00
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version
++ * 2 of the License, or (at your option) any later version.
++ **
++ */
++
++#include <asm/param.h>
++#include <linux/sched.h>
++#include <linux/timer.h>
++#include <linux/stddef.h>
++#include <linux/list.h>
++
++#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
++
++#ifndef _IP_CONNTRACK_RPC_H
++#define _IP_CONNTRACK_RPC_H
++
++#define RPC_PORT 111
++
++
++/* Datum in RPC packets are encoded in XDR */
++#define IXDR_GET_INT32(buf) ((u_int32_t) ntohl((uint32_t)*buf))
++
++/* Fast timeout, to deny DoS atacks */
++#define EXP (60 * HZ)
++
++/* Normal timeouts */
++#define EXPIRES (180 * HZ)
++
++/* For future conections RPC, using client's cache bindings
++ * I'll use ip_conntrack_lock to lock these lists */
++
++/* This identifies each request and stores protocol */
++struct request_p {
++ struct list_head list;
++
++ u_int32_t xid;
++ u_int32_t ip;
++ u_int16_t port;
++
++ /* Protocol */
++ u_int16_t proto;
++
++ struct timer_list timeout;
++};
++
++static inline int request_p_cmp(const struct request_p *p, u_int32_t xid,
++ u_int32_t ip, u_int32_t port) {
++ return (p->xid == xid && p->ip == ip && p->port);
++
++}
++
++#endif /* _IP_CONNTRACK_RPC_H */
+diff -Nur --exclude '*.orig' linux/include/linux/netfilter_ipv4/ipt_rpc.h linux/include/linux/netfilter_ipv4/ipt_rpc.h
+--- linux/include/linux/netfilter_ipv4/ipt_rpc.h 1970-01-01 01:00:00.000000000 +0100
++++ linux/include/linux/netfilter_ipv4/ipt_rpc.h 2006-05-04 11:26:08.000000000 +0200
+@@ -0,0 +1,35 @@
++/* RPC extension for IP netfilter matching, Version 2.2
++ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima at dcc.unicamp.br>
++ * - original rpc tracking module
++ * - "recent" connection handling for kernel 2.3+ netfilter
++ *
++ * (C) 2001 by Rusty Russell <rusty at rustcorp.com.au>
++ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
++ *
++ * (C) 2002 by Ian (Larry) Latter <Ian.Latter at mq.edu.au>
++ * - upgraded conntrack modules to newnat api - kernel 2.4.20+
++ * - extended matching to support filtering on procedures
++ *
++ * ipt_rpc.h.c,v 2.2 2003/01/12 18:30:00
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version
++ * 2 of the License, or (at your option) any later version.
++ **
++ */
++
++#ifndef _IPT_RPC_H
++#define _IPT_RPC_H
++
++struct ipt_rpc_data;
++
++struct ipt_rpc_info {
++ int inverse;
++ int strict;
++ const char c_procs[1408];
++ int i_procs;
++ struct ipt_rpc_data *data;
++};
++
++#endif /* _IPT_RPC_H */
+diff -Nur --exclude '*.orig' linux/net/ipv4/netfilter/Kconfig linux/net/ipv4/netfilter/Kconfig
+--- linux/net/ipv4/netfilter/Kconfig 2006-05-02 23:38:44.000000000 +0200
++++ linux/net/ipv4/netfilter/Kconfig 2006-05-04 11:26:08.000000000 +0200
+@@ -606,5 +606,37 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_MATCH_RPC
++ tristate 'RPC match support'
++ depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
++ help
++ This adds CONFIG_IP_NF_MATCH_RPC, which is the RPC connection
++ matcher and tracker.
++
++ This option supplies two connection tracking modules;
++ ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track
++ portmapper requests using UDP and TCP respectively.
++
++ This option also adds an RPC match module for iptables, which
++ matches both via the old "record match" method and a new
++ "procedure match" method. The older method matches all RPC
++ procedure packets that relate to previously recorded packets
++ seen querying a portmapper. The newer method matches only
++ those RPC procedure packets explicitly specified by the user,
++ and that can then be related to previously recorded packets
++ seen querying a portmapper.
++
++ These three modules are required if RPCs are to be filtered
++ accurately; as RPCs are allocated pseudo-randomly to UDP and
++ TCP ports as they register with the portmapper.
++
++ Up to 8 portmapper ports per module, and up to 128 RPC
++ procedures per iptables rule, may be specified by the user,
++ to enable effective RPC management.
++
++
++ If you want to compile it as a module, say M here and read
++ <file:Documentation/modules.txt>. If unsure, say `N'.
++
+ endmenu
+
+diff -Nur --exclude '*.orig' linux/net/ipv4/netfilter/Makefile linux/net/ipv4/netfilter/Makefile
+--- linux/net/ipv4/netfilter/Makefile 2006-05-02 23:38:44.000000000 +0200
++++ linux/net/ipv4/netfilter/Makefile 2006-05-04 11:26:08.000000000 +0200
+@@ -0,0 +0,1 @@
++obj-$(CONFIG_IP_NF_MATCH_RPC) += ip_conntrack_rpc_tcp.o ip_conntrack_rpc_udp.o ipt_rpc.o
+diff -Nur --exclude '*.orig' linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
+--- linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 1970-01-01 01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c 2006-05-04 11:26:08.000000000 +0200
+@@ -0,0 +1,554 @@
++/* RPC extension for IP (TCP) connection tracking, Version 2.2
++ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima at dcc.unicamp.br>
++ * - original rpc tracking module
++ * - "recent" connection handling for kernel 2.3+ netfilter
++ *
++ * (C) 2001 by Rusty Russell <rusty at rustcorp.com.au>
++ * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
++ *
++ * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter at mq.edu.au>
++ * - upgraded conntrack modules to newnat api - kernel 2.4.20+
++ * - extended matching to support filtering on procedures
++ *
++ * (c) 2004,2005 by David Stes <stes at pandora.be>
++ * - add nsrexec option for Legato NetWorker
++ * - upgraded to 2.6.12+ conntrack module api
++ *
++ * (c) 2005 by David Stes <stes at pandora.be>
++ * - upgraded to 2.6.13 conntrack module api
++ *
++ * ip_conntrack_rpc_tpc.c,v 2.2 2003/01/12 18:30:00
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version
++ * 2 of the License, or (at your option) any later version.
++ **
++ * Module load syntax:
++ * insmod ip_conntrack_rpc_tcp.o nsrexec=<n> ports=port1,...port<MAX_PORTS>
++ *
++ * Please give the ports of all RPC servers you wish to connect to.
++ * For example, ports=111,7938 for Legato NetWorker's portmapper on 7938.
++ * If you don't specify ports, the default will be port 111 (SUN portmap).
++ *
++ * Please specify nsrexec, the TCP port of the rexec() service of
++ * Legato NetWorker. For example, nsrexec=7937
++ *
++ **
++ * Note to all:
++ *
++ * RPCs should not be exposed to the internet - ask the Pentagon;
++ *
++ * "The unidentified crackers pleaded guilty in July to charges
++ * of juvenile delinquency stemming from a string of Pentagon
++ * network intrusions in February.
++ *
++ * The youths, going by the names TooShort and Makaveli, used
++ * a common server security hole to break in, according to
++ * Dane Jasper, owner of the California Internet service
++ * provider, Sonic. They used the hole, known as the 'statd'
++ * exploit, to attempt more than 800 break-ins, Jasper said."
++ *
++ * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
++ * URL: http://www.wired.com/news/politics/0,1283,16098,00.html
++ **
++ */
++
++#include <linux/module.h>
++#include <linux/netfilter.h>
++#include <linux/ip.h>
++#include <net/checksum.h>
++#include <net/tcp.h>
++
++#include <asm/param.h>
++#include <linux/sched.h>
++#include <linux/timer.h>
++#include <linux/stddef.h>
++#include <linux/list.h>
++
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
++#include <linux/netfilter_ipv4/ip_conntrack_rpc.h>
++
++#define MAX_PORTS 8
++static int ports[MAX_PORTS];
++static int ports_n_c = 0;
++static int nsrexec = 0;
++
++#ifdef MODULE_PARM
++module_param(nsrexec,int, 0400);
++MODULE_PARM_DESC(nsrexec, "TCP port of Legato NetWorker's rexec service");
++module_param_array(ports, int, &ports_n_c, 0400);
++MODULE_PARM_DESC(ports, "port numbers (TCP/UDP) of RPC portmapper servers");
++#endif
++
++MODULE_AUTHOR("Marcelo Barbosa Lima <marcelo.lima at dcc.unicamp.br>");
++MODULE_DESCRIPTION("RPC TCP connection tracking module");
++MODULE_LICENSE("GPL");
++
++#define PRINTK(format, args...) printk(KERN_DEBUG "ip_conntrack_rpc_tcp: " \
++ format, ## args)
++
++#if 0
++#define DEBUGP(format, args...) printk(KERN_DEBUG "ip_conntrack_rpc_tcp: " \
++ format, ## args)
++#else
++#define DEBUGP(format, args...)
++#endif
++
++DEFINE_RWLOCK(ipct_rpc_tcp_lock);
++
++#define ASSERT_READ_LOCK(x)
++#define ASSERT_WRITE_LOCK(x)
++
++#include <linux/netfilter_ipv4/listhelp.h>
++
++/* For future conections RPC, using client's cache bindings
++ * I'll use ip_conntrack_lock to lock these lists */
++
++LIST_HEAD(request_p_list_tcp);
++
++
++static void delete_request_p(unsigned long request_p_ul)
++{
++ struct request_p *p = (void *)request_p_ul;
++
++ write_lock_bh(&ipct_rpc_tcp_lock);
++ LIST_DELETE(&request_p_list_tcp, p);
++ write_unlock_bh(&ipct_rpc_tcp_lock);
++ kfree(p);
++ return;
++}
++
++
++static void req_cl(struct request_p * r)
++{
++ write_lock_bh(&ipct_rpc_tcp_lock);
++ del_timer(&r->timeout);
++ LIST_DELETE(&request_p_list_tcp, r);
++ write_unlock_bh(&ipct_rpc_tcp_lock);
++ kfree(r);
++ return;
++}
++
++
++static void clean_request(struct list_head *list)
++{
++ struct list_head *first = list->prev;
++ struct list_head *temp = list->next;
++ struct list_head *aux;
++
++ if (list_empty(list))
++ return;
++
++ while (first != temp) {
++ aux = temp->next;
++ req_cl((struct request_p *)temp);
++ temp = aux;
++ }
++ req_cl((struct request_p *)temp);
++ return;
++}
++
++
++static void alloc_request_p(u_int32_t xid, u_int16_t proto, u_int32_t ip,
++ u_int16_t port)
++{
++ struct request_p *req_p;
++
++ /* Verifies if entry already exists */
++ write_lock_bh(&ipct_rpc_tcp_lock);
++ req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp,
++ struct request_p *, xid, ip, port);
++
++ if (req_p) {
++ /* Refresh timeout */
++ if (del_timer(&req_p->timeout)) {
++ req_p->timeout.expires = jiffies + EXP;
++ add_timer(&req_p->timeout);
++ }
++ write_unlock_bh(&ipct_rpc_tcp_lock);
++ return;
++
++ }
++ write_unlock_bh(&ipct_rpc_tcp_lock);
++
++ /* Allocate new request_p */
++ req_p = (struct request_p *) kmalloc(sizeof(struct request_p), GFP_ATOMIC);
++ if (!req_p) {
++ DEBUGP("can't allocate request_p\n");
++ return;
++ }
++
++ req_p->list.next = NULL;
++ req_p->list.prev = NULL;
++ req_p->xid = xid;
++ req_p->ip = ip;
++ req_p->port = port;
++ req_p->proto = proto;
++
++ /* Initialize timer */
++ init_timer(&req_p->timeout);
++ req_p->timeout.expires = jiffies + EXP;
++ req_p->timeout.data = (unsigned long)req_p;
++ req_p->timeout.function = delete_request_p;
++ add_timer(&req_p->timeout);
++
++ /* Put in list */
++ write_lock_bh(&ipct_rpc_tcp_lock);
++ list_prepend(&request_p_list_tcp, req_p);
++ write_unlock_bh(&ipct_rpc_tcp_lock);
++ return;
++}
++
++
++static int check_rpc_packet(const u_int32_t *data,
++ int dir, struct ip_conntrack *ct,
++ struct list_head request_p_list)
++{
++ u_int32_t xid;
++ int ret = NF_ACCEPT;
++ struct request_p *req_p;
++ struct ip_conntrack_expect *exp;
++
++
++ if (ct == NULL) {
++ DEBUGP("ct is NULL");
++ return ret;
++ }
++
++ /* Translstion's buffer for XDR */
++ u_int16_t port_buf;
++
++ /* Get XID */
++ xid = *data;
++
++ /* This does sanity checking on RPC payloads,
++ * and permits only the RPC "get port" (3)
++ * in authorised procedures in client
++ * communications with the portmapper.
++ */
++
++ /* perform direction dependant RPC work */
++ if (dir == IP_CT_DIR_ORIGINAL) {
++
++ data += 5;
++
++ /* Get RPC requestor */
++ if (IXDR_GET_INT32(data) != 3) {
++ DEBUGP("RPC packet contains an invalid (non \"get\") requestor. [skip]\n");
++ return NF_ACCEPT;
++ }
++ DEBUGP("RPC packet contains a \"get\" requestor. [cont]\n");
++
++ data++;
++
++ /* Jump Credentials and Verfifier */
++ data += IXDR_GET_INT32(data) + 2;
++ data += IXDR_GET_INT32(data) + 2;
++
++ /* Get RPC procedure */
++ DEBUGP("RPC packet contains procedure request [%u]. [cont]\n",
++ (unsigned int)IXDR_GET_INT32(data));
++
++ /* Get RPC protocol and store against client parameters */
++ data = data + 2;
++ alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.ip,
++ ct->tuplehash[dir].tuple.src.u.all);
++
++ DEBUGP("allocated RPC req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n",
++ xid, IXDR_GET_INT32(data),
++ NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
++ ntohs(ct->tuplehash[dir].tuple.src.u.all));
++
++ DEBUGP("allocated RPC request for protocol %u. [done]\n",
++ (unsigned int)IXDR_GET_INT32(data));
++
++ } else {
++
++ /* Check for returning packet's stored counterpart */
++ req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp,
++ struct request_p *, xid,
++ ct->tuplehash[!dir].tuple.src.ip,
++ ct->tuplehash[!dir].tuple.src.u.all);
++
++ /* Drop unexpected packets */
++ if (!req_p) {
++ DEBUGP("packet is not expected. [skip]\n");
++ return NF_ACCEPT;
++ }
++
++ /* Verifies if packet is really an RPC reply packet */
++ data++;
++ if (IXDR_GET_INT32(data) != 1) {
++ DEBUGP("packet is not a valid RPC reply. [skip]\n");
++ return NF_ACCEPT;
++ }
++
++ /* Is status accept? */
++ data++;
++ if (IXDR_GET_INT32(data)) {
++ DEBUGP("packet is not an RPC accept. [skip]\n");
++ return NF_ACCEPT;
++ }
++
++ /* Get Verifier length. Jump verifier */
++ data++;
++ data = data + IXDR_GET_INT32(data) + 2;
++
++ /* Is accpet status "success"? */
++ if (IXDR_GET_INT32(data)) {
++ DEBUGP("packet is not an RPC accept status of success. [skip]\n");
++ return NF_ACCEPT;
++ }
++
++ /* Get server port number */
++ data++;
++ port_buf = (u_int16_t) IXDR_GET_INT32(data);
++
++ /* If a packet has made it this far then it deserves an
++ * expectation ... if port == 0, then this service is
++ * not going to be registered.
++ */
++ if (port_buf && port_buf != nsrexec) {
++ DEBUGP("port found: %u\n", port_buf);
++
++ exp = ip_conntrack_expect_alloc(ct);
++ if (!exp) {
++ ret = NF_DROP;
++ goto out;
++ }
++
++ /* Watch out, Radioactive-Man! */
++ exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
++ exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
++ exp->mask.src.ip = 0xffffffff;
++ exp->mask.dst.ip = 0xffffffff;
++
++ switch (req_p->proto) {
++ case IPPROTO_UDP:
++ exp->tuple.src.u.udp.port = 0;
++ exp->tuple.dst.u.udp.port = htons(port_buf);
++ exp->tuple.dst.protonum = IPPROTO_UDP;
++ exp->mask.src.u.udp.port = 0;
++ exp->mask.dst.u.udp.port = htons(0xffff);
++ exp->mask.dst.protonum = 0xff;
++ break;
++
++ case IPPROTO_TCP:
++ exp->tuple.src.u.tcp.port = 0;
++ exp->tuple.dst.u.tcp.port = htons(port_buf);
++ exp->tuple.dst.protonum = IPPROTO_TCP;
++ exp->mask.src.u.tcp.port = 0;
++ exp->mask.dst.u.tcp.port = htons(0xffff);
++ exp->mask.dst.protonum = 0xff;
++ break;
++ }
++ exp->expectfn = NULL;
++ exp->master = ct;
++
++ if (exp->master->helper == NULL) {
++ DEBUGP("master helper NULL");
++ ret = NF_ACCEPT;
++ }
++
++ DEBUGP("expect related ip %u.%u.%u.%u:0-%u.%u.%u.%u:%u proto=%u\n",
++ NIPQUAD(exp->tuple.src.ip),
++ NIPQUAD(exp->tuple.dst.ip),
++ port_buf, req_p->proto);
++
++ DEBUGP("expect related mask %u.%u.%u.%u:0-%u.%u.%u.%u:65535 proto=%u\n",
++ NIPQUAD(exp->mask.src.ip),
++ NIPQUAD(exp->mask.dst.ip),
++ exp->mask.dst.protonum);
++
++ if (ip_conntrack_expect_related(exp) != 0) {
++ ret = NF_DROP;
++ }
++
++ }
++
++out:
++ req_cl(req_p);
++
++ DEBUGP("packet evaluated. [expect]\n");
++ }
++
++ return ret;
++
++}
++
++
++/* RPC TCP helper */
++/* static int help(const struct iphdr *iph, size_t len,
++ struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) */
++static int help(struct sk_buff **pskb,
++ struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
++{
++ int dir;
++ int crp_ret;
++ struct tcphdr _tcph, *tcph;
++ const u_int32_t *data;
++ size_t tcplen;
++ struct iphdr *iph;
++ size_t len;
++
++ /* Not whole TCP header? */
++ iph=(*pskb)->nh.iph;
++ tcph = skb_header_pointer(*pskb,iph->ihl*4,sizeof(_tcph),&_tcph);
++ if (!tcph)
++ return NF_ACCEPT;
++
++ len = (*pskb)->len; /* stes */
++ data = (const u_int32_t *)tcph + tcph->doff;
++ tcplen = len - iph->ihl * 4;
++ dir = CTINFO2DIR(ctinfo);
++
++ DEBUGP("new packet to evaluate ..\n");
++
++ /* This works for packets like handshake packets, ignore */
++ if (len == ((tcph->doff + iph->ihl) * 4)) {
++ DEBUGP("packet has no data (may still be handshaking). [skip]\n");
++ return NF_ACCEPT;
++ }
++
++ /* Until there's been traffic both ways, don't look in packets. */
++ if (ctinfo != IP_CT_ESTABLISHED
++ && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
++ DEBUGP("connection tracking state is; ctinfo=%u ..\n", ctinfo);
<<Diff was trimmed, longer than 597 lines>>
More information about the pld-cvs-commit
mailing list