/usr/src/xtables-addons-2.10/extensions/xt_psd.c is in xtables-addons-dkms 2.10-1build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 | /*
This is a module which is used for PSD (portscan detection)
Derived from scanlogd v2.1 written by Solar Designer <solar@false.com>
and LOG target module.
Copyright (C) 2000,2001 astaro AG
This file is distributed under the terms of the GNU General Public
License (GPL). Copies of the GPL can be obtained from:
ftp://prep.ai.mit.edu/pub/gnu/GPL
2000-05-04 Markus Hennig <hennig@astaro.de> : initial
2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
2001-01-02 Dennis Koslowski <koslowski@astaro.de> : output modified
2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
2004-05-05 Martijn Lievaart <m@rtij.nl> : ported to 2.6
2007-04-05 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to 2.6.18
2008-03-21 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to 2.6.24
2009-08-07 Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com> : ported to xtables-addons
*/
#define pr_fmt(x) KBUILD_MODNAME ": " x
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/types.h>
#include <linux/tcp.h>
#include <linux/spinlock.h>
#include <linux/vmalloc.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include "xt_psd.h"
#include "compat_xtables.h"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Dennis Koslowski <koslowski@astaro.com>");
MODULE_AUTHOR("Martijn Lievaart <m@rtij.nl>");
MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
MODULE_AUTHOR(" Mohd Nawawi Mohamad Jamili <nawawi@tracenetworkcorporation.com>");
MODULE_DESCRIPTION("Xtables: PSD - portscan detection");
MODULE_ALIAS("ipt_psd");
MODULE_ALIAS("ip6t_psd");
/*
* Keep track of up to LIST_SIZE source addresses, using a hash table of
* HASH_SIZE entries for faster lookups, but limiting hash collisions to
* HASH_MAX source addresses per the same hash value.
*/
#define LIST_SIZE 0x100
#define HASH_LOG 9
#define HASH_SIZE (1 << HASH_LOG)
#define HASH_MAX 0x10
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
# define WITH_IPV6 1
#endif
/*
* Information we keep per each target port
*/
struct port {
u_int16_t number; /* port number */
u_int8_t proto; /* protocol number */
};
/**
* Information we keep per each source address.
* @next: next entry with the same hash
* @timestamp: last update time
* @count: number of ports in the list
* @weight: total weight of ports in the list
*/
struct host {
struct host *next;
unsigned long timestamp;
__be16 src_port;
uint16_t count;
uint8_t weight;
struct port ports[SCAN_MAX_COUNT-1];
};
/**
* Information we keep per ipv4 source address.
*/
struct host4 {
struct host host;
__be32 saddr;
};
static struct host4 *host_to_host4(const struct host *h)
{
return (struct host4 *)h;
}
struct host6 {
struct host host;
struct in6_addr saddr;
};
/**
* State information for IPv4 portscan detection.
* @list: list of source addresses
* @hash: pointers into the list
* @index: oldest entry to be replaced
*/
static struct {
spinlock_t lock;
struct host4 list[LIST_SIZE];
struct host *hash[HASH_SIZE];
int index;
} state;
#ifdef WITH_IPV6
/**
* State information for IPv6 portscan detection.
* @list: list of source addresses
* @hash: pointers into the list
* @index: oldest entry to be replaced
*/
static struct {
spinlock_t lock;
struct host6 *list;
struct host **hash;
int index;
} state6;
static struct host6 *host_to_host6(const struct host *h)
{
return (struct host6 *) h;
}
/**
* allocate state6 memory only when needed
*/
static bool state6_alloc_mem(void)
{
if (state6.hash != NULL)
return true;
state6.list = vmalloc(LIST_SIZE * sizeof(struct host6));
if (state6.list == NULL)
return false;
memset(state6.list, 0, LIST_SIZE * sizeof(struct host6));
state6.hash = vmalloc(HASH_SIZE * sizeof(struct host*));
if (state6.hash == NULL) {
vfree(state6.list);
return false;
}
memset(state6.hash, 0, HASH_SIZE * sizeof(struct host *));
return true;
}
#endif
/*
* Convert an IP address into a hash table index.
*/
static unsigned int hashfunc(__be32 addr)
{
unsigned int value;
unsigned int hash;
value = addr;
hash = 0;
do {
hash ^= value;
} while ((value >>= HASH_LOG) != 0);
return hash & (HASH_SIZE - 1);
}
static inline unsigned int hashfunc6(const struct in6_addr *addr)
{
__be32 h = addr->s6_addr32[0] ^ addr->s6_addr32[1];
return hashfunc(h ^ addr->s6_addr32[2] ^ addr->s6_addr32[3]);
}
static bool port_in_list(struct host *host, uint8_t proto, uint16_t port)
{
unsigned int i;
for (i = 0; i < host->count; ++i) {
if (host->ports[i].proto != proto)
continue;
if (host->ports[i].number == port)
return true;
}
return false;
}
static uint16_t get_port_weight(const struct xt_psd_info *psd, __be16 port)
{
return ntohs(port) < 1024 ? psd->lo_ports_weight : psd->hi_ports_weight;
}
static bool
is_portscan(struct host *host, const struct xt_psd_info *psdinfo,
const struct tcphdr *tcph, uint8_t proto)
{
if (port_in_list(host, proto, tcph->dest))
return false;
/*
* TCP/ACK and/or TCP/RST to a new port? This could be an
* outgoing connection.
*/
if (proto == IPPROTO_TCP && (tcph->ack || tcph->rst))
return false;
host->timestamp = jiffies;
if (host->weight >= psdinfo->weight_threshold) /* already matched */
return true;
/* Update the total weight */
host->weight += get_port_weight(psdinfo, tcph->dest);
/* Got enough destination ports to decide that this is a scan? */
if (host->weight >= psdinfo->weight_threshold)
return true;
/* Remember the new port */
if (host->count < ARRAY_SIZE(host->ports)) {
host->ports[host->count].number = tcph->dest;
host->ports[host->count].proto = proto;
host->count++;
}
return false;
}
static struct host *host_get_next(struct host *h, struct host **last)
{
if (h->next != NULL)
*last = h;
return h->next;
}
static void ht_unlink(struct host **head, struct host *last)
{
if (last != NULL)
last->next = last->next->next;
else if (*head != NULL)
*head = (*head)->next;
}
static bool
entry_is_recent(const struct host *h, unsigned long delay_threshold,
unsigned long now)
{
return now - h->timestamp <= (delay_threshold * HZ) / 100 &&
time_after_eq(now, h->timestamp);
}
static void remove_oldest(struct host **head, struct host *curr)
{
struct host *h, *last = NULL;
/*
* We are going to re-use the oldest list entry, so remove it from the
* hash table first, if it is really already in use.
*/
h = *head;
while (h != NULL) {
if (curr == h)
break;
last = h;
h = h->next;
}
/* Then, remove it */
if (h != NULL)
ht_unlink(head, last);
}
static void *
get_header_pointer4(const struct sk_buff *skb, unsigned int thoff, void *mem)
{
const struct iphdr *iph = ip_hdr(skb);
int hdrlen;
switch (iph->protocol) {
case IPPROTO_TCP:
hdrlen = sizeof(struct tcphdr);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
hdrlen = sizeof(struct udphdr);
break;
default:
return NULL;
}
return skb_header_pointer(skb, thoff, hdrlen, mem);
}
static bool
handle_packet4(const struct iphdr *iph, const struct tcphdr *tcph,
const struct xt_psd_info *psdinfo, unsigned int hash)
{
unsigned long now;
struct host *curr, *last = NULL, **head;
struct host4 *curr4;
int count = 0;
now = jiffies;
head = &state.hash[hash];
/* Do we know this source address already? */
curr = *head;
while (curr != NULL) {
curr4 = host_to_host4(curr);
if (curr4->saddr == iph->saddr)
break;
count++;
curr = host_get_next(curr, &last);
}
if (curr != NULL) {
/* We know this address, and the entry isn't too old. Update it. */
if (entry_is_recent(curr, psdinfo->delay_threshold, now))
return is_portscan(curr, psdinfo, tcph, iph->protocol);
/* We know this address, but the entry is outdated. Mark it unused, and
* remove from the hash table. We'll allocate a new entry instead since
* this one might get re-used too soon. */
curr4 = host_to_host4(curr);
curr4->saddr = 0;
ht_unlink(head, last);
last = NULL;
}
/* We don't need an ACK from a new source address */
if (iph->protocol == IPPROTO_TCP && tcph->ack)
return false;
/* Got too many source addresses with the same hash value? Then remove the
* oldest one from the hash table, so that they can't take too much of our
* CPU time even with carefully chosen spoofed IP addresses. */
if (count >= HASH_MAX && last != NULL)
last->next = NULL;
if (state.list[state.index].saddr != 0)
head = &state.hash[hashfunc(state.list[state.index].saddr)];
else
head = &last;
/* Get our list entry */
curr4 = &state.list[state.index++];
curr = &curr4->host;
remove_oldest(head, curr);
if (state.index >= LIST_SIZE)
state.index = 0;
/* Link it into the hash table */
head = &state.hash[hash];
curr->next = *head;
*head = curr;
/* And fill in the fields */
curr4 = host_to_host4(curr);
curr4->saddr = iph->saddr;
curr->timestamp = now;
curr->count = 1;
curr->weight = get_port_weight(psdinfo, tcph->dest);
curr->ports[0].number = tcph->dest;
curr->ports[0].proto = iph->protocol;
return false;
}
static bool
xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
{
struct iphdr *iph = ip_hdr(pskb);
struct tcphdr _tcph;
struct tcphdr *tcph;
bool matched;
unsigned int hash;
/* Parameters from userspace */
const struct xt_psd_info *psdinfo = match->matchinfo;
if (iph->frag_off & htons(IP_OFFSET)) {
pr_debug("sanity check failed\n");
return false;
}
/*
* We are using IP address 0.0.0.0 for a special purpose here, so do
* not let them spoof us. [DHCP needs this feature - HW]
*/
if (iph->saddr == 0) {
pr_debug("spoofed source address (0.0.0.0)\n");
return false;
}
tcph = get_header_pointer4(pskb, match->thoff, &_tcph);
if (tcph == NULL)
return false;
hash = hashfunc(iph->saddr);
spin_lock(&state.lock);
matched = handle_packet4(iph, tcph, psdinfo, hash);
spin_unlock(&state.lock);
return matched;
}
#ifdef WITH_IPV6
static bool
handle_packet6(const struct ipv6hdr *ip6h, const struct tcphdr *tcph,
const struct xt_psd_info *psdinfo, uint8_t proto, int hash)
{
unsigned long now;
struct host *curr, *last = NULL, **head;
struct host6 *curr6;
int count = 0;
now = jiffies;
head = &state6.hash[hash];
curr = *head;
while (curr != NULL) {
curr6 = host_to_host6(curr);
if (ipv6_addr_equal(&curr6->saddr, &ip6h->saddr))
break;
count++;
curr = host_get_next(curr, &last);
}
if (curr != NULL) {
if (entry_is_recent(curr, psdinfo->delay_threshold, now))
return is_portscan(curr, psdinfo, tcph, proto);
curr6 = host_to_host6(curr);
memset(&curr6->saddr, 0, sizeof(curr6->saddr));
ht_unlink(head, last);
last = NULL;
}
if (proto == IPPROTO_TCP && tcph->ack)
return false;
if (count >= HASH_MAX && last != NULL)
last->next = NULL;
if (!ipv6_addr_any(&state6.list[state6.index].saddr))
head = &state6.hash[hashfunc6(&state6.list[state6.index].saddr)];
else
head = &last;
curr6 = &state6.list[state6.index++];
curr = &curr6->host;
remove_oldest(head, curr);
if (state6.index >= LIST_SIZE)
state6.index = 0;
head = &state6.hash[hash];
curr->next = *head;
*head = curr;
curr6 = host_to_host6(curr);
curr6->saddr = ip6h->saddr;
curr->timestamp = now;
curr->count = 1;
curr->weight = get_port_weight(psdinfo, tcph->dest);
curr->ports[0].number = tcph->dest;
curr->ports[0].proto = proto;
return false;
}
static void *
get_header_pointer6(const struct sk_buff *skb, void *mem, uint8_t *proto)
{
static const uint8_t types[] = {IPPROTO_TCP,
IPPROTO_UDP, IPPROTO_UDPLITE};
unsigned int i, offset = 0;
int err;
size_t hdrlen;
for (i = 0; i < ARRAY_SIZE(types); ++i) {
err = ipv6_find_hdr(skb, &offset, types[i], NULL, NULL);
if (err < 0)
continue;
switch (types[i]) {
case IPPROTO_TCP:
hdrlen = sizeof(struct tcphdr);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
hdrlen = sizeof(struct udphdr);
break;
default:
return NULL;
}
*proto = types[i];
return skb_header_pointer(skb, offset, hdrlen, mem);
}
return NULL;
}
static bool
xt_psd_match6(const struct sk_buff *pskb, struct xt_action_param *match)
{
const struct ipv6hdr *ip6h = ipv6_hdr(pskb);
struct tcphdr _tcph;
struct tcphdr *tcph;
uint8_t proto = 0;
bool matched;
int hash;
const struct xt_psd_info *psdinfo = match->matchinfo;
if (ipv6_addr_any(&ip6h->saddr))
return false;
tcph = get_header_pointer6(pskb, &_tcph, &proto);
if (tcph == NULL)
return false;
hash = hashfunc6(&ip6h->saddr);
spin_lock(&state6.lock);
matched = handle_packet6(ip6h, tcph, psdinfo, proto, hash);
spin_unlock(&state6.lock);
return matched;
}
#endif
static int psd_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_psd_info *info = par->matchinfo;
if (info->weight_threshold == 0)
/* 0 would match on every 1st packet */
return -EINVAL;
if ((info->lo_ports_weight | info->hi_ports_weight) == 0)
/* would never match */
return -EINVAL;
if (info->delay_threshold > PSD_MAX_RATE ||
info->weight_threshold > PSD_MAX_RATE ||
info->lo_ports_weight > PSD_MAX_RATE ||
info->hi_ports_weight > PSD_MAX_RATE)
return -EINVAL;
return 0;
}
#ifdef WITH_IPV6
static int psd_mt_check6(const struct xt_mtchk_param *par)
{
if (!state6_alloc_mem())
return -ENOMEM;
return psd_mt_check(par);
}
#endif
static struct xt_match xt_psd_reg[] __read_mostly = {
{
.name = "psd",
.family = NFPROTO_IPV4,
.revision = 1,
.checkentry = psd_mt_check,
.match = xt_psd_match,
.matchsize = sizeof(struct xt_psd_info),
.me = THIS_MODULE,
#ifdef WITH_IPV6
}, {
.name = "psd",
.family = NFPROTO_IPV6,
.revision = 1,
.checkentry = psd_mt_check6,
.match = xt_psd_match6,
.matchsize = sizeof(struct xt_psd_info),
.me = THIS_MODULE,
#endif
}
};
static int __init xt_psd_init(void)
{
spin_lock_init(&(state.lock));
#ifdef WITH_IPV6
spin_lock_init(&(state6.lock));
#endif
return xt_register_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
}
static void __exit xt_psd_exit(void)
{
xt_unregister_matches(xt_psd_reg, ARRAY_SIZE(xt_psd_reg));
#ifdef WITH_IPV6
vfree(state6.list);
vfree(state6.hash);
#endif
}
module_init(xt_psd_init);
module_exit(xt_psd_exit);
|