diff -ruN iptables-1.3.5.orig/extensions/.CHAOS-test iptables-1.3.5/extensions/.CHAOS-test --- iptables-1.3.5.orig/extensions/.CHAOS-test 1970-01-01 01:00:00.000000000 +0100 +++ iptables-1.3.5/extensions/.CHAOS-test 2007-01-09 16:05:23.251885840 +0100 @@ -0,0 +1,2 @@ +#!/bin/sh +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS"; diff -ruN iptables-1.3.5.orig/extensions/.DELUDE-test iptables-1.3.5/extensions/.DELUDE-test --- iptables-1.3.5.orig/extensions/.DELUDE-test 1970-01-01 01:00:00.000000000 +0100 +++ iptables-1.3.5/extensions/.DELUDE-test 2007-01-09 16:05:18.104057722 +0100 @@ -0,0 +1,2 @@ +#!/bin/sh +echo "DELUDE"; diff -ruN iptables-1.3.5.orig/extensions/libipt_CHAOS.c iptables-1.3.5/extensions/libipt_CHAOS.c --- iptables-1.3.5.orig/extensions/libipt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100 +++ iptables-1.3.5/extensions/libipt_CHAOS.c 2007-01-09 16:05:23.251885840 +0100 @@ -0,0 +1,111 @@ +/* + CHAOS target for iptables + + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007 + released under the terms of the GNU General Public + License version 2.x and only versions 2.x. +*/ +#include <getopt.h> +#include <stdio.h> +#include <string.h> + +#include <iptables.h> +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter/xt_CHAOS.h> + +static void libipt_chaos_help(void) +{ + printf( + "CHAOS target v%s options:\n" + " --delude Enable DELUDE processing for TCP\n" + " --tarpit Enable TARPIT processing for TCP\n", + IPTABLES_VERSION); + return; +} + +static int libipt_chaos_parse(int c, char **argv, int invert, + unsigned int *flags, const struct ipt_entry *entry, + struct ipt_entry_target **target) +{ + struct xt_chaos_info *info = (void *)((*target)->data); + switch(c) { + case 'd': + info->variant = XTCHAOS_DELUDE; + *flags |= 0x02; + return 1; + case 't': + info->variant = XTCHAOS_TARPIT; + *flags |= 0x01; + return 1; + } + return 0; +} + +static void libipt_chaos_check(unsigned int flags) +{ + if(flags != 0x03) + return; + /* If flags == 0x03, both were specified, which should not be. */ + exit_error(PARAMETER_PROBLEM, + "CHAOS: only one of --tarpit or --delude may be specified"); + return; +} + +static void libipt_chaos_print(const struct ipt_ip *ip, + const struct ipt_entry_target *target, int numeric) +{ + const struct xt_chaos_info *info = (const void *)target->data; + switch(info->variant) { + case XTCHAOS_DELUDE: + printf("DELUDE "); + break; + case XTCHAOS_TARPIT: + printf("TARPIT "); + break; + default: + break; + } + return; +} + +static void libipt_chaos_save(const struct ipt_ip *ip, + const struct ipt_entry_target *target) +{ + const struct xt_chaos_info *info = (const void *)target->data; + switch(info->variant) { + case XTCHAOS_DELUDE: + printf("--delude "); + break; + case XTCHAOS_TARPIT: + printf("--tarpit "); + break; + default: + break; + } + return; +} + +static struct option libipt_chaos_opts[] = { + {"delude", 0, NULL, 'd'}, + {"tarpit", 0, NULL, 't'}, + {NULL}, +}; + +static struct iptables_target libipt_chaos_info = { + .name = "CHAOS", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct xt_chaos_info)), + .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)), + .help = libipt_chaos_help, + .parse = libipt_chaos_parse, + .final_check = libipt_chaos_check, + .print = libipt_chaos_print, + .save = libipt_chaos_save, + .extra_opts = libipt_chaos_opts, +}; + +static __attribute__((constructor)) void libipt_chaos_init(void) +{ + register_target(&libipt_chaos_info); + return; +} diff -ruN iptables-1.3.5.orig/extensions/libipt_DELUDE.c iptables-1.3.5/extensions/libipt_DELUDE.c --- iptables-1.3.5.orig/extensions/libipt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100 +++ iptables-1.3.5/extensions/libipt_DELUDE.c 2007-01-09 16:05:18.104057722 +0100 @@ -0,0 +1,66 @@ +/* + DELUDE target for iptables + + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007 + released under the terms of the GNU General Public + License version 2.x and only versions 2.x. +*/ +#include <getopt.h> +#include <stdio.h> +#include <string.h> + +#include <iptables.h> +#include <linux/netfilter_ipv4/ip_tables.h> + +static void libipt_delude_help(void) +{ + printf("DELUDE takes no options\n"); + return; +} + +static int libipt_delude_parse(int c, char **argv, int invert, + unsigned int *flags, const struct ipt_entry *entry, + struct ipt_entry_target **target) +{ + return 0; +} + +static void libipt_delude_check(unsigned int flags) +{ + return; +} + +static void libipt_delude_print(const struct ipt_ip *ip, + const struct ipt_entry_target *target, int numeric) +{ + return; +} + +static void libipt_delude_save(const struct ipt_ip *ip, + const struct ipt_entry_target *target) +{ + return; +} + +static struct option libipt_delude_opts[] = { + {NULL}, +}; + +static struct iptables_target libipt_delude_info = { + .name = "DELUDE", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(0), + .userspacesize = IPT_ALIGN(0), + .help = libipt_delude_help, + .parse = libipt_delude_parse, + .final_check = libipt_delude_check, + .print = libipt_delude_print, + .save = libipt_delude_save, + .extra_opts = libipt_delude_opts, +}; + +static __attribute__((constructor)) void libipt_delude_init(void) +{ + register_target(&libipt_delude_info); + return; +} diff -ruN iptables-1.3.5.orig/extensions/libipt_portscan.c iptables-1.3.5/extensions/libipt_portscan.c --- iptables-1.3.5.orig/extensions/libipt_portscan.c 1970-01-01 01:00:00.000000000 +0100 +++ iptables-1.3.5/extensions/libipt_portscan.c 2007-01-09 16:05:14.228187134 +0100 @@ -0,0 +1,129 @@ +/* + portscan match for iptables + + Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007 + released under the terms of the GNU General Public + License version 2.x and only versions 2.x. +*/ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> + +#include <iptables.h> +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter/xt_portscan.h> + +static void libipt_portscan_help(void) +{ + printf( + "portscan match v%s options:\n" + "(Combining them will make them match by OR-logic)\n" + " --stealth Match TCP Stealth packets\n" + " --synscan Match TCP SYN scans\n" + " --cnscan Match TCP Connect scans\n" + " --grscan Match Banner Grabbing scans\n", + IPTABLES_VERSION); + return; +} + +static void libipt_portscan_mtinit(struct ipt_entry_match *match, + unsigned int *nfcache) +{ + /* Cannot cache this */ + *nfcache |= NFC_UNKNOWN; + return; +} + +static int libipt_portscan_parse(int c, char **argv, int invert, + unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc, + struct ipt_entry_match **match) +{ + struct xt_portscan_info *info = (void *)((*match)->data); + + switch(c) { + case 'c': + info->match_cn = 1; + return 1; + case 'g': + info->match_gr = 1; + return 1; + case 's': + info->match_syn = 1; + return 1; + case 'x': + info->match_stealth = 1; + return 1; + default: + return 0; + } +} + +static void libipt_portscan_check(unsigned int flags) +{ + return; +} + +static void libipt_portscan_print(const struct ipt_ip *ip, + const struct ipt_entry_match *match, int numeric) +{ + const struct xt_portscan_info *info = (const void *)(match->data); + const char *s = ""; + + printf("portscan "); + if(info->match_stealth) { + printf("STEALTH"); + s = ","; + } + if(info->match_syn) { + printf("%sSYNSCAN", s); + s = ","; + } + if(info->match_cn) { + printf("%sCNSCAN", s); + s = ","; + } + if(info->match_gr) + printf("%sGRSCAN", s); + printf(" "); + return; +} + +static void libipt_portscan_save(const struct ipt_ip *ip, + const struct ipt_entry_match *match) +{ + const struct xt_portscan_info *info = (const void *)(match->data); + if(info->match_stealth) printf("--stealth "); + if(info->match_syn) printf("--synscan "); + if(info->match_cn) printf("--cnscan "); + if(info->match_gr) printf("--grscan "); + return; +} + +static struct option libipt_portscan_opts[] = { + {"stealth", 0, NULL, 'x'}, + {"synscan", 0, NULL, 's'}, + {"cnscan", 0, NULL, 'c'}, + {"grscan", 0, NULL, 'g'}, + {NULL}, +}; + +static struct iptables_match libipt_portscan_info = { + .name = "portscan", + .version = IPTABLES_VERSION, + .size = IPT_ALIGN(sizeof(struct xt_portscan_info)), + .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)), + .help = libipt_portscan_help, + .init = libipt_portscan_mtinit, + .parse = libipt_portscan_parse, + .final_check = libipt_portscan_check, + .print = libipt_portscan_print, + .save = libipt_portscan_save, + .extra_opts = libipt_portscan_opts, +}; + +static __attribute__((constructor)) void libipt_portscan_init(void) +{ + register_match(&libipt_portscan_info); + return; +} diff -ruN iptables-1.3.5.orig/extensions/.portscan-test iptables-1.3.5/extensions/.portscan-test --- iptables-1.3.5.orig/extensions/.portscan-test 1970-01-01 01:00:00.000000000 +0100 +++ iptables-1.3.5/extensions/.portscan-test 2007-01-09 16:05:14.228187134 +0100 @@ -0,0 +1,2 @@ +#!/bin/sh +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan";