diff options
author | juhosg <juhosg@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2008-04-15 06:11:23 +0000 |
---|---|---|
committer | juhosg <juhosg@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2008-04-15 06:11:23 +0000 |
commit | a58eaf210a223672f67c03d2070fa2fefdb2595b (patch) | |
tree | afa05fc32fd52e099867c546d48d880948f8be5a /package/iptables/patches/009-tarpit-support.patch | |
parent | 3a26d2990b9a481e44f1ddd36dfc84536c2ab39f (diff) |
update iptables to 1.4.0 (2.6 kernels only), refresh kernel patches
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@10843 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/iptables/patches/009-tarpit-support.patch')
-rw-r--r-- | package/iptables/patches/009-tarpit-support.patch | 106 |
1 files changed, 0 insertions, 106 deletions
diff --git a/package/iptables/patches/009-tarpit-support.patch b/package/iptables/patches/009-tarpit-support.patch deleted file mode 100644 index 310537987..000000000 --- a/package/iptables/patches/009-tarpit-support.patch +++ /dev/null @@ -1,106 +0,0 @@ -diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.c iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c ---- iptables-1.3.8-20070817/extensions/libipt_TARPIT.c 1969-12-31 19:00:00.000000000 -0500 -+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c 2007-08-18 14:49:25.000000000 -0400 -@@ -0,0 +1,58 @@ -+/* Shared library add-on to iptables for TARPIT support */ -+#include <stdio.h> -+#include <getopt.h> -+#include <iptables.h> -+ -+static void -+help(void) -+{ -+ fputs( -+"TARPIT takes no options\n" -+"\n", stdout); -+} -+ -+static struct option opts[] = { -+ { 0 } -+}; -+ -+static int -+parse(int c, char **argv, int invert, unsigned int *flags, -+ const struct ipt_entry *entry, -+ struct ipt_entry_target **target) -+{ -+ return 0; -+} -+ -+static void final_check(unsigned int flags) -+{ -+} -+ -+static void -+print(const struct ipt_ip *ip, -+ const struct ipt_entry_target *target, -+ int numeric) -+{ -+} -+ -+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target) -+{ -+} -+ -+static struct iptables_target tarpit = { -+ .next = NULL, -+ .name = "TARPIT", -+ .version = IPTABLES_VERSION, -+ .size = IPT_ALIGN(0), -+ .userspacesize = IPT_ALIGN(0), -+ .help = &help, -+ .parse = &parse, -+ .final_check = &final_check, -+ .print = &print, -+ .save = &save, -+ .extra_opts = opts -+}; -+ -+void _init(void) -+{ -+ register_target(&tarpit); -+} -diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.man iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man ---- iptables-1.3.8-20070817/extensions/libipt_TARPIT.man 1969-12-31 19:00:00.000000000 -0500 -+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man 2007-08-18 14:49:25.000000000 -0400 -@@ -0,0 +1,34 @@ -+Captures and holds incoming TCP connections using no local -+per-connection resources. Connections are accepted, but immediately -+switched to the persist state (0 byte window), in which the remote -+side stops sending data and asks to continue every 60-240 seconds. -+Attempts to close the connection are ignored, forcing the remote side -+to time out the connection in 12-24 minutes. -+ -+This offers similar functionality to LaBrea -+<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated -+hardware or IPs. Any TCP port that you would normally DROP or REJECT -+can instead become a tarpit. -+ -+To tarpit connections to TCP port 80 destined for the current machine: -+.IP -+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT -+.P -+To significantly slow down Code Red/Nimda-style scans of unused address -+space, forward unused ip addresses to a Linux box not acting as a router -+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP -+forwarding on the Linux box, and add: -+.IP -+iptables -A FORWARD -p tcp -j TARPIT -+.IP -+iptables -A FORWARD -j DROP -+.TP -+NOTE: -+If you use the conntrack module while you are using TARPIT, you should -+also use the NOTRACK target, or the kernel will unnecessarily allocate -+resources for each TARPITted connection. To TARPIT incoming -+connections to the standard IRC port while using conntrack, you could: -+.IP -+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK -+.IP -+iptables -A INPUT -p tcp --dport 6667 -j TARPIT -diff -N -u -r iptables-1.3.8-20070817/extensions/.TARPIT-test iptables-1.3.8-20070817-nf/extensions/.TARPIT-test ---- iptables-1.3.8-20070817/extensions/.TARPIT-test 1969-12-31 19:00:00.000000000 -0500 -+++ iptables-1.3.8-20070817-nf/extensions/.TARPIT-test 2007-08-18 14:49:25.000000000 -0400 -@@ -0,0 +1,2 @@ -+#! /bin/sh -+[ -f $KERNEL_DIR/net/netfilter/xt_TARPIT.c ] && echo TARPIT |