/*
*
* SYNwall
* Copyright (C) 2019 Sorint.lab
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>
*
*/
/**
 * __psk_strlen - returns the length of a null terminated string
 * @str: pointer to the string
 *
 * This is just a replacement of the strlen lib function. Not sure if
 * it makes sense to use it instead of the standard one.
 * NOTE(review): identifiers starting with a double underscore are reserved
 * for the implementation by the C standard; a plain "psk_strlen" would avoid
 * any clash (kept as-is here because the definition lives elsewhere).
 * Returns the length.
 */
static size_t __psk_strlen(const char *str);
/**
 * portk_check - check for port knocking
 * @destp: destination port (port knocked)
 * @saddr: source address (who is knocking)
 *
 * Check if a port knocking sequence has been received; if so, disable the
 * module for a while by resetting the "initialized" variable.
 * The knocking sequence must be sent within "portk_interval" milliseconds
 * (default 1000).
 * NOTE(review): a matching sequence disables the OTP check module-wide, so
 * the sequence secrecy and any rate limiting of the knock matter for the
 * overall protection — verify against the definition, not visible here.
 */
static void portk_check(uint16_t destp, uint32_t saddr);
/**
 * icmp_echo - check if it's an ICMP ECHO request
 * @iph: IP header pointer
 *
 * Check if the packet is an ICMP ECHO request.
 * Returns 1 if echo request, 0 otherwise.
 */
static u8 icmp_echo(struct iphdr *iph);
/**
 * antidos_check - DoS check
 *
 * If enabled, this function checks the last time an OTP has been computed,
 * so we can limit the number of OTPs per time interval.
 * The limit is defined by "allow_otp_ms" (default 1000 ms). So, if enabled,
 * it will limit the OTP computation to 1 per second.
 * Returns 1 if the time limit has not elapsed yet (so the packet will be
 * discarded).
 */
static u8 antidos_check(void);
/**
 * check_linear - check the sk buffer for "linearity"
 * @skb: sk buffer pointer
 * @iph: IP header pointer to be refreshed if linearization occurred,
 * NULL if not used
 * @tcph: TCP header pointer to be refreshed if linearization occurred,
 * NULL if not used
 * @udph: UDP header pointer to be refreshed if linearization occurred,
 * NULL if not used
 *
 * It checks if the sk buffer is linear. If not, it tries to linearize it.
 * The header pointers are refreshed because linearization may move the
 * packet data, leaving the old pointers dangling.
 * Returns:
 * 0 no action done (buffer already linear)
 * 1 buffer linearized
 * -1 linearization failed
 * NOTE(review): the declared return type is u8 (unsigned), so -1 is
 * delivered to callers as 255; a caller testing "< 0" would never see the
 * failure and could go on to parse a non-linear buffer. Callers must compare
 * against (u8)-1, or the return type should become a signed int — confirm
 * against the definition and its call sites.
 */
static u8 check_linear(struct sk_buff *skb, struct iphdr **iph,
struct tcphdr **tcph, struct udphdr **udph);
/**
 * check_udp_blacklist - check if UDP service is blacklisted
 * @udph: UDP header pointer
 *
 * Since some UDP protocols are widely used for a lot of "underlying"
 * services (NTP, DNS, etc), we need to avoid adding the OTP, which may
 * break the communication. This function is used to check if the current
 * protocol is one of those.
 * Returns 0 if not blacklisted, 1 otherwise.
 */
static u8 check_udp_blacklist(struct udphdr *udph);
/**
 * process_tcp_in - process incoming TCP packets
 * @skb: sk buffer pointer
 * @iph: IP header pointer
 * @tcph: TCP header pointer
 *
 * It processes the incoming TCP packet.
 * As a first step it checks the length of the payload, to understand if
 * something is present (usually it is 0). If so, it calls the OTP generation
 * function and compares the result with the incoming value.
 * It can fail for several reasons, like memory allocation issues or errors
 * in generating the OTP.
 * Returns 0 if the OTP matches, otherwise returns 1 (a failure is treated
 * the same as a mismatch, i.e. the packet is not accepted).
 */
static u8 process_tcp_in(struct sk_buff *skb, struct iphdr *iph,
struct tcphdr *tcph);
/**
 * process_tcp_out - process outgoing TCP packets
 * @skb: sk buffer pointer
 * @iph: IP header pointer
 * @tcph: TCP header pointer
 *
 * It processes the outgoing TCP packet.
 * The function calls the OTP generation function and the OTP "append"
 * function.
 * It can fail for several reasons, like memory allocation issues or errors
 * in generating the OTP.
 * Returns 0 if the packet must be accepted, otherwise returns 1.
 */
static u8 process_tcp_out(struct sk_buff *skb, struct iphdr *iph,
struct tcphdr *tcph);
/**
 * process_udp_out - process outgoing UDP packets
 * @skb: sk buffer pointer
 * @iph: IP header pointer
 * @udph: UDP header pointer
 *
 * It processes the outgoing UDP packet.
 * The function calls the OTP generation function and the OTP "append"
 * function.
 * It can fail for several reasons, like memory allocation issues or errors
 * in generating the OTP.
 * Returns 0 if the packet must be accepted, otherwise returns 1.
 */
static u8 process_udp_out(struct sk_buff *skb, struct iphdr *iph,
struct udphdr *udph);
/**
 * process_udp_in - process incoming UDP packets
 * @skb: sk buffer pointer
 * @iph: IP header pointer
 * @udph: UDP header pointer
 *
 * It processes the incoming UDP packet.
 * As a first step it checks the length of the payload, to understand if
 * a minimal length is present. If so, it calls the OTP generation
 * function and compares the result with the incoming value.
 * It can fail for several reasons, like memory allocation issues or errors
 * in generating the OTP.
 * If the OTP is recognized and validated, it is then stripped from the
 * packet before it is handed to the upper layers.
 * Returns 0 if the OTP matches, otherwise returns 1.
 */
static u8 process_udp_in(struct sk_buff *skb, struct iphdr *iph,
struct udphdr *udph);
/**
 * logs_udp_error - logs an error
 *
 * When the UDP protocol is enabled, a CONNTRACK module (and a CONNTRACK
 * rule) is needed. This just prints out an error when this condition is
 * not satisfied.
 */
static void logs_udp_error(void);