Advertisement
teknoraver

openwrt stealth

Jul 6th, 2015
335
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Diff 8.17 KB | None | 0 0
  1. From 1ab6ef66f52115c028dca1124b494e16a58d3119 Mon Sep 17 00:00:00 2001
  2. From: Matteo Croce <matteo@openwrt.org>
  3. Date: Mon, 6 Jul 2015 22:03:21 +0200
  4. Subject: [PATCH 14/14] add stealth mode for WAN interfaces
  5.  
  6. ---
  7. .../files/etc/hotplug.d/iface/20-stealth           |   3 +
  8.  .../linux/generic/patches-3.18/682-stealth.patch   | 204 +++++++++++++++++++++
  9.  2 files changed, 207 insertions(+)
  10.  create mode 100755 package/base-files/files/etc/hotplug.d/iface/20-stealth
  11.  create mode 100644 target/linux/generic/patches-3.18/682-stealth.patch
  12.  
  13. diff --git a/package/base-files/files/etc/hotplug.d/iface/20-stealth b/package/base-files/files/etc/hotplug.d/iface/20-stealth
  14. new file mode 100755
  15. index 0000000..2f87a6c
  16. --- /dev/null
  17. +++ b/package/base-files/files/etc/hotplug.d/iface/20-stealth
  18. @@ -0,0 +1,3 @@
  19. +#!/bin/sh
  20. +
  21. +[ "$ACTION" = ifup -a "$INTERFACE" = wan ] && echo 1 >/proc/sys/net/ipv4/conf/$DEVICE/stealth
  22. diff --git a/target/linux/generic/patches-3.18/682-stealth.patch b/target/linux/generic/patches-3.18/682-stealth.patch
  23. new file mode 100644
  24. index 0000000..f398fcf
  25. --- /dev/null
  26. +++ b/target/linux/generic/patches-3.18/682-stealth.patch
  27. @@ -0,0 +1,204 @@
  28. +Index: linux-3.18.17/Documentation/networking/ip-sysctl.txt
  29. +===================================================================
  30. +--- linux-3.18.17.orig/Documentation/networking/ip-sysctl.txt
  31. ++++ linux-3.18.17/Documentation/networking/ip-sysctl.txt
  32. +@@ -1116,6 +1116,12 @@ tag - INTEGER
  33. +   Allows you to write a number, which can be used as required.
  34. +   Default value is 0.
  35. +
  36. ++stealth - BOOLEAN
  37. ++  Disable any reply not related to a listening socket,
  38. ++  like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
  39. ++  Also disables ICMP replies to echo requests and timestamp.
  40. ++  Default value is 0.
  41. ++
  42. + Alexey Kuznetsov.
  43. + kuznet@ms2.inr.ac.ru
  44. +
  45. +@@ -1466,6 +1472,12 @@ suppress_frag_ndisc - INTEGER
  46. +   1 - (default) discard fragmented neighbor discovery packets
  47. +   0 - allow fragmented neighbor discovery packets
  48. +
  49. ++stealth - BOOLEAN
  50. ++  Disable any reply not related to a listening socket,
  51. ++  like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
  52. ++  Also disables ICMPv6 replies to echo requests.
  53. ++  Default value is 0.
  54. ++
  55. + icmp/*:
  56. + ratelimit - INTEGER
  57. +   Limit the maximal rates for sending ICMPv6 packets.
  58. +Index: linux-3.18.17/include/linux/inetdevice.h
  59. +===================================================================
  60. +--- linux-3.18.17.orig/include/linux/inetdevice.h
  61. ++++ linux-3.18.17/include/linux/inetdevice.h
  62. +@@ -125,6 +125,7 @@ static inline void ipv4_devconf_setall(s
  63. + #define IN_DEV_ARP_ANNOUNCE(in_dev)   IN_DEV_MAXCONF((in_dev), ARP_ANNOUNCE)
  64. + #define IN_DEV_ARP_IGNORE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_IGNORE)
  65. + #define IN_DEV_ARP_NOTIFY(in_dev) IN_DEV_MAXCONF((in_dev), ARP_NOTIFY)
  66. ++#define IN_DEV_STEALTH(in_dev)        IN_DEV_MAXCONF((in_dev), STEALTH)
  67. +
  68. + struct in_ifaddr {
  69. +   struct hlist_node   hash;
  70. +Index: linux-3.18.17/include/linux/ipv6.h
  71. +===================================================================
  72. +--- linux-3.18.17.orig/include/linux/ipv6.h
  73. ++++ linux-3.18.17/include/linux/ipv6.h
  74. +@@ -51,6 +51,7 @@ struct ipv6_devconf {
  75. +   __s32       force_tllao;
  76. +   __s32           ndisc_notify;
  77. +   __s32       suppress_frag_ndisc;
  78. ++  __s32       stealth;
  79. +   void        *sysctl;
  80. + };
  81. +
  82. +Index: linux-3.18.17/include/uapi/linux/ip.h
  83. +===================================================================
  84. +--- linux-3.18.17.orig/include/uapi/linux/ip.h
  85. ++++ linux-3.18.17/include/uapi/linux/ip.h
  86. +@@ -164,6 +164,7 @@ enum
  87. +   IPV4_DEVCONF_ROUTE_LOCALNET,
  88. +   IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL,
  89. +   IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
  90. ++  IPV4_DEVCONF_STEALTH,
  91. +   __IPV4_DEVCONF_MAX
  92. + };
  93. +
  94. +Index: linux-3.18.17/net/ipv4/devinet.c
  95. +===================================================================
  96. +--- linux-3.18.17.orig/net/ipv4/devinet.c
  97. ++++ linux-3.18.17/net/ipv4/devinet.c
  98. +@@ -2143,6 +2143,7 @@ static struct devinet_sysctl_table {
  99. +                         "promote_secondaries"),
  100. +       DEVINET_SYSCTL_FLUSHING_ENTRY(ROUTE_LOCALNET,
  101. +                         "route_localnet"),
  102. ++      DEVINET_SYSCTL_RW_ENTRY(STEALTH, "stealth"),
  103. +   },
  104. + };
  105. +
  106. +Index: linux-3.18.17/net/ipv4/icmp.c
  107. +===================================================================
  108. +--- linux-3.18.17.orig/net/ipv4/icmp.c
  109. ++++ linux-3.18.17/net/ipv4/icmp.c
  110. +@@ -879,6 +879,9 @@ static void icmp_echo(struct sk_buff *sk
  111. + {
  112. +   struct net *net;
  113. +
  114. ++  if (IN_DEV_STEALTH(skb->dev->ip_ptr))
  115. ++      return true;
  116. ++
  117. +   net = dev_net(skb_dst(skb)->dev);
  118. +   if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
  119. +       struct icmp_bxm icmp_param;
  120. +@@ -910,6 +913,9 @@ static void icmp_timestamp(struct sk_buf
  121. +   if (skb->len < 4)
  122. +       goto out_err;
  123. +
  124. ++  if (IN_DEV_STEALTH(skb->dev->ip_ptr))
  125. ++      return true;
  126. ++
  127. +   /*
  128. +    *  Fill in the current time as ms since midnight UT:
  129. +    */
  130. +Index: linux-3.18.17/net/ipv4/tcp_ipv4.c
  131. +===================================================================
  132. +--- linux-3.18.17.orig/net/ipv4/tcp_ipv4.c
  133. ++++ linux-3.18.17/net/ipv4/tcp_ipv4.c
  134. +@@ -77,6 +77,7 @@
  135. + #include <net/busy_poll.h>
  136. +
  137. + #include <linux/inet.h>
  138. ++#include <linux/inetdevice.h>
  139. + #include <linux/ipv6.h>
  140. + #include <linux/stddef.h>
  141. + #include <linux/proc_fs.h>
  142. +@@ -1695,7 +1696,7 @@ csum_error:
  143. +       TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
  144. + bad_packet:
  145. +       TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
  146. +-  } else {
  147. ++  } else if (!IN_DEV_STEALTH(skb->dev->ip_ptr)) {
  148. +       tcp_v4_send_reset(NULL, skb);
  149. +   }
  150. +
  151. +Index: linux-3.18.17/net/ipv4/udp.c
  152. +===================================================================
  153. +--- linux-3.18.17.orig/net/ipv4/udp.c
  154. ++++ linux-3.18.17/net/ipv4/udp.c
  155. +@@ -96,6 +96,7 @@
  156. + #include <linux/timer.h>
  157. + #include <linux/mm.h>
  158. + #include <linux/inet.h>
  159. ++#include <linux/inetdevice.h>
  160. + #include <linux/netdevice.h>
  161. + #include <linux/slab.h>
  162. + #include <net/tcp_states.h>
  163. +@@ -1811,7 +1812,8 @@ int __udp4_lib_rcv(struct sk_buff *skb,
  164. +       goto csum_error;
  165. +
  166. +   UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
  167. +-  icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
  168. ++  if (!IN_DEV_STEALTH(skb->dev->ip_ptr))
  169. ++      icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
  170. +
  171. +   /*
  172. +    * Hmm.  We got an UDP packet to a port to which we
  173. +Index: linux-3.18.17/net/ipv6/addrconf.c
  174. +===================================================================
  175. +--- linux-3.18.17.orig/net/ipv6/addrconf.c
  176. ++++ linux-3.18.17/net/ipv6/addrconf.c
  177. +@@ -5224,6 +5224,13 @@ static struct addrconf_sysctl_table
  178. +           .proc_handler   = proc_dointvec,
  179. +       },
  180. +       {
  181. ++          .procname   = "stealth",
  182. ++          .data       = &ipv6_devconf.stealth,
  183. ++          .maxlen     = sizeof(int),
  184. ++          .mode       = 0644,
  185. ++          .proc_handler   = proc_dointvec,
  186. ++      },
  187. ++      {
  188. +           /* sentinel */
  189. +       }
  190. +   },
  191. +Index: linux-3.18.17/net/ipv6/icmp.c
  192. +===================================================================
  193. +--- linux-3.18.17.orig/net/ipv6/icmp.c
  194. ++++ linux-3.18.17/net/ipv6/icmp.c
  195. +@@ -723,7 +723,8 @@ static int icmpv6_rcv(struct sk_buff *sk
  196. +
  197. +   switch (type) {
  198. +   case ICMPV6_ECHO_REQUEST:
  199. +-      icmpv6_echo_reply(skb);
  200. ++      if (!idev->cnf.stealth)
  201. ++          icmpv6_echo_reply(skb);
  202. +       break;
  203. +
  204. +   case ICMPV6_ECHO_REPLY:
  205. +Index: linux-3.18.17/net/ipv6/tcp_ipv6.c
  206. +===================================================================
  207. +--- linux-3.18.17.orig/net/ipv6/tcp_ipv6.c
  208. ++++ linux-3.18.17/net/ipv6/tcp_ipv6.c
  209. +@@ -1505,7 +1505,7 @@ csum_error:
  210. +       TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
  211. + bad_packet:
  212. +       TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
  213. +-  } else {
  214. ++  } else if (!__in6_dev_get(skb->dev)->cnf.stealth) {
  215. +       tcp_v6_send_reset(NULL, skb);
  216. +   }
  217. +
  218. +Index: linux-3.18.17/net/ipv6/udp.c
  219. +===================================================================
  220. +--- linux-3.18.17.orig/net/ipv6/udp.c
  221. ++++ linux-3.18.17/net/ipv6/udp.c
  222. +@@ -919,7 +919,8 @@ int __udp6_lib_rcv(struct sk_buff *skb,
  223. +       goto csum_error;
  224. +
  225. +   UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
  226. +-  icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
  227. ++  if (!__in6_dev_get(skb->dev)->cnf.stealth)
  228. ++      icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
  229. +
  230. +   kfree_skb(skb);
  231. +   return 0;
  232. --
  233. 2.1.4
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement