More patches for 2.0.31

Jon Lewis (jlewis@inorganic5.fdt.net)
Thu, 14 Aug 1997 01:43:17 -0400 (EDT)


These are relative to Linus's pre-2.0.31-5.

Included are the following:
1) 1 spelling correction in random.c
2) 1 fix(?) to new_tunnel.c after I got
new_tunnel.c: In function Tunnel_xmit':
new_tunnel.c:270: warning: assignment from incompatible pointer type
while compiling pre-2.0.31-5. I don't know the code there, but I did
what looked appropriate, and the warning went away. :)
3) My changes to the SYN flood reporting. Instead of printing IPs in
hex, they get printed in dotted-quad format so I can read them without
breaking out a hex->dec converter. Also, much more info is reported
when possible SYN flooding is detected. I also added a warning to
Configure.help that the reported source addr in SYN flood warnings
is likely to have been forged.
4) Someone else's suggested change to Makefile warning people that
SMP=0 won't mean what they think it means.

I have added features for softdog.c that I'd kind of like to contribute,
but is there any possibility of them making it into 2.0.3x? I've been
using them for over a year without problems.

What's the status of noatime? It looks like its in pre5, but I can't seem
to get -o noatime to work.

diff -ruN --exclude *.orig --exclude *~ linux-pre5/Documentation/Configure.help linux/Documentation/Configure.help
--- linux-pre5/Documentation/Configure.help Wed Aug 13 18:40:05 1997
+++ linux/Documentation/Configure.help Thu Aug 14 00:35:45 1997
@@ -472,7 +472,10 @@
the same end. SYN cookies use less space than RST cookies,
but have a small probability of introducing an non timed-out
failure to connect in the remote TCP. You can use both options
- simultatenously.
+ simultatenously. If you are SYN flooded, the source address
+ reported by the kernel is likely to have been forged by the attacker.
+ The source address is reported as an aid in tracing the packets to
+ their actual source.

SYN flood protection
CONFIG_RST_COOKIES
@@ -486,7 +489,10 @@
The SYN_COOKIES option provides an alternative method to accomplish
the same end. RST cookies use more space than SYN cookies on your
machine, but never increase the probability of a frozen connection
- in a remote TCP. You can use both options simultatenously.
+ in a remote TCP. You can use both options simultatenously. If you
+ are SYN flooded, the source address reported by the kernel is likely
+ to have been forged by the attacker. The source address is reported
+ as an aid in tracing the packets to their actual source.

Sun floppy controller support
CONFIG_BLK_DEV_SUNFD
diff -ruN --exclude *.orig --exclude *~ linux-pre5/Makefile linux/Makefile
--- linux-pre5/Makefile Wed Aug 13 18:40:05 1997
+++ linux/Makefile Thu Aug 14 00:50:59 1997
@@ -10,6 +10,7 @@
# on "CONFIG_SMP"
#
# NOTE! SMP is experimental. See the file Documentation/SMP.txt
+# When disabling SMP, comment out "SMP = 1". Do not set "SMP = 0".
#
# SMP = 1
#
diff -ruN --exclude *.orig --exclude *~ linux-pre5/drivers/char/random.c linux/drivers/char/random.c
--- linux-pre5/drivers/char/random.c Wed Aug 13 18:40:07 1997
+++ linux/drivers/char/random.c Wed Aug 13 23:42:21 1997
@@ -349,6 +349,8 @@
#define MIN(a,b) (((a) < (b)) ? (a) : (b))
#endif

+char *in_ntoa(unsigned long in);
+
/*
* Unfortunately, while the GCC optimizer for the i386 understands how
* to optimize a static rotate left of x bits, it doesn't know how to
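Review bot: The `char *in_ntoa(unsigned long in);` prototype added at the top of this hunk re-declares a kernel function by hand instead of taking it from its header, and the same hand-written line is added again in net/ipv4/tcp_input.c at the end of this patch. A local prototype is never checked against the real definition, so a later change to in_ntoa's signature or return type would go unnoticed in both files while still compiling. Prefer `#include <linux/inet.h>`, which declares in_ntoa, in place of the bare prototype in both files.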
@@ -1337,8 +1339,14 @@
do_gettimeofday(&tv);
seq = tmp[1] + tv.tv_usec+tv.tv_sec*1000000;
#if 0
- printk("init_seq(%lx, %lx, %d, %d) = %d\n",
- saddr, daddr, sport, dport, seq);
+ /*
+ ugh...we can only use in_ntoa once per printk, and splitting
+ a single line of info into multiple printk's confuses klogd.
+ */
+ printk("init_seq(%s:%d, %d.%d.%d.%d:%d) = %d\n",
+ in_ntoa(saddr), sport, ((unsigned char *)&daddr)[0],
+ ((unsigned char *)&daddr)[1], ((unsigned char *)&daddr)[2],
+ ((unsigned char *)&daddr)[3], dport, seq);
#endif
return (seq);
}
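Review bot: The comment explaining that in_ntoa() can be used only once per printk because its result is a static buffer is placed under `#if 0` together with the debug printk, so it is compiled out and is not visible next to the live printk calls later in this file and in tcp_input.c that follow the same one-in_ntoa-plus-byte-indexing pattern. Since that constraint is what justifies printing saddr through in_ntoa and daddr byte by byte, keep a one-line version of it next to the in_ntoa declaration or at the first live use, e.g. `/* in_ntoa() returns a static buffer: at most one call per printk; other addresses are printed byte by byte */`. The enclosing function starts before this hunk.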
@@ -1361,7 +1369,7 @@

/*
* Pick a random secret the first time we open a TCP
- * connection, and expire secretes older than 5 minutes.
+ * connection, and expire secrets older than 5 minutes.
*/
if (is_init == 0 || jiffies-secret_timestamp[offset] > 600*HZ) {
if (is_init == 0) valid_secret[0] = valid_secret[1] = 0;
@@ -1386,14 +1394,21 @@
if (!validate) {
if (seq == sseq) seq++;
#if 0
- printk("init_seq(%lx, %lx, %d, %d, %d) = %d\n",
- saddr, daddr, sport, dport, sseq, seq);
+ printk("init_seq(%s:%d %d.%d.%d.%d:%d, %d) = %d\n",
+ in_ntoa(saddr), sport, ((unsigned char *)&daddr)[0],
+ ((unsigned char *)&daddr)[1],
+ ((unsigned char *)&daddr)[2],
+ ((unsigned char *)&daddr)[3], dport, sseq, seq);
#endif
return (seq);
} else {
if (seq == sseq || (seq+1) == sseq) {
- printk("validated probe(%lx, %lx, %d, %d, %d)\n",
- saddr, daddr, sport, dport, sseq);
+ printk("validated probe(%s:%d, %d.%d.%d.%d:%d, %d)\n",
+ in_ntoa(saddr), sport,
+ ((unsigned char *)&daddr)[0],
+ ((unsigned char *)&daddr)[1],
+ ((unsigned char *)&daddr)[2],
+ ((unsigned char *)&daddr)[3], dport, sseq);
return 1;
}
if (jiffies-secret_timestamp[(offset+1)%2] <= 1200*HZ) {
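Review bot: The `((unsigned char *)&daddr)[0]`..`[3]` arguments in the live `validated probe` printk read the address out of memory byte by byte, which prints the right octets only when the four network-order bytes are the first four bytes of `daddr`; the old format used `%lx`, so daddr appears to be long-sized, and on a big-endian host where long is wider than 32 bits the indexed bytes would be the zero-valued high half. The same pattern appears in the next hunk of this file and in the tcp_input.c hunk. Deriving the octets arithmetically removes the dependency on object layout, e.g. `unsigned long a = ntohl(daddr);` followed by `(a >> 24) & 0xff, (a >> 16) & 0xff, (a >> 8) & 0xff, a & 0xff` in place of the four casts. The enclosing function continues past both ends of this hunk.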
@@ -1405,15 +1420,24 @@
seq = tmp[1];
if (seq == sseq || (seq+1) == sseq) {
#ifdef 0
- printk("validated probe(%lx, %lx, %d, %d, %d)\n",
- saddr, daddr, sport, dport, sseq);
+ printk("validated probe(%s:%d, %d.%d.%d.%d:%d, %d)\n",
+ in_ntoa(saddr), sport,
+ ((unsigned char *)&daddr)[0],
+ ((unsigned char *)&daddr)[1],
+ ((unsigned char *)&daddr)[2],
+ ((unsigned char *)&daddr)[3],
+ dport, sseq);
#endif
return 1;
}
}
#ifdef 0
- printk("failed validation on probe(%lx, %lx, %d, %d, %d)\n",
- saddr, daddr, sport, dport, sseq);
+ printk("failed validation on probe(%s:%d, %d.%d.%d.%d:%d, %d)\n",
+ in_ntoa(saddr), sport, ((unsigned char *)&daddr)[0],
+ ((unsigned char *)&daddr)[1],
+ ((unsigned char *)&daddr)[2],
+ ((unsigned char *)&daddr)[3],
+ dport, sseq);
#endif
return 0;
}
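Review bot: Both printk blocks added in this hunk sit under `#ifdef 0` (the context line above each), which is not a well-formed directive because `#ifdef` takes a macro name rather than a literal; the directive is pre-existing, but the new lines inherit it, and the earlier hunks of this file use `#if 0` for the same purpose. Depending on the preprocessor this is either rejected outright or accepted with a warning that happens to compile the block out, so the two directives should read `#if 0` so that the disabled debug output is consistent with the rest of the file and does not hinge on lenient cpp behaviour. The enclosing function starts before this hunk.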
diff -ruN --exclude *.orig --exclude *~ linux-pre5/drivers/net/new_tunnel.c linux/drivers/net/new_tunnel.c
--- linux-pre5/drivers/net/new_tunnel.c Wed Aug 13 18:40:14 1997
+++ linux/drivers/net/new_tunnel.c Wed Aug 13 23:14:58 1997
@@ -267,7 +267,7 @@

/* Tack on our header */
new_skb->h.iph = (struct iphdr *) skb_push(new_skb, tunnel_hlen);
- new_skb->mac.raw = new_skb->ip_hdr;
+ new_skb->mac.raw = (unsigned char *) new_skb->ip_hdr;

/* Free the old packet, we no longer need it */
dev_kfree_skb(skb, FREE_WRITE);
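Review bot: The cast on the `mac.raw` assignment silences the warning but leaves open the question it raised: the line above stores the freshly pushed header in `new_skb->h.iph`, while the cast line reads `new_skb->ip_hdr`, which nothing in this hunk sets, so whether the two point at the same place depends on code outside the hunk. If the intent is that the MAC pointer starts at the header just pushed, `new_skb->mac.raw = (unsigned char *) new_skb->h.iph;` says so without relying on `ip_hdr` having been updated elsewhere; otherwise a short comment on why `ip_hdr` is the right pointer here would help, given the patch author's own note of being unfamiliar with this code. Tunnel_xmit begins before this hunk.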
diff -ruN --exclude *.orig --exclude *~ linux-pre5/net/ipv4/tcp_input.c linux/net/ipv4/tcp_input.c
--- linux-pre5/net/ipv4/tcp_input.c Wed Aug 13 18:40:25 1997
+++ linux/net/ipv4/tcp_input.c Wed Aug 13 23:54:26 1997
@@ -41,6 +41,8 @@
#include <linux/random.h>
#include <net/tcp.h>

+char *in_ntoa(unsigned long in);
+
/*
* Policy code extracted so it's now separate
*/
@@ -618,7 +620,12 @@
/* Only let this warning get printed once a minute. */
if (jiffies - warning_time > HZ*60) {
warning_time = jiffies;
- printk(KERN_INFO "Warning: possible SYN flooding on port %d. Sending cookies.\n", ntohs(th->dest));
+ printk(KERN_INFO "Warning: possible SYN flooding on %s:%d from %d.%d.%d.%d. Sending cookies.\n",
+ in_ntoa(daddr),ntohs(th->dest),
+ ((unsigned char *)&saddr)[0],
+ ((unsigned char *)&saddr)[1],
+ ((unsigned char *)&saddr)[2],
+ ((unsigned char *)&saddr)[3]);
}
#ifdef CONFIG_RST_COOKIES
tcp_send_synack_probe(daddr, saddr, th, &tcp_prot,
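Review bot: The new warning printk renders the two addresses in two different ways — `in_ntoa(daddr)` for the local side and four `((unsigned char *)&saddr)[i]` arguments for the remote side — with no comment saying why, and the only explanation in this patch is under `#if 0` in random.c. A one-line comment above the printk, `/* in_ntoa() returns a static buffer, so it can appear once per printk; saddr is printed byte by byte */`, keeps the next maintainer from "simplifying" this into two in_ntoa calls that would print the same address twice. On style, `in_ntoa(daddr),ntohs(th->dest),` is missing the space after the comma that the rest of the argument list uses. The source address in this message is taken straight from the packet and is therefore attacker-chosen; the Configure.help text added in this patch says so, and the log line itself could carry the caveat, e.g. `from (possibly forged) %d.%d.%d.%d`. The enclosing function starts and ends outside this hunk.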

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____