TARPIT and newer kernels

felosi · 08-24-2007, 04:46 PM

I specialize in ddos protected and high risk hosting, Im always trying to find better ways of blocking what gets to the server. Recently I checked out this article on
http://www.secureworks.com/research/...s/?threat=ddos

And thought that would be a pretty awesome way to ban, if teh people with bots in their pc didnt think anything was going on they sure would when they get banned by that, well in theory.

So I got patch-o-matic, patched the iptables, compiled fine. Then I patched the kernel 2.6.22.2-grsecurity and on make modules it fails everytime at the tarpit module. The module was selectable from menuconfig so it does look like the patch went throug jut didnt on make. I tried a few different things to no avail would not compile.

Question is has anyone got this module working with the newer kernels? If so did you run into any problems? And anyone with any experience running the module any input would be appreciated

And do you think the grsecurity patches may have gotten in the way somehow?

The artcle isnt that old but they never said what kernel they used and all that unless I completely missed it.

unSpawn · 08-28-2007, 04:41 PM

What's the exact errors?

strohel · 08-31-2007, 01:25 PM

I have the same problem, even with (near-) vanilla kernel 2.6.22, so do not blame grsecurity. I think that TARPIT is just outdated, needs to update to newer kernel API. Unfortunately netfilter bugzilla does not work for me. ( https://bugzilla.netfilter.org/bugzilla/index.cgi )

The exact error follows (also to help people googling exact phrase to find this thread):

Code:

  CC [M]  net/ipv4/netfilter/ipt_TARPIT.o
net/ipv4/netfilter/ipt_TARPIT.c: In function ‘tarpit_tcp’:
net/ipv4/netfilter/ipt_TARPIT.c:87: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:90: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:91: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:92: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:103: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:104: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:122: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:122: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:126: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:127: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:130: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:130: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:130: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:130: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:130: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:130: warning: type defaults to ‘int’ in declaration of ‘type name’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:137: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:162: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:163: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:167: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:168: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:169: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:179: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:182: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:183: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:186: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:187: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:187: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:188: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c: In function ‘tarpit’:
net/ipv4/netfilter/ipt_TARPIT.c:231: error: ‘struct sk_buff’ has no member named ‘nh’
net/ipv4/netfilter/ipt_TARPIT.c:235: error: ‘struct sk_buff’ has no member named ‘nh’
make[3]: *** [net/ipv4/netfilter/ipt_TARPIT.o] Error 1

felosi · 08-31-2007, 11:21 PM

Thanks, I meant to post my errors here but got to caught up in work, but they are the same exact ones.

I really wish someone would develop and update this module, it would be very handy.

And oh, that article I heard about it from was only published like a month or two ago so they probably used 2.4 kernels or something

osor · 09-01-2007, 04:55 PM

Quote:

Originally Posted by felosi

I really wish someone would develop and update this module, it would be very handy.

And oh, that article I heard about it from was only published like a month or two ago so they probably used 2.4 kernels or something

To be fair, the sk_buff API change was officially merged in late April, and applies only to kernels greater than or equal to 2.6.22 (which was released in July).

Luckily, complying with the new API should be trivial. For example, try this search-and-replace on an affected source file:

Code:

sed 's/\([a-zA-Z_][a-zA-Z0-9_]*\)->nh.iph/ip_hdr(\1)/'

To get a patch for the original file (from patch-o-matic-ng-20070901.tar.bz2), I did this:

Code:

$ sed 's/\([a-zA-Z_][a-zA-Z0-9_]*\)->nh.iph/ip_hdr(\1)/' ipt_TARPIT.c | diff -u ipt_TARPIT.c -
--- ipt_TARPIT.c	2007-04-27 08:03:37.000000000 -0400
+++ -			2007-09-01 17:55:03.590017650 -0400
@@ -84,12 +84,12 @@
 	u_int16_t tmp;
 
 	/* A truncated TCP header isn't going to be useful */
-	if (oskb->len < (oskb->nh.iph->ihl*4) + sizeof(struct tcphdr))
+	if (oskb->len < (ip_hdr(oskb)->ihl*4) + sizeof(struct tcphdr))
 		return;
 
-	otcph = (struct tcphdr *)((u_int32_t*)oskb->nh.iph
-				  + oskb->nh.iph->ihl);
-	otcplen = oskb->len - oskb->nh.iph->ihl*4;
+	otcph = (struct tcphdr *)((u_int32_t*)ip_hdr(oskb)
+				  + ip_hdr(oskb)->ihl);
+	otcplen = oskb->len - ip_hdr(oskb)->ihl*4;
 
 	/* No replies for RST or FIN */
 	if (otcph->rst || otcph->fin)
@@ -100,8 +100,8 @@
 		return;
 
 	/* Check checksum. */
-	if (tcp_v4_check(otcplen, oskb->nh.iph->saddr,
-			 oskb->nh.iph->daddr,
+	if (tcp_v4_check(otcplen, ip_hdr(oskb)->saddr,
+			 ip_hdr(oskb)->daddr,
 			 csum_partial((char *)otcph, otcplen, 0)) != 0)
 		return;
 
@@ -119,23 +119,23 @@
 	nskb->nf_debug = 0;
 #endif
 
-	ntcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
+	ntcph = (struct tcphdr *)((u_int32_t*)ip_hdr(nskb) + nskb->nh.iph->ihl);
 
 	/* Truncate to length (no data) */
 	ntcph->doff = sizeof(struct tcphdr)/4;
-	skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
-	nskb->nh.iph->tot_len = htons(nskb->len);
+	skb_trim(nskb, ip_hdr(nskb)->ihl*4 + sizeof(struct tcphdr));
+	ip_hdr(nskb)->tot_len = htons(nskb->len);
 
 	/* Swap source and dest */
-	nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
+	ip_hdr(nskb)->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
 	tmp = ntcph->source;
 	ntcph->source = ntcph->dest;
 	ntcph->dest = tmp;
 
 	/* Use supplied sequence number or make a new one */
 	ntcph->seq = otcph->ack ? otcph->ack_seq
-		: htonl(secure_tcp_sequence_number(nskb->nh.iph->saddr,
-						   nskb->nh.iph->daddr,
+		: htonl(secure_tcp_sequence_number(ip_hdr(nskb)->saddr,
+						   ip_hdr(nskb)->daddr,
 						   ntcph->source,
 						   ntcph->dest));
 
@@ -159,14 +159,14 @@
 	/* Adjust TCP checksum */
 	ntcph->check = 0;
 	ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
-				   nskb->nh.iph->saddr,
-				   nskb->nh.iph->daddr,
+				   ip_hdr(nskb)->saddr,
+				   ip_hdr(nskb)->daddr,
 				   csum_partial((char *)ntcph,
 						sizeof(struct tcphdr), 0));
 
-	fl.nl_u.ip4_u.daddr = nskb->nh.iph->daddr;
-	fl.nl_u.ip4_u.saddr = local ? nskb->nh.iph->saddr : 0;
-	fl.nl_u.ip4_u.tos = RT_TOS(nskb->nh.iph->tos) | RTO_CONN;
+	fl.nl_u.ip4_u.daddr = ip_hdr(nskb)->daddr;
+	fl.nl_u.ip4_u.saddr = local ? ip_hdr(nskb)->saddr : 0;
+	fl.nl_u.ip4_u.tos = RT_TOS(ip_hdr(nskb)->tos) | RTO_CONN;
 	fl.oif = 0;
 
 	if (ip_route_output_key(&nrt, &fl))
@@ -176,16 +176,16 @@
 	nskb->dst = &nrt->u.dst;
 
 	/* Adjust IP TTL */
-	nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+	ip_hdr(nskb)->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
 
 	/* Set DF, id = 0 */
-	nskb->nh.iph->frag_off = htons(IP_DF);
-	nskb->nh.iph->id = 0;
+	ip_hdr(nskb)->frag_off = htons(IP_DF);
+	ip_hdr(nskb)->id = 0;
 
 	/* Adjust IP checksum */
-	nskb->nh.iph->check = 0;
-	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
-					   nskb->nh.iph->ihl);
+	ip_hdr(nskb)->check = 0;
+	ip_hdr(nskb)->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
+					   ip_hdr(nskb)->ihl);
 
 	/* "Never happens" */
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
@@ -228,11 +228,11 @@
 
 	/* Our naive response construction doesn't deal with IP
            options, and probably shouldn't try. */
-	if (skb->nh.iph->ihl*4 != sizeof(struct iphdr))
+	if (ip_hdr(skb)->ihl*4 != sizeof(struct iphdr))
 		return NF_DROP;
 
 	/* We aren't interested in fragments */
-	if (skb->nh.iph->frag_off & htons(IP_OFFSET))
+	if (ip_hdr(skb)->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
 
 	tarpit_tcp(skb,rt,hooknum == NF_IP_LOCAL_IN);

(where boldface represents text I typed at the command-line)

NOTICE: These changes may result in a file incompatible with kernels older than 2.6.22. If you want an always-working solution, use the patch-o-matic system to enable checking for kernel sublevel versions and provide two versions of the file. Alternatively you might armor each change with conditional compilation measures (by using #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) … #else … #endif)

felosi · 09-01-2007, 09:37 PM

Thanks a lot, I will try this next kernel update.

felosi · 09-02-2007, 09:22 PM

UPDATE: I tried doing what you suggested but didnt work for me, I may just make a 2.6.21.5 hardened kernel and use it. Id rather have a new kernel though so Ill keep trying

osor · 09-02-2007, 09:27 PM

Quote:

Originally Posted by felosi

UPDATE: I tried doing what you suggested but didnt work for me,

What errors did you encounter?

felosi · 09-03-2007, 03:48 AM

Code:

root@cp [/src/linux/net/ipv4/netfilter]# \make TARPIT
make: *** No rule to make target `TARPIT'.  Stop.
root@cp [/src/linux/net/ipv4/netfilter]# cd /src/linux
root@cp [/src/linux]# make modules
  CHK     include/linux/version.h
  CHK     include/linux/utsrelease.h
  CALL    scripts/checksyscalls.sh
  CC [M]  net/ipv4/netfilter/ipt_TARPIT.o
net/ipv4/netfilter/ipt_TARPIT.c: In function 'tarpit_tcp':
net/ipv4/netfilter/ipt_TARPIT.c:82: warning: missing initializer
net/ipv4/netfilter/ipt_TARPIT.c:82: warning: (near initialization for 'fl.oif')
net/ipv4/netfilter/ipt_TARPIT.c:87: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:90: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:91: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:92: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:103: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:104: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:119: error: 'struct sk_buff' has no member named 'nf_debug'
net/ipv4/netfilter/ipt_TARPIT.c:122: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:122: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:126: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:127: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: warning: type defaults to 'int' in declaration of 'type name'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:137: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:162: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:163: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:167: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:168: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:169: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:179: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:182: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:183: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:186: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:187: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:187: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:188: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c: In function 'tarpit':
net/ipv4/netfilter/ipt_TARPIT.c:231: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:235: error: 'struct sk_buff' has no member named 'nh'
make[3]: *** [net/ipv4/netfilter/ipt_TARPIT.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2

Same as before.

strohel · 09-03-2007, 07:50 AM

felosi: From the error, it looks like you haven't applied anything. Note that if you typed exact command as osor, it didn't change any file, it just showed the difference (output of sed command was piped to the diff command). In order to actually apply it, redirect output from sed to temporary file (sed '....' ipt_TARPIT.c > ipt_TARPIT.c.new), check the differences (diff -u ipt_TARPIT.c ipt_TARPIT.c.new) and then replace the ipt_TARPIT.c with your temporary file.

I'll try this later when I find time.

osor · 09-03-2007, 12:14 PM

Quote:

Originally Posted by strohel

Note that if you typed exact command as osor, it didn't change any file, it just showed the difference (output of sed command was piped to the diff command).

Yes, sorry about that, I should have been more clear. The command that I entered only gives you a diff that you can apply with the patch utility. If you want to, you can apply the changes to the file “in-place” by using “sed … -i” on the file.

E.g.,

Code:

sed 's/\([a-zA-Z_][a-zA-Z0-9_]*\)->nh.iph/ip_hdr(\1)/' -i ipt_TARPIT.c

felosi · 09-03-2007, 10:08 PM

Ok thanks, Ill try it now. Sorry about that Im not too keen on this type of work yet. Ill do it now and see how it goes

UPDATE: Ok, I did the command osor posted above, this time i got less errors but some the same:

Quote:

net/ipv4/netfilter/ipt_TARPIT.c: In function 'tarpit_tcp':
net/ipv4/netfilter/ipt_TARPIT.c:82: warning: missing initializer
net/ipv4/netfilter/ipt_TARPIT.c:82: warning: (near initialization for 'fl.oif')
net/ipv4/netfilter/ipt_TARPIT.c:119: error: 'struct sk_buff' has no member named 'nf_debug'
net/ipv4/netfilter/ipt_TARPIT.c:122: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
net/ipv4/netfilter/ipt_TARPIT.c:130: warning: type defaults to 'int' in declaration of 'type name'
net/ipv4/netfilter/ipt_TARPIT.c:187: error: 'struct sk_buff' has no member named 'nh'
make[3]: *** [net/ipv4/netfilter/ipt_TARPIT.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2

Ill try a few other things and see what happens.

I did what strohel said and got this error

Code:

net/ipv4/netfilter/ipt_TARPIT.c: In function 'tarpit_tcp':
net/ipv4/netfilter/ipt_TARPIT.c:82: warning: missing initializer
net/ipv4/netfilter/ipt_TARPIT.c:82: warning: (near initialization for 'fl.oif')
net/ipv4/netfilter/ipt_TARPIT.c:119: error: 'struct sk_buff' has no member named 'nf_debug'
net/ipv4/netfilter/ipt_TARPIT.c:130: error: 'struct sk_buff' has no member named 'nh'
make[3]: *** [net/ipv4/netfilter/ipt_TARPIT.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2

osor · 09-04-2007, 01:00 PM

Quote:

Originally Posted by felosi

UPDATE: Ok, I did the command osor posted above, this time i got less errors but some the same:

I did what strohel said and got this error

I made a couple errors in my solution.

The first is very simple, I left out a “/g” flag in the sed command. This basically means the find-and-replace will only work on the first match found in a line, and leave the rest of the text on that line alone. The problem is there are a few lines which use the same construct two times, and there is one line that uses it three times. In your case, you end up applying the find-and-replace one time when you followed my instructions, and you end up applying it two times when you followed strohel’s instructions. To remedy this, you can either apply the sed command a third time, or apply this modified sed command to the original file:

Code:

sed 's/\([a-zA-Z_][a-zA-Z0-9_]*\)->nh.iph/ip_hdr(\1)/g' -i ipt_TARPIT.c

(notice the added “g” flag.)

The second error I made was not looking closely enough at all your reported errors! In particular, I overlooked

Code:

net/ipv4/netfilter/ipt_TARPIT.c:119: error: 'struct sk_buff' has no member named 'nf_debug'

I’m not sure what this is still doing in the module (nf_debug was removed from the API over two years ago). To remedy this, just delete lines 118-120. I.e., delete these three lines:

Code:

#ifdef CONFIG_NETFILTER_DEBUG
	nskb->nf_debug = 0;
#endif

Sorry for any confusion.

felosi · 09-05-2007, 10:48 PM

osor, thank you very much for your help and work in this matter. The module compiled fine this time. All I have to do now is put it to the test

strohel · 09-07-2007, 10:35 AM

Thanks from my part, osor. You should be applying for a job in a Linux help centre..