]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commitdiff
netfilter: add SYNPROXY core/target
authorPatrick McHardy <kaber@trash.net>
Tue, 27 Aug 2013 06:50:14 +0000 (08:50 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 27 Aug 2013 22:27:54 +0000 (00:27 +0200)
Add a SYNPROXY for netfilter. The code is split into two parts, the synproxy
core with common functions and an address family specific target.

The SYNPROXY receives the connection request from the client, responds with
a SYN/ACK containing a SYN cookie and announcing a zero window and checks
whether the final ACK from the client contains a valid cookie.

It then establishes a connection to the original destination and, if
successful, sends a window update to the client with the window size
announced by the server.

Support for timestamps, SACK, window scaling and MSS options can be
statically configured as target parameters if the features of the server
are known. If timestamps are used, the timestamp value sent back to
the client in the SYN/ACK will be different from the real timestamp of
the server. In order to now break PAWS, the timestamps are translated in
the direction server->client.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Tested-by: Martin Topholm <mph@one.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 files changed:
include/net/netfilter/nf_conntrack_extend.h
include/net/netfilter/nf_conntrack_seqadj.h
include/net/netfilter/nf_conntrack_synproxy.h [new file with mode: 0644]
include/uapi/linux/netfilter/xt_SYNPROXY.h [new file with mode: 0644]
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Makefile
net/ipv4/netfilter/ipt_SYNPROXY.c [new file with mode: 0644]
net/netfilter/Kconfig
net/netfilter/Makefile
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_proto_tcp.c
net/netfilter/nf_conntrack_seqadj.c
net/netfilter/nf_synproxy_core.c [new file with mode: 0644]

index 2a22bcbfe6e4faefd20d279d4f784149b0d836f5..ff95434e50ca4273e7e795e55f37134457cca69f 100644 (file)
@@ -9,8 +9,8 @@ enum nf_ct_ext_id {
        NF_CT_EXT_HELPER,
 #if defined(CONFIG_NF_NAT) || defined(CONFIG_NF_NAT_MODULE)
        NF_CT_EXT_NAT,
-       NF_CT_EXT_SEQADJ,
 #endif
+       NF_CT_EXT_SEQADJ,
        NF_CT_EXT_ACCT,
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
        NF_CT_EXT_ECACHE,
@@ -26,6 +26,9 @@ enum nf_ct_ext_id {
 #endif
 #ifdef CONFIG_NF_CONNTRACK_LABELS
        NF_CT_EXT_LABELS,
+#endif
+#if IS_ENABLED(CONFIG_NETFILTER_SYNPROXY)
+       NF_CT_EXT_SYNPROXY,
 #endif
        NF_CT_EXT_NUM,
 };
@@ -39,6 +42,7 @@ enum nf_ct_ext_id {
 #define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp
 #define NF_CT_EXT_TIMEOUT_TYPE struct nf_conn_timeout
 #define NF_CT_EXT_LABELS_TYPE struct nf_conn_labels
+#define NF_CT_EXT_SYNPROXY_TYPE struct nf_conn_synproxy
 
 /* Extensions: optional stuff which isn't permanently in struct. */
 struct nf_ct_ext {
index 30bfbbed9f4798bb73b42a172f7b44b8a64a5708..f6177a5fe0cafe6de0e00ac6d2abd1ce9856d897 100644 (file)
@@ -30,6 +30,8 @@ static inline struct nf_conn_seqadj *nfct_seqadj_ext_add(struct nf_conn *ct)
        return nf_ct_ext_add(ct, NF_CT_EXT_SEQADJ, GFP_ATOMIC);
 }
 
+extern int nf_ct_seqadj_init(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
+                            s32 off);
 extern int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
                            __be32 seq, s32 off);
 extern void nf_ct_tcp_seqadj_set(struct sk_buff *skb,
diff --git a/include/net/netfilter/nf_conntrack_synproxy.h b/include/net/netfilter/nf_conntrack_synproxy.h
new file mode 100644 (file)
index 0000000..806f54a
--- /dev/null
@@ -0,0 +1,77 @@
+#ifndef _NF_CONNTRACK_SYNPROXY_H
+#define _NF_CONNTRACK_SYNPROXY_H
+
+#include <net/netns/generic.h>
+
+struct nf_conn_synproxy {
+       u32     isn;
+       u32     its;
+       u32     tsoff;
+};
+
+static inline struct nf_conn_synproxy *nfct_synproxy(const struct nf_conn *ct)
+{
+#if IS_ENABLED(CONFIG_NETFILTER_SYNPROXY)
+       return nf_ct_ext_find(ct, NF_CT_EXT_SYNPROXY);
+#else
+       return NULL;
+#endif
+}
+
+static inline struct nf_conn_synproxy *nfct_synproxy_ext_add(struct nf_conn *ct)
+{
+#if IS_ENABLED(CONFIG_NETFILTER_SYNPROXY)
+       return nf_ct_ext_add(ct, NF_CT_EXT_SYNPROXY, GFP_ATOMIC);
+#else
+       return NULL;
+#endif
+}
+
+struct synproxy_stats {
+       unsigned int                    syn_received;
+       unsigned int                    cookie_invalid;
+       unsigned int                    cookie_valid;
+       unsigned int                    cookie_retrans;
+       unsigned int                    conn_reopened;
+};
+
+struct synproxy_net {
+       struct nf_conn                  *tmpl;
+       struct synproxy_stats __percpu  *stats;
+};
+
+extern int synproxy_net_id;
+static inline struct synproxy_net *synproxy_pernet(struct net *net)
+{
+       return net_generic(net, synproxy_net_id);
+}
+
+struct synproxy_options {
+       u8                              options;
+       u8                              wscale;
+       u16                             mss;
+       u32                             tsval;
+       u32                             tsecr;
+};
+
+struct tcphdr;
+struct xt_synproxy_info;
+extern void synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+                                  const struct tcphdr *th,
+                                  struct synproxy_options *opts);
+extern unsigned int synproxy_options_size(const struct synproxy_options *opts);
+extern void synproxy_build_options(struct tcphdr *th,
+                                  const struct synproxy_options *opts);
+
+extern void synproxy_init_timestamp_cookie(const struct xt_synproxy_info *info,
+                                          struct synproxy_options *opts);
+extern void synproxy_check_timestamp_cookie(struct synproxy_options *opts);
+
+extern unsigned int synproxy_tstamp_adjust(struct sk_buff *skb,
+                                          unsigned int protoff,
+                                          struct tcphdr *th,
+                                          struct nf_conn *ct,
+                                          enum ip_conntrack_info ctinfo,
+                                          const struct nf_conn_synproxy *synproxy);
+
+#endif /* _NF_CONNTRACK_SYNPROXY_H */
diff --git a/include/uapi/linux/netfilter/xt_SYNPROXY.h b/include/uapi/linux/netfilter/xt_SYNPROXY.h
new file mode 100644 (file)
index 0000000..2d59fba
--- /dev/null
@@ -0,0 +1,16 @@
+#ifndef _XT_SYNPROXY_H
+#define _XT_SYNPROXY_H
+
+#define XT_SYNPROXY_OPT_MSS            0x01
+#define XT_SYNPROXY_OPT_WSCALE         0x02
+#define XT_SYNPROXY_OPT_SACK_PERM      0x04
+#define XT_SYNPROXY_OPT_TIMESTAMP      0x08
+#define XT_SYNPROXY_OPT_ECN            0x10
+
+struct xt_synproxy_info {
+       __u8    options;
+       __u8    wscale;
+       __u16   mss;
+};
+
+#endif /* _XT_SYNPROXY_H */
index 4e9028017428405ef2005f7558406c5ba3086a24..1657e39b291f2ae8747e21e944627def23ebfcbb 100644 (file)
@@ -110,6 +110,19 @@ config IP_NF_TARGET_REJECT
 
          To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_TARGET_SYNPROXY
+       tristate "SYNPROXY target support"
+       depends on NF_CONNTRACK && NETFILTER_ADVANCED
+       select NETFILTER_SYNPROXY
+       select SYN_COOKIES
+       help
+         The SYNPROXY target allows you to intercept TCP connections and
+         establish them using syncookies before they are passed on to the
+         server. This allows to avoid conntrack and server resource usage
+         during SYN-flood attacks.
+
+         To compile it as a module, choose M here. If unsure, say N.
+
 config IP_NF_TARGET_ULOG
        tristate "ULOG target support (obsolete)"
        default m if NETFILTER_ADVANCED=n
index 007b128eecc90246af3353f1e210bb07f267fe20..3622b248b6dd7ad78aa4411243b4b507731d7e2b 100644 (file)
@@ -46,6 +46,7 @@ obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
+obj-$(CONFIG_IP_NF_TARGET_SYNPROXY) += ipt_SYNPROXY.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 
 # generic ARP tables
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
new file mode 100644 (file)
index 0000000..94371db
--- /dev/null
@@ -0,0 +1,472 @@
+/*
+ * Copyright (c) 2013 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/tcp.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_SYNPROXY.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
+#include <net/netfilter/nf_conntrack_synproxy.h>
+
+static struct iphdr *
+synproxy_build_ip(struct sk_buff *skb, u32 saddr, u32 daddr)
+{
+       struct iphdr *iph;
+
+       skb_reset_network_header(skb);
+       iph = (struct iphdr *)skb_put(skb, sizeof(*iph));
+       iph->version    = 4;
+       iph->ihl        = sizeof(*iph) / 4;
+       iph->tos        = 0;
+       iph->id         = 0;
+       iph->frag_off   = htons(IP_DF);
+       iph->ttl        = sysctl_ip_default_ttl;
+       iph->protocol   = IPPROTO_TCP;
+       iph->check      = 0;
+       iph->saddr      = saddr;
+       iph->daddr      = daddr;
+
+       return iph;
+}
+
+static void
+synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb,
+                 struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
+                 struct iphdr *niph, struct tcphdr *nth,
+                 unsigned int tcp_hdr_size)
+{
+       nth->check = ~tcp_v4_check(tcp_hdr_size, niph->saddr, niph->daddr, 0);
+       nskb->ip_summed   = CHECKSUM_PARTIAL;
+       nskb->csum_start  = (unsigned char *)nth - nskb->head;
+       nskb->csum_offset = offsetof(struct tcphdr, check);
+
+       skb_dst_set_noref(nskb, skb_dst(skb));
+       nskb->protocol = htons(ETH_P_IP);
+       if (ip_route_me_harder(nskb, RTN_UNSPEC))
+               goto free_nskb;
+
+       if (nfct) {
+               nskb->nfct = nfct;
+               nskb->nfctinfo = ctinfo;
+               nf_conntrack_get(nfct);
+       }
+
+       ip_local_out(nskb);
+       return;
+
+free_nskb:
+       kfree_skb(nskb);
+}
+
+static void
+synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
+                           const struct synproxy_options *opts)
+{
+       struct sk_buff *nskb;
+       struct iphdr *iph, *niph;
+       struct tcphdr *nth;
+       unsigned int tcp_hdr_size;
+       u16 mss = opts->mss;
+
+       iph = ip_hdr(skb);
+
+       tcp_hdr_size = sizeof(*nth) + synproxy_options_size(opts);
+       nskb = alloc_skb(sizeof(*niph) + tcp_hdr_size + MAX_TCP_HEADER,
+                        GFP_ATOMIC);
+       if (nskb == NULL)
+               return;
+       skb_reserve(nskb, MAX_TCP_HEADER);
+
+       niph = synproxy_build_ip(nskb, iph->daddr, iph->saddr);
+
+       skb_reset_transport_header(nskb);
+       nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
+       nth->source     = th->dest;
+       nth->dest       = th->source;
+       nth->seq        = htonl(__cookie_v4_init_sequence(iph, th, &mss));
+       nth->ack_seq    = htonl(ntohl(th->seq) + 1);
+       tcp_flag_word(nth) = TCP_FLAG_SYN | TCP_FLAG_ACK;
+       if (opts->options & XT_SYNPROXY_OPT_ECN)
+               tcp_flag_word(nth) |= TCP_FLAG_ECE;
+       nth->doff       = tcp_hdr_size / 4;
+       nth->window     = 0;
+       nth->check      = 0;
+       nth->urg_ptr    = 0;
+
+       synproxy_build_options(nth, opts);
+
+       synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+                         niph, nth, tcp_hdr_size);
+}
+
+static void
+synproxy_send_server_syn(const struct synproxy_net *snet,
+                        const struct sk_buff *skb, const struct tcphdr *th,
+                        const struct synproxy_options *opts, u32 recv_seq)
+{
+       struct sk_buff *nskb;
+       struct iphdr *iph, *niph;
+       struct tcphdr *nth;
+       unsigned int tcp_hdr_size;
+
+       iph = ip_hdr(skb);
+
+       tcp_hdr_size = sizeof(*nth) + synproxy_options_size(opts);
+       nskb = alloc_skb(sizeof(*niph) + tcp_hdr_size + MAX_TCP_HEADER,
+                        GFP_ATOMIC);
+       if (nskb == NULL)
+               return;
+       skb_reserve(nskb, MAX_TCP_HEADER);
+
+       niph = synproxy_build_ip(nskb, iph->saddr, iph->daddr);
+
+       skb_reset_transport_header(nskb);
+       nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
+       nth->source     = th->source;
+       nth->dest       = th->dest;
+       nth->seq        = htonl(recv_seq - 1);
+       /* ack_seq is used to relay our ISN to the synproxy hook to initialize
+        * sequence number translation once a connection tracking entry exists.
+        */
+       nth->ack_seq    = htonl(ntohl(th->ack_seq) - 1);
+       tcp_flag_word(nth) = TCP_FLAG_SYN;
+       if (opts->options & XT_SYNPROXY_OPT_ECN)
+               tcp_flag_word(nth) |= TCP_FLAG_ECE | TCP_FLAG_CWR;
+       nth->doff       = tcp_hdr_size / 4;
+       nth->window     = th->window;
+       nth->check      = 0;
+       nth->urg_ptr    = 0;
+
+       synproxy_build_options(nth, opts);
+
+       synproxy_send_tcp(skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
+                         niph, nth, tcp_hdr_size);
+}
+
+static void
+synproxy_send_server_ack(const struct synproxy_net *snet,
+                        const struct ip_ct_tcp *state,
+                        const struct sk_buff *skb, const struct tcphdr *th,
+                        const struct synproxy_options *opts)
+{
+       struct sk_buff *nskb;
+       struct iphdr *iph, *niph;
+       struct tcphdr *nth;
+       unsigned int tcp_hdr_size;
+
+       iph = ip_hdr(skb);
+
+       tcp_hdr_size = sizeof(*nth) + synproxy_options_size(opts);
+       nskb = alloc_skb(sizeof(*niph) + tcp_hdr_size + MAX_TCP_HEADER,
+                        GFP_ATOMIC);
+       if (nskb == NULL)
+               return;
+       skb_reserve(nskb, MAX_TCP_HEADER);
+
+       niph = synproxy_build_ip(nskb, iph->daddr, iph->saddr);
+
+       skb_reset_transport_header(nskb);
+       nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
+       nth->source     = th->dest;
+       nth->dest       = th->source;
+       nth->seq        = htonl(ntohl(th->ack_seq));
+       nth->ack_seq    = htonl(ntohl(th->seq) + 1);
+       tcp_flag_word(nth) = TCP_FLAG_ACK;
+       nth->doff       = tcp_hdr_size / 4;
+       nth->window     = htons(state->seen[IP_CT_DIR_ORIGINAL].td_maxwin);
+       nth->check      = 0;
+       nth->urg_ptr    = 0;
+
+       synproxy_build_options(nth, opts);
+
+       synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+}
+
+static void
+synproxy_send_client_ack(const struct synproxy_net *snet,
+                        const struct sk_buff *skb, const struct tcphdr *th,
+                        const struct synproxy_options *opts)
+{
+       struct sk_buff *nskb;
+       struct iphdr *iph, *niph;
+       struct tcphdr *nth;
+       unsigned int tcp_hdr_size;
+
+       iph = ip_hdr(skb);
+
+       tcp_hdr_size = sizeof(*nth) + synproxy_options_size(opts);
+       nskb = alloc_skb(sizeof(*niph) + tcp_hdr_size + MAX_TCP_HEADER,
+                        GFP_ATOMIC);
+       if (nskb == NULL)
+               return;
+       skb_reserve(nskb, MAX_TCP_HEADER);
+
+       niph = synproxy_build_ip(nskb, iph->saddr, iph->daddr);
+
+       skb_reset_transport_header(nskb);
+       nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
+       nth->source     = th->source;
+       nth->dest       = th->dest;
+       nth->seq        = htonl(ntohl(th->seq) + 1);
+       nth->ack_seq    = th->ack_seq;
+       tcp_flag_word(nth) = TCP_FLAG_ACK;
+       nth->doff       = tcp_hdr_size / 4;
+       nth->window     = ntohs(htons(th->window) >> opts->wscale);
+       nth->check      = 0;
+       nth->urg_ptr    = 0;
+
+       synproxy_build_options(nth, opts);
+
+       synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+}
+
+static bool
+synproxy_recv_client_ack(const struct synproxy_net *snet,
+                        const struct sk_buff *skb, const struct tcphdr *th,
+                        struct synproxy_options *opts, u32 recv_seq)
+{
+       int mss;
+
+       mss = __cookie_v4_check(ip_hdr(skb), th, ntohl(th->ack_seq) - 1);
+       if (mss == 0) {
+               this_cpu_inc(snet->stats->cookie_invalid);
+               return false;
+       }
+
+       this_cpu_inc(snet->stats->cookie_valid);
+       opts->mss = mss;
+
+       if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
+               synproxy_check_timestamp_cookie(opts);
+
+       synproxy_send_server_syn(snet, skb, th, opts, recv_seq);
+       return true;
+}
+
+static unsigned int
+synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
+{
+       const struct xt_synproxy_info *info = par->targinfo;
+       struct synproxy_net *snet = synproxy_pernet(dev_net(par->in));
+       struct synproxy_options opts = {};
+       struct tcphdr *th, _th;
+
+       if (nf_ip_checksum(skb, par->hooknum, par->thoff, IPPROTO_TCP))
+               return NF_DROP;
+
+       th = skb_header_pointer(skb, par->thoff, sizeof(_th), &_th);
+       if (th == NULL)
+               return NF_DROP;
+
+       synproxy_parse_options(skb, par->thoff, th, &opts);
+
+       if (th->syn && !th->ack) {
+               /* Initial SYN from client */
+               this_cpu_inc(snet->stats->syn_received);
+
+               if (th->ece && th->cwr)
+                       opts.options |= XT_SYNPROXY_OPT_ECN;
+
+               opts.options &= info->options;
+               if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
+                       synproxy_init_timestamp_cookie(info, &opts);
+               else
+                       opts.options &= ~(XT_SYNPROXY_OPT_WSCALE |
+                                         XT_SYNPROXY_OPT_SACK_PERM |
+                                         XT_SYNPROXY_OPT_ECN);
+
+               synproxy_send_client_synack(skb, th, &opts);
+       } else if (th->ack && !(th->fin || th->rst))
+               /* ACK from client */
+               synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
+
+       return NF_DROP;
+}
+
+static unsigned int ipv4_synproxy_hook(unsigned int hooknum,
+                                      struct sk_buff *skb,
+                                      const struct net_device *in,
+                                      const struct net_device *out,
+                                      int (*okfn)(struct sk_buff *))
+{
+       struct synproxy_net *snet = synproxy_pernet(dev_net(in ? : out));
+       enum ip_conntrack_info ctinfo;
+       struct nf_conn *ct;
+       struct nf_conn_synproxy *synproxy;
+       struct synproxy_options opts = {};
+       const struct ip_ct_tcp *state;
+       struct tcphdr *th, _th;
+       unsigned int thoff;
+
+       ct = nf_ct_get(skb, &ctinfo);
+       if (ct == NULL)
+               return NF_ACCEPT;
+
+       synproxy = nfct_synproxy(ct);
+       if (synproxy == NULL)
+               return NF_ACCEPT;
+
+       if (nf_is_loopback_packet(skb))
+               return NF_ACCEPT;
+
+       thoff = ip_hdrlen(skb);
+       th = skb_header_pointer(skb, thoff, sizeof(_th), &_th);
+       if (th == NULL)
+               return NF_DROP;
+
+       state = &ct->proto.tcp;
+       switch (state->state) {
+       case TCP_CONNTRACK_CLOSE:
+               if (th->rst && !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
+                       nf_ct_seqadj_init(ct, ctinfo, synproxy->isn -
+                                                     ntohl(th->seq) + 1);
+                       break;
+               }
+
+               if (!th->syn || th->ack ||
+                   CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
+                       break;
+
+               /* Reopened connection - reset the sequence number and timestamp
+                * adjustments, they will get initialized once the connection is
+                * reestablished.
+                */
+               nf_ct_seqadj_init(ct, ctinfo, 0);
+               synproxy->tsoff = 0;
+               this_cpu_inc(snet->stats->conn_reopened);
+
+               /* fall through */
+       case TCP_CONNTRACK_SYN_SENT:
+               synproxy_parse_options(skb, thoff, th, &opts);
+
+               if (!th->syn && th->ack &&
+                   CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) {
+                       /* Keep-Alives are sent with SEG.SEQ = SND.NXT-1,
+                        * therefore we need to add 1 to make the SYN sequence
+                        * number match the one of first SYN.
+                        */
+                       if (synproxy_recv_client_ack(snet, skb, th, &opts,
+                                                    ntohl(th->seq) + 1))
+                               this_cpu_inc(snet->stats->cookie_retrans);
+
+                       return NF_DROP;
+               }
+
+               synproxy->isn = ntohl(th->ack_seq);
+               if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
+                       synproxy->its = opts.tsecr;
+               break;
+       case TCP_CONNTRACK_SYN_RECV:
+               if (!th->syn || !th->ack)
+                       break;
+
+               synproxy_parse_options(skb, thoff, th, &opts);
+               if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
+                       synproxy->tsoff = opts.tsval - synproxy->its;
+
+               opts.options &= ~(XT_SYNPROXY_OPT_MSS |
+                                 XT_SYNPROXY_OPT_WSCALE |
+                                 XT_SYNPROXY_OPT_SACK_PERM);
+
+               swap(opts.tsval, opts.tsecr);
+               synproxy_send_server_ack(snet, state, skb, th, &opts);
+
+               nf_ct_seqadj_init(ct, ctinfo, synproxy->isn - ntohl(th->seq));
+
+               swap(opts.tsval, opts.tsecr);
+               synproxy_send_client_ack(snet, skb, th, &opts);
+
+               consume_skb(skb);
+               return NF_STOLEN;
+       default:
+               break;
+       }
+
+       synproxy_tstamp_adjust(skb, thoff, th, ct, ctinfo, synproxy);
+       return NF_ACCEPT;
+}
+
+static int synproxy_tg4_check(const struct xt_tgchk_param *par)
+{
+       const struct ipt_entry *e = par->entryinfo;
+
+       if (e->ip.proto != IPPROTO_TCP ||
+           e->ip.invflags & XT_INV_PROTO)
+               return -EINVAL;
+
+       return nf_ct_l3proto_try_module_get(par->family);
+}
+
+static void synproxy_tg4_destroy(const struct xt_tgdtor_param *par)
+{
+       nf_ct_l3proto_module_put(par->family);
+}
+
+static struct xt_target synproxy_tg4_reg __read_mostly = {
+       .name           = "SYNPROXY",
+       .family         = NFPROTO_IPV4,
+       .target         = synproxy_tg4,
+       .targetsize     = sizeof(struct xt_synproxy_info),
+       .checkentry     = synproxy_tg4_check,
+       .destroy        = synproxy_tg4_destroy,
+       .me             = THIS_MODULE,
+};
+
+static struct nf_hook_ops ipv4_synproxy_ops[] __read_mostly = {
+       {
+               .hook           = ipv4_synproxy_hook,
+               .owner          = THIS_MODULE,
+               .pf             = NFPROTO_IPV4,
+               .hooknum        = NF_INET_LOCAL_IN,
+               .priority       = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
+       },
+       {
+               .hook           = ipv4_synproxy_hook,
+               .owner          = THIS_MODULE,
+               .pf             = NFPROTO_IPV4,
+               .hooknum        = NF_INET_POST_ROUTING,
+               .priority       = NF_IP_PRI_CONNTRACK_CONFIRM - 1,
+       },
+};
+
+static int __init synproxy_tg4_init(void)
+{
+       int err;
+
+       err = nf_register_hooks(ipv4_synproxy_ops,
+                               ARRAY_SIZE(ipv4_synproxy_ops));
+       if (err < 0)
+               goto err1;
+
+       err = xt_register_target(&synproxy_tg4_reg);
+       if (err < 0)
+               goto err2;
+
+       return 0;
+
+err2:
+       nf_unregister_hooks(ipv4_synproxy_ops, ARRAY_SIZE(ipv4_synproxy_ops));
+err1:
+       return err;
+}
+
+static void __exit synproxy_tg4_exit(void)
+{
+       xt_unregister_target(&synproxy_tg4_reg);
+       nf_unregister_hooks(ipv4_synproxy_ops, ARRAY_SIZE(ipv4_synproxy_ops));
+}
+
+module_init(synproxy_tg4_init);
+module_exit(synproxy_tg4_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
index c45fc1a60e0dde53416508ff29e22ee567f8883c..62a171ab204f46ed1f0f9a55840db91d3ce076e6 100644 (file)
@@ -408,6 +408,9 @@ config NF_NAT_TFTP
        depends on NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_TFTP
 
+config NETFILTER_SYNPROXY
+       tristate
+
 endif # NF_CONNTRACK
 
 config NETFILTER_XTABLES
index 89a9c1658f5e52bc459ddf3a87e13aea604d74d9..c3a0a12907f693630b841400d3e47babfd338bde 100644 (file)
@@ -61,6 +61,9 @@ obj-$(CONFIG_NF_NAT_IRC) += nf_nat_irc.o
 obj-$(CONFIG_NF_NAT_SIP) += nf_nat_sip.o
 obj-$(CONFIG_NF_NAT_TFTP) += nf_nat_tftp.o
 
+# SYNPROXY
+obj-$(CONFIG_NETFILTER_SYNPROXY) += nf_synproxy_core.o
+
 # generic X tables 
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 
index 00a7a94d4132fd56c9c85eb90e6f8844602e8af5..5d892febd64ca88d957d6eeffac5de12daeaff77 100644 (file)
@@ -48,6 +48,7 @@
 #include <net/netfilter/nf_conntrack_timestamp.h>
 #include <net/netfilter/nf_conntrack_timeout.h>
 #include <net/netfilter/nf_conntrack_labels.h>
+#include <net/netfilter/nf_conntrack_synproxy.h>
 #include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_helper.h>
@@ -799,6 +800,11 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
        if (IS_ERR(ct))
                return (struct nf_conntrack_tuple_hash *)ct;
 
+       if (tmpl && nfct_synproxy(tmpl)) {
+               nfct_seqadj_ext_add(ct);
+               nfct_synproxy_ext_add(ct);
+       }
+
        timeout_ext = tmpl ? nf_ct_timeout_find(tmpl) : NULL;
        if (timeout_ext)
                timeouts = NF_CT_TIMEOUT_EXT_DATA(timeout_ext);
index 984a8d1a33594ede7106d7b6fea7a4b157e252a0..44d1ea32570a07338dc39f34624bd823b6f76916 100644 (file)
@@ -28,6 +28,7 @@
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_conntrack_seqadj.h>
+#include <net/netfilter/nf_conntrack_synproxy.h>
 #include <net/netfilter/nf_log.h>
 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
@@ -946,6 +947,21 @@ static int tcp_packet(struct nf_conn *ct,
                                  "state %s ", tcp_conntrack_names[old_state]);
                return NF_ACCEPT;
        case TCP_CONNTRACK_MAX:
+               /* Special case for SYN proxy: when the SYN to the server or
+                * the SYN/ACK from the server is lost, the client may transmit
+                * a keep-alive packet while in SYN_SENT state. This needs to
+                * be associated with the original conntrack entry in order to
+                * generate a new SYN with the correct sequence number.
+                */
+               if (nfct_synproxy(ct) && old_state == TCP_CONNTRACK_SYN_SENT &&
+                   index == TCP_ACK_SET && dir == IP_CT_DIR_ORIGINAL &&
+                   ct->proto.tcp.last_dir == IP_CT_DIR_ORIGINAL &&
+                   ct->proto.tcp.seen[dir].td_end - 1 == ntohl(th->seq)) {
+                       pr_debug("nf_ct_tcp: SYN proxy client keep alive\n");
+                       spin_unlock_bh(&ct->lock);
+                       return NF_ACCEPT;
+               }
+
                /* Invalid packet */
                pr_debug("nf_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
                         dir, get_conntrack_index(th), old_state);
index 483eb9ce321606f329cdd7647807773e4472b5e8..5f9bfd060deac302955f91dce75a3a86962a14d5 100644 (file)
@@ -6,6 +6,26 @@
 #include <net/netfilter/nf_conntrack_extend.h>
 #include <net/netfilter/nf_conntrack_seqadj.h>
 
+int nf_ct_seqadj_init(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
+                     s32 off)
+{
+       enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+       struct nf_conn_seqadj *seqadj;
+       struct nf_ct_seqadj *this_way;
+
+       if (off == 0)
+               return 0;
+
+       set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
+
+       seqadj = nfct_seqadj(ct);
+       this_way = &seqadj->seq[dir];
+       this_way->offset_before  = off;
+       this_way->offset_after   = off;
+       return 0;
+}
+EXPORT_SYMBOL_GPL(nf_ct_seqadj_init);
+
 int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
                     __be32 seq, s32 off)
 {
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
new file mode 100644 (file)
index 0000000..d23dc79
--- /dev/null
@@ -0,0 +1,432 @@
+/*
+ * Copyright (c) 2013 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <asm/unaligned.h>
+#include <net/tcp.h>
+#include <net/netns/generic.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tcpudp.h>
+#include <linux/netfilter/xt_SYNPROXY.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_extend.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
+#include <net/netfilter/nf_conntrack_synproxy.h>
+
+int synproxy_net_id;
+EXPORT_SYMBOL_GPL(synproxy_net_id);
+
+void
+synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+                      const struct tcphdr *th, struct synproxy_options *opts)
+{
+       int length = (th->doff * 4) - sizeof(*th);
+       u8 buf[40], *ptr;
+
+       ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
+       BUG_ON(ptr == NULL);
+
+       opts->options = 0;
+       while (length > 0) {
+               int opcode = *ptr++;
+               int opsize;
+
+               switch (opcode) {
+               case TCPOPT_EOL:
+                       return;
+               case TCPOPT_NOP:
+                       length--;
+                       continue;
+               default:
+                       opsize = *ptr++;
+                       if (opsize < 2)
+                               return;
+                       if (opsize > length)
+                               return;
+
+                       switch (opcode) {
+                       case TCPOPT_MSS:
+                               if (opsize == TCPOLEN_MSS) {
+                                       opts->mss = get_unaligned_be16(ptr);
+                                       opts->options |= XT_SYNPROXY_OPT_MSS;
+                               }
+                               break;
+                       case TCPOPT_WINDOW:
+                               if (opsize == TCPOLEN_WINDOW) {
+                                       opts->wscale = *ptr;
+                                       if (opts->wscale > 14)
+                                               opts->wscale = 14;
+                                       opts->options |= XT_SYNPROXY_OPT_WSCALE;
+                               }
+                               break;
+                       case TCPOPT_TIMESTAMP:
+                               if (opsize == TCPOLEN_TIMESTAMP) {
+                                       opts->tsval = get_unaligned_be32(ptr);
+                                       opts->tsecr = get_unaligned_be32(ptr + 4);
+                                       opts->options |= XT_SYNPROXY_OPT_TIMESTAMP;
+                               }
+                               break;
+                       case TCPOPT_SACK_PERM:
+                               if (opsize == TCPOLEN_SACK_PERM)
+                                       opts->options |= XT_SYNPROXY_OPT_SACK_PERM;
+                               break;
+                       }
+
+                       ptr += opsize - 2;
+                       length -= opsize;
+               }
+       }
+}
+EXPORT_SYMBOL_GPL(synproxy_parse_options);
+
+unsigned int synproxy_options_size(const struct synproxy_options *opts)
+{
+       unsigned int size = 0;
+
+       if (opts->options & XT_SYNPROXY_OPT_MSS)
+               size += TCPOLEN_MSS_ALIGNED;
+       if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
+               size += TCPOLEN_TSTAMP_ALIGNED;
+       else if (opts->options & XT_SYNPROXY_OPT_SACK_PERM)
+               size += TCPOLEN_SACKPERM_ALIGNED;
+       if (opts->options & XT_SYNPROXY_OPT_WSCALE)
+               size += TCPOLEN_WSCALE_ALIGNED;
+
+       return size;
+}
+EXPORT_SYMBOL_GPL(synproxy_options_size);
+
+void
+synproxy_build_options(struct tcphdr *th, const struct synproxy_options *opts)
+{
+       __be32 *ptr = (__be32 *)(th + 1);
+       u8 options = opts->options;
+
+       if (options & XT_SYNPROXY_OPT_MSS)
+               *ptr++ = htonl((TCPOPT_MSS << 24) |
+                              (TCPOLEN_MSS << 16) |
+                              opts->mss);
+
+       if (options & XT_SYNPROXY_OPT_TIMESTAMP) {
+               if (options & XT_SYNPROXY_OPT_SACK_PERM)
+                       *ptr++ = htonl((TCPOPT_SACK_PERM << 24) |
+                                      (TCPOLEN_SACK_PERM << 16) |
+                                      (TCPOPT_TIMESTAMP << 8) |
+                                      TCPOLEN_TIMESTAMP);
+               else
+                       *ptr++ = htonl((TCPOPT_NOP << 24) |
+                                      (TCPOPT_NOP << 16) |
+                                      (TCPOPT_TIMESTAMP << 8) |
+                                      TCPOLEN_TIMESTAMP);
+
+               *ptr++ = htonl(opts->tsval);
+               *ptr++ = htonl(opts->tsecr);
+       } else if (options & XT_SYNPROXY_OPT_SACK_PERM)
+               *ptr++ = htonl((TCPOPT_NOP << 24) |
+                              (TCPOPT_NOP << 16) |
+                              (TCPOPT_SACK_PERM << 8) |
+                              TCPOLEN_SACK_PERM);
+
+       if (options & XT_SYNPROXY_OPT_WSCALE)
+               *ptr++ = htonl((TCPOPT_NOP << 24) |
+                              (TCPOPT_WINDOW << 16) |
+                              (TCPOLEN_WINDOW << 8) |
+                              opts->wscale);
+}
+EXPORT_SYMBOL_GPL(synproxy_build_options);
+
+void synproxy_init_timestamp_cookie(const struct xt_synproxy_info *info,
+                                   struct synproxy_options *opts)
+{
+       opts->tsecr = opts->tsval;
+       opts->tsval = tcp_time_stamp & ~0x3f;
+
+       if (opts->options & XT_SYNPROXY_OPT_WSCALE)
+               opts->tsval |= info->wscale;
+       else
+               opts->tsval |= 0xf;
+
+       if (opts->options & XT_SYNPROXY_OPT_SACK_PERM)
+               opts->tsval |= 1 << 4;
+
+       if (opts->options & XT_SYNPROXY_OPT_ECN)
+               opts->tsval |= 1 << 5;
+}
+EXPORT_SYMBOL_GPL(synproxy_init_timestamp_cookie);
+
+void synproxy_check_timestamp_cookie(struct synproxy_options *opts)
+{
+       opts->wscale = opts->tsecr & 0xf;
+       if (opts->wscale != 0xf)
+               opts->options |= XT_SYNPROXY_OPT_WSCALE;
+
+       opts->options |= opts->tsecr & (1 << 4) ? XT_SYNPROXY_OPT_SACK_PERM : 0;
+
+       opts->options |= opts->tsecr & (1 << 5) ? XT_SYNPROXY_OPT_ECN : 0;
+}
+EXPORT_SYMBOL_GPL(synproxy_check_timestamp_cookie);
+
+unsigned int synproxy_tstamp_adjust(struct sk_buff *skb,
+                                   unsigned int protoff,
+                                   struct tcphdr *th,
+                                   struct nf_conn *ct,
+                                   enum ip_conntrack_info ctinfo,
+                                   const struct nf_conn_synproxy *synproxy)
+{
+       unsigned int optoff, optend;
+       u32 *ptr, old;
+
+       if (synproxy->tsoff == 0)
+               return 1;
+
+       optoff = protoff + sizeof(struct tcphdr);
+       optend = protoff + th->doff * 4;
+
+       if (!skb_make_writable(skb, optend))
+               return 0;
+
+       while (optoff < optend) {
+               unsigned char *op = skb->data + optoff;
+
+               switch (op[0]) {
+               case TCPOPT_EOL:
+                       return 1;
+               case TCPOPT_NOP:
+                       optoff++;
+                       continue;
+               default:
+                       if (optoff + 1 == optend ||
+                           optoff + op[1] > optend ||
+                           op[1] < 2)
+                               return 0;
+                       if (op[0] == TCPOPT_TIMESTAMP &&
+                           op[1] == TCPOLEN_TIMESTAMP) {
+                               if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
+                                       ptr = (u32 *)&op[2];
+                                       old = *ptr;
+                                       *ptr = htonl(ntohl(*ptr) -
+                                                    synproxy->tsoff);
+                               } else {
+                                       ptr = (u32 *)&op[6];
+                                       old = *ptr;
+                                       *ptr = htonl(ntohl(*ptr) +
+                                                    synproxy->tsoff);
+                               }
+                               inet_proto_csum_replace4(&th->check, skb,
+                                                        old, *ptr, 0);
+                               return 1;
+                       }
+                       optoff += op[1];
+               }
+       }
+       return 1;
+}
+EXPORT_SYMBOL_GPL(synproxy_tstamp_adjust);
+
+static struct nf_ct_ext_type nf_ct_synproxy_extend __read_mostly = {
+       .len            = sizeof(struct nf_conn_synproxy),
+       .align          = __alignof__(struct nf_conn_synproxy),
+       .id             = NF_CT_EXT_SYNPROXY,
+};
+
+#ifdef CONFIG_PROC_FS
+static void *synproxy_cpu_seq_start(struct seq_file *seq, loff_t *pos)
+{
+       struct synproxy_net *snet = synproxy_pernet(seq_file_net(seq));
+       int cpu;
+
+       if (*pos == 0)
+               return SEQ_START_TOKEN;
+
+       for (cpu = *pos - 1; cpu < nr_cpu_ids; cpu++) {
+               if (!cpu_possible(cpu))
+                       continue;
+               *pos = cpu + 1;
+               return per_cpu_ptr(snet->stats, cpu);
+       }
+
+       return NULL;
+}
+
+static void *synproxy_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+{
+       struct synproxy_net *snet = synproxy_pernet(seq_file_net(seq));
+       int cpu;
+
+       for (cpu = *pos; cpu < nr_cpu_ids; cpu++) {
+               if (!cpu_possible(cpu))
+                       continue;
+               *pos = cpu + 1;
+               return per_cpu_ptr(snet->stats, cpu);
+       }
+
+       return NULL;
+}
+
+static void synproxy_cpu_seq_stop(struct seq_file *seq, void *v)
+{
+       return;
+}
+
+static int synproxy_cpu_seq_show(struct seq_file *seq, void *v)
+{
+       struct synproxy_stats *stats = v;
+
+       if (v == SEQ_START_TOKEN) {
+               seq_printf(seq, "entries\t\tsyn_received\t"
+                               "cookie_invalid\tcookie_valid\t"
+                               "cookie_retrans\tconn_reopened\n");
+               return 0;
+       }
+
+       seq_printf(seq, "%08x\t%08x\t%08x\t%08x\t%08x\t%08x\n", 0,
+                  stats->syn_received,
+                  stats->cookie_invalid,
+                  stats->cookie_valid,
+                  stats->cookie_retrans,
+                  stats->conn_reopened);
+
+       return 0;
+}
+
+static const struct seq_operations synproxy_cpu_seq_ops = {
+       .start          = synproxy_cpu_seq_start,
+       .next           = synproxy_cpu_seq_next,
+       .stop           = synproxy_cpu_seq_stop,
+       .show           = synproxy_cpu_seq_show,
+};
+
+static int synproxy_cpu_seq_open(struct inode *inode, struct file *file)
+{
+       return seq_open_net(inode, file, &synproxy_cpu_seq_ops,
+                           sizeof(struct seq_net_private));
+}
+
+static const struct file_operations synproxy_cpu_seq_fops = {
+       .owner          = THIS_MODULE,
+       .open           = synproxy_cpu_seq_open,
+       .read           = seq_read,
+       .llseek         = seq_lseek,
+       .release        = seq_release_net,
+};
+
+static int __net_init synproxy_proc_init(struct net *net)
+{
+       if (!proc_create("synproxy", S_IRUGO, net->proc_net_stat,
+                        &synproxy_cpu_seq_fops))
+               return -ENOMEM;
+       return 0;
+}
+
+static void __net_exit synproxy_proc_exit(struct net *net)
+{
+       remove_proc_entry("synproxy", net->proc_net_stat);
+}
+#else
+static int __net_init synproxy_proc_init(struct net *net)
+{
+       return 0;
+}
+
+static void __net_exit synproxy_proc_exit(struct net *net)
+{
+       return;
+}
+#endif /* CONFIG_PROC_FS */
+
+static int __net_init synproxy_net_init(struct net *net)
+{
+       struct synproxy_net *snet = synproxy_pernet(net);
+       struct nf_conntrack_tuple t;
+       struct nf_conn *ct;
+       int err = -ENOMEM;
+
+       memset(&t, 0, sizeof(t));
+       ct = nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL);
+       if (IS_ERR(ct)) {
+               err = PTR_ERR(ct);
+               goto err1;
+       }
+
+       __set_bit(IPS_TEMPLATE_BIT, &ct->status);
+       __set_bit(IPS_CONFIRMED_BIT, &ct->status);
+       if (!nfct_seqadj_ext_add(ct))
+               goto err2;
+       if (!nfct_synproxy_ext_add(ct))
+               goto err2;
+
+       snet->tmpl = ct;
+
+       snet->stats = alloc_percpu(struct synproxy_stats);
+       if (snet->stats == NULL)
+               goto err2;
+
+       err = synproxy_proc_init(net);
+       if (err < 0)
+               goto err3;
+
+       return 0;
+
+err3:
+       free_percpu(snet->stats);
+err2:
+       nf_conntrack_free(ct);
+err1:
+       return err;
+}
+
+static void __net_exit synproxy_net_exit(struct net *net)
+{
+       struct synproxy_net *snet = synproxy_pernet(net);
+
+       nf_conntrack_free(snet->tmpl);
+       synproxy_proc_exit(net);
+       free_percpu(snet->stats);
+}
+
+static struct pernet_operations synproxy_net_ops = {
+       .init           = synproxy_net_init,
+       .exit           = synproxy_net_exit,
+       .id             = &synproxy_net_id,
+       .size           = sizeof(struct synproxy_net),
+};
+
+static int __init synproxy_core_init(void)
+{
+       int err;
+
+       err = nf_ct_extend_register(&nf_ct_synproxy_extend);
+       if (err < 0)
+               goto err1;
+
+       err = register_pernet_subsys(&synproxy_net_ops);
+       if (err < 0)
+               goto err2;
+
+       return 0;
+
+err2:
+       nf_ct_extend_unregister(&nf_ct_synproxy_extend);
+err1:
+       return err;
+}
+
+static void __exit synproxy_core_exit(void)
+{
+       unregister_pernet_subsys(&synproxy_net_ops);
+       nf_ct_extend_unregister(&nf_ct_synproxy_extend);
+}
+
+module_init(synproxy_core_init);
+module_exit(synproxy_core_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");