From 15a2fd14f906e186086323240e80055959737521 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 28 Dec 2014 15:23:30 -0800
Subject: [PATCH] Implement TARPIT target
Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 5 +++++
 Shorewall/Perl/Shorewall/Chains.pm | 4 ++++
 Shorewall/Perl/Shorewall/Config.pm | 8 ++++++++
 Shorewall/Perl/Shorewall/Rules.pm | 21 ++++++++++++++++++---
 4 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 9f991c62b..51aa595ed 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2392,6 +2392,7 @@ determine_capabilities() { MASQUERADE_TGT= UDPLITEREDIRECT= NEW_TOS_MATCH= + TARPIT_TARGET= AMANDA_HELPER= FTP_HELPER=
@@ -2545,6 +2546,8 @@ determine_capabilities() { qt $NFACCT del $chain fi + qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes + if [ -n "$MANGLE_ENABLED" ]; then qt $g_tool -t mangle -N $chain
@@ -2822,6 +2825,7 @@ report_capabilities_unsorted() { report_capability "MASQUERADE Target" $MASQUERADE_TGT report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT report_capability "New tos Match" $NEW_TOS_MATCH + report_capability "TARPIT Target" $TARPIT_TARGET report_capability "Amanda Helper" $AMANDA_HELPER report_capability "FTP Helper" $FTP_HELPER
@@ -2949,6 +2953,7 @@ report_capabilities_unsorted1() { report_capability1 MASQUERADE_TGT report_capability1 UDPLITEREDIRECT report_capability1 NEW_TOS_MATCH + report_capability1 TARPIT_TARGET report_capability1 AMANDA_HELPER report_capability1 FTP_HELPER
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 90a72892c..e1c16f779 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -110,6 +110,7 @@ our @EXPORT = ( qw( INLINERULE OPTIONS IPTABLES + TARPIT FILTER_TABLE NAT_TABLE MANGLE_TABLE
@@ -426,6 +427,7 @@ use constant { STANDARD => 0x1, #defined by Netfilter INLINERULE => 0x40000, #INLINE OPTIONS => 0x80000, #Target Accepts Options IPTABLES => 0x100000, #IPTABLES or IP6TABLES + TARPIT => 0x200000, #TARPIT FILTER_TABLE => 0x1000000, MANGLE_TABLE => 0x2000000,
@@ -2858,6 +2860,7 @@ sub initialize_chain_table($) { 'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY 'INLINE' => INLINERULE, 'IPTABLES' => IPTABLES, + 'TARPIT' => STANDARD + TARPIT + OPTIONS, ); for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2923,6 +2926,7 @@ sub initialize_chain_table($) { 'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY 'INLINE' => INLINERULE, 'IP6TABLES' => IPTABLES, + 'TARPIT' => STANDARD + TARPIT + OPTIONS, ); for my $chain ( qw(OUTPUT PREROUTING) ) {
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index cdadcf6c8..7daf0091d 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -394,6 +394,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', MASQUERADE_TGT => 'MASQUERADE Target', UDPLITEREDIRECT => 'UDPLITE Port Redirection', NEW_TOS_MATCH => 'New tos Match', + TARPIT_TARGET => 'TARPIT Target', AMANDA_HELPER => 'Amanda Helper', FTP_HELPER => 'FTP Helper',
@@ -979,6 +980,7 @@ sub initialize( $;$$) { UDPLITEREDIRECT => undef, NEW_TOS_MATCH => undef, REAP_OPTION => undef, + TARPIT_TARGET => undef, AMANDA_HELPER => undef, FTP_HELPER => undef,
@@ -4226,6 +4228,10 @@ sub Addrtype() { qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" ); } +sub Tarpit_Target() { + qt1( "$iptables $iptablesw -A $sillyname -p tcp -j TARPIT" ); +} + sub Tcpmss_Match() { qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); }
@@ -4540,6 +4546,7 @@ our %detect_capability = SIP0_HELPER => \&SIP0_Helper, SNMP_HELPER => \&SNMP_Helper, STATISTIC_MATCH => \&Statistic_Match, + TARPIT_TARGET => \&Tarpit_Target, TCPMSS_MATCH => \&Tcpmss_Match, TFTP_HELPER => \&TFTP_Helper, TFTP0_HELPER => \&TFTP0_Helper,
@@ -4692,6 +4699,7 @@ sub determine_capabilities() { $capabilities{MASQUERADE_TGT} = detect_capability( 'MASQUERADE_TGT' ); $capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' ); $capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' ); + $capabilities{TARPIT_MATCH} = detect_capability( 'TARPIT_MATCH' ); unless ( have_capability 'CT_TARGET' ) { $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 83f75adf8..e36cb54f2 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2211,6 +2211,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { my $blacklist = ( $section == BLACKLIST_SECTION ); my $matches = $rule; my $raw_matches = ''; + my $exceptionrule = ''; if ( $inchain = defined $chainref ) { ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@@ -2284,7 +2285,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { validate_level( $action ); $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action; $action = 'LOG'; - } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) { + } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) { fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN; fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq ''; }
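Review bot: The line added to determine_capabilities() reads and writes the key `TARPIT_MATCH`, while every other addition in this commit — `%capdesc`, `initialize()`, `%detect_capability` and the `require_capability 'TARPIT_TARGET'` call in Rules.pm — uses `TARPIT_TARGET`. As far as this patch shows, `detect_capability( 'TARPIT_MATCH' )` has no `%detect_capability` entry to dispatch to and `$capabilities{TARPIT_TARGET}` is never populated on this path, so a TARPIT rule would presumably be rejected as unsupported whenever capabilities are probed by the compiler rather than loaded from a saved capabilities file. The line should read `$capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );`. determine_capabilities() starts and ends outside the hunk.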
@@ -2294,7 +2295,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { # fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist; - unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) { + unless ( $actiontype & ( ACTION | INLINE | IPTABLES | TARPIT ) ) { # # Catch empty parameter list #
@@ -2398,6 +2399,20 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { $action = ''; } }, + + TARPIT => sub { + require_capability 'TARPIT_TARGET', 'The TARPIT Target', 's'; + + fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP; + + if ( $param ) { + fatal_error "TARPIT Parameter must be 'tarpit', 'honeypot' or 'reset'" unless $param =~ /^(tarpit|honeypot|reset)$/; + $action = "TARPIT --$param"; + $log_action = 'TARPIT'; + } + + $exceptionrule = '-p 6 '; + }, ); my $function = $functions{ $bt };
@@ -2831,7 +2846,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { $action , $loglevel , $log_action , - '' ) + $exceptionrule ) unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref ); }
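Review bot: The parameter check in the new `TARPIT` handler is anchored with `^`/`$`, so a value ending in a newline would pass `/^(tarpit|honeypot|reset)$/` and be interpolated verbatim into `"TARPIT --$param"`; `\A`/`\z` pin the whole string, e.g. `unless $param =~ /\A(?:tarpit|honeypot|reset)\z/`. Whether a trailing newline can reach `$param` from the rules parser is not visible here, so this may be a point of style rather than a reachable defect. A short comment on the two neighbouring lines would also help a reader: that the protocol test appears to reject an unspecified PROTO as well as a non-TCP one (the `|| 0` turns a false result from resolve_proto() into a mismatch), and why `$exceptionrule` is forced to `-p 6 ` — presumably so that any rule split off for exclusions still carries the protocol match TARPIT requires. From the defender's side, the xtables-addons TARPIT documentation, as I recall it, advises keeping tarpitted flows out of connection tracking so they do not consume conntrack entries; that caveat belongs in the user-facing description of this target. process_rule() starts and ends outside the hunk.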