├── README
├── iptables
    ├── Makefile
    ├── libipt_TCPWIN.c
    └── libipt_TCPWIN.man
└── kernel
    ├── Makefile
    ├── ipt_TWIN.h
    └── xt_TWIN.c


/README:
--------------------------------------------------------------------------------
 1 | This iptables module changes TCP window header field.
 2 | 
 3 | The purpose is only testing and debugging because of changing TCP window
 4 | usualy is very bad idea.
 5 | 
 6 | Repository contains both iptables module for kernel and iptables plug-in for
 7 | userspace.
 8 | 
 9 | It is based on TTL module written by
10 | Harald Welte <laforge@netfilter.org>
11 | 
12 | Usage example:
13 | 
14 | - make modules and put them to proper places
15 | - modprobe xt_TCPWIN
16 | - iptables -t mangle -I OUTPUT -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -j TCPWIN --tcpwin-set 0
17 | 


--------------------------------------------------------------------------------
/iptables/Makefile:
--------------------------------------------------------------------------------
 1 | CFLAGS = -O2 -Wall
 2 | 
 3 | all: libipt_TCPWIN.so
 4 | 
 5 | lib%.so: lib%.o
 6 | 	gcc -shared -fPIC -o $@ $^;
 7 | 
 8 | lib%.o: lib%.c
 9 | 	gcc ${CFLAGS} -D_INIT=lib$*_init -fPIC -c -o $@ $<;
10 | 
11 | clean:
12 | 	rm -f *.{o,so}
13 | 


--------------------------------------------------------------------------------
/iptables/libipt_TCPWIN.c:
--------------------------------------------------------------------------------
 1 | /* Shared library add-on to iptables for the TCP window target
 2 |  * (C) 2015 by Sergej Pupykin <sergej@p5n.pp.ru>
 3 |  *
 4 |  * This program is distributed under the terms of GNU GPL
 5 |  */
 6 | #include <stdio.h>
 7 | #include <xtables.h>
 8 | #include "../kernel/ipt_TWIN.h"
 9 | 
10 | static const struct xt_option_entry TWIN_opts[] = {
11 | 	{.name = "tcpwin-set", .type = XTTYPE_UINT16, .id = 1,
12 | 	 .excl = 0, .flags = XTOPT_PUT, XTOPT_POINTER(struct ipt_TWIN_info, win)},
13 | 	XTOPT_TABLEEND,
14 | };
15 | 
16 | static void TWIN_help(void)
17 | {
18 | 	printf("TCP window target options\n"
19 | 		"  --tcpwin-set value		Set TCP window to <value 0-65535>\n");
20 | }
21 | 
22 | static void TWIN_parse(struct xt_option_call *cb)
23 | {
24 | 	xtables_option_parse(cb);
25 | }
26 | 
27 | static void TWIN_check(struct xt_fcheck_call *cb)
28 | {
29 | }
30 | 
31 | static void TWIN_save(const void *ip, const struct xt_entry_target *target)
32 | {
33 | 	const struct ipt_TWIN_info *info = 
34 | 		(struct ipt_TWIN_info *) target->data;
35 | 	printf(" --tcpwin-set %u", info->win);
36 | }
37 | 
38 | static void TWIN_print(const void *ip, const struct xt_entry_target *target,
39 |                       int numeric)
40 | {
41 | 	const struct ipt_TWIN_info *info =
42 | 		(struct ipt_TWIN_info *) target->data;
43 | 	printf(" TCP window set to %u", info->win);
44 | }
45 | 
46 | static struct xtables_target twin_tg_reg = {
47 | 	.name		= "TCPWIN",
48 | 	.version	= XTABLES_VERSION,
49 | 	.family		= NFPROTO_IPV4,
50 | 	.size		= XT_ALIGN(sizeof(struct ipt_TWIN_info)),
51 | 	.userspacesize	= XT_ALIGN(sizeof(struct ipt_TWIN_info)),
52 | 	.help		= TWIN_help,
53 | 	.print		= TWIN_print,
54 | 	.save		= TWIN_save,
55 | 	.x6_parse	= TWIN_parse,
56 | 	.x6_fcheck	= TWIN_check,
57 | 	.x6_options	= TWIN_opts,
58 | };
59 | 
60 | void _init(void)
61 | {
62 | 	xtables_register_target(&twin_tg_reg);
63 | }
64 | 


--------------------------------------------------------------------------------
/iptables/libipt_TCPWIN.man:
--------------------------------------------------------------------------------
 1 | This is used to modify the IPv4 TCP window field.
 2 | .PP
 3 | Setting TCP window field can potentially be very dangerous,
 4 | so it should be avoided at any cost. This target is only valid in
 5 | .B mangle
 6 | table.
 7 | .PP
 8 | .TP
 9 | \fB\-\-tcpwin\-set\fP \fIvalue\fP
10 | Set the TCP window value to `value'.
11 | 


--------------------------------------------------------------------------------
/kernel/Makefile:
--------------------------------------------------------------------------------
 1 | ifneq ($(KERNELRELEASE),)
 2 | 
 3 | obj-m += xt_TCPWIN.o
 4 | xt_TCPWIN-y := xt_TWIN.o
 5 | 
 6 | else
 7 | 
 8 | KDIR	:= /lib/modules/$(shell uname -r)/build
 9 | PWD	:= $(shell pwd)
10 | 
11 | all:	modules
12 | 
13 | modules:
14 | 	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
15 | 
16 | clean:
17 | 	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) clean
18 | 
19 | endif
20 | 


--------------------------------------------------------------------------------
/kernel/ipt_TWIN.h:
--------------------------------------------------------------------------------
 1 | /* TCP window modification module for IP tables
 2 |  * (C) 2015 by Sergej Pupykin <sergej@p5n.pp.ru> */
 3 | 
 4 | #ifndef _IPT_TWIN_H
 5 | #define _IPT_TWIN_H
 6 | 
 7 | #include <linux/types.h>
 8 | 
 9 | struct ipt_TWIN_info {
10 | 	__u16	win;
11 | };
12 | 
13 | #endif
14 | 


--------------------------------------------------------------------------------
/kernel/xt_TWIN.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * TCP window modification target for IP tables
 3 |  * (C) 2015 by Sergej Pupykin <sergej@p5n.pp.ru>
 4 |  * (C) 2017 fixes by Vadim Fedorenko <junjunk@fromru.com>
 5 |  *
 6 |  * This program is free software; you can redistribute it and/or modify
 7 |  * it under the terms of the GNU General Public License version 2 as
 8 |  * published by the Free Software Foundation.
 9 |  */
10 | 
11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 | #include <linux/module.h>
13 | #include <linux/skbuff.h>
14 | #include <linux/ip.h>
15 | #include <linux/tcp.h>
16 | #include <net/checksum.h>
17 | 
18 | #include <linux/netfilter/x_tables.h>
19 | #include "ipt_TWIN.h"
20 | 
21 | MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
22 | MODULE_AUTHOR("Vadim Fedorenko <junjunk@fromru.com>");
23 | MODULE_DESCRIPTION("Xtables: TCPWIN field modification target");
24 | MODULE_LICENSE("GPL");
25 | 
26 | static unsigned int
27 | twin_tg(struct sk_buff *skb, const struct xt_action_param *par)
28 | {
29 |         struct tcphdr *tcph;
30 |         struct iphdr *iph;
31 |         const struct ipt_TWIN_info *info = par->targinfo;
32 |         int offset, len;
33 | 
34 |         if (!skb_make_writable(skb, skb->len))
35 |                 return NF_DROP;
36 |         if (skb_linearize(skb))
37 |                 return NF_DROP;
38 |         iph = ip_hdr(skb);
39 |         if (iph && iph->protocol)
40 |         {
41 |                 tcph = tcp_hdr(skb);
42 |                 tcph->window = htons(info->win);
43 |                 offset = skb_transport_offset(skb);
44 |                 len = skb->len - offset;
45 |                 tcph->check = 0;
46 |                 tcph->check = csum_tcpudp_magic((iph->saddr), (iph->daddr), len, IPPROTO_TCP, csum_partial((char *)tcph, len, 0));
47 |                 skb->ip_summed = CHECKSUM_NONE;
48 |         }
49 |         return XT_CONTINUE;
50 | }
51 | 
52 | static int twin_tg_check(const struct xt_tgchk_param *par)
53 | {
54 | 	return 0;
55 | }
56 | 
57 | static struct xt_target hl_tg_reg[] __read_mostly = {
58 | 	{
59 | 		.name       = "TCPWIN",
60 | 		.revision   = 0,
61 | 		.family     = NFPROTO_IPV4,
62 | 		.target     = twin_tg,
63 | 		.targetsize = sizeof(struct ipt_TWIN_info),
64 | 		.table      = "mangle",
65 | 		.checkentry = twin_tg_check,
66 | 		.me         = THIS_MODULE,
67 | 	},
68 | };
69 | 
70 | static int __init hl_tg_init(void)
71 | {
72 | 	return xt_register_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg));
73 | }
74 | 
75 | static void __exit hl_tg_exit(void)
76 | {
77 | 	xt_unregister_targets(hl_tg_reg, ARRAY_SIZE(hl_tg_reg));
78 | }
79 | 
80 | module_init(hl_tg_init);
81 | module_exit(hl_tg_exit);
82 | MODULE_ALIAS("ipt_TCPWIN");
83 | 


--------------------------------------------------------------------------------