Message ID | 1331033084-23803-1-git-send-email-denys@visp.net.lb |
---|---|
State | Superseded |
Headers | show |
Hi Denys, On Tue, Mar 06, 2012 at 01:24:44PM +0200, Denys Fedoryshchenko wrote: > Use case for this feature: > 1)In some occasions if you need to allow,block,match specific subnet. > 2)I can use recent as a trigger when netfilter rule matches, with mask 0.0.0.0 > > Example: > > If you ping 8.8.8.8, after that you can't ping 2.2.2.10 Could you provide an useful example for this new feature? I also think you can make this with hashlimit, that allows you to set the network mask. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Pablo On 2012-04-12 02:14, Pablo Neira Ayuso wrote: > Hi Denys, > > On Tue, Mar 06, 2012 at 01:24:44PM +0200, Denys Fedoryshchenko wrote: >> Use case for this feature: >> 1)In some occasions if you need to allow,block,match specific >> subnet. >> 2)I can use recent as a trigger when netfilter rule matches, with >> mask 0.0.0.0 >> >> Example: >> >> If you ping 8.8.8.8, after that you can't ping 2.2.2.10 > > Could you provide an useful example for this new feature? > > I also think you can make this with hashlimit, that allows you to > set the network mask. Yes, technically hashlimit can do a lot, but not everything. Especially because xt_recent can be "fine-grained" in steps, depends on timeline of event, and can be updated accordingly to time of reoccurred event. It is generally not related to mask option, but mask gives power to block subnets. Why for example /24? Well, it is minimal mask for BGP announce :) It is very often, that requesting ip has more ip's in same subnet (load-balancing, or multiple ip's on dedicated server), and mask will be highly useful for that, to reduce number of entries and to tighten weak points (usually after ip blocked, they try from neighbor ip to check, if destination just blocked single ip). Plus rttl and hitcount another sweet things that are available in xt_recent, but aren't in hashlimit. iptables -t mangle -N SIP # If someone abuse our SIP, block him completely at least for 10 seconds, if he try again, update and block for new 120 seconds iptables -t mangle -A SIP -m recent --name X --update --seconds 10 --mask 255.255.255.0 -j MARK --set-mark 0x1 # 120 - 600 seconds handle him over special relay (that will log his query, but wont pass him to real SIP server) iptables -t mangle -A SIP -m recent --name X --rcheck --seconds 600 --mask 255.255.255.0 -j MARK --set-mark 0x2 In this case i will log only invalid queries, but for example some DDoS or scanners that flood servers by packets will be silently ignored. Maybe if hitcount really bad, i will add them to ipset, and block permanently, by -m set --add-set. For me personally it is useful, because i have around 140 NAS servers, and i give each of them /24 "gray" subnets, and in some cases i need to handle bad users, that are changing dynamic ip and attacking from new ip each time. I just block non-critical service for whole subnet then, till technician on duty will solve issue completely. And sure if attack are stopped, subnet will be unblocked "automagically". Sure this feature not critical, or "a must", and if code are not good, it is up to you, if it should be added or not. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Apr 12, 2012 at 12:00:03PM +0300, Denys Fedoryshchenko wrote: [...] > For me personally it is useful, because i have around 140 NAS > servers, and i give each of them /24 "gray" subnets, and in some > cases i need to handle bad users, that are changing dynamic ip and > attacking from new ip each time. I just block non-critical service > for whole subnet then, till technician on duty will solve issue > completely. And sure if attack are stopped, subnet will be unblocked > "automagically". OK, if you need this, I'm fine with it. > Sure this feature not critical, or "a must", and if code are not > good, it is up to you, if it should be added or not. I didn't say anything about the code yet. E-mail reviewing this will follow. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Mar 06, 2012 at 01:24:44PM +0200, Denys Fedoryshchenko wrote: > Use case for this feature: > 1)In some occasions if you need to allow,block,match specific subnet. > 2)I can use recent as a trigger when netfilter rule matches, with mask 0.0.0.0 > > Example: > > If you ping 8.8.8.8, after that you can't ping 2.2.2.10 > > Tested for backward compatibility: > )old (userspace) iptables, new kernel > )old kernel, new iptables > )new kernel, new iptables > > Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb> > --- > include/linux/netfilter.h | 11 +++++ > include/linux/netfilter/xt_recent.h | 10 +++++ > net/netfilter/xt_recent.c | 70 +++++++++++++++++++++++++++++++---- > 3 files changed, 83 insertions(+), 8 deletions(-) > > diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h > index b809265..c132de6 100644 > --- a/include/linux/netfilter.h > +++ b/include/linux/netfilter.h > @@ -85,6 +85,17 @@ static inline int NF_DROP_GETERR(int verdict) > return -(verdict >> NF_VERDICT_QBITS); > } > > + > +static inline void nf_inet_addr_mask(const union nf_inet_addr *a1, > + union nf_inet_addr *result, > + const union nf_inet_addr *mask) > +{ > + result->all[0] = a1->all[0] & mask->all[0]; > + result->all[1] = a1->all[1] & mask->all[1]; > + result->all[2] = a1->all[2] & mask->all[2]; > + result->all[3] = a1->all[3] & mask->all[3]; > +} Please, put this function in the xt_recent. I prefer leave it there until more clients of it show up. > + > static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1, > const union nf_inet_addr *a2) > { > diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h > index 83318e0..6ef36c1 100644 > --- a/include/linux/netfilter/xt_recent.h > +++ b/include/linux/netfilter/xt_recent.h > @@ -32,4 +32,14 @@ struct xt_recent_mtinfo { > __u8 side; > }; > > +struct xt_recent_mtinfo_v1 { > + __u32 seconds; > + __u32 hit_count; > + __u8 check_set; > + __u8 invert; > + char name[XT_RECENT_NAME_LEN]; > + __u8 side; > + union nf_inet_addr mask; > +}; > + > #endif /* _LINUX_NETFILTER_XT_RECENT_H */ > diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c > index d2ff15a..bdc38fa 100644 > --- a/net/netfilter/xt_recent.c > +++ b/net/netfilter/xt_recent.c > @@ -75,6 +75,7 @@ struct recent_entry { > struct recent_table { > struct list_head list; > char name[XT_RECENT_NAME_LEN]; > + union nf_inet_addr mask; > unsigned int refcnt; > unsigned int entries; > struct list_head lru_list; > @@ -228,10 +229,11 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par) > { > struct net *net = dev_net(par->in ? par->in : par->out); > struct recent_net *recent_net = recent_pernet(net); > - const struct xt_recent_mtinfo *info = par->matchinfo; > + const struct xt_recent_mtinfo_v1 *info = par->matchinfo; > struct recent_table *t; > struct recent_entry *e; > union nf_inet_addr addr = {}; > + union nf_inet_addr addr_masked; > u_int8_t ttl; > bool ret = info->invert; > > @@ -261,12 +263,15 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par) > > spin_lock_bh(&recent_lock); > t = recent_table_lookup(recent_net, info->name); > - e = recent_entry_lookup(t, &addr, par->family, > + > + nf_inet_addr_mask(&addr, &addr_masked, &t->mask); > + > + e = recent_entry_lookup(t, &addr_masked, par->family, > (info->check_set & XT_RECENT_TTL) ? ttl : 0); > if (e == NULL) { > if (!(info->check_set & XT_RECENT_SET)) > goto out; > - e = recent_entry_init(t, &addr, par->family, ttl); > + e = recent_entry_init(t, &addr_masked, par->family, ttl); > if (e == NULL) > par->hotdrop = true; > ret = !ret; > @@ -306,10 +311,10 @@ out: > return ret; > } > > -static int recent_mt_check(const struct xt_mtchk_param *par) > +static int recent_mt_check(const struct xt_mtchk_param *par, > + const struct xt_recent_mtinfo_v1 *info) > { > struct recent_net *recent_net = recent_pernet(par->net); > - const struct xt_recent_mtinfo *info = par->matchinfo; > struct recent_table *t; > #ifdef CONFIG_PROC_FS > struct proc_dir_entry *pde; > @@ -361,6 +366,8 @@ static int recent_mt_check(const struct xt_mtchk_param *par) > goto out; > } > t->refcnt = 1; > + > + memcpy(&t->mask, &info->mask, sizeof(t->mask)); > strcpy(t->name, info->name); > INIT_LIST_HEAD(&t->lru_list); > for (i = 0; i < ip_list_hash_size; i++) > @@ -385,10 +392,37 @@ out: > return ret; > } > > +static int recent_mt_check_v0(const struct xt_mtchk_param *par) > +{ > + const struct xt_recent_mtinfo_v0 *info_v0 = par->matchinfo; > + struct xt_recent_mtinfo_v1 *info_v1 = par->matchinfo; > + int ret; > + > + info_v1 = kzalloc(sizeof(struct xt_recent_mtinfo_v1), > + GFP_KERNEL); Better allocate this in the stack. It's fairly small and it is used temporarily. > + if (info_v1 == NULL) > + return -ENOMEM; > + > + > + /* Copy old data */ > + memcpy(info_v1, info_v0, sizeof(struct xt_recent_mtinfo)); > + /* Default mask will make same behavior as old recent */ > + memset(info_v1->mask.all, 0xFF, sizeof(info_v1->mask.all)); > + ret = recent_mt_check(par, info_v1); > + > + kfree(info_v1); > + return ret; > +} > + > +static int recent_mt_check_v1(const struct xt_mtchk_param *par) > +{ > + return recent_mt_check(par, par->matchinfo); > +} > + > static void recent_mt_destroy(const struct xt_mtdtor_param *par) > { > struct recent_net *recent_net = recent_pernet(par->net); > - const struct xt_recent_mtinfo *info = par->matchinfo; > + const struct xt_recent_mtinfo_v1 *info = par->matchinfo; > struct recent_table *t; > > mutex_lock(&recent_mutex); > @@ -625,7 +659,7 @@ static struct xt_match recent_mt_reg[] __read_mostly = { > .family = NFPROTO_IPV4, > .match = recent_mt, > .matchsize = sizeof(struct xt_recent_mtinfo), > - .checkentry = recent_mt_check, > + .checkentry = recent_mt_check_v0, > .destroy = recent_mt_destroy, > .me = THIS_MODULE, > }, > @@ -635,10 +669,30 @@ static struct xt_match recent_mt_reg[] __read_mostly = { > .family = NFPROTO_IPV6, > .match = recent_mt, > .matchsize = sizeof(struct xt_recent_mtinfo), > - .checkentry = recent_mt_check, > + .checkentry = recent_mt_check_v0, > .destroy = recent_mt_destroy, > .me = THIS_MODULE, > }, > + { > + .name = "recent", > + .revision = 1, > + .family = NFPROTO_IPV4, > + .match = recent_mt, > + .matchsize = sizeof(struct xt_recent_mtinfo_v1), > + .checkentry = recent_mt_check_v1, > + .destroy = recent_mt_destroy, > + .me = THIS_MODULE, > + }, > + { > + .name = "recent", > + .revision = 1, > + .family = NFPROTO_IPV6, > + .match = recent_mt, > + .matchsize = sizeof(struct xt_recent_mtinfo_v1), > + .checkentry = recent_mt_check_v1, > + .destroy = recent_mt_destroy, > + .me = THIS_MODULE, > + } > }; > > static int __init recent_mt_init(void) > -- > 1.7.3.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index b809265..c132de6 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -85,6 +85,17 @@ static inline int NF_DROP_GETERR(int verdict) return -(verdict >> NF_VERDICT_QBITS); } + +static inline void nf_inet_addr_mask(const union nf_inet_addr *a1, + union nf_inet_addr *result, + const union nf_inet_addr *mask) +{ + result->all[0] = a1->all[0] & mask->all[0]; + result->all[1] = a1->all[1] & mask->all[1]; + result->all[2] = a1->all[2] & mask->all[2]; + result->all[3] = a1->all[3] & mask->all[3]; +} + static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1, const union nf_inet_addr *a2) { diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h index 83318e0..6ef36c1 100644 --- a/include/linux/netfilter/xt_recent.h +++ b/include/linux/netfilter/xt_recent.h @@ -32,4 +32,14 @@ struct xt_recent_mtinfo { __u8 side; }; +struct xt_recent_mtinfo_v1 { + __u32 seconds; + __u32 hit_count; + __u8 check_set; + __u8 invert; + char name[XT_RECENT_NAME_LEN]; + __u8 side; + union nf_inet_addr mask; +}; + #endif /* _LINUX_NETFILTER_XT_RECENT_H */ diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c index d2ff15a..bdc38fa 100644 --- a/net/netfilter/xt_recent.c +++ b/net/netfilter/xt_recent.c @@ -75,6 +75,7 @@ struct recent_entry { struct recent_table { struct list_head list; char name[XT_RECENT_NAME_LEN]; + union nf_inet_addr mask; unsigned int refcnt; unsigned int entries; struct list_head lru_list; @@ -228,10 +229,11 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par) { struct net *net = dev_net(par->in ? par->in : par->out); struct recent_net *recent_net = recent_pernet(net); - const struct xt_recent_mtinfo *info = par->matchinfo; + const struct xt_recent_mtinfo_v1 *info = par->matchinfo; struct recent_table *t; struct recent_entry *e; union nf_inet_addr addr = {}; + union nf_inet_addr addr_masked; u_int8_t ttl; bool ret = info->invert; @@ -261,12 +263,15 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par) spin_lock_bh(&recent_lock); t = recent_table_lookup(recent_net, info->name); - e = recent_entry_lookup(t, &addr, par->family, + + nf_inet_addr_mask(&addr, &addr_masked, &t->mask); + + e = recent_entry_lookup(t, &addr_masked, par->family, (info->check_set & XT_RECENT_TTL) ? ttl : 0); if (e == NULL) { if (!(info->check_set & XT_RECENT_SET)) goto out; - e = recent_entry_init(t, &addr, par->family, ttl); + e = recent_entry_init(t, &addr_masked, par->family, ttl); if (e == NULL) par->hotdrop = true; ret = !ret; @@ -306,10 +311,10 @@ out: return ret; } -static int recent_mt_check(const struct xt_mtchk_param *par) +static int recent_mt_check(const struct xt_mtchk_param *par, + const struct xt_recent_mtinfo_v1 *info) { struct recent_net *recent_net = recent_pernet(par->net); - const struct xt_recent_mtinfo *info = par->matchinfo; struct recent_table *t; #ifdef CONFIG_PROC_FS struct proc_dir_entry *pde; @@ -361,6 +366,8 @@ static int recent_mt_check(const struct xt_mtchk_param *par) goto out; } t->refcnt = 1; + + memcpy(&t->mask, &info->mask, sizeof(t->mask)); strcpy(t->name, info->name); INIT_LIST_HEAD(&t->lru_list); for (i = 0; i < ip_list_hash_size; i++) @@ -385,10 +392,37 @@ out: return ret; } +static int recent_mt_check_v0(const struct xt_mtchk_param *par) +{ + const struct xt_recent_mtinfo_v0 *info_v0 = par->matchinfo; + struct xt_recent_mtinfo_v1 *info_v1 = par->matchinfo; + int ret; + + info_v1 = kzalloc(sizeof(struct xt_recent_mtinfo_v1), + GFP_KERNEL); + if (info_v1 == NULL) + return -ENOMEM; + + + /* Copy old data */ + memcpy(info_v1, info_v0, sizeof(struct xt_recent_mtinfo)); + /* Default mask will make same behavior as old recent */ + memset(info_v1->mask.all, 0xFF, sizeof(info_v1->mask.all)); + ret = recent_mt_check(par, info_v1); + + kfree(info_v1); + return ret; +} + +static int recent_mt_check_v1(const struct xt_mtchk_param *par) +{ + return recent_mt_check(par, par->matchinfo); +} + static void recent_mt_destroy(const struct xt_mtdtor_param *par) { struct recent_net *recent_net = recent_pernet(par->net); - const struct xt_recent_mtinfo *info = par->matchinfo; + const struct xt_recent_mtinfo_v1 *info = par->matchinfo; struct recent_table *t; mutex_lock(&recent_mutex); @@ -625,7 +659,7 @@ static struct xt_match recent_mt_reg[] __read_mostly = { .family = NFPROTO_IPV4, .match = recent_mt, .matchsize = sizeof(struct xt_recent_mtinfo), - .checkentry = recent_mt_check, + .checkentry = recent_mt_check_v0, .destroy = recent_mt_destroy, .me = THIS_MODULE, }, @@ -635,10 +669,30 @@ static struct xt_match recent_mt_reg[] __read_mostly = { .family = NFPROTO_IPV6, .match = recent_mt, .matchsize = sizeof(struct xt_recent_mtinfo), - .checkentry = recent_mt_check, + .checkentry = recent_mt_check_v0, .destroy = recent_mt_destroy, .me = THIS_MODULE, }, + { + .name = "recent", + .revision = 1, + .family = NFPROTO_IPV4, + .match = recent_mt, + .matchsize = sizeof(struct xt_recent_mtinfo_v1), + .checkentry = recent_mt_check_v1, + .destroy = recent_mt_destroy, + .me = THIS_MODULE, + }, + { + .name = "recent", + .revision = 1, + .family = NFPROTO_IPV6, + .match = recent_mt, + .matchsize = sizeof(struct xt_recent_mtinfo_v1), + .checkentry = recent_mt_check_v1, + .destroy = recent_mt_destroy, + .me = THIS_MODULE, + } }; static int __init recent_mt_init(void)
Use case for this feature: 1)In some occasions if you need to allow,block,match specific subnet. 2)I can use recent as a trigger when netfilter rule matches, with mask 0.0.0.0 Example: If you ping 8.8.8.8, after that you can't ping 2.2.2.10 Tested for backward compatibility: )old (userspace) iptables, new kernel )old kernel, new iptables )new kernel, new iptables Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb> --- include/linux/netfilter.h | 11 +++++ include/linux/netfilter/xt_recent.h | 10 +++++ net/netfilter/xt_recent.c | 70 +++++++++++++++++++++++++++++++---- 3 files changed, 83 insertions(+), 8 deletions(-) -- 1.7.3.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html