lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 18 Jun 2019 11:46:13 +0200
From:   Florian Westphal <fw@...len.de>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     Florian Westphal <fw@...len.de>, wenxu@...oud.cn,
        netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH] netfilter: nft_paylaod: add base type
 NFT_PAYLOAD_LL_HEADER_NO_TAG

Pablo Neira Ayuso <pablo@...filter.org> wrote:
> On Tue, Jun 18, 2019 at 12:42:32AM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@...filter.org> wrote:
> > > > Subject: Change bridge l3 dependency to meta protocol
> > > > 
> > > > This examines skb->protocol instead of ethernet header type, which
> > > > might be different when vlan is involved.
> > > >  
> > > > +	if (ctx->pctx.family == NFPROTO_BRIDGE && desc == &proto_eth) {
> > > > +		if (expr->payload.desc == &proto_ip ||
> > > > +		    expr->payload.desc == &proto_ip6)
> > > > +			desc = &proto_metaeth;
> > > > +	}i
> > > 
> > > Is this sufficient to restrict the matching? Is this still buggy from
> > > ingress?
> > 
> > This is what netdev family uses as well (skb->protocol i mean).
> > I'm not sure it will work for output however (haven't checked).
> 
> You mean for locally generated traffic?

Yes.

> > > I wonder if an explicit NFT_PAYLOAD_CHECK_VLAN flag would be useful in
> > > the kernel, if so we could rename NFTA_PAYLOAD_CSUM_FLAGS to
> > > NFTA_PAYLOAD_FLAGS and place it there. Just an idea.
> > 
> > What would NFT_PAYLOAD_CHECK_VLAN do?
> 
> Similar to the checksum approach, it provides a hint to the kernel to
> say that "I want to look at the vlan header" from the link layer.

I see.  Its a bit of a furhter problem because tags can be nested,
so we would have to provide a more dynamic approach, similar to tunnel
matching (vlan header 0 id 42 vlan header 1 id 23' etc).

> > What might be useful is an nft switch to turn off dependeny
> > insertion, this would also avoid the problem (if users restrict the
> > matching properly...).
> 
> Hm. How does this toggle would look like?

nft --nodep add rule bridge filter input ip protocol icmp # broken, has false positives
nft --nodep add rule bridge filter input ip version 4 ip protocol icmp # might work
nft --nodep add rule bridge filter input meta protocol ip ip protocol icmp # might work too

Its kind of I-Know-What-I-Am-Doing switch ...

We can already do this with raw payload expressions but those aren't that user
friendly.

> > Another unresolved issue is presence of multiple vlan tags, so we might
> > have to add yet another meta key to retrieve the l3 protocol in use
> > 
> > (the problem at hand was 'ip protocol icmp' not matching traffic inside
> >  a vlan).
> 
> Could you describe this problem a bit more? Small example rule plus
> scenario.

It was what wenxu reported originally:

nft add rule bridge filter forward ip protocol counter ..

The rule only matches if the ip packet is contained in an ethernet frame
without vlan tag -- and thats neither expected nor desirable.

This rule works when using 'meta protocol ip' as dependency instead
of ether type ip (what we do now), because VLAN stripping will fix/alter
skb->protocol to the inner type when the VLAN tag gets removes.

It will still fail in case there are several VLAN tags, so we might
need another meta expression that can figure out the l3 protocol type.

Does that make sense so far?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ