Discussion:
Global ingress filter for ip
Rodolphe De Saint Leger
2008-03-28 01:36:30 UTC
Hi,

I was wondering about adding a global ingress filter functionality to NetBSD.
I've begun to work on it and I wanted to have some advice.

The functionality is aimed to be used by encap subsystems like gif
and stf. Also, a sysctl can trigger the filter globally.
Flags are added in the pkthdr struct to keep track of the ingress check.

Actually, I've just implemented the ip_input() side. Are things done
the right way?
The benefits would be to have a single ingress check by packet
(actually, if I did a good check, the ingress filter is applied for
each configured tunnel). The implementation allows a subsystem to
force the filter for a given packet, and a subsystem can ask for the
packet's ingress status (by using
enable_ipingress()/disable_ipingress())

Here is my current code
http://shumira.roroland.net/20080328/ingress.diff

Regards,
--
int main(int c,char**v){int b,e=(c>>24)+6,g=c==1?1:e>>4;
char*d=c==1?"d3JpdGUgaW4gQw==":g==2?*v:v[c-1];b=c<<6|(*d
+(*d>96?-71:*d>58?-65:*d>47?4:*d>46?16:19));if(*d==61?0:
*d){if((e&=15)>7)putchar((b>>(e-=8))&255); d++;main(((e|
32)<<24)|(b&4095),&d);}return g<2&&c>2?main(--c,v):1;}

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Thor Lancelot Simon
2008-03-28 17:22:55 UTC
Post by Rodolphe De Saint Leger
Hi,
I was wondering about adding a global ingress filter functionality to NetBSD.
I've begun to work on it and I wanted to have some advice.
The functionality is aimed to be used by encap subsystems like gif
and stf. Also, a sysctl can trigger the filter globally.
Flags are added in the pkthdr struct to keep track of the ingress check.
What does this do that cannot be done by a standard packet filter (e.g.
ipf or pf) using the existing ip_input filter hook?

Thor

Rodolphe De Saint Leger
2008-03-28 18:03:05 UTC
Post by Thor Lancelot Simon
What does this do that cannot be done by a standard packet filter (e.g.
ipf or pf) using the existing ip_input filter hook?
Thor
As far as I know, this can be done using ipf or pf, in another way:
the ingress test uses a lookup in the routing table, whereas rules would use IP
addresses.

However, the tunnel pseudo devices actually use this test (with an
IFF_LINK). My goal was to make it more centric, generic, and
independent of any processing which could be done on the packet (this
is why the test occurs before NAT).

It's just a way to share code between tunnel pseudo devices. Also,
it's much lighter and simpler.

For code sharing, the tunnel pseudo devices would call
enable_ipingress() when cloning interface, and it can check the
ingress status of the packet by looking at the flags in
encap_lookup().

Regards,
--
int main(int c,char**v){int b,e=(c>>24)+6,g=c==1?1:e>>4;
char*d=c==1?"d3JpdGUgaW4gQw==":g==2?*v:v[c-1];b=c<<6|(*d
+(*d>96?-71:*d>58?-65:*d>47?4:*d>46?16:19));if(*d==61?0:
*d){if((e&=15)>7)putchar((b>>(e-=8))&255); d++;main(((e|
32)<<24)|(b&4095),&d);}return g<2&&c>2?main(--c,v):1;}

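To make the distinction above concrete (a routing-table-based ingress test, done once per packet and recorded in the packet header so a tunnel decapsulator can reuse the verdict), here is an added, self-contained user-space model. It is not code from the posted patch or from NetBSD: the routing table is a constructed flat array with longest-prefix match instead of the kernel's radix tree, the interface indices, the `M_INGRESS_CHECKED`/`M_INGRESS_OK` flag names and the `ip_ingress_check()` function are hypothetical, and the sample routes and packets are made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Interface indices for this constructed example (not NetBSD's ifnet). */
enum { IF_NONE = 0, IF_EXT = 1, IF_INT = 2 };

/* One entry of a toy IPv4 routing table (constructed; the kernel's
 * rtentry/radix tree is replaced by a flat array with longest-prefix match). */
struct route {
    uint32_t prefix;   /* network address, host byte order, already masked */
    int      plen;     /* prefix length in bits */
    int      ifindex;  /* interface the route points out of */
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static uint32_t plen_mask(int plen)
{
    return plen == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - plen));
}

/* Longest-prefix-match lookup: returns the interface of the best route
 * to dst, or IF_NONE when no route covers it. */
static int rt_lookup(const struct route *tbl, size_t n, uint32_t dst)
{
    int best_if = IF_NONE, best_len = -1;
    for (size_t i = 0; i < n; i++) {
        if ((dst & plen_mask(tbl[i].plen)) == tbl[i].prefix && tbl[i].plen > best_len) {
            best_len = tbl[i].plen;
            best_if = tbl[i].ifindex;
        }
    }
    return best_if;
}

/* Hypothetical pkthdr flags mirroring the thread's idea of recording the
 * ingress verdict once so tunnel decapsulators can read it later. */
#define M_INGRESS_CHECKED 0x01
#define M_INGRESS_OK      0x02

struct pkthdr {
    uint32_t src;      /* outer IPv4 source address, host byte order */
    int      rcvif;    /* interface the packet was received on */
    unsigned flags;
};

/* Strict reverse-path ingress check: the best route back to the packet's
 * source address must point at the interface the packet arrived on.
 * The verdict is recorded in the header flags; a second call returns the
 * recorded verdict instead of repeating the routing lookup. */
static int ip_ingress_check(const struct route *tbl, size_t n, struct pkthdr *ph)
{
    if (ph->flags & M_INGRESS_CHECKED)
        return (ph->flags & M_INGRESS_OK) != 0;
    int via = rt_lookup(tbl, n, ph->src);
    ph->flags |= M_INGRESS_CHECKED;
    if (via != IF_NONE && via == ph->rcvif)
        ph->flags |= M_INGRESS_OK;
    return (ph->flags & M_INGRESS_OK) != 0;
}

/* Constructed sample table: default route out the external interface,
 * one internal prefix behind the internal interface. */
static const struct route sample_tbl[] = {
    { IP4(0, 0, 0, 0),  0, IF_EXT },
    { IP4(10, 0, 0, 0), 8, IF_INT },
};
#define SAMPLE_N (sizeof(sample_tbl) / sizeof(sample_tbl[0]))

/* Run one packet through the check; 1 = accepted, 0 = dropped as spoofed. */
static int run_scenario(uint32_t src, int rcvif)
{
    struct pkthdr ph = { src, rcvif, 0 };
    return ip_ingress_check(sample_tbl, SAMPLE_N, &ph);
}

/* Shows the "check once per packet" property: after the first verdict is
 * recorded, changing rcvif no longer changes the answer. */
static int verdict_is_recorded_once(void)
{
    struct pkthdr ph = { IP4(10, 1, 2, 3), IF_EXT, 0 };
    int first = ip_ingress_check(sample_tbl, SAMPLE_N, &ph);   /* spoofed: 0 */
    ph.rcvif = IF_INT;                                          /* would pass if re-evaluated */
    int second = ip_ingress_check(sample_tbl, SAMPLE_N, &ph);  /* still 0, from the flags */
    return first == 0 && second == 0 && (ph.flags & M_INGRESS_CHECKED) != 0;
}

int main(void)
{
    printf("10.1.2.3 on ext: %d (expect 0, internal prefix arriving from outside)\n",
           run_scenario(IP4(10, 1, 2, 3), IF_EXT));
    printf("10.1.2.3 on int: %d (expect 1)\n", run_scenario(IP4(10, 1, 2, 3), IF_INT));
    printf("203.0.113.5 on ext: %d (expect 1)\n", run_scenario(IP4(203, 0, 113, 5), IF_EXT));
    printf("verdict recorded once: %d (expect 1)\n", verdict_is_recorded_once());
    return 0;
}
```

The check is the strict form: it depends entirely on the routing table, which is the point Rodolphe makes against address-based filter rules, and it is evaluated before any NAT or other rewriting could change the source address. The same dependence is its main operational caveat: with asymmetric routing the best route back to a legitimate source may leave through a different interface than the one the packet arrived on, so a strict check drops valid traffic and a deployment needs either symmetric routes or a looser variant that only requires some route to the source to exist.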
Rodolphe De Saint Leger
2008-03-29 15:24:07 UTC
Post by Thor Lancelot Simon
What does this do that cannot be done by a standard packet filter (e.g.
ipf or pf) using the existing ip_input filter hook?
Hi,

Just to illustrate my previous mail, I've modified if_gif.c.
I've replaced the ingress test with the one I've done. Also, I've
modified the sysctl declaration and added IPv6 support.
Some more optimisation could be done, as the ingress_check functions for
ip and ip6 are similar.

I did the test on if_stf.c (but I need to clean the NAT part, so I did
not include it). Actually, if_stf and if_gif are the only subsystems
which use ingress checking.

The patch allows if_stf and if_gif to operate the same way (ingress
filtering with the IFF_LINK flag) and adds a global ingress filter in ip
and ipv6.
--
int main(int c,char**v){int b,e=(c>>24)+6,g=c==1?1:e>>4;
char*d=c==1?"d3JpdGUgaW4gQw==":g==2?*v:v[c-1];b=c<<6|(*d
+(*d>96?-71:*d>58?-65:*d>47?4:*d>46?16:19));if(*d==61?0:
*d){if((e&=15)>7)putchar((b>>(e-=8))&255); d++;main(((e|
32)<<24)|(b&4095),&d);}return g<2&&c>2?main(--c,v):1;}

Rodolphe De Saint Leger
2008-03-29 15:25:08 UTC
On Sat, Mar 29, 2008 at 4:24 PM, Rodolphe De Saint Leger
Post by Rodolphe De Saint Leger
Hi,
Just to illustrate my previous mail, I've modified if_gif.c.
I've replaced the ingress test with the one I've done. Also, I've
modified the sysctl declaration and added IPv6 support.
Some more optimisation could be done, as the ingress_check functions for
ip and ip6 are similar.
I did the test on if_stf.c (but I need to clean the NAT part, so I did
not include it). Actually, if_stf and if_gif are the only subsystems
which use ingress checking.
The patch allows if_stf and if_gif to operate the same way (ingress
filtering with the IFF_LINK flag) and adds a global ingress filter in ip
and ipv6.
Sorry, I forgot the patch link...

http://shumira.roroland.net/patch/20080329/ingress.diff

Regards,
Rodolphe

Darren Reed
2008-04-08 09:20:44 UTC
Rodolphe,

Ignoring code style issues...

This seems architecturally confused as you're moving checking that
is currently done by gif into IP but then you're only enabling it when
gif is used. Then there appears to be some occasions when, to use
this feature right, you need to have some special bits in pkthdr that
are in their own field and not there today.

Maybe you should start with adding it to the decapsulation framework
(ip_encap.c) that supports stf/gif interfaces?

Right now, it doesn't look right at all.

Darren
Post by Rodolphe De Saint Leger
On Sat, Mar 29, 2008 at 4:24 PM, Rodolphe De Saint Leger
Post by Rodolphe De Saint Leger
Hi,
Just to illustrate my previous mail, I've modified if_gif.c.
I've replaced the ingress test with the one I've done. Also, I've
modified the sysctl declaration and added IPv6 support.
Some more optimisation could be done, as the ingress_check functions for
ip and ip6 are similar.
I did the test on if_stf.c (but I need to clean the NAT part, so I did
not include it). Actually, if_stf and if_gif are the only subsystems
which use ingress checking.
The patch allows if_stf and if_gif to operate the same way (ingress
filtering with the IFF_LINK flag) and adds a global ingress filter in ip
and ipv6.
Sorry, I forgot the patch link...
http://shumira.roroland.net/patch/20080329/ingress.diff
Regards,
Rodolphe