* xtables-addons: ipp2p does not block TCP traffic with nonlinear skb
From: ValdikSS @ 2023-05-31 6:42 UTC (permalink / raw)
To: netfilter-devel
Hello list,
I'm trying to block the BitTorrent protocol on my local machine with the ipp2p
module from xtables-addons 3.24 on Fedora 37 (kernel 6.2.15) by adding
the following rules:
# iptables -I OUTPUT -m ipp2p --bit --debug -j DROP
# iptables -I INPUT -m ipp2p --bit --debug -j DROP
However, the protocol is not blocked completely: the announce is still
successfully transmitted to the HTTP announcer, apparently due to the
nonlinear skb check in ipp2p.
There's code to block this case:
> /* Search for BitTorrent commands */
> static unsigned int
> search_bittorrent(const unsigned char *payload, const unsigned int plen)
> ...
>         if (memcmp(payload, "GET /", 5) == 0) {
>                 if (HX_memmem(payload, plen, "info_hash=", 10) != NULL)
>                         return IPP2P_BIT * 100 + 1;
However, it's not getting processed due to nonlinear skb:
> static bool
> ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
>         /* make sure that skb is linear */
>         if (skb_is_nonlinear(skb)) {
>                 if (info->debug)
>                         printk("IPP2P.match: nonlinear skb found\n");
>                 return 0;
>         }
All I see in dmesg (rule with --debug) is:
IPP2P.match: nonlinear skb found
This could be checked with a simple curl command, which should be
blocked if ipp2p --bit is active:
$ curl 'http://bt1.archive.org:6969/announce?info_hash=something'
I can see the response when executing this command; however, it should be
blocked.
* Re: xtables-addons: ipp2p does not block TCP traffic with nonlinear skb
From: Jan Engelhardt @ 2023-05-31 9:41 UTC (permalink / raw)
To: ValdikSS; +Cc: netfilter-devel
On Wednesday 2023-05-31 08:42, ValdikSS wrote:
> However, it's not getting processed due to nonlinear skb:
>
>> static bool
>> ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
>>         /* make sure that skb is linear */
>>         if (skb_is_nonlinear(skb)) {
>>                 if (info->debug)
>>                         printk("IPP2P.match: nonlinear skb found\n");
>>                 return 0;
>>         }
It should be possible to just take the code from xt_ECHO and call
        if (skb_linearize(skb) < 0)
                return false;
However, none of the xtables matches in the Linux kernel do this linearization,
at least not that I can see directly. Or xt_string's call to skb_find_text is
magic..
* Re: xtables-addons: ipp2p does not block TCP traffic with nonlinear skb
From: Jeremy Sowden @ 2023-05-31 15:01 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: ValdikSS, netfilter-devel
On 2023-05-31, at 11:41:07 +0200, Jan Engelhardt wrote:
> On Wednesday 2023-05-31 08:42, ValdikSS wrote:
> > However, it's not getting processed due to nonlinear skb:
> >
> >> static bool
> >> ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
> >>         /* make sure that skb is linear */
> >>         if (skb_is_nonlinear(skb)) {
> >>                 if (info->debug)
> >>                         printk("IPP2P.match: nonlinear skb found\n");
> >>                 return 0;
> >>         }
>
> It should be possible to just take the code from xt_ECHO and call
>
>         if (skb_linearize(skb) < 0)
>                 return false;
>
> However, none of the xtables matches in the Linux kernel do this
> linearization, at least not that I can see directly.
They use `skb_header_pointer` instead, I think, which handles the
linearization behind the scenes. I'll send a patch.
> Or xt_string's call to skb_find_text is magic..
J.
* Re: xtables-addons: ipp2p does not block TCP traffic with nonlinear skb
From: Jan Engelhardt @ 2023-05-31 15:15 UTC (permalink / raw)
To: Jeremy Sowden; +Cc: ValdikSS, netfilter-devel
On Wednesday 2023-05-31 17:01, Jeremy Sowden wrote:
>>
>> It should be possible to just take the code from xt_ECHO and call
>>
>>         if (skb_linearize(skb) < 0)
>>                 return false;
>>
>> However, none of the xtables matches in the Linux kernel do this
>> linearization, at least not that I can see directly.
>
>They use `skb_header_pointer` instead, I think, which handles the
>linearization behind the scenes. I'll send a patch.
Yeah, header_pointer extracts bytes if need be, which means you need
to have a sufficiently large buffer to copy to.
Just hope you don't get any IPv6 jumbo packet, eh?
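The fix sketched in this subthread (fetch the payload through skb_header_pointer() with a caller-supplied buffer, and, per Jan's remark, keep that buffer bounded) is easiest to see in a small user-space model. The code below is an added example, not code from ipp2p, xtables-addons or the kernel: struct model_skb, model_header_pointer(), model_make_skb() and the two HTTP payloads are stand-ins written for this page, and MODEL_MAX_INSPECT is an arbitrary cap chosen here, not a value from the project. It applies the same "GET /" plus "info_hash=" test as the quoted search_bittorrent(), once with the linear-only check ValdikSS ran into (a nonlinear skb is simply a non-match) and once through a header_pointer-style gather into a bounded stack buffer, on an announce whose "info_hash=" sits in a paged fragment.

```c
/* Added example, not ipp2p or kernel code: a user-space model of the nonlinear
 * skb problem discussed in this thread; sample payloads below are constructed. */
#include <stdbool.h>
#include <string.h>

#define MODEL_MAX_INSPECT 512          /* arbitrary cap on payload bytes copied/inspected */

struct model_frag { const unsigned char *data; size_t len; };

/* Stand-in for struct sk_buff: total length, linear head, paged fragments. */
struct model_skb {
    const unsigned char *head;
    size_t len, head_len, nr_frags;
    struct model_frag frags[4];
};

/* Copy the overlap of [offset, offset+len) with one segment into buf. */
static void model_gather(unsigned char *buf, size_t offset, size_t len,
                         const unsigned char *seg, size_t seg_start, size_t seg_len)
{
    size_t start = offset > seg_start ? offset : seg_start;
    size_t end = offset + len < seg_start + seg_len ? offset + len : seg_start + seg_len;
    if (start < end)
        memcpy(buf + (start - offset), seg + (start - seg_start), end - start);
}

/* Same contract as the kernel's skb_header_pointer(): a pointer into the head if
 * the bytes are all linear, otherwise a gather-copy into buf (which must hold
 * len bytes). NULL if the packet is shorter than offset+len. */
static const unsigned char *model_header_pointer(const struct model_skb *skb,
                                                 size_t offset, size_t len,
                                                 unsigned char *buf)
{
    size_t pos = skb->head_len;
    if (offset + len > skb->len)
        return NULL;
    if (offset + len <= skb->head_len)
        return skb->head + offset;
    model_gather(buf, offset, len, skb->head, 0, skb->head_len);
    for (size_t i = 0; i < skb->nr_frags; pos += skb->frags[i].len, i++)
        model_gather(buf, offset, len, skb->frags[i].data, pos, skb->frags[i].len);
    return buf;
}

/* The HTTP announce signature from the quoted search_bittorrent(). */
static bool model_is_bt_announce(const unsigned char *p, size_t plen)
{
    if (plen < 5 || memcmp(p, "GET /", 5) != 0)
        return false;
    for (size_t i = 0; i + 10 <= plen; i++)
        if (memcmp(p + i, "info_hash=", 10) == 0)
            return true;
    return false;
}

/* Behaviour reported in the thread: a nonlinear skb never matches. */
static bool model_match_linear_only(const struct model_skb *skb)
{
    if (skb->nr_frags > 0)
        return false;                  /* "IPP2P.match: nonlinear skb found" */
    return model_is_bt_announce(skb->head, skb->head_len);
}

/* Fix in the direction Jeremy suggested, with a bounded stack buffer so a
 * jumbo packet (Jan's caveat) cannot force an unbounded copy. */
static bool model_match_header_pointer(const struct model_skb *skb)
{
    unsigned char buf[MODEL_MAX_INSPECT];
    size_t len = skb->len < sizeof buf ? skb->len : sizeof buf;
    const unsigned char *p = model_header_pointer(skb, 0, len, buf);
    return p != NULL && model_is_bt_announce(p, len);
}

/* First `split` bytes in the linear head, the rest (if any) in one fragment;
 * split >= strlen(payload) yields a fully linear skb. */
static struct model_skb model_make_skb(const char *payload, size_t split)
{
    struct model_skb skb = {0};
    skb.len = strlen(payload);
    skb.head = (const unsigned char *)payload;
    skb.head_len = split < skb.len ? split : skb.len;
    if (split < skb.len) {
        skb.frags[0].data = skb.head + split;
        skb.frags[0].len = skb.len - split;
        skb.nr_frags = 1;
    }
    return skb;
}

/* Run either matcher over a payload split at `split`. */
static bool model_matches(const char *payload, size_t split, bool via_header_pointer)
{
    struct model_skb skb = model_make_skb(payload, split);
    return via_header_pointer ? model_match_header_pointer(&skb)
                              : model_match_linear_only(&skb);
}

/* Constructed sample payloads, not captured traffic. */
static const char model_announce[] =
    "GET /announce?info_hash=%01%23%45%67%89&port=6881 HTTP/1.1\r\n"
    "Host: tracker.example.invalid:6969\r\n\r\n";
static const char model_plain_get[] =
    "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n";
```

With the whole request in the head both matchers agree; split the same request so that only "GET /announce?" is linear and model_matches(model_announce, 14, false) is false while model_matches(model_announce, 14, true) is true, which is exactly the curl announce slipping past the DROP rule. The cap is the design point Jan raises: skb_header_pointer() copies into whatever you hand it, so the match has to decide up front how many payload bytes it is willing to inspect rather than size the buffer from the packet. Pablo's alternative, skb_find_text() over skb_seq_read(), walks the fragments without a copy and is not modelled here.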
* Re: xtables-addons: ipp2p does not block TCP traffic with nonlinear skb
From: Pablo Neira Ayuso @ 2023-06-01 19:01 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: ValdikSS, netfilter-devel
On Wed, May 31, 2023 at 11:41:07AM +0200, Jan Engelhardt wrote:
>
> On Wednesday 2023-05-31 08:42, ValdikSS wrote:
> > However, it's not getting processed due to nonlinear skb:
> >
> >> static bool
> >> ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
> >>         /* make sure that skb is linear */
> >>         if (skb_is_nonlinear(skb)) {
> >>                 if (info->debug)
> >>                         printk("IPP2P.match: nonlinear skb found\n");
> >>                 return 0;
> >>         }
>
> It should be possible to just take the code from xt_ECHO and call
>
>         if (skb_linearize(skb) < 0)
>                 return false;
>
> However, none of the xtables matches in the Linux kernel do this linearization,
> at least not that I can see directly. Or xt_string's call to skb_find_text is
> magic..
skb_find_text() deals with non-linear skbuff, see skb_seq_read().