xtables-addons: ipp2p does not block TCP traffic with nonlinear skb

xtables-addons: ipp2p does not block TCP traffic with nonlinear skb

[ValdikSS]

[-- Attachment #1.1: Type: text/plain, Size: 1448 bytes --]

Hello list,

I'm trying to block BitTorrent protocol on my local machine with ipp2p 
module using xtables-addons 3.24 on Fedora 37 (kernel 6.2.15) by adding 
the following rules:

# iptables -I OUTPUT -m ipp2p --bit --debug -j DROP
# iptables -I INPUT -m ipp2p --bit --debug -j DROP

However the protocol is not blocked completely: the announce is still 
successfully transmitted to the HTTP announcer, apparently due to 
nonlinear skb check in ipp2p.

There's a code to block this case:

> /* Search for BitTorrent commands */
> static unsigned int
> search_bittorrent(const unsigned char *payload, const unsigned int plen)
> ...
> 		if (memcmp(payload, "GET /", 5) == 0) {
> 			if (HX_memmem(payload, plen, "info_hash=", 10) != NULL)
> 				return IPP2P_BIT * 100 + 1;


However, it's not getting processed due to nonlinear skb:

> static bool
> ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
> 	/* make sure that skb is linear */
> 	if (skb_is_nonlinear(skb)) {
> 		if (info->debug)
> 			printk("IPP2P.match: nonlinear skb found\n");
> 		return 0;
> 	}

All I see in dmesg (rule with --debug) is:
IPP2P.match: nonlinear skb found

This could be checked with a simple curl command, which should be 
blocked if ipp2p --bit is active:

$ curl 'http://bt1.archive.org:6969/announce?info_hash=something'

I can see the response when executing this command, however it should be 
blocked.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: xtables-addons: ipp2p does not block TCP traffic with nonlinear skb

[Jan Engelhardt]

On Wednesday 2023-05-31 08:42, ValdikSS wrote:
> However, it's not getting processed due to nonlinear skb:
>
>> static bool
>> ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
>>  /* make sure that skb is linear */
>>  if (skb_is_nonlinear(skb)) {
>>   if (info->debug)
>>   	printk("IPP2P.match: nonlinear skb found\n");
>>  	return 0;
>>  }

It should be possible to just take the code from xt_ECHO and call

if (skb_linearize(skb) < 0)
	return false;

However, none of the xtables matches in the Linux kernel do this linearization,
at least not that I can see directly. Or xt_string's call to skb_find_text is
magic..

Re: xtables-addons: ipp2p does not block TCP traffic with nonlinear skb

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 885 bytes --]

On 2023-05-31, at 11:41:07 +0200, Jan Engelhardt wrote:
> On Wednesday 2023-05-31 08:42, ValdikSS wrote:
> > However, it's not getting processed due to nonlinear skb:
> >
> >> static bool
> >> ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
> >>  /* make sure that skb is linear */
> >>  if (skb_is_nonlinear(skb)) {
> >>   if (info->debug)
> >>   	printk("IPP2P.match: nonlinear skb found\n");
> >>  	return 0;
> >>  }
> 
> It should be possible to just take the code from xt_ECHO and call
> 
> if (skb_linearize(skb) < 0)
> 	return false;
> 
> However, none of the xtables matches in the Linux kernel do this
> linearization, at least not that I can see directly.

They use `skb_header_pointer` instead, I think, which handles the
linearization behind the scenes.  I'll send a patch.

> Or xt_string's call to skb_find_text is magic..

J.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: xtables-addons: ipp2p does not block TCP traffic with nonlinear skb

[Jan Engelhardt]

On Wednesday 2023-05-31 17:01, Jeremy Sowden wrote:
>> 
>> It should be possible to just take the code from xt_ECHO and call
>> 
>> if (skb_linearize(skb) < 0)
>> 	return false;
>> 
>> However, none of the xtables matches in the Linux kernel do this
>> linearization, at least not that I can see directly.
>
>They use `skb_header_pointer` instead, I think, which handles the
>linearization behind the scenes.  I'll send a patch.

Yeah, header_pointer extracts bytes if need be, which means you need
to have a sufficiently large buffer to copy to.
Just hope you don't get any IPv6 jumbo packet, eh?

Re: xtables-addons: ipp2p does not block TCP traffic with nonlinear skb

[Pablo Neira Ayuso]

On Wed, May 31, 2023 at 11:41:07AM +0200, Jan Engelhardt wrote:
> 
> On Wednesday 2023-05-31 08:42, ValdikSS wrote:
> > However, it's not getting processed due to nonlinear skb:
> >
> >> static bool
> >> ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
> >>  /* make sure that skb is linear */
> >>  if (skb_is_nonlinear(skb)) {
> >>   if (info->debug)
> >>   	printk("IPP2P.match: nonlinear skb found\n");
> >>  	return 0;
> >>  }
> 
> It should be possible to just take the code from xt_ECHO and call
> 
> if (skb_linearize(skb) < 0)
> 	return false;
> 
> However, none of the xtables matches in the Linux kernel do this linearization,
> at least not that I can see directly. Or xt_string's call to skb_find_text is
> magic..

skb_find_text() deals with non-linear skbuff, see skb_seq_read().