* [PATCH] - ipsecrx match - was Re: Writing iptables IPSEC reception support.
From: Matthew Grant @ 2004-04-01 4:36 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel, herbert, ljlane
[-- Attachment #1.1: Type: text/plain, Size: 1602 bytes --]
Didn't post to correct address.
PS: I am also submitting this to the Debian kernel maintainers and the iptables
maintainer, as the patch is extremely simple and works as tested,
and is therefore robust. This problem needs fixing.
Patrick,
Have written new patches. Basically they just mark packets that came
from IPSEC by setting a bit in the nfcache field in the skbuff.
Inspired by the longstanding nfmark feature. Had to write quickly as I
need a solution to this problem for security reasons. Far simpler than
the secpath stuff you wrote.
I have attached the patches. Not ready for patch-o-matic yet, but what
do you think?
Cheers,
Matthew Grant
On Thu, 2004-04-01 at 13:44, Patrick McHardy wrote:
> Harald Welte wrote:
> > On Thu, Apr 01, 2004 at 10:29:40AM +1200, Matthew Grant wrote:
> >
> >>Harold,
> >>
> >>I have written a patch against 2.4.x IPSEC backport, and am presently
> >>getting it applying against the 2.6.x tree.
> >
> >
> > Please coordinate your work with Patrick McHardy. He's been working on
> > this very complex issue for the last couple of weeks, and published his
> > intermediate patches a number of times.
>
> Matthew,
>
> I don't get from this mail if you have written new patches for ipsec
> support or ported the existing ones. In any case, please post them
> to netfilter-devel, I'm sure not only me would like to see them.
>
> Regards
> Patrick
>
> >
> > I can hardly imagine you have missed them on netfilter-devel and netdev
> > mailinglists.
> >
> >
> >>Cheers,
> >>Matthew Grant
> >
> >
>
[-- Attachment #1.2: iptables-1.2.9-ipsecrx-krnlheaders.patch --]
[-- Type: application/octet-stream, Size: 996 bytes --]
diff -uNr iptables-1.2.9-debian/include/linux/netfilter_ipv4/ipt_ipsecrx.h iptables-1.2.9-mine/include/linux/netfilter_ipv4/ipt_ipsecrx.h
--- iptables-1.2.9-debian/include/linux/netfilter_ipv4/ipt_ipsecrx.h 1970-01-01 12:00:00.000000000 +1200
+++ iptables-1.2.9-mine/include/linux/netfilter_ipv4/ipt_ipsecrx.h 2004-03-30 15:29:29.000000000 +1200
@@ -0,0 +1,8 @@
+#ifndef _IPT_IPSECRX_H
+#define _IPT_IPSECRX_H
+
+struct ipt_ipsecrx_info {
+ u_int8_t invert;
+};
+
+#endif /*_IPT_IPSECRX_H*/
diff -uNr iptables-1.2.9-debian/include/linux/netfilter_ipv6/ip6t_ipsecrx.h iptables-1.2.9-mine/include/linux/netfilter_ipv6/ip6t_ipsecrx.h
--- iptables-1.2.9-debian/include/linux/netfilter_ipv6/ip6t_ipsecrx.h 1970-01-01 12:00:00.000000000 +1200
+++ iptables-1.2.9-mine/include/linux/netfilter_ipv6/ip6t_ipsecrx.h 2004-03-31 17:10:25.000000000 +1200
@@ -0,0 +1,8 @@
+#ifndef _IP6T_IPSECRX_H
+#define _IP6T_IPSECRX_H
+
+struct ip6t_ipsecrx_info {
+ u_int8_t invert;
+};
+
+#endif /*_IP6T_IPSECRX_H*/
[-- Attachment #1.3: iptables-1.2.9-ipsecrx.patch --]
[-- Type: application/octet-stream, Size: 6794 bytes --]
diff -uNr iptables-1.2.9-debian/extensions/libip6t_ipsecrx.c iptables-1.2.9-mine/extensions/libip6t_ipsecrx.c
--- iptables-1.2.9-debian/extensions/libip6t_ipsecrx.c 1970-01-01 12:00:00.000000000 +1200
+++ iptables-1.2.9-mine/extensions/libip6t_ipsecrx.c 2004-03-31 17:21:26.000000000 +1200
@@ -0,0 +1,115 @@
+/* Shared library add-on to iptables to add NFMARK matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <ip6tables.h>
+#include <linux/netfilter_ipv6/ip6t_ipsecrx.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"IPSEC reception match v%s options:\n"
+"[!] --ipsecrx Match packet received off IPSEC\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+ { "ipsecrx", 0, 0, '1' },
+ {0}
+};
+
+/* Initialize the match. */
+static void
+init(struct ip6t_entry_match *m, unsigned int *nfcache)
+{
+ /* Can't cache this. */
+ *nfcache |= NFC_UNKNOWN;
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ip6t_entry *entry,
+ unsigned int *nfcache,
+ struct ip6t_entry_match **match)
+{
+ struct ip6t_ipsecrx_info *ipsecrx_info = (struct ip6t_ipsecrx_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ ipsecrx_info->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+/* Final check; must have specified --ipsecrx. */
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "IPSEC reception match: You must specify `--ipsecrx'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ip6t_ip6 *ip,
+ const struct ip6t_entry_match *match,
+ int numeric)
+{
+ struct ip6t_ipsecrx_info *info = (struct ip6t_ipsecrx_info *)match->data;
+
+ printf("ipsecrx match ");
+
+ if (info->invert)
+ printf("!");
+
+ printf("ipsecrx ");
+}
+
+/* Saves the union ip6t_matchinfo in parsable form to stdout. */
+static void
+save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
+{
+ struct ip6t_ipsecrx_info *info = (struct ip6t_ipsecrx_info *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ printf("--ipsecrx ");
+}
+
+static
+struct ip6tables_match ipsecrx
+= { NULL,
+ "ipsecrx",
+ IPTABLES_VERSION,
+ IP6T_ALIGN(sizeof(struct ip6t_ipsecrx_info)),
+ IP6T_ALIGN(sizeof(struct ip6t_ipsecrx_info)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void _init(void)
+{
+ register_match6(&ipsecrx);
+}
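Review bot: The file header at the top of the hunk, `/* Shared library add-on to iptables to add NFMARK matching support. */`, describes the mark extension it was copied from rather than this one; `/* Shared library add-on to iptables to match packets received via IPSEC (ipsecrx). */` would be accurate, and the IPv4 extension libipt_ipsecrx.c in the next hunk carries the same stale comment. Separately, parse() accepts `--ipsecrx` given twice on one rule without complaint, where the rest of the extensions reject a repeated option; a guard at the top of case '1' such as `if (*flags) exit_error(PARAMETER_PROBLEM, "ipsecrx match: only one --ipsecrx option allowed");` keeps it consistent, and the same guard belongs in libipt_ipsecrx.c.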
diff -uNr iptables-1.2.9-debian/extensions/libipt_ipsecrx.c iptables-1.2.9-mine/extensions/libipt_ipsecrx.c
--- iptables-1.2.9-debian/extensions/libipt_ipsecrx.c 1970-01-01 12:00:00.000000000 +1200
+++ iptables-1.2.9-mine/extensions/libipt_ipsecrx.c 2004-03-31 17:17:06.000000000 +1200
@@ -0,0 +1,115 @@
+/* Shared library add-on to iptables to add NFMARK matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_ipsecrx.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"IPSEC reception match v%s options:\n"
+"[!] --ipsecrx Match packet received off IPSEC\n"
+"\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+ { "ipsecrx", 0, 0, '1' },
+ {0}
+};
+
+/* Initialize the match. */
+static void
+init(struct ipt_entry_match *m, unsigned int *nfcache)
+{
+ /* Can't cache this. */
+ *nfcache |= NFC_UNKNOWN;
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry,
+ unsigned int *nfcache,
+ struct ipt_entry_match **match)
+{
+ struct ipt_ipsecrx_info *ipsecrx_info = (struct ipt_ipsecrx_info *)(*match)->data;
+
+ switch (c) {
+ case '1':
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ ipsecrx_info->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+/* Final check; must have specified --ipsecrx. */
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "IPSEC reception match: You must specify `--ipsecrx'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match,
+ int numeric)
+{
+ struct ipt_ipsecrx_info *info = (struct ipt_ipsecrx_info *)match->data;
+
+ printf("ipsecrx match ");
+
+ if (info->invert)
+ printf("!");
+
+ printf("ipsecrx ");
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+{
+ struct ipt_ipsecrx_info *info = (struct ipt_ipsecrx_info *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ printf("--ipsecrx ");
+}
+
+static
+struct iptables_match ipsecrx
+= { NULL,
+ "ipsecrx",
+ IPTABLES_VERSION,
+ IPT_ALIGN(sizeof(struct ipt_ipsecrx_info)),
+ IPT_ALIGN(sizeof(struct ipt_ipsecrx_info)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void _init(void)
+{
+ register_match(&ipsecrx);
+}
diff -uNr iptables-1.2.9-debian/extensions/Makefile iptables-1.2.9-mine/extensions/Makefile
--- iptables-1.2.9-debian/extensions/Makefile 2003-10-16 20:34:36.000000000 +1300
+++ iptables-1.2.9-mine/extensions/Makefile 2004-03-31 17:17:42.000000000 +1200
@@ -5,8 +5,8 @@
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah connlimit connmark conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
-PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner standard tcp udp HL LOG MARK TRACE
+PF_EXT_SLIB:=ah connlimit connmark conntrack dscp ecn esp helper icmp iprange ipsecrx length limit mac mark multiport owner physdev pkttype realm rpc standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
+PF6_EXT_SLIB:=eui64 hl icmpv6 ipsecrx length limit mac mark multiport owner standard tcp udp HL LOG MARK TRACE
# Optionals
PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
[-- Attachment #1.4: linux-2.4.25-ipsecrx.patch --]
[-- Type: application/octet-stream, Size: 7741 bytes --]
--- kernel-source-2.4.25/net/ipv4/xfrm4_input.c 2003-09-04 23:26:36.000000000 +1200
+++ kernel-source-2.4.25-patched/net/ipv4/xfrm4_input.c 2004-03-30 14:25:16.000000000 +1200
@@ -14,6 +14,10 @@
#include <net/ip.h>
#include <net/xfrm.h>
+#ifdef CONFIG_NETFILTER
+#include <linux/netfilter.h>
+#endif
+
int xfrm4_rcv(struct sk_buff *skb)
{
return xfrm4_rcv_encap(skb, 0);
@@ -138,6 +142,10 @@
dst_release(skb->dst);
skb->dst = NULL;
}
+#ifdef CONFIG_NETFILTER
+ /* Tag packet as being from IPSEC for netfilter targets */
+ skb->nfcache |= NFC_IPSECRX;
+#endif
netif_rx(skb);
return 0;
} else {
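Review bot: The tag is set only on the branch that hands the decapsulated packet to netif_rx(); the `else` branch that follows (its body lies outside the hunk) returns without setting NFC_IPSECRX, so if that is the non-decapsulating transport-mode path, packets protected by transport-mode ESP/AH are never marked and a `! --ipsecrx` rule would treat them as cleartext. The same shape appears in the xfrm6_input.c hunk of this attachment and in both xfrm input hunks of the 2.6.4 attachment. If that reading is right, placing `skb->nfcache |= NFC_IPSECRX;` ahead of the branch, once the last xfrm input transform has succeeded, would cover both paths; this needs confirming against the full body of the enclosing function, which starts before the hunk.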
--- kernel-source-2.4.25/net/ipv6/xfrm6_input.c 2003-09-04 23:26:36.000000000 +1200
+++ kernel-source-2.4.25-patched/net/ipv6/xfrm6_input.c 2004-03-30 15:00:05.000000000 +1200
@@ -15,6 +15,10 @@
#include <net/ipv6.h>
#include <net/xfrm.h>
+#ifdef CONFIG_NETFILTER
+#include <linux/netfilter.h>
+#endif
+
static inline void ipip6_ecn_decapsulate(struct sk_buff *skb)
{
struct ipv6hdr *outer_iph = skb->nh.ipv6h;
@@ -122,6 +126,10 @@
dst_release(skb->dst);
skb->dst = NULL;
}
+#ifdef CONFIG_NETFILTER
+ /* Tag packet as being from IPSEC for netfilter targets */
+ skb->nfcache |= NFC_IPSECRX;
+#endif
netif_rx(skb);
return -1;
} else {
--- kernel-source-2.4.25/include/linux/netfilter.h 2004-03-30 14:03:07.000000000 +1200
+++ kernel-source-2.4.25-patched/include/linux/netfilter.h 2004-03-31 15:19:01.000000000 +1200
@@ -23,7 +23,8 @@
<= 0x2000 is used for protocol-flags. */
#define NFC_UNKNOWN 0x4000
#define NFC_ALTERED 0x8000
-#define NFC_TRACE 0x10000
+/* #define NFC_TRACE 0x20000 */
+#define NFC_IPSECRX 0x40000 /* xfrm sets this */
#ifdef __KERNEL__
#include <linux/config.h>
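Review bot: The hunk removes the existing `#define NFC_TRACE 0x10000` and leaves only a commented-out copy with a different value, so any code that still references NFC_TRACE (TRACE is in this tree's extension list in the iptables Makefile hunk) no longer compiles, and nothing on the replacement line says why. Adding NFC_IPSECRX does not require touching NFC_TRACE: keep `#define NFC_TRACE 0x10000` and add `#define NFC_IPSECRX 0x40000 /* set by xfrm on a decapsulated receive; never cleared here */` after it. If the renumbering is deliberate, the cover letter should say so.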
--- kernel-source-2.4.25/include/linux/netfilter_ipv4/ipt_ipsecrx.h 1970-01-01 12:00:00.000000000 +1200
+++ kernel-source-2.4.25-patched/include/linux/netfilter_ipv4/ipt_ipsecrx.h 2004-03-29 16:14:03.000000000 +1200
@@ -0,0 +1,8 @@
+#ifndef _IPT_IPSECRX_H
+#define _IPT_IPSECRX_H
+
+struct ipt_ipsecrx_info {
+ u_int8_t invert;
+};
+
+#endif /*_IPT_IPSECRX_H*/
--- kernel-source-2.4.25/net/ipv4/netfilter/ipt_ipsecrx.c 1970-01-01 12:00:00.000000000 +1200
+++ kernel-source-2.4.25-patched/net/ipv4/netfilter/ipt_ipsecrx.c 2004-03-30 14:54:42.000000000 +1200
@@ -0,0 +1,51 @@
+/* Kernel module to match packets recieved off IPSEC. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter_ipv4/ipt_ipsecrx.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ const void *hdr,
+ u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ipt_ipsecrx_info *info = matchinfo;
+
+ return ((skb->nfcache & NFC_IPSECRX) == NFC_IPSECRX) ^ info->invert;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_ipsecrx_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match ipsecrx_match
+= { { NULL, NULL }, "ipsecrx", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+ return ipt_register_match(&ipsecrx_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&ipsecrx_match);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");
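Review bot: checkentry() only verifies matchsize, so `info->invert` is accepted with any value even though match() XORs it with a 0/1 result; an invert of 2 would make every packet match regardless of the bit. Rejecting it in checkentry with `const struct ipt_ipsecrx_info *info = matchinfo;` followed by `if (info->invert > 1) return 0;` keeps the rule semantics fixed whatever userspace hands in. The IPv6 module later in this attachment and both modules in the 2.6.4 attachment have the same gap. The header comment also misspells "received" as `recieved` in all four files.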
--- kernel-source-2.4.25/net/ipv4/netfilter/Config.in 2004-03-30 14:03:07.000000000 +1200
+++ kernel-source-2.4.25-patched/net/ipv4/netfilter/Config.in 2004-03-29 15:54:11.000000000 +1200
@@ -31,6 +31,7 @@
dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES
dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES
dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' IPSEC reception match support' CONFIG_IP_NF_MATCH_IPSECRX $CONFIG_IP_NF_IPTABLES
dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES
dep_tristate ' Multiple port with ranges match support' CONFIG_IP_NF_MATCH_MPORT $CONFIG_IP_NF_IPTABLES
dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES
--- kernel-source-2.4.25/net/ipv4/netfilter/Makefile 2004-03-30 14:03:07.000000000 +1200
+++ kernel-source-2.4.25-patched/net/ipv4/netfilter/Makefile 2004-03-29 15:54:33.000000000 +1200
@@ -84,6 +84,8 @@
obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
+obj-$(CONFIG_IP_NF_MATCH_IPSECRX) += ipt_ipsecrx.o
+
obj-$(CONFIG_IP_NF_MATCH_RANDOM) += ipt_random.o
obj-$(CONFIG_IP_NF_MATCH_PSD) += ipt_psd.o
--- kernel-source-2.4.25/include/linux/netfilter_ipv6/ip6t_ipsecrx.h 1970-01-01 12:00:00.000000000 +1200
+++ kernel-source-2.4.25-patched/include/linux/netfilter_ipv6/ip6t_ipsecrx.h 2004-03-31 16:15:50.000000000 +1200
@@ -0,0 +1,8 @@
+#ifndef _IP6T_IPSECRX_H
+#define _IP6T_IPSECRX_H
+
+struct ip6t_ipsecrx_info {
+ u_int8_t invert;
+};
+
+#endif /*_IP6T_IPSECRX_H*/
--- kernel-source-2.4.25/net/ipv6/netfilter/ip6t_ipsecrx.c 1970-01-01 12:00:00.000000000 +1200
+++ kernel-source-2.4.25-patched/net/ipv6/netfilter/ip6t_ipsecrx.c 2004-03-31 16:51:32.000000000 +1200
@@ -0,0 +1,51 @@
+/* Kernel module to match packets recieved off IPSEC. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter_ipv6/ip6t_ipsecrx.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ const void *hdr,
+ u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ip6t_ipsecrx_info *info = matchinfo;
+
+ return ((skb->nfcache & NFC_IPSECRX) == NFC_IPSECRX) ^ info->invert;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ip6t_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ if (matchsize != IPT_ALIGN(sizeof(struct ip6t_ipsecrx_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ip6t_match ipsecrx_match
+= { { NULL, NULL }, "ipsecrx", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+ return ip6t_register_match(&ipsecrx_match);
+}
+
+static void __exit fini(void)
+{
+ ip6t_unregister_match(&ipsecrx_match);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");
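Review bot: checkentry() in this IPv6 module compares matchsize against `IPT_ALIGN(sizeof(struct ip6t_ipsecrx_info))`, while the userspace extension in libip6t_ipsecrx.c sizes the match with `IP6T_ALIGN(...)`; if the two macros differ, or IPT_ALIGN is not visible through ip6_tables.h, every rule is rejected or the module fails to build. It should read `if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_ipsecrx_info)))`. The 2.6.4 ip6t_ipsecrx.c has the same line.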
--- kernel-source-2.4.25/net/ipv6/netfilter/Config.in 2004-03-30 14:03:07.000000000 +1200
+++ kernel-source-2.4.25-patched/net/ipv6/netfilter/Config.in 2004-03-31 16:43:28.000000000 +1200
@@ -39,6 +39,7 @@
fi
# dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
dep_tristate ' netfilter MARK match support' CONFIG_IP6_NF_MATCH_MARK $CONFIG_IP6_NF_IPTABLES
+ dep_tristate ' IPSEC reception match support' CONFIG_IP6_NF_MATCH_IPSECRX $CONFIG_IP6_NF_IPTABLES
if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
dep_tristate ' IPv6 Extension Headers Match (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_IPV6HEADER $CONFIG_IP6_NF_IPTABLES
fi
--- kernel-source-2.4.25/net/ipv6/netfilter/Makefile 2004-03-30 14:03:08.000000000 +1200
+++ kernel-source-2.4.25-patched/net/ipv6/netfilter/Makefile 2004-03-31 16:14:33.000000000 +1200
@@ -33,6 +33,8 @@
obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
+obj-$(CONFIG_IP6_NF_MATCH_IPSECRX) += ip6t_ipsecrx.o
+
obj-$(CONFIG_IP6_NF_MATCH_RANDOM) += ip6t_random.o
obj-$(CONFIG_IP6_NF_MATCH_NTH) += ip6t_nth.o
[-- Attachment #1.5: linux-2.6.4-ipsecrx.patch --]
[-- Type: application/octet-stream, Size: 9321 bytes --]
diff -uNr kernel-source-2.6.4/include/linux/netfilter.h kernel-source-2.6.4-patched/include/linux/netfilter.h
--- kernel-source-2.6.4/include/linux/netfilter.h 2003-07-03 08:48:08.000000000 +1200
+++ kernel-source-2.6.4-patched/include/linux/netfilter.h 2004-04-01 11:25:30.000000000 +1200
@@ -24,6 +24,9 @@
#define NFC_UNKNOWN 0x4000
#define NFC_ALTERED 0x8000
+/* Tracking of packets off xfrm IPSEC stuff */
+#define NFC_IPSECRX 0x40000 /* xfrm sets this */
+
#ifdef __KERNEL__
#include <linux/config.h>
#ifdef CONFIG_NETFILTER
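Review bot: The comment on the new define, `/* xfrm sets this */`, records who sets the bit but not its lifetime, and the match module's correctness rests on that: nothing in this series ever clears NFC_IPSECRX, so the bit is only meaningful if every sk_buff starts with nfcache zeroed and a re-injected or cloned skb cannot carry the flag into a path it did not traverse. Worth stating as `/* set by xfrm on a decapsulated receive; relies on nfcache being zero on a fresh skb and is never cleared */`, and worth confirming against the skb allocation and re-injection paths, which are not in this patch. The 2.4.25 netfilter.h hunk should carry the same comment.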
diff -uNr kernel-source-2.6.4/include/linux/netfilter_ipv4/ipt_ipsecrx.h kernel-source-2.6.4-patched/include/linux/netfilter_ipv4/ipt_ipsecrx.h
--- kernel-source-2.6.4/include/linux/netfilter_ipv4/ipt_ipsecrx.h 1970-01-01 12:00:00.000000000 +1200
+++ kernel-source-2.6.4-patched/include/linux/netfilter_ipv4/ipt_ipsecrx.h 2004-04-01 11:22:40.000000000 +1200
@@ -0,0 +1,8 @@
+#ifndef _IPT_IPSECRX_H
+#define _IPT_IPSECRX_H
+
+struct ipt_ipsecrx_info {
+ u_int8_t invert;
+};
+
+#endif /*_IPT_IPSECRX_H*/
diff -uNr kernel-source-2.6.4/include/linux/netfilter_ipv6/ip6t_ipsecrx.h kernel-source-2.6.4-patched/include/linux/netfilter_ipv6/ip6t_ipsecrx.h
--- kernel-source-2.6.4/include/linux/netfilter_ipv6/ip6t_ipsecrx.h 1970-01-01 12:00:00.000000000 +1200
+++ kernel-source-2.6.4-patched/include/linux/netfilter_ipv6/ip6t_ipsecrx.h 2004-04-01 11:22:47.000000000 +1200
@@ -0,0 +1,8 @@
+#ifndef _IP6T_IPSECRX_H
+#define _IP6T_IPSECRX_H
+
+struct ip6t_ipsecrx_info {
+ u_int8_t invert;
+};
+
+#endif /*_IP6T_IPSECRX_H*/
diff -uNr kernel-source-2.6.4/net/ipv4/netfilter/ipt_ipsecrx.c kernel-source-2.6.4-patched/net/ipv4/netfilter/ipt_ipsecrx.c
--- kernel-source-2.6.4/net/ipv4/netfilter/ipt_ipsecrx.c 1970-01-01 12:00:00.000000000 +1200
+++ kernel-source-2.6.4-patched/net/ipv4/netfilter/ipt_ipsecrx.c 2004-04-01 11:22:40.000000000 +1200
@@ -0,0 +1,51 @@
+/* Kernel module to match packets recieved off IPSEC. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter_ipv4/ipt_ipsecrx.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ const void *hdr,
+ u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ipt_ipsecrx_info *info = matchinfo;
+
+ return ((skb->nfcache & NFC_IPSECRX) == NFC_IPSECRX) ^ info->invert;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_ipsecrx_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match ipsecrx_match
+= { { NULL, NULL }, "ipsecrx", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+ return ipt_register_match(&ipsecrx_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&ipsecrx_match);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");
diff -uNr kernel-source-2.6.4/net/ipv4/netfilter/Kconfig kernel-source-2.6.4-patched/net/ipv4/netfilter/Kconfig
--- kernel-source-2.6.4/net/ipv4/netfilter/Kconfig 2004-02-05 21:19:58.000000000 +1300
+++ kernel-source-2.6.4-patched/net/ipv4/netfilter/Kconfig 2004-04-01 11:36:17.000000000 +1200
@@ -127,6 +127,17 @@
To compile it as a module, choose M here. If unsure, say N.
+config IP_NF_MATCH_IPSECRX
+ tristate "IPSEC reception match support"
+ depends on IP_NF_IPTABLES
+ help
+ IPSEC reception matching is used to identify packets coming
+ off the IPSEC stack, or not coming off the stack. It uses
+ a bit set in the buffer headers by the IPSEC xfrm code.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+
config IP_NF_MATCH_MARK
tristate "netfilter MARK match support"
depends on IP_NF_IPTABLES
diff -uNr kernel-source-2.6.4/net/ipv4/netfilter/Makefile kernel-source-2.6.4-patched/net/ipv4/netfilter/Makefile
--- kernel-source-2.6.4/net/ipv4/netfilter/Makefile 2003-09-27 12:02:03.000000000 +1200
+++ kernel-source-2.6.4-patched/net/ipv4/netfilter/Makefile 2004-04-01 11:44:25.000000000 +1200
@@ -42,6 +42,7 @@
# matches
obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
+obj-$(CONFIG_IP_NF_MATCH_IPSECRX) += ipt_ipsecrx.o
obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
diff -uNr kernel-source-2.6.4/net/ipv4/xfrm4_input.c kernel-source-2.6.4-patched/net/ipv4/xfrm4_input.c
--- kernel-source-2.6.4/net/ipv4/xfrm4_input.c 2003-09-13 12:11:55.000000000 +1200
+++ kernel-source-2.6.4-patched/net/ipv4/xfrm4_input.c 2004-04-01 11:22:40.000000000 +1200
@@ -14,6 +14,10 @@
#include <net/ip.h>
#include <net/xfrm.h>
+#ifdef CONFIG_NETFILTER
+#include <linux/netfilter.h>
+#endif
+
int xfrm4_rcv(struct sk_buff *skb)
{
return xfrm4_rcv_encap(skb, 0);
@@ -138,6 +142,10 @@
dst_release(skb->dst);
skb->dst = NULL;
}
+#ifdef CONFIG_NETFILTER
+ /* Tag packet as being from IPSEC for netfilter targets */
+ skb->nfcache |= NFC_IPSECRX;
+#endif
netif_rx(skb);
return 0;
} else {
diff -uNr kernel-source-2.6.4/net/ipv6/netfilter/ip6t_ipsecrx.c kernel-source-2.6.4-patched/net/ipv6/netfilter/ip6t_ipsecrx.c
--- kernel-source-2.6.4/net/ipv6/netfilter/ip6t_ipsecrx.c 1970-01-01 12:00:00.000000000 +1200
+++ kernel-source-2.6.4-patched/net/ipv6/netfilter/ip6t_ipsecrx.c 2004-04-01 11:22:47.000000000 +1200
@@ -0,0 +1,51 @@
+/* Kernel module to match packets recieved off IPSEC. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter_ipv6/ip6t_ipsecrx.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset,
+ const void *hdr,
+ u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ip6t_ipsecrx_info *info = matchinfo;
+
+ return ((skb->nfcache & NFC_IPSECRX) == NFC_IPSECRX) ^ info->invert;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ip6t_ip *ip,
+ void *matchinfo,
+ unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ if (matchsize != IPT_ALIGN(sizeof(struct ip6t_ipsecrx_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ip6t_match ipsecrx_match
+= { { NULL, NULL }, "ipsecrx", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+ return ip6t_register_match(&ipsecrx_match);
+}
+
+static void __exit fini(void)
+{
+ ip6t_unregister_match(&ipsecrx_match);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");
diff -uNr kernel-source-2.6.4/net/ipv6/netfilter/Kconfig kernel-source-2.6.4-patched/net/ipv6/netfilter/Kconfig
--- kernel-source-2.6.4/net/ipv6/netfilter/Kconfig 2004-02-19 21:56:07.000000000 +1300
+++ kernel-source-2.6.4-patched/net/ipv6/netfilter/Kconfig 2004-04-01 11:37:32.000000000 +1200
@@ -111,6 +111,16 @@
To compile it as a module, choose M here. If unsure, say N.
+config IP6_NF_MATCH_IPSECRX
+ tristate "IPSEC reception match support"
+ depends on IP6_NF_IPTABLES
+ help
+ IPSEC reception matching is used to identify packets coming
+ off the IPSEC stack, or not coming off the stack. It uses
+ a bit set in the buffer headers by the IPSEC xfrm code.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
# dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
config IP6_NF_MATCH_MARK
tristate "netfilter MARK match support"
diff -uNr kernel-source-2.6.4/net/ipv6/netfilter/Makefile kernel-source-2.6.4-patched/net/ipv6/netfilter/Makefile
--- kernel-source-2.6.4/net/ipv6/netfilter/Makefile 2003-05-05 11:53:32.000000000 +1200
+++ kernel-source-2.6.4-patched/net/ipv6/netfilter/Makefile 2004-04-01 11:44:40.000000000 +1200
@@ -5,6 +5,7 @@
# Link order matters here.
obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o
obj-$(CONFIG_IP6_NF_MATCH_LIMIT) += ip6t_limit.o
+obj-$(CONFIG_IP6_NF_MATCH_IPSECRX) += ip6t_ipsecrx.o
obj-$(CONFIG_IP6_NF_MATCH_MARK) += ip6t_mark.o
obj-$(CONFIG_IP6_NF_MATCH_LENGTH) += ip6t_length.o
obj-$(CONFIG_IP6_NF_MATCH_MAC) += ip6t_mac.o
diff -uNr kernel-source-2.6.4/net/ipv6/xfrm6_input.c kernel-source-2.6.4-patched/net/ipv6/xfrm6_input.c
--- kernel-source-2.6.4/net/ipv6/xfrm6_input.c 2003-09-13 12:11:55.000000000 +1200
+++ kernel-source-2.6.4-patched/net/ipv6/xfrm6_input.c 2004-04-01 11:22:40.000000000 +1200
@@ -15,6 +15,10 @@
#include <net/ipv6.h>
#include <net/xfrm.h>
+#ifdef CONFIG_NETFILTER
+#include <linux/netfilter.h>
+#endif
+
static inline void ipip6_ecn_decapsulate(struct sk_buff *skb)
{
struct ipv6hdr *outer_iph = skb->nh.ipv6h;
@@ -121,6 +125,10 @@
dst_release(skb->dst);
skb->dst = NULL;
}
+#ifdef CONFIG_NETFILTER
+ /* Tag packet as being from IPSEC for netfilter targets */
+ skb->nfcache |= NFC_IPSECRX;
+#endif
netif_rx(skb);
return -1;
} else {
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]