From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: Netfilter Developer Mailing List
<netfilter-devel@lists.netfilter.org>,
James Morris <jmorris@namei.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] chaostables
Date: Thu, 08 Mar 2007 18:15:12 +0100 [thread overview]
Message-ID: <45F044A0.50001@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.61.0703081652310.2448@yvahk01.tjqt.qr>
Jan Engelhardt wrote:
>>>Index: linux-2.6.21-rc3/net/netfilter/xt_CHAOS.c
>>>+ /* Equivalent to:
>>>+ * -A chaos -m statistic --mode random --probability \
>>>+ * $reject_percentage -j REJECT --reject-with host-unreach;
>>>+ * -A chaos -m statistic --mode random --probability \
>>>+ * $delude_percentage -j DELUDE;
>>>+ * -A chaos -j DROP;
>>>+ */
>>
>>What does this do that can't be done by simply adding those individual
>>rules?
>
>
> It "wraps it all up", reducing the overall number of rules and user
> chains required in the filtering tables to implement the wanted logic.
> Reducing the number of filtering rules also reduces the time process a
> packet. These two are, in my opinion, a good thing.
By that argument we could just codify every ruleset and put it in the
kernel. Its three simple rules. There is no chance I'm going to take
this part.
> Take xt_portscan as an example, which would require a minimum of 23
> filtering rules (which cannot reproduce the module's action in its
> fullest). 23 rules means we will be looping a bit in ipt_do_table() for
> a single packet, repeatedly checking for "-p tcp", i.e. calling into
> xt_tcpudp, checking for port ranges and perhaps other TCP fields that
> are never examined in xt_portscan.
I'm guessing xt_portscan tries to detect and match on portscans, but
its not obvious why it looks at and changes skb->mark and nfct->ctmark,
so I suggest you start by explaining what it really does.
>>>+++ linux-2.6.21-rc3/net/netfilter/xt_DELUDE.c
>>
>>Looks like a copy of the REJECT target. What does it do,
>>why can't you use REJECT?
>
>
> Looking only at TCP,
> REJECT sends a RST for any packet (if requested), or ICMP otherwise.
> DELUDE sends a SYN-ACK on SYN, otherwise RST.
> (And TARPIT, for reference, keeps the connection open anytime. Its code
> is also quite a replication of REJECT.)
>
> If you think it is better to merge the respond-with-SYNACK into REJECT
> rather than having DELUDE, say so.
I'd rather not add hacks to mildly annoy people anywhere.
>>We already have the psd match for years, but decided against merging it.
>
>
> On what basis? As far as I flew over psd's code, it uses a heuristic
> like "how often did that client recently connect" for match decision.
> (P2P clients randomly port knocking, anyone?) I would not think of that
> as a reliable way to tell portscans either. However, half-open TCP
> connect for example is a more clear action to define a portscan.
The question is what we gain by being able to detect portscans.
So far my opinion is thats its close to nothing. Besides that,
it should be possible to do this by using the recent match.
WARNING: multiple messages have this Message-ID (diff)
From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: James Morris <jmorris@namei.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Netfilter Developer Mailing List
<netfilter-devel@lists.netfilter.org>
Subject: Re: [PATCH] chaostables
Date: Thu, 08 Mar 2007 18:15:12 +0100 [thread overview]
Message-ID: <45F044A0.50001@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.61.0703081652310.2448@yvahk01.tjqt.qr>
Jan Engelhardt wrote:
>>>Index: linux-2.6.21-rc3/net/netfilter/xt_CHAOS.c
>>>+ /* Equivalent to:
>>>+ * -A chaos -m statistic --mode random --probability \
>>>+ * $reject_percentage -j REJECT --reject-with host-unreach;
>>>+ * -A chaos -m statistic --mode random --probability \
>>>+ * $delude_percentage -j DELUDE;
>>>+ * -A chaos -j DROP;
>>>+ */
>>
>>What does this do that can't be done by simply adding those individual
>>rules?
>
>
> It "wraps it all up", reducing the overall number of rules and user
> chains required in the filtering tables to implement the wanted logic.
> Reducing the number of filtering rules also reduces the time process a
> packet. These two are, in my opinion, a good thing.
By that argument we could just codify every ruleset and put it in the
kernel. Its three simple rules. There is no chance I'm going to take
this part.
> Take xt_portscan as an example, which would require a minimum of 23
> filtering rules (which cannot reproduce the module's action in its
> fullest). 23 rules means we will be looping a bit in ipt_do_table() for
> a single packet, repeatedly checking for "-p tcp", i.e. calling into
> xt_tcpudp, checking for port ranges and perhaps other TCP fields that
> are never examined in xt_portscan.
I'm guessing xt_portscan tries to detect and match on portscans, but
its not obvious why it looks at and changes skb->mark and nfct->ctmark,
so I suggest you start by explaining what it really does.
>>>+++ linux-2.6.21-rc3/net/netfilter/xt_DELUDE.c
>>
>>Looks like a copy of the REJECT target. What does it do,
>>why can't you use REJECT?
>
>
> Looking only at TCP,
> REJECT sends a RST for any packet (if requested), or ICMP otherwise.
> DELUDE sends a SYN-ACK on SYN, otherwise RST.
> (And TARPIT, for reference, keeps the connection open anytime. Its code
> is also quite a replication of REJECT.)
>
> If you think it is better to merge the respond-with-SYNACK into REJECT
> rather than having DELUDE, say so.
I'd rather not add hacks to mildly annoy people anywhere.
>>We already have the psd match for years, but decided against merging it.
>
>
> On what basis? As far as I flew over psd's code, it uses a heuristic
> like "how often did that client recently connect" for match decision.
> (P2P clients randomly port knocking, anyone?) I would not think of that
> as a reliable way to tell portscans either. However, half-open TCP
> connect for example is a more clear action to define a portscan.
The question is what we gain by being able to detect portscans.
So far my opinion is thats its close to nothing. Besides that,
it should be possible to do this by using the recent match.
next prev parent reply other threads:[~2007-03-08 17:15 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-08 6:35 [PATCH] chaostables Jan Engelhardt
2007-03-08 12:59 ` Patrick McHardy
2007-03-08 13:14 ` Alan Cox
2007-03-08 14:55 ` James Morris
2007-03-08 16:39 ` Jan Engelhardt
2007-03-08 16:39 ` Jan Engelhardt
2007-03-08 17:15 ` Patrick McHardy [this message]
2007-03-08 17:15 ` Patrick McHardy
2007-03-08 20:26 ` Jan Engelhardt
2007-03-09 9:35 ` Amin Azez
2007-03-09 10:19 ` Jan Engelhardt
2007-03-09 11:54 ` Amin Azez
2007-03-09 17:30 ` Jan Engelhardt
2007-03-09 17:30 ` Jan Engelhardt
2007-03-09 7:54 ` Jan Engelhardt
2007-03-08 18:14 ` Alan Cox
2007-03-08 18:14 ` Alan Cox
2007-03-09 8:07 ` jimmy
2007-03-09 16:23 ` Petr Tesařík
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45F044A0.50001@trash.net \
--to=kaber@trash.net \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jengelh@linux01.gwdg.de \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.