* new REBOOT target
@ 2005-02-26 14:30 Wang Jian
2005-02-28 9:06 ` Max Kellermann
0 siblings, 1 reply; 9+ messages in thread
From: Wang Jian @ 2005-02-26 14:30 UTC (permalink / raw)
To: netfilter-devel
Hi,
For my own purposes, I wrote a REBOOT target to remotely reboot a Linux
box using a specially crafted ICMP packet.
One of my servers has a symptom where httpd locks the machine:
1. the console is locked, not usable;
2. the network seems to be good, ICMP echo/reply is ok; TCP connections can
be established on open ports, but userspace server programs seem to
be out of luck;
3. if it is kept like that for quite a long time, the network dies but the console
works again;
The server is hosted in a remote small data center, and it is not
possible to get there every time it is locked.
That is the scenario this REBOOT target fits. I am interested in other
usages if someone else can find any. I post it here in case it is also useful
for others.
Usage:
# iptables -I INPUT -p icmp -j REBOOT --passphrase pass [--offset offset]
[--hard (0|1)]
A perl script is used to send special ICMP packet.
All files are in attached tarball.
Some notes on the source code:
1. There are hardcoded paths in the Makefile, so some modification is needed
to compile;
2. The code is for iptables 1.2.9;
3. --passphrase is mandatory. There is string matching functionality in
ipt_string; however, ipt_string is not a standard module, and is missing in
many distributions' kernels. So I wrote my own matching code. If
ipt_string becomes standard, then this parameter can be eliminated along
with --offset.
4. The reboot code is ugly. I want it to support a safer reboot, such as
sync() then sys_reboot(), but sys_reboot() needs a userspace pointer and
cannot be called directly from the kernel.
5. There is a reserved 'count' which can be used to do
trigger-n-times-then-do-it control.
Any feedback and suggestions are welcome :)
--
lark
[-- Attachment #2: nfreboot-0.1.tar.gz --]
[-- Type: application/octet-stream, Size: 3809 bytes --]
* Re: new REBOOT target
2005-02-26 14:30 new REBOOT target Wang Jian
@ 2005-02-28 9:06 ` Max Kellermann
2005-02-28 9:41 ` Re[2]: " Wang Jian
2005-03-01 2:39 ` Tobias DiPasquale
0 siblings, 2 replies; 9+ messages in thread
From: Max Kellermann @ 2005-02-28 9:06 UTC (permalink / raw)
To: Wang Jian; +Cc: netfilter-devel
On 2005/02/26 15:30, Wang Jian <lark@linux.net.cn> wrote:
> # iptables -I INPUT -p icmp -j REBOOT --passphrase pass [--offset offset]
> [--hard (0|1)]
Ugly hack for an ugly problem ;) - still, it's an interesting idea for
people plagued with such a problem.
You have implemented the "--passphrase" parameter in your REBOOT
target, but that "--passphrase" is in fact a match, not a target
parameter. Targets should not perform a test on the packet, it's not
their task (it should not assume the packet is ICMP either, that drops
a lot of flexibility). You should implement this part as a match
module.
Maybe someone has already written such a module... look at
patch-o-matic.
On the contrary, "--hard" is not a match, it controls what REBOOT should
do in detail, so this one is ok.
Max
* Re[2]: new REBOOT target
2005-02-28 9:06 ` Max Kellermann
@ 2005-02-28 9:41 ` Wang Jian
2005-03-01 0:20 ` Max Kellermann
2005-03-01 2:39 ` Tobias DiPasquale
1 sibling, 1 reply; 9+ messages in thread
From: Wang Jian @ 2005-02-28 9:41 UTC (permalink / raw)
To: netfilter-devel
Hi Max Kellermann,
See my original post for the note on --offset and --passphrase :)
I know they should be matches, and actually, the functionality is in
the string match, partially. Because the kernel I use has no string match
built in, and I didn't want to compile them, I chose to do the matching
in the target itself ;)
It is really an ugly hack in some sense. I originally planned to write a
small LKM rootkit to do that, but then I chose netfilter to hook in.
LKM rootkit is more management related ;)
Besides my laziness, the --passphrase is an error-proof mechanism per se.
Let's assume someone wants to use -j REBOOT, but he doesn't specify a
good enough match, just '-p icmp', then boom ;) In this sense, the
--passphrase is not a match, but part of the target.
On Mon, 28 Feb 2005 10:06:35 +0100, Max Kellermann <max@duempel.org> wrote:
> On 2005/02/26 15:30, Wang Jian <lark@linux.net.cn> wrote:
> > # iptables -I INPUT -p icmp -j REBOOT --passphrase pass [--offset offset]
> > [--hard (0|1)]
>
> Ugly hack for an ugly problem ;) - still, it's an interesting idea for
> people plagued with such a problem.
>
> You have implemented the "--passphrase" parameter in your REBOOT
> target, but that "--passphrase" is in fact a match, not a target
> parameter. Targets should not perform a test on the packet, it's not
> their task (it should not assume the packet is ICMP either, that drops
> a lot of flexibility). You should implement this part as a match
> module.
>
> Maybe someone has already written such a module.. look at
> patch-o-matic.
>
> On the contrary, "--hard" is not a match, it controls what REBOOT should
> do in detail, so this one is ok.
>
> Max
--
lark
* Re: new REBOOT target
2005-02-28 9:41 ` Re[2]: " Wang Jian
@ 2005-03-01 0:20 ` Max Kellermann
2005-03-01 5:14 ` Re[2]: " Wang Jian
0 siblings, 1 reply; 9+ messages in thread
From: Max Kellermann @ 2005-03-01 0:20 UTC (permalink / raw)
To: Wang Jian; +Cc: netfilter-devel
On 2005/02/28 10:41, Wang Jian <lark@linux.net.cn> wrote:
> Besides my laziness, the --passphrase is an error-proof mechanism per
> se. Let's assume someone wants to use -j REBOOT, but he doesn't
> specify a good enough match, just '-p icmp', then boom ;) In this
> sense, the --passphrase is not a match, but part of the target.
(my first reply to you didn't get to the list, maybe a mailman
failure?)
Now what about an error proof admin? ;)
Sorry, I don't think this is a good argument, don't try to find an
excuse for writing a dangerous rule (and for writing such a netfilter
"design violation"). If an admin is brave enough to compile REBOOT
into the kernel and write "-j REBOOT" somewhere, it's his own fault he
didn't implement the correct match. Someone with root access should
know better.
REBOOT should ... reboot! Not match the protocol or a certain pass
phrase.
Max
* Re: new REBOOT target
2005-02-28 9:06 ` Max Kellermann
2005-02-28 9:41 ` Re[2]: " Wang Jian
@ 2005-03-01 2:39 ` Tobias DiPasquale
2005-03-01 5:10 ` Re[2]: " Wang Jian
1 sibling, 1 reply; 9+ messages in thread
From: Tobias DiPasquale @ 2005-03-01 2:39 UTC (permalink / raw)
To: Max Kellermann; +Cc: netfilter-devel
On Mon, 28 Feb 2005 10:06:35 +0100, Max Kellermann <max@duempel.org> wrote:
> On 2005/02/26 15:30, Wang Jian <lark@linux.net.cn> wrote:
> > # iptables -I INPUT -p icmp -j REBOOT --passphrase pass [--offset offset]
> > [--hard (0|1)]
>
> Ugly hack for an ugly problem ;) - still, it's an interesting idea for
> people plagued with such a problem.
I agree.
> You have implemented the "--passphrase" parameter in your REBOOT
> target, but that "--passphrase" is in fact a match, not a target
> parameter. Targets should not perform a test on the packet, it's not
> their task (it should not assume the packet is ICMP either, that drops
> a lot of flexibility). You should implement this part as a match
> module.
>
> Maybe someone has already written such a module.. look at
> patch-o-matic.
They have; it's called ipt_string. Use that in conjunction with the
attached code to implement the functionality you require.
> On the contrary, "--hard" is not a match, it controls what REBOOT should
> do in detail, so this one is ok.
Agreed; --hard stuck around for this.
--
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d
[-- Attachment #2: REBOOT.tgz --]
[-- Type: application/x-gzip, Size: 3233 bytes --]
* Re[2]: new REBOOT target
2005-03-01 2:39 ` Tobias DiPasquale
@ 2005-03-01 5:10 ` Wang Jian
0 siblings, 0 replies; 9+ messages in thread
From: Wang Jian @ 2005-03-01 5:10 UTC (permalink / raw)
To: Tobias DiPasquale; +Cc: Max Kellermann, netfilter-devel
Hi Tobias DiPasquale,
Thanks for your improvement :)
A note for sendreboot.pl's -I parameter: it is used on multihomed hosts, so
there is no need to remove it.
Note for ipt_REBOOT.c: KERN_ERROR should be KERN_ERR. But I think check()
should emit KERN_WARNING as other targets do, not KERN_ERR.
With ipt_string, there is no --offset parameter, which can be hazardous
for -j REBOOT in case the passphrase is short. Adding --offset may also give
a little performance boost to the string match.
Will ipt_string go into 2.6 mainline?
PS: Is there any possibility that the REBOOT target goes into POM or
mainline? Anyway this toy is trivial :D
On Mon, 28 Feb 2005 21:39:40 -0500, Tobias DiPasquale <codeslinger@gmail.com> wrote:
> On Mon, 28 Feb 2005 10:06:35 +0100, Max Kellermann <max@duempel.org> wrote:
> > On 2005/02/26 15:30, Wang Jian <lark@linux.net.cn> wrote:
> > > # iptables -I INPUT -p icmp -j REBOOT --passphrase pass [--offset offset]
> > > [--hard (0|1)]
> >
> > Ugly hack for an ugly problem ;) - still, it's an interesting idea for
> > people plagued with such a problem.
>
> I agree.
>
> > You have implemented the "--passphrase" parameter in your REBOOT
> > target, but that "--passphrase" is in fact a match, not a target
> > parameter. Targets should not perform a test on the packet, it's not
> > their task (it should not assume the packet is ICMP either, that drops
> > a lot of flexibility). You should implement this part as a match
> > module.
> >
> > Maybe someone has already written such a module.. look at
> > patch-o-matic.
>
> They have; it's called ipt_string. Use that in conjunction with the
> attached code to implement the functionality you require.
>
> > On the contrary, "--hard" is not a match, it controls what REBOOT should
> > do in detail, so this one is ok.
>
> Agreed; --hard stuck around for this.
>
> --
> [ Tobias DiPasquale ]
> 0x636f6465736c696e67657240676d61696c2e636f6d
--
lark
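The hazard Wang Jian raises above (a short passphrase searched for anywhere in the payload, as a string match without --offset does, can fire on unrelated traffic) and Max's point that the packet test belongs in a match while the action belongs in a target, modelled as a userspace C program. This is an added example, not the thread's ipt_REBOOT.c or sendreboot.pl and not netfilter's ipt_string; it parses a constructed IPv4/ICMP echo request and returns a match verdict only, with no reboot path at all. The function names, the 192.0.2.x addresses and the sample payloads are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_PROTO_ICMP     1
#define ICMP_ECHO_REQUEST 8

/* Locate the ICMP echo payload (bytes after the 8-byte ICMP header) in a raw
 * IPv4 packet. Returns the payload length, or -1 if the buffer is truncated,
 * not IPv4, not ICMP, or not an echo request. */
static int icmp_echo_payload(const uint8_t *pkt, size_t len, const uint8_t **payload)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != IP_PROTO_ICMP)
        return -1;
    if (pkt[ihl] != ICMP_ECHO_REQUEST)
        return -1;
    *payload = pkt + ihl + 8;
    return (int)(len - ihl - 8);
}

/* Unanchored match: passphrase anywhere in the payload. This is what a plain
 * string match without an offset does, and the form that can fire on
 * unrelated traffic when the passphrase is short. */
int match_anywhere(const uint8_t *pkt, size_t len, const char *pass)
{
    const uint8_t *p;
    int n = icmp_echo_payload(pkt, len, &p);
    size_t plen = strlen(pass);
    if (n < 0 || plen == 0)
        return 0;
    for (size_t i = 0; i + plen <= (size_t)n; i++)
        if (memcmp(p + i, pass, plen) == 0)
            return 1;
    return 0;
}

/* Anchored match: passphrase must sit exactly `offset` bytes into the
 * payload (the --offset form). The same bytes elsewhere do not count. */
int match_at_offset(const uint8_t *pkt, size_t len, const char *pass, size_t offset)
{
    const uint8_t *p;
    int n = icmp_echo_payload(pkt, len, &p);
    size_t plen = strlen(pass);
    if (n < 0 || plen == 0 || offset + plen > (size_t)n)
        return 0;
    return memcmp(p + offset, pass, plen) == 0;
}

/* Constructed IPv4 + ICMP echo request carrying `payload`. Checksums are left
 * zero (this model does not verify them); addresses are from the 192.0.2.0/24
 * documentation range. Returns the packet length, or 0 if buf is too small. */
size_t build_echo(uint8_t *buf, size_t cap, const char *payload)
{
    size_t plen = strlen(payload);
    size_t total = 20 + 8 + plen;
    if (total > cap)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                   /* IPv4, IHL = 5 words (20 bytes) */
    buf[2] = (uint8_t)(total >> 8);  /* total length, big-endian */
    buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                     /* TTL */
    buf[9] = IP_PROTO_ICMP;
    buf[12] = 192; buf[13] = 0; buf[14] = 2; buf[15] = 10;   /* src */
    buf[16] = 192; buf[17] = 0; buf[18] = 2; buf[19] = 20;   /* dst */
    buf[20] = ICMP_ECHO_REQUEST;     /* type 8, code 0, id/seq zero */
    memcpy(buf + 28, payload, plen);
    return total;
}

/* Wrappers: build a packet for a text payload and run one matcher over it. */
int check_anywhere_on(const char *payload, const char *pass)
{
    uint8_t buf[256];
    size_t n = build_echo(buf, sizeof buf, payload);
    return n ? match_anywhere(buf, n, pass) : 0;
}
int check_at_offset_on(const char *payload, const char *pass, size_t offset)
{
    uint8_t buf[256];
    size_t n = build_echo(buf, sizeof buf, payload);
    return n ? match_at_offset(buf, n, pass, offset) : 0;
}

int main(void)
{
    /* Constructed inputs: an ordinary ping whose text contains "pass" inside
     * "compass", and a trigger carrying the passphrase at payload offset 8. */
    const char *benign = "monitoring probe: compass heading ok";
    const char *trigger = "12345678pass";
    printf("benign  anywhere=%d at_offset_8=%d\n",
           check_anywhere_on(benign, "pass"), check_at_offset_on(benign, "pass", 8));
    printf("trigger anywhere=%d at_offset_8=%d\n",
           check_anywhere_on(trigger, "pass"), check_at_offset_on(trigger, "pass", 8));
    return 0;
}
```

The benign payload matches under the unanchored rule and not under the anchored one, which is exactly the accidental-trigger case a short passphrase invites; the trigger matches under both. Keeping the verdict in a function that knows nothing about rebooting is the match/target split argued for earlier in the thread. Later mainline iptables gained `--from` and `--to` on the string match, which anchor the search window inside the match itself.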
* Re[2]: new REBOOT target
2005-03-01 0:20 ` Max Kellermann
@ 2005-03-01 5:14 ` Wang Jian
2005-03-01 8:22 ` Andrew Kozachenko
0 siblings, 1 reply; 9+ messages in thread
From: Wang Jian @ 2005-03-01 5:14 UTC (permalink / raw)
To: Max Kellermann; +Cc: netfilter-devel
Hi Max Kellermann,
On Tue, 1 Mar 2005 01:20:58 +0100, Max Kellermann <max@duempel.org> wrote:
> On 2005/02/28 10:41, Wang Jian <lark@linux.net.cn> wrote:
> > Besides my laziness, the --passphrase is an error-proof mechanism per
> > se. Let's assume someone wants to use -j REBOOT, but he doesn't
> > specify a good enough match, just '-p icmp', then boom ;) In this
> > sense, the --passphrase is not a match, but part of the target.
>
> (my first reply to you didn't get to the list, maybe a mailman
> failure?)
>
> Now what about an error proof admin? ;)
>
> Sorry, I don't think this is a good argument, don't try to find an
> excuse for writing a dangerous rule (and for writing such a netfilter
> "design violation"). If an admin is brave enough to compile REBOOT
> into the kernel and write "-j REBOOT" somewhere, it's his own fault he
> didn't implement the correct match. Someone with root access should
> know better.
>
> REBOOT should ... reboot! Not match the protocol or a certain pass
> phrase.
Can't agree more :)
>
> Max
--
lark
* Re: new REBOOT target
2005-03-01 5:14 ` Re[2]: " Wang Jian
@ 2005-03-01 8:22 ` Andrew Kozachenko
2005-03-01 9:49 ` Re[2]: " Wang Jian
0 siblings, 1 reply; 9+ messages in thread
From: Andrew Kozachenko @ 2005-03-01 8:22 UTC (permalink / raw)
To: Wang Jian; +Cc: netfilter-devel
Wang Jian wrote:
>Hi Max Kellermann,
>
>On Tue, 1 Mar 2005 01:20:58 +0100, Max Kellermann <max@duempel.org> wrote:
>
>>On 2005/02/28 10:41, Wang Jian <lark@linux.net.cn> wrote:
>>
>>>Besides my laziness, the --passphrase is an error-proof mechanism per
>>>se. Let's assume someone wants to use -j REBOOT, but he doesn't
>>>specify a good enough match, just '-p icmp', then boom ;) In this
>>>sense, the --passphrase is not a match, but part of the target.
>>
>>(my first reply to you didn't get to the list, maybe a mailman
>>failure?)
>>
>>Now what about an error proof admin? ;)
>>
>>Sorry, I don't think this is a good argument, don't try to find an
>>excuse for writing a dangerous rule (and for writing such a netfilter
>>"design violation"). If an admin is brave enough to compile REBOOT
>>into the kernel and write "-j REBOOT" somewhere, it's his own fault he
>>didn't implement the correct match. Someone with root access should
>>know better.
>>
>>REBOOT should ... reboot! Not match the protocol or a certain pass
>>phrase.
Why don't you use an SNMP trap for this purpose? You can send a special SNMP
trap from wherever to the machine that needs rebooting, which runs snmptrapd
and reboots itself from a traphandle script.
Consider using net-snmp for this, not netfilter.
>
>Can't agree more :)
>
>>Max
--
Regards,
Andrew Kozachenko
Entri ltd.
Look at the source, Luke.
* Re[2]: new REBOOT target
2005-03-01 8:22 ` Andrew Kozachenko
@ 2005-03-01 9:49 ` Wang Jian
0 siblings, 0 replies; 9+ messages in thread
From: Wang Jian @ 2005-03-01 9:49 UTC (permalink / raw)
To: Andrew Kozachenko; +Cc: netfilter-devel
Hi Andrew Kozachenko,
On Tue, 01 Mar 2005 10:22:54 +0200, Andrew Kozachenko <andrew@entri.com.ua> wrote:
> Why don't you use an SNMP trap for this purpose? You can send a special SNMP
> trap from wherever to the machine that needs rebooting, which runs snmptrapd
> and reboots itself from a traphandle script.
> Consider using net-snmp for this, not netfilter.
Because, in this case, user space programs have no chance to run
correctly; only kernel space has a chance to do something, for example
calling machine_restart();
I suspect that some program is hogging the memory system, and the system is
busy swapping to death, but I can't be sure of that because the console
is locked in this situation. Before I find the culprit, I have to reboot
it when the system is stuck.
--
lark