[PATCH 0/2] address type match limited to incoming interface

[PATCH 0/2] address type match limited to incoming interface

[Laszlo Attila Toth]

Hello,

Current version of address type match lets incoming packets filter by
address type such as LOCAL (local address of any interface). With this
the following patches this type check can be limited to the interface
the packet coming in. For instance the lets SSH in on every interface
and nothing else:

iptables -P INPUT DROP
(some additional checks may be here such as -m state --state INVALID -j
DROP)
iptables -A INPUT -p tcp -m tcp --dport 22 -m addrtype --dst-type LOCAL
--limit-iface -j ACCEPT

If a packet arrives on eth0 with the IP address of the eth0 it is
accepted but if it is an address of eth1 it is dropped.

Also it can be used for checking IP spoofing.

Regards,
	Attila

[PATCH 1/2] Find address type on a specific or on any interface

[Laszlo Attila Toth]

From: Tóth László Attila <panther@balabit.hu>

Address type search can be limited to any interface by
inet_addr_type_on_dev function.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/net/route.h     |    1 +
 net/ipv4/fib_frontend.c |   21 +++++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/include/net/route.h b/include/net/route.h
index f7ce625..4a0e3bc 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -119,6 +119,7 @@ extern unsigned short	ip_rt_frag_needed(struct iphdr *iph, unsigned short new_mt
 extern void		ip_rt_send_redirect(struct sk_buff *skb);
 
 extern unsigned		inet_addr_type(__be32 addr);
+extern unsigned		inet_addr_type_on_dev(__be32 addr, const struct net_device *on_dev);
 extern void		ip_rt_multicast_event(struct in_device *);
 extern int		ip_rt_ioctl(unsigned int cmd, void __user *arg);
 extern void		ip_rt_get_source(u8 *src, struct rtable *rt);
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index eff6bce..9d93a20 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -145,7 +145,11 @@ out:
 	return dev;
 }
 
-unsigned inet_addr_type(__be32 addr)
+/*
+ * Find address type as if only "on_dev" was present in the system. If
+ * on_dev is NULL then all interfaces are taken into consideration.
+ */
+static inline unsigned __inet_addr_type_on_dev(__be32 addr, const struct net_device *on_dev)
 {
 	struct flowi		fl = { .nl_u = { .ip4_u = { .daddr = addr } } };
 	struct fib_result	res;
@@ -164,13 +168,25 @@ unsigned inet_addr_type(__be32 addr)
 		ret = RTN_UNICAST;
 		if (!ip_fib_local_table->tb_lookup(ip_fib_local_table,
 						   &fl, &res)) {
-			ret = res.type;
+			if ((!on_dev || on_dev == res.fi->fib_dev)) {
+			        ret = res.type;
+			}
 			fib_res_put(&res);
 		}
 	}
 	return ret;
 }
 
+unsigned inet_addr_type(__be32 addr)
+{
+  return __inet_addr_type_on_dev(addr, NULL);
+}
+
+unsigned inet_addr_type_on_dev(__be32 addr, const struct net_device *on_dev)
+{
+  return __inet_addr_type_on_dev(addr, on_dev);
+}
+
 /* Given (packet source, input interface) and optional (dst, oif, tos):
    - (main) check, that source is valid i.e. not broadcast or our local
      address.
@@ -922,4 +938,5 @@ void __init ip_fib_init(void)
 }
 
 EXPORT_SYMBOL(inet_addr_type);
+EXPORT_SYMBOL(inet_addr_type_on_dev);
 EXPORT_SYMBOL(ip_dev_find);
-- 
1.5.2.5

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 2/2] Addrtype match extension: limit addrtype check on the packet's interface

[Laszlo Attila Toth]

From: Tóth László Attila <panther@balabit.hu>

Addrtype match has a new revision (1), which lets address type checking
limit to the interface the current packet belongs to.

Revision 0 lets older userspace programs use the match as earlier.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/linux/netfilter_ipv4/ipt_addrtype.h |   15 +++++++
 net/ipv4/netfilter/ipt_addrtype.c           |   59 ++++++++++++++++++++-------
 2 files changed, 59 insertions(+), 15 deletions(-)

diff --git a/include/linux/netfilter_ipv4/ipt_addrtype.h b/include/linux/netfilter_ipv4/ipt_addrtype.h
index 166ed01..019ab47 100644
--- a/include/linux/netfilter_ipv4/ipt_addrtype.h
+++ b/include/linux/netfilter_ipv4/ipt_addrtype.h
@@ -1,9 +1,24 @@
 #ifndef _IPT_ADDRTYPE_H
 #define _IPT_ADDRTYPE_H
 
+#define IPT_ADDRTYPE_REVISION        0x0001
+
+enum
+{
+	IPT_ADDRTYPE_INVERT_SOURCE = 0x0001,
+	IPT_ADDRTYPE_INVERT_DEST   = 0x0002,
+	IPT_ADDRTYPE_LIMIT_IFACE   = 0x0004,
+};
+
 struct ipt_addrtype_info {
 	u_int16_t	source;		/* source-type mask */
 	u_int16_t	dest;		/* dest-type mask */
+	u_int32_t       flags;
+};
+
+struct ipt_addrtype_info_v0 {
+	u_int16_t	source;		/* source-type mask */
+	u_int16_t	dest;		/* dest-type mask */
 	u_int32_t	invert_source;
 	u_int32_t	invert_dest;
 };
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 59f01f7..e9d1f23 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -22,44 +22,73 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 MODULE_DESCRIPTION("iptables addrtype match");
 
-static inline bool match_type(__be32 addr, u_int16_t mask)
+static inline bool match_type(__be32 addr, const struct net_device *in, u_int16_t mask)
 {
-	return !!(mask & (1 << inet_addr_type(addr)));
+	return !!(mask & (1 << inet_addr_type_on_dev(addr, in)));
 }
 
-static bool match(const struct sk_buff *skb,
+static bool match_v0(const struct sk_buff *skb,
+		    const struct net_device *in, const struct net_device *out,
+		    const struct xt_match *match, const void *matchinfo,
+		    int offset, unsigned int protoff, bool *hotdrop)
+{
+	const struct ipt_addrtype_info_v0 *info = matchinfo;
+	const struct iphdr *iph = ip_hdr(skb);
+	bool ret = true;
+
+	if (info->source)
+		ret &= match_type(iph->saddr, NULL, info->source)^info->invert_source;
+	if (ret && (info->dest))
+		ret &= match_type(iph->daddr, NULL, info->dest)^info->invert_dest;
+
+	return ret;
+}
+
+static bool match_v1(const struct sk_buff *skb,
 		  const struct net_device *in, const struct net_device *out,
 		  const struct xt_match *match, const void *matchinfo,
 		  int offset, unsigned int protoff, bool *hotdrop)
 {
 	const struct ipt_addrtype_info *info = matchinfo;
 	const struct iphdr *iph = ip_hdr(skb);
+	const struct net_device *limit_dev = (info->flags & IPT_ADDRTYPE_LIMIT_IFACE) ? in : NULL;
 	bool ret = true;
 
 	if (info->source)
-		ret &= match_type(iph->saddr, info->source)^info->invert_source;
-	if (info->dest)
-		ret &= match_type(iph->daddr, info->dest)^info->invert_dest;
-
+		ret &= match_type(iph->saddr, limit_dev, info->source) ^ (info->flags & IPT_ADDRTYPE_INVERT_SOURCE);
+	if (ret && (info->dest))
+		ret &= match_type(iph->daddr, limit_dev, info->dest) ^ (info->flags & IPT_ADDRTYPE_INVERT_DEST);
+	
 	return ret;
 }
 
-static struct xt_match addrtype_match __read_mostly = {
-	.name		= "addrtype",
-	.family		= AF_INET,
-	.match		= match,
-	.matchsize	= sizeof(struct ipt_addrtype_info),
-	.me		= THIS_MODULE
+ static struct xt_match addrtype_match[] = {
+ 	{
+ 		.name		= "addrtype",
+ 		.family		= AF_INET,
+ 		.revision       = 0,
+ 		.match		= match_v0,
+ 		.matchsize	= sizeof(struct ipt_addrtype_info_v0),
+ 		.me		= THIS_MODULE
+ 	},
+ 	{
+ 		.name		= "addrtype",
+ 		.family		= AF_INET,
+ 		.revision       = 1,
+ 		.match		= match_v1,
+ 		.matchsize	= sizeof(struct ipt_addrtype_info),
+ 		.me		= THIS_MODULE
+ 	}
 };
 
 static int __init ipt_addrtype_init(void)
 {
-	return xt_register_match(&addrtype_match);
+	return xt_register_matches(addrtype_match, ARRAY_SIZE(addrtype_match));
 }
 
 static void __exit ipt_addrtype_fini(void)
 {
-	xt_unregister_match(&addrtype_match);
+	xt_unregister_matches(addrtype_match, ARRAY_SIZE(addrtype_match));
 }
 
 module_init(ipt_addrtype_init);
-- 
1.5.2.5

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/2] Addrtype match extension: limit addrtype check on the packet's interface

[Patrick McHardy]

Laszlo Attila Toth wrote:
> +static bool match_v1(const struct sk_buff *skb,
>  		  const struct net_device *in, const struct net_device *out,
>  		  const struct xt_match *match, const void *matchinfo,
>  		  int offset, unsigned int protoff, bool *hotdrop)
>  {
>  	const struct ipt_addrtype_info *info = matchinfo;
>  	const struct iphdr *iph = ip_hdr(skb);
> +	const struct net_device *limit_dev = (info->flags & IPT_ADDRTYPE_LIMIT_IFACE) ? in : NULL;


The match can be used on any hook, using the incoming interface
is a bit unflexible. How about using the incoming interface for
src-address and outgoing interface for destination address matches?
Alternatively add two flags to specify which device to use. You'll
need to add proper checks of course to make sure the interface is
valid for the hook the match is used in.

Re: [PATCH 2/2] Addrtype match extension: limit addrtype check on the packet's interface

[Laszlo Attila Toth]

Patrick McHardy írta:
> Laszlo Attila Toth wrote:
>> +static bool match_v1(const struct sk_buff *skb,
>>            const struct net_device *in, const struct net_device *out,
>>            const struct xt_match *match, const void *matchinfo,
>>            int offset, unsigned int protoff, bool *hotdrop)
>>  {
>>      const struct ipt_addrtype_info *info = matchinfo;
>>      const struct iphdr *iph = ip_hdr(skb);
>> +    const struct net_device *limit_dev = (info->flags & 
>> IPT_ADDRTYPE_LIMIT_IFACE) ? in : NULL;
> 
> 
> The match can be used on any hook, using the incoming interface
> is a bit unflexible. How about using the incoming interface for
> src-address and outgoing interface for destination address matches?
> Alternatively add two flags to specify which device to use. You'll
> need to add proper checks of course to make sure the interface is
> valid for the hook the match is used in.

Two flags would be better because the forward chain can be handled 
specially. For all the others two different options arn't necessary.
In the forward chain both src and the dst addrtypes would be checked 
twice in this case, once on the input interface and once on the output.

-- 
Attila
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/2] Addrtype match extension: limit addrtype check on the packet's interface

[Laszlo Attila Toth]

Patrick McHardy írta:
> Laszlo Attila Toth wrote:
>> +static bool match_v1(const struct sk_buff *skb,
>>            const struct net_device *in, const struct net_device *out,
>>            const struct xt_match *match, const void *matchinfo,
>>            int offset, unsigned int protoff, bool *hotdrop)
>>  {
>>      const struct ipt_addrtype_info *info = matchinfo;
>>      const struct iphdr *iph = ip_hdr(skb);
>> +    const struct net_device *limit_dev = (info->flags & 
>> IPT_ADDRTYPE_LIMIT_IFACE) ? in : NULL;
> 
> 
> The match can be used on any hook, using the incoming interface
> is a bit unflexible. How about using the incoming interface for
> src-address and outgoing interface for destination address matches?

But what happens when I use only dst-type in the rule in the INPUT chain?

I think in the INPUT chain the incoming interface with the dst-type and 
in the OUTPUT chain the outgoing interface with the src-type parameter 
could be used. And what should I check in the other 3 chains? In FORWARD 
it seems pointless to let the limit-iface option.

> Alternatively add two flags to specify which device to use. You'll
> need to add proper checks of course to make sure the interface is
> valid for the hook the match is used in.

Hm, I need a hooknum parameter in the match function which exists only 
in the target functions.


-- 
Attila
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 1/2] Find address type on a specific or on any interface

[Patrick McHardy]

Laszlo Attila Toth wrote:
> +/*
> + * Find address type as if only "on_dev" was present in the system. If
> + * on_dev is NULL then all interfaces are taken into consideration.
> + */
> +static inline unsigned __inet_addr_type_on_dev(__be32 addr, const struct net_device *on_dev)

I would prefer the name "__inet_dev_addr_type" or "__dev_inet_addr_type"

>  {
>  	struct flowi		fl = { .nl_u = { .ip4_u = { .daddr = addr } } };
>  	struct fib_result	res;
> @@ -164,13 +168,25 @@ unsigned inet_addr_type(__be32 addr)
>  		ret = RTN_UNICAST;
>  		if (!ip_fib_local_table->tb_lookup(ip_fib_local_table,
>  						   &fl, &res)) {
> -			ret = res.type;
> +			if ((!on_dev || on_dev == res.fi->fib_dev)) {
> +			        ret = res.type;
> +			}

No braces around single statements that fit on one line please.

>  			fib_res_put(&res);
>  		}
>  	}
>  	return ret;
>  }
>  
> +unsigned inet_addr_type(__be32 addr)
> +{
> +  return __inet_addr_type_on_dev(addr, NULL);

Use tabs for indenting.

[PATCH 0/2] Addrtype match limit to a specific interface. Patches

[Tóth László Attila]

The address type check can be limited to the interface the packets belongs to
and it matches only if the incoming interface (of the packet) has the same
IP address as the packet's source or destination address depending on the
source or destionation type settings.

[PATCH 1/2] Find address type on a specific or on any interface

[Tóth László Attila]

Address type search can be limited to any interface by
inet_addr_type_on_dev function.

Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
---
 include/net/route.h     |    1 +
 net/ipv4/fib_frontend.c |   21 +++++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/include/net/route.h b/include/net/route.h
index f7ce625..4a0e3bc 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -119,6 +119,7 @@ extern unsigned short	ip_rt_frag_needed(struct iphdr *iph, unsigned short new_mt
 extern void		ip_rt_send_redirect(struct sk_buff *skb);
 
 extern unsigned		inet_addr_type(__be32 addr);
+extern unsigned		inet_addr_type_on_dev(__be32 addr, const struct net_device *on_dev);
 extern void		ip_rt_multicast_event(struct in_device *);
 extern int		ip_rt_ioctl(unsigned int cmd, void __user *arg);
 extern void		ip_rt_get_source(u8 *src, struct rtable *rt);
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index eff6bce..9d93a20 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -145,7 +145,11 @@ out:
 	return dev;
 }
 
-unsigned inet_addr_type(__be32 addr)
+/*
+ * Find address type as if only "on_dev" was present in the system. If
+ * on_dev is NULL then all interfaces are taken into consideration.
+ */
+static inline unsigned __inet_addr_type_on_dev(__be32 addr, const struct net_device *on_dev)
 {
 	struct flowi		fl = { .nl_u = { .ip4_u = { .daddr = addr } } };
 	struct fib_result	res;
@@ -164,13 +168,25 @@ unsigned inet_addr_type(__be32 addr)
 		ret = RTN_UNICAST;
 		if (!ip_fib_local_table->tb_lookup(ip_fib_local_table,
 						   &fl, &res)) {
-			ret = res.type;
+			if ((!on_dev || on_dev == res.fi->fib_dev)) {
+			        ret = res.type;
+			}
 			fib_res_put(&res);
 		}
 	}
 	return ret;
 }
 
+unsigned inet_addr_type(__be32 addr)
+{
+  return __inet_addr_type_on_dev(addr, NULL);
+}
+
+unsigned inet_addr_type_on_dev(__be32 addr, const struct net_device *on_dev)
+{
+  return __inet_addr_type_on_dev(addr, on_dev);
+}
+
 /* Given (packet source, input interface) and optional (dst, oif, tos):
    - (main) check, that source is valid i.e. not broadcast or our local
      address.
@@ -922,4 +938,5 @@ void __init ip_fib_init(void)
 }
 
 EXPORT_SYMBOL(inet_addr_type);
+EXPORT_SYMBOL(inet_addr_type_on_dev);
 EXPORT_SYMBOL(ip_dev_find);
-- 
1.5.2.5