* Failing to construct a 'set' for TCP Flag filtering.

From: Chris Hall @ 2020-09-02 16:44 UTC (permalink / raw)
To: netfilter

I have constructed the file 'tryx' containing:

#---------------------------------------------------
flush ruleset
add table ip MAIN

add set ip MAIN tcp_good_flags { type tcp_flag ; flags constant ; \
  elements = {                    \
    ( 0 | 0 | 0 |ack| 0 | 0 ),    \
    ( 0 | 0 | 0 |ack| 0 |urg),    \
    ( 0 | 0 | 0 |ack|psh| 0 ),    \
    ( 0 | 0 | 0 |ack|psh|urg),    \
    ( 0 | 0 |rst| 0 | 0 | 0 ),    \
    ( 0 | 0 |rst|ack| 0 | 0 ),    \
    ( 0 | 0 |rst|ack| 0 |urg),    \
    ( 0 | 0 |rst|ack|psh| 0 ),    \
    ( 0 | 0 |rst|ack|psh|urg),    \
    ( 0 |syn| 0 | 0 | 0 | 0 ),    \
    ( 0 |syn| 0 |ack| 0 | 0 ),    \
    ( 0 |syn| 0 |ack| 0 |urg),    \
    ( 0 |syn| 0 |ack|psh| 0 ),    \
    ( 0 |syn| 0 |ack|psh|urg),    \
    (fin| 0 | 0 |ack| 0 | 0 ),    \
    (fin| 0 | 0 |ack| 0 |urg),    \
    (fin| 0 | 0 |ack|psh| 0 ),    \
    (fin| 0 | 0 |ack|psh|urg)     \
  } ; }

list ruleset
#---------------------------------------------------

With a view to using this to filter out invalid combinations of TCP flags.

When I give that to nft I get:

# nft -f tryx
table ip MAIN {
	set tcp_good_flags {
		type tcp_flag
		flags constant
		elements = { ack, 0x30, 0x18, 0x38, rst,
			     0x14, 0x34, 0x1c, 0x3c, syn,
			     0x12, 0x32, 0x1a, 0x3a, 0x11,
			     0x31, 0x19, 0x39 }
	}
}

...which suggests that all is well so far... but it isn't. And if I try to check the state of the ruleset again:

# nft list ruleset
BUG: Unknown expression binop
nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
Aborted (core dumped)

Indeed, nothing seems to work until I 'flush ruleset' again!

Am I asking for the impossible here?

Thanks,

Chris
* Re: Failing to construct a 'set' for TCP Flag filtering.

From: Pablo Neira Ayuso @ 2020-09-02 17:51 UTC (permalink / raw)
To: Chris Hall; +Cc: netfilter

[-- Attachment #1: Type: text/plain, Size: 1917 bytes --]

On Wed, Sep 02, 2020 at 05:44:11PM +0100, Chris Hall wrote:
>
> I have constructed the file 'tryx' containing:
>
> #---------------------------------------------------
> flush ruleset
> add table ip MAIN
>
> add set ip MAIN tcp_good_flags { type tcp_flag ; flags constant ; \
>   elements = {                    \
>     ( 0 | 0 | 0 |ack| 0 | 0 ),    \
>     ( 0 | 0 | 0 |ack| 0 |urg),    \
>     ( 0 | 0 | 0 |ack|psh| 0 ),    \
>     ( 0 | 0 | 0 |ack|psh|urg),    \
>     ( 0 | 0 |rst| 0 | 0 | 0 ),    \
>     ( 0 | 0 |rst|ack| 0 | 0 ),    \
>     ( 0 | 0 |rst|ack| 0 |urg),    \
>     ( 0 | 0 |rst|ack|psh| 0 ),    \
>     ( 0 | 0 |rst|ack|psh|urg),    \
>     ( 0 |syn| 0 | 0 | 0 | 0 ),    \
>     ( 0 |syn| 0 |ack| 0 | 0 ),    \
>     ( 0 |syn| 0 |ack| 0 |urg),    \
>     ( 0 |syn| 0 |ack|psh| 0 ),    \
>     ( 0 |syn| 0 |ack|psh|urg),    \
>     (fin| 0 | 0 |ack| 0 | 0 ),    \
>     (fin| 0 | 0 |ack| 0 |urg),    \
>     (fin| 0 | 0 |ack|psh| 0 ),    \
>     (fin| 0 | 0 |ack|psh|urg)     \
>   } ; }
>
> list ruleset
> #---------------------------------------------------
>
> With a view to using this to filter out invalid combinations of TCP flags.
>
> When I give that to nft I get:
>
> # nft -f tryx
> table ip MAIN {
> 	set tcp_good_flags {
> 		type tcp_flag
> 		flags constant
> 		elements = { ack, 0x30, 0x18, 0x38, rst,
> 			     0x14, 0x34, 0x1c, 0x3c, syn,
> 			     0x12, 0x32, 0x1a, 0x3a, 0x11,
> 			     0x31, 0x19, 0x39 }
> 	}
> }
>
> ...which suggests that all is well so far... but it isn't. And if I try to
> check the state of the ruleset again:
>
> # nft list ruleset
> BUG: Unknown expression binop
> nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
> Aborted (core dumped)
>
> Indeed, nothing seems to work until I 'flush ruleset' again!
>
> Am I asking for the impossible here?

It's a bug, I'll apply this patch to git.

[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 621 bytes --]

diff --git a/src/mergesort.c b/src/mergesort.c index 02094b486aeb..4d5bdbd414db 100644
--- a/src/mergesort.c +++ b/src/mergesort.c @@ -44,7 +44,15 @@ static int expr_msort_cmp(const struct expr *e1, const struct expr *e2) case EXPR_MAPPING: return expr_msort_cmp(e1->left, e2->left); case EXPR_BINOP: - return expr_msort_cmp(e1->left, e2->left); + switch (e2->etype) { + case EXPR_VALUE: + return expr_msort_cmp(e1->left, e2); + case EXPR_BINOP: + return expr_msort_cmp(e1->left, e2->left); + default: + break; + } + /* fall through */ default: BUG("Unknown expression %s\n", expr_name(e1)); } ^ permalink raw reply related [flat|nested] 6+ messages in thread
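Review bot: the new EXPR_BINOP branch only covers the ordering in which e1 is the binop; the mirrored case, e1 an EXPR_VALUE and e2 an EXPR_BINOP, is outside this hunk and needs the same treatment, because a merge-sort comparator must be consistent whichever side the binop lands on (cmp(a, b) should be the negative of cmp(b, a)), otherwise the resulting element order depends on the input order rather than on the values. Also, both binop cases compare `e1->left` only, so the operator and the right-hand operand are ignored and two elements that differ only in their right-hand term compare as equal; for a `flags constant` set built from `(... | ack | ...)` expressions it would be cleaner to evaluate each constant binop to a plain EXPR_VALUE before sorting, which also keeps the BUG() default reachable only for genuinely unknown expression types.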
* Re: Failing to construct a 'set' for TCP Flag filtering.

From: Chris Hall @ 2020-09-03 12:53 UTC (permalink / raw)
To: netfilter

On 02/09/2020 18:51, Pablo Neira Ayuso wrote:
> On Wed, Sep 02, 2020 at 05:44:11PM +0100, Chris Hall wrote:
>> .... issue with 'add set ip MAIN tcp_good_flags...'
>> Indeed, nothing seems to work until I 'flush ruleset' again!
>>
>> Am I asking for the impossible here?
> It's a bug, I'll apply this patch to git.

Ah. I'm impressed that it's quickly fixable...

...but my Fedora appears to be 9 months behind on nftables v0.9.3, so I guess I have a bit of a wait :-(

I tried building nftables, but ./configure says:

  Package 'libnftnl' has version '1.1.3', required version is '>= 1.1.7'

I tried building and installing libnftnl, which created '/usr/local/lib/libnftnl.so.11.3.0'. But that does not seem to satisfy the ./configure for nftables?

I guess what I need to do is build (on my development machine) an .rpm to install on the firewall... but I'm not getting far.

Thanks,

Chris
* Re: Failing to construct a 'set' for TCP Flag filtering.

From: Florian Westphal @ 2020-09-03 14:24 UTC (permalink / raw)
To: Chris Hall; +Cc: netfilter

Chris Hall <nftables@gmch.uk> wrote:
> On 02/09/2020 18:51, Pablo Neira Ayuso wrote:
> > On Wed, Sep 02, 2020 at 05:44:11PM +0100, Chris Hall wrote:
> >> .... issue with 'add set ip MAIN tcp_good_flags...'
> >> Indeed, nothing seems to work until I 'flush ruleset' again!
> >>
> >> Am I asking for the impossible here?
> > It's a bug, I'll apply this patch to git.
>
> Ah. I'm impressed that it's quickly fixable...
>
> ...but my Fedora appears to be 9 months behind on nftables v0.9.3, so I
> guess I have a bit of a wait :-(
>
> I tried building nftables, but ./configure says:
>
>   Package 'libnftnl' has version '1.1.3', required version is '>= 1.1.7'
>
> I tried building and installing libnftnl, which created
> '/usr/local/lib/libnftnl.so.11.3.0'. But that does not seem to satisfy the
> ./configure for nftables?

It does, but it's finding the wrong/old installation, or not searching in /usr/local.

Try

  ./configure PKG_CONFIG_PATH=/path/to/where/the/1.1.7.pc-file-is

when building nftables.

  find /usr/local -name '*.pc'

might tell you the right directory.
* Re: Failing to construct a 'set' for TCP Flag filtering.

From: Chris Hall @ 2020-09-03 17:44 UTC (permalink / raw)
To: netfilter

On 03/09/2020 15:24, Florian Westphal wrote:
...
> Try
>
>   ./configure PKG_CONFIG_PATH=/path/to/where/the/1.1.7.pc-file-is

Thank you. I have now succeeded in building nft and libnftnl.so.11.3.0, and copying same to the firewall machine. (Yay!)

Having applied the suggested patch, I find that with the (same) file 'tryx' as before I now get:

# nft -f tryx
table ip MAIN {
	set tcp_good_flags {
		type tcp_flag
		flags constant
	}
}

...which appears to be a step backwards :-(

BUT when I now check the ruleset I get:

# nft list ruleset
table ip MAIN {
	set tcp_good_flags {
		type tcp_flag
		flags constant
		elements = { fin | psh | ack | urg, fin | psh | ack,
			     fin | ack | urg, fin | ack,
			     syn | psh | ack | urg, syn | psh | ack,
			     syn | ack | urg, syn | ack, syn,
			     rst | psh | ack | urg, rst | psh | ack,
			     rst | ack | urg, rst | ack, rst,
			     psh | ack | urg, psh | ack,
			     ack | urg, ack }
	}
}

So it's not crashing any more -- hurrah!

BTW: if I have a 'list ruleset' in an .nft script, what should I expect it to show me? I ask because if I do (as above):

  # nft -f xxxx.nft      -- where the last line is 'list ruleset'
  # nft list ruleset

the second command seems to show a more complete ruleset?

FWIW:

  add rule ip MAIN FORWARD tcp flags & (fin|syn|rst|ack|psh|urg) \
                                   @tcp_good_flags goto FwdTCP

is accepted (and I hope will do what I want!).

Thanks,

Chris
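The following is an added example, not code from the thread or from the nftables project. It models, in Python, what the 'tcp_good_flags' set from the first message and the 'tcp flags & (fin|syn|rst|ack|psh|urg) @tcp_good_flags' rule from the last message actually do: the six classic flags are masked out of the TCP flags byte and the result is looked up in the set. The flag bit values are the standard TCP header bits (fin=0x01, syn=0x02, rst=0x04, psh=0x08, ack=0x10, urg=0x20, ecn=0x40, cwr=0x80); the sample flag bytes are constructed here for illustration. It also checks that the hex values nft printed for the set (0x30, 0x18, 0x38, ...) are exactly the 18 combinations written in 'tryx', and shows why the mask matters: an ECN-setup SYN carries extra bits that would otherwise miss the set.

```python
# Added example (not from the thread): model the tcp_flag set and the
# "tcp flags & MASK @tcp_good_flags" lookup in Python.
# Flag bit values are the standard TCP header bits (RFC 793 / RFC 3168).
FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}

# Mask from the rule in the thread: the six classic flags, so ECN/CWR are ignored.
MASK = (FLAGS["fin"] | FLAGS["syn"] | FLAGS["rst"]
        | FLAGS["ack"] | FLAGS["psh"] | FLAGS["urg"])

# The 18 rows of the set, transcribed from the 'tryx' file with the zero
# columns dropped (a 0 in the file is simply an unset flag).
GOOD_COMBOS = [
    "ack", "ack|urg", "ack|psh", "ack|psh|urg",
    "rst", "rst|ack", "rst|ack|urg", "rst|ack|psh", "rst|ack|psh|urg",
    "syn", "syn|ack", "syn|ack|urg", "syn|ack|psh", "syn|ack|psh|urg",
    "fin|ack", "fin|ack|urg", "fin|ack|psh", "fin|ack|psh|urg",
]


def parse_flags(expr: str) -> int:
    """OR together names such as 'syn|ack'; '0' (as in the tryx file) adds nothing."""
    value = 0
    for name in expr.split("|"):
        name = name.strip()
        if name != "0":
            value |= FLAGS[name]
    return value


def names(value: int) -> str:
    """Render a flags byte the way nft lists it, e.g. 'syn | ack'; '0x0' if empty."""
    parts = [n for n, bit in FLAGS.items() if value & bit]
    return " | ".join(parts) if parts else "0x0"


# The set as the kernel holds it: plain integer values, one per combination.
TCP_GOOD_FLAGS = frozenset(parse_flags(c) for c in GOOD_COMBOS)


def is_good(tcp_flags_byte: int) -> bool:
    """Model of 'tcp flags & MASK @tcp_good_flags': mask first, then set lookup."""
    return (tcp_flags_byte & MASK) in TCP_GOOD_FLAGS


def classify(flag_bytes):
    """Return (flags as text, matched?) for each flags byte given."""
    return [(names(b), is_good(b)) for b in flag_bytes]


# Constructed sample flag bytes: a normal handshake and data flow, plus the
# combinations the set is meant to keep out (null, syn+fin, fin+psh+urg, syn+rst).
SAMPLE_FLAGS = [
    FLAGS["syn"],
    FLAGS["syn"] | FLAGS["ack"],
    FLAGS["syn"] | FLAGS["ecn"] | FLAGS["cwr"],  # ECN-setup SYN: extra bits masked off
    FLAGS["ack"] | FLAGS["psh"],
    FLAGS["fin"] | FLAGS["ack"],
    0x00,
    FLAGS["syn"] | FLAGS["fin"],
    FLAGS["fin"] | FLAGS["psh"] | FLAGS["urg"],
    FLAGS["syn"] | FLAGS["rst"],
]

if __name__ == "__main__":
    print("set elements as nft printed them:",
          ", ".join(hex(v) for v in sorted(TCP_GOOD_FLAGS)))
    for text, ok in classify(SAMPLE_FLAGS):
        print(f"{text:24} -> {'in set' if ok else 'not in set'}")
```

Without the '& (fin|syn|rst|ack|psh|urg)' mask the lookup would be done on the whole flags byte, and a legitimate SYN with ECN and CWR set (0xc2) would not be found in the set; with the mask it reduces to plain 'syn' (0x02) and matches. The model only decides set membership; what the rule then does with a match (the 'goto FwdTCP' in the thread) is up to the ruleset.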
* 'meta mark' and 'meta mark set' -- any restrictions on their use ?

From: Chris Hall @ 2020-09-15 15:43 UTC (permalink / raw)
To: netfilter

Can anyone point me in the direction of some documentation that tells me how my ruleset may use the 'meta mark'?

I assume that nothing in the kernel and nothing in nftables itself depends on the value of the 'mark'? So I may make whatever use I like of it in my ruleset?

I gather that the initial value of the mark may be set by the ConnTrack stuff, if the connection is not new and 'ct mark set <value>' has been used. Is that true?

I guess the default value for the mark is 0. Is that true?

I gather that I may:

  add rule ... meta mark set xx

in order to set the mark, and later I can:

  add rule meta mark yy ...

to do something if the mark is equal to yy. Or:

  add rule (meta mark yy & 0x11) != 0 ...

to do something if yy contains either of the bits in 0x11. I assume I have understood correctly?

Experiment also suggests that I may:

  add rule ... meta mark set (meta mark | 0x100)

to modify the mark. I assume that is meant to work? (I note that the second 'meta' appears to be redundant.)

There is clearly a quite sophisticated <expression> syntax layered on top of what the man-page calls a "Primary Expression" (and the terms <expr> in 'define <variable> = <expr>' and <value> in 'meta mark set <value>' and elsewhere). Can anyone point me in the direction of the documentation for all this?

Thanks,

Chris