* iptables u32 tests and user logging
From: Padmanabhan @ 2008-07-21 6:15 UTC (permalink / raw)
To: netfilter
Hello All,
I have a couple of questions on whether iptables can be used to achieve my requirement.
Test Setup
Two Fedora Core 9 (kernel 2.6.25.6-55) systems with Intel Core 2 Duo
processors as iSCSI initiator/target, connected via a Gigabit Ethernet
switch
iptables v1.4.0
Requirement
On the target system, I have to look for packets that have TOS bits
set and in those packets, I have to look beyond the TCP header, i.e. into
the iSCSI header, for specific values.
In this case, I am looking for the iSCSI read command (first byte) and
noting down the ITT value (4 bytes, from 16-19).
I studied the manual pages and I am not sure whether iptables/u32/ulog
can help me achieve this requirement.
Questions
1. I just need to pull a few bytes out of the packet and log them.
2. Can ulog record only a few bytes, or just the interesting bytes, in the payload?
Thanks in advance for your suggestions
Regards
Padmanabhan
* Re: iptables u32 tests and user logging
From: Jan Engelhardt @ 2008-07-21 7:51 UTC (permalink / raw)
To: Padmanabhan; +Cc: netfilter
On Monday 2008-07-21 08:15, Padmanabhan wrote:
>Hello All,
>I have a couple of questions on whether iptables can be used to achieve my requirement.
>
>Test Setup
>Two Fedora Core 9 (kernel 2.6.25.6-55) systems with Intel Core 2 Duo
>processors as iSCSI initiator/target, connected via a Gigabit Ethernet
>switch
>iptables v1.4.0
>
>Requirement
>On the target system, I have to look for packets that have TOS bits
>set and in those packets, I have to look beyond the TCP header, i.e. into
>the iSCSI header, for specific values.
>In this case, I am looking for the iSCSI read command (first byte) and
>noting down the ITT value (4 bytes, from 16-19).
-p tcp -m tos --tos 0x10/0x10 -m u32
--u32 "0 >> 22 & 0x3C @ 12 >> 28 @ 0 >> 24 = 0x13 &&
0 >> 22 & 0x3C @ 12 >> 28 @ 16 = 0x1337"
Reading as:
(- offset is 0)
- bytes 0-3 from the IP header, shift them right by 22 (giving the IHL),
and with 0x3C
- add that value to the offset
(- offset is now the TCP header)
- bytes 12-15 from the TCP header, shift them right by 28 (giving the Offset),
- add that value to the offset
(- offset is now the iSCSI header)
- bytes 0-3 from the iSCSI header, shift them right by 24 (therefore giving
the first byte), compare with 0x13 (assuming this is the number for the
read command)
[I hope I got it right]
and the same tests with bytes 16-19, checking, for example, for 0x1337 as the ITT.
Note that this matches one specific ITT value only. If you want to
log all ITTs, then you should omit the ITT test and only test for iSCSI,
and log that using your favorite method.
* Re: iptables u32 tests and user logging
From: Grant Taylor @ 2008-07-21 15:40 UTC (permalink / raw)
To: Mail List - Netfilter
On 07/21/08 02:51, Jan Engelhardt wrote:
> and the same tests with bytes 16-19, checking, for example, for 0x1337 as
> the ITT. Note that this matches one specific ITT value only. If you want
> to log all ITTs, then you should omit the ITT test and only test for
> iSCSI, and log that using your favorite method.
Is there a way to log the data extracted from the matched packet without
passing the packet to user space for logging? Or are you matching
the desired packets and sending them to user space for logging?
In other words, is there a way to have iptables read some contents of a
packet and then LOG the contents without passing the entire packet to
user space? (To the best of my knowledge there is no way to do this.)
Grant. . . .
* Re: iptables u32 tests and user logging
From: Padmanabhan @ 2008-07-21 16:41 UTC (permalink / raw)
To: netfilter
Hello, Jan,
I came up with the following u32 rule. Should I not multiply by 4 for
the TCP header length to get the offset, as we do for the IP header?
iptables -m u32 --u32 " 0>>22&0x3C@12>>26&0x3C@0&0xFF000000=0x01
&&
0>>22&0x3C@12>>26&0x3C@16=0x00000000:0xFFFFFFFF" -j ulog
For packets with TOS bits set, I am inspecting the first byte of the TCP payload and,
if that matches, I need to record/log the value from bytes 16-19 in the TCP
payload. Since a test has to be made, I just compared those byte values
to be in the range of all 0's to all FF's, which obviously they would
be. So, with this test done, the action I would like to take is to log
those four byte values.
1. My requirement is as stated by Grant: I just need to log those four
bytes (ITT value) from the iSCSI header. Are there any options in
Linux space? With u32 I came so close, yet it was not able to fulfill
it.
2. I tried ulog, to provide an option to log the interesting bytes. Will cprange
provide the first few bytes of the packet, say 100 bytes?
Can I use this option instead of 0? (A caution in the man page says to
leave it at 0.)
Thanks again,
Padmanabhan
* Re: iptables u32 tests and user logging
From: Jan Engelhardt @ 2008-07-21 16:49 UTC (permalink / raw)
To: Padmanabhan; +Cc: netfilter
On Monday 2008-07-21 18:41, Padmanabhan wrote:
>Hello, Jan,
>I came up with the following u32 rule. Should I not multiply by 4 for
>the TCP header length to get the offset, as we do for the IP header?
Right, I probably missed out on that. I do not use u32 that often,
but I am happy to see someone use it at all :-)
>iptables -m u32 --u32 " 0>>22&0x3C@12>>26&0x3C@0&0xFF000000=0x01
>&&
>0>>22&0x3C@12>>26&0x3C@16=0x00000000:0xFFFFFFFF" -j ulog
>
>For packets with TOS bits set, I am inspecting the first byte of the TCP payload and,
Well, for TOS, I used -m tos for sheer readability of the match, but
of course you are free to use u32 for that too, to save the memory
that would otherwise be required by xt_tos.
>if that matches, I need to record/log the value from bytes 16-19 in the TCP
>payload. Since a test has to be made, I just compared those byte values
>to be in the range of all 0's to all FF's, which obviously they would
>be. So, with this test done, the action I would like to take is to log
>those four byte values.
>
>1. My requirement is as stated by Grant: I just need to log those four
>bytes (ITT value) from the iSCSI header. Are there any options in
>Linux space? With u32 I came so close, yet it was not able to fulfill
>it.
u32 is just a match, not a log-this-and-that target.
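As an added example (not code from this thread), here is a small Python evaluator for the u32 location/value language that walks the IP header length and the TCP data offset exactly as the expressions above do, run against a constructed packet. It shows the difference between taking the TCP data offset with ">>28" and with ">>26&0x3C" (the missing multiply-by-4 discussed above), and what the mask-only form "&0xFF000000=0x01" compares; the packet bytes, the opcode value 0x01 and the ITT 0x1337 are constructed test data.

```python
import re
# Constructed test packet (not a capture): IPv4 header (IHL=5, TOS 0x10, length 88), TCP header
# (data offset 5), then a 48-byte iSCSI BHS with opcode 0x01 in byte 0 and ITT 0x1337 in bytes 16-19.
PACKET = (bytes([0x45, 0x10]) + (88).to_bytes(2, "big") + bytes(16)              # 20-byte IP header
          + bytes(12) + bytes([0x50, 0x18]) + bytes(6)                            # 20-byte TCP header
          + bytes([0x01]) + bytes(15) + (0x1337).to_bytes(4, "big") + bytes(28))  # 48-byte iSCSI BHS
# The thread's three expressions, all testing opcode 0x01 so that only the offset arithmetic differs:
# data offset taken without the *4, the corrected ">>26&0x3C" form, and masking the first word unshifted.
U32_NO_MUL4 = "0>>22&0x3C@12>>28@0>>24=0x01 && 0>>22&0x3C@12>>28@16=0x1337"
U32_FIXED = "0>>22&0x3C@12>>26&0x3C@0>>24=0x01 && 0>>22&0x3C@12>>26&0x3C@16=0x1337"
U32_MASK_ONLY = ("0>>22&0x3C@12>>26&0x3C@0&0xFF000000=0x01 && "
                 "0>>22&0x3C@12>>26&0x3C@16=0x00000000:0xFFFFFFFF")
TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|&&|[&@=:,]")
SHIFT_MASK = {"&": lambda v, n: v & n, ">>": lambda v, n: v >> n, "<<": lambda v, n: (v << n) & 0xFFFFFFFF}

def word(pkt, off):
    """Big-endian 32-bit read, as xt_u32 does; a read past the end fails the whole match."""
    if off < 0 or off + 4 > len(pkt):
        raise IndexError(off)
    return int.from_bytes(pkt[off:off + 4], "big")

def u32_match(pkt, expr):
    """Evaluate an iptables '-m u32 --u32' expression against raw packet bytes (IP header first)."""
    toks = TOKEN.findall(expr) + ["&&"]               # sentinel so every test is terminated by '&&'
    i = 0
    try:
        while i < len(toks) - 1:
            base, val, i = 0, word(pkt, int(toks[i], 0)), i + 1   # 4 bytes at the start position
            while toks[i] != "=":                     # location: apply &, <<, >>, @ left to right
                op, n, i = toks[i], int(toks[i + 1], 0), i + 2
                if op == "@":                         # '@' adds the value to the running base offset
                    base += val
                    val = word(pkt, base + n)
                else:
                    val = SHIFT_MASK[op](val, n)
            i += 1
            hit = False
            while True:                               # value list: lo[:hi](,lo[:hi])*
                lo, i = int(toks[i], 0), i + 1
                hi, i = (int(toks[i + 1], 0), i + 2) if toks[i] == ":" else (lo, i)
                hit = hit or lo <= val <= hi
                if toks[i] != ",":
                    break
                i += 1
            if not hit or toks[i] != "&&":
                return False
            i += 1
    except IndexError:                                # offset ran off the packet: no match
        return False
    return True
```

With the constructed packet, only U32_FIXED matches: the ">>28" form lands five bytes into the TCP header instead of twenty, and the mask-only form compares 0x01000000 against 0x01.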
* Re: iptables u32 tests and user logging
From: Padmanabhan @ 2008-07-21 18:06 UTC (permalink / raw)
To: netfilter
Hello,
Is there a way we can add code to u32 to do this function: after
matching a criterion, print/log the interesting bytes?
Thanks
Padmanabhan
* Re: iptables u32 tests and user logging
From: Jan Engelhardt @ 2008-07-21 18:49 UTC (permalink / raw)
To: Padmanabhan; +Cc: netfilter
On Monday 2008-07-21 20:06, Padmanabhan wrote:
>Hello,
>Is there a way we can add code to u32 to do this function: after
>matching a criterion, print/log the interesting bytes?
u32 is a match. It is supposed to be dumb.
But one could introduce (probably to the dismay of Patrick)
something like a LOGU32 target to be used in a fashion like
--u32.
* Re: iptables u32 tests and user logging
From: Grant Taylor @ 2008-07-21 19:57 UTC (permalink / raw)
To: Mail List - Netfilter
On 07/21/08 13:06, Padmanabhan wrote:
> Is there a way we can add code to u32 to do this function: after
> matching a criterion, print/log the interesting bytes?
Rather than having u32 do the logging, you could use u32 to create
multiple different rules (one per ITT you want to log) and then use a
generic LOG target to do the logging for you, i.e.:
Does ITT match "A", log "bla, bla, A, bla..."
Does ITT match "B", log "bla, bla, B, bla..."
Does ITT match "C", log "bla, bla, C, bla..."
You may want to make this a sub-chain that is jumped to after matching
the common portion of the iptables rule.
Grant. . . .
* Re: iptables u32 tests and user logging
From: Padmanabhan @ 2008-07-21 20:15 UTC (permalink / raw)
To: netfilter
Hello Grant,
My interesting 4 bytes can have any value between all 0's and all FF's;
that's the reason that, without matching them for a specific value,
I want to record those values, without using any capturing programs
like tcpdump/wireshark. u32 provided me the flexibility to look at only
specific bytes, but the action which I would like to perform is not
currently supported.
I have another story after recording these values :-)
Thanks
Padmanabhan
* Re: iptables u32 tests and user logging
From: Grant Taylor @ 2008-07-21 21:52 UTC (permalink / raw)
To: Mail List - Netfilter
On 07/21/08 15:15, Padmanabhan wrote:
> My interesting 4 bytes can have any value between all 0's and all FF's;
> that's the reason that, without matching them for a specific value,
*nod* That makes things a little bit more difficult, but not impossible.
> I want to record those values, without using any capturing programs
> like tcpdump/wireshark. u32 provided me the flexibility to look at only
> specific bytes, but the action which I would like to perform is not
> currently supported.
Do you want to capture all packets in a connection or just one per
connection? If you want one per connection, you might want to match in
the NAT table, which only sees the first packet in a connection.
> I have another story after recording these values :-)
*nod*
I'm always curious, probably to a fault.
Grant. . . .