netfilter.vger.kernel.org archive mirror
* iptables-normalizet: argument normalization and DNS resolution?
@ 2014-04-09 12:10 Daniel Tiebler
  2014-04-09 14:00 ` Arturo Borrero Gonzalez
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel Tiebler @ 2014-04-09 12:10 UTC (permalink / raw)
  To: netfilter

Hello,

I found a thread on the mailing list "netfilter", where 
somebody else was also looking for a normalization (see 
http://marc.info/?t=127538152000002&r=1&w=2 ), but there 
was no solution.

I am looking for the features
* normalization of commandline arguments and
* resolution of DNS names
to convert a configuration file into iptables-save format.

As the manpage states, using DNS has its quirks, but 
we want to introduce monitoring against our running 
configuration for cases where we do see a benefit of 
using DNS names.

If this has been already discussed or fixed elsewhere, 
please do not hesitate to point me to any relevant 
documentation. I'll be happy to RTFM.

The current state of the firewall can be obtained using 
iptables-save. That's clear. But our configuration files 
are calling iptables, so we cannot compare the output 
of iptables-save with our configuration files directly. We 
could save the state of the firewall immediately after a 
new configuration, but we also want to track changes of IP 
addresses resolved from DNS names. The resulting diff would 
also catch cases where some "hotfix" has been accidentally 
rolled out to the machine but not yet added to 
the configuration.

We started to implement a tool that parses the 
command-line arguments of iptables and generates output 
comparable to that of iptables-save. However, the 
more complex the rules are, the more expensive the 
development becomes. So we thought of reusing the iptables 
source code.

The idea is the following: Use the parser of iptables and, 
instead of loading the rules into the kernel, output them 
with the generator of iptables-save. I tried the following 
(with version 1.4.12 of iptables on Ubuntu Server 12.04.4 
LTS): I copied the do_output() function from 
iptables-save.c to iptables-restore.c and added the 
missing includes and variable declarations. Then I added 
the struct iptc_handle as an additional argument to this 
function. When iptables-restore reaches the COMMIT line, 
instead of iptc_commit() the function do_output() is 
called. Well, this works pretty well, at first glance. 
But there are still many calls to the kernel loading the 
data structure iptc_handle, and this normalization should 
happen without touching the data structures of the kernel. 
It would be great if there were an API that provides 
this functionality, or even a program (called 
iptables-convert?).

So our questions are:
* Does a program exist that can parse calls to iptables 
and output something comparable to iptables-save?
* Is there another solution to our problem?
* Is something similar possible with nftables?

Many thanks in advance.

With kind regards,
Daniel Tiebler
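As an added example of the normalization described in this mail (not code from the original post or from the iptables project), here is a small Python normaliser for a restricted iptables subset: it folds long and short option spellings onto one form, expands a hostname in -s/-d into one rule per address through an injected resolver (a constructed dictionary stands in for DNS so the example runs offline), and emits lines in the order iptables-save prints them so they can be diffed against a live iptables-save dump. The supported option subset, the RESOLVER table and the drift() helper are assumptions made for the example.

```python
import ipaddress
import shlex

# Long spellings folded onto the short form that iptables-save prints (subset only).
ALIASES = {"--append": "-A", "--table": "-t", "--protocol": "-p",
           "--source": "-s", "--destination": "-d", "--in-interface": "-i",
           "--destination-port": "--dport", "--jump": "-j"}
SUPPORTED = {"-s", "-d", "-i", "-p", "--dport", "-j"}
# Constructed stand-in for DNS so the example runs offline (documentation addresses).
RESOLVER = {"bastion.example.net": ["192.0.2.10"],
            "ldap.example.net": ["198.51.100.6", "198.51.100.5"]}

def to_networks(spec, resolver=RESOLVER):
    """CIDR strings for an address spec; a name resolves to one /32 per address."""
    try:
        return [str(ipaddress.ip_network(spec, strict=False))]
    except ValueError:
        addrs = sorted(resolver[spec], key=ipaddress.ip_address)  # KeyError if unknown
        return [f"{a}/32" for a in addrs]

def normalize(cmdline, resolver=RESOLVER):
    """Convert one `iptables ...` line into (table, [iptables-save style rule lines])."""
    argv = shlex.split(cmdline)
    argv = argv[1:] if argv[:1] == ["iptables"] else argv
    if len(argv) % 2:
        raise ValueError("every option in this subset takes exactly one value")
    opts = {ALIASES.get(flag, flag): value for flag, value in zip(argv[::2], argv[1::2])}
    table, chain = opts.pop("-t", "filter"), opts.pop("-A")
    if set(opts) - SUPPORTED:
        raise ValueError(f"unsupported options: {sorted(set(opts) - SUPPORTED)}")
    sources = to_networks(opts["-s"], resolver) if "-s" in opts else [None]
    dests = to_networks(opts["-d"], resolver) if "-d" in opts else [None]
    tail = ["-i", opts["-i"]] if "-i" in opts else []
    if "-p" in opts:
        tail += ["-p", opts["-p"]]
        if "--dport" in opts:  # iptables-save inserts the explicit -m <proto> match
            tail += ["-m", opts["-p"], "--dport", opts["--dport"]]
    tail += ["-j", opts["-j"]]
    rules = []
    for src in sources:          # a multi-address name becomes several rules,
        for dst in dests:        # which is what iptables itself does on load
            addr = (["-s", src] if src else []) + (["-d", dst] if dst else [])
            rules.append(" ".join(["-A", chain] + addr + tail))
    return table, rules

def drift(config_lines, saved_lines):
    """(rules only in the running firewall, rules only in the configuration)."""
    return (sorted(set(saved_lines) - set(config_lines)),
            sorted(set(config_lines) - set(saved_lines)))
```

The first tuple returned by drift() is where an undocumented "hotfix" on the machine shows up; the second is a configured rule that never made it into the kernel.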


* Re: iptables-normalizet: argument normalization and DNS resolution?
  2014-04-09 12:10 iptables-normalizet: argument normalization and DNS resolution? Daniel Tiebler
@ 2014-04-09 14:00 ` Arturo Borrero Gonzalez
  2014-04-10 13:16   ` Daniel Tiebler
  0 siblings, 1 reply; 3+ messages in thread
From: Arturo Borrero Gonzalez @ 2014-04-09 14:00 UTC (permalink / raw)
  To: Daniel Tiebler; +Cc: Netfilter Users Mailing list

On 9 April 2014 14:10, Daniel Tiebler
<daniel.tiebler@tik.uni-stuttgart.de> wrote:
[...]
> * Is something similar possible with nftables?
>

In nftables, you can get a low-level (netlink) representation of all
nftables objects (tables, sets, chains, rules...) in userspace (using
libnftnl).

This representation is either XML or JSON, where DNS name resolution,
service name resolution and friends are translations to the internal
kernel data structures.

To know if two rules are the same, you could check if the set of
expressions is the same.

For these nftables rules:
 * nft add rule test test tcp dport 22 accept
 * nft add rule test test tcp dport ssh accept

The list of expressions in XML is exactly the same. The handle
attribute is unique for each rule.

<rule>
  <family>ip</family>
  <table>test</table>
  <chain>test</chain>
  <handle>3</handle>
  <flags>0</flags>
  <expr type="payload">
    <dreg>1</dreg>
    <offset>9</offset>
    <len>1</len>
    <base>network</base>
  </expr>
  <expr type="cmp">
    <sreg>1</sreg>
    <op>eq</op>
    <cmpdata>
      <data_reg type="value">
        <len>1</len>
        <data0>0x00000006</data0>
      </data_reg>
    </cmpdata>
  </expr>
  <expr type="payload">
    <dreg>1</dreg>
    <offset>2</offset>
    <len>2</len>
    <base>transport</base>
  </expr>
  <expr type="cmp">
    <sreg>1</sreg>
    <op>eq</op>
    <cmpdata>
      <data_reg type="value">
        <len>2</len>
        <data0>0x00001600</data0>
      </data_reg>
    </cmpdata>
  </expr>
</rule>

If you are using a recent nftables, you can run `nft export
{xml|json}' to get your current ruleset in XML or JSON format.
We plan to add `nft import {xml|json}' operation as well.

Tracking FQDN changes is another, different issue.
-- 
Arturo Borrero González
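An added example of the comparison suggested above (not code from the nftables project or from the mail): it parses exported <rule> documents with Python's xml.etree, ignores the handle and compares family, table, chain and the ordered expression list, so the two `dport 22` / `dport ssh` rules compare equal. The sample rules are constructed from the XML shown above; the port-80 variant with data0 0x00005000 is assumed by analogy with the port-22 value.

```python
import xml.etree.ElementTree as ET

def canonical(elem):
    """Flatten a subtree to a hashable tuple, keeping document order and attributes."""
    return tuple((e.tag, tuple(sorted(e.attrib.items())), (e.text or "").strip())
                 for e in elem.iter())

def rule_signature(xml_text):
    """Rule identity without its handle: (family, table, chain, expression list)."""
    root = ET.fromstring(xml_text)
    exprs = tuple(canonical(e) for e in root.findall("expr"))
    return (root.findtext("family"), root.findtext("table"),
            root.findtext("chain"), exprs)

def same_rule(xml_a, xml_b):
    """True when two exported rules differ at most in their handle."""
    return rule_signature(xml_a) == rule_signature(xml_b)

def ruleset_diff(export_a, export_b):
    """Signatures present in only one of two lists of exported <rule> documents."""
    sig_a = {rule_signature(r) for r in export_a}
    sig_b = {rule_signature(r) for r in export_b}
    return sig_a - sig_b, sig_b - sig_a

def sample_rule(handle, port_hex):
    """Constructed export modelled on the rule in the mail (ip proto tcp, dport match)."""
    return f"""<rule>
  <family>ip</family><table>test</table><chain>test</chain>
  <handle>{handle}</handle><flags>0</flags>
  <expr type="payload"><dreg>1</dreg><offset>9</offset><len>1</len><base>network</base></expr>
  <expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value">
    <len>1</len><data0>0x00000006</data0></data_reg></cmpdata></expr>
  <expr type="payload"><dreg>1</dreg><offset>2</offset><len>2</len><base>transport</base></expr>
  <expr type="cmp"><sreg>1</sreg><op>eq</op><cmpdata><data_reg type="value">
    <len>2</len><data0>{port_hex}</data0></data_reg></cmpdata></expr>
</rule>"""

# "tcp dport 22" loaded twice (handles 3 and 4) and a constructed "dport 80" variant.
DPORT_22_A = sample_rule(3, "0x00001600")
DPORT_22_B = sample_rule(4, "0x00001600")
DPORT_80 = sample_rule(5, "0x00005000")
```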


* Re: iptables-normalizet: argument normalization and DNS resolution?
  2014-04-09 14:00 ` Arturo Borrero Gonzalez
@ 2014-04-10 13:16   ` Daniel Tiebler
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Tiebler @ 2014-04-10 13:16 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: Netfilter Users Mailing list

Hello,

On Wed, 9 Apr 2014 16:00:56 +0200
  Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> 
wrote:
> On 9 April 2014 14:10, Daniel Tiebler
> <daniel.tiebler@tik.uni-stuttgart.de> wrote:
> [...]
>> * Is something similar possible with nftables?
> 
> In nftables, you can get a low-level (netlink) 
> representation of all nftables objects (tables,
> sets, chains, rules...) in userspace (using
> libnftnl).

Userspace is great.
Is it necessary to load the rules into the kernel 
beforehand?
It would be nice to operate completely in userspace, to be 
able to compare two sets of rules.



> This representation is either XML or JSON, where DNS 
> name resolution, service name resolution and friends
> are translations to the internal kernel data structures.

If all exported or generated data has the same format, 
that is okay.



> Tracking FQDN changes is another, different issue.

That's right.
The normalization has a higher priority for us.



At the moment we are using iptables, but if nftables is 
going to replace iptables, it would be nice if it had the 
requested features.



With kind regards,
Daniel Tiebler

