Re: [PATCH v4] add stealth mode

2015-09-23 Thread Eric Dumazet
On Wed, 2015-09-23 at 18:36 +0200, Matteo Croce wrote:
> 2015-09-16 13:06 GMT+02:00 Florian Westphal :
> >
> > Matteo Croce  wrote:
> > > Add option to disable any reply not related to a listening socket,
> > > like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > > Also disables ICMP replies to echo request and timestamp.
> > > The stealth mode can be enabled selectively for a single interface.
> >
> > I think it would make more sense to extend the socket match
> > in xtables if it can't be used to achieve this already.
> >
> > seems like
> > *filter
> > :INPUT ACCEPT [0:0]
> > -A INPUT -p tcp -m socket --nowildcard -j ACCEPT
> > -A INPUT -p tcp -j DROP
> > COMMIT
> >
> > Already does what you want for tcp, udp should work too.
> > I'd much rather see xtables and/or nftables to be extended
> > with whatever feature(s) are needed to configure such a policy
> > rather than pushing this into the core network stack.
> 
> The point is to do the filtering without *tables at all,
> like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings

Yes, but this adds code in many places, even for people not caring about
such protection.

The point is: people wanting firewall-like protections should instead
use the netfilter framework.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v4] add stealth mode

2015-09-23 Thread Matteo Croce
2015-09-16 13:06 GMT+02:00 Florian Westphal :
>
> Matteo Croce  wrote:
> > Add option to disable any reply not related to a listening socket,
> > like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > Also disables ICMP replies to echo request and timestamp.
> > The stealth mode can be enabled selectively for a single interface.
>
> I think it would make more sense to extend the socket match
> in xtables if it can't be used to achieve this already.
>
> seems like
> *filter
> :INPUT ACCEPT [0:0]
> -A INPUT -p tcp -m socket --nowildcard -j ACCEPT
> -A INPUT -p tcp -j DROP
> COMMIT
>
> Already does what you want for tcp, udp should work too.
> I'd much rather see xtables and/or nftables to be extended
> with whatever feature(s) are needed to configure such a policy
> rather than pushing this into the core network stack.

The point is to do the filtering without *tables at all,
like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings

-- 
Matteo Croce
OpenWrt Developer


Re: [PATCH v4] add stealth mode

2015-09-23 Thread David Miller
From: Matteo Croce 
Date: Wed, 23 Sep 2015 18:36:12 +0200

> The point is to do the filtering without *tables at all,
> like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings

That's not a good argument, sorry.


Re: [PATCH v4] add stealth mode

2015-09-23 Thread David Miller
From: Matteo Croce 
Date: Wed, 23 Sep 2015 18:32:12 +0200

> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.
> 
> Signed-off-by: Matteo Croce 

I don't want to see any more submissions of this feature patch, sorry.

I am convinced, based upon others' arguments, that netfilter can
provide this facility wholly.

So until you can convince us otherwise, your patch is inappropriate.

Thanks.


Re: [PATCH v4] add stealth mode

2015-09-23 Thread David Miller
From: Eric Dumazet 
Date: Wed, 23 Sep 2015 10:29:52 -0700

> Yes, but this adds code in many places, even for people not caring about
> such protection.
> 
> The point is: people wanting firewall-like protections should instead
> use the netfilter framework.

+1


Re: [PATCH v4] add stealth mode

2015-09-16 Thread Florian Westphal
Matteo Croce  wrote:
> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.

I think it would make more sense to extend the socket match
in xtables if it can't be used to achieve this already.

seems like
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m socket --nowildcard -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT

Already does what you want for tcp, udp should work too.
I'd much rather see xtables and/or nftables to be extended
with whatever feature(s) are needed to configure such a policy
rather than pushing this into the core network stack.
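The ruleset above is the whole of the suggested approach. As an added example (not from the thread, and not netfilter's own code), here is a small Python audit that parses an iptables-save style `*filter` table and checks that the INPUT chain implements this pattern for both tcp and udp, the extension Florian says should work too, and that the socket-match ACCEPT comes before the catch-all DROP, since iptables evaluates rules in order. The sample rulesets are constructed, and "catch-all DROP" is this example's own definition: a DROP rule for the protocol that carries no other match.

```python
"""Audit an iptables-save style ruleset for the "only reply to packets that
hit a local socket" pattern: in INPUT, accept packets matching a local
socket (-m socket --nowildcard), then drop the rest of that protocol."""

import shlex

# Constructed sample: the tcp rules from the thread, extended to udp.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m socket --nowildcard -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -m socket --nowildcard -j ACCEPT
-A INPUT -p udp -j DROP
COMMIT
"""

# Constructed sample with the tcp rules in the wrong order: the DROP is hit
# first, so the socket-match ACCEPT below it never sees a packet.
WRONG_ORDER = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -j DROP
-A INPUT -p tcp -m socket --nowildcard -j ACCEPT
COMMIT
"""

# Options a rule may carry and still count as a catch-all for its protocol.
_CATCH_ALL_OPTS = {"-A", "-p", "--protocol", "-j", "--jump"}


def parse_rules(text, chain="INPUT", table="filter"):
    """Return the rules appended to `chain` in `table`, each as an argv list,
    in the order iptables would evaluate them."""
    rules = []
    current_table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*filter" opens a table
            current_table = line[1:]
            continue
        if line == "COMMIT":              # closes the current table
            current_table = None
            continue
        if current_table != table or not line.startswith("-A "):
            continue                      # chain declarations, other tables
        argv = shlex.split(line)
        if argv[1] == chain:
            rules.append(argv)
    return rules


def _opt_value(argv, *names):
    """Value following the first of `names` found in argv, else None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def _is_socket_accept(argv):
    """True for `-m socket --nowildcard ... -j ACCEPT`."""
    return (_opt_value(argv, "-m", "--match") == "socket"
            and "--nowildcard" in argv
            and _opt_value(argv, "-j", "--jump") == "ACCEPT")


def _is_catch_all_drop(argv):
    """True for a DROP rule whose only selector is the protocol."""
    opts = {tok for tok in argv if tok.startswith("-")}
    return opts <= _CATCH_ALL_OPTS and _opt_value(argv, "-j", "--jump") == "DROP"


def audit(text, protocols=("tcp", "udp")):
    """Map each protocol to True when INPUT holds a socket-match ACCEPT for it
    followed (later in the chain) by a catch-all DROP for it."""
    rules = parse_rules(text)
    report = {}
    for proto in protocols:
        accept_idx = drop_idx = None
        for idx, argv in enumerate(rules):
            if _opt_value(argv, "-p", "--protocol") != proto:
                continue
            if accept_idx is None and _is_socket_accept(argv):
                accept_idx = idx
            elif drop_idx is None and _is_catch_all_drop(argv):
                drop_idx = idx
        report[proto] = (accept_idx is not None and drop_idx is not None
                         and accept_idx < drop_idx)
    return report


if __name__ == "__main__":
    for name, ruleset in (("sample", SAMPLE_RULESET), ("wrong order", WRONG_ORDER)):
        print(name, audit(ruleset))
```

Feed it the output of `iptables-save` to check a live host; a protocol reported False means either the pair of rules is missing or the DROP is ordered before the ACCEPT, which silently breaks the listening sockets the pattern was meant to keep reachable.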


Re: [PATCH v4] add stealth mode

2015-09-16 Thread Eric Dumazet
On Wed, 2015-09-16 at 11:54 +0200, Matteo Croce wrote:
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 93898e0..fe62ae0 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -77,6 +77,7 @@
>  #include 
>  
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> @@ -1652,7 +1653,7 @@ csum_error:
>   TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
>  bad_packet:
>   TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
> - } else {
> + } else if (!IN_DEV_STEALTH(skb->dev->ip_ptr)) {
>   tcp_v4_send_reset(NULL, skb);
>   }
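Review bot: in the `else if (!IN_DEV_STEALTH(skb->dev->ip_ptr))` line, `skb->dev->ip_ptr` is an RCU-protected pointer dereferenced without its accessor, and it can be NULL for a device that has no IPv4 configuration, so the macro would then read through a NULL pointer. The receive path already runs under the RCU read lock, so fetch it with `struct in_device *in_dev = __in_dev_get_rcu(skb->dev);` and treat a missing in_device as not stealth, e.g. `} else if (!in_dev || !IN_DEV_STEALTH(in_dev)) {`, which keeps today's behaviour (sending the reset) in that case.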


It is illegal to deref skb->dev->ip_ptr without proper accessor /
annotations.

Check 

struct in_device *in_dev = __in_dev_get_rcu(skb->dev); 

(Same remarks in other places of your patch)





Re: [PATCH v4] add stealth mode

2015-09-16 Thread Daniel Borkmann

On 09/16/2015 11:54 AM, Matteo Croce wrote:

Add option to disable any reply not related to a listening socket,
like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
Also disables ICMP replies to echo request and timestamp.
The stealth mode can be enabled selectively for a single interface.

Signed-off-by: Matteo Croce 
---
rebased on 4.3-rc1

  Documentation/networking/ip-sysctl.txt | 14 ++
  include/linux/inetdevice.h |  1 +
  include/linux/ipv6.h   |  1 +
  include/uapi/linux/ip.h|  1 +
  net/ipv4/devinet.c |  1 +
  net/ipv4/icmp.c|  6 ++
  net/ipv4/ip_input.c|  5 +++--
  net/ipv4/tcp_ipv4.c|  3 ++-
  net/ipv4/udp.c |  4 +++-
  net/ipv6/addrconf.c|  7 +++
  net/ipv6/icmp.c|  3 ++-
  net/ipv6/ip6_input.c   |  5 +++--
  net/ipv6/tcp_ipv6.c|  2 +-
  net/ipv6/udp.c |  3 ++-
  14 files changed, 47 insertions(+), 9 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt 
b/Documentation/networking/ip-sysctl.txt
index ebe94f2..1d46adc 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1206,6 +1206,13 @@ igmp_link_local_mcast_reports - BOOLEAN
224.0.0.X range.
Default TRUE

+stealth - BOOLEAN
+   Disable any reply not related to a listening socket,
+   like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
+   Also disables ICMP replies to echo requests and timestamp
+   and ICMP errors for unknown protocols.
+   Default value is 0.
+
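Review bot: the new `stealth - BOOLEAN` entry promises to disable "any reply not related to a listening socket", but the diffstat touches only the TCP, UDP, ICMP and IP input paths, so the entry should name the protocols it actually covers rather than imply all of them; it also lists "ICMP errors for unknown protocols", which the commit message does not mention, and it does not say the knob is per-interface as the commit message states. Minor: the neighbouring entries write `Default TRUE`/`Default FALSE`, so `Default value is 0` should follow that style.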


Hmm, what about all other protocols besides TCP/UDP such as SCTP, DCCP,
etc? It seems it gives false expectations in such cases when the user
enables being "stealth", but finds out it has no effect at all there ...
nmap f.e. has a couple of scanning options for SCTP, and at least SCTP
is still relevant in telco space.

I know this question has been asked before, but the only answer on this
was so far: "well, I've never played with SCTP before" ... :/


Re: [PATCH v4] add stealth mode

2015-09-16 Thread Daniel Borkmann

On 09/16/2015 12:45 PM, Matteo Croce wrote:

2015-09-16 12:26 GMT+02:00 Daniel Borkmann :

On 09/16/2015 11:54 AM, Matteo Croce wrote:


Add option to disable any reply not related to a listening socket,
like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
Also disables ICMP replies to echo request and timestamp.
The stealth mode can be enabled selectively for a single interface.

Signed-off-by: Matteo Croce 
---
rebased on 4.3-rc1

   Documentation/networking/ip-sysctl.txt | 14 ++
   include/linux/inetdevice.h |  1 +
   include/linux/ipv6.h   |  1 +
   include/uapi/linux/ip.h|  1 +
   net/ipv4/devinet.c |  1 +
   net/ipv4/icmp.c|  6 ++
   net/ipv4/ip_input.c|  5 +++--
   net/ipv4/tcp_ipv4.c|  3 ++-
   net/ipv4/udp.c |  4 +++-
   net/ipv6/addrconf.c|  7 +++
   net/ipv6/icmp.c|  3 ++-
   net/ipv6/ip6_input.c   |  5 +++--
   net/ipv6/tcp_ipv6.c|  2 +-
   net/ipv6/udp.c |  3 ++-
   14 files changed, 47 insertions(+), 9 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt
b/Documentation/networking/ip-sysctl.txt
index ebe94f2..1d46adc 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1206,6 +1206,13 @@ igmp_link_local_mcast_reports - BOOLEAN
 224.0.0.X range.
 Default TRUE

+stealth - BOOLEAN
+   Disable any reply not related to a listening socket,
+   like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
+   Also disables ICMP replies to echo requests and timestamp
+   and ICMP errors for unknown protocols.
+   Default value is 0.
+


Hmm, what about all other protocols besides TCP/UDP such as SCTP, DCCP,
etc? It seems it gives false expectations in such cases when the user
enables being "stealth", but finds out it has no effect at all there ...
nmap f.e. has a couple of scanning options for SCTP, and at least SCTP
is still relevant in telco space.

I know this question has been asked before, but the only answer on this
was so far: "well, I've never played with SCTP before" ... :/


Right, I was thinking to add them in a later version


I feel there would be many follow-ups. :/ Architecturally, on the bigger
picture, nft and its connection tracker would be the much better place for
such policies, and it also provides matches for various protocols already.

What has been tried to address this more generically, f.e. inside the netfilter
subsystem, and why is it absolutely not possible to extend this functionality
over there?

Sorry if my question is stubborn, but from reading over the old threads
it still is not fully clear to me.

Thanks again,
Daniel