Re: [PATCH v4] add stealth mode
On Wed, 2015-09-23 at 18:36 +0200, Matteo Croce wrote:
> 2015-09-16 13:06 GMT+02:00 Florian Westphal:
> > Matteo Croce wrote:
> > > Add option to disable any reply not related to a listening socket,
> > > like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > > Also disables ICMP replies to echo request and timestamp.
> > > The stealth mode can be enabled selectively for a single interface.
> >
> > I think it would make more sense to extend the socket match
> > in xtables if it can't be used to achieve this already.
> >
> > seems like
> > *filter
> > :INPUT ACCEPT [0:0]
> > -A INPUT -p tcp -m socket --nowildcard -j ACCEPT
> > -A INPUT -p tcp -j DROP
> > COMMIT
> >
> > Already does what you want for tcp, udp should work too.
> > I'd much rather see xtables and/or nftables to be extended
> > with whatever feature(s) are needed to configure such a policy
> > rather than pushing this into the core network stack.
>
> The point is to do the filtering without *tables at all,
> like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings

Yes, but this adds code in many places, even for people not caring about
such protection.

The point is: people wanting firewall-like protections should instead
use the netfilter framework.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4] add stealth mode
2015-09-16 13:06 GMT+02:00 Florian Westphal:
> Matteo Croce wrote:
> > Add option to disable any reply not related to a listening socket,
> > like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > Also disables ICMP replies to echo request and timestamp.
> > The stealth mode can be enabled selectively for a single interface.
>
> I think it would make more sense to extend the socket match
> in xtables if it can't be used to achieve this already.
>
> seems like
> *filter
> :INPUT ACCEPT [0:0]
> -A INPUT -p tcp -m socket --nowildcard -j ACCEPT
> -A INPUT -p tcp -j DROP
> COMMIT
>
> Already does what you want for tcp, udp should work too.
> I'd much rather see xtables and/or nftables to be extended
> with whatever feature(s) are needed to configure such a policy
> rather than pushing this into the core network stack.

The point is to do the filtering without *tables at all,
like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings

--
Matteo Croce
OpenWrt Developer
Re: [PATCH v4] add stealth mode
From: Matteo Croce
Date: Wed, 23 Sep 2015 18:36:12 +0200

> The point is to do the filtering without *tables at all,
> like /proc/sys/net/ipv4/icmp_echo_ignore_all does for pings

That's not a good argument, sorry.
Re: [PATCH v4] add stealth mode
From: Matteo Croce
Date: Wed, 23 Sep 2015 18:32:12 +0200

> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.
>
> Signed-off-by: Matteo Croce

I don't want to see any more submissions of this feature patch, sorry.

I am convinced, based upon others' arguments, that netfilter can provide
this facility wholly.

So until you can convince us otherwise, your patch is inappropriate.

Thanks.
Re: [PATCH v4] add stealth mode
From: Eric Dumazet
Date: Wed, 23 Sep 2015 10:29:52 -0700

> Yes, but this adds code in many places, even for people not caring about
> such protection.
>
> The point is: people wanting firewall-like protections should instead
> use the netfilter framework.

+1
Re: [PATCH v4] add stealth mode
Matteo Croce wrote:
> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.

I think it would make more sense to extend the socket match
in xtables if it can't be used to achieve this already.

seems like
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m socket --nowildcard -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT

Already does what you want for tcp, udp should work too.
I'd much rather see xtables and/or nftables to be extended
with whatever feature(s) are needed to configure such a policy
rather than pushing this into the core network stack.
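Florian's two TCP rules, carried through to the rest of what the proposed sysctl describes (UDP without ICMP port-unreachable, ICMP echo and timestamp requests ignored), as an added iptables-restore ruleset. This is an added example, not part of the thread or of the kernel patch; the loopback and conntrack rules are my own additions so that existing flows and local traffic are untouched.

```text
*filter
:INPUT ACCEPT [0:0]
# Local traffic and packets belonging to flows we initiated are never touched.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# TCP: deliver only when a local socket (including INADDR_ANY listeners,
# hence --nowildcard) matches; everything else is dropped, so no RST is sent.
-A INPUT -p tcp -m socket --nowildcard -j ACCEPT
-A INPUT -p tcp -j DROP

# UDP: same idea; dropping instead of rejecting means no ICMP port-unreachable.
-A INPUT -p udp -m socket --nowildcard -j ACCEPT
-A INPUT -p udp -j DROP

# ICMP echo and timestamp requests are dropped, as icmp_echo_ignore_all
# would do for echo alone. Add "-i <ifname>" to each rule to limit the
# policy to one interface, which is what the per-interface sysctl offered.
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
COMMIT
```

The socket match only looks up TCP and UDP sockets, so this ruleset shares the gap Daniel raises for SCTP and DCCP: those transports need protocol-specific rules of their own (and ip6tables needs the same rules with icmpv6 for IPv6).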
Re: [PATCH v4] add stealth mode
On Wed, 2015-09-16 at 11:54 +0200, Matteo Croce wrote:
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 93898e0..fe62ae0 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -77,6 +77,7 @@
>  #include
>
>  #include
> +#include
>  #include
>  #include
>  #include
> @@ -1652,7 +1653,7 @@ csum_error:
>  		TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
>  bad_packet:
>  		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
> -	} else {
> +	} else if (!IN_DEV_STEALTH(skb->dev->ip_ptr)) {
>  		tcp_v4_send_reset(NULL, skb);
>  	}

It is illegal to deref skb->dev->ip_ptr without proper accessor /
annotations.

Check

struct in_device *in_dev = __in_dev_get_rcu(skb->dev);

(Same remarks in other places of your patch)
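Review bot: in the @@ -1652 hunk, the new `} else if (!IN_DEV_STEALTH(skb->dev->ip_ptr)) {` also has to cope with the accessor returning NULL: `__in_dev_get_rcu(skb->dev)` can yield no in_device while a device is being torn down, so the condition should fall back to the existing reset behaviour in that case, e.g. `struct in_device *in_dev = __in_dev_get_rcu(skb->dev);` followed by `} else if (!in_dev || !IN_DEV_STEALTH(in_dev)) {`, rather than dereferencing ip_ptr unconditionally.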
Re: [PATCH v4] add stealth mode
On 09/16/2015 11:54 AM, Matteo Croce wrote:
> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.
>
> Signed-off-by: Matteo Croce
> ---
> rebased on 4.3-rc1
>
>  Documentation/networking/ip-sysctl.txt | 14 ++
>  include/linux/inetdevice.h             |  1 +
>  include/linux/ipv6.h                   |  1 +
>  include/uapi/linux/ip.h                |  1 +
>  net/ipv4/devinet.c                     |  1 +
>  net/ipv4/icmp.c                        |  6 ++
>  net/ipv4/ip_input.c                    |  5 +++--
>  net/ipv4/tcp_ipv4.c                    |  3 ++-
>  net/ipv4/udp.c                         |  4 +++-
>  net/ipv6/addrconf.c                    |  7 +++
>  net/ipv6/icmp.c                        |  3 ++-
>  net/ipv6/ip6_input.c                   |  5 +++--
>  net/ipv6/tcp_ipv6.c                    |  2 +-
>  net/ipv6/udp.c                         |  3 ++-
>  14 files changed, 47 insertions(+), 9 deletions(-)
>
> diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
> index ebe94f2..1d46adc 100644
> --- a/Documentation/networking/ip-sysctl.txt
> +++ b/Documentation/networking/ip-sysctl.txt
> @@ -1206,6 +1206,13 @@ igmp_link_local_mcast_reports - BOOLEAN
>  	224.0.0.X range.
>  	Default TRUE
>
> +stealth - BOOLEAN
> +	Disable any reply not related to a listening socket,
> +	like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> +	Also disables ICMP replies to echo requests and timestamp
> +	and ICMP errors for unknown protocols.
> +	Default value is 0.
> +

Hmm, what about all other protocols besides TCP/UDP such as SCTP, DCCP, etc?

It seems it gives false expectations in such cases when the user enables
being "stealth", but finds out it has no effect at all there ... nmap f.e.
has a couple of scanning options for SCTP, and at least SCTP is still
relevant in telco space.

I know this question has been asked before, but the only answer on this
was so far: "well, I've never played with SCTP before" ... :/
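Review bot: the ip-sysctl.txt hunk documents the knob as disabling "any reply not related to a listening socket", but the diffstat above it touches only icmp.c, ip_input.c, tcp_ipv4.c and udp.c and their IPv6 counterparts, so replies for other transports (SCTP, DCCP, ...) are unchanged; the text should name exactly what is covered (TCP RST, UDP port-unreachable, ICMP echo/timestamp replies, ICMP errors for unknown protocols) instead of "any reply". Also, the neighbouring igmp_link_local_mcast_reports entry closes with "Default TRUE"; the new BOOLEAN entry should use the same form ("Default FALSE") rather than "Default value is 0."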
Re: [PATCH v4] add stealth mode
On 09/16/2015 12:45 PM, Matteo Croce wrote:
> 2015-09-16 12:26 GMT+02:00 Daniel Borkmann:
> > On 09/16/2015 11:54 AM, Matteo Croce wrote:
> > > Add option to disable any reply not related to a listening socket,
> > > like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > > Also disables ICMP replies to echo request and timestamp.
> > > The stealth mode can be enabled selectively for a single interface.
> > >
> > > Signed-off-by: Matteo Croce
> > > ---
> > > rebased on 4.3-rc1
> > >
> > >  Documentation/networking/ip-sysctl.txt | 14 ++
> > >  include/linux/inetdevice.h             |  1 +
> > >  include/linux/ipv6.h                   |  1 +
> > >  include/uapi/linux/ip.h                |  1 +
> > >  net/ipv4/devinet.c                     |  1 +
> > >  net/ipv4/icmp.c                        |  6 ++
> > >  net/ipv4/ip_input.c                    |  5 +++--
> > >  net/ipv4/tcp_ipv4.c                    |  3 ++-
> > >  net/ipv4/udp.c                         |  4 +++-
> > >  net/ipv6/addrconf.c                    |  7 +++
> > >  net/ipv6/icmp.c                        |  3 ++-
> > >  net/ipv6/ip6_input.c                   |  5 +++--
> > >  net/ipv6/tcp_ipv6.c                    |  2 +-
> > >  net/ipv6/udp.c                         |  3 ++-
> > >  14 files changed, 47 insertions(+), 9 deletions(-)
> > >
> > > diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
> > > index ebe94f2..1d46adc 100644
> > > --- a/Documentation/networking/ip-sysctl.txt
> > > +++ b/Documentation/networking/ip-sysctl.txt
> > > @@ -1206,6 +1206,13 @@ igmp_link_local_mcast_reports - BOOLEAN
> > >  	224.0.0.X range.
> > >  	Default TRUE
> > >
> > > +stealth - BOOLEAN
> > > +	Disable any reply not related to a listening socket,
> > > +	like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> > > +	Also disables ICMP replies to echo requests and timestamp
> > > +	and ICMP errors for unknown protocols.
> > > +	Default value is 0.
> > > +
> >
> > Hmm, what about all other protocols besides TCP/UDP such as SCTP, DCCP, etc?
> >
> > It seems it gives false expectations in such cases when the user enables
> > being "stealth", but finds out it has no effect at all there ... nmap f.e.
> > has a couple of scanning options for SCTP, and at least SCTP is still
> > relevant in telco space.
> >
> > I know this question has been asked before, but the only answer on this
> > was so far: "well, I've never played with SCTP before" ... :/
>
> Right, I was thinking to add them in a later version

I feel there would be many follow-ups. :/

Architecturally on the bigger picture, nft and its connection tracker would
be the much better place for such policies, and it also provides matches for
various protocols already.

What has been tried to address this more generically f.e. inside netfilter
subsystem, and why is it absolutely not possible to extend this functionality
over there? Sorry if my question is stubborn, but from reading over the old
threads it still is not fully clear to me.

Thanks again,
Daniel