* Filter based on string (or other content)
From: K. de Jong @ 2020-09-12 13:41 UTC
  To: netfilter


I switched to nftables, but I miss one key feature. That is the ability
to filter packets based on a string. The goal is to filter all traffic
going to facebook.com or m.facebook.com for a set of days and time
ranges. The time ranges and days features are present in nftables, I've
spotted them. So I'll not focus on that. nftables-translate gave
errors.


This is what I had in my iptables script:


---

# Some variables, they are used in the rules below
facebook_filters=("www.facebook.com" "fbcdn.net" "m.facebook.com")
week_fb_timestart="03:00:00"
week_fb_timestop="20:00:00"
weekend_fb_timestart="03:00:00"
weekend_fb_timestop="17:00:00"


# Create a chain called facebook, which includes day and time
# specifications (-A only appends to a chain, so it has to exist first)
iptables -N facebook
iptables -A facebook -p tcp -m multiport --dports 80,443 \
  -m conntrack --ctstate NEW,RELATED,ESTABLISHED \
  -m comment --comment "Reject Facebook during the week" \
  -m time --timestart "$week_fb_timestart" --timestop "$week_fb_timestop" \
  --weekdays Mon,Tue,Wed,Thu,Fri \
  -j REJECT --reject-with icmp-port-unreachable


# A rule that applies the string filter, created by a loop through the
# facebook_filters array ($vpn_ipv4_sub is set elsewhere in the script)
for filter in "${facebook_filters[@]}"; do
  iptables -A FORWARD -i tun+ -s "$vpn_ipv4_sub" \
    -m string --string "$filter" --algo bm -j facebook
done


---

I can't seem to find an equal feature in nftables that can perform the
same as I do here in iptables. A filter based on IPs is not reliable,
so adding the IPs of facebook.com might work for a while, until those
IPs change.

Does anyone know a solution to do this with nftables?


* Re: Filter based on string (or other content)
From: Duncan Roe @ 2020-09-13  0:45 UTC
  To: netfilter

On Sat, Sep 12, 2020 at 03:41:00PM +0200, K. de Jong wrote:
> I switched to nftables, but I miss one key feature. That is the ability
> to filter packets based on a string.  ...
> Does anyone know a solution to do this with nftables?


I think I have done something like what you're after using 'queue' target and
writing a netfilter-queue program. See https://github.com/duncan-roe/nfq

Cheers ... Duncan.


* Re: Filter based on string (or other content)
From: G.W. Haywood @ 2020-09-13  8:49 UTC
  To: netfilter

Hi there,

On Sun, 13 Sep 2020, Duncan Roe wrote:

> On Sat, Sep 12, 2020 at 03:41:00PM +0200, K. de Jong wrote:
>> I switched to nftables, but I miss one key feature. That is the ability
>> to filter packets based on a string.  ...
>> Does anyone know a solution to do this with nftables?
>
> I think I have done something like what you're after using 'queue' target and
> writing a netfilter-queue program. See https://github.com/duncan-roe/nfq

Looks like good work.

Shouldn't the TLDs be taken from the special use domains?

https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml

-- 

73,
Ged.


* Re: Filter based on string (or other content)
From: K. de Jong @ 2020-09-13 10:59 UTC
  To: netfilter


On Sat, 2020-09-12 at 17:45 +0200, david@hajes.org wrote:
> sounds like Layer-7 filtering.
>
> There is something similar to what you seek
> <https://serverfault.com/questions/998962/nftables-support-string-matching-support>
>

That indeed looks like what I'm trying to do. I fiddled around with it,
but it's very different from the iptables method of simply providing a
filter for a string: iptables will parse headers for it and block
anything that matches.

I tried it with nftables, by putting this in there for the output chain
on my laptop:

chain output {
  type filter hook output priority 0; policy accept;
  ct state invalid drop
  meta l4proto tcp @th,160,128 0x0970726f787970697065036e657400 counter drop comment "block queries for proxypipe.net"
  oifname "lo" accept
  ip6 daddr $ipv4_rfc3964 log prefix "6TO4_REJECT: " counter reject with icmpv6 type addr-unreachable comment "Reject 6to4 (RFC3964)"
}

But it doesn't block anything in Chrome when I visit proxypipe.net. And
I'm just guessing at this point because these nftables options are way
more complex than iptables. The example from Server Fault is about
blocking DNS UDP requests to that website. But what I want to do is
block web requests. Which worked fine for Facebook with iptables. And
was easy to set up.

Could someone guide me towards the right direction? Simply blocking DNS
requests won't cut it, since I want to deny the website on specific
days and time ranges. If facebook.com is still in the DNS cache, it
will load the website. I have my own (unbound) recursive resolver, so
blocking Facebook entirely is no issue in terms of a DNS block. But the
thing is, I sometimes would like to allow Facebook on a firewall level.
That way I can enforce it for my phone via VPN as well. There are apps
for this as well. And Android has something built in to limit website
visit time with Digital Wellbeing. But I prefer to have this central
solution.

Any suggestions or more specific examples for this use case?

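As an added example (not from the thread or the nftables project), the Python below shows where the hex constant in that chain comes from: it is "proxypipe.net" in DNS wire form (length-prefixed labels), and @th,160 is the 8-byte UDP header plus the 12-byte DNS header, i.e. the start of the QNAME of a query. It builds the same match for any name, with the bit length taken from the constant (the constant above is 15 bytes, so 120 bits rather than 128), and optionally appends nft's meta day / meta hour time match; it assumes plain UDP DNS on port 53 and a kernel and nft new enough for meta day/hour.

```python
# Added example: encode a name the way DNS carries it on the wire, and
# build / decode the nftables raw-payload QNAME match shown in the thread.
UDP_HDR = 8    # bytes of UDP header
DNS_HDR = 12   # bytes of DNS header; the question section (QNAME) follows


def dns_wire_name(name: str) -> bytes:
    """'proxypipe.net' -> b'\\x09proxypipe\\x03net\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:          # RFC 1035 label limits
            raise ValueError(f"bad DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"                     # root label terminates the name


def decode_wire_name(hexconst: str) -> str:
    """Inverse: turn an nft constant such as 0x0970726f...00 back into a name."""
    data = bytes.fromhex(hexconst[2:] if hexconst.startswith("0x") else hexconst)
    labels, i = [], 0
    while data[i]:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def nft_dns_qname_match(name: str) -> str:
    """Raw payload expression: offset 160 bits = UDP header + DNS header,
    length = size of the encoded name, so the two always agree."""
    wire = dns_wire_name(name)
    return f"@th,{(UDP_HDR + DNS_HDR) * 8},{len(wire) * 8} 0x{wire.hex()}"


def nft_block_dns_rule(name: str, days=(), hours=None) -> str:
    """Whole nft rule; days are nft weekday names, hours a ("hh:mm", "hh:mm") pair."""
    parts = ["udp dport 53", nft_dns_qname_match(name)]
    if days:
        parts.append("meta day { " + ", ".join(f'"{d}"' for d in days) + " }")
    if hours:
        parts.append(f'meta hour "{hours[0]}"-"{hours[1]}"')
    return " ".join(parts) + f' counter drop comment "block DNS queries for {name}"'


if __name__ == "__main__":
    print(decode_wire_name("0x0970726f787970697065036e657400"))   # proxypipe.net
    print(nft_block_dns_rule("m.facebook.com",
                             ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday"),
                             ("03:00", "20:00")))
```

Because the match is anchored at the start of the QNAME, each exact name needs its own rule (www.facebook.com does not match a rule built for facebook.com), and nothing here applies to HTTP or TLS, where the host name sits at no fixed offset; that is why the meta l4proto tcp variant in the chain above cannot catch web traffic.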

* Re: Filter based on string (or other content)
From: Duncan Roe @ 2020-09-14  4:17 UTC
  To: netfilter

Hi Ged,

On Sun, Sep 13, 2020 at 09:49:44AM +0100, G.W. Haywood wrote:
> Hi there,
>
> On Sun, 13 Sep 2020, Duncan Roe wrote:
>
> > On Sat, Sep 12, 2020 at 03:41:00PM +0200, K. de Jong wrote:
> > > I switched to nftables, but I miss one key feature. That is the ability
> > > to filter packets based on a string.  ...
> > > Does anyone know a solution to do this with nftables?
> >
> > I think I have done something like what you're after using 'queue' target and
> > writing a netfilter-queue program. See https://github.com/duncan-roe/nfq
>
> Looks like good work.
>
> Shouldn't the TLDs be taken from the special use domains?
>
> https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
>
> --
>
> 73,
> Ged.

Thank you for that URL! I didn't know about those reserved names before.

Seems to work really well: 'dig' Query time for sys8.admin.invalid was 1msec
while sys8.admin.inval was 200.

Normally queries for these names shouldn't happen and shouldn't make it to the
Internet if they do, but it would be neat to use them anyway so I'll put it on
my todo list.

Cheers ... Duncan.
