All of lore.kernel.org
 help / color / mirror / Atom feed
* Adding features to xt_recent and xt_cluster
@ 2011-06-08 14:57 Karl Heiss
  2011-06-08 20:08 ` Jan Engelhardt
  0 siblings, 1 reply; 4+ messages in thread
From: Karl Heiss @ 2011-06-08 14:57 UTC (permalink / raw)
  To: netfilter

I am looking into adding functionality to the xt_recent and xt_cluster
modules.  I would like to know if these changes would be something
that upstream would be interested in using.

For the xt_recent module, I will be updating the module to support
matching by destination IP, source-port and destination port.  Port
matching would be supported via the '--rsport' and '--rdport' flags,
and would default to the current behavior of matching IP only if
neither is specified.  Many might be wondering why I choose to include
matching by destination IP since it appears that xt_recent matches
destinations using --rdest.  However, xt_recent does not appear to
differentiate between source and destination addresses within it's
entry tables.  This means it never checks it's stored address against
skb->network_header->daddr during match.  See excerpt below from
net/netfilter/xt_recent.c:

static struct recent_entry *
recent_entry_lookup(const struct recent_table *table,
		    const union nf_inet_addr *addrp, u_int16_t family,
		    u_int8_t ttl)
{
	struct recent_entry *e;
	unsigned int h;

	if (family == NFPROTO_IPV4)
		h = recent_entry_hash4(addrp);
	else
		h = recent_entry_hash6(addrp);

	list_for_each_entry(e, &table->iphash[h], list)
		if (e->family == family &&
		    memcmp(&e->addr, addrp, sizeof(e->addr)) == 0 &&
		    (ttl == e->ttl || ttl == 0 || e->ttl == 0))
			return e;
	return NULL;
}


As for xt_cluster, I will be adding options for hashmode like those
offered by CLUSTERIP to allow matching based on sourceip,
sourceip-sourceport, or sourceip-sourceport-destport.  There is the
potential that I could add a fourth sourceip-destport option as well.

For both modules I am prepared to provide patches for both the kernel
and iptables userland after development is complete.   Any feedback is
greatly appreciated and please excuse any faux pas on my part as I am
new.

Karl Heiss

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Adding features to xt_recent and xt_cluster
  2011-06-08 14:57 Adding features to xt_recent and xt_cluster Karl Heiss
@ 2011-06-08 20:08 ` Jan Engelhardt
  2011-06-09 12:29   ` Karl Heiss
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2011-06-08 20:08 UTC (permalink / raw)
  To: Karl Heiss; +Cc: netfilter


On Wednesday 2011-06-08 16:57, Karl Heiss wrote:
>
>For the xt_recent module, I will be updating the module to support
>matching by destination IP, source-port and destination port. Port
>matching would be supported via the '--rsport' and '--rdport' flags,
>and would default to the current behavior of matching IP only if
>neither is specified.
>
>Many might be wondering why I choose to include matching by
>destination IP since it appears that xt_recent matches destinations
>using --rdest. However, xt_recent does not appear to differentiate
>between source and destination addresses within it's entry tables.

You could use two separate tables, which has the same effect as
storing entries with a unique key of <saddr-or-daddr-bit, addr>
in a single table, unless I missed something.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Adding features to xt_recent and xt_cluster
  2011-06-08 20:08 ` Jan Engelhardt
@ 2011-06-09 12:29   ` Karl Heiss
  2011-06-09 13:23     ` Jan Engelhardt
  0 siblings, 1 reply; 4+ messages in thread
From: Karl Heiss @ 2011-06-09 12:29 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

On Wed, Jun 8, 2011 at 4:08 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Wednesday 2011-06-08 16:57, Karl Heiss wrote:
>>
>>For the xt_recent module, I will be updating the module to support
>>matching by destination IP, source-port and destination port. Port
>>matching would be supported via the '--rsport' and '--rdport' flags,
>>and would default to the current behavior of matching IP only if
>>neither is specified.
>>
>>Many might be wondering why I choose to include matching by
>>destination IP since it appears that xt_recent matches destinations
>>using --rdest. However, xt_recent does not appear to differentiate
>>between source and destination addresses within it's entry tables.
>
> You could use two separate tables, which has the same effect as
> storing entries with a unique key of <saddr-or-daddr-bit, addr>
> in a single table, unless I missed something.
>

I assume you mean something like this:

iptables -A INPUT -p tcp --dport 23 -m recent --rcheck --seconds 30 -j DROP
iptables -A INPUT -p tcp --dport 23 -m recent --set -j DROP

The problem is, unless you have a deterministic (from the view of
iptables) rule to match when you '--set', you cannot accurately match
a recent entry.  For instance, the rules below would not allow you to
deterministically know which sourceip-sourceport combination would
match which recent table name (clust1 or clust2).


iptables -A FORWARD -m recent --name clust1 --update -j clust1-chain
iptables -A FORWARD -m recent --name clust2 --update -j clust2-chain

iptables -A clust1-chain -m recent --name clust1 --set -j CLUSTERIP
--new --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1
--hashmode sourceip-sourceport
iptables -A clust2-chain -m recent --name clust2 --set -j CLUSTERIP
--new --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 2
--hashmode sourceip-sourceport


In this case, I see no other way around this issue other than to store
the source port within the recent table.

PS.  After taking a second look at the code, I realized I stuck my
foot in my mouth about xt_recent not differentiating between saddr and
daddr.  It does indeed differentiate by choosing the correct address
from the incoming packet to match against the entry IPs.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Adding features to xt_recent and xt_cluster
  2011-06-09 12:29   ` Karl Heiss
@ 2011-06-09 13:23     ` Jan Engelhardt
  0 siblings, 0 replies; 4+ messages in thread
From: Jan Engelhardt @ 2011-06-09 13:23 UTC (permalink / raw)
  To: Karl Heiss; +Cc: netfilter


On Thursday 2011-06-09 14:29, Karl Heiss wrote:
>> You could use two separate tables, which has the same effect as
>> storing entries with a unique key of <saddr-or-daddr-bit, addr>
>> in a single table, unless I missed something.
>
>I assume you mean something like this:
>
>iptables -A INPUT -p tcp --dport 23 -m recent --rcheck --seconds 30 -j DROP
>iptables -A INPUT -p tcp --dport 23 -m recent --set -j DROP

I mean:

-A foo -p tcp [plus other conds] -m recent --name by-srcip --rsource --set
-A foo -p tcp [other conds] -m recent --name by-dstip --rdest --set
-A bar -p tcp -m recent --name by-srcip --rsource --rcheck
-A baz -p tcp -m recent --name by-dstip --rdest --rcheck

>PS.  After taking a second look at the code, I realized I stuck my
>foot in my mouth about xt_recent not differentiating between saddr and
>daddr.  It does indeed differentiate by choosing the correct address
>from the incoming packet to match against the entry IPs.


^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-06-09 13:23 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-06-08 14:57 Adding features to xt_recent and xt_cluster Karl Heiss
2011-06-08 20:08 ` Jan Engelhardt
2011-06-09 12:29   ` Karl Heiss
2011-06-09 13:23     ` Jan Engelhardt

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.