* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-27 10:36 Geliang Tang
From: Geliang Tang @ 2020-09-27 10:36 UTC (permalink / raw)
To: mptcp
Hi Matt, Paolo,
Matthieu Baerts <matthieu.baerts(a)tessares.net> wrote on Sat, 26 Sep 2020 at 4:45 AM:
>
> Hi Geliang, Paolo,
>
> On 25/09/2020 10:55, Paolo Abeni wrote:
> > On Fri, 2020-09-25 at 13:25 +0800, Geliang Tang wrote:
> >> Paolo Abeni <pabeni(a)redhat.com> wrote on Wed, 23 Sep 2020 at 6:26 PM:
> >>> On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
> >>>> This patch added a new sysctl, named add_addr_echo, to control the
> >>>> ADD_ADDR echo ability.
> >>>>
> >>>> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
> >>>
> >>> If I read the series correctly, this sysctl is only needed for
> >>> self-test's sake, right? Can you instead drop the add_addr packet with
> >>> some netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and
> >>> the appropriate packet len should be sufficient.
> >>
> >> I still have not found the rules that can drop ADD_ADDR packets. But
> >> I found something useful like this:
> >>
> >> # iptables -A OUTPUT -p tcp --tcp-option 30 -m length --length 0:100 -j DROP
> >>
> >> "tcp-option 30" can match MPTCP packets, and "length" can match the IP
> >> packet's total length. But they are not sufficient.
> >
> > You can use u32 to check that the sub-option type is 3 (== ADD_ADDR),
> > with something alike:
> >
> > iptables -A OUTPUT -p tcp --tcp-option 30 -m length 80 -m u32 "37&0xFF==0x1 && 38&0xFF==0x1 && 39&0xFF==0x8 && 49&0xFF==0x1e && 51&0xFF==0x3" -j DROP
>
> Another technique is to use a libpcap filter and then convert it to a cBPF
> filter. That's very similar to Paolo's technique using offsets but maybe
> easier to validate:
>
> - first, find the libpcap filter:
>   - Manual: https://www.tcpdump.org/manpages/pcap-filter.7.html
>   - You can use offsets from the TCP layer: tcp[<offset>] & <mask> == <value>
>   - e.g. check MPTCP is used at the offset 20(tcp)+12(timestamps): tcp[32]==30
>   - and check the subtype is 3: (tcp[34] & 0xf0) == 0x30
>   - (of course, feel free to check the length, the protocol, etc.)
>
> - try it:
>   $ tcpdump -nr trace.pcap "tcp[32] == 30 and (tcp[34] & 0xf0) == 0x30"
>   16:58:30.494716 IP 1.2.3.4.5001 > 4.3.2.1.38900: Flags [.], ack 3693886387, win 224, options [nop,nop,TS val 525599374 ecr 341597418,mptcp add-addr id 3 2.2.2.2,mptcp dss ack 419984920], length 0
>
> - convert it to cBPF:
>   $ docker run quay.io/casey_callendrello/nfbpf_compile "tcp[32] == 30 and (tcp[34] & 0xf0) == 0x30"
>   15,48 0 0 0,84 0 0 240,21 0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,69 7 0 8191,177 0 0 0,80 0 0 32,21 0 4 30,80 0 0 34,84 0 0 240,21 0 1 48,6 0 0 65535,6 0 0 0
>
> - Use it with IPTables:
>   $ iptables -w -A OUTPUT -m bpf --bytecode '15,48 0 0 0,84 0 0 240,21 0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,69 7 0 8191,177 0 0 0,80 0 0 32,21 0 4 30,80 0 0 34,84 0 0 240,21 0 1 48,6 0 0 65535,6 0 0 0' -j DROP
>   - feel free to combine that with other matchers, e.g. "-p tcp --tcp-option 30" and just use cBPF to find the subtype: "(tcp[34] & 0xf0) == 0x30"
Thanks for your help. I added this in patch v2.
-Geliang
>
> Cheers,
> Matt
> --
> Tessares | Belgium | Hybrid Access Solutions
> www.tessares.net
* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-25 20:45 Matthieu Baerts
From: Matthieu Baerts @ 2020-09-25 20:45 UTC (permalink / raw)
To: mptcp
Hi Geliang, Paolo,
On 25/09/2020 10:55, Paolo Abeni wrote:
> On Fri, 2020-09-25 at 13:25 +0800, Geliang Tang wrote:
>> Paolo Abeni <pabeni(a)redhat.com> wrote on Wed, 23 Sep 2020 at 6:26 PM:
>>> On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
>>>> This patch added a new sysctl, named add_addr_echo, to control the
>>>> ADD_ADDR echo ability.
>>>>
>>>> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
>>>
>>> If I read the series correctly, this sysctl is only needed for
>>> self-test's sake, right? Can you instead drop the add_addr packet with
>>> some netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and
>>> the appropriate packet len should be sufficient.
>>
>> I still have not found the rules that can drop ADD_ADDR packets. But
>> I found something useful like this:
>>
>> # iptables -A OUTPUT -p tcp --tcp-option 30 -m length --length 0:100 -j DROP
>>
>> "tcp-option 30" can match MPTCP packets, and "length" can match the IP
>> packet's total length. But they are not sufficient.
>
> You can use u32 to check that the sub-option type is 3 (== ADD_ADDR),
> with something alike:
>
> iptables -A OUTPUT -p tcp --tcp-option 30 -m length 80 -m u32 "37&0xFF==0x1 && 38&0xFF==0x1 && 39&0xFF==0x8 && 49&0xFF==0x1e && 51&0xFF==0x3" -j DROP
Another technique is to use a libpcap filter and then convert it to a cBPF
filter. That's very similar to Paolo's technique using offsets but maybe
easier to validate:

- first, find the libpcap filter:
  - Manual: https://www.tcpdump.org/manpages/pcap-filter.7.html
  - You can use offsets from the TCP layer: tcp[<offset>] & <mask> == <value>
  - e.g. check MPTCP is used at the offset 20(tcp)+12(timestamps): tcp[32]==30
  - and check the subtype is 3: (tcp[34] & 0xf0) == 0x30
  - (of course, feel free to check the length, the protocol, etc.)

- try it:
  $ tcpdump -nr trace.pcap "tcp[32] == 30 and (tcp[34] & 0xf0) == 0x30"
  16:58:30.494716 IP 1.2.3.4.5001 > 4.3.2.1.38900: Flags [.], ack 3693886387, win 224, options [nop,nop,TS val 525599374 ecr 341597418,mptcp add-addr id 3 2.2.2.2,mptcp dss ack 419984920], length 0

- convert it to cBPF:
  $ docker run quay.io/casey_callendrello/nfbpf_compile "tcp[32] == 30 and (tcp[34] & 0xf0) == 0x30"
  15,48 0 0 0,84 0 0 240,21 0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,69 7 0 8191,177 0 0 0,80 0 0 32,21 0 4 30,80 0 0 34,84 0 0 240,21 0 1 48,6 0 0 65535,6 0 0 0

- Use it with IPTables:
  $ iptables -w -A OUTPUT -m bpf --bytecode '15,48 0 0 0,84 0 0 240,21 0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,69 7 0 8191,177 0 0 0,80 0 0 32,21 0 4 30,80 0 0 34,84 0 0 240,21 0 1 48,6 0 0 65535,6 0 0 0' -j DROP
  - feel free to combine that with other matchers, e.g. "-p tcp --tcp-option 30" and just use cBPF to find the subtype: "(tcp[34] & 0xf0) == 0x30"
Cheers,
Matt
--
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net
* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-25 8:55 Paolo Abeni
From: Paolo Abeni @ 2020-09-25 8:55 UTC (permalink / raw)
To: mptcp
On Fri, 2020-09-25 at 13:25 +0800, Geliang Tang wrote:
> Paolo Abeni <pabeni(a)redhat.com> wrote on Wed, 23 Sep 2020 at 6:26 PM:
> > On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
> > > This patch added a new sysctl, named add_addr_echo, to control the
> > > ADD_ADDR echo ability.
> > >
> > > Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
> >
> > If I read the series correctly, this sysctl is only needed for
> > self-test's sake, right? Can you instead drop the add_addr packet with
> > some netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and
> > the appropriate packet len should be sufficient.
>
> I still have not found the rules that can drop ADD_ADDR packets. But
> I found something useful like this:
>
> # iptables -A OUTPUT -p tcp --tcp-option 30 -m length --length 0:100 -j DROP
>
> "tcp-option 30" can match MPTCP packets, and "length" can match the IP
> packet's total length. But they are not sufficient.
You can use u32 to check that the sub-option type is 3 (== ADD_ADDR),
with something alike:
iptables -A OUTPUT -p tcp --tcp-option 30 -m length 80 -m u32 "37&0xFF==0x1 && 38&0xFF==0x1 && 39&0xFF==0x8 && 49&0xFF==0x1e && 51&0xFF==0x3" -j DROP
The basic u32 match syntax is:
<offset> & <mask> = <value>
u32 will read the 4 bytes from the packet starting at <offset>,
interpreting them as a little-endian integer, will mask (bitwise 'and')
with <mask> and will compare the result with the provided <value>. More
expressions can be concatenated with '&&'.
The above u32 match assumes there are no IP options, so that the TCP
header starts at offset 20 and the first TCP option starts at offset
40. To read a byte at such an offset we must actually load the 4-byte
integer starting 3 bytes earlier so that the byte with offset 40 will be
the least significant one in the loaded (little-endian) u32.
Overall the above checks that the TCP options are 2 nops (37&0xFF==0x1
&& 38&0xFF==0x1), a timestamp (&& 39&0x8=0x8), an MPTCP one (&&
49&0xFF==0x1e) with suboption 3 (&& 51=0x3), which means ADD_ADDR.
That is the layout I observe here with wireshark for an MPTCP ADD_ADDR
packet over ipv4. Generally speaking this kind of match is fragile,
but in this case it should be robust enough.
I also refined the IP len to 80, which is the value I observe here.
Again I think it should be stable enough in this case.
All the above is completely untested, so it may include syntax errors
and could be inaccurate, please double check!
@Florian: do you think something alike the above could be enough to
drop ADD_ADDR only? any better option? (likely nft is the tool here ;)
Thanks!
Paolo
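Both the u32 match in this message and the cBPF program in Matt's message above pick out ADD_ADDR by reading fixed byte offsets, which only works while the option list is exactly nop, nop, timestamp, MPTCP (and, for u32, while the IPv4 header carries no options). The Python script below is an added example written for this page; it is not code from the thread or from the MPTCP project. It runs the thread's cBPF bytecode through a minimal interpreter over constructed IPv4/TCP packets (addresses, ports, option values and the zeroed checksums are made up) and compares the verdict with a TCP option walk that finds the MPTCP subtype wherever it sits in the header, which shows exactly which packets the fixed-offset rule misses.

```python
import struct

# cBPF program quoted in the thread (nfbpf_compile output for
# "tcp[32] == 30 and (tcp[34] & 0xf0) == 0x30"), in xt_bpf --bytecode form.
BYTECODE = ("15,48 0 0 0,84 0 0 240,21 0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,"
            "69 7 0 8191,177 0 0 0,80 0 0 32,21 0 4 30,80 0 0 34,84 0 0 240,"
            "21 0 1 48,6 0 0 65535,6 0 0 0")


def parse_bytecode(text):
    """Split xt_bpf bytecode text into (code, jt, jf, k) tuples."""
    fields = text.split(",")
    insns = [tuple(int(v) for v in f.split()) for f in fields[1:]]
    if len(insns) != int(fields[0]):
        raise ValueError("instruction count does not match program")
    return insns


def run_cbpf(insns, pkt):
    """Minimal cBPF interpreter covering only the opcodes the program above uses.
    The packet starts at the IPv4 header, as in the netfilter bpf match."""
    a = x = pc = 0
    try:
        while True:
            code, jt, jf, k = insns[pc]
            pc += 1
            if code == 0x30:    # ld   A = pkt[k]
                a = pkt[k]
            elif code == 0x28:  # ldh  A = big-endian 16-bit value at pkt[k]
                a = struct.unpack_from("!H", pkt, k)[0]
            elif code == 0x50:  # ld   A = pkt[X + k]
                a = pkt[x + k]
            elif code == 0xB1:  # ldxb X = 4 * (pkt[k] & 0xf), the IP header length
                x = 4 * (pkt[k] & 0xF)
            elif code == 0x54:  # and  A &= k
                a &= k
            elif code == 0x15:  # jeq  skip jt instructions if A == k, else jf
                pc += jt if a == k else jf
            elif code == 0x45:  # jset skip jt instructions if A & k, else jf
                pc += jt if a & k else jf
            elif code == 0x06:  # ret k (0 means no match)
                return k
            else:
                raise ValueError(f"unsupported cBPF opcode {code:#x}")
    except (IndexError, struct.error):
        return 0                # load past the end of the packet: no match


def mptcp_option(subtype, low_nibble, body):
    """Kind 30 option; the subtype lives in the high nibble of the third byte."""
    return bytes([30, 3 + len(body), (subtype << 4) | low_nibble]) + body


def ipv4_tcp(tcp_options, ip_options=b""):
    """Constructed IPv4 + TCP header (no payload, zero checksums) with options."""
    if len(tcp_options) % 4 or len(ip_options) % 4:
        raise ValueError("option lists must be padded to 4-byte multiples")
    ihl = 5 + len(ip_options) // 4
    doff = 5 + len(tcp_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 4 * (ihl + doff), 0,
                     0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 5001, 38900, 1, 1, doff << 4, 0x10, 224, 0, 0)
    return ip + ip_options + tcp + tcp_options


NOPS = b"\x01\x01"
TIMESTAMP = b"\x08\x0a" + struct.pack("!II", 525599374, 341597418)   # kind 8, len 10
ADD_ADDR = mptcp_option(3, 4, bytes([3, 2, 2, 2, 2]))   # subtype 3, IPv4, id 3, 2.2.2.2
DSS_ACK = mptcp_option(2, 0, b"\x01" + struct.pack("!I", 419984920))  # subtype 2

SAMPLES = {                                                  # all constructed
    "add_addr": ipv4_tcp(NOPS + TIMESTAMP + ADD_ADDR),
    "dss_only": ipv4_tcp(NOPS + TIMESTAMP + DSS_ACK),
    "no_mptcp": ipv4_tcp(NOPS + TIMESTAMP + b"\x01\x01\x01\x00"),
    "add_addr_no_ts": ipv4_tcp(ADD_ADDR),                    # option list shifted
    "add_addr_ipopt": ipv4_tcp(NOPS + TIMESTAMP + ADD_ADDR, b"\x01\x01\x01\x01"),
}


def mptcp_subtypes(pkt):
    """Walk the TCP option list and return every MPTCP subtype found."""
    ihl = 4 * (pkt[0] & 0xF)
    doff = 4 * (pkt[ihl + 12] >> 4)
    opts = pkt[ihl + 20:ihl + doff]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # nop
            i += 1
            continue
        if i + 1 >= len(opts):
            break                           # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                           # malformed length
        if kind == 30 and length >= 3:
            found.append(opts[i + 2] >> 4)
        i += length
    return found


def match_all(program=BYTECODE):
    """Per sample: (cBPF fixed-offset verdict, option-walk verdict) for ADD_ADDR."""
    insns = parse_bytecode(program)
    return {name: (run_cbpf(insns, pkt) != 0, 3 in mptcp_subtypes(pkt))
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (bpf, walk) in match_all().items():
        print(f"{name:16} cbpf={bpf!s:5} option-walk={walk}")
```

The interpreter implements just the eight cBPF opcodes the compiled program needs, and a load past the end of the packet yields "no match" rather than an error. Because the program derives the TCP header position from the IP header length (the ldxb instruction), it still matches when IPv4 options are present, but an ADD_ADDR sent without the nop,nop,timestamp prefix is not matched by the fixed offsets while the option walk still finds it.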
* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-25 5:25 Geliang Tang
From: Geliang Tang @ 2020-09-25 5:25 UTC (permalink / raw)
To: mptcp
Hi Paolo,
Paolo Abeni <pabeni(a)redhat.com> wrote on Wed, 23 Sep 2020 at 6:26 PM:
>
> On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
> > This patch added a new sysctl, named add_addr_echo, to control the
> > ADD_ADDR echo ability.
> >
> > Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
>
> If I read the series correctly, this sysctl is only needed for
> self-test's sake, right? Can you instead drop the add_addr packet with some
> netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and the
> appropriate packet len should be sufficient.
I still have not found the rules that can drop ADD_ADDR packets. But I found
something useful like this:
# iptables -A OUTPUT -p tcp --tcp-option 30 -m length --length 0:100 -j DROP
"tcp-option 30" can match MPTCP packets, and "length" can match the IP
packet's total length. But they are not sufficient.
Could you please give me some suggestions about this? Can I write a new
netfilter module to do this? Is this acceptable?
Thanks.
-Geliang
>
> Disabling the echo would likely violate the RFC, I think that exposing
> this ability to user-space would be too much even for unix
> philosophy[1] ;)
>
> Cheers,
>
> Paolo
>
> [1] http://www.anvari.org/fortune/Miscellaneous_Collections/412232_the-unix-philosophy-basically-involves-giving-you-enough-rope-to-hang-yourself.html
>
* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-23 10:26 Paolo Abeni
From: Paolo Abeni @ 2020-09-23 10:26 UTC (permalink / raw)
To: mptcp
On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
> This patch added a new sysctl, named add_addr_echo, to control the
> ADD_ADDR echo ability.
>
> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
If I read the series correctly, this sysctl is only needed for
self-test's sake, right? Can you instead drop the add_addr packet with some
netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and the
appropriate packet len should be sufficient.
Disabling the echo would likely violate the RFC, I think that exposing
this ability to user-space would be too much even for unix
philosophy[1] ;)
Cheers,
Paolo
[1] http://www.anvari.org/fortune/Miscellaneous_Collections/412232_the-unix-philosophy-basically-involves-giving-you-enough-rope-to-hang-yourself.html