* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-27 10:36 Geliang Tang
  0 siblings, 0 replies; 5+ messages in thread
From: Geliang Tang @ 2020-09-27 10:36 UTC (permalink / raw)
  To: mptcp


Hi Matt, Paolo,

Matthieu Baerts <matthieu.baerts(a)tessares.net> wrote on Sat, 26 Sep 2020 at 4:45 AM:
>
> Hi Geliang, Paolo,
>
> On 25/09/2020 10:55, Paolo Abeni wrote:
> > On Fri, 2020-09-25 at 13:25 +0800, Geliang Tang wrote:
> >> Paolo Abeni <pabeni(a)redhat.com> wrote on Wed, 23 Sep 2020 at 6:26 PM:
> >>> On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
> >>>> This patch added a new sysctl, named add_addr_echo, to control the
> >>>> ADD_ADDR echo ability.
> >>>>
> >>>> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
> >>>
> >>> If I read the series correctly, this sysctl is only needed for
> >>> self-test's sake, right? Can you instead drop the add_addr packet with
> >>> some netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and
> >>> the appropriate packet len should be sufficient.
> >>
> >> I still have not found the rules that can drop ADD_ADDR packets. But
> >> I found something useful like this:
> >>
> >> # iptables -A OUTPUT -p tcp --tcp-option 30 -m length --length 0:100 -j DROP
> >>
> >> "tcp-option 30" can match MPTCP packets, and "length" can match the
> >> IP packet's total length. But they are not sufficient.
> >
> > You can use u32 to check that the sub-option type is 3 (== ADD_ADDR),
> > with something alike:
> >
> > iptables -A OUTPUT -p tcp --tcp-option 30 -m length 80 -m u32 "37&0xFF==0x1 && 38&0xFF==0x1 && 39&0xFF==0x8 && 49&0xFF==0x1e && 51&0xFF==0x3" -j DROP
>
> Another technique is to use a libpcap filter and then convert it to a cBPF
> filter. That's very similar to Paolo's technique using offsets but maybe
> easier to validate:
>
> - first, find the libpcap filter:
>    - Manual: https://www.tcpdump.org/manpages/pcap-filter.7.html
>    - You can use offset from TCP layer: tcp[<offset>] & <mask> == <value>
>    - e.g. check MPTCP is used at the offset 20(tcp)+12(timestamps):
>      tcp[32]==30
>    - and check the subtype is 3: (tcp[34] & 0xf0) == 0x30
>    - (of course, feel free to check the length, the protocol, etc.)
>
> - try it:
>    $ tcpdump -nr trace.pcap "tcp[32] == 30 and (tcp[34] & 0xf0) == 0x30"
>      16:58:30.494716 IP 1.2.3.4.5001 > 4.3.2.1.38900: Flags [.], ack
> 3693886387, win 224, options [nop,nop,TS val 525599374 ecr
> 341597418,mptcp add-addr id 3 2.2.2.2,mptcp dss ack 419984920], length 0
>
> - convert it to cBPF:
>    $ docker run quay.io/casey_callendrello/nfbpf_compile "tcp[32] == 30
> and (tcp[34] & 0xf0) == 0x30"
>    15,48 0 0 0,84 0 0 240,21 0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,69 7 0
> 8191,177 0 0 0,80 0 0 32,21 0 4 30,80 0 0 34,84 0 0 240,21 0 1 48,6 0 0
> 65535,6 0 0 0
>
> - Use it with IPTables:
>    $ iptables -w -A OUTPUT -m bpf --bytecode '15,48 0 0 0,84 0 0 240,21
> 0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,69 7 0 8191,177 0 0 0,80 0 0 32,21 0
> 4 30,80 0 0 34,84 0 0 240,21 0 1 48,6 0 0 65535,6 0 0 0' -j DROP
>    - feel free to combine that with other matchers, e.g. "-p tcp
> --tcp-option 30" and just use cBPF to find the subtype: "(tcp[34] &
> 0xf0) == 0x30"

Thanks for your help. I added this in patch v2.

-Geliang

>
> Cheers,
> Matt
> --
> Tessares | Belgium | Hybrid Access Solutions
> www.tessares.net


* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-25 20:45 Matthieu Baerts
  0 siblings, 0 replies; 5+ messages in thread
From: Matthieu Baerts @ 2020-09-25 20:45 UTC (permalink / raw)
  To: mptcp


Hi Geliang, Paolo,

On 25/09/2020 10:55, Paolo Abeni wrote:
> On Fri, 2020-09-25 at 13:25 +0800, Geliang Tang wrote:
>> Paolo Abeni <pabeni(a)redhat.com> wrote on Wed, 23 Sep 2020 at 6:26 PM:
>>> On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
>>>> This patch added a new sysctl, named add_addr_echo, to control the
>>>> ADD_ADDR echo ability.
>>>>
>>>> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
>>>
>>> If I read the series correctly, this sysctl is only needed for
>>> self-test's sake, right? Can you instead drop the add_addr packet with
>>> some netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and
>>> the appropriate packet len should be sufficient.
>>
>> I still have not found the rules that can drop ADD_ADDR packets. But
>> I found something useful like this:
>>
>> # iptables -A OUTPUT -p tcp --tcp-option 30 -m length --length 0:100 -j DROP
>>
>> "tcp-option 30" can match MPTCP packets, and "length" can match the
>> IP packet's total length. But they are not sufficient.
> 
> You can use u32 to check that the sub-option type is 3 (== ADD_ADDR),
> with something alike:
> 
> iptables -A OUTPUT -p tcp --tcp-option 30 -m length 80 -m u32 "37&0xFF==0x1 && 38&0xFF==0x1 && 39&0xFF==0x8 && 49&0xFF==0x1e && 51&0xFF==0x3" -j DROP

Another technique is to use a libpcap filter and then convert it to a cBPF
filter. That's very similar to Paolo's technique using offsets but maybe
easier to validate:

- first, find the libpcap filter:
   - Manual: https://www.tcpdump.org/manpages/pcap-filter.7.html
   - You can use offset from TCP layer: tcp[<offset>] & <mask> == <value>
   - e.g. check MPTCP is used at the offset 20(tcp)+12(timestamps):
     tcp[32]==30
   - and check the subtype is 3: (tcp[34] & 0xf0) == 0x30
   - (of course, feel free to check the length, the protocol, etc.)

- try it:
   $ tcpdump -nr trace.pcap "tcp[32] == 30 and (tcp[34] & 0xf0) == 0x30"
     16:58:30.494716 IP 1.2.3.4.5001 > 4.3.2.1.38900: Flags [.], ack 
3693886387, win 224, options [nop,nop,TS val 525599374 ecr 
341597418,mptcp add-addr id 3 2.2.2.2,mptcp dss ack 419984920], length 0

- convert it to cBPF:
   $ docker run quay.io/casey_callendrello/nfbpf_compile "tcp[32] == 30 
and (tcp[34] & 0xf0) == 0x30"
   15,48 0 0 0,84 0 0 240,21 0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,69 7 0 
8191,177 0 0 0,80 0 0 32,21 0 4 30,80 0 0 34,84 0 0 240,21 0 1 48,6 0 0 
65535,6 0 0 0

- Use it with IPTables:
   $ iptables -w -A OUTPUT -m bpf --bytecode '15,48 0 0 0,84 0 0 240,21 
0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,69 7 0 8191,177 0 0 0,80 0 0 32,21 0 
4 30,80 0 0 34,84 0 0 240,21 0 1 48,6 0 0 65535,6 0 0 0' -j DROP
   - feel free to combine that with other matchers, e.g. "-p tcp
--tcp-option 30" and just use cBPF to find the subtype: "(tcp[34] &
0xf0) == 0x30"

Cheers,
Matt
-- 
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net


* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-25  8:55 Paolo Abeni
  0 siblings, 0 replies; 5+ messages in thread
From: Paolo Abeni @ 2020-09-25  8:55 UTC (permalink / raw)
  To: mptcp


On Fri, 2020-09-25 at 13:25 +0800, Geliang Tang wrote:
> Paolo Abeni <pabeni(a)redhat.com> wrote on Wed, 23 Sep 2020 at 6:26 PM:
> > On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
> > > This patch added a new sysctl, named add_addr_echo, to control the
> > > ADD_ADDR echo ability.
> > >
> > > Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
> >
> > If I read the series correctly, this sysctl is only needed for
> > self-test's sake, right? Can you instead drop the add_addr packet with
> > some netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and
> > the appropriate packet len should be sufficient.
>
> I still have not found the rules that can drop ADD_ADDR packets. But
> I found something useful like this:
>
> # iptables -A OUTPUT -p tcp --tcp-option 30 -m length --length 0:100 -j DROP
>
> "tcp-option 30" can match MPTCP packets, and "length" can match the
> IP packet's total length. But they are not sufficient.

You can use u32 to check that the sub-option type is 3 (== ADD_ADDR),
with something alike:

iptables -A OUTPUT -p tcp --tcp-option 30 -m length 80 -m u32 "37&0xFF==0x1 && 38&0xFF==0x1 && 39&0xFF==0x8 && 49&0xFF==0x1e && 51&0xFF==0x3" -j DROP

The basic u32 match syntax is:

<offset> & <mask> = <value>

u32 will read the 4 bytes from the packet starting at <offset>,
interpreting them as a little-endian integer, will mask (bitwise 'and')
with <mask> and will compare the result with the provided <value>. More
expressions can be concatenated with '&&'.

The above u32 match assumes there are no IP options, so that the TCP
header starts at offset 20 and the first TCP option starts at offset
40. To read a byte at such an offset we must actually load the 4-byte
integer starting 3 bytes earlier, so that the byte at offset 40 will be
the least significant one in the loaded (little-endian) u32.

Overall the above checks that the TCP options are 2 nops (37&0xFF==0x1
&& 38&0xFF==0x1), a timestamp (&& 39&0x8=0x8), an MPTCP (&&
49&0xFF==0x1e) with suboption 3 (&& 51=0x3), which means ADD_ADDR.

That is the layout I observe here with wireshark for an MPTCP ADD_ADDR
packet over ipv4. Generally speaking this kind of match is fragile,
but in this case it should be robust enough.

I also refined the IP len to 80, which is the value I observe here.
Again I think it should be stable enough in this case.

All the above is completely untested, so it may include syntax errors
and could be inaccurate, please double check!

@Florian: do you think something alike the above could be enough to
drop ADD_ADDR only? any better option? (likely nft is the tool here ;)

Thanks!

Paolo
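
The two matchers in this thread, Matthieu's cBPF bytecode (message of 2020-09-25 20:45) and Paolo's u32 expression above, depend on the same byte offsets, and Paolo asked for them to be double checked. What follows is an added example, not code from the thread or from the MPTCP project: it builds a constructed IPv4/TCP segment with the option layout described here (NOP, NOP, timestamps, a 16-byte ADD_ADDR, then a DSS; sample addresses, ports and timestamp values, zero checksums), provides a minimal classic-BPF interpreter that covers only the opcodes the quoted program uses, and an evaluator for the "offset&mask=value && ..." subset of xt_u32 syntax, so both matchers can be run offline against the same bytes before any rule is installed with iptables.

```python
"""Added example: replay the thread's two ADD_ADDR matchers over a constructed
IPv4/TCP segment. Not code from the thread or the MPTCP project."""
import struct

# cBPF program quoted in the thread, as produced by nfbpf_compile for
# "tcp[32] == 30 and (tcp[34] & 0xf0) == 0x30" (xt_bpf sees the IP header at offset 0).
ADD_ADDR_CBPF = ("15,48 0 0 0,84 0 0 240,21 0 11 64,48 0 0 9,21 0 9 6,40 0 0 6,"
                 "69 7 0 8191,177 0 0 0,80 0 0 32,21 0 4 30,80 0 0 34,84 0 0 240,"
                 "21 0 1 48,6 0 0 65535,6 0 0 0")

# u32 expression quoted in the thread, exactly as written there.
ADD_ADDR_U32 = ("37&0xFF==0x1 && 38&0xFF==0x1 && 39&0xFF==0x8 && "
                "49&0xFF==0x1e && 51&0xFF==0x3")


def build_segment(mptcp_subtype: int = 3) -> bytes:
    """Constructed packet (sample values, zero checksums): IPv4 without options,
    TCP options NOP,NOP,TS, then a 16-byte MPTCP option carrying the given
    subtype (3 = ADD_ADDR; address id 3, IPv4 2.2.2.2, 8-byte truncated HMAC),
    then a DSS with an 8-octet data ack. Total IP length comes out at 80."""
    opts = (bytes([1, 1, 8, 10]) + struct.pack("!II", 525599374, 341597418)
            + bytes([30, 16, mptcp_subtype << 4, 3, 2, 2, 2, 2]) + bytes(8)
            + bytes([30, 12, 0x20, 0x03]) + struct.pack("!Q", 419984920))
    doff = (20 + len(opts)) // 4                  # 40 bytes of options -> 15 words
    tcp = struct.pack("!HHIIBBHHH", 5001, 38900, 1, 3693886387,
                      doff << 4, 0x10, 224, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([1, 2, 3, 4]), bytes([4, 3, 2, 1]))
    return ip + tcp


def run_cbpf(bytecode: str, pkt: bytes) -> int:
    """Minimal classic-BPF interpreter for the xt_bpf 'n,code jt jf k,...' text
    format. Only the opcodes used by the quoted program (plus the word-sized
    loads and 'ret a') are implemented; anything else raises. Returns the
    accept length (non-zero = match). An out-of-range load returns 0, as the
    kernel's filter does."""
    fields = bytecode.split(",")
    n = int(fields[0])
    prog = [tuple(int(x) for x in f.split()) for f in fields[1:1 + n]]
    if len(prog) != n:
        raise ValueError("instruction count mismatch")
    sizes = {0x30: 1, 0x50: 1, 0xb1: 1, 0x28: 2, 0x48: 2, 0x20: 4, 0x40: 4}
    a = x = pc = 0
    while pc < n:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in sizes:                          # packet loads (abs, ind, msh)
            off = k + (x if code in (0x50, 0x48, 0x40) else 0)
            if off + sizes[code] > len(pkt):
                return 0
            val = int.from_bytes(pkt[off:off + sizes[code]], "big")
            if code == 0xb1:                       # ldxb 4*([k]&0xf): IP header length -> X
                x = 4 * (val & 0xf)
            else:
                a = val
        elif code == 0x54:                         # and #k
            a &= k
        elif code == 0x15:                         # jeq #k, jt, jf
            pc += jt if a == k else jf
        elif code == 0x45:                         # jset #k, jt, jf
            pc += jt if a & k else jf
        elif code == 0x06:                         # ret #k
            return k
        elif code == 0x16:                         # ret a
            return a
        else:
            raise NotImplementedError(f"opcode {code:#x}")
    return 0


def match_u32(expr: str, pkt: bytes) -> bool:
    """Evaluate the xt_u32 subset used in the thread: '<offset>&<mask>=<value>'
    clauses joined by '&&' ('==' is accepted too). xt_u32 copies the four bytes
    at <offset> and interprets them in network byte order (ntohl), so the byte
    at <offset>+3 is the least significant; a load past the packet end fails."""
    for clause in expr.split("&&"):
        lhs, value = clause.replace("==", "=").split("=")
        offset, mask = (int(t.strip(), 0) for t in lhs.split("&"))
        if offset + 4 > len(pkt):
            return False
        word = int.from_bytes(pkt[offset:offset + 4], "big")
        if word & mask != int(value.strip(), 0):
            return False
    return True


if __name__ == "__main__":
    add_addr = build_segment(3)
    print("IP total length:", len(add_addr))
    print("cBPF on ADD_ADDR segment:", run_cbpf(ADD_ADDR_CBPF, add_addr))
    print("cBPF on subtype-2 segment:", run_cbpf(ADD_ADDR_CBPF, build_segment(2)))
    print("u32 as written:", match_u32(ADD_ADDR_U32, add_addr))
    nibble = ADD_ADDR_U32.replace("51&0xFF==0x3", "51&0xF0==0x30")
    print("u32 with subtype nibble masked:", match_u32(nibble, add_addr))
```

Running it shows the cBPF program accepting the ADD_ADDR segment and rejecting the same segment with any other subtype, a truncated packet, or a non-TCP protocol. For the u32 expression, the first four clauses match as described; the final clause compares the whole byte at offset 54, which holds the subtype in its high nibble and the flag bits in its low nibble, so on this segment it only matches once mask and value become 0xF0 and 0x30, the same check Matthieu's pcap expression "(tcp[34] & 0xf0) == 0x30" makes.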


* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-25  5:25 Geliang Tang
  0 siblings, 0 replies; 5+ messages in thread
From: Geliang Tang @ 2020-09-25  5:25 UTC (permalink / raw)
  To: mptcp


Hi Paolo,

Paolo Abeni <pabeni(a)redhat.com> wrote on Wed, 23 Sep 2020 at 6:26 PM:
>
> On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
> > This patch added a new sysctl, named add_addr_echo, to control the
> > ADD_ADDR echo ability.
> >
> > Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
>
> If I read the series correctly, this sysctl is only needed for
> self-test's sake, right? Can you instead drop the add_addr packet with
> some netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and
> the appropriate packet len should be sufficient.

I still have not found the rules that can drop ADD_ADDR packets. But I found
something useful like this:

# iptables -A OUTPUT -p tcp --tcp-option 30 -m length --length 0:100 -j DROP

"tcp-option 30" can match MPTCP packets, and "length" can match the IP
packet's total length. But they are not sufficient.

Could you please give me some suggestions about this? Can I write a new
netfilter module to do this? Is this acceptable?

Thanks.

-Geliang

>
> Disabling the echo would likely violate the RFC; I think that exposing
> this ability to user-space would be too much even for the unix
> philosophy[1] ;)
>
> Cheers,
>
> Paolo
>
> [1] http://www.anvari.org/fortune/Miscellaneous_Collections/412232_the-unix-philosophy-basically-involves-giving-you-enough-rope-to-hang-yourself.html
>


* [MPTCP] Re: [MPTCP][PATCH mptcp-next 1/3] mptcp: add add_addr_echo sysctl
@ 2020-09-23 10:26 Paolo Abeni
  0 siblings, 0 replies; 5+ messages in thread
From: Paolo Abeni @ 2020-09-23 10:26 UTC (permalink / raw)
  To: mptcp


On Tue, 2020-09-22 at 16:12 +0800, Geliang Tang wrote:
> This patch added a new sysctl, named add_addr_echo, to control the
> ADD_ADDR echo ability.
>
> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>

If I read the series correctly, this sysctl is only needed for
self-test's sake, right? Can you instead drop the add_addr packet with
some netfilter rules? Possibly matching on TCP PROTO, TCP len == 0 and
the appropriate packet len should be sufficient.

Disabling the echo would likely violate the RFC; I think that exposing
this ability to user-space would be too much even for the unix
philosophy[1] ;)

Cheers,

Paolo

[1] http://www.anvari.org/fortune/Miscellaneous_Collections/412232_the-unix-philosophy-basically-involves-giving-you-enough-rope-to-hang-yourself.html
