* Extended martian logging with data dump: patch not working, why? RFC on idea
@ 2013-10-31 9:36 Fiedler Roman
From: Fiedler Roman @ 2013-10-31 9:36 UTC (permalink / raw)
To: linux-kernel
Hello List,
I have tried to extend the martian logging functionality in the kernel, but the patch does not work.
Rationale (SKIP IF NOT INTERESTED): martian packets do not enter the iptables stack, hence they cannot be full-packet-capture logged via e.g. ulog. The capture would be interesting to distinguish these 3 cases: a) normal noise, e.g. VM hosts with virtual local networks that occasionally leak packets without NATting them, b) an unskilled attacker using a forbidden source IP by chance/accident with not so problematic payloads, c) a skilled attacker who is sending crafted payloads and knows which source IP/dest/service/vuln he targets. Since the source policy check also has security advantages, completely disabling it is out of the question. Otherwise, moving the source route checks would require re-implementing those rules in iptables to get the same effect, a duplication I do want to make.
CONTINUE HERE FOR PROGRAMMING PROBLEM: I added log_martians type 2, where a packet dump should also be produced. Why does setting echo 2 > log_martians not activate my new code? Does
./include/linux/inetdevice.h:#define IN_DEV_LOG_MARTIANS(in_dev) IN_DEV_ORCONF((in_dev), LOG_MARTIANS)
only return 0 or 1?
Any help appreciated, I hope Outlook does not mix up the plaintext too much,
Roman
[-- Attachment #2: martian.patch --]
--- net/ipv4/route.c 2013-10-23 17:42:05.304049876 +0000
+++ net/ipv4/route.c 2013-10-24 08:38:39.886599741 +0000
@@ -778,6 +778,10 @@
" Advised path = %pI4 -> %pI4\n",
&old_gw, dev->name, &new_gw,
&saddr, &daddr);
+ if((IN_DEV_LOG_MARTIANS(in_dev) == 2) && net_ratelimit()) {
+ print_hex_dump(KERN_INFO, "packet data: ", DUMP_PREFIX_OFFSET,
+ 16, 1, skb->data, skb->len, true);
+ }
}
#endif
;
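Review bot: The `IN_DEV_LOG_MARTIANS(in_dev) == 2` test in this hunk can never be true, which answers the question in the mail: IN_DEV_LOG_MARTIANS expands to IN_DEV_ORCONF, and that macro combines the per-interface value and the conf/all value with a logical `||`, so it yields only 0 or 1 no matter what was written to the sysctl. To carry a level through you need a max()-style combination of the two raw values (or a dedicated accessor), not the boolean OR. Independently of that, `print_hex_dump(..., skb->data, skb->len, ...)` assumes the whole packet is in the linear buffer; for non-linear skbs `skb->len` counts paged fragments too, so bound the dump by `skb_headlen(skb)`. Style: kernel code wants a space after `if`.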
@@ -886,10 +890,15 @@
++peer->rate_tokens;
#ifdef CONFIG_IP_ROUTE_VERBOSE
if (log_martians &&
- peer->rate_tokens == ip_rt_redirect_number)
+ peer->rate_tokens == ip_rt_redirect_number) {
net_warn_ratelimited("host %pI4/if%d ignores redirects for %pI4 to %pI4\n",
&ip_hdr(skb)->saddr, inet_iif(skb),
&ip_hdr(skb)->daddr, &gw);
+ if(log_martians == 2) {
+ print_hex_dump(KERN_WARNING, "packet data: ", DUMP_PREFIX_OFFSET,
+ 16, 1, skb->data, skb->len, true);
+ }
+ }
#endif
}
out_put_peer:
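Review bot: `log_martians == 2` here has the same problem as the first hunk, since `log_martians` is assigned from IN_DEV_LOG_MARTIANS, which only ever produces 0 or 1. Also note the log volume this branch can create: with a row size of 16 and group size 1, `print_hex_dump` emits one log line per 16 bytes, so a single 1500-byte packet becomes roughly 94 lines, and the surrounding rate limit (`peer->rate_tokens == ip_rt_redirect_number`) counts events, not lines. Consider capping the dumped length (e.g. the first N bytes of the linear area) rather than `skb->len`.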
@@ -1494,9 +1503,11 @@
__be32 daddr,
__be32 saddr)
{
+ int log_martians;
RT_CACHE_STAT_INC(in_martian_src);
#ifdef CONFIG_IP_ROUTE_VERBOSE
- if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit()) {
+ log_martians = IN_DEV_LOG_MARTIANS(in_dev);
+ if (log_martians && net_ratelimit()) {
/*
* RFC1812 recommendation, if source is martian,
* the only hint is MAC header.
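Review bot: `int log_martians;` is declared unconditionally but only assigned inside `#ifdef CONFIG_IP_ROUTE_VERBOSE`, so a build without that option gets an unused-variable warning; move the declaration under the `#ifdef`. The variable should also be declared before `RT_CACHE_STAT_INC`, with a blank line after the declarations, to match the surrounding style.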
@@ -1509,6 +1520,10 @@
skb_mac_header(skb),
dev->hard_header_len, true);
}
+ if(log_martians == 2) {
+ print_hex_dump(KERN_WARNING, "packet data: ", DUMP_PREFIX_OFFSET,
+ 16, 1, skb->data, skb->len, true);
+ }
}
#endif
}
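Review bot: The added dump sits correctly inside the rate-limited `if (log_martians && net_ratelimit())` block, but it writes the full packet, header and payload, into the kernel log. The existing code deliberately dumps only `dev->hard_header_len` bytes of the MAC header (per the RFC 1812 comment above it); payload bytes in dmesg are readable by any local user on systems with `kernel.dmesg_restrict = 0` and are typically shipped to remote syslog, so the level-2 mode should either cap the dump to the IP header plus a few bytes or be documented as exposing packet contents. The same `skb_headlen(skb)` bound as in the first hunk applies here.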
@@ -1791,9 +1806,14 @@
martian_destination:
RT_CACHE_STAT_INC(in_martian_dst);
#ifdef CONFIG_IP_ROUTE_VERBOSE
- if (IN_DEV_LOG_MARTIANS(in_dev))
+ if (IN_DEV_LOG_MARTIANS(in_dev)) {
net_warn_ratelimited("martian destination %pI4 from %pI4, dev %s\n",
&daddr, &saddr, dev->name);
+ if((IN_DEV_LOG_MARTIANS(in_dev) == 2) && net_ratelimit()) {
+ print_hex_dump(KERN_WARNING, "packet data: ", DUMP_PREFIX_OFFSET,
+ 16, 1, skb->data, skb->len, true);
+ }
+ }
#endif
e_inval:
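Review bot: IN_DEV_LOG_MARTIANS(in_dev) is evaluated twice in this hunk; assign it once to a local as the other hunks do. More importantly, the message uses `net_warn_ratelimited()` while the dump is gated by a separate `net_ratelimit()` call, so the two have independent rate-limit state and a dump can be printed without its "martian destination" line or vice versa, which makes the log hard to correlate. Either put both under one `net_ratelimit()` check with a plain `pr_warn`, or emit the dump only when the message was actually printed.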
--- net/ipv4/ip_input.c 2013-10-24 08:24:59.303206597 +0000
+++ net/ipv4/ip_input.c 2013-10-24 08:39:36.591381089 +0000
@@ -262,6 +262,7 @@
struct ip_options *opt;
const struct iphdr *iph;
struct net_device *dev = skb->dev;
+ int log_martians;
/* It looks as overkill, because not all
IP options require packet mangling.
@@ -289,10 +290,15 @@
if (in_dev) {
if (!IN_DEV_SOURCE_ROUTE(in_dev)) {
- if (IN_DEV_LOG_MARTIANS(in_dev))
+ log_martians = IN_DEV_LOG_MARTIANS(in_dev);
+ if (log_martians)
net_info_ratelimited("source route option %pI4 -> %pI4\n",
&iph->saddr,
&iph->daddr);
+ if((log_martians == 2) && net_ratelimit()) {
+ print_hex_dump(KERN_INFO, "packet data: ", DUMP_PREFIX_OFFSET,
+ 16, 1, skb->data, skb->len, true);
+ }
goto drop;
}
}
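Review bot: Same rate-limit mismatch as in route.c: `net_info_ratelimited()` for the message and `net_ratelimit()` for the dump are independent, so the source-route line and its hex dump can be suppressed separately. Since `if (log_martians)` now has a second dependent statement right after it, brace the block and place the dump inside it so the structure matches the intent. The `log_martians == 2` condition is again unreachable until IN_DEV_LOG_MARTIANS returns the configured level rather than a boolean.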
--- Documentation/networking/ip-sysctl.txt 2013-10-19 19:28:15.000000000 +0000
+++ Documentation/networking/ip-sysctl.txt 2013-10-24 08:42:46.785998632 +0000
@@ -810,11 +810,12 @@
conf/all/* is special, changes the settings for all interfaces
-log_martians - BOOLEAN
+log_martians - INTEGER
Log packets with impossible addresses to kernel log.
log_martians for the interface will be enabled if at least one of
- conf/{all,interface}/log_martians is set to TRUE,
- it will be disabled otherwise
+ conf/{all,interface}/log_martians is set to non-zero value,
+ it will be disabled otherwise. When the value is 2, not
+ only source and destination but full packet will be logged.
accept_redirects - BOOLEAN
Accept ICMP redirect messages.
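Review bot: The new text needs to define how conf/all and conf/<interface> combine once the value is no longer boolean (e.g. all=1 and eth0=2: is the interface logged at level 2?); the current "enabled if at least one ... is set to non-zero" wording describes the old OR semantics and leaves level 2 undefined, and the code as written (IN_DEV_ORCONF) cannot deliver it anyway. Grammar: "set to a non-zero value". The documentation should also state that level 2 writes the full packet, including payload, to the kernel log, so administrators know what they are exposing.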