* Extended martian logging with data dump: patch not working, why? RFC on idea
@ 2013-10-31  9:36 Fiedler Roman
From: Fiedler Roman @ 2013-10-31  9:36 UTC (permalink / raw)
  To: linux-kernel

[-- Attachment #1: Type: text/plain, Size: 1292 bytes --]

Hello List,

I have tried to extend the martian logging functionality in the kernel, but the patch does not work.

Rationale (SKIP IF NOT INTERESTED): martian packets do not enter the iptables stack, hence they cannot be full-packet-capture logged via e.g. ulog. The capture would be interesting to distinguish these 3 cases: a) normal noise, e.g. VM-hosts with virtual local networks that occasionally leak packets without natting those, b) unskilled attacker using a forbidden source IP by chance/accident with not so problematic payloads c) skilled attacker, who is sending crafted payloads and knows which source-IP/dest/service/vuln he targets. Since the source policy check also has security advantages, completely disabling it is out of the question. Otherwise, moving the source route checks would require re-implementing those rules in iptables to get the same effect, a duplication I do not want to make.

CONTINUE HERE FOR PROGRAMMING PROBLEM: I added log_martians value 2, for which a packet dump should also be produced. Why does setting echo 2 > log_martians not activate my new code? Does

./include/linux/inetdevice.h:#define IN_DEV_LOG_MARTIANS(in_dev)        IN_DEV_ORCONF((in_dev), LOG_MARTIANS)

only return 0 or 1? 

Any help appreciated, I hope Outlook does not mix up the plaintext too much,

Roman


[-- Attachment #2: martian.patch --]
[-- Type: application/octet-stream, Size: 3732 bytes --]

--- net/ipv4/route.c	2013-10-23 17:42:05.304049876 +0000
+++ net/ipv4/route.c	2013-10-24 08:38:39.886599741 +0000
@@ -778,6 +778,10 @@
 				     "  Advised path = %pI4 -> %pI4\n",
 				     &old_gw, dev->name, &new_gw,
 				     &saddr, &daddr);
+		if((IN_DEV_LOG_MARTIANS(in_dev) == 2) && net_ratelimit()) {
+			print_hex_dump(KERN_INFO, "packet data: ", DUMP_PREFIX_OFFSET,
+				16, 1, skb->data, skb->len, true);
+		}
 	}
 #endif
 	;
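Review bot: The `IN_DEV_LOG_MARTIANS(in_dev) == 2` test on the added line can never be true, because IN_DEV_LOG_MARTIANS expands to IN_DEV_ORCONF, whose `||` of the per-interface and conf/all values yields only 0 or 1 — which is exactly why `echo 2 > log_martians` never reaches the new code; the same applies to the `== 2` check in the @@ -1791 hunk and to the `log_martians` locals assigned from the same macro in the @@ -1494 and ip_input.c hunks (and, presumably, the existing one used in @@ -886). Reading the two raw values and taking the larger, `log_martians = max(IN_DEV_CONF_GET(in_dev, LOG_MARTIANS), IPV4_DEVCONF_ALL(dev_net(in_dev->dev), LOG_MARTIANS));`, keeps the 2 while preserving the existing "either side non-zero enables it" semantics. Separately, `skb->len` also counts paged and fragment data, so `print_hex_dump(..., skb->data, skb->len, ...)` reads past the linear buffer on a non-linear skb; every dump in this patch should be bounded by `skb_headlen(skb)` instead. The enclosing function begins outside the hunk.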
@@ -886,10 +890,15 @@
 		++peer->rate_tokens;
 #ifdef CONFIG_IP_ROUTE_VERBOSE
 		if (log_martians &&
-		    peer->rate_tokens == ip_rt_redirect_number)
+		    peer->rate_tokens == ip_rt_redirect_number) {
 			net_warn_ratelimited("host %pI4/if%d ignores redirects for %pI4 to %pI4\n",
 					     &ip_hdr(skb)->saddr, inet_iif(skb),
 					     &ip_hdr(skb)->daddr, &gw);
+			if(log_martians == 2) {
+				print_hex_dump(KERN_WARNING, "packet data: ", DUMP_PREFIX_OFFSET,
+					16, 1, skb->data, skb->len, true);
+			}
+		}
 #endif
 	}
 out_put_peer:
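Review bot: `if(log_martians == 2) {` does not follow kernel style, which puts a space after `if` and no parentheses around a simple comparison; the same applies to `if((... == 2) && net_ratelimit())` in the @@ -778, @@ -1791 and ip_input.c hunks, where `if (log_martians == 2 && net_ratelimit()) {` is the expected form (scripts/checkpatch.pl will flag these). `log_martians` here is assigned earlier in ip_rt_send_redirect, outside this hunk, so whether it can ever hold 2 is not visible from the diff. The enclosing function starts before the hunk.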
@@ -1494,9 +1503,11 @@
 				     __be32 daddr,
 				     __be32 saddr)
 {
+	int log_martians;
 	RT_CACHE_STAT_INC(in_martian_src);
 #ifdef CONFIG_IP_ROUTE_VERBOSE
-	if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit()) {
+	log_martians = IN_DEV_LOG_MARTIANS(in_dev);
+	if (log_martians && net_ratelimit()) {
 		/*
 		 *	RFC1812 recommendation, if source is martian,
 		 *	the only hint is MAC header.
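Review bot: `int log_martians;` is declared outside the `#ifdef CONFIG_IP_ROUTE_VERBOSE` block but is only assigned and read inside it, so a build without that option gets an unused-variable warning for ip_handle_martian_source. Moving the declaration under the `#ifdef` (or initialising it and marking it `__maybe_unused`) avoids that; the simplest form is to declare it right after the `#ifdef` line, before `RT_CACHE_STAT_INC` cannot be used since the statement must precede declarations in C89-style kernel code, so `#ifdef CONFIG_IP_ROUTE_VERBOSE` / `int log_martians = IN_DEV_LOG_MARTIANS(in_dev);` as the first lines of the function is cleaner. The function body continues in the following hunk.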
@@ -1509,6 +1520,10 @@
 				       skb_mac_header(skb),
 				       dev->hard_header_len, true);
 		}
+		if(log_martians == 2) {
+			print_hex_dump(KERN_WARNING, "packet data: ", DUMP_PREFIX_OFFSET,
+				16, 1, skb->data, skb->len, true);
+		}
 	}
 #endif
 }
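Review bot: The new full-packet dump lacks the kind of explanatory comment that the MAC-header dump above it carries (the RFC 1812 note in the preceding hunk), so a future reader has no idea why level 2 dumps the whole packet or where the data pointer sits. A short comment above the added `if`, e.g. `/* log_martians == 2: also dump the packet itself; martians never reach netfilter, so there is no other capture point for them. */`, records the rationale given in the cover mail. Note that the dump reads `skb->len` bytes from `skb->data`, which is only correct for a linear skb; this is raised on the first hunk.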
@@ -1791,9 +1806,14 @@
 martian_destination:
 	RT_CACHE_STAT_INC(in_martian_dst);
 #ifdef CONFIG_IP_ROUTE_VERBOSE
-	if (IN_DEV_LOG_MARTIANS(in_dev))
+	if (IN_DEV_LOG_MARTIANS(in_dev)) {
 		net_warn_ratelimited("martian destination %pI4 from %pI4, dev %s\n",
 				     &daddr, &saddr, dev->name);
+		if((IN_DEV_LOG_MARTIANS(in_dev) == 2) && net_ratelimit()) {
+			print_hex_dump(KERN_WARNING, "packet data: ", DUMP_PREFIX_OFFSET,
+				16, 1, skb->data, skb->len, true);
+		}
+	}
 #endif
 
 e_inval:
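Review bot: IN_DEV_LOG_MARTIANS is evaluated twice and net_ratelimit() is called twice in this hunk — once inside net_warn_ratelimited and once explicitly on the added line — so the message and the dump are gated by independent token draws and can appear without each other. The @@ -1494 hunk already shows the better shape: cache the value in a local and gate both under a single check, `if (log_martians && net_ratelimit()) {` followed by `pr_warn("martian destination ...", ...)` and `if (log_martians == 2) print_hex_dump(...)`. The same double-gating is present in the @@ -778 hunk and in the ip_input.c hunk. The enclosing function starts before this hunk.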
--- net/ipv4/ip_input.c	2013-10-24 08:24:59.303206597 +0000
+++ net/ipv4/ip_input.c	2013-10-24 08:39:36.591381089 +0000
@@ -262,6 +262,7 @@
 	struct ip_options *opt;
 	const struct iphdr *iph;
 	struct net_device *dev = skb->dev;
+	int log_martians;
 
 	/* It looks as overkill, because not all
 	   IP options require packet mangling.
@@ -289,10 +290,15 @@
 
 		if (in_dev) {
 			if (!IN_DEV_SOURCE_ROUTE(in_dev)) {
-				if (IN_DEV_LOG_MARTIANS(in_dev))
+				log_martians = IN_DEV_LOG_MARTIANS(in_dev);
+				if (log_martians)
 					net_info_ratelimited("source route option %pI4 -> %pI4\n",
 							     &iph->saddr,
 							     &iph->daddr);
+				if((log_martians == 2) && net_ratelimit()) {
+					print_hex_dump(KERN_INFO, "packet data: ", DUMP_PREFIX_OFFSET,
+						16, 1, skb->data, skb->len, true);
+				}
 				goto drop;
 			}
 		}
--- Documentation/networking/ip-sysctl.txt	2013-10-19 19:28:15.000000000 +0000
+++ Documentation/networking/ip-sysctl.txt	2013-10-24 08:42:46.785998632 +0000
@@ -810,11 +810,12 @@
 
 	conf/all/*	  is special, changes the settings for all interfaces
 
-log_martians - BOOLEAN
+log_martians - INTEGER
 	Log packets with impossible addresses to kernel log.
 	log_martians for the interface will be enabled if at least one of
-	conf/{all,interface}/log_martians is set to TRUE,
-	it will be disabled otherwise
+	conf/{all,interface}/log_martians is set to non-zero value,
+	it will be disabled otherwise. When the value is 2, not
+	only source and destination but full packet will be logged.
 
 accept_redirects - BOOLEAN
 	Accept ICMP redirect messages.
