* IP sets: Suggestion: additional value match
@ 2015-07-30 15:29 Rudolf_AT
2015-08-03 9:13 ` Jozsef Kadlecsik
0 siblings, 1 reply; 4+ messages in thread
From: Rudolf_AT @ 2015-07-30 15:29 UTC (permalink / raw)
To: netfilter-devel
Hi,
when working with IP sets, I came up with the following idea:
adding a value match:
-j SET --add-set set1 flag[,flag]=value
--match-set set1 flag[,flag]=value
Where value is an integer which is set in the added list element of the
SET target. The value does not change the dimension of the list. The
match is true only if the given value is equal to the value stored in
the found element.
Optionally adding an arbitrary value could help using IP sets in even
more ways than now, for example easily tracking packets independently of
other extensions or matches.
For example, instead of using three sets to distinguish between three
different states:
-j SET --add-set state1set src,dst,dst
-j SET --del-set state2set src,dst,dst
-j SET --del-set state3set src,dst,dst
one would write:
-j SET --add-set aset1 src,dst,dst=<integer>
Where <integer> resembles state1|state2|state3 then.
Maybe you can think of more uses for this feature.
As a further enhancement bit operators might be useful, too.
Best Regards,
Rudolf
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: IP sets: Suggestion: additional value match
2015-07-30 15:29 IP sets: Suggestion: additional value match Rudolf_AT
@ 2015-08-03 9:13 ` Jozsef Kadlecsik
2015-08-04 5:51 ` Rudolf_AT
0 siblings, 1 reply; 4+ messages in thread
From: Jozsef Kadlecsik @ 2015-08-03 9:13 UTC (permalink / raw)
To: Rudolf_AT; +Cc: netfilter-devel
Hi,
On Thu, 30 Jul 2015, Rudolf_AT wrote:
> when working with IP sets, I came up with the following idea:
> adding a value match:
>
> -j SET --add-set set1 flag[,flag]=value
> --match-set set1 flag[,flag]=value
>
> Where value is an integer which is set in the added list element of the
> SET target. The value does not change the dimension of the list. The
> match is true only if the given value is equal to the value stored in
> the found element.
>
> Optionally adding an arbitrary value could help using IP sets in even
> more ways than now, for example easily tracking packets independently of
> other extensions or matches.
>
> For example, instead of using three sets to distinguish between three
> different states:
> -j SET --add-set state1set src,dst,dst
> -j SET --del-set state2set src,dst,dst
> -j SET --del-set state3set src,dst,dst
> one would write:
> -j SET --add-set aset1 src,dst,dst=<integer>
> Where <integer> resembles state1|state2|state3 then.
>
> Maybe you can think of more uses for this feature.
> As a further enhancement bit operators might be useful, too.
The stored value is not a dimension-like parameter, so it should not be
denoted/matched/updated as a dimension related one.
As far as I see it's quite similar to the "connmark/CONNMARK" match
and target. Why cannot that simply be used?
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: IP sets: Suggestion: additional value match
2015-08-03 9:13 ` Jozsef Kadlecsik
@ 2015-08-04 5:51 ` Rudolf_AT
2015-08-06 16:08 ` Rudolf_AT
0 siblings, 1 reply; 4+ messages in thread
From: Rudolf_AT @ 2015-08-04 5:51 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter-devel
Thanks for your reply!
> As far as I see it's quite similar to the "connmark/CONNMARK" match
> and target. Why cannot that simply be used?
Yes, it is quite similar to connmark. But - to my knowledge - I think at
least the following differences apply:
CONNMARK can be used: a) if there are no conflicts with existing use of
connmark rules - in particular with special firewall/packetfilter
systems with built-in-rules - and b) if a connection should be
identified exactly by src/dest IP + src/dest port.
SET can be used without interfering with connection tracking and other
existing SET rules. Identifying the origin and destination of a packet
is more flexible by using one or all of src/dest IP + one port.
In particular, I used SET instead of CONNMARK to implement the rules
described by Jan Engelhardt in "Detecting and deceiving network scans".
Best Regards,
Rudolf
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: IP sets: Suggestion: additional value match
2015-08-04 5:51 ` Rudolf_AT
@ 2015-08-06 16:08 ` Rudolf_AT
0 siblings, 0 replies; 4+ messages in thread
From: Rudolf_AT @ 2015-08-06 16:08 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter-devel
Hi,
Just to let you know, regarding my previous post:
> In particular, I used SET instead of CONNMARK to implement the rules
> described by Jan Engelhardt in "Detecting and deceiving network scans".
(Has nothing to do with IP sets.)
As it turns out, some legitimate clients open and close TCP connections
in a way which makes them behave like connect scans. This makes the
attempt detecting those scans by the mentioned rules look less appealing.
Best Regards,
Rudolf
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-08-06 16:08 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-07-30 15:29 IP sets: Suggestion: additional value match Rudolf_AT
2015-08-03 9:13 ` Jozsef Kadlecsik
2015-08-04 5:51 ` Rudolf_AT
2015-08-06 16:08 ` Rudolf_AT
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).