From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id EDC816CF43 for ; Wed, 3 Feb 2021 15:25:49 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 2C3051B279 for ; Wed, 3 Feb 2021 15:25:49 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 6E1E81B1BD for ; Wed, 3 Feb 2021 15:25:45 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 32641461AE for ; Wed, 3 Feb 2021 15:25:45 +0100 (CET) From: Mira Limbeck To: pve-devel@lists.proxmox.com Date: Wed, 3 Feb 2021 15:25:33 +0100 Message-Id: <20210203142536.28480-3-m.limbeck@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210203142536.28480-1-m.limbeck@proxmox.com> References: <20210203142536.28480-1-m.limbeck@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.240 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods NO_DNS_FOR_FROM 0.379 Envelope sender has no MX or A DNS records RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [main.rs] Subject: [pve-devel] [PATCH conntrack-tool v2 3/5] add expectation support X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Feb 2021 14:25:50 -0000 Expectation support requires net.netfilter.nf_conntrack_helper to be set to 1. In addition the helper modules have to be loaded as well. In the tests nf_conntrack_ftp was used as helper. Together with expectation support, string attribute support is also added. Some functions which are conntrack specific are renamed to contain 'conntrack' in their names. Signed-off-by: Mira Limbeck --- v2: - mostly the same changes as for patch 1 src/main.rs | 249 +++++++++++++++++++++++++++++++++++-- src/netfilter_conntrack.rs | 44 +++++++ 2 files changed, 285 insertions(+), 8 deletions(-) diff --git a/src/main.rs b/src/main.rs index 2137556..79779ff 100644 --- a/src/main.rs +++ b/src/main.rs @@ -43,20 +43,37 @@ fn main() -> Result<()> { } } } + + let mut exps = Vec::new(); + socket + .query_expects(&mut exps) + .map_err(|err| format_err!("Error querying expects: {}", err))?; + + for exp in exps.iter() { + match serde_json::to_string(exp) { + Ok(s) => println!("{}", s), + Err(err) => { + eprintln!("Failed to serialize expect: {}", err); + break; + } + } + } } else if args[1] == "insert" { for line in BufReader::new(stdin()) .lines() .map(|line| line.unwrap_or_else(|_| "".to_string())) { - let ct: Conntrack = match serde_json::from_str(&line) { - Ok(ct) => ct, - Err(err) => { - eprintln!("Failed to deserialize conntrack: {}", err); - break; + if let Ok(ct) = serde_json::from_str::(&line) { + if let Err(err) = socket.insert_conntrack(ct) { + eprintln!("Error inserting conntrack: {}", err); } - }; - if let Err(err) = socket.insert_conntrack(ct) { - eprintln!("Error inserting conntrack: {}", err); + } else if let Ok(exp) = serde_json::from_str::(&line) { + if let Err(err) = socket.insert_expect(exp) { + eprintln!("Error inserting expect: {}", err); + } + } else { + eprintln!("Failed to deserialize input: {}", line); + break; } } } else { @@ -92,6 +109,13 @@ const CONNTRACK_INSERT_MSG_TYPE: u16 = ((libc::NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_NEW) as u16; const CONNTRACK_INSERT_FLAGS: u16 = (libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_CREATE) as u16; +const EXPECT_QUERY_MSG_TYPE: u16 = + ((libc::NFNL_SUBSYS_CTNETLINK_EXP << 8) | IPCTNL_MSG_EXP_GET) as u16; +const EXPECT_QUERY_FLAGS: u16 = (libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_DUMP) as u16; +const EXPECT_INSERT_MSG_TYPE: u16 = + ((libc::NFNL_SUBSYS_CTNETLINK_EXP << 8) | IPCTNL_MSG_EXP_NEW) as u16; +const EXPECT_INSERT_FLAGS: u16 = + (libc::NLM_F_ACK | libc::NLM_F_REQUEST | libc::NLM_F_CREATE) as u16; pub struct Socket { socket: NonNull, @@ -176,6 +200,88 @@ impl Socket { Ok(()) } + fn query_expects(&mut self, exps: &mut Vec) -> Result<()> { + let seq = self.seq(); + self.query_expects_impl(exps, seq, libc::AF_INET as _)?; + let seq = self.seq(); + self.query_expects_impl(exps, seq, libc::AF_INET6 as _)?; + Ok(()) + } + + fn query_expects_impl(&mut self, exps: &mut Vec, seq: u32, proto: u8) -> Result<()> { + let mut buf = [0u8; MNL_SOCKET_DUMP_SIZE as _]; + let hdr = build_msg_header( + buf.as_mut_ptr() as _, + EXPECT_QUERY_MSG_TYPE, + EXPECT_QUERY_FLAGS, + seq, + proto, + ); + self.send_and_receive(hdr, 0, Some(query_exp_cb), exps as *mut Vec as _) + } + + fn insert_expect(&mut self, exp: Expect) -> Result<()> { + let proto = if exp.is_ipv6() { + libc::AF_INET6 as u8 + } else { + libc::AF_INET as u8 + }; + + let mut buf = [0u8; MNL_SOCKET_BUFFER_SIZE as _]; + let hdr = build_msg_header( + buf.as_mut_ptr() as _, + EXPECT_INSERT_MSG_TYPE, + EXPECT_INSERT_FLAGS, + self.seq(), + proto, + ); + + let exph = unsafe { nfexp_new() }; + if exph.is_null() { + bail!("Failed to create new expect object"); + } + + let mut strings = Vec::new(); + let mut cts = Vec::new(); + for attr in exp.attributes { + match attr.value { + ExpectAttrValue::CT(ct) => unsafe { + let (ct, mut s) = build_conntrack(ct)?; + nfexp_set_attr(exph, attr.key, ct as _); + strings.append(&mut s); + cts.push(ct); + }, + ExpectAttrValue::U8(v) => unsafe { + nfexp_set_attr_u8(exph, attr.key, v); + }, + ExpectAttrValue::U16(v) => unsafe { + nfexp_set_attr_u16(exph, attr.key, v); + }, + ExpectAttrValue::U32(v) => unsafe { + nfexp_set_attr_u32(exph, attr.key, v); + }, + ExpectAttrValue::String(v) => unsafe { + nfexp_set_attr(exph, attr.key, v.as_ptr() as _); + strings.push(v); + }, + } + } + + unsafe { + nfexp_nlmsg_build(hdr, exph); + nfexp_destroy(exph); + } + for ct in cts { + unsafe { + nfct_destroy(ct); + } + } + + self.send_and_receive(hdr, 0, None, std::ptr::null_mut())?; + + Ok(()) + } + fn send_and_receive( &mut self, msg: *const libc::nlmsghdr, @@ -409,6 +515,7 @@ fn build_conntrack(ct: Conntrack) -> Result<(*mut nf_conntrack, Vec)> { } Ok((cth, strings)) } + const ALL_ATTRIBUTES: &[(CTAttr, AttrType)] = &[ (CTAttr::ORIG_IPV4_SRC, AttrType::U32), /* u32 bits */ (CTAttr::ORIG_IPV4_DST, AttrType::U32), /* u32 bits */ @@ -486,3 +593,129 @@ const ALL_ATTRIBUTES: &[(CTAttr, AttrType)] = &[ (CTAttr::SYNPROXY_ITS, AttrType::U32), /* u32 bits */ (CTAttr::SYNPROXY_TSOFF, AttrType::U32), /* u32 bits */ ]; + +extern "C" fn query_exp_cb(nlh: *const libc::nlmsghdr, data_ptr: *mut libc::c_void) -> libc::c_int { + let exp = unsafe { nfexp_new() }; + unsafe { + nfexp_nlmsg_parse(nlh, exp); + } + + let mut attributes = Vec::new(); + for (attr, ty) in EXPECT_ALL_ATTRIBUTES { + if unsafe { nfexp_attr_is_set(exp, *attr) } == 0 { + continue; + } + match ty { + ExpectAttrType::CT => { + let ct = unsafe { nfexp_get_attr(exp, *attr) }; + if let Some(ct) = parse_conntrack(ct as _) { + attributes.push(ExpectAttr { + key: *attr, + value: ExpectAttrValue::CT(ct), + }); + } + } + ExpectAttrType::U8 => { + let val = unsafe { nfexp_get_attr_u8(exp, *attr) }; + attributes.push(ExpectAttr { + key: *attr, + value: ExpectAttrValue::U8(val), + }); + } + ExpectAttrType::U16 => { + let val = unsafe { nfexp_get_attr_u16(exp, *attr) }; + attributes.push(ExpectAttr { + key: *attr, + value: ExpectAttrValue::U16(val), + }); + } + ExpectAttrType::U32 => { + let val = unsafe { nfexp_get_attr_u32(exp, *attr) }; + attributes.push(ExpectAttr { + key: *attr, + value: ExpectAttrValue::U32(val), + }); + } + ExpectAttrType::String(Some(len)) => { + let ptr = unsafe { nfexp_get_attr(exp, *attr) }; + let cstr = unsafe { std::ffi::CStr::from_ptr(ptr as _) }; + let s = cstr.to_bytes(); + let s = + unsafe { CString::from_vec_unchecked(s[0..s.len().min((*len) as _)].to_vec()) }; + attributes.push(ExpectAttr { + key: *attr, + value: ExpectAttrValue::String(s), + }); + } + ExpectAttrType::String(None) => { + let ptr = unsafe { nfexp_get_attr(exp, *attr) }; + let cstr = unsafe { std::ffi::CStr::from_ptr(ptr as _) }; + let s = cstr.to_bytes(); + let s = unsafe { CString::from_vec_unchecked(s.to_vec()) }; + attributes.push(ExpectAttr { + key: *attr, + value: ExpectAttrValue::String(s), + }); + } + } + } + + let exps: &mut Vec = unsafe { &mut *(data_ptr as *mut Vec) }; + exps.push(Expect { attributes }); + + MNL_CB_OK +} + +#[derive(Debug, Serialize, Deserialize)] +struct Expect { + attributes: Vec, +} + +impl Expect { + fn is_ipv6(&self) -> bool { + for attr in &self.attributes { + if let ExpectAttrValue::CT(ct) = &attr.value { + return ct.is_ipv6(); + } + } + false + } +} + +enum ExpectAttrType { + CT, + U8, + U16, + U32, + String(Option), +} + +#[derive(Debug, Serialize, Deserialize)] +enum ExpectAttrValue { + CT(Conntrack), + U8(u8), + U16(u16), + U32(u32), + String(CString), +} + +#[derive(Debug, Serialize, Deserialize)] +struct ExpectAttr { + #[serde(rename = "type")] + key: ExpAttr, + value: ExpectAttrValue, +} + +const EXPECT_ALL_ATTRIBUTES: &[(ExpAttr, ExpectAttrType)] = &[ + (ExpAttr::MASTER, ExpectAttrType::CT), // conntrack + (ExpAttr::EXPECTED, ExpectAttrType::CT), // conntrack + (ExpAttr::MASK, ExpectAttrType::CT), // conntrack + (ExpAttr::TIMEOUT, ExpectAttrType::U32), // u32 bits + (ExpAttr::ZONE, ExpectAttrType::U16), // u16 bits + (ExpAttr::FLAGS, ExpectAttrType::U32), // u32 bits + (ExpAttr::HELPER_NAME, ExpectAttrType::String(Some(16))), // string 16 bytes max + (ExpAttr::CLASS, ExpectAttrType::U32), // u32 bits + (ExpAttr::NAT_TUPLE, ExpectAttrType::CT), // conntrack + (ExpAttr::NAT_DIR, ExpectAttrType::U8), // u8 bits + (ExpAttr::FN, ExpectAttrType::String(None)), // string +]; diff --git a/src/netfilter_conntrack.rs b/src/netfilter_conntrack.rs index a9e67e4..8a56ad8 100644 --- a/src/netfilter_conntrack.rs +++ b/src/netfilter_conntrack.rs @@ -39,6 +39,25 @@ extern "C" { pub fn nfct_get_attr_u64(ct: *const nf_conntrack, type_: CTAttr) -> u64; pub fn nfct_attr_is_set(ct: *const nf_conntrack, type_: CTAttr) -> libc::c_int; + + // expectation API + pub fn nfexp_new() -> *mut nf_expect; + pub fn nfexp_destroy(exp: *mut nf_expect); + + pub fn nfexp_set_attr(exp: *mut nf_expect, type_: ExpAttr, value: *const libc::c_void); + pub fn nfexp_set_attr_u8(exp: *mut nf_expect, type_: ExpAttr, value: u8); + pub fn nfexp_set_attr_u16(exp: *mut nf_expect, type_: ExpAttr, value: u16); + pub fn nfexp_set_attr_u32(exp: *mut nf_expect, type_: ExpAttr, value: u32); + + pub fn nfexp_get_attr(exp: *const nf_expect, type_: ExpAttr) -> *const libc::c_void; + pub fn nfexp_get_attr_u8(exp: *const nf_expect, type_: ExpAttr) -> u8; + pub fn nfexp_get_attr_u16(exp: *const nf_expect, type_: ExpAttr) -> u16; + pub fn nfexp_get_attr_u32(exp: *const nf_expect, type_: ExpAttr) -> u32; + + pub fn nfexp_attr_is_set(exp: *const nf_expect, type_: ExpAttr) -> libc::c_int; + + pub fn nfexp_nlmsg_parse(nlh: *const libc::nlmsghdr, exp: *mut nf_expect) -> libc::c_int; + pub fn nfexp_nlmsg_build(nlh: *mut libc::nlmsghdr, exp: *const nf_expect) -> libc::c_int; } // set option @@ -166,3 +185,28 @@ pub enum CTAttr { SYNPROXY_TSOFF = 74, /* u32 bits */ MAX = 75, } + +#[repr(C)] +pub struct nf_expect { + _private: [u8; 0], +} + +#[repr(u32)] +#[non_exhaustive] +#[derive(Debug, Copy, Clone, PartialEq)] +#[derive(serde::Deserialize, serde::Serialize)] +#[allow(non_camel_case_types)] +pub enum ExpAttr { + MASTER = 0, /* pointer to conntrack object */ + EXPECTED = 1, /* pointer to conntrack object */ + MASK = 2, /* pointer to conntrack object */ + TIMEOUT = 3, /* u32 bits */ + ZONE = 4, /* u16 bits */ + FLAGS = 5, /* u32 bits */ + HELPER_NAME = 6, /* string (16 bytes max) */ + CLASS = 7, /* u32 bits */ + NAT_TUPLE = 8, /* pointer to conntrack object */ + NAT_DIR = 9, /* u8 bits */ + FN = 10, /* string */ + MAX = 11, +} -- 2.20.1