Hello list,

I'm trying to block the BitTorrent protocol on my local machine with the ipp2p module using xtables-addons 3.24 on Fedora 37 (kernel 6.2.15) by adding the following rules:

# iptables -I OUTPUT -m ipp2p --bit --debug -j DROP
# iptables -I INPUT -m ipp2p --bit --debug -j DROP

However, the protocol is not blocked completely: the announce is still successfully transmitted to the HTTP announcer, apparently due to the nonlinear skb check in ipp2p.
There's code to block this case:

/* Search for BitTorrent commands */
static unsigned int
search_bittorrent(const unsigned char *payload, const unsigned int plen)
...
	if (memcmp(payload, "GET /", 5) == 0) {
		if (HX_memmem(payload, plen, "info_hash=", 10) != NULL)
			return IPP2P_BIT * 100 + 1;
However, it's not getting processed due to a nonlinear skb:

static bool ipp2p_mt(const struct sk_buff *skb, struct xt_action_param *par)
	/* make sure that skb is linear */
	if (skb_is_nonlinear(skb)) {
		if (info->debug)
			printk("IPP2P.match: nonlinear skb found\n");
		return 0;
	}
All I see in dmesg (rule with --debug) is:

IPP2P.match: nonlinear skb found

This could be checked with a simple curl command, which should be blocked if ipp2p --bit is active:

$ curl 'http://bt1.archive.org:6969/announce?info_hash=something'

I can see the response when executing this command; however, it should be blocked.
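An added user-space illustration of the gap the mail describes (not code from xtables-addons or from the sender): the same search_bittorrent() check run over a payload that is either contiguous or split across fragments, once with the current skip-on-nonlinear behaviour and once after gathering the fragments into one buffer first, the user-space analogue of skb_header_pointer()/skb_linearize(). The IPP2P_BIT value, the find_sub() helper and the sample announce request are assumptions made up for this demo.

```c
#include <stdlib.h>
#include <string.h>
#define IPP2P_BIT 8  /* placeholder for the demo; the real module defines its own */

/* Constructed sample: the request the curl test in the mail sends. */
static const unsigned char sample_announce[] =
    "GET /announce?info_hash=something HTTP/1.1\r\nHost: bt1.archive.org:6969\r\n\r\n";

/* Minimal stand-in for libHX's HX_memmem(). */
static const void *find_sub(const unsigned char *hay, size_t hlen, const char *needle, size_t nlen)
{
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* The same check the ipp2p excerpt applies to a linear payload. */
unsigned int search_bittorrent(const unsigned char *payload, unsigned int plen)
{
    if (plen >= 5 && memcmp(payload, "GET /", 5) == 0 &&
        find_sub(payload, plen, "info_hash=", 10) != NULL)
        return IPP2P_BIT * 100 + 1;
    return 0;
}

/* A payload spread over several buffers, like the paged data of a nonlinear skb. */
struct frag { const unsigned char *data; size_t len; };

/* What ipp2p does today: a nonlinear skb is skipped, so the match never runs. */
unsigned int match_skip_nonlinear(const struct frag *f, size_t n)
{
    return n > 1 ? 0 : search_bittorrent(f[0].data, (unsigned int)f[0].len);
}

/* Copy the pieces into one buffer first (the user-space analogue of
 * skb_header_pointer()/skb_linearize()), then run the same match. */
unsigned int match_gathered(const struct frag *f, size_t n)
{
    size_t total = 0, off = 0;
    for (size_t i = 0; i < n; i++)
        total += f[i].len;
    unsigned char *buf = malloc(total + 1);
    if (buf == NULL)
        return 0;
    for (size_t i = 0; i < n; off += f[i].len, i++)
        memcpy(buf + off, f[i].data, f[i].len);
    unsigned int r = search_bittorrent(buf, (unsigned int)total);
    free(buf);
    return r;
}
```

With the request split across two fragments, match_skip_nonlinear() returns 0 (the packet passes) while match_gathered() returns IPP2P_BIT * 100 + 1, which is why the announce in the mail gets through.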