Analyzing firewall rules programmatically

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I spent some time trying to figure out how to programmatically answer questions like "Does the ruleset R allow reaching service listening on port P from interface I?" or "Does the ruleset R1 allow something that ruleset R2 does not allow?".

I tried to find prior work on this area and was able to find "Verified iptables Firewall Analysis and Verification" [1] that uses the Isabelle proof assistant for iptables rules and "Automated Analysis and Debugging of Network Connectivity Policies" [2, 3] that uses Z3 for some simple Azure firewall ACL rules.

I could not find anything relevant for netfilter so I began experimenting a bit by writing a python function that tries to simulate nftables behavior given a ruleset and a packet. I used output of "nft --json list ruleset" to and soon noticed that it doesn't quite contain all the necessary information for this task.

For example, the default ufw configuration uses iptables to setup

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
  779 46756 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

which shows up as

$ sudo nft -a list ruleset | grep "handle 247"
		fib daddr type local counter packets 772 bytes 46336

in in the "normal" output. However, in the JSON output critical information (mainly "LOCAL") is entirely missing:

$ sudo nft -a --json list ruleset | jq . | grep -B5 -A19 '"handle": 247'
    {
      "rule": {
        "family": "ip",
        "table": "filter",
        "chain": "ufw-not-local",
        "handle": 247,
        "expr": [
          {
            "xt": {
              "type": "match",
              "name": "addrtype"
            }
          },
          {
            "counter": {
              "packets": 778,
              "bytes": 46696
            }
          },
          {
            "return": null
          }
        ]
      }
    },


I understand that ufw is using a compatibility interface. Nevertheless, I'm in need of a way to analyze firewall configurations of large number of real-world systems programmatically. Can you suggest how I should approach this? I can think of at least the following options:

1) Fix the JSON output.

2) Ignore the JSON output and try to parse the output of "nft list ruleset".

3) Use JSON output of most of the stuff but fill the gaps by also parsing "nft list ruleset".

4) Try to parse the raw netlink traffic seen in "nft --debug=netlink list ruleset".

4) Create separate tools for parsing iptables and netfilter rules and hope that no system mixes these two.


[1] https://link.springer.com/article/10.1007/s10817-017-9445-1
[2] https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/secguru.pdf
[3] https://github.com/Z3Prover/FirewallChecker






[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux