Re: Combining/compacting 2 rules into 1

On Tue, 16 Apr 2024 19:12:50 -0000
"William N." <netfilter@xxxxxxxxxx> wrote:

> Thank you, Kerin!
> 
> Could you please also tell me:
> 
> What is the way to actually test this rule? I.e. how do I send
> "improper" packets to see it do its work?
> 
> I have been successfully testing my other rules using nmap from another
> host and watching the 'journal -kf' and 'nft monitor trace' but this
> one is difficult for me.
> 

Firstly, I wrote the rule in such a way as to ease the testing process.

tcp flags syn meta protocol . tcp option maxseg size { ip . 0-535 counter, ip6 . 0-1219 counter }

Secondly, I wrote a crude script to generate a SYN packet while being able to set the MSS option to an arbitrary value.

#!/usr/bin/perl
# Crafts a single IPv4 TCP SYN carrying an MSS option (kind 2) of the given value.
# Usage: test-mss SADDR DADDR MSS   (raw sockets, so run as root)
use strict;
use warnings;
use Net::RawIP;
@ARGV == 3 or exit 1;
my ($saddr, $daddr, $mss) = @ARGV;
my $pkt = Net::RawIP->new;   # defaults to an IPv4/TCP packet
$pkt->set({
    'ip'  => {
        'saddr' => $saddr,
        'daddr' => $daddr
    },
    'tcp' => {
        'source'  => 1234,   # ports are arbitrary; the rule does not inspect them
        'dest'    => 1234,
        'syn'     => 1       # SYN flag set, so 'tcp flags syn' matches
    }
});
# Option kind 2 is MSS; its data is the 16-bit value in network byte order
$pkt->optset('tcp' => { 'type' => [ 2 ], 'data' => [ pack('n', $mss) ] });
$pkt->send(0, 1);   # send once, with no delay

Note that this requires the Net::RawIP module, which should be offered by your distribution as an installable package.

Thirdly, I ran the script, specifying a value that was not expected to match the rule.

# ./test-mss 127.0.0.1 127.0.0.1 536

By listing the ruleset, I could see that the counter had not increased.

Fourthly, I ran the script again, specifying a value that was expected to match the rule.

# ./test-mss 127.0.0.1 127.0.0.1 535

By listing the ruleset, I could see that the counter had increased.
 
tcp flags syn meta protocol . tcp option maxseg size { ip . 0-535 counter packets 1 bytes 44, ip6 . 0-1219 counter packets 0 bytes 0 }

There are probably some utilities that can do this. Certainly, there are other libraries; I hear that Scapy is a particularly good one.

-- 
Kerin Millar
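The following is an added example and not part of Kerin Millar's post or the netfilter project: a standard-library-only Python equivalent of the Perl script, for anyone without Net::RawIP or Scapy. It builds the IPv4 TCP SYN by hand, with the MSS option as the sole TCP option, so the packet is 20 + 20 + 4 = 44 bytes, which is exactly the "bytes 44" shown on the matching set element above. The port (1234), TTL (64) and window (65535) are arbitrary values chosen here; the function names, the thresholds copied from the rule (535 for ip, 1219 for ip6) and the parse/verify helpers are additions for checking the packet offline before sending it with root privileges.

```python
# Added example (not from the original post): build, inspect and optionally
# send a raw IPv4 TCP SYN whose only option is MSS, using only the stdlib.
import socket
import struct
import sys

# Thresholds copied from the rule's set: ip . 0-535, ip6 . 0-1219
MSS_LIMIT = {"ip": 535, "ip6": 1219}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(saddr: str, daddr: str, mss: int, sport: int = 1234, dport: int = 1234) -> bytes:
    """Return a complete IPv4 packet carrying a SYN with a single MSS option."""
    src, dst = socket.inet_aton(saddr), socket.inet_aton(daddr)
    options = struct.pack("!BBH", 2, 4, mss)          # kind=2 (MSS), len=4, value
    doff = (20 + len(options)) // 4                   # TCP header length in 32-bit words
    # sport, dport, seq, ack, data offset<<4, flags (SYN=0x02), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp) + len(options))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + options)) + tcp[18:]
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(options),
                     0, 0, 64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + options


def parse_mss(pkt: bytes):
    """Walk the TCP options of an IPv4 packet; return the MSS value or None."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += max(length, 2)           # guard against a malformed zero length
    return None


def verify_checksums(pkt: bytes):
    """Recompute both checksums; a correct header sums to zero under checksum()."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp_len = struct.unpack("!H", pkt[2:4])[0] - ihl
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)
    return checksum(pkt[:ihl]) == 0, checksum(pseudo + pkt[ihl:ihl + tcp_len]) == 0


def matches_rule(mss: int, family: str) -> bool:
    """Mirror the rule's set: True if this family/MSS pair would bump its counter."""
    return 0 <= mss <= MSS_LIMIT[family]


def send_syn(saddr: str, daddr: str, mss: int) -> int:
    """Inject the packet via a raw socket (needs CAP_NET_RAW); returns bytes sent."""
    pkt = build_syn(saddr, daddr, mss)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        return s.sendto(pkt, (daddr, 0))


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: test-mss.py SADDR DADDR MSS")
    send_syn(sys.argv[1], sys.argv[2], int(sys.argv[3]))
```

Invoked as `./test-mss.py 127.0.0.1 127.0.0.1 535` it sends the same 44-byte SYN as the Perl script; `parse_mss` and `verify_checksums` let you confirm the option encoding and checksums before touching a raw socket, and `matches_rule` states which values should and should not move the counters when you list the ruleset afterwards.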
