On Tue, 16 Apr 2024 19:12:50 -0000
"William N." <netfilter@xxxxxxxxxx> wrote:
> Thank you, Kerin!
>
> Could you please also tell me:
>
> What is the way to actually test this rule? I.e. how do I send
> "improper" packets to see it do its work?
>
> I have been successfully testing my other rules using nmap from another
> host and watching the 'journal -kf' and 'nft monitor trace' but this
> one is difficult for me.
>
Firstly, I wrote the rule in such a way as to ease the testing process.
tcp flags syn meta protocol . tcp option maxseg size { ip . 0-535 counter, ip6 . 0-1219 counter }
Secondly, I wrote a crude script to generate a SYN packet while being able to set the MSS option to an abitrarily value.
#!/usr/bin/perl
use Net::RawIP;
@ARGV == 3 or exit 1;
my ($saddr, $daddr, $mss) = @ARGV;
my $pkt = Net::RawIP->new;
$pkt->set({
'ip' => {
'saddr' => $saddr,
'daddr' => $daddr
},
'tcp' => {
'source' => 1234,
'dest' => 1234,
'syn' => 1
}
});
$pkt->optset('tcp' => { 'type' => [ 2 ], 'data' => [ pack('n', $mss) ] });
$pkt->send(0, 1);
Note that this requires the Net::RawIP module, which should be offered by your distribution as an installable package.
Thirdly, I ran the script, specifying a value that was not expected to match the rule.
# ./test-mss 127.0.0.1 127.0.0.1 536
By listing the ruleset, I could see that the counter had not increased.
Fourthly, I ran the script again, specifying a value that was expected to match the rule.
# ./test-mss 127.0.0.1 127.0.0.1 535
By listing the ruleset, I could see that the counter had increased.
tcp flags syn meta protocol . tcp option maxseg size { ip . 0-535 counter packets 1 bytes 44, ip6 . 0-1219 counter packets 0 bytes 0 }
There are probably some utilities that can do this. Certainly, there are other libraries; I hear that Scapy is a particularly good one.
--
Kerin Millar
