From: Eric L. <er...@in...> - 2008-12-02 09:54:52
|
Hi, snort-inline can be difficult to use because it is necessary to put the NFQUEUE rule in PREROUTING to get all the packets. In the case where we only want to analyse what is on FORWARD, there is no easy way to do this. The following patchset fixes this. By issuing a NF_REPEAT verdict and a little trick on the mark, we can use a simple ruleset. Let's say we reserve a bit in the mark for the reinjection process (we take value 1 for convenience). Then to send all traffic to snort-inline, we can just add at the top of the ruleset: iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE When a packet reaches the FORWARD chain, it matches the first rule and is sent to snort-inline. Instead of accepting the packet, snort-inline reinjects it in the FORWARD chain but changes the mark before doing so. Thus, the packet does not match this rule and continues through the standard Netfilter ruleset. The cost of the modification is light as it just adds a single rule check when the packet is reinjected. BR, -- Eric Leblond <er...@in...> INL: http://www.inl.fr/ NuFW: http://www.nufw.org/ |
From: Eric L. <er...@in...> - 2008-12-02 09:54:57
|
If set to non null, snort_inline will mark the packet with the given value and reinject it in the hook by issuing a NF_REPEAT verdict. This functionnality can be used to simplify the iptables ruleset. Let's say you want to use the mark 1, then to send all traffic to snort-inline, you can just add at the top of your ruleset: iptables -I FORWARD -m mark ! --mark 1 -j NFQUEUE The cost of the modification is light as it just add a single rule check when the packet is reinjected.
Signed-off-by: Eric Leblond <er...@in...>
---
src/inline.c | 13 +++++++++++--
src/parser.c | 20 ++++++++++++++++++++
src/snort.h | 3 +++
3 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/inline.c b/src/inline.c
index e938541..2f3b6f0 100644
--- a/src/inline.c
+++ b/src/inline.c
@@ -996,7 +996,12 @@ void HandlePacket()
 else if (iv.replace == 0)
 {
 #ifdef NFNETLINKQ
- status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL);
+ if (pv.netfilter_reinject_mark)
+ {
+ status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), 0, NULL);
+ } else {
+ status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL);
+ }
 if (status < 0)
 {
 fprintf(stderr, "NF_ACCEPT: ");
@@ -1012,7 +1017,11 @@ void HandlePacket()
 else /* implied replace */
 {
 #ifdef NFNETLINKQ
- status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload);
+ if (pv.netfilter_reinject_mark) {
+ status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), m->data_len, m->payload);
+ } else {
+ status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload);
+ }
 if (status < 0)
 {
 fprintf(stderr,"NF_ACCEPT: ");
diff --git a/src/parser.c b/src/parser.c
index 5a53f68..991a8f7 100644
--- a/src/parser.c
+++ b/src/parser.c
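Review bot: In both HandlePacket() hunks the error branch that follows the new verdict call still prints `fprintf(stderr, "NF_ACCEPT: ");`, so a failed NF_REPEAT verdict is reported as an accept failure; the label should follow the branch taken, e.g. `fprintf(stderr, pv.netfilter_reinject_mark ? "NF_REPEAT: " : "NF_ACCEPT: ");`. The two copies of the mark/repeat selection are also identical apart from the payload arguments and would read better as one small static helper taking `data_len` and `payload`. A comment above the first `if (pv.netfilter_reinject_mark)` should state that NF_REPEAT sends the packet through the hook again, so the ruleset must exclude packets carrying the mark from the NFQUEUE rule or every pass re-queues the packet, and that a configured mark of 0 means the feature is off. HandlePacket() begins and ends outside both hunks.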
@@ -6841,6 +6841,26 @@ void ParseConfig(char *rule)
 return;
 
 }
+ else if(!strcasecmp(config, "netfilter_reinject_mark"))
+ {
+ if(args)
+ {
+ toks = mSplit(args, " ", 1, &num_toks, 0);
+#ifdef GIDS
+#ifdef NFNETLINKQ
+ pv.netfilter_reinject_mark = atoi(toks[0]);
+#endif
+#endif
+
+ mSplitFree( &toks, num_toks );
+ }
+
+ mSplitFree(&rule_toks,num_rule_toks);
+ mSplitFree(&config_decl,num_config_decl_toks);
+
+ return;
+
+ }
 else if(!strcasecmp(config, "asn1"))
 {
 toks = mSplit(args, ", ", 20, &num_toks, 0);
diff --git a/src/snort.h b/src/snort.h
index 86b3d05..a9ea3a4 100644
--- a/src/snort.h
+++ b/src/snort.h
@@ -298,6 +298,9 @@ typedef struct _progvars
 int divert_port;
 int ipfw_reinject_rule;
 #endif /* USE IPFW DIVERT socket instead of IPtables */
+#ifdef NFNETLINKQ
+ int netfilter_reinject_mark;
+#endif
 #endif /* GIDS */
 #ifdef WIN32
 int syslog_remote_flag;
--
1.5.6.5
|
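Review bot: `pv.netfilter_reinject_mark = atoi(toks[0]);` stores the configured value with no validation: atoi() reports no error for non-numeric or out-of-range input, cannot read a hexadecimal mark such as 0x1, and returns 0 on bad input, which silently disables reinjection rather than failing the configuration. Parse with `errno = 0; unsigned long v = strtoul(toks[0], &end, 0);` and reject the option the way the surrounding ParseConfig() branches report errors when `end == toks[0] || *end != '\0' || errno == ERANGE || v > UINT32_MAX`; the same applies to the netfilter_reinject_mask branch added in the following patch. When `args` is NULL the option is accepted and ignored, which also deserves an error rather than silence. The new snort.h field is declared `int`, while the mark handed to nfq_set_verdict_mark() is an unsigned 32-bit value, so `unsigned int` (or u_int32_t) is the better type for both fields. ParseConfig() extends well beyond this hunk.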
From: Eric L. <er...@in...> - 2008-12-02 09:55:10
|
This patch adds a netfilter_reinject_mask option which can be used to only modify the packet mark with respect to the selected mask. Let's say you can use mark 1 and mask 1 (thus reserve one bit to the reinjection process). To send all traffic to snort-inline, you can just add at the top of your ruleset: iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE
Signed-off-by: Eric Leblond <er...@in...>
---
src/inline.c | 10 +++++++---
src/parser.c | 20 ++++++++++++++++++++
src/snort.h | 1 +
3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/inline.c b/src/inline.c
index 2f3b6f0..a5f8766 100644
--- a/src/inline.c
+++ b/src/inline.c
@@ -242,7 +242,7 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
 //ipq_pkt.packet_id = glid;
 //ipq_pkt.hw_protocol = ntohs(ph->hw_protocol);
 //ipq_pkt.hook = ph->hook;
- //ipq_pkt.mark = nfq_get_nfmark(nfa);
+ ipq_pkt.mark = nfq_get_nfmark(nfa);
 
 /* TODO: we only use this for rejects, so we might move
 * this to the reject code */
@@ -998,7 +998,9 @@ void HandlePacket()
 #ifdef NFNETLINKQ
 if (pv.netfilter_reinject_mark)
 {
- status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), 0, NULL);
+ status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT,
+ htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark),
+ 0, NULL);
 } else {
 status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL);
 }
@@ -1018,7 +1020,9 @@ void HandlePacket()
 {
 #ifdef NFNETLINKQ
 if (pv.netfilter_reinject_mark) {
- status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), m->data_len, m->payload);
+ status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT,
+ htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark),
+ m->data_len, m->payload);
 } else {
 status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload);
 }
diff --git a/src/parser.c b/src/parser.c
index 991a8f7..b0ac525 100644
--- a/src/parser.c
+++ b/src/parser.c
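Review bot: `(pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark` in both HandlePacket() hunks never clears bits of the existing mark, so the mask only limits the configured value and a masked bit that is already set on the packet cannot be cleared; the expression that matches the commit message is `(pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | (m->mark & ~pv.netfilter_reinject_mask)`. More seriously, if netfilter_reinject_mask is not configured and pv starts zeroed (its initialisation is not visible here), `mark & 0` is 0, the packet is reinjected with its original mark, and the `! --mark 1` rule matches again on every pass, so the packet is queued indefinitely; the mask should default to all ones (or a mask of 0 should be treated as "all bits") so that the first patch's behaviour is preserved. The cb() hunk at line 242 stores the mark as returned by nfq_get_nfmark(), which libnetfilter_queue converts to host order, so combining it with the host-order configuration before the single htonl() is consistent and worth a one-line comment at the verdict so it is not "fixed" later. Both HandlePacket() and cb() continue outside their hunks.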
@@ -6861,6 +6861,26 @@ void ParseConfig(char *rule)
 return;
 
 }
+ else if(!strcasecmp(config, "netfilter_reinject_mask"))
+ {
+ if(args)
+ {
+ toks = mSplit(args, " ", 1, &num_toks, 0);
+#ifdef GIDS
+#ifdef NFNETLINKQ
+ pv.netfilter_reinject_mask = atoi(toks[0]);
+#endif
+#endif
+
+ mSplitFree( &toks, num_toks );
+ }
+
+ mSplitFree(&rule_toks,num_rule_toks);
+ mSplitFree(&config_decl,num_config_decl_toks);
+
+ return;
+
+ }
 else if(!strcasecmp(config, "asn1"))
 {
 toks = mSplit(args, ", ", 20, &num_toks, 0);
diff --git a/src/snort.h b/src/snort.h
index a9ea3a4..d0f1542 100644
--- a/src/snort.h
+++ b/src/snort.h
@@ -300,6 +300,7 @@ typedef struct _progvars
 #endif /* USE IPFW DIVERT socket instead of IPtables */
 #ifdef NFNETLINKQ
 int netfilter_reinject_mark;
+ int netfilter_reinject_mask;
 #endif
 #endif /* GIDS */
 #ifdef WIN32
--
1.5.6.5
|
From: Will M. <wil...@gm...> - 2008-12-02 13:23:56
|
Thanks for the patches. We will have a look at them. Regards, Will On Tue, Dec 2, 2008 at 3:16 AM, Eric Leblond <er...@in...> wrote: > This patch adds a netfilter_reinject_mask option which can be > used to only modify the packet mark with respect to the selected > mask. Let's say you can use mark 1 and mask 1 (thus reserve one > bit to the reinjection process). To send all traffic to snort-inline, > you can just add at the top of your ruleset: > iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE > > Signed-off-by: Eric Leblond <er...@in...> > --- > src/inline.c | 10 +++++++--- > src/parser.c | 20 ++++++++++++++++++++ > src/snort.h | 1 + > 3 files changed, 28 insertions(+), 3 deletions(-) > > diff --git a/src/inline.c b/src/inline.c > index 2f3b6f0..a5f8766 100644 > --- a/src/inline.c > +++ b/src/inline.c > @@ -242,7 +242,7 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, > //ipq_pkt.packet_id = glid; > //ipq_pkt.hw_protocol = ntohs(ph->hw_protocol); > //ipq_pkt.hook = ph->hook; > - //ipq_pkt.mark = nfq_get_nfmark(nfa); > + ipq_pkt.mark = nfq_get_nfmark(nfa); > > /* TODO: we only use this for rejects, so we might move > * this to the reject code */ > @@ -998,7 +998,9 @@ void HandlePacket() > #ifdef NFNETLINKQ > if (pv.netfilter_reinject_mark) > { > - status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), 0, NULL); > + status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, > + htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark), > + 0, NULL); > } else { > status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, 0, NULL); > } 
> @@ -1018,7 +1020,9 @@ void HandlePacket() > { > #ifdef NFNETLINKQ > if (pv.netfilter_reinject_mark) { > - status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, htonl(pv.netfilter_reinject_mark), m->data_len, m->payload); > + status = nfq_set_verdict_mark(qhndl, glid, NF_REPEAT, > + htonl((pv.netfilter_reinject_mark & pv.netfilter_reinject_mask) | m->mark), > + m->data_len, m->payload); > } else { > status = nfq_set_verdict(qhndl, glid, NF_ACCEPT, m->data_len, m->payload); > } > diff --git a/src/parser.c b/src/parser.c > index 991a8f7..b0ac525 100644 > --- a/src/parser.c > +++ b/src/parser.c > @@ -6861,6 +6861,26 @@ void ParseConfig(char *rule) > return; > > } > + else if(!strcasecmp(config, "netfilter_reinject_mask")) > + { > + if(args) > + { > + toks = mSplit(args, " ", 1, &num_toks, 0); > +#ifdef GIDS > +#ifdef NFNETLINKQ > + pv.netfilter_reinject_mask = atoi(toks[0]); > +#endif > +#endif > + > + mSplitFree( &toks, num_toks ); > + } > + > + mSplitFree(&rule_toks,num_rule_toks); > + mSplitFree(&config_decl,num_config_decl_toks); > + > + return; > + > + } > else if(!strcasecmp(config, "asn1")) > { > toks = mSplit(args, ", ", 20, &num_toks, 0); > diff --git a/src/snort.h b/src/snort.h > index a9ea3a4..d0f1542 100644 > --- a/src/snort.h > +++ b/src/snort.h 
> @@ -300,6 +300,7 @@ typedef struct _progvars > #endif /* USE IPFW DIVERT socket instead of IPtables */ > #ifdef NFNETLINKQ > int netfilter_reinject_mark; > + int netfilter_reinject_mask; > #endif > #endif /* GIDS */ > #ifdef WIN32 > -- > 1.5.6.5 > > > ------------------------------------------------------------------------- > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge > Build the coolest Linux based applications with Moblin SDK & win great prizes > Grand prize is a trip for two to an Open Source event anywhere in the world > http://moblin-contest.org/redirect.php?banner_id=100&url=/ > _______________________________________________ > Snort-inline-users mailing list > Sno...@li... > https://lists.sourceforge.net/lists/listinfo/snort-inline-users > |