http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27418 Use the module_param functions (you probably want the string variant). See http://tldp.org/LDP/lkmpg/2.6/html/x323.html for examples. Depends on if you need to be able to modify it after the module has already been loaded. If not, a module parameter should suffice. HTH, James -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html James King 2008-12-04T01:01:20 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27417 Hi, After having a lot of help of Grant Taylor in order to analyze if I was able to achieve my idea using the available iptables features, and getting as result the fact that I had to develop my own kernel module. I'm writing to this list because my question is related to the linux kernel programing. I would like to pass parameters to the kernel module in run time from user space. These parameters could be IP address and MAC. Somebody know how I can do this?? I was thinking about passing this parameters thorough a sysctl syscall or using /proc filesystem, but I beleave that this is not the correct way. Also I was taking a look to iptables source code and analyzing the source code of iptables and libiptc lib, but I could not find any clue how to these ones change the kernel parameters. Could you pleas help me??? thanks! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordo ivan 2008-12-03T17:22:27 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27416 I did a little investigation into my one-way voice issue, and noticed that if I don't do voice-menus (i.e. where the Asterisk box itself generates the first outbound INVITE, then passes-through the 2nd INVITE once a handset picks up) then I get two-way voice (i.e. with sending the call directly to the phone). (In this topology, my Asterisk box is also my firewall/NATting router...) If I enable the voice menus in the inbound dialplan, however, it can hear the voice menus, but not the called-party when they pick up their phone (extension). So someone (either the SIP conntrack module on the Asterisk border firewall or else the SBC at the ILEC) is failing to look into the 2nd INVITE (i.e. we're not rewriting it properly as it goes by, or the SBC is failing to see it). I've put traces up on ftp://ftp.redfish-solutions.com/ as: trace-20081128-230313.br0 trace-20081128-230313.br1 trace-20081128-230415.br0 trace-20081128-230415.br1 The traces on interface "br1" are the "internal" network, with privat Philip Prindeville 2008-12-02T22:36:53 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27415 Hello All, This is a patch to the SYSRQ xtables-addon that is, I believe, secure enough to use in moderately untrustworthy environments. This is an updated version of the patch to address comments previously received. The main change, prompted by Patrick McHardy's question, is to allow the hash algorithm to be changed at module load time. Other than that I've clarified the '\n' password termination and updated the man page to include using -m limit, the configurable hash algorithm and made it a little that you can send multiple request keys. Rationale: I want to be able to use SYSRQ to reboot, crash or partially diagnose machines that become unresponsive for one reason or another. These machines, typically, are blades or rack mounted machines that do not have a PS/2 connection for a keyboard and the old method of wheeling round a "crash trolley" that has a monitor and a keyboard on it no longer works: USB keyboards rarely, if ever, work because by the time the machine is responding only John Haxby 2008-12-02T17:46:36 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27414 That's nice to hear! I agree. I've talked this through with some people, but it needs some proper thought. The weaknesses that I've identified are these: * The password can be recovered with an off-line dictionary attack. This is mitigated by using a good salt: in my example in the man page I use a 96 bit salt (dd bs=12 count=1 if=/dev/urandom) which makes a pre-computed dictionary attack difficult without large resources. However, a normal exhaustive search using the common password cracking techniques will yield a poorly chosen password fairly quickly. * The sha-1 hash is thought to be weak under some circumstances which makes its use for new cryptographic applications inappropriate. The weaknesses, however, seem to be that SHA-1 is not good for digital signatures, but it would seem good enough for this purpose. On the other hand, making the hash algorithm a module parameter so that it can be swapped out should SHA-1 prove unsuitable is straightforward (and I should probably do John Haxby 2008-12-02T09:43:36 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27413 From: Jan Engelhardt <jengelh< at >medozas.de> Date: Tue, 2 Dec 2008 02:41:02 +0100 (CET) I said "kernel image" addresses are a problem, not "kernel space." And by "kernel image" I mean addresses within the confines defined by the sections of the vmlinux binary. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html David Miller 2008-12-02T06:55:29 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27412 On Tuesday 2008-12-02 02:39, Patrick McHardy wrote: It looks similar to RFC 2617 HA1 generation. Should be ok. In paranoia mode, the administrator can always change the password after using it (effectively making it some sort of OTP). On the other hand, xt_SYSRQ could, theoretically, also do a full three-way authentication instead of the SPA it currently does. But I think that is a bit of overkill. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Jan Engelhardt 2008-12-02T01:53:37 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27411 On Tuesday 2008-12-02 01:14, David Miller wrote: Yes, kmalloc is already used. But then, what sort of address does kmalloc return, if not an address within kernelspace? (usually >=0xc0000000 on standard i386) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Jan Engelhardt 2008-12-02T01:41:02 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27410 This module is starting to look kind of useful. Maybe its time for a resubmission for review and possibly merging once these patches are included. If we were to merge it, it would also be good to get some feedback from the crypto guys about whether the chosen authentication scheme meets its claims. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Patrick McHardy 2008-12-02T01:39:31 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27409 From: Jan Engelhardt <jengelh< at >medozas.de> Date: Tue, 2 Dec 2008 01:13:34 +0100 (CET) kmalloc and copy it there, or something like that, you just can't use in-kernel addresses, ever. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html David Miller 2008-12-02T00:14:18 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27408 On Tuesday 2008-12-02 01:10, David Miller wrote: Great :-) So what is the best way to use the SHA1 crypto algo with in-kernel addresses? Jan -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Jan Engelhardt 2008-12-02T00:13:34 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27407 From: Jan Engelhardt <jengelh< at >medozas.de> Date: Mon, 1 Dec 2008 23:40:18 +0100 (CET) You can't use these interfaces on kernel image addresses. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html David Miller 2008-12-02T00:10:26 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27406 On Monday 2008-12-01 23:02, John Haxby wrote: Well, sysrq_password is in the .bss section, where as digest_password is on the heap due to being kmalloc'ed. Maybe that makes a difference? Someone more versed with the virtual memory layer might know. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Jan Engelhardt 2008-12-01T22:40:18 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27405 On Monday 2008-12-01 23:02, John Haxby wrote: Oh drats, I did not see that. That's why I prefer explicit zero tests everywhere (except bools, because they are bools, and not integers/pointers), e.g. for (i = 0; sysrq_password[i] != '\0'; ++i) Also, \n could be simply tested for by adding it to the for condition: for (i = 0; sysrq_password[i] != '\0' && sysrq_password[i] != '\n'; ++i) /* loop */; Turns out doing so saves 7 bytes on i586 ;-) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Jan Engelhardt 2008-12-01T22:37:58 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27404 I didn't like that much either: the reason given was that it didn't want to rely on kernel resources but that's quite a weak reason for including its own sha-1. On the other hand, for kernels where there isn't an sha-1 available that does make sense. Thanks, I'll work that into the man page. I think it does this anyway doesn't it? The "sysrq_password[i]" loop test stops at the '\0' and the "if (sysrq_password[i] == '\n') break" breaks out early if there's a '\n' in the string. The next assignment either overwrites the trailing '\0' with another one or null-terminates the string at the first LF. No :-) Eventually I discovered the reason my code wasn't working boils down to the definition of sg_set_buf: sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf)) which doesn't work for sysrq_password. I don't know why I'll double check. Yes. Yes. Thanks again. jch -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo< at >vge John Haxby 2008-12-01T22:02:12 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27403 gcc was warning that the return of the nice function should be treated. This patch adds an error message in case of failure. Signed-off-by: Eric Leblond <eric< at >inl.fr> --- src/ulogd.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/src/ulogd.c b/src/ulogd.c index e69079d..ead35b5 100644 --- a/src/ulogd.c +++ b/src/ulogd.c < at >< at > -1129,7 +1129,13 < at >< at > int main(int argc, char* argv[]) } } -nice(-1); +errno = 0; +if (nice(-1) == -1) { +if (errno != 0) +ulogd_log(ULOGD_ERROR, "Could not nice process: %s\n", + strerror(errno)); +} + if (daemonize){ if (fork()) { Eric Leblond 2008-12-01T21:36:06 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27402 If we free pluginstance in the stop function we won't be able to iter anymore on the stack linked list. Signed-off-by: Eric Leblond <eric< at >inl.fr> --- input/packet/ulogd_inppkt_NFLOG.c | 2 -- input/packet/ulogd_inppkt_ULOG.c | 1 - 2 files changed, 0 insertions(+), 3 deletions(-) diff --git a/input/packet/ulogd_inppkt_NFLOG.c b/input/packet/ulogd_inppkt_NFLOG.c index e27355d..9a39234 100644 --- a/input/packet/ulogd_inppkt_NFLOG.c +++ b/input/packet/ulogd_inppkt_NFLOG.c < at >< at > -569,8 +569,6 < at >< at > static int stop(struct ulogd_pluginstance *pi) nflog_unbind_group(ui->nful_gh); nflog_close(ui->nful_h); -free(pi); - return 0; } diff --git a/input/packet/ulogd_inppkt_ULOG.c b/input/packet/ulogd_inppkt_ULOG.c index 00975de..719898d 100644 --- a/input/packet/ulogd_inppkt_ULOG.c +++ b/input/packet/ulogd_inppkt_ULOG.c < at >< at > -309,7 +309,6 < at >< at > static int fini(struct ulogd_pluginstance *pi) struct ulog_input *ui = (struct ulog_input *)pi->private; ulogd_unregister_fd(&ui->ulog_fd); -free(pi); return Eric Leblond 2008-12-01T21:36:08 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27401 This patch fixes a memroy leak in the destructor function which was not releasing the memory allocated for each connection tracking entry. Signed-off-by: Eric Leblond <eric< at >inl.fr> --- input/flow/ulogd_inpflow_NFCT.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/input/flow/ulogd_inpflow_NFCT.c b/input/flow/ulogd_inpflow_NFCT.c index a39bf08..1730ec9 100644 --- a/input/flow/ulogd_inpflow_NFCT.c +++ b/input/flow/ulogd_inpflow_NFCT.c < at >< at > -692,6 +692,13 < at >< at > static int read_cb_nfct(int fd, unsigned int what, void *param) return 0; } +static int do_free(void *data1, void *data2) +{ +struct ct_timestamp *ts = data2; +free(ts->ct); +} + + static int do_purge(void *data1, void *data2) { int ret; < at >< at > -887,6 +894,9 < at >< at > static int destructor_nfct(struct ulogd_pluginstance *pi) struct nfct_pluginstance *cpi = (void *) pi->private; int rc; +/* free existent entries */ +hashtable_iterate(cpi->ct_active, NULL, do_free); + hashtable_destroy(cpi->ct_active); rc = nfc Eric Leblond 2008-12-01T21:36:15 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27400 From: Pablo Neira Ayuso <pablo< at >netfilter.org> This patch cleans up the current key assignation by introducing a set of functions ukey_* to set the key value as Eric Leblond and we discussed during the latest Netfilter Workshop. This patch is based on an idea from Holger Eitzenberger. Signed-off-by: Eric Leblond <eric< at >inl.fr> --- filter/raw2packet/ulogd_raw2packet_BASE.c | 217 ++++++++++------------------ filter/raw2packet/ulogd_raw2packet_LOCAL.c | 7 +- filter/ulogd_filter_HWHDR.c | 76 +++++----- filter/ulogd_filter_IFINDEX.c | 30 +++-- filter/ulogd_filter_IP2BIN.c | 9 +- filter/ulogd_filter_IP2STR.c | 15 +- filter/ulogd_filter_MARK.c | 4 +- filter/ulogd_filter_PRINTFLOW.c | 3 +- filter/ulogd_filter_PRINTPKT.c | 3 +- filter/ulogd_filter_PWSNIFF.c | 27 ++-- include/ulogd/ulogd.h | 60 ++++++++- input/flow/ulogd_inpflow_NFCT.c | 159 Eric Leblond 2008-12-01T21:35:59 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27399 This patch adds the config_stop function which is in charge of releasing ressources allocated for configuration file parsing. Signed-off-by: Eric Leblond <eric< at >inl.fr> --- include/ulogd/conffile.h | 3 +++ src/conffile.c | 4 ++++ src/ulogd.c | 2 ++ 3 files changed, 9 insertions(+), 0 deletions(-) diff --git a/include/ulogd/conffile.h b/include/ulogd/conffile.h index 826d9d5..7431243 100644 --- a/include/ulogd/conffile.h +++ b/include/ulogd/conffile.h < at >< at > -67,4 +67,7 < at >< at > int config_register_file(const char *file); /* parse the config file */ int config_parse_file(const char *section, struct config_keyset *kset); +/* release ressource allocated by config file handling */ +void config_stop(); + #endif /* ifndef _CONFFILE_H */ diff --git a/src/conffile.c b/src/conffile.c index 0c1a2a4..b27187e 100644 --- a/src/conffile.c +++ b/src/conffile.c < at >< at > -222,3 +222,7 < at >< at > cpf_error: return err; } +void config_stop() +{ +free(fname); +} diff --git a/src/ulogd.c b/src/ulogd.c ind Eric Leblond 2008-12-01T21:36:13 http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/27398 This patch adds support for SCTP in the MySQL and PGSQL output plugins. It adds a dedicated SCTP table and modifies the insert_packet_full procedure. Signed-off-by: Eric Leblond <eric< at >inl.fr> --- doc/mysql-ulogd2.sql | 43 ++++++++++++++++++++++++++++++++++++++++--- doc/pgsql-ulogd2.sql | 41 +++++++++++++++++++++++++++++++++++++++-- 2 files changed, 79 insertions(+), 5 deletions(-) diff --git a/doc/mysql-ulogd2.sql b/doc/mysql-ulogd2.sql index f1fc710..0c2973d 100644 --- a/doc/mysql-ulogd2.sql +++ b/doc/mysql-ulogd2.sql < at >< at > -31,6 +31,7 < at >< at > DROP TABLE IF EXISTS `mac`; DROP TABLE IF EXISTS `hwhdr`; DROP TABLE IF EXISTS `tcp`; DROP TABLE IF EXISTS `udp`; +DROP TABLE IF EXISTS `sctp`; DROP TABLE IF EXISTS `icmp`; DROP TABLE IF EXISTS `icmpv6`; DROP TABLE IF EXISTS `nufw`; < at >< at > -128,6 +129,19 < at >< at > ALTER TABLE udp ADD KEY `index_udp_id` (`_udp_id`); ALTER TABLE udp ADD KEY `udp_sport` (`udp_sport`); ALTER TABLE udp ADD KEY `udp_dport` (`udp_dport`); +CREATE TABLE `sctp` ( + `_sctp_id` bigint unsigned Eric Leblond 2008-12-01T21:36:05 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.comp.security.firewalls.netfilter.devel