Fix ports comparison in firewall hook (#3)

itaispiegel · Feb 3, 2024 · 20b8529 · 20b8529
1 parent 3e537c3
commit 20b8529
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/module/netfilter_hook.c b/module/netfilter_hook.c
@@ -35,6 +35,7 @@ static inline bool match_direction(rule_t *rule, packet_t *packet) {
 static inline bool match_rule_ports(__be16 rule_port, __be16 skb_port) {
     // The port numbers are in big endian, so we need to convert them to host
     // byte order.
+    // Notice that we assume non UDP and non TCP packets have 0 as their ports.
     return (rule_port == PORT_ANY || rule_port == skb_port ||
             (rule_port == PORT_ABOVE_1023_BE && be16_to_cpu(skb_port) > 1023));
 }
@@ -51,12 +52,8 @@ static inline bool match_ip_addrs(rule_t *rule, packet_t *packet) {
 }
 
 static inline bool match_ports(rule_t *rule, packet_t *packet) {
-    return (rule->protocol == PROT_UDP &&
-            match_rule_ports(rule->src_port, packet->src_port) &&
-            match_rule_ports(rule->dst_port, packet->dst_port)) ||
-           (rule->protocol == PROT_TCP &&
-            match_rule_ports(rule->src_port, packet->src_port) &&
-            match_rule_ports(rule->dst_port, packet->dst_port));
+    return match_rule_ports(rule->src_port, packet->src_port) &&
+           match_rule_ports(rule->dst_port, packet->dst_port);
 }
 
 static inline bool match_protocol(rule_t *rule, packet_t *packet) {

diff --git a/scripts/send_spoof_icmp_pkt.py b/scripts/send_spoof_icmp_pkt.py
@@ -1,12 +1,17 @@
 #!/usr/bin/python3
 
-from scapy.all import IP, ICMP, send
 import click
+from scapy.all import ICMP, IP, send
 
 """
 This script is used to send a spoofed ICMP packet to a target IP address.
+Notice that in order for the router to successfully route this packet,
+you first need to turn off the reverse path filtering.
+More info about this here:
+https://sysctl-explorer.net/net/ipv4/rp_filter/
 """
 
+
 @click.command()
 @click.option("--target-ip", prompt="Target IP", help="IP address of the target")
 @click.option("--source-ip", prompt="Source IP", help="IP address of the source")
@@ -15,5 +20,6 @@ def send_spoof_icmp_packet(target_ip: str, source_ip: str):
     send(icmp_packet, verbose=0)
     print("ICMP packet sent from {0} to {1}".format(source_ip, target_ip))
 
+
 if __name__ == "__main__":
     send_spoof_icmp_packet()
diff --git a/user/pkg/fwtypes/reason.go b/user/pkg/fwtypes/reason.go
@@ -17,7 +17,7 @@ func (r Reason) String() string {
 		return "NoMatchingRule"
 	case r == ReasonXmasPacket:
 		return "XmasPacket"
-	case r > 0:
+	case r >= 0:
 		return strconv.Itoa(int(r))
 	default:
 		return "Unknown"