From 20b85299abec66a9db02661f56d64b25102348fa Mon Sep 17 00:00:00 2001 From: Itai Spiegel Date: Sat, 3 Feb 2024 14:51:15 +0200 Subject: [PATCH] Fix ports comparison in firewall hook (#3) --- module/netfilter_hook.c | 9 +++------ scripts/send_spoof_icmp_pkt.py | 8 +++++++- user/pkg/fwtypes/reason.go | 2 +- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/module/netfilter_hook.c b/module/netfilter_hook.c index 1f5a127..420e1fb 100644 --- a/module/netfilter_hook.c +++ b/module/netfilter_hook.c @@ -35,6 +35,7 @@ static inline bool match_direction(rule_t *rule, packet_t *packet) { static inline bool match_rule_ports(__be16 rule_port, __be16 skb_port) { // The port numbers are in big endian, so we need to convert them to host // byte order. + // Notice that we assume non UDP and non TCP packets have 0 as their ports. return (rule_port == PORT_ANY || rule_port == skb_port || (rule_port == PORT_ABOVE_1023_BE && be16_to_cpu(skb_port) > 1023)); } @@ -51,12 +52,8 @@ static inline bool match_ip_addrs(rule_t *rule, packet_t *packet) { } static inline bool match_ports(rule_t *rule, packet_t *packet) { - return (rule->protocol == PROT_UDP && - match_rule_ports(rule->src_port, packet->src_port) && - match_rule_ports(rule->dst_port, packet->dst_port)) || - (rule->protocol == PROT_TCP && - match_rule_ports(rule->src_port, packet->src_port) && - match_rule_ports(rule->dst_port, packet->dst_port)); + return match_rule_ports(rule->src_port, packet->src_port) && + match_rule_ports(rule->dst_port, packet->dst_port); } static inline bool match_protocol(rule_t *rule, packet_t *packet) { diff --git a/scripts/send_spoof_icmp_pkt.py b/scripts/send_spoof_icmp_pkt.py index 2b5f6bb..9c85ad9 100644 --- a/scripts/send_spoof_icmp_pkt.py +++ b/scripts/send_spoof_icmp_pkt.py @@ -1,12 +1,17 @@ #!/usr/bin/python3 -from scapy.all import IP, ICMP, send import click +from scapy.all import ICMP, IP, send """ This script is used to send a spoofed ICMP packet to a target IP address. +Notice that in order for the router to successfully route this packet, +you first need to turn off the reverse path filtering. +More info about this here: +https://sysctl-explorer.net/net/ipv4/rp_filter/ """ + @click.command() @click.option("--target-ip", prompt="Target IP", help="IP address of the target") @click.option("--source-ip", prompt="Source IP", help="IP address of the source") @@ -15,5 +20,6 @@ def send_spoof_icmp_packet(target_ip: str, source_ip: str): send(icmp_packet, verbose=0) print("ICMP packet sent from {0} to {1}".format(source_ip, target_ip)) + if __name__ == "__main__": send_spoof_icmp_packet() diff --git a/user/pkg/fwtypes/reason.go b/user/pkg/fwtypes/reason.go index 47fef27..c402da8 100644 --- a/user/pkg/fwtypes/reason.go +++ b/user/pkg/fwtypes/reason.go @@ -17,7 +17,7 @@ func (r Reason) String() string { return "NoMatchingRule" case r == ReasonXmasPacket: return "XmasPacket" - case r > 0: + case r >= 0: return strconv.Itoa(int(r)) default: return "Unknown"