diff options
author | Fernando Fernandez Mancera <ffmancera@riseup.net> | 2019-06-22 19:12:08 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-07-17 10:22:39 +0200 |
commit | 1188a69604c3df2a63daca9e735fdb535e8f6b63 (patch) | |
tree | 21887d78f5b30023546f40da96aaa4cf256a59e5 /doc | |
parent | 82cc676289803cfd1e69dfeaa4658d57a1547a86 (diff) |
src: introduce SYNPROXY matching
Add support for "synproxy" statement. For example (for TCP port 8888):
table ip x {
chain y {
type filter hook prerouting priority raw; policy accept;
tcp dport 8888 tcp flags syn notrack
}
chain z {
type filter hook input priority filter; policy accept;
tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
ct state invalid drop
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/statements.txt | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/doc/statements.txt b/doc/statements.txt index bc2f9449..e17068a8 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -483,6 +483,93 @@ table inet x { } ------------------------------------- +SYNPROXY STATEMENT +~~~~~~~~~~~~~~~~~~ +This statement will process TCP three-way-handshake parallel in netfilter +context to protect either local or backend system. This statement requires +connection tracking because sequence numbers need to be translated. + +[verse] +*synproxy* [*mss* 'mss_value'] [*wscale* 'wscale_value'] ['SYNPROXY_FLAGS'] + +.synproxy statement attributes +[options="header"] +|================= +| Name | Description +| mss | Maximum segment size announced to clients. This must match the backend. +| wscale | Window scale announced to clients. This must match the backend. +|================= + +.synproxy statement flags +[options="header"] +|================= +| Flag | Description +| sack-perm | +Pass client selective acknowledgement option to backend (will be disabled if +not present). +| timestamp | +Pass client timestamp option to backend (will be disabled if not present, also +needed for selective acknowledgement and window scaling). +|================= + +.Example ruleset for synproxy statement +--------------------------------------- +Determine tcp options used by backend, from an external system + + tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)' + port 80 & + telnet 192.0.2.42 80 + 18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757: + Flags [S.], seq 360414582, ack 788841994, win 14480, + options [mss 1460,sackOK, + TS val 1409056151 ecr 9690221, + nop,wscale 9], + length 0 + +Switch tcp_loose mode off, so conntrack will mark out-of-flow packets as state INVALID. + + echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose + +Make SYN packets untracked. + + table ip x { + chain y { + type filter hook prerouting priority raw; policy accept; + tcp flags syn notrack + } + } + +Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states and send +them to SYNPROXY. This rule will respond to SYN packets with SYN+ACK +syncookies, create ESTABLISHED for valid client response (3WHS ACK packets) and +drop incorrect cookies. Flags combinations not expected during 3WHS will not +match and continue (e.g. SYN+FIN, SYN+ACK). Finally, drop invalid packets, this +will be out-of-flow packets that were not matched by SYNPROXY. + + table ip foo { + chain z { + type filter hook input priority filter; policy accept; + ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack-perm + ct state invalid drop + } + } + +The outcome ruleset of the steps above should be similar to the one below. + + table ip x { + chain y { + type filter hook prerouting priority raw; policy accept; + tcp flags syn notrack + } + + chain z { + type filter hook input priority filter; policy accept; + ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack-perm + ct state invalid drop + } + } +--------------------------------------- + FLOW STATEMENT ~~~~~~~~~~~~~~ A flow statement allows us to select what flows you want to accelerate |