From 1188a69604c3df2a63daca9e735fdb535e8f6b63 Mon Sep 17 00:00:00 2001 From: Fernando Fernandez Mancera Date: Sat, 22 Jun 2019 19:12:08 +0200 Subject: src: introduce SYNPROXY matching Add support for "synproxy" statement. For example (for TCP port 8888): table ip x { chain y { type filter hook prerouting priority raw; policy accept; tcp dport 8888 tcp flags syn notrack } chain z { type filter hook input priority filter; policy accept; tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm ct state invalid drop } } Signed-off-by: Fernando Fernandez Mancera Signed-off-by: Pablo Neira Ayuso --- doc/statements.txt | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) (limited to 'doc') diff --git a/doc/statements.txt b/doc/statements.txt index bc2f9449..e17068a8 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -483,6 +483,93 @@ table inet x { } ------------------------------------- +SYNPROXY STATEMENT +~~~~~~~~~~~~~~~~~~ +This statement will process TCP three-way-handshake parallel in netfilter +context to protect either local or backend system. This statement requires +connection tracking because sequence numbers need to be translated. + +[verse] +*synproxy* [*mss* 'mss_value'] [*wscale* 'wscale_value'] ['SYNPROXY_FLAGS'] + +.synproxy statement attributes +[options="header"] +|================= +| Name | Description +| mss | Maximum segment size announced to clients. This must match the backend. +| wscale | Window scale announced to clients. This must match the backend. +|================= + +.synproxy statement flags +[options="header"] +|================= +| Flag | Description +| sack-perm | +Pass client selective acknowledgement option to backend (will be disabled if +not present). +| timestamp | +Pass client timestamp option to backend (will be disabled if not present, also +needed for selective acknowledgement and window scaling). +|================= + +.Example ruleset for synproxy statement +--------------------------------------- +Determine tcp options used by backend, from an external system + + tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)' + port 80 & + telnet 192.0.2.42 80 + 18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757: + Flags [S.], seq 360414582, ack 788841994, win 14480, + options [mss 1460,sackOK, + TS val 1409056151 ecr 9690221, + nop,wscale 9], + length 0 + +Switch tcp_loose mode off, so conntrack will mark out-of-flow packets as state INVALID. + + echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose + +Make SYN packets untracked. + + table ip x { + chain y { + type filter hook prerouting priority raw; policy accept; + tcp flags syn notrack + } + } + +Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states and send +them to SYNPROXY. This rule will respond to SYN packets with SYN+ACK +syncookies, create ESTABLISHED for valid client response (3WHS ACK packets) and +drop incorrect cookies. Flags combinations not expected during 3WHS will not +match and continue (e.g. SYN+FIN, SYN+ACK). Finally, drop invalid packets, this +will be out-of-flow packets that were not matched by SYNPROXY. + + table ip foo { + chain z { + type filter hook input priority filter; policy accept; + ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack-perm + ct state invalid drop + } + } + +The outcome ruleset of the steps above should be similar to the one below. + + table ip x { + chain y { + type filter hook prerouting priority raw; policy accept; + tcp flags syn notrack + } + + chain z { + type filter hook input priority filter; policy accept; + ct state { invalid, untracked } synproxy mss 1460 wscale 9 timestamp sack-perm + ct state invalid drop + } + } +--------------------------------------- + FLOW STATEMENT ~~~~~~~~~~~~~~ A flow statement allows us to select what flows you want to accelerate -- cgit v1.2.3