

Dont use hmark for legacy acls (#1016) (#1018)
Co-authored-by: Amit Limaye <alimaye@paloaltonetworks.com>

Co-authored-by: Amit Limaye <alimaye@paloaltonetworks.com>
amitlimaye and Amit Limaye committed Mar 28, 2020
1 parent 2d7fbf9 commit 034a374
Showing 3 changed files with 75 additions and 37 deletions.
2 changes: 1 addition & 1 deletion controller/internal/supervisor/iptablesctrl/acls.go
Expand Up @@ -45,7 +45,7 @@ func (i *iptables) cgroupChainRules(cfg *ACLInfo) [][]string {
cfg.ContextID,
cfg.AppChain,
cfg.NetChain,
cfg.CgroupMark,
cfg.PacketMark,
cfg.TCPPorts,
cfg.UDPPorts,
cfg.ProxyPort,
95 changes: 66 additions & 29 deletions controller/internal/supervisor/iptablesctrl/rules.go
Expand Up @@ -23,7 +23,10 @@ var globalRules = `
{{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}}
{{.MangleTable}} {{.MainNetChain}} -j {{ .MangleProxyNetChain }}
{{if .IsLegacyKernel}}
{{.MangleTable}} {{.MainNetChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} src -m string --string {{.UDPSignature}} --algo bm --to 65535 -j NFQUEUE --queue-bypass --queue-balance {{.QueueBalanceNetSynAck}}
{{.MangleTable}} {{.MainNetChain}} -m set --match-set {{.TargetTCPNetSet}} src -p tcp --tcp-flags ALL ACK -m tcp --tcp-option 34 -j NFQUEUE --queue-balance {{.QueueBalanceNetAck}}
{{else}}
{{$.MangleTable}} {{$.MainNetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src -j HMARK --hmark-tuple src,sport,dst,dport --hmark-offset 0x1 --hmark-rnd {{$.HMarkRandomSeed}} --hmark-mod {{$length}}
{{range $index,$queuenum := .NetSynAckQueues}}
{{$.MangleTable}} {{$.MainNetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src -m string --string {{$.UDPSignature}} --algo bm --to 65535 -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-bypass --queue-num {{$queuenum}}
Expand All @@ -32,6 +35,8 @@ var globalRules = `
{{range $index,$queuenum := .NetAckQueues}}
{{$.MangleTable}} {{$.MainNetChain}} -m set --match-set {{$.TargetTCPNetSet}} src -p tcp --tcp-flags ALL ACK -m tcp --tcp-option 34 -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{end}}
{{if isBPFEnabled}}
{{.MangleTable}} {{.MainNetChain}} -m set --match-set {{.TargetTCPNetSet}} src -p tcp --tcp-flags SYN NONE -m bpf --object-pinned {{.BPFPath}} -m state --state ESTABLISHED -j ACCEPT
Expand All @@ -43,14 +48,19 @@ var globalRules = `
{{if isLocalServer}}
{{.MangleTable}} {{.MainNetChain}} -j {{.UIDInput}}
{{end}}
{{if .IsLegacyKernel}}
{{.MangleTable}} {{.MainNetChain}} -m set --match-set {{.TargetTCPNetSet}} src -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-balance {{.QueueBalanceNetSynAck}} --queue-bypass
{{.MangleTable}} {{.MainNetChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} src -m tcp --tcp-option 34 --tcp-flags SYN,ACK SYN -j NFQUEUE --queue-balance {{.QueueBalanceNetSyn}} --queue-bypass
{{else}}
{{range $index,$queuenum := .NetSynAckQueues}}
{{$.MangleTable}} {{$.MainNetChain}} -m set --match-set {{$.TargetTCPNetSet}} src -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass
{{end}}
{{range $index,$queuenum := .NetSynQueues}}
{{$.MangleTable}} {{$.MainNetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-option 34 --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass
{{end}}
{{end}}
{{if isLocalServer}}
Expand All @@ -69,17 +79,29 @@ var globalRules = `
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultExternalConnmark}} -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p tcp ! --tcp-flags SYN,ACK SYN,ACK -j ACCEPT
{{end}}
{{if .IsLegacyKernel}}
{{else}}
{{$length := len .AppSynQueues}}
{{$.MangleTable}} {{$.MainAppChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} dst -j HMARK --hmark-tuple dst,dport,src,sport --hmark-offset 0x1 --hmark-rnd {{$.HMarkRandomSeed}} --hmark-mod {{$length}}
{{$.MangleTable}} {{$.MainAppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -j HMARK --hmark-tuple dst,dport,src,sport --hmark-offset 0x1 --hmark-rnd {{$.HMarkRandomSeed}} --hmark-mod {{$length}}
{{end}}
{{if isLocalServer}}
{{.MangleTable}} {{.MainAppChain}} -j {{.UIDOutput}}
{{end}}
{{.MangleTable}} {{.MainAppChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} dst -m tcp --tcp-flags SYN,ACK SYN,ACK -j MARK --set-mark {{.InitialMarkVal}}/{{.MarkMask}}
{{if .IsLegacyKernel}}
{{.MangleTable}} {{.MainAppChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} dst -m tcp --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-balance {{.QueueBalanceAppSynAck}} --queue-bypass
{{else}}
{{range $index,$queuenum := .AppSynAckQueues}}
{{$.MangleTable}} {{$.MainAppChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} dst -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass
{{end}}
{{end}}
{{if isLocalServer}}
{{.MangleTable}} {{.MainAppChain}} -j {{.TriremeOutput}}
{{.MangleTable}} {{.MainAppChain}} -j {{.NetworkSvcOutput}}
Expand Down Expand Up @@ -170,22 +192,29 @@ var packetCaptureTemplate = `
{{if needDnsRules}}
{{.MangleTable}} {{.AppChain}} -p udp -m udp --dport 53 -j ACCEPT
{{end}}
{{range $index,$queuenum := .AppSynQueues}}
{{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{range $index,$queuenum := .AppAckQueues}}
{{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{if .IsLegacyKernel}}
{{.MangleTable}} {{.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN -j NFQUEUE --queue-balance {{.QueueBalanceAppSyn}}
{{.MangleTable}} {{.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK ACK -j NFQUEUE --queue-balance {{.QueueBalanceAppAck}}
{{if isUIDProcess}}
{{range $index,$queuenum := .AppSynAckQueues}}
{{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{.MangleTable}} {{.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-balance {{.QueueBalanceAppSynAck}}
{{end}}
{{end}}
{{range $index,$queuenum := .AppSynQueues}}
{{$.MangleTable}} {{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{else}}
{{range $index,$queuenum := .AppSynQueues}}
{{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{range $index,$queuenum := .AppAckQueues}}
{{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{if isUIDProcess}}
{{range $index,$queuenum := .AppSynAckQueues}}
{{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{end}}
{{range $index,$queuenum := .AppSynQueues}}
{{$.MangleTable}} {{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{end}}
{{.MangleTable}} {{.AppChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} dst -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT
{{.MangleTable}} {{.AppChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT
Expand All @@ -204,23 +233,31 @@ var packetCaptureTemplate = `
{{.MangleTable}} {{.NetChain}} -p udp -m udp --sport 53 -j ACCEPT
{{end}}
{{range $index,$queuenum := .NetSynQueues}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{range $index,$queuenum := .NetAckQueues}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{if isUIDProcess}}
{{range $index,$queuenum := .NetSynAckQueues}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{end}}
{{range $index,$queuenum := .NetSynQueues}}
{{$.MangleTable}} {{$.NetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src --match limit --limit 1000/s -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{if .IsLegacyKernel}}
{{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN -j NFQUEUE --queue-balance {{.QueueBalanceNetSyn}}
{{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK ACK -j NFQUEUE --queue-balance {{.QueueBalanceNetAck}}
{{if isUIDProcess}}
{{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-balance {{.QueueBalanceNetSynAck}}
{{end}}
{{.MangleTable}} {{.NetChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} src --match limit --limit 1000/s -j NFQUEUE --queue-balance {{.QueueBalanceNetSyn}}
{{else}}
{{range $index,$queuenum := .NetSynQueues}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{range $index,$queuenum := .NetAckQueues}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{if isUIDProcess}}
{{range $index,$queuenum := .NetSynAckQueues}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{end}}
{{range $index,$queuenum := .NetSynQueues}}
{{$.MangleTable}} {{$.NetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src --match limit --limit 1000/s -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}}
{{end}}
{{end}}
{{.MangleTable}} {{.NetChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT
{{range netAnyRules}}
{{joinRule .}}
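Review bot: The app-chain block of globalRules (third hunk, `{{if .IsLegacyKernel}}` immediately followed by `{{else}}` before `{{$length := len .AppSynQueues}}`) leaves an empty branch that reads like an unfinished stub; writing it as `{{if not .IsLegacyKernel}}` states the intent directly, namely that HMARK dispatch is installed only on non-legacy kernels. In the first hunk the new `{{else}}` branch emits `--hmark-mod {{$length}}`, but the declaration of `$length` is outside the visible lines; Go text/template scopes a variable to the `if`/`range`/`with` it is declared in, so if that declaration now sits inside a branch of another `{{if .IsLegacyKernel}}` the template fails to parse — please confirm it is declared at template level. Across all hunks the legacy `--queue-balance` rules and the `-m mark ... --queue-num` rules repeat the full match clause (set match, `--tcp-flags`, `--tcp-option 34`, `--limit 1000/s`) and differ only in the NFQUEUE target, so every future change to a match has to be made in two places; a template helper that renders the target from the queue specification, or a short comment at the top of each `{{if .IsLegacyKernel}}` such as `{{/* legacy kernels lack HMARK; dispatch with --queue-balance instead of per-mark --queue-num */}}`, would keep the two branches from drifting apart.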
15 changes: 8 additions & 7 deletions controller/internal/supervisor/iptablesctrl/templates.go
Expand Up @@ -95,8 +95,9 @@ type ACLInfo struct {
MarkMask string
HMarkRandomSeed string
// IPv4 IPv6
DefaultIP string
needICMPRules bool
DefaultIP string
needICMPRules bool
IsLegacyKernel bool

// UDP rules
Numpackets string
Expand Down Expand Up @@ -298,11 +299,11 @@ func (i *iptables) newACLInfo(version int, contextID string, p *policy.PUInfo, p
ProxySetName: proxySetName,

// // UID PUs
UID: uid,
PacketMark: packetMark,
Mark: mark,
PortSet: portSetName,

UID: uid,
PacketMark: packetMark,
Mark: mark,
PortSet: portSetName,
IsLegacyKernel: i.isLegacyKernel,
NFLOGPrefix: policy.DefaultLogPrefix(contextID),
NFLOGAcceptPrefix: policy.DefaultAcceptLogPrefix(contextID),
DefaultNFLOGDropPrefix: policy.DefaultDroppedPacketLogPrefix(contextID),
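Review bot: The new `IsLegacyKernel bool` field in ACLInfo is added under the `// IPv4 IPv6` comment, which describes DefaultIP, and carries no documentation of its own even though it now drives a branch in every NFQUEUE block of rules.go. Give it its own comment, for example `// IsLegacyKernel selects --queue-balance NFQUEUE rules in the templates instead of HMARK and per-mark --queue-num dispatch.`, and place it after the UID/mark fields it is populated next to in newACLInfo. It has to stay exported because the templates reference it as `.IsLegacyKernel`, unlike `needICMPRules` beside it, which is worth a word in the comment so nobody "fixes" the casing later. The enclosing newACLInfo literal starts and ends outside the second hunk.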
