Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 25 Nov 2013 11:42:43 -0800
From:      "R. Tyler Croy" <tyler@monkeypox.org>
To:        Frank Knobbe <frank@knobbe.us>
Cc:        freebsd-hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Do pfil(9) hooks receive TCP retransmissions?
Message-ID:  <20131125194243.GD6275@kiwi.coupleofllamas.com>
In-Reply-To: <20131125192633.GB75749@knobbe.us>
References:  <20131125181232.GB6275@kiwi.coupleofllamas.com> <20131125183829.GA75749@knobbe.us> <20131125190803.GC6275@kiwi.coupleofllamas.com> <20131125192633.GB75749@knobbe.us>

next in thread | previous in thread | raw e-mail | index | archive | help

--uxuisgdDHaNETlh8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable


On Mon, 25 Nov 2013, Frank Knobbe wrote:

> On Mon, Nov 25, 2013 at 11:08:03AM -0800, R. Tyler Croy wrote:
> > Let's say for example I wanted to filter out a specific HTTP response, =
just as
> > a more complex kind of traffic on top of the TCP stream. Would my hook =
be
> > invoked for packets 1-100 of the HTTP response 100 times, or could it be
> > invoked any number of times depending on whether there are retransmissi=
ons of
> > various packets?
>=20
> Ah, gotcha. The answer is Yes. :)  pfil works at the packet level. You wi=
ll
> receive ALL packets going through the system. That means your function has
> to look for HTTP traffic (and ignore/pass the rest). You will also=20
> have to keep track of the session state. In essence, you get all packets
> involved in the TCP 3-way handshake. You probably want to track that and
> mark a session as established. Then on established sessions, you probably
> want to keep track of HTTP content and "HTTP level session state", for
> example limiting your actions on responses to GET requests (or POSTs or
> whatever you need), and not the request itself. Then finally evaluate the=
=20
> packet (well, stream) content for the response.
>=20
> Since the pfil hooks work on each packet, you will also have to reassemble
> the TCP/HTTP stream properly so that your checks can not be bypassed by
> fragmentation attacks. Say your tracking the packets, tracking 3-way,=20
> building an established TCP session table, tracking the in- or outbound
> request, and then wait for a response, an "attacker" could feed the respo=
nse
> with, say, 2 byte packets, so your function will have to catch all these,
> in the proper order, and reassemble a complete response before you can
> perform any sort of content matching.=20
>=20
> This will be quite an effort. It might be easier to see if there are HTTP
> proxies (for example, Apache) where you could hook into in order to avoid
> having to do all the grunt work from the packet level up.=20


I don't disagree with you that this might be a large amount of effort.
Unfortunately I've not found any existing tools that give me the ability to
create application layer filtering, while still acting as a full transparent
TCP proxy.

Performing such filtering in an HTTP proxy is fine, but I'm more interested
(academically) in filtering traffic transparently across more than just HTT=
P.


> The pfil interface is for a very low level of network traffic, and it sou=
nds
> like you're wanting to build something for a much higher level in the OSI
> stack. Can it be done with pfil? Sure, but I wonder if the effort required
> would make pfil a good choice.


Agreed, pfil(9) is a very big and basic hammer.

- R. Tyler Croy
--------------------------------------
    Code: https://github.com/rtyler
 Chatter: https://twitter.com/agentdero
          rtyler@jabber.org

--uxuisgdDHaNETlh8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlKTqDMACgkQFCbH3D9R4W9JrgCgoiMU5lqWuZMJy/bx8QWfXXlb
/jAAn2j6UHzwOv5HHXCO4GGCFA7LeyJ0
=4jeB
-----END PGP SIGNATURE-----

--uxuisgdDHaNETlh8--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20131125194243.GD6275>