Re: Is ndo_do_ioctl still acceptable?
On 2015-11-12 11:58, Jason A. Donenfeld wrote: Hi Stephen, Thanks for your response. On Thu, Nov 12, 2015 at 5:34 PM, Stephen Hemmingerwrote: The problem is ioctl's are device specific, and therefore create dependency on the unique features supported by your device. The question always comes up, why is this new API not something general? In this case, it really is for unique features of my device. My device has its own unique notion of a "peer" based on a particular elliptic curve point and some other interesting things. It's not something generalizable to other devices. The thing that makes my particular device special is these attributes that I need to make configurable. I think then, by your criteria, ioctl would actually be perfect. In other words, I interpret what you wrote to mean "generalizable: netlink. device-specific: ioctl." If that's a decent summary, then ioctl is certainly good for me. On the other hand, based on what you are saying about your device, it sounds like you are working on some kind of cryptographically secured (either authenticated or encrypted or both) tunnel, in which case the fact that security is easier to handle with netlink than ioctls becomes important. If you can't ensure security of the endpoint configuration, you can't ensure security of the tunnel itself. smime.p7s Description: S/MIME Cryptographic Signature
Re: [PATCH v2] add stealth mode
On 2015-07-12 19:13, Matteo Croce wrote: 2015-07-08 15:32 GMT+02:00 Austin S Hemmelgarn ahferro...@gmail.com: On 2015-07-06 15:44, Matteo Croce wrote: Just to name a few that I know of off the top of my head: 1. IP packets with any protocol number not supported by your current kernel (these return a special ICMP message). Right, I'll handle them 2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the kernel. Well, I've never played with SCTP before It should still be checked, as should DCCP and RDS (those are the only other Layer 3 protocols that I have ever actually seen people try to scan hosts with besides TCP/UDP/SCTP). SCTP itself is not hugely prevalent outside of some clustering uses, but it is still seen on the internet sometimes (for example, Gentoo has optional patches for OpenSSH to use SCTP). 3. Theoretically, some IGMP messages. 4. NDP messages. 5. ARP queries looking for the machine's IP addresses. Yes I know, but it's unlikely to receive this packets from WAN, right? My flag is intended to be used mostly on WAN interfaces, machines in LAN should be easily discoverable IMHO. In theory it's unlikely, but if you use any kind of IPv4 multicast on the WAN you will get IGMP (and MLD for IPv6 multicast). You may also get some NDP queries also if you are using IPv6 and your WAN is itself behind a NAT router (and yes, there are ISP's who do that). 6. Certain odd flag combinations on single TCP packets (check the documentation for Nmap for more info regarding these), which I believe (although I may be reading the code wrong) you aren't accounting for. I've tried many TCP flags combination with hping3, NUL, SYN/ACK, ACK, SYN/FIN, etc. They doesn't get any response when the flag is set How about FIN/ACK and FIN/PSH/URG? 7. DAD queries. Never looked at this packets, are a subset of NDP? Kind of, it's an ICMPv6 extension for detecting if SLACC configured address is already in use. Most distro's have support for it enabled by default. 8. ICMP address mask queries (which you also don't appear to account for). It's deprecated and actually it doesn't get any response already Just because it's deprecated doesn't mean you shouldn't account for it, although it does appear to get dropped by default by the kernel. You should also test how different combinations of sysctls under /proc/sys/net affect this (there are for example already sysctls for ignoring certain types of ICMP packets). smime.p7s Description: S/MIME Cryptographic Signature
Re: [PATCH v2] add stealth mode
On 2015-07-06 15:44, Matteo Croce wrote: 2015-07-06 12:49 GMT+02:00 valdis.kletni...@vt.edu: On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said: Add option to disable any reply not related to a listening socket, like RST/ACK for TCP and ICMP Port-Unreachable for UDP. Also disables ICMP replies to echo request and timestamp. The stealth mode can be enabled selectively for a single interface. A few notes. 2) You *do* realize that this isn't anywhere near sufficient in order to actually make your machine invisible, right? (Hint: What *other* packets can be sent to a machine to provoke a response?) Other than ICMP, UDP and TCP excluding open TCP/UDP ports? Just to name a few that I know of off the top of my head: 1. IP packets with any protocol number not supported by your current kernel (these return a special ICMP message). 2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the kernel. 3. Theoretically, some IGMP messages. 4. NDP messages. 5. ARP queries looking for the machine's IP addresses. 6. Certain odd flag combinations on single TCP packets (check the documentation for Nmap for more info regarding these), which I believe (although I may be reading the code wrong) you aren't accounting for. 7. DAD queries. 8. ICMP address mask queries (which you also don't appear to account for). This is by no means an exhaustive list, but all of them really should be addressed if you want to do this properly. smime.p7s Description: S/MIME Cryptographic Signature