Re: netstat *:* udp sockets
Sebastian Benoit wrote:
> > > or what should it show? Only sockets that are bound
> > > but not connected (local port != 0 but remote addr/port = 0)?
> >
> > see my other mail for that diff.
>
> here. Ok for one or the other?

as a non-expert, this matches my expectation of what "listening" would map
onto for udp. ok fwiw.
Re: netstat *:* udp sockets
On Mon, Dec 17, 2018 at 06:05:00PM +0100, Sebastian Benoit wrote:
> Sebastian Benoit(benoit-li...@fb12.de) on 2018.12.17 17:59:49 +0100:
> > Claudio Jeker(cje...@diehard.n-r-g.com) on 2018.12.17 08:25:07 +0100:
> > > On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote:
> > > > Claudio Jeker wrote:
> > > > > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > > > > > Philip Guenther wrote:
> > > > > > > And, perhaps more directly, how would I block this in pf.conf?
> > > > > > >
> > > > > > > Excellent choice, blocking dhclient from receiving the leases
> > > > > > > that it requests.
> > > > > > > "What problem are you trying to solve?"
> > > > > >
> > > > > > Well, this may be something of a lost cause, but I would prefer
> > > > > > that chrome not listen for stuff I don't understand. It listens
> > > > > > on port 5353 as well, for mDNS, and I can block that easily
> > > > > > enough. It's the socket without a port that's giving me trouble.
> > > > >
> > > > > But a socket without a port is not listening on anything. It will
> > > > > not get any packets. It does not need to be filtered. This is how
> > > > > UDP works, it is a connectionless protocol.
> > > >
> > > > ok, thank you, I was confused because they show up in netstat -ln
> > > > too. I guess that's just historic how it is behavior.
> >
> > nothing historic about it, i added -l last year.
> >
> > but i wanted to keep it simple, i thought that its obvious what
> > "listening" sockets mean in this context (i.e. that it only really is a
> > concept in TCP).
> >
> > > I guess we should change that. Problem is that UDP does not support
> > > listen(2) and so there is no listening state. Should netstat exclude
> > > all of UDP when using -l
> >
> > here is a diff for that
> >
> > > or what should it show?
Only sockets that are bound > > > but not connected (local port != 0 but remote addr/port = 0)? > > > > see my other mail for that diff. > > here. Ok for one or the other? > > (netstat_l_udp_only_otherside_zero.diff) > > diff --git usr.bin/netstat/inet.c usr.bin/netstat/inet.c > index e8e2a4dcd4f..d378bfe6280 100644 > --- usr.bin/netstat/inet.c > +++ usr.bin/netstat/inet.c > @@ -225,6 +225,7 @@ netdomainpr(struct kinfo_file *kf, int proto) > int addrlen = 22; > int isany = 0; > int istcp = 0; > + int isudp = 0; > int isip6 = 0; > > /* XXX should fix kinfo_file instead but not now */ > @@ -282,6 +283,7 @@ netdomainpr(struct kinfo_file *kf, int proto) > case IPPROTO_UDP: > name = "udp"; > name6 = "udp6"; > + isudp = 1; > break; > case IPPROTO_DIVERT: > name = "divert"; > @@ -303,6 +305,9 @@ netdomainpr(struct kinfo_file *kf, int proto) > if (!aflag && lflag && istcp && > kf->t_state != TCPS_LISTEN) > return; > + if (!aflag && lflag && isudp && > + (kf->inp_lport == 0 || kf->inp_fport != 0)) > + return; > > if (af != kf->so_family || type != kf->so_type) { > af = kf->so_family; > @@ -310,7 +315,7 @@ netdomainpr(struct kinfo_file *kf, int proto) > printf("Active Internet connections"); > if (aflag) > printf(" (including servers)"); > - else if (lflag) > + else if (lflag && (istcp||isudp)) Needs some spaces ^^ here > printf(" (only servers)"); > putchar('\n'); > if (Aflag) { > Apart from that OK claudio@ -- :wq Claudio
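Review bot: the diff changes what -l means for UDP (only sockets with a local port and no foreign port are listed) but touches only inet.c; the -l entry in netstat(1) should say that for UDP "listening" means bound but not connected, since UDP has no listen(2) state and readers will otherwise expect TCP semantics. On the last hunk, the spacing remark above applies: `(istcp||isudp)` should read `(istcp || isudp)` to match the surrounding style.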
Re: netstat *:* udp sockets
Sebastian Benoit(benoit-li...@fb12.de) on 2018.12.17 17:59:49 +0100:
> Claudio Jeker(cje...@diehard.n-r-g.com) on 2018.12.17 08:25:07 +0100:
> > On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote:
> > > Claudio Jeker wrote:
> > > > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > > > > Philip Guenther wrote:
> > > > > > And, perhaps more directly, how would I block this in pf.conf?
> > > > > >
> > > > > > Excellent choice, blocking dhclient from receiving the leases
> > > > > > that it requests.
> > > > > > "What problem are you trying to solve?"
> > > > >
> > > > > Well, this may be something of a lost cause, but I would prefer
> > > > > that chrome not listen for stuff I don't understand. It listens
> > > > > on port 5353 as well, for mDNS, and I can block that easily
> > > > > enough. It's the socket without a port that's giving me trouble.
> > > >
> > > > But a socket without a port is not listening on anything. It will
> > > > not get any packets. It does not need to be filtered. This is how
> > > > UDP works, it is a connectionless protocol.
> > >
> > > ok, thank you, I was confused because they show up in netstat -ln
> > > too. I guess that's just historic how it is behavior.
>
> nothing historic about it, i added -l last year.
>
> but i wanted to keep it simple, i thought that its obvious what
> "listening" sockets mean in this context (i.e. that it only really is a
> concept in TCP).
>
> > I guess we should change that. Problem is that UDP does not support
> > listen(2) and so there is no listening state. Should netstat exclude
> > all of UDP when using -l
>
> here is a diff for that
>
> > or what should it show? Only sockets that are bound
> > but not connected (local port != 0 but remote addr/port = 0)?
>
> see my other mail for that diff.

here. Ok for one or the other?

(netstat_l_udp_only_otherside_zero.diff)
diff --git usr.bin/netstat/inet.c usr.bin/netstat/inet.c index e8e2a4dcd4f..d378bfe6280 100644 --- usr.bin/netstat/inet.c +++ usr.bin/netstat/inet.c @@ -225,6 +225,7 @@ netdomainpr(struct kinfo_file *kf, int proto) int addrlen = 22; int isany = 0; int istcp = 0; + int isudp = 0; int isip6 = 0; /* XXX should fix kinfo_file instead but not now */ @@ -282,6 +283,7 @@ netdomainpr(struct kinfo_file *kf, int proto) case IPPROTO_UDP: name = "udp"; name6 = "udp6"; + isudp = 1; break; case IPPROTO_DIVERT: name = "divert"; @@ -303,6 +305,9 @@ netdomainpr(struct kinfo_file *kf, int proto) if (!aflag && lflag && istcp && kf->t_state != TCPS_LISTEN) return; + if (!aflag && lflag && isudp && + (kf->inp_lport == 0 || kf->inp_fport != 0)) + return; if (af != kf->so_family || type != kf->so_type) { af = kf->so_family; @@ -310,7 +315,7 @@ netdomainpr(struct kinfo_file *kf, int proto) printf("Active Internet connections"); if (aflag) printf(" (including servers)"); - else if (lflag) + else if (lflag && (istcp||isudp)) printf(" (only servers)"); putchar('\n'); if (Aflag) {
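Review bot: in the third hunk the predicate `(kf->inp_lport == 0 || kf->inp_fport != 0)` keeps every unconnected UDP socket that has a local port, which includes client sockets that never called bind() but were auto-bound by their first sendto(); from lport/fport alone such a socket is indistinguishable from a daemon's bound socket and will be printed under "(only servers)". That is consistent with the "bound but not connected" definition agreed in the thread, but it deserves a comment above the new check and a sentence in netstat(1), so nobody reads the -l output as an inventory of services. In the last hunk the "(only servers)" suffix is decided by the istcp/isudp of the entry that happens to open the address-family/type group, not by the group as a whole; harmless today, but worth a comment too.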
Re: netstat *:* udp sockets
Claudio Jeker(cje...@diehard.n-r-g.com) on 2018.12.17 08:25:07 +0100: > On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote: > > Claudio Jeker wrote: > > > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote: > > > > Philip Guenther wrote: > > > > > And, perhaps more directly, how would I block this in pf.conf? > > > > > > > > > > > > > > > > Excellent choice, blocking dhclient from receiving the leases that it > > > > > requests. > > > > > "What problem are you trying to solve?" > > > > > > > > Well, this may be something of a lost cause, but I would prefer that > > > > chrome > > > > not listen for stuff I don't understand. It listens on port 5353 as > > > > well, for > > > > mDNS, and I can block that easily enough. It's the socket without a port > > > > that's giving me trouble. > > > > > > But a socket without a port is not listening on anything. It will not get > > > any packets. It does not need to be filtered. This is how UDP works, it is > > > a connectionless protocol. > > > > ok, thank you, I was confused because they show up in netstat -ln too. I > > guess > > that's just historic how it is behavior. nothing historic about it, i added -l last year. but i wanted to keep it simple, i thought that its obvious what "listening" sockets mean in this context (i.e. that it only really is a concept in TCP). > I guess we should change that. Problem is that UDP does not support > listen(2) and so there is no listening state. Should netstat exclude all > of UDP when using -l here is a diff for that > or what should it show? Only sockets that are bound > but not connected (local port != 0 but remote addr/port = 0)? see my other mail for that diff. (netstat_l_only_tcp.diff) diff --git usr.bin/netstat/main.c usr.bin/netstat/main.c index 17c889768a2..6bf155205ee 100644 --- usr.bin/netstat/main.c +++ usr.bin/netstat/main.c 
@@ -189,6 +189,8 @@ main(int argc, char *argv[]) break; case 'l': lflag = 1; + tp = knownname("tcp"); + pflag = 1; break; case 'M': memf = optarg; @@ -203,7 +205,8 @@ main(int argc, char *argv[]) nflag = 1; break; case 'p': - if ((tp = name2protox(optarg)) == NULL) { + if (pflag == 0 && + (tp = name2protox(optarg)) == NULL) { (void)fprintf(stderr, "%s: %s: unknown protocol\n", __progname, optarg);
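Review bot: with `-l` now setting `pflag = 1` and forcing `tp = knownname("tcp")`, the new `pflag == 0 &&` guard in `case 'p'` makes the result depend on option order: `netstat -l -p udp` silently ignores `-p udp` (the short-circuit also skips `name2protox`, so even `-p bogus` is not rejected), while `netstat -p udp -l` has `-l` overwrite tp with tcp. Suggest treating -l together with -p as a usage error (either in the getopt cases or in a check after the loop) rather than dropping one of them, and documenting in netstat(1) that -l implies -p tcp.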
Re: netstat *:* udp sockets
On 08:25 Mon 17 Dec, Claudio Jeker wrote:
> On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote:
> > Claudio Jeker wrote:
> > > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > > > Philip Guenther wrote:
> > > > > And, perhaps more directly, how would I block this in pf.conf?
> > > > >
> > > > > Excellent choice, blocking dhclient from receiving the leases that it
> > > > > requests.
> > > > > "What problem are you trying to solve?"
> > > >
> > > > Well, this may be something of a lost cause, but I would prefer that
> > > > chrome not listen for stuff I don't understand. It listens on port 5353
> > > > as well, for mDNS, and I can block that easily enough. It's the socket
> > > > without a port that's giving me trouble.
> > >
> > > But a socket without a port is not listening on anything. It will not get
> > > any packets. It does not need to be filtered. This is how UDP works, it is
> > > a connectionless protocol.
> >
> > ok, thank you, I was confused because they show up in netstat -ln too. I
> > guess that's just historic how it is behavior.
>
> I guess we should change that. Problem is that UDP does not support
> listen(2) and so there is no listening state. Should netstat exclude all
> of UDP when using -l or what should it show? Only sockets that are bound
> but not connected (local port != 0 but remote addr/port = 0)?

A listening socket is a socket that can "accept" new "connections" -- it's
possible to send data to it from some new host (e.g. via sendto). So
local_port != 0 remote_addr == NULL is perfectly fine IMO.
Re: netstat *:* udp sockets
On Sun, Dec 16, 2018 at 05:09:06PM -0500, Ted Unangst wrote:
> Claudio Jeker wrote:
> > On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > > Philip Guenther wrote:
> > > > And, perhaps more directly, how would I block this in pf.conf?
> > > >
> > > > Excellent choice, blocking dhclient from receiving the leases that it
> > > > requests.
> > > > "What problem are you trying to solve?"
> > >
> > > Well, this may be something of a lost cause, but I would prefer that
> > > chrome not listen for stuff I don't understand. It listens on port 5353
> > > as well, for mDNS, and I can block that easily enough. It's the socket
> > > without a port that's giving me trouble.
> >
> > But a socket without a port is not listening on anything. It will not get
> > any packets. It does not need to be filtered. This is how UDP works, it is
> > a connectionless protocol.
>
> ok, thank you, I was confused because they show up in netstat -ln too. I
> guess that's just historic how it is behavior.

I guess we should change that. Problem is that UDP does not support
listen(2) and so there is no listening state. Should netstat exclude all
of UDP when using -l or what should it show? Only sockets that are bound
but not connected (local port != 0 but remote addr/port = 0)?

-- 
:wq Claudio
Re: netstat *:* udp sockets
Claudio Jeker wrote:
> On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> > Philip Guenther wrote:
> > > And, perhaps more directly, how would I block this in pf.conf?
> > >
> > > Excellent choice, blocking dhclient from receiving the leases that it
> > > requests.
> > > "What problem are you trying to solve?"
> >
> > Well, this may be something of a lost cause, but I would prefer that chrome
> > not listen for stuff I don't understand. It listens on port 5353 as well,
> > for mDNS, and I can block that easily enough. It's the socket without a port
> > that's giving me trouble.
>
> But a socket without a port is not listening on anything. It will not get
> any packets. It does not need to be filtered. This is how UDP works, it is
> a connectionless protocol.

ok, thank you, I was confused because they show up in netstat -ln too. I guess
that's just historic how it is behavior.
Re: netstat *:* udp sockets
On Fri, Dec 14, 2018 at 01:26:25PM -0500, Ted Unangst wrote:
> Philip Guenther wrote:
> > And, perhaps more directly, how would I block this in pf.conf?
> >
> > Excellent choice, blocking dhclient from receiving the leases that it
> > requests.
> > "What problem are you trying to solve?"
>
> Well, this may be something of a lost cause, but I would prefer that chrome
> not listen for stuff I don't understand. It listens on port 5353 as well, for
> mDNS, and I can block that easily enough. It's the socket without a port
> that's giving me trouble.

But a socket without a port is not listening on anything. It will not get
any packets. It does not need to be filtered. This is how UDP works, it is
a connectionless protocol.

-- 
:wq Claudio
Re: netstat *:* udp sockets
>Ted Unangst wrote:
>> Philip Guenther wrote:
>> > And, perhaps more directly, how would I block this in pf.conf?
>> >
>> > Excellent choice, blocking dhclient from receiving the leases that it
>> > requests.
>> > "What problem are you trying to solve?"
>>
>> Well, this may be something of a lost cause, but I would prefer that chrome
>> not listen for stuff I don't understand. It listens on port 5353 as well, for
>> mDNS, and I can block that easily enough. It's the socket without a port
>> that's giving me trouble.
>
>Oops, followup question. If the situation is that these are simply unbound
>sockets that don't receive traffic, that makes life easier. I wasn't sure if
>they were some catch-all sockets or what.

They will receive responses to traffic they send.
Re: netstat *:* udp sockets
>Philip Guenther wrote:
>> And, perhaps more directly, how would I block this in pf.conf?
>>
>> Excellent choice, blocking dhclient from receiving the leases that it
>> requests.
>> "What problem are you trying to solve?"
>
>Well, this may be something of a lost cause, but I would prefer that chrome
>not listen for stuff I don't understand. It listens on port 5353 as well, for
>mDNS, and I can block that easily enough. It's the socket without a port
>that's giving me trouble.

So it doesn't bind() and it doesn't connect(), but uses sendto

It is part of POSIX

If you want to block that piece of talking to the mothership you're going
to have to get into the source code.
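The states discussed in this thread (a UDP socket that has only been created, one that is bind()ed like a daemon's, one that is connect()ed, and one that has done a sendto() without bind() or connect()), as an added example that is not code from the thread or from OpenBSD's netstat. It reads each socket's local and foreign port back with getsockname(2)/getpeername(2) and applies the -l predicate from the inet.c diff earlier in the thread (local port != 0 and foreign port == 0) to each. The destination 127.0.0.1 port 9 is a constructed placeholder (nothing needs to be listening there), and the function names are mine.

```c
/* Added example: UDP socket states versus the netstat -l predicate from the
 * inet.c diff. Not part of the thread or of netstat itself. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The UDP filter the diff adds for -l (without -a): list a socket only if it
 * has a local port and no foreign port ("bound but not connected"). */
int shown_by_netstat_l(unsigned short lport, unsigned short fport)
{
	return lport != 0 && fport == 0;
}

/* Port reported by getsockname(2) or getpeername(2); 0 when the socket is
 * unbound, or (for getpeername) not connected, which fails with ENOTCONN. */
static unsigned short port_of(int s,
    int (*query)(int, struct sockaddr *, socklen_t *))
{
	struct sockaddr_in sin;
	socklen_t len = sizeof(sin);

	memset(&sin, 0, sizeof(sin));
	if (query(s, (struct sockaddr *)&sin, &len) == -1)
		return 0;
	return ntohs(sin.sin_port);
}

/* Constructed peer/local address: 127.0.0.1 or 0.0.0.0 at the given port. */
static struct sockaddr_in in4(in_addr_t host, unsigned short port)
{
	struct sockaddr_in sin;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(host);
	sin.sin_port = htons(port);
	return sin;
}

/*
 * Create a UDP socket, put it into one state, and report what netstat -l
 * would make of it.  how: 'n' = socket() only, 'b' = bind() to *:0 as a
 * daemon would, 'c' = connect() to a peer, 's' = sendto() a peer without
 * bind() or connect(), like the dhclient/chrome sockets in the thread.
 * Returns 1 if -l would list the socket, 0 if it would hide it, -1 on
 * error. *lport receives the local port so the caller sees auto-binding.
 */
int udp_socket_state(char how, unsigned short *lport)
{
	struct sockaddr_in any = in4(INADDR_ANY, 0);		/* kernel picks port */
	struct sockaddr_in peer = in4(INADDR_LOOPBACK, 9);	/* placeholder peer */
	char byte = 0;
	int s, rv;

	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		return -1;
	switch (how) {
	case 'n': rv = 0; break;
	case 'b': rv = bind(s, (struct sockaddr *)&any, sizeof(any)); break;
	case 'c': rv = connect(s, (struct sockaddr *)&peer, sizeof(peer)); break;
	case 's': rv = sendto(s, &byte, 1, 0, (struct sockaddr *)&peer,
		      sizeof(peer)) == 1 ? 0 : -1; break;
	default:  rv = -1;
	}
	if (rv == -1) {
		close(s);
		return -1;
	}
	*lport = port_of(s, getsockname);
	rv = shown_by_netstat_l(*lport, port_of(s, getpeername));
	close(s);
	return rv;
}

int main(void)
{
	const char *how = "nbcs";
	const char *desc[] = { "socket() only", "bind() *:0", "connect() peer",
	    "sendto() peer" };
	unsigned short p;
	int i, shown;

	for (i = 0; how[i] != '\0'; i++) {
		p = 0;
		shown = udp_socket_state(how[i], &p);
		printf("%-15s local port %5u  netstat -l: %s\n", desc[i], p,
		    shown == 1 ? "shown" : shown == 0 ? "hidden" : "error");
	}
	return 0;
}
```

The last case is the caveat for anyone reading netstat -l as an inventory of services: the freshly created socket has local port 0 and is invisible to -l (and, as said above, receives nothing), but its first sendto() makes the kernel auto-bind it to an ephemeral port, after which it looks exactly like a daemon's bound socket and is listed under "(only servers)", because that port is where replies to what it sent will arrive. lport/fport alone cannot tell the two apart; fstat(1) shows which process owns the socket, and pf rules on the destination side are where such traffic is actually constrained.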
Re: netstat *:* udp sockets
Ted Unangst wrote:
> Philip Guenther wrote:
> > And, perhaps more directly, how would I block this in pf.conf?
> >
> > Excellent choice, blocking dhclient from receiving the leases that it
> > requests.
> > "What problem are you trying to solve?"
>
> Well, this may be something of a lost cause, but I would prefer that chrome
> not listen for stuff I don't understand. It listens on port 5353 as well, for
> mDNS, and I can block that easily enough. It's the socket without a port
> that's giving me trouble.

Oops, followup question. If the situation is that these are simply unbound
sockets that don't receive traffic, that makes life easier. I wasn't sure if
they were some catch-all sockets or what.
Re: netstat *:* udp sockets
Philip Guenther wrote:
> And, perhaps more directly, how would I block this in pf.conf?
>
> Excellent choice, blocking dhclient from receiving the leases that it
> requests.
> "What problem are you trying to solve?"

Well, this may be something of a lost cause, but I would prefer that chrome
not listen for stuff I don't understand. It listens on port 5353 as well, for
mDNS, and I can block that easily enough. It's the socket without a port
that's giving me trouble.
Re: netstat *:* udp sockets
On 2018-12-14, Sebastian Benoit wrote:
> As for chrome, i have no idea what it is doing... ;)

My first guess would be maybe it's using this to send probes for QUIC /
HTTP/3. I don't see that in chromium here but maybe something in testing
(they run different "field trials" for different people)
Re: netstat *:* udp sockets
On 13:38 Thu 13 Dec, Ted Unangst wrote:
> netstat -an tells me I am listening to all the udp.
>
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp          0      0  *.*                    *.*
> udp          0      0  127.0.0.1.53           *.*
> udp          0      0  *.*                    *.*
> udp          0      0  *.5353                 *.*
> udp          0      0  *.*                    *.*
>
> What are those *.* sockets doing? How can you listen to all the ports?
>
> According to fstat, two belong to dhclient and one to chrome.
>
> root     dhclient   55241    3* internet dgram udp *:0
> root     dhclient   55241    5* internet dgram udp *:0
> tedu     chrome     52839  107* internet dgram udp *:0
>
> Although now they are printed as *:0. How do such sockets work?
>
> And, perhaps more directly, how would I block this in pf.conf?

Wait, ain't

$ netstat -anl

should be used to get _listening_ sockets?
Re: netstat *:* udp sockets
Ted Unangst(t...@tedunangst.com) on 2018.12.13 13:38:58 -0500:
> netstat -an tells me I am listening to all the udp.
>
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp          0      0  *.*                    *.*
> udp          0      0  127.0.0.1.53           *.*
> udp          0      0  *.*                    *.*
> udp          0      0  *.5353                 *.*
> udp          0      0  *.*                    *.*
>
> What are those *.* sockets doing? How can you listen to all the ports?

In the case of dhclient, it opens that SOCK_RAW socket to send packets to a
dhcp server: get_udp_sock() does socket(AF_INET, SOCK_RAW, IPPROTO_UDP).
But it does not bind() or connect(). That's why you have "Local Address"
and "Foreign Address" *.*.

I think the second one might be the one it opens with
ioctlfd = socket(AF_INET, SOCK_DGRAM, 0). It only uses it to do ioctl() on
it, see section INTERFACES in netintro(4).

> According to fstat, two belong to dhclient and one to chrome.
>
> root     dhclient   55241    3* internet dgram udp *:0
> root     dhclient   55241    5* internet dgram udp *:0
> tedu     chrome     52839  107* internet dgram udp *:0
>
> Although now they are printed as *:0. How do such sockets work?

The first socket above is used in send_packet() in
sendmsg(ifi->ufdesc, msg, &0) to a specific dhcp server. It is not used to
receive packets and indeed it cannot receive any on that socket. It sends
broadcast packets via bpf(4) and receives packets via bpf(4).

> And, perhaps more directly, how would I block this in pf.conf?

In the case of dhclient, you can't. Well, you can try, but it will break
things. The problem is that dhclient is special, it needs to send things
while there is no IP configuration on an interface. So it needs to do
things itself that the IP stack would do for normal programs.

If you run dhclient, you trust it not to send bad things, and not to
receive things it should not see (It configures the bpf filter to only get
packets to port 67).

As for chrome, i have no idea what it is doing... ;)
Re: netstat *:* udp sockets
On Fri 14 Dec 2018 at 03:58, Philip Guenther wrote:
> On Thu, Dec 13, 2018 at 10:40 AM Ted Unangst wrote:
> > netstat -an tells me I am listening to all the udp.
> >
> > Active Internet connections (including servers)
> > Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> > udp          0      0  *.*                    *.*
> > udp          0      0  127.0.0.1.53           *.*
> > udp          0      0  *.*                    *.*
> > udp          0      0  *.5353                 *.*
> > udp          0      0  *.*                    *.*
> >
> > What are those *.* sockets doing? How can you listen to all the ports?
>
> Those are just UDP sockets on which connect() hasn't been called and that
> aren't in the middle of a recvfrom() or recvmsg(), no?

Isn't there something inherently weird in listing a lot of things which
"sort -u" would remove? The streams at the bottom of netstat output are at
least unique in some sense:

0x81e50880 stream 0 0 0x0 0x81e50900 0x0 0x0

..even if they might not tell me much more than udp *.*

-- 
May the most significant bit of your life be positive.
Re: netstat *:* udp sockets
On Thu, Dec 13, 2018 at 10:40 AM Ted Unangst wrote:
> netstat -an tells me I am listening to all the udp.
>
> Active Internet connections (including servers)
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp          0      0  *.*                    *.*
> udp          0      0  127.0.0.1.53           *.*
> udp          0      0  *.*                    *.*
> udp          0      0  *.5353                 *.*
> udp          0      0  *.*                    *.*
>
> What are those *.* sockets doing? How can you listen to all the ports?

Those are just UDP sockets on which connect() hasn't been called and that
aren't in the middle of a recvfrom() or recvmsg(), no?

> And, perhaps more directly, how would I block this in pf.conf?

Excellent choice, blocking dhclient from receiving the leases that it
requests. "What problem are you trying to solve?"

Philip Guenther