Minor Refactor
Initial changes nfpacket object.

Removed directional state tracking (for logging).

Does not currently compromise security.
Dustyn Blackmore committed May 12, 2018
1 parent 2129aff commit 718ba9a
Showing 6 changed files with 55 additions and 48 deletions.
2 changes: 2 additions & 0 deletions src/config/rules-base.nft
Expand Up @@ -7,6 +7,7 @@ table ip filter {
meta mark 666 counter drop comment "NodeJS Rejected";
meta mark 9999 counter comment "NodeJS Accepted - LOGGING";
meta mark 999 counter accept comment "NodeJS Accepted";
ct state { established, related } counter accept;
ct state { invalid, untracked } counter drop;
counter;
}
Expand All @@ -18,6 +19,7 @@ table ip filter {
meta mark 777 counter reject with icmp type admin-prohibited;
meta mark 9999 counter comment "NodeJS Accepted - LOGGING";
meta mark 999 counter accept comment "NodeJS Accepted";
ct state { established, related } counter accept;
ct state { invalid, untracked } counter drop;
counter;
}
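Review bot: The new `ct state { established, related } counter accept;` rule, added to both chains, accepts anything conntrack classifies as `related`, which with conntrack helpers loaded includes helper-expected flows such as FTP data channels as well as ICMP errors, so those never reach the NodeJS verdict; if the intent is only to let flows the JS side already accepted continue, `established` alone is the tighter match. Either way the rule deserves a comment tying it to the JS source-port heuristic this commit comments out, e.g. `ct state { established, related } counter accept comment "replaces JS related-connection check";`. The rule sits after the `meta mark` lines, so a repeated packet still carrying mark 666/777 is dropped or rejected before conntrack is consulted, which looks intended. The queue rule and the chain policy are outside the hunk, so whether a `new` packet that falls through `counter;` is queued or dropped cannot be confirmed here.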
29 changes: 17 additions & 12 deletions src/index.js
Expand Up @@ -5,7 +5,7 @@ const IPv4 = require('pcap/decode/ipv4');
const pcap = require('pcap');
const { exec } = require('child_process');
const nft = require('./nftables')({ exec: exec });
const nfpacket = require('./nfpacket')({ nfq: nfq, pcap: pcap })
const netFilterPacket = require('./nfpacket')({ nfq: nfq, pcapIPv4: IPv4 })
const actions = require('./actions')({ fs: fs })

// These are the NFQUEUE result handler options.
Expand Down Expand Up @@ -140,17 +140,17 @@ function determineVerdict (interface, packet, direction) {
// Check if the source port is as our otherwise accepted outgoing destination port, but only on incoming connections
// (Basically; established / releated comms)
// Required since 'logging' change complexity - but REQUIRES refactor
if (direction === 'incoming' && typeof rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports !== 'undefined') {
if (typeof rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport] !== 'undefined') {
console.log('Incoming packet which has a sourceport listed in destination port lists');
if (rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport].policy && rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport].policy === 'allow') {
console.log("Possible Related Connection: %s", JSON.stringify(packet));
verdict.policy = NF_ACCEPT;

return verdict;
}
}
}
// if (direction === 'incoming' && typeof rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports !== 'undefined') {
// if (typeof rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport] !== 'undefined') {
// console.log('Incoming packet which has a sourceport listed in destination port lists');
// if (rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport].policy && rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport].policy === 'allow') {
// console.log("Possible Related Connection: %s", JSON.stringify(packet));
// verdict.policy = NF_ACCEPT;

// return verdict;
// }
// }
// }

// Check we even handle this protocol
if (rules[direction][packet.payloadDecoded.protocol.toString()]) {
Expand Down Expand Up @@ -231,6 +231,11 @@ function updateOutput () {
function bindQueueHandlers () {
interfaces.forEach(interface => {
interface.queueIn = nfq.createQueueHandler(parseInt(interface.number), buffer, (nfpacket) => {
let thisPacket = netFilterPacket(nfpacket);

thisPacket.encoding.decode();

console.log(thisPacket);
let decoded = new IPv4().decode(nfpacket.payload, 0);
let stringified = nfpacket.payload.toString();
let clonedPacket = Object.assign({}, nfpacket, { payloadDecoded: decoded, payloadStringified: stringified });
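Review bot: `console.log(thisPacket)` in the queue callback dumps every queued packet, including its raw `payload` buffer, to stdout on the verdict path; besides leaking packet contents into whatever collects the process output, synchronous per-packet logging delays verdicts, and if the NFQUEUE fills up the kernel drops or bypasses packets depending on the queue rule's flags, which are not visible here. Drop the line or gate it behind a debug flag. The packet is also decoded twice, once via `thisPacket.encoding.decode()` and again by `new IPv4().decode(nfpacket.payload, 0)` on the next line, and `thisPacket` is otherwise unused, so either the wrapper should feed `clonedPacket` or the new lines should wait until it does. The commented-out related-connection block in `determineVerdict` should be deleted rather than kept as comments since git retains the history; `determineVerdict` starts before the hunk.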
16 changes: 2 additions & 14 deletions src/nfpacket/actions.js
Expand Up @@ -2,21 +2,9 @@ const actions = (depedencies) => ({
accept: (nfpacket) => {
return nfpacket.setVedrict(0, 'add ' + rule);
},
decode: (nfpacket) => {
let IPv4 = dependencies
? dependencies.pcap
? dependencies.pcap.decode
? depdencencies.pcap.decode.ipv4 || null
: null
: null
: null;

return IPv4
? new IPv4().decode(nfpacket.payload, 0)
: nfpacket;
},
reject: (nfpacket) => {
return execute(exec, 'flush ruleset');
nfpacket.setVerdict(this.enums.NF_REJECT);
return this;
},
requeue: (filename) => {
return execute(exec, '-f ' + filename);
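Review bot: `reject` returns `execute(exec, 'flush ruleset')` on its first line, so the two added lines `nfpacket.setVerdict(this.enums.NF_REJECT); return this;` are unreachable, and if that leftover line ever did run it would wipe the entire nftables ruleset on a per-packet reject and leave the host fail-open (neither `execute` nor `exec` is defined in this module as far as the hunk shows). Even with that line removed, `this` inside an arrow function is not the packet wrapper, and the wrapper built in `nfpacket/index.js` exposes the tables under `enum`, not `enums`, so `this.enums.NF_REJECT` would throw; since the action already receives the packet, `nfpacket.setVerdict(enums.netfilterVerdict.NF_REJECT)` with `const enums = require('./enums');` at the top of the file, or the verdict table passed in via `dependencies`, is the straightforward form. The factory parameter is spelled `depedencies` in the signature, which is why the old `decode` dereferenced an undefined name; the signature is context here, but the new `reject` body will hit the same problem for anything it reads from it. The enclosing `actions` factory continues past the hunk.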
11 changes: 11 additions & 0 deletions src/nfpacket/encoding.js
@@ -0,0 +1,11 @@
const encoding = (dependencies) => (nfpacket) => ({
decode: () => {
let IPv4 = dependencies || null;

nfpacket.nfpacketDecoded = IPv4
? new IPv4().decode(nfpacket.payload, 0)
: false;
}
})

module.exports = encoding;
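Review bot: The outer parameter is named `dependencies` but, per the caller `encoding(dependencies.pcapIPv4)(nfpacket)`, it receives the IPv4 decoder class itself, so `let IPv4 = dependencies || null;` reads as a bug to the next maintainer; rename it, e.g. `const encoding = (IPv4Decoder) => (nfpacket) => ({`. `decode()` also returns `undefined` and writes its result onto whichever object was passed in, so callers must know to read `nfpacketDecoded` afterwards; ending it with `return nfpacket.nfpacketDecoded;` makes the result usable directly. If the pcap decoder throws on a short or malformed `payload` (not verifiable from this diff), the exception propagates straight into the NFQUEUE callback before any verdict is set, so a try/catch that stores `false` in `nfpacketDecoded` and lets the caller drop the packet would be safer than an unhandled throw.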
29 changes: 15 additions & 14 deletions src/nfpacket/enums.js
@@ -1,15 +1,16 @@
const netfilterVerdict = {
// These are the NFQUEUE result handler options.
NF_REJECT: 0,
NF_ACCEPT: 1, // Accept packet (but no longer seen / disowned by conntrack,
NF_REQUEUE: 4, // Requeue packet (Which we then use a mark to determine the action,
}

const protocols = {
// Protocol Numbers can be found here, however; libpcap has limited support..
// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
PC_ICMP: 1,
PC_IGMP: 2,
PC_TCP: 6,
PC_UDP: 17,
module.exports = {
netfilterVerdict: {
// These are the NFQUEUE result handler options.
NF_REJECT: 0,
NF_ACCEPT: 1, // Accept packet (but no longer seen / disowned by conntrack,
NF_REQUEUE: 4, // Requeue packet (Which we then use a mark to determine the action,
},
protocols: {
// Protocol Numbers can be found here, however; libpcap has limited support..
// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
PC_ICMP: 1,
PC_IGMP: 2,
PC_TCP: 6,
PC_UDP: 17,
}
}
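Review bot: `NF_REJECT: 0` is the netfilter verdict NF_DROP, which silently discards the packet with no ICMP reply; the `icmp type admin-prohibited` reject in `rules-base.nft` is driven by mark 777, not by this verdict, so the name invites a reader to expect a reject where they get a drop. Likewise `NF_REQUEUE: 4` is NF_REPEAT (NF_QUEUE is 3), which re-runs the packet through the same hook so the `meta mark` rules can act on it. Keep the keys for compatibility but fix the comments, e.g. `NF_REJECT: 0, // NF_DROP in netfilter: silently discarded, no ICMP (reject is done via mark 777 in nft)` and `NF_REQUEUE: 4, // NF_REPEAT: re-enters the same hook so the mark rules see it`, and close the dangling parentheses in the two existing comments. The "disowned by conntrack" remark on `NF_ACCEPT` is not something the verdict value implies; if it describes where the packet goes after the queue rule, say that, otherwise drop it. Wrapping both exported tables in `Object.freeze` would stop callers from mutating shared verdict values.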
16 changes: 8 additions & 8 deletions src/nfpacket/index.js
@@ -1,17 +1,17 @@
const actions = require('./actions');
const encoding = require('./encoding');
const enums = require('./enums.js');

const nfpacket = (dependencies) => {
if (Object.keys(dependencies).includes(['pcap', 'nfq'])) {
module.exports = (dependencies) => (nfpacket) => {
if (Object.keys(dependencies).includes('nfq') && Object.keys(dependencies).includes('pcapIPv4')) {
return Object.assign(
{},
nfpacket,
enums,
actions(dependencies)
)
{ actions: actions(dependencies) },
{ encoding: encoding(dependencies.pcapIPv4)(nfpacket) },
{ enum: enums },
{ decoded: undefined }
);
}

return false;
}

module.exports = nfpacket;
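Review bot: `encoding(dependencies.pcapIPv4)(nfpacket)` closes over the raw `nfpacket`, so `decode()` writes `nfpacketDecoded` onto the original queue object while the wrapper returned here keeps `decoded: undefined` forever; nothing in the diff ever populates `decoded`. Build the wrapper first and hand it to `encoding`, so the decoded payload lands on the object the caller actually holds, as below. Separately, `Object.assign({}, nfpacket, ...)` copies only own enumerable properties, so if the nfq packet's `setVerdict` lives on its prototype (not verifiable here) the wrapper loses it; keeping a reference to the original packet, or using it as the wrapper's prototype, avoids that. Returning `false` on a missing dependency surfaces as a `TypeError` in the queue callback at the first packet rather than at startup, so throwing here would be clearer.
```javascript
module.exports = (dependencies) => (nfpacket) => {
  const keys = Object.keys(dependencies);
  if (!(keys.includes('nfq') && keys.includes('pcapIPv4'))) {
    return false;
  }
  // Wrapper first, so decode() stores its result on the object the caller holds.
  const wrapped = Object.assign({}, nfpacket, {
    actions: actions(dependencies),
    enum: enums,
    decoded: undefined,
  });
  wrapped.encoding = encoding(dependencies.pcapIPv4)(wrapped);
  return wrapped;
};
```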
