From 718ba9a61b59b72dc28430bcee9a1c7d97623aba Mon Sep 17 00:00:00 2001
From: Dustyn Blackmore
Date: Sat, 12 May 2018 22:31:41 +1000
Subject: [PATCH] Minor Refactor

Initial changes nfpacket object. Removed directional state tracking (For logging) Does not currently compromise security.
---
 src/config/rules-base.nft | 2 ++
 src/index.js | 29 +++++++++++++++++------------
 src/nfpacket/actions.js | 16 ++--------------
 src/nfpacket/encoding.js | 11 +++++++++++
 src/nfpacket/enums.js | 29 +++++++++++++++--------------
 src/nfpacket/index.js | 16 ++++++++--------
 6 files changed, 55 insertions(+), 48 deletions(-)
 create mode 100644 src/nfpacket/encoding.js

diff --git a/src/config/rules-base.nft b/src/config/rules-base.nft
index 0fcfcf0..37a6242 100644
--- a/src/config/rules-base.nft
+++ b/src/config/rules-base.nft
@@ -7,6 +7,7 @@ table ip filter {
 meta mark 666 counter drop comment "NodeJS Rejected";
 meta mark 9999 counter comment "NodeJS Accepted - LOGGING";
 meta mark 999 counter accept comment "NodeJS Accepted";
+ ct state { established, related } counter accept;
 ct state { invalid, untracked } counter drop;
 counter;
 }
@@ -18,6 +19,7 @@ table ip filter {
 meta mark 777 counter reject with icmp type admin-prohibited;
 meta mark 9999 counter comment "NodeJS Accepted - LOGGING";
 meta mark 999 counter accept comment "NodeJS Accepted";
+ ct state { established, related } counter accept;
 ct state { invalid, untracked } counter drop;
 counter;
 }
diff --git a/src/index.js b/src/index.js
index cd0060a..d79cf95 100644
--- a/src/index.js
+++ b/src/index.js
@@ -5,7 +5,7 @@ const IPv4 = require('pcap/decode/ipv4');
 const pcap = require('pcap');
 const { exec } = require('child_process');
 const nft = require('./nftables')({ exec: exec });
-const nfpacket = require('./nfpacket')({ nfq: nfq, pcap: pcap })
+const netFilterPacket = require('./nfpacket')({ nfq: nfq, pcapIPv4: IPv4 })
 const actions = require('./actions')({ fs: fs })
 // These are the NFQUEUE result handler options.
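Review bot: The added `ct state { established, related } counter accept` rule is the only rule in this chain without a `comment` clause, and `related` admits more than replies to an already accepted flow — ICMP error packets and, when a conntrack helper is loaded, helper-negotiated connections — so the intent should be recorded on the rule itself, e.g. `ct state { established, related } counter accept comment "Conntrack established/related";`. The second chain at `@@ -18,6 +19,7 @@` gains the identical line and needs the same comment. Whether such packets still pass through the NFQUEUE rule before reaching this accept depends on where that rule sits in the chain, which is outside both hunks.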
@@ -140,17 +140,17 @@ function determineVerdict (interface, packet, direction) {
 // Check if the source port is as our otherwise accepted outgoing destination port, but only on incoming connections
 // (Basically; established / releated comms)
 // Required since 'logging' change complexity - but REQUIRES refactor
- if (direction === 'incoming' && typeof rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports !== 'undefined') {
- if (typeof rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport] !== 'undefined') {
- console.log('Incoming packet which has a sourceport listed in destination port lists');
- if (rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport].policy && rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport].policy === 'allow') {
- console.log("Possible Related Connection: %s", JSON.stringify(packet));
- verdict.policy = NF_ACCEPT;
-
- return verdict;
- }
- }
- }
+ // if (direction === 'incoming' && typeof rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports !== 'undefined') {
+ // if (typeof rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport] !== 'undefined') {
+ // console.log('Incoming packet which has a sourceport listed in destination port lists');
+ // if (rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport].policy && rules['outgoing'][packet.payloadDecoded.protocol.toString()][interface.zone].ports[packet.payloadDecoded.payload.sport].policy === 'allow') {
+ // console.log("Possible Related Connection: %s", JSON.stringify(packet));
+ // verdict.policy = NF_ACCEPT;
+
+ // return verdict;
+ // }
+ // }
+ // }
 // Check we even handle this protocol
 if (rules[direction][packet.payloadDecoded.protocol.toString()]) {
@@ -231,6 +231,11 @@ function updateOutput () {
 function bindQueueHandlers () {
 interfaces.forEach(interface => {
 interface.queueIn = nfq.createQueueHandler(parseInt(interface.number), buffer, (nfpacket) => {
+ let thisPacket = netFilterPacket(nfpacket);
+
+ thisPacket.encoding.decode();
+
+ console.log(thisPacket);
 let decoded = new IPv4().decode(nfpacket.payload, 0);
 let stringified = nfpacket.payload.toString();
 let clonedPacket = Object.assign({}, nfpacket, { payloadDecoded: decoded, payloadStringified: stringified });
diff --git a/src/nfpacket/actions.js b/src/nfpacket/actions.js
index 8ae53bc..25991ca 100644
--- a/src/nfpacket/actions.js
+++ b/src/nfpacket/actions.js
@@ -2,21 +2,9 @@ const actions = (depedencies) => ({
 accept: (nfpacket) => {
 return nfpacket.setVedrict(0, 'add ' + rule);
 },
- decode: (nfpacket) => {
- let IPv4 = dependencies
- ? dependencies.pcap
- ? dependencies.pcap.decode
- ? depdencencies.pcap.decode.ipv4 || null
- : null
- : null
- : null;
-
- return IPv4
- ? new IPv4().decode(nfpacket.payload, 0)
- : nfpacket;
- },
 reject: (nfpacket) => {
- return execute(exec, 'flush ruleset');
+ nfpacket.setVerdict(this.enums.NF_REJECT);
+ return this;
 },
 requeue: (filename) => {
 return execute(exec, '-f ' + filename);
diff --git a/src/nfpacket/encoding.js b/src/nfpacket/encoding.js
new file mode 100644
index 0000000..9c964e7
--- /dev/null
+++ b/src/nfpacket/encoding.js
@@ -0,0 +1,11 @@
+const encoding = (dependencies) => (nfpacket) => ({
+ decode: () => {
+ let IPv4 = dependencies || null;
+
+ nfpacket.nfpacketDecoded = IPv4
+ ? new IPv4().decode(nfpacket.payload, 0)
+ : false;
+ }
+})
+
+module.exports = encoding;
diff --git a/src/nfpacket/enums.js b/src/nfpacket/enums.js
index 08b4f0b..53e6d5a 100644
--- a/src/nfpacket/enums.js
+++ b/src/nfpacket/enums.js
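Review bot: The removed source-port check should be deleted rather than kept as eleven commented-out lines; git history already holds it, and the dead block now hides the reason it went away. A one-line comment in its place is more useful to the next reader, e.g. `// Source-port matching against the outgoing rule set was removed: the remote side chooses the source port, so it cannot prove a packet belongs to an accepted flow; established/related reply traffic is now handled by conntrack in rules-base.nft.` The enclosing `determineVerdict` starts before and continues after the hunk.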
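Review bot: `thisPacket.encoding.decode()` throws a TypeError inside the queue callback whenever `netFilterPacket(nfpacket)` returns `false`, which the new `src/nfpacket/index.js` does when its dependency check fails, so a misconfiguration shows up as a per-packet handler error instead of a clean startup failure; guard it, `if (!thisPacket) { throw new Error('nfpacket: missing nfq/pcapIPv4 dependencies'); }`, or validate the dependencies once at module load. `console.log(thisPacket)` then prints the whole packet object, payload buffer included, for every queued packet and reads as leftover debugging. The existing `new IPv4().decode(nfpacket.payload, 0)` on the next line repeats the decode that `decode()` just performed. `bindQueueHandlers` continues past the end of the hunk.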
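Review bot: `this.enums.NF_REJECT` in the new `reject` body dereferences `undefined`: `reject` is an arrow function inside an object literal, so `this` is the module's lexical `this` rather than the packet, and the property built in `src/nfpacket/index.js` is named `enum` in any case — every call throws before `setVerdict` runs, so the packet is left without a verdict. Use the enums module directly and return the packet: add `const { netfilterVerdict } = require('./enums.js');` at the top of the file, then `nfpacket.setVerdict(netfilterVerdict.NF_REJECT); return nfpacket;`. The surrounding `accept` entry still calls `setVedrict` with an undeclared `rule`, but those lines are context, not part of this change.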
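Review bot: `decode()` stores its result in `nfpacket.nfpacketDecoded`, but the packet object assembled in `src/nfpacket/index.js` exposes the field as `decoded` (initialised to `undefined`), so after `thisPacket.encoding.decode()` the `decoded` property still holds `undefined` and the header is only reachable under the other name; write `nfpacket.decoded = IPv4 ? new IPv4().decode(nfpacket.payload, 0) : false;` instead. The `dependencies` parameter is the IPv4 decoder class itself, so naming it `IPv4Decoder` would make the `|| null` fallback unnecessary. `new IPv4().decode(nfpacket.payload, 0)` runs on raw bytes from the wire and nothing here shows how the pcap decoder behaves on truncated or malformed input, so the call should be wrapped in a `try`/`catch` that records `false` rather than letting an exception escape the queue callback.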
@@ -1,15 +1,16 @@
-const netfilterVerdict = {
- // These are the NFQUEUE result handler options.
- NF_REJECT: 0,
- NF_ACCEPT: 1, // Accept packet (but no longer seen / disowned by conntrack,
- NF_REQUEUE: 4, // Requeue packet (Which we then use a mark to determine the action,
-}
-
-const protocols = {
- // Protocol Numbers can be found here, however; libpcap has limited support..
- // https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
- PC_ICMP: 1,
- PC_IGMP: 2,
- PC_TCP: 6,
- PC_UDP: 17,
+module.exports = {
+ netfilterVerdict: {
+ // These are the NFQUEUE result handler options.
+ NF_REJECT: 0,
+ NF_ACCEPT: 1, // Accept packet (but no longer seen / disowned by conntrack,
+ NF_REQUEUE: 4, // Requeue packet (Which we then use a mark to determine the action,
+ },
+ protocols: {
+ // Protocol Numbers can be found here, however; libpcap has limited support..
+ // https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+ PC_ICMP: 1,
+ PC_IGMP: 2,
+ PC_TCP: 6,
+ PC_UDP: 17,
+ }
 }
diff --git a/src/nfpacket/index.js b/src/nfpacket/index.js
index 6959d6a..bb1cef8 100644
--- a/src/nfpacket/index.js
+++ b/src/nfpacket/index.js
@@ -1,17 +1,17 @@
 const actions = require('./actions');
+const encoding = require('./encoding');
 const enums = require('./enums.js');
-const nfpacket = (dependencies) => {
- if (Object.keys(dependencies).includes(['pcap', 'nfq'])) {
+module.exports = (dependencies) => (nfpacket) => {
+ if (Object.keys(dependencies).includes('nfq') && Object.keys(dependencies).includes('pcapIPv4')) {
 return Object.assign(
- {},
 nfpacket,
- enums,
- actions(dependencies)
- )
+ { actions: actions(dependencies) },
+ { encoding: encoding(dependencies.pcapIPv4)(nfpacket) },
+ { enum: enums },
+ { decoded: undefined }
+ );
 }
 return false;
 }
-
-module.exports = nfpacket;
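Review bot: `NF_REJECT: 0` is a misleading name: in libnetfilter_queue verdict 0 is `NF_DROP`, a silent discard with no ICMP or RST sent, and 4 is `NF_REPEAT`, so the name suggests the `reject with icmp type admin-prohibited` behaviour that only the mark-777 rule in rules-base.nft provides. The hunk only moves the constants into `module.exports`, but while they are being touched the comments should say what the numbers mean to the kernel, e.g. `NF_REJECT: 0, // NF_DROP in libnetfilter_queue: silent discard, not an ICMP/RST reject` and `NF_REQUEUE: 4, // NF_REPEAT in libnetfilter_queue`. Whether the old file exported anything below line 15 is not visible in the hunk.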
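Review bot: The dependency check now runs on every packet and returns `false` on failure, so a misconfigured factory surfaces as a `TypeError` in the queue callback in `src/index.js` rather than at startup; validate in the outer function and throw there, so the inner function always returns a packet. Dropping `{}` as the first `Object.assign` argument also means the nfq packet object itself is mutated — `actions`, `encoding`, `enum` and `decoded` are attached to it and the later `Object.assign({}, nfpacket, …)` in `src/index.js` copies them along — so if that is intended say so in a comment, otherwise restore the `{}` target. The hunk covers the whole file.
```javascript
module.exports = (dependencies) => {
  const present = Object.keys(dependencies || {});
  if (!present.includes('nfq') || !present.includes('pcapIPv4')) {
    throw new Error('nfpacket: nfq and pcapIPv4 dependencies are required');
  }
  return (nfpacket) => Object.assign(
    nfpacket,
    // … unchanged: actions, encoding, enum, decoded entries …
  );
}
```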