From f6b4263850a4b41008b7daab00ec1cf269b8057a Mon Sep 17 00:00:00 2001
From: amitlimaye
Date: Fri, 27 Mar 2020 23:42:35 -0700
Subject: [PATCH] Dont user hmark for legacy acls

---
 .../internal/supervisor/iptablesctrl/acls.go | 2 +-
 .../internal/supervisor/iptablesctrl/rules.go | 122 ++++++++++++------
 .../supervisor/iptablesctrl/templates.go | 15 ++-
 3 files changed, 92 insertions(+), 47 deletions(-)

diff --git a/controller/internal/supervisor/iptablesctrl/acls.go b/controller/internal/supervisor/iptablesctrl/acls.go
index 027c07370..a77b3e013 100644
--- a/controller/internal/supervisor/iptablesctrl/acls.go
+++ b/controller/internal/supervisor/iptablesctrl/acls.go
@@ -45,7 +45,7 @@ func (i *iptables) cgroupChainRules(cfg *ACLInfo) [][]string {
 cfg.ContextID,
 cfg.AppChain,
 cfg.NetChain,
- cfg.CgroupMark,
+ cfg.PacketMark,
 cfg.TCPPorts,
 cfg.UDPPorts,
 cfg.ProxyPort,
diff --git a/controller/internal/supervisor/iptablesctrl/rules.go b/controller/internal/supervisor/iptablesctrl/rules.go
index 2022716d5..765c46155 100644
--- a/controller/internal/supervisor/iptablesctrl/rules.go
+++ b/controller/internal/supervisor/iptablesctrl/rules.go
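Review bot: The swap from `cfg.CgroupMark` to `cfg.PacketMark` in the argument list of cgroupChainRules is not covered by the commit subject (legacy kernels and HMARK), so its intent cannot be read from the hunk. If CgroupMark is no longer consumed anywhere after this change, its field in ACLInfo should go with it; if it is still used elsewhere, a one-line comment above the call such as `// cgroup chain keys on the per-PU packet mark, not the cgroup mark` would spare the next reader the same question. cgroupChainRules starts before and ends after this hunk.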
@@ -21,30 +21,46 @@ var globalRules = ` {{$length := len .NetSynQueues}} {{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}} {{.MangleTable}} {{.MainNetChain}} -j {{ .MangleProxyNetChain }} +{{if .IsLegacyKernel}} + {{.MangleTable}} {{.MainNetChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} src -m string --string {{.UDPSignature}} --algo bm --to 65535 -j NFQUEUE --queue-bypass --queue-balance {{.QueueBalanceNetSynAck}} + {{.MangleTable}} {{.MainNetChain}} -m set --match-set {{.TargetTCPNetSet}} src -p tcp --tcp-flags ALL ACK -m tcp --tcp-option 34 -j NFQUEUE --queue-balance {{.QueueBalanceNetAck}} +{{else}} + {{$.MangleTable}} {{$.MainNetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src -j HMARK --hmark-tuple src,sport,dst,dport --hmark-offset 0x1 --hmark-rnd {{$.HMarkRandomSeed}} --hmark-mod {{$length}} + {{range $index,$queuenum := .NetSynAckQueues}} + {{$.MangleTable}} {{$.MainNetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src -m string --string {{$.UDPSignature}} --algo bm --to 65535 -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-bypass --queue-num {{$queuenum}} + {{end}} -{{$.MangleTable}} {{$.MainNetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src -j HMARK --hmark-tuple src,sport,dst,dport --hmark-offset 0x1 --hmark-rnd {{$.HMarkRandomSeed}} --hmark-mod {{$length}} -{{range $index,$queuenum := .NetSynAckQueues}} -{{$.MangleTable}} {{$.MainNetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src -m string --string {{$.UDPSignature}} --algo bm --to 65535 -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-bypass --queue-num {{$queuenum}} -{{end}} + {{$.MangleTable}} {{$.MainNetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -j HMARK --hmark-tuple src,sport,dst,dport --hmark-offset 0x1 --hmark-rnd {{$.HMarkRandomSeed}} --hmark-mod {{$length}} + {{range $index,$queuenum := .NetAckQueues}} + {{$.MangleTable}} {{$.MainNetChain}} -m 
set --match-set {{$.TargetTCPNetSet}} src -p tcp --tcp-flags ALL ACK -m tcp --tcp-option 34 -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} + {{end}} -{{$.MangleTable}} {{$.MainNetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -j HMARK --hmark-tuple src,sport,dst,dport --hmark-offset 0x1 --hmark-rnd {{$.HMarkRandomSeed}} --hmark-mod {{$length}} -{{range $index,$queuenum := .NetAckQueues}} -{{$.MangleTable}} {{$.MainNetChain}} -m set --match-set {{$.TargetTCPNetSet}} src -p tcp --tcp-flags ALL ACK -m tcp --tcp-option 34 -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} {{end}} + {{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultExternalConnmark}} -j ACCEPT {{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultConnmark}} -p tcp ! --tcp-flags SYN,ACK SYN,ACK -j ACCEPT + + {{if isLocalServer}} -{{.MangleTable}} {{.MainNetChain}} -j {{.UIDInput}} -{{end}} -{{range $index,$queuenum := .NetSynAckQueues}} -{{$.MangleTable}} {{$.MainNetChain}} -m set --match-set {{$.TargetTCPNetSet}} src -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass + {{.MangleTable}} {{.MainNetChain}} -j {{.UIDInput}} {{end}} -{{range $index,$queuenum := .NetSynQueues}} -{{$.MangleTable}} {{$.MainNetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-option 34 --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass +{{if .IsLegacyKernel}} + {{.MangleTable}} {{.MainNetChain}} -m set --match-set {{.TargetTCPNetSet}} src -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-balance {{.QueueBalanceNetSynAck}} --queue-bypass + {{.MangleTable}} {{.MainNetChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} src -m tcp --tcp-option 34 --tcp-flags SYN,ACK SYN -j NFQUEUE --queue-balance 
{{.QueueBalanceNetSyn}} --queue-bypass +{{else}} + {{range $index,$queuenum := .NetSynAckQueues}} + {{$.MangleTable}} {{$.MainNetChain}} -m set --match-set {{$.TargetTCPNetSet}} src -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass + {{end}} + + {{range $index,$queuenum := .NetSynQueues}} + {{$.MangleTable}} {{$.MainNetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-option 34 --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass + {{end}} + {{end}} + {{if isLocalServer}} {{.MangleTable}} {{.MainNetChain}} -j {{.TriremeInput}} {{.MangleTable}} {{.MainNetChain}} -j {{.NetworkSvcInput}} 
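Review bot: The rule lines added inside the new `{{if .IsLegacyKernel}}` / `{{else}}` branches carry leading spaces inside the raw-string template (e.g. `  {{.MangleTable}} {{.MainNetChain}} -p udp -m set ...`), whereas the lines they replace and the surrounding context lines start at column 0. Whether that indentation is harmless depends on how the rendered globalRules text is split into iptables arguments, which is outside this hunk; if the consumer does not trim each line, the first argument becomes an empty token, so this is worth confirming or, simpler, keeping every rule line at column 0 as the rest of the template does. The same indentation appears in the hunks at @@ -57, @@ -159 and @@ -193. The globalRules string starts before and ends after this hunk.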
@@ -57,17 +73,29 @@ var globalRules = ` {{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultExternalConnmark}} -j ACCEPT {{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p tcp ! --tcp-flags SYN,ACK SYN,ACK -j ACCEPT + + +{{if .IsLegacyKernel}} + +{{else}} {{$length := len .AppSynQueues}} {{$.MangleTable}} {{$.MainAppChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} dst -j HMARK --hmark-tuple dst,dport,src,sport --hmark-offset 0x1 --hmark-rnd {{$.HMarkRandomSeed}} --hmark-mod {{$length}} {{$.MangleTable}} {{$.MainAppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -j HMARK --hmark-tuple dst,dport,src,sport --hmark-offset 0x1 --hmark-rnd {{$.HMarkRandomSeed}} --hmark-mod {{$length}} +{{end}} + {{if isLocalServer}} {{.MangleTable}} {{.MainAppChain}} -j {{.UIDOutput}} {{end}} {{.MangleTable}} {{.MainAppChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} dst -m tcp --tcp-flags SYN,ACK SYN,ACK -j MARK --set-mark {{.InitialMarkVal}}/{{.MarkMask}} + +{{if .IsLegacyKernel}} +{{.MangleTable}} {{.MainAppChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} dst -m tcp --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-balance {{.QueueBalanceAppSynAck}} --queue-bypass +{{else}} {{range $index,$queuenum := .AppSynAckQueues}} {{$.MangleTable}} {{$.MainAppChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} dst -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass + {{end}} {{end}} {{if isLocalServer}} 
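Review bot: The new `{{if .IsLegacyKernel}}` around the two HMARK rules has an empty true branch and puts the real content after `{{else}}`; writing it as `{{if not .IsLegacyKernel}}` ... `{{end}}` says the same thing without a reader hunting for legacy rules that do not exist. Separately, the context line `-j MARK --set-mark {{.InitialMarkVal}}/{{.MarkMask}}` now runs on both kernel classes, while the only visible consumer of the mark (`-m mark --mark {{Increment $index}}/{{$.QueueMask}}`) lives in the non-legacy branch; if nothing else reads the mark on legacy kernels the rule is dead there, and if something does, a short template comment naming it would help. The globalRules string starts before and ends after this hunk.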
@@ -159,22 +187,29 @@ var packetCaptureTemplate = ` {{if needDnsRules}} {{.MangleTable}} {{.AppChain}} -p udp -m udp --dport 53 -j ACCEPT {{end}} -{{range $index,$queuenum := .AppSynQueues}} -{{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} -{{end}} -{{range $index,$queuenum := .AppAckQueues}} - -{{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} -{{end}} +{{if .IsLegacyKernel}} +{{.MangleTable}} {{.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN -j NFQUEUE --queue-balance {{.QueueBalanceAppSyn}} +{{.MangleTable}} {{.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK ACK -j NFQUEUE --queue-balance {{.QueueBalanceAppAck}} {{if isUIDProcess}} -{{range $index,$queuenum := .AppSynAckQueues}} -{{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} -{{end}} +{{.MangleTable}} {{.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-balance {{.QueueBalanceAppSynAck}} {{end}} +{{else}} + {{range $index,$queuenum := .AppSynQueues}} + {{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} + {{end}} + {{range $index,$queuenum := .AppAckQueues}} + {{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} + {{end}} + {{if isUIDProcess}} + {{range $index,$queuenum := .AppSynAckQueues}} + {{$.MangleTable}} {{$.AppChain}} -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} + {{end}} + {{end}} + {{range $index,$queuenum := .AppSynQueues}} + {{$.MangleTable}} 
{{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} + {{end}} -{{range $index,$queuenum := .AppSynQueues}} -{{$.MangleTable}} {{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} {{end}} {{.MangleTable}} {{.AppChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} dst -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT 
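Review bot: The legacy branch of the AppChain rules has no UDP counterpart: the non-legacy branch keeps the `-p udp -m set --match-set {{$.TargetUDPNetSet}} dst ... -j NFQUEUE` rule (ranged over .AppSynQueues), but on a legacy kernel no rule sends outbound UDP toward the target set to NFQUEUE, so it falls through to the `--state ESTABLISHED ... -j ACCEPT` line and whatever follows without ever being queued. The net-side hunk at @@ -193 does add a legacy UDP rule, so this looks like an omission rather than a decision. Adding `{{.MangleTable}} {{.AppChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} dst -j NFQUEUE --queue-balance {{.QueueBalanceAppSyn}}` to the legacy branch, before `{{if isUIDProcess}}`, mirrors the queue the non-legacy UDP rule uses (AppSynQueues) in the same way the net side maps its UDP rule to {{.QueueBalanceNetSyn}}; confirm that queue choice against the enforcer's UDP handling, which is not visible here. The packetCaptureTemplate string starts before and ends after this hunk.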
@@ -193,21 +228,30 @@ var packetCaptureTemplate = ` {{.MangleTable}} {{.NetChain}} -p udp -m udp --sport 53 -j ACCEPT {{end}} -{{range $index,$queuenum := .NetSynQueues}} -{{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} -{{end}} -{{range $index,$queuenum := .NetAckQueues}} -{{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} -{{end}} -{{if isUIDProcess}} -{{range $index,$queuenum := .NetSynAckQueues}} -{{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} -{{end}} -{{end}} - -{{range $index,$queuenum := .NetSynQueues}} -{{$.MangleTable}} {{$.NetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src --match limit --limit 1000/s -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} +{{if .IsLegacyKernel}} + {{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN -j NFQUEUE --queue-balance {{.QueueBalanceNetSyn}} + {{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK ACK -j NFQUEUE --queue-balance {{.QueueBalanceNetAck}} + {{if isUIDProcess}} + {{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-balance {{.QueueBalanceNetSynAck}} + {{end}} + {{.MangleTable}} {{.NetChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} src --match limit --limit 1000/s -j NFQUEUE --queue-balance {{.QueueBalanceNetSyn}} +{{else}} + {{range $index,$queuenum := .NetSynQueues}} + {{$.MangleTable}} 
{{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} + {{end}} + {{range $index,$queuenum := .NetAckQueues}} + {{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} + {{end}} + + {{if isUIDProcess}} + {{range $index,$queuenum := .NetSynAckQueues}} + {{$.MangleTable}} {{$.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN,ACK SYN,ACK -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} + {{end}} + {{end}} + {{range $index,$queuenum := .NetSynQueues}} + {{$.MangleTable}} {{$.NetChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} src --match limit --limit 1000/s -m mark --mark {{Increment $index}}/{{$.QueueMask}} -j NFQUEUE --queue-num {{$queuenum}} + {{end}} {{end}} {{.MangleTable}} {{.NetChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT diff --git a/controller/internal/supervisor/iptablesctrl/templates.go b/controller/internal/supervisor/iptablesctrl/templates.go index 6873ef630..34f40bfe7 100644 --- a/controller/internal/supervisor/iptablesctrl/templates.go +++ b/controller/internal/supervisor/iptablesctrl/templates.go @@ -94,8 +94,9 @@ type ACLInfo struct { MarkMask string HMarkRandomSeed string // IPv4 IPv6 - DefaultIP string - needICMPRules bool + DefaultIP string + needICMPRules bool + IsLegacyKernel bool // UDP rules Numpackets string 
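Review bot: `IsLegacyKernel bool` is added to ACLInfo directly under the `// IPv4 IPv6` comment that groups DefaultIP and needICMPRules, and gets no comment of its own, although it now selects between two whole rule sets in rules.go. A comment on its own line above the field, `// IsLegacyKernel selects --queue-balance NFQUEUE rules instead of HMARK/mark-based queue selection.`, would document the switch and keep it out of the IPv4/IPv6 group. The ACLInfo struct starts before and ends after this hunk.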
@@ -298,11 +299,11 @@ func (i *iptables) newACLInfo(version int, contextID string, p *policy.PUInfo, p
 ProxySetName: proxySetName,
 //
 // UID PUs
- UID: uid,
- PacketMark: packetMark,
- Mark: mark,
- PortSet: portSetName,
-
+ UID: uid,
+ PacketMark: packetMark,
+ Mark: mark,
+ PortSet: portSetName,
+ IsLegacyKernel: i.isLegacyKernel,
 NFLOGPrefix: policy.DefaultLogPrefix(contextID),
 NFLOGAcceptPrefix: policy.DefaultAcceptLogPrefix(contextID),
 DefaultNFLOGDropPrefix: policy.DefaultDroppedPacketLogPrefix(contextID),
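Review bot: `IsLegacyKernel: i.isLegacyKernel` introduces a dependency on a receiver field that this patch neither declares nor sets, so whether it is populated before newACLInfo runs cannot be seen here; if it is left at its zero value, the templates silently take the HMARK path on every kernel, which is the case this commit is trying to avoid. A comment at the field's declaration naming where it is set, or a check where the iptables value is constructed, would make that contract visible. The new line also sits under the `// UID PUs` comment group, with which it has nothing to do. newACLInfo starts before and ends after this hunk.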