Page MenuHomeFreeBSD
Differential D18897

Add a simple port filter to SIFTR
ClosedPublic
Actions

Authored by rscheff on Jan 18 2019, 7:32 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Feb 24, 10:28 PM
Unknown Object (File)
Mon, Feb 24, 12:38 AM
Unknown Object (File)
Jan 4 2025, 12:12 AM
Unknown Object (File)
Dec 20 2024, 2:28 PM
Unknown Object (File)
Dec 6 2024, 8:26 AM
Unknown Object (File)
Dec 1 2024, 10:22 AM
Unknown Object (File)
Nov 23 2024, 12:22 AM
Unknown Object (File)
Nov 12 2024, 2:26 PM
View All Files
Subscribers
imp

Details

Reviewers
cc
imp
brooks
Commits
rS343756: MFC r343587:
rS343587: Add a simple port filter to SIFTR.
Summary

SIFTR does not allow any kind of filtering, but captures every packet processed by the TCP stack.
Often, only a specific session or service is of interest, and doing the filtering in post-processing of the log adds to the overhead of SIFTR.

This adds a new sysctl net.inet.siftr.port_filter. When set to zero, all packets get captured as previously. If set to any other value, only packets where either the source or the destination ports match, are captured in the log file.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

rscheff created this revision.Jan 18 2019, 7:32 PM
Harbormaster completed remote builds in B22042: Diff 53008.Jan 18 2019, 7:32 PM
rscheff added a reviewer: cc.Jan 18 2019, 7:43 PM
rscheff set the repository for this revision to rS FreeBSD src repository - subversion.
Herald added a subscriber: imp. · View Herald TranscriptJan 18 2019, 7:43 PM
rscheff added reviewers: imp, brooks.Jan 18 2019, 8:09 PM
brooks added inline comments.Jan 18 2019, 9:49 PM
sys/netinet/siftr.c
322 ↗(On Diff #53008)

Does it make sense to use SYSCTL_U16 and a uint16_t here to match the port number?

919 ↗(On Diff #53008)

I'd tend to use an explicit != 0 since this isn't a bool.

rscheff updated this revision to Diff 53021.Jan 18 2019, 10:30 PM
  • let us not forget on IPv6
  • have sysctl check the port number range directly
Harbormaster completed remote builds in B22048: Diff 53021.Jan 18 2019, 10:30 PM
rscheff updated this revision to Diff 53022.Jan 18 2019, 10:32 PM
rscheff marked 2 inline comments as done.
  • line wrap
Harbormaster completed remote builds in B22049: Diff 53022.Jan 18 2019, 10:32 PM
rscheff updated this revision to Diff 53023.Jan 18 2019, 10:33 PM
  • line wrap6
Harbormaster completed remote builds in B22050: Diff 53023.Jan 18 2019, 10:33 PM
rscheff added inline comments.Jan 27 2019, 11:40 AM
sys/netinet/siftr.c
322 ↗(On Diff #53008)

I assume that also implies that range checking of the user provided value is then done by the sysctl framework? Absolutely, I have to admit, I didn't check all the various types available when fetching the patch.

cc added inline comments.Jan 28 2019, 2:37 PM
sys/netinet/siftr.c
322 ↗(On Diff #53008)

With SYSCTL_U16, this will wraparound and cause unexpected storage. Prefer the SYSCTL_UINT.

ccui@FBSD11:~/siftr % sudo sysctl net.inet.siftr.port_filter=22
net.inet.siftr.port_filter: 0 -> 22
ccui@FBSD11:~/siftr % sudo sysctl net.inet.siftr.port_filter=65535
net.inet.siftr.port_filter: 22 -> 65535
ccui@FBSD11:~/siftr % sudo sysctl net.inet.siftr.port_filter=65536 << using SYSCTL_U16
net.inet.siftr.port_filter: 65535 -> 0
ccui@FBSD11:~/siftr % sudo sysctl net.inet.siftr.port_filter=65537
net.inet.siftr.port_filter: 0 -> 1
ccui@FBSD11:~/siftr % sudo sysctl net.inet.siftr.port_filter
net.inet.siftr.port_filter: 1

brooks added inline comments.Jan 29 2019, 7:30 PM
sys/netinet/siftr.c
322 ↗(On Diff #53008)

Crappy kernel API design... The handler should reject over-long inputs, but it's probably unfixable at this date. I'm not sure I care about this case of user error...

rscheff added inline comments.Jan 29 2019, 7:54 PM
sys/netinet/siftr.c
322 ↗(On Diff #53008)

Suggestion:

  • The uint16_t would probably require 4 bytes due to alignment anyway; perhaps we use SYSCTL_INT, and log an error when set >65535 into the siftr log?
  • Alternatively keep it as a uint16_t for siftr, but have our own SYSCTL_PROC handler with CTLINT when changing the value...
  • Slightly preferred: keep it as SYSCTL_U16 and be done with it...

Whichever way, I believe having a light-weight port filtering available at the siftr level reduces the clutter in the log files enough to be worthwhile.

(Also, sysctl returns the actually set value already; if misconfigurations happen frequently, a check should be scripted when setting the filter value, that the set value is the expected value...)

cc accepted this revision.Jan 29 2019, 9:11 PM

Looks good. Thanks.

This revision is now accepted and ready to land.Jan 29 2019, 9:11 PM
Closed by commit rS343587: Add a simple port filter to SIFTR. (authored by brooks). · Explain WhyJan 30 2019, 5:44 PM
This revision was automatically updated to reflect the committed changes.
rscheff mentioned this in D21619: Update SIFTR man page, and minor trailing whitespace nit..Sep 12 2019, 3:17 PM

Revision Contents
Changeset List

PathSize
head/
sys/
netinet/
25 lines

Diff 53428

View Options

head/sys/netinet/siftr.c

Loading...