
Blacklist Host test fails #111

Open
mlhaigh opened this issue Mar 11, 2019 · 2 comments

Comments

@mlhaigh
Contributor

mlhaigh commented Mar 11, 2019

In multihost mode the test "TCP blacklist host @ unbound" currently fails. Connections on the blacklist host are getting processed as if they are not blacklisted.

@strictlymike
Collaborator

strictlymike commented Mar 20, 2020

I believe the problem occurs as follows:

  1. FakeNet-NG uses a NetFilter PREROUTING/REDIRECT rule that handles IP NAT for foreign-destined packets in MultiHost mode, in the hopes that the robust connection correlation code in conntrack may do a better job of maintaining consistency than an implementation in FakeNet-NG.
  2. The NetFilter REDIRECT target modifies the datagram's IPv4 header to a destination IP corresponding to the FakeNet-NG external interface.
  3. The blacklisting code never sees a datagram bearing the blacklisted IP address, and thus dynamic port forwarding is processed as normal.

This log output of a failed TCP blacklisted host @ unbound test seems to coincide with the sequence above.

[PCAP] Writing initial packet TCP 192.168.231.185:1574->6.6.6.6:9999 / IPv4 csum 0x3911 / TCP csum 0x20cb 
[GENPKTV] | handle_nonlocal TCP |   None | None     | 192.168.231.185:1574  |         6.6.6.6:9999  |    52 | SYN         | Seq=1403189503, Ack=0               |
[NONLOC] Nonlocal TCP 192.168.231.185:1574->6.6.6.6:9999
Received nonlocal IPv4 datagram destined for 6.6.6.6

<snip>
This is where the PREROUTING/REDIRECT rule is presumed to do its work
</snip>

[PCAP] Writing initial packet TCP 192.168.231.185:1574->192.168.231.131:9999 / IPv4 csum 0x9cf0 / TCP csum 0x84aa 
[GENPKTV] | handle_incoming TCP |   None | None     | 192.168.231.185:1574  | 192.168.231.131:9999  |    52 | SYN         | Seq=1403189503, Ack=0               |
[DPF] Redirecting TCP 192.168.231.185:1574->192.168.231.131:9999 to go to port 38926
[PCAP] Writing mangled packet TCP 192.168.231.185:1574->192.168.231.131:38926 / IPv4 csum 0x9cf0->0x9cf0 / TCP csum 0x84aa->0x13ab 

If this is confirmed to be the problem, then here are two candidate solutions:

  • Program additional PREROUTING rules to leave packets from blacklisted hosts alone
  • Retire the PREROUTING/REDIRECT rule and implement IP NAT in all configurations by adding maybe_redir_ip to the correct hook location for incoming packets in MultiHost mode, at the risk of regressions due to cases that conntrack was gracefully and silently handling
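
A small check, added here as an example and not part of FakeNet-NG or this thread, that correlates [NONLOC] and [DPF] lines from a FakeNet-NG log to flag flows whose original destination was on the blacklist but was still picked up by dynamic port forwarding, which is the symptom described above. The sample lines and the blacklist entry 6.6.6.6 are constructed from the excerpt in this issue, and the [NONLOC]/[DPF] line formats are assumed to match it.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the NAT-rewritten flow from the excerpt above plus one
# unrelated flow, so the check has something to ignore.
SAMPLE_LOG = """\
[NONLOC] Nonlocal TCP 192.168.231.185:1574->6.6.6.6:9999
Received nonlocal IPv4 datagram destined for 6.6.6.6
[DPF] Redirecting TCP 192.168.231.185:1574->192.168.231.131:9999 to go to port 38926
[NONLOC] Nonlocal TCP 192.168.231.185:1580->8.8.8.8:53
[DPF] Redirecting TCP 192.168.231.185:1580->192.168.231.131:53 to go to port 38926
"""

# Line shapes assumed from the excerpt: the pre-NAT destination is only visible
# on the [NONLOC] line, the post-NAT one on the [DPF] line.
NONLOC_RE = re.compile(r"\[NONLOC\] Nonlocal (TCP|UDP) (\S+)->(\d+\.\d+\.\d+\.\d+):(\d+)")
DPF_RE = re.compile(r"\[DPF\] Redirecting (TCP|UDP) (\S+)->(\S+) to go to port (\d+)")


def find_blacklist_bypass(log: str, blacklisted_hosts: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Return (proto, src, original_dst_ip, redirected_port) for every flow whose
    pre-NAT destination was blacklisted but which DPF nevertheless redirected.

    Flows are correlated on (protocol, source ip:port), which is the only part of
    the 5-tuple the REDIRECT target leaves untouched.
    """
    blacklisted = set(blacklisted_hosts)
    original_dst: Dict[Tuple[str, str], str] = {}
    hits: List[Tuple[str, str, str, int]] = []
    for line in log.splitlines():
        m = NONLOC_RE.match(line)
        if m:
            proto, src, dst_ip, _dst_port = m.groups()
            original_dst[(proto, src)] = dst_ip  # remember the real destination
            continue
        m = DPF_RE.match(line)
        if m:
            proto, src, _new_dst, port = m.groups()
            dst_ip = original_dst.get((proto, src))
            if dst_ip in blacklisted:
                hits.append((proto, src, dst_ip, int(port)))
    return hits


if __name__ == "__main__":
    for hit in find_blacklist_bypass(SAMPLE_LOG, ["6.6.6.6"]):
        print("blacklisted destination still redirected: %s %s->%s (to port %d)" % hit)
```

Running it over a real log after a failed "TCP blacklisted host @ unbound" run should produce exactly one hit for the test's destination if the sequence above is what is happening.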

@3V3RYONE
Contributor

We might want to document this known failure in testing.md.

Spent a lot of time trying to figure out why this test was failing in multi-host mode, then got to know this is a known failure via this issue xD
