Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(network.threat.manager): Update ipv6 flooding protection and fragment filtering #4840

Merged
merged 9 commits into from
Sep 7, 2023
Merged

feat(network.threat.manager): Update ipv6 flooding protection and fragment filtering #4840

merged 9 commits into from
Sep 7, 2023

Conversation

pierantoniomerlino
Copy link
Contributor

Note: We are using the Conventional Commits convention for our pull request titles. Please take a look at the PR title format document for the supported types and scopes.

This PR updates the org.eclipse.kura.network.threat.manager for IPv6 and chagne the way the TCP fragments are filtered.

Description of the solution adopted: The following rules are added for managing the flooding protection for IPv6 (see here):

"-A prerouting-kura -m conntrack --ctstate INVALID -j DROP",
"-A prerouting-kura -p tcp ! --syn -m conntrack --ctstate NEW -j DROP",
"-A prerouting-kura -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP",
"-A prerouting-kura -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP",
"-A prerouting-kura -p tcp --tcp-flags SYN,RST SYN,RST -j DROP",
"-A prerouting-kura -p tcp --tcp-flags FIN,RST FIN,RST -j DROP",
"-A prerouting-kura -p tcp --tcp-flags FIN,ACK FIN -j DROP",
"-A prerouting-kura -p tcp --tcp-flags ACK,URG URG -j DROP",
"-A prerouting-kura -p tcp --tcp-flags ACK,FIN FIN -j DROP",
"-A prerouting-kura -p tcp --tcp-flags ACK,PSH PSH -j DROP",
"-A prerouting-kura -p tcp --tcp-flags ALL ALL -j DROP",
"-A prerouting-kura -p tcp --tcp-flags ALL NONE -j DROP",
"-A prerouting-kura -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP",
"-A prerouting-kura -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP",
"-A prerouting-kura -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP",
"-A prerouting-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 128 -j DROP",
"-A prerouting-kura -p ipv6-icmp -m ipv6-icmp --icmpv6-type 129 -j DROP",
"-A prerouting-kura -m ipv6header --header dst --soft -j DROP",
"-A prerouting-kura -m ipv6header --header hop --soft -j DROP",
"-A prerouting-kura -m ipv6header --header route --soft -j DROP",
"-A prerouting-kura -m ipv6header --header frag --soft -j DROP",
"-A prerouting-kura -m ipv6header --header auth --soft -j DROP",
"-A prerouting-kura -m ipv6header --header esp --soft -j DROP",
"-A prerouting-kura -m ipv6header --header none --soft -j DROP",
"-A prerouting-kura -m rt --rt-type 0 -j DROP", "-A output-kura -m rt --rt-type 0 -j DROP"

Moreover, to properly filter the TCP fragments, the /proc/sys/net/ipv4/ipfrag_low_thresh, /proc/sys/net/ipv4/ipfrag_high_thresh, /proc/sys/net/netfilter/nf_conntrack_frag6_low_thresh and /proc/sys/net/netfilter/nf_conntrack_frag6_high_thresh are configured. See here, here and here for more details about fragment filtering.

@pierantoniomerlino pierantoniomerlino self-assigned this Sep 6, 2023
marcellorinaldo
marcellorinaldo reviewed Sep 6, 2023
View reviewed changes
...c/main/java/org/eclipse/kura/internal/floodingprotection/FloodingProtectionConfigurator.java Show resolved Hide resolved
kura/org.eclipse.kura.network.threat.manager/META-INF/MANIFEST.MF Outdated
@@ -15,6 +15,7 @@ Import-Package: javax.ws.rs;version="2.0.1",
org.eclipse.kura.core.configuration;version="[2.0,3.0)",
org.eclipse.kura.core.configuration.metatype;version="[1.0,2.0)",
org.eclipse.kura.net.admin;version="[1.0,3.0)",
org.eclipse.kura.net.admin.ipv6;version="[1.0,2.0)",
org.eclipse.kura.security;version="[1.1,2.0)",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that the minimum version in org.eclipse.kura.security;version="[1.1,2.0)", should be changed to [1.2,2.0) to ensure that the imported package has the latest introduced methods getFloodingProtectionFilterRulesIPv6, getFloodingProtectionNatRulesIPv6, and getFloodingProtectionMangleRulesIPv6 which are implemented here.

@pierantoniomerlino
First implementation of flooding protection ipv6
d3db740 
Signed-off-by: pierantoniomerlino <[email protected]>
@pierantoniomerlino
Added headers filtering to flooding protection
c507cf1 
Signed-off-by: pierantoniomerlino <[email protected]>
@pierantoniomerlino
Updated tests; minor fixes
3c5d6ad 
Signed-off-by: pierantoniomerlino <[email protected]>
@pierantoniomerlino
Added fragment filtering feature
1aadf54 
Signed-off-by: pierantoniomerlino <[email protected]>
@pierantoniomerlino
Updated tests
c278b8a 
Signed-off-by: pierantoniomerlino <[email protected]>
@pierantoniomerlino
Refactored test in Gerkin style
9ea5d16 
Signed-off-by: pierantoniomerlino <[email protected]>
@pierantoniomerlino
Fixed service configuration
3d9a285 
Signed-off-by: pierantoniomerlino <[email protected]>
@pierantoniomerlino
Updated dependency version
2b44d84 
Signed-off-by: pierantoniomerlino <[email protected]>
@pierantoniomerlino pierantoniomerlino force-pushed the update_ipv6_flooding_protection branch from 22f55ed to 2b44d84 Compare September 7, 2023 08:09
@pierantoniomerlino
Updated net.firewall tests
c9e3c39 
Signed-off-by: pierantoniomerlino <[email protected]>
@pierantoniomerlino pierantoniomerlino merged commit c988373 into develop Sep 7, 2023
@pierantoniomerlino pierantoniomerlino deleted the update_ipv6_flooding_protection branch September 7, 2023 12:43
pierantoniomerlino added a commit that referenced this pull request Sep 26, 2023
@pierantoniomerlino
feat(network.threat.manager): Update ipv6 flooding protection and fra…
0e3ab39 
…gment filtering (#4840)

* First implementation of flooding protection ipv6

Signed-off-by: pierantoniomerlino <[email protected]>

* Added headers filtering to flooding protection

Signed-off-by: pierantoniomerlino <[email protected]>

* Updated tests; minor fixes

Signed-off-by: pierantoniomerlino <[email protected]>

* Added fragment filtering feature

Signed-off-by: pierantoniomerlino <[email protected]>

* Updated tests

Signed-off-by: pierantoniomerlino <[email protected]>

* Refactored test in Gerkin style

Signed-off-by: pierantoniomerlino <[email protected]>

* Fixed service configuration

Signed-off-by: pierantoniomerlino <[email protected]>

* Updated dependency version

Signed-off-by: pierantoniomerlino <[email protected]>

* Updated net.firewall tests

Signed-off-by: pierantoniomerlino <[email protected]>

---------

Signed-off-by: pierantoniomerlino <[email protected]>
This was referenced Nov 23, 2023
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcellorinaldo marcellorinaldo marcellorinaldo approved these changes

@MMaiero MMaiero Awaiting requested review from MMaiero

Assignees

@pierantoniomerlino pierantoniomerlino

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pierantoniomerlino @marcellorinaldo