search

Igalia / pflua

Packet filtering in Lua
Other
313 stars 39 forks source link

IPv6 packet unexpectedly allowed #211

Closed lukego closed 9 years ago

lukego commented 9 years ago

Good day to you fine people!

I have a packet that is passing a filter when I expect it to be dropped. This seems to affect the current master (4c947889).

Here is the filter, which is verbose because autogenerated from OpenStack config:

((ip6 and icmp6) or (ip6 and tcp and portrange 32768-65535) or (arp or (ip and icmp)) or (arp or (ip and tcp and portrange 22-22)))

Here is the trace where I had expected the first packet to be dropped:

17:03:55.489437 IP6 2003::1.49671 > 2003::2.2222: Flags [S], seq 2735035200, win 28800, options [mss 1440,sackOK,TS val 7567336 ecr 0,nop,wscale 7], length 0
17:03:55.489482 IP6 2003::2.2222 > 2003::1.49671: Flags [R.], seq 0, ack 2735035201, win 0, length 0

Here is that trace again as a base64 encoded pcap file:

1MOyoQIABAAAAAAAAAAAAP//AAABAAAAW7lUVd13BwBeAAAAXgAAAFJUAAAAAVJUAAAAAIbdYAAA
AAAoBkAgAwAAAAAAAAAAAAAAAAABIAMAAAAAAAAAAAAAAAAAAsIHCK6jBVNAAAAAAKACcIBeNAAA
AgQFoAQCCAoAc3foAAAAAAEDAwdbuVRVCngHAEoAAABKAAAAUlQAAAAAUlQAAAABht1gAAAAABQG
QCADAAAAAAAAAAAAAAAAAAIgAwAAAAAAAAAAAAAAAAABCK7CBwAAAACjBVNBUBQAAEAjAAA=
kbara commented 9 years ago

G'day, Luke!

Why do you expect either packet to be dropped? pflua's behaviour matches libpcap's; both match each packet with the ip6 and tcp and portrange 32768-65535 clause, since both packets are ipv6 tcp packets, both of which involve port 49671, which is in the specified range.

First packet
% ./pflua-pipelines-match /tmp/bug/f.pcap 'ip6 and tcp and portrange 32768-65535' 1
OK: bpf-lua-unopt libpcap-unopt libpcap-opt pure-lua-unopt pure-lua-opt bpf-lua-opt all matched: all were true
Second packet
% ./pflua-pipelines-match /tmp/bug/f.pcap 'ip6 and tcp and portrange 32768-65535' 2
OK: bpf-lua-unopt libpcap-unopt libpcap-opt pure-lua-unopt pure-lua-opt bpf-lua-opt all matched: all were true

(I'm using tcpdump version 4.5.1 and libpcap version 1.5.3).

lukego commented 9 years ago

Hah!

This is my bad: I should be using dst portrange instead of simply portrange for my intended behaviour.

Thanks for the quick feedback!

kbara commented 9 years ago

I wondered... :-) I'm glad you've sorted it out.

lukego commented 9 years ago

I am really impressed with the testing tools you are creating btw! I have heard John Hughes and others give a lot of talks about nice testing techniques but I don't see them so often in the wild.

kbara commented 9 years ago

I'm really happy to be working on a project that has a good design (thanks Andy!) and relatively few dependencies/external bugs, and I have some background in formal verification. And I take http://danluu.com/testing/ and http://danluu.com/everything-is-broken/ and similar seriously, and like to see how software can be done better. I think property-based testing is low-hanging, too-often-ignored fruit, and gave a talk at FOSDEM to that effect, too. :-)