From 0db65a8984d1dddc1522ecfbf16f2db8f52966fe Mon Sep 17 00:00:00 2001
From: Viktor Liu <17948409+lixmal@users.noreply.github.com>
Date: Fri, 28 Feb 2025 20:04:59 +0100
Subject: [PATCH] Add routed packet drop flow (#3410)
---
client/firewall/uspfilter/tracer.go | 2 +-
client/firewall/uspfilter/uspfilter.go | 52 +++++++++++++++++++++-----
client/internal/netflow/types/types.go | 3 +-
flow/proto/flow.pb.go | 28 ++++++++------
flow/proto/flow.proto | 1 +
5 files changed, 62 insertions(+), 24 deletions(-)
diff --git a/client/firewall/uspfilter/tracer.go b/client/firewall/uspfilter/tracer.go
index a4c653b3b..87cd706ba 100644
--- a/client/firewall/uspfilter/tracer.go
+++ b/client/firewall/uspfilter/tracer.go
@@ -351,7 +351,7 @@ func (m *Manager) handleNativeRouter(trace *PacketTrace) *PacketTrace {
 }
 func (m *Manager) handleRouteACLs(trace *PacketTrace, d *decoder, srcIP, dstIP net.IP) *PacketTrace {
- proto := getProtocolFromPacket(d)
+ proto, _ := getProtocolFromPacket(d)
 srcPort, dstPort := getPortsFromPacket(d)
 allowed := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort)
diff --git a/client/firewall/uspfilter/uspfilter.go b/client/firewall/uspfilter/uspfilter.go
index 7485c5267..e84b3f30a 100644
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -656,8 +656,25 @@ func (m *Manager) dropFilter(packetData []byte) bool {
 // If it returns true, the packet should be dropped.
 func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP net.IP, packetData []byte) bool {
 if m.peerACLsBlock(srcIP, packetData, m.incomingRules, d) {
- m.logger.Trace("Dropping local packet (ACL denied): src=%s dst=%s",
- srcIP, dstIP)
+ srcIP, _ := netip.AddrFromSlice(srcIP)
+ dstIP, _ := netip.AddrFromSlice(dstIP)
+ _, pnum := getProtocolFromPacket(d)
+ srcPort, dstPort := getPortsFromPacket(d)
+
+ m.logger.Trace("Dropping local packet (ACL denied): proto=%v src=%s:%d dst=%s:%d",
+ pnum, srcIP, srcPort, dstIP, dstPort)
+
+ m.flowLogger.StoreEvent(nftypes.EventFields{
+ FlowID: uuid.New(),
+ Type: nftypes.TypeDrop,
+ Direction: nftypes.Ingress,
+ Protocol: pnum,
+ SourceIP: srcIP,
+ DestIP: dstIP,
+ SourcePort: srcPort,
+ DestPort: dstPort,
+ // TODO: icmp type/code
+ })
 return true
 }
@@ -706,12 +723,27 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP net.IP, packetDat
 return false
 }
- proto := getProtocolFromPacket(d)
+ proto, pnum := getProtocolFromPacket(d)
 srcPort, dstPort := getPortsFromPacket(d)
 if !m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort) {
- m.logger.Trace("Dropping routed packet (ACL denied): src=%s:%d dst=%s:%d proto=%v",
- srcIP, srcPort, dstIP, dstPort, proto)
+ srcIP, _ := netip.AddrFromSlice(srcIP)
+ dstIP, _ := netip.AddrFromSlice(dstIP)
+
+ m.logger.Trace("Dropping routed packet (ACL denied): proto=%v src=%s:%d dst=%s:%d",
+ pnum, srcIP, srcPort, dstIP, dstPort)
+
+ m.flowLogger.StoreEvent(nftypes.EventFields{
+ FlowID: uuid.New(),
+ Type: nftypes.TypeDrop,
+ Direction: nftypes.Ingress,
+ Protocol: pnum,
+ SourceIP: srcIP,
+ DestIP: dstIP,
+ SourcePort: srcPort,
+ DestPort: dstPort,
+ // TODO: icmp type/code
+ })
 return true
 }
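Review bot: `srcIP, _ := netip.AddrFromSlice(srcIP)` shadows the `net.IP` parameter with a `netip.Addr` and discards the ok result, so a slice of unexpected length silently becomes the zero `netip.Addr` and the drop event is stored with an invalid address; the same pattern is in the handleRoutedTraffic hunk below. If the decoder ever hands over a 16-byte IPv4 address, `AddrFromSlice` also yields an IPv4-mapped form that will not match the 4-byte form used elsewhere, so `src, ok := netip.AddrFromSlice(srcIP)` followed by an ok check and `.Unmap()` is the safer shape — I cannot tell the slice length from this hunk. The `EventFields` construction is byte-for-byte identical in both hunks, so a small `m.storeDropEvent(...)` helper would keep the two sites in sync and give the `// TODO: icmp type/code` a single home. Finally, a `uuid.New()` plus a flow-store write now happens for every ACL-denied packet, which is driven by unauthenticated traffic; confirm the flow logger bounds its store (or aggregates repeated drops), otherwise a flood of denied packets consumes memory at the rate of the flood.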
@@ -724,16 +756,16 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP net.IP, packetDat
 return true
 }
-func getProtocolFromPacket(d *decoder) firewall.Protocol {
+func getProtocolFromPacket(d *decoder) (firewall.Protocol, nftypes.Protocol) {
 switch d.decoded[1] {
 case layers.LayerTypeTCP:
- return firewall.ProtocolTCP
+ return firewall.ProtocolTCP, nftypes.TCP
 case layers.LayerTypeUDP:
- return firewall.ProtocolUDP
+ return firewall.ProtocolUDP, nftypes.UDP
 case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
- return firewall.ProtocolICMP
+ return firewall.ProtocolICMP, nftypes.ICMP
 default:
- return firewall.ProtocolALL
+ return firewall.ProtocolALL, nftypes.ProtocolUnknown
 }
 }
diff --git a/client/internal/netflow/types/types.go b/client/internal/netflow/types/types.go
index 2729a8ea0..09b59a6ae 100644
--- a/client/internal/netflow/types/types.go
+++ b/client/internal/netflow/types/types.go
@@ -35,9 +35,10 @@ func (p Protocol) String() string {
 type Type int
 const (
- TypeUnknown = iota
+ TypeUnknown = Type(iota)
 TypeStart
 TypeEnd
+ TypeDrop
 )
 type Direction int
diff --git a/flow/proto/flow.pb.go b/flow/proto/flow.pb.go
index 1cd621d21..60a57e8d3 100644
--- a/flow/proto/flow.pb.go
+++ b/flow/proto/flow.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // protoc-gen-go v1.26.0
-// protoc v3.21.9
+// protoc v4.24.3
 // source: flow.proto
 package proto
@@ -28,6 +28,7 @@ const (
 Type_TYPE_UNKNOWN Type = 0
 Type_TYPE_START Type = 1
 Type_TYPE_END Type = 2
+ Type_TYPE_DROP Type = 3
 )
 // Enum value maps for Type.
@@ -36,11 +37,13 @@ var (
 0: "TYPE_UNKNOWN",
 1: "TYPE_START",
 2: "TYPE_END",
+ 3: "TYPE_DROP",
 }
 Type_value = map[string]int32{
 "TYPE_UNKNOWN": 0,
 "TYPE_START": 1,
 "TYPE_END": 2,
+ "TYPE_DROP": 3,
 }
 )
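Review bot: The widened signature of getProtocolFromPacket has no doc comment, and the pairing of the default branch with `nftypes.ProtocolUnknown` is easy to miss for a caller that only reads `firewall.ProtocolALL`. I would add `// getProtocolFromPacket maps the decoded transport layer to its firewall and netflow protocol values; anything other than TCP, UDP or ICMP yields ProtocolALL and ProtocolUnknown.` above the func. The switch still indexes `d.decoded[1]` unconditionally, which presumably relies on the caller having already confirmed that at least two layers were decoded — that precondition predates this change, but a one-line comment at the switch stating it would save the next reader the trip to the call sites.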
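Review bot: `TypeUnknown = Type(iota)` turns the three pre-existing constants from untyped ints into typed `Type` values, which is what the new `Type` field in `EventFields` needs but may break any caller that compared or assigned them as plain `int`; no such caller is visible in this diff, so I can only flag it. The diff adds `TypeDrop` and `Type_TYPE_DROP` but does not show the code that converts the client `Type` into the protobuf enum, so if that conversion is a switch it needs a `TypeDrop` case, otherwise drop events would be sent as TYPE_UNKNOWN. Given that `Protocol` has a `String()` method (visible in the hunk header), a matching `String()` on `Type` would make drop events readable in the trace output added in uspfilter.go.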
@@ -543,19 +546,20 @@ var file_flow_proto_rawDesc = []byte{ 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x08, 0x69, 0x63, 0x6d, 0x70, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x69, 0x63, 0x6d, 0x70, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x08, 0x69, 0x63, 0x6d, 0x70, 0x43, 0x6f, 0x64, - 0x65, 0x2a, 0x36, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a, 0x0c, 0x54, 0x59, 0x50, + 0x65, 0x2a, 0x45, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a, 0x0c, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0e, 0x0a, 0x0a, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x52, 0x54, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x54, - 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x44, 0x10, 0x02, 0x2a, 0x3b, 0x0a, 0x09, 0x44, 0x69, 0x72, - 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x15, 0x0a, 0x11, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, - 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0b, 0x0a, - 0x07, 0x49, 0x4e, 0x47, 0x52, 0x45, 0x53, 0x53, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x45, 0x47, - 0x52, 0x45, 0x53, 0x53, 0x10, 0x02, 0x32, 0x42, 0x0a, 0x0b, 0x46, 0x6c, 0x6f, 0x77, 0x53, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x06, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x12, - 0x0f, 0x2e, 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x46, 0x6c, 0x6f, 0x77, 0x45, 0x76, 0x65, 0x6e, 0x74, - 0x1a, 0x12, 0x2e, 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x46, 0x6c, 0x6f, 0x77, 0x45, 0x76, 0x65, 0x6e, - 0x74, 0x41, 0x63, 0x6b, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x44, 0x10, 0x02, 0x12, 0x0d, 0x0a, 0x09, 0x54, 0x59, 0x50, + 0x45, 0x5f, 0x44, 0x52, 0x4f, 0x50, 0x10, 0x03, 0x2a, 0x3b, 0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, + 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x15, 0x0a, 0x11, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x49, + 0x4f, 0x4e, 
0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, + 0x49, 0x4e, 0x47, 0x52, 0x45, 0x53, 0x53, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x45, 0x47, 0x52, + 0x45, 0x53, 0x53, 0x10, 0x02, 0x32, 0x42, 0x0a, 0x0b, 0x46, 0x6c, 0x6f, 0x77, 0x53, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x12, 0x33, 0x0a, 0x06, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x0f, + 0x2e, 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x46, 0x6c, 0x6f, 0x77, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x1a, + 0x12, 0x2e, 0x66, 0x6c, 0x6f, 0x77, 0x2e, 0x46, 0x6c, 0x6f, 0x77, 0x45, 0x76, 0x65, 0x6e, 0x74, + 0x41, 0x63, 0x6b, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/flow/proto/flow.proto b/flow/proto/flow.proto index 5896ce583..dd725c8a0 100644 --- a/flow/proto/flow.proto +++ b/flow/proto/flow.proto @@ -63,6 +63,7 @@ enum Type { TYPE_UNKNOWN = 0; TYPE_START = 1; TYPE_END = 2; + TYPE_DROP = 3; } // Flow direction