2020-02-05 22:16:58 +00:00
|
|
|
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
2020-03-25 15:40:36 +00:00
|
|
|
// Package filter contains a stateful packet filter.
|
2020-02-05 22:16:58 +00:00
|
|
|
package filter
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"log"
|
|
|
|
"sync"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/golang/groupcache/lru"
|
2020-05-08 18:30:22 +00:00
|
|
|
"golang.org/x/time/rate"
|
2020-02-05 22:16:58 +00:00
|
|
|
"tailscale.com/wgengine/packet"
|
|
|
|
)
|
|
|
|
|
2020-03-25 07:47:55 +00:00
|
|
|
type filterState struct {
|
|
|
|
mu sync.Mutex
|
2020-03-25 15:40:36 +00:00
|
|
|
lru *lru.Cache // of tuple
|
2020-03-25 07:47:55 +00:00
|
|
|
}
|
|
|
|
|
2020-03-25 15:40:36 +00:00
|
|
|
// Filter is a stateful packet filter.
|
2020-02-05 22:16:58 +00:00
|
|
|
type Filter struct {
|
|
|
|
matches Matches
|
2020-03-25 07:47:55 +00:00
|
|
|
state *filterState
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
|
|
|
|
2020-03-25 15:40:36 +00:00
|
|
|
// Response is a verdict: either a Drop, Accept, or noVerdict skip to
|
|
|
|
// continue processing.
|
2020-02-05 22:16:58 +00:00
|
|
|
type Response int
|
|
|
|
|
|
|
|
const (
|
|
|
|
Drop Response = iota
|
|
|
|
Accept
|
|
|
|
noVerdict // Returned from subfilters to continue processing.
|
|
|
|
)
|
|
|
|
|
|
|
|
func (r Response) String() string {
|
|
|
|
switch r {
|
|
|
|
case Drop:
|
|
|
|
return "Drop"
|
|
|
|
case Accept:
|
|
|
|
return "Accept"
|
|
|
|
case noVerdict:
|
|
|
|
return "noVerdict"
|
|
|
|
default:
|
|
|
|
return "???"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-25 15:40:36 +00:00
|
|
|
// RunFlags controls the filter's debug log verbosity at runtime.
|
2020-02-05 22:16:58 +00:00
|
|
|
type RunFlags int
|
|
|
|
|
|
|
|
const (
|
|
|
|
LogDrops RunFlags = 1 << iota
|
|
|
|
LogAccepts
|
|
|
|
HexdumpDrops
|
|
|
|
HexdumpAccepts
|
|
|
|
)
|
|
|
|
|
|
|
|
type tuple struct {
|
2020-05-11 14:19:17 +00:00
|
|
|
SrcIP packet.IP
|
|
|
|
DstIP packet.IP
|
2020-02-05 22:16:58 +00:00
|
|
|
SrcPort uint16
|
|
|
|
DstPort uint16
|
|
|
|
}
|
|
|
|
|
2020-03-25 15:40:36 +00:00
|
|
|
const lruMax = 512 // max entries in UDP LRU cache
|
2020-02-05 22:16:58 +00:00
|
|
|
|
2020-03-25 15:40:36 +00:00
|
|
|
// MatchAllowAll matches all packets.
|
2020-02-05 22:16:58 +00:00
|
|
|
var MatchAllowAll = Matches{
|
2020-04-30 05:49:17 +00:00
|
|
|
Match{[]NetPortRange{NetPortRangeAny}, []Net{NetAny}},
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
|
|
|
|
2020-03-25 15:40:36 +00:00
|
|
|
// NewAllowAll returns a packet filter that accepts everything.
|
2020-02-05 22:16:58 +00:00
|
|
|
func NewAllowAll() *Filter {
|
2020-03-25 07:47:55 +00:00
|
|
|
return New(MatchAllowAll, nil)
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
|
|
|
|
2020-03-25 15:40:36 +00:00
|
|
|
// NewAllowNone returns a packet filter that rejects everything.
|
2020-02-05 22:16:58 +00:00
|
|
|
func NewAllowNone() *Filter {
|
2020-03-25 07:47:55 +00:00
|
|
|
return New(nil, nil)
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
|
|
|
|
2020-03-25 15:40:36 +00:00
|
|
|
// New creates a new packet Filter with the given Matches rules.
|
|
|
|
// If shareStateWith is non-nil, the returned filter shares state
|
|
|
|
// with the previous one, to enable rules to be changed at runtime
|
|
|
|
// without breaking existing flows.
|
2020-03-25 07:47:55 +00:00
|
|
|
func New(matches Matches, shareStateWith *Filter) *Filter {
|
|
|
|
var state *filterState
|
|
|
|
if shareStateWith != nil {
|
|
|
|
state = shareStateWith.state
|
|
|
|
} else {
|
|
|
|
state = &filterState{
|
2020-03-25 15:40:36 +00:00
|
|
|
lru: lru.New(lruMax),
|
2020-03-25 07:47:55 +00:00
|
|
|
}
|
|
|
|
}
|
2020-02-05 22:16:58 +00:00
|
|
|
f := &Filter{
|
|
|
|
matches: matches,
|
2020-03-25 07:47:55 +00:00
|
|
|
state: state,
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
|
|
|
return f
|
|
|
|
}
|
|
|
|
|
|
|
|
func maybeHexdump(flag RunFlags, b []byte) string {
|
2020-05-08 18:30:22 +00:00
|
|
|
if flag == 0 {
|
2020-02-05 22:16:58 +00:00
|
|
|
return ""
|
|
|
|
}
|
2020-05-08 18:30:22 +00:00
|
|
|
return packet.Hexdump(b) + "\n"
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// TODO(apenwarr): use a bigger bucket for specifically TCP SYN accept logging?
|
|
|
|
// Logging is a quick way to record every newly opened TCP connection, but
|
|
|
|
// we have to be cautious about flooding the logs vs letting people use
|
|
|
|
// flood protection to hide their traffic. We could use a rate limiter in
|
|
|
|
// the actual *filter* for SYN accepts, perhaps.
|
2020-05-08 18:30:22 +00:00
|
|
|
var acceptBucket = rate.NewLimiter(rate.Every(10*time.Second), 3)
|
|
|
|
var dropBucket = rate.NewLimiter(rate.Every(5*time.Second), 10)
|
2020-02-05 22:16:58 +00:00
|
|
|
|
|
|
|
func logRateLimit(runflags RunFlags, b []byte, q *packet.QDecode, r Response, why string) {
|
2020-05-08 18:30:22 +00:00
|
|
|
if r == Drop && (runflags&LogDrops) != 0 && dropBucket.Allow() {
|
2020-02-05 22:16:58 +00:00
|
|
|
var qs string
|
|
|
|
if q == nil {
|
|
|
|
qs = fmt.Sprintf("(%d bytes)", len(b))
|
|
|
|
} else {
|
|
|
|
qs = q.String()
|
|
|
|
}
|
|
|
|
log.Printf("Drop: %v %v %s\n%s", qs, len(b), why, maybeHexdump(runflags&HexdumpDrops, b))
|
2020-05-08 18:30:22 +00:00
|
|
|
} else if r == Accept && (runflags&LogAccepts) != 0 && acceptBucket.Allow() {
|
2020-02-05 22:16:58 +00:00
|
|
|
log.Printf("Accept: %v %v %s\n%s", q, len(b), why, maybeHexdump(runflags&HexdumpAccepts, b))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *Filter) RunIn(b []byte, q *packet.QDecode, rf RunFlags) Response {
|
|
|
|
r := pre(b, q, rf)
|
|
|
|
if r == Accept || r == Drop {
|
|
|
|
// already logged
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
r, why := f.runIn(q)
|
|
|
|
logRateLimit(rf, b, q, r, why)
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *Filter) RunOut(b []byte, q *packet.QDecode, rf RunFlags) Response {
|
|
|
|
r := pre(b, q, rf)
|
|
|
|
if r == Drop || r == Accept {
|
|
|
|
// already logged
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
r, why := f.runOut(q)
|
|
|
|
logRateLimit(rf, b, q, r, why)
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *Filter) runIn(q *packet.QDecode) (r Response, why string) {
|
|
|
|
switch q.IPProto {
|
|
|
|
case packet.ICMP:
|
2020-04-29 07:53:32 +00:00
|
|
|
if q.IsEchoResponse() || q.IsError() {
|
|
|
|
// ICMP responses are allowed.
|
|
|
|
// TODO(apenwarr): consider using conntrack state.
|
|
|
|
// We could choose to reject all packets that aren't
|
|
|
|
// related to an existing ICMP-Echo, TCP, or UDP
|
|
|
|
// session.
|
|
|
|
return Accept, "icmp response ok"
|
|
|
|
} else if matchIPWithoutPorts(f.matches, q) {
|
|
|
|
// If any port is open to an IP, allow ICMP to it.
|
2020-02-05 22:16:58 +00:00
|
|
|
return Accept, "icmp ok"
|
|
|
|
}
|
|
|
|
case packet.TCP:
|
|
|
|
// For TCP, we want to allow *outgoing* connections,
|
|
|
|
// which means we want to allow return packets on those
|
|
|
|
// connections. To make this restriction work, we need to
|
|
|
|
// allow non-SYN packets (continuation of an existing session)
|
|
|
|
// to arrive. This should be okay since a new incoming session
|
|
|
|
// can't be initiated without first sending a SYN.
|
|
|
|
// It happens to also be much faster.
|
|
|
|
// TODO(apenwarr): Skip the rest of decoding in this path?
|
|
|
|
if q.IPProto == packet.TCP && !q.IsTCPSyn() {
|
|
|
|
return Accept, "tcp non-syn"
|
|
|
|
}
|
|
|
|
if matchIPPorts(f.matches, q) {
|
|
|
|
return Accept, "tcp ok"
|
|
|
|
}
|
|
|
|
case packet.UDP:
|
|
|
|
t := tuple{q.SrcIP, q.DstIP, q.SrcPort, q.DstPort}
|
|
|
|
|
2020-03-25 07:47:55 +00:00
|
|
|
f.state.mu.Lock()
|
|
|
|
_, ok := f.state.lru.Get(t)
|
|
|
|
f.state.mu.Unlock()
|
2020-02-05 22:16:58 +00:00
|
|
|
|
|
|
|
if ok {
|
|
|
|
return Accept, "udp cached"
|
|
|
|
}
|
|
|
|
if matchIPPorts(f.matches, q) {
|
|
|
|
return Accept, "udp ok"
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
return Drop, "Unknown proto"
|
|
|
|
}
|
|
|
|
return Drop, "no rules matched"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *Filter) runOut(q *packet.QDecode) (r Response, why string) {
|
|
|
|
if q.IPProto == packet.UDP {
|
|
|
|
t := tuple{q.DstIP, q.SrcIP, q.DstPort, q.SrcPort}
|
2020-03-25 15:40:36 +00:00
|
|
|
var ti interface{} = t // allocate once, rather than twice inside mutex
|
2020-02-05 22:16:58 +00:00
|
|
|
|
2020-03-25 07:47:55 +00:00
|
|
|
f.state.mu.Lock()
|
2020-03-25 15:40:36 +00:00
|
|
|
f.state.lru.Add(ti, ti)
|
2020-03-25 07:47:55 +00:00
|
|
|
f.state.mu.Unlock()
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
|
|
|
return Accept, "ok out"
|
|
|
|
}
|
|
|
|
|
|
|
|
func pre(b []byte, q *packet.QDecode, rf RunFlags) Response {
|
|
|
|
if len(b) == 0 {
|
|
|
|
// wireguard keepalive packet, always permit.
|
|
|
|
return Accept
|
|
|
|
}
|
|
|
|
if len(b) < 20 {
|
|
|
|
logRateLimit(rf, b, nil, Drop, "too short")
|
|
|
|
return Drop
|
|
|
|
}
|
|
|
|
q.Decode(b)
|
|
|
|
|
|
|
|
if q.IPProto == packet.Junk {
|
|
|
|
// Junk packets are dangerous; always drop them.
|
|
|
|
logRateLimit(rf, b, q, Drop, "junk!")
|
|
|
|
return Drop
|
|
|
|
} else if q.IPProto == packet.Fragment {
|
|
|
|
// Fragments after the first always need to be passed through.
|
|
|
|
// Very small fragments are considered Junk by QDecode.
|
|
|
|
logRateLimit(rf, b, q, Accept, "fragment")
|
|
|
|
return Accept
|
|
|
|
}
|
|
|
|
|
|
|
|
return noVerdict
|
|
|
|
}
|