Re: New DLT needed for PPP active/passiv filtering

[Karsten Keil <kkeil () suse de>]

On Tue, Aug 17, 2004 at 01:55:11PM +0200, Hannes Gredler wrote:
> karsten,
>
> could you elaborate a bit more on "it creates binary incompatible filters";

The filter needed for PPP activ/passiv filtering work on the raw PPP
paket with the modified 4 byte PPP header, all prior kernel use this format.
If I compile a filter with  LINUX_SLL the filter offsets are for an 16 byte
header, so the routine which pass the paket through the filter must add this
16 byte header, which make the kernel incompatible (you need new kernel
and new pppd). Unfortunatly the kernel filter API have no field to determine
for which DLT a filter was compiled, so it is not possible to detect a
mismatch and workaround. So if you just try a new kernel, PPP activ/passiv
filtering is not longer working, without any notice (if you have a time
based internet tarif you will see that on your bill, if you use dial on
demand).

> in my testbed the linux machine creates 100% correct BPF filters;

Yes for capturing PPP data it's OK, since it was implemented for LINUX_SLL.
The activ/passiv PPP filtering was implemented for DLT_PPP.

> e.g.
>
> --->encaps is LINUX_SLL
> # tcpdump -i ppp0 icmp   
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>
> --->lets try the filter code for icmp ....
> # tcpdump -i ppp0 -d icmp   
> (000) ldh      [14]
> (001) jeq      #0x800           jt 2    jf 5
> (002) ldb      [25]
> (003) jeq      #0x1             jt 4    jf 5
> (004) ret      #96
> (005) ret      #0
>
> ---> lets match on inbound direction
> # tcpdump -d -i ppp0 inbound 
> (000) ldh      [0]
> (001) jeq      #0x0             jt 2    jf 3
> (002) ret      #96
> (003) ret      #0
>
> ---> and outbound
> # tcpdump -d -i ppp0 outbound   
> (000) ldh      [0]
> (001) jeq      #0x4             jt 2    jf 3
> (002) ret      #96
> (003) ret      #0
>
>
> /hannes
>
>
> On Tue, Aug 17, 2004 at 12:53:54PM +0200, Karsten Keil wrote:
> | Hi,
> | 
> | between libpcap version 0.7 and 0.8 the DLT_PPP was cleaned up to not longer
> | support the faked IN/OUT flag which was needed to compile filter rules
> | for the PPP activ/passiv filtering.
> | The cleanup is OK, since the nativ PPP frame do not have any IN/OUT flag,
> | so for traffic analysers it is confusing to have a faked first byte.
> | 
> | But for activ/passiv filtering, which is needed to determine for dial on
> | demand which pakets are allowed to create a new connection or which pakets
> | hold the current connection open, it is a strong demand to differ between
> | own (OUT) and incoming traffic (which may contain unwanted pakets, like
> | port scans or pakets from old lost connections (dynamic IPs maybe
> | reassingned).
> | 
> | So I was told some months ago to use cooked mode with DLT_LINUX_SLL, which
> | used a faked 16 byte ethernet header instead of the 4 byte PPP header.
> | I implement a solution based on this, but it has big disadventages:
> | 
> | - it creates binary incompatible filters, it need new core routines for
> |   activ/passiv filter (which replace the 4 byte header with a 16 byte
> |   header) 
> | - waste of resources, the paket handler must extend the headspace from 4 to
> |   16 byte only for executing the filter
> | 
> | Because the incompatibility this solutions was rejected by the PPP
> | maintainers and I think they are right.
> | 
> | A solution may be to create a new DLT_PPP_INOUT (better names welcome),
> | which take the first PPP byte, which is not needed for filtering as IN/OUT
> | Flag (same behavior as libpcap 0.7 DLT_PPP had).
> | This solution is backward compatible and need no changes in the PPP core
> | routines. Old ppp binary (libpcap 0.7 based) will still work.
> | The main DLT_PPP for traffic analyser stuff will remain clean and not
> | got confused this extra stuff.
> | 
> | So I need a DLT number assigned for this new DLT_PPP_INOUT.
> | 
> | -- 
> | Karsten Keil
> | ISDN development
> | -
> | This is the tcpdump-workers list.
> | Visit https://lists.sandelman.ca/ to unsubscribe.
> -
> This is the tcpdump-workers list.
> Visit https://lists.sandelman.ca/ to unsubscribe.

-- 
Karsten Keil
ISDN development
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.