Fix missing negations, duplicate rows in iptables table (#6713)

This commit is contained in:
Ryan Mack 2020-10-16 14:33:25 -04:00 committed by GitHub
parent 5c1bf4ff0c
commit d71420be93
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 8 deletions


@ -35,6 +35,12 @@ static const std::string kHexMap = "0123456789ABCDEF";
static const int kMaskHighBits = 4;
static const int kMaskLowBits = 15;
namespace {
std::string formatInvFlag(const iptcproxy_rule& rule, int flag) {
return (rule.ip_data.invflags & flag) ? "!" : "";
}
} // namespace
void parseIptcpRule(const iptcproxy_rule& rule, Row& r) {
if (rule.target != nullptr) {
r["target"] = TEXT(rule.target);
@ -58,21 +64,26 @@ void parseIptcpRule(const iptcproxy_rule& rule, Row& r) {
r["dst_port"] = "";
}
r["protocol"] = INTEGER(rule.ip_data.proto);
r["protocol"] =
formatInvFlag(rule, IPTC_INV_PROTO) + INTEGER(rule.ip_data.proto);
if (strlen(rule.ip_data.iniface)) {
r["iniface"] = TEXT(rule.ip_data.iniface);
r["iniface"] =
formatInvFlag(rule, IPTC_INV_VIA_IN) + TEXT(rule.ip_data.iniface);
} else {
r["iniface"] = "all";
}
if (strlen(rule.ip_data.outiface)) {
r["outiface"] = TEXT(rule.ip_data.outiface);
r["outiface"] =
formatInvFlag(rule, IPTC_INV_VIA_OUT) + TEXT(rule.ip_data.outiface);
} else {
r["outiface"] = "all";
}
r["src_ip"] = ipAsString(&rule.ip_data.src);
r["dst_ip"] = ipAsString(&rule.ip_data.dst);
r["src_ip"] =
formatInvFlag(rule, IPTC_INV_SRCIP) + ipAsString(&rule.ip_data.src);
r["dst_ip"] =
formatInvFlag(rule, IPTC_INV_DSTIP) + ipAsString(&rule.ip_data.dst);
r["src_mask"] = ipAsString(&rule.ip_data.smsk);
r["dst_mask"] = ipAsString(&rule.ip_data.dmsk);
@ -126,8 +137,9 @@ void genIPTablesRules(const std::string &filter, QueryData &results) {
for (auto rule = iptcproxy_first_rule(chain->chain, handle);
rule != nullptr;
rule = iptcproxy_next_rule(handle)) {
parseIptcpRule(*rule, r);
results.push_back(r);
Row ruleRow{r};
parseIptcpRule(*rule, ruleRow);
results.push_back(std::move(ruleRow));
} // Rule iteration
results.push_back(r);
} // Chain iteration
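Review bot: Prefixing `formatInvFlag(rule, IPTC_INV_PROTO)` to `INTEGER(rule.ip_data.proto)` stores a non-numeric string such as `!6` in the protocol column, which presumably has INTEGER affinity in the table spec (not visible here); a query filtering with `WHERE protocol = 6` would then silently skip exactly the negated rules an auditor most wants to see. If the column must stay numeric, expose the negation separately; otherwise add `// NOTE: negated matches are rendered as "!<value>", so this column is no longer strictly numeric.` above the protocol assignment. Separately, the unconditional `results.push_back(r);` after the rule loop still emits one chain-level row with empty rule fields for every chain, even when the chain had rules; if that is intended, a comment like `// Always emit one row for the chain itself, independent of its rules.` would stop the next reader from re-reporting it as the duplicate-row bug. genIPTablesRules starts and ends outside the hunk.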


@ -50,6 +50,16 @@ struct iptcproxy_rule {
};
typedef struct iptcproxy_rule iptcproxy_rule;
/* Values for "invflags" field in struct ip_data. */
#define IPTC_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
#define IPTC_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
#define IPTC_INV_TOS 0x04 /* Invert the sense of TOS. */
#define IPTC_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
#define IPTC_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
#define IPTC_INV_FRAG 0x20 /* Invert the sense of FRAG. */
#define IPTC_INV_PROTO 0x40 /* Invert the sense of PROTO. */
#define IPTC_INV_MASK 0x7F /* All possible flag bits mask. */
const iptcproxy_handle* iptcproxy_init(const char* filter);
void iptcproxy_free(const iptcproxy_handle* handle);
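Review bot: The new `IPTC_INV_*` values presumably mirror the `IPT_INV_*` flags of the underlying iptables headers, since `invflags` is tested bitwise against them in the table code, but nothing on the page ties the two sets together, so drift in either would silently flip which rules are shown as negated. If the proxy copies `invflags` straight from the iptables entry, a `static_assert(IPTC_INV_MASK == IPT_INV_MASK, "invflags layout drift");` (and one per flag) in the translation unit that sees both headers would lock the mapping in. The comment on `IPTC_INV_DSTIP` also reads `DST OP`; it should be `/* Invert the sense of DST IP. */`.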


@ -32,6 +32,7 @@ iptcproxy_rule getIpEntryContent() {
strcpy(ip_rule.ip_data.outiface, "eth0");
inet_aton("123.123.123.123", &ip_rule.ip_data.src);
inet_aton("45.45.45.45", &ip_rule.ip_data.dst);
ip_rule.ip_data.invflags = IPTC_INV_DSTIP;
inet_aton("250.251.252.253", &ip_rule.ip_data.smsk);
inet_aton("253.252.251.250", &ip_rule.ip_data.dmsk);
memset(ip_rule.ip_data.iniface_mask, 0xfe, IFNAMSIZ);
@ -52,7 +53,7 @@ Row getIpEntryExpectedResults() {
row["iniface"] = "all";
row["outiface"] = "eth0";
row["src_ip"] = "123.123.123.123";
row["dst_ip"] = "45.45.45.45";
row["dst_ip"] = "!45.45.45.45";
row["src_mask"] = "250.251.252.253";
row["dst_mask"] = "253.252.251.250";
row["iniface_mask"] = "FEFEFEFEFEFEFEFEFEFEFEFEFEFEFE";
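Review bot: The fixture sets only `IPTC_INV_DSTIP`, so the prefix path for the protocol, interface and source-address flags — including `IPTC_INV_PROTO` on the integer-valued protocol column — is verified by none of the expected rows. A second fixture, or a combined `ip_rule.ip_data.invflags = IPTC_INV_DSTIP | IPTC_INV_VIA_OUT;` with `row["outiface"] = "!eth0";` and the protocol expectation updated to its negated form, would cover the bit test and both the text and integer prefix paths together. Both getIpEntryContent and getIpEntryExpectedResults start and end outside the hunks.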