  • Engine Allows Port Ranges/Lists

    Updated the Geneva engine to allow for port ranges and lists
    specifying which ports to monitor to modify packets. This works
    using either a range like port 5000 to port 6000 =>
    --server-port 5000:6000 or a list like port 5000, 5500, and 6000
    => --server-port 5000,5500,6000.
    
    Any error checking on the port variable will be handled by the
    iptables command.
  • Michael Harrity committed 3 years ago
    f149f1c6
    1 parent e788720b
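The port syntax described in the commit message (a single port, a `lo:hi` range, or a comma-separated list), as an added example that is not part of Geneva's code: a validator that checks the specification before any iptables command is built and renders it as iptables match arguments, using the multiport extension's documented `--dports`/`--sports` options and returning the rule as an argv list rather than a formatted shell string. The function names, the `MULTIPORT_LIMIT` constant and the sample inputs are assumptions of this example.

```python
"""Validate a --server-port specification and render iptables match arguments.

Added example, not Geneva's own code. Accepted forms follow the commit message:
"5000" (single port), "5000:6000" (range), "5000,5500,6000" (list); a list may
mix single ports and ranges.
"""
from __future__ import annotations

import re

# One port or lo:hi range, optionally repeated with commas. Only the shape is
# checked here; the numeric bounds are checked separately for a clearer error.
_PORT_SPEC = re.compile(r"\d{1,5}(?::\d{1,5})?(?:,\d{1,5}(?::\d{1,5})?)*")

# xt_multiport accepts at most 15 ports per rule, and a range counts as two.
MULTIPORT_LIMIT = 15  # assumption: constant name chosen for this example


def needs_multiport(ranges: list[tuple[int, int]]) -> bool:
    """A single port uses the tcp/udp match itself; anything else goes through multiport."""
    return len(ranges) != 1 or ranges[0][0] != ranges[0][1]


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Return inclusive (low, high) pairs for a valid spec; raise ValueError otherwise."""
    spec = spec.strip()
    if not _PORT_SPEC.fullmatch(spec):
        raise ValueError(f"malformed port specification: {spec!r}")
    ranges: list[tuple[int, int]] = []
    for item in spec.split(","):
        lo_s, _, hi_s = item.partition(":")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
            raise ValueError(f"port out of range 0-65535 in {item!r}")
        if lo > hi:
            raise ValueError(f"inverted range {item!r}")
        ranges.append((lo, hi))
    if needs_multiport(ranges):
        weight = sum(2 if lo != hi else 1 for lo, hi in ranges)
        if weight > MULTIPORT_LIMIT:
            raise ValueError(
                f"multiport allows {MULTIPORT_LIMIT} ports per rule "
                f"(a range counts as two), got {weight}")
    return ranges


def is_valid_port_spec(spec: str) -> bool:
    """Boolean form of parse_port_spec for callers that only need accept/reject."""
    try:
        parse_port_spec(spec)
    except ValueError:
        return False
    return True


def port_match_args(spec: str, direction: str) -> list[str]:
    """iptables arguments selecting the ports; direction is "sport" or "dport"."""
    if direction not in ("sport", "dport"):
        raise ValueError(f"direction must be sport or dport, got {direction!r}")
    ranges = parse_port_spec(spec)
    if not needs_multiport(ranges):
        return [f"--{direction}", str(ranges[0][0])]
    rendered = ",".join(str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in ranges)
    # multiport documents the plural option names (--sports/--dports).
    return ["--match", "multiport", f"--{direction}s", rendered]


def nfqueue_rule(action: str, chain: str, proto: str, direction: str,
                 spec: str, queue_num: int) -> list[str]:
    """Full argv for one NFQUEUE rule, suitable for subprocess.run(argv) without a shell."""
    return ["iptables", f"-{action}", chain, "-p", proto,
            *port_match_args(spec, direction),
            "-j", "NFQUEUE", "--queue-num", str(queue_num)]


if __name__ == "__main__":
    # Constructed inputs: the commit message's two examples plus a hostile value.
    for sample in ("5000:6000", "5000,5500,6000", "80; rm -rf /"):
        if is_valid_port_spec(sample):
            print(" ".join(nfqueue_rule("A", "OUTPUT", "tcp", "dport", sample, 1)))
        else:
            print(f"rejected {sample!r}")
```

Because the rule is produced as an argv list, a value such as `80; rm -rf /` can never reach a shell even if the validator were skipped; the validator's job is to fail at argument-parsing time with a message naming the bad port instead of a failed iptables invocation when rules are installed.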
    engine.py
    skipped 46 lines
    47 47   demo_mode=False):
    48 48   """
    49 49   Args:
    50  - server_port (int): The port the engine will monitor
     50 + server_port (int): The port(s) the engine will monitor
    51 51   string_strategy (str): String representation of strategy DNA to apply to the network
    52 52   environment_id (str, None): ID of the given strategy
    53 53   server_side (bool, False): Whether or not the engine is running on the server side of the connection
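Review bot: the docstring type for `server_port` is now wrong: the argparse change further down in this commit stores the value as a plain string, and the new iptables code tests it with `in` for ":" and ",", which only works on a str. Change the line to `server_port (str): The port(s) the engine will monitor` and list the accepted forms (`5000`, `5000:6000`, `5000,5500,6000`) so anyone constructing the engine directly does not pass an int.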
    skipped 167 lines
    221 221   add_or_remove = "D"
    222 222   cmds = []
    223 223   for proto in ["tcp", "udp"]:
    224  - cmds += ["iptables -%s %s -p %s --%s %d -j NFQUEUE --queue-num %d" %
    225  - (add_or_remove, out_chain, proto, port1, self.server_port, self.out_queue_num),
    226  - "iptables -%s %s -p %s --%s %d -j NFQUEUE --queue-num %d" %
    227  - (add_or_remove, in_chain, proto, port2, self.server_port, self.in_queue_num)]
     224 + # Need to change the match rule if multiple ports are specified
     225 + # Don't need to do any checking on the port since the iptables command can error, closing the engine
     226 + # Default match policy is the protocol
     227 + match_policy = proto
     228 + if any(x in self.server_port for x in [":", ","]):
     229 + match_policy = "multiport"
     230 + 
     231 + cmds += ["iptables -%s %s -p %s --match %s --%s %s -j NFQUEUE --queue-num %d" %
     232 + (add_or_remove, out_chain, proto, match_policy, port1, self.server_port, self.out_queue_num),
     233 + "iptables -%s %s -p %s --match %s --%s %s -j NFQUEUE --queue-num %d" %
     234 + (add_or_remove, in_chain, proto, match_policy, port2, self.server_port, self.in_queue_num)]
    228 235   # If this machine is acting as a middlebox, we need to add the same rules again
    229 236   # in the opposite direction so that we can pass packets back and forth
    230 237   if self.forwarder:
    231  - cmds += ["iptables -%s %s -p %s --%s %d -j NFQUEUE --queue-num %d" %
    232  - (add_or_remove, out_chain, proto, port2, self.server_port, self.out_queue_num),
    233  - "iptables -%s %s -p %s --%s %d -j NFQUEUE --queue-num %d" %
    234  - (add_or_remove, in_chain, proto, port1, self.server_port, self.in_queue_num)]
     238 + cmds += ["iptables -%s %s -p %s --match %s --%s %s -j NFQUEUE --queue-num %d" %
     239 + (add_or_remove, out_chain, proto, match_policy, port2, self.server_port, self.out_queue_num),
     240 + "iptables -%s %s -p %s --match %s --%s %s -j NFQUEUE --queue-num %d" %
     241 + (add_or_remove, in_chain, proto, match_policy, port1, self.server_port, self.in_queue_num)]
    235 242   
    236 243   for cmd in cmds:
    237 244   self.logger.debug(cmd)
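Review bot: `self.server_port` is interpolated unvalidated into the command string (`--%s %s`), and the new comment "Don't need to do any checking on the port since the iptables command can error" only holds if the string reaches iptables intact: if these commands are run through a shell, a value such as `5000; <other command>` executes before iptables ever sees it, and even without a shell the operator gets an opaque iptables failure at rule-install time rather than a message about the port argument. Check the value against `^\d+(:\d+)?(,\d+(:\d+)?)*$` with each port in 0-65535 before building any command, and prefer building argv lists run without a shell. Three smaller points on the same lines: the multiport extension documents its options as `--sports`/`--dports`, so `--match multiport --dport ...` works only through long-option prefix abbreviation and should be spelled out; multiport accepts at most 15 ports per rule with a range counting as two, which the delegated "let iptables error" approach will surface only as a failed rule; and `any(x in self.server_port for x in [":", ","])` raises TypeError if `server_port` is ever an int, as the unchanged docstring still advertises. The four near-identical rule templates would also collapse into one helper taking the chain, the port direction and the queue number.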
    skipped 171 lines
    409 416   Sets up argparse and collects arguments.
    410 417   """
    411 418   parser = argparse.ArgumentParser(description='The engine that runs a given strategy.')
    412  - parser.add_argument('--server-port', type=int, action='store', required=True)
     419 + # Store a string, not int, in case of port ranges/lists. The iptables command checks the port var
     420 + parser.add_argument('--server-port', action='store', required=True)
    413 421   parser.add_argument('--environment-id', action='store', help="ID of the current strategy under test")
    414 422   parser.add_argument('--sender-ip', action='store', help="IP address of sending machine, used for NAT")
    415 423   parser.add_argument('--routing-ip', action='store', help="Public IP of this machine, used for NAT")
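Review bot: dropping `type=int` removes the only input validation `--server-port` had without replacing it, and the argument still carries no `help=` text although the neighbouring arguments do. argparse's `type=` accepts any callable, so a small validator that raises `argparse.ArgumentTypeError` for anything other than `port`, `lo:hi` or a comma-separated list of those, with every port in 0-65535, turns a bad value into a usage error at startup instead of a failed iptables invocation later; pair it with `help="Port, lo:hi range, or comma-separated list of ports/ranges to monitor"`.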
    skipped 49 lines