def Ii111(lisp_thread): lisp.lisp_set_exception() if (lisp.lisp_myrlocs[0] == None): return if 67 - 67: O0 oOOo000oOoO0 = "lo0" if lisp.lisp_is_macos() else "any" if 52 - 52: II111iiii.ooOoO0o / OoOoOO00 / OoooooooOO.i11iIiiIii I1i1i = pcappy.open_live(oOOo000oOoO0, 9000, 0, 100) if 86 - 86: Oo0Ooo / oO0o + O0 * iII111i iiI11I1i1i1iI = "(dst host " OoOOo000o0 = "" for oO0OOoO0 in lisp.lisp_get_all_addresses(): iiI11I1i1i1iI += "{} or ".format(oO0OOoO0) OoOOo000o0 += "{} or ".format(oO0OOoO0) if 12 - 12: II111iiii.I11i / OOooOOo iiI11I1i1i1iI = iiI11I1i1i1iI[0:-4] iiI11I1i1i1iI += ") and ((udp dst port 4341 or 8472 or 4789) or " iiI11I1i1i1iI += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + "(ip[6]&0xe0 == 0 and ip[7] != 0))))" if 77 - 77: ooOoO0o - I1IiiI % I11i - O0 if 67 - 67: OOooOOo + Oo0Ooo if 84 - 84: O0 * OoooooooOO - IiII * IiII if 8 - 8: ooOoO0o / i1IIi.oO0o if 41 - 41: iII111i + OoO0O00 if 86 - 86: OoOoOO00.iIii1I11I1II1 - OoO0O00 OoOOo000o0 = OoOOo000o0[0:-4] iiI11I1i1i1iI += ( " or (not (src host {}) and " + "((udp src port 4342 and ip[28] == 0x28) or " + "(udp dst port 4342 and ip[28] == 0x12)))").format(OoOOo000o0) if 56 - 56: O0 if 61 - 61: o0oOOo0O0Ooo / OOooOOo / Oo0Ooo * O0 if 23 - 23: oO0o - OOooOOo + I11i lisp.lprint("Capturing packets for: '{}'".format(iiI11I1i1i1iI)) I1i1i.filter = iiI11I1i1i1iI if 12 - 12: I1IiiI / ooOoO0o % o0oOOo0O0Ooo / i11iIiiIii % OoooooooOO if 15 - 15: iIii1I11I1II1 % OoooooooOO - Oo0Ooo * Ii1I + I11i if 11 - 11: iII111i * Ii1I - OoOoOO00 if 66 - 66: OoOoOO00.i11iIiiIii - iII111i * o0oOOo0O0Ooo + OoooooooOO * I1ii11iIi11i I1i1i.loop(-1, Oo, [oOOo000oOoO0, lisp_thread]) return if 74 - 74: Oo0Ooo if 61 - 61: Oo0Ooo - I1Ii111 * II111iiii % ooOoO0o * iIii1I11I1II1 + OoO0O00 if 71 - 71: I11i / I11i * oO0o * oO0o / II111iiii if 35 - 35: OOooOOo * o0oOOo0O0Ooo * I1IiiI % Oo0Ooo.OoOoOO00 if 58 - 58: I11i + II111iiii * iII111i * i11iIiiIii - iIii1I11I1II1 if 68 - 68: OoooooooOO % II111iiii if 26 - 26: II111iiii % i11iIiiIii % iIii1I11I1II1 % I11i * I11i * I1ii11iIi11i
def lisp_rtr_pcap_thread(lisp_thread): lisp.lisp_set_exception() if (lisp.lisp_myrlocs[0] == None): return device = "lo0" if lisp.lisp_is_macos() else "any" pcap = pcappy.open_live(device, 9000, 0, 100) # # If "lisp-nat = yes" is configured, then a PETR is co-located with this # RTR functionality. We need to pcap *all* packets (0.0.0.0/0 and 0::/0). # lisp_nat = commands.getoutput("egrep 'lisp-nat = yes' ./lisp.config") lisp_nat = (lisp_nat != "" and lisp_nat[0] == " ") pfilter = "(dst host " afilter = "" for addr in lisp.lisp_get_all_addresses(): pfilter += "{} or ".format(addr) afilter += "{} or ".format(addr) #endif pfilter = pfilter[0:-4] pfilter += ") and ((udp dst port 4341 or 8472 or 4789) or " pfilter += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + \ "(ip[6]&0xe0 == 0 and ip[7] != 0))))" # # For RLOC-probe messages that come via pcap interface so we have the # IP header to grab the TTL. # afilter = afilter[0:-4] pfilter += (" or (not (src host {}) and " + \ "((udp src port 4342 and ip[28] == 0x28) or " + \ "(udp dst port 4342 and ip[28] == 0x12)))").format(afilter) if (lisp_nat): pfilter += " or (dst net 0.0.0.0/0 and not (host {}))".format(afilter) #endif lisp.lprint("Capturing packets for: '{}'".format(pfilter)) pcap.filter = pfilter # # Enter receive loop. # pcap.loop(-1, lisp_rtr_pcap_process_packet, [device, lisp_thread]) return
def oo0OOo0O(lisp_thread): lisp.lisp_set_exception() if (lisp.lisp_myrlocs[0] == None): return if 39 - 39: OoooooooOO + oO0o % OOooOOo / OOooOOo Ii1ii111i1 = "lo0" if lisp.lisp_is_macos() else "any" if 27 - 27: iII111i.I11i.iIii1I11I1II1.iIii1I11I1II1 iIi1i = pcappy.open_live(Ii1ii111i1, 9000, 0, 100) if 4 - 4: I1Ii111 / i11iIiiIii / OOooOOo OooO0ooo0o = "(dst host " iii1 = "" for oO0OOoO0 in lisp.lisp_get_all_addresses(): OooO0ooo0o += "{} or ".format(oO0OOoO0) iii1 += "{} or ".format(oO0OOoO0) if 32 - 32: Ii1I.IiII.OoooooooOO - OoO0O00 + oO0o OooO0ooo0o = OooO0ooo0o[0:-4] OooO0ooo0o += ") and ((udp dst port 4341 or 8472 or 4789) or " OooO0ooo0o += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + "(ip[6]&0xe0 == 0 and ip[7] != 0))))" if 88 - 88: iII111i if 19 - 19: II111iiii * IiII + Ii1I if 65 - 65: OOooOOo.I1Ii111.OoO0O00.iII111i - OOooOOo if 19 - 19: i11iIiiIii + iII111i % ooOoO0o if 14 - 14: OoO0O00.II111iiii.I11i / Ii1I % I1ii11iIi11i - ooOoO0o if 67 - 67: I11i - OOooOOo.i1IIi iii1 = iii1[0:-4] OooO0ooo0o += (" or (not (src host {}) and " + "((udp src port 4342 and ip[28] == 0x28) or " + "(udp dst port 4342 and ip[28] == 0x12)))").format(iii1) if 35 - 35: iII111i + ooOoO0o - oO0o.iII111i.IiII if 87 - 87: OoOoOO00 if 25 - 25: i1IIi.OoO0O00 - OoOoOO00 / OoO0O00 % OoO0O00 * iIii1I11I1II1 lisp.lprint("Capturing packets for: '{}'".format(OooO0ooo0o)) iIi1i.filter = OooO0ooo0o if 50 - 50: OoO0O00.i11iIiiIii - oO0o.oO0o if 31 - 31: OOooOOo / Oo0Ooo * i1IIi.OoOoOO00 if 57 - 57: OOooOOo + iIii1I11I1II1 % i1IIi % I1IiiI if 83 - 83: o0oOOo0O0Ooo / i11iIiiIii % iIii1I11I1II1.I11i % oO0o.OoooooooOO iIi1i.loop(-1, OoO, [Ii1ii111i1, lisp_thread]) return if 94 - 94: Ii1I + iIii1I11I1II1 % OoO0O00 if 93 - 93: Ii1I - OOooOOo + iIii1I11I1II1 * o0oOOo0O0Ooo + I1Ii111.iII111i if 49 - 49: OoooooooOO * I11i - Oo0Ooo.oO0o if 89 - 89: ooOoO0o + Ii1I * ooOoO0o / ooOoO0o if 46 - 46: OoO0O00 if 71 - 71: I11i / I11i * oO0o * oO0o / II111iiii if 35 - 35: OOooOOo * o0oOOo0O0Ooo * I1IiiI % Oo0Ooo.OoOoOO00
def I1iIII1(lisp_thread): lisp.lisp_set_exception() if (lisp.lisp_myrlocs[0] == None): return if 39 - 39: OoooooooOO OOOOoO000 = "lo0" if lisp.lisp_is_macos() else "any" if 38 - 38: I1IiiI oOo0OoOOo0 = pcappy.open_live(OOOOoO000, 9000, 0, 100) if 30 - 30: I1ii11iIi11i % I1IiiI O0Oo00 = "(dst host " ii1IiIIi1i = "" for oO0OOoO0 in lisp.lisp_get_all_addresses(): O0Oo00 += "{} or ".format(oO0OOoO0) ii1IiIIi1i += "{} or ".format(oO0OOoO0) if 54 - 54: ooOoO0o O0Oo00 = O0Oo00[0:-4] O0Oo00 += ") and ((udp dst port 4341 or 8472 or 4789) or " O0Oo00 += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + "(ip[6]&0xe0 == 0 and ip[7] != 0))))" if 67 - 67: OOooOOo.Oo0Ooo + OoOoOO00 - OoooooooOO if 70 - 70: OOooOOo / II111iiii - iIii1I11I1II1 - iII111i if 11 - 11: iIii1I11I1II1.OoooooooOO.II111iiii / i1IIi - I11i if 30 - 30: OoOoOO00 if 21 - 21: i11iIiiIii / I1Ii111 % OOooOOo * O0.I11i - iIii1I11I1II1 if 26 - 26: II111iiii * OoOoOO00 ii1IiIIi1i = ii1IiIIi1i[0:-4] O0Oo00 += (" or (not (src host {}) and " + "((udp src port 4342 and ip[28] == 0x28) or " + "(udp dst port 4342 and ip[28] == 0x12)))").format(ii1IiIIi1i) if 10 - 10: II111iiii.iII111i if 32 - 32: Ii1I.IiII.OoooooooOO - OoO0O00 + oO0o if 88 - 88: iII111i lisp.lprint("Capturing packets for: '{}'".format(O0Oo00)) oOo0OoOOo0.filter = O0Oo00 if 19 - 19: II111iiii * IiII + Ii1I if 65 - 65: OOooOOo.I1Ii111.OoO0O00.iII111i - OOooOOo if 19 - 19: i11iIiiIii + iII111i % ooOoO0o if 14 - 14: OoO0O00.II111iiii.I11i / Ii1I % I1ii11iIi11i - ooOoO0o oOo0OoOOo0.loop(-1, OO0, [OOOOoO000, lisp_thread]) return if 67 - 67: I11i - OOooOOo.i1IIi if 35 - 35: iII111i + ooOoO0o - oO0o.iII111i.IiII if 87 - 87: OoOoOO00 if 25 - 25: i1IIi.OoO0O00 - OoOoOO00 / OoO0O00 % OoO0O00 * iIii1I11I1II1 if 50 - 50: OoO0O00.i11iIiiIii - oO0o.oO0o if 31 - 31: OOooOOo / Oo0Ooo * i1IIi.OoOoOO00 if 57 - 57: OOooOOo + iIii1I11I1II1 % i1IIi % I1IiiI
def lisp_rtr_pcap_thread(lisp_thread): lisp.lisp_set_exception() if (lisp.lisp_myrlocs[0] == None): return device = "lo0" if lisp.lisp_is_macos() else "any" pcap = pcappy.open_live(device, 9000, 0, 100) pfilter = "(dst host " afilter = "" for addr in lisp.lisp_get_all_addresses(): pfilter += "{} or ".format(addr) afilter += "{} or ".format(addr) #endif pfilter = pfilter[0:-4] pfilter += ") and ((udp dst port 4341 or 8472 or 4789) or " pfilter += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + \ "(ip[6]&0xe0 == 0 and ip[7] != 0))))" # # For RLOC-probe messages that come via pcap interface so we have the # IP header to grab the TTL. # afilter = afilter[0:-4] pfilter += (" or (not (src host {}) and " + \ "((udp src port 4342 and ip[28] == 0x28) or " + \ "(udp dst port 4342 and ip[28] == 0x12)))").format(afilter) lisp.lprint("Capturing packets for: '{}'".format(pfilter)) pcap.filter = pfilter # # Enter receive loop. # pcap.loop(-1, lisp_rtr_pcap_process_packet, [device, lisp_thread]) return
def lisp_itr_kernel_filter(sources, dyn_eids): if (os.getenv("LISP_NO_IPTABLES") != None): lisp.lprint("User selected to suppress installing iptables rules") return #endif os.system("sudo iptables -t raw -N lisp") os.system("sudo iptables -t raw -A PREROUTING -j lisp") os.system("sudo ip6tables -t raw -N lisp") os.system("sudo ip6tables -t raw -A PREROUTING -j lisp") # # Have kernel process packets for local addresses when sourced from site # EIDs. We do not want the lisp-itr process to process such packets. # We want the kernel to deliver packets to and from local applications. # And we want the kernel to forward decapsulated packets out interfaces # leading the EIDs. # add = "sudo ip{}tables -t raw -A lisp -j ACCEPT -d {}" addr_set = ["127.0.0.1", "::1", "224.0.0.0/4 -p igmp", "ff00::/8", "fe80::/16"] addr_set += sources + lisp.lisp_get_all_addresses() for addr in addr_set: if (lisp.lisp_is_mac_string(addr)): continue six = "" if addr.find(":") == -1 else "6" os.system(add.format(six, addr)) #endfor # # When source and destination addresses are EIDs for this LISP site, # we want the kernel to do local routing. But as a PITR, we don't want # the kernel to route everything (EID-prefix 0.0.0.0/0) or we can't have # this process encapsulate for any source address to a destination EID. # if (lisp.lisp_pitr == False): add = "sudo ip{}tables -t raw -A lisp -j ACCEPT -s {} -d {}" check = "sudo ip{}tables -t raw -C lisp -j ACCEPT -s {} -d {}" for source in sources: if (lisp.lisp_is_mac_string(source)): continue if (source in dyn_eids): continue six = "" if source.find(":") == -1 else "6" for s in sources: if (lisp.lisp_is_mac_string(s)): continue if (s in dyn_eids): continue if (s.find(".") != -1 and source.find(".") == -1): continue if (s.find(":") != -1 and source.find(":") == -1): continue if (commands.getoutput(check.format(six, source, s)) == ""): continue #endif os.system(add.format(six, source, s)) #endfor #endfor #endif # # Now put in drop rules for each "lisp database-mapping" EID-prefix. # drop = "sudo ip{}tables -t raw -A lisp -j DROP -s {}" for source in sources: if (lisp.lisp_is_mac_string(source)): continue six = "" if source.find(":") == -1 else "6" os.system(drop.format(six, source)) #endif # # Print out rules we just configured. # rules = commands.getoutput("sudo iptables -t raw -S lisp").split("\n") rules += commands.getoutput("sudo ip6tables -t raw -S lisp").split("\n") lisp.lprint("Using kernel filters: {}".format(rules)) # # Check if we need to put in a iptables rule workaround for the virtio TCP # checksum corruption problem for KVM guest OSes. Check environmnt # variable LISP_VIRTIO_BUG. # # Note a debian host system that runs docker will need the following # command so ip6tables works inside of the docker container: # # sudo modprobe ip6table_filter # if (os.getenv("LISP_VIRTIO_BUG") != None): c = ("sudo iptables -A POSTROUTING -t mangle -p tcp -j " + \ "CHECKSUM --checksum-fill; ") c += ("sudo iptables -A POSTROUTING -t mangle -p udp -j " + \ "CHECKSUM --checksum-fill; ") c += ("sudo ip6tables -A POSTROUTING -t mangle -p tcp -j " + \ "CHECKSUM --checksum-fill; ") c += ("sudo ip6tables -A POSTROUTING -t mangle -p udp -j " + \ "CHECKSUM --checksum-fill") os.system(c) virtio = lisp.bold("virtio", False) lisp.lprint("{} bug workaround, configure '{}'".format(virtio, c)) #endif return
def lisp_itr_build_pcap_filter(sources, dyn_eids, l2_overlay, pitr): if (l2_overlay): pfilter = "ether[6:4] >= 0 and ether[10:2] >= 0" lisp.lprint("Using pcap filter: '{}'".format(pfilter)) return(pfilter) #endif ether_pfilter = "(not ether proto 0x806)" probe_pfilter = " or (udp src port 4342 and ip[28] == 0x28)" decent_pfilter = \ " or (ip[16] >= 224 and ip[16] < 240 and (ip[28] & 0xf0) == 0x30)" src_pfilter = "" dst_pfilter = "" for source in sources: insert_source = source if (lisp.lisp_is_mac_string(source)): insert_source = source.split("/")[0] insert_source = insert_source.replace("-", "") mac_str = [] for i in range(0, 12, 2): mac_str.append(insert_source[i:i+2]) insert_source = "ether host " + ":".join(mac_str) #endif src_pfilter += "{}".format(insert_source) if (source not in dyn_eids): dst_pfilter += "{}".format(insert_source) if (sources[-1] == source): break src_pfilter += " or " if (source not in dyn_eids): dst_pfilter += " or " #endfor if (dst_pfilter[-4::] == " or "): dst_pfilter = dst_pfilter[0:-4] # # If "lisp-nat = yes" is configured, then we are a PETR and we need # to accept packets for local EIDs (assigned to loopback interfaces). # So allow the first one to be accepted. # lisp_nat = commands.getoutput("egrep 'lisp-nat = yes' ./lisp.config") lisp_nat = (lisp_nat != "" and lisp_nat[0] == " ") loopback = lisp.lisp_get_loopback_address() if (lisp_nat) else None addr_pfilter = "" addresses = lisp.lisp_get_all_addresses() for addr in addresses: if (addr == loopback): continue addr_pfilter += "{}".format(addr) if (addresses[-1] == addr): break addr_pfilter += " or " #endif if (src_pfilter != ""): src_pfilter = " and (src net {})".format(src_pfilter) #endif if (dst_pfilter != ""): dst_pfilter = " and not (dst net {})".format(dst_pfilter) #endif if (addr_pfilter != ""): addr_pfilter = " and not (dst host {})".format(addr_pfilter) #endif # # A PITR wants to see packets from anywhere so it can encap to possible # LISP sites. But we want the kernel to route and consume for RLOCs for # this system. # if (pitr): dst_pfilter = "" addr_pfilter = addr_pfilter.replace("dst ", "") #endif # # Concatenate all the filters. # pfilter = ether_pfilter + src_pfilter + dst_pfilter + addr_pfilter pfilter += probe_pfilter pfilter += decent_pfilter lisp.lprint("Using pcap filter: '{}'".format(pfilter)) return(pfilter)