Staging (#2150)

* Feature to ability monitor traffic between cape result server and sandbox. (#2116) * Feature for use VRF to change behavior of handling traffic by loopback. Now traffic will be go to dirty line.
kevoreilly · Aug 24, 2024 · c1ee53a · c1ee53a
1 parent 6fe2ebc
commit c1ee53a
Show file tree

Hide file tree

Showing 7 changed files with 206 additions and 172 deletions.
diff --git a/conf/default/routing.conf.default b/conf/default/routing.conf.default
@@ -22,6 +22,14 @@ route = none
 # (For example, to route all VMs through eth0 by default: "internet = eth0").
 internet = none
 
+# When set to no masquerade rule has been not generated.
+nat = yes
+
+# When property nat set to yes. That property not used.
+# When property nat set to no and no_local_routing to yes, a vrf configuration 
+# will be generated and local traffic will go through by internet interface (dirty_line).
+no_local_routing = yes
+
 # Routing table name/id for "dirty line" interface. If "dirty line" is
 # also default gateway in the system you can leave "main" value. Otherwise add
 # new routing table by adding "<id> <name>" line to /etc/iproute2/rt_tables

diff --git a/lib/cuckoo/core/analysis_manager.py b/lib/cuckoo/core/analysis_manager.py
@@ -525,6 +525,7 @@ def route_network(self):
  elif self.route == "internet" and routing.routing.internet != "none":
  self.interface = routing.routing.internet
  self.rt_table = routing.routing.rt_table
+ self.no_local_routing = routing.routing.no_local_routing
  if routing.routing.reject_segments != "none":
  self.reject_segments = routing.routing.reject_segments
  if routing.routing.reject_hostports != "none":
@@ -592,13 +593,29 @@ def route_network(self):
  self.route = "drop"
 
  if self.interface:
- self.rooter_response = rooter("forward_enable", self.machine.interface, self.interface, self.machine.ip)
+ if self.no_local_routing:
+ input_interface = "dirty-line"
+ # Traffic from lan to machine
+ self.rooter_response = rooter("forward_enable", input_interface, self.machine.interface, "0.0.0.0/0", self.machine.ip)
+ else:
+ input_interface = self.machine.interface
+ # Traffic outbound from machine
+ self.rooter_response = rooter("forward_enable", input_interface, self.interface, self.machine.ip)
  self._rooter_response_check()
  if self.reject_segments:
  self.rooter_response = rooter(
  "forward_reject_enable", self.machine.interface, self.interface, self.machine.ip, self.reject_segments
  )
  self._rooter_response_check()
+ if self.no_local_routing:
+ # Need for forward traffic between sandbox and CAPE
+ self.rooter_response = rooter(
+ "forward_enable", input_interface, self.interface, self.machine.ip, self.cfg.resultserver.ip, "tcp", str(self.cfg.resultserver.port)
+ )
+ self.rooter_response = rooter(
+ "forward_enable", input_interface, self.machine.interface, self.cfg.resultserver.ip, self.machine.ip
+ )
+ self._rooter_response_check()
  if self.reject_hostports:
  self.rooter_response = rooter(
  "hostports_reject_enable", self.machine.interface, self.machine.ip, self.reject_hostports
@@ -607,28 +624,46 @@ def route_network(self):
 
  self.log.info("Enabled route '%s'.", self.route)
 
- if self.rt_table:
+ if self.no_local_routing:
+ rooter("add_dev_to_vrf", self.machine.interface)
+ elif self.rt_table:
  self.rooter_response = rooter("srcroute_enable", self.rt_table, self.machine.ip)
  self._rooter_response_check()
 
  def unroute_network(self):
  routing = Config("routing")
  if self.interface:
- self.rooter_response = rooter("forward_disable", self.machine.interface, self.interface, self.machine.ip)
+ if self.no_local_routing:
+ input_interface = "dirty-line"
+ # Traffic from lan to machine
+ self.rooter_response = rooter("forward_disable", input_interface, self.machine.interface, "0.0.0.0/0", self.machine.ip)
+ else:
+ input_interface = self.machine.interface
+ # Traffic outbound from machine
+ self.rooter_response = rooter("forward_disable", input_interface, self.interface, self.machine.ip)
  self._rooter_response_check()
  if self.reject_segments:
  self.rooter_response = rooter(
  "forward_reject_disable", self.machine.interface, self.interface, self.machine.ip, self.reject_segments
  )
  self._rooter_response_check()
+ if self.no_local_routing:
+ self.rooter_response = rooter(
+ "forward_disable", input_interface, self.interface, self.machine.ip, self.cfg.resultserver.ip, "tcp", str(self.cfg.resultserver.port)
+ )
+ self.rooter_response = rooter(
+ "forward_disable", input_interface, self.machine.interface, self.cfg.resultserver.ip, self.machine.ip
+ )
  if self.reject_hostports:
  self.rooter_response = rooter(
  "hostports_reject_disable", self.machine.interface, self.machine.ip, self.reject_hostports
  )
  self._rooter_response_check()
  self.log.info("Disabled route '%s'", self.route)
 
- if self.rt_table:
+ if self.no_local_routing:
+ rooter("delete_dev_from_vrf", self.machine.interface)
+ elif self.rt_table:
  self.rooter_response = rooter("srcroute_disable", self.rt_table, self.machine.ip)
  self._rooter_response_check()
 

diff --git a/lib/cuckoo/core/startup.py b/lib/cuckoo/core/startup.py
@@ -342,6 +342,7 @@ def init_rooter():
  raise CuckooStartupError(f"Unknown rooter error: {e}")
 
  rooter("cleanup_rooter")
+ rooter("cleanup_vrf", routing.routing.internet)
 
  # Do not forward any packets unless we have explicitly stated so.
  rooter("forward_drop")
@@ -424,12 +425,16 @@ def init_routing():
  f"The routing table that has been configured ({routing.routing.rt_table}) for dirty line interface is not available"
  )
 
- # Disable & enable NAT on this network interface. Disable it just
- # in case we still had the same rule from a previous run.
- rooter("disable_nat", routing.routing.internet)
- rooter("enable_nat", routing.routing.internet)
-
- # Populate routing table with entries from main routing table.
+ if routing.routing.nat:
+ # Disable & enable NAT on this network interface. Disable it just
+ # in case we still had the same rule from a previous run.
+ rooter("disable_nat", routing.routing.internet)
+ rooter("enable_nat", routing.routing.internet)
+ # Populate routing table with entries from main routing table.
+ else:
+ rooter("disable_nat", routing.routing.internet)
+ if routing.routing.no_local_routing:
+ rooter("init_vrf", routing.routing.rt_table, routing.routing.internet)
  if routing.routing.auto_rt:
  rooter("flush_rttable", routing.routing.rt_table)
  rooter("init_rttable", routing.routing.rt_table, routing.routing.internet)