whitelist_mark doesn't pass frang rules #1949

Closed
krizhanovsky opened this issue Jul 25, 2023 · 1 comment · Fixed by #1994

krizhanovsky commented Jul 25, 2023

whitelist_mark 1; and iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.23 -j MARK --set-mark 1 still don't pass frang:

[ 4995.577824] [tempesta fw] Warning: frang: new connections rate exceeded for 192.168.1.23: 51 (lim=50)
[ 4995.579500] [tempesta fw] Warning: frang: new connections rate exceeded for 192.168.1.23: 52 (lim=50)
[ 4995.581117] [tempesta fw] Warning: frang: new connections rate exceeded for 192.168.1.23: 53 (lim=50)
[ 4995.582041] [tempesta fw] Warning: frang: new connections rate exceeded for 192.168.1.23: 54 (lim=50)
[ 4995.583662] [tempesta fw] Warning: frang: new connections rate exceeded for 192.168.1.23: 55 (lim=50)
[ 4995.585283] [tempesta fw] Warning: frang: new connections rate exceeded for 192.168.1.23: 56 (lim=50)
[ 4995.586903] [tempesta fw] Warning: frang: new connections rate exceeded for 192.168.1.23: 57 (lim=50)
[ 4995.588518] [tempesta fw] Warning: frang: new connections rate exceeded for 192.168.1.23: 58 (lim=50)

Tempesta config:

root@server:/tmp/tempesta/configs# cat /etc/tempesta/tempesta_fw.conf
listen 0.0.0.0:80;
whitelist_mark 1;
# INCLUDE VHOSTS
!include /tmp/tempesta/configs/vhosts
# ddos=True
frang_limits {
    # DDOS rate limits
    #ip_block on;
    request_rate 100;
    connection_rate 50;
    client_header_timeout 20;
    client_body_timeout 10;
    http_header_chunk_cnt 10;        # Message level limits (per-vhost)
    http_methods GET HEAD;
    http_uri_len 1000;
    http_resp_code_block 400 403 404 100 10;
}
block_action attack reply;
block_action error reply;

http_chain {
    # INCLUDE HTTP_CHAINS
    !include /tmp/tempesta/configs/http_chains
}

root@server:/tmp/tempesta/configs# cat vhosts/nb03.com.conf
# -------------------------------------------------------------------------
#	nb03.com
# -------------------------------------------------------------------------
srv_group nb03.com {
    server 1.1.1.1:80;
}
vhost nb03.com {
    resp_hdr_set Strict-Transport-Security "max-age=31536000; includeSubDomains";
    resp_hdr_set Content-Security-Policy "upgrade-insecure-requests";
    sticky {
        cookie enforce name=cname;
        js_challenge resp_code=503 delay_min=1000 delay_range=1500 delay_limit=100;
    }
    proxy_pass nb03.com;
}

root@server:/tmp/tempesta/configs# cat http_chains/nb03.com.conf
hdr "Host" == "*.nb03.com" -> nb03.com;

Tests are defined in #917
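As an added illustration (not Tempesta FW code), the following Python model shows what the report above describes: a per-client connection_rate check that ignores skb->mark blocks the 51st connection from a whitelisted client and emits the eight warnings shown, while the same check honouring whitelist_mark accepts all of them. The per-second bucket and all names (FrangModel, simulate) are this model's own simplification, not frang's real sliding-window implementation.

```python
from collections import defaultdict

CONNECTION_RATE = 50   # connection_rate 50;  (from the issue's frang_limits)
WHITELIST_MARKS = {1}  # whitelist_mark 1;


class FrangModel:
    """Toy per-client new-connection rate limiter.

    Simplification (not frang's real sliding window): connections are
    counted in one-second buckets keyed by (client IP, second).
    """

    def __init__(self, limit=CONNECTION_RATE, whitelist=WHITELIST_MARKS,
                 honour_mark=True):
        self.limit = limit
        self.whitelist = whitelist
        self.honour_mark = honour_mark   # False models the bug reported above
        self.counts = defaultdict(int)
        self.log = []                    # warnings in the kernel log's format

    def new_connection(self, ip, skb_mark, now):
        """Return True if the connection is accepted, False if frang blocks it."""
        # Fixed behaviour: a packet carrying a whitelisted skb->mark (set by the
        # iptables MARK target) bypasses the rate limit entirely.
        if self.honour_mark and skb_mark in self.whitelist:
            return True
        key = (ip, int(now))
        self.counts[key] += 1
        n = self.counts[key]
        if n > self.limit:
            self.log.append("[tempesta fw] Warning: frang: new connections rate "
                            f"exceeded for {ip}: {n} (lim={self.limit})")
            return False
        return True


def simulate(honour_mark, skb_mark=1, attempts=58, ip="192.168.1.23"):
    """Open `attempts` connections within one second; return (accepted, warnings)."""
    frang = FrangModel(honour_mark=honour_mark)
    # Constructed timestamps ~1.6 ms apart, matching the spacing of the log above.
    accepted = sum(frang.new_connection(ip, skb_mark, 4995.5 + i * 0.0016)
                   for i in range(attempts))
    return accepted, frang.log


if __name__ == "__main__":
    for honour in (False, True):
        accepted, warnings = simulate(honour_mark=honour)
        print(f"honour skb->mark={honour}: accepted {accepted}/58, "
              f"{len(warnings)} warnings")
        print("\n".join(warnings[:2]))
```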

@mbabitski-t

Test is implemented in t_frang.test_whitelist_mark.FrangWhitelistMarkTestCase.test_whitelisted_frang_connection_rate with tcp_connection_rate directive (renamed).

@EvgeniiMekhanik EvgeniiMekhanik self-assigned this Oct 27, 2023
EvgeniiMekhanik added a commit that referenced this issue Oct 30, 2023
We need `skb->mark` to check if we can create a new
connection or not in frang module.

Closes #1949
EvgeniiMekhanik added a commit that referenced this issue Oct 31, 2023
EvgeniiMekhanik added a commit that referenced this issue Oct 31, 2023
EvgeniiMekhanik added a commit that referenced this issue Oct 31, 2023
EvgeniiMekhanik added a commit that referenced this issue Nov 7, 2023
EvgeniiMekhanik added a commit that referenced this issue Nov 14, 2023
EvgeniiMekhanik added a commit that referenced this issue Nov 14, 2023