The Network Check Plugin (`net_check`) is a plugin for the Multipath TCP Daemon (`mptcpd`) that blocks MPTCP through untrusted networks. It works by reading trusted networks from an allowlist or untrusted networks from a blocklist. It requires a patched version of `mptcpd` that adds configuration files for plugins, plugin notification of existing system network interfaces and control over event flooding to plugins.
To build `net_check` the following dependencies are required:

- Build dependencies
  - C compiler (C99 compliant)
  - GNU Autoconf
  - GNU Automake
  - GNU Libtool
  - GNU Autoconf Archive
  - pkg-config
  - Pandoc >= 2.2.1 (needed to convert `README.md` contents from the GitHub markdown format to plain text)
- Run and build dependencies
  - Patched mptcpd
  - Linux kernel NetFilter user API headers
  - Embedded Linux Library >= v0.30
  - Library Minimalistic NetLink
  - libnftnl
  - libnetfilter_queue
  - libstuncli (optional)
Assuming all build dependencies listed above are installed, bootstrapping `net_check` simply requires running the `bootstrap` script in the top-level source directory, e.g.:

```
$ ./bootstrap
```
The build steps are the same as the ones found in all Autotools-enabled software packages, i.e. running `configure` followed by `make`:

```
./configure
make
```
If `configure` returns an error about `mptcpd` not being found, set the environment variable `PKG_CONFIG_PATH` to `/usr/local/lib/pkgconfig` and run it again, e.g.:

```
$ PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure
```
Optionally, if it is desired to use the system `libstuncli`, pass the `--with-libstuncli` option to `configure`, e.g.:

```
# to use system libstuncli
$ ./configure --with-libstuncli
```
NOTE: Installing `net_check` requires running the install step with `sudo` if the `mptcpd` plugin directory is owned by `root`.

Installing `net_check` on any Linux system just requires running:

```
make install
```
The `net_check` plugin can be configured with a configuration file `net_check.conf` in the plugin configuration folder (default: `/usr/local/etc/mptcpd/plugins.conf.d`). The following gives an explanation of the possible options.

```
[core]
# a list of trusted networks, it can contain IPv4 or IPv6 and with or without mask
allowlist=10.0.16.0/20,10.0.3.20,fe80::0/64
# a list of untrusted networks, it can contain IPv4 or IPv6 and with or without mask
blocklist=10.0.24.0/24
# enables the use of STUN to get the public IPv4
[stun]
# Stun server to use
server=stun.l.google.com
# Stun server port to connect
port=3478
```
At least one of `allowlist` or `blocklist` has to be defined, and if `use-stun` is set to `true`, both `stun-server` and `stun-port` have to be set.
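The list syntax above (IPv4 or IPv6, with or without a mask) is easy to get subtly wrong, and the sample values themselves overlap: the blocklisted `10.0.24.0/24` lies inside the allowlisted `10.0.16.0/20`, so the order in which the two lists are consulted decides the outcome. The following C program is an added example, not code from `net_check` or `mptcpd`: it parses both list values with `inet_pton`, does a prefix match per address family, and classifies an interface address. The `net_entry` type, `classify_address` and the precedence rule it applies (a blocklist match wins; an allowlist, once defined, makes everything unlisted untrusted) are assumptions made for illustration, not the plugin's documented behaviour.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed entry of an allowlist/blocklist value (hypothetical type, not net_check's own). */
struct net_entry {
    int family;             /* AF_INET or AF_INET6 */
    unsigned char addr[16]; /* network address bytes (first 4 used for IPv4) */
    int prefix;             /* prefix length in bits */
};

/* Parse "10.0.16.0/20", "10.0.3.20" or "fe80::0/64"; a missing mask means a single host. */
static bool parse_network(const char *text, struct net_entry *out)
{
    char buf[64];
    size_t len = strlen(text);
    if (len == 0 || len >= sizeof buf) return false;
    memcpy(buf, text, len + 1);
    int prefix = -1;                     /* -1: no mask given */
    char *slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        long p = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || p < 0) return false;
        prefix = (int)p;
    }
    if (inet_pton(AF_INET, buf, out->addr) == 1) {
        if (prefix > 32) return false;
        out->family = AF_INET;
        out->prefix = prefix < 0 ? 32 : prefix;
        return true;
    }
    if (inet_pton(AF_INET6, buf, out->addr) == 1) {
        if (prefix > 128) return false;
        out->family = AF_INET6;
        out->prefix = prefix < 0 ? 128 : prefix;
        return true;
    }
    return false;                        /* neither a valid IPv4 nor IPv6 address */
}

/* True if `addr` (of address family `family`) lies inside network `net`. */
static bool address_in_network(const struct net_entry *net, int family, const unsigned char *addr)
{
    if (net->family != family) return false;
    int full = net->prefix / 8, rem = net->prefix % 8;
    if (memcmp(net->addr, addr, (size_t)full) != 0) return false;
    if (rem == 0) return true;
    unsigned char mask = (unsigned char)(0xFF << (8 - rem)); /* leading `rem` bits of the next byte */
    return (net->addr[full] & mask) == (addr[full] & mask);
}

/* Split a comma-separated list value into entries; returns the count, or -1 on a bad entry. */
static int parse_list(const char *list, struct net_entry *out, int max)
{
    char buf[512];
    if (list == NULL || *list == '\0') return 0;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    int n = 0;
    char *save = NULL;
    for (char *tok = strtok_r(buf, ",", &save); tok != NULL; tok = strtok_r(NULL, ",", &save)) {
        while (*tok == ' ') tok++;       /* tolerate "a, b" spacing */
        if (n >= max || !parse_network(tok, &out[n])) return -1;
        n++;
    }
    return n;
}

/* Classify one interface address: 1 = trusted, 0 = untrusted, -1 = bad input or no list defined.
 * Assumed policy (not taken from the plugin): a blocklist match always wins; with only a
 * blocklist everything else is trusted; once an allowlist exists, only listed networks are. */
int classify_address(const char *allowlist, const char *blocklist, const char *address)
{
    struct net_entry allow[32], block[32];
    int na = parse_list(allowlist, allow, 32);
    int nb = parse_list(blocklist, block, 32);
    if (na < 0 || nb < 0 || (na == 0 && nb == 0)) return -1;
    unsigned char addr[16];
    int family;
    if (inet_pton(AF_INET, address, addr) == 1) family = AF_INET;
    else if (inet_pton(AF_INET6, address, addr) == 1) family = AF_INET6;
    else return -1;
    for (int i = 0; i < nb; i++)
        if (address_in_network(&block[i], family, addr)) return 0;
    if (na == 0) return 1;
    for (int i = 0; i < na; i++)
        if (address_in_network(&allow[i], family, addr)) return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample using the README's own allowlist/blocklist values. */
    const char *allow = "10.0.16.0/20,10.0.3.20,fe80::0/64", *block = "10.0.24.0/24";
    const char *probes[] = { "10.0.17.5", "10.0.24.9", "10.0.3.21", "fe80::1", "2001:db8::1" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-12s -> %d\n", probes[i], classify_address(allow, block, probes[i]));
    return 0;
}
```

With the sample values, `10.0.17.5` is trusted, `10.0.24.9` is untrusted because the more specific blocklist entry is checked first, and `10.0.3.21` is untrusted because the allowlist only names the host `10.0.3.20`. A prefix larger than the family allows (`/33` for IPv4) is rejected at parse time rather than silently truncated, which is the failure mode worth guarding against when lists are edited by hand.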
For the plugin to work properly it is necessary that the `existing` notify flag is active, e.g.:

```
$ mptcpd --notify-flags=existing
```
Since `mptcpd`, by default, loads the plugins in alphabetical order, it can happen that another plugin with the same priority is loaded first and receives the event instead of this plugin. A workaround is to use the `mptcpd` `--load-plugins` option and put `net_check` as the first plugin, followed by the other plugins to load, e.g.:

```
$ mptcpd --load-plugins=net_check,addr_adv,misc_plugin --notify-flags=existing
```