jsimonetti/sniqueue

Getting Parse error: insufficient bytes to unmarshal QUIC

koraybilgi opened this issue · 5 comments

Hi,

For all forwarded QUIC packets, I'm getting the "Parse error: insufficient bytes to unmarshal QUIC" error.
Any idea what it could be or what to do to debug the problem?

Thanks.

PCAP file:
sniqueue.ipv4.pcap.zip

System:

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04 LTS
Release:        22.04
Codename:       jammy

uname -a
Linux homedevice 5.16.17-sun50iw9 #3.0.6 SMP Tue Aug 9 13:51:16 CST 2022 aarch64 aarch64 aarch64 GNU/Linux

Nftables config:

flush ruleset

table inet filter {
	flowtable f {
		hook ingress priority 0;
	}

	chain input {
		type filter hook input priority filter; policy accept;
	}

	chain sniqueue {
		type filter hook forward priority -2; policy accept;

		ct mark 101 accept comment "Accept known good SNI not yet offloaded"
		tcp dport 443 ct mark 100 reject with tcp reset comment "Reject known bad TCP SNI"
		udp dport 443 ct mark 100 reject with icmp type port-unreachable comment "Reject known bad QUIC SNI"
		tcp dport 443 ct mark set 102 comment "Mark all unjudged packets"
		udp dport 443 ct mark set 102 comment "Mark all unjudged packets"
		meta mark set ct mark
		tcp dport 443 ct original packets <20 queue num 100 bypass
		udp dport 443 ct original packets <20 queue num 100 bypass
	}

	chain sniqueue_block {
		type filter hook forward priority -1; policy accept;
		ct mark set meta mark
		ct mark 102 accept comment "Accept packets without verdict"
		tcp dport 443 ct mark 100 reject with tcp reset comment "Reject known bad TCP"
		udp dport 443 ct mark 100 reject with icmp type port-unreachable comment "Reject known bad QUIC"
		ct mark 101 flow offload @f comment "Offload known good SNI"
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ct mark != 102 flow offload @f comment "Offload packets not sent to SNIqueue"
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		ct state new,related,established counter packets 91 bytes 6939 masquerade
	}
}

I'll have to look into this more closely. I have not had problems with QUIC myself. This could take some time.
In the meantime, if you really want to block access, you can deny outgoing access to UDP 443.

Thank you, I'd really appreciate that. I blocked UDP 443 when I ran into the issue, and it seemed to cause a slight slowdown in apps that use QUIC.

Hi, I managed to track down your issue, largely thanks to your packet capture.
This is due to the QUIC version used by the server being Facebook mvfst (draft-27), 0xfaceb002.

Unfortunately this draft version is not supported by the library I use (go-quic).
This sadly means I cannot fix this error. I did add some tests to catch this in the latest version.

Hi,

Turns out it was as easy as finding the correct salt to use for decryption. This QUIC version is now supported by sniqueue.
Are you able to test PR #27 and see if that fixes your issue?

Should you need any help, please ask!
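For readers wondering what "finding the correct salt" involves, here is an added example written for this page; it is not sniqueue's or quic-go's code. It parses the version-independent QUIC long header (first byte, version, DCID, SCID), looks up the Initial salt for the wire version, and derives the client Initial packet-protection keys the way RFC 9001 section 5.2 describes. The v1 salt comes from RFC 9001 and the draft salts from the matching quic-tls drafts; mapping 0xfaceb002 to the draft-27 salt is an assumption taken from the comment above, not from mvfst documentation. The function names, the `ErrShort` error and the sample packet bytes are mine; the sample reuses the DCID from RFC 9001 Appendix A so the output can be checked against the RFC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// mustHex decodes a hex constant and panics on a typo, so a bad salt fails at startup.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Initial salts keyed by wire version. v1 is from RFC 9001, the drafts from the
// matching quic-tls drafts. Mapping mvfst's 0xfaceb002 to the draft-27 salt is an
// ASSUMPTION based on the comment above, not on mvfst's own documentation.
var initialSalts = map[uint32][]byte{
	0x00000001: mustHex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a"), // QUIC v1 (RFC 9001)
	0xff00001d: mustHex("afbfec289993d24c9e9786f19c6111e04390a899"), // draft-29
	0xff00001b: mustHex("c3eef712c72ebb5a11a7d2432bb46365bef9f502"), // draft-27
	0xfaceb002: mustHex("c3eef712c72ebb5a11a7d2432bb46365bef9f502"), // mvfst, assumed draft-27 keys
}

// ErrShort is the failure class from the issue: the packet ended before the
// header fields we need were all present.
var ErrShort = errors.New("insufficient bytes to unmarshal QUIC long header")

// LongHeader is the version-independent part of a QUIC long header (RFC 8999).
type LongHeader struct {
	Version    uint32
	DCID, SCID []byte
}

// ParseLongHeader bounds-checks before every read, so a truncated packet
// returns ErrShort instead of panicking on a slice out of range.
func ParseLongHeader(p []byte) (*LongHeader, error) {
	if len(p) < 5 {
		return nil, ErrShort
	}
	if p[0]&0x80 == 0 {
		return nil, errors.New("not a long-header packet")
	}
	h := &LongHeader{Version: binary.BigEndian.Uint32(p[1:5])}
	off := 5
	readCID := func() ([]byte, error) { // one-byte length prefix, then the CID
		if off >= len(p) {
			return nil, ErrShort
		}
		n := int(p[off])
		off++
		if off+n > len(p) {
			return nil, ErrShort
		}
		cid := append([]byte(nil), p[off:off+n]...)
		off += n
		return cid, nil
	}
	var err error
	if h.DCID, err = readCID(); err != nil {
		return nil, err
	}
	if h.SCID, err = readCID(); err != nil {
		return nil, err
	}
	return h, nil
}

// hkdfExtract and hkdfExpand are RFC 5869 with SHA-256, written out so the
// block has no dependency outside the standard library.
func hkdfExtract(salt, ikm []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

func hkdfExpand(prk, info []byte, n int) []byte {
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// hkdfExpandLabel is TLS 1.3's HKDF-Expand-Label (RFC 8446 7.1) with an empty context.
func hkdfExpandLabel(secret []byte, label string, n int) []byte {
	full := "tls13 " + label
	info := append([]byte{byte(n >> 8), byte(n), byte(len(full))}, full...)
	return hkdfExpand(secret, append(info, 0), n)
}

// InitialKeys holds the client-side Initial packet protection keys.
type InitialKeys struct{ Key, IV, HP []byte }

// ClientInitialKeys derives key, IV and header-protection key from the version's
// salt and the client's Destination Connection ID (RFC 9001 5.2). A version with
// no known salt cannot be decrypted, which is the situation this issue hit.
func ClientInitialKeys(version uint32, dcid []byte) (*InitialKeys, error) {
	salt, ok := initialSalts[version]
	if !ok {
		return nil, fmt.Errorf("QUIC version 0x%08x: no Initial salt known", version)
	}
	client := hkdfExpandLabel(hkdfExtract(salt, dcid), "client in", 32)
	return &InitialKeys{
		Key: hkdfExpandLabel(client, "quic key", 16),
		IV:  hkdfExpandLabel(client, "quic iv", 12),
		HP:  hkdfExpandLabel(client, "quic hp", 16),
	}, nil
}

// SampleInitial is a CONSTRUCTED v1 Initial header prefix: Initial first byte,
// version 1, 8-byte DCID from RFC 9001 Appendix A, zero-length SCID.
func SampleInitial() []byte {
	pkt := append([]byte{0xc3, 0x00, 0x00, 0x00, 0x01, 0x08}, mustHex("8394c8f03e515708")...)
	return append(pkt, 0x00)
}

func main() {
	h, err := ParseLongHeader(SampleInitial())
	if err != nil {
		panic(err)
	}
	k, err := ClientInitialKeys(h.Version, h.DCID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version=0x%08x dcid=%x\nkey=%x\niv=%x\nhp=%x\n", h.Version, h.DCID, k.Key, k.IV, k.HP)
	_, err = ParseLongHeader(SampleInitial()[:7]) // cut off inside the DCID
	fmt.Println("truncated:", err)
}
```

Two things the block makes concrete. The truncation branch is what an "insufficient bytes" error corresponds to at the parser level: every length-prefixed field is checked against what is left of the packet, and a capture of only a partial datagram hits it deterministically. The salt lookup is the other failure mode from this thread: a parser can read the version of any long-header packet, but it can only strip Initial protection and reach the ClientHello (and the SNI) if it knows the salt that version was issued with, which is why adding a version is mostly a matter of adding its salt.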

Hi @jsimonetti, it's working perfectly fine right now. Thank you very much for taking the time to implement it.