Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

c) we're REALLY just dependent on openvpn configuring tun0
EXPORT_SYMBOL(ipt_do_table);
on Linux: the standard solution is iproute2/iproute
-/sbin/ip ~ 173K on FC5 iproute-2.6.15-1.2
-/sbin/tc ~ 216K, On WRT45G /usr/sbin/tc is 228.2k
from man iptables:
We have one classifier rule:
tc filter add dev eth3 parent 1:0 protocol ip fw
Earlier we had many rules just like below:
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK --set-mark 0x10502
iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK --set-mark 0x10503
Using IPMARK target we can replace all the mangle/mark rules with only one:
iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst --and-mask=0xffff --or-mask=0x10000
Best solution: just manipulate the kernel's routing table directly...
ipt_pfilter allows for bypass of rules around filter table
A selective higher priority bypass of the filter table with a higher priority table
Concept: walk the packet around the filter table
1. disable filter hook by replacing hook function registration with dummy (debug funcs)
2. re-enable the filter table. find the filter table by iterating over pfilter's packet_filter.list and searching for the name
3. call the table's rules directly after processing local pfilter table
forward pinhole over an openvpn or socat tun interface.
Create a virtual IP mapping VIP to pinhole mapping (does not need to be known to the end user)
e.g. 10.1.2.3
