Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
6. (U) Limitations
(S//NF) The kernel modules will only work with compatible Linux kernels. It is possible
that a particular target’s kernel will be a different version, or be built with a configuration
that causes module loading to fail. In that case, it is likely that a new module could be
built for that configuration. If requesting support for a new version or configuration,
please include the output of the “uname -a” command.
(S//NF) In the context of the “dpxvke8h18” table, the DROP target means that packet
processing continues (to the “nat” table, and then the “filter” table). The ACCEPT target
means that packet processing stops for the PREROUTING chain. For this reason, the
default policy is DROP for this table. Do *NOT* change the default policy, or add
rules that don’t have DNAT as the target, without consulting the developer.
(S//NF) As with normal NAT rules, traffic may be affected by other iptables rules. For
example, if the traffic requires forwarding, and a rule or policy in the FORWARD chain
blocks the traffic, it will not be forwarded. Similarly, IP forwarding must be enabled. To
check, look at “/proc/sys/net/ipv4/ip_forward”:
TARG# cat /proc/sys/net/ipv4/ip_forward
0
(S//NF) A value of “1” indicates that forwarding is enabled. To enable forwarding,
“echo” can be used:
TARG# echo "1" > /proc/sys/net/ipv4/ip_forward
(S//NF) As mentioned in the Installation section, the target must have a “nat” table.
(S//NF) Because the kernel module is not present in the target’s “modules.dep” file, the
“modprobe” command cannot be used to remove the module. Instead, the “rmmod”
command must be used.
(S//NF) If the target’s iptables service is stopped or restarted, the kernel module will enter
a “dormant” state. The module will remain loaded and appear in the output of the
“lsmod” command, but the hidden table will no longer be present. To re-enable the
hidden table, uninstall the module using the “rmmod” command, then reinstall the
module using the “insmod” command.
(S//NF) IPv6 is not supported.
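
For defenders, two of the limitations above double as host-level indicators: a module that appears in "lsmod" but has no entry in "modules.dep", and an iptables table outside the stock set. The script below is an added example, not part of the manual; the sample files and the module name example_unlisted_mod are constructed, and it assumes the extra table is listed in /proc/net/ip_tables_names.

```shell
#!/bin/sh
# Added defensive example, not from the manual. Sample data below is constructed.

# Print loaded modules that have no entry in modules.dep.
# $1: /proc/modules-format listing   $2: modules.dep
unlisted_modules() {
    awk '
        FILENAME == ARGV[1] {             # pass 1: index modules.dep
            n = split($1, parts, "/"); name = parts[n]
            sub(/:$/, "", name)
            sub(/\.ko(\.(gz|xz|zst))?$/, "", name)
            gsub(/-/, "_", name)          # the kernel reports "-" as "_"
            known[name] = 1; next
        }
        { if (!($1 in known)) print $1 }  # pass 2: loaded modules
    ' "$2" "$1"
}

# Print registered iptables tables outside the stock set.
# $1: /proc/net/ip_tables_names-format file (one table name per line).
# Assumption: the extra table is listed in that file.
unexpected_tables() {
    grep -v -x -E 'filter|nat|mangle|raw|security' "$1" || true
}

# Constructed sample inputs; on a live host pass /proc/modules,
# /lib/modules/$(uname -r)/modules.dep and /proc/net/ip_tables_names.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/modules.dep" <<'EOF'
kernel/net/ipv4/netfilter/ip_tables.ko.xz: kernel/net/netfilter/x_tables.ko.xz
kernel/net/netfilter/x_tables.ko.xz:
kernel/sound/pci/hda/snd-hda-intel.ko:
EOF
cat > "$tmp/proc_modules" <<'EOF'
ip_tables 32768 2 - Live 0x0000000000000000
x_tables 53248 1 ip_tables, Live 0x0000000000000000
snd_hda_intel 57344 0 - Live 0x0000000000000000
example_unlisted_mod 16384 0 - Live 0x0000000000000000 (OE)
EOF
printf '%s\n' nat filter dpxvke8h18 > "$tmp/tables"

echo "modules missing from modules.dep:"
unlisted_modules "$tmp/proc_modules" "$tmp/modules.dep"
echo "non-stock tables:"
unexpected_tables "$tmp/tables"
```

Modules loaded with "insmod" from legitimate out-of-tree builds are also absent from "modules.dep", so a hit is a lead to investigate rather than a verdict.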