mitmproxy_rs icon indicating copy to clipboard operation
mitmproxy_rs copied to clipboard
verified publisher icon mitmproxy

Exclude multicast and broadcast on WinDivert's filter

Open Osherz5 opened this issue 1 year ago • 2 comments

This change is proposed in order to deal with DHCP issues, where the entire machine loses connectivity after a while with mitmproxy running (see https://github.com/mitmproxy/mitmproxy/issues/6902)

Osherz5 avatar Jun 17 '24 19:06 Osherz5

I noticed the filter doesn't work with "!(...)" type of exclusions for some reason, I used the following equivalent instead:

!loopback && (remoteAddr < 224.0.0.0 && remoteAddr < ff00::) && (tcp || udp)

I didn't get to test it with IPv6 yet due to time constraints, but might try to look into it soon

It's a bit hard to debug since we're lacking the redirector's output (https://github.com/mitmproxy/mitmproxy/issues/6970)

In addition I've encountered two other connectivity issues where SMB does not work (I tried excluding TCP port 445 and it worked partially), and also encountered some DNS issues (when redirector was running on Windows Server which acted as a DNS server). I'm not sure if it's relevant to this PR , but worth looking into...

Osherz5 avatar Jul 16 '24 13:07 Osherz5

Thanks! 🍰

(remoteAddr < 224.0.0.0 && remoteAddr < ff00::)

I think this will fail for IPv6 because remoteAddr < 224.0.0.0 is not satisfied.

FWIW you can get the redirector output if you compile in debug mode (maturin develop). In that case a console window should open. But I agree it's something we need to improve.

mhils avatar Jul 16 '24 13:07 mhils

Hi, I've been looking at this merge request and I believe the following should work to address the latest comment re IPv6:

!loopback && ((ip && remoteAddr < 224.0.0.0) || (ip6 && remoteAddr < ff00::)) && (tcp || udp)

I have tested this enough to know that mitmproxy in local redirect mode accepts that filter and works for ignoring DHCP traffic. It also does not blanket ignore all IPv6 traffic. I have not been able to test DHCPv6 because the only IPv6 I have available to me relies on SLAAC which just uses ICMP and isn't diverted

niconorsk avatar Nov 06 '24 02:11 niconorsk

Hey thanks for looking into it! I updated the filter with the ipv6 multicast exclusion, and also reverted the change on the socket operation filters back to "tpc || udp" which was enough to begin with.

Osherz5 avatar Nov 06 '24 06:11 Osherz5

Hey, I thought it would be caught in the tests but just realized the syntax should be 'ipv6 && ...' and not 'ip6 && ...' , should I open a new PR for fixing it?

Osherz5 avatar Nov 07 '24 06:11 Osherz5

Here it is, sorry for the mess https://github.com/mitmproxy/mitmproxy_rs/pull/193

Osherz5 avatar Nov 07 '24 07:11 Osherz5

No worries at all, thanks for double-checking! Our mitmproxy_rs CI isn't great. In the best case this would have shown up in mitmproxy's CI, at which point fixing would have already been annoying. So glad you caught it early. :)

mhils avatar Nov 07 '24 18:11 mhils