This repository has been archived by the owner on Feb 7, 2024. It is now read-only.

mptcpd plugin that gives control to the user over which network MPTCP should be allowed

MPTCP-Lab/net_check_plugin

Network Check Plugin

The Network Check Plugin - net_check - is a plugin for the Multipath TCP Daemon - mptcpd - that blocks MPTCP through untrusted networks. It works by reading trusted networks from an allowlist or untrusted networks from a blocklist. It requires a patched version of mptcpd that adds configuration files for plugins, plugin notification of existing system network interfaces, and control over event flooding to plugins.

Building

To build net_check the following dependencies are required:

Bootstrapping

Assuming all build dependencies listed above are installed, bootstrapping net_check simply requires running the bootstrap script in the top-level source directory, e.g.:

$ ./bootstrap

Build Steps

These build steps are the same as the ones found in all Autotools-enabled software packages, i.e. running the configure script followed by make.

./configure
make

If configure returns an error about mptcpd not being found, set the environment variable PKG_CONFIG_PATH to /usr/local/lib/pkgconfig and run it again, e.g.:

$ PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure

Optionally, to use the system libstuncli, pass the --with-libstuncli option to configure, e.g.:

# to use system libstuncli
$ ./configure --with-libstuncli

Installation

NOTE: The install step must be run with sudo if the mptcpd plugin directory is owned by root.

Installing net_check on any Linux system just requires running:

make install

Configuration

The net_check plugin can be configured with a configuration file net_check.conf in the plugin configuration folder (default: /usr/local/etc/mptcpd/plugins.conf.d). The following gives an explanation of the possible options.

[core]

# a list of trusted networks; entries can be IPv4 or IPv6, with or without a mask
allowlist=10.0.16.0/20,10.0.3.20,fe80::0/64

# a list of untrusted networks; entries can be IPv4 or IPv6, with or without a mask
blocklist=10.0.24.0/24

# enables the use of STUN to get the public IPv4
[stun]

# STUN server to use
server=stun.l.google.com

# STUN server port to connect to
port=3478

At least one of allowlist or blocklist has to be defined, and if use-stun is set to true both stun-server and stun-port have to be set.
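
The list format above (comma-separated IPv4 or IPv6 entries, with or without a mask) can be matched against an address as in the following added example, which is not the plugin's own code. The names entry_matches and net_list_contains are hypothetical, and treating an entry without a mask as a single host is an assumption.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/* Match one entry ("10.0.16.0/20", "10.0.3.20", "fe80::0/64") against addr.
 * Assumption: an entry without a mask names a single host (/32 or /128).
 * The entry buffer is modified in place. */
static int entry_matches(char *entry, int af, const unsigned char *addr)
{
    unsigned char net[16];
    int max = (af == AF_INET) ? 32 : 128, bits = max;
    char *slash = strchr(entry, '/');

    if (slash) {
        char *end;
        *slash = '\0';
        long v = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || v < 0 || v > max)
            return 0;                      /* malformed or oversized mask */
        bits = (int)v;
    }
    if (inet_pton(af, entry, net) != 1)
        return 0;                          /* other family or malformed */

    int full = bits / 8, rem = bits % 8;
    if (memcmp(net, addr, (size_t)full) != 0)
        return 0;                          /* whole prefix bytes differ */
    if (rem == 0)
        return 1;
    unsigned char mask = (unsigned char)(0xff << (8 - rem));
    return (net[full] & mask) == (addr[full] & mask);
}

/* 1 if ip matches an entry of the comma-separated list, 0 if not,
 * -1 if ip is not a valid IPv4 or IPv6 address. */
int net_list_contains(const char *list, const char *ip)
{
    unsigned char addr[16];
    char entry[64];
    int af = strchr(ip, ':') ? AF_INET6 : AF_INET;

    if (inet_pton(af, ip, addr) != 1)
        return -1;
    for (const char *p = list; *p; p += (*p == ',')) {
        size_t n = strcspn(p, ",");        /* length of the next entry */
        if (n < sizeof entry) {
            memcpy(entry, p, n);
            entry[n] = '\0';
            if (entry_matches(entry, af, addr))
                return 1;
        }
        p += n;
    }
    return 0;
}
```

With the sample values above, 10.0.24.7 matches both the allowlist entry 10.0.16.0/20 and the blocklist entry 10.0.24.0/24; the page does not state which list takes precedence, so this example leaves that decision to the caller.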

Running

For the plugin to work properly, the existing flag must be set in notify-flags, e.g.:

$ mptcpd --notify-flags=existing

Since mptcpd, by default, loads plugins in alphabetical order, another plugin with the same priority may be loaded first and receive the event instead of this plugin. A workaround is to use the mptcpd --load-plugins option and put net_check first, followed by the other plugins to load, e.g.:

$ mptcpd --load-plugins=net_check,addr_adv,misc_plugin --notify-flags=existing
