Linux ip.Addr and ip.Link plugins

[gcmoreira]

This PR adds the linux.ip.Addr and linux.ip.Link plugins.

linux.ip.Addr:

• It displays information about all network interfaces including network namespace, interface index, interface name, mac address, promiscuous status, IPv4/IPv6 address, prefix, scope type and state.

Example output:

$ python3 ./vol.py -r pretty \
  -f ram-6.2.0-26 \
  linux.ip.Addr
Volatility 3 Framework 2.5.2
Formatting...0.00               Stacking attempts finished                 
  |      NetNS | Index | Interface |               MAC | Promiscuous |                       IP | Prefix | Scope Type |   State
* | 4026531840 |     1 |        lo | 00:00:00:00:00:00 |       False |                127.0.0.1 |      8 |       host | UNKNOWN
* | 4026531840 |     1 |        lo | 00:00:00:00:00:00 |       False |                      ::1 |    128 |       host | UNKNOWN
* | 4026531840 |     2 |     ens32 | 00:0c:29:7f:8b:ab |       False |           172.16.141.130 |     24 |     global |      UP
* | 4026531840 |     2 |     ens32 | 00:0c:29:7f:8b:ab |       False | fe80::20c:29ff:fe7f:8bab |     64 |       link |      UP
* | 4026531840 |     3 |     ens33 | 00:0c:29:7f:8b:b5 |       False |          192.168.249.129 |     24 |     global |      UP
* | 4026531840 |     3 |     ens33 | 00:0c:29:7f:8b:b5 |       False | fe80::20c:29ff:fe7f:8bb5 |     64 |       link |      UP

linux.ip.Link (by @eve-mem )

• It displays information about all network devices configuration including network namespace, interface name, mac address, state, MTU, Qdisc, Qlen and flags.

$ python3 ./vol.py -r pretty \
  -f ram-6.2.0-26 \
  linux.ip.Link
Volatility 3 Framework 2.5.2
Formatting...0.00               Stacking attempts finished                 
  |         NS | Interface |               MAC |   State |   MTU |    Qdisc | Qlen |                           Flags
* | 4026531840 |        lo | 00:00:00:00:00:00 | UNKNOWN | 65536 |  noqueue | 1000 |            LOOPBACK,LOWER_UP,UP
* | 4026531840 |     ens32 | 00:0c:29:7f:8b:ab |      UP |  1500 | fq_codel | 1000 | BROADCAST,LOWER_UP,MULTICAST,UP
* | 4026531840 |     ens33 | 00:0c:29:7f:8b:b5 |      UP |  1500 | fq_codel | 1000 | BROADCAST,LOWER_UP,MULTICAST,UP

Both plugins were tested with the following linux kernel versions:

• 2.6.32-74.142
• 3.10.0-862_el7
• 3.11.0-26
• 4.4.0-210
• 4.13.0-46
• 4.15.0-45
• 4.18.0-10
• 5.3.0-76
• 5.8.0-53
• 5.19.0-50
• 6.2.0-26

See the full test case suite output:
vol3_linux_ip_addr_output.txt

vol3_linux_ip_link_output.txt

[gcmoreira]

Hey @ikelos I'm aware of this #1029 excellent contribution from @eve. We've already discussed this, and we agreed to collaborate, combining our efforts into one.
I will borrow some part of his code, for instance, to display the interface state and use the address conversion from the vol3 helpers instead from the python socket module.
Regarding the plugin name, I like the @eve-mem idea of named it as the new linux commands ip address. That also allows to continue developing other plugins like 'ip link' (@eve-mem already have done that) and other future commands.
My only concern is that probably for users coming from vol2 they would like to see this as ifconfig. Any preference?

[eve-mem]

@gcmoreira - looks really cool, I need to look over it properly. I certainly like pulling out the prefix into it's own column compared with #1029 - that makes it easier to work with programmatically later.

+1 vote to renaming the plugins to linux.ip.addr etc to match the new linux commands. There are already a bunch of commands that were effectively renamed between vol2 and vol3 already.

[ikelos]

Generally looks good, just a couple of minor points to check please. 5:)

[ikelos]

This also looks like it could be a python Enum?

[gcmoreira]

hm here changing this to an Enum makes the code a bit complicated... have a look at how it's used in _get_flag_choices() and _get_net_device_flag_value() to support both kernels <3.15 and >=3.15.

[gcmoreira]

Thanks @ikelos. I will have a look at this soon. I also plan to include the ip.link plugin from @eve-mem in this PR, that's why I marked it as a draft.

In the meantime, could you have a look at the black formatter checks? I'm confused, as far as I understand it's failing on files which are not from this PR

[eve-mem]

@gcmoreira - it looks nice to me. I'll run it against my collection of samples when I can. Can I help adding in ip.Link at all?

[ikelos]

It is, or was, github updated to black 24.1.0, so I went over the while codebase, but it doesn't seem to get that the merge *target* updated, so returning the task still results in the same output. 5:S. Basically if you add a new commit, it should do a proper refresh and either pass or show you how the new black failed it. Hard to tell if there's still something that needs doing, but just a trivial commit will help and I figured since it was in draft it would get added to... 5:)

…

On Mon, 29 Jan 2024, 00:55 gcmoreira, ***@***.***> wrote: Thanks @ikelos <https://github.com/ikelos>. I will have a look at this soon. I also plan to include the ip.link plugin from @eve-mem <https://github.com/eve-mem> in this PR, that's why I marked it as a draft. In the meantime, could you have a look at the black formatter checks? I'm confused, as far as I understand it's failing on files which are not from this PR — Reply to this email directly, view it on GitHub <#1079 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIZVIJNUJJARGODCOUILTYQ3XOXAVCNFSM6AAAAABBTT6DKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJTG44TEMRTG4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[gcmoreira]

It is, or was, github updated to black 24.1.0, so I went over the while codebase, but it doesn't seem to get that the merge target updated, so returning the task still results in the same output. 5:S. Basically if you add a new commit, it should do a proper refresh and either pass or show you how the new black failed it.

Yep, that did the trick, thanks

[gcmoreira]

@gcmoreira - it looks nice to me. I'll run it against my collection of samples when I can. Can I help adding in ip.Link at all?

@eve-mem sure, go ahead with that ;)

[gcmoreira]

@ikelos This is now ready for review. Added testcases for both plugins

[gcmoreira]

Hi @ikelos, this is still awaiting a review. Maybe @atcuno can have a look? 🙏

[eve-mem]

Looks like there are some merge conflicts with this now.

[ikelos]

@gcmoreira could you or @atcuno resolve the merge conflicts and @atcuno could you please get this reviewed, given it's marked for the parity release?

[ikelos]

Also, since this wants to make a lot of changes to the LinuxUtilities class, could we try splitting it out into a utilities class, similar to the tracing stuff (#1564), so that it can be individually versioned...

[ikelos]

Ok, this one I can't fix with a suggestion, it's too far away in the code, just needs import enum (or reverting my module name changes, and from enum import Enum, IntEnum, Flags). Sorry @gcmoreira, I tried!