Linux ip.Addr and ip.Link plugins

[gcmoreira]

This PR adds the linux.ip.Addr and linux.ip.Link plugins.

linux.ip.Addr:

• It displays information about all network interfaces including network namespace, interface index, interface name, mac address, promiscuous status, IPv4/IPv6 address, prefix, scope type and state.

Example output:

$ python3 ./vol.py -r pretty \
  -f ram-6.2.0-26 \
  linux.ip.Addr
Volatility 3 Framework 2.5.2
Formatting...0.00               Stacking attempts finished                 
  |      NetNS | Index | Interface |               MAC | Promiscuous |                       IP | Prefix | Scope Type |   State
* | 4026531840 |     1 |        lo | 00:00:00:00:00:00 |       False |                127.0.0.1 |      8 |       host | UNKNOWN
* | 4026531840 |     1 |        lo | 00:00:00:00:00:00 |       False |                      ::1 |    128 |       host | UNKNOWN
* | 4026531840 |     2 |     ens32 | 00:0c:29:7f:8b:ab |       False |           172.16.141.130 |     24 |     global |      UP
* | 4026531840 |     2 |     ens32 | 00:0c:29:7f:8b:ab |       False | fe80::20c:29ff:fe7f:8bab |     64 |       link |      UP
* | 4026531840 |     3 |     ens33 | 00:0c:29:7f:8b:b5 |       False |          192.168.249.129 |     24 |     global |      UP
* | 4026531840 |     3 |     ens33 | 00:0c:29:7f:8b:b5 |       False | fe80::20c:29ff:fe7f:8bb5 |     64 |       link |      UP

linux.ip.Link (by @eve-mem )

• It displays information about all network devices configuration including network namespace, interface name, mac address, state, MTU, Qdisc, Qlen and flags.

$ python3 ./vol.py -r pretty \
  -f ram-6.2.0-26 \
  linux.ip.Link
Volatility 3 Framework 2.5.2
Formatting...0.00               Stacking attempts finished                 
  |         NS | Interface |               MAC |   State |   MTU |    Qdisc | Qlen |                           Flags
* | 4026531840 |        lo | 00:00:00:00:00:00 | UNKNOWN | 65536 |  noqueue | 1000 |            LOOPBACK,LOWER_UP,UP
* | 4026531840 |     ens32 | 00:0c:29:7f:8b:ab |      UP |  1500 | fq_codel | 1000 | BROADCAST,LOWER_UP,MULTICAST,UP
* | 4026531840 |     ens33 | 00:0c:29:7f:8b:b5 |      UP |  1500 | fq_codel | 1000 | BROADCAST,LOWER_UP,MULTICAST,UP

Both plugins were tested with the following linux kernel versions:

• 2.6.32-74.142
• 3.10.0-862_el7
• 3.11.0-26
• 4.4.0-210
• 4.13.0-46
• 4.15.0-45
• 4.18.0-10
• 5.3.0-76
• 5.8.0-53
• 5.19.0-50
• 6.2.0-26

See the full test case suite output:
vol3_linux_ip_addr_output.txt

vol3_linux_ip_link_output.txt

[gcmoreira]

Hey @ikelos I'm aware of this #1029 excellent contribution from @eve. We've already discussed this, and we agreed to collaborate, combining our efforts into one.
I will borrow some part of his code, for instance, to display the interface state and use the address conversion from the vol3 helpers instead from the python socket module.
Regarding the plugin name, I like the @eve-mem idea of named it as the new linux commands ip address. That also allows to continue developing other plugins like 'ip link' (@eve-mem already have done that) and other future commands.
My only concern is that probably for users coming from vol2 they would like to see this as ifconfig. Any preference?

[eve-mem]

@gcmoreira - looks really cool, I need to look over it properly. I certainly like pulling out the prefix into it's own column compared with #1029 - that makes it easier to work with programmatically later.

+1 vote to renaming the plugins to linux.ip.addr etc to match the new linux commands. There are already a bunch of commands that were effectively renamed between vol2 and vol3 already.

[ikelos]

Generally looks good, just a couple of minor points to check please. 5:)

[ikelos]

I'd be happier if this were a get with a default value? Having said that, it's such a short function, perhaps it's not worth having at all (given it's private so can't be used by anyone else?)

[gcmoreira]

Default value and error managed.
I prefer to keep it as a function, even though it's short and private. This way, it serves the purpose of documenting what it does and increases the code's readability. I would let the language to implement the bytecode inline if needed.
Anyway, if you still think it should be inline, let me know, and I will change it.

[ikelos]

Should these be Enums rather than just a list of strings? If may potentially lead to typos?

[gcmoreira]

Done. This is used by value, so I don't think at the moment being an Enum offers any usability advantage. Although I reckon it may look better to Pythonic eyes ;)

[ikelos]

This also looks like it could be a python Enum?

[gcmoreira]

hm here changing this to an Enum makes the code a bit complicated... have a look at how it's used in _get_flag_choices() and _get_net_device_flag_value() to support both kernels <3.15 and >=3.15.

[gcmoreira]

Thanks @ikelos. I will have a look at this soon. I also plan to include the ip.link plugin from @eve-mem in this PR, that's why I marked it as a draft.

In the meantime, could you have a look at the black formatter checks? I'm confused, as far as I understand it's failing on files which are not from this PR

[eve-mem]

@gcmoreira - it looks nice to me. I'll run it against my collection of samples when I can. Can I help adding in ip.Link at all?

[ikelos]

It is, or was, github updated to black 24.1.0, so I went over the while codebase, but it doesn't seem to get that the merge *target* updated, so returning the task still results in the same output. 5:S. Basically if you add a new commit, it should do a proper refresh and either pass or show you how the new black failed it. Hard to tell if there's still something that needs doing, but just a trivial commit will help and I figured since it was in draft it would get added to... 5:)

…

On Mon, 29 Jan 2024, 00:55 gcmoreira, ***@***.***> wrote: Thanks @ikelos <https://github.com/ikelos>. I will have a look at this soon. I also plan to include the ip.link plugin from @eve-mem <https://github.com/eve-mem> in this PR, that's why I marked it as a draft. In the meantime, could you have a look at the black formatter checks? I'm confused, as far as I understand it's failing on files which are not from this PR — Reply to this email directly, view it on GitHub <#1079 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIZVIJNUJJARGODCOUILTYQ3XOXAVCNFSM6AAAAABBTT6DKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJTG44TEMRTG4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[gcmoreira]

It is, or was, github updated to black 24.1.0, so I went over the while codebase, but it doesn't seem to get that the merge target updated, so returning the task still results in the same output. 5:S. Basically if you add a new commit, it should do a proper refresh and either pass or show you how the new black failed it.

Yep, that did the trick, thanks

[gcmoreira]

@gcmoreira - it looks nice to me. I'll run it against my collection of samples when I can. Can I help adding in ip.Link at all?

@eve-mem sure, go ahead with that ;)

[gcmoreira]

@ikelos This is now ready for review. Added testcases for both plugins

[gcmoreira]

Hi @ikelos, this is still awaiting a review. Maybe @atcuno can have a look? 🙏