conntrack-tools i.e. conntrack and conntrackd (mirror of https://github.com/vyos/conntrack-tools.git) https://git.amelek.net/vyos/conntrack-tools.git/atom?h=upstream 2015-05-21T12:48:47+00:00 2015-05-21T12:48:47+00:00 Felix Janda felix.janda@posteo.de 2015-05-16T10:05:33+00:00 urn:sha1:fe1f2d58add1e56e651c43de8cd60db8123d49bb The source uses linux names for members of tcphdr. For example "source" instead of "th_sport", ... musl libc's headers need _GNU_SOURCE defined in order to expose these. Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-05-21T12:46:53+00:00 Felix Janda felix.janda@posteo.de 2015-05-16T09:38:53+00:00 urn:sha1:1c637fe7ea8a70a77273366d24e221b0d3d64702 Signed-off-by: Felix Janda <felix.janda@posteo.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-03-12T12:34:57+00:00 Ash Hughes ashley.hughes@blueyonder.co.uk 2014-03-08T21:13:34+00:00 urn:sha1:92246dcc1fdcf222302a42926e0e95af2c30463e Here is a patch which adds a userspace conntrack helper for the SSDP protocol. This is based on the code found at: http://marc.info/?t=132945775100001&r=1&w=2 I'm not sure how to get my laptop to play at IPv6, so I've not tested this part, but I've tested the IPv4 section and it works. Signed-off-by: Ash Hughes <ashley.hughes@blueyonder.co.uk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-07T13:34:14+00:00 Pablo Neira Ayuso pablo@soleta.eu 2013-10-07T12:41:20+00:00 urn:sha1:808a25129605c9e7de9f86fb8d5a5ed3310edd43 This patch adds a userspace port of the amanda helper that is currently implemented in the kernel. Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu> 2013-10-03T08:51:03+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-10-02T17:21:01+00:00 urn:sha1:ea753a152cbf3a2658b5ec5bacfb738c13a4c476 This patch adds an userspace port of the TFTP helper that is currently implemented in the kernel. This includes NAT support. It requires a Linux kernel 3.12. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-03T08:43:30+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-10-03T07:49:25+00:00 urn:sha1:9b99aa2980574f4d3bf26145a1bf8bd69d34e764 This patch adds an userspace port of the SANE helper that is currently implemented in the kernel. This requires Linux kernel 3.12 to work. 2013-09-26T16:52:26+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-08-06T12:21:04+00:00 urn:sha1:36118bfc4901b0978d2c8f17912fe91ec66f35e8 This patch adds support for the DHCPv6 helper. 1) nfct helper add dhcpv6 inet6 udp 2) ip6tables -I OUTPUT -t raw -p udp --sport 546 -j CT --helper dhcpv6 3) run conntrackd You should see: % conntrack -L exp -f ipv6 279 proto=17 src=:: dst=ff02::1:2 sport=0 dport=546 mask-src=:: mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=fe80::221:ccff:fe4a:7f9c master-dst=ff02::1:2 sport=546 dport=547 PERMANENT class=0 helper=dhcpv6 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-21T11:48:23+00:00 Pablo Neira Ayuso pablo@netfilter.org 2012-08-21T11:46:02+00:00 urn:sha1:137b0a2ac9568638be078126ca92ac62ca51e1f4 %pI4 also exists in the Linux kernel. It would be good to have some generic functions to convert binary data to address string. Later. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-01T17:20:17+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-05-15T12:43:20+00:00 urn:sha1:40f4330e6b50ed2b198549b1006c6fcb349f5a3b Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-08-01T17:20:12+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-05-15T12:31:35+00:00 urn:sha1:969d93f14fffadb5cae67a7662484c1e064bbff1 How to use this helper in a few steps: 1) You can enable this helper via: nfct helper add rpc inet tcp nfct helper add rpc inet udp 2) Configure /etc/conntrackd/conntrackd.conf and launch it. 3) You can test this helper locally with the following rule-set: iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -P OUTPUT DROP 4) Configure NFS and export some local directory. Then, mount it with version 3. mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/ You should see permanent expectations created for this. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>