Age  Commit message  Author
2012-01-10  conntrackd: support for expectation synchronization  (Pablo Neira Ayuso)
This patch adds support to synchronize expectations between firewalls. This addition aims to re-use as much as possible of the existing infrastructure for stability reasons. The expectation support has been tested with the FTP helper.

This extension requires libnetfilter_conntrack 1.0.0.

If this is the first time you're playing with conntrackd, I *strongly* recommend you to get a working setup of conntrackd without expectation support before, as described in the documentation. Then, enabling expectation support is rather easy.

To know more about expectations, if you're not familiar with them, I suggest you read:

"Netfilter's Connection Tracking System"
http://people.netfilter.org/pablo/docs/login.pdf
Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3 (Berkeley, CA: USENIX Association, 2006, pp. 40-45.)

In short, expectations allow one Linux firewall to filter multi-flow traffic like FTP, SIP and H.323.

In my testbed, there are two firewalls in a primary-backup configuration running keepalived. They use a couple of floating cluster IP addresses (192.168.0.100 and 192.168.1.100) that are used by the client. These firewalls protect one FTP server (192.168.1.2) that will be accessed by one client.

In ASCII art, it looks like this:

                192.168.0.100        192.168.1.100
                     eth1                eth2
                             fw-1
                            /    \                    FTP
         client ------                  ------      server
       192.168.0.2          \    /                 192.168.1.2
                             fw-2

This is the rule-set for the firewalls:

-A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "

The following steps detail how to check that the expectation support works fine for conntrackd:

1) You have to enable the expectation support in the configuration file with the following option:

Sync {
        ...
        Options {
                ExpectationSync {
                        ftp
                        sip
                        h323
                }
        }
}

This enables expectation synchronization for the FTP, SIP and H.323 helpers. You can alternatively use:

Sync {
        ...
        Options {
                ExpectationSync On
        }
}

to enable expectation synchronization for all helpers.

2) Make sure you have loaded the FTP helper in both firewalls.

root@fw1# modprobe nf_conntrack_ftp
root@fw2# modprobe nf_conntrack_ftp

3) Switch to the client. Start one FTP control connection to one server that is protected by the firewalls, enter passive mode:

(term-1) user@client$ nc 192.168.1.2 21
220 dummy FTP server
USER anonymous
331 Please specify the password.
PASS nothing
230 Login successful.
PASV
227 Entering Passive Mode (192,168,1,2,163,11).

This means that port 163*256+11=41739 will be used for the data traffic. Read this if you are not familiar with the FTP protocol:
http://www.freefire.org/articles/ftpexample.php

3) Switch to fw-1 (primary) to check that the expectation is in the internal cache.

root@fw1# conntrackd -i exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s]

4) Switch to fw-2 (backup) to check that the expectation has been successfully replicated.

root@fw2# conntrackd -e exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]

5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary.

6) Switch to fw-2 (primary) to commit the external cache into the kernel.

root@fw2# conntrackd -c exp

The logs should display that the commit was successful:

root@fw2# tail -100f /var/log/conntrackd.log
[Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations
[Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries
[Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds

7) Switch to the client. Open a new terminal and connect to the port that has been announced by the server:

(term-2) user@client$ nc -vvv 192.168.1.2 41739
(UNKNOWN) [192.168.1.2] 41739 (?) open

8) Switch to term-1 and ask for the file listing:

[...]
227 Entering Passive Mode (192,168,1,2,163,11).
LIST

9) Switch to term-2, it should display the listing. That means everything has worked fine.

You may want to try disabling the expectation support and repeating the steps to check that *it does not work* without the state-synchronization.

You can also display expectation statistics by means of:

root@fwX# conntrackd -s exp

This update requires no changes in the primary-backup.sh script that is used by the HA manager to interact with conntrackd. Thus, we provide a backward compatible command line interface.

Regarding the Filter clause and expectations, we use the master conntrack to filter expectation events. The filtering is performed in user-space. No kernel-space filtering support for expectations yet (this support should go in libnetfilter_conntrack at some point).

This patch also includes support to disable caching and to allow direct injection of expectations.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
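The replication check in the "conntrackd -i exp" / "conntrackd -e exp" steps of the message above can be automated. The following Python is an added example, not code from the commit or from conntrack-tools: it decodes the FTP PASV reply the same way the message does (p1*256+p2), parses the expectation line format quoted above (where sport/dport repeat for the expected tuple, the mask and the master flow), and reports expectations that the primary's internal cache holds but the backup's external cache lacks. Both sample dumps are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample dumps, modelled on the "conntrackd -i exp" (primary, internal
# cache) and "conntrackd -e exp" (backup, external cache) lines quoted above.
# The second primary expectation is deliberately absent from the backup.
PRIMARY_INTERNAL = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s]
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41800 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36391 dport=21 [active since 2s]
"""
BACKUP_EXTERNAL = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]
"""

PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_data_endpoint(reply: str) -> Tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, p1*256+p2)."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_expectation(line: str) -> Dict[str, str]:
    """Parse one expectation line; repeated sport/dport get mask-/master- prefixes by position."""
    prefixes = ("", "mask-", "master-")
    seen: Dict[str, int] = {}
    out: Dict[str, str] = {}
    for key, value in re.findall(r"([\w-]+)=(\S+)", line):
        if key in ("sport", "dport"):
            n = seen.get(key, 0)
            seen[key] = n + 1
            key = prefixes[n] + key
        out[key] = value
    return out

def expectation_key(exp: Dict[str, str]) -> Tuple[str, ...]:
    """Identity of an expectation: protocol, expected tuple and master flow."""
    names = ("proto", "src", "dst", "dport",
             "master-src", "master-dst", "master-sport", "master-dport")
    return tuple(exp[n] for n in names)

def _parse_dump(dump: str) -> List[Dict[str, str]]:
    return [parse_expectation(l) for l in dump.splitlines() if l.strip()]

def missing_on_backup(primary_dump: str, backup_dump: str) -> List[Dict[str, str]]:
    """Expectations held by the primary that the backup has not received."""
    backup = {expectation_key(e) for e in _parse_dump(backup_dump)}
    return [e for e in _parse_dump(primary_dump) if expectation_key(e) not in backup]

def backup_covers_pasv(pasv_reply: str, backup_dump: str) -> bool:
    """True if the backup holds an expectation for the data port the server announced."""
    host, port = pasv_data_endpoint(pasv_reply)
    return any(e["dst"] == host and int(e["dport"]) == port
               for e in _parse_dump(backup_dump))
```

On a real pair of firewalls the dumps would come from running the two conntrackd commands on each node before step 5, and a non-empty missing_on_backup result means the failover in step 6 would leave that data connection unfiltered.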
2012-01-10  conntrackd: minor cleanup for commit  (Pablo Neira Ayuso)
Cosmetic cleanup for better code readability. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10  conntrackd: relax checkings in ct_filter_sanity_check  (Pablo Neira Ayuso)
This is required to prepare the expectation support. The master, expect and mask objects that are part of the conntrack object do not have any reply information. This allows the expectation support to re-use the existing filtering infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10  conntrackd: constify ct parameter of ct_filter_* functions  (Pablo Neira Ayuso)
The ct object that is passed as parameter is not modified, make it constant. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10  conntrackd: remove cache_data_get_object and replace by direct pointer  (Pablo Neira Ayuso)
We now include one pointer to the object in the extra section. This is required to generalize this code for the expectation support. We consume 4-8 bytes extra, but we will not need more changes to support expectations which is a good idea.
2012-01-10  conntrackd: simplify cache_get_extra function  (Pablo Neira Ayuso)
This patch simplifies cache_get_extra which now takes only one parameter that is the cache_object. With it, the extra area can be calculated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10  conntrackd: generalize local handler actions  (Pablo Neira Ayuso)
This patch prepares the introduction of actions with the expectation table. Mostly renamings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10  conntrackd: generalize/cleanup network message building/parsing  (Pablo Neira Ayuso)
This patch generalizes the network message building and parsing to prepare the upcoming expectation support. Basically, it renames:
- NET_T_STATE_* by NET_T_STATE_CT_*, as I plan to add NET_T_STATE_EXP_*
- BUILD_NETMSG by BUILD_NETMSG_FROM_CT, and build_payload by ct2msg. I plan to add exp2msg.
- parse_payload by msg2ct, since I plan to add msg2exp.
- modify object_status_to_network_type to prepare the support of expectations.
- add prefix ct_ to all parsing functions in parse.c, as we will have similar functions to convert messages to expectation objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10  conntrackd: generalize external handlers to prepare expectation support  (Pablo Neira Ayuso)
This patch contains cleanups to prepare the expectation support for external handlers. Mostly renamings. I have also updated the file headers to include Vyatta in the copyright statement. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10  conntrackd: generalize caching infrastructure  (Pablo Neira Ayuso)
This patch generalizes the caching infrastructure to store different object types. This patch is the first in the series to prepare support for the synchronization of expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-04  build: bump version to 1.0.1  [tag: conntrack-tools-1.0.1]  (Pablo Neira Ayuso)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-04  conntrackd: fix checking of return value of queue_add()  (Pablo Neira Ayuso)
Most callers of queue_add() assume that it returns != 0 in case of success. However, it may return -1 in case that the queue gets full. In that case, most callers have to:
- release the object that they want to enqueue.
- decrement the refcount, in case they have bumped it.
However, most of these callers are using the tx_queue which currently has no limit in size at all. This fix is necessary in case that I decide to limit the size of the transmission queue in the future (which makes a lot of sense indeed).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-12-30  doc: primary-backup.sh: clarify licensing terms (GPLv2+)  (Pablo Neira Ayuso)
This script is released under GPLv2+. Update copyright notice as well. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-12-27  Merge branch 'master' of git://dev.medozas.de/conntrack-tools  (Pablo Neira Ayuso)
2011-12-19  conntrackd: fix filtering of dump output if internal cache is disabled  (Pablo Neira Ayuso)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-12-17  build: disable implicit .tar.gz archive generation and use POSIX mode  (Jan Engelhardt)
2011-12-17  build: use AC_CONFIG_AUX_DIR and stash away tools  (Jan Engelhardt)
2011-12-17  Update .gitignore  (Jan Engelhardt)
Only ignore these paths if they are a directory.
2011-10-24  conntrackd: add missing initial caching of gettimeofday()  (Pablo Neira Ayuso)
Thus, we fix conntrackd -i for flows that were just retrieved from the kernel:

tcp 6 ESTABLISHED src=192.168.1.135 dst=208.68.163.220 sport=42179 dport=5222 src=208.68.163.220 dst=192.168.1.135 sport=5222 dport=42179 [ASSURED] mark=0 [active since 1319450515s]

Note the wrong "active since" value.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-07-08  conntrack: add missing break when parsing --id/--secmark options  (Florian Westphal)
commit 147ed522f52a62ab0d854ddc443d27d97dbf6cdf (conntrack: add support for mark mask) failed to add a break after secmark/id option parsing. Results in '-m 42 -c 1' to search for mark 1 instead of 42. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-07-08  testsuite: add tests for --mark option  (Florian Westphal)
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-06-22  conntrack: remove unused variable with -S  (Pablo Neira Ayuso)
Error: UNUSED_VALUE: conntrack-tools-1.0.0/src/conntrack.c:1297: returned_pointer: Pointer "nl" returned by "strchr(buf, 10)" is never used. Reported-by: Jiri Popelka <jpopelka@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-06-15  conntrack: skip sending update message to kernel if conntrack is unchanged  (Florian Westphal)
This speeds up operation when a lot of conntracks exist, but only a few of them have to be altered. This change is user-visible because the exit message ("%d flow entries have been updated") will now print the number of entries that have been altered instead of the total number of conntracks seen. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-06-15  conntrack: add support for mark mask  (Florian Westphal)
Extend --mark option to optionally take a mask, separated by '/', e.g. --mark 0x80/0xf0. When used with -L, only test those bits of the mark that are in the mask range (behaves like iptables -m mark). When used with -U, zero out those bits indicated by the mask and XOR the new mark into the result (behaves like iptables -j MARK --set-xmark). Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-03-15  build: Linux kernel-style for compilation messages  (Pablo Neira Ayuso)
[...]
  CC     external_inject.o
  CC     internal_cache.o
  CC     internal_bypass.o
  CC     read_config_yy.o
  CC     read_config_lex.o
  CCLD   conntrackd
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-27  build: bump version to 1.0.0  [tag: conntrack-tools-1.0.0]  (Pablo Neira Ayuso)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-27  doc: prepare 1.0.0 release in conntrack-tools manual  (Pablo Neira Ayuso)
Remove reference which states that this is still under development and refer to version 1.0.0. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-24  build: conntrack-tools now requires libnetfilter_conntrack >= 0.9.1  (Pablo Neira Ayuso)
The existing code requires new features that went into the current library version. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-22  doc: add missing conntrackd -s invocation with options  (Pablo Neira Ayuso)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-22  doc: add reference to the CT target again  (Pablo Neira Ayuso)
Now that we have fixed several aspects of the event filtering in 2.6.38, I reintroduce the documentation for this feature. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-22  conntrack: support SYN_SENT2 TCP state as --state parameter  (Pablo Neira Ayuso)
Since Linux kernel 2.6.31, the LISTEN state is SYN_SENT2. With this patch, we allow to use -p tcp --state SYN_SENT2 which was not possible so far. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-22  conntrack: display informative message if expectation table is flushed  (Pablo Neira Ayuso)
With this patch, we display the following message after:

# conntrack -F expect
conntrack v0.9.15 (conntrack-tools): expectation table has been emptied.

To make it consistent with the message displayed with conntrack -F.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-18  doc: document redundant link support for conntrackd  (Pablo Neira Ayuso)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-18  doc: document -s option of conntrackd in the manual  (Pablo Neira Ayuso)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-18  conntrackd: remove use of deprecated nfct_maxsize()  (Pablo Neira Ayuso)
This patch removes the use of nfct_maxsize() and several abusive stack-based allocations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-17  conntrack: allocate template objects in the heap  (Pablo Neira Ayuso)
With this patch, we don't abuse the stack anymore, instead we allocate the template objects that are used in the heap. We stop using nfct_maxsize() which is now deprecated in libnetfilter_conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-17  conntrackd: use nfct_copy() with override flag in cache_object_new()  (Pablo Neira Ayuso)
Using memcpy() is not safe, it breaks secctx and it may break more things in the future. Moreover, nfct_size*() functions will be deprecated soon, they are evil since they open the window to memcpy(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-17  conntrack: add -o ktimestamp option (it requires linux >= 2.6.38)  (Pablo Neira Ayuso)
This option requires Linux kernel >= 2.6.38, you have to enable conntrack timestamping with:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp

# conntrack -L -o ktimestamp
udp 17 59 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=121 [start=Thu Feb 17 17:41:18 2011] use=1

# conntrack -L
conntrack v0.9.15 (conntrack-tools): 20 flow entries have been shown.
udp 17 31 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=149 use=1

# conntrack -E -o ktimestamp
...
[DESTROY] udp 17 src=192.168.1.128 dst=192.168.1.1 sport=40162 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=40162 [ASSURED] delta-time=3 [start=Thu Feb 17 17:44:57 2011] [stop=Thu Feb 17 17:45:00 2011]

# conntrack -E
[DESTROY] udp 17 src=192.168.1.128 dst=77.226.252.14 sport=123 dport=123 src=77.226.252.14 dst=192.168.1.128 sport=123 dport=123 delta-time=8

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-16  conntrackd: raise number of committed entries per step  (Pablo Neira Ayuso)
This patch raises the number of committed entries per step from 64 to 8192. Experimental results in active-active setups here show that we reduce the commit time with this value significantly. This deserves some more study, it can be a good idea to remove this commit per step completely. I leave this for the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-16  conntrackd: event iteration limiter is already reset in main select loop  (Pablo Neira Ayuso)
This patch removes an unnecessary reset of the event iteration limiter that is already done in the main select loop. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-15  cache: log if we received a commit request while already one in progress  (Pablo Neira Ayuso)
This patch improves the case in which we receive a commit request but we are already performing one. This behaviour is suspicious since the HA manager should not trigger a double master transition. Otherwise, something probably is not configured appropriately. This improves 98756c2608f0879a2322919c7441973216565272 "cache: close commit request if we already have one in progress". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-13  cache: close commit request if we already have one in progress  (Pablo Neira Ayuso)
We close a commit request if there's already one in progress. This patch fixes a problem that may be triggered if two consecutive commit requests are received. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-13  sync: don't override initial return value of local handler  (Pablo Neira Ayuso)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-13  local: don't override initial return value  (Pablo Neira Ayuso)
The initial return value is overridden after the initial read. Don't override this value, instead we check the return value of the read() operation. This patch also changes the error statistics accounting since we consider that a request with no data is an error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-01  doc: remove reference to the CT target  (Pablo Neira Ayuso)
Sorry, the iptables CT target is not yet ready for use until some patches are pushed to the Linux kernel. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-01-16  doc: update conntrack-tools manual  (Pablo Neira Ayuso)
This update adds to the documentation the following information:
* add reference to "Demystifying cluster-based fault-tolerant firewalls"
* add how-to disable the external cache
* add how-to disable the internal cache
* add how-to set the synchronization transport protocol
* document iptables CT target
* ask for sponsors to finish H323 and SIP support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2010-11-05  build: remove redundant bison/lex tests  (Jan Engelhardt)
AC_PROG_{LEX,YACC} already searches for the programs, so no need to do it again with AC_CHECK_PROGS. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
2010-11-05  build: use AM_YFLAGS instead of overriding YACC  (Jan Engelhardt)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
2010-11-05  build: run autoupdate to replace obsolete constructs  (Jan Engelhardt)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
2010-11-05  build: default to not building static libraries  (Jan Engelhardt)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>