| Age | Commit message (Collapse) | Author |
|---|
|
Reported-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds support for:
conntrack -L dying
conntrack -L unconfirmed
To display the list of dying and unconfirmed conntracks. This provides
some instrumentation in case that `conntrack -C` really deviates from
what `conntrack -L | wc -l` says.
Users like to check this to make sure things are going OK. Still, some
conntrack objects may be still in the dying and the unconfirmed list.
With this patch, we can also dump their content, before it was not
possible.
In normal cases both lists would be simply empty, or in the case of
the dying list, you can observe that entries go slightly down in
number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The existing code may nest several signal blocking and unblocking
calls in different paths of the code. This may result in deadlocks
while receiving signals.
This patch simplifies the signal blocking approach. Now signals
are blocked in three paths:
1) Internal timers handling, while running timer callback
for expired timers.
2) File descriptor handling, while running file descriptor
callbacks.
3) While handling signals, to avoid that SIGINT and SIGTERM
in a row results in a deadlock.
Thanks a lot to Ulrich Weber <ulrich.weber@sophos.com> for
discussing a fix for this problem.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds documentation on how to enable user-space helper support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
ExpectationSync requires Linux kernel >= 3.5 to work sanely, document this.
Still, we don't want to crash if someone enables expectation sync with
old Linux kernels (like 2.6.32).
Reported-by: James Gutholm <gutholmj@evergreen.edu>
Tested-by: James Gutholm <gutholmj@evergreen.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Several includes are missing when netfilter libs are not in the
standard path.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the QueueLen option, that allows you to increase
the maximum number of packets waiting in the nfnetlink_queue to
receive a verdict from userspace.
Rising the default value (1024) is useful to avoid hitting the following
error message: "nf_queue: full at X entries, dropping packets(s)".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
It was set to NFCT_HELPER_NAME_MAX (16 bytes), but we have function
names that are larger, eg. nf-nat-follow-master which is 18 bytes
long.
This leads to hitting malformed message while synchronizing
expectations.
I'll add some new constant to libnetfilter_conntrack instead of
hardcoding this, later.
Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes few compile warnings and errors.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
%pI4 also exists in the Linux kernel.
It would be good to have some generic functions to convert binary data
to address string. Later.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The pr_debug call should be converted to use dlog instead.
I'll try to add some some configuration parameter to
enable/disable debugging in runtime. This is not very flexible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
conntrackd was segfaulting with `ExpectationSync` set to `Off`
and PollSecs (polling mode) in use.
Signed-off-by: Vincent Bernat <bernat@luffy.cx>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Instead of hardcoded path to /usr/lib/conntrack-tools/ which might
not be true if options like --prefix with different location is
passed to conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the automated testing infrastructure the user-space
helpers. Basically, this adds the `cthelper-test' program that can
be invoked from the command line:
./cthelper-test pcaps/oracle-tns-redirect.pcap tns tcp 1521
To test the helper with one PCAP file that contains traces of Oracle TNS
traffic. It also provides tweaks to test the DNAT content mangling code:
./cthelper-test pcaps/oracle-tns-redirect.pcap tns tcp 1521 dnat
This will also allow fuzzy testing of user-space helper, for further
validation, not yet implemented.
To compile this tool, you have to run:
./configure
make check
under the qa/cthelper-test/ directory. I'm doing like this because
this directory is not included in the standalone tarball that
make distcheck generates (I don't want to bloat it with development
tools that can be retrieved from the git repository).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
How to use this helper in a few steps:
1) You can enable this helper via:
nfct helper add rpc inet tcp
nfct helper add rpc inet udp
2) Configure /etc/conntrackd/conntrackd.conf and launch it.
3) You can test this helper locally with the following rule-set:
iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc
iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P OUTPUT DROP
4) Configure NFS and export some local directory. Then, mount it with version 3.
mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/
You should see permanent expectations created for this.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.
There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:
doc/helper/conntrackd.conf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the specific ctnetlink code to ctnl.c to prepare
the introduction of the cthelper infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch generalizes the select-based file descriptor infrastructure
by allowing you to register file descriptors and its callbacks. Instead
of hardcoding the descriptors that needs to be checked.
Now, struct fds_item contains a callback and pointer to data that is
passed to it:
struct fds_item {
struct list_head head;
int fd;
+ void (*cb)(void *data);
+ void *data;
};
Then, we check which ones are active in the select_main_step() function:
list_for_each_entry(cur, &STATE(fds)->list, head) {
if (FD_ISSET(cur->fd, &readfds))
cur->cb(cur->data);
}
And it invoked the corresponding callback.
I had to slightly modify the channel infrastructure to fit it into
the changes.
This modularity is required for the upcoming cthelper support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
/proc/sys/net/netfilter/nf_conntrack_count
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Since Linux kernel >= 3.6.x, we can dump the conntrack statistics
via ctnetlink instead of using the /proc interface:
conntrack -S
cpu=0 searched=9177 found=387086 new=250451 invalid=1 ignore=4 delete=254093 delete_list=5467 insert=1825 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=1 searched=390 found=37493 new=1531 invalid=0 ignore=0 delete=345 delete_list=345 insert=1531 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=2 searched=333 found=68061 new=1895 invalid=0 ignore=1 delete=607 delete_list=607 insert=1896 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
cpu=3 searched=71 found=13364 new=1254 invalid=0 ignore=0 delete=75 delete_list=75 insert=1254 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=0
conntrack -S exp
cpu=0 expect_new=9177 expect_create=387284 expect_delete=251141
cpu=1 expect_new=390 expect_create=37496 expect_delete=1531
cpu=2 expect_new=333 expect_create=68117 expect_delete=1895
cpu=3 expect_new=71 expect_create=13366 expect_delete=1255
Note that the output is not backward-compatible, but we fail back to previous
output in case that ctnetlink stats dumping is not available.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch changes the current behaviour of `-t' and `-F' commands,
that results in flushing the kernel conntrack table. With this patch,
the entries that match the Filter clauses in conntrackd.conf are
ignored.
This fixes the situation in which some local ssh connection to the
firewall is lost during the failover (since `-t' is invoked from the
primary-backup.sh script).
Note that the Filter clause tells what entries have to be ignored,
ie. the entries that do not need to be replicated. It makes sense
not to flush entries that are not replicated (usually traffic to
the local firewall).
Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
While adding the expectation support for conntrackd, I accidentally
broke synchrony in 'conntrackd -c' command.
Basically, conntrackd -c should not return control to the shell
until the cache has been committed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Flushing the external cache, ie. conntrackd -f, while commit is in progress
is not allowed anymore, ie. conntrackd -c.
Note that conntrackd -c is synchronous. Thus, it returns control to the
caller once the commit has finished.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The H.323 helper is actually composed of three helpers:
ras
q.931
h.245
We have to specify those in the configuration file since h.323 is
not any known helper itself.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Making all in src
make[1]: Entering directory `/home/oden/RPM/BUILD/conntrack-tools-1.2.0/src'
CC parse.o
parse.c: In function 'msg2ct':
parse.c:258:34: error: 'NULL' undeclared (first use in this function)
parse.c:258:34: note: each undeclared identifier is reported only once for
each function it appears in
parse.c: In function 'msg2exp':
parse.c:438:16: error: 'NULL' undeclared (first use in this function)
Reported-by: Oden Eriksson <oeriksson@mandriva.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Before this patch, we called accept() to likely return EAGAIN.
This is not required as select() will tell us that we're ready
to accept. Therefore, that early accept() invocation complicates
the whole handling just to get the connection accepted a bit
before.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
this release fixes a compilation issue in 1.2.0, sorry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
nfct-extensions/timeout.c: In function ‘nfct_timeout_cb’:
nfct-extensions/timeout.c:99:2: warning: passing argument 4 of ‘nfct_timeout_snprintf’ makes integer from pointer without a cast [enabled by default]
/usr/include/libnetfilter_cttimeout/libnetfilter_cttimeout.h:114:5: note: expected ‘unsigned int’ but argument is of type ‘struct nfct_timeout *’
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This files includes some short description on `nfct'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
For automated testing of the conntrack utility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
All automated testing for the conntrack-tools will now reside under
the test directory.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
libnetfilter_conntrack 1.0.1 includes important updates for the
expectation side, which is used in this major milestone release.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
CC nfct-extensions/timeout.o
../../src/nfct-extensions/timeout.c: In function ‘nfct_cmd_timeout_parse_params’:
../../src/nfct-extensions/timeout.c:40:27: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Major milestone including the new `nfct' utility and the expectation
support for conntrackd.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the automated tests for the cttimeout infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
I'll need for the upcoming cthelper infrastructure. Moreover, we avoid
more fragmentation in the netfilter user-space utilities. And the plan
is that `nfct' will replace `conntrack' at some point.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
else, piping "conntrack -E expect" output will be buffered/delayed,
which is not what users expect. Normal conntrack events are already
flushed.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds missing information regarding several conntrackd
options to the manpage and the help info that is displayed in the
command line.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
You have to use this:
iptables -I PREROUTING -t raw -j CT --ctevents assured,destroy
instead of:
iptables -I PREROUTING -t raw -j CT --ctevents assured
Otherwise, conntrackd cache gets full since no destroy events
are delivered.
Reported-by: Kerin Millar <kerframil@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Now it includes:
ExpectationSync {
...
ras
q.931
h.245
}
Which are the set of helpers for h.323.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
You can use:
ExpectationSync {
ftp
ras
q.931
sip
}
or:
ExpectationSync {
FTP
RAS
Q.931
SIP
}
no matter lower/upper case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch uses the new infrastructure that allows us to filter
by mark from kernel-space.
This change ensures backward compatibility with kernels with
no support for filtering by mark (Linux kernel <= 3.4.x).
This requires lastest libnetfilter_conntrack library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
I forgot to modify the body of msg2exp to include the recently
committed support for the expectation class, helper name and NAT.
This patch fixes the problem.
Now in node-1 (primary), it shows:
proto=17 src=192.168.11.4 dst=192.168.10.5 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.5 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 31s]
And it node-2 (secondary), it shows:
proto=17 src=192.168.11.4 dst=192.168.10.5 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.5 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 180s]
This has been tested with the SIP conntrack helper.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
