| Age | Commit message (Collapse) | Author |
|---|
|
From patchwork Thu Nov 29 13:52:20 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: conntrack: add support to dump the dying and unconfirmed list via
ctnetlink
Date: Thu, 29 Nov 2012 03:52:20 -0000
From: Pablo Neira <pablo@netfilter.org>
X-Patchwork-Id: 202751
Message-Id: <1354197140-8498-1-git-send-email-pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
From: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for:
conntrack -L dying
conntrack -L unconfirmed
To display the list of dying and unconfirmed conntracks. This provides
some instrumentation in case that `conntrack -C` really deviates from
what `conntrack -L | wc -l` says.
Users like to check this to make sure things are going OK. Still, some
conntrack objects may be still in the dying and the unconfirmed list.
With this patch, we can also dump their content, before it was not
possible.
In normal cases both lists would be simply empty, or in the case of
the dying list, you can observe that entries go slightly down in
number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/conntrack.c | 108 ++++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 95 insertions(+), 13 deletions(-)
Index: conntrack-tools-oxnard-2d010c5/src/conntrack.c
===================================================================
--- conntrack-tools-oxnard-2d010c5.orig/src/conntrack.c 2012-11-30 22:02:18.356340288 +0100
+++ conntrack-tools-oxnard-2d010c5/src/conntrack.c 2012-11-30 22:02:31.011558172 +0100
@@ -820,27 +820,45 @@
*cmd |= newcmd;
}
-static unsigned int
-check_type(int argc, char *argv[])
+static char *get_table(int argc, char *argv[])
{
char *table = NULL;
- /* Nasty bug or feature in getopt_long ?
+ /* Nasty bug or feature in getopt_long ?
* It seems that it behaves badly with optional arguments.
* Fortunately, I just stole the fix from iptables ;) */
if (optarg)
return 0;
- else if (optind < argc && argv[optind][0] != '-'
- && argv[optind][0] != '!')
+ else if (optind < argc && argv[optind][0] != '-' &&
+ argv[optind][0] != '!')
table = argv[optind++];
-
- if (!table)
- return 0;
-
+
+ return table;
+}
+
+enum {
+ CT_TABLE_CONNTRACK,
+ CT_TABLE_EXPECT,
+ CT_TABLE_DYING,
+ CT_TABLE_UNCONFIRMED,
+};
+
+static unsigned int check_type(int argc, char *argv[])
+{
+ const char *table = get_table(argc, argv);
+
+ /* default to conntrack subsystem if nothing has been specified. */
+ if (table == NULL)
+ return CT_TABLE_CONNTRACK;
+
if (strncmp("expect", table, strlen(table)) == 0)
- return 1;
+ return CT_TABLE_EXPECT;
else if (strncmp("conntrack", table, strlen(table)) == 0)
- return 0;
+ return CT_TABLE_CONNTRACK;
+ else if (strncmp("dying", table, strlen(table)) == 0)
+ return CT_TABLE_DYING;
+ else if (strncmp("unconfirmed", table, strlen(table)) == 0)
+ return CT_TABLE_UNCONFIRMED;
else
exit_error(PARAMETER_PROBLEM, "unknown type `%s'", table);
@@ -1633,6 +1651,27 @@
return MNL_CB_OK;
}
+static int mnl_nfct_dump_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct nf_conntrack *ct;
+ char buf[4096];
+
+ ct = nfct_new();
+ if (ct == NULL)
+ return MNL_CB_OK;
+
+ nfct_nlmsg_parse(nlh, ct);
+
+ nfct_snprintf(buf, sizeof(buf), ct, NFCT_T_UNKNOWN, NFCT_O_DEFAULT, 0);
+ printf("%s\n", buf);
+
+ nfct_destroy(ct);
+
+ counter++;
+
+ return MNL_CB_OK;
+}
+
static struct ctproto_handler *h;
int main(int argc, char *argv[])
@@ -1667,6 +1706,16 @@
switch(c) {
/* commands */
case 'L':
+ type = check_type(argc, argv);
+ /* Special case: dumping dying and unconfirmed list
+ * are handled like normal conntrack dumps.
+ */
+ if (type == CT_TABLE_DYING ||
+ type == CT_TABLE_UNCONFIRMED)
+ add_command(&command, cmd2type[c][0]);
+ else
+ add_command(&command, cmd2type[c][type]);
+ break;
case 'I':
case 'D':
case 'G':
@@ -1677,14 +1726,25 @@
case 'C':
case 'S':
type = check_type(argc, argv);
+ if (type == CT_TABLE_DYING ||
+ type == CT_TABLE_UNCONFIRMED) {
+ exit_error(PARAMETER_PROBLEM,
+ "Can't do that command with "
+ "tables `dying' and `unconfirmed'");
+ }
add_command(&command, cmd2type[c][type]);
break;
case 'U':
type = check_type(argc, argv);
- if (type == 0)
+ if (type == CT_TABLE_DYING ||
+ type == CT_TABLE_UNCONFIRMED) {
+ exit_error(PARAMETER_PROBLEM,
+ "Can't do that command with "
+ "tables `dying' and `unconfirmed'");
+ } else if (type == CT_TABLE_CONNTRACK)
add_command(&command, CT_UPDATE);
else
- exit_error(PARAMETER_PROBLEM,
+ exit_error(PARAMETER_PROBLEM,
"Can't update expectations");
break;
/* options */
@@ -1884,6 +1944,28 @@
struct nfct_filter_dump *filter_dump;
case CT_LIST:
+ if (type == CT_TABLE_DYING) {
+ if (nfct_mnl_socket_open() < 0)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+
+ res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+ IPCTNL_MSG_CT_GET_DYING,
+ mnl_nfct_dump_cb);
+
+ nfct_mnl_socket_close();
+ break;
+ } else if (type == CT_TABLE_UNCONFIRMED) {
+ if (nfct_mnl_socket_open() < 0)
+ exit_error(OTHER_PROBLEM, "Can't open handler");
+
+ res = nfct_mnl_dump(NFNL_SUBSYS_CTNETLINK,
+ IPCTNL_MSG_CT_GET_UNCONFIRMED,
+ mnl_nfct_dump_cb);
+
+ nfct_mnl_socket_close();
+ break;
+ }
+
cth = nfct_open(CONNTRACK, 0);
if (!cth)
exit_error(OTHER_PROBLEM, "Can't open handler");
(cherry picked from commit 2cd070dbd7966af448ef38b245bb59c002bbcedb)
Conflicts:
debian/changelog
|
|
ignoring ignored addresses during flush
|
|
pacifica
Conflicts:
include/helper.h
src/expect.c
src/helpers/ftp.c
src/helpers/rpc.c
src/helpers/tns.c
tests/conntrackd/cthelper/main.c
tests/conntrackd/cthelper/run-test.sh
|
|
This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.
There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:
doc/helper/conntrackd.conf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
user_space_helpers
Conflicts:
.gitignore
src/run.c
|
|
This patch adds the user-space helper infrastructure. It also
contains the implementation of the FTP helper in user-space.
There's one example file that you can use to configure conntrackd
as user-space connection tracking helper under:
doc/helper/conntrackd.conf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch moves the specific ctnetlink code to ctnl.c to prepare
the introduction of the cthelper infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch generalizes the select-based file descriptor infrastructure
by allowing you to register file descriptors and its callbacks. Instead
of hardcoding the descriptors that needs to be checked.
Now, struct fds_item contains a callback and pointer to data that is
passed to it:
struct fds_item {
struct list_head head;
int fd;
+ void (*cb)(void *data);
+ void *data;
};
Then, we check which ones are active in the select_main_step() function:
list_for_each_entry(cur, &STATE(fds)->list, head) {
if (FD_ISSET(cur->fd, &readfds))
cur->cb(cur->data);
}
And it invoked the corresponding callback.
I had to slightly modify the channel infrastructure to fit it into
the changes.
This modularity is required for the upcoming cthelper support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
I'll need for the upcoming cthelper infrastructure. Moreover, we avoid
more fragmentation in the netfilter user-space utilities. And the plan
is that `nfct' will replace `conntrack' at some point.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
For both conntrack and expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing bits to support NAT expectation support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds support for synchronizing the expectation class.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
expectations in XML format."
Generated files got committed by git commit -a, thus reverting the commit.
This reverts commit d8def099fed622b42f7b66468981d6d5c7aac74c.
|
|
expectations in XML format.
|
|
|
|
This patch allows you to dump the internal and external expectation
cache in XML.
% conntrackd -i exp -x
<flow><layer3 protonum="2" protoname="ipv4"><expected><src>192.168.1.135</src><dst>130.89.148.12</dst></expected><mask><src>255.255.255.255</src><dst>255.255.255.255</dst></mask><master><src>192.168.1.135</src><dst>130.89.148.12</dst></master></layer3><layer4 protonum="6" protoname="tcp"><expected><sport>0</sport><dport>9082</dport></expected><mask><sport>0</sport><dport>65535</dport></mask><master><sport>50518</sport><dport>21</dport></master></layer4><meta><helper-name>ftp</helper-name></meta></flow>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
1.0.1
|
|
This patch adds support to synchronize expectations between
firewalls. This addition aims to re-use as much as possible
of the existing infrastructure for stability reasons. The
expectation support has been tested with the FTP helper.
This extension requires libnetfilter_conntrack 1.0.0.
If this is the first time you're playing with conntrackd,
I *strongly* recommend you to get working setup of conntrackd
without expectation support before as described in the
documentation. Then, enabling expectation support is rather
easy.
To know more about expectations, if you're not familiar with them,
I suggest you to read:
"Netfilter's Connection Tracking System"
http://people.netfilter.org/pablo/docs/login.pdf
Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3
(Berkeley, CA: USENIX Association, 2006, pp40-45.)
In short, expectations allow one Linux firewall to filter multi-flow
traffic like FTP, SIP and H.323.
In my testbed, there are two firewalls in a primary-backup configuration
running keepalived. The use a couple of floating cluster IP address
(192.168.0.100 and 192.168.1.100) that are used by the client. These
firewalls protect one FTP server (192.168.1.2) that will be accessed by
one client.
In ASCII art, it looks like this:
192.168.0.100 192.168.1.100
eth1 eth2
fw-1
/ \ FTP
-- client ------ ------ server --
192.168.0.2 \ / 192.168.1.2
fw-2
This is the rule-set for the firewalls:
-A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "
The following steps detail how to check that the expectation support
works fine for conntrackd:
1) You have to enable the expectation support in the configuration
file with the following option:
Sync {
...
Options {
ExpectationSync {
ftp
sip
h323
}
}
}
This enables expectation synchronization for the FTP, SIP and H.323 helpers.
You can alternatively use:
Sync {
...
Options {
ExpectationSync On
}
}
To enable expectation synchronization for all helpers.
2) Make sure you have loaded the FTP helper in both firewalls.
root@fw1# modprobe nf_conntrack_ftp
root@fw2# modprobe nf_conntrack_ftp
3) Switch to the client. Start one FTP control connection to one
server that is protected by the firewalls, enter passive mode:
(term-1) user@client$ nc 192.168.1.2 21
220 dummy FTP server
USER anonymous
331 Please specify the password.
PASS nothing
230 Login successful.
PASV
227 Entering Passive Mode (192,168,1,2,163,11).
This means that port 163*256+11=41739 will be used for the data
traffic. Read this if you are not familiar with the FTP protocol:
http://www.freefire.org/articles/ftpexample.php
3) Switch to fw-1 (primary) to check that the expectation is in the
internal cache.
root@fw1# conntrackd -i exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s]
4) Switch to fw-2 (backup) to check that the expectation has been successfully
replicated.
root@fw2# conntrackd -e exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]
5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary.
6) Switch to fw-2 (primary) to commit the external cache into the kernel.
root@fw2# conntrackd -c exp
The logs should display that the commit was successful:
root@fw2# tail -100f /var/log/conntrackd.log
[Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations
[Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries
[Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds
7) Switch to the client. Open a new terminal and connect to the port that
has been announced by the server:
(term-2) user@client$ nc -vvv 192.168.1.2 41739
(UNKNOWN) [192.168.1.2] 41739 (?) open
8) Switch to term-1 and ask for the file listing:
[...]
227 Entering Passive Mode (192,168,1,2,163,11).
LIST
9) Switch to term-2, it should display the listing. That means
everything has worked fine.
You may want to try disabling the expectation support and
repeating the steps to check that *it does not work* without
the state-synchronization.
You can also display expectation statistics by means of:
root@fwX# conntrackd -s exp
This update requires no changes in the primary-backup.sh script
that is used by the HA manager to interact with conntrackd. Thus,
we provide a backward compatible command line interface.
Regarding the Filter clause and expectations, we use the master
conntrack to filter expectation events. The filtering is performed
in user-space. No kernel-space filtering support for expectations
yet (this support should go in libnetfilter_conntrack at some
point).
This patch also includes support to disable caching and to allow
direct injection of expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
The ct object that is passed as parameter is not modified,
make it constant.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
We now include one pointer to the object in the extra section.
This is required to generalize this code for the expectation
support. We consume 4-8 bytes extra, but we will not need more
changes to support expectations which is a good idea.
|
|
This patch simplifies cache_get_extra which now takes only one
parameter that is the cache_object. With it, the extra area can be
calculated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch prepares the introduction of actions with the expectation
table. Mostly renamings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch generalizes the network message building and parsing
to prepare the upcoming expectation support.
Basically, it renames:
- NET_T_STATE_* by NET_T_STATE_CT_*, as I plan to add NET_T_STATE_EXP_*
- BUILD_NETMSG by BUILD_NETMSG_FROM_CT, and build_payload by ct2msg.
I plan to add exp2msg.
- parse_payload by msg2ct, since I plan to add msg2exp.
- modify object_status_to_network_type to prepare the support of
expectations.
- add prefix ct_ to all parsing functions in parse.c, as we will have
similar functions to convert messages to expectation objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch contains cleanups to prepare the expectation support for
external handlers. Mostly renamings.
I have also updated the file headers to include Vyatta in the copyright
statement.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch generalizes the caching infrastructure to store different
object types. This patch is the first in the series to prepare
support for the synchronization of expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch improves the case in which we receive a commit request
but we are already performing one. This behaviour is suspicious
since the HA manager should not trigger a double master transition.
Otherwise, something probably is not configured appropriately.
This improves 98756c2608f0879a2322919c7441973216565272
"cache: close commit request if we already have one in progress".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds `--zone' to the command line tool. This adds
the missing user-space support for Patrick's McHardy iptables
CT target.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the --any-nat option that allows to display src-NATted
OR dst-NATted flows.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch is a cleanup, it puts all the commands and options code
together. This makes easier and less error-prone the task to add
new commands and options.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
This patch fixes a hung that occurs if you invoke `conntrackd -c'
and you have disabled the external cache.
Note that `conntrackd -c' does nothing since there is no entries
in the external cache to be committed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds state-synchronization for ICMP. You SHOULD use a
Linux kernel >= 2.6.31, otherwise this patch can result in tons
of state-updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the clause `DisableInternalCache' that allows you
to bypass the internal cache. This clause can only be used with
the notrack synchronization mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Under stress, the TCP stack may return EAGAIN if there is not
space left in the sender buffer. We also enqueue any other
error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes a bug in the TCP support that breaks
re-connections of the client side if several TCP
channels are used in the configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Use the TCP header size (20 bytes) instead of the UDP header size
(8 bytes) to calculate the maximum packet size.
Reported-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
We cannot assume that we will not write in the net message before we
send it, because the memory allocated for the net message (__net) is
only reserved in BUILD_NETMSG (because of the { } block in it).
This patch marks the buffer as static to avoid this problem.
Based on a patch from Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds support for TCP as protocol to replicate
state-changes between two daemons. Note that this only
makes sense with the notrack mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we can remove file descriptors dinamically
from our own file descriptor pool.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reduces the number of gettimeofday syscalls by caching
the current time in a variable at the beginning of the main loop.
Based on a suggestion from Vincent Jardin.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the clause `DisableExternalCache' that allows you
to disable the external cache and to directly inject the entries
into the kernel conntrack table. As a result, the CPU consumption
of conntrackd increases. This clause can only be used with the
FT-FW and the notrack synchronization modes, but not with the
alarm mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing support to filter IPv6 from kernel-space
by means of the BSF API that libnetfilter_conntrack provides.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the NetlinkEventsReliable clause, this is useful
to turn on reliable Netlink event delivery. This features
requires a Linux kernel >= 2.6.31.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks the commit phase to avoid the forking. This is
particularly useful in active-active setups in which one node
has to commit the external cache while it is receiving new entries
to be added in the external cache. This results in really high
commit times due to the penalty of the copy-on-write that fork
performs.
The default number of steps in one run loop is limited to 64 by now.
No option to tune this parameter is still available via the
configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds cache_iterate_limit() and hashtable_iterate_limit()
that allows to limit the iteration to given a number of states.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the LOCAL_RET_* return values. The return value
LOCAL_RET_STOLEN which allows to leave a client socket open while
waiting for an operation to finish.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a new statistic field to count the number of
enospc errors while adding new nodes to some queue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
