summaryrefslogtreecommitdiff
path: root/include
AgeCommit message (Collapse)Author
2012-01-10conntrackd: support for expectation synchronizationPablo Neira Ayuso
This patch adds support to synchronize expectations between firewalls. This addition aims to re-use as much as possible of the existing infrastructure for stability reasons. The expectation support has been tested with the FTP helper. This extension requires libnetfilter_conntrack 1.0.0. If this is the first time you're playing with conntrackd, I *strongly* recommend you to get working setup of conntrackd without expectation support before as described in the documentation. Then, enabling expectation support is rather easy. To know more about expectations, if you're not familiar with them, I suggest you to read: "Netfilter's Connection Tracking System" http://people.netfilter.org/pablo/docs/login.pdf Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3 (Berkeley, CA: USENIX Association, 2006, pp40-45.) In short, expectations allow one Linux firewall to filter multi-flow traffic like FTP, SIP and H.323. In my testbed, there are two firewalls in a primary-backup configuration running keepalived. The use a couple of floating cluster IP address (192.168.0.100 and 192.168.1.100) that are used by the client. These firewalls protect one FTP server (192.168.1.2) that will be accessed by one client. In ASCII art, it looks like this: 192.168.0.100 192.168.1.100 eth1 eth2 fw-1 / \ FTP -- client ------ ------ server -- 192.168.0.2 \ / 192.168.1.2 fw-2 This is the rule-set for the firewalls: -A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A FORWARD -m state --state RELATED -j ACCEPT -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: " The following steps detail how to check that the expectation support works fine for conntrackd: 1) You have to enable the expectation support in the configuration file with the following option: Sync { ... Options { ExpectationSync { ftp sip h323 } } } This enables expectation synchronization for the FTP, SIP and H.323 helpers. You can alternatively use: Sync { ... Options { ExpectationSync On } } To enable expectation synchronization for all helpers. 2) Make sure you have loaded the FTP helper in both firewalls. root@fw1# modprobe nf_conntrack_ftp root@fw2# modprobe nf_conntrack_ftp 3) Switch to the client. Start one FTP control connection to one server that is protected by the firewalls, enter passive mode: (term-1) user@client$ nc 192.168.1.2 21 220 dummy FTP server USER anonymous 331 Please specify the password. PASS nothing 230 Login successful. PASV 227 Entering Passive Mode (192,168,1,2,163,11). This means that port 163*256+11=41739 will be used for the data traffic. Read this if you are not familiar with the FTP protocol: http://www.freefire.org/articles/ftpexample.php 3) Switch to fw-1 (primary) to check that the expectation is in the internal cache. root@fw1# conntrackd -i exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s] 4) Switch to fw-2 (backup) to check that the expectation has been successfully replicated. root@fw2# conntrackd -e exp proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s] 5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary. 6) Switch to fw-2 (primary) to commit the external cache into the kernel. root@fw2# conntrackd -c exp The logs should display that the commit was successful: root@fw2# tail -100f /var/log/conntrackd.log [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries [Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds 7) Switch to the client. Open a new terminal and connect to the port that has been announced by the server: (term-2) user@client$ nc -vvv 192.168.1.2 41739 (UNKNOWN) [192.168.1.2] 41739 (?) open 8) Switch to term-1 and ask for the file listing: [...] 227 Entering Passive Mode (192,168,1,2,163,11). LIST 9) Switch to term-2, it should display the listing. That means everything has worked fine. You may want to try disabling the expectation support and repeating the steps to check that *it does not work* without the state-synchronization. You can also display expectation statistics by means of: root@fwX# conntrackd -s exp This update requires no changes in the primary-backup.sh script that is used by the HA manager to interact with conntrackd. Thus, we provide a backward compatible command line interface. Regarding the Filter clause and expectations, we use the master conntrack to filter expectation events. The filtering is performed in user-space. No kernel-space filtering support for expectations yet (this support should go in libnetfilter_conntrack at some point). This patch also includes support to disable caching and to allow direct injection of expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10conntrackd: constify ct parameter of ct_filter_* functionsPablo Neira Ayuso
The ct object that is passed as parameter is not modified, make it constant. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10conntrackd: remove cache_data_get_object and replace by direct pointerPablo Neira Ayuso
We now include one pointer to the object in the extra section. This is required to generalize this code for the expectation support. We consume 4-8 bytes extra, but we will not need more changes to support expectations which is a good idea.
2012-01-10conntrackd: simplify cache_get_extra functionPablo Neira Ayuso
This patch simplifies cache_get_extra which now takes only one parameter that is the cache_object. With it, the extra area can be calculated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10conntrackd: generalize local handler actionsPablo Neira Ayuso
This patch prepares the introduction of actions with the expectation table. Mostly renamings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10conntrackd: generalize/cleanup network message building/parsingPablo Neira Ayuso
This patch generalizes the network message building and parsing to prepare the upcoming expectation support. Basically, it renames: - NET_T_STATE_* by NET_T_STATE_CT_*, as I plan to add NET_T_STATE_EXP_* - BUILD_NETMSG by BUILD_NETMSG_FROM_CT, and build_payload by ct2msg. I plan to add exp2msg. - parse_payload by msg2ct, since I plan to add msg2exp. - modify object_status_to_network_type to prepare the support of expectations. - add prefix ct_ to all parsing functions in parse.c, as we will have similar functions to convert messages to expectation objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10conntrackd: generalize external handlers to prepare expectation supportPablo Neira Ayuso
This patch contains cleanups to prepare the expectation support for external handlers. Mostly renamings. I have also updated the file headers to include Vyatta in the copyright statement. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-01-10conntrackd: generalize caching infrastructurePablo Neira Ayuso
This patch generalizes the caching infrastructure to store different object types. This patch is the first in the series to prepare support for the synchronization of expectations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-02-15cache: log if we received a commit request while already one in progressPablo Neira Ayuso
This patch improves the case in which we receive a commit request but we are already performing one. This behaviour is suspicious since the HA manager should not trigger a double master transition. Otherwise, something probably is not configured appropriately. This improves 98756c2608f0879a2322919c7441973216565272 "cache: close commit request if we already have one in progress". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2010-07-05conntrack: add zone supportPablo Neira Ayuso
This patch adds `--zone' to the command line tool. This adds the missing user-space support for Patrick's McHardy iptables CT target. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2010-07-01conntrack: add `--any-nat' to filter any NATted flowPablo Neira Ayuso
This patch adds the --any-nat option that allows to display src-NATted OR dst-NATted flows. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2010-06-22conntrack: put all the commands and options code togetherPablo Neira Ayuso
This patch is a cleanup, it puts all the commands and options code together. This makes easier and less error-prone the task to add new commands and options. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2010-02-17conntrackd: fix `conntrackd -c' if external cache is disabledPablo Neira Ayuso
This patch fixes a hung that occurs if you invoke `conntrackd -c' and you have disabled the external cache. Note that `conntrackd -c' does nothing since there is no entries in the external cache to be committed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2010-02-11conntrackd: add support for TCP window scale factor synchronizationPablo Neira Ayuso
This patch adds a new option TCPWindowTracking that allows not to disable TCP window tracking as it occurs by default. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-12-19conntrackd: add ICMP support for state-synchronizationPablo Neira Ayuso
This patch adds state-synchronization for ICMP. You SHOULD use a Linux kernel >= 2.6.31, otherwise this patch can result in tons of state-updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-10-21conntrackd: add `DisableInternalCache' clausePablo Neira Ayuso
This patch adds the clause `DisableInternalCache' that allows you to bypass the internal cache. This clause can only be used with the notrack synchronization mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-09-23conntrackd: add retention queue for TCP errorsPablo Neira Ayuso
Under stress, the TCP stack may return EAGAIN if there is not space left in the sender buffer. We also enqueue any other error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-09-23conntrackd: fix re-connect with multiple TCP channelsPablo Neira Ayuso
This patch fixes a bug in the TCP support that breaks re-connections of the client side if several TCP channels are used in the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-09-11conntrackd: fix MTU for TCP channelsPablo Neira Ayuso
Use the TCP header size (20 bytes) instead of the UDP header size (8 bytes) to calculate the maximum packet size. Reported-by: Samuel Gauthier <samuel.gauthier@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-09-03conntrackd: net message memory allocation is unsafePablo Neira Ayuso
We cannot assume that we will not write in the net message before we send it, because the memory allocated for the net message (__net) is only reserved in BUILD_NETMSG (because of the { } block in it). This patch marks the buffer as static to avoid this problem. Based on a patch from Samuel Gauthier <samuel.gauthier@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-08-23conntrackd: add support state-replication based on TCPPablo Neira Ayuso
This patch adds support for TCP as protocol to replicate state-changes between two daemons. Note that this only makes sense with the notrack mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-08-21conntrackd: allow to remove file descriptors from setPablo Neira Ayuso
With this patch, we can remove file descriptors dinamically from our own file descriptor pool. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-08-21conntrackd: reduce the number of gettimeofday() syscallsPablo Neira Ayuso
This patch reduces the number of gettimeofday syscalls by caching the current time in a variable at the beginning of the main loop. Based on a suggestion from Vincent Jardin. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-08-19conntrackd: add `DisableExternalCache' clausePablo Neira Ayuso
This patch adds the clause `DisableExternalCache' that allows you to disable the external cache and to directly inject the entries into the kernel conntrack table. As a result, the CPU consumption of conntrackd increases. This clause can only be used with the FT-FW and the notrack synchronization modes, but not with the alarm mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-07-21conntrackd: add support for IPv6 kernel-space filtering via BSFPablo Neira Ayuso
This patch adds the missing support to filter IPv6 from kernel-space by means of the BSF API that libnetfilter_conntrack provides. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-07-21conntrackd: add clause to enable ctnetlink reliable event deliveryPablo Neira Ayuso
This patch adds the NetlinkEventsReliable clause, this is useful to turn on reliable Netlink event delivery. This features requires a Linux kernel >= 2.6.31. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-07-19conntrackd: rework commit not to fork a child processPablo Neira Ayuso
This patch reworks the commit phase to avoid the forking. This is particularly useful in active-active setups in which one node has to commit the external cache while it is receiving new entries to be added in the external cache. This results in really high commit times due to the penalty of the copy-on-write that fork performs. The default number of steps in one run loop is limited to 64 by now. No option to tune this parameter is still available via the configuration file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-07-17conntrackd: add iterators with limited steps in hash and cache typesPablo Neira Ayuso
This patch adds cache_iterate_limit() and hashtable_iterate_limit() that allows to limit the iteration to given a number of states. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-07-17local: add LOCAL_RET_* return values for UNIX sockets callbacksPablo Neira Ayuso
This patch adds the LOCAL_RET_* return values. The return value LOCAL_RET_STOLEN which allows to leave a client socket open while waiting for an operation to finish. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-20conntrackd: add statistics for enospc errors in queuesPablo Neira Ayuso
This patch adds a new statistic field to count the number of enospc errors while adding new nodes to some queue. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-20conntrackd: add `-s queue' to display queue statisticsPablo Neira Ayuso
This patch re-introduces `-s queue' but now it displays generic queue statistics. # conntrackd -s queue active queue objects: 0 queue txqueue: current elements: 0 maximum elements: 2147483647 not enough space errors: 0 queue rsqueue: current elements: 72 maximum elements: 128 not enough space errors: 0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-20conntrackd: add the name field to queuesPablo Neira Ayuso
This patch adds the name field to identify the queue by means of a string. This patch is used by the next one that introduces per-queue statistics. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-20conntrackd: rename `-s queue' option by `-s rsqueue'Pablo Neira Ayuso
This patch renames the statistics option that displays the content of the resend queue which is used by the ftfw mode. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-12build: use TLV format for SCTP/DCCP protocol informationPablo Neira Ayuso
In 400ae54438c4b85126f9fab0ae1dc067823b70f7, we added the SCTP support by means of a structure that was encapsulated in an TLV attribute. However, this structure didn't handle alignment and endianess issues appropriately. Similar problem was introduced in b808645ec71b7cc22cf5106b3d79625d07e6077c along with the DCCP support. This patch moves every field of this structure to independent attributes. I decided not to use nesting to make building and parsing more simple. Using TLV is a good idea, specially for DCCP and SCTP that are under development and that may include new fields and obsolete them in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-11conntrackd: add support to display statistics on existing child processesPablo Neira Ayuso
This patch adds the ability to dump the list of existing child processes. In general, it would be hard to display one since child processes are generally forked for very specific tasks, like commit and flush operations, and they have very limited lifetime. However, this can be handy for debugging problems. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-11conntrackd: use a permanent handler for commit operationsPablo Neira Ayuso
This patch adds a dedicated commit handler since there is a possible race condition that can happen if the child process ends before we have received all the event messages that the commit request has triggered. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-11conntrackd: use a permanent handler for flush operationsPablo Neira Ayuso
In 6f5666a29cb7cbff08ce926ee1edb84a311ff6ee, I moved the flush operation into a child process and to use a disposable handler to perform flush requests. This patch adds a dedicated flush handler since there is a possible race condition that can happen if the child process ends before we have received all the event messages that the flush request has triggered. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-11conntrackd: allow to limit the number of simultaneous child processesPablo Neira Ayuso
This patch allows to limit the number of simultaneous child processes. This is required by the next patch that replaces disposable handlers to commit and flush with permanent handlers. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-10conntrackd: remove unused request nfct handlerPablo Neira Ayuso
This patch is a cleanup, it removes an unused nfct handler. This removal is due to recent commits that has obsolete it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-05-24conntrackd: remove an unused extern declaration in cache.hPablo Neira Ayuso
This patch removes a reminiscent of the lifetime cache feature. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-05-23conntrackd: remove the cache write-through policyPablo Neira Ayuso
This patch removes the cache write-through clause. This feature remained undocumented although some has found it looking at the source code. This feature has remained in the tree for quite some time although it has several limitations. Moreover, it is specifically broken and dangerous for Linux kernels >= 2.6.29 since it generates loops in the synchronization. We do this removal first to prepare the introduction of a feature to bypass the external cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-05-23conntrackd: flush operation use the child process and origin infrastructurePablo Neira Ayuso
With this patch, the flush operation is performed by a child process. Thus, the parent process digests destroy events that ctnetlink reports back and, thanks to the origin infrastructure, we skip the messy implicit synchronization that are triggered by such events. This patch requires a Linux kernel >= 2.6.29 to benefit from this change, otherwise it has no effect. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-05-23conntrackd: detect where the events comes fromPablo Neira Ayuso
Since Linux kernel 2.6.29, ctnetlink reports the changes that have been done using ctnetlink. With this patch, conntrackd can recognize who is the origin of the event messages. For example, this is interesting to avoid a messy implicit bulk send during the commit of entries. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-05-23conntrackd: add child process infrastructurePablo Neira Ayuso
This patch adds a simple infrastructure that allows to account the child processes that have been forked. This also includes a callback handler that can be registered that is called once the child process finishes. We can extended this later to include an alarm to limit the maximum lifetime of a forked child process. This is good to ensure that child processes behave timely. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-04-24sync: add support for DCCP state replicationPablo Neira Ayuso
This patch adds initial support for DCCP state replication. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-04-18sync: add support for SCTP state replicationPablo Neira Ayuso
This patch adds initial support for SCTP state replication. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-04-18conntrack: add GRE supportPablo Neira Ayuso
This patch adds GRE support for the command line tool conntrack. With this patch, we support all protocols available in the kernel. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.
2009-04-14conntrackd: change scheduler and priority via configuration filePablo Neira Ayuso
With this patch, you can change the scheduler policy and priority for conntrackd. Using a RT scheduler policy reduces the chances to hit ENOBUFS in Netlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-04-11conntrack: add DCCP supportPablo Neira Ayuso
This patch adds DCCP support for the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-04-11conntrack: add SCTP supportPablo Neira Ayuso
This patch adds SCTP support to the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>