| Age | Commit message (Collapse) | Author |
|---|
|
conntrack-tools 1.4.2 release
|
|
conntrack-tools 1.4.0 release
|
|
Fix a possible crash if conntrackd sees DCCP, SCTP and ICMPv6 traffic
and the corresponding kernel modules that track this traffic are not
available.
Fixes: http://bugzilla.netfilter.org/show_bug.cgi?id=910
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
- check if ct has label attribute, and at least one label
(bit) is set
- serialize bitmap into array-of-u32, in network byte order
- add code to build new nfct_bitmask object from array-of-u32
Current parse functions don't have length information,
this adds optional parse2() which gets struct netattr pointer.
Attributes that want to use parse2 need to set .maxsize to nonzero
value.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
ExpectationSync requires Linux kernel >= 3.5 to work sanely, document this.
Still, we don't want to crash if someone enables expectation sync with
old Linux kernels (like 2.6.32).
Reported-by: James Gutholm <gutholmj@evergreen.edu>
Tested-by: James Gutholm <gutholmj@evergreen.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
For both conntrack and expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the missing bits to support NAT expectation support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds support for synchronizing the expectation class.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds support to synchronize expectations between
firewalls. This addition aims to re-use as much as possible
of the existing infrastructure for stability reasons. The
expectation support has been tested with the FTP helper.
This extension requires libnetfilter_conntrack 1.0.0.
If this is the first time you're playing with conntrackd,
I *strongly* recommend you to get working setup of conntrackd
without expectation support before as described in the
documentation. Then, enabling expectation support is rather
easy.
To know more about expectations, if you're not familiar with them,
I suggest you to read:
"Netfilter's Connection Tracking System"
http://people.netfilter.org/pablo/docs/login.pdf
Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3
(Berkeley, CA: USENIX Association, 2006, pp40-45.)
In short, expectations allow one Linux firewall to filter multi-flow
traffic like FTP, SIP and H.323.
In my testbed, there are two firewalls in a primary-backup configuration
running keepalived. The use a couple of floating cluster IP address
(192.168.0.100 and 192.168.1.100) that are used by the client. These
firewalls protect one FTP server (192.168.1.2) that will be accessed by
one client.
In ASCII art, it looks like this:
192.168.0.100 192.168.1.100
eth1 eth2
fw-1
/ \ FTP
-- client ------ ------ server --
192.168.0.2 \ / 192.168.1.2
fw-2
This is the rule-set for the firewalls:
-A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "
The following steps detail how to check that the expectation support
works fine for conntrackd:
1) You have to enable the expectation support in the configuration
file with the following option:
Sync {
...
Options {
ExpectationSync {
ftp
sip
h323
}
}
}
This enables expectation synchronization for the FTP, SIP and H.323 helpers.
You can alternatively use:
Sync {
...
Options {
ExpectationSync On
}
}
To enable expectation synchronization for all helpers.
2) Make sure you have loaded the FTP helper in both firewalls.
root@fw1# modprobe nf_conntrack_ftp
root@fw2# modprobe nf_conntrack_ftp
3) Switch to the client. Start one FTP control connection to one
server that is protected by the firewalls, enter passive mode:
(term-1) user@client$ nc 192.168.1.2 21
220 dummy FTP server
USER anonymous
331 Please specify the password.
PASS nothing
230 Login successful.
PASV
227 Entering Passive Mode (192,168,1,2,163,11).
This means that port 163*256+11=41739 will be used for the data
traffic. Read this if you are not familiar with the FTP protocol:
http://www.freefire.org/articles/ftpexample.php
3) Switch to fw-1 (primary) to check that the expectation is in the
internal cache.
root@fw1# conntrackd -i exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s]
4) Switch to fw-2 (backup) to check that the expectation has been successfully
replicated.
root@fw2# conntrackd -e exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]
5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary.
6) Switch to fw-2 (primary) to commit the external cache into the kernel.
root@fw2# conntrackd -c exp
The logs should display that the commit was successful:
root@fw2# tail -100f /var/log/conntrackd.log
[Wed Dec 7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations
[Wed Dec 7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries
[Wed Dec 7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds
7) Switch to the client. Open a new terminal and connect to the port that
has been announced by the server:
(term-2) user@client$ nc -vvv 192.168.1.2 41739
(UNKNOWN) [192.168.1.2] 41739 (?) open
8) Switch to term-1 and ask for the file listing:
[...]
227 Entering Passive Mode (192,168,1,2,163,11).
LIST
9) Switch to term-2, it should display the listing. That means
everything has worked fine.
You may want to try disabling the expectation support and
repeating the steps to check that *it does not work* without
the state-synchronization.
You can also display expectation statistics by means of:
root@fwX# conntrackd -s exp
This update requires no changes in the primary-backup.sh script
that is used by the HA manager to interact with conntrackd. Thus,
we provide a backward compatible command line interface.
Regarding the Filter clause and expectations, we use the master
conntrack to filter expectation events. The filtering is performed
in user-space. No kernel-space filtering support for expectations
yet (this support should go in libnetfilter_conntrack at some
point).
This patch also includes support to disable caching and to allow
direct injection of expectations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch generalizes the network message building and parsing
to prepare the upcoming expectation support.
Basically, it renames:
- NET_T_STATE_* by NET_T_STATE_CT_*, as I plan to add NET_T_STATE_EXP_*
- BUILD_NETMSG by BUILD_NETMSG_FROM_CT, and build_payload by ct2msg.
I plan to add exp2msg.
- parse_payload by msg2ct, since I plan to add msg2exp.
- modify object_status_to_network_type to prepare the support of
expectations.
- add prefix ct_ to all parsing functions in parse.c, as we will have
similar functions to convert messages to expectation objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch fixes several minor nitpicks to support IPv6 failover:
* ICMPv6 type/code/id were missing in synchronization messages.
* The use of '-' as string in the configuration file was not allowed.
* Include example in configuration file under doc/.
Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch move the ports addition to the layer 4 functions, instead
of checking for the port attribute. It also add a function for UDP
otherwise we break support for this protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds a new option TCPWindowTracking that allows not
to disable TCP window tracking as it occurs by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds state-synchronization for ICMP. You SHOULD use a
Linux kernel >= 2.6.31, otherwise this patch can result in tons
of state-updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, we use an indirect call to build the layer 4
information into the synchronization message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
In 400ae54438c4b85126f9fab0ae1dc067823b70f7, we added the SCTP
support by means of a structure that was encapsulated in an
TLV attribute. However, this structure didn't handle alignment
and endianess issues appropriately. Similar problem was
introduced in b808645ec71b7cc22cf5106b3d79625d07e6077c along
with the DCCP support.
This patch moves every field of this structure to independent
attributes. I decided not to use nesting to make building and
parsing more simple.
Using TLV is a good idea, specially for DCCP and SCTP that are
under development and that may include new fields and obsolete
them in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Signed-off-by: Samuel Gauthier <samuel.gauthier@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds initial support for DCCP state replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds initial support for SCTP state replication.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
During the commit phase, the entries in the external cache entries
are inserted in the kernel conntrack table. Currently, we use a
fixed timeout that is specified in the config file. With this patch,
if you don't specify the fixed timeout value via CommitTimeout, the
daemon calculates the real timeout value during the commit phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch simplifies the message format of the replication
messages. As a result, we save four bytes. The netpld header
was introduced in the early protocol design. Today, it does
not have any reason to exist.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
With this patch, NTA_TIMEOUT is not included in the replication
messages anymore. During the fail-over, we set a small timeout
to purge the entries that were not recovered successfully
(however, unsuccessful recovery should not happen ever).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch adds the size of the attribute header (4 bytes) to the
length field of netattr. This fixes a possible invalid memory
access in malformed messages.
This change is included in the set of scheduled changes for 0.9.9
that break backward compatibility.
This patch also removes a memset of 4096 by one to initialize
the headers and the netattr paddings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks the TLV-based protocol to reduce the overhead
in the message building. The idea is to group some attributes
that must be present in a consistent configuration. Putting them
together help us to save some cycles in the message building.
Now, oprofile reports ~15% of samples in the build path instead
of ~25%. CPU consumption for 3000 HTTP GET requests per second
(1000 concurrent with apache benchmark tool) is ~45% in my
testbed, that is ~19% more consumption than with no replication
at all.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
only which is incompatible AFAIK
|
|
has been Max Kellermann and has no issues with relicensing their contributions.
|
|
|
|
o add support for NAT sequence adjustment (requires Linux kernel >= 2.6.25)
o remove TODO file from release tarballs
|
|
use size_t
|
|
use C99 integers (uint32_t instead of u_int32_t)
|
|
o update leftover references to `persistent' and `nack' modes
|
|
o fix missing `-g' and `-n' options in getopt_long control string
o add support for secmark (requires Linux kernel >= 2.6.25)
o add mark and secmark information to the manpage
o cleanup error message
= conntrackd =
o add support for secmark (requires Linux kernel >= 2.6.25)
o add conntrackd (8) manpage
|
|
|
|
- add len field to nethdr
- implement buffered send/recv to batch messages
- stop using netlink format for network messages: use similar TLV-based format
- reduce synchronization messages size up to 60%
- introduce periodic alive messages for sync-nack protocol
- timeslice alarm implementation: remove alarm pthread, remove locking
- simplify debugging functions: use nfct_snprintf instead
- remove major use of libnfnetlink functions: use libnetfilter_conntrack API
- deprecate conntrackd -F, use conntrack -F instead
- major rework of the network infrastructure: much simple, less messy
|
