From f7824f63ae45c4979abe95fd3e7702eacd63bec1 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 5 Feb 2012 21:03:43 +0100 Subject: conntrackd: add support expectation class synchronization This patch adds support for synchronizing the expectation class. Signed-off-by: Pablo Neira Ayuso --- include/network.h | 1 + src/build.c | 2 ++ src/parse.c | 5 +++++ 3 files changed, 8 insertions(+) diff --git a/include/network.h b/include/network.h index ab95499..f3ee9ed 100644 --- a/include/network.h +++ b/include/network.h @@ -269,6 +269,7 @@ enum nta_exp_attr { NTA_EXP_MASK_PORT, /* struct nfct_attr_grp_port */ NTA_EXP_TIMEOUT, /* uint32_t */ NTA_EXP_FLAGS, /* uint32_t */ + NTA_EXP_CLASS, /* uint32_t */ NTA_EXP_MAX }; diff --git a/src/build.c b/src/build.c index 3193884..b845e0b 100644 --- a/src/build.c +++ b/src/build.c @@ -322,4 +322,6 @@ void exp2msg(const struct nf_expect *exp, struct nethdr *n) exp_build_u32(exp, ATTR_EXP_TIMEOUT, n, NTA_EXP_TIMEOUT); exp_build_u32(exp, ATTR_EXP_FLAGS, n, NTA_EXP_FLAGS); + if (nfexp_attr_is_set(exp, ATTR_EXP_CLASS)) + exp_build_u32(exp, ATTR_EXP_CLASS, n, NTA_EXP_CLASS); } diff --git a/src/parse.c b/src/parse.c index 81e9c6b..f1fd628 100644 --- a/src/parse.c +++ b/src/parse.c @@ -341,6 +341,11 @@ static struct exp_parser { .exp_attr = ATTR_EXP_FLAGS, .size = NTA_SIZE(sizeof(uint32_t)), }, + [NTA_EXP_CLASS] = { + .parse = exp_parse_u32, + .exp_attr = ATTR_EXP_CLASS, + .size = NTA_SIZE(sizeof(uint32_t)), + }, }; static void exp_parse_ct_group(void *ct, int attr, void *data) -- cgit v1.2.3 From 8259e6dca13127e51f81ca7e75e419969417597f Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 7 Feb 2012 00:27:51 +0100 Subject: conntrackd: add NAT expectation support This patch adds the missing bits to support NAT expectation support. Signed-off-by: Pablo Neira Ayuso --- include/network.h | 4 ++++ src/build.c | 15 +++++++++++++++ src/parse.c | 23 +++++++++++++++++++++++ 3 files changed, 42 insertions(+) diff --git a/include/network.h b/include/network.h index f3ee9ed..f3b1f8e 100644 --- a/include/network.h +++ b/include/network.h @@ -270,6 +270,10 @@ enum nta_exp_attr { NTA_EXP_TIMEOUT, /* uint32_t */ NTA_EXP_FLAGS, /* uint32_t */ NTA_EXP_CLASS, /* uint32_t */ + NTA_EXP_NAT_IPV4, /* struct nfct_attr_grp_ipv4 */ + NTA_EXP_NAT_PORT, /* struct nfct_attr_grp_port */ + NTA_EXP_NAT_L4PROTO, /* uint8_t */ + NTA_EXP_NAT_DIR, /* uint32_t */ NTA_EXP_MAX }; diff --git a/src/build.c b/src/build.c index b845e0b..c07f429 100644 --- a/src/build.c +++ b/src/build.c @@ -324,4 +324,19 @@ void exp2msg(const struct nf_expect *exp, struct nethdr *n) exp_build_u32(exp, ATTR_EXP_FLAGS, n, NTA_EXP_FLAGS); if (nfexp_attr_is_set(exp, ATTR_EXP_CLASS)) exp_build_u32(exp, ATTR_EXP_CLASS, n, NTA_EXP_CLASS); + + /* include NAT information, if any. */ + ct = nfexp_get_attr(exp, ATTR_EXP_NAT_TUPLE); + if (ct != NULL) { + if (nfct_attr_grp_is_set(ct, ATTR_GRP_ORIG_IPV4)) { + ct_build_group(ct, ATTR_GRP_ORIG_IPV4, n, + NTA_EXP_NAT_IPV4, + sizeof(struct nfct_attr_grp_ipv4)); + } + ct_build_u8(ct, ATTR_L4PROTO, n, NTA_EXP_NAT_L4PROTO); + if (exp_l4proto_fcn[l4proto].build) + exp_l4proto_fcn[l4proto].build(ct, n, NTA_EXP_NAT_PORT); + + exp_build_u32(exp, ATTR_EXP_NAT_DIR, n, NTA_EXP_NAT_DIR); + } } diff --git a/src/parse.c b/src/parse.c index f1fd628..2430001 100644 --- a/src/parse.c +++ b/src/parse.c @@ -346,6 +346,29 @@ static struct exp_parser { .exp_attr = ATTR_EXP_CLASS, .size = NTA_SIZE(sizeof(uint32_t)), }, + [NTA_EXP_NAT_IPV4] = { + .parse = exp_parse_ct_group, + .exp_attr = ATTR_EXP_NAT_TUPLE, + .ct_attr = ATTR_GRP_ORIG_IPV4, + .size = NTA_SIZE(sizeof(struct nfct_attr_grp_ipv4)), + }, + [NTA_EXP_NAT_L4PROTO] = { + .parse = exp_parse_ct_u8, + .exp_attr = ATTR_EXP_NAT_TUPLE, + .ct_attr = ATTR_L4PROTO, + .size = NTA_SIZE(sizeof(uint8_t)), + }, + [NTA_EXP_NAT_PORT] = { + .parse = exp_parse_ct_group, + .exp_attr = ATTR_EXP_NAT_TUPLE, + .ct_attr = ATTR_GRP_ORIG_PORT, + .size = NTA_SIZE(sizeof(struct nfct_attr_grp_port)), + }, + [NTA_EXP_NAT_DIR] = { + .parse = exp_parse_u32, + .exp_attr = ATTR_EXP_NAT_DIR, + .size = NTA_SIZE(sizeof(uint32_t)), + }, }; static void exp_parse_ct_group(void *ct, int attr, void *data) -- cgit v1.2.3 From 721fbbde40ee5ecc966c144be11516839ab86728 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 7 Feb 2012 00:53:10 +0100 Subject: conntrackd: add support to synchronize helper name For both conntrack and expectations. Signed-off-by: Pablo Neira Ayuso --- include/network.h | 2 ++ src/build.c | 18 ++++++++++++++++++ src/parse.c | 37 +++++++++++++++++++++++++++++++++++-- 3 files changed, 55 insertions(+), 2 deletions(-) diff --git a/include/network.h b/include/network.h index f3b1f8e..225ef0e 100644 --- a/include/network.h +++ b/include/network.h @@ -239,6 +239,7 @@ enum nta_attr { NTA_ICMP_ID, /* uint16_t */ NTA_TCP_WSCALE_ORIG, /* uint8_t */ NTA_TCP_WSCALE_REPL, /* uint8_t */ + NTA_HELPER_NAME, /* string (variable length) */ NTA_MAX }; @@ -274,6 +275,7 @@ enum nta_exp_attr { NTA_EXP_NAT_PORT, /* struct nfct_attr_grp_port */ NTA_EXP_NAT_L4PROTO, /* uint8_t */ NTA_EXP_NAT_DIR, /* uint32_t */ + NTA_EXP_HELPER_NAME, /* string (variable length) */ NTA_EXP_MAX }; diff --git a/src/build.c b/src/build.c index c07f429..a2901b1 100644 --- a/src/build.c +++ b/src/build.c @@ -65,6 +65,13 @@ ct_build_u32(const struct nf_conntrack *ct, int a, struct nethdr *n, int b) addattr(n, b, &data, sizeof(uint32_t)); } +static inline void +ct_build_str(const struct nf_conntrack *ct, int a, struct nethdr *n, int b) +{ + const char *data = nfct_get_attr(ct, a); + addattr(n, b, data, strlen(data)+1); +} + static inline void ct_build_group(const struct nf_conntrack *ct, int a, struct nethdr *n, int b, int size) @@ -223,6 +230,9 @@ void ct2msg(const struct nf_conntrack *ct, struct nethdr *n) /* NAT sequence adjustment */ if (nfct_attr_is_set_array(ct, nat_type, 6)) ct_build_natseqadj(ct, n); + + if (nfct_attr_is_set(ct, ATTR_HELPER_NAME)) + ct_build_str(ct, ATTR_HELPER_NAME, n, NTA_HELPER_NAME); } static void @@ -270,6 +280,13 @@ exp_build_u32(const struct nf_expect *exp, int a, struct nethdr *n, int b) addattr(n, b, &data, sizeof(uint32_t)); } +static inline void +exp_build_str(const struct nf_expect *exp, int a, struct nethdr *n, int b) +{ + const char *data = nfexp_get_attr(exp, a); + addattr(n, b, data, strlen(data)+1); +} + void exp2msg(const struct nf_expect *exp, struct nethdr *n) { const struct nf_conntrack *ct = nfexp_get_attr(exp, ATTR_EXP_MASTER); @@ -339,4 +356,5 @@ void exp2msg(const struct nf_expect *exp, struct nethdr *n) exp_build_u32(exp, ATTR_EXP_NAT_DIR, n, NTA_EXP_NAT_DIR); } + exp_build_str(exp, ATTR_EXP_HELPER_NAME, n, NTA_EXP_HELPER_NAME); } diff --git a/src/parse.c b/src/parse.c index 2430001..ceb9e26 100644 --- a/src/parse.c +++ b/src/parse.c @@ -28,6 +28,7 @@ static void ct_parse_u8(struct nf_conntrack *ct, int attr, void *data); static void ct_parse_u16(struct nf_conntrack *ct, int attr, void *data); static void ct_parse_u32(struct nf_conntrack *ct, int attr, void *data); +static void ct_parse_str(struct nf_conntrack *ct, int attr, void *data); static void ct_parse_group(struct nf_conntrack *ct, int attr, void *data); static void ct_parse_nat_seq_adj(struct nf_conntrack *ct, int attr, void *data); @@ -35,6 +36,7 @@ struct ct_parser { void (*parse)(struct nf_conntrack *ct, int attr, void *data); int attr; int size; + int max_size; }; static struct ct_parser h[NTA_MAX] = { @@ -172,6 +174,11 @@ static struct ct_parser h[NTA_MAX] = { .attr = ATTR_TCP_WSCALE_REPL, .size = NTA_SIZE(sizeof(uint8_t)), }, + [NTA_HELPER_NAME] = { + .parse = ct_parse_str, + .attr = ATTR_HELPER_NAME, + .max_size = NFCT_HELPER_NAME_MAX, + }, }; static void @@ -195,6 +202,12 @@ ct_parse_u32(struct nf_conntrack *ct, int attr, void *data) nfct_set_attr_u32(ct, h[attr].attr, ntohl(*value)); } +static void +ct_parse_str(struct nf_conntrack *ct, int attr, void *data) +{ + nfct_set_attr(ct, h[attr].attr, data); +} + static void ct_parse_group(struct nf_conntrack *ct, int attr, void *data) { @@ -236,7 +249,11 @@ int msg2ct(struct nf_conntrack *ct, struct nethdr *net, size_t remain) return -1; if (attr->nta_attr > NTA_MAX) return -1; - if (attr->nta_len != h[attr->nta_attr].size) + if (h[attr->nta_attr].size && + attr->nta_len != h[attr->nta_attr].size) + return -1; + if (h[attr->nta_attr].max_size && + attr->nta_len > h[attr->nta_attr].max_size) return -1; if (h[attr->nta_attr].parse == NULL) { attr = NTA_NEXT(attr, len); @@ -252,12 +269,14 @@ int msg2ct(struct nf_conntrack *ct, struct nethdr *net, size_t remain) static void exp_parse_ct_group(void *ct, int attr, void *data); static void exp_parse_ct_u8(void *ct, int attr, void *data); static void exp_parse_u32(void *exp, int attr, void *data); +static void exp_parse_str(void *exp, int attr, void *data); static struct exp_parser { void (*parse)(void *obj, int attr, void *data); int exp_attr; int ct_attr; int size; + int max_size; } exp_h[NTA_EXP_MAX] = { [NTA_EXP_MASTER_IPV4] = { .parse = exp_parse_ct_group, @@ -369,6 +388,11 @@ static struct exp_parser { .exp_attr = ATTR_EXP_NAT_DIR, .size = NTA_SIZE(sizeof(uint32_t)), }, + [NTA_EXP_HELPER_NAME] = { + .parse = exp_parse_str, + .exp_attr = ATTR_EXP_HELPER_NAME, + .max_size = NFCT_HELPER_NAME_MAX, + }, }; static void exp_parse_ct_group(void *ct, int attr, void *data) @@ -388,6 +412,11 @@ static void exp_parse_u32(void *exp, int attr, void *data) nfexp_set_attr_u32(exp, exp_h[attr].exp_attr, ntohl(*value)); } +static void exp_parse_str(void *exp, int attr, void *data) +{ + nfexp_set_attr(exp, exp_h[attr].exp_attr, data); +} + int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain) { int len; @@ -418,7 +447,11 @@ int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain) goto err; if (attr->nta_attr > NTA_MAX) goto err; - if (attr->nta_len != exp_h[attr->nta_attr].size) + if (exp_h[attr->nta_attr].size && + attr->nta_len != exp_h[attr->nta_attr].size) + goto err; + if (exp_h[attr->nta_attr].max_size && + attr->nta_len > exp_h[attr->nta_attr].max_size) goto err; if (exp_h[attr->nta_attr].parse == NULL) { attr = NTA_NEXT(attr, len); -- cgit v1.2.3 From a07ef78b7f3d6628f889f2f2167fb5e748eb567e Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 5 Feb 2012 21:42:31 +0100 Subject: conntrackd: support expectfn synchronization for expectations Signed-off-by: Pablo Neira Ayuso --- include/network.h | 1 + src/build.c | 2 ++ src/parse.c | 5 +++++ 3 files changed, 8 insertions(+) diff --git a/include/network.h b/include/network.h index 225ef0e..41c35af 100644 --- a/include/network.h +++ b/include/network.h @@ -276,6 +276,7 @@ enum nta_exp_attr { NTA_EXP_NAT_L4PROTO, /* uint8_t */ NTA_EXP_NAT_DIR, /* uint32_t */ NTA_EXP_HELPER_NAME, /* string (variable length) */ + NTA_EXP_FN, /* string (variable length) */ NTA_EXP_MAX }; diff --git a/src/build.c b/src/build.c index a2901b1..7d4ef12 100644 --- a/src/build.c +++ b/src/build.c @@ -357,4 +357,6 @@ void exp2msg(const struct nf_expect *exp, struct nethdr *n) exp_build_u32(exp, ATTR_EXP_NAT_DIR, n, NTA_EXP_NAT_DIR); } exp_build_str(exp, ATTR_EXP_HELPER_NAME, n, NTA_EXP_HELPER_NAME); + if (nfexp_attr_is_set(exp, ATTR_EXP_FN)) + exp_build_str(exp, ATTR_EXP_FN, n, NTA_EXP_FN); } diff --git a/src/parse.c b/src/parse.c index ceb9e26..6695cc8 100644 --- a/src/parse.c +++ b/src/parse.c @@ -393,6 +393,11 @@ static struct exp_parser { .exp_attr = ATTR_EXP_HELPER_NAME, .max_size = NFCT_HELPER_NAME_MAX, }, + [NTA_EXP_FN] = { + .parse = exp_parse_str, + .exp_attr = ATTR_EXP_FN, + .max_size = NFCT_HELPER_NAME_MAX, + }, }; static void exp_parse_ct_group(void *ct, int attr, void *data) -- cgit v1.2.3 From 167eb3e2028561ab2cc0f2b7b6ff9d24c56514f6 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 7 Feb 2012 21:25:48 +0100 Subject: conntrackd: fix parsing of expectation class, helper name and NAT I forgot to modify the body of msg2exp to include the recently committed support for the expectation class, helper name and NAT. This patch fixes the problem. Now in node-1 (primary), it shows: proto=17 src=192.168.11.4 dst=192.168.10.5 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.5 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 31s] And it node-2 (secondary), it shows: proto=17 src=192.168.11.4 dst=192.168.10.5 sport=0 dport=5060 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.10.5 master-dst=192.168.11.4 sport=5060 dport=5060 PERMANENT class=0 helper=sip [active since 180s] This has been tested with the SIP conntrack helper. Signed-off-by: Pablo Neira Ayuso --- src/parse.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/src/parse.c b/src/parse.c index 6695cc8..732bc44 100644 --- a/src/parse.c +++ b/src/parse.c @@ -426,7 +426,7 @@ int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain) { int len; struct netattr *attr; - struct nf_conntrack *master, *expected, *mask; + struct nf_conntrack *master, *expected, *mask, *nat; if (remain < net->len) return -1; @@ -446,6 +446,10 @@ int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain) if (mask == NULL) goto err_mask; + nat = nfct_new(); + if (nat == NULL) + goto err_nat; + while (len > ssizeof(struct netattr)) { ATTR_NETWORK2HOST(attr); if (attr->nta_len > len) @@ -473,8 +477,17 @@ int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain) exp_h[attr->nta_attr].parse(mask, attr->nta_attr, NTA_DATA(attr)); break; + case ATTR_EXP_NAT_TUPLE: + exp_h[attr->nta_attr].parse(nat, attr->nta_attr, + NTA_DATA(attr)); + nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat); + break; case ATTR_EXP_TIMEOUT: case ATTR_EXP_FLAGS: + case ATTR_EXP_CLASS: + case ATTR_EXP_HELPER_NAME: + case ATTR_EXP_NAT_DIR: + case ATTR_EXP_FN: exp_h[attr->nta_attr].parse(exp, attr->nta_attr, NTA_DATA(attr)); break; @@ -495,9 +508,12 @@ int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain) nfct_destroy(mask); nfct_destroy(expected); nfct_destroy(master); + nfct_destroy(nat); return 0; err: + nfct_destroy(nat); +err_nat: nfct_destroy(mask); err_mask: nfct_destroy(expected); -- cgit v1.2.3