From 1de3034f8c4f597cbe4be35b2f84e2848e46e64e Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 5 Mar 2012 23:13:12 +0100 Subject: doc: fix example on how to filter events via iptables CT target You have to use this: iptables -I PREROUTING -t raw -j CT --ctevents assured,destroy instead of: iptables -I PREROUTING -t raw -j CT --ctevents assured Otherwise, conntrackd cache gets full since no destroy events are delivered. Reported-by: Kerin Millar Signed-off-by: Pablo Neira Ayuso --- doc/manual/conntrack-tools.tmpl | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'doc/manual/conntrack-tools.tmpl') diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 4936a76..dbf836d 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -641,10 +641,11 @@ Sync { broken. The following example shows how to only generate the - assured event: + assured and destroy + events: - # iptables -I PREROUTING -t raw -j CT --ctevents assured + # iptables -I PREROUTING -t raw -j CT --ctevents assured,destroy Assured flows -- cgit v1.2.3 From c88266b35ba130e804422ce2fe0da6704d620bd6 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 16 Jun 2012 17:42:28 +0200 Subject: doc: fix documentation on ExpectationSync and H.323 helper The H.323 helper is actually composed of three helpers: ras q.931 h.245 We have to specify those in the configuration file since h.323 is not any known helper itself. Signed-off-by: Pablo Neira Ayuso --- doc/manual/conntrack-tools.tmpl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'doc/manual/conntrack-tools.tmpl') diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index dbf836d..47e6f84 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -689,7 +689,9 @@ Sync { ExpectationSync { ftp sip - h323 + ras # for H.323 + q.931 # for H.323 + h.245 # for H.323 } } } -- cgit v1.2.3 From 3f845636159298fb18b6d6c455066d0344a61bee Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 3 Oct 2012 22:19:25 +0200 Subject: conntrackd: fix crash if ExpectationSync is enabled on old Linux kernels ExpectationSync requires Linux kernel >= 3.5 to work sanely, document this. Still, we don't want to crash if someone enables expectation sync with old Linux kernels (like 2.6.32). Reported-by: James Gutholm Tested-by: James Gutholm Signed-off-by: Pablo Neira Ayuso --- doc/manual/conntrack-tools.tmpl | 7 +++++++ doc/sync/alarm/conntrackd.conf | 3 ++- doc/sync/ftfw/conntrackd.conf | 3 ++- doc/sync/notrack/conntrackd.conf | 3 ++- src/build.c | 3 ++- src/filter.c | 12 +++++++++++- 6 files changed, 26 insertions(+), 5 deletions(-) (limited to 'doc/manual/conntrack-tools.tmpl') diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 47e6f84..63a53e4 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -660,6 +660,13 @@ Sync { Synchronization of expectations + Check your Linux kernel version first + + The synchronization of expectations require a Linux kernel >= 3.5 + to work appropriately. + + + The connection tracking system provides helpers that allows you to filter multi-flow application protocols like FTP, H.323 and SIP among many others. These protocols usually split the control and data traffic in diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index b9520fb..0223745 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -194,7 +194,8 @@ Sync { # Set this option on if you want to enable the synchronization # of expectations. You have to specify the list of helpers that - # you want to enable. Default is off. + # you want to enable. Default is off. This feature requires + # a Linux kernel >= 3.5. # # ExpectationSync { # ftp diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index 53a7d0f..65e7b77 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -217,7 +217,8 @@ Sync { # Set this option on if you want to enable the synchronization # of expectations. You have to specify the list of helpers that - # you want to enable. Default is off. + # you want to enable. Default is off. This feature requires + # a Linux kernel >= 3.5. # # ExpectationSync { # ftp diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 11f022e..3d036fb 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -256,7 +256,8 @@ Sync { # Set this option on if you want to enable the synchronization # of expectations. You have to specify the list of helpers that - # you want to enable. Default is off. + # you want to enable. Default is off. This feature requires + # a Linux kernel >= 3.5. # # ExpectationSync { # ftp diff --git a/src/build.c b/src/build.c index 7d4ef12..e15eb4f 100644 --- a/src/build.c +++ b/src/build.c @@ -356,7 +356,8 @@ void exp2msg(const struct nf_expect *exp, struct nethdr *n) exp_build_u32(exp, ATTR_EXP_NAT_DIR, n, NTA_EXP_NAT_DIR); } - exp_build_str(exp, ATTR_EXP_HELPER_NAME, n, NTA_EXP_HELPER_NAME); + if (nfexp_attr_is_set(exp, ATTR_EXP_HELPER_NAME)) + exp_build_str(exp, ATTR_EXP_HELPER_NAME, n, NTA_EXP_HELPER_NAME); if (nfexp_attr_is_set(exp, ATTR_EXP_FN)) exp_build_str(exp, ATTR_EXP_FN, n, NTA_EXP_FN); } diff --git a/src/filter.c b/src/filter.c index 39dd4ca..02a8078 100644 --- a/src/filter.c +++ b/src/filter.c @@ -473,7 +473,17 @@ int exp_filter_find(struct exp_filter *f, const struct nf_expect *exp) return 1; list_for_each_entry(item, &f->list, head) { - const char *name = nfexp_get_attr(exp, ATTR_EXP_HELPER_NAME); + const char *name; + + if (nfexp_attr_is_set(exp, ATTR_EXP_HELPER_NAME)) + name = nfexp_get_attr(exp, ATTR_EXP_HELPER_NAME); + else { + /* No helper name, this is likely to be a kernel older + * which does not include the helper name, just skip + * this so we don't crash. + */ + return 0; + } /* we allow partial matching to support things like sip-PORT. */ if (strncasecmp(item->helper_name, name, -- cgit v1.2.3 From affe4656f3aeeba4040f9d63efd7719ef0345ae9 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 8 Oct 2012 12:22:28 +0200 Subject: doc: detail user-space helper support This patch adds documentation on how to enable user-space helper support. Signed-off-by: Pablo Neira Ayuso --- doc/manual/conntrack-tools.tmpl | 155 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 150 insertions(+), 5 deletions(-) (limited to 'doc/manual/conntrack-tools.tmpl') diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 63a53e4..f21a4ff 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -19,7 +19,7 @@ - 2008-2011 + 2008-2012 Pablo Neira Ayuso @@ -37,7 +37,7 @@ This document details how to install and configure the conntrack-tools - >= 1.0.0. This document will evolve in the future to cover new features + >= 1.4.0. This document will evolve in the future to cover new features and changes. @@ -827,7 +827,154 @@ Sync { -Troubleshooting + + +User-space helpers + + Check your Linux kernel version first + + The user-space helper infrastructure requires a Linux kernel >= 3.6 + to work appropriately. + + + +Connection tracking helpers allows you to filter multi-flow protocols +that usually separate control and data traffic into different flows. +These protocols usually violate network layering by including layer 3/4 +details, eg. IP address and TCP/UDP ports, in their application protocol +(which resides in layer 7). This is problematic for gateways since they +operate at packet-level, ie. layers 3/4, and therefore they miss this +important information to filter these protocols appropriately. + +Helpers inspect packet content (at layer 7) and create the so-called +expectations. These expectations are added to one internal table +that resides in the gateway. For each new packet arriving to the +gateway, the gateway first looks up for matching expectations. If +there is any, then this flow is accepted since it's been expected. +Note this lookup only occurs for the first packet that is part of one +newly established flow, not for all packets. + +Since 1.4.0, conntrackd provides the infrastructure to develop +helpers in user-space. The main features of the user-space infrastructure +for helpers are: + + + +Rapid connection tracking helper development, as developing code +in user-space is usually faster. + +Reliability: A buggy helper does not crash the kernel. If the helper +fails, ie. the conntrackd crashes, Moreover, we can monitor the helper process +and restart it in case of problems. + +Security: Avoid complex string matching and mangling in +kernel-space running in privileged mode. Going further, we can even think +about running user-space helper as a non-root process. + +It allows the development of very specific helpers for +proprietary protocols that are not standard. This is the case of the SQL*net +helper. Implementing this in kernel-space may be problematic, since +this may not be accepted for ainline inclusion in the Linux kernel. +As an alternative, we can still distribute this support as separate +patches. However, my personal experience is that, given that the +kernel API/ABI is not stable, changes in the interface lead to the +breakage of the patch. This highly increase the overhead in the +maintainance. + + + +Currently, the infrastructure supports the following user-space helpers: + + + +Oracle*TNS, to support its special Redirect message. +NFSv3, mind that version 4 does not require this helper. +FTP (this helper is also available in kernel-space). + + +The following steps describe how to enable the RPC portmapper helper for NFSv3 (this is similar for other helpers): + + +Register user-space helper: + + +nfct helper add rpc inet udp +nfct helper add rpc inet tcp + + +This registers the portmapper helper for both UDP and TCP (NFSv3 traffic goes both over TCP and UDP). + + +Add iptables rule using the CT target: + + +# iptables -I OUTPUT -t raw -p udp --dport 111 -j CT --helper rpc +# iptables -I OUTPUT -t raw -p tcp --dport 111 -j CT --helper rpc + + +With this, packets matching port TCP/UDP/111 are passed to user-space for +inspection. If there is no instance of conntrackd configured to support +user-space helpers, no inspection happens and packets are not sent to +user-space. + +Add configuration to conntrackd.conf: + + +Helper { + Type rpc inet udp { + QueueNum 1 + QueueLen 10240 + Policy rpc { + ExpectMax 1 + ExpectTimeout 300 + } + } + Type rpc inet tcp { + QueueNum 2 + QueueLen 10240 + Policy rpc { + ExpectMax 1 + ExpectTimeout 300 + } + } +} + + +This configures conntrackd to use NFQUEUE queue numbers 1 and 2 to send traffic +for inspection to user-space + + If you have some custom libnetfilter_queue application + + Make sure your queue numbers do not collide with those used in your + conntrackd.conf file. + + + + + + + +Now you can test this (assuming you have some working NFSv3 setup) with: + + +mount -t nfs -onfsvers=3 mynfs.server.info:/srv/cvs /mnt/ + + + + +You should see new expectations being added via: + + +# conntrack -E expect + [NEW] 300 proto=17 src=1.2.3.4 dst=1.2.3.4 sport=0 dport=54834 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=1.2.3.4 master-dst=1.2.3.4 sport=58190 dport=111 PERMANENT class=0 helper=rpc + [NEW] 300 proto=6 src=1.2.3.4 dst=1.2.3.4 sport=0 dport=2049 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=1.2.3.4 master-dst=1.2.3.4 sport=55450 dport=111 PERMANENT class=0 helper=rpc + [NEW] 300 proto=17 src=1.2.3.4 dst=1.2.3.4 sport=0 dport=58031 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=1.2.3.4 master-dst=1.2.3.4 sport=56309 dport=111 PERMANENT class=0 helper=rpc + + + + + +Troubleshooting Problems with conntrackd? The following list of questions should help for troubleshooting: @@ -1033,8 +1180,6 @@ not enough space errors: 0 - - -- cgit v1.2.3 From 92246dcc1fdcf222302a42926e0e95af2c30463e Mon Sep 17 00:00:00 2001 From: Ash Hughes Date: Sat, 8 Mar 2014 21:13:34 +0000 Subject: conntrackd: userspace SSDP helper Here is a patch which adds a userspace conntrack helper for the SSDP protocol. This is based on the code found at: http://marc.info/?t=132945775100001&r=1&w=2 I'm not sure how to get my laptop to play at IPv6, so I've not tested this part, but I've tested the IPv4 section and it works. Signed-off-by: Ash Hughes Signed-off-by: Pablo Neira Ayuso --- doc/helper/conntrackd.conf | 8 +++ doc/manual/conntrack-tools.tmpl | 1 + src/helpers/Makefile.am | 7 ++- src/helpers/ssdp.c | 134 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 149 insertions(+), 1 deletion(-) create mode 100644 src/helpers/ssdp.c (limited to 'doc/manual/conntrack-tools.tmpl') diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf index 358ad10..d2d94a9 100644 --- a/doc/helper/conntrackd.conf +++ b/doc/helper/conntrackd.conf @@ -70,6 +70,14 @@ Helper { ExpectTimeout 300 } } + Type ssdp inet udp { + QueueNum 5 + QueueLen 10240 + Policy ssdp { + ExpectMax 1 + ExpectTimeout 300 + } + } } # diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index f21a4ff..d23dec5 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -890,6 +890,7 @@ maintainance. Oracle*TNS, to support its special Redirect message. NFSv3, mind that version 4 does not require this helper. FTP (this helper is also available in kernel-space). +SSDP. The following steps describe how to enable the RPC portmapper helper for NFSv3 (this is similar for other helpers): diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am index fe28e83..78ef7aa 100644 --- a/src/helpers/Makefile.am +++ b/src/helpers/Makefile.am @@ -6,7 +6,8 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ ct_helper_rpc.la \ ct_helper_tftp.la \ ct_helper_tns.la \ - ct_helper_sane.la + ct_helper_sane.la \ + ct_helper_ssdp.la ct_helper_amanda_la_SOURCES = amanda.c ct_helper_amanda_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @@ -35,3 +36,7 @@ ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) ct_helper_sane_la_SOURCES = sane.c ct_helper_sane_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) ct_helper_sane_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) + +ct_helper_ssdp_la_SOURCES = ssdp.c +ct_helper_ssdp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) +ct_helper_ssdp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) diff --git a/src/helpers/ssdp.c b/src/helpers/ssdp.c new file mode 100644 index 0000000..2713f23 --- /dev/null +++ b/src/helpers/ssdp.c @@ -0,0 +1,134 @@ +/* + * SSDP connection tracking helper + * (SSDP = Simple Service Discovery Protocol) + * For documentation about SSDP see + * http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol + * + * Copyright (C) 2014 Ashley Hughes + * Based on the SSDP conntrack helper (nf_conntrack_ssdp.c), + * :http://marc.info/?t=132945775100001&r=1&w=2 + * (C) 2012 Ian Pilcher + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include "conntrackd.h" +#include "helper.h" +#include "myct.h" +#include "log.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define SSDP_MCAST_ADDR "239.255.255.250" +#define UPNP_MCAST_LL_ADDR "FF02::C" /* link-local */ +#define UPNP_MCAST_SL_ADDR "FF05::C" /* site-local */ + +#define SSDP_M_SEARCH "M-SEARCH" +#define SSDP_M_SEARCH_SIZE (sizeof SSDP_M_SEARCH - 1) + +static int ssdp_helper_cb(struct pkt_buff *pkt, uint32_t protoff, + struct myct *myct, uint32_t ctinfo) +{ + int ret = NF_ACCEPT; + union nfct_attr_grp_addr daddr, saddr, taddr; + struct iphdr *net_hdr = (struct iphdr *)pktb_network_header(pkt); + int good_packet = 0; + struct nf_expect *exp; + u_int16_t port; + unsigned int dataoff; + void *sb_ptr; + + cthelper_get_addr_dst(myct->ct, MYCT_DIR_ORIG, &daddr); + switch (nfct_get_attr_u8(myct->ct, ATTR_L3PROTO)) { + case AF_INET: + inet_pton(AF_INET, SSDP_MCAST_ADDR, &(taddr.ip)); + if (daddr.ip == taddr.ip) + good_packet = 1; + break; + case AF_INET6: + inet_pton(AF_INET6, UPNP_MCAST_LL_ADDR, &(taddr.ip6)); + if (daddr.ip6[0] == taddr.ip6[0] && + daddr.ip6[1] == taddr.ip6[1] && + daddr.ip6[2] == taddr.ip6[2] && + daddr.ip6[3] == taddr.ip6[3]) { + good_packet = 1; + break; + } + inet_pton(AF_INET6, UPNP_MCAST_SL_ADDR, &(taddr.ip6)); + if (daddr.ip6[0] == taddr.ip6[0] && + daddr.ip6[1] == taddr.ip6[1] && + daddr.ip6[2] == taddr.ip6[2] && + daddr.ip6[3] == taddr.ip6[3]) { + good_packet = 1; + break; + } + break; + default: + break; + } + + if (!good_packet) { + pr_debug("ssdp_help: destination address not multicast; ignoring\n"); + return NF_ACCEPT; + } + + /* No data? Ignore */ + dataoff = net_hdr->ihl*4 + sizeof(struct udphdr); + if (dataoff >= pktb_len(pkt)) { + pr_debug("ssdp_help: UDP payload too small for M-SEARCH; ignoring\n"); + return NF_ACCEPT; + } + + sb_ptr = pktb_network_header(pkt) + dataoff; + + if (memcmp(sb_ptr, SSDP_M_SEARCH, SSDP_M_SEARCH_SIZE) != 0) { + pr_debug("ssdp_help: UDP payload does not begin with 'M-SEARCH'; ignoring\n"); + return NF_ACCEPT; + } + + cthelper_get_addr_src(myct->ct, MYCT_DIR_ORIG, &saddr); + cthelper_get_port_src(myct->ct, MYCT_DIR_ORIG, &port); + + exp = nfexp_new(); + if (exp == NULL) + return NF_DROP; + + if (cthelper_expect_init(exp, myct->ct, 0, NULL, &saddr, + IPPROTO_UDP, NULL, &port, + NF_CT_EXPECT_PERMANENT)) { + nfexp_destroy(exp); + return NF_DROP; + } + myct->exp = exp; + + return ret; +} + +static struct ctd_helper ssdp_helper = { + .name = "ssdp", + .l4proto = IPPROTO_UDP, + .priv_data_len = 0, + .cb = ssdp_helper_cb, + .policy = { + [0] = { + .name = "ssdp", + .expect_max = 1, + .expect_timeout = 5 * 60, + }, + }, +}; + +static void __attribute__ ((constructor)) ssdp_init(void) +{ + helper_register(&ssdp_helper); +} -- cgit v1.2.3 From 882bb111285a3a4465995b4af03040a291145d7b Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 21 Aug 2015 19:18:38 +0200 Subject: nfct: update syntax in documentation Since dd73ceecdbe8 ("nfct: Update syntax to specify command before subsystem") the command comes before the object type. Update documentation accordingly. Signed-off-by: Pablo Neira Ayuso --- README.nfct | 6 +++--- doc/helper/conntrackd.conf | 2 +- doc/manual/conntrack-tools.tmpl | 4 ++-- nfct.8 | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) (limited to 'doc/manual/conntrack-tools.tmpl') diff --git a/README.nfct b/README.nfct index 4d8e6cc..89dd328 100644 --- a/README.nfct +++ b/README.nfct @@ -9,11 +9,11 @@ more similar to `ip' and `nftables' tools (in the long run!). The `nfct' command line tool allows you to define custom timeout policies: -# nfct timeout add custom-tcp-policy1 inet tcp established 100 +# nfct add timeout custom-tcp-policy1 inet tcp established 100 You can also retrieve the existing timeout policies with: -# nfct timeout list +# nfct list timeout .tcp-policy = { .l3proto = 2, .l4proto = 6, @@ -39,7 +39,7 @@ Then, you can use the timeout policy with iptables: You can define policies for other protocols as well, eg: -# nfct timeout add custom-udp-policy1 inet udp unreplied 10 replied 20 +# nfct add timeout custom-udp-policy1 inet udp unreplied 10 replied 20 And attach them via iptables: diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf index d2d94a9..5c07509 100644 --- a/doc/helper/conntrackd.conf +++ b/doc/helper/conntrackd.conf @@ -6,7 +6,7 @@ Helper { # Before this, you have to make sure you have registered the `ftp' # user-space helper stub via: # - # nfct helper add ftp inet tcp + # nfct add helper ftp inet tcp # Type ftp inet tcp { # diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index d23dec5..87a792e 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -899,8 +899,8 @@ maintainance. Register user-space helper: -nfct helper add rpc inet udp -nfct helper add rpc inet tcp +nfct add helper rpc inet udp +nfct add helper rpc inet tcp This registers the portmapper helper for both UDP and TCP (NFSv3 traffic goes both over TCP and UDP). diff --git a/nfct.8 b/nfct.8 index 863fe12..336d9cd 100644 --- a/nfct.8 +++ b/nfct.8 @@ -40,7 +40,7 @@ Displays the version information. Displays the help message. .SH EXAMPLE .TP -.B nfct timeout add test-tcp inet tcp established 100 close 10 close_wait 10 +.B nfct add timeout test-tcp inet tcp established 100 close 10 close_wait 10 .TP This creates a timeout policy for tcp using 100 seconds for the ESTABLISHED state, 10 seconds for CLOSE state and 10 seconds for the CLOSE_WAIT state. .TP -- cgit v1.2.3