mirror of
https://github.com/FEX-Emu/linux.git
synced 2024-12-17 22:41:25 +00:00
12f7a50533
There are good reasons to supports helpers in user-space instead: * Rapid connection tracking helper development, as developing code in user-space is usually faster. * Reliability: A buggy helper does not crash the kernel. Moreover, we can monitor the helper process and restart it in case of problems. * Security: Avoid complex string matching and mangling in kernel-space running in privileged mode. Going further, we can even think about running user-space helpers as a non-root process. * Extensibility: It allows the development of very specific helpers (most likely non-standard proprietary protocols) that are very likely not to be accepted for mainline inclusion in the form of kernel-space connection tracking helpers. This patch adds the infrastructure to allow the implementation of user-space conntrack helpers by means of the new nfnetlink subsystem `nfnetlink_cthelper' and the existing queueing infrastructure (nfnetlink_queue). I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into two pieces. This change is required not to break NAT sequence adjustment and conntrack confirmation for traffic that is enqueued to our user-space conntrack helpers. Basic operation, in a few steps: 1) Register user-space helper by means of `nfct': nfct helper add ftp inet tcp [ It must be a valid existing helper supported by conntrack-tools ] 2) Add rules to enable the FTP user-space helper which is used to track traffic going to TCP port 21. For locally generated packets: iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp For non-locally generated packets: iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp 3) Run the test conntrackd in helper mode (see example files under doc/helper/conntrackd.conf conntrackd 4) Generate FTP traffic going, if everything is OK, then conntrackd should create expectations (you can check that with `conntrack': conntrack -E expect [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp [DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp This confirms that our test helper is receiving packets including the conntrack information, and adding expectations in kernel-space. The user-space helper can also store its private tracking information in the conntrack structure in the kernel via the CTA_HELP_INFO. The kernel will consider this a binary blob whose layout is unknown. This information will be included in the information that is transfered to user-space via glue code that integrates nfnetlink_queue and ctnetlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
---|---|---|
.. | ||
arp_tables.c | ||
arpt_mangle.c | ||
arptable_filter.c | ||
ip_tables.c | ||
ipt_ah.c | ||
ipt_CLUSTERIP.c | ||
ipt_ECN.c | ||
ipt_MASQUERADE.c | ||
ipt_NETMAP.c | ||
ipt_REDIRECT.c | ||
ipt_REJECT.c | ||
ipt_rpfilter.c | ||
ipt_ULOG.c | ||
iptable_filter.c | ||
iptable_mangle.c | ||
iptable_raw.c | ||
iptable_security.c | ||
Kconfig | ||
Makefile | ||
nf_conntrack_l3proto_ipv4_compat.c | ||
nf_conntrack_l3proto_ipv4.c | ||
nf_conntrack_proto_icmp.c | ||
nf_defrag_ipv4.c | ||
nf_nat_amanda.c | ||
nf_nat_core.c | ||
nf_nat_ftp.c | ||
nf_nat_h323.c | ||
nf_nat_helper.c | ||
nf_nat_irc.c | ||
nf_nat_pptp.c | ||
nf_nat_proto_common.c | ||
nf_nat_proto_dccp.c | ||
nf_nat_proto_gre.c | ||
nf_nat_proto_icmp.c | ||
nf_nat_proto_sctp.c | ||
nf_nat_proto_tcp.c | ||
nf_nat_proto_udp.c | ||
nf_nat_proto_udplite.c | ||
nf_nat_proto_unknown.c | ||
nf_nat_rule.c | ||
nf_nat_sip.c | ||
nf_nat_snmp_basic.c | ||
nf_nat_standalone.c | ||
nf_nat_tftp.c |