linux/net/ipv6
Pablo Neira Ayuso 12f7a50533 netfilter: add user-space connection tracking helper infrastructure
There are good reasons to supports helpers in user-space instead:

* Rapid connection tracking helper development, as developing code
  in user-space is usually faster.

* Reliability: A buggy helper does not crash the kernel. Moreover,
  we can monitor the helper process and restart it in case of problems.

* Security: Avoid complex string matching and mangling in kernel-space
  running in privileged mode. Going further, we can even think about
  running user-space helpers as a non-root process.

* Extensibility: It allows the development of very specific helpers (most
  likely non-standard proprietary protocols) that are very likely not to be
  accepted for mainline inclusion in the form of kernel-space connection
  tracking helpers.

This patch adds the infrastructure to allow the implementation of
user-space conntrack helpers by means of the new nfnetlink subsystem
`nfnetlink_cthelper' and the existing queueing infrastructure
(nfnetlink_queue).

I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register
ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into
two pieces. This change is required not to break NAT sequence
adjustment and conntrack confirmation for traffic that is enqueued
to our user-space conntrack helpers.

Basic operation, in a few steps:

1) Register user-space helper by means of `nfct':

 nfct helper add ftp inet tcp

 [ It must be a valid existing helper supported by conntrack-tools ]

2) Add rules to enable the FTP user-space helper which is
   used to track traffic going to TCP port 21.

For locally generated packets:

 iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp

For non-locally generated packets:

 iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp

3) Run the test conntrackd in helper mode (see example files under
   doc/helper/conntrackd.conf

 conntrackd

4) Generate FTP traffic going, if everything is OK, then conntrackd
   should create expectations (you can check that with `conntrack':

 conntrack -E expect

    [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp
[DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp

This confirms that our test helper is receiving packets including the
conntrack information, and adding expectations in kernel-space.

The user-space helper can also store its private tracking information
in the conntrack structure in the kernel via the CTA_HELP_INFO. The
kernel will consider this a binary blob whose layout is unknown. This
information will be included in the information that is transfered
to user-space via glue code that integrates nfnetlink_queue and
ctnetlink.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-06-16 15:40:02 +02:00
..
netfilter netfilter: add user-space connection tracking helper infrastructure 2012-06-16 15:40:02 +02:00
addrconf_core.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
addrconf.c Merge branch 'delete-tokenring' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2012-05-16 01:02:40 -04:00
addrlabel.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
af_inet6.c ipv6: bool conversions phase1 2012-05-18 02:24:13 -04:00
ah6.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
anycast.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
datagram.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
esp6.c xfrm: take net hdr len into account for esp payload size calculation 2012-05-27 01:08:29 -04:00
exthdrs_core.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
exthdrs.c net: Remove casts to same type 2012-06-04 11:45:11 -04:00
fib6_rules.c net/ipv6/fib6_rules.c: Checkpatch cleanup 2012-04-02 04:33:46 -04:00
icmp.c inet: Create and use rt{,6}_get_peer_create(). 2012-06-08 23:24:18 -07:00
inet6_connection_sock.c tcp: bind() use stronger condition for bind_conflict 2012-04-14 15:28:55 -04:00
inet6_hashtables.c net: Compute protocol sequence numbers and fragment IDs using MD5. 2011-08-06 18:33:19 -07:00
ip6_fib.c inet: Add inetpeer tree roots to the FIB tables. 2012-06-11 02:09:16 -07:00
ip6_flowlabel.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
ip6_input.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
ip6_output.c inet: Create and use rt{,6}_get_peer_create(). 2012-06-08 23:24:18 -07:00
ip6_tunnel.c ipv6: bool conversions phase1 2012-05-18 02:24:13 -04:00
ip6mr.c net: ipv6: Standardize prefixes for message logging 2012-05-16 01:01:03 -04:00
ipcomp6.c net: ipv4 and ipv6: Convert printk(KERN_DEBUG to pr_debug 2012-05-16 01:01:03 -04:00
ipv6_sockglue.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
Kconfig xfrm: make xfrm_algo.c a module 2012-05-15 13:13:34 -04:00
Makefile [IPV6] MROUTE: Support multicast forwarding. 2008-04-05 22:33:38 +09:00
mcast.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
mip6.c ipv6: correct the ipv6 option name - Pad0 to Pad1 2012-05-17 15:49:51 -04:00
ndisc.c inet: Create and use rt{,6}_get_peer_create(). 2012-06-08 23:24:18 -07:00
netfilter.c Merge branch 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2011-11-06 19:44:47 -08:00
proc.c ipv6: fix per device IP snmp counters 2012-01-17 23:56:18 -05:00
protocol.c net: add __rcu annotations to protocol 2010-10-27 11:37:31 -07:00
raw.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
reassembly.c ipv6: use skb coalescing in reassembly 2012-05-19 18:34:57 -04:00
route.c inet: Avoid potential NULL peer dereference. 2012-06-11 04:13:57 -07:00
sit.c net: ipv6: Standardize prefixes for message logging 2012-05-16 01:01:03 -04:00
syncookies.c net: remove ipv6_addr_copy() 2011-11-22 16:43:32 -05:00
sysctl_net_ipv6.c net: Delete all remaining instances of ctl_path 2012-04-20 21:22:30 -04:00
tcp_ipv6.c [PATCH] tcp: Cache inetpeer in timewait socket, and only when necessary. 2012-06-09 14:56:12 -07:00
tunnel6.c net: ipv6: Standardize prefixes for message logging 2012-05-16 01:01:03 -04:00
udp_impl.h net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
udp.c net:ipv6:fixed space issues relating to operators. 2012-05-19 18:34:57 -04:00
udplite.c Merge branch 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2011-11-06 19:44:47 -08:00
xfrm6_input.c netfilter: ipv6: use NFPROTO values for NF_HOOK invocation 2010-03-25 16:00:49 +01:00
xfrm6_mode_beet.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm6_mode_ro.c [IPSEC]: Make x->lastused an unsigned long 2008-01-28 14:53:52 -08:00
xfrm6_mode_transport.c [IPSEC]: Use IPv6 calling convention as the convention for x->mode->output 2007-10-10 16:55:54 -07:00
xfrm6_mode_tunnel.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm6_output.c xfrm6: remove unneeded NULL check in __xfrm6_output() 2012-02-01 02:52:48 -05:00
xfrm6_policy.c inet: Hide route peer accesses behind helpers. 2012-06-11 02:08:47 -07:00
xfrm6_state.c net: remove ipv6_addr_copy() 2011-11-22 16:43:32 -05:00
xfrm6_tunnel.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00