• Pablo Neira Ayuso's avatar
    netfilter: add user-space connection tracking helper infrastructure · 12f7a505
    Pablo Neira Ayuso authored
    There are good reasons to supports helpers in user-space instead:
    
    * Rapid connection tracking helper development, as developing code
      in user-space is usually faster.
    
    * Reliability: A buggy helper does not crash the kernel. Moreover,
      we can monitor the helper process and restart it in case of problems.
    
    * Security: Avoid complex string matching and mangling in kernel-space
      running in privileged mode. Going further, we can even think about
      running user-space helpers as a non-root process.
    
    * Extensibility: It allows the development of very specific helpers (most
      likely non-standard proprietary protocols) that are very likely not to be
      accepted for mainline inclusion in the form of kernel-space connection
      tracking helpers.
    
    This patch adds the infrastructure to allow the implementation of
    user-space conntrack helpers by means of the new nfnetlink subsystem
    `nfnetlink_cthelper' and the existing queueing infrastructure
    (nfnetlink_queue).
    
    I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register
    ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into
    two pieces. This change is required not to break NAT sequence
    adjustment and conntrack confirmation for traffic that is enqueued
    to our user-space conntrack helpers.
    
    Basic operation, in a few steps:
    
    1) Register user-space helper by means of `nfct':
    
     nfct helper add ftp inet tcp
    
     [ It must be a valid existing helper supported by conntrack-tools ]
    
    2) Add rules to enable the FTP user-space helper which is
       used to track traffic going to TCP port 21.
    
    For locally generated packets:
    
     iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
    
    For non-locally generated packets:
    
     iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
    
    3) Run the test conntrackd in helper mode (see example files under
       doc/helper/conntrackd.conf
    
     conntrackd
    
    4) Generate FTP traffic going, if everything is OK, then conntrackd
       should create expectations (you can check that with `conntrack':
    
     conntrack -E expect
    
        [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp
    [DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp
    
    This confirms that our test helper is receiving packets including the
    conntrack information, and adding expectations in kernel-space.
    
    The user-space helper can also store its private tracking information
    in the conntrack structure in the kernel via the CTA_HELP_INFO. The
    kernel will consider this a binary blob whose layout is unknown. This
    information will be included in the information that is transfered
    to user-space via glue code that integrates nfnetlink_queue and
    ctnetlink.
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    12f7a505
netfilter_ipv4.h 2.34 KB