
Commit 12f7a505 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: add user-space connection tracking helper infrastructure



There are good reasons to support helpers in user-space instead:

* Rapid connection tracking helper development, as developing code
  in user-space is usually faster.

* Reliability: A buggy helper does not crash the kernel. Moreover,
  we can monitor the helper process and restart it in case of problems.

* Security: Avoid complex string matching and mangling in kernel-space
  running in privileged mode. Going further, we can even think about
  running user-space helpers as a non-root process.

* Extensibility: It allows the development of very specific helpers (most
  likely non-standard proprietary protocols) that are very likely not to be
  accepted for mainline inclusion in the form of kernel-space connection
  tracking helpers.

This patch adds the infrastructure to allow the implementation of
user-space conntrack helpers by means of the new nfnetlink subsystem
`nfnetlink_cthelper' and the existing queueing infrastructure
(nfnetlink_queue).

I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register
ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into
two pieces. This change is required not to break NAT sequence
adjustment and conntrack confirmation for traffic that is enqueued
to our user-space conntrack helpers.

Basic operation, in a few steps:

1) Register user-space helper by means of `nfct':

 nfct helper add ftp inet tcp

 [ It must be a valid existing helper supported by conntrack-tools ]

2) Add rules to enable the FTP user-space helper which is
   used to track traffic going to TCP port 21.

For locally generated packets:

 iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp

For non-locally generated packets:

 iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp

3) Run the test conntrackd in helper mode (see example files under
   doc/helper/conntrackd.conf

 conntrackd

4) Generate FTP traffic going, if everything is OK, then conntrackd
   should create expectations (you can check that with `conntrack':

 conntrack -E expect

    [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp
[DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp

This confirms that our test helper is receiving packets including the
conntrack information, and adding expectations in kernel-space.

The user-space helper can also store its private tracking information
in the conntrack structure in the kernel via the CTA_HELP_INFO. The
kernel will consider this a binary blob whose layout is unknown. This
information will be included in the information that is transfered
to user-space via glue code that integrates nfnetlink_queue and
ctnetlink.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent ae243bee
+1 −0
@@ -10,6 +10,7 @@ header-y += nfnetlink.h
header-y += nfnetlink_acct.h
header-y += nfnetlink_compat.h
header-y += nfnetlink_conntrack.h
header-y += nfnetlink_cthelper.h
header-y += nfnetlink_cttimeout.h
header-y += nfnetlink_log.h
header-y += nfnetlink_queue.h
+2 −1
@@ -50,7 +50,8 @@ struct nfgenmsg {
#define NFNL_SUBSYS_IPSET		6
#define NFNL_SUBSYS_ACCT		7
#define NFNL_SUBSYS_CTNETLINK_TIMEOUT	8
#define NFNL_SUBSYS_COUNT		9
#define NFNL_SUBSYS_CTHELPER		9
#define NFNL_SUBSYS_COUNT		10

#ifdef __KERNEL__

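--- /dev/null
+++ b/nfnetlink_cthelper.h
@@ -0,0 +1,55 @@
+#ifndef _NFNL_CTHELPER_H_
+#define _NFNL_CTHELPER_H_
+
+#define NFCT_HELPER_STATUS_DISABLED	0
+#define NFCT_HELPER_STATUS_ENABLED	1
+
+enum nfnl_acct_msg_types {
+	NFNL_MSG_CTHELPER_NEW,
+	NFNL_MSG_CTHELPER_GET,
+	NFNL_MSG_CTHELPER_DEL,
+	NFNL_MSG_CTHELPER_MAX
+};
+
+enum nfnl_cthelper_type {
+	NFCTH_UNSPEC,
+	NFCTH_NAME,
+	NFCTH_TUPLE,
+	NFCTH_QUEUE_NUM,
+	NFCTH_POLICY,
+	NFCTH_PRIV_DATA_LEN,
+	NFCTH_STATUS,
+	__NFCTH_MAX
+};
+#define NFCTH_MAX (__NFCTH_MAX - 1)
+
+enum nfnl_cthelper_policy_type {
+	NFCTH_POLICY_SET_UNSPEC,
+	NFCTH_POLICY_SET_NUM,
+	NFCTH_POLICY_SET,
+	NFCTH_POLICY_SET1	= NFCTH_POLICY_SET,
+	NFCTH_POLICY_SET2,
+	NFCTH_POLICY_SET3,
+	NFCTH_POLICY_SET4,
+	__NFCTH_POLICY_SET_MAX
+};
+#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1)
+
+enum nfnl_cthelper_pol_type {
+	NFCTH_POLICY_UNSPEC,
+	NFCTH_POLICY_NAME,
+	NFCTH_POLICY_EXPECT_MAX,
+	NFCTH_POLICY_EXPECT_TIMEOUT,
+	__NFCTH_POLICY_MAX
+};
+#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1)
+
+enum nfnl_cthelper_tuple_type {
+	NFCTH_TUPLE_UNSPEC,
+	NFCTH_TUPLE_L3PROTONUM,
+	NFCTH_TUPLE_L4PROTONUM,
+	__NFCTH_TUPLE_MAX,
+};
+#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1)
+
+#endif /* _NFNL_CTHELPER_H */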
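Review bot: The message-type enum in this new header is tagged `nfnl_acct_msg_types`, which reads as a copy-paste from the accounting header (nfnetlink_acct.h in the Makefile hunk); if that header declares an enum with the same tag, a user-space program that includes both headers gets a redefinition error, and the tag is misleading in any case. Suggest `enum nfnl_cthelper_msg_types {` to match the `nfnl_cthelper_*` tags used by the other enums in the file. Minor: the closing comment `#endif /* _NFNL_CTHELPER_H */` should read `#endif /* _NFNL_CTHELPER_H_ */` to match the guard macro defined at the top, and the trailing comma after `__NFCTH_TUPLE_MAX` is inconsistent with the other `__*_MAX` sentinels.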
+1 −0
@@ -66,6 +66,7 @@ enum nf_ip_hook_priorities {
	NF_IP_PRI_SECURITY = 50,
	NF_IP_PRI_NAT_SRC = 100,
	NF_IP_PRI_SELINUX_LAST = 225,
	NF_IP_PRI_CONNTRACK_HELPER = 300,
	NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
	NF_IP_PRI_LAST = INT_MAX,
};
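Review bot: The new priority `NF_IP_PRI_CONNTRACK_HELPER = 300,` carries no comment explaining why it is pinned between `NF_IP_PRI_NAT_SRC` and `NF_IP_PRI_CONNTRACK_CONFIRM`; the commit message states that splitting the confirm hook this way is what keeps NAT sequence adjustment and confirmation working for packets queued to user-space helpers, and that reasoning belongs next to the value. Suggest `/* after NAT, before confirm: queued packets must still be seq-adjusted and confirmed */` above the new line. The same applies to `NF_IP6_PRI_CONNTRACK_HELPER = 300,` in the following IPv6 hunk.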
+1 −0
@@ -71,6 +71,7 @@ enum nf_ip6_hook_priorities {
	NF_IP6_PRI_SECURITY = 50,
	NF_IP6_PRI_NAT_SRC = 100,
	NF_IP6_PRI_SELINUX_LAST = 225,
	NF_IP6_PRI_CONNTRACK_HELPER = 300,
	NF_IP6_PRI_LAST = INT_MAX,
};
