
Commit 93557f53 authored by Jiri Olsa, committed by Patrick McHardy

netfilter: nf_conntrack: nf_conntrack snmp helper

Adding support for SNMP broadcast connection tracking. The SNMP
broadcast requests are now paired with the SNMP responses.
This allows SNMP broadcasts to be used with the firewall enabled.

Please refer to the following conversation:
http://marc.info/?l=netfilter-devel&m=125992205006600&w=2



Patrick McHardy wrote:
> > The best solution would be to add generic broadcast tracking, the
> > use of expectations for this is a bit of abuse.
> > The second best choice I guess would be to move the help() function
> > to a shared module and generalize it so it can be used for both.
This patch implements the "second best choice".

Since the netbios-ns conntrack module uses the same helper
functionality as the snmp, only one helper function is added
for both snmp and netbios-ns modules into the new object -
nf_conntrack_broadcast.

Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
parent 94d117a1
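--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_snmp.h
@@ -0,0 +1,9 @@
+#ifndef _NF_CONNTRACK_SNMP_H
+#define _NF_CONNTRACK_SNMP_H
+
+extern int (*nf_nat_snmp_hook)(struct sk_buff *skb,
+				unsigned int protoff,
+				struct nf_conn *ct,
+				enum ip_conntrack_info ctinfo);
+
+#endif /* _NF_CONNTRACK_SNMP_H */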
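Review bot: The new header uses `struct sk_buff`, `struct nf_conn` and `enum ip_conntrack_info` without declaring or including any of them, so it compiles only when the includer happens to pull those in first; add `struct sk_buff;` and `struct nf_conn;` forward declarations and `#include <linux/netfilter/nf_conntrack_common.h>` for the enum above the declaration. The pointer is also published and cleared with `rcu_assign_pointer()` in nf_nat_snmp_basic.c in this same commit, which the declaration does not convey, so a reader of the header has no hint that a plain dereference is wrong. A comment such as `/* RCU-protected: set with rcu_assign_pointer(), read with rcu_dereference() under rcu_read_lock() */` above the declaration would make the access rule explicit at the point callers look.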
+6 −0
@@ -63,4 +63,10 @@ static inline struct nf_conn_help *nfct_help(const struct nf_conn *ct)
extern int nf_conntrack_helper_init(void);
extern void nf_conntrack_helper_fini(void);

extern int nf_conntrack_broadcast_help(struct sk_buff *skb,
				       unsigned int protoff,
				       struct nf_conn *ct,
				       enum ip_conntrack_info ctinfo,
				       unsigned int timeout);

#endif /*_NF_CONNTRACK_HELPER_H*/
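Review bot: The added `nf_conntrack_broadcast_help()` prototype carries no comment, and in particular the unit of its `timeout` parameter (seconds or jiffies) cannot be told from the declaration, which is the one value the netbios-ns and snmp callers must get right. The implementation lives in the new nf_conntrack_broadcast object the commit message describes and is not visible on this page, so the unit should be confirmed against it before documenting. A short block comment above the prototype stating what it returns and the unit of `timeout`, e.g. `/* Shared helper for broadcast-request protocols; the reply expectation lives for @timeout seconds (confirm unit against nf_conntrack_broadcast). */`, would close the gap.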
+2 −1
@@ -206,8 +206,9 @@ config IP_NF_TARGET_REDIRECT

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_NAT
	depends on NF_CONNTRACK_SNMP && NF_NAT
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
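Review bot: The new `default NF_NAT && NF_CONNTRACK_SNMP` line turns NF_NAT_SNMP_BASIC from opt-in into on-by-default whenever both dependencies are set, and neither the commit message nor the help text mentions this. Because it auto-enables an ALG that operates on SNMP payloads in the NAT path, the change deserves a sentence in the help text, which begins at the end of this hunk and continues outside it, e.g. `This option is enabled by default when SNMP connection tracking and NAT are both selected.`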
+5 −4
@@ -54,6 +54,7 @@
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_nat_helper.h>
#include <linux/netfilter/nf_conntrack_snmp.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
@@ -1310,9 +1311,9 @@ static int __init nf_nat_snmp_basic_init(void)
{
	int ret = 0;

	ret = nf_conntrack_helper_register(&snmp_helper);
	if (ret < 0)
		return ret;
	BUG_ON(nf_nat_snmp_hook != NULL);
	rcu_assign_pointer(nf_nat_snmp_hook, help);

	ret = nf_conntrack_helper_register(&snmp_trap_helper);
	if (ret < 0) {
		nf_conntrack_helper_unregister(&snmp_helper);
@@ -1323,7 +1324,7 @@ static int __init nf_nat_snmp_basic_init(void)

static void __exit nf_nat_snmp_basic_fini(void)
{
	nf_conntrack_helper_unregister(&snmp_helper);
	rcu_assign_pointer(nf_nat_snmp_hook, NULL);
	nf_conntrack_helper_unregister(&snmp_trap_helper);
}

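Review bot: In nf_nat_snmp_basic_init() the error path after the `snmp_trap_helper` registration still calls `nf_conntrack_helper_unregister(&snmp_helper)`, yet this hunk removes the registration of `snmp_helper` from the function and replaces it with the `nf_nat_snmp_hook` assignment, so on failure the module unregisters a helper it never registered and leaves the hook pointing at `help` inside a module that is about to be unloaded. That line should become `rcu_assign_pointer(nf_nat_snmp_hook, NULL);`, mirroring what nf_nat_snmp_basic_fini() does in the next hunk. The body of nf_nat_snmp_basic_init() continues past the hunk, so the `return ret` that presumably follows is assumed. In the fini hunk it is also worth confirming that a grace period (`synchronize_rcu()`) separates clearing the hook from the module text being freed, unless the module unload path already guarantees one.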
+19 −0
@@ -185,9 +185,13 @@ config NF_CONNTRACK_IRC

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
@@ -204,6 +208,21 @@ config NF_CONNTRACK_NETBIOS_NS

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This make them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
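Review bot: The NF_CONNTRACK_SNMP help text has a grammar slip, `This make them hard to firewall properly` should read `This makes them hard to firewall properly`; the sentence appears to be copied from the NF_CONNTRACK_NETBIOS_NS entry, whose help text continues outside the first hunk, so check whether the same fix is needed there. The text also describes tracking `locally originating SNMP service requests` in general, while the commit message scopes the helper to broadcast requests; `locally originating SNMP broadcast requests` would match that description.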