conntrack-tools branch, expect/vyatta, updated. conntrack-tools-1.0.0-16-g0c3365d

Pablo Neira Ayuso netfilter-cvslog-bounces at lists.netfilter.org
Thu Dec 15 00:10:11 CET 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "conntrack-tools".

The branch, expect/vyatta has been updated
  discards  8f2dcf7cd9d37f6f073444fd07c188b6ab12d124 (commit)
       via  0c3365dfdc59f277c4168227d22e24534103b5b5 (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (8f2dcf7cd9d37f6f073444fd07c188b6ab12d124)
            \
             N -- N -- N (0c3365dfdc59f277c4168227d22e24534103b5b5)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0c3365dfdc59f277c4168227d22e24534103b5b5
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 27 13:01:40 2011 +0200

    conntrackd: support for expectation synchronization
    
    This patch adds support to synchronize expectations between
    firewalls. This addition aims to re-use as much as possible
    of the existing infrastructure for stability reasons. The
    expectation support has been tested with the FTP helper.
    
    You require one working copy of libnetfilter_conntrack from the
    git.netfilter.org repository to test this. Otherwise, you will
    run into trouble (a couple of patches to fix issues regarding
    the expectation support were applied during the development of
    this patch, you need them!).
    
    You also require a working setup of conntrackd without expectation
    support to test this, of course.
    
    To know more about expectations, if you're not familiar with them,
    I suggest you read:
    
    "Netfilter's Connection Tracking System"
    http://people.netfilter.org/pablo/docs/login.pdf
    
    Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3
    (Berkeley, CA: USENIX Association, 2006, pp40-45.)
    
    In short, expectations allow one Linux firewall to filter multi-flow
    traffic like FTP, SIP and H.323.
    
    In my testbed, there are two firewalls in a primary-backup configuration
    running keepalived. They use a couple of floating cluster IP addresses
    (192.168.0.100 and 192.168.1.100) that are used by the client. These
    firewalls protect one FTP server (192.168.1.2) that will be accessed by
    one client.
    
    In ASCII art, it looks like this:
    
         192.168.0.100      192.168.1.100
                  eth1      eth2
                       fw-1
                     /      \       FTP
     -- client ------       ------ server --
      192.168.0.2    \      /   192.168.1.2
                       fw-2
    
    This is the rule-set for the firewalls:
    
    -A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100
    
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    
    -A FORWARD -m state --state RELATED -j ACCEPT
    -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT
    -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
    -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
    -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "
    
    The following steps detail how to check that the expectation support
    works fine for conntrackd:
    
    1) You have to enable the expectation support in the configuration
    file with the following option:
    
     Sync {
            ...
            Options {
                    ExpectationSync On
            }
     }
    
    2) Make sure you have loaded the FTP helper in both firewalls.
    
    root at fw1# modprobe nf_conntrack_ftp
    root at fw2# modprobe nf_conntrack_ftp
    
    3) Switch to the client. Start one FTP control connection to one
    server that is protected by the firewalls, enter passive mode:
    
    (term-1) user at client$ nc 192.168.1.2 21
    220 dummy FTP server
    USER anonymous
    331 Please specify the password.
    PASS nothing
    230 Login successful.
    PASV
    227 Entering Passive Mode (192,168,1,2,163,11).
    
    This means that port 163*256+11=41739 will be used for the data
    traffic. Read this if you are not familiar with the FTP protocol:
    http://www.freefire.org/articles/ftpexample.php
    
    4) Switch to fw-1 (primary) to check that the expectation is in the
       internal cache.
    
    root at fw1# conntrackd -i exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s]
    
    5) Switch to fw-2 (backup) to check that the expectation has been successfully
       replicated.
    
    root at fw2# conntrackd -e exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]
    
    6) Make the primary firewall fw-1 fail. Now fw-2 becomes primary.
    
    7) Switch to fw-2 (primary) to commit the external cache into the kernel.
    
    root at fw2# conntrackd -c exp
    
    The logs should display that the commit was successful:
    
    root at fw2# tail -100f /var/log/conntrackd.log
    [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations
    [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries
    [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds
    
    8) Switch to the client. Open a new terminal and connect to the port that
       has been announced by the server:
    
    (term-2) user at client$ nc -vvv 192.168.1.2 41739
    (UNKNOWN) [192.168.1.2] 41739 (?) open
    
    9) Switch to term-1 and ask for the file listing:
    
    [...]
    227 Entering Passive Mode (192,168,1,2,163,11).
    LIST
    
    10) Switch to term-2, it should display the listing. That means
        everything has worked fine.
    
    You may want to try disabling the expectation support and
    repeating the steps to check that *it does not work* without
    the state-synchronization.
    
    Regarding the Filter clause and expectations, we use the master
    conntrack to filter expectation events. The filtering is performed
    in user-space. No kernel-space filtering support for expectations
    yet (this support should go in libnetfilter_conntrack).
    
    This is still work-in-progress, but almost finished.
    
    The only thing that remains to be implemented is the direct
    injection support for expectations.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

Summary of changes:
 src/internal_cache.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
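
The test procedure in the commit message compares, by eye, the PASV reply seen on the client with the expectation printed by "conntrackd -i exp" on fw-1 and "conntrackd -e exp" on fw-2. The script below is an added example (not part of conntrack-tools or of this commit) that automates that check: it computes the data port from the 227 reply (p1*256 + p2), parses the expectation line format exactly as printed in the commit message, verifies that the expected tuple matches the announced host and port with a fully specified port mask and an FTP control connection as master, and confirms that the replicated entry on the backup is identical to the primary's apart from the "[active since ...]" age. The sample reply and expectation lines are constructed from the values in the commit message; the function names are this example's own.

```python
import re

# Constructed sample data modelled on the session in the commit message:
# the server's PASV reply and the expectation line printed by
# "conntrackd -i exp" on fw-1 and "conntrackd -e exp" on fw-2.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,2,163,11)."
PRIMARY_EXP = (
    "proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 "
    "mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 "
    "master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 "
    "[active since 5s]"
)
BACKUP_EXP = PRIMARY_EXP.replace("[active since 5s]", "[active since 8s]")

PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
AGE_RE = re.compile(r"\s*\[active since [^\]]*\]\s*$")


def parse_pasv(reply):
    """Return (host, port) announced by a 227 PASV reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def parse_expectation(line):
    """Parse one conntrackd expectation line into proto/tuple/mask/master.

    The output repeats sport/dport three times (expected tuple, mask,
    master conntrack), so keys are assigned by position: everything up
    to mask-src belongs to the tuple, then the mask, then the master.
    The trailing "[active since Ns]" age is stripped first.
    """
    line = AGE_RE.sub("", line.strip())
    exp = {"proto": None, "tuple": {}, "mask": {}, "master": {}}
    section = "tuple"
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("unexpected token %r" % token)
        if key == "proto":
            exp["proto"] = int(value)
            continue
        if key.startswith("mask-"):
            section, key = "mask", key[len("mask-"):]
        elif key.startswith("master-"):
            section, key = "master", key[len("master-"):]
        if key in ("sport", "dport"):
            value = int(value)
        exp[section][key] = value
    return exp


def check_expectation(exp, pasv_host, pasv_port):
    """Return a list of mismatches between an expectation and a PASV reply.

    An empty list means the helper created exactly the expectation the
    data connection needs: TCP, to the announced host and port, with the
    destination port fully specified in the mask, hanging off an FTP
    control connection (master dport 21).
    """
    problems = []
    t, mask, master = exp["tuple"], exp["mask"], exp["master"]
    if exp["proto"] != 6:
        problems.append("expectation is not TCP")
    if t["dst"] != pasv_host:
        problems.append("expected dst %s, PASV announced %s" % (t["dst"], pasv_host))
    if t["dport"] != pasv_port:
        problems.append("expected dport %d, PASV announced %d" % (t["dport"], pasv_port))
    if mask["dport"] != 0xFFFF:
        problems.append("data port is not fully specified in the mask")
    if master["dport"] != 21:
        problems.append("master conntrack is not an FTP control connection")
    return problems


def expectations_match(primary_line, backup_line):
    """True if primary and backup entries agree on every field except age."""
    return parse_expectation(primary_line) == parse_expectation(backup_line)


if __name__ == "__main__":
    host, port = parse_pasv(PASV_REPLY)
    print("PASV data port:", host, port)
    print("primary problems:", check_expectation(parse_expectation(PRIMARY_EXP), host, port))
    print("backup entry matches primary:", expectations_match(PRIMARY_EXP, BACKUP_EXP))
```

In a real run, feed the script the actual lines captured from the client session and from both firewalls; a non-empty problem list on fw-1 points at the helper or the ruleset, while a mismatch between fw-1 and fw-2 points at the synchronization (the Filter clause, which as noted above applies to the master conntrack in user-space, is the first thing to check).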


hooks/post-receive
-- 
conntrack-tools
