conntrack-tools branch, expect/vyatta, updated. conntrack-tools-1.0.0-18-g77427ac

Pablo Neira Ayuso netfilter-cvslog-bounces at lists.netfilter.org
Mon Dec 19 19:02:13 CET 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "conntrack-tools".

The branch, expect/vyatta has been updated
  discards  45057befe21865e8a8f8b3c0e0e89acc33ded415 (commit)
  discards  e79a684dd5b897dd9f7074208d70acaab46138d0 (commit)
  discards  a52fc045a4a1d515b4dba651baf38069aa3459e8 (commit)
  discards  428540aaf1e459aa9f9eb28a7c8a4e5c377beb3d (commit)
  discards  5a04616997d976992b28ebb49d8b42e1751774cd (commit)
  discards  fd6a0bc66cad09188b3c6c0d896f01a028677db0 (commit)
  discards  32e9a9ea7eec097285b13330f24e002b91695b17 (commit)
  discards  706e1567a9db14cfc0aa97d65cf55ee1cf3c5599 (commit)
  discards  624513ac35bc476e8af22245c03c4c1e6d399c9b (commit)
  discards  7205363caff342918eb3bf165a9d0a8c4f42c652 (commit)
  discards  6965380d7df0f5da5153672649b65bed967d2e02 (commit)
       via  77427acd255678d7c6b62cb0aec410c2354920ff (commit)
       via  24af56e743d6c6ea1ec10270a494bb75885df429 (commit)
       via  10373a5fe6c0179e87bac4bdfc12279bcc597233 (commit)
       via  6731ff10ff834ac56d58b6af040b28a327785690 (commit)
       via  f88ed8b2649ecf27e706d3ed7569506364d063a6 (commit)
       via  7c606fe692ba92816cbe2ddbd97d960b885ca939 (commit)
       via  d97d835d7db9f9c0f8577a3660ff29970d2517c1 (commit)
       via  46875ac26121de4cf82080cfe76b637867b02a3e (commit)
       via  420dc2594a8e233483bc9e379ef6b0eee5d13442 (commit)
       via  3af4ab0ec98433c2f027933a9835d7e237c3fcc4 (commit)
       via  6612fe8d073bf292f5dc7f6271c76f714e81d9d1 (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (45057befe21865e8a8f8b3c0e0e89acc33ded415)
            \
             N -- N -- N (77427acd255678d7c6b62cb0aec410c2354920ff)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 77427acd255678d7c6b62cb0aec410c2354920ff
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 19 17:13:25 2011 +0100

    conntrackd: support for expectation synchronization
    
    This patch adds support to synchronize expectations between
    firewalls. This addition aims to re-use as much as possible
    of the existing infrastructure for stability reasons. The
    expectation support has been tested with the FTP helper.
    
    You require one working copy of libnetfilter_conntrack from the
    git.netfilter.org repository to test this. Otherwise, you will
    run into trouble (a couple of patches to fix issues regarding
    the expectation support were applied during the development of
    this patch, you need them!).
    
    You also require a working setup of conntrackd without expectation
    support to test this, of course.
    
    To know more about expectations, if you're not familiar with them,
    I suggest you read:
    
    "Netfilter's Connection Tracking System"
    http://people.netfilter.org/pablo/docs/login.pdf
    
    Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3
    (Berkeley, CA: USENIX Association, 2006, pp. 40-45.)
    
    In short, expectations allow one Linux firewall to filter multi-flow
    traffic like FTP, SIP and H.323.
    
    In my testbed, there are two firewalls in a primary-backup configuration
    running keepalived. They use a couple of floating cluster IP addresses
    (192.168.0.100 and 192.168.1.100) that are used by the client. These
    firewalls protect one FTP server (192.168.1.2) that will be accessed by
    one client.
    
    In ASCII art, it looks like this:
    
         192.168.0.100      192.168.1.100
                  eth1      eth2
                       fw-1
                     /      \       FTP
     -- client ------       ------ server --
      192.168.0.2    \      /   192.168.1.2
                       fw-2
    
    This is the rule-set for the firewalls:
    
    -A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100
    
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    
    -A FORWARD -m state --state RELATED -j ACCEPT
    -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT
    -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
    -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
    -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "
    
    The following steps detail how to check that the expectation support
    works fine for conntrackd:
    
    1) You have to enable the expectation support in the configuration
    file with the following option:
    
     Sync {
            ...
            Options {
                    ExpectationSync On
            }
     }
    
    2) Make sure you have loaded the FTP helper in both firewalls.
    
    root at fw1# modprobe nf_conntrack_ftp
    root at fw2# modprobe nf_conntrack_ftp
    
    3) Switch to the client. Start one FTP control connection to one
    server that is protected by the firewalls, enter passive mode:
    
    (term-1) user at client$ nc 192.168.1.2 21
    220 dummy FTP server
    USER anonymous
    331 Please specify the password.
    PASS nothing
    230 Login successful.
    PASV
    227 Entering Passive Mode (192,168,1,2,163,11).
    
    This means that port 163*256+11=41739 will be used for the data
    traffic. Read this if you are not familiar with the FTP protocol:
    http://www.freefire.org/articles/ftpexample.php
    
    4) Switch to fw-1 (primary) to check that the expectation is in the
       internal cache.
    
    root at fw1# conntrackd -i exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s]
    
    5) Switch to fw-2 (backup) to check that the expectation has been successfully
       replicated.
    
    root at fw2# conntrackd -e exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]
    
    6) Make the primary firewall fw-1 fail. Now fw-2 becomes primary.
    
    7) Switch to fw-2 (primary) to commit the external cache into the kernel.
    
    root at fw2# conntrackd -c exp
    
    The logs should display that the commit was successful:
    
    root at fw2# tail -100f /var/log/conntrackd.log
    [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations
    [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries
    [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds
    
    8) Switch to the client. Open a new terminal and connect to the port that
       has been announced by the server:
    
    (term-2) user at client$ nc -vvv 192.168.1.2 41739
    (UNKNOWN) [192.168.1.2] 41739 (?) open
    
    9) Switch to term-1 and ask for the file listing:
    
    [...]
    227 Entering Passive Mode (192,168,1,2,163,11).
    LIST
    
    10) Switch to term-2, it should display the listing. That means
        everything has worked fine.
    
    You may want to try disabling the expectation support and
    repeating the steps to check that *it does not work* without
    the state-synchronization.
    
    You can also display expectation statistics by means of:
    root at fwX# conntrackd -s exp
    
    This update requires no changes in the primary-backup.sh script
    that is used by the HA manager to interact with conntrackd. Thus,
    we provide a backward compatible command line interface.
    
    Regarding the Filter clause and expectations, we use the master
    conntrack to filter expectation events. The filtering is performed
    in user-space. No kernel-space filtering support for expectations
    yet (this support should go in libnetfilter_conntrack).
    
    This patch also includes support to disable caching and to allow
    direct injection of expectations.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
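As an added example (my own, not code from the commit above or from the conntrack-tools project), the following Python script automates the two manual checks the commit message walks through: deriving the data port from the server's 227 PASV reply, and verifying that the expectation shown by fw-1's internal cache covers that port and is mirrored, apart from its timer, in fw-2's external cache. The PASV reply and the cache lines are constructed from the output quoted above; in a real check they would come from the FTP session and from the output of "conntrackd -i exp" on the primary and "conntrackd -e exp" on the backup.

```python
import re

# Constructed sample data, modelled on the output quoted in the commit message:
# the server's PASV reply and the expectation line as printed by
# "conntrackd -i exp" on fw-1 (internal cache) and "conntrackd -e exp" on fw-2
# (external cache). Only the "active since" timer differs between the two.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,2,163,11)."
INTERNAL_CACHE_LINE = (
    "proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 "
    "mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 "
    "master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 "
    "[active since 5s]"
)
EXTERNAL_CACHE_LINE = INTERNAL_CACHE_LINE.replace("[active since 5s]",
                                                  "[active since 8s]")

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
TIMER_RE = re.compile(r"\s*\[active since (\d+)s\]\s*$")


def parse_pasv(reply):
    """Return (host, port) announced in a 227 PASV reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_expectation(line):
    """Split one conntrackd expectation line into its three tuples.

    The line repeats sport=/dport= for the expected tuple, the mask and the
    master connection, so a flat dict would lose fields. The mask-/master-
    prefixes mark where each tuple starts; the unprefixed keys that follow
    belong to that tuple.
    """
    timer = None
    m = TIMER_RE.search(line)
    if m:
        timer = int(m.group(1))
        line = line[:m.start()]
    expected, mask, master = {}, {}, {}
    section = expected
    for token in line.split():
        key, _, value = token.partition("=")
        if key.startswith("mask-"):
            section, key = mask, key[len("mask-"):]
        elif key.startswith("master-"):
            section, key = master, key[len("master-"):]
        section[key] = value
    proto = int(expected.pop("proto"))
    return {"proto": proto, "expected": expected, "mask": mask,
            "master": master, "active_since": timer}


def expectation_covers_pasv(exp, server_ip, data_port):
    """True if the expectation matches the data connection announced by PASV:
    TCP, exact destination IP and port, any source port (mask sport=0)."""
    e, mask = exp["expected"], exp["mask"]
    return (exp["proto"] == 6
            and e["dst"] == server_ip
            and int(e["dport"]) == data_port
            and mask["dst"] == "255.255.255.255"
            and int(mask["dport"]) == 0xFFFF
            and int(mask["sport"]) == 0)


def replicated(internal_line, external_line):
    """True if the backup's external-cache entry equals the primary's
    internal-cache entry, ignoring the per-host 'active since' timer."""
    a, b = parse_expectation(internal_line), parse_expectation(external_line)
    a.pop("active_since")
    b.pop("active_since")
    return a == b


if __name__ == "__main__":
    host, port = parse_pasv(PASV_REPLY)
    exp = parse_expectation(INTERNAL_CACHE_LINE)
    print("PASV announces %s:%d" % (host, port))
    print("expectation covers it:", expectation_covers_pasv(exp, host, port))
    print("replicated to backup:",
          replicated(INTERNAL_CACHE_LINE, EXTERNAL_CACHE_LINE))
```

The timer is deliberately excluded from the comparison because it is local to each host (5s on fw-1, 8s on fw-2 in the quoted output); everything else, including the master tuple, must be identical or the backup would commit a different expectation after failover.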

commit 24af56e743d6c6ea1ec10270a494bb75885df429
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 19 17:12:41 2011 +0100

    conntrackd: minor cleanup for commit
    
    Cosmetic cleanup for better code readability.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 10373a5fe6c0179e87bac4bdfc12279bcc597233
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Dec 14 23:55:47 2011 +0100

    conntrackd: relax checks in ct_filter_sanity_check
    
    This is required to prepare the expectation support.
    
    The master, expect and mask objects that are part of the
    conntrack object do not have any reply information. This
    allows the expectation support to re-use the existing
    filtering infrastructure.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 6731ff10ff834ac56d58b6af040b28a327785690
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Dec 14 19:51:38 2011 +0100

    conntrackd: constify ct parameter of ct_filter_* functions
    
    The ct object that is passed as parameter is not modified,
    make it constant.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit f88ed8b2649ecf27e706d3ed7569506364d063a6
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Nov 16 02:10:31 2011 +0100

    conntrackd: remove cache_data_get_object and replace by direct pointer
    
    We now include one pointer to the object in the extra section.
    This is required to generalize this code for the expectation
    support. We consume 4-8 bytes extra, but we will not need more
    changes to support expectations, which is a good idea.

commit 7c606fe692ba92816cbe2ddbd97d960b885ca939
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Nov 14 22:48:22 2011 +0100

    conntrackd: simplify cache_get_extra function
    
    This patch simplifies cache_get_extra which now takes only one
    parameter that is the cache_object. With it, the extra area can be
    calculated.

commit d97d835d7db9f9c0f8577a3660ff29970d2517c1
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 27 12:18:34 2011 +0200

    conntrackd: generalize local handler actions
    
    This patch prepares the introduction of actions with the expectation
    table. Mostly renamings.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 46875ac26121de4cf82080cfe76b637867b02a3e
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Oct 26 12:54:13 2011 +0200

    conntrackd: generalize/cleanup network message building/parsing
    
    This patch generalizes the network message building and parsing
    to prepare the upcoming expectation support.
    
    Basically, it renames:
    
    - NET_T_STATE_* by NET_T_STATE_CT_*, as I plan to add NET_T_STATE_EXP_*
    - BUILD_NETMSG by BUILD_NETMSG_FROM_CT, and build_payload by ct2msg.
      I plan to add exp2msg.
    - parse_payload by msg2ct, since I plan to add msg2exp.
    - modify object_status_to_network_type to prepare the support of
      expectations.
    - add prefix ct_ to all parsing functions in parse.c, as we will have
      similar functions to convert messages to expectation objects.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 420dc2594a8e233483bc9e379ef6b0eee5d13442
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 27 12:04:50 2011 +0200

    conntrackd: generalize external handlers to prepare expectation support
    
    This patch contains cleanups to prepare the expectation support for
    external handlers. Mostly renamings.
    
    I have also updated the file headers to include Vyatta in the copyright
    statement.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 3af4ab0ec98433c2f027933a9835d7e237c3fcc4
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Oct 24 12:16:02 2011 +0200

    conntrackd: generalize caching infrastructure
    
    This patch generalizes the caching infrastructure to store different
    object types. This patch is the first in the series to prepare
    support for the synchronization of expectations.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

Summary of changes:
 src/internal_bypass.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)


hooks/post-receive
-- 
conntrack-tools