conntrack-tools branch, master, updated. conntrack-tools-1.0.1-11-g414fedd

Pablo Neira Ayuso netfilter-cvslog-bounces at lists.netfilter.org
Tue Jan 10 01:55:13 CET 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "conntrack-tools".

The branch, master has been updated
  discards  81fafa4dfa6d2d321200ceaf16270c6b2310f5f0 (commit)
  discards  1bc31abd16a35f177931b8b8c25a10a6f37ac957 (commit)
  discards  304ebcdec96f544cd2e794afce2bf336bce59e14 (commit)
  discards  c4cf490a096482bc0472154ce1314539913a4007 (commit)
  discards  32187346844faed846fc185eb1a1e287a414fa87 (commit)
  discards  0c76c6e9d40fdd9d24995556187994cd2e4986d9 (commit)
  discards  651922d97e258a5036939738b1e7654bd9edced5 (commit)
  discards  2f04f27be03aa64444348517e2c4e24ddeb99eae (commit)
  discards  42c3135ad981133e6e53e332965231977057ed6b (commit)
  discards  b9af51a42e902f2a3fef527fd70e4e95e957bed7 (commit)
  discards  0190b06320a1f1d98c5cc79b10d3686660b98f0c (commit)
  discards  f7704c53975713af67455fbab29c74134172caff (commit)
       via  414fedd879fdc3cd0a910acd2fd9262251a6bfe7 (commit)
       via  79a777c60cfe02197c135adcc4edb2f63ae9a695 (commit)
       via  eb31a0c3eb9db28e673587d4614662645a10cffa (commit)
       via  2719bd93ad5f589139d8ede0726fa6a2ef2eb321 (commit)
       via  f33b72ca969994384a5db6122f8c85e62cfc46ce (commit)
       via  75a7cd3c722e1abca14fc375bec8ab30c34ab284 (commit)
       via  79ab299bfb20b7fc1982ca90d77d8b908b824fea (commit)
       via  598e465087365db1fa36b67aa53d291e400ec5b1 (commit)
       via  931c0eff309d8c7277ebe6d670fd72d8fbe3c674 (commit)
       via  395ac42f5f1844834698f29032b101c2890b6772 (commit)
       via  65be3d49b0f4350a227dedd70ac17c7c9cf6274e (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (81fafa4dfa6d2d321200ceaf16270c6b2310f5f0)
            \
             N -- N -- N (414fedd879fdc3cd0a910acd2fd9262251a6bfe7)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 414fedd879fdc3cd0a910acd2fd9262251a6bfe7
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sat Jan 7 18:40:48 2012 +0100

    doc: update conntrack-tools manual to detail expectation support
    
    This patch updates the user manual on how to enable the expectation
    support for conntrackd.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 79a777c60cfe02197c135adcc4edb2f63ae9a695
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 19 17:13:25 2011 +0100

    conntrackd: support for expectation synchronization
    
    This patch adds support to synchronize expectations between
    firewalls. This addition aims to re-use as much as possible
    of the existing infrastructure for stability reasons. The
    expectation support has been tested with the FTP helper.
    
    This extension requires libnetfilter_conntrack 1.0.0.
    
    If this is the first time you're playing with conntrackd,
    I *strongly* recommend that you get a working setup of conntrackd
    without expectation support before as described in the
    documentation. Then, enabling expectation support is rather
    easy.
    
    To know more about expectations, if you're not familiar with them,
    I suggest you to read:
    
    "Netfilter's Connection Tracking System"
    http://people.netfilter.org/pablo/docs/login.pdf
    
    Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3
    (Berkeley, CA: USENIX Association, 2006, pp40-45.)
    
    In short, expectations allow one Linux firewall to filter multi-flow
    traffic like FTP, SIP and H.323.
    
    In my testbed, there are two firewalls in a primary-backup configuration
    running keepalived. They use a couple of floating cluster IP addresses
    (192.168.0.100 and 192.168.1.100) that are used by the client. These
    firewalls protect one FTP server (192.168.1.2) that will be accessed by
    one client.
    
    In ASCII art, it looks like this:
    
         192.168.0.100      192.168.1.100
                  eth1      eth2
                       fw-1
                     /      \       FTP
     -- client ------       ------ server --
      192.168.0.2    \      /   192.168.1.2
                       fw-2
    
    This is the rule-set for the firewalls:
    
    -A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100
    
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    
    -A FORWARD -m state --state RELATED -j ACCEPT
    -A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT
    -A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
    -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
    -A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "
    
    The following steps detail how to check that the expectation support
    works fine for conntrackd:
    
    1) You have to enable the expectation support in the configuration
    file with the following option:
    
     Sync {
            ...
            Options {
                    ExpectationSync {
                            ftp
                            sip
                            h323
                    }
            }
     }
    
    This enables expectation synchronization for the FTP, SIP and H.323 helpers.
    You can alternatively use:
    
     Sync {
            ...
            Options {
                    ExpectationSync On
            }
     }
    
    To enable expectation synchronization for all helpers.
    
    2) Make sure you have loaded the FTP helper in both firewalls.
    
    root at fw1# modprobe nf_conntrack_ftp
    root at fw2# modprobe nf_conntrack_ftp
    
    3) Switch to the client. Start one FTP control connection to one
    server that is protected by the firewalls, enter passive mode:
    
    (term-1) user at client$ nc 192.168.1.2 21
    220 dummy FTP server
    USER anonymous
    331 Please specify the password.
    PASS nothing
    230 Login successful.
    PASV
    227 Entering Passive Mode (192,168,1,2,163,11).
    
    This means that port 163*256+11=41739 will be used for the data
    traffic. Read this if you are not familiar with the FTP protocol:
    http://www.freefire.org/articles/ftpexample.php
    
    4) Switch to fw-1 (primary) to check that the expectation is in the
       internal cache.
    
    root at fw1# conntrackd -i exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s]
    
    5) Switch to fw-2 (backup) to check that the expectation has been successfully
       replicated.
    
    root at fw2# conntrackd -e exp
    proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]
    
    6) Make the primary firewall fw-1 fail. Now fw-2 becomes primary.
    
    7) Switch to fw-2 (primary) to commit the external cache into the kernel.
    
    root at fw2# conntrackd -c exp
    
    The logs should display that the commit was successful:
    
    root at fw2# tail -100f /var/log/conntrackd.log
    [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations
    [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries
    [Wed Dec  7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds
    
    8) Switch to the client. Open a new terminal and connect to the port that
       has been announced by the server:
    
    (term-2) user at client$ nc -vvv 192.168.1.2 41739
    (UNKNOWN) [192.168.1.2] 41739 (?) open
    
    9) Switch to term-1 and ask for the file listing:
    
    [...]
    227 Entering Passive Mode (192,168,1,2,163,11).
    LIST
    
    10) Switch to term-2, it should display the listing. That means
        everything has worked fine.
    
    You may want to try disabling the expectation support and
    repeating the steps to check that *it does not work* without
    the state-synchronization.
    
    You can also display expectation statistics by means of:
    root at fwX# conntrackd -s exp
    
    This update requires no changes in the primary-backup.sh script
    that is used by the HA manager to interact with conntrackd. Thus,
    we provide a backward compatible command line interface.
    
    Regarding the Filter clause and expectations, we use the master
    conntrack to filter expectation events. The filtering is performed
    in user-space. No kernel-space filtering support for expectations
    yet (this support should go in libnetfilter_conntrack at some
    point).
    
    This patch also includes support to disable caching and to allow
    direct injection of expectations.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
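
The walkthrough in the commit message above checks expectation replication by eye: read the data port out of the server's 227 reply, then compare the `conntrackd -i exp` line on the primary with the `conntrackd -e exp` line on the backup. The following script automates that comparison. It is an added example and is not part of conntrack-tools; it assumes the expectation dump format shown in the commit message (which repeats `sport`/`dport` once per section: expected tuple, mask and master conntrack) and embeds the PASV reply and both dump lines from the walkthrough as constructed sample input. The function and constant names (`parse_pasv`, `parse_expectation`, `find_expectation`, `check_replication`, `PRIMARY_DUMP`, `BACKUP_DUMP`) are this example's own.

```python
import re

# Constructed sample input, taken from the walkthrough above: the FTP server's
# PASV reply and the expectation dumps of the primary (-i exp) and backup (-e exp).
PASV_REPLY = "227 Entering Passive Mode (192,168,1,2,163,11)."
PRIMARY_DUMP = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s]
"""
BACKUP_DUMP = """\
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]
"""

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) announced in an FTP 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def parse_expectation(line):
    """Parse one line of 'conntrackd -i exp' / 'conntrackd -e exp' output.

    sport/dport occur three times (expected tuple, mask, master conntrack), so the
    parser tracks the current section instead of using one flat dict.  The
    trailing '[active since Ns]' is volatile and is dropped so that dumps taken
    at different times still compare equal.
    """
    exp = {"proto": None, "tuple": {}, "mask": {}, "master": {}}
    section = "tuple"
    for tok in line.split():
        if tok.startswith("["):
            break
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        if key.startswith("mask-"):
            section, key = "mask", key[len("mask-"):]
        elif key.startswith("master-"):
            section, key = "master", key[len("master-"):]
        if key == "proto":
            exp["proto"] = int(val)
        else:
            exp[section][key] = int(val) if val.isdigit() else val
    return exp


def find_expectation(dump, dst_ip, dst_port):
    """Return the parsed expectation whose expected tuple targets dst_ip:dst_port."""
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("proto="):
            continue
        exp = parse_expectation(line)
        t = exp["tuple"]
        if t.get("dst") == dst_ip and t.get("dport") == dst_port:
            return exp
    return None


def check_replication(pasv_reply, primary_dump, backup_dump):
    """Return (ok, reason): the backup's external cache must hold the same
    expectation the primary created for the data port announced in PASV."""
    srv_ip, data_port = parse_pasv(pasv_reply)
    primary = find_expectation(primary_dump, srv_ip, data_port)
    if primary is None:
        return False, "primary has no expectation for %s:%d" % (srv_ip, data_port)
    if primary["master"].get("dport") != 21:
        return False, "expectation is not owned by an FTP control connection"
    backup = find_expectation(backup_dump, srv_ip, data_port)
    if backup is None:
        return False, "backup has no expectation for %s:%d (not replicated)" % (srv_ip, data_port)
    if backup != primary:
        return False, "expectation differs between primary and backup"
    return True, "expectation for %s:%d replicated" % (srv_ip, data_port)


if __name__ == "__main__":
    print(check_replication(PASV_REPLY, PRIMARY_DUMP, BACKUP_DUMP))
    # With ExpectationSync disabled the backup's dump is empty and the check fails:
    print(check_replication(PASV_REPLY, PRIMARY_DUMP, ""))
```

In practice the two dumps would be captured from `conntrackd -i exp` on fw-1 and `conntrackd -e exp` on fw-2 right after the PASV reply, and a `False` result means the data connection will be dropped by the backup's `--state INVALID` rule after failover, which is exactly the failure the "try disabling the expectation support" remark describes.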

commit eb31a0c3eb9db28e673587d4614662645a10cffa
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 19 17:12:41 2011 +0100

    conntrackd: minor cleanup for commit
    
    Cosmetic cleanup for better code readability.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 2719bd93ad5f589139d8ede0726fa6a2ef2eb321
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Dec 14 23:55:47 2011 +0100

    conntrackd: relax checkings in ct_filter_sanity_check
    
    This is required to prepare the expectation support.
    
    The master, expect and mask objects that are part of the
    conntrack object do not have any reply information. This
    allows the expectation support to re-use the existing
    filtering infrastructure.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit f33b72ca969994384a5db6122f8c85e62cfc46ce
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Dec 14 19:51:38 2011 +0100

    conntrackd: constify ct parameter of ct_filter_* functions
    
    The ct object that is passed as parameter is not modified,
    make it constant.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 75a7cd3c722e1abca14fc375bec8ab30c34ab284
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Nov 16 02:10:31 2011 +0100

    conntrackd: remove cache_data_get_object and replace by direct pointer
    
    We now include one pointer to the object in the extra section.
    This is required to generalize this code for the expectation
    support. We consume 4-8 bytes extra, but we will not need more
    changes to support expectations which is a good idea.

commit 79ab299bfb20b7fc1982ca90d77d8b908b824fea
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Jan 4 14:31:41 2012 +0100

    conntrackd: simplify cache_get_extra function
    
    This patch simplifies cache_get_extra which now takes only one
    parameter that is the cache_object. With it, the extra area can be
    calculated.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 598e465087365db1fa36b67aa53d291e400ec5b1
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 27 12:18:34 2011 +0200

    conntrackd: generalize local handler actions
    
    This patch prepares the introduction of actions with the expectation
    table. Mostly renamings.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 931c0eff309d8c7277ebe6d670fd72d8fbe3c674
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Jan 4 14:30:02 2012 +0100

    conntrackd: generalize/cleanup network message building/parsing
    
    This patch generalizes the network message building and parsing
    to prepare the upcoming expectation support.
    
    Basically, it renames:
    
    - NET_T_STATE_* by NET_T_STATE_CT_*, as I plan to add NET_T_STATE_EXP_*
    - BUILD_NETMSG by BUILD_NETMSG_FROM_CT, and build_payload by ct2msg.
      I plan to add exp2msg.
    - parse_payload by msg2ct, since I plan to add msg2exp.
    - modify object_status_to_network_type to prepare the support of
      expectations.
    - add prefix ct_ to all parsing functions in parse.c, as we will have
      similar functions to convert messages to expectation objects.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 395ac42f5f1844834698f29032b101c2890b6772
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 27 12:04:50 2011 +0200

    conntrackd: generalize external handlers to prepare expectation support
    
    This patch contains cleanups to prepare the expectation support for
    external handlers. Mostly renamings.
    
    I have also updated the file headers to include Vyatta in the copyright
    statement.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 65be3d49b0f4350a227dedd70ac17c7c9cf6274e
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Jan 4 14:28:50 2012 +0100

    conntrackd: generalize caching infrastructure
    
    This patch generalizes the caching infrastructure to store different
    object types. This patch is the first in the series to prepare
    support for the synchronization of expectations.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

Summary of changes:


hooks/post-receive
-- 
conntrack-tools
