authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2012-05-15 14:31:35 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2012-08-01 19:20:12 +0200
commit969d93f14fffadb5cae67a7662484c1e064bbff1 (patch)
tree946ae010b4ee006bca59b99fd29b0b1c699c1fb8 /doc/helper/conntrackd.conf
parent5e8f64f46cb1dd71b0a94cb7dad87da00b8c5e32 (diff)
conntrackd: RPC helper added to cthelper
How to use this helper in a few steps: 1) You can enable this helper via: nfct helper add rpc inet tcp nfct helper add rpc inet udp 2) Configure /etc/conntrackd/conntrackd.conf and launch it. 3) You can test this helper locally with the following rule-set: iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -P OUTPUT DROP 4) Configure NFS and export some local directory. Then, mount it with version 3. mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/ You should see permanent expectations created for this. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/helper/conntrackd.conf')
-rw-r--r--doc/helper/conntrackd.conf14
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 711b309..2bf99fa 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -28,6 +28,20 @@ Helper {
ExpectTimeout 300
}
}
+ Type rpc inet tcp {
+ QueueNum 1
+ Policy rpc {
+ ExpectMax 1
+ ExpectTimeout 300
+ }
+ }
+ Type rpc inet udp {
+ QueueNum 2
+ Policy rpc {
+ ExpectMax 1
+ ExpectTimeout 300
+ }
+ }
}
#
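Review bot: The two added `Type rpc` blocks have no comments, so a reader copying this sample cannot tell why the TCP entry uses `QueueNum 1` and the UDP entry `QueueNum 2`. Presumably each helper entry needs a queue number not used by the earlier entries in the `Helper` section, which starts above this hunk; a line such as `# RPC portmapper helper; every Type entry needs its own QueueNum` above the first block would state that. The `Policy rpc` values also deserve a comment, for example `# at most one pending expectation per tracked flow, expiring after 300 seconds`, if that matches how conntrackd reads `ExpectMax` and `ExpectTimeout`. Each expectation lets a RELATED connection through a rule-set like the one in the commit message, so the sample should also say that the helper is meant to be attached only to traffic toward portmappers the administrator trusts.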