conntrackd: support for expectation synchronization

This patch adds support to synchronize expectations between
firewalls. This addition aims to re-use as much as possible
of the existing infrastructure for stability reasons. The
expectation support has been tested with the FTP helper.

This extension requires libnetfilter_conntrack 1.0.0.

If this is the first time you're playing with conntrackd,
I *strongly* recommend you to get working setup of conntrackd
without expectation support before as described in the
documentation. Then, enabling expectation support is rather
easy.

To know more about expectations, if you're not familiar with them,
I suggest you to read:

"Netfilter's Connection Tracking System"
http://people.netfilter.org/pablo/docs/login.pdf

Reprinted from ;login: The Magazine of USENIX, vol. 31, no. 3
(Berkeley, CA: USENIX Association, 2006, pp40-45.)

In short, expectations allow one Linux firewall to filter multi-flow
traffic like FTP, SIP and H.323.

In my testbed, there are two firewalls in a primary-backup configuration
running keepalived. The use a couple of floating cluster IP address
(192.168.0.100 and 192.168.1.100) that are used by the client. These
firewalls protect one FTP server (192.168.1.2) that will be accessed by
one client.

In ASCII art, it looks like this:

     192.168.0.100      192.168.1.100
              eth1      eth2
                   fw-1
                 /      \       FTP
 -- client ------       ------ server --
  192.168.0.2    \      /   192.168.1.2
                   fw-2

This is the rule-set for the firewalls:

-A POSTROUTING -t nat -s 192.168.0.2/32 -d 192.168.1.2/32 -j SNAT --to-source 192.168.1.100

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -i eth2 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "

The following steps detail how to check that the expectation support
works fine for conntrackd:

1) You have to enable the expectation support in the configuration
file with the following option:

 Sync {
        ...
        Options {
                ExpectationSync {
                        ftp
                        sip
                        h323
                }
        }
 }

This enables expectation synchronization for the FTP, SIP and H.323 helpers.
You can alternatively use:

 Sync {
        ...
        Options {
                ExpectationSync On
        }
 }

To enable expectation synchronization for all helpers.

2) Make sure you have loaded the FTP helper in both firewalls.

root@fw1# modprobe nf_conntrack_ftp
root@fw2# modprobe nf_conntrack_ftp

3) Switch to the client. Start one FTP control connection to one
server that is protected by the firewalls, enter passive mode:

(term-1) user@client$ nc 192.168.1.2 21
220 dummy FTP server
USER anonymous
331 Please specify the password.
PASS nothing
230 Login successful.
PASV
227 Entering Passive Mode (192,168,1,2,163,11).

This means that port 163*256+11=41739 will be used for the data
traffic. Read this if you are not familiar with the FTP protocol:
http://www.freefire.org/articles/ftpexample.php

3) Switch to fw-1 (primary) to check that the expectation is in the
   internal cache.

root@fw1# conntrackd -i exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 5s]

4) Switch to fw-2 (backup) to check that the expectation has been successfully
   replicated.

root@fw2# conntrackd -e exp
proto=6 src=192.168.0.2 dst=192.168.1.2 sport=0 dport=41739 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.0.2 master-dst=192.168.1.2 sport=36390 dport=21 [active since 8s]

5) Make the primary firewall fw-1 fail. Now fw-2 becomes primary.

6) Switch to fw-2 (primary) to commit the external cache into the kernel.

root@fw2# conntrackd -c exp

The logs should display that the commit was successful:

root@fw2# tail -100f /var/log/conntrackd.log
[Wed Dec  7 22:16:31 2011] (pid=19195) [notice] committing external cache: expectations
[Wed Dec  7 22:16:31 2011] (pid=19195) [notice] Committed 1 new entries
[Wed Dec  7 22:16:31 2011] (pid=19195) [notice] commit has taken 0.000366 seconds

7) Switch to the client. Open a new terminal and connect to the port that
   has been announced by the server:

(term-2) user@client$ nc -vvv 192.168.1.2 41739
(UNKNOWN) [192.168.1.2] 41739 (?) open

8) Switch to term-1 and ask for the file listing:

[...]
227 Entering Passive Mode (192,168,1,2,163,11).
LIST

9) Switch to term-2, it should display the listing. That means
   everything has worked fine.

You may want to try disabling the expectation support and
repeating the steps to check that *it does not work* without
the state-synchronization.

You can also display expectation statistics by means of:
root@fwX# conntrackd -s exp

This update requires no changes in the primary-backup.sh script
that is used by the HA manager to interact with conntrackd. Thus,
we provide a backward compatible command line interface.

Regarding the Filter clause and expectations, we use the master
conntrack to filter expectation events. The filtering is performed
in user-space. No kernel-space filtering support for expectations
yet (this support should go in libnetfilter_conntrack at some
point).

This patch also includes support to disable caching and to allow
direct injection of expectations.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 49 insertions, 1 deletions

diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 68a83f7..b22784c 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -73,7 +73,7 @@ static void __max_dedicated_links_reached(void);
 %token T_NETLINK_OVERRUN_RESYNC T_NICE T_IPV4_DEST_ADDR T_IPV6_DEST_ADDR
 %token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
 %token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
-%token T_OPTIONS T_TCP_WINDOW_TRACKING
+%token T_OPTIONS T_TCP_WINDOW_TRACKING T_EXPECT_SYNC
 
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -828,6 +828,46 @@ option: T_TCP_WINDOW_TRACKING T_OFF
 	CONFIG(sync).tcp_window_tracking = 0;
 };
 
+option: T_EXPECT_SYNC T_ON
+{
+	CONFIG(flags) |= CTD_EXPECT;
+	CONFIG(netlink).subsys_id = NFNL_SUBSYS_NONE;
+	CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW |
+				 NF_NETLINK_CONNTRACK_UPDATE |
+				 NF_NETLINK_CONNTRACK_DESTROY |
+				 NF_NETLINK_CONNTRACK_EXP_NEW |
+				 NF_NETLINK_CONNTRACK_EXP_UPDATE |
+				 NF_NETLINK_CONNTRACK_EXP_DESTROY;
+};
+
+option: T_EXPECT_SYNC T_OFF
+{
+	CONFIG(netlink).subsys_id = NFNL_SUBSYS_CTNETLINK;
+	CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW |
+				 NF_NETLINK_CONNTRACK_UPDATE |
+				 NF_NETLINK_CONNTRACK_DESTROY;
+};
+
+option: T_EXPECT_SYNC '{' expect_list '}'
+{
+	CONFIG(flags) |= CTD_EXPECT;
+	CONFIG(netlink).subsys_id = NFNL_SUBSYS_NONE;
+	CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW |
+				 NF_NETLINK_CONNTRACK_UPDATE |
+				 NF_NETLINK_CONNTRACK_DESTROY |
+				 NF_NETLINK_CONNTRACK_EXP_NEW |
+				 NF_NETLINK_CONNTRACK_EXP_UPDATE |
+				 NF_NETLINK_CONNTRACK_EXP_DESTROY;
+};
+
+expect_list:
+            | expect_list expect_item ;
+
+expect_item: T_STRING
+{
+	exp_filter_add(STATE(exp_filter), $1);
+}
+
 sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
 {
 	conf.flags |= CTD_SYNC_ALARM;
@@ -1598,6 +1638,7 @@ init_config(char *filename)
 	/* Zero may be a valid facility */
 	CONFIG(syslog_facility) = -1;
 	CONFIG(stats).syslog_facility = -1;
+	CONFIG(netlink).subsys_id = -1;
 
 	yyrestart(fp);
 	yyparse();
@@ -1646,5 +1687,12 @@ init_config(char *filename)
 	if (CONFIG(channelc).error_queue_length == 0)
 		CONFIG(channelc).error_queue_length = 128;
 
+	if (CONFIG(netlink).subsys_id == -1) {
+		CONFIG(netlink).subsys_id = NFNL_SUBSYS_CTNETLINK;
+		CONFIG(netlink).groups = NF_NETLINK_CONNTRACK_NEW |
+					 NF_NETLINK_CONNTRACK_UPDATE |
+					 NF_NETLINK_CONNTRACK_DESTROY;
+	}
+
 	return 0;
 }