path: root/src/helpers/Makefile.am
Commit log (each entry: commit message, then author, date; files changed, lines -/+)
* nfct: remove lazy binding  (Pablo Neira Ayuso, 2022-03-09; 1 file, -1/+1)

  Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when daemon starts"), userspace conntrack helpers do not depend on a previous invocation of nfct to set up the userspace helpers. Move helper definitions to nfct-extensions/helper.c since existing deployments might still invoke nfct, even if not required anymore.

  This patch was motivated by the removal of the lazy binding. Phil Sutter says:

  "For security purposes, distributions might want to pass -Wl,-z,now linker flags to all builds, thereby disabling lazy binding globally. In the past, nfct relied upon lazy binding: It uses the helper objects' parsing functions but doesn't provide all symbols the objects use."

  Acked-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Makefile.am: Use ${} instead of @...@  (Phil Sutter, 2019-11-12; 1 file, -2/+2)

  Referencing variables using @...@ means they will be replaced by configure. This is not needed and may cause problems later.

  Suggested-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: Add new SLP helper  (Michal Kubecek, 2019-07-22; 1 file, -0/+5)

  Service Location Protocol (SLP) uses multicast requests for DA (Directory agent) and SA (Service agent) discovery. Replies to these requests are unicast and their source address does not match destination address of the request so that we need a conntrack helper. A kernel helper was submitted back in 2013 but was rejected as userspace helper infrastructure is preferred.

  This adds an SLP helper to conntrackd. As the function of SLP helper is the same as what existing mDNS helper does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c, except for the default timeout and example usage.

  As with mDNS helper, there is no NAT support for the time being as that would probably require kernel side changes and certainly further study (and could possibly work only for source NAT).

  Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: search for RPC headers  (Ash Hughes, 2019-05-30; 1 file, -1/+1)

  Attempts to get RPC headers from libtirpc if they aren't otherwise available.

  Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Link nfct and helper modules with `-z lazy`  (Kevin Cernekee, 2016-09-20; 1 file, -18/+21)

  Some distributions, such as Gentoo and Chrome OS, try to link all programs with `-z now` as a security hardening measure. This breaks nfct, because nfct cannot satisfy all of the helper modules' symbols. Therefore nfct implicitly depends on lazy binding.

  Have autoconf probe the linker to see if `-z lazy` works, and if so, use it to link nfct and the helpers. conntrackd itself is unaffected, and should still work with `-z now`.

  Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
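The failure mode this commit works around, reproduced as an added example (it is not conntrack-tools code and not the project's build system): a plugin shared object references a function that the program loading it never provides, the way the helper objects referenced symbols that conntrackd exports but nfct does not. With glibc, dlopen(RTLD_LAZY) tolerates that as long as the missing function is never called, but RTLD_LAZY is ignored when the executable itself was linked with `-z now` (or LD_BIND_NOW is set), so the load fails at once. The script assumes Linux with glibc and a C compiler reachable as `cc`; the file names, `helper_entry`, and the symbol `conntrackd_only_symbol` are hypothetical names chosen for the example.

```shell
#!/bin/sh
# Added example, not conntrack-tools code. Shows why a program that dlopen()s
# plugins with unresolved references breaks once it is linked with -z now.
# Assumes Linux/glibc and "cc". All names below are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Only glibc honours the lazy/now distinction the way described here, and we
# need a compiler; report and do nothing otherwise.
have_glibc_toolchain() {
    command -v cc >/dev/null 2>&1 && getconf GNU_LIBC_VERSION >/dev/null 2>&1
}

# build_plugin: constructed plugin whose unresolved reference lives in a
# function nobody ever calls (like a helper's parsing path nfct never runs).
# -fplt keeps the call on the PLT so it can be bound lazily; -z lazy mirrors
# what the commit passes for the helper objects.
build_plugin() {
    cat >"$WORK/plugin.c" <<'EOF'
extern int conntrackd_only_symbol(void);   /* hypothetical; provided by nobody here */
int helper_never_called(void) { return conntrackd_only_symbol(); }
int helper_entry(void) { return 42; }
EOF
    cc -shared -fPIC -fplt -Wl,-z,lazy -o "$WORK/plugin.so" "$WORK/plugin.c"
}

# build_host <lazy|now>: constructed host that dlopen()s its argument with
# RTLD_LAZY and calls helper_entry(); linked with the given binding policy.
# Prints the path of the resulting binary.
build_host() {
    cat >"$WORK/host.c" <<'EOF'
#include <dlfcn.h>
#include <stdio.h>
int main(int argc, char **argv)
{
    (void)argc;
    void *h = dlopen(argv[1], RTLD_LAZY);
    if (!h) { fprintf(stderr, "dlopen: %s\n", dlerror()); return 1; }
    int (*entry)(void) = (int (*)(void))dlsym(h, "helper_entry");
    return (entry && entry() == 42) ? 0 : 1;
}
EOF
    cc -Wl,-z,"$1" -o "$WORK/host-$1" "$WORK/host.c" -ldl
    echo "$WORK/host-$1"
}

# load_plugin <command...>: run the host (optionally behind an env prefix)
# against the plugin; print "ok" if dlopen and helper_entry succeed, else "fail".
load_plugin() {
    if "$@" "$WORK/plugin.so"; then echo ok; else echo fail; fi
}

if have_glibc_toolchain; then
    build_plugin
    HOST_LAZY=$(build_host lazy)
    HOST_NOW=$(build_host now)
    echo "host linked -z lazy:              $(load_plugin "$HOST_LAZY")"                   # ok
    echo "host linked -z now:               $(load_plugin "$HOST_NOW")"                    # fail
    echo "host -z lazy with LD_BIND_NOW=1:  $(load_plugin env LD_BIND_NOW=1 "$HOST_LAZY")" # fail
else
    echo "no glibc toolchain found; nothing to demonstrate" >&2
fi
```

The trade-off is the one the commit accepts: `-z now` is what lets full RELRO make the GOT read-only after startup, which is why distributions push it, and a program that must be linked `-z lazy` so its plugins load gives that up for its own binary. The later "nfct: remove lazy binding" commit resolves this properly by removing nfct's dependence on lazy binding instead of keeping the exception.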
* conntrackd: cthelper: Add new mdns helper  (Kevin Cernekee, 2016-09-09; 1 file, -0/+5)

  This allows unicast replies to multicast DNS (mDNS / RFC6762) queries. These queries are often used when a full-featured mDNS service (such as avahi-daemon) is not running, or if an mDNS client does not have permission to bind to port 5353.

  Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: userspace SSDP helper  (Ash Hughes, 2014-03-12; 1 file, -1/+6)

  Here is a patch which adds a userspace conntrack helper for the SSDP protocol. This is based on the code found at:

  http://marc.info/?t=132945775100001&r=1&w=2

  I'm not sure how to get my laptop to play at IPv6, so I've not tested this part, but I've tested the IPv4 section and it works.

  Signed-off-by: Ash Hughes <ashley.hughes@blueyonder.co.uk>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: add amanda helper  (Pablo Neira Ayuso, 2013-10-07; 1 file, -1/+6)

  This patch adds a userspace port of the amanda helper that is currently implemented in the kernel.

  Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* conntrackd: cthelper: add TFTP helper  (Pablo Neira Ayuso, 2013-10-03; 1 file, -0/+5)

  This patch adds a userspace port of the TFTP helper that is currently implemented in the kernel. This includes NAT support.

  It requires a Linux kernel 3.12.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: add SANE helper  (Pablo Neira Ayuso, 2013-10-03; 1 file, -1/+6)

  This patch adds a userspace port of the SANE helper that is currently implemented in the kernel.

  This requires Linux kernel 3.12 to work.
* conntrackd: helpers: add DHCPv6 helper  (Pablo Neira Ayuso, 2013-09-26; 1 file, -1/+6)

  This patch adds support for the DHCPv6 helper.

  1) nfct helper add dhcpv6 inet6 udp
  2) ip6tables -I OUTPUT -t raw -p udp --sport 546 -j CT --helper dhcpv6
  3) run conntrackd

  You should see:

  % conntrack -L exp -f ipv6
  279 proto=17 src=:: dst=ff02::1:2 sport=0 dport=546 mask-src=:: mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=fe80::221:ccff:fe4a:7f9c master-dst=ff02::1:2 sport=546 dport=547 PERMANENT class=0 helper=dhcpv6

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: TNS helper added to cthelper  (Jozsef Kadlecsik, 2012-08-01; 1 file, -1/+6)

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: RPC helper added to cthelper  (Jozsef Kadlecsik, 2012-08-01; 1 file, -2/+5)

  How to use this helper in a few steps:

  1) You can enable this helper via:

     nfct helper add rpc inet tcp
     nfct helper add rpc inet udp

  2) Configure /etc/conntrackd/conntrackd.conf and launch it.

  3) You can test this helper locally with the following rule-set:

     iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc
     iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc
     iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT
     iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT
     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -P OUTPUT DROP

  4) Configure NFS and export some local directory. Then, mount it with version 3.

     mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/

  You should see permanent expectations created for this.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add cthelper infrastructure (+ example FTP helper)  (Pablo Neira Ayuso, 2012-08-01; 1 file, -0/+9)

  This patch adds the user-space helper infrastructure. It also contains the implementation of the FTP helper in user-space.

  There's one example file that you can use to configure conntrackd as user-space connection tracking helper under:

  doc/helper/conntrackd.conf

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>