path: root/src/helpers
Commit message | Author | Age | Files | Lines
* Drop pointless assignments | Phil Sutter | 2022-03-28 | 1 file | -1/+0

  These variables are not referred to after assigning within their scope (or until they're overwritten).

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* helpers: ftp: Avoid ugly casts | Phil Sutter | 2022-03-28 | 1 file | -11/+9

  Coverity tool complains about accessing a local variable at non-zero offset. Avoid this by using a helper union. This should silence the checker, although the code is still probably not Big Endian-safe.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* nfct: remove lazy binding | Pablo Neira Ayuso | 2022-03-09 | 5 files | -36/+8

  Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when daemon starts"), userspace conntrack helpers do not depend on a previous invocation of nfct to set up the userspace helpers.

  Move helper definitions to nfct-extensions/helper.c since existing deployments might still invoke nfct, even if not required anymore.

  This patch was motivated by the removal of the lazy binding. Phil Sutter says:

  "For security purposes, distributions might want to pass -Wl,-z,now linker flags to all builds, thereby disabling lazy binding globally. In the past, nfct relied upon lazy binding: It uses the helper objects' parsing functions but doesn't provide all symbols the objects use."

  Acked-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: ssdp: Fix parsing of IPv6 M-SEARCH requests. | Aaron Thompson | 2022-01-09 | 1 file | -6/+2

  Use the already correctly determined transport header offset instead of assuming that the packet is IPv4.

  Signed-off-by: Aaron Thompson <dev@aaront.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
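The mistake this commit fixes, as an added example written for this page rather than taken from the helper: deriving the transport header offset from the IPv4 IHL nibble on an IPv6 packet. The correct version branches on the IP version before locating the UDP payload. The packets are constructed here with zero checksums, and IPv6 extension headers are not handled, which is an assumption of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROTO_UDP 17

/* Offset of the UDP payload within an IP packet. IPv4: header is IHL*4
 * bytes; IPv6: fixed 40-byte header (extension headers not handled, an
 * assumption of this example). Returns (size_t)-1 for a malformed packet
 * or a non-UDP transport. */
size_t udp_payload_offset(const uint8_t *pkt, size_t len)
{
	size_t thoff;
	uint8_t proto;

	if (len < 1)
		return (size_t)-1;
	switch (pkt[0] >> 4) {
	case 4:
		thoff = (pkt[0] & 0x0f) * 4;
		if (thoff < 20 || len < thoff)
			return (size_t)-1;
		proto = pkt[9];
		break;
	case 6:
		thoff = 40;
		if (len < thoff)
			return (size_t)-1;
		proto = pkt[6];	/* next header */
		break;
	default:
		return (size_t)-1;
	}
	if (proto != PROTO_UDP || len < thoff + 8)
		return (size_t)-1;
	return thoff + 8;
}

/* The pre-fix assumption: always read the IPv4 IHL field. On an IPv6
 * packet the low nibble of byte 0 is the top of Traffic Class (0 here),
 * so the "payload" is taken to start 8 bytes into the IPv6 header. */
size_t udp_payload_offset_ipv4_only(const uint8_t *pkt, size_t len)
{
	size_t thoff = (pkt[0] & 0x0f) * 4;

	return len >= thoff + 8 ? thoff + 8 : (size_t)-1;
}

/* Does the payload at off start with an SSDP M-SEARCH request line? */
int is_msearch(const uint8_t *pkt, size_t len, size_t off)
{
	static const char req[] = "M-SEARCH * HTTP/1.1\r\n";

	if (off == (size_t)-1 || len < off + sizeof(req) - 1)
		return 0;
	return memcmp(pkt + off, req, sizeof(req) - 1) == 0;
}

/* Build a constructed UDP/1900 packet (no checksums) for the example. */
size_t make_ssdp_packet(int family, uint8_t *buf, size_t cap, const char *payload)
{
	size_t plen = strlen(payload), hdr = family == 6 ? 40 : 20;

	if (cap < hdr + 8 + plen)
		return 0;
	memset(buf, 0, hdr + 8);
	if (family == 6) {
		buf[0] = 0x60;				/* version 6, tclass 0 */
		buf[4] = (8 + plen) >> 8;		/* payload length */
		buf[5] = (8 + plen) & 0xff;
		buf[6] = PROTO_UDP;
		buf[7] = 1;				/* hop limit */
		buf[24] = 0xff; buf[25] = 0x02; buf[39] = 0x0c;	/* dst ff02::c */
	} else {
		buf[0] = 0x45;				/* version 4, IHL 5 */
		buf[2] = (28 + plen) >> 8;		/* total length */
		buf[3] = (28 + plen) & 0xff;
		buf[8] = 1;				/* TTL */
		buf[9] = PROTO_UDP;
		buf[16] = 239; buf[17] = 255; buf[18] = 255; buf[19] = 250;
	}
	buf[hdr + 2] = 1900 >> 8; buf[hdr + 3] = 1900 & 0xff;	/* dst port */
	buf[hdr + 4] = (8 + plen) >> 8; buf[hdr + 5] = (8 + plen) & 0xff;
	memcpy(buf + hdr + 8, payload, plen);
	return hdr + 8 + plen;
}
```

On the IPv6 packet the IPv4-only variant returns offset 8, which lands inside the source address, so the M-SEARCH line is never found and no expectation gets created; the version-aware variant returns 48.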
* src: conntrackd: add #include <linux/netfilter/nfnetlink_queue.h> | Pablo Neira Ayuso | 2021-09-20 | 9 files | -0/+9

  This fixes this warning:

  #warning "libnetfilter_queue/linux_nfnetlink_queue.h is deprecated, add #include <linux/netfilter/nfnetlink_queue.h> to your source code before #include <libnetfilter_queue/libnetfilter_queue.h>

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* helpers: Fix for warning when compiling against libtirpc | Phil Sutter | 2019-11-12 | 1 file | -3/+4

  Fix for the following warning:

  In file included from rpc.c:29:
  /usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration
    214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *);
        |                                                    ^~~~~~~

  Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(), therefore rename the local version.

  Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Makefile.am: Use ${} instead of @...@ | Phil Sutter | 2019-11-12 | 1 file | -2/+2

  Referencing to variables using @...@ means they will be replaced by configure. This is not needed and may cause problems later.

  Suggested-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: Add new SLP helper | Michal Kubecek | 2019-07-22 | 2 files | -0/+92

  Service Location Protocol (SLP) uses multicast requests for DA (Directory agent) and SA (Service agent) discovery. Replies to these requests are unicast and their source address does not match destination address of the request so that we need a conntrack helper. A kernel helper was submitted back in 2013 but was rejected as userspace helper infrastructure is preferred.

  This adds an SLP helper to conntrackd. As the function of SLP helper is the same as what existing mDNS helper does, src/helpers/slp.c is essentially just a copy of src/helpers/mdns.c, except for the default timeout and example usage.

  As with mDNS helper, there is no NAT support for the time being as that would probably require kernel side changes and certainly further study (and could possibly work only for source NAT).

  Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: search for RPC headers | Ash Hughes | 2019-05-30 | 1 file | -1/+1

  Attempts to get RPC headers from libtirpc if they aren't otherwise available.

  Signed-off-by: Ash Hughes <sehguh.hsa@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: helpers: dhcpv6: Fix potential array overrun | Phil Sutter | 2019-02-12 | 1 file | -1/+1

  The value dhcpv6_msg_type points at is used as index to dhcpv6_timeouts array, so upper boundary check has to treat a value of ARRAY_SIZE(dhcpv6_timeouts) as invalid.

  Fixes: 36118bfc4901b ("conntrackd: helpers: add DHCPv6 helper")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
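The off-by-one this commit describes, as an added example (not conntrackd's own code): a table index equal to ARRAY_SIZE() has to be rejected, because the last valid index is ARRAY_SIZE() - 1, and an attacker controls the message-type byte. The timeout table and its values are assumed for illustration; the only protocol fact used is that the message type is the first byte of the DHCPv6 payload (RFC 3315).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Illustrative timeouts (seconds) indexed by DHCPv6 message type
 * (RFC 3315: 1 = SOLICIT ... 13 = RELAY-REPL). Values are assumptions
 * for this example, not conntrackd's table. Index 0 is not a type. */
static const unsigned int dhcpv6_timeouts[] = {
	[0] = 0,
	[1] = 60, [2] = 60, [3] = 60, [4] = 60, [5] = 60, [6] = 60,
	[7] = 60, [8] = 30, [9] = 30, [10] = 30, [11] = 60,
	[12] = 60, [13] = 60,
};

/* Check as described for the pre-fix helper: a type equal to ARRAY_SIZE()
 * passes, so the lookup reads one element past the end of the table. */
int dhcpv6_type_ok_before_fix(uint8_t type)
{
	return (size_t)type <= ARRAY_SIZE(dhcpv6_timeouts);
}

/* Fixed check: the largest valid index is ARRAY_SIZE() - 1. */
int dhcpv6_type_ok_fixed(uint8_t type)
{
	return type != 0 && (size_t)type < ARRAY_SIZE(dhcpv6_timeouts);
}

/* The message type is the first byte of the DHCPv6 UDP payload, followed
 * by a 3-byte transaction id. Returns the timeout, or -1 for a short
 * packet or a type without a table entry. */
int dhcpv6_msg_timeout(const uint8_t *payload, size_t len)
{
	if (len < 4)
		return -1;
	if (!dhcpv6_type_ok_fixed(payload[0]))
		return -1;
	return (int)dhcpv6_timeouts[payload[0]];
}

int main(void)
{
	/* Constructed payload: type 14 == ARRAY_SIZE(), one past the end. */
	const uint8_t crafted[] = { 14, 0x00, 0x00, 0x00 };

	printf("before fix accepts type 14: %d\n",
	       dhcpv6_type_ok_before_fix(crafted[0]));
	printf("fixed lookup for type 14:   %d\n",
	       dhcpv6_msg_timeout(crafted, sizeof crafted));
	return 0;
}
```

The table has 14 entries (indices 0 to 13), so a crafted packet with type 14 passes the `<=` check and indexes one element past the table; the `<` form rejects it.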
* conntrackd: cthelper: ssdp: fix build with musl | Stijn Tintel | 2017-08-24 | 1 file | -0/+1

  For musl libc to expose the members of `struct tcphdr`, _GNU_SOURCE needs to be defined.

  Fixes: b61c4543cbde ("conntrackd: cthelper: ssdp: Track UPnP eventing")
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: ssdp: Track UPnP eventing | Kevin Cernekee | 2017-02-12 | 1 file | -6/+471

  The UPnP Device Architecture spec provides a way for devices to connect back to control points, called "Eventing" (chapter 4). This sequence can look something like:

  1) Outbound multicast M-SEARCH packet (dst: 1900/udp)
     - Create expectation for unicast reply from <any host> to source port
  2) Inbound unicast reply (there may be several of these from different devices)
     - Find the device's URL, e.g. LOCATION: http://192.168.1.123:1400/xml/device_description.xml
     - Create expectation to track connections to this host:port (tcp)
  3) Outbound connection to device's web server (there will be several of these)
     - Watch for a SUBSCRIBE request
     - Find the control point's callback URL, e.g. CALLBACK: <http://192.168.1.124:3500/notify>
     - Create expectation to open up inbound connections to this host:port
  4) Inbound connections to control point's web server
     - The device will send NOTIFY HTTP requests to inform the control point of new events. These can continue indefinitely. Each NOTIFY request arrives on a new TCP connection and may have a different source port.

  Add the necessary code to create expectations for each of these connections and rewrite the IP in the CALLBACK URL.

  Tested with and without NAT.

  Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
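The two header lookups that steps 2 and 3 of the sequence depend on, as an added example written for this page rather than taken from the helper: extract host:port from a LOCATION: header in an SSDP reply and from a CALLBACK: header in a SUBSCRIBE request, and record where the IP text sits in the message so a NAT rewrite knows what to replace. The sample messages are constructed around the addresses quoted above; only IPv4 literals are handled and a bare "http://" URL is assumed, both assumptions of the example.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

struct upnp_endpoint {
	char host[INET_ADDRSTRLEN];	/* IPv4 literal from the URL */
	uint16_t port;			/* 80 when the URL carries none */
	size_t ip_off;			/* offset of the IP text in the message */
	size_t ip_len;			/* its length, for NAT rewriting */
};

/* Case-insensitive "Name:" at the start of a header line. Returns the
 * value (leading blanks skipped) and its length up to CR/LF, or NULL. */
static const char *find_header(const char *buf, size_t len,
			       const char *name, size_t *vlen)
{
	size_t nlen = strlen(name), i = 0;

	while (i + nlen < len) {
		if ((i == 0 || buf[i - 1] == '\n') &&
		    strncasecmp(buf + i, name, nlen) == 0 && buf[i + nlen] == ':') {
			size_t v = i + nlen + 1, e;

			while (v < len && (buf[v] == ' ' || buf[v] == '\t'))
				v++;
			for (e = v; e < len && buf[e] != '\r' && buf[e] != '\n'; e++)
				;
			*vlen = e - v;
			return buf + v;
		}
		while (i < len && buf[i] != '\n')
			i++;
		i++;
	}
	return NULL;
}

/* Parse "http://a.b.c.d[:port]/path", optionally wrapped in <>. Only a
 * dotted IPv4 host is accepted; anything else is rejected rather than
 * guessed at. Returns 0 on success. */
static int parse_url_endpoint(const char *msg, const char *val, size_t vlen,
			      struct upnp_endpoint *ep)
{
	const char *p = val, *end = val + vlen, *h;
	struct in_addr a;
	unsigned long port = 0;
	size_t hlen;

	if (p < end && *p == '<')
		p++;
	if ((size_t)(end - p) < 7 || strncasecmp(p, "http://", 7) != 0)
		return -1;
	p += 7;
	for (h = p; p < end && (isdigit((unsigned char)*p) || *p == '.'); p++)
		;
	hlen = p - h;
	if (hlen == 0 || hlen >= sizeof(ep->host))
		return -1;
	memcpy(ep->host, h, hlen);
	ep->host[hlen] = '\0';
	if (inet_pton(AF_INET, ep->host, &a) != 1)
		return -1;
	ep->ip_off = h - msg;
	ep->ip_len = hlen;
	ep->port = 80;
	if (p < end && *p == ':') {
		int digits = 0;

		for (p++; p < end && isdigit((unsigned char)*p); p++, digits++) {
			port = port * 10 + (*p - '0');
			if (port > 65535)
				return -1;
		}
		if (!digits)
			return -1;
		ep->port = (uint16_t)port;
	}
	/* Only a path, the closing '>' or the end of the value may follow. */
	if (p < end && *p != '/' && *p != '>')
		return -1;
	return 0;
}

/* Step 2: LOCATION: in an M-SEARCH reply names the device's web server. */
int ssdp_reply_location(const char *msg, size_t len, struct upnp_endpoint *ep)
{
	size_t vlen;
	const char *v = find_header(msg, len, "LOCATION", &vlen);

	return v ? parse_url_endpoint(msg, v, vlen, ep) : -1;
}

/* Step 3: CALLBACK: in a SUBSCRIBE request names where NOTIFY
 * connections must be let in; this is the IP that NAT has to rewrite. */
int upnp_subscribe_callback(const char *msg, size_t len, struct upnp_endpoint *ep)
{
	size_t vlen;
	const char *v;

	if (len < 10 || memcmp(msg, "SUBSCRIBE ", 10) != 0)
		return -1;
	v = find_header(msg, len, "CALLBACK", &vlen);
	return v ? parse_url_endpoint(msg, v, vlen, ep) : -1;
}

/* Constructed sample messages, using the addresses from the commit message. */
const char ssdp_reply[] =
	"HTTP/1.1 200 OK\r\n"
	"CACHE-CONTROL: max-age=1800\r\n"
	"LOCATION: http://192.168.1.123:1400/xml/device_description.xml\r\n"
	"ST: upnp:rootdevice\r\n"
	"\r\n";

const char subscribe_req[] =
	"SUBSCRIBE /MediaRenderer/AVTransport/Event HTTP/1.1\r\n"
	"HOST: 192.168.1.123:1400\r\n"
	"CALLBACK: <http://192.168.1.124:3500/notify>\r\n"
	"NT: upnp:event\r\n"
	"TIMEOUT: Second-3600\r\n"
	"\r\n";
```

ip_off/ip_len are relative to the start of the message buffer, so a caller that hands the helper a TCP payload gets exactly the matchoff/matchlen pair a payload mangling call needs; the host is validated with inet_pton before it is ever used to build an expectation, so a hostname or an IPv6 literal in the URL is refused rather than turned into a half-parsed address.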
* conntrackd: cthelper: Don't leak nat_tuple | Kevin Cernekee | 2017-02-01 | 3 files | -0/+3

  nfexp_set_attr() copies |nat_tuple| rather than taking ownership, so it should be freed at the end of the loop. Some of the other helpers (like rpc.c) do this, but it is missing here.

  Reported-by: Eric Caruso <ejcaruso@chromium.org>
  Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Link nfct and helper modules with `-z lazy` | Kevin Cernekee | 2016-09-20 | 1 file | -18/+21

  Some distributions, such as Gentoo and Chrome OS, try to link all programs with `-z now` as a security hardening measure. This breaks nfct, because nfct cannot satisfy all of the helper modules' symbols. Therefore nfct implicitly depends on lazy binding.

  Have autoconf probe the linker to see if `-z lazy` works, and if so, use it to link nfct and the helpers. conntrackd itself is unaffected, and should still work with `-z now`.

  Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: Add new mdns helper | Kevin Cernekee | 2016-09-09 | 2 files | -0/+94

  This allows unicast replies to multicast DNS (mDNS / RFC6762) queries. These queries are often used when a full-featured mDNS service (such as avahi-daemon) is not running, or if an mDNS client does not have permission to bind to port 5353.

  Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: ftp: Fix debug print | Kevin Cernekee | 2016-09-05 | 1 file | -1/+1

  matchoff is relative to dataoff, i.e. matchoff=0 (as utilized by nfq_tcp_mangle_ipv4()) points to the first byte of the TCP payload.

  Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: ftp: Set match offset/len for PORT mangling | Kevin Cernekee | 2016-09-05 | 1 file | -0/+3

  Currently matchoff and matchlen are 0, so IP mangling is performed in the wrong place if NAT is used:

  FTP_NAT: type 0, off 0 len 0

  The resultant packet is clearly incorrect:

  0x0000: 9410 3eb8 00ab 00e0 4c68 0012 0800 4510 ..>.....Lh....E.
  0x0010: 0081 9ed9 4000 4006 cd35 646b 0370 646b ....@.@..5dk.pdk
  0x0020: 0212 0015 87c5 8cc2 de50 aa28 4842 8018 .........P.(HB..
  0x0030: 00e3 459d 0000 0101 080a e916 985e 2a3b ..E..........^*;
  0x0040: b82d 3530 3020 2731 3030 2c31 3037 2c32 .-500.'100,107,2
  0x0050: 2c31 382c 3134 392c 3739 504f 5254 2031 ,18,149,79PORT.1
  0x0060: 3932 2c31 3638 2c32 3534 2c32 2c31 3439 92,168,254,2,149
  0x0070: 2c37 3927 3a20 636f 6d6d 616e 6420 6e6f ,79':.command.no
  0x0080: 7420 756e 6465 7273 746f 6f64 2e0d 0a   t.understood...

  Add the missing assignments.

  Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
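Why matchoff/matchlen matter, as an added example for this page and the previous entry (not the helper's own code): parse a PORT or EPRT command at the start of the TCP payload, report the address text's offset relative to that payload, build the NAT replacement text, and splice it in. Splicing with matchoff=0/matchlen=0 reproduces the mangled command the hexdump above shows. The EPRT replacement format |1|ip|port| and the IPv4-only handling are assumptions of the example, and the length and checksum fix-ups that nfq_tcp_mangle_ipv4() performs on the packet are left out.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

struct ftp_match {
	unsigned int matchoff;	/* start of the address text, relative to the
				 * first byte of the TCP payload (dataoff) */
	unsigned int matchlen;	/* bytes NAT must replace */
	int is_eprt;
	uint32_t ip;		/* host byte order */
	uint16_t port;
};

/* "PORT h1,h2,h3,h4,p1,p2": the address text starts at offset 5. */
static int parse_port(const char *d, size_t len, struct ftp_match *m)
{
	unsigned int v[6];
	size_t i = 5;

	for (int n = 0; n < 6; n++) {
		unsigned int val = 0, digits = 0;

		for (; i < len && d[i] >= '0' && d[i] <= '9'; i++, digits++) {
			val = val * 10 + (d[i] - '0');
			if (val > 255)
				return -1;
		}
		if (!digits || (n < 5 && (i >= len || d[i] != ',')))
			return -1;
		v[n] = val;
		if (n < 5)
			i++;	/* skip the comma */
	}
	m->is_eprt = 0;
	m->matchoff = 5;
	m->matchlen = i - 5;
	m->ip = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
	m->port = (v[4] << 8) | v[5];
	return 0;
}

/* "EPRT |1|a.b.c.d|port|" (IPv4 only): the whole |1|ip|port| field is
 * replaced on NAT, so matchlen covers it including both outer bars. */
static int parse_eprt(const char *d, size_t len, struct ftp_match *m)
{
	char ipstr[INET_ADDRSTRLEN];
	struct in_addr a;
	unsigned long port = 0;
	size_t i = 8, hs = 8, digits = 0;

	while (i < len && d[i] != '|')
		i++;
	if (i >= len || i == hs || i - hs >= sizeof(ipstr))
		return -1;
	memcpy(ipstr, d + hs, i - hs);
	ipstr[i - hs] = '\0';
	if (inet_pton(AF_INET, ipstr, &a) != 1)
		return -1;
	for (i++; i < len && d[i] >= '0' && d[i] <= '9'; i++, digits++) {
		port = port * 10 + (d[i] - '0');
		if (port > 65535)
			return -1;
	}
	if (!digits || i >= len || d[i] != '|')
		return -1;
	m->is_eprt = 1;
	m->matchoff = 5;
	m->matchlen = ++i - 5;
	m->ip = ntohl(a.s_addr);
	m->port = (uint16_t)port;
	return 0;
}

/* Parse a PORT or EPRT command found at the start of the TCP payload. */
int ftp_parse_addr_cmd(const char *data, size_t len, struct ftp_match *m)
{
	if (len >= 5 && memcmp(data, "PORT ", 5) == 0)
		return parse_port(data, len, m);
	if (len >= 8 && memcmp(data, "EPRT |1|", 8) == 0)
		return parse_eprt(data, len, m);
	return -1;
}

/* Text NAT splices in at dataoff + matchoff for the new address. */
int ftp_nat_replacement(const struct ftp_match *m, uint32_t ip, uint16_t port,
			char *out, size_t cap)
{
	unsigned int b0 = ip >> 24, b1 = (ip >> 16) & 0xff, b2 = (ip >> 8) & 0xff, b3 = ip & 0xff;
	int n = m->is_eprt
		? snprintf(out, cap, "|1|%u.%u.%u.%u|%u|", b0, b1, b2, b3, port)
		: snprintf(out, cap, "%u,%u,%u,%u,%u,%u", b0, b1, b2, b3, port >> 8, port & 0xff);

	return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* The payload edit nfq_tcp_mangle_ipv4() performs: replace [off, off+mlen)
 * with repl (no checksum or length fix-ups here). Returns the new length. */
int ftp_mangle_payload(char *data, size_t len, size_t cap,
		       unsigned int off, unsigned int mlen, const char *repl)
{
	size_t rlen = strlen(repl);

	if (off > len || mlen > len - off || len - mlen + rlen > cap)
		return -1;
	memmove(data + off + rlen, data + off + mlen, len - off - mlen);
	memcpy(data + off, repl, rlen);
	return (int)(len - mlen + rlen);
}
```

With matchoff=5 and matchlen=20 the command becomes "PORT 100,107,2,18,149,79"; with both at 0 the replacement is inserted in front of the untouched command, which is exactly the "100,107,2,18,149,79PORT 192,168,254,2,149,79" the server echoes back in its 500 reply above.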
* src: fix build with musl libc | Rodrigo Rebello | 2015-11-23 | 1 file | -0/+1

  The GNU version of 'struct tcphdr' is not exposed by musl libc headers unless _GNU_SOURCE is defined. Without this definition, the build fails with:

  rpc.c: In function 'rpc_helper_cb':
  rpc.c:351:15: error: 'struct tcphdr' has no member named 'doff'
    offset += th->doff * 4;
                 ^

  Signed-off-by: Rodrigo Rebello <rprebello@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Define _GNU_SOURCE to get members of tcphdr&ucphdr | Felix Janda | 2015-05-21 | 3 files | -0/+3

  The source uses linux names for members of tcphdr. For example "source" instead of "th_sport", ... musl libc's headers need _GNU_SOURCE defined in order to expose these.

  Signed-off-by: Felix Janda <felix.janda@posteo.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use stdint types | Felix Janda | 2015-05-21 | 3 files | -4/+4

  Signed-off-by: Felix Janda <felix.janda@posteo.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: userspace SSDP helper | Ash Hughes | 2014-03-12 | 2 files | -1/+140

  Here is a patch which adds a userspace conntrack helper for the SSDP protocol. This is based on the code found at: http://marc.info/?t=132945775100001&r=1&w=2

  I'm not sure how to get my laptop to play at IPv6, so I've not tested this part, but I've tested the IPv4 section and it works.

  Signed-off-by: Ash Hughes <ashley.hughes@blueyonder.co.uk>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: add amanda helper | Pablo Neira Ayuso | 2013-10-07 | 2 files | -1/+209

  This patch adds a userspace port of the amanda helper that is currently implemented in the kernel.

  Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* conntrackd: cthelper: add TFTP helper | Pablo Neira Ayuso | 2013-10-03 | 2 files | -0/+143

  This patch adds a userspace port of the TFTP helper that is currently implemented in the kernel. This includes NAT support. It requires a Linux kernel 3.12.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: cthelper: add SANE helper | Pablo Neira Ayuso | 2013-10-03 | 2 files | -1/+178

  This patch adds a userspace port of the SANE helper that is currently implemented in the kernel. This requires Linux kernel 3.12 to work.
* conntrackd: helpers: add DHCPv6 helper | Pablo Neira Ayuso | 2013-09-26 | 2 files | -1/+129

  This patch adds support for the DHCPv6 helper.

  1) nfct helper add dhcpv6 inet6 udp
  2) ip6tables -I OUTPUT -t raw -p udp --sport 546 -j CT --helper dhcpv6
  3) run conntrackd

  You should see:

  % conntrack -L exp -f ipv6
  279 proto=17 src=:: dst=ff02::1:2 sport=0 dport=546 mask-src=:: mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=fe80::221:ccff:fe4a:7f9c master-dst=ff02::1:2 sport=546 dport=547 PERMANENT class=0 helper=dhcpv6

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cthelper: ftp: fix EPRT case for IPv4 | Pablo Neira Ayuso | 2012-08-21 | 1 file | -1/+6

  %pI4 also exists in the Linux kernel. It would be good to have some generic functions to convert binary data to address string. Later.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: TNS helper added to cthelper | Jozsef Kadlecsik | 2012-08-01 | 2 files | -1/+413

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: RPC helper added to cthelper | Jozsef Kadlecsik | 2012-08-01 | 2 files | -2/+493

  How to use this helper in a few steps:

  1) You can enable this helper via:

     nfct helper add rpc inet tcp
     nfct helper add rpc inet udp

  2) Configure /etc/conntrackd/conntrackd.conf and launch it.

  3) You can test this helper locally with the following rule-set:

     iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc
     iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc
     iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT
     iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT
     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -P OUTPUT DROP

  4) Configure NFS and export some local directory. Then, mount it with version 3.

     mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/

  You should see permanent expectations created for this.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrackd: add cthelper infrastructure (+ example FTP helper) | Pablo Neira Ayuso | 2012-08-01 | 2 files | -0/+608

  This patch adds the user-space helper infrastructure. It also contains the implementation of the FTP helper in user-space.

  There's one example file that you can use to configure conntrackd as user-space connection tracking helper under: doc/helper/conntrackd.conf

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>