1. 19 Jun, 2012 7 commits
  2. 18 Jun, 2012 23 commits
  3. 17 Jun, 2012 6 commits
  4. 16 Jun, 2012 4 commits
      Merge branch 'master' of git://1984.lsi.us.es/nf-next · 82f437b9
      David S. Miller authored
      Pablo says:
      This is the second batch of Netfilter updates for net-next. It contains the
      kernel changes for the new user-space connection tracking helper
      More details on this infrastructure are provided here:
      Still, I plan to provide some official documentation through the
      conntrack-tools user manual on how to setup user-space utilities for this.
      So far, it provides two helpers in user-space, one for NFSv3 and another for
      Oracle/SQLnet/TNS. Yet in my TODO list.
      Signed-off-by: David S. Miller <davem@davemloft.net>
      include/net/dst.h: neaten asterisk placement · 7f95e188
      Eldad Zack authored
      Fix code style - place the asterisk where it belongs.
      Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      netfilter: add user-space connection tracking helper infrastructure · 12f7a505
      Pablo Neira Ayuso authored
      There are good reasons to support helpers in user-space instead:
      * Rapid connection tracking helper development, as developing code
        in user-space is usually faster.
      * Reliability: A buggy helper does not crash the kernel. Moreover,
        we can monitor the helper process and restart it in case of problems.
      * Security: Avoid complex string matching and mangling in kernel-space
        running in privileged mode. Going further, we can even think about
        running user-space helpers as a non-root process.
      * Extensibility: It allows the development of very specific helpers (most
        likely non-standard proprietary protocols) that are very likely not to be
        accepted for mainline inclusion in the form of kernel-space connection
        tracking helpers.
      This patch adds the infrastructure to allow the implementation of
      user-space conntrack helpers by means of the new nfnetlink subsystem
      `nfnetlink_cthelper' and the existing queueing infrastructure
      I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register
      ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into
      two pieces. This change is required not to break NAT sequence
      adjustment and conntrack confirmation for traffic that is enqueued
      to our user-space conntrack helpers.
      Basic operation, in a few steps:
      1) Register user-space helper by means of `nfct':
       nfct helper add ftp inet tcp
       [ It must be a valid existing helper supported by conntrack-tools ]
      2) Add rules to enable the FTP user-space helper which is
         used to track traffic going to TCP port 21.
      For locally generated packets:
       iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
      For non-locally generated packets:
       iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
      3) Run the test conntrackd in helper mode (see example files under
      4) Generate FTP traffic going, if everything is OK, then conntrackd
         should create expectations (you can check that with `conntrack'):
       conntrack -E expect
          [NEW] 301 proto=6 src= dst= sport=0 dport=54037 mask-src= mask-dst= sport=0 dport=65535 master-src= master-dst= sport=57127 dport=21 class=0 helper=ftp
      [DESTROY] 301 proto=6 src= dst= sport=0 dport=54037 mask-src= mask-dst= sport=0 dport=65535 master-src= master-dst= sport=57127 dport=21 class=0 helper=ftp
      This confirms that our test helper is receiving packets including the
      conntrack information, and adding expectations in kernel-space.
      The user-space helper can also store its private tracking information
      in the conntrack structure in the kernel via the CTA_HELP_INFO. The
      kernel will consider this a binary blob whose layout is unknown. This
      information will be included in the information that is transferred
      to user-space via glue code that integrates nfnetlink_queue and
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: ctnetlink: add CTA_HELP_INFO attribute · ae243bee
      Pablo Neira Ayuso authored
      This attribute can be used to modify and to dump the internal
      protocol information.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>