android_kernel_google_msm/net/ipv4
Pablo Neira Ayuso 191c3003e8 netfilter: add user-space connection tracking helper infrastructure
There are good reasons to support helpers in user-space instead:

* Rapid connection tracking helper development, as developing code
  in user-space is usually faster.

* Reliability: A buggy helper does not crash the kernel. Moreover,
  we can monitor the helper process and restart it in case of problems.

* Security: Avoid complex string matching and mangling in kernel-space
  running in privileged mode. Going further, we can even think about
  running user-space helpers as a non-root process.

* Extensibility: It allows the development of very specific helpers (most
  likely non-standard proprietary protocols) that are very likely not to be
  accepted for mainline inclusion in the form of kernel-space connection
  tracking helpers.

This patch adds the infrastructure to allow the implementation of
user-space conntrack helpers by means of the new nfnetlink subsystem
`nfnetlink_cthelper' and the existing queueing infrastructure
(nfnetlink_queue).

I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register
ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into
two pieces. This change is required not to break NAT sequence
adjustment and conntrack confirmation for traffic that is enqueued
to our user-space conntrack helpers.

Basic operation, in a few steps:

1) Register user-space helper by means of `nfct':

 nfct helper add ftp inet tcp

 [ It must be a valid existing helper supported by conntrack-tools ]

2) Add rules to enable the FTP user-space helper which is
   used to track traffic going to TCP port 21.

For locally generated packets:

 iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp

For non-locally generated packets:

 iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp

3) Run the test conntrackd in helper mode (see example files under
   doc/helper/conntrackd.conf):

 conntrackd

4) Generate FTP traffic. If everything is OK, then conntrackd
   should create expectations (you can check that with `conntrack'):

 conntrack -E expect

    [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp
[DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp

This confirms that our test helper is receiving packets including the
conntrack information, and adding expectations in kernel-space.

The user-space helper can also store its private tracking information
in the conntrack structure in the kernel via the CTA_HELP_INFO. The
kernel will consider this a binary blob whose layout is unknown. This
information will be included in the information that is transferred
to user-space via glue code that integrates nfnetlink_queue and
ctnetlink.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Ifad12a30d86a6eb0b72d20f079336a24348d711b
2018-12-07 22:02:09 +04:00
netfilter netfilter: add user-space connection tracking helper infrastructure 2018-12-07 22:02:09 +04:00
af_inet.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
ah4.c
arp.c ipv4: add option to drop gratuitous ARP packets 2018-12-07 21:59:38 +04:00
cipso_ipv4.c
datagram.c ipv4: fix possible seqlock deadlock 2013-12-08 07:29:41 -08:00
devinet.c ipv4: add option to drop gratuitous ARP packets 2018-12-07 21:59:38 +04:00
esp4.c
fib_frontend.c ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif 2018-08-27 14:52:49 +00:00
fib_lookup.h
fib_rules.c
fib_semantics.c ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif 2018-08-27 14:52:49 +00:00
fib_trie.c fib_trie: remove potential out of bound access 2013-09-14 06:02:09 -07:00
gre.c
icmp.c net: add a sysctl to reflect the fwmark on replies 2014-05-12 22:39:57 -07:00
igmp.c inetpeer: get rid of ip_id_count 2014-08-14 08:42:35 +08:00
inet_connection_sock.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
inet_diag.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
inet_fragment.c
inet_hashtables.c net: do not call sock_put() on TIMEWAIT sockets 2013-11-04 04:23:40 -08:00
inet_lro.c
inet_timewait_sock.c
inetpeer.c inetpeer: get rid of ip_id_count 2014-08-14 08:42:35 +08:00
ip_forward.c ipv4: try to cache dst_entries which would cause a redirect 2016-10-29 23:12:10 +08:00
ip_fragment.c inet: frags: fix defragmented packet's IP header for af_packet 2016-03-21 09:17:46 +08:00
ip_gre.c ip_tunnel: fix kernel panic with icmp_dest_unreach 2013-06-27 11:27:32 -07:00
ip_input.c ipv4: add option to drop unicast encapsulated in L2 multicast 2018-12-07 21:59:38 +04:00
ip_options.c ipv4: fix buffer overflow in ip_options_compile() 2014-07-28 07:06:46 -07:00
ip_output.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
ip_sockglue.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
ipcomp.c
ipconfig.c
ipip.c net: tunnels - enable module autoloading 2014-06-26 15:10:28 -04:00
ipmr.c ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif 2018-08-27 14:52:49 +00:00
Kconfig net: diag: Support destroying TCP sockets. 2017-12-15 22:54:58 +03:00
Makefile
netfilter.c
ping.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
proc.c
protocol.c
raw.c Revert "net: core: Support UID-based routing." 2017-08-27 19:09:20 +03:00
route.c net: Loopback ifindex is constant now 2018-08-27 14:52:48 +00:00
syncookies.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
sysctl_net_ipv4.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
sysfs_net_ipv4.c
tcp.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
tcp_bic.c
tcp_cong.c
tcp_cubic.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
tcp_diag.c net: diag: Support destroying TCP sockets. 2017-12-15 22:54:58 +03:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
tcp_ipv4.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
tcp_lp.c
tcp_memcontrol.c
tcp_minisocks.c
tcp_output.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
tcp_probe.c
tcp_scalable.c
tcp_timer.c WLAN subsystem: Sysctl support for key TCP/IP parameters 2016-10-29 23:12:27 +08:00
tcp_vegas.c tcp: Fix integer-overflow in TCP vegas 2014-08-14 08:42:36 +08:00
tcp_vegas.h
tcp_veno.c tcp: Fix integer-overflows in TCP veno 2014-08-14 08:42:36 +08:00
tcp_westwood.c
tcp_yeah.c
tunnel4.c
udp.c Merge remote-tracking branch 'stable/linux-3.4.y' into lineage-15.1 2017-12-27 17:13:15 +03:00
udp_diag.c
udp_impl.h
udplite.c
xfrm4_input.c
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c inetpeer: get rid of ip_id_count 2014-08-14 08:42:35 +08:00
xfrm4_output.c
xfrm4_policy.c Revert "net: core: Support UID-based routing." 2017-08-27 19:09:20 +03:00
xfrm4_state.c
xfrm4_tunnel.c