Date:   Mon, 22 Aug 2016 02:11:42 +0000
From:   Thomas Winter <Thomas.Winter@...iedtelesis.co.nz>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Patch to netfilter conntrack for secondary connection logging

Hello,

We are using netfilter to implement a firewall for a router and we had the problem that the FTP data connections were not being logged.
I did some investigating and found that it is conntrack that is allowing the secondary connection by the FTP helper module.
I created a patch to enable such logging for any conntrack helper.
Is this a good change? Or did I miss something really obvious?

Regards,
Thomas Winter


example iptables rules:

Chain FIREWALL_RULE_12 (1 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctstate NEW,RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT "
CONNMARK   tcp  --  anywhere             anywhere             multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctstate NEW,RELATED,ESTABLISHED CONNMARK xset 0x1/0x7
LOG        tcp  --  anywhere             anywhere             multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctstate RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT "
CONNMARK   tcp  --  anywhere             anywhere             multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctstate RELATED,ESTABLISHED CONNMARK xset 0x1/0x7


patch:

[PATCH] ICSAFW-9: Added expected connection logging in netfilter

For ICSA firewall requirements, FTP data connections
must be able to be logged.

Our iptables rules for FTP are not able to log the
data connections because they only take effect on
the control connection. The FTP conntrack helper
module inspects FTP control packets and allows the
data connections when it sees one about to start.

Added a log function for conntrack to be called
when allowing expected connections.

---
 include/net/netfilter/nf_conntrack_expect.h |  5 +++++
 net/netfilter/nf_conntrack_core.c           |  4 ++++
 net/netfilter/nf_conntrack_ftp.c            | 21 +++++++++++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index dce56f0..c13a457 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -26,6 +26,11 @@ struct nf_conntrack_expect {
 	void (*expectfn)(struct nf_conn *new,
 			 struct nf_conntrack_expect *this);
 
+#ifdef ATL_CHANGE
+	/* Logging function to call when seeing an expected connection */
+	void (*logfn)(const struct nf_conntrack_tuple *tuple);
+#endif
+
 	/* Helper to assign to new connection */
 	struct nf_conntrack_helper *helper;
 
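Review bot: the new `logfn` member is added to `struct nf_conntrack_expect`, but nothing in this series initializes it in the generic expectation setup path (the diffstat touches only this header, nf_conntrack_core.c and nf_conntrack_ftp.c, not nf_conntrack_expect.c), and only the FTP helper assigns it; unless the expectation allocation is zeroed, expectations created by every other helper carry an indeterminate `logfn`, and the `if (exp->logfn)` check added in nf_conntrack_core.c would call through garbage. Initialize it to NULL next to `expectfn` and `helper` wherever an expectation is set up. Also, `ATL_CHANGE` is not a Kconfig symbol, so for an upstream submission the `#ifdef` should be dropped or replaced by a proper `CONFIG_` option, and the new callback deserves a comment stating which tuple (pre- or post-NAT) it is handed.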
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 37d8c06..8f4e15c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -984,6 +984,10 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
 				if (help)
 					rcu_assign_pointer(help->helper, exp->helper);
 			}
+#ifdef ATL_CHANGE
+			if (exp->logfn)
+				exp->logfn(tuple);
+#endif
 
 #ifdef CONFIG_NF_CONNTRACK_MARK
 			ct->mark = exp->master->mark;
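Review bot: the callback is invoked here for every matched expectation with no way for the administrator to configure, scope or disable it, which is at odds with the rule-driven `LOG` configuration the cover letter describes; rather than a bare function pointer that each helper must wire up, consider emitting the event through nf_log so it honours the existing log level and prefix settings, or at least documenting that `tuple` is the original-direction tuple of the new connection so readers know what addresses will appear in the log. Note also that this runs in the packet-receive path, so whatever `logfn` does must be safe in softirq context and cheap enough to be triggered once per expected connection.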
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index b666959..3dd1900 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -382,6 +382,23 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
 	}
 }
 
+#ifdef ATL_CHANGE
+void log_ftp_data_connection(const struct nf_conntrack_tuple *tuple)
+{
+	if (tuple) {
+		if (tuple->src.l3num == PF_INET) {
+			pr_info("FTP data connection initiated by %pI4:%d to %pI4:%d\n",
+				&tuple->src.u3.ip, tuple->src.u.tcp.port,
+				&tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+		} else {
+			pr_info("FTP data connection initiated by %pI6:%d to %pI6:%d\n",
+				&tuple->src.u3.ip, tuple->src.u.tcp.port,
+				&tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+		}
+	}
+}
+#endif
+
 static int help(struct sk_buff *skb,
 		unsigned int protoff,
 		struct nf_conn *ct,
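Review bot: the ports are printed with `%d` straight from `tuple->src.u.tcp.port` and `tuple->dst.u.tcp.port`, which are `__be16` in network byte order, so on little-endian hosts the logged ports will be byte-swapped (and sparse will warn); wrap them in `ntohs()`. `log_ftp_data_connection` is used only from this file and should be `static`. The `else` branch treats anything that is not `PF_INET` as IPv6; check `PF_INET6` explicitly, and `%pI6c` is the conventional compact form. Finally, an unconditional `pr_info()` lets the remote peer generate one kernel log line per data-connection request, so prefer `pr_info_ratelimited()` or, better, `nf_log_packet()` so the message is subject to the existing log configuration.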
@@ -529,6 +546,10 @@ skip_nl_seq:
 			  &ct->tuplehash[!dir].tuple.src.u3, daddr,
 			  IPPROTO_TCP, NULL, &cmd.u.tcp.port);
 
+#ifdef ATL_CHANGE
+	exp->logfn = log_ftp_data_connection;
+#endif
+
 	/* Now, NAT might want to mangle the packet, and register the
 	 * (possibly changed) expectation itself. */
 	nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
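Review bot: `exp->logfn` is set unconditionally for every FTP expectation, so unlike the `LOG` target rules in the cover letter there is no way to turn the logging off or limit it to particular rule sets; gate it behind a module parameter or sysctl. Before adding a kernel hook at all, check whether a stock rule on the RELATED conntrack state combined with the `helper` match (`-m conntrack --ctstate RELATED -m helper --helper ftp -j LOG`) already logs the first packet of each expected data connection, since that would meet the stated requirement without touching the core or the helper.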
-- 
2.9.3
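For the defender consuming these messages, an added example (not part of the original post or of the patch) that parses the line format `log_ftp_data_connection()` emits and checks each logged data connection against the private-to-public FTP policy of the firewall rules above. The `private`/`public` ipset ranges and the dmesg sample are constructed for illustration, and ports are assumed to be in host byte order as the format string intends.

```python
import ipaddress
import re

# Message format written by the patch's log_ftp_data_connection(); ports are
# taken in host byte order, as the format string intends.
LOG_RE = re.compile(
    r"FTP data connection initiated by (?P<src>[0-9A-Fa-f.:]+):(?P<sport>\d+)"
    r" to (?P<dst>[0-9A-Fa-f.:]+):(?P<dport>\d+)"
)

# Constructed stand-ins for the 'private' and 'public' ipsets in the rules above.
PRIVATE = ipaddress.ip_network("192.168.1.0/24")
PUBLIC = ipaddress.ip_network("203.0.113.0/24")
EPHEMERAL = range(1024, 65536)  # the 1024:65535 multiport range in the rules


def parse(line):
    """Return (src, sport, dst, dport) from one kernel log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))


def classify(rec):
    """Label a data connection against the private->public FTP policy."""
    src, sport, dst, dport = rec
    # Passive mode: private client opens the data connection to a high port on the public server.
    if src in PRIVATE and dst in PUBLIC and sport in EPHEMERAL and dport in EPHEMERAL:
        return "passive"
    # Active mode: public server connects back from ftp-data (20) to a high port on the client.
    if src in PUBLIC and dst in PRIVATE and sport == 20 and dport in EPHEMERAL:
        return "active"
    return "unexpected"


def audit(log_text):
    """Classify every FTP data-connection line; unrelated lines are skipped."""
    return [(rec, classify(rec)) for rec in map(parse, log_text.splitlines()) if rec]


# Constructed sample of dmesg output, not captured from a real system.
SAMPLE_LOG = """\
[  812.104512] FTP data connection initiated by 192.168.1.10:40001 to 203.0.113.5:50001
[  812.204513] nf_conntrack: unrelated message
[  813.001000] FTP data connection initiated by 203.0.113.5:20 to 192.168.1.10:40002
[  815.337200] FTP data connection initiated by 192.168.1.10:40003 to 198.51.100.9:50003
"""
```

Running `audit(SAMPLE_LOG)` labels the three FTP lines passive, active and unexpected in turn; the last one is a data connection to a host outside the public set, which the control-connection rules alone would never have surfaced.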
