Message-ID: <1471831902045.98124@alliedtelesis.co.nz>
Date: Mon, 22 Aug 2016 02:11:42 +0000
From: Thomas Winter <Thomas.Winter@...iedtelesis.co.nz>
To: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Patch to netfilter conntrack for secondary connection logging
Hello,
We are using netfilter to implement a firewall for a router and we had the problem that the ftp data connections were not being logged.
I did some investigating and found that it is conntrack that is allowing the secondary connection by the ftp helper module.
I created a patch to enable such logging for any conntrack helper.
Is this a good change? Or did I miss something really obvious?
Regards,
Thomas Winter
example iptables rules:
Chain FIREWALL_RULE_12 (1 references)
target prot opt source destination
LOG tcp -- anywhere anywhere multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctstate NEW,RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT "
CONNMARK tcp -- anywhere anywhere multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctstate NEW,RELATED,ESTABLISHED CONNMARK xset 0x1/0x7
LOG tcp -- anywhere anywhere multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctstate RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT "
CONNMARK tcp -- anywhere anywhere multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctstate RELATED,ESTABLISHED CONNMARK xset 0x1/0x7
patch:
[PATCH] ICSAFW-9: Added expected connection logging in netfilter
For ICSA firewall requirements, FTP data connections
must be able to be logged.
Our iptables rules for FTP are not able to log the
data connections because they only take effect on
the control connection. The FTP conntrack helper
module inspects FTP control packets and allows the
data connections when it sees one about to start.
Added a log function for conntrack to be called
when allowing expected connections.
---
include/net/netfilter/nf_conntrack_expect.h | 5 +++++
net/netfilter/nf_conntrack_core.c | 4 ++++
net/netfilter/nf_conntrack_ftp.c | 21 +++++++++++++++++++++
3 files changed, 30 insertions(+)
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index dce56f0..c13a457 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -26,6 +26,11 @@ struct nf_conntrack_expect {
void (*expectfn)(struct nf_conn *new,
struct nf_conntrack_expect *this);
+#ifdef ATL_CHANGE
+ /* Logging function to call when seeing an expected connection */
+ void (*logfn)(const struct nf_conntrack_tuple *tuple);
+#endif
+
/* Helper to assign to new connection */
struct nf_conntrack_helper *helper;
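Review bot: the new logfn member is only ever assigned in nf_conntrack_ftp.c (the only helper this series touches, per the diffstat), so expectations created by any other helper leave it holding whatever was in the allocation; unless the expectation allocator zeroes the object, nf_ct_expect_init() needs an explicit `exp->logfn = NULL;`, otherwise the `if (exp->logfn)` test added in nf_conntrack_core.c can branch on and call a stale pointer. Separately, `#ifdef ATL_CHANGE` is a vendor build flag; upstream code is not wrapped in such guards, so drop them in all three files before submitting.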
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 37d8c06..8f4e15c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -984,6 +984,10 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
if (help)
rcu_assign_pointer(help->helper, exp->helper);
}
+#ifdef ATL_CHANGE
+ if (exp->logfn)
+ exp->logfn(tuple);
+#endif
#ifdef CONFIG_NF_CONNTRACK_MARK
ct->mark = exp->master->mark;
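Review bot: this call fires when conntrack instantiates the expected connection, before any filter-table rule has delivered a verdict, so the message "data connection initiated" will be written for data connections the ruleset subsequently drops, and it bypasses the LOG target's prefix, level and rate limiting; an unthrottled pr_info() in the packet path can also flood the kernel log under a burst of PORT/PASV commands (at minimum use pr_info_ratelimited()). The logging goal in the cover letter can be met from the ruleset without a kernel change, since the expected data connection arrives as ctstate RELATED and the xt_helper match identifies which helper created it: `-m conntrack --ctstate RELATED -m helper --helper ftp -j LOG --log-prefix "..."`.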
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index b666959..3dd1900 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -382,6 +382,23 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
}
}
+#ifdef ATL_CHANGE
+void log_ftp_data_connection(const struct nf_conntrack_tuple *tuple)
+{
+ if (tuple) {
+ if (tuple->src.l3num == PF_INET) {
+ pr_info("FTP data connection initiated by %pI4:%d to %pI4:%d\n",
+ &tuple->src.u3.ip, tuple->src.u.tcp.port,
+ &tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+ } else {
+ pr_info("FTP data connection initiated by %pI6:%d to %pI6:%d\n",
+ &tuple->src.u3.ip, tuple->src.u.tcp.port,
+ &tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+ }
+ }
+}
+#endif
+
static int help(struct sk_buff *skb,
unsigned int protoff,
struct nf_conn *ct,
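Review bot: the port fields are printed in the wrong byte order; `tuple->src.u.tcp.port` and `tuple->dst.u.tcp.port` are `__be16` (network order), so `%d` prints a byte-swapped value on little-endian hosts and the log will show, for example, port 5120 for port 20. Use `ntohs(tuple->src.u.tcp.port)` and `ntohs(tuple->dst.u.tcp.port)`. The function is also only referenced from this file, so it should be `static` (there is no header declaration for it), and the IPv6 branch should pass `&tuple->src.u3.ip6` / `&tuple->dst.u3.ip6` to `%pI6` rather than the `.ip` member so the intent is clear to the reader and to sparse.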
@@ -529,6 +546,10 @@ skip_nl_seq:
&ct->tuplehash[!dir].tuple.src.u3, daddr,
IPPROTO_TCP, NULL, &cmd.u.tcp.port);
+#ifdef ATL_CHANGE
+ exp->logfn = log_ftp_data_connection;
+#endif
+
/* Now, NAT might want to mangle the packet, and register the
* (possibly changed) expectation itself. */
nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
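Review bot: struct nf_conntrack_expect already carries a per-expectation callback, `expectfn`, that is invoked for exactly this event (see the context lines of the header hunk), and conntrack already has an event/notification path for new connections; a reviewer will ask why logging needs a second function pointer in the expectation rather than hooking the existing callback or the existing infrastructure. If `logfn` is kept, setting it here, before the NAT helper gets its turn at the expectation as the following comment describes, is the right place; consider also making the message say which side initiated the connection (active PORT versus passive PASV), since the tuple alone does not tell an auditor that.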
--
2.9.3