* Conntrackd and UDP
@ 2009-02-24  8:37 Michele Codutti
  2009-02-24 13:47 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: Michele Codutti @ 2009-02-24  8:37 UTC (permalink / raw)
  To: netfilter

Hello, I'm using conntrackd in an HA clustered firewall. Since the
initial setup I configured conntrackd (version 0.9.6-4 from a Debian
Lenny) to sync only TCP connections.
In the past few days I've read this tutorial:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
and after that I have one question:
Is conntrackd capable of syncing the UDP entries of the state machine too?
If so, is it a good thing to configure conntrackd to sync the UDP entries
too in a clustered firewall?

Thank you in advance.

-- 
Michele Codutti
Centro Servizi Informatici e Telematici (CSIT)
Universita' degli Studi di Udine
via Delle Scienze, 208 - 33100 UDINE
tel +39 0432 558928
fax +39 0432 558911
e-mail: michele.codutti at uniud.it



* Re: Conntrackd and UDP
From: Pablo Neira Ayuso @ 2009-02-24 13:47 UTC
  To: Michele Codutti; +Cc: netfilter

Michele Codutti wrote:
> Hello, I'm using conntrackd in an HA clustered firewall. Since the
> initial setup I configured conntrackd (version 0.9.6-4 from a Debian
> Lenny) to sync only TCP connections.

BTW, that's a one-year-old release; I *strongly* suggest that you upgrade
to a recent release. Similarly, I also suggest that you use the latest
kernel release, which includes recent versions of ctnetlink.

> In the past few days I've read this tutorial:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> and after that I have one question:
> Is conntrackd capable of syncing the UDP entries of the state machine too?
> If so, is it a good thing to configure conntrackd to sync the UDP entries
> too in a clustered firewall?

It depends on the UDP traffic and your rule-set. For example, I don't
synchronize UDP DNS traffic, but you may want to do it for long-standing
UDP flows for real-time communications. With regards to your rule-set,
if you perform UDP filtering based on who starts the communications,
like allowing UDP flows to start from A -> B but not the opposite (B ->
A), then it may be of help to avoid communication hangs after the failover.

UDP is unreliable, so you will lose data during the failover. In
real-time applications the user would experience a temporary
communication breakage, but the communication would not hang, which is
one of the targets of conntrackd.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers
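The conntrackd.conf Filter block that the answer above describes, with UDP added to the accepted protocols so that directional UDP flows survive a failover. This is an added example, not configuration from the thread or from the conntrackd project; it assumes a conntrackd release in which the UDP keyword is accepted in this block, omits the rest of the General section, and uses constructed addresses.

```conf
General {
	# Filter applied in userspace to the events conntrackd handles;
	# "Filter From Kernelspace" is the alternative location.
	Filter From Userspace {
		# Only these L4 protocols are replicated to the peer node.
		# UDP is included so that flows allowed only in one direction
		# (A -> B may start, B -> A may not) do not hang after failover.
		# The filter selects by protocol only, so short-lived UDP
		# such as DNS is replicated as well once UDP is listed.
		Protocol Accept {
			TCP
			SCTP
			DCCP
			UDP
		}
		# Never replicate flows that terminate on the firewall itself.
		# The addresses below are constructed placeholders.
		Address Ignore {
			IPv4_address 127.0.0.1		# loopback
			IPv4_address 192.0.2.10		# dedicated sync link
			IPv4_address 192.0.2.100	# cluster virtual IP
		}
	}
}
```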


* Re: Conntrackd and UDP
From: Tino Keitel @ 2010-02-11  7:22 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter

On Tue, Feb 24, 2009 at 14:47:35 +0100, Pablo Neira Ayuso wrote:

[...]

> It depends on the UDP traffic and your rule-set, for example, I
> don't synchronize UDP DNS traffic but you may want to do it for
> long-standing UDP flows for real-time communications. With regards

Hi,

That sounds like other UDP traffic can be synced. However, it looks
like conntrackd does not support UDP at all. Are there plans to support
it in upcoming releases?

Regards,

-- 
Tino Keitel
Software Engineer
 
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.921028-206
Fax: +49.30.921028-020
Rudower Chaussee 13
12489 Berlin / Germany
http://www.innominate.com/

Register Court: AG Charlottenburg, HRB 81603 Management Board: Dirk
Seewald, Chairman of the Supervisory Board: Volker Bibelhausen


* Re: Conntrackd and UDP
From: Pablo Neira Ayuso @ 2010-02-11 11:01 UTC
  To: Tino Keitel; +Cc: netfilter


Tino Keitel wrote:
> On Tue, Feb 24, 2009 at 14:47:35 +0100, Pablo Neira Ayuso wrote:
> 
> [...]
> 
>> It depends on the UDP traffic and your rule-set, for example, I
>> don't synchronize UDP DNS traffic but you may want to do it for
>> long-standing UDP flows for real-time communications. With regards
> 
> Hi,
> 
> That sounds like other UDP traffic can be synced. However, it looks
> like conntrackd does not support UDP at all. Are there plans to support
> it in upcoming releases?

Oops, it seems that I broke UDP filtering in 0.9.14. This patch
should fix it. Does it resolve the UDP support or am I missing anything
else?

[-- Attachment #2: udp.patch --]
[-- Type: text/x-patch, Size: 1500 bytes --]

conntrackd: fix UDP filtering in configuration file

From: Pablo Neira Ayuso <pablo@netfilter.org>

UDP filtering was broken during the addition of the UDP-based
synchronization protocol that was introduced in 0.9.14. This
patch fixes the problem.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/sync/ftfw/conntrackd.conf |    1 +
 src/read_config_yy.y          |   19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index df10aca..877ed68 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -357,6 +357,7 @@ General {
 			TCP
 			SCTP
 			DCCP
+			# UDP
 			# ICMP # This requires a Linux kernel >= 2.6.31
 		}
 
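Review bot: the `# UDP` entry added to the Protocol Accept block is commented out, so the shipped ftfw example still leaves UDP out of the filter even though this patch is what makes the keyword parse again; the neighbouring `# ICMP # This requires a Linux kernel >= 2.6.31` line shows the convention, so a trailing comment stating that UDP filtering needs the release carrying this fix would tell users why the keyword was rejected by 0.9.14 and what to upgrade to.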
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 6dfca98..5f4e6be 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1221,6 +1221,25 @@ filter_protocol_item : T_TCP
 				 pent->p_proto);
 };
 
+filter_protocol_item : T_UDP
+{
+	struct protoent *pent;
+
+	pent = getprotobyname("udp");
+	if (pent == NULL) {
+		print_err(CTD_CFG_WARN, "getprotobyname() cannot find "
+					"protocol `udp' in /etc/protocols");
+		break;
+	}
+	ct_filter_add_proto(STATE(us_filter), pent->p_proto);
+
+	__kernel_filter_start();
+
+	nfct_filter_add_attr_u32(STATE(filter),
+				 NFCT_FILTER_L4PROTO,
+				 pent->p_proto);
+};
+
 filter_item : T_ADDRESS T_ACCEPT '{' filter_address_list '}'
 {
 	ct_filter_set_logic(STATE(us_filter),
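Review bot: the new `filter_protocol_item : T_UDP` action is a verbatim copy of the T_TCP action visible above it with only the `getprotobyname("udp")` string changed; a small helper taking the protocol name and doing the lookup, `ct_filter_add_proto()`, `__kernel_filter_start()` and `nfct_filter_add_attr_u32()` would keep the per-protocol copies from drifting apart, which is how this breakage slipped in. Also, on a `getprotobyname()` failure the action only emits `CTD_CFG_WARN` and `break`s, so a missing `udp` line in /etc/protocols leaves the UDP filter silently uninstalled while the daemon starts; consider whether that should be a hard configuration error. Note that the hunk relies on a `T_UDP` token already existing (presumably from the UDP transport section added in 0.9.14), since no lexer change accompanies it.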


* Re: Conntrackd and UDP
From: Tino Keitel @ 2010-02-11 14:53 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter

On Thu, Feb 11, 2010 at 12:01:40 +0100, Pablo Neira Ayuso wrote:

[...]

> Oops, it seems that I broke UDP filtering in 0.9.14. This patch
> should fix it. Does it resolve the UDP support or am I missing anything
> else?

Seems to work fine after a quick test. Thanks a lot and regards,
-- 
Tino Keitel
Software Engineer
