* Patch to netfilter conntrack for secondary connection logging
@ 2016-08-22  2:11 Thomas Winter
  2016-08-22  9:00 ` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: Thomas Winter @ 2016-08-22  2:11 UTC (permalink / raw)
  To: netdev

Hello,

We are using netfilter to implement a firewall for a router and we had the problem that the ftp data connections were not being logged.
I did some investigating and found that it is conntrack that is allowing the secondary connection by the ftp helper module.
I created a patch to enable such logging for any conntrack helper.
Is this a good change? Or did I miss something really obvious?

Regards,
Thomas Winter


example iptables rules:

Chain FIREWALL_RULE_12 (1 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctstate NEW,RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT "
CONNMARK   tcp  --  anywhere             anywhere             multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctstate NEW,RELATED,ESTABLISHED CONNMARK xset 0x1/0x7
LOG        tcp  --  anywhere             anywhere             multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctstate RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT "
CONNMARK   tcp  --  anywhere             anywhere             multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctstate RELATED,ESTABLISHED CONNMARK xset 0x1/0x7


patch:

[PATCH] ICSAFW-9: Added expected connection logging in netfilter

For ICSA firewall requirements, FTP data connections
must be able to be logged.

Our iptables rules for FTP are not able to log the
data connections because they only take effect on
the control connection. The FTP conntrack helper
module inspects FTP control packets and allows the
data connections when it sees one about to start.

Added a log function for conntrack to be called
when allowing expected connections.

---
 include/net/netfilter/nf_conntrack_expect.h |  5 +++++
 net/netfilter/nf_conntrack_core.c           |  4 ++++
 net/netfilter/nf_conntrack_ftp.c            | 21 +++++++++++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index dce56f0..c13a457 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -26,6 +26,11 @@ struct nf_conntrack_expect {
 	void (*expectfn)(struct nf_conn *new,
 			 struct nf_conntrack_expect *this);
 
+#ifdef ATL_CHANGE
+	/* Logging function to call when seeing an expected connection */
+	void (*logfn)(const struct nf_conntrack_tuple *tuple);
+#endif
+
 	/* Helper to assign to new connection */
 	struct nf_conntrack_helper *helper;
 
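Review bot: `ATL_CHANGE` is a vendor-local build switch rather than a Kconfig symbol, so as submitted the new `logfn` member is never compiled in an upstream tree; drop the `#ifdef` or, if the feature must be optional, gate it on a `CONFIG_NF_CONNTRACK_*` option. The comment on `logfn` should also state what the callback receives (the tuple of the new expected connection, per the call site in `init_conntrack()`) and that it runs in the packet-receive path, so it must not sleep.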
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 37d8c06..8f4e15c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -984,6 +984,10 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
 				if (help)
 					rcu_assign_pointer(help->helper, exp->helper);
 			}
+#ifdef ATL_CHANGE
+			if (exp->logfn)
+				exp->logfn(tuple);
+#endif
 
 #ifdef CONFIG_NF_CONNTRACK_MARK
 			ct->mark = exp->master->mark;
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index b666959..3dd1900 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -382,6 +382,23 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
 	}
 }
 
+#ifdef ATL_CHANGE
+void log_ftp_data_connection(const struct nf_conntrack_tuple *tuple)
+{
+	if (tuple) {
+		if (tuple->src.l3num == PF_INET) {
+			pr_info("FTP data connection initiated by %pI4:%d to %pI4:%d\n",
+				&tuple->src.u3.ip, tuple->src.u.tcp.port,
+				&tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+		} else {
+			pr_info("FTP data connection initiated by %pI6:%d to %pI6:%d\n",
+				&tuple->src.u3.ip, tuple->src.u.tcp.port,
+				&tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+		}
+	}
+}
+#endif
+
 static int help(struct sk_buff *skb,
 		unsigned int protoff,
 		struct nf_conn *ct,
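Review bot: `tuple->src.u.tcp.port` and `tuple->dst.u.tcp.port` are `__be16` (network byte order), so printing them with `%d` produces byte-swapped port numbers on little-endian hosts; wrap them in `ntohs()`. The `else` branch treats every `l3num` other than `PF_INET` as IPv6; check `PF_INET6` explicitly. `log_ftp_data_connection()` is non-static with no prototype and will trigger a missing-prototype warning; make it `static`. Finally, an unconditional `pr_info()` on every expected connection lets one busy FTP session fill the kernel log; at minimum use `pr_info_ratelimited()`, and preferably route the event through the existing packet-logging infrastructure (`nf_log_packet()` / LOG / NFLOG) so administrators keep the prefix, level and rate-limit controls they already configure in their rules.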
@@ -529,6 +546,10 @@ skip_nl_seq:
 			  &ct->tuplehash[!dir].tuple.src.u3, daddr,
 			  IPPROTO_TCP, NULL, &cmd.u.tcp.port);
 
+#ifdef ATL_CHANGE
+	exp->logfn = log_ftp_data_connection;
+#endif
+
 	/* Now, NAT might want to mangle the packet, and register the
 	 * (possibly changed) expectation itself. */
 	nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
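Review bot: `exp->logfn` is wired only for the FTP helper here, while the cover letter presents the mechanism as working for any conntrack helper; either hook the other expectation-creating helpers or narrow the description. Also, the comment immediately below notes that NAT may register a (possibly changed) expectation itself via `nf_nat_ftp`; confirm that the `logfn` pointer survives that path, otherwise NATed FTP sessions, the common case on a router, would be exactly the ones that go unlogged.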
-- 
2.9.3


* Re: Patch to netfilter conntrack for secondary connection logging
  2016-08-22  2:11 Patch to netfilter conntrack for secondary connection logging Thomas Winter
@ 2016-08-22  9:00 ` Florian Westphal
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2016-08-22  9:00 UTC (permalink / raw)
  To: Thomas Winter; +Cc: netdev

Thomas Winter <Thomas.Winter@alliedtelesis.co.nz> wrote:
> Hello,
> 
> We are using netfilter to implement a firewall for a router and we had the problem that the ftp data connections were not being logged.
> I did some investigating and found that it is conntrack that is allowing the secondary connection by the ftp helper module.
> I created a patch to enable such logging for any conntrack helper.
> Is this a good change? Or did I miss something really obvious?

It should be possible to log the data connections via

-p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j (NF)LOG

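A complete ruleset built around the `-m helper --helper ftp` match Florian points to, as an added example that is not part of either message in the thread. It attaches the ftp helper explicitly in the raw table (required where automatic helper assignment is disabled through the nf_conntrack_helper sysctl), accepts and logs the control connection, and logs each data connection exactly once, when its first packet arrives in state RELATED. The LAN subnet, the chain name FTP_LOG, the use of the FORWARD chain and the `apply` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: log FTP data connections with the
# xt_helper match instead of a kernel patch. Assumed values are marked below.

LAN_NET="${LAN_NET:-192.168.1.0/24}"          # assumption: LAN subnet behind the router
LOG_PREFIX="Firewall rule 12: PERMIT "         # prefix taken from the thread's rules

# Emit the whole ruleset in iptables-restore format on stdout.
build_ftp_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Attach the ftp helper to the control connection explicitly. On kernels where
# nf_conntrack_helper=0, helpers are no longer assigned by port automatically,
# and without a helper the data connections would never be classified RELATED.
-A PREROUTING -s ${LAN_NET} -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:FORWARD DROP [0:0]
:FTP_LOG - [0:0]
# Packets of already-accepted flows: no log line, so each connection is logged once.
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# New control connection from the LAN to an FTP server.
-A FORWARD -s ${LAN_NET} -p tcp --dport 21 -m conntrack --ctstate NEW -j FTP_LOG
# First packet of a data connection, in either direction (active or passive
# mode): RELATED to a master whose helper is ftp.
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j FTP_LOG
# Log, then accept.
-A FTP_LOG -j LOG --log-level info --log-prefix "${LOG_PREFIX}"
-A FTP_LOG -j ACCEPT
COMMIT
EOF
}

# Number of rules that use the helper match (self-check for the ruleset).
count_helper_rules() {
    build_ftp_rules | grep -c -- '-m helper --helper ftp'
}

# Number of rules that attach the helper in the raw table.
count_ct_helper_rules() {
    build_ftp_rules | grep -c -- '-j CT --helper ftp'
}

# Load the ruleset atomically; only runs when invoked as: sh thisfile apply
apply_ftp_rules() {
    build_ftp_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_ftp_rules
else
    build_ftp_rules
fi
```

Running the script without arguments prints the ruleset so it can be reviewed; `apply` loads it with `iptables-restore`, which replaces the raw and filter tables in one step. Swapping `-j LOG` for `-j NFLOG --nflog-group N` sends the same events to a userspace collector (ulogd) instead of the kernel ring buffer, which is the better choice when the log must survive reboot or feed a SIEM.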
