* [PATCH conntrackd,v2 1/2] cthelper: Set up userspace helpers when daemon starts
@ 2021-05-28 11:43 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-05-28 11:43 UTC (permalink / raw)
  To: netfilter-devel

Add a new setting to allow conntrackd to autoconfigure the userspace
helpers at startup.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: do not destroy helper, it hits EBUSY if it is used from the ruleset.

 doc/helper/conntrackd.conf | 14 ++++++++++++--
 include/conntrackd.h       |  1 +
 src/cthelper.c             |  5 +++++
 src/read_config_lex.l      |  1 +
 src/read_config_yy.y       | 13 ++++++++++++-
 5 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 6ffe00863c88..cbcb284aa92d 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -3,11 +3,21 @@
 #
 
 Helper {
-	# Before this, you have to make sure you have registered the `ftp'
-	# user-space helper stub via:
+	#
+	# Set up the userspace helpers when the daemon is started. If unset,
+	# you have manually set up the user-space helper stub, e.g.
 	#
 	# nfct add helper ftp inet tcp
 	#
+	# This new setting simplifies new deployment, so it is recommended to
+	# turn it on. On existing deployments, make sure to remove the nfct
+	# command invocation since it is not required anymore.
+	#
+	# Default: no (for backward compatibility reasons)
+	# Recommended: yes
+	#
+	Setup yes
+
 	Type ftp inet tcp {
 		#
 		# Set NFQUEUE number you want to use to receive traffic from
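Review bot: the new comment text in doc/helper/conntrackd.conf has two grammar slips that ship verbatim to users: `# you have manually set up the user-space helper stub, e.g.` should read `# you have to manually set up the user-space helper stub, e.g.`, and `# This new setting simplifies new deployment` should read `new deployments`. It would also help to state here what `Setup yes` actually changes (the daemon performs the registration that `nfct add helper` used to do), since the sentence about removing the nfct invocation is currently the only hint.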
diff --git a/include/conntrackd.h b/include/conntrackd.h
index fe9ec1854a7d..3e0d09585b26 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -138,6 +138,7 @@ struct ct_conf {
 	} stats;
 	struct {
 		struct list_head list;
+		bool setup;
 	} cthelper;
 };
 
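Review bot: `bool setup;` relies on `<stdbool.h>` (or an equivalent typedef) being visible in include/conntrackd.h, and the hunk adds no include, so please confirm the header already pulls it in; otherwise any unit that includes conntrackd.h before stdbool.h fails to build. The option is documented as defaulting to `no`, which depends on the config struct being zero-initialised; a one-line comment on the field saying so would make that intent explicit.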
diff --git a/src/cthelper.c b/src/cthelper.c
index f01c509abaa4..07b781f73c80 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -49,6 +49,7 @@
 #include <linux/netfilter.h>
 #include <libnetfilter_queue/pktbuff.h>
 
+
 void cthelper_kill(void)
 {
 	mnl_socket_close(STATE_CTH(nl));
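Review bot: the only change in this hunk is an added blank line after the include block in src/cthelper.c, leaving a second empty line before `cthelper_kill`; it looks like a leftover from an earlier revision and should be dropped so the patch carries only the functional change.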
@@ -386,6 +387,10 @@ static int cthelper_setup(struct ctd_helper_instance *cur)
 	nfct_helper_attr_set_u32(t, NFCTH_ATTR_QUEUE_NUM, cur->queue_num);
 	nfct_helper_attr_set_u16(t, NFCTH_ATTR_PROTO_L3NUM, cur->l3proto);
 	nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, cur->l4proto);
+	if (CONFIG(cthelper).setup) {
+		nfct_helper_attr_set_u32(t, NFCTH_ATTR_PRIV_DATA_LEN,
+					 cur->helper->priv_data_len);
+	}
 	nfct_helper_attr_set_u32(t, NFCTH_ATTR_STATUS,
 					NFCT_HELPER_STATUS_ENABLED);
 
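Review bot: the `if (CONFIG(cthelper).setup)` block sets only NFCTH_ATTR_PRIV_DATA_LEN, and that attribute appears to be what turns the existing attribute-set message into a full helper registration instead of an update of a pre-registered stub; the commit message only says "autoconfigure", so please spell that mechanism out there. Also, the config comment tells existing deployments to drop their `nfct add helper` invocation, but nothing in the visible lines handles the case where the helper is already registered (a leftover stub, or a previous daemon instance that did not destroy it, as the v2 note explains); please check what the kernel returns in that case and either tolerate it or log a clear error at startup.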
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index f1f4fe3f5b5d..7dc400a3a9b5 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -141,6 +141,7 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 "ExpectTimeout"			{ return T_HELPER_EXPECT_TIMEOUT; }
 "Systemd"			{ return T_SYSTEMD; }
 "StartupResync"			{ return T_STARTUP_RESYNC; }
+"Setup"				{ return T_SETUP; }
 
 {is_true}		{ return T_ON; }
 {is_false}		{ return T_OFF; }
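Review bot: `"Setup"` is added as a global keyword, like every other keyword in this lexer, so the word is reserved throughout conntrackd.conf rather than only inside the Helper block; that matches the file's conventions, but since `T_SETUP` is a generic name, consider `T_HELPER_SETUP` in line with the neighbouring `T_HELPER_EXPECT_TIMEOUT` so a later `Setup` option in another section does not collide with it.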
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index b215a729b716..95845a19e768 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -63,7 +63,7 @@ enum {
 
 %token T_IPV4_ADDR T_IPV4_IFACE T_PORT T_HASHSIZE T_HASHLIMIT T_MULTICAST
 %token T_PATH T_UNIX T_REFRESH T_IPV6_ADDR T_IPV6_IFACE
-%token T_BACKLOG T_GROUP T_IGNORE
+%token T_BACKLOG T_GROUP T_IGNORE T_SETUP
 %token T_LOG T_UDP T_ICMP T_IGMP T_VRRP T_TCP
 %token T_LOCK T_BUFFER_SIZE_MAX_GROWN T_EXPIRE T_TIMEOUT
 %token T_GENERAL T_SYNC T_STATS T_BUFFER_SIZE
@@ -1454,6 +1454,7 @@ helper_list:
 	    ;
 
 helper_line: helper_type
+	    | helper_setup
 	    ;
 
 helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
@@ -1562,6 +1563,16 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
 	list_add(&helper_inst->head, &CONFIG(cthelper).list);
 };
 
+helper_setup : T_SETUP T_ON
+{
+	CONFIG(cthelper).setup = true;
+};
+
+helper_setup : T_SETUP T_OFF
+{
+	CONFIG(cthelper).setup = false;
+};
+
 helper_type_list:
 		| helper_type_list helper_type_line
 		;
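Review bot: `helper_setup` is written as two separate rules (`helper_setup : T_SETUP T_ON` and `helper_setup : T_SETUP T_OFF`); bison merges them, but the rest of this grammar writes alternatives with `|` (see `helper_type_list` just below), so fold them into one rule:
helper_setup : T_SETUP T_ON { CONFIG(cthelper).setup = true; }
             | T_SETUP T_OFF { CONFIG(cthelper).setup = false; }
             ;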
-- 
2.30.2



* [PATCH conntrackd,v2 2/2] doc: manual: Document userspace helper configuration at daemon startup
@ 2021-05-28 11:43 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-05-28 11:43 UTC (permalink / raw)
  To: netfilter-devel

Describe how to configure conntrackd using the new simple setup approach.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: no changes.

 doc/manual/conntrack-tools.tmpl | 42 ++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index 64ac5dd54690..822dd496747a 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -905,32 +905,13 @@ maintainance.</para></listitem>
 <para>The following steps describe how to enable the RPC portmapper helper for NFSv3 (this is similar for other helpers):</para>
 
 <orderedlist>
-<listitem><para>Register user-space helper:
-
-<programlisting>
-nfct add helper rpc inet udp
-nfct add helper rpc inet tcp
-</programlisting>
-
-This registers the portmapper helper for both UDP and TCP (NFSv3 traffic goes both over TCP and UDP).
-</para></listitem>
-
-<listitem><para>Add iptables rule using the CT target:
-
-<programlisting>
-# iptables -I OUTPUT -t raw -p udp --dport 111 -j CT --helper rpc
-# iptables -I OUTPUT -t raw -p tcp --dport 111 -j CT --helper rpc
-</programlisting>
-
-With this, packets matching port TCP/UDP/111 are passed to user-space for
-inspection. If there is no instance of conntrackd configured to support
-user-space helpers, no inspection happens and packets are not sent to
-user-space.</para></listitem>
 
 <listitem><para>Add configuration to conntrackd.conf:
 
 <programlisting>
 Helper {
+        Setup yes
+
         Type rpc inet udp {
                 QueueNum 1
 		QueueLen 10240
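Review bot: removing the old first `<listitem>` leaves two consecutive blank lines directly after `<orderedlist>`; drop one. More importantly, the text remaining in this hunk never says that `Setup yes` is what replaces the removed `nfct add helper` step, while the option defaults to `no` according to the conntrackd.conf comment in patch 1/2; a reader who omits it gets a helper that is never registered. A sentence in the surrounding `<para>` saying that without `Setup yes` the helper must still be registered manually with nfct would close that gap.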
@@ -962,6 +943,25 @@ for inspection to user-space</para>
 
 </listitem>
 
+<listitem><para>Run conntrackd:
+<programlisting>
+# conntrackd -d -C /path/to/conntrackd.conf
+</programlisting>
+</para>
+</listitem>
+
+<listitem><para>Add iptables rule using the CT target:
+
+<programlisting>
+# iptables -I OUTPUT -t raw -p udp --dport 111 -j CT --helper rpc
+# iptables -I OUTPUT -t raw -p tcp --dport 111 -j CT --helper rpc
+</programlisting>
+
+With this, packets matching port TCP/UDP/111 are passed to user-space for
+inspection. If there is no instance of conntrackd configured to support
+user-space helpers, no inspection happens and packets are not sent to
+user-space.</para></listitem>
+
 </orderedlist>
 
 <para>Now you can test this (assuming you have some working NFSv3 setup) with:
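Review bot: the new "Run conntrackd" step gives `# conntrackd -d -C /path/to/conntrackd.conf` with no way for the reader to confirm the helper was actually registered before the iptables rule is added, even though the following step explains that packets are silently not sent to user-space when no conntrackd instance supports the helper; add a short check between the two steps (for example, looking at conntrackd's log output). The order of the two new steps is otherwise right: the CT target rule is now installed only after the daemon has set up the helper.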
-- 
2.30.2


