From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jiri Slaby <jslaby@suse.cz>
Cc: jirislaby@gmail.com, linux-kernel@vger.kernel.org,
	Jiri Bohac <jbohac@suse.cz>,
	netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org,
	coreteam@netfilter.org, netdev@vger.kernel.org,
	"David S. Miller" <davem@davemloft.net>,
	Patrick McHardy <kaber@trash.net>
Subject: Re: [PATCH 05/15] connection tracking helper for SLP
Date: Wed, 8 May 2013 04:03:28 +0200
Message-ID: <20130508020328.GA7747@localhost>
In-Reply-To: <1367936303-13386-5-git-send-email-jslaby@suse.cz>

On Tue, May 07, 2013 at 04:18:13PM +0200, Jiri Slaby wrote:
> From: Jiri Bohac <jbohac@suse.cz>
> 
> A simple connection tracking helper for SLP. Marks replies to a
> SLP broadcast query as ESTABLISHED to allow them to pass through the
> firewall.
> 
> Signed-off-by: Jiri Bohac <jbohac@suse.cz>
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> Cc: netfilter-devel@vger.kernel.org
> Cc: netfilter@vger.kernel.org
> Cc: coreteam@netfilter.org
> Cc: netdev@vger.kernel.org
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Patrick McHardy <kaber@trash.net>
> Cc: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/Kconfig            |  15 +++++
>  net/netfilter/Makefile           |   1 +
>  net/netfilter/nf_conntrack_slp.c | 131 +++++++++++++++++++++++++++++++++++++++
>  3 files changed, 147 insertions(+)
>  create mode 100644 net/netfilter/nf_conntrack_slp.c
> 
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 56d22ca..ec61b30 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -320,6 +320,21 @@ config NF_CONNTRACK_TFTP
>  
>  	  To compile it as a module, choose M here.  If unsure, say N.
>  
> +config NF_CONNTRACK_SLP
> +	tristate "SLP protocol support"
> +	depends on NF_CONNTRACK
> +	depends on NETFILTER_ADVANCED
> +	help
> +	  SLP queries are sometimes sent as broadcast messages from an
> +	  unprivileged port and responded to with unicast messages to the
> +	  same port. This make them hard to firewall properly because connection
> +	  tracking doesn't deal with broadcasts. This helper tracks locally
> +	  originating broadcast SLP queries and the corresponding
> +	  responses. It relies on correct IP address configuration, specifically
> +	  netmask and broadcast address.
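
Review bot: the help text for the new NF_CONNTRACK_SLP entry says the helper "relies on correct IP address configuration, specifically netmask and broadcast address" but never says what happens when that configuration is wrong. Since the helper exists to let unicast replies through the firewall, the text should state the failure mode (legitimate replies dropped, or replies accepted that should not be) so an administrator knows what is being relied on. In the same paragraph, "This make them hard to firewall" should read "This makes them hard to firewall". In the lines quoted here the entry also lacks the closing "To compile it as a module, choose M here.  If unsure, say N." sentence that ends the NF_CONNTRACK_TFTP entry just above it, although this is a tristate option.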

We have the user-space helper infrastructure in the conntrack-tools,
this helper has to go there.
