From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Marc Haber <mh+netfilter@zugschlus.de>
Cc: netfilter@vger.kernel.org
Subject: Re: conntrack helpers in kernel 4.7
Date: Thu, 11 Aug 2016 14:17:34 +0200	[thread overview]
Message-ID: <20160811121734.GA1155@salvia> (raw)
In-Reply-To: <20160811115335.GY9430@torres.zugschlus.de>

On Thu, Aug 11, 2016 at 01:53:36PM +0200, Marc Haber wrote:
> On Thu, Aug 11, 2016 at 01:34:35PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Aug 11, 2016 at 10:52:51AM +0200, Marc Haber wrote:
> > > This confuses me:
> > > 
> > > (1) Why does the packet end up in the input queue in the first place?
> > > To me, this looks like the incoming packet on unt381 is not correctly
> > > tracked by the NAT code. It should be natted and processed by the
> > > FORWARD chain.
> > > 
> > > (2) Why are the packet counters of all ctstate rules with helper match
> > > "sip" at zero? Why don't they apply for the incoming packet which
> > > seems to fall through until the concluding REJECT rule?
> > 
> > Because no conntrack entries are getting the sip helper attached.
> > 
> > > (3) do I need the PREROUTING --jump CT rule mentioned in the Securing
> > > helpers page if I only use the default Port 5060?
> > 
> > Yes, the CT target explicitly attaches the conntrack helper, so you
> > need something like:
> > 
> >         -A PREROUTING -t raw -p udp --dport 5060 -j CT --helper sip
> > 
> > This plugs the sip helper to every new flow going to port 5060.
> 
> Can I see in conntrack(1) output whether a flow has a helper attached?

Yes, conntrack -L shows here:

tcp      6 431999 ESTABLISHED src=192.168.3.132 dst=130.89.148.12
sport=54736 dport=21 src=130.89.148.12 dst=192.168.3.132 sport=21
dport=54736 [ASSURED] mark=0 helper=ftp use=2

it should show similar thing for sip.

> Is the helper supposed to be attached to the first packet only?

It is attached to the flow and remains there until the flow is torn
down. The first packet creates the flow entry in the conntrack table;
by then, the helper is set up.

> I now have:
> Chain PREROUTING (policy ACCEPT 1909 packets, 445K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 helper match "sip" CT
> 
> # Generated by iptables-save v1.4.21 on Thu Aug 11 13:51:44 2016
> *raw
> :PREROUTING ACCEPT [2022:465365]
> :OUTPUT ACCEPT [16:4970]
> -A PREROUTING -p udp -m udp --dport 5060 -m helper --helper sip -j CT

note that:

        -m helper sip

is used to match based on the helper name and you have no helper yet.

To attach the helper you have to use:

        -j CT --helper sip

and remove the -m helper match given, so this looks like:

-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip

in the raw table.

Thread overview: 6+ messages
2016-08-11  8:52 conntrack helpers in kernel 4.7 Marc Haber
2016-08-11 11:34 ` Pablo Neira Ayuso
2016-08-11 11:53   ` Marc Haber
2016-08-11 12:17     ` Pablo Neira Ayuso [this message]
2016-08-11 13:29       ` Marc Haber
2016-08-11 19:44         ` Marc Haber