* [NETFILTER 2/8]: Add NetBIOS name service helper @ 2005-09-06 17:55 Patrick McHardy 2005-09-06 18:10 ` Patrick McHardy 0 siblings, 1 reply; 8+ messages in thread From: Patrick McHardy @ 2005-09-06 17:55 UTC (permalink / raw) To: David S. Miller; +Cc: Netfilter Development Mailinglist [-- Attachment #1: 02.diff --] [-- Type: text/x-patch, Size: 2272 bytes --] [NETFILTER]: Add NetBIOS name service helper Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit b057eac5e17bda8e06a6f3241a837d415a18be4d tree fd37ca39beae9fad2e0ce5a652756ebc5f9acaab parent d6d0e225ee3dd43d2a14fbd0aaded74bc7d45da1 author Patrick McHardy <kaber@trash.net> Sun, 04 Sep 2005 17:50:41 +0200 committer Patrick McHardy <kaber@trash.net> Sun, 04 Sep 2005 17:50:41 +0200 net/ipv4/netfilter/Kconfig | 19 +++++++++++++++++++ net/ipv4/netfilter/Makefile | 1 + 2 files changed, 20 insertions(+), 0 deletions(-) diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig @@ -85,6 +85,25 @@ config IP_NF_IRC To compile it as a module, choose M here. If unsure, say Y. +config IP_NF_NETBIOS_NS + tristate "NetBIOS name service protocol support (EXPERIMENTAL)" + depends on IP_NF_CONNTRACK && EXPERIMENTAL + help + NetBIOS name service requests are sent as broadcast messages from an + unprivileged port and responded to with unicast messages to the + same port. This make them hard to firewall properly because connection + tracking doesn't deal with broadcasts. This helper tracks locally + originating NetBIOS name service requests and the corresponding + responses. It relies on correct IP address configuration, specifically + netmask and broadcast address. When properly configured, the output + of "ip address show" should look similar to this: + + $ ip -4 address show eth0 + 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 + inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 + + To compile it as a module, choose M here. If unsure, say N. + config IP_NF_TFTP tristate "TFTP protocol support" depends on IP_NF_CONNTRACK diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile @@ -21,6 +21,7 @@ obj-$(CONFIG_IP_NF_AMANDA) += ip_conntra obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o +obj-$(CONFIG_IP_NF_NETBIOS_NS) += ip_conntrack_netbios_ns.o # NAT helpers obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [NETFILTER 2/8]: Add NetBIOS name service helper 2005-09-06 17:55 [NETFILTER 2/8]: Add NetBIOS name service helper Patrick McHardy @ 2005-09-06 18:10 ` Patrick McHardy 2005-09-07 2:50 ` Samir Bellabes 0 siblings, 1 reply; 8+ messages in thread From: Patrick McHardy @ 2005-09-06 18:10 UTC (permalink / raw) To: David S. Miller; +Cc: Netfilter Development Mailinglist [-- Attachment #1: Type: text/plain, Size: 295 bytes --] Patrick McHardy wrote: > [NETFILTER]: Add NetBIOS name service helper > > net/ipv4/netfilter/Kconfig | 19 +++++++++++++++++++ > net/ipv4/netfilter/Makefile | 1 + > 2 files changed, 20 insertions(+), 0 deletions(-) Oops, I forgot to add the helper itself :) Updated patch attached. [-- Attachment #2: 02.diff --] [-- Type: text/x-patch, Size: 6249 bytes --] [NETFILTER]: Add NetBIOS name service helper Signed-off-by: Patrick McHardy <kaber@trash.net> --- commit 85bc351b1e912ddda397f10da5961b7b843c66b1 tree 2357ca08f9e7c1ac26701c7d24b709f4837a915c parent d6d0e225ee3dd43d2a14fbd0aaded74bc7d45da1 author Patrick McHardy <kaber@trash.net> Tue, 06 Sep 2005 20:09:02 +0200 committer Patrick McHardy <kaber@trash.net> Tue, 06 Sep 2005 20:09:02 +0200 net/ipv4/netfilter/Kconfig | 19 ++++ net/ipv4/netfilter/Makefile | 1 net/ipv4/netfilter/ip_conntrack_netbios_ns.c | 131 ++++++++++++++++++++++++++ 3 files changed, 151 insertions(+), 0 deletions(-) diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig @@ -85,6 +85,25 @@ config IP_NF_IRC To compile it as a module, choose M here. If unsure, say Y. +config IP_NF_NETBIOS_NS + tristate "NetBIOS name service protocol support (EXPERIMENTAL)" + depends on IP_NF_CONNTRACK && EXPERIMENTAL + help + NetBIOS name service requests are sent as broadcast messages from an + unprivileged port and responded to with unicast messages to the + same port. This make them hard to firewall properly because connection + tracking doesn't deal with broadcasts. This helper tracks locally + originating NetBIOS name service requests and the corresponding + responses. It relies on correct IP address configuration, specifically + netmask and broadcast address. When properly configured, the output + of "ip address show" should look similar to this: + + $ ip -4 address show eth0 + 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 + inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 + + To compile it as a module, choose M here. If unsure, say N. + config IP_NF_TFTP tristate "TFTP protocol support" depends on IP_NF_CONNTRACK diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile @@ -21,6 +21,7 @@ obj-$(CONFIG_IP_NF_AMANDA) += ip_conntra obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o +obj-$(CONFIG_IP_NF_NETBIOS_NS) += ip_conntrack_netbios_ns.o # NAT helpers obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o diff --git a/net/ipv4/netfilter/ip_conntrack_netbios_ns.c b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c new file mode 100644 --- /dev/null +++ b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c @@ -0,0 +1,131 @@ +/* + * NetBIOS name service broadcast connection tracking helper + * + * (c) 2005 Patrick McHardy <kaber@trash.net> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + */ +/* + * This helper tracks locally originating NetBIOS name service + * requests by issuing permanent expectations (valid until + * timing out) matching all reply connections from the + * destination network. The only NetBIOS specific thing is + * actually the port number. + */ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/init.h> +#include <linux/skbuff.h> +#include <linux/netdevice.h> +#include <linux/inetdevice.h> +#include <linux/in.h> +#include <linux/ip.h> +#include <linux/udp.h> +#include <net/route.h> + +#include <linux/netfilter.h> +#include <linux/netfilter_ipv4.h> +#include <linux/netfilter_ipv4/ip_conntrack.h> +#include <linux/netfilter_ipv4/ip_conntrack_helper.h> + +MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); +MODULE_DESCRIPTION("NetBIOS name service broadcast connection tracking helper"); +MODULE_LICENSE("GPL"); + +static unsigned int timeout = 3; +module_param(timeout, int, 0600); +MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds"); + +static int help(struct sk_buff **pskb, + struct ip_conntrack *ct, enum ip_conntrack_info ctinfo) +{ + struct ip_conntrack_expect *exp; + struct iphdr *iph = (*pskb)->nh.iph; + struct udphdr _uh, *uh; + struct rtable *rt = (struct rtable *)(*pskb)->dst; + struct in_device *in_dev; + u_int32_t mask = 0; + + /* we're only interested in locally generated packets */ + if ((*pskb)->sk == NULL) + goto out; + if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST)) + goto out; + if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) + goto out; + + rcu_read_lock(); + in_dev = __in_dev_get(rt->u.dst.dev); + if (in_dev != NULL) { + for_primary_ifa(in_dev) { + if (ifa->ifa_broadcast == iph->daddr) { + mask = ifa->ifa_mask; + break; + } + } endfor_ifa(in_dev); + } + rcu_read_unlock(); + + if (mask == 0) + goto out; + + uh = skb_header_pointer(*pskb, iph->ihl * 4, sizeof(_uh), &_uh); + BUG_ON(uh == NULL); + + exp = ip_conntrack_expect_alloc(ct); + if (exp == NULL) + goto out; + memset(&exp->tuple, 0, sizeof(exp->tuple)); + exp->tuple.src.ip = iph->daddr & mask; + exp->tuple.dst.ip = iph->saddr; + exp->tuple.dst.u.udp.port = uh->source; + exp->tuple.dst.protonum = IPPROTO_UDP; + + memset(&exp->mask, 0, sizeof(exp->mask)); + exp->mask.src.ip = mask; + exp->mask.dst.ip = 0xFFFFFFFF; + exp->mask.dst.u.udp.port = 0xFFFF; + exp->mask.dst.protonum = 0xFF; + + exp->expectfn = NULL; + exp->flags = IP_CT_EXPECT_PERMANENT; + + ip_conntrack_expect_related(exp); + ip_conntrack_expect_put(exp); + + ip_ct_refresh_acct(ct, ctinfo, NULL, timeout * HZ); +out: + return NF_ACCEPT; +} + +static struct ip_conntrack_helper helper = { + .name = "netbios-ns", + .tuple = { + .src.u.udp.port = __constant_htons(137), + .dst.protonum = IPPROTO_UDP, + }, + .mask = { + .src.u.udp.port = 0xFFFF, + .dst.protonum = 0xFF, + }, + .max_expected = 1, + .me = THIS_MODULE, + .help = help, +}; + +static int __init init(void) +{ + helper.timeout = timeout; + return ip_conntrack_helper_register(&helper); +} + +static void __exit fini(void) +{ + ip_conntrack_helper_unregister(&helper); +} + +module_init(init); +module_exit(fini); ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [NETFILTER 2/8]: Add NetBIOS name service helper 2005-09-06 18:10 ` Patrick McHardy @ 2005-09-07 2:50 ` Samir Bellabes 2005-09-07 2:56 ` David S. Miller 0 siblings, 1 reply; 8+ messages in thread From: Samir Bellabes @ 2005-09-07 2:50 UTC (permalink / raw) To: Patrick McHardy; +Cc: Netfilter Development Mailinglist, David S. Miller [-- Attachment #1: Type: text/plain, Size: 265 bytes --] Patrick McHardy <kaber@trash.net> writes: > [NETFILTER]: Add NetBIOS name service helper > > Signed-off-by: Patrick McHardy <kaber@trash.net> Hi, this attached patch fix the return valued when creating expectation failed. Please apply. regards, Samir Bellabes [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: ip_ct_netbios_drop.patch --] [-- Type: text/x-patch, Size: 1549 bytes --] tree b731304f287168ee36e45517dffdf27ea9dfe47c parent 48bc41a49c4f3aa760dff84e7f71437f5ed520fe author Samir Bellabes <sbellabes@mandriva.com> 1126061246 +0200 committer Samir Bellabes <sbellabes@mandriva.com> 1126061246 +0200 [NETFILTER] Return NF_DROP if expectation failed for Netbios conntrack Fix the returned value when it's not possible to allocate expectation or if ip_conntrack_expect_related() failed. Signed-off-by: Samir Bellabes <sbellabes@mandriva.com> ------------------------------------------------------------------------------ ip_conntrack_netbios_ns.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) ------------------------------------------------------------------------------ diff --git a/net/ipv4/netfilter/ip_conntrack_netbios_ns.c b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c --- a/net/ipv4/netfilter/ip_conntrack_netbios_ns.c +++ b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c @@ -77,7 +77,7 @@ static int help(struct sk_buff **pskb, exp = ip_conntrack_expect_alloc(ct); if (exp == NULL) - goto out; + return NF_DROP; memset(&exp->tuple, 0, sizeof(exp->tuple)); exp->tuple.src.ip = iph->daddr & mask; exp->tuple.dst.ip = iph->saddr; @@ -93,7 +93,8 @@ static int help(struct sk_buff **pskb, exp->expectfn = NULL; exp->flags = IP_CT_EXPECT_PERMANENT; - ip_conntrack_expect_related(exp); + if (ip_conntrack_expect_related(exp) != 0) + return NF_DROP; ip_conntrack_expect_put(exp); ip_ct_refresh_acct(ct, ctinfo, NULL, timeout * HZ); ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [NETFILTER 2/8]: Add NetBIOS name service helper 2005-09-07 2:50 ` Samir Bellabes @ 2005-09-07 2:56 ` David S. Miller 2005-09-07 3:01 ` Patrick McHardy 0 siblings, 1 reply; 8+ messages in thread From: David S. Miller @ 2005-09-07 2:56 UTC (permalink / raw) To: sbellabes; +Cc: netfilter-devel, kaber From: Samir Bellabes <sbellabes@mandriva.com> Subject: Re: [NETFILTER 2/8]: Add NetBIOS name service helper Date: Wed, 07 Sep 2005 04:50:16 +0200 > [NETFILTER] Return NF_DROP if expectation failed for Netbios conntrack > > Fix the returned value when it's not possible to allocate expectation > or if ip_conntrack_expect_related() failed. > > Signed-off-by: Samir Bellabes <sbellabes@mandriva.com> Patrick, I've applied this, I hope you don't mind :) ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [NETFILTER 2/8]: Add NetBIOS name service helper 2005-09-07 2:56 ` David S. Miller @ 2005-09-07 3:01 ` Patrick McHardy 2005-09-07 3:02 ` David S. Miller 2005-09-07 9:57 ` Samir Bellabes 0 siblings, 2 replies; 8+ messages in thread From: Patrick McHardy @ 2005-09-07 3:01 UTC (permalink / raw) To: David S. Miller; +Cc: netfilter-devel, sbellabes David S. Miller wrote: > From: Samir Bellabes <sbellabes@mandriva.com> > Subject: Re: [NETFILTER 2/8]: Add NetBIOS name service helper > Date: Wed, 07 Sep 2005 04:50:16 +0200 > > >>[NETFILTER] Return NF_DROP if expectation failed for Netbios conntrack >> >>Fix the returned value when it's not possible to allocate expectation >>or if ip_conntrack_expect_related() failed. >> >>Signed-off-by: Samir Bellabes <sbellabes@mandriva.com> > > > Patrick, I've applied this, I hope you don't mind :) Actually it was deliberate, I don't see a reason why the packet should be dropped, its best effort. Besides that the patch creates a reference leak, we always need to call ip_conntrack_expect_put. Please revert the patch. Thanks. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [NETFILTER 2/8]: Add NetBIOS name service helper 2005-09-07 3:01 ` Patrick McHardy @ 2005-09-07 3:02 ` David S. Miller 2005-09-07 9:57 ` Samir Bellabes 1 sibling, 0 replies; 8+ messages in thread From: David S. Miller @ 2005-09-07 3:02 UTC (permalink / raw) To: kaber; +Cc: netfilter-devel, sbellabes From: Patrick McHardy <kaber@trash.net> Date: Wed, 07 Sep 2005 05:01:20 +0200 > Actually it was deliberate, I don't see a reason why the packet > should be dropped, its best effort. Besides that the patch > creates a reference leak, we always need to call > ip_conntrack_expect_put. Please revert the patch. Thanks. Ok, will do. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [NETFILTER 2/8]: Add NetBIOS name service helper 2005-09-07 3:01 ` Patrick McHardy 2005-09-07 3:02 ` David S. Miller @ 2005-09-07 9:57 ` Samir Bellabes 2005-09-07 10:13 ` Patrick McHardy 1 sibling, 1 reply; 8+ messages in thread From: Samir Bellabes @ 2005-09-07 9:57 UTC (permalink / raw) To: Patrick McHardy; +Cc: netfilter-devel, David S. Miller [-- Attachment #1: Type: text/plain, Size: 824 bytes --] Patrick McHardy <kaber@trash.net> writes: >>>[NETFILTER] Return NF_DROP if expectation failed for Netbios conntrack >>>Fix the returned value when it's not possible to allocate expectation >>>or if ip_conntrack_expect_related() failed. >>>Signed-off-by: Samir Bellabes <sbellabes@mandriva.com> >> Patrick, I've applied this, I hope you don't mind :) > > Actually it was deliberate, I don't see a reason why the packet > should be dropped, its best effort. All conntracks are dropping packets, in that way. netbios_ns should do the same, or other conntracks should be patched. > Besides that the patch > creates a reference leak, we always need to call > ip_conntrack_expect_put. Please revert the patch. Thanks. You are right, i'm proposing this patch, which don't introduce the reference leak. regards, Samir Bellabes [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: ip_ct_netbios_drop.patch --] [-- Type: text/x-patch, Size: 1963 bytes --] tree 04acb82014fc0e82fa4c77dae5e2281e90b366c8 parent 48bc41a49c4f3aa760dff84e7f71437f5ed520fe author Samir Bellabes <sbellabes@mandriva.com> 1126085733 +0200 committer Samir Bellabes <sbellabes@mandriva.com> 1126085733 +0200 [NETFILTER] Return NF_DROP if expectation failed for Netbios conntrack Fix the returned value when it's not possible to allocate expectation or if ip_conntrack_expect_related() failed. Signed-off-by: Samir Bellabes <sbellabes@mandriva.com> ------------------------------------------------------------------------------ ip_conntrack_netbios_ns.c | 10 +++++++--- 1 files changed, 7 insertions(+), 3 deletions(-) ------------------------------------------------------------------------------ diff --git a/net/ipv4/netfilter/ip_conntrack_netbios_ns.c b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c --- a/net/ipv4/netfilter/ip_conntrack_netbios_ns.c +++ b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c @@ -48,6 +48,7 @@ static int help(struct sk_buff **pskb, struct rtable *rt = (struct rtable *)(*pskb)->dst; struct in_device *in_dev; u_int32_t mask = 0; + int ret = NF_ACCEPT; /* we're only interested in locally generated packets */ if ((*pskb)->sk == NULL) @@ -76,8 +77,10 @@ static int help(struct sk_buff **pskb, BUG_ON(uh == NULL); exp = ip_conntrack_expect_alloc(ct); - if (exp == NULL) + if (exp == NULL) { + ret = NF_DROP; goto out; + } memset(&exp->tuple, 0, sizeof(exp->tuple)); exp->tuple.src.ip = iph->daddr & mask; exp->tuple.dst.ip = iph->saddr; @@ -93,12 +96,13 @@ static int help(struct sk_buff **pskb, exp->expectfn = NULL; exp->flags = IP_CT_EXPECT_PERMANENT; - ip_conntrack_expect_related(exp); + if (ip_conntrack_expect_related(exp) !=0) + ret = NF_DROP; ip_conntrack_expect_put(exp); ip_ct_refresh_acct(ct, ctinfo, NULL, timeout * HZ); out: - return NF_ACCEPT; + return ret; } static struct ip_conntrack_helper helper = { ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [NETFILTER 2/8]: Add NetBIOS name service helper 2005-09-07 9:57 ` Samir Bellabes @ 2005-09-07 10:13 ` Patrick McHardy 0 siblings, 0 replies; 8+ messages in thread From: Patrick McHardy @ 2005-09-07 10:13 UTC (permalink / raw) To: Samir Bellabes; +Cc: netfilter-devel, David S. Miller Samir Bellabes wrote: > Patrick McHardy <kaber@trash.net> writes: > >>Actually it was deliberate, I don't see a reason why the packet >>should be dropped, its best effort. > > All conntracks are dropping packets, in that way. > netbios_ns should do the same, or other conntracks should be patched. Dropping when NAT fails makes sense because the reply packet must be handled and the state is required for this. Dropping when setting up an expectation fails doesn't make any sense to me, the reply could still make it because for example there are no rules or it is accepted by the rulesset. Connection tracking only does tracking, not filtering, and should only drop packets if necessary for accurate tracking. Look at the FTP helper for example. It also tracks passive mode connections, which are in many cases allowed by the ruleset anyway. By dropping the packet we break what might work otherwise. So I think changing the other helpers to only drop when really neccesary also makes sense. ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2005-09-07 10:13 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2005-09-06 17:55 [NETFILTER 2/8]: Add NetBIOS name service helper Patrick McHardy 2005-09-06 18:10 ` Patrick McHardy 2005-09-07 2:50 ` Samir Bellabes 2005-09-07 2:56 ` David S. Miller 2005-09-07 3:01 ` Patrick McHardy 2005-09-07 3:02 ` David S. Miller 2005-09-07 9:57 ` Samir Bellabes 2005-09-07 10:13 ` Patrick McHardy
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.