From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Kevin Cernekee <cernekee@chromium.org>
Cc: netfilter-devel@vger.kernel.org, ashley.hughes@blueyonder.co.uk,
	arequipeno@gmail.com
Subject: Re: Snooping expected connections in a user CT helper
Date: Tue, 23 Aug 2016 17:36:10 +0200	[thread overview]
Message-ID: <20160823153610.GA10746@salvia> (raw)
In-Reply-To: <CAJzqFtaj3V2viTtNjhoG5zPsz0XkPXi9XULRwz1PGOe3imq_XA@mail.gmail.com>

On Mon, Aug 22, 2016 at 08:34:41PM -0700, Kevin Cernekee wrote:
> On Wed, Aug 17, 2016 at 6:12 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Looking at ctnetlink, it should be possible to make it via
> > CTA_EXPECT_HELP_NAME. Thus, when we find a matching expectation,
> > the helper is set on this new connection too.
> >
> > See line 1086 in nf_conntrack_core.c.
> 
> Thanks, that works.  After setting the helper string, my callback is
> invoked for the replies.
> 
> I'm running into a couple of other issues with the existing ssdp helper, though:
> 
> 1) The code does not call cthelper_add_expect().  Nor do some of the
> other helpers, such as sane.

If you attach the helper via "myct->exp = exp" then the expectation is
set up from the nfqueue path.

cthelper_add_expect() was introduced in the first place, so it is an older
way to attach expectations from userspace, IIRC.

> When I use a restrictive firewall configuration, the expectation is
> never created (according to `conntrack -L expect`) and all of the
> incoming SSDP replies are dropped.  Adding a call to
> cthelper_add_expect() fixes this.  Do we know the circumstances
> under which the current master branch is expected to work properly?
> 
> 2) Just noticed that the sane and tftp modules require Linux 3.12+.
> My test system is running 3.8.  Does ssdp have a similar restriction,
> and if so, what would need to be backported?

Userspace expectation creation via nfqueue is available since 3.12.
The relevant code is under ctnetlink_nfqueue_attach_expect() in
nf_conntrack_netlink.c. If you want to follow that path, you'll have
to backport it, then pull the accumulated fixes by tracking my nf.git tree.

I can have a look back and see what needs to be passed to -stable (up
to 3.12) if that makes it easier for you.

> 3) It looks like each expectation matches, at most, one new
> connection.  So if my host multicasts an SSDP request and then 5 other
> hosts send replies (each coming from a unique IP/port), only one of
> them will match the expectation and create a state table entry.  Is
> this true, and if so, what is the best way to allow all 5 replies to
> be treated as related connections?

If you set the permanent expectation flag, the expectation remains
there forever, so all 5 replies will go through as related. Permanent
expectations don't get removed when we see a match; they remain
there as long as the master conntrack is in place.

> 4) Ashley's email address was bouncing due to an overzealous spam
> filter.  Will retry one last time.

OK.
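
To make point 3 concrete, here is an added model of how an expectation is matched and consumed; it is illustrative code written for this archive page, not conntrack-tools or kernel code. It assumes the kernel's tuple-plus-mask matching (wildcard source address/port for SSDP replies) and uses a `permanent` boolean standing in for the kernel's NF_CT_EXPECT_PERMANENT flag; the addresses and ports are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified 5-tuple; masks select which fields an expectation pins down. */
struct tuple { uint32_t src_ip, dst_ip; uint16_t sport, dport; uint8_t proto; };

struct expect {
    struct tuple tuple, mask;  /* mask bit set => that field must match */
    bool permanent;            /* models NF_CT_EXPECT_PERMANENT */
    bool active;               /* false once a one-shot expectation is consumed */
};

/* Expectation an SSDP helper would register after seeing a multicast
 * M-SEARCH from client_ip:client_port: replies may come from any
 * address/port, but must be UDP towards the client's source port. */
void ssdp_expect_init(struct expect *e, uint32_t client_ip,
                      uint16_t client_port, bool permanent)
{
    memset(e, 0, sizeof(*e));           /* src_ip/sport masks stay 0: wildcard */
    e->tuple.dst_ip = client_ip;  e->mask.dst_ip = 0xffffffff;
    e->tuple.dport  = client_port; e->mask.dport = 0xffff;
    e->tuple.proto  = 17;          e->mask.proto = 0xff;   /* UDP */
    e->permanent = permanent;
    e->active = true;
}

static bool exp_matches(const struct expect *e, const struct tuple *t)
{
    return e->active
        && (t->src_ip & e->mask.src_ip) == e->tuple.src_ip
        && (t->dst_ip & e->mask.dst_ip) == e->tuple.dst_ip
        && (t->sport  & e->mask.sport)  == e->tuple.sport
        && (t->dport  & e->mask.dport)  == e->tuple.dport
        && (t->proto  & e->mask.proto)  == e->tuple.proto;
}

/* A new flow arrives: returns true if it is classified RELATED.
 * A non-permanent expectation is removed by its first match. */
bool new_flow(struct expect *e, const struct tuple *t)
{
    if (!exp_matches(e, t))
        return false;
    if (!e->permanent)
        e->active = false;
    return true;
}

/* The thread's scenario: 5 replies, each from a distinct IP/port. */
int count_related(bool permanent)
{
    struct expect e; int related = 0;
    ssdp_expect_init(&e, 0x0a000002, 51000, permanent);   /* 10.0.0.2:51000 */
    for (int i = 0; i < 5; i++) {
        struct tuple reply = { 0x0a000010 + i, 0x0a000002, 1900 + i, 51000, 17 };
        related += new_flow(&e, &reply);
    }
    return related;   /* 1 without the permanent flag, 5 with it */
}
```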
