[PATCH conntrackd] cthelper: Set up userspace helpers when daemon starts

[PATCH conntrackd] cthelper: Set up userspace helpers when daemon starts

[Pablo Neira Ayuso]

Add a new setting to allow conntrackd to autoconfigure the userspace
helpers at startup.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/helper/conntrackd.conf |  9 +++++--
 include/conntrackd.h       |  1 +
 src/cthelper.c             | 55 ++++++++++++++++++++++++++++++++++++++
 src/read_config_lex.l      |  1 +
 src/read_config_yy.y       | 13 ++++++++-
 5 files changed, 76 insertions(+), 3 deletions(-)

diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 6ffe00863c88..0255c2c42a95 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -3,11 +3,16 @@
 #
 
 Helper {
-	# Before this, you have to make sure you have registered the `ftp'
-	# user-space helper stub via:
+	#
+	# Set up the userspace helpers when the daemon is started. If unset,
+	# you have manually set up the user-space helper stub, e.g.
 	#
 	# nfct add helper ftp inet tcp
 	#
+	# Default: no (for backward compatibility reasons)
+	#
+	Setup yes
+
 	Type ftp inet tcp {
 		#
 		# Set NFQUEUE number you want to use to receive traffic from
diff --git a/include/conntrackd.h b/include/conntrackd.h
index fe9ec1854a7d..3e0d09585b26 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -138,6 +138,7 @@ struct ct_conf {
 	} stats;
 	struct {
 		struct list_head list;
+		bool setup;
 	} cthelper;
 };
 
diff --git a/src/cthelper.c b/src/cthelper.c
index f01c509abaa4..870c0026b758 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -49,8 +49,59 @@
 #include <linux/netfilter.h>
 #include <libnetfilter_queue/pktbuff.h>
 
+static int cthelper_destroy(struct ctd_helper_instance *cur)
+{
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nfct_helper *h;
+	struct nlmsghdr *nlh;
+	uint32_t seq;
+	int ret;
+
+	h = nfct_helper_alloc();
+	if (!h)
+		return -1;
+
+	nfct_helper_attr_set(h, NFCTH_ATTR_NAME, cur->helper->name);
+	nfct_helper_attr_set_u16(h, NFCTH_ATTR_PROTO_L3NUM, cur->l3proto);
+	nfct_helper_attr_set_u8(h, NFCTH_ATTR_PROTO_L4NUM, cur->l4proto);
+
+	seq = time(NULL);
+	nlh = nfct_helper_nlmsg_build_hdr(buf, NFNL_MSG_CTHELPER_DEL,
+					  NLM_F_ACK, seq);
+	nfct_helper_nlmsg_build_payload(nlh, h);
+
+	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
+		dlog(LOG_ERR, "destroying cthelper configuration");
+		goto err_out;
+	}
+
+	ret = mnl_socket_recvfrom(STATE_CTH(nl), buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, STATE_CTH(portid), NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(STATE_CTH(nl), buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		dlog(LOG_ERR, "trying to destroy cthelper `%s': %s",
+			cur->helper->name, strerror(errno));
+		goto err_out;
+	}
+
+	return 0;
+err_out:
+	nfct_helper_free(h);
+	return -1;
+}
+
 void cthelper_kill(void)
 {
+	struct ctd_helper_instance *cur;
+
+	if (CONFIG(cthelper).setup) {
+		list_for_each_entry(cur, &CONFIG(cthelper).list, head)
+			cthelper_destroy(cur);
+	}
 	mnl_socket_close(STATE_CTH(nl));
 	free(state.cthelper);
 }
@@ -386,6 +437,10 @@ static int cthelper_setup(struct ctd_helper_instance *cur)
 	nfct_helper_attr_set_u32(t, NFCTH_ATTR_QUEUE_NUM, cur->queue_num);
 	nfct_helper_attr_set_u16(t, NFCTH_ATTR_PROTO_L3NUM, cur->l3proto);
 	nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, cur->l4proto);
+	if (CONFIG(cthelper).setup) {
+		nfct_helper_attr_set_u32(t, NFCTH_ATTR_PRIV_DATA_LEN,
+					 cur->helper->priv_data_len);
+	}
 	nfct_helper_attr_set_u32(t, NFCTH_ATTR_STATUS,
 					NFCT_HELPER_STATUS_ENABLED);
 
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index f1f4fe3f5b5d..7dc400a3a9b5 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -141,6 +141,7 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 "ExpectTimeout"			{ return T_HELPER_EXPECT_TIMEOUT; }
 "Systemd"			{ return T_SYSTEMD; }
 "StartupResync"			{ return T_STARTUP_RESYNC; }
+"Setup"				{ return T_SETUP; }
 
 {is_true}		{ return T_ON; }
 {is_false}		{ return T_OFF; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index b215a729b716..95845a19e768 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -63,7 +63,7 @@ enum {
 
 %token T_IPV4_ADDR T_IPV4_IFACE T_PORT T_HASHSIZE T_HASHLIMIT T_MULTICAST
 %token T_PATH T_UNIX T_REFRESH T_IPV6_ADDR T_IPV6_IFACE
-%token T_BACKLOG T_GROUP T_IGNORE
+%token T_BACKLOG T_GROUP T_IGNORE T_SETUP
 %token T_LOG T_UDP T_ICMP T_IGMP T_VRRP T_TCP
 %token T_LOCK T_BUFFER_SIZE_MAX_GROWN T_EXPIRE T_TIMEOUT
 %token T_GENERAL T_SYNC T_STATS T_BUFFER_SIZE
@@ -1454,6 +1454,7 @@ helper_list:
 	    ;
 
 helper_line: helper_type
+	    | helper_setup
 	    ;
 
 helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
@@ -1562,6 +1563,16 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
 	list_add(&helper_inst->head, &CONFIG(cthelper).list);
 };
 
+helper_setup : T_SETUP T_ON
+{
+	CONFIG(cthelper).setup = true;
+};
+
+helper_setup : T_SETUP T_OFF
+{
+	CONFIG(cthelper).setup = false;
+};
+
 helper_type_list:
 		| helper_type_list helper_type_line
 		;
-- 
2.30.2

[PATCH conntrackd] doc: manual: Document userspace helper configuration at daemon startup

[Pablo Neira Ayuso]

Describe how to configure conntrackd using the new simple setup approach.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/manual/conntrack-tools.tmpl | 42 ++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index 64ac5dd54690..822dd496747a 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -905,32 +905,13 @@ maintainance.</para></listitem>
 <para>The following steps describe how to enable the RPC portmapper helper for NFSv3 (this is similar for other helpers):</para>
 
 <orderedlist>
-<listitem><para>Register user-space helper:
-
-<programlisting>
-nfct add helper rpc inet udp
-nfct add helper rpc inet tcp
-</programlisting>
-
-This registers the portmapper helper for both UDP and TCP (NFSv3 traffic goes both over TCP and UDP).
-</para></listitem>
-
-<listitem><para>Add iptables rule using the CT target:
-
-<programlisting>
-# iptables -I OUTPUT -t raw -p udp --dport 111 -j CT --helper rpc
-# iptables -I OUTPUT -t raw -p tcp --dport 111 -j CT --helper rpc
-</programlisting>
-
-With this, packets matching port TCP/UDP/111 are passed to user-space for
-inspection. If there is no instance of conntrackd configured to support
-user-space helpers, no inspection happens and packets are not sent to
-user-space.</para></listitem>
 
 <listitem><para>Add configuration to conntrackd.conf:
 
 <programlisting>
 Helper {
+        Setup yes
+
         Type rpc inet udp {
                 QueueNum 1
 		QueueLen 10240
@@ -962,6 +943,25 @@ for inspection to user-space</para>
 
 </listitem>
 
+<listitem><para>Run conntrackd:
+<programlisting>
+# conntrackd -d -C /path/to/conntrackd.conf
+</programlisting>
+</para>
+</listitem>
+
+<listitem><para>Add iptables rule using the CT target:
+
+<programlisting>
+# iptables -I OUTPUT -t raw -p udp --dport 111 -j CT --helper rpc
+# iptables -I OUTPUT -t raw -p tcp --dport 111 -j CT --helper rpc
+</programlisting>
+
+With this, packets matching port TCP/UDP/111 are passed to user-space for
+inspection. If there is no instance of conntrackd configured to support
+user-space helpers, no inspection happens and packets are not sent to
+user-space.</para></listitem>
+
 </orderedlist>
 
 <para>Now you can test this (assuming you have some working NFSv3 setup) with:
-- 
2.30.2