* [PATCH conntrackd,v2 1/2] cthelper: Set up userspace helpers when daemon starts
@ 2021-05-28 11:43 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-05-28 11:43 UTC
To: netfilter-devel
Add a new setting to allow conntrackd to autoconfigure the userspace
helpers at startup.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: do not destroy helper, it hits EBUSY if it is used from the ruleset.
doc/helper/conntrackd.conf | 14 ++++++++++++--
include/conntrackd.h | 1 +
src/cthelper.c | 5 +++++
src/read_config_lex.l | 1 +
src/read_config_yy.y | 13 ++++++++++++-
5 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 6ffe00863c88..cbcb284aa92d 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -3,11 +3,21 @@
#
Helper {
- # Before this, you have to make sure you have registered the `ftp'
- # user-space helper stub via:
+ #
+ # Set up the userspace helpers when the daemon is started. If unset,
+ # you have manually set up the user-space helper stub, e.g.
#
# nfct add helper ftp inet tcp
#
+ # This new setting simplifies new deployment, so it is recommended to
+ # turn it on. On existing deployments, make sure to remove the nfct
+ # command invocation since it is not required anymore.
+ #
+ # Default: no (for backward compatibility reasons)
+ # Recommended: yes
+ #
+ Setup yes
+
Type ftp inet tcp {
#
# Set NFQUEUE number you want to use to receive traffic from
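Review bot: the new comment text in this hunk drops a word: "If unset, you have manually set up the user-space helper stub" should read "If unset, you have to set up the user-space helper stub manually". Two smaller points in the same block: "simplifies new deployment" reads better as "simplifies new deployments", and the instruction to remove the nfct invocation on existing deployments does not say what a user will observe if it is left in place; since the v2 changelog says the helper is deliberately no longer destroyed, stating the visible failure (or that the duplicate registration is harmless, if it is) would spare users a trip to the logs.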
diff --git a/include/conntrackd.h b/include/conntrackd.h
index fe9ec1854a7d..3e0d09585b26 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -138,6 +138,7 @@ struct ct_conf {
} stats;
struct {
struct list_head list;
+ bool setup;
} cthelper;
};
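Review bot: `bool setup` in struct ct_conf needs <stdbool.h> (or an include that already pulls it in); the hunk does not show one being added, so check that conntrackd.h already includes it, otherwise any file that includes this header without stdbool.h will stop compiling.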
diff --git a/src/cthelper.c b/src/cthelper.c
index f01c509abaa4..07b781f73c80 100644
--- a/src/cthelper.c
+++ b/src/cthelper.c
@@ -49,6 +49,7 @@
#include <linux/netfilter.h>
#include <libnetfilter_queue/pktbuff.h>
+
void cthelper_kill(void)
{
mnl_socket_close(STATE_CTH(nl));
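Review bot: the only change in this hunk is a stray blank line added before cthelper_kill(); it is unrelated to the Setup option and should be dropped so the patch touches only the lines it needs.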
@@ -386,6 +387,10 @@ static int cthelper_setup(struct ctd_helper_instance *cur)
nfct_helper_attr_set_u32(t, NFCTH_ATTR_QUEUE_NUM, cur->queue_num);
nfct_helper_attr_set_u16(t, NFCTH_ATTR_PROTO_L3NUM, cur->l3proto);
nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, cur->l4proto);
+ if (CONFIG(cthelper).setup) {
+ nfct_helper_attr_set_u32(t, NFCTH_ATTR_PRIV_DATA_LEN,
+ cur->helper->priv_data_len);
+ }
nfct_helper_attr_set_u32(t, NFCTH_ATTR_STATUS,
NFCT_HELPER_STATUS_ENABLED);
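Review bot: with Setup on, the only difference in the message built by cthelper_setup() is the extra NFCTH_ATTR_PRIV_DATA_LEN attribute, and the v2 changelog says the helper is now left registered when the daemon stops; on the next start this message will therefore reach an already-registered helper rather than create a new one. Please confirm that the kernel accepts NFCTH_ATTR_PRIV_DATA_LEN on an existing helper (or only when the length matches the registered one), and, since the visible lines do not show how the send result is handled, make sure a rejected message on restart is reported clearly rather than surfacing as the same opaque EBUSY the changelog mentions for the destroy path.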
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index f1f4fe3f5b5d..7dc400a3a9b5 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -141,6 +141,7 @@ notrack [N|n][O|o][T|t][R|r][A|a][C|c][K|k]
"ExpectTimeout" { return T_HELPER_EXPECT_TIMEOUT; }
"Systemd" { return T_SYSTEMD; }
"StartupResync" { return T_STARTUP_RESYNC; }
+"Setup" { return T_SETUP; }
{is_true} { return T_ON; }
{is_false} { return T_OFF; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index b215a729b716..95845a19e768 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -63,7 +63,7 @@ enum {
%token T_IPV4_ADDR T_IPV4_IFACE T_PORT T_HASHSIZE T_HASHLIMIT T_MULTICAST
%token T_PATH T_UNIX T_REFRESH T_IPV6_ADDR T_IPV6_IFACE
-%token T_BACKLOG T_GROUP T_IGNORE
+%token T_BACKLOG T_GROUP T_IGNORE T_SETUP
%token T_LOG T_UDP T_ICMP T_IGMP T_VRRP T_TCP
%token T_LOCK T_BUFFER_SIZE_MAX_GROWN T_EXPIRE T_TIMEOUT
%token T_GENERAL T_SYNC T_STATS T_BUFFER_SIZE
@@ -1454,6 +1454,7 @@ helper_list:
;
helper_line: helper_type
+ | helper_setup
;
helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
@@ -1562,6 +1563,16 @@ helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list '}'
list_add(&helper_inst->head, &CONFIG(cthelper).list);
};
+helper_setup : T_SETUP T_ON
+{
+ CONFIG(cthelper).setup = true;
+};
+
+helper_setup : T_SETUP T_OFF
+{
+ CONFIG(cthelper).setup = false;
+};
+
helper_type_list:
| helper_type_list helper_type_line
;
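Review bot: nothing in this hunk (or in the header change) sets CONFIG(cthelper).setup to false when the Setup keyword is absent, so the documented default of "no" relies on the config struct being zeroed before parsing; if that is guaranteed, a short comment saying so would help, otherwise add an explicit default. Stylistically, the two alternatives are written as two separate `helper_setup :` rules; the rest of this grammar (e.g. `helper_type_list: | helper_type_list helper_type_line`) lists alternatives with `|` under a single non-terminal, and the same can be done here with T_ON and T_OFF as the two branches of one `helper_setup` rule.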
--
2.30.2
* [PATCH conntrackd,v2 2/2] doc: manual: Document userspace helper configuration at daemon startup
From: Pablo Neira Ayuso @ 2021-05-28 11:43 UTC
To: netfilter-devel
Describe how to configure conntrackd using the new simple setup approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: no changes.
doc/manual/conntrack-tools.tmpl | 42 ++++++++++++++++-----------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index 64ac5dd54690..822dd496747a 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -905,32 +905,13 @@ maintainance.</para></listitem>
<para>The following steps describe how to enable the RPC portmapper helper for NFSv3 (this is similar for other helpers):</para>
<orderedlist>
-<listitem><para>Register user-space helper:
-
-<programlisting>
-nfct add helper rpc inet udp
-nfct add helper rpc inet tcp
-</programlisting>
-
-This registers the portmapper helper for both UDP and TCP (NFSv3 traffic goes both over TCP and UDP).
-</para></listitem>
-
-<listitem><para>Add iptables rule using the CT target:
-
-<programlisting>
-# iptables -I OUTPUT -t raw -p udp --dport 111 -j CT --helper rpc
-# iptables -I OUTPUT -t raw -p tcp --dport 111 -j CT --helper rpc
-</programlisting>
-
-With this, packets matching port TCP/UDP/111 are passed to user-space for
-inspection. If there is no instance of conntrackd configured to support
-user-space helpers, no inspection happens and packets are not sent to
-user-space.</para></listitem>
<listitem><para>Add configuration to conntrackd.conf:
<programlisting>
Helper {
+ Setup yes
+
Type rpc inet udp {
QueueNum 1
QueueLen 10240
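Review bot: this hunk removes the sentence "This registers the portmapper helper for both UDP and TCP (NFSv3 traffic goes both over TCP and UDP)" along with the nfct step, and nothing in the remaining text explains why the configuration carries an rpc Type block for udp and, per the removed sentence, another for tcp; keep that sentence next to the Type blocks so the reader still gets the reason. Also, the example now shows `Setup yes` without saying that this is what replaces the manual `nfct add helper` registration; a half-sentence to that effect would make the new procedure self-explanatory for readers upgrading from the old one.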
@@ -962,6 +943,25 @@ for inspection to user-space</para>
</listitem>
+<listitem><para>Run conntrackd:
+<programlisting>
+# conntrackd -d -C /path/to/conntrackd.conf
+</programlisting>
+</para>
+</listitem>
+
+<listitem><para>Add iptables rule using the CT target:
+
+<programlisting>
+# iptables -I OUTPUT -t raw -p udp --dport 111 -j CT --helper rpc
+# iptables -I OUTPUT -t raw -p tcp --dport 111 -j CT --helper rpc
+</programlisting>
+
+With this, packets matching port TCP/UDP/111 are passed to user-space for
+inspection. If there is no instance of conntrackd configured to support
+user-space helpers, no inspection happens and packets are not sent to
+user-space.</para></listitem>
+
</orderedlist>
<para>Now you can test this (assuming you have some working NFSv3 setup) with:
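Review bot: the iptables step is moved after "Run conntrackd" without saying why; since the helper is now registered by conntrackd at startup (Setup yes), a sentence such as "the CT rule references the rpc helper, so add it only once conntrackd is running" would make the ordering explicit. The closing paragraph ("If there is no instance of conntrackd configured to support user-space helpers, no inspection happens...") was written for the old order, where the rule could be added before the daemon existed; re-read it against the new order and trim or reword it accordingly.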
--
2.30.2