[PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

[PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

[pda Pfeil Daniel]

After an RPC call to portmap using the portmap program number (100000),
subsequent RPC calls are not handled correctly by connection tracking.
This results in client connections to ports specified in RPC replies
failing to operate.

This issue arises because after an RPC call to portmap using the
program number 100000, conntrackd adds an expectation table entry
for the portmap port (typically 111). Due to this expectation table
entry, subsequent RPC call connections are treated as sibling
connections. Due to kernel restrictions, the connection helper for
sibling connections cannot be changed. This is enforced in the kernel's
handling in "net/netfilter/nf_conntrack_netlink.c", within the
"ctnetlink_change_helper" function, after the comment:
/* don't change helper of sibling connections */.
Due to this kernel restriction, the private RPC data (struct rpc_info)
sent from conntrackd to kernel-space is discarded by the kernel.

To resolve this, the proposed change is to eliminate the creation of
an expectation table entry for the portmap port. The portmap port has
to be opened via an iptables/nftables rule anyway, so adding an
expectation table entry for the portmap port is unnecessary.

Why do our existing clients make RPC calls using the portmap program
number? They use these calls for cyclic keepalive messages to verify
that the link between the client and server is operational.

Signed-Off-By: Daniel Pfeil <pda@keba.com>
---
 src/helpers/rpc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
index 732e9ba..d8e4903 100644
--- a/src/helpers/rpc.c
+++ b/src/helpers/rpc.c
@@ -399,6 +399,11 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
 				 xid, rpc_info->xid);
 			goto out;
 		}
+		/* Ignore portmap program number */
+		if (rpc_info->pm_prog == PMAPPROG) {
+			pr_debug("RPC REPL: ignore portmap program number %lu\n", PMAPPROG);
+			goto out;
+		}
 		if (rpc_reply(data, offset, datalen, rpc_info, &port_ptr) < 0)
 			goto out;
 
-- 
2.30.2

AW: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

[pda Pfeil Daniel]

Dear Netfilter Development Team,

I am following up on the patch I submitted almost two months ago (see below).
I would appreciate any updates on its review process or if any further action is required on my part to facilitate the review.

Best regards,

Daniel Pfeil
pda@keba.com

-----Ursprüngliche Nachricht-----
Von: pda Pfeil Daniel 
Gesendet: Donnerstag, 25. April 2024 14:13
An: netfilter-devel@vger.kernel.org
Betreff: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

After an RPC call to portmap using the portmap program number (100000), subsequent RPC calls are not handled correctly by connection tracking.
This results in client connections to ports specified in RPC replies failing to operate.

This issue arises because after an RPC call to portmap using the program number 100000, conntrackd adds an expectation table entry for the portmap port (typically 111). Due to this expectation table entry, subsequent RPC call connections are treated as sibling connections. Due to kernel restrictions, the connection helper for sibling connections cannot be changed. This is enforced in the kernel's handling in "net/netfilter/nf_conntrack_netlink.c", within the "ctnetlink_change_helper" function, after the comment:
/* don't change helper of sibling connections */.
Due to this kernel restriction, the private RPC data (struct rpc_info) sent from conntrackd to kernel-space is discarded by the kernel.

To resolve this, the proposed change is to eliminate the creation of an expectation table entry for the portmap port. The portmap port has to be opened via an iptables/nftables rule anyway, so adding an expectation table entry for the portmap port is unnecessary.

Why do our existing clients make RPC calls using the portmap program number? They use these calls for cyclic keepalive messages to verify that the link between the client and server is operational.

Signed-Off-By: Daniel Pfeil <pda@keba.com>
---
 src/helpers/rpc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c index 732e9ba..d8e4903 100644
--- a/src/helpers/rpc.c
+++ b/src/helpers/rpc.c
@@ -399,6 +399,11 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
 				 xid, rpc_info->xid);
 			goto out;
 		}
+		/* Ignore portmap program number */
+		if (rpc_info->pm_prog == PMAPPROG) {
+			pr_debug("RPC REPL: ignore portmap program number %lu\n", PMAPPROG);
+			goto out;
+		}
 		if (rpc_reply(data, offset, datalen, rpc_info, &port_ptr) < 0)
 			goto out;
 
--
2.30.2

Re: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

[Pablo Neira Ayuso]

On Thu, Apr 25, 2024 at 12:13:11PM +0000, pda Pfeil Daniel wrote:
> After an RPC call to portmap using the portmap program number (100000),
> subsequent RPC calls are not handled correctly by connection tracking.
> This results in client connections to ports specified in RPC replies
> failing to operate.

Applied, thanks

Re: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

[Pablo Neira Ayuso]

On Wed, Jun 19, 2024 at 01:03:20PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 25, 2024 at 12:13:11PM +0000, pda Pfeil Daniel wrote:
> > After an RPC call to portmap using the portmap program number (100000),
> > subsequent RPC calls are not handled correctly by connection tracking.
> > This results in client connections to ports specified in RPC replies
> > failing to operate.
> 
> Applied, thanks

Wait, program 100000 usually runs on the portmapper port
(tcp,udp/111), which is the one where you install the helper to add
expectations:

   100000    2   tcp    111  portmapper
   100000    2   udp    111  portmapper

How is this working?

AW: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

[pda Pfeil Daniel]

Hi Pablo,

the portmap port must be opened via static iptables/nftables rule anyway, so adding an expectation table entry for the portmap port is unnecessary.

BR Daniel

-----Ursprüngliche Nachricht-----
Von: Pablo Neira Ayuso <pablo@netfilter.org> 
Gesendet: Mittwoch, 19. Juni 2024 13:08
An: pda Pfeil Daniel <pda@keba.com>
Cc: netfilter-devel@vger.kernel.org
Betreff: Re: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

ACHTUNG: Das Mail kommt von einer anderen Organisation ! Links nicht anklicken und Anhänge nicht öffnen, außer der Absender ist bekannt und der Inhalt der Anlage ist sicher. Im Zweifelsfall bitte mit der <https://collaboration.keba.com/trustedurls> Liste vertrauenswürdiger Absender<https://collaboration.keba.com/trustedurls> gegenprüfen, oder  den KEBA IT-Servicedesk kontaktieren!

CAUTION:  This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. In case of doubt please verify with the <https://collaboration.keba.com/trustedurls> list of trustworthy senders<https://collaboration.keba.com/trustedurls>, or contact the IT-Servicedesk!

On Wed, Jun 19, 2024 at 01:03:20PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 25, 2024 at 12:13:11PM +0000, pda Pfeil Daniel wrote:
> > After an RPC call to portmap using the portmap program number 
> > (100000), subsequent RPC calls are not handled correctly by connection tracking.
> > This results in client connections to ports specified in RPC replies 
> > failing to operate.
>
> Applied, thanks

Wait, program 100000 usually runs on the portmapper port (tcp,udp/111), which is the one where you install the helper to add
expectations:

   100000    2   tcp    111  portmapper
   100000    2   udp    111  portmapper

How is this working?

Re: AW: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port

[Pablo Neira Ayuso]

Patch is applied, thanks

On Wed, Jun 19, 2024 at 11:29:37AM +0000, pda Pfeil Daniel wrote:
> Hi Pablo,
> 
> the portmap port must be opened via static iptables/nftables rule anyway, so adding an expectation table entry for the portmap port is unnecessary.
> 
> BR Daniel
> 
> -----Ursprüngliche Nachricht-----
> Von: Pablo Neira Ayuso <pablo@netfilter.org> 
> Gesendet: Mittwoch, 19. Juni 2024 13:08
> An: pda Pfeil Daniel <pda@keba.com>
> Cc: netfilter-devel@vger.kernel.org
> Betreff: Re: [PATCH] conntrackd: helpers/rpc: Don't add expectation table entry for portmap port
> 
> ACHTUNG: Das Mail kommt von einer anderen Organisation ! Links nicht anklicken und Anhänge nicht öffnen, außer der Absender ist bekannt und der Inhalt der Anlage ist sicher. Im Zweifelsfall bitte mit der <https://collaboration.keba.com/trustedurls> Liste vertrauenswürdiger Absender<https://collaboration.keba.com/trustedurls> gegenprüfen, oder  den KEBA IT-Servicedesk kontaktieren!
> 
> CAUTION:  This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. In case of doubt please verify with the <https://collaboration.keba.com/trustedurls> list of trustworthy senders<https://collaboration.keba.com/trustedurls>, or contact the IT-Servicedesk!
> 
> On Wed, Jun 19, 2024 at 01:03:20PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Apr 25, 2024 at 12:13:11PM +0000, pda Pfeil Daniel wrote:
> > > After an RPC call to portmap using the portmap program number 
> > > (100000), subsequent RPC calls are not handled correctly by connection tracking.
> > > This results in client connections to ports specified in RPC replies 
> > > failing to operate.
> >
> > Applied, thanks
> 
> Wait, program 100000 usually runs on the portmapper port (tcp,udp/111), which is the one where you install the helper to add
> expectations:
> 
>    100000    2   tcp    111  portmapper
>    100000    2   udp    111  portmapper
> 
> How is this working?