* Conntrackd and UDP
From: Michele Codutti @ 2009-02-24 8:37 UTC
To: netfilter

Hello, I'm using conntrackd in an HA clustered firewall. Since the initial setup I configured conntrackd (version 0.9.6-4 from a Debian Lenny) to sync only TCP connections.

In the past few days I've read this tutorial:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
and after that I have one question: is conntrackd capable of syncing the UDP entries of the state machine as well? If so, is it a good thing to configure conntrackd to also sync the UDP entries in a clustered firewall?

Thank you in advance.

--
Michele Codutti
Centro Servizi Informatici e Telematici (CSIT)
Universita' degli Studi di Udine
via Delle Scienze, 208 - 33100 UDINE
tel +39 0432 558928 fax +39 0432 558911
e-mail: michele.codutti at uniud.it
* Re: Conntrackd and UDP
From: Pablo Neira Ayuso @ 2009-02-24 13:47 UTC
To: Michele Codutti; +Cc: netfilter

Michele Codutti wrote:
> Hello, I'm using conntrackd in a ha clustered firewall. Since the
> initial setup I configured conntrackd (version 0.9.6-4 from a a Debian
> Lenny) to sync only TCP connections.

BTW, that's a one-year-old release, I *strongly* suggest you upgrade to some recent release. Similarly, I also suggest you use the latest kernel release, which includes recent versions of ctnetlink.

> In the past few days I've read this tutorial:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> and after that I've one question:
> Conntrackd is capable to sync also the UDP entries of the state machine?
> If it is so: it is a good thing to configure conntrackd to sync also the
> UDP entries in a clustered firewall?

It depends on the UDP traffic and your rule-set. For example, I don't synchronize UDP DNS traffic, but you may want to do it for long-standing UDP flows for real-time communications. With regards to your rule-set, if you perform UDP filtering based on who starts the communication, like allowing A -> B to start UDP flows but not the opposite (B -> A), then it may help to avoid communication hangs after the failover. UDP is unreliable, so you will lose data during the failover; in real-time applications the user would experience a temporary communication breakage, but the communication would not hang, which is one of the targets of conntrackd.

--
"Honest people are social misfits" -- Les Luthiers
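To make the failover argument in the reply above concrete, here is an added example (not code from the thread or from conntrackd): a small Python model of a direction-based UDP rule-set on an active/backup firewall pair, run once without and once with replication of the UDP state. The networks, endpoints and packet sequence are constructed for the demonstration.

```python
import ipaddress

# Constructed networks: A may start UDP flows towards B, B may only reply.
NET_A = ipaddress.ip_network("10.0.1.0/24")
NET_B = ipaddress.ip_network("203.0.113.0/24")

class Firewall:
    """One cluster node with its own conntrack table (a toy model, not conntrackd)."""
    def __init__(self):
        self.table = set()  # original-direction (src, sport, dst, dport) tuples

    def accept(self, src, sport, dst, dport):
        orig, reply = (src, sport, dst, dport), (dst, dport, src, sport)
        if orig in self.table or reply in self.table:
            return True  # ESTABLISHED: both directions of a tracked flow pass
        if ipaddress.ip_address(src) in NET_A and ipaddress.ip_address(dst) in NET_B:
            self.table.add(orig)  # NEW flow from A to B: accept and start tracking
            return True
        return False  # NEW flow from B to A: drop

def run(events, sync_udp):
    """Feed packets through the active node, fail over on request, count drops.
    events: (src, sport, dst, dport) packets or the string "failover";
    sync_udp: whether accepted UDP entries are replicated to the backup node."""
    active, backup = Firewall(), Firewall()
    dropped = 0
    for ev in events:
        if ev == "failover":
            active, backup = backup, active  # the backup node takes over
        elif active.accept(*ev):
            if sync_udp:
                backup.table |= active.table  # what conntrackd would replicate
        else:
            dropped += 1
    return dropped

A, B = ("10.0.1.5", 40000), ("203.0.113.9", 5004)  # constructed endpoints
FLOW = [
    (*A, *B),    # A opens the flow
    (*B, *A),    # B answers
    "failover",
    (*B, *A),    # B keeps sending: lost unless the new node knows the flow
    (*B, *A),
    (*A, *B),    # A sends again: the new active node learns the flow
    (*B, *A),    # B's next packet passes again
]
```

Running `run(FLOW, sync_udp=False)` gives 2 dropped packets (the flow is stuck until A sends again), while `run(FLOW, sync_udp=True)` gives 0: the replicated entry lets the new node accept B's packets immediately.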
* Re: Conntrackd and UDP
From: Tino Keitel @ 2010-02-11 7:22 UTC
To: Pablo Neira Ayuso; +Cc: netfilter

On Tue, Feb 24, 2009 at 14:47:35 +0100, Pablo Neira Ayuso wrote:

[...]

> It depends on the UDP traffic and your rule-set, for example, I
> don't synchronize UDP DNS traffic but you may want to do it for
> long-standing UDP flows for real-time communications. With regards

Hi,

that sounds like other UDP traffic can be synced. However, it looks like conntrackd does not support UDP at all. Are there plans to support it in upcoming releases?

Regards,

--
Tino Keitel
Software Engineer
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.921028-206
Fax: +49.30.921028-020
Rudower Chaussee 13
12489 Berlin / Germany
http://www.innominate.com/
Register Court: AG Charlottenburg, HRB 81603
Management Board: Dirk Seewald, Chairman of the Supervisory Board: Volker Bibelhausen
* Re: Conntrackd and UDP
From: Pablo Neira Ayuso @ 2010-02-11 11:01 UTC
To: Tino Keitel; +Cc: netfilter

Tino Keitel wrote:
> On Tue, Feb 24, 2009 at 14:47:35 +0100, Pablo Neira Ayuso wrote:
>
> [...]
>
>> It depends on the UDP traffic and your rule-set, for example, I
>> don't synchronize UDP DNS traffic but you may want to do it for
>> long-standing UDP flows for real-time communications. With regards
>
> Hi,
>
> that sounds like other UDP traffic can be synced. However, it looks
> like conntrackd does not support UDP at all. Are there plans to support
> it in upcoming releases?

Oops, it seems that I broke UDP filtering during 0.9.14. This patch should fix it. Does it resolve the UDP support or am I missing anything else?

[-- Attachment #2: udp.patch --]

conntrackd: fix UDP filtering in configuration file

From: Pablo Neira Ayuso <pablo@netfilter.org>

UDP filtering was broken during the addition of the UDP-based synchronization protocol that was introduced in 0.9.14. This patch fixes the problem.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/sync/ftfw/conntrackd.conf |    1 +
 src/read_config_yy.y          |   19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index df10aca..877ed68 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -357,6 +357,7 @@ General { TCP SCTP DCCP + # UDP # ICMP # This requires a Linux kernel >= 2.6.31 } diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 6dfca98..5f4e6be 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y
@@ -1221,6 +1221,25 @@ filter_protocol_item : T_TCP pent->p_proto); }; +filter_protocol_item : T_UDP +{ + struct protoent *pent; + + pent = getprotobyname("udp"); + if (pent == NULL) { + print_err(CTD_CFG_WARN, "getprotobyname() cannot find " + "protocol `udp' in /etc/protocols"); + break; + } + ct_filter_add_proto(STATE(us_filter), pent->p_proto); + + __kernel_filter_start(); + + nfct_filter_add_attr_u32(STATE(filter), + NFCT_FILTER_L4PROTO, + pent->p_proto); +}; + filter_item : T_ADDRESS T_ACCEPT '{' filter_address_list '}' { ct_filter_set_logic(STATE(us_filter), ^ permalink raw reply related [flat|nested] 5+ messages in thread
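Review bot: the doc/sync/ftfw/conntrackd.conf hunk adds UDP to the example Protocol Accept block only as a commented-out entry, which is a sensible opt-in default; a short comment next to it saying that replicating UDP state is mainly worthwhile for long-lived flows (the point made earlier in this thread) would stop administrators from enabling it blindly for short-lived traffic such as DNS.

Review bot: in the new T_UDP action in src/read_config_yy.y, the failure path after `pent = getprotobyname("udp");` only logs at CTD_CFG_WARN and then `break;`s out of the action, so on a host whose /etc/protocols lacks the udp line the daemon starts with no UDP entry added to either STATE(us_filter) or the kernel filter, and the only sign is a warning in the log. Since the protocol number is fixed (IPPROTO_UDP is 17), consider falling back to that constant instead of skipping the filter, or raising the message to an error so a silently unfiltered configuration cannot come up. The rest of the body repeats the T_TCP rule shown in the hunk context with only the name changed; a small helper taking the protocol name would avoid carrying the getprotobyname / ct_filter_add_proto / __kernel_filter_start / nfct_filter_add_attr_u32 sequence once per protocol.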
* Re: Conntrackd and UDP
From: Tino Keitel @ 2010-02-11 14:53 UTC
To: Pablo Neira Ayuso; +Cc: netfilter

On Thu, Feb 11, 2010 at 12:01:40 +0100, Pablo Neira Ayuso wrote:

[...]

> Ops, it seems that I broken UDP filtering during 0.9.14. This patch
> should fix it. Does it resolve the UDP support or am I missing anything
> else?

Seems to work fine after a quick test.

Thanks a lot and regards,

--
Tino Keitel
Software Engineer
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.921028-206
Fax: +49.30.921028-020
Rudower Chaussee 13
12489 Berlin / Germany
http://www.innominate.com/
Register Court: AG Charlottenburg, HRB 81603
Management Board: Dirk Seewald, Chairman of the Supervisory Board: Volker Bibelhausen