On Wed, Nov 25, 2015 at 05:13:01PM -0200, Marcelo Ricardo Leitner wrote:
> Commit d7ee35190427 ("netfilter: nf_ct_sctp: minimal multihoming
> support") allowed creating conntrack entries based on the heartbeat
> exchange, so that we can track secondary paths too.
>
> This patch adds a vtag verification to that. That is, in order to allow
> a HEARTBEAT or a HEARTBEAT_ACK through, the tuple (src port, dst port,
> vtag) must be already known.
>
> As it's possible that peer A initiated the connection but peer B ends up
> being the first one to send a heartbeat, there is a cross-direction
> check for matching the registered conntrack directions with the
> heartbeat one.
>
> Note that this vtag verification is only possible on peers or routers
> that will see all paths in use by a given association. When used, it
> will only allow secondary paths if the primary one is already there.
> That is, it's usually only useable at the peers themselves, and thus it
> defaults to off, controlled via sysctl
> net.netfilter.nf_conntrack_sctp_validate_vtag.
>
> As we can't really track associations but just their paths, it's
> possible to have multiple hits of the 3-tuple to actually reflect
> multiple associations, just as it's also possible to have different
> vtags for a given pair of ports.
>
> When a heartbeat comes by, it will allow it if the vtag is one of the
> two (or n) in use, no matter which association it really belongs to.
> Yet, if there is a lingering conntrack entry from a previous association
> built from heartbeats for that 5-tuple (saddr, daddr, sport, dport,
> sctp), like from a fast port reuse, it will reject packets with the new
> vtag. This is actually a result of the normal conntrack entry
> verification and is not a result of this patch or d7ee35190427.
>
> SCTP has this particularity that peer addresses are negotiated during
> initial handshake _and_ also via ASCONF chunks (RFC 5061). ASCONF chunks
> must be authenticated, for security reasons, and as conntrack actually
> sits in the middle even when used at the peers, it cannot validate the
> authentication and thus it cannot trust ASCONF chunks, so we cannot
> track IP addresses and thus we can't rebuild the association itself.
>
> It is necessary that the path that initiated the association to continue
> up as it's the only one that gets hashed and we cannot promote secondary
> paths, due to the above. Once the primary path is down, secondary paths
> using those vtags that expires won't be able to re-activate.
>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
> ---
> Documentation/networking/nf_conntrack-sysctl.txt | 9 +
> include/linux/netfilter/nf_conntrack_sctp.h | 17 ++
> net/netfilter/nf_conntrack_proto_sctp.c | 251 ++++++++++++++++++++++-
> 3 files changed, 276 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/networking/nf_conntrack-sysctl.txt b/Documentation/networking/nf_conntrack-sysctl.txt
> index f55599c62c9d61335005202146fdad75c8c133b9..9113fa12fee9548a99e5ea6b5241a4e882ffbfd0 100644
> --- a/Documentation/networking/nf_conntrack-sysctl.txt
> +++ b/Documentation/networking/nf_conntrack-sysctl.txt
> @@ -175,3 +175,12 @@ nf_conntrack_udp_timeout_stream2 - INTEGER (seconds)
>
> This extended timeout will be used in case there is an UDP stream
> detected.
> +
> +nf_conntrack_sctp_validate_vtag - BOOLEAN
> + 0 - disabled (default)
> + not 0 - enabled
> +
> + Enable VTAG validation for conntrack entries created from
> + HEARTBEATs. That is, in order to allow such new entry, that vtag
> + must already be known for that port pair, no matter which
> + addresses are used. Most useful in end peers.
Any specific reason ...
not to have this enable by default?
to have a sysctl switch to enable/disable this?
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
