Hi Pablo, thanks for helping!

On Thu, Aug 11, 2016 at 01:34:35PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Aug 11, 2016 at 10:52:51AM +0200, Marc Haber wrote:
> > This confuses me:
> >
> > (1) Why does the packet end up in the input queue in the first place?
> > To me, this looks like the incoming packet on unt381 is not correctly
> > tracked by the NAT code. It should be natted and processed by the
> > FORWARD chain.
> >
> > (2) Why are the packet counters of all ctstate rules with helper match
> > "sip" at zero? Why don't they apply for the incoming packet which
> > seems to fall through until the concluding REJECT rule?
>
> Because no conntrack entries are getting the sip helper attached.
>
> > (3) do I need the PREROUTING --jump CT rule mentioned in the Securing
> > helpers page if I only use the default Port 5060?
>
> Yes, the CT target explicitly attaches the conntrack helper, so you
> need something like:
>
> -A PREROUTING -t raw -p udp --dport 5060 -j CT --helper sip
>
> This plugs the sip helper to every new flow going to port 5060.

Can I see in conntrack(1) output whether a flow has a helper attached?
Is the helper supposed to be attached to the first packet only?

I now have:

Chain PREROUTING (policy ACCEPT 1909 packets, 445K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 helper match "sip" CT

# Generated by iptables-save v1.4.21 on Thu Aug 11 13:51:44 2016
*raw
:PREROUTING ACCEPT [2022:465365]
:OUTPUT ACCEPT [16:4970]
-A PREROUTING -p udp -m udp --dport 5060 -m helper --helper sip -j CT

and, as you can see, the rule counters are at zero while packets still
fall through to the REJECT rule at the end of the INPUT chain.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
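Added example, not part of the thread and not from either poster: the raw-table rule in the form Pablo gave it, written as an iptables-restore fragment, plus a small parser for conntrack -L output that answers the "does this flow have a helper attached?" question from a script. Two things it assumes: that conntrack-tools prints a "helper=<name>" field on flows that carry a helper (it does in current releases), and that the sample conntrack lines below are constructed, not captured from any real host. The operational point it encodes is the difference between the helper match and the CT target: "-m helper --helper sip" only matches a conntrack entry that already has the sip helper, while "-j CT --helper sip" is what attaches it, so a CT rule guarded by "-m helper" can never fire on a new flow, and the fragment below deliberately carries no "-m helper".

```shell
#!/bin/sh
# Added example (not the thread's own configuration).

# Raw-table rules as an iptables-restore fragment. No "-m helper" here:
# the helper match tests for a helper that is already attached, and the
# CT target is the thing that attaches it, so the match would never be
# true for the new flows this rule is meant to catch.
raw_table_rules() {
  cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
COMMIT
EOF
}

# Read "conntrack -L" style output on stdin and print, one per line, the
# helper attached to each UDP flow whose original direction has the given
# destination port; prints "none" when the flow carries no helper field.
helper_for_dport() {
  awk -v dport="$1" '
    $1 == "udp" && $0 ~ ("(^| )dport=" dport "( |$)") {
      h = "none"
      for (i = 1; i <= NF; i++)
        if ($i ~ /^helper=/) h = substr($i, 8)   # strip the "helper=" prefix
      print h
    }'
}

# Constructed sample of conntrack -L output (assumed format, documentation
# addresses): one flow with the sip helper, one without.
SAMPLE_CONNTRACK='udp      17 29 src=192.0.2.10 dst=198.51.100.5 sport=5060 dport=5060 src=198.51.100.5 dst=192.0.2.10 sport=5060 dport=5060 [ASSURED] helper=sip mark=0 use=1
udp      17 29 src=192.0.2.11 dst=198.51.100.5 sport=40000 dport=5060 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=5060 dport=40000 mark=0 use=1'

# Run the parser over the constructed sample; on a live box the same
# pipeline would be:  conntrack -L -p udp --dport 5060 | helper_for_dport 5060
check_sample() {
  printf '%s\n' "$SAMPLE_CONNTRACK" | helper_for_dport 5060
}

check_sample
```

On a real host the rule fragment is loaded with iptables-restore (or iptables-restore -n to keep the other tables), and the counters on the CT rule should then move with the first packet of each new flow to port 5060, since the CT target works on the unconfirmed conntrack entry created for that first packet; later packets of the same flow already carry the helper.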