
Patch to netfilter conntrack for secondary connection logging

Message ID 1471831902045.98124@alliedtelesis.co.nz
State Awaiting Upstream, archived
Delegated to: David Miller

Commit Message

Thomas Winter Aug. 22, 2016, 2:11 a.m. UTC
Hello,

We are using netfilter to implement a firewall for a router and we had the problem that the ftp data connections were not being logged.
I did some investigating and found that it is conntrack, through the ftp helper module, that allows the secondary connection.
I created a patch to enable such logging for any conntrack helper.
Is this a good change? Or did I miss something really obvious?

Regards,
Thomas Winter


example iptables rules:

Chain FIREWALL_RULE_12 (1 references)
target     prot opt source               destination         
LOG        tcp  --  anywhere             anywhere             multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctsta
te NEW,RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT "
CONNMARK   tcp  --  anywhere             anywhere             multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctsta
te NEW,RELATED,ESTABLISHED CONNMARK xset 0x1/0x7
LOG        tcp  --  anywhere             anywhere             multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctsta
te RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT "
CONNMARK   tcp  --  anywhere             anywhere             multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctsta
te RELATED,ESTABLISHED CONNMARK xset 0x1/0x7


patch:

[PATCH] ICSAFW-9: Added expected connection logging in netfilter

For ICSA firewall requirements, it must be possible
to log FTP data connections.

Our iptables rules for FTP are not able to log the
data connections because they only take effect on
the control connection. The FTP conntrack helper
module inspects FTP control packets and allows the
data connections when it sees one about to start.

Added a log function for conntrack to be called
when allowing expected connections.

---
 include/net/netfilter/nf_conntrack_expect.h |  5 +++++
 net/netfilter/nf_conntrack_core.c           |  4 ++++
 net/netfilter/nf_conntrack_ftp.c            | 21 +++++++++++++++++++++
 3 files changed, 30 insertions(+)

Comments

Florian Westphal Aug. 22, 2016, 9 a.m. UTC | #1
Thomas Winter <Thomas.Winter@alliedtelesis.co.nz> wrote:
> Hello,
> 
> We are using netfilter to implement a firewall for a router and we had the problem that the ftp data connections were not being logged.
> I did some investigating and found that it is conntrack that is allowing the secondary connection by the ftp helper module.
> I created a patch to enable such logging for any conntrack helper.
> Is this a good change? Or did I miss something really obvious?

It should be possible to log the data connections via

-p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j (NF)LOG

Patch

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index dce56f0..c13a457 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -26,6 +26,11 @@  struct nf_conntrack_expect {
 	void (*expectfn)(struct nf_conn *new,
 			 struct nf_conntrack_expect *this);
 
+#ifdef ATL_CHANGE
+	/* Logging function to call when seeing an expected connection */
+	void (*logfn)(const struct nf_conntrack_tuple *tuple);
+#endif
+
 	/* Helper to assign to new connection */
 	struct nf_conntrack_helper *helper;
 
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 37d8c06..8f4e15c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -984,6 +984,10 @@  init_conntrack(struct net *net, struct nf_conn *tmpl,
 				if (help)
 					rcu_assign_pointer(help->helper, exp->helper);
 			}
+#ifdef ATL_CHANGE
+			if (exp->logfn)
+				exp->logfn(tuple);
+#endif
 
 #ifdef CONFIG_NF_CONNTRACK_MARK
 			ct->mark = exp->master->mark;
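Review bot: `exp->logfn` is tested and called here for every matched expectation, but the patch only assigns it in the FTP helper; as far as I can see nf_ct_expect_alloc() uses kmem_cache_alloc() rather than a zeroing variant and nf_ct_expect_init() does not touch the new field, so expectations created by the other helpers (irc, sip, h323, tftp, ...) reach `if (exp->logfn)` with an uninitialised function pointer and may jump to garbage. The fix belongs in nf_ct_expect_init() in net/netfilter/nf_conntrack_expect.c, next to the existing `exp->expectfn = NULL;`: `exp->logfn = NULL;`. The enclosing init_conntrack() starts and ends outside the hunk.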
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index b666959..3dd1900 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -382,6 +382,23 @@  static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
 	}
 }
 
+#ifdef ATL_CHANGE
+void log_ftp_data_connection(const struct nf_conntrack_tuple *tuple)
+{
+	if (tuple) {
+		if (tuple->src.l3num == PF_INET) {
+			pr_info("FTP data connection initiated by %pI4:%d to %pI4:%d\n",
+				&tuple->src.u3.ip, tuple->src.u.tcp.port,
+				&tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+		} else {
+			pr_info("FTP data connection initiated by %pI6:%d to %pI6:%d\n",
+				&tuple->src.u3.ip, tuple->src.u.tcp.port,
+				&tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+		}
+	}
+}
+#endif
+
 static int help(struct sk_buff *skb,
 		unsigned int protoff,
 		struct nf_conn *ct,
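Review bot: `tuple->src.u.tcp.port` and `tuple->dst.u.tcp.port` are `__be16` in network byte order, so printing them with `%d` logs a byte-swapped port on little-endian hosts (and trips sparse's endianness check); they need `ntohs()`. The IPv6 branch passes `&tuple->src.u3.ip`, the `__be32` member, to `%pI6`; it happens to alias `u3.ip6`, but `&tuple->src.u3.ip6` is the field actually meant, and the bare `else` treats every non-PF_INET tuple as IPv6 rather than testing `PF_INET6`. `log_ftp_data_connection` is referenced only from this file and has no prototype, so it should be `static`, and because the message is emitted in response to peer-controlled PORT/EPRT/PASV data, an unratelimited `pr_info()` lets a single remote host flood the log; `pr_info_ratelimited()` keeps it bounded.
```c
static void log_ftp_data_connection(const struct nf_conntrack_tuple *tuple)
{
	if (!tuple)
		return;

	if (tuple->src.l3num == PF_INET) {
		pr_info_ratelimited("FTP data connection initiated by %pI4:%u to %pI4:%u\n",
				    &tuple->src.u3.ip, ntohs(tuple->src.u.tcp.port),
				    &tuple->dst.u3.ip, ntohs(tuple->dst.u.tcp.port));
	} else if (tuple->src.l3num == PF_INET6) {
		pr_info_ratelimited("FTP data connection initiated by %pI6:%u to %pI6:%u\n",
				    &tuple->src.u3.ip6, ntohs(tuple->src.u.tcp.port),
				    &tuple->dst.u3.ip6, ntohs(tuple->dst.u.tcp.port));
	}
}
```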
@@ -529,6 +546,10 @@  skip_nl_seq:
 			  &ct->tuplehash[!dir].tuple.src.u3, daddr,
 			  IPPROTO_TCP, NULL, &cmd.u.tcp.port);
 
+#ifdef ATL_CHANGE
+	exp->logfn = log_ftp_data_connection;
+#endif
+
 	/* Now, NAT might want to mangle the packet, and register the
 	 * (possibly changed) expectation itself. */
 	nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);