diff --git a/.conntrack-tools.metadata b/.conntrack-tools.metadata new file mode 100644 index 0000000..174887b --- /dev/null +++ b/.conntrack-tools.metadata @@ -0,0 +1 @@ +25b36fb6832373ef899bade3b82adf5382b9a05b SOURCES/conntrack-tools-1.4.4.tar.bz2 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e5fee0e --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/conntrack-tools-1.4.4.tar.bz2 diff --git a/README.md b/README.md deleted file mode 100644 index 98f42b4..0000000 --- a/README.md +++ /dev/null @@ -1,4 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/conntrack-tools-1.4.4-conntrack.patch b/SOURCES/conntrack-tools-1.4.4-conntrack.patch new file mode 100644 index 0000000..5148073 --- /dev/null +++ b/SOURCES/conntrack-tools-1.4.4-conntrack.patch @@ -0,0 +1,438 @@ +diff --git a/src/conntrack.c b/src/conntrack.c +index bd337f4..6e96b58 100644 +--- a/src/conntrack.c ++++ b/src/conntrack.c +@@ -43,6 +43,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -437,6 +439,9 @@ static const int opt2type[] = { + static const int opt2maskopt[] = { + ['s'] = '{', + ['d'] = '}', ++ ['g'] = 0, ++ ['j'] = 0, ++ ['n'] = 0, + ['r'] = 0, /* no netmask */ + ['q'] = 0, /* support yet */ + ['{'] = 0, +@@ -448,6 +453,8 @@ static const int opt2maskopt[] = { + static const int opt2family_attr[][2] = { + ['s'] = { ATTR_ORIG_IPV4_SRC, ATTR_ORIG_IPV6_SRC }, + ['d'] = { ATTR_ORIG_IPV4_DST, ATTR_ORIG_IPV6_DST }, ++ ['g'] = { ATTR_DNAT_IPV4, ATTR_DNAT_IPV6 }, ++ ['n'] = { ATTR_SNAT_IPV4, ATTR_SNAT_IPV6 }, + ['r'] = { ATTR_REPL_IPV4_SRC, ATTR_REPL_IPV6_SRC }, + ['q'] = { ATTR_REPL_IPV4_DST, ATTR_REPL_IPV6_DST }, + ['{'] = { ATTR_ORIG_IPV4_SRC, ATTR_ORIG_IPV6_SRC }, +@@ -459,6 +466,8 @@ static const int opt2family_attr[][2] = { + static const int opt2attr[] = { + ['s'] = ATTR_ORIG_L3PROTO, + ['d'] = ATTR_ORIG_L3PROTO, ++ ['g'] = ATTR_ORIG_L3PROTO, ++ ['n'] = ATTR_ORIG_L3PROTO, + ['r'] = ATTR_REPL_L3PROTO, + ['q'] = ATTR_REPL_L3PROTO, + ['{'] = ATTR_ORIG_L3PROTO, +@@ -1094,58 +1103,85 @@ parse_addr(const char *cp, union ct_address *address, int *mask) + return family; + } + +-static void +-nat_parse(char *arg, struct nf_conntrack *obj, int type) ++static bool ++valid_port(char *cursor) + { +- char *colon, *error; +- union ct_address parse; ++ const char *str = cursor; ++ /* Missing port number */ ++ if (!*str) ++ return false; + +- colon = strchr(arg, ':'); ++ /* Must be entirely digits - no spaces or +/- */ ++ while (*cursor) { ++ if (!isdigit(*cursor)) ++ return false; ++ else ++ ++cursor; ++ } + +- if (colon) { +- uint16_t port; ++ /* Must be in range */ ++ errno = 0; ++ long port = strtol(str, NULL, 10); + +- *colon = '\0'; ++ if ((errno == ERANGE && (port == LONG_MAX || port == LONG_MIN)) ++ || (errno != 0 && port == 0) || (port > USHRT_MAX)) ++ return false; + +- port = (uint16_t)atoi(colon+1); +- if (port == 0) { +- if (strlen(colon+1) == 0) { +- exit_error(PARAMETER_PROBLEM, +- "No port specified after `:'"); +- } else { +- exit_error(PARAMETER_PROBLEM, +- "Port `%s' not valid", colon+1); +- } +- } ++ return true; ++} ++ ++static void ++split_address_and_port(const char *arg, char **address, char **port_str) ++{ ++ char *cursor = strchr(arg, '['); ++ ++ if (cursor) { ++ /* IPv6 address with port*/ ++ char *start = cursor + 1; + +- error = strchr(colon+1, ':'); +- if (error) ++ cursor = strchr(start, ']'); ++ if (start == cursor) { ++ exit_error(PARAMETER_PROBLEM, ++ "No IPv6 address specified"); ++ } else if (!cursor) { + exit_error(PARAMETER_PROBLEM, +- "Invalid port:port syntax"); +- +- if (type == CT_OPT_SRC_NAT) +- nfct_set_attr_u16(tmpl.ct, ATTR_SNAT_PORT, ntohs(port)); +- else if (type == CT_OPT_DST_NAT) +- nfct_set_attr_u16(tmpl.ct, ATTR_DNAT_PORT, ntohs(port)); +- else if (type == CT_OPT_ANY_NAT) { +- nfct_set_attr_u16(tmpl.ct, ATTR_SNAT_PORT, ntohs(port)); +- nfct_set_attr_u16(tmpl.ct, ATTR_DNAT_PORT, ntohs(port)); ++ "No closing ']' around IPv6 address"); + } +- } ++ size_t len = cursor - start; + +- if (parse_addr(arg, &parse, NULL) == AF_UNSPEC) { +- if (strlen(arg) == 0) { +- exit_error(PARAMETER_PROBLEM, "No IP specified"); ++ cursor = strchr(cursor, ':'); ++ if (cursor) { ++ /* Copy address only if there is a port */ ++ *address = strndup(start, len); ++ } ++ } else { ++ cursor = strchr(arg, ':'); ++ if (cursor && !strchr(cursor + 1, ':')) { ++ /* IPv4 address with port */ ++ *address = strndup(arg, cursor - arg); + } else { ++ /* v6 address */ ++ cursor = NULL; ++ } ++ } ++ if (cursor) { ++ /* Parse port entry */ ++ cursor++; ++ if (strlen(cursor) == 0) { + exit_error(PARAMETER_PROBLEM, +- "Invalid IP address `%s'", arg); ++ "No port specified after `:'"); + } ++ if (!valid_port(cursor)) { ++ exit_error(PARAMETER_PROBLEM, ++ "Invalid port `%s'", cursor); ++ } ++ *port_str = strdup(cursor); ++ } else { ++ /* No port colon or more than one colon (ipv6) ++ * assume arg is straight IP address and no port ++ */ ++ *address = strdup(arg); + } +- +- if (type == CT_OPT_SRC_NAT || type == CT_OPT_ANY_NAT) +- nfct_set_attr_u32(tmpl.ct, ATTR_SNAT_IPV4, parse.v4); +- else if (type == CT_OPT_DST_NAT || type == CT_OPT_ANY_NAT) +- nfct_set_attr_u32(tmpl.ct, ATTR_DNAT_IPV4, parse.v4); + } + + static void +@@ -1289,7 +1325,7 @@ nfct_ip6_net_cmp(const union ct_address *addr, const struct ct_network *net) + + static int + nfct_ip_net_cmp(int family, const union ct_address *addr, +- const struct ct_network *net) ++ const struct ct_network *net) + { + switch(family) { + case AF_INET: +@@ -2128,6 +2164,7 @@ static void merge_bitmasks(struct nfct_bitmask **current, + nfct_bitmask_destroy(src); + } + ++ + static void + nfct_build_netmask(uint32_t *dst, int b, int n) + { +@@ -2147,10 +2184,9 @@ nfct_build_netmask(uint32_t *dst, int b, int n) + } + + static void +-nfct_set_addr_opt(int opt, struct nf_conntrack *ct, union ct_address *ad, +- int l3protonum) ++nfct_set_addr_only(const int opt, struct nf_conntrack *ct, union ct_address *ad, ++ const int l3protonum) + { +- options |= opt2type[opt]; + switch (l3protonum) { + case AF_INET: + nfct_set_attr_u32(ct, +@@ -2163,24 +2199,33 @@ nfct_set_addr_opt(int opt, struct nf_conntrack *ct, union ct_address *ad, + &ad->v6); + break; + } ++} ++ ++static void ++nfct_set_addr_opt(const int opt, struct nf_conntrack *ct, union ct_address *ad, ++ const int l3protonum) ++{ ++ options |= opt2type[opt]; ++ nfct_set_addr_only(opt, ct, ad, l3protonum); + nfct_set_attr_u8(ct, opt2attr[opt], l3protonum); + } + + static void +-nfct_parse_addr_from_opt(int opt, struct nf_conntrack *ct, +- struct nf_conntrack *ctmask, +- union ct_address *ad, int *family) ++nfct_parse_addr_from_opt(const int opt, const char *arg, ++ struct nf_conntrack *ct, ++ struct nf_conntrack *ctmask, ++ union ct_address *ad, int *family) + { +- int l3protonum, mask, maskopt; ++ int mask, maskopt; + +- l3protonum = parse_addr(optarg, ad, &mask); ++ const int l3protonum = parse_addr(arg, ad, &mask); + if (l3protonum == AF_UNSPEC) { + exit_error(PARAMETER_PROBLEM, +- "Invalid IP address `%s'", optarg); ++ "Invalid IP address `%s'", arg); + } + set_family(family, l3protonum); + maskopt = opt2maskopt[opt]; +- if (!maskopt && mask != -1) { ++ if (mask != -1 && !maskopt) { + exit_error(PARAMETER_PROBLEM, + "CIDR notation unavailable" + " for `--%s'", get_long_opt(opt)); +@@ -2192,7 +2237,7 @@ nfct_parse_addr_from_opt(int opt, struct nf_conntrack *ct, + nfct_set_addr_opt(opt, ct, ad, l3protonum); + + /* bail if we don't have a netmask to set*/ +- if (!maskopt || mask == -1 || ctmask == NULL) ++ if (mask == -1 || !maskopt || ctmask == NULL) + return; + + switch(l3protonum) { +@@ -2211,6 +2256,24 @@ nfct_parse_addr_from_opt(int opt, struct nf_conntrack *ct, + nfct_set_addr_opt(maskopt, ctmask, ad, l3protonum); + } + ++static void ++nfct_set_nat_details(const int opt, struct nf_conntrack *ct, ++ union ct_address *ad, const char *port_str, ++ const int family) ++{ ++ const int type = opt2type[opt]; ++ ++ nfct_set_addr_only(opt, ct, ad, family); ++ if (port_str && type == CT_OPT_SRC_NAT) { ++ nfct_set_attr_u16(ct, ATTR_SNAT_PORT, ++ ntohs((uint16_t)atoi(port_str))); ++ } else if (port_str && type == CT_OPT_DST_NAT) { ++ nfct_set_attr_u16(ct, ATTR_DNAT_PORT, ++ ntohs((uint16_t)atoi(port_str))); ++ } ++ ++} ++ + int main(int argc, char *argv[]) + { + int c, cmd; +@@ -2289,17 +2352,18 @@ int main(int argc, char *argv[]) + case 'd': + case 'r': + case 'q': +- nfct_parse_addr_from_opt(c, tmpl.ct, tmpl.mask, +- &ad, &family); ++ nfct_parse_addr_from_opt(c, optarg, tmpl.ct, ++ tmpl.mask, &ad, &family); + break; + case '[': + case ']': +- nfct_parse_addr_from_opt(c, tmpl.exptuple, tmpl.mask, +- &ad, &family); ++ nfct_parse_addr_from_opt(c, optarg, tmpl.exptuple, ++ tmpl.mask, &ad, &family); + break; + case '{': + case '}': +- nfct_parse_addr_from_opt(c, tmpl.mask, NULL, &ad, &family); ++ nfct_parse_addr_from_opt(c, optarg, tmpl.mask, ++ NULL, &ad, &family); + break; + case 'p': + options |= CT_OPT_PROTO; +@@ -2341,19 +2405,34 @@ int main(int argc, char *argv[]) + break; + case 'n': + case 'g': +- case 'j': { +- char *tmp = NULL; +- ++ case 'j': + options |= opt2type[c]; +- +- tmp = get_optional_arg(argc, argv); +- if (tmp == NULL) +- continue; +- +- set_family(&family, AF_INET); +- nat_parse(tmp, tmpl.ct, opt2type[c]); ++ char *optional_arg = get_optional_arg(argc, argv); ++ ++ if (optional_arg) { ++ char *port_str = NULL; ++ char *nat_address = NULL; ++ ++ split_address_and_port(optional_arg, ++ &nat_address, ++ &port_str); ++ nfct_parse_addr_from_opt(c, nat_address, ++ tmpl.ct, NULL, ++ &ad, &family); ++ if (c == 'j') { ++ /* Set details on both src and dst ++ * with any-nat ++ */ ++ nfct_set_nat_details('g', tmpl.ct, &ad, ++ port_str, family); ++ nfct_set_nat_details('n', tmpl.ct, &ad, ++ port_str, family); ++ } else { ++ nfct_set_nat_details(c, tmpl.ct, &ad, ++ port_str, family); ++ } ++ } + break; +- } + case 'w': + case '(': + case ')': +diff --git a/tests/conntrack/testsuite/00create b/tests/conntrack/testsuite/00create +index 40e2c19..afe4342 100644 +--- a/tests/conntrack/testsuite/00create ++++ b/tests/conntrack/testsuite/00create +@@ -18,3 +18,9 @@ + -I -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 --state LISTEN -u SEEN_REPLY -t 50 ; OK + # delete reverse + -D -r 2.2.2.2 -q 1.1.1.1 -p tcp --reply-port-src 11 --reply-port-dst 21 ; OK ++# create a v6 conntrack ++-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK ++# delete v6 conntrack ++-D -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p tcp --sport 10 --dport 20 ; OK ++# mismatched address family ++-I -s 2001:DB8::1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +diff --git a/tests/conntrack/testsuite/03nat b/tests/conntrack/testsuite/03nat +index f94e8ff..014feb8 100644 +--- a/tests/conntrack/testsuite/03nat ++++ b/tests/conntrack/testsuite/03nat +@@ -36,5 +36,13 @@ + -L --dst-nat 3.3.3.3:81 ; OK + # show + -L --dst-nat 1.1.1.1:80 ; OK ++# badport ++-L --dst-nat 1.1.1.1: ; BAD ++# badport ++-L --dst-nat 1.1.1.1::; BAD ++# badport ++-L --dst-nat 1.1.1.1:80:80; BAD ++# badport ++-L --dst-nat 1.1.1.1:65536; BAD + # delete + -D -s 1.1.1.1 ; OK +diff --git a/tests/conntrack/testsuite/07nat6 b/tests/conntrack/testsuite/07nat6 +new file mode 100644 +index 0000000..8cecd8e +--- /dev/null ++++ b/tests/conntrack/testsuite/07nat6 +@@ -0,0 +1,56 @@ ++# create dummy ++-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --dst-nat 2001:DB8::3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK ++# show ++-L --dst-nat ; OK ++# show ++-L --dst-nat 2001:DB8::3.3.3.3 ; OK ++# show ++-L --src-nat ; OK ++# delete ++-D -s 2001:DB8::1.1.1.1 ; OK ++# create dummy again ++-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --src-nat 2001:DB8::3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK ++# show ++-L --src-nat ; OK ++# show ++-L --src-nat 2001:DB8::3.3.3.3 ; OK ++# show ++-L --dst-nat ; OK ++# show any-nat ++-L --any-nat ; OK ++# delete ++-D -s 2001:DB8::1.1.1.1 ; OK ++# bad combination ++-L --dst-nat --any-nat ; BAD ++# bad combination ++-L --src-nat --any-nat ; BAD ++# bad combination ++-L --src-nat --dst-nat --any-nat ; BAD ++# create ++-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --dst-nat [2001:DB8::3.3.3.3]:80 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK ++# show ++-L --dst-nat [2001:DB8::3.3.3.3]:80 ; OK ++# show ++-L --any-nat [2001:DB8::3.3.3.3]:80 ; OK ++# show ++-L --dst-nat [2001:DB8::3.3.3.3]:81 ; OK ++# show ++-L --dst-nat [2001:DB8::1.1.1.1]:80 ; OK ++# noport ++-L --dst-nat [2001:DB8::1.1.1.1]: ; BAD ++# badport ++-L --dst-nat [2001:DB8::1.1.1.1]:: ; BAD ++# badport ++-L --dst-nat [2001:DB8::1.1.1.1]:80:80 ; BAD ++# badport ++-L --dst-nat [2001:DB8::1.1.1.1]:65536 ; BAD ++# delete ++-D -s 2001:DB8::1.1.1.1 ; OK ++# mismatched address family ++-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --dst-nat 3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD ++# mismatched address family ++-I -s 1.1.1.1 -d 2.2.2.2 --dst-nat 2001:DB8::3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD ++# create - brackets only for ports in nat ++-I -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 --dst-nat [2001:DB8::3.3.3.3] -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD ++# create - brackets rejected elsewhere ++-I -s [2001:DB8::1.1.1.1] -d 2001:DB8::2.2.2.2 --dst-nat 2001:DB8::3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; BAD +-- +2.7.4 + diff --git a/SOURCES/conntrackd.conf b/SOURCES/conntrackd.conf new file mode 100644 index 0000000..3970e91 --- /dev/null +++ b/SOURCES/conntrackd.conf @@ -0,0 +1,419 @@ + +# See also: http://conntrack-tools.netfilter.org/support.html +# +# There are 3 different modes of running conntrackd: "alarm", "notrack" and "ftfw" +# +# The default package ships with a FTFW configuration, see /usr/share/doc/conntrackd* +# for example configurations for other modes. + + +# +# Synchronizer settings +# +Sync { + Mode FTFW { + # + # Size of the resend queue (in objects). This is the maximum + # number of objects that can be stored waiting to be confirmed + # via acknoledgment. If you keep this value low, the daemon + # will have less chances to recover state-changes under message + # omission. On the other hand, if you keep this value high, + # the daemon will consume more memory to store dead objects. + # Default is 131072 objects. + # + # ResendQueueSize 131072 + + # + # This parameter allows you to set an initial fixed timeout + # for the committed entries when this node goes from backup + # to primary. This mechanism provides a way to purge entries + # that were not recovered appropriately after the specified + # fixed timeout. If you set a low value, TCP entries in + # Established states with no traffic may hang. For example, + # an SSH connection without KeepAlive enabled. If not set, + # the daemon uses an approximate timeout value calculation + # mechanism. By default, this option is not set. + # + # CommitTimeout 180 + + # + # If the firewall replica goes from primary to backup, + # the conntrackd -t command is invoked in the script. + # This command schedules a flush of the table in N seconds. + # This is useful to purge the connection tracking table of + # zombie entries and avoid clashes with old entries if you + # trigger several consecutive hand-overs. Default is 60 seconds. + # + # PurgeTimeout 60 + + # Set the acknowledgement window size. If you decrease this + # value, the number of acknowlegdments increases. More + # acknowledgments means more overhead as conntrackd has to + # handle more control messages. On the other hand, if you + # increase this value, the resend queue gets more populated. + # This results in more overhead in the queue releasing. + # The following value is based on some practical experiments + # measuring the cycles spent by the acknowledgment handling + # with oprofile. If not set, default window size is 300. + # + # ACKWindowSize 300 + + # + # This clause allows you to disable the external cache. Thus, + # the state entries are directly injected into the kernel + # conntrack table. As a result, you save memory in user-space + # but you consume slots in the kernel conntrack table for + # backup state entries. Moreover, disabling the external cache + # means more CPU consumption. You need a Linux kernel + # >= 2.6.29 to use this feature. By default, this clause is + # set off. If you are installing conntrackd for first time, + # please read the user manual and I encourage you to consider + # using the fail-over scripts instead of enabling this option! + # + # DisableExternalCache Off + } + + # + # Multicast IP and interface where messages are + # broadcasted (dedicated link). IMPORTANT: Make sure + # that iptables accepts traffic for destination + # 225.0.0.50, eg: + # + # iptables -I INPUT -d 225.0.0.50 -j ACCEPT + # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT + # + Multicast { + # + # Multicast address: The address that you use as destination + # in the synchronization messages. You do not have to add + # this IP to any of your existing interfaces. If any doubt, + # do not modify this value. + # + IPv4_address 225.0.0.50 + + # + # The multicast group that identifies the cluster. If any + # doubt, do not modify this value. + # + Group 3780 + + # + # IP address of the interface that you are going to use to + # send the synchronization messages. Remember that you must + # use a dedicated link for the synchronization messages. + # + IPv4_interface 192.168.100.100 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + Interface eth2 + + # The multicast sender uses a buffer to enqueue the packets + # that are going to be transmitted. The default size of this + # socket buffer is available at /proc/sys/net/core/wmem_default. + # This value determines the chances to have an overrun in the + # sender queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size + # of the sender buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + SndSocketBuffer 1249280 + + # The multicast receiver uses a buffer to enqueue the packets + # that the socket is pending to handle. The default size of this + # socket buffer is available at /proc/sys/net/core/rmem_default. + # This value determines the chances to have an overrun in the + # receiver queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size of + # the receiver buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. This is a good + # property to achieve fault-tolerance. In case of doubt, do + # not modify this value. + # + Checksum on + } + # + # You can specify more than one dedicated link. Thus, if one dedicated + # link fails, conntrackd can fail-over to another. Note that adding + # more than one dedicated link does not mean that state-updates will + # be sent to all of them. There is only one active dedicated link at + # a given moment. The `Default' keyword indicates that this interface + # will be selected as the initial dedicated link. You can have + # up to 4 redundant dedicated links. Note: Use different multicast + # groups for every redundant link. + # + # Multicast Default { + # IPv4_address 225.0.0.51 + # Group 3781 + # IPv4_interface 192.168.100.101 + # Interface eth3 + # # SndSocketBuffer 1249280 + # # RcvSocketBuffer 1249280 + # Checksum on + # } + + # + # You can use Unicast UDP instead of Multicast to propagate events. + # Note that you cannot use unicast UDP and Multicast at the same + # time, you can only select one. + # + # UDP { + # + # UDP address that this firewall uses to listen to events. + # + # IPv4_address 192.168.2.100 + # + # or you may want to use an IPv6 address: + # + # IPv6_address fe80::215:58ff:fe28:5a27 + + # + # Destination UDP address that receives events, ie. the other + # firewall's dedicated link address. + # + # IPv4_Destination_Address 192.168.2.101 + # + # or you may want to use an IPv6 address: + # + # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c + + # + # UDP port used + # + # Port 3780 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + # Interface eth2 + + # + # The sender socket buffer size + # + # SndSocketBuffer 1249280 + + # + # The receiver socket buffer size + # + # RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. + # + # Checksum on + # } + + # + # Other unsorted options that are related to the synchronization. + # + # Options { + # + # TCP state-entries have window tracking disabled by default, + # you can enable it with this option. As said, default is off. + # This feature requires a Linux kernel >= 2.6.36. + # + # TCPWindowTracking Off + # } +} + +# +# General settings +# +General { + # + # Set the nice value of the daemon, this value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # very low value reduces the chances to lose state-change events. + # Default is 0 but this example file sets it to most favourable + # scheduling as this is generally a good idea. See man nice(1) for + # more information. + # + Nice -20 + + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + + # + # Number of buckets in the cache hashtable. The bigger it is, + # the closer it gets to O(1) at the cost of consuming more memory. + # Read some documents about tuning hashtables for further reference. + # + HashSize 32768 + + # + # Maximum number of conntracks, it should be double of: + # $ cat /proc/sys/net/netfilter/nf_conntrack_max + # since the daemon may keep some dead entries cached for possible + # retransmission during state synchronization. + # + HashLimit 131072 + + # + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off + # + LogFile on + + # + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # Default: off + # + #Syslog on + + # + # Lockfile + # + LockFile /var/lock/conntrack.lock + + # + # Unix socket configuration + # + UNIX { + Path /var/run/conntrackd.ctl + Backlog 20 + } + + # + # Netlink event socket buffer size. If you do not specify this clause, + # the default buffer size value in /proc/net/core/rmem_default is + # used. This default value is usually around 100 Kbytes which is + # fairly small for busy firewalls. This leads to event message dropping + # and high CPU consumption. This example configuration file sets the + # size to 2 MBytes to avoid this sort of problems. + # + NetlinkBufferSize 2097152 + + # + # The daemon doubles the size of the netlink event socket buffer size + # if it detects netlink event message dropping. This clause sets the + # maximum buffer size growth that can be reached. This example file + # sets the size to 8 MBytes. + # + NetlinkBufferSizeMaxGrowth 8388608 + + # + # If the daemon detects that Netlink is dropping state-change events, + # it automatically schedules a resynchronization against the Kernel + # after 30 seconds (default value). Resynchronizations are expensive + # in terms of CPU consumption since the daemon has to get the full + # kernel state-table and purge state-entries that do not exist anymore. + # Be careful of setting a very small value here. You have the following + # choices: On (enabled, use default 30 seconds value), Off (disabled) + # or Value (in seconds, to set a specific amount of time). If not + # specified, the daemon assumes that this option is enabled. + # + # NetlinkOverrunResync On + + # + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + + # + # The daemon prioritizes the handling of state-change events coming + # from the core. With this clause, you can set the maximum number of + # state-change events (those coming from kernel-space) that the daemon + # will handle after which it will handle other events coming from the + # network or userspace. A low value improves interactivity (in terms of + # real-time behaviour) at the cost of extra CPU consumption. + # Default (if not set) is 100. + # + # EventIterationLimit 100 + + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # You can select if conntrackd filters the event messages from + # user-space or kernel-space. The kernel-space event filtering + # saves some CPU cycles by avoiding the copy of the event message + # from kernel-space to user-space. The kernel-space event filtering + # is prefered, however, you require a Linux kernel >= 2.6.29 to + # filter from kernel-space. If you want to select kernel-space + # event filtering, use the keyword 'Kernelspace' instead of + # 'Userspace'. + # + Filter From Userspace { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + SCTP + DCCP + # UDP + # ICMP # This requires a Linux kernel >= 2.6.31 + # IPv6-ICMP # This requires a Linux kernel >= 2.6.31 + } + + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # Note that these values depends on the local IPs that are + # assigned to the firewall. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + IPv4_address 192.168.0.1 + IPv4_address 192.168.1.1 + IPv4_address 192.168.100.100 # dedicated link ip + # + # You can also specify networks in format IP/cidr. + # IPv4_address 192.168.0.0/24 + # + # You can also specify an IPv6 address + # IPv6_address ::1 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } +} diff --git a/SOURCES/conntrackd.service b/SOURCES/conntrackd.service new file mode 100644 index 0000000..95a360b --- /dev/null +++ b/SOURCES/conntrackd.service @@ -0,0 +1,13 @@ +[Unit] +Description=connection tracking daemon for debugging and High Availablity +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple +# See rhbz#1255578 - daemon will not start if lock file is left dangling +ExecStartPre=/bin/rm -f /var/lock/conntrack.lock +ExecStart=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf + +[Install] +WantedBy=multi-user.target diff --git a/SPECS/conntrack-tools.spec b/SPECS/conntrack-tools.spec new file mode 100644 index 0000000..60471ed --- /dev/null +++ b/SPECS/conntrack-tools.spec @@ -0,0 +1,110 @@ +Name: conntrack-tools +Version: 1.4.4 +Release: 4%{?dist} +Summary: Manipulate netfilter connection tracking table and run High Availability +Group: System Environment/Base +License: GPLv2 +URL: http://netfilter.org +Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2 +Source1: conntrackd.service +Source2: conntrackd.conf +BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.6 +BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0 +BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2 +BuildRequires: pkgconfig bison flex +Requires: libnetfilter_conntrack >= 1.0.6 +Provides: conntrack = 1.0-1 +Obsoletes: conntrack < 1.0-1 +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +BuildRequires: systemd + +Patch1: conntrack-tools-1.4.4-conntrack.patch + +%description +With conntrack-tools you can setup a High Availability cluster and +synchronize conntrack state between multiple firewalls. + +The conntrack-tools package contains two programs: +- conntrack: the command line interface to interact with the connection + tracking system. +- conntrackd: the connection tracking userspace daemon that can be used to + deploy highly available GNU/Linux firewalls and collect + statistics of the firewall use. + +conntrack is used to search, list, inspect and maintain the netfilter +connection tracking subsystem of the Linux kernel. +Using conntrack, you can dump a list of all (or a filtered selection of) +currently tracked connections, delete connections from the state table, +and even add new ones. +In addition, you can also monitor connection tracking events, e.g. +show an event message (one line) per newly established connection. + +%prep +%setup -q +%patch1 -p1 + +%build +# do not use --enable-cthelper --enable-cttimeout, it causes disabling of these features +%configure --disable-static +%{__make} %{?_smp_mflags} +chmod 644 doc/sync/primary-backup.sh +rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig + +%install +%{__make} install DESTDIR=%{buildroot} +find $RPM_BUILD_ROOT -type f -name "*.la" -exec rm -f {} ';' +mkdir -p %{buildroot}%{_sysconfdir}/conntrackd +install -d 0755 %{buildroot}%{_unitdir} +install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/ +install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ + +%files +%doc COPYING AUTHORS TODO doc +%dir %{_sysconfdir}/conntrackd +%config(noreplace) %{_sysconfdir}/conntrackd/conntrackd.conf +%{_unitdir}/conntrackd.service +%{_sbindir}/conntrack +%{_sbindir}/conntrackd +%{_sbindir}/nfct +%{_mandir}/man8/* +%{_mandir}/man5/* +%dir %{_libdir}/conntrack-tools +%{_libdir}/conntrack-tools/* + +%post +%systemd_post conntrackd.service + +%preun +%systemd_preun conntrackd.service + +%postun +%systemd_postun conntrackd.service + +%changelog +* Fri Aug 24 2018 Paul Wouters - 1.4.4-4 +- Resolves: rhbz#1578059 Greatest NVR version of conntrack-tools for ppc64le and x86_64 are different + +* Mon Apr 03 2017 Paul Wouters - 1.4.4-3 +- Resolves: rhbz#1425552 (explicitely Require: libnetfilter_conntrack >= 1.0.6 as it is same .so version) + +* Thu Mar 16 2017 Paul Wouters - 1.4.4-2 +- Resolves: rhbz#1425552 (conntrack cmd was missing IPv6 support as well) + +* Fri Mar 03 2017 Paul Wouters - 1.4.4-1 +- Resolves: rhbz#1425552 conntrack does not support Ipv6 NAT + +* Fri Aug 12 2016 Paul Wouters - 1.4.3-1 +- Resolves: rhbz#1351701 conntrackd -d throws "ERROR: Helper support is disabled" + +* Fri Aug 21 2015 Paul Wouters - 1.4.2-9 +- Resolves: rhbz#1255578 conntrackd could neither be started nor be stopped + +* Tue Aug 18 2015 Paul Wouters - 1.4.2-8 +- Resolves: rhbz#CVE-2015-6496 +- Fold in upstream patches since 1.4.2 release up to git 900d7e8 +- Fold in upstream patch set of 2015-08-18 for coverity issues + +* Thu May 21 2015 Paul Wouters - 1.4.2-7 +- Resolves: rhbz#1122611 [BNE] Add conntrack-tools package to RHEL-7