[PATCH] netfilter: xt_osf: Add missing permission checks

2017-12-05 Thread Kevin Cernekee
_NET_ADMIN to bypass the netlink_net_capable() check: vpnns -- nfnl_osf -f /tmp/pf.os vpnns -- nfnl_osf -f /tmp/pf.os -d These non-root operations successfully modify the systemwide OS fingerprint list. Add new capable() checks so that they can't. Signed-off-by: Kevin Cernekee <cerne...

[PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks

2017-12-03 Thread Kevin Cernekee
a_len = 24, .status = enabled, }; Add capable() checks in nfnetlink_cthelper, as this is cleaner than trying to generalize the solution. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- net/netfilter/nfnetlink_cthelper.c | 10 ++ 1 file changed, 10 inserti

[PATCH 1/2 conntrack-tools] conntrackd: cthelper: Free pktb after use

2017-01-27 Thread Kevin Cernekee
According to valgrind, this currently leaks ~512B to 2kB for each packet sent to the userspace helper. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- src/cthelper.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cthelper.c b/src/cthelper.c index 54eb830..f01c509

[PATCH 2/2 conntrack-tools] conntrackd: config: Free strdup()ed tokens

2017-01-27 Thread Kevin Cernekee
This frees T_IP, T_PATH_VAL, and T_STRING tokens. They were being flagged by valgrind as memory leaks. Lightly tested using doc/helper/conntrackd.conf and doc/stats/conntrackd.conf. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- src/read_config_yy.

[PATCH V2 1/2] netfilter: ctnetlink: Fix regression in CTA_STATUS processing

2017-01-26 Thread Kevin Cernekee
and helpers because they operate on unconfirmed connections. Instead of returning -EBUSY if the user program asks to modify an unchangeable bit, simply ignore the change. Also, fix the logic so that user programs are allowed to clear the bits that they are allowed to change. Signed-off-by: Ke

[RFC/PATCH 1/3] netfilter: ctnetlink: Fix regression in CTA_TIMEOUT processing

2017-01-16 Thread Kevin Cernekee
f 0 is set for an unconfirmed connection, restore the old behavior of ignoring it (rather than setting up a connection that expires immediately). Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- net/netfilter/nf_conntrack_netlink.c | 12 1 file changed, 8 insertions(+), 4 de

[RFC/PATCH 2/3] netfilter: ctnetlink: Fix regression in CTA_STATUS processing

2017-01-16 Thread Kevin Cernekee
use they operate on unconfirmed connections. Instead of returning -EBUSY if the user program asks to modify an unchangeable bit, simply ignore the change. Also, fix the logic so that user programs are allowed to clear the bits that they are allowed to change. Signed-off-by: Kevin Cernekee <

[RFC/PATCH 0/3] Fix ctnetlink regressions

2017-01-16 Thread Kevin Cernekee
remains bug-compatible with old user code. Kevin Cernekee (3): netfilter: ctnetlink: Fix regression in CTA_TIMEOUT processing netfilter: ctnetlink: Fix regression in CTA_STATUS processing netfilter: ctnetlink: Fix regression in CTA_HELP processing include/uapi/linux/netfilter/nf_conntrack_c

[RFC/PATCH 3/3] netfilter: ctnetlink: Fix regression in CTA_HELP processing

2017-01-16 Thread Kevin Cernekee
If a user program specifies CTA_HELP but the argument matches the current conntrack helper name, ignore it instead of generating an error. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- net/netfilter/nf_conntrack_netlink.c | 13 + 1 file changed, 9 insertions

Re: [PATCH V2 conntrack-tools] conntrackd: cthelper: ssdp: Track UPnP eventing

2017-01-05 Thread Kevin Cernekee
On Thu, Jan 5, 2017 at 1:42 PM, Kevin Cernekee <cerne...@chromium.org> wrote: > + * nfct timeout add long-timewait inet tcp \ > + * established 1000 close 10 time_wait 10 last_ack 10 > + * nfct timeout add long-timewait inet tcp time_wait 3600 > + * iptables -

[PATCH V2 conntrack-tools] conntrackd: cthelper: ssdp: Track UPnP eventing

2017-01-05 Thread Kevin Cernekee
the CALLBACK URL. Tested with and without NAT. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- doc/helper/conntrackd.conf | 10 +- src/helpers/ssdp.c | 477 - 2 files changed, 480 insertions(+), 7 deletions(-) diff --git a/doc/

[PATCH libnetfilter_cttimeout] Use __EXPORTED rather than EXPORT_SYMBOL

2017-01-04 Thread Kevin Cernekee
t exported to library callers. Move the attribute up into the function definition to make clang happy. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- doxygen.cfg.in | 2 +- src/internal.h | 5 ++--- src/libnetfilter_

[PATCH libnetfilter_cthelper] Use __EXPORTED rather than EXPORT_SYMBOL

2017-01-04 Thread Kevin Cernekee
t exported to library callers. Move the attribute up into the function definition to make clang happy. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- doxygen.cfg.in | 2 +- src/internal.h | 5 ++- src/libnetfilter

[PATCH conntrack-tools] Link nfct and helper modules with `-z lazy`

2016-09-11 Thread Kevin Cernekee
if `-z lazy` works, and if so, use it to link nfct and the helpers. conntrackd itself is unaffected, and should still work with `-z now`. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- Note that the autoconf script is GPLv3. But I've seen it used in other projects, and it seeme

Re: Snooping expected connections in a user CT helper

2016-09-08 Thread Kevin Cernekee
On Thu, Sep 1, 2016 at 4:47 PM, Kevin Cernekee <cerne...@chromium.org> wrote: > The patch that I sent out last night is able to handle scenarios in > which the event occurs shortly after the subscription is established. > But in my testing I am noticing two other problems: > >

[PATCH conntrack-tools] conntrackd: cthelper: Add new mdns helper

2016-09-04 Thread Kevin Cernekee
This allows unicast replies to multicast DNS (mDNS / RFC6762) queries. These queries are often used when a full-featured mDNS service (such as avahi-daemon) is not running, or if an mDNS client does not have permission to bind to port 5353. Signed-off-by: Kevin Cernekee <cerne...@chromium.

Re: Snooping expected connections in a user CT helper

2016-09-01 Thread Kevin Cernekee
On Tue, Aug 23, 2016 at 8:36 AM, Pablo Neira Ayuso wrote: >> 2) Just noticed that the sane and tftp modules require Linux 3.12+. >> My test system is running 3.8. Does ssdp have a similar restriction, >> and if so, what would need to be backported? > > Userspace expectation

[PATCH 2/3] conntrackd: cthelper: ftp: Fix debug print

2016-08-31 Thread Kevin Cernekee
matchoff is relative to dataoff, i.e. matchoff=0 (as utilized by nfq_tcp_mangle_ipv4()) points to the first byte of the TCP payload. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- src/helpers/ftp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helpers/f

[PATCH 1/3] conntrackd: cthelper: ftp: Set match offset/len for PORT mangling

2016-08-31 Thread Kevin Cernekee
031 ,18,149,79PORT.1 0x0060: 3932 2c31 3638 2c32 3534 2c32 2c31 3439 92,168,254,2,149 0x0070: 2c37 3927 3a20 636f 6d6d 616e 6420 6e6f ,79':.command.no 0x0080: 7420 756e 6465 7273 746f 6f64 2e0d 0at.understood... Add the missing assignments. Signed-off-by: Kevin Cernekee <

[RFC 3/3] conntrackd: cthelper: ssdp: Track UPnP eventing

2016-08-31 Thread Kevin Cernekee
this is complete, the subscription should work. Add the necessary code to add expectations for each of these connections and rewrite the IP in the CALLBACK URL. Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- This needs more testing on my end, so I'm posting it as an RFC to solicit prelim

Re: Snooping expected connections in a user CT helper

2016-08-22 Thread Kevin Cernekee
On Wed, Aug 17, 2016 at 6:12 PM, Pablo Neira Ayuso wrote: > Looking at ctnetlink, it should be possible to make it via > CTA_EXPECT_HELP_NAME. Thus, by when we find a matching expectation, > the helper is set to this new connection too. > > See line 1086 in

Snooping expected connections in a user CT helper

2016-08-16 Thread Kevin Cernekee
Hi, I am trying to extend the ssdp user helper in conntrackd to handle event subscriptions on a UPnP control point. The flow looks like this: 1) Outbound multicast M-SEARCH packet (dst: 1900/udp) - Create expectation for unicast reply from to source port 2) Inbound unicast reply (there may

[PATCH libnetfilter_conntrack] src: Make the library compile under clang

2016-08-14 Thread Kevin Cernekee
Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- src/conntrack/api.c | 4 ++-- src/expect/api.c| 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/conntrack/api.c b/src/conntrack/api.c index e4d4acc312bb..bed2e42c8f43 100644 --- a/src/conntrack/api.c +++ b/src

[PATCH V3] net: Allow xt_owner in any user namespace

2016-06-14 Thread Kevin Cernekee
onvert from their encoded form into the kernel internal format for uids and gids and perform the owner match. Similar to ping_group_range, this code does not try to detect noncontiguous UID/GID ranges. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Kevin

[PATCH V2] net: Allow xt_owner in any user namespace

2016-06-13 Thread Kevin Cernekee
onvert from their encoded form into the kernel internal format for uids and gids and perform the owner match. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Kevin Cernekee <cerne...@chromium.org> --- Original post: https://lists.linuxfoundation.org/pi