
Comments (10)

t-woerner avatar t-woerner commented on May 20, 2024

Yes, this would be good to have. Conntrack support in firewalld could be used for lots of things.

from firewalld.

t-woerner avatar t-woerner commented on May 20, 2024

There is conntrack helper support in firewalld 0.4.4, but there is no conntrackd support so far.
Do you have a configuration that is making upnp work with conntrackd?


ashh87 avatar ashh87 commented on May 20, 2024

I did, but I can't get it to run at the moment. Fedora doesn't currently come with the nfnetlink_cthelper module, which I think is required. Building it requires CONFIG_NETFILTER_NETLINK_GLUE_CT, which also seems not to be set by default. I think I would have to rebuild the whole kernel.

When I had it working, I followed the recipe here: http://conntrack-tools.netfilter.org/manual.html#helpers
I used:

nfct add helper ssdp inet udp

and something like:
iptables -I OUTPUT -t raw -p udp --dport 1900 -j CT --helper ssdp

or (I can't remember, this is from https://www.mail-archive.com/[email protected]/msg03351.html):
iptables -t raw -A OUTPUT -p udp --dport 1900 -j CT --helper ssdp
iptables -t raw -A PREROUTING -p udp --dport 1900 -j CT --helper ssdp

finally, the following in conntrackd.conf:

Helper {
	# Before this, you have to make sure you have registered the `ssdp'
	# user-space helper stub via:
	#
	# nfct add helper ssdp inet udp
	#
	Type ssdp inet udp {
		#
		# Set NFQUEUE number you want to use to receive traffic from
		# the kernel.
		#
		QueueNum 0

		#
		# Maximum number of packets waiting in the queue to receive
		# a verdict from user-space. Default is 1024.
		#
		# Rise value if you hit the following error message:
		# "nf_queue: full at X entries, dropping packets(s)"
		#
		QueueLen 10240

		#
		# Set the Expectation policy for this helper.
		#
		Policy ssdp {
			#
			# Maximum number of simultaneous expectations
			#
			ExpectMax 1
			#
			# Maximum living time for one expectation (in seconds).
			#
			ExpectTimeout 300
		}
	}
}


ashh87 avatar ashh87 commented on May 20, 2024

I got the nfnetlink_cthelper module built and loaded, but I've not yet succeeded in getting SSDP to work correctly again. Not sure if it's lack of CONFIG_NETFILTER_NETLINK_GLUE_CT or not.


opoplawski avatar opoplawski commented on May 20, 2024

I just found this trying to figure out how to use the rpc helper with firewalld.


liskin avatar liskin commented on May 20, 2024

Now that the direct interface is deprecated, how do we do this?

Now I have this:

# firewall-cmd --direct --get-all-rules
ipv6 raw OUTPUT 0 -d FF02::C -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
ipv6 raw OUTPUT 0 -d FF05::C -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
ipv4 raw OUTPUT 0 -d 239.255.255.250/32 -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp

I guess I could possibly add a helper with module nf_conntrack_ssdp for port 1900 and then attach it to OUTPUT using a policy object, but there are at least two issues with this:

  1. how do I add -d FF02::C etc.?
  2. it's going to try loading nf_conntrack_ssdp and nf_nat_ssdp and result in errors, how do I tell it that these are module-less conntrackd helpers?

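The recipe from ashh87's comment (register the helper with nfct, attach it with CT rules in the raw table) together with the multicast destinations and source-port range from liskin's direct rules, collected into one idempotent script. This is an added example, not code from the firewalld project or from the commenters; the helper name, port, destinations and source-port range come from the thread, while `CHAINS` and `DRY_RUN` are this script's own knobs (`DRY_RUN=1` only prints the commands).

```shell
#!/bin/sh
# Added example (not firewalld's code): register the userspace "ssdp"
# conntrack helper and pin outgoing UDP/1900 multicast traffic to it
# in the raw table, as described in the thread above.
# CHAINS and DRY_RUN are this script's own knobs; DRY_RUN=1 only prints.
set -eu

HELPER=${HELPER:-ssdp}
PORT=${PORT:-1900}
SPORTS=${SPORTS:-32768:60999}   # ephemeral source-port range from the direct rules
CHAINS=${CHAINS:-OUTPUT}        # add PREROUTING if this box forwards SSDP
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One CT rule per (tool, chain, destination). `-C` looks for an identical
# rule first, so re-running the script never inserts a duplicate.
ct_rule() {
    tool=$1 chain=$2 dst=$3
    set -- -d "$dst" -p udp --dport "$PORT" --sport "$SPORTS" \
        -j CT --helper "$HELPER"
    if [ "$DRY_RUN" = 1 ] || ! "$tool" -t raw -C "$chain" "$@" 2>/dev/null; then
        run "$tool" -t raw -I "$chain" "$@"
    fi
}

ssdp_helper_rules() {
    run modprobe nfnetlink_cthelper   # kernel side of userspace helpers
    # tolerate the helper already being registered from an earlier run
    run nfct add helper "$HELPER" inet udp 2>/dev/null || true
    for chain in $CHAINS; do
        ct_rule iptables  "$chain" 239.255.255.250/32
        ct_rule ip6tables "$chain" FF02::C
        ct_rule ip6tables "$chain" FF05::C
    done
}

if [ "${1:-}" = apply ]; then ssdp_helper_rules; fi
```

Run `DRY_RUN=1 sh ssdp-helper.sh apply` to review the generated commands before applying them as root; the conntrackd `Helper` section from ashh87's comment is still needed on the userspace side.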

erig0 avatar erig0 commented on May 20, 2024

> Now that the direct interface is deprecated, how do we do this?

I added a footer to that section of the post. Deprecation is not removal. It'll be years (v2.0.0) until the direct interface gets removed. This bug is a good example of a situation that still requires the direct interface.

> Now I have this:
>
> # firewall-cmd --direct --get-all-rules
> ipv6 raw OUTPUT 0 -d FF02::C -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
> ipv6 raw OUTPUT 0 -d FF05::C -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
> ipv4 raw OUTPUT 0 -d 239.255.255.250/32 -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
>
> I guess I could possibly add a helper with module nf_conntrack_ssdp for port 1900 and then attach it to OUTPUT using a policy object, but there are at least two issues with this:
>
> 1. how do I add `-d FF02::C` etc.?
>
> 2. it's going to try loading `nf_conntrack_ssdp` and `nf_nat_ssdp` and result in errors, how do I tell it that these are module-less conntrackd helpers?

You are correct. Helpers based on conntrackd are not supported natively. I'll bump the priority of this bug.


liskin avatar liskin commented on May 20, 2024

> I added a footer to that section of the post. Deprecation is not removal. It'll be years (v2.0.0) until the direct interface gets removed. This bug is a good example of a situation that still requires the direct interface.

Yep, I saw a similar note in iptables backend deprecation, so I'm not too worried yet, but there was a sentence telling me to file an issue for stuff that can't be done without the direct interface, and that's why I bumped this. :-)

> You are correct. Helpers based on conntrackd are not supported natively. I'll bump the priority of this bug.

Awesome, thanks a lot for the quick reply! Keep up the good work. 🎉


erig0 avatar erig0 commented on May 20, 2024

@liskin , have you tried this since 88e76dd (v0.8.0+)? That commit made module loading failures non-fatal. AFAIK, using userspace helpers is no different in regards to the nftables rules.

Edit: You might have to make a dummy helper, e.g. --new-helper and --add-helper


liskin avatar liskin commented on May 20, 2024

I've tried this with 0.9.3 that's in debian testing/stable and I ran into other issues related to policy objects (ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 49 failed, Can't convert policy to chain name: test1, raw, False, …), possibly because I'm still on the iptables backend, or perhaps these have since been fixed. I then decided to just take a look at the documentation and sources and try to come up with other possible issues (the inability to specify source ports and src/dst multicast addresses, the loading of modules) as I don't have time now to dig very deep into this.

Good to hear that the loading of modules is non-fatal. That makes that bit just a minor issue then.

I guess I could create a VM with a more recent firewalld and try it again, but not right now.

