Comments (10)
Yes, this would be good to have. Conntrack support in firewalld could be used for lots of things.

There is conntrack helper support in firewalld 0.4.4, but there is no conntrackd support so far.
Do you have a configuration that is making UPnP work with conntrackd?

I did, but I can't get it to run at the moment. Fedora doesn't currently come with the nfnetlink_cthelper module, which I think is required. Building it requires CONFIG_NETFILTER_NETLINK_GLUE_CT, which also seems not to be set by default. I think I would have to rebuild the whole kernel.
When I had it working, I followed the recipe here: http://conntrack-tools.netfilter.org/manual.html#helpers
I used:

```shell
# register a userspace conntrack helper called "ssdp" for UDP over IPv4
nfct add helper ssdp inet udp
```

and something like:

```shell
# hand locally generated SSDP packets (UDP/1900) to the ssdp helper;
# the CT target has to sit in the raw table
iptables -I OUTPUT -t raw -p udp --dport 1900 -j CT --helper ssdp
```

or (I can't remember, this is from https://www.mail-archive.com/[email protected]/msg03351.html):

```shell
# same for outgoing traffic, plus SSDP arriving from the network
iptables -t raw -A OUTPUT -p udp --dport 1900 -j CT --helper ssdp
iptables -t raw -A PREROUTING -p udp --dport 1900 -j CT --helper ssdp
```

finally, the following in conntrackd.conf:
```
Helper {
    #
    # Before this, you have to make sure you have registered the `ssdp'
    # user-space helper stub via:
    #
    # nfct add helper ssdp inet udp
    #
    Type ssdp inet udp {
        #
        # Set the NFQUEUE number you want to use to receive traffic from
        # the kernel.
        #
        QueueNum 0
        #
        # Maximum number of packets waiting in the queue to receive
        # a verdict from user-space. Default is 1024.
        #
        # Raise the value if you hit the following error message:
        # "nf_queue: full at X entries, dropping packet(s)"
        #
        QueueLen 10240
        #
        # Set the expectation policy for this helper.
        #
        Policy ssdp {
            #
            # Maximum number of simultaneous expectations
            #
            ExpectMax 1
            #
            # Maximum living time for one expectation (in seconds).
            #
            ExpectTimeout 300
        }
    }
}
```
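As an added example (not code from this thread, from conntrack-tools or from firewalld), the three steps above combined into one script: the rule and config generators are plain shell functions so they can be checked without root, and `apply` does the privileged part in the order the conntrack-tools manual uses (register the helper stub, configure conntrackd, add the CT rules, start conntrackd). The config path, the `ip6tables` rules for the IPv6 SSDP groups FF02::C and FF05::C, the IPv4 destination match and the consistency check are assumptions of this example, not something the comment states.

```shell
#!/bin/sh
# Added example: userspace (conntrackd) SSDP helper setup as generator
# functions plus a root-only apply step. Assumptions: the conntrackd.conf
# path below, helper name "ssdp", and IPv6 rules for the SSDP multicast
# groups in addition to the IPv4 rules quoted in the thread.

CONF_PATH="${CONF_PATH:-/etc/conntrackd/conntrackd.conf}"  # assumed path
HELPER="ssdp"
SSDP_PORT=1900

# iptables/ip6tables rules that attach the userspace helper. The CT target
# must live in the raw table so it runs before conntrack classifies the
# packet. OUTPUT covers locally originated M-SEARCH packets; PREROUTING
# covers SSDP arriving on port 1900 from the network (NOTIFY announcements
# and other hosts' searches).
gen_ct_rules() {
    cat <<EOF
iptables -t raw -A OUTPUT -d 239.255.255.250/32 -p udp --dport $SSDP_PORT -j CT --helper $HELPER
iptables -t raw -A PREROUTING -p udp --dport $SSDP_PORT -j CT --helper $HELPER
ip6tables -t raw -A OUTPUT -d FF02::C -p udp --dport $SSDP_PORT -j CT --helper $HELPER
ip6tables -t raw -A OUTPUT -d FF05::C -p udp --dport $SSDP_PORT -j CT --helper $HELPER
ip6tables -t raw -A PREROUTING -p udp --dport $SSDP_PORT -j CT --helper $HELPER
EOF
}

# Helper section for conntrackd.conf (appended to the existing file; the
# General section is still required). QueueNum must be a queue that no
# other NFQUEUE user on the host is bound to.
gen_helper_conf() {
    cat <<EOF
Helper {
    Type $HELPER inet udp {
        QueueNum 0
        QueueLen 10240
        Policy $HELPER {
            ExpectMax 1
            ExpectTimeout 300
        }
    }
}
EOF
}

# The helper name appears in three places (nfct registration, CT rules,
# conntrackd.conf). Check that the generated rules and config agree, so a
# typo cannot send packets to a helper that was never registered.
check_consistency() {
    gen_ct_rules | grep -q -- "--helper $HELPER" &&
    gen_helper_conf | grep -q "Type $HELPER inet udp"
}

# Privileged part: needs root, the nfnetlink_cthelper module, nfct,
# iptables/ip6tables and conntrackd.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply: must run as root" >&2; return 1; }
    check_consistency || { echo "apply: helper name mismatch" >&2; return 1; }
    modprobe nfnetlink_cthelper
    nfct add helper "$HELPER" inet udp
    grep -q "Type $HELPER inet udp" "$CONF_PATH" 2>/dev/null || gen_helper_conf >> "$CONF_PATH"
    gen_ct_rules | sh -e
    conntrackd -d -C "$CONF_PATH"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Run `sh setup-ssdp-helper.sh apply` as root; without the argument the script only defines the functions, so `gen_ct_rules` and `gen_helper_conf` can be inspected first. The rules deliberately use `-A` rather than `-I`: if another raw-table rule already marks SSDP flows, the first match wins and the helper is not attached.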
I got the nfnetlink_cthelper module built and loaded, but I've not yet succeeded in getting SSDP to work correctly again. Not sure if it's lack of CONFIG_NETFILTER_NETLINK_GLUE_CT or not.

I just found this trying to figure out how to use the rpc helper with firewalld.

Now that the direct interface is deprecated, how do we do this?
Now I have this:

```shell
# firewall-cmd --direct --get-all-rules
ipv6 raw OUTPUT 0 -d FF02::C -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
ipv6 raw OUTPUT 0 -d FF05::C -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
ipv4 raw OUTPUT 0 -d 239.255.255.250/32 -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
```

I guess I could possibly add a helper with module `nf_conntrack_ssdp` for port 1900 and then attach it to OUTPUT using a policy object, but there are at least two issues with this:

1. how do I add `-d FF02::C` etc.?
2. it's going to try loading `nf_conntrack_ssdp` and `nf_nat_ssdp` and result in errors, how do I tell it that these are module-less conntrackd helpers?

> Now that the direct interface is deprecated, how do we do this?

I added a footer to that section of the post. Deprecation is not removal. It'll be years (v2.0.0) until the direct interface gets removed. This bug is a good example of a situation that still requires the direct interface.

> Now I have this:
>
> ```shell
> # firewall-cmd --direct --get-all-rules
> ipv6 raw OUTPUT 0 -d FF02::C -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
> ipv6 raw OUTPUT 0 -d FF05::C -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
> ipv4 raw OUTPUT 0 -d 239.255.255.250/32 -p udp -m udp --dport 1900 --sport 32768:60999 -j CT --helper ssdp
> ```
>
> I guess I could possibly add a helper with module `nf_conntrack_ssdp` for port 1900 and then attach it to OUTPUT using a policy object, but there are at least two issues with this:
>
> 1. how do I add `-d FF02::C` etc.?
> 2. it's going to try loading `nf_conntrack_ssdp` and `nf_nat_ssdp` and result in errors, how do I tell it that these are module-less conntrackd helpers?

You are correct. Helpers based on conntrackd are not supported natively. I'll bump the priority of this bug.
> I added a footer to that section of the post. Deprecation is not removal. It'll be years (v2.0.0) until the direct interface gets removed. This bug is a good example of a situation that still requires the direct interface.

Yep, I saw a similar note in the iptables backend deprecation, so I'm not too worried yet, but there was a sentence telling me to file an issue for stuff that can't be done without the direct interface, and that's why I bumped this. :-)

> You are correct. Helpers based on conntrackd are not supported natively. I'll bump the priority of this bug.

Awesome, thanks a lot for the quick reply! Keep up the good work. 🎉

@liskin, have you tried this since 88e76dd (v0.8.0+)? That commit made module loading failures non-fatal. AFAIK, using userspace helpers is no different in regards to the nftables rules.

Edit: You might have to make a dummy helper, e.g. `--new-helper` and `--add-helper`.
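The direct rules shown a few comments up, combined with firewalld's `--query-rule`/`--add-rule` pair, as an added example (not code from this thread or from firewalld): a POSIX shell script that derives the three SSDP rules from one list of address families and multicast destinations, reads the ephemeral port range from the kernel instead of hard-coding `32768:60999`, and adds each rule to both the runtime and the permanent configuration only when it is not already present. The helper is still the userspace `ssdp` helper registered through `nfct`; the dummy `--new-helper` object suggested in the previous comment is not used here. Function names and the fallback range are assumptions of this example.

```shell
#!/bin/sh
# Added example: firewalld direct-interface equivalent of the SSDP CT rules
# from the thread. Not firewalld project code; function names are assumed.

HELPER="ssdp"
SSDP_PORT=1900

# Ephemeral port range as "low:high". The rules in the thread hard-code the
# Linux default 32768:60999; reading it keeps the --sport match correct on
# hosts that tune net.ipv4.ip_local_port_range. Falls back to the default
# when /proc is unavailable.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        read -r lo hi < /proc/sys/net/ipv4/ip_local_port_range
        echo "$lo:$hi"
    else
        echo "32768:60999"
    fi
}

# "<family> <destination>" per rule: the IPv4 SSDP group and the IPv6
# link-local and site-local SSDP groups.
ssdp_targets() {
    printf '%s\n' \
        "ipv4 239.255.255.250/32" \
        "ipv6 FF02::C" \
        "ipv6 FF05::C"
}

# Match arguments for one rule. Restricting --sport to the ephemeral range
# limits helper assignment to locally originated searches, the only traffic
# that needs it; no other flow on the box gets the helper attached.
rule_args() {  # $1 = destination
    echo "-d $1 -p udp -m udp --dport $SSDP_PORT --sport $(ephemeral_range) -j CT --helper $HELPER"
}

# Print the firewall-cmd invocation for each target.
# $1 = add-rule | remove-rule | query-rule, $2 = "--permanent" or "".
gen_direct_cmds() {
    op="$1"
    scope="$2"
    ssdp_targets | while read -r family dest; do
        echo "firewall-cmd${scope:+ $scope} --direct --$op $family raw OUTPUT 0 $(rule_args "$dest")"
    done
}

# Idempotent apply for runtime and permanent config. query-rule exits 0
# when the rule exists, so add-rule only runs for missing rules. Direct
# rules become active immediately at runtime; no reload is needed.
apply_direct_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_direct_rules: must run as root" >&2; return 1; }
    for scope in "" "--permanent"; do
        ssdp_targets | while read -r family dest; do
            args="$(rule_args "$dest")"
            # $scope and $args are left unquoted on purpose: they must split
            firewall-cmd $scope --direct --query-rule "$family" raw OUTPUT 0 $args >/dev/null 2>&1 ||
                firewall-cmd $scope --direct --add-rule "$family" raw OUTPUT 0 $args
        done
    done
}

if [ "${1:-}" = "apply" ]; then apply_direct_rules; fi
```

`gen_direct_cmds query-rule ""` prints the commands to check the runtime rules by hand, and `gen_direct_cmds remove-rule --permanent` the ones to back them out. After applying, `firewall-cmd --direct --get-all-rules` should list the same three lines the poster shows above, and `conntrack -L -p udp --dport 1900` shows `helper=ssdp` on the tracked SSDP flows once the userspace helper is registered and conntrackd is running.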
I've tried this with 0.9.3 that's in Debian testing/stable and I ran into other issues related to policy objects (`ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 49 failed`, `Can't convert policy to chain name: test1, raw, False`, …), possibly because I'm still on the iptables backend, or perhaps these have since been fixed. I then decided to just take a look at the documentation and sources and try to come up with other possible issues (the inability to specify source ports and src/dst multicast addresses, the loading of modules) as I don't have time now to dig very deep into this.

Good to hear that the loading of modules is non-fatal. That makes that bit just a minor issue then.

I guess I could create a VM with a more recent firewalld and try it again, but not right now.