@hs256
Last active August 13, 2018 04:36
GSOC 2018 with Netfilter Organisation Work - By Harsha Sharma

Hello,

My GSoC project implemented fine-grained connection tracking timeout policies in nftables: a new `ct timeout` object type that holds per-state timeouts for one L4 protocol, and a `ct timeout set` statement that assigns it to connections from a rule.

Ruleset:

table raw {
  chain pre {
    type filter hook prerouting priority -300;
  }
  chain output {
    type filter hook output priority -300;
  }
}

Adding a connection tracking timeout object:

Syntax:

nft add ct timeout [<family>] <table> <obj_name> { protocol <l4 protocol> \; policy = { <state_name>: <timeout_value>, ... } \; [ l3proto <l3 protocol> \; ] }

(Every `;` inside the braces must be escaped as `\;` when the command is typed into a shell, otherwise the shell splits the command at the first semicolon.)

Example:

nft add ct timeout ip raw cttime { protocol tcp \; policy = { established: 200, close: 13, close_wait: 16 } \; l3proto ip \; }

Output:

nft list ruleset -a

table ip raw { # handle 2
	ct timeout cttime { # handle 3
		protocol tcp;
		l3proto ip
		policy = {established: 200, close_wait: 16, close: 13}
	}

	chain pre { # handle 1
		type filter hook prerouting priority -300; policy accept;
	}

	chain output { # handle 2
		type filter hook output priority -300; policy accept;
	}
}

Assigning the connection tracking timeout policy to connections via a rule:

Syntax:

nft add rule [<family>] <table> <chain> ct timeout set <obj_name>

Example:

nft add rule ip raw output ct timeout set cttime

Output:

nft list ruleset -a

table ip raw { # handle 2
	ct timeout cttime { # handle 3
		protocol tcp;
		l3proto ip
		policy = {established: 200, close_wait: 16, close: 13}
	}

	chain pre { # handle 1
		type filter hook prerouting priority -300; policy accept;
	}

	chain output { # handle 2
		type filter hook output priority -300; policy accept;
		ct timeout set "cttime" # handle 4
	}
}

Connection tracking real-time event log:

conntrack -E -p tcp

Output:

[NEW] tcp      6 200 ESTABLISHED src=172.16.18.125 dst=172.16.18.1 sport=22 dport=41360 [UNREPLIED] src=172.16.18.1 dst=172.16.18.125 sport=41360 dport=22

Deleting the ct timeout object:

Syntax:

nft delete ct timeout [<family>] <table> <obj_name>

Example:

nft delete ct timeout ip raw cttime

(The rule that references the object must be deleted first; while a rule still uses it, deleting the object fails with "Error: Device or resource busy", as expected.)
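The whole procedure above, as one added POSIX shell script (this is my example, not code from the gist or from the nftables project): it writes the table, both chains, the `ct timeout` object and the assigning rules as a single `nft -f` ruleset file, loads it atomically after a parse check, verifies from `conntrack -E -p tcp` lines that new TCP entries carry the configured timeout, and tears everything down in the order the kernel enforces (rules before object). Table, chain, object names and the timeout values repeat the gist; the function names (`build_ruleset`, `apply_ruleset`, `check_new_timeout`, `teardown`) and the sample event lines are this example's own. Because the object is only attached to connections the rule sees being created, the chains sit at raw priority -300, ahead of conntrack's own hook; entries that already exist keep their previous timeouts.

```shell
#!/bin/sh
# Added example, not part of the original gist or of nftables itself:
# the complete ct timeout procedure from this write-up as one script.
# Table "raw", object "cttime", the chains and the timeout values repeat
# the gist; the function names are this example's own.

# Emit the whole ruleset in `nft -f` syntax.  Inside a ruleset file no
# shell escaping of ';' is needed, unlike the one-line `nft add` form.
build_ruleset() {
	table="${1:-raw}"
	obj="${2:-cttime}"
	cat <<EOF
table ip ${table} {
	ct timeout ${obj} {
		protocol tcp;
		l3proto ip;
		policy = { established: 200, close_wait: 16, close: 13 };
	}

	chain pre {
		type filter hook prerouting priority -300; policy accept;
		ct timeout set "${obj}"
	}

	chain output {
		type filter hook output priority -300; policy accept;
		ct timeout set "${obj}"
	}
}
EOF
}

# Parse-check first (`nft -c` changes nothing), then load atomically.
# Needs root and a kernel built with CONFIG_NF_CONNTRACK_TIMEOUT.
apply_ruleset() {
	tmp=$(mktemp) || return 1
	build_ruleset "$@" > "$tmp"
	nft -c -f "$tmp" && nft -f "$tmp"
	rc=$?
	rm -f "$tmp"
	return "$rc"
}

# Verify from `conntrack -E -p tcp` output that new TCP entries got the
# configured timeout: field 4 of a [NEW] line is the remaining seconds.
# Exit status 0 only if at least one [NEW] tcp event was seen and all of
# them carry the expected value.
check_new_timeout() {
	awk -v want="$1" '
		$1 == "[NEW]" && $2 == "tcp" { total++; if ($4 == want) ok++ }
		END { exit (total > 0 && ok == total) ? 0 : 1 }'
}

# Constructed sample events; the first is the line shown in the gist.
SAMPLE_EVENTS='[NEW] tcp      6 200 ESTABLISHED src=172.16.18.125 dst=172.16.18.1 sport=22 dport=41360 [UNREPLIED] src=172.16.18.1 dst=172.16.18.125 sport=41360 dport=22
[NEW] tcp      6 200 ESTABLISHED src=172.16.18.125 dst=172.16.18.1 sport=22 dport=41361 [UNREPLIED] src=172.16.18.1 dst=172.16.18.125 sport=41361 dport=22'

# Tear down in the order the kernel requires: the rules referencing the
# object first (here by flushing both chains), only then the object.
# Deleting the object while a rule still uses it fails with
# "Device or resource busy".
teardown() {
	table="${1:-raw}"
	obj="${2:-cttime}"
	nft flush chain ip "$table" pre &&
	nft flush chain ip "$table" output &&
	nft delete ct timeout ip "$table" "$obj"
}

# Run without root this only prints the generated ruleset and checks the
# sample events.  As root, the live steps are:
#   apply_ruleset raw cttime && conntrack -E -p tcp
#   teardown raw cttime
build_ruleset
if printf '%s\n' "$SAMPLE_EVENTS" | check_new_timeout 200; then
	echo "sample events carry the configured 200s timeout"
fi
```

`nft -c -f` is the step worth keeping on a production host: it parses and validates the file without touching the kernel, so a typo in a state name or a missing `;` is caught before anything is replaced. `check_new_timeout` looks only at the timeout field of `[NEW]` events, because that is the moment the object takes effect; a later `[UPDATE]` event reflects whatever state the connection moved to next.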

I have also added the corresponding tests for nft and libnftnl library.

Kernel Patches for this project:

  1. netfilter: nft_ct: add ct timeout support

  2. netfilter: cttimeout: move ctnl_untimeout to nf_conntrack

  3. netfilter: cttimeout: Make NF_CT_NETLINK_TIMEOUT depend on NF_CONNTRACK_TIMEOUT

Libnftnl patches for this project:

  1. src: add ct timeout support

  2. examples: add nft-ct-timeout-{add,del,get}

  3. examples: Add test for assigning timeout objects via rule

Nftables patches for this project:

  1. src: add ct timeout support

  2. tests: py: add ct timeout tests

  3. tests: shell: add tests for ct timeout objects

This is the link to my kernel, libnftnl and nftables patches.
