Hello all,

From my reading of the iptables manpage I have come across the "helper" match:

    helper
        This module matches packets related to a specific conntrack-helper.

        --helper string
            Matches packets related to the specified conntrack-helper.
            string can be "ftp" for packets related to a ftp-session on
            default port. For other ports append -portnr to the value,
            ie. "ftp-2121". Same rules apply for other conntrack-helpers.

This seems a very interesting match target. I wonder if all helpers can be used with this match (i.e. is it built into the conntrack framework enough that each conntrack module does not need to specifically add support for it). For example would:

    pkts bytes target  prot opt in  out  source     destination
       0     0 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    helper match "sip" MARK set 0x1

actually match SIP packets and set the specified (0x1) mark on it? I understand that RELATED packets inherit the mark too, so this should also result in the marking of the RTP streams brokered by the SIP packets, no?

It's getting late here to start playing with this option but I will give this a spin tomorrow.

Of course the relevance to Shorewall is going to be how to create arbitrary matches like this in Shorewall configuration files, specifically the tcrules file. :-)

Cheers,
b.

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Brian J. Murrell wrote:
> This seems a very interesting match target. I wonder if all helpers can
> be used with this match (i.e. is it built into the conntrack framework
> enough that each conntrack module does not need to specifically add
> support for it). For example would:
>
>     pkts bytes target  prot opt in  out  source     destination
>        0     0 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    helper match "sip" MARK set 0x1
>
> actually match SIP packets and set the specified (0x1) mark on it?

I don't know. I haven't played with it.

> I understand that RELATED packets inherit the mark too, so this should
> also result in the marking of the RTP streams brokered by the SIP
> packets, no?

RELATED connections inherit _connection_ marks, not _packet_ marks.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2008-06-05 at 07:36 -0700, Tom Eastep wrote:
>
> I don't know. I haven't played with it.

Yeah. I gave it a quick shot this morning. No joy yet.

> RELATED connections inherit _connection_ marks, not _packet_ marks.

Ahhhh. Right. I have still got to get this marking in connections and packets and saving and restoring them back and forth straight.

So, given the example

    pkts bytes target  prot opt in  out  source     destination
       0     0 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    helper match "sip" MARK set 0x1

and given that related *connections* "should" get the "0x1" connection mark, is there anything I have to do to get packets in that connection to get marked per the connection mark or does that just happen automagically?

b.
Brian J. Murrell wrote:
>
> So, given the example
>
>     pkts bytes target  prot opt in  out  source     destination
>        0     0 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    helper match "sip" MARK set 0x1
>
> and given that related *connections* "should" get the "0x1" connection
> mark, is there anything I have to do to get packets in that connection
> to get marked per the connection mark or does that just happen
> automagically?

Please see http://www.shorewall.net/PacketMarking.html.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell wrote:
> Of course the relevance to Shorewall is going to
> be how to create arbitrary matches like this in Shorewall configuration
> files, specifically the tcrules file. :-)

We can invent some new syntax or simply add another column. Not a big deal. But I personally will only add the feature to Shorewall-perl.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2008-06-05 at 11:49 -0400, Brian J. Murrell wrote:
> On Thu, 2008-06-05 at 07:36 -0700, Tom Eastep wrote:
> >
> > I don't know. I haven't played with it.
>
> Yeah. I gave it a quick shot this morning. No joy yet.

I seem to have proven this works! Here's my tcfor chain:

    Chain tcfor (1 references)
     pkts bytes target     prot opt in     out     source               destination
     4267  945K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
     3379  670K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff
        1   200 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           helper match "sip" MARK set 0x1
        1   200 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff CONNMARK save mask 0xff

This was newly loaded right before I placed a SIP call via my Asterisk PBX. That "1" packet in the helper match "sip" rule corresponds to the outgoing SIP packet to a SIP provider and the large count in the first two rules is the RTP stream. Here is the ip_conntrack entry for the RTP stream:

    # grep -e 11822 /proc/net/ip_conntrack
    udp      17 179 src=64.22.120.13 dst=67.193.220.102 sport=27904 dport=11822 packets=1255 bytes=251000 src=10.75.22.3 dst=64.22.120.13 sport=11822 dport=27904 packets=1246 bytes=249200 [ASSURED] mark=257 use=1

The "mark=257" is a result of the mark set above as well as the MultiISP routing mark. Sweet.

Is there a short-term hack I can use to insert a rule of the following form:

    # iptables -t mangle -I tcfor 3 -m helper --helper sip -j MARK --set-mark 0x1

Where "3" is the number of rules (or number of the last rule) in the tcfor chain?

I'm thinking of something in the "start" script, or even a compile-time script, but I don't know if I have knowledge of the number of rules in a given chain or not. I suppose I could just count them in the script, but that's a bit hacky. :-)

I'm using shorewall-perl 4.0.6 on the control station and shorewall-lite 4.0.5 on the router.

b.
Brian J. Murrell wrote:
> Is there a short-term hack I can use to insert a rule of the following
> form:
>
>     # iptables -t mangle -I tcfor 3 -m helper --helper sip -j MARK --set-mark 0x1
>
> Where "3" is the number of rules (or number of the last rule) in the
> tcfor chain?
>
> I'm thinking of something in the "start" script, or even a compile-time
> script, but I don't know if I have knowledge of the number of rules in a
> given chain or not.

A compile-time script won't work because this is the mangle table.

> I suppose I could just count them in the script,
> but that's a bit hacky. :-)

It's the best you can do until 4.2.0 Beta 2.

> I'm using shorewall-perl 4.0.6 on the control station and shorewall-lite
> 4.0.5 on the router.

Shorewall-perl 4.2.0 Beta2 has a HELPER column in tcrules.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2008-06-05 at 12:39 -0700, Tom Eastep wrote:
>
> It's the best you can do until 4.2.0 Beta 2.

Yeah. I figured as much and that's what I did. I've wondered a number of times if it would be useful to export a bunch of useful stuff like that into the environment of the extension scripts for these kinds of corner cases.

> Shorewall-perl 4.2.0 Beta2 has a HELPER column in tcrules.

Cool. Thanx!

b.
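The "count them in the script" workaround that the thread settles on, written out as an added example (this is not Shorewall's code and not what either poster ran). It parses the numbered listing from "iptables -t mangle -L tcfor -n --line-numbers", which older iptables releases already provide, and computes the position N for "iptables -I tcfor N" so that the helper rule lands just ahead of the chain's last rule, which in the tcfor chain posted above is the "CONNMARK save" rule. Everything else is an assumption for illustration: the chain name tcfor, the helper name sip, the mark 0x1, the requirement that the new rule precede the final rule, and the sample listing, which is constructed here to mirror the posted chain rather than captured from a live system.

```shell
#!/bin/sh
# Added example, not Shorewall code. Meant to be sourced from the
# /etc/shorewall/start extension script, which runs after the ruleset
# (including the mangle table) has been loaded, so the chain exists.
# Assumptions: chain "tcfor", helper "sip", mark 0x1, and that the rule
# we add must sit just before the chain's last rule (CONNMARK save).

# Count the numbered rule lines in "iptables -L <chain> -n --line-numbers"
# output read from stdin. Every rule line begins with its rule number;
# the "Chain ..." and "num  target ..." header lines do not.
count_rules() {
    grep -c '^[0-9][0-9]* ' || true
}

# Position to hand to "iptables -I <chain> N". Inserting at N puts the new
# rule in front of the current N-th rule, so N equal to the current rule
# count places it immediately before the last rule. An empty chain gets 1,
# which is the only position -I accepts there.
insert_position() {
    n=$(count_rules)
    if [ "$n" -lt 1 ]; then
        echo 1
    else
        echo "$n"
    fi
}

# Build (but do not run) the iptables command for the helper rule, so the
# script can be dry-run; pipe the output through sh to apply it.
helper_rule_cmd() {
    chain=$1
    pos=$2
    helper=$3
    mark=$4
    echo "iptables -t mangle -I $chain $pos -m helper --helper $helper -j MARK --set-mark $mark"
}

# Constructed sample listing (not captured from a router) mirroring the
# chain posted above, minus the helper rule that is about to be inserted.
SAMPLE_LISTING='Chain tcfor (1 references)
num  target     prot opt source               destination
1    CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff
3    CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff CONNMARK save mask 0xff'

# Live usage from /etc/shorewall/start would be:
#   pos=$(iptables -t mangle -L tcfor -n --line-numbers | insert_position)
#   $(helper_rule_cmd tcfor "$pos" sip 0x1)
# Dry run against the constructed listing: prints the -I tcfor 3 command.
pos=$(printf '%s\n' "$SAMPLE_LISTING" | insert_position)
helper_rule_cmd tcfor "$pos" sip 0x1
```

Because the start script is re-run on every "shorewall start" or "restart", the rule is re-derived from the freshly loaded chain each time rather than from a hard-coded position, so a change in the number of tcrules entries does not silently push the helper match after the CONNMARK save rule. The listing is taken without -v so that the byte and packet counters do not affect the parsing, and the script only computes the position: check the printed command before piping it into sh.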