On Tue, May 07, 2013 at 04:18:13PM +0200, Jiri Slaby wrote:
> From: Jiri Bohac <jbo...@suse.cz>
>
> A simple connection tracking helper for SLP. Marks replies to a
> SLP broadcast query as ESTABLISHED to allow them to pass through the
> firewall.
>
> Signed-off-by: Jiri Bohac <jbo...@suse.cz>
> Signed-off-by: Jiri Slaby <jsl...@suse.cz>
> Cc: netfilter-de...@vger.kernel.org
> Cc: netfil...@vger.kernel.org
> Cc: coret...@netfilter.org
> Cc: net...@vger.kernel.org
> Cc: "David S. Miller" <da...@davemloft.net>
> Cc: Patrick McHardy <ka...@trash.net>
> Cc: Pablo Neira Ayuso <pa...@netfilter.org>
> ---
> net/netfilter/Kconfig | 15 +++++
> net/netfilter/Makefile | 1 +
> net/netfilter/nf_conntrack_slp.c | 131
> +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 147 insertions(+)
> create mode 100644 net/netfilter/nf_conntrack_slp.c
>
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 56d22ca..ec61b30 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -320,6 +320,21 @@ config NF_CONNTRACK_TFTP
>
> To compile it as a module, choose M here. If unsure, say N.
>
> +config NF_CONNTRACK_SLP
> + tristate "SLP protocol support"
> + depends on NF_CONNTRACK
> + depends on NETFILTER_ADVANCED
> + help
> + SLP queries are sometimes sent as broadcast messages from an
> + unprivileged port and responded to with unicast messages to the
> + same port. This make them hard to firewall properly because connection
> + tracking doesn't deal with broadcasts. This helper tracks locally
> + originating broadcast SLP queries and the corresponding
> + responses. It relies on correct IP address configuration, specifically
> + netmask and broadcast address.
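Review bot: the Kconfig help text has a grammar slip in "+ same port. This make them hard to firewall properly because connection", which should read "This makes them hard to firewall properly"; the new entry also ends after "+ netmask and broadcast address." without the closing "To compile it as a module, choose M here. If unsure, say N." line that the neighbouring NF_CONNTRACK_TFTP entry carries (visible in the hunk's leading context), so add it for consistency with the other conntrack helpers. Since the help text states that the helper relies on correct netmask and broadcast configuration to decide which replies are marked ESTABLISHED, it would also help users to say there what happens when that configuration is wrong, namely that the helper will not match the queries and the responses stay blocked, rather than leaving the failure mode implicit.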
We have the user-space helper infrastructure in the conntrack-tools; this helper has to go there.