Hello, We are using netfilter to implement a firewall for a router, and we had the problem that the ftp data connections were not being logged. I did some investigating and found that it is conntrack, via the ftp helper module, that allows the secondary (data) connection. I created a patch to enable such logging for any conntrack helper. Is this a good change? Or did I miss something really obvious?
Regards, Thomas Winter example iptables rules: Chain FIREWALL_RULE_12 (1 references) target prot opt source destination LOG tcp -- anywhere anywhere multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctsta te NEW,RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT " CONNMARK tcp -- anywhere anywhere multiport sports 1024:65535 multiport dports ftp match-set private src,src match-set public dst,dst ctsta te NEW,RELATED,ESTABLISHED CONNMARK xset 0x1/0x7 LOG tcp -- anywhere anywhere multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctsta te RELATED,ESTABLISHED LOG level info prefix "Firewall rule 12: PERMIT " CONNMARK tcp -- anywhere anywhere multiport dports 1024:65535 multiport sports ftp match-set public src,src match-set private dst,dst ctsta te RELATED,ESTABLISHED CONNMARK xset 0x1/0x7 patch: [PATCH] ICSAFW-9: Added expected connection logging in netfilter For ICSA firewall requirements, FTP data connections must be able to be logged. Our iptables rules for FTP are not able to log the data connections because they only take effect on the control connection. The FTP conntrack helper module inspects FTP control packets and allows the data connections when it sees one about to start. Added a log function for conntrack to be called when allowing expected connections.
---
include/net/netfilter/nf_conntrack_expect.h | 5 +++++
net/netfilter/nf_conntrack_core.c | 4 ++++
net/netfilter/nf_conntrack_ftp.c | 21 +++++++++++++++++++++
3 files changed, 30 insertions(+)
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index dce56f0..c13a457 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -26,6 +26,11 @@ struct nf_conntrack_expect {
 void (*expectfn)(struct nf_conn *new, struct nf_conntrack_expect *this);
+#ifdef ATL_CHANGE
+ /* Logging function to call when seeing an expected connection */
+ void (*logfn)(const struct nf_conntrack_tuple *tuple);
+#endif
+
 /* Helper to assign to new connection */
 struct nf_conntrack_helper *helper;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 37d8c06..8f4e15c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -984,6 +984,10 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
 if (help) rcu_assign_pointer(help->helper, exp->helper);
 }
+#ifdef ATL_CHANGE
+ if (exp->logfn)
+ exp->logfn(tuple);
+#endif
 #ifdef CONFIG_NF_CONNTRACK_MARK
 ct->mark = exp->master->mark;
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index b666959..3dd1900 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -382,6 +382,23 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
 }
 }
+#ifdef ATL_CHANGE
+void log_ftp_data_connection(const struct nf_conntrack_tuple *tuple)
+{
+ if (tuple) {
+ if (tuple->src.l3num == PF_INET) {
+ pr_info("FTP data connection initiated by %pI4:%d to %pI4:%d\n",
+ &tuple->src.u3.ip, tuple->src.u.tcp.port,
+ &tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+ } else {
+ pr_info("FTP data connection initiated by %pI6:%d to %pI6:%d\n",
+ &tuple->src.u3.ip, tuple->src.u.tcp.port,
+ &tuple->dst.u3.ip, tuple->dst.u.tcp.port);
+ }
+ }
+}
+#endif
+
 static int help(struct sk_buff *skb, unsigned int protoff, struct nf_conn *ct,
@@ -529,6 +546,10 @@ skip_nl_seq:
 &ct->tuplehash[!dir].tuple.src.u3, daddr, IPPROTO_TCP, NULL, &cmd.u.tcp.port);
+#ifdef ATL_CHANGE
+ exp->logfn = log_ftp_data_connection;
+#endif
+
 /* Now, NAT might want to mangle the packet, and register the * (possibly changed) expectation itself. */
 nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
-- 2.9.3
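Review bot: The new `logfn` member of struct nf_conntrack_expect is only ever assigned by the ftp helper (the nf_conntrack_ftp.c hunk), yet the nf_conntrack_core.c hunk tests and calls it for every expectation that matches; unless nf_ct_expect_alloc()/nf_ct_expect_init() (outside this patch) zero the whole object, every other helper hands init_conntrack() an indeterminate pointer and `if (exp->logfn)` can call through garbage. Initialising the field where `expectfn` and `helper` are reset, `exp->logfn = NULL;` in nf_ct_expect_init(), closes that for all helpers at once. The `#ifdef ATL_CHANGE` guard also makes the struct layout depend on a vendor define, which is a style point to resolve before any wider submission.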
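Review bot: `exp->logfn(tuple)` in init_conntrack() runs on the packet path and, with the ftp helper, fires once per expectation the helper registers, so whatever the callback prints is produced at the rate the remote peer chooses; the ftp callback uses a plain pr_info(), so a busy or misbehaving FTP session can flood the console and syslog. Either rate-limit inside the callback or state in the `logfn` comment that implementations must. Separately, the event is already observable without a kernel change: the first packet of the expected data connection carries ctstate RELATED and is tagged with the ftp helper, so an iptables rule such as `-m conntrack --ctstate RELATED -m helper --helper ftp -j LOG` records it with the usual LOG prefix and level, which the port-21-based rules quoted in the mail cannot match. init_conntrack() starts and ends outside the hunk.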
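Review bot: `log_ftp_data_connection()` prints `tuple->src.u.tcp.port` and `tuple->dst.u.tcp.port` with `%d`, but the tuple stores ports as `__be16`, so on little-endian hardware the logged ports are byte-swapped (a constructed example: port 20 prints as 5120); each port needs `ntohs()`. The function has external linkage but no header declaration, so it should be `static`; the `else` branch treats every non-PF_INET family as IPv6 and passes `&u3.ip` (a `__be32`) to `%pI6`, which should be `%pI6c` on `&u3.ip6` under an explicit `PF_INET6` check; and pr_info() on a peer-driven path should be `pr_info_ratelimited()`. The rewrite below applies all of these.

```c
static void log_ftp_data_connection(const struct nf_conntrack_tuple *tuple)
{
	if (!tuple)
		return;

	/* Ports in the tuple are network byte order; convert before printing. */
	if (tuple->src.l3num == PF_INET)
		pr_info_ratelimited("FTP data connection initiated by %pI4:%u to %pI4:%u\n",
				    &tuple->src.u3.ip, ntohs(tuple->src.u.tcp.port),
				    &tuple->dst.u3.ip, ntohs(tuple->dst.u.tcp.port));
	else if (tuple->src.l3num == PF_INET6)
		pr_info_ratelimited("FTP data connection initiated by %pI6c:%u to %pI6c:%u\n",
				    &tuple->src.u3.ip6, ntohs(tuple->src.u.tcp.port),
				    &tuple->dst.u3.ip6, ntohs(tuple->dst.u.tcp.port));
}
```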