Date: Wed, 8 May 2013 04:03:28 +0200
From: Pablo Neira Ayuso
To: Jiri Slaby
Cc: jirislaby@gmail.com, linux-kernel@vger.kernel.org, Jiri Bohac, netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, "David S. Miller", Patrick McHardy
Subject: Re: [PATCH 05/15] connection tracking helper for SLP
Message-ID: <20130508020328.GA7747@localhost>
References: <1367936303-13386-1-git-send-email-jslaby@suse.cz> <1367936303-13386-5-git-send-email-jslaby@suse.cz>
In-Reply-To: <1367936303-13386-5-git-send-email-jslaby@suse.cz>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 07, 2013 at 04:18:13PM +0200, Jiri Slaby wrote:
> From: Jiri Bohac
>
> A simple connection tracking helper for SLP. Marks replies to a
> SLP broadcast query as ESTABLISHED to allow them to pass through the
> firewall.
>
> Signed-off-by: Jiri Bohac
> Signed-off-by: Jiri Slaby
> Cc: netfilter-devel@vger.kernel.org
> Cc: netfilter@vger.kernel.org
> Cc: coreteam@netfilter.org
> Cc: netdev@vger.kernel.org
> Cc: "David S. Miller"
> Cc: Patrick McHardy
> Cc: Pablo Neira Ayuso
> ---
>  net/netfilter/Kconfig            | 15 +++++
>  net/netfilter/Makefile           |  1 +
>  net/netfilter/nf_conntrack_slp.c | 131 +++++++++++++++++++++++++++++++++++++++
>  3 files changed, 147 insertions(+)
>  create mode 100644 net/netfilter/nf_conntrack_slp.c
>
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 56d22ca..ec61b30 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -320,6 +320,21 @@ config NF_CONNTRACK_TFTP
>
>  	  To compile it as a module, choose M here. If unsure, say N.
>
> +config NF_CONNTRACK_SLP
> +	tristate "SLP protocol support"
> +	depends on NF_CONNTRACK
> +	depends on NETFILTER_ADVANCED
> +	help
> +	  SLP queries are sometimes sent as broadcast messages from an
> +	  unprivileged port and responded to with unicast messages to the
> +	  same port. This make them hard to firewall properly because connection
> +	  tracking doesn't deal with broadcasts. This helper tracks locally
> +	  originating broadcast SLP queries and the corresponding
> +	  responses. It relies on correct IP address configuration, specifically
> +	  netmask and broadcast address.

We have the user-space helper infrastructure in the conntrack-tools, this helper has to go there.
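Review bot: the new NF_CONNTRACK_SLP entry in the Kconfig hunk lacks the closing module line that the neighbouring NF_CONNTRACK_TFTP entry ends with ("To compile it as a module, choose M here. If unsure, say N."), and the help text has a grammar slip: "This make them hard to firewall properly" should read "This makes them hard to firewall properly". Since the help text itself states that the helper "relies on correct IP address configuration, specifically netmask and broadcast address", it should also say what happens when that assumption does not hold (whether replies are simply not matched, or whether unrelated unicast traffic to the query's source port could be marked ESTABLISHED), so an administrator enabling the option understands the failure mode before opening the firewall to these replies.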