
Conntrack + NAT Helpers, by Jimit Mahadevia and Nishit Shah. This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.


1 Conntrack + NAT Helpers. Jimit Mahadevia (jimit@elitecore.com), Nishit Shah (nishit@elitecore.com). This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.

2 Cyberoam - Unified Threat Management. Introduction. The objective of this presentation is to give a brief idea of how to write conntrack and NAT helpers for complex protocols.

3 Topics covered: description; position in the Netfilter framework; the conntrack/NAT API to register and unregister helper modules; introduction of the fields involved in registration; skeleton of a conntrack helper module.

4 Description. The objective of writing a helper is to track a specific connection, to register expected connections based on the data of the original connection, and to change that data if required. The module has the following means to do that:
– Tell Netfilter which packets our module is interested in.
– Register a conntrack function with Netfilter. This function is called for every "interesting" packet (the packets selected in the first step).
– Call ip_conntrack_expect_related to tell Netfilter that a new connection is expected.

5 Description. In Linux kernel 2.4.x there are separate conntrack and NAT helpers, whereas in Linux kernel 2.6.x the NAT helpers are simply merged into the conntrack helpers: the NAT helper functions are called directly from the conntrack helpers.

6 Position in the Netfilter framework. What we are registering is a conntrack helper. Conntrack helpers are registered with the conntrack system, not with Netfilter. Conntrack has registered a hook function for helpers at the POST_ROUTING and LOCAL_IN hooks.

7 Position in the Netfilter framework. Thus the flow is:
– The core network code calls the Netfilter hooks.
– Netfilter calls the hooking functions registered at those hooks.
– One of the hooking functions is the conntrack helper hook (ip_conntrack_help() from net/ipv4/netfilter/ip_conntrack_standalone.c), which is called by Netfilter.

8 Position in the Netfilter framework. The flow continues:
– We register our helper with the conntrack helper hooking function.
– The conntrack helper maintains a queue of the helper modules registered with it and calls them one by one.
– So when Netfilter calls the conntrack helper according to its priority, the conntrack helper eventually calls our helper, but only for the packets we are interested in.

9 Position in the Netfilter framework: example diagram. Networking code -> Netfilter POST_ROUTING hook -> hooking functions -> conntrack helpers (ip_conntrack_help()) -> Helper 1, Our Helper, ..., Helper N.

10 Fields involved. The basic structure involved is ip_conntrack_helper. This structure has the following fields: tuple (struct ip_conntrack_tuple), mask (struct ip_conntrack_tuple), max_expected, timeout, help.

11 Fields involved. tuple (struct ip_conntrack_tuple) specifies the packets our conntrack helper module is interested in. mask (struct ip_conntrack_tuple) specifies which bits of tuple are valid.

12 Fields involved. Fields of ip_conntrack_tuple (the following are TCP only): src.ip, the source IP address; src.u.tcp.port, the TCP source port; dst.ip, the destination IP address; dst.protonum, the protocol (IPPROTO_TCP, ...); dst.u.tcp.port, the TCP destination port.

13 Fields involved. max_expected: the maximum number of expected connections this helper can register. timeout: the timeout of an expected connection entry; if the expected connection has not arrived within the timeout, the entry is deleted. help: a pointer to our helper's callback function.

14 Skeleton. Let's say you want to write a helper for a connection tuple as follows:
    Source IP:        any
    Source Port:      any
    Destination IP:   any
    Destination Port: 110
    Max Expected:     1
    Timeout:          5 minutes

15 Skeleton.

    #define MY_PORT 110

    static int my_help(struct sk_buff **pskb,
                       struct ip_conntrack *ct,
                       enum ip_conntrack_info ctinfo)
    {
        struct ip_conntrack_expect *exp;

        /* analyze the data passed on this connection and decide
         * what the related packets will look like (pseudocode) */
        if (there_will_be_new_packets_related_to_this_connection) {
            exp = ip_conntrack_expect_alloc(ct);
            if (exp == NULL)
                return NF_DROP;
            /* fill exp->tuple and exp->mask with the related tuple */
            fill_tuple_specifying_related_packets(exp);
            ip_conntrack_expect_related(exp);
            ip_conntrack_expect_put(exp);   /* drop our reference */
        }
        return NF_ACCEPT;
    }

16 Skeleton: module_init and module_exit macros.

    static struct ip_conntrack_helper my_helper;

    static int __init init(void)
    {
        memset(&my_helper, 0, sizeof(struct ip_conntrack_helper));
        my_helper.name = "my_helper";
        my_helper.me = THIS_MODULE;
        /* we are interested in all TCP packets with dport 110 */
        my_helper.tuple.dst.protonum = IPPROTO_TCP;
        my_helper.tuple.dst.u.tcp.port = htons(MY_PORT);
        my_helper.mask.dst.protonum = 0xFFFF;
        my_helper.mask.dst.u.tcp.port = 0xFFFF;
        my_helper.help = my_help;
        my_helper.timeout = 300;    /* 5 minutes */
        my_helper.max_expected = 1;
        return ip_conntrack_helper_register(&my_helper);
    }

17 Skeleton: module_init and module_exit macros.

    static void __exit fini(void)
    {
        ip_conntrack_helper_unregister(&my_helper);
    }

    module_init(init);
    module_exit(fini);

18 Notes. Here we are done with registering the helper. The major thing involved in a helper is registering an expected connection. The structure used for it is ip_conntrack_expect. One can add an expectation using the following steps. Step 1: struct ip_conntrack_expect *exp;

19 Notes. Step 2: /* Allocate expectation which will be inserted */ exp = ip_conntrack_expect_alloc(ct); Step 3: fill exp with the expected tuple in the exp->tuple and exp->mask fields (here tuple and mask are ip_conntrack_tuple).

20 Notes. Step 4: fill some other useful fields of exp. exp->flags = 0; you can use these flags later when you have the expected connection. exp->expectfn = NULL; or, having implemented static void expect_fn(struct ip_conntrack *ct, struct ip_conntrack_expect *exp) in your module, set exp->expectfn = expect_fn; expectfn is a pointer to a callback function that you register by implementing it in your module. It is called for the first packet of the expected connection. expectfn can be used for various purposes, such as:
-> Copying some information from the original to the expected connection.
-> Applying the same NAT as the original connection to the expected connection.

21 Notes. Last step: /* Actually add expectation */ ip_conntrack_expect_related(exp);
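As an added example (not from the slides and not kernel code), a user-space C model of the tuple/mask rule that conntrack applies both when selecting a helper for a flow (slides 11-16) and when matching a registered expectation against a new connection (slides 18-21); the struct and function names are assumptions, and the flows are constructed sample values.

```c
/* Assumed user-space model of conntrack's tuple/mask matching; not kernel code. */
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
struct tuple {                  /* the TCP fields listed on slide 12 */
    struct { uint32_t ip; uint16_t port; } src;
    struct { uint32_t ip; uint16_t port; uint16_t protonum; } dst;
};
struct helper { struct tuple tuple, mask; unsigned max_expected, timeout; };
struct expect { struct tuple tuple, mask; };
/* Flow tuple from constructed sample values, stored in network byte order. */
static struct tuple mk(const char *sip, int sport, const char *dip, int dport, int proto)
{
    struct tuple t = { { inet_addr(sip), htons(sport) },
                       { inet_addr(dip), htons(dport), (uint16_t)proto } };
    return t;
}

/* Every mask bit that is set must agree between flow f and wanted tuple w:
 * a zero mask field means "any", an all-ones mask field means "must be equal". */
#define FIELD_OK(f, w, m, x) (!(((f)->x ^ (w)->x) & (m)->x))
static int masked_equal(const struct tuple *f, const struct tuple *w, const struct tuple *m)
{
    return FIELD_OK(f, w, m, src.ip) && FIELD_OK(f, w, m, src.port) &&
           FIELD_OK(f, w, m, dst.ip) && FIELD_OK(f, w, m, dst.port) &&
           FIELD_OK(f, w, m, dst.protonum);
}

/* Slide 14's table: any source, any destination IP, TCP destination port 110. */
static struct helper pop3_helper(void)
{
    struct helper h;
    memset(&h, 0, sizeof h);    /* zero mask: every field not set below is "any" */
    h.tuple.dst.protonum = IPPROTO_TCP;  h.mask.dst.protonum = 0xFFFF;
    h.tuple.dst.port = htons(110);       h.mask.dst.port = 0xFFFF;
    h.max_expected = 1;  h.timeout = 300;   /* 5 minutes */
    return h;
}
static int helper_wants(const struct helper *h, const struct tuple *flow) { return masked_equal(flow, &h->tuple, &h->mask); }

/* Expectation derived from the original connection (steps 2-3 above): same
 * endpoints and protocol, new destination port, source port wildcarded. */
static struct expect expect_from(const struct tuple *orig, int dport)
{
    struct expect e = { *orig, *orig }; e.tuple.dst.port = htons(dport);
    memset(&e.mask, 0xFF, sizeof e.mask);
    e.mask.src.port = 0;        /* the related connection may come from any port */
    return e;
}
static int expect_matches(const struct expect *e, const struct tuple *flow) { return masked_equal(flow, &e->tuple, &e->mask); }
```

A real helper would fill exp->tuple and exp->mask exactly this way from the data it parsed on the original connection; the wildcarded fields are what lets the related connection through before its source port is known.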

22 Questions?

23 Thank You

