Expect conntrack-天翼云开发者社区

# cat expect_test.c

MODULE_DESCRIPTION("expect helper test");

struct test_proto {

int type;

int port;

union nf_inet_addr addr;

};

static int test_help(struct sk_buff *skb,

unsigned int protoff,

struct nf_conn *ct,

enum ip_conntrack_info ctinfo)

{

unsigned int dataoff, datalen;

const struct tcphdr *th;

struct tcphdr _tcph;

int ret;

char *dt_ptr;

struct nf_conntrack_expect *exp;

int dir = CTINFO2DIR(ctinfo);

struct test_proto prot = {0};

uint16_t port = ntohs((uint16_t)prot.port);

char test_buffer[512];

if (ctinfo != IP_CT_ESTABLISHED

&& ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {

return NF_ACCEPT;

}

th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);

dataoff = protoff + th->doff * 4;

datalen = skb->len - dataoff;

dt_ptr = skb_header_pointer(skb, dataoff, datalen, test_buffer);

//get proto header

memcpy(&prot, dt_ptr, sizeof(struct test_proto));

if (prot.type != 100) {

ret = NF_ACCEPT;

goto out;

}

exp = nf_ct_expect_alloc(ct);

port = ntohs((uint16_t)prot.port);

nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, AF_INET,

&ct->tuplehash[dir].tuple.src.u3, &prot.addr,

IPPROTO_TCP, NULL, &port);

if (nf_ct_expect_related(exp) != 0)

ret = NF_DROP;

else

ret = NF_ACCEPT;

out:

return ret;

}

static const struct nf_conntrack_expect_policy test_policy = {

.max_expected = 10,

.timeout = 50 * 60,

};

#define PORT 5000

static struct nf_conntrack_helper test = {

.name = "test",

.me = THIS_MODULE,

.tuple.src.l3num = AF_INET,

.tuple.src.u.tcp.port = cpu_to_be16(5000),

.tuple.dst.protonum = IPPROTO_TCP,

.help = test_help,

.expect_policy = &test_policy,

};

static void nf_conntrack_test_fini(void)

{

nf_conntrack_helper_unregister(&test);

}

static int __init nf_conntrack_test_init(void)

{

int ret = nf_conntrack_helper_register(&test);

return ret;

}

module_init(nf_conntrack_test_init);

module_exit(nf_conntrack_test_fini);

usage:

1. 本地防火墙只允许访问192.168.0.2:2152

iptables -A OUTPUT -m conntrack --ctstatus EXPECTED -j ACCEPT

iptables -A OUTPUT -d 192.168.0.2 -j ACCEPT

iptables -A OUTPUT -j DROP

iptables -t raw -A OUTPUT -d 192.168.0.2 -p tcp --dport 12345 -j CT --helper test

2. 本地connect 192.168.0.2:2152后发送定义test_proto协议

struct test_proto {

int type;

int port;

in_addr_t addr;

};

struct test_proto ap = {0};

ap.addr = inet_addr("192.168.0.3");

ap.type = 100;

ap.port = 2152;

len = sizeof(struct aa_proto);

sbuf = ≈

write(sock, (char *)sbuf, len);

3. 本地connect 192.168.0.3:2152成功, 第2步建立了一个expect conntrack,可以通过第1步的第一条firewall规则

# cat expect_test.c

MODULE_DESCRIPTION("expect helper test");

struct test_proto {

int type;

int port;

union nf_inet_addr addr;

};

static int test_help(struct sk_buff *skb,

unsigned int protoff,

struct nf_conn *ct,

enum ip_conntrack_info ctinfo)

{

unsigned int dataoff, datalen;

const struct tcphdr *th;

struct tcphdr _tcph;

int ret;

char *dt_ptr;

struct nf_conntrack_expect *exp;

int dir = CTINFO2DIR(ctinfo);

struct test_proto prot = {0};

uint16_t port = ntohs((uint16_t)prot.port);

char test_buffer[512];

if (ctinfo != IP_CT_ESTABLISHED

&& ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {

return NF_ACCEPT;

}

th = skb_header_pointer(skb, protoff, sizeof(_tcph), &_tcph);

dataoff = protoff + th->doff * 4;

datalen = skb->len - dataoff;

dt_ptr = skb_header_pointer(skb, dataoff, datalen, test_buffer);

//get proto header

memcpy(&prot, dt_ptr, sizeof(struct test_proto));

if (prot.type != 100) {

ret = NF_ACCEPT;

goto out;

}

exp = nf_ct_expect_alloc(ct);

port = ntohs((uint16_t)prot.port);

nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, AF_INET,

&ct->tuplehash[dir].tuple.src.u3, &prot.addr,

IPPROTO_TCP, NULL, &port);

if (nf_ct_expect_related(exp) != 0)

ret = NF_DROP;

else

ret = NF_ACCEPT;

out:

return ret;

}

static const struct nf_conntrack_expect_policy test_policy = {

.max_expected = 10,

.timeout = 50 * 60,

};

#define PORT 5000

static struct nf_conntrack_helper test = {

.name = "test",

.me = THIS_MODULE,

.tuple.src.l3num = AF_INET,

.tuple.src.u.tcp.port = cpu_to_be16(5000),

.tuple.dst.protonum = IPPROTO_TCP,

.help = test_help,

.expect_policy = &test_policy,

};

static void nf_conntrack_test_fini(void)

{

nf_conntrack_helper_unregister(&test);

}

static int __init nf_conntrack_test_init(void)

{

int ret = nf_conntrack_helper_register(&test);

return ret;

}

module_init(nf_conntrack_test_init);

module_exit(nf_conntrack_test_fini);

usage:

1. 本地防火墙只允许访问192.168.0.2:2152

iptables -A OUTPUT -m conntrack --ctstatus EXPECTED -j ACCEPT

iptables -A OUTPUT -d 192.168.0.2 -j ACCEPT

iptables -A OUTPUT -j DROP

iptables -t raw -A OUTPUT -d 192.168.0.2 -p tcp --dport 12345 -j CT --helper test

2. 本地connect 192.168.0.2:2152后发送定义test_proto协议

struct test_proto {

int type;

int port;

in_addr_t addr;

};

struct test_proto ap = {0};

ap.addr = inet_addr("192.168.0.3");

ap.type = 100;

ap.port = 2152;

len = sizeof(struct aa_proto);

sbuf = ≈

write(sock, (char *)sbuf, len);

3. 本地connect 192.168.0.3:2152成功, 第2步建立了一个expect conntrack,可以通过第1步的第一条firewall规则

应用商城

合作伙伴

开发者

支持与服务

了解天翼云

Expect conntrack

Expect conntrack

活动

应用商城

合作伙伴

开发者

支持与服务

了解天翼云

Expect conntrack

Expect conntrack