helpers: implement explicit CT helper assignment support

Implement support for explicit per-zone conntrack helper assignment in
the raw table in order to compensate for the now disabled automatic
helper assignment in recent Linux kernels.

This commit adds, along with the required infrastructure, a new per-
zone uci option "helper" which can be used to tie one or more CT helpers
to a given zone.

For example the following configuration:

    config zone
      option name lan
      option network lan
      list helper ftp
      list helper sip

... will assign the FTP and SIP conntrack helpers as specified in
/usr/share/fw3/helpers.conf to traffic originating from the LAN zone.

Additionally, a new boolean option "auto_helper" has been defined for
both "config defaults" and "config zone" sections, with the former
option overruling the latter.

When the default true "option auto_helper" is set, all available helpers
are automatically attached to each non-masq zone (i.e. "lan" by default).

When one or more "list helper" options are specified, the zone has
masquerading enabled or "auto_helper" is set to false, then the automatic
helper attachment is disabled for the corresponding zone.

Furthermore, this commit introduces support for a new 'HELPER' target in
"config rule" sections, along with "option helper" to match helper traffic
and "option set_helper" to assign CT helpers to a stream.

Finally, "config redirect" sections support "option helper" too now,
which causes fw3 to emit helper setting rules for forwarded DNAT traffic.

When "option helper" is not defined for a redirect and when the global
option "auto_helper" is not disabled, fw3 will pick a suitable helper
based on the destination protocol and port and assign it to DNATed traffic.

Signed-off-by: Jo-Philipp Wich <[email protected]>

Author: jow-

CMakeLists.txt

@@ -26,7 +26,7 @@ ENDIF()
 FIND_PATH(uci_include_dir uci.h)
 INCLUDE_DIRECTORIES(${uci_include_dir})
 
-ADD_EXECUTABLE(firewall3 main.c options.c defaults.c zones.c forwards.c rules.c redirects.c snats.c utils.c ubus.c ipsets.c includes.c iptables.c)
+ADD_EXECUTABLE(firewall3 main.c options.c defaults.c zones.c forwards.c rules.c redirects.c snats.c utils.c ubus.c ipsets.c includes.c iptables.c helpers.c)
 TARGET_LINK_LIBRARIES(firewall3 uci ubox ubus xtables m dl ${iptc_libs} ${ext_libs})
 
 SET(CMAKE_INSTALL_PREFIX /usr)

defaults.c

@@ -54,6 +54,7 @@ const struct fw3_option fw3_flag_opts[] = {
 	FW3_OPT("accept_redirects",    bool,     defaults, accept_redirects),
 	FW3_OPT("accept_source_route", bool,     defaults, accept_source_route),
 
+	FW3_OPT("auto_helper",         bool,     defaults, auto_helper),
 	FW3_OPT("custom_chains",       bool,     defaults, custom_chains),
 	FW3_OPT("disable_ipv6",        bool,     defaults, disable_ipv6),
 
@@ -93,6 +94,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 	defs->tcp_syncookies       = true;
 	defs->tcp_window_scaling   = true;
 	defs->custom_chains        = true;
+	defs->auto_helper          = true;
 
 	uci_foreach_element(&p->sections, e)
 	{

helpers.c

@@ -0,0 +1,277 @@
+/*
+ * firewall3 - 3rd OpenWrt UCI firewall implementation
+ *
+ *   Copyright (C) 2018 Jo-Philipp Wich <[email protected]>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "helpers.h"
+
+
+const struct fw3_option fw3_cthelper_opts[] = {
+	FW3_OPT("enabled",     bool,     cthelper, enabled),
+	FW3_OPT("name",        string,   cthelper, name),
+	FW3_OPT("module",      string,   cthelper, module),
+	FW3_OPT("description", string,   cthelper, description),
+	FW3_OPT("family",      family,   cthelper, family),
+	FW3_OPT("proto",       protocol, cthelper, proto),
+	FW3_OPT("port",        port,     cthelper, port),
+
+	{ }
+};
+
+
+static bool
+test_module(struct fw3_cthelper *helper)
+{
+	struct stat s;
+	char path[sizeof("/sys/module/nf_conntrack_xxxxxxxxxxxxxxxx")];
+
+	snprintf(path, sizeof(path), "/sys/module/%s", helper->module);
+
+	if (stat(path, &s) || !S_ISDIR(s.st_mode))
+		return false;
+
+	return true;
+}
+
+static bool
+check_cthelper(struct fw3_state *state, struct fw3_cthelper *helper, struct uci_element *e)
+{
+	if (!helper->name || !*helper->name)
+	{
+		warn_section("helper", helper, e, "must have a name assigned");
+	}
+	else if (!helper->module || !*helper->module)
+	{
+		warn_section("helper", helper, e, "must have a module assigned");
+	}
+	else if (!helper->proto.protocol || helper->proto.any || helper->proto.invert)
+	{
+		warn_section("helper", helper, e, "must specify a protocol");
+	}
+	else if (helper->port.set && helper->port.invert)
+	{
+		warn_section("helper", helper, e, "must not specify negated ports");
+	}
+	else
+	{
+		return true;
+	}
+
+	return false;
+}
+
+static struct fw3_cthelper *
+fw3_alloc_cthelper(struct fw3_state *state)
+{
+	struct fw3_cthelper *helper;
+
+	helper = calloc(1, sizeof(*helper));
+	if (!helper)
+		return NULL;
+
+	helper->enabled = true;
+	helper->family  = FW3_FAMILY_ANY;
+
+	list_add_tail(&helper->list, &state->cthelpers);
+
+	return helper;
+}
+
+static void
+load_cthelpers(struct fw3_state *state, struct uci_package *p)
+{
+	struct fw3_cthelper *helper;
+	struct uci_section *s;
+	struct uci_element *e;
+
+	uci_foreach_element(&p->sections, e)
+	{
+		s = uci_to_section(e);
+
+		if (strcmp(s->type, "helper"))
+			continue;
+
+		helper = fw3_alloc_cthelper(state);
+
+		if (!helper)
+			continue;
+
+		if (!fw3_parse_options(helper, fw3_cthelper_opts, s))
+			warn_elem(e, "has invalid options");
+
+		if (!check_cthelper(state, helper, e))
+			fw3_free_cthelper(helper);
+	}
+}
+
+void
+fw3_load_cthelpers(struct fw3_state *state, struct uci_package *p)
+{
+	struct uci_package *hp = NULL;
+	FILE *fp;
+
+	INIT_LIST_HEAD(&state->cthelpers);
+
+	fp = fopen(FW3_HELPERCONF, "r");
+
+	if (fp) {
+		uci_import(state->uci, fp, "fw3_ct_helpers", &hp, true);
+		fclose(fp);
+
+		if (hp)
+			load_cthelpers(state, hp);
+	}
+
+	load_cthelpers(state, p);
+}
+
+struct fw3_cthelper *
+fw3_lookup_cthelper(struct fw3_state *state, const char *name)
+{
+	struct fw3_cthelper *h;
+
+	if (list_empty(&state->cthelpers))
+		return NULL;
+
+	list_for_each_entry(h, &state->cthelpers, list)
+	{
+		if (strcasecmp(h->name, name))
+			continue;
+
+		return h;
+	}
+
+	return NULL;
+}
+
+struct fw3_cthelper *
+fw3_lookup_cthelper_by_proto_port(struct fw3_state *state,
+                                  struct fw3_protocol *proto,
+                                  struct fw3_port *port)
+{
+	struct fw3_cthelper *h;
+
+	if (list_empty(&state->cthelpers))
+		return NULL;
+
+	if (!proto || !proto->protocol || proto->any || proto->invert)
+		return NULL;
+
+	if (port && port->invert)
+		return NULL;
+
+	list_for_each_entry(h, &state->cthelpers, list)
+	{
+		if (!h->enabled)
+			continue;
+
+		if (h->proto.protocol != proto->protocol)
+			continue;
+
+		if (h->port.set && (!port || !port->set))
+			continue;
+
+		if (!h->port.set && (!port || !port->set))
+			return h;
+
+		if (h->port.set && port && port->set &&
+		    h->port.port_min <= port->port_min &&
+		    h->port.port_max >= port->port_max)
+		    return h;
+	}
+
+	return NULL;
+}
+
+static void
+print_helper_rule(struct fw3_ipt_handle *handle, struct fw3_cthelper *helper,
+                  struct fw3_zone *zone)
+{
+	struct fw3_ipt_rule *r;
+
+	r = fw3_ipt_rule_create(handle, &helper->proto, NULL, NULL, NULL, NULL);
+
+	if (helper->description && *helper->description)
+		fw3_ipt_rule_comment(r, helper->description);
+	else
+		fw3_ipt_rule_comment(r, helper->name);
+
+	fw3_ipt_rule_sport_dport(r, NULL, &helper->port);
+	fw3_ipt_rule_target(r, "CT");
+	fw3_ipt_rule_addarg(r, false, "--helper", helper->name);
+	fw3_ipt_rule_replace(r, "zone_%s_helper", zone->name);
+}
+
+void
+fw3_print_cthelpers(struct fw3_ipt_handle *handle, struct fw3_state *state,
+                    struct fw3_zone *zone)
+{
+	struct fw3_cthelper *helper;
+	struct fw3_cthelpermatch *match;
+
+	if (handle->table != FW3_TABLE_RAW)
+		return;
+
+	if (!fw3_is_family(zone, handle->family))
+		return;
+
+	if (list_empty(&zone->cthelpers))
+	{
+		if (zone->masq || !zone->auto_helper)
+			return;
+
+		if (list_empty(&state->cthelpers))
+			return;
+
+		info("     - Using automatic conntrack helper attachment");
+
+		list_for_each_entry(helper, &state->cthelpers, list)
+		{
+			if (!helper || !helper->enabled)
+				continue;
+
+			if (!fw3_is_family(helper, handle->family))
+				continue;
+
+			if (!test_module(helper))
+				continue;
+
+			print_helper_rule(handle, helper, zone);
+		}
+	}
+	else
+	{
+		list_for_each_entry(match, &zone->cthelpers, list)
+		{
+			helper = match->ptr;
+
+			if (!helper || !helper->enabled)
+				continue;
+
+			if (!fw3_is_family(helper, handle->family))
+				continue;
+
+			if (!test_module(helper))
+			{
+				info("     ! Conntrack module '%s' for helper '%s' is not loaded",
+				     helper->module, helper->name);
+				continue;
+			}
+
+			print_helper_rule(handle, helper, zone);
+		}
+	}
+}

helpers.conf

@@ -0,0 +1,87 @@
+config helper
+	option name 'amanda'
+	option description 'Amanda backup and archiving proto'
+	option module 'nf_conntrack_amanda'
+	option family 'any'
+	option proto 'udp'
+	option port '10080'
+
+config helper
+	option name 'ftp'
+	option description 'FTP passive connection tracking'
+	option module 'nf_conntrack_ftp'
+	option family 'any'
+	option proto 'tcp'
+	option port '21'
+
+config helper
+	option name 'RAS'
+	option description 'RAS proto tracking'
+	option module 'nf_conntrack_h323'
+	option family 'any'
+	option proto 'udp'
+	option port '1719'
+
+config helper
+	option name 'Q.931'
+	option description 'Q.931 proto tracking'
+	option module 'nf_conntrack_h323'
+	option family 'any'
+	option proto 'tcp'
+	option port '1720'
+
+config helper
+	option name 'irc'
+	option description 'IRC DCC connection tracking'
+	option module 'nf_conntrack_irc'
+	option family 'ipv4'
+	option proto 'tcp'
+	option port '6667'
+
+config helper
+	option name 'netbios-ns'
+	option description 'NetBIOS name service broadcast tracking'
+	option module 'nf_conntrack_netbios_ns'
+	option family 'ipv4'
+	option proto 'udp'
+	option port '137'
+
+config helper
+	option name 'pptp'
+	option description 'PPTP VPN connection tracking'
+	option module 'nf_conntrack_pptp'
+	option family 'ipv4'
+	option proto 'tcp'
+	option port '1723'
+
+config helper
+	option name 'sane'
+	option description 'SANE scanner connection tracking'
+	option module 'nf_conntrack_sane'
+	option family 'any'
+	option proto 'tcp'
+	option port '6566'
+
+config helper
+	option name 'sip'
+	option description 'SIP VoIP connection tracking'
+	option module 'nf_conntrack_sip'
+	option family 'any'
+	option proto 'udp'
+	option port '5060'
+
+config helper
+	option name 'snmp'
+	option description 'SNMP monitoring connection tracking'
+	option module 'nf_conntrack_snmp'
+	option family 'ipv4'
+	option proto 'udp'
+	option port '161'
+
+config helper
+	option name 'tftp'
+	option description 'TFTP connection tracking'
+	option module 'nf_conntrack_tftp'
+	option family 'any'
+	option proto 'udp'
+	option port '69'