
List:       ipfilter
Subject:    Re: RPC extension to IPfilter
From:       David Stes <stes () pandora ! be>
Date:       2008-01-12 10:00:09
Message-ID: 20080112110009.B182 () newt ! telenet ! be


The table is still hardcoded, so yes the argument is not yet used.

But this is the syntax that could be used, and that in fact is implemented
in ippool (not in ipf, but it was tested and implemented in ippool).

Currently the table of valid RPC numbers is hardcoded in the file ip_state.c,
and it is the specific table that I'm interested in: 100000 + nsr rpcs.

(so the table is portmapper + NetWorker RPCs like 390101 etc.)

Anyway, everything is still very much under development, I just needed a bit
of your feedback, so for example the fact that I have to take ipfilter 5.x as
base is good news, so that I at least know that, and that you are open to adding
RPC / XID matching in for example 5.x.

Instead of continuing to work on 4.1.27, I could hence take 5.x as base.
Makes sense since I noticed that there was already a 4.1.28.

Would you like me to port the changes, and provide you a patch to some 5.x
version?  (or maybe you can easily code yourself in a few hours what took
me 3 weeks or so, as I'm not much of an IPfilter wizard :-)).

The paper was just to explain the idea, and the test-implementation was about
seeing what would happen when I ran EMC NetWorker backups over the firewall.

That had encouraging results so far (for both UDP and, more importantly, TCP).

David.

On Sat, Jan 12, 2008 at 11:12:45AM +1100, Darren Reed wrote:
> David,
> 
> Are you sure the patch you uploaded was correct?
> 
> When I look at the parsing of ipf.conf, I see:
> +       | IPFY_RPC
> +               { DOALL(fr->fr_flags |= FR_RPC;) }
> +       | IPFY_RPC IPFY_IN YY_STR
> +               { DOALL(fr->fr_flags |= FR_RPC;) }
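Review bot: the `IPFY_RPC IPFY_IN YY_STR` alternative discards the YY_STR token, so `rpc in tcppool` parses to exactly the same rule as a bare `rpc`: only FR_RPC is set and the pool name is neither stored in the rule nor resolved, which also means a misspelled or nonexistent pool name is accepted silently instead of being rejected when the rules are loaded. Save the string into the rule (or look the pool up in this action) and fail the parse when the name does not resolve, so that the two alternatives actually differ in what they produce.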
> 
> 
> So rules that have this:
> pass in quick proto tcp from any to any keep state (rpc in tcppool)
> 
> Are not going to do anything special because the name "tcppool" is
> not being saved anywhere or looked up.
> 
> Darren
> 
> 
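As an added illustration of the RPC program-number and XID matching discussed in this thread (my own constructed example, not code from David's patch or from IPFilter), the check below parses an ONC RPC call header, admits only calls to a small allowed-program table, and admits a reply only when its XID matches a call that was let through; the table holds just the two program numbers quoted in the thread, and the sample messages are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* ONC RPC message types and version (RFC 5531). */
#define RPC_CALL  0
#define RPC_REPLY 1
#define RPC_VERS  2

/* Allowed program numbers: portmapper (100000) and the NetWorker number
 * quoted in the thread (390101). Constructed subset, not the real table. */
static const uint32_t allowed_progs[] = { 100000, 390101 };

/* XIDs of calls that were let through; a reply must match one of them. */
#define MAX_XIDS 16
static uint32_t seen_xids[MAX_XIDS];
static unsigned n_xids;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 1 for a CALL to an allowed program (its XID is recorded) or a REPLY
 * whose XID matches an earlier call (the XID is then consumed); 0 otherwise.
 * tcp != 0 means a 4-byte record mark precedes the RPC message. */
int rpc_state_check(const uint8_t *p, size_t len, int tcp) {
    if (tcp) { if (len < 4) return 0; p += 4; len -= 4; }
    if (len < 8) return 0;
    uint32_t xid = be32(p), mtype = be32(p + 4);
    if (mtype == RPC_REPLY) {
        for (unsigned i = 0; i < n_xids; i++)
            if (seen_xids[i] == xid) { seen_xids[i] = seen_xids[--n_xids]; return 1; }
        return 0;
    }
    if (mtype != RPC_CALL || len < 24 || be32(p + 8) != RPC_VERS) return 0;
    uint32_t prog = be32(p + 12);
    for (size_t i = 0; i < sizeof allowed_progs / sizeof allowed_progs[0]; i++)
        if (allowed_progs[i] == prog) {
            if (n_xids < MAX_XIDS) seen_xids[n_xids++] = xid;
            return 1;
        }
    return 0;
}

/* Constructed sample messages, network byte order: xid, type, rpcvers, prog, vers, proc. */
static const uint8_t call_portmap[] = { 0,0,0,1, 0,0,0,0, 0,0,0,2, 0,1,0x86,0xa0, 0,0,0,2, 0,0,0,3 };
static const uint8_t call_nfs[]     = { 0,0,0,2, 0,0,0,0, 0,0,0,2, 0,1,0x86,0xa3, 0,0,0,3, 0,0,0,0 };
static const uint8_t reply_xid1[]   = { 0,0,0,1, 0,0,0,1, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
static const uint8_t call_nsr_tcp[] = { 0x80,0,0,0x18, 0,0,0,7, 0,0,0,0, 0,0,0,2, 0,5,0xf3,0xd5, 0,0,0,1, 0,0,0,0 };
```

A reply arriving before any matching call, a call to a program outside the table (100003 in the sample), and a TCP stream inspected without accounting for the record mark are all rejected.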