RPC connection tracking

The RPC connection tracking modules are used to support RPC based services across an iptables based firewall.

The RPC framework is specified in RFC 1050 (RPC: Remote Procedure Call Protocol specification) and RFC 1014 (XDR: External Data Representation standard).

An RPC based service registers its TCP/UDP service port under an RPC program number with a portmapper running on the same machine. The standard portmapper runs on the well-known service port 111 (UDP and TCP).

The remote RPC client queries the portmapper for a certain RPC program number (along with procedure number and version) and the portmapper returns the previously registered service port to the client.

The job of the RPC connection tracking modules is the supervision of the traffic to and from the RPC portmapper(s). The service ports of the portmapper(s) are specified when loading the modules into the kernel.

Each time the portmapper sends the port of a requested service back to the client, the connection tracking modules can open the firewall for traffic from the client to the specified service port. By using the rpc match the firewall administrator is able to specify the RPC program numbers (and thus the service ports) that are allowed for communication.
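The portmapper exchange that the tracking modules watch, as an added example in Python that is not part of the original modules: it builds a constructed GETPORT call and reply (RFC 1050 message layout, AUTH_NULL credentials), parses the reply to recover the registered port, and only produces an "open this port" expectation when the requested program number is on the allowed list and the reply XID matches the call. The program number 100003 and port 2049 in the test are constructed sample values.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAP_GETPORT = 100000, 2, 3        # portmapper program, version 2, procedure GETPORT
MSG_CALL, MSG_REPLY, MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 1, 0, 0, 0

def build_getport_call(xid, prog, vers, proto):
    """Constructed client -> portmapper CALL asking for the port of (prog, vers, proto)."""
    hdr = struct.pack(">6I", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAP_GETPORT)
    auth = struct.pack(">4I", AUTH_NULL, 0, AUTH_NULL, 0)   # cred and verf, both empty
    args = struct.pack(">4I", prog, vers, proto, 0)          # mapping struct; port is ignored on GETPORT
    return hdr + auth + args

def build_getport_reply(xid, port):
    """Constructed portmapper -> client REPLY carrying the registered port."""
    return struct.pack(">7I", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS, port)

def parse_getport_call(data):
    """Return (xid, prog, vers, proto) if data is a GETPORT call to the portmapper, else None."""
    if len(data) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", data, 0)
    if (mtype, rpcvers, prog, vers, proc) != (MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAP_GETPORT):
        return None
    off = 24
    for _ in range(2):                                       # skip cred and verf (flavor, length, body)
        if len(data) < off + 8:
            return None
        _flavor, blen = struct.unpack_from(">II", data, off)
        off += 8 + ((blen + 3) & ~3)                         # XDR pads opaque bodies to 4 bytes
    if len(data) < off + 16:
        return None
    req_prog, req_vers, proto, _port = struct.unpack_from(">4I", data, off)
    return xid, req_prog, req_vers, proto

def parse_getport_reply(data):
    """Return (xid, port) from an accepted, successful GETPORT reply, else None."""
    if len(data) < 20:
        return None
    xid, mtype, rstat, _flavor, blen = struct.unpack_from(">5I", data, 0)
    if mtype != MSG_REPLY or rstat != MSG_ACCEPTED:
        return None
    off = 20 + ((blen + 3) & ~3)                             # step over the verifier body
    if len(data) < off + 8:
        return None
    astat, port = struct.unpack_from(">II", data, off)
    if astat != SUCCESS or not 0 < port < 65536:             # port 0 means "not registered"
        return None
    return xid, port

def expect_from_exchange(call, reply, allowed_progs):
    """Decision a tracking helper makes: (proto, port) to open, or None if the exchange is not permitted."""
    req, rep = parse_getport_call(call), parse_getport_reply(reply)
    if req is None or rep is None or req[0] != rep[0]:       # reply must answer this call (same XID)
        return None
    _xid, prog, _vers, proto = req
    return (proto, rep[1]) if prog in allowed_progs else None
```

Only the call/reply pair for an allowed program number yields an expectation; a reply with a foreign XID, a rejected call, or port 0 opens nothing.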

The RPC connection tracking modules were written, and subsequently extended, by the following people:

  • Marcelo Barbosa Lima
    • original rpc tracking modules
    • connection handling for kernel 2.3+ netfilter
  • Rusty Russell
    • upgraded conntrack modules to oldnat api - kernel 2.4.0+
  • Ian (Larry) Latter
    • upgraded conntrack modules to newnat api - kernel 2.4.20+
    • extended matching to support filtering on procedures
  • David Stes
    • nsrexec option for Legato NetWorker
  • Franz Regensburger (FABR)
    • rpc program 100000 (portmapper) procedure DUMP
    • proprietary RPC based negotiation of server ports for Clear Case (albd daemon)
    • adaptations for new APIs - kernel 2.6.18
    • web page at people.netfilter.org

Active development on RPC connection tracking stopped in May 2008. However, the web space at people.netfilter.org is still maintained by <Franz.Regensburger@odorf.de>.

Volunteers for further development, especially for the adaptation to newer kernel versions, are welcome.