pptp-conntrack-nat

pptp-conntrack-nat

[Mike Machado]

I used CVS/POM and patched my vanilla 2.4.20 kernel to include support
for ip_conntrack_pptp and ip_nat_pptp, but after I do this, the
MASQUERADE target no longer works. lsmod shows both modules load
successfully as well as the ipt_MASQUERADE, but when I run my nat rule:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

it just says Invalid Argument. I have two identical kernels, one with
the pptp patch applied, one without, and the one without allows the
MASQUERADE target just fine. Is there a known bug with the latest CVS
pptp-conntrack-nat patch interfearing with masquerading? Thanks.

-- 
Mike Machado
mike@innercite.com
InnerCite Inc.
Engineering Director / CTO

Re: pptp-conntrack-nat

[Mike Machado]

There appears to be something that affects more than just the MASQUERADE
target. For shitz and gigglez I tried changing the rule to

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j REJECT

and got the same Invalid Argument. I then tried -j DROP and that worked.
ipt_REJECT is also loaded, so is it possible that the pptp-conntrack-nat
patches changes some internal nat structures or code that is not
allowing the other ipt_ modules to function?

Just to be thorough, did a fresh cvs update I applied all the pending
patches, and got the same thing. 

On Wed, 2003-06-11 at 17:04, Mike Machado wrote:
> I used CVS/POM and patched my vanilla 2.4.20 kernel to include support
> for ip_conntrack_pptp and ip_nat_pptp, but after I do this, the
> MASQUERADE target no longer works. lsmod shows both modules load
> successfully as well as the ipt_MASQUERADE, but when I run my nat rule:
> 
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
> 
> it just says Invalid Argument. I have two identical kernels, one with
> the pptp patch applied, one without, and the one without allows the
> MASQUERADE target just fine. Is there a known bug with the latest CVS
> pptp-conntrack-nat patch interfearing with masquerading? Thanks.
-- 
Mike Machado
mike@innercite.com
InnerCite Inc.
Engineering Director / CTO

Re: pptp-conntrack-nat

[Philip Craig]

Mike Machado wrote:
> I used CVS/POM and patched my vanilla 2.4.20 kernel to include support
> for ip_conntrack_pptp and ip_nat_pptp, but after I do this, the
> MASQUERADE target no longer works. lsmod shows both modules load
> successfully as well as the ipt_MASQUERADE, but when I run my nat rule:
> 
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
> 
> it just says Invalid Argument. I have two identical kernels, one with
> the pptp patch applied, one without, and the one without allows the
> MASQUERADE target just fine. Is there a known bug with the latest CVS
> pptp-conntrack-nat patch interfearing with masquerading? Thanks.

The pptp patch changes the size of the kernel structures.
You need to recompile the userspace iptables.

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances

pptp-conntrack-nat

[Oleg Savostyanov]

I tryed to install extra package - pptp-conntrack-nat
but failed to do this.

The script tells me "Could not find place to slot in
ip_conntrack.h line", while testing and if I force it to install,
it installs.
And after that I do not see additional configure options while
configuring my kernel.
Do you have any ideas what to do?


Welcome to Rusty's Patch-o-matic!
Kernel:    /usr/src/kernel-source-2.4.18
Userspace: /usr/src
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------
Testing... pptp-conntrack-nat.patch NOT APPLIED (8 missing files)
The extra/pptp-conntrack-nat patch:
   Author: Harald Welte <laforge@gnumonks.org>
   Status: Beta
   This adds CONFIG_IP_NF_PPTP:
   Connection tracking and NAT support for PPTP.
   Note that this code currently has limitations
   - can only NAT connections from PNS to PAC
   - doesnt' support multiple calls within one session
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
Testing patch extra/pptp-conntrack-nat.patch...
   Placed new Config.in line
   Placed new Configure.help entry
   Placed new Makefile line
   Placed new Makefile line
   Placed new ip_conntrack.h line
   Placed new ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
TEST FAILED: patch NOT applied.
[Press enter to continue]
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] f
Applying patch extra/pptp-conntrack-nat.patch...
Failed to patch copy of /usr/src/kernel-source-2.4.18

  

-- 
working tel.+7-095-933-2033
mob. tel.+7-095-790-5354
Regards Oleg
Oleg                          mailto:savostyanov@internetplustravel.ru

Re: pptp-conntrack-nat

[Oleg Savostyanov]

I didn't receive any answer to my question
Is there any other group - may be which deal with extention
developing to IP Tables?
I even tryed to direct my question to developer of that
package Harald Welte, but didn't got any answer.



Thursday, November 27, 2003, 6:34:15 PM, you wrote:

OS> I tryed to install extra package - pptp-conntrack-nat
OS> but failed to do this.

OS> The script tells me "Could not find place to slot in
OS> ip_conntrack.h line", while testing and if I force it to install,
OS> it installs.
OS> And after that I do not see additional configure options while
OS> configuring my kernel.
OS> Do you have any ideas what to do?


OS> Welcome to Rusty's Patch-o-matic!
OS> Kernel:    /usr/src/kernel-source-2.4.18
OS> Userspace: /usr/src
OS> Each patch is a new feature: many have minimal impact, some do not.
OS> Almost every one has bugs, so I don't recommend applying them all!
OS> -------------------------------------------------------
OS> Testing... pptp-conntrack-nat.patch NOT APPLIED (8 missing files)
OS> The extra/pptp-conntrack-nat patch:
OS>    Author: Harald Welte <laforge@gnumonks.org>
OS>    Status: Beta
OS>    This adds CONFIG_IP_NF_PPTP:
OS>    Connection tracking and NAT support for PPTP.
OS>    Note that this code currently has limitations
OS>    - can only NAT connections from PNS to PAC
OS>    - doesnt' support multiple calls within one session
OS> -----------------------------------------------------------------
OS> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
OS> Testing patch extra/pptp-conntrack-nat.patch...
OS>    Placed new Config.in line
OS>    Placed new Configure.help entry
OS>    Placed new Makefile line
OS>    Placed new Makefile line
OS>    Placed new ip_conntrack.h line
OS>    Placed new ip_conntrack.h line
OS> Could not find place to slot in ip_conntrack.h line
OS> Could not find place to slot in ip_conntrack.h line
OS> Could not find place to slot in ip_conntrack.h line
OS> Could not find place to slot in ip_conntrack.h line
OS> Could not find place to slot in ip_conntrack.h line
OS> Could not find place to slot in ip_conntrack.h line
OS> TEST FAILED: patch NOT applied.
OS> [Press enter to continue]
OS> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] f
OS> Applying patch extra/pptp-conntrack-nat.patch...
OS> Failed to patch copy of /usr/src/kernel-source-2.4.18

  



-- 
Best regards,
 Oleg                            mailto:savostyanov@internetplustravel.ru

Re: pptp-conntrack-nat

[Goetz Bock]

On Mon, Dec 01 '03 at 14:43, Oleg Savostyanov wrote:
> OS> I tryed to install extra package - pptp-conntrack-nat
> OS> but failed to do this.
> ...
> OS> Could not find place to slot in ip_conntrack.h line
> OS> TEST FAILED: patch NOT applied.
> OS> [Press enter to continue]
> OS> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] f
> OS> Applying patch extra/pptp-conntrack-nat.patch...
> OS> Failed to patch copy of /usr/src/kernel-source-2.4.18
patch-o-matic works fine for me when i ask it to insert
pptp-conntrack-net. But I'm using 2.4.22 and 2.4.23. Maybe you should
try a more recent kernel :-)
-- 
/"\ Goetz Bock at blacknet dot de  --  secure mobile Linux everNETting
\ /                     (c) 2003 as GNU FDL 1.1
 X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity -  ]
/ \  [ 3. Reply to the list - 4. Read the archive *before* you post ]

RE: pptp-conntrack-nat

[Rob Sterenborg]

> I didn't receive any answer to my question Is there any other 
> group - may be which deal with extention developing to IP Tables?

http://www.netfilter.org/contact.html#devlist ?


Gr,
Rob

pptp-conntrack-nat.

[Ampugnani, Fernando]

Hi all,
	I tried apply the patch pptp conntrack on 3 different kernel
versions. None of them worked for me. I tried on 2.4.14, 2.4.21 and 2.4.26.
The patch is not getting applied cleanly on any of these.Could anyone please
tell me with which kernel version this patch works?
This is the output that I can see:
Welcome to Patch-o-matic (1.14)!
Kernel:         /usr/src/linux
Iptables:       /usr/src/iptables
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-----------------------------------------------------
Already applied:
Not all requirements fulfilled for pptp-conntrack-nat, skipping:
 This patch is missing Config.in for 2.4.x
Excellent! Source trees are ready for compilation.
Thanks in advance.

Fernando Ampugnani
EDS Argentina - Software, Storage & Network
Information Technology Outsourcing
Tel: 5411 4704 3428
Mail: fernando.ampugnani@eds.com

Re: pptp-conntrack-nat.

[Philip Craig]

Ampugnani, Fernando wrote:
> Hi all,
> 	I tried apply the patch pptp conntrack on 3 different kernel
> versions. None of them worked for me. I tried on 2.4.14, 2.4.21 and 2.4.26.
> The patch is not getting applied cleanly on any of these.Could anyone please
> tell me with which kernel version this patch works?

It will work with any recent 2.4 kernel.  So definitely 2.4.26,
probably 2.4.21, and definitely not 2.4.14.

> This is the output that I can see:
> Welcome to Patch-o-matic (1.14)!
> Kernel:         /usr/src/linux
> Iptables:       /usr/src/iptables
> Each patch is a new feature: many have minimal impact, some do not.
> Almost every one has bugs, so don't apply what you don't need!
> -----------------------------------------------------
> Already applied:
> Not all requirements fulfilled for pptp-conntrack-nat, skipping:
>  This patch is missing Config.in for 2.4.x
> Excellent! Source trees are ready for compilation.
> Thanks in advance.

This is a known problem with the 20040302 pom-ng, and has been
fixed in CVS.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com

Re: pptp-conntrack-nat.

[Andrew E. Mileski]

Ampugnani, Fernando wrote:
> Hi all,
> 	I tried apply the patch pptp conntrack on 3 different kernel
> versions. None of them worked for me. I tried on 2.4.14, 2.4.21 and 2.4.26.
> The patch is not getting applied cleanly on any of these.Could anyone please
> tell me with which kernel version this patch works?

[This might be a dupe, as my addressbook had the wrong address]

I'm using 2.4.22-1.nptl from Fedora.  I'd use newer, but this
is what my company's products are currently using.

If it will help, I can make the kernels available.  I've compiled
for all x86 arch's, and have a modified iptables (required) as
well.  Or you can use my SRPM and compile your own.

-- 
Andrew E. Mileski

RE: pptp-conntrack-nat.

[Ampugnani, Fernando]

Many thanks!!
That's compile properly.

Regards,
Fernando.

-----Original Message-----
From: Philip Craig [mailto:philipc@snapgear.com] 
Sent: Wednesday, May 05, 2004 12:24 AM
To: Ampugnani, Fernando
Cc: netfilter@lists.netfilter.org
Subject: Re: pptp-conntrack-nat.


Ampugnani, Fernando wrote:
> Hi all,
> 	I tried apply the patch pptp conntrack on 3 different kernel 
> versions. None of them worked for me. I tried on 2.4.14, 2.4.21 and 
> 2.4.26. The patch is not getting applied cleanly on any of these.Could 
> anyone please tell me with which kernel version this patch works?

It will work with any recent 2.4 kernel.  So definitely 2.4.26, probably
2.4.21, and definitely not 2.4.14.

> This is the output that I can see:
> Welcome to Patch-o-matic (1.14)!
> Kernel:         /usr/src/linux
> Iptables:       /usr/src/iptables
> Each patch is a new feature: many have minimal impact, some do not. 
> Almost every one has bugs, so don't apply what you don't need!
> -----------------------------------------------------
> Already applied:
> Not all requirements fulfilled for pptp-conntrack-nat, skipping:  This 
> patch is missing Config.in for 2.4.x Excellent! Source trees are ready 
> for compilation. Thanks in advance.

This is a known problem with the 20040302 pom-ng, and has been fixed in CVS.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com

pptp-conntrack-nat

[lucas baresi]

Hi people.

I have a dumb question, If my pptpd server and my
firewall netfilter are in the same box, I need the
module pptp-conntrack-nat?, no! it´s rigth?

Thx,
Lucky 


		
______________________________________________
Renovamos el Correo Yahoo!: ¡100 MB GRATIS!
Nuevos servicios, más seguridad
http://correo.yahoo.es

Re: pptp-conntrack-nat

[rruegner]

no if your pptp server is on the firewall box you dont need the pptp 
module, openning ports is enough

lucas baresi schrieb:
> Hi people.
> 
> I have a dumb question, If my pptpd server and my
> firewall netfilter are in the same box, I need the
> module pptp-conntrack-nat?, no! it´s rigth?
> 
> Thx,
> Lucky 
> 
> 
> 		
> ______________________________________________
> Renovamos el Correo Yahoo!: ¡100 MB GRATIS!
> Nuevos servicios, más seguridad
> http://correo.yahoo.es
> 

Re: pptp-conntrack-nat

[Jason Opperisano]

On Tue, 2004-09-14 at 12:10, lucas baresi wrote:
> Hi people.
> 
> I have a dumb question, If my pptpd server and my
> firewall netfilter are in the same box, I need the
> module pptp-conntrack-nat?, no! it´s rigth?

no--you do not need the pptp-conntrack-nat patch.

allow TCP port 1723 and IP protocol 47 (GRE) inbound and you'll be good
to go.

-j

-- 
Jason Opperisano <opie@817west.com>