TProxy w/2.6

TProxy w/2.6

[Evan Langlois]

Hello all,

I've been unable to get the TPROXY patch to patch against 2.6.5 ,2.6.6,
nor 2.6.7.  I've tried the patches on the original authors site and the
patches in patch-o-matic-ng.  The ones on the original authors site don't
patch against a vanilla kernel of the version indicated.  I have no idea
what kernel patches they already had installed to make that patch, or what
its supposed to patch against.  I'd really prefer to use 2.6 for epoll.

Does anyone have any suggestions of where to go from here?

Re: TProxy w/2.6

[KOVACS Krisztian]

  Hi,

On Mon, Jun 21, 2004 at 11:31:34AM -0500, Evan Langlois wrote:
> I've been unable to get the TPROXY patch to patch against 2.6.5 ,2.6.6,
> nor 2.6.7.  I've tried the patches on the original authors site and the
> patches in patch-o-matic-ng.  The ones on the original authors site don't
> patch against a vanilla kernel of the version indicated.  I have no idea
> what kernel patches they already had installed to make that patch, or what
> its supposed to patch against.  I'd really prefer to use 2.6 for epoll.
> 
> Does anyone have any suggestions of where to go from here?

  Ask the right person! :)

  The patches on our homepage were created for 2.6.6 with Jozsef
Kadlecsik's TCP window tracking patch applied. The one in POM-ng should
apply on 2.6.6 (and probably fail on others). BTW, applying window
tracking onto 2.6.7 has failed for me, so applying TProxy will fail as
well.

  You can somewhat lower these requirements by skipping 04-nat_delete,
since that is a rarely-used optional part, and it is the only part of the
patches which requires the TCP window tracking code. I've just re-checked
that the patches contained in our tarball apply without rejects on vanilla
2.6.6.

--
 Regards, 
  KOVACS Krisztian

Re: TProxy w/2.6

[Evan Langlois]

Hi,

>   The patches on our homepage were created for 2.6.6 with Jozsef
> Kadlecsik's TCP window tracking patch applied. The one in POM-ng should
> apply on 2.6.6 (and probably fail on others). BTW, applying window
> tracking onto 2.6.7 has failed for me, so applying TProxy will fail as
> well.

tcp-window-tracking from pom applied to vanilla 2.6.6 - cttproxy patches
from web site fails.  cttproxy applied to vanilla 2.6.6 fails.  I tried
using other versions of the window tracking patch, they failed.

>   You can somewhat lower these requirements by skipping 04-nat_delete,
> since that is a rarely-used optional part, and it is the only part of the
> patches which requires the TCP window tracking code. I've just re-checked
> that the patches contained in our tarball apply without rejects on vanilla
> 2.6.6.

tcp-window-tracking applies fine.

the tproxt in pom never works.  The cttproxy package does not apply to
2.6.6 even with tcp-window-tracking applied to a vanilla 2.6.6 kernel. 
Are you using a vanilla kernel from kernel.org, or a kernel from some
distribution that may have modified the original sources?

Note the very large number of failures!  This is against a vanilla 2.6.6
kernel with the latest tcp-window-tracking patch from POMng applied (which
applied cleanly).

Now what?

linux # cat ../cttproxy-2.6.6-1.9.6/patch_tree/0* | patch -p1 --dry-run
patching file include/linux/netfilter_ipv4/ip_conntrack.h
Hunk #2 succeeded at 256 with fuzz 1 (offset -5 lines).
patching file include/linux/netfilter_ipv4/ip_nat.h
patching file net/ipv4/netfilter/ip_conntrack_core.c
Hunk #3 succeeded at 952 (offset -1 lines).
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 succeeded at 651 (offset -45 lines).
patching file net/ipv4/netfilter/ip_nat_core.c
patching file net/ipv4/netfilter/ip_nat_proto_icmp.c
patching file net/ipv4/netfilter/ip_nat_proto_tcp.c
patching file net/ipv4/netfilter/ip_nat_proto_udp.c
patching file net/ipv4/netfilter/ip_nat_standalone.c
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/ip_nat_standalone.c
Hunk #1 FAILED at 392.
1 out of 1 hunk FAILED -- saving rejects to file
net/ipv4/netfilter/ip_nat_standalone.c.rej
patching file include/linux/in.h
patching file include/linux/net.h
patching file include/linux/netfilter_ipv4/ip_conntrack.h
Hunk #2 succeeded at 212 (offset -5 lines).
Hunk #3 FAILED at 268.
1 out of 3 hunks FAILED -- saving rejects to file
include/linux/netfilter_ipv4/ip_conntrack.h.rej

<<stuff deleted for space>>

patching file net/ipv4/netfilter/ip_nat_standalone.c
Hunk #1 FAILED at 398.
1 out of 1 hunk FAILED -- saving rejects to file
net/ipv4/netfilter/ip_nat_standalone.c.rej

<<stuff deleted for space>>

patching file net/ipv4/netfilter/ip_nat_core.c
Hunk #1 succeeded at 96 (offset -19 lines).
Hunk #2 FAILED at 272.
Hunk #3 FAILED at 308.
Hunk #4 FAILED at 368.
Hunk #5 FAILED at 545.
Hunk #6 succeeded at 189 with fuzz 2 (offset -389 lines).
4 out of 6 hunks FAILED -- saving rejects to file
net/ipv4/netfilter/ip_nat_core.c.rej
patching file net/ipv4/netfilter/ip_conntrack_proto_tcp.c
Hunk #1 FAILED at 856.
1 out of 1 hunk FAILED -- saving rejects to file
net/ipv4/netfilter/ip_conntrack_proto_tcp.c.rej
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 succeeded at 656 (offset -49 lines).
patching file include/linux/netfilter_ipv4/ip_conntrack.h
Hunk #1 FAILED at 54.
Hunk #2 succeeded at 224 (offset -17 lines).
Hunk #3 succeeded at 251 with fuzz 1 (offset -17 lines).
1 out of 3 hunks FAILED -- saving rejects to file
include/linux/netfilter_ipv4/ip_conntrack.h.rej

Re: TProxy w/2.6

[KOVACS Krisztian]

   Hi,

Evan Langlois wrote:
> tcp-window-tracking from pom applied to vanilla 2.6.6 - cttproxy patches
> from web site fails.  cttproxy applied to vanilla 2.6.6 fails.  I tried
> using other versions of the window tracking patch, they failed.
> 
> tcp-window-tracking applies fine.

   For me too, but I was unable to apply it onto 2.6.7.

> the tproxt in pom never works.  The cttproxy package does not apply to
> 2.6.6 even with tcp-window-tracking applied to a vanilla 2.6.6 kernel. 
> Are you using a vanilla kernel from kernel.org, or a kernel from some
> distribution that may have modified the original sources?

   I'm using vanilla sources, but the patch files are _generated_ partly 
using a simple shell script, partly using 'quilt'. The POM-ng port is 
not yet optimal, since it does not use .ladd files, so it's a bit picky 
regarding kernel versions.

> Note the very large number of failures!  This is against a vanilla 2.6.6
> kernel with the latest tcp-window-tracking patch from POMng applied (which
> applied cleanly).

$ wget http://www.balabit.com/downloads/tproxy/linux-2.4/devel/\
cttproxy-2.6.6-1.9.6.tar.gz
$ tar xzf cttproxy*.tar.gz
$ tar xjf linux-2.6.6.tar.bz2
$ cd linux-2.6.6
$ cat ../cttproxy-2.6.6-1.9.6/patch_tree/0{1,2,3}*.diff | patch -p1
patching file include/linux/netfilter_ipv4/ip_conntrack.h
Hunk #2 succeeded at 256 with fuzz 1 (offset -5 lines).
patching file include/linux/netfilter_ipv4/ip_nat.h
patching file net/ipv4/netfilter/ip_conntrack_core.c
Hunk #3 succeeded at 952 (offset -1 lines).
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 succeeded at 651 (offset -45 lines).
patching file net/ipv4/netfilter/ip_nat_core.c
patching file net/ipv4/netfilter/ip_nat_proto_icmp.c
patching file net/ipv4/netfilter/ip_nat_proto_tcp.c
patching file net/ipv4/netfilter/ip_nat_proto_udp.c
patching file net/ipv4/netfilter/ip_nat_standalone.c
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/ip_nat_standalone.c
patching file include/linux/in.h
patching file include/linux/net.h
patching file include/linux/netfilter_ipv4/ip_conntrack.h
Hunk #3 succeeded at 268 with fuzz 1 (offset -5 lines).
patching file include/linux/netfilter_ipv4/ip_nat.h
patching file include/linux/netfilter_ipv4/ip_nat_core.h
patching file include/linux/netfilter_ipv4/ip_tproxy.h
patching file include/linux/netfilter_ipv4/ipt_TPROXY.h
patching file include/net/ip.h
patching file net/ipv4/ip_sockglue.c
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
patching file net/ipv4/netfilter/ip_conntrack_core.c
patching file net/ipv4/netfilter/ip_conntrack_standalone.c
Hunk #1 succeeded at 632 (offset -45 lines).
patching file net/ipv4/netfilter/ip_fw_compat_masq.c
patching file net/ipv4/netfilter/ip_nat_amanda.c
patching file net/ipv4/netfilter/ip_nat_core.c
patching file net/ipv4/netfilter/ip_nat_ftp.c
patching file net/ipv4/netfilter/ip_nat_irc.c
patching file net/ipv4/netfilter/ip_nat_rule.c
patching file net/ipv4/netfilter/ip_nat_standalone.c
patching file net/ipv4/netfilter/ip_nat_tftp.c
patching file net/ipv4/netfilter/ipt_MASQUERADE.c
patching file net/ipv4/netfilter/ipt_NETMAP.c
patching file net/ipv4/netfilter/ipt_REDIRECT.c
patching file net/ipv4/netfilter/ipt_SAME.c
patching file net/ipv4/netfilter/ipt_TPROXY.c
patching file net/ipv4/netfilter/ipt_tproxy.c
patching file net/ipv4/netfilter/iptable_tproxy.c
patching file net/ipv4/tcp_ipv4.c
patching file net/ipv4/udp.c
$

   So, I don't see any problems at all. Note that since I did not apply 
the window tracking patch, I skipped 04*.diff as well. Unfortunately I 
was unable to test POM-ng, since the POM-ng from CVS I've just checked 
out fails to apply tcp-window-tracking, because conntrack_error-api 
fails to apply. The approach you've tried is not correct, because the 
patches are dependant on each other, so applying 02-*.diff without 01... 
is not possible. And unfortunately running a simple patch with the 
'--dry-run' option does not know about this, and fails. POM-ng is wiser, 
and should correctly test dependant patchsets as well.

-- 
  Regards,
   Krisztian KOVACS

Re: TProxy w/2.6

[Evan Langlois]

>
>    So, I don't see any problems at all. Note that since I did not apply
> the window tracking patch, I skipped 04*.diff as well. Unfortunately I

Ah .. yes, using dry-run is what did it.  I should have known.  Too much
stress elsewhere I guess.

Thank you so much for the help!

-- Evan