* nfnetlink-ctnetlink working: INSTRUCTIONS
From: Amin Azez @ 2005-04-11 10:45 UTC (permalink / raw)
  To: netfilter-devel

Many thanks to Pablo (and Harald whose work was also contained in some 
of the patches Pablo sent) I now have nfnetlink-ctnetlink modules and 
libraries working such that ctnltest (part of libctnetlink) returns 
valid data on open network connections.

[One note: It seems deliberate that the new nfnetlink module conflicts 
with ip_queue because both listen on the same netlink socket number 
NETLINK_FIREWALL (is that the right terminology?). Is there a reason for 
this?]

I document here the full steps required to make this work on pristine 
2.6.11 kernel sources, and I repeat the steps as I write them here so 
there will be full confidence that the steps are accurate.

(Perhaps there may be other patches that are desired, such as 
http://lists.netfilter.org/pipermail/netfilter-devel/2005-April/019177.html)

This means that only one of these modules can be loaded at a time.

What is the reason for this?


1) Get the pristine 2.6.11 sources and un-tar

2) apply Pablo's patches from 
http://people.netfilter.org/pablo/patches/nfnetlink-conntrack-0.50-2.6.11/

3) edit net/Kconfig and insert:
source "net/netfilter/Kconfig"
just before:
source "net/ipv4/Kconfig"

4) edit net/Makefile and insert:
obj-$(CONFIG_NETFILTER_NETLINK) += netfilter/
just after:
obj-$(CONFIG_NET)              += $(tmp-y)

5) configure, build and install your kernel and modules
My config includes:
CONFIG_NETFILTER_NETLINK=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CONNTRACK_NETLINK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y

Once you've done that, reboot to your new kernel (may as well).

6) now get libctnetlink from: 
ftp://ftp.netfilter.org/pub/libctnetlink/snapshot/
I got the 20050410 snapshot. Possibly newer snapshots will have some of 
the next patches already attached.

7) now get libnfnetlink from:
ftp://ftp.netfilter.org/pub/libnfnetlink/snapshot/
I got the 20050410 snapshot. Possibly newer snapshots will have some of 
the next patches already attached.

8) untar both these files from the same dir, and then create a symlink 
from your libnfnetlink-2005???? folder to libnfnetlink, so that 
libctnetlink can find it. I did it like this:
ln -s libnfnetlink-20050410 libnfnetlink

9) Get and apply Pablo's patches from
http://lists.netfilter.org/pipermail/netfilter-devel/2005-April/019182.html
(the last patch in the list is for libnfnetlink, the others are for 
libctnetlink)

10) Apply this patch in libctnetlink to fix the "test/demo" program
--- ctnltest.c  2005-04-11 14:06:08.000000000 -0400
+++ ctnltest.c.orig     2005-04-11 13:58:53.000000000 -0400
@@ -10,7 +10,7 @@

  #include <linux/types.h>
  #include <linux/netlink.h>
-#include <linux/netfilter_ipv4/ip_conntrack_netlink.h>
+#include <linux/nfnetlink_conntrack.h>

  #include "libctnetlink.h"

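Review bot: the file header is reversed (`--- ctnltest.c` names the edited file and `+++ ctnltest.c.orig` the original), so in this and the following hunks the `+` lines are the old code, and `patch` applied as-is would undo the intended edit, putting `#include <linux/nfnetlink_conntrack.h>` back in place of `#include <linux/netfilter_ipv4/ip_conntrack_netlink.h>`; regenerate it with `diff -u ctnltest.c.orig ctnltest.c`, or apply it with `patch -R`.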
@@ -115,7 +115,7 @@
         if (cb[CTA_ORIG]) {
                 printf("orig: %s\n",
 
display_tuple_flat(NFA_DATA(cb[CTA_ORIG])));
-               ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]),CTA_UNSPEC);
+               ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]));
         }
         if (cb[CTA_RPLY])
                 printf("rply: %s\n",
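Review bot: `ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]), CTA_UNSPEC)` sits in the branch that prints each entry's original tuple, so the test program deletes every conntrack entry it dumps; for a demo meant to list connections that is a destructive side effect (all tracked state on the host is flushed one entry at a time) and should be behind an explicit command-line option or removed, with the call's return value checked either way.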
@@ -169,7 +169,7 @@
                 exit(2);
         }

-       ctnl_wilddump_request(cth, AF_INET, IPCTNL_MSG_GETCONNTRACK);
+       ctnl_wilddump_request(cth, AF_INET, CTNL_MSG_GETCONNTRACK);

         while (len = recv(cth->nfnlh.fd, &buf, sizeof(buf), 0)) {
                 printf("pkt received\n");
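Review bot: `while (len = recv(cth->nfnlh.fd, &buf, sizeof(buf), 0))` loops on any non-zero return, so a -1 error (EINTR, or ENOBUFS when the kernel drops events because the socket buffer overflowed) is treated as a received packet and the stale contents of `buf` are parsed; write it as `while ((len = recv(...)) > 0)`, handle EINTR and ENOBUFS explicitly, and stop on NLMSG_DONE, because a netlink socket does not return 0 at the end of a dump, so as written the loop never terminates cleanly.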


[BTW make sure libnfnetlink and libctnetlink see your new kernel source]

11) build libnfnetlink:
cd libnfnetlink-2005????
automake-1.4
autoconf
./configure
make && make install

12) build libctnetlink
cd libctnetlink-2005????
automake-1.4
autoconf
./configure
make && make install

13) build ctnltest.c with
gcc -o ctnltest ctnltest.c -L/usr/local/lib \
-I/opt/KERNEL/linux-2.6.11.6/include/ -lctnetlink -lnfnetlink

14) You may need to add /usr/local/lib to /etc/ld.so.conf and run ldconfig

15) get kernel modules loaded:
rmmod ip_queue # cos it conflicts with nfnetlink (used by ip_conntrack_netlink)
modprobe ip_conntrack_netlink

16) try out ctnltest:
./ctnltest
It should print out data on active network connections.
It doesn't print out data on new connections as they form; I don't know 
if it should.

17) .... write your own userspace client based on ctnltest and any 
documentation you can find?

Amin

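As an added example (not code from this thread, nor libnfnetlink's or libctnetlink's own), here is a netlink receive loop that handles what ctnltest's `while (len = recv(...))` does not: error returns, EINTR, ENOBUFS when the kernel drops events because the socket buffer overflowed, and termination on NLMSG_DONE or NLMSG_ERROR. It assumes Linux's <linux/netlink.h>; `drain_netlink`, `build_msg` and `demo_run` are my own names, the messages are constructed in-process and pushed through an AF_UNIX socketpair so it runs without a netfilter-enabled kernel, and `demo_tuple` with message type 0x0101 is a made-up payload, not the real ctnetlink attribute format.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/netlink.h>

/* Outcome of draining one dump or event stream. */
struct drain_stats {
    int messages;    /* payload messages handed to the handler */
    int overruns;    /* ENOBUFS returns: the kernel dropped events, resync needed */
    int error_code;  /* errno carried by an NLMSG_ERROR, 0 if none */
};
typedef void (*msg_handler)(const struct nlmsghdr *nlh, void *arg);

/* Read from fd until NLMSG_DONE, NLMSG_ERROR, EOF or a hard error; unlike
 * `while (len = recv(...))`, a -1 return is never parsed as data. 0 or -errno. */
int drain_netlink(int fd, msg_handler handler, void *arg, struct drain_stats *st)
{
    char buf[8192];
    memset(st, 0, sizeof(*st));
    for (;;) {
        ssize_t len = recv(fd, buf, sizeof(buf), 0);
        if (len < 0) {
            if (errno == EINTR) continue;   /* interrupted by a signal: retry */
            if (errno == ENOBUFS) {         /* socket buffer overflowed: events lost */
                st->overruns++;
                continue;
            }
            return -errno;                  /* anything else is fatal */
        }
        if (len == 0) return -ECONNRESET;   /* peer closed; netlink never does this */
        struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
        int remaining = (int)len;           /* int: NLMSG_OK rejects a negative remainder */
        for (; NLMSG_OK(nlh, remaining); nlh = NLMSG_NEXT(nlh, remaining)) {
            if (nlh->nlmsg_type == NLMSG_DONE) return 0;   /* end of a multi-part dump */
            if (nlh->nlmsg_type == NLMSG_ERROR) {
                const struct nlmsgerr *err = NLMSG_DATA(nlh);
                st->error_code = -err->error;   /* kernel sends a negative errno */
                return err->error;              /* 0 is a plain ACK */
            }
            st->messages++;
            handler(nlh, arg);
        }
    }
}

/* Build one netlink message (header + payload) into out; returns bytes used. */
size_t build_msg(char *out, size_t cap, uint16_t type, uint16_t flags,
                 uint32_t seq, const void *payload, size_t plen)
{
    size_t total = NLMSG_SPACE(plen);
    if (total > cap) return 0;
    struct nlmsghdr *nlh = (struct nlmsghdr *)out;
    memset(out, 0, total);
    nlh->nlmsg_len = NLMSG_LENGTH(plen);
    nlh->nlmsg_type = type;
    nlh->nlmsg_flags = flags;
    nlh->nlmsg_seq = seq;
    if (plen) memcpy(NLMSG_DATA(nlh), payload, plen);
    return total;
}

/* Constructed stand-in for a conntrack tuple; NOT the real ctnetlink layout,
 * and 0x0101 below is a made-up message type. */
struct demo_tuple { uint32_t src, dst; uint16_t sport, dport; };
struct demo_state { int seen; uint16_t last_dport; };

static void demo_handler(const struct nlmsghdr *nlh, void *arg)
{
    struct demo_state *s = arg;
    const struct demo_tuple *t = NLMSG_DATA(nlh);
    if (NLMSG_PAYLOAD(nlh, 0) < sizeof(*t)) return;  /* short payload: never read past it */
    s->seen++;
    s->last_dport = t->dport;
}

/* Feed two constructed entries, then NLMSG_DONE (with_error == 0) or an NLMSG_ERROR
 * carrying -EPERM, through an AF_UNIX datagram socketpair (one datagram per frame,
 * like one recv() per netlink message) and drain them. Returns drain_netlink()'s rc. */
int demo_run(int with_error, struct drain_stats *st, struct demo_state *state)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -errno;
    char f[64];
    struct demo_tuple t1 = { 0x0a000001u, 0x0a000002u, 40000, 22 };
    struct demo_tuple t2 = { 0x0a000001u, 0x0a000003u, 40001, 443 };
    struct nlmsgerr err = { .error = -EPERM };
    send(sv[0], f, build_msg(f, sizeof f, 0x0101, NLM_F_MULTI, 1, &t1, sizeof t1), 0);
    send(sv[0], f, build_msg(f, sizeof f, 0x0101, NLM_F_MULTI, 1, &t2, sizeof t2), 0);
    if (with_error)
        send(sv[0], f, build_msg(f, sizeof f, NLMSG_ERROR, 0, 1, &err, sizeof err), 0);
    else
        send(sv[0], f, build_msg(f, sizeof f, NLMSG_DONE, NLM_F_MULTI, 1, NULL, 0), 0);
    memset(state, 0, sizeof(*state));
    int rc = drain_netlink(sv[1], demo_handler, state, st);
    close(sv[0]); close(sv[1]);
    return rc;
}
```

`demo_run(0, ...)` returns 0 after counting both entries and stops at NLMSG_DONE; `demo_run(1, ...)` returns -EPERM and records it in `error_code`, which is the case ctnltest's loop silently mishandles.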

* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Wang Jian @ 2005-04-14  8:35 UTC (permalink / raw)
  To: Amin Azez; +Cc: netfilter-devel

Hi Amin Azez,

The patch is not enough, at least when compiled using gcc 3.4.


[root@qos linux-2.6.11-w]# make O=/home/QoSTestBuild/ modules
  Using /home/linux-2.6.11-w as source for kernel
  GEN    /home/QoSTestBuild/Makefile
  CHK     include/linux/version.h
  SPLIT   include/linux/autoconf.h -> include/config/*
make[2]: `arch/i386/kernel/asm-offsets.s' is up to date.
  CHK     include/asm-i386/asm_offsets.h
gcc: drivers/atm/../../include/asm/byteorder.h: No such file or directory
gcc: no input files
  CC [M]  net/ipv4/netfilter/ip_conntrack_netlink.o
/home/linux-2.6.11-w/net/ipv4/netfilter/ip_conntrack_netlink.c: In function `ctnetlink_create_conntrack':
/home/linux-2.6.11-w/include/linux/netfilter_ipv4/ip_conntrack.h:344: sorry, unimplemented: inlining failed in call to 'ip_conntrack_free': function body not available
/home/linux-2.6.11-w/net/ipv4/netfilter/ip_conntrack_netlink.c:652: sorry, unimplemented: called from here
/home/linux-2.6.11-w/include/linux/netfilter_ipv4/ip_conntrack.h:346: sorry, unimplemented: inlining failed in call to 'ip_conntrack_insert': function body not available
/home/linux-2.6.11-w/net/ipv4/netfilter/ip_conntrack_netlink.c:656: sorry, unimplemented: called from here
make[4]: *** [net/ipv4/netfilter/ip_conntrack_netlink.o] Error 1
make[3]: *** [net/ipv4/netfilter] Error 2
make[2]: *** [net/ipv4] Error 2
make[1]: *** [net] Error 2
make: *** [modules] Error 2

and net/ipv4/netfilter/ip_conntrack_core.c has the same problem.

ip_conntrack_free() is defined in ip_conntrack_core.c as inline after its
first usage.

Didn't you meet the same problem?



-- 
  lark


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Pablo Neira @ 2005-04-14  9:40 UTC (permalink / raw)
  To: Wang Jian; +Cc: netfilter-devel, Amin Azez

Wang Jian wrote:
> Hi Amin Azez,
> 
> The patch is not enough at least when compiled using gcc 3.4.
> 
> 
> [root@qos linux-2.6.11-w]# make O=/home/QoSTestBuild/ modules                     Using /home/linux-2.6.11-w as source for kernel
>   GEN    /home/QoSTestBuild/Makefile
>   CHK     include/linux/version.h
>   SPLIT   include/linux/autoconf.h -> include/config/*
> make[2]: `arch/i386/kernel/asm-offsets.s' is up to date.
>   CHK     include/asm-i386/asm_offsets.h
> gcc: drivers/atm/../../include/asm/byteorder.h: No such file or directory
> gcc: no input files
>   CC [M]  net/ipv4/netfilter/ip_conntrack_netlink.o
> /home/linux-2.6.11-w/net/ipv4/netfilter/ip_conntrack_netlink.c: In function `ctnetlink_create_conntrack':
> /home/linux-2.6.11-w/include/linux/netfilter_ipv4/ip_conntrack.h:344: sorry, unimplemented: inlining failed in call to 'ip_conntrack_free': function body not available
> /home/linux-2.6.11-w/net/ipv4/netfilter/ip_conntrack_netlink.c:652: sorry, unimplemented: called from here
> /home/linux-2.6.11-w/include/linux/netfilter_ipv4/ip_conntrack.h:346: sorry, unimplemented: inlining failed in call to 'ip_conntrack_insert': function body not available
> /home/linux-2.6.11-w/net/ipv4/netfilter/ip_conntrack_netlink.c:656: sorry, unimplemented: called from here
> make[4]: *** [net/ipv4/netfilter/ip_conntrack_netlink.o] Error 1
> make[3]: *** [net/ipv4/netfilter] Error 2
> make[2]: *** [net/ipv4] Error 2
> make[1]: *** [net] Error 2
> make: *** [modules] Error 2
> 
> and net/ipv4/netfilter/ip_conntrack_core.c has the same problem.

Just remove `inline' from ip_conntrack_free and ip_conntrack_insert. 
I've just fixed those in the patches, so alternatively you could 
download the patch again. This seems to be something gcc-3.4 related 
since I didn't get such error with gcc-2.95.

--
Pablo


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Wang Jian @ 2005-04-14  9:59 UTC (permalink / raw)
  To: Pablo Neira; +Cc: netfilter-devel, Amin Azez

Hi Pablo Neira,


> 
> Just remove `inline' from ip_conntrack_free and ip_conntrack_insert. 
> I've just fixed those in the patches, so alternatively you could 
> download the patch again. This seems to be something gcc-3.4 related 
> since I didn't get such error with gcc-2.95.
> 

I removed the inline prefix from include/linux/netfilter_ipv4/ip_conntrack.h,
and now it compiles.

But I think 

EXPORT_SYMBOL(ip_conntrack_insert);

is missing in net/ipv4/netfilter/ip_conntrack_standalone.c, isn't it?


-- 
  lark


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Wang Jian @ 2005-04-14 10:15 UTC (permalink / raw)
  To: Amin Azez; +Cc: netfilter-devel

Hi Amin Azez,


On Mon, 11 Apr 2005 11:45:23 +0100, Amin Azez <azez@ufomechanic.net> wrote:

> 
> 10) Apply this patch in libctnetlink to fix the "test/demo" program
> --- ctnltest.c  2005-04-11 14:06:08.000000000 -0400
> +++ ctnltest.c.orig     2005-04-11 13:58:53.000000000 -0400
> @@ -10,7 +10,7 @@
> 
>   #include <linux/types.h>
>   #include <linux/netlink.h>
> -#include <linux/netfilter_ipv4/ip_conntrack_netlink.h>
> +#include <linux/nfnetlink_conntrack.h>
> 
>   #include "libctnetlink.h"
> 
> @@ -115,7 +115,7 @@
>          if (cb[CTA_ORIG]) {
>                  printf("orig: %s\n",
>  
> display_tuple_flat(NFA_DATA(cb[CTA_ORIG])));
> -               ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]),CTA_UNSPEC);
> +               ctnl_del_conntrack(cth, NFA_DATA(cb[CTA_ORIG]));
>          }
>          if (cb[CTA_RPLY])
>                  printf("rply: %s\n",
> @@ -169,7 +169,7 @@
>                  exit(2);
>          }
> 
> -       ctnl_wilddump_request(cth, AF_INET, IPCTNL_MSG_GETCONNTRACK);
> +       ctnl_wilddump_request(cth, AF_INET, CTNL_MSG_GETCONNTRACK);
> 
>          while (len = recv(cth->nfnlh.fd, &buf, sizeof(buf), 0)) {
>                  printf("pkt received\n");
> 
> 
> [BTW make sure libnfnetlink and libctnetlink see your new kernel source]
> 

This patch is reversed.

> 11) build libnfnetlink:
> cd libnfnetlink-2005????
> automake-1.4
> autoconf
> ./configure
> make && make install
> 
> 12) build libctnetlink
> cd libctnetlink-2005????
> automake-1.4
> autoconf
> ./configure
> make && make install
> 

Yes. automake-1.4 must be used.

> 13) build ctnltest.c with
> gcc -o ctnltest ctnltest.c -L/usr/local/lib \
> -I/opt/KERNEL/linux-2.6.11.6/include/ -lctnetlink -lnfnetlink
> 
> 14) You may need to add /usr/local/lib to /etc/ld.so.conf and run ldconfig
> 
> 15) get kernel modules loaded:
> rmmod ip_queue # cos it conflicts with nfnetlink (used by 
> ip_conntrack_netlink)
> modprobe ip_conntrack_netlink
> 
> 16) try out ctnltest:
> ./ctnltest
> It should print out data on active network connections
> It doesn't print out data on new connections as they form, I don't know 
> if it should.

Looking at the code, it looks like it should

in __ip_conntrack_confirm()

                ip_conntrack_event_cache(master_ct(ct) ?
                                         IPCT_RELATED : IPCT_NEW, *pskb);

But no one calls it.

> 
> 17) .... write your own userspace client based on ctnltest and any 
> documentation you can find?
> 
> Amin
> 



-- 
  lark


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Pablo Neira @ 2005-04-14 10:20 UTC (permalink / raw)
  To: Wang Jian; +Cc: netfilter-devel, Amin Azez

Wang Jian wrote:
>>Just remove `inline' from ip_conntrack_free and ip_conntrack_insert. 
>>I've just fixed those in the patches, so alternatively you could 
>>download the patch again. This seems to be something gcc-3.4 related 
>>since I didn't get such error with gcc-2.95.
>>
> 
> 
> I remove the inline prefix from include/linux/netfilter_ipv4/ip_conntrack.h,
> and now it compiles.
> 
> But I think 
> 
> EXPORT_SYMBOL(ip_conntrack_insert);
> 
> is missing in net/ipv4/netfilter/ip_conntrack_standalone.c, isn't it?

Right, I've just fixed it, thanks.

--
Pablo


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Amin Azez @ 2005-04-14 16:03 UTC (permalink / raw)
  To: netfilter-devel

Thanks for your feedback Wang, comments inline

Wang Jian wrote:
> This patch is reversed.

*sigh* so it is, how embarrassing, thanks for spotting that.

>>13) build ctnltest.c with
>>16) try out ctnltest:
>>./ctnltest
>>It should print out data on active network connections
>>It doesn't print out data on new connections as they form, I don't know 
>>if it should.
> 
> 
> Looking at the code, it looks like it should
> 
> in __ip_conntrack_confirm()
> 
>                 ip_conntrack_event_cache(master_ct(ct) ?
>                                          IPCT_RELATED : IPCT_NEW, *pskb);
> 
> But no one calls it.

Thanks, I will take a look at this. I realised that something needed to 
be done with ip_conntrack_event_cache, but didn't think it was in there. 
I had seen that the IPCNTL_MSG_UPDCONNTRACK was not implemented and I am 
supposing that is for tracking the updates, so I'm just working out the 
approach to add that. It's a straightforward job I am sure, but I am 
still getting familiar with the netlink internals.

When I wrote that I was a little unsure what ctnltest was supposed to 
do; since then I have added support for the CONFIG_IP_NF_CT_ACCT byte and 
packet counters to the nfnetlink_ctnetlink patches that Pablo put 
together. I sent this to Pablo, but he has since released his 
changes as a pom-ng, so I shall do the same for the CONFIG_IP_NF_CT_ACCT 
enhancements I did unless he beats me to it.

Amin


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Amin Azez @ 2005-04-14 16:05 UTC (permalink / raw)
  To: netfilter-devel

Wang Jian wrote:
> Hi Amin Azez,
> 
> The patch is not enough at least when compiled using gcc 3.4.
...

> Didn't you meet the same problem?

I was using gcc 3.2.2 but I see Pablo has a fix for you.

Amin


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Wang Jian @ 2005-04-15  6:54 UTC (permalink / raw)
  To: Pablo Neira; +Cc: netfilter-devel, Amin Azez

Hi Pablo Neira,

The current patches (dated 14-Apr) seem not to emit event messages,
such as when a new connection is established.

The only event emitter I find is in ip_conntrack_in()

        if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
                ip_conntrack_event_cache(IPCT_STATUS, *pskb);

set_reply is set to 1 only when the first reply packet is seen from the server
end of a "connection", and !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status)
is supposed to be true at that moment. So it will emit the event once. But
in my test, ctnltest doesn't receive this event.

Did I miss something?



-- 
  lark


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Pablo Neira @ 2005-04-15 20:25 UTC (permalink / raw)
  To: Wang Jian; +Cc: netfilter-devel, Amin Azez

Wang Jian wrote:
> Hi Pablo Neira,
> 
> The current patches (dated 14-Apr) seem not to emit event messages,
> such as when a new connection is established.

Hm it works just fine here.

o The ct-event notification API is ok, try this test:
http://people.netfilter.org/~pablo/patches/test/ct-event-test.tar.gz

o Netlink notification works fine as well via:
http://people.netfilter.org/~pablo/conntrack-tool/

Try:
# conntrack -E conntrack

So I don't see any problem.

> The only event emitter I find is in ip_conntrack_in()
> 
>         if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
>                 ip_conntrack_event_cache(IPCT_STATUS, *pskb);
> 
> set_reply is set to 1 only when the first reply packet is seen from the server
> end of a "connection", and !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status)
> is supposed to be true at that moment. So it will emit the event once. But
> in my test, ctnltest doesn't receive this event.
> 
> Did I miss something?

I'll update ctnltest.c soon since it's currently broken. I haven't paid 
attention to it so far.

--
Pablo


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Wang Jian @ 2005-04-15 23:50 UTC (permalink / raw)
  To: Pablo Neira; +Cc: netfilter-devel, Amin Azez

Hi Pablo Neira,

Thanks for your information :)

I will look into conntrack-tool.

BTW:

Is there any documentation about ct-event notification API /
libnfnetlink / libctnetlink?

If there is none, I think I can help drafting it. But I need some hints
on the big picture.


-- 
  lark


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Wang Jian @ 2005-04-18  7:14 UTC (permalink / raw)
  To: Wang Jian; +Cc: netfilter-devel, Pablo Neira, Amin Azez

Hi Pablo Neira,

I have tried conntrack-tool and it works fine. Thanks for your great
work. I did some trivial changes (remove id) to use ctnetlink and
nfnetlink just added to pom-ng.

Here I list some issues I met:

1. conntrack-tools 0.12's Makefile doesn't work, at least for gcc 3.3.4
and 3.4.x

The link command line

        ${CC} ${LINKOPTS} src/conntrack.o src/libct.o -o conntrack

should be

        ${CC} src/conntrack.o src/libct.o -o conntrack ${LINKOPTS}

and

LINKOPTS=-ldl -lnfnetlink -lctnetlink -rdynamic

should be

LINKOPTS=-ldl -lctnetlink -lnfnetlink -rdynamic

otherwise the linker complains that symbols are undefined. It took me
some time to figure out that the cause was the order of the options.

This is also true for your patches against 2.6.11.


2. A little confusing output for connection refused case

# ./conntrack -E conntrack

type: [NEW] src=192.168.0.123 dst=192.168.0.254 sport=2515 dport=20 src=192.168.0.254 dst=192.168.0.123 sport=20 dport=2515 status:8 timeout:120 tcp 6
type: [DESTROY] src=192.168.0.123 dst=192.168.0.254 sport=2515 dport=20 src=192.168.0.254 dst=192.168.0.123 sport=20 dport=2515 status:8 timeout:120 

type: [NEW] src=192.168.0.123 dst=192.168.0.254 sport=2515 dport=20 src=192.168.0.254 dst=192.168.0.123 sport=20 dport=2515 status:10 tcp 6

Should the third event after destroying the ct be emitted before DESTROY?

3. There seems to be an empty or invalid entry at the end of the destroy
message, which leads to an extra "\n" being printed by event_handler().

4. Also, for successful connection, there is an extra '\n'.

type: [NEW] src=192.168.0.254 dst=192.168.0.27 sport=2394 dport=22 src=192.168.0.27 dst=192.168.0.254 sport=22 dport=2394 status:8 timeout:120 tcp 6
type: [NEW] src=192.168.0.254 dst=192.168.0.27 sport=2394 dport=22 src=192.168.0.27 dst=192.168.0.254 sport=22 dport=2394 status:10 timeout:60 tcp 6

type: [NEW] src=192.168.0.254 dst=192.168.0.27 sport=2394 dport=22 src=192.168.0.27 dst=192.168.0.254 sport=22 dport=2394 timeout:432000 tcp 6




-- 
  lark


* Re: nfnetlink-ctnetlink working: INSTRUCTIONS
From: Amin Azez @ 2005-04-18 12:49 UTC (permalink / raw)
  To: netfilter-devel

Pablo Neira wrote:
> Wang Jian wrote:
> 
>> Hi Pablo Neira,
>>
>> The current patches (dated 14-Apr), seems to not emit event messages,
>> such as when new connection is established.
> 
> 
> Hm it works just fine here.
> 
> o The ct-event notification API is ok, try this test:
> http://people.netfilter.org/~pablo/patches/test/ct-event-test.tar.gz
> 
> o Netlink notification works fine as well via:
> http://people.netfilter.org/~pablo/conntrack-tool/
> 
> Try:
> # conntrack -E conntrack

I'm just taking conntrack to bits, and I am puzzled about the existence 
of libctnetlink.h and libnfnetlink.h in conntrack's include directory.

The main difference seems to be the extra parameter in 
ctnl_get_conntrack and ctnl_del_conntrack which is not part of my 
libctnetlink library.

Pablo, is this the old id that is no longer needed because the tuples 
are enough, but still in your libctnetlink? Or something else?

Sam

