Changing the conntrack / NATP information.

Changing the conntrack / NATP information.

[Emmanuel Guiton]

Hi!

I wish to change the connection tracking / NAPT information of my target 
upon reception of a certain nf_conntrack event. Is it possible to do so 
by doing the following for example:

u_int32_t  ip_address;
conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip = ip_address;
conntrack->nat.info.manips[IP_CT_DIR_ORIGINAL].manip.ip = ip_address;

Or is there more complicated interactions that makes these operations 
not possible? (And then, do you have an advice on how to overcome them?)
To tell the truth, I am investigating the reasons of my kernel crashes :)

                Emmanuel

Re: Changing the conntrack / NATP information.

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 898 bytes --]

On Mon, Mar 15, 2004 at 05:12:03PM +0200, Emmanuel Guiton wrote:
> 
> Hi!
> 
> I wish to change the connection tracking / NAPT information of my target 
> upon reception of a certain nf_conntrack event. Is it possible to do so 
> by doing the following for example:

you can do so.  Please make sure you get the locking right
(ip_conntrack_find_get() / _put()) and note that any change after the
first packet has already been transformed is too late since it will
break the connection.
>                Emmanuel

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Using NF_DROP or NF_STOLEN?

[Emmanuel Guiton]

Hi!

I have a situation when I record in my module a packet for later 
processing. When I do that, I do not wish hte iptables to do anyhting 
with it anymore. As I do that operation in a conntrack  packet() 
function, should I then return NF_STOLEN or NF_DROP? For my operations 
it does not change anything as long as the packet is not in transit 
anymore. But what about the netfilter code? I do not know what 
operations iptables do regarding that flag.

Emmanuel

problem when loading ip_tables

[Emmanuel Guiton]

Hi!

After having modified a few things in the nat part of the iptables code, 
I was sent back to an old problem:

modprobe: Can't locate module ip_tables
iptables v1.2.9: can't initialize iptables 'nat': Table does not exist 
(do you need to insmod?)
Perhaps iptables or your kernel need to be upgraded.

I can't remember exactly when did the problem appear, but it may have 
been after I had added something in ip_conntrack_standalone.c
Anyway, I compiled again, again and again until now when I have a brand 
new kernel (2.4.23) and iptables library (1.2.9, patched) compiled. 
Still, I cannot get rid of that error. Moreover, if I try manually to 
load ip_tables I also get an error

insmod: ip_tables: no module by that name found

while the module ip_tables.o exists. insmod finds without problem the 
other modules like for example ipt_REDIRECT, ip_conntrack, iptable_nat...

Any advice about that?

         Emmanuel

Re: problem when loading ip_tables

[Henrik Nordstrom]

On Wed, 24 Mar 2004, Emmanuel Guiton wrote:

> insmod: ip_tables: no module by that name found
> 
> while the module ip_tables.o exists. insmod finds without problem the 
> other modules like for example ipt_REDIRECT, ip_conntrack, iptable_nat...


Probably your modules.dep is not up to date.

Regards
Henrik

Re: problem when loading ip_tables

[Emmanuel Guiton]

Hi!

I can refine my question.
Of course I cannot insert the module ip_tables in the kernel since... it 
already is. ip_tables is compiled directly as part of the kernel. That's 
for the error about insmod, but that was not the core of the problem anyway.

After a check, I don't think the problem comes from the aditional code 
I've written. So I may forget to do something silly but I can't find it.

Any help is welcome.


          Emmanuel



Emmanuel Guiton wrote:

> Hi!
>
> After having modified a few things in the nat part of the iptables 
> code, I was sent back to an old problem:
>
> modprobe: Can't locate module ip_tables
> iptables v1.2.9: can't initialize iptables 'nat': Table does not exist 
> (do you need to insmod?)
> Perhaps iptables or your kernel need to be upgraded.
>
> I can't remember exactly when did the problem appear, but it may have 
> been after I had added something in ip_conntrack_standalone.c
> Anyway, I compiled again, again and again until now when I have a 
> brand new kernel (2.4.23) and iptables library (1.2.9, patched) 
> compiled. Still, I cannot get rid of that error. Moreover, if I try 
> manually to load ip_tables I also get an error
>
> insmod: ip_tables: no module by that name found
>
> while the module ip_tables.o exists. insmod finds without problem the 
> other modules like for example ipt_REDIRECT, ip_conntrack, iptable_nat...
>
> Any advice about that?
>
>         Emmanuel
>

Re: problem when loading ip_tables

[Emmanuel Guiton]

hi!

Thanks for your suggestion, but I guess it may not be the problem. When 
I recompiled the kernel, I did it from scratch icluding make dep. So it 
should be up to date. However how can I ensure it?
However, looking at modules.dep i noticed that I have a module A that 
depends on a module B that itself depend on A. Can this interdependance 
be a problem?

        Emmanuel



Henrik Nordstrom wrote:

>On Wed, 24 Mar 2004, Emmanuel Guiton wrote:
>
>  
>
>>insmod: ip_tables: no module by that name found
>>
>>while the module ip_tables.o exists. insmod finds without problem the 
>>other modules like for example ipt_REDIRECT, ip_conntrack, iptable_nat...
>>    
>>
>
>
>Probably your modules.dep is not up to date.
>
>Regards
>Henrik
>  
>

Re: problem when loading ip_tables - solved.

[Emmanuel Guiton]

Hi!

The problem was the interdependance I mentioned earlier. I had included 
the header file of my module in the ip_conntrack_standalone.c which 
caused the ip_conntrack module to depend on my module which depends on 
ip_conntrack.

Thanks you Henrik for the clue about modules.dep!

Bye,

         Emmanuel



Emmanuel Guiton wrote:

>
> hi!
>
> Thanks for your suggestion, but I guess it may not be the problem. 
> When I recompiled the kernel, I did it from scratch icluding make dep. 
> So it should be up to date. However how can I ensure it?
> However, looking at modules.dep i noticed that I have a module A that 
> depends on a module B that itself depend on A. Can this 
> interdependance be a problem?
>
>        Emmanuel
>
>
>
> Henrik Nordstrom wrote:
>
>> On Wed, 24 Mar 2004, Emmanuel Guiton wrote:
>>
>>  
>>
>>> insmod: ip_tables: no module by that name found
>>>
>>> while the module ip_tables.o exists. insmod finds without problem 
>>> the other modules like for example ipt_REDIRECT, ip_conntrack, 
>>> iptable_nat...
>>>   
>>
>>
>>
>> Probably your modules.dep is not up to date.
>>
>> Regards
>> Henrik
>>  
>>
>
>
>