REPOST: nfnetlink / ctnetlink / iptables2 questions

REPOST: nfnetlink / ctnetlink / iptables2 questions

[Phil Dibowitz]

[-- Attachment #1: Type: text/plain, Size: 2223 bytes --]

NOTE: I'm reposting this as I never got a response. I independently 
posted to both netfilter and netfilter-devel before, but am now posting 
to both. Hopefully _someone_ can answer this.


Hey folks,

A while back Herald Welte emailed me (and CC'd the list) and suggested I 
port my application (iptstate) to use the new ctnetlink/nfnetlink 
framework (as opposed to reading data out of /proc).

I haven't had much time since then, but I decided to sit down and look 
at this, and I'm a bit confused by what I found. I found libnfnetlink here:
http://ftp.iasi.roedu.net/netfilter/libnfnetlink/snapshot/
and libctnetlink here:
http://ftp.iasi.roedu.net/netfilter/libctnetlink/snapshot/

And since cfnetlink requires nfnetlink, I went to compile that first. 
And ran into some problems. So I started browsing the archives, and it 
seems people refer to an old "ctnetlink/nfnetlink" and a new one... and 
the new one is part of "iptables2" ? I haven't followed 
netfilter/iptables developement very carefully, so I don't know what 
iptables2 is, but seems to be the latest suite of "frontend" 
applications to netfilter.

At the very least, libnfnetlink requires nfnetlink.h, which I would have 
thought was part of libnfnetlink, but it appears it's not. I found a 
mention of a "release" of iptables2 here:

http://lists.netfilter.org/pipermail/netfilter/2001-November/016646.html

but the download requires a password which I don't have. Additionally 
the post talkes about a whole lot of kernel incompatibilities between 
old versions and new versions and it doesn't appear the latest versions 
have made it into the main kernel tree yet. Is this correct? If so, this 
doesn't actually sound like something ready for primetime yet...

Perhaps someone can relate ctnetlink/nfnetlink (old and new) to 
libcfnetlink/libnfnetlink and iptables2, and the current kernels for me?

Thanks...
-- 
Phil Dibowitz                             phil@ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
  - Benjamin Franklin, 1759


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]

Re: REPOST: nfnetlink / ctnetlink / iptables2 questions

[Henrik Nordstrom]

On Fri, 17 Dec 2004, Phil Dibowitz wrote:

> At the very least, libnfnetlink requires nfnetlink.h, which I would have 
> thought was part of libnfnetlink, but it appears it's not.

It is included as part of the required nfnetlink-ctnetlink kernel patch.

Regards
Henrik

Re: REPOST: nfnetlink / ctnetlink / iptables2 questions

[Phil Dibowitz]

[-- Attachment #1: Type: text/plain, Size: 738 bytes --]

Henrik Nordstrom wrote:
> On Fri, 17 Dec 2004, Phil Dibowitz wrote:
> 
>> At the very least, libnfnetlink requires nfnetlink.h, which I would 
>> have thought was part of libnfnetlink, but it appears it's not.
> 
> 
> It is included as part of the required nfnetlink-ctnetlink kernel patch.

Hey, that's a start, thanks. Can you tell me where this kernel patch is?

I haven't found such a patch....

-- 
Phil Dibowitz                             phil@ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
  - Benjamin Franklin, 1759


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]

Re: REPOST: nfnetlink / ctnetlink / iptables2 questions

[Jason Opperisano]

On Sat, 2004-12-18 at 17:45, Phil Dibowitz wrote:
> Henrik Nordstrom wrote:
> > On Fri, 17 Dec 2004, Phil Dibowitz wrote:
> > 
> >> At the very least, libnfnetlink requires nfnetlink.h, which I would 
> >> have thought was part of libnfnetlink, but it appears it's not.
> > 
> > 
> > It is included as part of the required nfnetlink-ctnetlink kernel patch.
> 
> Hey, that's a start, thanks. Can you tell me where this kernel patch is?
> 
> I haven't found such a patch....

it's in patch-o-matic.  both patch-o-matic-ng-20040621 and CVS appear to
have the same version (0.13):

http://netfilter.org/files/patch-o-matic-ng-20040621.tar.bz2

http://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng/nfnetlink-ctnetlink-0.13/

-j

--
"When will I learn? The answer to life's problems aren't at the bottom
 of a bottle, they're on TV!"
	--The Simpsons

Re: REPOST: nfnetlink / ctnetlink / iptables2 questions

[Henrik Nordstrom]

On Sat, 18 Dec 2004, Phil Dibowitz wrote:

> Henrik Nordstrom wrote:
>> On Fri, 17 Dec 2004, Phil Dibowitz wrote:
>> 
>>> At the very least, libnfnetlink requires nfnetlink.h, which I would have 
>>> thought was part of libnfnetlink, but it appears it's not.
>> 
>> 
>> It is included as part of the required nfnetlink-ctnetlink kernel patch.
>
> Hey, that's a start, thanks. Can you tell me where this kernel patch is?

patch-o-matic-ng

you can also find the patch in netfilter-ha.

Regards
Henrik