Re: problem with conntrack-0.81

Re: problem with conntrack-0.81

[Pablo Neira]

Hi,

David Walker wrote:
> I'm using conntrack-0.81, libnfnetlink-0.0.10, libnfnetlink_conntrack-0.0.10, 
> linux-2.6.14-rc5 on my bridging firewall.
> 
> When I list the connection table with:
> 
>>conntrack -L
> 
> unknown  0 431987 src=0.0.0.0 dst=0.0.0.0 src=0.0.0.0 dst=0.0.0.0 [ASSURED] 
> mark=0 use=1 id=351262
> ...
> 
> I don't get the protocol or ip addresses. 
> 
>>cat /proc/net/ip_conntrack
> 
> tcp      6 431993 ESTABLISHED src=216.231.49.19 dst=81.59.116.198 sport=55734 
> dport=6346 packets=6406 bytes=2232236 src=81.59.116.198 dst=216.231.49.19 
> sport=6346 dport=55734 packets=8115 bytes=7268987 [ASSURED] mark=0 use=1
> ...
> displays the protocol and ip addresses.
> 
> Is this caused by something I'm doing wrong?

*A lot of changes* has been applied to conntrack and the userspace 
libraries last days, some of them to keep them in sync with kernelspace 
changes. Please check out a working copy from netfilter SVN, that will 
fix your problem.

I still have some things that I want to do before the first 1.0 release, 
among them learning how to add new releases to the netfilter.org 
webpage, Harald? any help?

--
Pablo

Re: problem with conntrack-0.81

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1357 bytes --]

On Wed, Oct 26, 2005 at 09:15:30AM +0200, Pablo Neira wrote:

> I still have some things that I want to do before the first 1.0
> release, among them learning how to add new releases to the
> netfilter.org webpage, Harald? any help?

just check out the 'trunk/homepage' directory and try whether a 'make'
does in fact generate a working copy of the homepage.   The build system
works on Debian systems quite fine, you'll need xsltproc and
docbook-website.

Once that works, I suggest looking at
http://svn.netfilter.org/netfilter/trunk/homepage/xml/projects/conntrack/downloads.xml
and adding the release to the xml code.  then rebuild the page.  if
everything works fine, send me a patch, I'll apply it, rebuild and
upload the homepage.

The more important issues is, how we're going to handle signing and
uploading of the respective files to ftp and http server.  At the
moment, only the core team can sign releases (and has the respective
upload permissions).

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: problem with conntrack-0.81

[Pablo Neira]

Harald Welte wrote:
> On Wed, Oct 26, 2005 at 09:15:30AM +0200, Pablo Neira wrote:
>>I still have some things that I want to do before the first 1.0
>>release, among them learning how to add new releases to the
>>netfilter.org webpage, Harald? any help?
> 
> just check out the 'trunk/homepage' directory and try whether a 'make'
> does in fact generate a working copy of the homepage.   The build system
> works on Debian systems quite fine, you'll need xsltproc and
> docbook-website.

Installed both packages on my laptop (debian). Besides I needed to
install libxml-writer-perl (Write.pm required) and:

pablo@legba:~/SVN-netfilter/trunk/homepage$ touch depends.tabular
pablo@legba:~/SVN-netfilter/trunk/homepage/xml$ touch depends.tabular

and then, type make.

pablo@legba:~/SVN-netfilter/trunk/homepage$ make
make -C xml
make[1]: Entering directory `/usr/src/SVN/trunk/homepage/xml'
perl -I../scripts -I../../patch-o-matic-ng ../scripts/pom2docbook.pl
--xmldir ./patch-o-matic --repository pending
../../patch-o-matic-ng/patchlets
Your linux version  is unknown for patch-o-matic at
../scripts/pom2docbook.pl line 119
make[1]: *** [patch-o-matic/pom-pending.xml] Error 255
make[1]: Leaving directory `/usr/src/SVN/trunk/homepage/xml'
make: *** [all] Error 2

any clue on what's wrong?

> Once that works, I suggest looking at
> http://svn.netfilter.org/netfilter/trunk/homepage/xml/projects/conntrack/downloads.xml
> and adding the release to the xml code.  then rebuild the page.  if
> everything works fine, send me a patch, I'll apply it, rebuild and
> upload the homepage.

OK.

> The more important issues is, how we're going to handle signing and
> uploading of the respective files to ftp and http server.  At the
> moment, only the core team can sign releases (and has the respective
> upload permissions).

During the WS you told me that you needed someone that could do the
releasing stuff. Well, I don't know if this could help but if you
consider that I could that such work, what will it consist on?

-- 
Pablo

Re: problem with conntrack-0.81

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 2392 bytes --]

On Fri, Nov 04, 2005 at 07:40:58PM +0100, Pablo Neira wrote:

> pablo@legba:~/SVN-netfilter/trunk/homepage$ make
> make -C xml
> make[1]: Entering directory `/usr/src/SVN/trunk/homepage/xml'
> perl -I../scripts -I../../patch-o-matic-ng ../scripts/pom2docbook.pl
> --xmldir ./patch-o-matic --repository pending
> ../../patch-o-matic-ng/patchlets
> Your linux version  is unknown for patch-o-matic at
> ../scripts/pom2docbook.pl line 119
> make[1]: *** [patch-o-matic/pom-pending.xml] Error 255
> make[1]: Leaving directory `/usr/src/SVN/trunk/homepage/xml'
> make: *** [all] Error 2
> 
> any clue on what's wrong?

it tries to execute patch-o-matic-ng, but doesn't find a linux kernel in
the default location (don't know where the default is, you'd have to
check the sources).

this is for auto-creating the xml/html pages from the patch-o-matic
tree.


> > The more important issues is, how we're going to handle signing and
> > uploading of the respective files to ftp and http server.  At the
> > moment, only the core team can sign releases (and has the respective
> > upload permissions).
> 
> During the WS you told me that you needed someone that could do the
> releasing stuff. Well, I don't know if this could help but if you
> consider that I could that such work, what will it consist on?

well, basicaully it would mean that you'd be doing the 'make distrib',
uploading the files to the http/ftp server, updating the homepage xml,
rebuilding html from the xml, and (at least in the iptables case)
manually write the changelog based on the diff to the previous version
and the svn commit messages.

PGP/GPG signign is an issue, and currently we only have one key for the
coreteam.  Maybe we should create a separate 'release signing key' that
would be kept with the releasemaster (e.g. you).

An alternative was to wait for somebody in the netfilter project to send
you the signed released file, and you would just do the
copying/updating/rebuilding/checking/...

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

web & releasing [was Re: problem with conntrack-0.81]

[Pablo Neira]

Hi Harald,

Harald Welte wrote:
> On Fri, Nov 04, 2005 at 07:40:58PM +0100, Pablo Neira wrote:
> 
>>pablo@legba:~/SVN-netfilter/trunk/homepage$ make
>>make -C xml
>>make[1]: Entering directory `/usr/src/SVN/trunk/homepage/xml'
>>perl -I../scripts -I../../patch-o-matic-ng ../scripts/pom2docbook.pl
>>--xmldir ./patch-o-matic --repository pending
>>../../patch-o-matic-ng/patchlets
>>Your linux version  is unknown for patch-o-matic at
>>../scripts/pom2docbook.pl line 119
>>make[1]: *** [patch-o-matic/pom-pending.xml] Error 255
>>make[1]: Leaving directory `/usr/src/SVN/trunk/homepage/xml'
>>make: *** [all] Error 2
>>
>>any clue on what's wrong?
> 
> it tries to execute patch-o-matic-ng, but doesn't find a linux kernel in
> the default location (don't know where the default is, you'd have to
> check the sources).
> 
> this is for auto-creating the xml/html pages from the patch-o-matic
> tree.

The problem was that I forgot to set KERNEL_DIR and IPTABLES_DIR. OK,
now the problem is something different. Once I type make:

...
projects/libnetfilter_conntrack/downloads.xml:
projects/libnetfilter_conntrack/downloads.html
projects/conntrack/index.xml: projects/conntrack/index.html
projects/conntrack/downloads.xml: projects/conntrack/downloads.html
projects/ipset/index.xml: projects/ipset/index.html
projects/hipac/index.xml: projects/hipac/index.html
patch-o-matic/index.xml: projects/patch-o-matic/index.html
patch-o-matic/pom-submitted.xml: projects/patch-o-matic/pom-submitted.html
warning: failed to load external entity "patch-o-matic/pom-pending.xml"
patch-o-matic/pom-pending.xml: missing ID.
make: *** [autolayout.xml] Error 10

That file is missing. OK, to work around the problem I just remove the
reference to pom-pending.xml in layout.xml. Now I typed "make" again,
and the compilation loops forever.

make[1]: Entering directory `/usr/src/SVN/trunk/homepage/xml'
...
make[2]: Entering directory `/usr/src/SVN/trunk/homepage/xml'

and so on. Any clue?

>>>The more important issues is, how we're going to handle signing and
>>>uploading of the respective files to ftp and http server.  At the
>>>moment, only the core team can sign releases (and has the respective
>>>upload permissions).
>>
>>During the WS you told me that you needed someone that could do the
>>releasing stuff. Well, I don't know if this could help but if you
>>consider that I could that such work, what will it consist on?
> 
> well, basicaully it would mean that you'd be doing the 'make distrib',
> uploading the files to the http/ftp server, updating the homepage xml,
> rebuilding html from the xml, and (at least in the iptables case)
> manually write the changelog based on the diff to the previous version
> and the svn commit messages.

OK, that looks quite easy to automate. But, about iptables, maybe we
could add a ChangeLog file? That would make my life easier.

> PGP/GPG signign is an issue, and currently we only have one key for the
> coreteam.  Maybe we should create a separate 'release signing key' that
> would be kept with the releasemaster (e.g. you).
> 
> An alternative was to wait for somebody in the netfilter project to send
> you the signed released file, and you would just do the
> copying/updating/rebuilding/checking/...

Whatever. If I get some autonomy I'll be able to do things more
efficiently, so I prefer the first option. It's up to you.

cheers,
Pablo