From: Pablo Neira <pablo@eurodev.net>
To: "Paweł Sikora" <pluto@agmk.net>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: problems with libnetfilter_conntrack / cntl_test
Date: Thu, 17 Nov 2005 02:38:35 +0100
Message-ID: <437BDF1B.1050107@eurodev.net>
In-Reply-To: <200511161809.25277.pluto@agmk.net>

[-- Attachment #1: Type: text/plain, Size: 1284 bytes --]

Paweł Sikora wrote:
> On Wednesday, 16 November 2005 16:44, you wrote:
> 
>>Pawel Sikora wrote:
>>
>>>I have installed a 2.6.14.2 kernel + grsecurity-2.1.7-2.6.14.2-$latest,
>>>libnfnetlink-0.0.13 and libnetfilter_conntrack-0.0.28.
>>>
>>>./ctnl_test fails:
>>>
>>>Test for libnetfilter_conntrack
>>>
>>>NFNETLINK answers: Invalid argument
>>>TEST 1: create conntrack (-22)
>>>TEST 2: dump conntrack table and reset (-22)
>>>TEST 3: dump conntrack table (-22)
>>>TEST 4: get conntrack (-22)
>>>TEST 5: update conntrack (-22)
>>>NFNETLINK answers: Invalid argument
>>>TEST 6: delete conntrack (-22)
>>>nfnl_open: bind(netlink): Operation not permitted
>>>Can't open handler
>>>Test failed with error -2. Errors=7
>>>
>>>Is this a grsec issue?
>>
>>Hard to say, my last contact with grsec was years ago. That output is
>>kind of weird. Could you try reverting the grsec patch?
> 
> 
> currently I get the same error on 2.6.14.2 without grsec on root account.
> first failure occurs at first call of nfnl_talk().

There's nothing wrong in nfnl_talk. It is the kernel that is returning
-EINVAL to userspace. Please apply the patch attached. It enables
debugging. Send me the output since I'm not able to reproduce that
problem that you're reporting. BTW, is that an x86 box?

-- 
Pablo

[-- Attachment #2: debug.patch --]
[-- Type: text/plain, Size: 1032 bytes --]

Index: linux-2.6.14.2/net/netfilter/nfnetlink.c
===================================================================
--- linux-2.6.14.2.orig/net/netfilter/nfnetlink.c	2005-11-11 06:33:12.000000000 +0100
+++ linux-2.6.14.2/net/netfilter/nfnetlink.c	2005-11-17 02:35:21.000000000 +0100
@@ -43,7 +43,7 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NE
 
 static char __initdata nfversion[] = "0.30";
 
-#if 0
+#if 1
 #define DEBUGP(format, args...)	\
 		printk(KERN_DEBUG "%s(%d):%s(): " format, __FILE__, \
 			__LINE__, __FUNCTION__, ## args)
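
Review bot: The switch from #if 0 to #if 1 above the DEBUGP definition turns the debug output on unconditionally at compile time, so this should stay a local diagnostic change and be reverted once the output has been collected. The enabled macro prints at KERN_DEBUG, which the default console log level does not show, so the reporter should be told to read the messages from the kernel log buffer (dmesg) instead of the console.
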
Index: linux-2.6.14.2/net/ipv4/netfilter/ip_conntrack_netlink.c
===================================================================
--- linux-2.6.14.2.orig/net/ipv4/netfilter/ip_conntrack_netlink.c	2005-11-11 06:33:12.000000000 +0100
+++ linux-2.6.14.2/net/ipv4/netfilter/ip_conntrack_netlink.c	2005-11-17 02:35:02.000000000 +0100
@@ -46,7 +46,7 @@ MODULE_LICENSE("GPL");
 
 static char __initdata version[] = "0.90";
 
-#if 0
+#if 1
 #define DEBUGP printk
 #else
 #define DEBUGP(format, args...)
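
Review bot: In the enabled branch, "#define DEBUGP printk" adds no log level and no file, line or function prefix, unlike the DEBUGP in nfnetlink.c, so output from the two files will be hard to tell apart in a single log unless the call sites add their own prefix. The enabled form is also an object-like macro while the disabled form is function-like, "DEBUGP(format, args...)"; defining both branches with the same function-like signature would keep call sites checked the same way in either build. As with the first hunk, the #if 1 is for debugging only and should not be carried in a tree.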
