problems with libnetfilter_conntrack / cntl_test

problems with libnetfilter_conntrack / cntl_test

[Paweł Sikora]

[-- Attachment #1: Type: text/plain, Size: 781 bytes --]

Hi,

I have installed a 2.6.14.2 kernel + grsecurity-2.1.7-2.6.14.2-$latest,
libnfnetlink-0.0.13 and libnetfilter_conntrack-0.0.28.

./ctnl_test fails:

Test for libnetfilter_conntrack

NFNETLINK answers: Invalid argument
TEST 1: create conntrack (-22)
TEST 2: dump conntrack table and reset (-22)
TEST 3: dump conntrack table (-22)
TEST 4: get conntrack (-22)
TEST 5: update conntrack (-22)
NFNETLINK answers: Invalid argument
TEST 6: delete conntrack (-22)
nfnl_open: bind(netlink): Operation not permitted
Can't open handler
Test failed with error -2. Errors=7

Is this a grsec issue?

Regards,
Paweł.

-- 
The only thing necessary for the triumph of evil
  is for good men to do nothing.
                                           - Edmund Burke

[-- Attachment #2: ctnl_test.log --]
[-- Type: text/x-log, Size: 6850 bytes --]

execve("./ctnl_test", ["./ctnl_test"], [/* 39 vars */]) = 0
uname({sys="Linux", node="vmx", ...})   = 0
brk(0)                                  = 0x804a33c
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=87177, ...}) = 0
mmap2(NULL, 87177, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f78000
close(3)                                = 0
open("/lib/libdl.so.2", O_RDONLY)       = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\v\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=9508, ...}) = 0
mmap2(NULL, 12392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f74000
mmap2(0xb7f76000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f76000
close(3)                                = 0
open("/usr/lib/libnetfilter_conntrack.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\21"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=18648, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f73000
mmap2(NULL, 17840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f6e000
mmap2(0xb7f72000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4) = 0xb7f72000
close(3)                                = 0
open("/usr/lib/libnfnetlink.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\v\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=10388, ...}) = 0
mmap2(NULL, 13676, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f6a000
mmap2(0xb7f6d000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7f6d000
close(3)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20Q\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1148008, ...}) = 0
mmap2(NULL, 1154236, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e50000
mmap2(0xb7f64000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x114) = 0xb7f64000
mmap2(0xb7f68000, 7356, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f68000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e4f000
mprotect(0xb7f64000, 4096, PROT_READ)   = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e4f6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7f78000, 87177)               = 0
fstat64(1, {st_mode=S_IFREG|0644, st_size=2691, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f8d000
brk(0)                                  = 0x804a33c
brk(0x806b33c)                          = 0x806b33c
brk(0x806c000)                          = 0x806c000
socket(PF_NETLINK, SOCK_RAW, 12)        = 3
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=32589, groups=00000000}, [12]) = 0
time(NULL)                              = 1132148197
open("/usr/lib/libnetfilter_conntrack//nfct_proto_tcp-0.0.28.so", O_RDONLY) = 5
read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\5\0"..., 512) = 512
fstat64(5, {st_mode=S_IFREG|0755, st_size=4140, ...}) = 0
mmap2(NULL, 7152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0xb7f8b000
mmap2(0xb7f8c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0xb7f8c000
close(5)                                = 0
sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\0\1\5\6\3475{C\0\0\0\0\2\0\0\0004\0\1\200\24"..., 156}], msg_controllen=0, msg_flags=0}, 0) = 156
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\0\0\0\2\0\0\0\3475{CM\177\0\0\352\377\377\377\234\0\0"..., 8192}], msg_controllen=0, msg_flags=0}, 0) = 36
dup(2)                                  = 5
fcntl64(5, F_GETFL)                     = 0x1 (flags O_WRONLY)
close(5)                                = 0
write(2, "NFNETLINK answers: Invalid argum"..., 36NFNETLINK answers: Invalid argument
) = 36
sendto(3, "\24\0\0\0\3\1\1\3\3505{C\0\0\0\0\2\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\0\0\0\2\0\0\0\3505{CM\177\0\0\352\377\377\377\24\0\0"..., 8192}], msg_controllen=0, msg_flags=0}, 0) = 36
sendto(3, "\24\0\0\0\1\1\1\3\3515{C\0\0\0\0\2\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\0\0\0\2\0\0\0\3515{CM\177\0\0\352\377\377\377\24\0\0"..., 8192}], msg_controllen=0, msg_flags=0}, 0) = 36
sendto(3, "H\0\0\0\1\1\5\0\3525{C\0\0\0\0\2\0\0\0004\0\1\200\24\0"..., 72, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 72
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\0\0\0\2\0\0\0\3525{CM\177\0\0\352\377\377\377H\0\0\0"..., 8192}], msg_controllen=0, msg_flags=0}, 0) = 36
sendto(3, "\234\0\0\0\0\1\5\0\3535{C\0\0\0\0\2\0\0\0004\0\1\200\24"..., 156, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 156
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\0\0\0\2\0\0\0\3535{CM\177\0\0\352\377\377\377\234\0\0"..., 8192}], msg_controllen=0, msg_flags=0}, 0) = 36
sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"H\0\0\0\2\1\5\3\3555{C\0\0\0\0\2\0\0\0004\0\1\200\24\0"..., 72}], msg_controllen=0, msg_flags=0}, 0) = 72
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\0\0\0\2\0\0\0\3555{CM\177\0\0\352\377\377\377H\0\0\0"..., 8192}], msg_controllen=0, msg_flags=0}, 0) = 36
write(2, "NFNETLINK answers: Invalid argum"..., 36NFNETLINK answers: Invalid argument
) = 36
close(3)                                = 0
socket(PF_NETLINK, SOCK_RAW, 12)        = 3
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000007}, 12) = -1 EPERM (Operation not permitted)
write(2, "nfnl_open: bind(netlink): Operat"..., 50nfnl_open: bind(netlink): Operation not permitted
) = 50
write(2, "Can\'t open handler\n", 19Can't open handler
)   = 19
write(1, "Test for libnetfilter_conntrack\n"..., 270Test for libnetfilter_conntrack

TEST 1: create conntrack (-22)
TEST 2: dump conntrack table and reset (-22)
TEST 3: dump conntrack table (-22)
TEST 4: get conntrack (-22)
TEST 5: update conntrack (-22)
TEST 6: delete conntrack (-22)
Test failed with error -2. Errors=7
) = 270
munmap(0xb7f8d000, 4096)                = 0
exit_group(36)                          = ?

Re: problems with libnetfilter_conntrack / cntl_test

[Pablo Neira]

Pawel Sikora wrote:
> I have installed a 2.6.14.2 kernel + grsecurity-2.1.7-2.6.14.2-$latest,
> libnfnetlink-0.0.13 and libnetfilter_conntrack-0.0.28.
> 
> ./ctnl_test fails:
> 
> Test for libnetfilter_conntrack
> 
> NFNETLINK answers: Invalid argument
> TEST 1: create conntrack (-22)
> TEST 2: dump conntrack table and reset (-22)
> TEST 3: dump conntrack table (-22)
> TEST 4: get conntrack (-22)
> TEST 5: update conntrack (-22)
> NFNETLINK answers: Invalid argument
> TEST 6: delete conntrack (-22)
> nfnl_open: bind(netlink): Operation not permitted
> Can't open handler
> Test failed with error -2. Errors=7
> 
> Is this a grsec issue?

Hard to say, my last contact with grsec was years ago. That output is
kind of weird. Could you try reverting the grsec patch?

> socket(PF_NETLINK, SOCK_RAW, 12)        = 3
> bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000007}, 12) = -1 EPERM (Operation not permitted)
> write(2, "nfnl_open: bind(netlink): Operat"..., 50nfnl_open: bind(netlink): Operation not permitted
> ) = 50

This line tells me that you are not executing ctnl_test as root.

-- 
Pablo

Re: problems with libnetfilter_conntrack / cntl_test

[Paweł Sikora]

Dnia środa, 16 listopada 2005 16:44, napisałeś:
> Pawel Sikora wrote:
> > I have installed a 2.6.14.2 kernel + grsecurity-2.1.7-2.6.14.2-$latest,
> > libnfnetlink-0.0.13 and libnetfilter_conntrack-0.0.28.
> >
> > ./ctnl_test fails:
> >
> > Test for libnetfilter_conntrack
> >
> > NFNETLINK answers: Invalid argument
> > TEST 1: create conntrack (-22)
> > TEST 2: dump conntrack table and reset (-22)
> > TEST 3: dump conntrack table (-22)
> > TEST 4: get conntrack (-22)
> > TEST 5: update conntrack (-22)
> > NFNETLINK answers: Invalid argument
> > TEST 6: delete conntrack (-22)
> > nfnl_open: bind(netlink): Operation not permitted
> > Can't open handler
> > Test failed with error -2. Errors=7
> >
> > Is this a grsec issue?
>
> Hard to say, my last contact with grsec was years ago. That output is
> kind of weird. Could you try reverting the grsec patch?

currently I get the same error on 2.6.14.2 without grsec on root account.
first failure occurs at first call of nfnl_talk().

Breakpoint 2, nfnl_talk (nfnlh=0x804b0b0, n=0xbfcb2680, peer=0, groups=0, 
answer=0x0, junk=0, jarg=0x0)
    at libnfnetlink.c:384
384             struct iovec iov = {

(gdb) bt
#0  nfnl_talk (nfnlh=0x804b0b0, n=0xbfcb2680, peer=0, groups=0, answer=0x0,
              junk=0, jarg=0x0)
    at libnfnetlink.c:384
#1  0xb7f84072 in nfct_create_conntrack (cth=0x804b0b0, ct=0x804b008)
    at libnetfilter_conntrack.c:800
#2  0x08048b89 in main (argc=1, argv=0xbfcb3804)
    at ctnl_test.c:85

(gdb) p *nfnlh
$1 = {fd = 6, local = {nl_family = 16, nl_pad = 0, nl_pid = 5330, nl_groups = 
0}, peer = {nl_family = 16,
    nl_pad = 0, nl_pid = 0, nl_groups = 0}, subsys_id = 1 '\001', seq = 
1132160442, dump = 0,
  last_nlhdr = 0x0, cb_count = 4 '\004', cb = 0x804b0f8}

(gdb) p *n
$2 = {nlmsg_len = 156, nlmsg_type = 256, nlmsg_flags = 1541, nlmsg_seq = 
1132160442, nlmsg_pid = 0}

(gdb) s
387             struct msghdr msg = {
(gdb)
394             memset(&nladdr, 0, sizeof(nladdr));
(gdb)
395             nladdr.nl_family = AF_NETLINK;
(gdb)
396             nladdr.nl_pid = peer;
(gdb)
397             nladdr.nl_groups = groups;
(gdb)
399             n->nlmsg_seq = seq = ++nfnlh->seq;
(gdb)
401             if (!answer)
(gdb)
402                     n->nlmsg_flags |= NLM_F_ACK;
(gdb)
404             status = sendmsg(nfnlh->fd, &msg, 0);
(gdb) p msg
$3 = {msg_name = 0xbfcb0630, msg_namelen = 12, msg_iov = 0xbfcb0618, 
msg_iovlen = 1, msg_control = 0x0,
  msg_controllen = 0, msg_flags = 0}
(gdb) s
405             if (status < 0) {
(gdb)
409             iov.iov_base = buf;
(gdb)
410             iov.iov_len = sizeof(buf);
(gdb)
413                     status = recvmsg(nfnlh->fd, &msg, 0);
(gdb)
414                     if (status < 0) {
(gdb) p status
$4 = 36
(gdb) s
420                     if (status == 0) {
(gdb)
424                     if (msg.msg_namelen != sizeof(nladdr)) {
(gdb)
430                     for (h = (struct nlmsghdr *)buf; status >= 
sizeof(*h); ) {
(gdb)
431                             int len = h->nlmsg_len;
(gdb)
432                             int l = len - sizeof(*h);
(gdb)
435                             if (l < 0 || len > status) {
(gdb)
444                             if (h->nlmsg_pid != nfnlh->local.nl_pid ||
(gdb)
454                             if (h->nlmsg_type == NLMSG_ERROR) {
(gdb)
455                                     struct nlmsgerr *err = NLMSG_DATA(h);
(gdb) p *h
$5 = {nlmsg_len = 36, nlmsg_type = 2, nlmsg_flags = 0, nlmsg_seq = 1132160443, 
nlmsg_pid = 5330}


I can provide more info if you need.

BR,

-- 
The only thing necessary for the triumph of evil
  is for good men to do nothing.
                                           - Edmund Burke

Re: problems with libnetfilter_conntrack / cntl_test

[Pablo Neira]

[-- Attachment #1: Type: text/plain, Size: 1284 bytes --]

Paweł Sikora wrote:
> Dnia środa, 16 listopada 2005 16:44, napisałeś:
> 
>>Pawel Sikora wrote:
>>
>>>I have installed a 2.6.14.2 kernel + grsecurity-2.1.7-2.6.14.2-$latest,
>>>libnfnetlink-0.0.13 and libnetfilter_conntrack-0.0.28.
>>>
>>>./ctnl_test fails:
>>>
>>>Test for libnetfilter_conntrack
>>>
>>>NFNETLINK answers: Invalid argument
>>>TEST 1: create conntrack (-22)
>>>TEST 2: dump conntrack table and reset (-22)
>>>TEST 3: dump conntrack table (-22)
>>>TEST 4: get conntrack (-22)
>>>TEST 5: update conntrack (-22)
>>>NFNETLINK answers: Invalid argument
>>>TEST 6: delete conntrack (-22)
>>>nfnl_open: bind(netlink): Operation not permitted
>>>Can't open handler
>>>Test failed with error -2. Errors=7
>>>
>>>Is this a grsec issue?
>>
>>Hard to say, my last contact with grsec was years ago. That output is
>>kind of weird. Could you try reverting the grsec patch?
> 
> 
> currently I get the same error on 2.6.14.2 without grsec on root account.
> first failure occurs at first call of nfnl_talk().

There's nothing wrong in nfnl_talk. It is the kernel that is returning
-EINVAL to userspace. Please apply the patch attached. It enables
debugging. Send me the output since I'm not able to reproduce that
problem that you're reporting. BTW, is that a x86 box?

-- 
Pablo

[-- Attachment #2: debug.patch --]
[-- Type: text/plain, Size: 1032 bytes --]

Index: linux-2.6.14.2/net/netfilter/nfnetlink.c
===================================================================
--- linux-2.6.14.2.orig/net/netfilter/nfnetlink.c	2005-11-11 06:33:12.000000000 +0100
+++ linux-2.6.14.2/net/netfilter/nfnetlink.c	2005-11-17 02:35:21.000000000 +0100
@@ -43,7 +43,7 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NE
 
 static char __initdata nfversion[] = "0.30";
 
-#if 0
+#if 1
 #define DEBUGP(format, args...)	\
 		printk(KERN_DEBUG "%s(%d):%s(): " format, __FILE__, \
 			__LINE__, __FUNCTION__, ## args)
Index: linux-2.6.14.2/net/ipv4/netfilter/ip_conntrack_netlink.c
===================================================================
--- linux-2.6.14.2.orig/net/ipv4/netfilter/ip_conntrack_netlink.c	2005-11-11 06:33:12.000000000 +0100
+++ linux-2.6.14.2/net/ipv4/netfilter/ip_conntrack_netlink.c	2005-11-17 02:35:02.000000000 +0100
@@ -46,7 +46,7 @@ MODULE_LICENSE("GPL");
 
 static char __initdata version[] = "0.90";
 
-#if 0
+#if 1
 #define DEBUGP printk
 #else
 #define DEBUGP(format, args...)

Re: problems with libnetfilter_conntrack / cntl_test

[Paweł Sikora]

Dnia czwartek, 17 listopada 2005 02:38, Pablo Neira napisał:
> Paweł Sikora wrote:
> > Dnia środa, 16 listopada 2005 16:44, napisałeś:
> >>Pawel Sikora wrote:
> >>>I have installed a 2.6.14.2 kernel + grsecurity-2.1.7-2.6.14.2-$latest,
> >>>libnfnetlink-0.0.13 and libnetfilter_conntrack-0.0.28.
> >>>
> >>>./ctnl_test fails:
> >>>
> >>>Test for libnetfilter_conntrack
> >>>
> >>>NFNETLINK answers: Invalid argument
> >>>TEST 1: create conntrack (-22)
> >>>TEST 2: dump conntrack table and reset (-22)
> >>>TEST 3: dump conntrack table (-22)
> >>>TEST 4: get conntrack (-22)
> >>>TEST 5: update conntrack (-22)
> >>>NFNETLINK answers: Invalid argument
> >>>TEST 6: delete conntrack (-22)
> >>>nfnl_open: bind(netlink): Operation not permitted
> >>>Can't open handler
> >>>Test failed with error -2. Errors=7
> >>>
> >>>Is this a grsec issue?
> >>
> >>Hard to say, my last contact with grsec was years ago. That output is
> >>kind of weird. Could you try reverting the grsec patch?
> >
> > currently I get the same error on 2.6.14.2 without grsec on root account.
> > first failure occurs at first call of nfnl_talk().
>
> There's nothing wrong in nfnl_talk. It is the kernel that is returning
> -EINVAL to userspace. (...)

sorry for the noise, /me is brainless :)
`modprobe ip_conntrack_netlink` solved problem.

-- 
The only thing necessary for the triumph of evil
  is for good men to do nothing.
                                           - Edmund Burke

Re: problems with libnetfilter_conntrack / cntl_test

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 656 bytes --]

On Thu, Nov 17, 2005 at 04:21:43AM +0100, Paweł Sikora wrote:

> sorry for the noise, /me is brainless :)
> `modprobe ip_conntrack_netlink` solved problem.

the autoloading of ip_conntrack_netlink was only introduced in the
2.6.15 series.  2.6.14[.y] doesn't have it, sorry.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]