[RFC] masquerading/conntrack

All of lore.kernel.org
 help / color / mirror / Atom feed

* [RFC] masquerading/conntrack
@ 2008-05-21  8:33 NICOLAS BOULIANE
  2008-05-21  8:48 ` Henrik Nordstrom
  2008-05-21  9:53 ` Pablo Neira Ayuso
  0 siblings, 2 replies; 9+ messages in thread
From: NICOLAS BOULIANE @ 2008-05-21  8:33 UTC (permalink / raw)
  To: Netfilter Developer Mailing List

Hi,

Here is a problem which I used to have with MASQUERADE,

When the machine boots - naturally there are some connections which

begin to flow as soon as the first ppp interface comes up...
Some of these connections remain open for days - for example - openvpn
and iax2 trunks...

Since ppp0 always come up first, then these connections begin to flow
via ppp0 and with the MASQ IP of ppp0...

Later, when the mangle-rules kick-in, these connections are being
router via ppp4 (which is what I want)...
So far no problem..

The only problem is that these packets now exit via ppp4 but they
continue to keep the source IP of ppp0

Ok, I tried to use the userspace conntrack-tool to search and remove
these entries, but this tool doesn't allow me to do something like this

$> conntrack -L conntrack -d IP

...without asking me the complete tuple-information. I can't delete every

entry with a specific IP either without providing a complete tuple.

Maybe we could add a parameter to the target masquerade, which could add
a flag in the conntrack that would mean "don't use the conntrack entry, we

want to go through the MASQUERADING code again".

What you guys think it should be wise to do ?

thank you
Nick

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [RFC] masquerading/conntrack
  2008-05-21  8:33 [RFC] masquerading/conntrack NICOLAS BOULIANE
@ 2008-05-21  8:48 ` Henrik Nordstrom
  2008-05-21  9:53 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 9+ messages in thread
From: Henrik Nordstrom @ 2008-05-21  8:48 UTC (permalink / raw)
  To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List

[-- Attachment #1: Type: text/plain, Size: 448 bytes --]

On ons, 2008-05-21 at 04:33 -0400, NICOLAS BOULIANE wrote:

> Since ppp0 always come up first, then these connections begin to flow
> via ppp0 and with the MASQ IP of ppp0...
> 
> Later, when the mangle-rules kick-in, these connections are being
> router via ppp4 (which is what I want)...
> So far no problem..

Don't enable forwarding until you have the routing (including policies,
mangle etc) properly configured.

Regards
Henrik

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [RFC] masquerading/conntrack
  2008-05-21  8:33 [RFC] masquerading/conntrack NICOLAS BOULIANE
  2008-05-21  8:48 ` Henrik Nordstrom
@ 2008-05-21  9:53 ` Pablo Neira Ayuso
  2008-05-21 13:23   ` NICOLAS BOULIANE
  1 sibling, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2008-05-21  9:53 UTC (permalink / raw)
  To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List

NICOLAS BOULIANE wrote:
> Since ppp0 always come up first, then these connections begin to flow
> via ppp0 and with the MASQ IP of ppp0...
> 
> Later, when the mangle-rules kick-in, these connections are being
> router via ppp4 (which is what I want)...
> So far no problem..
> 
> 
> The only problem is that these packets now exit via ppp4 but they
> continue to keep the source IP of ppp0
> 
> 
> Ok, I tried to use the userspace conntrack-tool to search and remove
> these entries, but this tool doesn't allow me to do something like this
> 
> $> conntrack -L conntrack -d IP

Check Git, next version (0.9.7) allows it.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [RFC] masquerading/conntrack
  2008-05-21  9:53 ` Pablo Neira Ayuso
@ 2008-05-21 13:23   ` NICOLAS BOULIANE
  2008-05-21 14:04     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: NICOLAS BOULIANE @ 2008-05-21 13:23 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Developer Mailing List

Hi,

thank you for your comments.
---

Pablo:

cc1: warnings being treated as errors
read_config_lex.l: In function 'yylex':
read_config_lex.l:113: warning: incompatible implicit declaration of
built-in function 'strdup'
read_config_lex.l:114: warning: incompatible implicit declaration of
built-in function 'strdup'
read_config_lex.l:115: warning: incompatible implicit declaration of
built-in function 'strdup'
read_config_lex.l:126: warning: incompatible implicit declaration of
built-in function 'strdup'
read_config_lex.c:3845: warning: label 'find_rule' defined but not used
make[1]: *** [read_config_lex.o] Error 1

I get this while compiling the last git snapshot
probably string.h is missing ?

Thank you


On Wed, May 21, 2008 at 5:53 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> NICOLAS BOULIANE wrote:
>> Since ppp0 always come up first, then these connections begin to flow
>> via ppp0 and with the MASQ IP of ppp0...
>>
>> Later, when the mangle-rules kick-in, these connections are being
>> router via ppp4 (which is what I want)...
>> So far no problem..
>>
>>
>> The only problem is that these packets now exit via ppp4 but they
>> continue to keep the source IP of ppp0
>>
>>
>> Ok, I tried to use the userspace conntrack-tool to search and remove
>> these entries, but this tool doesn't allow me to do something like this
>>
>> $> conntrack -L conntrack -d IP
>
> Check Git, next version (0.9.7) allows it.
>
> --
> "Los honestos son inadaptados sociales" -- Les Luthiers
>

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [RFC] masquerading/conntrack
  2008-05-21 13:23   ` NICOLAS BOULIANE
@ 2008-05-21 14:04     ` Pablo Neira Ayuso
  2008-05-21 14:25       ` NICOLAS BOULIANE
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2008-05-21 14:04 UTC (permalink / raw)
  To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List

[-- Attachment #1: Type: text/plain, Size: 865 bytes --]

NICOLAS BOULIANE wrote:
> Hi,
> 
> thank you for your comments.
> ---
> 
> Pablo:
> 
> cc1: warnings being treated as errors
> read_config_lex.l: In function 'yylex':
> read_config_lex.l:113: warning: incompatible implicit declaration of
> built-in function 'strdup'
> read_config_lex.l:114: warning: incompatible implicit declaration of
> built-in function 'strdup'
> read_config_lex.l:115: warning: incompatible implicit declaration of
> built-in function 'strdup'
> read_config_lex.l:126: warning: incompatible implicit declaration of
> built-in function 'strdup'
> read_config_lex.c:3845: warning: label 'find_rule' defined but not used
> make[1]: *** [read_config_lex.o] Error 1
> 
> I get this while compiling the last git snapshot
> probably string.h is missing ?

Does the patch attached fix it?

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 271 bytes --]

diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index eb3368a..7daaeab 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -19,6 +19,8 @@
  * Description: configuration file syntax
  */
 
+#include <string.h>
+
 #include "read_config_yy.h"
 %}
 

^ permalink raw reply related	[flat|nested] 9+ messages in thread

* Re: [RFC] masquerading/conntrack
  2008-05-21 14:04     ` Pablo Neira Ayuso
@ 2008-05-21 14:25       ` NICOLAS BOULIANE
  2008-05-21 15:10         ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: NICOLAS BOULIANE @ 2008-05-21 14:25 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Developer Mailing List

Pablo,

It fixed the strdup(). But now:

cc1: warnings being treated as errors
read_config_lex.c: In function 'yylex':
read_config_lex.c:3846: warning: label 'find_rule' defined but not used
make[1]: *** [read_config_lex.o] Error 1


if I strip this label (find_rule), then I get:

read_config_lex.c:3593: warning: 'yy_full_match' defined but not used
make[1]: *** [read_config_lex.o] Error 1
make[1]: Leaving directory `/usr/local/src/conntrack-tools/src'
make: *** [all-recursive] Error 1


If I remove this function (yy_full_match), then I get:

cc1: warnings being treated as errors
read_config_lex.c: In function 'yylex':
read_config_lex.c:3782: warning: 'yy_act' may be used uninitialized in
this function
make[1]: *** [read_config_lex.o] Error 1

If I initialize this var (register int yy_act = 0;), then I get:

everything compile now.

I'm using a version I compiled without the -Werror flag, it was more clean.

Nick



On Wed, May 21, 2008 at 10:04 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> NICOLAS BOULIANE wrote:
>> Hi,
>>
>> thank you for your comments.
>> ---
>>
>> Pablo:
>>
>> cc1: warnings being treated as errors
>> read_config_lex.l: In function 'yylex':
>> read_config_lex.l:113: warning: incompatible implicit declaration of
>> built-in function 'strdup'
>> read_config_lex.l:114: warning: incompatible implicit declaration of
>> built-in function 'strdup'
>> read_config_lex.l:115: warning: incompatible implicit declaration of
>> built-in function 'strdup'
>> read_config_lex.l:126: warning: incompatible implicit declaration of
>> built-in function 'strdup'
>> read_config_lex.c:3845: warning: label 'find_rule' defined but not used
>> make[1]: *** [read_config_lex.o] Error 1
>>
>> I get this while compiling the last git snapshot
>> probably string.h is missing ?
>
> Does the patch attached fix it?
>
> --
> "Los honestos son inadaptados sociales" -- Les Luthiers
>
> diff --git a/src/read_config_lex.l b/src/read_config_lex.l
> index eb3368a..7daaeab 100644
> --- a/src/read_config_lex.l
> +++ b/src/read_config_lex.l
> @@ -19,6 +19,8 @@
>  * Description: configuration file syntax
>  */
>
> +#include <string.h>
> +
>  #include "read_config_yy.h"
>  %}
>
>
>

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [RFC] masquerading/conntrack
  2008-05-21 14:25       ` NICOLAS BOULIANE
@ 2008-05-21 15:10         ` Pablo Neira Ayuso
  2008-05-21 16:13           ` NICOLAS BOULIANE
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2008-05-21 15:10 UTC (permalink / raw)
  To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List

NICOLAS BOULIANE wrote:
> Pablo,
> 
> It fixed the strdup(). But now:
> 
> cc1: warnings being treated as errors
> read_config_lex.c: In function 'yylex':
> read_config_lex.c:3846: warning: label 'find_rule' defined but not used
> make[1]: *** [read_config_lex.o] Error 1
> 
> 
> if I strip this label (find_rule), then I get:
> 
> read_config_lex.c:3593: warning: 'yy_full_match' defined but not used
> make[1]: *** [read_config_lex.o] Error 1
> make[1]: Leaving directory `/usr/local/src/conntrack-tools/src'
> make: *** [all-recursive] Error 1
> 
> 
> If I remove this function (yy_full_match), then I get:
> 
> cc1: warnings being treated as errors
> read_config_lex.c: In function 'yylex':
> read_config_lex.c:3782: warning: 'yy_act' may be used uninitialized in
> this function
> make[1]: *** [read_config_lex.o] Error 1
> 
> If I initialize this var (register int yy_act = 0;), then I get:
> 
> everything compile now.

This report is really strange, your flex implementation is generating
useless code. What version are you using? Here I'm using flex 2.5.33.

> I'm using a version I compiled without the -Werror flag, it was more clean.

The -Werror is there to catch this sort of problems and force users to
report them ;), I plan to keep it there until conntrack-tools hits 1.0
at least.

Probably we have to check for a specific version of flex.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [RFC] masquerading/conntrack
  2008-05-21 15:10         ` Pablo Neira Ayuso
@ 2008-05-21 16:13           ` NICOLAS BOULIANE
  2008-05-22 13:00             ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: NICOLAS BOULIANE @ 2008-05-21 16:13 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Netfilter Developer Mailing List

Pablo,

On Wed, May 21, 2008 at 11:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> NICOLAS BOULIANE wrote:
>> Pablo,
>>
>> It fixed the strdup(). But now:
>>
>> cc1: warnings being treated as errors
>> read_config_lex.c: In function 'yylex':
>> read_config_lex.c:3846: warning: label 'find_rule' defined but not used
>> make[1]: *** [read_config_lex.o] Error 1
>>
>>
>> if I strip this label (find_rule), then I get:
>>
>> read_config_lex.c:3593: warning: 'yy_full_match' defined but not used
>> make[1]: *** [read_config_lex.o] Error 1
>> make[1]: Leaving directory `/usr/local/src/conntrack-tools/src'
>> make: *** [all-recursive] Error 1
>>
>>
>> If I remove this function (yy_full_match), then I get:
>>
>> cc1: warnings being treated as errors
>> read_config_lex.c: In function 'yylex':
>> read_config_lex.c:3782: warning: 'yy_act' may be used uninitialized in
>> this function
>> make[1]: *** [read_config_lex.o] Error 1
>>
>> If I initialize this var (register int yy_act = 0;), then I get:
>>
>> everything compile now.
>
> This report is really strange, your flex implementation is generating
> useless code. What version are you using? Here I'm using flex 2.5.33.
>


[nib@bwm ~]$ flex --version
flex version 2.5.4
[nib@bwm ~]$

[nib@bwm ~]$ yum info flex
Loading "installonlyn" plugin
Setting up repositories
Reading repository metadata in from local files
Installed Packages
Name   : flex
Arch   : i386
Version: 2.5.4a
Release: 41.fc6
Size   : 239 k
Repo   : installed
...

Centos is running on this machine.

>> I'm using a version I compiled without the -Werror flag, it was more clean.
>
> The -Werror is there to catch this sort of problems and force users to
> report them ;), I plan to keep it there until conntrack-tools hits 1.0
> at least.

It's a good idea :)

>
> Probably we have to check for a specific version of flex.
>
> --
> "Los honestos son inadaptados sociales" -- Les Luthiers
>

Nick

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [RFC] masquerading/conntrack
  2008-05-21 16:13           ` NICOLAS BOULIANE
@ 2008-05-22 13:00             ` Pablo Neira Ayuso
  0 siblings, 0 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2008-05-22 13:00 UTC (permalink / raw)
  To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List

[-- Attachment #1: Type: text/plain, Size: 774 bytes --]

NICOLAS BOULIANE wrote:
>> This report is really strange, your flex implementation is generating
>> useless code. What version are you using? Here I'm using flex 2.5.33.
>>
> 
> [nib@bwm ~]$ flex --version
> flex version 2.5.4
> [nib@bwm ~]$
> 
> [nib@bwm ~]$ yum info flex
> Loading "installonlyn" plugin
> Setting up repositories
> Reading repository metadata in from local files
> Installed Packages
> Name   : flex
> Arch   : i386
> Version: 2.5.4a
> Release: 41.fc6
> Size   : 239 k
> Repo   : installed
> ...
> 
> Centos is running on this machine.

Centos seems to be using a caveman flex version! From 1997, 11 years ago!

I have committed the following patch to warn people about using old flex
version.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 865 bytes --]

diff --git a/configure.in b/configure.in
index f3b8785..0a6b8fe 100644
--- a/configure.in
+++ b/configure.in
@@ -49,6 +49,21 @@ then
 	exit 1
 fi
 
+AC_MSG_CHECKING(flex version)
+flex_version=`$LEX --version | sed 's/version//g' | awk '/flex/ {print $2}'`
+flex_major=`echo $flex_version| cut -d . -f 1`
+flex_minor=`echo $flex_version| cut -d . -f 2`
+flex_rev=`echo $flex_version| cut -d . -f 3`
+ 
+if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test "$flex_rev" -ge "33"; then
+	AC_MSG_RESULT([$flex_version. OK])
+else
+	AC_MSG_WARN([flex version $flex_version found.
+	Version 2.5.33 or greater is required. You may experience problems
+	while compilating the conntrack-tools. Please, consider to upgrade 
+	flex.])
+fi
+
 AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])])
 
 # Checks for libraries.

^ permalink raw reply related	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2008-05-22 13:00 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-05-21  8:33 [RFC] masquerading/conntrack NICOLAS BOULIANE
2008-05-21  8:48 ` Henrik Nordstrom
2008-05-21  9:53 ` Pablo Neira Ayuso
2008-05-21 13:23   ` NICOLAS BOULIANE
2008-05-21 14:04     ` Pablo Neira Ayuso
2008-05-21 14:25       ` NICOLAS BOULIANE
2008-05-21 15:10         ` Pablo Neira Ayuso
2008-05-21 16:13           ` NICOLAS BOULIANE
2008-05-22 13:00             ` Pablo Neira Ayuso

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.