* [RFC] masquerading/conntrack
@ 2008-05-21 8:33 NICOLAS BOULIANE
2008-05-21 8:48 ` Henrik Nordstrom
2008-05-21 9:53 ` Pablo Neira Ayuso
0 siblings, 2 replies; 9+ messages in thread
From: NICOLAS BOULIANE @ 2008-05-21 8:33 UTC (permalink / raw)
To: Netfilter Developer Mailing List
Hi,
Here is a problem which I used to have with MASQUERADE,
When the machine boots - naturally there are some connections which
begin to flow as soon as the first ppp interface comes up...
Some of these connections remain open for days - for example - openvpn
and iax2 trunks...
Since ppp0 always comes up first, these connections begin to flow
via ppp0 and with the MASQ IP of ppp0...
Later, when the mangle rules kick in, these connections are being
routed via ppp4 (which is what I want)...
So far no problem..
The only problem is that these packets now exit via ppp4 but they
continue to keep the source IP of ppp0
Ok, I tried to use the userspace conntrack-tool to search and remove
these entries, but this tool doesn't allow me to do something like this
$> conntrack -L conntrack -d IP
...without asking me for the complete tuple information. I can't delete every
entry with a specific IP either without providing a complete tuple.
Maybe we could add a parameter to the target masquerade, which could add
a flag in the conntrack that would mean "don't use the conntrack entry, we
want to go through the MASQUERADING code again".
What do you guys think would be wise to do?
thank you
Nick
* Re: [RFC] masquerading/conntrack
From: Henrik Nordstrom @ 2008-05-21 8:48 UTC (permalink / raw)
To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List
On Wed, 2008-05-21 at 04:33 -0400, NICOLAS BOULIANE wrote:
> Since ppp0 always comes up first, these connections begin to flow
> via ppp0 and with the MASQ IP of ppp0...
>
> Later, when the mangle rules kick in, these connections are being
> routed via ppp4 (which is what I want)...
> So far no problem..
Don't enable forwarding until you have the routing (including policies,
mangle etc) properly configured.
Regards
Henrik
* Re: [RFC] masquerading/conntrack
From: Pablo Neira Ayuso @ 2008-05-21 9:53 UTC (permalink / raw)
To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List
NICOLAS BOULIANE wrote:
> Since ppp0 always comes up first, these connections begin to flow
> via ppp0 and with the MASQ IP of ppp0...
>
> Later, when the mangle rules kick in, these connections are being
> routed via ppp4 (which is what I want)...
> So far no problem..
>
>
> The only problem is that these packets now exit via ppp4 but they
> continue to keep the source IP of ppp0
>
>
> Ok, I tried to use the userspace conntrack-tool to search and remove
> these entries, but this tool doesn't allow me to do something like this
>
> $> conntrack -L conntrack -d IP
Check Git, next version (0.9.7) allows it.
--
"The honest are social misfits" -- Les Luthiers
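Pablo's answer points at conntrack-tools 0.9.7 for deleting by a single address. With the older tool, which insists on the full tuple, the same cleanup can be scripted from `conntrack -L` output: select the entries whose reply-direction destination is the old MASQUERADE address (that is the address the flow is still being rewritten to, whatever interface it now leaves on) and print one full-tuple `conntrack -D` per entry. This is an added example for this thread, not code from conntrack-tools or from anyone in the discussion; the sample listing is constructed, the key=value line layout (original tuple followed by reply tuple) is assumed from the tool's text output, the delete flags are those of the current conntrack(8) man page and should be checked against the installed version, and the addresses 203.0.113.5 (ppp0) and 198.51.100.9 (ppp4) are placeholders.

```python
"""Find MASQUERADEd conntrack entries that still carry a stale NAT source
address and emit the full-tuple `conntrack -D` commands needed to flush them.

Added example for this thread, not code from conntrack-tools. The sample
`conntrack -L` lines below are constructed; the layout (original tuple, then
reply tuple, as key=value tokens) is assumed from the tool's text output.
"""
import re
import shlex

KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample: two long-lived flows NATed behind ppp0's old address
# (203.0.113.5), one correctly NATed behind ppp4 (198.51.100.9), and one
# unreplied LAN flow that was never NATed at all.
SAMPLE_CONNTRACK_L = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=192.0.2.20 sport=45678 dport=1194 src=192.0.2.20 dst=203.0.113.5 sport=1194 dport=45678 [ASSURED] mark=0 use=1
udp      17 179 src=192.168.1.11 dst=192.0.2.21 sport=4569 dport=4569 src=192.0.2.21 dst=203.0.113.5 sport=4569 dport=4569 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=192.0.2.22 sport=50000 dport=443 src=192.0.2.22 dst=198.51.100.9 sport=443 dport=50000 [ASSURED] mark=0 use=1
tcp      6 30 SYN_SENT src=192.168.1.13 dst=192.168.1.1 sport=33000 dport=22 [UNREPLIED] src=192.168.1.1 dst=192.168.1.13 sport=22 dport=33000 mark=0 use=1
"""


def parse_entry(line):
    """Split one conntrack -L line into protocol, original tuple, reply tuple.

    The first src/dst/sport/dport group is the original direction; the second
    is the reply direction, whose dst is the address the flow is NATed to.
    Flags such as [ASSURED] or [UNREPLIED] carry no '=' and are skipped.
    """
    fields = line.split()
    if len(fields) < 3:
        return None
    proto = fields[0]
    orig, reply = {}, {}
    for key, value in KV.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            target = orig if key not in orig else reply
            target[key] = value
    if "src" not in reply or "dst" not in reply:
        return None
    return {"proto": proto, "orig": orig, "reply": reply}


def stale_masq_entries(listing, stale_ip):
    """Entries still being rewritten to stale_ip.

    A MASQUERADEd flow has reply.dst == NAT address != orig.src. Flows the
    router itself opened from that address have orig.src == stale_ip and are
    not NATed, so deleting them would achieve nothing; they are excluded.
    """
    found = []
    for line in listing.splitlines():
        entry = parse_entry(line)
        if (entry and entry["reply"]["dst"] == stale_ip
                and entry["orig"].get("src") != stale_ip):
            found.append(entry)
    return found


def delete_commands(listing, stale_ip):
    """Full-tuple delete commands, one per stale entry.

    Once an entry is gone, the next packet of that flow traverses the nat
    table again and MASQUERADE picks the address of the interface it is now
    routed out of.
    """
    cmds = []
    for e in stale_masq_entries(listing, stale_ip):
        o = e["orig"]
        cmd = ["conntrack", "-D", "-p", e["proto"], "-s", o["src"], "-d", o["dst"]]
        if "sport" in o and "dport" in o:
            cmd += ["--sport", o["sport"], "--dport", o["dport"]]
        cmds.append(" ".join(shlex.quote(c) for c in cmd))
    return cmds


if __name__ == "__main__":
    for c in delete_commands(SAMPLE_CONNTRACK_L, "203.0.113.5"):
        print(c)
```

Feed it real `conntrack -L` output instead of the sample and pipe the printed commands to a shell once they look right. One caveat: the remote peer then sees the flow arrive from a new address, so long-lived sessions like the OpenVPN and IAX2 trunks will usually have to re-establish rather than survive the change. Henrik's ordering advice, enabling forwarding only after the routing policy is final, avoids creating the stale entries in the first place.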
* Re: [RFC] masquerading/conntrack
From: NICOLAS BOULIANE @ 2008-05-21 13:23 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Netfilter Developer Mailing List
Hi,
thank you for your comments.
---
Pablo:
cc1: warnings being treated as errors
read_config_lex.l: In function 'yylex':
read_config_lex.l:113: warning: incompatible implicit declaration of
built-in function 'strdup'
read_config_lex.l:114: warning: incompatible implicit declaration of
built-in function 'strdup'
read_config_lex.l:115: warning: incompatible implicit declaration of
built-in function 'strdup'
read_config_lex.l:126: warning: incompatible implicit declaration of
built-in function 'strdup'
read_config_lex.c:3845: warning: label 'find_rule' defined but not used
make[1]: *** [read_config_lex.o] Error 1
I get this while compiling the latest git snapshot;
probably string.h is missing?
Thank you
On Wed, May 21, 2008 at 5:53 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> NICOLAS BOULIANE wrote:
>> Since ppp0 always comes up first, these connections begin to flow
>> via ppp0 and with the MASQ IP of ppp0...
>>
>> Later, when the mangle rules kick in, these connections are being
>> routed via ppp4 (which is what I want)...
>> So far no problem..
>>
>>
>> The only problem is that these packets now exit via ppp4 but they
>> continue to keep the source IP of ppp0
>>
>>
>> Ok, I tried to use the userspace conntrack-tool to search and remove
>> these entries, but this tool doesn't allow me to do something like this
>>
>> $> conntrack -L conntrack -d IP
>
> Check Git, next version (0.9.7) allows it.
>
> --
> "The honest are social misfits" -- Les Luthiers
>
* Re: [RFC] masquerading/conntrack
From: Pablo Neira Ayuso @ 2008-05-21 14:04 UTC (permalink / raw)
To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List
NICOLAS BOULIANE wrote:
> Hi,
>
> thank you for your comments.
> ---
>
> Pablo:
>
> cc1: warnings being treated as errors
> read_config_lex.l: In function 'yylex':
> read_config_lex.l:113: warning: incompatible implicit declaration of
> built-in function 'strdup'
> read_config_lex.l:114: warning: incompatible implicit declaration of
> built-in function 'strdup'
> read_config_lex.l:115: warning: incompatible implicit declaration of
> built-in function 'strdup'
> read_config_lex.l:126: warning: incompatible implicit declaration of
> built-in function 'strdup'
> read_config_lex.c:3845: warning: label 'find_rule' defined but not used
> make[1]: *** [read_config_lex.o] Error 1
>
> I get this while compiling the latest git snapshot;
> probably string.h is missing?
Does the patch attached fix it?
--
"The honest are social misfits" -- Les Luthiers
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index eb3368a..7daaeab 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -19,6 +19,8 @@
* Description: configuration file syntax
*/
+#include <string.h>
+
#include "read_config_yy.h"
%}
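Review bot: the added `#include <string.h>` only addresses the four `implicit declaration of built-in function 'strdup'` warnings; the `label 'find_rule' defined but not used` warning in the same report lives in the flex-generated read_config_lex.c, not in this .l file, so the build on that system will still stop under -Werror. One caveat on the include itself: strdup is POSIX, not ISO C, so if CFLAGS ever set a strict `-std=c99` or `-ansi` without `_GNU_SOURCE` or `_XOPEN_SOURCE`, string.h will not declare it and the warning comes back.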
* Re: [RFC] masquerading/conntrack
From: NICOLAS BOULIANE @ 2008-05-21 14:25 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Netfilter Developer Mailing List
Pablo,
It fixed the strdup(). But now:
cc1: warnings being treated as errors
read_config_lex.c: In function 'yylex':
read_config_lex.c:3846: warning: label 'find_rule' defined but not used
make[1]: *** [read_config_lex.o] Error 1
If I strip this label (find_rule), then I get:
read_config_lex.c:3593: warning: 'yy_full_match' defined but not used
make[1]: *** [read_config_lex.o] Error 1
make[1]: Leaving directory `/usr/local/src/conntrack-tools/src'
make: *** [all-recursive] Error 1
If I remove this function (yy_full_match), then I get:
cc1: warnings being treated as errors
read_config_lex.c: In function 'yylex':
read_config_lex.c:3782: warning: 'yy_act' may be used uninitialized in
this function
make[1]: *** [read_config_lex.o] Error 1
If I initialize this var (register int yy_act = 0;), then I get:
everything compiles now.
I'm using a version I compiled without the -Werror flag; it was cleaner.
Nick
On Wed, May 21, 2008 at 10:04 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> NICOLAS BOULIANE wrote:
>> Hi,
>>
>> thank you for your comments.
>> ---
>>
>> Pablo:
>>
>> cc1: warnings being treated as errors
>> read_config_lex.l: In function 'yylex':
>> read_config_lex.l:113: warning: incompatible implicit declaration of
>> built-in function 'strdup'
>> read_config_lex.l:114: warning: incompatible implicit declaration of
>> built-in function 'strdup'
>> read_config_lex.l:115: warning: incompatible implicit declaration of
>> built-in function 'strdup'
>> read_config_lex.l:126: warning: incompatible implicit declaration of
>> built-in function 'strdup'
>> read_config_lex.c:3845: warning: label 'find_rule' defined but not used
>> make[1]: *** [read_config_lex.o] Error 1
>>
>> I get this while compiling the latest git snapshot;
>> probably string.h is missing?
>
> Does the patch attached fix it?
>
> --
> "The honest are social misfits" -- Les Luthiers
>
> diff --git a/src/read_config_lex.l b/src/read_config_lex.l
> index eb3368a..7daaeab 100644
> --- a/src/read_config_lex.l
> +++ b/src/read_config_lex.l
> @@ -19,6 +19,8 @@
> * Description: configuration file syntax
> */
>
> +#include <string.h>
> +
> #include "read_config_yy.h"
> %}
>
>
>
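Review bot: this hunk touches only the .l source, and the three warnings that remain after it (find_rule at read_config_lex.c:3846, yy_full_match at :3593, yy_act at :3782) all sit inside the flex-generated scanner, so hand-editing read_config_lex.c as described above is not a durable fix; the next flex run regenerates the file and the warnings return. The durable options are to require a flex that does not emit that dead code, or to build the generated scanner without -Werror and keep -Werror for the hand-written sources.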
* Re: [RFC] masquerading/conntrack
From: Pablo Neira Ayuso @ 2008-05-21 15:10 UTC (permalink / raw)
To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List
NICOLAS BOULIANE wrote:
> Pablo,
>
> It fixed the strdup(). But now:
>
> cc1: warnings being treated as errors
> read_config_lex.c: In function 'yylex':
> read_config_lex.c:3846: warning: label 'find_rule' defined but not used
> make[1]: *** [read_config_lex.o] Error 1
>
>
> If I strip this label (find_rule), then I get:
>
> read_config_lex.c:3593: warning: 'yy_full_match' defined but not used
> make[1]: *** [read_config_lex.o] Error 1
> make[1]: Leaving directory `/usr/local/src/conntrack-tools/src'
> make: *** [all-recursive] Error 1
>
>
> If I remove this function (yy_full_match), then I get:
>
> cc1: warnings being treated as errors
> read_config_lex.c: In function 'yylex':
> read_config_lex.c:3782: warning: 'yy_act' may be used uninitialized in
> this function
> make[1]: *** [read_config_lex.o] Error 1
>
> If I initialize this var (register int yy_act = 0;), then I get:
>
> everything compiles now.
This report is really strange, your flex implementation is generating
useless code. What version are you using? Here I'm using flex 2.5.33.
> I'm using a version I compiled without the -Werror flag; it was cleaner.
The -Werror is there to catch this sort of problem and force users to
report it ;). I plan to keep it there until conntrack-tools hits 1.0
at least.
Probably we have to check for a specific version of flex.
--
"The honest are social misfits" -- Les Luthiers
* Re: [RFC] masquerading/conntrack
From: NICOLAS BOULIANE @ 2008-05-21 16:13 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Netfilter Developer Mailing List
Pablo,
On Wed, May 21, 2008 at 11:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> NICOLAS BOULIANE wrote:
>> Pablo,
>>
>> It fixed the strdup(). But now:
>>
>> cc1: warnings being treated as errors
>> read_config_lex.c: In function 'yylex':
>> read_config_lex.c:3846: warning: label 'find_rule' defined but not used
>> make[1]: *** [read_config_lex.o] Error 1
>>
>>
>> If I strip this label (find_rule), then I get:
>>
>> read_config_lex.c:3593: warning: 'yy_full_match' defined but not used
>> make[1]: *** [read_config_lex.o] Error 1
>> make[1]: Leaving directory `/usr/local/src/conntrack-tools/src'
>> make: *** [all-recursive] Error 1
>>
>>
>> If I remove this function (yy_full_match), then I get:
>>
>> cc1: warnings being treated as errors
>> read_config_lex.c: In function 'yylex':
>> read_config_lex.c:3782: warning: 'yy_act' may be used uninitialized in
>> this function
>> make[1]: *** [read_config_lex.o] Error 1
>>
>> If I initialize this var (register int yy_act = 0;), then I get:
>>
>> everything compiles now.
>
> This report is really strange, your flex implementation is generating
> useless code. What version are you using? Here I'm using flex 2.5.33.
>
[nib@bwm ~]$ flex --version
flex version 2.5.4
[nib@bwm ~]$
[nib@bwm ~]$ yum info flex
Loading "installonlyn" plugin
Setting up repositories
Reading repository metadata in from local files
Installed Packages
Name : flex
Arch : i386
Version: 2.5.4a
Release: 41.fc6
Size : 239 k
Repo : installed
...
CentOS is running on this machine.
>> I'm using a version I compiled without the -Werror flag; it was cleaner.
>
> The -Werror is there to catch this sort of problem and force users to
> report it ;). I plan to keep it there until conntrack-tools hits 1.0
> at least.
It's a good idea :)
>
> Probably we have to check for a specific version of flex.
>
> --
> "The honest are social misfits" -- Les Luthiers
>
Nick
* Re: [RFC] masquerading/conntrack
From: Pablo Neira Ayuso @ 2008-05-22 13:00 UTC (permalink / raw)
To: NICOLAS BOULIANE; +Cc: Netfilter Developer Mailing List
NICOLAS BOULIANE wrote:
>> This report is really strange, your flex implementation is generating
>> useless code. What version are you using? Here I'm using flex 2.5.33.
>>
>
> [nib@bwm ~]$ flex --version
> flex version 2.5.4
> [nib@bwm ~]$
>
> [nib@bwm ~]$ yum info flex
> Loading "installonlyn" plugin
> Setting up repositories
> Reading repository metadata in from local files
> Installed Packages
> Name : flex
> Arch : i386
> Version: 2.5.4a
> Release: 41.fc6
> Size : 239 k
> Repo : installed
> ...
>
> CentOS is running on this machine.
CentOS seems to be using a caveman flex version! From 1997, 11 years ago!
I have committed the following patch to warn people about using an old flex
version.
--
"The honest are social misfits" -- Les Luthiers
diff --git a/configure.in b/configure.in
index f3b8785..0a6b8fe 100644
--- a/configure.in
+++ b/configure.in
@@ -49,6 +49,21 @@ then
exit 1
fi
+AC_MSG_CHECKING(flex version)
+flex_version=`$LEX --version | sed 's/version//g' | awk '/flex/ {print $2}'`
+flex_major=`echo $flex_version| cut -d . -f 1`
+flex_minor=`echo $flex_version| cut -d . -f 2`
+flex_rev=`echo $flex_version| cut -d . -f 3`
+
+if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test "$flex_rev" -ge "33"; then
+ AC_MSG_RESULT([$flex_version. OK])
+else
+ AC_MSG_WARN([flex version $flex_version found.
+ Version 2.5.33 or greater is required. You may experience problems
+ while compilating the conntrack-tools. Please, consider to upgrade
+ flex.])
+fi
+
AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])])
# Checks for libraries.
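Review bot: the version test `if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test "$flex_rev" -ge "33"` only accepts 2.5.x with x >= 33, so any later series (2.6.0, 3.0) is reported as too old; compare major, then minor, then revision, accepting anything greater at an earlier position, for example `test "$flex_major" -gt 2 || { test "$flex_major" -eq 2 && { test "$flex_minor" -gt 5 || { test "$flex_minor" -eq 5 && test "$flex_rev" -ge 33; }; }; }`. Two smaller points: when $LEX is not flex, or prints a version line the `awk '/flex/ {print $2}'` filter does not match, all three variables are empty and `test "" -eq "2"` fails with "integer expression expected" instead of reaching the warning, so guard with `test -n "$flex_version"` first; and since the condition being caught is a hard -Werror build failure, AC_MSG_WARN scrolls past in configure output where AC_MSG_ERROR would stop at the point the user can act on it. The 2.5.4a build in the report prints `flex version 2.5.4`, which the sed/awk pipeline handles, but a packaging that prints the `a` suffix would leave a non-numeric $flex_rev and the same `test` error. Typo in the message text: "compilating".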