Kernel 6.0.0 bug pptp not work

Kernel 6.0.0 bug pptp not work

[Martin Zaharinov]

Hi Team

I make test image with kernel 6.0.0 and schem is :

internet <> router NAT <> windows client pptp

with l2tp all is fine and connections is establesh.

But when try to make pptp connection  stay on finish phase and not connect .

try to remove module : nf_conntrack_pptp and same not work.


how to debug and find why not work ?


Best regards,
Martin

Re: Kernel 6.0.0 bug pptp not work

[Martin Zaharinov]

Small update 
with kernel 5.19.14 all is fine connect pptp for less that 2 sec

after switch to kernel 6.0.0 one time need more that 1 min to establish pptp connection other time not work .

m

> On 6 Oct 2022, at 2:34, Martin Zaharinov <micron10@gmail.com> wrote:
> 
> Hi Team
> 
> I make test image with kernel 6.0.0 and schem is :
> 
> internet <> router NAT <> windows client pptp
> 
> with l2tp all is fine and connections is establesh.
> 
> But when try to make pptp connection  stay on finish phase and not connect .
> 
> try to remove module : nf_conntrack_pptp and same not work.
> 
> 
> how to debug and find why not work ?
> 
> 
> Best regards,
> Martin

Re: Kernel 6.0.0 bug pptp not work

[Pablo Neira Ayuso]

On Thu, Oct 06, 2022 at 02:34:48AM +0300, Martin Zaharinov wrote:
> Hi Team
> 
> I make test image with kernel 6.0.0 and schem is :
> 
> internet <> router NAT <> windows client pptp
> 
> with l2tp all is fine and connections is establesh.
> 
> But when try to make pptp connection  stay on finish phase and not connect .
> 
> try to remove module : nf_conntrack_pptp and same not work.
> 
> 
> how to debug and find why not work ?

Can you see events via:

conntrack -E expect

?

With debugfs, you can also enable a few pr_debug() in
nf_conntrack_pptp.c, maybe they provide a hint.

Can you see the GRE flow?

I assume this is without the flowtable?

Re: Kernel 6.0.0 bug pptp not work

[Florian Westphal]

Martin Zaharinov <micron10@gmail.com> wrote:
> Hi Team
> 
> I make test image with kernel 6.0.0 and schem is :
> 
> internet <> router NAT <> windows client pptp
> 
> with l2tp all is fine and connections is establesh.
> 
> But when try to make pptp connection  stay on finish phase and not connect .
> 
> try to remove module : nf_conntrack_pptp and same not work.

Did you rely on
sysctl net.netfilter.nf_conntrack_helper=1, or are you assigning the
helper via ruleset?

Re: Kernel 6.0.0 bug pptp not work

[Martin Zaharinov]

Huh
Very strange in kernel 6.0.0 i not found : net.netfilter.nf_conntrack_helper


in old kernel 5.19.14 in sysctl -a | grep net.netfilter.nf_conntrack_helper 

net.netfilter.nf_conntrack_helper = 1


m.

> On 6 Oct 2022, at 14:18, Florian Westphal <fw@strlen.de> wrote:
> 
> Martin Zaharinov <micron10@gmail.com> wrote:
>> Hi Team
>> 
>> I make test image with kernel 6.0.0 and schem is :
>> 
>> internet <> router NAT <> windows client pptp
>> 
>> with l2tp all is fine and connections is establesh.
>> 
>> But when try to make pptp connection  stay on finish phase and not connect .
>> 
>> try to remove module : nf_conntrack_pptp and same not work.
> 
> Did you rely on
> sysctl net.netfilter.nf_conntrack_helper=1, or are you assigning the
> helper via ruleset?

Re: Kernel 6.0.0 bug pptp not work

[Martin Zaharinov]

Hm.. in kernel 6.0-rc7 

Pablo Neira Ayuso (2):
      netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()
      netfilter: conntrack: remove nf_conntrack_helper documentation


https://lwn.net/Articles/909391/




@Pablo Abeni

Same with flowtable and without very slow connect vpn.

now i back to old kernel 5.19.14 to make test and yes all is fine click on connect button and connection established for less that 5 sec



m.

> On 6 Oct 2022, at 15:46, Martin Zaharinov <micron10@gmail.com> wrote:
> 
> Huh
> Very strange in kernel 6.0.0 i not found : net.netfilter.nf_conntrack_helper
> 
> 
> in old kernel 5.19.14 in sysctl -a | grep net.netfilter.nf_conntrack_helper 
> 
> net.netfilter.nf_conntrack_helper = 1
> 
> 
> m.
> 
>> On 6 Oct 2022, at 14:18, Florian Westphal <fw@strlen.de> wrote:
>> 
>> Martin Zaharinov <micron10@gmail.com> wrote:
>>> Hi Team
>>> 
>>> I make test image with kernel 6.0.0 and schem is :
>>> 
>>> internet <> router NAT <> windows client pptp
>>> 
>>> with l2tp all is fine and connections is establesh.
>>> 
>>> But when try to make pptp connection  stay on finish phase and not connect .
>>> 
>>> try to remove module : nf_conntrack_pptp and same not work.
>> 
>> Did you rely on
>> sysctl net.netfilter.nf_conntrack_helper=1, or are you assigning the
>> helper via ruleset?
> 

Re: Kernel 6.0.0 bug pptp not work

[Pablo Neira Ayuso]

On Thu, Oct 06, 2022 at 03:46:37PM +0300, Martin Zaharinov wrote:
> Huh
> Very strange in kernel 6.0.0 i not found : net.netfilter.nf_conntrack_helper
> 
> 
> in old kernel 5.19.14 in sysctl -a | grep net.netfilter.nf_conntrack_helper 
> 
> net.netfilter.nf_conntrack_helper = 1

Yes, default conntrack helper attachment was disabled 10 years ago,
and this option was disabled 6 years ago by default.

See: https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst

Re: Kernel 6.0.0 bug pptp not work

[Pablo Neira Ayuso]

On Thu, Oct 06, 2022 at 03:57:23PM +0300, Martin Zaharinov wrote:
> Hm.. in kernel 6.0-rc7 
> 
> Pablo Neira Ayuso (2):
>       netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()
>       netfilter: conntrack: remove nf_conntrack_helper documentation

No, it was earlier in the 6.0-rc process.

Re: Kernel 6.0.0 bug pptp not work

[Martin Zaharinov]

Pablo : 

conntrack -E expect
conntrack v1.4.6 (conntrack-tools): 0 expectation events have been shown.


m

> On 6 Oct 2022, at 16:04, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> 
> On Thu, Oct 06, 2022 at 03:57:23PM +0300, Martin Zaharinov wrote:
>> Hm.. in kernel 6.0-rc7 
>> 
>> Pablo Neira Ayuso (2):
>>      netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()
>>      netfilter: conntrack: remove nf_conntrack_helper documentation
> 
> No, it was earlier in the 6.0-rc process.

Re: Kernel 6.0.0 bug pptp not work

[Florian Westphal]

Martin Zaharinov <micron10@gmail.com> wrote:
> Huh
> Very strange in kernel 6.0.0 i not found : net.netfilter.nf_conntrack_helper
> 
> 
> in old kernel 5.19.14 in sysctl -a | grep net.netfilter.nf_conntrack_helper 
> 
> net.netfilter.nf_conntrack_helper = 1

Yes, so this is expected -- 6.0.0 should behave like 5.19.14 with
net.netfilter.nf_conntrack_helper=0.

You need something like:

table inet foo {
        ct helper pptp {
                type "pptp" protocol tcp
                l3proto ip
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                tcp dport 1723 ct helper set "pptp"
        }
}

... so that the helper will start processing traffic on the pptp control port.
You might want to refine the rule a big, e.g.
'iifname ppp*' or similar, to restrict/limit the helper to those clients that need
it.

Re: Kernel 6.0.0 bug pptp not work

[Martin Zaharinov]

Hi Florian

Yes after add this rull with small modifycation work perfect.


Thanks for this !


Martin

> On 6 Oct 2022, at 16:43, Florian Westphal <fw@strlen.de> wrote:
> 
> Martin Zaharinov <micron10@gmail.com> wrote:
>> Huh
>> Very strange in kernel 6.0.0 i not found : net.netfilter.nf_conntrack_helper
>> 
>> 
>> in old kernel 5.19.14 in sysctl -a | grep net.netfilter.nf_conntrack_helper 
>> 
>> net.netfilter.nf_conntrack_helper = 1
> 
> Yes, so this is expected -- 6.0.0 should behave like 5.19.14 with
> net.netfilter.nf_conntrack_helper=0.
> 
> You need something like:
> 
> table inet foo {
>        ct helper pptp {
>                type "pptp" protocol tcp
>                l3proto ip
>        }
> 
>        chain prerouting {
>                type filter hook prerouting priority filter; policy accept;
>                tcp dport 1723 ct helper set "pptp"
>        }
> }
> 
> ... so that the helper will start processing traffic on the pptp control port.
> You might want to refine the rule a big, e.g.
> 'iifname ppp*' or similar, to restrict/limit the helper to those clients that need
> it.