disabling connection tracking

disabling connection tracking

[Kurt Tragant]

[-- Attachment #1: Type: text/plain, Size: 659 bytes --]

Hi list,

I did some tests with connection tracking and decided finally to switch off
conntrack. So I deselected connection tracking in the kernel. But if I start the
computer there is still a:

ip_conntrack version 2.1 (2047 buckets, 16376 max) - 152 bytes per conntrack

And if I do a

cat /proc/net/ip_conntrack

I see the tracked connections. I even did a make mrproper in the Kernelsource
and recompiled the kernel again - still the same.

How can I disable connection tracking? Thanks for an answer,

Regards
Kurt Tragant

_________________________________________________________________
www.ebay.de Hier Finden Sie Auktionen und Festpreisangebote!

Re: disabling connection tracking

[Philip Craig]

Kurt Tragant wrote:
> I did some tests with connection tracking and decided finally to switch off
> conntrack. So I deselected connection tracking in the kernel. But if I start the
> computer there is still a:
> 
> ip_conntrack version 2.1 (2047 buckets, 16376 max) - 152 bytes per conntrack

You probably have an ip_conntrack module that it is loading still.
Do a lsmod to see.  You'll need to delete it (or you might be able
to add something to /etc/modules.conf).  Look under
/lib/modules/$(KERNELRELEASE)/kernel/net/ipv4/netfilter/

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances

Re: disabling connection tracking

[k.tragant]

Hi Philip!

> You probably have an ip_conntrack module that it is loading still.
> Do a lsmod to see.  You'll need to delete it (or you might be able
> to add something to /etc/modules.conf).  Look under
> /lib/modules/$(KERNELRELEASE)/kernel/net/ipv4/netfilter/

Thank you for an answer. Unfortunately, this is not correct, because I've 
build a monolithic kernel without module support. These are the netfilter 
compononet, I switched on in the kernel:

# CONFIG_MODULES is not set

#   IP: Netfilter Configuration
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y

Maybe there are other ideas?

Regards
Kurt Tragant

Re: disabling connection tracking

[Philip Craig]

k.tragant@firemail.de wrote:
> # CONFIG_MODULES is not set
> 
> #   IP: Netfilter Configuration
> CONFIG_IP_NF_IPTABLES=y
> CONFIG_IP_NF_MATCH_MULTIPORT=y
> CONFIG_IP_NF_FILTER=y
> CONFIG_IP_NF_TARGET_REJECT=y
> CONFIG_IP_NF_TARGET_LOG=y

I built a kernel with this config, and it didn't have ip_conntrack.

> Maybe there are other ideas?

Just a couple of things to track down exactly where the problem is:

grep tells me that net/ipv4/netfilter/ip_conntrack_core.c is the only
place in the kernel that "ip_conntrack version" appears, so check if
net/ipv4/netfilter/ip_conntrack_core.o exists.  If it does, then double
check your config, or look in net/ipv4/netfilter/Makefile to work out
what is causing it to be compiled.

If it doesn't exist, then cat /proc/version to ensure you are running
the new kernel.

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances

Re: disabling connection tracking

[k.tragant]

Hi,

thanks again for the help. I've compiled the kernel from the new source and 
now it works. Don't know, what I have done wrong.

Regards
Kurt Tragant