conntrack can't delete more conntrack records

conntrack can't delete more conntrack records

[Petr Pisar]

Hello,

I'm trying to remove all conntrack records for one source IP address. If
I specify only source IP address it will fail:

$ conntrack -D -s 10.0.0.179
Operation failed: such conntrack doesn't exist

However removing only one specific record using full trasport
source/destinaton address works:

$ conntrack -D -s 10.0.0.179 -d X.23.55.166 -p tcp --sport 4369 --dport 6881

I'm using latest conntrack-tools and dependend libraries
(conntrack-tools-0.9.6.tar.bz2.sig
libnetfilter_conntrack-0.0.89.tar.bz2.sig
libnfnetlink-0.0.33.tar.bz2.sig).

The only problem I met during compilation of conntrack-tools was about
shaddowing of global declaration which I've worked around by removing -Werror
compilar option:

make[1]: Entering directory `/tmp/conntrack-tools-0.9.6/src'
gcc -DPACKAGE_NAME=\"conntrack-tools\" -DPACKAGE_TARNAME=\"conntrack-tools\" -DPACKAGE_VERSION=\"0.9.6\" -DPACKAGE_STRING=\"conntrack-tools\ 0.9.6\" -DPACKAGE_BUGREPORT=\"pablo@netfilter.org\" -DPACKAGE=\"conntrack-tools\" -DVERSION=\"0.9.6\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DYYTEXT_POINTER=1 -DHAVE_LINUX_CAPABILITY_H=1 -DHAVE_LIBNFNETLINK=1 -DHAVE_LIBNETFILTER_CONNTRACK=1 -DHAVE_ARPA_INET_H=1 -DHAVE_INET_PTON=1 -DHAVE_INET_PTON_IPV6=1 -I.  -I../include   -std=gnu99 -W -Wall -Werror -Wmissing-prototypes -Wwrite-strings -Wcast-qual -Wfloat-equal -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-retur
 n -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wstrict-prototypes -Wundef -Wno-unused-parameter -g -O2  -I/usr/local/include   -MT conntrack.o -MD -MP -MF .deps/conntrack.Tpo -c -o conntrack.o conntrack.c
cc1: changing search order for system directory "/usr/local/include"
cc1:   as it has already been specified as a non-system directory
cc1: warnings being treated as errors
In file included from /usr/local/include/libnetfilter_conntrack/libnetfilter_conntrack.h:13,
                 from ../include/conntrack.h:6,
                 from conntrack.c:37:
/usr/local/include/libnfnetlink/libnfnetlink.h:198: warning: declaration of `index' shadows a global declaration
<built-in>:0: warning: shadowed declaration is here
make[1]: *** [conntrack.o] Error 1

(I've met this problem twice.)

So, my question is: Can conntrack remove subset of conntrack table? Is it a bug
or a feature?

-- Petr

Re: conntrack can't delete more conntrack records

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 2880 bytes --]

Petr Pisar wrote:
> Hello,
> 
> I'm trying to remove all conntrack records for one source IP address. If
> I specify only source IP address it will fail:
> 
> $ conntrack -D -s 10.0.0.179
> Operation failed: such conntrack doesn't exist

This is not supported yet but it will in the next release 0.9.7.

> However removing only one specific record using full trasport
> source/destinaton address works:
> 
> $ conntrack -D -s 10.0.0.179 -d X.23.55.166 -p tcp --sport 4369 --dport 6881
> 
> I'm using latest conntrack-tools and dependend libraries
> (conntrack-tools-0.9.6.tar.bz2.sig
> libnetfilter_conntrack-0.0.89.tar.bz2.sig
> libnfnetlink-0.0.33.tar.bz2.sig).
> 
> The only problem I met during compilation of conntrack-tools was about
> shaddowing of global declaration which I've worked around by removing -Werror
> compilar option:
> 
> make[1]: Entering directory `/tmp/conntrack-tools-0.9.6/src'
> gcc -DPACKAGE_NAME=\"conntrack-tools\" -DPACKAGE_TARNAME=\"conntrack-tools\" -DPACKAGE_VERSION=\"0.9.6\" -DPACKAGE_STRING=\"conntrack-tools\ 0.9.6\" -DPACKAGE_BUGREPORT=\"pablo@netfilter.org\" -DPACKAGE=\"conntrack-tools\" -DVERSION=\"0.9.6\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DYYTEXT_POINTER=1 -DHAVE_LINUX_CAPABILITY_H=1 -DHAVE_LIBNFNETLINK=1 -DHAVE_LIBNETFILTER_CONNTRACK=1 -DHAVE_ARPA_INET_H=1 -DHAVE_INET_PTON=1 -DHAVE_INET_PTON_IPV6=1 -I.  -I../include   -std=gnu99 -W -Wall -Werror -Wmissing-prototypes -Wwrite-strings -Wcast-qual -Wfloat-equal -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-ret
 urn -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wstrict-prototypes -Wundef -Wno-unused-parameter -g -O2  -I/usr/local/include   -MT conntrack.o -MD -MP -MF .deps/conn
track.Tpo -c -o conntrack.o conntrack.c
> cc1: changing search order for system directory "/usr/local/include"
> cc1:   as it has already been specified as a non-system directory
> cc1: warnings being treated as errors
> In file included from /usr/local/include/libnetfilter_conntrack/libnetfilter_conntrack.h:13,
>                  from ../include/conntrack.h:6,
>                  from conntrack.c:37:
> /usr/local/include/libnfnetlink/libnfnetlink.h:198: warning: declaration of `index' shadows a global declaration
> <built-in>:0: warning: shadowed declaration is here
> make[1]: *** [conntrack.o] Error 1
> 
> (I've met this problem twice.)

Weird. It must be a global declaration of "index" somewhere in the
system, does the patch attached fix your problem?

> So, my question is: Can conntrack remove subset of conntrack table? Is it a bug
> or a feature?

It will be a feature anytime soon due to popular demand.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 555 bytes --]

Index: include/libnfnetlink/libnfnetlink.h
===================================================================
--- include/libnfnetlink/libnfnetlink.h	(revisi���n: 7400)
+++ include/libnfnetlink/libnfnetlink.h	(copia de trabajo)
@@ -195,7 +195,7 @@
 int nlif_query(struct nlif_handle *nlif_handle);
 int nlif_catch(struct nlif_handle *nlif_handle);
 int nlif_index2name(struct nlif_handle *nlif_handle, 
-		    unsigned int index, 
+		    unsigned int if_index, 
 		    char *name);
 
 /* Pablo: What is the equivalence of be64_to_cpu in userspace?

Re: conntrack can't delete more conntrack records

[Petr Pisar]

On 2008-03-11, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Petr Pisar wrote:
>> Hello,
>> 
>> I'm trying to remove all conntrack records for one source IP address. If
>> I specify only source IP address it will fail:
>> 
>> $ conntrack -D -s 10.0.0.179
>> Operation failed: such conntrack doesn't exist
>
> This is not supported yet but it will in the next release 0.9.7.

Great to hear it.

If somebody would interest in ugly work around, following bash script
does the hard work:

conntrack -L -s "$SRC" | \
        sed  's/\([^ ]*\).*src=\([^ ]*\) dst=\([^ ]*\) sport=\([^ ]*\) dport=\([^ ]*\) src=.*/conntrack -D -s \2 -d \3 -p \1 --sport \4 --dport \5/'| \
        while read; do eval "$REPLY"; done


-- Petr

Re: conntrack can't delete more conntrack records

[Petr Pisar]

On 2008-03-11, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Petr Pisar wrote:
>> 
>> cc1: warnings being treated as errors
>> In file included from /usr/local/include/libnetfilter_conntrack/libnetfilter_conntrack.h:13,
>>                  from ../include/conntrack.h:6,
>>                  from conntrack.c:37:
>> /usr/local/include/libnfnetlink/libnfnetlink.h:198: warning: declaration of `index' shadows a global declaration
>> <built-in>:0: warning: shadowed declaration is here
>> make[1]: *** [conntrack.o] Error 1
>> 
>> (I've met this problem twice.)
>
> Weird. It must be a global declaration of "index" somewhere in the
> system,

yes, it's index(3).

> does the patch attached fix your problem?

Partially. Other problem is:

make[1]: Entering directory `/tmp/conntrack-tools-0.9.6/src'
gcc -DPACKAGE_NAME=\"conntrack-tools\" -DPACKAGE_TARNAME=\"conntrack-tools\" -DPACKAGE_VERSION=\"0.9.6\" -DPACKAGE_STRING=\"conntrack-tools\ 0.9.6\" -DPACKAGE_BUGREPORT=\"pablo@netfilter.org\" -DPACKAGE=\"conntrack-tools\" -DVERSION=\"0.9.6\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DYYTEXT_POINTER=1 -DHAVE_LINUX_CAPABILITY_H=1 -DHAVE_LIBNFNETLINK=1 -DHAVE_LIBNETFILTER_CONNTRACK=1 -DHAVE_ARPA_INET_H=1 -DHAVE_INET_PTON=1 -DHAVE_INET_PTON_IPV6=1 -I.  -I../include   -std=gnu99 -W -Wall -Werror -Wmissing-prototypes -Wwrite-strings -Wcast-qual -Wfloat-equal -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-retur
 n -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wstrict-prototypes -Wundef -Wno-unused-parameter -g -O2   -MT sync-mode.o -MD -MP -MF .deps/sync-mode.Tpo -c -o sync-mode.o sync-mode.c
cc1: warnings being treated as errors
In file included from sync-mode.c:27:
../include/network.h:64: warning: declaration of `conf' shadows a global declaration
../include/conntrackd.h:144: warning: shadowed declaration is here


Another problem is that my compiler looks under /usr/local/include twice and wanr-errors on it.

Don't bother with it. It's an old machine with gcc-3.2 and these issues are
next reason for upgading the system.

-- Petr

Re: conntrack can't delete more conntrack records

[Pablo Neira Ayuso]

Petr Pisar wrote:
> On 2008-03-11, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> Petr Pisar wrote:
>>> cc1: warnings being treated as errors
>>> In file included from /usr/local/include/libnetfilter_conntrack/libnetfilter_conntrack.h:13,
>>>                  from ../include/conntrack.h:6,
>>>                  from conntrack.c:37:
>>> /usr/local/include/libnfnetlink/libnfnetlink.h:198: warning: declaration of `index' shadows a global declaration
>>> <built-in>:0: warning: shadowed declaration is here
>>> make[1]: *** [conntrack.o] Error 1
>>>
>>> (I've met this problem twice.)
>> Weird. It must be a global declaration of "index" somewhere in the
>> system,
> 
> yes, it's index(3).
> 
>> does the patch attached fix your problem?
> 
> Partially. Other problem is:
> 
> make[1]: Entering directory `/tmp/conntrack-tools-0.9.6/src'
> gcc -DPACKAGE_NAME=\"conntrack-tools\" -DPACKAGE_TARNAME=\"conntrack-tools\" -DPACKAGE_VERSION=\"0.9.6\" -DPACKAGE_STRING=\"conntrack-tools\ 0.9.6\" -DPACKAGE_BUGREPORT=\"pablo@netfilter.org\" -DPACKAGE=\"conntrack-tools\" -DVERSION=\"0.9.6\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DYYTEXT_POINTER=1 -DHAVE_LINUX_CAPABILITY_H=1 -DHAVE_LIBNFNETLINK=1 -DHAVE_LIBNETFILTER_CONNTRACK=1 -DHAVE_ARPA_INET_H=1 -DHAVE_INET_PTON=1 -DHAVE_INET_PTON_IPV6=1 -I.  -I../include   -std=gnu99 -W -Wall -Werror -Wmissing-prototypes -Wwrite-strings -Wcast-qual -Wfloat-equal -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-ret
 urn -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wstrict-prototypes -Wundef -Wno-unused-parameter -g -O2   -MT sync-mode.o -MD -MP -MF .deps/sync-mode.Tpo -c -o sync-m
ode.o sync-mode.c
> cc1: warnings being treated as errors
> In file included from sync-mode.c:27:
> ../include/network.h:64: warning: declaration of `conf' shadows a global declaration
> ../include/conntrackd.h:144: warning: shadowed declaration is here

Already applied a patch for that, please get a working copy from SVN 
which includes these fixes. Let me know if it's OK for you.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: conntrack can't delete more conntrack records

[Cédric Krier]

[-- Attachment #1: Type: text/plain, Size: 2515 bytes --]

On 13/03/08 16:51 +0100, Pablo Neira Ayuso wrote:
> Petr Pisar wrote:
>> On 2008-03-11, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>> Petr Pisar wrote:
>>>> cc1: warnings being treated as errors
>>>> In file included from 
>>>> /usr/local/include/libnetfilter_conntrack/libnetfilter_conntrack.h:13,
>>>>                  from ../include/conntrack.h:6,
>>>>                  from conntrack.c:37:
>>>> /usr/local/include/libnfnetlink/libnfnetlink.h:198: warning: declaration 
>>>> of `index' shadows a global declaration
>>>> <built-in>:0: warning: shadowed declaration is here
>>>> make[1]: *** [conntrack.o] Error 1
>>>>
>>>> (I've met this problem twice.)
>>> Weird. It must be a global declaration of "index" somewhere in the
>>> system,
>> yes, it's index(3).
>>> does the patch attached fix your problem?
>> Partially. Other problem is:
>> make[1]: Entering directory `/tmp/conntrack-tools-0.9.6/src'
>> gcc -DPACKAGE_NAME=\"conntrack-tools\" 
>> -DPACKAGE_TARNAME=\"conntrack-tools\" -DPACKAGE_VERSION=\"0.9.6\" 
>> -DPACKAGE_STRING=\"conntrack-tools\ 0.9.6\" 
>> -DPACKAGE_BUGREPORT=\"pablo@netfilter.org\" -DPACKAGE=\"conntrack-tools\" 
>> -DVERSION=\"0.9.6\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 
>> -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 
>> -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 
>> -DHAVE_DLFCN_H=1 -DYYTEXT_POINTER=1 -DHAVE_LINUX_CAPABILITY_H=1 
>> -DHAVE_LIBNFNETLINK=1 -DHAVE_LIBNETFILTER_CONNTRACK=1 -DHAVE_ARPA_INET_H=1 
>> -DHAVE_INET_PTON=1 -DHAVE_INET_PTON_IPV6=1 -I.  -I../include   -std=gnu99 
>> -W -Wall -Werror -Wmissing-prototypes -Wwrite-strings -Wcast-qual 
>> -Wfloat-equal -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare 
>> -Waggregate-return -Wmissing-declarations -Wredundant-decls 
>> -Wnested-externs -Winline -Wstrict-prototypes -Wundef 
>> -Wno-unused-parameter -g -O2   -MT sync-mode.o -MD -MP -MF 
>> .deps/sync-mode.Tpo -c -o sync-m
> ode.o sync-mode.c
>> cc1: warnings being treated as errors
>> In file included from sync-mode.c:27:
>> ../include/network.h:64: warning: declaration of `conf' shadows a global 
>> declaration
>> ../include/conntrackd.h:144: warning: shadowed declaration is here
>
> Already applied a patch for that, please get a working copy from SVN which 
> includes these fixes. Let me know if it's OK for you.
>

Hi,
I have the same error with the svn version revision 7405 and
with gcc 3.4.6


Cédric Krier

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: conntrack can't delete more conntrack records

[Pablo Neira Ayuso]

Cédric Krier wrote:
> On 13/03/08 16:51 +0100, Pablo Neira Ayuso wrote:
>> Petr Pisar wrote:
>>> On 2008-03-11, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>>> Petr Pisar wrote:
>>>>> cc1: warnings being treated as errors
>>>>> In file included from 
>>>>> /usr/local/include/libnetfilter_conntrack/libnetfilter_conntrack.h:13,
>>>>>                  from ../include/conntrack.h:6,
>>>>>                  from conntrack.c:37:
>>>>> /usr/local/include/libnfnetlink/libnfnetlink.h:198: warning: declaration 
>>>>> of `index' shadows a global declaration
>>>>> <built-in>:0: warning: shadowed declaration is here
>>>>> make[1]: *** [conntrack.o] Error 1
>>>>>
>>>>> (I've met this problem twice.)
>>>> Weird. It must be a global declaration of "index" somewhere in the
>>>> system,
>>> yes, it's index(3).
>>>> does the patch attached fix your problem?
>>> Partially. Other problem is:
>>> make[1]: Entering directory `/tmp/conntrack-tools-0.9.6/src'
>>> gcc -DPACKAGE_NAME=\"conntrack-tools\" 
>>> -DPACKAGE_TARNAME=\"conntrack-tools\" -DPACKAGE_VERSION=\"0.9.6\" 
>>> -DPACKAGE_STRING=\"conntrack-tools\ 0.9.6\" 
>>> -DPACKAGE_BUGREPORT=\"pablo@netfilter.org\" -DPACKAGE=\"conntrack-tools\" 
>>> -DVERSION=\"0.9.6\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 
>>> -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 
>>> -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 
>>> -DHAVE_DLFCN_H=1 -DYYTEXT_POINTER=1 -DHAVE_LINUX_CAPABILITY_H=1 
>>> -DHAVE_LIBNFNETLINK=1 -DHAVE_LIBNETFILTER_CONNTRACK=1 -DHAVE_ARPA_INET_H=1 
>>> -DHAVE_INET_PTON=1 -DHAVE_INET_PTON_IPV6=1 -I.  -I../include   -std=gnu99 
>>> -W -Wall -Werror -Wmissing-prototypes -Wwrite-strings -Wcast-qual 
>>> -Wfloat-equal -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare 
>>> -Waggregate-return -Wmissing-declarations -Wredundant-decls 
>>> -Wnested-externs -Winline -Wstrict-prototypes -Wundef 
>>> -Wno-unused-parameter -g -O2   -MT sync-mode.o -MD -MP -MF 
>>> .deps/sync-mode.Tpo -c -o sync-m
>> ode.o sync-mode.c
>>> cc1: warnings being treated as errors
>>> In file included from sync-mode.c:27:
>>> ../include/network.h:64: warning: declaration of `conf' shadows a global 
>>> declaration
>>> ../include/conntrackd.h:144: warning: shadowed declaration is here
>> Already applied a patch for that, please get a working copy from SVN which 
>> includes these fixes. Let me know if it's OK for you.
>>
> 
> Hi,
> I have the same error with the svn version revision 7405 and
> with gcc 3.4.6

Still the problem remains? Sorry, I have missed your email.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: conntrack can't delete more conntrack records

[Petr Pisar]

On 2008-03-13, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Petr Pisar wrote:
>> cc1: warnings being treated as errors
>> In file included from sync-mode.c:27:
>> ../include/network.h:64: warning: declaration of `conf' shadows a global declaration
>> ../include/conntrackd.h:144: warning: shadowed declaration is here
>
> Already applied a patch for that, please get a working copy from SVN 
> which includes these fixes. Let me know if it's OK for you.
>
No, revision 7407 of conntrack-tools, the same error. Actually, svn log
doesn't mention anything about the patch.

-- Petr