connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Bgs]

  Greetings,

I tried to compile the above setup but the compilation fails. I've seen 
this error with 2.6.23/2.6.24 kernels before but used 2.6.22.X in 
production. Has anything changed in the way to patch it?


   CC      net/ipv4/netfilter/ipt_connlimit.o
In file included from net/ipv4/netfilter/ipt_connlimit.c:23:
include/net/netfilter/nf_conntrack.h:99: error: field 'ct_general' has 
incomplete type
include/net/netfilter/nf_conntrack.h: In function 'nf_ct_get':
include/net/netfilter/nf_conntrack.h:160: error: 'const struct sk_buff' 
has no member named 'nfct'
include/net/netfilter/nf_conntrack.h: In function 'nf_ct_put':
include/net/netfilter/nf_conntrack.h:167: error: implicit declaration of 
function 'nf_conntrack_put'
include/net/netfilter/nf_conntrack.h: In function 'nf_ct_is_untracked':
include/net/netfilter/nf_conntrack.h:249: error: 'const struct sk_buff' 
has no member named 'nfct'
In file included from net/ipv4/netfilter/ipt_connlimit.c:24:
include/net/netfilter/nf_conntrack_core.h: In function 
'nf_conntrack_confirm':
include/net/netfilter/nf_conntrack_core.h:68: error: 'struct sk_buff' 
has no member named 'nfct'
net/ipv4/netfilter/ipt_connlimit.c: In function 'count_them':
net/ipv4/netfilter/ipt_connlimit.c:98: error: too many arguments to 
function 'nf_conntrack_find_get'
net/ipv4/netfilter/ipt_connlimit.c: At top level:
net/ipv4/netfilter/ipt_connlimit.c:312: warning: initialization from 
incompatible pointer type
net/ipv4/netfilter/ipt_connlimit.c:316: warning: initialization from 
incompatible pointer type
make[3]: *** [net/ipv4/netfilter/ipt_connlimit.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2


Bye
Bgs

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Jan Engelhardt]

On Thursday 2008-04-03 14:08, Bgs wrote:

>
> Greetings,
>
> I tried to compile the above setup but the compilation fails. I've seen this 
> error with 2.6.23/2.6.24 kernels before but used 2.6.22.X in production. Has 
> anything changed in the way to patch it?

pom is pretty much an ancient blob of code, being replaced by 
xtables-addons. connlimit has been merged into mainline, btw.

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Pascal Hambourg]

Hello,

Jan Engelhardt a écrit :
> 
> connlimit has been merged into mainline, btw.

Since 2.6.23.

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Bgs]

My problem is that it doesn't seem to work with the merged version:

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m 
connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables: Invalid argument

connlimit is compiled in:
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y


Jan Engelhardt wrote:
> 
> On Thursday 2008-04-03 14:08, Bgs wrote:
> 
>>
>> Greetings,
>>
>> I tried to compile the above setup but the compilation fails. I've 
>> seen this error with 2.6.23/2.6.24 kernels before but used 2.6.22.X in 
>> production. Has anything changed in the way to patch it?
> 
> pom is pretty much an ancient blob of code, being replaced by 
> xtables-addons. connlimit has been merged into mainline, btw.
> 

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Bgs]

I know, that's why I wrote "I've seen this error with 2.6.23/2.6.24 
kernels before" :)

Pascal Hambourg wrote:
> Hello,
> 
> Jan Engelhardt a écrit :
>>
>> connlimit has been merged into mainline, btw.
> 
> Since 2.6.23.
> -- 
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Jan Engelhardt]

On Thursday 2008-04-03 15:39, Bgs wrote:

> My problem is that it doesn't seem to work with the merged version:
>
> iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit 
> --connlimit-above 20 --connlimit-mask 32 -j DROP
> iptables: Invalid argument

Try looking in the kernel log (dmesg) what ip_tables has to say.

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Jan Engelhardt]

(please keep the mailing list in Cc)

On Thursday 2008-04-03 15:47, Bgs wrote:
>
> Sorry for spamming, but forgot this from my previous mail:
>
> ip_tables: connlimit match: invalid size 32 != 16
>
> This is the error I get since 2.6.23 if I try the merged connlimit.
>

Fix your iptables package, it still runs with the old connlimit.

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Bgs]

Just recompiled the latest iptables (1.4.0) from vanilla source:

root@db05:/usr/src/iptables# iptables -A INPUT -p tcp -m tcp --tcp-flags 
FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 
32 -j DROP
iptables: Invalid argument
root@db05:/usr/src/iptables/root# dmesg
cannot load conntrack support for address family 2


Jan Engelhardt wrote:
> 
> (please keep the mailing list in Cc)
> 
> On Thursday 2008-04-03 15:47, Bgs wrote:
>>
>> Sorry for spamming, but forgot this from my previous mail:
>>
>> ip_tables: connlimit match: invalid size 32 != 16
>>
>> This is the error I get since 2.6.23 if I try the merged connlimit.
>>
> 
> Fix your iptables package, it still runs with the old connlimit.
> 

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Jan Engelhardt]

On Thursday 2008-04-03 16:32, Bgs wrote:

> Just recompiled the latest iptables (1.4.0) from vanilla source:
>
> root@db05:/usr/src/iptables# iptables -A INPUT -p tcp -m tcp --tcp-flags 
> FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 32 -j 
> DROP
> iptables: Invalid argument
> root@db05:/usr/src/iptables/root# dmesg
> cannot load conntrack support for address family 2

Fix your kernel, you need connection tracking enabled. :D



-- 
make boldconfig -- to boldly select what no one has selected before

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Bgs]

I have this in the kernel:

CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK=y


Jan Engelhardt wrote:
> 
> On Thursday 2008-04-03 16:32, Bgs wrote:
> 
>> Just recompiled the latest iptables (1.4.0) from vanilla source:
>>
>> root@db05:/usr/src/iptables# iptables -A INPUT -p tcp -m tcp 
>> --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 
>> --connlimit-mask 32 -j DROP
>> iptables: Invalid argument
>> root@db05:/usr/src/iptables/root# dmesg
>> cannot load conntrack support for address family 2
> 
> Fix your kernel, you need connection tracking enabled. :D
> 
> 
> 

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Jan Engelhardt]

On Thursday 2008-04-03 16:40, Bgs wrote:
>
> I have this in the kernel:
>
> CONFIG_NF_CONNTRACK_ENABLED=y
> CONFIG_NF_CONNTRACK=y
>
That is not enough, you need the others too, CONFIG_NF_CONNTRACK_IPV4

Re: connlimit: 2.6.24.4 + p-o-m 20080331 compile problems

[Bgs]

Funny... IPV4 is marked as experimental. And I can compile in 
ftp/irc/etc contrack helpers without enabling ipv4 conntrack. Shouldn't 
this be a dependency? (require ipv4 or ipv6 conntrack)

Also: the connlimit description says: "This match allows you to match 
against the number of parallel connections to a server per client IP 
address (or address block)." 1) It's a conntrack module 2) it states 
that it's an ipvX module -> but it does not depend on having ipvX 
conntrack enabled.

Just recompiled and the rules loaded ok.

Bye
Bgs


Jan Engelhardt wrote:
> 
> On Thursday 2008-04-03 16:40, Bgs wrote:
>>
>> I have this in the kernel:
>>
>> CONFIG_NF_CONNTRACK_ENABLED=y
>> CONFIG_NF_CONNTRACK=y
>>
> That is not enough, you need the others too, CONFIG_NF_CONNTRACK_IPV4
>