libnetfilter_conntrack: Unable to create an entry in the expectation table (invalid argument)

libnetfilter_conntrack: Unable to create an entry in the expectation table (invalid argument)

[Emmanuel B]

Hi,

The example program (expect_create) given in the utils directory of
libnetfilter_conntrack return the error code -1 (Invalid argument).
The master entry was correctly added to the conntrack table, but
nothing appears in expect table.

I have tested it on a RedHat 2.6.18 and Ubuntu 2.6.22 with the same result.
I use the libnetfilter_conntrack version 0.0.89 and libnfnetlink version 0.0.33

Is there anything wrong in the expect_create.c code or something
missing in kernel or libnetfilter_conntrack?

Thanks.

Re: libnetfilter_conntrack: Unable to create an entry in the expectation table (invalid argument)

[Pablo Neira Ayuso]

Emmanuel B wrote:
> Hi,
> 
> The example program (expect_create) given in the utils directory of
> libnetfilter_conntrack return the error code -1 (Invalid argument).
> The master entry was correctly added to the conntrack table, but
> nothing appears in expect table.
> 
> I have tested it on a RedHat 2.6.18 and Ubuntu 2.6.22 with the same result.
> I use the libnetfilter_conntrack version 0.0.89 and libnfnetlink version 0.0.33
> 
> Is there anything wrong in the expect_create.c code or something
> missing in kernel or libnetfilter_conntrack?

You probably forgot to insmod "nf_conntrack_ftp", anyway I'll
investigate if we can load-on-demand the module to avoid similar reports
to this one.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: libnetfilter_conntrack: Unable to create an entry in the expectation table (invalid argument)

[Emmanuel B]

2008/4/27 Pablo Neira Ayuso <pablo@netfilter.org>:
>
> Emmanuel B wrote:
>  > Hi,
>  >
>  > The example program (expect_create) given in the utils directory of
>  > libnetfilter_conntrack return the error code -1 (Invalid argument).
>  > The master entry was correctly added to the conntrack table, but
>  > nothing appears in expect table.
>  >
>  > I have tested it on a RedHat 2.6.18 and Ubuntu 2.6.22 with the same result.
>  > I use the libnetfilter_conntrack version 0.0.89 and libnfnetlink version 0.0.33
>  >
>  > Is there anything wrong in the expect_create.c code or something
>  > missing in kernel or libnetfilter_conntrack?
>
>  You probably forgot to insmod "nf_conntrack_ftp", anyway I'll
>  investigate if we can load-on-demand the module to avoid similar reports
>  to this one.

Thanks, this was the cause of the problem for the test program
(expect_create). Now it works, master and expect lines are filled.
Nevertheless, I tried to adapt it for the UDP protocol, and although
the "nf_conntrack_ftp" module is inserted, the error is again Invalid
parameters.

Here is the command line that I use (conntrack_tools):
conntrack -I --orig-src 1.1.1.1 --orig-dst 2.2.2.2 --reply-src 2.2.2.2
--reply-dst 1.1.1.1 -p udp --orig-port-src 10000 --orig-port-dst 10001
--reply-port-src 10001 --reply-port-dst 10000  -t 600 -u UNSET
=> Master rule is OK.

conntrack -I expect --orig-src 1.1.1.1 --orig-dst 2.2.2.2 --tuple-src
4.4.4.4 --tuple-dst 5.5.5.5 --mask-src 255.255.255.0 --mask-dst
255.255.255.255 -p udp --orig-port-src 10000 --orig-port-dst 10001 -t
600 --tuple-port-src 10241 --tuple-port-dst 10242 --mask-port-src 10
--mask-port-dst 300
=> Operation failed: invalid parameters

Is the expectation mechanism possible for UDP connections?
I need to accept the response with remote-src-port=* (port is randomly chosen)

Regards,

>
>  --
>  "Los honestos son inadaptados sociales" -- Les Luthiers
>