ip_conntrack vs. nf_conntrack

ip_conntrack vs. nf_conntrack

[Martin]

Hi to all.

I've some doubts in what changes have been done to conntrack modules,
but can't find some info about.

Here is my situation:

I use to have a 2.6.18 kernel with some patches, including POM and
netfilter ones. The modules I insmod are ip_conntrack_ftp,
ip_conntrack_irc, ip_conntrack_tftp, ip_conntrack_amanda and
ip_conntrack_sip.

Asking around, have finally find that to get patches on mainstream, some
names've changed and some code have been modified ¿is that right?
Anyway, there aren't nf_conntrack_amanda, nf_conntrack_irc, etc. ¿are
there available by now, or need some extra patches or something else?


Thanks in advance, hope someone can give me some light here...


Martin

Re: ip_conntrack vs. nf_conntrack

[Pascal Hambourg]

Hello,

Martin a écrit :
> 
> I use to have a 2.6.18 kernel with some patches, including POM and
> netfilter ones. The modules I insmod are ip_conntrack_ftp,
> ip_conntrack_irc, ip_conntrack_tftp, ip_conntrack_amanda and
> ip_conntrack_sip.
> 
> Asking around, have finally find that to get patches on mainstream, some
> names've changed and some code have been modified ¿is that right?

nf_conntrack is layer 3-independent and works with both IPv4 and IPv6, 
while ip_conntrack was IPv4-only.

> Anyway, there aren't nf_conntrack_amanda, nf_conntrack_irc, etc. ¿are
> there available by now, or need some extra patches or something else?

Most of them were introduced in kernel 2.6.20 along with IPv4 stateful 
NAT. Aliases have been defined, so you can keep using the old names.

Re: ip_conntrack vs. nf_conntrack

[Jan Engelhardt]

On Friday 2008-05-16 17:08, Pascal Hambourg wrote:
>
>> Anyway, there aren't nf_conntrack_amanda, nf_conntrack_irc, etc. ¿are
>> there available by now, or need some extra patches or something else?
>
> Most of them were introduced in kernel 2.6.20 along with IPv4 stateful NAT.
> Aliases have been defined, so you can keep using the old names.

No aliases have been defined.

$ modinfo nf_conntrack
filename:       /lib/modules/2.6.25.3-jen65-default/kernel/net/netfilter/nf_conntrack.ko
license:        GPL
srcversion:     3BD1C8DA6B930848245F7A5
depends:        
vermagic:       2.6.25.3-jen65-default SMP mod_unload 586 
parm:           expect_hashsize:uint

Re: ip_conntrack vs. nf_conntrack

[Jan Engelhardt]

On Friday 2008-05-16 17:14, Jan Engelhardt wrote:
>
>On Friday 2008-05-16 17:08, Pascal Hambourg wrote:
>>
>>> Anyway, there aren't nf_conntrack_amanda, nf_conntrack_irc, etc. ¿are
>>> there available by now, or need some extra patches or something else?
>>
>> Most of them were introduced in kernel 2.6.20 along with IPv4 stateful NAT.
>> Aliases have been defined, so you can keep using the old names.
>
>No aliases have been defined.
>
>$ modinfo nf_conntrack
>filename:       /lib/modules/2.6.25.3-jen65-default/kernel/net/netfilter/nf_conntrack.ko
>license:        GPL
>srcversion:     3BD1C8DA6B930848245F7A5
>depends:        
>vermagic:       2.6.25.3-jen65-default SMP mod_unload 586 
>parm:           expect_hashsize:uint
>
Meh, jmp $gun. nf_conntrack_ipv4 has them, but of course, switching
protects against surprises.

Re: ip_conntrack vs. nf_conntrack

[Martin]

On Fri, 2008-05-16 at 17:08 +0200, Pascal Hambourg wrote:
> Hello,
> 
> Martin a écrit :
> > 
> > I use to have a 2.6.18 kernel with some patches, including POM and
> > netfilter ones. The modules I insmod are ip_conntrack_ftp,
> > ip_conntrack_irc, ip_conntrack_tftp, ip_conntrack_amanda and
> > ip_conntrack_sip.
> > 
> > Asking around, have finally find that to get patches on mainstream, some
> > names've changed and some code have been modified ¿is that right?
> 
> nf_conntrack is layer 3-independent and works with both IPv4 and IPv6, 
> while ip_conntrack was IPv4-only.
> 
> > Anyway, there aren't nf_conntrack_amanda, nf_conntrack_irc, etc. ¿are
> > there available by now, or need some extra patches or something else?
> 
> Most of them were introduced in kernel 2.6.20 along with IPv4 stateful 
> NAT. Aliases have been defined, so you can keep using the old names.

Thanks Pascal for the response.

Couldn't find any documentation about that on netfilter site, but've
seen that on the list.

When compiling kernel there are potions to introduce them in netfilter
modules, but there aren't modules or aliases to those names ¿can you
tell me how to add those alias? insmod keep telling me that
ip_conntrack_amanda and ftp couldn't be loaded (I keep trying to load
them on my firewall script). 
I've found nf_conntrack_* files, but are .h ones, and are at the include
path of the kernel source code, at netfilter section.


I'll keep searching for more info.

Cheers.

Martin

Re: ip_conntrack vs. nf_conntrack

[Pascal Hambourg]

Jan Engelhardt a écrit :
> On Friday 2008-05-16 17:08, Pascal Hambourg wrote:
> 
>>>Anyway, there aren't nf_conntrack_amanda, nf_conntrack_irc, etc. ¿are
>>>there available by now, or need some extra patches or something else?
>>
>>Most of them were introduced in kernel 2.6.20 along with IPv4 stateful NAT.
>>Aliases have been defined, so you can keep using the old names.
> 
> No aliases have been defined.
> 
> $ modinfo nf_conntrack

I meant aliases for helper modules. In most cases other netfilter 
modules should be autoloaded by iptables rules creation or other module 
dependencies, so it should be useless to load them explicitly.

Re: ip_conntrack vs. nf_conntrack

[Martin]

On Fri, 2008-05-16 at 17:45 +0200, Pascal Hambourg wrote:

> I meant aliases for helper modules. In most cases other netfilter 
> modules should be autoloaded by iptables rules creation or other module 
> dependencies, so it should be useless to load them explicitly.


Ok, here is my progress:

I've solved the connlimit problem. I was using as iptables source, an
little old one from debian. Using iptables 1.4 source form netrfilter do
the trick.


So I've just one question at least. If there aren't nf_conntrack_*
modules or aliases, does the amanda, ftp, quake3, etc. modules work just
loading nf_conntrack? If so, I think I'm ready to go with this kernel
history.

Thanks to all for your help.

Cheers


Martin 

Re: ip_conntrack vs. nf_conntrack

[Pascal Hambourg]

Martin a écrit :
> 
> When compiling kernel there are potions to introduce them in netfilter
> modules, but there aren't modules or aliases to those names ¿can you
> tell me how to add those alias? insmod keep telling me that
> ip_conntrack_amanda and ftp couldn't be loaded (I keep trying to load
> them on my firewall script). 

I am not sure I understand you but AFAIK insmod doesn't support aliases 
and requires the real module names. Use modprobe instead.

Re: ip_conntrack vs. nf_conntrack

[Jan Engelhardt]

On Friday 2008-05-16 18:07, Martin wrote:
>
>So I've just one question at least. If there aren't nf_conntrack_*
>modules or aliases, does the amanda, ftp, quake3, etc. modules work just
>loading nf_conntrack? If so, I think I'm ready to go with this kernel
>history.

No, nf_conntrack_ftp is required for FTP (and similarly for the
others).

Re: ip_conntrack vs. nf_conntrack

[Pascal Hambourg]

Martin a écrit :
> 
> So I've just one question at least. If there aren't nf_conntrack_*
> modules or aliases, does the amanda, ftp, quake3, etc. modules work just
> loading nf_conntrack?

I don't understand. What "amanda, ftp, quake3, etc. modules" are you 
talking about if there "aren't nf_conntrack_* modules" ?

Re: ip_conntrack vs. nf_conntrack

[Martin]

On Sat, 2008-05-17 at 13:30 +0200, Jan Engelhardt wrote:
> On Friday 2008-05-16 18:07, Martin wrote:
> >
> >So I've just one question at least. If there aren't nf_conntrack_*
> >modules or aliases, does the amanda, ftp, quake3, etc. modules work just
> >loading nf_conntrack? If so, I think I'm ready to go with this kernel
> >history.
> 
> No, nf_conntrack_ftp is required for FTP (and similarly for the
> others).


But there isn't nf_conntrack_ftp.ko module. May be it have been renamed
to /lib/modules/2.6.25/kernel/net/ipv4/netfilter/nf_nat_ftp.ko ?


Cheers

Martin

Re: ip_conntrack vs. nf_conntrack

[Martin]

On Sat, 2008-05-17 at 13:36 +0200, Pascal Hambourg wrote:
> Martin a écrit :
> > 
> > So I've just one question at least. If there aren't nf_conntrack_*
> > modules or aliases, does the amanda, ftp, quake3, etc. modules work just
> > loading nf_conntrack?
> 
> I don't understand. What "amanda, ftp, quake3, etc. modules" are you 
> talking about if there "aren't nf_conntrack_* modules" ?


On ip_conntrack modules, I use to load some modules that open a second
port (ftp, quake3, and so) and make it able to mark packets as related.

Those modules were ip_conntrack_ftp, ip_conntrack_quake3 and
ip_conntrack_amanda. So, now netfilter packages and modules are in
mainstream, some names and modules have changed, and I'm searching for
the replace of those modules under the new nomenclature (nf_conntrack).

My problem comes as there are not a nf_conntrack_(ftp/quake3/amanda),
but there are nf_nat_(ftp/amanda).ko files, and wonder to know if those
file are the replace of the old ip_conntrack, or if I must install some
kind of patches or something else.


Thanks.


Martin

Re: ip_conntrack vs. nf_conntrack

[Pascal Hambourg]

Martin a écrit :
> 
> On ip_conntrack modules, I use to load some modules that open a second
> port (ftp, quake3, and so) and make it able to mark packets as related.

Conntrack modules do not open any port, they just mark packets as 
RELATED. The actual filtering job is done by iptables rules.

> Those modules were ip_conntrack_ftp, ip_conntrack_quake3 and
> ip_conntrack_amanda. So, now netfilter packages and modules are in
> mainstream, some names and modules have changed, and I'm searching for
> the replace of those modules under the new nomenclature (nf_conntrack).

ip_conntrack_* helper modules have been replaced by nf_conntrack_* when 
available and moved from net/ipv4/netfilter to net/netfilter.

> My problem comes as there are not a nf_conntrack_(ftp/quake3/amanda),
> but there are nf_nat_(ftp/amanda).ko files, and wonder to know if those
> file are the replace of the old ip_conntrack, or if I must install some
> kind of patches or something else.

If you have some NAT helper modules, then you should have the 
corresponding conntrack helpers as NAT depends on conntrack, unless you 
messed with your .config file. Maybe you have the conntrack helpers 
built-in instead of built as modules. Check in your .config or 
/proc/config.gz if available.

AFAIK quake3 conntrack support was never included in mainstream, it was 
only in patch-o-matic for ip_conntrack. I don't know if it has been 
converted to nf_conntrack.

Re: ip_conntrack vs. nf_conntrack

[Martin]

On Mon, 2008-05-19 at 16:41 +0200, Pascal Hambourg wrote:
> Martin a écrit :
> > 
> > On ip_conntrack modules, I use to load some modules that open a second
> > port (ftp, quake3, and so) and make it able to mark packets as related.
> 
> Conntrack modules do not open any port, they just mark packets as 
> RELATED. The actual filtering job is done by iptables rules.

That's right. Sorry, I expressed wrong.

> > Those modules were ip_conntrack_ftp, ip_conntrack_quake3 and
> > ip_conntrack_amanda. So, now netfilter packages and modules are in
> > mainstream, some names and modules have changed, and I'm searching for
> > the replace of those modules under the new nomenclature (nf_conntrack).
> 
> ip_conntrack_* helper modules have been replaced by nf_conntrack_* when 
> available and moved from net/ipv4/netfilter to net/netfilter.
> 
> > My problem comes as there are not a nf_conntrack_(ftp/quake3/amanda),
> > but there are nf_nat_(ftp/amanda).ko files, and wonder to know if those
> > file are the replace of the old ip_conntrack, or if I must install some
> > kind of patches or something else.
> 
> If you have some NAT helper modules, then you should have the 
> corresponding conntrack helpers as NAT depends on conntrack, unless you 
> messed with your .config file. Maybe you have the conntrack helpers 
> built-in instead of built as modules. Check in your .config or 
> /proc/config.gz if available.

That's exactly what happened. I've built-in nf_conntrack_ftp and amanda
in kernel. Should I compile them as modules? 


> AFAIK quake3 conntrack support was never included in mainstream, it was 
> only in patch-o-matic for ip_conntrack. I don't know if it has been 
> converted to nf_conntrack.

I write quake just to try to explain what I was searching for.


Thanks Pascal for your response, I see it much more clearer now. I know
that I've those modules build-in kernel and they are working and no need
to modprobe them anyway.


Cheers


Martin

Re: ip_conntrack vs. nf_conntrack

[Pascal Hambourg]

Martin a écrit :
> 
> I've built-in nf_conntrack_ftp and amanda
> in kernel. Should I compile them as modules? 

Not unless you need to be able to unload them or load them with 
different parameters (e.g. port list) without rebooting.

Re: ip_conntrack vs. nf_conntrack

[Jan Engelhardt]

On Monday 2008-05-19 15:13, Martin wrote:
>> On Friday 2008-05-16 18:07, Martin wrote:
>> >
>> >So I've just one question at least. If there aren't nf_conntrack_*
>> >modules or aliases, does the amanda, ftp, quake3, etc. modules work just
>> >loading nf_conntrack? If so, I think I'm ready to go with this kernel
>> >history.
>> 
>> No, nf_conntrack_ftp is required for FTP (and similarly for the
>> others).
>
>But there isn't nf_conntrack_ftp.ko module. May be it have been renamed
>to /lib/modules/2.6.25/kernel/net/ipv4/netfilter/nf_nat_ftp.ko ?

19:34 yaguchi:~/pub/Documents > modinfo nf_conntrack_ftp
filename:
/lib/modules/2.6.23.17-ccj64-rt/kernel/net/netfilter/nf_conntrack_ftp.ko
alias:          ip_conntrack_ftp
description:    ftp connection tracking helper
author:         Rusty Russell <rusty@rustcorp.com.au>
license:        GPL
srcversion:     5719E7793C1052C8385FF11
depends:        nf_conntrack
vermagic:       2.6.23.17-ccj64-rt SMP preempt mod_unload 586 REGPARM 
parm:           ports:array of ushort
parm:           loose:bool

When I say nf_conntrack_ftp, I meant nf_conntrack_ftp.

Re: ip_conntrack vs. nf_conntrack

[Martin]

On Mon, 2008-05-19 at 19:42 +0200, Jan Engelhardt wrote:
> On Monday 2008-05-19 15:13, Martin wrote:
> >> On Friday 2008-05-16 18:07, Martin wrote:
> >> >
> >> >So I've just one question at least. If there aren't nf_conntrack_*
> >> >modules or aliases, does the amanda, ftp, quake3, etc. modules work just
> >> >loading nf_conntrack? If so, I think I'm ready to go with this kernel
> >> >history.
> >> 
> >> No, nf_conntrack_ftp is required for FTP (and similarly for the
> >> others).
> >
> >But there isn't nf_conntrack_ftp.ko module. May be it have been renamed
> >to /lib/modules/2.6.25/kernel/net/ipv4/netfilter/nf_nat_ftp.ko ?
> 
> 19:34 yaguchi:~/pub/Documents > modinfo nf_conntrack_ftp
> filename:
> /lib/modules/2.6.23.17-ccj64-rt/kernel/net/netfilter/nf_conntrack_ftp.ko
> alias:          ip_conntrack_ftp
> description:    ftp connection tracking helper
> author:         Rusty Russell <rusty@rustcorp.com.au>
> license:        GPL
> srcversion:     5719E7793C1052C8385FF11
> depends:        nf_conntrack
> vermagic:       2.6.23.17-ccj64-rt SMP preempt mod_unload 586 REGPARM 
> parm:           ports:array of ushort
> parm:           loose:bool
> 
> When I say nf_conntrack_ftp, I meant nf_conntrack_ftp.


Pascal explained me that. Sorry, my fault. I made
nf_conntrack_(ftp/amanda) build-in kernel, not as a module, so there
isn't any *.ko with that name to modprobe.

Thanks for your advice, I'll search for more docs about difference
module--build-in, just to see if I can change some parameters while
modprobe or so.


Cheers


Martín

Re: ip_conntrack vs. nf_conntrack

[Pascal Hambourg]

Martin a écrit :
> 
> I'll search for more docs about difference
> module--build-in, just to see if I can change some parameters while
> modprobe or so.

Built-in module parameters can only be set at boot time in the kernel 
command line. See Documentation/kernel-parameters.txt in the Linux 
kernel source tree.

Re: ip_conntrack vs. nf_conntrack

[Martin]

On Tue, 2008-05-20 at 16:41 +0200, Pascal Hambourg wrote:
> Martin a écrit :
> > 
> > I'll search for more docs about difference
> > module--build-in, just to see if I can change some parameters while
> > modprobe or so.
> 
> Built-in module parameters can only be set at boot time in the kernel 
> command line. See Documentation/kernel-parameters.txt in the Linux 
> kernel source tree.


Thanks, I'll check that.



I want to thanks the whole netfilter list too. I was pretty much
confused about ip_conntrack and nf_conntrack thing.

Now I'm able to know the differences, similitudes, and more about how
they work. How they are loaded, alias, etc.

I can go on with it now, and start looking fore more options (like
7-layer and IMQ), but those are may be for another thread in some
future ;)


Thanks again to all of you.


Martin

Re: ip_conntrack vs. nf_conntrack

[Jan Engelhardt]

On Tuesday 2008-05-20 15:05, Martin wrote:
>> 
>> When I say nf_conntrack_ftp, I meant nf_conntrack_ftp.
>
>
>Pascal explained me that. Sorry, my fault. I made
>nf_conntrack_(ftp/amanda) build-in kernel, not as a module, so there
>isn't any *.ko with that name to modprobe.
>
>Thanks for your advice, I'll search for more docs about difference
>module--build-in, just to see if I can change some parameters while
>modprobe or so.


Self-compiled kernels always lead to surprises.
Been there. Done that. Threw it out.

Just pick a default distro kernel which uses modules. You will be
happier for your life.