* NFULNL_CFG_F_CONNTRACK and IPv6
@ 2021-01-12 16:14 Rafael David Tinoco
  2021-01-12 16:57 ` Florian Westphal
  0 siblings, 1 reply; 13+ messages in thread
From: Rafael David Tinoco @ 2021-01-12 16:14 UTC (permalink / raw)
  To: netfilter; +Cc: Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

Hello list, Ken-ichirou and Pablo,

I'm developing github.com/rafaeldtinoco/conntracker and, during my tests, I 
realized that the feature:

NFULNL_CFG_F_CONNTRACK

does not seem to be giving me conntrack feature for IPv6 (as it does with 
IPv4). I have checked xtables-monitor code and IPv6 tracing seems to be
working when using libnftnl... but I want to maintain compatibility to old
distros when nf-tables is not available/used.

bug: https://github.com/rafaeldtinoco/conntracker/issues/1

TL;DR version is:

I have a conntrack NEW,ESTABLISHED rule for everything in raw (so all the flows 
are accounted). To each identified flow, listened through libnetfilter-
conntrack, I add a rule to trace its events.

I map conntrack <-> trace relation through NFULNL_CFG_F_CONNTRACK feature, this 
way I know exactly through which rules that flow passed.

Example:

 UDPv4 [  2] src = 10.250.91.1 (port=1024) to dst = 10.250.91.255 (port=57621)
        table: raw, chain: PREROUTING, type: rule, position: 1
        table: nat, chain: OUTPUT, type: policy, position: 1
        table: nat, chain: POSTROUTING, type: policy, position: 2
        table: filter, chain: INPUT, type: policy, position: 1
        table: filter, chain: OUTPUT, type: policy, position: 1

Unfortunately with:

nflog_nlmsg_parse(nlh, attrs), my attrs[NFULA_CT] is always NULL for IPv6:

 TCPv6 [  0] src = fe80::1453:5dff:fe1a:ca68 (port=1024) to dst = fe80::216:3eff:fe7f:aedd (port=22) (confirmed)
ICMPv6 [  0] src = fe80::1453:5dff:fe1a:ca68 to dst = fe80::216:3eff:fe7f:aedd (type=0 | code=0) (confirmed)
ICMPv6 [  1] src = fe80::1453:5dff:fe1a:ca68 to dst = fe80::3c76:fdff:fea2:82b4 (type=0 | code=0)

This can also be observed with:

libnetfilter-log/utils/nf-log.c code (if BUILD_NFCT)

which I used as a base for this part of the code.

Is there a reason why IPv6 conntrack info is not being sent through netlink?

Thanks in advance!

-rafaeldtinoco


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 16:14 NFULNL_CFG_F_CONNTRACK and IPv6 Rafael David Tinoco
@ 2021-01-12 16:57 ` Florian Westphal
  2021-01-12 17:30   ` Rafael David Tinoco
  0 siblings, 1 reply; 13+ messages in thread
From: Florian Westphal @ 2021-01-12 16:57 UTC (permalink / raw)
  To: Rafael David Tinoco; +Cc: netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

Rafael David Tinoco <rafaeldtinoco@ubuntu.com> wrote:
> Hello list, Ken-ichirou and Pablo,
> 
> I'm developing github.com/rafaeldtinoco/conntracker and, during my tests, I 
> realized that the feature:
> 
> NFULNL_CFG_F_CONNTRACK
> 
> does not seem to be giving me conntrack feature for IPv6 (as it does with 
> IPv4).I have checked xtables-monitor code and IPv6 tracing seems to be
> working when using libnftnl.. but I want to maintain compatibility to old
> distros when nf-tables is not available/used.
> 
> bug: https://github.com/rafaeldtinoco/conntracker/issues/1
> 
> TL;DR version is:
> 
> I have a conntrack NEW,ESTABLISHED rule for everything in raw (so all the flows 
> are accounted). To each identified flow, listened through libnetfilter-
> conntrack, I add a rule to trace its events.
> 
> I map conntrack <-> trace relation through NFULNL_CFG_F_CONNTRACK feature, this 
> way I know exactly through which rules that flow passed.
> 
> Example:
> 
>  UDPv4 [  2] src = 10.250.91.1 (port=1024) to dst = 10.250.91.255 (port=57621)
>         table: raw, chain: PREROUTING, type: rule, position: 1
>         table: nat, chain: OUTPUT, type: policy, position: 1
>         table: nat, chain: POSTROUTING, type: policy, position: 2
>         table: filter, chain: INPUT, type: policy, position: 1
>         table: filter, chain: OUTPUT, type: policy, position: 1
> 
> Unfortunately with:
> 
> nflog_nlmsg_parse(nlh, attrs), my attrs[NFULA_CT] is always NULL for IPv6:
> 
>  TCPv6 [  0] src = fe80::1453:5dff:fe1a:ca68 (port=1024) to dst = fe80::216:3eff:fe7f:aedd (port=22) (confirmed)
> ICMPv6 [  0] src = fe80::1453:5dff:fe1a:ca68 to dst = fe80::216:3eff:fe7f:aedd (type=0 | code=0) (confirmed)
> ICMPv6 [  1] src = fe80::1453:5dff:fe1a:ca68 to dst = fe80::3c76:fdff:fea2:82b4 (type=0 | code=0)
> 
> This can also be observed with:
> 
> libnetfilter-log/utils/nf-log.c code (if BUILD_NFCT)

Works for me:
00389d4fd5f00000000a9e2060000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637</payload></log>
(ret=450)
ip_conntrack_info: REPLY / ESTABLISHED
icmpv6   58 30 src=::1 dst=::1 type=128 code=0 id=6 src=::1 dst=::1 type=129 code=0 id=6

Do you have an ip6tables rule that matches on conntrack state?
Otherwise conntrack will be disabled.


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 16:57 ` Florian Westphal
@ 2021-01-12 17:30   ` Rafael David Tinoco
  2021-01-12 17:41     ` Florian Westphal
  0 siblings, 1 reply; 13+ messages in thread
From: Rafael David Tinoco @ 2021-01-12 17:30 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

> > This can also be observed with:
> > 
> > libnetfilter-log/utils/nf-log.c code (if BUILD_NFCT)
> 
> Works for me:
> 00389d4fd5f00000000a9e2060000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637</payload></log>
> (ret=450)
> ip_conntrack_info: REPLY / ESTABLISHED
> icmpv6   58 30 src=::1 dst=::1 type=128 code=0 id=6 src=::1 dst=::1 
> type=129 code=0 id=6
> 
> Do you have an ip6tables rule that matches on conntrack state?
> Otherwise conntrack will be disabled.
>

Ha, that's weird. 

log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
<log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev><payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)

here... kernel 5.8.0-26-generic and latest libnetfilter-log, using:

ip6tables-legacy -t raw -I OUTPUT 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables-legacy -t raw -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
ip6tables-legacy -t raw -A OUTPUT -j TRACE
ip6tables-legacy -t raw -A PREROUTING -j TRACE

(it works with IPv4)... wonder if it's a kernel config option :\.


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 17:30   ` Rafael David Tinoco
@ 2021-01-12 17:41     ` Florian Westphal
  2021-01-12 18:01       ` Rafael David Tinoco
  0 siblings, 1 reply; 13+ messages in thread
From: Florian Westphal @ 2021-01-12 17:41 UTC (permalink / raw)
  To: Rafael David Tinoco
  Cc: Florian Westphal, netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

Rafael David Tinoco <rafaeldtinoco@ubuntu.com> wrote:
> > > This can also be observed with:
> > > 
> > > libnetfilter-log/utils/nf-log.c code (if BUILD_NFCT)
> > 
> > Works for me:
> > 00389d4fd5f00000000a9e2060000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637</payload></log>
> > (ret=450)
> > ip_conntrack_info: REPLY / ESTABLISHED
> > icmpv6   58 30 src=::1 dst=::1 type=128 code=0 id=6 src=::1 dst=::1 
> > type=129 code=0 id=6
> > 
> > Do you have an ip6tables rule that matches on conntrack state?
> > Otherwise conntrack will be disabled.
> >
> 
> Ha, that's weird. 
> 
> log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> <log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev><payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)
> 
> here... kernel 5.8.0-26-generic and latest libnetfilter-log, using:
> 
> ip6tables-legacy -t raw -I OUTPUT 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> ip6tables-legacy -t raw -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> ip6tables-legacy -t raw -A OUTPUT -j TRACE
> ip6tables-legacy -t raw -A PREROUTING -j TRACE

?  You need a -j NFLOG rule.  -j TRACE might not even use netlink events
but raw printk() when used with classic iptables (rather than
iptables-nft, where this maps to 'meta nftrace set 1').


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 17:41     ` Florian Westphal
@ 2021-01-12 18:01       ` Rafael David Tinoco
  2021-01-12 18:17         ` Rafael David Tinoco
  2021-01-12 18:36         ` Florian Westphal
  0 siblings, 2 replies; 13+ messages in thread
From: Rafael David Tinoco @ 2021-01-12 18:01 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

> > Ha, that's weird. 
> > 
> > log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> > <log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev><payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)
> > 
> > here... kernel 5.8.0-26-generic and latest libnetfilter-log, using:
> > 
> > ip6tables-legacy -t raw -I OUTPUT 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > ip6tables-legacy -t raw -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > ip6tables-legacy -t raw -A OUTPUT -j TRACE
> > ip6tables-legacy -t raw -A PREROUTING -j TRACE
> 
> ?  You need a -j NFLOG rule.  -j TRACE might not even use netlink events
> but raw printk() when used with classic iptables (rather than
> iptables-nft, where this maps to 'meta nftrace set 1'.

-j TRACE uses netlink communication for IPv4, so why would it not use it for IPv6 if my nf_log:

$ sudo cat /proc/net/netfilter/nf_log 
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 nfnetlink_log (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)

has proto 2 and 10 to use nfnetlink_log.. and, from kernel:

static struct nf_logger nfulnl_logger __read_mostly = {
	.name	= "nfnetlink_log",
	.type	= NF_LOG_TYPE_ULOG,
	.logfn	= nfulnl_log_packet,
	.me	= THIS_MODULE,
};

nfnetlink_log shows me that the function nfulnl_log_packet() is the one that builds the netlink packet to userland. So, if it works for IPv4, why would it not work for IPv6?

Note: My intent is to have a single rule that gives me one netlink msg to each of the traced events (instead of adding a bunch of NFLOG rules working each one as triggers for the events, which I also could).


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 18:01       ` Rafael David Tinoco
@ 2021-01-12 18:17         ` Rafael David Tinoco
  2021-01-12 18:36         ` Florian Westphal
  1 sibling, 0 replies; 13+ messages in thread
From: Rafael David Tinoco @ 2021-01-12 18:17 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

On Tue, Jan 12, 2021, at 3:01 PM, Rafael David Tinoco wrote:
> > > Ha, that's weird. 
> > > 
> > > log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> > > <log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev><payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)
> > > 
> > > here... kernel 5.8.0-26-generic and latest libnetfilter-log, using:
> > > 
> > > ip6tables-legacy -t raw -I OUTPUT 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -A OUTPUT -j TRACE
> > > ip6tables-legacy -t raw -A PREROUTING -j TRACE
> > 
> > ?  You need a -j NFLOG rule.  -j TRACE might not even use netlink events
> > but raw printk() when used with classic iptables (rather than
> > iptables-nft, where this maps to 'meta nftrace set 1'.
> 
> -j TRACE uses netlink communication for IPv4, why would it not use for 
> IPv6 if my nf_log:
> 
> $ sudo cat /proc/net/netfilter/nf_log 
>  0 NONE (nfnetlink_log)
>  1 NONE (nfnetlink_log)
>  2 nfnetlink_log (nfnetlink_log)
>  3 NONE (nfnetlink_log)
>  4 NONE (nfnetlink_log)
>  5 NONE (nfnetlink_log)
>  6 NONE (nfnetlink_log)
>  7 NONE (nfnetlink_log)
>  8 NONE (nfnetlink_log)
>  9 NONE (nfnetlink_log)
> 10 nfnetlink_log (nfnetlink_log)
> 11 NONE (nfnetlink_log)
> 12 NONE (nfnetlink_log)
> 
> has proto 2 and 10 to use nfnetlink_log.. and, from kernel:
> 
> static struct nf_logger nfulnl_logger __read_mostly = {
> 	.name	= "nfnetlink_log",
> 	.type	= NF_LOG_TYPE_ULOG,
> 	.logfn	= nfulnl_log_packet,
> 	.me	= THIS_MODULE,
> };
> 
> nfnetlink_log shows me that the function nfulnl_log_packet() is the one 
> that builds the netlink packet to userland. So, if it works for IPv4, 
> why would it not work for IPv6 ? 
> 
> Note: My intent is to have a single rule that gives me one netlink msg 
> to each of the traced events (instead of adding a bunch of NFLOG rules 
> working each one as triggers for the events, which I also could).

As a quick side note, with the same IPv4 rules:

  tcp      6 300 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 sport=36444 dport=6000 src=10.250.97.1 dst=10.250.97.135 sport=6000 dport=36444 [ASSURED]
log received (prefix="TRACE: raw:PREROUTING:policy:3 " hw=0x0800 hook=0 mark=0)
<log><when><hour>15</hour><min>15</min><sec>40</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:PREROUTING:policy:3 </prefix><hook>0</hook><hw><proto>0800</proto><src>00163e7faedd</src></hw><indev>12</indev><payload>450000340efc40004006534c0afa61870afa61018e5c1770fd1122e186613618801001bdd8a200000101080a4f4ed56aa18dbb50</payload></log> (ret=378)
log received (prefix="TRACE: filter:INPUT:policy:1 " hw=0x0800 hook=1 mark=0)
<log><when><hour>15</hour><min>15</min><sec>40</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: filter:INPUT:policy:1 </prefix><hook>1</hook><hw><proto>0800</proto><src>00163e7faedd</src></hw><indev>12</indev><payload>450000340efc40004006534c0afa61870afa61018e5c1770fd1122e186613618801001bdd8a200000101080a4f4ed56aa18dbb50</payload></log> (ret=376)
  ip_conntrack_info: ORIGINAL / ESTABLISHED
  tcp      6 432000 ESTABLISHED src=10.250.97.135 dst=10.250.97.1 sport=36444 dport=6000 src=10.250.97.1 dst=10.250.97.135 sport=6000 dport=36444 [ASSURED]

the conntrack feature is added to the netlink log msg.


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 18:01       ` Rafael David Tinoco
  2021-01-12 18:17         ` Rafael David Tinoco
@ 2021-01-12 18:36         ` Florian Westphal
  2021-01-12 18:54           ` Rafael David Tinoco
  1 sibling, 1 reply; 13+ messages in thread
From: Florian Westphal @ 2021-01-12 18:36 UTC (permalink / raw)
  To: Rafael David Tinoco
  Cc: Florian Westphal, netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

Rafael David Tinoco <rafaeldtinoco@ubuntu.com> wrote:
> > > Ha, that's weird. 
> > > 
> > > log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> > > <log><when><hour>14</hour><min>27</min><sec>16</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev><payload>600041d600200640fe8000000000000014535dfffe1aca68fe8000000000000002163efffe7faedd9b1000161118d258a85cd4bb801001fb267100000101080a011250252a763edf</payload></log> (ret=393)
> > > 
> > > here... kernel 5.8.0-26-generic and latest libnetfilter-log, using:
> > > 
> > > ip6tables-legacy -t raw -I OUTPUT 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -I PREROUTING 1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
> > > ip6tables-legacy -t raw -A OUTPUT -j TRACE
> > > ip6tables-legacy -t raw -A PREROUTING -j TRACE
> > 
> > ?  You need a -j NFLOG rule.  -j TRACE might not even use netlink events
> > but raw printk() when used with classic iptables (rather than
> > iptables-nft, where this maps to 'meta nftrace set 1'.
> 
> -j TRACE uses netlink communication for IPv4, why would it not use for IPv6 if my nf_log:
> 
> $ sudo cat /proc/net/netfilter/nf_log 
> 10 nfnetlink_log (nfnetlink_log)

Right, but that works for me as well:

log received (prefix="TRACE: filter:INPUT:policy:1 " hw=0x86dd hook=1 mark=0)
<log><when><hour>19</hour><min>33</min><sec>27</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE:
filter:INPUT:policy:1
</prefix><hook>1</hook><hw><proto>86dd</proto><src>000000000000</src></hw><indev>1</indev><payload>6003d6ac00403a4000000000000000000000000000000001000000000000000000000000000000018100bf186808000377ebfd5f0000000014410f0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637</payload></log>
(ret=479)
  ip_conntrack_info: REPLY / ESTABLISHED
  icmpv6   58 30 src=::1 dst=::1 type=128 code=0 id=26632 src=::1 dst=::1 type=129 code=0 id=26632



* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 18:36         ` Florian Westphal
@ 2021-01-12 18:54           ` Rafael David Tinoco
  2021-01-12 19:26             ` Florian Westphal
  0 siblings, 1 reply; 13+ messages in thread
From: Rafael David Tinoco @ 2021-01-12 18:54 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

> Right, but that works for me as well:
> 
> log received (prefix="TRACE: filter:INPUT:policy:1 " hw=0x86dd hook=1 
> mark=0)
> <log><when><hour>19</hour><min>33</min><sec>27</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE:
> filter:INPUT:policy:1
> </prefix><hook>1</hook><hw><proto>86dd</proto><src>000000000000</src></hw><indev>1</indev><payload>6003d6ac00403a4000000000000000000000000000000001000000000000000000000000000000018100bf186808000377ebfd5f0000000014410f0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637</payload></log>
> (ret=479)
>   ip_conntrack_info: REPLY / ESTABLISHED
>   icmpv6   58 30 src=::1 dst=::1 type=128 code=0 id=26632 src=::1 
> dst=::1 type=129 code=0 id=26632

Which kernel are you running, Florian? Is it vanilla or from any distro (whose config options I could check)? If it is not a missing config option (could not find anything related), then it might be a regression or something like it (which I could try to bisect).

thanks!


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 18:54           ` Rafael David Tinoco
@ 2021-01-12 19:26             ` Florian Westphal
  2021-01-12 21:33               ` Rafael David Tinoco
  0 siblings, 1 reply; 13+ messages in thread
From: Florian Westphal @ 2021-01-12 19:26 UTC (permalink / raw)
  To: Rafael David Tinoco
  Cc: Florian Westphal, netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

Rafael David Tinoco <rafaeldtinoco@ubuntu.com> wrote:
> > log received (prefix="TRACE: filter:INPUT:policy:1 " hw=0x86dd hook=1 
> > mark=0)
> > <log><when><hour>19</hour><min>33</min><sec>27</sec><wday>3</wday><day>12</day><month>1</month><year>2021</year></when><prefix>TRACE:
> > filter:INPUT:policy:1
> > </prefix><hook>1</hook><hw><proto>86dd</proto><src>000000000000</src></hw><indev>1</indev><payload>6003d6ac00403a4000000000000000000000000000000001000000000000000000000000000000018100bf186808000377ebfd5f0000000014410f0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637</payload></log>
> > (ret=479)
> >   ip_conntrack_info: REPLY / ESTABLISHED
> >   icmpv6   58 30 src=::1 dst=::1 type=128 code=0 id=26632 src=::1 
> > dst=::1 type=129 code=0 id=26632
> 
> which kernel are you running Florian?

5.10.5 stable.  I can check Fedora tomorrow, I don't have classic
iptables there at the moment.


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 19:26             ` Florian Westphal
@ 2021-01-12 21:33               ` Rafael David Tinoco
  2021-01-13 13:25                 ` Rafael David Tinoco
  0 siblings, 1 reply; 13+ messages in thread
From: Rafael David Tinoco @ 2021-01-12 21:33 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

> > which kernel are you running Florian?
> 
> 5.10.5 stable.  I can check Fedora tomorrow, I don't have classic
> iptables there at the moment.
>

NM Florian,

My code was returning -1 on a callback function, disabling the polling for the netlink socket file descriptor. I had it fixed:

 TCPv6 [  0] src = fe80::5054:ff:fecc:767d (port=1024) to dst = fe80::5054:ff:fecc:767d (port=22) (confirmed)
        table: raw, chain: PREROUTING, type: rule, position: 1

and it is working fine now.

Thanks a lot for your support today, checking things for me, I really appreciate it!

Best,

-rafaeldtinoco


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-12 21:33               ` Rafael David Tinoco
@ 2021-01-13 13:25                 ` Rafael David Tinoco
  2021-01-13 17:50                   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 13+ messages in thread
From: Rafael David Tinoco @ 2021-01-13 13:25 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter, Ken-ichirou MATSUZAWA, Pablo Neira Ayuso

On Tue, Jan 12, 2021, at 6:33 PM, Rafael David Tinoco wrote:
> > > which kernel are you running Florian?
> > 
> > 5.10.5 stable.  I can check Fedora tomorrow, I don't have classic
> > iptables there at the moment.
> >
> 
> NM Florian,
> 
> My code was returning -1 on a callback function, disabling the polling 
> for the netlink socket file descriptor. I had it fixed:
> 
>  TCPv6 [  0] src = fe80::5054:ff:fecc:767d (port=1024) to dst = 
> fe80::5054:ff:fecc:767d (port=22) (confirmed)
>         table: raw, chain: PREROUTING, type: rule, position: 1
> 
> and it is working fine now.
> 

Too soon, *definitely* conntrack data tied to trace ulog netlink is intermittent. Trying to discover... I'll probably have to trace the kernel to figure out why it's not being included...

log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
<log><when><hour>2</hour><min>05</min><sec>01</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=229)
log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
<log><when><hour>2</hour><min>05</min><sec>01</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=229)
log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
<log><when><hour>2</hour><min>05</min><sec>01</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=229)

for no apparent reason it stops working.. trace msgs still copied to userland (META/FULL) but conntrack data not attached to the nl msgs. go figure :\


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-13 13:25                 ` Rafael David Tinoco
@ 2021-01-13 17:50                   ` Pablo Neira Ayuso
  2021-01-13 21:07                     ` Rafael David Tinoco
  0 siblings, 1 reply; 13+ messages in thread
From: Pablo Neira Ayuso @ 2021-01-13 17:50 UTC (permalink / raw)
  To: Rafael David Tinoco; +Cc: Florian Westphal, netfilter, Ken-ichirou MATSUZAWA

On Wed, Jan 13, 2021 at 10:25:23AM -0300, Rafael David Tinoco wrote:
> On Tue, Jan 12, 2021, at 6:33 PM, Rafael David Tinoco wrote:
> > > > which kernel are you running Florian?
> > > 
> > > 5.10.5 stable.  I can check Fedora tomorrow, I don't have classic
> > > iptables there at the moment.
> > >
> > 
> > NM Florian,
> > 
> > My code was returning -1 on a callback function, disabling the polling 
> > for the netlink socket file descriptor. I had it fixed:
> > 
> >  TCPv6 [  0] src = fe80::5054:ff:fecc:767d (port=1024) to dst = 
> > fe80::5054:ff:fecc:767d (port=22) (confirmed)
> >         table: raw, chain: PREROUTING, type: rule, position: 1
> > 
> > and it is working fine now.
> > 
> 
> Too soon, *definitely* conntrack data tied to trace ulog netlink is intermittent. Trying to discover... I'll probably have to trace kernel to figure out why its not being included...
> 
> log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> <log><when><hour>2</hour><min>05</min><sec>01</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=229)
> log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> <log><when><hour>2</hour><min>05</min><sec>01</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=229)
> log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> <log><when><hour>2</hour><min>05</min><sec>01</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=229)

There is no conntrack information yet in the raw table.


* Re: NFULNL_CFG_F_CONNTRACK and IPv6
  2021-01-13 17:50                   ` Pablo Neira Ayuso
@ 2021-01-13 21:07                     ` Rafael David Tinoco
  0 siblings, 0 replies; 13+ messages in thread
From: Rafael David Tinoco @ 2021-01-13 21:07 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter, Ken-ichirou MATSUZAWA


> > log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> > <log><when><hour>2</hour><min>05</min><sec>01</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=229)
> > log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> > <log><when><hour>2</hour><min>05</min><sec>01</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=229)
> > log received (prefix="TRACE: raw:OUTPUT:policy:3 " hw=0x86dd hook=3 mark=0)
> > <log><when><hour>2</hour><min>05</min><sec>01</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: raw:OUTPUT:policy:3 </prefix><hook>3</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=229)
> 
> There is no conntrack information yet in the raw table.

Yep, that was it. I had an IPv4 nat rule that made conntrack confuse me and appear as an intermittent trace for the raw table conntrack rule. I had nothing for IPv6, so that is why IPv6 seemed not to work at all.

Got it:

  tcp      6 432000 ESTABLISHED src=fe80::472:eeff:fef8:dbb6 dst=fe80::5054:ff:fecc:767d sport=53866 dport=22 src=fe80::5054:ff:fecc:767d dst=fe80::472:eeff:fef8:dbb6 sport=22 dport=53866 [ASSURED]
log received (prefix="TRACE: mangle:POSTROUTING:policy:1 " hw=0x86dd hook=4 mark=0)
<log><when><hour>18</hour><min>05</min><sec>27</sec><wday>4</wday><day>13</day><month>1</month><year>2021</year></when><prefix>TRACE: mangle:POSTROUTING:policy:1 </prefix><hook>4</hook><hw><proto>86dd</proto></hw><outdev>12</outdev></log> (ret=238)

Thanks a lot Pablo!

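The diagnosis this thread arrives at (attrs[NFULA_CT] stays NULL for a trace emitted from the raw table, because raw hooks run before conntrack has attached anything to the skb, and Pablo's "there is no conntrack information yet in the raw table") can be checked offline. The following is an added example written for this page; it is not code from the thread, from conntracker or from libnetfilter_log. It walks the attribute area of an NFULNL_MSG_PACKET message the way nflog_nlmsg_parse() spreads it into attrs[], reports whether NFULA_CT and NFULA_CT_INFO were attached, and turns a missing NFULA_CT into a verdict that follows the two explanations given above (raw table, or no state-matching rule / NFULNL_CFG_F_CONNTRACK not set). The attribute constants and nlattr layout are mirrored from the Linux UAPI headers; the two sample messages are constructed here to resemble the raw:OUTPUT (ret=229) and mangle:POSTROUTING traces quoted in the thread, and the nested NFULA_CT blob is a placeholder, not a real ctnetlink encoding.

```c
#include <stdint.h>
#include <string.h>

/* Mirrored from linux/netlink.h and linux/netfilter/nfnetlink_log.h (no kernel headers needed). */
#define NLA_HDRLEN     4u
#define NLA_ALIGN(len) (((len) + 3u) & ~3u)
#define NLA_F_NESTED   0x8000u
#define NLA_TYPE_MASK  0x3fffu   /* drops NLA_F_NESTED / NLA_F_NET_BYTEORDER */
enum { NFULA_PAYLOAD = 9, NFULA_PREFIX = 10, NFULA_CT = 18, NFULA_CT_INFO = 19 };
enum { IP_CT_ESTABLISHED = 0 };  /* enum ip_conntrack_info, only the value used here */

/* What one NFULNL_MSG_PACKET attribute area contained. */
struct nflog_ct_check {
    char     prefix[64];   /* NFULA_PREFIX as a C string, empty if absent */
    int      has_payload;  /* NFULA_PAYLOAD seen */
    int      has_ct;       /* NFULA_CT seen: the kernel attached a conntrack entry */
    int      has_ct_info;  /* NFULA_CT_INFO seen */
    uint32_t ct_info;      /* big-endian on the wire, decoded to host order */
};

/* Walk the nlattr chain that follows nlmsghdr + nfgenmsg (what nflog_nlmsg_parse()
 * spreads into attrs[]). Returns the attribute count, or -1 on an nla_len past the buffer. */
int nflog_scan_attrs(const uint8_t *buf, size_t len, struct nflog_ct_check *out)
{
    size_t off = 0;
    int count = 0;
    memset(out, 0, sizeof(*out));
    while (off + NLA_HDRLEN <= len) {
        uint16_t nla_len, nla_type;          /* both host byte order */
        memcpy(&nla_len, buf + off, 2);
        memcpy(&nla_type, buf + off + 2, 2);
        if (nla_len < NLA_HDRLEN || off + nla_len > len)
            return -1;                       /* truncated or corrupt attribute */
        const uint8_t *data = buf + off + NLA_HDRLEN;
        size_t dlen = nla_len - NLA_HDRLEN;
        uint16_t t = nla_type & NLA_TYPE_MASK;
        if (t == NFULA_PREFIX) {
            size_t n = dlen < sizeof(out->prefix) - 1 ? dlen : sizeof(out->prefix) - 1;
            memcpy(out->prefix, data, n);
            out->prefix[n] = '\0';
        } else if (t == NFULA_PAYLOAD) {
            out->has_payload = 1;
        } else if (t == NFULA_CT) {
            out->has_ct = 1;
        } else if (t == NFULA_CT_INFO && dlen == 4) {
            out->has_ct_info = 1;
            out->ct_info = (uint32_t)data[0] << 24 | (uint32_t)data[1] << 16 | (uint32_t)data[2] << 8 | (uint32_t)data[3];
        }
        count++;
        off += NLA_ALIGN(nla_len);
    }
    return count;
}

/* Read a missing NFULA_CT the way the thread resolved it: raw-table hooks run before
 * conntrack, so a trace from raw cannot carry an entry. Elsewhere, check for a
 * state-matching rule (otherwise conntrack is off) and for NFULNL_CFG_F_CONNTRACK. */
const char *nflog_ct_verdict(const struct nflog_ct_check *c)
{
    if (c->has_ct)
        return "conntrack attached";
    if (strncmp(c->prefix, "TRACE: raw:", 11) == 0)
        return "no conntrack: raw table hooks run before conntrack";
    return "no conntrack: check the -m conntrack rule and NFULNL_CFG_F_CONNTRACK";
}

/* Append one attribute (header, data, padding). Returns the new offset, 0 if it does not fit. */
static size_t put_attr(uint8_t *buf, size_t cap, size_t off, uint16_t type, const void *data, uint16_t dlen)
{
    uint16_t nla_len = (uint16_t)(NLA_HDRLEN + dlen);
    size_t need = NLA_ALIGN(nla_len);
    if (off + need > cap) return 0;
    memset(buf + off, 0, need);
    memcpy(buf + off, &nla_len, 2);
    memcpy(buf + off + 2, &type, 2);
    memcpy(buf + off + NLA_HDRLEN, data, dlen);
    return off + need;
}

/* Constructed sample: a raw:OUTPUT trace like the ret=229 lines above, payload but no NFULA_CT. */
size_t build_raw_trace(uint8_t *buf, size_t cap)
{
    static const char prefix[] = "TRACE: raw:OUTPUT:policy:3 ";
    static const uint8_t ip6[] = { 0x60, 0x00, 0x41, 0xd6, 0x00, 0x20, 0x06, 0x40 };  /* first 8 bytes of the thread's IPv6 payload */
    size_t off = put_attr(buf, cap, 0, NFULA_PREFIX, prefix, sizeof prefix);
    return off ? put_attr(buf, cap, off, NFULA_PAYLOAD, ip6, sizeof ip6) : 0;
}

/* Constructed sample: a mangle:POSTROUTING trace with NFULA_CT (placeholder nested blob) and NFULA_CT_INFO. */
size_t build_mangle_trace(uint8_t *buf, size_t cap)
{
    static const char prefix[] = "TRACE: mangle:POSTROUTING:policy:1 ";
    static const uint8_t ct_blob[8] = { 0x08, 0x00, 0x01, 0x00 };
    static const uint8_t ct_info_be[4] = { 0, 0, 0, IP_CT_ESTABLISHED };
    size_t off = put_attr(buf, cap, 0, NFULA_PREFIX, prefix, sizeof prefix);
    if (off) off = put_attr(buf, cap, off, (uint16_t)(NFULA_CT | NLA_F_NESTED), ct_blob, sizeof ct_blob);
    return off ? put_attr(buf, cap, off, NFULA_CT_INFO, ct_info_be, sizeof ct_info_be) : 0;
}
```

In a real consumer the buffer handed to nflog_scan_attrs() would be the attribute area after the nlmsghdr and nfgenmsg of a message read from the nflog socket; here build_raw_trace() and build_mangle_trace() synthesize it so the check runs without root or a live netlink socket. The raw-table rule in nflog_ct_verdict() rests on the hook ordering the thread ends on: raw is registered at priority NF_IP_PRI_RAW (-300), conntrack at NF_IP_PRI_CONNTRACK (-200), so at the raw hooks no conntrack entry exists yet for nfulnl_log_packet() to attach, whichever address family the packet belongs to.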
