Issue with 2.6.32 kernel and iptables-1.4.5
NetFlow iptables module for Linux kernel
Brought to you by:
aabc
Menu
▾
▴
#31 Issue with 2.6.32 kernel and iptables-1.4.5
debian:/usr/src/ipt_netflow# make
Compiling for kernel 2.6.32
make -C /lib/modules/2.6.32/build M=/usr/src/ipt_netflow modules
make[1]: Entering directory `/usr/src/linux-2.6.32'
CC [M] /usr/src/ipt_netflow/ipt_NETFLOW.o
/usr/src/ipt_netflow/ipt_NETFLOW.c: In function ‘hsize_procctl’:
/usr/src/ipt_netflow/ipt_NETFLOW.c:319: warning: passing argument 5 of ‘proc_dointvec’ from incompatible pointer type
/usr/src/ipt_netflow/ipt_NETFLOW.c:319: error: too many arguments to function ‘proc_dointvec’
/usr/src/ipt_netflow/ipt_NETFLOW.c: In function ‘sndbuf_procctl’:
/usr/src/ipt_netflow/ipt_NETFLOW.c:345: warning: passing argument 5 of ‘proc_dointvec’ from incompatible pointer type
/usr/src/ipt_netflow/ipt_NETFLOW.c:345: error: too many arguments to function ‘proc_dointvec’
/usr/src/ipt_netflow/ipt_NETFLOW.c: In function ‘destination_procctl’:
/usr/src/ipt_netflow/ipt_NETFLOW.c:363: warning: passing argument 5 of ‘proc_dostring’ from incompatible pointer type
/usr/src/ipt_netflow/ipt_NETFLOW.c:363: error: too many arguments to function ‘proc_dostring’
/usr/src/ipt_netflow/ipt_NETFLOW.c: In function ‘aggregation_procctl’:
/usr/src/ipt_netflow/ipt_NETFLOW.c:378: warning: passing argument 5 of ‘proc_dostring’ from incompatible pointer type
/usr/src/ipt_netflow/ipt_NETFLOW.c:378: error: too many arguments to function ‘proc_dostring’
/usr/src/ipt_netflow/ipt_NETFLOW.c: At top level:
/usr/src/ipt_netflow/ipt_NETFLOW.c:423: warning: initialization from incompatible pointer type
/usr/src/ipt_netflow/ipt_NETFLOW.c:430: warning: initialization from incompatible pointer type
/usr/src/ipt_netflow/ipt_NETFLOW.c:438: warning: initialization from incompatible pointer type
/usr/src/ipt_netflow/ipt_NETFLOW.c:446: warning: initialization from incompatible pointer type
make[2]: *** [/usr/src/ipt_netflow/ipt_NETFLOW.o] Error 1
make[1]: *** [_module_/usr/src/ipt_netflow] Error 2
make[1]: Leaving directory `/usr/src/linux-2.6.32'
make: *** [ipt_NETFLOW.ko] Error 2
----------
I know there is no support kernel > 2.6.29 but 2.6.31.6 looks works well, so maybe 2.6.32 will suite some way?
2.6.30 got some work becasue people sent me patches, but it is still not completely tested or reviewed. Thanks for your bugreport, maybe ppl will send solutions!
The issue due to some sysctl changes.
Here the diff which resolve the issue. ( sorry,for not a complete patch)
========================
# diff ipt_netflow/ipt_NETFLOW.c ipt_netflow2/ipt_NETFLOW.c
311c311
< static int hsize_procctl(ctl_table *ctl, int write, struct file *filp,
---
> static int hsize_procctl(ctl_table *ctl, int write,
319c319
< ret = proc_dointvec(ctl, write, filp, buffer, lenp, fpos);
---
> ret = proc_dointvec(ctl, write, buffer, lenp, fpos);
329c329
< static int sndbuf_procctl(ctl_table *ctl, int write, struct file *filp,
---
> static int sndbuf_procctl(ctl_table *ctl, int write,
345c345
< ret = proc_dointvec(ctl, write, filp, buffer, lenp, fpos);
---
> ret = proc_dointvec(ctl, write, buffer, lenp, fpos);
358c358
< static int destination_procctl(ctl_table *ctl, int write, struct file *filp,
---
> static int destination_procctl(ctl_table *ctl, int write,
363c363
< ret = proc_dostring(ctl, write, filp, buffer, lenp, fpos);
---
> ret = proc_dostring(ctl, write, buffer, lenp, fpos);
371c371
< static int aggregation_procctl(ctl_table *ctl, int write, struct file *filp,
---
> static int aggregation_procctl(ctl_table *ctl, int write,
378c378
< ret = proc_dostring(ctl, write, filp, buffer, lenp, fpos);
---
> ret = proc_dostring(ctl, write, buffer, lenp, fpos);
------------
This broke compatibility with pre-2.6.32 kernel, so more advanced approach required.
here the compile screen
debian:/usr/src/ipt_netflow# make clean
make -C /lib/modules/2.6.32/build M=/usr/src/ipt_netflow clean
make[1]: Entering directory `/usr/src/linux-2.6.32'
make[1]: Leaving directory `/usr/src/linux-2.6.32'
rm -f *.so *.o modules.order
debian:/usr/src/ipt_netflow# rm /lib/modules/2.6.32/extra/ipt_NETFLOW.ko
rm: cannot remove `/lib/modules/2.6.32/extra/ipt_NETFLOW.ko': No such file or directory
debian:/usr/src/ipt_netflow# make
Compiling for kernel 2.6.32
make -C /lib/modules/2.6.32/build M=/usr/src/ipt_netflow modules
make[1]: Entering directory `/usr/src/linux-2.6.32'
CC [M] /usr/src/ipt_netflow/ipt_NETFLOW.o
Building modules, stage 2.
MODPOST 1 modules
CC /usr/src/ipt_netflow/ipt_NETFLOW.mod.o
LD [M] /usr/src/ipt_netflow/ipt_NETFLOW.ko
make[1]: Leaving directory `/usr/src/linux-2.6.32'
debian:/usr/src/ipt_netflow# make install
make -C /lib/modules/2.6.32/build M=/usr/src/ipt_netflow modules_install
make[1]: Entering directory `/usr/src/linux-2.6.32'
INSTALL /usr/src/ipt_netflow/ipt_NETFLOW.ko
DEPMOD 2.6.32
make[1]: Leaving directory `/usr/src/linux-2.6.32'
gcc -O2 -Wall -Wunused -I/lib/modules/2.6.32/build/include -I../iptables-1.4.5/include -DIPTABLES_VERSION=\"1.4.5\" -fPIC -o libipt_NETFLOW_sh.o -c libipt_NETFLOW.c
gcc -shared -o libipt_NETFLOW.so libipt_NETFLOW_sh.o
cp -a libipt_NETFLOW.so /lib/xtables
debian:/usr/src/ipt_netflow# lsmod
Module Size Used by
iptable_filter 2250 0
ip_tables 15755 1 iptable_filter
ip_set_ipmap 2922 2
ip_set_iphash 6588 1
ip_set 12381 4 ip_set_ipmap,ip_set_iphash
x_tables 14606 1 ip_tables
loop 13647 0
floppy 54171 0
serio_raw 3968 0
sr_mod 12026 0
pcspkr 1707 0
cdrom 33319 1 sr_mod
e1000 99204 0
debian:/usr/src/ipt_netflow# modprobe ipt_NETFLOW destination=127.0.0.1:9995
debian:/usr/src/ipt_netflow# sysctl -a|grep netflow
error: permission denied on key 'net.ipv4.route.flush'
net.netflow.active_timeout = 1800
net.netflow.inactive_timeout = 15
net.netflow.debug = 0
net.netflow.hashsize = 8191
net.netflow.sndbuf = 122880
net.netflow.destination = 127.0.0.1:9995
net.netflow.aggregation =
net.netflow.maxflows = 2000000
debian:/usr/src/ipt_netflow#
Thanks again! Does module works ok for you after patch?
Look like it works. I cant say is flow data is fully correct, and has no misses. But every my test passed well. No hangs of kernel traces detected on load unload module.
Main concern was does it crash kernel or not, and basically works. (Flow data should be corrrect as it correct for other versions of kernel, and doubtfully new kernel will affect that.) Thanks again for the patch and answers.
commit 8d65af789f3e2cf4cfbdbf71a0f7a61ebcd41d38
Author: Alexey Dobriyan <adobriyan@gmail.com>
Date: Wed Sep 23 15:57:19 2009 -0700
sysctl: remove "struct file *" argument of ->proc_handler
It's unused.
It isn't needed -- read or write flag is already passed and sysctl
shouldn't care about the rest.
It _was_ used in two places at arch/frv for some reason.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---------the root of the issue-----------
it for short period of time, but in general should be same on large amount of time.
---------------------------
[ 27.922988] ipt_netflow version 1.6 (8191 buckets)
[ 27.926998] netflow: registered: /proc/net/stat/ipt_netflow
[ 27.930959] netflow: registered: sysctl net.netflow
[ 27.934422] netflow: added destination 127.0.0.1:2055
[ 27.934997] ipt_netflow loaded.
[ 32.553246] ipt_netflow unloading..
[ 32.554001] netflow: remove destination 127.0.0.1:2055 (ffff88003f740dc0)
[ 32.557974] ipt_netflow unloaded.
[ 54.183770] ipt_netflow version 1.6 (8191 buckets)
[ 54.187981] netflow: registered: /proc/net/stat/ipt_netflow
[ 54.191960] netflow: registered: sysctl net.netflow
[ 54.195706] netflow: added destination 127.0.0.1:9995
[ 54.198351] ipt_netflow loaded.
[ 65.508722] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 77.536998] device lo entered promiscuous mode
[ 128.192994] device lo left promiscuous mode
[ 203.613835] ipt_netflow unloading..
[ 203.617179] netflow: remove destination 127.0.0.1:9995 (ffff88003f740dc0)
[ 203.618002] ipt_netflow unloaded.
[ 208.806999] device lo entered promiscuous mode
[ 213.075983] device lo left promiscuous mode
[ 235.312972] ip_set version 4 loaded
[ 256.098988] ipt_netflow version 1.6 (8191 buckets)
[ 256.102006] netflow: registered: /proc/net/stat/ipt_netflow
[ 256.105547] netflow: registered: sysctl net.netflow
[ 256.108004] netflow: added destination 127.0.0.1:9995
[ 256.110828] ipt_netflow loaded.
[ 277.873976] device lo entered promiscuous mode
[ 1122.791351] ipt_netflow unloading..
[ 1122.796643] netflow: remove destination 127.0.0.1:9995 (ffff88003a01b600)
[ 1122.799890] ipt_netflow unloaded.