Cannot build with --enable-natevents #187

Open
TTpartizan opened this issue Dec 15, 2021 · 8 comments

Comments

@TTpartizan

TTpartizan commented Dec 15, 2021

```
[root@shluz8x16 ipt-netflow]# ./configure --enable-natevents --disable-snmp-agent --ipt-src=/home/temp/iptables-1.8.7/
Module version: 2.6-7-g6a55739
Kernel version: 5.4.163-1.IMQ.el7.x86_64 (uname)
Kernel sources: /lib/modules/5.4.163-1.IMQ.el7.x86_64/build (found)
Checking for presence of include/linux/netfilter.h... Yes
netfilter.h uses CONFIG_NF_NAT_NEEDED... No
Checking for presence of include/linux/llist.h... Yes
Checking for presence of include/linux/grsecurity.h... No
Iptables binary version: 1.8.7 (legacy) (detected from /usr/sbin/iptables)
pkg-config for version 1.8.7 (legacy) exists: No
Check for working gcc: Yes (gcc)
Checking for presence of xtables.h... Yes
User specified source directory: /home/temp/iptables-1.8.7/
Found iptables sources at /home/temp/iptables-1.8.7/
Checking iptables sources version: 1.8.7 (legacy) (ok)
Iptables include flags: -I/home/temp/iptables-1.8.7//include (from source)
Iptables module path: /lib64/xtables/ (from libxtables.so, from binary)
Checking for DKMS... Yes.
Creating Makefile.. done.

If you need some options enabled run ./configure --help
Now run: make all install

[root@shluz8x16 ipt-netflow]# make all install
./gen_compat_def > compat_def.h-
Test function xt_family linux/netfilter_ipv4/ip_tables.h declared
Test struct timeval linux/ktime.h declared
Test struct proc_ops linux/proc_fs.h undeclared
Test function synchronize_sched linux/rcupdate.h undeclared
Test function nf_bridge_info_get linux/netfilter_bridge.h declared
Test struct vlan_dev_priv linux/if_vlan.h declared
Test function put_unaligned_be24 asm/unaligned.h undeclared
Test function totalram_pages linux/mm.h declared
Test symbol totalram_pages linux/mm.h declared
Test member nf_ct_event_notifier.ct_event net/netfilter/nf_conntrack_ecache.h undeclared
mv compat_def.h- compat_def.h
Compiling 2.6-7-g6a55739 for kernel 5.4.163-1.IMQ.el7.x86_64
make -C /lib/modules/5.4.163-1.IMQ.el7.x86_64/build M=/home/ipt-netflow modules
make[1]: Entering directory '/usr/src/kernels/5.4.163-1.IMQ.el7.x86_64'
  CC [M]  /home/ipt-netflow/ipt_NETFLOW.o
/home/ipt-netflow/ipt_NETFLOW.c: In function ‘netflow_conntrack_event’:
/home/ipt-netflow/ipt_NETFLOW.c:4622:36: warning: passing argument 2 of ‘notifier->fcn’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
 4622 |  ret = notifier->ct_event(events, item);
      |                                    ^~~~
/home/ipt-netflow/ipt_NETFLOW.c:4622:36: note: expected ‘struct nf_ct_event *’ but argument is of type ‘const struct nf_ct_event *’
/home/ipt-netflow/ipt_NETFLOW.c: At top level:
/home/ipt-netflow/ipt_NETFLOW.c:4687:14: error: initialization of ‘int (*)(unsigned int,  struct nf_ct_event *)’ from incompatible pointer type ‘int (*)(const unsigned int,  const struct nf_ct_event *)’ [-Werror=incompatible-pointer-types]
 4687 |  .ct_event = netflow_conntrack_event
      |              ^~~~~~~~~~~~~~~~~~~~~~~
/home/ipt-netflow/ipt_NETFLOW.c:4687:14: note: (near initialization for ‘ctnl_notifier.fcn’)
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:262: /home/ipt-netflow/ipt_NETFLOW.o] Error 1
make[1]: *** [Makefile:1734: /home/ipt-netflow] Error 2
make[1]: Leaving directory '/usr/src/kernels/5.4.163-1.IMQ.el7.x86_64'
make: *** [Makefile:27: ipt_NETFLOW.ko] Error 2
```

I cannot build with --enable-natevents on kernel 5.4.163, CentOS 7.
CONFIG_NF_CONNTRACK_EVENTS=y was already present.
CONFIG_NF_NAT_NEEDED=y was not, so I added it.
That did not help: the build strips CONFIG_NF_NAT_NEEDED=y. As I understand it, that option has been deprecated since 5.2.

@TTpartizan (Author)

```
make[1]: Entering directory '/usr/src/kernels/5.4.163-1.IMQNF.el7.x86_64'
  CC [M]  /home/ipt-netflow-2.6/ipt_NETFLOW.o
In file included from /home/ipt-netflow-2.6/ipt_NETFLOW.c:77:
/home/ipt-netflow-2.6/ipt_NETFLOW.c: In function ‘register_ct_events’:
/home/ipt-netflow-2.6/compat.h:174:21: error: implicit declaration of function ‘ref_module’; did you mean ‘use_module’? [-Werror=implicit-function-declaration]
  174 | # define use_module ref_module
      |                     ^~~~~~~~~~
/home/ipt-netflow-2.6/ipt_NETFLOW.c:5498:3: note: in expansion of macro ‘use_module’
 5498 |   use_module(THIS_MODULE, netlink_m);
      |   ^~~~~~~~~~
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:262: /home/ipt-netflow-2.6/ipt_NETFLOW.o] Error 1
make[1]: *** [Makefile:1734: /home/ipt-netflow-2.6] Error 2
make[1]: Leaving directory '/usr/src/kernels/5.4.163-1.IMQNF.el7.x86_64'
make: *** [Makefile:27: ipt_NETFLOW.ko] Error 2
```

I also tried building 2.6, with no positive result.

@TTpartizan (Author)

So, after

```
git reset --hard c0badb8
```

it built. Something broke with the 5.2 and 5.12 kernels.

@TTpartizan (Author)

Yes...

```
net.netflow.hashsize = 32768
net.netflow.maxflows = 5000000
net.netflow.sndbuf = 10485760
sysctl: cannot stat /proc/sys/net/netflow/natevents: No such file or directory
net.netflow.active_timeout = 300
net.netflow.protocol = 9
```

It built, but there is no natevents.

@TTpartizan (Author)

TTpartizan commented Dec 15, 2021

```
modinfo ipt_NETFLOW
filename:       /lib/modules/5.4.163-1.IMQNF.el7.x86_64/extra/ipt_NETFLOW.ko
alias:          ip6t_NETFLOW
version:        2.6-1-g352cdb2
description:    iptables NETFLOW target module
author:         abc@openwall.com
license:        GPL
srcversion:     D80E04E167D1AB6E01BB35E
depends:
retpoline:      Y
name:           ipt_NETFLOW
vermagic:       5.4.163-1.IMQNF.el7.x86_64 SMP mod_unload modversions
parm:           destination:export destination ipaddress:port (charp)
parm:           inactive_timeout:inactive flows timeout in seconds (int)
parm:           active_timeout:active flows timeout in seconds (int)
parm:           exportcpu:lock exporter to this cpu (int)
parm:           debug:debug verbosity level (int)
parm:           sndbuf:udp socket SNDBUF size (int)
parm:           protocol:netflow protocol version (5, 9, 10=IPFIX) (int)
parm:           refresh_rate:NetFlow v9/IPFIX refresh rate (packets) (uint)
parm:           timeout_rate:NetFlow v9/IPFIX timeout rate (minutes) (uint)
parm:           scan_min:Minimal interval between export scans (jiffies) (uint)
parm:           natevents:enable NAT Events (int)
parm:           hashsize:hash table size (int)
parm:           maxflows:maximum number of flows (int)
parm:           engine_id:Observation Domain ID (int)
```

@TTpartizan (Author)

TTpartizan commented Dec 15, 2021

The problem is that the module gets loaded ahead of the network :) If I unload and reload it, it picks up natevents.
I don't know how to make it load later, other than adding it to scripts.

@aabc (Owner)

aabc commented Dec 27, 2021

In principle, the module tries to load nf_conntrack_netlink (which is responsible for NAT events) before itself. So this may be a bug. How is it being loaded now, and which distribution is this?

@TTpartizan (Author)

TTpartizan commented Dec 28, 2021

Kernel 5.4.163, CentOS 7.
I removed it from modules-load, but it still gets loaded; I don't quite understand from where.
I simply added this to rc.local:

```
/sbin/modprobe -r ipt_NETFLOW
/sbin/modprobe ipt_NETFLOW destination=172.16.1.50:9994 protocol=9 natevents=1
```

English-speaking users have already reported this problem here.
And on the old server with the 4.8 kernel this problem did not occur.
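The rc.local workaround above, as an added shell example that is not code from the ipt-netflow project or from the reporter: it loads nf_conntrack_netlink explicitly first (the dependency aabc describes), reloads ipt_NETFLOW with natevents=1, and then checks that the natevents sysctl node actually exists instead of assuming the modprobe line worked. The modprobe path, the destination 172.16.1.50:9994 and the sysctl path are taken from this thread; the --apply guard and the variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from ipt-netflow or from the reporter's rc.local.
# Makes the load order explicit (nf_conntrack_netlink before ipt_NETFLOW) and
# verifies that natevents really came up, rather than trusting the modprobe.
# Assumptions: /sbin/modprobe exists; destination and sysctl path are the
# ones quoted in this issue; everything else is this example's own naming.

NATEVENTS_SYSCTL=${NATEVENTS_SYSCTL:-/proc/sys/net/netflow/natevents}
DEST=${DEST:-172.16.1.50:9994}

# natevents_enabled FILE: succeed only if the sysctl node exists and reads "1".
natevents_enabled() {
    [ -r "$1" ] || return 1
    [ "$(cat "$1")" = "1" ]
}

# reload_with_natevents: load the NAT-event provider first, then reload
# ipt_NETFLOW with natevents=1 and confirm the sysctl node appeared.
reload_with_natevents() {
    /sbin/modprobe nf_conntrack_netlink || return 1
    /sbin/modprobe -r ipt_NETFLOW 2>/dev/null
    /sbin/modprobe ipt_NETFLOW destination="$DEST" protocol=9 natevents=1 || return 1
    natevents_enabled "$NATEVENTS_SYSCTL"
}

main() {
    if natevents_enabled "$NATEVENTS_SYSCTL"; then
        echo "natevents already enabled"
    elif reload_with_natevents; then
        echo "natevents enabled after reload"
    else
        echo "natevents still missing after reload" >&2
        return 1
    fi
}

# Only touch the running system when invoked with --apply (e.g. from rc.local).
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh reload-netflow.sh --apply`; a non-zero exit means natevents is still absent and the boot-order problem is still present on this host.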

@sanlupkim

I've got a similar problem on Debian 9 (kernel 4.9).
After

```
git reset --hard c0badb8
```

I can compile it.
