  1. #1

    ip_conntrack won't work?

    I've got the latest grsec stable, but I'm having a problem with getting ip_conntrack working.

    I did the following with make menuconfig after copying my default kernels config file...

    Networking -> Networking support -> Networking options -> Network packet filtering
    framework (Netfilter) -> Core Netfilter -> Configuration -> Netfilter Xtables support
    (required for ip_tables) -> "conntrack" connection tracking match support.

    After a compile and reboot:

    error: "net.ipv4.netfilter.ip_conntrack_generic_timeout" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_icmp_timeout" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_udp_timeout" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_udp_timeout_stream" is an unknown key
    error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
    error: "net.ipv4.ip_conntrack_max" is an unknown key


    I did an ls on /lib/modules/2.6.27.10-grsec/kernel/net/ipv4/netfilter and don't see the modules that I see in the default kernels...

  2. #2
    Seems like you would need to download P-O-M (Patch-O-Matic) to enable this module for iptables...

  3. #3
    Did you look in /lib/modules/2.6.27.10-grsec/kernel/net/netfilter ?
    You may be using nf_conntrack_* instead.

    You can look in your '/proc' pseudo filesystem as well:
    # ls -l /proc/sys/net/ipv4/netfilter/
    # ls -l /proc/sys/net/netfilter/

  4. #4
    I think it is all nf_* after 2.6.24...
    Try out my opensource software DDoS Mitigation system at http://daedalous.net/

  5. #5
    Quote Originally Posted by whrss:
    Seems like you would need to download P-O-M (Patch-O-Matic) to enable this module for iptables...
    Tried, but I think it's too outdated:

    [[email protected] patch-o-matic-ng-20040621]# KERNEL_DIR=/usr/src/linux-2.6.27.10-grsec IPTABLES_DIR=/usr/src/iptables-1.4.4 ./runme <option here>
    Your iptables version is unknown for patch-o-matic at ./runme line 214


    Quote Originally Posted by khunj:
    Did you look in /lib/modules/2.6.27.10-grsec/kernel/net/netfilter ?
    You may be using nf_conntrack_* instead.

    You can look in your '/proc' pseudo file system as well :
    # ls -l /proc/sys/net/ipv4/netfilter/
    # ls -l /proc/sys/net/netfilter/
    /proc/sys/net/netfilter is there. So it's nf_ and not ip_ now?

  6. #6
    net.ipv4 handles IPv4 only and sooner or later will be deprecated. All nf_* stuff can handle both IPv4 and IPv6.
    Look inside your config file, there should be a nf_conntrack option or variable to activate before you can compile the source code.
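    As an added example (not from any poster in this thread), the following POSIX shell script rewrites the legacy ip_conntrack sysctl keys from post #1 into the nf_conntrack keys that posts #3, #4 and #6 point to, and reports which of them the running kernel actually exposes under /proc/sys. It assumes only that nf_conntrack sysctls live under net.netfilter, as they do on kernels from 2.6.24 onward.

```shell
#!/bin/sh
# Added example, not from this thread: map legacy net.ipv4.netfilter.ip_conntrack_*
# keys to their net.netfilter.nf_conntrack_* equivalents and check which exist.
# Note: the nf_conntrack sysctls only appear once the nf_conntrack module is
# loaded (or built in), so "missing" can also mean "module not loaded yet".

# Translate one legacy key to its nf_conntrack equivalent (pure string rewrite).
#   net.ipv4.netfilter.ip_conntrack_tcp_timeout_established
#     -> net.netfilter.nf_conntrack_tcp_timeout_established
#   net.ipv4.ip_conntrack_max -> net.netfilter.nf_conntrack_max
map_conntrack_key() {
    case "$1" in
        net.ipv4.netfilter.ip_conntrack_*)
            printf '%s\n' "net.netfilter.nf_conntrack_${1#net.ipv4.netfilter.ip_conntrack_}" ;;
        net.ipv4.ip_conntrack_*)
            printf '%s\n' "net.netfilter.nf_conntrack_${1#net.ipv4.ip_conntrack_}" ;;
        *)
            printf '%s\n' "$1" ;;   # already an nf_* key or unrelated: leave unchanged
    esac
}

# Return 0 if the kernel exposes the sysctl key (dots become slashes under /proc/sys).
sysctl_key_exists() {
    [ -e "/proc/sys/$(printf '%s' "$1" | tr . /)" ]
}

# Constructed sample input: a subset of the keys from the error output in post #1.
LEGACY_KEYS='net.ipv4.netfilter.ip_conntrack_generic_timeout
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established
net.ipv4.netfilter.ip_conntrack_udp_timeout
net.ipv4.netfilter.ip_conntrack_max
net.ipv4.ip_conntrack_max'

# Rewrite each legacy key and print "present: key = value" or "missing: key",
# so the present lines can be copied into sysctl.conf as-is.
report_conntrack_keys() {
    printf '%s\n' "$LEGACY_KEYS" | while IFS= read -r old; do
        new=$(map_conntrack_key "$old")
        if sysctl_key_exists "$new"; then
            printf 'present: %s = %s\n' "$new" "$(cat "/proc/sys/$(printf '%s' "$new" | tr . /)")"
        else
            printf 'missing: %s (nf_conntrack not loaded or not built?)\n' "$new"
        fi
    done
}

report_conntrack_keys
```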
