Re: [PATCH 1/1 ] Conntrack extensions : Interrupt timeout


 



Please don't drop the mailing list CC when replying.  There are people
here much more talented than myself that might be able to help.

On Sat, Dec 20, 2008 at 11:40 AM, Piotr Duszynski <regis44@xxxxxxxxx> wrote:
> Dear James,
>
> I have rewritten my code according to your advice. Unfortunately I am
> still getting the same exception (death_by_timeout()) at random
> moments (sometimes this occurs after creating many conntracks with nc
> www.google.com, another time instantly after the first TCP connection has
> been made). I would be very grateful if you could point me in the direction
> in which I should investigate this problem.
>
> I don't know if this has anything to do with it, but I am testing this patch on
> VMware Fedora 10 with SELinux enabled.
>
> Best regards
> Piotr Duszynski
>
> I have attached new patch to this e-mail :
>
> diff -uNr
> linux-2.6.27.i686.orig/include/linux/netfilter/nf_conntrack_common.h
> linux-2.6.27.i686.new/include/linux/netfilter/nf_conntrack_common.h
> ---
> linux-2.6.27.i686.orig/include/linux/netfilter/nf_conntrack_common.h
> 2008-11-28 07:31:14.000000000 +0100
> +++ linux-2.6.27.i686.new/include/linux/netfilter/nf_conntrack_common.h
> 2008-12-09 17:42:47.000000000 +0100
> @@ -73,6 +73,10 @@
>        /* Connection has fixed timeout. */
>        IPS_FIXED_TIMEOUT_BIT = 10,
>        IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
> +
> +       /* Connection has src L2 info */
> +       IPS_L2_INFO_BIT = 11,
> +       IPS_L2_INFO = (1 << IPS_L2_INFO_BIT),
>  };
>
>  /* Connection tracking event bits */
> diff -uNr
> linux-2.6.27.i686.orig/include/net/netfilter/nf_conntrack_extend.h
> linux-2.6.27.i686.new/include/net/netfilter/nf_conntrack_extend.h
> --- linux-2.6.27.i686.orig/include/net/netfilter/nf_conntrack_extend.h
> 2008-11-28 07:31:53.000000000 +0100
> +++ linux-2.6.27.i686.new/include/net/netfilter/nf_conntrack_extend.h
> 2008-12-14 04:16:44.000000000 +0100
> @@ -8,12 +8,14 @@
>        NF_CT_EXT_HELPER,
>        NF_CT_EXT_NAT,
>        NF_CT_EXT_ACCT,
> +       NF_CT_EXT_L2INFO,
>        NF_CT_EXT_NUM,
>  };
>
>  #define NF_CT_EXT_HELPER_TYPE struct nf_conn_help
>  #define NF_CT_EXT_NAT_TYPE struct nf_conn_nat
>  #define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter
> +#define NF_CT_EXT_L2INFO_TYPE struct nf_conn_l2info
>
>  /* Extensions: optional stuff which isn't permanently in struct. */
>  struct nf_ct_ext {
> diff -uNr
> linux-2.6.27.i686.orig/include/net/netfilter/nf_conntrack_l2info.h
> linux-2.6.27.i686.new/include/net/netfilter/nf_conntrack_l2info.h
> --- linux-2.6.27.i686.orig/include/net/netfilter/nf_conntrack_l2info.h
> 1970-01-01 01:00:00.000000000 +0100
> +++ linux-2.6.27.i686.new/include/net/netfilter/nf_conntrack_l2info.h
> 2008-12-19 06:58:47.000000000 +0100
> @@ -0,0 +1,39 @@
> +#ifndef _NF_CONNTRACK_L2INFO_H
> +#define _NF_CONNTRACK_L2INFO_H
> +
> +#include <linux/if_ether.h>
> +#include <linux/netfilter/nf_conntrack_tuple_common.h>
> +#include <net/netfilter/nf_conntrack_extend.h>
> +
> +struct nf_conn_l2info {
> +       // MAC only at the moment
> +       unsigned char src_addr[ETH_ALEN];
> +       unsigned char dst_addr[ETH_ALEN];
> +};
> +
> +
> +static inline
> +struct nf_conn_l2info  *nfct_l2info(const struct nf_conn *ct)
> +{
> +        return nf_ct_ext_find(ct,NF_CT_EXT_L2INFO);
> +}
> +
> +
> +static inline
> +struct nf_conn_l2info *nf_ct_l2info_ext_add(struct nf_conn *ct, gfp_t gfp)
> +{
> +       struct nf_conn_l2info *l2info;
> +
> +       l2info = nf_ct_ext_add(ct, NF_CT_EXT_L2INFO,GFP_ATOMIC);
> +        if (l2info == NULL) {
> +                            printk(KERN_INFO "failed to add L2INFO
> extension\n");
> +                            }
> +
> +       return l2info;
> +};
> +
> +extern int nf_conntrack_l2info_init(void);
> +extern void nf_conntrack_l2info_fini(void);
> +
> +
> +#endif
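Review bot: nf_ct_l2info_ext_add() takes a `gfp` parameter but ignores it and hard-codes GFP_ATOMIC in the nf_ct_ext_add() call; pass it through with `l2info = nf_ct_ext_add(ct, NF_CT_EXT_L2INFO, gfp);`. The `};` closing the function body is a stray semicolon at file scope and should be a plain `}`. An unconditional printk() for every failed allocation in the connection-creation path can flood the log under memory pressure, and since init_conntrack() ignores the return value the extension is effectively optional; a debug-level or rate-limited message plus a comment such as `/* Extension is optional: callers must tolerate nfct_l2info() returning NULL. */` would make that contract explicit. The header also uses printk, gfp_t and struct nf_conn without including the headers that declare them, so it presumably only compiles because every includer happens to pull them in first.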
> diff -uNr linux-2.6.27.i686.orig/net/netfilter/Kconfig
> linux-2.6.27.i686.new/net/netfilter/Kconfig
> --- linux-2.6.27.i686.orig/net/netfilter/Kconfig        2008-11-28
> 07:29:39.000000000 +0100
> +++ linux-2.6.27.i686.new/net/netfilter/Kconfig 2008-12-09
> 18:52:13.000000000 +0100
> @@ -380,6 +380,16 @@
>
>          To compile it as a module, choose M here.  If unsure, say N.
>
> +
> +config NETFILTER_XT_TARGET_L2INFO
> +       tristate  '"L2INFO" target support'
> +       depends on NETFILTER_XTABLES
> +       depends on NF_CONNTRACK
> +       help
> +         Adds L2 info to the connection
> +         If unsure, say `N'.
> +
> +
>  config NETFILTER_XT_TARGET_NOTRACK
>        tristate  '"NOTRACK" target support'
>        depends on NETFILTER_XTABLES
> diff -uNr linux-2.6.27.i686.orig/net/netfilter/Makefile
> linux-2.6.27.i686.new/net/netfilter/Makefile
> --- linux-2.6.27.i686.orig/net/netfilter/Makefile       2008-11-28
> 07:29:33.000000000 +0100
> +++ linux-2.6.27.i686.new/net/netfilter/Makefile        2008-12-19
> 20:35:01.000000000 +0100
> @@ -1,6 +1,6 @@
>  netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o
>
> -nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o
> nf_conntrack_expect.o nf_conntrack_helper.o nf_conntrack_proto.o
> nf_conntrack_l3proto_generic.o nf_conntrack_proto_generic.o
> nf_conntrack_proto_tcp.o nf_conntrack_proto_udp.o nf_conntrack_extend.o
> nf_conntrack_acct.o
> +nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o
> nf_conntrack_expect.o nf_conntrack_helper.o nf_conntrack_proto.o
> nf_conntrack_l3proto_generic.o nf_conntrack_proto_generic.o
> nf_conntrack_proto_tcp.o nf_conntrack_proto_udp.o nf_conntrack_extend.o
> nf_conntrack_acct.o nf_conntrack_l2info.o
>  nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
>
>  obj-$(CONFIG_NETFILTER) = netfilter.o
> @@ -49,6 +49,7 @@
>  obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o
>  obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
>  obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
> +obj-$(CONFIG_NETFILTER_XT_TARGET_L2INFO) += xt_L2INFO.o
>  obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
>  obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
>
> diff -uNr linux-2.6.27.i686.orig/net/netfilter/nf_conntrack_core.c
> linux-2.6.27.i686.new/net/netfilter/nf_conntrack_core.c
> --- linux-2.6.27.i686.orig/net/netfilter/nf_conntrack_core.c    2008-11-28
> 07:29:33.000000000 +0100
> +++ linux-2.6.27.i686.new/net/netfilter/nf_conntrack_core.c     2008-12-19
> 06:55:31.000000000 +0100
> @@ -38,6 +38,7 @@
>  #include <net/netfilter/nf_conntrack_core.h>
>  #include <net/netfilter/nf_conntrack_extend.h>
>  #include <net/netfilter/nf_conntrack_acct.h>
> +#include <net/netfilter/nf_conntrack_l2info.h>
>
>  #define NF_CONNTRACK_VERSION   "0.5.0"
>
> @@ -557,6 +558,7 @@
>        }
>
>        nf_ct_acct_ext_add(ct, GFP_ATOMIC);
> +       nf_ct_l2info_ext_add(ct, GFP_ATOMIC);
>
>        spin_lock_bh(&nf_conntrack_lock);
>        exp = nf_ct_find_expectation(tuple);
> @@ -1032,6 +1034,8 @@
>        nf_ct_free_hashtable(nf_conntrack_hash, nf_conntrack_vmalloc,
>                             nf_conntrack_htable_size);
>
> +
> +       nf_conntrack_l2info_fini();
>        nf_conntrack_acct_fini();
>        nf_conntrack_expect_fini();
>        nf_conntrack_helper_fini();
> @@ -1178,6 +1182,11 @@
>        ret = nf_conntrack_acct_init();
>        if (ret < 0)
>                goto out_fini_helper;
> +
> +       ret = nf_conntrack_l2info_init();
> +       if (ret < 0)
> +               goto out_fini_helper;
> +
>
>        /* For use by REJECT target */
>        rcu_assign_pointer(ip_ct_attach, nf_conntrack_attach);
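Review bot: The new error path `goto out_fini_helper` skips nf_conntrack_acct_fini(), so a failed nf_conntrack_l2info_init() leaves the acct extension registered while the rest of the init unwinds. The unwinding labels are outside the hunk, but the fix is a new label: change the new line to `goto out_fini_acct;` and add `out_fini_acct:` followed by `nf_conntrack_acct_fini();` immediately before the existing `out_fini_helper:` label so the fall-through order stays intact. The enclosing function continues outside the hunk.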
> diff -uNr linux-2.6.27.i686.orig/net/netfilter/nf_conntrack_l2info.c
> linux-2.6.27.i686.new/net/netfilter/nf_conntrack_l2info.c
> --- linux-2.6.27.i686.orig/net/netfilter/nf_conntrack_l2info.c
> 1970-01-01 01:00:00.000000000 +0100
> +++ linux-2.6.27.i686.new/net/netfilter/nf_conntrack_l2info.c   2008-12-19
> 23:37:04.000000000 +0100
> @@ -0,0 +1,33 @@
> +#include <linux/netfilter.h>
> +#include <linux/kernel.h>
> +#include <linux/moduleparam.h>
> +#include <net/netfilter/nf_conntrack.h>
> +#include <net/netfilter/nf_conntrack_extend.h>
> +#include <net/netfilter/nf_conntrack_l2info.h>
> +
> +MODULE_PARM_DESC(acct, "Enable l2info tracking.");
> +
> +static struct nf_ct_ext_type l2info_extend __read_mostly = {
> +       .len            = sizeof(struct nf_conn_l2info),
> +       .align          = __alignof__(struct nf_conn_l2info),
> +       .id             = NF_CT_EXT_L2INFO,
> +};
> +
> +int nf_conntrack_l2info_init(void)
> +{
> +
> +       int ret;
> +
> +       ret = nf_ct_extend_register(&l2info_extend);
> +       if (ret < 0) {
> +               printk(KERN_ERR "Unable to register L2INFO extension\n");
> +               return ret;
> +       }
> +
> +       return 0;
> +}
> +
> +void nf_conntrack_l2info_fini(void)
> +{
> +       nf_ct_extend_unregister(&l2info_extend);
> +}
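Review bot: `MODULE_PARM_DESC(acct, "Enable l2info tracking.")` documents a module parameter named `acct` that this file never declares with module_param(), so it appears to be a copy-paste leftover from nf_conntrack_acct.c; drop it together with the `<linux/moduleparam.h>` include, or add a real `module_param` if a runtime switch is intended. nf_conntrack_l2info_init() would benefit from a one-line header comment stating its contract, e.g. `/* Register the per-conntrack L2 extension; nf_conntrack_init() aborts when this fails. */`, since the caller in nf_conntrack_core.c treats a negative return as fatal.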
> diff -uNr linux-2.6.27.i686.orig/net/netfilter/nf_conntrack_standalone.c
> linux-2.6.27.i686.new/net/netfilter/nf_conntrack_standalone.c
> --- linux-2.6.27.i686.orig/net/netfilter/nf_conntrack_standalone.c
> 2008-11-28 07:29:39.000000000 +0100
> +++ linux-2.6.27.i686.new/net/netfilter/nf_conntrack_standalone.c
> 2008-12-19 07:27:41.000000000 +0100
> @@ -26,6 +26,8 @@
>  #include <net/netfilter/nf_conntrack_expect.h>
>  #include <net/netfilter/nf_conntrack_helper.h>
>  #include <net/netfilter/nf_conntrack_acct.h>
> +#include <net/netfilter/nf_conntrack_l2info.h>
> +
>
>  MODULE_LICENSE("GPL");
>
> @@ -151,6 +153,32 @@
>        if (test_bit(IPS_ASSURED_BIT, &ct->status))
>                if (seq_printf(s, "[ASSURED] "))
>                        return -ENOSPC;
> +       if (test_bit(IPS_L2_INFO, &ct->status))
> +           {
> +               if (seq_printf(s, "[L2INFO] "))
> +                       return -ENOSPC;
> +               struct nf_conn_l2info* l2info = nfct_l2info(ct);
> +
> +               if (!l2info)
> +                       return -ENOSPC;
> +
> +               int
> ret=seq_printf(s,"[%.2x:%.2x:%.2x:%.2x:%.2x:%.2x]<->[%.2x:%.2x:%.2x:%.2x:%.2x:%.2x]
> ",
> +                l2info->src_addr[0],
> +                l2info->src_addr[1],
> +                l2info->src_addr[2],
> +                l2info->src_addr[3],
> +                l2info->src_addr[4],
> +                l2info->dst_addr[5],
> +                l2info->dst_addr[0],
> +                l2info->dst_addr[1],
> +                l2info->dst_addr[2],
> +                l2info->dst_addr[3],
> +                l2info->dst_addr[4],
> +                l2info->dst_addr[5]);
> +
> +               if (ret)
> +               return -ENOSPC;
> +           }
>
>  #if defined(CONFIG_NF_CONNTRACK_MARK)
>        if (seq_printf(s, "mark=%u ", ct->mark))
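Review bot: `test_bit(IPS_L2_INFO, &ct->status)` passes the mask (1 << 11) where test_bit() expects a bit number, so it tests bit 2048 of `status`, which lies far outside the field; the same mistake appears in xt_L2INFO.c as `test_bit(IPS_L2_INFO, ...)` and `set_bit(IPS_L2_INFO, ...)`, where the set_bit() writes outside the conntrack object and is a plausible cause of the random death_by_timeout() crashes described above. Use the bit index in all three places: `if (test_bit(IPS_L2_INFO_BIT, &ct->status))`. The seq_printf() arguments also print `l2info->dst_addr[5]` as the sixth source byte; it should be `l2info->src_addr[5],`. Declaring `l2info` and `ret` after the first seq_printf() call is a declaration-after-statement, which the kernel build warns about; hoist both declarations to the top of the block.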
> diff -uNr linux-2.6.27.i686.orig/net/netfilter/xt_L2INFO.c
> linux-2.6.27.i686.new/net/netfilter/xt_L2INFO.c
> --- linux-2.6.27.i686.orig/net/netfilter/xt_L2INFO.c    1970-01-01
> 01:00:00.000000000 +0100
> +++ linux-2.6.27.i686.new/net/netfilter/xt_L2INFO.c     2008-12-19
> 06:54:02.000000000 +0100
> @@ -0,0 +1,113 @@
> +#include <linux/skbuff.h>
> +#include <linux/netfilter/x_tables.h>
> +#include <net/netfilter/nf_conntrack.h>
> +#include <linux/ip.h>
> +#include <net/checksum.h>
> +#include <net/netfilter/nf_conntrack_l2info.h>
> +#include <linux/kernel.h>
> +#include <linux/module.h>
> +#include <linux/netfilter.h>
> +#include <linux/netfilter_ipv4.h>
> +#include <linux/inet.h>
> +#include <linux/version.h>
> +
> +
> +MODULE_AUTHOR("Piotr Duszynski L2 info target");
> +MODULE_DESCRIPTION("x_tables per-conntrack L2info target");
> +MODULE_LICENSE("GPL");
> +
> +
> +static unsigned int target(struct sk_buff *skb,
> +       const struct net_device *in,
> +       const struct net_device *out,
> +       unsigned int hooknum,
> +       const struct xt_target *target,
> +       const void *targinfo)
> +{
> +       struct nf_conn_l2info *l2info ;
> +       struct nf_conn *ct;
> +       enum ip_conntrack_info ctinfo;
> +       struct ethhdr *eth;
> +
> +       ct = nf_ct_get(skb, &ctinfo);
> +
> +       if (ct && (! test_bit(IPS_L2_INFO,&ct->status)))
> +       {
> +
> +       if(IP_CT_ESTABLISHED!=ctinfo
> +       && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY)
> +       return XT_CONTINUE;
> +
> +       if (  IP_CT_ESTABLISHED==ctinfo)
> +       printk(KERN_INFO "L2INFO ESTABLISHED\n");
> +       if ( ctinfo == IP_CT_ESTABLISHED+IP_CT_IS_REPLY)
> +       printk(KERN_INFO "L2INFO REPLY ESTABLISHED\n");
> +
> +               l2info = nfct_l2info(ct);
> +               if (!l2info) {
> +                       printk(KERN_INFO "failed to find L2INFO extension\n");
> +                       return XT_CONTINUE;
> +                       }
> +
> +               eth = (struct ethhdr *)skb_mac_header(skb);
> +               printk( KERN_INFO "L2INFO: [ %.2x:%.2x:%.2x:%.2x:%.2x:%.2x ->
> %.2x:%.2x:%.2x:%.2x:%.2x:%.2x] \n",
> +                 eth->h_source[0],
> +                 eth->h_source[1],
> +                 eth->h_source[2],
> +                 eth->h_source[3],
> +                 eth->h_source[4],
> +                 eth->h_source[5],
> +                 eth->h_dest[0],
> +                 eth->h_dest[1],
> +                 eth->h_dest[2],
> +                 eth->h_dest[3],
> +                 eth->h_dest[4],
> +                 eth->h_dest[5]);
> +
> +               l2info->src_addr[0]=eth->h_source[0];
> +                l2info->src_addr[1]=eth->h_source[1];
> +                l2info->src_addr[2]=eth->h_source[2];
> +                l2info->src_addr[3]=eth->h_source[3];
> +                l2info->src_addr[4]=eth->h_source[4];
> +                l2info->src_addr[5]=eth->h_source[5];
> +                l2info->dst_addr[0]=eth->h_dest[0];
> +                l2info->dst_addr[1]=eth->h_dest[1];
> +                l2info->dst_addr[2]=eth->h_dest[2];
> +                l2info->dst_addr[3]=eth->h_dest[3];
> +                l2info->dst_addr[4]=eth->h_dest[4];
> +                l2info->dst_addr[5]=eth->h_dest[5];
> +
> +               //memcpy(l2info->src_addr,eth->h_source,sizeof( unsigned char
> )*ETH_ALEN );
> +               //memcpy(l2info->src_addr,eth->h_dest,sizeof( unsigned char )*ETH_ALEN );
> +               set_bit(IPS_L2_INFO,&ct->status);
> +       }
> +               return XT_CONTINUE;
> +}
> +
> +
> +static struct xt_target xt_l2info __read_mostly = {
> +               .name           = "L2INFO",
> +               .family         = AF_INET,
> +               .target         = target,
> +               .me             = THIS_MODULE,
> +};
> +
> +static int __init xt_l2info_init(void)
> +{
> +       int ret;
> +
> +       ret = xt_register_target(&xt_l2info);
> +       if (ret < 0)
> +       printk(KERN_ERR "xt_L2INFO: Unable to register target \n");
> +
> +       return ret;
> +}
> +
> +static void __exit xt_l2info_fin(void)
> +{
> +       xt_unregister_target(&xt_l2info);
> +}
> +
> +module_init(xt_l2info_init);
> +module_exit(xt_l2info_fin);
> +
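Review bot: target() dereferences `skb_mac_header(skb)` as an Ethernet header without checking that a MAC header exists or that the link layer is Ethernet; the target is registered for AF_INET with no `.hooks` restriction, so for locally generated packets or non-Ethernet devices `eth` may point at garbage. Add, before the first use of `eth`, `if (!skb_mac_header_was_set(skb) || !in || in->type != ARPHRD_ETHER) return XT_CONTINUE;` (ARPHRD_ETHER comes from `<linux/if_arp.h>`), or restrict `.hooks` to the input-side hooks where `in` is valid. The twelve per-byte assignments are clearer as `memcpy(l2info->src_addr, eth->h_source, ETH_ALEN);` and `memcpy(l2info->dst_addr, eth->h_dest, ETH_ALEN);`; note that the commented-out memcpy lines copy h_dest into src_addr, so they should not be revived as written. The three KERN_INFO printk() calls run for every packet reaching the target on a newly established connection and will flood the log on a busy host; pr_debug() or a rate-limited printk is more appropriate.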
>
>
>
> James King wrote:
>> On Wed, Dec 17, 2008 at 12:22 PM, Piotr Duszynski <regis44@xxxxxxxxx> wrote:
>>> I wanted to write a module that would track all the MAC information for
>>> all established connections. Unfortunately, after the module is loaded
>>> and all the information is being properly recorded to the conntrack
>>> computer hangs. I can see that it is related to an interrupt timeout,
>>> but after several hours of trying to fix this I am still in the same
>>> spot. I would really appreciate any guidance in this matter.
>>>
>>> +               l2info = nfct_l2info(ct);
>>> +               if (!l2info) {
>>> +                       printk(KERN_INFO "Adding L2INFO extension\n");
>>> +                       l2info = nf_ct_ext_add(ct, NF_CT_EXT_L2INFO,GFP_ATOMIC);
>>
>> You shouldn't call nf_ct_ext_add from within your target, as your
>> private structure needs to be added before the conntrack is confirmed
>> (preferably at allocation time).  From _nf_ct_ext_add() in
>> nf_conntrack_extend.c:
>>
>>  /* Conntrack must not be confirmed to avoid races on reallocation. */
>> NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
>>
>> Take a look at init_conntrack() in nf_conntrack_core.c to see how
>> nf_conntrack_acct does it.  lxr.linux.no is your friend :)
>>
>> HTH,
>> James
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

