
Cannot build with --enable-natevents

Open TTpartizan opened this issue 4 years ago • 8 comments

```
[root@shluz8x16 ipt-netflow]# ./configure --enable-natevents --disable-snmp-agent --ipt-src=/home/temp/iptables-1.8.7/
Module version: 2.6-7-g6a55739
Kernel version: 5.4.163-1.IMQ.el7.x86_64 (uname)
Kernel sources: /lib/modules/5.4.163-1.IMQ.el7.x86_64/build (found)
Checking for presence of include/linux/netfilter.h... Yes
netfilter.h uses CONFIG_NF_NAT_NEEDED... No
Checking for presence of include/linux/llist.h... Yes
Checking for presence of include/linux/grsecurity.h... No
Iptables binary version: 1.8.7 (legacy) (detected from /usr/sbin/iptables)
pkg-config for version 1.8.7 (legacy) exists: No
Check for working gcc: Yes (gcc)
Checking for presence of xtables.h... Yes
User specified source directory: /home/temp/iptables-1.8.7/
Found iptables sources at /home/temp/iptables-1.8.7/
Checking iptables sources version: 1.8.7 (legacy) (ok)
Iptables include flags: -I/home/temp/iptables-1.8.7//include (from source)
Iptables module path: /lib64/xtables/ (from libxtables.so, from binary)
Checking for DKMS... Yes.
Creating Makefile.. done.

If you need some options enabled run ./configure --help
Now run: make all install

[root@shluz8x16 ipt-netflow]# make all install
./gen_compat_def > compat_def.h-
Test function xt_family linux/netfilter_ipv4/ip_tables.h declared
Test struct timeval linux/ktime.h declared
Test struct proc_ops linux/proc_fs.h undeclared
Test function synchronize_sched linux/rcupdate.h undeclared
Test function nf_bridge_info_get linux/netfilter_bridge.h declared
Test struct vlan_dev_priv linux/if_vlan.h declared
Test function put_unaligned_be24 asm/unaligned.h undeclared
Test function totalram_pages linux/mm.h declared
Test symbol totalram_pages linux/mm.h declared
Test member nf_ct_event_notifier.ct_event net/netfilter/nf_conntrack_ecache.h undeclared
mv compat_def.h- compat_def.h
Compiling 2.6-7-g6a55739 for kernel 5.4.163-1.IMQ.el7.x86_64
make -C /lib/modules/5.4.163-1.IMQ.el7.x86_64/build M=/home/ipt-netflow modules
make[1]: Entering directory '/usr/src/kernels/5.4.163-1.IMQ.el7.x86_64'
  CC [M]  /home/ipt-netflow/ipt_NETFLOW.o
/home/ipt-netflow/ipt_NETFLOW.c: In function ‘netflow_conntrack_event’:
/home/ipt-netflow/ipt_NETFLOW.c:4622:36: warning: passing argument 2 of ‘notifier->fcn’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
 4622 |   ret = notifier->ct_event(events, item);
      |                                    ^~~~
/home/ipt-netflow/ipt_NETFLOW.c:4622:36: note: expected ‘struct nf_ct_event *’ but argument is of type ‘const struct nf_ct_event *’
/home/ipt-netflow/ipt_NETFLOW.c: At top level:
/home/ipt-netflow/ipt_NETFLOW.c:4687:14: error: initialization of ‘int (*)(unsigned int, struct nf_ct_event *)’ from incompatible pointer type ‘int (*)(const unsigned int, const struct nf_ct_event *)’ [-Werror=incompatible-pointer-types]
 4687 |  .ct_event = netflow_conntrack_event
      |              ^~~~~~~~~~~~~~~~~~~~~~~
/home/ipt-netflow/ipt_NETFLOW.c:4687:14: note: (near initialization for ‘ctnl_notifier.fcn’)
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:262: /home/ipt-netflow/ipt_NETFLOW.o] Error 1
make[1]: *** [Makefile:1734: /home/ipt-netflow] Error 2
make[1]: Leaving directory '/usr/src/kernels/5.4.163-1.IMQ.el7.x86_64'
make: *** [Makefile:27: ipt_NETFLOW.ko] Error 2
```

Cannot build with --enable-natevents on kernel 5.4.163, CentOS 7. CONFIG_NF_CONNTRACK_EVENTS=y was present; CONFIG_NF_NAT_NEEDED=y was not, so I added it. That did not help: during compilation it drops CONFIG_NF_NAT_NEEDED=y, and as I understand it that option has been deprecated since 5.2.

TTpartizan Dec 15 '21 15:12

```
make[1]: Entering directory '/usr/src/kernels/5.4.163-1.IMQNF.el7.x86_64'
  CC [M]  /home/ipt-netflow-2.6/ipt_NETFLOW.o
In file included from /home/ipt-netflow-2.6/ipt_NETFLOW.c:77:
/home/ipt-netflow-2.6/ipt_NETFLOW.c: In function ‘register_ct_events’:
/home/ipt-netflow-2.6/compat.h:174:21: error: implicit declaration of function ‘ref_module’; did you mean ‘use_module’? [-Werror=implicit-function-declaration]
  174 | # define use_module ref_module
      |                     ^~~~~~~~~~
/home/ipt-netflow-2.6/ipt_NETFLOW.c:5498:3: note: in expansion of macro ‘use_module’
 5498 |   use_module(THIS_MODULE, netlink_m);
      |   ^~~~~~~~~~
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:262: /home/ipt-netflow-2.6/ipt_NETFLOW.o] Error 1
make[1]: *** [Makefile:1734: /home/ipt-netflow-2.6] Error 2
make[1]: Leaving directory '/usr/src/kernels/5.4.163-1.IMQNF.el7.x86_64'
make: *** [Makefile:27: ipt_NETFLOW.ko] Error 2
```

I tried building 2.6 as well; no positive result.

TTpartizan Dec 15 '21 17:12

So after git reset --hard c0badb8323e76cff61a0dbf191769b607c7245e9 it built. Something broke with the 5.2 and 5.12 kernels.

TTpartizan Dec 15 '21 17:12

Yes..

```
net.netflow.hashsize = 32768
net.netflow.maxflows = 5000000
net.netflow.sndbuf = 10485760
sysctl: cannot stat /proc/sys/net/netflow/natevents: No such file or directory
net.netflow.active_timeout = 300
net.netflow.protocol = 9
```

It built, but there is no natevents.

TTpartizan Dec 15 '21 18:12

```
modinfo ipt_NETFLOW
filename:       /lib/modules/5.4.163-1.IMQNF.el7.x86_64/extra/ipt_NETFLOW.ko
alias:          ip6t_NETFLOW
version:        2.6-1-g352cdb2
description:    iptables NETFLOW target module
author:         [email protected]
license:        GPL
srcversion:     D80E04E167D1AB6E01BB35E
depends:
retpoline:      Y
name:           ipt_NETFLOW
vermagic:       5.4.163-1.IMQNF.el7.x86_64 SMP mod_unload modversions
parm:           destination:export destination ipaddress:port (charp)
parm:           inactive_timeout:inactive flows timeout in seconds (int)
parm:           active_timeout:active flows timeout in seconds (int)
parm:           exportcpu:lock exporter to this cpu (int)
parm:           debug:debug verbosity level (int)
parm:           sndbuf:udp socket SNDBUF size (int)
parm:           protocol:netflow protocol version (5, 9, 10=IPFIX) (int)
parm:           refresh_rate:NetFlow v9/IPFIX refresh rate (packets) (uint)
parm:           timeout_rate:NetFlow v9/IPFIX timeout rate (minutes) (uint)
parm:           scan_min:Minimal interval between export scans (jiffies) (uint)
parm:           natevents:enable NAT Events (int)
parm:           hashsize:hash table size (int)
parm:           maxflows:maximum number of flows (int)
parm:           engine_id:Observation Domain ID (int)
```

TTpartizan Dec 15 '21 19:12

The problem is that the module gets loaded before the network is up, jumping the gun :) If I unload it and load it again, it picks up natevents. I don't know how to make it load later, other than adding it to scripts.

TTpartizan Dec 15 '21 20:12

In theory, the module tries to load nf_conntrack_netlink (which is responsible for NAT events) before itself. So this may be a bug. How is it being loaded now, and which distribution is this?

aabc Dec 27 '21 14:12

Kernel 5.4.163, CentOS 7. I removed it from module-loads, but it still gets loaded; I don't quite understand from where. In rc.local I simply added:

```
/sbin/modprobe -r ipt_NETFLOW
/sbin/modprobe ipt_NETFLOW destination=172.16.1.50:9994 protocol=9 natevents=1
```

English-speaking users have already reported this problem here. And on the old server with a 4.8 kernel this problem did not occur.

TTpartizan Dec 28 '21 10:12
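The reload workaround above can be made less fragile by checking the prerequisite explicitly and verifying the result. The script below is an added example, not code from the ipt-netflow project or from anyone in this thread: it ensures nf_conntrack_netlink is loaded before (re)loading ipt_NETFLOW with natevents=1, then confirms that /proc/sys/net/netflow/natevents exists (the file that was missing in the sysctl output earlier). The collector address and parameters are the ones posted above; the lsmod listings at the bottom are constructed samples for offline checking, and running it from a late boot unit (for example a systemd oneshot ordered After=network-online.target) is an assumption.

```shell
#!/bin/sh
# Added example, not part of the ipt-netflow project: load the conntrack
# netlink module first, then reload ipt_NETFLOW with natevents=1 and verify.
# Run with --apply as root from a late boot unit; without it only the
# offline checks on the constructed samples below are defined.

NETFLOW_DEST="${NETFLOW_DEST:-172.16.1.50:9994}"  # collector from the thread
NETFLOW_PROTO="${NETFLOW_PROTO:-9}"

# module_loaded NAME LSMOD_TEXT: success if NAME is in the first column of
# lsmod output (exact match, so "Used by" entries do not count).
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '
        NR > 1 && $1 == m { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# natevents_ready LSMOD_TEXT: success when nf_conntrack_netlink is loaded,
# which ipt_NETFLOW needs for NAT events (modinfo shows no "depends:" entry,
# so nothing forces this ordering at load time).
natevents_ready() {
    module_loaded nf_conntrack_netlink "$1"
}

# reload_netflow_with_natevents: ensure the prerequisite, reload the target
# module with natevents=1, and check that the sysctl appeared and reads 1.
# Note: modprobe -r fails with "module in use" while iptables rules still
# reference the NETFLOW target, so run this before the ruleset is loaded.
reload_netflow_with_natevents() {
    lsmod_now=$(lsmod)
    if ! natevents_ready "$lsmod_now"; then
        /sbin/modprobe nf_conntrack_netlink || return 1
    fi
    if module_loaded ipt_NETFLOW "$lsmod_now"; then
        /sbin/modprobe -r ipt_NETFLOW || return 1
    fi
    /sbin/modprobe ipt_NETFLOW destination="$NETFLOW_DEST" \
        protocol="$NETFLOW_PROTO" natevents=1 || return 1
    [ -r /proc/sys/net/netflow/natevents ] &&
        [ "$(cat /proc/sys/net/netflow/natevents)" = "1" ]
}

# Constructed lsmod samples (not captured from a real host) for offline checks.
SAMPLE_WITHOUT='Module                  Size  Used by
ipt_NETFLOW           131072  1
nf_conntrack          172032  3 ipt_NETFLOW,nf_nat,xt_conntrack'
SAMPLE_WITH='Module                  Size  Used by
nf_conntrack_netlink   57344  0
ipt_NETFLOW           131072  1
nf_conntrack          172032  4 ipt_NETFLOW,nf_nat,nf_conntrack_netlink,xt_conntrack'

if [ "${1:-}" = "--apply" ]; then
    reload_netflow_with_natevents
fi
```

The check at the end is the same one the thread used to notice the problem: when natevents was not picked up, the sysctl file simply does not exist, so a boot unit that runs this script and fails loudly makes the bad ordering visible instead of silently exporting flows without NAT events.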

I've got a similar problem on Debian 9 (kernel 4.9); after git reset --hard c0badb8 I can compile it.

sanlupkim Jan 13 '22 19:01