Build with conntrack_timestamp support

clutch2sft · December 20, 2022, 4:32pm

Trying to get timestamps from conntrack but cannot figure out how to build with support for same. Is this possible?

clutch2sft · December 24, 2022, 1:28pm

Ok I have been looking through the build system for a week-ish and am not figuring it out on my own. I have read old and new versions of developer documentation as well as poured through build logs leveraging V=sc trying to understand. The good news is that I am 1 week smarter about how the system works than I was 1 week ago. The bad news is I still don't fully get it.

Maybe a discussion can be had surrounding how a particular exisitng hack was built and that will help everyone understand more about the build system. Focusing on one hack I found, that seems to implement something like what I want to, on the MASTER it is 650-netfilter-add-xt_FLOWOFFLOAD-target.patch.

Ok so this "hack" in the 5.15 kernel sets up some new options in a few Kconfigs:

/net/ipv4/netfilter/Kconfig
/net/ipv6/netfilter/Kconfig
/net/netfilter/Kconfig

And so on. Great. But the patch itself doesn't seem to pick a default or setting for the options that are provided.

Looking for those options in "make menuconfig" I don't actually see them and the patch doesn't really appear to get applied until the make world process anyway. (maybe another make to build the kernel would also apply it but I didn't play with anything other than make world)

So can someone help explain how an option gets selected from this hack? for instance:

 config NF_FLOW_TABLE
 	tristate "Netfilter flow table module"
 	depends on NETFILTER_INGRESS
 	depends on NF_CONNTRACK
-	depends on NF_TABLES
 	help
 	  This option adds the flow table core infrastructure.

That is added by this hack. But how/where does that option get "set" as it doesn't seem to be builder choice anywhere.

johnth · December 24, 2022, 7:36pm

Thank you for putting in the time to start to work this out. There is always more to learn.

These kernel config symbols can be set from a number of places.

First is the generic config: https://github.com/openwrt/openwrt/blob/master/target/linux/generic/config-5.15
target, and subtarget config: example ath79: https://github.com/openwrt/openwrt/blob/master/target/linux/ath79/config-5.15
they can be adjusted by patches from generic, target, and subtarget
by OpenWrt options: https://github.com/openwrt/openwrt/blob/master/config/Config-kernel.in
by KernelPackages: example: https://github.com/openwrt/openwrt/blob/master/package/kernel/linux/modules/netfilter.mk

My general process, with some findings to try to help:

Look up the symbol in OpenWrt source, to see if it is configured or packaged anywhere: git grep NF_CONNTRACK_TIMESTAMP
No, only is not set in the generic config.
Look up the symbol in the linux source, to find out how it works (boolean or tri-state in Kconfig, and dependencies, and similar symbols): https://elixir.bootlin.com/linux/v5.15.85/K/ident/CONFIG_NF_CONNTRACK_TIMESTAMP
- built-in, depends on NETFILTER_ADVANCED
- there are a number of these depends on NETFILTER_ADVANCED config options, see if we can find a use example in OpenWrt

git grep 'NF_CONNTRACK_.*=y'
package/kernel/linux/modules/netfilter.mk:        CONFIG_NF_CONNTRACK_MARK=y \
package/kernel/linux/modules/netfilter.mk:        CONFIG_NF_CONNTRACK_ZONES=y \
package/kernel/linux/modules/netfilter.mk:  KCONFIG:=CONFIG_NF_CT_NETLINK CONFIG_NF_CONNTRACK_EVENTS=y CONFIG_NETFILTER_NETLINK_GLUE_CT=y

github.com

openwrt/openwrt/blob/59254010077c9086afee8a8b4c490943d6749065/package/kernel/linux/modules/netfilter.mk#L97


      
          
          $(eval $(call KernelPackage,ipt-core))
          
          
          define KernelPackage/nf-conntrack
            SUBMENU:=$(NF_MENU)
            TITLE:=Netfilter connection tracking
            KCONFIG:= \
                  CONFIG_NETFILTER=y \
                  CONFIG_NETFILTER_ADVANCED=y \
                  CONFIG_NF_CONNTRACK_MARK=y \
                  CONFIG_NF_CONNTRACK_ZONES=y \
          	$(KCONFIG_NF_CONNTRACK)
            FILES:=$(foreach mod,$(NF_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)
            AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_CONNTRACK-m)))
          endef
          
          define KernelPackage/nf-conntrack/install
          	$(INSTALL_DIR) $(1)/etc/sysctl.d
          	$(INSTALL_DATA) ./files/sysctl-nf-conntrack.conf $(1)/etc/sysctl.d/11-nf-conntrack.conf
          endef

This file shows that most of the netfilter parts are packaged as a kernel module. It is made more complex by an included file: https://github.com/openwrt/openwrt/blob/master/include/netfilter.mk, but we may be able to ignore that for now because our symbol is built-in, so we do not need to package a module.

I would try to add this symbol in netfilter.mk under the KCONFIG option for KernelPackage/nf-conntrack, then build kernel and see if the build system complains, if not, boot an initramfs and try it out.

--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -95,6 +95,7 @@ define KernelPackage/nf-conntrack
         CONFIG_NETFILTER=y \
         CONFIG_NETFILTER_ADVANCED=y \
         CONFIG_NF_CONNTRACK_MARK=y \
+        CONFIG_NF_CONNTRACK_TIMESTAMP=y \
         CONFIG_NF_CONNTRACK_ZONES=y \
        $(KCONFIG_NF_CONNTRACK)
   FILES:=$(foreach mod,$(NF_CONNTRACK-m),$(LINUX_DIR)/net/$(mod).ko)

Let us know if you need more hints.

clutch2sft · December 25, 2022, 1:43am

Yeah I'm a moron. Staring at me all along was

make kernel_menuconfig

Which delivered the settings I was looking for.

And I was all over the things you pointed out but I was so intent on making a user choice I missed that Boolean means "Built in."

So thankful for your detailed response! Using git grep (new to me) so much easier than files system grep that pulls in things from all sort of unneeded places! In all - this is a steep learning curve so thank you!

system · January 4, 2023, 1:43am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.