Conntrack-tools nfct command

laurent_omnia · December 18, 2019, 10:48am

Is there an OpenWRT package containing the "nfct" command to configure the connection tracking system (conntrack) ?
The "nfct" executable is part of Netfilter conntrack-tools projects .

Thanks,

Laurent

lleachii · December 18, 2019, 6:21pm

I installed every package that uses the same library that nfct uses. No joy.

laurent_omnia · December 19, 2019, 10:32am

OK,

Is there a solution to configure specific timeout values for some application protocols without using "nfct" command ?

For example I want to set a default UDP timeout with sysctl net.netfilter.nf_conntrack_udp_timeout = 120 and have shorter timeouts for some well known UDP protocols (like 30 seconds for DNS on port 53).

laurent_omnia · December 23, 2019, 9:09am

Accordoing to OpenWRT distribution "packages/blob/master/net/conntrack-tools/Makefile", Conntrack-tools package only contains :

conntrack : executable to list existing connections handlled by Netfilter connection tracking system
conntrackd : User-space daemon to interract with contrack, used by some distributed firewall systems

But NO nfct command

shm0 · February 17, 2020, 11:27pm

nfct executable gets build but isn't included in the final package.
I modified the makefile to also include nfct but it doesn't work.

nfct add timeout custom-tcp-policy1 inet tcp established 100
nfct v1.4.5: netlink error: Invalid argument

nfct add timeout dns inet
nfct v1.4.5: missing parameters
syntax: nfct add timeout name family protocol state1 timeout1 .

nfct add timeout dns inet tcp
nfct v1.4.5: netlink error: Invalid argument

It errors out as soon as when a level4 protocol is specified.

yousong · February 18, 2020, 10:35am

It depends on kernel feature NF_CT_NETLINK_TIMEOUT

shm0 · February 18, 2020, 10:47am

Good hint.
I tought having libnetfilter-cttimeout package enabled would enable
CONFIG_NF_CONNTRACK_TIMEOUT
but it does not.

yousong · February 18, 2020, 10:55am

Patches welcome

shm0 · February 18, 2020, 12:00pm

I'm not that familiar with the OpenWRT's package structure
But I guess, best would be to create a new netlink package in
package/kernel/linux/modules/netfilter.mk
something like this?
(to cover NF_CT_NETLINK_TIMEOUT)

define KernelPackage/nfnetlink-timeout
  TITLE:=Netfilter TIMEOUT over NFNETLINK interface
  FILES:=$(foreach mod,$(NFNETLINK_QUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
  KCONFIG:=$(KCONFIG_NFNETLINK_TIMEOUT)
  AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_TIMEOUT-m)))
  $(call AddDepends/nfnetlink)
endef

define KernelPackage/nfnetlink-timeout/description
 Kernel modules support for timeout policies via NFNETLINK
 Includes:
 - NFTIMEOUT
endef


$(eval $(call KernelPackage,nfnetlink-timeout))

I have no clue what the correct syntax for KCONFIG is.

I guess, NF_CONNTRACK_TIMEOUT needs also to be enabled.
For QUEUE (that also uses netlink) there is iptables target:

define KernelPackage/ipt-nfqueue
  TITLE:=Module for user-space packet queuing
  KCONFIG:=$(KCONFIG_IPT_NFQUEUE)
  FILES:=$(foreach mod,$(IPT_NFQUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFQUEUE-m)))
  $(call AddDepends/ipt,+kmod-nfnetlink-queue)
endef

define KernelPackage/ipt-nfqueue/description
 Netfilter module for user-space packet queuing
 Includes:
 - NFQUEUE
endef

$(eval $(call KernelPackage,ipt-nfqueue))

Would it be the right thing to adapt 'timeout' to this structure?

yousong · February 18, 2020, 1:06pm

I would suggest putting it into its own group. It's for nf_conntrack tuning, not quite related to what ipt-nfqueue is for.

As for packaging, you may find include/netfilter.mk useful, for kconfig names and kernel module paths, etc.

shm0 · February 18, 2020, 2:01pm

NF_CONNTRACK_TIMEOUT enables new iptabkes CT timeout target (-j CT --timeout)
So it is somewhat iptables related...

This option enables support for connection tracking timeout extension. This allows you to attach timeout policies to flow via the CT target.

If unsure, say `N'.

man iptables-extensions

CT
......
--timeout name
Use the timeout policy identified by name for the connection. This is provides more flexible timeout policy definition than global timeout values available at /proc/sys/net/netfilter/nf_conntrack_timeout.

So I guess those are both related?

yousong · February 18, 2020, 2:46pm

Sorry, I was a bit confused. There are two kconfig option involved here.

NF_CONNTRACK_TIMEOUT is for --timeout argument of iptables CT target. It's a bool option
NF_CT_NETLINK_TIMEOUT is a tristate option for tuning conntrack timeout via netlink

shm0 · February 18, 2020, 6:46pm

Okay, I got it working.
But I think, it is not the best solution but anyway, here it is:

diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 7eda8e6270..86383c6e3a 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -120,6 +120,18 @@ endef
 
 $(eval $(call KernelPackage,nf-conntrack6))
 
+define KernelPackage/nf-conntrack-timeout
+  SUBMENU:=$(NF_MENU)
+  TITLE:=Connection tracking timeout policy support
+  KCONFIG:= \
+       CONFIG_NF_CONNTRACK_TIMEOUT=y \
+       CONFIG_NF_CT_NETLINK_TIMEOUT
+    DEPENDS:=+kmod-nf-conntrack +kmod-nfnetlink +kmod-ipt-raw +IPV6:kmod-ipt-raw6 +libnetfilter-cttimeout
+  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_cttimeout.ko
+  AUTOLOAD:=$(call AutoProbe,nfnetlink_cttimeout)
+endef
+
+$(eval $(call KernelPackage,nf-conntrack-timeout))
 
 define KernelPackage/nf-nat
   SUBMENU:=$(NF_MENU)

I have no clue how to do a diff for a file in the packages feed.
feeds/packages/net/conntrack-tools/Makefile
Line 52-56:
Change to:

define Package/conntrack/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/conntrack $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nfct $(1)/usr/sbin/
endef

Usage:

nfct add timeout dns inet udp replied 10
nfct list timeout
.dns = {
        .l3proto = 2,
        .l4proto = 17,
        .policy = {
                .UNREPLIED = 10,
                .REPLIED = 10,
        },
};
iptables -I OUTPUT -t raw -p udp --dport 53 -j CT --timeout dns
iptables-save | grep 'timeout dns'
-A OUTPUT -p udp -m udp --dport 53 -j CT --timeout dns

//edit
Complete example to limit dns connections to a 10sec timeout:
/etc/firewall.user

IPT=$(which iptables)
IPT6=$(which ip6tables)

# Set custom timeout for dns connections
nfct add timeout dns4 inet udp replied 10 unreplied 10 > /dev/null 2>&1 || true
nfct add timeout dns6 inet6 udp replied 10 unreplied 10 > /dev/null 2>&1 || true

$IPT -I PREROUTING -t raw -p udp -m multiport --ports 53 -j CT --timeout dns4
$IPT -I OUTPUT -t raw -p udp -m multiport --ports 53 -j CT --timeout dns4
$IPT6 -I PREROUTING -t raw -p udp -m multiport --ports 53 -j CT --timeout dns6
$IPT6 -I OUTPUT -t raw -p udp -m multiport --ports 53 -j CT --timeout dns6

Note: seems like the "name" (dns4,dns6 in this example) is limited to 4 chars.
Only PREROUTING and OUTPUT can be used.

@yousong
Thank you for pointing me in the right direction.

tmomas · February 28, 2020, 6:49pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.