Is there an OpenWRT package containing the "nfct" command to configure the connection tracking system (conntrack)?
The "nfct" executable is part of the Netfilter conntrack-tools project.
Thanks,
Laurent
I installed every package that uses the same library that nfct uses. No joy.
OK,
Is there a solution to configure specific timeout values for some application protocols without using "nfct" command ?
For example I want to set a default UDP timeout with sysctl net.netfilter.nf_conntrack_udp_timeout = 120
and have shorter timeouts for some well known UDP protocols (like 30 seconds for DNS on port 53).
According to the OpenWRT distribution "packages/blob/master/net/conntrack-tools/Makefile", the conntrack-tools package only contains:
But NO nfct command
The nfct executable gets built but isn't included in the final package.
I modified the makefile to also include nfct but it doesn't work.
nfct add timeout custom-tcp-policy1 inet tcp established 100
nfct v1.4.5: netlink error: Invalid argument
nfct add timeout dns inet
nfct v1.4.5: missing parameters
syntax: nfct add timeout name family protocol state1 timeout1 .
nfct add timeout dns inet tcp
nfct v1.4.5: netlink error: Invalid argument
It errors out as soon as a level-4 protocol is specified.
It depends on kernel feature NF_CT_NETLINK_TIMEOUT
Good hint.
I thought having the libnetfilter-cttimeout package enabled would enable CONFIG_NF_CONNTRACK_TIMEOUT, but it does not.
Patches welcome
I'm not that familiar with OpenWRT's package structure.
But I guess, best would be to create a new netlink package in
package/kernel/linux/modules/netfilter.mk
something like this?
(to cover NF_CT_NETLINK_TIMEOUT)
define KernelPackage/nfnetlink-timeout
  TITLE:=Netfilter TIMEOUT over NFNETLINK interface
  FILES:=$(foreach mod,$(NFNETLINK_TIMEOUT-m),$(LINUX_DIR)/net/$(mod).ko)
  KCONFIG:=$(KCONFIG_NFNETLINK_TIMEOUT)
  AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_TIMEOUT-m)))
  $(call AddDepends/nfnetlink)
endef

define KernelPackage/nfnetlink-timeout/description
  Kernel modules support for timeout policies via NFNETLINK
  Includes:
  - NFTIMEOUT
endef

$(eval $(call KernelPackage,nfnetlink-timeout))
I have no clue what the correct syntax for KCONFIG is.
I guess NF_CONNTRACK_TIMEOUT also needs to be enabled.
For QUEUE (that also uses netlink) there is iptables target:
define KernelPackage/ipt-nfqueue
  TITLE:=Module for user-space packet queuing
  KCONFIG:=$(KCONFIG_IPT_NFQUEUE)
  FILES:=$(foreach mod,$(IPT_NFQUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFQUEUE-m)))
  $(call AddDepends/ipt,+kmod-nfnetlink-queue)
endef

define KernelPackage/ipt-nfqueue/description
  Netfilter module for user-space packet queuing
  Includes:
  - NFQUEUE
endef

$(eval $(call KernelPackage,ipt-nfqueue))
Would it be the right thing to adapt 'timeout' to this structure?
I would suggest putting it into its own group. It's for nf_conntrack tuning, not quite related to what ipt-nfqueue is for.
As for packaging, you may find include/netfilter.mk
useful, for kconfig names and kernel module paths, etc.
NF_CONNTRACK_TIMEOUT enables the new iptables CT timeout target (-j CT --timeout)
So it is somewhat iptables related...
This option enables support for connection tracking timeout extension. This allows you to attach timeout policies to flow via the CT target.
If unsure, say `N'.
man iptables-extensions
CT
......
--timeout name
Use the timeout policy identified by name for the connection. This provides more flexible timeout policy definition than the global timeout values available at /proc/sys/net/netfilter/nf_conntrack_timeout.
So I guess those are both related?
Sorry, I was a bit confused. There are two kconfig options involved here.
NF_CONNTRACK_TIMEOUT is for the --timeout argument of the iptables CT target. It's a bool option.
NF_CT_NETLINK_TIMEOUT is a tristate option for tuning conntrack timeout via netlink.
Okay, I got it working.
But I think it is not the best solution; anyway, here it is:
diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 7eda8e6270..86383c6e3a 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -120,6 +120,18 @@ endef
$(eval $(call KernelPackage,nf-conntrack6))
+define KernelPackage/nf-conntrack-timeout
+ SUBMENU:=$(NF_MENU)
+ TITLE:=Connection tracking timeout policy support
+ KCONFIG:= \
+ CONFIG_NF_CONNTRACK_TIMEOUT=y \
+ CONFIG_NF_CT_NETLINK_TIMEOUT
+ DEPENDS:=+kmod-nf-conntrack +kmod-nfnetlink +kmod-ipt-raw +IPV6:kmod-ipt-raw6 +libnetfilter-cttimeout
+ FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_cttimeout.ko
+ AUTOLOAD:=$(call AutoProbe,nfnetlink_cttimeout)
+endef
+
+$(eval $(call KernelPackage,nf-conntrack-timeout))
define KernelPackage/nf-nat
SUBMENU:=$(NF_MENU)
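Review bot: the DEPENDS line of the new KernelPackage/nf-conntrack-timeout pulls a userspace library, +libnetfilter-cttimeout, into a kernel module package; a kmod should depend only on other kmods, and that library belongs on the conntrack-tools package whose nfct binary actually links against it. The hard-coded FILES path and AUTOLOAD module name also bypass include/netfilter.mk, which yousong pointed to above as the place this file takes its kconfig names and module paths from; registering nfnetlink_cttimeout there and using the same $(foreach mod,...) pattern as the neighbouring packages would keep the entry consistent with the rest of netfilter.mk.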
I have no clue how to do a diff for a file in the packages feed.
feeds/packages/net/conntrack-tools/Makefile
Line 52-56:
Change to:
define Package/conntrack/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/conntrack $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nfct $(1)/usr/sbin/
endef
Usage:
nfct add timeout dns inet udp replied 10
nfct list timeout
.dns = {
.l3proto = 2,
.l4proto = 17,
.policy = {
.UNREPLIED = 10,
.REPLIED = 10,
},
};
iptables -I OUTPUT -t raw -p udp --dport 53 -j CT --timeout dns
iptables-save | grep 'timeout dns'
-A OUTPUT -p udp -m udp --dport 53 -j CT --timeout dns
//edit
Complete example to limit dns connections to a 10sec timeout:
/etc/firewall.user
IPT=$(which iptables)
IPT6=$(which ip6tables)
# Set custom timeout for dns connections
nfct add timeout dns4 inet udp replied 10 unreplied 10 > /dev/null 2>&1 || true
nfct add timeout dns6 inet6 udp replied 10 unreplied 10 > /dev/null 2>&1 || true
$IPT -I PREROUTING -t raw -p udp -m multiport --ports 53 -j CT --timeout dns4
$IPT -I OUTPUT -t raw -p udp -m multiport --ports 53 -j CT --timeout dns4
$IPT6 -I PREROUTING -t raw -p udp -m multiport --ports 53 -j CT --timeout dns6
$IPT6 -I OUTPUT -t raw -p udp -m multiport --ports 53 -j CT --timeout dns6
Note: seems like the "name" (dns4,dns6 in this example) is limited to 4 chars.
Only PREROUTING and OUTPUT can be used.
@yousong
Thank you for pointing me in the right direction.
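A sanity check for the firewall.user approach above, added here as an example and not part of the thread: it parses "nfct list timeout" output and confirms a policy carries the intended values before an iptables CT rule refers to it, since the snippet above hides nfct failures behind "|| true". The function names (policy_field, check_policy, apply_dns_timeout) and the sample listing are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread: confirm that an nfct timeout policy
# exists with the intended values before an iptables CT rule refers to it.
# The firewall.user snippet above hides nfct failures with "|| true", so a
# missing nfnetlink_cttimeout module would leave the CT rule pointing at a
# policy that was never created.

# policy_field NAME FIELD LISTING
#   NAME    policy name as printed by "nfct list timeout" (e.g. dns4)
#   FIELD   l3proto, l4proto, REPLIED or UNREPLIED
#   LISTING the full text output of "nfct list timeout"
# Prints the field's value, or nothing if the policy or field is absent.
policy_field() {
    printf '%s\n' "$3" | awk -v name=".$1" -v field=".$2" '
        $1 == name && $3 == "{" { inside = 1; next }   # ".dns4 = {" opens it
        inside && $1 == "};"    { inside = 0 }          # "};" closes it
        inside && $1 == field   { sub(/,$/, "", $3); print $3 }  # ".REPLIED = 10,"
    '
}

# check_policy NAME L4PROTO REPLIED UNREPLIED LISTING
# Returns 0 only when the policy exists with exactly these values.
check_policy() {
    [ "$(policy_field "$1" l4proto "$5")"   = "$2" ] || return 1
    [ "$(policy_field "$1" REPLIED "$5")"   = "$3" ] || return 1
    [ "$(policy_field "$1" UNREPLIED "$5")" = "$4" ] || return 1
}

# Constructed sample in the shape "nfct list timeout" prints (compare the
# listing shown earlier in the thread); in firewall.user use the live output.
SAMPLE_LISTING='.dns4 = {
    .l3proto = 2,
    .l4proto = 17,
    .policy = {
        .UNREPLIED = 10,
        .REPLIED = 10,
    },
};'

# Example use in firewall.user: add the CT rule only once the policy is
# verified (l4proto 17 = UDP); a failed check is reported instead of hidden.
# Re-adding a policy that already exists fails harmlessly, hence 2>/dev/null.
apply_dns_timeout() {
    nfct add timeout dns4 inet udp replied 10 unreplied 10 2>/dev/null
    check_policy dns4 17 10 10 "$(nfct list timeout)" || {
        echo "dns4 timeout policy missing, CT rule not installed" >&2
        return 1
    }
    iptables -I OUTPUT -t raw -p udp --dport 53 -j CT --timeout dns4
}
```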