弁財天

Goffman: "Don't trust the experts; think and judge for yourself"

[nf_conntrack_update] Live commentary on daq-2.0.7's aclocal-1.15 and libnetfilter_queue-1.0.5 lol update21

Apparently there is some way to bring snort down...

Incoming packets accumulate in the NFQ, so when inline-mode snort dies...

nfnetlink_queue: nf_queue: full at 4096 entries, dropping packets(s)

...you end up in a state like this: the NFQ bursts and the server stops responding lol

The problem is that even after restarting the dead snort, it cannot initialize the QUEUE and refuses to start...

nfq DAQ configured to inline.
ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_initialize: nf queue creation failed

Fatal Error, Quitting..

The only way around it is to reboot the server...

snort-2.9.16 uses daq-2.0.7...

Apparently the cause was that it was still daq-2.0.6...

$ make
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /somewhere/src/snort/daq-2.0.7/missing aclocal-1.15 -I m4
/somewhere/src/snort/daq-2.0.7/missing: 行 81: aclocal-1.15: コマンドが見つかりません
WARNING: 'aclocal-1.15' is missing on your system.
         You should only need it if you modified 'acinclude.m4' or
         'configure.ac' or m4 files included by 'configure.ac'.
         The 'aclocal' program is part of the GNU Automake package:
         
         It also requires GNU Autoconf, GNU m4 and Perl in order to run:
         
         
         
make: *** [Makefile:372: aclocal.m4] エラー 127

$ ls -l /usr/bin/aclocal*
-rwxr-xr-x 2 root root 36478  7月 25  2019 /usr/bin/aclocal
-rwxr-xr-x 2 root root 36478  7月 25  2019 /usr/bin/aclocal-1.16
$ rpm -qf /usr/bin/aclocal-1.16
automake-1.16.1-13.fc31.noarch
$ 

Fedora 31's automake-1.16.1 and daq-2.0.7's autoconf setup don't mesh...

it-swarm.dev → How to overcome the warning "aclocal-1.15 is missing on your system"? (October 22, 2015)

"Run autoreconf -f -i before running ./configure. The autoreconf program automatically runs autoheader, aclocal, automake, autopoint and libtoolize as needed."

$ autoreconf -f -i
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
autom4te: cannot open configure: Permission denied
autoreconf: /usr/bin/autoconf failed with exit status: 1

Why does it need root? Beats me...

# autoreconf -f -i
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:12: installing './compile'
configure.ac:9: installing './missing'
api/Makefile.am: installing './depcomp'

Anyway, it built...

Monitoring the NFQ lol

#!/bin/sh
# q2.sh: dump /proc/net/netfilter/nfnetlink_queue every 3 seconds,
# re-printing the column header every 7 samples.

HEADER='   q#     pid wait m range qdrop udrop packedid  1'
C=0
D=$(date +'%H:%M:%S')
echo "${D}${HEADER}"

while true
do
    D=$(date +'%H:%M:%S')
    if [ "${C}" -ge 7 ]; then
        echo "${D}${HEADER}"
        C=0
    fi
    # sample line:    2   1359     0 2 65531     0     0    14334  1
    # printf rather than echo -n: /bin/sh (dash) has no -n option
    printf '%s' "${D}"
    cat /proc/net/netfilter/nfnetlink_queue
    sleep 3
    C=$(expr "${C}" + 1)
done
# sh q2.sh 
15:18:14   q#     pid wait m range qdrop udrop packedid  1
15:18:14    2   1371     0 2 65531     0     0   101287  1
15:18:17    2   1371     0 2 65531     0     0   101354  1
15:18:20    2   1371     0 2 65531     0     0   101407  1
15:18:23    2   1371     0 2 65531     0     0   101470  1
15:18:26    2   1371     0 2 65531     0     0   101524  1
15:18:29    2   1371     0 2 65531     0     0   101617  1
15:18:32    2   1371     0 2 65531     0     0   101898  1

「2 1371 0 2 65531 0 0 101287 1」

Queue #2 is being listened on by pid 1371, and 0 packets are sitting in the queue. As packets enter the queue and are taken out, the last packet ID (packedid) keeps increasing... When inline-mode snort dies, the wait count climbs (piles up) to 4096 and the queue overflows.

That is what this message is...
「nfnetlink_queue: nf_queue: full at 4096 entries, dropping packets(s)」

The queue depth is set in snort.conf like

config daq_var: queue_len=4096
but simply making it bigger is hardly the answer lol

Turns out snort still dies even after upgrading to daq-2.0.7 lol. Inline mode is unusable now lol

table ip filter {
        chain INPUT {
                # omitted
                counter packets 0 bytes 0 jump SNORT_NFQ_BLOCK
                # omitted
        }

        chain SNORT_NFQ_BLOCK {
                #tcp dport 80 counter packets 0 bytes 0 queue num 2
                #tcp sport 80 counter packets 0 bytes 0 queue num 2
                meta l4proto { tcp, udp, tlsp } @th,16,16 { 80, 443,8443 } queue num 2
        }
}

With the nftables written like this, monitor snort for casualties, and when it falls...

#!/usr/sbin/nft -f
flush chain ip filter SNORT_NFQ_BLOCK
...has to be run lol
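As an added example (not from the original post), a shell watchdog that puts the column reading above and the chain flush just described together: it classifies the queue-2 line of /proc/net/netfilter/nfnetlink_queue and fails open by flushing SNORT_NFQ_BLOCK when the queue fills or stops draining. It assumes queue number 2, the SNORT_NFQ_BLOCK chain and queue_len=4096 from this post; the 90% high-water mark and the stall rule are my own choices.

```shell
#!/bin/sh
# nfq_watchdog.sh (added example, not from the original post).
# Reads the same /proc/net/netfilter/nfnetlink_queue table that q2.sh dumps,
# decides whether the inline snort bound to queue 2 is still draining it, and
# fails open with the chain flush described above when it is not.
#
# nfnetlink_queue has one line per queue with these columns:
#   queue_num portid queue_total copy_mode copy_range queue_dropped
#   queue_user_dropped id_sequence 1
# (the post labels them q# pid wait m range qdrop udrop packedid 1)
#
# Assumed from the post: queue number 2, chain ip filter SNORT_NFQ_BLOCK,
# queue_len=4096 in snort.conf.  All can be overridden via the environment.

NFQ_NUM="${NFQ_NUM:-2}"
QUEUE_LEN="${QUEUE_LEN:-4096}"
NFQ_PROC="${NFQ_PROC:-/proc/net/netfilter/nfnetlink_queue}"
NFQ_CHAIN="${NFQ_CHAIN:-ip filter SNORT_NFQ_BLOCK}"

# Print the line for queue $1 from the table on stdin (nothing if the queue
# does not exist, i.e. no userspace listener has bound it).
nfq_line() {
    awk -v q="$1" '$1 == q { print; exit }'
}

# Classify the queue: $1 current line, $2 previous sample (may be empty),
# $3 queue_len.  Prints one of: missing ok full stalled
nfq_classify() {
    cur="$1"; prev="$2"; qlen="$3"
    [ -n "$cur" ] || { echo missing; return 0; }
    set -- $cur
    total=$3; seq_now=$8
    # High-water mark at 90% of queue_len; at queue_len itself the kernel
    # logs "nf_queue: full at 4096 entries, dropping packets(s)".
    hwm=$(( qlen * 9 / 10 ))
    if [ "$total" -ge "$hwm" ]; then
        echo full; return 0
    fi
    if [ -n "$prev" ]; then
        set -- $prev
        # Packets are waiting but id_sequence has not moved since the last
        # sample: the queue still exists, but nothing is issuing verdicts.
        if [ "$total" -gt 0 ] && [ "$seq_now" -eq "$8" ]; then
            echo stalled; return 0
        fi
    fi
    echo ok
}

# Fail open: drop the queue rules so traffic bypasses the dead IPS instead of
# being held until the queue overflows.  DRY_RUN=1 only prints the command.
nfq_fail_open() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: nft flush chain $NFQ_CHAIN"
    else
        nft flush chain $NFQ_CHAIN
    fi
}

# Sampling loop, same 3-second cadence as q2.sh.  "missing" only counts once
# the queue has been seen, so a not-yet-started snort does not trigger it.
nfq_watch() {
    prev=""
    while :; do
        cur=$(nfq_line "$NFQ_NUM" < "$NFQ_PROC")
        state=$(nfq_classify "$cur" "$prev" "$QUEUE_LEN")
        echo "$(date +%H:%M:%S) queue $NFQ_NUM: $state"
        case "$state" in
            full|stalled) nfq_fail_open ;;
            missing) [ -n "$prev" ] && nfq_fail_open ;;
        esac
        prev="$cur"
        sleep 3
    done
}

# Only start the loop when invoked as: sh nfq_watchdog.sh watch
if [ "${1-}" = watch ]; then
    nfq_watch
fi
```

Flushing the chain re-opens the path the IPS was guarding, so the alert line should also reach whoever has to restart snort.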

Jun 15 06:34:01 localhost kernel: BUG: unable to handle page fault for address: 0000000100000084
Jun 15 06:34:01 localhost kernel: #PF: supervisor read access in kernel mode
Jun 15 06:34:01 localhost kernel: #PF: error_code(0x0000) - not-present page
Jun 15 06:34:01 localhost kernel: PGD 412408067 P4D 412408067 PUD 0 
Jun 15 06:34:01 localhost kernel: Oops: 0000 [#1] SMP NOPTI
Jun 15 06:34:01 localhost kernel: CPU: 2 PID: 1840 Comm: snort Tainted: G           OE     5.6.16-200.fc31.x86_64 #1
Jun 15 06:34:01 localhost kernel: Hardware name: わが家サーバw
Jun 15 06:34:01 localhost kernel: RIP: 0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jun 15 06:34:01 localhost kernel: Code: fd ff ff 49 89 c6 48 85 c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29 48 01 d0 74 24 48 8b 00  80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8 02 0f 84 32 01 00
Jun 15 06:34:01 localhost kernel: RSP: 0018:ffffbf2a0078b920 EFLAGS: 00010286
Jun 15 06:34:01 localhost kernel: RAX: 0000000100000000 RBX: ffff9fdc0e036640 RCX: 0000000080190015
Jun 15 06:34:01 localhost kernel: RDX: 0000000000000055 RSI: 0000000080190015 RDI: ffff9fdd6783d180
Jun 15 06:34:01 localhost kernel: RBP: ffffbf2a0078b990 R08: 0000000000000000 R09: 0000000000000001
Jun 15 06:34:01 localhost kernel: R10: ffffbf2a0078b900 R11: fffff7eb0b380da0 R12: ffff9fda9184b300
Jun 15 06:34:01 localhost kernel: R13: 0000000000000002 R14: ffff9fdc0e036780 R15: 0000000000000000
Jun 15 06:34:01 localhost kernel: FS:  00007f7fc1e05880(0000) GS:ffff9fdd6f900000(0000) knlGS:0000000000000000
Jun 15 06:34:01 localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 15 06:34:01 localhost kernel: CR2: 0000000100000084 CR3: 000000040c3de000 CR4: 00000000000406e0
Jun 15 06:34:01 localhost kernel: Call Trace:
Jun 15 06:34:01 localhost kernel: ? nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jun 15 06:34:01 localhost kernel: ? __nla_validate_parse+0x41/0x880
Jun 15 06:34:01 localhost kernel: nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jun 15 06:34:01 localhost kernel: nfqnl_recv_verdict+0x27d/0x4b0 [nfnetlink_queue]
Jun 15 06:34:01 localhost kernel: ? do_select+0x6c4/0x740
Jun 15 06:34:01 localhost kernel: nfnetlink_rcv_msg+0x132/0x220 [nfnetlink]
Jun 15 06:34:01 localhost kernel: ? nfnetlink_net_exit_batch+0x60/0x60 [nfnetlink]
Jun 15 06:34:01 localhost kernel: netlink_rcv_skb+0x49/0x110
Jun 15 06:34:01 localhost kernel: nfnetlink_rcv+0x59/0x121 [nfnetlink]
Jun 15 06:34:01 localhost kernel: netlink_unicast+0x16d/0x210
Jun 15 06:34:01 localhost kernel: netlink_sendmsg+0x233/0x450
Jun 15 06:34:01 localhost kernel: sock_sendmsg+0x5e/0x60
Jun 15 06:34:01 localhost kernel: ____sys_sendmsg+0x1ef/0x260
Jun 15 06:34:01 localhost kernel: ? copy_msghdr_from_user+0xc2/0x130
Jun 15 06:34:01 localhost kernel: ___sys_sendmsg+0x81/0xc0
Jun 15 06:34:01 localhost kernel: ? netlink_recvmsg+0x32e/0x400
Jun 15 06:34:01 localhost kernel: ? __sys_recvfrom+0x124/0x180
Jun 15 06:34:01 localhost kernel: __sys_sendmsg+0x49/0x80
Jun 15 06:34:01 localhost kernel: do_syscall_64+0x5b/0x1c0
Jun 15 06:34:01 localhost kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 15 06:34:01 localhost kernel: RIP: 0033:0x7f7fc1d0480d
Jun 15 06:34:01 localhost kernel: Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ea ec ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 1e ed ff ff 48
Jun 15 06:34:01 localhost kernel: RSP: 002b:00007ffc7c29a4d0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
Jun 15 06:34:01 localhost kernel: RAX: ffffffffffffffda RBX: 00007ffc7c29a5a0 RCX: 00007f7fc1d0480d
Jun 15 06:34:01 localhost kernel: RDX: 0000000000000000 RSI: 00007ffc7c29a510 RDI: 0000000000000004
Jun 15 06:34:01 localhost kernel: RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f7fc1c60e10
Jun 15 06:34:01 localhost kernel: R10: 00007ffc7c29a498 R11: 0000000000000293 R12: 00000000064913c8
Jun 15 06:34:01 localhost kernel: R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffc7c29a6c0
Jun 15 06:34:01 localhost kernel: Modules linked in: nft_queue bnep rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache nfnetlink_queue bluetooth ecdh_generic ecc cfg80211 rfkill vboxnetadp(OE) vboxnetflt(OE) nft_ct nf_conntrack vboxdrv(OE) nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nft_counter nf_tables_set nf_tables nfnetlink ebtable_filter ebtables vfat fat edac_mce_amd kvm_amd ccp kvm joydev irqbypass snd_hda_codec_realtek crct10dif_pclmul snd_hda_codec_generic crc32_pclmul ledtrig_audio snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg snd_hda_codec ghash_clmulni_intel snd_hda_core snd_hwdep sp5100_tco snd_seq snd_seq_device pcspkr snd_pcm k10temp i2c_piix4 snd_timer snd soundcore acpi_cpufreq binfmt_misc ip_tables radeon i2c_algo_bit drm_kms_helper ttm drm crc32c_intel r8169 video fuse
Jun 15 06:34:01 localhost kernel: CR2: 0000000100000084
Jun 15 06:34:01 localhost kernel: ---[ end trace 4474f46c8481d8a1 ]---
Jun 15 06:34:01 localhost kernel: RIP: 0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jun 15 06:34:01 localhost kernel: Code: fd ff ff 49 89 c6 48 85 c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29 48 01 d0 74 24 48 8b 00  80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8 02 0f 84 32 01 00
Jun 15 06:34:01 localhost kernel: RSP: 0018:ffffbf2a0078b920 EFLAGS: 00010286
Jun 15 06:34:01 localhost kernel: RAX: 0000000100000000 RBX: ffff9fdc0e036640 RCX: 0000000080190015
Jun 15 06:34:01 localhost kernel: RDX: 0000000000000055 RSI: 0000000080190015 RDI: ffff9fdd6783d180
Jun 15 06:34:01 localhost kernel: RBP: ffffbf2a0078b990 R08: 0000000000000000 R09: 0000000000000001
Jun 15 06:34:01 localhost kernel: R10: ffffbf2a0078b900 R11: fffff7eb0b380da0 R12: ffff9fda9184b300
Jun 15 06:34:01 localhost kernel: R13: 0000000000000002 R14: ffff9fdc0e036780 R15: 0000000000000000
Jun 15 06:34:01 localhost kernel: FS:  00007f7fc1e05880(0000) GS:ffff9fdd6f900000(0000) knlGS:0000000000000000
Jun 15 06:34:01 localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 15 06:34:01 localhost kernel: CR2: 0000000100000084 CR3: 000000040c3de000 CR4: 00000000000406e0

It's a bug in libnetfilter_queue-1.0.2 lol

code.woboq.org→nfnetlink_queue.c source code [linux/net/netfilter/nfnetlink_queue.c] - Woboq Code Browser

static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict)
{
	struct nf_ct_hook *ct_hook;
	int err;
	if (verdict == NF_ACCEPT ||
	    verdict == NF_REPEAT ||
	    verdict == NF_STOP) {
		rcu_read_lock();
		ct_hook = rcu_dereference(nf_ct_hook);
		if (ct_hook) {
			err = ct_hook->update(entry->state.net, entry->skb);
			if (err < 0)
				verdict = NF_DROP;
		}
		rcu_read_unlock();
	}
	nf_reinject(entry, verdict);
}
Re: [PATCH nf-next 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

libnetfilter_queue-1.0.2 → libnetfilter_queue-1.0.5

The dependency chain is libnetfilter_queue-1.0.5 → daq-2.0.7 → snort-2.9.16

Is the cause of the recurrence in the kernel code? No, it was because the build had been picking up the libraries under /usr/lib64/ lol

# rpm -e daq-modules-2.0.6-8.fc31.x86_64 daq-devel-2.0.6-8.fc31.x86_64 daq-2.0.6-8.fc31.x86_64

Jun 16 07:24:17 localhost kernel: general protection fault, probably for non-canonical address 0x6029d83100000000: 0000 [#1] SMP NOPTI
Jun 16 07:24:17 localhost kernel: CPU: 2 PID: 1989 Comm: snort Tainted: G           OE     5.6.16-200.fc31.x86_64 #1
Jun 16 07:24:17 localhost kernel: Hardware name: わが家サーバw
Jun 16 07:24:17 localhost kernel: RIP: 0010:nf_conntrack_update+0x134/0x350 [nf_conntrack]
Jun 16 07:24:17 localhost kernel: Code: fd ff ff 49 89 c6 48 85 c0 0f 85 83 00 00 00 48 8b 83 b8 00 00 00 48 85 c0 74 30 0f b6 10 84 d2 74 29 48 01 d0 74 24 48 8b 00  80 84 00 00 00 01 74 18 0f b7 43 32 66 83 f8 02 0f 84 32 01 00
Jun 16 07:24:17 localhost kernel: RSP: 0018:ffff9d8c00ee7920 EFLAGS: 00010282
Jun 16 07:24:17 localhost kernel: RAX: 6029d83100000000 RBX: ffff8d603e359cc0 RCX: 0000000080190018
Jun 16 07:24:17 localhost kernel: RDX: 0000000000000055 RSI: 0000000080190018 RDI: ffff8d6119acb880
Jun 16 07:24:17 localhost kernel: RBP: ffff9d8c00ee7990 R08: 0000000000000000 R09: 0000000000000001
Jun 16 07:24:17 localhost kernel: R10: ffff9d8c00ee7901 R11: ffffe0324cf8d620 R12: ffff8d5d029be300
Jun 16 07:24:17 localhost kernel: R13: 0000000000000002 R14: ffff8d603e358500 R15: 0000000000000000
Jun 16 07:24:17 localhost kernel: FS:  00007f80408cd880(0000) GS:ffff8d612f900000(0000) knlGS:0000000000000000
Jun 16 07:24:17 localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 16 07:24:17 localhost kernel: CR2: 00002cef085ab014 CR3: 0000000373f4e000 CR4: 00000000000406e0
Jun 16 07:24:17 localhost kernel: Call Trace:
Jun 16 07:24:17 localhost kernel: ? nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jun 16 07:24:17 localhost kernel: ? __nla_validate_parse+0x41/0x880

kernel.org→ChangeLog-5.6.16

commit 28cba63f480ba4d824ec54026b5ee01568a3c08f
Author: Nathan Chancellor 
Date:   Wed May 27 01:10:39 2020 -0700

    netfilter: conntrack: Pass value of ctinfo to __nf_conntrack_update
    
    commit 46c1e0621a72e0469ec4edfdb6ed4d387ec34f8a upstream.
    
    Clang warns:
    
    net/netfilter/nf_conntrack_core.c:2068:21: warning: variable 'ctinfo' is
    uninitialized when used here [-Wuninitialized]
            nf_ct_set(skb, ct, ctinfo);
                               ^~~~~~
    net/netfilter/nf_conntrack_core.c:2024:2: note: variable 'ctinfo' is
    declared here
            enum ip_conntrack_info ctinfo;
            ^
    1 warning generated.
    
    nf_conntrack_update was split up into nf_conntrack_update and
    __nf_conntrack_update, where the assignment of ctinfo is in
    nf_conntrack_update but it is used in __nf_conntrack_update.
    
    Pass the value of ctinfo from nf_conntrack_update to
    __nf_conntrack_update so that uninitialized memory is not used
    and everything works properly.
    
    Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again")
    Link: https://github.com/ClangBuiltLinux/linux/issues/1039
    Signed-off-by: Nathan Chancellor 
    Signed-off-by: Pablo Neira Ayuso 
    Signed-off-by: Greg Kroah-Hartman 
nf_conntrack_update just plain broke lol. Retreating to 5.6.13 lol

Tested on kernel-5.6.18-300.fc32.x86_64, but it still crashes in nf_conntrack_update lol

#!/bin/sh
# fetch the stable ChangeLogs for 5.6.1 .. 5.6.18 so they can be grepped for nf_ changes

TARGET=$(seq 1 18 | xargs)
for i in $TARGET
do
    wget http://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.${i}
done

$ grep nf_ ChangeLog-5.6.[1-9] ChangeLog-5.6.1[0-9]
ChangeLog-5.6.4:    Looks like addrconf_sysctl_addr_gen_mode() bypasses the original "is
ChangeLog-5.6.5:    Modules linked in: scsi_debug sd_mod t10_pi brd scsi_transport_iscsi af_packet crct10dif_pclmul sg aesni_intel glue_helper virtio_balloon button crypto_simd cryptd intel_agp intel_gtt agpgart ip_tables x_tables ipv6 nf_defrag_ipv6 autofs4 ext4 crc16 mbcache jbd2 hid_generic usbhid hid sr_mod cdrom ata_generic pata_acpi virtio_blk virtio_net net_failover failover ata_piix xhci_pci ahci libahci xhci_hcd i2c_piix4 libata virtio_pci usbcore i2c_core virtio_ring scsi_mod usb_common virtio [last unloaded: scsi_debug]
ChangeLog-5.6.5:    [  298.768595][T14664] Modules linked in: netdevsim(-) openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 n][  298.771343][T14664] CPU: 2 PID: 14664 Comm: cat Tainted: G        W         5.5.0+ #1
ChangeLog-5.6.7:    netfilter: nf_tables: report EOPNOTSUPP on unsupported flags/object type
ChangeLog-5.6.7:    Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements")
ChangeLog-5.6.8:    [   81.503173] Modules linked in: virtio_console fuse xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nft_counter nf_nat_tftp nft_objref nf_conntrack_tftp tun bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 nft_chain_route_ipv6 nft_chain_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nft_chain_route_ipv4 ip6_tables nft_compat ip_set nf_tables nfnetlink sunrpc bochs_drm drm_vram_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm i2c_piix4 pcspkr crct10dif_pclmul crc32_pclmul joydev ghash_clmulni_intel ip_tables xfs libcrc32c sd_mod sg ata_generic ata_piix virtio_net libata crc32c_intel net_failover failover serio_raw virtio_scsi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: virtio_console]
ChangeLog-5.6.8:    [   40.603871][  T146]  ? nf_tables_dump_setelem+0xa0/0xa0 [nf_tables]
ChangeLog-5.6.8:    Modules linked in: mcetest_slb(OE+) af_packet(E) xt_tcpudp(E) ip6t_rpfilter(E) ip6t_REJECT(E) ipt_REJECT(E) xt_conntrack(E) ip_set(E) nfnetlink(E) ebtable_nat(E) ebtable_broute(E) ip6table_nat(E) ip6table_mangle(E) ip6table_raw(E) ip6table_security(E) iptable_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) iptable_mangle(E) iptable_raw(E) iptable_security(E) ebtable_filter(E) ebtables(E) ip6table_filter(E) ip6_tables(E) iptable_filter(E) ip_tables(E) x_tables(E) xfs(E) ibmveth(E) vmx_crypto(E) gf128mul(E) uio_pdrv_genirq(E) uio(E) crct10dif_vpmsum(E) rtc_generic(E) btrfs(E) libcrc32c(E) xor(E) zstd_decompress(E) zstd_compress(E) raid6_pq(E) sr_mod(E) sd_mod(E) cdrom(E) ibmvscsi(E) scsi_transport_srp(E) crc32c_vpmsum(E) dm_mod(E) sg(E) scsi_mod(E)
ChangeLog-5.6.9:    WARNING: CPU: 0 PID: 19934 at net/netfilter/nf_nat_core.c:1106
ChangeLog-5.6.9:    nf_nat_unregister_fn+0x532/0x5c0 net/netfilter/nf_nat_core.c:1106
ChangeLog-5.6.9:    RIP: 0010:nf_nat_unregister_fn+0x532/0x5c0 net/netfilter/nf_nat_core.c:1106
ChangeLog-5.6.9:     nf_nat_ipv6_unregister_fn net/netfilter/nf_nat_proto.c:1017 [inline]
ChangeLog-5.6.9:     nf_nat_inet_register_fn net/netfilter/nf_nat_proto.c:1038 [inline]
ChangeLog-5.6.9:     nf_nat_inet_register_fn+0xfc/0x140 net/netfilter/nf_nat_proto.c:1023
ChangeLog-5.6.9:     nf_tables_register_hook net/netfilter/nf_tables_api.c:224 [inline]
ChangeLog-5.6.9:     nf_tables_addchain.constprop.0+0x82e/0x13c0 net/netfilter/nf_tables_api.c:1981
ChangeLog-5.6.9:     nf_tables_newchain+0xf68/0x16a0 net/netfilter/nf_tables_api.c:2235
ChangeLog-5.6.9:    netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag
ChangeLog-5.6.9:    Fixes: f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields")
ChangeLog-5.6.9:    iwlwifi: actually check allocated conf_tlv pointer
ChangeLog-5.6.9:    conf_tlvs") attempted to fix a typoe introduced by commit 17b809c9b22e
ChangeLog-5.6.9:    Fixes: 71bc0334a637 ("iwlwifi: check allocated pointer when allocating conf_tlvs")
ChangeLog-5.6.11:      Modules linked in: bonding ipip tunnel4 geneve ip6_udp_tunnel udp_tunnel ip6_gre ip6_tunnel tunnel6 ip_gre ip_tunnel gre mlx5_ib mlx5_core mlxfw pci_hyperv_intf act_ct nf_flow_table ptp pps_core rdma_ucm ib_uverbs ib_ipoib ib_umad 8021q garp mrp openvswitch nsh nf_conncount nfsv3 nfs_acl xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype iptable_filter xt_conntrack br_netfilter bridge stp llc rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache overlay rpcrdma ib_isert iscsi_target_mod ib_iser kvm_intel ib_srpt iTCO_wdt target_core_mod iTCO_vendor_support kvm ib_srp nf_nat irqbypass crc32_pclmul crc32c_intel nf_conntrack rfkill nf_defrag_ipv6 virtio_net nf_defrag_ipv4 pcspkr ghash_clmulni_intel i2c_i801 net_failover failover i2c_core lpc_ich mfd_core rdma_cm ib_cm iw_cm button ib_core sunrpc sch_fq_codel ip_tables serio_raw [last unloaded: tunnel4]
ChangeLog-5.6.13:    netfilter: nf_osf: avoid passing pointer to local var
ChangeLog-5.6.13:    net/netfilter/nfnetlink_osf.c: In function 'nf_osf_hdr_ctx_init':
ChangeLog-5.6.13:    Fixes: 31a9c29210e2 ("netfilter: nf_osf: add struct nf_osf_hdr_ctx")
ChangeLog-5.6.13:    Fixes: 5b1158e909ec ("[NETFILTER]: Add NAT support for nf_conntrack")
ChangeLog-5.6.14:    Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
ChangeLog-5.6.14:    'rmmod nf_conntrack' can hang forever, because the netns exit
ChangeLog-5.6.14:    gets stuck in nf_conntrack_cleanup_net_list():
ChangeLog-5.6.14:      nf_ct_iterate_cleanup(kill_all, net, 0, 0);
ChangeLog-5.6.14:    When nf_ct_iterate_cleanup iterates the conntrack table, all nf_conn
ChangeLog-5.6.14:    all nf_conn objects are added twice, once in original, once for reply
ChangeLog-5.6.14:    nf_conntrack_cleanup_net_list() always skips it completely.
ChangeLog-5.6.14:    net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc':
ChangeLog-5.6.14:    net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds]
ChangeLog-5.6.14:    In file included from net/netfilter/nf_conntrack_core.c:37:
ChangeLog-5.6.14:    include/net/netfilter/nf_conntrack.h:90:5: note: while referencing '__nfct_init_offset'
ChangeLog-5.6.14:    [    5.916803]  ? nf_nat_ipv6_out+0x10/0xa0
ChangeLog-5.6.14:    [    5.916804]  ? nf_hook_slow+0x84/0x100
ChangeLog-5.6.14:    This patch uses function pinconf_to_config_param(config), which
ChangeLog-5.6.16:    netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
ChangeLog-5.6.16:    >> include/linux/netfilter/nf_conntrack_pptp.h:13:20: warning: 'const' type qualifier on return type has no effect [-Wignored-qualifiers]
ChangeLog-5.6.16:    Fixes: 4c559f15efcc ("netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code")
ChangeLog-5.6.16:    netfilter: conntrack: Pass value of ctinfo to __nf_conntrack_update
ChangeLog-5.6.16:    net/netfilter/nf_conntrack_core.c:2068:21: warning: variable 'ctinfo' is
ChangeLog-5.6.16:            nf_ct_set(skb, ct, ctinfo);
ChangeLog-5.6.16:    net/netfilter/nf_conntrack_core.c:2024:2: note: variable 'ctinfo' is
ChangeLog-5.6.16:    nf_conntrack_update was split up into nf_conntrack_update and
ChangeLog-5.6.16:    __nf_conntrack_update, where the assignment of ctinfo is in
ChangeLog-5.6.16:    nf_conntrack_update but it is used in __nf_conntrack_update.
ChangeLog-5.6.16:    Pass the value of ctinfo from nf_conntrack_update to
ChangeLog-5.6.16:    __nf_conntrack_update so that uninitialized memory is not used
ChangeLog-5.6.16:    net/netfilter/nf_conntrack_core.c: In function nf_confirm_cthelper:
ChangeLog-5.6.16:    net/netfilter/nf_conntrack_core.c:2117:15: warning: comparison of unsigned expression in < 0 is always false [-Wtype-limits]
ChangeLog-5.6.16:    netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
ChangeLog-5.6.16:    Fixes: f09943fefe6b ("[NETFILTER]: nf_conntrack/nf_nat: add PPTP helper port")
ChangeLog-5.6.16:    3. Extend the existing nf_queue ct update hook to allow a forced
ChangeLog-5.6.16:    [ 1110.866730] Modules linked in: pppoe ppp_async batman_adv ath10k_pci ath10k_core ath pppox ppp_generic nf_conntrack_ipv6 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_FLOWOFFLOAD slhc nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack iptable_mangle iptable_filter ip_tables crc_ccitt compat nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 usb_storage xhci_plat_hcd xhci_pci xhci_hcd dwc3 usbcore usb_common

# grubby --set-default /boot/vmlinuz-5.6.13-200.fc31.x86_64
# grubby --default-index
# grubby --default-kernel

…
libtool: link: gcc -g -O2 -DSF_VISIBILITY -fvisibility=hidden -Wall -o snort debug.o decode.o encode.o active.o log.o mstring.o hashstring.o parser.o profiler.o plugbase.o snort.o strlcatu.o strlcpyu.o tag.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o ppm.o log_text.o detection_filter.o detection_util.o rate_filter.o pkt_tracer.o obfuscation.o sfdaq.o reload.o idle_processing.o reg_test.o memory_stats.o  -L/usr/local/lib -L/somewhere/src/snort/daq-2.0.7 -L/usr/lib64 output-plugins/libspo.a detection-plugins/libspd.a dynamic-plugins/libdynamic.a dynamic-output/plugins/liboutput.a preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a preprocessors/HttpInspect/libhttp_inspect.a preprocessors/Session/libsession.a preprocessors/Stream6/libstream6.a sfutil/libsfutil.a control/libsfcontrol.a file-process/libfileAPI.a file-process/libs/libfile.a reload-adjust/libreload_adjust.a /usr/local/lib/libdaq_static.a -lpcre -luuid -lm -lcrypto -ldl /usr/local/lib/libdaq_static_modules.a /usr/local/lib/libnetfilter_queue.so /usr/local/lib/libmnl.so /usr/local/lib/libnfnetlink.so /usr/local/lib/libsfbpf.so -lpcap -ldnet -ltirpc -lz -llzma -lpthread -Wl,-rpath -Wl,/usr/local/lib -Wl,-rpath -Wl,/usr/local/lib
/usr/bin/ld: preprocessors/libspp.a(spp_session.o):/somewhere/src/snort/snort-2.9.16/src/preprocessors/spp_session.c:73: multiple definition of `sessionPerfStats'; detection-plugins/libspd.a(sp_session.o):/somewhere/src/snort/snort-2.9.16/src/detection-plugins/sp_session.c:83: first defined here
/usr/bin/ld: preprocessors/Stream6/libstream6.a(snort_stream_tcp.o):/somewhere/src/snort/snort-2.9.16/src/preprocessors/Stream6/stream_paf.h:78: multiple definition of `FlushMode'; preprocessors/libspp.a(spp_stream6.o):/somewhere/src/snort/snort-2.9.16/src/preprocessors/../../src/preprocessors/Stream6/stream_paf.h:78: first defined here
/usr/bin/ld: preprocessors/Stream6/libstream6.a(stream_paf.o):/somewhere/src/snort/snort-2.9.16/src/preprocessors/Stream6/stream_paf.h:78: multiple definition of `FlushMode'; preprocessors/libspp.a(spp_stream6.o):/somewhere/src/snort/snort-2.9.16/src/preprocessors/../../src/preprocessors/Stream6/stream_paf.h:78: first defined here
/usr/bin/ld: sfutil/libsfutil.a(util_jsnorm.o):/somewhere/src/snort/snort-2.9.16/src/sfutil/util_jsnorm.c:93: multiple definition of `hex_lookup'; preprocessors/libspp.a(spp_httpinspect.o):(.bss+0x420): first defined here
collect2: error: ld returned 1 exit status
make[3]: *** [Makefile:528: snort] エラー 1
make[3]: ディレクトリ '/somewhere/src/snort/snort-2.9.16/src' から出ます
make[2]: *** [Makefile:558: all-recursive] エラー 1
make[2]: ディレクトリ '/somewhere/src/snort/snort-2.9.16/src' から出ます
make[1]: *** [Makefile:516: all-recursive] エラー 1
make[1]: ディレクトリ '/somewhere/src/snort/snort-2.9.16' から出ます
make: *** [Makefile:382: all] エラー 2
#

gentoo.org→snort-2.9.15.1-fno-common.patch\files\snort\net-analyzer - repo/gentoo.git - Official Gentoo ebuild repository

gcc-9.3.1-2.fc31.x86_64.rpm → gcc-10.1.1-1.fc32.x86_64

$ find . -name "*.[ch]" -exec egrep '(sessionPerfStats|FlushMode)' {} \; -print
extern PreprocStats sessionPerfStats;
./src/preprocessors/spp_session.h
PreprocStats sessionPerfStats;
        RegisterPreprocessorProfile("session_manager", &sessionPerfStats, 0, &totalPerfStats, NULL);
        RegisterPreprocessorProfile("session_ha", &sessionHAPerfStats, 1, &sessionPerfStats, NULL);
    PREPROC_PROFILE_START(sessionPerfStats);
                        PREPROC_PROFILE_END(sessionPerfStats);
                        PREPROC_PROFILE_END(sessionPerfStats);
    PREPROC_PROFILE_END(sessionPerfStats);
./src/preprocessors/spp_session.c
} FlushMode_t;
extern FlushMode_t FlushMode;
./src/preprocessors/Stream6/stream_paf.h
PreprocStats sp_sessionPerfStats;
    RegisterPreprocessorProfile("session", &sp_sessionPerfStats, 3, &ruleOTNEvalPerfStats, NULL);
    PREPROC_PROFILE_START(sp_sessionPerfStats);
                 PREPROC_PROFILE_END(sp_sessionPerfStats);
    PREPROC_PROFILE_END(sp_sessionPerfStats);
./src/detection-plugins/sp_session.c
extern PreprocStats sp_sessionPerfStats;
./src/detection-plugins/sp_session.h
$ 

A bug that had gone unnoticed surfaced with fc32's gcc-10; applied the patch and rebuilt...
gcc-10 can now detect the failure where the same struct variable name, defined in different source files, gets mixed up and breaks things...

# grubby --set-default-index 0
The default is /boot/loader/entries/cf557c5d7dbd4f75a28277269a37efa9-5.6.18-300.fc32.x86_64.conf with index 0 and kernel /boot/vmlinuz-5.6.18-300.fc32.x86_64
# grubby --default-index
0
# grubby --default-kernel
/boot/vmlinuz-5.6.18-300.fc32.x86_64
# 

Recurred again with kernel-5.6.18-300.fc32.x86_64 lol. Retreating to 5.6.13, hahaha

spinics.net→Linux Netfilter Devel — Re: compilation of netfilter missing libnftnl functions - undefined reference - (RASPBERRY pi 3B)

nftables-0.9.3-3.fc32.x86_64 → nftables-0.9.6.tar.bz2

Am I really going this far? lol

libnftnl-1.1.7.tar.bz2
libnetfilter_conntrack-1.0.8.tar.bz2

# dnf install readline-devel
# dnf install asciidoc

checking for XTABLES... no
configure: error: Package requirements (xtables >= 1.6.1) were not met:

Package 'xtables', required by 'virtual:world', not found

"xtables" means iptables-devel lol

# dnf install iptables-devel
# dnf install jansson-devel

The reason it can't link against nftnl is that LIBS isn't set. Or rather, the way the environment variables are used differs subtly from library to library...

#LDFLAGS="-L/usr/local/lib -lmnl -lnfnetlink -lnetfilter_queue -ltirpc -lnetfilter_conntrack -lnftnl"
LDFLAGS="-L/usr/local/lib"
LIBS="-lnftnl"
export LDFLAGS LIBS

$ which nft
/usr/local/sbin/nft
$ nft -v
nftables v0.9.6 (Capital Idea #2)
$ 

The cause is probably the ordering of

ct state established,related accept
and queue num 2 lol
When already-permitted traffic pours into the NFQ, doesn't nf_conntrack_update break? lol
There is probably a debate about whether already-permitted traffic should still be inspected inline anyway lol

Recurs with nftables v0.9.6 ✕ kernel-5.6.18-300.fc32.x86_64 too lol. Retreating to 5.6.13, hahaha

moutane.net → Nftables and IPS / Éric Leblond / Stamus Networks (PDF), July 8, 2014

Building the perfect IPS ruleset (1/2)
Implementation
We name chains accordingly to function
We set a higher priority to IPS chain
Creating the chains
nft -i
nft > add table filter
nft > add chain filter firewall { type filter hook forward priority 0 ; }
nft > add chain filter IPS { type filter hook forward priority 10; }

snort's NFQ-based IPS (inline) mode and nft's ct (connection tracking) perform the very same function, tracking connections and dropping packets, so their logic contradicts and they end up conflicting with each other lol. The architecture recommended in 2014 is to have the IPS chain processed later via the priority setting... Hmm, there is probably debate about this too, but if that is the spec there is nothing to be done lol

A mechanism for marking packets and tracking them...

But this is a solution based on priorities inside a single Linux box. Packets get forwarded beyond the chassis. You cannot set priorities on a firewall or IPS sitting in another box. So what happens when those conflict? That is where the discussion ends up...

Test completed with nftables v0.9.6 ✕ kernel-5.6.18-300.fc32.x86_64
Recurred with nftables v0.9.6 ✕ kernel-5.6.19-300.fc32.x86_64 lol, and because of the configuration I can no longer go back to 5.6.13 lol

So snort dies in battle and then sets off a suicide bombing inside the kernel's NFQ...

Running snort in IPS (inline) mode is discontinued lol

Oh well. Switching to suricata-5.0.3-1.fc32.x86_64 lol

suricata-5.0.3 detected a flood of fake ACKs and fake RSTs from Higashi-Shinagawa lol
