ip_conntrack unload problems

Ho Ming Shun hmshmj@singnet.com.sg
Tue, 16 May 2000 23:20:13 +0800


Hi,

Today, I have been trying to get the same error to occur again, but failed.
However, when that error occurred, my brother had been hammering my NAT with
some multiplayer game data, so I will ask him to test that game again ASAP.
Will have to put that thing under more stress. Meanwhile, ip_conntrack
unloads normally.

I guess the most surefire way to solve a problem is to try to recreate it
for a bug report. ;>

I haven't reported to this list that when I was using pre6, every time the
ip_conntrack unloads, it will complain:
May 14 10:05:00 cyphbox kernel: kmem_destroy: Can't free all objects c11c6240

Then when it loads again:
May 13 23:54:23 cyphbox kernel: kmem_create: Dup name - ip_conntrack

Below are my scripts. Meanwhile, also check them for errors ;>

--- /etc/ppp/ip-up---
#!/bin/sh

# check if used on an older kernel (quote the substitution so the test
# is well-formed even when grep prints nothing)
if [ -n "$(uname -r | grep '2\.2\.')" ]; then
 /etc/ppp/ip-up-old
 exit
fi

/sbin/modprobe -k ip_tables

####################################################
# Configuration                                    #
####################################################

#IPTABLES=echo                        # for debugging purposes (dry run)
IPTABLES=/sbin/iptables               # location of iptables
INET_IF=ppp+                          # interface connected to the net

LOG_ALERT='ALERT '                    # message for dangerous packet
LOG_PACKET='LOG '                     # message for packet logged
LOG_FLOOD='FLOOD '                    # message for flood

FILTER='--table filter'               # filter table
NAT='--table nat'                     # nat table

####################################################
# Define "sub-routines".                           #
####################################################

DefSubs()
{
 # Deny and log the offending packet.
 $IPTABLES $FILTER -N DropNLog
 $IPTABLES $FILTER -A DropNLog -j LOG --log-level err --log-prefix "$LOG_ALERT"
 $IPTABLES $FILTER -A DropNLog -j DROP

 # Log the packet
 $IPTABLES $FILTER -N LogPacket
 $IPTABLES $FILTER -A LogPacket -j LOG --log-level warn --log-prefix "$LOG_PACKET"

 # Anti-flooding Rule
 $IPTABLES $FILTER -N AntiFlood
 $IPTABLES $FILTER -A AntiFlood -m limit --limit 1/second -j RETURN
 $IPTABLES $FILTER -A AntiFlood -j LOG --log-level err --log-prefix "$LOG_FLOOD"
 $IPTABLES $FILTER -A AntiFlood -j DROP
}

####################################################
# Define rules for packets coming in from the net. #
####################################################

Protect(){
 # Shortcut to add rule
 local ADDRULE
 ADDRULE="$IPTABLES $FILTER -A Protect"

 # First create the new chain
 $IPTABLES $FILTER -N Protect

 # TCP Rules
 # Ports 0-1023 and X server ports (6000-6010) are blocked
 $ADDRULE --proto tcp --dport :1023 -j DropNLog
 $ADDRULE --proto tcp --dport 6000:6010 -j DropNLog


 # UDP Rules
 # Ports 0-1023 are blocked
 $ADDRULE --proto udp --dport :1023 -j DropNLog

 # ICMP Rules
 # Log all ICMP packets, then rate-limit echo requests (pings)
 $ADDRULE --proto icmp -j LogPacket
 $ADDRULE --proto icmp --icmp-type 8 -j AntiFlood
}

####################################################
# Sets up IP Masquerading.                         #
####################################################

Masq(){
 # Sets up masquerading
 $IPTABLES $NAT -A POSTROUTING --out-interface $INET_IF -j MASQUERADE
 $IPTABLES $FILTER --policy FORWARD ACCEPT
 echo "1">/proc/sys/net/ipv4/ip_forward
}

####################################################
# Main Setup Area.                                 #
####################################################

# load the "sub-routines" into kernel
DefSubs

# Set up filtering.
Protect
$IPTABLES $FILTER -A INPUT --in-interface $INET_IF -j Protect

# Turn on IP Masquerading
Masq
---------

--- /etc/ppp/ip-down---

#!/bin/sh
#
# The pppd executes this script every time a PPP connection goes down
# and passes the following args to it:
#
#  $1 device
#  $2 tty
#  $3 speed
#  $4 local IP addr
#  $5 remote IP addr
#
# You can then execute special commands (like removing routes)
# depending on the arguments passed by the pppd.
#

# check if used on an older kernel (quote the substitution so the test
# is well-formed even when grep prints nothing)
if [ -n "$(uname -r | grep '2\.2\.')" ]; then
        /etc/ppp/ip-down-old
        exit
fi

####################################################
# Configuration                                    #
####################################################

#IPTABLES=echo                        # for debugging purposes (dry run)
IPTABLES=/sbin/iptables               # location of iptables

FILTER='--table filter'               # when accessing the filter table
NAT='--table nat'                     # when accessing the nat table

$IPTABLES $FILTER -F
$IPTABLES $FILTER -X

$IPTABLES $NAT -F
$IPTABLES $NAT -X

echo "0">/proc/sys/net/ipv4/ip_forward

-------



--
---------------------Ho Ming Shun aka Cyph-----------------------
 E-mail : hmshmj@singnet.com.sg, cyph31@hotmail.com
 ICQ    : 19906710 (Cyph)
----"Why can't Kernel module support be compile as a module?"----
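As an added example (not part of the original mail): a small parser for the kernel log lines that the LOG rules in the ip-up script above write, keyed on the ALERT / LOG / FLOOD prefixes, so the dropped and rate-limited traffic can be tallied per source and port. The sample syslog lines are constructed, and the `KEY=value` field layout of iptables LOG output is assumed.

```python
import re
from collections import Counter

# Prefixes set by --log-prefix in the ip-up script (trailing space stripped by the regex).
PREFIXES = ("ALERT", "LOG", "FLOOD")

# KEY=value pairs in the iptables LOG line (assumed layout; OUT= may be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
PREFIX_RE = re.compile(r"kernel: (" + "|".join(PREFIXES) + r") (.*)$")

def parse_line(line):
    """Return a dict for one syslog line written by an iptables LOG rule,
    or None if the line does not carry one of our prefixes."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group(1)}
    rec.update(KV_RE.findall(m.group(2)))   # later duplicates (e.g. ICMP ID=) overwrite
    return rec

def summarize(lines):
    """Count logged packets per prefix, and (src, proto, dport) for packets
    that the DropNLog (ALERT) and AntiFlood (FLOOD) chains dropped."""
    per_prefix = Counter()
    drops = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_prefix[rec["prefix"]] += 1
        if rec["prefix"] in ("ALERT", "FLOOD"):
            drops[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return per_prefix, drops

# Constructed sample lines (not from the original mail); addresses are documentation ranges.
SAMPLE = [
    "May 14 10:05:00 cyphbox kernel: ALERT IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 14 10:05:01 cyphbox kernel: ALERT IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=43211 DPT=6000 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 14 10:05:02 cyphbox kernel: LOG IN=ppp0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
    "May 14 10:05:02 cyphbox kernel: FLOOD IN=ppp0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2",
    "May 14 10:05:03 cyphbox kernel: kmem_destroy: Can't free all objects c11c6240",
]

if __name__ == "__main__":
    counts, dropped = summarize(SAMPLE)
    print(dict(counts))
    for key, n in dropped.items():
        print("dropped %d from %s %s dport=%s" % (n, key[0], key[1], key[2]))
```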