Opened 6 years ago

Last modified 4 years ago

#10993 new defect

iptables-snmp.so crashes snmpd

Reported by: Alfred Ganz <alfred-ganz+openwrt@…> Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: Cc:

Description

I have attempted to use iptables-snmp with snmpd on Buffalo
WZR-HP-G300NH under bleeding edge, r30556. With a minor hack to
/etc/init.d/snmpd I was able to add the module to snmpd. However, trying to access its elements with an snmpwalk from another system,
snmpd crashed after returning the 2 static variables:

IPTABLES-MIB::iptablesMIB.6.1.1.0.1 = STRING: "0.1"
IPTABLES-MIB::iptablesMIB.6.1.1.0.2 = STRING: "1.3.3"

(the snmpwalk works without trouble with the vanilla configuration).

Looking at the libraries loaded with snmpd (using lsof), I find that
iptables-snmp.so is loaded, but libiptc.so is not, but it is needed
by iptables-snmp.so. Looking at the binary file iptables-snmp.so it
seems that it doesn't contain a reference to libiptc.so. Since this
module used to be linked with a static libiptc.ar, is it possible
that a reference for the dynamic library is missing?

Attachments (0)
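
The check described in the ticket (does the module record a dependency on libiptc at all?) can be done by reading the `DT_NEEDED` entries of the ELF dynamic section. The following is an added example, not part of the original ticket or of iptables-snmp; `needed_libs` and `build_sample` are hypothetical names, and the sample image and its `libc.so.0` entry are constructed for the demonstration.

```python
import struct
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def needed_libs(elf: bytes) -> list:
    """Return the DT_NEEDED names of an ELF image (32/64-bit, either byte order)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, e = elf[4] == 2, "<" if elf[5] == 1 else ">"
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), elf, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54 if is64 else 42)
    segs = []  # (p_type, p_offset, p_vaddr, p_filesz) per program header
    for base in range(phoff, phoff + phnum * phentsize, phentsize):
        if is64:
            p_type, _, off, va, _, size = struct.unpack_from(e + "IIQQQQ", elf, base)
        else:
            p_type, off, va, _, size = struct.unpack_from(e + "IIIII", elf, base)
        segs.append((p_type, off, va, size))
    dyn = next((s for s in segs if s[0] == PT_DYNAMIC), None)
    if dyn is None:
        return []  # no dynamic section: the loader will not pull in anything
    fmt, tags = e + ("qQ" if is64 else "iI"), []
    for pos in range(dyn[1], dyn[1] + dyn[3], struct.calcsize(fmt)):
        tag, val = struct.unpack_from(fmt, elf, pos)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
    strtab_va = next(v for t, v in tags if t == DT_STRTAB)
    # DT_STRTAB is a virtual address; map it to a file offset through PT_LOAD
    stroff = next(off + strtab_va - va for t, off, va, size in segs
                  if t == PT_LOAD and va <= strtab_va < va + size)
    names = (elf[stroff + v:elf.index(b"\0", stroff + v)] for t, v in tags if t == DT_NEEDED)
    return [n.decode() for n in names]

def build_sample(libs):
    """Constructed ELF32 big-endian image carrying the given DT_NEEDED names."""
    strtab, offs = b"\0", []
    for name in libs:
        offs.append(len(strtab))
        strtab += name.encode() + b"\0"
    dyn_off = 52 + 2 * 32  # ELF header plus two program headers
    str_off = dyn_off + 8 * (len(libs) + 2)
    dyn = b"".join(struct.pack(">iI", DT_NEEDED, o) for o in offs)
    dyn += struct.pack(">iIiI", DT_STRTAB, str_off, DT_NULL, 0)
    total = str_off + len(strtab)
    ehdr = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 3, 8, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    phdrs = struct.pack(">8I", PT_LOAD, 0, 0, 0, total, total, 5, 4)
    phdrs += struct.pack(">8I", PT_DYNAMIC, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 6, 4)
    return ehdr + phdrs + dyn + strtab
```

On a real module, pass the file contents (`open(path, "rb").read()`) to `needed_libs`; a plugin that calls into libiptc but lists no libiptc entry depends on the host process having loaded that library already.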

Change History (6)

comment:1 Changed 6 years ago by Alfred Ganz <alfred-ganz+openwrt@…>

A question: is there a trick to force the loading of a library in the
absence of a linking loader so I could check if things would work with
libiptc present?

Thanks, AG

comment:2 Changed 6 years ago by Alfred Ganz <alfred-ganz+openwrt@…>

OK, I have done some scrounging around now. Here is what I have found:

  • the source URL seems to be unreachable, I had to retrieve the source from somewhere else on the net
  • the source file (iptables-snmp.c) did an include for a local version of libipt/libiptc.h
  • as expected, there were problems with the Makefile, the link command relied on a local copy of LDFLAGS which was overwritten by the build, that happens to be the reason why libiptc.so.0 was never used
  • after the above fixes there remain a large number (between 15 and 20) of warnings, but all for the same double pointer reference that I have not sorted out. However, in order to do that one has to understand the iptables data structures much better than I do at the moment.

So I end up with the question, is there *any* interest in resurrecting iptables-snmp?

comment:3 Changed 6 years ago by Alfred Ganz <alfred-ganz+openwrt@…>

I have now played around some more:

  • with some changes to the Makefile{.in} the module can be built without using a private version of libiptc.
  • it turns out that the above double pointers are indeed due to a change in the iptc interface definitions, and one indirection can simply be removed when building under iptables-1.4.10.
  • also, building under iptables-1.3.5, compiling with -liptc works fine, but compiling under iptables-1.4.10 requires -lip4tc.
  • access to the iptables chain information failed, but after adding a proper reference to make_data_context for the chains it is now available as well.
  • unfortunately, the most interesting information, the various counters, can not yet be reached because of a problem with snmp_set_var_typed_value() for ASN_COUNTER64, that I don't know how to fix (yet).

comment:4 Changed 6 years ago by Alfred Ganz <alfred-ganz+openwrt@…>

So here is the answer to the counter puzzles:

  • all the counters are 64 bits, and they are now of ASN_COUNTER64 type (they were different in the MIB), and they are only available with snmp v2 and higher.
  • the counters associated with builtin chains were not available because the loop over chain policies was terminated with the first non-builtin policy, and the chain counters happen to be associated with policies in the iptc world.

I now have a patch file with patches for various files in iptables-snmp-0.1 that make
a working module for snmpd.

I want to clean things up a bit and then submit the patches.

comment:5 Changed 6 years ago by Alfred Ganz <alfred-ganz+openwrt@…>

I have submitted a new ticket (#11045) with patches for all of the above.
This ticket can now be closed.

comment:6 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
