Opened 5 years ago

Last modified 2 years ago

#12598 new defect

new package iptables-mod-ndpi

Reported by: heil
Owned by: developers
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords:
Cc:

Description

This package is a GPL implementation of an iptables and netfilter module for
nDPI integration into the Linux kernel. It has a userspace and a kernel part. To ensure
that it builds properly, CONFIG_NF_CONNTRACK_EVENTS=y must be set.
After that, and with an opkg install iptables-mod-ndpi kmod-ipt-ndpi, things like

iptables -I OUTPUT -m ndpi --http -j REJECT

To get all possible targets, issue

iptables -m ndpi --help

With all these targets it should become easier to write QoS rules that depend on protocol matching.

Attachments (2)

iptables-mod-npdi.patch (2.4 KB) - added by heil 5 years ago.
iptables-mod-ndpi.patch
z99-ndpi.patch (4.3 KB) - added by anonymous 5 years ago.

Change History (13)

Changed 5 years ago by heil

iptables-mod-ndpi.patch

comment:1 Changed 5 years ago by anonymous

Not working on latest trunk (34775). Probably the problem is in the kernel. According to the https://github.com/ewildgoose/ndpi-netfilter/ repo, a new kernel requires a patch to allow registration of a second conntrack listening event.
https://github.com/ewildgoose/ndpi-netfilter/blob/master/kernel-patch/hack-conntrack-events.patch

comment:2 Changed 5 years ago by anonymous

Could you tell me the version of the kernel you would like to use and also post the error?

comment:3 Changed 5 years ago by anonymous

Kernel version is 3.6.11.
There are no errors. The package compiles and installs fine.
I'm adding this iptables rule for testing:

iptables -I OUTPUT -m ndpi --http -j LOG --log-prefix "HTTP OUT: "

and then use

logread -f

but I don't see any messages.

comment:4 Changed 5 years ago by anonymous

I've ported this https://github.com/ewildgoose/ndpi-netfilter/blob/master/kernel-patch/hack-conntrack-events.patch as an OpenWrt kernel patch, but still no result. Can anybody help me?
(Patch in attachments)

Changed 5 years ago by anonymous

comment:5 follow-up: Changed 5 years ago by heil

I've built it with barrier_breaker and 3.6.11.

root@wrt-36-11-r1:/# uname -r
3.6.11
root@wrt-36-11-r1:/# uname -m
x86_64

Now I issued iptables -I OUTPUT -m ndpi --http -j LOG --log-prefix "HTTP OUT: " and then
I tried opkg update

Dec 24 00:35:39 wrt-36-11-r1 user.warn kernel: [  334.914313] HTTP OUT: IN= OUT=eth0 SRC=172.18.4.237 DST=78.47.109.197 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=34495 DF PROTO=TCP SPT=45092 DPT=80 WINDOW=363 RES=0x00 ACK URGP=0
Dec 24 00:35:39 wrt-36-11-r1 user.warn kernel: [  334.914313] HTTP OUT: IN= OUT=eth0 SRC=172.18.4.237 DST=78.47.109.197 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=34496 DF PROTO=TCP SPT=45092 DPT=80 WINDOW=409 RES=0x00 ACK URGP=0
Dec 24 00:35:39 wrt-36-11-r1 user.warn kernel: [  334.914313] HTTP OUT: IN= OUT=eth0 SRC=172.18.4.237 DST=78.47.109.197 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=34497 DF PROTO=TCP SPT=45092 DPT=80 WINDOW=477 RES=0x00 ACK URGP=0
Dec 24 00:35:39 wrt-36-11-r1 user.warn kernel: [  334.914313] HTTP OUT: IN= OUT=eth0 SRC=172.18.4.237 DST=78.47.109.197 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=34498 DF PROTO=TCP SPT=45092 DPT=80 WINDOW=496 RES=0x00 ACK URGP=0
Dec 24 00:35:39 wrt-36-11-r1 user.warn kernel: [  334.914313] HTTP OUT: IN= OUT=eth0 SRC=172.18.4.237 

This is without the conntrack patch. You can also tell ewildgoose that the module loads fine. So could you tell me what architecture you are using and which revision?

comment:6 in reply to: ↑ 5 ; follow-up: Changed 5 years ago by anonymous

Replying to heil:

This is without the conntrack patch. You can also tell ewildgoose that the module loads fine. So could you tell me what architecture you are using and which revision?

I'm testing this on WNDR3800 (ar71xx). Revision 34872.

comment:7 in reply to: ↑ 6 Changed 5 years ago by anonymous

Replying to anonymous:

Replying to heil:

This is without the conntrack patch. You can also tell ewildgoose that the module loads fine. So could you tell me what architecture you are using and which revision?

I'm testing this on WNDR3800 (ar71xx). Revision 34872.

Also, here is the result of lsmod:

Module                  Size  Used by    Tainted: G  
af_key                 22944  0 
option                 19264  0 
usb_wwan                5296  1 option
usbserial              21520  2 option,usb_wwan
ath79_wdt               2224  1 
ledtrig_usbdev          1840  0 
ledtrig_netdev          3024  0 
xt_ndpi               144112  0 
nf_nat_irc               784  0 
nf_nat_ftp               976  0 
nf_conntrack_irc        2592  1 nf_nat_irc
nf_conntrack_ftp        4704  1 nf_nat_ftp
xt_policy               1856  1 
xt_esp                   688  0 
ipt_ah                   608  0 
compat_xtables          1536  0 
ipt_MASQUERADE           976  4 
iptable_nat             2576  1 
nf_nat                 10064  4 nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
xt_recent               6000  0 
xt_helper                784  0 
xt_connmark             1136  0 
xt_connbytes            1408  0 
pppoe                   7472  0 
xt_conntrack            2048  3 
xt_CT                   2144  0 
xt_NOTRACK               448  0 
iptable_raw              560  1 
xt_state                 608  0 
nf_conntrack_ipv4       4544  6 iptable_nat,nf_nat
nf_defrag_ipv4           624  1 nf_conntrack_ipv4
nf_conntrack           43504 16 xt_ndpi,nf_nat_irc,nf_nat_ftp,nf_conntrack_irc,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,xt_helper,xt_connmark,xt_connbytes,xt_conntrack,xt_CT,xt_NOTRACK,xt_state,nf_conntrack_ipv4
pppox                   1120  1 pppoe
ipt_REJECT              1808  2 
xt_TCPMSS               1824  1 
xt_LOG                  6368  0 
xt_comment               400 12 
xt_multiport            1104  0 
xt_mac                   528  0 
xt_limit                 928  1 
iptable_mangle           832  1 
iptable_filter           592  1 
ip_tables               8864  4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter
xt_tcpudp               1632 32 
x_tables                9984 27 xt_ndpi,xt_policy,xt_esp,ipt_ah,compat_xtables,ipt_MASQUERADE,iptable_nat,xt_recent,xt_helper,xt_connmark,xt_connbytes,xt_conntrack,xt_CT,xt_NOTRACK,iptable_raw,xt_state,ipt_REJECT,xt_TCPMSS,xt_LOG,xt_comment,xt_multiport,xt_mac,xt_limit,iptable_mangle,iptable_filter,ip_tables,xt_tcpudp
xfrm6_tunnel            1936  0 
xfrm6_mode_tunnel       1040  1 
xfrm6_mode_transport      672  0 
xfrm6_mode_beet         1072  0 
esp6                    4624  0 
ah6                     4112  0 
xfrm4_tunnel             992  0 
xfrm4_mode_tunnel       1648  2 
xfrm4_mode_transport      624  0 
xfrm4_mode_beet         1424  0 
esp4                    4896  1 
ah4                     4176  0 
tunnel6                 1488  1 xfrm6_tunnel
tunnel4                 1584  1 xfrm4_tunnel
tun                    11664  0 
ppp_async               5952  0 
ppp_generic            18848  3 pppoe,pppox,ppp_async
slhc                    4368  1 ppp_generic
xfrm_user              17456  3 
xfrm_algo               3088  6 af_key,esp6,ah6,esp4,ah4,xfrm_user
ath9k                  85328  0 
ath9k_common            1152  1 ath9k
ath9k_hw              337376  2 ath9k,ath9k_common
ath                    14336  3 ath9k,ath9k_common,ath9k_hw
mac80211              274496  1 ath9k
crc_ccitt                944  1 ppp_async
ipv6                  231136 27 xfrm6_tunnel,xfrm6_mode_tunnel,xfrm6_mode_beet,esp6,ah6,tunnel6
cfg80211              155168  3 ath9k,ath,mac80211
compat                  2976  5 ath9k,ath9k_common,ath9k_hw,mac80211,cfg80211
chainiv                 2192  1 
eseqiv                  1856  0 
crypto_wq                368  1 chainiv
sha1_generic            1392  1 
krng                     592  1 
rng                     1264  3 chainiv,eseqiv,krng
md5                     1424  0 
hmac                    2224  2 
des_generic            18720  0 
deflate                 1280  0 
cbc                     1904  1 
authenc                 5120  1 
arc4                    1232  4 
aes_generic            29808 10 
crypto_blkcipher        9584  5 chainiv,eseqiv,cbc,authenc,arc4
cryptomgr               1808  0 
aead                    3936  4 esp6,esp4,authenc,cryptomgr
usb_storage            34672  0 
ohci_hcd               16320  0 
ehci_hcd               33584  0 
sd_mod                 23232  0 
ext4                  250192  0 
jbd2                   41616  1 ext4
mbcache                 3488  1 ext4
usbcore                98480  7 option,usb_wwan,usbserial,ledtrig_usbdev,usb_storage,ohci_hcd,ehci_hcd
usb_common               480  1 usbcore
scsi_mod               70016  2 usb_storage,sd_mod
nls_base                4640  1 usbcore
crc16                    944  1 ext4
zlib_inflate           12112  1 deflate
zlib_deflate           17472  1 deflate
crypto_hash             7888  8 ah6,ah4,sha1_generic,md5,hmac,authenc,ext4,jbd2
crypto_algapi           9440 14 chainiv,eseqiv,krng,hmac,des_generic,deflate,cbc,authenc,arc4,aes_generic,crypto_blkcipher,cryptomgr,aead,crypto_hash
ledtrig_timer            992  0 
ledtrig_default_on       416  0 
leds_gpio               1536  0 
gpio_button_hotplug     3360  0 

dmesg also shows that the module loads fine.

[   33.430000] xt_ndpi 0.1 (nDPI wrapper module).

What else should I check?

comment:8 Changed 5 years ago by Infactum

I've made some more tests, and I can confirm that this package works in an OpenWrt x86 build.
Any ideas on how to make it work on WNDR3800 (ar71xx)?

comment:9 Changed 5 years ago by anonymous

I've updated the package under https://github.com/heil/owrt-package/tree/master/net/iptables-mod-ndpi. Would you mind trying again, to see if the endian issues are gone?

comment:10 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

comment:11 Changed 2 years ago by bittorf@…

Can you please send a pull request in openwrt-packages?

https://github.com/openwrt/packages
