论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2008-01-30 16:25 |只看该作者 |倒序浏览

最近在探索l7-filter-userspace，使用包里默认的配置文件，在执行l7-filter -f <configfile> -v -v -v -v 以后输出：

unbinding existing nf_queue handler for AF_INET (if any)
binding nfnetlink_queue as nf_queue handler for AF_INET
binding this socket to queue '0'
setting copy_packet mode

复制代码

然后就停止不动，看了下程序，是在void l7_queue::start(int queuenum) 中阻塞：

...
l7printf(3, "setting copy_packet mode\n");
if(nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
cerr << "can't set packet_copy mode\n";
exit(1);
}
nh = nfq_nfnlh(h);
fd = nfnl_fd(nh);
// this is the main loop
while (true){
while ((rv = recv(fd, buf, sizeof(buf), 0)) && rv >= 0)
nfq_handle_packet(h, buf, rv);
...

复制代码

即recv()函数阻塞，我的理解是l7-filter没有受到iptables发过来的封包；
又查了半天iptables的配置，因为之前没怎么接触过，还是没有头绪，以下是iptables的配置：

[root@fedora7 sysconfig]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j NFQUEUE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
[root@fedora7 sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NFQUEUE 0 -- anywhere anywhere NFQUEUE num 0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

复制代码

日志文件中有类似输出：

Jan 30 16:20:28 fedora7 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jan 30 16:23:09 fedora7 kernel: ip_conntrack version 2.4 (4090 buckets, 32720 max) - 196 bytes per conntrack
Jan 30 16:23:09 fedora7 kernel: ctnetlink v0.90: registering with nfnetlink.

复制代码

机器有两个网卡：

[root@fedora7 sysconfig]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:08:A1:05:24:B5
inet addr:192.168.5.200 Bcast:192.168.5.255 Mask:255.255.255.0
inet6 addr: fe80::208:a1ff:fe05:24b5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:208405 errors:0 dropped:0 overruns:0 frame:0
TX packets:40379 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23832515 (22.7 MiB) TX bytes:15146954 (14.4 MiB)
Interrupt:11 Base address:0xd800
eth1 Link encap:Ethernet HWaddr 00:08:A1:05:22:9F
inet addr:192.168.5.254 Bcast:192.168.5.255 Mask:255.255.255.0
inet6 addr: fe80::208:a1ff:fe05:229f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6785040 errors:0 dropped:0 overruns:0 frame:0
TX packets:823 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3537398437 (3.2 GiB) TX bytes:41836 (40.8 KiB)
Interrupt:9 Base address:0xd400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4138 errors:0 dropped:0 overruns:0 frame:0
TX packets:4138 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:23549732 (22.4 MiB) TX bytes:23549732 (22.4 MiB)

复制代码

其中eth0是交换机镜像输出的端口(不过也可以从该地址登录上来)，eth1是控制端口，也可以从该地址登录上来。

各位帮我看看问题大概出在那一步？谢谢。

[ 本帖最后由 digex 于 2008-1-30 16:35 编辑 ]

文库|博客

digex

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2008-01-31 09:17 |只看该作者

自顶.iptables-1.3.7,l7-filter-userspace-v0.4 ,操作系统，Linux fedora7 2.6.21 #1 SMP Mon Jan 28 16:02:43 CST 2008 i686 i686 i386 GNU/Linux

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

digex

白手起家

论坛徽章:: 0

3楼 [报告]

发表于 2008-02-01 15:50 |只看该作者

参照http://l7-filter.sourceforge.net/HOWTO-userspace
For Linux 2.6.20 and newer, Netfilter has new "Layer 3 Independent Connection tracking" which l7-filter is not yet compatible with (mostly due to lack of library support from libnetfilter_conntrack). While the old layer 3 dependent connection tracking is still available, it is not selected by default, so you will probably need to recompile your kernel with it. In the Linux kernel config, go to Networking → Networking options → Network packet filtering framework (Netfilter) → Core Netfilter Configuration. Under "Netfilter connection tracking support", select "Layer 3 Dependent Connection tracking (OBSOLETE)". Then go to Networking → Networking options → Network packet filtering framework → IP: Netfilter Configuration" and enable "Connection tracking netlink interface" (and probably most of the rest of the stuff on that page). This is a pain in the ass, sorry!
将该页里的模块全部选中，重新编译下内核就好了。

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

platinum

广告杀手

论坛徽章:: 0

4楼 [报告]

发表于 2008-02-01 15:55 |只看该作者

内核不支持 netlink 吧？

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

digex

白手起家

论坛徽章:: 0

5楼 [报告]

发表于 2008-02-21 11:11 |只看该作者

将 Networking → Networking options → Network packet filtering framework → IP: Netfilter Configuration" 页面里全部选项选中以后，重新编译了下内核就可以了。
iptables -A FORWARD -j NFQUEUE 发现l7-filter受到的包很少，增加了
iptables -A INPUT -i eth1 -j NFQUEUE，l7-filter受到的包倒是多很多，
不过识别的好像不太理想，配置文件：
msn-filetransfer       55
msnmessenger 56
qq    68
xunlei  110
skypeout       78
skypetoskype 79
ssh    87
telnet  94
tftp 96
bittorrent    16
dhcp 24
dns    26
edonkey 28
ftp    32
http 43
jabber  49
pop3 67
sip    77
识别的有dhcp dns edonkey qq skypeout skypetoskype。
这是通过l7-filter -v -v -v -v 输出日志里的 “matched dhcp”之类的信息来判断，不知道是否准确。
还有下一步该做什么工作？

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

返回列表

Chinaunix › 论坛 › 操作系统 › Linux系统管理 › l7-filter-usespace收不到iptables的QUEUE

[网络管理] l7-filter-usespace收不到iptables的QUEUE [复制链接]

浏览过的版块