Closed pratikg-infinity closed 2 weeks ago
Is conntrack -L empty?
Does grep . /sys/module/xt_ndpi/parameters/err_ct* show non-zero values?
conntrack -L is empty, err_ct_null has non-zero value and other params have 0 values.
$ conntrack -L
conntrack v1.4.7 (conntrack-tools): 0 flow entries have been shown.
$ sudo grep . /sys/module/xt_ndpi/parameters/err_ct*
/sys/module/xt_ndpi/parameters/err_ct_confirm:0
/sys/module/xt_ndpi/parameters/err_ct_free_magic:0
/sys/module/xt_ndpi/parameters/err_ct_ndpi:0
/sys/module/xt_ndpi/parameters/err_ct_nolabel:0
/sys/module/xt_ndpi/parameters/err_ct_null:282
Need nf_conntrack running. I don't know how to do this in "vyos 1.5" kernel "6.6.37-amd64-vyos". You may need to add some rule that checks the connection state (iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP).
What does the command lsmod | grep conntrack show?
Here is the output of lsmod:
$ lsmod | grep conntrack
nf_conntrack_netlink    61440  0
nf_conntrack           192512  5 nf_nat,nfnetlink_cthelper,nft_ct,nf_conntrack_netlink,xt_ndpi
nf_defrag_ipv6          24576  1 nf_conntrack
nf_defrag_ipv4          12288  1 nf_conntrack
nfnetlink               20480  4 nfnetlink_cthelper,nft_compat,nf_conntrack_netlink,nf_tables
If "conntrack -L" does not show any connections, nDPI will not work.
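The three checks vel21ripn walks through above (conntrack -L, the err_ct_* counters, lsmod) can be folded into one pre-flight script. This is an added example, not part of the ndpi-netfilter project; the function names are mine and the *_from_text helpers let the logic be exercised on captured output like the one quoted in this thread.

```sh
#!/bin/sh
# Added example: diagnose why xt_ndpi matches nothing by checking the
# conntrack preconditions discussed in this issue. Functions only; call
# ndpi_ct_check_live (as root) on a real box.

# Flow count from the `conntrack -L` summary line, e.g.
# "conntrack v1.4.7 (conntrack-tools): 0 flow entries have been shown."
ct_flows_from_text() {
    printf '%s\n' "$1" | sed -n 's/.*: \([0-9][0-9]*\) flow entries have been shown\./\1/p'
}

# err_ct_null value from `grep . /sys/module/xt_ndpi/parameters/err_ct*` output
err_ct_null_from_text() {
    printf '%s\n' "$1" | sed -n 's#.*/err_ct_null:\([0-9][0-9]*\)#\1#p'
}

# True when lsmod output lists nf_conntrack itself (not just *_netlink etc.)
nf_conntrack_loaded_from_text() {
    printf '%s\n' "$1" | grep -q '^nf_conntrack '
}

# Verdict from the three signals: prints a reason, returns 0 only if nDPI can work.
# Args: <flow count> <err_ct_null> <yes|no: nf_conntrack loaded>
ndpi_ct_verdict() {
    flows=$1; nulls=$2; loaded=$3
    if [ "$loaded" != yes ]; then
        echo "nf_conntrack module not loaded"; return 1
    fi
    if [ "${flows:-0}" -eq 0 ]; then
        echo "conntrack table is empty: no flow is tracked, xt_ndpi cannot match"; return 1
    fi
    if [ "${nulls:-0}" -gt 0 ]; then
        echo "err_ct_null=$nulls: packets hit xt_ndpi without a conntrack entry"; return 1
    fi
    echo "conntrack OK"; return 0
}

# Live wrapper: gathers the same three outputs from the running system.
ndpi_ct_check_live() {
    ct_out=$(conntrack -L 2>&1 || true)
    err_out=$(grep . /sys/module/xt_ndpi/parameters/err_ct* 2>/dev/null || true)
    loaded=no
    nf_conntrack_loaded_from_text "$(lsmod)" && loaded=yes
    ndpi_ct_verdict "$(ct_flows_from_text "$ct_out")" \
                    "$(err_ct_null_from_text "$err_out")" "$loaded"
}
```

Fed the output quoted in this thread (0 flows, err_ct_null=282, nf_conntrack loaded), the verdict is the empty-table case, which matches the fix that followed.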
@vel21ripn Thanks for the guidance. It was helpful. I figured out that conntrack was not showing connections because the NAT configuration was missing. After configuring an SNAT rule as follows, it started blocking connections:
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 translation address 'masquerade'
Hello,
I am trying to build ndpi-netfilter module on vyos 1.5 kernel 6.6.37-amd64-vyos.
I have compiled the ndpi-netfilter module at commit d824fc1 with a manually patched kernel based on the changes under ndpi-netfilter/kernel-patch/v6.1.38.diff, as I couldn't succeed in building the vyos kernel with CONFIG_LIVEPATCH=y. The ndpi-netfilter module was compiled successfully using gcc v12.2.0, and I am able to load the module and create an iptables rule using the ndpi module as follows:
iptables -A OUTPUT -m ndpi --proto http -j REJECT
However, the rule is not matching the traffic, so it is not blocking as expected.
Can you please guide how to resolve this issue?