vel21ripn / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

Failed to match traffic with manually patched kernel v6.6.37 #199

Closed (pratikg-infinity closed this 2 weeks ago)

pratikg-infinity commented 1 month ago

Hello,

I am trying to build the ndpi-netfilter module on vyos 1.5, kernel 6.6.37-amd64-vyos.

I have compiled the ndpi-netfilter module at commit d824fc1 against a manually patched kernel, based on the changes in ndpi-netfilter/kernel-patch/v6.1.38.diff, as I couldn't succeed in building the vyos kernel with CONFIG_LIVEPATCH=y.

The ndpi-netfilter module compiled successfully using gcc v12.2.0, and I am able to load the module and create an iptables rule using the ndpi match as follows:

iptables -A OUTPUT -m ndpi --proto http -j REJECT

However, the rule is not matching the traffic, due to which it's not blocking as expected.

 iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi proto http reject-with icmp-port-unreachable

Can you please guide how to resolve this issue?

vel21ripn commented 1 month ago

Is conntrack -L empty? Does grep . /sys/module/xt_ndpi/parameters/err_ct* show any non-zero values?

pratikg-infinity commented 1 month ago

conntrack -L is empty, err_ct_null has a non-zero value and the other parameters have 0 values.

$ conntrack -L

conntrack v1.4.7 (conntrack-tools): 0 flow entries have been shown.

$ sudo grep . /sys/module/xt_ndpi/parameters/err_ct*
/sys/module/xt_ndpi/parameters/err_ct_confirm:0
/sys/module/xt_ndpi/parameters/err_ct_free_magic:0
/sys/module/xt_ndpi/parameters/err_ct_ndpi:0
/sys/module/xt_ndpi/parameters/err_ct_nolabel:0
/sys/module/xt_ndpi/parameters/err_ct_null:282

vel21ripn commented 1 month ago

Need nf_conntrack running. I don’t know how to do this in “vyos 1.5” kernel “6.6.37-amd64-vyos”. You may need to add some rule that checks the connection state (iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP)

What does the command lsmod | grep conntrack show?

pratikg-infinity commented 1 month ago

Here is the output of lsmod:

$ lsmod | grep conntrack
nf_conntrack_netlink    61440  0
nf_conntrack           192512  5 nf_nat,nfnetlink_cthelper,nft_ct,nf_conntrack_netlink,xt_ndpi
nf_defrag_ipv6          24576  1 nf_conntrack
nf_defrag_ipv4          12288  1 nf_conntrack
nfnetlink               20480  4 nfnetlink_cthelper,nft_compat,nf_conntrack_netlink,nf_tables

vel21ripn commented 1 month ago

If "conntrack -L" does not show any connections, nDPI will not work.

pratikg-infinity commented 1 month ago

@vel21ripn Thanks for the guidance. It was helpful. I figured out that conntrack was not showing connections because the NAT configuration was missing. After configuring an SNAT rule as follows, it started blocking connections.

set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 translation address 'masquerade'
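The two checks vel21ripn asked for above (an empty conntrack table and non-zero err_ct_* counters), written up as a small diagnostic script. This is an added example for this page, not code from nDPI or ndpi-netfilter; the parameter directory is passed as an argument so the logic can be run against a copy of the sysfs files, and the real path /sys/module/xt_ndpi/parameters is only used when it exists.

```shell
#!/bin/sh
# Codifies the diagnosis from this thread: an -m ndpi rule can only match when
# nf_conntrack holds a flow entry for the packet. An empty conntrack table
# together with a growing err_ct_null counter is the tell-tale combination.

# Print every non-zero err_ct_* counter under $1 as "name value", one per line.
nonzero_err_ct() {
    dir=$1
    for f in "$dir"/err_ct_*; do
        [ -f "$f" ] || continue
        v=$(cat "$f")
        if [ "$v" != "0" ]; then
            echo "$(basename "$f") $v"
        fi
    done
    return 0
}

# $1: number of flows listed by `conntrack -L`; $2: xt_ndpi parameter directory.
# Returns 0 when conntrack is tracking flows and 1 when the table is empty
# (the symptom from the issue); err_ct_null is reported when it is non-zero.
diagnose_xt_ndpi() {
    flows=$1
    dir=$2
    null_count=$(nonzero_err_ct "$dir" | awk '$1 == "err_ct_null" { print $2 }')
    if [ "$flows" -eq 0 ]; then
        echo "conntrack table is empty${null_count:+ and err_ct_null=$null_count}:" \
             "packets reach xt_ndpi without a conntrack entry, so no -m ndpi rule can match." \
             "Enable tracking first (a -m conntrack --ctstate rule or NAT, as in the thread)."
        return 1
    fi
    if [ -n "$null_count" ]; then
        echo "conntrack has $flows flows but err_ct_null=$null_count;" \
             "the counter is cumulative, so re-check whether it is still growing."
    else
        echo "conntrack has $flows flows and no xt_ndpi err_ct_* counter is set."
    fi
    return 0
}

# Stand-alone run on a host that actually has the module loaded (needs root).
# conntrack -L prints flows on stdout and its summary line on stderr.
if [ -d /sys/module/xt_ndpi/parameters ]; then
    flows=$(conntrack -L 2>/dev/null | wc -l)
    diagnose_xt_ndpi "$flows" /sys/module/xt_ndpi/parameters
fi
```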