search

vel21ripn / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0
121 stars 60 forks source link

AT_INGRESS undeclared in 4.4.47-amd64 #38

Closed ydy1234 closed 6 years ago

ydy1234 commented 6 years ago

root@vyos:/home/vyos/vel21/nDPI/ndpi-netfilter# make make -C ipt make[1]: Entering directory '/home/vyos/vel21/nDPI/ndpi-netfilter/ipt' make[1]: Nothing to be done for 'all'. make[1]: Leaving directory '/home/vyos/vel21/nDPI/ndpi-netfilter/ipt' make -C src make[1]: Entering directory '/home/vyos/vel21/nDPI/ndpi-netfilter/src' make -j 4 -C /lib/modules/4.4.47-amd64-vyos/build M=$PWD modules -w; make[2]: Entering directory '/usr/src/linux-headers-4.4.47-amd64-vyos' CC [M] /home/vyos/vel21/nDPI/ndpi-netfilter/src/main.o CC [M] /home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/protocols/../third_party/src/ahocorasick.o CC [M] /home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/ndpi_main.o CC [M] /home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/protocols/../third_party/src/node.o In file included from include/linux/filter.h:16:0, from include/net/sock.h:62, from include/linux/tcp.h:22, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../include/ndpi_unix.h:48, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../include/ndpi_main.h:67, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../include/ndpi_api.h:29, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/protocols/../third_party/src/node.c:27: include/net/sch_generic.h: In function ‘skb_at_tc_ingress’: In file included from include/linux/filter.h:16:0, from include/net/sock.h:62, from include/linux/tcp.h:22, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../include/ndpi_unix.h:48, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../include/ndpi_main.h:67, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../include/ndpi_api.h:29, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/ndpi_main.c:35: include/net/sch_generic.h: In function ‘skb_at_tc_ingress’: include/net/sch_generic.h:414:2: error: implicit declaration of function ‘G_TC_AT’ [-Werror=implicit-function-declaration] return G_TC_AT(skb->tc_verd) & AT_INGRESS; ^ include/net/sch_generic.h:414:33: error: ‘AT_INGRESS’ undeclared (first use in this function) return G_TC_AT(skb->tc_verd) & AT_INGRESS; ^ include/net/sch_generic.h:414:33: note: each undeclared identifier is reported only once for each function it appears in In file included from include/linux/filter.h:16:0, from include/net/sock.h:62, from include/linux/tcp.h:22, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../include/ndpi_unix.h:48, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../include/ndpi_main.h:67, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../include/ndpi_api.h:29, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/protocols/../third_party/src/ahocorasick.c:28: include/net/sch_generic.h: In function ‘skb_at_tc_ingress’: include/net/sch_generic.h:414:2: error: implicit declaration of function ‘G_TC_AT’ [-Werror=implicit-function-declaration] return G_TC_AT(skb->tc_verd) & AT_INGRESS; ^ include/net/sch_generic.h:414:33: error: ‘AT_INGRESS’ undeclared (first use in this function) return G_TC_AT(skb->tc_verd) & AT_INGRESS; ^ include/net/sch_generic.h:414:33: note: each undeclared identifier is reported only once for each function it appears in include/net/sch_generic.h:414:2: error: implicit declaration of function ‘G_TC_AT’ [-Werror=implicit-function-declaration] return G_TC_AT(skb->tc_verd) & AT_INGRESS; ^ include/net/sch_generic.h:414:33: error: ‘AT_INGRESS’ undeclared (first use in this function) return G_TC_AT(skb->tc_verd) & AT_INGRESS; ^ include/net/sch_generic.h:414:33: note: each undeclared identifier is reported only once for each function it appears in In file included from include/linux/filter.h:16:0, from include/net/sock.h:62, from include/linux/tcp.h:22, from include/linux/ipv6.h:73, from /home/vyos/vel21/nDPI/ndpi-netfilter/src/main.c:30: include/net/sch_generic.h: In function ‘skb_at_tc_ingress’: include/net/sch_generic.h:414:2: error: implicit declaration of function ‘G_TC_AT’ [-Werror=implicit-function-declaration] return G_TC_AT(skb->tc_verd) & AT_INGRESS; ^ include/net/sch_generic.h:414:33: error: ‘AT_INGRESS’ undeclared (first use in this function) return G_TC_AT(skb->tc_verd) & AT_INGRESS; ^ include/net/sch_generic.h:414:33: note: each undeclared identifier is reported only once for each function it appears in /home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/ndpi_main.c: At top level: /home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/ndpi_main.c:54:35: fatal error: ndpi_network_list.c.inc: No such file or directory

include "ndpi_network_list.c.inc"

                               ^

cc1: some warnings being treated as errors compilation terminated. cc1: some warnings being treated as errors scripts/Makefile.build:258: recipe for target '/home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/protocols/../third_party/src/node.o' failed make[3]: [/home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/protocols/../third_party/src/node.o] Error 1 make[3]: Waiting for unfinished jobs.... cc1: some warnings being treated as errors scripts/Makefile.build:258: recipe for target '/home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/protocols/../third_party/src/ahocorasick.o' failed make[3]: [/home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/protocols/../third_party/src/ahocorasick.o] Error 1 cc1: some warnings being treated as errors scripts/Makefile.build:258: recipe for target '/home/vyos/vel21/nDPI/ndpi-netfilter/src/main.o' failed make[3]: [/home/vyos/vel21/nDPI/ndpi-netfilter/src/main.o] Error 1 scripts/Makefile.build:258: recipe for target '/home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/ndpi_main.o' failed make[3]: [/home/vyos/vel21/nDPI/ndpi-netfilter/src/../lib/ndpi_main.o] Error 1 Makefile:1402: recipe for target 'module/home/vyos/vel21/nDPI/ndpi-netfilter/src' failed make[2]: [module/home/vyos/vel21/nDPI/ndpi-netfilter/src] Error 2 make[2]: Leaving directory '/usr/src/linux-headers-4.4.47-amd64-vyos' Makefile:165: recipe for target 'modules' failed make[1]: [modules] Error 2 make[1]: Leaving directory '/home/vyos/vel21/nDPI/ndpi-netfilter/src' Makefile:2: recipe for target 'all' failed make: [all] Error 2

Could you help to check where cause the issue how to fix it ?

vel21ripn commented 6 years ago

fatal error: ndpi_network_list.c.inc: No such file or directory

Read ndpi-netfilter/INSTALL "3. Compile and install"

About error G_TC_AT: this is the vanilla kernel 4.4.67 ? What branch: netfilter or netfilter-2.2 ?

ydy1234 commented 6 years ago

Now , it could compile it succesfully. I have another issue , I want to use iptables cmd to let sina packet go through one certain route to one VM machine, do you know the cmd?

elico commented 6 years ago

@ydy1234 What is this sina packet? It's very simple to route a packet or a connection to one VM but if it's a TCP it's one thing while if it's UDP it's another.

ydy1234 commented 6 years ago

hi,@elico, thanks for your quick reply I just want to redirect sina packet which is recongnized by ndpi to one certain destination , such as give one certain output path to certain server. I'm not familiar with iptables cmd to do the route selection, I want to get some msg about the ipatables cmd how to transfer it. It will be more better if theres has some examples.

BRS

ydy1234 commented 6 years ago

![Uploading 3.PNG…]() When i visit weibo.com, the website could visit normally, but i have set reject to it . Could you help to check how to fix it ?

elico commented 6 years ago

@ydy1234 can we focus on one issue at a time? You also do not give enough technical details about what you want to achieve and also I still do not understand what do you know about iptables operations.

There are many examples on how to use iptables and couple on how to use the nDPI module. The nDPI module is not in a level of http proxy or any other MiTM software.

How did you set to reject the traffic using nDPI, what commands have you used? I can test it locally but I need to understand first what you are doing....

ydy1234 commented 6 years ago

iptables -i output -m ndpi --sina -j reject then i visit weibo.com and sina.com,the web display normally not my expection which is cant visit. i have add new protocolid ndpi_service_sina and add sina host in ndpi_content_list.c.inc. iptables -nvL all 0 value when visit sina.

and the same issue when i test yahoo. iptables -i output -m ndpi --sina -j reject

elico commented 6 years ago

@ydy1234 First try to block a known service like youtube and google. If it still doesn't block\drop\reject then you will need to rewrite your rules. From what I remember you need mangle rules to make it work. You can see a complex example at: https://github.com/vel21ripn/nDPI/issues/26#issuecomment-338062088

but I would start by adding these:

iptables -t mangle -A PREROUTING -m ndpi --all 
iptables -t mangle -A FORWARD -m ndpi --all 
iptables -t mangle -A POSTROUTING -m ndpi --all 
iptables -t mangle -A INPUT -m ndpi --all 
iptables -t mangle -A OUTPOUT -m ndpi --all

and see if the counters are adding. Also you should know that in order for you to route "sina" packets to a specific VM then you would need a proxy service rather then an nDPI module. The nDPI module will identify these sina packets only after the connection will be already in an ESTABLISHED mode and there for routing to another VM for something probably will not do what you expect. I believe that a combination of DNS interception or eavesdropping with some ipset rules will do much then what nDPI currently can do.

ydy1234 commented 6 years ago

root@ubuntu:/home/ntop/Desktop/veldpi/MyVelDpi/MyVelDpi/nDPI-netfilter/ndpi-netfilter/src# iptables -t mangle -A PREROUTING -m ndpi --all root@ubuntu:/home/ntop/Desktop/veldpi/MyVelDpi/MyVelDpi/nDPI-netfilter/ndpi-netfilter/src# iptables -t mangle -A FORWARD -m ndpi --all root@ubuntu:/home/ntop/Desktop/veldpi/MyVelDpi/MyVelDpi/nDPI-netfilter/ndpi-netfilter/src# iptables -t mangle -A POSTROUTING -m ndpi --all root@ubuntu:/home/ntop/Desktop/veldpi/MyVelDpi/MyVelDpi/nDPI-netfilter/ndpi-netfilter/src# iptables -t mangle -A INPUT -m ndpi --all root@ubuntu:/home/ntop/Desktop/veldpi/MyVelDpi/MyVelDpi/nDPI-netfilter/ndpi-netfilter/src# iptables -t mangle -A OUTPOUT -m ndpi --all iptables: No chain/target/match by that name. root@ubuntu:/home/ntop/Desktop/veldpi/MyVelDpi/MyVelDpi/nDPI-netfilter/ndpi-netfilter/src# iptables -nvL Chain INPUT (policy ACCEPT 20799 packets, 33M bytes) pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 16208 packets, 1286K bytes) pkts bytes target prot opt in out source destination

When i add example rules, i see nothing ,just chain Output ***bytes is increasing. is there anything wrong the cmd i use ?

elico commented 6 years ago

@ydy1234 these details are really not related to the issue. Since the topic got the right answer and you have questions about another subject first close this issue and then either open a new issue about iptables usage\operation or\and contact me on my email: eliezer@ngtech.co.il. I do not know what your past experience with iptables but it seems that you are missing some fundamentals. I will be more then happy to try and assist you to understand more but for some reason I couldn't find using google the right iptables text tutorial for you so later I will try to find it again.

ydy1234 commented 6 years ago

@elico,Thx a lot. I'm one newer in iptables and WAN. I have read some website about iptables . It will be better if you could give me some advice or some examples abot how to ues it in live NW or production.