Opened 7 years ago
Closed 6 years ago
#140 closed task (fixed)
vuurmuur relies on obsolete CONFIG_NF_CONNTRACK_PROCFS kernel option
| Reported by: | svoop | Owned by: | Victor Julien |
|---|---|---|---|
| Priority: | minor | Milestone: | undecided |
| Component: | suite | Version: | 0.8beta4 |
| Keywords: | conntrack kernel | Cc: |
Description (last modified by )
(This report is based on vuurmuur-0.8_beta4 which is not yet included in the version list below.)
According to Victor, vuurmuur checks at startup if /proc/net/ip_conntrack or /proc/net/nf_conntrack exist on the system and dies with "Error (-1): no connection tracking support in the kernel (in: check_iptcaps:782)" otherwise.
However, CONFIG_NF_CONNTRACK_PROCFS is marked as obsolete on Linux:
This option enables for the list of known conntrack entries to be shown in procfs under net/netfilter/nf_conntrack. This is considered obsolete in favor of using the conntrack(8) tool which uses Netlink.
Maybe a better approach would be to check whether the conntrack userspace utility (the location is configured with vuurmuur_conf: conntrack location) is present and only fall back to the /proc/net entries otherwise.
Question: Do other parts of the vuurmuur code also access the /proc/net entires?
Change History (1)
comment:1 Changed 6 years ago by
| Description: | modified (diff) |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
| Version: | svn → 0.8beta4 |
0.8rc1 now uses the conntrack utility as suggested.
In other parts of the capabilities checking /proc/net entries are used indeed: /proc/net/ip6_tables_matches /proc/net/ip6_tables_names /proc/net/ip6_tables_targets
/proc/net/ip_tables_matches /proc/net/ip_tables_names /proc/net/ip_tables_targets
are used to determine which tables, matches and modules are supported.