Opened 7 years ago

Last modified 7 years ago

#140 closed task

vuurmuur relies on obsolete CONFIG_NF_CONNTRACK_PROCFS kernel option — at Initial Version

Reported by: svoop Owned by: Victor Julien
Priority: minor Milestone: undecided
Component: suite Version: 0.8beta4
Keywords: conntrack kernel Cc:

Description

(This report is based on vuurmuur-0.8_beta4 which is not yet included in the version list below.)

According to Victor, vuurmuur checks at startup if /proc/net/ip_conntrack or /proc/net/nf_conntrack exist on the system and dies with "Error (-1): no connection tracking support in the kernel (in: check_iptcaps:782)" otherwise.

However, CONFIG_NF_CONNTRACK_PROCFS is marked as obsolete on Linux:

This option enables for the list of known conntrack entries to be shown in procfs under net/netfilter/nf_conntrack. This is considered obsolete in favor of using the conntrack(8) tool which uses Netlink.

Maybe a better approach would be to check whether the conntrack userspace utility (the location is configured with vuurmuur_conf: conntrack location) is present and only fall back to the /proc/net entries otherwise.

Question: Do other parts of the vuurmuur code also access the /proc/net entires?

Change History (0)

Note: See TracTickets for help on using tickets.