Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 232838 - iptstate doesn't work on kernel 2.6.20-1.2925.fc6
Summary: iptstate doesn't work on kernel 2.6.20-1.2925.fc6
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: iptstate
Version: 6
Hardware: All
OS: Linux
medium
urgent
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact:
URL:
Whiteboard:
Depends On: 210324
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-18 17:42 UTC by Eric Hopper
Modified: 2008-01-08 13:36 UTC (History)
3 users (show)

Fixed In Version: iptstate-2.2.1-1.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-08 13:36:25 UTC


Attachments (Terms of Use)
Compatibility mode extension (deleted)
2007-03-22 16:49 UTC, Tomas Hoger
no flags Details | Diff

Description Eric Hopper 2007-03-18 17:42:52 UTC
Description of problem:
This program no longer displays any information at all.

Version-Release number of selected component (if applicable):
iptstate-1.4-1.1.2.2

How reproducible:
Every time

Steps to Reproduce:
1.Try to use it while having connection tracking loaded
  
Actual results:
Nothing shows up

Expected results:
A list of the tracked connections

Additional info:
This program is going for /proc/net/ip_conntrack and in kernel 2.6.20-1.2925.fc6
(and possibly earlier) this file does not exist.  Instead the file
/proc/net/nf_conntrack is used.

Also, in kernel 2.6.20-1.2925.fc6 /proc/net/nf_conntrack may contain IPv6
information, and I do not know if iptstat yet has the code to handle this at
all, much less display the IPv6 information.

Comment 1 Eric Hopper 2007-03-18 17:51:46 UTC
It's urgent for this package anyway, as it won't work at all with newer kernels
until it's fixed.

Comment 2 Eric Hopper 2007-03-19 03:25:53 UTC
Version 2.2.0 was just released today.  It fixes this problem (and several
others) completely, though it still doesn't show IPv6 states.  It likely will in
a future version though.


Comment 3 Tomas Hoger 2007-03-19 09:46:47 UTC
Latest verions of iptstate seems to prefer using libnetfilter_conntrack to
direct access to /proc files.  However:

- libnetfilter_conntrack is in Extras
- iptstate requires libnetfilter_conntrack version 0.0.50 or later (FC6 extras
contain 0.0.31)


Comment 4 Tomas Hoger 2007-03-20 07:54:23 UTC
libnetfilter_conntrack was updated to 0.0.50 in FC6 extras.  Thanks to Paul P.
Komkoff Jr.

Comment 5 Eric Hopper 2007-03-20 12:59:15 UTC
You mentioned this, but it seems to me that it bears more explicit mention...

libnetfilter_conntrack needs to be moved into core, or iptstate needs to move
into extras.  The situation where iptstate is in Core in a library it depends on
is in Extras isn't OK.


Comment 6 Tomas Hoger 2007-03-20 19:39:21 UTC
Core vs. Extras should no longer be an issue for FC7.

For FC6 and older, it may be possible to compile ipstate with deprecated
"backwards compatability proc mode", but it won't solve ip_conntrack vs.
nf_conntrack issue, as file path is hardcoded (#define-d) in source.


Comment 7 Tomas Hoger 2007-03-22 16:49:13 UTC
Created attachment 150674 [details]
Compatibility mode extension

Attached patch extends iptstate compatibility mode in following ways:

- adds simple runtime detection of ip_conntrack vs. nf_conntrack
- fixes parsing of nf_conntrack file

Works for me, testers are welcome of course ;).

Comment 8 Will Woods 2007-05-16 16:12:53 UTC
Core+Extras have merged for F7, so F7 will get iptables-2.2.x as an update
shortly after release. 

iptables 2.1 has been built for FC6 - you can get test packages here:
http://koji.fedoraproject.org/koji/buildinfo?buildID=1364

Please give those a try and see if they fix your problem.

Comment 9 Warren Togami 2007-05-16 18:07:07 UTC
wwoods and I talked on IRC after this message.  We have subsequently decided
that iptstate can be updated prior to F7, but you need to get working build done
within the next 12 hours or so.


Comment 10 Tomas Hoger 2007-05-18 09:19:16 UTC
New version for FC6 seems to work with latest kernels, but it does *not* provide
solution to the original problem.  That problem was resolved by newer kernels,
which again provide /proc/net/ip_conntrack file besides /proc/net/nf_conntrack.

As a result, on latest FC6 kernels (tested with 2.6.20-1.2948.fc6), both old
(iptstate-1.4-1.1.2.2) and new (iptstate-2.1-1) versions of iptstate work.  On
kernels with nf_conntrack only (e.g. kernel-2.6.20-1.2933.fc6), both versions fail.

If ip_conntrack is back to stay, I guess there's no urgent need to push new
iptstate to FC6.  And if ip_conntrack is going to disappear again soon, new
version will not help.


Comment 11 Till Maas 2008-01-08 13:36:25 UTC
iptstate works on Fedora 7 and older releases are not supported anymore,
therefore I close this bug.


Note You need to log in before you can comment on or make changes to this bug.