NAT and netfilter help


x86tech

Sep 26, 2012, 2:49:00 AM
to ns-3-...@googlegroups.com
I need to simulate a network that consists of a firewall. There's not much info or documentation from what I've read further. I'm currently trying the gsoc-nat repo by vsindhuja but I'm unable to run examples for NAT and netfilter. Any help is greatly appreciated.

x86tech

Sep 26, 2012, 11:11:31 AM
to ns-3-...@googlegroups.com
from <vsindhuja/gsoc-nat> mercurial repo. This is the error while building using ./waf command:
.......
In file included from ./ns3/ipv4-nat.h:31,
                 from ./ns3/ipv4-nat-helper.h:23,
                 from ./ns3/internet-module.h:39,
                 from ../examples/error-model/simple-error-model.cc:40:
./ns3/ipv4-netfilter.h:123: error: expected ‘,’ or ‘...’ before ‘>’ token
./ns3/ipv4-netfilter.h:123: error: parse error in template argument list
./ns3/ipv4-netfilter.h:123: error: default argument for parameter of type ‘ns3::ContinueCallback’ has type ‘<unresolved overloaded function type>’
./ns3/ipv4-netfilter.h:123: error: default argument missing for parameter 7 of ‘uint32_t ns3::Ipv4Netfilter::ProcessHook(uint8_t, ns3::Hooks_t, ns3::Ptr<ns3::Packet>, ns3::Ptr<ns3::NetDevice>, ns3::Ptr<ns3::NetDevice>, ns3::ContinueCallback, ns3::Ptr<ns3::Packet>)’
In file included from ./ns3/ipv4-nat.h:31,
                 from ./ns3/ipv4-nat-helper.h:23,
                 from ./ns3/internet-module.h:39,
                 from ../examples/energy/energy-model-example.cc:27:
./ns3/ipv4-netfilter.h:123: error: expected ‘,’ or ‘...’ before ‘>’ token
./ns3/ipv4-netfilter.h:123: error: parse error in template argument list
./ns3/ipv4-netfilter.h:123: error: default argument for parameter of type ‘ns3::ContinueCallback’ has type ‘<unresolved overloaded function type>’
./ns3/ipv4-netfilter.h:123: error: default argument missing for parameter 7 of ‘uint32_t ns3::Ipv4Netfilter::ProcessHook(uint8_t, ns3::Hooks_t, ns3::Ptr<ns3::Packet>, ns3::Ptr<ns3::NetDevice>, ns3::Ptr<ns3::NetDevice>, ns3::ContinueCallback, ns3::Ptr<ns3::Packet>)’
........

Build failed
 -> task in 'simple-error-model' failed (exit status 1):
    {task 4562002576: cxx simple-error-model.cc -> simple-error-model.cc.1.o}
['/usr/bin/g++', '-O0', '-ggdb', '-g3', '-Wall', '-Werror', '-Wno-error=deprecated-declarations', '-fstrict-aliasing', '-Wstrict-aliasing', '-Ibuild', '-I.', '-I.', '-I/Users/reinier/repos/ns-3-allinone', '-DNS3_ASSERT_ENABLE', '-DNS3_LOG_ENABLE', '-DSQLITE3=1', '../examples/error-model/simple-error-model.cc', '-c', '-o', 'examples/error-model/simple-error-model.cc.1.o']
 -> task in 'energy-model-example' failed (exit status 1):
    {task 4561981392: cxx energy-model-example.cc -> energy-model-example.cc.1.o}
['/usr/bin/g++', '-O0', '-ggdb', '-g3', '-Wall', '-Werror', '-Wno-error=deprecated-declarations', '-fstrict-aliasing', '-Wstrict-aliasing', '-Ibuild', '-I.', '-I.', '-I/Users/reinier/repos/ns-3-allinone', '-DNS3_ASSERT_ENABLE', '-DNS3_LOG_ENABLE', '-DSQLITE3=1', '../examples/energy/energy-model-example.cc', '-c', '-o', 'examples/energy/energy-model-example.cc.1.o']


and this is src/internet/model/ipv4-netfilter.h line 123:

  uint32_t ProcessHook (uint8_t protocolFamily, Hooks_t hookNumber, Ptr<Packet> p,Ptr<NetDevice> in, Ptr<NetDevice> out, ContinueCallback cc = MakeNullCallback <uint32_t, Ptr<Packet> > ());    //ContinueCallback ccb = defaultContinueCallback);
 
I'm highlighting the part that possibly causes the error. I'm able to successfully build by replacing the highlighted with the commented line.

Tom Henderson

Sep 27, 2012, 10:22:10 AM
to ns-3-...@googlegroups.com, x86tech, V.Sindhuja
On 09/26/2012 08:11 AM, x86tech wrote:
> from/<vsindhuja/gsoc-nat/> mercurial repo. This is the error while
> building using /./waf/ command:
>
> .......
>
> In file included from ./ns3/ipv4-nat.h:31,
> from ./ns3/ipv4-nat-helper.h:23,
> from ./ns3/internet-module.h:39,
> from ../examples/error-model/simple-error-model.cc:40:
> ./ns3/ipv4-netfilter.h:123: error: expected ‘,’ or ‘...’ before ‘>’
> token
> ./ns3/ipv4-netfilter.h:123: error: parse error in template argument list
> ./ns3/ipv4-netfilter.h:123: error: default argument for parameter of
> type ‘ns3::ContinueCallback’ has type ‘<unresolved overloaded
> function type>’
> ./ns3/ipv4-netfilter.h:123: error: default argument missing for
> parameter 7 of ‘uint32_t ns3::Ipv4Netfilter::ProcessHook(uint8_t,
> ns3::Hooks_t, ns3::Ptr<ns3::Packet>, ns3::Ptr<ns3::NetDevice>,
> ns3::Ptr<ns3::NetDevice>, ns3::ContinueCallback, ns3::Ptr<ns3::Packet>)’
> In file included from ./ns3/ipv4-nat.h:31,
> from ./ns3/ipv4-nat-helper.h:23,
> from ./ns3/internet-module.h:39,
> from ../examples/energy/energy-model-example.cc:27:
> ./ns3/ipv4-netfilter.h:123: error: expected ‘,’ or ‘...’ before ‘>’
> token
> ./ns3/ipv4-netfilter.h:123: error: parse error in template argument list
> ./ns3/ipv4-netfilter.h:123: error: default argument for parameter of
> type ‘ns3::ContinueCallback’ has type ‘<unresolved overloaded
> function type>’
> ./ns3/ipv4-netfilter.h:123: error: default argument missing for
> parameter 7 of ‘uint32_t ns3::Ipv4Netfilter::ProcessHook(uint8_t,
> ns3::Hooks_t, ns3::Ptr<ns3::Packet>, ns3::Ptr<ns3::NetDevice>,
> ns3::Ptr<ns3::NetDevice>, ns3::ContinueCallback, ns3::Ptr<ns3::Packet>)’
> ........
>
> Build failed
> -> task in 'simple-error-model' failed (exit status 1):
> {task 4562002576: cxx simple-error-model.cc ->
> simple-error-model.cc.1.o}
> ['/usr/bin/g++', '-O0', '-ggdb', '-g3', '-Wall', '-Werror',
> '-Wno-error=deprecated-declarations', '-fstrict-aliasing',
> '-Wstrict-aliasing', '-Ibuild', '-I.', '-I.',
> '-I/Users/reinier/repos/ns-3-allinone', '-DNS3_ASSERT_ENABLE',
> '-DNS3_LOG_ENABLE', '-DSQLITE3=1',
> '../examples/error-model/simple-error-model.cc', '-c', '-o',
> 'examples/error-model/simple-error-model.cc.1.o']
> -> task in 'energy-model-example' failed (exit status 1):
> {task 4561981392: cxx energy-model-example.cc ->
> energy-model-example.cc.1.o}
> ['/usr/bin/g++', '-O0', '-ggdb', '-g3', '-Wall', '-Werror',
> '-Wno-error=deprecated-declarations', '-fstrict-aliasing',
> '-Wstrict-aliasing', '-Ibuild', '-I.', '-I.',
> '-I/Users/reinier/repos/ns-3-allinone', '-DNS3_ASSERT_ENABLE',
> '-DNS3_LOG_ENABLE', '-DSQLITE3=1',
> '../examples/energy/energy-model-example.cc', '-c', '-o',
> 'examples/energy/energy-model-example.cc.1.o']
>
>
> and this is /src/internet/model/ipv4-netfilter.h/ line 123:
>
> uint32_t ProcessHook (uint8_t protocolFamily, Hooks_t hookNumber,
> Ptr<Packet> p,Ptr<NetDevice> in, Ptr<NetDevice> out,
> ContinueCallback cc = MakeNullCallback <uint32_t, Ptr<Packet> > ());
> //ContinueCallback ccb = defaultContinueCallback);
>
> I'm highlighting the part that possibly causes the error. I'm able to
> successfully build by replacing the highlighted with the commented line.


You may be looking at code that is not the freshest.

This code is still under development, but if you want to use the latest,
please pull the patches out of the code review referenced here:

http://mailman.isi.edu/pipermail/ns-developers/2012-August/010593.html

Specifically, apply patchsets 1 and 3 located here:
http://codereview.appspot.com/6454146/

- Tom

x86tech

Sep 28, 2012, 8:20:55 AM
to ns-3-...@googlegroups.com
Thank you for the information. I will look into this and try some tests.

x86tech

Sep 30, 2012, 9:25:19 PM
to ns-3-...@googlegroups.com, x86tech, V.Sindhuja

> You may be looking at code that is not the freshest.
>
> This code is still under development, but if you want to use the latest,
> please pull the patches out of the code review referenced here:
>
> http://mailman.isi.edu/pipermail/ns-developers/2012-August/010593.html
>
> Specifically, apply patchsets 1 and 3 located here:
> http://codereview.appspot.com/6454146/
>
> - Tom

Why do I get errors when patching? I re-cloned the repo to make sure there are no outstanding changes. Then, I downloaded the raw patch set for each set (1 & 3) and used hg import for the .diff files.

Here is the error for Patch Set 1:
applying issue6454146_1.diff
file src/internet/examples/netfilter-add-remove.cc already exists
1 out of 1 hunks FAILED -- saving rejects to file src/internet/examples/netfilter-add-remove.cc.rej
abort: patch failed to apply

Is there an option to force the overwrite? I tried -f but it still failed.

For Patch Set 3:
applying issue6454146_4001.diff
patching file doc/models/Makefile
Hunk #1 FAILED at 48
Hunk #2 FAILED at 260
2 out of 2 hunks FAILED -- saving rejects to file doc/models/Makefile.rej
abort: patch failed to apply
 

x86tech

Sep 30, 2012, 9:26:45 PM
to ns-3-...@googlegroups.com, x86tech, V.Sindhuja
Another thing, is there a way to feed tcpdumps or any other format as the packet data to be passed on by the nodes?

Tom Henderson

Oct 1, 2012, 9:43:58 AM
to ns-3-...@googlegroups.com, x86tech, V.Sindhuja
On 09/30/2012 06:26 PM, x86tech wrote:
> Another thing, Is there a way to feed /tcpdump/s or any other format as
> the packet data to be passed on by the nodes?

I'm not sure that I understand the question. Are you asking whether the
netfilter hooks could receive tcpdumps instead of ns-3 packets?

- Tom

Tom Henderson

Oct 1, 2012, 9:47:13 AM
to ns-3-...@googlegroups.com, x86tech, V.Sindhuja
On 09/30/2012 06:25 PM, x86tech wrote:
>
> You may be looking at code that is not the freshest.
>
> This code is still under development, but if you want to use the
> latest,
> please pull the patches out of the code review referenced here:
>
> http://mailman.isi.edu/pipermail/ns-developers/2012-August/010593.html
>
>
> Specifically, apply patchsets 1 and 3 located here:
> http://codereview.appspot.com/6454146/
>
> - Tom
>
>
> Why do I get errors when patching? I re-cloned the repo to make sure
> there are no outstanding changes. Then, I downloaded the raw patch set
> for each set (1 & 3) and used */hg import/* for the /.diff/ files.
>
> Here is the error for Patch Set 1:
>
> applying issue6454146_1.diff
> file src/internet/examples/netfilter-add-remove.cc already exists


Are you cloning ns-3-dev? These patches are defined for ns-3-dev.

Also, I would just use "patch" with these; they are not hg changesets.

cd ns-3-dev
patch -p1 -i patchfile1.patch
patch -p1 -i patchfile3.patch

(you can append the --dry-run option to test drive the patch if you wish)

There are a couple of patch failures (mainly documentation related, and
also one log statement) due to a few things being changed in ns-3-dev
since these patches were made, but I think they can be ignored or
manually fixed.

- Tom

x86tech

Oct 1, 2012, 12:57:38 PM
to ns-3-...@googlegroups.com, x86tech, V.Sindhuja

Yes, that is one way I would like to test the netfilter hooks. What I would like to do is to set up a dumbbell-shaped network topology:
- 5 nodes from outside the network (left side of the dumbbell);
- a node containing firewall (middle of the dumbbell);
- and 5 nodes inside the private network (right side of the dumbbell).

I need the 5 nodes "outside the network" to send a data set of known/labeled tcpdumps (compilation of good and bad "attack" connections) to the middle node, acting as a firewall, for the netfilter to work on. These would then be passed on to the "private network" if the rules set allow it to go through.

x86tech

Oct 1, 2012, 1:12:43 PM
to ns-3-...@googlegroups.com, x86tech, V.Sindhuja

> Are you cloning ns-3-dev? These patches are defined for ns-3-dev.
>
> Also, I would just use "patch" with these; they are not hg changesets.
>
> cd ns-3-dev
> patch -p1 -i patchfile1.patch
> patch -p1 -i patchfile3.patch
>
> (you can append the --dry-run option to test drive the patch if you wish)
>
> There are a couple of patch failures (mainly documentation related, and
> also one log statement) due to a few things being changed in ns-3-dev
> since these patches were made, but I think they can be ignored or
> manually fixed.
>
> - Tom

Using this, it seems to have done the trick for patching in ns-3-dev, but I still get the same errors from my above post during build with ./waf. Anyway, I just resorted to using the ns-3-gsoc-nat repo and edited the ipv4-netfilter.h source file that's causing the error. My main problem now is stated in the previous post.

Thanks for the guidance. I hope you could still help me on this.