NS3-DCE-1.4 - using iptables application


Richard

Dec 8, 2014, 7:19:50 AM
to ns-3-...@googlegroups.com
I'm trying to use iptables within my DCE simulation, but I'm struggling to get it to compile with the appropriate flags.

Whenever I add

 LDFLAGS=-pie

to configure, compilation fails.

Has anyone else managed to get iptables running in NS3, that could give me a few pointers?

Thanks in advance,

Richard


My current output...

$ ./configure CFLAGS="-fPIC -U_FORTIFY_SOURCE" libnftnl_CFLAGS="-fPIC -U_FORTIFY_SOURCE" libnfnetlink_CFLAGS="-fPIC -U_FORTIFY_SOURCE" libmnl_CFLAGS="-fPIC -U_FORTIFY_SOURCE"  libnetfilter_conntrack_CFLAGS="-fPIC -U_FORTIFY_SOURCE" libnetfilter_conntrack_LIBS="-pie -rdynamic" libnfnetlink_LIBS="-pie -rdynamic" libmnl_LIBS="-pie" libnftnl_LIBS="-pie -rdynamic" --enable-libipq --with-xtlibdir=/lib/xtables --disable-static
 
$ make
... 
make[2]: Entering directory `/home/richard/Software/iptables/utils'
/bin/bash ../libtool  --tag=CC   --mode=link gcc -Wall -Waggregate-return -Wmissing-declarations -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes -Winline -pipe -fPIC -U_FORTIFY_SOURCE   -o nfnl_osf nfnl_osf.o -pie -rdynamic 
libtool: link: gcc -Wall -Waggregate-return -Wmissing-declarations -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes -Winline -pipe -fPIC -U_FORTIFY_SOURCE -o nfnl_osf nfnl_osf.o -pie -rdynamic 
nfnl_osf.o: In function `osf_load_line':
nfnl_osf.c:(.text+0xd77): undefined reference to `nfnl_fill_hdr'
nfnl_osf.c:(.text+0xdb9): undefined reference to `nfnl_fill_hdr'
nfnl_osf.c:(.text+0xde9): undefined reference to `nfnl_addattr_l'
nfnl_osf.c:(.text+0xe29): undefined reference to `nfnl_talk'
nfnl_osf.o: In function `main':
nfnl_osf.c:(.text+0x109c): undefined reference to `nfnl_open'
nfnl_osf.c:(.text+0x110b): undefined reference to `nfnl_subsys_open'
nfnl_osf.c:(.text+0x117f): undefined reference to `nfnl_subsys_close'
nfnl_osf.c:(.text+0x118f): undefined reference to `nfnl_subsys_close'
nfnl_osf.c:(.text+0x119d): undefined reference to `nfnl_close'
nfnl_osf.c:(.text+0x11b2): undefined reference to `nfnl_close'
collect2: error: ld returned 1 exit status
make[2]: *** [nfnl_osf] Error 1

Hajime Tazaki

Dec 12, 2014, 6:32:48 AM
to ns-3-...@googlegroups.com

hi,

I tried with iptables-1.4.21 with the following
configuration.


% ./configure LIBS="-pie -rdynamic" CFLAGS="-fPIC -U_FORTIFY_SOURCE" \
--with-xtlibdir=/lib/xtables --disable-static

and it generates proper xtables-multi file with expected
binary format.

in iptables, it seems that LDFLAGS should not be used to
change flags for DCE, because other libraries built with
iptables also use this flag. instead, the LIBS variable works
*at this moment* (it may also break in the future, though).

hope this helps you.
have a good day.

-- Hajime


Richard

Dec 12, 2014, 8:12:31 AM
to ns-3-...@googlegroups.com
Thanks Hajime,

I can confirm this worked for me after moving to iptables-1.4.21. 

Richard

Feb 23, 2015, 6:47:48 PM
to ns-3-...@googlegroups.com
I'm trying to use iptables (with the binary generated above) for load balancing, using the match and mark modules. 

I've started with a simple chain, to mark any new connections with 1:

iptables -A PREROUTING -t mangle -m state --state NEW -j MARK --set-mark 1

Which I have converted into the following code:

    dce.SetBinary ("xtables-multi");
    dce.ResetArguments ();
    dce.ResetEnvironment ();
    dce.AddArgument ("iptables");
    dce.AddArgument ("-A");
    dce.AddArgument ("PREROUTING");
    dce.AddArgument ("-t");
    dce.AddArgument ("mangle");
    dce.AddArgument ("-m");
    dce.AddArgument ("state");
    // each AddArgument() is one argv[] entry: option and value must be separate,
    // exactly as the shell would split "--state NEW" on the command line
    dce.AddArgument ("--state");
    dce.AddArgument ("NEW");
    dce.AddArgument ("-j");
    dce.AddArgument ("MARK");
    dce.AddArgument ("--set-mark");
    dce.AddArgument ("1");

I've added the appropriate kernel modules and re-compiled; the simulation runs successfully, but I get the following error in the node's output:

iptables v1.4.21: Couldn't load match `state':No such file or directory

I'm assuming this means I'm lacking the iptables extension libraries, such as libxt_state.so? If this is the case, does anyone have any recommendations on how to get DCE to load them?
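A separate pitfall in the AddArgument() list above, independent of the missing-extension error: every AddArgument() call becomes exactly one argv[] element, so a rule fragment like "--state NEW" handed over as a single string reaches iptables as one unsplittable token. The following added example (my code, not Richard's script and not part of ns-3-dce) tokenizes a rule the way the shell would and flags glued option/value entries before they are fed to the helper. SplitRule and HasGluedOptionValue are hypothetical helper names; the DceApplicationHelper method names in the comment are the ones used in this thread.

```cpp
#include <cctype>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Shell-style tokenizer for an iptables rule: whitespace separates tokens and
// single or double quotes group a value that legitimately contains spaces
// (for example a --comment string). Throws on an unterminated quote.
std::vector<std::string> SplitRule(const std::string& rule)
{
    std::vector<std::string> out;
    std::string cur;
    bool inToken = false;
    char quote = 0;
    for (char c : rule) {
        if (quote) {
            if (c == quote) quote = 0;
            else cur += c;
        } else if (c == '\'' || c == '"') {
            quote = c;
            inToken = true;            // an empty quoted string is still a token
        } else if (std::isspace(static_cast<unsigned char>(c))) {
            if (inToken) { out.push_back(cur); cur.clear(); inToken = false; }
        } else {
            cur += c;
            inToken = true;
        }
    }
    if (quote)
        throw std::invalid_argument("unterminated quote in iptables rule");
    if (inToken)
        out.push_back(cur);
    return out;
}

// True if some argv entry is an option glued to its value, such as "--state NEW"
// passed as one AddArgument(): the option parser then sees a single unknown
// long option instead of --state followed by its value.
bool HasGluedOptionValue(const std::vector<std::string>& argv)
{
    for (const std::string& tok : argv) {
        if (tok.size() > 1 && tok[0] == '-') {
            for (unsigned char c : tok)
                if (std::isspace(c)) return true;
        }
    }
    return false;
}

// How this would be wired into a DCE script (DceApplicationHelper method names
// as used in the thread; this part is illustrative and not compiled here):
//   dce.SetBinary ("xtables-multi");
//   dce.ResetArguments ();
//   dce.ResetEnvironment ();
//   dce.AddArgument ("iptables");
//   for (const std::string& a : SplitRule (rule)) dce.AddArgument (a);

int main()
{
    // Constructed input: the rule from the post, as typed on the command line.
    const std::string rule = "-A PREROUTING -t mangle -m state --state NEW -j MARK --set-mark 1";
    std::vector<std::string> argv = SplitRule(rule);
    for (const std::string& a : argv)
        std::printf("argv entry: [%s]\n", a.c_str());
    std::printf("glued option/value present: %s\n", HasGluedOptionValue(argv) ? "yes" : "no");
    return 0;
}
```

Running the check on the hand-written list from the post reports a glued entry for "--state NEW"; running it on SplitRule's output reports none, and the quoted-value path keeps a multi-word --comment string as one entry, which is the one case where whitespace inside an argv element is correct.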

Richard

Mar 2, 2015, 1:30:46 PM
to ns-3-...@googlegroups.com
I've stripped the iptables command down significantly, but it is still failing. It doesn't look like any of the tables are actually loaded; I've not managed to verify whether the problem is coming from the kernel module or the user space application.

The following code:

    dce.SetBinary ("xtables-multi");
    dce.ResetArguments ();
    dce.ResetEnvironment ();
    dce.AddArgument ("iptables");
    dce.AddArgument ("-L");
    apps = dce.Install(nodes.Get(1));
    apps.Start(Seconds (2.0)); 

gives this output on stderr; it seems to be the same no matter which table I specify:

iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

The xtables binary I have generated works on my machine, so I'm assuming it's a kernel issue.

I've been including all the necessary components as built-ins instead of modules in make menuconfig ARCH=sim. The output from /var/log/messages doesn't suggest anything has gone wrong while loading the kernel modules, and I can see the tables (filter & nat) registering after adding some printk's.

I'm going to keep digging and will update if I get anywhere, if anyone has any pointers in the mean time, it would be greatly appreciated. 

Richard

Mar 3, 2015, 2:13:11 PM
to ns-3-...@googlegroups.com, taz...@wide.ad.jp
So I have found the reason for the tables not loading properly, I'm yet to come up with an elegant solution though. 

When allocating memory for the filter table with xt_alloc_table_info (net/netfilter/x_tables.c), this check is reached:

    if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
        return NULL;

This condition is always true, as totalram_pages is set to 0 in sim/glue.c, so it will always return NULL. Commenting it out fixes the problem, and the simple execution of iptables -L works as expected.

Changing the kernel code isn't ideal, but I can't actually see a better work around at the moment. 

N.B.
I also needed to add vzalloc to slab.c.

/* vzalloc is missing from the DCE sim kernel glue; provide a zeroed kmalloc in its place */
void *vzalloc(unsigned long size)
{
    return kmalloc (size, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO);
}

Anything that requires the iptables extensions still fails though, as iptables is trying to manually load them using dlopen; obviously they don't exist in files-0/$(libsdir).

I've created an application helper to copy the shared libraries into the nodes file system, leading to iptables attempting to load the target or match with dlopen. After that I get a segfault, and I've hit a wall finding a solution. 

Program received signal SIGSEGV, Segmentation fault.
_dl_debug_initialize (ldbase=ldbase@entry=0, ns=-2) at dl-debug.c:58
58 dl-debug.c: No such file or directory.
(gdb) bt
#0  _dl_debug_initialize (ldbase=ldbase@entry=0, ns=-2) at dl-debug.c:58
#1  0xb7ff0725 in _dl_open (file=0xb579eb7c "/usr/local/lib/xtables/libipt_MASQUERADE.so", mode=-2147483646
    caller_dlopen=0xb5a343ec <load_extension+502>, nsid=<optimised out>, argc=2, argv=0xbfffebc4, env=0x80be000) at dl-open.c:689
#2  0xb65e0cbc in ?? () from elf-cache/0/libdl.so.2
#3  0xb7fecc26 in _dl_catch_error (objname=0xb65e8018, errstring=0xb65e801c, mallocedp=0xb65e8014, operate=0xb65e0c30, 
    args=0xb579eab0) at dl-error.c:187
#4  0xb65e137c in ?? () from elf-cache/0/libdl.so.2
#5  0xb65e0d71 in dlopen () from elf-cache/0/libdl.so.2
#6  0xb5a343ec in load_extension (search_path=0xb5a3a802 "/usr/local/lib/xtables", af_prefix=0xb5a3a72d "libipt_", 
    name=0x80c1420 "MASQUERADE", is_target=true) at xtables.c:571
#7  0xb5a3491d in xtables_find_target (name=0x80c1420 "MASQUERADE", tryload=XTF_TRY_LOAD) at xtables.c:725

I've added debug flags to the iptables compilation, which doesn't seem to have helped much.

Any suggestions would be really appreciated. 

Hajime Tazaki

Mar 12, 2015, 4:09:37 AM
to rick.w...@gmail.com, ns-3-...@googlegroups.com

iptables support for DCE would be great to include in the bakefile.


1) dlopen issue
since DCE can't handle dlopen(3), you may try with
'--disable-shared' for the configure option of iptables.

2) the totalram_pages issue has also been raised and is tracked in the
following bugzilla entry.

https://www.nsnam.org/bugzilla/show_bug.cgi?id=2074

just for your information.

-- Hajime


Richard

Mar 13, 2015, 4:33:36 PM
to ns-3-...@googlegroups.com, rick.w...@gmail.com
Thanks Hajime, 

The following worked for me:

./configure LIBS="-pie -rdynamic" CFLAGS="-fPIC -U_FORTIFY_SOURCE" \
    --with-xtlibdir=/lib/xtables --disable-shared

This worked straight away on Debian 7, but on Ubuntu 14.04 I needed to patch iptables/Makefile, adding -lnetfilter_conntrack to xtables_multi_LDADD.

I've attached a working NAT simulation, for anyone that is interested. 

Best,

Richard
dce-nat-test.cc

Hajime Tazaki

Mar 13, 2015, 7:37:56 PM
to ns-3-...@googlegroups.com, rick.w...@gmail.com

Hi Richard,

At Fri, 13 Mar 2015 13:33:35 -0700 (PDT),
Richard wrote:
>
> Thanks Hajime,
>
> The following worked for me;
>
> ./configure LIBS="-pie -rdynamic" CFLAGS="-fPIC -U_FORTIFY_SOURCE" \
> --with-xtlibdir=/lib/xtables --disable-shared
>
> Which worked straight away in Debian 7, but I needed to patch the
> iptables/Makefile in Ubuntu 14.04, adding -lnetfilter_conntrack
> to xtables_multi_LDADD
>
> I've attached a working NAT simulation, for anyone that is interested.

this is great.

would you mind including this script in the ns-3-dce
repository?

I would probably add LinuxStackHelper::RunIptables() and do
cleanup a bit, and document it, with the bakeconf.xml for
the iptables build.

-- Hajime

Richard Withnell

Mar 13, 2015, 9:26:17 PM
to Hajime Tazaki, ns-3-...@googlegroups.com
No problem.

I've cleaned it up a little and attached patches for LinuxStackHelper::RunIptables() and the vzalloc patch. 

I'll read up on the NS3 patch submission process for future reference too. 
dce_runiptables.patch
dce_vzalloc.patch
dce-nat-test.cc

Hajime Tazaki

Mar 13, 2015, 9:57:07 PM
to Richard Withnell, ns-3-...@googlegroups.com

Great!
I'll get back to you after reviewing them.

-- Hajime
<dce_runiptables.patch>
<dce_vzalloc.patch>

Hajime Tazaki

Mar 15, 2015, 10:52:00 AM
to rick.w...@gmail.com, ns-3-...@googlegroups.com

Hi Richard,

1) didn't you have another modification to ns-3-dce?

I got a stderr message like the one below.

% tail files-1/var/log/*/stderr
(snip)
Another app is currently holding the xtables lock; waiting for it to exit...

it seems a unix domain socket with an abstract path name is used by
iptables and is not correctly handled.


2) plus, it would be greatly helpful if you could give us an
updated bakeconf.xml.

I added the following myself, but it may need some
dependency such as libnetfilter-conntrack?

+ <module name="iptables-1.4.21">
+ <source type="archive">
+ <attribute name="url" value="http://www.netfilter.org/projects/iptables/files/iptables-1.4.21.tar.bz2"/>
+ </source>
+ <build type="make" objdir="yes">
+ <attribute name="supported_os" value="linux;linux2"/>
+ <attribute name="pre_installation" value="cd $SRCDIR; $SRCDIR/configure LIBS='-pie -rdynamic' CFLAGS='-fPIC -g -U_FORTIFY_SOURCE' --with-xtlibdir=/lib/xtables --disable-shared --prefix=$INSTALLDIR"/>
+ <attribute name="no_installation" value="True"/>
+ <attribute name="post_installation" value="mkdir -p $INSTALLDIR/sbin; cp $SRCDIR/iptables/xtables-multi $INSTALLDIR/sbin"/>
+ </build>
+ </module>
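Review bot: the module declares no build dependency on libnfnetlink or libnetfilter_conntrack, yet the link failure earlier in this thread (undefined references to nfnl_open, nfnl_talk, nfnl_fill_hdr and friends) shows the iptables build needs them; without a dependency entry bake will start the build on a host that lacks the development packages and only fail at link time. Richard's follow-up names the Debian packages as libnfnetlink-dev and libnetfilter-conntrack-dev, so those are the candidates to declare. A smaller point: the `post_installation` step copies only `iptables/xtables-multi`, which matches the `--disable-shared` build (extensions are linked in, nothing else to install), but that reliance on a static build is worth a comment in the module so a later switch to shared extensions does not silently leave the .so files behind.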

thanks !
-- Hajime


Richard

Mar 16, 2015, 10:49:20 AM
to ns-3-...@googlegroups.com, rick.w...@gmail.com
Apologies Hajime, 

1) I had forgotten about the locking issue, I fixed it a while ago with a quick and dirty hack to iptables, so it didn't come up in my diff. I basically force it back to lockless behavior if the bind fails. Unfortunately finding a real solution fell off the bottom of my todo list. I'll see what I can do about this and get back to you. 

diff --git a/iptables/xshared.c b/iptables/xshared.c
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -259,7 +259,7 @@ bool xtables_lock(bool wait)
        while (1) {
                ret = bind(xt_socket, (struct sockaddr*)&xt_addr,
                           offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN)
-               if (ret == 0)
+               if (ret <= 0)
                        return true;
                else if (wait == false)
                        return false;
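Review bot: changing `if (ret == 0)` to `if (ret <= 0)` turns every bind() outcome into a successful lock, because bind returns either 0 or -1; the `else if (wait == false)` path and the wait loop below it become unreachable, so two iptables instances started together would both proceed and the "Another app is currently holding the xtables lock" behaviour is gone entirely, not just in DCE. To keep the fallback limited to environments where the abstract socket cannot be bound at all, test errno after a failed bind: keep the existing wait/return-false handling when errno is EADDRINUSE (another instance holds the name) and fall back to lockless only for other errors, e.g. `if (ret == 0 || (ret < 0 && errno != EADDRINUSE)) return true;`. Also, the context line ending in `+XT_SOCKET_LEN)` has no terminating semicolon; presumably that was lost in pasting, since the file compiles, but the diff as shown would not apply cleanly.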

2) I was having a few issues with the bakefile, there is a known bug in binutils that can cause -static and -pie to throw a linker error. While the compilation does complete, bake catches the error, reporting the build failed. Again this issue only seems to present itself on Ubuntu.

https://sourceware.org/bugzilla/show_bug.cgi?id=16428

I've attached a patch with the necessary dependencies included (libnfnetlink-dev and libnetfilter-conntrack-dev), which I've tested on my Debian machine. 

Best,

Richard
bakefile.patch
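The xshared.c hunk above relaxes the lock check because, under DCE, bind() on the abstract unix socket that xtables_lock() uses never succeeds. The following added example (my code, not iptables' xshared.c and not part of ns-3-dce) models that bind-based lock and separates the three outcomes a caller needs to tell apart: the name was taken (lock held), the name is already bound by another instance (EADDRINUSE, the case the original wait loop exists for), and the mechanism itself is unavailable (any other bind/socket error, which is the DCE situation). XtLockTry, XtLockWait, XtLockRelease and the lock name are my own names, not iptables identifiers.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

enum class XtLock { Acquired, Busy, Unsupported };

// One attempt to take the lock named `name`. On Acquired, *fdOut is the socket
// that owns the abstract name; closing it releases the lock (XtLockRelease).
XtLock XtLockTry(const std::string& name, int* fdOut)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return XtLock::Unsupported;      // no AF_UNIX sockets in this environment

    sockaddr_un addr;
    std::memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    // A leading NUL byte puts the name in the Linux abstract namespace: no
    // filesystem entry is created and the name disappears when the socket closes.
    addr.sun_path[0] = '\0';
    std::strncpy(addr.sun_path + 1, name.c_str(), sizeof(addr.sun_path) - 2);
    socklen_t len = static_cast<socklen_t>(
        offsetof(sockaddr_un, sun_path) + 1 + std::strlen(addr.sun_path + 1));

    if (bind(fd, reinterpret_cast<sockaddr*>(&addr), len) == 0) {
        *fdOut = fd;
        return XtLock::Acquired;
    }
    int err = errno;
    close(fd);
    // EADDRINUSE is the only "someone else holds it" answer. Anything else
    // (EINVAL, ENOENT, ...) means the lock mechanism is unavailable here; that
    // is the case worth reporting rather than silently treating as "locked".
    return err == EADDRINUSE ? XtLock::Busy : XtLock::Unsupported;
}

// Bounded version of the xtables_lock(wait=true) polling loop: keeps retrying
// only while the answer is Busy, and returns whichever outcome ended the loop.
XtLock XtLockWait(const std::string& name, int* fdOut, int maxTries, useconds_t intervalUs)
{
    XtLock r = XtLock::Busy;
    for (int i = 0; i < maxTries && r == XtLock::Busy; ++i) {
        r = XtLockTry(name, fdOut);
        if (r == XtLock::Busy)
            usleep(intervalUs);
    }
    return r;
}

void XtLockRelease(int fd) { close(fd); }

int main()
{
    // Constructed lock name for the demonstration; iptables uses its own.
    const std::string name = "xtables-demo-lock-" + std::to_string(getpid());
    int a = -1, b = -1;
    XtLock first  = XtLockTry(name, &a);     // Acquired on Linux
    XtLock second = XtLockTry(name, &b);     // Busy: the name is already bound
    std::printf("first=%d second=%d (0=Acquired 1=Busy 2=Unsupported)\n",
                static_cast<int>(first), static_cast<int>(second));
    if (first == XtLock::Acquired)
        XtLockRelease(a);
    return 0;
}
```

With this split, the DCE fallback becomes `Unsupported` rather than a bind result that masquerades as a held lock, and the concurrent-invocation case the lock was written for (`Busy`) keeps its waiting behaviour. On a platform without abstract sockets every attempt reports Unsupported, which is the signal to log that iptables is running lockless.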

Hajime Tazaki

Mar 18, 2015, 10:27:41 PM
to ns-3-...@googlegroups.com, rick.w...@gmail.com

Hi Richard,

At Mon, 16 Mar 2015 07:49:20 -0700 (PDT),
Richard wrote:
>
> Apologies Hajime,
>
> 1) I had forgotten about the locking issue, I fixed it a while ago with a
> quick and dirty hack to iptables, so it didn't come up in my diff. I
> basically force it back to lockless behavior if the bind fails.
> Unfortunately finding a real solution fell off the bottom of my todo list.
> I'll see what I can do about this and get back to you.
>
> diff --git a/iptables/xshared.c b/iptables/xshared.c
> > --- a/iptables/xshared.c
> > +++ b/iptables/xshared.c
> > @@ -259,7 +259,7 @@ bool xtables_lock(bool wait)
> > while (1) {
> > ret = bind(xt_socket, (struct sockaddr*)&xt_addr,
> > offsetof(struct sockaddr_un,
> > sun_path)+XT_SOCKET_LEN)
> > - if (ret == 0)
> > + if (ret <= 0)
> > return true;
> > else if (wait == false)
> > return false;

okay. I will put a patch in ns-3-dce/utils so that we can
avoid this issue with DCE.

>
> 2) I was having a few issues with the bakefile, there is a known bug in
> binutils that can cause -static and -pie to throw a linker error. While the
> compilation does complete, bake catches the error, reporting the build
> failed. Again this issue only seems to present itself on Ubuntu.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=16428
>
>
> I've attached a patch with the necessary dependencies included
> (libnfnetlink-dev and libnetfilter-conntrack-dev), which I've tested on my
> Debian machine.

hmm, I can't reproduce the issue with -static and -pie in my
Fedora machine. will test it on ubuntu later.

a couple of things I need to confirm:

1) which version (i.e., branch) of net-next-sim are you
using ?
2) how did you configure (make menuconfig?) the kernel ?
=> .config file would be helpful to see.

iptables-1.4.21 with the 2.6.36 kernel does not seem to be the best
match...

-- Hajime

Richard

Mar 19, 2015, 11:40:31 AM
to ns-3-...@googlegroups.com, rick.w...@gmail.com
1) I'm using sim-ns3-3.14.0-branch.

2) It's basically just a case of ensuring you have the NAT and connection tracking netfilter modules built in with menuconfig.

CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_IP_NF_TARGET_MASQUERADE=y

It's worth noting that CONFIG_NF_CONNTRACK_PROCFS is added by default when enabling connection tracking, which causes the dce-nat-test simulation to hang.

I've attached my .config for reference. 
dce_netfilter.config

Hajar Hantouti

Oct 24, 2015, 5:12:51 AM
to ns-3-users
Hello ,
I want to use iptables on my IPv6 nodes; does iptables support IPv6?
Thanks for your help

Tommaso Pecorella

Oct 24, 2015, 6:10:34 AM
to ns-3-users
Sorry to ask, but how is this related to ns-3 or DCE?
I mean, shouldn't you check the **** iptables manual?

As a side note: no, iptables doesn't support IPv6. If you have an IPv6 node you can't protect it in any way because the Linux developers decided that IPv6 shouldn't have any firewall.
Does this sound right to you ? Try to think about it.

T.

Hajar Hantouti

Oct 24, 2015, 12:20:51 PM
to ns-3-users
Hello Tommaso,
I'm asking this because I read about ip6tables in Linux systems, so I intend to add ip6tables to my ns3 nodes in order to benefit from the classification functionality that ip6tables provides.
So iptables or ip6tables is not my interest unless I can find a classifier to work with. What could you suggest to me in this field?
Thanks for your time.
Cordially,
Hajar

Tommaso Pecorella

Oct 24, 2015, 1:00:51 PM
to ns-3-users
ip6tables is the equivalent for IPv6 of iptables. The two are functionally equivalent, with one working only on IPv6 and the other only on IPv4.
If you have both kinds of traffic, you'll need both.
About their integration in DCE, I guess that both are upped, but I'm not 100% sure. Please refer to the DCE manual (and/or try by yourself).

Cheers,

T.

Richard Withnell

Oct 24, 2015, 5:49:42 PM
to ns-3-...@googlegroups.com
I haven't tested ip6tables, however I imagine the required changes will be similar to those proposed in this thread, which should give you a working binary of xtables-multi.

You will have to compile the kernel yourself to add any of the netfilter modules you want to use. 


Hajar Hantouti

Nov 2, 2015, 5:36:51 AM
to ns-3-users
Hello everyone,

Thank you Tommaso and Richard for your explanation.

May I ask which kernel I should recompile: the Linux kernel or the DCE kernel?

While installing iptables (the one that you proposed), I fail to locate the xtables-multi ELF file, so I stop at this step:
readelf -h iptables/xtables-multi | grep Type:
NB: I used the DCE basic installation mode on Ubuntu 14.04 LTS.

Richard Withnell

Nov 2, 2015, 12:36:09 PM
to ns-3-...@googlegroups.com
You need to copy the xtables-multi binary into the build/bin_dce folder, if it isn't integrated into the build. 

