[Sis-SCPS-INTEREST] kernel configuration
Feighery, Patrick D.
feighery at mitre.org
Mon Apr 24 12:09:33 EDT 2006
Let me ask a more basic question: why do you think something is wrong?
When I run the gateway in the lab I get...
=========================================
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
Nothing to flush.
Nothing to flush.
Nothing to flush.
sh: -c: line 1: unexpected EOF while looking for matching ``'
sh: -c: line 2: syntax error: unexpected end of file
iptables:: iptables -A PREROUTING -t mangle -s 10.60.1.1 -j ACCEPT
iptables:: iptables -A PREROUTING -t mangle -d 10.60.1.1 -j ACCEPT
iptables:: iptables -A PREROUTING -t mangle -s 10.60.2.1 -j ACCEPT
iptables:: iptables -A PREROUTING -t mangle -d 10.60.2.1 -j ACCEPT
iptables:: iptables -A PREROUTING -t mangle --protocol tcp --syn -i eth1 -j MARK --set-mark 1
iptables:: iptables -A PREROUTING -t mangle --protocol tcp --syn -i eth1 -j ACCEPT
iptables:: iptables -A PREROUTING -t mangle --protocol tcp --syn -i eth2 -j MARK --set-mark 2
iptables:: iptables -A PREROUTING -t mangle --protocol tcp --syn -i eth2 -j ACCEPT
iptables:: iptables -A PREROUTING -t mangle --protocol tcp -i eth1 -j MARK --set-mark 3
iptables:: iptables -A PREROUTING -t mangle --protocol tcp -i eth1 -j ACCEPT
iptables:: iptables -A PREROUTING -t mangle --protocol tcp -i eth2 -j MARK --set-mark 3
iptables:: iptables -A PREROUTING -t mangle --protocol tcp -i eth2 -j ACCEPT
iptables:: iptables -A PREROUTING -t mangle --protocol 105 -i eth1 -j MARK --set-mark 3
iptables:: iptables -A PREROUTING -t mangle --protocol 105 -i eth1 -j ACCEPT
iptables:: iptables -A PREROUTING -t mangle --protocol 105 -i eth2 -j MARK --set-mark 3
iptables:: iptables -A PREROUTING -t mangle --protocol 105 -i eth2 -j ACCEPT
iptables:: ip rule add fwmark 1 table 200
iptables:: ip rule add fwmark 2 table 201
iptables:: ip rule add fwmark 3 table 202
iptables:: ip addr add 10.99.99.1 peer 10.99.99.2 dev tun0
iptables:: ip addr add 10.99.98.1 peer 10.99.98.2 dev tun1
iptables:: ip addr add 10.99.97.1 peer 10.99.97.2 dev tun2
iptables:: ip link set dev tun0 up
iptables:: ip link set dev tun1 up
iptables:: ip link set dev tun2 up
iptables:: ip route add default dev tun0 table 200
iptables:: ip route add default dev tun1 table 201
iptables:: ip route add default dev tun2 table 202
===================================
The "RTNETLINK answers: No such process" and "Nothing to flush" are
valid responses. The first thing the gateway does when it starts is
to clean up after itself in case the gateway was not terminated
normally before...
The next two lines are from a cut and paste oops. In the code there
is a line of code that should have been deleted. Essentially I am
calling "system()" with an uninitialized string. Mea culpa - bad
programmer - no m&ms ;-(
The next series of commands sets up the underlying plumbing to pass
packets from/to the kernel/scps_gateway. It also assumes the iptables
and ip commands are pathed properly.
Pat.
________________________________
From: Dan Miller [mailto:dan at anacominc.com]
Sent: Friday, April 21, 2006 4:12 PM
To: Feighery, Patrick D.
Cc: sis-scps-interest at mailman.ccsds.org
Subject: Re: [Sis-SCPS-INTEREST] kernel configuration
Okay, I'll have to make a guess at this.
Problem 1 is that I'm running on the kernel as installed from
SuSE 9.3, so I'm not sure how it's actually configured.
I loaded up "make menuconfig" and I can't actually find all the
entries that you mention below; however, I let it generate a .config
for me, and it contains the following entries related to MARK:
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CONNMARK=m
So it looks as though all the MARKs that you suggested are
there, as <m>odules; do they need to be compiled into the kernel rather
than modules?? Beyond that, I should probably actually build my kernel
so I know exactly what I have...
Dan
Feighery, Patrick D. wrote:
It sounds like the kernel is not configured properly.
The RTNETLINK message is being printed because a call
to 'system()' failed. Yes the message itself is not too useful to put
it mildly.
The TUN version for linux uses a couple of things from
Linux Advanced Routing and Traffic Control (LARTC) which need to be
compiled into the kernel. It sounds like the MARK feature of LARTC in
your kernel configuration file is missing. If you look at the kernel
configuration file do you see the following enabled?
Advanced Router
  IP policy routing
    IP use netfilter MARK value as routing key   <<======
IP Netfilter Configuration
  IP tables support
    netfilter MARK match support   <<======
  Packet mangling
    MARK target support   <<======
Best Regards
Pat
________________________________
From: Dan Miller [mailto:dan at anacominc.com]
Sent: Friday, April 21, 2006 3:00 PM
To: Feighery, Patrick D.
Cc: Walid Assafiri;
sis-scps-interest at mailman.ccsds.org
Subject: Re: [Sis-SCPS-INTEREST] first load
Okay, I have a kernel 2.6 (specifically
2.6.11.4-20a-default) system here with two ethernet interfaces;
eth0 is a real ethernet interface, and eth1 is
our satellite interface. Both interfaces are properly configured, and
have routes associated with them. I can ping other addresses on each
interface.
I have scps compiled as a tun device. When I
load the gateway, it reads my rfile successfully, displays a bunch of
status information, then displays the following messages. The eth0 and
eth1 addresses are correct. I have a couple of questions now:
- I don't know what the RTNETLINK messages
mean... I hand configured the network, using ifconfig and route
commands. Do these messages mean I've left something unconfigured??
Do they have anything to do with scps, or are these just network issues
that I should research elsewhere??
- The line
sh: ¤: command not found
is disconcerting - what did the gateway think
it was executing here??
Thank you for your assistance
Dan Miller
Trying to Open up tun
Trying to Open up tun
Trying to Open up tun
Got eth0 interface address: 172.18.100.40
Got eth1 interface address: 192.168.11.1
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
Nothing to flush.
Nothing to flush.
Nothing to flush.
sh: ¤: command not found
iptables:: iptables -A PREROUTING -t mangle -s 172.18.100.40 -j ACCEPT
... followed by a bunch of other iptables
messages that I don't yet understand.
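The thread above comes down to checking that the policy-routing and netfilter MARK options Pat lists are actually enabled in the kernel .config. The following audit script is an added example, not code from the SCPS gateway or from anyone in the thread; the mapping from Pat's menuconfig entry names to Kconfig symbols is my own (CONFIG_IP_ROUTE_FWMARK, CONFIG_IP_NF_MATCH_MARK and CONFIG_IP_NF_TARGET_MARK appear in Dan's fragment, the rest are assumed), and the sample .config is constructed.

```python
"""Audit a Linux 2.6-era kernel .config for the policy-routing and netfilter
MARK options the SCPS gateway's TUN mode relies on. Added example; the
sample .config below is constructed, not Dan's actual file."""
import re

# Menuconfig entry named in the thread -> Kconfig symbol (mapping is an assumption).
REQUIRED = {
    "CONFIG_IP_ADVANCED_ROUTER": "Advanced Router",
    "CONFIG_IP_MULTIPLE_TABLES": "IP policy routing",
    "CONFIG_IP_ROUTE_FWMARK": "IP use netfilter MARK value as routing key",
    "CONFIG_IP_NF_IPTABLES": "IP tables support",
    "CONFIG_IP_NF_MATCH_MARK": "netfilter MARK match support",
    "CONFIG_IP_NF_MANGLE": "Packet mangling",
    "CONFIG_IP_NF_TARGET_MARK": "MARK target support",
}

_SET = re.compile(r"^(CONFIG_\w+)=(y|m)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Return {symbol: 'y'|'m'|'n'} for every symbol mentioned in a .config."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            state[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line):
            state[m.group(1)] = "n"
    return state

def audit(text):
    """Classify each required option as 'builtin', 'module' or 'missing'.
    'module' (=m) is acceptable as long as the module can be loaded at run
    time; 'missing' (=n or absent) is the situation Pat suspects behind the
    gateway's failing system() calls and terse RTNETLINK/iptables errors."""
    state = parse_config(text)
    names = {"y": "builtin", "m": "module"}
    return {sym: names.get(state.get(sym, "n"), "missing") for sym in REQUIRED}

def missing(text):
    """Human-readable list of the menuconfig entries still to enable."""
    return [REQUIRED[s] for s, st in audit(text).items() if st == "missing"]

# Constructed sample modelled on the fragment Dan posted, with one entry
# deliberately left unset so the report has something to flag.
SAMPLE_CONFIG = """\
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_TARGET_MARK=m
# CONFIG_IP_NF_MANGLE is not set
"""
```

Run `audit(open("/boot/config-$(uname -r)").read())` against a real file; anything reported as `missing` is an entry to enable before the MARK rules in the gateway's start-up plumbing can succeed.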