
Bug 165669

Summary: New ebuild: net-firewall/conntrackd
Product: Gentoo Linux Reporter: Natanael Copa <natanael.copa>
Component: New packages
Assignee: Default Assignee for New Packages <maintainer-wanted>
Status: RESOLVED DUPLICATE    
Severity: enhancement CC: radek
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://people.netfilter.org/pablo/conntrackd/
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 165684, 165687    
Bug Blocks:    
Attachments: conntrackd-0.9.2.ebuild
files/conntrackd.initd
files/conntrackd.confd
conntrackd-0.9.2.ebuild
files/conntrackd.initd

Description Natanael Copa 2007-02-06 20:35:57 UTC
Conntrackd is the userspace daemon for the Netfilter's Connection Tracking System. This daemon maintains a copy of the Connection Tracking System in userspace. It is entirely written in C and is highly configurable and easily extensible. Currently it covers the specific aspects of Stateful Linux firewalls to enable high availability solutions and can be used as statistics collector of the firewall use.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-02-06 21:24:25 UTC
Zzzzzzzz...
Comment 2 Natanael Copa 2007-02-06 21:57:43 UTC
What info do you need?
Or did you mean NEEDBEER, or NEEDSLEEP? ;)
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-02-06 22:02:16 UTC
Is this a request for ebuild or what exactly?
Comment 4 Natanael Copa 2007-02-06 22:12:41 UTC
It is a request for a new ebuild for conntrackd, yes. It's firewall software, so it should go to net-firewall.

It depends on libnfnetlink ≥ 0.0.25 and libnetfilter_conntrack ≥ 0.0.50, which are both in portage but need a version bump.
Comment 5 Natanael Copa 2007-02-06 23:03:06 UTC
Created attachment 109390 [details]
conntrackd-0.9.2.ebuild

Does not compile against uclibc, but it's a start at least.

In file included from /usr/include/sys/uio.h:24,
                 from /usr/include/sys/socket.h:27,
                 from /usr/include/libnfnetlink/libnfnetlink.h:19,
                 from proxy.c:19:
/usr/include/sys/types.h:61: error: conflicting types for 'dev_t'
/usr/include/linux/types.h:27: error: previous declaration of 'dev_t' was here
/usr/include/sys/types.h:71: error: conflicting types for 'mode_t'
/usr/include/linux/types.h:33: error: previous declaration of 'mode_t' was here
/usr/include/sys/types.h:76: error: conflicting types for 'nlink_t'
/usr/include/linux/types.h:36: error: previous declaration of 'nlink_t' was here
In file included from /usr/include/sys/types.h:215,
                 from /usr/include/sys/uio.h:24,
                 from /usr/include/sys/socket.h:27,
                 from /usr/include/libnfnetlink/libnfnetlink.h:19,
                 from proxy.c:19:
/usr/include/sys/select.h:68: error: conflicting types for 'fd_set'
/usr/include/linux/types.h:24: error: previous declaration of 'fd_set' was here
In file included from /usr/include/sys/uio.h:24,
                 from /usr/include/sys/socket.h:27,
                 from /usr/include/libnfnetlink/libnfnetlink.h:19,
                 from proxy.c:19:
/usr/include/sys/types.h:230: error: conflicting types for 'blkcnt_t'
/usr/include/linux/types.h:158: error: previous declaration of 'blkcnt_t' was here
make[1]: *** [proxy.o] Error 1
Comment 6 Natanael Copa 2007-02-08 16:33:11 UTC
The ebuild compiles fine on amd64, but fails on uclibc.
Comment 7 Natanael Copa 2007-02-13 10:26:44 UTC
conntrackd compiled just fine on uclibc when sys-kernel/linux-headers-2.6.20 was installed. Unfortunately, uclibc did not.

I guess we only need an init.d script and a default /etc/conntrackd/conntrackd.conf file.
Comment 8 Natanael Copa 2007-03-17 09:41:23 UTC
Created attachment 113550 [details]
files/conntrackd.initd

/etc/init.d/conntrackd
Comment 9 Natanael Copa 2007-03-17 09:41:57 UTC
Created attachment 113552 [details]
files/conntrackd.confd

/etc/conf.d/conntrackd
Comment 10 Natanael Copa 2007-03-17 09:43:39 UTC
Created attachment 113554 [details]
conntrackd-0.9.2.ebuild

Updated ebuild.

It copies the examples/stats/conntrackd.conf file as default config.
Comment 11 Natanael Copa 2007-03-20 15:21:24 UTC
I have a question.
In the INSTALL file I read this:
 6) Disable TCP window tracking

 Until the appropriate patches don't go into kernel mainline, you will have
 to disable TCP window tracking, consider this as a temporary solution:

    # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

[end of cite]

I wonder if the init.d script should silently just set the setting on "start" or just fail with an eerror saying that the user should enable ip_conntrack_tcp_be_liberal in /etc/sysctl.conf?

Comments?
Comment 12 Natanael Copa 2007-03-26 14:32:50 UTC
Created attachment 114487 [details]
files/conntrackd.initd

Updated init.d script that verifies that TCP window tracking is disabled.
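The start-time check that Comment 12 describes, written out as an added example; this is not the attached files/conntrackd.initd (the attachment itself is not shown on this page), and the function and variable names are assumptions. The sysctl path is the one quoted from INSTALL in Comment 11, and the check reports "enabled" versus "missing" separately, since the file is absent when ip_conntrack is not loaded.

```shell
#!/bin/sh
# Added example (not the attachment from this bug): the start-time check that
# Comment 12 describes, for a Gentoo init.d script. Function and variable
# names are assumptions; the sysctl path is the one quoted from INSTALL.

CONNTRACKD_BE_LIBERAL="${CONNTRACKD_BE_LIBERAL:-/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal}"

# 0: TCP window tracking disabled (file reads "1"), 1: still enabled,
# 2: file missing or empty (ip_conntrack not loaded, or no such sysctl).
# The path is a parameter so the check can be run against a test file.
tcp_be_liberal_state() {
    f="${1:-$CONNTRACKD_BE_LIBERAL}"
    [ -r "$f" ] || return 2
    read -r v < "$f" || return 2
    [ "$v" = "1" ] && return 0
    return 1
}

# Human-readable result for the state above; "ok" means safe to start.
tcp_be_liberal_message() {
    f="${1:-$CONNTRACKD_BE_LIBERAL}"
    rc=0; tcp_be_liberal_state "$f" || rc=$?
    case "$rc" in
        0) echo "ok" ;;
        1) echo "TCP window tracking is enabled; set" \
                "net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1 in /etc/sysctl.conf" ;;
        *) echo "cannot read $f; is the ip_conntrack module loaded?" ;;
    esac
}

# The two functions below use ebegin/eerror/eend and start-stop-daemon, which
# exist only when the script runs under Gentoo's init system (runscript).
checkconfig() {
    rc=0; tcp_be_liberal_state || rc=$?
    [ "$rc" -eq 0 ] && return 0
    eerror "$(tcp_be_liberal_message)"
    return 1
}

start() {
    checkconfig || return 1
    ebegin "Starting conntrackd"
    start-stop-daemon --start --exec /usr/sbin/conntrackd -- \
        -C /etc/conntrackd/conntrackd.conf -d
    eend $?
}
```

Failing in checkconfig() rather than writing to /proc keeps the sysctl change under the administrator's control in /etc/sysctl.conf, which is the second of the two options Comment 11 weighs.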
Comment 13 Natanael Copa 2007-06-21 09:12:25 UTC

*** This bug has been marked as a duplicate of bug 182019 ***