quietearth [General News 11.16.06]



Iptstate is like top but for active connections in the iptables firewall. It simply reads the device file /proc/net/ip_conntrack and refreshes periodically. Here's what it looks like running:

                          IPTState - IPTables State Top
Version: 2.1          Sort: SrcIP           b: change sorting   h: help
Source                     Destination            Proto State       TTL
127.0.1.2:57164            127.0.1.1:22           tcp   ESTABLISHED 111:58:19
127.0.1.3:5129             127.0.1.1:22           tcp   ESTABLISHED 111:59:19
127.0.1.4:6672             127.0.1.1:947          udp               0:01:37
127.0.1.5:4803             127.0.1.1:947          udp               0:01:44
127.0.1.2:10568            127.0.1.1:947          udp               0:01:49



WARNING: This code has severe memory leaks; if you run it for more than a couple of minutes you're going to need to reboot your router. I tried compiling this normally and running it through valgrind, but could not find leaks anywhere. It's gotta be somewhere in one of the libs that are used in OpenWrt, but I don't really want to spend that much time on it.

The source code is located at:
http://www.quietearth.us/src/iptstate-2.1_openwrt.tar.gz

And the binary is located at:
http://www.quietearth.us/src/iptstate.bin

md5sums are:
f67e0e8b25e6915cc812509778ee3640  iptstate.bin
047ac269755870a31655220375b61fab  iptstate-2.1_openwrt.tar.gz


To get this compiling, you will need the openwrt SDK, read the directions at:
http://wiki.openwrt.org/BuildingPackagesHowTo

Once you have the SDK, all you have to do is untar the source in the SDK root directory and run make; it will compile and build the package for you. Alternatively, you can just download the binary.

Here's an strace of what iptstate with getline does: it tries an ioctl for non-exclusive use of a tty, which I don't think is appropriate here, then it can't set the flags properly; regardless, it goes into an infinite loop and never actually reads the data from ip_conntrack. I replaced the uClibc++ getline code with an fgetln routine. If you manage to fix the memory leak(s), please let me know!
open("/proc/net/ip_conntrack", O_RDONLY) = 3
ioctl(3, TIOCNXCL, 0x7fff7750)          = -1 ENOTTY (Inappropriate ioctl for device)
brk(0x10005000)                         = 0x10005000
_llseek(3, 0, [0], SEEK_SET)            = 0
fcntl(3, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
read(3, "", 32)                         = 0
fcntl(3, F_SETFL, O_RDONLY)             = 0
fcntl(3, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(3, F_SETFL, O_RDONLY)             = 0
fcntl(3, F_SETFL, O_RDONLY)             = 0
fcntl(3, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
fcntl(3, F_SETFL, O_RDONLY)             = 0
fcntl(3, F_GETFL)                       = 0 (flags O_RDONLY)
fcntl(3, F_SETFL, O_RDONLY)             = 0
fcntl(3, F_SETFL, O_RDONLY)             = 0
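As an added example (not the author's patched iptstate and not the project's code), here is a reader for the same /proc/net/ip_conntrack format that avoids getline() entirely: fgets() into a fixed stack buffer, so no per-line heap allocation exists to leak across refreshes. The sample lines are constructed in the 2.6-kernel ip_conntrack layout, and fmemopen() stands in for opening the proc file.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() */
#include <stdio.h>
#include <string.h>
/* One conntrack entry, reduced to the columns iptstate displays. */
struct ct_entry { char proto[8], state[16], src[64], dst[64]; long ttl; };
/* Copy the value of the first " key=value" on the line (the original direction). */
static int ct_field(const char *line, const char *key, char *out, size_t outsz)
{
    char pat[32]; snprintf(pat, sizeof pat, " %s=", key);
    const char *p = strstr(line, pat); if (!p) return 0;
    size_t n = strcspn(p += strlen(pat), " \n");
    memcpy(out, p, n = n < outsz ? n : outsz - 1); out[n] = '\0';
    return 1;
}
/* Parse one ip_conntrack line; returns 1 on success, 0 if it is not an entry. */
int ct_parse_line(const char *line, struct ct_entry *e)
{
    char tok[32], sip[48], dip[48], sp[8] = "-", dp[8] = "-"; int protonum, used = 0;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%7s %d %ld %n", e->proto, &protonum, &e->ttl, &used) < 3) return 0;
    /* tcp carries a state word before the key=value pairs; udp and icmp do not */
    if (sscanf(line + used, "%31s", tok) == 1 && !strchr(tok, '=')) snprintf(e->state, sizeof e->state, "%s", tok);
    if (!ct_field(line, "src", sip, sizeof sip) || !ct_field(line, "dst", dip, sizeof dip)) return 0;
    ct_field(line, "sport", sp, sizeof sp); ct_field(line, "dport", dp, sizeof dp);
    snprintf(e->src, sizeof e->src, "%s:%s", sip, sp);
    snprintf(e->dst, sizeof e->dst, "%s:%s", dip, dp);
    return 1;
}
/* fgets() into a fixed stack buffer: no per-line heap allocation that could leak
 * across refreshes; lines longer than the buffer are drained and skipped. */
int ct_read(FILE *fp, struct ct_entry *out, int max)
{
    char buf[512]; int n = 0, c;
    while (fgets(buf, sizeof buf, fp)) {
        if (!strchr(buf, '\n') && !feof(fp)) { while ((c = fgetc(fp)) != EOF && c != '\n') {} continue; }
        if (n < max && ct_parse_line(buf, &out[n])) n++;
    }
    return n;
}
/* Constructed sample in the 2.6-kernel ip_conntrack format (not a real capture). */
static const char SAMPLE[] =
    "tcp      6 431999 ESTABLISHED src=127.0.1.2 dst=127.0.1.1 sport=57164 dport=22 "
    "src=127.0.1.1 dst=127.0.1.2 sport=22 dport=57164 [ASSURED] use=1\n"
    "udp      17 97 src=127.0.1.4 dst=127.0.1.1 sport=6672 dport=947 use=1\n";
/* On a router, fopen("/proc/net/ip_conntrack", "r") would replace fmemopen() here. */
int ct_load_sample(struct ct_entry *out, int max)
{
    FILE *fp = fmemopen((void *)SAMPLE, sizeof SAMPLE - 1, "r"); if (!fp) return -1;
    int n = ct_read(fp, out, max); fclose(fp); return n;
}
```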


MartinK (7 months ago)

Thanks. Another solution works great for me.

Since the bin file was not downloadable (http/500) I looked around and found:

* http://conntrack-tools.netfilter.org/manual.html

Installed via

* opkg update
* opkg install conntrack-tools

and listed the conntrack table via:
* conntrack -L

found the "wrong entry" using:
* conntrack -L | grep 60007

and deleted it via:
* conntrack -D udp --dport 60007

And after, the communication on udp/60007 worked for me.


What was my problem?
The OpenVPN daemon is running on udp/60007 behind a Fritz!Box (using DNAT/port forwarding) and behind my OpenWRT router (via another DNAT). My OpenWRT router did not forward the packets to the VPN daemon, so the VPN could not work.

Topology:
* Internet -- DSL -- (nat)Fritz!Box -- (nat)OpenWRT-Router -- OpenVPN-daemon


Thanks,

MartinK

