Comments (10)

k0ste avatar k0ste commented on July 17, 2024

@elico, you add rules to the filter chain, but they should be in the mangle chain.

iptables -t mangle -A PREROUTING -m ndpi --all
iptables -t mangle -A POSTROUTING -m ndpi --all

from ndpi.

elico avatar elico commented on July 17, 2024

@k0ste I configured the following as a test and I really don't know what to say:

 # iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 62 packets, 6458 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols

Chain INPUT (policy ACCEPT 60 packets, 6200 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols

Chain OUTPUT (policy ACCEPT 41 packets, 4924 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols

Chain POSTROUTING (policy ACCEPT 41 packets, 4924 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols

However I have found this thread: http://www.linux.org.ru/forum/general/9685281/page10#comments
which seems to say IMQ is required, but I am still not sure because my native language is not Russian.

k0ste avatar k0ste commented on July 17, 2024

@elico, IMQ is not necessary; it might seem so because of the general pattern of use.
Before using ndpi, don't forget to empty the conntrack table by calling:

conntrack -F

P.S.: @vel21ripn wrote that only since version 1.7.0-netfilter-211-e616e74 does it work without a kernel patch. But all (?) active module users use it only with the kernel patch.

elico avatar elico commented on July 17, 2024

@k0ste I tried a couple of things but didn't manage to make it work.
I will try to publish my kernel recompilation script for testing.

elico avatar elico commented on July 17, 2024

@k0ste @vel21ripn
I created a docker build node and scripts at: https://github.com/elico/osuse-ndpi-docker
I do not know if it is the right way to create the modules or if some kernel patching is required.
I will try to test it now on my router and see if it works with the latest OpenSUSE Leap kernel, and update.

elico avatar elico commented on July 17, 2024

@k0ste @vel21ripn the results on my router are:

 # iptables -t mangle -L PREROUTING  -nv
Chain PREROUTING (policy ACCEPT 4271 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  2344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol ssh
   57  5871 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol bittorrent
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol edonkey
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol gnutella
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol windows_update
   75  7637 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol skype
 2241 1276K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol google
 9337 8111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube
  443  368K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol irc
   20  1336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol http_proxy
 9228 3209K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol http

I will try to see how it will work on a new and empty machine.
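
The packet counters in a listing like the one above are the quickest check of whether xt_ndpi is classifying anything at all: a rule that stays at zero packets is either in a table or chain the traffic never traverses, or is only seeing flows that conntrack had already picked up (which is why this thread recommends flushing conntrack). The following POSIX shell snippet is an added example, not code from the thread or from the ndpi project; it parses `iptables -t mangle -L <chain> -nv` output and reports which ndpi rules matched. The listing embedded in it is constructed for the example, with invented counters.

```shell
#!/bin/sh
# Added example: read `iptables -t mangle -L <chain> -nv` output and report
# which xt_ndpi rules have actually matched packets.
#
# Constructed sample in the shape of the listing above; counters are invented.
SAMPLE_OUTPUT='Chain PREROUTING (policy ACCEPT 4271 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
 4271   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi all protocols
   12  2344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol ssh
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol edonkey
 9337 8111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube'

# ndpi_hits: stdin = iptables -nv listing; prints "<protocol> <pkts>" for each
# ndpi rule whose packet counter is non-zero. The catch-all rule is reported
# as "all". Field 1 is the packet counter, the last field the protocol name.
ndpi_hits() {
    awk '
        /ndpi all protocols/ { if ($1 + 0 > 0) print "all", $1; next }
        /ndpi protocol /     { if ($1 + 0 > 0) print $NF, $1 }
    '
}

# ndpi_zero_rules: stdin = same listing; prints the number of ndpi rules that
# never matched. A non-zero result on a busy box means the rule sits in a chain
# the traffic does not traverse, or the flows were already in conntrack before
# the module loaded (hence the conntrack -F advice in this thread).
ndpi_zero_rules() {
    awk '/ndpi/ && $1 + 0 == 0 { n++ } END { print n + 0 }'
}

# Live use (as root): iptables -t mangle -L PREROUTING -nv | ndpi_hits
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_OUTPUT" | ndpi_hits
printf 'rules with zero hits: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | ndpi_zero_rules)"
```

Run it against each chain where ndpi matches were placed; a catch-all rule in mangle PREROUTING that stays at zero while the chain policy counter climbs, as in the first listing in this thread, means the match is not being evaluated on the traffic at all rather than that the classifier failed.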

k0ste avatar k0ste commented on July 17, 2024

@elico, as I wrote here, you need to add some targets at the top of the chain to match all incoming and outgoing traffic.
Making the modules is nothing special. See the PKGBUILD, it's easy.

elico avatar elico commented on July 17, 2024

@k0ste what do you mean by that:

Making the modules is nothing special. See the PKGBUILD, it's easy.

Do you mean I can look at an example? If so, what do you mean?
I do not understand why I need the all?
You mean that if I want to use the filter table I need to add a mangle match for all?

k0ste avatar k0ste commented on July 17, 2024

Do you mean I can look at an example?

Yes.

I do not understand why I need the all?

A module must pass all packets in both directions.

You mean that if I want to use the filter table I need to add a mangle match for all?

I mean, for proper work, all traffic should be matched.
What do you want to do in FILTER? DROP some traffic?
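
Putting k0ste's advice in this thread together: the classifier has to see every packet of a flow in both directions, so the `-m ndpi --all` matches go first in mangle PREROUTING and POSTROUTING; the conntrack table is flushed so that flows tracked before the module was loaded get examined afresh; and only then do the protocol-specific DROP rules go into the filter table. One netfilter detail worth stating explicitly: ACCEPT in a mangle chain only ends traversal of that chain. The packet still continues through the nat table, routing and the filter chains, so the catch-all mangle rules do not shadow any filter rule. The following shell snippet is an added example, not code from the thread or from the ndpi project. It emits an iptables-restore ruleset; the `--proto <name>` flag for matching a single protocol is an assumption about the installed xt_ndpi build (check `iptables -m ndpi --help`), and the interface and protocol names are placeholders.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for xt_ndpi.
# Assumptions (not from the thread): the single-protocol match flag is
# `--proto <name>` on this xt_ndpi build, and the LAN side is one interface.
#
# Argument 1: protocol name to block on the forwarding path (e.g. bittorrent)
# Argument 2: LAN interface the blocked clients sit behind (e.g. eth1)
ndpi_ruleset() {
    proto=$1
    lan_if=$2
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# First rule in both chains: the classifier must see every packet in both
# directions. ACCEPT here only ends the mangle chain; the packet still reaches
# the filter table below.
-A PREROUTING -m ndpi --all -j ACCEPT
-A POSTROUTING -m ndpi --all -j ACCEPT
COMMIT
*filter
:FORWARD ACCEPT [0:0]
# Drop the classified protocol coming from the LAN. --proto is assumed; check
# iptables -m ndpi --help on the installed build.
-A FORWARD -i $lan_if -m ndpi --proto $proto -j DROP
COMMIT
EOF
}

# Load the ruleset, then flush conntrack so that flows tracked before xt_ndpi
# was loaded are examined afresh (k0ste's conntrack -F advice above).
# WARNING: iptables-restore replaces the whole mangle and filter tables; merge
# these lines into an existing ruleset rather than running this on a live router.
apply_ndpi_ruleset() {
    ndpi_ruleset "$1" "$2" | iptables-restore
    conntrack -F
}

# Preview only (safe to run anywhere): print the ruleset for bittorrent on eth1.
ndpi_ruleset bittorrent eth1
```

Expect the first packets of each new flow to pass the FORWARD rule: a DPI match can only fire once the classifier has seen enough of the flow to label it, so the filter rule cuts off an identified flow rather than preventing its first packets.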

elico avatar elico commented on July 17, 2024

@k0ste I do not know how the netfilter module works exactly, but in general with iptables you don't need the lines you mentioned for every setup.
The netfilter flow graph: https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
describes what happens per packet.
But there are a couple of things which involve connection tracking and similar things.
Once a connection has entered connection tracking it's there always, never mind what the state of the connection is.
The rule you mentioned is a mangle rule which "ACCEPT"s everything, and if it is the first one matched then any later rule present will not be verified and applied.
In the above case it will be useless unless the all rule has a special property like the limit module, which needs to be present in order to accept (and be matched) what is not limited and to not accept any connection/packet that passed the limit.
The POSTROUTING and PREROUTING match rules need to be there in case I want to mark them or do something else, but since it works fine for me and since PREROUTING will always see the packet in routing mode.

I do not want to use the filter since it's cruel to drop connections in a router, but there are a couple of scenarios in which it's required.
The first example is when the router is a filtering box which needs to allow "non inspected" traffic only to the proxy.
I think that for the case of FILTER + DROP or REJECT I might need the MANGLE all rule, but still it would be weird to me that a connection tracking based module would need this.