Shorewall users - May 2011 - shorewall show connections with bytes and packets

Hi,

I used a custom script to count packets and bytes from "shorewall show
connections". I noticed that on another more recent server, this script
fails because /proc/net/nf_conntrack does not contain either bytes or packets.

Example while opening www.google.com:

ipv4     2 tcp      6 431999 ESTABLISHED src=10.215.144.48 dst=209.85.147.104
sport=52531 dport=80 src=209.85.147.104 dst=10.215.144.48 sport=80 dport=52531
[ASSURED] mark=0 secmark=0 use=2

ipv4     2 tcp      6 431999 ESTABLISHED src=10.215.144.48 dst=209.85.147.104
sport=52533 dport=80 src=209.85.147.104 dst=10.215.144.48 sport=80 dport=52533
[ASSURED] mark=0 secmark=0 use=2

ipv4     2 tcp      6 431999 ESTABLISHED src=10.215.144.48 dst=209.85.147.104
sport=52530 dport=80 src=209.85.147.104 dst=10.215.144.48 sport=80 dport=52530
[ASSURED] mark=0 secmark=0 use=2

ipv4     2 tcp      6 431998 ESTABLISHED src=10.215.144.48 dst=209.85.147.104
sport=52532 dport=80 src=209.85.147.104 dst=10.215.144.48 sport=80 dport=52532
[ASSURED] mark=0 secmark=0 use=2

kernel is 2.6.36.

Am I missing something?

Vieri



------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd

On May 6, 2011, at 7:12 AM, Vieri Di Paola wrote:
> Hi,
> 
> I used a custom script to count packets and bytes from "shorewall show
connections". I noticed that on another more recent server, this script
fails because /proc/net/nf_conntrack does not contain either bytes or packets.
> 
> Example while opening www.google.com:
> 
> ipv4     2 tcp      6 431999 ESTABLISHED src=10.215.144.48
dst=209.85.147.104 sport=52531 dport=80 src=209.85.147.104 dst=10.215.144.48
sport=80 dport=52531 [ASSURED] mark=0 secmark=0 use=2
> 
> ipv4     2 tcp      6 431999 ESTABLISHED src=10.215.144.48
dst=209.85.147.104 sport=52533 dport=80 src=209.85.147.104 dst=10.215.144.48
sport=80 dport=52533 [ASSURED] mark=0 secmark=0 use=2
> 
> ipv4     2 tcp      6 431999 ESTABLISHED src=10.215.144.48
dst=209.85.147.104 sport=52530 dport=80 src=209.85.147.104 dst=10.215.144.48
sport=80 dport=52530 [ASSURED] mark=0 secmark=0 use=2
> 
> ipv4     2 tcp      6 431998 ESTABLISHED src=10.215.144.48
dst=209.85.147.104 sport=52532 dport=80 src=209.85.147.104 dst=10.215.144.48
sport=80 dport=52532 [ASSURED] mark=0 secmark=0 use=2
> 
> kernel is 2.6.36.
> 
> Am I missing something?

Have you tried running ''contract -L''? That''s what
''shorewall show connections'' does if conntrack is installed.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd

--- On Fri, 5/6/11, Tom Eastep <teastep@shorewall.net> wrote:
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] shorewall show connections with bytes and
packets
> To: "Shorewall Users"
<shorewall-users@lists.sourceforge.net>
> Date: Friday, May 6, 2011, 5:29 PM
> 
> On May 6, 2011, at 7:12 AM, Vieri Di Paola wrote:
> 
> > Hi,
> > 
> > I used a custom script to count packets and bytes from
> "shorewall show connections". I noticed that on another more
> recent server, this script fails because
> /proc/net/nf_conntrack does not contain either bytes or
> packets.
> > 
> > Example while opening www.google.com:
> > 
> > ipv4     2 tcp     
> 6 431999 ESTABLISHED src=10.215.144.48 dst=209.85.147.104
> sport=52531 dport=80 src=209.85.147.104 dst=10.215.144.48
> sport=80 dport=52531 [ASSURED] mark=0 secmark=0 use=2
> > 
> > ipv4     2 tcp     
> 6 431999 ESTABLISHED src=10.215.144.48 dst=209.85.147.104
> sport=52533 dport=80 src=209.85.147.104 dst=10.215.144.48
> sport=80 dport=52533 [ASSURED] mark=0 secmark=0 use=2
> > 
> > ipv4     2 tcp     
> 6 431999 ESTABLISHED src=10.215.144.48 dst=209.85.147.104
> sport=52530 dport=80 src=209.85.147.104 dst=10.215.144.48
> sport=80 dport=52530 [ASSURED] mark=0 secmark=0 use=2
> > 
> > ipv4     2 tcp     
> 6 431998 ESTABLISHED src=10.215.144.48 dst=209.85.147.104
> sport=52532 dport=80 src=209.85.147.104 dst=10.215.144.48
> sport=80 dport=52532 [ASSURED] mark=0 secmark=0 use=2
> > 
> > kernel is 2.6.36.
> > 
> > Am I missing something?
> 
> 
> Have you tried running ''contract -L''? That''s
what
> ''shorewall show connections'' does if conntrack is 
> installed.
I''m supposing you meant "conntrack -L".
I didn''t have it installed so I grabbed the package.
Still, conntrack -L gives the same output without "bytes",
"packets".
I don''t know if I need to reboot the kernel but I won''t be
able to do it before Monday morning.
Or maybe my kernel/netfilter installation is wrong.

Thanks for the tip.

Vieri

 


------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd

On May 6, 2011, at 10:45 AM, Vieri Di Paola <vieridipaola@yahoo.com>
wrote:
> 
>> 
>> Have you tried running ''contract -L''? That''s
what
>> ''shorewall show connections'' does if conntrack is 
>> installed.
> 
> I''m supposing you meant "conntrack -L".
> I didn''t have it installed so I grabbed the package.
> Still, conntrack -L gives the same output without "bytes",
"packets".
> I don''t know if I need to reboot the kernel but I won''t
be able to do it before Monday morning.
> Or maybe my kernel/netfilter installation is wrong.
One possibly there is a new option to conn track?

Tom
------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd

--- On Fri, 5/6/11, Tom Eastep <teastep@shorewall.net> wrote:
> >> Have you tried running ''contract -L''?
That''s what
> >> ''shorewall show connections'' does if conntrack
is
> 
> >> installed.
> > 
> > I''m supposing you meant "conntrack -L".
> > I didn''t have it installed so I grabbed the package.
> > Still, conntrack -L gives the same output without
> "bytes", "packets".
> > I don''t know if I need to reboot the kernel but I
> won''t be able to do it before Monday morning.
> > Or maybe my kernel/netfilter installation is wrong.
> 
> One possibly there is a new option to conn track?
Just in case someone''s interested:
newer kernel versions seem to require the user set:

sysctl -w net.netfilter.nf_conntrack_acct=1

Vieri


------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - inlcuding clusters.
http://p.sf.net/sfu/intel-dev2devmay

On 12/05/2011 08:31, Vieri Di Paola wrote:
> Just in case someone''s interested:
> newer kernel versions seem to require the user set:
> 
> sysctl -w net.netfilter.nf_conntrack_acct=1
Or you can set a modprobe option if your kernel is modular (or set a
kernel command line?)

Cheers

Ed W

------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - inlcuding clusters.
http://p.sf.net/sfu/intel-dev2devmay

--- On Fri, 5/13/11, Ed W <lists@wildgooses.com> wrote:
> On 12/05/2011 08:31, Vieri Di Paola
> wrote:
> > Just in case someone''s interested:
> > newer kernel versions seem to require the user set:
> > 
> > sysctl -w net.netfilter.nf_conntrack_acct=1
> 
> Or you can set a modprobe option if your kernel is modular
> (or set a
> kernel command line?)
I don''t know if a "module option" can be passed to modprobe
for this particular setting.
Also, users may have conntrack built-in and I don''t know of any other
way except via sysctl.

Vieri


------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - inlcuding clusters.
http://p.sf.net/sfu/intel-dev2devmay