jeffkyjin
Joined: 15 Feb 2011
Posts: 10
|
| Posted: Mon Nov 28, 2011 8:32 am Post subject: nf_conntrack_netlink install failed. |
|
|
I am installing nf_conntrack_netlink for l7-filter.
But after I compiled the kernel modules and installed the module,
the error is displayed as follows.
Does anyone know what's wrong?
Thanks.
root@dd:/home# modprobe nf_conntrack_netlink
FATAL: Error inserting nf_conntrack_netlink (/lib/modules/3.0.4-linode38/kernel/net/netfilter/nf_conntrack_netlink.ko): Device or resource busy |
|
|
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
|
| Posted: Mon Nov 28, 2011 5:42 pm Post subject: |
|
|
I suspect it's conflicting with the nf_conntrack_netlink support already compiled into the kernel:
Code:
rtucker@framboise:~$ zgrep -i netlink /proc/config.gz
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_SCSI_NETLINK is not set
CONFIG_QUOTA_NETLINK_INTERFACE=y
Try skipping the modprobe and see if your application works. |
|
|
jeffkyjin
Joined: 15 Feb 2011
Posts: 10
|
| Posted: Mon Dec 12, 2011 9:55 am Post subject: |
|
|
Code:
root@cow:/etc# zgrep -i netlink /proc/config.gz
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_SCSI_NETLINK is not set
CONFIG_QUOTA_NETLINK_INTERFACE=y
I think netlink is already compiled into the kernel,
but when I run l7-filter, it says:
Code:
root@cow:/etc# l7-filter -vv -f /etc/l7_filter.conf
***WARNING***
Neither the ip_conntrack_netlink nor nf_conntrack_netlink kernel
modules are loaded. Unless these features are compiled into your
kernel, please load one and run l7-filter again.
***WARNING***
Neither the ip_conntrack_ipv4 nor nf_conntrack_ipv4 kernel modules
are loaded. Unless these features are compiled into your kernel,
please load one and run l7-filter again.
Attempting to read configuration from /etc/l7_filter.conf
Attempting to load pattern from /etc/l7-protocols/protocols/ssh.pat
pattern='^ssh-[12]\.[0-9]'
eflags=0 cflags=11
Added: ssh mark=5
Attempting to load pattern from /etc/l7-protocols/protocols/bittorrent.pat
pattern='^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]'
eflags=0 cflags=11
Added: bittorrent mark=6
error during nfq_bind_pf() |
|
|
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
|
| Posted: Mon Dec 12, 2011 6:28 pm Post subject: |
|
|
| Looks like it worked, up until the "error during nfq_bind_pf()" part. Any way to find out exactly what error occurred during nfq_bind_pf()? And is it important for your application? |
|
|
jeffkyjin
Joined: 15 Feb 2011
Posts: 10
|
| Posted: Tue Dec 13, 2011 7:04 am Post subject: |
|
|
Yes, it's important.
I use l7-filter to make sure the VPN users can't use BitTorrent to download unauthorized files. |
|
|
saman007uk
Joined: 16 Oct 2004
Posts: 168
|
| Posted: Tue Dec 13, 2011 7:43 am Post subject: |
|
|
jeffkyjin wrote: Code:
***WARNING***
Neither the ip_conntrack_netlink nor nf_conntrack_netlink kernel
modules are loaded. Unless these features are compiled into your
kernel, please load one and run l7-filter again.
As it explains: Unless these features are compiled into your kernel. And as you said netlink is already compiled into the kernel. So as far as I see the nfq_bind_pf() doesn't have anything to do with loading the netlink kernel modules. It's a separate error. |
|
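Added example, not part of any post in this thread: a small shell check that classifies a kernel option as built in (=y), modular (=m), unset or absent, which is the distinction behind both the "Device or resource busy" modprobe failure and the l7-filter warning above. The function names and the embedded sample config are constructed for illustration; the sample mirrors the zgrep output quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: the lines zgrep printed in the thread.
SAMPLE_CONFIG='CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_SCSI_NETLINK is not set
CONFIG_QUOTA_NETLINK_INTERFACE=y'

# kconfig_state OPTION
# Reads kernel config text on stdin and prints one of:
#   builtin (=y), module (=m), unset ("is not set"), absent (no line at all).
# Whole-line comparison keeps CONFIG_NETFILTER_NETLINK from matching
# CONFIG_NETFILTER_NETLINK_QUEUE.
kconfig_state() {
    awk -v opt="$1" '
        $0 == (opt "=y")               { s = "builtin" }
        $0 == (opt "=m")               { s = "module" }
        $0 == ("# " opt " is not set") { s = "unset" }
        END { print (s == "" ? "absent" : s) }'
}

# modprobe_advice OPTION MODULE
# Turns the state into the action to take before starting l7-filter.
modprobe_advice() {
    case "$(kconfig_state "$1")" in
        builtin) echo "skip modprobe $2: built into the kernel" ;;
        module)  echo "run modprobe $2" ;;
        *)       echo "$2 unavailable: kernel config lacks $1" ;;
    esac
}

# Demo on the constructed sample. On a live system, feed it
# `zcat /proc/config.gz` instead of the sample text.
printf '%s\n' "$SAMPLE_CONFIG" |
    modprobe_advice CONFIG_NF_CT_NETLINK nf_conntrack_netlink
printf '%s\n' "$SAMPLE_CONFIG" |
    modprobe_advice CONFIG_NETFILTER_NETLINK_QUEUE nfnetlink_queue
```

The sample only contains lines matching "netlink", so options such as CONFIG_NF_CONNTRACK_IPV4 report as absent here; against the full /proc/config.gz they would report their real state.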
|
hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
|
| Posted: Sat Dec 17, 2011 11:17 am Post subject: |
|
|
Does it work if you run your distro's kernel via pv-grub? I have a hunch that there is excessively tight coupling between the userspace tools and the kernel drivers, causing it to fail if you aren't running a similar-vintage kernel.
The likelihood of this as a cause depends on distro/version in use... Ubuntu 11.10 = not very likely, CentOS 5 = bring out the punchcards. |
|