Merlin 386.1_2 on AC68U conntrack error

I'm running firmware 386.1_2 => not working

It definitely worked in 384.19...
and I think it worked in 386.1 (but not 100% sure)
 
>> Asus uses this for the new Parental Control code.

It should be added if possible as additional (new) module.
 
I'm sure it worked with RT-AC68U_384.19_0
I think it worked with RT-AC68U_386.1_0

Shall I file this as an issue on https://github.com/RMerl/asuswrt-merlin.ng ?
It might be worth doing that. I've just done a diff on the old and current versions of conntrack.c and can see that someone called "Andrew" added a new parameter for "log". The old version was vanilla 1.4.5 code. Given that the error message is complaining about invalid parameters I'm guessing that there's a bug in that new code. (Although that doesn't explain why I'm seeing the same error message with the Entware version :confused:)

OK forget the above theory. AFAICT the "invalid parameter" message is the default message when an unexpected error occurs.

I think the real cause of the problem is that the nf_conntrack_netlink module is missing from the current firmware's builtin modules.

EDIT: It looks like the 386 builds added the NFCM=n option to target.mak and extra code was added to Makefile which deletes the CONFIG_NF_CT_NETLINK modules.

I suspect this has broken (at least partially) parental controls as the conntrack user space tool is called directly (e.g. link).
 
> It might be worth doing that. I've just done a diff on the old and current versions of conntrack.c and can see that someone called "Andrew" added a new parameter for "log". The old version was vanilla 1.4.5 code. Given that the error message is complaining about invalid parameters I'm guessing that there's a bug in that new code. (Although that doesn't explain why I'm seeing the same error message with the Entware version :confused:)
>
> OK forget the above theory. AFAICT the "invalid parameter" message is the default message when an unexpected error occurs.
>
> I think the real cause of the problem is that the nf_conntrack_netlink module is missing from the current firmware's builtin modules.
>
> EDIT: It looks like the 386 builds added the NFCM=n option to target.mak and extra code was added to Makefile which deletes the CONFIG_NF_CT_NETLINK modules.
>
> I suspect this has broken (at least partially) parental controls as the conntrack user space tool is called directly (e.g. link).

1) missing nf_conntrack_netlink: sounds reasonable,
as I showed in my initial post...I have a bunch of nf_conntrack-XXX modules, but not netlink

2) re broken parental controls: think so too,
this is sort of "good" as it increases likelihood of this being fixed!

Thanks for help!
 
Code:
Module                  Size  Used by    Tainted: P
ip6t_LOG                4494  0
ebtable_broute           873  0
ebtable_filter          1061  0
ebtable_nat             1056  0
ebtables               15643  3 ebtable_broute,ebtable_filter,ebtable_nat
usblp                  10321  0
thfsplus               84702  0
tntfs                 493645  0
tfat                  186782  0
ext2                   52776  0
ext4                  221674  0
crc16                   1007  1 ext4
jbd2                   48993  1 ext4
ext3                  106409  0
jbd                    42367  1 ext3
mbcache                 4599  3 ext2,ext4,ext3
usb_storage            34290  0
sg                     19855  0
sd_mod                 21983  0
scsi_wait_scan           416  0
scsi_mod              108738  3 usb_storage,sg,sd_mod
ohci_hcd               17926  0
ehci_hcd               32382  0
nf_nat_ftp              1144  0
nf_conntrack_ftp        4909  1 nf_nat_ftp
ip6table_mangle          934  0
cdc_mbim                3137  0
qmi_wwan                5792  0
cdc_wdm                 7252  2 cdc_mbim,qmi_wwan
cdc_ncm                 8762  1 cdc_mbim
rndis_host              5256  0
cdc_ether               4036  1 rndis_host
asix                   10856  0
cdc_acm                12614  0
usbnet                 11900  6 cdc_mbim,qmi_wwan,cdc_ncm,rndis_host,cdc_ether,asix
usbcore               102572 14 usblp,usb_storage,ohci_hcd,ehci_hcd,cdc_mbim,qmi_wwan,cdc_wdm,cdc_ncm,rndis_host,cdc_ether,asix,cdc_acm,usbnet
mii                     3367  2 asix,usbnet
ip6table_filter          750  1
jffs2                  91274  1
zlib_deflate           19489  1 jffs2
nf_nat_pptp             1602  0
nf_conntrack_pptp       3355  1 nf_nat_pptp
nf_nat_proto_gre         887  1 nf_nat_pptp
nf_conntrack_proto_gre     3296  1 nf_conntrack_pptp
wl                   4198524  0
dpsta                  12782  1 wl
et                     65134  0
igs                    11887  1 wl
emf                    15225  2 wl,igs
ctf                    21199  0
 
You need to look in /lib/modules/2.6.36.4brcmarm/modules.builtin because the module is compiled into the kernel rather than being "loadable".
 
> You need to look in /lib/modules/2.6.36.4brcmarm/modules.builtin because the module is compiled into the kernel rather than being "loadable".

Actually, on Merlin it's compiled separately as a userspace library
Code:
obj-$(RTCONFIG_CONNTRACK) += conntrack
obj-$(RTCONFIG_CONNTRACK) += libnfnetlink-1.0.1
obj-$(RTCONFIG_CONNTRACK) += libmnl-1.0.4
obj-$(RTCONFIG_CONNTRACK) += libnetfilter_conntrack-1.0.7
obj-$(RTCONFIG_CONNTRACK) += libnetfilter_cttimeout-1.0.0

I think I see the problem though.....there are two versions of libnfnetlink referenced in the Makefile. One part of conntrack and the other part of ipset support. I think one is overwriting the other (but not sure which is the right one).
 
> You need to look in /lib/modules/2.6.36.4brcmarm/modules.builtin because the module is compiled into the kernel rather than being "loadable".

this is (very long) content of my modules.builtin,
it has kernel/net/netfilter/nf_conntrack.ko ... (and ipv4)

kernel/fs/configfs/configfs.ko
kernel/fs/fuse/fuse.ko
kernel/fs/nls/nls_base.ko
kernel/fs/nls/nls_utf8.ko
kernel/fs/quota/quota_v2.ko
kernel/fs/quota/quota_tree.ko
kernel/fs/squashfs/squashfs.ko
kernel/crypto/crypto.ko
kernel/crypto/crypto_wq.ko
kernel/crypto/crypto_algapi.ko
kernel/crypto/aead.ko
kernel/crypto/crypto_blkcipher.ko
kernel/crypto/chainiv.ko
kernel/crypto/eseqiv.ko
kernel/crypto/crypto_hash.ko
kernel/crypto/pcompress.ko
kernel/crypto/cryptomgr.ko
kernel/crypto/hmac.ko
kernel/crypto/md5.ko
kernel/crypto/sha1_generic.ko
kernel/crypto/ecb.ko
kernel/crypto/aes_generic.ko
kernel/crypto/arc4.ko
kernel/crypto/crc32c.ko
kernel/crypto/rng.ko
kernel/crypto/krng.ko
kernel/crypto/ansi_cprng.ko
kernel/block/deadline-iosched.ko
kernel/block/cfq-iosched.ko
kernel/drivers/block/brd.ko
kernel/drivers/block/loop.ko
kernel/drivers/mtd/mtd.ko
kernel/drivers/mtd/mtdchar.ko
kernel/drivers/mtd/mtd_blkdevs.ko
kernel/drivers/mtd/mtdblock.ko
kernel/drivers/mtd/bcm947xx/nand/brcmnand.ko
kernel/drivers/mtd/chips/chipreg.ko
kernel/drivers/mtd/chips/cfi_probe.ko
kernel/drivers/mtd/chips/cfi_util.ko
kernel/drivers/mtd/chips/cfi_cmdset_0020.ko
kernel/drivers/mtd/chips/cfi_cmdset_0002.ko
kernel/drivers/mtd/chips/cfi_cmdset_0001.ko
kernel/drivers/mtd/chips/gen_probe.ko
kernel/drivers/mtd/maps/bcm947xx-flash.ko
kernel/drivers/mtd/nand/nand.ko
kernel/drivers/mtd/nand/nand_ecc.ko
kernel/drivers/mtd/nand/nand_ids.ko
kernel/drivers/net/ppp_generic.ko
kernel/drivers/net/ppp_async.ko
kernel/drivers/net/ppp_synctty.ko
kernel/drivers/net/ppp_mppe.ko
kernel/drivers/net/pppox.ko
kernel/drivers/net/pppoe.ko
kernel/drivers/net/pptp.ko
kernel/drivers/net/slhc.ko
kernel/drivers/net/ifb.ko
kernel/drivers/rtc/rtc-lib.ko
kernel/drivers/serial/serial_core.ko
kernel/drivers/serial/8250.ko
kernel/drivers/serial/8250_pci.ko
kernel/net/802/p8022.ko
kernel/net/802/psnap.ko
kernel/net/802/stp.ko
kernel/net/8021q/vlan_core.ko
kernel/net/8021q/8021q.ko
kernel/net/bridge/bridge.ko
kernel/net/dns_resolver/dns_resolver.ko
kernel/net/ipv4/inet_lro.ko
kernel/net/ipv4/tcp_cubic.ko
kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko
kernel/net/ipv4/netfilter/nf_nat.ko
kernel/net/ipv4/netfilter/nf_defrag_ipv4.ko
kernel/net/ipv4/netfilter/nf_nat_tftp.ko
kernel/net/ipv4/netfilter/ip_tables.ko
kernel/net/ipv4/netfilter/iptable_filter.ko
kernel/net/ipv4/netfilter/iptable_mangle.ko
kernel/net/ipv4/netfilter/iptable_nat.ko
kernel/net/ipv4/netfilter/iptable_raw.ko
kernel/net/ipv4/netfilter/ipt_addrtype.ko
kernel/net/ipv4/netfilter/ipt_LOG.ko
kernel/net/ipv4/netfilter/ipt_MASQUERADE.ko
kernel/net/ipv4/netfilter/ipt_REJECT.ko
kernel/net/ipv4/netfilter/ipt_TRIGGER.ko
kernel/net/ipv4/netfilter/ipt_cone.ko
kernel/net/ipv4/netfilter/lfp.ko
kernel/net/ipv4/netfilter/dnsmq.ko
kernel/net/ipv6/ipv6.ko
kernel/net/ipv6/inet6_hashtables.ko
kernel/net/ipv6/netfilter/ip6_tables.ko
kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko
kernel/net/ipv6/netfilter/ip6t_rt.ko
kernel/net/l2tp/l2tp_core.ko
kernel/net/l2tp/l2tp_ppp.ko
kernel/net/llc/llc.ko
kernel/net/netfilter/nfnetlink.ko
kernel/net/netfilter/nfnetlink_log.ko
kernel/net/netfilter/nf_conntrack.ko
kernel/net/netfilter/nf_conntrack_tftp.ko
kernel/net/netfilter/x_tables.ko
kernel/net/netfilter/xt_tcpudp.ko
kernel/net/netfilter/xt_mark.ko
kernel/net/netfilter/xt_connmark.ko
kernel/net/netfilter/xt_CLASSIFY.ko
kernel/net/netfilter/xt_DSCP.ko
kernel/net/netfilter/xt_NFLOG.ko
kernel/net/netfilter/xt_NOTRACK.ko
kernel/net/netfilter/xt_TCPMSS.ko
kernel/net/netfilter/xt_connbytes.ko
kernel/net/netfilter/xt_connlimit.ko
kernel/net/netfilter/xt_conntrack.ko
kernel/net/netfilter/xt_helper.ko
kernel/net/netfilter/xt_iprange.ko
kernel/net/netfilter/xt_limit.ko
kernel/net/netfilter/xt_mac.ko
kernel/net/netfilter/xt_multiport.ko
kernel/net/netfilter/xt_recent.ko
kernel/net/netfilter/xt_state.ko
kernel/net/netfilter/xt_statistic.ko
kernel/net/netfilter/xt_string.ko
kernel/net/netfilter/xt_tcpmss.ko
kernel/net/netfilter/xt_time.ko
kernel/net/netfilter/xt_u32.ko
kernel/net/netfilter/xt_webstr.ko
kernel/net/packet/af_packet.ko
kernel/net/sched/act_police.ko
kernel/net/sched/act_mirred.ko
kernel/net/sched/act_ipt.ko
kernel/net/sched/sch_htb.ko
kernel/net/sched/sch_ingress.ko
kernel/net/sched/sch_sfq.ko
kernel/net/sched/sch_fq_codel.ko
kernel/net/sched/sch_prio.ko
kernel/net/sched/cls_u32.ko
kernel/net/sched/cls_route.ko
kernel/net/sched/cls_fw.ko
kernel/net/sched/cls_basic.ko
kernel/net/sched/cls_flow.ko
kernel/net/unix/unix.ko
kernel/lib/bitrev.ko
kernel/lib/crc-ccitt.ko
kernel/lib/crc32.ko
kernel/lib/ts_kmp.ko
kernel/lib/ts_bm.ko
kernel/lib/ts_fsm.ko
kernel/lib/xz/xz_dec.ko
kernel/lib/zlib_inflate/zlib_inflate.ko
 
> Actually, on Merlin it's compiled separately as a userspace library
> Code:
> obj-$(RTCONFIG_CONNTRACK) += conntrack
> obj-$(RTCONFIG_CONNTRACK) += libnfnetlink-1.0.1
> obj-$(RTCONFIG_CONNTRACK) += libmnl-1.0.4
> obj-$(RTCONFIG_CONNTRACK) += libnetfilter_conntrack-1.0.7
> obj-$(RTCONFIG_CONNTRACK) += libnetfilter_cttimeout-1.0.0
>
> I think I see the problem though.....there are two versions of libnfnetlink referenced in the Makefile. One part of conntrack and the other part of ipset support. I think one is overwriting the other (but not sure which is the right one).

I only see one here - libnfnetlink-1.0.1

Code:
obj-$(RTCONFIG_CONNTRACK) += libnfnetlink-1.0.1
obj-$(RTCONFIG_NFCM) += libnfnetlink-1.0.1
obj-y += libnfnetlink-1.0.1
 
Explicitly disabling NFCM would cause the CONFIG_NF_CT_NETLINK support to be removed from the kernel. I just removed the explicit NFCM=n code in Makefile, conntrack -E and -L now work correctly.
 
> I only see one here - libnfnetlink-1.0.1

Didn't think I was that senile (at least not yet :) ). I forgot I had the 384 branch checked out looking at something and it does have two libnfnetlink versions. Sorry for the false alarm.
 
> Didn't think I was that senile (at least not yet :) ). I forgot I had the 384 branch checked out looking at something and it does have two libnfnetlink versions. Sorry for the false alarm.

There are so many similarly named libraries that I myself triple-checked to make sure I hadn't missed it LOL
 
> Explicitly disabling NFCM would cause the CONFIG_NF_CT_NETLINK support to be removed from the kernel. I just removed the explicit NFCM=n code in Makefile, conntrack -E and -L now work correctly.

Does this mean that it's fixed in the next version?
(or maybe even in a current beta)

/Jonas
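
The check the thread worked through by hand, as an added example that is not part of any post: it looks for nf_conntrack_netlink in both places the posters consulted (lsmod output for loadable modules, modules.builtin for compiled-in ones) and separates "ctnetlink left out of the build" from "nfnetlink itself absent". The function names `has_module` and `ctnetlink_status` are hypothetical, and the sample files are constructed from a few lines of the listings posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are files so it runs offline;
# on the router they would be `lsmod` output and the modules.builtin file
# named in the thread (/lib/modules/2.6.36.4brcmarm/modules.builtin).

# has_module NAME LSMOD_FILE BUILTIN_FILE -> prints loaded | builtin | absent
has_module() {
    # lsmod: module name is the first column (exact match, not a prefix).
    if awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "$2"; then
        echo loaded
    # modules.builtin: one path per line, ending in /<name>.ko
    elif grep -q "/$1\.ko\$" "$3"; then
        echo builtin
    else
        echo absent
    fi
}

# ctnetlink_status LSMOD_FILE BUILTIN_FILE
#   ok                 nf_conntrack_netlink is present
#   missing-ctnetlink  nfnetlink is present but ctnetlink is not in the build
#   missing-nfnetlink  the netlink transport itself is absent
ctnetlink_status() {
    if [ "$(has_module nf_conntrack_netlink "$1" "$2")" != absent ]; then
        echo ok
    elif [ "$(has_module nfnetlink "$1" "$2")" != absent ]; then
        echo missing-ctnetlink
    else
        echo missing-nfnetlink
    fi
}

# Constructed sample: a few lines excerpted from the listings posted above.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/lsmod.txt" <<'EOF'
Module                  Size  Used by    Tainted: P
nf_nat_ftp              1144  0
nf_conntrack_ftp        4909  1 nf_nat_ftp
nf_conntrack_pptp       3355  1 nf_nat_pptp
EOF
cat > "$SAMPLE_DIR/modules.builtin" <<'EOF'
kernel/net/netfilter/nfnetlink.ko
kernel/net/netfilter/nfnetlink_log.ko
kernel/net/netfilter/nf_conntrack.ko
kernel/net/netfilter/xt_conntrack.ko
EOF

echo "sample: $(ctnetlink_status "$SAMPLE_DIR/lsmod.txt" "$SAMPLE_DIR/modules.builtin")"
```

On the sample, which mirrors the 386.1_2 listings, the result is `missing-ctnetlink`: nfnetlink and nf_conntrack are built in, but the conntrack netlink interface is not.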
 
