How to drop all connections

Discussion in 'Tomato Firmware' started by mirec73, Jul 5, 2018.

  1. mirec73

    mirec73 New Member Member

    Hi, I would like to drop all connections listed in /proc/net/ip_conntrack , without the need to reboot my router, or reconnect to my ISP. I found this command, that should do it :

    echo 15 > /proc/net/expire_early

    It seems to work for everyone else, but on my router it allways returns this error, no matter how i execute it (as root via SSH or locally via tomato command utility) :

    -sh: can't create /proc/net/expire_early: nonexistent directory

    It is wierd, because the directory exist, i can list its content using the ls commad. Is this some kind of bug or am I just doing something wrong ?

    My specs :

    HW - Asus RT-N18U

    FW - Advanced Tomato, latest version 3.5-140 K26ARM USB AIO-64K

    Thanks in advance
     
  2. koitsu

    koitsu Network Guru Member

    Two things:

    1. The proper way to flush the conntrack table is through conntrack -F or conntrack --flush. However, TomatoUSB does not include conntrack-tools due to firmware size constraints, thus there is no conntrack command on present-day TomatoUSB.

    2. You get the error in question because there is no such file called /proc/net/expire_early, and because /proc will not let you create new files in /proc/net. This is normal behaviour.

    /proc/net/expire_early is a 100% Tomato-specific netfilter module.

    While I can find the source code for the modules, and even the related HTTP server use of this file, it does not appear this module is being compiled.

    For ARM, the module is in linux/linux-2.6.36/net/ipv4/netfilter/tomato_ct.c (link goes to FreshTomato, not Advanced Tomato, but the code is the same)

    The following two files are involved in its compilation or lack thereof:

    linux/linux-2.6.36/net/ipv4/netfilter/Makefile
    linux/linux-2.6.36/net/ipv4/netfilter/Kconfig

    In the Makefile, I can see there is an internal configuration clause that relies on a kernel compile-time configuration variable called CONFIG_IP_NF_TOMATOCT. In Kconfig there's a more clear description of the above:

    Code:
    config IP_NF_TOMATOCT
            tristate  'tomato_ct'
            depends on NF_CONNTRACK_MARK && EXPERIMENTAL
    
    So for this module to work, CONFIG_IP_NF_TOMATOCT needs to be enabled in linux/linux-2.6.36/config_base (i.e. CONFIG_IP_NF_TOMATOCT=y). Right now it isn't set at all, which means it's not being built/included. CONFIG_NF_CONNTRACK_MARK is set to y, which means the module it depends on is being compiled/included statically.

    I make no guarantees this module works. It may crash the router. It may have other effects (there is other code in it that does other things that may cause problems/issues). Everything I find online is from Very Old Days(tm) so I make no promises.

    My general advice is that the projects try to figure out how to add conntrack-tools to the system so that the conntrack command is available and can be used like a normal Linux system, not custom netfilter modules with magic /proc/net entries.

    You can file this request with the Advanced Tomato folks.
     
  3. mirec73

    mirec73 New Member Member

    Thank you for reply.

    I was not able to install conntrack command, but I found an opkg package - libnetfilter-conntrack. Based on its description, I presume that it provides some basic operations with conntrack table. Unfortunately it seems like it is just some kind of a library rather than a collection of usable commands. So because I am not that skilled in programming routers and i was not able find well documented examples, I wont be able to use it.

    Anyways , i was trying this because of my VOIP - every time the router reconnects to my ISP (for some reason this is happening +- every 10 hours) it fails to register. I have read, that it is some kind of bug in tomato FW, an adding simple script to turn off, delay and turn on vlan solves this. And it does work, but for me it only works if the delay is greater then 250 seconds, which is a little bit long.
     
  4. koitsu

    koitsu Network Guru Member

    libnetfilter-conntrack is a C library intended for use by programs wishing to interface with netfilter/conntrack within the kernel. So yes, it's a programming-related library, and does not include any utilities/programs. I don't even know how Entware provides this, because such a library requires tie-ins to kernel-specific netfilter/conntrack structures (and the documentation confirms this) at compile-time. The description of the package clearly states it's used by conntrack-tools, and the package is not a dependency of any other package:

    Code:
    root@gw:/tmp/home/root# opkg list | grep conntrack-tools
    libnetfilter-conntrack - 2017-07-25-e8704326-1 - libnetfilter_conntrack is a userspace library providing a programming interface (API) to the in-kernel connection tracking state table. The library libnetfilter_conntrack has been previously known as libnfnetlink_conntrack and libctnetlink. This library is currently used by conntrack-tools among many other applications.
    
    root@gw:/tmp/home/root# opkg whatdepends libnetfilter-conntrack
    Root set:
    What depends on root set
    
    I do not know how or why this library even exists for Entware. I think someone intended to make conntrack-tools available in Entware, but then realised it's nearly impossible due to netfilter/iptables/kernel version variance.

    conntrack-tools is the official software that contains the conntrack command. HOWEVER: this is not a package available via Entware. Because of what I described above, it would have to be part of TomatoUSB, not part of Entware. The netfilter/iptables versions differ between MIPS vs. ARM as well.

    So, as I said: this is a utility that would have to be compiled/built in to the TomatoUSB firmware. The reason it has not been done historically is because of size constraints. ARM routers tend to have more flash, so it may be something that could be added to ARM builds. You would need to file a ticket with the Advanced Tomato folks to ask for it.

    Without said command or TomatoUSB's strange custom module, I do not know of any other way to flush the conntrack table aside from rebooting.

    The bug you describe with Advanced Tomato may related to dnsmasq and/or IPv6 capability. Where did you read about it? Can you link to the discussion? If it's the exact bug I describe, then IIRC, this problem has been fixed in FreshTomato-ARM (not Advanced Tomato).

    P.S. -- Why do you think clearing the conntrack table is necessary in combination with your existing workaround? Specifically the confusing part for me is this: how do you know you need that capability when it's never been available to you? :) I do not think you need to clear the conntrack table; netfilter/iptables is pretty smart about figuring out how to "resume" existing sessions as long as the NAT'd port numbers (ex. WAN IP-and-port<--> LAN IP-and-port) all match up. VoIP is UDP-based which has no state tracking, but conntrack still tracks UDP for NAT anyway (it has to). Maybe for TCP resuming works well but UDP doesn't? Not sure.
     
    mirec73 likes this.
  5. pomidor1

    pomidor1 Networkin' Nut Member

    mirec73 and koitsu like this.
  6. mirec73

    mirec73 New Member Member

    So, about the bug and script i am currently using, but with larger delay (250s) :
    http://www.dslreports.com/forum/r23981069-
    http://www.dslreports.com/forum/r23423987-Equipment-Tomato-with-VOIP-warning
    It is working, but as i said, it takes too long to recover and I thought this would help. I also tried adjusting intervals on voip, as well as udp timeouts on tomato, but it didnt seem to work.
    I noticed that if i change voip port (for exmple 5060 -> 5061) when it fails to register, it starts to work again. So i made a python script, that would check its status and if the status is failed to register, the script would change the port. It works, but it isnt the best solution either.
    I didnt have this problem with voip while using older zyxel router or dd wrt, but there were other problems and i like the modern gui of tomato.

    So, I think I will migrate to newer and more updated version of tomato.
    Thanks for help.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice