nf_conntrack_netlink install failed.

I am installing nf_conntrack_netlink for l7-filter.

But after I compiled the kernel modules and installed the module, an error is displayed as follows.

Does anyone know what's wrong?

Thanks.

````
root@dd:/home# modprobe nf_conntrack_netlink
FATAL: Error inserting nf_conntrack_netlink (/lib/modules/3.0.4-linode38/kernel/net/netfilter/nf_conntrack_netlink.ko): Device or resource busy
````

6 Replies

I suspect it's conflicting with the nf_conntrack_netlink support already compiled into the kernel:

````
rtucker@framboise:~$ zgrep -i netlink /proc/config.gz
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_SCSI_NETLINK is not set
CONFIG_QUOTA_NETLINK_INTERFACE=y
````

Try skipping the modprobe and see if your application works.

````
root@cow:/etc# zgrep -i netlink /proc/config.gz
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_SCSI_NETLINK is not set
CONFIG_QUOTA_NETLINK_INTERFACE=y
````

I think netlink is already compiled into the kernel, but when I run l7-filter, it says:

````
root@cow:/etc# l7-filter -vv -f /etc/l7_filter.conf

                  ***WARNING***

Neither the ip_conntrack_netlink nor nf_conntrack_netlink kernel
modules are loaded. Unless these features are compiled into your
kernel, please load one and run l7-filter again.

                  ***WARNING***

Neither the ip_conntrack_ipv4 nor nf_conntrack_ipv4 kernel modules
are loaded. Unless these features are compiled into your kernel,
please load one and run l7-filter again.

Attempting to read configuration from /etc/l7_filter.conf
Attempting to load pattern from /etc/l7-protocols/protocols/ssh.pat
pattern='^ssh-[12].[0-9]'
eflags=0 cflags=11
Added: ssh mark=5
Attempting to load pattern from /etc/l7-protocols/protocols/bittorrent.pat
pattern='^(\x13bittorrent protocol|azver\x01$|get /scrape\?infohash=get /announce\?infohash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P)[RP]'
eflags=0 cflags=11
Added: bittorrent mark=6
error during nfq_bind_pf()
````

Looks like it worked, up until the "error during nfq_bind_pf()" part. Any way to find out exactly what error occurred during nfq_bind_pf()? And is it important for your application?

Yes, it's important.

I use l7-filter to ensure that the VPN users can't use BitTorrent to download unauthorized files.

@jeffkyjin:

                      ***WARNING***
Neither the ip_conntrack_netlink nor nf_conntrack_netlink kernel
modules are loaded. Unless these features are compiled into your
kernel, please load one and run l7-filter again.

As it explains: Unless these features are compiled into your kernel. And as you said netlink is already compiled into the kernel. So as far as I see the nfq_bind_pf() doesn't have anything to do with loading the netlink kernel modules. It's a separate error.

Does it work if you run your distro's kernel via pv-grub? I have a hunch that there is excessively tight coupling between the userspace tools and the kernel drivers, causing it to fail if you aren't running a similar-vintage kernel.

The likelihood of this as a cause depends on distro/version in use… Ubuntu 11.10 = not very likely, CentOS 5 = bring out the punchcards.
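
The built-in versus module check discussed in the replies above, as an added example that is not part of the original thread: it classifies the options behind the two l7-filter warnings and the queue binding as built-in, module, or disabled, so `modprobe` is only run where it can succeed. The function names (`kconfig_state`, `advice`, `report`) are hypothetical, and the sample config is constructed from the zgrep output quoted in the thread plus one constructed `=m` line.

```shell
#!/bin/sh
# Added example (not from the thread): decide per feature whether modprobe
# is needed, based on the kernel's build configuration.

# kconfig_state OPTION < config-text
# Prints builtin | module | disabled | absent. Whole-line matches only, so
# NETFILTER_NETLINK does not also match NETFILTER_NETLINK_QUEUE.
kconfig_state() {
    cfg=$(cat)
    if   printf '%s\n' "$cfg" | grep -qxF "CONFIG_$1=y"; then echo builtin
    elif printf '%s\n' "$cfg" | grep -qxF "CONFIG_$1=m"; then echo module
    elif printf '%s\n' "$cfg" | grep -qxF "# CONFIG_$1 is not set"; then echo disabled
    else echo absent
    fi
}

# advice STATE MODULE: what to do about one feature
advice() {
    case "$1" in
        builtin) echo "compiled in; do not modprobe $2" ;;
        module)  echo "run: modprobe $2" ;;
        *)       echo "not available in this kernel" ;;
    esac
}

# Constructed sample: lines from the thread's zgrep output, plus one
# constructed "=m" line to show the loadable-module case.
SAMPLE_CONFIG='CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_SCSI_NETLINK is not set
CONFIG_NF_CONNTRACK_IPV4=m'

# report CONFIG-TEXT: one line per option, paired with its module name
report() {
    for pair in NF_CT_NETLINK:nf_conntrack_netlink \
                NF_CONNTRACK_IPV4:nf_conntrack_ipv4 \
                NETFILTER_NETLINK_QUEUE:nfnetlink_queue; do
        opt=${pair%%:*}; mod=${pair#*:}
        state=$(printf '%s\n' "$1" | kconfig_state "$opt")
        echo "$opt: $(advice "$state" "$mod")"
    done
}

report "$SAMPLE_CONFIG"
# On a live system with /proc/config.gz: report "$(zcat /proc/config.gz)"
```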
