iptables netflow module (ipt-netflow) - pve8 kernel 6.x

E

emunt6

Active Member
Oct 3, 2022
162
36
33
Hi!

There is a Netflow/IPFIX package for iptables in the base Debian12, but not compatible with the pve8 kernel 6.x
Is there any way to make it to work?

https://bugs.launchpad.net/ubuntu/+source/iptables-netflow/+bug/2023306

Code: 
$> aptitude search netflow
p   iptables-netflow-dkms                                   - iptables target which generates netflows


Code: 
$> aptitude show iptables-netflow-dkms

Package: iptables-netflow-dkms        
Version: 2.6-4
State: not installed
Priority: optional
Section: kernel
Maintainer: Axel Beckert <abe@debian.org>
Architecture: amd64
Uncompressed Size: 299 k
Depends: dkms (>= 2.8.4-3~), libc6-dev, libxtables-dev, pkg-config, libc6 (>= 2.3.4)
Recommends: iptables
Suggests: irqtop, nfdump
Description: iptables target which generates netflows
 ipt-netflow is an iptables/netfilter target which generates traffic statistics in NetFlow v5 and v9 format as well as in IPFIX
 format.
 
 It provides high performance and scalability. For highest performance module could be run without conntrack being enabled in
 kernel. Reported to be able to handle 10Gbit traffic with more than 1500000 pps with negligible server load (on S5500BC).
Homepage: https://github.com/aabc/ipt-netflow


Code: 
$> aptitude install iptables-netflow-dkms

The following NEW packages will be installed:
  dkms{a} iptables-netflow-dkms libxtables-dev{a}
The following packages will be REMOVED:
  pve-headers{u} pve-headers-6.2{u} pve-kernel-6.2{u} python3-psutil{u} python3-xapp{u}
0 packages upgraded, 3 newly installed, 5 to remove and 18 not upgraded.
Need to get 137 kB of archives. After unpacking 526 kB will be freed.
Do you want to continue? [Y/n/?] n
Abort.
 
Last edited:
Just apt will not have those problems in my test machine:

Code: 
root@proxmox-test:~# apt install iptables-netflow-dkms
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  build-essential cpp cpp-12 dkms dpkg-dev fakeroot g++ g++-12 gcc gcc-12 libabsl20220623 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libaom3 libasan8 libatomic1
  libavif15 libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libdav1d6 libde265-0 libdeflate0 libdpkg-perl libfakeroot libfile-fcntllock-perl libgav1-1 libgcc-12-dev libgd3 libgomp1
  libheif1 libisl23 libitm1 libjbig0 liblerc4 liblsan0 libmpc3 libmpfr6 libnsl-dev libpkgconf3 libquadmath0 librav1e0 libstdc++-12-dev libsvtav1enc1 libtiff6 libtirpc-dev libtsan2 libubsan1 libwebp7
  libx265-199 libxpm4 libxtables-dev libyuv0 linux-libc-dev lsb-release make manpages-dev patch pkg-config pkgconf pkgconf-bin pve-headers-6.1 pve-headers-6.1.10-1-pve rpcsvc-proto sudo
Suggested packages:
  cpp-doc gcc-12-locales cpp-12-doc menu debian-keyring g++-multilib g++-12-multilib gcc-12-doc gcc-multilib autoconf automake libtool flex bison gdb gcc-doc gcc-12-multilib irqtop nfdump glibc-doc
  git bzr libgd-tools libstdc++-12-doc make-doc ed diffutils-doc
The following NEW packages will be installed:
  build-essential cpp cpp-12 dkms dpkg-dev fakeroot g++ g++-12 gcc gcc-12 iptables-netflow-dkms libabsl20220623 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libaom3
  libasan8 libatomic1 libavif15 libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libdav1d6 libde265-0 libdeflate0 libdpkg-perl libfakeroot libfile-fcntllock-perl libgav1-1 libgcc-12-dev
  libgd3 libgomp1 libheif1 libisl23 libitm1 libjbig0 liblerc4 liblsan0 libmpc3 libmpfr6 libnsl-dev libpkgconf3 libquadmath0 librav1e0 libstdc++-12-dev libsvtav1enc1 libtiff6 libtirpc-dev libtsan2
  libubsan1 libwebp7 libx265-199 libxpm4 libxtables-dev libyuv0 linux-libc-dev lsb-release make manpages-dev patch pkg-config pkgconf pkgconf-bin pve-headers-6.1 pve-headers-6.1.10-1-pve
  rpcsvc-proto sudo
0 upgraded, 69 newly installed, 0 to remove and 0 not upgraded.
Need to get 85.5 MB of archives.
After this operation, 373 MB of additional disk space will be used.
Do you want to continue? [Y/n]
 
apt/apt-get was cache problem, fixed with cleaning, but the DKMS module is not building:

Code: 
$> apt-get clean all
$> apt-get autoclean
$> apt-get update

$> apt-get install iptables-netflow-dkms
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  dkms libxtables-dev
Suggested packages:
  menu irqtop nfdump
The following NEW packages will be installed:
  dkms iptables-netflow-dkms libxtables-dev
0 upgraded, 3 newly installed, 0 to remove and 21 not upgraded.
Need to get 137 kB of archives.
After this operation, 544 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.us.debian.org/debian bookworm/main amd64 dkms all 3.0.10-8+deb12u1 [48.7 kB]
Get:2 http://ftp.us.debian.org/debian bookworm/main amd64 libxtables-dev amd64 1.8.9-2 [13.2 kB]
Get:3 http://ftp.us.debian.org/debian bookworm/main amd64 iptables-netflow-dkms amd64 2.6-4 [74.6 kB]
Fetched 137 kB in 1s (150 kB/s)                
Selecting previously unselected package dkms.
(Reading database ... 640356 files and directories currently installed.)
Preparing to unpack .../dkms_3.0.10-8+deb12u1_all.deb ...
Unpacking dkms (3.0.10-8+deb12u1) ...
Selecting previously unselected package libxtables-dev:amd64.
Preparing to unpack .../libxtables-dev_1.8.9-2_amd64.deb ...
Unpacking libxtables-dev:amd64 (1.8.9-2) ...
Selecting previously unselected package iptables-netflow-dkms.
Preparing to unpack .../iptables-netflow-dkms_2.6-4_amd64.deb ...
Unpacking iptables-netflow-dkms (2.6-4) ...
Setting up libxtables-dev:amd64 (1.8.9-2) ...
Setting up dkms (3.0.10-8+deb12u1) ...
Setting up iptables-netflow-dkms (2.6-4) ...
Loading new ipt-netflow-2.6 DKMS files...
Building for 6.2.16-8-pve
Building initial module for 6.2.16-8-pve
Error! Bad return status for module build on kernel: 6.2.16-8-pve (x86_64)
Consult /var/lib/dkms/ipt-netflow/2.6/build/make.log for more information.
dpkg: error processing package iptables-netflow-dkms (--configure):
 installed iptables-netflow-dkms package post-installation script subprocess returned error exit status 10
Processing triggers for man-db (2.11.2-2) ...
Errors were encountered while processing:
 iptables-netflow-dkms
E: Sub-process /usr/bin/dpkg returned an error code (1)

Code: 
$> cat /var/lib/dkms/ipt-netflow/2.6/build/make.log

DKMS make.log for ipt-netflow-2.6 for kernel 6.2.16-8-pve (x86_64)
Sun Sep 10 12:10:13 PM CEST 2023
./gen_compat_def > compat_def.h
Test symbol xt_family linux/netfilter_ipv4/ip_tables.h  declared
Test struct timeval linux/ktime.h  undeclared
Test struct proc_ops linux/proc_fs.h  declared
Test symbol synchronize_sched linux/rcupdate.h  undeclared
Test symbol nf_bridge_info_get linux/netfilter_bridge.h  declared
Test struct vlan_dev_priv linux/if_vlan.h  declared
Test member nf_ct_event_notifier.ct_event net/netfilter/nf_conntrack_ecache.h  declared
Compiling 2.6 for kernel 6.2.16-8-pve
make -C /lib/modules/6.2.16-8-pve/build M=/var/lib/dkms/ipt-netflow/2.6/build modules
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
make[1]: Entering directory '/usr/src/linux-headers-6.2.16-8-pve'
  CC [M]  /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.o
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: In function ‘nf_seq_show’:
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:60: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘s64’ {aka ‘long long int’} [-Wformat=]
  762 |                         seq_printf(seq, " Flows selected %lu, discarded %lu.",
      |                                                          ~~^
      |                                                            |
      |                                                            long unsigned int
      |                                                          %llu
  763 |                             atomic64_read(&flows_selected),
      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                             |
      |                             s64 {aka long long int}
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:762:75: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 4 has type ‘s64’ {aka ‘long long int’} [-Wformat=]
  762 |                         seq_printf(seq, " Flows selected %lu, discarded %lu.",
      |                                                                         ~~^
      |                                                                           |
      |                                                                           long unsigned int
      |                                                                         %llu
  763 |                             atomic64_read(&flows_selected),
  764 |                             atomic64_read(&flows_observed) - atomic64_read(&flows_selected));
      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                                            |
      |                                                            s64 {aka long long int}
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:766:60: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘s64’ {aka ‘long long int’} [-Wformat=]
  766 |                         seq_printf(seq, " Flows selected %lu.", atomic64_read(&flows_selected));
      |                                                          ~~^    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                                            |    |
      |                                                            |    s64 {aka long long int}
      |                                                            long unsigned int
      |                                                          %llu
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: In function ‘netflow_scan_and_export’:
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:4455:39: error: implicit declaration of function ‘prandom_u32_max’; did you mean ‘prandom_u32_state’? [-Werror=implicit-function-declaration]
 4455 |                                 val = prandom_u32_max(interval);
      |                                       ^~~~~~~~~~~~~~~
      |                                       prandom_u32_state
In file included from /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:79:
/var/lib/dkms/ipt-netflow/2.6/build/murmur3.h: In function ‘murmur3’:
/var/lib/dkms/ipt-netflow/2.6/build/murmur3.h:35:28: warning: this statement may fall through [-Wimplicit-fallthrough=]
   35 |                 case 3: k1 ^= tail[2] << 16; /* FALLTHROUGH */
      |                         ~~~^~~~~~~~~~~~~~~~
/var/lib/dkms/ipt-netflow/2.6/build/murmur3.h:36:17: note: here
   36 |                 case 2: k1 ^= tail[1] << 8;  /* FALLTHROUGH */
      |                 ^~~~
/var/lib/dkms/ipt-netflow/2.6/build/murmur3.h:36:28: warning: this statement may fall through [-Wimplicit-fallthrough=]
   36 |                 case 2: k1 ^= tail[1] << 8;  /* FALLTHROUGH */
      |                         ~~~^~~~~~~~~~~~~~~
/var/lib/dkms/ipt-netflow/2.6/build/murmur3.h:37:17: note: here
   37 |                 case 1: k1 ^= tail[0];
      |                 ^~~~
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c: In function ‘parse_sampler’:
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:2228:21: warning: this statement may fall through [-Wimplicit-fallthrough=]
 2228 |                 ret = -EINVAL;
/var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.c:2230:9: note: here
 2230 |         case '\0': /* empty */
      |         ^~~~
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:260: /var/lib/dkms/ipt-netflow/2.6/build/ipt_NETFLOW.o] Error 1
make[1]: *** [Makefile:2026: /var/lib/dkms/ipt-netflow/2.6/build] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-6.2.16-8-pve'
make: *** [Makefile:27: ipt_NETFLOW.ko] Error 2
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom