Cannot remove shorewall modules

ertank · August 22, 2020, 11:05am

NethServer Version: NethServer 7.8.2003
Module: Shorewall

Hello,

I wanted to remove following modules in order to have 3CX connections working.
nf_nat_sip
nf_conntrack_sip

I did add these in relevant configuration files. Rebooted my system and when I check they still seem to be loaded as can be seen below:

[root@neth ~]# cat /etc/e-smith/templates/etc/shorewall/shorewall.conf/60options|grep DONT
DONT_LOAD=nf_nat_sip,nf_conntrack_sip

[root@neth ~]# cat /etc/shorewall/shorewall.conf|grep DONT
DONT_LOAD=nf_nat_sip,nf_conntrack_sip

[root@neth ~]# lsmod|grep nf_nat_sip
nf_nat_sip             17191  0 
nf_conntrack_sip       33780  1 nf_nat_sip
nf_nat                 26583  11 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack          139264  29 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_nat,xt_state,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp

[root@neth ~]# lsmod|grep nf_conntrack_sip
nf_conntrack_sip       33780  1 nf_nat_sip
nf_conntrack          139264  29 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_nat,xt_state,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
[root@neth ~]#

I did not understand why, but it is possible I missed something obvious and wanted to ask in here.

Any help is appreciated.

Thanks & Regards,
Ertan

ertank · August 22, 2020, 1:51pm

I have to be wrong as following command tells otherwise:

[root@neth ~]# rmmod nf_sip_nat
rmmod: ERROR: Module nf_sip_nat is not currently loaded

It seems system reports modules but not all of them are actually loaded. However, manual page of lsmod says it lists loaded modules:

DESCRIPTION
       lsmod is a trivial program which nicely formats the contents of the /proc/modules, showing what kernel modules are currently loaded.

That confused me a lot.

mrmarkuz · August 23, 2020, 10:02am

The correct module name is “nf_nat_sip”, not “nf_sip_nat”.

ertank · August 23, 2020, 10:54am

Right, my mistake. Sorry about that.

However, problem seems to be existing. Module is loaded at boot time even if it is put in DONT_LOAD section of relevant configuration files. It is actually un-loaded if I manually issue “rmmod”.

[root@neth ~]# cat /etc/e-smith/templates/etc/shorewall/shorewall.conf/60options|grep DONT
DONT_LOAD=nf_nat_sip,nf_conntrack_sip

[root@neth ~]# cat /etc/shorewall/shorewall.conf|grep DONT
DONT_LOAD=nf_nat_sip,nf_conntrack_sip

[root@neth ~]# lsmod|grep nf_nat_sip
nf_nat_sip             17191  0 
nf_conntrack_sip       33780  1 nf_nat_sip
nf_nat                 26583  11 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack          139264  29 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_nat,xt_state,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp

[root@neth ~]# rmmod nf_nat_sip

[root@neth ~]# rmmod nf_conntrack_sip

[root@neth ~]# lsmod|grep nf_nat_sip

[root@neth ~]# lsmod|grep nf_conntract_sip

mrmarkuz · August 23, 2020, 12:17pm

Editing /etc/shorewall/capabilities and changing

SIP_HELPER=Yes

to

SIP_HELPER=

helped in my tests.
After restarting shorewall the modules are not loaded anymore.

ertank · August 23, 2020, 9:31pm

That did not help me. Test I am doing is a complete reboot of the system. DONT_LOAD sections still exists in relevant files.

[root@neth ~]# cat /etc/shorewall/capabilities |grep SIP
SIP0_HELPER=
SIP_HELPER=
[root@neth ~]# lsmod|grep nf_nat_sip
nf_nat_sip             17191  0 
nf_conntrack_sip       33780  1 nf_nat_sip
nf_nat                 26583  11 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack          139264  29 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_nat,xt_state,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
[root@neth ~]#

mrmarkuz · August 23, 2020, 10:09pm

I blacklisted the modules too, maybe that did the trick:

I commented out the modules in /etc/e-smith/templates/etc/shorewall/helpers/20helpers too.

#loadmodule nf_conntrack_sip         sip_direct_media=0
...
#loadmodule nf_nat_sip

ertank · August 24, 2020, 11:36am

Interesting, none of them seems to be working on my system. I wonder what is the difference. I know that system is up to date as of two days ago in terms of application updates.

[root@neth ~]# cat /etc/shorewall/shorewall.conf |grep DONT
DONT_LOAD=nf_nat_sip,nf_conntrack_sip
[root@neth ~]# cat /etc/e-smith/templates/etc/shorewall/shorewall.conf/60options|grep DONT
DONT_LOAD=nf_nat_sip,nf_conntrack_sip
[root@neth ~]# cat /etc/shorewall/capabilities |grep SIP
SIP0_HELPER=
SIP_HELPER=
[root@neth ~]# cat /etc/shorewall/conntrack |grep SIP
#?if __SIP_HELPER // Here all three lines are commented, I don't know how to grep them all
[root@neth ~]# cat /etc/modprobe.d/blacklist.conf 
blacklist nf_nat_sip,nf_conntrack_sip  // Keeping just nf_conntrack_sip is not helping, too

mrmarkuz · August 24, 2020, 12:35pm

IIRC you need a separate blacklist line for each module like

blacklist module1
blacklist module2

stephdl · November 5, 2020, 3:53pm

I wonder if you need also to remove the alias of kernel module : nf_conntrack_sip, nf_nat_sip
alias: ip_conntrack_sip
alias: ip_nat_sip

root@ns7loc15 ~]# modinfo nf_conntrack_sip
filename:       /lib/modules/3.10.0-1127.18.2.el7.x86_64/kernel/net/netfilter/nf_conntrack_sip.ko.xz
alias:          nfct-helper-sip
alias:          ip_conntrack_sip
description:    SIP connection tracking helper
author:         Christian Hentschel <chentschel@arnet.com.ar>
license:        GPL
retpoline:      Y
rhelversion:    7.8
srcversion:     55190A00B759A250C9631DB
depends:        nf_conntrack
intree:         Y
vermagic:       3.10.0-1127.18.2.el7.x86_64 SMP mod_unload modversions 
signer:         CentOS Linux kernel signing key
sig_key:        C6:5D:F3:F8:0C:5C:C3:53:A7:25:6E:1F:8E:44:52:89:1E:D8:9C:FE
sig_hashalgo:   sha256
parm:           ports:port numbers of SIP servers (array of ushort)
parm:           sip_timeout:timeout for the master SIP session (uint)
parm:           sip_direct_signalling:expect incoming calls from registrar only (default 1) (int)
parm:           sip_direct_media:Expect Media streams between signalling endpoints only (default 1) (int)

[root@ns7loc15 ~]# modinfo nf_nat_sip
filename:       /lib/modules/3.10.0-1127.18.2.el7.x86_64/kernel/net/netfilter/nf_nat_sip.ko.xz
alias:          ip_nat_sip
description:    SIP NAT helper
author:         Christian Hentschel <chentschel@arnet.com.ar>
license:        GPL
retpoline:      Y
rhelversion:    7.8
srcversion:     42E5288B3BB05DA394CEC7A
depends:        nf_conntrack,nf_conntrack_sip,nf_nat
intree:         Y
vermagic:       3.10.0-1127.18.2.el7.x86_64 SMP mod_unload modversions 
signer:         CentOS Linux kernel signing key
sig_key:        C6:5D:F3:F8:0C:5C:C3:53:A7:25:6E:1F:8E:44:52:89:1E:D8:9C:FE
sig_hashalgo:   sha256

stephdl · November 5, 2020, 4:11pm

we have in development a feature related to this

ertank · November 5, 2020, 8:50pm

How can I do that? I will not be able to test it soon. But, I am going to as soon as possible.

ertank · November 5, 2020, 8:51pm

Is there an estimate date to expect it as an option in web GUI?

stephdl · November 5, 2020, 9:04pm

We need tests, no ETA, but you can install the last two rpms of the GH pull request, then go to the settings page of the firewall application

ertank · November 9, 2020, 1:28pm

Which file I need to modify to do that?

stephdl · November 9, 2020, 2:31pm

we have two rpm in nethserver-testing

you need to take care to remove your customizations, then go to the setting page of the firewall

ertank · November 9, 2020, 2:38pm

I am still a newbie to NethServer.
I am not sure how I can switch to testing branch or how to download and install relevant package.

There are several port forwarding rules and that’s all about it. If that is customization then I can do them again.

stephdl · November 9, 2020, 2:40pm

about customization I meant about how you removed the nf_conntrack_sip kernel module, not the tcp or service rules

either wait some time (we are on QA stage) or

yum install nethserver-firewall-base nethserver-firewall-base-ui --enablerepo=nethserver-testing

ertank · November 9, 2020, 2:43pm

I have upgraded NethServer last Friday (I wish I didn’t).
Now 3CX cannot connect to SIP trunk.
I am sure that SIP modules are not loaded in kernel but yet problem remains.

I would like to give it a go to see if it will be of any help.

stephdl · November 9, 2020, 2:45pm

lsmod | grep sip
lsmod | grep H323