'cutter' utility doesn't work anymore because it depends on kernel module 'ip_conntrack' which is obsolete

Bug #240147 reported by fbraun on 2008-06-15
30
This bug affects 4 people
Affects Status Importance Assigned to Milestone
cutter (Ubuntu)
Low
Ralph Janke

Bug Description

Binary package hint: cutter

It appears, that cutter has some unresolved dependencies, that apt does *not* know about.
Using cutter after a normal installation leads to the following error message. Though I don't fully understand its meaning, I'm quite sure it is a compatibility problem worth fixing.

Console output of cutter:
$ cutter
usage: cutter ip [ port [ ip [ port ] ] ]
$ sudo cutter 172.16.3.104
openning /proc/net/ip_conntrack: No such file or directory

Best regards,
Frederik Braun

P.S.: It is stated in the man page, that cutter has been developed for and tested on ipcop and red hat linux - the author should be informed if we manage to get it working on ubuntu.

P.P.S.: Report based on Ubuntu 8.04 (hardy heron) and cutter 1.03

WORKAROUND: For Ubuntu versions up to the year 2010 with kernel versions below 3.5.x, this problem can be circumvented by either manually loading the kernel module "ip_conntrack" either with "sudo modprobe ip_conntrack" or by adding a line "ip_conntrack" to the /etc/modules file and reboot.

Ralph Janke (txwikinger) wrote :

I can confirm this problem. It occurs when the module ip_conntrack is not loaded into the kernel. "sudo modprobe ip_conntrack" does this. IN order to load this module at every boot time you can inlcude a line "ip_conntrack" into the file /etc/modules.

Changed in cutter:
status: New → Triaged
description: updated
Ralph Janke (txwikinger) wrote :

FIxing this problem by creating install script that will add ip_conntrack to the module list to be loaded by the kernel when the package is installed (and remove it when it is removed)

Changed in cutter:
assignee: nobody → txwikinger
status: Triaged → In Progress
Denis Kasak (denis-kasak) wrote :

What is the status on this bug? It's been some time since it was marked "In Progress". Also, the install script should also manually load the module after install so cutter can be used immediately (without a restart).

fbraun (fbraun) wrote :

this is in progress for far too long..
what's wrong?

Ralph Janke (txwikinger) on 2010-01-06
Changed in cutter (Ubuntu):
importance: Undecided → Low
Cd-MaN (x-at-y-or-z) wrote :

Problem still present in Ubuntu 10.10.

Cd-MaN (x-at-y-or-z) wrote :

This doesn't seem to work at all :(. Even after manually loading the ip_conntrack, it says "No matching connections found", even though a grep on /proc/net/ip_conntrack shows the targeted connection.

vishal17garg (vishal17garg) wrote :

hey all,

I am new and was working with the iptables and could not find the

/proc/net/ip_conntrack file

I did

user@my-pc $ sudo modprobe ip_conntrack

and the file was created.
thnx Ralph Janke

-vishal garg

fbraun (fbraun) on 2012-06-15
description: updated
Luke-Jr (luke-jr) wrote :

I'm having the same problem as Cd-MaN (x-at-y-or-z).

Axel Beckert (xtaran) on 2012-12-26
summary: - conntrack error prevents cutter from working
+ Kernel module ip_conntrack needed by cutter, but not loaded
+ automatically

Luke-Jr and Cd-MaN (x-at-y-or-z) : You are having a different issue, please report it as seperate bug. Your issue seems to be the same one as reported in Debian as bug no. 446343 (not providing the full URL to prevent Launchpad to add a tracker)

B Bobo (yout-bobo123) wrote :

Unfortunately, loading the module ip_conntrack will not work in recent 3.5.x and above kernels because this module is obsolete, and has been replaced by nf_conntrack which does not create /proc/net/ip_conntrack

Could I suggest making cutter use the "conntrack" tool which provides similar information to /proc/net/ip_conntrack?

summary: - Kernel module ip_conntrack needed by cutter, but not loaded
- automatically
+ Kernel module ip_conntrack needed by cutter, but module is not
+ autoloaded in old kernels and is obsolete in >=3.5.x kernels
B Bobo (yout-bobo123) on 2013-05-14
Changed in cutter (Ubuntu):
status: In Progress → Confirmed
Tankypon (tankypon) wrote :

I use Ubuntu 13.04 with Linux kernel 3.11 . Is a workaround exist?

B Bobo (yout-bobo123) on 2013-07-30
summary: - Kernel module ip_conntrack needed by cutter, but module is not
- autoloaded in old kernels and is obsolete in >=3.5.x kernels
+ 'cutter' utility doesn't work anymore because it depends on kernel
+ module 'ip_conntrack' which is obsolete
description: updated
Tankypon (tankypon) wrote :

I search on others community like Archlinux and Debian and I found a possible workaround. But for that, we need the file /proc/net/nf_conntrack! I don't have this file on my computer... Have you this file? Or how can I create a nf_conntrack file?

The workaround used on Archlinux and Debian is just this simple patch (in attachment)... But I believe Ubuntu doesn't create the nf_conntrack file..

From Archlinux:
   - Bug probably solved with Cutter 1.03-5: https://bugs.archlinux.org/task/29978
   - Changelog about Cutter 1.03-5 on Archlinux: https://projects.archlinux.org/svntogit/community.git/commit/trunk?h=packages/cutter&id=b80cc1c8c744f52f155adeae7a98c78c4d66ef5a

The attachment "Patch created by me with Cutter 1.03-5 from Archlinux" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Tankypon (tankypon) wrote :

Sorry for my previous patch, it will be not a patch until I'll have found how to create the nf_conntrack file..
For now, I made the second version of my patch. Now I respect the kernel before 3.5 (for example in Ubuntu LTS 12.04) or after 3.5 (Ubuntu 12.10/13.04).

Tankypon (tankypon) wrote :

Cf. Chapter 5 from this page: http://conntrack-tools.netfilter.org/manual.html
The command "conntrack -L > output" returns the same file which used in previous version of kernel ( <3.5)

Tankypon (tankypon) wrote :

I don't know exactly how this program runs but with my newer patch, I get all time this output from cutter: "No matching connections found"
But maybe that's normal because I'm not in the right condition to run the program!

Now we need a dependency: conntrack and we need to execute the program with root privilege to execute the command conntrack. Anyone can test it? And I don't know how to implement the condition "program executes in root privilege?" in a C program..

Tankypon (tankypon) wrote :
B Bobo (yout-bobo123) wrote :

Since 'cutter' is meant to be a sysadmin tool only, it should be run by root only and therefore does not need extra privileges.

Tankypon (tankypon) wrote :

So we don't have a lot of solutions:
(1) This package have a workaround to be used
(2) Remove this package from Ubuntu.. If it can't be used, anyone can use it! In addition, it exists an other software to do that cutter does, his name is tcpkill.

So anyone can test my patch on his server? I think cutter is only work on computer hosting connections between others computers (like server) but it's just my thought.

i tried your patch and i made sure the connection exists in the conntrack_output file
but just get:

conntrack v1.4.2 (conntrack-tools): 24 flow entries have been shown.
No matching connections found

Chris Lowth (chris-lowth) wrote :

A new version of "cutter" has been released today. It ..
* resolves the "no matching connection" issues on recent kernels
* provides more useful error messages when things dont work out
* improves reliability
You can download the source from www.digitage.co.uk/cutter

elgs (elgs1980) wrote :

Version 1.04 still doesn't work.

# ./cutter 10.0.0.100
openning ip_conntrack or nf_conntrack (is kernel module 'conntrack' loaded?): No such file or directory
root@install:~/cutter-1.04# modprobe ip_conntrack
root@install:~/cutter-1.04# modprobe nf_conntrack
root@install:~/cutter-1.04# ./cutter 10.0.0.100
openning ip_conntrack or nf_conntrack (is kernel module 'conntrack' loaded?): No such file or directory
root@install:~/cutter-1.04# ./cutter

cutter - TCP/IPv4 connection cutter for linux firewalls

Version : 1.04
Home page : http://www.digitage.co.uk/cutter

usage is: cutter ip [ port [ ip [ port ] ] ]

Tor Klingberg (tor-klingberg) wrote :

This still happens on Ubuntu 16.04 with Cutter 1.04. Has a broken package really been in the repos for nine years?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers