NetfilterQueue Implementation - networking

I am trying to use NetfilterQueue for my project. To begin with, I tried to run this code. You know the source.
from __future__ import print_function  # keeps this Python 2 sample runnable on Python 3 as well

from netfilterqueue import NetfilterQueue


def print_and_accept(pkt):
    # Called once per packet diverted by the NFQUEUE rule; a verdict is mandatory
    print(pkt)
    pkt.accept()


nfqueue = NetfilterQueue()
nfqueue.bind(1, print_and_accept)  # queue number must match --queue-num in the iptables rule
try:
    nfqueue.run()
except KeyboardInterrupt:
    print()
finally:
    nfqueue.unbind()  # release the queue so a later run can create it again
I passed it the packets filtered by the following rule:
sudo iptables -I INPUT -s iitp.ac.in -j NFQUEUE --queue-num 1
I got the following error:
Traceback (most recent call last):
  File "pkt_desc_1.py", line 8, in <module>
    if nfqueue.bind(0, print_and_accept) < 0:
  File "netfilterqueue.pyx", line 144, in netfilterqueue.NetfilterQueue.bind (netfilterqueue.c:2665)
OSError: Failed to create queue 1.
Can anybody help?
I am new to the topic, so please don't mind.

Identify the process number (type):
ps aux | grep python
It will show the Python processes:
root 1633 0.0 0.4 16664 8680 pts/1 T 13:03 0:00 python netfilter.py
root 1687 0.0 0.0 6136 956 pts/0 S+ 13:12 0:00 grep python
Use kill on that process (type):
kill -9 1633
Hope this helps =D

Related

What does ps auwx | grep nginx mean?

I got the output below, but I want to know what ps auwx does:
root 2257 0.0 0.0 159532 1628 ? Ss 06:07 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 2258 0.0 0.1 159864 3380 ? S 06:07 0:00 nginx: worker process
root 2280 0.0 0.0 12780 952 pts/0 S+ 06:08 0:00 grep nginx
As with all things Linux/Unix, the man pages are your friend: man ps, man grep.
auwx are BSD-style parameters (note the lack of a -), and the manual states that these letters represent the following options:
a: lift the 'only yourself' restriction -> list all processes with a terminal.
u: 'user format' -> provides additional information columns.
w: wide output -> for when you have a screen wide enough to show all the info.
x: lift the 'must have terminal' restriction -> a+x == list everything.
The output is then piped through to grep, which filters it and displays any lines with nginx in them.

python script with zabbix causing setroubleshootd high CPU usage

I'm leveraging Zabbix with a custom low-level discovery that discovers a REST/API endpoint using Python. When the polling is on, the CPU utilization goes through the roof. All the CPU usage is caused by setroubleshootd, as shown in top:
top - 13:51:56 up 15:33, 1 user, load average: 1.52, 1.43, 1.37
Tasks: 127 total, 3 running, 124 sleeping, 0 stopped, 0 zombie
%Cpu(s): 35.8 us, 6.7 sy, 0.0 ni, 57.3 id, 0.1 wa, 0.0 hi, 0.2 si, 0.0 st
KiB Mem : 8010508 total, 6211020 free, 397104 used, 1402384 buff/cache
KiB Swap: 1679356 total, 1679356 free, 0 used. 6852016 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7986 setroub+ 20 0 424072 130856 11548 R 77.4 1.6 7:12.16
Zabbix calls the agent and requests it to execute a "UserParameter", which is shorthand for a script. That script is a bash file that calls my Python script, and the call looks like this:
#!/usr/bin/env bash
# Positional parameters are quoted so an argument containing spaces is passed intact
/usr/bin/python /etc/zabbix/externalscripts/discovery.py "$1" "$2" "$3" "$4" "$5"
When Zabbix calls the script, it passes the unique filters, like a server ID or network card ID, as one of the arguments. The Python script opens an HTTPS session using requests, leveraging a bearer token if the token file exists. If the token file doesn't exist, it creates it.
The script works fine and does everything it is supposed to, but setroubleshoot is reporting a slew of issues, specifically around file/folder access. The huge number of setroubleshootd responses is causing the CPU to go nuts. Here is an example of the error:
python: SELinux is preventing /usr/bin/python2.7 from create access on the file 7WMXFl.
The file name is random and changes with every execution. I've tried adding an exception using the SELinux tools, such as:
ausearch -c 'python' --raw | audit2allow -M my-python
But since the file name is random, the errors persist. I've tried uninstalling setroubleshootd; SELinux just reinstalls it. Unfortunately, I need to run in enforcing mode, so dropping to permissive or disabling are not options.
I've tried changing it so that I'm not running a bash script and Zabbix calls the Python script directly, or declaring the shebang /usr/bin/python, but passing arguments doesn't seem to work properly. I get an error stating that $1 $2... are unknown arguments.
I'm at a loss at this point. It is running, but I'd really like to get the CPU usage down, as 60% of 4 cores is unreasonable for 30-40 HTTPS calls.
I ended up writing an SEModule for this that allows the zabbix user write access to the /tmp folder where these files are being created and managed. CPU usage dropped from 75% to 2%. #NailedIt
$ sudo ausearch -m avc | grep zabbix | grep denied | audit2allow -m zabbixallow > my_script.te
$ checkmodule -M -m -o zabbixallow.mod my_script.te
$ semodule_package -o zabbixallow.pp -m zabbixallow.mod
$ sudo semodule -i zabbixallow.pp
Hopefully this helps someone else if they run across this issue.
External scripts will have to complete within your timeout value; this sounds like it's too big for that. You could convert it to zabbix_sender and schedule it via cron. Then it's just a script with performance problems.
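An added example, not from either answer above: a summarizer that does what audit2allow does with the AVC records before turning them into a module, so you can read what a generated policy would grant before running semodule -i. SELinux rules key on the source type, target type, object class and permission set; the random file name in the setroubleshoot message is not part of the rule at all, which is why a per-file exception can never catch up and why one rule for the Zabbix domain on tmp_t files stops the flood. The log lines are constructed for this demo (the domain name zabbix_agent_t and the port type are assumptions; a real box will show whatever its policy uses). On a live system, feed it `ausearch -m avc -ts recent` instead of sample_avc, and remember that the resulting rule covers every file labeled tmp_t, not just the ones this script creates, so review the .te before installing it.

```shell
#!/bin/sh
# Added example (not from the original posts): group AVC denials into the
# allow rules audit2allow would emit, with a count per rule.
# sample_avc is constructed input standing in for `ausearch -m avc` output.

sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1519920001.101:3401): avc:  denied  { create } for  pid=7986 comm="python" name="7WMXFl" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1519920002.202:3402): avc:  denied  { create } for  pid=7990 comm="python" name="kQ2ZpA" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1519920002.250:3403): avc:  denied  { write open } for  pid=7990 comm="python" path="/tmp/kQ2ZpA" dev="dm-0" ino=1234 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1519920003.303:3404): avc:  denied  { name_connect } for  pid=7990 comm="python" dest=443 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Reads AVC lines on stdin; prints one allow rule per (source type, target
# type, class) with the union of denied permissions and how many records
# collapsed into it. The file name never enters the key.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)       # keep text after "{ "
        sub(/ *[}].*/, "", perms)               # drop " }" and the rest
        st = tt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); st = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tt = t[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        key = st " " tt ":" cls
        count[key]++
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (index(" " permset[key] " ", " " p[i] " ") == 0)
                permset[key] = (permset[key] == "" ? p[i] : permset[key] " " p[i])
    }
    END {
        for (k in count)
            printf "allow %s { %s };  # %d denial(s)\n", k, permset[k], count[k]
    }' | sort
}

# First rule of the summary for the constructed log (used as a quick check).
first_rule() {
    sample_avc | summarize_avc | head -n 1
}

sample_avc | summarize_avc
```

Two lines come out for the four records: the three file denials with random names collapse into a single `allow zabbix_agent_t tmp_t:file { create write open };`, and the network denial gets its own rule, which is exactly the shape the checkmodule/semodule_package steps above package up.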

ps aux | grep between two similar processes

I have written a script which checks whether a process is running or not. If not, it starts the process.
Let's say I have a few processes running like this:
root 5780 0.0 2.2 3168184 85828 ? Sl 09:02 0:15 /usr/bin/java -jar /home/vtermina/private/crons/jar/consumer-1.0.jar promotionalSecond
root 5780 0.0 2.2 3168184 85828 ? Sl 09:02 0:15 /usr/bin/java -jar /home/vtermina/private/crons/jar/consumer-1.0.jar promotionalSecond backup
root 8989 0.0 1.4 2966364 57540 ? Sl 09:04 0:07 /usr/bin/java -jar /home/vtermina/private/crons/jar/update-report-1.0.jar Rb1 backup
So I use the following command to check if a process is running or not:
ps uax|grep -w "consumer-1.0.jar promotionalSecond" |grep -v grep|wc -l
This command returns one if it finds a process running.
It was working fine until recently, when I started using some backup consumers as well.
Now if a backup consumer is running, this command returns 1 even if the consumer is not running.
How can I grep for exact words in ps aux,
so that my command gives the correct result?
Doing some research, I got the answer. Using "$" in the search term does what is required. $ tells that the search term ends there.
For example, if I want to check only promotionalSecond and not backup, the following command works perfectly.
ps uax|grep -w "consumer-1.0.jar promotionalSecond$" |grep -v grep|wc -l
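An added example, not from the original posts, covering both the "ps aux | grep python, then kill" answer in the NetfilterQueue thread and the exact-match question just above: the loose `grep -w ... | grep -v grep | wc -l` check next to a literal, anchored check over the same process list. The list is a constructed copy of the lines from the question plus the grep process itself. The difference matters for a watchdog that restarts a service when it sees a count of zero: the loose form is satisfied by any process whose arguments merely contain the string (the backup consumer, or a decoy `sleep 1000 consumer-1.0.jar promotionalSecond` started by anyone on the box), so the real consumer can be down while the check says it is up. On a live system you would feed `ps -eo pid,args` in instead of sample_ps, or simply use `pgrep -fx '<regex for the full command line>'` from procps, where -x with -f requires the pattern to match the entire command line. Incidentally, the stale netfilter.py in the first thread is listed in state T (stopped), i.e. a suspended process that still holds queue 1, which is why killing it is what frees the queue.

```shell
#!/bin/sh
# Added example (not from the original posts): loose versus exact process
# matching. sample_ps is constructed `ps aux` output for offline use.

sample_ps() {
    cat <<'EOF'
root 5780 0.0 2.2 3168184 85828 ? Sl 09:02 0:15 /usr/bin/java -jar /home/vtermina/private/crons/jar/consumer-1.0.jar promotionalSecond
root 5781 0.0 2.2 3168184 85828 ? Sl 09:02 0:15 /usr/bin/java -jar /home/vtermina/private/crons/jar/consumer-1.0.jar promotionalSecond backup
root 8989 0.0 1.4 2966364 57540 ? Sl 09:04 0:07 /usr/bin/java -jar /home/vtermina/private/crons/jar/update-report-1.0.jar Rb1 backup
root 9001 0.0 0.0 6136 956 pts/0 S+ 09:05 0:00 grep -w consumer-1.0.jar promotionalSecond
EOF
}

# The check from the question: substring match anywhere on the line.
# "promotionalSecond backup" also matches, so this over-counts.
count_loose() {             # $1 = grep pattern
    sample_ps | grep -w -- "$1" | grep -v grep | wc -l | tr -d ' '
}

# Exact check: rebuild the command column (fields 11.. of `ps aux`), then
# require the known launcher prefix and "/<jar> <arg>" as the literal tail
# of the command line. No regex, so the dots in the jar name are not
# wildcards; the grep process is excluded without `grep -v grep`; and a
# process that only mentions the string in its arguments is not counted.
count_exact() {             # $1 = jar file name, $2 = final argument
    sample_ps | awk -v jar="$1" -v arg="$2" '
        {
            cmd = $11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            tail = "/" jar " " arg
            if (index(cmd, "/usr/bin/java -jar /") == 1 &&
                substr(cmd, length(cmd) - length(tail) + 1) == tail) n++
        }
        END { print n + 0 }'
}

echo "loose: $(count_loose 'consumer-1.0.jar promotionalSecond')"
echo "exact: $(count_exact consumer-1.0.jar promotionalSecond)"
```

The loose count is 2 (the primary and the backup consumer), the exact count is 1, and asking for the backup explicitly (`count_exact consumer-1.0.jar 'promotionalSecond backup'`) is also 1, so each watchdog sees only its own process.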

Grabbing .jar application output stream to console after console was closed and new one opened on Oracle Solaris 11

On an Oracle Solaris 11 console, when the ps -ef | grep java command is issued, I can see the PID of a running Java process which was started in another console window that was then closed (the .jar application output was visible there). Is there some way to grab that application output again without restarting the .jar file?
The application was started like this (as the root user):
java -jar SomeFile.jar &
Writing the output to a file is not an option in this case.
Yes, you can do that, but it involves some mad skills with gdb. Here is how to do it on Linux, and I believe you can do the same on Solaris (since it has gdb and all the system calls I'm going to use further on).
There are 3 file descriptors for standard streams:
stdin: 0
stdout: 1
stderr: 2
You are interested in stdout and stderr (both are console output), so you need file descriptors 1 and 2; just keep that in mind.
Now I'm going to show you how to do what you ask for the "okular" application (instead of your "java" application) for the stderr stream.
Run "okular" in a terminal, like this:
$ okular &
and then close this terminal. This is just to simulate your situation.
Open another terminal.
Look for the "okular" process:
$ ps aux | grep okular
Output:
joe 27599 2.2 0.9 515644 73944 ? S 23:46 0:00 okular
So the "okular" PID is 27599.
Look for the open file descriptors of the "okular" process:
$ ls -l /proc/27599/fd
Output:
lrwx------ 1 joe joe 64 Feb 18 23:46 0 -> /dev/pts/0 (deleted)
lrwx------ 1 joe joe 64 Feb 18 23:46 1 -> /dev/pts/0 (deleted)
lrwx------ 1 joe joe 64 Feb 18 23:46 2 -> /dev/pts/0 (deleted)
You see that all 3 streams are deleted.
Now let's attach to our process with gdb:
$ gdb -p 27599 /usr/bin/okular
Inside gdb, perform the following operations:
(gdb) p close(2)
(gdb) p creat("/tmp/okular_2", 0600)
(gdb) detach
(gdb) quit
Here we invoked 2 system calls:
close(), to close the file for the stderr stream of our process
creat(), to create a new file for the stderr stream of our process
p is a gdb command; it prints (in our case) the system calls' return values.
Now all new stderr output of our process will be appended to the text file /tmp/okular_2. We can read it continuously this way:
$ tail -f /tmp/okular_2
Conclusion
OK, that's it, we revived the stderr stream. You can do the same for the stdout stream; the only difference is that you need to call "close(1)" instead of "close(2)" in gdb. Also, in your case, be sure to replace all "okular" words with your "java" word.
Most of this answer was inspired by this article.
If you need to revive the stdin stream, you can attach it to a pipe (FIFO) file; see details here.
Yes, it is possible to snoop on any process output with Solaris native tools.
One way would be using dtrace, which allows tracing processes even when they are already grabbed by a debugger or similar tool.
This dtrace script will display a given process's stdout:
#!/bin/ksh
pid=$1
dtrace -qn "syscall::write:entry /pid == $pid && arg0 == 1 /
{ printf(\"%s\",copyinstr(arg1)); }"
You should pass the process id of the java application to trace as its first argument, e.g. $(pgrep -f "java -jar SomeFile.jar").
Replace arg0 == 1 with arg0 == 2 if you want to trace stderr vs stdin.
Should you want to see non-displayable characters (in octal), you might use this slightly modified version:
#!/bin/ksh
pid=$1
dtrace -qn "syscall::write:entry /pid == $pid && arg0 == 1 /
{ printf(\"%s\",copyinstr(arg1)); }" | od -c
Another native way is to use the truss command. The following will show all writes from your process to any file descriptor, and will include a full detailed trace for both stdout and stderr (3799 is your target process pid):
truss -w1,2 -t write -p 3799
dtrace:
http://docs.oracle.com/cd/E18752_01/html/819-5488/gcgkk.html
truss:
http://docs.oracle.com/cd/E36784_01/html/E36870/truss-1.html#scrolltoc
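An added example, not from either answer above: the Linux-side checks behind the gdb recipe, as a script. list_deleted_fds prints every descriptor of a PID whose target has gone away (the "(deleted)" suffix in /proc/PID/fd), which is how you confirm the process is still writing to a vanished pty before you swap the descriptor. revive_fd runs the close()/creat() pair non-interactively; the casts stop newer gdb versions from refusing to call functions whose return type it cannot see. Note what this needs: gdb and ptrace rights on the target (root, or the same uid with kernel.yama.ptrace_scope permitting it). That is also the security caveat: anyone who can ptrace a process can redirect its output the same way, so ptrace_scope and who can attach to your daemons matter. The self-check at the end exercises only the /proc part, with a deleted regular file standing in for the deleted pty. It is Linux-only; Solaris has no /proc/PID/fd symlinks (pfiles PID is the equivalent there).

```shell
#!/bin/sh
# Added example (not from the original answers): find dangling descriptors
# and redirect one with gdb in batch mode.

list_deleted_fds() {        # $1 = pid; prints "<fd> <target>" per dangling fd
    [ -d "/proc/$1/fd" ] || return 1
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            *'(deleted)') printf '%s %s\n' "${link##*/}" "$target" ;;
        esac
    done
}

# Same steps as the interactive gdb session above, but non-interactive.
# Requires gdb and permission to ptrace the target; not run by self_check.
revive_fd() {               # $1 = pid, $2 = fd to redirect (1 or 2), $3 = new file
    gdb -batch -p "$1" \
        -ex "call (int)close($2)" \
        -ex "call (int)creat(\"$3\", 0600)"
}

# Opens fd 7 on a temp file in this shell, unlinks the file, and succeeds
# only if fd 7 is then reported as dangling for this shell's own pid.
self_check() {
    tmp=$(mktemp) || return 1
    exec 7>"$tmp"
    rm -f "$tmp"
    list_deleted_fds $$ | grep -q '^7 '
    status=$?
    exec 7>&-
    return $status
}

self_check && echo "fd 7 detected as deleted"
```

Typical use on a real target is `list_deleted_fds 27599` to see the three "(deleted)" pty links from the answer, then `revive_fd 27599 2 /tmp/okular_2` and `tail -f /tmp/okular_2`.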

Serial interface permanently denies requests

My actual problem is that every time I want to access my serial interface (Arduino), the system returns Permission denied.
root#laptop:/home/user #> cu -l /dev/ttyACM0 -s 115200
/usr/bin/cu: open (/dev/ttyACM0): Permission denied
/usr/bin/cu: /dev/ttyACM0: Line in Use
root#laptop:/home/user #> ls -la /dev/ttyACM*
crw-rw---- 1 root dialout 166, 0 Mär 14 10:37 /dev/ttyACM0
crw-rw---- 1 root dialout 166, 0 Mär 14 10:37 /dev/ttyACM1
crw-rw---- 1 root dialout 166, 0 Mär 14 10:37 /dev/ttyACM2
crw-rw---- 1 root dialout 166, 0 Mär 14 10:37 /dev/ttyACM3
Where else could I look for the reason for this error?
Thanks for any advice!
I have never used Arduino, so I'll suppose your method is right. The first thing I would try is sudoing the first command:
sudo cu -l /dev/ttyACM0 -s 115200
But, since the second message is Line in Use, it might also be that /dev/ttyACM0 is actually already taken/locked. In other words, is there any process using the port? I can't test it on a serial port, but I'd try piping the output of the list-open-files command to the grep command:
lsof | grep ACM
It should list the process identifier of the process which has locked the port. Then you can use the kill command to stop that process:
kill <PID_FROM_OUTPUT_OF_UPPER_COMMAND>
To verify that you successfully stopped the process, you can pipe the output of the list-all-active-processes command to the grep command:
ps x | grep <PID_FROM_OUTPUT_OF_UPPER_COMMAND>
which should return no output if the process was successfully stopped. If not, it will output that line, so you can try with the -9 flag like this:
kill -9 <PID_FROM_OUTPUT_OF_UPPER_COMMAND>
and it will eventually stop.
Without testing, I'm not sure whether the lsof command written in its current form will list the taken tty devices. If not, there must be some flag combination which will list them, since everything in Unix is a file.
So the principle must be valid: find out which process is using the device and stop it (the ps and kill commands will work once you have the right process identifier).
If none of the above is the case, then probably your method is wrong. In that case, I'd start by carefully rereading the Arduino documentation :)
As HappyHacking mentioned, you need to execute the following command:
sudo adduser [user] dialout
Then log out of the user and log back in.
I created a new file in /etc/udev/rules.d/51-arduino.rule with the following content:
SUBSYSTEMS=="usb", KERNEL=="ttyACM0", ATTRS{idVendor}=="2341", ATTRS{idProduct}=="0043", GROUP="dialout", MODE="0666"
Be careful to set idVendor and idProduct properly. After a reboot the device privileges are set.
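An added example, not from any of the answers above: a diagnostic that walks the three causes the thread discusses in order (the caller is not in the device's group, another process holds the line, a stale lock file is making cu report "Line in Use"). Assumptions: Linux with GNU stat, fuser from psmisc if installed, and cu's UUCP-style lock file at /var/lock/LCK..<device> containing an ASCII PID. user_in_group and lock_state are written to be testable on constructed input; tty_report is the wrapper you would run as `./tty-check.sh /dev/ttyACM0`. One caveat on the last answer: MODE="0666" makes the port readable and writable by every local account; MODE="0660" with GROUP="dialout" gives members the same access and everyone else none, which is the least-privilege form of that rule.

```shell
#!/bin/sh
# Added example (not from the original answers): why can't I open this tty?

# Is user $1 in group $2?  Accepts names or numeric ids (id -nG / id -G).
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null) $(id -G "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Prints "none" (no lock file), "held by <pid>" (owner alive) or "stale".
# Assumes the Taylor UUCP convention cu uses: the lock holds an ASCII PID.
lock_state() {              # $1 = lock file path
    [ -f "$1" ] || { echo none; return 0; }
    pid=$(tr -dc '0-9' < "$1")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "held by $pid"
    else
        echo stale
    fi
}

tty_report() {              # $1 = device, e.g. /dev/ttyACM0
    dev=$1
    [ -e "$dev" ] || { echo "$dev: no such device"; return 1; }
    grp=$(stat -c %G "$dev")
    printf '%s: owner %s group %s mode %s\n' \
        "$dev" "$(stat -c %U "$dev")" "$grp" "$(stat -c %a "$dev")"
    me=$(id -un)
    if user_in_group "$me" "$grp"; then
        echo "$me is in group $grp (a fresh login is needed if it was just added)"
    else
        echo "$me is NOT in group $grp: sudo adduser $me $grp, then log out and in"
    fi
    # Processes with the device open (what the lsof answer above is after).
    if command -v fuser >/dev/null 2>&1; then
        echo "processes holding $dev: $(fuser "$dev" 2>/dev/null || echo none)"
    fi
    lock=/var/lock/LCK..${dev##*/}
    echo "lock $lock: $(lock_state "$lock")"
}

if [ -n "${1-}" ]; then
    tty_report "$1"
fi
```

A stale lock (the PID inside no longer exists) is the one case the thread's "find the process and kill it" advice cannot reach: there is no process left, and the fix is to remove the lock file, which is why lock_state reports it separately.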
