* iptables nftables compat weirdness
@ 2015-06-09 11:16 Andreas Schultz
From: Andreas Schultz @ 2015-06-09 11:16 UTC (permalink / raw)
To: netfilter-devel
Hi,
While testing iptables-compat, I've come across some weird behavior:
# iptables-compat -t mangle -N TEST
# iptables-compat -t mangle -A PREROUTING -j TEST
This works nicely, but when we put something in the TEST chain:
# iptables-compat -t mangle -A TEST -j MARK --set-mark 0x80000000/0x80000000
# iptables-compat -t mangle -A PREROUTING -j TEST
iptables-compat: Invalid argument. Run `dmesg' for more information.
dmesg does not contain any information.
The same problem exists for all default chains in mangle, filter and nat.
Kernel is: 4.1-rc5
iptables: git://git.netfilter.org/iptables, branch master, commit 0bb1859e2d6dd79a0a59c3ee65f6a78cba118b86
nftables: git://git.netfilter.org/nftables, branch next-4.1, commit a93bc1795b272174a10d90961a248f2c620bfa2c
Any ideas?
Regards
Andreas
--
Andreas Schultz
* Re: iptables nftables compat weirdness
From: Pablo Neira Ayuso @ 2015-06-16 16:07 UTC (permalink / raw)
To: Andreas Schultz; +Cc: netfilter-devel
On Tue, Jun 09, 2015 at 11:16:30AM +0000, Andreas Schultz wrote:
> Hi,
>
> While testing iptables-compat, I've come across some weird behavior:
>
> # iptables-compat -t mangle -N TEST
> # iptables-compat -t mangle -A PREROUTING -j TEST
>
> This works nicely, but when we put something in the TEST chain:
>
> # iptables-compat -t mangle -A TEST -j MARK --set-mark 0x80000000/0x80000000
> # iptables-compat -t mangle -A PREROUTING -j TEST
> iptables-compat: Invalid argument. Run `dmesg' for more information.
>
> dmesg does not contain any information.
>
> The same problem exists for all default chains in mangle, filter and nat.
>
> Kernel is: 4.1-rc5
> iptables: git://git.netfilter.org/iptables, branch master, commit 0bb1859e2d6dd79a0a59c3ee65f6a78cba118b86
> nftables: git://git.netfilter.org/nftables, branch next-4.1, commit a93bc1795b272174a10d90961a248f2c620bfa2c
Given that the pernet netfilter hooks are on their way to reach
mainstream (Eric Biederman is working on that),
could you help me diagnose this problem? The nf_tables kernel side
is rejecting this with -EINVAL. Is this a new bug in the 4.1-rc
series?
Thank you.
* Re: iptables nftables compat weirdness
From: Andreas Schultz @ 2015-06-17 10:19 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Hi,
----- Original Message -----
> From: "Pablo Neira Ayuso" <pablo@netfilter.org>
> To: "Andreas Schultz" <aschultz@tpip.net>
> Cc: netfilter-devel@vger.kernel.org
> Sent: Tuesday, June 16, 2015 6:07:25 PM
> Subject: Re: iptables nftables compat weirdness
[...]
> Could you help me diagnose this problem? The nf_tables kernel side
> is rejecting this with -EINVAL. Is this a new bug in the 4.1-rc
> series?
I've only worked with this on 4.1-rc5. I'm currently rebuilding the
system for testing with 3.19 and 4.0, but this will take some time.
I did inject some debug printks and was able to track the -EINVAL
to nft_target_validate. It seems that this validate is only
executed when the target chain contains some rules. The validation
is not executed when the target chain is empty.
>
> Thank you.
Andreas
* Re: iptables nftables compat weirdness
From: Andreas Schultz @ 2015-06-17 10:28 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
----- Original Message -----
> From: "Andreas Schultz" <aschultz@tpip.net>
> To: "Pablo Neira Ayuso" <pablo@netfilter.org>
> Cc: netfilter-devel@vger.kernel.org
> Sent: Wednesday, June 17, 2015 12:19:15 PM
> Subject: Re: iptables nftables compat weirdness
> Hi,
>
> ----- Original Message -----
>> From: "Pablo Neira Ayuso" <pablo@netfilter.org>
>> To: "Andreas Schultz" <aschultz@tpip.net>
>> Cc: netfilter-devel@vger.kernel.org
>> Sent: Tuesday, June 16, 2015 6:07:25 PM
>> Subject: Re: iptables nftables compat weirdness
>
> [...]
>
>> Could you help me diagnose this problem? The nf_tables kernel side
>> is rejecting this with -EINVAL. Is this a new bug in the 4.1-rc
>> series?
Seems to be an old bug. I was able to reproduce it on Ubuntu 15.10, Kernel 3.19
with nftables 0.4 and libnftnl-dev 1.0.3 packages and iptables from git head.
Test sequence:
# nft delete table filter
# iptables-compat -N test
# iptables-compat -A INPUT -j test
# iptables-compat -A test -j MARK --set-mark 0x80000000/0x80000000
# iptables-compat -A INPUT -j test
iptables: Invalid argument. Run `dmesg' for more information.
Andreas