* ip_tables init broken
From: Jan Engelhardt @ 2006-12-30 17:14 UTC (permalink / raw)
  To: Netfilter Mailing List, Linux Kernel Mailing List

Hello,
when the ip_tables module is loaded automatically when inserting the 
first rule, something gets screwed up, as -L -v -n shows:


17:39 ichi:~ # lsmod | grep ip_tables
17:39 ichi:~ # iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 161
17:39 ichi:~ # iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 161
17:39 ichi:~ # iptables -t mangle -L -v -n | grep eth1
p b targ pr opt in  out src       dst
0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  0xa1
0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  MARK set 0xa1

Everything is fine if ip_tables was loaded before.

This box runs 2.6.18.5. Can anyone confirm this bug?


	-`J'
-- 


* Re: ip_tables init broken
From: Sergey Vlasov @ 2006-12-30 18:30 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter, linux-kernel


On Sat, 30 Dec 2006 18:14:35 +0100 (MET) Jan Engelhardt wrote:

> when the ip_tables module is loaded automatically when inserting the
> first rule, something gets screwed up, as -L -v -n shows:
>
>
> 17:39 ichi:~ # lsmod | grep ip_tables
> 17:39 ichi:~ # iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 161
> 17:39 ichi:~ # iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 161
> 17:39 ichi:~ # iptables -t mangle -L -v -n | grep eth1
> p b targ pr opt in  out src       dst
> 0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  0xa1
> 0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  MARK set 0xa1
>
> Everything is fine if ip_tables was loaded before.
>
> This box runs 2.6.18.5. Can anyone confirm this bug?

Looks like this problem was fixed between iptables releases 1.3.5 and
1.3.7 (the old buggy version was trying to detect whether the kernel
supports the newer MARK target version before loading the ip_tables
module, therefore the check was giving bogus results).

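As an added check that is not part of the thread: the symptom above is visible in the listing itself, so a script can verify that every MARK rule renders as "MARK set 0x..." (the form shown once the target revision was detected with ip_tables loaded). The two listings are constructed from the ones quoted in this thread; `check_mark_listing` and `preload_ip_tables` are names chosen here, and the preload step is the workaround the original report implies (the problem does not occur when ip_tables was loaded before the first rule).

```sh
#!/bin/sh
# Constructed sample: the broken listing from the original report. The first
# rule shows a bare "0xa1" where the target options should read "MARK set 0xa1".
BROKEN_LISTING='p b targ pr opt in  out src       dst
0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  0xa1
0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  MARK set 0xa1'

# Constructed sample: the healthy listing from the confirming reply.
GOOD_LISTING='p b targ pr opt in   out src       dst
0 0 MARK 0  --  eth0 *   0.0.0.0/0 0.0.0.0/0   MARK set 0xa1
0 0 MARK 0  --  eth0 *   0.0.0.0/0 0.0.0.0/0   MARK set 0xa1'

# Reads `iptables -t mangle -L -v -n` output on stdin. Field 3 is the target;
# a MARK rule whose options lack the "MARK set|and|or" rendering is flagged.
# Returns 0 when every MARK rule renders properly, 1 otherwise.
check_mark_listing() {
    awk '
        $3 == "MARK" && $0 !~ /MARK (set|and|or) 0x/ {
            print "malformed MARK rule: " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Workaround implied by the report: make sure ip_tables is loaded before the
# first rule is inserted, so any revision probing happens against a loaded module.
preload_ip_tables() {
    lsmod | grep -q '^ip_tables ' || modprobe ip_tables
}

# Stand-alone demonstration on the constructed samples.
if printf '%s\n' "$BROKEN_LISTING" | check_mark_listing; then
    echo "broken sample unexpectedly passed"
else
    echo "broken sample flagged as expected"
fi
printf '%s\n' "$GOOD_LISTING" | check_mark_listing && echo "good sample passes"
```

On a live box, run `iptables -t mangle -L -v -n | check_mark_listing` after the first rule insertion to confirm the upgraded iptables renders the target correctly.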


* RE: ip_tables init broken
From: Rob Sterenborg @ 2006-12-30 19:48 UTC (permalink / raw)
  To: 'Netfilter Mailing List'

> when the ip_tables module is loaded automatically when inserting the
> first rule, something gets screwed up, as -L -v -n shows:
> 
> 
> 17:39 ichi:~ # lsmod | grep ip_tables
> 17:39 ichi:~ # iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 161
> 17:39 ichi:~ # iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 161
> 17:39 ichi:~ # iptables -t mangle -L -v -n | grep eth1 
> p b targ pr opt in  out src       dst
> 0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  0xa1
> 0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  MARK set 0xa1
> 
> Everything is fine if ip_tables was loaded before.
> 
> This box runs 2.6.18.5. Can anyone confirm this bug?

AFAICS, not here with 2.6.18.3 with pom-ng-20061124:
(Copy/paste of command sequence and response.)

Linux 2.6.18.3.
# lsmod | grep ip_tables
# iptables -t mangle -A FORWARD -i eth0 -j MARK --set-mark 161
# iptables -t mangle -A FORWARD -i eth0 -j MARK --set-mark 161
# iptables -t mangle -nvL | grep eth0
p b targ pr opt in   out src       dst
0 0 MARK 0  --  eth0 *   0.0.0.0/0 0.0.0.0/0   MARK set 0xa1 
0 0 MARK 0  --  eth0 *   0.0.0.0/0 0.0.0.0/0   MARK set 0xa1 
# lsmod | grep ip_tables
ip_tables              12252  1 iptable_mangle
x_tables               11524  2 xt_MARK,ip_tables

This box does not start a firewall script (yet) and it doesn't have any
NF modules loaded after boot.


Grts,
Rob

* Re: ip_tables init broken [fixd]
From: Jan Engelhardt @ 2006-12-30 22:08 UTC (permalink / raw)
  To: Sergey Vlasov; +Cc: netfilter, linux-kernel


On Dec 30 2006 21:30, Sergey Vlasov wrote:
>On Sat, 30 Dec 2006 18:14:35 +0100 (MET) Jan Engelhardt wrote:
>
>> when the ip_tables module is loaded automatically when inserting the
>> first rule, something gets screwed up, as -L -v -n shows:
>>
>>
>> 17:39 ichi:~ # lsmod | grep ip_tables
>> 17:39 ichi:~ # iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 161
>> 17:39 ichi:~ # iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 161
>> 17:39 ichi:~ # iptables -t mangle -L -v -n | grep eth1
>> p b targ pr opt in  out src       dst
>> 0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  0xa1
>> 0 0 MARK 0  -- eth1 *   0.0.0.0/0 0.0.0.0/0  MARK set 0xa1
>>
>> Everything is fine if ip_tables was loaded before.
>>
>> This box runs 2.6.18.5. Can anyone confirm this bug?
>
>Looks like this problem was fixed between iptables releases 1.3.5 and
>1.3.7 (the old buggy version was trying to detect whether the kernel
>supports the newer MARK target version before loading the ip_tables
>module, therefore the check was giving bogus results).

Yup, upgrading to 1.3.7 fixed the problem, thanks for the hint.
(netfilter svn commit #6692 seems relevant)

	-`J'
-- 
