status of ipchains in 2.6?

status of ipchains in 2.6?

[David Mosberger]

I recently discovered that ipchains is rather broken.  I noticed the
problem on ia64, but suspect that it's likely to affect all 64-bit
platforms (if not 32-bit platforms).  A more detailed description of
the problem I'm seeing is here:

	http://tinyurl.com/sm9d

Unlike ipchains, iptables works perfectly fine, so perhaps we just
need to update Kconfig to discourage ipchains on ia64 (and/or other
64-bit platforms)?

	--david

Re: status of ipchains in 2.6?

[Holger Schurig]

> Unlike ipchains, iptables works perfectly fine, so perhaps we just
> need to update Kconfig to discourage ipchains on ia64 (and/or other
> 64-bit platforms)?

Perhaps we simply drop ipchains support for good?

-- 
Try Linux 2.6 from BitKeeper for PXA2x0 CPUs at
http://www.mn-logistik.de/unsupported/linux-2.6/

Re: status of ipchains in 2.6?

[Marc-Christian Petersen]

On Tuesday 28 October 2003 09:23, Holger Schurig wrote:

Hi Holger,

> > Unlike ipchains, iptables works perfectly fine, so perhaps we just
> > need to update Kconfig to discourage ipchains on ia64 (and/or other
> > 64-bit platforms)?
> Perhaps we simply drop ipchains support for good?

NO!

ciao, Marc

Re: status of ipchains in 2.6?

[Éric Brunet]

In mailing-lists linux-kernel, you wrote:
>I recently discovered that ipchains is rather broken.  I noticed the
>problem on ia64, but suspect that it's likely to affect all 64-bit
>platforms (if not 32-bit platforms).  A more detailed description of
>the problem I'm seeing is here:
>
>       http://tinyurl.com/sm9d

I have just posted less than 12 hours ago a bug-report about a __very__
similar problem occuring on ia32. I trigger it very easily with a rsync
from the client machine. I haven't been able to obtain a complete trace,
though.

In my case, 2.6.0-test4 is working fine.

Éric Brunet

Re: status of ipchains in 2.6?

[David S. Miller]

On Mon, 27 Oct 2003 17:27:22 -0800
David Mosberger <davidm@napali.hpl.hp.com> wrote:

> I recently discovered that ipchains is rather broken.  I noticed the
> problem on ia64, but suspect that it's likely to affect all 64-bit
> platforms (if not 32-bit platforms).  A more detailed description of
> the problem I'm seeing is here:
> 
> 	http://tinyurl.com/sm9d
> 
> Unlike ipchains, iptables works perfectly fine, so perhaps we just
> need to update Kconfig to discourage ipchains on ia64 (and/or other
> 64-bit platforms)?

Might want to post this to the netfilter lists or netdev....
Nah, that might actually get the bug fixed.

linux-kernel is always the wrong place to report networking
problems, most networking developers do not read linux-kernel.
They do read netdev@oss.sgi.com so please post things there.

Re: status of ipchains in 2.6?

[Miquel van Smoorenburg]

In article <20031028015032.734caf21.davem@redhat.com>,
David S. Miller <davem@redhat.com> wrote:
>linux-kernel is always the wrong place to report networking
>problems, most networking developers do not read linux-kernel.
>They do read netdev@oss.sgi.com so please post things there.

netdev@oss.sgi.com doesn't have an official webpage anywhere
to tell you that it even exists. No info on how to subscribe
or what the rules of the list are.

On http://oss.sgi.com/ the netdev list is not mentioned at all.

I can't find a mailinglist archive of netdev.

I'd like to read netdev but I'm not sure to subscribe since
as I said info on it is basically non-existing.

Perhaps SGI could create a "netdev" page somewhere on
oss.sgi.com, link to it from "projects lists" or "newsgroups
and mailinglists", and resurrect the archive ? Please ?

Mike.

Re: status of ipchains in 2.6?

[Wichert Akkerman]

Previously Miquel van Smoorenburg wrote:
> I can't find a mailinglist archive of netdev.

Luckily google -> netdev archive -> I feel lucky brings you straight to
http://oss.sgi.com/projects/netdev/archive/

Wichert.

-- 
Wichert Akkerman <wichert@wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.

Re: status of ipchains in 2.6?

[Sebastian Piecha]

> 
> netdev@oss.sgi.com doesn't have an official webpage anywhere
> to tell you that it even exists. No info on how to subscribe
> or what the rules of the list are.
> 

Send a mail with "help" in the body to majordomo@oss.sgi.com.



--
Mit freundlichen Gruessen/Best regards,
Sebastian Piecha

EMail: spi@gmxpro.de

Re: status of ipchains in 2.6?

[bill davidsen]

In article <20031028015032.734caf21.davem@redhat.com>,
David S. Miller <davem@redhat.com> wrote:
| On Mon, 27 Oct 2003 17:27:22 -0800
| David Mosberger <davidm@napali.hpl.hp.com> wrote:
| 
| > I recently discovered that ipchains is rather broken.  I noticed the
| > problem on ia64, but suspect that it's likely to affect all 64-bit
| > platforms (if not 32-bit platforms).  A more detailed description of
| > the problem I'm seeing is here:
| > 
| > 	http://tinyurl.com/sm9d
| > 
| > Unlike ipchains, iptables works perfectly fine, so perhaps we just
| > need to update Kconfig to discourage ipchains on ia64 (and/or other
| > 64-bit platforms)?
| 
| Might want to post this to the netfilter lists or netdev....
| Nah, that might actually get the bug fixed.
| 
| linux-kernel is always the wrong place to report networking
| problems, most networking developers do not read linux-kernel.
| They do read netdev@oss.sgi.com so please post things there.

The other side of the problem is that most people reading here don't
read netdev, so you don't trigger the "I have that too, and didn't
report it because I thought it was just me" replies. That's an imperfect
way to run the world, but it does reflect human nature.

I personally hesitate to post to netdev until I have really researched
a problem, as opposed to reporting that something working in testN
fails in test{N+1}. Given my free time, that often means that someone
else reports a bug (usually here) first.

Your continued reminders when appropriate are useful, perhaps an
occasional forward of a message would be as well.
-- 
bill davidsen <davidsen@tmr.com>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.

Re: status of ipchains in 2.6?

[bill davidsen]

In article <bnl92k$iae$2@sea.gmane.org>,
Holger Schurig  <h.schurig@mn-logistik.de> wrote:
| > Unlike ipchains, iptables works perfectly fine, so perhaps we just
| > need to update Kconfig to discourage ipchains on ia64 (and/or other
| > 64-bit platforms)?
| 
| Perhaps we simply drop ipchains support for good?

Since it worked in early test versions, how 'bout we just unbreak it?
Since the support has been in the kernel, and did work until it was
recently broken, perhaps we could skip the "I don't need it" phase and
fix the problem.
-- 
bill davidsen <davidsen@tmr.com>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.

Re: status of ipchains in 2.6?

[David Mosberger]

>>>>> On Tue, 28 Oct 2003 01:50:32 -0800, "David S. Miller" <davem@redhat.com> said:

  DaveM> On Mon, 27 Oct 2003 17:27:22 -0800 David Mosberger
  DaveM> <davidm@napali.hpl.hp.com> wrote:

  >> I recently discovered that ipchains is rather broken.  I noticed
  >> the problem on ia64, but suspect that it's likely to affect all
  >> 64-bit platforms (if not 32-bit platforms).  A more detailed
  >> description of the problem I'm seeing is here:

  >> http://tinyurl.com/sm9d

  >> Unlike ipchains, iptables works perfectly fine, so perhaps we
  >> just need to update Kconfig to discourage ipchains on ia64
  >> (and/or other 64-bit platforms)?

  DaveM> Might want to post this to the netfilter lists or netdev....
  DaveM> Nah, that might actually get the bug fixed.

$ fgrep -i ipchain MAINTAINERS
$

Might want to consider updating the MAINTAINERS file?

	--david

Re: status of ipchains in 2.6?

[David S. Miller]

On Tue, 28 Oct 2003 09:56:58 -0800
David Mosberger <davidm@napali.hpl.hp.com> wrote:

> >>>>> On Tue, 28 Oct 2003 01:50:32 -0800, "David S. Miller" <davem@redhat.com> said:
> 
> $ fgrep -i ipchain MAINTAINERS

Try netfilter, ipchains is a part of netfilter.

Re: status of ipchains in 2.6?

[Martin Josefsson]

[-- Attachment #1: Type: text/plain, Size: 1725 bytes --]

On Tue, 2003-10-28 at 02:27, David Mosberger wrote:
> I recently discovered that ipchains is rather broken.  I noticed the
> problem on ia64, but suspect that it's likely to affect all 64-bit
> platforms (if not 32-bit platforms).  A more detailed description of
> the problem I'm seeing is here:
> 
> 	http://tinyurl.com/sm9d
> 
> Unlike ipchains, iptables works perfectly fine, so perhaps we just
> need to update Kconfig to discourage ipchains on ia64 (and/or other
> 64-bit platforms)?

Please try this patch that just got included in linus tree.

ChangeSet 1.1360, 2003/10/27 00:01:25-08:00, rusty@rustcorp.com.au

	[NETFILTER]: Fix ipchains oops in NAT
	
	We updated ip_nat_setup_info to set the initialized flag and call
	place_in_hashes, but *didn't* change the call in ip_fw_compat_masq.c
	which also calls place_in_hashes() itself (again!).  Result: corrupt
	list, and next thing which lands in the same hash bucket goes boom.
	
	Thanks to Andy Polyakov for chasing this down.


# This patch includes the following deltas:
#	           ChangeSet	1.1359  -> 1.1360 
#	net/ipv4/netfilter/ip_fw_compat_masq.c	1.11    -> 1.12   
#

 ip_fw_compat_masq.c |    3 ---
 1 files changed, 3 deletions(-)


diff -Nru a/net/ipv4/netfilter/ip_fw_compat_masq.c b/net/ipv4/netfilter/ip_fw_compat_masq.c
--- a/net/ipv4/netfilter/ip_fw_compat_masq.c	Mon Oct 27 12:07:33 2003
+++ b/net/ipv4/netfilter/ip_fw_compat_masq.c	Mon Oct 27 12:07:33 2003
@@ -91,9 +91,6 @@
 			WRITE_UNLOCK(&ip_nat_lock);
 			return ret;
 		}
-
-		place_in_hashes(ct, info);
-		info->initialized = 1;
 	} else
 		DEBUGP("Masquerading already done on this conn.\n");
 	WRITE_UNLOCK(&ip_nat_lock);

-- 
/Martin

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: status of ipchains in 2.6?

[David Mosberger]

>>>>> On Tue, 28 Oct 2003 09:57:47 -0800, "David S. Miller" <davem@redhat.com> said:

  David> On Tue, 28 Oct 2003 09:56:58 -0800 David Mosberger
  David> <davidm@napali.hpl.hp.com> wrote:

  >> >>>>> On Tue, 28 Oct 2003 01:50:32 -0800, "David S. Miller"
  >> <davem@redhat.com> said:

  >> $ fgrep -i ipchain MAINTAINERS

  David> Try netfilter, ipchains is a part of netfilter.

I took ipchains not being mentioned in MAINTAINERS as a sign that
nobody wanted to hear bug reports about it, hence my choice of lkml.
Perhaps you prefer to flame people rather than making it easier
for them to find the right mailing-list?

	--david

Re: status of ipchains in 2.6?

[David Mosberger]

Yes, Rusty mentioned the same patch yesterday.  I tried it now and
ipchain masquerading seems to be working fine again.

	--david

>>>>> On Tue, 28 Oct 2003 19:23:37 +0100, Martin Josefsson <gandalf@wlug.westbo.se> said:

  Martin> Please try this patch that just got included in linus tree.

  Martin> ChangeSet 1.1360, 2003/10/27 00:01:25-08:00, rusty@rustcorp.com.au

  Martin> [NETFILTER]: Fix ipchains oops in NAT

  Martin> We updated ip_nat_setup_info to set the initialized flag and call
  Martin> place_in_hashes, but *didn't* change the call in ip_fw_compat_masq.c
  Martin> which also calls place_in_hashes() itself (again!).  Result: corrupt
  Martin> list, and next thing which lands in the same hash bucket goes boom.

  Martin> Thanks to Andy Polyakov for chasing this down.


  Martin> # This patch includes the following deltas:
  Martin> #	           ChangeSet	1.1359  -> 1.1360 
  Martin> #	net/ipv4/netfilter/ip_fw_compat_masq.c	1.11    -> 1.12   
  Martin> #

  Martin> ip_fw_compat_masq.c |    3 ---
  Martin> 1 files changed, 3 deletions(-)


  Martin> diff -Nru a/net/ipv4/netfilter/ip_fw_compat_masq.c b/net/ipv4/netfilter/ip_fw_compat_masq.c
  Martin> --- a/net/ipv4/netfilter/ip_fw_compat_masq.c	Mon Oct 27 12:07:33 2003
  Martin> +++ b/net/ipv4/netfilter/ip_fw_compat_masq.c	Mon Oct 27 12:07:33 2003
  Martin> @@ -91,9 +91,6 @@
  Martin> WRITE_UNLOCK(&ip_nat_lock);
  Martin> return ret;
  Martin> }
  Martin> -
  Martin> -		place_in_hashes(ct, info);
  Martin> -		info->initialized = 1;
  Martin> } else
  Martin> DEBUGP("Masquerading already done on this conn.\n");
  Martin> WRITE_UNLOCK(&ip_nat_lock);

  Martin> -- 
  Martin> /Martin

Re: status of ipchains in 2.6?

[Éric Brunet]

>Please try this patch that just got included in linus tree.
>
>ChangeSet 1.1360, 2003/10/27 00:01:25-08:00, rusty@rustcorp.com.au
>
>       [NETFILTER]: Fix ipchains oops in NAT

This fixes my problem too.

Thanks,

	Éric Brunet

Re: status of ipchains in 2.6?

[Andi Kleen]

Éric Brunet <Eric.Brunet@lps.ens.fr> writes:
> 
> In my case, 2.6.0-test4 is working fine.

Can you do a binary search in the versions to see which version
broke it? 

test5-test8 all had netfilter changes.

-Andi