[2 bugs] iptable_nat module makes a black hole for GRE packets, iptables only plays with ICMP/UDP/TCP

From: David Ford (david@kalifornia.com)
Date: Sun Jun 04 2000 - 10:48:17 EST


Alan first. Alan, please remove "GRE is broken" from the todo list.
Replace it with "iptable_nat module breaks GRE" and add "iptables
generally doesn't handle protocols outside the top 3".

Now on with the rest of the story.

BUG #1 reference:
I wanted to escape the agony of frequent crashes caused by interface
up/down cycles in pre6 so I decided to try things out in various
configurations. Lo and behold, when iptables wasn't in core, GRE
tunnels worked again. So I built a 2.4.0-test1-ac7 kernel (no other
patches) and made all the iptables stuff modular. One by one I added
the modules. At the point of iptable_nat insertion, all traffic across
the GRE tunnels immediately ceased. I removed the module and traffic
flowed freely again.

There is no indication via klog svc of any dropped packets or whatnot.
Packets seemingly disappear off the OUTPUT chain. To be more correct,
you cannot get iptables to log any packets other than the top three in
the compile that I have...I'm quite confused. I don't exactly know
where the packets are getting lost.

BUG #2 reference:

     Chain OUTPUT (policy ACCEPT 17920 packets, 2271317 bytes)
      pkts bytes target prot opt in  out   source     destination
        11   572 LOG    all  --  *   eth0  0.0.0.0/0  0.0.0.0/0   LOG flags 0 level 4

99.(lots of 9s)% of the packets are and will be GRE. You can't set a
rule to match proto 47 for any form of action. Well, I take that back.
Sure you can set it, but it doesn't do any good. It's ignored:

         0     0 LOG    47   --  *   eth0  0.0.0.0/0  0.0.0.0/0   LOG flags 0 level 4

Hmmmm. This isn't too spiffy.

OK, well, let's scratch our heads and wander on. ipt_LOG.c surely
indicates it should be handled, yet only the top three are showing up in
klog. Well, I'm starting to come up pretty short. The unknown protocol
handling is pretty empty :(

The problem is, I need to a) have NAT capability and b) be able to do
things with protocols other than the top 3. I'm not talking about fancy
stuff, just the standard things as would be done with the headers of any
regular tcp/ip packet.

-blu3

--
"The difference between 'involvement' and 'commitment' is like an
eggs-and-ham breakfast: the chicken was 'involved' - the pig was
'committed'."
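Added example, not part of David's message or of the 2.4.0-test netfilter code: a small C decoder for the IPv4 header and, for protocol 47, the RFC 2784/2890 GRE header, which then formats the fields the way a LOG rule would print them, naming ICMP/TCP/UDP/GRE and falling back to the protocol number for anything else instead of dropping it from the line. The packet bytes are constructed by hand (10.0.0.1 to 10.0.0.2, keyed GRE carrying IPv4), and the struct and function names are the example's own. It handles the truncation case (a GRE header whose flags promise a key the packet does not carry) by rejecting the packet rather than reading past it.

```c
/* Added example, not code from the original message or the kernel's netfilter:
 * decode an IPv4 header and, for protocol 47, the RFC 2784/2890 GRE header,
 * then format the fields the way a LOG target would print them. The packet
 * bytes are constructed by hand and all names here are the example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ip_summary {
    uint8_t  proto;                   /* IPv4 protocol number, 47 = GRE */
    uint32_t saddr, daddr;            /* host byte order */
    int      gre_has_csum, gre_has_key, gre_has_seq;   /* valid if proto == 47 */
    uint16_t gre_proto;               /* GRE payload ethertype, 0x0800 = IPv4 */
    uint32_t gre_key;                 /* GRE key, if gre_has_key */
    size_t   hdr_len;                 /* IP + GRE header bytes consumed */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Returns 0 on success, -1 if the packet is truncated, not IPv4, or GRE
 * with a version other than 0 (PPTP's version 1 layout is not handled). */
int decode_ip_gre(const uint8_t *pkt, size_t len, struct ip_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    out->proto   = pkt[9];
    out->saddr   = be32(pkt + 12);
    out->daddr   = be32(pkt + 16);
    out->hdr_len = ihl;
    if (out->proto != 47) return 0;   /* ICMP/TCP/UDP/other: IP fields only */

    const uint8_t *g = pkt + ihl;
    size_t glen = len - ihl, off = 4; /* flags(2) + protocol type(2) */
    if (glen < 4) return -1;
    uint16_t flags = be16(g);
    if ((flags & 0x0007) != 0) return -1;           /* version must be 0 */
    out->gre_has_csum = !!(flags & 0x8000);         /* C bit */
    out->gre_has_key  = !!(flags & 0x2000);         /* K bit */
    out->gre_has_seq  = !!(flags & 0x1000);         /* S bit */
    out->gre_proto    = be16(g + 2);
    /* RFC 2890 optional fields, in order: checksum+reserved1, key, sequence */
    if (out->gre_has_csum) off += 4;
    if (out->gre_has_key) {
        if (glen < off + 4) return -1;              /* key promised, not present */
        out->gre_key = be32(g + off);
        off += 4;
    }
    if (out->gre_has_seq) off += 4;
    if (glen < off) return -1;
    out->hdr_len = ihl + off;
    return 0;
}

/* Write one LOG-style line into buf; returns its length or -1 on overflow.
 * ICMP/TCP/UDP/GRE get a name, any other protocol is printed by number. */
int format_log_line(const struct ip_summary *s, char *buf, size_t n)
{
    const char *nm = s->proto == 1 ? "ICMP" : s->proto == 6 ? "TCP" :
                     s->proto == 17 ? "UDP" : s->proto == 47 ? "GRE" : NULL;
    char num[8], gre[48] = "";
    if (!nm) { snprintf(num, sizeof num, "%u", (unsigned)s->proto); nm = num; }
    if (s->proto == 47) {
        int k = snprintf(gre, sizeof gre, " PAYLOAD=0x%04x", (unsigned)s->gre_proto);
        if (s->gre_has_key)
            snprintf(gre + k, sizeof gre - k, " KEY=%u", (unsigned)s->gre_key);
    }
    unsigned a = s->saddr, b = s->daddr;
    int w = snprintf(buf, n, "SRC=%u.%u.%u.%u DST=%u.%u.%u.%u PROTO=%s%s",
                     a >> 24, a >> 16 & 255, a >> 8 & 255, a & 255,
                     b >> 24, b >> 16 & 255, b >> 8 & 255, b & 255, nm, gre);
    return (w < 0 || (size_t)w >= n) ? -1 : w;
}

/* Constructed packet: 10.0.0.1 -> 10.0.0.2, GRE v0 with K set and key 1000,
 * carrying the first 16 bytes of an inner IPv4 header (payload cut short). */
const uint8_t sample_gre_pkt[] = {
    0x45, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x2f, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x20, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03, 0xe8,
    0x45, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0xc0, 0xa8, 0x00, 0x01,
};

int main(void)
{
    struct ip_summary s;
    char line[160];
    if (decode_ip_gre(sample_gre_pkt, sizeof sample_gre_pkt, &s) == 0 &&
        format_log_line(&s, line, sizeof line) > 0)
        puts(line);  /* SRC=10.0.0.1 DST=10.0.0.2 PROTO=GRE PAYLOAD=0x0800 KEY=1000 */
    return 0;
}
```

Builds with any C99 compiler. The version check is deliberate: RFC 2637 (PPTP) uses GRE version 1 with a different key/sequence/ack layout, and silently decoding it with the version 0 rules would misreport the fields, so it is rejected here rather than guessed at.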




This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:18 EST