[SOLUTION] Re: Fw: 2.4.18-pre9: iptables screwed?

From: Harald Welte (laforge@gnumonks.org)
Date: Fri Feb 08 2002 - 04:55:48 EST


On Fri, Feb 08, 2002 at 01:08:39AM -0800, David Miller wrote:

> Stelian has analyzed the bug already.

This is strange.

> From: Stelian Pop <stelian.pop@fr.alcove.com>
> To: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
> Subject: Re: 2.4.18-pre9: iptables screwed?
> Reply-To: Stelian Pop <stelian.pop@fr.alcove.com>
> In-Reply-To: <a3vjts$r7l$1@cesium.transmeta.com>
>
> On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
>
> > I get the following error with iptables on 2.4.18-pre9:
> >
> > sudo iptables-restore < /etc/sysconfig/iptables
> > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > Abort (core dumped)

The code you are quoting is only defined if debugging is compiled into
the iptables package. The default distribution of the iptables package
does _not_ ship with debugging enabled.

The Makefile of every iptables version between 1.1.1 (released way before
the linux 2.4.0 kernel came out!) and 1.2.5 (current) has the following
line:

COPT_FLAGS:=-O2 -DNDEBUG

reads: define no debug

> > However, if I apply the rules manually (using iptables), I have no
> > problem; only if I'm using iptables-save or iptables-restore do I get
> > a dump...
>
> I have this since the netfilter update from pre6 or pre7...
>
> It seems to be caused by a change in the logic for the mangle table:
> the userspace tools check only for PREROUTING and OUTPUT chains
> (the 1 << 0 | 1 << 3 check), but the kernel code was recently updated
> to support more chains in this table (POSTROUTING etc).

This is true. We introduced this change after some testing since it
is needed for complex policy routing scenarios. It's the so-called
mangle5hooks.patch.

> So it would seem that we need to have a more recent version of
> the userspace tools (CVS maybe, since the latest released version
> has the same bug), or the netfilter people should check the
> userspace tools version before introducing this kind of
> incompatible change.

I'm running the same iptables-1.2.2 binary (compiled at a 2.4.x kernel in July
2001) with a mangle5hooks-patch'ed linux kernel.

just re-checked it again:
======================================================================
sunbeam# rpm -qi iptables
Name : iptables Relocations: (not relocateable)
Version : 1.2.2 Vendor: Conectiva
Release : 2cl Build Date: Sun 17 Jun 2001 08:17:20 PM CEST
Install date: Thu 08 Nov 2001 01:42:57 PM CET Build Host: mapi2.distro.conectiva
Group : Networking Source RPM: iptables-1.2.2-2cl.src.rpm
Size : 439232 License: GPL
URL : http://netfilter.samba.org
Summary : Packet filtering tool for kernel-2.4.x
Description :
This is the packet filtering tool for kernel-2.4.x. It is much more
advanced than ipchains and can take full advantage of the new
features within the 2.4.x packet filtering code. It allows you to
set up masquerading, full NAT, stateful inspection rules, etc.
sunbeam# rpm -V iptables
sunbeam# cat foo
# Generated by iptables-save v1.2.2 on Fri Feb 8 10:35:05 2002
*mangle
:PREROUTING ACCEPT [36557505:30073123582]
:INPUT ACCEPT [31280258:26426457730]
:FORWARD ACCEPT [5276687:3646630572]
:OUTPUT ACCEPT [28690202:18841029987]
:POSTROUTING ACCEPT [34105840:22505172519]
:knf - [0:0]
-A PREROUTING -p tcp -m tcp --dport 25 -j knf
-A PREROUTING -p tcp -m tcp --dport 6667 -j knf
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
-A knf -j MARK --set-mark 0xa
COMMIT
sunbeam# iptables-restore < foo
sunbeam# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.100.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.101.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
======================================================================

Because it was working on several systems, we have decided to forward
this patch to the mainstream kernel.

We always want to make sure that nobody needs to update the iptables
package during the 2.4.x stable kernel series. Because of this (sane)
policy, we are keeping back a whole bunch of changes. We can't just
silently abandon backwards compatibility.

> (BTW, the quick and dirty fix for me was to hand edit
> /etc/sysconfig/iptables and remove all references to the mangle table,
> since I don't use it).

This is of course no possible 'solution'.

> Stelian Pop <stelian.pop@fr.alcove.com>

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
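The following is an added illustration of the hook-mask mismatch discussed in this thread; it is not code from the thread or from the iptables project. It assumes the NF_IP_* hook numbering from <linux/netfilter_ipv4.h>, and the function names and the sample dump are constructed for the example.

```c
/* Added example, not code from the thread or from iptables: derive the
 * mangle table's hook mask from an iptables-save dump and show why the
 * debug-only libiptc check trips once the kernel has five mangle hooks. */
#include <stdio.h>
#include <string.h>

/* Hook numbers as in <linux/netfilter_ipv4.h>: NF_IP_PRE_ROUTING = 0,
 * NF_IP_LOCAL_IN = 1, NF_IP_FORWARD = 2, NF_IP_LOCAL_OUT = 3,
 * NF_IP_POST_ROUTING = 4; builtin[] is indexed in that order. */
static const char *builtin[] = { "PREROUTING", "INPUT", "FORWARD",
                                 "OUTPUT", "POSTROUTING" };
/* What iptables 1.2.x libiptc expects for mangle: (1 << 0 | 1 << 3). */
#define MANGLE_HOOKS_OLD ((1u << 0) | (1u << 3))

/* Hook bit of a builtin chain name; 0 for user-defined chains such as knf. */
static unsigned int chain_hook_bit(const char *name)
{
    for (int i = 0; i < 5; i++)
        if (strcmp(name, builtin[i]) == 0)
            return 1u << i;
    return 0;
}

/* OR the hook bits of every ":CHAIN POLICY [pkts:bytes]" line of a table
 * dump, i.e. what the kernel reports in ipt_getinfo.valid_hooks. */
unsigned int valid_hooks_from_save(const char *save)
{
    unsigned int mask = 0;
    char name[32];
    for (const char *p = save; p != NULL; p = strchr(p, '\n') ? strchr(p, '\n') + 1 : NULL)
        if (*p == ':' && sscanf(p + 1, "%31s", name) == 1)
            mask |= chain_hook_bit(name);
    return mask;
}

/* do_check()'s comparison; a -DNDEBUG build compiles the assert out. */
int old_do_check_passes(unsigned int v) { return v == MANGLE_HOOKS_OLD; }
/* Forward-compatible variant: require the known hooks, tolerate extra ones. */
int compatible_check_passes(unsigned int v) { return (v & MANGLE_HOOKS_OLD) == MANGLE_HOOKS_OLD; }

/* Constructed sample modelled on the *mangle dump quoted in the thread. */
static const char SAMPLE[] = "*mangle\n:PREROUTING ACCEPT [0:0]\n"
    ":INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n"
    ":POSTROUTING ACCEPT [0:0]\n:knf - [0:0]\n-A PREROUTING -j knf\nCOMMIT\n";

int main(void)
{
    unsigned int hooks = valid_hooks_from_save(SAMPLE);
    printf("valid_hooks=0x%02x old_check=%d compatible=%d\n", hooks,
           old_do_check_passes(hooks), compatible_check_passes(hooks));
    return 0;
}
```

With the five-hook dump the mask comes out as 0x1f, so the strict equality fails while the subset check passes; a two-hook dump (PREROUTING and OUTPUT only) yields 0x09 and satisfies both.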



This archive was generated by hypermail 2b29 : Fri Feb 15 2002 - 21:00:17 EST