
Re: iptables breakage WAS(Re: dummy as IMQ replacement

To: hadi@xxxxxxxxxx
Subject: Re: iptables breakage WAS(Re: dummy as IMQ replacement
From: Andy Furniss <andy.furniss@xxxxxxxxxxxxx>
Date: Mon, 21 Mar 2005 21:50:37 +0000
Cc: Harald Welte <laforge@xxxxxxxxxxxx>, Patrick McHardy <kaber@xxxxxxxxx>, Remus <rmocius@xxxxxxxxxxxxxx>, netdev@xxxxxxxxxxx, Nguyen Dinh Nam <nguyendinhnam@xxxxxxxxx>, Andre Tomt <andre@xxxxxxxx>, syrius.ml@xxxxxxxxxx, Damion de Soto <damion@xxxxxxxxxxxx>
In-reply-to: <1111410890.1092.195.camel@xxxxxxxxxxxxxxxx>
References: <1107123123.8021.80.camel@xxxxxxxxxxxxxxxx> <0fcf01c5077f$579e4b80$6e69690a@RIMAS> <1107174142.8021.121.camel@xxxxxxxxxxxxxxxx> <00c301c524b4$938cd240$6e69690a@RIMAS> <1110379135.1091.143.camel@xxxxxxxxxxxxxxxx> <1110416767.1111.76.camel@xxxxxxxxxxxxxxxx> <025501c52552$2dbf87c0$6e69690a@RIMAS> <1110453757.1108.87.camel@xxxxxxxxxxxxxxxx> <423B7BCB.10400@xxxxxxxxxxxxx> <1111410890.1092.195.camel@xxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050217
jamal wrote:
> On Fri, 2005-03-18 at 20:09, Andy Furniss wrote:
>
>> jamal wrote:
>>
>>> Hi Remus,
>>> I could not reproduce this one - it is also a bit odd for calloc to
>>> fail. I don't have iptables 1.3.1 but I will get and retry.
>>> Does this happen all the time?
>>
>> I get the same with iptables 1.3.1 and 1.3.0
>>
>> iptables: calloc failed: Cannot allocate memory
>>
>> using kernel 2.6.11.3 and tc iproute2-ss050314
>>
>> If I try an earlier iptables (tested 9, 10, 11) I get
>
>
> Ok, I think I figured this one out as well - sorry don't have access to
> my test hardware still to verify.
>
> As I was suspecting this is related to iptables breaking backwards
> compatibility. Starting with 1.3.0 the target structure changed ;->
> (right at the top is a new field called version)
> I suspect the iptables folks may be unaware that there are other users of
> iptables and assume that anyone needing to use new iptables will
> recompile everything from scratch. BAD! BAD!
> I am ccing the necessary evil doers (Harald and Patrick - at least they
> would know who the real evildoer is).
> To test the theory copy iptables.h and iptables_common.h from
> iptables-1.3.1/include into iproute2/include with the latest iproute2
> and recompile. Make sure m_ipt.c is recompiled - you may have to do a make clean in iproute2/tc/

I haven't done a new kernel with stats patched yet. Using iptables 1.3.1 and iproute2-ss050314 with iptables headers I now get below instead of memory error.

++ /usr/sbin/tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action ipt -j MARK --set-mark 1 action mirred egress redirect dev dummy0
tablename: mangle hook: NF_IP_PRE_ROUTING
        target: MARK set 0x1  index 0
bad action type mirred
Usage: ... gact <ACTION> [RAND] [INDEX]
Where: ACTION := reclassify | drop | continue | pass RAND := random <RANDTYPE> <ACTION> <VAL>RANDTYPE := netrand | determVAL : = value not exceeding 10000INDEX := index value used
bad action parsing
parse_action: bad value (5:mirred)!
Illegal "action"

I will try with new kernel later tonight.


> I should be able to validate all this stuff starting tomorrow evening.
> Also I have a feeling if you make this change, things will not work for
> iptables <=1.2.9/10/11. Can you verify that?


Yes it segfaults with iptables v1.2.11


++ /usr/sbin/tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action ipt -j MARK --set-mark 1 action mirred egress redirect dev dummy0
./dummy-ingress-2: line 43: 1345 Segmentation fault $TC filter add dev eth0 parent ffff: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action ipt -j MARK --set-mark 1 action mirred egress redirect dev dummy0
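
Added example, not part of the thread and not code from iptables or iproute2: a sketch of how a member inserted into a struct shared between two separately compiled programs can yield a bogus allocation size or a bad function pointer when one side still uses the old header. Both structs are simplified stand-ins with assumed members and an assumed position for the new field, not the real iptables.h definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumed), NOT the real iptables.h definitions. */
struct target_old {              /* header the consumer (tc) was built with */
    struct target_old *next;
    char name[32];
    size_t size;                 /* consumer hands this to calloc() */
    void (*help)(void);          /* consumer calls through this */
};

struct target_new {              /* header the extension was built with */
    struct target_new *next;
    char name[32];
    const char *version;         /* added member shifts everything after it */
    size_t size;
    void (*help)(void);
};

/* Read a word at the offset the OLD header assigns to a member, from an
 * object that really has the NEW layout (memcpy avoids aliasing issues). */
static size_t read_at(const struct target_new *t, size_t off)
{
    size_t v;
    memcpy(&v, (const unsigned char *)t + off, sizeof v);
    return v;
}

size_t size_seen_by_old(const struct target_new *t)
{
    return read_at(t, offsetof(struct target_old, size));
}

size_t help_seen_by_old(const struct target_new *t)
{
    return read_at(t, offsetof(struct target_old, help));
}

int main(void)
{
    struct target_new t = { NULL, "MARK", "1.3.1", 8, NULL };
    printf("real size:              %zu\n", t.size);
    printf("size via old header:    %#zx (a pointer value)\n", size_seen_by_old(&t));
    printf("help via old header:    %#zx (not a code address)\n", help_seen_by_old(&t));
    return 0;
}
```

Passing the first misread value to calloc() asks for an address-sized allocation, and calling through the second jumps to a small integer; rebuilding every consumer against the same header removes the mismatch.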



