netdev

Re: Last night Linus bk - netfilter busted?

To: "David S. Miller" <davem@xxxxxxxxxxxxx>
Subject: Re: Last night Linus bk - netfilter busted?
From: Sergey Vlasov <vsu@xxxxxxxxxxx>
Date: Fri, 11 Mar 2005 22:27:01 +0300
Cc: Patrick McHardy <kaber@xxxxxxxxx>, netdev@xxxxxxxxxxx, dtor_core@xxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
In-reply-to: <20050311105136.2a5e4ddc.davem@davemloft.net>
References: <200503110223.34461.dtor_core@ameritech.net> <4231A498.4020101@trash.net> <20050311105136.2a5e4ddc.davem@davemloft.net>
Sender: netdev-bounce@xxxxxxxxxxx
On Fri, 11 Mar 2005 10:51:36 -0800 David S. Miller wrote:

> On Fri, 11 Mar 2005 15:00:56 +0100
> Patrick McHardy <kaber@xxxxxxxxx> wrote:
> 
> > Works fine here. You could try if reverting one of these two patches
> > helps (second one only if it's an SMP box).
> > 
> > ChangeSet@xxxxxx, 2005-03-09 20:28:17-08:00, bdschuym@xxxxxxxxxx
> >    [NETFILTER]: Reduce call chain length in netfilter (take 2)
> 
> It's this change, I know it is, because Linus sees the same problem
> on his workstation.
> 
> You wouldn't happen to be seeing this problem on a PPC box would
> you?  Since Linus's machine is a PPC machine too, that would support
> my theory that this could be a compiler issue on that platform.
> 
> Damn, wait, Patrick, I think I know what's happening.  The iptables
> IPT_* verdicts are dependent upon the NF_* values, and they don't
> cope with Bart's changes I bet.  Can you figure out what the exact
> error would be?  This kind of issue would explain the looping inside
> of ipt_do_table(), wouldn't it?

This is not just some buggy code - that patch also breaks interfaces:

include/linux/netfilter_ipv4/ip_tables.h:
#define IPT_RETURN (-NF_MAX_VERDICT - 1)

And this value is visible in userspace.  Therefore we cannot modify
NF_MAX_VERDICT without breaking all existing iptables binaries.

Attachment: pgpSo617XmrWE.pgp
Description: PGP signature
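
The interface breakage described in the message above, as an added illustration (not code from the thread or from the kernel tree). The NF_* numbering is assumed to be that of the 2.6.10 headers, `NEW_NF_MAX_VERDICT` is a hypothetical changed value, and `decode_standard_verdict()` is a simplified model of how a standard target's verdict is interpreted.

```c
#include <stdio.h>

/* Assumed NF_* verdict numbering (2.6.10-era include/linux/netfilter.h). */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3, NF_REPEAT = 4 };

#define OLD_NF_MAX_VERDICT NF_REPEAT        /* what existing binaries were built with */
#define NEW_NF_MAX_VERDICT (NF_REPEAT + 1)  /* hypothetical: any change has this effect */

/* The ip_tables.h macro quoted in the message, parameterised on the max verdict. */
#define IPT_RETURN_FOR(max) (-(max) - 1)

enum action { ACT_JUMP, ACT_RETURN, ACT_VERDICT };
struct decoded { enum action act; unsigned int value; };

/* Simplified model: a non-negative value is a jump offset, the sentinel means
 * "return to the calling chain", any other negative value encodes an NF_*
 * verdict as (-v - 1). The sentinel depends on the kernel's NF_MAX_VERDICT. */
static struct decoded decode_standard_verdict(int v, int kernel_max_verdict)
{
    struct decoded d = { ACT_JUMP, 0 };

    if (v >= 0) {
        d.value = (unsigned int)v;
    } else if (v == IPT_RETURN_FOR(kernel_max_verdict)) {
        d.act = ACT_RETURN;
    } else {
        d.act = ACT_VERDICT;
        d.value = (unsigned int)(-v) - 1;
    }
    return d;
}

/* The constant an already-compiled iptables binary writes for "-j RETURN". */
static int userspace_return_value(void)
{
    return IPT_RETURN_FOR(OLD_NF_MAX_VERDICT);
}

int main(void)
{
    int v = userspace_return_value();
    struct decoded old_k = decode_standard_verdict(v, OLD_NF_MAX_VERDICT);
    struct decoded new_k = decode_standard_verdict(v, NEW_NF_MAX_VERDICT);

    printf("userspace RETURN constant: %d\n", v);
    printf("old kernel: act=%d value=%u\n", old_k.act, old_k.value);
    printf("new kernel: act=%d value=%u\n", new_k.act, new_k.value);
    return 0;
}
```

Under these assumptions the rule an old binary meant as RETURN is no longer recognised as the sentinel and is decoded as an ordinary verdict, while encoded verdicts such as ACCEPT are unaffected.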
