Most recent kernel where this bug did not occur: none known, this is a fresh install Distribution: Debian unstable Hardware Environment: 32-bit PowerPC 604 with PReP subarch (using old ARCH=ppc) Software Environment: usual 32-bit ppc userspace, gcc 4.0.3 Problem Description: iptables operations usually just give "Incalida operation". modprobe iptable_filter and adding rules to the nat table have failed in testing while iptable_nat can be modprobed and listed. Steps to reproduce: modprobe iptable_filter (errors out with Invalid Argument) iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to 192.168.1.1 (usually errors out with Invalid Argument, sometimes succeeds, when succeeds then the rule works fine)
Additionally, when stracing the failed iptables -A ..., iptables is killed with SIGSEGV (not while in a syscall) and doen not yield a Invalid Argument error. This might of course be another bug, in ppc ptrace or iptables userspace program or whatever.
bugme-daemon@bugzilla.kernel.org wrote: > > http://bugzilla.kernel.org/show_bug.cgi?id=6613 > > Summary: iptables broken on 32-bit PReP (ARCH=ppc) > Kernel Version: 2.6.17-rc4 > Status: NEW > Severity: normal > Owner: laforge@gnumonks.org > Submitter: mroos@linux.ee > > > Most recent kernel where this bug did not occur: none known, this is a fresh > install > Distribution: Debian unstable > Hardware Environment: 32-bit PowerPC 604 with PReP subarch (using old > ARCH=ppc) > Software Environment: usual 32-bit ppc userspace, gcc 4.0.3 > Problem Description: iptables operations usually just give "Incalida > operation". modprobe iptable_filter and adding rules to the nat table have > failed in testing while iptable_nat can be modprobed and listed. > > Steps to reproduce: > modprobe iptable_filter (errors out with Invalid Argument) > iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to 192.168.1.1 (usually > errors out with Invalid Argument, sometimes succeeds, when succeeds then the > rule works fine) >
Andrew Morton wrote: > bugme-daemon@bugzilla.kernel.org wrote: > >>http://bugzilla.kernel.org/show_bug.cgi?id=6613 >> >> Summary: iptables broken on 32-bit PReP (ARCH=ppc) >> Kernel Version: 2.6.17-rc4 >> Status: NEW >> Severity: normal >> Owner: laforge@gnumonks.org >> Submitter: mroos@linux.ee >> >> >>Most recent kernel where this bug did not occur: none known, this is a fresh >>install >>Distribution: Debian unstable >>Hardware Environment: 32-bit PowerPC 604 with PReP subarch (using old >>ARCH=ppc) >>Software Environment: usual 32-bit ppc userspace, gcc 4.0.3 >>Problem Description: iptables operations usually just give "Incalida >>operation". modprobe iptable_filter and adding rules to the nat table have >>failed in testing while iptable_nat can be modprobed and listed. >> >>Steps to reproduce: >>modprobe iptable_filter (errors out with Invalid Argument) >>iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to 192.168.1.1 (usually >>errors out with Invalid Argument, sometimes succeeds, when succeeds then the >>rule works fine) Meelis, it would really help if you could try 2.6.16 and in case that doesn't work 2.6.15 to give an idea about whether this is a recent regression or an old problem. We had a number of changes in this area in the last two kernel versions that could be related.
> Meelis, it would really help if you could try 2.6.16 and in case > that doesn't work 2.6.15 to give an idea about whether this is a > recent regression or an old problem. We had a number of changes > in this area in the last two kernel versions that could be related. Yes, I'm still compiling 2.6.16, since just before sending the report. Will let you know ASAP.
>>> http://bugzilla.kernel.org/show_bug.cgi?id=6613 > > Meelis, it would really help if you could try 2.6.16 and in case > that doesn't work 2.6.15 to give an idea about whether this is a > recent regression or an old problem. We had a number of changes > in this area in the last two kernel versions that could be related. 2.6.16 doesn't work either. Tried 2.6.8-3 from sarge package, it is working. Compiling 2.6.15 now...
> Meelis, it would really help if you could try 2.6.16 and in case > that doesn't work 2.6.15 to give an idea about whether this is a > recent regression or an old problem. We had a number of changes > in this area in the last two kernel versions that could be related. Unfortunatlety, 2.6.15 does not boot on this machine so I'm locked out remotely at the moment. Will see if I can find the boot cure - there used to be a Motorola Powerstack-specific patch to make it boot that Debian 2.6.18 and IIRC 2.6.12 packages included and that was integrated somewhere later - maybe it's missing fom 2.6.15.
>>> modprobe iptable_filter (errors out with Invalid Argument) >>> iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to 192.168.1.1 (usually >>> errors out with Invalid Argument, sometimes succeeds, when succeeds then the >>> rule works fine) > > Meelis, it would really help if you could try 2.6.16 and in case > that doesn't work 2.6.15 to give an idea about whether this is a > recent regression or an old problem. We had a number of changes > in this area in the last two kernel versions that could be related. Have not gotten 2.6.15 to work with one evening of tinkering - the irq patch was not sufficent, there is something more broken in booting that I dodn't figure out yet. So no test results for 2.6.15 yet.
Meelis Roos wrote: >> Meelis, it would really help if you could try 2.6.16 and in case >> that doesn't work 2.6.15 to give an idea about whether this is a >> recent regression or an old problem. We had a number of changes >> in this area in the last two kernel versions that could be related. > > > Have not gotten 2.6.15 to work with one evening of tinkering - the irq > patch was not sufficent, there is something more broken in booting that > I dodn't figure out yet. So no test results for 2.6.15 yet. Then lets try something different. Please enable the DEBUG_IP_FIREWALL_USER define in net/ipv4/netfilter/ip_tables.c and post the results, if any.
> Then lets try something different. Please enable the > DEBUG_IP_FIREWALL_USER define in net/ipv4/netfilter/ip_tables.c and > post the results, if any. On bootup I get this in dmesg (one Bad offset has been added): ip_tables: (C) 2000-2006 Netfilter Core Team Netfilter messages via NETLINK v0.30. ip_conntrack version 2.4 (1536 buckets, 12288 max) - 224 bytes per conntrack translate_table: size 632 Bad offset cb437924 ip_nat_init: can't setup rules. And on iptables -t nat -L translate_table: size 632 Bad offset cb4368f4 ip_nat_init: can't setup rules. translate_table: size 632 Bad offset cb4368f4 ip_nat_init: can't setup rules. Seems iptable_nat does not load at all this time. Modprobe iptable_filter still fails, dmesg contains translate_table: size 632 Finished chain 1 Finished chain 2 Finished chain 3 Next modprobe iptable_nat gives translate_table: size 632 Bad offset c8e01944 ip_nat_init: can't setup rules.
Meelis Roos wrote: >> Then lets try something different. Please enable the >> DEBUG_IP_FIREWALL_USER define in net/ipv4/netfilter/ip_tables.c and >> post the results, if any. > > > On bootup I get this in dmesg (one Bad offset has been added): > > ip_tables: (C) 2000-2006 Netfilter Core Team > Netfilter messages via NETLINK v0.30. > ip_conntrack version 2.4 (1536 buckets, 12288 max) - 224 bytes per > conntrack > translate_table: size 632 > Bad offset cb437924 > ip_nat_init: can't setup rules. > > And on iptables -t nat -L > > translate_table: size 632 > Bad offset cb4368f4 > ip_nat_init: can't setup rules. > translate_table: size 632 > Bad offset cb4368f4 > ip_nat_init: can't setup rules. > > Seems iptable_nat does not load at all this time. > > Modprobe iptable_filter still fails, dmesg contains > translate_table: size 632 > Finished chain 1 > Finished chain 2 > Finished chain 3 > > Next modprobe iptable_nat gives > > translate_table: size 632 > Bad offset c8e01944 > ip_nat_init: can't setup rules. Very strange, this means that the initial table data must somehow be wrong, but for some reason it still seems to get past the size and offset checks for the filter table. I can't see how loading the filter table could fail after the "Finished chain .." messages without another message. Which kernel version did you perform these test on?
> Very strange, this means that the initial table data must somehow > be wrong, but for some reason it still seems to get past the > size and offset checks for the filter table. I can't see how > loading the filter table could fail after the "Finished chain .." > messages without another message. Which kernel version did you > perform these test on? Yesterdays 2.6.17-rc5+git.
Meelis Roos wrote: >> Very strange, this means that the initial table data must somehow >> be wrong, but for some reason it still seems to get past the >> size and offset checks for the filter table. I can't see how >> loading the filter table could fail after the "Finished chain .." >> messages without another message. Which kernel version did you >> perform these test on? > > > Yesterdays 2.6.17-rc5+git. Please enable DEBUG_IP_FIREWALL_USER in net/netfilter/x_tables.c as well and retry. Results of the raw or mangle table would also be interesting because they contain a different number of built-in chains.
> Please enable DEBUG_IP_FIREWALL_USER in net/netfilter/x_tables.c as well > and retry. Results of the raw or mangle table would also be interesting > because they contain a different number of built-in chains. Sorry it took so long, I was away. Adding this define does not seem to do much (table->private->number prints only): On boot (1 nat rule): ip_tables: (C) 2000-2006 Netfilter Core Team Netfilter messages via NETLINK v0.30. ip_conntrack version 2.4 (1536 buckets, 12288 max) - 224 bytes per conntrack translate_table: size 632 Finished chain 0 Finished chain 3 Finished chain 4 table->private->number = 4 t->private->number = 4 translate_table: size 800 Bad offset cba528d4 modprobe iptable_nat succeeded in manual modprobe. modprobe iptable_filter: translate_table: size 632 Bad offset cbbd910c modprobe iptable_mangle: translate_table: size 936 Bad offset cbbd80dc modprobe iptable_raw: translate_table: size 480 Bad offset cb8abd44 Retrying ifup and ifdown that tried to do iptables -D and iptables -I: t->private->number = 4 t->private->number = 4 t->private->number = 4 translate_table: size 800 Bad offset cbbd80dc t->private->number = 4 And retrying it more (succeeded this time): t->private->number = 4 t->private->number = 4 translate_table: size 800 Finished chain 0 Finished chain 3 Finished chain 4 ip_tables: Translated table do_replace: oldnum=4, initnum=4, newnum=5 t->private->number = 5
Hmm, I think I'm bitten by this same bug, on an Apple Powerbook (ARCH=powerpc) here. Running latest git as of now. All the relevant netfilter options are set to 'y', however /proc/net/ip_tables_names shows only the 'raw' table and all I'm able to find in the kernel logs are those init messages: Netfilter messages via NETLINK v0.30. ip_conntrack version 2.4 (8192 buckets, 65536 max) - 204 bytes per conntrack ip_tables: (C) 2000-2006 Netfilter Core Team ip_nat_init: can't setup rules. ipt_recent v0.3.1: Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/ arp_tables: (C) 2002 David S. Miller I'm attacing the full .config. Stelian.
Created attachment 8255 [details] .config for 2.6.17-rc5-git
I've examined my logs, and I believe this problem was not in the original 2.6.17-rc4...
After some more research, I found out that the problem exists in both 2.6.17-rc4 and -rc3, but it only happens when you compile with CONFIG_DEBUG_SLAB.
in 2.6.16 (with DEBUG_SLAB), /proc/net/ip_tables_names shows 'raw' and 'filter', but no 'nat' table. Same message (ip_nat_init: can't setup rules) in dmesg.
2.6.15 is ok.
Created attachment 8265 [details] Patch hopefully fixing the problem The problem was caused by an alignment problem. On PowerPC, vmalloc() does not always return an __alignof__(struct _xt_align) aligned address, causing some test to fail later. The fix is crude, it is probably possible to do better than that but right now I need some sleep :) Please make sure this patch (or a better version of it) hits Linus ASAP, hopefully before final 2.6.17 is released. Stelian.
> The problem was caused by an alignment problem. On PowerPC, vmalloc() does > not > always return an __alignof__(struct _xt_align) aligned address, causing some > test to fail later. This patch works for me too.
Stelian, what's the status on this patch, has it been submitted? Thanks.
(In reply to comment #22) > Stelian, what's the status on this patch, has it been submitted? > Thanks. I must say I don't know, it's been a long time... Since I haven't activated CONFIG_DEBUG_SLAB since, I haven't been affected by the bug, should it still be present. This should be retested.
Meelis, I don't see Stelian's patch in the git tree, but still some other changes could've fixed your problem. Can you please test the new kernel 2.6.22+ and confirm the problem is still there or otherwise.
> I don't see Stelian's patch in the git tree, but still some other changes > could've fixed your problem. Can you please test the new kernel 2.6.22+ and > confirm the problem is still there or otherwise. Tried it with SLAB debug and everyting worked fine (2.6.23-rc1+git). So it seems to have been fixed meanwhile by something else.
OK, thanks, let's close the report.