Bug 9657 (Malmis)
| Summary: | iptables won't work | | |
|---|---|---|---|
| Product: | Networking | Reporter: | Kristoffer Malmström (malmis) |
| Component: | Netfilter/Iptables | Assignee: | networking_netfilter-iptables (networking_netfilter-iptables) |
| Status: | CLOSED INSUFFICIENT_DATA | | |
| Severity: | high | CC: | bunk |
| Priority: | P1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | 2.6.24-rc6-git5 | Subsystem: | |
| Regression: | Yes | Bisected commit-id: | |
| Bug Depends on: | | | |
| Bug Blocks: | 9243 | | |

Attachments:
- 2.6.24-rc6-git3 (attachment 14221)
- 2.6.24-rc6-git5 (attachment 14222)
- commit fae718ddaf2b00e222dddec6717aca023376723c (attachment 14223)
- firewall script (attachment 14226)
- normal firewall output (attachment 14227)
Description

Kristoffer Malmström, 2007-12-28 20:32:27 UTC

Thanks for your report. Please attach the output of "dmesg -s 1000000" for both kernels after booting.

Created attachment 14221 [details]
2.6.24-rc6-git3

Created attachment 14222 [details]
2.6.24-rc6-git5

Created attachment 14223 [details]
commit fae718ddaf2b00e222dddec6717aca023376723c

Please try whether _reverting_ this patch in 2.6.24-rc6-git5 fixes your problem.
And no matter whether it fixes the problem or not, please verify that 2.6.24-rc6-git5 is really broken by unpacking and compiling it from scratch - this is not meant against you, but I've seen too often (including in "bugs" I found myself) that time was spent on chasing a phantom bug that turned out to be nonreproducible even for the submitter. Things like e.g. a bit error in some file caused by faulty RAM or unpacking kernel sources at full moon ;-) can cause such problems.
I've unpacked and compiled from scratch 3 times, same thing happens :/ I'm gonna try the patch but isn't that one already in the git5? Can try it on another computer too.

(In reply to comment #5)
> I've unpacked and compiled from scratch 3 times, same thing happens :/

OK, that should be more than enough.

> I'm gonna try the patch but isn't that one already in the git5?
>...

You should _revert_ it.

Hmm, and how do I do that?

Save the attachment in a file named patch-netfilter and then do in 2.6.24-rc6-git5:

```
patch -p1 -R < patch-netfilter
```

```
patching file include/net/netfilter/nf_conntrack.h
Unreversed patch detected!  Ignore -R? [n]
Apply anyway? [n] y
Hunk #1 FAILED at 249.
1 out of 1 hunk FAILED -- saving rejects to file include/net/netfilter/nf_conntrack.h.rej
patching file net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
Unreversed patch detected!  Ignore -R? [n]
Apply anyway? [n] y
Hunk #1 FAILED at 419.
1 out of 1 hunk FAILED -- saving rejects to file net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c.rej
patching file net/netfilter/nf_conntrack_core.c
```

Doesn't look very good..

Hm, can't really understand this, but it works on another computer with the same config file but git6, but from what I've seen there's no new patch since git5 for netfilter, so maybe it's just me having a problem with this... :(

Kristoffer, can you use git to download the kernel sources:

```
$ git-clone \
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
> linux-2.6
```

then go to the linux-2.6 directory and do:

```
$ git-checkout 81100eb80add328c4d2a377326f15aa0e7236398
```

compile the kernel and see if it works?

In case it doesn't work, please describe more accurately the problems you're seeing and attach your firewall script, commands to load netfilter modules etc.

Created attachment 14226 [details]
firewall script

Created attachment 14227 [details]
normal firewall output
Here's some output from the kernel and from when I'm trying to load the firewall script.

```
[ 46.341294] eth0: link up, 100Mbps, full-duplex, lpa 0x41E1
[ 46.604040] eth1: link up, 100Mbps, full-duplex, lpa 0x45E1
[ 47.789309] can't load conntrack support for proto=2
[ 56.348634] eth0: no IPv6 routers present
[ 56.715659] eth1: no IPv6 routers present
[ 60.679218] sit1: Disabled Privacy Extensions
root@tux:~# /etc/rc.d/rc.firewall
Loading iptables firewall:
Checking configuration...
Your kernel lacks stateful matching, this would break this script.
Aborting.
root@tux:~# uname -a
Linux tux 2.6.24-rc6-g81100eb8 #1 Sat Dec 29 21:07:59 CET 2007 i686 Pentium III (Katmai) GenuineIntel GNU/Linux
root@tux:~#
```

Attaching normal output from the firewall and the script.

The failing command appears to be:

```
${IPTABLES} -A SYSTEST -m state --state ESTABLISHED -j ACCEPT > /dev/null 2>&1
```

Please also post the output of "strace iptables -A INPUT -m state --state ESTABLISHED" and the lsmod and dmesg output after executing this command.

Do you have any module parameters configured for ip_conntrack, nf_conntrack or nf_conntrack_ipv4?

I have set every parameter for netfilter, conntrack and almost everything for network that's not experimental. I don't compile modules, I'm including everything. Posting output of those things soon.

When I put the config file from the 2.6.24-rc6-git3 and didn't change anything, then it worked with 2.6.24-rc6-git5, hmm this makes me confused.

And when I run the strace iptables..... this is shown:

```
# strace iptables -A INPUT -m state --state > strace.txt
execve("/usr/sbin/iptables", ["iptables", "-A", "INPUT", "-m", "state", "--state"], [/* 28 vars */]) = 0
brk(0) = 0x8054000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=92553, ...}) = 0
mmap2(NULL, 92553, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ed6000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\n\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=13506, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ed5000
mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ed1000
mmap2(0xb7ed3000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7ed3000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320d\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1583452, ...}) = 0
mmap2(NULL, 1365552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d83000
mmap2(0xb7ecb000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x148) = 0xb7ecb000
mmap2(0xb7ece000, 9776, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ece000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d82000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d826c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7ecb000, 4096, PROT_READ) = 0
munmap(0xb7ed6000, 92553) = 0
brk(0) = 0x8054000
brk(0x8075000) = 0x8075000
open("/usr/lib/iptables/libipt_state.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\5\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=4588, ...}) = 0
mmap2(NULL, 7460, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7eeb000
mmap2(0xb7eec000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xb7eec000
close(3) = 0
write(2, "iptables v1.3.8: ", 17iptables v1.3.8: ) = 17
write(2, "Unknown arg `--state\'", 21Unknown arg `--state') = 21
write(2, "\n", 1
) = 1
write(2, "Try `iptables -h\' or \'iptables -"..., 61Try `iptables -h' or 'iptables --help' for more information.
) = 61
exit_group(2) = ?
Process 4031 detached
```

(In reply to comment #18)
> # strace iptables -A INPUT -m state --state > strace.txt

This is missing "ESTABLISHED", which is causing the error in your strace.

Ah ok, I see now, I was copy/pasting and the ESTABLISHED came on a new row.

So please post the correct strace ...

Any further information on this? Otherwise please close.
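The thread turns on a firewall script aborting because its `-m state` test rule failed, a "can't load conntrack support for proto=2" line in dmesg, and a reporter who says every netfilter option was built in. The POSIX shell script below is an added example, not the reporter's rc.firewall and not code from the kernel tree: it checks a kernel `.config` for the options that state matching depends on and counts conntrack load failures in a saved dmesg capture, so both can be inspected before a script like this one refuses to run. The `CONFIG_*` symbols are real kernel options; that these four are the ones a stateful firewall script needs is an assumption made here, and the `.config` and dmesg samples are constructed for the example, not the attachments from this bug.

```shell
#!/bin/sh
# Added example, not the reporter's firewall script or kernel code.
# Checks the two inputs this bug thread looks at before a script can rely
# on "iptables -m state": the kernel config and conntrack errors in dmesg.
# The option names are real kernel symbols; treating these four as the set a
# stateful firewall needs is an assumption of this example.

STATE_MATCH_OPTIONS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_STATE"

# check_state_match_config <.config file>
# Prints "<option> builtin|module|missing" for each option.
# Returns 0 when every option is =y or =m, 1 when any is missing.
# A "# CONFIG_X is not set" line is deliberately reported as missing.
check_state_match_config() {
    _cfg="$1"
    _missing=0
    for _opt in $STATE_MATCH_OPTIONS; do
        _line=$(grep "^${_opt}=" "$_cfg" | head -n 1)
        case "$_line" in
            "${_opt}=y") printf '%s builtin\n' "$_opt" ;;
            "${_opt}=m") printf '%s module\n' "$_opt" ;;
            *)           printf '%s missing\n' "$_opt"; _missing=1 ;;
        esac
    done
    return $_missing
}

# conntrack_load_errors <dmesg capture file>
# Prints how many "can't load conntrack support" lines the kernel logged
# (0 when there are none). A module-based kernel logs this when the
# per-protocol conntrack module could not be loaded.
conntrack_load_errors() {
    grep -c "can't load conntrack support" "$1" || true
}

# Constructed sample inputs (not the attachments from the bug report).
GOOD_CONFIG=$(mktemp)
cat > "$GOOD_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
EOF

BAD_CONFIG=$(mktemp)
cat > "$BAD_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NF_CONNTRACK is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m
EOF

SAMPLE_DMESG=$(mktemp)
cat > "$SAMPLE_DMESG" <<'EOF'
[   46.341294] eth0: link up, 100Mbps, full-duplex, lpa 0x41E1
[   47.789309] can't load conntrack support for proto=2
[   56.348634] eth0: no IPv6 routers present
EOF
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG" "$SAMPLE_DMESG"' EXIT

for f in "$GOOD_CONFIG" "$BAD_CONFIG"; do
    if check_state_match_config "$f"; then
        echo "$f: stateful matching available"
    else
        echo "$f: stateful matching NOT available"
    fi
done
echo "conntrack load errors in dmesg: $(conntrack_load_errors "$SAMPLE_DMESG")"
```

Point it at the tree's `.config` (or `/proc/config.gz` run through `zcat` into a file) and a saved `dmesg` capture. Unlike the script's own test rule, it needs neither root nor a working iptables, and it separates a kernel that was never built with the options from one that has them but logged a conntrack load failure at runtime.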