Bug 9657 (Malmis)

Summary: iptables won't work
Product: Networking Reporter: Kristoffer Malmström (malmis)
Component: Netfilter/IptablesAssignee: networking_netfilter-iptables (networking_netfilter-iptables)
Severity: high CC: bunk
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.24-rc6-git5 Subsystem:
Regression: Yes Bisected commit-id:
Bug Depends on:    
Bug Blocks: 9243    
Attachments: 2.6.24-rc6-git3
commit fae718ddaf2b00e222dddec6717aca023376723c
firewall script
normal firewall output

Description Kristoffer Malmström 2007-12-28 20:32:27 UTC
Most recent kernel where this bug did not occur: 2.6.24-rc6-git3
Distribution: Slackware 12
Hardware Environment: P3 500
Software Environment:
Problem Description: 
the iptables doesnt work after patching to git5, with same config, and even if i add some options in the config it won't work.

Steps to reproduce:
patching the 2.6.24-rc6 with git5 from any earlier versions, using options for netfilter and iptables and router options.
Comment 1 Adrian Bunk 2007-12-29 00:57:22 UTC
Thanks for your report.

Please attach the output of "dmesg -s 1000000" for both kernels after booting.
Comment 2 Kristoffer Malmström 2007-12-29 01:12:26 UTC
Created attachment 14221 [details]
Comment 3 Kristoffer Malmström 2007-12-29 01:12:48 UTC
Created attachment 14222 [details]
Comment 4 Adrian Bunk 2007-12-29 01:44:33 UTC
Created attachment 14223 [details]
commit fae718ddaf2b00e222dddec6717aca023376723c

Please try whether _reverting_ this patch in 2.6.24-rc6-git5 fixes your problem.

And no matter whether it fixes the problem or not, please verify that 2.6.24-rc6-git5 is really broken by unpacking and compiling it from scratch - this is not meant against you, but I've seen too often (including in "bugs" I found myself) that time was spent on chasing a phantom bug that turned out to be nonreproducible even for the submitter. Things like e.g. a bit error in some file caused by faulty RAM or unpacking kernel sources at full moon ;-) can cause such problems.
Comment 5 Kristoffer Malmström 2007-12-29 01:55:23 UTC
i've unpacked and compiled from scratch 3 times, same thing happens :/
i'm gonna try the patch but isn't thatone already in the git5?
can try it on another computer too.
Comment 6 Adrian Bunk 2007-12-29 02:00:21 UTC
(In reply to comment #5)
> i've unpacked and compiled from scratch 3 times, same thing happens :/

OK, that should be more than enough.

> i'm gonna try the patch but isn't thatone already in the git5?

You should _revert_ it.
Comment 7 Kristoffer Malmström 2007-12-29 02:09:40 UTC
hmm and how do i do that?
Comment 8 Adrian Bunk 2007-12-29 02:16:18 UTC
Save the attachment in a file named patch-netfilter and then do in 2.6.24-rc6-git5:
  patch -p1 -R < patch-netfilter
Comment 9 Kristoffer Malmström 2007-12-29 02:31:34 UTC
patching file include/net/netfilter/nf_conntrack.h
Unreversed patch detected!  Ignore -R? [n]
Apply anyway? [n] y
Hunk #1 FAILED at 249.
1 out of 1 hunk FAILED -- saving rejects to file include/net/netfilter/nf_conntrack.h.rej
patching file net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
Unreversed patch detected!  Ignore -R? [n]
Apply anyway? [n] y
Hunk #1 FAILED at 419.
1 out of 1 hunk FAILED -- saving rejects to file net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c.rej
patching file net/netfilter/nf_conntrack_core.c

doesnt look very good..
Comment 10 Kristoffer Malmström 2007-12-29 02:50:40 UTC
hm can't really understand this, but it works on another computer with same config-file but git6, but what i've seen theres no new patch since git5 for netfilter, so maybe it's just me having problem with this... :(
Comment 11 Rafael J. Wysocki 2007-12-29 06:17:38 UTC
Kristoffer, can you use git to download the kernel sources:

$ git-clone \
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
> linux-2.6

then go to the linux-2.6 directory and do:

$ git-checkout 81100eb80add328c4d2a377326f15aa0e7236398

compile the kernel and see if it works?
Comment 12 Patrick McHardy 2007-12-29 08:37:42 UTC
In case it doesn't work, please describe more accurately the problems you're seeing and attach your firewall script, commands to load netfilter modules etc.
Comment 13 Kristoffer Malmström 2007-12-29 17:02:15 UTC
Created attachment 14226 [details]
firewall script
Comment 14 Kristoffer Malmström 2007-12-29 17:02:33 UTC
Created attachment 14227 [details]
normal firewall output
Comment 15 Kristoffer Malmström 2007-12-29 17:03:57 UTC
heres some output from the kernel and from when im trying to load the firewall script.

[   46.341294] eth0: link up, 100Mbps, full-duplex, lpa 0x41E1
[   46.604040] eth1: link up, 100Mbps, full-duplex, lpa 0x45E1
[   47.789309] can't load conntrack support for proto=2
[   56.348634] eth0: no IPv6 routers present
[   56.715659] eth1: no IPv6 routers present
[   60.679218] sit1: Disabled Privacy Extensions
root@tux:~# /etc/rc.d/rc.firewall
Loading iptables firewall:
Checking configuration...
Your kernel lacks stateful matching, this would break this script. Aborting.
root@tux:~# uname -a
Linux tux 2.6.24-rc6-g81100eb8 #1 Sat Dec 29 21:07:59 CET 2007 i686 Pentium III (Katmai) GenuineIntel GNU/Linux

attaching normal output from firwall and the script.
Comment 16 Patrick McHardy 2007-12-29 17:15:08 UTC
The failing command appears to be:

${IPTABLES} -A SYSTEST -m state --state ESTABLISHED -j ACCEPT > /dev/null 2>&1

Please also post the output of "strace iptables -A INPUT -m state --state ESTABLISHED" and the lsmod and dmesg output after executing this command.

Do you have any module parameters configured for ip_conntrack, nf_conntrack or nf_conntrack_ipv4?
Comment 17 Kristoffer Malmström 2007-12-29 17:30:34 UTC
i have set every paramter for netfilter, conntrack and almost everything for network that's not experimental.
i don't compile modules, i'm including everything.

posting output of those things soon.
Comment 18 Kristoffer Malmström 2007-12-29 18:58:19 UTC
when i put the configfile from the 2.6.24-rc6-git3 and didn't change anything, then it worked ith 2.6.24-rc6-git5, hmm this makes me confused.

and when i run the strace iptables..... this is shown:

# strace iptables -A INPUT -m state --state > strace.txt
execve("/usr/sbin/iptables", ["iptables", "-A", "INPUT", "-m", "state", "--state"], [/* 28 vars */]) = 0
brk(0)                                  = 0x8054000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=92553, ...}) = 0
mmap2(NULL, 92553, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ed6000
close(3)                                = 0
open("/lib/libdl.so.2", O_RDONLY)       = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\n\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=13506, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ed5000
mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ed1000
mmap2(0xb7ed3000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7ed3000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320d\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1583452, ...}) = 0
mmap2(NULL, 1365552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d83000
mmap2(0xb7ecb000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x148) = 0xb7ecb000
mmap2(0xb7ece000, 9776, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ece000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d82000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d826c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7ecb000, 4096, PROT_READ)   = 0
munmap(0xb7ed6000, 92553)               = 0
brk(0)                                  = 0x8054000
brk(0x8075000)                          = 0x8075000
open("/usr/lib/iptables/libipt_state.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\5\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=4588, ...}) = 0
mmap2(NULL, 7460, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7eeb000
mmap2(0xb7eec000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xb7eec000
close(3)                                = 0
write(2, "iptables v1.3.8: ", 17iptables v1.3.8: )       = 17
write(2, "Unknown arg `--state\'", 21Unknown arg `--state')  = 21
write(2, "\n", 1
)                       = 1
write(2, "Try `iptables -h\' or \'iptables -"..., 61Try `iptables -h' or 'iptables --help' for more information.
) = 61
exit_group(2)                           = ?
Process 4031 detached
Comment 19 Patrick McHardy 2007-12-30 06:32:20 UTC
(In reply to comment #18)
> # strace iptables -A INPUT -m state --state > strace.txt

This is missing "ESTABLISHED", which is causing the error in your strace.
Comment 20 Kristoffer Malmström 2007-12-30 12:26:32 UTC
ah ok, i see now, i was copy/paste'ing and the ESTABLISHED came on a new row. 
Comment 21 Patrick McHardy 2007-12-31 06:18:01 UTC
So please post the correct strace ...
Comment 22 Patrick McHardy 2008-01-12 13:13:05 UTC
Any further information on this? Otherwise please close.