* Re: iptables is complaining with bogus unknown error 18446744073709551615
       [not found] <200604210738.k3L7cBGO010103@mailgw.aecom.yu.edu>
@ 2006-04-27  1:12 ` Maurice Volaski
  2006-04-27 13:51   ` Harald Welte
  0 siblings, 1 reply; 6+ messages in thread
From: Maurice Volaski @ 2006-04-27  1:12 UTC (permalink / raw)
  To: netfilter, linux-kernel

Automatic kernel module loading! That is an option and it's off by 
default. When it's off, attempts to load kernel modules are ignored 
internally, and that's why iptables was failing. It tried to load 
xt_tcpudp, but was ignored by the kernel.


>
>At least since 2.6.1.16.1, many calls to iptables no longer function
>at least under 64-bit x86, presumably due to a bug in the netfilter
>kernel code.
>
>The problem is still present in 2.6.17-rc2.
>
>The error from iptables is
>iptables: unknown error 18446744073709551615
>
>Examples of rules that give the error are
>
>1) iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT
>2) iptables -A INPUT -i bond0 -s 129.98.90.101/32 -p tcp --dport 497 -j ACCEPT
>3) iptables -A INPUT -i bond0 -s 129.98.90.227/32 -p tcp --dport 22 -j ACCEPT
>
>Example of a rule that does not give the error:
>1) iptables -A INPUT -i bond0 -p ICMP --icmp-type echo-request -s
>129.98.90.13/32 -j ACCEPT
>
>The computer is using IPv4 and not IPv6, which has not been compiled into the
>kernel.
>
>iptables is version 1.3.5.
>
>Kernel configuration related to iptables follows:
>



>lsmod shows
>xt_state                4928  0
>ipt_LOG                 8960  0
>ip_conntrack_ftp       10000  0
>ip_conntrack           57880  2 xt_state,ip_conntrack_ftp
>nfnetlink               8520  1 ip_conntrack
>iptable_filter          5440  0
>ip_tables              22168  1 iptable_filter
>x_tables               17800  3 xt_state,ipt_LOG,ip_tables
>

-- 

Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University



* Re: iptables is complaining with bogus unknown error 18446744073709551615
  2006-04-27  1:12 ` iptables is complaining with bogus unknown error 18446744073709551615 Maurice Volaski
@ 2006-04-27 13:51   ` Harald Welte
  2006-04-27 15:41     ` Maurice Volaski
  0 siblings, 1 reply; 6+ messages in thread
From: Harald Welte @ 2006-04-27 13:51 UTC (permalink / raw)
  To: Maurice Volaski; +Cc: netfilter, linux-kernel


On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
> Automatic kernel module loading! That is an option and it's off by
> default. When it's off, attempts to load kernel modules are ignored
> internally, and that's why iptables was failing. It tried to load 
> xt_tcpudp, but was ignored by the kernel.

What do you mean by "it's an option" and "is off by default".  I would
claim that any major linux distribution that I've seen in the last ten
years has support for module auto loading (enabled by default).

There are many userspace programs that try to autoload modules, such as
device-mapper, ipsec, etc.  

If you disable module autoloading, it's your own responsibility to load
modules manually.

So the only thing that I really consider a bug is that bogus error
message of iptables.  This has been fixed in SVN, case closed.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


* Re: iptables is complaining with bogus unknown error 18446744073709551615
  2006-04-27 13:51   ` Harald Welte
@ 2006-04-27 15:41     ` Maurice Volaski
  2006-04-27 19:24       ` CONFIG_KMOD in x86_64/defconfig (was Re: iptables is complaining with bogus unknown error 18446744073709551615) Harald Welte
  0 siblings, 1 reply; 6+ messages in thread
From: Maurice Volaski @ 2006-04-27 15:41 UTC (permalink / raw)
  To: Harald Welte; +Cc: netfilter, linux-kernel

>On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
>>  Automatic kernel module loading! That is an option and it's off by
>>  default. When it's off, attempts to load kernel modules are ignored
>>  internally, and that's why iptables was failing. It tried to load
>>  xt_tcpudp, but was ignored by the kernel.
>
>What do you mean by "it's an option" and "is off by default".  I would
>claim that any major linux distribution that I've seen in the last ten
>years has support for module auto loading (enabled by default).
>

Distribution vendors are free to change it to whatever they want, I 
guess, but it's OFF by default in the official kernel (.config).
-- 

Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University


* CONFIG_KMOD in x86_64/defconfig (was Re: iptables is complaining with bogus unknown error 18446744073709551615)
  2006-04-27 15:41     ` Maurice Volaski
@ 2006-04-27 19:24       ` Harald Welte
  2006-04-27 20:00         ` Maurice Volaski
  2006-04-27 20:01         ` Arjan van de Ven
  0 siblings, 2 replies; 6+ messages in thread
From: Harald Welte @ 2006-04-27 19:24 UTC (permalink / raw)
  To: Maurice Volaski; +Cc: netfilter, linux-kernel


On Thu, Apr 27, 2006 at 11:41:40AM -0400, Maurice Volaski wrote:
> >On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
> >> Automatic kernel module loading! That is an option and it's off by
> >> default. When it's off, attempts to load kernel modules are ignored
> >> internally, and that's why iptables was failing. It tried to load
> >> xt_tcpudp, but was ignored by the kernel.
> >What do you mean by "it's an option" and "is off by default".  I would
> >claim that any major linux distribution that I've seen in the last ten
> >years has support for module auto loading (enabled by default).
> 
> Distribution vendors are free to change it to whatever they want, I guess, but it's OFF by 
> default in the official kernel (.config).

apparently architecture-specific:

grep KMOD arch/i386/defconfig
CONFIG_KMOD=y

grep KMOD arch/x86_64/defconfig
CONFIG_KMOD is not set

don't know why x86_64 turns it off by default.  the help message says
'if unsure, say Y' (which makes sense!)
-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
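
Added example, not part of any message in this thread: a small shell check that combines the two facts the thread turns on, the CONFIG_KMOD state of a kernel config and whether a module iptables needs (here xt_tcpudp) appears in lsmod. The function names and the two config strings are assumptions constructed for illustration; the lsmod listing is the one quoted in the original report.

```shell
#!/bin/sh
# Sample inputs. LSMOD_OUT is the lsmod listing quoted in the thread;
# the two config lines use the on-disk defconfig syntax (constructed).
I386_CFG='CONFIG_KMOD=y'
X86_64_CFG='# CONFIG_KMOD is not set'
LSMOD_OUT='xt_state                4928  0
ipt_LOG                 8960  0
ip_conntrack_ftp       10000  0
ip_conntrack           57880  2 xt_state,ip_conntrack_ftp
nfnetlink               8520  1 ip_conntrack
iptable_filter          5440  0
ip_tables              22168  1 iptable_filter
x_tables               17800  3 xt_state,ipt_LOG,ip_tables'

# kmod_state CONFIG_TEXT: print y, n or unknown for CONFIG_KMOD.
# Accepts "not set" with or without the leading "# ".
kmod_state() {
    printf '%s\n' "$1" | awk '
        /^CONFIG_KMOD=y$/                  { s = "y" }
        /^(# )?CONFIG_KMOD is not set$/    { s = "n" }
        END { print (s == "" ? "unknown" : s) }'
}

# missing_modules LSMOD_TEXT MODULE...: print each MODULE not listed.
missing_modules() {
    lsmod_text=$1; shift
    for m in "$@"; do
        printf '%s\n' "$lsmod_text" |
            awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' ||
            printf '%s\n' "$m"
    done
}

# advise CONFIG_TEXT LSMOD_TEXT MODULE...: one-line verdict.
advise() {
    cfg=$1; shift
    state=$(kmod_state "$cfg")
    miss=$(missing_modules "$@" | tr '\n' ' ')
    miss=${miss% }
    if [ -z "$miss" ]; then
        echo "ok: all required modules loaded"
    elif [ "$state" = y ]; then
        echo "autoload enabled; kernel may request: $miss"
    else
        echo "autoload $state; load manually: modprobe -a $miss"
    fi
}

advise "$X86_64_CFG" "$LSMOD_OUT" xt_tcpudp xt_state
```

On a live system the same functions can be fed the running kernel's config text and the output of `lsmod`.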


* Re: CONFIG_KMOD in x86_64/defconfig (was Re: iptables is complaining with bogus unknown error 18446744073709551615)
  2006-04-27 19:24       ` CONFIG_KMOD in x86_64/defconfig (was Re: iptables is complaining with bogus unknown error 18446744073709551615) Harald Welte
@ 2006-04-27 20:00         ` Maurice Volaski
  2006-04-27 20:01         ` Arjan van de Ven
  1 sibling, 0 replies; 6+ messages in thread
From: Maurice Volaski @ 2006-04-27 20:00 UTC (permalink / raw)
  To: Harald Welte; +Cc: netfilter, linux-kernel

>On Thu, Apr 27, 2006 at 11:41:40AM -0400, Maurice Volaski wrote:
>>  >On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
>>  >> Automatic kernel module loading! That is an option and it's off by
>>  >> default. When it's off, attempts to load kernel modules are ignored
>>  >> internally, and that's why iptables was failing. It tried to load
>>  >> xt_tcpudp, but was ignored by the kernel.
>>  >What do you mean by "it's an option" and "is off by default".  I would
>>  >claim that any major linux distribution that I've seen in the last ten
>>  >years has support for module auto loading (enabled by default).
>>
>>  Distribution vendors are free to change it to whatever they want, 
>>I guess, but it's OFF by
>>  default in the official kernel (.config).
>
>apparently architecture-specific:
>
>grep KMOD arch/i386/defconfig
>CONFIG_KMOD=y
>
>grep KMOD arch/x86_64/defconfig
>CONFIG_KMOD is not set
>
>don't know why x86_64 turns it off by default.  the help message says

A typo, perhaps? If so, won't be for much longer: 
http://bugzilla.kernel.org/show_bug.cgi?id=6451
-- 

Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University



* Re: CONFIG_KMOD in x86_64/defconfig (was Re: iptables is complaining with bogus unknown error 18446744073709551615)
  2006-04-27 19:24       ` CONFIG_KMOD in x86_64/defconfig (was Re: iptables is complaining with bogus unknown error 18446744073709551615) Harald Welte
  2006-04-27 20:00         ` Maurice Volaski
@ 2006-04-27 20:01         ` Arjan van de Ven
  1 sibling, 0 replies; 6+ messages in thread
From: Arjan van de Ven @ 2006-04-27 20:01 UTC (permalink / raw)
  To: Harald Welte; +Cc: Maurice Volaski, netfilter, linux-kernel

On Thu, 2006-04-27 at 16:24 -0300, Harald Welte wrote:
> On Thu, Apr 27, 2006 at 11:41:40AM -0400, Maurice Volaski wrote:
> > >On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
> > >> Automatic kernel module loading! That is an option and it's off by
> > >> default. When it's off, attempts to load kernel modules are ignored
> > >> internally, and that's why iptables was failing. It tried to load
> > >> xt_tcpudp, but was ignored by the kernel.
> > >What do you mean by "it's an option" and "is off by default".  I would
> > >claim that any major linux distribution that I've seen in the last ten
> > >years has support for module auto loading (enabled by default).
> > 
> > Distribution vendors are free to change it to whatever they want, I guess, but it's OFF by 
> > default in the official kernel (.config).
> 
> apparently architecture-specific:
> 
> grep KMOD arch/i386/defconfig
> CONFIG_KMOD=y
> 
> grep KMOD arch/x86_64/defconfig
> CONFIG_KMOD is not set
> 
> don't know why x86_64 turns it off by default.  the help message says
> 'if unsure, say Y' (which makes sense!)


also defconfig is really irrelevant... you should look at what the
Kconfig has to say
