From: Pablo Neira <pablo@eurodev.net>
To: Harald Welte <laforge@netfilter.org>
Cc: Tobias DiPasquale <codeslinger@gmail.com>,
nf-devel <netfilter-devel@lists.netfilter.org>
Subject: Re: Linux 2.6.12/iptables 1.3.1+CLUSTERIP issues
Date: Wed, 22 Jun 2005 23:05:29 +0200
Message-ID: <42B9D299.1080902@eurodev.net>
In-Reply-To: <20050622121509.GG4551@obroa-skai.de.gnumonks.org>
[-- Attachment #1: Type: text/plain, Size: 1345 bytes --]
Hi Harald,
Harald Welte wrote:
>>2. I installed this rule just to test things out:
>>
>>iptables -A INPUT -d 192.168.1.3 -i eth0 -p tcp --dport 3000 -j
>>CLUSTERIP --new --hashmode sourceip-sourceport --clustermac
>>01:23:45:67:89:AB --total-nodes 2 --local-node 1
>>
>>I then tried to remove it (I didn't update iptables rules again since
>>then) by switching the -A to a -D and that failed. I tried all sorts
>>of combinations of the arguments to -j CLUSTERIP but they all failed.
>>Eventually, I was forced to remove the rule by using the iptables rule
>># (e.g. iptables -D INPUT 10). I feel that this is in error, but I've
>>seen at least two patches to CLUSTERIP that claim to fix rule
>>deletion. Am I doing something wrong?
fix-del-with-userspacesize-target.patch:
You still need to apply this patch to iptables, it got lost somehow
since I've posted it some time ago. It fixes ipt_CLUSTERIP deletion. To
be precise, it fixes rule deletion of targets whose userspace size part
differs from the kernel part.
BTW, I forgot if you passed the patch here below (link) to davem? I
can't see it in the current git snapshot. Got lost as well?
http://people.netfilter.org/pablo/patches/fixes/kernel/pending/fix-layout-CLUSTERIP.patch
@Tobias: With both patches applied you'll fix your problems with
CLUSTERIP rule deletion.
--
Pablo
[-- Attachment #2: fix-del-with-userspacesize-target.patch --]
[-- Type: text/x-patch, Size: 795 bytes --]
Index: libiptc/libip4tc.c
===================================================================
--- libiptc/libip4tc.c (revision 3742)
+++ libiptc/libip4tc.c (working copy)
@@ -210,6 +210,7 @@
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
return NULL;
+ mptr += IPT_ALIGN(sizeof(struct ipt_entry_target));
return mptr;
}
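Review bot: The added `mptr += IPT_ALIGN(sizeof(struct ipt_entry_target));` just before `return mptr;` changes what the returned pointer means, from the position right after the matches to the position past the aligned target header, and nothing in the hunk documents that. A one-line comment above it, saying that the caller gets a pointer to the target's data area (the part whose userspace size can differ from the kernel's), would save the next reader from working it out. The context lines use the `STRUCT_ENTRY` abstraction, so if this file has an equivalent macro for the target struct, using it here would be more consistent than the concrete `struct ipt_entry_target`.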
Index: libiptc/libip6tc.c
===================================================================
--- libiptc/libip6tc.c (revision 3742)
+++ libiptc/libip6tc.c (working copy)
@@ -242,6 +242,7 @@
mptr = matchmask + sizeof(STRUCT_ENTRY);
if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
return NULL;
+ mptr += IP6T_ALIGN(sizeof(struct ip6t_entry_target));
return mptr;
}
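Review bot: In the libip6tc.c hunk, `mptr` is advanced by `IP6T_ALIGN(sizeof(struct ip6t_entry_target))` with no visible check that the result still lies inside the `matchmask` buffer it was derived from. Please confirm that the caller allocates `matchmask` large enough to cover the entry, all matches and the target header, since the hunk shows only the pointer arithmetic. This line is also a copy of the libip4tc.c change, so any comment or adjustment agreed there should be mirrored here.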