* Unable to add rule on Chain with 28 characters
@ 2005-07-08 18:53 Rafael Dreher
2005-07-11 10:57 ` John A. Sullivan III
0 siblings, 1 reply; 12+ messages in thread
From: Rafael Dreher @ 2005-07-08 18:53 UTC (permalink / raw)
To: netfilter
Hi,
I'm trying to add a rule on a user-defined chain, on the NAT table, with 28 characters.
The chain has been added without any problem, but when I add the rule, iptables says that it's unable to find the chain.
If I reduce the chain to 25 characters, it works. I'm trying to migrate a set of rules from iptables-1.2.11 to 1.3.1,
and I don't want to rewrite the rules.
Can someone help me?
My iptables version: 1.3.1
My kernel version: 2.4.31
POM-Patches:
CLASSIFY
SAME
comment
NETMAP
iprange
quota
time
IPMARK
ROUTE
account
h323-conntrack-nat
ipp2p
l7-filter-pom-1.4
mms-conntrack-nat
msnp-conntrack-nat
pptp-conntrack-nat
quake3-conntrack-nat
string
mport
Thanks in advance.
--
Rafael Dreher
-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify
^ permalink raw reply [flat|nested] 12+ messages in thread
* Unable to add rule on Chain with 28 characters.
@ 2005-07-08 19:00 Rafael Dreher
2005-07-08 19:50 ` Jason Opperisano
0 siblings, 1 reply; 12+ messages in thread
From: Rafael Dreher @ 2005-07-08 19:00 UTC (permalink / raw)
To: netfilter
Hi,
I'm trying to add a rule on a user-defined chain, on the NAT table, with 28 characters.
The chain has been added without any problem, but when I add the rule, iptables says that it's unable to find the chain.
If I reduce the chain to 25 characters, it works. I'm trying to migrate a set of rules from iptables-1.2.11 to 1.3.1,
and I don't want to rewrite the rules.
Can someone help me?
My iptables version: 1.3.1
My kernel version: 2.4.31
POM-Patches:
CLASSIFY
SAME
comment
NETMAP
iprange
quota
time
IPMARK
ROUTE
account
h323-conntrack-nat
ipp2p
l7-filter-pom-1.4
mms-conntrack-nat
msnp-conntrack-nat
pptp-conntrack-nat
quake3-conntrack-nat
string
mport
Thanks in advance.
--
Rafael Dreher
-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Unable to add rule on Chain with 28 characters.
2005-07-08 19:00 Unable to add rule on Chain with 28 characters Rafael Dreher
@ 2005-07-08 19:50 ` Jason Opperisano
2005-07-08 20:01 ` Rafael Dreher
0 siblings, 1 reply; 12+ messages in thread
From: Jason Opperisano @ 2005-07-08 19:50 UTC (permalink / raw)
To: netfilter
On Fri, Jul 08, 2005 at 04:00:23PM -0300, Rafael Dreher wrote:
> Hi,
>
> I'm trying to add a rule on a user-defined chain, on the NAT table, with 28
> characters.
my guess is you're leaving out the '-t nat' as custom chains only exist
in the table they're created in:
# iptables -t nat -N GqKOJUpUAOboDEbYcaVUCDqprFy
# iptables -t nat -A GqKOJUpUAOboDEbYcaVUCDqprFy -j ACCEPT
# iptables -t nat -A PREROUTING -j GqKOJUpUAOboDEbYcaVUCDqprFy
# iptables -t nat -vnxL
Chain GqKOJUpUAOboDEbYcaVUCDqprFy (1 references)
pkts bytes target prot opt in out source
destination
1 78 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1 78 GqKOJUpUAOboDEbYcaVUCDqprFy all -- * *
0.0.0.0/0 0.0.0.0/0
<--- snip --->
# iptables -V && uname -r
iptables v1.3.1
2.6.11.4-21.7-default
i also tested this on:
# iptables -V && uname -r
iptables v1.2.11
2.4.27-2-386
alas--i have no 2.4 + 1.3.1 combo i can test on; so i cannot say there
isn't some weird interaction between those two that causes your issue to
crop up.
-j
--
"Brian: Whose leg do I have to hump to get a dry martini around here?"
--Family Guy
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Unable to add rule on Chain with 28 characters.
2005-07-08 19:50 ` Jason Opperisano
@ 2005-07-08 20:01 ` Rafael Dreher
2005-07-08 20:09 ` Jason Opperisano
2005-07-08 20:10 ` Royce Kemp
0 siblings, 2 replies; 12+ messages in thread
From: Rafael Dreher @ 2005-07-08 20:01 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
>>Hi,
>>
>>I'm trying to add a rule on a user-defined chain, on the NAT table, with 28
>>characters.
>
>
> my guess is you're leaving out the '-t nat' as custom chains only exist
> in the table they're created in:
>
Hi, again.
I guess no. :)
[root@ward] [16:55:58]
[~]#iptables -t nat -N ecommerce-internet@POSTROUTING
[root@ward] [16:56:01]
[~]#iptables -t nat -A POSTROUTING -j ecommerce-internet@POSTROUTING
iptables: No chain/target/match by that name
[root@ward] [16:56:19]
[~]#
Am I crazy? :)
This chain has 30 characters... the max.. if I reduce it to 28, it's added without any problem.
Thanks
--
Rafael Dreher
-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Unable to add rule on Chain with 28 characters.
2005-07-08 20:01 ` Rafael Dreher
@ 2005-07-08 20:09 ` Jason Opperisano
2005-07-08 20:11 ` Jason Opperisano
2005-07-09 10:23 ` Jan Engelhardt
2005-07-08 20:10 ` Royce Kemp
1 sibling, 2 replies; 12+ messages in thread
From: Jason Opperisano @ 2005-07-08 20:09 UTC (permalink / raw)
To: netfilter
On Fri, Jul 08, 2005 at 05:01:03PM -0300, Rafael Dreher wrote:
> >>Hi,
> >>
> >>I'm trying to add a rule on a user-defined chain, on the NAT table, with
> >>28 characters.
> >
> >
> >my guess is you're leaving out the '-t nat' as custom chains only exist
> >in the table they're created in:
> >
>
> Hi, again.
>
> I guess no. :)
provide more info next time and i won't have to guess. :-D
> [root@ward] [16:55:58]
> [~]#iptables -t nat -N ecommerce-internet@POSTROUTING
>
> [root@ward] [16:56:01]
> [~]#iptables -t nat -A POSTROUTING -j ecommerce-internet@POSTROUTING
> iptables: No chain/target/match by that name
>
> [root@ward] [16:56:19]
> [~]#
>
> Am I crazy? :)
>
> This chain has 30 characters... the max.. if I reduce it to 28, it's added
> without any problem.
(note: your OP said the error was with the 28 char chain)
it looks like 29 characters is the max:
30 char chain name:
# iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKWB
# iptables -t nat -A PREROUTING -j PubABFZhrRJgwChbszxazNssqWKWB
iptables: No chain/target/match by that name
29 char chain name:
# iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKW
# iptables -t nat -A PREROUTING -j PubABFZhrRJgwChbszxazNssqWKW
#
-j
--
"Peter: This party couldn't be better if Jesus was here.
Jesus: For my next miracle, I will turn water... into FUNK."
--Family Guy
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Unable to add rule on Chain with 28 characters.
2005-07-08 20:01 ` Rafael Dreher
2005-07-08 20:09 ` Jason Opperisano
@ 2005-07-08 20:10 ` Royce Kemp
2005-07-11 13:11 ` Rafael Dreher
1 sibling, 1 reply; 12+ messages in thread
From: Royce Kemp @ 2005-07-08 20:10 UTC (permalink / raw)
To: Rafael Dreher, Jason Opperisano; +Cc: netfilter
I have run into this problem as well. Learn to stick to 28 characters.
-r
At 01:01 PM 7/8/2005, Rafael Dreher wrote:
>>>Hi,
>>>
>>>I'm trying to add a rule on a user-defined chain, on the NAT table, with
>>>28 characters.
>>
>>my guess is you're leaving out the '-t nat' as custom chains only exist
>>in the table they're created in:
>
>Hi, again.
>
>I guess no. :)
>
>[root@ward] [16:55:58]
>[~]#iptables -t nat -N ecommerce-internet@POSTROUTING
>
>[root@ward] [16:56:01]
>[~]#iptables -t nat -A POSTROUTING -j ecommerce-internet@POSTROUTING
>iptables: No chain/target/match by that name
>
>[root@ward] [16:56:19]
>[~]#
>
>Am I crazy? :)
>
>This chain has 30 characters... the max.. if I reduce it to 28, it's added
>without any problem.
>
>Thanks
>
>--
>Rafael Dreher
>
>-:: Red Hat Certified Engineer ::-
>-:: Nr: 807303498507617 ::-
>http://www.redhat.com/training/certification/verify
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Unable to add rule on Chain with 28 characters.
2005-07-08 20:09 ` Jason Opperisano
@ 2005-07-08 20:11 ` Jason Opperisano
2005-07-09 10:23 ` Jan Engelhardt
1 sibling, 0 replies; 12+ messages in thread
From: Jason Opperisano @ 2005-07-08 20:11 UTC (permalink / raw)
To: netfilter
On Fri, Jul 08, 2005 at 04:09:37PM -0400, Jason Opperisano wrote:
> it looks like 29 characters is the max:
>
> 30 char chain name:
>
> # iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKWB
> # iptables -t nat -A PREROUTING -j PubABFZhrRJgwChbszxazNssqWKWB
> iptables: No chain/target/match by that name
>
> 29 char chain name:
>
> # iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKW
> # iptables -t nat -A PREROUTING -j PubABFZhrRJgwChbszxazNssqWKW
> #
stupid off-by-one math. subtract 1 from everything i said...
-j
--
"Peter: Hey, Brian. If cops are pigs, does that make you a Snausage?
Brian: Clever, Peter. Did you stay up all night writing that?
Peter: No, I got to bed around two, two-thirty."
--Family Guy
^ permalink raw reply [flat|nested] 12+ messages in thread
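A pre-migration check for the limit measured in the messages above, as an added example that is not code from any poster or from the iptables project. The 28-character limit is an assumption taken from the thread's test results; `long_chain_names` and `sample_rules` are hypothetical names, and the sample ruleset is constructed from chain names quoted in the thread.

```shell
#!/bin/sh
# Added example: find chain names longer than the limit reported in this thread.
# MAX_CHAIN_LEN=28 is an assumption taken from the posters' tests on
# iptables 1.3.x, not from the iptables source; adjust for your version.
MAX_CHAIN_LEN=${MAX_CHAIN_LEN:-28}

# long_chain_names [FILE...]  (hypothetical helper name)
# Reads iptables-save output or a script of iptables commands and prints
# "<length> <name>" once for every chain name over the limit. It looks at
# ":NAME" declarations and at the argument following -N/-A/-I/-j/-g (and
# their long forms). Exit status is 1 if any over-long name was found.
long_chain_names() {
    awk -v max="$MAX_CHAIN_LEN" '
        function check(name) {
            if (length(name) > max && !(name in seen)) {
                seen[name] = 1
                printf "%d %s\n", length(name), name
                found = 1
            }
        }
        /^[ \t]*#/ { next }                    # comment line
        /^:/ { check(substr($1, 2)); next }    # iptables-save chain declaration
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(-N|-A|-I|-j|-g|--new-chain|--append|--insert|--jump|--goto)$/)
                    check($(i + 1))
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample input: iptables-save lines and plain commands mixed,
# using chain names quoted in the thread.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:ecommerce-internet@POSTROUTING - [0:0]
-A POSTROUTING -j ecommerce-internet@POSTROUTING
iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKW
iptables -t nat -A PREROUTING -j PubABFZhrRJgwChbszxazNssqWKW
iptables -t nat -N PubABFZhrRJgwChbszxazNssqWKWB
COMMIT
EOF
}

sample_rules | long_chain_names || echo "rename the chains listed above" >&2
```

Run it over the saved ruleset before loading it on the new version, so that a chain which can be created but not referenced is caught before the rules go live.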
* Re: Unable to add rule on Chain with 28 characters.
2005-07-08 20:09 ` Jason Opperisano
2005-07-08 20:11 ` Jason Opperisano
@ 2005-07-09 10:23 ` Jan Engelhardt
1 sibling, 0 replies; 12+ messages in thread
From: Jan Engelhardt @ 2005-07-09 10:23 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
>> This chain has 30 characters... the max.. if I reduce it to 28, it's added
>> without any problem.
>
>(note: your OP said the error was with the 28 char chain)
>
>it looks like 29 characters is the max:
It's documented:
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29 letters
long, and useful for distinguishing messages in the logs.
So I guess there's more places with the 30 limit (read: 1 for the '\0' char).
Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Unable to add rule on Chain with 28 characters
2005-07-08 18:53 Rafael Dreher
@ 2005-07-11 10:57 ` John A. Sullivan III
0 siblings, 0 replies; 12+ messages in thread
From: John A. Sullivan III @ 2005-07-11 10:57 UTC (permalink / raw)
To: Rafael Dreher; +Cc: netfilter
On Fri, 2005-07-08 at 15:53 -0300, Rafael Dreher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I'm trying to add a rule on a user-defined chain, on the NAT table, with 28 characters.
>
> The chain has been added without any problem, but when I add the rule, iptables says that it's unable to find the chain.
>
> If I reduce the chain to 25 characters, it works. I'm trying to migrate a set of rules from iptables-1.2.11 to 1.3.1,
> and I don't want to rewrite the rules.
>
> Can someone help me?
<snip>
>
I don't have a direct solution for you. From what I recall, the chain
name length is hard-coded at 32 characters. That bit us on the ISCS
network security management project (http://iscs.sourceforge.net) where
we had very long names due to the hierarchical structure of groups and
the inheritance model. We switched to automatically generating chain
names based upon incrementing numbers.
I do not know if the size of the name field has changed with subsequent
iptables versions. Wish I could be of more help - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Unable to add rule on Chain with 28 characters.
2005-07-08 20:10 ` Royce Kemp
@ 2005-07-11 13:11 ` Rafael Dreher
2005-07-11 13:15 ` Jan Engelhardt
0 siblings, 1 reply; 12+ messages in thread
From: Rafael Dreher @ 2005-07-11 13:11 UTC (permalink / raw)
To: Royce Kemp; +Cc: netfilter
So, that's a BUG.
Why does iptables let me add a chain with 30 characters, if I can't use this chain?
[root@ward] [10:07:54]
[~]#iptables -t nat -N 123456789012345678901234567890
[root@ward] [10:08:05]
[~]#iptables -t nat -A POSTROUTING -j 123456789012345678901234567890
iptables: No chain/target/match by that name
Hey, gurus, can anyone help me? :)
Thanks
Royce Kemp wrote:
> I have run into this problem as well. Learn to stick to 28 characters.
>
> -r
>
> At 01:01 PM 7/8/2005, Rafael Dreher wrote:
>
>>>> Hi,
>>>>
>>>> I'm trying to add a rule on a user-defined chain, on the NAT table,
>>>> with 28 characters.
>>>
>>>
>>> my guess is you're leaving out the '-t nat' as custom chains only exist
>>> in the table they're created in:
>>
>>
>> Hi, again.
>>
>> I guess no. :)
>>
>> [root@ward] [16:55:58]
>> [~]#iptables -t nat -N ecommerce-internet@POSTROUTING
>>
>> [root@ward] [16:56:01]
>> [~]#iptables -t nat -A POSTROUTING -j ecommerce-internet@POSTROUTING
>> iptables: No chain/target/match by that name
>>
>> [root@ward] [16:56:19]
>> [~]#
>>
>> Am I crazy? :)
>>
>> This chain has 30 characters... the max.. if I reduce it to 28, it's
>> added without any problem.
>>
>> Thanks
>>
>> --
>> Rafael Dreher
>>
>> -:: Red Hat Certified Engineer ::-
>> -:: Nr: 807303498507617 ::-
>> http://www.redhat.com/training/certification/verify
>
>
>
>
--
Rafael Dreher
-:: Interage Integradora ::-
-:: Pesquisa e Desenvolvimento ::-
-:: www.gatepro.com.br || www.interage.com.br ::-
-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Unable to add rule on Chain with 28 characters.
2005-07-11 13:11 ` Rafael Dreher
@ 2005-07-11 13:15 ` Jan Engelhardt
2005-07-11 13:22 ` Rafael Dreher
0 siblings, 1 reply; 12+ messages in thread
From: Jan Engelhardt @ 2005-07-11 13:15 UTC (permalink / raw)
To: Rafael Dreher; +Cc: netfilter
> So, that's a BUG.
> Why does iptables let me add a chain with 30 characters, if I can't use this chain?
>
> [root@ward] [10:07:54]
> [~]#iptables -t nat -N 123456789012345678901234567890
>
> [root@ward] [10:08:05]
> [~]#iptables -t nat -A POSTROUTING -j 123456789012345678901234567890
> iptables: No chain/target/match by that name
Try
iptables -t nat -N 123456789012345678901234567890
iptables -t nat -A POSTROUTING -j 1234567890123456789012345678
(Maybe add a '9' to the last.) If that's the case, then this is not really a
bug, but some code silently truncates the -N request.
Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Re: Unable to add rule on Chain with 28 characters.
2005-07-11 13:15 ` Jan Engelhardt
@ 2005-07-11 13:22 ` Rafael Dreher
0 siblings, 0 replies; 12+ messages in thread
From: Rafael Dreher @ 2005-07-11 13:22 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel, netfilter
No, that's not the case. I'm still thinking that's a bug.
[root@ward] [10:18:30]
[~]#iptables -t nat -N 123456789012345678901234567890
[root@ward] [10:18:38]
[~]#iptables -t nat -A POSTROUTING -j 1234567890123456789012345678
iptables v1.3.2: Couldn't load target
`1234567890123456789012345678':/usr/local/lib/iptables/libipt_1234567890123456789012345678.so: cannot open shared object
file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
[root@ward] [10:18:41]
[~]#
Any idea?
Thanks
Jan Engelhardt wrote:
>>So, that's a BUG.
>>Why does iptables let me add a chain with 30 characters, if I can't use this chain?
>>
>>[root@ward] [10:07:54]
>>[~]#iptables -t nat -N 123456789012345678901234567890
>>
>>[root@ward] [10:08:05]
>>[~]#iptables -t nat -A POSTROUTING -j 123456789012345678901234567890
>>iptables: No chain/target/match by that name
>
>
> Try
> iptables -t nat -N 123456789012345678901234567890
> iptables -t nat -A POSTROUTING -j 1234567890123456789012345678
>
> (Maybe add a '9' to the last.) If that's the case, then this is not really a
> bug, but some code silently truncates the -N request.
>
>
>
> Jan Engelhardt
--
Rafael Dreher
-:: Red Hat Certified Engineer ::-
-:: Nr: 807303498507617 ::-
http://www.redhat.com/training/certification/verify
^ permalink raw reply [flat|nested] 12+ messages in thread