* iptables & new CONNMARK 32bit marks
@ 2005-10-24 15:57 Deti Fliegl
From: Deti Fliegl @ 2005-10-24 15:57 UTC
To: netfilter-devel
Hello *,
when using kernel 2.6.14rc5 the mark values have become 32bit but latest
iptables code still uses 64bit values. This causes the kernel module to
say "CONNMARK: Only supports 32bit mark" - it seems that the iptables
svn repository needs to be updated.
I've made a patch that works for me, but if there's an official
version please let me know...
Deti
* Re: iptables & new CONNMARK 32bit marks
From: Harald Welte @ 2005-10-30 9:43 UTC
To: Deti Fliegl; +Cc: netfilter-devel
On Mon, Oct 24, 2005 at 05:57:10PM +0200, Deti Fliegl wrote:
> Hello *,
>
> when using kernel 2.6.14rc5 the mark values have become 32bit but
> latest iptables code still uses 64bit values.
It sends a 64bit value to the kernel, there's nothing wrong with that.
The kernel is able to parse that.
> This causes the kernel module to say "CONNMARK: Only supports 32bit
> mark"
This should only happen if you actually specify a mark that is bigger
than 0xffffffff.
Please post the specific rules in case of any doubt.
--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: iptables & new CONNMARK 32bit marks
From: Deti Fliegl @ 2005-10-30 10:27 UTC
To: Harald Welte; +Cc: netfilter-devel
Harald Welte wrote:
>> when using kernel 2.6.14rc5 the mark values have become 32bit but
>> latest iptables code still uses 64bit values.
>
> It sends a 64bit value to the kernel, there's nothing wrong with that.
> The kernel is able to parse that.
>
>> This causes the kernel module to say "CONNMARK: Only supports 32bit
>> mark"
>
> This should only happen if you actually specify a mark that is bigger
> than 0xffffffff.
Yes, you are right, but if you are on a 64bit platform you might run into
trouble with these initializations in libipt_connmark.c:
markinfo->mask = ~0UL or if(mask != ~0UL)
This will evaluate to 0xffffffffffffffff on a long variable. You should
rather use 0xffffffff than the hack above.
Further, a #ifdef KERNEL_64_USERSPACE_32 version of the code does not
make sense to me as 32bit will always be 32bit even on 64bit platforms :)
> Please post the specific rules in case of any doubt.
iptables -t mangle -A PREROUTING --proto tcp -j CONNMARK --restore-mark
Deti
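The width problem described in the message above (~0UL is 0xffffffff on ILP32 but 0xffffffffffffffff on LP64, so a 64-bit userspace sends a default mask the kernel rejects) and the missing userspace range check are easy to reproduce in isolation. The following is an added example written for this page, not iptables code and not from the thread: a "mark[/mask]" parser in the shape of the one in libipt_connmark.c / libipt_CONNMARK.c, with the default mask written as an explicit 32-bit constant and the kernel's "must fit in 32 bits" rule enforced before the rule is ever sent. The function and type names (parse_mark_spec, struct mark_spec, CONNMARK_MAX) are assumptions for this example.

```c
/*
 * Added example (not iptables code): a "mark[/mask]" parser in the shape of
 * libipt_connmark.c / libipt_CONNMARK.c, but with an explicit 32-bit range
 * check done in userspace instead of relying on the kernel's
 * "CONNMARK: Only supports 32bit mark" rejection.
 *
 * Build: cc -std=c99 -Wall -o markparse markparse.c
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The kernel stores conntrack marks in 32 bits; anything above is rejected. */
#define CONNMARK_MAX 0xffffffffULL

struct mark_spec {
    uint32_t mark;
    uint32_t mask;
};

/* Return codes: 0 ok, -1 syntax error, -2 value does not fit in 32 bits. */
enum { MARK_OK = 0, MARK_SYNTAX = -1, MARK_RANGE = -2 };

/*
 * Parse "mark" or "mark/mask" as typed on the iptables command line.
 * Accepts decimal, 0x hex and leading-0 octal (base 0), like strtoul(3).
 * A missing mask defaults to all 32 bits set, written as a constant so it
 * is the same width on ILP32 and LP64 (the problem with the ~0UL default).
 */
int parse_mark_spec(const char *arg, struct mark_spec *out)
{
    unsigned long long mark, mask = CONNMARK_MAX;
    char *end;

    if (arg == NULL || *arg == '\0' || *arg == '-')
        return MARK_SYNTAX;          /* strtoull would wrap "-1" to ULLONG_MAX */

    errno = 0;
    mark = strtoull(arg, &end, 0);
    if (end == arg)
        return MARK_SYNTAX;
    if (errno == ERANGE)
        return MARK_RANGE;

    if (*end == '/') {
        const char *mask_str = end + 1;
        if (*mask_str == '\0' || *mask_str == '-')
            return MARK_SYNTAX;      /* "5/" is an error, not "mask 0" */
        errno = 0;
        mask = strtoull(mask_str, &end, 0);
        if (end == mask_str)
            return MARK_SYNTAX;
        if (errno == ERANGE)
            return MARK_RANGE;
    }
    if (*end != '\0')
        return MARK_SYNTAX;          /* trailing garbage after the number */

    /* Same limit the kernel enforces; checking here gives a clear error. */
    if (mark > CONNMARK_MAX || mask > CONNMARK_MAX)
        return MARK_RANGE;

    out->mark = (uint32_t)mark;
    out->mask = (uint32_t)mask;
    return MARK_OK;
}

/* 1 if ~0UL is 32 bits wide on this platform (ILP32), 0 on LP64. */
int all_ones_ulong_is_32bit(void)
{
    return ~0UL == (unsigned long)CONNMARK_MAX;
}

int main(void)
{
    /* Constructed inputs, including the LP64 failure case from the thread. */
    const char *inputs[] = { "0x1234", "0x1234/0xff00", "0x100000000", "5/", "-1" };
    size_t i;

    printf("sizeof(unsigned long)=%zu, ~0UL %s 0xffffffff\n",
           sizeof(unsigned long), all_ones_ulong_is_32bit() ? "==" : "!=");
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct mark_spec s;
        int rc = parse_mark_spec(inputs[i], &s);
        if (rc == MARK_OK)
            printf("%-16s -> mark 0x%08x mask 0x%08x\n", inputs[i], s.mark, s.mask);
        else
            printf("%-16s -> %s\n", inputs[i],
                   rc == MARK_RANGE ? "does not fit in 32 bits" : "bad syntax");
    }
    return 0;
}
```

On an LP64 box the first output line reports that ~0UL differs from 0xffffffff, which is exactly why a rule with no explicit mask tripped the kernel check; the parser rejects 0x100000000 itself instead of letting the kernel do it, and treats "5/" and a negative value as syntax errors rather than silently producing a mask of 0 or a wrapped value.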
* Re: iptables & new CONNMARK 32bit marks
From: Deti Fliegl @ 2005-11-02 9:25 UTC
To: Harald Welte; +Cc: netfilter-devel
Hi,
the patch attached to this mail fixes the 32bit connmark issues on 64bit
systems. Could anyone please test whether the code still works on 32bit
systems?
Changes:
* replaced any occurrences of ~0UL by 0xffffffff, which is now platform
independently 32bit wide.
* the ipt_connmark_target_info structure still uses long variables
(which are 64bit on 64bit systems) for mask & mark - IMHO someone should
change this to u_int32_t if mark values are meant to be 32bit wide.
* removed any code that has to be compiled #ifdef KERNEL_64_USERSPACE_32
as 32bit stays 32bit even on 64bit systems
Deti
[-- Attachment #2: iptables-connmark-32bit.patch --]
[-- Type: text/x-patch, Size: 3326 bytes --]
Index: extensions/libipt_CONNMARK.c
===================================================================
--- extensions/libipt_CONNMARK.c (revision 4421)
+++ extensions/libipt_CONNMARK.c (working copy)
@@ -72,25 +72,17 @@
struct ipt_connmark_target_info *markinfo
= (struct ipt_connmark_target_info *)(*target)->data;
-#ifdef KERNEL_64_USERSPACE_32
- markinfo->mask = ~0ULL;
-#else
- markinfo->mask = ~0UL;
-#endif
+ markinfo->mask = 0xffffffffUL;
switch (c) {
char *end;
case '1':
markinfo->mode = IPT_CONNMARK_SET;
-#ifdef KERNEL_64_USERSPACE_32
- markinfo->mark = strtoull(optarg, &end, 0);
- if (*end == '/' && end[1] != '\0')
- markinfo->mask = strtoull(end+1, &end, 0);
-#else
+
markinfo->mark = strtoul(optarg, &end, 0);
if (*end == '/' && end[1] != '\0')
markinfo->mask = strtoul(end+1, &end, 0);
-#endif
+
if (*end != '\0' || end == optarg)
exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
if (*flags)
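Review bot: dropping the KERNEL_64_USERSPACE_32 branch only changes the parsing calls (strtoull to strtoul, ~0ULL to 0xffffffffUL) while the cover note says struct ipt_connmark_target_info still carries mark and mask as long; the removed `markinfo->mask = ~0ULL;` and `strtoull` lines indicate that under that build the fields are 64 bits wide to match a 64-bit kernel, so a 32-bit iptables on a 64-bit kernel would now fill only the low half of each field and strtoul would saturate any value above 32 bits. Change the header to u_int32_t in this same patch (as the cover note itself proposes) instead of leaving the struct and the parser out of step. Separately, `markinfo->mark = strtoul(optarg, &end, 0);` still accepts 0x100000000 on LP64 and hands it to the kernel, which then fails with the generic "Only supports 32bit mark"; a userspace check such as `if (markinfo->mark > 0xffffffffUL || markinfo->mask > 0xffffffffUL) exit_error(PARAMETER_PROBLEM, "CONNMARK: mark/mask must fit in 32 bits");` right after the `Bad MARK value` test would give the user the right error at rule-insertion time.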
@@ -116,11 +108,8 @@
if (!*flags)
exit_error(PARAMETER_PROBLEM,
"CONNMARK target: Can't specify --mask without a operation");
-#ifdef KERNEL_64_USERSPACE_32
- markinfo->mask = strtoull(optarg, &end, 0);
-#else
markinfo->mask = strtoul(optarg, &end, 0);
-#endif
+
if (*end != '\0' || end == optarg)
exit_error(PARAMETER_PROBLEM, "Bad MASK value `%s'", optarg);
break;
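Review bot: the empty `+` line added after `markinfo->mask = strtoul(optarg, &end, 0);` (and the two in the previous hunk) is whitespace-only noise that makes the diff larger than the change; drop it. The `--mask` path also has the same missing 32-bit range check as the `--set-mark` path: a mask above 0xffffffff parses cleanly on LP64 and only fails inside the kernel, so the same `> 0xffffffffUL` test belongs after the `Bad MASK value` check.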
@@ -139,23 +128,7 @@
"CONNMARK target: No operation specified");
}
-#ifdef KERNEL_64_USERSPACE_32
static void
-print_mark(unsigned long long mark)
-{
- printf("0x%llx", mark);
-}
-
-static void
-print_mask(const char *text, unsigned long long mask)
-{
- if (mask != ~0ULL)
- printf("%s0x%llx", text, mask);
-}
-
-#else
-
-static void
print_mark(unsigned long mark)
{
printf("0x%lx", mark);
@@ -164,10 +137,9 @@
static void
print_mask(const char *text, unsigned long mask)
{
- if (mask != ~0UL)
+ if (mask != 0xffffffffUL)
printf("%s0x%lx", text, mask);
}
-#endif
/* Prints out the target info. */
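Review bot: `if (mask != 0xffffffffUL)` now agrees with the new default from the parse hunk, so a rule entered without a mask prints without one, which is the intent; it also hides a mask the user typed explicitly as 0xffffffff, which is harmless because the two are equivalent. If the struct fields move to u_int32_t as the cover note proposes, this comparison and the `0x%lx` formats in print_mark and print_mask should become `0x%x` on a u_int32_t to avoid format-width mismatches.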
Index: extensions/libipt_connmark.c
===================================================================
--- extensions/libipt_connmark.c (revision 4421)
+++ extensions/libipt_connmark.c (working copy)
@@ -66,17 +66,13 @@
char *end;
case '1':
check_inverse(optarg, &invert, &optind, 0);
-#ifdef KERNEL_64_USERSPACE_32
- markinfo->mark = strtoull(optarg, &end, 0);
- markinfo->mask = ~0ULL;
- if (*end == '/')
- markinfo->mask = strtoull(end+1, &end, 0);
-#else
+
markinfo->mark = strtoul(optarg, &end, 0);
- markinfo->mask = ~0UL;
+ markinfo->mask = 0xffffffffUL;
+
if (*end == '/')
markinfo->mask = strtoul(end+1, &end, 0);
-#endif
+
if (*end != '\0' || end == optarg)
exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
if (invert)
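Review bot: the surviving match parser tests `if (*end == '/')` without the `end[1] != '\0'` guard that libipt_CONNMARK.c uses, so `--mark 5/` runs strtoul on an empty string, leaves `*end == '\0'` and `end != optarg`, and silently stores mask 0 instead of rejecting the argument. Since this hunk rewrites exactly those lines, align it with the target (`if (*end == '/' && end[1] != '\0')`) and add the same 32-bit range check on mark and mask after the `Bad MARK value` test.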
@@ -90,25 +86,14 @@
return 1;
}
-#ifdef KERNEL_64_USERSPACE_32
static void
-print_mark(unsigned long long mark, unsigned long long mask, int numeric)
-{
- if(mask != ~0ULL)
- printf("0x%llx/0x%llx ", mark, mask);
- else
- printf("0x%llx ", mark);
-}
-#else
-static void
print_mark(unsigned long mark, unsigned long mask, int numeric)
{
- if(mask != ~0UL)
+ if(mask != 0xffffffffUL)
printf("0x%lx/0x%lx ", mark, mask);
else
printf("0x%lx ", mark);
}
-#endif
/* Final check; must have specified --mark. */
static void
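Review bot: `print_mark(unsigned long mark, unsigned long mask, int numeric)` keeps an unused `numeric` parameter (pre-existing, but this hunk leaves it as the only signature); either use it or drop it while the function is being touched. The `0x%lx` formats have the same u_int32_t caveat as the target's print functions: if the header changes to 32-bit fields, switch to `0x%x`.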