* moe infos...
@ 2005-11-15 0:39 Bernd Zeimetz
2005-11-15 0:46 ` Bernd Zeimetz
2005-11-15 16:15 ` BUG: iptables -j does not work for chains with a length >=28 (was moe infos...) Bernd Zeimetz
0 siblings, 2 replies; 5+ messages in thread
From: Bernd Zeimetz @ 2005-11-15 0:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: 327007
Hi,
I've run into this bug today, which is already listed as 327007 on
bugs.debian.org
0 think:~# iptables -N 123456789012345678901234567
0 think:~# iptables -A FORWARD -j 123456789012345678901234567
0 think:~# iptables -N 1234567890123456789012345678
0 think:~# iptables -A FORWARD -j 1234567890123456789012345678
0 think:~# iptables -N 12345678901234567890123456789
0 think:~# iptables -A FORWARD -j 12345678901234567890123456789
0 think:~# iptables -N 12345678901234567890abcdefg
0 think:~# iptables -A FORWARD -j 12345678901234567890abcdefg
0 think:~# iptables -N 12345678901234567890abcdefgh
0 think:~# iptables -A FORWARD -j 12345678901234567890abcdefgh
0 think:~# iptables -N 12345678901234567890abcdefghi
0 think:~# iptables -A FORWARD -j 12345678901234567890abcdefghi
0 think:~# iptables -N 12345678901234567890abcdefghij
0 think:~# iptables -A FORWARD -j 12345678901234567890abcdefghij
1 think:~# iptables -N 1234567890123456789zabcdefghij
0 think:~# iptables -A FORWARD -j 1234567890123456789zabcdefghij
iptables: No chain/target/match by that name
0 think:~# iptables -N abcde678901234567890abcdefghij
0 think:~# iptables -A FORWARD -j abcde678901234567890abcdefghij
iptables: No chain/target/match by that name
1 think:~# iptables -N abcdesdasdasdfafasfaabcdefghij
0 think:~# iptables -A FORWARD -j abcdesdasdasdfafasfaabcdefghij
iptables: No chain/target/match by that name
1 think:~# iptables -N 0bcdesdasdasdfafasfaabcdefghij
0 think:~# iptables -A FORWARD -j 0bcdesdasdasdfafasfaabcdefghij
iptables: No chain/target/match by that name
1 think:~# iptables -N 0bcdesdasdasdfafasfaabcdefghi
0 think:~# iptables -A FORWARD -j 0bcdesdasdasdfafasfaabcdefghi
iptables: No chain/target/match by that name
1 think:~# iptables -N 0bcdesdasdasdfafasfaabcdefgh
0 think:~# iptables -A FORWARD -j 0bcdesdasdasdfafasfaabcdefgh
As you can see the bug does not happen for chains
- with a length <=28
- with a name containing only numbers
- with a name beginning with numbers and having less than ~11 letters at the
end.
The interesting part comes now:
iptables -N 123456789012345678yzabcdefgh
and this works:
iptables -A FORWARD -j 123456789012345678yzabcdefghij
The bug takes place during the call of
set_revision(target->t->u.user.name, target->revision); // iptables.c:2397
(which is in the part starting with
    /* If they didn't specify a target, or it's a chain
       name, use standard. */
    if (!target
        && (strlen(jumpto) == 0
            || iptc_is_chain(jumpto, *handle)))
-- just to make sure you'll find the right one)
Obviously the problem is in this function:
static void set_revision(char *name, u_int8_t revision)
{
    /* Old kernel sources don't have ".revision" field,
       but we stole a byte from name. */
    name[IPT_FUNCTION_MAXNAMELEN - 2] = '\0';
    name[IPT_FUNCTION_MAXNAMELEN - 1] = revision;
}
As a workaround a return 0; on top of set_revision works, but I'm not sure if
this opens other bugs because I have no clue what this function is (was!?)
for - and to speak the truth - I'm too lazy to work myself through the whole
code to understand what it does ;)
Hope somebody can fix that :)
Best regards!
Bernd Zeimetz
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: moe infos...
2005-11-15 0:39 moe infos Bernd Zeimetz
@ 2005-11-15 0:46 ` Bernd Zeimetz
2005-11-15 16:15 ` BUG: iptables -j does not work for chains with a length >=28 (was moe infos...) Bernd Zeimetz
1 sibling, 0 replies; 5+ messages in thread
From: Bernd Zeimetz @ 2005-11-15 0:46 UTC (permalink / raw)
To: netfilter-devel
oh, sorry for that broken subject. Was supposed to be 'more infos' first,
because the mail was supposed to go to bugs.debian.org only. Then I forgot to
change it....
Shame on me!
Bernd
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: BUG: iptables -j does not work for chains with a length >=28 (was moe infos...)
2005-11-15 0:39 moe infos Bernd Zeimetz
2005-11-15 0:46 ` Bernd Zeimetz
@ 2005-11-15 16:15 ` Bernd Zeimetz
2005-11-15 17:46 ` Bug#327007: " Pablo Neira
1 sibling, 1 reply; 5+ messages in thread
From: Bernd Zeimetz @ 2005-11-15 16:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: 327007
Hi,
> As you can see the bug does not happen for chains
> - with a length <=28
> - with a name containing only numbers
> - with a name beginning with numbers and having less than ~11 letters at
> the end.
this is - of course - not true. I didn't realize that
> iptables -N 123456789012345678yzabcdefgh
> and this works:
> iptables -A FORWARD -j 123456789012345678yzabcdefghij
this happened pretty often while testing.
> set_revision(target->t->u.user.name, target->revision); // iptables.c:2397
What does set_revision really do? Is it still needed?
Thanks,
Bernd
^ permalink raw reply [flat|nested] 5+ messages in thread
* Bug#327007: BUG: iptables -j does not work for chains with a length >=28 (was moe infos...)
2005-11-15 16:15 ` BUG: iptables -j does not work for chains with a length >=28 (was moe infos...) Bernd Zeimetz
@ 2005-11-15 17:46 ` Pablo Neira
2005-11-17 12:50 ` Harald Welte
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira @ 2005-11-15 17:46 UTC (permalink / raw)
To: Bernd Zeimetz; +Cc: netfilter-devel, 327007
[-- Attachment #1: Type: text/plain, Size: 877 bytes --]
Bernd Zeimetz wrote:
> Hi,
>
>
>>As you can see the bug does not happen for chains
>>- with a length <=28
>>- with a name containing only numbers
>>- with a name beginning with numbers and having less than ~11 letters at
>>the end.
>
>
> this is - of course - not true. I didn't realize that
>
>
>>iptables -N 123456789012345678yzabcdefgh
>>and this works:
>>iptables -A FORWARD -j 123456789012345678yzabcdefghij
>
>
> this happened pretty often while testing.
>
>
>>set_revision(target->t->u.user.name, target->revision); // iptables.c:2397
>
> What does set_revision really do? Is it still needed?
This was included to add support for match/target revisions without
breaking backward compatibility.
The patch attached fixes the problem that you're reporting here. I tried
with the shell script attached and seems to work fine. I'll pass it to
Harald.
--
Pablo
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 537 bytes --]
Index: iptables.c
===================================================================
--- iptables.c (revision 4511)
+++ iptables.c (working copy)
@@ -2394,7 +2396,9 @@
target->t = fw_calloc(1, size);
target->t->u.target_size = size;
strcpy(target->t->u.user.name, jumpto);
- set_revision(target->t->u.user.name, target->revision);
+ if (!iptc_is_chain(jumpto, *handle))
+ set_revision(target->t->u.user.name,
+ target->revision);
if (target->init != NULL)
target->init(target->t, &fw.nfcache);
}
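Review bot: the added `if (!iptc_is_chain(jumpto, *handle))` guard has no comment saying why a user-defined chain name must not pass through set_revision(), so a later cleanup could drop it again; a one-line comment above the guard would fix that. The context line `strcpy(target->t->u.user.name, jumpto);` just above is unbounded within this hunk, and once set_revision() is skipped nothing here forces a terminator into the name, so the change relies on jumpto having been length-checked before this point; that is worth confirming or stating in the comment. The hunk header (old line 2394 against new line 2396) also shows the working copy already differs from revision 4511 earlier in the file, so the attachment may not be the whole change.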
[-- Attachment #3: test.sh --]
[-- Type: text/x-sh, Size: 1260 bytes --]
iptables -N 123456789012345678901234567
iptables -A FORWARD -j 123456789012345678901234567
iptables -N 1234567890123456789012345678
iptables -A FORWARD -j 1234567890123456789012345678
iptables -N 12345678901234567890123456789
iptables -A FORWARD -j 12345678901234567890123456789
iptables -N 12345678901234567890abcdefg
iptables -A FORWARD -j 12345678901234567890abcdefg
iptables -N 12345678901234567890abcdefgh
iptables -A FORWARD -j 12345678901234567890abcdefgh
iptables -N 12345678901234567890abcdefghi
iptables -A FORWARD -j 12345678901234567890abcdefghi
iptables -N 12345678901234567890abcdefghij
iptables -A FORWARD -j 12345678901234567890abcdefghij
iptables -N 1234567890123456789zabcdefghij
iptables -A FORWARD -j 1234567890123456789zabcdefghij
iptables -N abcde678901234567890abcdefghij
iptables -A FORWARD -j abcde678901234567890abcdefghij
iptables -N abcdesdasdasdfafasfaabcdefghij
iptables -A FORWARD -j abcdesdasdasdfafasfaabcdefghij
iptables -N 0bcdesdasdasdfafasfaabcdefghij
iptables -A FORWARD -j 0bcdesdasdasdfafasfaabcdefghij
iptables -N 0bcdesdasdasdfafasfaabcdefghi
iptables -A FORWARD -j 0bcdesdasdasdfafasfaabcdefghi
iptables -N 0bcdesdasdasdfafasfaabcdefgh
iptables -A FORWARD -j 0bcdesdasdasdfafasfaabcdefgh
^ permalink raw reply [flat|nested] 5+ messages in thread
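An added illustration, not code from the thread or from iptables: a small C model of the target-name handling before and after the patch, using set_revision() as quoted in the first message. IPT_FUNCTION_MAXNAMELEN = 30, revision 0 for the standard target, and the names CHAINS, is_chain() and jump_result() are assumptions. In this model a jump to a 29- or 30-character chain either fails or silently names the chain made of its first 28 characters when that chain exists, which matches the cases in the transcript where such a jump "worked".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IPT_FUNCTION_MAXNAMELEN 30 /* assumed; the thread does not give the value */
enum { JUMP_OK, JUMP_ALIASED, JUMP_MISSING };

/* Constructed chain table; the names are taken from the transcript in the thread. */
static const char *const CHAINS[] = {
    "12345678901234567890abcdefgh",   /* 28 chars */
    "12345678901234567890abcdefghij", /* 30 chars */
    "1234567890123456789zabcdefghij", /* 30 chars */
};
#define NCHAINS (sizeof(CHAINS) / sizeof(CHAINS[0]))

/* set_revision() as quoted in the first message. */
static void set_revision(char *name, uint8_t revision)
{
    name[IPT_FUNCTION_MAXNAMELEN - 2] = '\0';
    name[IPT_FUNCTION_MAXNAMELEN - 1] = revision;
}

/* Hypothetical stand-in for iptc_is_chain(): exact-match lookup. */
static int is_chain(const char *name)
{
    for (size_t i = 0; i < NCHAINS; i++)
        if (strcmp(name, CHAINS[i]) == 0)
            return 1;
    return 0;
}

/* Chain named by "-j jumpto"; patched=1 skips set_revision() for chains. */
static int jump_result(const char *jumpto, int patched)
{
    char name[IPT_FUNCTION_MAXNAMELEN + 2] = {0}; /* slack: the model never overflows */
    snprintf(name, sizeof(name), "%s", jumpto);
    if (!patched || !is_chain(jumpto))
        set_revision(name, 0); /* revision 0 assumed for the standard target */
    if (strcmp(name, jumpto) == 0)
        return JUMP_OK;
    return is_chain(name) ? JUMP_ALIASED : JUMP_MISSING;
}

int main(void)
{
    static const char *const label[] = { "ok", "aliased to 28-char prefix", "no such chain" };
    for (size_t i = 0; i < NCHAINS; i++)
        printf("%-30s before: %-26s after: %s\n", CHAINS[i],
               label[jump_result(CHAINS[i], 0)], label[jump_result(CHAINS[i], 1)]);
    return 0;
}
```

The aliased case is the one to check for when auditing a ruleset built with an unpatched binary: the rule loads without error but jumps to a different chain than the one named on the command line.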
* Re: BUG: iptables -j does not work for chains with a length >=28 (was moe infos...)
2005-11-15 17:46 ` Bug#327007: " Pablo Neira
@ 2005-11-17 12:50 ` Harald Welte
0 siblings, 0 replies; 5+ messages in thread
From: Harald Welte @ 2005-11-17 12:50 UTC (permalink / raw)
To: Pablo Neira; +Cc: Bernd Zeimetz, 327007, netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 654 bytes --]
On Tue, Nov 15, 2005 at 06:46:59PM +0100, Pablo Neira wrote:
> The patch attached fixes the problem that you're reporting here. I tried
> with the shell script attached and seems to work fine. I'll pass it to
> Harald.
already found it. looks fine, I'll apply it to svn.
--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread