From: Chinh Nguyen <cnguyen@certicom.com>
To: netfilter-devel@lists.netfilter.org
Subject: Re: ip6tables: Unknown error 4294967295
Date: Fri, 10 Mar 2006 09:57:11 -0500
Message-ID: <441193C7.2070003@certicom.com>
In-Reply-To: <341954904.20764@ustc.edu.cn>

GuanYao Huang wrote:
> Hi:
> I am doing research into iptables-1.3.5, in which I am trying to use ROUTE target
> which is an extension to the current iptables. 
> I added libip6t_ROUTE.h which makes libip6t_ROUTE.c compiled.
> When using the following command:
> [root@localhost iptables]# /root/CNGI/iptables-1.3.5/ip6tables -A POSTROUTING -t
> mangle -o eth0 -p tcp --dport 22 -j ROUTE --oif iptun
> ip6tables: Unknown error 4294967295
> 
> I don't know why. Can you help me? Thanks.
> 
> 
> 

There are 2 parts to netfilter: the modules that are used by iptables to parse
arguments and communicate them to the kernel, and the kernel modules that are
loaded (or compiled in) with the kernel.

One problem could be that your current kernel does not have support for the
netfilter module you are trying to use.

I have often seen this error associated with an 'invalid argument' returned by
the netfilter kernel module. In previous versions of iptables, it will say
'invalid argument' instead of 'Unknown error 4294967295'.

This is typically caused by an invalid or missing condition causing the
netfilter kernel to reject the rule in its checkentry function.

Unfortunately, sometimes all the necessary valid conditions are not enumerated
in any iptables manual or checked by the iptables module.

For example, consider this:
 /opt/iptables-1.3.5/bin/iptables -A OUTPUT -m esp --espspi ! 0 -j LOG
iptables: Unknown error 4294967295

What is not known is that you have to specify '-p esp' if you wish to use module
'esp', which becomes apparent if you look at the kernel source code:

net/ipv4/netfilter/ipt_esp.c:
static int
checkentry(const char *tablename,
       const void *ip_void,
       void *matchinfo,
       unsigned int matchinfosize,
       unsigned int hook_mask)
{
    const struct ipt_esp *espinfo = matchinfo;
    const struct ipt_ip *ip = ip_void;

    /* Must specify proto == ESP, and no unknown invflags */
    if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {
        duprintf("ipt_esp: Protocol %u != %u\n", ip->proto,
             IPPROTO_ESP);
        return 0;
    }

If this is your problem, you might have to do some source code reading :)
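
The checkentry condition quoted in the message above, as an added user-space example that is not part of the original message and is not kernel code. It runs the failing rule and three variants through the same test; `struct rule_ip`, `esp_check` and `esp_rule` are hypothetical stand-ins, and the rules are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <netinet/in.h>            /* IPPROTO_ESP, IPPROTO_TCP */

#define IPT_INV_PROTO 0x40         /* "! -p" bit, as in ip_tables.h */

/* Simplified stand-in for struct ipt_ip: only the fields the check reads. */
struct rule_ip {
    uint16_t proto;                /* 0 when the rule carries no -p option */
    uint8_t  invflags;             /* IPT_INV_PROTO set for "! -p <proto>" */
};

enum verdict { ACCEPT, NEED_PROTO_ESP, PROTO_INVERTED };

/* Same condition as the quoted checkentry, split to name the cause. */
static enum verdict esp_check(const struct rule_ip *ip)
{
    if (ip->proto != IPPROTO_ESP)
        return NEED_PROTO_ESP;     /* no -p, or -p names another protocol */
    if (ip->invflags & IPT_INV_PROTO)
        return PROTO_INVERTED;     /* "! -p esp" */
    return ACCEPT;
}

/* Hypothetical helper: build the stand-in from what the command line gave. */
static enum verdict esp_rule(unsigned proto, int inverted)
{
    struct rule_ip ip = { (uint16_t)proto, inverted ? IPT_INV_PROTO : 0 };
    return esp_check(&ip);
}

int main(void)
{
    static const char *why[] = {
        "accepted",
        "rejected: rule needs '-p esp'",
        "rejected: '! -p esp' inverts the protocol",
    };
    /* Constructed rules: the failing one from the message, then variants. */
    printf("-m esp          : %s\n", why[esp_rule(0, 0)]);
    printf("-p tcp -m esp   : %s\n", why[esp_rule(IPPROTO_TCP, 0)]);
    printf("! -p esp -m esp : %s\n", why[esp_rule(IPPROTO_ESP, 1)]);
    printf("-p esp -m esp   : %s\n", why[esp_rule(IPPROTO_ESP, 0)]);
    return 0;
}
```

Only the last rule passes; the other three all reach user space as the same error, which is why the cause has to be read out of the module source.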
