* ip6tables: Unknown error 4294967295
From: GuanYao Huang @ 2006-03-10 1:41 UTC
To: netfilter-devel
Hi:
I am doing research into iptables-1.3.5, in which I am trying to use ROUTE target
which is an extension to the current iptables.
I added libip6t_ROUTE.h which makes libip6t_ROUTE.c compiled.
When using the following command:
[root@localhost iptables]# /root/CNGI/iptables-1.3.5/ip6tables -A POSTROUTING -t mangle -o eth0 -p tcp --dport 22 -j ROUTE --oif iptun
ip6tables: Unknown error 4294967295
I don't know why. Can you help me? Thanks.
* Re: ip6tables: Unknown error 4294967295
From: Chinh Nguyen @ 2006-03-10 14:57 UTC
To: netfilter-devel
GuanYao Huang wrote:
> Hi:
> I am doing research into iptables-1.3.5, in which I am trying to use ROUTE target
> which is an extension to the current iptables.
> I added libip6t_ROUTE.h which makes libip6t_ROUTE.c compiled.
> When using the following command:
> [root@localhost iptables]# /root/CNGI/iptables-1.3.5/ip6tables -A POSTROUTING -t mangle -o eth0 -p tcp --dport 22 -j ROUTE --oif iptun
> ip6tables: Unknown error 4294967295
>
> I don't know why. Can you help me? Thanks.
>
>
>
There are 2 parts to netfilter. The modules that are used by iptables to parse
arguments and communicate them to the kernel and the kernel modules that are
loaded (or compiled in) with the kernel.
One problem could be that your current kernel does not have support for the
netfilter module you are trying to use.
I have often seen this error associated with an 'invalid argument' returned by
the netfilter kernel module. In previous versions of iptables, it will say
'invalid argument' instead of 'Unknown error 4294967295'.
This is typically caused by an invalid or missing condition causing the
netfilter kernel to reject the rule in its checkentry function.
Unfortunately, sometimes all the necessary valid conditions are not enumerated
in any iptables manual or checked by the iptables module.
For example, consider this

    /opt/iptables-1.3.5/bin/iptables -A OUTPUT -m esp --espspi ! 0 -j LOG
    iptables: Unknown error 4294967295

What is not known is that you have to specify '-p esp' if you want to use module
'esp', which becomes apparent if you look at the kernel source code:

net/ipv4/netfilter/ipt_esp.c:

    static int
    checkentry(const char *tablename,
               const void *ip_void,
               void *matchinfo,
               unsigned int matchinfosize,
               unsigned int hook_mask)
    {
            const struct ipt_esp *espinfo = matchinfo;
            const struct ipt_ip *ip = ip_void;

            /* Must specify proto == ESP, and no unknown invflags */
            if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {
                    duprintf("ipt_esp: Protocol %u != %u\n", ip->proto,
                             IPPROTO_ESP);
                    return 0;
            }

If this is your problem, you might have to do some source code reading :)
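An added example, not part of the original message and not kernel or iptables code: a userspace model of the precondition in the checkentry() excerpt quoted above, paired with a hypothetical pre-check that names the failed condition instead of leaving only the opaque error. The struct, the constants and both function names are assumptions made for illustration; the sample rules are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MODEL_PROTO_TCP 6     /* IANA protocol numbers */
#define MODEL_PROTO_ESP 50
#define MODEL_INV_PROTO 0x40  /* constructed stand-in for IPT_INV_PROTO */

/* Only the two fields of the rule's IP part that the quoted check reads. */
struct model_ip {
    uint16_t proto;     /* 0 means no -p was given */
    uint8_t  invflags;  /* MODEL_INV_PROTO set when -p is inverted with '!' */
};

/* Same condition as the quoted checkentry(): 1 = accept, 0 = reject. */
static int model_esp_checkentry(const struct model_ip *ip)
{
    if (ip->proto != MODEL_PROTO_ESP || (ip->invflags & MODEL_INV_PROTO))
        return 0;
    return 1;
}

/* Hypothetical userspace pre-check: report which precondition failed. */
static const char *model_esp_diagnose(const struct model_ip *ip)
{
    if (ip->proto == 0)
        return "-m esp requires -p esp (no protocol given)";
    if (ip->proto != MODEL_PROTO_ESP)
        return "-m esp requires -p esp (other protocol given)";
    if (ip->invflags & MODEL_INV_PROTO)
        return "-m esp cannot be combined with an inverted -p esp";
    return "ok";
}

int main(void)
{
    /* Constructed rules: the failing command from the message (no -p),
     * a wrong protocol, an inverted protocol, and the corrected rule. */
    const struct model_ip rules[] = {
        { 0, 0 }, { MODEL_PROTO_TCP, 0 },
        { MODEL_PROTO_ESP, MODEL_INV_PROTO }, { MODEL_PROTO_ESP, 0 },
    };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        printf("rule %zu: checkentry=%d (%s)\n", i,
               model_esp_checkentry(&rules[i]),
               model_esp_diagnose(&rules[i]));
    return 0;
}
```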
* Re: ip6tables: Unknown error 4294967295
From: Chinh Nguyen @ 2006-03-14 14:54 UTC
To: netfilter-devel; +Cc: GuanYao Huang
net/ipv4/netfilter is a directory in the kernel source code. I took a quick peek
at the latest kernel 2.6.16-rc6. I don't think there's any support for the
"ROUTE" target in the kernel.
Can any netfilter developer confirm?
GuanYao Huang wrote:
> Hi, I have no net/ipv4/netfilter/ directory.
> I am using FC4, iptables-1.3.5. Initially, iptables-1.3.5 does not support ROUTE
> module, which is an extension.
> There is libip6t_ROUTE.c in PWD/extension directory, but it is not compiled. So I
> changed the makefile to include it and add some source code to libip6t_ROUTE.c
> which should be the header file for some definitions. That's all I have done.
> I don't know if there is something else I should do.
> Thanks.
>
> In your message you previously mentioned:
>
>>From: Chinh Nguyen <cnguyen@certicom.com>
>>Reply-To:
>>To: netfilter-devel@lists.netfilter.org
>>Subject: Re: ip6tables: Unknown error 4294967295
>>Date:Fri, 10 Mar 2006 09:57:11 -0500
>>
>>GuanYao Huang wrote:
>>
>>>Hi:
>>>I am doing research into iptables-1.3.5, in which I am trying to use ROUTE target
>>>which is an extension to the current iptables.
>>>I added libip6t_ROUTE.h which makes libip6t_ROUTE.c compiled.
>>>When using the following command:
>>>[root@localhost iptables]# /root/CNGI/iptables-1.3.5/ip6tables -A POSTROUTING -t mangle -o eth0 -p tcp --dport 22 -j ROUTE --oif iptun
>>>ip6tables: Unknown error 4294967295
>>>
>>>I don't know why. Can you help me? Thanks.
>>>
>>>
>>>
>>
>>There are 2 parts to netfilter. The modules that are used by iptables to parse
>>arguments and communicate them to the kernel and the kernel modules that are
>>loaded (or compiled in) with the kernel.
>>
>>One problem could be that your current kernel does not have support for the
>>netfilter module you are trying to use.
>>
>>I have often seen this error associated with an 'invalid argument' returned by
>>the netfilter kernel module. In previous versions of iptables, it will say
>>'invalid argument' instead of 'Unknown error 4294967295'.
>>
>>This is typically caused by an invalid or missing condition causing the
>>netfilter kernel to reject the rule in its checkentry function.
>>
>>Unfortunately, sometimes all the necessary valid conditions are not enumerated
>>in any iptables manual or checked by the iptables module.
>>
>>For example, consider this
>> /opt/iptables-1.3.5/bin/iptables -A OUTPUT -m esp --espspi ! 0 -j LOG
>>iptables: Unknown error 4294967295
>>
>>What is not known is that you have to specify '-p esp' if you want to use module
>>'esp', which becomes apparent if you look at the kernel source code:
>>
>>net/ipv4/netfilter/ipt_esp.c:
>>static int
>>checkentry(const char *tablename,
>> const void *ip_void,
>> void *matchinfo,
>> unsigned int matchinfosize,
>> unsigned int hook_mask)
>>{
>> const struct ipt_esp *espinfo = matchinfo;
>> const struct ipt_ip *ip = ip_void;
>>
>> /* Must specify proto == ESP, and no unknown invflags */
>> if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {
>> duprintf("ipt_esp: Protocol %u != %u\n", ip->proto,
>> IPPROTO_ESP);
>> return 0;
>> }
>>
>>If this is your problem, you might have to do some source code reading :)
>>
>>
>
>
>
* Re: ip6tables: Unknown error 4294967295
From: Patrick McHardy @ 2006-03-14 16:54 UTC
To: Chinh Nguyen; +Cc: netfilter-devel, GuanYao Huang
Chinh Nguyen wrote:
> net/ipv4/netfilter is a directory in the kernel source code. I took a quick peek
> at the latest kernel 2.6.16-rc6. I don't think there's any support for the
> "ROUTE" target in the kernel.
>
> Can any netfilter developer confirm?
No, there isn't. But you still should not get this error.
Can you send a strace of the failing command please?