Re: ip6tables: Unknown error 4294967295

[Chinh Nguyen <cnguyen@certicom.com>]

net/ipv4/netfilter is a directory in the kernel source code. I took a quick peek
at the latest kernel 2.6.16-rc6. I don't think there's any support for the
"ROUTE" target in the kernel.

Can any netfilter developer confirm?


GuanYao Huang wrote:
> Hi, I have no net/ipv4/netfilter/ directory.
> I am using FC4, iptables-1.3.5. Initially, iptables-1.3.5 does not support ROUTE
> module, which is an extension.
> There is libip6t_ROUTE.c in PWD/extension directory, but it is not compiled. So I
> changed the makefile to include it and add some source code to libip6t_ROUTE.c
> which should be the header file for some definitions. That's all I have done.
> I don't know if there is something else I should do.
> Thanks.
> 
> ÔÚÄúµÄÀ´ÐÅÖÐÔø¾­Ìáµ½:
> 
>>From: Chinh Nguyen <cnguyen@certicom.com>
>>Reply-To: 
>>To: netfilter-devel@lists.netfilter.org
>>Subject: Re: ip6tables: Unknown error 4294967295
>>Date:Fri, 10 Mar 2006 09:57:11 -0500
>>
>>GuanYao Huang wrote:
>>
>>>Hi:
>>>I am doing research into iptables-1.3.5, in which I am trying to use ROUTE
> 
> target
> 
>>>which is an extension to the current iptables. 
>>>I added libip6t_ROUTE.h which makes libip6t_ROUTE.c complied.
>>>When using the following command:
>>>[root@localhost iptables]# /root/CNGI/iptables-1.3.5/ip6tables -A POSTROUTING
> 
> -t
> 
>>>mangle -o eth0 -p tcp --dport 22 -j ROUTE --oif iptun
>>>ip6tables: Unknown error 4294967295
>>>
>>>I don't know why. Can you help me? Thanks.
>>>
>>>
>>>
>>
>>There are 2 parts to netfilter. The modules that are used by iptables to parse
>>arguments and communicate them to the kernel and the kernel modules that are
>>loaded (or compiled in) with the kernel.
>>
>>One problem could be that your current kernel does not have support for the
>>netfilter module you are trying to used.
>>
>>I have often seen this error associated with an 'invalid argument' returned by
>>the netfilter kernel module. In previous versions of iptables, it will say
>>'invalid argument' instead of 'Unknown error 4294967295'.
>>
>>This is typically caused by an invalid or missing condition causing the
>>netfilter kernel to reject the rule in its checkentry function.
>>
>>Unfortunately, sometimes all the necessary valid conditions are not enumerated
>>in any iptables manual or checked by the iptables module.
>>
>>For example, consider this
>> /opt/iptables-1.3.5/bin/iptables -A OUTPUT -m esp --espspi ! 0 -j LOG
>>iptables: Unknown error 4294967295
>>
>>What is not known is that you have to specify '-p esp' if you will to use
> 
> module
> 
>>'esp', which becomes apparent if you look at the kernel source code:
>>
>>net/ipv4/netfilter/ipt_esp.c:
>>static int
>>checkentry(const char *tablename,
>>       const void *ip_void,
>>       void *matchinfo,
>>       unsigned int matchinfosize,
>>       unsigned int hook_mask)
>>{
>>    const struct ipt_esp *espinfo = matchinfo;
>>    const struct ipt_ip *ip = ip_void;
>>
>>    /* Must specify proto == ESP, and no unknown invflags */
>>    if (ip->proto != IPPROTO_ESP || (ip->invflags & IPT_INV_PROTO)) {
>>        duprintf("ipt_esp: Protocol %u != %u\n", ip->proto,
>>             IPPROTO_ESP);
>>        return 0;
>>    }
>>
>>If this is your problem, you might have to do some source code reading :)
>>
>>
> 
> 
>