From: Eric White <eric.white@ionpipe.com>
To: netfilter-devel@lists.netfilter.org, netfilter@lists.netfilter.org
Subject: Re: "bad argument" trouble with iptables-restore (ipt v.1.3.4 + gentoo 2.6.16)
Date: Thu, 25 May 2006 11:39:32 -0500
Message-ID: <4475DDC4.4090008@ionpipe.com>
In-Reply-To: <4474EEC4.4070909@ionpipe.com>
With a little more experimentation, I see that manually poking a new
chain definition (e.g., "iptables -t filter -N :A:Svc:ABD ") and then
issuing iptables-save generates a
::A:Svc:ABD - [0:0]
line in the output. So, I modified the ruleset, replacing all -N
occurrences with the corresponding ":" prefix and added the "- [0:0]"
suffix, with the same result; i.e., the COMMIT line generates a "bad
argument" error.
So, I can poke these things in with the iptables call (which is what the
current script does at an agonizing rate), but I can't seem to get
iptables-restore to behave the same.
Eric White wrote:
> I've got ~930 rules with which I'd like to initialize via
> iptables-restore. The file includes rules for nat, filter and mangle
> tables. I've got iptables v1.3.4 running on a Gentoo 2.6.16 kernel,
> with some of my own, in-progress extensions (hence the '-m devset'
> specifiers).
>
> At the first COMMIT, I get an error:
>
> Bad argument 'COMMIT'
> Error occurred at line: 209
>
> I've cut the main file into 3 different files (filter, nat, mangle)
> and get the same results at each file's 'COMMIT'. I'm including the
> filter list below (since it's relatively small), hoping someone can
> give it a quick glance and note my mistakes.
>
> thanks
>
> =======================
>
>
> #Filter table
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -N :A:Svc:ABD
> -N :X:Abd:Clients:General:Ulog
> -N :X:Abd:Clients:Darkspace:Ulog
> -N :X:Abd:Clients:PrivAddr:Ulog
> -A :A:Svc:ABD -j :X:Abd:Clients:General:Ulog
> -A :A:Svc:ABD -j :X:Abd:Clients:Darkspace:Ulog
> -A :A:Svc:ABD -j :X:Abd:Clients:PrivAddr:Ulog
> -N :A:Global
> -A :A:Global -p tcp ! --syn -m state --state NEW -j DROP
> -A :A:Global -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP
> -A :A:Global -p tcp --tcp-flags ALL NONE -j DROP
> -A :A:Global -s 224.0.0.0/4 -j DROP
> -A :A:Global -s 127.0.0.0/8 -j DROP
> -N :A:Node:Server
> -N :A:Nodes
> -N :M:X:ToServer
> -N :M:Nodes
> -N :M:X:FromServer
> -N :D:Global
> -N :D:Node:Server
> -N :D:Nodes
> -A INPUT -j :A:Global
> -A OUTPUT -j :A:Global
> -A FORWARD -j :A:Global
> -A INPUT -j :A:Nodes
> -A OUTPUT -j :A:Node:Server
> -A FORWARD -j :A:Nodes
> -A INPUT -j :M:X:ToServer
> -A FORWARD -j :M:Nodes
> -A OUTPUT -j :M:X:FromServer
> -A INPUT -j :D:Global
> -A OUTPUT -j :D:Global
> -A FORWARD -j :D:Global
> -A INPUT -j :D:Node:Server
> -A OUTPUT -j :D:Nodes
> -A FORWARD -j :D:Nodes
> -N :A:Q:Clients
> -N :A:Node:Clients
> -A :A:Q:Clients -m devset --set-name 2 --device in -j :A:Node:Clients
> -A :A:Nodes -j :A:Q:Clients
> -N :D:Q:Clients
> -N :D:Node:Clients
> -A :D:Q:Clients -m devset --set-name 2 --device out -j :D:Node:Clients
> -A :D:Nodes -j :D:Q:Clients
> -N :M:Q:Clients
> -N :M:X:Clients
> -A :M:Q:Clients -m devset --set-name 2 --device in -j :M:X:Clients
> -A :M:Nodes -j :M:Q:Clients
> -N :M:Q:Clients:Server
> -N :M:X:Clients:Server
> -A :M:Q:Clients:Server -m devset --set-name 2 --device in -j :M:X:Clients:Server
> -A :M:X:ToServer -j :M:Q:Clients:Server
> -N :M:Q:Clients:Clients
> -N :M:X:Clients:Clients
> -A :M:Q:Clients:Clients -m devset --set-name 2 --device out -j :M:X:Clients:Clients
> -A :M:X:Clients -j :M:Q:Clients:Clients
> -N :M:Q:Server:Clients
> -N :M:X:Server:Clients
> -A :M:Q:Server:Clients -m devset --set-name 2 --device out -j :M:X:Server:Clients
> -A :M:X:FromServer -j :M:Q:Server:Clients
> -A :A:Node:Clients -j :A:Svc:ABD
> -N :A:Q:WAN
> -N :A:Node:WAN
> -A :A:Q:WAN -m devset --set-name 3 --device in -j :A:Node:WAN
> -A :A:Nodes -j :A:Q:WAN
> -N :D:Q:WAN
> -N :D:Node:WAN
> -A :D:Q:WAN -m devset --set-name 3 --device out -j :D:Node:WAN
> -A :D:Nodes -j :D:Q:WAN
> -N :M:Q:WAN
> -N :M:X:WAN
> -A :M:Q:WAN -m devset --set-name 3 --device in -j :M:X:WAN
> -A :M:Nodes -j :M:Q:WAN
> -N :M:Q:WAN:Server
> -N :M:X:WAN:Server
> -A :M:Q:WAN:Server -m devset --set-name 3 --device in -j :M:X:WAN:Server
> -A :M:X:ToServer -j :M:Q:WAN:Server
> -N :M:Q:WAN:Clients
> -N :M:X:WAN:Clients
> -A :M:Q:WAN:Clients -m devset --set-name 2 --device out -j :M:X:WAN:Clients
> -A :M:X:WAN -j :M:Q:WAN:Clients
> -N :M:Q:WAN:WAN
> -N :M:X:WAN:WAN
> -A :M:Q:WAN:WAN -m devset --set-name 3 --device out -j :M:X:WAN:WAN
> -A :M:X:WAN -j :M:Q:WAN:WAN
> -N :M:Q:Server:WAN
> -N :M:X:Server:WAN
> -A :M:Q:Server:WAN -m devset --set-name 3 --device out -j :M:X:Server:WAN
> -A :M:X:FromServer -j :M:Q:Server:WAN
> -N :M:Q:Clients:WAN
> -N :M:X:Clients:WAN
> -A :M:Q:Clients:WAN -m devset --set-name 3 --device out -j :M:X:Clients:WAN
> -A :M:X:Clients -j :M:Q:Clients:WAN
> -N :A:Q:VPN
> -N :A:Node:VPN
> -A :A:Q:VPN -m devset --set-name 4 --device in -j :A:Node:VPN
> -A :A:Nodes -j :A:Q:VPN
> -N :D:Q:VPN
> -N :D:Node:VPN
> -A :D:Q:VPN -m devset --set-name 4 --device out -j :D:Node:VPN
> -A :D:Nodes -j :D:Q:VPN
> -N :M:Q:VPN
> -N :M:X:VPN
> -A :M:Q:VPN -m devset --set-name 4 --device in -j :M:X:VPN
> -A :M:Nodes -j :M:Q:VPN
> -N :M:Q:VPN:Server
> -N :M:X:VPN:Server
> -A :M:Q:VPN:Server -m devset --set-name 4 --device in -j :M:X:VPN:Server
> -A :M:X:ToServer -j :M:Q:VPN:Server
> -N :M:Q:VPN:Clients
> -N :M:X:VPN:Clients
> -A :M:Q:VPN:Clients -m devset --set-name 2 --device out -j :M:X:VPN:Clients
> -A :M:X:VPN -j :M:Q:VPN:Clients
> -N :M:Q:VPN:WAN
> -N :M:X:VPN:WAN
> -A :M:Q:VPN:WAN -m devset --set-name 3 --device out -j :M:X:VPN:WAN
> -A :M:X:VPN -j :M:Q:VPN:WAN
> -N :M:Q:VPN:VPN
> -N :M:X:VPN:VPN
> -A :M:Q:VPN:VPN -m devset --set-name 4 --device out -j :M:X:VPN:VPN
> -A :M:X:VPN -j :M:Q:VPN:VPN
> -N :M:Q:Server:VPN
> -N :M:X:Server:VPN
> -A :M:Q:Server:VPN -m devset --set-name 4 --device out -j :M:X:Server:VPN
> -A :M:X:FromServer -j :M:Q:Server:VPN
> -N :M:Q:Clients:VPN
> -N :M:X:Clients:VPN
> -A :M:Q:Clients:VPN -m devset --set-name 4 --device out -j :M:X:Clients:VPN
> -A :M:X:Clients -j :M:Q:Clients:VPN
> -N :M:Q:WAN:VPN
> -N :M:X:WAN:VPN
> -A :M:Q:WAN:VPN -m devset --set-name 4 --device out -j :M:X:WAN:VPN
> -A :M:X:WAN -j :M:Q:WAN:VPN
> -A :M:X:Server:Clients -j ACCEPT
> -A :M:X:Server:VPN -j ACCEPT
> -A :M:X:Server:WAN -j ACCEPT
> -A :M:X:Clients:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A :M:X:Clients:Server -p udp --dport 29922 -j ACCEPT
> -A :M:X:Clients:Server -p tcp --dport 29922 -j ACCEPT
> -A :M:X:Clients:Server -p tcp --dport 29924 -j ACCEPT
> -A :M:X:Clients:Server -p tcp --dport 29914 -j ACCEPT
> -A :M:X:Clients:Server -p udp --dport 53 -j ACCEPT
> -A :M:X:Clients:Server -p tcp --dport 53 -j ACCEPT
> -A :M:X:Clients:Server -p udp --dport 29923 -j ACCEPT
> -A :M:X:Clients:Server -p tcp --dport 29923 -j ACCEPT
> -A :M:X:Clients:Server -p tcp --dport 29900 -j ACCEPT
> -A :M:X:Clients:Server -p tcp --dport 29901 -j ACCEPT
> -A :M:X:Clients:Server -p tcp --dport 29908 -j ACCEPT
> -A :M:X:Clients:Server -p tcp --dport 29909 -j ACCEPT
> -N :X:DHCP:Accept
> -A :M:X:Clients:Server -p udp --sport bootpc -j :X:DHCP:Accept
> -N :X:Clients:ToServer:Accept
> -A :M:X:Clients:Server -j :X:Clients:ToServer:Accept
> -N :X:Abd:Clients:ToServer:Ulog
> -N :X:Abd:Clients:ToServer:Uni:Pass
> -A :X:Abd:Clients:ToServer:Uni:Pass -d 255.255.255.255 -j RETURN
> -A :X:Abd:Clients:ToServer:Uni:Pass -j :X:Abd:Clients:ToServer:Ulog
> -A :M:X:Clients:Server -j :X:Abd:Clients:ToServer:Uni:Pass
> -N :X:Clients:Clients:Pass
> -A :M:X:Clients:Clients -j :X:Clients:Clients:Pass
> -N :X:VPNSubnet:FromClients:Pass
> -A :X:VPNSubnet:FromClients:Pass -j DROP
> -A :M:X:Clients:VPN -j :X:VPNSubnet:FromClients:Pass
> -N :X:ClientMark:VPN:Accept
> -A :M:X:Clients:VPN -j :X:ClientMark:VPN:Accept
> -A :M:X:Clients:VPN -m state --state ESTABLISHED,RELATED -j ACCEPT
> -N :X:WalledGarden:Accept
> -A :M:X:Clients:WAN -j :X:WalledGarden:Accept
> -N :X:Quarantine:Drop
> -A :M:X:Clients:WAN -j :X:Quarantine:Drop
> -N :X:ClientMark:WAN:Accept
> -A :X:ClientMark:WAN:Accept -m markset --set-name 0 -j ACCEPT
> -A :M:X:Clients:WAN -j :X:ClientMark:WAN:Accept
> -A :M:X:VPN:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A :M:X:VPN:Server -p tcp --dport 29910 -j ACCEPT
> -A :M:X:VPN:Server -p tcp --dport 29918 -j ACCEPT
> -A :M:X:VPN:Server -p udp --dport 161 -j ACCEPT
> -A :M:X:VPN:Server -p udp --dport 162 -j ACCEPT
> -A :M:X:VPN:Server -p tcp --dport 29903 -j ACCEPT
> -A :M:X:VPN:Server -p icmp -j ACCEPT
> -N :X:VPN:ToServer:Accept
> -A :M:X:VPN:Server -j :X:VPN:ToServer:Accept
> -A :M:X:VPN:Clients -m state --state ESTABLISHED,RELATED -j ACCEPT
> -N :X:VPNSubnet:ToClients:Pass
> -A :X:VPNSubnet:ToClients:Pass -j DROP
> -A :M:X:VPN:Clients -j :X:VPNSubnet:ToClients:Pass
> -A :M:X:VPN:Clients -j ACCEPT
> -A :M:X:VPN:WAN -j DROP
> -A :M:X:WAN:Server -p udp --sport 500 --dport 500 -j ACCEPT
> -A :M:X:WAN:Server -p tcp --dport 29903 -j ACCEPT
> -N :X:WAN:ToServer:Accept
> -A :M:X:WAN:Server -j :X:WAN:ToServer:Accept
> -A :M:X:WAN:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
> -N :X:Abd:WAN:Clients:Ulog
> -A :M:X:WAN:Clients -j :X:Abd:WAN:Clients:Ulog
> -A :M:X:WAN:Clients -m state --state ESTABLISHED,RELATED -j ACCEPT
> -N :X:Network:Accept
> -A :M:X:WAN:Clients -j :X:Network:Accept
> -N :X:PortXlation:Accept
> -A :M:X:WAN:Clients -j :X:PortXlation:Accept
> -N :X:PortForwarding:Accept
> -A :M:X:WAN:Clients -j :X:PortForwarding:Accept
> -A :M:X:WAN:VPN -j DROP
> COMMIT
>
>
Thread overview: 3+ messages
2006-05-24 23:39 "bad argument" trouble with iptables-restore (ipt v.1.3.4 + gentoo 2.6.16) Eric White
2006-05-25 16:39 ` Eric White [this message]
2006-05-25 17:50 ` Patrick McHardy