[PATCH] fix dreaded "Unknown error 4294967295"

[PATCH] fix dreaded "Unknown error 4294967295"

[Denis Vlasenko]

[-- Attachment #1: Type: text/plain, Size: 326 bytes --]

google.com gives 968 hits on 'iptables "Unknown error 4294967295"'.

The reason is that iptables sets errno
to error return value of setsockopt(), which is always -1.

A few small inrelated changes are also there:
stray ')' in message, array of error messages made static,
prevention of errno corruption in ipq_perror.
--
vda

[-- Attachment #2: iptables-1.3.5.patch --]
[-- Type: text/x-diff, Size: 1730 bytes --]

diff -urpN iptables-1.3.5.0/libipq/libipq.c iptables-1.3.5.1/libipq/libipq.c
--- iptables-1.3.5.0/libipq/libipq.c	2005-07-28 16:53:11.000000000 +0200
+++ iptables-1.3.5.1/libipq/libipq.c	2006-09-21 22:12:41.000000000 +0200
@@ -366,13 +366,14 @@ char *ipq_errstr(void)
 
 void ipq_perror(const char *s)
 {
+	int e = errno;
 	if (s)
 		fputs(s, stderr);
 	else
 		fputs("ERROR", stderr);
 	if (ipq_errno)
 		fprintf(stderr, ": %s", ipq_errstr());
-	if (errno)
-		fprintf(stderr, ": %s", strerror(errno));
+	if (e)
+		fprintf(stderr, ": %s", strerror(e));
 	fputc('\n', stderr);
 }
diff -urpN iptables-1.3.5.0/libiptc/libiptc.c iptables-1.3.5.1/libiptc/libiptc.c
--- iptables-1.3.5.0/libiptc/libiptc.c	2006-01-30 09:43:09.000000000 +0100
+++ iptables-1.3.5.1/libiptc/libiptc.c	2006-09-21 23:22:33.000000000 +0200
@@ -1118,7 +1118,7 @@ const char *standard_target_map(int verd
 			return LABEL_QUEUE;
 			break;
 		default:
-			fprintf(stderr, "ERROR: %d not a valid target)\n",
+			fprintf(stderr, "ERROR: %d not a valid target\n",
 				verdict);
 			abort();
 			break;
@@ -2097,7 +2097,7 @@ TC_COMMIT(TC_HANDLE_T *handle)
 	ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
 			 sizeof(*repl) + repl->size);
 	if (ret < 0) {
-		errno = ret;
+		/* errno = ret; */
 		goto out_free_newcounters;
 	}
 
@@ -2191,7 +2191,7 @@ TC_COMMIT(TC_HANDLE_T *handle)
 	ret = setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
 			 newcounters, counterlen);
 	if (ret < 0) {
-		errno = ret;
+		/* errno = ret; */
 		goto out_free_newcounters;
 	}
 
@@ -2225,7 +2225,7 @@ const char *
 TC_STRERROR(int err)
 {
 	unsigned int i;
-	struct table_struct {
+	static const struct table_struct {
 		void *fn;
 		int err;
 		const char *message;

Re: [PATCH] fix dreaded "Unknown error 4294967295"

[Patrick McHardy]

Denis Vlasenko wrote:
> google.com gives 968 hits on 'iptables "Unknown error 4294967295"'.
> 
> The reason is that iptables sets errno
> to error return value of setsockopt(), which is always -1.

Thats already fixed in the current SVN version, which will be released
as 1.3.6 soon.

Re: [PATCH] fix dreaded "Unknown error 4294967295"

[Denis Vlasenko]

Hello Patrick,

On Monday 25 September 2006 11:35, Patrick McHardy wrote:
> Denis Vlasenko wrote:
> > google.com gives 968 hits on 'iptables "Unknown error 4294967295"'.
> > 
> > The reason is that iptables sets errno
> > to error return value of setsockopt(), which is always -1.
> 
> Thats already fixed in the current SVN version, which will be released
> as 1.3.6 soon.

Cool, thank you.

I have some troubles setting up firewall on AMD64 kernel
with 32-bit userspace.

When I pointed KERNEL_DIR= to the build directory
of currently running kernel, i saw -DKERNEL_64_USERSPACE_32
in gcc commands and resulting iptables was utterly useless.
It was throwing "Unknown error 4294967295" on practically anything.

I rebuilt it, pointing KERNEL_DIR= to pristine, unconfigured
2.6.18 source. Now it works most of the time.

However, on some commands it does not:

iptables -t nat -A OUTPUT --match connmark --mark 22 -j RETURN
iptables -t nat -A OUTPUT -j CONNMARK --set-mark 22

give the same error and in dmesg I see:

ip_tables: connmark match: invalid size 24 != 12
ip_tables: CONNMARK target: invalid size 24 != 12
ip_tables: connmark match: invalid size 24 != 12
ip_tables: CONNMARK target: invalid size 24 != 12

Same happens on MARK target.

Help?
--
vda

Re: [PATCH] fix dreaded "Unknown error 4294967295"

[Patrick McHardy]

[removed CC: webmaster@gnumonks.org]

Denis Vlasenko wrote:
> I have some troubles setting up firewall on AMD64 kernel
> with 32-bit userspace.
> 
> When I pointed KERNEL_DIR= to the build directory
> of currently running kernel, i saw -DKERNEL_64_USERSPACE_32
> in gcc commands and resulting iptables was utterly useless.
> It was throwing "Unknown error 4294967295" on practically anything.
> 
> I rebuilt it, pointing KERNEL_DIR= to pristine, unconfigured
> 2.6.18 source. Now it works most of the time.
> 
> However, on some commands it does not:
> 
> iptables -t nat -A OUTPUT --match connmark --mark 22 -j RETURN
> iptables -t nat -A OUTPUT -j CONNMARK --set-mark 22
> 
> give the same error and in dmesg I see:
> 
> ip_tables: connmark match: invalid size 24 != 12
> ip_tables: CONNMARK target: invalid size 24 != 12
> ip_tables: connmark match: invalid size 24 != 12
> ip_tables: CONNMARK target: invalid size 24 != 12
> 
> Same happens on MARK target.

The latest -git kernel includes compatibility functions for 32 bit
userspace. You need to compile your iptables without the
KERNEL_64_USERSPACE_32 thing though (edit main Makefile).