From: Patrick McHardy <kaber@trash.net>
To: Thomas Jarosch <thomas.jarosch@intra2net.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: ip_tables.c: mark_source_chains: bad negative verdict
Date: Wed, 25 Jul 2007 17:22:58 +0200
Message-ID: <46A76AD2.1000000@trash.net>
In-Reply-To: <200707251116.37230.thomas.jarosch@intra2net.com>
Thomas Jarosch wrote:
> Hello Patrick,
>
> On Tuesday, 24. July 2007, you wrote:
>
>> Yes, what you could do is use the original ruleset (not the saved one)
>> and find out which rule causes the error.
>
>
> The "saved" one is the only one I got. I executed the rules manually
> and it failed doing something like this: iptables -A R5_FWD xyz -j forward_ok.
>
> "forward_ok" jumps to "forward_tolanok" which contains two rules jumping
> to "clicount_in". "clicount_in" is used for accounting and can be referred
> to from multiple places. IMHO this is the place where the "visited" code fails:
>
> -A forward_ok -o eth0 -j forward_tolan_ok
> -A forward_tolan_ok -i eth1 -m condition --condition inet_eth -j clicount_in
> -A forward_tolan_ok -i ppp0 -m condition --condition inet_ppp -j clicount_in
>
> The corresponding debug output:
> Jul 20 17:11:13 intratest2 kernel: Jump rule 232960 -> 215940
> Jul 20 17:11:13 intratest2 kernel: Jump rule 233176 -> 215940
> Jul 20 17:11:13 intratest2 kernel: mark_source_chains: bad negative verdict (-2140522486)
>
> It works if I remove the second jump to clicount_in.
> Does that make sense to you?
Yes, that makes sense, I think what happens is that the jump back goes
to the wrong position and things fall apart. I wasn't able to make a
simple testcase though.
> Now comes the strange part: The ruleset gets generated by an automatic system.
> I have the same style of ruleset running on 20 machines, it only failed once.
> Somehow I get the feeling the order of the rules/chains is important
> to trigger the problem.
It probably is.
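The point of the thread is that a chain referenced from several places (clicount_in above) is not a loop, and a visited check that cannot tell the two apart misfires. As an added illustration, not code from this thread or from ip_tables.c, here is a user-space walk over a ruleset in iptables-save form that distinguishes a back edge (a real loop) from a cross edge (a shared chain) by keeping "on the current path" separate from "finished"; the sample rules are modelled on the ones quoted above with a constructed RETURN rule for clicount_in, and the builtin-target list and regex are assumptions for the example.

```python
import re

# Constructed sample modelled on the chains quoted in the thread:
# clicount_in is reached twice from forward_tolan_ok (a cross edge, not a loop).
SAMPLE_RULES = """
-A forward_ok -o eth0 -j forward_tolan_ok
-A forward_tolan_ok -i eth1 -m condition --condition inet_eth -j clicount_in
-A forward_tolan_ok -i ppp0 -m condition --condition inet_ppp -j clicount_in
-A clicount_in -j RETURN
"""

# Assumed set of terminal targets that never lead to another user chain.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "REJECT", "LOG", "QUEUE"}
RULE_RE = re.compile(r"^-A\s+(\S+)(?:\s.*?)?\s-j\s+(\S+)")

def build_jump_graph(text):
    """Map each chain to the ordered list of user chains its rules jump to."""
    graph = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, target = m.groups()
        graph.setdefault(chain, [])
        if target not in BUILTIN_TARGETS:
            graph[chain].append(target)
    return graph

def undefined_targets(graph):
    """User chains that are jumped to but never defined by an -A rule."""
    return {t for targets in graph.values() for t in targets if t not in graph}

def find_loop(graph, start):
    """Return the cycle as a path if a loop is reachable from start, else None.
    Only a chain already on the current call path counts as a loop; a chain
    that merely finished earlier via another caller is skipped, not reported."""
    on_path, done, path = set(), set(), []

    def visit(chain):
        if chain in on_path:                  # back edge: genuine loop
            return path[path.index(chain):] + [chain]
        if chain in done:                     # cross edge: shared chain, fine
            return None
        on_path.add(chain)
        path.append(chain)
        for nxt in graph.get(chain, []):
            cycle = visit(nxt)
            if cycle:
                return cycle
        on_path.discard(chain)
        path.pop()
        done.add(chain)
        return None

    return visit(start)
```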