From: Patrick McHardy <kaber@trash.net>
To: Francis Dupont <Francis_Dupont@isc.org>
Cc: David Miller <davem@davemloft.net>,
Francis.Dupont@fdupont.fr, linux-kernel@vger.kernel.org,
coreteam@netfilter.org, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: netfilter spurious ELOOP
Date: Wed, 25 Mar 2009 19:12:45 +0100 [thread overview]
Message-ID: <49CA741D.3080705@trash.net> (raw)
In-Reply-To: <20090325173742.3C509E601C@farside.isc.org>
Francis Dupont wrote:
>> Just to clarify: does the problem happens when you have the MARK rule
>> above in a user-defined chain that has more then one jump leading to
>> it or does it also happen in other cases?
>
> => I triggered the bug with a real world example:
> - first add a rule with a MARK target using a set mark with the first/sign
> bit set to one. This target is coded with this mark put at the same
> place than the verdict field of standard targets. (note this should
> be triggered by a lot of targets but I got it with MARK)
> - try to add another rule (with -A or -I but this works too with restore,
> the idea is to get a replace ioctl with an illegal value in a verdict
> position).
> - if you are (un?)lucky you get the ELOOP error.
>
> PS: I really need a bug-ticket-etc number because some business is implied
I'm not a service center, sorry :) Feel free to create an entry in
the netfilter bugzilla, I'll mark it resolved once the patch is
upstream.
> PPS: here I've cut & paste the config I used to track the bug:#
> ....
> :MARKOUT1 - [0:0]
> -A PREROUTING -d 10.0.200.2/32 -p tcp -m tcp --dport 5001 -j MARKOUT1
> -A MARKOUT1 -j MARK --set-xmark 0x80000001/0xffffffff
> -A MARKOUT1 -j CONNMARK --save-mark --nfmask 0x3fffffff --ctmask 0x3fffffff
> -A MARKOUT1 -j ACCEPT
>
> I got the bug with the UDP counterpart:
>
> iptables -t mangle -A PREROUTING -d 10.0.200.2/32 -p udp --dport 5001 \
> -j MARKOUT1
Thanks, that answers my question. I'll apply your patch and send it to
-stable once its in the mainline kernel.
next prev parent reply other threads:[~2009-03-25 18:12 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-24 23:02 netfilter spurious ELOOP Francis Dupont
2009-03-24 23:28 ` David Miller
2009-03-25 17:07 ` Patrick McHardy
2009-03-25 17:37 ` Francis Dupont
2009-03-25 18:12 ` Patrick McHardy [this message]
2009-03-25 18:38 ` Patrick McHardy
2009-03-25 18:41 ` Patrick McHardy
2009-03-26 15:22 ` Thomas Jarosch
2009-03-26 15:25 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49CA741D.3080705@trash.net \
--to=kaber@trash.net \
--cc=Francis.Dupont@fdupont.fr \
--cc=Francis_Dupont@isc.org \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.