Re: iptables is complaining with bogus unknown error 18446744073709551615

Re: iptables is complaining with bogus unknown error 18446744073709551615

[Maurice Volaski]

At least since 2.6.1.16.1, many calls to iptables no longer function 
at least under 64-bit x86, presumably due to a bug in the netfilter 
kernel code.

The problem is still present in 2.6.17-rc2.

The error from iptables is
iptables: unknown error 18446744073709551615

Examples of rules that give the error are

1) iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT
2) iptables -A INPUT -i bond0 -s 129.98.90.101/32 -p tcp --dport 497 -j ACCEPT
3) iptables -A INPUT -i bond0 -s 129.98.90.227/32 -p tcp --dport 22 -j ACCEPT

Example of a rule that does not give the error:
1) iptables -A INPUT -i bond0 -p ICMP --icmp-type echo-request -s 
129.98.90.13/32 -j ACCEPT

The computer is using IPv4 and not IPv6, which has not been compiled into the
kernel.

iptables is version 1.3.5.

Kernel configuration related to iptables follows:

CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CONNTRACK_NETLINK=m
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_TARGET_REJECT is not set
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_TOS is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

lsmod shows
xt_state                4928  0
ipt_LOG                 8960  0
ip_conntrack_ftp       10000  0
ip_conntrack           57880  2 xt_state,ip_conntrack_ftp
nfnetlink               8520  1 ip_conntrack
iptable_filter          5440  0
ip_tables              22168  1 iptable_filter
x_tables               17800  3 xt_state,ipt_LOG,ip_tables


This issue has been posted to netfilter bugzilla as 
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467
and to kernel bugzilla as
http://bugzilla.kernel.org/show_bug.cgi?id=6420
-- 

Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

Re: iptables is complaining with bogus unknown error 18446744073709551615

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1478 bytes --]

Hi Maurice.

Didn't you report this bug already to bugzilla.netfilter.org (and maybe
eben to the bugme.osdl.org)?  Reporting a bug in three distinct places,
even though it has been replied to at one place is not really going to
use developer resources efficiently, don't you think?

On Fri, Apr 21, 2006 at 02:21:17AM -0400, Maurice Volaski wrote:
> At least since 2.6.1.16.1, many calls to iptables no longer function at least under 64-bit x86, 
> presumably due to a bug in the netfilter kernel code.

It probably was since 2.6.16 then, that was when the x_tables patches
were merged, the code most likely to have affected any such
incompatibility of the binary interface.  It was tested thoroughlt,
especially on x86_64, whihc is my main development platform.

However, your problem seems to be something different.  I suspect that
all rules with '-p tcp' or '-p udp' don't work, whereas others do.  You
seem to be missing the xt_tcpudp.ko module, which implements that
feature in 2.6.17-rcX kernels. 

Please refer to
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: iptables is complaining with bogus unknown error 18446744073709551615

[Maurice Volaski]

Thank you for your reply.

>Hi Maurice.
>
>Didn't you report this bug already to bugzilla.netfilter.org (and maybe
>eben to the bugme.osdl.org)?  Reporting a bug in three distinct places,
>even though it has been replied to at one place is not really going to
>use developer resources efficiently, don't you think?

Sorry, to post it multiple times. Actually, two places netfilter and 
then kernel bugzilla. I made the second report after it appeared 
there'd would be no feedback to the first one and another kernel 
revision had been issued with the problem still evident. (The first 
feedback on the netfilter report crossed in the mail with the kernel 
report.)

>However, your problem seems to be something different.  I suspect that
>all rules with '-p tcp' or '-p udp' don't work, whereas others do.  You
>seem to be missing the xt_tcpudp.ko module, which implements that
>feature in 2.6.17-rcX kernels.

Yep, that's it. How could one know that there is such a module called 
xt_tcpudp.ko, especially since there is no corresponding config 
option? Wouldn't up-to-date and complete documentation explain how to 
set up the kernel config and indicate which modules should be loaded?

On the other hand, shouldn't this module be loading automatically?
-- 

Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

Re: iptables is complaining with bogus unknown error 18446744073709551615

[Nick Warne]

I also ask the same - this 'config' problem/option has been posted on
the list previously, I believe.

I was about to update my gateway box to 2.6.16.9 this weekend, and I
do not build modules on that - so what do I need to do to ensure this
xt_tcpudp is built in?

Is '> make oldconfig' enough to pull this in?

Nick

On 21/04/06, Maurice Volaski <mvolaski@aecom.yu.edu> wrote:
> Thank you for your reply.
>
> >Hi Maurice.
> >
> >Didn't you report this bug already to bugzilla.netfilter.org (and maybe
> >eben to the bugme.osdl.org)?  Reporting a bug in three distinct places,
> >even though it has been replied to at one place is not really going to
> >use developer resources efficiently, don't you think?
>
> Sorry, to post it multiple times. Actually, two places netfilter and
> then kernel bugzilla. I made the second report after it appeared
> there'd would be no feedback to the first one and another kernel
> revision had been issued with the problem still evident. (The first
> feedback on the netfilter report crossed in the mail with the kernel
> report.)
>
> >However, your problem seems to be something different.  I suspect that
> >all rules with '-p tcp' or '-p udp' don't work, whereas others do.  You
> >seem to be missing the xt_tcpudp.ko module, which implements that
> >feature in 2.6.17-rcX kernels.
>
> Yep, that's it. How could one know that there is such a module called
> xt_tcpudp.ko, especially since there is no corresponding config
> option? Wouldn't up-to-date and complete documentation explain how to
> set up the kernel config and indicate which modules should be loaded?
>
> On the other hand, shouldn't this module be loading automatically?
> --
>
> Maurice Volaski, mvolaski@aecom.yu.edu
> Computing Support, Rose F. Kennedy Center
> Albert Einstein College of Medicine of Yeshiva University
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: iptables is complaining with bogus unknown error 18446744073709551615

[Alessandro Suardi]

On 4/21/06, Nick Warne <nick.warne@gmail.com> wrote:
> I also ask the same - this 'config' problem/option has been posted on
> the list previously, I believe.
>
> I was about to update my gateway box to 2.6.16.9 this weekend, and I
> do not build modules on that - so what do I need to do to ensure this
> xt_tcpudp is built in?
>
> Is '> make oldconfig' enough to pull this in?
>
> Nick

Hmm, let's see:

[asuardi@donkey src]$ grep tcpudp linux-2.6.17-rc1-git4/net/netfilter/Makefile
obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o

OK, I recall configuring this a while ago when still using FC3,
 as I was bitten too by iptables complaining with the bogus
 error code which I eventually tracked back to the XTABLES
 stuff (no - make oldconfig didn't do it for me and I had to go
 through the config options by hand enabling what I thought
 was useful). That was since...

[asuardi@donkey src]$ grep -i XTABLES /fc3/usr/src/.config-2.6.1[0-7]*
/fc3/usr/src/.config-2.6.15-git10:CONFIG_NETFILTER_XTABLES=m
/fc3/usr/src/.config-2.6.15-git11:CONFIG_NETFILTER_XTABLES=m
/fc3/usr/src/.config-2.6.16-rc1-git4:CONFIG_NETFILTER_XTABLES=m
/fc3/usr/src/.config-2.6.16-rc2-git7:CONFIG_NETFILTER_XTABLES=m

And without any special tricks, my bittorrent box (which also
 has peerguardian running) loads xt_tcpudp automatically,
 as it should be...

[asuardi@donkey src]$ lsmod
Module                  Size  Used by
xt_tcpudp               3200  0
iptable_filter          3072  1
ip_tables              13960  1 iptable_filter
x_tables               14468  2 xt_tcpudp,ip_tables
sd_mod                 18000  2
usb_storage            35588  1
scsi_mod              101064  2 sd_mod,usb_storage
floppy                 58052  0
ehci_hcd               30984  0
uhci_hcd               22792  0
psmouse                38280  0
parport_pc             28644  0
parport                26496  1 parport_pc
8139too                25920  0
8139cp                 21824  0

> On 21/04/06, Maurice Volaski <mvolaski@aecom.yu.edu> wrote:
> > Thank you for your reply.
> >
> > >Hi Maurice.
> > >
> > >Didn't you report this bug already to bugzilla.netfilter.org (and maybe
> > >eben to the bugme.osdl.org)?  Reporting a bug in three distinct places,
> > >even though it has been replied to at one place is not really going to
> > >use developer resources efficiently, don't you think?
> >
> > Sorry, to post it multiple times. Actually, two places netfilter and
> > then kernel bugzilla. I made the second report after it appeared
> > there'd would be no feedback to the first one and another kernel
> > revision had been issued with the problem still evident. (The first
> > feedback on the netfilter report crossed in the mail with the kernel
> > report.)
> >
> > >However, your problem seems to be something different.  I suspect that
> > >all rules with '-p tcp' or '-p udp' don't work, whereas others do.  You
> > >seem to be missing the xt_tcpudp.ko module, which implements that
> > >feature in 2.6.17-rcX kernels.
> >
> > Yep, that's it. How could one know that there is such a module called
> > xt_tcpudp.ko, especially since there is no corresponding config
> > option? Wouldn't up-to-date and complete documentation explain how to
> > set up the kernel config and indicate which modules should be loaded?
> >
> > On the other hand, shouldn't this module be loading automatically?

--alessandro

 "Dreamer ? Each one of us is a dreamer. We just push it down deep because
   we are repeatedly told that we are not allowed to dream in real life"
     (Reinhold Ziegler)

Re: iptables is complaining with bogus unknown error 18446744073709551615

[Nick Warne]

On Saturday 22 April 2006 01:05, Alessandro Suardi wrote:
> On 4/21/06, Nick Warne <nick.warne@gmail.com> wrote:
> > I also ask the same - this 'config' problem/option has been posted on
> > the list previously, I believe.
> >
> > I was about to update my gateway box to 2.6.16.9 this weekend, and I
> > do not build modules on that - so what do I need to do to ensure this
> > xt_tcpudp is built in?
> >
> > Is '> make oldconfig' enough to pull this in?
> >
> > Nick
>
> Hmm, let's see:
>
> [asuardi@donkey src]$ grep tcpudp
> linux-2.6.17-rc1-git4/net/netfilter/Makefile
> obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
>
> OK, I recall configuring this a while ago when still using FC3,
>  as I was bitten too by iptables complaining with the bogus
>  error code which I eventually tracked back to the XTABLES
>  stuff (no - make oldconfig didn't do it for me and I had to go
>  through the config options by hand enabling what I thought
>  was useful). That was since...
>
> [asuardi@donkey src]$ grep -i XTABLES /fc3/usr/src/.config-2.6.1[0-7]*
> /fc3/usr/src/.config-2.6.15-git10:CONFIG_NETFILTER_XTABLES=m
> /fc3/usr/src/.config-2.6.15-git11:CONFIG_NETFILTER_XTABLES=m
> /fc3/usr/src/.config-2.6.16-rc1-git4:CONFIG_NETFILTER_XTABLES=m
> /fc3/usr/src/.config-2.6.16-rc2-git7:CONFIG_NETFILTER_XTABLES=m

OK, to confirm, 'make oldconfig' did indeed pull in the new XTABLES stuff 
without modules.  I presume this will work OK, as my 233MHz box is still 
building (and will be for a few hours yet)...

Nick

-- 
"Person who say it cannot be done should not interrupt person doing it."
-Chinese Proverb

Re: iptables is complaining with bogus unknown error 18446744073709551615

[Maurice Volaski]

Automatic kernel module loading! That is an option and it's off by 
default. When it's off, attempts to load kernel modules are ignored 
internally, and that's why iptables was failing. It tried to load 
xt_tcpudp, but was ignored by the kernel.


>
>At least since 2.6.1.16.1, many calls to iptables no longer function
>at least under 64-bit x86, presumably due to a bug in the netfilter
>kernel code.
>
>The problem is still present in 2.6.17-rc2.
>
>The error from iptables is
>iptables: unknown error 18446744073709551615
>
>Examples of rules that give the error are
>
>1) iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT
>2) iptables -A INPUT -i bond0 -s 129.98.90.101/32 -p tcp --dport 497 -j ACCEPT
>3) iptables -A INPUT -i bond0 -s 129.98.90.227/32 -p tcp --dport 22 -j ACCEPT
>
>Example of a rule that does not give the error:
>1) iptables -A INPUT -i bond0 -p ICMP --icmp-type echo-request -s
>129.98.90.13/32 -j ACCEPT
>
>The computer is using IPv4 and not IPv6, which has not been compiled into the
>kernel.
>
>iptables is version 1.3.5.
>
>Kernel configuration related to iptables follows:
>



>lsmod shows
>xt_state                4928  0
>ipt_LOG                 8960  0
>ip_conntrack_ftp       10000  0
>ip_conntrack           57880  2 xt_state,ip_conntrack_ftp
>nfnetlink               8520  1 ip_conntrack
>iptable_filter          5440  0
>ip_tables              22168  1 iptable_filter
>x_tables               17800  3 xt_state,ipt_LOG,ip_tables
>

-- 

Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University

Re: iptables is complaining with bogus unknown error 18446744073709551615

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1239 bytes --]

On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
> Automatic kernel module loading! That is an option and it's off by
> default. When it's off, attempts to load kernel modules are ignored
> internally, and that's why iptables was failing. It tried to load 
> xt_tcpudp, but was ignored by the kernel.

What do you mean by "it's an option" and "is off by default".  I would
claim that any major linux distribution that I've seen in the last ten
years has support for module auto loading (enabled by default).

There are many userspace programs that try to autoload modules, such as
device-mapper, ipsec, etc.  

If you disable module autoloading, it's your own responsibility to load
modules manually.

So the only thing that I really consider a bug is that bogus error
message of iptables.  This has been fixed in SVN, case closed.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: iptables is complaining with bogus unknown error 18446744073709551615

[Maurice Volaski]

>On Wed, Apr 26, 2006 at 09:12:38PM -0400, Maurice Volaski wrote:
>>  Automatic kernel module loading! That is an option and it's off by
>>  default. When it's off, attempts to load kernel modules are ignored
>>  internally, and that's why iptables was failing. It tried to load
>>  xt_tcpudp, but was ignored by the kernel.
>
>What do you mean by "it's an option" and "is off by default".  I would
>claim that any major linux distribution that I've seen in the last ten
>years has support for module auto loading (enabled by default).
>

Distribution vendors are free to change it to whatever they want, I 
guess, but it's OFF by default in the official kernel (.config).
-- 

Maurice Volaski, mvolaski@aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University