* 2.4.18-pre9: iptables screwed?
@ 2002-02-08  4:24 H. Peter Anvin
  2002-02-08  8:03 ` Stelian Pop
  2002-02-08  8:46 ` Harald Welte
  0 siblings, 2 replies; 11+ messages in thread
From: H. Peter Anvin @ 2002-02-08  4:24 UTC (permalink / raw)
  To: linux-kernel

I get the following error with iptables on 2.4.18-pre9:

sudo iptables-restore < /etc/sysconfig/iptables
iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Abort (core dumped)

However, if I apply the rules manually (using iptables), I have no
problem; only if I'm using iptables-save or iptables-restore do I get
a dump...

	-hpa
-- 
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt	<amsp@zytor.com>


* Re: 2.4.18-pre9: iptables screwed?
  2002-02-08  4:24 2.4.18-pre9: iptables screwed? H. Peter Anvin
@ 2002-02-08  8:03 ` Stelian Pop
  2002-02-08  8:46 ` Harald Welte
  1 sibling, 0 replies; 11+ messages in thread
From: Stelian Pop @ 2002-02-08  8:03 UTC (permalink / raw)
  To: H. Peter Anvin; +Cc: Linux Kernel Mailing List

On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:

> I get the following error with iptables on 2.4.18-pre9:
> 
> sudo iptables-restore < /etc/sysconfig/iptables
> iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> Abort (core dumped)
> 
> However, if I apply the rules manually (using iptables), I have no
> problem; only if I'm using iptables-save or iptables-restore do I get
> a dump...

I have had this since the netfilter update from pre6 or pre7...

It seems to be caused by a change in the logic for the mangle table:
the userspace tools check only for PREROUTING and OUTPUT chains
(the 1 << 0 | 1 << 3 check), but the kernel code was recently updated
to support more chains in this table (POSTROUTING etc).

So it would seem that we need to have a more recent version of 
the userspace tools (CVS maybe, since the latest released version
has the same bug), or the netfilter people should check the
userspace tools version before introducing this kind of 
incompatible change.

(BTW, the quick and dirty fix for me was to hand edit 
/etc/sysconfig/iptables and remove all references to the mangle table,
since I don't use it).

That being said, IANANG (netfilter guru) :-)

Stelian.
-- 
Stelian Pop <stelian.pop@fr.alcove.com>
|---------------- Free Software Engineer -----------------|
| Alcôve - http://www.alcove.com - Tel: +33 1 49 22 68 00 |
|------------- Alcôve, liberating software ---------------|
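
Added example (not part of the thread and not libiptc code): a model of the hook-mask check described in the message above, contrasting the exact-equality test from the failing assertion with a tolerant one. The hook indices are the IPv4 netfilter hook numbers; subset_check(), describe_hooks() and the sample masks are hypothetical, and the newer kernel is assumed to report all five hooks for the mangle table.

```c
#include <stdio.h>
#include <string.h>

/* IPv4 netfilter hook indices; bit n of valid_hooks means hook n is usable. */
enum { PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING, NUM_HOOKS };

static const char *const chain_name[NUM_HOOKS] = {
    "PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"
};

/* Mask the old userspace debug code expected for the mangle table. */
#define MANGLE_EXPECTED ((1u << PRE_ROUTING) | (1u << LOCAL_OUT))

/* Exact-equality test, as in the failing assertion: any hook a later
 * kernel adds to the table makes this false. */
int strict_check(unsigned valid_hooks)
{
    return valid_hooks == MANGLE_EXPECTED;
}

/* Tolerant test (hypothetical): the hooks relied on must be present,
 * extra hooks reported by a newer kernel are accepted. */
int subset_check(unsigned valid_hooks)
{
    return (valid_hooks & MANGLE_EXPECTED) == MANGLE_EXPECTED;
}

/* Write the chain names set in valid_hooks into buf; returns how many. */
int describe_hooks(unsigned valid_hooks, char *buf, size_t len)
{
    int n = 0;
    if (len == 0)
        return 0;
    buf[0] = '\0';
    for (int h = 0; h < NUM_HOOKS; h++) {
        if (!(valid_hooks & (1u << h)))
            continue;
        if (n++ > 0)
            strncat(buf, ",", len - strlen(buf) - 1);
        strncat(buf, chain_name[h], len - strlen(buf) - 1);
    }
    return n;
}

int main(void)
{
    unsigned old_mask = MANGLE_EXPECTED;        /* constructed sample */
    unsigned new_mask = (1u << NUM_HOOKS) - 1;  /* constructed: all five hooks */
    char buf[64];

    describe_hooks(new_mask, buf, sizeof buf);
    printf("new mask 0x%x = %s\n", new_mask, buf);
    printf("strict: old=%d new=%d\n", strict_check(old_mask), strict_check(new_mask));
    printf("subset: old=%d new=%d\n", subset_check(old_mask), subset_check(new_mask));
    return 0;
}
```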


* Re: 2.4.18-pre9: iptables screwed?
  2002-02-08  4:24 2.4.18-pre9: iptables screwed? H. Peter Anvin
  2002-02-08  8:03 ` Stelian Pop
@ 2002-02-08  8:46 ` Harald Welte
  2002-02-14 16:12   ` Nick Craig-Wood
  1 sibling, 1 reply; 11+ messages in thread
From: Harald Welte @ 2002-02-08  8:46 UTC (permalink / raw)
  To: H. Peter Anvin; +Cc: linux-kernel, netfilter-devel

On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> I get the following error with iptables on 2.4.18-pre9:
> 
> sudo iptables-restore < /etc/sysconfig/iptables
> iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> Abort (core dumped)
> 
> However, if I apply the rules manually (using iptables), I have no
> problem; only if I'm using iptables-save or iptables-restore do I get
> a dump...

Could you please tell me, what iptables version are you using? 
(btw: please follow-up to netfilter-devel@lists.samba.org)

> 	-hpa

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)


* Re: 2.4.18-pre9: iptables screwed?
  2002-02-08  8:46 ` Harald Welte
@ 2002-02-14 16:12   ` Nick Craig-Wood
  2002-02-14 19:01     ` Chris Chabot
                       ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Nick Craig-Wood @ 2002-02-14 16:12 UTC (permalink / raw)
  To: Harald Welte, H. Peter Anvin, linux-kernel, netfilter-devel

On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
> On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> > I get the following error with iptables on 2.4.18-pre9:
> > 
> > sudo iptables-restore < /etc/sysconfig/iptables
> > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > Abort (core dumped)

I've noticed this too.

Specifically it is fine with 2.4.17 but broken with 2.4.18-pre7-ac2

I use the mangle table to set the TOS for a few things but it gives
this error :-

  iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos Minimize-Delay

  iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.

> Could you please tell me, what iptables version are you using? 
> (btw: please follow-up to netfilter-devel@lists.samba.org)

This is using Redhat 7.2 iptables v1.2.4 from the redhat package
iptables-1.2.4-2.

Apologies if this info is too late but I didn't see a followup to
lkml.

-- 
Nick Craig-Wood
ncw@axis.demon.co.uk


* Re: 2.4.18-pre9: iptables screwed?
  2002-02-14 16:12   ` Nick Craig-Wood
@ 2002-02-14 19:01     ` Chris Chabot
  2002-02-14 23:11       ` Henrik Nordstrom
  2002-02-14 23:37       ` Harald Welte
  2002-02-14 19:15     ` Stelian Pop
                       ` (2 subsequent siblings)
  3 siblings, 2 replies; 11+ messages in thread
From: Chris Chabot @ 2002-02-14 19:01 UTC (permalink / raw)
  To: Nick Craig-Wood
  Cc: Harald Welte, H. Peter Anvin, linux-kernel, netfilter-devel

I ran into the same problems with 2.4.18pre9, however upgrading to 
iptables 1.2.5 fixed the problem. (there's no redhat packages for it 
yet, I did a compile of the source pkg)

	-- Chris


Nick Craig-Wood wrote:
> On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
> 
>>On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
>>
>>>I get the following error with iptables on 2.4.18-pre9:
>>>
>>>sudo iptables-restore < /etc/sysconfig/iptables
>>>iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
>>>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
>>>Abort (core dumped)
>>>
> 
> I've noticed this too.
> 
> Specifically it is fine with 2.4.17 but broken with 2.4.18-pre7-ac2
> 
> I use the mangle table to set the TOS for a few things but it gives
> this error :-
> 
>   iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos Minimize-Delay
> 
>   iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> 
> 
>>Could you please tell me, what iptables version are you using? 
>>(btw: please follow-up to netfilter-devel@lists.samba.org)
>>
> 
> This is using Redhat 7.2 iptables v1.2.4 from the redhat package
> iptables-1.2.4-2.
> 
> Apologies if this info is too late but I didn't see a followup to
> lkml.
> 
> 





* Re: 2.4.18-pre9: iptables screwed?
  2002-02-14 16:12   ` Nick Craig-Wood
  2002-02-14 19:01     ` Chris Chabot
@ 2002-02-14 19:15     ` Stelian Pop
  2002-02-14 22:28     ` Michael Cohen
  2002-02-14 23:31     ` Harald Welte
  3 siblings, 0 replies; 11+ messages in thread
From: Stelian Pop @ 2002-02-14 19:15 UTC (permalink / raw)
  To: Nick Craig-Wood; +Cc: Linux Kernel Mailing List

On Thu, Feb 14, 2002 at 04:12:25PM +0000, Nick Craig-Wood wrote:

> > > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > > Abort (core dumped)
> 
> I've noticed this too.
[...]
> Apologies if this info is too late but I didn't see a followup to
> lkml.

There were several followups on lkml, search the archives.

The final solution was to rebuild the userspace tools with the
-DNODEBUG make flag (the RH RPM was built with debug enabled due
to a CFLAGS override in the .spec).

Stelian.
-- 
Stelian Pop <stelian.pop@fr.alcove.com>
Alcove - http://www.alcove.com


* Re: 2.4.18-pre9: iptables screwed?
  2002-02-14 16:12   ` Nick Craig-Wood
  2002-02-14 19:01     ` Chris Chabot
  2002-02-14 19:15     ` Stelian Pop
@ 2002-02-14 22:28     ` Michael Cohen
  2002-02-27  1:15       ` Lukasz Trabinski
  2002-02-14 23:31     ` Harald Welte
  3 siblings, 1 reply; 11+ messages in thread
From: Michael Cohen @ 2002-02-14 22:28 UTC (permalink / raw)
  To: linux-kernel

On Thu, 2002-02-14 at 11:12, Nick Craig-Wood wrote:
> On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
> > On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> > > I get the following error with iptables on 2.4.18-pre9:
> > > 
> > > sudo iptables-restore < /etc/sysconfig/iptables
> > > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > > Abort (core dumped)
> 
> I've noticed this too.
> 
> Specifically it is fine with 2.4.17 but broken with 2.4.18-pre7-ac2
> 
> I use the mangle table to set the TOS for a few things but it gives
> this error :-
> 
>   iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos Minimize-Delay
> 
>   iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> 
> > Could you please tell me, what iptables version are you using? 
> > (btw: please follow-up to netfilter-devel@lists.samba.org)
> 
> This is using Redhat 7.2 iptables v1.2.4 from the redhat package
> iptables-1.2.4-2.
> 
> Apologies if this info is too late but I didn't see a followup to
> lkml.

Upgrade iptables rpm.  I got 1.2.5 and this went away, but comes back in
2.4.17.

------
Michael Cohen
OhDarn.net

> -- 
> Nick Craig-Wood
> ncw@axis.demon.co.uk

* Re: 2.4.18-pre9: iptables screwed?
  2002-02-14 19:01     ` Chris Chabot
@ 2002-02-14 23:11       ` Henrik Nordstrom
  2002-02-14 23:37       ` Harald Welte
  1 sibling, 0 replies; 11+ messages in thread
From: Henrik Nordstrom @ 2002-02-14 23:11 UTC (permalink / raw)
  To: Chris Chabot, Nick Craig-Wood
  Cc: Harald Welte, H. Peter Anvin, linux-kernel, netfilter-devel

This topic has been discussed on netfilter-devel quite recently.

The RedHat RPM for some reason compiles the iptables package with 
debugging enabled. This makes the program overly paranoid about 
different revisions of the netfilter kernel components.

Details:

When you build iptables from the source tarball then the Makefile 
includes -DNDEBUG to disable all debugging. Unfortunately the RPM 
build process overrides the compilation options set in the Makefile 
and leaves NDEBUG undefined, causing a lot of debug code to be 
compiled in.

Regards
Henrik Nordström



On Thursday 14 February 2002 20.01, Chris Chabot wrote:
> I ran into the same problems with 2.4.18pre9, however upgrading to
> iptables 1.2.5 fixed the problem. (there's no redhat packages for
> it yet, I did a compile of the source pkg)
>
> 	-- Chris
>
> Nick Craig-Wood wrote:
> > On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
> >>On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> >>>I get the following error with iptables on 2.4.18-pre9:
> >>>
> >>>sudo iptables-restore < /etc/sysconfig/iptables
> >>>iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> >>>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> >>>Abort (core dumped)
> >
> > I've noticed this too.
> >
> > Specifically it is fine with 2.4.17 but broken with
> > 2.4.18-pre7-ac2
> >
> > I use the mangle table to set the TOS for a few things but it
> > gives this error :-
> >
> >   iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos
> > Minimize-Delay
> >
> >   iptables: libiptc/libip4tc.c:384: do_check: Assertion
> > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> >
> >>Could you please tell me, what iptables version are you using?
> >>(btw: please follow-up to netfilter-devel@lists.samba.org)
> >
> > This is using Redhat 7.2 iptables v1.2.4 from the redhat package
> > iptables-1.2.4-2.
> >
> > Apologies if this info is too late but I didn't see a followup to
> > lkml.


* Re: 2.4.18-pre9: iptables screwed?
  2002-02-14 16:12   ` Nick Craig-Wood
                       ` (2 preceding siblings ...)
  2002-02-14 22:28     ` Michael Cohen
@ 2002-02-14 23:31     ` Harald Welte
  3 siblings, 0 replies; 11+ messages in thread
From: Harald Welte @ 2002-02-14 23:31 UTC (permalink / raw)
  To: Nick Craig-Wood; +Cc: H. Peter Anvin, linux-kernel, netfilter-devel

On Thu, Feb 14, 2002 at 04:12:25PM +0000, Nick Craig-Wood wrote:

> > > sudo iptables-restore < /etc/sysconfig/iptables
> > > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > > Abort (core dumped)
> 
> I've noticed this too.
> 
> Apologies if this info is too late but I didn't see a followup to
> lkml.

The redhat iptables package has debugging enabled, and the debugging
code does not cope correctly with the new kernels.

We didn't assume that anybody is running debugging-enabled old iptables
versions on production systems, but I guess some unfortunate coincidence
caused this within the redhat package :(

> Nick Craig-Wood
> ncw@axis.demon.co.uk

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)


* Re: 2.4.18-pre9: iptables screwed?
  2002-02-14 19:01     ` Chris Chabot
  2002-02-14 23:11       ` Henrik Nordstrom
@ 2002-02-14 23:37       ` Harald Welte
  1 sibling, 0 replies; 11+ messages in thread
From: Harald Welte @ 2002-02-14 23:37 UTC (permalink / raw)
  To: Chris Chabot
  Cc: Nick Craig-Wood, H. Peter Anvin, linux-kernel, netfilter-devel

On Thu, Feb 14, 2002 at 08:01:11PM +0100, Chris Chabot wrote:
> I ran into the same problems with 2.4.18pre9, however upgrading to 
> iptables 1.2.5 fixed the problem. (there's no redhat packages for it 
> yet, I did a compile of the source pkg)

As stated in my earlier replies to this issue:

Certain vendor RPMs for iptables have (involuntarily?) compiled in iptables
debugging.  At least RedHat and Mandrake seem to be falling into this category.

The debugging code does not work with recent kernels, but nobody was
assuming debugging would be enabled in production systems.

There are two solutions to the problem:

a) update to an iptables package which doesn't have debugging enabled
   (which is default with iptables source as distributed by the netfilter
    coreteam)

or 

b) use iptables from current CVS when you really need to have debugging
   enabled.  I will release iptables-1.2.6 soon, which will also have
   the debugging code fixed.

> 	-- Chris

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)


* Re: 2.4.18-pre9: iptables screwed?
  2002-02-14 22:28     ` Michael Cohen
@ 2002-02-27  1:15       ` Lukasz Trabinski
  0 siblings, 0 replies; 11+ messages in thread
From: Lukasz Trabinski @ 2002-02-27  1:15 UTC (permalink / raw)
  To: linux-kernel

In article <1013725714.2183.10.camel@ohdarn.net> you wrote:

> Upgrade iptables rpm.  I got 1.2.5 and this went away, but comes back in
> 2.4.17.

I have just made RPMS/SRPMS iptables from snapshots 1.2.6-20020226
Available at ftp://ftp.wsisiz.edu.pl/pub/Linux/rpms-7x

It works.

-- 
*[ Łukasz Trąbiński ]*
SysAdmin @wsisiz.edu.pl

