* Re: 2.4.18-pre9: iptables screwed?
2002-02-14 16:12 ` Nick Craig-Wood
@ 2002-02-14 19:01 ` Chris Chabot
2002-02-14 23:11 ` Henrik Nordstrom
2002-02-14 23:37 ` Harald Welte
2002-02-14 19:15 ` Stelian Pop
` (2 subsequent siblings)
3 siblings, 2 replies; 11+ messages in thread
From: Chris Chabot @ 2002-02-14 19:01 UTC (permalink / raw)
To: Nick Craig-Wood
Cc: Harald Welte, H. Peter Anvin, linux-kernel, netfilter-devel
I ran into the same problems with 2.4.18pre9, however upgrading to
iptables 1.2.5 fixed the problem. (there's no redhat packages for it
yet, I did a compile of the source pkg)
-- Chris
Nick Craig-Wood wrote:
> On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
>
>>On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
>>
>>>I get the following error with iptables on 2.4.18-pre9:
>>>
>>>sudo iptables-restore < /etc/sysconfig/iptables
>>>iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
>>>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
>>>Abort (core dumped)
>>>
>
> I've noticed this too.
>
> Specifically it is fine with 2.4.17 but broken with 2.4.18-pre7-ac2
>
> I use the mangle table to set the TOS for a few things but it gives
> this error :-
>
> iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos Minimize-Delay
>
> iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
>
>
>>Could you please tell me, what iptables version are you using?
>>(btw: please follow-up to netfilter-devel@lists.samba.org)
>>
>
> This is using Redhat 7.2 iptables v1.2.4 from the redhat package
> iptables-1.2.4-2.
>
> Apologies if this info is too late but I didn't see a followup to
> lkml.
>
>
* Re: 2.4.18-pre9: iptables screwed?
2002-02-14 19:01 ` Chris Chabot
@ 2002-02-14 23:11 ` Henrik Nordstrom
2002-02-14 23:37 ` Harald Welte
1 sibling, 0 replies; 11+ messages in thread
From: Henrik Nordstrom @ 2002-02-14 23:11 UTC (permalink / raw)
To: Chris Chabot, Nick Craig-Wood
Cc: Harald Welte, H. Peter Anvin, linux-kernel, netfilter-devel
This topic has been discussed on netfilter-devel quite recently.
The RedHat RPM for some reason compiles the iptables package with
debugging enabled. This makes the program overly paranoid about
different revisions of the netfilter kernel components.
Details:
When you build iptables from the source tarball then the Makefile
includes -DNDEBUG to disable all debugging. Unfortunately the RPM
build process overrides the compilation options set in the Makefile
and leaves NDEBUG undefined, causing a lot of debug code to be
compiled in.
Regards
Henrik Nordström
On Thursday 14 February 2002 20.01, Chris Chabot wrote:
> I ran into the same problems with 2.4.18pre9, however upgrading to
> iptables 1.2.5 fixed the problem. (there's no redhat packages for
> it yet, I did a compile of the source pkg)
>
> -- Chris
>
> Nick Craig-Wood wrote:
> > On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
> >>On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> >>>I get the following error with iptables on 2.4.18-pre9:
> >>>
> >>>sudo iptables-restore < /etc/sysconfig/iptables
> >>>iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> >>>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> >>>Abort (core dumped)
> >
> > I've noticed this too.
> >
> > Specifically it is fine with 2.4.17 but broken with
> > 2.4.18-pre7-ac2
> >
> > I use the mangle table to set the TOS for a few things but it
> > gives this error :-
> >
> > iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos
> > Minimize-Delay
> >
> > iptables: libiptc/libip4tc.c:384: do_check: Assertion
> > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> >
> >>Could you please tell me, what iptables version are you using?
> >>(btw: please follow-up to netfilter-devel@lists.samba.org)
> >
> > This is using Redhat 7.2 iptables v1.2.4 from the redhat package
> > iptables-1.2.4-2.
> >
> > Apologies if this info is too late but I didn't see a followup to
> > lkml.
* Re: 2.4.18-pre9: iptables screwed?
2002-02-14 19:01 ` Chris Chabot
2002-02-14 23:11 ` Henrik Nordstrom
@ 2002-02-14 23:37 ` Harald Welte
1 sibling, 0 replies; 11+ messages in thread
From: Harald Welte @ 2002-02-14 23:37 UTC (permalink / raw)
To: Chris Chabot
Cc: Nick Craig-Wood, H. Peter Anvin, linux-kernel, netfilter-devel
On Thu, Feb 14, 2002 at 08:01:11PM +0100, Chris Chabot wrote:
> I ran into the same problems with 2.4.18pre9, however upgrading to
> iptables 1.2.5 fixed the problem. (there's no redhat packages for it
> yet, I did a compile of the source pkg)
As stated in my earlier replies to this issue:
Certain vendor RPMs for iptables have (involuntarily?) compiled in iptables
debugging. At least RedHat and Mandrake seem to be falling in this category.
The debugging code does not work with recent kernels, but nobody was
assuming debugging would be enabled in production systems.
There are two solutions to the problem:
a) update to an iptables package which doesn't have debugging enabled
(which is default with iptables source as distributed by the netfilter
coreteam)
or
b) use iptables from current CVS when you really need to have debugging
enabled. I will release iptables-1.2.6 soon, which will also have
the debugging code fixed.
> -- Chris
--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
* Re: 2.4.18-pre9: iptables screwed?
2002-02-14 16:12 ` Nick Craig-Wood
2002-02-14 19:01 ` Chris Chabot
@ 2002-02-14 19:15 ` Stelian Pop
2002-02-14 22:28 ` Michael Cohen
2002-02-14 23:31 ` Harald Welte
3 siblings, 0 replies; 11+ messages in thread
From: Stelian Pop @ 2002-02-14 19:15 UTC (permalink / raw)
To: Nick Craig-Wood; +Cc: Linux Kernel Mailing List
On Thu, Feb 14, 2002 at 04:12:25PM +0000, Nick Craig-Wood wrote:
> > > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > > Abort (core dumped)
>
> I've noticed this too.
[...]
> Apologies if this info is too late but I didn't see a followup to
> lkml.
There were several followups on lkml, search the archives.
The final solution was to rebuild the userspace tools with the
-DNODEBUG make flag (the RH RPM was built with debug enabled due
to a CFLAGS override in the .spec).
Stelian.
--
Stelian Pop <stelian.pop@fr.alcove.com>
Alcove - http://www.alcove.com
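The build behaviour described in Henrik Nordstrom's and Stelian Pop's messages, as an added example that is not part of the thread or of the iptables source: a `CFLAGS=` given on the make command line (the way a .spec passes its flags) replaces the Makefile's own `CFLAGS`, so `-DNDEBUG` disappears and assertions get compiled in. The Makefile, the `SPEC_FLAGS` value and the function names are constructed for the demo; the `override` line is a GNU make feature shown as one possible hardening, not what the project did.

```shell
#!/bin/sh
# Constructed demo: command-line CFLAGS vs. a Makefile that sets -DNDEBUG.

SPEC_FLAGS='-O2 -g'   # assumed stand-in for the flags a .spec would pass

# Write a tiny Makefile whose "show" target prints the effective CFLAGS.
# $1 = directory, $2 = "plain" (ordinary +=) or "pinned" (override +=).
write_makefile() {
    if [ "$2" = pinned ]; then
        ndebug_line='override CFLAGS += -DNDEBUG'   # survives command-line CFLAGS
    else
        ndebug_line='CFLAGS += -DNDEBUG'            # silently ignored if overridden
    fi
    printf 'CFLAGS = -O2 -Wall\n%s\nshow:\n\t@echo "$(CFLAGS)"\n' \
        "$ndebug_line" > "$1/Makefile"
}

# Print the CFLAGS make would really use.
# $1 = Makefile flavour, remaining arguments are passed to make unchanged.
effective_cflags() {
    dir=$(mktemp -d) || return 1
    write_makefile "$dir" "$1"
    shift
    make -s -f "$dir/Makefile" show "$@"
    rm -rf "$dir"
}

# Succeed only if the flag string still disables assert().
has_ndebug() {
    case " $1 " in
        *" -DNDEBUG "*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    for build in "plain" "plain CFLAGS=$SPEC_FLAGS" "pinned CFLAGS=$SPEC_FLAGS"; do
        flavour=${build%% *}
        extra=${build#"$flavour"}; extra=${extra# }
        flags=$(effective_cflags "$flavour" ${extra:+"$extra"})
        if has_ndebug "$flags"; then state='assertions off'; else state='ASSERTIONS LIVE'; fi
        printf '%-24s -> %-22s %s\n' "$build" "$flags" "$state"
    done
}
demo
```

A packaging check can run the same `has_ndebug` test on the compile line captured from the build log before a package ships.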
* Re: 2.4.18-pre9: iptables screwed?
2002-02-14 16:12 ` Nick Craig-Wood
2002-02-14 19:01 ` Chris Chabot
2002-02-14 19:15 ` Stelian Pop
@ 2002-02-14 22:28 ` Michael Cohen
2002-02-27 1:15 ` Lukasz Trabinski
2002-02-14 23:31 ` Harald Welte
3 siblings, 1 reply; 11+ messages in thread
From: Michael Cohen @ 2002-02-14 22:28 UTC (permalink / raw)
To: linux-kernel
On Thu, 2002-02-14 at 11:12, Nick Craig-Wood wrote:
> On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
> > On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> > > I get the following error with iptables on 2.4.18-pre9:
> > >
> > > sudo iptables-restore < /etc/sysconfig/iptables
> > > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > > Abort (core dumped)
>
> I've noticed this too.
>
> Specifically it is fine with 2.4.17 but broken with 2.4.18-pre7-ac2
>
> I use the mangle table to set the TOS for a few things but it gives
> this error :-
>
> iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos Minimize-Delay
>
> iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
>
> > Could you please tell me, what iptables version are you using?
> > (btw: please follow-up to netfilter-devel@lists.samba.org)
>
> This is using Redhat 7.2 iptables v1.2.4 from the redhat package
> iptables-1.2.4-2.
>
> Apologies if this info is too late but I didn't see a followup to
> lkml.
Upgrade iptables rpm. I got 1.2.5 and this went away, but comes back in
2.4.17.
------
Michael Cohen
OhDarn.net
> --
> Nick Craig-Wood
> ncw@axis.demon.co.uk
* Re: 2.4.18-pre9: iptables screwed?
2002-02-14 16:12 ` Nick Craig-Wood
` (2 preceding siblings ...)
2002-02-14 22:28 ` Michael Cohen
@ 2002-02-14 23:31 ` Harald Welte
3 siblings, 0 replies; 11+ messages in thread
From: Harald Welte @ 2002-02-14 23:31 UTC (permalink / raw)
To: Nick Craig-Wood; +Cc: H. Peter Anvin, linux-kernel, netfilter-devel
On Thu, Feb 14, 2002 at 04:12:25PM +0000, Nick Craig-Wood wrote:
> > > sudo iptables-restore < /etc/sysconfig/iptables
> > > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > > Abort (core dumped)
>
> I've noticed this too.
>
> Apologies if this info is too late but I didn't see a followup to
> lkml.
The redhat iptables package has debugging enabled, and the debugging
code does not cope correctly with the new kernels.
We didn't assume that anybody is running debugging-enabled old iptables
versions on production systems, but I guess some unfortunate coincidence
caused this within the redhat package :(
> Nick Craig-Wood
> ncw@axis.demon.co.uk
--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)