netdev.vger.kernel.org archive mirror
* some bug in iproute2
@ 2009-08-06  8:50 Sergey Popov
  2009-08-07 10:12 ` Jarek Poplawski
  0 siblings, 1 reply; 4+ messages in thread
From: Sergey Popov @ 2009-08-06  8:50 UTC (permalink / raw)
  To: netdev

# tc f add dev eth0 parent 1: proto ip prio 2 u32 match u32 0 0 action ipt -j MARK --set-mark 1
/usr/lib64/iptables/libipt_mark.so: cannot open shared object file: No such file or directory
failed to find target MARK

bad action parsing
parse_action: bad value (5:ipt)!
Illegal "action"


But mark target is compiled in kernel (not a module)

# iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 1
# iptables -t mangle -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere            MARK xset 0x1/0xffffffff

This shouldn't be.


* Re: some bug in iproute2
  2009-08-06  8:50 some bug in iproute2 Sergey Popov
@ 2009-08-07 10:12 ` Jarek Poplawski
  2009-08-07 14:28   ` jamal
  0 siblings, 1 reply; 4+ messages in thread
From: Jarek Poplawski @ 2009-08-07 10:12 UTC (permalink / raw)
  To: Sergey Popov; +Cc: netdev, jamal

On 06-08-2009 10:50, Sergey Popov wrote:
> # tc f add dev eth0 parent 1: proto ip prio 2 u32 match u32 0 0 action ipt -j MARK --set-mark 1
> /usr/lib64/iptables/libipt_mark.so: cannot open shared object file: No such file or directory
> failed to find target MARK
> 
> bad action parsing
> parse_action: bad value (5:ipt)!
> Illegal "action"
> 
> 
> But mark target is compiled in kernel (not a module)
> 
> # iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 1
> # iptables -t mangle -L PREROUTING
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination         
> MARK       all  --  anywhere             anywhere            MARK xset 0x1/0xffffffff
> 
> This shouldn't be.

If you're using iptables > 1.4.2 then it's a known problem.
You can read more in a netdev thread:
Subject: iproute2 action/policer question
starting date: Tue, 09 Jun 2009 22:10:46 +0200

Jarek P.


* Re: some bug in iproute2
  2009-08-07 10:12 ` Jarek Poplawski
@ 2009-08-07 14:28   ` jamal
       [not found]     ` <20090807202725.784dab6b@azure>
  0 siblings, 1 reply; 4+ messages in thread
From: jamal @ 2009-08-07 14:28 UTC (permalink / raw)
  To: Jarek Poplawski; +Cc: Sergey Popov, netdev

On Fri, 2009-08-07 at 10:12 +0000, Jarek Poplawski wrote:
> On 06-08-2009 10:50, Sergey Popov wrote:

> If you're using iptables > 1.4.2 then it's a known problem.
> You can read more in a netdev thread:
> Subject: iproute2 action/policer question
> starting date: Tue, 09 Jun 2009 22:10:46 +0200

I am giving up on fixing it for that release for general distros.
I will wait until iptables 1.4.4 becomes mainstream, then I will make
another fix. It is very hard to keep up concurrently with a) APIs
changing randomly on the part of iptables, b) distros picking random
versions of iptables and c) iproute2 being released in a random
uncoordinated manner.
Maybe a solution that would work is to fork iproute2 or make ipt
part of iptables. In the meantime I can work with anyone who wants
to get it to work with a fixed version of iproute2 + iptables. Sergey,
if this is of interest to you let me know.

cheers,
jamal



* Re: some bug in iproute2
       [not found]       ` <1249734651.7101.38.camel@dogo.mojatatu.com>
@ 2009-08-08 12:49         ` jamal
  0 siblings, 0 replies; 4+ messages in thread
From: jamal @ 2009-08-08 12:49 UTC (permalink / raw)
  To: Sergey Popov; +Cc: Patrick McHardy, Stephen Hemminger, netdev

Sergey,

Hope you don't mind if I cc some other people so we can
resolve this issue, because I am looking at the git logs
and seeing tons of activities which affect what you are
trying to do.

On Sat, 2009-08-08 at 08:30 -0400, jamal wrote:
> Hi,
> 
> On Fri, 2009-08-07 at 20:27 +0300, Sergey Popov wrote:
> > On Fri, 07 Aug 2009 10:28:05 -0400


> > Now I want to police the incoming traffic and drop all the packets
> > that exceed the 1000 kbit and redirect packets
> > to ifb, but the next line doesn't work as expected [by me]:
> > 
> 
> What distro are you running?
> 
> > # tc f add dev $INETIF parent ffff: proto ip prio 1 u32 match u32 0 0 \
> > action police rate 1000kbit burst 1k drop \
> > action mirred egress redirect dev $IFBIF
> > 
> > Illegal "action"
> > bad action parsing
> > parse_action: bad value (12:police)!
> > Illegal "action"
> 
> Let me try simple version:
> dogo:~# tc q add dev lo ingress
> dogo:~# tc f add dev lo parent ffff: proto ip prio 1 u32 match u32 0 0 action police rate 1000kbit burst 1k drop action mirred egress redirect dev eth0
> Illegal "action"
> bad action parsing
> parse_action: bad value (12:police)!
> Illegal "action"
> dogo:~# 
> 
> Ok, this seems to be a bug with policer...
> Although your syntax above seems wrong since you didn't specify flowid.
> You must specify flowid always or strange things will happen even if
> the syntax is accepted.

Your usage and syntax are perfectly legal and very useful.
The problem is that in the old policer syntax the keyword "action" had some
special meaning. Some old scripts used it and broke if the new syntax was
used.
The only clean option I see going forward (which doesn't break any legacy stuff
or play acrobatics) is to introduce a new action "npolice". Patrick,
thoughts?

cheers,
jamal


