* Re: 2.6.13-mm2
From: Andrew Morton @ 2005-09-10 23:56 UTC
To: J.A. Magallon; +Cc: linux-kernel, netdev

"J.A. Magallon" <jamagallon@able.es> wrote:
>
> On 09.08, Andrew Morton wrote:
> >
> > ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.13/2.6.13-mm2/
> >
> > (kernel.org propagation is slow. There's a temp copy at
> > http://www.zip.com.au/~akpm/linux/patches/stuff/2.6.13-mm2.bz2)
> >
>
> I can not ifup an interface while iptables is using it.
> Is this expected behaviour ?

Maybe it's expected, but breaking existing userspace is a serious issue.

> There is a possible bug (IMHO) in Mandrake initscripts, that start iptables
> before network interfaces, but this had always worked.
>
> Any ideas ?

Please always cc netdev@vger.kernel.org on networking matters.

* Re: 2.6.13-mm2
From: Patrick McHardy @ 2005-09-11 0:07 UTC
To: Andrew Morton; +Cc: J.A. Magallon, linux-kernel, netdev

Andrew Morton wrote:
> "J.A. Magallon" <jamagallon@able.es> wrote:
>
>>I can not ifup an interface while iptables is using it.
>>Is this expected behaviour ?
>
> Maybe it's expected, but breaking existing userspace is a serious issue.

No, it's not expected.

>>There is a possible bug (IMHO) in Mandrake initscripts, that start iptables
>>before network interfaces, but this had always worked.
>>
>>Any ideas ?

What's happening when you try to set the interface up? Please
provide output of ifup and strace of the failing command. Thanks.

* Re: 2.6.13-mm2
From: J.A. Magallon @ 2005-09-11 0:49 UTC
To: Patrick McHardy; +Cc: Andrew Morton, linux-kernel, netdev

On 09.11, Patrick McHardy wrote:
> Andrew Morton wrote:
> > "J.A. Magallon" <jamagallon@able.es> wrote:
> >
> >>I can not ifup an interface while iptables is using it.
> >>Is this expected behaviour ?
> >
> > Maybe it's expected, but breaking existing userspace is a serious issue.
>
> No, it's not expected.
>
> >>There is a possible bug (IMHO) in Mandrake initscripts, that start iptables
> >>before network interfaces, but this had always worked.
> >>
> >>Any ideas ?
>
> What's happening when you try to set the interface up? Please
> provide output of ifup and strace of the failing command. Thanks.

werewolf:~# ifdown eth0
werewolf:~# service iptables start
Applying iptables firewall rules:
[ OK ]
werewolf:~# iptables -v -t nat -L
Chain PREROUTING (policy ACCEPT 2 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source     destination

Chain POSTROUTING (policy ACCEPT 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source     destination
    0     0 MASQUERADE all  --  any    eth0    anywhere   anywhere

Chain OUTPUT (policy ACCEPT 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source     destination
werewolf:~# iptables -v -t filter -L
Chain INPUT (policy ACCEPT 257 packets, 51631 bytes)
 pkts bytes target     prot opt in     out     source     destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source     destination
    0     0 ACCEPT     all  --  eth0   eth1    anywhere   anywhere     state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    anywhere   anywhere

Chain OUTPUT (policy ACCEPT 251 packets, 51163 bytes)
 pkts bytes target     prot opt in     out     source     destination

werewolf:~# ifup eth0
Determining IP information for eth0...Operation failed.
failed.

I traced the problem to pump, and I did a diff between strace of pump
when it works and when it doesn't (without and with iptables started):

 socket(PF_FILE, SOCK_STREAM, 0) = 3
 connect(3, {sa_family=AF_FILE, path="/var/run/pump.sock"}, 20) = 0
 write(3, "\0\0\0\0eth0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300"..., 4280) = 4280
-read(3, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4280) = 4280
-exit_group(0) = ?
-Process 7931 detached
+read(3, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4280) = 4280
+socket(PF_FILE, SOCK_STREAM, 0) = 4
+connect(4, {sa_family=AF_FILE, path="/var/run/pump.sock"}, 20) = 0
+write(4, "\0\0\0\0eth0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300"..., 4280) = 4280
+read(4, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4280) = 4280
+write(2, "Operation failed.\n", 18Operation failed.
+) = 18
+exit_group(1) = ?
+Process 7822 detached

pump seems to write something in the socket, try to read it again and gets
different results.

Note, my iptables are modular and I did not unload the modules, just stopped
them with 'service iptables stop'. Digging further, if I just do
iptables -t nat -F, pump works again.

Hope this helps.

--
J.A. Magallon <jamagallon()able!es> \ Software is like sex:
werewolf!able!es \ It's better when it's free
Mandriva Linux release 2006.0 (Cooker) for i586
Linux 2.6.13-jam3 (gcc 4.0.1 (4.0.1-5mdk for Mandriva Linux release 2006.0))

* Re: 2.6.13-mm2
From: J.A. Magallon @ 2005-09-11 0:58 UTC
To: Linux-Kernel Lista; +Cc: Patrick McHardy, Andrew Morton, netdev

On 09.11, J.A. Magallon wrote:
>
> On 09.11, Patrick McHardy wrote:
> > Andrew Morton wrote:
> > > "J.A. Magallon" <jamagallon@able.es> wrote:
> > >
> > >>I can not ifup an interface while iptables is using it.
> > >>Is this expected behaviour ?
> > >
> > > Maybe it's expected, but breaking existing userspace is a serious issue.
> >
> > No, it's not expected.
> >
> > >>There is a possible bug (IMHO) in Mandrake initscripts, that start iptables
> > >>before network interfaces, but this had always worked.
> > >>
> > >>Any ideas ?
> >
> > What's happening when you try to set the interface up? Please
> > provide output of ifup and strace of the failing command. Thanks.
>
> werewolf:~# ifdown eth0
> werewolf:~# service iptables start
> Applying iptables firewall rules:
> [ OK ]
> werewolf:~# iptables -v -t nat -L
> Chain PREROUTING (policy ACCEPT 2 packets, 156 bytes)
>  pkts bytes target     prot opt in     out     source     destination
>
> Chain POSTROUTING (policy ACCEPT 5 packets, 300 bytes)
>  pkts bytes target     prot opt in     out     source     destination
>     0     0 MASQUERADE all  --  any    eth0    anywhere   anywhere
>
> Chain OUTPUT (policy ACCEPT 5 packets, 300 bytes)
>  pkts bytes target     prot opt in     out     source     destination
> werewolf:~# iptables -v -t filter -L
> Chain INPUT (policy ACCEPT 257 packets, 51631 bytes)
>  pkts bytes target     prot opt in     out     source     destination
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source     destination
>     0     0 ACCEPT     all  --  eth0   eth1    anywhere   anywhere     state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth1   eth0    anywhere   anywhere
>
> Chain OUTPUT (policy ACCEPT 251 packets, 51163 bytes)
>  pkts bytes target     prot opt in     out     source     destination
>
> werewolf:~# ifup eth0
>
> Determining IP information for eth0...Operation failed.
> failed.
>
> I traced the problem to pump, and I did a diff between strace of pump
> when it works and when it doesn't (without and with iptables started):
>
>  socket(PF_FILE, SOCK_STREAM, 0) = 3
>  connect(3, {sa_family=AF_FILE, path="/var/run/pump.sock"}, 20) = 0
>  write(3, "\0\0\0\0eth0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300"..., 4280) = 4280
> -read(3, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4280) = 4280
> -exit_group(0) = ?
> -Process 7931 detached
> +read(3, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4280) = 4280
> +socket(PF_FILE, SOCK_STREAM, 0) = 4
> +connect(4, {sa_family=AF_FILE, path="/var/run/pump.sock"}, 20) = 0
> +write(4, "\0\0\0\0eth0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300"..., 4280) = 4280
> +read(4, "\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4280) = 4280
> +write(2, "Operation failed.\n", 18Operation failed.
> +) = 18
> +exit_group(1) = ?
> +Process 7822 detached
>
> pump seems to write something in the socket, try to read it again and gets
> different results.
>
> Note, my iptables are modular and I did not unload the modules, just stopped
> them with 'service iptables stop'. Digging further, if I just do
> iptables -t nat -F, pump works again.
>
> Hope this helps.
>

And I also get this on syslog:

Sep 11 02:56:58 werewolf kernel: MASQUERADE: eth0 ate my IP address
Sep 11 02:56:58 werewolf kernel: MASQUERADE: eth0 ate my IP address

--
J.A. Magallon <jamagallon()able!es> \ Software is like sex:
werewolf!able!es \ It's better when it's free
Mandriva Linux release 2006.0 (Cooker) for i586
Linux 2.6.13-jam3 (gcc 4.0.1 (4.0.1-5mdk for Mandriva Linux release 2006.0))

* Re: 2.6.13-mm2
From: Patrick McHardy @ 2005-09-11 1:03 UTC
To: J.A. Magallon; +Cc: Linux-Kernel Lista, Andrew Morton, netdev

[-- Attachment #1: Type: text/plain, Size: 547 bytes --]

J.A. Magallon wrote:
> And I also get this on syslog:
>
> Sep 11 02:56:58 werewolf kernel: MASQUERADE: eth0 ate my IP address
> Sep 11 02:56:58 werewolf kernel: MASQUERADE: eth0 ate my IP address

Thanks, I'm pretty sure it's caused by this patch. The problem is that
pump uses a regular UDP socket (some other dhcp clients use AF_PACKET
sockets), and packets sent by it are also handled by iptables. The
MASQUERADE rule can't find a local IP address and drops the packet.
I'm not sure how to fix it yet, reverting the patch is not a good
option.

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1219 bytes --]

[NETFILTER]: Don't exclude local packets from MASQUERADING

Increases consistency in source-address selection.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

---
commit 9baa5c67ff4ce57b6b9f68c90714a1bb876fccd7
tree 27f2c48e12e1bb5e3e6d5f8320651c213892ed20
parent fb13ab2849074244a51ae5147483610529a29ced
author Patrick McHardy <kaber@trash.net> Sun, 14 Aug 2005 17:32:50 -0700
committer David S. Miller <davem@sunset.davemloft.net> Mon, 29 Aug 2005 15:58:36 -0700

 net/ipv4/netfilter/ipt_MASQUERADE.c | 5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -86,11 +86,6 @@ masquerade_target(struct sk_buff **pskb, IP_NF_ASSERT(hooknum == NF_IP_POST_ROUTING); - /* FIXME: For the moment, don't do local packets, breaks - testsuite for 2.3.49 --RR */ - if ((*pskb)->sk) - return NF_ACCEPT; - ct = ip_conntrack_get(*pskb, &ctinfo); IP_NF_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)); ^ permalink raw reply [flat|nested] 7+ messages in thread
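Review bot: the removal of the `if ((*pskb)->sk) return NF_ACCEPT;` early return in masquerade_target() leaves no handling for locally generated packets sent while the outgoing interface has no address yet; as reported in this thread, a DHCP client that uses a regular UDP socket (pump) then ends up on the "ate my IP address" drop path. Consider keeping an exemption for socket-owned packets when no source address can be selected on the outgoing device, and describe the behaviour change for local traffic in the commit message, which currently says only "Increases consistency in source-address selection" while the deleted FIXME gave a test-suite reason for the check.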
* Re: 2.6.13-mm2
From: J.A. Magallon @ 2005-09-11 1:22 UTC
To: Patrick McHardy; +Cc: Linux-Kernel Lista, Andrew Morton, netdev

On 09.11, Patrick McHardy wrote:
> J.A. Magallon wrote:
> > And I also get this on syslog:
> >
> > Sep 11 02:56:58 werewolf kernel: MASQUERADE: eth0 ate my IP address
> > Sep 11 02:56:58 werewolf kernel: MASQUERADE: eth0 ate my IP address
>
> Thanks, I'm pretty sure it's caused by this patch. The problem is that
> pump uses a regular UDP socket (some other dhcp clients use AF_PACKET
> sockets), and packets sent by it are also handled by iptables. The
> MASQUERADE rule can't find a local IP address and drops the packet.
> I'm not sure how to fix it yet, reverting the patch is not a good
> option.
>
>
> [NETFILTER]: Don't exclude local packets from MASQUERADING
>
> Increases consistency in source-address selection.
>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> ---
> commit 9baa5c67ff4ce57b6b9f68c90714a1bb876fccd7
> tree 27f2c48e12e1bb5e3e6d5f8320651c213892ed20
> parent fb13ab2849074244a51ae5147483610529a29ced
> author Patrick McHardy <kaber@trash.net> Sun, 14 Aug 2005 17:32:50 -0700
> committer David S. Miller <davem@sunset.davemloft.net> Mon, 29 Aug 2005 15:58:36 -0700
>
> net/ipv4/netfilter/ipt_MASQUERADE.c | 5 -----
> 1 files changed, 0 insertions(+), 5 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
> --- a/net/ipv4/netfilter/ipt_MASQUERADE.c
> +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
> @@ -86,11 +86,6 @@ masquerade_target(struct sk_buff **pskb, > > IP_NF_ASSERT(hooknum == NF_IP_POST_ROUTING); > > - /* FIXME: For the moment, don't do local packets, breaks > - testsuite for 2.3.49 --RR */ > - if ((*pskb)->sk) > - return NF_ACCEPT; > - > ct = ip_conntrack_get(*pskb, &ctinfo); > IP_NF_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED > || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)); > Thanks, reverting this made things work again. Are you confident in fixing this shortly, or should I just drop pump ? -- J.A. Magallon <jamagallon()able!es> \ Software is like sex: werewolf!able!es \ It's better when it's free Mandriva Linux release 2006.0 (Cooker) for i586 Linux 2.6.13-jam3 (gcc 4.0.1 (4.0.1-5mdk for Mandriva Linux release 2006.0)) ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 2.6.13-mm2
From: Patrick McHardy @ 2005-09-11 1:25 UTC
To: J.A. Magallon; +Cc: Linux-Kernel Lista, Andrew Morton, netdev

J.A. Magallon wrote:
> On 09.11, Patrick McHardy wrote:
>
>>[NETFILTER]: Don't exclude local packets from MASQUERADING
>>
> Thanks, reverting this made things work again.
>
> Are you confident in fixing this shortly, or should I just drop pump ?

I should have a fix within the next couple of days.

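An added illustration, not code from the thread or from the kernel: a small userspace C model of the diagnosis in Patrick McHardy's 1:03 message, comparing the MASQUERADE verdict with and without the removed `(*pskb)->sk` check for a forwarded packet, a UDP-socket DHCP client such as pump, and an AF_PACKET client. The names `masq_verdict` and `exempt_local` and the sample address are assumptions made for the example, as is the modelling of AF_PACKET frames as never reaching the rule, which follows the message's contrast between the two socket types.

```c
/* Added illustration: a userspace model, not kernel code. */
#include <stdint.h>
#include <stdio.h>

enum verdict { ACCEPT_UNTOUCHED, MASQUERADED, DROPPED, NOT_SEEN };
enum origin  { FORWARDED, LOCAL_UDP_SOCKET, LOCAL_AF_PACKET };

struct iface { const char *name; uint32_t addr; };  /* addr 0: not configured yet */

/* exempt_local != 0 models the removed "(*pskb)->sk" early return;
 * exempt_local == 0 models the patched target quoted in the thread. */
enum verdict masq_verdict(enum origin from, const struct iface *out,
                          int exempt_local)
{
    if (from == LOCAL_AF_PACKET)
        return NOT_SEEN;          /* assumption: frame bypasses the IP hooks */
    if (exempt_local && from == LOCAL_UDP_SOCKET)
        return ACCEPT_UNTOUCHED;  /* socket-owned packet is left alone */
    if (out->addr == 0)
        return DROPPED;           /* "MASQUERADE: eth0 ate my IP address" */
    return MASQUERADED;
}

static const char *name_of(enum verdict v)
{
    static const char *n[] = { "accept", "masquerade", "drop", "not seen" };
    return n[v];
}

int main(void)
{
    /* Constructed sample: eth0 before and after DHCP has configured it. */
    struct iface down = { "eth0", 0 }, up = { "eth0", 0xC0000202u };
    const char *who[] = { "forwarded", "pump (UDP socket)", "AF_PACKET client" };

    printf("%-20s %-12s %-12s %s\n",
           "sender", "old, no IP", "new, no IP", "new, has IP");
    for (int o = FORWARDED; o <= LOCAL_AF_PACKET; o++)
        printf("%-20s %-12s %-12s %s\n", who[o],
               name_of(masq_verdict(o, &down, 1)),
               name_of(masq_verdict(o, &down, 0)),
               name_of(masq_verdict(o, &up, 0)));
    return 0;
}
```

The middle column is the regression reported here: only the UDP-socket sender changes from "accept" to "drop" while eth0 still has no address.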