From mboxrd@z Thu Jan 1 00:00:00 1970 From: Francis Dupont Subject: Re: netfilter spurious ELOOP Date: Wed, 25 Mar 2009 17:37:42 +0000 Message-ID: <20090325173742.3C509E601C@farside.isc.org> References: <200903242302.n2ON25u4024288@givry.fdupont.fr> <20090324.162808.114465835.davem@davemloft.net> <49CA64D8.9040602@trash.net> Cc: David Miller , Francis.Dupont@fdupont.fr, linux-kernel@vger.kernel.org, coreteam@netfilter.org, netfilter-devel@vger.kernel.org, netdev@vger.kernel.org To: Patrick McHardy Return-path: In-reply-to: <49CA64D8.9040602@trash.net> Sender: linux-kernel-owner@vger.kernel.org List-Id: netfilter-devel.vger.kernel.org > Just to clarify: does the problem happens when you have the MARK rule > above in a user-defined chain that has more then one jump leading to > it or does it also happen in other cases? => I triggered the bug with a real world example: - first add a rule with a MARK target using a set mark with the first/sign bit set to one. This target is coded with this mark put at the same place than the verdict field of standard targets. (note this should be triggered by a lot of targets but I got it with MARK) - try to add another rule (with -A or -I but this works too with restore, the idea is to get a replace ioctl with an illegal value in a verdict position). - if you are (un?)lucky you get the ELOOP error. If you read my proposed fix the problem is pretty easy to understand. I asked diff to give enough context for human (i.e., more than needed to apply it as a patch). Thanks Francis_Dupont@isc.org PS: I really need a bug-ticket-etc number because some business is implied (BTW IMHO you prefer to get the report once and by the most direct path, don't you?) PPS: here I've cut & paste the config I used to track the bug: -------------------------------- save file -------------------------------- # Generated by iptables-save v1.4.2 on Tue Mar 24 18:54:43 2009 *filter :INPUT ACCEPT [11843:1222672] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [7216:1221713] COMMIT # Completed on Tue Mar 24 18:54:43 2009 # Generated by iptables-save v1.4.2 on Tue Mar 24 18:54:43 2009 *mangle :PREROUTING ACCEPT [1209557:93278988] :INPUT ACCEPT [1209182:93208843] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [668677:2806960697] :POSTROUTING ACCEPT [668677:2806960697] :MARKOUT1 - [0:0] -A PREROUTING -d 10.0.200.2/32 -p tcp -m tcp --dport 5001 -j MARKOUT1 -A MARKOUT1 -j MARK --set-xmark 0x80000001/0xffffffff -A MARKOUT1 -j CONNMARK --save-mark --nfmask 0x3fffffff --ctmask 0x3fffffff -A MARKOUT1 -j ACCEPT COMMIT # Completed on Tue Mar 24 18:54:43 2009 -------------------------------- cut here -------------------------------- I got the bug with the UDP counterpart: iptables -t mangle -A PREROUTING -d 10.0.200.2/32 -p udp --dport 5001 \ -j MARKOUT1