xtables does not reconise ipportiphash/ipportnethash sets

xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

I compiled xtables (1.28) from source on x86_64 system and it installs 
OK, except that none of the above two set types seem to be recognised!

When I type ipport --help ipportnethash/ipportiphash it all works as 
expected (the same goes for the man pages), but when I actually try to 
create this type of set I am getting 'unknown set type' error message.

Close examination of /lib/modules/... directory reveals that, actually, 
NO ip_set_ipportiphash.ko/ipportnethash.ko modules are present. The 
source directory (extensions/ipset) contains the source and header 
files, but that's about it - no .o, .so or .ko files, which leads me to 
believe that they have been completely ignored by the Makefile.

There is an additional file in that directory called modules.order, 
which seems to be automatically generated, and it does NOT contain these 
two files in its list.

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Jan Engelhardt]

On Wednesday 2010-09-22 21:19, Mr Dash Four wrote:

>I compiled xtables (1.28) from source on x86_64 system and it installs 
>OK, except that none of the above two set types seem to be recognised!
>
>Close examination of /lib/modules/... directory reveals that, actually, 
>NO ip_set_ipportiphash.ko/ipportnethash.ko modules are present.

Yes, it seems to be an unfortunate omission in the Kbuild file. A new 
release will be up shortly, since I have already been pointed towards 
2.6.36 changes.

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

> Yes, it seems to be an unfortunate omission in the Kbuild file. A new 
> release will be up shortly, since I have already been pointed towards 
> 2.6.36 changes.
>   
Oh, it's getting worse!

Because I use a custom-built kernel (built from source), every time a 
new kernel version is released I go through a little ritual:

Since the 2 kmod-* and xtabbles-addons rpms do not recognise the 
custom-built string after the kernel version - they moan (see the rpm 
-post and -pre scripts to know what I mean), so I have to build xtables 
from source. So, once I've compiled and installed my custom-built kernel 
I do the same thing with the xtables addons because of the above 
shortcoming.

As soon as the last kernel version was released (7-56 I think) I did 
compile xtables and installed it properly (though I did not notice the 
absence of these two ipsets). That was, by memory, last week.

A few days ago, I reinstalled a patched version of iptables (you know 
that, don't you!) so that I get to see the secmarks in their full glory. 
Earlier today, after I found out about the absence of the above two 
modules, I decided to do 'make clean' on the whole xtables source 
directory and compile it from scratch in the hope to trace back what is 
wrong.

Guess what? I cannot compile xtables now. I am getting the following error:

CC libxt_CHAOS.oo
libxt_CHAOS.c:99: warning: implicit declaration of function ‘ALIGN’
libxt_CHAOS.c:99: error: initializer element is not constant
libxt_CHAOS.c:99: error: (near initialization for ‘chaos_tg_reg.size’)
libxt_CHAOS.c:100: error: initializer element is not constant
libxt_CHAOS.c:100: error: (near initialization for 
‘chaos_tg_reg.userspacesize’)
make[3]: *** [libxt_CHAOS.oo] Error 1


I don't need to mention that I've never had this error before. At first 
I thought it is Tom's patch which caused this (thanks, Tom!), so I did 
download the iptables source and compiled it without the patch using 
rpmbuld -bb etc, then installed it. Nope! Same error.

What I will try in the next half an hour or so is to install the rpm 
which comes with F13 repos to see if that makes any difference because 
if it doesn't I am stuck. If it does work that means the rpm built with 
rpmbuild -bb from source is somewhat different from the one coming out 
of FC13 repos, which, to me, is rather odd!

Will post again when I know the outcome.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

> Will post again when I know the outcome.
Nope! It looks as though I stumbled over another kernel bug in 2.6.34 
described here - https://dev.openwrt.org/ticket/7730

So, I am stuck!

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Jan Engelhardt]

On Thursday 2010-09-23 01:23, Mr Dash Four wrote:
>
>>Yes, it seems to be an unfortunate omission in the Kbuild file. A new release
>>will be up shortly, since I have already been pointed towards 2.6.36 changes.
>  
>Oh, it's getting worse!

You willingly chose to use Redhat/Fedora. Now endure the pain! :-)

>Since the 2 kmod-* and xtabbles-addons rpms do not recognise the custom-built
>string after the kernel version -

Sounds like another Fedora problem. I know it works in openSUSE,
but that is probably because they make sure the custom string is
actually _in_ the version (as evidenced by `uname -r`).

>A few days ago, I reinstalled[...]
>
>Guess what? I cannot compile xtables now. I am getting the following error:
>
> CC libxt_CHAOS.oo
> libxt_CHAOS.c:99: warning: implicit declaration of function ‘ALIGN’
> libxt_CHAOS.c:99: error: initializer element is not constant
> libxt_CHAOS.c:99: error: (near initialization for ‘chaos_tg_reg.size’)
> libxt_CHAOS.c:100: error: initializer element is not constant
> libxt_CHAOS.c:100: error: (near initialization for
> ‘chaos_tg_reg.userspacesize’)
> make[3]: *** [libxt_CHAOS.oo] Error 1

Yes, someone made a big boo and furthermore did not send the fix to
-stable (actually I don't know that), but what I know is that it
did not appear in -stable yet. And then there is that 2.6.34 is
no longer maintained. Let alone distros mostly don't even think
about updating. So everybody using linux-glibc-devel-2.6.34
(that is the userspace package providing /usr/include/linux) is
screwed.
http://bugs.gentoo.org/show_bug.cgi?id=325257
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

> You willingly chose to use Redhat/Fedora. Now endure the pain! :-)
>   
I just wished I hadn't! 5 minutes ago I found yet ANOTHER bug - this 
time in selinux-policy - the SELinux context on all iptables executables 
is set wrong simply because whoever wrote the policy choose the wrong 
location of these files - in FC13 they are all installed in /sbin, but 
iptables.fc says /usr/sbin so the context is not set. Lovely stuff!

>> Since the 2 kmod-* and xtabbles-addons rpms do not recognise the custom-built
>> string after the kernel version -
>>     
>
> Sounds like another Fedora problem. I know it works in openSUSE,
> but that is probably because they make sure the custom string is
> actually _in_ the version (as evidenced by `uname -r`).
>   
So is on FC13 - I just checked and it is displayed - version + custom 
string. The problem is that the scripts are actually looking for the 
kernel numbers, ASSUMING there is nothing after it. How daft is that?


> Yes, someone made a big boo and furthermore did not send the fix to
> -stable (actually I don't know that), but what I know is that it
> did not appear in -stable yet. And then there is that 2.6.34 is
> no longer maintained. Let alone distros mostly don't even think
> about updating. So everybody using linux-glibc-devel-2.6.34
> (that is the userspace package providing /usr/include/linux) is
> screwed.
> http://bugs.gentoo.org/show_bug.cgi?id=325257
>   
I just found that out to my cost - need to download the patch, update my 
source and rebuild the kernel again, then rinse, repeat with xtables and 
hope that it works.

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Jan Engelhardt]

On Thursday 2010-09-23 02:30, Mr Dash Four wrote:
>
>>You willingly chose to use Redhat/Fedora. Now endure the pain! :-)
>
>I just wished I hadn't! 5 minutes ago I found yet ANOTHER bug - this 
>time in selinux-policy - the SELinux context on all iptables 
>executables is set wrong simply because whoever wrote the policy choose 
>the wrong location of these files - in FC13 they are all installed in 
>/sbin, but iptables.fc says /usr/sbin so the context is not set. Lovely 
>stuff!

That starts to sounds like the project is run with an uncorrelated 
concurrent asynchronous interaction of the manus(es). Suggested anger 
management should involve the double-agent maintainer who was bribed to 
put iptables in /sbin in the first place.

>> Sounds like another Fedora problem. I know it works in openSUSE,
>> but that is probably because they make sure the custom string is
>> actually _in_ the version (as evidenced by `uname -r`).
> 
>So is on FC13 - I just checked and it is displayed - version + custom string.
>The problem is that the scripts are actually looking for the kernel numbers,
>ASSUMING there is nothing after it. How daft is that?

(Oh I can tell tales too. The most recent one is a bug report that ended 
in pretty much "if you don't want to use the graphical installer, live 
with whatever strange decisions anaconda unilaterally did for you". 
But... I digress.)

>[bugzilla.gentoo.org/325257]
>I just found that out to my cost - need to download the patch, update 
>my source and rebuild the kernel again, then rinse, repeat with xtables 
>and hope that it

I wonder. F13 ships with linux-glibc-devel-2.6.33, F14A with -2.6.35. So 
where is the actual issue? Nevertheless, I have devised a workaround for 
2.6.34 headers. Check out xt-a's 
b5e2c7255a87f3d981968e21ea7f88401fe8f8ad and let me know.

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

> That starts to sounds like the project is run with an uncorrelated 
> concurrent asynchronous interaction of the manus(es). Suggested anger 
> management should involve the double-agent maintainer who was bribed to 
> put iptables in /sbin in the first place.
>   
Should they be in /usr/sbin then?

>> [bugzilla.gentoo.org/325257]
>> I just found that out to my cost - need to download the patch, update 
>> my source and rebuild the kernel again, then rinse, repeat with xtables 
>> and hope that it
>>     
>
> I wonder. F13 ships with linux-glibc-devel-2.6.33, F14A with -2.6.35. So 
> where is the actual issue? Nevertheless, I have devised a workaround for 
> 2.6.34 headers. Check out xt-a's 
> b5e2c7255a87f3d981968e21ea7f88401fe8f8ad and let me know.
>   
On my system it shows glibc-devel-2.12-3 (I don't have linux-glibc-devel).

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Jan Engelhardt]

On Thursday 2010-09-23 03:01, Mr Dash Four wrote:
>
>> That starts to sounds like the project is run with an uncorrelated concurrent
>> asynchronous interaction of the manus(es). Suggested anger management should
>> involve the double-agent maintainer who was bribed to put iptables in /sbin in
>> the first place.
> 
> Should they be in /usr/sbin then?

Yes. They are not essential to run fsck/mount/thelike in case of an 
emergency.

>>> [bugzilla.gentoo.org/325257]
>>> I just found that out to my cost - need to download the patch, update my
>>> source and rebuild the kernel again, then rinse, repeat with xtables and hope
>>> that it
>>>    
>>
>> I wonder. F13 ships with linux-glibc-devel-2.6.33, F14A with -2.6.35. So where
>> is the actual issue? Nevertheless, I have devised a workaround for 2.6.34
>> headers. Check out xt-a's b5e2c7255a87f3d981968e21ea7f88401fe8f8ad and let me
>> know.
>>  
> On my system it shows glibc-devel-2.12-3 (I don't have linux-glibc-devel).

It's called kernel-headers in Fedora. (Reason for it being called 
elsewhere is that some noobs spout out "you need kernel headers to build 
modules" and another noob installs kernel-headers rather than 
kernel-devel-XYZ.)

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

>>> I wonder. F13 ships with linux-glibc-devel-2.6.33, F14A with -2.6.35. So where
>>> is the actual issue? Nevertheless, I have devised a workaround for 2.6.34
>>> headers. Check out xt-a's b5e2c7255a87f3d981968e21ea7f88401fe8f8ad and let me
>>> know.
>>>  
>>>       
>> On my system it shows glibc-devel-2.12-3 (I don't have linux-glibc-devel).
>>     
>
> It's called kernel-headers in Fedora. (Reason for it being called 
> elsewhere is that some noobs spout out "you need kernel headers to build 
> modules" and another noob installs kernel-headers rather than 
> kernel-devel-XYZ.)
>   
So, in other words I should be looking for kernel-devel (I am sure I've 
got that)? Also, how do I 'check out xt-a's 
b5e2c7255a87f3d981968e21ea7f88401fe8f8ad'?

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Jan Engelhardt]

On Thursday 2010-09-23 12:48, Mr Dash Four wrote:

>
>>>> I wonder. F13 ships with linux-glibc-devel-2.6.33, F14A with -2.6.35. So
>>>> where
>>>> is the actual issue? Nevertheless, I have devised a workaround for 2.6.34
>>>> headers. Check out xt-a's b5e2c7255a87f3d981968e21ea7f88401fe8f8ad and let
>>>> me
>>>> know.
>>>>       
>>> On my system it shows glibc-devel-2.12-3 (I don't have linux-glibc-devel).
>>>    
>>
>> It's called kernel-headers in Fedora. (Reason for it being called elsewhere is
>> that some noobs spout out "you need kernel headers to build modules" and
>> another noob installs kernel-headers rather than kernel-devel-XYZ.)
>>  
> So, in other words I should be looking for kernel-devel (I am sure I've got

rpm -q kernel-headers

> that)? Also, how do I 'check out xt-a's
> b5e2c7255a87f3d981968e21ea7f88401fe8f8ad'?

`git clone git://xtables-addons.git.sf.net/gitroot/xtables-addons/xtables-addons` 

is what you probably seek.

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

> rpm -q kernel-headers
>   
kernel-headers-2.6.34.7-56.<my local string>.fc13.x86_64 (this was 
compiled from source)

>   
>> that)? Also, how do I 'check out xt-a's
>> b5e2c7255a87f3d981968e21ea7f88401fe8f8ad'?
>>     
>
> `git clone git://xtables-addons.git.sf.net/gitroot/xtables-addons/xtables-addons` 
>
> is what you probably seek.
>   
Done, though there is no 'configure'! How do I compile this stuff?

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Jan Engelhardt]

On Thursday 2010-09-23 13:21, Mr Dash Four wrote:
>
>> rpm -q kernel-headers
>>  
> kernel-headers-2.6.34.7-56.<my local string>.fc13.x86_64 (this was compiled
> from source)
>
>>  
>>> that)? Also, how do I 'check out xt-a's
>>> b5e2c7255a87f3d981968e21ea7f88401fe8f8ad'?
>>>    
>>
>> `git clone
>> git://xtables-addons.git.sf.net/gitroot/xtables-addons/xtables-addons` 
>> is what you probably seek.
>>  
> Done, though there is no 'configure'! How do I compile this stuff?

./autogen.sh, then configure.

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

> ./autogen.sh, then configure.
>   
on make I am getting this:

CC libxt_pknock.oo
libxt_pknock.c:330: warning: implicit declaration of function ‘ALIGN’
libxt_pknock.c:330: error: initializer element is not constant
libxt_pknock.c:330: error: (near initialization for ‘pknock_mt_reg.size’)
libxt_pknock.c:331: error: initializer element is not constant
libxt_pknock.c:331: error: (near initialization for 
‘pknock_mt_reg.userspacesize’)
make[5]: *** [libxt_pknock.oo] Error 1


So, basically, the same thing!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Jan Engelhardt]

On Thursday 2010-09-23 14:21, Mr Dash Four wrote:
>
>> ./autogen.sh, then configure.
>>  
> on make I am getting this:
>
> CC libxt_pknock.oo
> libxt_pknock.c:330: warning: implicit declaration of function ‘ALIGN’
> libxt_pknock.c:330: error: initializer element is not constant
> libxt_pknock.c:330: error: (near initialization for ‘pknock_mt_reg.size’)
> libxt_pknock.c:331: error: initializer element is not constant
> libxt_pknock.c:331: error: (near initialization for
> ‘pknock_mt_reg.userspacesize’)
> make[5]: *** [libxt_pknock.oo] Error 1

Hm. Can you just send me your F13 kernel-headers-2.6.34 rpm in private 
please, so I can figure out why the workaround does not fly yet.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

> Hm. Can you just send me your F13 kernel-headers-2.6.34 rpm in private 
> please, so I can figure out why the workaround does not fly yet.
>   
Sent privately! You've probably noticed this, but it is a different file 
this time - libxt_pknock.oo

Re: xtables does not reconise ipportiphash/ipportnethash sets

[Mr Dash Four]

> Hm. Can you just send me your F13 kernel-headers-2.6.34 rpm in private 
> please, so I can figure out why the workaround does not fly yet.
>   
Just noticed another error further up (about 50 lines above the last I 
sent you):

CC libxt_ACCOUNT.oo
libxt_ACCOUNT.c:147: warning: implicit declaration of function ‘ALIGN’
libxt_ACCOUNT.c:147: error: initializer element is not constant
libxt_ACCOUNT.c:147: error: (near initialization for ‘account_tg_reg.size’)
make[5]: *** [libxt_ACCOUNT.oo] Error 1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html