Linux Netfilter discussions
 help / color / mirror / Atom feed
From: Duncan Sands <baldrick@free.fr>
To: Tom Eastep <teastep@shorewall.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: masquerade_check: size 24 != 20
Date: Sat, 4 Oct 2003 15:18:26 +0200	[thread overview]
Message-ID: <200310041518.26254.baldrick@free.fr> (raw)
In-Reply-To: <1065201775.27885.4.camel@wookie.shorewall.net>

On Friday 03 October 2003 19:22, Tom Eastep wrote:
> On Fri, 2003-10-03 at 05:46, Duncan Sands wrote:
> > translate_table: size 1112
> > Finished chain 0
> > Finished chain 3
> > Finished chain 4
> > find_inlist: loading `ipt_MASQUERADE'.
> > masquerade_check: size 24 != 20.
> > ip_tables: check failed for `MASQUERADE'.
> >
> > The check in question is:
> >
> >         if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
> >                 DEBUGP("masquerade_check: size %u != %u.\n",
> >                        targinfosize, sizeof(*mr));
> >                 return 0;
> >         }
>
> Are you applying any updates from Patch-O-Matic?

OK, it was a gentoo problem: they patched ip_conntrack_tuple.h
and changed it from:

union ip_conntrack_manip_proto
{
        /* Add other protocols here. */
        u_int16_t all;

        struct {
                u_int16_t port;
        } tcp;
        struct {
                u_int16_t port;
        } udp;
        struct {
                u_int16_t id;
        } icmp;
};

to

union ip_conntrack_manip_proto
{
        /* Add other protocols here. */
        u_int32_t all;

        struct {
                u_int16_t port;
        } tcp;
        struct {
                u_int16_t port;
        } udp;
        struct {
                u_int16_t id;
        } icmp;
        struct {
                u_int32_t key;
        } gre;
};

i.e. two bytes bigger.  Since ip_nat_multi_range includes an
ip_nat_range, and ip_nat_range uses two ip_conntrack_manip_proto,
this led to a size increase of 4 bytes.  The gentoo iptables is compiled
using the gentoo kernel headers, so it is using this larger structure,
and thus doesn't work with vanilla kernels.

Sorry to have wasted your time,

Duncan.


  parent reply	other threads:[~2003-10-04 13:18 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-10-03 12:46 masquerade_check: size 24 != 20 Duncan Sands
2003-10-03 17:22 ` Tom Eastep
2003-10-04  9:07   ` Duncan Sands
2003-10-04 13:18   ` Duncan Sands [this message]
  -- strict thread matches above, loose matches on Subject: below --
2003-10-03 13:35 Duncan Sands

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200310041518.26254.baldrick@free.fr \
    --to=baldrick@free.fr \
    --cc=netfilter@lists.netfilter.org \
    --cc=teastep@shorewall.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox