* masquerade_check: size 24 != 20
From: Duncan Sands @ 2003-10-03 12:46 UTC (permalink / raw)
To: netfilter; +Cc: Tom Eastep
With 2.4.23-pre and 2.5/6 kernels my firewall setup fails at this line:

    iptables -t nat -A atm0_masq -s 192.168.58.0/24 -d 0.0.0.0/0 -j MASQUERADE

(the kernel returns -EINVAL). On the other hand it works with 2.4.20+gentoo patches
with the same .config.

The command gets as far as the checkentry call into ipt_MASQUERADE.c
(i.e. masquerade_check), at which point it bails out because the size of
the ip_nat_multi_range type (20) differs from the target_size (24) passed
to it:

    translate_table: size 1112
    Finished chain 0
    Finished chain 3
    Finished chain 4
    find_inlist: loading `ipt_MASQUERADE'.
    masquerade_check: size 24 != 20.
    ip_tables: check failed for `MASQUERADE'.

The check in question is:

    if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
        DEBUGP("masquerade_check: size %u != %u.\n",
               targinfosize, sizeof(*mr));
        return 0;
    }

All this suggests to me that the size of some kernel structure has
changed. Now Tom Eastep tried with the same kernel and didn't
get this, which is kind of informative: it suggests a different compiler
version padding things differently (my gcc version is 3.2.3), or some
config setting I have quietly changing the size of some object. Before
rummaging around further, I thought I'd ask here if anyone has any
ideas.

Thanks for any help,

Duncan.
* Re: masquerade_check: size 24 != 20
From: Tom Eastep @ 2003-10-03 17:22 UTC (permalink / raw)
To: Duncan Sands; +Cc: netfilter
On Fri, 2003-10-03 at 05:46, Duncan Sands wrote:
> translate_table: size 1112
> Finished chain 0
> Finished chain 3
> Finished chain 4
> find_inlist: loading `ipt_MASQUERADE'.
> masquerade_check: size 24 != 20.
> ip_tables: check failed for `MASQUERADE'.
>
> The check in question is:
>
>     if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
>         DEBUGP("masquerade_check: size %u != %u.\n",
>                targinfosize, sizeof(*mr));
>         return 0;
>     }
>
Are you applying any updates from Patch-O-Matic?
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
* Re: masquerade_check: size 24 != 20
From: Duncan Sands @ 2003-10-04 9:07 UTC (permalink / raw)
To: Tom Eastep; +Cc: netfilter
On Friday 03 October 2003 19:22, Tom Eastep wrote:
> On Fri, 2003-10-03 at 05:46, Duncan Sands wrote:
> > translate_table: size 1112
> > Finished chain 0
> > Finished chain 3
> > Finished chain 4
> > find_inlist: loading `ipt_MASQUERADE'.
> > masquerade_check: size 24 != 20.
> > ip_tables: check failed for `MASQUERADE'.
> >
> > The check in question is:
> >
> >     if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
> >         DEBUGP("masquerade_check: size %u != %u.\n",
> >                targinfosize, sizeof(*mr));
> >         return 0;
> >     }
>
> Are you applying any updates from Patch-O-Matic?
No. What's that?
Duncan.
* Re: masquerade_check: size 24 != 20
From: Duncan Sands @ 2003-10-04 13:18 UTC (permalink / raw)
To: Tom Eastep; +Cc: netfilter
On Friday 03 October 2003 19:22, Tom Eastep wrote:
> On Fri, 2003-10-03 at 05:46, Duncan Sands wrote:
> > translate_table: size 1112
> > Finished chain 0
> > Finished chain 3
> > Finished chain 4
> > find_inlist: loading `ipt_MASQUERADE'.
> > masquerade_check: size 24 != 20.
> > ip_tables: check failed for `MASQUERADE'.
> >
> > The check in question is:
> >
> >     if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
> >         DEBUGP("masquerade_check: size %u != %u.\n",
> >                targinfosize, sizeof(*mr));
> >         return 0;
> >     }
>
> Are you applying any updates from Patch-O-Matic?
OK, it was a gentoo problem: they patched ip_conntrack_tuple.h
and changed it from:

    union ip_conntrack_manip_proto
    {
        /* Add other protocols here. */
        u_int16_t all;

        struct {
            u_int16_t port;
        } tcp;
        struct {
            u_int16_t port;
        } udp;
        struct {
            u_int16_t id;
        } icmp;
    };

to

    union ip_conntrack_manip_proto
    {
        /* Add other protocols here. */
        u_int32_t all;

        struct {
            u_int16_t port;
        } tcp;
        struct {
            u_int16_t port;
        } udp;
        struct {
            u_int16_t id;
        } icmp;
        struct {
            u_int32_t key;
        } gre;
    };

i.e. two bytes bigger. Since ip_nat_multi_range includes an
ip_nat_range, and ip_nat_range uses two ip_conntrack_manip_proto,
this led to a size increase of 4 bytes. The gentoo iptables is compiled
using the gentoo kernel headers, so it is using this larger structure,
and thus doesn't work with vanilla kernels.

Sorry to have wasted your time,

Duncan.
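
The size mismatch traced in this thread, reproduced as an added example (not code from the thread or from the kernel). The two unions are the ones quoted above; the surrounding `nat_range_*` / `nat_multi_range_*` fields and the 4-byte `ALIGN4` stand-in for IPT_ALIGN are assumptions chosen to match the reported sizes 20 and 24.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Vanilla union quoted in the thread: widest member is 16 bits. */
union manip_proto_vanilla {
    uint16_t all;
    struct { uint16_t port; } tcp;
    struct { uint16_t port; } udp;
    struct { uint16_t id; } icmp;
};

/* Gentoo-patched union quoted in the thread: 32-bit `all` and gre.key. */
union manip_proto_gentoo {
    uint32_t all;
    struct { uint16_t port; } tcp;
    struct { uint16_t port; } udp;
    struct { uint16_t id; } icmp;
    struct { uint32_t key; } gre;
};

/* Assumed layout: a range holds two unions, a multi-range holds one range. */
#define DEFINE_NAT_RANGE(tag, proto)         \
    struct nat_range_##tag {                 \
        unsigned int flags;                  \
        uint32_t min_ip, max_ip;             \
        union proto min, max;                \
    };                                       \
    struct nat_multi_range_##tag {           \
        unsigned int rangesize;              \
        struct nat_range_##tag range[1];     \
    }
DEFINE_NAT_RANGE(vanilla, manip_proto_vanilla);
DEFINE_NAT_RANGE(gentoo, manip_proto_gentoo);

/* Hypothetical stand-in for IPT_ALIGN, assuming 4-byte alignment. */
#define ALIGN4(s) (((s) + 3u) & ~(size_t)3u)

/* Size sent by a userspace tool built against the patched headers. */
size_t userspace_targinfosize(void) { return ALIGN4(sizeof(struct nat_multi_range_gentoo)); }
/* Size a kernel built from the vanilla headers compares against. */
size_t kernel_expected_size(void) { return ALIGN4(sizeof(struct nat_multi_range_vanilla)); }

/* Same comparison as the quoted check: 1 = accepted, 0 = rejected. */
int size_check(size_t targinfosize, size_t expected) { return targinfosize == expected; }

int main(void)
{
    printf("userspace=%zu kernel=%zu accepted=%d\n", userspace_targinfosize(),
           kernel_expected_size(), size_check(userspace_targinfosize(), kernel_expected_size()));
    return 0;
}
```

With 8-byte alignment both sizes would round up to 24, so this equality check would pass even though the two layouts still disagree.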