From: Ray Van Dolson <rayvd@digitalpath.net>
To: netfilter@lists.netfilter.org
Subject: iptables: Invalid argument when using -t nat on CentOS 4.2
Date: Wed, 26 Oct 2005 22:01:48 -0700 [thread overview]
Message-ID: <20051027050148.GA3298@digitalpath.net> (raw)
Running CentOS 4.2, I wanted to add the pptp/gre conntrack features to my
kernel (2.6.9-22.EL).
Downloaded the latest POM and installed the kernel-sourcecode RPM for CentOS.
Ran patch-o-matic, selected the patches, applied -- no problems yet.
Successfully rebuilt the kernel with the PPTP/GRE options for netfilter.
Installed kernel & modules and rebooted.
Now is where the fun begins...
Running the following gives me an error now:
/sbin/iptables -A POSTROUTING -t nat -o eth0 -s 192.168.11.0/24 -j MASQUERADE
iptables: Invalid argument
Ok, whoops, forgot to rebuild iptables. I retrieve the iptables src rpm and
rebuild it and reinstall iptables. Same problem.
I download the iptables source code and build it manually, installing to
/usr/local. Run /usr/local/sbin/iptables ... (as above). Same error.
I note that iptables is probably picking up headers from /usr/include/linux
which are part of the glibc-kernheaders package in CentOS/RHES. The files in
/usr/include/linux/netfilter_ipv4 do not include the headers added by the
pptp/gre patches above. Shot in the dark...
Try and build iptables against /usr/src/linux-2.6.9-22.EL's includes. No go
-- tells me to use the glibc-kernheaders ones. So I copy the newly added
pptp/gre headers out of the kernel source dir into
/usr/include/linux/netfilter_ipv4 and rebuild.
Still getting the same invalid argument as above.
Well, maybe kernel modules aren't loading correctly?
[root@langw rc.d]# lsmod
Module Size Used by
ipt_MASQUERADE 3968 0
ip_nat_tftp 4272 0
ip_conntrack_tftp 4464 0
md5 4352 1
ipv6 235968 12
autofs4 23684 0
i2c_dev 11776 0
i2c_core 22528 1 i2c_dev
tun 9472 1
sunrpc 160100 1
iptable_nat 23612 2 ipt_MASQUERADE,ip_nat_tftp
ipt_limit 3200 5
ipt_REJECT 6912 2
ipt_LOG 6784 2
ipt_multiport 2304 2
ipt_state 2176 5
ip_conntrack 41140 5 ipt_MASQUERADE,ip_nat_tftp,ip_conntrack_tftp,iptable_nat,ipt_state
iptable_filter 3200 1
ip_tables 17152 8 ipt_MASQUERADE,iptable_nat,ipt_limit,ipt_REJECT,ipt_LOG,ipt_multiport,ipt_state,iptable_filter
button 6928 0
battery 9220 0
ac 5124 0
snd_via82xx 26756 0
snd_ac97_codec 64336 1 snd_via82xx
snd_pcm_oss 49592 0
snd_mixer_oss 18432 1 snd_pcm_oss
snd_pcm 97416 2 snd_via82xx,snd_pcm_oss
snd_timer 30340 1 snd_pcm
snd_page_alloc 10120 2 snd_via82xx,snd_pcm
snd_mpu401_uart 9088 1 snd_via82xx
snd_rawmidi 27044 1 snd_mpu401_uart
snd_seq_device 8584 1 snd_rawmidi
snd 56164 9 snd_via82xx,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device
soundcore 10336 1 snd
8139too 26368 0
via_rhine 23560 0
mii 4992 2 8139too,via_rhine
floppy 58800 0
dm_snapshot 16836 0
dm_zero 2304 0
dm_mirror 27632 0
ext3 116744 2
jbd 71192 1 ext3
dm_mod 56468 6 dm_snapshot,dm_zero,dm_mirror
Everything looks good. I see iptable_nat and ipt_MASQUERADE too!
strace on iptables...
[root@langw iptables-1.2.11.orig]# strace /usr/local/sbin/iptables -A POSTROUTING -t nat -o eth0 -s 192.168.10.0/24 -j MASQUERADE
execve("/usr/local/sbin/iptables", ["/usr/local/sbin/iptables", "-A", "POSTROUTING", "-t", "nat", "-o", "eth0", "-s", "192.168.10.0/24", "-j", "MASQUERADE"], [/* 19 vars */]) = 0
uname({sys="Linux", node="langw.digitalpath.net", ...}) = 0
brk(0) = 0x89e5000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=35116, ...}) = 0
old_mmap(NULL, 35116, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ff7000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260+c\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=15324, ...}) = 0
old_mmap(0x632000, 12388, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x632000
old_mmap(0x634000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x634000
close(3) = 0
open("/lib/libnsl.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320To\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=95148, ...}) = 0
old_mmap(0x6f2000, 88064, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x6f2000
old_mmap(0x704000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x704000
old_mmap(0x706000, 6144, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x706000
close(3) = 0
open("/lib/tls/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\257"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1454462, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ff6000
old_mmap(0x506000, 1219772, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x506000
old_mmap(0x62a000, 16384, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x124000) = 0x62a000
old_mmap(0x62e000, 7356, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x62e000
close(3) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ff5000
mprotect(0x62a000, 4096, PROT_READ) = 0
mprotect(0x502000, 4096, PROT_READ) = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7ff56c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7ff7000, 35116) = 0
brk(0) = 0x89e5000
brk(0x8a06000) = 0x8a06000
open("/usr/local/lib/iptables/libipt_MASQUERADE.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\34\4\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=4103, ...}) = 0
old_mmap(NULL, 6432, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0xd54000
old_mmap(0xd55000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xd55000
close(3) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "nat\0\264\3545\300\264\3545\300U\0\0\0\305\267\24\300\340"..., [84]) = 0
getsockopt(3, SOL_IP, 0x41 /* IP_??? */, "nat\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [656]) = 0
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "nat\0\300\332b\0RADE\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 876) = -1 EINVAL (Invalid argument)
write(2, "iptables: Invalid argument\n", 27iptables: Invalid argument) = 27
exit_group(1) = ?
Process 19506 detached
What am I missing here?
This all works perfectly again if I revert to the stock CentOS 2.6.9-22.EL
kernel (without the GRE/PPTP conntrack patches).
gdb on iptables perhaps?
Ray