bugzilla-daemon at netfilter.org
2017-Apr-21 00:00 UTC
[Bug 1147] New: iptables rule to match a 'set' shows [unsupported revision]
https://bugzilla.netfilter.org/show_bug.cgi?id=1147
Bug ID: 1147
Summary: iptables rule to match a 'set' shows [unsupported revision]
Product: iptables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: anubis at iwwd.com
On a Debian 8 instance I'm receiving the following output for a 'match set' rule:
Chain POSTROUTING (policy ACCEPT 3 packets, 214 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 set [unsupported revision]
I'm using iptables-1.6.1 and ipset-6.32
Is there perhaps something I'm missing or is this an issue? Will the set
continue to function?
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170421/e598e1ed/attachment.html>
bugzilla-daemon at netfilter.org
2017-Apr-26 21:22 UTC
[Bug 1147] iptables rule to match a 'set' shows [unsupported revision]
https://bugzilla.netfilter.org/show_bug.cgi?id=1147
Willem de Bruijn <willem.j.debruijn at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |willem.j.debruijn at gmail.com
--- Comment #1 from Willem de Bruijn <willem.j.debruijn at gmail.com> ---
We're looking into this. See also the discussion in the thread for the patch
that likely introduced this regression
[next] iptables: on revision mismatch, do not call print/save
bfa3321fedcb5b4b313d255753351397447a5669
https://patchwork.ozlabs.org/patch/704255/
bugzilla-daemon at netfilter.org
2017-Apr-26 22:56 UTC
[Bug 1147] iptables rule to match a 'set' shows [unsupported revision]
https://bugzilla.netfilter.org/show_bug.cgi?id=1147
--- Comment #2 from Willem de Bruijn <willem.j.debruijn at gmail.com> ---
Can you paste the exact commands that you used, as well as the output of `uname -a` to give the kernel version?
bugzilla-daemon at netfilter.org
2017-Apr-27 11:41 UTC
[Bug 1147] iptables rule to match a 'set' shows [unsupported revision]
https://bugzilla.netfilter.org/show_bug.cgi?id=1147
--- Comment #3 from anubis at iwwd.com ---
Hi Willem,
Thanks for the update.
The system base is Debian 8.7.1
I'm using a custom kernel which is based on the pure kernel source 4.9.0
patched to include the IMQ driver.
Linux camulus 4.9.0-kustkernel-20170208 #2 SMP Thu Feb 9 00:39:02 AEDT 2017 x86_64 GNU/Linux
The iptables version is "iptables v1.6.1" patched for the IMQ driver inclusion.
The ipset version is "ipset v6.32"
The commands used were:
ipset create LocalMasq hash:net
ipset add LocalMasq 192.168.2.0/24
ipset add LocalMasq 192.168.10.0/24
iptables -t nat -A POSTROUTING -m set --match-set LocalMasq src -o eth0 -j MASQUERADE
root at camulus:~# iptables -t nat -vxnL
...SNIP...
Chain POSTROUTING (policy ACCEPT 12756 packets, 905661 bytes)
pkts bytes target prot opt in out source destination
615 35682 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 set [unsupported revision]
bugzilla-daemon at netfilter.org
2017-Apr-30 20:35 UTC
[Bug 1147] iptables rule to match a 'set' shows [unsupported revision]
https://bugzilla.netfilter.org/show_bug.cgi?id=1147
--- Comment #4 from Willem de Bruijn <willem.j.debruijn at gmail.com> ---
Thanks for the step-by-step instructions.
I am unable to reproduce those steps on an upstream v4.9 or v4.11-rc8 with
ipset 6.32 and iptables 1.6.1 both built from head:
./xtables-multi.1.6.1 iptables --version
iptables v1.6.1
./ipset -v
ipset v6.32, protocol version: 6
./ipset create LocalMasq hash:net
./ipset add LocalMasq 192.168.2.0/24
./ipset add LocalMasq 192.168.10.0/24
./xtables-multi.1.6.1 iptables -A POSTROUTING -t nat -m set --match-set myset src -o eth0 -j MASQUERADE
./xtables-multi.1.6.1 iptables -t nat -A POSTROUTING -m set --match-set LocalMasq src -o eth0 -j MASQUERADE
./xtables-multi.1.6.1 iptables -vxnL -t nat
./xtables-multi.1.6.1 iptables -t nat -F
./ipset --destroy LocalMasq
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 match-set myset src
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 match-set LocalMasq src
We are aware of one issue that would trigger this output: when different
iptables binaries are used on the same machine, such that one binary supports
fewer match revisions than the other and the kernel. I am working on a fix.
bugzilla-daemon at netfilter.org
2017-May-01 02:19 UTC
[Bug 1147] iptables rule to match a 'set' shows [unsupported revision]
https://bugzilla.netfilter.org/show_bug.cgi?id=1147
--- Comment #5 from Willem de Bruijn <willem.j.debruijn at gmail.com> ---
The default iptables in debian 8 is 1.4.21 according to [1]
That version lacks revision 4 of match set. Inserting a set with this binary,
then reading with a manually compiled one will indeed trigger
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 set [unsupported revision]
[1] https://packages.debian.org/jessie/admin/iptables
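Added example, not part of the bug thread or of iptables itself: a shell check for the condition described in comments #4 and #5, where rules inserted by one iptables binary are listed by another as [unsupported revision]. The function names, the searched directories and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: spot rules listed as "[unsupported revision]" and check whether
# more than one iptables version is installed. Sample data below is constructed.

SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts    bytes target      prot opt in  out   source       destination
     615    35682 MASQUERADE  all  --  *   eth0  0.0.0.0/0    0.0.0.0/0    set [unsupported revision]
       0        0 MASQUERADE  all  --  *   eth0  0.0.0.0/0    0.0.0.0/0    match-set LocalMasq src'

# stdin: `iptables -vxnL` output. stdout: "chain<TAB>rule" per undecodable rule.
find_unsupported() {
    awk '
        /^Chain /                  { chain = $2; next }
        /\[unsupported revision\]/ { sub(/^[ \t]+/, ""); print chain "\t" $0 }
    '
}

# args: directories to search. stdout: "path version" per iptables binary found.
list_iptables_binaries() {
    for dir in "$@"; do
        for bin in "$dir"/iptables "$dir"/xtables-multi*; do
            [ -x "$bin" ] || continue
            case "$bin" in
                */xtables-multi*) out=$("$bin" iptables --version 2>/dev/null) || continue ;;
                *)                out=$("$bin" --version 2>/dev/null) || continue ;;
            esac
            # First line looks like "iptables v1.6.1"; keep the version field.
            printf '%s %s\n' "$bin" "$(printf '%s\n' "$out" | awk 'NR == 1 { print $2 }')"
        done
    done
}

# stdin: "path version" lines. stdout: number of distinct versions seen.
distinct_versions() {
    awk 'NF >= 2 { seen[$2] = 1 } END { n = 0; for (v in seen) n++; print n }'
}

# Demo on the constructed listing. On a live host, run as root:
#   iptables -t nat -vxnL | find_unsupported
#   list_iptables_binaries /sbin /usr/sbin /usr/local/sbin | distinct_versions
printf '%s\n' "$SAMPLE_LISTING" | find_unsupported
```

A result greater than 1 from distinct_versions means rules may be written by one binary and read by another, which is the mismatch the thread identifies.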
bugzilla-daemon at netfilter.org
2018-Mar-07 08:51 UTC
[Bug 1147] iptables rule to match a 'set' shows [unsupported revision]
https://bugzilla.netfilter.org/show_bug.cgi?id=1147
Serhey Popovych <serhe.popovych at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |serhe.popovych at gmail.com
bugzilla-daemon at netfilter.org
2018-Apr-30 09:32 UTC
[Bug 1147] iptables rule to match a 'set' shows [unsupported revision]
https://bugzilla.netfilter.org/show_bug.cgi?id=1147
--- Comment #6 from Serhey Popovych <serhe.popovych at gmail.com> ---
Proposed fix merged into master:
12a52ff xtables: Fix rules print/save after iptables update
1197c5e xtables: Register all match/target revisions supported by us and kernel
e3bb24c xtables: Check match/target size vs XT_ALIGN(size) at register time
3b2530c xtables: Do not register matches/targets with incompatible revision
Will mark as resolved after iptables release (v1.6.3).
bugzilla-daemon at netfilter.org
2019-Jul-12 11:04 UTC
[Bug 1147] iptables rule to match a 'set' shows [unsupported revision]
https://bugzilla.netfilter.org/show_bug.cgi?id=1147
Jozsef Kadlecsik <kadlec at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
CC| |kadlec at netfilter.org