Florian CROUZAT
2011-Sep-28 08:01 UTC
[CentOS] CentOS 6.0: iptables stacktrace with named chains > 28 chars
Hi,

I'm not sure where to ask this question, you, redhat or netfilter so I'll ask you guys first, hoping you can redirect me where this post belongs.

I have an issue with my CentOS 6 box with named chains in iptables. Apparently there is a builtin #define to limit chain names up to 30 chars, but the test condition fails and iptables crashes with a stacktrace.

# cat /etc/redhat-release
CentOS Linux release 6.0 (Final)

# rpm -qa | fgrep iptables
iptables-ipv6-1.4.7-3.el6.x86_64
iptables-1.4.7-3.el6.x86_64

Use cases prove that you can create chains with names up to =30 chars but you can only reference <=28 chars named chains. Trying to reference a 29 or 30 chars named chains will crash iptables.

====

Use cases with 28,29,30 and 31 chars long named chains:

# iptables -N $(for((i=0;i<28;i++));do printf "%s" "a";done) && echo ok || echo ko
ok

# iptables -N $(for((i=0;i<29;i++));do printf "%s" "b";done) && echo ok || echo ko
ok

# iptables -N $(for((i=0;i<30;i++));do printf "%s" "c";done) && echo ok || echo ko
ok

iptables -N $(for((i=0;i<31;i++));do printf "%s" "d";done) && echo ok || echo ko
iptables v1.4.7: chain name `ddddddddddddddddddddddddddddddd' too long (must be under 30 chars)
Try `iptables -h' or 'iptables --help' for more information.
ko

# iptables -I INPUT -j aaaaaaaaaaaaaaaaaaaaaaaaaaaa && echo ok || echo ko
ok

# iptables -I INPUT -j bbbbbbbbbbbbbbbbbbbbbbbbbbbbb && echo ok || echo ko
<stacktrace>
ko

# iptables -I INPUT -j cccccccccccccccccccccccccccccc && echo ok || echo ko
<stacktrace>
ko

I can attach strace output or the stacktrace if required.
Any infos where to report this issue much appreciated.

Florian.
Florian Crouzat
2011-Sep-29 07:38 UTC
[CentOS] CentOS 6.0: iptables stacktrace with named chains > 28 chars
Florian CROUZAT wrote on 2011-09-28:

> Hi,
>
> I'm not sure where to ask this question, you, redhat or netfilter so
> I'll ask you guys first, hoping you can redirect me where this post
> belongs. I have an issue with my CentOS 6 box with named chains in
> iptables. Apparently there is a builtin #define to limit chain names up
> to 30 chars, but the test condition fails and iptables crashes with a
> stacktrace.
>
> # cat /etc/redhat-release
> CentOS Linux release 6.0 (Final)
>
> # rpm -qa | fgrep iptables
> iptables-ipv6-1.4.7-3.el6.x86_64
> iptables-1.4.7-3.el6.x86_64
>
> Use cases prove that you can create chains with names up to =30 chars
> but you can only reference <=28 chars named chains. Trying to reference
> a 29 or 30 chars named chains will crash iptables.
>
> ====
>
> Use cases with 28,29,30 and 31 chars long named chains:
>
> # iptables -N $(for((i=0;i<28;i++));do printf "%s" "a";done) && echo ok || echo ko
> ok
>
> # iptables -N $(for((i=0;i<29;i++));do printf "%s" "b";done) && echo ok || echo ko
> ok
>
> # iptables -N $(for((i=0;i<30;i++));do printf "%s" "c";done) && echo ok || echo ko
> ok
>
> iptables -N $(for((i=0;i<31;i++));do printf "%s" "d";done) && echo ok || echo ko
> iptables v1.4.7: chain name `ddddddddddddddddddddddddddddddd' too long (must be under 30 chars)
> Try `iptables -h' or 'iptables --help' for more information.
> ko
>
> # iptables -I INPUT -j aaaaaaaaaaaaaaaaaaaaaaaaaaaa && echo ok || echo ko
> ok
>
> # iptables -I INPUT -j bbbbbbbbbbbbbbbbbbbbbbbbbbbbb && echo ok || echo ko
> <stacktrace>
> ko
>
> # iptables -I INPUT -j cccccccccccccccccccccccccccccc && echo ok || echo ko
> <stacktrace>
> ko
>
> I can attach strace output or the stacktrace if required.
> Any infos where to report this issue much appreciated.
>
> Florian.
> http://lists.centos.org/mailman/listinfo/centos

This bug is not reproducible on CentOS release 5.6 (Final).

Florian
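
An added example, not part of the original posts: a check over iptables-save text that flags chain names longer than the 28 characters the thread reports as safe to reference on iptables 1.4.7-3.el6, both where a chain is declared and where a rule jumps to it. The function names, the SAFE_LEN variable and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a ruleset before loading it on the affected build.
# SAFE_LEN=28 is taken from the thread's test results (29 and 30 crash on -j).
SAFE_LEN=28

# Reads iptables-save text on stdin and prints one line per finding:
#   DECLARED <table> <chain> <len>   chain declared with a name > SAFE_LEN
#   JUMP     <table> <chain> <len>   rule whose -j/-g target is such a name
audit_chain_names() {
    awk -v max="$SAFE_LEN" '
        /^\*/ { table = substr($0, 2); next }      # "*filter" opens a table
        /^:/  {                                     # ":NAME POLICY [pkts:bytes]"
            name = substr($1, 2)
            if (length(name) > max)
                printf "DECLARED %s %s %d\n", table, name, length(name)
            next
        }
        # Rule lines start with -A, or with "[pkts:bytes] -A" when saved with -c.
        $1 == "-A" || $2 == "-A" {
            for (i = 1; i < NF; i++)
                if (($i == "-j" || $i == "-g") && length($(i + 1)) > max)
                    printf "JUMP %s %s %d\n", table, $(i + 1), length($(i + 1))
        }
    '
}

# Helper: print CHAR repeated N times (avoids hand-counted literals).
repeat() {
    awk -v c="$1" -v n="$2" 'BEGIN { for (i = 0; i < n; i++) printf "%s", c }'
}

# Constructed sample in iptables-save format, using the thread's 28/29/30
# character names. This is not output captured from the poster's machine.
sample_ruleset() {
    a=$(repeat a 28); b=$(repeat b 29); c=$(repeat c 30)
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        ":$a - [0:0]" ":$b - [0:0]" ":$c - [0:0]" \
        "-A INPUT -j $a" "[0:0] -A INPUT -p tcp -j $b" 'COMMIT'
}

sample_ruleset | audit_chain_names
```

On a live host the same function can be fed from `iptables-save | audit_chain_names`.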