Hello all,

I got this problem while trying to shape traffic with iptables MARK and HTB.

MARK: targinfosize 8 != 4

--set-mark gives "invalid argument" error message.

Kernel version is 2.4.29 (some patches from patch o matic applied)
Iptables version 1.3.4

Intel x86 architecture.

I saw this problem discussed in a few places, but the discussions didn't come to a conclusion or solution.

please help...

thanks
Salim

Hi Salim :)

* Salim <salim.si@askey.com.tw> dixit:
> I got this problem while trying to shape traffic with iptables MARK and
> HTB.
>
> MARK: targinfosize 8 != 4
>
> --set-mark gives "invalid argument" error message.
>
> Kernel version is 2.4.29 (some patches from patch o matic applied)
> Iptables version 1.3.4
>
> Intel x86 architecture.
>
> I saw this problem discussed in a few places, but the discussions didn't
> come to a conclusion or solution.

You've hit a bug in iptables :( I've notified in the bugzilla but I have had no answers. You're building iptables with no shared libraries (NO_SHARED_LIBS=1). This means that the code in iptables, when loading the "modules" for the matches and targets is taking a slightly different code path. The problem is that the MARK target has two versions, 0 and 1, and kernel 2.4.x (at least until 31) supports only version 0. If you don't use shared libraries in iptables, both versions are loaded and v1 is used instead of v2. Unfortunately, v1 has a bigger data structure than v0 and your kernel complains.

The only solution for your problem is to rebuild iptables with shared libraries instead of compiling the matches and targets in the binary, statically. I've tried to make a patch, and it worked for me, but I don't want to mess anything so I've described the problem, the wrong code path and other details to the iptables people.

If you want to take a look the bug is #413 in bugzilla.netfilter.org

And yes, nobody seems to have this problem because it seems that only a few people use iptables built statically :?? or because nobody seems to be interested.

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | dervishd.net
pleyades.net & gotesdelluna.net
It's my PC and I'll cry if I want to...

DervishD wrote:
> Hi Salim :)
>
> * Salim <salim.si@askey.com.tw> dixit:
>
>> I got this problem while trying to shape traffic with iptables MARK and
>> HTB.
>>
>> MARK: targinfosize 8 != 4
>>
>> --set-mark gives "invalid argument" error message.
>>
>> Kernel version is 2.4.29 (some patches from patch o matic applied)
>> Iptables version 1.3.4
>>
>> Intel x86 architecture.
>>
>> I saw this problem discussed in a few places, but the discussions didn't
>> come to a conclusion or solution.
>
> You've hit a bug in iptables :( I've notified in the bugzilla but
> I have had no answers. You're building iptables with no shared
> libraries (NO_SHARED_LIBS=1). This means that the code in iptables,
> when loading the "modules" for the matches and targets is taking a
> slightly different code path. The problem is that the MARK target
> has two versions, 0 and 1, and kernel 2.4.x (at least until 31)
> supports only version 0. If you don't use shared libraries in
> iptables, both versions are loaded and v1 is used instead of v2.
> Unfortunately, v1 has a bigger data structure than v0 and your kernel
> complains.

That can't be the reason, all revisions of a single match/target are in the same object file and the supported revision is (supposed to be) probed. Salim, can you send a strace of the failing iptables command?

> That can't be the reason, all revisions of a single match/target are
> in the same object file and the supported revision is (supposed to be)
> probed. Salim, can you send a strace of the failing iptables command?

The key being "supposed to be". :-)

Try the patch below. (It's bug #413 in bugzilla)

/Jones

Signed-off-by: Jones Desougi <jones@ingate.com>

diff -r -u --new-file iptables-1.3.4/include/ip6tables.h iptables/include/ip6tables.h --- iptables-1.3.4/include/ip6tables.h 2005-06-24 18:34:17.000000000 +0200 +++ iptables/include/ip6tables.h 2005-11-19 16:31:07.000000000 +0100 @@ -130,6 +130,7 @@ enum ip6t_tryload { DONT_LOAD, + DURING_LOAD, TRY_LOAD, LOAD_MUST_SUCCEED }; diff -r -u --new-file iptables-1.3.4/include/iptables.h iptables/include/iptables.h --- iptables-1.3.4/include/iptables.h 2005-11-19 16:26:12.000000000 +0100 +++ iptables/include/iptables.h 2005-11-19 16:30:47.000000000 +0100 @@ -162,6 +162,7 @@ enum ipt_tryload { DONT_LOAD, + DURING_LOAD, TRY_LOAD, LOAD_MUST_SUCCEED }; diff -r -u --new-file iptables-1.3.4/ip6tables.c iptables/ip6tables.c --- iptables-1.3.4/ip6tables.c 2005-07-29 15:28:56.000000000 +0200 +++ iptables/ip6tables.c 2005-11-19 16:36:22.000000000 +0100 @@ -734,7 +734,7 @@ } #ifndef NO_SHARED_LIBS - if (!ptr && tryload != DONT_LOAD) { + if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) { char path[strlen(lib_dir) + sizeof("/libip6t_.so") + strlen(name)]; if (!icmphack) @@ -986,7 +986,7 @@ } #ifndef NO_SHARED_LIBS - if (!ptr && tryload != DONT_LOAD) { + if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) { char path[strlen(lib_dir) + sizeof("/libip6t_.so") + strlen(name)]; sprintf(path, "%s/libip6t_%s.so", lib_dir, name); @@ -1058,7 +1058,7 @@ exit(1); } - if (find_match(me->name, DONT_LOAD, NULL)) { + if (find_match(me->name, DURING_LOAD, NULL)) { fprintf(stderr, "%s: match `%s'' already registered.\n", program_name, me->name); exit(1);
@@ -1088,7 +1088,7 @@ exit(1); } - if (find_target(me->name, DONT_LOAD)) { + if (find_target(me->name, DURING_LOAD)) { fprintf(stderr, "%s: target `%s'' already registered.\n", program_name, me->name); exit(1); diff -r -u --new-file iptables-1.3.4/iptables.c iptables/iptables.c --- iptables-1.3.4/iptables.c 2005-11-19 16:26:12.000000000 +0100 +++ iptables/iptables.c 2005-11-19 16:34:17.000000000 +0100 @@ -710,7 +710,7 @@ } #ifndef NO_SHARED_LIBS - if (!ptr && tryload != DONT_LOAD) { + if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) { char path[strlen(lib_dir) + sizeof("/libipt_.so") + strlen(name)]; sprintf(path, "%s/libipt_%s.so", lib_dir, name); @@ -1021,7 +1021,7 @@ } #ifndef NO_SHARED_LIBS - if (!ptr && tryload != DONT_LOAD) { + if (!ptr && tryload != DONT_LOAD && tryload != DURING_LOAD) { char path[strlen(lib_dir) + sizeof("/libipt_.so") + strlen(name)]; sprintf(path, "%s/libipt_%s.so", lib_dir, name); @@ -1146,7 +1146,7 @@ exit(1); } - old = find_match(me->name, DONT_LOAD, NULL); + old = find_match(me->name, DURING_LOAD, NULL); if (old) { if (old->revision == me->revision) { fprintf(stderr, @@ -1202,7 +1202,7 @@ exit(1); } - old = find_target(me->name, DONT_LOAD); + old = find_target(me->name, DURING_LOAD); if (old) { struct iptables_target **i;
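Review bot: In the `enum ip6t_tryload` and `enum ipt_tryload` hunks, `DURING_LOAD` is inserted between `DONT_LOAD` and `TRY_LOAD` with no comment saying how it differs from `DONT_LOAD`, and the insertion shifts the numeric values of `TRY_LOAD` and `LOAD_MUST_SUCCEED`. Please add a one-line comment on the new enumerator (in this patch it is passed only from the register functions), and either append it after `LOAD_MUST_SUCCEED` or confirm that nothing built against the old header depends on the old values.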
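Review bot: The four `#ifndef NO_SHARED_LIBS` hunks (ip6tables.c @@ -734 and @@ -986, iptables.c @@ -710 and @@ -1021) make `DURING_LOAD` behave exactly like `DONT_LOAD` on the shared-library side, and no hunk changes a line on the static side of the lookup functions, so the fix for `NO_SHARED_LIBS=1` builds rests on code not shown here treating `DURING_LOAD` as "not `DONT_LOAD`". That dependency deserves a comment at the lookup functions and a sentence in the patch description, which currently has none beyond the Signed-off-by line. The repeated test `tryload != DONT_LOAD && tryload != DURING_LOAD` could also go into one small helper so the four copies cannot drift apart.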
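Review bot: In ip6tables.c the register hunks (@@ -1058 and @@ -1088) still treat any hit from `find_match`/`find_target` as fatal ("already registered", then `exit(1)`), while the iptables.c counterpart at @@ -1146 goes on to compare `old->revision == me->revision`. If `DURING_LOAD` lets the lookup return an entry that `DONT_LOAD` used to hide, a second revision registered under the same name would now abort ip6tables at startup; please confirm that no ip6tables extension registers more than one revision, or carry the revision comparison over to ip6tables.c.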
Hi Jones :)))

* Jones Desougi <jones@ingate.com> dixit:
> > That can't be the reason, all revisions of a single match/target
> > are in the same object file and the supported revision is
> > (supposed to be) probed.

They are not due to the DONT_LOAD usage ;)) The patch below is much better than the one I tested ;)))

> Try the patch below. (It's bug #413 in bugzilla)

Thanks a lot :)) I'll test it as soon as I can.

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | dervishd.net
pleyades.net & gotesdelluna.net
It's my PC and I'll cry if I want to...

Jones Desougi wrote:
>> That can't be the reason, all revisions of a single match/target are
>> in the same object file and the supported revision is (supposed to be)
>> probed. Salim, can you send a strace of the failing iptables command?
>
> The key being "supposed to be". :-)

I somehow expected something like this :)

> Try the patch below. (It's bug #413 in bugzilla)

This looks good, thanks. I'm going to apply it as soon as there is confirmation that it really fixes the problem people are seeing.

It worked when I changed to NO_SHARED_LIBS=0. Thanks guys. Will try out the patch today.

The command that was failing was a simple --set-mark. Let me know if anyone still wants an strace. Will send it.

----- Original Message -----
From: "Patrick McHardy" <kaber@trash.net>
To: "DervishD" <lartc@dervishd.net>
Cc: "Salim" <salim.si@askey.com.tw>; <lartc@mailman.ds9a.nl>; "Netfilter Development Mailinglist" <netfilter-devel@lists.netfilter.org>
Sent: Tuesday, December 13, 2005 8:01 PM
Subject: Re: [LARTC] MARK: targinfosize 8 != 4

> DervishD wrote:
> > Hi Salim :)
> >
> > * Salim <salim.si@askey.com.tw> dixit:
> >
> >> I got this problem while trying to shape traffic with iptables MARK and
> >> HTB.
> >>
> >> MARK: targinfosize 8 != 4
> >>
> >> --set-mark gives "invalid argument" error message.
> >>
> >> Kernel version is 2.4.29 (some patches from patch o matic applied)
> >> Iptables version 1.3.4
> >>
> >> Intel x86 architecture.
> >>
> >> I saw this problem discussed in a few places, but the discussions didn't
> >> come to a conclusion or solution.
> >
> > You've hit a bug in iptables :( I've notified in the bugzilla but
> > I have had no answers. You're building iptables with no shared
> > libraries (NO_SHARED_LIBS=1). This means that the code in iptables,
> > when loading the "modules" for the matches and targets is taking a
> > slightly different code path. The problem is that the MARK target
> > has two versions, 0 and 1, and kernel 2.4.x (at least until 31)
> > supports only version 0. If you don't use shared libraries in
> > iptables, both versions are loaded and v1 is used instead of v2.
> > Unfortunately, v1 has a bigger data structure than v0 and your kernel
> > complains.
>
> That can't be the reason, all revisions of a single match/target are
> in the same object file and the supported revision is (supposed to be)
> probed. Salim, can you send a strace of the failing iptables command?

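The size mismatch behind the `MARK: targinfosize 8 != 4` message discussed in this thread, as an added example that is not part of the original messages or of the iptables source: it models a revision-0-only kernel rejecting the larger revision-1 payload when userspace picks a revision without probing. The struct layouts (fixed-width fields standing in for 32-bit x86), `ALIGN4`, `registry`, `pick` and `kernel_accepts` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-width models of the two MARK payloads, so sizes match 32-bit x86
 * on any build host (assumption: the real fields are unsigned long + u8). */
struct mark_info_v0 { uint32_t mark; };
struct mark_info_v1 { uint32_t mark; uint8_t mode; };

#define ALIGN4(n) (((n) + 3u) & ~(size_t)3u) /* stand-in for IPT_ALIGN */

struct target_rev { const char *name; unsigned rev; size_t size; };

/* Constructed registry: both revisions present, as in a static build. */
static const struct target_rev registry[] = {
    { "MARK", 0, ALIGN4(sizeof(struct mark_info_v0)) },
    { "MARK", 1, ALIGN4(sizeof(struct mark_info_v1)) },
};

/* Model of a revision-0-only kernel: accept only the aligned v0 size. */
static int kernel_accepts(size_t targinfosize)
{
    size_t want = ALIGN4(sizeof(struct mark_info_v0));
    if (targinfosize != want) {
        fprintf(stderr, "MARK: targinfosize %zu != %zu\n", targinfosize, want);
        return 0; /* userspace reports this as "invalid argument" */
    }
    return 1;
}

/* Choose a revision. With probe != 0, take the highest revision the kernel
 * supports (kmax); with probe == 0, take the highest one registered. */
static const struct target_rev *pick(const char *name, unsigned kmax, int probe)
{
    const struct target_rev *best = NULL;
    for (size_t i = 0; i < sizeof(registry) / sizeof(registry[0]); i++) {
        const struct target_rev *t = &registry[i];
        if (strcmp(t->name, name) != 0 || (probe && t->rev > kmax))
            continue;
        if (!best || t->rev > best->rev)
            best = t;
    }
    return best;
}

int main(void)
{
    printf("unprobed: %d\n", kernel_accepts(pick("MARK", 0, 0)->size));
    printf("probed:   %d\n", kernel_accepts(pick("MARK", 0, 1)->size));
    return 0;
}
```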