netfilter buglog - Apr 2006 - [Bug 467] iptables is complaining with bogus unknown error 18446744073709551615

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467





------- Additional Comments From mvolaski@aecom.yu.edu  2006-04-14 01:35 MET
-------
Examples of rules that give the error are

1) iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT
2) iptables -A INPUT -i bond0 -s 129.98.90.101/32 -p tcp --dport 497 -j ACCEPT
3) iptables -A INPUT -i bond0 -s 129.98.90.227/32 -p tcp --dport 22 -j ACCEPT

Example of a rule that does not give the error:
1) iptables -A INPUT -i bond0 -p ICMP --icmp-type echo-request -s 
129.98.90.13/32 -j ACCEPT

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467





------- Additional Comments From mvolaski@aecom.yu.edu  2006-04-14 01:36 MET
-------
Some more info, the buggy netfilter in 2.6.16.1 is also present in 2.6.17-rc1.

Here's tail end of output from strace on executing

iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT

in 2.6.17-rc1

open("/lib64/iptables/libipt_standard.so", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0
\4\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=3112, ...}) = 0
mmap(NULL, 1050528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x2ac9564a1000
mprotect(0x2ac9564a2000, 1044480, PROT_NONE) = 0
mmap(0x2ac9565a1000, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x2ac9565a1000
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
getsockopt(3, SOL_IP, 0x40 /* IP_??? */,
"filter\0\377\0\0\0\0\0\0\0\0(\235v\361\0\201\377\377\241"..., [84]) =
0
getsockopt(3, SOL_IP, 0x41 /* IP_??? */,
"filter\0\0\200\336(V\311*\0\0M\215@\0\0\0\0\0\1\0\0\0\0"..., [672]) =
0
setsockopt(3, SOL_IP, 0x40 /* IP_??? */,
"filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 928) = -1
ENOENT
(No such file or directory)
write(2, "iptables: Unknown error 18446744"..., 45iptables: Unknown
error
18446744073709551615
) = 45
exit_group(1)                           = ?

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467





------- Additional Comments From mvolaski@aecom.yu.edu  2006-04-21 08:13 MET
-------
Still broken in 2.6.17-rc2.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467





------- Additional Comments From kaber@trash.net  2006-04-21 08:18 MET -------
You seem to be missing CONFIG_NETFILTER_XTABLES_MATCH_TCPUDP. The bogus error
code is a different issue, apparently something is interpreting it as an
unsigned number.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467





------- Additional Comments From kaber@trash.net  2006-04-21 08:18 MET -------
You seem to be missing CONFIG_NETFILTER_XTABLES_MATCH_TCPUDP. The bogus error
code is a different issue, apparently something is interpreting it as an
unsigned number.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467





------- Additional Comments From mvolaski@aecom.yu.edu  2006-04-21 08:37 MET
-------
I am missing CONFIG_NETFILTER_XTABLES_MATCH_TCPUDP or was it accidently left out
of the kernel? 

Now added to the kernel bugzilla as
http://bugzilla.kernel.org/show_bug.cgi?id=6420

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467


laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From laforge@netfilter.org  2006-04-21 13:57 MET
-------
As you have discovered it yourself, it was neither left out nor anything else.

If you cannot find the reason why autoloading didn't work for you, please
reopen
this bug

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467


mvolaski@aecom.yu.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




------- Additional Comments From mvolaski@aecom.yu.edu  2006-04-21 17:14 MET
-------
A-ha. I knew there had to be something amiss but just apparently on my system.
xt_tcpudp should be loading automatically and if it had, you wouldn't be
bugged
with any of this.

So I'm on Gentoo it is configured to load a few netfilter modules
automatically.
These are
ip_tables
iptable_filter
ip_conntrack
ip_conntrack_ftp
ipt_LOG
ipt_state

And they do indeed load

It appears that
x_tables
nfnetlink
xt_state

load on their own or at least in response to some of the rules that are executed
at boot time.

Of course, xt_tcpudp does not.

modinfo says
filename:       /lib/modules/2.6.17-rc2/kernel/net/netfilter/xt_tcpudp.ko
alias:          ip6t_tcp
alias:          ip6t_udp
alias:          ipt_tcp
alias:          ipt_udp
alias:          xt_udp
alias:          xt_tcp
license:        GPL
description:    x_tables match for TCP and UDP, supports IPv4 and IPv6
depends:        x_tables
vermagic:       2.6.17-rc2 SMP mod_unload gcc-3.4

It does load when I do modprobe ipt_tcp, but not when I execute a command like 
iptables -A INPUT -i bond0 -s 129.98.90.0/24 -p tcp --dport 548 -j ACCEPT

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467


mvolaski@aecom.yu.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From mvolaski@aecom.yu.edu  2006-04-27 03:26 MET
-------
Automatic kernel module loading! That option had been off. It appears all this
happened because the kernel developers decided to make that an option and for it
to be off by default.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.