netfilter buglog - Nov 2009 - [Bug 619] New: If /proc/sys/kernel/modprobe is absent, errno is clobbered in get_modprobe

http://bugzilla.netfilter.org/show_bug.cgi?id=619

           Summary: If /proc/sys/kernel/modprobe is absent, errno is
                    clobbered in get_modprobe
           Product: iptables
           Version: 1.3.5
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: iptables
        AssignedTo: laforge at netfilter.org
        ReportedBy: rbarnhardt at bluecatnetworks.com


In do_command(), if iptc_init() fails, it's expected that errno will be set
to
a useful value that is printed by xtables_error().

However, when iptc_init() fails for the first time, an attempt is made to load
the ip_tables module via xtables_load_ko(), which in turn calls
xtables_insmod(), which calls get_modprobe() to get the path of the binary from
the proc filesystem (if it wasn't explicitly specified with --modprobe).  To
that end, get_modprobe() attempts to open() /proc/sys/kernel/modprobe, which
may be absent (eg. if LKM support is not enabled).  In that case, the failed
open() will set errno to ENOENT, clobbering whatever value it may have held
from the first failed call to iptc_init().  

This will result in a confusing error being reported...

iptables vx.x.x: can't initialize iptables table 'filter': No
chain/target/match by that name

...when the original problem in iptc_init() may have been something else
entirely (eg. ENOMEM).


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.netfilter.org/show_bug.cgi?id=619





------- Comment #1 from rbarnhardt at bluecatnetworks.com  2009-11-09 17:17
-------
I think you can actually see this occurring as a side effect to this
fellow's
problem: <http://markmail.org/message/vctosd7srbeo4hgu>: presumably a
monolithic kernel, malloc() "fails" during iptc_init() (returns 0 for
a 0-byte
allocation), so the error should have been ENOMEM.  Instead, he received the
"no chain/target/match" message that I indicated earlier.

(I'm not suggesting the actual problem here had anything to do with this
bug; I
realise it didn't, I'm just referencing the error message.)


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.netfilter.org/show_bug.cgi?id=619


kaber at trash.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kaber at trash.net




------- Comment #2 from kaber at trash.net  2009-11-09 18:47 -------
I seem to be unable to reproduce this. Could you please test whether 1.4.5 is
still affected by this?

Thanks!


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.netfilter.org/show_bug.cgi?id=619


kaber at trash.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org       |kaber at trash.net




-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
You are the assignee for the bug, or are watching the assignee.