
Opened 10 years ago

Closed 8 years ago

Last modified 2 years ago

#988 closed defect (fixed)

iptables -m conntrack does not accept valid syntax. Shorewall declines to use conntrack

Reported by: Hugo.Mildenberger@… Owned by: florian
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version:
Keywords: iptables conntrack shorewall Cc:

Description

Shorewall declines to use conntrack because the following statements result in "iptables: Invalid argument".

    iptables -N fooX1234
    iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT 

The conntrack modules are installed.

"iptables -A fooX1234 -m conntrack --help" displays:

[...]
[!] --version   -V              print package version.

conntrack match v1.3.3 options:
 [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]
                                State(s) to match
 [!] --ctproto  proto           Protocol to match; by number or name, eg. `tcp'
     --ctorigsrc  [!] address[/mask]
                                Original source specification
     --ctorigdst  [!] address[/mask]
                                Original destination specification
     --ctreplsrc  [!] address[/mask]
                                Reply source specification
     --ctrepldst  [!] address[/mask]
                                Reply destination specification
 [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]
                                Status(es) to match
 [!] --ctexpire time[:time]     Match remaining lifetime in seconds against
                                value or range of values (inclusive)

The following modules are loaded:

Module                  Size  Used by    Tainted: P  
ipt_ULOG                3760   0 (unused)
ipt_TTL                  944   0 (unused)
ipt_ttl                  496   0 (unused)
ipt_TOS                  976   0 (unused)
ipt_tos                  304   0 (unused)
ipt_tcpmss               656   0 (unused)
ipt_REDIRECT             640   0 (unused)
ipt_recent              8208   0
ipt_pkttype              288   4
ipt_physdev              896   0
ipt_owner               1280   0
ipt_mac                  544   0 (unused)
ipt_limit                880  14
ipt_length               336   0
ipt_ipp2p               7320   0
ipt_helper               560   0 (unused)
ipt_esp                  464   0 (unused)
ipt_ECN                 1616   0 (unused)
ipt_ecn                  656   0 (unused)
ipt_DSCP                 960   0 (unused)
ipt_dscp                 304   0 (unused)
ipt_conntrack           1104   0
ipt_CONNMARK             816   0
ipt_connmark             352   0
ipt_CLASSIFY             704   0
ipt_ah                   464   0 (unused)
ip_nat_tftp             1824   0 (unused)
ip_conntrack_tftp       1728   1
ip_nat_snmp_basic       8912   0 (unused)
ip_nat_proto_gre        1536   0 (unused)
ip_conntrack_proto_gre    2440   0 (unused)
ip_conntrack_amanda     1232   0 (unused)
wlcompat               15520   0 (unused)
ppp_async               8108   0
ppp_generic            22868   0 [ppp_async]
slhc                    6352   0 [ppp_generic]
ipt_LOG                 3888  14
wl                    423640   0 (unused)
switch-adm              6196   0 (unused)
switch-core             4896   0 [switch-adm]
diag                   18176   0 (unused)

Attachments (1)

iptables_brcm_2.4.patch (307 bytes) - added by anonymous 8 years ago.
Fix/workaround for brcm-2.4


Change History (17)

comment:1 Changed 10 years ago by florian

  • Owner changed from developers to florian
  • Status changed from new to assigned

Confirmed, I will try to see what happens here.

comment:2 Changed 10 years ago by keitsi

I'm having a similar problem with RC6 on Asus WL-500gP.

Here's the command output from Ubuntu 6.06 computer:

 root@kdev32bit:~# modprobe ipt_limit
 root@kdev32bit:~# lsmod|grep ipt
 ipt_limit               3584  0
 ip_tables              23552  1 ipt_limit
 root@kdev32bit:~# iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
 root@kdev32bit:~#

And this happens on OpenWrt:

 root@kbox:~# insmod ipt_limit
 Using /lib/modules/2.4.30/ipt_limit.o
 insmod: A module named ipt_limit already exists
 root@kbox:~# lsmod
 Module                  Size  Used by    Tainted: P
 ipt_limit                880   0 (unused)
 ehci-hcd               20556   0 (unused)
 usbcore                74808   1 [ehci-hcd]
 ip_nat_tftp             1824   0 (unused)
 ip_conntrack_tftp       1728   1
 ip_nat_snmp_basic       8912   0 (unused)
 ip_nat_proto_gre        1536   0 (unused)
 ip_conntrack_proto_gre    2440   0 (unused)
 ip_conntrack_amanda     1232   0 (unused)
 tun                     4504   3
 wlcompat               15520   0 (unused)
 wl                    423640   0 (unused)
 switch-robo             4460   0 (unused)
 switch-core             4896   0 [switch-robo]
 diag                   18176   0 (unused)
 root@kbox:~# iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
 iptables v1.3.3: Couldn't load match `limit':File not found
 
 Try `iptables -h' or 'iptables --help' for more information.

comment:3 Changed 10 years ago by anonymous

Is there a fix/workaround for this? I really need a working conntrack/limit.

comment:4 Changed 10 years ago by florian

I cannot reproduce the bug with the limit target. Ensure you have installed kmod-ipt-extra and iptables-mod-extra.

comment:5 Changed 10 years ago by anonymous

I believe the problem is also related to this: "conntrack doesn't accept --ctstate syntax".
So I've tried `iptables -A smth -m conntrack --ctstate DNAT` -> Invalid syntax

comment:6 Changed 10 years ago by anonymous

Sorry, limit works for me, but not conntrack:

    root@OpenWrt:~# iptables -A INPUT -m conntrack --ctstate RELATED
    iptables: Invalid argument

Anything that I can do?

comment:7 Changed 10 years ago by vasquez

Problem still exists in 09test.

comment:8 Changed 9 years ago by nbd

  • Milestone changed from 0.9/rc6 to Kamikaze

comment:9 Changed 9 years ago by florian

  • Resolution set to fixed
  • Status changed from assigned to closed

Should be fixed now.

comment:10 Changed 9 years ago by weimaraner@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

KAMIKAZE (7.07):

    Linux OpenWrt 2.4.34 #13 Thu Jul 26 17:55:20 CEST 2007 mips unknown

    root@OpenWrt:~# iptables -t mangle -A PREROUTING -i eth0.1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    iptables: Invalid argument

The problem still exists on the 2.4 version of kmkz.

comment:11 follow-up: Changed 8 years ago by anonymous

still not fixed?

comment:12 in reply to: ↑ 11 Changed 8 years ago by anonymous

Replying to anonymous:

still not fixed?

Yes, problem is pending.

comment:13 Changed 8 years ago by anonymous

Hi there,

I encountered the same "BUG" and found a possible solution:

My buggy command was (private values made generic):

    ~# iptables -t mangle -A pre_inet_classify_p2p -m conntrack --ctorigsrc 192.168.0.0/24 -j CLASSIFY --set-class 4:1
    iptables: Invalid argument

After googling I looked at the dmesg output, which said:

    ip_tables: CLASSIFY target: bad hook_mask 1/28

With this message I found no resources on the internet, but grepping through the kernel sources brought up the following lines from "xt_CLASSIFY.c":

    if (hook_mask & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
                      (1 << NF_IP_POST_ROUTING))) {

So marking inside POSTROUTING chains solved my "BUG".

So my suggestion for you: look at what dmesg says and what rules the kernel code applies.
If you do not have any sources at hand, try looking at, e.g.:
http://www.linuxhq.com/kernel/v2.6/16/net/netfilter/xt_CLASSIFY.c
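The message in comment 13 is worth decoding rather than just working around, because the same pattern ("Invalid argument" from iptables, reason only in dmesg) applies to every match or target whose checkentry rejects a rule. The following is an added example, not code from the ticket, the attached patch or the OpenWrt tree: it reproduces the quoted CLASSIFY hook-mask test with the IPv4 netfilter hook numbers from linux/netfilter_ipv4.h, and parses the "bad hook_mask 1/28" line into chain names. The function names, the parser and the sample dmesg line are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* IPv4 netfilter hook numbers, as in linux/netfilter_ipv4.h (2.4 and 2.6). */
enum {
    NF_IP_PRE_ROUTING  = 0,
    NF_IP_LOCAL_IN     = 1,
    NF_IP_FORWARD      = 2,
    NF_IP_LOCAL_OUT    = 3,
    NF_IP_POST_ROUTING = 4,
    NF_IP_NUMHOOKS     = 5
};

/* iptables chain names for the built-in hooks, in hook order. */
static const char *const hook_names[NF_IP_NUMHOOKS] = {
    "PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"
};

/* The hooks the quoted xt_CLASSIFY checkentry condition allows (== 28). */
#define CLASSIFY_ALLOWED_HOOKS \
    ((1u << NF_IP_LOCAL_OUT) | (1u << NF_IP_FORWARD) | (1u << NF_IP_POST_ROUTING))

/* Same test as the quoted checkentry: 1 = accept, 0 = reject.  A reject
 * reaches userspace only as EINVAL ("iptables: Invalid argument"); the
 * reason is printed to the kernel log. */
int classify_hook_ok(unsigned int hook_mask)
{
    return (hook_mask & ~CLASSIFY_ALLOWED_HOOKS) == 0;
}

/* Render a hook mask as "FORWARD|OUTPUT|..."; returns the number of hooks set. */
int decode_hook_mask(unsigned int mask, char *buf, size_t len)
{
    int n = 0;
    int h;
    buf[0] = '\0';
    for (h = 0; h < NF_IP_NUMHOOKS; h++) {
        if (!(mask & (1u << h)))
            continue;
        if (n++)
            strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, hook_names[h], len - strlen(buf) - 1);
    }
    return n;
}

/* Convenience wrapper over decode_hook_mask using one static buffer
 * (only the most recent result is valid). */
const char *hook_mask_name(unsigned int mask)
{
    static char buf[80];
    decode_hook_mask(mask, buf, sizeof buf);
    return buf;
}

/* Parse "... bad hook_mask GOT/ALLOWED"; returns 1 on success. */
int parse_bad_hook_mask(const char *dmesg_line, unsigned int *got, unsigned int *allowed)
{
    static const char key[] = "bad hook_mask ";
    const char *p = strstr(dmesg_line, key);
    if (!p)
        return 0;
    return sscanf(p + strlen(key), "%u/%u", got, allowed) == 2;
}

/* The hooks the rule sits on that the target does not allow (GOT & ~ALLOWED),
 * or 0 when the line does not carry the message. */
unsigned int rejected_hooks(const char *dmesg_line)
{
    unsigned int got, allowed;
    if (!parse_bad_hook_mask(dmesg_line, &got, &allowed))
        return 0;
    return got & ~allowed;
}

int main(void)
{
    /* Constructed copy of the dmesg line quoted in comment 13. */
    const char *line = "ip_tables: CLASSIFY target: bad hook_mask 1/28";
    unsigned int got, allowed;
    char rule[80], bad[80], ok[80];

    if (!parse_bad_hook_mask(line, &got, &allowed))
        return 1;
    decode_hook_mask(got, rule, sizeof rule);
    decode_hook_mask(got & ~allowed, bad, sizeof bad);
    decode_hook_mask(allowed, ok, sizeof ok);
    printf("%s\n  rule hook(s): %s\n  not allowed here: %s\n  allowed: %s\n  checkentry accepts: %d\n",
           line, rule, bad, ok, classify_hook_ok(got));
    return 0;
}
```

Run against the quoted line it reports that the rule is on PREROUTING while CLASSIFY accepts only FORWARD, OUTPUT and POSTROUTING, which is exactly why moving the rule to POSTROUTING fixed it. The general lesson is the one the commenter gives: when iptables says only "Invalid argument", the kernel has already told dmesg why.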

comment:14 Changed 8 years ago by anonymous

The problem is a mismatch between the data structure in iptables and in the brcm-2.4 kernel (presumably an upstream bug). I'll attach a patch that fixes it for me, but probably breaks everything other than brcm-2.4. This patch should be applied to iptables in build_dir.

Changed 8 years ago by anonymous

Fix/workaround for brcm-2.4
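Comment 14 names the real cause: iptables and the brcm-2.4 kernel disagree on the layout of the match data, so the kernel's checkentry rejects the rule with EINVAL and iptables prints nothing more than "Invalid argument". The following is an added example, not code from the ticket, the attached patch, iptables or the kernel: it models the size comparison that 2.4 ip_tables match code performs (the size iptables sent versus IPT_ALIGN(sizeof) of the kernel's own info structure). The two structures are hypothetical stand-ins with invented field names; the ticket does not say which field actually differs, so the kernel side is modelled as having one extra 32-bit member.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* 2.4 ip_tables rounds match and target data up to 8 bytes (IPT_ALIGN). */
#define IPT_ALIGN(s) (((s) + 7u) & ~7u)

/* Hypothetical layout compiled into the iptables binary from its own
 * copy of the kernel headers (not the real struct ipt_conntrack_info). */
struct user_conntrack_info {
    uint32_t flags;
    uint32_t invflags;
    uint32_t origsrc, origdst;
    uint32_t origsrc_mask, origdst_mask;
};

/* Hypothetical layout in the patched brcm-2.4 kernel: one extra member
 * that the userspace header does not know about. */
struct kernel_conntrack_info {
    uint32_t flags;
    uint32_t invflags;
    uint32_t origsrc, origdst;
    uint32_t origsrc_mask, origdst_mask;
    uint32_t extra;
};

/* Userspace side: the match_size iptables computes from its header. */
unsigned int user_matchsize(void)
{
    return IPT_ALIGN(sizeof(struct user_conntrack_info));
}

/* Kernel side: the size the module's checkentry insists on. */
unsigned int kernel_matchsize(void)
{
    return IPT_ALIGN(sizeof(struct kernel_conntrack_info));
}

/* Model of the module's checkentry: 1 = accept, 0 = reject. */
int kernel_checkentry(unsigned int matchsize)
{
    return matchsize == kernel_matchsize();
}

/* Model of ip_tables' check_match: a rejected checkentry becomes -EINVAL,
 * which the setsockopt() in iptables reports as "Invalid argument". */
int load_rule(unsigned int matchsize)
{
    return kernel_checkentry(matchsize) ? 0 : -EINVAL;
}

int main(void)
{
    printf("iptables sends %u bytes, kernel expects %u bytes\n",
           user_matchsize(), kernel_matchsize());
    printf("unpatched iptables: %s\n",
           load_rule(user_matchsize()) == -EINVAL ? "Invalid argument" : "ok");
    printf("iptables rebuilt with the kernel's layout: %s\n",
           load_rule(kernel_matchsize()) == 0 ? "ok" : "Invalid argument");
    return 0;
}
```

This is also why the commenter warns that the patch "probably breaks everything other than brcm-2.4": it changes iptables' copy of the structure to match one kernel's layout, and any other kernel whose module still uses the original size will reject the same rule in the same way. The check is exact, so even a single extra field, after IPT_ALIGN rounding, is enough to make every rule using that match fail.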

comment:15 Changed 8 years ago by florian

  • Resolution set to fixed
  • Status changed from reopened to closed

Applied in [13235], sorry for the delay, and thanks!

comment:16 Changed 2 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
