Thread: 80 messages, 6 authors, 2005-03-28

Re: iptables breakage WAS(Re: dummy as IMQ replacement

From: Andy Furniss <hidden>
Date: 2005-03-22 21:09:44

jamal wrote:
> Andy,
> Thanks for all your efforts.
> I will be back on my regular setup by tomorrow evening and should be
> able to hopefully test this. I am going to try:
>
> - latest iproute2 with 1.3.x ipt changes
> - I am just gonna jump to iptables 1.3.x - we are going to ignore 1.2.11
> and below
> - kernel 2.6.11.5 patches with stats
>
> Issues seen so far - the following don't work:
>
> a) tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 \
> match u32 0 0 flowid 1:1 action ipt -j MARK --set-mark
> [Actually did you test this?]

Not without the 1 - If I do I get

++ /usr/sbin/tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 
match u32 0 0 flowid 1:1 action ipt -j MARK --set-mark
ipt: option `--set-mark' requires an argument
tablename: mangle hook: NF_IP_PRE_ROUTING
         target: MARK set 0x0  index 0
RTNETLINK answers: Invalid argument
We have an error talking to the kernel

With the one -

++ /usr/sbin/tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 
match u32 0 0 flowid 1:1 action ipt -j MARK --set-mark 1
tablename: mangle hook: NF_IP_PRE_ROUTING
         target: MARK set 0x1  index 0
RTNETLINK answers: Invalid argument
We have an error talking to the kernel

> b) above with mirred as the next action fails in user space

Yes -

++ /usr/sbin/tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 
match u32 0 0 flowid 1:1 action ipt -j MARK --set-mark 1 action mirred 
egress redirect dev dummy0
tablename: mangle hook: NF_IP_PRE_ROUTING
         target: MARK set 0x1  index 0
bad action type mirred
Usage: ... gact <ACTION> [RAND] [INDEX]
Where: ACTION := reclassify | drop | continue | pass RAND := random 
<RANDTYPE> <ACTION> <VAL>RANDTYPE := netrand | determVAL : = value not 
exceeding 10000INDEX := index value used
bad action parsing
parse_action: bad value (5:mirred)!
Illegal "action"

I notice if I grep iproute for "bad action type" it's in m_gact.c which 
does not contain the word mirred to test at all.

> c) a) with a simple "action ok" is also rejected by the kernel
> with "Invalid argument"

Yes.

> Did I miss anything else?

Don't think so - I can get a and c to work with older iptables and headers.

Andy.