Critical iptables failure with recent changes which put the node id in iptables

[andrewhodel@…]

[3][Sun Jan 4 03:14:18 2009][1744](fw_iptables.c:116) iptables comand failed(2): iptables -t nat -A WiFiDog_00156DA6E1CA_Unknown -j WiFiDog_00156DA6E1CA_AuthServers iptables v1.4.1.1: chain name `WiFiDog_00156DA6E1CA_WIFI2Internet' too long (must be under 30 chars)

wifidog -f

svn trunk build of openwrt with svn dist build of wifidog

Unfortunately, the 1.1.5 version which comes with openwrt works but forces users to relogin after the client timeout regardless of ping replies, traffic, or dhcp updates.

[jean-philippe.menil@…]

I experiment the same issue with debian lenny. I've never seen this issue in etch.

uname: 2.6.26-1-amd64

iptables v1.4.1.1

[jean-philippe.menil@…]

Replying to jean-philippe.menil@univ-nantes.fr:

I experiment the same issue with debian lenny. I've never seen this issue in etch. uname: 2.6.26-1-amd64 iptables v1.4.1.1

Sorry for my quick reply. Your issue is for the too longer name of the chain. Mine is different: [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -F WiFiDog_cr1_Trusted [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -F WiFiDog_cr1_Outgoing [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -F WiFiDog_cr1_Incoming [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -X WiFiDog_cr1_Trusted [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -X WiFiDog_cr1_Outgoing [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -X WiFiDog_cr1_Incoming [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -D PREROUTING 1 [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_AuthServers [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_Outgoing [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_WIFI2Router [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_WIFI2Internet [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_Global [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_Unknown [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_AuthServers [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_Outgoing [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_WIFI2Router [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_WIFI2Internet [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_Global [3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_Unknown [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_WIFI2Internet [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_AuthServers [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Locked [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Global [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Validate [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Known [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Unknown [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_WIFI2Internet [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_AuthServers [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Locked [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Global [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Validate [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Known [3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Unknown

Even, all the rules are loaded. Strnage...

[anonymous]

This is the case since rev 1375 with the addition of id

fw_iptables.h

33/**Iptable table names used by WifiDog? */ 34 #define TABLE_WIFIDOG_OUTGOING "WiFiDog_$ID$_Outgoing" 35 #define TABLE_WIFIDOG_WIFI_TO_INTERNET "WiFiDog_$ID$_WIFI2Internet" 36 #define TABLE_WIFIDOG_WIFI_TO_ROUTER "WiFiDog_$ID$_WIFI2Router" 37 #define TABLE_WIFIDOG_INCOMING "WiFiDog_$ID$_Incoming" 38 #define TABLE_WIFIDOG_AUTHSERVERS "WiFiDog_$ID$_AuthServers" 39 #define TABLE_WIFIDOG_GLOBAL "WiFiDog_$ID$_Global" 40 #define TABLE_WIFIDOG_VALIDATE "WiFiDog_$ID$_Validate" 41 #define TABLE_WIFIDOG_KNOWN "WiFiDog_$ID$_Known" 42 #define TABLE_WIFIDOG_UNKNOWN "WiFiDog_$ID$_Unknown" 43 #define TABLE_WIFIDOG_LOCKED "WiFiDog_$ID$_Locked" 44 #define TABLE_WIFIDOG_TRUSTED "WiFiDog_$ID$_Trusted" 45 /*@}*/

[frank]

hello

same issue with whiterussian

chain name 'WiFiDog_000000000000_WIFI2Internet' is too long (must be under 30 chars)

frank

[anonymous]

hello,

Why not use GatewayInterface? instead of GatewayID for ID? In this way the chain iptables is necessarily shorter.

[tof@…]

In fw_iptables.h , I replaced

#define TABLE_WIFIDOG_OUTGOING "WiFiDog_$ID$_Outgoing" #define TABLE_WIFIDOG_WIFI_TO_INTERNET "WiFiDog_$ID$_WIFI2Internet" #define TABLE_WIFIDOG_WIFI_TO_ROUTER "WiFiDog_$ID$_WIFI2Router" #define TABLE_WIFIDOG_INCOMING "WiFiDog_$ID$_Incoming" #define TABLE_WIFIDOG_AUTHSERVERS "WiFiDog_$ID$_AuthServers" #define TABLE_WIFIDOG_GLOBAL "WiFiDog_$ID$_Global" #define TABLE_WIFIDOG_VALIDATE "WiFiDog_$ID$_Validate" #define TABLE_WIFIDOG_KNOWN "WiFiDog_$ID$_Known" #define TABLE_WIFIDOG_UNKNOWN "WiFiDog_$ID$_Unknown" #define TABLE_WIFIDOG_LOCKED "WiFiDog_$ID$_Locked" #define TABLE_WIFIDOG_TRUSTED "WiFiDog_$ID$_Trusted"

by #define TABLE_WIFIDOG_OUTGOING "Wdog_$ID$_Out" #define TABLE_WIFIDOG_WIFI_TO_INTERNET "Wdog_$ID$_W2net" #define TABLE_WIFIDOG_WIFI_TO_ROUTER "Wdog_$ID$_W2GW" #define TABLE_WIFIDOG_INCOMING "Wdog_$ID$_In" #define TABLE_WIFIDOG_AUTHSERVERS "Wdog_$ID$_AuthS" #define TABLE_WIFIDOG_GLOBAL "Wdog_$ID$_Glob" #define TABLE_WIFIDOG_VALIDATE "Wdog_$ID$_Valid" #define TABLE_WIFIDOG_KNOWN "Wdog_$ID$_Known" #define TABLE_WIFIDOG_UNKNOWN "Wdog_$ID$_Uknown" #define TABLE_WIFIDOG_LOCKED "Wdog_$ID$_Locked" #define TABLE_WIFIDOG_TRUSTED "Wdog_$ID$_Trusted"

and it seems to be better

[artickl]

The same problem - after change fw_iptables.h, everything is fine )))

OS: debian lenny 2.6.26-2-686 iptables: v1.4.2

[gbastien]

For whiterussian and iptables v1.3.3, for some reason, the string must be even shorter to work with the actual name. The $ID$ part must be at most 6 char or some --jump rule fails (even though it is under 30 chars)

On the auth server, $ID$ can be as long as 32 char so tof solution would not work for all cases.

Wichert, do you think you can work on this before the end of september? Or give me a hint on what would be an acceptable solution and I could do it.

[gbastien]

replaced the gateway_id by the gateway_interface

[jean-philippe.menil]

I haven't test so far, but i think, it's not sufficient:
before the patch, i haved that:
(fw_iptables.c:116) iptables command failed(1): iptables -t mangle -F WiFiDog_default_Trusted
After, the patch, i've always the error:
(fw_iptables.c:116) iptables command failed(1): iptables -t mangle -F WiFiDog_eth1_Trusted
And if, in fw_iptables.h, i replace, for example, WiFiDog_$ID$_Trusted by WD_$ID$_Trusted, i've always the same error:
(fw_iptables.c:116) iptables command failed(1): iptables -t mangle -F WD_eth1_Trusted

In an other server, my gateway id, is shorter than the name of the interface:
example: gateway id = AM
interface of the gateway = eth1.193

Maybe can we suppress the error message, because all the iptables rules are loaded correctly.

[gbastien]

The iptables flushing (-F) errors are normal and will still be there (see #532 comment by herman)

The $ID$ part must be at most 8 characters for the largest iptables name to work. In your case Jean-Philippe, I guess you never experienced that problem since both gw_id and gw_interface are small enough. When the $ID$ part was too long, the gateway wouldn't work at all because some iptables wouldn't load...

But you're right, I thought mostly of openwrt interfaces which have small names but if you can have a 8 char interface name, I guess someone can have more chars...

We could try to shorten the length of the rules, as tof suggested AND ensure before replacing the $ID$ that it is short enough AND shorten it if needed