Ticket #515 (closed Bug report: fixed)

Opened 10 years ago

Last modified 9 years ago

Critical iptables failure with recent changes which put the node id in iptables

Reported by: andrewhodel@… Owned by: gbastien
Priority: blocker Milestone: Gateway 1.1.5
Component: Gateway Version: Gateway 20090925
Keywords: Cc:

Change History

Changed 10 years ago by jean-philippe.menil@…

I experiment the same issue with debian lenny. I've never seen this issue in etch.

uname: 2.6.26-1-amd64

iptables v1.4.1.1

Changed 10 years ago by jean-philippe.menil@…

Replying to jean-philippe.menil@univ-nantes.fr:

I experiment the same issue with debian lenny. I've never seen this issue in etch. uname: 2.6.26-1-amd64 iptables v1.4.1.1

Sorry for my quick reply. Your issue is about the chain name being too long. Mine is different:

[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -F WiFiDog_cr1_Trusted
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -F WiFiDog_cr1_Outgoing
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -F WiFiDog_cr1_Incoming
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -X WiFiDog_cr1_Trusted
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -X WiFiDog_cr1_Outgoing
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t mangle -X WiFiDog_cr1_Incoming
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -D PREROUTING 1
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_AuthServers
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_Outgoing
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_WIFI2Router
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_WIFI2Internet
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_Global
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -F WiFiDog_cr1_Unknown
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_AuthServers
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_Outgoing
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_WIFI2Router
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_WIFI2Internet
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_Global
[3][Wed Jan 7 20:44:55 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t nat -X WiFiDog_cr1_Unknown
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_WIFI2Internet
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_AuthServers
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Locked
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Global
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Validate
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Known
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -F WiFiDog_cr1_Unknown
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_WIFI2Internet
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_AuthServers
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Locked
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Global
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Validate
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Known
[3][Wed Jan 7 20:44:56 2009][601](fw_iptables.c:116) iptables comand failed(127): iptables -t filter -X WiFiDog_cr1_Unknown

Even so, all the rules are loaded. Strange...

  Changed 10 years ago by anonymous

This has been the case since rev 1375, with the addition of the id.

fw_iptables.h

/**Iptable table names used by WifiDog */
#define TABLE_WIFIDOG_OUTGOING "WiFiDog_$ID$_Outgoing"
#define TABLE_WIFIDOG_WIFI_TO_INTERNET "WiFiDog_$ID$_WIFI2Internet"
#define TABLE_WIFIDOG_WIFI_TO_ROUTER "WiFiDog_$ID$_WIFI2Router"
#define TABLE_WIFIDOG_INCOMING "WiFiDog_$ID$_Incoming"
#define TABLE_WIFIDOG_AUTHSERVERS "WiFiDog_$ID$_AuthServers"
#define TABLE_WIFIDOG_GLOBAL "WiFiDog_$ID$_Global"
#define TABLE_WIFIDOG_VALIDATE "WiFiDog_$ID$_Validate"
#define TABLE_WIFIDOG_KNOWN "WiFiDog_$ID$_Known"
#define TABLE_WIFIDOG_UNKNOWN "WiFiDog_$ID$_Unknown"
#define TABLE_WIFIDOG_LOCKED "WiFiDog_$ID$_Locked"
#define TABLE_WIFIDOG_TRUSTED "WiFiDog_$ID$_Trusted"
/*@}*/

  Changed 10 years ago by frank

hello

same issue with whiterussian

chain name 'WiFiDog_000000000000_WIFI2Internet' is too long (must be under 30 chars)

frank

  Changed 10 years ago by anonymous

hello,

Why not use GatewayInterface instead of GatewayID for the ID? That way the iptables chain name is necessarily shorter.

  Changed 10 years ago by tof@…

In fw_iptables.h, I replaced

#define TABLE_WIFIDOG_OUTGOING "WiFiDog_$ID$_Outgoing"
#define TABLE_WIFIDOG_WIFI_TO_INTERNET "WiFiDog_$ID$_WIFI2Internet"
#define TABLE_WIFIDOG_WIFI_TO_ROUTER "WiFiDog_$ID$_WIFI2Router"
#define TABLE_WIFIDOG_INCOMING "WiFiDog_$ID$_Incoming"
#define TABLE_WIFIDOG_AUTHSERVERS "WiFiDog_$ID$_AuthServers"
#define TABLE_WIFIDOG_GLOBAL "WiFiDog_$ID$_Global"
#define TABLE_WIFIDOG_VALIDATE "WiFiDog_$ID$_Validate"
#define TABLE_WIFIDOG_KNOWN "WiFiDog_$ID$_Known"
#define TABLE_WIFIDOG_UNKNOWN "WiFiDog_$ID$_Unknown"
#define TABLE_WIFIDOG_LOCKED "WiFiDog_$ID$_Locked"
#define TABLE_WIFIDOG_TRUSTED "WiFiDog_$ID$_Trusted"

with

#define TABLE_WIFIDOG_OUTGOING "Wdog_$ID$_Out"
#define TABLE_WIFIDOG_WIFI_TO_INTERNET "Wdog_$ID$_W2net"
#define TABLE_WIFIDOG_WIFI_TO_ROUTER "Wdog_$ID$_W2GW"
#define TABLE_WIFIDOG_INCOMING "Wdog_$ID$_In"
#define TABLE_WIFIDOG_AUTHSERVERS "Wdog_$ID$_AuthS"
#define TABLE_WIFIDOG_GLOBAL "Wdog_$ID$_Glob"
#define TABLE_WIFIDOG_VALIDATE "Wdog_$ID$_Valid"
#define TABLE_WIFIDOG_KNOWN "Wdog_$ID$_Known"
#define TABLE_WIFIDOG_UNKNOWN "Wdog_$ID$_Uknown"
#define TABLE_WIFIDOG_LOCKED "Wdog_$ID$_Locked"
#define TABLE_WIFIDOG_TRUSTED "Wdog_$ID$_Trusted"

and it seems to be better.

  Changed 10 years ago by artickl

The same problem - after changing fw_iptables.h, everything is fine )))

OS: debian lenny 2.6.26-2-686, iptables: v1.4.2

  Changed 10 years ago by benoitg

  • owner set to wichert@…
  • priority changed from high to blocker

  Changed 9 years ago by gbastien

For whiterussian and iptables v1.3.3, for some reason, the string must be even shorter to work with the actual name. The $ID$ part must be at most 6 chars or some --jump rule fails (even though it is under 30 chars).

On the auth server, $ID$ can be as long as 32 chars, so tof's solution would not work for all cases.

Wichert, do you think you can work on this before the end of September? Or give me a hint on what would be an acceptable solution and I could do it.

  Changed 9 years ago by gbastien

  • owner changed from wichert@… to gbastien

  Changed 9 years ago by gbastien

  • status changed from new to closed
  • resolution set to fixed

Replaced the gateway_id with the gateway_interface.

  Changed 9 years ago by jean-philippe.menil

I haven't tested so far, but I think it's not sufficient:
Before the patch, I had this:
(fw_iptables.c:116) iptables command failed(1): iptables -t mangle -F WiFiDog_default_Trusted
After the patch, I still get the error:
(fw_iptables.c:116) iptables command failed(1): iptables -t mangle -F WiFiDog_eth1_Trusted
And if, in fw_iptables.h, I replace, for example, WiFiDog_$ID$_Trusted with WD_$ID$_Trusted, I still get the same error:
(fw_iptables.c:116) iptables command failed(1): iptables -t mangle -F WD_eth1_Trusted

On another server, my gateway id is shorter than the name of the interface:
example: gateway id = AM
interface of the gateway = eth1.193

Maybe we can suppress the error message, because all the iptables rules are loaded correctly.

  Changed 9 years ago by gbastien

The iptables flushing (-F) errors are normal and will still be there (see #532, comment by herman).

The $ID$ part must be at most 8 characters for the largest iptables name to work. In your case, Jean-Philippe, I guess you never experienced that problem since both gw_id and gw_interface are small enough. When the $ID$ part was too long, the gateway wouldn't work at all because some iptables rules wouldn't load...

But you're right, I thought mostly of openwrt interfaces, which have small names, but if you can have an 8 char interface name, I guess someone can have more chars...

We could try to shorten the length of the rules, as tof suggested, AND ensure before replacing the $ID$ that it is short enough, AND shorten it if needed.
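One way to implement the check gbastien proposes (cap $ID$ before substituting it into the chain templates), as an added example in C that is not WifiDog's own code: the chain-name limit is taken from frank's error message above (names must be under 30 characters) and passed in as a parameter, and the id budget is derived from the longest template so that every chain of one gateway gets the same shortened id. For a 29-character limit the derived budget is 7, one less than gbastien's figure, since the exact limit depends on the iptables build.

```c
#include <stdio.h>
#include <string.h>

/* Limit from frank's error message above ("must be under 30 chars"): the longest
 * accepted name is 29 characters.  Older builds such as whiterussian's iptables
 * 1.3.3 are stricter, so callers pass the limit their own build enforces. */
#define ID_TOKEN "$ID$"

/* Chain templates as defined in fw_iptables.h on this page. */
static const char *const TEMPLATES[] = {
    "WiFiDog_$ID$_Outgoing", "WiFiDog_$ID$_WIFI2Internet", "WiFiDog_$ID$_WIFI2Router",
    "WiFiDog_$ID$_Incoming", "WiFiDog_$ID$_AuthServers", "WiFiDog_$ID$_Global",
    "WiFiDog_$ID$_Validate", "WiFiDog_$ID$_Known", "WiFiDog_$ID$_Unknown",
    "WiFiDog_$ID$_Locked", "WiFiDog_$ID$_Trusted",
};

/* Most id characters that keep *every* template within `limit`; derived from
 * the longest template so one gateway gets the same id in all of its chains. */
size_t id_budget(size_t limit)
{
    size_t longest = 0;
    for (size_t i = 0; i < sizeof TEMPLATES / sizeof *TEMPLATES; i++) {
        size_t fixed = strlen(TEMPLATES[i]) - strlen(ID_TOKEN);
        if (fixed > longest) longest = fixed;
    }
    return limit > longest ? limit - longest : 0;
}

/* Expand ID_TOKEN in `tmpl` with `id` cut down to the budget.  Returns the
 * resulting length, or -1 if the template has no token, the result would not
 * fit in `out`, or it would still exceed `limit` (no id fits at all). */
int build_chain(const char *tmpl, const char *id, size_t limit, char *out, size_t outsz)
{
    const char *at = strstr(tmpl, ID_TOKEN);
    if (at == NULL) return -1;
    size_t idlen = strlen(id), budget = id_budget(limit);
    if (idlen > budget) idlen = budget;   /* shorten the id, as proposed above */
    int n = snprintf(out, outsz, "%.*s%.*s%s", (int)(at - tmpl), tmpl,
                     (int)idlen, id, at + strlen(ID_TOKEN));
    if (n < 0 || (size_t)n >= outsz || (size_t)n > limit) return -1;
    return n;
}

/* Build into a scratch buffer and compare with the expected chain name. */
int chain_is(const char *tmpl, const char *id, size_t limit, const char *want)
{
    char buf[64];
    return build_chain(tmpl, id, limit, buf, sizeof buf) >= 0 && strcmp(buf, want) == 0;
}
```

Truncating the id can make two gateways collide (eth1.193 and eth1.192 both shorten to eth1.19), so a caller running several gateways on one host should check the shortened ids for uniqueness before creating chains.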

  Changed 9 years ago by jodoreps

  • version set to Gateway 20090925
  • description modified (diff)