Re: xtables use of NFPROTO_UNSPEC as wildcard incomplete :-(

Jan Engelhardt wrote:
> On Tuesday 2009-01-13 22:38, Christian von Roques wrote:
>> I have a production server where I had to replace a failed on-board
>> Ethernet port with a 3c905 requiring a very new kernel (due to a
>> regression in the 3c905 driver, which was just recently fixed).  This
>> server requires netfilter/xt_MARK.c for IPv4.  Unfortunately your
>> changes to make NFPROTO_UNSPEC act like a protocol wildcard seem
>> incomplete.  -j MARK does not work anymore.  Replacing NFPROTO_UNSPEC
>> with NFPROTO_IPV4 in xt_MARK.c fixed my problem, but obviously
>> disabled the MARK target for all other protocols (which I fortunately
>> don't need).
>>
>> Is this a known problem?
>> Are you able to reproduce the problem?
>> The simplest command which used to fail was:
>> iptables -t mangle -A OUTPUT -j MARK --set-mark 0x14
>
> This is probably the same as
> http://marc.info/?l=netfilter&m=123174116204956&w=2 and only
> manifests itself under the condition that kernel < 2.6.28 && iptables
> <= 1.4.0. Most people should-have (read it as a recommendation)
> upgraded their iptables long ago, really, since some distros just
> keep on shipping old stuff like almost forever.

I'm not sure what you mean, the problem that patch fixed affects
kernel == 2.6.28 and all iptables versions as long as you use
anything but revision 0.

Anyways, I'll send the patch to -stable shortly.