Re: Netfilter API and libiptc


 



On Mon, Feb 09, 2009 at 06:10:03PM +0100, thus spake Patrick McHardy:
> Ignacy Gawedzki wrote:
>> Hi everybody,
>>
>> I'm currently working on a project that relies on manipulation of iptables in
>> order to perform fine data packet accounting.  This manipulation is performed
>> dynamically, so the code initially used libiptc.
>>
>> Since iptables 1.4.0, libiptc is not distributed anymore, so I resolved to
>> incorporate the code into our own source distribution, just as people from
>> collectd seemingly did.  All seemed to work well until yesterday, when we
>> eventually pinpointed our calls to the (internal) libiptc as a cause of a
>> kernel freeze.  It only happened on a generic Ubuntu Hardy kernel
>> (2.6.24-22-generic) on one particular laptop (I didn't succeed in reproducing
>> the freeze on other hardware with the same distribution).  I suppose it has
>> something to do with the change of the format of data flowing to kernelspace
>> (iptables 1.3.8 came distributed on that freezing machine), could anyone here
>> confirm that this is possible indeed?
>
> It should never crash the kernel, and the ABI is supposed to be
> compatible.

Good to know, thanks.

>
>>
>> Now my question is: how are we supposed to proceed from now on in order to
>> manipulate iptables?  I read about libxtables and the corresponding libxtc.h
>> (though these are not yet packaged in the current Ubuntu Intrepid), but it's
>> not clear to me how the communication with the kernel is actually to be done.
>>
>> Thanks for any information that could help me make this work properly.
>
> Hard to tell without seeing the exact crash you're getting.

As far as I know, the crash is a complete freeze.  I don't know whether there
are any console messages to recover (using netconsole for instance).

My question was not about how to prevent the machine from crashing, but rather
how are we supposed to manipulate iptables, now that libiptc is not available.

As for the kernel crash itself, it is right now pretty difficult for me to
analyze, since I don't have the machine at hand and the person using it is too
busy at the moment.  So maybe I'll be able to take a look at some later time.

Thanks for your reply.

-- 
:wq!