> Just to clarify: does the problem happen when you have the MARK rule
> above in a user-defined chain that has more than one jump leading to
> it or does it also happen in other cases?

=> I triggered the bug with a real world example:
 - first add a rule with a MARK target using a set mark with the
   first/sign bit set to one. This target is coded with this mark
   put at the same place as the verdict field of standard targets.
   (note this should be triggered by a lot of targets but I got it
   with MARK)
 - try to add another rule (with -A or -I but this works too with
   restore, the idea is to get a replace ioctl with an illegal value
   in a verdict position).
 - if you are (un?)lucky you get the ELOOP error.

If you read my proposed fix the problem is pretty easy to understand.
I asked diff to give enough context for a human (i.e., more than needed
to apply it as a patch).

Thanks

Francis_Dupont@xxxxxxx

PS: I really need a bug-ticket-etc number because some business is
implied (BTW IMHO you prefer to get the report once and by the most
direct path, don't you?)

PPS: here I've cut & paste the config I used to track the bug:

-------------------------------- save file --------------------------------
# Generated by iptables-save v1.4.2 on Tue Mar 24 18:54:43 2009
*filter
:INPUT ACCEPT [11843:1222672]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7216:1221713]
COMMIT
# Completed on Tue Mar 24 18:54:43 2009
# Generated by iptables-save v1.4.2 on Tue Mar 24 18:54:43 2009
*mangle
:PREROUTING ACCEPT [1209557:93278988]
:INPUT ACCEPT [1209182:93208843]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [668677:2806960697]
:POSTROUTING ACCEPT [668677:2806960697]
:MARKOUT1 - [0:0]
-A PREROUTING -d 10.0.200.2/32 -p tcp -m tcp --dport 5001 -j MARKOUT1
-A MARKOUT1 -j MARK --set-xmark 0x80000001/0xffffffff
-A MARKOUT1 -j CONNMARK --save-mark --nfmask 0x3fffffff --ctmask 0x3fffffff
-A MARKOUT1 -j ACCEPT
COMMIT
# Completed on Tue Mar 24 18:54:43 2009
-------------------------------- cut here --------------------------------

I got the bug with the UDP counterpart:

iptables -t mangle -A PREROUTING -d 10.0.200.2/32 -p udp --dport 5001 \
	-j MARKOUT1
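
A check for the trigger condition described in the message (a MARK rule whose mark has the sign bit set), as an added example that is not part of the original mail or of the proposed patch: it scans iptables-save text and lists such rules so an administrator can see whether a ruleset is exposed to the spurious ELOOP. The function name `find_sign_bit_marks` and the sample ruleset are constructed for illustration, and the check also covers `--set-mark`, which the message does not use.

```python
import shlex

SIGN_BIT = 0x80000000  # bit 31: read as a signed 32-bit verdict, the value is negative

# Constructed sample in iptables-save format, modelled on the ruleset in the message.
SAMPLE_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:MARKOUT1 - [0:0]
:MARKOUT2 - [0:0]
-A PREROUTING -d 10.0.200.2/32 -p tcp -m tcp --dport 5001 -j MARKOUT1
-A MARKOUT1 -j MARK --set-xmark 0x80000001/0xffffffff
-A MARKOUT1 -j CONNMARK --save-mark --nfmask 0x3fffffff --ctmask 0x3fffffff
-A MARKOUT2 -j MARK --set-mark 0x7fffffff
-A MARKOUT2 -j MARK --set-mark 2147483649
COMMIT
"""


def find_sign_bit_marks(save_text):
    """Return (table, chain, mark) for each MARK rule whose mark has bit 31 set."""
    hits = []
    table = None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # "*mangle" opens the mangle table
            continue
        if not line.startswith("-A "):
            continue                  # comments, chain declarations, COMMIT
        args = shlex.split(line)
        chain = args[1]
        try:
            target = args[args.index("-j") + 1]
        except (ValueError, IndexError):
            continue                  # rule without a jump target
        if target != "MARK":
            continue                  # CONNMARK and chain jumps are not checked
        for opt in ("--set-xmark", "--set-mark"):
            if opt in args and args.index(opt) + 1 < len(args):
                value = args[args.index(opt) + 1].split("/")[0]  # drop "/mask"
                mark = int(value, 0)  # hex (as iptables-save prints) or decimal
                if mark & SIGN_BIT:
                    hits.append((table, chain, mark))
    return hits


if __name__ == "__main__":
    for table, chain, mark in find_sign_bit_marks(SAMPLE_SAVE):
        print(f"{table}/{chain}: MARK value {mark:#010x} has the sign bit set")
```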