On Tuesday 2011-04-12 23:03, Ed W wrote:

>However, to be clear - my problem is with xtables.c / xtables_insmod().
>This function is called multiple times (in 1.4.10) even doing a simple
>"iptables -h" on a kernel where there are no modules. I don't quite
>understand what *causes* that code to be called, my point is simply that
>it's called repeatedly (and needlessly) on each invocation of "iptables -h"

Then I suggest grabbing backtraces with gdb.

>It may well be the case that it's the kernel which is running the code
>in xtables.c.

No no no. Not unless you run a hack like Kernel Mode Linux, which I doubt
you do. Or do you? I have no idea what grsec put into their stuff, or
whether you have an authentic unpatched iptables program. It does not
look standard at all.

>chroot:quad iptables-1.4.10 # iptables -h
>FATAL: Could not load
>/lib/modules/2.6.36.2-grsec2.2.1-vs2.3.0.36.38.4/modules.dep: No such
>file or directory
>[repeated 21 times]
>...snip normal iptables help text...
>
>> echo '#!/bin/sh' >/tmp/modp
>> echo 'echo "$@" >>/tmp/modp.log' >>/tmp/modp
>> echo /tmp/modp >/proc/sys/kernel/modprobe
>> iptables-restore foo.txt
>
>OK, with the addition of a "chmod +x" I run the above and get
>(deliberately used non existent foo.txt):
>
>$ iptables-restore foo.txt
>Can't open foo.txt: No such file or directory
>$ cat /tmp/modp.log
>ip_tables -q
>-q -- ipt_SET
>-q -- ipt_SET
>-q -- ipt_set
>-q -- ipt_set

The trailing -q is a hint towards the call from iptables, whereas the
leading -q is kernel-invoked calls. Specifically, it seems that xt_set is
indeed not built-in, but a module.

>OK, I'm slightly unsure why there are fewer calls in that last time I
>did exactly this, but nonetheless we see a bunch of modprobe calls.
>strace also this code being called.

Please try with your real ruleset rather than foo.txt after clearing
modp.log.
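The distinction drawn above (a trailing "-q" marks a call made by iptables' own xtables_insmod(), a leading "-q --" marks a kernel-originated request_module() call) can be applied mechanically to the log produced by the /proc/sys/kernel/modprobe wrapper. The script below is an added example written for this page, not code from the thread or from the iptables project; it assumes those two argument shapes are the only ones that appear in the log, and it uses a constructed copy of the /tmp/modp.log contents shown in the message as sample input.

```sh
#!/bin/sh
# Added example, not part of the original thread: classify each line of a
# modprobe log captured through a /proc/sys/kernel/modprobe wrapper script
# into kernel-originated vs. userspace (iptables) module requests.
#
# Assumed argument shapes (as stated in the thread):
#   "-q -- <module>"  : kernel request_module() call
#   "<module> -q"     : userspace xtables_insmod() call
# Anything else is reported as "unknown" rather than guessed at.

# Constructed sample input mirroring the thread's /tmp/modp.log.
SAMPLE_LOG='ip_tables -q
-q -- ipt_SET
-q -- ipt_SET
-q -- ipt_set
-q -- ipt_set'

# classify_line LINE
# Prints "<origin> <module>" where origin is kernel, userspace or unknown.
classify_line() {
    case "$1" in
        "-q -- "*) printf 'kernel %s\n' "${1#-q -- }" ;;
        *" -q")    printf 'userspace %s\n' "${1% -q}" ;;
        *)         printf 'unknown %s\n' "$1" ;;
    esac
}

# summarize_log
# Reads a modprobe log on stdin and prints "<origin> <module> <count>",
# one line per distinct (origin, module) pair, so repeated probes of the
# same module (the thread's complaint) stand out immediately.
summarize_log() {
    while IFS= read -r line; do
        [ -n "$line" ] && classify_line "$line"
    done | sort | uniq -c | awk '{print $2, $3, $1}'
}

# count_kernel_requests
# Reads a modprobe log on stdin and prints the number of kernel-originated
# requests in it (a quick check for "is the kernel or iptables doing this?").
count_kernel_requests() {
    summarize_log | awk '$1 == "kernel" { n += $3 } END { print n + 0 }'
}

# Usage: run with --demo to summarize the embedded sample; otherwise feed a
# real log, e.g.  summarize_log < /tmp/modp.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
    printf 'kernel-originated requests: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | count_kernel_requests)"
fi
```

On the sample log this reports ipt_SET and ipt_set as kernel requests (two each) and ip_tables as the single userspace request, which is exactly the reading given in the message: the kernel is asking for the set-match modules, so xt_set is built as a module on that kernel. Feeding the log from a real ruleset run instead of the foo.txt run, as the message asks for, shows which side is responsible for the repeated probes.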