On Friday 03 October 2003 19:22, Tom Eastep wrote:
> On Fri, 2003-10-03 at 05:46, Duncan Sands wrote:
> > translate_table: size 1112
> > Finished chain 0
> > Finished chain 3
> > Finished chain 4
> > find_inlist: loading `ipt_MASQUERADE'.
> > masquerade_check: size 24 != 20.
> > ip_tables: check failed for `MASQUERADE'.
> >
> > The check in question is:
> >
> >         if (targinfosize != IPT_ALIGN(sizeof(*mr))) {
> >                 DEBUGP("masquerade_check: size %u != %u.\n",
> >                        targinfosize, sizeof(*mr));
> >                 return 0;
> >         }
>
> Are you applying any updates from Patch-O-Matic?

OK, it was a gentoo problem: they patched ip_conntrack_tuple.h and changed it from:

union ip_conntrack_manip_proto
{
        /* Add other protocols here. */
        u_int16_t all;

        struct {
                u_int16_t port;
        } tcp;
        struct {
                u_int16_t port;
        } udp;
        struct {
                u_int16_t id;
        } icmp;
};

to

union ip_conntrack_manip_proto
{
        /* Add other protocols here. */
        u_int32_t all;

        struct {
                u_int16_t port;
        } tcp;
        struct {
                u_int16_t port;
        } udp;
        struct {
                u_int16_t id;
        } icmp;
        struct {
                u_int32_t key;
        } gre;
};

i.e. two bytes bigger. Since ip_nat_multi_range includes an ip_nat_range, and ip_nat_range uses two ip_conntrack_manip_proto, this led to a size increase of 4 bytes. The gentoo iptables is compiled using the gentoo kernel headers, so it is using this larger structure, and thus doesn't work with vanilla kernels.

Sorry to have wasted your time,

Duncan.
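The size mismatch described in the thread, as an added C example that is not from the thread, iptables or the kernel: both versions of the union are laid out inside the 2.4-era ip_nat_range/ip_nat_multi_range that embed them, and the same comparison the kernel's masquerade_check performs is run against the resulting sizes. The 4-byte IPT_ALIGN is an assumption matching i386 (the kernel printed 20, which 8-byte rounding would have turned into 24), and the `_vanilla`/`_patched` suffixes and the two `*_targinfosize` helpers are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Vanilla 2.4 header: "all" is 16 bits, so the union is 2 bytes. */
union manip_proto_vanilla {
    uint16_t all;
    struct { uint16_t port; } tcp;
    struct { uint16_t port; } udp;
    struct { uint16_t id; } icmp;
};
/* Gentoo-patched header: 32-bit "all" plus the GRE key make it 4 bytes. */
union manip_proto_patched {
    uint32_t all;
    struct { uint16_t port; } tcp;
    struct { uint16_t port; } udp;
    struct { uint16_t id; } icmp;
    struct { uint32_t key; } gre;
};
/* ip_nat_range embeds two manip unions (min, max), so each byte the union
 * grows costs two bytes here; ip_nat_multi_range wraps a single range. */
#define DEFINE_NAT_STRUCTS(suffix, manip_t)           \
    struct ip_nat_range_##suffix {                    \
        unsigned int flags;                           \
        uint32_t min_ip, max_ip;                      \
        manip_t min, max;                             \
    };                                                \
    struct ip_nat_multi_range_##suffix {              \
        unsigned int rangesize;                       \
        struct ip_nat_range_##suffix range[1];        \
    };
DEFINE_NAT_STRUCTS(vanilla, union manip_proto_vanilla)
DEFINE_NAT_STRUCTS(patched, union manip_proto_patched)

/* Assumed: struct ipt_entry is 4-byte aligned (i386); an 8-byte IPT_ALIGN
 * would have made the kernel print 24 for its own struct, not 20. */
#define IPT_ALIGN(s) (((s) + 3u) & ~3u)

/* Size a vanilla kernel expects, and size Gentoo's iptables actually sends. */
unsigned int vanilla_targinfosize(void) { return IPT_ALIGN(sizeof(struct ip_nat_multi_range_vanilla)); }
unsigned int patched_targinfosize(void) { return IPT_ALIGN(sizeof(struct ip_nat_multi_range_patched)); }

/* Same comparison as the kernel's masquerade_check: the targinfosize that
 * userspace supplies must equal the kernel's own aligned struct size exactly,
 * otherwise the MASQUERADE rule is rejected at rule-load time. */
int masquerade_check(unsigned int targinfosize)
{
    if (targinfosize != vanilla_targinfosize()) {
        printf("masquerade_check: size %u != %u.\n", targinfosize, vanilla_targinfosize());
        return 0;
    }
    return 1;
}
```

Calling `masquerade_check(patched_targinfosize())` reproduces the "size 24 != 20" line from the log; a userspace iptables and kernel built from the same headers agree on 20 and pass.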