Hi, I have some questions. I hope somebody can help me, so I will be able to understand better how iptables, iproute and the modules in the kernel interact with each other.

I recently read a howto for QoS. So I installed a new Gentoo box with the vanilla-sources, kernel 2.6.9, and patched it with the qnet patchset for QoS and some other stuff. If you want to see the contents of the patches, they are at these URLs:

    http://galileo.econovoice.com/netfilter/patch-2.6.9-qnet1.bz2
    http://galileo.econovoice.com/netfilter/patch-2.6.9-ck3-server.bz2
    http://galileo.econovoice.com/netfilter/2.6.10-ipp2p_0.7.1.patch.bz2

The last patch (2.6.10-ipp2p_0.7.1.patch.bz2) was intended for kernel 2.6.10, but it seems that it worked fine for kernel 2.6.9.

Then I installed iptables with "emerge '=iptables-2.6.9-r4'", but I have an overlay in Gentoo (that means I modified the original ebuild) and I added the following patch to the sources of iptables:

    http://galileo.econovoice.com/netfilter/iptables_ipp2p-7.1.patch

The ebuild is here:

    http://galileo.econovoice.com/netfilter/iptables-1.2.9-r4.ebuild

The thing is, when I started the QoS script, which you can find here:

    http://galileo.econovoice.com/netfilter/qosadmin

it gave me errors when the script issued the following commands:

    /sbin/iptables -t mangle -A SHAPER-IN -p tcp -m connmark --mark 21 -j CONNMARK --restore-mark
    iptables: Invalid argument
    /sbin/iptables -t mangle -A SHAPER-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --set-mark 21
    iptables: Invalid argument
    /sbin/iptables -t mangle -A SHAPER-OUT -p tcp -m connmark --mark 29 -j CONNMARK --restore-mark
    iptables: Invalid argument
    /sbin/iptables -t mangle -A SHAPER-OUT -p tcp -m ipp2p --ipp2p -j CONNMARK --set-mark 29
    iptables: Invalid argument

After trying adding and deleting parameters I realized that the CONNMARK module was the problem.

So I googled around and found this:

    https://lists.netfilter.org/pipermail/netfilter/2004-March/051495.html

and yes, `dmesg` showed me 'CONNMARK: targinfosize 8 != 12', but when I tried to upgrade iptables it just showed me more errors :( so I went back to the 1.2.9 version.

I started to check some code in the patches and the kernel headers to see what the problem is with CONNMARK, and I must say that I'm not a C coder, so excuse me if what I have done is stupid :(

I opened the file '/usr/src/linux/net/ipv4/netfilter/ipt_CONNMARK.c' and realized that the error in dmesg originated in the function checkentry, line 82:

    struct ipt_connmark_target_info *matchinfo = targinfo;

    if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
        printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
               targinfosize,
               IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
        return 0;
    }

So I looked around and found this struct in the header '/usr/src/linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h':

    struct ipt_connmark_target_info {
        unsigned long mark;
        unsigned long mask;
        u_int8_t mode;
    };

Then I looked into the iptables source code and found the same header with the following struct:

    struct ipt_connmark_target_info {
        unsigned long mark;
        u_int8_t mode;
    };

It appears to be the same struct, but with a missing element. I just added the missing element (unsigned long mask) and the error disappeared.

So the questions: I'm not sure if it will work, I need to test it, but I would like to know if you think there could be problems with this? I will appreciate any reference or guideline to understand better how the code in iptables interacts with the kernel modules.

Best regards

--
"Its name is GNU/Linux, not just Linux; more info at http://www.gnu.org"
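To make the size check in checkentry() and the reason it exists concrete, here is an added example; it is not code from the poster, from the netfilter kernel sources or from iptables. It mirrors the two struct layouts quoted in the message, with uint32_t standing in for unsigned long (an assumption chosen so that the sizes come out as the 8 and 12 bytes in the poster's dmesg line, i.e. as on a 32-bit kernel, whatever host this runs on), uses a simplified stand-in for the kernel's IPT_ALIGN macro (also an assumption), and shows what the kernel would read if the size check did not exist and an old-layout buffer were interpreted with the newer layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the poster's code and not netfilter/iptables code.
 * uint32_t replaces unsigned long (assumption) so the sizes match the
 * 32-bit case from the message: 8 bytes for the old iptables layout,
 * 12 bytes for the kernel layout. */

/* Layout declared by the 2.6.9 kernel header ipt_CONNMARK.h. */
struct kernel_connmark_target_info {
    uint32_t mark;
    uint32_t mask;
    uint8_t  mode;
};

/* Layout in the iptables 1.2.9 copy of the header: the mask field is absent. */
struct old_userspace_connmark_target_info {
    uint32_t mark;
    uint8_t  mode;
};

/* Simplified stand-in for the kernel's IPT_ALIGN macro (assumption: round up
 * to 4 bytes, as on 32-bit x86; the real macro uses __alignof__(struct ipt_entry)). */
#define SIM_ALIGN 4u
#define IPT_ALIGN_SIM(s) (((s) + SIM_ALIGN - 1) & ~(SIM_ALIGN - 1))

/* Size the old iptables binary sends along with a CONNMARK rule. */
size_t old_userspace_targinfo_size(void)
{
    return IPT_ALIGN_SIM(sizeof(struct old_userspace_connmark_target_info));
}

/* Size the kernel module expects for the same rule. */
size_t kernel_targinfo_size(void)
{
    return IPT_ALIGN_SIM(sizeof(struct kernel_connmark_target_info));
}

/* Mirrors the test in checkentry(): returns 1 if the size sent with the rule
 * matches what the module expects, otherwise 0 (the kernel then rejects the
 * rule, which the iptables binary reports as "Invalid argument"). */
int connmark_checkentry_size_ok(size_t targinfosize)
{
    size_t expected = kernel_targinfo_size();
    if (targinfosize != expected) {
        fprintf(stderr, "CONNMARK: targinfosize %zu != %zu\n", targinfosize, expected);
        return 0;
    }
    return 1;
}

/* Why the check matters: if the kernel read an old-layout buffer with its own
 * layout, the byte userspace stored as 'mode' (offset 4) would land in the
 * low byte of 'mask', and the kernel's 'mode' (offset 8) would read whatever
 * followed the 8-byte buffer. Returns what the kernel would see for an
 * old-layout rule carrying the given mode and a constructed mark of 21. */
struct kernel_connmark_target_info kernel_view_of_old_layout(uint8_t mode)
{
    unsigned char buf[sizeof(struct kernel_connmark_target_info)];
    struct old_userspace_connmark_target_info u;
    struct kernel_connmark_target_info k;

    memset(&u, 0, sizeof u);   /* zero the padding bytes too, for a deterministic result */
    u.mark = 21;
    u.mode = mode;
    memset(buf, 0, sizeof buf);
    memcpy(buf, &u, sizeof u); /* only the first 8 of the 12 bytes carry data */
    memcpy(&k, buf, sizeof k);
    return k;
}

int main(void)
{
    struct kernel_connmark_target_info k = kernel_view_of_old_layout(2);

    printf("old iptables layout: %zu bytes, kernel layout: %zu bytes\n",
           old_userspace_targinfo_size(), kernel_targinfo_size());
    printf("checkentry accepts old size: %d, patched size: %d\n",
           connmark_checkentry_size_ok(old_userspace_targinfo_size()),
           connmark_checkentry_size_ok(kernel_targinfo_size()));
    printf("old-layout rule (mode=2) as the kernel would read it: "
           "mark=%u mask=0x%x mode=%u\n",
           (unsigned)k.mark, (unsigned)k.mask, (unsigned)k.mode);
    return 0;
}
```

Build with `cc -Wall -o connmark_sizes connmark_sizes.c && ./connmark_sizes`. The first two lines of output reproduce the 8 != 12 mismatch and show that only the layout with the mask field passes the check; the third shows that without the check the kernel would not just ignore the missing field but read the wrong bytes as mask and mode. That is why the check rejects the rule outright, and why the userspace header has to match the struct compiled into the running kernel's module field for field, not just in size.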