Comments:
<0> iptables -t nat -A OUTPUT -d ordbogen.com -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080 <- this rule only seems to affect the machine it's entered on, and not the clients using it for NAT, ideas?
<1> Riis: FORWARD is your friend (and this is a #iptables question)
<0> Regit: oh, i forgot we had an #iptables, thanks :)
<2> gug
<3> gug
<2> hello
<4> apparently f-secure antivirus / firewall thingy for linux uses iptables as firewall instead of inventing the wheel again
<5> a
<5> gandalf: good to know
<2> hi LaF0rge, Gandalf_
<4> hi LaF0rge, Hidden, Octavian
<4> LaF0rge: but I don't know how it manages the rules, but apparently it monitors the rules, so if you insert your own rules it deletes them within a few seconds
<6> ip_tables: tcp match: only valid for protocol 6
<6> What does this kernel message mean?
<6> I only did `iptables -A INPUT -m tcp`
<6> iptables 1.3.5 on 2.6.17-rc6
<4> with '-m tcp' instead of '-p tcp' you call the tcp matching routine without filtering out all none tcp packets first :)
<6> Well whatever
<4> s/none/not/
<6> I get the error on ALL iptables commands
<4> hmm
<6> iptables -A INPUT -m random for example gives
<6> ip_tables: random match: invalid size 0 != 4
<6> (and userspace error 4294967295)
<6> probably caused by net/netfilter/x_tables.c, xt_check_match
<6> oh hold
<6> -p tcp works lol
<6> So it looks like I did something wrong when porting ipt_random from pomng into the kernel ... :/
<6> or rather, the userspace part
<4> :)
<6> hey this is not funny. I've got to have a kernel package ready by tomorrow :/
<6> So in xt_check_match(), XT_ALIGN(match->matchsize)==0 but size==4
<6> Sounds like userspace sent the iptables -A command incorrectly, right?
<4> yes it does
<2> gug
<5> hi hidden
<4> hi Hidden, LaF0rge
<6> Gandalf_ : Hey I think I found it
<2> jengelh: ?
<6> the ipt_* (kernel) modules lack the ->matchsize/->targetsize present in other modules...
<6> Hidden: Yes?
<2> jengelh: I'm just curious :)
<6> Oh I wonder why a lot of POMNG modules fail to be used.
<6> Apparently, their kernel parts don't have ->matchsize, but userspace has.
<6> therefore giving stuff like
<6> ip_tables: random match: invalid size 0 != 4
<6> Which would also explain error 42943...5 I wrote you about with tproxy
<6> Hidden : Other than that I could not test tproxy more yet since I have to wrap up my whole repo till tomorrow :)
<2> maybe, I'll have a look at it tomorrow
<6> Woah it works.
<2> :)
<6> Ok where to send POMNG patches to?
<6> uh
<6> where has ipt_random gone in /patch-o-matic-ng-20060607?
<6> can't be that I am the only one maintaining that now
<6> Help!
<4> it has been combined into a statistics match and submitted for 2.6.18 :)
<4> combined together with the nth match that is
<6> Nice
<6> Currently, I have all these in my kernel tree
<6> AS_16-nf_ROUTE.diff AS_19-nf_connlimit.diff AS_22-nf_u32.diff
<6> AS_17-nf_TARPIT.diff AS_20-nf_nth.diff AS_23-nf_layer7.diff
<6> AS_18-nf_XOR.diff AS_21-nf_random.diff AS_24-nf_SYSRQ.diff
<6> AS_52-tproxy-2.0.4-2.6.17.diff
<6> Hidden: I've got another tproxy kernel patch...
<4> nf_SYSRQ ?
<2> jengelh: thanks, just send it in email :)
<6> hidden: done
<6> Gandalf_ : ipt_SYSRQ.
<2> jengelh: thanks a lot for fixing this
<4> jengelh: ahh
<6> I just named the files nf to note it's netfilter. Whether it's a target or a match is then derived from [A-Z] or [a-z]
<6> Gandalf_ : Any other besides random+nth to be merged?
<4> sip conntrack helper
<6> well, of those I mentioned :)
<4> quota match
<4> well, not of the ones you mentioned
<6> off the top of the head, what was the last pomng snapshot to contain random?
<6> 20060511 looks like a candidate
<6> yop that's it
<4> I haven't used snapshots in ages... 'svn up' is usually enough :)
<6> Gandalf_ : The last pomng, 20060511, does not have .matchsize in the kernel part too.
<6> Can you make sure that .matchsize and .targetsize are present in the current code?
<6> That would be all.
<4> .matchsize is set in the statistics match
<6> Hidden : Make sure that your modules also have .matchsize in net/ipv*/netfilter/ipt_*.c
<2> jengelh: ok
<6> i.e. ipt_TPROXY.c and ipt_tproxy.c.
<6> btw, where is tproxy3 gone? The "old" one is 2.0.4, the new one you sent me was tproxy4-alpha...
<2> tproxy 3 is internal only
<2> it's not worth releasing separately
<2> (although it's present in our public kernel patchset)
<2> it has too much dependencies and only the UDP-related functions were changed
<2> (it depends on a couple of other, non strictly tproxy-related patches)
<2> (UDP accept() for example, which is a hack-hack-hack... :)
<6> a waste of a major number :)
<6> so, i'm off. hopefully my issue is fixed.
<2> :)
<6> Oh yes, the rpms ought to pop up in no more than 12 hours
<6> and kernel compilation takes time
<2> ok, it's time to sleep
<2> gub
<4> gub, sweet dreams