Opened 9 years ago

Closed 8 years ago

Last modified 4 years ago

#5628 closed defect (fixed)

netfilter - state match support broken, brcm47xx

Reported by: arus at poczta dot onet dot pl
Owned by: nbd
Priority: normal
Milestone: Barrier Breaker 14.07
Component: kernel
Version: Trunk
Keywords: netfilter iptables state match established
Cc:

Description

How to reproduce:

root@OpenWrt:/# iptables -N test
root@OpenWrt:/# iptables -A test -m state --state RELATED,ESTABLISHED -j ACCEPT
root@OpenWrt:/# iptables -D test -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).

Looks like that rule gets additional/different attributes, which are not visible in "iptables -L -v" output.
Established connections never match ESTABLISHED state rules, i.e. the following four lines would not allow SSH connection from LAN:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i br-lan -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

It was working in svn revision 14954. I have no idea when it stopped working.
OpenWRT built on Fedora 11.
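A small self-test for the symptom in the description, added here as an example and not code from the ticket or from OpenWrt: it appends the state rule to a scratch chain, tries to delete it with identical arguments, and reports the add/delete mismatch so that it can be caught before a DROP policy is relied on. The IPT override variable and the scratch chain name are my own assumptions.

```shell
#!/bin/sh
# Regression check for a conntrack state rule that can be appended but not
# deleted with the same arguments (the "Bad rule" symptom reported above).
# IPT defaults to the real iptables; it can be pointed at a wrapper for a
# dry run. CHAIN is a scratch chain that is removed again on every path.
IPT=${IPT:-iptables}
CHAIN=${CHAIN:-statecheck}

# Return codes:
#   0  the state match round-trips cleanly (-A and -D both succeed)
#   1  -A succeeded but -D failed, i.e. the kernel stored the rule with
#      attributes that the userland match no longer recognises
#   2  the scratch chain or the rule could not be created at all
state_match_roundtrip() {
    "$IPT" -N "$CHAIN" 2>/dev/null || return 2
    if ! "$IPT" -A "$CHAIN" -m state --state RELATED,ESTABLISHED -j ACCEPT; then
        "$IPT" -X "$CHAIN" 2>/dev/null
        return 2
    fi
    if "$IPT" -D "$CHAIN" -m state --state RELATED,ESTABLISHED -j ACCEPT; then
        rc=0
    else
        rc=1
        "$IPT" -F "$CHAIN"      # delete by arguments failed; flush instead
    fi
    "$IPT" -X "$CHAIN"
    return $rc
}
```

Run it as root on the router before switching the INPUT/OUTPUT policies to DROP; a return code of 1 means ESTABLISHED traffic will not be matched either.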

Attachments (0)

Change History (8)

comment:1 Changed 9 years ago by arus at poczta dot onet dot pl

The source of the problem is in:
target/linux/generic-26/patches-2.6.xx/110-netfilter_match_speedup.patch.
Removal of that file solves the issue.

Either this patch should be removed or appropriate patch for iptables should be created (I think).

This is a rather serious dysfunction. Could someone raise the priority/severity of this ticket, please?

comment:2 Changed 8 years ago by sebastian.fuchs@…

I can confirm this. Shorewall isn't working in trunk without reversing the above mentioned patch.

comment:3 Changed 8 years ago by Mr.M (forum user)

Hi there,

I am using r18759 and can confirm that removing the above mentioned patch works, also with shorewall 4.2.11.
Ticket #5786 seems to describe the same problem.

I personally think that the patch should be removed if it cannot be repaired, since it makes iptables/netfilter behave in a non-standard way.

By the way, if someone wants to try shorewall 4.2.11:

Change two lines in kamikaze/package/feeds/packages/shorewall-common/Makefile:

PKG_VERSION:=4.2.11

PKG_MD5SUM:=4da98c58a00f1cf1d8c31bdb5db40e96

Change two lines in kamikaze/package/feeds/packages/shorewall-shell/Makefile:

PKG_VERSION:=4.2.11

PKG_MD5SUM:=518a7f389a6f606c109acb7dfbe18372

Works for me, but I haven't tried out everything yet.

comment:4 Changed 8 years ago by thepeople

  • Owner changed from developers to nbd
  • Status changed from new to assigned

comment:5 Changed 8 years ago by nbd

  • Status changed from assigned to accepted

Please try applying http://nbd.name/nf-fix.patch and then rebuilding with make target/linux/clean world.
Then let me know whether my patch fixes this issue.

comment:6 Changed 8 years ago by nico

Patch works! Confirmed on uml (r20533)

root@OpenWrt:/# iptables -N test && echo $?
0
root@OpenWrt:/# iptables -A test -m state --state RELATED,ESTABLISHED -j ACCEPT && echo $?
0
root@OpenWrt:/# iptables -D test -m state --state RELATED,ESTABLISHED -j ACCEPT && echo $?
0

comment:7 Changed 8 years ago by nbd

  • Resolution set to fixed
  • Status changed from accepted to closed

fixed in r20552

comment:8 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
