Opened 9 years ago

Closed 8 years ago

Last modified 4 years ago

#5141 closed defect (fixed)

multiport match appears to be broken in brcm-2.4

Reported by: netprince (at) vt (dot) edu
Owned by: developers
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords: iptables multiport match
Cc:

Description

Just built and installed trunk, r15879. I noticed this while loading qos-scripts. Further inspection reveals the problem is with the multiport match:

iptables -t mangle -A wan_qos_ct -m mark --mark 0 -p tcp -m multiport --dports 21,22 -j MARK --set-mark 3

Swap the multiport match with a single port match, all is fine.

Here is what I have installed:

opkg list_installed
base-files-brcm-2.4 - 20-r15879 -
bridge - 1.0.6-1 -
busybox - 1.11.3-6 -
customizer - 955 -
dnsmasq - 2.47-3 -
dropbear - 0.52-2 -
empty-bgp - 0.6.15b-2 -
firewall - 1-3 -
iptables - 1.4.3.2-1 -
iptables-mod-conntrack - 1.4.3.2-1 -
iptables-mod-conntrack-extra - 1.4.3.2-1 -
iptables-mod-extra - 1.4.3.2-1 -
iptables-mod-filter - 1.4.3.2-1 -
iptables-mod-imq - 1.4.3.2-1 -
iptables-mod-ipopt - 1.4.3.2-1 -
iptables-mod-nat - 1.4.3.2-1 -
iptables-mod-nat-extra - 1.4.3.2-1 -
kernel - 2.4.35.4-brcm-2.4-1 -
kmod-brcm-wl - 2.4.35.4+4.150.10.5.3-brcm-2.4-2 -
kmod-crypto-arc4 - 2.4.35.4-brcm-2.4-1 -
kmod-crypto-core - 2.4.35.4-brcm-2.4-1 -
kmod-crypto-sha1 - 2.4.35.4-brcm-2.4-1 -
kmod-diag - 2.4.35.4-brcm-2.4-4 -
kmod-gre - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-conntrack - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-conntrack-extra - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-core - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-extra - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-filter - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-imq - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-ipopt - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-nat - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-nat-extra - 2.4.35.4-brcm-2.4-1 -
kmod-ipt-nathelper - 2.4.35.4-brcm-2.4-1 -
kmod-mppe - 2.4.35.4-brcm-2.4-1 -
kmod-ppp - 2.4.35.4-brcm-2.4-1 -
kmod-pppoe - 2.4.35.4-brcm-2.4-1 -
kmod-sched - 2.4.35.4-brcm-2.4-1 -
kmod-switch - 2.4.35.4-brcm-2.4-2 -
kmod-wlcompat - 2.4.35.4+4.150.10.5.3-brcm-2.4-2 -
libc - 0.9.29-20 -
libgcc - 3.4.6-20 -
libiptc - 1.4.3.2-1 -
librrd1-bgp - 1.0.50-1 -
libuci - 0.7.5-1 -
libxtables - 1.4.3.2-1 -
mtd - 8 -
nas - 4.150.10.5.3-2 -
nvram - 4 -
opkg - 4564-3 -
ppp - 2.4.3-11 -
ppp-mod-pppoe - 2.4.3-11 -
pptpd-bgp - 1.2.3-1 -
qos-scripts - 1.2.1-2 -
rrdcgi1-bgp - 1.0.50-1 -
rrdcollect-bgp - 0.2.3-3 -
rrdtool1-bgp - 1.0.50-1 -
ssmtp-bgp - 2.61-2 -
tc-bgp - 2.6.25-1 -
uci - 0.7.5-1 -
wireless-tools - 29-3 -
wl - 4.150.10.5.3-2 -
wlc - 4.150.10.5.3-2 -
wput-bgp - 0.5-1 -
zlib - 1.2.3-5 -

Here are the loaded modules:

lsmod | awk '{print $1}'
Module
ip_gre
ppp_mppe_mppc
ppp_async
ppp_generic
slhc
sha1
arc4
ipt_IMQ
cls_u32
ipt_dscp
ipt_tos
ipt_length
ipt_layer7
ipt_multiport
ipt_mark
ipt_MARK
ipt_CONNMARK
sch_red
sch_sfq
sch_hfsc
cls_fw
imq
ip_nat_ftp
ip_conntrack_ftp
ipt_TTL
ipt_TCPMSS
ipt_LOG
ipt_MASQUERADE
ipt_ttl
ipt_state
ipt_recent
ipt_limit
ipt_connbytes
iptable_mangle
iptable_nat
iptable_filter
ip_tables
ip_conntrack
wlcompat
wl
switch-robo
switch-core
diag

Also, here is what is available in /usr/lib/iptables:

ls -l /usr/lib/iptables/
drwxr-xr-x    2 root     root          841 May 16  2009 ./
drwxr-xr-x    1 root     root            0 May 16  2009 ../
-rwxr-xr-x    1 root     root         5.4k May 16  2009 libipt_DNAT.so*
-rwxr-xr-x    1 root     root         4.3k May 16  2009 libipt_ECN.so*
-rwxr-xr-x    1 root     root         6.0k May 16  2009 libipt_LOG.so*
-rwxr-xr-x    1 root     root         4.3k May 16  2009 libipt_MASQUERADE.so*
-rwxr-xr-x    1 root     root         2.3k May 16  2009 libipt_MIRROR.so*
-rwxr-xr-x    1 root     root         4.2k May 16  2009 libipt_NETMAP.so*
-rwxr-xr-x    1 root     root         4.3k May 16  2009 libipt_REDIRECT.so*
-rwxr-xr-x    1 root     root         4.8k May 16  2009 libipt_REJECT.so*
-rwxr-xr-x    1 root     root         5.4k May 16  2009 libipt_SNAT.so*
-rwxr-xr-x    1 root     root         4.0k May 16  2009 libipt_TTL.so*
-rwxr-xr-x    1 root     root         4.4k May 16  2009 libipt_ecn.so*
-rwxr-xr-x    1 root     root         6.2k May 16  2009 libipt_icmp.so*
-rwxr-xr-x    1 root     root         4.3k May 16  2009 libipt_ttl.so*
-rwxr-xr-x    1 root     root         2.3k May 16  2009 libipt_unclean.so*
-rwxr-xr-x    1 root     root         3.2k May 16  2009 libxt_CLASSIFY.so*
-rwxr-xr-x    1 root     root         8.8k May 16  2009 libxt_CONNMARK.so*
-rwxr-xr-x    1 root     root         4.6k May 16  2009 libxt_DSCP.so*
-rwxr-xr-x    1 root     root         3.1k May 16  2009 libxt_IMQ.so*
-rwxr-xr-x    1 root     root         6.6k May 16  2009 libxt_MARK.so*
-rwxr-xr-x    1 root     root         3.7k May 16  2009 libxt_TCPMSS.so*
-rwxr-xr-x    1 root     root         6.8k May 16  2009 libxt_TOS.so*
-rwxr-xr-x    1 root     root         5.3k May 16  2009 libxt_connbytes.so*
-rwxr-xr-x    1 root     root         4.7k May 16  2009 libxt_connmark.so*
-rwxr-xr-x    1 root     root        16.7k May 16  2009 libxt_conntrack.so*
-rwxr-xr-x    1 root     root         4.7k May 16  2009 libxt_dscp.so*
-rwxr-xr-x    1 root     root         3.4k May 16  2009 libxt_helper.so*
-rwxr-xr-x    1 root     root         7.4k May 16  2009 libxt_layer7.so*
-rwxr-xr-x    1 root     root         4.2k May 16  2009 libxt_length.so*
-rwxr-xr-x    1 root     root         4.5k May 16  2009 libxt_limit.so*
-rwxr-xr-x    1 root     root         3.8k May 16  2009 libxt_mac.so*
-rwxr-xr-x    1 root     root         4.5k May 16  2009 libxt_mark.so*
-rwxr-xr-x    1 root     root         9.0k May 16  2009 libxt_multiport.so*
-rwxr-xr-x    1 root     root        10.1k May 16  2009 libxt_owner.so*
-rwxr-xr-x    1 root     root         3.9k May 16  2009 libxt_pkttype.so*
-rwxr-xr-x    1 root     root         7.1k May 16  2009 libxt_recent.so*
-rwxr-xr-x    1 root     root         2.4k May 16  2009 libxt_standard.so*
-rwxr-xr-x    1 root     root         4.4k May 16  2009 libxt_state.so*
-rwxr-xr-x    1 root     root         7.1k May 16  2009 libxt_string.so*
-rwxr-xr-x    1 root     root         7.7k May 16  2009 libxt_tcp.so*
-rwxr-xr-x    1 root     root         4.3k May 16  2009 libxt_tcpmss.so*
-rwxr-xr-x    1 root     root         5.5k May 16  2009 libxt_tos.so*
-rwxr-xr-x    1 root     root         5.2k May 16  2009 libxt_udp.so*

Finally, I have verified the multiport extension with:

iptables -m multiport -h
iptables v1.4.3.2

Usage: iptables -[AD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
[!] --proto     -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask]
                                source specification
[!] --destination -d address[/mask]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.

multiport match options:
 --source-ports port[,port,port...]
 --sports ...
                                match source port(s)
 --destination-ports port[,port,port...]
 --dports ...
                                match destination port(s)
 --ports port[,port,port]
                                match both source and destination port(s)
 NOTE: this kernel does not support port ranges in multiport.
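
The workaround mentioned in the description (swapping the multiport match for single-port matches) can be applied mechanically to a rule. The following is an added example, not part of the ticket or of OpenWrt's qos-scripts: `expand_multiport` is a hypothetical helper that only prints the replacement commands, and it assumes rule arguments contain no whitespace.

```shell
#!/bin/sh
# Added example: rewrite one "-m multiport --dports/--sports a,b" rule as
# one single-port rule per port. Prints the commands; does not run iptables.
# Assumption: rule arguments contain no whitespace.
expand_multiport() {
    pre="" post="" flag="" ports="" last=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -m|--match)
                # Drop the multiport match itself; keep every other -m.
                if [ "${2:-}" = "multiport" ]; then shift 2; continue; fi ;;
            --dports|--destination-ports|--sports|--source-ports)
                # A negated list cannot be split into per-port rules.
                if [ $# -lt 2 ] || [ "$last" = "!" ]; then
                    echo "expand_multiport: missing or negated port list" >&2
                    return 2
                fi
                case "$1" in --d*) flag="--dport" ;; *) flag="--sport" ;; esac
                ports="$2"; shift 2; continue ;;
            --ports)
                echo "expand_multiport: --ports is not handled" >&2
                return 2 ;;
        esac
        # Arguments before the port list go in front of it, the rest after.
        if [ -z "$flag" ]; then pre="$pre $1"; else post="$post $1"; fi
        last="$1"; shift
    done
    # No port list found: print the remaining arguments as they are.
    if [ -z "$flag" ]; then echo "iptables$pre"; return 0; fi
    # Plain port numbers only; this also keeps glob characters out of the split.
    case "$ports" in
        ''|*[!0-9,]*) echo "expand_multiport: bad port list '$ports'" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        IFS=$old_ifs
        if [ -z "$p" ] || [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "expand_multiport: bad port '$p'" >&2; return 1
        fi
        echo "iptables$pre $flag $p$post"
    done
    IFS=$old_ifs
    return 0
}

# The rule from the ticket, expanded into one rule per port:
expand_multiport -t mangle -A wan_qos_ct -m mark --mark 0 -p tcp \
    -m multiport --dports 21,22 -j MARK --set-mark 3
```

Each printed rule takes the place of the multiport rule at the same position in the chain; because a packet has exactly one destination port, at most one of the expanded rules matches it.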

Change History (4)

comment:1 Changed 8 years ago by thomas@…

This bug is still not fixed in 8.09.2. It also may be a duplicate of ticket #2558

comment:2 Changed 8 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

Fix added in r19761

comment:3 Changed 8 years ago by thomas@…

Thanks. This also fixed ticket #2558, after more than 2 years NAT finally works again!

comment:4 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
