Opened 7 years ago

Closed 7 years ago

Last modified 3 years ago

#8366 closed defect (fixed)

(at least) layer7 broken with current kernels

Reported by: ddxx0n
Owned by: jow
Priority: high
Milestone: Barrier Breaker 14.07
Component: kernel
Version: Trunk
Keywords: iptables layer7
Cc:

Description

Since a couple of people are having this serious problem https://forum.openwrt.org/viewtopic.php?id=27602 here's the regular bug ticket.

I am using Backfire trunk (r24246) with kernel 2.6.36.1 on a WNDR3700.

Unfortunately, I cannot get layer7 matching to work: even a simple 'iptables -A FORWARD -m layer7 --l7proto irc -j REJECT' creates the response 'iptables: Input/output error.'. I am unable to find anything useful through Google. The error stays the same with all -A or -j variants I have tried.

... the problem is NOT a missing layer7 kernel module (or the error would be 'iptables v1.4.9.1: Couldn't load match `layer7':File not found')

... the problem is NOT a missing pattern file /etc/l7-protocols/irc.pat (or the error would be 'iptables v1.4.9.1: Couldn't find a pattern definition file for irc.')

It might have something to do with iptables extras moving to userspace via xtables. See also this thread: http://forum.slackware.pl/viewtopic.php?f=12&p=189226 ... or, if your Polish is not up to date: http://translate.google.de/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=pl&tl=en&u=http://forum.slackware.pl/viewtopic.php%3Ff%3D12%26p%3D189226&act=url

I did not try the current iptables 1.4.10, the version in the repository is outdated. Fixing this might even fix at least another bug: /ticket/8211.html

Change History (10)

comment:1 Changed 7 years ago by ddxx0n

The repository versions of iptables (1.4.9.1) and xtables-addons (1.29) are not compatible with 2.6.36, updating to current 1.4.10 / 1.31 might do the trick.

comment:2 Changed 7 years ago by ddxx0n

No, unfortunately the updates from /ticket/8369.html didn't solve the problem, I'm still getting the 'iptables: Input/output error.' ... maybe it has something to do with an (outdated?) openwrt patch to iptables breaking things?

comment:3 Changed 7 years ago by ddxx0n

The kernel patch 100-netfilter_layer7_2.22.patch for 2.6.36+ in the repository doesn't seem to apply cleanly and might even be outdated, see http://l7-filter.clearfoundation.com/tracker/view.php?id=11

comment:4 Changed 7 years ago by ddxx0n

The only difference between kernel 2.6.36 and both patch versions (openwrt & clearfoundation) is that the current kernel's xt_layer7.h has an additional member "u_int8_t pkt" in "struct xt_layer7_info" and xt_layer7.c makes use of it. However, these newer xt_layer7.c and xt_layer7.h aren't overwritten while compiling. This is not the cause of the "iptables: Input/output error".

comment:5 Changed 7 years ago by acoul

  • Resolution set to fixed
  • Status changed from new to closed

this should be fixed in r24345

comment:6 Changed 7 years ago by Ernesto

  • Resolution fixed deleted
  • Status changed from closed to reopened

I confirm these problems have been back on ORION for a few days, since the last changes to libtool/kernels and/or the iptables updates :(

I checked with a current trunk 2 hours ago, and the qos-package is no longer working.

comment:7 Changed 7 years ago by jow

  • Owner changed from developers to jow
  • Status changed from reopened to accepted

comment:8 Changed 7 years ago by ddxx0n

For me, it's working since /changeset/24728.html (on ar71xx (WNDR3700) w/ Kernel 2.6.36.2) - Thanks.

comment:9 Changed 7 years ago by nbd

  • Resolution set to fixed
  • Status changed from accepted to closed

comment:10 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
