2002-02-08 04:25:30

by H. Peter Anvin

Subject: 2.4.18-pre9: iptables screwed?

I get the following error with iptables on 2.4.18-pre9:

sudo iptables-restore < /etc/sysconfig/iptables
iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Abort (core dumped)

However, if I apply the rules manually (using iptables), I have no
problem; only if I'm using iptables-save or iptables-restore do I get
a dump...

-hpa
--
<[email protected]> at work, <[email protected]> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt <[email protected]>


2002-02-08 08:04:06

by Stelian Pop

Subject: Re: 2.4.18-pre9: iptables screwed?

On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:

> I get the following error with iptables on 2.4.18-pre9:
>
> sudo iptables-restore < /etc/sysconfig/iptables
> iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> Abort (core dumped)
>
> However, if I apply the rules manually (using iptables), I have no
> problem; only if I'm using iptables-save or iptables-restore do I get
> a dump...

I have this since the netfilter update from pre6 or pre7...

It seems to be caused by a change in the logic for the mangle table:
the userspace tools check only for PREROUTING and OUTPUT chains
(the 1 << 0 | 1 << 3 check), but the kernel code was recently updated
to support more chains in this table (POSTROUTING etc).

So it would seem that we need to have a more recent version of
the userspace tools (CVS maybe, since the latest released version
has the same bug), or the netfilter people should check the
userspace tools version before introducing this kind of
incompatible change.

(BTW, the quick and dirty fix for me was to hand edit
/etc/sysconfig/iptables and remove all references to the mangle table,
since I don't use it).

That being said, IANANG (netfilter guru) :-)

Stelian.
--
Stelian Pop <[email protected]>
|---------------- Free Software Engineer -----------------|
| Alcôve - http://www.alcove.com - Tel: +33 1 49 22 68 00 |
|------------- Alcôve, liberating software ---------------|

2002-02-08 08:53:21

by Harald Welte

Subject: Re: 2.4.18-pre9: iptables screwed?

On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> I get the following error with iptables on 2.4.18-pre9:
>
> sudo iptables-restore < /etc/sysconfig/iptables
> iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> Abort (core dumped)
>
> However, if I apply the rules manually (using iptables), I have no
> problem; only if I'm using iptables-save or iptables-restore do I get
> a dump...

Could you please tell me, what iptables version are you using?
(btw: please follow-up to [email protected])

> -hpa

--
Live long and prosper
- Harald Welte / [email protected] http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)

2002-02-14 17:39:29

by Nick Craig-Wood

Subject: Re: 2.4.18-pre9: iptables screwed?

On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
> On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> > I get the following error with iptables on 2.4.18-pre9:
> >
> > sudo iptables-restore < /etc/sysconfig/iptables
> > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > Abort (core dumped)

I've noticed this too.

Specifically it is fine with 2.4.17 but broken with 2.4.18-pre7-ac2

I use the mangle table to set the TOS for a few things but it gives
this error :-

iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos Minimize-Delay

iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.

> Could you please tell me, what iptables version are you using?
> (btw: please follow-up to [email protected])

This is using Redhat 7.2 iptables v1.2.4 from the redhat package
iptables-1.2.4-2.

Apologies if this info is too late but I didn't see a followup to
lkml.

--
Nick Craig-Wood
[email protected]

2002-02-14 19:10:41

by Chris Chabot

Subject: Re: 2.4.18-pre9: iptables screwed?

I ran into the same problems with 2.4.18pre9, however upgrading to
iptables 1.2.5 fixed the problem. (There's no Red Hat package for it
yet; I did a compile of the source pkg.)

-- Chris


Nick Craig-Wood wrote:
> On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
>
>>On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
>>
>>>I get the following error with iptables on 2.4.18-pre9:
>>>
>>>sudo iptables-restore < /etc/sysconfig/iptables
>>>iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
>>>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
>>>Abort (core dumped)
>>>
>
> I've noticed this too.
>
> Specifically it is fine with 2.4.17 but broken with 2.4.18-pre7-ac2
>
> I use the mangle table to set the TOS for a few things but it gives
> this error :-
>
> iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos Minimize-Delay
>
> iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
>
>
>>Could you please tell me, what iptables version are you using?
>>(btw: please follow-up to [email protected])
>>
>
> This is using Redhat 7.2 iptables v1.2.4 from the redhat package
> iptables-1.2.4-2.
>
> Apologies if this info is too late but I didn't see a followup to
> lkml.
>
>



2002-02-14 19:15:51

by Stelian Pop

Subject: Re: 2.4.18-pre9: iptables screwed?

On Thu, Feb 14, 2002 at 04:12:25PM +0000, Nick Craig-Wood wrote:

> > > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > > Abort (core dumped)
>
> I've noticed this too.
[...]
> Apologies if this info is too late but I didn't see a followup to
> lkml.

There were several followups on lkml, search the archives.

The final solution was to rebuild the userspace tools with the
-DNODEBUG make flag (the RH RPM was build with debug enabled due
to a CFLAGS override in the .spec).

Stelian.
--
Stelian Pop <[email protected]>
Alcove - http://www.alcove.com

2002-02-14 22:28:49

by Michael Cohen

Subject: Re: 2.4.18-pre9: iptables screwed?

On Thu, 2002-02-14 at 11:12, Nick Craig-Wood wrote:
> On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
> > On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> > > I get the following error with iptables on 2.4.18-pre9:
> > >
> > > sudo iptables-restore < /etc/sysconfig/iptables
> > > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > > Abort (core dumped)
>
> I've noticed this too.
>
> Specifically it is fine with 2.4.17 but broken with 2.4.18-pre7-ac2
>
> I use the mangle table to set the TOS for a few things but it gives
> this error :-
>
> iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos Minimize-Delay
>
> iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
>
> > Could you please tell me, what iptables version are you using?
> > (btw: please follow-up to [email protected])
>
> This is using Redhat 7.2 iptables v1.2.4 from the redhat package
> iptables-1.2.4-2.
>
> Apologies if this info is too late but I didn't see a followup to
> lkml.

Upgrade iptables rpm. I got 1.2.5 and this went away, but comes back in
2.4.17.

------
Michael Cohen
OhDarn.net

> --
> Nick Craig-Wood
> [email protected]


2002-02-14 23:32:44

by Henrik Nordstrom

Subject: Re: 2.4.18-pre9: iptables screwed?

This topic has been discussed on netfilter-devel quite recently.

The RedHat RPM for some reason compiles the iptables package with
debugging enabled. This makes the program overly paranoid about
different revisions of the netfilter kernel components.

Details:

When you build iptables from the source tarball then the Makefile
includes -DNDEBUG to disable all debugging. Unfortunately the RPM
build process overrides the compilation options set in the Makefile
and leaves NDEBUG undefined, causing a lot of debug code to be
compiled in.

Regards
Henrik Nordström



On Thursday 14 February 2002 20.01, Chris Chabot wrote:
> I ran into the same problems with 2.4.18pre9, however upgrading to
> iptables 1.2.5 fixed the problem. (there's no redhat packages for
> it yet, i did a compile of the source pkg)
>
> -- Chris
>
> Nick Craig-Wood wrote:
> > On Fri, Feb 08, 2002 at 09:46:49AM +0100, Harald Welte wrote:
> >>On Thu, Feb 07, 2002 at 08:24:28PM -0800, H. Peter Anvin wrote:
> >>>I get the following error with iptables on 2.4.18-pre9:
> >>>
> >>>sudo iptables-restore < /etc/sysconfig/iptables
> >>>iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> >>>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> >>>Abort (core dumped)
> >
> > I've noticed this too.
> >
> > Specifically it is fine with 2.4.17 but broken with
> > 2.4.18-pre7-ac2
> >
> > I use the mangle table to set the TOS for a few things but it
> > gives this error :-
> >
> > iptables -t mangle -A add-tos -p tcp --dport ssh -m tos --tos
> > Minimize-Delay
> >
> > iptables: libiptc/libip4tc.c:384: do_check: Assertion
> > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> >
> >>Could you please tell me, what iptables version are you using?
> >>(btw: please follow-up to [email protected])
> >
> > This is using Redhat 7.2 iptables v1.2.4 from the redhat package
> > iptables-1.2.4-2.
> >
> > Apologies if this info is too late but I didn't see a followup to
> > lkml.

2002-02-14 23:44:09

by Harald Welte

Subject: Re: 2.4.18-pre9: iptables screwed?

On Thu, Feb 14, 2002 at 04:12:25PM +0000, Nick Craig-Wood wrote:

> > > sudo iptables-restore < /etc/sysconfig/iptables
> > > iptables-restore: libiptc/libip4tc.c:384: do_check: Assertion
> > > `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
> > > Abort (core dumped)
>
> I've noticed this too.
>
> Apologies if this info is too late but I didn't see a followup to
> lkml.

The redhat iptables package has debugging enabled, and the debugging
code does not cope correctly with the new kernels.

We didn't assume that anybody is running debugging-enabled old iptables
versions on production systems, but I guess some unfortunate coincidence
caused this within the redhat package :(

> Nick Craig-Wood
> [email protected]

--
Live long and prosper
- Harald Welte / [email protected] http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)

2002-02-14 23:44:09

by Harald Welte

Subject: Re: 2.4.18-pre9: iptables screwed?

On Thu, Feb 14, 2002 at 08:01:11PM +0100, Chris Chabot wrote:
> I ran into the same problems with 2.4.18pre9, however upgrading to
> iptables 1.2.5 fixed the problem. (there's no redhat packages for it
> yet, i did a compile of the source pkg)

As stated in my earlier replies to this issue:

Certain vendor RPMs for iptables have (involuntarily?) compiled in iptables
debugging. At least Red Hat and Mandrake seem to be falling in this category.

The debugging code does not work with recent kernels, but nobody was
assuming debugging would be enabled in production systems.

There are two solutions to the problem:

a) update to an iptables package which doesn't have debugging enabled
(which is default with iptables source as distributed by the netfilter
coreteam)

or

b) use iptables from current CVS when you really need to have debugging
enabled. I will release iptables-1.2.6 soon, which will also have
the debugging code fixed.

> -- Chris

--
Live long and prosper
- Harald Welte / [email protected] http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)

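The root cause described in Stelian Pop's, Henrik Nordström's and Harald Welte's replies above is a debug-only consistency check compiled into the vendor package: an assert() that demands the kernel's set of valid mangle hooks be exactly PREROUTING | OUTPUT, which a kernel advertising additional hooks can never satisfy. The following C program is an added illustration of that failure mode and of what -DNDEBUG changes; it is not libiptc code from the iptables tree. The hook numbers follow the netfilter IPv4 hook order (0 = PREROUTING, 1 = INPUT, 2 = FORWARD, 3 = OUTPUT, 4 = POSTROUTING), which is why the assertion in the thread reads `1 << 0 | 1 << 3`. The "new kernel" mask assuming all five hooks is an assumption for the example; the thread only says the mangle table gained "POSTROUTING etc."

```c
/* Added illustration (not libiptc code): why an assert()-based
 * compatibility check breaks when the kernel gains hooks, and what
 * building with -DNDEBUG changes. Hook numbering follows the
 * netfilter IPv4 hook order. */
#include <assert.h>
#include <stdio.h>

#define NF_IP_PRE_ROUTING  0
#define NF_IP_LOCAL_IN     1
#define NF_IP_FORWARD      2
#define NF_IP_LOCAL_OUT    3
#define NF_IP_POST_ROUTING 4

/* The mask the failing assertion in the thread compares against:
 * `h->info.valid_hooks == (1 << 0 | 1 << 3)`, i.e. PREROUTING | OUTPUT. */
#define MANGLE_HOOKS_OLD  ((1u << NF_IP_PRE_ROUTING) | (1u << NF_IP_LOCAL_OUT))

/* Assumed mask for the updated kernel: the thread says the mangle table
 * gained POSTROUTING "etc."; here we assume all five hooks. */
#define MANGLE_HOOKS_NEW  ((1u << NF_IP_PRE_ROUTING) | (1u << NF_IP_LOCAL_IN) | \
                           (1u << NF_IP_FORWARD)     | (1u << NF_IP_LOCAL_OUT) | \
                           (1u << NF_IP_POST_ROUTING))

/* 1 when this translation unit was built with assertions live
 * (NDEBUG undefined, as in the vendor RPM), 0 when -DNDEBUG
 * compiled them out (as the upstream Makefile does). */
int asserts_compiled_in(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Strict equality check, as in the failing assertion: any extra hook
 * bit advertised by a newer kernel makes this return 0. */
int hooks_match_strict(unsigned valid_hooks)
{
    return valid_hooks == MANGLE_HOOKS_OLD;
}

/* Forward-compatible check: require the hooks this tool needs to be
 * present and tolerate additional ones the kernel may offer. */
int hooks_match_compat(unsigned valid_hooks)
{
    return (valid_hooks & MANGLE_HOOKS_OLD) == MANGLE_HOOKS_OLD;
}

/* Model of the debug-only check: with assertions live, a kernel that
 * advertises extra hooks aborts the process (the "Abort (core dumped)"
 * in the thread); with -DNDEBUG the assert() is a no-op and the call
 * simply returns. Only call this with a mask you expect to pass. */
void do_check_legacy(unsigned valid_hooks)
{
    assert(hooks_match_strict(valid_hooks));
    (void)valid_hooks;
}

int main(void)
{
    printf("assertions compiled in: %s\n",
           asserts_compiled_in() ? "yes" : "no (-DNDEBUG)");
    printf("old kernel mask 0x%02x: strict=%d compat=%d\n", MANGLE_HOOKS_OLD,
           hooks_match_strict(MANGLE_HOOKS_OLD), hooks_match_compat(MANGLE_HOOKS_OLD));
    printf("new kernel mask 0x%02x: strict=%d compat=%d\n", MANGLE_HOOKS_NEW,
           hooks_match_strict(MANGLE_HOOKS_NEW), hooks_match_compat(MANGLE_HOOKS_NEW));

    do_check_legacy(MANGLE_HOOKS_OLD);      /* passes with or without NDEBUG */
    if (!asserts_compiled_in())
        do_check_legacy(MANGLE_HOOKS_NEW);  /* harmless only because assert() is compiled out */
    else
        printf("skipping do_check_legacy(new mask): it would abort here\n");
    return 0;
}
```

Build it twice, once as `cc -o hooks hooks.c` and once as `cc -DNDEBUG -o hooks hooks.c`, to see the two behaviours the thread describes. To find out whether an installed iptables binary carries live assertions, a usable check on glibc systems is `nm -D /sbin/iptables | grep __assert_fail` (assert() expands to a call of that symbol; a binary built with -DNDEBUG does not reference it). When rebuilding a vendor RPM, confirm the spec's CFLAGS override does not drop the Makefile's -DNDEBUG, which Henrik Nordström identifies above as the cause.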
2002-02-27 01:17:01

by Lukasz Trabinski

Subject: Re: 2.4.18-pre9: iptables screwed?

In article <[email protected]> you wrote:

> Upgrade iptables rpm. I got 1.2.5 and this went away, but comes back in
> 2.4.17.

I have just made RPMS/SRPMS of iptables from snapshot 1.2.6-20020226.
Available at ftp://ftp.wsisiz.edu.pl/pub/Linux/rpms-7x

It works.

--
*[ Łukasz Trąbiński ]*
SysAdmin @wsisiz.edu.pl