Your message dated Wed, 09 Aug 2006 01:15:02 +0300
with message-id <[EMAIL PROTECTED]>
and subject line 32-bit iptables on 64-bit kernels
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: iptables
Version: 1.2.11-10
Severity: important

Hi,

I managed to track down the problem with i386 iptables and x86_64
kernels.

The problem is in

kernel_profectio/include/linux/netfilter_ipv4/ip_tables.h: 273:

| /* The argument to IPT_SO_GET_ENTRIES. */
| struct ipt_get_entries
| {
|       /* Which table: user fills this in. */
|       char name[IPT_TABLE_MAXNAMELEN];
| 
|       /* User fills this in: total entry size. */
|       unsigned int size;
| 
|       /* The entries. */
|       struct ipt_entry entrytable[0];
| };

With gcc -m32 the sizeof(ipt_get_entries) == 36, with gcc -m64
sizeof(ipt_get_entries) == 40. The iptables SO_GET_ENTRIES hook
receives the size as argument, checks for the right size and returns
an error (36 != 40) and iptables then says: 

iptables v1.2.11: can't initialize iptables table `filter': Module is wrong version
Perhaps iptables or your kernel needs to be upgraded.


What happens is the following (there might be more but this one
prevents iptables -L from working):

ipt_entry on i386 has 4 byte alignment while ipt_entry on x86_64 has 8
byte alignment which adds 4 padding bytes after "unsigned int
size". Other archs (tested hppa, sparc and mips) already have those
padding bytes in 32bit so iptables continues to work with a 64bit
kernel.


I'm not sure how to fix this. You would have to build two flavours,
one with padding and one without, and choose the right one at
runtime. But how do you detect a x86_64 kernel with a 32bit
personality (when you call 'linux32 iptables')? The uname would say
i686.

I have a simple patch to build iptables64 and iptables64-dev packages
compiled with "gcc-3.4 -m64" for i386 which solves the problem by
letting the user pick the right one. Are you interested in that or can
you think of a better solution?

MfG
        Goswin

-- System Information:
Debian Release: 3.1
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.8-frosties-1
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages iptables depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/changelog 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/changelog
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/changelog    2004-12-02 
01:23:20.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/changelog    2005-03-05 
06:07:19.000000000 +0100
@@ -1,3 +1,9 @@
+iptables (1.2.11-10.0.0.1.pure64) unstable; urgency=medium
+
+  * Build iptables64 and iptables64-dev on i386
+
+ -- Goswin von Brederlow <[EMAIL PROTECTED]>  Sat,  5 Mar 2005 06:07:34 +0100
+
 iptables (1.2.11-10) unstable; urgency=medium
 
   * fixed scripts/prep.sh: patching and patch ordering
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/control 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/control
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/control      2004-03-17 
15:22:05.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/control      2005-03-05 
06:06:56.000000000 +0100
@@ -2,7 +2,7 @@
 Section: net
 Priority: important
 Maintainer: Laurence J. Lane <[EMAIL PROTECTED]>
-Build-Depends: debhelper (>>4.0), linuxdoc-tools, html2text, bzip2
+Build-Depends: debhelper (>>4.0), linuxdoc-tools, html2text, bzip2, gcc-3.4 
[i386], lib64gcc1 [i386], amd64-libs-dev [i386]
 Standards-Version: 3.5.6.0
 
 Package: iptables
@@ -11,6 +11,7 @@
 Suggests: ipmasq, iproute
 Section: net
 Depends: ${shlibs:Depends}
+Conflicts: iptables64
 Description: Linux kernel 2.4+ iptables administration tools
  netfilter and iptables provide a Linux kernel framework for
  stateful and stateless packet filtering, network and port addresss
@@ -27,6 +28,36 @@
 Architecture: any
 Priority: optional
 Depends: iptables
+Conflicts: iptables64-dev
+Section: devel
+Description: development files for iptable's libipq and libiptc
+ Header files, static libs and documentation for libipq (iptables 
+ user-space packet queuing library) and libiptc.
+
+Package: iptables64
+Architecture: i386
+Priority: important
+Suggests: ipmasq, iproute
+Section: net
+Depends: ${shlibs:Depends}
+Conflicts: iptables
+Description: Linux kernel 2.4+ iptables administration tools
+ netfilter and iptables provide a Linux kernel framework for
+ stateful and stateless packet filtering, network and port addresss
+ translation, and other IP packet manipulation. The framework is the
+ successor to ipchains.
+ .
+ netfilter and iptables are used in applications such as Internet
+ connection sharing, firewalls, IP accounting, transparent proxying,
+ advanced routing and traffic control.
+ .
+ iptables web site: http://www.iptables.org/
+
+Package: iptables64-dev
+Architecture: i386
+Priority: optional
+Depends: iptables64
+Conflicts: iptables-dev
 Section: devel
 Description: development files for iptable's libipq and libiptc
  Header files, static libs and documentation for libipq (iptables 
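Review bot: the new iptables64 and iptables64-dev stanzas copy the Description text of iptables and iptables-dev unchanged, so nothing in the package metadata says these are the -m64 builds meant for an i386 userland running on an x86_64 kernel; state that in both the short and the long description. The iptables64 stanza also relies on "Depends: ${shlibs:Depends}" alone while the 64-bit libraries appear only under Build-Depends (lib64gcc1, amd64-libs-dev), so check that the built package actually ends up depending on the 64-bit runtime and add an explicit dependency if it does not.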
diff -Nru 
/tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64-dev.doc-base.netfilter-extensions
 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64-dev.doc-base.netfilter-extensions
--- 
/tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64-dev.doc-base.netfilter-extensions
 1970-01-01 01:00:00.000000000 +0100
+++ 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64-dev.doc-base.netfilter-extensions
 2005-03-05 02:57:05.000000000 +0100
@@ -0,0 +1,10 @@
+Document: netfilter-extensions
+Title: Netfilter Extensions HOWTO
+Author: Fabrice MARIE <[EMAIL PROTECTED]>
+Abstract: This document describes how to install and use current iptables
+  extensions for netfilter.
+Section: Apps/Programming
+
+Format: HTML
+Index: /usr/share/doc/iptables64-dev/html/netfilter-extensions-HOWTO.html
+Files: /usr/share/doc/iptables64-dev/html/netfilter-extensions-HOWTO-?.html
diff -Nru 
/tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64-dev.doc-base.netfilter-hacking
 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64-dev.doc-base.netfilter-hacking
--- 
/tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64-dev.doc-base.netfilter-hacking
    1970-01-01 01:00:00.000000000 +0100
+++ 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64-dev.doc-base.netfilter-hacking
    2005-03-05 02:57:17.000000000 +0100
@@ -0,0 +1,12 @@
+Document: netfilter-hacking
+Title: Linux netfilter Hacking HOWTO
+Author: Rusty Russell
+Abstract: This document describes the netfilter architecture for Linux, 
+  how to hack it, and some of the major systems which sit on top of it, 
+  such as packet filtering, connection tracking and Network Address 
+  Translation.
+Section: Apps/Programming
+
+Format: HTML
+Index: /usr/share/doc/iptables64-dev/html/netfilter-hacking-HOWTO.html
+Files: /usr/share/doc/iptables64-dev/html/netfilter-hacking-HOWTO-?.html
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64-dev.install 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64-dev.install
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64-dev.install       
1970-01-01 01:00:00.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64-dev.install       
2005-03-05 02:59:16.000000000 +0100
@@ -0,0 +1,8 @@
+debian/build/iptables_profectio64/include/*.h usr/include
+debian/build/iptables_profectio64/include/lib* usr/include
+debian/build/iptables_profectio64/libiptc/*.a usr/lib
+debian/build/iptables_profectio64/libipq/*.a usr/lib
+debian/build/iptables_profectio64/*.a usr/lib
+debian/build/iptables_profectio64/libipq/*.3 usr/share/man/man3
+debian/build/doc/netfilter-extensions-HOWTO* usr/share/doc/iptables64-dev/html
+debian/build/doc/netfilter-hacking-HOWTO* usr/share/doc/iptables64-dev/html
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.doc-base.nat 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.doc-base.nat
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.doc-base.nat      
1970-01-01 01:00:00.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.doc-base.nat      
2005-03-05 02:59:32.000000000 +0100
@@ -0,0 +1,11 @@
+Document: nat
+Title: Linux 2.4 NAT HOWTO
+Author: Rusty Russell
+Abstract: This document describes how to do masquerading, transparent 
+ proxying, port forwarding, and other forms of Network Address 
+ Translations with the 2.4+ Linux Kernels.
+Section: Apps/System
+
+Format: HTML
+Index: /usr/share/doc/iptables64/html/NAT-HOWTO.html
+Files: /usr/share/doc/iptables64/html/NAT-HOWTO*.html
diff -Nru 
/tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.doc-base.packet-filter 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.doc-base.packet-filter
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.doc-base.packet-filter    
1970-01-01 01:00:00.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.doc-base.packet-filter    
2005-03-05 02:59:56.000000000 +0100
@@ -0,0 +1,10 @@
+Document: packet-filter
+Title: Linux 2.4 Packet Filtering HOWTO
+Author: Rusty Russell
+Abstract: This document describes how to use iptables to filter 
+ IP packets for the 2.4+ Linux kernels.
+Section: Apps/System
+
+Format: HTML
+Index: /usr/share/doc/iptables64/html/packet-filtering-HOWTO.html
+Files: /usr/share/doc/iptables64/html/packet-filtering-HOWTO*.html
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.docs 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.docs
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.docs      1970-01-01 
01:00:00.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.docs      2003-12-30 
20:53:57.000000000 +0100
@@ -0,0 +1 @@
+debian/build/doc/changelog
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.examples 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.examples
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.examples  1970-01-01 
01:00:00.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.examples  2003-12-30 
20:53:57.000000000 +0100
@@ -0,0 +1 @@
+examples/*
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.install 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.install
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.install   1970-01-01 
01:00:00.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.install   2005-03-05 
03:00:41.000000000 +0100
@@ -0,0 +1,7 @@
+debian/*.8 usr/share/man/man8
+debian/build/iptables_profectio64/*.8 usr/share/man/man8
+debian/build/iptables_profectio64/*-save sbin
+debian/build/iptables_profectio64/*-restore sbin
+debian/build/doc/NAT-HOWTO* usr/share/doc/iptables/html
+debian/build/doc/packet-filtering-HOWTO* usr/share/doc/iptables/html
+debian/build/iptables_profectio64/ippool/ippool sbin
\ No newline at end of file
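Review bot: the NAT-HOWTO and packet-filtering-HOWTO lines install into usr/share/doc/iptables/html, but the iptables64.doc-base.nat and iptables64.doc-base.packet-filter files added by this patch index /usr/share/doc/iptables64/html/..., so the doc-base entries would point at files that are not installed there. Change both destinations to usr/share/doc/iptables64/html, and end the file with a newline.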
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.lintian.override 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.lintian.override
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.lintian.override  
1970-01-01 01:00:00.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.lintian.override  
2005-03-05 03:34:29.000000000 +0100
@@ -0,0 +1 @@
+iptables64: shared-lib-without-dependency-information
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.postinst 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.postinst
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/iptables64.postinst  1970-01-01 
01:00:00.000000000 +0100
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/iptables64.postinst  2003-12-30 
20:53:57.000000000 +0100
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -e
+
+#clean-up 1.2.6-a{1,2} posinst error
+foo="/etc/init.d/iptables exists"
+if test -f /1; then
+  if grep -q "$foo" /1; then
+    rm -f /1
+  fi
+fi
+
+# iptables 1.2.7-8 dumped debconf
+if [ -e /usr/share/debconf/confmodule ]; then
+        . /usr/share/debconf/confmodule
+        db_purge
+fi
+
+# remove ugly alternatives hack for owner match
+
+if [ -x /usr/sbin/update-alternatives ]; then
+  update-alternatives --remove \
+    libipt_owner.so /lib/iptables/libipt_owner.so+pre-2.4.20
+  update-alternatives --remove \
+    libipt_owner.so /lib/iptables/libipt_owner.so+post-2.4.20
+fi
+
+#DEBHELPER#
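Review bot: every block in this postinst is historical clean-up for the iptables package (the /1 file left by 1.2.6-a{1,2}, the debconf purge from 1.2.7-8, the libipt_owner.so alternatives), while iptables64 is a new package with none of that history, and db_purge acts only on the package's own debconf data. Drop the blocks that cannot apply, or add a comment saying they are kept for systems that switch from iptables to iptables64.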
diff -Nru /tmp/EtPxdtPHbE/iptables-1.2.11/debian/rules 
/tmp/TuAosPjjOD/iptables-1.2.11/debian/rules
--- /tmp/EtPxdtPHbE/iptables-1.2.11/debian/rules        2004-07-31 
06:03:47.000000000 +0200
+++ /tmp/TuAosPjjOD/iptables-1.2.11/debian/rules        2005-03-05 
06:06:37.000000000 +0100
@@ -20,21 +20,31 @@
 
 BUILD_DIR := $(CURDIR)/debian/build
 SRC_DIR := $(BUILD_DIR)/$(IPTABLES)
+SRC64_DIR := $(BUILD_DIR)/$(IPTABLES)64
 STAMP_DIR := $(BUILD_DIR)/stamp
 
 MANDIR = MANDIR=/usr/share/man
 BINDIR = BINDIR=/sbin
 LIBDIR = LIBDIR=/lib
 DESTDIR := DESTDIR=$(CURDIR)/debian/iptables
+DEST64DIR := DESTDIR=$(CURDIR)/debian/iptables64
 KERNEL_DIR := KERNEL_DIR=$(BUILD_DIR)/$(KERNEL)
 
 BUILD_VARS := $(LIBDIR) $(KERNEL_DIR)
 INSTALL_VARS := $(DESTDIR) $(MANDIR) $(LIBDIR) $(BINDIR) $(KERNEL_DIR)
+INSTALL64_VARS := $(DEST64DIR) $(MANDIR) $(LIBDIR) $(BINDIR) $(KERNEL_DIR)
 BUILD_TARGETS = all ip6tables-save ip6tables-restore
 
+DEB_BUILD_ARCH := $(shell dpkg-architecture -qDEB_BUILD_ARCH)
+CC64 := gcc-3.4 -m64
+
 prep: $(STAMP_DIR)/prep-stamp
 $(STAMP_DIR)/prep-stamp:
        $(MAKE) prep
+ifneq (substring($(DEB_BUILD_ARCH),i386),)
+       mkdir -p $(SRC64_DIR)
+       cp -a $(SRC_DIR)/. $(SRC64_DIR)/.
+endif
        touch $@
 
 build: $(STAMP_DIR)/build-stamp
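Review bot: "ifneq (substring($(DEB_BUILD_ARCH),i386),)" in the prep-stamp rule does not test the architecture. substring is written without $(...) and is not a make function in any case, so the first argument is literal text that is never empty and the block runs on every architecture. Use "ifeq ($(DEB_BUILD_ARCH),i386)" or "ifneq ($(findstring i386,$(DEB_BUILD_ARCH)),)"; the same conditional is repeated in the build and install hunks below.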
@@ -46,6 +56,13 @@
        cd $(SRC_DIR); ar rcs libiptables.a iptables.o
        cd $(SRC_DIR); ar rcs libip6tables.a ip6tables.o
 
+ifneq (substring($(DEB_BUILD_ARCH),i386),)
+       CC="$(CC64)" $(MAKE) -C $(SRC64_DIR) $(BUILD_TARGETS) $(BUILD_VARS)
+
+       cd $(SRC64_DIR); ar rcs libiptables.a iptables.o
+       cd $(SRC64_DIR); ar rcs libip6tables.a ip6tables.o
+endif
+
        touch $@
 
 clean:
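Review bot: in 'CC="$(CC64)" $(MAKE) -C $(SRC64_DIR) ...' the compiler is handed over through the environment, which make honours only if the makefile in $(SRC64_DIR) does not assign CC itself; if it does, the copy is quietly built 32-bit again. Pass it as a make argument next to $(BUILD_VARS), the way LIBDIR and KERNEL_DIR are already passed, so it overrides any assignment in the makefile.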
@@ -62,6 +79,13 @@
        install -m0644 -D $(CURDIR)/debian/iptables.lintian.override \
        $(CURDIR)/debian/iptables/usr/share/lintian/overrides/iptables
 
+ifneq (substring($(DEB_BUILD_ARCH),i386),)
+       $(MAKE) -C $(SRC64_DIR) install $(INSTALL64_VARS)
+       rm -rf $(SRC64_DIR)/include/libipulog
+       install -m0644 -D $(CURDIR)/debian/iptables64.lintian.override \
+       $(CURDIR)/debian/iptables64/usr/share/lintian/overrides/iptables64
+endif
+
 binary-indep: build install
 
 binary-arch: build install

--- End Message ---
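The 36 versus 40 byte layout described in the report above, reproduced with one compiler on any host. This is an added example, not code from the bug report, iptables or the kernel: the `u64_*` typedefs, the stand-in entry structs and `len_check` are hypothetical names, the entry struct is reduced to a single 64-bit member (assumed here to be what drives the alignment), and `len_check` is a simplified model of the kernel-side size comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_MAXNAMELEN 32 /* IPT_TABLE_MAXNAMELEN; 32 + 4 gives the reported 36 */

/* A 64-bit integer as each ABI aligns it inside a struct (GCC/Clang attribute). */
typedef uint64_t u64_i386   __attribute__((aligned(4)));
typedef uint64_t u64_x86_64 __attribute__((aligned(8)));

/* Hypothetical stand-ins for struct ipt_entry: only its alignment matters here. */
struct entry_i386   { u64_i386   counter; };
struct entry_x86_64 { u64_x86_64 counter; };

struct get_entries_i386 {
    char name[TABLE_MAXNAMELEN];
    unsigned int size;
    struct entry_i386 entrytable[];   /* needs 4-byte alignment: no padding */
};

struct get_entries_x86_64 {
    char name[TABLE_MAXNAMELEN];
    unsigned int size;
    struct entry_x86_64 entrytable[]; /* needs 8-byte alignment: 4 bytes of padding */
};

size_t header_size_i386(void)   { return sizeof(struct get_entries_i386); }
size_t header_size_x86_64(void) { return sizeof(struct get_entries_x86_64); }

/* Simplified model of the kernel-side check: the length passed by userspace
 * must equal the kernel's own header size plus the entry blob size. */
int len_check(size_t kernel_header, size_t user_len, size_t entries_size)
{
    return user_len == kernel_header + entries_size ? 0 : -1;
}

int main(void)
{
    size_t blob = 128; /* constructed entry blob size */
    printf("i386 header:   %zu bytes, entries at offset %zu\n", header_size_i386(),
           offsetof(struct get_entries_i386, entrytable));
    printf("x86_64 header: %zu bytes, entries at offset %zu\n", header_size_x86_64(),
           offsetof(struct get_entries_x86_64, entrytable));
    printf("64-bit caller on 64-bit kernel: %d\n",
           len_check(header_size_x86_64(), header_size_x86_64() + blob, blob));
    printf("32-bit caller on 64-bit kernel: %d\n",
           len_check(header_size_x86_64(), header_size_i386() + blob, blob));
    return 0;
}
```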
--- Begin Message ---
This bug is fixed on the kernel side, on 2.6.17+.
Please see commit 2722971cbe831117686039d5c334f2c0f560be13 [1].

It is unlikely that this bug will ever be fixed on iptables' side and
even more unlikely that such a patch will be included in Debian,
especially considering that etch is going to release with 2.6.17 or
later. I'm not the maintainer though, so that's just a speculation.

Regards,
Faidon

1:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2722971cbe831117686039d5c334f2c0f560be13

--- End Message ---
