Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore,/etc/rc.d/init.d/iptables
On Sat, 8 Sep 2001, Ben Reser wrote:

> On Sun, Sep 09, 2001 at 10:54:46AM +0800, Ian C. Sison wrote:
> > Agreed. BTW, Looking over the KNOWN_BUGS for iptables 1.2.2, it said
> >
> > "4) iptables-restore and -save still have problems. Sorry."
> >
> > I just feel good that someone's on it. The people at mandrake are quite
> > packaging the "bigger picture" to be bothered by this problem, which
> > really seems like quite a show stopper for those wanting to use iptables
> > with the initscripts.
>
> I don't think it's a show stopper. I think it's a minor nuisance. I
> use iptables with the init scripts and it works just fine. All you have
> to do is one of two things.

Well in the sense that i got the feeling that the entire initscript of
iptables wasn't tested [due to the '-f' in iptables-restore] and the
segfault, yes it gave me the idea that the iptables support was problematic
at the very least.

> Either put your data in the same format iptables-save uses.
> Or put it in via the iptables the way you want it and then use
> iptables-save to write the file.
> "/etc/init.d/iptables save" will write the file for you.

This would look good in the README file at least in the RPM version which
has the initscript...

> After having looked at iptables-restore for several hours today it would
> require rewriting iptables-restore from scratch to support what you
> want. I don't see the value in it and I doubt anybody else is going to.
> I'm just gonna write the patch that makes iptables-restore print an
> error message and exit out. Currently I'm using "Line %u does not
> appear to be valid iptables-save data.\n" I figure that will give those
> who are confused a hint.

I understand. It's good enough. That seems like a workable solution for
now.
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore, /etc/rc.d/init.d/iptables
On Sun, Sep 09, 2001 at 10:54:46AM +0800, Ian C. Sison wrote:

> Agreed. BTW, Looking over the KNOWN_BUGS for iptables 1.2.2, it said
>
> "4) iptables-restore and -save still have problems. Sorry."
>
> I just feel good that someone's on it. The people at mandrake are quite
> packaging the "bigger picture" to be bothered by this problem, which
> really seems like quite a show stopper for those wanting to use iptables
> with the initscripts.

I don't think it's a show stopper. I think it's a minor nuisance. I
use iptables with the init scripts and it works just fine. All you have
to do is one of two things.

Either put your data in the same format iptables-save uses.
Or put it in via the iptables the way you want it and then use
iptables-save to write the file.
"/etc/init.d/iptables save" will write the file for you.

After having looked at iptables-restore for several hours today it would
require rewriting iptables-restore from scratch to support what you
want. I don't see the value in it and I doubt anybody else is going to.
I'm just gonna write the patch that makes iptables-restore print an
error message and exit out. Currently I'm using "Line %u does not
appear to be valid iptables-save data.\n" I figure that will give those
who are confused a hint.

--
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

Just when you think you're not in Kansas anymore, turns out you are!
- Colonel Jack O'Neill SG1
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore,/etc/rc.d/init.d/iptables
On Sat, 8 Sep 2001, Ben Reser wrote:

> I agree that it shouldn't be segfaulting. That's why I'm spending today
> figuring out how to patch it so it doesn't. Actually I think I know how
> I just need to setup a copy in vmware since my firewall doesn't have
> development tools.
>
> > Furthermore, As /etc/sysconfig/iptables (like ipchains) is coded manually,
> > to effect global settings to the firewall, incidents like this will occur,
> > and segfaults are truly misleading. MY mistake was that i didn't look
> > much into the format of iptables-save before reporting the error.
> >
> > In any case. now that that is cleared up what is more correct? The old
> > format of ipchains in /etc/sysconfig/iptables (which a lot of people are
> > used to), or follow the new convention of iptables-restore?
>
> I think we need to follow the new conventions. Or make
> iptables-restore, pay attention to the -t. I think I can make the
> latter work pretty easily. Which should make your existing
> /etc/sysconfig/iptables work, but at the same time make iptables-save
> output work as well.
>
> I think making it work for more people is the better solution.

Agreed. BTW, Looking over the KNOWN_BUGS for iptables 1.2.2, it said

"4) iptables-restore and -save still have problems. Sorry."

I just feel good that someone's on it. The people at mandrake are quite
packaging the "bigger picture" to be bothered by this problem, which
really seems like quite a show stopper for those wanting to use iptables
with the initscripts.

Thanks!
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore, /etc/rc.d/init.d/iptables
On Sat, Sep 08, 2001 at 05:15:01PM +0800, Ian C. Sison wrote:

> It _is_ a bug in that it should not segfault when given a wrong input
> stream. If the format of the file changed radically from ipchains-save,
> then this situation should be handled gracefully, and not with a segfault.
> Segfaults leave users clueless and will find a way around it. In fact the
> original initscript even called iptables-restore with a '-f' flag, which
> led me to believe that the package was not tested before it was released.
> More doubt here.

I agree that it shouldn't be segfaulting. That's why I'm spending today
figuring out how to patch it so it doesn't. Actually I think I know how
I just need to setup a copy in vmware since my firewall doesn't have
development tools.

> Furthermore, As /etc/sysconfig/iptables (like ipchains) is coded manually,
> to effect global settings to the firewall, incidents like this will occur,
> and segfaults are truly misleading. MY mistake was that i didn't look
> much into the format of iptables-save before reporting the error.
>
> In any case. now that that is cleared up what is more correct? The old
> format of ipchains in /etc/sysconfig/iptables (which a lot of people are
> used to), or follow the new convention of iptables-restore?

I think we need to follow the new conventions. Or make
iptables-restore, pay attention to the -t. I think I can make the
latter work pretty easily. Which should make your existing
/etc/sysconfig/iptables work, but at the same time make iptables-save
output work as well.

I think making it work for more people is the better solution.

--
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

Just when you think you're not in Kansas anymore, turns out you are!
- Colonel Jack O'Neill SG1
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore,/etc/rc.d/init.d/iptables
On Fri, 7 Sep 2001, Ben Reser wrote:

> On Thu, Aug 30, 2001 at 07:50:52PM +0800, Ian C. Sison wrote:
> > Yes iptables works, but if you go via the /etc/sysconfig/iptables and
> > start it using the initscript of iptables, it will bomb out with a
> > segfault. iptables-restore has some bug, however if you invoke iptables
> > with the lines inside /etc/sysconfig/iptables individually, it works.
>
> WRONG WRONG WRONG WRONG! Don't do that. It'll start emitting all
> kinds of errors when you do: /etc/init.d/iptables save which calls
> iptables-save.
>
> The problem is that iptables-restore doesn't realize people are doing
> things wrong and segfaults when it sees a -t flag.
>
> > I made a modification to the initscript and sent it off to the maintainer
> > of the package already.
>
> Yeah and they applied it and it causes precisely the problem I
> described above.

It _is_ a bug in that it should not segfault when given a wrong input
stream. If the format of the file changed radically from ipchains-save,
then this situation should be handled gracefully, and not with a segfault.
Segfaults leave users clueless and will find a way around it. In fact the
original initscript even called iptables-restore with a '-f' flag, which
led me to believe that the package was not tested before it was released.
More doubt here.

Furthermore, As /etc/sysconfig/iptables (like ipchains) is coded manually,
to effect global settings to the firewall, incidents like this will occur,
and segfaults are truly misleading. MY mistake was that i didn't look
much into the format of iptables-save before reporting the error.

In any case. now that that is cleared up what is more correct? The old
format of ipchains in /etc/sysconfig/iptables (which a lot of people are
used to), or follow the new convention of iptables-restore?
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore, /etc/rc.d/init.d/iptables
On Thu, Aug 30, 2001 at 07:50:52PM +0800, Ian C. Sison wrote:

> Yes iptables works, but if you go via the /etc/sysconfig/iptables and
> start it using the initscript of iptables, it will bomb out with a
> segfault. iptables-restore has some bug, however if you invoke iptables
> with the lines inside /etc/sysconfig/iptables individually, it works.

WRONG WRONG WRONG WRONG! Don't do that. It'll start emitting all
kinds of errors when you do: /etc/init.d/iptables save which calls
iptables-save.

The problem is that iptables-restore doesn't realize people are doing
things wrong and segfaults when it sees a -t flag.

> I made a modification to the initscript and sent it off to the maintainer
> of the package already.

Yeah and they applied it and it causes precisely the problem I
described above.

--
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

Just when you think you're not in Kansas anymore, turns out you are!
- Colonel Jack O'Neill SG1
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore, /etc/rc.d/init.d/iptables
On Wed, Aug 29, 2001 at 10:40:22PM +0800, Ian C. Sison wrote:

>
> Hello, does anyone care to fix this problem?
>
> IPTables still SEGFAULTS with a simple iptables config file!
>
>
> i've tried to use iptables-1.2.2-3.1mdk with the latest
> kernel-2.4.7.12.3mdk, with the file /etc/sysconfig/iptables:
>
> ==
> -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> -A FORWARD -i eth1 -j ACCEPT
> ==
>
> and iptables-restore bombs out with a segfault..
>
> ~/srpm (#1028) cat /etc/sysconfig/iptables | iptables-restore
> Segmentation fault (core dumped)

This isn't a real bug. The problem is the difference between what
you're doing above and what iptables-restore is expecting.

iptables-restore is used to work on data produced by iptables-save. For
example in your situation iptables-save would produce something like
this:

# Generated by iptables-save v1.2.2 on Sat Sep 8 05:53:27 2001
*nat
:PREROUTING ACCEPT [23484:1599071]
:POSTROUTING ACCEPT [21819:1438770]
:OUTPUT ACCEPT [553:44179]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Sep 8 05:53:27 2001
# Generated by iptables-save v1.2.2 on Sat Sep 8 05:53:27 2001
*filter
:INPUT ACCEPT [5102:604719]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4199:606881]
-A FORWARD -i eth1 -j ACCEPT
COMMIT
# Completed on Sat Sep 8 05:53:27 2001

Note the lack of -t, but rather it uses *nat and COMMIT to show the
beginning and ending of a table. Switch to this format and your segfault
will go away.

--
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

Just when you think you're not in Kansas anymore, turns out you are!
- Colonel Jack O'Neill SG1
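
Added example, not part of the original thread or of iptables: a pre-flight check an init script could run before iptables-restore, accepting only the line types visible in the iptables-save output above (comments, *table, :CHAIN POLICY [packets:bytes], -A rules, COMMIT). The function name check_save_format is hypothetical, the counters in saved_sample are constructed, and the message wording is borrowed from the error text quoted elsewhere in this thread.

```sh
#!/bin/sh
# Added example (not from the thread, not part of iptables).
# check_save_format [FILE]   (hypothetical helper; reads stdin without FILE)
# Returns 0 if every line fits the iptables-save layout shown in this thread,
# otherwise prints the first offending line number and returns 1.
check_save_format() {
    awk '
        function bad(why) {
            printf "Line %d does not appear to be valid iptables-save data (%s)\n", NR, why
            failed = 1
            exit 1
        }
        /^[ \t]*$/ || /^#/ { next }          # blank lines and comments
        /^\*/ {                              # "*nat" opens a table
            if (in_table) bad("previous table has no COMMIT")
            if ($0 !~ /^\*[a-z]+$/) bad("malformed table header")
            in_table = 1
            next
        }
        $0 == "COMMIT" {                     # closes the current table
            if (!in_table) bad("COMMIT outside a table")
            in_table = 0
            next
        }
        /^:/ {                               # ":FORWARD DROP [0:0]"
            if (!in_table) bad("chain line outside a table")
            if ($0 !~ /^:[^ ]+ [^ ]+ \[[0-9]+:[0-9]+\]$/) bad("malformed chain line")
            next
        }
        /^-t / { bad("-t flag; open the table with a *name line instead") }
        /^-A / {                             # rule appended to a chain
            if (!in_table) bad("rule before any *table line")
            next
        }
        { bad("unrecognised line") }
        END {
            if (failed) exit 1
            if (in_table) { print "Table opened but never closed with COMMIT"; exit 1 }
        }
    ' "$@"
}

# The hand-written file from the report in this thread (iptables command syntax).
legacy_sample='-t nat -A POSTROUTING -o eth0 -j MASQUERADE
-A FORWARD -i eth1 -j ACCEPT'

# The same rules in iptables-save layout; counters zeroed (constructed).
saved_sample='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

printf '%s\n' "$saved_sample"  | check_save_format && echo "saved_sample: ok"
printf '%s\n' "$legacy_sample" | check_save_format || echo "legacy_sample: rejected"

# In an init script the check would gate the real call, for example:
#   check_save_format /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

The grammar is deliberately narrower than what iptables-restore accepts, so a file that fails here may only need regenerating with iptables-save.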
RE: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore, /etc/rc.d/init.d/iptables
> >
> > What bugfix do you need? Current iptables from cooker work (I'm using it
> > just now). I do not know if it is tied to particular kernel release, my
> > guess is no. Just provide it as an update for 8.0.
> >
>
> Yes iptables works, but if you go via the /etc/sysconfig/iptables and
> start it using the initscript of iptables, it will bomb out with a
> segfault. iptables-restore has some bug, however if you invoke iptables
> with the lines inside /etc/sysconfig/iptables individually, it works.
>

No. I said that I use it verbatim without any modifications. Exactly the
same version as found in current cooker.

-andrej
RE: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore,/etc/rc.d/init.d/iptables
On Thu, 30 Aug 2001, Andrej Borsenkow wrote:

>
> What bugfix do you need? Current iptables from cooker work (I'm using it
> just now). I do not know if it is tied to particular kernel release, my
> guess is no. Just provide it as an update for 8.0.
>

Yes iptables works, but if you go via the /etc/sysconfig/iptables and
start it using the initscript of iptables, it will bomb out with a
segfault. iptables-restore has some bug, however if you invoke iptables
with the lines inside /etc/sysconfig/iptables individually, it works.

I made a modification to the initscript and sent it off to the maintainer
of the package already.
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore, /etc/rc.d/init.d/iptables
"R.I.P. Deaddog" <[EMAIL PROTECTED]> writes:

> On Wed, 29 Aug 2001, Grégoire Colbert wrote:
>
> > bad. I remember that years ago, around Mandrake 6.0, I fixed a startup
> > script so that dhcpcd could be used (nameless "pump" was the only
> > choice). I had to write numerous messages to the list, first saying
> > "Redhat's Pump does not work, please allow Dhcpcd", and later I fixed
> > the script myself, and it goes ignored for many weeks, until Pixel
> > finally corrected the bug... on his own. Anyway, I had to fight for
>
> I have given up on fixing things and posting patch onto this list too, as
> this is not productive at all. Usually ignored, without single bit of
> acknowledgement. Might be that's because I'm not persistent enough, but now

i wonder if clean bugfix patches have ever been rejected...

for iptables, it's in no way a bugfix, more like a bug report. Bug reports
are taken into account when the maintainer has some time (and chmouel is
ill) and the will to fix it. Give a correct bugfix and it will be fixed
much sooner.
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore,/etc/rc.d/init.d/iptables
(groan)

Maybe it's just a case of barking up the wrong tree? I've reported this
problem of iptables-restore segfaulting ever since kernel 2.4.5, complete
with a sample config which will definitely prove a repeatable bug, but with
no real response from the mdk-cooker team.

I can't go directly to the iptables maintainers, because they will just
point me back to the maintainer of my kernel/distro, which put in so many
patches from stock.

So what am i to do about this? I've found out that iptables-restore is the
problem, and if i do a line by line execution of the contents of
/etc/sysconfig/iptables, it doesn't segfault. This means changing the
initscript for iptables.

Oh well..

On Thu, 30 Aug 2001, R.I.P. Deaddog wrote:

> On Wed, 29 Aug 2001, Grégoire Colbert wrote:
>
> > bad. I remember that years ago, around Mandrake 6.0, I fixed a startup
> > script so that dhcpcd could be used (nameless "pump" was the only
> > choice). I had to write numerous messages to the list, first saying
> > "Redhat's Pump does not work, please allow Dhcpcd", and later I fixed
> > the script myself, and it goes ignored for many weeks, until Pixel
> > finally corrected the bug... on his own. Anyway, I had to fight for
>
> I have given up on fixing things and posting patch onto this list too, as
> this is not productive at all. Usually ignored, without single bit of
> acknowledgement. Might be that's because I'm not persistent enough, but now
> I learned to post a bugzilla and ignore it afterwards, let unfixed packages
> go unfixed, and just doing any fix for personal use; or sometimes contact
> software maintainers directly instead of whining here. The latter seems to
> be better way of fixing things.
>
> Again, wasting time doing fixes yourself is still better than being
> angry without anything done.
>
> Abel
>
>
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore,/etc/rc.d/init.d/iptables
On Wed, 29 Aug 2001, Paul Cox wrote:

> On Wednesday, Aug 29, 2001, Ian C. Sison wrote:
>
> > Hello, does anyone care to fix this problem?
> >
> > IPTables still SEGFAULTS with a simple iptables config file!
> >
> >
> > i've tried to use iptables-1.2.2-3.1mdk with the latest
> > kernel-2.4.7.12.3mdk, with the file /etc/sysconfig/iptables:
> >
> > ==
> > -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > -A FORWARD -i eth1 -j ACCEPT
> > ==
> >
> > and iptables-restore bombs out with a segfault..
>
> I would suggest trying an 'rpm --rebuild' on the .src.rpm. Sometimes
> that's necessary when you update your running kernel.

I did just that. Same problem...
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore, /etc/rc.d/init.d/iptables
On Wednesday, Aug 29, 2001, Ian C. Sison wrote:

> Hello, does anyone care to fix this problem?
>
> IPTables still SEGFAULTS with a simple iptables config file!
>
>
> i've tried to use iptables-1.2.2-3.1mdk with the latest
> kernel-2.4.7.12.3mdk, with the file /etc/sysconfig/iptables:
>
> ==
> -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> -A FORWARD -i eth1 -j ACCEPT
> ==
>
> and iptables-restore bombs out with a segfault..

I would suggest trying an 'rpm --rebuild' on the .src.rpm. Sometimes
that's necessary when you update your running kernel.

--
Paul Cox
Kernel: 2.4.7-12.3mdk - Uptime: 8 days 19 hours 56 minutes.
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore,/etc/rc.d/init.d/iptables
On Wed, 29 Aug 2001, Grégoire Colbert wrote:

> bad. I remember that years ago, around Mandrake 6.0, I fixed a startup
> script so that dhcpcd could be used (nameless "pump" was the only
> choice). I had to write numerous messages to the list, first saying
> "Redhat's Pump does not work, please allow Dhcpcd", and later I fixed
> the script myself, and it goes ignored for many weeks, until Pixel
> finally corrected the bug... on his own. Anyway, I had to fight for

I have given up on fixing things and posting patch onto this list too, as
this is not productive at all. Usually ignored, without single bit of
acknowledgement. Might be that's because I'm not persistent enough, but now
I learned to post a bugzilla and ignore it afterwards, let unfixed packages
go unfixed, and just doing any fix for personal use; or sometimes contact
software maintainers directly instead of whining here. The latter seems to
be better way of fixing things.

Again, wasting time doing fixes yourself is still better than being
angry without anything done.

Abel
Re: [Cooker] [STILL NOT WORKING 2.4.7-12.3mdk] ISSUES iptables-restore, /etc/rc.d/init.d/iptables
Ian C. Sison wrote:

> Hello, does anyone care to fix this problem?

Dear Ian,

Keep praying that notices your message and it will perhaps be fixed.
Warning : if you provide a fix yourself, it will go ignored : as you
might have noticed, my thread called "Holy Minimal Install" scored
almost 50 answers of useless discussions, and the ones about IEEE1394,
with actual research on my side, with finally a fixed package, keeps
being ignored for the last three days (and it's not over yet). That
makes me mad, as all I want is someone to grab my RPM and put it into
contrib. Would take 15 seconds max. I'm very sure that my bugfix won't
break anything, I know that I did not put a "rm -rf /" in the spec file,
etc. However, ignored.

Ooooh, MandrakeSoft people do a lot of work every day (changelog), but
writing a bug fix takes time for contributors, who are usually not
"professional hackers", and as such, their messages could at least be
answered with a "it will be done when we have the time, thank you for
your help in making LM better", instead of being ignored, seemingly or
really ignored. This is frustrating and takes away the motivation like
kryptonite with Superman. You never know if someone noticed, like when
you write to a commercial company for requesting a Linux port : you feel
bad. I remember that years ago, around Mandrake 6.0, I fixed a startup
script so that dhcpcd could be used (nameless "pump" was the only
choice). I had to write numerous messages to the list, first saying
"Redhat's Pump does not work, please allow Dhcpcd", and later I fixed
the script myself, and it goes ignored for many weeks, until Pixel
finally corrected the bug... on his own. Anyway, I had to fight for
that, with dozens of messages, even though the bugfix was three lines
long... I understand that some things are more important than others,
but when someone provides a fix just for you, please GO and GET IT.

Well, maybe read access to /incoming could help, as other contributors
could say "that package is debugged, as far as I've tested it, you can
safely put it in the contribs". That would make things more pleasant.

Grégoire

> IPTables still SEGFAULTS with a simple iptables config file!
>
>
> i've tried to use iptables-1.2.2-3.1mdk with the latest
> kernel-2.4.7.12.3mdk, with the file /etc/sysconfig/iptables:
>
> ==
> -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> -A FORWARD -i eth1 -j ACCEPT
> ==
>
> and iptables-restore bombs out with a segfault..
>
> ~/srpm (#1028) cat /etc/sysconfig/iptables | iptables-restore
> Segmentation fault (core dumped)
>
>
> Ideas?