Bugzilla – Bug 155004
iptables broken with CONFIG_DEBUG_SLAB enabled
Last modified: 2006-09-28 13:24:30 UTC
SuSEfirewall2 seems to be broken. I use Pegasos PPC. When the machine is started, there are a lot of error messages. What remained on screen, is here: Starting Firewall Initialization (phase 2 of 2) done commit failed on table mangle: Unknown error 4294967295 commit failed on table nat: Unknown error 4294967295 SuSEfirewall2: Error: iptables-batch failed, re-running using iptables iptables: Unknown error 4294967295 iptables: Too many links iptables: Unknown error 4294967295 iptables: Unknown error 4294967295 iptables: Chain already exists iptables: Chain already exists iptables: Chain already exists commit failed on table mangle: Unknown error 4294967295 SuSEfirewall2: Error: ip6tables-batch failed, re-running using ip6tables ip6tables: Unknown error 4294967295 ip6tables: Directory not empty ip6tables: Unknown error 4294967295 ip6tables: Chain already exists done
if this is a 64bit kernel, you need tgo 64bit iptables RPM. check with rpm -q --qf '%{ARCH}\n' iptables if you have the 32bit or 64bit rpm installed. this is a problem of the packagemanager in previous betas I think.
I see the same on g4.
Peter: Please provide the information asked for by Marcus in comment #1
this is a 32bit system.
Taking the PPC-Team into CC and reassigning to Ludwig.
the messages are from iptables so either iptables or the kernel is broken. iptables was last updated feb. 1st so if it worked in previous betas its probably the kernel.
Jaroslav, could you look at this one, please?
I tried beta7 and did not see it. But I did not see it with beta6 either. Is there anything special in your setup?
No, there isn't anything special. I installed both the CD and the factory version, and I had the same problem in both installations. I did not remove any package from the selection, just added a few more selections (kernel developer, apache).
hmm, same here. can you attach the final iptables -L -v -n and lsmod output?
Created attachment 71547 [details] output of starting SuSEfirewall2 I stopped SuSEfirewall2 from loading at boot, so I could collect all of the messages by starting it from a shell.
Created attachment 71548 [details] lsmod
Created attachment 71549 [details] iptables -L -v -n
Jaroslav, you can poke around on mulberry.suse.de. The log indicates that some libs cant be found. They seem to come from iptables.rpm.
Strange, our machine (beta7) does not show this behaviour. I cannot find any mentioned problem. Peter, could you upgrade to latest kernel (ftp://ftp.suse.com/pub/projects/kernel/kotd/ppc/HEAD/)? Also, disabling SuSEfirewall and typing 'modprobe ip6table_filter.ko' on command line might show the error. Is something iptables related in /var/log/messages after this command?
I'm just downloading 'factory' and will make a fresh install tomorrow.
I did a fresh install of sles10 beta7 on date, and now it happens.
_filter.kp gives -EINVAL
_filter.ko gives -EINVAL
ok, its the used .config. I did install a kernel with slab debugging enabled, and now it starts to fail.
Installed factory, and seems to work fine.
kmalloc returns something unaligned when slab debugging is enabled. the working case looks like this: sys_init_module(2019) modprobe(1705):c0,j4294903545 umod 30030008 23d38 '' ip6table_filter: module not supported by Novell, setting U taint flag. translate_table: size 856 check_entry_size_and_hooks(671) modprobe(1705):c0,j4294903592 e c26ab400 al 8 check_entry_size_and_hooks(671) modprobe(1705):c0,j4294903613 e c26ab4d0 al 8 check_entry_size_and_hooks(671) modprobe(1705):c0,j4294903634 e c26ab5a0 al 8 check_entry_size_and_hooks(671) modprobe(1705):c0,j4294903654 e c26ab670 al 8 translate_table(755) modprobe(1705):c0,j4294903675 ret 0 Finished chain 1 Finished chain 2 Finished chain 3 translate_table(790) modprobe(1705):c0,j4294903705 ret 0 ip6t_register_table(1301) modprobe(1705):c0,j4294903720 ret 0 init(176) modprobe(1705):c0,j4294903736 ret 0 init(182) modprobe(1705):c0,j4294903751 ret 0 init(187) modprobe(1705):c0,j4294903766 ret 0 init(192) modprobe(1705):c0,j4294903781 ret 0 sys_init_module(2049) modprobe(1705):c0,j4294903793 ip6table_filter returned 0 in the non-working case it looks like: sys_init_module(2019) modprobe(1695):c0,j4294904596 umod 30030008 23d28 '' ip6table_filter: module not supported by Novell, setting U taint flag. translate_table: size 856 check_entry_size_and_hooks(671) modprobe(1695):c0,j4294904644 e cfc5112c al 8 Bad offset cfc5112c 4 cfc511d4 cfc51484 translate_table(755) modprobe(1695):c0,j4294904676 ret -22 ip6t_register_table(1301) modprobe(1695):c0,j4294904691 ret -22 init(176) modprobe(1695):c0,j4294904708 ret -22 sys_init_module(2049) modprobe(1695):c0,j4294904721 ip6table_filter returned -22 cfc5112c is not 8 byte aligned.
Created attachment 72492 [details] Align kmalloc objects to 8 bytes This is my proposed patch for this issue. Could someone review this patch? Maybe the define should be conditional only when CONFIG_DEBUG_SLAB is not selected.
Created attachment 72545 [details] dmesg.2.6.16-rc6-20060312_ac_on_power-default-iptables-slab.txt helps only for some modules.
Created attachment 72546 [details] dmesg.2.6.16-rc6-20060312_ac_on_power-default-iptables-slab.txt kmalloc_node or vmalloc_node returns unaligned data, in xt_alloc_table_info()
so should kmalloc_node alloc size+8 and store 2 pointers (the malloc return value and the selfaligned pointer)?
I have commited a patch to hide CONFIG_SLAB_DEBUG if CONFIG_NETFILTER is enabled. just to avoid unexpected network failures when SuSEfirewall decides that the default rule should be DROP instead of ACCEPT.