On Fri, 11 Mar 2005 10:51:36 -0800 David S. Miller wrote: > On Fri, 11 Mar 2005 15:00:56 +0100 > Patrick McHardy <[EMAIL PROTECTED]> wrote: > > > Works fine here. You could try if reverting one of these two patches > > helps (second one only if its a SMP box). > > > > [EMAIL PROTECTED], 2005-03-09 20:28:17-08:00, [EMAIL PROTECTED] > > [NETFILTER]: Reduce call chain length in netfilter (take 2) > > It's this change, I know it is, because Linus sees the same problem > on his workstation. > > You wouldn't happen to be seeing this problem on a PPC box would > you? Since Linus's machine is a PPC machine too, that would support > my theory that this could be a compiler issue on that platform. > > Damn, wait, Patrick, I think I know what's happening. The iptables > IPT_* verdicts are dependant upon the NF_* values, and they don't > cope with Bart's changes I bet. Can you figure out what the exact > error would be? This kind of issue would explain the looping inside > of ipt_do_table(), wouldn't it?
This is not just some buggy code - that patch also breaks interfaces: include/linux/netfilter_ipv4/ip_tables.h: #define IPT_RETURN (-NF_MAX_VERDICT - 1) And this value is visible in userspace. Therefore we cannot modify NF_MAX_VERDICT without breaking all existing iptables binaries.
pgpz60SKWdZA8.pgp
Description: PGP signature
