Bug #1212

forecast iptables commit failed: Invalid argument

Added by John Woo almost 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Category: libcharon
Target version:
Start date: 19.11.2015
Due date:
Estimated time:
Affected version: 5.3.3
Resolution: Fixed

Description

Hi,

I'm using OpenWrt firmware (ARM architecture) and there is an issue with the forecast plugin.
Can we rule out this issue?

Last comment from Martin Willi:

https://lists.strongswan.org/pipermail/users/2015-June/008317.html

I will do anything to help, debug with gdb for example.

thanks,
docmax

999-connmark_align.patch (5.33 KB) 999-connmark_align.patch Patch for connmark module Saso Slavicic, 25.11.2015 11:43
999-forecast_align.patch (4.26 KB) 999-forecast_align.patch Patch for forecast module Saso Slavicic, 29.11.2015 19:59
999-forecast_align2.patch (4.26 KB) 999-forecast_align2.patch Patch for forecast module (fixed) Saso Slavicic, 29.11.2015 20:06

Associated revisions

Revision c4cb652a (diff)
Added by Tobias Brunner over 4 years ago

connmark: Fix alignment when adding rules

The structs that make up a message sent to the kernel all have to be
aligned with XT_ALIGN. That was not necessarily the case when
initializing the complete message as a struct.

Fixes #1212.

Revision 44456532 (diff)
Added by Tobias Brunner over 4 years ago

forecast: Fix alignment when adding rules

Basically the same issue as with the connmark plugin.

Fixes #1212.

History

#1 Updated by Tobias Brunner almost 5 years ago

  • Status changed from New to Feedback

So why don't you start by answering Martin's questions?

#2 Updated by John Woo almost 5 years ago

Where is the question? In that thread? It's not my thread.

The architecture of OpenWrt is:

root@router:~# uname -a
Linux router 4.1.11 #4 Thu Nov 19 22:13:40 CET 2015 mips n

#3 Updated by Tobias Brunner almost 5 years ago

Where is the question? In that thread? It's not my thread.

Yes. Martin asked the original poster whether his kernel supports the MARK target and the udp/esp matches.

Linux router 4.1.11 #4 Thu Nov 19 22:13:40 CET 2015 mips n

He also mentioned that he only tested it on x86/x64 and that it could be an issue with the architecture. Since you are running on MIPS (big-endian) it could be an endianness or an alignment issue.

#4 Updated by John Woo almost 5 years ago

Right, and how can we proceed further?
I enabled my kernel to support MARK.

#5 Updated by Saso Slavicic almost 5 years ago

It's an alignment issue. Each of the structs in struct ipt should be sized XT_ALIGN(sizeof).
I don't think this can be achieved with static structs.

I have test-tried 2 approaches:
- use existing struct ipt, but then memcpy each member into dynamically allocated memory at the proper (aligned) offset (& fixing _size and _offset)
- allocate dynamic struct *ipt and build it with pointers

In both cases the rules load into OpenWrt strongSwan, but I must have missed something as the best I can get is:

57  8083 CONNMARK   all  --  *      *       84.xx.xx.xx        89.xx.xx.xx       policy match dir in pol ipsec spi 0xc09484c2[16 bytes of unknown target data]
64 7143 CONNMARK all -- * * 89.xx.xx.xx 84.xx.xx.xx [16 bytes of unknown target data]

(the PREROUTING rule seems ok though...)
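The second approach described above (each part of the kernel message sized with XT_ALIGN and copied into a dynamically allocated buffer at an aligned offset, with the offset and size fields set from those positions), as an added illustration that is not code from strongSwan or from the attached patches. The entry/match/target structs are simplified stand-ins chosen so that their natural C layout and the XT_ALIGN'd layout differ; XT_ALIGN itself is reproduced from the kernel's x_tables.h definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* XT_ALIGN as the kernel defines it in x_tables.h: round a size up to the
 * alignment of the widest scalar. Reproduced so this builds without
 * netfilter headers. */
struct _xt_align { uint8_t u8; uint16_t u16; uint32_t u32; uint64_t u64; };
#define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align) - 1)) \
                     & ~(__alignof__(struct _xt_align) - 1))

/* Assumed stand-ins for the real entry/match/target headers. Their sizes
 * (6, 6 and 4 bytes) are not multiples of XT_ALIGN(1), which is exactly
 * what makes the static-struct layout below wrong. */
struct entry_hdr   { uint16_t target_offset; uint16_t next_offset; uint8_t flags; };
struct match_stub  { uint16_t size; char name[3]; };
struct target_stub { uint16_t size; uint8_t value; };

/* The bug: one static struct, so members sit at natural C offsets and the
 * target lands at offsetof(struct ipt_static, t), not at an XT_ALIGN'd one. */
struct ipt_static { struct entry_hdr e; struct match_stub m; struct target_stub t; };
size_t static_target_offset(void) { return offsetof(struct ipt_static, t); }

/* The fix: build the message in a dynamic buffer, place each part at an
 * XT_ALIGN'd offset, and derive offsets/sizes from those positions. */
struct built_rule { unsigned char *buf; size_t len, match_off, target_off; };

int build_rule(struct built_rule *r, const struct match_stub *m,
               const struct target_stub *t)
{
    size_t hdr_sz = XT_ALIGN(sizeof(struct entry_hdr));
    size_t m_sz = XT_ALIGN(sizeof *m), t_sz = XT_ALIGN(sizeof *t);
    struct entry_hdr e = { 0 };

    r->len = hdr_sz + m_sz + t_sz;
    r->buf = calloc(1, r->len);          /* zeroed, so padding is defined */
    if (!r->buf) return -1;
    r->match_off = hdr_sz;
    r->target_off = hdr_sz + m_sz;
    e.target_offset = (uint16_t)r->target_off;
    e.next_offset = (uint16_t)r->len;
    memcpy(r->buf, &e, sizeof e);
    memcpy(r->buf + r->match_off, m, sizeof *m);
    memcpy(r->buf + r->target_off, t, sizeof *t);
    /* the size fields must carry the aligned sizes, not sizeof */
    ((struct match_stub *)(r->buf + r->match_off))->size = (uint16_t)m_sz;
    ((struct target_stub *)(r->buf + r->target_off))->size = (uint16_t)t_sz;
    return 0;
}
```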

#6 Updated by Saso Slavicic almost 5 years ago

So it appears my code was ok, but I was missing libxt_connmark on my OpenWrt.

I've cleaned up my patch a bit and I'm posting it here. This works for me on MIPS OpenWrt (ar71xx).

#7 Updated by John Woo almost 5 years ago

I still get the error:

Sun Nov 29 03:35:31 2015 authpriv.info : 08[IKE] CHILD_SA ikev2-pubkey{1} established with SPIs ceb33618_i 670c4770_o and TS 192.168.1.0/24 239.255.255.250/32 === 192.168.1.239/32 239.255.255.250/32
Sun Nov 29 03:35:31 2015 daemon.info : 08[CFG] forecast iptables commit failed: Invalid argument
Sun Nov 29 03:35:31 2015 local0.notice vpn: + C=DE, O=docmax-net, CN=aquarism5.docmax-net.docmax.net 192.168.1.239/32 2.204.165.202 -- 78.53.156.170 192.168.1.0/24

#8 Updated by Saso Slavicic almost 5 years ago

There are 2 plugins that use similar code: forecast & connmark. Connmark was apparently based on the forecast plugin code as it prints out exactly the same error message: forecast iptables commit failed (in connmark_listener.c). I was testing the connmark plugin and found this report and only later noticed there is another plugin with the same problem :-)

The above patch fixes the connmark plugin. The forecast plugin can be fixed in the same way, with just a few modifications to the above patch.
I can prepare it, if the solution is acceptable.

#9 Updated by John Woo almost 5 years ago

Yes, I noticed this, too. But I don't have the skills to do it. So please provide a patch for forecast.
thx!!

#10 Updated by Saso Slavicic almost 5 years ago

Here's the forecast module patch. Note that I haven't tested it beyond compiling.

#11 Updated by Saso Slavicic almost 5 years ago

One typo in the above patch...here's a fixed version :-)

#12 Updated by John Woo almost 5 years ago

Thank you, it works.

#13 Updated by Tobias Brunner almost 5 years ago

Could you please try the patches in the 1212-ipt-alignment branch?

#14 Updated by Saso Slavicic almost 5 years ago

The connmark plugin from the 1212-ipt-alignment branch works for me on MIPS OpenWrt.

#15 Updated by Tobias Brunner over 4 years ago

  • Tracker changed from Issue to Bug
  • Category set to libcharon
  • Assignee set to Tobias Brunner
  • Target version set to 5.4.0
  • Resolution set to Fixed

#16 Updated by Tobias Brunner over 4 years ago

  • Status changed from Feedback to Closed
