Bug #1212: forecast iptables commit failed: Invalid argument - strongSwan

Bug #1212

forecast iptables commit failed: Invalid argument

Added by John Woo almost 10 years ago. Updated over 9 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Tobias Brunner

Category:

libcharon

Target version:

5.4.0

Start date:

19.11.2015

Due date:

Estimated time:

Affected version:

5.3.3

Resolution:

Fixed

Description

Hi,

i'm using openwrt firmware (arm architecture) and there is an issue with forecast plugin.
can we rule out this issue?

last comment from martin willi:

https://lists.strongswan.org/pipermail/users/2015-June/008317.html

i will do anything to help. debug with gdb for example.

thanks,
docmax

999-connmark_align.patch (5.33 KB) 999-connmark_align.patch	Patch for connmark module	Saso Slavicic, 25.11.2015 11:43
999-forecast_align.patch (4.26 KB) 999-forecast_align.patch	Patch for forecast module	Saso Slavicic, 29.11.2015 19:59
999-forecast_align2.patch (4.26 KB) 999-forecast_align2.patch	Patch for forecast module (fixed)	Saso Slavicic, 29.11.2015 20:06

History

#1 Updated by Tobias Brunner almost 10 years ago

Status changed from New to Feedback

So why don't you start by answering Martin's questions?

#2 Updated by John Woo almost 10 years ago

Where is the question? In that thread? It's not my thread.

The architecture of OpenWrt is:

root@router:~# uname -a
Linux router 4.1.11 #4 Thu Nov 19 22:13:40 CET 2015 mips n

#3 Updated by Tobias Brunner almost 10 years ago

Where is the question? In that thread? It's not my thread.

Yes. Martin asked the original poster whether his kernel supports the MARK target and the udp/esp matches.

Linux router 4.1.11 #4 Thu Nov 19 22:13:40 CET 2015 mips n

He also mentioned that he only tested it on x86/x64 and that it could be an issue with the architecture. Since you are running on MIPS (big-endian) it could be an endianness or an alignment issue.

#4 Updated by John Woo almost 10 years ago

right, and how can we proceed further?
i enabled my kernel to support MARK.

#5 Updated by Saso Slavicic almost 10 years ago

It's an alignment issue. Each of the stucts in struct ipt should be sized XT_ALIGN(sizeof).
I don't think this can be achieved with static structs.

I have test-tried 2 approaches:
- use existing struct ipt, but then memcpy each member into dynamically allocated memory at the proper (aligned) offset (& fixing _size and _offset)
- allocate dynamic struct *ipt and build it with pointers

In both cases the rules load into OpenWRT Strongswan, but I must have missed something as the best I can get is:

57  8083 CONNMARK   all  --  *      *       84.xx.xx.xx        89.xx.xx.xx       policy match dir in pol ipsec spi 0xc09484c2[16 bytes of unknown target data]
64  7143 CONNMARK   all  --  *      *       89.xx.xx.xx        84.xx.xx.xx       [16 bytes of unknown target data]

(the PREROUTING rule seems ok though...)

#6 Updated by Saso Slavicic almost 10 years ago

File 999-connmark_align.patch 999-connmark_align.patch added

So it appears my code was ok, but I was missing libxt_connmark on my openwrt.

I've cleanup my patch a bit and I'm posting it here. This works for me on mips OpenWRT (ar71xx).

#7 Updated by John Woo almost 10 years ago

i still get the error

Sun Nov 29 03:35:31 2015 authpriv.info : 08[IKE] CHILD_SA ikev2-pubkey{1} established with SPIs ceb33618_i 670c4770_o and TS 192.168.1.0/24 239.255.255.250/32 === 192.168.1.239/32 239.255.255.250/32
Sun Nov 29 03:35:31 2015 daemon.info : 08[CFG] forecast iptables commit failed: Invalid argument
Sun Nov 29 03:35:31 2015 local0.notice vpn: + C=DE, O=docmax-net, CN=aquarism5.docmax-net.docmax.net 192.168.1.239/32 2.204.165.202 -- 78.53.156.170 192.168.1.0/24

#8 Updated by Saso Slavicic almost 10 years ago

There are 2 plugins that use similar code: forecast & connmark. Connmark was apparently based from the forecast plugin code as it prints out exactly the same error message: forecast iptables commit failed (in connmark_listener.c). I was testing connmark plugin and found this report and only later noticed there is another plugin with the same problem :-)

The above patch fixes the connmark plugin. Forecast plugin can be fixed in the same way, with just a few modifications to the above patch.
I can prepare it, if the solution is acceptable.

#9 Updated by John Woo almost 10 years ago

yes i noticed this, too. but i don't have the skills to do it. so please provide a patch for forecast.
thx!!

#10 Updated by Saso Slavicic almost 10 years ago

File 999-forecast_align.patch 999-forecast_align.patch added

Here's the forecast module patch. Note that I haven't tested it beyond compiling.

#11 Updated by Saso Slavicic almost 10 years ago

File 999-forecast_align2.patch 999-forecast_align2.patch added

One typo in the above patch...here's a fixed version :-)

#12 Updated by John Woo almost 10 years ago

thank you, it works

#13 Updated by Tobias Brunner almost 10 years ago

Could you please try the patches in the 1212-ipt-alignment branch.

#14 Updated by Saso Slavicic almost 10 years ago

Connmark plugin from the 1212-ipt-alignment branch works for me on mips Openwrt.

#15 Updated by Tobias Brunner over 9 years ago

Tracker changed from Issue to Bug
Category set to libcharon
Assignee set to Tobias Brunner
Target version set to 5.4.0
Resolution set to Fixed

#16 Updated by Tobias Brunner over 9 years ago

Status changed from Feedback to Closed

Project

General

Profile

strongSwan

Issues