Fix for the common iptables module errors "invalid size 0 != 16" and "Unknown error -4294967295"
Most people who have added a module to iptables, or patched it, have run into invalid size 0 != 16 (also seen as iptables: Unknown error -4294967295; one is printed directly by iptables, the other shows up in dmesg|tail), but I never found a solution for it online. I debugged it myself and am sharing the method here in the hope that it helps others:
Using ipt_time.c as the example, the final fix is:
Add the line .matchsize = sizeof(struct ipt_time_info), to ipt_time.c, as follows:
static struct ipt_match time_match = {
.name = "time",
.match = match,
.matchsize = sizeof(struct ipt_time_info),
.checkentry = checkentry,
.me = THIS_MODULE
};
Also, the kernel's checkentry and match functions have changed between Linux versions, for example:
Linux 2.6.22.5, include/linux/netfilter/x_tables.h:
struct xt_match
{
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop);
/* Called when user tries to insert an entry of this type. */
/* Should return true or false. */
int (*checkentry)(const char *tablename,
const void *ip,
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mask);
/* ... */
};
Linux 2.6.18.1:
struct xt_match
{
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.6.9, as this must now handle
non-linear skb, using skb_header_pointer and
skb_ip_make_writable. */
int (*match)(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
int *hotdrop);
/* ... */
};
If you only want the fix, you can stop reading here; below is how I tracked it down:
[root@localhost ~]# iptables -A INPUT -m time --timestart 01:00 --timestop 22:00 -j ACCEPT
The error output was:
libipt_time init start!
libipt_time init end!
added by liuzhb,iptables libipt_time.c init!
added by liuzhb,iptables libipt_time.c final_check!
iptables: Unknown error 4294967295
[root@localhost ~]# dmesg |tail
ipt_time loading
ip_tables: time match: invalid size 0 != 16
ipt_time unloaded
ipt_time loading
ip_tables: time match: invalid size 0 != 16
ipt_time unloaded
ipt_time loading
ip_tables: time match: invalid size 0 != 16
ip_tables: time match: invalid size 0 != 16
ip_tables: time match: invalid size 0 != 16
libipt_time.c had already been modified to add several printfs, for example:
/* Final check */
static void
final_check(unsigned int flags)
{
printf("iptables libipt_time.c final_check!\n");
/* Nothing to do */
}
[root@localhost ~]# iptables -A INPUT -m time --help
This produces output, so the libipt_time.so shared library is being found, and final_check is the last check function iptables runs, so the problem is not in iptables.
[root@localhost net]# pwd
linux-2.6.18.1-NETFILTER-MODULE/linux-2.6.18.1/net
[root@localhost net]# grep -nr "invalid size" *
Binary file built-in.o matches
Binary file netfilter/x_tables.o matches
Binary file netfilter/built-in.o matches
netfilter/x_tables.c:251: printk("%s_tables: %s match: invalid size %Zu != %u\n",
netfilter/x_tables.c:328: printk("%s_tables: %s target: invalid size %Zu != %u\n",
[root@localhost net]#
So the error ultimately comes from x_tables.c!
Rebuild the kernel: in make menuconfig, set IP: Netfilter Configuration ---> <M> IP tables support (required for filtering/masq/NAT) to be built as a module!
Then make bzImage, copy the config, System.map and bzImage to /boot, update grub,
make modules / modules_install, mkinitrd ...
Keep adding output (printk...) to ip_tables.c and rebuild it as follows:
make M=net/ipv4/netfilter/ modules
make M=net/ipv4/netfilter/ modules_install
rmmod ipt_time
rmmod iptables_filter
rmmod ip_tables
modprobe ip_tables
modprobe iptable_filter
Then add output to the kernel source to trace the call flow!
The flow is as follows:
xt_check_match(...)
{
        ...
        if (XT_ALIGN(match->matchsize) != size) {
                printk("%s_tables: %s match: invalid size %Zu != %u\n",
                       xt_prefix[family], match->name,
                       XT_ALIGN(match->matchsize), size);
                return -EINVAL;
        }
        ...
}
[root@radius-server netfilter]# grep -nr "xt_check_match" *
ip_tables.c:509: ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
[root@radius-server netfilter]#
All the relevant code is in ip_tables.c!!!
static inline int
check_match(struct ipt_entry_match *m, const char *name,
            const struct ipt_ip *ip, unsigned int hookmask, unsigned int *i)
{
        struct ipt_match *match;
        int ret;

        /* debug output added for this investigation */
        printk(KERN_INFO "Netfilter check_match before try_then_request_module:\n"
               "\tipt_entry_match->u.user.name is:%s;\n"
               "\tipt_entry_match->u.user.revision is:%d; !\n",
               m->u.user.name, m->u.user.revision);
        /* this prints name as "time", so the match name arrives correctly!! */
        match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
                                                      m->u.user.revision),
                                        "ipt_%s", m->u.user.name);
        if (IS_ERR(match) || !match) {
                duprintf("check_match: `%s' not found\n", m->u.user.name);
                return match ? PTR_ERR(match) : -ENOENT;
        }
        m->u.kernel.match = match;
        printk(KERN_INFO "Netfilter check_match before xt_check_match:\n"
               "\tipt_match->matchsize is:%u;\n"
               "\tsize(m->u.match_size-sizeof(*m)) is :%zu;\n"
               "\tsizeof(*m) is :%zu;!\n",
               match->matchsize, m->u.match_size - sizeof(*m), sizeof(*m));
        /* the two sizes printed above already differ: ipt_match->matchsize is 0! */
        ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
                             name, hookmask, ip->proto,
                             ip->invflags & IPT_INV_PROTO);
        /* ... remainder of the function unchanged ... */
}
At this point, comparing ipt_time.c with ipt_TTL.c in the kernel source reveals:
static struct ipt_match ttl_match = {
.name = "ttl",
.match = match,
.matchsize = sizeof(struct ipt_ttl_info),
.me = THIS_MODULE,
};
static struct ipt_match time_match = {
.name = "time",
.match = &match,
.checkentry = &checkentry,
.me = THIS_MODULE
};
Modify ipt_time.c to add:
static struct ipt_match time_match = {
.name = "time",
.match = match,
.matchsize = sizeof(struct ipt_time_info),
.checkentry = checkentry,
.me = THIS_MODULE
};
Success!
By adding output to ip_tables.c, I found the following flow:
do_ipt_set_ctl ->do_replace ->translate_table ->check_entry-> check_match-> xt_check_match
[ Last edited by yifei429 on 2008-4-10 16:32 ]
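The size check that the trace above leads to, as an added example that is not part of the original post: a user-space C program that mirrors the comparison xt_check_match makes between the module's .matchsize and the private-data size carried by the rule. XT_ALIGN and the match header are simplified copies of the kernel's, and struct sample_time_info is a constructed 16-byte stand-in for struct ipt_time_info.

```c
/* Added example, not code from the original post: reproduces in user space the
 * size accounting behind "ip_tables: time match: invalid size 0 != 16".  XT_ALIGN
 * and the match header are simplified copies of the kernel's; struct
 * sample_time_info is a constructed 16-byte stand-in for struct ipt_time_info. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel rounding rule: private match data is padded to 8-byte alignment. */
#define XT_ALIGN(s) (((s) + (_Alignof(uint64_t) - 1)) & ~(_Alignof(uint64_t) - 1))

/* Constructed stand-in for struct ipt_time_info (sizeof == 16). */
struct sample_time_info {
    uint8_t  days_match;
    uint16_t time_start, time_stop;
    uint8_t  kerneltime;
    uint32_t date_start, date_stop;
};

/* User-space view of struct ipt_entry_match (u.user): a 32-byte header that
 * precedes the match's private data in the rule blob. */
struct entry_match_hdr {
    uint16_t match_size;          /* header plus aligned private data */
    char     name[29];
    uint8_t  revision;
};

/* The test xt_check_match() performs: the module's .matchsize, rounded by
 * XT_ALIGN, must equal the private-data size the rule carries. */
static int check_match_size(unsigned int module_matchsize, size_t size)
{
    if (XT_ALIGN(module_matchsize) != size) {
        printf("ip_tables: time match: invalid size %zu != %zu\n",
               (size_t)XT_ALIGN(module_matchsize), size);
        return -EINVAL;
    }
    return 0;
}
/* What libipt_time.so puts in the rule; returns what the kernel derives as
 * m->u.match_size - sizeof(*m): 16 here, whatever the module's .matchsize is. */
static size_t rule_private_size(void)
{
    struct entry_match_hdr m = { .match_size = XT_ALIGN(sizeof m)
                                 + XT_ALIGN(sizeof(struct sample_time_info)) };
    return m.match_size - sizeof m;
}
/* Kernel verdict for a module's .matchsize: 0 (field omitted) gives -EINVAL,
 * sizeof(struct sample_time_info) (the fix) gives 0. */
static int verdict(unsigned int module_matchsize)
{
    return check_match_size(module_matchsize, rule_private_size());
}
```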
Comments (8)
Nice analysis, +1 for original work.
It would be better with some formatting, wrapping the code parts in code tags.
I formatted it in Word, and it ended up like this after pasting it over...
Does the BBS have a formatting tool? I'll look next time.
Also, thanks for making it a featured post, heh.
Then why not just zip the Word document and upload it?
OP, I've run into the same problem; the error I get is
ip_tables: time match: invalid size 0 != 16
iptables: Unknown error 4294967295
Following your method I changed:
static struct ipt_match time_match = {
.name = "time",
.match = &match,
.checkentry = &checkentry,
.me = THIS_MODULE
};
to:
static struct ipt_match time_match = {
.name = "time",
.match = match,
.matchsize = sizeof(struct ipt_time_info),
.checkentry = checkentry,
.me = THIS_MODULE
};
but it still reports an error, as follows:
iptables: Unknown error 4294967295
My kernel is 2.6.20.3.
Great!
This is exactly the kind of case I needed!
A lot of people online run into this problem, but there's no real solution... anyone who has hit it and fixed it, please share...
Still the problem from post #6: kernel 2.6.20.3, iptables 1.3.5.
[ Last edited by chuizx on 2009-5-21 12:03 ]
Learning.