Re: netfilter spurious ELOOP

From: David Miller
Date: Tuesday, March 24, 2009 - 4:28 pm

From: Francis Dupont <Francis.Dupont@fdupont.fr>
Date: Wed, 25 Mar 2009 00:02:05 +0100

--

From: Patrick McHardy
Date: Wednesday, March 25, 2009 - 10:07 am

Just to clarify: does the problem happen when you have the MARK rule
above in a user-defined chain that has more than one jump leading to
it, or does it also happen in other cases?
--

From: Francis Dupont
Date: Wednesday, March 25, 2009 - 10:37 am

=> I triggered the bug with a real world example:
 - first add a rule with a MARK target using a set mark with the first/sign
  bit set to one. This target is coded with this mark put at the same
  place as the verdict field of standard targets. (note this should
  be triggered by a lot of targets but I got it with MARK)
 - try to add another rule (with -A or -I but this works too with restore,
  the idea is to get a replace ioctl with an illegal value in a verdict
  position).
 - if you are (un?)lucky you get the ELOOP error.

If you read my proposed fix the problem is pretty easy to understand.
I asked diff to give enough context for humans (i.e., more than needed
to apply it as a patch).

Thanks

Francis_Dupont@isc.org

PS: I really need a bug-ticket-etc number because some business is implied
(BTW IMHO you prefer to get the report once and by the most direct path,
don't you?)
PPS: here I've cut & paste the config I used to track the bug:

-------------------------------- save file --------------------------------
# Generated by iptables-save v1.4.2 on Tue Mar 24 18:54:43 2009
COMMIT
# Completed on Tue Mar 24 18:54:43 2009
# Generated by iptables-save v1.4.2 on Tue Mar 24 18:54:43 2009
-A PREROUTING -d 10.0.200.2/32 -p tcp -m tcp --dport 5001 -j MARKOUT1 
-A MARKOUT1 -j MARK --set-xmark 0x80000001/0xffffffff 
-A MARKOUT1 -j CONNMARK --save-mark --nfmask 0x3fffffff --ctmask 0x3fffffff 
-A MARKOUT1 -j ACCEPT 
COMMIT
# Completed on Tue Mar 24 18:54:43 2009
-------------------------------- cut here  --------------------------------

I got the bug with the UDP counterpart:

iptables -t mangle -A PREROUTING -d 10.0.200.2/32 -p udp --dport 5001 \
-j MARKOUT1
--
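A constructed C model of the confusion Francis describes, added here as an illustration (it is neither the kernel's mark_source_chains nor the patch from this thread): the slot that holds the standard target's verdict is the same slot that holds MARK's mark, so a mark with the sign bit set reads as a hugely negative verdict unless the validation first checks that the target really is the standard one. The struct layout, the constant values, the two-jump walk and the validate-on-revisit behaviour are assumptions made for the model.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the layout Francis describes: target-private data starts
 * right after the target header, so one slot holds the standard target's signed
 * verdict and, for MARK, the unsigned mark. Constants assumed from kernel headers. */
#define NF_MAX_VERDICT 5           /* NF_STOP */
#define STANDARD_TARGET_NAME ""    /* the standard target has an empty name */

struct entry {
    char target_name[29];
    union { int32_t verdict; uint32_t mark; } u; /* verdict (standard) or --set-xmark value (MARK) */
    int visited;                                 /* stands in for the kernel's comefrom bits */
};
/* Buggy check: reads the slot as a verdict for every target, so a mark with
 * the sign bit set (0x80000001) is seen as the bad verdict -2147483647. */
static int verdict_ok_buggy(const struct entry *e)
{
    return e->u.verdict >= -NF_MAX_VERDICT - 1;
}
/* Fixed check: only the standard target keeps a verdict in that slot. */
static int verdict_ok_fixed(const struct entry *e)
{
    if (strcmp(e->target_name, STANDARD_TARGET_NAME) != 0)
        return 1;
    return e->u.verdict >= -NF_MAX_VERDICT - 1;
}

/* Simplified loop-detection walk: two rules (the TCP and UDP PREROUTING ones)
 * jump to the chain, so every entry is seen twice and the verdict is validated
 * on the revisit. Returns 0 where the kernel would report ELOOP, else 1. */
static int walk_chain(struct entry *chain, int n, int (*ok)(const struct entry *))
{
    for (int jump = 0; jump < 2; jump++)
        for (int i = 0; i < n; i++) {
            if (chain[i].visited && !ok(&chain[i]))
                return 0;
            chain[i].visited = 1;
        }
    return 1;
}

/* Two-rule MARKOUT1 from the report (CONNMARK left out), walked with one check. */
int markout1_accepted(int use_fixed)
{
    struct entry chain[2] = {
        { "MARK", { .mark = 0x80000001u }, 0 }, /* -j MARK --set-xmark 0x80000001 */
        { "",     { .verdict = -2 },       0 }, /* -j ACCEPT (XT_ACCEPT = -NF_ACCEPT - 1) */
    };
    return walk_chain(chain, 2, use_fixed ? verdict_ok_fixed : verdict_ok_buggy);
}
```

With the buggy check the walk rejects the table on the second jump into MARKOUT1, which is the sporadic ELOOP seen in the report; with the fixed check the same chain is accepted.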

From: Patrick McHardy
Date: Wednesday, March 25, 2009 - 11:12 am

I'm not a service center, sorry :) Feel free to create an entry in
the netfilter bugzilla, I'll mark it resolved once the patch is

Thanks, that answers my question. I'll apply your patch and send it to
-stable once it's in the mainline kernel.
--

From: Patrick McHardy
Date: Wednesday, March 25, 2009 - 11:38 am

The same bug was also present in ip6_tables and arp_tables.
This is the patch I've committed:

