
Bug#636170: linux-image-3.0.0-1-loongson-2f doesn't allow some connections through iptables



Package: linux-2.6
Version: 3.0.0-1
Severity: important

*** Please type your report below this line ***
I'm using a Lemote mini-PC as my gateway through a simple iptables
configuration.  I use Debian unstable.  With yesterday's upgrade, which
updated the Linux kernel to 3.0.0-1 and iptables as well, my gateway
broke.

% cat /var/log/aptitude
...
[UPGRADE] iptables 1.4.11.1-3 -> 1.4.12-1
...
[UPGRADE] linux-image-loongson-2f 2.6.39+35.1 -> 3.0.0+39
...

What got broken is some connections from internal boxes connected to
the gateway to some outside places external to the gateway.

For example, trying to upgrade again today from the gateway had no
problem at all.  However trying to upgrade from an internal box was
hard, both in the sense that getting the headers took way longer than
in the gateway, and that when the time came for safe-upgrade and after
downloading the packages, apt-listbugs just failed indicating it
couldn't connect to extract the bug information.  To get to upgrade on
the internal boxes, the apt-listbugs part of the process was canceled.

I also connect to a msn account through pidgin.  But since the upgrade
until I installed back 2.6.39-2 linux kernel, I could NOT connect at
all to msn.  To get msn working again, I just had to install the old,
prior working kernel 2.6.39-2.

The prior confirms to me that actually the problem was not with
iptables, since I didn't have to even try downgrading it.  Just by
installing 2.6.39-2 linux kernel version for loongson-2f worked out
great.

Notice that there are several changes in the kernel config files
(under boot) between 2.6.39-2 and 3.0.0-1, however I couldn't
appreciate any significant variation that could have affected the
iptables behavior.  My iptables script is under:

/etc/network/if-up.d/00_gateway

It's pretty simple:

++++++++++
# delete all existing rules and clean up.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -o eth0 -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
++++++++++

That's it, pretty simple as well...  Also I'm using a USB NIC to
connect outside the gateway through ppp:

/etc/network/interfaces

++++++++++
auto lo
iface lo inet loopback

# The internal LAN on embedded NIC
auto eth0
iface eth0 inet static
        pre-up /sbin/ethtool -K eth0 rx off
        post-up /sbin/ethtool -K eth0 rx off
        address 192.168.2.1
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255

# The external LAN USB NIC
auto eth1
iface eth1 inet manual

## The dsl-provider through PPPoE
auto dsl-provider
iface dsl-provider inet ppp
        pre-up /sbin/ifconfig eth1 up # line maintained by pppoeconf
        provider dsl-provider
        post-down /sbin/ifconfig eth1 down
++++++++++

I didn't have the post-up command before for the built-in NIC, but one
of my initial thoughts was that perhaps one of the changes was related
to that, but in reality it was not the issue.  One needs to disable
hardware crc sum calculation on the realtek built-in card otherwise
the NIC transports wrong packages...  Again this seems not to be the
issue though, since the setting (/sbin/ethtool -K eth0 rx off) is
working out in the prior kernel, and has no observed effect in the
current one.

So I can't really use linux kernel 3.0.0-1 on my gateway at this
moment.  My workaround was to use the prior one, 2.6.39-2, still present
in testing, and with the workaround the problems go away, :-)

Not sure what changes in the linux kernel for loongson-2f cause the
new misbehavior, but it's sure the kernel is the one preventing my
connections from internal boxes connected to my gateway...

% aptitude search '~i' | 'grep' linux-image
u   linux-image-2.6-loongson-2f     - Linux for Loongson 2F (dummy package)
i   linux-image-2.6.39-2-loongson-2 - Linux 2.6.39 for Loongson 2F
i A linux-image-3.0.0-1-loongson-2f - Linux 3.0.0 for Loongson 2F
i   linux-image-loongson-2f         - Linux for Loongson 2F (meta-package)

Any help to get the kernel work properly with iptables for a gateway
will be most appreciated...

Thanks,

Javier.


-- Package-specific info:
** Model information
system type             : lemote-fuloong-2f-box
cpu model               : ICT Loongson-2 V0.3  FPU V0.1

** PCI devices:
00:06.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet [10ec:8169] (rev 10)
        Subsystem: Realtek Semiconductor Co., Ltd. RTL8169/8110 Family PCI Gigabit Ethernet NIC [10ec:8169]
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr+ Stepping- SERR- FastB2B- DisINTx-
        Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 64 (8000ns min, 16000ns max), Cache Line Size: 32 bytes
        Interrupt: pin A routed to IRQ 36
        Region 0: I/O ports at 4000 [size=256]
        Region 1: Memory at 50072000 (32-bit, non-prefetchable) [size=256]
        Expansion ROM at 50040000 [size=128K]
        Capabilities: <access denied>
        Kernel driver in use: r8169

00:08.0 VGA compatible controller [0300]: Silicon Integrated Systems [SiS] 315PRO PCI/AGP VGA Display Adapter [1039:0325] (prog-if 00 [VGA controller])
        Subsystem: Device [3030:3030]
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap+ 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 71 (750ns min, 4000ns max)
        Interrupt: pin A routed to IRQ 38
        BIST result: 00
        Region 0: Memory at 40000000 (32-bit, prefetchable) [size=256M]
        Region 1: Memory at 50000000 (32-bit, non-prefetchable) [size=256K]
        Region 2: I/O ports at 4800 [size=128]
        Expansion ROM at 50060000 [size=64K]
        Capabilities: <access denied>
        Kernel driver in use: sisfb

00:0e.0 ISA bridge [0601]: Advanced Micro Devices [AMD] CS5536 [Geode companion] ISA [1022:2090] (rev 03)
        Subsystem: Advanced Micro Devices [AMD] CS5536 [Geode companion] ISA [1022:2090]
        Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Region 0: I/O ports at 4cf0 [size=8]
        Region 1: I/O ports at 4400 [size=256]
        Region 2: I/O ports at 4c80 [size=64]
        Region 4: I/O ports at 4880 [size=128]
        Region 5: I/O ports at 4cc0 [size=32]

00:0e.2 IDE interface [0101]: Advanced Micro Devices [AMD] CS5536 [Geode companion] IDE [1022:209a] (rev 01) (prog-if 80 [Master])
        Subsystem: Advanced Micro Devices [AMD] CS5536 [Geode companion] IDE [1022:209a]
        Control: I/O+ Mem- BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 64 (16000ns max), Cache Line Size: 32 bytes
        Interrupt: pin A routed to IRQ 14
        Region 0: [virtual] Memory at 000001f0 (32-bit, non-prefetchable) [size=8]
        Region 1: [virtual] Memory at 000003f0 (type 3, non-prefetchable) [size=1]
        Region 2: [virtual] Memory at 00000170 (32-bit, non-prefetchable) [size=8]
        Region 3: [virtual] Memory at 00000370 (type 3, non-prefetchable) [size=1]
        Region 4: I/O ports at 4ce0 [size=16]
        Kernel driver in use: pata_amd

00:0e.3 Multimedia audio controller [0401]: Advanced Micro Devices [AMD] CS5536 [Geode companion] Audio [1022:2093] (rev 01)
        Subsystem: Advanced Micro Devices [AMD] CS5536 [Geode companion] Audio [1022:2093]
        Control: I/O+ Mem- BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0 (16000ns max), Cache Line Size: 32 bytes
        Interrupt: pin A routed to IRQ 9
        Region 0: I/O ports at 4c00 [size=128]
        Kernel driver in use: cs5535audio

00:0e.4 USB Controller [0c03]: Advanced Micro Devices [AMD] CS5536 [Geode companion] OHC [1022:2094] (rev 02) (prog-if 10 [OHCI])
        Subsystem: Advanced Micro Devices [AMD] CS5536 [Geode companion] OHC [1022:2094]
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0 (16000ns max), Cache Line Size: 32 bytes
        Interrupt: pin A routed to IRQ 11
        Region 0: Memory at 50070000 (32-bit, non-prefetchable) [size=4K]
        Kernel driver in use: ohci_hcd

00:0e.5 USB Controller [0c03]: Advanced Micro Devices [AMD] CS5536 [Geode companion] EHC [1022:2095] (rev 02) (prog-if 20 [EHCI])
        Subsystem: Advanced Micro Devices [AMD] CS5536 [Geode companion] EHC [1022:2095]
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0 (16000ns max), Cache Line Size: 32 bytes
        Interrupt: pin A routed to IRQ 11
        Region 0: Memory at 50071000 (32-bit, non-prefetchable) [size=4K]
        Kernel driver in use: ehci_hcd


** USB devices:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 002: ID 9710:7830 MosChip Semiconductor MCS7830 10/100 Mbps Ethernet adapter


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: mipsel (mips64)

Kernel: Linux 2.6.39-2-loongson-2f
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages linux-image-3.0.0-1-loongson-2f depends on:
ii  debconf [debconf-2.0]         1.5.41     Debian configuration management sy
ii  linux-base                    3.3        Linux image base package
ii  module-init-tools             3.16-1     tools for managing Linux kernel mo

Versions of packages linux-image-3.0.0-1-loongson-2f recommends:
ii  firmware-linux-free           3          Binary firmware for various driver

Versions of packages linux-image-3.0.0-1-loongson-2f suggests:
pn  linux-doc-3.0.0               <none>     (no description available)

Versions of packages linux-image-3.0.0-1-loongson-2f is related to:
pn  firmware-bnx2                 <none>     (no description available)
pn  firmware-bnx2x                <none>     (no description available)
pn  firmware-ipw2x00              <none>     (no description available)
pn  firmware-ivtv                 <none>     (no description available)
pn  firmware-iwlwifi              <none>     (no description available)
ii  firmware-linux                0.33       Binary firmware for various driver
ii  firmware-linux-nonfree        0.33       Binary firmware for various driver
pn  firmware-qlogic               <none>     (no description available)
pn  firmware-ralink               <none>     (no description available)
pn  xen-hypervisor                <none>     (no description available)

-- debconf information:
  linux-image-3.0.0-1-loongson-2f/prerm/removing-running-kernel-3.0.0-1-loongson-2f: true
  linux-image-3.0.0-1-loongson-2f/postinst/missing-firmware-3.0.0-1-loongson-2f:
  linux-image-3.0.0-1-loongson-2f/postinst/depmod-error-initrd-3.0.0-1-loongson-2f: false
  linux-image-3.0.0-1-loongson-2f/postinst/ignoring-ramdisk:
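
Added example, not part of the original report: a first-match model of the filter-table FORWARD chain that the 00_gateway script above builds, used to check what the chain decides for a NEW packet arriving on ppp0 for eth0. CORRECTED is an assumed fix in which the last rule names eth0 as the output interface; Rule, Packet and verdict are hypothetical names, and NAT and routing are not modelled.

```python
# Added example: first-match model of the FORWARD chain in 00_gateway.
from typing import FrozenSet, NamedTuple, Optional

class Rule(NamedTuple):
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    states: Optional[FrozenSet[str]] = None  # None: rule has no state match

class Packet(NamedTuple):
    in_if: str
    out_if: str
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED

EST = frozenset({"ESTABLISHED", "RELATED"})

# (policy, rules) in the order the report's script appends them.
REPORTED = ("ACCEPT", [
    Rule("ACCEPT", "ppp0", "eth0", EST),
    Rule("ACCEPT", "eth0", "ppp0"),
    Rule("REJECT", "ppp0", "ppp0"),
])

# Assumed correction (not from the report): the last rule names eth0 as the
# output interface, which is what its comment describes.
CORRECTED = ("ACCEPT", REPORTED[1][:2] + [Rule("REJECT", "ppp0", "eth0")])

def verdict(chain, pkt):
    """Return (target, matched_by) under iptables first-match semantics."""
    policy, rules = chain
    for n, rule in enumerate(rules, 1):
        if rule.in_if not in (None, pkt.in_if):
            continue
        if rule.out_if not in (None, pkt.out_if):
            continue
        if rule.states is not None and pkt.state not in rule.states:
            continue
        return rule.target, f"rule {n}"
    return policy, "policy"  # no rule matched: the chain policy decides

if __name__ == "__main__":
    probes = [Packet("eth0", "ppp0", "NEW"),          # LAN host opens a connection
              Packet("ppp0", "eth0", "ESTABLISHED"),  # reply to that connection
              Packet("ppp0", "eth0", "NEW")]          # unsolicited, outside to LAN
    for name, chain in (("reported", REPORTED), ("corrected", CORRECTED)):
        for pkt in probes:
            print(f"{name:9} {pkt.in_if}->{pkt.out_if} {pkt.state:11}", verdict(chain, pkt))
```

In the reported chain the unsolicited packet falls through to the ACCEPT policy, because the REJECT rule only matches traffic that both enters and leaves on ppp0; LAN-initiated connections and their replies get the same verdict in both chains.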


