
Re: [Fwd: Re: Shorewall and SPARC]

Eric Nichols wrote:
I apologize for the long thread.  This was a discussion I had with the
shorewall maintainer for debian.  Might be a sparc issue?

------------------------------ Original Message ------------------------------
Subject: Re: Shorewall and SPARC
From:    Roberto C. Sánchez <roberto@connexer.com>
Date:    Thu, August 21, 2008 8:05 pm
To:      "Eric Nichols" <eric@dirwiz.com>

On Thu, Aug 21, 2008 at 07:25:50PM -0400, Eric Nichols wrote:
Roberto C. Sánchez wrote:
On Thu, Aug 21, 2008 at 12:34:57PM -0400, Eric Nichols wrote:
I've been using shorewall in Etch for quite a while and I absolutely
love it.  I am currently running this on a Sun Ultra 2 (SPARC processor)
and get the following messages below.  Should I be concerned about them?
I can't find anything that references these items.

ip_tables: conntrack match: invalid size 80 != 72
ip_tables: connmark match: invalid size 24 != 16
ip_tables: MARK target: invalid size 16 != 8
ip_tables: CONNMARK target: invalid size 24 != 16

OK.  I should have been able to diagnose this right away, but it escaped
me.  After consultation with the author of Shorewall, I can point you at
this: http://www.shorewall.net/3.0/FAQ.htm#faq61

Basically, I think that this can be caused by a partially upgraded
system.  Did you happen to upgrade iptables but not the kernel?
I've seen this on just about every sparc install I've done.  I'm running
stock etch with everything current.  I'm leaning more towards an issue
in the sparc build itself.  It's not the most widely maintained
architecture.  Thanks for the followup.

I've never used Debian on Sparc hardware, so I don't know.  However,
according to Tom (the author of Shorewall), this is a common occurrence
on Debian and it has to do with iptables being built against an
incompatible set of kernel headers (as compared to the kernel against
which it is running).

If you try asking your question on the mailing list (and at least
mention that you have already been given an answer, but that you are
looking for more info), you might find a Debian+Sparc user who can help.
You might also try the netfilter mailing list, as this is not
I know that there are issues with some versions of iptables on sparc64 where the userland parameters assume 32-bit pointers while the kernel netfilter stuff assumes 64-bit. I don't know whether/when that was fixed, i.e. what version of kernel and (more importantly) iptables is known to work; in practice I only found it directly relevant to rate limiting.

Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
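Editor's note: the log lines quoted in this thread ("invalid size 80 != 72" and so on) come from the kernel comparing the size of a match/target info struct as it computed it against the size the iptables binary put into the rule blob. The C program below is an added example, not code from the thread and not netfilter code: it models a 32-bit sparc userland (ILP32, but with 64-bit integers aligned to 8 bytes as the SPARC V8 ABI requires) against a 64-bit sparc64 kernel (LP64), and reproduces the kernel-side size check. The member layouts used for the MARK and CONNMARK targets (an unsigned long plus a u_int8_t, and two unsigned longs plus a u_int8_t) are assumptions about the 2.6.18-era structs; if they are right, the arithmetic yields the "16 != 8" and "24 != 16" pairs from the quoted log, and the same layouts on an i386/i386 pairing produce no complaint.

```c
/* Added example (not from the thread, and not netfilter code): a model of
 * why a 32-bit iptables userland and a 64-bit netfilter kernel arrive at
 * different sizes for the same match/target struct, and of the kernel-side
 * check that reports the difference as "invalid size A != B". */
#include <stddef.h>
#include <stdio.h>

/* Member kinds found in the old ipt_/xt_*_info structs. */
enum ftype { F_U8, F_U16, F_U32, F_ULONG, F_PTR };

/* A data model: how wide 'unsigned long' and pointers are, and what
 * XT_ALIGN() rounds to (the alignment of the widest scalar, u_int64_t).
 * Assumptions: sparc32 userland is ILP32 but aligns 64-bit ints to 8
 * (SPARC V8 ABI); the sparc64 kernel is LP64; i386 is ILP32 with 4-byte
 * alignment for 64-bit ints. */
struct model {
    const char *name;
    size_t long_size;   /* sizeof(unsigned long) == sizeof(void *) */
    size_t xt_align;    /* XT_ALIGN() granularity */
};

const struct model SPARC32 = { "sparc32 userland", 4, 8 };
const struct model SPARC64 = { "sparc64 kernel",   8, 8 };
const struct model I386    = { "i386",             4, 4 };

static size_t align_up(size_t v, size_t a) { return (v + a - 1) & ~(a - 1); }

/* Size (== natural alignment) of one scalar member under a model. */
static size_t member_size(enum ftype t, const struct model *m) {
    switch (t) {
    case F_U8:    return 1;
    case F_U16:   return 2;
    case F_U32:   return 4;
    case F_ULONG:
    case F_PTR:   return m->long_size;
    }
    return 0;
}

/* sizeof() of a struct with these members under a model: natural
 * alignment for each member, tail padding up to the widest member. */
size_t struct_size(const enum ftype *fields, size_t n, const struct model *m) {
    size_t off = 0, widest = 1;
    for (size_t i = 0; i < n; i++) {
        size_t s = member_size(fields[i], m);
        off = align_up(off, s) + s;
        if (s > widest) widest = s;
    }
    return align_up(off, widest);
}

/* What each side works with: iptables stores XT_ALIGN(sizeof(info)) as the
 * match/target size in the rule blob, and the kernel's xt_check_match() /
 * xt_check_target() compares that with XT_ALIGN(sizeof(info)) as it sees it. */
size_t wire_size(const enum ftype *fields, size_t n, const struct model *m) {
    return align_up(struct_size(fields, n, m), m->xt_align);
}

/* Mirrors the kernel check: 0 on agreement, -1 (EINVAL, plus the kernel's
 * log line) on mismatch. */
int xt_size_check(const char *what, const enum ftype *fields, size_t n,
                  const struct model *user, const struct model *kernel) {
    size_t expect = wire_size(fields, n, kernel);
    size_t got    = wire_size(fields, n, user);
    if (expect != got) {
        printf("ip_tables: %s: invalid size %zu != %zu\n", what, expect, got);
        return -1;
    }
    return 0;
}

/* Assumed member layouts of the 2.6.18-era structs: MARK target v1
 * { unsigned long mark; u_int8_t mode; } and CONNMARK target
 * { unsigned long mark, mask; u_int8_t mode; }. */
const enum ftype MARK_V1[]  = { F_ULONG, F_U8 };
const enum ftype CONNMARK[] = { F_ULONG, F_ULONG, F_U8 };

int main(void) {
    /* sparc32 iptables talking to a sparc64 kernel: both rules are rejected. */
    xt_size_check("MARK target",     MARK_V1,  2, &SPARC32, &SPARC64);
    xt_size_check("CONNMARK target", CONNMARK, 3, &SPARC32, &SPARC64);
    /* Same ABI on both sides (i386 userland, i386 kernel): no complaint. */
    xt_size_check("CONNMARK target", CONNMARK, 3, &I386, &I386);
    return 0;
}
```

The model makes the diagnosis in the thread concrete: a partial upgrade or a build against the wrong headers only matters because the two sides end up with different struct definitions, and on a 32-bit-userland/64-bit-kernel port the definitions differ even when both are built from the same source, unless the kernel carries a compat layer that translates the 32-bit layout. Checking which of the two sides is wrong is a matter of comparing the first number (the kernel's view) with sizeof() of the same struct compiled for the userland ABI.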
