python-iptables shows error when using JOOL_SIIT for dual-stack rules #337
F1xes #337. Solution provided by @yaoli-zheng-axcient.
Is it normal that it doesn't list any rules in PREROUTING mangle after running the script with apparent success?
Yes, the rules are not inserted, you can use this code to insert rules instead:
4.1.2 released; closing.
Fixes Debian bug 1029268: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029268

man 3 dlopen:

> Use of _init and _fini is now deprecated in favor of the
> aforementioned constructors and destructors, which among other
> advantages, permit multiple initialization and finalization functions
> to be defined.

Replace _init() with __attribute__((constructor)). Vincent Bernat already confirmed this works.

Also returns the static keyword, which was removed during #337. I'm conjecturing that patch likely was a misled accident, and the current one should be the proper fix for both bugs.

This, I'm not completely sure will work, but we'll see.

Edit: The problem has nothing to do with jool (and probably python-iptables has no control over it either). libxtables is probably not prepared to handle multiple protocols in one process, so using JOOL(_SIIT) with both IPv4 and IPv6 in a single run is not handled correctly.
Without
With
Edit: constructor name is irrelevant since dlopen runs registered constructor(s) before returning and ctypes uses dlopen
Sorry; I have time now.
So are there any problems left with 490ddb0? I'm ok with returning
I don't think this is the case. Did you try opening two sockets? I wrote a custom binary that requests one
This prints the same results; this means the two sockets can also coexist.
That patch is perfectly fine,
Your tests have nothing to do with libxtables. You opened 2 netlink sockets, which is perfectly fine (although unnecessary). What libxtables does (and python-iptables too, because it loads libxtables by dlopen) is loading extensions dynamically, but it does not account for the L3 protocol because it is not meant to do that, since there are two distinct executables for the two L3 protocols. The root cause (to my understanding) is that when libxtables loads an extension it identifies the extension only by its name. When it first loads an extension everything loads correctly; python-iptables uses the loaded module just fine. But when you would like to use the same module for the other protocol the module loading fails since it is already loaded. python-iptables tries to work around the problem by using a combined key (
Hi,
When I use python-iptables to create rules with jool_siit for both IPv4 and IPv6, I got this error:
Here is the script to reproduce the issue:
I found a similar issue for other matches (ldx/python-iptables#164) and the solution seems to be to change the _init function in src/usr/iptables/common.c to be non-static; not sure if jool_siit will support or fix this use case?
Thanks!
Yaoli