ip_tables.c: mark_source_chains: bad negative verdict

Patrick McHardy kaber at trash.net
Fri Jul 20 18:35:09 CEST 2007


Thomas Jarosch wrote:
> Hello there,
>
> I've upgraded to kernel 2.6.21.6 / iptables 1.3.7 and now a big firewall table 
> fails to load. The error message from the iptables command is
> "iptables: Too many levels of symbolic links", so I've enabled debugging in 
> net/ipv4/netfilter/ip_tables.c. Here's the debug output from it
> after trying to run "iptables -A C70 -j forward_ok":
> [...]
> Jul 20 17:11:13 intratest2 kernel: Jump rule 232340 -> 232960
> Jul 20 17:11:13 intratest2 kernel: Jump rule 232960 -> 215940
> Jul 20 17:11:13 intratest2 kernel: Jump rule 233176 -> 215940
> Jul 20 17:11:13 intratest2 kernel: mark_source_chains: bad negative verdict 
> (-2140522486)
>
> How can the "bad negative verdict" code be triggered?
> How can it be fixed? :-)
>   

I'm pretty sure it's related to the mark_source_chains optimization.
Try removing the " || visited" from the condition just before the
"negative verdict" printk.



