ip_tables.c: mark_source_chains: bad negative verdict
kaber at trash.net
Fri Jul 20 18:35:09 CEST 2007
Thomas Jarosch wrote:
> Hello there,
> I've upgraded to kernel 18.104.22.168 / iptables 1.3.7 and now a big firewall table
> fails to load. The error message from the iptables command is
> "iptables: Too many levels of symbolic links", so I've enabled debugging in
> net/ipv4/netfilter/ip_tables.c. Here's the debug output from it
> after trying to run "iptables -A C70 -j forward_ok":
> Jul 20 17:11:13 intratest2 kernel: Jump rule 232340 -> 232960
> Jul 20 17:11:13 intratest2 kernel: Jump rule 232960 -> 215940
> Jul 20 17:11:13 intratest2 kernel: Jump rule 233176 -> 215940
> Jul 20 17:11:13 intratest2 kernel: mark_source_chains: bad negative verdict
> How can the "bad negative verdict" code be triggered?
> How can it be fixed? :-)
I'm pretty sure it's related to the mark_source_chains optimization.
Try removing the " || visited" from the condition just before the
"negative verdict" printk.