iptables 1.2.9 in gentoo

Moises Silva moises.silva at gmail.com
Tue Aug 2 03:21:03 CEST 2005

Hi i have some questions, i hope somebody can help me, so i will be
able to understand better how iptables, iproute and the modules in the
kernel interact each others.

I recently have read a howto for QoS. So i installed a new gentoo box
with the vanilla-sources, kernel 2.6.9, i patched it with the qnet
patchset for qos and some other stuff. If you want to see the contents
of the patches, is in this url:


the last patch (2.6.10-ipp2p_0.7.1.patch.bz2) it was intented for
kernel 2.6.10,  but it seems that it worked good for kernel 2.6.9.

then i installed iptables doing "emerge '=iptables-2.6.9-r4'" but i
have an overlay in gentoo (that means i modified the original ebuild )
and i added the following patch to the sources of iptables:


the ebuild is in here:


the thing is, that when i started the qos-script, that you can find here:


it gave me errors when the script issued the next commands:

/sbin/iptables -t mangle -A SHAPER-IN -p tcp -m connmark --mark 21 -j
CONNMARK --restore-mark
iptables: Invalid argument

/sbin/iptables -t mangle -A SHAPER-IN -p tcp -m ipp2p --ipp2p -j
CONNMARK --set-mark 21
iptables: Invalid argument

/sbin/iptables -t mangle -A SHAPER-OUT -p tcp -m connmark --mark 29 -j
CONNMARK --restore-mark
iptables: Invalid argument

/sbin/iptables -t mangle -A SHAPER-OUT -p tcp -m ipp2p --ipp2p -j
CONNMARK --set-mark 29
iptables: Invalid argument

after trying adding and deleting parameters i realized that the
CONNMARK module was the problem.
So i googled around, and found this:


and yes, when `dmesg` showed me 

'CONNMARK: targinfosize 8 != 12'

but when i tried to upgrade iptables just showed me more errors :( so
i got back to the 1.2.9 version.

I started to check some code in the patches and the kernel headers to
look what the problem is with CONNMARK, and
i must say that im not a C coder, so excuse me if is stupid what i have done :(
i entered the file '/usr/src/linux/net/ipv4/netfilter/ipt_CONNMARK.c'
and realized that the error to dmesg was originated by the function
checkentry, line 82:

	struct ipt_connmark_target_info *matchinfo = targinfo;
	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
		printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
		       IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
		return 0;

so i looked around and found this struct in the header
	struct ipt_connmark_target_info {
		unsigned long mark;
		unsigned long mask;
		u_int8_t mode;

so i looked into the iptables source code and found the same header
with the next struct:

	struct ipt_connmark_target_info {
		unsigned long mark;
		u_int8_t mode;
it appears that is the same struct, but with some missing element. I
just added the missing element (unsigned long mask) and the error

so the questions:

not sure if it will work, i need to test it, but i would like to know
if you think it could be problems with this?
i will appreciate any reference, guideline to understand better how
interact the code in iptables against the kernel modules.

best regards

"Su nombre es GNU/Linux, no solamente Linux, mas info en http://www.gnu.org"

More information about the netfilter mailing list