After a stable branch update from December 19'th any iptables command containing "--cmd-owner" flag will fail. Reproducible: Always Steps to Reproduce: iptables -A OUTPUT -p tcp -o ppp0 --sport 1024: --dport 0:65535 -m owner --uid-owner 5000 --cmd-owner kdeinit -m state --state NEW,ESTABLISHED -j ACCEPT Strace Output: execve("/sbin/iptables", ["iptables", "-A", "OUTPUT", "-p", "tcp", "-o", "ppp0", "--sport", "1024:", "--dport", "0:65535", "-m", "owner", "--uid-owner", "5000", "--cmd-owner", ...], [/* 38 vars */]) = 0 uname({sys="Linux", node="athlon64", ...}) = 0 brk(0) = 0x50d000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac0000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=98002, ...}) = 0 mmap(NULL, 98002, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaac1000 close(3) = 0 open("/lib/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\17\0"..., 640) = 640 lseek(3, 624, SEEK_SET) = 624 read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\4\0\0\0"..., 32) = 32 fstat(3, {st_mode=S_IFREG|0755, st_size=11280, ...}) = 0 mmap(NULL, 1056984, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000 mprotect(0x2aaaaabc3000, 1048792, PROT_NONE) = 0 mmap(0x2aaaaacc2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x2aaaaacc2000 close(3) = 0 open("/lib/libnsl.so.1", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 H\0\0\0"..., 640) = 640 lseek(3, 624, SEEK_SET) = 624 read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\4\0\0\0"..., 32) = 32 fstat(3, {st_mode=S_IFREG|0755, st_size=84816, ...}) = 0 mmap(NULL, 1137416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaacc4000 mprotect(0x2aaaaacd7000, 1059592, PROT_NONE) = 0 mmap(0x2aaaaadd6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12000) 
= 0x2aaaaadd6000 mmap(0x2aaaaadd8000, 6920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2aaaaadd8000 close(3) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \307\1\0"..., 640) = 640 lseek(3, 64, SEEK_SET) = 64 read(3, "\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0"..., 616) = 616 lseek(3, 680, SEEK_SET) = 680 read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\6\0\0\0"..., 32) = 32 fstat(3, {st_mode=S_IFREG|0755, st_size=1255872, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaadda000 lseek(3, 64, SEEK_SET) = 64 read(3, "\6\0\0\0\5\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0"..., 616) = 616 mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaaddb000 mprotect(0x2aaaaaef7000, 1085416, PROT_NONE) = 0 mmap(0x2aaaaaff6000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11b000) = 0x2aaaaaff6000 mmap(0x2aaaaaffc000, 16360, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaffc000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaab000000 mprotect(0x2aaaaaff6000, 12288, PROT_READ) = 0 mprotect(0x2aaaaabbf000, 4096, PROT_READ) = 0 arch_prctl(ARCH_SET_FS, 0x2aaaab0006e0) = 0 munmap(0x2aaaaaac1000, 98002) = 0 open("/dev/urandom", O_RDONLY) = 3 read(3, "\226+\3672\327E\366\212", 8) = 8 close(3) = 0 brk(0) = 0x50d000 brk(0x52e000) = 0x52e000 open("/etc/nsswitch.conf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=503, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac1000 read(3, "# /etc/nsswitch.conf:\n# $Header:"..., 4096) = 503 read(3, "", 4096) = 0 close(3) = 0 munmap(0x2aaaaaac1000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=98002, ...}) = 0 mmap(NULL, 98002, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaac1000 close(3) = 0 
open("/lib64/tls/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/lib64/tls/x86_64", 0x7ffffffc32f0) = -1 ENOENT (No such file or directory) open("/lib64/tls/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/lib64/tls", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 open("/lib64/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/lib64/x86_64", 0x7ffffffc32f0) = -1 ENOENT (No such file or directory) open("/lib64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/lib64", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 open("/usr/lib64/tls/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib64/tls/x86_64", 0x7ffffffc32f0) = -1 ENOENT (No such file or directory) open("/usr/lib64/tls/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib64/tls", 0x7ffffffc32f0) = -1 ENOENT (No such file or directory) open("/usr/lib64/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib64/x86_64", 0x7ffffffc32f0) = -1 ENOENT (No such file or directory) open("/usr/lib64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/usr/lib64", {st_mode=S_IFDIR|0755, st_size=32768, ...}) = 0 munmap(0x2aaaaaac1000, 98002) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=98002, ...}) = 0 mmap(NULL, 98002, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaac1000 close(3) = 0 open("/lib/libnss_files.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 #\0\0\0"..., 640) = 640 lseek(3, 624, SEEK_SET) = 624 read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\4\0\0\0"..., 32) = 32 fstat(3, {st_mode=S_IFREG|0755, st_size=44384, ...}) = 0 mmap(NULL, 1090856, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaab001000 mprotect(0x2aaaab00b000, 1049896, PROT_NONE) = 0 mmap(0x2aaaab10a000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x2aaaab10a000 close(3) = 0 munmap(0x2aaaaaac1000, 98002) = 0 open("/etc/protocols", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=1623, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac1000 read(3, "# /etc/protocols\n#\n# Internet (I"..., 4096) = 1623 close(3) = 0 munmap(0x2aaaaaac1000, 4096) = 0 open("/lib64/iptables/libipt_tcp.so", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\t\0"..., 640) = 640 fstat(3, {st_mode=S_IFREG|0755, st_size=8888, ...}) = 0 mmap(NULL, 1056192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaab10c000 mprotect(0x2aaaab10e000, 1048000, PROT_NONE) = 0 mmap(0x2aaaab20d000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x2aaaab20d000 close(3) = 0 open("/lib64/iptables/libipt_owner.so", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\10\0"..., 640) = 640 fstat(3, {st_mode=S_IFREG|0755, st_size=6552, ...}) = 0 mmap(NULL, 1053856, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaab20e000 mprotect(0x2aaaab210000, 1045664, PROT_NONE) = 0 mmap(0x2aaaab30f000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x2aaaab30f000 close(3) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 3 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 3 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=98002, ...}) = 0 mmap(NULL, 98002, PROT_READ, MAP_PRIVATE, 3, 0) = 
0x2aaaab310000 close(3) = 0 open("/lib/libnss_compat.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\26\0"..., 640) = 640 lseek(3, 624, SEEK_SET) = 624 read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\4\0\0\0"..., 32) = 32 fstat(3, {st_mode=S_IFREG|0755, st_size=32000, ...}) = 0 mmap(NULL, 1078536, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaab328000 mprotect(0x2aaaab32f000, 1049864, PROT_NONE) = 0 mmap(0x2aaaab42e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2aaaab42e000 close(3) = 0 munmap(0x2aaaab310000, 98002) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=98002, ...}) = 0 mmap(NULL, 98002, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaab310000 close(3) = 0 open("/lib/libnss_nis.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340$\0\0"..., 640) = 640 lseek(3, 624, SEEK_SET) = 624 read(3, "\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\4\0\0\0"..., 32) = 32 fstat(3, {st_mode=S_IFREG|0755, st_size=40496, ...}) = 0 mmap(NULL, 1086648, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaab430000 mprotect(0x2aaaab439000, 1049784, PROT_NONE) = 0 mmap(0x2aaaab538000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8000) = 0x2aaaab538000 close(3) = 0 munmap(0x2aaaab310000, 98002) = 0 open("/etc/passwd", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 lseek(3, 0, SEEK_CUR) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=1926, ...}) = 0 mmap(NULL, 1926, PROT_READ, MAP_SHARED, 3, 0) = 0x2aaaab310000 lseek(3, 1926, SEEK_SET) = 1926 fstat(3, {st_mode=S_IFREG|0644, st_size=1926, ...}) = 0 munmap(0x2aaaab310000, 1926) = 0 close(3) = 0 open("/lib64/iptables/libipt_state.so", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\6\0"..., 640) = 640 fstat(3, {st_mode=S_IFREG|0755, st_size=4952, ...}) = 0 mmap(NULL, 1052256, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaab53a000 mprotect(0x2aaaab53b000, 1048160, PROT_NONE) = 0 mmap(0x2aaaab63a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x2aaaab63a000 close(3) = 0 open("/lib64/iptables/libipt_standard.so", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \4\0\0\0"..., 640) = 640 fstat(3, {st_mode=S_IFREG|0755, st_size=3120, ...}) = 0 mmap(NULL, 1050528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaab63b000 mprotect(0x2aaaab63c000, 1046432, PROT_NONE) = 0 mmap(0x2aaaab73b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x2aaaab73b000 close(3) = 0 socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3 getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0 getsockopt(3, SOL_IP, 0x41 /* IP_??? */, "filter\0\0x\313\377\252\252*\0\0\250\214@\0\0\0\0\0\2\0"..., [672]) = 0 setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1040) = -1 EINVAL (Invalid argument) write(2, "iptables: Invalid argument\n", 27iptables: Invalid argument ) = 27 exit_group(1) = ? 
Emerge Info: Portage 2.0.51.22-r3 (default-linux/amd64/2005.0, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14-gentoo-r2 x86_64) ================================================================= System uname: 2.6.14-gentoo-r2 x86_64 AMD Athlon(tm) 64 Processor 3400+ Gentoo Base System version 1.6.13 dev-lang/python: 2.3.5-r2, 2.4.2 sys-apps/sandbox: 1.2.12 sys-devel/autoconf: 2.13, 2.59-r6 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.20 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -march=k8 -fomit-frame-pointer -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib64/mozilla/defaults/pref /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O2 -march=k8 -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks sandbox sfperms strict" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="amd64 X acl acpi alsa audiofile avi berkdb bitmap-fonts bzip2 cdr crypt cups curl dts dvd dvdr dvdread eds emboss encode exif expat fam flac foomaticdb fortran gif glut gnome gpm gstreamer gtk gtk2 idn imagemagick imlib ipv6 javascript joystick jpeg kde lcms lm_sensors lzw lzw-tiff mad mng mozilla mp3 mpeg ncurses nls nptl ogg opengl pam pcre pdflib perl png ppds python qt quicktime readline samba scanner sdl spell ssl tcpd tiff truetype truetype-fonts type1-fonts udev usb userlocales v4l vcd xml2 xmms xpm xv zlib userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
Maybe because it's not available any more in >=2.6.14 kernels... <snip> [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner Rip out cmd/sid/pid matching since its unfixable broken and stands in the way of locking changes to tasklist_lock. </snip>
I use this module (ipt_owner). And after change kernel to 2.6.14: 1. #mv /usr/src/linux-2.6.12-gentoo-r9/net/ipv4/netfilter/ipt_owner.c /usr/src/linux-2.6.14-hardened-r3/net/ipv4/netfilter/ipt_owner.c 2. Patch it:
--- /usr/src/linux-2.6.12-gentoo-r9/net/ipv4/netfilter/ipt_owner.c 2005-12-15 11:35:50.000000000 +0300
+++ /usr/src/linux-2.6.14-hardened-r3/net/ipv4/netfilter/ipt_owner.c 2006-01-25 11:09:26.844206750 +0300
@@ -36,7 +36,7 @@
 files = p->files;
 if(files) {
 spin_lock(&files->file_lock);
- for (i=0; i < files->max_fds; i++) {
+ for (i=0; i < files->fdt->max_fds; i++) {
 if (fcheck_files(files, i) == skb->sk->sk_socket->file) { spin_unlock(&files->file_lock);
@@ -68,7 +68,7 @@
 files = p->files;
 if(files) {
 spin_lock(&files->file_lock);
- for (i=0; i < files->max_fds; i++) {
+ for (i=0; i < files->fdt->max_fds; i++) {
 if (fcheck_files(files, i) == skb->sk->sk_socket->file) { spin_unlock(&files->file_lock);
@@ -102,7 +102,7 @@
 files = p->files;
 if (files) {
 spin_lock(&files->file_lock);
- for (i=0; i < files->max_fds; i++) {
+ for (i=0; i < files->fdt->max_fds; i++) {
 if (fcheck_files(files, i) == file) {
 found = 1;
 break;
3. #make bzImage May be I do wrong, I don't know. But all work ok.
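Review bot: Changing `files->max_fds` to `files->fdt->max_fds` in the three hunks only adapts the loop bound to the 2.6.14 fdtable split; it does not address why upstream removed this code, which the quoted commit message attributes to tasklist_lock abuse in the cmd/sid/pid matching, so the reinstated module brings that locking problem back into the packet path. The functions enclosing each `for` loop start and end outside the hunks, so the task-list walk the commit message objects to is not visible here; the visible lines only read the per-task fd table under `files->file_lock`. Since the same change is repeated at @@ -36, @@ -68 and @@ -102, a short comment above each loop would record the status for whoever maintains it, e.g. `/* local revival of cmd/sid/pid matching; removed upstream for tasklist_lock reasons */`. If 2.6.14 exposes an accessor for the fd table (`files_fdtable()`), using it instead of dereferencing `files->fdt` directly would keep the patch aligned with how the kernel itself reads that table — confirm against the 2.6.14 headers.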