dj_farid (l33t). Joined: 14 Jun 2004. Posts: 613.
Posted: Mon Dec 12, 2005 11:04 pm. Post subject: iptables: Invalid argument problem
I am trying to do some bandwidth limiting on my router. The router also runs a glftpd server.
Why do I get this "invalid argument"?
Code:
# iptables -t mangle -A OUTPUT -m owner --cmd-owner glftpd -j MARK --set-mark 2
iptables: Invalid argument
I think that I have all the modules that iptables needs. Also, if that were the case, wouldn't I get an error saying something else?
What do I do?
I have read https://forums.gentoo.org/viewtopic-t-225863-postdays-0-postorder-asc-highlight-wondershaper-start-0.html and several other pages about this subject...
hanj (Veteran). Joined: 19 Aug 2003. Posts: 1500.
Posted: Tue Dec 13, 2005 7:01 am
Hello
I tried your iptables statement and got the same result. I adjusted --cmd-owner to --uid-owner and it worked. I checked my /var/log/messages and found the answer there...
This is what happened when I tried the following:
Code:
iptables -t mangle -A OUTPUT -m owner --cmd-owner glftpd -j MARK --set-mark 2
Output:
Code:
iptables: Invalid argument
But viewing /var/log/messages shows this:
Code:
ipt_owner: pid, sid and command matching not supported anymore
I think you'll want to find the uid of glftpd and do a --uid-owner instead.
HTH
hanji
dj_farid (l33t). Joined: 14 Jun 2004. Posts: 613.
Posted: Tue Dec 13, 2005 11:26 am
Thanks for leading me in the right direction.
Unfortunately glftpd has to be running as root. So if I run this command it marks all packets that come from root, and that is not so good.
If I do ps -fA I get lines like this:
Code:
140 26932 1822 0 07:52 ? 00:00:07 glftpd:xxx.xxx.xxx.xxx: ftpuser
Where the 140 is the UID.
If I have understood the workings of glftpd right, the glftpd process runs as root. Then it does the chroot command and lets that chroot command run as another user. Every glftpd user has his own UID in /glftpd/etc/passwd. The UIDs go from 105 upward.
So what I want to do is to mark these UIDs, if it is not possible to mark everything from glftpd.
This seems a little bit too complicated. Especially since it seems as if it was possible to mark packets with the owner statement before.
This command seems to work:
Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner 105 -j MARK --set-mark 2
But iptables does not seem to understand ranges of UIDs like 105-200. So using this method I would have to create a loop that runs this command 100 times.
This feels like there is a much simpler way.
Any better ideas of how to accomplish what I want?
Gentree (Watchman). Joined: 01 Jul 2003. Posts: 5350. Location: France, Old Europe.
Posted: Tue Dec 13, 2005 5:38 pm
I'm far from being an expert, but maybe you need to use the uid as you are, then set an ESTABLISHED rule that will allow the rest through irrespective of port, etc.
HTH
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86
Jeremy_Z (l33t). Joined: 05 Apr 2004. Posts: 671. Location: Shanghai.
Posted: Tue Dec 13, 2005 6:07 pm
I am not familiar with those iptables commands, but what about using a group and then --gid-owner? Seems a better solution, since you get the bonus that adding / removing users won't need you to redo your iptables rules.
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals
dj_farid (l33t). Joined: 14 Jun 2004. Posts: 613.
Posted: Tue Dec 13, 2005 8:28 pm
I got even more confused by your replies.
This is what I wanted to do:
Code:
$ tc qdisc add dev eth0 root handle 1: htb default 10
$ tc class add dev eth0 parent 1: classid 1:1 htb rate 800kbit
$ tc class add dev eth0 parent 1:1 classid 1:10 htb rate 800kbit prio 1
$ tc class add dev eth0 parent 1:1 classid 1:20 htb rate 800kbit prio 2
$ tc class add dev eth0 parent 1:1 classid 1:30 htb rate 120kbit prio 3
$ tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
$ tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
$ tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
#glftpd
$ iptables -t mangle -A OUTPUT -m owner --cmd-owner glftpd -j MARK --set-mark 2
$ tc filter add dev eth0 protocol ip parent 1:0 handle 2 fw flowid 1:20
The iptables command just marks all packets that originate from glftpd.
That is according to the guide.
But that command does not work. So my best solution so far is what I mentioned above, which seems unsmooth to me.
Gentree (Watchman). Joined: 01 Jul 2003. Posts: 5350. Location: France, Old Europe.
Posted: Tue Dec 13, 2005 11:31 pm
I know nothing about glftpd nor this tc stuff, but if you set up iptables to allow OUTPUT from (all or) whatever port the chroot things initiate, the reply can be allowed back in using ESTABLISHED in another iptables entry.
You must have port 20 and 21 open on input anyway, and as soon as one of your chroot child processes puts out a reply the rest will get through.
Hope that's a bit clearer.
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86
Kaapeli (Tux's lil' helper). Joined: 27 Dec 2004. Posts: 110. Location: Oulu, Finland.
Posted: Wed Dec 14, 2005 9:02 am
I just found out that my existing shaper rules no longer work the way they used to. I used to use
Code:
for a in $NOPRIOAPP
do
    iptables -t mangle -A POSTROUTING -o $OUT -p tcp -m owner --cmd-owner $a -j MARK --set-mark 4
done
to set lower priority for certain applications. It worked like a charm until I upgraded my kernel from 2.6.11-love2 to 2.6.14-acid2. Now I get the same error message as posted earlier in this thread.
What if I really want to add per-application rules to my iptables filters? Is it possible to do it anymore at all? For example, if I want to set rtorrent to lower priority regardless of who is running it and what port they have set it to listen on. Obviously the only chance would be to use a cmd-owner rule. But if that doesn't work, what choices do I have?
_________________
Temperatures
dj_farid (l33t). Joined: 14 Jun 2004. Posts: 613.
Posted: Wed Dec 14, 2005 8:50 pm
I find it quite strange that I have not found anything about the disappearance of this command when googling around. I haven't found anything explaining why it has been removed and what to use instead.
I ran some tests with a few users in glftpd. The marking with --uid-owner works. I still haven't done a script that does this for all the users.
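Since --cmd-owner is gone and --uid-owner takes a single UID, the loop mentioned above can be generated from the glftpd passwd file rather than typed 100 times. The script below is an added example, not from this thread or the glftpd project; it assumes the file is colon-separated with the UID in the third field (like /etc/passwd), that glftpd user UIDs start at 105 as stated above, and that mark 2 is the class the tc filter uses. It only prints the rules, so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example: emit one "-m owner --uid-owner N" MARK rule per glftpd user.
# Assumptions (not from the thread): passwd-style "name:pass:uid:gid:..." lines,
# lowest glftpd user UID is 105, mark value 2 feeds the "handle 2 fw" tc filter.

MIN_UID=${MIN_UID:-105}
MARK=${MARK:-2}

# Read passwd-style lines on stdin and print one iptables command per unique
# UID at or above MIN_UID. Lines with a non-numeric or low UID (root, the
# glftpd daemon itself) are skipped, and a UID shared by two accounts gets
# only one rule. Nothing is executed here; the caller decides when to apply.
gen_uid_mark_rules() {
    awk -F: -v min="$MIN_UID" -v mark="$MARK" '
        NF >= 3 && $3 ~ /^[0-9]+$/ && ($3 + 0) >= (min + 0) && !seen[$3]++ {
            printf "iptables -t mangle -A OUTPUT -m owner --uid-owner %s -j MARK --set-mark %s\n", $3, mark
        }'
}

# Constructed sample of a glftpd passwd file for a dry run (not real data).
SAMPLE_PASSWD='glftpd:x:0:0:daemon runs as root:/:/bin/false
alice:x:105:100:first glftpd user:/:/bin/false
bob:x:106:100:second glftpd user:/:/bin/false
carol:x:106:100:shares bob uid, must not duplicate:/:/bin/false
svc:x:99:99:below the glftpd range:/:/bin/false'

# Dry run against the constructed sample: prints two rules (UID 105 and 106).
printf '%s\n' "$SAMPLE_PASSWD" | gen_uid_mark_rules

# To apply against the real file once reviewed:
#   gen_uid_mark_rules < /glftpd/etc/passwd | sh
```

If all glftpd users share one group, the --gid-owner suggestion above collapses this to a single rule that survives user additions and removals.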
magic919 (Advocate). Joined: 17 Jun 2005. Posts: 2182. Location: Berkshire, UK.
Posted: Wed Dec 14, 2005 9:16 pm
Have you checked you've got the command owner iptables option in the kernel?
Code:
CONFIG_IP_NF_MATCH_OWNER=y
dj_farid (l33t). Joined: 14 Jun 2004. Posts: 613.
Posted: Wed Dec 14, 2005 11:18 pm
magic919 wrote:
    Have you checked you've got the command owner iptables option in the kernel?
    CONFIG_IP_NF_MATCH_OWNER=y
Yes. When I started, I didn't have it. iptables complained that it did not understand my command. After I added it to the kernel, I got this other message.