This shows you the differences between two versions of the page.
ep:labs:061:contents:tasks:ex1 [2026/04/06 21:49] maria.popescu2812 [01. [20p] Primer / Reminder] |
ep:labs:061:contents:tasks:ex1 [2026/04/06 21:51] (current) maria.popescu2812 [01. [20p] Primer / Reminder] |
||
|---|---|---|---|
| Line 145: | Line 145: | ||
| $ man 8 iptables-extensions nfbpf_compile | $ man 8 iptables-extensions nfbpf_compile | ||
| </code> | </code> | ||
| - | |||
| - | <note warning> | ||
| - | **Table matters** | ||
| - | |||
| - | This rule uses the ''TTL'' target, which is only valid in **a certain table**. If you forget it, ''iptables'' will accept your command silently and still fail at kernel level. You won't see an error in the terminal — you'll see this: | ||
| - | |||
| - | <code> | ||
| - | iptables: Invalid argument. Run `dmesg' for more information. | ||
| - | </code> | ||
| - | |||
| - | Check ''dmesg'' whenever ''iptables'' gives you "Invalid argument". You'll find the actual error there. | ||
| - | |||
| - | This is intentional behavior: the kernel module that handles the TTL target implements a **rule check callback** that validates the structure received from userspace. It doesn't trust you. If something is wrong, it logs to the kernel ring buffer — so ''dmesg'' is always your first stop when debugging ''iptables'' rules. | ||
| - | </note> | ||
| ---- | ---- | ||
| Line 172: | Line 158: | ||
| Also, use this [[https://www.mankier.com/8/nfbpf_compile|man page]] rather than installing it separately. | Also, use this [[https://www.mankier.com/8/nfbpf_compile|man page]] rather than installing it separately. | ||
| + | </note> | ||
| + | |||
| + | <note important> | ||
| + | **Table matters** | ||
| + | |||
| + | This rule uses the ''TTL'' target, which is only valid in **a certain table**. If you forget it, ''iptables'' will accept your command silently and still fail at kernel level. You won't see an error in the terminal — you'll see this: | ||
| + | |||
| + | <code> | ||
| + | iptables: Invalid argument. Run `dmesg' for more information. | ||
| + | </code> | ||
| + | |||
| + | Check ''dmesg'' whenever ''iptables'' gives you "Invalid argument". You'll find the actual error there. | ||
| + | |||
| + | This is intentional behavior: the kernel module that handles the TTL target implements a **rule check callback** that validates the structure received from userspace. It doesn't trust you. If something is wrong, it logs to the kernel ring buffer — so ''dmesg'' is always your first stop when debugging ''iptables'' rules. | ||
| </note> | </note> | ||
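Review bot: the sentence "will accept your command silently and still fail at kernel level. You won't see an error in the terminal" contradicts the quoted output that follows it, which is an error message printed in the terminal by iptables. Suggest rewording to something like "the iptables userspace parser accepts the rule, but the kernel rejects it and the terminal only shows a generic message:" so that the actual point (the specific cause is only visible in dmesg) reads cleanly. Structurally the hunk is sound: the added `</note>` after the "Also, use this man page" line closes the note that previously enclosed that line, and the pre-existing `</note>` at the end now closes the new `<note important>`, so the nesting stays well-formed.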