From patchwork Fri Aug 13 12:19:55 2010
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 61679
X-Patchwork-Delegate: davem@davemloft.net
Date: Fri, 13 Aug 2010 14:19:55 +0200
From: Florian Westphal
To: Eric Dumazet
Cc: Jussi Kivilinna, netdev@vger.kernel.org, Netfilter Development Mailinglist
Subject: Re: 2.6.35, netfilter/iptables not working with 32bit userspace + 64bit kernel?
Message-ID: <20100813121955.GI15614@Chamillionaire.breakpoint.cc>
References: <20100813134706.509472n222yo71d6@hayate.sektori.org> <1281701885.4470.22.camel@edumazet-laptop>
In-Reply-To: <1281701885.4470.22.camel@edumazet-laptop>
User-Agent: Mutt/1.5.20 (2009-06-14)
List-ID: netdev@vger.kernel.org

Eric Dumazet wrote:
> CC netfilter-devel to get more people in touch
>
> Thanks !
>
> On Friday 13 August 2010 at 13:47 +0300, Jussi Kivilinna wrote:
> > Hello!
> >
> > I have a server/firewall running Debian lenny with 32bit userspace and
> > 64bit kernel. After upgrading from 2.6.34 to 2.6.35, I couldn't get
> > any new chains to work. Simply doing (with 32bit iptables)
> >
> > iptables -N new_chain
> > iptables -A OUTPUT -j new_chain
> > iptables -A OUTPUT -j ACCEPT
> >
> > causes output to freeze. "iptables -L -vn" shows:
> >
> > Chain OUTPUT (policy ACCEPT 3397 packets, 637K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     3   252 new_chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> >
> > Ping shows "ping: sendmsg: Operation not permitted".
> >
> > With recompiled 64bit iptables, the example above works fine.

You need this patch:

commit f3c5c1bfd430858d3a05436f82c51e53104feb6b
(netfilter: xtables: make ip_tables reentrant) forgot to also compute
the jumpstack size in the compat handlers.

Result is that "iptables -I INPUT -j userchain" turns into -j DROP.

Reported by Sebastian Roesner on #netfilter, closes
http://bugzilla.netfilter.org/show_bug.cgi?id=669.

Note: arptables change is compile-tested only.
Signed-off-by: Florian Westphal --- net/ipv4/netfilter/arp_tables.c | 3 +++ net/ipv4/netfilter/ip_tables.c | 3 +++ net/ipv6/netfilter/ip6_tables.c | 3 +++ 3 files changed, 9 insertions(+), 0 deletions(-) diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 6bccba3..4829766 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -1418,6 +1418,9 @@ static int translate_compat_table(const char *name, if (ret != 0) break; ++i; + if (strcmp(arpt_get_target(iter1)->u.user.name, + XT_ERROR_TARGET) == 0) + ++newinfo->stacksize; } if (ret) { /* diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index c439721..3d3b695 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1749,6 +1749,9 @@ translate_compat_table(struct net *net, if (ret != 0) break; ++i; + if (strcmp(ipt_get_target(iter1)->u.user.name, + XT_ERROR_TARGET) == 0) + ++newinfo->stacksize; } if (ret) { /* diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 5359ef4..bad3c7f 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1764,6 +1764,9 @@ translate_compat_table(struct net *net, if (ret != 0) break; ++i; + if (strcmp(ip6t_get_target(iter1)->u.user.name, + XT_ERROR_TARGET) == 0) + ++newinfo->stacksize; } if (ret) { /*
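Review bot: the arp_tables.c hunk (translate_compat_table, the new `++newinfo->stacksize` on the XT_ERROR_TARGET branch) is, per the commit message, compile-tested only, so the one path this patch exists to fix has not been exercised for arptables. Before this goes in, please run a 32-bit arptables against a 64-bit kernel, create a user chain and jump to it, and confirm the jump is taken rather than dropped, the same check the reporter did with iptables.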
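Review bot: the ip_tables.c hunk adds `if (strcmp(ipt_get_target(iter1)->u.user.name, XT_ERROR_TARGET) == 0) ++newinfo->stacksize;` with no comment saying why an ERROR target is counted toward the jump stack. A reader of the compat path will not know that every user-defined chain begins with an ERROR-target entry carrying the chain name, so the count equals the number of user chains and bounds the jump depth; a one-line comment to that effect, matching whatever the non-compat translate_table already says, would stop the next person from "simplifying" this away.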
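Review bot: the ip6_tables.c hunk is the third verbatim copy of the same three-line block (arp_tables.c, ip_tables.c, ip6_tables.c), and per the commit message it only re-creates what the non-compat translate_table already does. That is exactly the divergence that caused this bug: the compat and non-compat paths compute stacksize independently and one was forgotten. Consider a small shared helper (or at minimum identical comments in both paths) so the two cannot drift apart again.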