From patchwork Fri Aug 13 12:19:55 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: 2.6.35,
 netfilter/iptables not working with 32bit userspace + 64bit kernel?
Date: Fri, 13 Aug 2010 02:19:55 -0000
From: Florian Westphal <fw@strlen.de>
X-Patchwork-Id: 61679
Message-Id: <20100813121955.GI15614@Chamillionaire.breakpoint.cc>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>, netdev@vger.kernel.org,
 Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>

Eric Dumazet <eric.dumazet@gmail.com> wrote:
> CC netfilter-devel to get more people in touch
> 
> Thanks !
> 
> Le vendredi 13 août 2010 à 13:47 +0300, Jussi Kivilinna a écrit :
> > Hello!
> > 
> > I have server/firewall running Debian lenny with 32bit userspace and  
> > 64bit kernel. After upgrading from 2.6.34 to 2.6.35, I couldn't get  
> > any new chains work. Simply doing (with 32bit iptables)
> > 
> >    iptables -N new_chain
> >    iptables -A OUTPUT -j new_chain
> >    iptables -A OUTPUT -j ACCEPT
> > 
> > cause output to freeze. "iptables -L -vn" shows:
> > 
> > Chain OUTPUT (policy ACCEPT 3397 packets, 637K bytes)
> >   pkts bytes target     prot opt in     out     source         destination
> >      3   252 new_chain  all  --  *      *       0.0.0.0/0      0.0.0.0/0
> >      0     0 ACCEPT     all  --  *      *       0.0.0.0/0      0.0.0.0/0
> > 
> > Ping shows "ping: sendmsg: Operation not permitted".
> > 
> > With recompiled 64bit iptables, example above works fine.

You need this patch:

commit f3c5c1bfd430858d3a05436f82c51e53104feb6b
(netfilter: xtables: make ip_tables reentrant) forgot to
also compute the jumpstack size in the compat handlers.

Result is that "iptables -I INPUT -j userchain" turns into -j DROP.

Reported by Sebastian Roesner on #netfilter, closes
http://bugzilla.netfilter.org/show_bug.cgi?id=669.

Note: arptables change is compile-tested only.

Signed-off-by: Florian Westphal <fw@strlen.de>

---
net/ipv4/netfilter/arp_tables.c |    3 +++
 net/ipv4/netfilter/ip_tables.c  |    3 +++
 net/ipv6/netfilter/ip6_tables.c |    3 +++
 3 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 6bccba3..4829766 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1418,6 +1418,9 @@ static int translate_compat_table(const char *name,
 		if (ret != 0)
 			break;
 		++i;
+		if (strcmp(arpt_get_target(iter1)->u.user.name,
+		    XT_ERROR_TARGET) == 0)
+			++newinfo->stacksize;
 	}
 	if (ret) {
 		/*
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index c439721..3d3b695 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1749,6 +1749,9 @@ translate_compat_table(struct net *net,
 		if (ret != 0)
 			break;
 		++i;
+		if (strcmp(ipt_get_target(iter1)->u.user.name,
+		    XT_ERROR_TARGET) == 0)
+			++newinfo->stacksize;
 	}
 	if (ret) {
 		/*
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 5359ef4..bad3c7f 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1764,6 +1764,9 @@ translate_compat_table(struct net *net,
 		if (ret != 0)
 			break;
 		++i;
+		if (strcmp(ip6t_get_target(iter1)->u.user.name,
+		    XT_ERROR_TARGET) == 0)
+			++newinfo->stacksize;
 	}
 	if (ret) {
 		/*