
[iptables,0/4] iptables: Fix [unsupported revision] for matches/targets after update

Message ID 1520413843-24456-1-git-send-email-serhe.popovych@gmail.com

Message

Serhey Popovych March 7, 2018, 9:10 a.m. UTC
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1147
Testing: tested by reproducing the original issue with and without changes

In short, if a kernel match/target supports more revisions than the current
iptables version can configure, the highest possible one is negotiated.

If iptables is updated to a new version with support for additional revisions,
rule listing/saving gets broken, because the new version negotiates the
highest possible revision with the kernel and registers *only* that one,
while on rule dump the kernel submits the revision the rule was configured
with by the old version.

I propose to extend iptables to register all supported revisions negotiated
with the kernel in descending order and to find the correct rule revision
during listing/saving, while using the highest revision for the rest of the
cases.

See the individual patch description messages for more information on
the approach.

Note that the so-version isn't updated while new functions are introduced,
since there may be other changes before release.

Thanks,
Serhey

Serhey Popovych (4):
  xtables: Do not register matches/targets with incompatible revision
  xtables: Check match/target size vs XT_ALIGN(size) at register time
  xtables: Register all match/target revisions supported by us and
    kernel
  xtables: Fix rules print/save after iptables update

 include/xtables.h    |    6 ++
 iptables/ip6tables.c |   66 +++++++++------
 iptables/iptables.c  |   66 +++++++++------
 libxtables/xtables.c |  221 +++++++++++++++++++++++++++++++++++++-------------
 4 files changed, 257 insertions(+), 102 deletions(-)
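The negotiation failure described in the cover letter, and the fix the series proposes, as an added example that is not code from iptables or libxtables and not the author's patches: a small registry of (name, revision) pairs, an "old" registration that keeps only the highest kernel-accepted revision, a "fixed" registration that keeps every revision both sides support in descending order, and two lookups, one for new rules (highest) and one for listing/saving (exact revision the kernel dumped). All names here (`ext_spec`, `registry`, `kernel_supports`, `register_revisions`, `can_list_dumped_rule`) are hypothetical, and the kernel's revision table is a constructed stub standing in for the real revision query.

```c
/* Added example, not iptables/libxtables code: models how match/target
 * revision negotiation breaks rule listing after an iptables upgrade, and
 * the fix this series describes (register every revision both sides
 * support, highest first; resolve the exact revision when listing).
 * All names are hypothetical; the kernel revision table is constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_REG 16

struct ext_spec { const char *name; unsigned int revision; };

/* Registered (name, revision) pairs. Revisions are passed highest first,
 * so the first hit for a name is its highest registered revision. */
struct registry { struct ext_spec entries[MAX_REG]; unsigned int count; };

/* Stand-in for asking the kernel about a revision (constructed table:
 * this "kernel" knows "conntrack" revisions 0..3 and nothing else). */
static bool kernel_supports(const char *name, unsigned int rev)
{
    return strcmp(name, "conntrack") == 0 && rev <= 3;
}

/* Registers the revisions of `name` the kernel accepts, in the given
 * (descending) order. all=false is the old behaviour: stop after the
 * highest one. Returns the number registered, -1 if the table is full. */
static int register_revisions(struct registry *reg, const char *name,
                              const unsigned int *revs, unsigned int nrevs,
                              bool all)
{
    int added = 0;
    for (unsigned int i = 0; i < nrevs; i++) {
        if (!kernel_supports(name, revs[i]))
            continue;
        if (reg->count >= MAX_REG)
            return -1;
        reg->entries[reg->count++] = (struct ext_spec){ name, revs[i] };
        added++;
        if (!all)
            break;
    }
    return added;
}

/* New rule: first (highest) registered revision of that name, or NULL. */
static const struct ext_spec *find_highest(const struct registry *reg,
                                           const char *name)
{
    for (unsigned int i = 0; i < reg->count; i++)
        if (strcmp(reg->entries[i].name, name) == 0)
            return &reg->entries[i];
    return NULL;
}

/* Listing/saving: the kernel hands back the revision the rule was created
 * with, so only an exact (name, revision) hit is usable. */
static const struct ext_spec *find_revision(const struct registry *reg,
                                            const char *name, unsigned int rev)
{
    for (unsigned int i = 0; i < reg->count; i++)
        if (strcmp(reg->entries[i].name, name) == 0 &&
            reg->entries[i].revision == rev)
            return &reg->entries[i];
    return NULL;
}

/* Constructed scenario: an older iptables that only knew conntrack rev 1
 * added a rule, so the kernel dumps it with revision 1; the upgraded
 * iptables knows revisions 3, 2, 1 and 0. */
static const unsigned int conntrack_revs[] = { 3, 2, 1, 0 };
#define DUMPED_RULE_REV 1u

/* Can the dumped rev-1 rule be listed? Old scheme: no; fixed scheme: yes. */
bool can_list_dumped_rule(bool register_all)
{
    struct registry reg = {0};
    register_revisions(&reg, "conntrack", conntrack_revs, 4, register_all);
    return find_revision(&reg, "conntrack", DUMPED_RULE_REV) != NULL;
}

/* Revision a new rule gets under the fixed scheme: still the highest. */
unsigned int rev_for_new_rule(void)
{
    struct registry reg = {0};
    register_revisions(&reg, "conntrack", conntrack_revs, 4, true);
    const struct ext_spec *e = find_highest(&reg, "conntrack");
    return e ? e->revision : 0;
}

int main(void)
{
    printf("old scheme lists rev %u rule: %s\n", DUMPED_RULE_REV,
           can_list_dumped_rule(false) ? "yes" : "no (unsupported revision)");
    printf("fixed scheme lists rev %u rule: %s\n", DUMPED_RULE_REV,
           can_list_dumped_rule(true) ? "yes" : "no");
    printf("fixed scheme uses rev %u for new rules\n", rev_for_new_rule());
    return 0;
}
```

The point the model makes visible is that the listing lookup and the new-rule lookup are different queries: listing must match the revision the kernel reports for an existing rule, and that revision is only resolvable if it was registered, regardless of whether a higher one exists. In the real libxtables the kernel side is the revision query the cover letter calls negotiation; the stub here replaces it with a fixed table so the example runs offline.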

Comments

Willem de Bruijn March 7, 2018, 4:18 p.m. UTC | #1
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1147
> Testing: tested by reproducing the original issue with and without changes

> In short, if a kernel match/target supports more revisions than the current
> iptables version can configure, the highest possible one is negotiated.

> If iptables is updated to a new version with support for additional revisions,
> rule listing/saving gets broken, because the new version negotiates the
> highest possible revision with the kernel and registers *only* that one,
> while on rule dump the kernel submits the revision the rule was configured
> with by the old version.

> I propose to extend iptables to register all supported revisions negotiated
> with the kernel in descending order and to find the correct rule revision
> during listing/saving, while using the highest revision for the rest of the
> cases.

> See the individual patch description messages for more information on
> the approach.

> Note that the so-version isn't updated while new functions are introduced,
> since there may be other changes before release.

> Thanks,
> Serhey

> Serhey Popovych (4):
>    xtables: Do not register matches/targets with incompatible revision
>    xtables: Check match/target size vs XT_ALIGN(size) at register time
>    xtables: Register all match/target revisions supported by us and
>      kernel
>    xtables: Fix rules print/save after iptables update

>   include/xtables.h    |    6 ++
>   iptables/ip6tables.c |   66 +++++++++------
>   iptables/iptables.c  |   66 +++++++++------
>   libxtables/xtables.c |  221 +++++++++++++++++++++++++++++++++++++-------------
>   4 files changed, 257 insertions(+), 102 deletions(-)

> --

For the series:

Acked-by: Willem de Bruijn <willemb@google.com>

Thanks for fixing this, Serhey.