summaryrefslogtreecommitdiffstats
path: root/include/linux/netfilter
diff options
context:
space:
mode:
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2014-11-06 19:15:26 +0100
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2014-11-06 19:15:26 +0100
commita40cd9b784590ee09f1be4897f28bb0b2ce1096d (patch)
tree57cad29658356b7ea75daab99a2d2e6efccece1a /include/linux/netfilter
parentda6c162ce5fb42fa5439ae0b95c321fb476b9cb7 (diff)
Alignment problem between 64bit kernel 32bit userspace
Sven-Haegar Koch reported the issue: sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT iptables: Invalid argument. Run `dmesg' for more information. In syslog: x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32 which was introduced by the counter extension in ipset. The patch fixes the alignment issue with introducing a new set match revision with the fixed underlying 'struct ip_set_counter_match' structure. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Diffstat (limited to 'include/linux/netfilter')
-rw-r--r--include/linux/netfilter/ipset/ip_set.h8
-rw-r--r--include/linux/netfilter/xt_set.h9
2 files changed, 16 insertions, 1 deletions
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 7f1d6041..b69bbc72 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -236,11 +236,17 @@ enum {
IPSET_COUNTER_GT,
};
-struct ip_set_counter_match {
+/* Backward compatibility for set match v3 */
+struct ip_set_counter_match0 {
__u8 op;
__u64 value;
};
+struct ip_set_counter_match {
+ __aligned_u64 value;
+ __u8 op;
+};
+
/* Interface to iptables/ip6tables */
#define SO_IP_SET 83
diff --git a/include/linux/netfilter/xt_set.h b/include/linux/netfilter/xt_set.h
index d6a1df1f..4210c9bf 100644
--- a/include/linux/netfilter/xt_set.h
+++ b/include/linux/netfilter/xt_set.h
@@ -66,6 +66,15 @@ struct xt_set_info_target_v2 {
struct xt_set_info_match_v3 {
struct xt_set_info match_set;
+ struct ip_set_counter_match0 packets;
+ struct ip_set_counter_match0 bytes;
+ __u32 flags;
+};
+
+/* Revision 4 match */
+
+struct xt_set_info_match_v4 {
+ struct xt_set_info match_set;
struct ip_set_counter_match packets;
struct ip_set_counter_match bytes;
__u32 flags;