diff options
| author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2014-11-30 13:56:53 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-12-03 06:43:35 -0500 |
| commit | a51b9199b1e092da5ee4a89852e84b4c52ae6044 (patch) | |
| tree | 6753ba88f049b6e6527e22209861b51dac19b18c /include/uapi/linux | |
| parent | 86ac79c7bea1543423f96f388b7ac2e3acca66b3 (diff) | |
netfilter: ipset: Alignment problem between 64bit kernel 32bit userspace
Sven-Haegar Koch reported the issue:
sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.
In syslog:
x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32
which was introduced by the counter extension in ipset.
The patch fixes the alignment issue with introducing a new set match
revision with the fixed underlying 'struct ip_set_counter_match'
structure.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/uapi/linux')
| -rw-r--r-- | include/uapi/linux/netfilter/ipset/ip_set.h | 8 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/xt_set.h | 13 |
2 files changed, 18 insertions, 3 deletions
diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h index ca03119111a2..5ab4e60894cf 100644 --- a/include/uapi/linux/netfilter/ipset/ip_set.h +++ b/include/uapi/linux/netfilter/ipset/ip_set.h | |||
| @@ -256,11 +256,17 @@ enum { | |||
| 256 | IPSET_COUNTER_GT, | 256 | IPSET_COUNTER_GT, |
| 257 | }; | 257 | }; |
| 258 | 258 | ||
| 259 | struct ip_set_counter_match { | 259 | /* Backward compatibility for set match v3 */ |
| 260 | struct ip_set_counter_match0 { | ||
| 260 | __u8 op; | 261 | __u8 op; |
| 261 | __u64 value; | 262 | __u64 value; |
| 262 | }; | 263 | }; |
| 263 | 264 | ||
| 265 | struct ip_set_counter_match { | ||
| 266 | __aligned_u64 value; | ||
| 267 | __u8 op; | ||
| 268 | }; | ||
| 269 | |||
| 264 | /* Interface to iptables/ip6tables */ | 270 | /* Interface to iptables/ip6tables */ |
| 265 | 271 | ||
| 266 | #define SO_IP_SET 83 | 272 | #define SO_IP_SET 83 |
diff --git a/include/uapi/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h index d6a1df1f2947..d4e02348384c 100644 --- a/include/uapi/linux/netfilter/xt_set.h +++ b/include/uapi/linux/netfilter/xt_set.h | |||
| @@ -66,8 +66,8 @@ struct xt_set_info_target_v2 { | |||
| 66 | 66 | ||
| 67 | struct xt_set_info_match_v3 { | 67 | struct xt_set_info_match_v3 { |
| 68 | struct xt_set_info match_set; | 68 | struct xt_set_info match_set; |
| 69 | struct ip_set_counter_match packets; | 69 | struct ip_set_counter_match0 packets; |
| 70 | struct ip_set_counter_match bytes; | 70 | struct ip_set_counter_match0 bytes; |
| 71 | __u32 flags; | 71 | __u32 flags; |
| 72 | }; | 72 | }; |
| 73 | 73 | ||
| @@ -81,4 +81,13 @@ struct xt_set_info_target_v3 { | |||
| 81 | __u32 timeout; | 81 | __u32 timeout; |
| 82 | }; | 82 | }; |
| 83 | 83 | ||
| 84 | /* Revision 4 match */ | ||
| 85 | |||
| 86 | struct xt_set_info_match_v4 { | ||
| 87 | struct xt_set_info match_set; | ||
| 88 | struct ip_set_counter_match packets; | ||
| 89 | struct ip_set_counter_match bytes; | ||
| 90 | __u32 flags; | ||
| 91 | }; | ||
| 92 | |||
| 84 | #endif /*_XT_SET_H*/ | 93 | #endif /*_XT_SET_H*/ |