Florian Westphal wrote:
> commit d6d3f08b0fd998b647a05540cedd11a067b72867
> (netfilter: xtables: conntrack match revision 2) does break the
> v1 conntrack match iptables-save output in a subtle way.
>
> Problem is as follows:
>
> up = kmalloc(sizeof(*up), GFP_KERNEL);
> [..]
> /*
>  * The strategy here is to minimize the overhead of v1 matching,
>  * by prebuilding a v2 struct and putting the pointer into the
>  * v1 dataspace.
>  */
> memcpy(up, info, offsetof(typeof(*info), state_mask));
> [..]
> *(void **)info = up;
>
> As the v2 struct pointer is saved in the match data space,
> it clobbers the first structure member (->origsrc_addr).
>
> Because the _v1 match function grabs this pointer and does not actually
> look at the v1 origsrc, run time functionality does not break.
> But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
> has been overloaded in this way:
>
> $ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
> $ iptables-save
> -A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
>
> (128.173... is the address to the v2 match structure).
>
> To fix this, we take advantage of the fact that the v1 and v2 structures
> are identical with exception of the last two structure members (u8 in v1,
> u16 in v2).
>
> We extract them as early as possible and prevent the v2 matching function
> from looking at those two members directly.
>
> Previously reported by Michel Messerschmidt via Ben Hutchings, also
> see Debian Bug tracker #556587.

Applied, thanks Florian.
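The following is a constructed C illustration of the clobbering bug and of the fix strategy described in the quoted report. It is added here and is not part of the thread or of the kernel's code: the struct layouts (`mtinfo_v1`, `mtinfo_v2`), the `ct_state` stand-in, the `FLAG_*` values and the function names are simplified assumptions, not the real `xt_conntrack_mtinfo1`/`xt_conntrack_mtinfo2` definitions. The broken path stores the prebuilt v2 pointer on top of `origsrc_addr`, so whatever later reads the rule data (as iptables-save does) sees the pointer value instead of the configured address; the fixed path keeps the v1 data space untouched by extracting the two divergent members at their own width and passing them to a shared matcher that only reads the common prefix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the v1/v2 match info (illustrative layout).
 * The common prefix is identical; only the last two members differ
 * in width (u8 in v1, u16 in v2), as the report states. */
struct mtinfo_v1 {
    uint32_t origsrc_addr[4];  /* first member, like union nf_inet_addr */
    uint32_t origsrc_mask;
    uint8_t  match_flags;
    uint8_t  state_mask;       /* u8 in v1 */
    uint8_t  status_mask;      /* u8 in v1 */
};

struct mtinfo_v2 {
    uint32_t origsrc_addr[4];
    uint32_t origsrc_mask;
    uint8_t  match_flags;
    uint16_t state_mask;       /* u16 in v2 */
    uint16_t status_mask;      /* u16 in v2 */
};

/* Minimal stand-in for the connection state the matcher inspects. */
struct ct_state {
    uint32_t origsrc;  /* original source address, first word only */
    uint16_t state;    /* a state bit, as in the kernel's state masks */
};

#define FLAG_ORIGSRC 0x01  /* assumed flag values */
#define FLAG_STATE   0x02

/* Broken strategy from the report: prebuild a v2 struct and stash its
 * pointer in the v1 data space, which overwrites origsrc_addr. */
static struct mtinfo_v2 *checkentry_v1_broken(struct mtinfo_v1 *info)
{
    struct mtinfo_v2 *up = malloc(sizeof(*up));
    if (!up)
        return NULL;
    memset(up, 0, sizeof(*up));
    memcpy(up, info, offsetof(struct mtinfo_v1, state_mask));
    up->state_mask  = info->state_mask;
    up->status_mask = info->status_mask;
    /* The kernel wrote *(void **)info = up; memcpy does the same store
     * without aliasing UB. Either way the pointer lands on origsrc_addr. */
    memcpy(info, &up, sizeof(up));
    return up;
}

/* Returns 1 if origsrc_addr survives the broken checkentry, 0 if the
 * stored pointer clobbered it (what a rule dump would then print). */
int broken_preserves_origsrc(void)
{
    struct mtinfo_v1 info;
    memset(&info, 0, sizeof(info));
    info.origsrc_addr[0] = 0x0100000aU;  /* 10.0.0.1 as a little-endian u32 */
    info.match_flags = FLAG_ORIGSRC;
    struct mtinfo_v2 *up = checkentry_v1_broken(&info);
    int ok = info.origsrc_addr[0] == 0x0100000aU;
    free(up);
    return ok;
}

/* Fix: the shared matcher never reads the two divergent members; each
 * revision extracts them at its own width and passes them in explicitly. */
static bool conntrack_mt(const struct mtinfo_v2 *info,  /* common prefix only */
                         uint16_t state_mask, uint16_t status_mask,
                         const struct ct_state *ct)
{
    (void)status_mask;  /* not evaluated in this reduced example */
    if ((info->match_flags & FLAG_ORIGSRC) &&
        (ct->origsrc & info->origsrc_mask) !=
        (info->origsrc_addr[0] & info->origsrc_mask))
        return false;
    if ((info->match_flags & FLAG_STATE) && !(ct->state & state_mask))
        return false;
    return true;
}

bool conntrack_mt_v1(const struct mtinfo_v1 *info, const struct ct_state *ct)
{
    /* The prefix is layout-identical, so the cast exposes only shared fields
     * and the v1 data space is never written. */
    return conntrack_mt((const struct mtinfo_v2 *)info,
                        info->state_mask, info->status_mask, ct);
}

bool conntrack_mt_v2(const struct mtinfo_v2 *info, const struct ct_state *ct)
{
    return conntrack_mt(info, info->state_mask, info->status_mask, ct);
}

/* Returns 1 if the fixed v1 path matches correctly and leaves the rule
 * data (and thus the saved --ctorigsrc) intact. */
int fixed_v1_matches(void)
{
    struct mtinfo_v1 info;
    memset(&info, 0, sizeof(info));
    info.origsrc_addr[0] = 0x0100000aU;
    info.origsrc_mask = 0xffffffffU;
    info.match_flags = FLAG_ORIGSRC | FLAG_STATE;
    info.state_mask = 0x02;
    struct ct_state ct    = { 0x0100000aU, 0x02 };  /* constructed: matches */
    struct ct_state other = { 0x0200000aU, 0x02 };  /* constructed: 10.0.0.2 */
    return conntrack_mt_v1(&info, &ct) && !conntrack_mt_v1(&info, &other)
        && info.origsrc_addr[0] == 0x0100000aU;
}
```

The check that matters for the reported symptom is the last one in `fixed_v1_matches`: after the fixed path has run, the rule's own `origsrc_addr` still holds what the administrator configured, so a later dump of the rule table prints the real address rather than a kernel pointer.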