Hello,

Problem with 32bit userspace iptables, 64bit kernel and the "-m set" ipset match.

iptables: 32bit, debian 1.4.21-2 plus the ipset patch from the git branch
kernel: 64bit, debian 3.2.63-2+deb7u1 plus ipset 6.23

When trying to add an iptables set match it fails with the following error when using 64bit kernel and 32bit userspace:

sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.

In syslog:

x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

Adding some hacky paddings to the userspace iptables makes it work with my 64bit kernel, but this way is naturally no real solution:

(whitespace damaged, cut&paste)

--- a/include/linux/netfilter/ipset/ip_set.h +++ b/include/linux/netfilter/ipset/ip_set.h @@ -238,6 +238,7 @@ enum { struct ip_set_counter_match { __u8 op; + __u8 padding[7]; __u64 value; }; --- a/include/linux/netfilter/xt_set.h +++ b/include/linux/netfilter/xt_set.h @@ -66,9 +66,11 @@ struct xt_set_info_target_v2 { struct xt_set_info_match_v3 { struct xt_set_info match_set; + __u32 padding1; struct ip_set_counter_match packets; struct ip_set_counter_match bytes; __u32 flags; + __u32 padding2; }; /* Revision 3 target */

I do not see a way to cleanly fix the revision 3 set match, as any change would break it for either existing 32+32 or 64+64 environments - the only clean way I see would be a revision 4 that works correctly and accept that rev 3 does not work in the mixed environment.

c'ya
sven-haegar

--
Three may keep a secret, if two of them are dead.
- Ben F.
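Review bot: In the ip_set.h hunk, the new `__u8 padding[7]` in struct ip_set_counter_match changes the size of an existing userspace-visible struct on 32-bit builds, where `__u64 value` is only 4-byte aligned and the struct was 12 bytes, so every existing user of this struct on a 32-bit kernel sees a different layout. Rather than editing the struct in place, define a separate counter-match struct for a new match revision, with the 64-bit member declared `__aligned_u64` or with explicit padding as here, and add a comment stating that the padding bytes are reserved and must be zero so they can be validated or reused later.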
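Review bot: In the xt_set.h hunk, `padding1` and `padding2` are added to struct xt_set_info_match_v3 itself, which changes the size that a 32-bit userspace passes for revision 3 and so trades the mixed-mode failure for a 32+32 failure. The fixed layout belongs in a new struct registered as a new revision, leaving xt_set_info_match_v3 untouched; the two `__u32` members also need a comment saying they exist only to make the 64-bit alignment of the ip_set_counter_match members and of the struct tail explicit.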
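Added example, not part of the original mail and not netfilter code: a C program that reproduces the "48 (kernel) != (user) 32" mismatch on any GCC or Clang host by giving the 64-bit member the alignment each ABI uses. The typedef, macro and function names are made up for the example, and the 4-byte layout of match_set (u16 index, u8 dim, u8 flags) is an assumption, since the mail does not show struct xt_set_info.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed typedefs: a 64-bit integer with the alignment each ABI gives
 * it inside a struct (4 bytes on i386, 8 bytes on x86_64). */
typedef uint64_t u64_align4 __attribute__((aligned(4)));
typedef uint64_t u64_align8 __attribute__((aligned(8)));

/* Unpatched field order from the mail. The match_set layout is an
 * assumption (see lead-in); everything else follows the quoted structs. */
#define DEFINE_LAYOUT(tag, U64)                                            \
    struct set_info_##tag { uint16_t index; uint8_t dim; uint8_t flags; }; \
    struct counter_##tag { uint8_t op; U64 value; };                       \
    struct match_v3_##tag {                                                \
        struct set_info_##tag match_set;                                   \
        struct counter_##tag packets;                                      \
        struct counter_##tag bytes;                                        \
        uint32_t flags;                                                    \
    };                                                                     \
    size_t tag##_size(void) { return sizeof(struct match_v3_##tag); }      \
    size_t tag##_off_packets(void)                                         \
    { return offsetof(struct match_v3_##tag, packets); }                   \
    size_t tag##_off_bytes(void)                                           \
    { return offsetof(struct match_v3_##tag, bytes); }                     \
    size_t tag##_off_flags(void)                                           \
    { return offsetof(struct match_v3_##tag, flags); }

DEFINE_LAYOUT(user32, u64_align4) /* layout a 32-bit iptables builds  */
DEFINE_LAYOUT(kern64, u64_align8) /* layout a 64-bit kernel expects   */

/* The rule was rejected because these two sizes differ (syslog line). */
int sizes_compatible(void) { return user32_size() == kern64_size(); }

int main(void)
{
    printf("%-8s %6s %6s\n", "field", "user32", "kern64");
    printf("%-8s %6zu %6zu\n", "packets",
           user32_off_packets(), kern64_off_packets());
    printf("%-8s %6zu %6zu\n", "bytes",
           user32_off_bytes(), kern64_off_bytes());
    printf("%-8s %6zu %6zu\n", "flags",
           user32_off_flags(), kern64_off_flags());
    printf("%-8s %6zu %6zu\n", "sizeof", user32_size(), kern64_size());
    printf("compatible: %s\n", sizes_compatible() ? "yes" : "no");
    return 0;
}
```

Every member after match_set sits at a different offset in the two layouts, so the two sides disagree on field positions as well as on total size.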