Sven-Haegar Koch <haegar@xxxxxxxxx> wrote:
> Hello,
>
> Problem with 32bit userspace iptables, 64bit kernel and the "-m set"
> ipset match.
>
> iptables:
> 32bit, debian 1.4.21-2 plus the ipset patch from the git branch
>
> kernel:
> 64bit, debian 3.2.63-2+deb7u1 plus ipset 6.23
>
> When trying to add an iptables set match it fails with the following
> error when using a 64bit kernel and 32bit userspace:
>
> sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
> iptables: Invalid argument. Run `dmesg' for more information.
>
> In syslog:
> x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32
>
>
> Adding some hacky padding to the userspace iptables makes it work with
> my 64bit kernel, but this way is naturally no real solution:
>
> (whitespace damaged, cut&paste)
>
> --- a/include/linux/netfilter/ipset/ip_set.h
> +++ b/include/linux/netfilter/ipset/ip_set.h
> @@ -238,6 +238,7 @@ enum {
>
> struct ip_set_counter_match {
> __u8 op;
> + __u8 padding[7];
> __u64 value;

Ouch.

> I do not see a way to cleanly fix the revision 3 set match, as any
> change would break it for either existing 32+32 or 64+64 environments -

Right.

The unclean fix is to provide compat fixup hooks to transparently
convert it in the kernel.

See net/netfilter/xt_limit.c for a full example; essentially the
target/match description has to provide

static struct xt_match limit_mt_reg __read_mostly = {
	.name             = "limit",
	[..]
#ifdef CONFIG_COMPAT
	.compatsize       = sizeof(struct compat_xt_rateinfo),
	.compat_from_user = limit_mt_compat_from_user,
	.compat_to_user   = limit_mt_compat_to_user,
#endif

i.e. the size of the 32bit layout and conversion hooks that translate from
the 32 to the 64 bit layout (and vice versa).

Jozsef -- v4 or compat crap? :-)
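Review bot: the `+ __u8 padding[7];` inserted between `op` and `value` is a UAPI layout change for every architecture, not only a 32-on-64 fixup. On i386 `__u64` is 4-byte aligned, so the unpatched struct is 12 bytes (1 byte `op`, 3 bytes implicit padding, 8 bytes `value`); with the explicit padding it becomes 16 bytes, which is what a 64-bit kernel expects, but a 32-bit kernel with this userspace would then fail the same size check in the other direction. That is the 32+32 breakage the submitter anticipates, and it is why the struct has to stay as it is and the translation has to live in the kernel's compat path rather than in the header.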
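To make the layout problem and the shape of the compat fixup concrete, here is an added illustration; it is not code from this thread, from ipset or from xtables. It models only the `ip_set_counter_match` sub-struct from the quoted hunk (the real `set.3` match struct is larger, hence 48 vs 32 in the log), and the hook names `counter_match_compat_from_user` / `counter_match_compat_to_user` are hypothetical stand-ins for the real `.compat_from_user` / `.compat_to_user` callbacks. It builds as an ordinary userspace program on a 64-bit host, where a `typedef` with `__attribute__((aligned(4)))` reproduces the i386 `__u64` alignment the same way the kernel's `compat_u64` does.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Native (64-bit kernel) layout: uint64_t is 8-byte aligned, so 7 bytes of
 * implicit padding follow op and sizeof == 16. */
struct ip_set_counter_match {
	uint8_t  op;
	uint64_t value;
};

/* i386 userspace layout: there __u64 is only 4-byte aligned, so 3 bytes of
 * padding follow op and sizeof == 12. Same trick as the kernel's compat_u64
 * (assumption: the compiler honours aligned() reducing typedef alignment,
 * which gcc and clang do). */
typedef uint64_t compat_u64 __attribute__((aligned(4)));

struct compat_ip_set_counter_match {
	uint8_t    op;
	compat_u64 value;
};

/* What the xt_match .compatsize field would carry for this struct. */
static size_t counter_match_compatsize(void)
{
	return sizeof(struct compat_ip_set_counter_match);
}

/* The x_tables size check, reduced to this struct: without compat hooks the
 * kernel compares the size userspace declared against its native size and
 * rejects the rule with "invalid size X (kernel) != (user) Y". */
static int match_size_ok(size_t user_size)
{
	return user_size == sizeof(struct ip_set_counter_match);
}

/* Hypothetical .compat_from_user hook: read the 32-bit layout from the
 * userspace buffer and write the native layout, field by field. */
static void counter_match_compat_from_user(void *dst, const void *src)
{
	struct compat_ip_set_counter_match cm;
	struct ip_set_counter_match m;

	memcpy(&cm, src, sizeof(cm));
	m.op = cm.op;
	m.value = cm.value;
	memcpy(dst, &m, sizeof(m));
}

/* Hypothetical .compat_to_user hook: the reverse direction, used when a
 * 32-bit iptables -L / -S reads the ruleset back from a 64-bit kernel. */
static void counter_match_compat_to_user(void *dst, const void *src)
{
	struct ip_set_counter_match m;
	struct compat_ip_set_counter_match cm;

	memcpy(&m, src, sizeof(m));
	cm.op = m.op;
	cm.value = m.value;
	memcpy(dst, &cm, sizeof(cm));
}

/* Round trip: encode as 32-bit userspace would, translate into the kernel's
 * layout and back, and report whether both fields and the original bytes
 * survived. Returns 1 on success, 0 on any mismatch. */
static int roundtrip_ok(uint8_t op, uint64_t value)
{
	unsigned char user_buf[sizeof(struct compat_ip_set_counter_match)];
	unsigned char kern_buf[sizeof(struct ip_set_counter_match)];
	unsigned char back_buf[sizeof(struct compat_ip_set_counter_match)];
	struct compat_ip_set_counter_match cm = { .op = op, .value = value };
	struct ip_set_counter_match m;

	memset(user_buf, 0, sizeof(user_buf));
	memcpy(user_buf, &cm, sizeof(cm));
	counter_match_compat_from_user(kern_buf, user_buf);
	memcpy(&m, kern_buf, sizeof(m));
	if (m.op != op || m.value != value)
		return 0;
	counter_match_compat_to_user(back_buf, kern_buf);
	return memcmp(back_buf, user_buf, sizeof(user_buf)) == 0;
}

int main(void)
{
	printf("native layout: %zu bytes, compat layout: %zu bytes\n",
	       sizeof(struct ip_set_counter_match), counter_match_compatsize());
	printf("32-bit size accepted without compat hooks: %s\n",
	       match_size_ok(counter_match_compatsize()) ? "yes" : "no");
	printf("round trip through compat hooks: %s\n",
	       roundtrip_ok(3, 0x0123456789abcdefULL) ? "ok" : "FAILED");
	return 0;
}
```

The pattern mirrors xt_limit: the kernel keeps one definition of the native struct, declares the 32-bit size via `.compatsize`, and the two hooks move fields between the layouts, so neither the 32+32 nor the 64+64 wire format changes and only the mixed case gains a translation step.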