On Fri, 31 Oct 2014, Florian Westphal wrote:

> Sven-Haegar Koch <haegar@xxxxxxxxx> wrote:
> > Hallo,
> >
> > Problem with 32bit userspace iptables, 64bit kernel and the "-m set"
> > ipset match.
> >
> > iptables:
> > 32bit, debian 1.4.21-2 plus the ipset patch from the git branch
> >
> > kernel:
> > 64bit, debian 3.2.63-2+deb7u1 plus ipset 6.23
> >
> > When trying to add an iptables set match it fails with the following
> > error when using 64bit kernel and 32bit userspace:
> >
> > sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
> > iptables: Invalid argument. Run `dmesg' for more information.
> >
> > In syslog:
> > x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32
> >
> >
> > Adding some hacky paddings to the userspace iptables makes it work with
> > my 64bit kernel, but this way is naturally no real solution:
> >
> > (whitespace damaged, cut&paste)
> >
> > --- a/include/linux/netfilter/ipset/ip_set.h
> > +++ b/include/linux/netfilter/ipset/ip_set.h
> > @@ -238,6 +238,7 @@ enum {
> >
> > struct ip_set_counter_match {
> > __u8 op;
> > + __u8 padding[7];
> > __u64 value;
>
> Ouch.
>
> > I do not see a way to cleanly fix the revision 3 set match, as any
> > change would break it for either existing 32+32 or 64+64 environments -
>
> Right.
>
> The unclean fix is to provide compat fixup hooks to transparently
> convert it in the kernel.
>
> See net/netfilter/xt_limit.c for full example, essentially the
> target/match description has to provide
>
> static struct xt_match limit_mt_reg __read_mostly = {
>         .name = "limit",
>         [..]
> #ifdef CONFIG_COMPAT
>         .compatsize = sizeof(struct compat_xt_rateinfo),
>         .compat_from_user = limit_mt_compat_from_user,
>         .compat_to_user = limit_mt_compat_to_user,
> #endif
>
> The size of the 32bit layout and convert hooks that translate
> from the 32 to 64 bit layout (and vice versa).
>
> Jozsef -- v4 or compat crap? :-)

v4 of course! That's the best way to go...

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
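
Review bot: the `__u8 padding[7];` inserted between `op` and `value` in struct ip_set_counter_match hard-codes the 64-bit layout into a header that 32-bit builds also use, so a 32-bit iptables built with it no longer matches a 32-bit kernel that still has the unpadded struct, which is the 32+32 breakage the message itself mentions. Rather than padding the existing revision, carry the layout change in a new match revision and give `value` explicit 8-byte alignment (for example `__aligned_u64 value;`) so both ABIs produce the same offsets, or leave the struct untouched and convert in the kernel through compat hooks. If explicit padding is kept in a new revision, name it as reserved and have the kernel reject non-zero bytes there.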
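
The size mismatch from the syslog line and the conversion a compat hook would perform, modeled in user space as an added example (not code from the thread, iptables or the kernel). The enclosing revision 3 struct shape, the `u64_ia32` typedef and every type and function name here are assumptions, chosen so the two layouts come out at the 32 and 48 bytes reported above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* i386 aligns 64-bit integers to 4 bytes, x86-64 to 8 (GCC/Clang attribute). */
typedef uint64_t __attribute__((aligned(4))) u64_ia32;

/* The struct from the patch, as each ABI lays it out without the padding. */
struct counter_match_64 { uint8_t op; uint64_t value; };  /* 64-bit kernel */
struct counter_match_32 { uint8_t op; u64_ia32 value; };  /* 32-bit iptables */

/* Assumed shape of the revision 3 match data; names are hypothetical. */
struct set_info { uint16_t index; uint8_t dim; uint8_t flags; };
struct match_v3_64 {
	struct set_info match_set;
	struct counter_match_64 packets, bytes;
	uint32_t flags;
};
struct match_v3_32 {
	struct set_info match_set;
	struct counter_match_32 packets, bytes;
	uint32_t flags;
};

/* Model of the x_tables size check that produced the syslog line. */
int size_accepted(size_t user_size)
{
	return user_size == sizeof(struct match_v3_64);
}

/* What a compat_from_user style hook does: copy field by field into a
 * zeroed native struct so alignment holes never carry stale bytes. */
void match_v3_from_compat(struct match_v3_64 *dst, const struct match_v3_32 *src)
{
	memset(dst, 0, sizeof(*dst));
	dst->match_set = src->match_set;
	dst->packets.op = src->packets.op;
	dst->packets.value = src->packets.value;
	dst->bytes.op = src->bytes.op;
	dst->bytes.value = src->bytes.value;
	dst->flags = src->flags;
}

int main(void)
{
	printf("user %zu, kernel %zu, accepted %d\n", sizeof(struct match_v3_32),
	       sizeof(struct match_v3_64), size_accepted(sizeof(struct match_v3_32)));
	return 0;
}
```

The 16-byte difference comes from three places: 4 bytes in each counter struct, 4 bytes before the first counter, and 4 bytes of tail padding after `flags`.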