On Fri, Apr 21, 2017 at 4:15 PM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> On Thu, 8 Dec 2016, Willem de Bruijn wrote:
>
>> From: Willem de Bruijn <willemb@xxxxxxxxxx>
>>
>> Between revisions, the layout of xtables data may change completely.
>> Do not interpret the data in a revision M with a module of revision N.
>>
>> Signed-off-by: Willem de Bruijn <willemb@xxxxxxxxxx>
>> ---
>> iptables/ip6tables.c | 18 ++++++++++++++----
>> iptables/iptables.c | 18 ++++++++++++++----
>> 2 files changed, 28 insertions(+), 8 deletions(-)
>
> The patch breaks backward/forward compatibility in a match/target.
>
> When the list of the revisions of a given match/target of iptables is not
> exactly the same as for the kernel counterpart (when the kernel module
> supports fewer revisions than iptables), then in spite of the supported
> match/target, " [unsupported revision]" is printed instead of the
> arguments. See https://bugzilla.netfilter.org/show_bug.cgi?id=1147.

Thanks for the report.

> Please consider reverting the patch. Or we should not stop in
> xtables_find_match/xtables_find_target at revision checking when the
> revision does not match, until all possibilities are exhausted.

This seems like the better solution to me. The patch fixes a real issue
where garbage is printed by misinterpreting struct fields. Iptables should
try to look up the matching revision for a match or target, instead of
returning the first one. I'll take a look.
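A constructed C model of the lookup order discussed above (added illustration, not code from iptables or from the patch; the registry, the two "foo" layouts and the function names are assumptions). It shows the garbage a name-only lookup produces, the "[unsupported revision]" failure the bug report describes, and the full scan Jozsef proposes.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical model of the userspace extension registry and of two
 * revisions of a "foo" match whose data layouts differ. */
struct foo_v0 { uint32_t value; };                 /* revision 0 */
struct foo_v1 { uint32_t flags; uint32_t value; }; /* revision 1: field inserted */
struct xt_ext { const char *name; unsigned int revision; };

/* Constructed registry: iptables knows both revisions, newest first. */
static const struct xt_ext registry[] = { { "foo", 1 }, { "foo", 0 } };
#define NREG (sizeof(registry) / sizeof(registry[0]))

/* Constructed revision-0 rule data as the kernel would hand it back: value 42,
 * followed by whatever bytes happen to come next in the blob. */
const uint32_t rule_words[2] = { 42u, 0xdeadbeefu };

/* Before the patch: the first entry with a matching name wins, regardless of
 * revision, so revision-0 data may be decoded with the revision-1 layout. */
const struct xt_ext *find_first_by_name(const char *name, unsigned int rev) {
    (void)rev;
    for (size_t i = 0; i < NREG; i++)
        if (strcmp(registry[i].name, name) == 0) return &registry[i];
    return NULL;
}

/* The behaviour reported in the bug: stop at the first name match and reject
 * it when its revision differs, although a later entry would fit. */
const struct xt_ext *find_first_then_check(const char *name, unsigned int rev) {
    for (size_t i = 0; i < NREG; i++)
        if (strcmp(registry[i].name, name) == 0)
            return registry[i].revision == rev ? &registry[i] : NULL;
    return NULL;
}

/* Proposed fix: keep scanning until every candidate has been tried. */
const struct xt_ext *find_by_name_and_revision(const char *name, unsigned int rev) {
    for (size_t i = 0; i < NREG; i++)
        if (strcmp(registry[i].name, name) == 0 && registry[i].revision == rev)
            return &registry[i];
    return NULL;
}

/* Read "value" with the layout of the selected revision; 0 if none was found. */
uint32_t decode_value(const struct xt_ext *ext, const void *data) {
    uint32_t v = 0;
    size_t off = (ext && ext->revision == 1) ? offsetof(struct foo_v1, value) : 0;
    if (ext) memcpy(&v, (const char *)data + off, sizeof v);
    return v;
}
```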