Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1147
Testing: tested by reproducing the original issue with and without changes

In short, if a kernel match/target supports more revisions than the current
version of iptables can configure, the highest possible one is negotiated.

If iptables is updated to a new version with support for additional revisions,
rule listing/saving gets broken, because the new version negotiates the highest
possible revision with the kernel and registers *only* that one, while on rules
dump the kernel submits the revision of the rule configured with the old
version.

I propose to extend iptables to register all supported revisions negotiated
with the kernel in descending order and find the correct rule revision during
listing/saving, while using the highest revision for the rest of the cases.

See the individual patch description messages for more information on the
approach.

Note that the so-version isn't updated while new functions are introduced,
since there may be other changes before release.

Thanks,
Serhey

Serhey Popovych (4):
  xtables: Do not register matches/targets with incompatible revision
  xtables: Check match/target size vs XT_ALIGN(size) at register time
  xtables: Register all match/target revisions supported by us and kernel
  xtables: Fix rules print/save after iptables update

 include/xtables.h    |    6 ++
 iptables/ip6tables.c |   66 +++++++++------
 iptables/iptables.c  |   66 +++++++++------
 libxtables/xtables.c |  221 +++++++++++++++++++++++++++++++++++++-------------
 4 files changed, 257 insertions(+), 102 deletions(-)

--
1.7.10.4
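
The lookup problem described in this cover letter, as an added example that is not part of the original message and is not libxtables code: a small model that registers either only the highest negotiated revision or all negotiated revisions in descending order, then looks up the revision a rule was created with. The `struct ext` type, the function names, the match name `example` and the revision numbers are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an extension registry; not the libxtables API. */
struct ext { const char *name; int revision; struct ext *next; };

static const int kernel_max_rev = 2; /* constructed: highest revision the kernel accepts */

/* Insert keeping the list sorted by revision, highest first. */
static void reg(struct ext **head, struct ext *e) {
    while (*head && (*head)->revision > e->revision) head = &(*head)->next;
    e->next = *head;
    *head = e;
}

/* Behaviour described as broken: keep only the highest mutually supported revision. */
static void register_highest_only(struct ext **head, struct ext *all, int n) {
    struct ext *best = NULL;
    for (int i = 0; i < n; i++)
        if (all[i].revision <= kernel_max_rev && (!best || all[i].revision > best->revision))
            best = &all[i];
    if (best) reg(head, best);
}

/* Proposed behaviour: register every revision both sides support. */
static void register_all(struct ext **head, struct ext *all, int n) {
    for (int i = 0; i < n; i++)
        if (all[i].revision <= kernel_max_rev) reg(head, &all[i]);
}

/* rev < 0: new rule, take the first (highest) entry; otherwise exact match for listing. */
static struct ext *find(struct ext *head, const char *name, int rev) {
    for (; head; head = head->next)
        if (!strcmp(head->name, name) && (rev < 0 || head->revision == rev)) return head;
    return NULL;
}

/* Returns the revision found, or -1 when the rule cannot be printed or saved. */
static int lookup_rev(int all_revs, int rule_rev) {
    struct ext exts[] = {{"example", 0, NULL}, {"example", 1, NULL},
                         {"example", 2, NULL}, {"example", 3, NULL}};
    struct ext *head = NULL;
    if (all_revs) register_all(&head, exts, 4); else register_highest_only(&head, exts, 4);
    struct ext *e = find(head, "example", rule_rev);
    return e ? e->revision : -1;
}

int main(void) {
    printf("highest only, rule rev 1: %d\n", lookup_rev(0, 1));
    printf("all revisions, rule rev 1: %d\n", lookup_rev(1, 1));
    return 0;
}
```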