> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1147
> Testing: tested by reproducing original issue with and without changes
>
> In short if kernel match/target supports more revisions than current
> version iptables can configure: highest possible negotiated.
>
> If update iptables to new version with support for additional revisions
> rule listing/saving gets broken because new version negotiates with
> kernel highest possible and registers *only* that one while on rules
> dump kernel submits revision rule configured with old version.
>
> I propose to extend iptables to register all supported revisions
> negotiated with kernel in descending order and find correct rule
> revision during listing/saving while use highest revision for rest of
> the cases.
>
> See individual patch description message for more information on
> the approach.
>
> Note that so-version isn't updated while new functions introduced
> since there may be other changes before release.
>
> Thanks,
> Serhey
>
> Serhey Popovych (4):
>   xtables: Do not register matches/targets with incompatible revision
>   xtables: Check match/target size vs XT_ALIGN(size) at register time
>   xtables: Register all match/target revisions supported by us and
>     kernel
>   xtables: Fix rules print/save after iptables update
>
>  include/xtables.h | 6 ++
>  iptables/ip6tables.c | 66 +++++++++------
>  iptables/iptables.c | 66 +++++++++------
>  libxtables/xtables.c | 221 +++++++++++++++++++++++++++++++++++++-------------
>  4 files changed, 257 insertions(+), 102 deletions(-)
>
> --

For the series:

Acked-by: Willem de Bruijn <willemb@xxxxxxxxxx>

Thanks for fixing this, Serhey.
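
The lookup problem described in the quoted cover letter, as an added example that is not part of the thread or the patch series: a toy registry showing why a rule the kernel dumps at an older revision cannot be resolved when only the highest negotiated revision is registered. All names (`reg_insert`, `reg_negotiate`, `demo_lookup`, `demo_latest`) and the revision numbers are hypothetical and constructed; this is not libxtables code.

```c
#include <stddef.h>
#include <string.h>

#define MAX_EXT 16
#define KERNEL_MAX 2u                                /* constructed: highest revision the kernel accepts */
static const unsigned USER_REVS[] = { 0, 1, 2, 3 };  /* constructed: revisions userspace implements */

/* Hypothetical registry, not the libxtables structures. */
struct ext { const char *name; unsigned rev; };
struct registry { struct ext e[MAX_EXT]; size_t n; };

/* Insert keeping entries sorted by descending revision. */
static void reg_insert(struct registry *r, const char *name, unsigned rev)
{
    size_t i = r->n;
    if (r->n == MAX_EXT) return;
    for (; i > 0 && r->e[i - 1].rev < rev; i--) r->e[i] = r->e[i - 1];
    r->e[i] = (struct ext){ name, rev };
    r->n++;
}

/* Register revisions the kernel accepts. all_revs == 0 keeps only the
 * highest one, the behaviour the cover letter says breaks listing/saving. */
static void reg_negotiate(struct registry *r, const char *name, int all_revs)
{
    long best = -1;
    for (size_t i = 0; i < sizeof(USER_REVS) / sizeof(USER_REVS[0]); i++) {
        if (USER_REVS[i] > KERNEL_MAX) continue;     /* incompatible revision */
        if (all_revs) reg_insert(r, name, USER_REVS[i]);
        else if ((long)USER_REVS[i] > best) best = (long)USER_REVS[i];
    }
    if (!all_revs && best >= 0) reg_insert(r, name, (unsigned)best);
}

/* Listing/saving: revision resolved for a rule dumped at rule_rev, or -1. */
int demo_lookup(int all_revs, unsigned rule_rev)
{
    struct registry r = { .n = 0 };
    reg_negotiate(&r, "example", all_revs);
    for (size_t i = 0; i < r.n; i++)
        if (!strcmp(r.e[i].name, "example") && r.e[i].rev == rule_rev)
            return (int)r.e[i].rev;
    return -1;
}

/* New rules: the first registered entry is the highest revision, or -1. */
int demo_latest(int all_revs)
{
    struct registry r = { .n = 0 };
    reg_negotiate(&r, "example", all_revs);
    return r.n ? (int)r.e[0].rev : -1;
}
```
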