On Tue, May 29, 2018 at 9:27 AM, Alin Năstac <alin.nastac@xxxxxxxxx> wrote:
> On Mon, May 28, 2018 at 9:54 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> On Mon, May 28, 2018 at 06:07:29PM +0200, Alin Nastac wrote:
>>> Signed-off-by: Alin Nastac <alin.nastac@xxxxxxxxx>
>>> --- >>> include/linux/netfilter_bridge/ebt_limit.h | 4 ++++ >>> include/linux/netfilter_bridge/ebt_mark_m.h | 5 +++++ >>> include/linux/netfilter_bridge/ebt_mark_t.h | 4 ++++ >>> 3 files changed, 13 insertions(+) >>> >>> diff --git a/include/linux/netfilter_bridge/ebt_limit.h >>> b/include/linux/netfilter_bridge/ebt_limit.h >>> index 66d80b3..6db2443 100644 >>> --- a/include/linux/netfilter_bridge/ebt_limit.h >>> +++ b/include/linux/netfilter_bridge/ebt_limit.h
>>> @@ -16,7 +16,11 @@ struct ebt_limit_info { >>> __u32 burst; /* Period multiplier for upper limit. */ >>> >>> /* Used internally by the kernel */ >>> +#ifdef KERNEL_64_USERSPACE_32 >>> + uint64_t prev; >>> +#else >>> unsigned long prev; >>> +#endif
>>
>> Isn't CONFIG_COMPAT dealing with this already?
>>
>> We used to do these KERNEL_64_USERSPACE_32 ifdefs long long time ago,
>> and we removed it in favour of the CONFIG_COMPAT tricks.
>>
>> Probably a bug in ebt_limit or missing code wrt.
>> net/netfilter/xt_limit.c?
>>
>
> My kernel version is 4.1.45 and I'm building ebtables application from
> latest git commit with the following results.
>
> 1) Append -DKERNEL_64_USERSPACE_32 to CFLAGS:
> root@OpenWrt:~# ebtables -A --limit 1
> No chain name specified.
> root@OpenWrt:~# ebtables -A INPUT --limit 1
> [65450.456908] x_tables: eb_tables: limit.0 match: invalid size 32 (kernel)
> != (user) 24
> Unable to update the kernel. Two possible causes:
> 1. Multiple ebtables programs were executing simultaneously. The ebtables
> userspace tool doesn't by default support multiple ebtables programs
> running
> concurrently. The ebtables option --concurrent or a tool like flock can be
> used to support concurrent scripts that update the ebtables kernel tables.
> 2. The kernel doesn't support a certain ebtables extension, consider
> recompiling your kernel or insmod the extension.
>
> 2) Build it with clean CFLAGS:
> root@OpenWrt:~# ebtables -L
> ebtables v2.0.10-4:communication.c:539:--BUG--:
>
> I've checked the kernel code, struct ebt_replace has CONFIG_COMPAT support.
> I will investigate and get back to you guys.
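
Review bot: in the quoted ebt_limit.h hunk, the new `uint64_t prev;` uses a different type family from the `__u32 burst;` field directly above it, so `__u64` would match the header's existing style. The size of `struct ebt_limit_info` now depends on whether KERNEL_64_USERSPACE_32 is defined when the header is compiled, and the commit message has only a Signed-off-by line, so a changelog saying who is expected to define the macro and why it is needed would help.
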

After cherry picking kernel commits
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/bridge/netfilter/ebtables.c?h=v4.17-rc7&id=b71812168571fa55e44cdd0254471331b9c4c4c6
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/bridge/netfilter/ebtables.c?h=v4.17-rc7&id=3f1e53abff84cf40b1adb3455d480dd295bf42e8
"ebtables -L" was working, but "ebtables -A" failed with error "Standard target size too big".

On arm64, structs ebt_entry_match, ebt_entry_watcher and ebt_entry_target are 4 bytes longer than compat_ebt_entry_mwt (40 vs 36), but ebt_compat_entry_padsize returns 0 because COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)) is 40.

If I apply this patch:
--- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1587,9 +1587,9 @@ struct compat_ebt_entry_mwt { static int ebt_compat_entry_padsize(void) { BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) < - COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt))); + sizeof(struct compat_ebt_entry_mwt)); return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) - - COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)); + sizeof(struct compat_ebt_entry_mwt); }
all "ebtables -A" commands I've tried were successful.
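
Review bot: in ebt_compat_entry_padsize(), dropping COMPAT_XT_ALIGN from both the BUILD_BUG_ON and the return statement leaves nothing in the code that records why the compat size is now taken unaligned; the 40 vs 36 reasoning exists only in the mail text, so a short comment above the function would keep it from being "fixed" back. The BUILD_BUG_ON also becomes a weaker check than before, because an unaligned sizeof is never larger than its aligned value. The callers that add this pad are not part of the hunk, so it is worth confirming that a non-zero pad (4 on arm64 by the sizes given above) still yields offsets that satisfy the compat alignment they expect. The patch as posted also has no changelog or Signed-off-by line.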