On Tue, Oct 02, 2018 at 12:51:25PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 02, 2018 at 03:38:24AM -0700, Maciej Żenczykowski wrote:
> > > Well, you will need a kernel + userspace update anyway, right?
> >
> > It's true you need new iptables userspace to *see* during dump and/or
> > manually *set* during restore the remain counter.
> >
> > However, (and I believe Chenbo tested this) just a new kernel is
> > enough to fix the problem of modifications within the table resetting
> > the counter.
> > This is because the data gets copied out of kernel and back into
> > kernel by old iptables without any further modifications.
> > ie. the new kernel not clearing the field on copy to userspace and
> > honouring it on copy to kernel is sufficient.
>
> I see, Willem removed this behaviour in newer kernels. The private
> area is now zeroed, is that what you mean right? So I guess this
> cannot be done transparently.
>
> Anyway, I think the --remain approach to fix this longstanding
> problem from iptables :-).

Argh, broken sentence: I mean, I think it's the way to go for iptables.