Re: [PATCH v2] netfilter: nfacct: Fix alignment mismatch in xt_nfacct_match_info

Hi Florian.

I hope this patch reflects your suggestion to add a 'v1' match revision
to nfacct. To be sincere, I'm not sure if I should have also written
nfacct_mt_v1() etc., since these would be pretty much duplicate code.


Please let me know if this patch needs more work.

Best regards,
Juliana.

On 8/16/19 5:02 PM, Juliana Rodrigueiro wrote:
When running a 64-bit kernel with a 32-bit iptables binary, the size of
the xt_nfacct_match_info struct diverges.

     kernel: sizeof(struct xt_nfacct_match_info) : 40
     iptables: sizeof(struct xt_nfacct_match_info) : 36

Trying to append nfacct related rules results in an unhelpful message.
Although it is suggested to look for more information in dmesg, nothing
can be found there.

     # iptables -A <chain> -m nfacct --nfacct-name <acct-object>
     iptables: Invalid argument. Run `dmesg' for more information.

This patch fixes the memory misalignment by enforcing 8-byte alignment
within the struct's first revision. This solution is often used in many
other uapi netfilter headers.

Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@xxxxxxxxxxxxx>
---
Changes in v2:
     - Keep ABI by creating a v1 of the match struct.

  include/uapi/linux/netfilter/xt_nfacct.h |  5 ++++
  net/netfilter/xt_nfacct.c                | 36 ++++++++++++++++--------
  2 files changed, 30 insertions(+), 11 deletions(-)
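
The size divergence described in the commit message above, modelled as an added example that is not part of the original message or of the patch. The struct names, the 32-byte name buffer and the size check are assumptions made for illustration; fixed-width integers stand in for the pointer as seen by a 32-bit binary and a 64-bit kernel, and the sizes are those of a typical x86-64 build with GCC or Clang.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NAME_LEN 32 /* assumed name buffer length; not shown in the message */

/* Stand-ins for one struct as each side sees it: the trailing pointer is
 * 4 bytes for a 32-bit iptables binary and 8 bytes for a 64-bit kernel. */
struct info_user32   { char name[NAME_LEN]; uint32_t ptr; };
struct info_kernel64 { char name[NAME_LEN]; uint64_t ptr; };

/* Same stand-ins with the pointer member forced to 8-byte alignment, the
 * approach the commit message describes for the new revision. */
struct info_v1_user32 {
    char name[NAME_LEN];
    uint32_t ptr __attribute__((aligned(8)));
};
struct info_v1_kernel64 {
    char name[NAME_LEN];
    uint64_t ptr __attribute__((aligned(8)));
};

/* Simplified model of a size check (hypothetical helper, not kernel code):
 * reject the rule when userspace sends a size the kernel does not expect. */
static int check_match_size(size_t user_size, size_t kernel_size)
{
    return user_size == kernel_size ? 0 : -EINVAL;
}

/* Original layout: 36 bytes from userspace against 40 in the kernel. */
int check_v0(void)
{
    return check_match_size(sizeof(struct info_user32),
                            sizeof(struct info_kernel64));
}

/* Aligned layout: both sides pad the struct to 40 bytes. */
int check_v1(void)
{
    return check_match_size(sizeof(struct info_v1_user32),
                            sizeof(struct info_v1_kernel64));
}

int main(void)
{
    printf("v0: user32=%zu kernel64=%zu result=%d\n",
           sizeof(struct info_user32), sizeof(struct info_kernel64), check_v0());
    printf("v1: user32=%zu kernel64=%zu result=%d\n",
           sizeof(struct info_v1_user32), sizeof(struct info_v1_kernel64), check_v1());
    return 0;
}
```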
