Hi Florian,

> Why are you interested in getting iptables to work?
>
> It would be better to ensure that nftables is working properly; unlike
> with xtables the kernel representation is hidden from userspace.

Sorry, I should have been clear initially: I am trying to compile using nftables.

> i.e. sizeof(unsigned long) == 16 on this architecture?
...
> No idea, I don't know this architecture.
> In iptables, userspace and kernel space exchange binary blobs via
> get/setsockopt calls; these binary blobs consist of the relevant
> ipt/ip6t/xt_entry structures, matches, targets etc.
>
> Their layout must be the same in userspace and kernel.

An unsigned long is 8B, which is why we want to use it instead of a "*", which is a 128b capability in userspace but is a standard 64b pointer in kernel space. This is what I am trying to achieve: to maintain the layout between kernel and userspace. The layout will be the same in kernel and userspace if unsigned long is used, since this is a fixed-size type to kernel and user.

Since these spaces in the structure I am modifying are reserved strictly for *kernel* pointers, they should not be used by the userspace, right? So I can safely have userspace assume it is 64b and it will be okay, since userspace will not try to dereference what is stored within there?

> If they are not, you lose and the only "solution" is more crap added to
> CONFIG_NETFILTER_XTABLES_COMPAT.
> (The reason for this being a Kconfig option is because I want to remove it).

I'm not sure I understand what you mean here. Although I have noticed the compat functions in the code, I could not make sense of how/why and when they are needed. Can you explain the use of this option? I guessed they were for xtables/nftables compatibility, so they will not help or are not needed in my instance?

> Not tested, looks like it no longer works.

Okay, thanks, that's good to know...

> > What I thought might be a solution to compile with my modified headers
> > would be to simply copy over and replace the relevant headers which
> > are present in the ./include/linux/ directory of the iptables source
> > repo. However, even with unmodified kernel headers this throws up its
> > own issues, because I see that there are differences between some of
> > these headers in the iptables source and those in the kernel source
> > itself.
>
> Yes, but this is unwanted.

I guess fixing up the --with-kernel option to use the specific headers from the kernel repo (in my case my modified ones) would be a more sensible option, where I would solve my issue but also be able to submit a patch that might be of use to others?

> No, it's just that no one has done a full resync in a long time.
> The kernel headers are authoritative, but I fear that just replacing
> them with recent upstream versions will result in more surprises just
> like the ones you found, which need to be fixed up on userspace side.

Okay. Well, I suppose if I have to do this for my own work and I can fix any of these surprises, this would be useful?

Many thanks,
Josh
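The layout question discussed in this thread (a kernel-only pointer slot inside a blob that crosses the get/setsockopt boundary, and whether replacing it with an unsigned long keeps kernel and userspace views identical) can be checked mechanically with sizeof/offsetof. The following is an added illustration, not code from the thread, from iptables or from the kernel: the three `blob_*` structs are constructed toy stand-ins for an xt_entry-style header, `cap_t` is a constructed 16-byte, 16-aligned stand-in for a userspace capability (a real capability is an opaque hardware type), and the exact numbers assume an LP64 host with 8-byte pointers and 8-byte unsigned long.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a 128-bit userspace capability: 16 bytes,
 * 16-byte aligned, so it perturbs layout the way a real one would. */
typedef struct {
    _Alignas(16) uint64_t cursor;   /* address part */
    uint64_t bounds_and_perms;      /* metadata part */
} cap_t;

/* Toy entry header as the 64-bit kernel sees it (constructed, not xt_entry_match). */
struct blob_kernel {
    uint16_t match_size;
    void    *match;        /* kernel-only pointer slot, opaque to userspace */
    uint8_t  data[4];      /* payload that follows the slot */
};

/* Same header compiled for userspace where "*" is a 128-bit capability. */
struct blob_user_cap {
    uint16_t match_size;
    cap_t    match;        /* slot widens to 16 bytes: layout drifts */
    uint8_t  data[4];
};

/* Same header with the slot reserved as an unsigned long (fixed 8 bytes). */
struct blob_user_ulong {
    uint16_t      match_size;
    unsigned long match;   /* never dereferenced in userspace */
    uint8_t       data[4];
};

struct layout { size_t size, match_off, data_off; };

static struct layout layout_kernel(void) {
    return (struct layout){ sizeof(struct blob_kernel),
        offsetof(struct blob_kernel, match), offsetof(struct blob_kernel, data) };
}
static struct layout layout_user_cap(void) {
    return (struct layout){ sizeof(struct blob_user_cap),
        offsetof(struct blob_user_cap, match), offsetof(struct blob_user_cap, data) };
}
static struct layout layout_user_ulong(void) {
    return (struct layout){ sizeof(struct blob_user_ulong),
        offsetof(struct blob_user_ulong, match), offsetof(struct blob_user_ulong, data) };
}

/* 1 if every field of a kernel-emitted blob lands at the same offset in the
 * userspace view and the total size agrees; 0 means the ABI is broken. */
static int abi_compatible(struct layout k, struct layout u) {
    return k.size == u.size && k.match_off == u.match_off && k.data_off == u.data_off;
}

/* Simulated kernel side: serialize one entry as it would cross getsockopt.
 * Returns bytes written, or 0 if the buffer is too small. */
static size_t kernel_emit(uint8_t *buf, size_t buflen) {
    struct blob_kernel k;
    const uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */
    memset(&k, 0, sizeof k);            /* zero padding bytes too */
    k.match_size = (uint16_t)sizeof k;
    k.match = NULL;                     /* kernel pointer, meaningless to userspace */
    memcpy(k.data, payload, sizeof payload);
    if (buflen < sizeof k) return 0;
    memcpy(buf, &k, sizeof k);
    return sizeof k;
}

/* Userspace decode with the unsigned-long view: returns data[0], or -1 if the
 * blob size does not match the expected struct (an ABI mismatch). */
static int user_ulong_first_data_byte(void) {
    uint8_t buf[64];
    struct blob_user_ulong u;
    size_t n = kernel_emit(buf, sizeof buf);
    if (n != sizeof u) return -1;
    memcpy(&u, buf, sizeof u);
    return u.data[0];
}

/* Userspace decode with the capability view: the size check trips, because
 * the widened slot makes the struct larger than what the kernel emitted. */
static int user_cap_first_data_byte(void) {
    uint8_t buf[64];
    struct blob_user_cap u;
    size_t n = kernel_emit(buf, sizeof buf);
    if (n != sizeof u) return -1;
    memcpy(&u, buf, sizeof u);
    return u.data[0];
}

int main(void) {
    struct layout k = layout_kernel(), c = layout_user_cap(), l = layout_user_ulong();
    printf("kernel: size=%zu data_off=%zu\n", k.size, k.data_off);
    printf("user(cap): size=%zu data_off=%zu compatible=%d\n", c.size, c.data_off, abi_compatible(k, c));
    printf("user(ulong): size=%zu data_off=%zu compatible=%d\n", l.size, l.data_off, abi_compatible(k, l));
    return 0;
}
```

The size check in the decoders is the kind of guard a userspace consumer of these blobs should keep: when the slot type changes width, the mismatch shows up as a wrong total size before any field is misread. The same offsetof comparison can be turned into a compile-time `_Static_assert` in a header shared by both sides.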