On Mon, May 30, 2016 at 09:19:34PM +0200, Jozsef Kadlecsik wrote:
> Hello,
>
> On Sat, 28 May 2016, Art Emius wrote:
>
> > This makes me feel confused, but seems it doesn't work at all. I've
> > tried both src,src and src,dst parameters. Still I see packets are being
> > dropped. But I use -i / -o in iptables rules it works fine.
>
> Sorry, I messed up the parameters.
>
> I think your kernel does not contain the patch
>
> commit ef5b6e127761667f78d99b7510a3876077fe9abe
> Author: Florian Westphal <fw@xxxxxxxxx>
> Date: Sun Jun 17 09:56:46 2012 +0000
>
> netfilter: ipset: fix interface comparision in hash-netiface sets
>
> ifname_compare() assumes that skb->dev is zero-padded,
> e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does
>
> strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);
>
> in e1000_probe(), so once device is registered dev->name memory contains
> 'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
> fail.
>
> Use plain strcmp() instead.
>
> which went into the kernel v4.2. I assume it was not backported into older
> kernel releases.

This seems to apply cleanly against 3.2.x and 3.4.x.
I can request -stable submission for these two.
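The padding assumption described in the quoted commit message, shown as an added user-space example that is not part of the original thread and is not the kernel's code. `padded_compare()` is a hypothetical, simplified stand-in for a full-buffer comparison, and the PCI-style name is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16 /* size of the kernel's interface name buffer */

/* Hypothetical stand-in for a full-width compare: it looks at all IFNAMSIZ
 * bytes, so it is only correct if both buffers are zero-filled after the NUL.
 * Returns 0 on match, 1 on mismatch. */
static int padded_compare(const char *a, const char *b)
{
    return memcmp(a, b, IFNAMSIZ) != 0;
}

/* Compare the way the fix does: stop at the first NUL in each name. */
static int name_compare(const char *a, const char *b)
{
    return strcmp(a, b) != 0;
}

/* Fill a name buffer in the order the commit message describes: a longer
 * string is written first, then the final, shorter name on top of it.
 * Assumes strlen(final) < IFNAMSIZ. */
static void fill_like_driver(char *buf, const char *first, const char *final)
{
    memset(buf, 0, IFNAMSIZ);
    strncpy(buf, first, IFNAMSIZ - 1);
    memcpy(buf, final, strlen(final) + 1); /* bytes after the NUL stay stale */
}

/* Match a clean, zero-padded set entry "eth1" against the device buffer.
 * use_strcmp selects the fixed comparison. Returns 0 on match. */
static int match_eth1(int use_strcmp)
{
    char dev[IFNAMSIZ];
    char entry[IFNAMSIZ] = "eth1"; /* remaining bytes are zero-initialised */

    fill_like_driver(dev, "0000:00:03.0" /* constructed sample */, "eth1");
    return use_strcmp ? name_compare(dev, entry) : padded_compare(dev, entry);
}

int main(void)
{
    printf("full-buffer compare: %s\n", match_eth1(0) ? "mismatch" : "match");
    printf("strcmp compare:      %s\n", match_eth1(1) ? "mismatch" : "match");
    return 0;
}
```

For a firewall set keyed on interface name, the mismatch case means a rule that should match the interface silently does not, which is the behaviour reported earlier in the thread.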