Re: ipset issues

Hi Pablo,

On Tue, 31 May 2016, Pablo Neira Ayuso wrote:

> On Mon, May 30, 2016 at 09:19:34PM +0200, Jozsef Kadlecsik wrote:
> > 
> > On Sat, 28 May 2016, Art Emius wrote:
> > 
> > > This makes me feel confused, but seems it doesn't work at all. I've 
> > > tried both src,src and src,dst parameters. Still I see packets are being 
> > > dropped. But I use -i / -o in iptables rules it works fine.
> > 
> > Sorry, I messed up the parameters.
> >  
> > I think your kernel does not contain the patch
> > 
> > commit ef5b6e127761667f78d99b7510a3876077fe9abe
> > Author: Florian Westphal <fw@xxxxxxxxx>
> > Date:   Sun Jun 17 09:56:46 2012 +0000
> > 
> >     netfilter: ipset: fix interface comparision in hash-netiface sets
> >     
> >     ifname_compare() assumes that skb->dev is zero-padded,
> >     e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does
> >     
> >     strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);
> >     
> >     in e1000_probe(), so once device is registered dev->name memory contains
> >     'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
> >     fail.
> >     
> >     Use plain strcmp() instead.
> > 
> > which went into the kernel v4.2. I assume it was not backported into older 
> > kernel releases.
> 
> This seems to apply cleanly against 3.2.x and 3.4.x.
> 
> I can request -stable submission for these two.

It'd be great, please request the submissions. Thanks!

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
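
The failure mode described in the quoted commit message, as an added C example that is not part of the original thread or of the kernel source. `padded_compare()` is a hypothetical stand-in for a comparison that assumes zero-padded names, and the PCI-style string is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16 /* same size as the kernel's IFNAMSIZ */

/* Hypothetical stand-in for a comparison that assumes zero padding:
 * it looks at every byte of the buffer, including those after the NUL. */
static int padded_compare(const char *a, const char *b)
{
    return memcmp(a, b, NAME_LEN);
}

/* Zero-padded name, as a set entry would store it. */
static void make_padded_name(char buf[NAME_LEN], const char *name)
{
    memset(buf, 0, NAME_LEN);
    strncpy(buf, name, NAME_LEN - 1);
}

/* Device-name buffer as the commit message describes it: a first name is
 * copied in with strncpy(), then the final name overwrites only its own
 * bytes plus the terminator, so old bytes survive after the NUL. */
static void make_stale_name(char buf[NAME_LEN], const char *first,
                            const char *final)
{
    size_t n = strlen(final);

    make_padded_name(buf, first);
    if (n > NAME_LEN - 1)
        n = NAME_LEN - 1;
    memcpy(buf, final, n);
    buf[n] = '\0';
}

/* Compare a set entry "eth1" with a device buffer holding "eth1" + residue. */
static int compare_entry_to_device(int use_strcmp)
{
    char entry[NAME_LEN], dev[NAME_LEN];

    make_padded_name(entry, "eth1");
    make_stale_name(dev, "0000:00:03.0", "eth1"); /* constructed PCI name */
    return use_strcmp ? strcmp(entry, dev) : padded_compare(entry, dev);
}

int main(void)
{
    printf("padded compare: %s\n", compare_entry_to_device(0) ? "mismatch" : "match");
    printf("strcmp:         %s\n", compare_entry_to_device(1) ? "mismatch" : "match");
    return 0;
}
```

On a kernel without the fix, this kind of mismatch means a rule that matches on a hash-netiface set silently fails to match the interface, while `-i` / `-o` rules for the same interface still work.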