Patrick McHardy wrote:
> Dmitry Mishin wrote:
>
>> It's better, but I see the issue with iterate with compat_check_entry() calls.
>> If it fails, some of target/matches' check_* functions are called, some not.
>> Please, review my version of this patch.
>
> You're right again, thanks. Patch applied.
> With one minor change:
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h index 9c294a5..e992cd6 100644 --- a/include/linux/netfilter_ipv4/ip_tables.h +++ b/include/linux/netfilter_ipv4/ip_tables.h @@ -265,14 +265,17 @@ ipt_get_target(struct ipt_entry *e) }) /* fn returns 0 to continue iteration */ -#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, i, fn, args...) \ +#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \ ({ \ - unsigned int __i; \ + unsigned int __i, __n; \ int __ret = 0; \ struct ipt_entry *__entry; \ \ - for (__i = i; __i < (size); __i += __entry->next_offset) { \ + for (__i = 0, __n = 0; __i < (size); \ + __i += __entry->next_offset, __n++) { \ __entry = (void *)(entries) + __i; \ + if (__n < n) \ + continue; \ \ __ret = fn(__entry , ## args); \ if (__ret != 0) \
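Review bot: the new macro argument is used unparenthesized in `if (__n < n)`, whereas `(entries)` and `(size)` in the same macro are parenthesized; a caller passing a compound expression (for example a conditional) would bind differently, so write `if (__n < (n))` for consistency. The rename from `i` to `n` also changes the parameter's meaning from a byte offset (the old `__i = i` start) to a count of leading entries to skip, and the comment above the macro, which still only says "fn returns 0 to continue iteration", should state that; any caller still passing an offset would now skip the wrong number of entries, and those callers are not visible in this hunk.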