Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1147
Testing: tested by repdoducing original issue with and without changes

In short if kernel match/target supports more revisions than current
version iptables can configure: highest possible negotiated.

If update iptables to new version with support for additional revisions
rule listing/saving gets broken because new version negotiates with
kernel highest possible and registers *only* that one while on rules
dump kernel submits revision rule configured with old version.

I propose to extend iptables to register all supported revisions
negotiated with kernel in descending order and find correct rule
revision during listing/saving while use highest revision for rest of
the cases.

See indivitual patch description message for more information on
the approach.

Note that so-version isn't updated while new functions introduced
since there may be other changes before release.

Thanks,
Serhey

Serhey Popovych (4):
  xtables: Do not register matches/targets with incompatible revision
  xtables: Check match/target size vs XT_ALIGN(size) at register time
  xtables: Register all match/target revisions supported by us and
    kernel
  xtables: Fix rules print/save after iptables update

 include/xtables.h    |    6 ++
 iptables/ip6tables.c |   66 +++++++++------
 iptables/iptables.c  |   66 +++++++++------
 libxtables/xtables.c |  221 +++++++++++++++++++++++++++++++++++++-------------
 4 files changed, 257 insertions(+), 102 deletions(-)

-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to