Author: pawelz                       Date: Mon Sep 20 18:48:00 2010 GMT
Module: packages                      Tag: HEAD
---- Log message:
- fixes: http://bugzilla.netfilter.org/show_bug.cgi?id=669
- patch source: http://kerneltrap.org/mailarchive/linux-netdev/2010/8/23/6283605
---- Files affected: packages/kernel: kernel-netfilter-bug-669.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: packages/kernel/kernel-netfilter-bug-669.patch diff -u /dev/null packages/kernel/kernel-netfilter-bug-669.patch:1.1 --- /dev/null Mon Sep 20 20:48:00 2010 +++ packages/kernel/kernel-netfilter-bug-669.patch Mon Sep 20 20:47:55 2010 
@@ -0,0 +1,66 @@ +commit f3c5c1bfd430858d3a05436f82c51e53104feb6b +(netfilter: xtables: make ip_tables reentrant) forgot to +also compute the jumpstack size in the compat handlers. + +Result is that "iptables -I INPUT -j userchain" turns into -j DROP. + +Reported by Sebastian Roesner on #netfilter, closes +http://bugzilla.netfilter.org/show_bug.cgi?id=669. + +Note: arptables change is compile-tested only. + +Signed-off-by: Florian Westphal <[email protected]> +Acked-by: Eric Dumazet <[email protected]> +--- + David, it would nice if you could take this patch as Patrick seems + to be on vacation. + + Problem introduced during 2.6.35 development cycle. + + net/ipv4/netfilter/arp_tables.c | 3 +++ + net/ipv4/netfilter/ip_tables.c | 3 +++ + net/ipv6/netfilter/ip6_tables.c | 3 +++ + 3 files changed, 9 insertions(+), 0 deletions(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index 51d6c31..e8f4f9a 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1420,6 +1420,9 @@ static int translate_compat_table(const char *name, + if (ret != 0) + break; + ++i; ++ if (strcmp(arpt_get_target(iter1)->u.user.name, ++ XT_ERROR_TARGET) == 0) ++ ++newinfo->stacksize; + } + if (ret) { + /* +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 97b64b2..d163f2e 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1751,6 +1751,9 @@ translate_compat_table(struct net *net, + if (ret != 0) + break; + ++i; ++ if (strcmp(ipt_get_target(iter1)->u.user.name, ++ XT_ERROR_TARGET) == 0) ++ ++newinfo->stacksize; + } + if (ret) { + /* +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 29a7bca..8e754be 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1766,6 +1766,9 @@ translate_compat_table(struct net *net, + if (ret != 0) + break; + ++i; ++ if (strcmp(ip6t_get_target(iter1)->u.user.name, ++ 
XT_ERROR_TARGET) == 0) ++ ++newinfo->stacksize; + } + if (ret) { + /* ================================================================ _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
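Review bot: the strcmp() check added after ++i in translate_compat_table() has no comment saying why each XT_ERROR_TARGET entry adds one to newinfo->stacksize, and the same three lines are pasted into arp_tables.c, ip_tables.c and ip6_tables.c. The commit message says the compat handlers were missed when the jumpstack size computation was introduced, which is the kind of drift a copy of the logic per file invites. Suggest a one-line comment tying the count to the jumpstack size, and consider moving the check into a small helper shared by the native and compat translation paths so the two cannot diverge again. Since a wrong count here silently turns "-j userchain" into DROP, a regression test that loads a ruleset with a user chain through the compat interface and checks that the jump still resolves would be worth adding alongside the fix.

Review bot: the arp_tables.c hunk is, by the commit message's own note, compile-tested only, yet it changes newinfo->stacksize on the compat path in the same way as the ip_tables.c and ip6_tables.c hunks. Before this patch is carried in the kernel package, exercise it at runtime with a 32-bit arptables binary on a 64-bit kernel: load a rule that jumps to a user-defined chain and confirm the jump is honoured rather than dropped.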
