On Thu, 27 Apr 2017, Willem de Bruijn wrote:
> > Maybe the case can be reproduced with the following steps, but I'm
> > guessing:
> >
> > - rules inserted
> > - iptables binary downgraded/upgraded
> > - rules listed
>
> It will. This is largely what the patch protects against. But perhaps
> it c
>> > It may be more subtle than what you describe. xtables_find_match
>> > can call xtables_fully_register_pending_match which calls
>> > compatible_match_revision to decide whether a match revision
>> > is supported and, if multiple revisions are supported, which to prefer.
>>
>> The case reported
Hi Willem,
On Wed, 26 Apr 2017, Willem de Bruijn wrote:
> On Wed, Apr 26, 2017 at 5:15 PM, Willem de Bruijn
> wrote:
> >>> The patch breaks backward/forward compatibility in a match/target.
> >>>
> >>> When the list of the revisions of a given match/target of iptables is not
> >>> exactly the sa
On Wed, Apr 26, 2017 at 5:15 PM, Willem de Bruijn
wrote:
>>> The patch breaks backward/forward compatibility in a match/target.
>>>
>>> When the list of the revisions of a given match/target of iptables is not
>>> exactly the same as for the kernel counterpart (when the kernel module
>>> supports
>> The patch breaks backward/forward compatibility in a match/target.
>>
>> When the list of the revisions of a given match/target of iptables is not
>> exactly the same as for the kernel counterpart (when the kernel module
>> supports fewer revisions than iptables), then in spite of the supported
On Fri, Apr 21, 2017 at 4:15 PM, Jozsef Kadlecsik
wrote:
> Hi,
>
> On Thu, 8 Dec 2016, Willem de Bruijn wrote:
>
>> From: Willem de Bruijn
>>
>> Between revisions, the layout of xtables data may change completely.
>> Do not interpret the data in a revision M with a module of revision N.
>>
>> Sig
Hi,
On Thu, 8 Dec 2016, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> Between revisions, the layout of xtables data may change completely.
> Do not interpret the data in a revision M with a module of revision N.
>
> Signed-off-by: Willem de Bruijn
> ---
> iptables/ip6tables.c | 18 +++
On Thu, Dec 08, 2016 at 05:16:41PM -0500, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> Between revisions, the layout of xtables data may change completely.
> Do not interpret the data in a revision M with a module of revision N.
Applied, thanks Willem.
From: Willem de Bruijn
Between revisions, the layout of xtables data may change completely.
Do not interpret the data in a revision M with a module of revision N.
Signed-off-by: Willem de Bruijn
---
iptables/ip6tables.c | 18 ++
iptables/iptables.c | 18 ++
2 f