Re: Last night Linus bk - netfilter busted?

Fri, 11 Mar 2005 13:02:20 -0800

David S. Miller wrote: 
Damn, wait, Patrick, I think I know what's happening.  The iptables
IPT_* verdicts are dependant upon the NF_* values, and they don't
cope with Bart's changes I bet.  Can you figure out what the exact
error would be?  This kind of issue would explain the looping inside
of ipt_do_table(), wouldn't it?


You're right, good catch. IPT_RETURN is interpreted internally by
ip_tables, but since the value changed it isn't recognized by ip_tables
anymore and returned to nf_iterate() as NF_REPEAT. This patch restores
the old value.

# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
#   2005/03/11 21:41:01+01:00 [EMAIL PROTECTED] 
#   [NETFILTER]: Fix iptables userspace compatibility breakage
#   
#   Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
# 
# include/linux/netfilter_ipv6/ip6_tables.h
#   2005/03/11 21:40:52+01:00 [EMAIL PROTECTED] +1 -1
#   [NETFILTER]: Fix iptables userspace compatibility breakage
#   
#   Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
# 
# include/linux/netfilter_ipv4/ip_tables.h
#   2005/03/11 21:40:52+01:00 [EMAIL PROTECTED] +1 -1
#   [NETFILTER]: Fix iptables userspace compatibility breakage
#   
#   Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
# 
diff -Nru a/include/linux/netfilter_ipv4/ip_tables.h 
b/include/linux/netfilter_ipv4/ip_tables.h
--- a/include/linux/netfilter_ipv4/ip_tables.h  2005-03-11 21:41:32 +01:00
+++ b/include/linux/netfilter_ipv4/ip_tables.h  2005-03-11 21:41:32 +01:00
@@ -166,7 +166,7 @@
 #define IPT_CONTINUE 0xFFFFFFFF
 
 /* For standard target */
-#define IPT_RETURN (-NF_MAX_VERDICT - 1)
+#define IPT_RETURN (-NF_REPEAT - 1)
 
 /* TCP matching stuff */
 struct ipt_tcp
diff -Nru a/include/linux/netfilter_ipv6/ip6_tables.h 
b/include/linux/netfilter_ipv6/ip6_tables.h
--- a/include/linux/netfilter_ipv6/ip6_tables.h 2005-03-11 21:41:32 +01:00
+++ b/include/linux/netfilter_ipv6/ip6_tables.h 2005-03-11 21:41:32 +01:00
@@ -166,7 +166,7 @@
 #define IP6T_CONTINUE 0xFFFFFFFF
 
 /* For standard target */
-#define IP6T_RETURN (-NF_MAX_VERDICT - 1)
+#define IP6T_RETURN (-NF_REPEAT - 1)
 
 /* TCP matching stuff */
 struct ip6t_tcp

Reply via email to