[patch] match limit with inverse [!]
Jerome de Vivie
jerome.de-vivie@wanadoo.fr
Thu, 08 Nov 2001 23:52:28 +0100
Oops, I've just sent you a private mail with the same contents as the one
I posted to the mailing list!
Harald Welte wrote:
> The only question remaining is: What happens if somebody updates his
> kernel to a new version (one with the extended struct ipt_rateinfo)
> and still uses his old, not recompiled iptables binaries?
>
> This is a common case, because people tend to have distributor-shipped
> RPM packages...
>
> We have to make sure that users don't experience any undesired behaviour in
> this case.
>
> could you make some statement about this? thanks.
In the kernel space module, we have:
>static int
>ipt_limit_checkentry(const char *tablename,
> const struct ipt_ip *ip,
> void *matchinfo,
> unsigned int matchsize,
> unsigned int hook_mask)
>{
> struct ipt_rateinfo *r = matchinfo;
Here r->inv is statically set to 0 (C language), so it works like the
previous behaviour. But, on the next line:
>
> if (matchsize != IPT_ALIGN(sizeof(struct ipt_rateinfo)))
> return 0;
And here, if matchsize is the size of the old user-space structure =>
bug!
I haven't thought about it :-(
regards,
j.
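
Added example (not part of the original message and not netfilter code): a user-space C sketch of the size comparison quoted above, run against an old and a new struct layout. The struct layouts, the 8-byte ALIGN8 macro standing in for IPT_ALIGN, and the helper names are assumptions made for illustration; the second pair shows the case where alignment padding hides the added field, so the comparison cannot tell the two layouts apart.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for IPT_ALIGN: round up to an 8-byte boundary. */
#define ALIGN8(n) (((n) + (size_t)7) & ~(size_t)7)

/* Constructed layouts (assumptions, not the real struct ipt_rateinfo).
 * Each "new" variant appends a one-byte inversion flag. */
struct a_old { uint32_t avg, burst; };                    /* 8 bytes  */
struct a_new { uint32_t avg, burst; uint8_t inv; };       /* 12 bytes */
struct b_old { uint32_t avg, burst, cost; };              /* 12 bytes */
struct b_new { uint32_t avg, burst, cost; uint8_t inv; }; /* 16 bytes */

/* Same comparison as the quoted checkentry: 1 = accept, 0 = reject. */
static int size_check(size_t matchsize, size_t kernel_struct_size)
{
    return matchsize == ALIGN8(kernel_struct_size);
}

/* The matchsize a binary built against a given struct would hand over. */
static size_t binary_matchsize(size_t user_struct_size)
{
    return ALIGN8(user_struct_size);
}

int main(void)
{
    /* Pair A: aligned sizes differ (8 vs 16), old binary is rejected. */
    printf("A: old binary, new kernel -> %d\n",
           size_check(binary_matchsize(sizeof(struct a_old)),
                      sizeof(struct a_new)));
    /* Pair B: both round up to 16, so the old binary is accepted and the
     * kernel would read the flag from what the old binary sent as padding. */
    printf("B: old binary, new kernel -> %d\n",
           size_check(binary_matchsize(sizeof(struct b_old)),
                      sizeof(struct b_new)));
    /* Matching binary and kernel always pass. */
    printf("A: new binary, new kernel -> %d\n",
           size_check(binary_matchsize(sizeof(struct a_new)),
                      sizeof(struct a_new)));
    return 0;
}
```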