[BUG] ipt_SAME rule can't be deleted

Henrik Nordstrom hno at marasystems.com
Tue Dec 7 16:47:26 CET 2004


On Tue, 7 Dec 2004, Pablo Neira wrote:

> In iptables, target_difference() complains because, in the case of ipt_same, 
> iparray isn't NULL. Same thing with iplimit. I think that in pkttables we 
> need a private info part for match/targets which is not shared with user 
> space.

As already pointed out, iptables actually has a similar concept, but the 
kernel data must be at the end, and userspace must know the total size to 
allocate it properly within the table.

limit uses this correctly.

SAME does not.

In addition, pointers are hazardous as the opinion on the size may differ 
between kernel and userland on certain architectures. Only fixed-size 
items should be used in iptables target/match info structures. C unions 
can make this somewhat manageable.

Regards
Henrik
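As an added illustration (not part of this thread and not netfilter's own code): a hypothetical info structure laid out the way described above, fixed-width user part first, kernel-private tail last with its pointer pinned to 8 bytes by a union, plus a rule comparison that only looks at the user-controlled prefix, which is what a delete has to compare. All struct and function names are invented.

```c
/* Added example, not netfilter code: a hypothetical info layout following
 * the rules above (fixed-width fields, kernel data last). Names invented. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Userspace-visible configuration: fixed-width fields, padding explicit. */
struct example_user_info {
    uint32_t min_ip;
    uint32_t max_ip;
    uint16_t flags;
    uint16_t _pad;
};

/* Kernel-private state goes at the END. A pointer is wrapped in a union with
 * a 64-bit integer so the member is 8 bytes on 32-bit and 64-bit builds alike. */
struct example_info {
    struct example_user_info user;
    union {
        void    *ptr;       /* used only by the kernel */
        uint64_t _force_64; /* pins the size across architectures */
    } priv;
};
/* Compile-time guard: the private member must be the same width everywhere. */
typedef char priv_is_8_bytes[sizeof(((struct example_info *)0)->priv) == 8 ? 1 : -1];

/* Total size userspace must reserve so the kernel's tail fits in the table. */
static size_t example_info_size(void) { return sizeof(struct example_info); }
/* Length of the prefix userspace controls: rule comparison for -D must use
 * this, otherwise a kernel-filled tail makes every rule look "different". */
static size_t example_user_size(void) { return offsetof(struct example_info, priv); }
static int example_info_differ(const struct example_info *a,
                               const struct example_info *b)
{ return memcmp(a, b, example_user_size()) != 0; }
/* Constructed self-check: two rules configured identically, one with kernel
 * state filled in. Returns 1 when the comparison behaves as intended. */
static int example_selftest(void)
{
    struct example_info a, b;
    int kstate = 0;
    if (example_info_size() <= example_user_size()) return 0;
    memset(&a, 0, sizeof a);            /* zero padding bytes before memcmp */
    memset(&b, 0, sizeof b);
    a.user.min_ip = b.user.min_ip = 0x0a000001u;  /* 10.0.0.1 */
    a.user.max_ip = b.user.max_ip = 0x0a0000feu;  /* 10.0.0.254 */
    b.priv.ptr = &kstate;                          /* kernel-side tail differs */
    if (example_info_differ(&a, &b)) return 0;     /* tail must be ignored */
    b.user.flags = 1;
    return example_info_differ(&a, &b);            /* user change must be seen */
}
```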