[PATCH 1/2] ipt_MARK extension with backwards compatibility (kernel side).

Pablo Neira pablo at eurodev.net
Tue Dec 7 22:20:04 CET 2004


Pablo Neira wrote:

>> 2) If not, you must extend the size of the structure, so old kernels
>> will fail, and new kernels will be able to tell whether they are to use
>> the new or old structure.  The IPT_ALIGN'ed size of the structure must
>> change for this to work!
>
>
> My idea, I don't know how crazy it is. Instead of using the size to 
> guess the target/match version, we could steal 1 byte from char name[] 
> to define a new field called version, so we could register different 
> versions of a match/target.
>
> Possible scenarios:
> a) Old kernel, new iptables binary: since names are manipulated with 
> str* functions, there shouldn't be any problem with the version stuff 
> because it will be ignored, since info after the first '\0' is ignored.
> b) New kernel, old iptables: the version value is zero, so the kernel guesses 
> that it must handle the thing with the first version of the target/match.


I finally found some spare time to go back to this issue. I've finished two 
patches for the kernel part of my idea of adding versions to 
targets/matches. One for ip_tables, and the other for ipt_MARK, this one based 
on Rusty's.

The iptables (user space) patches are still missing  :(

It works for me (TM) on an x86/gcc-2.95 with both patches applied and 
using an old binary version of iptables to test that it doesn't break 
backward compatibility.

Please, say crap/cool/dirty/crazy/whatever about this.

--
Pablo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ip_table-version.patch
Type: text/x-patch
Size: 6541 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20041207/9b410c39/ip_table-version.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipt_mark.patch
Type: text/x-patch
Size: 4685 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20041207/9b410c39/ipt_mark.bin
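
The two scenarios from the quoted proposal, as an added C example that is not part of the original message or of the attached patches. The struct layouts, the 30-byte name width and all helper names are assumptions for illustration, and the old binary is assumed to zero-fill the name field.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAMELEN 30 /* assumed width of the original name[] field */

/* Hypothetical layouts, not the real ip_tables structures. */
struct tgt_old { uint16_t size; char name[NAMELEN]; };
struct tgt_new { uint16_t size; char name[NAMELEN - 1]; uint8_t version; };

/* Same total size, and version must sit on the last byte of the old name[]. */
_Static_assert(sizeof(struct tgt_old) == sizeof(struct tgt_new), "ABI size changed");
_Static_assert(offsetof(struct tgt_new, version) ==
               offsetof(struct tgt_old, name) + NAMELEN - 1, "version misplaced");

static unsigned char blob[sizeof(struct tgt_new)]; /* constructed sample buffer */

/* Userspace side: zero the blob, copy the name, set the version byte.
 * An old binary is modelled by version == 0 (assumes it zero-fills). */
static void fill(unsigned char *b, const char *name, uint8_t version)
{
    struct tgt_new t;
    size_t n = strlen(name);
    memset(&t, 0, sizeof t);
    if (n > sizeof t.name - 1)
        n = sizeof t.name - 1; /* always leave a NUL inside name[] */
    memcpy(t.name, name, n);
    t.size = sizeof t;
    t.version = version;
    memcpy(b, &t, sizeof t);
}

/* Old kernel: strcmp() stops at the first NUL, so the trailing version
 * byte is never read. Only called here on blobs produced by fill(). */
static int old_kernel_match(const unsigned char *b, const char *registered)
{
    struct tgt_old t;
    memcpy(&t, b, sizeof t);
    return strcmp(t.name, registered) == 0;
}

/* New kernel: returns the requested version, or -1 when the name is not
 * NUL-terminated inside name[] or does not match the registered name. */
static int new_kernel_version(const unsigned char *b, const char *registered)
{
    struct tgt_new t;
    memcpy(&t, b, sizeof t);
    if (!memchr(t.name, '\0', sizeof t.name) || strcmp(t.name, registered))
        return -1;
    return t.version;
}

static int scenario_a(void) { fill(blob, "MARK", 1); return old_kernel_match(blob, "MARK"); }
static int scenario_b(void) { fill(blob, "MARK", 0); return new_kernel_version(blob, "MARK"); }
```

Scenario (b) depends on the old binary leaving the last byte of the name field at zero; a binary that did not clear the field would hand the new kernel an arbitrary version number.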

