From: Valko Laszlo <valko@linux.karinthy.hu>
To: netfilter-devel@lists.netfilter.org
Cc: valko@linux.karinthy.hu
Subject: sparc64 compatibility
Date: Wed, 11 Dec 2002 13:52:40 +0100 [thread overview]
Message-ID: <20021211135240.A12659@linux.karinthy.hu> (raw)
Hi!
I have tried to migrate my firewall from x86 to sparc64. It was a
partial success: there is at least one netfilter module (ipt_limit)
which does not work correctly as it is in 2.4.20.
The basic issue is that the user-space and the kernel-space differ
in word-length. This means that sizeof(unsigned long) is 8 when
compiling the kernel module, and 4 when compiling iptables.
This makes IPT_ALIGN(sizeof(struct ipt_rateinfo)) different
in iptables than in the kernel, which results
iptables: Invalid argument
when trying to use the ipt_limit module in
iptables -A FORWARD -m limit --limit 3/sec -j LOG
The root cause is twofold:
We have a rather ugly structure definition (used BOTH for in-kernel
storage AND user-space - kernel-space communication with setsockopt):
struct ipt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* Used internally by the kernel */
unsigned long prev;
u_int32_t credit;
u_int32_t credit_cap, cost;
/* Ugly, ugly fucker. */
struct ipt_rateinfo *master;
};
AND we use the size of this structure to validate the request from user-space.
>From an architectural point of view, it would be nice to have a structure
used for communication between iptables and the kernel module, which does
not include any "Used internally by the kernel" comments (and variables),
and have a different structure for internal kernel use (maybe this could
include the other).
However, the main problem is that variables in the kernel-only part
are not word-length independent (prev & master) AND ipt_limit_checkentry
uses a check like this:
if (matchsize != IPT_ALIGN(sizeof(struct ipt_rateinfo)))
return 0;
This check makes it almost impossible to handle my situation in user-land.
So, my proposal is to change ipt_limit_checkentry. Here comes my dilemma:
how to make it correct for my case without breaking all the existing machines?
I would be interested in making this work (I could do that by myself) but I
also would like to see the result generally useful to be merged into
the mainline code. That's the reason I'm posing my questions.
Also, if someone knows right away that some other code in the netfilter
source was not architected to survive such a platform (different word
sizes between kernel and user-space), or some code does an unaligned
memory access (eg. doing 4-byte memory read with the lowest 2 bits of the
address being non-zero results in a trap on SPARC and Alpha), please, tell
me to make it easier for me to use the code.
Please, give me some ideas how I could help to make the code cleaner.
Thanks in advance,
Laszlo
reply other threads:[~2002-12-11 12:52 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20021211135240.A12659@linux.karinthy.hu \
--to=valko@linux.karinthy.hu \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.