iptables/ipset "-m set" alignment problem 64bit kernel 32bit userspace

All of lore.kernel.org
 help / color / mirror / Atom feed

* iptables/ipset "-m set" alignment problem 64bit kernel 32bit userspace
@ 2014-10-31 22:30 Sven-Haegar Koch
  2014-10-31 22:50 ` Florian Westphal
  0 siblings, 1 reply; 4+ messages in thread
From: Sven-Haegar Koch @ 2014-10-31 22:30 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Jozsef Kadlecsik

Hallo,

Problem with 32bit userspace iptables, 64bit kernel and the "-m set" 
ipset match.

iptables:
32bit, debian 1.4.21-2 plus the ipset patch from the git branch

kernel:
64bit, debian 3.2.63-2+deb7u1 plus ipset 6.23

When trying to add an iptables set match it fails with the following 
error when using 64bit kernel and 32bit userspace:

sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.

In syslog:
x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

Adding some hacky paddings to the userspace iptables makes it work with 
my 64bit kernel, but this way is naturally no real solution:

(whitespace damaged, cut&paste)

--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -238,6 +238,7 @@ enum {

 struct ip_set_counter_match {
        __u8 op;
+       __u8 padding[7];
        __u64 value;
 };

--- a/include/linux/netfilter/xt_set.h
+++ b/include/linux/netfilter/xt_set.h
@@ -66,9 +66,11 @@ struct xt_set_info_target_v2 {

 struct xt_set_info_match_v3 {
        struct xt_set_info match_set;
+       __u32 padding1;
        struct ip_set_counter_match packets;
        struct ip_set_counter_match bytes;
        __u32 flags;
+       __u32 padding2;
 };

 /* Revision 3 target */

I do not see a way to cleanly fix the revision 3 set match, as any 
change would break it for either existing 32+32 or 64+64 environments - 
the only clean way I see would be a revision 4 that works correctly and 
accept that rev 3 does not work in the mixed environment.

c'ya
sven-haegar

-- 
Three may keep a secret, if two of them are dead.
- Ben F.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: iptables/ipset "-m set" alignment problem 64bit kernel 32bit userspace
  2014-10-31 22:30 iptables/ipset "-m set" alignment problem 64bit kernel 32bit userspace Sven-Haegar Koch
@ 2014-10-31 22:50 ` Florian Westphal
  2014-10-31 22:57   ` Jan Engelhardt
  2014-11-01  9:51   ` Jozsef Kadlecsik
  0 siblings, 2 replies; 4+ messages in thread
From: Florian Westphal @ 2014-10-31 22:50 UTC (permalink / raw)
  To: Sven-Haegar Koch; +Cc: netfilter-devel, Jozsef Kadlecsik

Sven-Haegar Koch <haegar@sdinet.de> wrote:
> Hallo,
> 
> Problem with 32bit userspace iptables, 64bit kernel and the "-m set" 
> ipset match.
> 
> iptables:
> 32bit, debian 1.4.21-2 plus the ipset patch from the git branch
> 
> kernel:
> 64bit, debian 3.2.63-2+deb7u1 plus ipset 6.23
> 
> When trying to add an iptables set match it fails with the following 
> error when using 64bit kernel and 32bit userspace:
> 
> sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
> iptables: Invalid argument. Run `dmesg' for more information.
> 
> In syslog:
> x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32
> 
> 
> Adding some hacky paddings to the userspace iptables makes it work with 
> my 64bit kernel, but this way is naturally no real solution:
> 
> (whitespace damaged, cut&paste)
> 
> --- a/include/linux/netfilter/ipset/ip_set.h
> +++ b/include/linux/netfilter/ipset/ip_set.h
> @@ -238,6 +238,7 @@ enum {
>  
>  struct ip_set_counter_match {
>         __u8 op;
> +       __u8 padding[7];
>         __u64 value;

Ouch.

> I do not see a way to cleanly fix the revision 3 set match, as any 
> change would break it for either existing 32+32 or 64+64 environments -

Right.

The unclean fix is to provide compat fixup hooks to transparently
convert it in the kernel.

See net/netfilter/xt_limit.c for full example, essentially the
target/match description has to provide

static struct xt_match limit_mt_reg __read_mostly = {
        .name             = "limit",
[..]
#ifdef CONFIG_COMPAT
        .compatsize       = sizeof(struct compat_xt_rateinfo),
        .compat_from_user = limit_mt_compat_from_user,
        .compat_to_user   = limit_mt_compat_to_user,
#endif

The size of the 32bit layout and convert hooks that translate
from the 32 to 64 bit layout (and vice versa).

Jozsef -- v4 or compat crap? :-)

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: iptables/ipset "-m set" alignment problem 64bit kernel 32bit userspace
  2014-10-31 22:50 ` Florian Westphal
@ 2014-10-31 22:57   ` Jan Engelhardt
  2014-11-01  9:51   ` Jozsef Kadlecsik
  1 sibling, 0 replies; 4+ messages in thread
From: Jan Engelhardt @ 2014-10-31 22:57 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Sven-Haegar Koch, netfilter-devel, Jozsef Kadlecsik


On Friday 2014-10-31 23:50, Florian Westphal wrote:
>
>The unclean fix is to provide compat fixup hooks to transparently
>convert it in the kernel.
>
>[..]
>#ifdef CONFIG_COMPAT
>        .compatsize       = sizeof(struct compat_xt_rateinfo),
>        .compat_from_user = limit_mt_compat_from_user,
>        .compat_to_user   = limit_mt_compat_to_user,
>#endif
>
>The size of the 32bit layout and convert hooks that translate
>from the 32 to 64 bit layout (and vice versa).

That is not going to work, especially if you have more than three or
more ABIs in the system. Like, o32/n32/64 for mips (or
i386/x86_64/x32). A report about that happens about every year on the
mailing list.

The only fix is to define a v4, and to make sure that there is no
implicit padding of 32 bits or more.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: iptables/ipset "-m set" alignment problem 64bit kernel 32bit userspace
  2014-10-31 22:50 ` Florian Westphal
  2014-10-31 22:57   ` Jan Engelhardt
@ 2014-11-01  9:51   ` Jozsef Kadlecsik
  1 sibling, 0 replies; 4+ messages in thread
From: Jozsef Kadlecsik @ 2014-11-01  9:51 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Sven-Haegar Koch, netfilter-devel

On Fri, 31 Oct 2014, Florian Westphal wrote:

> Sven-Haegar Koch <haegar@sdinet.de> wrote:
> > Hallo,
> > 
> > Problem with 32bit userspace iptables, 64bit kernel and the "-m set" 
> > ipset match.
> > 
> > iptables:
> > 32bit, debian 1.4.21-2 plus the ipset patch from the git branch
> > 
> > kernel:
> > 64bit, debian 3.2.63-2+deb7u1 plus ipset 6.23
> > 
> > When trying to add an iptables set match it fails with the following 
> > error when using 64bit kernel and 32bit userspace:
> > 
> > sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
> > iptables: Invalid argument. Run `dmesg' for more information.
> > 
> > In syslog:
> > x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32
> > 
> > 
> > Adding some hacky paddings to the userspace iptables makes it work with 
> > my 64bit kernel, but this way is naturally no real solution:
> > 
> > (whitespace damaged, cut&paste)
> > 
> > --- a/include/linux/netfilter/ipset/ip_set.h
> > +++ b/include/linux/netfilter/ipset/ip_set.h
> > @@ -238,6 +238,7 @@ enum {
> >  
> >  struct ip_set_counter_match {
> >         __u8 op;
> > +       __u8 padding[7];
> >         __u64 value;
> 
> Ouch.
> 
> > I do not see a way to cleanly fix the revision 3 set match, as any 
> > change would break it for either existing 32+32 or 64+64 environments -
> 
> Right.
> 
> The unclean fix is to provide compat fixup hooks to transparently
> convert it in the kernel.
> 
> See net/netfilter/xt_limit.c for full example, essentially the
> target/match description has to provide
> 
> static struct xt_match limit_mt_reg __read_mostly = {
>         .name             = "limit",
> [..]
> #ifdef CONFIG_COMPAT
>         .compatsize       = sizeof(struct compat_xt_rateinfo),
>         .compat_from_user = limit_mt_compat_from_user,
>         .compat_to_user   = limit_mt_compat_to_user,
> #endif
> 
> The size of the 32bit layout and convert hooks that translate
> from the 32 to 64 bit layout (and vice versa).
> 
> Jozsef -- v4 or compat crap? :-)

v4 of course! That's the best way to go...

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2014-11-01  9:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-10-31 22:30 iptables/ipset "-m set" alignment problem 64bit kernel 32bit userspace Sven-Haegar Koch
2014-10-31 22:50 ` Florian Westphal
2014-10-31 22:57   ` Jan Engelhardt
2014-11-01  9:51   ` Jozsef Kadlecsik

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.