Rusty Russell wrote:
> We've been chasing this for a while; thanks to Bart for the final piece!

That is good news, we finally drop that heavy anchor :)

> 2) If not, you must extend the size of the structure, so old kernels
> will fail, and new kernels will be able to tell whether they are to use
> the new or old structure. The IPT_ALIGN'ed size of the structure must
> change for this to work!

My idea, I don't know how crazy it is. Instead of using the size to guess the target/match version, we could steal 1 byte from char name[] to define a new field called version, so we could register different versions of a match/target.

Possible scenarios:

a) Old kernel, new iptables binary: since names are manipulated with str* functions, there shouldn't be any problem with the version stuff, because it will be ignored: info after the first '\0' is ignored.

b) New kernel, old iptables: the version value is zero, so the kernel guesses that it must handle the thing with the first version of the target/match.

Possible inconveniences?:

a) A current target/match with a name 29 bytes long. Hm, I think that there's no target/match like that.

b) Could gcc mess things up with alignments and break compatibility?

c) Something I'm missing 8)

Attached is just the beginning of a possible patch; things like version-aware ipt_register_* should still be implemented.

--
Pablo
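The two scenarios and the first inconvenience above, as an added example that is not part of the thread or of the attached patch. It assumes a 30-byte name[] field (NAMELEN), an invented header shape with only a size and a name, and that the old kernel compares names with strncmp over the whole field; struct and function names are hypothetical.

```c
/* Added example (not from the original thread or patch): sketch of the
 * "steal one byte from name[]" idea and the compatibility cases it relies on.
 * NAMELEN, the struct shapes and the function names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAMELEN 30  /* assumed width of the match/target name[] field */

/* Layout an old kernel and an old iptables agree on (assumed shape). */
struct old_hdr {
    uint16_t size;
    char     name[NAMELEN];
};

/* Proposed layout: the last byte of name[] becomes a version field.
 * The total size is unchanged, so a size-based check still passes. */
struct new_hdr {
    uint16_t size;
    char     name[NAMELEN - 1];
    uint8_t  version;   /* left as 0 by an old iptables (zero padding) */
};

/* Inconvenience (b): check on this compiler that the byte really lands
 * where name[NAMELEN - 1] used to be and nothing got padded. */
int layouts_compatible(void)
{
    return sizeof(struct old_hdr) == sizeof(struct new_hdr)
        && offsetof(struct new_hdr, version)
           == offsetof(struct old_hdr, name) + NAMELEN - 1;
}

/* Build a header the way a NEW iptables would. A name that fills all
 * NAMELEN - 1 bytes gets no terminating NUL, which is inconvenience (a). */
void fill_new(unsigned char *blob, const char *name, uint8_t version)
{
    struct new_hdr h;
    size_t n = strlen(name);
    if (n > sizeof h.name)
        n = sizeof h.name;
    memset(&h, 0, sizeof h);
    h.size = sizeof h;
    memcpy(h.name, name, n);
    h.version = version;
    memcpy(blob, &h, sizeof h);
}

/* Build a header the way an OLD iptables would: name, then zero padding. */
void fill_old(unsigned char *blob, const char *name)
{
    struct old_hdr h;
    size_t n = strlen(name);
    if (n > sizeof h.name)
        n = sizeof h.name;
    memset(&h, 0, sizeof h);
    h.size = sizeof h;
    memcpy(h.name, name, n);
    memcpy(blob, &h, sizeof h);
}

/* Scenario (a): an OLD kernel parses the blob with the old struct and
 * compares the name with a str* function, so bytes after the first NUL
 * are ignored. Returns 1 when the registered name matches. */
int old_kernel_matches(const unsigned char *blob, const char *registered)
{
    struct old_hdr h;
    memcpy(&h, blob, sizeof h);
    return strncmp(h.name, registered, NAMELEN) == 0;
}

/* Scenario (b): a NEW kernel reads the version byte; 0 means the blob
 * came from an old iptables and the first version must be used. */
int new_kernel_version(const unsigned char *blob)
{
    struct new_hdr h;
    memcpy(&h, blob, sizeof h);
    return h.version;
}

int main(void)
{
    unsigned char blob[sizeof(struct old_hdr)];
    const char *long_name = "abcdefghijklmnopqrstuvwxyz012";  /* 29 chars */

    printf("layouts compatible: %d\n", layouts_compatible());
    fill_new(blob, "limit", 3);
    printf("old kernel accepts new 'limit' blob: %d, version seen by new kernel: %d\n",
           old_kernel_matches(blob, "limit"), new_kernel_version(blob));
    fill_old(blob, "limit");
    printf("old blob, version seen by new kernel: %d\n", new_kernel_version(blob));
    fill_new(blob, long_name, 2);
    printf("29-char name with version 2, old kernel accepts: %d\n",
           old_kernel_matches(blob, long_name));
    return 0;
}
```

The last call shows why a 29-byte name is the one case that breaks: with no NUL inside name[], the old kernel's strncmp runs into the version byte and the name no longer matches, whereas a version of 0 (old iptables) still compares equal.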