Pablo Neira wrote:
>> 2) If not, you must extend the size of the structure, so old kernels
>> will fail, and new kernels will be able to tell whether they are to use
>> the new or old structure. The IPT_ALIGN'ed size of the structure must
>> change for this to work!
>
> My idea, I don't know how crazy it is. Instead of using the size to
> guess the target/match version, we could steal 1 byte from char name[]
> to define a new field called version, so we could register different
> versions of a match/target.
>
> Possible scenarios:
> a) Old kernel, new iptables binary: since names are manipulated with
> str* functions, there shouldn't be any problem with the version stuff,
> because it will be ignored, since info after the first '\0' is ignored.
> b) New kernel, old iptables: the version value is zero, so the kernel
> guesses that it must handle the thing with the first version of the
> target/match.

I finally found some spare time to go back to this issue. I've finished two
patches for the kernel part of my idea of adding versions to targets/matches:
one for ip_tables, and the other for ipt_MARK, based on Rusty's. The iptables
(user space) patches are still missing :(

It works for me (TM) on x86/gcc-2.95 with both patches applied, using an old
binary version of iptables to test that it doesn't break backward
compatibility.

Please say crap/cool/dirty/crazy/whatever about this.

-- 
Pablo
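Not part of the original thread: an added C sketch of the byte-stealing idea discussed above, showing why the version byte is invisible to a str*-based lookup and reads as zero when an old binary filled the structure. The structs are reduced to the two fields that matter, the value of IPT_FUNCTION_MAXNAMELEN (30) is assumed for the demo, and all function names are hypothetical; none of this is the patch Pablo posted.

```c
#include <stdint.h>
#include <string.h>

/* Assumed value for the demo; the trick does not depend on it. */
#define IPT_FUNCTION_MAXNAMELEN 30

/* Old layout: the whole field is the name (simplified ipt_entry_match user part). */
struct old_match_user {
    uint16_t match_size;
    char name[IPT_FUNCTION_MAXNAMELEN];
};

/* New layout: the last byte of name[] becomes a version field.
 * The struct must keep the same size, or the IPT_ALIGN'ed sizes would differ. */
struct new_match_user {
    uint16_t match_size;
    char name[IPT_FUNCTION_MAXNAMELEN - 1];
    uint8_t version;
};

/* One blob as passed from user space, viewed through either layout. */
union match_blob {
    struct old_match_user old;
    struct new_match_user new;
};

/* Old iptables: zero the struct, copy the name. The trailing bytes,
 * including the one a new kernel will read as 'version', stay zero. */
static void old_iptables_fill(union match_blob *b, const char *name)
{
    memset(b, 0, sizeof(*b));
    b->old.match_size = sizeof(*b);
    strncpy(b->old.name, name, IPT_FUNCTION_MAXNAMELEN - 1);
}

/* New iptables: same, but sets the version byte explicitly. */
static void new_iptables_fill(union match_blob *b, const char *name, uint8_t version)
{
    memset(b, 0, sizeof(*b));
    b->new.match_size = sizeof(*b);
    strncpy(b->new.name, name, sizeof(b->new.name) - 1);
    b->new.version = version;
}

/* Old kernel: a str* compare never looks past the first NUL,
 * so whatever sits in the stolen byte is ignored. */
static int old_kernel_name_matches(const union match_blob *b, const char *registered)
{
    return strncmp(b->old.name, registered, IPT_FUNCTION_MAXNAMELEN) == 0;
}

/* New kernel: same compare, bounded to the shortened field, then the version
 * byte; 0 means "old binary, use the first version of this match". */
static int new_kernel_version(const union match_blob *b, const char *registered)
{
    if (strncmp(b->new.name, registered, sizeof(b->new.name)) != 0)
        return -1;                                  /* not this match at all */
    return b->new.version;
}

/* Scenario a) old kernel, new iptables binary: the match is still found. */
int scenario_old_kernel_new_iptables(void)
{
    union match_blob b;
    new_iptables_fill(&b, "MARK", 1);
    return old_kernel_name_matches(&b, "MARK");     /* 1 */
}

/* Scenario b) new kernel, old iptables binary: version reads as 0. */
int scenario_new_kernel_old_iptables(void)
{
    union match_blob b;
    old_iptables_fill(&b, "MARK");
    return new_kernel_version(&b, "MARK");          /* 0 */
}

/* New kernel, new iptables: the requested version comes through. */
int scenario_new_kernel_new_iptables(void)
{
    union match_blob b;
    new_iptables_fill(&b, "MARK", 2);
    return new_kernel_version(&b, "MARK");          /* 2 */
}

/* The whole scheme rests on the two layouts having the same size. */
int layouts_same_size(void)
{
    return sizeof(struct old_match_user) == sizeof(struct new_match_user);
}
```

One caveat the sketch makes visible: a 29-character name under the old layout puts its NUL terminator exactly where the new kernel reads the version, which still decodes as version 0, but a new-layout binary can only register names up to 28 characters, and the new kernel must bound its compare to the shortened field rather than the old length.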