From b6c3696b7286baa60d3b52a97acf5c3e58af224d Mon Sep 17 00:00:00 2001 From: Aurelien Jarno Date: Sun, 29 Aug 2010 14:26:58 +0000 Subject: [PATCH] * Fix netfilter CONFIG_COMPAT support. svn path=/dists/trunk/linux-2.6/; revision=16211 --- debian/changelog | 3 + .../netfilter-fix-CONFIG_COMPAT-support.patch | 64 +++++++++++++++++++ debian/patches/series/1~experimental.3 | 1 + 3 files changed, 68 insertions(+) create mode 100644 debian/patches/bugfix/all/netfilter-fix-CONFIG_COMPAT-support.patch create mode 100644 debian/patches/series/1~experimental.3 diff --git a/debian/changelog b/debian/changelog index d9757be2a..b3f28406e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -33,6 +33,9 @@ linux-2.6 (2.6.35-1~experimental.3) UNRELEASED; urgency=low * Disable Ralink staging drivers, the in-tree ones reached "works-for-me" status. + [ Aurelien Jarno ] + * Fix netfilter CONFIG_COMPAT support. + -- Ben Hutchings Wed, 18 Aug 2010 02:45:21 +0100 linux-2.6 (2.6.35-1~experimental.2) experimental; urgency=low diff --git a/debian/patches/bugfix/all/netfilter-fix-CONFIG_COMPAT-support.patch b/debian/patches/bugfix/all/netfilter-fix-CONFIG_COMPAT-support.patch new file mode 100644 index 000000000..29e195bc7 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-fix-CONFIG_COMPAT-support.patch @@ -0,0 +1,64 @@ +commit cca77b7c81876d819a5806f408b3c29b5b61a815 +Author: Florian Westphal +Date: Mon Aug 23 14:41:22 2010 -0700 + + netfilter: fix CONFIG_COMPAT support + + commit f3c5c1bfd430858d3a05436f82c51e53104feb6b + (netfilter: xtables: make ip_tables reentrant) forgot to + also compute the jumpstack size in the compat handlers. + + Result is that "iptables -I INPUT -j userchain" turns into -j DROP. + + Reported by Sebastian Roesner on #netfilter, closes + http://bugzilla.netfilter.org/show_bug.cgi?id=669. + + Note: arptables change is compile-tested only. + + Signed-off-by: Florian Westphal + Acked-by: Eric Dumazet + Tested-by: Mikael Pettersson + 
Signed-off-by: David S. Miller
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 51d6c31..e8f4f9a 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1420,6 +1420,9 @@ static int translate_compat_table(const char *name,
+ if (ret != 0)
+ break;
+ ++i;
++ if (strcmp(arpt_get_target(iter1)->u.user.name,
++ XT_ERROR_TARGET) == 0)
++ ++newinfo->stacksize;
+ }
+ if (ret) {
+ /*
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 97b64b2..d163f2e 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1751,6 +1751,9 @@ translate_compat_table(struct net *net,
+ if (ret != 0)
+ break;
+ ++i;
++ if (strcmp(ipt_get_target(iter1)->u.user.name,
++ XT_ERROR_TARGET) == 0)
++ ++newinfo->stacksize;
+ }
+ if (ret) {
+ /*
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 29a7bca..8e754be 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1766,6 +1766,9 @@ translate_compat_table(struct net *net,
+ if (ret != 0)
+ break;
+ ++i;
++ if (strcmp(ip6t_get_target(iter1)->u.user.name,
++ XT_ERROR_TARGET) == 0)
++ ++newinfo->stacksize;
+ }
+ if (ret) {
+ /*
diff --git a/debian/patches/series/1~experimental.3 b/debian/patches/series/1~experimental.3
new file mode 100644
index 000000000..e2e346042
--- /dev/null
+++ b/debian/patches/series/1~experimental.3
@@ -0,0 +1 @@
++ bugfix/all/netfilter-fix-CONFIG_COMPAT-support.patch
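Review bot: The added `strcmp(arpt_get_target(iter1)->u.user.name, XT_ERROR_TARGET)` in the arp_tables.c hunk, and the identical checks in the ip_tables.c and ip6_tables.c hunks, run an unbounded compare on a fixed-size name field that comes from a userspace-supplied rule blob. Nothing visible in these hunks shows that the field is NUL-terminated, or that the entry still carries its `u.user` view rather than a kernel view of the same union, by the time this loop runs in the compat path. If an earlier pass does not guarantee both, bounding the compare with `strncmp` and the size of `u.user.name` would be the safer form; if it does, a short comment above the check should record that invariant and say why ERROR targets are counted into `newinfo->stacksize`. Because this count sizes the jump stack, it is worth confirming it matches what the non-compat path computes for the same ruleset, especially for arptables, which the commit message says was only compile-tested. translate_compat_table starts and ends outside each hunk.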