extensions: nfacct: Fix alignment mismatch in xt_nfacct_match_info
authorJuliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
Tue, 20 Aug 2019 11:30:39 +0000 (13:30 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 20 Aug 2019 11:38:43 +0000 (13:38 +0200)
When running a 64-bit kernel with a 32-bit iptables binary, the
size of the xt_nfacct_match_info struct diverges.

    kernel: sizeof(struct xt_nfacct_match_info) : 40
    iptables: sizeof(struct xt_nfacct_match_info) : 36

This patch is the userspace fix of the memory misalignment.

It introduces a v1 ABI with the correct alignment and stays
compatible with unfixed revision 0 kernels.

Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions/libxt_nfacct.c
include/linux/netfilter/xt_nfacct.h

index 2ad59d52f3645ebf37f9850855b37ca321335da4..d9c0309a864e6f26e17b221935441ce10b9d1662 100644 (file)
@@ -70,20 +70,36 @@ static void nfacct_save(const void *ip, const struct xt_entry_match *match)
        nfacct_print_name(info, "--");
 }
 
-static struct xtables_match nfacct_match = {
-       .family         = NFPROTO_UNSPEC,
-       .name           = "nfacct",
-       .version        = XTABLES_VERSION,
-       .size           = XT_ALIGN(sizeof(struct xt_nfacct_match_info)),
-       .userspacesize  = offsetof(struct xt_nfacct_match_info, nfacct),
-       .help           = nfacct_help,
-       .x6_parse       = nfacct_parse,
-       .print          = nfacct_print,
-       .save           = nfacct_save,
-       .x6_options     = nfacct_opts,
+static struct xtables_match nfacct_matches[] = {
+       {
+               .family         = NFPROTO_UNSPEC,
+               .revision       = 0,
+               .name           = "nfacct",
+               .version        = XTABLES_VERSION,
+               .size           = XT_ALIGN(sizeof(struct xt_nfacct_match_info)),
+               .userspacesize  = offsetof(struct xt_nfacct_match_info, nfacct),
+               .help           = nfacct_help,
+               .x6_parse       = nfacct_parse,
+               .print          = nfacct_print,
+               .save           = nfacct_save,
+               .x6_options     = nfacct_opts,
+       },
+       {
+               .family         = NFPROTO_UNSPEC,
+               .revision       = 1,
+               .name           = "nfacct",
+               .version        = XTABLES_VERSION,
+               .size           = XT_ALIGN(sizeof(struct xt_nfacct_match_info_v1)),
+               .userspacesize  = offsetof(struct xt_nfacct_match_info_v1, nfacct),
+               .help           = nfacct_help,
+               .x6_parse       = nfacct_parse,
+               .print          = nfacct_print,
+               .save           = nfacct_save,
+               .x6_options     = nfacct_opts,
+       },
 };
 
 void _init(void)
 {
-       xtables_register_match(&nfacct_match);
+       xtables_register_matches(nfacct_matches, ARRAY_SIZE(nfacct_matches));
 }
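Review bot: Both entries of `nfacct_matches` reuse the same `nfacct_parse`, `nfacct_print` and `nfacct_save` callbacks, although revision 1 hands them a `struct xt_nfacct_match_info_v1` instead of a `struct xt_nfacct_match_info`. That is only sound while `name` sits at the same offset in both layouts and the callbacks touch nothing beyond it. The callback bodies are outside this hunk, so that is presumably the case but cannot be confirmed from here. I would record the invariant above the array, e.g. `/* rev 0 and rev 1 share callbacks: they may only access ->name, which is at the same offset in both structs */`, or enforce it with a compile-time `offsetof` comparison. Otherwise a later layout change would silently misread or corrupt the match data exchanged with the kernel.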
index 59ab00dd86d09d3a0459be56c21a86c331277076..04ec2b04afd45a0b93df10762f56381d0448ef85 100644 (file)
@@ -14,4 +14,9 @@ struct xt_nfacct_match_info {
        struct nf_acct  *nfacct;
 };
 
+struct xt_nfacct_match_info_v1 {
+       char            name[NFACCT_NAME_MAX];
+       struct nf_acct  *nfacct __attribute__((aligned(8)));
+};
+
 #endif /* _XT_NFACCT_MATCH_H */
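Review bot: `struct xt_nfacct_match_info_v1` is added without a comment saying why a second layout exists or why `nfacct` is forced to 8-byte alignment, and nothing pins its size. Since this struct is the userspace/kernel ABI for revision 1, I would document it in place, e.g. `/* v1: nfacct is 8-byte aligned so 32-bit userspace and a 64-bit kernel agree on sizeof() */`. A size check in libxt_nfacct.c would also help, such as `_Static_assert(sizeof(struct xt_nfacct_match_info_v1) == 40, "nfacct v1 ABI size");`, where 40 is the kernel-side size quoted in the commit message. It would catch a 32-bit build whose compiler ignores or alters the attribute. The revision 0 struct begins outside this hunk and is intentionally left unchanged.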