This fixes rule deletion in CLUSTERIP in iptables (Pablo Neira)
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index e4ab918..d2bee97 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -7,6 +7,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <getopt.h>
+#include <stddef.h>
 
 #if defined(__GLIBC__) && __GLIBC__ == 2
 #include <net/ethernet.h>
@@ -16,7 +17,7 @@
 
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
+#include "../include/linux/netfilter_ipv4/ipt_CLUSTERIP.h"
 
 static void
 help(void)
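Review bot: The quoted relative path in the new `#include "../include/linux/netfilter_ipv4/ipt_CLUSTERIP.h"` line replaces the system kernel header with a private in-tree copy, and nothing in the file says why. The target registration further down sizes the target data from this struct, so the copy has to match the layout used by the kernel the rules are loaded into. A comment above the include would make that dependency visible, for example `/* in-tree copy: layout must match the kernel's struct ipt_clusterip_tgt_info */`. The `help()` definition that begins at the end of this hunk continues outside it.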
@@ -242,7 +243,7 @@
 	.name		= "CLUSTERIP",
 	.version	= IPTABLES_VERSION,
 	.size		= IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)),
-	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_clusterip_tgt_info)),
+	.userspacesize	= offsetof(struct ipt_clusterip_tgt_info, config),
  	.help		= &help,
 	.init		= &init,
 	.parse		= &parse,
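Review bot: `.userspacesize = offsetof(struct ipt_clusterip_tgt_info, config)` is only correct while `config` remains the last member of the struct. Any field later added after it would be silently left out of the rule comparison used for deletion. A comment on that line would record the reason, e.g. `/* config is a kernel-private pointer: compare only the fields before it */`, and the `config` member in the header deserves a "must stay last" remark. The initializer this line belongs to starts and ends outside the hunk.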
diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
new file mode 100644
index 0000000..6f76060
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
@@ -0,0 +1,37 @@
+#ifndef _IPT_CLUSTERIP_H_target
+#define _IPT_CLUSTERIP_H_target
+
+enum clusterip_hashmode {
+    CLUSTERIP_HASHMODE_SIP = 0,
+    CLUSTERIP_HASHMODE_SIP_SPT,
+    CLUSTERIP_HASHMODE_SIP_SPT_DPT,
+};
+
+#define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT
+
+#define CLUSTERIP_MAX_NODES 16
+
+#define CLUSTERIP_FLAG_NEW 0x00000001
+
+struct clusterip_config;
+
+struct ipt_clusterip_tgt_info {
+
+	u_int32_t flags;
+	
+	/* only relevant for new ones */
+	u_int8_t clustermac[6];
+	u_int16_t num_total_nodes;
+	u_int16_t num_local_nodes;
+	u_int16_t local_nodes[CLUSTERIP_MAX_NODES];
+	enum clusterip_hashmode hash_mode;
+	u_int32_t hash_initval;
+	
+#ifdef KERNEL_64_USERSPACE_32
+	u_int64_t config;
+#else
+	struct clusterip_config *config;
+#endif
+};
+
+#endif /*_IPT_CLUSTERIP_H_target*/
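Review bot: The new header uses `u_int8_t`, `u_int16_t`, `u_int32_t` and `u_int64_t` but includes nothing that defines them, so it compiles only if the including file has already pulled in a suitable system header. Adding `#include <sys/types.h>` right after the include guard would make it self-contained. The struct is copied between userspace and the kernel, so its layout is effectively ABI, yet `enum clusterip_hashmode hash_mode` has a compiler-dependent size. A one-line comment noting that the layout must not change, and that `config` is filled in by the kernel rather than by userspace, would help the next editor.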