From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>,
	netfilter-devel@vger.kernel.org
Subject: netfilter 03/04: xt_cluster: fix use of cluster match with 32 nodes
Date: Tue,  5 May 2009 18:47:46 +0200 (MEST)
Message-ID: <20090505164746.19290.81233.sendpatchset@x2.localnet>
In-Reply-To: <20090505164742.19290.7829.sendpatchset@x2.localnet>

commit 280f37afa2c270ff029cb420b34396aa002909c3
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue May 5 17:46:07 2009 +0200

    netfilter: xt_cluster: fix use of cluster match with 32 nodes
    
    This patch fixes a problem when you use 32 nodes in the cluster
    match:
    
    % iptables -I PREROUTING -t mangle -i eth0 -m cluster \
      --cluster-total-nodes  32  --cluster-local-node  32 \
      --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
    iptables: Invalid argument. Run `dmesg' for more information.
    % dmesg | tail -1
    xt_cluster: this node mask cannot be higher than the total number of nodes
    
    The problem is related to this checking:
    
    if (info->node_mask >= (1 << info->total_nodes)) {
    	printk(KERN_ERR "xt_cluster: this node mask cannot be "
    			"higher than the total number of nodes\n");
    	return false;
    }
    
    (1 << 32) is 1. Thus, the checking fails.
    
    BTW, I said this before but I insist: I have only tested the cluster
    match with 2 nodes getting ~45% extra performance in an active-active setup.
    The maximum limit of 32 nodes is still completely arbitrary. I'd really
    appreciate if people that have more nodes in their setups let me know.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/netfilter/xt_cluster.h b/include/linux/netfilter/xt_cluster.h
index 5e0a0d0..8866826 100644
--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/linux/netfilter/xt_cluster.h
@@ -12,4 +12,6 @@ struct xt_cluster_match_info {
 	u_int32_t		flags;
 };
 
+#define XT_CLUSTER_NODES_MAX	32
+
 #endif /* _XT_CLUSTER_MATCH_H */
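Review bot: XT_CLUSTER_NODES_MAX is added to include/linux/netfilter/xt_cluster.h with no comment explaining where the value 32 comes from or what depends on it. The check in xt_cluster_mt_checkentry shifts 1ULL by total_nodes, which is only well defined while this limit stays below 64, so a one-line comment above the define stating that constraint would keep a later bump of the limit from reintroducing the same shift problem. Since the define sits next to struct xt_cluster_match_info in a header under include/linux, it is also worth stating whether userspace is expected to validate against it.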
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 6c48476..69a639f 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -135,7 +135,13 @@ static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
 {
 	struct xt_cluster_match_info *info = par->matchinfo;
 
-	if (info->node_mask >= (1 << info->total_nodes)) {
+	if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
+		printk(KERN_ERR "xt_cluster: you have exceeded the maximum "
+				"number of cluster nodes (%u > %u)\n",
+				info->total_nodes, XT_CLUSTER_NODES_MAX);
+		return false;
+	}
+	if (info->node_mask >= (1ULL << info->total_nodes)) {
 		printk(KERN_ERR "xt_cluster: this node mask cannot be "
 				"higher than the total number of nodes\n");
 		return false;
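Review bot: the new bound in xt_cluster_mt_checkentry only covers the upper end, so total_nodes == 0 together with node_mask == 0 still passes both checks (1ULL << 0 is 1, and 0 >= 1 is false). If a zero-node configuration is not meaningful, reject it in the same test, for example `if (info->total_nodes == 0 || info->total_nodes > XT_CLUSTER_NODES_MAX)`. The ordering of the two checks is right, since the range test must run before the shift; a short comment saying so would help. The unchanged message "this node mask cannot be higher than the total number of nodes" compares a bitmask to a count and could be reworded to say the mask has bits set beyond total_nodes.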
