From: Pablo Neira Ayuso <pablo@netfilter.org>
To: David Miller <davem@davemloft.net>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value
Date: Mon, 9 Jul 2012 10:58:27 +0200 [thread overview]
Message-ID: <20120709085827.GA10776@1984> (raw)
In-Reply-To: <20120709.002903.592402805831614695.davem@davemloft.net>
[-- Attachment #1: Type: text/plain, Size: 530 bytes --]
On Mon, Jul 09, 2012 at 12:29:03AM -0700, David Miller wrote:
> From: pablo@netfilter.org
> Date: Fri, 6 Jul 2012 13:39:38 +0200
>
> > + if (add_opt.timeout != IPSET_NO_TIMEOUT
> > + && add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
>
> We do not write conditionals like this, with operators beginning
> a continued line. Instead, write this as:
>
> if (a &&
> b)
Oops, indeed, sorry. New patch attached.
I've also rebased my tree to include this change. Should I send a new
pull request?
Let me know what you prefer.
[-- Attachment #2: 0001-netfilter-ipset-timeout-fixing-bug-broke-SET-target-.patch --]
[-- Type: text/x-diff, Size: 1501 bytes --]
>From a73f89a61f92b364f0b4a3be412b5b70553afc23 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Fri, 29 Jun 2012 09:42:28 +0000
Subject: [PATCH] netfilter: ipset: timeout fixing bug broke SET target
special timeout value
The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
broke the SET target when no timeout was specified.
Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_set.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 035960e..c6f7db7 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -16,6 +16,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
info->del_set.flags, 0, UINT_MAX);
/* Normalize to fit into jiffies */
- if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+ if (add_opt.timeout != IPSET_NO_TIMEOUT &&
+ add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
if (info->add_set.index != IPSET_INVALID_ID)
ip_set_add(info->add_set.index, skb, par, &add_opt);
--
1.7.10
next prev parent reply other threads:[~2012-07-09 8:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-06 11:39 [PATCH 0/2] Netfilter updates for 3.5-rc5 pablo
2012-07-06 11:39 ` [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo
2012-07-09 7:29 ` David Miller
2012-07-09 8:58 ` Pablo Neira Ayuso [this message]
2012-07-09 9:50 ` David Miller
2012-07-06 11:39 ` [PATCH 2/2] netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down pablo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120709085827.GA10776@1984 \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.