* [PATCH 0/2] Netfilter updates for 3.5-rc5
From: pablo @ 2012-07-06 11:39 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi David,
The following patches provide two fixes:
* One to get the timeout special parameter for the SET target back working
(this was introduced while trying to fix another bug in 3.4) from
Jozsef Kadlecsik.
* One crash fix, by myself, for when containers and nf_conntrack are used,
reported by Hans Schillstrom.
You can pull these fixes from:
git://1984.lsi.us.es/nf master
Thanks.
Little notice: I forgot to add my Signed-off-by while manually applying
Jozsef's patch, sorry. It was a bit too late to fix, I already pushed out
to my master branch.
Jozsef Kadlecsik (1):
netfilter: ipset: timeout fixing bug broke SET target special timeout value
Pablo Neira Ayuso (1):
netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down
include/net/netfilter/nf_conntrack_ecache.h | 2 +-
net/netfilter/xt_set.c | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
--
1.7.10
* [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: pablo @ 2012-07-06 11:39 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
broke the SET target when no timeout was specified.
Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/xt_set.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 035960e..b172cbc 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -16,6 +16,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
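Review bot: the new include is pulled in only for IPSET_NO_TIMEOUT, which the set_target_v2 hunk below compares against; the commit message should say so, because a reader of this hunk alone cannot tell why xt_set.c now depends on the ipset timeout header, and "broke the SET target when no timeout was specified" does not name the sentinel value that is being exempted.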
@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
info->del_set.flags, 0, UINT_MAX);
/* Normalize to fit into jiffies */
- if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+ if (add_opt.timeout != IPSET_NO_TIMEOUT
+ && add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
if (info->add_set.index != IPSET_INVALID_ID)
ip_set_add(info->add_set.index, skb, par, &add_opt);
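Review bot: the continuation line of the new condition begins with `&&`; kernel style ends the first line with the operator, i.e. `if (add_opt.timeout != IPSET_NO_TIMEOUT &&` followed by the indented `add_opt.timeout > UINT_MAX/MSEC_PER_SEC)`. On the logic, exempting the sentinel is necessary: the old clamp could only have broken the no-timeout case if IPSET_NO_TIMEOUT is itself larger than UINT_MAX/MSEC_PER_SEC, so the old code silently rewrote "no timeout" into a finite one and ip_set_add() received a bounded timeout the rule never asked for. That mechanism belongs in the commit message rather than just "broke the SET target".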
--
1.7.10
* [PATCH 2/2] netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down
From: pablo @ 2012-07-06 11:39 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hans reports that he's still hitting:
BUG: unable to handle kernel NULL pointer dereference at 000000000000027c
IP: [<ffffffff813615db>] netlink_has_listeners+0xb/0x60
PGD 0
Oops: 0000 [#3] PREEMPT SMP
CPU 0
It happens when adding a number of containers with do:
nfct_query(h, NFCT_Q_CREATE, ct);
and most likely one namespace shuts down.
This problem was supposed to be fixed by:
70e9942 netfilter: nf_conntrack: make event callback registration per-netns
Still, it was missing one rcu_access_pointer to check if the callback
is set or not.
Reported-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_conntrack_ecache.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index a88fb69..e1ce104 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -78,7 +78,7 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
struct net *net = nf_ct_net(ct);
struct nf_conntrack_ecache *e;
- if (net->ct.nf_conntrack_event_cb == NULL)
+ if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
return;
e = nf_ct_ecache_find(ct);
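Review bot: rcu_access_pointer() here only makes the NULL test a proper single load that the compiler cannot cache or reorder; it does not by itself make the later use of the callback safe against a namespace unregistering it between this check and the dereference. The commit message says the fix was "missing one rcu_access_pointer", but it should spell out that this read is a pure NULL test and that the consumer still takes rcu_read_lock() and rcu_dereference() before calling the callback; otherwise a reader cannot tell from this one-line hunk whether the race with the shutting-down container is fully closed.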
--
1.7.10
* Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: David Miller @ 2012-07-09 7:29 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: pablo@netfilter.org
Date: Fri, 6 Jul 2012 13:39:38 +0200
> + if (add_opt.timeout != IPSET_NO_TIMEOUT
> + && add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
We do not write conditionals like this, with operators beginning
a continued line. Instead, write this as:
if (a &&
b)
Thanks.
* Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: Pablo Neira Ayuso @ 2012-07-09 8:58 UTC
To: David Miller; +Cc: netfilter-devel, netdev
On Mon, Jul 09, 2012 at 12:29:03AM -0700, David Miller wrote:
> From: pablo@netfilter.org
> Date: Fri, 6 Jul 2012 13:39:38 +0200
>
> > + if (add_opt.timeout != IPSET_NO_TIMEOUT
> > + && add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
>
> We do not write conditionals like this, with operators beginning
> a continued line. Instead, write this as:
>
> if (a &&
> b)
Oops, indeed, sorry. New patch attached.
I've also rebased my tree to include this change. Should I send a new
pull request?
Let me know what you prefer.
[-- Attachment #2: 0001-netfilter-ipset-timeout-fixing-bug-broke-SET-target-.patch (text/x-diff) --]
From a73f89a61f92b364f0b4a3be412b5b70553afc23 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Fri, 29 Jun 2012 09:42:28 +0000
Subject: [PATCH] netfilter: ipset: timeout fixing bug broke SET target
special timeout value
The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
broke the SET target when no timeout was specified.
Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_set.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 035960e..c6f7db7 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -16,6 +16,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
info->del_set.flags, 0, UINT_MAX);
/* Normalize to fit into jiffies */
- if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+ if (add_opt.timeout != IPSET_NO_TIMEOUT &&
+ add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
if (info->add_set.index != IPSET_INVALID_ID)
ip_set_add(info->add_set.index, skb, par, &add_opt);
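Review bot: the conditional now ends its first line with `&&`, which matches kernel style, but this resend carries no changelog under the `---` separator saying what differs from the earlier posting: the only changes are the line-wrapping of the condition and the added `Signed-off-by: Pablo Neira Ayuso`. A one-line v2 note there would let a reviewer of the attachment alone see that the logic is unchanged.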
--
1.7.10
* Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: David Miller @ 2012-07-09 9:50 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 9 Jul 2012 10:58:27 +0200
> I've also rebased my tree to include this change. Should I send a new
> pull request?
Next time send a new pull request.
This time, I re-pulled, thanks.