* [PATCH 0/2] Netfilter updates for 3.5-rc5
From: pablo @ 2012-07-06 11:39 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following patches provide two fixes:

* One to get the timeout special parameter for the SET target back working (this was introduced while trying to fix another bug in 3.4), from Jozsef Kadlecsik.

* One crash fix for when containers and nf_conntrack are used, reported by Hans Schillstrom, by myself.

You can pull these fixes from:

git://1984.lsi.us.es/nf master

Thanks.

Little notice: I forgot to add my Signed-off-by while manually applying Jozsef's patch, sorry. It was a bit too late to fix, I had already pushed out to my master branch.

Jozsef Kadlecsik (1):
  netfilter: ipset: timeout fixing bug broke SET target special timeout value

Pablo Neira Ayuso (1):
  netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down

 include/net/netfilter/nf_conntrack_ecache.h | 2 +-
 net/netfilter/xt_set.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

-- 
1.7.10
* [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value 2012-07-06 11:39 [PATCH 0/2] Netfilter updates for 3.5-rc5 pablo @ 2012-07-06 11:39 ` pablo 2012-07-09 7:29 ` David Miller 2012-07-06 11:39 ` [PATCH 2/2] netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down pablo 1 sibling, 1 reply; 6+ messages in thread From: pablo @ 2012-07-06 11:39 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> The patch "127f559 netfilter: ipset: fix timeout value overflow bug" broke the SET target when no timeout was specified. Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> --- net/netfilter/xt_set.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c index 035960e..b172cbc 100644 --- a/net/netfilter/xt_set.c +++ b/net/netfilter/xt_set.c @@ -16,6 +16,7 @@ #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_set.h> +#include <linux/netfilter/ipset/ip_set_timeout.h> MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); @@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) info->del_set.flags, 0, UINT_MAX); /* Normalize to fit into jiffies */ - if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC) + if (add_opt.timeout != IPSET_NO_TIMEOUT + && add_opt.timeout > UINT_MAX/MSEC_PER_SEC) add_opt.timeout = UINT_MAX/MSEC_PER_SEC; if (info->add_set.index != IPSET_INVALID_ID) ip_set_add(info->add_set.index, skb, par, &add_opt); -- 1.7.10 ^ permalink raw reply related [flat|nested] 6+ messages in thread
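Review bot: in the second hunk (xt_set.c, @@ -310,7 +311,8 @@) the continued condition begins with the operator, `+ && add_opt.timeout > UINT_MAX/MSEC_PER_SEC`, which is against kernel coding style; end the first line with the operator and align the continuation under the opening parenthesis, i.e. `if (add_opt.timeout != IPSET_NO_TIMEOUT &&` followed by `    add_opt.timeout > UINT_MAX/MSEC_PER_SEC)`. The logic of the change is sound: the removed line clamped every timeout above UINT_MAX/MSEC_PER_SEC unconditionally, and for this exemption to matter the IPSET_NO_TIMEOUT sentinel must itself compare greater than that bound, so before the fix a SET rule with no timeout had its sentinel silently rewritten into a finite expiry; the first hunk's new include of ip_set_timeout.h is what brings that sentinel into scope here.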
* Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value 2012-07-06 11:39 ` [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo @ 2012-07-09 7:29 ` David Miller 2012-07-09 8:58 ` Pablo Neira Ayuso 0 siblings, 1 reply; 6+ messages in thread From: David Miller @ 2012-07-09 7:29 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel, netdev From: pablo@netfilter.org Date: Fri, 6 Jul 2012 13:39:38 +0200 > + if (add_opt.timeout != IPSET_NO_TIMEOUT > + && add_opt.timeout > UINT_MAX/MSEC_PER_SEC) We do not write conditionals like this, with operators beginning a continued line. Instead, write this as: if (a && b) Thanks. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value 2012-07-09 7:29 ` David Miller @ 2012-07-09 8:58 ` Pablo Neira Ayuso 2012-07-09 9:50 ` David Miller 0 siblings, 1 reply; 6+ messages in thread From: Pablo Neira Ayuso @ 2012-07-09 8:58 UTC (permalink / raw) To: David Miller; +Cc: netfilter-devel, netdev [-- Attachment #1: Type: text/plain, Size: 530 bytes --] On Mon, Jul 09, 2012 at 12:29:03AM -0700, David Miller wrote: > From: pablo@netfilter.org > Date: Fri, 6 Jul 2012 13:39:38 +0200 > > > + if (add_opt.timeout != IPSET_NO_TIMEOUT > > + && add_opt.timeout > UINT_MAX/MSEC_PER_SEC) > > We do not write conditionals like this, with operators beginning > a continued line. Instead, write this as: > > if (a && > b) Oops, indeed, sorry. New patch attached. I've also rebased my tree to include this change. Should I send a new pull request? Let me know what you prefer. [-- Attachment #2: 0001-netfilter-ipset-timeout-fixing-bug-broke-SET-target-.patch --] [-- Type: text/x-diff, Size: 1501 bytes --] >From a73f89a61f92b364f0b4a3be412b5b70553afc23 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Date: Fri, 29 Jun 2012 09:42:28 +0000 Subject: [PATCH] netfilter: ipset: timeout fixing bug broke SET target special timeout value The patch "127f559 netfilter: ipset: fix timeout value overflow bug" broke the SET target when no timeout was specified. Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/xt_set.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c index 035960e..c6f7db7 100644 --- a/net/netfilter/xt_set.c +++ b/net/netfilter/xt_set.c 
@@ -16,6 +16,7 @@ #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_set.h> +#include <linux/netfilter/ipset/ip_set_timeout.h> MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); @@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) info->del_set.flags, 0, UINT_MAX); /* Normalize to fit into jiffies */ - if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC) + if (add_opt.timeout != IPSET_NO_TIMEOUT && + add_opt.timeout > UINT_MAX/MSEC_PER_SEC) add_opt.timeout = UINT_MAX/MSEC_PER_SEC; if (info->add_set.index != IPSET_INVALID_ID) ip_set_add(info->add_set.index, skb, par, &add_opt); -- 1.7.10 ^ permalink raw reply related [flat|nested] 6+ messages in thread
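Review bot: the resend fixes the operator placement (`&&` now ends the line in the @@ -310,7 +311,8 @@ hunk) and carries the previously missing Signed-off-by, so the remaining point is documentation: the commit message still says only that the earlier fix "broke the SET target when no timeout was specified" without naming the mechanism, namely that the unconditional clamp to UINT_MAX/MSEC_PER_SEC also rewrote the IPSET_NO_TIMEOUT sentinel into a finite timeout. One sentence to that effect would spare the next reader reconstructing it from the diff.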
* Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: David Miller @ 2012-07-09 9:50 UTC
To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 9 Jul 2012 10:58:27 +0200

> I've also rebased my tree to include this change. Should I send a new
> pull request?

Next time send a new pull request.

This time, I re-pulled, thanks.
* [PATCH 2/2] netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down 2012-07-06 11:39 [PATCH 0/2] Netfilter updates for 3.5-rc5 pablo 2012-07-06 11:39 ` [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo @ 2012-07-06 11:39 ` pablo 1 sibling, 0 replies; 6+ messages in thread From: pablo @ 2012-07-06 11:39 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Pablo Neira Ayuso <pablo@netfilter.org> Hans reports that he's still hitting: BUG: unable to handle kernel NULL pointer dereference at 000000000000027c IP: [<ffffffff813615db>] netlink_has_listeners+0xb/0x60 PGD 0 Oops: 0000 [#3] PREEMPT SMP CPU 0 It happens when adding a number of containers with do: nfct_query(h, NFCT_Q_CREATE, ct); and most likely one namespace shuts down. this problem was supposed to be fixed by: 70e9942 netfilter: nf_conntrack: make event callback registration per-netns Still, it was missing one rcu_access_pointer to check if the callback is set or not. Reported-by: Hans Schillstrom <hans@schillstrom.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netfilter/nf_conntrack_ecache.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h index a88fb69..e1ce104 100644 --- a/include/net/netfilter/nf_conntrack_ecache.h +++ b/include/net/netfilter/nf_conntrack_ecache.h @@ -78,7 +78,7 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct) struct net *net = nf_ct_net(ct); struct nf_conntrack_ecache *e; - if (net->ct.nf_conntrack_event_cb == NULL) + if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb)) return; e = nf_ct_ecache_find(ct); -- 1.7.10 ^ permalink raw reply related [flat|nested] 6+ messages in thread
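Review bot: the hunk in nf_conntrack_ecache.h (@@ -78,7 +78,7 @@) swaps `net->ct.nf_conntrack_event_cb == NULL` for `!rcu_access_pointer(net->ct.nf_conntrack_event_cb)`, but both forms perform the same single load of the pointer; rcu_access_pointer() adds the sparse annotation and forbids the compiler from re-reading or speculating the pointer, it does not by itself close a window in which the callback is unregistered after the check. The oops quoted in the commit message is a NULL dereference at 0x27c inside netlink_has_listeners, i.e. a NULL netlink socket plus a field offset, not a NULL callback pointer, so the commit message should spell out the ordering that makes this check sufficient (the callback being cleared, with the required barrier, before the netns releases its netlink socket) or state explicitly that the earlier `== NULL` test could be optimised in a way that let a stale value through; as written, a reader cannot see from the diff alone why this one-line change prevents the crash.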