On Sun, Dec 09, 2012 at 03:16:29PM +0400, Vitaly E. Lavrov wrote:
> Appears when stopping container without emptying tables (iptables
> -F/iptables -t mangle -F)
> 
> Problem: recent_mt_destroy called after __net_exit recent_net_exit() !
> 
> xt_hashlimit contains a BUG () and should be corrected similarly

I'll be really happy if we find a way to reverse the order of those
calls, so we don't need to hack xt_recent and xt_hashlimit.

Could you test this patch?

Thanks.

> Possible patch for xt_recent is below
> =============
> diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
> index d2ff15a..0fc5c32 100644
> --- a/net/netfilter/xt_recent.c
> +++ b/net/netfilter/xt_recent.c
> @@ -75,6 +75,9 @@ struct recent_entry {
>  struct recent_table {
>         struct list_head        list;
>         char                    name[XT_RECENT_NAME_LEN];
> +#ifdef CONFIG_PROC_FS
> +       struct proc_dir_entry   *pe;
> +#endif
>         unsigned int            refcnt;
>         unsigned int            entries;
>         struct list_head        lru_list;
> @@ -375,6 +378,7 @@ static int recent_mt_check(const struct
> xt_mtchk_param *par)
>         }
>         pde->uid = ip_list_uid;
>         pde->gid = ip_list_gid;
> +       t->pe = pde;
>  #endif
>         spin_lock_bh(&recent_lock);
>         list_add_tail(&t->list, &recent_net->tables);
> @@ -398,7 +402,8 @@ static void recent_mt_destroy(const struct
> xt_mtdtor_param *par)
>                 list_del(&t->list);
>                 spin_unlock_bh(&recent_lock);
>  #ifdef CONFIG_PROC_FS
> -               remove_proc_entry(t->name, recent_net->xt_recent);
> +               if(t->pe)
> +                       remove_proc_entry(t->name, recent_net->xt_recent);
>  #endif
>                 recent_table_flush(t);
>                 kfree(t);
> @@ -607,7 +612,19 @@ static void __net_exit recent_net_exit(struct net *net)
>  {
>         struct recent_net *recent_net = recent_pernet(net);
> 
> -       BUG_ON(!list_empty(&recent_net->tables));
> +       if(!list_empty(&recent_net->tables)) {
> +#ifdef CONFIG_PROC_FS
> +               struct recent_table *t;
> +               spin_lock_bh(&recent_lock);
> +               list_for_each_entry(t, &recent_net->tables, list) {
> +                       t->pe = NULL;
> +                       remove_proc_entry(t->name, recent_net->xt_recent);
> +               }
> +               spin_unlock_bh(&recent_lock);
> +#endif
> +               printk(KERN_INFO "%s net %x: Warning! Tables not empty!\n",
> +                               __func__,(u32)net);
> +       }
>         recent_proc_net_exit(net);
>  }
> ==================
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html