From: Florian Westphal <fw@strlen.de>
To: Jay Elliott <jelliott@arista.com>
Cc: pablo@netfilter.org, fw@strlen.de, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: conntrack: use 64-bit conntracking timestamps
Date: Sat, 11 Nov 2017 01:07:22 +0100 [thread overview]
Message-ID: <20171111000722.GH5512@breakpoint.cc> (raw)
In-Reply-To: <1510356081-35555-1-git-send-email-jelliott@arista.com>
Jay Elliott <jelliott@arista.com> wrote:
> As of commit 58e207e4983d ("netfilter: evict stale entries when user reads
> /proc/net/nf_conntrack"), timeouts are evaluated by casting the difference
> between a timeout value and the nfct_time_stamp to a signed integer and
> comparing that to zero.
>
> This means that any timeout greater than or equal to (1<<31) will be
> considered negative, and the conntracking code will think it has
> immediately expired. Prior to 58e207e4983d, they would have been treated
> as very large positive timeouts.
>
> Using 64-bit will allow the full range of a 32-bit unsigned integer to be
> used as a positive value without changing any of the logic used to
> evaluate timeouts. The timeout value input from userspace over the
> netlink is still 32-bit.
>
> Fixes: 58e207e4983d ("netfilter: evict stale entries when user reads /proc/net/nf_conntrack")
> Signed-off-by: Jay Elliott <jelliott@arista.com>
> ---
> include/net/netfilter/nf_conntrack.h | 10 +++++-----
> net/netfilter/nf_conntrack_netlink.c | 6 ++++--
> 2 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
> index 792c3f6..62bfc33 100644
> --- a/include/net/netfilter/nf_conntrack.h
> +++ b/include/net/netfilter/nf_conntrack.h
> @@ -71,8 +71,8 @@ struct nf_conn {
> /* Have we seen traffic both ways yet? (bitset) */
> unsigned long status;
>
> - /* jiffies32 when this ct is considered dead */
> - u32 timeout;
> + /* jiffies64 when this ct is considered dead */
> + u64 timeout;
I know his fits in a padding hole and sruct size doesn't increase.
Still, I wonder why we need timeouts larger than 2**31.
(More than 20 days assuming HZ=1000).
If the problem is that userspace can set them via nfnetlink I would
propose to just truncate to INT_MAX in that case.
next prev parent reply other threads:[~2017-11-11 0:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-10 23:21 [PATCH] netfilter: conntrack: use 64-bit conntracking timestamps Jay Elliott
2017-11-11 0:07 ` Florian Westphal [this message]
2017-11-11 0:50 ` Jay Elliott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171111000722.GH5512@breakpoint.cc \
--to=fw@strlen.de \
--cc=jelliott@arista.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.