From: Patrick McHardy <kaber@trash.net>
To: Stephen Frost <sfrost@snowman.net>
Cc: gcoady.lk@gmail.com, laforge@netfilter.org,
netfilter-devel@lists.netfilter.org,
linux-kernel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>,
marcelo@kvack.org, willy@w.ods.org,
Amin Azez <azez@ufomechanic.net>
Subject: Re: [PATCH] fix mem-leak in netfilter
Date: Mon, 15 May 2006 20:49:32 +0200 [thread overview]
Message-ID: <4468CD3C.3000908@trash.net> (raw)
In-Reply-To: <20060515142834.GL7774@kenobi.snowman.net>
Stephen Frost wrote:
> * Patrick McHardy (kaber@trash.net) wrote:
>
>>Anyway, here goes the first shot at a replacement, it should be fully
>>compatible. Comments and testing welcome.
>
>
> This patch didn't apply cleanly against 2.6.16; I didn't think there had
> been other changes since then. As it was an entire replacement I just
> pulled out the '[+ ]' lines from the patch. Hopefully this doesn't lead
> to problems in my review.
That should be fine. That patch applies on top of Jespers patch which
started this thread, which I plan to push to Dave today.
> It probably would have been better to integrate it with ipset, as I've
> mentioned previously. Other comments:
Unfortunately we need to provide compatibility.
> recent_entry_init() appears to just look for something to delete when
> the maximum number of entries has been reached, starting from the hash
> position of the address. The original ipt_recent, quite intentionally,
> looked for the *oldest* address to replace. This meant that the list
> only had to be large enough to cover the number of addresses seen in a
> given time-period. This change would mean that the list would need to
> be large enough to hold all addresses seen always, to be able to enforce
> the time-based rules ipt_recent was written for.
>
> ie: List of 100 addresses. Highest timeout value in the ruleset is 60
> seconds. Average of 100 individual addresses in a 60-second timeframe.
> The old ipt_recent would correctly enforce the 60-second requirement in
> the ruleset. With the new version, as soon as the list was full the
> next address could replace any address in the list, even if that address
> was only 15 seconds old.
>
> One way to handle this would be to track the highest time value in the
> rulesets but as the ruleset is dynamic you could end up throwing away an
> address which would have been caught by a rule that was about to be
> added. The old module was written with the expectation of the list
> always being full and that it would only be less-than-full shortly after
> booting. By then only removing the oldest entry in the table for each
> new address seen the maximum amount of time possible for the given table
> size and distinct addresses seen is achieved.
I wasn't sure whether eviction was happening intentional in the old code
at all - still not able to locate the code where this happens, just
noticed that it does do eviction when I manually tried to trigger
a table overflow by adding entries through /proc. Anyway, it should
be easy to fix by keeping an additional lru list. I'll post
an updated patch soon.
WARNING: multiple messages have this Message-ID (diff)
From: Patrick McHardy <kaber@trash.net>
To: Stephen Frost <sfrost@snowman.net>
Cc: Amin Azez <azez@ufomechanic.net>,
"David S. Miller" <davem@davemloft.net>,
willy@w.ods.org, gcoady.lk@gmail.com, laforge@netfilter.org,
netfilter-devel@lists.netfilter.org,
linux-kernel@vger.kernel.org, marcelo@kvack.org
Subject: Re: [PATCH] fix mem-leak in netfilter
Date: Mon, 15 May 2006 20:49:32 +0200 [thread overview]
Message-ID: <4468CD3C.3000908@trash.net> (raw)
In-Reply-To: <20060515142834.GL7774@kenobi.snowman.net>
Stephen Frost wrote:
> * Patrick McHardy (kaber@trash.net) wrote:
>
>>Anyway, here goes the first shot at a replacement, it should be fully
>>compatible. Comments and testing welcome.
>
>
> This patch didn't apply cleanly against 2.6.16; I didn't think there had
> been other changes since then. As it was an entire replacement I just
> pulled out the '[+ ]' lines from the patch. Hopefully this doesn't lead
> to problems in my review.
That should be fine. That patch applies on top of Jespers patch which
started this thread, which I plan to push to Dave today.
> It probably would have been better to integrate it with ipset, as I've
> mentioned previously. Other comments:
Unfortunately we need to provide compatibility.
> recent_entry_init() appears to just look for something to delete when
> the maximum number of entries has been reached, starting from the hash
> position of the address. The original ipt_recent, quite intentionally,
> looked for the *oldest* address to replace. This meant that the list
> only had to be large enough to cover the number of addresses seen in a
> given time-period. This change would mean that the list would need to
> be large enough to hold all addresses seen always, to be able to enforce
> the time-based rules ipt_recent was written for.
>
> ie: List of 100 addresses. Highest timeout value in the ruleset is 60
> seconds. Average of 100 individual addresses in a 60-second timeframe.
> The old ipt_recent would correctly enforce the 60-second requirement in
> the ruleset. With the new version, as soon as the list was full the
> next address could replace any address in the list, even if that address
> was only 15 seconds old.
>
> One way to handle this would be to track the highest time value in the
> rulesets but as the ruleset is dynamic you could end up throwing away an
> address which would have been caught by a rule that was about to be
> added. The old module was written with the expectation of the list
> always being full and that it would only be less-than-full shortly after
> booting. By then only removing the oldest entry in the table for each
> new address seen the maximum amount of time possible for the given table
> size and distinct addresses seen is achieved.
I wasn't sure whether eviction was happening intentional in the old code
at all - still not able to locate the code where this happens, just
noticed that it does do eviction when I manually tried to trigger
a table overflow by adding entries through /proc. Anyway, it should
be easy to fix by keeping an additional lru list. I'll post
an updated patch soon.
next prev parent reply other threads:[~2006-05-15 18:49 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-07 2:26 [PATCH] fix mem-leak in netfilter Jesper Juhl
2006-05-07 9:36 ` Willy Tarreau
2006-05-07 9:36 ` Willy Tarreau
2006-05-07 22:42 ` Grant Coady
2006-05-08 5:07 ` Willy Tarreau
2006-05-08 5:43 ` David S. Miller
2006-05-08 5:43 ` David S. Miller
2006-05-08 8:36 ` Amin Azez
2006-05-08 8:36 ` Amin Azez
2006-05-08 9:08 ` Juergen Kreileder
2006-05-08 9:08 ` Juergen Kreileder
2006-05-12 7:40 ` Patrick McHardy
2006-05-12 7:40 ` Patrick McHardy
2006-05-12 11:09 ` Jesper Juhl
2006-05-12 11:33 ` Patrick McHardy
2006-05-12 12:13 ` Jesper Juhl
2006-05-12 12:40 ` Willy Tarreau
2006-05-12 12:40 ` Willy Tarreau
2006-05-12 12:49 ` Patrick McHardy
2006-05-12 12:49 ` Patrick McHardy
2006-05-12 13:42 ` Amin Azez
2006-05-15 8:25 ` Patrick McHardy
2006-05-15 8:25 ` Patrick McHardy
2006-05-15 14:28 ` Stephen Frost
2006-05-15 14:28 ` Stephen Frost
2006-05-15 18:49 ` Patrick McHardy [this message]
2006-05-15 18:49 ` Patrick McHardy
2006-05-15 19:27 ` Stephen Frost
2006-05-15 19:27 ` Stephen Frost
2006-05-15 20:09 ` Patrick McHardy
2006-05-15 20:09 ` Patrick McHardy
2006-05-15 20:41 ` Stephen Frost
2006-05-15 20:41 ` Stephen Frost
2006-05-15 20:45 ` Patrick McHardy
2006-05-15 20:45 ` Patrick McHardy
2006-05-15 21:03 ` Stephen Frost
2006-05-17 6:26 ` Patrick McHardy
2006-05-17 6:59 ` David S. Miller
2006-05-17 6:59 ` David S. Miller
2006-05-17 7:19 ` Patrick McHardy
2006-05-17 7:19 ` Patrick McHardy
2006-05-17 10:55 ` Stephen Frost
2006-05-17 7:09 ` David S. Miller
2006-05-17 7:13 ` Roland Dreier
2006-05-17 7:19 ` Patrick McHardy
2006-05-17 13:14 ` Stephen Frost
2006-05-17 13:14 ` Stephen Frost
2006-06-01 13:43 ` Andrew James Wade
2006-06-01 14:53 ` Patrick McHardy
2006-06-02 21:32 ` Andrew James Wade
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4468CD3C.3000908@trash.net \
--to=kaber@trash.net \
--cc=azez@ufomechanic.net \
--cc=davem@davemloft.net \
--cc=gcoady.lk@gmail.com \
--cc=laforge@netfilter.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo@kvack.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=sfrost@snowman.net \
--cc=willy@w.ods.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.