Fw: [PATCH net-2.6 1/2] [IPV4] [NETFILTER] Misc Cleanups.

Fw: [PATCH net-2.6 1/2] [IPV4] [NETFILTER] Misc Cleanups.

[David Miller]

[-- Attachment #1: Type: Text/Plain, Size: 54 bytes --]


Forwarding to netfilter-devel where this belongs...


[-- Attachment #2: Type: Message/Rfc822, Size: 4104 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 609 bytes --]

Hi,

	In this patch, these three fixes were made in net/ipv4/netfilter/ip_queue.c:
	
	1) No need to perform data_len = 0 in the switch command, since data_len
	   is initialized to 0 in the beginning of the method
,ipq_build_packet_message().
		
	2) We can reach nlmsg_failure only from one place; skb is sure to be NULL
	   when getting there; since skb is NULL, there is no need to check this fact
	   and call kfree_skb().
	
	3) Add #ifdef CONFIG_PROC_FS when removing the VFS entry,
 		 proc_net_remove(&init_net, IPQ_PROC_FS_NAME);
	

Regards,
Rami Rosen


Signed-off-by: Rami Rosen <ramirose@gmail.com>

[-- Attachment #2.1.2: patch1.txt --]
[-- Type: text/plain, Size: 959 bytes --]

diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 26a37ce..7bc3a29 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -156,7 +156,6 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
 	case IPQ_COPY_META:
 	case IPQ_COPY_NONE:
 		size = NLMSG_SPACE(sizeof(*pmsg));
-		data_len = 0;
 		break;
 
 	case IPQ_COPY_PACKET:
@@ -224,8 +223,6 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
 	return skb;
 
 nlmsg_failure:
-	if (skb)
-		kfree_skb(skb);
 	*errp = -EINVAL;
 	printk(KERN_ERR "ip_queue: error creating packet message\n");
 	return NULL;
@@ -610,7 +607,9 @@ cleanup_sysctl:
 	unregister_sysctl_table(ipq_sysctl_header);
 #endif
 	unregister_netdevice_notifier(&ipq_dev_notifier);
+#ifdef CONFIG_PROC_FS
 	proc_net_remove(&init_net, IPQ_PROC_FS_NAME);
+#endif	
 cleanup_ipqnl: __maybe_unused
 	netlink_kernel_release(ipqnl);
 	mutex_lock(&ipqnl_mutex);

Re: Fw: [PATCH net-2.6 1/2] [IPV4] [NETFILTER] Misc Cleanups.

[Patrick McHardy]

David Miller wrote:
> Forwarding to netfilter-devel where this belongs...

Thanks.

> 	In this patch, these three fixes were made in net/ipv4/netfilter/ip_queue.c:
> 	
> 	1) No need to perform data_len = 0 in the switch command, since data_len
> 	   is initialized to 0 in the beginning of the method
> ,ipq_build_packet_message().
> 		
> 	2) We can reach nlmsg_failure only from one place; skb is sure to be NULL
> 	   when getting there; since skb is NULL, there is no need to check this fact
> 	   and call kfree_skb().
> 	
> 	3) Add #ifdef CONFIG_PROC_FS when removing the VFS entry,
>  		 proc_net_remove(&init_net, IPQ_PROC_FS_NAME);
> 	
> 
> Regards,
> Rami Rosen
> 
> 
> Signed-off-by: Rami Rosen <ramirose@gmail.com>

1) also affects ip6_queue and nfnetlink_queue
2) also affects ip6_queue
3) is unnecessary since proc_net_remove is a NOP without
    CONFIG_PROC_FS

Please update your patch to also change ip6_queue and
nfnetlink_queue where applicable. Thanks.

[PATCH net-2.6] [NETFILTER] Misc Cleanups.

[Rami Rosen]

[-- Attachment #1: Type: text/plain, Size: 2157 bytes --]

Hi,
  - Thanks for your comments; I was not aware that this issues occur
in other places too; attached here is another patch, fixing where
applicable in ip6_queue and nfnetlink_queue.

  1) in net/ipv6/netfilter/ip6_queue.c
    - No need to perform data_len = 0 in the switch command, since data_len
	   is initialized to 0 in the beginning of the
ipq_build_packet_message() method
    - We can reach nlmsg_failure only from one place; skb is sure to be NULL
	     when getting there; since skb is NULL, there is no need to check this fact
	     and call kfree_skb().

2) in net/netfilter/nfnetlink_queue.c:
    - No need to perform data_len = 0 in the switch command, since data_len
	   is initialized to 0 in the beginning of the
nfqnl_build_packet_message() method

(Note: here, as opposed to previous patch, nlmsg_failure must check
skb and free it if it is not NULL, so the call to kfree_skb() is
needed , so it is not removed)
	
 	

Regards,
Rami Rosen


Signed-off-by: Rami Rosen <ramirose@gmail.com>


On Mon, Jun 2, 2008 at 12:46 PM, Patrick McHardy <kaber@trash.net> wrote:
> David Miller wrote:
>>
>> Forwarding to netfilter-devel where this belongs...
>
> Thanks.
>
>>        In this patch, these three fixes were made in
>> net/ipv4/netfilter/ip_queue.c:
>>
>>        1) No need to perform data_len = 0 in the switch command, since
>> data_len
>>           is initialized to 0 in the beginning of the method
>> ,ipq_build_packet_message().
>>
>>        2) We can reach nlmsg_failure only from one place; skb is sure to
>> be NULL
>>           when getting there; since skb is NULL, there is no need to check
>> this fact
>>           and call kfree_skb().
>>
>>        3) Add #ifdef CONFIG_PROC_FS when removing the VFS entry,
>>                 proc_net_remove(&init_net, IPQ_PROC_FS_NAME);
>>
>>
>> Regards,
>> Rami Rosen
>>
>>
>> Signed-off-by: Rami Rosen <ramirose@gmail.com>
>
> 1) also affects ip6_queue and nfnetlink_queue
> 2) also affects ip6_queue
> 3) is unnecessary since proc_net_remove is a NOP without
>   CONFIG_PROC_FS
>
> Please update your patch to also change ip6_queue and
> nfnetlink_queue where applicable. Thanks.
>
>
>

[-- Attachment #2: patch.txt --]
[-- Type: text/plain, Size: 1068 bytes --]

diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 2eff3ae..1b8815f 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -159,7 +159,6 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
 	case IPQ_COPY_META:
 	case IPQ_COPY_NONE:
 		size = NLMSG_SPACE(sizeof(*pmsg));
-		data_len = 0;
 		break;
 
 	case IPQ_COPY_PACKET:
@@ -226,8 +225,6 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
 	return skb;
 
 nlmsg_failure:
-	if (skb)
-		kfree_skb(skb);
 	*errp = -EINVAL;
 	printk(KERN_ERR "ip6_queue: error creating packet message\n");
 	return NULL;
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 3447025..04e9c96 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -243,7 +243,6 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 	switch ((enum nfqnl_config_mode)queue->copy_mode) {
 	case NFQNL_COPY_META:
 	case NFQNL_COPY_NONE:
-		data_len = 0;
 		break;
 
 	case NFQNL_COPY_PACKET:

Re: [PATCH net-2.6] [NETFILTER] Misc Cleanups.

[Patrick McHardy]

Rami Rosen wrote:
> Hi,
>   - Thanks for your comments; I was not aware that this issues occur
> in other places too; attached here is another patch, fixing where
> applicable in ip6_queue and nfnetlink_queue.
> 
>   1) in net/ipv6/netfilter/ip6_queue.c
>     - No need to perform data_len = 0 in the switch command, since data_len
> 	   is initialized to 0 in the beginning of the
> ipq_build_packet_message() method
>     - We can reach nlmsg_failure only from one place; skb is sure to be NULL
> 	     when getting there; since skb is NULL, there is no need to check this fact
> 	     and call kfree_skb().
> 
> 2) in net/netfilter/nfnetlink_queue.c:
>     - No need to perform data_len = 0 in the switch command, since data_len
> 	   is initialized to 0 in the beginning of the
> nfqnl_build_packet_message() method
> 
> (Note: here, as opposed to previous patch, nlmsg_failure must check
> skb and free it if it is not NULL, so the call to kfree_skb() is
> needed , so it is not removed)


I've queued this patch and the previous one (without the procfs
bits) as one combined patch for 2.6.27, thanks.