netfilter: ctnetlink: deliver events for conntracks changed from userspace

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>,
	Netfilter Development Mailinglist
	<netfilter-devel@vger.kernel.org>
Subject: netfilter: ctnetlink: deliver events for conntracks changed from userspace
Date: Mon, 06 Apr 2009 14:32:14 +0200	[thread overview]
Message-ID: <49D9F64E.4050304@trash.net> (raw)

Pablo, I'm looking at a regression introduced by this patch
and I'm not sure about the intentions:

> +int nf_ct_expect_related(struct nf_conntrack_expect *expect)
> +{
> +       int ret;
> +
> +       spin_lock_bh(&nf_conntrack_lock);
> +       ret = __nf_ct_expect_check(expect);
> +       if (ret < 0)
> +               goto out;

This is unfortunately broken since we return 0 when refreshing an
existing expectation. This will create an identical expectation
for each refresh.
>  
>         nf_ct_expect_insert(expect);
> +       atomic_inc(&expect->use);

This I don't understand - the caller is holding a reference, why
do we need another one?

> +       spin_unlock_bh(&nf_conntrack_lock);
>         nf_ct_expect_event(IPEXP_NEW, expect);
> -       ret = 0;
> +       nf_ct_expect_put(expect);
> +       return ret;
>  out:
>         spin_unlock_bh(&nf_conntrack_lock);
>         return ret;
>  }
>  EXPORT_SYMBOL_GPL(nf_ct_expect_related);
>  
> +int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, 
> +                               u32 pid, int report)
> +{
> +       int ret;
> +
> +       spin_lock_bh(&nf_conntrack_lock);
> +       ret = __nf_ct_expect_check(expect);
> +       if (ret < 0)
> +               goto out;

Same problem

> +       nf_ct_expect_insert(expect);
> +out:
> +       spin_unlock_bh(&nf_conntrack_lock);
> +       if (ret == 0)
> +               nf_ct_expect_event_report(IPEXP_NEW, expect, pid, report);

But here we don't take the reference, despite having the exact
same situation.

The next question would be - why do we need those two functions at
all? Aside from the apparently unnecessary reference counting, the
only difference is reporting, and that actually uses the exact
same code path.

> +       return ret;
> +}
> +EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);

next             reply	other threads:[~2009-04-06 12:32 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-04-06 12:32 Patrick McHardy [this message]
2009-04-06 14:39 ` netfilter: ctnetlink: deliver events for conntracks changed from userspace Pablo Neira Ayuso
2009-04-06 14:50   ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=49D9F64E.4050304@trash.net \
    --to=kaber@trash.net \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.