From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/3] netfilter: iptables: fix use of cluster match with 32 nodes
Date: Fri, 24 Apr 2009 17:02:43 +0200
Message-ID: <49F1D493.5000305@trash.net>
In-Reply-To: <20090424103031.30250.30352.stgit@Decadence>
Pablo Neira Ayuso wrote:
> This patch fixes a problem when you use 32 nodes in the cluster
> match:
>
> % iptables -I PREROUTING -t mangle -i eth0 -m cluster \
> --cluster-total-nodes 32 --cluster-local-node 32 \
> --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
> iptables: Invalid argument. Run `dmesg' for more information.
> % dmesg | tail -1
> xt_cluster: this node mask cannot be higher than the total number of nodes
>
> The problem is related to this checking:
>
> if (info->node_mask >= (1 << info->total_nodes)) {
> printk(KERN_ERR "xt_cluster: this node mask cannot be "
> "higher than the total number of nodes\n");
> return false;
> }
>
> (1 << 32) is 1. Thus, the checking fails. This patch skips the case
> in which total_nodes is 32 and it adds an extra validation to ensure
> that we don't go over 32 nodes.
>
> BTW, I said this before but I insist: I have only tested the cluster
> match with 2 nodes getting ~45% extra performance in an active-active setup.
> The maximum limit of 32 nodes is still completely arbitrary. I'd really
> appreciate if people that have more nodes in their setups let me know.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Looks good, but I think we can simplify it a bit further:
> diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
> index 6c48476..04af29e 100644
> --- a/net/netfilter/xt_cluster.c
> +++ b/net/netfilter/xt_cluster.c
> @@ -135,7 +135,13 @@ static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
> {
> struct xt_cluster_match_info *info = par->matchinfo;
>
> - if (info->node_mask >= (1 << info->total_nodes)) {
This could either use 1ULL << info->total_nodes to make sure
we don't have an undefined operation, or
> + if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
> + printk(KERN_ERR "xt_cluster: too many total nodes (%u > %u)\n",
> + info->total_nodes, XT_CLUSTER_NODES_MAX);
> + return false;
> + }
> + if (info->total_nodes < XT_CLUSTER_NODES_MAX &&
> + info->node_mask >= (1 << info->total_nodes)) {
we could alternatively use fls.
> printk(KERN_ERR "xt_cluster: this node mask cannot be "
> "higher than the total number of nodes\n");
> return false;
>
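Review bot: the added `info->total_nodes < XT_CLUSTER_NODES_MAX &&` clause on the second check only avoids the undefined `1 << 32` because XT_CLUSTER_NODES_MAX happens to equal the bit width of the shifted int; if the constant is ever raised, the shift silently becomes undefined again without any compiler complaint. Widening the shift (`1ULL << info->total_nodes`) or comparing bit positions (`fls(info->node_mask) > info->total_nodes`) removes that coupling and lets the second `if` drop the extra clause entirely. Also worth a look: the new first check rejects `total_nodes > XT_CLUSTER_NODES_MAX` but not `total_nodes == 0`; unless that is caught earlier in the function, `1 << 0` makes every non-zero node_mask fail the second check with a message that talks about being "higher than the total number of nodes", which will puzzle the user. A small explicit check for zero with its own message would be clearer.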
Let me know what you think, either way is fine with me.
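The two alternatives Patrick mentions, a 64-bit shift and an fls()-style comparison, written out as an added C example that is not part of this thread or of the kernel's xt_cluster.c. It assumes XT_CLUSTER_NODES_MAX is 32 as stated on the page, uses a hypothetical portable helper `my_fls()` in place of the kernel's `fls()`, and adds a rejection of `total_nodes == 0` that the quoted patch does not contain. Both variants are run side by side so the reader can confirm they agree, including for the 32-node case that triggered the original EINVAL.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of the kernel constant; the value 32 is the one given in the thread. */
#define XT_CLUSTER_NODES_MAX 32

/* Hypothetical portable stand-in for the kernel's fls(): 1-based index of
 * the highest set bit, 0 when x == 0. */
static int my_fls(uint32_t x)
{
	int n = 0;

	while (x) {
		n++;
		x >>= 1;
	}
	return n;
}

/* Variant A: widen the shift to 64 bits. 1ULL << 32 is 0x100000000, a
 * well-defined value, so total_nodes == 32 no longer needs special casing.
 * Caller must guarantee total_nodes <= 63. */
static bool node_mask_fits_ull(uint32_t total_nodes, uint32_t node_mask)
{
	return (uint64_t)node_mask < (1ULL << total_nodes);
}

/* Variant B: no shift at all. The mask fits when its highest set bit sits
 * at or below bit position total_nodes. */
static bool node_mask_fits_fls(uint32_t total_nodes, uint32_t node_mask)
{
	return my_fls(node_mask) <= (int)total_nodes;
}

/* Entry validation in the shape of xt_cluster_mt_checkentry(): returns true
 * when the (total_nodes, node_mask) pair is acceptable. */
bool cluster_checkentry(uint32_t total_nodes, uint32_t node_mask)
{
	bool fits_ull, fits_fls;

	/* Range check first; the zero case is an addition not in the patch. */
	if (total_nodes == 0 || total_nodes > XT_CLUSTER_NODES_MAX) {
		fprintf(stderr, "xt_cluster: total nodes must be 1..%u (got %u)\n",
			XT_CLUSTER_NODES_MAX, total_nodes);
		return false;
	}

	fits_ull = node_mask_fits_ull(total_nodes, node_mask);
	fits_fls = node_mask_fits_fls(total_nodes, node_mask);

	/* The two formulations must never disagree; treat a mismatch as a bug. */
	if (fits_ull != fits_fls) {
		fprintf(stderr, "xt_cluster: internal mismatch for %u/%#x\n",
			total_nodes, node_mask);
		return false;
	}

	if (!fits_ull) {
		fprintf(stderr, "xt_cluster: node mask %#x selects a node above "
			"the total of %u\n", node_mask, total_nodes);
		return false;
	}
	return true;
}

int main(void)
{
	/* The case from the bug report: 32 nodes, local node 32 -> bit 31. */
	printf("32 nodes, mask 0x80000000: %s\n",
	       cluster_checkentry(32, 0x80000000u) ? "ok" : "rejected");
	/* Mask naming a node beyond the total. */
	printf("2 nodes, mask 0x4:        %s\n",
	       cluster_checkentry(2, 0x4u) ? "ok" : "rejected");
	/* One node too many. */
	printf("33 nodes, mask 0x1:       %s\n",
	       cluster_checkentry(33, 0x1u) ? "ok" : "rejected");
	return 0;
}
```

With `1ULL` the comparison stays a single expression and the `total_nodes < XT_CLUSTER_NODES_MAX` guard becomes unnecessary; the fls form avoids thinking about shift widths altogether, which is why both are worth knowing when the maximum is, as Pablo says, still an arbitrary number that might change.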
2009-04-24 10:29 [PATCH 0/3] netfilter fixes for 2.6.30-rc Pablo Neira Ayuso
2009-04-24 10:30 ` [PATCH 1/3] netfilter: conntrack: add missing role attributes for DCCP Pablo Neira Ayuso
2009-04-24 14:59 ` Patrick McHardy
2009-04-24 10:30 ` [PATCH 2/3] netfilter: iptables: fix use of cluster match with 32 nodes Pablo Neira Ayuso
2009-04-24 15:02 ` Patrick McHardy [this message]
2009-04-24 18:33 ` Pablo Neira Ayuso
2009-04-24 10:30 ` [PATCH 3/3] netfilter: conntrack: fix EINVAL during DCCP loading Pablo Neira Ayuso