From: Florian Westphal <fw@strlen.de>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org,
	phil@nwl.cc, luciano.coelho@nokia.com, kaber@trash.net,
	yuantan098@gmail.com, yifanwucs@gmail.com,
	tomapufckgml@gmail.com, bird@lzu.edu.cn, royenheart@gmail.com
Subject: Re: [PATCH nf 1/1] netfilter: xt_IDLETIMER: scope timer reuse to the owning netns
Date: Thu, 14 May 2026 12:17:53 +0200
Message-ID: <agWhUUyIy4JZlVlq@strlen.de>
In-Reply-To: <9c5661fad291777d8e998e23f3cb27cac37aa607.1775353240.git.royenheart@gmail.com>

Ren Wei <n05ec@lzu.edu.cn> wrote:
> From: Haoze Xie <royenheart@gmail.com>
> 
> IDLETIMER keeps timers in a module-global list and reuses them
> solely by label text.
> 
> The existing rev0 ALARM guard avoids the panic when rev0 reuses
> a rev1 ALARM timer from another netns, but it still lets same
> labels in different netns share the same timer object and the
> same sysfs entry.

Isn't that by design?

> Track the owning netns in struct idletimer_tg and only reuse
> timers when both the label and netns match. For non-init_net
> timers, derive a namespace-scoped sysfs name from the netns
> inode so non-init namespaces no longer collide in the global
> xt_idletimer sysfs directory.

How can that work?  How would userspace daemon realize that the
name has changed?

> This keeps init_net sysfs paths unchanged for ABI compatibility
> and preserves same-netns label reuse, while preventing the
> cross-netns timer-object aliasing that caused refcount, expiry,
> and teardown interference.

I don't think there is a bug here.  Two netns using same
files having same sysfs mount should naturally "conflict".

Maybe one could make a patch to force-detach an idletime
in a non-init userns if init userns asks for "foo" that
is already claimed by different userns (to avoid the "DoS"
angle).

But I'm not sure it's worth it.
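
Added example, not part of this thread or of the kernel source: a userspace C model of the two lookup policies discussed above, reuse by label text alone versus reuse by label plus owning netns. The struct, the function names and the numeric netns ids are hypothetical stand-ins.

```c
/* Userspace model; names are hypothetical, not the kernel's xt_IDLETIMER code. */
#include <stdio.h>
#include <string.h>
#define MAX_TIMERS 8

struct model_timer {
    char label[32];
    unsigned int netns_id; /* constructed stand-in for the owning netns */
    unsigned int refcnt;   /* 0 means the slot is free */
};
static struct model_timer timers[MAX_TIMERS]; /* one list for every netns */

/* Reuse a live timer with this label (and, when scoped, this netns);
 * otherwise claim the first free slot. Returns NULL if the table is full. */
static struct model_timer *timer_get(const char *label, unsigned int ns, int scoped)
{
    struct model_timer *free_slot = NULL;
    for (int i = 0; i < MAX_TIMERS; i++) {
        struct model_timer *t = &timers[i];
        if (!t->refcnt) {
            if (!free_slot)
                free_slot = t;
        } else if (!strcmp(t->label, label) && (!scoped || t->netns_id == ns)) {
            t->refcnt++;
            return t;
        }
    }
    if (free_slot) {
        snprintf(free_slot->label, sizeof(free_slot->label), "%s", label);
        free_slot->netns_id = ns;
        free_slot->refcnt = 1;
    }
    return free_slot;
}

/* Returns 1 when netns 1 and netns 2 asking for "foo" get the same object. */
static int labels_alias(int scoped)
{
    memset(timers, 0, sizeof(timers));
    struct model_timer *a = timer_get("foo", 1, scoped);
    struct model_timer *b = timer_get("foo", 2, scoped);
    return a && a == b;
}

int main(void)
{
    printf("label only: %d, label + netns: %d\n", labels_alias(0), labels_alias(1));
    return 0;
}
```

With label-only matching the second namespace takes a reference on the first namespace's object, so its refcount and lifetime are shared; with the netns added to the match, same-netns reuse still works and the two namespaces get separate objects.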
