* [PATCH 0/2] Netfilter updates for 3.5-rc5
  2012-07-06 11:39 pablo
  2012-07-06 11:39 ` [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo
  2012-07-06 11:39 ` [PATCH 2/2] netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down pablo
  0 siblings, 2 replies; 6+ messages in thread

From: pablo @ 2012-07-06 11:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following patches provide two fixes:

* One to get the timeout special parameter for the SET target back working (this was introduced while trying to fix another bug in 3.4), from Jozsef Kadlecsik.

* One crash fix if containers and nf_conntrack are used, reported by Hans Schillstrom, by myself.

You can pull these fixes from:

git://1984.lsi.us.es/nf master

Thanks.

Little notice: I forgot to add my Signed-off-by while manually applying Jozsef's patch, sorry. It was a bit too late to fix, I had already pushed out to my master branch.

Jozsef Kadlecsik (1):
      netfilter: ipset: timeout fixing bug broke SET target special timeout value

Pablo Neira Ayuso (1):
      netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down

 include/net/netfilter/nf_conntrack_ecache.h | 2 +-
 net/netfilter/xt_set.c                      | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

-- 
1.7.10

^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value 2012-07-06 11:39 [PATCH 0/2] Netfilter updates for 3.5-rc5 pablo @ 2012-07-06 11:39 ` pablo 2012-07-09 7:29 ` David Miller 2012-07-06 11:39 ` [PATCH 2/2] netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down pablo 1 sibling, 1 reply; 6+ messages in thread From: pablo @ 2012-07-06 11:39 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> The patch "127f559 netfilter: ipset: fix timeout value overflow bug" broke the SET target when no timeout was specified. Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> --- net/netfilter/xt_set.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c index 035960e..b172cbc 100644 --- a/net/netfilter/xt_set.c +++ b/net/netfilter/xt_set.c @@ -16,6 +16,7 @@ #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_set.h> +#include <linux/netfilter/ipset/ip_set_timeout.h> MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); @@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) info->del_set.flags, 0, UINT_MAX); /* Normalize to fit into jiffies */ - if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC) + if (add_opt.timeout != IPSET_NO_TIMEOUT + && add_opt.timeout > UINT_MAX/MSEC_PER_SEC) add_opt.timeout = UINT_MAX/MSEC_PER_SEC; if (info->add_set.index != IPSET_INVALID_ID) ip_set_add(info->add_set.index, skb, par, &add_opt); -- 1.7.10 ^ permalink raw reply related [flat|nested] 6+ messages in thread
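Review bot: in the set_target_v2 hunk, the old clamp `if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)` could not tell the "no timeout" sentinel apart from a genuinely oversized value, so a SET target rule without a timeout was silently given a finite timeout of UINT_MAX/MSEC_PER_SEC (in the seconds unit the MSEC_PER_SEC scaling implies); exempting IPSET_NO_TIMEOUT before the range check is the right fix, but the continued line must not start with the operator. Kernel style wants `if (add_opt.timeout != IPSET_NO_TIMEOUT &&` with `add_opt.timeout > UINT_MAX/MSEC_PER_SEC)` aligned on the next line.

Review bot: the new `#include <linux/netfilter/ipset/ip_set_timeout.h>` is there only because IPSET_NO_TIMEOUT is defined in that header; a short sentence in the commit message saying so would save the next reader from wondering whether xt_set.c now depends on the rest of the timeout helpers.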
* Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-07-06 11:39 ` [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo
@ 2012-07-09 7:29 ` David Miller
  2012-07-09 8:58 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread

From: David Miller @ 2012-07-09 7:29 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev

From: pablo@netfilter.org
Date: Fri, 6 Jul 2012 13:39:38 +0200

> +	if (add_opt.timeout != IPSET_NO_TIMEOUT
> +	    && add_opt.timeout > UINT_MAX/MSEC_PER_SEC)

We do not write conditionals like this, with operators beginning a continued line. Instead, write this as:

	if (a &&
	    b)

Thanks.

^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value 2012-07-09 7:29 ` David Miller @ 2012-07-09 8:58 ` Pablo Neira Ayuso 2012-07-09 9:50 ` David Miller 0 siblings, 1 reply; 6+ messages in thread From: Pablo Neira Ayuso @ 2012-07-09 8:58 UTC (permalink / raw) To: David Miller; +Cc: netfilter-devel, netdev [-- Attachment #1: Type: text/plain, Size: 530 bytes --] On Mon, Jul 09, 2012 at 12:29:03AM -0700, David Miller wrote: > From: pablo@netfilter.org > Date: Fri, 6 Jul 2012 13:39:38 +0200 > > > + if (add_opt.timeout != IPSET_NO_TIMEOUT > > + && add_opt.timeout > UINT_MAX/MSEC_PER_SEC) > > We do not write conditionals like this, with operators beginning > a continued line. Instead, write this as: > > if (a && > b) Oops, indeed, sorry. New patch attached. I've also rebased my tree to include this change. Should I send a new pull request? Let me know what you prefer. [-- Attachment #2: 0001-netfilter-ipset-timeout-fixing-bug-broke-SET-target-.patch --] [-- Type: text/x-diff, Size: 1501 bytes --] >From a73f89a61f92b364f0b4a3be412b5b70553afc23 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Date: Fri, 29 Jun 2012 09:42:28 +0000 Subject: [PATCH] netfilter: ipset: timeout fixing bug broke SET target special timeout value The patch "127f559 netfilter: ipset: fix timeout value overflow bug" broke the SET target when no timeout was specified. Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/xt_set.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c index 035960e..c6f7db7 100644 --- a/net/netfilter/xt_set.c +++ b/net/netfilter/xt_set.c 
@@ -16,6 +16,7 @@ #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_set.h> +#include <linux/netfilter/ipset/ip_set_timeout.h> MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); @@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) info->del_set.flags, 0, UINT_MAX); /* Normalize to fit into jiffies */ - if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC) + if (add_opt.timeout != IPSET_NO_TIMEOUT && + add_opt.timeout > UINT_MAX/MSEC_PER_SEC) add_opt.timeout = UINT_MAX/MSEC_PER_SEC; if (info->add_set.index != IPSET_INVALID_ID) ip_set_add(info->add_set.index, skb, par, &add_opt); -- 1.7.10 ^ permalink raw reply related [flat|nested] 6+ messages in thread
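Review bot: the reposted set_target_v2 hunk now follows the `a &&` / `b` continuation style asked for in review and the logic is unchanged from the first version; the repost also carries the maintainer Signed-off-by that the cover letter said was missing from the hand-applied copy, so the attribution chain is complete. Nothing further to flag on this hunk.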
* Re: [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-07-09 8:58 ` Pablo Neira Ayuso
@ 2012-07-09 9:50 ` David Miller
  0 siblings, 0 replies; 6+ messages in thread

From: David Miller @ 2012-07-09 9:50 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 9 Jul 2012 10:58:27 +0200

> I've also rebased my tree to include this change. Should I send a new
> pull request?

Next time send a new pull request. This time, I re-pulled, thanks.

^ permalink raw reply [flat|nested] 6+ messages in thread
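The bug the patch above repairs is a sentinel colliding with a range clamp: the "no timeout" marker is itself a large number, so a check written only as "too big, cap it" turns a permanent entry into one that expires. The following user-space C program is an added example, not code from the kernel patch or from anyone in this thread; it models the normalization before and after the fix side by side. It assumes IPSET_NO_TIMEOUT is UINT_MAX (the ipset sentinel, mirrored here rather than taken from the kernel header) and MSEC_PER_SEC is 1000, and the function names normalize_timeout_old, normalize_timeout_fixed, timeout_is_permanent and timeout_to_msec are the example's own.

```c
#include <limits.h>
#include <stdio.h>

#define MSEC_PER_SEC 1000U
/* Assumption for this example: the ipset "no timeout" sentinel is UINT_MAX,
 * mirroring ip_set_timeout.h; the kernel header is not included here. */
#define IPSET_NO_TIMEOUT UINT_MAX

/* Largest timeout, in seconds, whose millisecond value still fits in a u32.
 * This is the bound behind the "Normalize to fit into jiffies" comment. */
#define MAX_TIMEOUT_SEC (UINT_MAX / MSEC_PER_SEC)   /* 4294967 */

/* Pre-fix logic (as left by commit 127f559): anything above the bound is
 * clamped, sentinel included, so "no timeout" silently becomes 4294967 s. */
unsigned int normalize_timeout_old(unsigned int timeout_sec)
{
	if (timeout_sec > MAX_TIMEOUT_SEC)
		timeout_sec = MAX_TIMEOUT_SEC;
	return timeout_sec;
}

/* Fixed logic: the sentinel bypasses the clamp; real values are still capped. */
unsigned int normalize_timeout_fixed(unsigned int timeout_sec)
{
	if (timeout_sec != IPSET_NO_TIMEOUT &&
	    timeout_sec > MAX_TIMEOUT_SEC)
		timeout_sec = MAX_TIMEOUT_SEC;
	return timeout_sec;
}

/* What the set layer sees after normalization: a permanent entry, or one
 * that will be garbage-collected after the given number of seconds. */
int timeout_is_permanent(unsigned int normalized)
{
	return normalized == IPSET_NO_TIMEOUT;
}

/* Scale a normalized, non-sentinel timeout to milliseconds, the unit the
 * clamp exists to protect; returns 0 if the product would not fit in a u32
 * (this is the overflow the original clamp was added to prevent). */
int timeout_to_msec(unsigned int normalized, unsigned int *msec)
{
	unsigned long long v = (unsigned long long)normalized * MSEC_PER_SEC;

	if (timeout_is_permanent(normalized) || v > UINT_MAX)
		return 0;
	*msec = (unsigned int)v;
	return 1;
}

int main(void)
{
	/* Constructed inputs: a normal value, the boundary, one past it,
	 * and a rule with no timeout given (the sentinel). */
	unsigned int inputs[] = { 10, MAX_TIMEOUT_SEC, MAX_TIMEOUT_SEC + 1,
				  IPSET_NO_TIMEOUT };
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		unsigned int old = normalize_timeout_old(inputs[i]);
		unsigned int fixed = normalize_timeout_fixed(inputs[i]);

		printf("input %10u: old -> %10u (%s), fixed -> %10u (%s)\n",
		       inputs[i],
		       old, timeout_is_permanent(old) ? "permanent" : "expires",
		       fixed, timeout_is_permanent(fixed) ? "permanent" : "expires");
	}
	return 0;
}
```

Running it shows the two versions agreeing on every ordinary value, including the clamp of 4294968 down to 4294967, and disagreeing only on the sentinel, which the old code demotes to an entry that expires after roughly 49.7 days. The general lesson for any range check is to test for the out-of-band marker before comparing magnitudes, or to pick a marker that cannot fall inside the clamped range.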
* [PATCH 2/2] netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down 2012-07-06 11:39 [PATCH 0/2] Netfilter updates for 3.5-rc5 pablo 2012-07-06 11:39 ` [PATCH 1/2] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo @ 2012-07-06 11:39 ` pablo 1 sibling, 0 replies; 6+ messages in thread From: pablo @ 2012-07-06 11:39 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Pablo Neira Ayuso <pablo@netfilter.org> Hans reports that he's still hitting: BUG: unable to handle kernel NULL pointer dereference at 000000000000027c IP: [<ffffffff813615db>] netlink_has_listeners+0xb/0x60 PGD 0 Oops: 0000 [#3] PREEMPT SMP CPU 0 It happens when adding a number of containers with do: nfct_query(h, NFCT_Q_CREATE, ct); and most likely one namespace shuts down. this problem was supposed to be fixed by: 70e9942 netfilter: nf_conntrack: make event callback registration per-netns Still, it was missing one rcu_access_pointer to check if the callback is set or not. Reported-by: Hans Schillstrom <hans@schillstrom.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netfilter/nf_conntrack_ecache.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h index a88fb69..e1ce104 100644 --- a/include/net/netfilter/nf_conntrack_ecache.h +++ b/include/net/netfilter/nf_conntrack_ecache.h @@ -78,7 +78,7 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct) struct net *net = nf_ct_net(ct); struct nf_conntrack_ecache *e; - if (net->ct.nf_conntrack_event_cb == NULL) + if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb)) return; e = nf_ct_ecache_find(ct); -- 1.7.10 ^ permalink raw reply related [flat|nested] 6+ messages in thread
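Review bot: in the nf_conntrack_event_cache hunk, replacing the raw `== NULL` comparison with `!rcu_access_pointer(net->ct.nf_conntrack_event_cb)` is the correct way to peek at an RCU-managed pointer (the commit message's stated reason) without holding rcu_read_lock, but it is only an early-exit fast path, not synchronization: a namespace tearing down can still unregister the callback between this test and the later use in the event path, which lies outside this hunk and must keep dereferencing through rcu_dereference() under rcu_read_lock() for the NULL dereference in netlink_has_listeners to be fully closed. The commit message should say that this check is the cheap fast path and that the real protection is the per-netns registration from 70e9942, otherwise a reader may take this one-liner as the complete fix.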