From: Florian Westphal
To: Shmulik Ladkani
Cc: Florian Westphal, Pablo Neira Ayuso, netdev@vger.kernel.org, shmulik@metanetworks.com
Subject: Re: [REGRESSION] netfilter: conntrack: Unable to change conntrack accounting of a net namespace via 'nf_conntrack_acct' sysfs
Date: Tue, 27 Aug 2019 13:18:33 +0200
Message-ID: <20190827111833.GZ20113@breakpoint.cc>
In-Reply-To: <20190827135754.7d460ef8@pixies>
X-Mailing-List: netdev@vger.kernel.org

Shmulik Ladkani wrote:
> -static int nf_conntrack_acct_init_sysctl(struct net *net)
> -{
> - struct ctl_table *table;
> -
> - table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
> - GFP_KERNEL);
> - if (!table)
> - goto out;
> -
> - table[0].data = &net->ct.sysctl_acct;
> -
>
> (where 'nf_conntrack_acct_init_sysctl()' was originally called by
> 'nf_conntrack_acct_pernet_init()').
>
> However POST d912dec12428, the per-net netfilter sysctl table simply
> inherits from global 'nf_ct_sysctl_table[]', which has
>
> + .data = &init_net.ct.sysctl_acct,
>
> effectively making any 'net.netfilter.nf_conntrack_acct' sysctl change
> affect the 'init_net' and not the relevant net namespace.
>
> Also, looks like "nf_conntrack_helper", "nf_conntrack_events",
> "nf_conntrack_timestamp" were also harmed in a similar way, see:
>
> d912dec12428 ("netfilter: conntrack: merge acct and helper sysctl table with main one")
> cb2833ed0044 ("netfilter: conntrack: merge ecache and timestamp sysctl tables with main one")

Thanks for reporting this bug, I will submit a patch soon.
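Review bot: the removed per-net setup `table[0].data = &net->ct.sysctl_acct;` has no counterpart once the table is merged, while the merged entry carries `.data = &init_net.ct.sysctl_acct,` as a fixed pointer, so every namespace's copy of the table writes init_net's field. The pernet init that duplicates `nf_ct_sysctl_table[]` needs to re-point `.data` for the acct entry (and, per the report, the helper, events and timestamp entries) at the corresponding `net->ct` field after the copy, as the removed code did; otherwise the namespace-local knob is a no-op for that namespace and a cross-namespace write into init_net.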
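The aliasing the report describes, as an added example (my code, not from this thread, the kernel, or either of the commits cited): a small userland C model in which a template table whose .data points at a global init namespace is duplicated per namespace. write_leaks_to_init() shows that without re-pointing .data after the copy, a write made through the child's table lands in the init namespace's field; with the fix-up it lands in the child's. All struct and function names here (struct ns, struct ctl_entry, tmpl, pernet_table, sysctl_write, write_leaks_to_init) are invented for the model and stand in for the kernel's struct net, struct ctl_table, nf_ct_sysctl_table[] and the kmemdup()'d pernet table; nothing in it is the kernel's own code.

```c
/* Added example, not from the thread or the kernel: userland model of a
 * per-namespace sysctl table duplicated from a template whose .data
 * already points at the init namespace. Names are invented. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

struct ns {                 /* stands in for struct net */
    int sysctl_acct;
};

struct ctl_entry {          /* stands in for struct ctl_table */
    const char *procname;
    int *data;              /* where a sysctl write is stored */
};

static struct ns init_ns = { .sysctl_acct = 0 };

/* Template with .data hardwired to init_ns, as in the merged table. */
static const struct ctl_entry tmpl[] = {
    { .procname = "nf_conntrack_acct", .data = &init_ns.sysctl_acct },
    { .procname = NULL,                .data = NULL },   /* terminator */
};

/* Duplicate the template for one namespace. With fix_data == 0 the copy
 * keeps pointing at init_ns (the regression); with fix_data != 0 the
 * entry is redirected to ns->sysctl_acct (what the removed per-net
 * init did with table[0].data = &net->ct.sysctl_acct). */
static struct ctl_entry *pernet_table(struct ns *ns, int fix_data)
{
    struct ctl_entry *t = malloc(sizeof(tmpl));
    if (!t)
        return NULL;
    memcpy(t, tmpl, sizeof(tmpl));
    if (fix_data)
        t[0].data = &ns->sysctl_acct;
    return t;
}

/* Model of writing a value to the named knob through table t, i.e. what
 * a process inside the owning namespace does via /proc/sys. */
static int sysctl_write(struct ctl_entry *t, const char *name, int val)
{
    for (; t->procname; t++) {
        if (strcmp(t->procname, name) == 0) {
            *t->data = val;
            return 0;
        }
    }
    return -1;              /* no such knob */
}

/* Returns 1 if a write made through a child namespace's table ends up in
 * init_ns instead of the child, 0 if it lands where it should, -1 on
 * allocation failure. */
int write_leaks_to_init(int fix_data)
{
    struct ns child = { .sysctl_acct = 0 };
    init_ns.sysctl_acct = 0;
    struct ctl_entry *t = pernet_table(&child, fix_data);
    if (!t)
        return -1;
    sysctl_write(t, "nf_conntrack_acct", 1);
    int leaked = (init_ns.sysctl_acct == 1 && child.sysctl_acct == 0);
    free(t);
    return leaked;
}

int main(void)
{
    printf("merged table, .data left at init_ns: leaks=%d\n",
           write_leaks_to_init(0));
    printf("per-net .data fix-up after the copy: leaks=%d\n",
           write_leaks_to_init(1));
    return 0;
}
```

The fix_data == 0 path reproduces the symptom in the subject line: the child's knob appears to accept the write, but only init_ns changes. The fix_data != 0 path is the behaviour the removed nf_conntrack_acct_init_sysctl() provided, and the same re-pointing would be needed for each of the other merged entries the report lists.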