* [PATCH] netfilter code cleanup
From: Hagen Paul Pfeifer @ 2009-02-19 23:43 UTC (permalink / raw)
To: netdev; +Cc: netfilter-devel
I stumbled across some unattractive code in the netfilter core.
These two patches try to address them.
Best regards, Hagen Paul Pfeifer
* [PATCH 1/2] nf_conntrack: table max size should hold at least table size
From: Hagen Paul Pfeifer @ 2009-02-19 23:43 UTC (permalink / raw)
To: netdev; +Cc: netfilter-devel
Table size is defined as unsigned, whereas the table maximum size is
defined as a signed integer. The calculation of max is 8 or 4,
multiplied by the table size. Therefore the max value is aligned to
unsigned.
Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
---
include/net/netfilter/nf_conntrack.h | 2 +-
net/netfilter/nf_conntrack_core.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 2e0c536..4dfb793 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -287,7 +287,7 @@ static inline int nf_ct_is_untracked(const struct sk_buff *skb)
extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
extern unsigned int nf_conntrack_htable_size;
-extern int nf_conntrack_max;
+extern unsigned int nf_conntrack_max;
#define NF_CT_STAT_INC(net, count) \
(per_cpu_ptr((net)->ct.stat, raw_smp_processor_id())->count++)
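Review bot: the header now declares nf_conntrack_max as unsigned int, but the diffstat touches only this header and nf_conntrack_core.c, so every other consumer of the symbol still assumes a signed int. In particular, any sysctl or module parameter entry that exports it through an int-sized handler, and any comparison of this unsigned limit against the signed result of atomic_read() on the conntrack count, should be checked so the type change does not leave a mismatched parameter width or new sign-compare warnings.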
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 90ce9dd..f3aa4e6 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -54,7 +54,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_lock);
unsigned int nf_conntrack_htable_size __read_mostly;
EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
-int nf_conntrack_max __read_mostly;
+unsigned int nf_conntrack_max __read_mostly;
EXPORT_SYMBOL_GPL(nf_conntrack_max);
struct nf_conn nf_conntrack_untracked __read_mostly;
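Review bot: the subject says the maximum "should hold at least table size", but this hunk only changes the signedness of the definition; nothing visible enforces nf_conntrack_max >= nf_conntrack_htable_size. If that invariant is the goal, the setter should clamp the value; otherwise the subject should describe the change as aligning the signedness of the two variables.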
--
1.5.6.5
* [PATCH 2/2] netfilter: fix hardcoded size assumptions
From: Hagen Paul Pfeifer @ 2009-02-19 23:43 UTC (permalink / raw)
To: netdev; +Cc: netfilter-devel
get_random_bytes() is sometimes called with a hard-coded size assumption
of an integer. This might not be true for the next centuries. This patch
replaces it with a compile-time statement.
Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
---
net/netfilter/nf_conntrack_core.c | 5 +++--
net/netfilter/nf_conntrack_expect.c | 2 +-
net/netfilter/xt_hashlimit.c | 2 +-
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index f3aa4e6..2235432 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -472,7 +472,8 @@ struct nf_conn *nf_conntrack_alloc(struct net *net,
struct nf_conn *ct;
if (unlikely(!nf_conntrack_hash_rnd_initted)) {
- get_random_bytes(&nf_conntrack_hash_rnd, 4);
+ get_random_bytes(&nf_conntrack_hash_rnd,
+ sizeof(nf_conntrack_hash_rnd));
nf_conntrack_hash_rnd_initted = 1;
}
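Review bot: the continuation line `+ sizeof(nf_conntrack_hash_rnd));` should be aligned with the opening parenthesis of the get_random_bytes() call per kernel coding style, since the hunk introduces the wrap. Separately, the check-then-set on nf_conntrack_hash_rnd_initted shows no serialization within this hunk; confirm that nf_conntrack_alloc() reaches this block under a lock, because two concurrent first allocations could each seed the hash and leave entries hashed under different seeds.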
@@ -1103,7 +1104,7 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
/* We have to rehahs for the new table anyway, so we also can
* use a newrandom seed */
- get_random_bytes(&rnd, 4);
+ get_random_bytes(&rnd, sizeof(rnd));
/* Lookups in the old hash might happen in parallel, which means we
* might get false negatives during connection lookup. New connections
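Review bot: while touching this line, fix the two typos in the adjacent comment, "rehahs" to "rehash" and "newrandom" to "new random", so it reads "We have to rehash for the new table anyway, so we also can use a new random seed".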
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 3a8a34a..19b4779 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -72,7 +72,7 @@ static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple
unsigned int hash;
if (unlikely(!nf_ct_expect_hash_rnd_initted)) {
- get_random_bytes(&nf_ct_expect_hash_rnd, 4);
+ get_random_bytes(&nf_ct_expect_hash_rnd, sizeof(nf_ct_expect_hash_rnd));
nf_ct_expect_hash_rnd_initted = 1;
}
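Review bot: the replacement line `+ get_random_bytes(&nf_ct_expect_hash_rnd, sizeof(nf_ct_expect_hash_rnd));` runs well past 80 columns once indented by two tab stops; wrap the sizeof() argument onto a continuation line as the nf_conntrack_core.c hunk does so checkpatch stays clean.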
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index f97fded..2482055 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -149,7 +149,7 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
/* initialize hash with random val at the time we allocate
* the first hashtable entry */
if (!ht->rnd_initialized) {
- get_random_bytes(&ht->rnd, 4);
+ get_random_bytes(&ht->rnd, sizeof(ht->rnd));
ht->rnd_initialized = 1;
}
--
1.5.6.5
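As an added illustration, not code from this thread or from the kernel, of why the commit message prefers sizeof() over a literal 4: once the seed type is wider than 4 bytes, the old call leaves part of the hash seed unrandomized, which weakens the hash randomization the seed exists to provide. The RNG stand-in, the 64-bit seed type and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the kernel's get_random_bytes(): fills buf with a
 * deterministic, never-zero pattern so the result is checkable offline.
 * Constructed for this example; the kernel uses a real RNG here. */
static void fake_get_random_bytes(void *buf, size_t nbytes)
{
    unsigned char *p = buf;
    for (size_t i = 0; i < nbytes; i++)
        p[i] = (unsigned char)(0xA5 ^ i);
}

/* Hash seed type, assumed (for this example) wider than the 4 bytes
 * the pre-patch code hardcoded. */
typedef uint64_t hash_rnd_t;

/* Pre-patch pattern: the byte count is a literal decoupled from the type. */
static hash_rnd_t seed_hardcoded(void)
{
    hash_rnd_t rnd = 0;
    fake_get_random_bytes(&rnd, 4);          /* silently leaves 4 bytes zero */
    return rnd;
}

/* Post-patch pattern: sizeof() follows the type if it ever changes. */
static hash_rnd_t seed_sizeof(void)
{
    hash_rnd_t rnd = 0;
    fake_get_random_bytes(&rnd, sizeof(rnd));
    return rnd;
}

/* Count the bytes of a seed the RNG never touched (still zero). */
static int unseeded_bytes(hash_rnd_t rnd)
{
    unsigned char raw[sizeof(rnd)];
    int zeros = 0;
    memcpy(raw, &rnd, sizeof(raw));
    for (size_t i = 0; i < sizeof(raw); i++)
        if (raw[i] == 0)
            zeros++;
    return zeros;
}

int main(void)
{
    printf("hardcoded 4: %d unseeded bytes\n", unseeded_bytes(seed_hardcoded()));
    printf("sizeof():    %d unseeded bytes\n", unseeded_bytes(seed_sizeof()));
    return 0;
}
```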
* Re: [PATCH] netfilter code cleanup
From: Patrick McHardy @ 2009-02-20 9:48 UTC (permalink / raw)
To: Hagen Paul Pfeifer; +Cc: netdev, netfilter-devel
Hagen Paul Pfeifer wrote:
> I stumbled across some unattractive code in the netfilter core.
> These two patches try to address them.
I know that feeling :) Both applied, thanks Hagen.
* Re: [PATCH] netfilter code cleanup
From: Jan Engelhardt @ 2009-02-28 1:54 UTC (permalink / raw)
To: Hagen Paul Pfeifer; +Cc: netdev, netfilter-devel
On Friday 2009-02-20 00:43, Hagen Paul Pfeifer wrote:
>I stumbled across some unattractive code in the netfilter core.
>These two patches try to address them.
>
>Best regards, Hagen Paul Pfeifer
I think these are good to go in.