From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 08/15] netfilter: ipset: List timing out entries with "timeout 1" instead of zero
Date: Mon, 11 Jun 2018 11:22:26 +0200 [thread overview]
Message-ID: <20180611092233.3219-9-pablo@netfilter.org> (raw)
In-Reply-To: <20180611092233.3219-1-pablo@netfilter.org>
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
When listing sets with timeout support, there's a probability that
just timing out entries with "0" timeout value is listed/saved.
However when restoring the saved list, the zero timeout value means
permanent elelements.
The new behaviour is that timing out entries are listed with "timeout 1"
instead of zero.
Fixes netfilter bugzilla #1258.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set_timeout.h | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h
index bfb3531fd88a..7ad8ddf9ca8a 100644
--- a/include/linux/netfilter/ipset/ip_set_timeout.h
+++ b/include/linux/netfilter/ipset/ip_set_timeout.h
@@ -65,8 +65,14 @@ ip_set_timeout_set(unsigned long *timeout, u32 value)
static inline u32
ip_set_timeout_get(const unsigned long *timeout)
{
- return *timeout == IPSET_ELEM_PERMANENT ? 0 :
- jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
+ u32 t;
+
+ if (*timeout == IPSET_ELEM_PERMANENT)
+ return 0;
+
+ t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
+ /* Zero value in userspace means no timeout */
+ return t == 0 ? 1 : t;
}
#endif /* __KERNEL__ */
--
2.11.0
next prev parent reply other threads:[~2018-06-11 9:22 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-11 9:22 [PATCH 00/15] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 01/15] netfilter: xt_CT: Reject the non-null terminated string from user space Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 02/15] netfilter: nf_tables: check msg_type before nft_trans_set(trans) Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 03/15] ipvs: register conntrack hooks for ftp Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 04/15] netfilter: nft_reject_bridge: fix skb allocation size in nft_reject_br_send_v6_unreach Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 05/15] ipvs: fix check on xmit to non-local addresses Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 06/15] netfilter: ebtables: fix compat entry padding Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 07/15] netfilter: xt_set: Check hook mask correctly Pablo Neira Ayuso
2018-06-11 9:22 ` Pablo Neira Ayuso [this message]
2018-06-11 9:22 ` [PATCH 09/15] netfilter: ipset: Limit max timeout value Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 10/15] netfilter: ipset: forbid family for hash:mac sets Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 11/15] netfilter: ebtables: reject non-bridge targets Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 12/15] netfilter: nft_set_rbtree: fix parameter of __nft_rbtree_lookup() Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 13/15] netfilter: nf_conntrack: Increase __IPS_MAX_BIT with new bit IPS_OFFLOAD_BIT Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 14/15] netfilter: x_tables: initialise match/target check parameter struct Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 15/15] netfilter: remove include/net/netfilter/nft_dup.h Pablo Neira Ayuso
2018-06-11 23:31 ` [PATCH 00/15] Netfilter/IPVS fixes for net David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180611092233.3219-9-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).