From: Jim Robinson <jrobinson@infoblox.com>
To: Patrick McHardy <kaber@trash.net>
Cc: Jan Engelhardt <jengelh@inai.de>, <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] netfilter: have r->cost != 0 case work
Date: Mon, 24 Sep 2012 13:34:58 -0700 [thread overview]
Message-ID: <5060C3F2.9020901@infoblox.com> (raw)
In-Reply-To: <58f14b4c-67ab-48aa-bbaf-3ce244500b93@email.android.com>
[Retry with text formatting to try to make the vger.kernel.org spam
filter happy this time]
Patrick McHardy wrote:
>
> Jan Engelhardt <jengelh@inai.de> schrieb:
>
>> Commit v2.6.19-rc1~1272^2~41 tells us that r->cost != 0 can happen when
>> a running state is saved to userspace and then reinstated from there.
>>
>> Make sure that priv is initialized with some values when that happens.
>>
>> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
>> ---
>> net/netfilter/xt_limit.c | 8 ++++----
>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
>> index 5c22ce8..a4c1e45 100644
>> --- a/net/netfilter/xt_limit.c
>> +++ b/net/netfilter/xt_limit.c
>> @@ -117,11 +117,11 @@ static int limit_mt_check(const struct
>> xt_mtchk_param *par)
>>
>> /* For SMP, we only want to use one set of state. */
>> r->master = priv;
>> + /* User avg in seconds * XT_LIMIT_SCALE: convert to jiffies *
>> + 128. */
>> + priv->prev = jiffies;
>> + priv->credit = user2credits(r->avg * r->burst); /* Credits full. */
>> if (r->cost == 0) {
>> - /* User avg in seconds * XT_LIMIT_SCALE: convert to jiffies *
>> - 128. */
>> - priv->prev = jiffies;
>> - priv->credit = user2credits(r->avg * r->burst); /* Credits
full. */
>> r->credit_cap = priv->credit; /* Credits full. */
>> r->cost = user2credits(r->avg);
>> }
> I don't think we can do any better than this. We could reuse the old
state from userspace, but that might have changed in the kernel as well.
>
> Perhaps for the future we can find some way to optionally associate
elements of the new ruleset with the old one and keep states when
parameters haven't changed. Probably hard though since the new ruleset
is constructed in the kernel while the old one is still active.
>
Can you possibly elaborate on why my initial patch does not actually fix
the problem? Specifically, the concern seems to be that the values in
'r->master' in limit_mt_check() may not be reliable. In my testing I saw
that r->master was the same (both address and values) as had been being
used in limit_mt() calls for the rule. So if you could elaborate on the
circumstances that could cause the values to not be the same, it would
be appreciated. In particular I don't understand the reference to
'userspace'.
Below is the debugging trace I included as one the attachments I sent.
It shows the calls applied to the same rate limit rule. Note that
'r->master' in limit_mt_check() is the same address as 'r->master' in
the previous limit_mt() calls. My testing indicated that the values were
the same as well. Also note that the call to limit_mt_check() was
triggered by an iptables change unrelated to that rule.
BTW, I am not at all saying you're wrong - you're the experts here. I'm
just trying to understand why my patch doesn't actually fix the problem.
This is for my own benefit and also because I'll have to explain it to
my own powers-that-be, since the proposed fix basically resets the
values and will guarantee a match in the next mt_limit() call(s)
regardless of what should actually happen.
And as something of an aside, can you say why limit_mt_check() is called
on all the rate limit rules when an unrelated iptables change occurs?
This is what I observed.
Thanks
Jim
limit_mt(): par=ffff880028203bd0 r=ffffc90003cfb138
master=ffff88020f930fa0
limit_mt(): par=ffff880028203bd0 r=ffffc90003cfb138
master=ffff88020f930fa0
limit_mt(): par=ffff880028203bd0 r=ffffc90003cfb138
master=ffff88020f930fa0
# bug triggered here
limit_mt_check(): par=ffff880176a3bd98 r=ffffc90003d39138
master=ffff88020f930fa0
new-master=ffff88020f930140 [this is the
kmalloc()ed 'priv']
limit_mt_destroy(): par=ffff880176a3bd38 r=ffffc90003cfb138
master=ffff88020f930fa0
limit_mt(): par=ffff880028203bd0 r=ffffc90003d39138
master=ffff88020f930140
limit_mt(): par=ffff880028203bd0 r=ffffc90003d39138
master=ffff88020f930140
limit_mt(): par=ffff880028203bd0 r=ffffc90003d39138
master=ffff88020f930140
next prev parent reply other threads:[~2012-09-24 20:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <505CE985.7000907@infoblox.com>
2012-09-22 3:09 ` Bug in limit_mt_check() Jan Engelhardt
2012-09-22 8:03 ` Jan Engelhardt
2012-09-22 8:13 ` Jan Engelhardt
2012-09-22 8:26 ` [PATCH] netfilter: have r->cost != 0 case work Jan Engelhardt
2012-09-23 12:43 ` Patrick McHardy
2012-09-24 13:02 ` Jan Engelhardt
2012-09-24 13:12 ` Patrick McHardy
2012-09-24 20:34 ` Jim Robinson [this message]
2012-09-24 21:30 ` Jan Engelhardt
2012-09-25 14:39 ` Pablo Neira Ayuso
2012-09-25 14:52 ` Jan Engelhardt
2012-09-25 23:27 ` Pablo Neira Ayuso
2012-09-26 13:28 ` Jan Engelhardt
2012-09-26 14:47 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5060C3F2.9020901@infoblox.com \
--to=jrobinson@infoblox.com \
--cc=jengelh@inai.de \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).