* [PATCH 0/2] netfilter fixes for net
From: pablo @ 2013-02-26 13:45 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi David,

The following patchset contains two bugfixes for netfilter/ipset via
Jozsef Kadlecsik, they are:

* Fix timeout corruption if sets are resized, by Josh Hunt.

* Fix bogus error report if the flag nomatch is set, from Jozsef.

You can pull these changes from:

git://1984.lsi.us.es/nf master

Thanks!

Josh Hunt (1):
  netfilter: ipset: timeout values corrupted on set resize

Jozsef Kadlecsik (1):
  netfilter: ipset: "Directory not empty" error message

 include/linux/netfilter/ipset/ip_set_ahash.h | 4 +++-
 net/netfilter/ipset/ip_set_core.c | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
--
1.7.10.4
* [PATCH 1/2] netfilter: ipset: timeout values corrupted on set resize
From: pablo @ 2013-02-26 13:45 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Josh Hunt <johunt@akamai.com>
If a resize is triggered on a set with timeouts enabled, the timeout
values will get corrupted when copying them to the new set. This occurred
b/c the wrong timeout value is supplied to type_pf_elem_tadd().

This also adds simple debug statement similar to the one in type_pf_resize().

Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set_ahash.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h
index ef9acd3..01d25e6 100644
--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -854,6 +854,8 @@ type_pf_tresize(struct ip_set *set, bool retried)
retry:
ret = 0;
htable_bits++;
+ pr_debug("attempt to resize set %s from %u to %u, t %p\n",
+ set->name, orig->htable_bits, htable_bits, orig);
if (!htable_bits) {
/* In case we have plenty of memory :-) */
pr_warning("Cannot increase the hashsize of set %s further\n",
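Review bot: The added pr_debug() in type_pf_tresize() prints `orig` with `%p`, which writes a kernel pointer value into the log whenever debug output is enabled. The set name and the two htable_bits values already identify the resize, so consider dropping `, t %p` and the `orig` argument unless the pointer is needed to correlate this line with another message.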
@@ -873,7 +875,7 @@ retry:
data = ahash_tdata(n, j);
m = hbucket(t, HKEY(data, h->initval, htable_bits));
ret = type_pf_elem_tadd(m, data, AHASH_MAX(h), 0,
- type_pf_data_timeout(data));
+ ip_set_timeout_get(type_pf_data_timeout(data)));
if (ret < 0) {
read_unlock_bh(&set->lock);
ahash_destroy(t);
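Review bot: At the type_pf_elem_tadd() call, the last argument now needs ip_set_timeout_get() around type_pf_data_timeout(data), but nothing at the call site says that the stored value and the value tadd expects are in different representations. A short comment above the call stating which form type_pf_elem_tadd() takes would keep the next caller from passing the stored value straight through again, which is the mistake the commit message describes.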
--
1.7.10.4
* [PATCH 2/2] netfilter: ipset: "Directory not empty" error message
From: pablo @ 2013-02-26 13:45 UTC
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
When an entry flagged with "nomatch" was tested by ipset, it
returned the error message "Kernel error received:
Directory not empty" instead of "<element> is NOT in set <setname>"
(reported by John Brendler).

The internal error code was not properly transformed before returning
to userspace, fixed.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 6d6d8f2..38ca630 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1470,7 +1470,8 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
if (ret == -EAGAIN)
ret = 1;
- return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST;
+ return (ret < 0 && ret != -ENOTEMPTY) ? ret :
+ ret > 0 ? 0 : -IPSET_ERR_EXIST;
}
/* Get headed data of a set */
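Review bot: In the new return of ip_set_utest(), -ENOTEMPTY is folded into -IPSET_ERR_EXIST inside a nested ternary with no comment, so a reader cannot tell that it is the internal code for a nomatch entry, and any other path that returns -ENOTEMPTY would also be reported to userspace as "not in set". Consider translating it next to the existing `if (ret == -EAGAIN)` line with its own `if (ret == -ENOTEMPTY) ret = 0;` and a one-line comment, which lets the original return expression stay as it was.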
--
1.7.10.4
* Re: [PATCH 0/2] netfilter fixes for net
From: David Miller @ 2013-02-26 22:24 UTC
To: pablo; +Cc: netfilter-devel, netdev
From: pablo@netfilter.org
Date: Tue, 26 Feb 2013 14:45:18 +0100
> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> Hi David,
>
> The following patchset contains two bugfixes for netfilter/ipset via
> Jozsef Kadlecsik, they are:
>
> * Fix timeout corruption if sets are resized, by Josh Hunt.
>
> * Fix bogus error report if the flag nomatch is set, from Jozsef.
>
> You can pull these changes from:
>
> git://1984.lsi.us.es/nf master
Pulled, thanks Pablo.
* [PATCH 1/2] netfilter: ipset: timeout values corrupted on set resize
2013-02-21 16:45 [PATCH 0/2] ipset patches Jozsef Kadlecsik
@ 2013-02-21 16:45 ` Jozsef Kadlecsik
0 siblings, 0 replies; 5+ messages in thread
From: Jozsef Kadlecsik @ 2013-02-21 16:45 UTC
To: netfilter-devel; +Cc: Pablo Neira Ayuso
From: Josh Hunt <johunt@akamai.com>
If a resize is triggered on a set with timeouts enabled, the timeout
values will get corrupted when copying them to the new set. This occurred
b/c the wrong timeout value is supplied to type_pf_elem_tadd().

This also adds simple debug statement similar to the one in type_pf_resize().

Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set_ahash.h | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h
index ef9acd3..01d25e6 100644
--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -854,6 +854,8 @@ type_pf_tresize(struct ip_set *set, bool retried)
retry:
ret = 0;
htable_bits++;
+ pr_debug("attempt to resize set %s from %u to %u, t %p\n",
+ set->name, orig->htable_bits, htable_bits, orig);
if (!htable_bits) {
/* In case we have plenty of memory :-) */
pr_warning("Cannot increase the hashsize of set %s further\n",
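Review bot: The pr_debug() sits between `htable_bits++` and the `if (!htable_bits)` check, so when the increment wraps it logs an attempt to resize "to 0" immediately before the "Cannot increase the hashsize" warning. Moving the debug line below that check keeps the log limited to resizes that are actually attempted.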
@@ -873,7 +875,7 @@ retry:
data = ahash_tdata(n, j);
m = hbucket(t, HKEY(data, h->initval, htable_bits));
ret = type_pf_elem_tadd(m, data, AHASH_MAX(h), 0,
- type_pf_data_timeout(data));
+ ip_set_timeout_get(type_pf_data_timeout(data)));
if (ret < 0) {
read_unlock_bh(&set->lock);
ahash_destroy(t);
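Review bot: With ip_set_timeout_get() now applied to each element's stored timeout in the copy loop, the hunk shows no check for an element whose timeout has already passed, or passes while the resize is running. Please confirm what ip_set_timeout_get() returns in that case and what type_pf_elem_tadd() does with the result; if it is not a well-defined short timeout, skip expired elements before the tadd call so a stale entry cannot be carried into the new table with a fresh lifetime.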
--
1.7.0.4