From 249ddc79a38a8918ad53ac22606ca8af694344a5 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Tue, 24 May 2011 10:20:17 +0200 Subject: [PATCH 1/5] netfilter: ipset: Use proper timeout value to jiffies conversion Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/ipset/ip_set_timeout.h | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h index 9f30c5f2ec1c..bcdd40ad39ed 100644 --- a/include/linux/netfilter/ipset/ip_set_timeout.h +++ b/include/linux/netfilter/ipset/ip_set_timeout.h @@ -45,7 +45,7 @@ ip_set_timeout_test(unsigned long timeout) { return timeout != IPSET_ELEM_UNSET && (timeout == IPSET_ELEM_PERMANENT || - time_after(timeout, jiffies)); + time_is_after_jiffies(timeout)); } static inline bool @@ -53,7 +53,7 @@ ip_set_timeout_expired(unsigned long timeout) { return timeout != IPSET_ELEM_UNSET && timeout != IPSET_ELEM_PERMANENT && - time_before(timeout, jiffies); + time_is_before_jiffies(timeout); } static inline unsigned long @@ -64,7 +64,7 @@ ip_set_timeout_set(u32 timeout) if (!timeout) return IPSET_ELEM_PERMANENT; - t = timeout * HZ + jiffies; + t = msecs_to_jiffies(timeout * 1000) + jiffies; if (t == IPSET_ELEM_UNSET || t == IPSET_ELEM_PERMANENT) /* Bingo! */ t++; @@ -75,7 +75,8 @@ ip_set_timeout_set(u32 timeout) static inline u32 ip_set_timeout_get(unsigned long timeout) { - return timeout == IPSET_ELEM_PERMANENT ? 0 : (timeout - jiffies)/HZ; + return timeout == IPSET_ELEM_PERMANENT ? 0 : + jiffies_to_msecs(timeout - jiffies)/1000; } #else @@ -89,14 +90,14 @@ static inline bool ip_set_timeout_test(unsigned long timeout) { return timeout == IPSET_ELEM_PERMANENT || - time_after(timeout, jiffies); + time_is_after_jiffies(timeout); } static inline bool ip_set_timeout_expired(unsigned long timeout) { return timeout != IPSET_ELEM_PERMANENT && - time_before(timeout, jiffies); + time_is_before_jiffies(timeout); } static inline unsigned long @@ -107,7 +108,7 @@ ip_set_timeout_set(u32 timeout) if (!timeout) return IPSET_ELEM_PERMANENT; - t = timeout * HZ + jiffies; + t = msecs_to_jiffies(timeout * 1000) + jiffies; if (t == IPSET_ELEM_PERMANENT) /* Bingo! :-) */ t++; @@ -118,7 +119,8 @@ ip_set_timeout_set(u32 timeout) static inline u32 ip_set_timeout_get(unsigned long timeout) { - return timeout == IPSET_ELEM_PERMANENT ? 0 : (timeout - jiffies)/HZ; + return timeout == IPSET_ELEM_PERMANENT ? 0 : + jiffies_to_msecs(timeout - jiffies)/1000; } #endif /* ! IP_SET_BITMAP_TIMEOUT */ From b141c242ff978b63cdf0f3d1a767a5152750166b Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Tue, 24 May 2011 10:20:18 +0200 Subject: [PATCH 2/5] netfilter: ipset: remove unused variable from type_pf_tdel() Variable 'ret' is set in type_pf_tdel() but not used, remove. Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/ipset/ip_set_ahash.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h index a0196ac79051..ac3c822eb39a 100644 --- a/include/linux/netfilter/ipset/ip_set_ahash.h +++ b/include/linux/netfilter/ipset/ip_set_ahash.h @@ -839,7 +839,7 @@ type_pf_tdel(struct ip_set *set, void *value, u32 timeout) struct htable *t = h->table; const struct type_pf_elem *d = value; struct hbucket *n; - int i, ret = 0; + int i; struct type_pf_elem *data; u32 key; @@ -850,7 +850,7 @@ type_pf_tdel(struct ip_set *set, void *value, u32 timeout) if (!type_pf_data_equal(data, d)) continue; if (type_pf_data_expired(data)) - ret = -IPSET_ERR_EXIST; + return -IPSET_ERR_EXIST; if (i != n->pos - 1) /* Not last one */ type_pf_data_copy(data, ahash_tdata(n, n->pos - 1)); From 9184a9cba622d9e38462ce11dff7da094b4fea84 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Tue, 24 May 2011 10:20:19 +0200 Subject: [PATCH 3/5] netfilter: ipset: fix ip_set_flush return code ip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixed Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso --- net/netfilter/ipset/ip_set_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 72d1ac611fdc..8041befc6555 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -815,7 +815,7 @@ ip_set_flush(struct sock *ctnl, struct sk_buff *skb, ip_set_id_t i; if (unlikely(protocol_failed(attr))) - return -EPROTO; + return -IPSET_ERR_PROTOCOL; if (!attr[IPSET_ATTR_SETNAME]) { for (i = 0; i < ip_set_max; i++) From 97242c85a2c8160eac5a6e945209b5b6ae8ab5a3 Mon Sep 17 00:00:00 2001 From: David Miller Date: Thu, 19 May 2011 18:14:39 -0400 Subject: [PATCH 4/5] netfilter: Fix several warnings in compat_mtw_from_user(). Kill set but not used 'entry_offset'. Add a default case to the switch statement so the compiler can see that we always initialize off and size_kern before using them. Signed-off-by: David S. Miller Signed-off-by: Pablo Neira Ayuso --- net/bridge/netfilter/ebtables.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 1a92b369c820..2b5ca1a0054d 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1883,14 +1883,13 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt, struct xt_target *wt; void *dst = NULL; int off, pad = 0; - unsigned int size_kern, entry_offset, match_size = mwt->match_size; + unsigned int size_kern, match_size = mwt->match_size; strlcpy(name, mwt->u.name, sizeof(name)); if (state->buf_kern_start) dst = state->buf_kern_start + state->buf_kern_offset; - entry_offset = (unsigned char *) mwt - base; switch (compat_mwt) { case EBT_COMPAT_MATCH: match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE, @@ -1933,6 +1932,9 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt, size_kern = wt->targetsize; module_put(wt->me); break; + + default: + return -EINVAL; } state->buf_kern_offset += match_size + off; From c74c0bfe0b61cf41a897c2444c038e0d3f600556 Mon Sep 17 00:00:00 2001 From: Hans Schillstrom Date: Tue, 24 May 2011 14:11:05 +0200 Subject: [PATCH 5/5] IPVS: bug in ip_vs_ftp, same list heaad used in all netns. When ip_vs was adapted to netns the ftp application was not adapted in a correct way. However this is a fix to avoid kernel errors. In the long term another solution might be chosen. I.e the ports that the ftp appl, uses should be per netns. Signed-off-by: Hans Schillstrom Acked-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso --- include/net/ip_vs.h | 3 ++- net/netfilter/ipvs/ip_vs_ftp.c | 27 +++++++++++++++++++-------- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h index 4fff432aeade..481f856c650f 100644 --- a/include/net/ip_vs.h +++ b/include/net/ip_vs.h @@ -797,7 +797,8 @@ struct netns_ipvs { struct list_head rs_table[IP_VS_RTAB_SIZE]; /* ip_vs_app */ struct list_head app_list; - + /* ip_vs_ftp */ + struct ip_vs_app *ftp_app; /* ip_vs_proto */ #define IP_VS_PROTO_TAB_SIZE 32 /* must be power of 2 */ struct ip_vs_proto_data *proto_data_table[IP_VS_PROTO_TAB_SIZE]; diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c index 6b5dd6ddaae9..af63553fa332 100644 --- a/net/netfilter/ipvs/ip_vs_ftp.c +++ b/net/netfilter/ipvs/ip_vs_ftp.c @@ -411,25 +411,35 @@ static struct ip_vs_app ip_vs_ftp = { static int __net_init __ip_vs_ftp_init(struct net *net) { int i, ret; - struct ip_vs_app *app = &ip_vs_ftp; + struct ip_vs_app *app; + struct netns_ipvs *ipvs = net_ipvs(net); + + app = kmemdup(&ip_vs_ftp, sizeof(struct ip_vs_app), GFP_KERNEL); + if (!app) + return -ENOMEM; + INIT_LIST_HEAD(&app->a_list); + INIT_LIST_HEAD(&app->incs_list); + ipvs->ftp_app = app; ret = register_ip_vs_app(net, app); if (ret) - return ret; + goto err_exit; for (i=0; iprotocol, ports[i]); if (ret) - break; + goto err_unreg; pr_info("%s: loaded support on port[%d] = %d\n", app->name, i, ports[i]); } + return 0; - if (ret) - unregister_ip_vs_app(net, app); - +err_unreg: + unregister_ip_vs_app(net, app); +err_exit: + kfree(ipvs->ftp_app); return ret; } /* @@ -437,9 +447,10 @@ static int __net_init __ip_vs_ftp_init(struct net *net) */ static void __ip_vs_ftp_exit(struct net *net) { - struct ip_vs_app *app = &ip_vs_ftp; + struct netns_ipvs *ipvs = net_ipvs(net); - unregister_ip_vs_app(net, app); + unregister_ip_vs_app(net, ipvs->ftp_app); + kfree(ipvs->ftp_app); } static struct pernet_operations ip_vs_ftp_ops = {