1. 23 Jun, 2009 6 commits
  2. 22 Jun, 2009 7 commits
    • netfilter: xt_rateest: fix comparison with self · 4d900f9d
      Patrick McHardy authored
      As noticed by Török Edwin <edwintorok@gmail.com>:
      
      Compiling the kernel with clang has shown this warning:
      
      net/netfilter/xt_rateest.c:69:16: warning: self-comparison always results in a
      constant value
                              ret &= pps2 == pps2;
                                          ^
      Looking at the code:
              if (info->flags & XT_RATEEST_MATCH_BPS)
                  ret &= bps1 == bps2;
              if (info->flags & XT_RATEEST_MATCH_PPS)
                  ret &= pps2 == pps2;
      
      Judging from the MATCH_BPS case it seems to be a typo, with the intention of
      comparing pps1 with pps2.
      
      http://bugzilla.kernel.org/show_bug.cgi?id=13535
      
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: xt_quota: fix incomplete initialization · 6d62182f
      Jan Engelhardt authored
      Commit v2.6.29-rc5-872-gacc738fe ("xtables: avoid pointer to self")
      forgot to copy the initial quota value supplied by iptables into the
      private structure, thus counting from whatever was in the memory
      kmalloc returned.
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: fix some sparse endianess warnings · f9ffc312
      Patrick McHardy authored
      
      
      net/netfilter/xt_NFQUEUE.c:46:9: warning: incorrect type in assignment (different base types)
      net/netfilter/xt_NFQUEUE.c:46:9:    expected unsigned int [unsigned] [usertype] ipaddr
      net/netfilter/xt_NFQUEUE.c:46:9:    got restricted unsigned int
      net/netfilter/xt_NFQUEUE.c:68:10: warning: incorrect type in assignment (different base types)
      net/netfilter/xt_NFQUEUE.c:68:10:    expected unsigned int [unsigned] <noident>
      net/netfilter/xt_NFQUEUE.c:68:10:    got restricted unsigned int
      net/netfilter/xt_NFQUEUE.c:69:10: warning: incorrect type in assignment (different base types)
      net/netfilter/xt_NFQUEUE.c:69:10:    expected unsigned int [unsigned] <noident>
      net/netfilter/xt_NFQUEUE.c:69:10:    got restricted unsigned int
      net/netfilter/xt_NFQUEUE.c:70:10: warning: incorrect type in assignment (different base types)
      net/netfilter/xt_NFQUEUE.c:70:10:    expected unsigned int [unsigned] <noident>
      net/netfilter/xt_NFQUEUE.c:70:10:    got restricted unsigned int
      net/netfilter/xt_NFQUEUE.c:71:10: warning: incorrect type in assignment (different base types)
      net/netfilter/xt_NFQUEUE.c:71:10:    expected unsigned int [unsigned] <noident>
      net/netfilter/xt_NFQUEUE.c:71:10:    got restricted unsigned int
      
      net/netfilter/xt_cluster.c:20:55: warning: incorrect type in return expression (different base types)
      net/netfilter/xt_cluster.c:20:55:    expected unsigned int
      net/netfilter/xt_cluster.c:20:55:    got restricted unsigned int const [usertype] ip
      net/netfilter/xt_cluster.c:20:55: warning: incorrect type in return expression (different base types)
      net/netfilter/xt_cluster.c:20:55:    expected unsigned int
      net/netfilter/xt_cluster.c:20:55:    got restricted unsigned int const [usertype] ip
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: nf_conntrack: fix conntrack lookup race · 8d8890b7
      Patrick McHardy authored
      
      
      The RCU protected conntrack hash lookup only checks whether the entry
      has a refcount of zero to decide whether it is stale. This is not
      sufficient, entries are explicitly removed while there is at least
      one reference left, possibly more. Explicitly check whether the entry
      has been marked as dying to fix this.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: nf_conntrack: fix confirmation race condition · 5c8ec910
      Patrick McHardy authored
      
      
      New connection tracking entries are inserted into the hash before they
      are fully set up, namely the CONFIRMED bit is not set and the timer not
      started yet. This can theoretically lead to a race with timer, which
      would set the timeout value to a relative value, most likely already in
      the past.
      
      Perform hash insertion as the final step to fix this.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: nf_conntrack: death_by_timeout() fix · 8cc20198
      Eric Dumazet authored
      
      
      death_by_timeout() might delete a conntrack from hash list
      and insert it in dying list.
      
       nf_ct_delete_from_lists(ct);
       nf_ct_insert_dying_list(ct);
      
      I believe a (lockless) reader could *catch* ct while doing a lookup
      and miss the end of its chain.
      (nulls lookup algo must check the null value at the end of lookup and
      should restart if the null value is not the expected one.
      cf Documentation/RCU/rculist_nulls.txt for details)
      
      We need to change nf_conntrack_init_net() and use a different "null" value,
      guaranteed not being used in regular lists. Choose very large values, since
      hash table uses [0..size-1] null values.
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  3. 21 Jun, 2009 7 commits
  4. 20 Jun, 2009 5 commits
  5. 19 Jun, 2009 15 commits