Message ID | 8737y7irc8.fsf_-_@x220.int.ebiederm.org
---|---
State | Awaiting Upstream
Delegated to: | Pablo Neira
Hello,

On Mon, 21 Sep 2015, Eric W. Biederman wrote:

> I am gradually working my way through the netfilter stack passing struct
> down into the netfilter hooks and from the netfilter hooks and from
> there down into the functions that actually care. This removes the need
> for netfilter functions to guess how to figure out how to compute which
> network namespace they are in and instead provides a simple and reliable
> method to do so.
>
> The cleanups stand on their own but this is part of a larger effort to
> have routes with an output device that is not in the current network
> namespace.
>
> The IPVS code has been a bit more of a challenge than most. Just
> passing struct net through to where it is needed did not feel clean to
> me. The practical issue is that the ipvs code in most places actually
> wants struct netns_ipvs and not struct net.
>
> So as part of this process I have turned the relationship between struct
> net and the structs netns_ipvs, ip_vs_conn_param, ip_vs_conn, and
> ip_vs_service inside out. I have modified the ipvs functions to take a
> struct netns_ipvs not a struct net. The net is code with fewer
> conversions from one type of structure to another. I did wind up adding
> a struct netns_ipvs parameter to quite a few functions that did not have
> it before so I could pass the structure down from the netfilter hooks to
> where it is actually needed to avoid guessing.
>
> I have broken up the work in a bunch of small patches so there is at
> least a chance at reviewing that each step I took is correct. The
> series compiles at each step so bisecting it should not be a problem
> if something weird comes up.
>
> The first two changes in this series are actually bug fixes. The first
> is a compile fix for a bug in sctp that came in, in the last round of
> ipvs changes merged into nf-next. The second fixes an older bug where
> in pathological circumstances the wrong network namespace could be used
> when a proc file is written to.
>
> The rest of the patchset is a bunch of boring changes pushing
> struct netns_ipvs (and by extension ipvs->net) where it needs to be.
> Either by replacing struct net pointers or adding new struct netns_ipvs
> pointers. With a handful of other minor cleanups (like removing
> skb_net).
>
> I have incorporated Julian Anastasov's feedback, which critically
> involves fixing a wrong piece of code.
>
> The changes are also available against nf-next at:
> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/net-next.git master
>
> My entire pending set of changes for those who want to look ahead is at:
> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/net-next.git for-testing
>
> Eric

v2 looks good to me,

Acked-by: Julian Anastasov <ja@ssi.bg>

Regards

--
Julian Anastasov <ja@ssi.bg>

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Sep 22, 2015 at 10:22:13AM +0300, Julian Anastasov wrote:
[...]
> v2 looks good to me,
>
> Acked-by: Julian Anastasov <ja@ssi.bg>

Thanks a lot for reviewing Julian.

Simon, please let me know how you want to handle this. Thanks.
On Tue, Sep 22, 2015 at 10:50:41AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Sep 22, 2015 at 10:22:13AM +0300, Julian Anastasov wrote:
> [...]
> > v2 looks good to me,
> >
> > Acked-by: Julian Anastasov <ja@ssi.bg>
>
> Thanks a lot for reviewing Julian.
>
> Simon, please let me know how you want to handle this. Thanks.

I will see about taking it through my tree (as usual).
On Wed, Sep 23, 2015 at 09:17:27AM +0900, Simon Horman wrote:
> On Tue, Sep 22, 2015 at 10:50:41AM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Sep 22, 2015 at 10:22:13AM +0300, Julian Anastasov wrote:
> > [...]
> > > v2 looks good to me,
> > >
> > > Acked-by: Julian Anastasov <ja@ssi.bg>
> >
> > Thanks a lot for reviewing Julian.
> >
> > Simon, please let me know how you want to handle this. Thanks.
>
> I will see about taking it through my tree (as usual).

Thanks Simon!
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c index 3d461f417c1d..d1d168c7fc68 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c +++ b/net/netfilter/ipvs/ip_vs_conn.c @@ -360,7 +360,7 @@ struct ip_vs_conn *ip_vs_ct_in_get(const struct ip_vs_conn_param *p) hlist_for_each_entry_rcu(cp, &ip_vs_conn_tab[hash], c_list) { if (unlikely(p->pe_data && p->pe->ct_match)) { - if (cp->ipvs == p->ipvs) + if (cp->ipvs != p->ipvs) continue; if (p->pe == cp->pe && p->pe->ct_match(p, cp)) { if (__ip_vs_conn_get(cp)) diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index f7386d5b231c..e7c1b052c2a3 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -1157,7 +1157,7 @@ static void ip_vs_dest_trash_expire(unsigned long data) * Add a service into the service hash table */ static int - ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, +ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, struct ip_vs_service **svc_p) { int ret = 0, i; @@ -3858,7 +3858,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs) } else tbl = vs_vars; /* Initialize sysctl defaults */ - for (idx = 0; idx < sizeof(vs_vars)/sizeof(vs_vars[0]); idx++) { + for (idx = 0; idx < ARRAY_SIZE(vs_vars); idx++) { if (tbl[idx].proc_handler == proc_do_defense_mode) tbl[idx].extra2 = ipvs; } diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c index 0733f36732b4..d30c327bb578 100644 --- a/net/netfilter/ipvs/ip_vs_ftp.c +++ b/net/netfilter/ipvs/ip_vs_ftp.c @@ -468,8 +468,10 @@ err_unreg: static void __ip_vs_ftp_exit(struct net *net) { struct netns_ipvs *ipvs = net_ipvs(net); + if (!ipvs) return; + unregister_ip_vs_app(ipvs, &ip_vs_ftp); }
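Review bot: The inverted comparison in the ip_vs_ct_in_get() hunk is the one substantive fix in this interdiff and should be called out in the changelog of the patch that introduced the `cp->ipvs` check, so a bisect lands on the right commit. With `if (cp->ipvs == p->ipvs) continue;` the loop skipped exactly the connections belonging to the caller's own netns_ipvs and then ran `p->pe->ct_match(p, cp)` against entries from other namespaces, so persistence-engine matching could cross the namespace boundary; `!=` restores the intended per-namespace isolation.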
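Review bot: Cosmetic only in the first ip_vs_ctl.c hunk: the stray leading space before `ip_vs_add_service(struct netns_ipvs *ipvs, ...)` is dropped so the name sits at column 0 under the `static int` line, the usual kernel layout for a wrapped definition. Fine to fold into the patch that reworked this signature rather than carry it as a separate change.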
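Review bot: In the ip_vs_control_net_init_sysctl() hunk, `ARRAY_SIZE(vs_vars)` is the right spelling of the bound, but the loop indexes `tbl`, which only aliases `vs_vars` in the `else tbl = vs_vars;` branch visible here; the other branch must allocate `tbl` with the same element count or the `tbl[idx].extra2 = ipvs` store runs past the end. A one-line comment above the loop stating that invariant would protect it from a later change that trims the per-netns copy.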
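Review bot: The new `if (!ipvs) return;` in `__ip_vs_ftp_exit()` keeps the pernet exit path from handing a NULL `netns_ipvs` to `unregister_ip_vs_app()`, but nothing in the hunk says under which condition `net_ipvs(net)` can be NULL here. A brief comment on the guard naming that case would document what is being defended against instead of leaving the reader to guess; the switch of the first `unregister_ip_vs_app()` argument from `net` to `ipvs` is consistent with the rest of the series.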