On Mon, Jul 09, 2012 at 12:29:03AM -0700, David Miller wrote:
> From: pablo@xxxxxxxxxxxxx
> Date: Fri, 6 Jul 2012 13:39:38 +0200
>
> > + if (add_opt.timeout != IPSET_NO_TIMEOUT
> > + && add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
>
> We do not write conditionals like this, with operators beginning
> a continued line. Instead, write this as:
>
> if (a &&
> b)
Oops, indeed, sorry. New patch attached.
I've also rebased my tree to include this change. Should I send a new
pull request?
Let me know what you prefer.
>From a73f89a61f92b364f0b4a3be412b5b70553afc23 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
Date: Fri, 29 Jun 2012 09:42:28 +0000
Subject: [PATCH] netfilter: ipset: timeout fixing bug broke SET target
special timeout value
The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
broke the SET target when no timeout was specified.
Reported-by: Jean-Philippe Menil <jean-philippe.menil@xxxxxxxxxxxxxx>
Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
net/netfilter/xt_set.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 035960e..c6f7db7 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -16,6 +16,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>");
@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
info->del_set.flags, 0, UINT_MAX);
/* Normalize to fit into jiffies */
- if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+ if (add_opt.timeout != IPSET_NO_TIMEOUT &&
+ add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
if (info->add_set.index != IPSET_INVALID_ID)
ip_set_add(info->add_set.index, skb, par, &add_opt);
--
1.7.10
