[PATCH nf v3 0/4] netfilter: ipt_CLUSTERIP: fix bugs in ipt_CLUSTERIP

This patchset fixes bugs in ipt_CLUSTERIP.

The first patch fixes a deadlock when a netns is destroyed.
When a netns is destroyed, cleanup_net() is called.
That function calls the ->exit callback of pernet_ops.
The ->exit callback of ipt_CLUSTERIP holds the same lock as cleanup_net(),
so a deadlock occurs.

The second patch removes a wrong WARN_ON_ONCE() in clusterip_net_exit().
The WARN_ON_ONCE() in clusterip_net_exit() is there to check that cleanup
was done successfully, but clusterip_net_exit() is called earlier than the
cleanup function (clusterip_tg_destroy), so it can't check that.

The third patch fixes a sleep-in-atomic bug when the config structure is destroyed.
In order to sync creation and removal of the proc entry, proc_remove() is placed inside a spin_lock.
But proc_remove() can sleep, so proc_remove() shouldn't be inside
the spin_lock.

The fourth patch does not allow an incompatible MAC address config setting.
If a config with the same destination IP address already exists, that config is
just used. The MAC address should also be the same.
However, there is no MAC address checking routine.

v3: add fourth patch.
v2:
 - use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso)
 - add missing dev_mc_add() and dev_mc_del().
 - add third patch.
v1: Initial patch

Taehee Yoo (4):
  netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
  netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit
    routine
  netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in
    clusterip_config_entry_put()
  netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is
    set

 net/ipv4/netfilter/ipt_CLUSTERIP.c | 178 +++++++++++++++++------------
 1 file changed, 103 insertions(+), 75 deletions(-)

-- 
2.17.1
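
The sleep-in-atomic bug described for the third patch, as an added user-space C model that is not part of the patchset: the spinlock's atomic context is tracked with a depth counter, proc_remove() is replaced by a mock that records being called while that depth is non-zero, and the buggy and fixed shapes of the final put are compared. The names (atomic_depth, mock_proc_remove, entry_put_buggy, entry_put_fixed, run_scenario) are assumptions for this model; the kernel's clusterip code is not reproduced.

```c
#include <stdatomic.h>
#include <stdbool.h>
/* Depth of "atomic context": while > 0 the code may not sleep (models spin_lock_bh). */
static int atomic_depth;
static int sleep_in_atomic_hits;
struct config {
    atomic_flag lock;  /* stands in for cn->lock */
    int entries;       /* refcount, like c->entries */
    bool pde_present;  /* the proc entry */
};

static void lock(struct config *c)   { while (atomic_flag_test_and_set(&c->lock)) {} atomic_depth++; }
static void unlock(struct config *c) { atomic_depth--; atomic_flag_clear(&c->lock); }

/* Stands in for proc_remove(), which may sleep: calling it with atomic_depth > 0 is the bug. */
static void mock_proc_remove(struct config *c)
{
    if (atomic_depth > 0)
        sleep_in_atomic_hits++;  /* the kernel would report "sleeping function called from invalid context" */
    c->pde_present = false;
}

/* Buggy shape: the last put removes the proc entry while the spinlock is still held. */
static void entry_put_buggy(struct config *c)
{
    lock(c);
    if (--c->entries == 0)
        mock_proc_remove(c);
    unlock(c);
}

/* Fixed shape: decide under the lock, release it, then do the cleanup that may sleep. */
static void entry_put_fixed(struct config *c)
{
    lock(c);
    bool last = (--c->entries == 0);
    unlock(c);
    if (last)
        mock_proc_remove(c);
}

/* Runs one final put on a fresh config (constructed here) and returns the number of violations. */
static int run_scenario(bool fixed)
{
    struct config c = { ATOMIC_FLAG_INIT, 1, true };
    sleep_in_atomic_hits = 0;
    if (fixed) entry_put_fixed(&c); else entry_put_buggy(&c);
    return sleep_in_atomic_hits;
}
```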



