linux/net/netfilter
Patrick McHardy d696c7bdaa netfilter: nf_conntrack: fix hash resizing with namespaces
As noticed by Jon Masters <jonathan@jonmasters.org>, the conntrack hash
size is global and not per namespace, but modifiable at runtime through
/sys/module/nf_conntrack/hashsize. Changing the hash size will only
resize the hash in the current namespace however, so other namespaces
will use an invalid hash size. This can cause crashes when enlarging
the hashsize, or false negative lookups when shrinking it.

Move the hash size into the per-namespace data and only use the global
hash size to initialize the per-namespace value when instantiating a
new namespace. Additionally restrict hash resizing to init_net for
now as other namespaces are not handled currently.

Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-08 11:18:07 -08:00
..
ipvs ipvs: Add boundary check on ioctl arguments 2010-01-04 16:37:12 +01:00
core.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
Kconfig Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2009-06-15 03:02:23 -07:00
Makefile netfilter: passive OS fingerprint xtables match 2009-06-08 17:01:51 +02:00
nf_conntrack_acct.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
nf_conntrack_amanda.c
nf_conntrack_core.c netfilter: nf_conntrack: fix hash resizing with namespaces 2010-02-08 11:18:07 -08:00
nf_conntrack_ecache.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
nf_conntrack_expect.c netfilter: nf_conntrack: fix hash resizing with namespaces 2010-02-08 11:18:07 -08:00
nf_conntrack_extend.c nf_conntrack: Use rcu_barrier() 2009-06-25 16:32:52 +02:00
nf_conntrack_ftp.c netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq() 2010-01-07 18:33:18 +01:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: nf_conntrack: fix hash resizing with namespaces 2010-02-08 11:18:07 -08:00
nf_conntrack_irc.c
nf_conntrack_l3proto_generic.c
nf_conntrack_netbios_ns.c net: skb->rtable accessor 2009-06-03 02:51:02 -07:00
nf_conntrack_netlink.c netfilter: nf_conntrack: fix hash resizing with namespaces 2010-02-08 11:18:07 -08:00
nf_conntrack_pptp.c
nf_conntrack_proto_dccp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
nf_conntrack_proto_generic.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
nf_conntrack_proto_gre.c net: Simplify conntrack_proto_gre pernet operations. 2009-12-01 16:15:55 -08:00
nf_conntrack_proto_sctp.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
nf_conntrack_proto_tcp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
nf_conntrack_proto_udp.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
nf_conntrack_proto_udplite.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
nf_conntrack_proto.c
nf_conntrack_sane.c
nf_conntrack_sip.c netfilter: nf_conntrack_sip: fix off-by-one in compact header parsing 2010-01-19 19:06:59 +01:00
nf_conntrack_standalone.c netfilter: nf_conntrack: fix hash resizing with namespaces 2010-02-08 11:18:07 -08:00
nf_conntrack_tftp.c
nf_internals.h
nf_log.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6 2009-12-08 07:38:50 -08:00
nf_queue.c netfilter: queue: use NFPROTO_ for queue callsites 2009-05-08 10:30:46 +02:00
nf_sockopt.c net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
nf_tproxy_core.c
nfnetlink_log.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2009-12-03 13:23:12 -08:00
nfnetlink_queue.c netfilter: remove unneccessary checks from netlink notifiers 2009-11-06 17:04:00 +01:00
nfnetlink.c netfilter: nfnetlink: constify message attributes and headers 2009-08-25 16:07:58 +02:00
x_tables.c mm: replace various uses of num_physpages by totalram_pages 2009-09-22 07:17:38 -07:00
xt_CLASSIFY.c
xt_cluster.c netfilter: fix some sparse endianess warnings 2009-06-22 14:15:02 +02:00
xt_comment.c
xt_connbytes.c
xt_connlimit.c netfilter: xt_connlimit: fix regression caused by zero family value 2009-11-06 18:08:32 -08:00
xt_connmark.c netfilter: xtables: remove xt_connmark v0 2009-08-10 12:25:12 +02:00
xt_CONNMARK.c netfilter: xtables: remove xt_CONNMARK v0 2009-08-10 12:25:11 +02:00
xt_CONNSECMARK.c
xt_conntrack.c netfilter: xtables: fix conntrack match v1 ipt-save output 2009-11-23 10:43:57 +01:00
xt_dccp.c
xt_dscp.c netfilter: xtables: remove xt_TOS v0 2009-08-10 12:25:11 +02:00
xt_DSCP.c netfilter: xtables: remove xt_TOS v0 2009-08-10 12:25:11 +02:00
xt_esp.c
xt_hashlimit.c mm: replace various uses of num_physpages by totalram_pages 2009-09-22 07:17:38 -07:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_iprange.c netfilter: xtables: remove xt_iprange v0 2009-08-10 13:09:44 +02:00
xt_LED.c
xt_length.c
xt_limit.c netfilter: xt_limit: fix invalid return code in limit_mt_check() 2009-11-23 13:37:23 +01:00
xt_mac.c
xt_mark.c netfilter: xtables: remove xt_mark v0 2009-08-10 13:09:45 +02:00
xt_MARK.c netfilter: xtables: remove xt_MARK v0, v1 2009-08-10 12:25:12 +02:00
xt_multiport.c
xt_NFLOG.c
xt_NFQUEUE.c netfilter: fix some sparse endianess warnings 2009-06-22 14:15:02 +02:00
xt_NOTRACK.c
xt_osf.c netfilter: xt_osf: fix xt_osf_remove_callback() return value 2009-11-19 13:16:26 -08:00
xt_owner.c netfilter: xtables: remove xt_owner v0 2009-08-10 13:32:30 +02:00
xt_physdev.c
xt_pkttype.c
xt_policy.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xt_quota.c netfilter: xt_quota: fix wrong return value (error case) 2009-08-23 19:09:23 -07:00
xt_rateest.c netfilter: xt_rateest: fix comparison with self 2009-06-22 14:17:12 +02:00
xt_RATEEST.c net: restore gnet_stats_basic to previous definition 2009-08-17 21:33:49 -07:00
xt_realm.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xt_recent.c tree-wide: convert open calls to remove spaces to skip_spaces() lib function 2009-12-15 08:53:32 -08:00
xt_sctp.c
xt_SECMARK.c
xt_socket.c netfilter: xt_socket: make module available for INPUT chain 2009-10-29 15:35:10 +01:00
xt_state.c
xt_statistic.c
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c net: skb->dst accessors 2009-06-03 02:51:04 -07:00
xt_TCPOPTSTRIP.c
xt_tcpudp.c
xt_time.c
xt_TPROXY.c
xt_TRACE.c
xt_u32.c