netfilter: fix two recent sysctl problems

Starting with 9043476f726802f4b00c96d0c4f418dde48d1304 ("[PATCH]
sanitize proc_sysctl") we have two netfilter-related problems:

- WARNING: at kernel/sysctl.c:1966 unregister_sysctl_table+0xcc/0x103(),
caused by the wrong order of init/fini calls

- net.netfilter is duplicated and has truncated set of records

Thanks to very useful guidelines from Al Viro, this patch fixes both
of them.

Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Krzysztof Piotr Oledzki and committed by David S. Miller 9714be7d 1ca615fb

+20 -14
+3 -3
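--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1032,10 +1032,10 @@
 	nf_ct_free_hashtable(nf_conntrack_hash, nf_conntrack_vmalloc,
 			     nf_conntrack_htable_size);
 
-	nf_conntrack_proto_fini();
-	nf_conntrack_helper_fini();
-	nf_conntrack_expect_fini();
 	nf_conntrack_acct_fini();
+	nf_conntrack_expect_fini();
+	nf_conntrack_helper_fini();
+	nf_conntrack_proto_fini();
 }
 
 struct hlist_head *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced)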
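Review bot: The order of the four `_fini()` calls is now load-bearing, but nothing at the call site says so. Per the commit message, the wrong order is what triggered the unregister_sysctl_table() warning, and the next subsystem added here could easily be appended in the wrong place. A one-line comment above the block, e.g. `/* teardown must run in the reverse order of the matching init calls */`, would record the constraint. The enclosing function starts outside the hunk and the init sequence it has to mirror is not visible here, so the exact order should be checked against that code.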
+17 -11
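--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -324,6 +324,7 @@
 static int log_invalid_proto_max = 255;
 
 static struct ctl_table_header *nf_ct_sysctl_header;
+static struct ctl_table_header *nf_ct_netfilter_header;
 
 static ctl_table nf_ct_sysctl_table[] = {
 	{
@@
 
 static ctl_table nf_ct_netfilter_table[] = {
 	{
-		.ctl_name = NET_NETFILTER,
-		.procname = "netfilter",
-		.mode = 0555,
-		.child = nf_ct_sysctl_table,
-	},
-	{
 		.ctl_name = NET_NF_CONNTRACK_MAX,
 		.procname = "nf_conntrack_max",
 		.data = &nf_conntrack_max,
@@
 
 static int nf_conntrack_standalone_init_sysctl(void)
 {
-	nf_ct_sysctl_header =
+	nf_ct_netfilter_header =
 		register_sysctl_paths(nf_ct_path, nf_ct_netfilter_table);
-	if (nf_ct_sysctl_header == NULL) {
-		printk("nf_conntrack: can't register to sysctl.\n");
-		return -ENOMEM;
-	}
+	if (!nf_ct_netfilter_header)
+		goto out;
+
+	nf_ct_sysctl_header =
+		register_sysctl_paths(nf_net_netfilter_sysctl_path,
+				      nf_ct_sysctl_table);
+	if (!nf_ct_sysctl_header)
+		goto out_unregister_netfilter;
+
 	return 0;
 
+out_unregister_netfilter:
+	unregister_sysctl_table(nf_ct_netfilter_header);
+out:
+	printk("nf_conntrack: can't register to sysctl.\n");
+	return -ENOMEM;
 }
 
 static void nf_conntrack_standalone_fini_sysctl(void)
 {
+	unregister_sysctl_table(nf_ct_netfilter_header);
 	unregister_sysctl_table(nf_ct_sysctl_header);
 }
 #else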
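Review bot: nf_conntrack_standalone_fini_sysctl() unregisters nf_ct_netfilter_header before nf_ct_sysctl_header, which is the same order nf_conntrack_standalone_init_sysctl() registers them in, not the reverse. The two tables appear to be independent registrations, so this may be harmless, but this commit exists to fix mis-ordered init/fini and the new error path in init already unwinds in reverse. Mirroring that in fini costs nothing: `unregister_sysctl_table(nf_ct_sysctl_header);` followed by `unregister_sysctl_table(nf_ct_netfilter_header);`. Separately, the `printk()` under `out:` carries no log level; `printk(KERN_ERR "nf_conntrack: can't register to sysctl.\n");` would make the severity explicit.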