diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2011-11-21 23:16:51 (GMT) |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2011-11-21 23:34:47 (GMT) |
commit | 70e9942f17a6193e9172a804e6569a8806633d6b (patch) | |
tree | 5cb0fe0a38a99aa51b70c01f7a7e729480ec5c73 /lib/audit.c | |
parent | 5e2afba4ecd7931ea06e6fa116ab28e6943dbd42 (diff) | |
download | linux-fsl-qoriq-70e9942f17a6193e9172a804e6569a8806633d6b.tar.xz |
netfilter: nf_conntrack: make event callback registration per-netns
This patch fixes an oops that can be triggered following this recipe:
0) make sure nf_conntrack_netlink and nf_conntrack_ipv4 are loaded.
1) container is started.
2) connect to it via lxc-console.
3) generate some traffic with the container to create some conntrack
entries in its table.
4) stop the container: you hit one oops because the conntrack table
cleanup tries to report the destroy event to user-space but the
per-netns nfnetlink socket has already gone (as the nfnetlink
socket is per-netns but event callback registration is global).
To fix this situation, we make the ctnl_notifier per-netns so the
callback is registered/unregistered if the container is
created/destroyed.
Alex Bligh and Alexey Dobriyan originally proposed one small patch to
check if the nfnetlink socket is gone in nfnetlink_has_listeners,
but this is a very visited path for events, thus, it may reduce
performance and it looks a bit hackish to check for the nfnetlink
socket only to workaround this situation. As a result, I decided
to follow the bigger path choice, which seems to look nicer to me.
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Reported-by: Alex Bligh <alex@alex.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'lib/audit.c')
0 files changed, 0 insertions, 0 deletions