Message-ID: <Pine.LNX.4.64.0808050000360.29400@bizon.gios.gov.pl>
Date:	Tue, 5 Aug 2008 00:04:51 +0200 (CEST)
From:	Krzysztof Oledzki <ole@....pl>
To:	Al Viro <viro@...IV.linux.org.uk>
cc:	Arjan van de Ven <arjan@...radead.org>, netdev@...r.kernel.org,
	kaber@...sh.net
Subject: Re: Warning when unloading the nf_conntack module (regression?)
On Mon, 4 Aug 2008, Al Viro wrote:

> On Mon, Aug 04, 2008 at 11:16:07PM +0200, Krzysztof Oledzki wrote:
>
>> Solves partially: no more WARNING, however entries are still missing &
>> duplicated:
>>
>> # sysctl -a 2>/dev/null|grep net.netfilter
>> net.netfilter.nf_conntrack_generic_timeout = 600
>> net.netfilter.nf_conntrack_acct = 1
>> net.netfilter.nf_conntrack_generic_timeout = 600
>> net.netfilter.nf_conntrack_acct = 1
>
> Very interesting.  Could you see at which point duplicates appear?  I.e.
> in which sequence do you get registrations, at least on the level of "this
> module is loaded first, no duplicates, this one comes after, etc."

All I need to do is to load a single "nf_conntrack" module.

> 	... ah, hell.  I see what's going on.  The trouble is in
> nf_conntrack_standalone; you get a table that has _both_ net.netfilter.* and
> net.nf_conntrack_max, which means that it's attached to unified tree at
> net; if we already have something with net.netfilter, you've got trouble -
> which entry net.netfilter will come from?

Indeed.

> _All_ this crap comes from lousy historical API; it's too much for this
> cycle, but for .28 I'm going to clean that mess up.  For now, split that
> table in two and register them separately.  I.e. register nf_ct_sysctl_table[]
> at nf_net_netfilter_sysctl_path *and* remove the "netfilter" entry from
> nf_ct_netfilter_table[].

Will do. Thanks.

> I'm really going down right now; will follow up after I get some sleep...

Right. I'll try to prepare and test your ideas at that time. Thank you 
again.

Best regards,

 				Krzysztof Olędzki
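A toy model of the sysctl attachment behaviour Viro describes above, added here as an example (it is not code from this thread or from the kernel). The attach and lookup rules it implements are a deliberate simplification, and the nf_conntrack_count/nf_conntrack_buckets entries and all values are constructed sample data.

```python
# Model: a table registered at a path attaches under the FIRST existing
# directory of each path component; a directory carried inside the table
# itself becomes a second, separate node under its parent. Listing shows
# every node, but name lookup always resolves to the first one, so a
# duplicated directory is walked twice and the second node's entries never
# appear (the symptom in the sysctl -a output quoted above).
class Node:
    def __init__(self):
        self.dirs = {}    # name -> list of Node, one per registering table
        self.leaves = {}  # name -> value

def populate(node, table):
    for name, val in table.items():
        if isinstance(val, dict):
            child = Node()
            node.dirs.setdefault(name, []).append(child)  # new node, not merged
            populate(child, val)
        else:
            node.leaves[name] = val

def register(tree, path, table):
    node = tree
    for comp in path:  # walk/attach along the path, creating dirs as needed
        node = node.dirs.setdefault(comp, [Node()])[0]
    populate(node, table)

def dump(node, prefix=""):
    """Emulate `sysctl -a`: readdir yields a dir name once per node, lookup
    by that name picks the first node, so duplicates repeat its contents."""
    out = [f"{prefix}{k} = {v}" for k, v in node.leaves.items()]
    for name, nodes in node.dirs.items():
        for _ in nodes:
            out += dump(nodes[0], prefix + name + ".")
    return out

def scenario(split):
    tree = Node()
    # per-protocol and acct tables are registered at net.netfilter first
    register(tree, ["net", "netfilter"], {"nf_conntrack_generic_timeout": 600})
    register(tree, ["net", "netfilter"], {"nf_conntrack_acct": 1})
    inner = {"nf_conntrack_count": 0, "nf_conntrack_buckets": 16384}
    if split:  # Viro's suggestion: two tables, registered separately
        register(tree, ["net", "netfilter"], inner)
        register(tree, ["net"], {"nf_conntrack_max": 65536})
    else:      # one table holding both net.netfilter.* and net.nf_conntrack_max
        register(tree, ["net"], {"netfilter": inner, "nf_conntrack_max": 65536})
    return [l for l in dump(tree) if l.startswith("net.netfilter")]

if __name__ == "__main__":
    for split in (False, True):
        print("split" if split else "single table", *scenario(split), sep="\n  ")
```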
