| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFFEFTU8kxXV2pQ3B_goRs2Y7p2ecZ1YuSKSjfYF_58eD1tDqw@mail.gmail.com> Date: Fri, 28 Dec 2012 13:32:29 +0800 From: canqun zhang <canqunzhang@...il.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Gao feng <gaofeng@...fujitsu.com>, netfilter-devel@...r.kernel.org, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, Patrick McHardy <kaber@...sh.net>, pablo@...filter.org Subject: Re: [PATCH 01/19] netfilter: move nf_conntrack initialize out of pernet operations yes,Network namespaces in general can be cleaned up in any order,but when doing /etc/ini.d/iptables restart, the system need cleaning up all net namespace,and init_net should be cleanup lastly.init_net is the first namespace,other net namespace is copied for it ,and it is diuty for Initializing resources,so It in itself is special. 2012/12/28 Eric W. Biederman <ebiederm@...ssion.com>: > canqun zhang <canqunzhang@...il.com> writes: > >> Hi all >> As discussed above,if the host machine create several linux >> containers, there will be several net namespaces.Resources with "nf >> conntrack" are registered or unregistered on the first net >> namespace(init_net),But init_net is not unregistered lastly,so >> cleanuping other net namespaces will triger painic. >> If net namespaces are created with the order of 1,2,...n,they should >> be cleaned with the order of n,...2,1,so in this case init_net will be >> unregistered lastly. > > No. Network namespaces in general can be cleaned up in any order. > > In particular you should never ever expect to see the order > n,n-1,n-2,...,2,1. > > It may make sense to special case init_net in the cleanup order > but I would really rather not. > > Now init_net is special and really should never be cleaned up > for non-modular code. So it almost makes sense to special > case init_net. > > Does anyone know why Alexy decided to do this only for init_net? > > My inclination is that Gao Feng is on the rigt path by just removing > the strange init_net special case and performing the work once > per module load, and once per module unload. > >> I fixed it up (see below). I have taken a lot of test! > > Thank you. > > It is nice to see that we have exposed this mis-assumption. > > I am inclined to leave the order of this list as is so that > other assumptions of network namespace unregistration order > are exposed. > > Unless there is a truly good reason to perform magic on init_net. > > Eric > >> diff -r 6a1a258923f5 -r 2667e89e6f50 net/core/net_namespace.c >> --- a/net/core/net_namespace.c Fri Dec 28 11:01:17 2012 +0800 >> +++ b/net/core/net_namespace.c Fri Dec 28 11:05:12 2012 +0800 >> @@ -450,7 +450,7 @@ >> >> list_del(&ops->list); >> for_each_net(net) >> - list_add_tail(&net->exit_list, &net_exit_list); >> + list_add(&net->exit_list, &net_exit_list); >> ops_exit_list(ops, &net_exit_list); >> ops_free_list(ops, &net_exit_lis >> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists