netfilter: nf_conntrack: make event callback registration per-netns

This patch fixes an oops that can be triggered following this recipe: 0) make sure nf_conntrack_netlink and nf_conntrack_ipv4 are loaded. 1) container is started. 2) connect to it via lxc-console. 3) generate some traffic with the container to create some conntrack entries in its table. 4) stop the container: you hit one oops because the conntrack table cleanup tries to report the destroy event to user-space but the per-netns nfnetlink socket has already gone (as the nfnetlink socket is per-netns but event callback registration is global). To fix this situation, we make the ctnl_notifier per-netns so the callback is registered/unregistered if the container is created/destroyed. Alex Bligh and Alexey Dobriyan originally proposed one small patch to check if the nfnetlink socket is gone in nfnetlink_has_listeners, but this is a very visited path for events, thus, it may reduce performance and it looks a bit hackish to check for the nfnetlink socket only to workaround this situation. As a result, I decided to follow the bigger path choice, which seems to look nicer to me. Cc: Alexey Dobriyan <adobriyan@gmail.com> Reported-by: Alex Bligh <alex@alex.org.uk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2011-11-21 18:16:51 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2011-11-21 18:34:47 -0500
commit: 70e9942f17a6193e9172a804e6569a8806633d6b (patch)
tree: 5cb0fe0a38a99aa51b70c01f7a7e729480ec5c73 /include
parent: 5e2afba4ecd7931ea06e6fa116ab28e6943dbd42 (diff)
2 files changed, 12 insertions, 9 deletions
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 4283508b3e18..a88fb6939387 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -67,18 +67,18 @@ struct nf_ct_event_notifier {
        int (*fcn)(unsigned int events, struct nf_ct_event *item);
 };
-extern struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;
+extern int nf_conntrack_register_notifier(struct net *net, struct nf_ct_event_notifier *nb);
-extern int nf_conntrack_register_notifier(struct nf_ct_event_notifier *nb);
+extern void nf_conntrack_unregister_notifier(struct net *net, struct nf_ct_event_notifier *nb);
-extern void nf_conntrack_unregister_notifier(struct nf_ct_event_notifier *nb);
 extern void nf_ct_deliver_cached_events(struct nf_conn *ct);
 static inline void
 nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
 {
+        struct net *net = nf_ct_net(ct);
        struct nf_conntrack_ecache *e;
-        if (nf_conntrack_event_cb == NULL)
+        if (net->ct.nf_conntrack_event_cb == NULL)
                return;
        e = nf_ct_ecache_find(ct);
@@ -95,11 +95,12 @@ nf_conntrack_eventmask_report(unsigned int eventmask,
                              int report)
 {
        int ret = 0;
+        struct net *net = nf_ct_net(ct);
        struct nf_ct_event_notifier *notify;
        struct nf_conntrack_ecache *e;
        rcu_read_lock();
-        notify = rcu_dereference(nf_conntrack_event_cb);
+        notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
        if (notify == NULL)
                goto out_unlock;
@@ -164,9 +165,8 @@ struct nf_exp_event_notifier {
        int (*fcn)(unsigned int events, struct nf_exp_event *item);
 };
-extern struct nf_exp_event_notifier __rcu *nf_expect_event_cb;
+extern int nf_ct_expect_register_notifier(struct net *net, struct nf_exp_event_notifier *nb);
-extern int nf_ct_expect_register_notifier(struct nf_exp_event_notifier *nb);
+extern void nf_ct_expect_unregister_notifier(struct net *net, struct nf_exp_event_notifier *nb);
-extern void nf_ct_expect_unregister_notifier(struct nf_exp_event_notifier *nb);
 static inline void
 nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
@@ -174,11 +174,12 @@ nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
                          u32 pid,
                          int report)
 {
+        struct net *net = nf_ct_exp_net(exp);
        struct nf_exp_event_notifier *notify;
        struct nf_conntrack_ecache *e;
        rcu_read_lock();
-        notify = rcu_dereference(nf_expect_event_cb);
+        notify = rcu_dereference(net->ct.nf_expect_event_cb);
        if (notify == NULL)
                goto out_unlock;
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 0249399e51a7..7a911eca0f18 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -18,6 +18,8 @@ struct netns_ct {
        struct hlist_nulls_head unconfirmed;
        struct hlist_nulls_head dying;
        struct ip_conntrack_stat __percpu *stat;
+        struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;
+        struct nf_exp_event_notifier __rcu *nf_expect_event_cb;
        int                     sysctl_events;
        unsigned int            sysctl_events_retry_timeout;
        int                     sysctl_acct;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2011-11-21 18:16:51 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2011-11-21 18:34:47 -0500
commit	70e9942f17a6193e9172a804e6569a8806633d6b (patch)
tree	5cb0fe0a38a99aa51b70c01f7a7e729480ec5c73 /include
parent	5e2afba4ecd7931ea06e6fa116ab28e6943dbd42 (diff)