Commit 9714be7d authored by Krzysztof Piotr Oledzki's avatar Krzysztof Piotr Oledzki Committed by David S. Miller

netfilter: fix two recent sysctl problems

Starting with 9043476f ("[PATCH]
sanitize proc_sysctl") we have two netfilter related problems:

 - WARNING: at kernel/sysctl.c:1966 unregister_sysctl_table+0xcc/0x103(),
   caused by wrong order of ini/fini calls

 - net.netfilter is duplicated and has truncated set of records

Thanks to very useful guidelines from Al Viro, this patch fixes both
of them.
Signed-off-by: default avatarKrzysztof Piotr Oledzki <ole@ans.pl>
Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 1ca615fb
...@@ -1032,10 +1032,10 @@ void nf_conntrack_cleanup(void) ...@@ -1032,10 +1032,10 @@ void nf_conntrack_cleanup(void)
nf_ct_free_hashtable(nf_conntrack_hash, nf_conntrack_vmalloc, nf_ct_free_hashtable(nf_conntrack_hash, nf_conntrack_vmalloc,
nf_conntrack_htable_size); nf_conntrack_htable_size);
nf_conntrack_proto_fini();
nf_conntrack_helper_fini();
nf_conntrack_expect_fini();
nf_conntrack_acct_fini(); nf_conntrack_acct_fini();
nf_conntrack_expect_fini();
nf_conntrack_helper_fini();
nf_conntrack_proto_fini();
} }
struct hlist_head *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced) struct hlist_head *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced)
......
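Review bot: The new call order in nf_conntrack_cleanup() (acct, expect, helper, proto) is what keeps the unregister_sysctl_table() warning from the commit message away, but nothing in the code records that the order matters, so a later reorder would bring the WARNING back silently. A short comment above the first fini call would pin it down: `/* teardown order must be the reverse of initialisation; the sysctl unregister path warns otherwise */`. Presumably this is the reverse of the init sequence, though that code is not in the hunk. nf_conntrack_cleanup() itself begins before the hunk.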
...@@ -324,6 +324,7 @@ static int log_invalid_proto_min = 0; ...@@ -324,6 +324,7 @@ static int log_invalid_proto_min = 0;
static int log_invalid_proto_max = 255; static int log_invalid_proto_max = 255;
static struct ctl_table_header *nf_ct_sysctl_header; static struct ctl_table_header *nf_ct_sysctl_header;
static struct ctl_table_header *nf_ct_netfilter_header;
static ctl_table nf_ct_sysctl_table[] = { static ctl_table nf_ct_sysctl_table[] = {
{ {
...@@ -383,12 +384,6 @@ static ctl_table nf_ct_sysctl_table[] = { ...@@ -383,12 +384,6 @@ static ctl_table nf_ct_sysctl_table[] = {
#define NET_NF_CONNTRACK_MAX 2089 #define NET_NF_CONNTRACK_MAX 2089
static ctl_table nf_ct_netfilter_table[] = { static ctl_table nf_ct_netfilter_table[] = {
{
.ctl_name = NET_NETFILTER,
.procname = "netfilter",
.mode = 0555,
.child = nf_ct_sysctl_table,
},
{ {
.ctl_name = NET_NF_CONNTRACK_MAX, .ctl_name = NET_NF_CONNTRACK_MAX,
.procname = "nf_conntrack_max", .procname = "nf_conntrack_max",
...@@ -409,18 +404,29 @@ EXPORT_SYMBOL_GPL(nf_ct_log_invalid); ...@@ -409,18 +404,29 @@ EXPORT_SYMBOL_GPL(nf_ct_log_invalid);
static int nf_conntrack_standalone_init_sysctl(void) static int nf_conntrack_standalone_init_sysctl(void)
{ {
nf_ct_sysctl_header = nf_ct_netfilter_header =
register_sysctl_paths(nf_ct_path, nf_ct_netfilter_table); register_sysctl_paths(nf_ct_path, nf_ct_netfilter_table);
if (nf_ct_sysctl_header == NULL) { if (!nf_ct_netfilter_header)
printk("nf_conntrack: can't register to sysctl.\n"); goto out;
return -ENOMEM;
} nf_ct_sysctl_header =
register_sysctl_paths(nf_net_netfilter_sysctl_path,
nf_ct_sysctl_table);
if (!nf_ct_sysctl_header)
goto out_unregister_netfilter;
return 0; return 0;
out_unregister_netfilter:
unregister_sysctl_table(nf_ct_netfilter_header);
out:
printk("nf_conntrack: can't register to sysctl.\n");
return -ENOMEM;
} }
static void nf_conntrack_standalone_fini_sysctl(void) static void nf_conntrack_standalone_fini_sysctl(void)
{ {
unregister_sysctl_table(nf_ct_netfilter_header);
unregister_sysctl_table(nf_ct_sysctl_header); unregister_sysctl_table(nf_ct_sysctl_header);
} }
#else #else
......
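Review bot: The failure message in nf_conntrack_standalone_init_sysctl() is still a bare `printk` with no log level, so the registration failure is logged at the default level instead of as an error; since the line is being moved anyway it should become `printk(KERN_ERR "nf_conntrack: can't register to sysctl.\n");`. The unwind itself looks right: a failed second registration releases the first through out_unregister_netfilter before reporting. In nf_conntrack_standalone_fini_sysctl() the two headers are unregistered in the same order they were registered rather than the reverse; with nf_ct_sysctl_table no longer a child of nf_ct_netfilter_table (the entry removed in the second hunk) the two tables appear independent and this should be harmless, but swapping the two unregister lines would keep teardown symmetric with the error path.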