Richard Guy Briggs writes:
> On 2017-05-24 19:31, Pablo Neira Ayuso wrote:
>> Cc'ing Eric Biederman.
>>
>> On Thu, May 18, 2017 at 01:21:52PM -0400, Richard Guy Briggs wrote:
>> > diff --git a/net/bridge/netfilter/ebtables.c
>> > b/net/bridge/netfilter/ebtables.c
>> > index 59b63a8..0f77b2a 100
>> 5. ftp helper is unloaded, which resets all helpers of the conntracks
>> via for_each_net()
>>
>> but because netns is already gone from list the for_each_net() loop
>> doesn't include it, therefore all of these conntracks are unaffected.
>>
>>
ecause netns is already gone from list the for_each_net() loop
> doesn't include it, therefore all of these conntracks are unaffected.
>
> 6. helper module unload finishes
> 7. netns wq invokes destructor for rmmod'ed helper
>
> CC: "Eric W. Biederman"
> Repor
disable
> helpers. It's very old thing indeed and as you can see, very sparse
> grain for the netns era... But still I think we need this.
>
> So I'm inclined to take this, and keep an eye to deprecate this
> behaviour in a several years ahead once. Probably we can ge
Cong Wang writes:
> On Tue, Jul 24, 2018 at 8:14 AM David Ahern wrote:
>>
>> On 7/19/18 11:12 AM, Cong Wang wrote:
>> > On Thu, Jul 19, 2018 at 9:16 AM David Ahern wrote:
>> >>
>> >> Chatting with Nikolay about this and he brought up a good corollary - ip
>> >> fragmentation. It really is a sim
David Ahern writes:
> On 7/25/18 6:33 AM, Eric W. Biederman wrote:
>> Cong Wang writes:
>>
>>> On Tue, Jul 24, 2018 at 8:14 AM David Ahern wrote:
>>>>
>>>> On 7/19/18 11:12 AM, Cong Wang wrote:
>>>>> On Thu, Jul 19, 2018 at 9:16 A
David Ahern writes:
> On 7/25/18 11:38 AM, Eric W. Biederman wrote:
>>
>> Absolutely NOT. Global thresholds are exactly correct given the fact
>> you are running on a single kernel.
>>
>> Memory is not free (Even though we are swimming in enough of it memor
David Laight writes:
> From: Eric W. Biederman
>> Sent: 25 July 2018 18:38
> ...
>> >> Further unless I misread something you are increasing the number of
>> >> timers to 3 per namespace. If I create a thousand network
>> >> namespaces
David Ahern writes:
> On 7/25/18 1:17 PM, Eric W. Biederman wrote:
>> David Ahern writes:
>>
>>> On 7/25/18 11:38 AM, Eric W. Biederman wrote:
>>>>
>>>> Absolutely NOT. Global thresholds are exactly correct given the fact
>>>> you
David Miller writes:
> From: Nikolay Borisov
> Date: Mon, 15 Feb 2016 12:02:57 +0200
>
>> This series continues namespacifying more net related knobs.
>> The focus here is on ip options. Patches 1,3,4,5 namespacify
>> the respective sysctl knobs. Patch 2 moves some igmp code to the
>> correct f
Pablo Neira Ayuso writes:
> On Wed, May 11, 2016 at 05:41:13PM +0200, Florian Westphal wrote:
>> diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
>> index 5baa8e2..9722819 100644
>> --- a/net/netfilter/nf_queue.c
>> +++ b/net/netfilter/nf_queue.c
>> @@ -102,6 +102,13 @@ void nf_qu
Florian Westphal writes:
> Eric W. Biederman wrote:
>> > On Wed, May 11, 2016 at 05:41:13PM +0200, Florian Westphal wrote:
>> >> diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
>> >> index 5baa8e2..9722819 100644
>> >> --- a/ne
Florian Westphal writes:
> Eric W. Biederman wrote:
>> > AFAICS no other callers do something similar, but yes,
>> > we'd need this all over the place if there are others.
>> >
>> > Maybe we need a saner fix, e.g. by adding bounds check to net_gene
could have similar issues.
Eric
From: "Eric W. Biederman"
Date: Fri, 13 May 2016 15:26:03 -0500
Subject: [PATCH] nf_queue: Make the queue_handler pernet
Florian Weber reported:
> Under full load (unshare() in loop -> OOM conditions) we can
> get kernel panic:
>
> BUG
Florian Westphal writes:
> Eric W. Biederman wrote:
>> Florian could you test and verify this patch fixes your issues?
>
> Yes, this seems to work.
>
> Pablo, I'm fine with this patch going into -nf/stable but I do not think
> making the pointers per netns is a
eue module to be
reused with no changes except for making it per net.
The synchronize_rcu from nf_unregister_queue_handler is moved to a new
function nfnl_queue_net_exit_batch so that the worst case of having a
synchronize_rcu in the pernet exit path is not experienced in batch
mode.
Re
Florian Westphal writes:
> Eric W. Biederman wrote:
>> Florian Westphal writes:
>>
>> > Eric W. Biederman wrote:
>> >> Florian could you test and verify this patch fixes your issues?
>> >
>> > Yes, this seems to work.
>> >
>
Kevin Cernekee writes:
> From: "Eric W. Biederman"
>
> Making this work is a little tricky as it really isn't kosher to
> change the xt_owner_match_info in a check function.
>
> Without changing xt_owner_match_info we need to know the user
> namespace the uid
Florian Westphal writes:
> Kevin Cernekee wrote:
>> @@ -35,6 +63,7 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param
>> *par)
>> const struct xt_owner_match_info *info = par->matchinfo;
>> const struct file *filp;
>> struct sock *sk = skb_to_full_sk(skb);
>> +cons
Pablo Neira Ayuso writes:
> On Mon, Jun 13, 2016 at 09:06:55PM -0500, Eric W. Biederman wrote:
>> Florian Westphal writes:
>>
>> > Kevin Cernekee wrote:
>> >> @@ -35,6 +63,7 @@ owner_mt(const struct sk_buff *skb, struct
>> >> xt_action_para
There is already a
> precedent for this in rtnl_link_unregister() which addresses similar
> race.
So this analysis of a problem appears to be spot on.
Reviewed-by: "Eric W. Biederman"
I really really want there to be a better way to do this, but it is
really not ok for a ho
Baole Ni writes:
> I find that the developers often just specified the numeric value
> when calling a macro which is defined with a parameter for access permission.
> As we know, these numeric value for access permission have had the
> corresponding macro,
> and that using macro can improve the
Christoph Hellwig writes:
> The whole seq_file sequence already operates under a single RCU lock pair,
> so move the pid namespace lookup into it, and stop grabbing a reference
> and remove all kinds of boilerplate code.
This is wrong.
Move task_active_pid_ns(current) from open to seq_start act
Christoph Hellwig writes:
> Use remove_proc_subtree to remove the whole subtree on cleanup, and
> unwind the registration loop into individual calls. Switch to use
> proc_create_seq where applicable.
Can you please explain why you are removing the error handling when
you are unwinding the regis
REG|S_IRUGO so I don't think the write support was ever finished.
That cap_capable in the write method looks downright scary/buggy.
Acked-by: "Eric W. Biederman"
Eric
>
> Signed-off-by: Christoph Hellwig
> ---
> drivers/ide/ide-proc.c | 46 --
Christoph Hellwig writes:
> On Sat, May 05, 2018 at 07:51:18AM -0500, Eric W. Biederman wrote:
>> Christoph Hellwig writes:
>>
>> > Use remove_proc_subtree to remove the whole subtree on cleanup, and
>> > unwind the registration loop into individual calls. S
Christoph Hellwig writes:
> On Sat, May 05, 2018 at 07:37:33AM -0500, Eric W. Biederman wrote:
>> Christoph Hellwig writes:
>>
>> > The whole seq_file sequence already operates under a single RCU lock pair,
>> > so move the pid namespace lookup into it, and s
Christoph Hellwig writes:
> On Thu, May 17, 2018 at 12:28:01AM -0500, Eric W. Biederman wrote:
>> > struct pid_namespace *proc_pid_namespace(struct inode *inode)
>> > {
>> >// maybe warn on for s_magic not on procfs??
>> >return inode->i_sb-