[Devel] [PATCH RHEL7 COMMIT] ve/iptable_raw: Don't reuse VE_IP_IPTABLES bit

Konstantin Khorenko khorenko at virtuozzo.com
Tue Jun 16 05:11:20 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.13
------>
commit 8ad5e2a13002fb4d05879692f5ca578d32373846
Author: Kirill Tkhai <ktkhai at odin.com>
Date:   Tue Jun 16 16:11:20 2015 +0400

    ve/iptable_raw: Don't reuse VE_IP_IPTABLES bit
    
    We can't use the same bit in _iptables_modules for different
    modules. This leads to a memory leak, because the bit is cleared
    after the first pernet exit method runs, so only one pernet exit is executed.
    
    Found in the process of fixing: https://jira.sw.ru/browse/PSBM-34192.
    
    Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
    Acked-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
---
 net/ipv4/netfilter/iptable_raw.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 6627256..d52e1dd 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -41,10 +41,13 @@ static struct nf_hook_ops *rawtable_ops __read_mostly;
 static int __net_init iptable_raw_net_init(struct net *net)
 {
 	struct ipt_replace *repl;
+	int ret;
 
 	if (!net_ipt_permitted(net, VE_IP_IPTABLES))
 		return 0;
 
+	BUG_ON(net->ipv4.iptable_raw);
+
 	repl = ipt_alloc_initial_table(&packet_raw);
 	if (repl == NULL)
 		return -ENOMEM;
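Review bot: `BUG_ON(net->ipv4.iptable_raw)` on the added line turns a stale per-netns table pointer into a full host panic, which for a per-VE init path is a heavier response than the invariant needs; `if (WARN_ON_ONCE(net->ipv4.iptable_raw)) return -EEXIST;` keeps the diagnostic while failing only the offending netns setup. The new `int ret;` is first assigned in the next hunk, so leaving it uninitialized here is fine, but a one-line comment on the check such as `/* a leftover table here means an earlier exit skipped the unregister */` would record why it exists, since that is the leak the commit message describes. iptable_raw_net_init's body continues into the next hunk.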
@@ -52,19 +55,21 @@ static int __net_init iptable_raw_net_init(struct net *net)
 		ipt_register_table(net, &packet_raw, repl);
 	kfree(repl);
 
-	net_ipt_module_set(net, VE_IP_IPTABLES);
+	ret = PTR_RET(net->ipv4.iptable_raw);
+	if (ret)
+		net->ipv4.iptable_raw = NULL;
 
-	return PTR_RET(net->ipv4.iptable_raw);
+	return ret;
 }
 
 static void __net_exit iptable_raw_net_exit(struct net *net)
 {
-	if (!net_is_ipt_module_set(net, VE_IP_IPTABLES))
+	if (!net->ipv4.iptable_raw)
 		return;
 
 	ipt_unregister_table(net, net->ipv4.iptable_raw);
 
-	net_ipt_module_clear(net, VE_IP_IPTABLES);
+	net->ipv4.iptable_raw = NULL;
 }
 
 static struct pernet_operations iptable_raw_net_ops = {
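Review bot: `net->ipv4.iptable_raw` now doubles as the "table is registered" marker for this netns (stored by init, tested and cleared by exit), but nothing in the file says so, whereas the module-bit helpers it replaces made that role explicit; a comment at the exit check such as `/* the table pointer is the only registration marker; NULL means init was skipped or failed */` would keep a later change from reintroducing a shared bit. Resetting the pointer to NULL after `PTR_RET` on the error path is what makes the exit check safe, so the `if (ret)` pair should stay next to the return rather than be folded into the register call. If other iptable_* modules still share VE_IP_IPTABLES, as the commit message implies, they presumably need the same treatment, which is outside this diff. iptable_raw_net_init starts in the previous hunk.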


