git.baikalelectronics.ru Git - kernel.git/commit

author	Anders K. Pedersen <akp@cohaesio.com>
	Sun, 20 Nov 2016 16:38:47 +0000 (16:38 +0000)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 24 Nov 2016 13:43:34 +0000 (14:43 +0100)
commit	391f0d9562e10055393a496bed98bda017c6a88e
tree	81cbe225d30cc88bb084a810a1d7d98f7026ac3a	tree \| snapshot
parent	5774277a57e44ef3d9b6d12e19d5bd730173c414	commit \| diff

netfilter: nf_tables: fix inconsistent element expiration calculation

As Liping Zhang reports, after commit ba373cecf896 ("netfilter: nft_dynset:
fix element timeout for HZ != 1000"), priv->timeout was stored in jiffies,
while set->timeout was stored in milliseconds. This is inconsistent and
incorrect.

Firstly, we already call msecs_to_jiffies in nft_set_elem_init, so
priv->timeout will be converted to jiffies twice.

Secondly, if the user did not specify the NFTA_DYNSET_TIMEOUT attr,
set->timeout will be used, but we forget to call msecs_to_jiffies
when do update elements.

Fix this by using jiffies internally for traditional sets and doing the
conversions to/from msec when interacting with userspace - as dynset
already does.

This is preferable to doing the conversions, when elements are inserted or
updated, because this can happen very frequently on busy dynsets.

Fixes: ba373cecf896 ("netfilter: nft_dynset: fix element timeout for HZ != 1000")
Reported-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
Acked-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_tables.h		diff \| blob \| history
net/netfilter/nf_tables_api.c		diff \| blob \| history