netfilter: fix two recent sysctl problems
authorKrzysztof Piotr Oledzki <ole@ans.pl>
Wed, 6 Aug 2008 09:35:44 +0000 (02:35 -0700)
committerDavid S. Miller <davem@davemloft.net>
Wed, 6 Aug 2008 09:35:44 +0000 (02:35 -0700)
Starting with 9043476f726802f4b00c96d0c4f418dde48d1304 ("[PATCH]
sanitize proc_sysctl") we have two netfilter-related problems:

 - WARNING: at kernel/sysctl.c:1966 unregister_sysctl_table+0xcc/0x103(),
   caused by wrong order of init/fini calls

 - net.netfilter is duplicated and has truncated set of records

Thanks to very useful guidelines from Al Viro, this patch fixes both
of them.

Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_standalone.c

index c519d090bdb942a74f6f9508435786b5fcb150c1..9d1830da8e84b86286c793cf8f58f98f10f793ce 100644 (file)
@@ -1032,10 +1032,10 @@ void nf_conntrack_cleanup(void)
        nf_ct_free_hashtable(nf_conntrack_hash, nf_conntrack_vmalloc,
                             nf_conntrack_htable_size);
 
-       nf_conntrack_proto_fini();
-       nf_conntrack_helper_fini();
-       nf_conntrack_expect_fini();
        nf_conntrack_acct_fini();
+       nf_conntrack_expect_fini();
+       nf_conntrack_helper_fini();
+       nf_conntrack_proto_fini();
 }
 
 struct hlist_head *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced)
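Review bot: The new tear-down sequence in nf_conntrack_cleanup() is only enforced by line order, with nothing in the code recording that it must be the reverse of the init sequence, so a later reshuffle would silently reintroduce the unregister_sysctl_table warning the commit fixes. A one-line comment above the first call would pin it: `/* tear down in reverse order of init: acct, expect, helper, proto */`. The init function is not in this hunk, so the "reverse of init" reading is taken from the commit message rather than from visible code; nf_conntrack_cleanup's body also begins above the hunk.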
index 869ef9349d0f1c748e3ec7a4619827c9759ccef7..8509db14670b7683772aabf53420d9d355ab44e1 100644 (file)
@@ -324,6 +324,7 @@ static int log_invalid_proto_min = 0;
 static int log_invalid_proto_max = 255;
 
 static struct ctl_table_header *nf_ct_sysctl_header;
+static struct ctl_table_header *nf_ct_netfilter_header;
 
 static ctl_table nf_ct_sysctl_table[] = {
        {
@@ -383,12 +384,6 @@ static ctl_table nf_ct_sysctl_table[] = {
 #define NET_NF_CONNTRACK_MAX 2089
 
 static ctl_table nf_ct_netfilter_table[] = {
-       {
-               .ctl_name       = NET_NETFILTER,
-               .procname       = "netfilter",
-               .mode           = 0555,
-               .child          = nf_ct_sysctl_table,
-       },
        {
                .ctl_name       = NET_NF_CONNTRACK_MAX,
                .procname       = "nf_conntrack_max",
@@ -409,18 +404,29 @@ EXPORT_SYMBOL_GPL(nf_ct_log_invalid);
 
 static int nf_conntrack_standalone_init_sysctl(void)
 {
-       nf_ct_sysctl_header =
+       nf_ct_netfilter_header =
                register_sysctl_paths(nf_ct_path, nf_ct_netfilter_table);
-       if (nf_ct_sysctl_header == NULL) {
-               printk("nf_conntrack: can't register to sysctl.\n");
-               return -ENOMEM;
-       }
+       if (!nf_ct_netfilter_header)
+               goto out;
+
+       nf_ct_sysctl_header =
+                register_sysctl_paths(nf_net_netfilter_sysctl_path,
+                                       nf_ct_sysctl_table);
+       if (!nf_ct_sysctl_header)
+               goto out_unregister_netfilter;
+
        return 0;
 
+out_unregister_netfilter:
+       unregister_sysctl_table(nf_ct_netfilter_header);
+out:
+       printk("nf_conntrack: can't register to sysctl.\n");
+       return -ENOMEM;
 }
 
 static void nf_conntrack_standalone_fini_sysctl(void)
 {
+       unregister_sysctl_table(nf_ct_netfilter_header);
        unregister_sysctl_table(nf_ct_sysctl_header);
 }
 #else
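Review bot: nf_conntrack_standalone_fini_sysctl unregisters the two headers in the same order they were registered (netfilter header first, then the sysctl header), while the error path out_unregister_netfilter in the init function and the usual convention unwind in reverse. Since the two tables are registered under separate paths (nf_ct_path and nf_net_netfilter_sysctl_path) this is presumably harmless, but in a commit whose purpose is fixing unregistration order it reads as an oversight; swapping the two lines to `unregister_sysctl_table(nf_ct_sysctl_header);` followed by `unregister_sysctl_table(nf_ct_netfilter_header);` makes fini mirror the error path. The printk on the shared out: label is also emitted without a log level; `printk(KERN_ERR "nf_conntrack: can't register to sysctl.\n");` would report the failure at the priority an unrecoverable init error warrants.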