Re: [PATCH 18/29] netfilter: notify about NF_QUEUE vs emergency skbs

[PATCH 00/29] swap over networked storage -v11 · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 09/29] selinux: tag avc cache alloc as non-critical · Peter Zijlstra <hidden> · 2007-02-21
Re: [PATCH 09/29] selinux: tag avc cache alloc as non-critical · James Morris <jmorris@namei.org> · 2007-02-21
[PATCH 29/29] balance_dirty_pages() vs throttle_vm_writeout() deadlock · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 02/29] mm: slab allocation fairness · Peter Zijlstra <hidden> · 2007-02-21
Re: [PATCH 02/29] mm: slab allocation fairness · Pekka Enberg <hidden> · 2007-02-21
[PATCH 21/29] mm: prepare swap entry methods for use in page methods · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 25/29] nfs: only use stable storage for swap · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 05/29] mm: emergency pool · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 24/29] nfs: remove mempools · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 10/29] net: wrap sk->sk_backlog_rcv() · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 19/29] netvm: skb processing · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 26/29] nfs: teach the NFS client how to treat PG_swapcache pages · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 16/29] netvm: filter emergency skbs. · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 18/29] netfilter: notify about NF_QUEUE vs emergency skbs · Peter Zijlstra <hidden> · 2007-02-21
Re: [PATCH 18/29] netfilter: notify about NF_QUEUE vs emergency skbs · Patrick McHardy <hidden> · 2007-02-24
Re: [PATCH 18/29] netfilter: notify about NF_QUEUE vs emergency skbs · Peter Zijlstra <hidden> · 2007-02-24
Re: [PATCH 18/29] netfilter: notify about NF_QUEUE vs emergency skbs · Patrick McHardy <hidden> · 2007-02-24
Re: [PATCH 18/29] netfilter: notify about NF_QUEUE vs emergency skbs · Peter Zijlstra <hidden> · 2007-02-24
Re: [PATCH 18/29] netfilter: notify about NF_QUEUE vs emergency skbs · Patrick McHardy <hidden> · 2007-02-24
Re: [PATCH 18/29] netfilter: notify about NF_QUEUE vs emergency skbs · Peter Zijlstra <hidden> · 2007-02-24
[PATCH 07/29] mm: allow mempool to fall back to memalloc reserves · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 20/29] uml: rename arch/um remove_mapping() · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 08/29] mm: kmem_cache_objs_to_pages() · Peter Zijlstra <hidden> · 2007-02-21
Re: [PATCH 08/29] mm: kmem_cache_objs_to_pages() · Pekka Enberg <hidden> · 2007-02-21
Re: [PATCH 08/29] mm: kmem_cache_objs_to_pages() · Peter Zijlstra <hidden> · 2007-02-22
Re: [PATCH 08/29] mm: kmem_cache_objs_to_pages() · Pekka Enberg <hidden> · 2007-02-22
Re: [PATCH 08/29] mm: kmem_cache_objs_to_pages() · Pekka Enberg <hidden> · 2007-02-22
[PATCH 04/29] mm: serialize access to min_free_kbytes · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 03/29] mm: allow PF_MEMALLOC from softirq context · Peter Zijlstra <hidden> · 2007-02-21
Re: [PATCH 03/29] mm: allow PF_MEMALLOC from softirq context · Arjan van de Ven <hidden> · 2007-02-21
Re: [PATCH 03/29] mm: allow PF_MEMALLOC from softirq context · Peter Zijlstra <hidden> · 2007-02-22
Re: [PATCH 03/29] mm: allow PF_MEMALLOC from softirq context · Arjan van de Ven <hidden> · 2007-02-22
[PATCH 17/29] netvm: prevent a TCP specific deadlock · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 23/29] mm: methods for teaching filesystems about PG_swapcache pages · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 12/29] net: remove alloc_skb_from_cache · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 06/29] mm: __GFP_EMERGENCY · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 27/29] nfs: disable data cache revalidation for swapfiles · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 11/29] net: packet split receive api · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 13/29] netvm: link network to vm layer · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 28/29] nfs: enable swap on NFS · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 22/29] mm: add support for non block device backed swap files · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 01/29] mm: page allocation rank · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 15/29] netvm: hook skb allocation to reserves · Peter Zijlstra <hidden> · 2007-02-21
[PATCH 14/29] netvm: INET reserves. · Peter Zijlstra <hidden> · 2007-02-21

From: Patrick McHardy <hidden>
Date: 2007-02-24 15:27:21
Also in: linux-mm, lkml

Peter Zijlstra wrote:

quoted hunk ↗ jump to hunk

Emergency skbs should never touch user-space, however NF_QUEUE is fully user
configurable. Notify the user of his mistake and try to continue.

--- linux-2.6-git.orig/net/netfilter/core.c	2007-02-14 12:09:07.000000000 +0100
+++ linux-2.6-git/net/netfilter/core.c	2007-02-14 12:09:18.000000000 +0100

@@ -187,6 +187,11 @@ next_hook:
 		kfree_skb(*pskb);
 		ret = -EPERM;
 	} else if ((verdict & NF_VERDICT_MASK)  == NF_QUEUE) {
+		if (unlikely((*pskb)->emergency)) {
+			printk(KERN_ERR "nf_hook: NF_QUEUE encountered for "
+					"emergency skb - skipping rule.\n");
+			goto next_hook;
+		}

If I'm not mistaken any skb on the receive side might get
allocated from the reserve. I don't see how the user could
avoid this except by not using queueing at all.

I also didn't see a patch dropping packets allocated from
the reserve that are forwarded or processed directly without
getting queued to a socket, so this would allow them to
bypass userspace queueing and still go through.

I think the user should just exclude packets necessary for
swapping from queueing manually, based on IP addresses,
port numbers or something like that.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help