Patrick McHardy <kaber@trash.net> writes:

quoted text
>> Hmm.  This is an interesting case.  The proc method is forcing
>> the integer to be either 0 or 1 in a racy fashion.  But none of the
>> users appear to depend upon that.
>> 
>> So this is the least broken set of binary sysctls I have seen caught
>> by my check.
>> 
>> A really good fix would be to remove the binary side and then to
>> modify brnf_sysctl_call_tables to allocate a temporary ctl_table and
>> integer on the stack and only set ctl->data after we have normalized
>> the written value.  But since in practice nothing cares about
>> the race a better fix probably isn't worth it.
>
>
> I seem to be missing something, the entire brnf_sysctl_call_tables
> thing looks purely cosmetic to me, wouldn't it be better to simply
> remove it?

Well it is cosmetic in a user space visible way.  Which means I don't
have a clue which if any user space programs or scripts care if we change
the behavior. 

I just looked in the git history and brnf_sysctl_call_tables has been
that way since sysctl support was added to the bridge netfilter code.

The only comment I can found about the addition is:

    2003/12/24 19:32:34-08:00 bdschuym
    [BRIDGE]: Add 4 sysctl entries for bridge netfilter behavioral control:
    bridge-nf-call-arptables - pass or don't pass bridged ARP traffic to
    arptables' FORWARD chain.
    bridge-nf-call-iptables - pass or don't pass bridged IPv4 traffic to
    iptables' chains.
    bridge-nf-filter-vlan-tagged - pass or don't pass bridged vlan-tagged
    ARP/IP traffic to arptables/iptables.

So since forcing the values to 0 or 1 doesn't seem hard to maintain
I am uncomfortable with removing that check.

Eric

-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/