From: "billbonaparte" <programme110@gmail.com>
To: "Jesper Dangaard Brouer" <brouer@redhat.com>
Cc: "Netfilter Developer Mailing List"
<netfilter-devel@vger.kernel.org>,
"Pablo Neira Ayuso" <pablo@netfilter.org>,
"Patrick McHardy" <kaber@trash.net>, <kadlec@blackhole.kfki.hu>,
<davem@davemloft.net>, "Changli Gao" <xiaosuo@gmail.com>,
"Andrey Vagin" <avagin@openvz.org>
Subject: Re: netfilter: nf_conntrack: there maybe a bug in __nf_conntrack_confirm, when it race against get_next_corpse
Date: Tue, 4 Nov 2014 09:52:58 +0800 [thread overview]
Message-ID: <01b101cff7d2$1715ef20$4541cd60$@gmail.com> (raw)
(sorry to send this e-mail again, last mail is rejected by server due to
non-acceptable content)
Jesper Dangaard Brouer <brouer@redhat.com> wrote:
>> In function __nf_conntrack_confirm, we check the conntrack if it was
>> already dead, before insert it into hash-table.
>> We do this because if we insert an already 'dead' hash, it will
>> block further use of that particular connection.
>Have you run into this problem in practice, or is this based on a theory?
If we insert a dead conntrack into hash-table, let's see what will happen to
the packet which has the same tuple with that dead conntrack:
1) if it is a valid packet, it will enter in nf_conntrack_in hook, then
2) we will find a corresponding conntrack for that packet in
__nf_conntrack_find_get, and there is no doubt that we will find that dead
conntrack,
according to the current implement, we don't use dead conntrack, so we
create a new conntrack which is unconfirmed.
3) because there is already a conntrack with the same tuples in hash-table,
the new conntrack can not be inserted into hash-table, it will return
NF_DROP,
4) the packet will be dropped due to the failure of nf_conntrack_confirm.
That's why inserting an already 'dead' hash will block further use of that
particular connection.
next reply other threads:[~2014-11-04 1:53 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-04 1:52 billbonaparte [this message]
-- strict thread matches above, loose matches on Subject: below --
2014-11-07 6:47 netfilter: nf_conntrack: there maybe a bug in __nf_conntrack_confirm, when it race against get_next_corpse Bill Bonaparte
2014-11-04 1:48 billbonaparte
2014-11-06 13:00 ` Jesper Dangaard Brouer
[not found] <02ef01cff25f$29887f60$7c997e20$@gmail.com>
2014-10-28 3:37 ` billbonaparte
2014-10-28 9:46 ` Florian Westphal
2014-10-28 10:11 ` Jesper Dangaard Brouer
2014-10-28 3:27 billbonaparte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='01b101cff7d2$1715ef20$4541cd60$@gmail.com' \
--to=programme110@gmail.com \
--cc=avagin@openvz.org \
--cc=brouer@redhat.com \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=xiaosuo@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.