From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 3/4,v2] netfilter: conntrack: introduce clash resolution on insertion race
Date: Tue, 3 May 2016 16:29:40 +0200 [thread overview]
Message-ID: <20160503142940.GD2395@breakpoint.cc> (raw)
In-Reply-To: <20160503123200.GA11077@salvia>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > + /* Don't modify skb->nfctinfo, we're at POSTROUTING so this
> > > + * packet is already leaving our framework, it is too late.
> > > + */
> >
> > Note that this might be loopback in which case this skb will
> > reappear on PREROUTING.
>
> The comment intention is that we probably already applied a filtering
> decision, so changing the ctinfo here seems awkward to me.
Hmm, but we did not drop the packet, else we would not have ended up in
_confirm().
> In NFQUEUE, this packet may have spent quite a bit of time so it may
> even get a different ctinfo if we reevaluate, but as I said, having
> packets changing its original ctinfo is...
OK, fair enough -- I just wanted to point out that for loopback clashes
we can end up with ->nfct neing set to the "old" one (already in hash
table) while ctinfo is the "new" one (from the ->nfct we tossed since
would could not add it to the table).
But I see that there is no good argument to chose one over the other.
So I'm fine with current version, sorry for the confusion.
> > > + skb->nfct = &ct->ct_general;
> > > + nf_ct_acct_merge(ct, ctinfo, old_ct);
> > > + nf_ct_put(old_ct);
> >
> > Perhaps it would be better to not have old_ct and instead
> > nf_conntrack_put(skb->nfct);
> > skb->nfct = &ct->ct_general;
> >
> > ?
>
> I can use this if you find it more readable, no problem.
Thanks!
> > > + int ret;
> > >
> > > ct = nf_ct_get(skb, &ctinfo);
> > > net = nf_ct_net(ct);
> > > @@ -727,10 +770,11 @@ __nf_conntrack_confirm(struct sk_buff *skb)
> > >
> > > out:
> > > nf_ct_add_to_dying_list(ct);
> > > + ret = nf_ct_resolve_clash(net, skb, ct, ctinfo, h);
> >
> > Is this safe?
> > Seems we jump to out label in other cases as well, not
> > just for clashes.
>
> We're jumping out for dying conntracks too, and clash is handling this
> already so I considered not adding more code. I could just run
> nf_ct_resolve_clash() iff !nf_ct_dying() but I don't see much of a
> benefit on this.
I missed the nf_ct_dying test, that should indeed avoid operating on
*h garbage.
prev parent reply other threads:[~2016-05-03 14:29 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-03 11:48 [PATCH nf-next 3/4,v2] netfilter: conntrack: introduce clash resolution on insertion race Pablo Neira Ayuso
2016-05-03 12:14 ` Florian Westphal
2016-05-03 12:32 ` Pablo Neira Ayuso
2016-05-03 14:29 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160503142940.GD2395@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.