Re: [PATCH] Orphaned expectations

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira <pablo@eurodev.net>
To: Chris Wilson <chris@netservers.co.uk>,
	Phil Oester <kernel@linuxace.com>,
	Netfilter Development Mailinglist
	<netfilter-devel@lists.netfilter.org>
Subject: Re: [PATCH] Orphaned expectations
Date: Thu, 22 Apr 2004 00:54:15 +0200	[thread overview]
Message-ID: <4086FB97.9020902@eurodev.net> (raw)
In-Reply-To: <Pine.LNX.4.44.0404211215030.726-100000@chris.camcom.co.uk>

Hi Chris,

Chris Wilson wrote:

>>So now, with only an udp packet, we have a conntrack which is not 
>>confirmed with an expectation associated, and as Phil pointed out, if 
>>this conntrack is destroyed the expectation keeps there forever.
>>    
>>
>
>Thanks very much for your explanation. So, to prevent this from happening, 
>what is the best thing to do?
>
>1. Audit all helpers to check that they don't create expectations to 
>unconfirmed conntracks
>  
>

I think that this assumption is wrong for udp based helpers. When 
connection tracking sees udp packet which has a helper associated for 
first time, a conntrack (not confirmed yet) and its respective 
expectation are created, and surely this conntrack will be confirmed later.

>2. Modify destroy_conntrack to destroy any associated expectations, 
>whether or not the conntrack is confirmed (presumably right now it only 
>does so if the conntrack is confirmed? hence the problem?)
>  
>

yes, I think that Phil's solution is ok, this could also prevent any 
other weird combinations.

regards,
Pablo

next prev parent reply	other threads:[~2004-04-21 22:54 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-04-19 20:37 [PATCH] Orphaned expectations Phil Oester
2004-04-20 11:51 ` Chris Wilson
2004-04-20 15:14   ` Phil Oester
2004-04-20 23:33   ` Pablo Neira
2004-04-21 11:17     ` Chris Wilson
2004-04-21 22:54       ` Pablo Neira [this message]
2004-04-25  0:25 ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4086FB97.9020902@eurodev.net \
    --to=pablo@eurodev.net \
    --cc=chris@netservers.co.uk \
    --cc=kernel@linuxace.com \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.