From: Roberto Nibali <ratz@tac.ch>
To: Netfilter Developers <netfilter-devel@lists.netfilter.org>
Cc: Patrick McHardy <kaber@trash.net>, Willy Tarreau <willy@w.ods.org>
Subject: Re: [PATCH 2.4] raw table and NOTRACK support
Date: Wed, 23 Nov 2005 14:04:40 +0100
Message-ID: <438468E8.4090309@tac.ch>
In-Reply-To: <43833F1D.3060309@tac.ch>
> Damn! I wish I understood that conntrack stuff better ...
Ok, so NOTRACK registers itself into the conntrack table upon target
entry using nf_conntrack_get((*pskb)->nfct). And each skb updates the
nfct counter, but when deregistering the conntrack we still have
references of the fake connection tracking entry of the NOTRACK hook.
This was discussed already and Patrick submitted a patchset:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b31e5b1bb53b99dfd5e890aa07e943aff114ae1c
Patrick, in the thread leading to this patch we concluded that you would
forward the nf_reset patch to Marcelo for 2.4.x inclusion. I only
realised now that this did not happen and thus the following patch is
needed for 2.4.x to have rmmod ip_conntrack working correctly when
having either bridging or NOTRACK (both not in vanilla) loaded and used
in the kernel:
--- linux-2.4.32-orig/net/ipv4/ip_output.c 2005-11-21 11:29:41 +0100
+++ linux-2.4.32-pab2/net/ipv4/ip_output.c 2005-11-23 11:42:13 +0100
@@ -167,6 +167,9 @@
nf_debug_ip_finish_output2(skb);
#endif /*CONFIG_NETFILTER_DEBUG*/
+ /* Drop conntrack reference when packet leaves IP */
+ nf_reset(skb);
+
if (hh) {
int hh_alen;
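Review bot: the hunk calls nf_reset(skb), but the message above says the nf_reset patch was never forwarded for 2.4.x inclusion, so this change should either depend on that helper already being present in the 2.4.32 tree or carry its definition in the same patch; otherwise the build fails as soon as ip_output.c is compiled. Also worth stating in the changelog that the reference is dropped at the tail of ip_finish_output2(), i.e. after the netfilter output hooks have run, so that nothing after this point still expects skb->nfct to be valid; the in-line comment "Drop conntrack reference when packet leaves IP" is good, but the ordering argument belongs in the description as well.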
Is there a reason not to include this patch in 2.4.x?
Thanks and regards,
Roberto Nibali, ratz
--
-------------------------------------------------------------
addr://Kasinostrasse 30, CH-5001 Aarau tel://++41 62 823 9355
http://www.terreactive.com fax://++41 62 823 9356
-------------------------------------------------------------
terreActive AG Wir sichern Ihren Erfolg
-------------------------------------------------------------