[NETFILTER]: H.323 helper: avoid long expectation chains

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Jing Min Zhao <zhaojingmin@hotmail.com>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: [NETFILTER]: H.323 helper: avoid long expectation chains
Date: Sat, 25 Feb 2006 10:08:16 +0100	[thread overview]
Message-ID: <44001E80.8080208@trash.net> (raw)

[-- Attachment #1: Type: text/plain, Size: 71 bytes --]

This is the last patch for now, the others still need a bit more work.

[-- Attachment #2: 06.diff --]
[-- Type: text/x-patch, Size: 1522 bytes --]

[NETFILTER]: H.323 helper: avoid long expectation chains

The RAS helper can exect new RAS connections when Gatekeeper discovery
is performed. This could lead to a situation where there is a long
chain of master conntracks which is recursively freed by destroy_conntrack
or which consumes lots of memory with only a single hashed conntrack,
decreasing chances of beeing evicted under memory pressure.

Avoid creating RAS expectations for already expected connections.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 74dc9a728dc33fab70b73ee30aca44bd2a0259ec
tree 6d3d7b250377b8587c9e32236ac22d91f4fb3300
parent 134aa8950c66de37bd644e7826c4d5cb1f1535ab
author Patrick McHardy <kaber@trash.net> Thu, 23 Feb 2006 20:22:10 +0100
committer Patrick McHardy <kaber@trash.net> Thu, 23 Feb 2006 20:22:10 +0100

 net/ipv4/netfilter/ip_conntrack_helper_h323.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
index 5692b2f..fa6e73f 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -1091,6 +1091,10 @@ static int process_gcf(struct sk_buff **
 	    port == ntohs(ct->tuplehash[dir].tuple.src.u.udp.port))
 		return 0;
 
+	/* Avoid RAS expectation loops. A GCF is never expected. */
+	if (test_bit(IPS_EXPECTED_BIT, &ct->status))
+		return 0;
+
 	/* Need new expect */
 	if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
 		return -1;

                 reply	other threads:[~2006-02-25  9:08 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5692b2f dfblob:fa6e73f )
 OR (
bs:"[NETFILTER]: H.323 helper: avoid long expectation chains" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44001E80.8080208@trash.net \
    --to=kaber@trash.net \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=zhaojingmin@hotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.