From: Patrick McHardy <kaber@trash.net>
To: Amin Azez <azez@ufomechanic.net>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: [PATCH 4/4] first conntrack ID must be 1 not 2
Date: Wed, 12 Apr 2006 20:30:59 +0200 [thread overview]
Message-ID: <443D4763.40903@trash.net> (raw)
In-Reply-To: <443CA579.3030908@ufomechanic.net>
Amin Azez wrote:
> Patrick McHardy wrote:
>
>>> It's no longer the entry of the next conntrack but the entry of the last
>>> conntrack by the time it gets deleted then...? Or have I misunderstood
>>> the way in which the loop would occur?
>>>
>>
>>
>> Yes, the loop is interrupted when the skb is full and continued when
>> userspace issues the next recvmsg(). The reference is kept to find
>> the point where to continue.
>>
>>
> Did you mean "yes, you misunderstood" or "yes, good idea"?
Yes, you misunderstood :)
> I thought that what would theoretically cause the problem if the
> next-conntrack is deleted was the fact that conntrack-put is called
> before ctnetlink_fill_info.
Its only a marker, once we have found it in the list we don't
need that reference anymore.
> The problem may not be entirely theoretical if the conntrack is being
> deleted by a userspace conntrack client in response to what it reads
> when enumerating conntracks. (The conntrack may spring back into
> existance as an resurrected established connection - and also may
> therefore be likely in the case of a full contrack table where
> connections flip-flop their resurrected conntrack entry,
> Rather than issue warnings to conntrack developers to avoid certain
> kinds of design, it would be better to avoid this.
The marker points to the next entry that beed dumped yet, so
enumerate-and-delete won't affect it. It is also not the
ID of the connection but the pointer to the conntrack entry
that is used, so resurrections don't affect it in any way.
The problem is in my opinion purely theoretical so far:
- the bucket beeing dumped must contain enough entries to exceed
the size of a single netlink message (very unlikely)
- when continuing to dump, the entry we wanted to dump next
must be gone - and there must still be enough entries in the
bucket to exceed the skb.
For an endless loop we must have a steady refill of the bucket
with new conntrack entries, otherwise at some point it won't
exceed the skb anymore and we can move on to the next bucket.
The jenkins hash should prevent this situation.
prev parent reply other threads:[~2006-04-12 18:30 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-02-13 2:41 [PATCH 4/4] first conntrack ID must be 1 not 2 Pablo Neira Ayuso
2006-02-13 11:20 ` Harald Welte
2006-02-16 8:33 ` Patrick McHardy
2006-02-16 8:47 ` Jozsef Kadlecsik
2006-02-16 9:02 ` Patrick McHardy
2006-02-16 9:11 ` Jozsef Kadlecsik
2006-02-16 9:14 ` Patrick McHardy
2006-02-16 9:36 ` Jozsef Kadlecsik
2006-02-16 20:09 ` Patrick McHardy
2006-02-17 8:18 ` Jozsef Kadlecsik
2006-02-17 8:45 ` Martin Josefsson
2006-02-17 9:30 ` Jozsef Kadlecsik
2006-02-17 18:41 ` Jozsef Kadlecsik
2006-03-04 16:23 ` Hashtrie testing (was: Re: [PATCH 4/4] first conntrack ID must be 1 not 2) Martin Josefsson
2006-03-05 9:49 ` Jozsef Kadlecsik
2006-03-05 13:24 ` Martin Josefsson
2006-03-04 20:11 ` Hashtrie testing2 " Martin Josefsson
2006-03-05 11:24 ` Jozsef Kadlecsik
2006-03-05 17:48 ` Martin Josefsson
2006-03-06 13:15 ` Jozsef Kadlecsik
2006-03-07 18:33 ` Martin Josefsson
2006-03-08 6:34 ` Patrick Schaaf
2006-03-12 18:49 ` Martin Josefsson
2006-03-14 11:35 ` Jozsef Kadlecsik
2006-03-23 11:27 ` Jozsef Kadlecsik
2006-03-23 21:07 ` Martin Josefsson
2006-03-25 8:39 ` Jozsef Kadlecsik
2006-03-28 12:26 ` Jozsef Kadlecsik
2006-03-30 8:28 ` Hashtrie testing2, dancing trees Amin Azez
2006-03-31 18:43 ` Jozsef Kadlecsik
2006-02-17 8:50 ` [PATCH 4/4] first conntrack ID must be 1 not 2 Patrick McHardy
2006-03-30 8:31 ` Amin Azez
2006-03-31 1:11 ` Patrick McHardy
2006-03-31 18:35 ` Jozsef Kadlecsik
2006-03-31 18:44 ` Patrick McHardy
2006-04-01 19:31 ` Harald Welte
2006-04-06 11:02 ` Patrick McHardy
2006-04-11 16:09 ` Amin Azez
2006-04-11 16:17 ` Patrick McHardy
[not found] ` <443CA579.3030908@ufomechanic.net>
2006-04-12 18:30 ` Patrick McHardy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=443D4763.40903@trash.net \
--to=kaber@trash.net \
--cc=azez@ufomechanic.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.