From: Patrick McHardy <kaber@trash.net>
To: Phil Oester <kernel@linuxace.com>
Cc: Bob Halley <Bob.Halley@nominum.com>, netfilter-devel@lists.netfilter.org
Subject: Re: Netfilter Connection Tracking Race Condition in Kernel 2.4.x
Date: Wed, 26 Jul 2006 05:56:04 +0200
Message-ID: <44C6E7D4.5020505@trash.net>
In-Reply-To: <20060726005415.GA18817@linuxace.com>
Phil Oester wrote:
> On Tue, Jul 25, 2006 at 03:07:24AM +0200, Patrick McHardy wrote:
>
>>- change conntrack to always put connections in the hash immediately
>> and remove them again if the connection is dropped before being
>> confirmed.
>
>
> This could in theory be implemented via an IPS_UNCONFIRMED_BIT (ignoring
> the sure to be complicated implementation details). But would there be
> any concern about a DOS against the hash if unconfirmed connections
> were allowed to enter?
There isn't really a difference to keeping them in the unconfirmed
list besides better scalability. The same properties for unconfirmed
entries hold here, usually there should be very few (max 2 per CPU
without preemption), except if queueing is involved. I don't think
there is an increased risk of DOS by using the conntrack hash vs.
using a separate hash, but with the conntrack hash we can do it all
in one lookup and use the existing eviction mechanism.
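The design being discussed, as an added user-space model that is not part of this thread and not the kernel's conntrack code: every new entry goes into the single hash immediately, flagged unconfirmed, so a second packet of the same connection finds it in the same lookup that would otherwise create it; an entry whose creating packet is dropped before confirmation is unlinked again. The flag name IPS_UNCONFIRMED_BIT is taken from Phil's message, its bit position and every function name here are assumptions, and the tuple in the scenario is constructed.

```c
/* Constructed model of "insert unconfirmed, confirm or remove later".
 * Not kernel code: names, layout and the flag's bit position are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define HASH_SIZE 64
#define IPS_UNCONFIRMED_BIT 0                     /* bit position assumed */
#define IPS_UNCONFIRMED     (1u << IPS_UNCONFIRMED_BIT)

struct tuple {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t  proto;
};

struct conn {
    struct tuple t;
    unsigned int status;    /* IPS_* flags */
    struct conn *next;      /* hash chain */
};

static struct conn *table[HASH_SIZE];
static unsigned int n_total, n_unconfirmed;

static unsigned int hash_tuple(const struct tuple *t)
{
    uint32_t h = t->src * 2654435761u;
    h ^= t->dst * 40503u;
    h ^= ((uint32_t)t->sport << 16) | t->dport;
    h ^= t->proto;
    return h % HASH_SIZE;
}

static int tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* One lookup serves both cases: an existing entry (confirmed or not) is
 * returned, otherwise a new unconfirmed entry is linked in on the spot, so a
 * second packet arriving before confirmation cannot create a duplicate. */
static struct conn *conn_lookup_or_create(const struct tuple *t, int *created)
{
    unsigned int h = hash_tuple(t);
    struct conn *c;

    *created = 0;
    for (c = table[h]; c != NULL; c = c->next)
        if (tuple_eq(&c->t, t))
            return c;
    c = calloc(1, sizeof(*c));
    if (c == NULL)
        return NULL;
    c->t = *t;
    c->status = IPS_UNCONFIRMED;
    c->next = table[h];
    table[h] = c;
    n_total++;
    n_unconfirmed++;
    *created = 1;
    return c;
}

/* Called once the creating packet has passed all hooks. */
static void conn_confirm(struct conn *c)
{
    if (c->status & IPS_UNCONFIRMED) {
        c->status &= ~IPS_UNCONFIRMED;
        n_unconfirmed--;
    }
}

/* Unlink and free an entry: used when the creating packet is dropped before
 * confirmation, so no stale unconfirmed entry stays in the hash. */
static int conn_remove(struct conn *c)
{
    struct conn **pp;

    for (pp = &table[hash_tuple(&c->t)]; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == c) {
            *pp = c->next;
            if (c->status & IPS_UNCONFIRMED)
                n_unconfirmed--;
            n_total--;
            free(c);
            return 1;
        }
    }
    return 0;
}

static void conn_table_reset(void)
{
    unsigned int i;
    for (i = 0; i < HASH_SIZE; i++)
        while (table[i] != NULL)
            conn_remove(table[i]);
}

/* Scenario on a constructed tuple: two packets of one connection arrive
 * before confirmation, then a fresh entry is dropped before confirmation.
 * Returns the number of checks that held (3 expected). */
static int conn_scenario(void)
{
    struct tuple t = { 0x0a000001u, 0x0a000002u, 40000, 80, 6 };
    int created1, created2, passed = 0;
    struct conn *a, *b;

    conn_table_reset();
    a = conn_lookup_or_create(&t, &created1);
    b = conn_lookup_or_create(&t, &created2);
    if (a == b && created1 && !created2 && n_unconfirmed == 1)
        passed++;                       /* second packet reused the entry */
    conn_confirm(a);
    if (n_unconfirmed == 0 && n_total == 1)
        passed++;                       /* confirmation cleared the flag */
    conn_table_reset();
    a = conn_lookup_or_create(&t, &created1);
    conn_remove(a);                     /* dropped before confirmation */
    if (n_total == 0 && n_unconfirmed == 0)
        passed++;                       /* nothing stale left behind */
    return passed;
}

int main(void)
{
    printf("%d of 3 checks held\n", conn_scenario());
    return 0;
}
```

The point Patrick makes about DoS exposure is visible in the counters: an unconfirmed entry occupies the same hash slot it would later occupy anyway, and it is either confirmed or unlinked on the same code path that created it, so the number of such entries stays bounded by the packets in flight rather than growing with an attacker's packet rate.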
Thread overview:
2006-07-25 0:31 Netfilter Connection Tracking Race Condition in Kernel 2.4.x Bob Halley
2006-07-25 1:07 ` Patrick McHardy
2006-07-26 0:54 ` Phil Oester
2006-07-26 3:56 ` Patrick McHardy [this message]
2006-07-26 4:49 ` Yasuyuki KOZAKAI
2006-07-28 13:16 ` [PATCH 4/8][CTNETLINK] Fix race condition on conntrack creation Yasuyuki KOZAKAI
2006-07-31 11:15 ` Pablo Neira Ayuso
2006-08-04 14:43 ` Amin Azez
2006-08-08 10:19 ` Patrick McHardy