From: Patrick McHardy <kaber@trash.net>
To: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
Cc: laforge@netfilter.org, netfilter-devel@lists.netfilter.org, pablo@netfilter.org
Subject: Re: [PATCH 3/3][CONNTRACK] Fix race condition in early drop
Date: Wed, 23 Aug 2006 06:38:55 +0200
Message-ID: <44EBDBDF.8070308@trash.net>
In-Reply-To: <200608230228.k7N2SDTf000802@toshiba.co.jp>

Yasuyuki KOZAKAI wrote:
>>Pablo Neira Ayuso wrote:
>>
>>>>How about incrementing {ip,nf}_conntrack_count at first ?
>>>>
>>>> 1. atomic_add()
>>>> 2. if {ip,nf}_conntrack_count > {ip,nf}_conntrack_max (not '>=' )
>>>> then early_drop()
>>>> 3. if early_drop() failed, atomic_dec()
>>>
>>>
>>>I thought about this possibility but then we can't guarantee the fixed
>>>maximum number of conntracks in the system.
>>
>>Hm, actually this is wrong, we can guarantee the maximum number but
>>aren't we somehow fooling the counter? I mean, the counter can reach
>>values higher than conntrack_max during a short period.
>
>
> good point. I don't mind fooling the counter in this short period,

Me neither. We can already be off by more than one since early_drop
just removes a conntrack from the hash tables, but it is not necessarily
destroyed immediately (at which point the counter is decremented).
This is a reason why we can't loop while waiting for the counter to
decrement.
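
The increment-first scheme quoted above, together with the deferred destruction described in the reply, as an added single-threaded C11 sketch (not code from this thread or from the kernel). `CT_MAX`, `ct_alloc`, `destroy_one`, the two bookkeeping counters and the toy `early_drop` are hypothetical stand-ins, and a new entry is treated as hashed immediately for simplicity.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define CT_MAX 4                 /* constructed stand-in for {ip,nf}_conntrack_max */

static atomic_int ct_count;      /* stand-in for {ip,nf}_conntrack_count */
static int hashed;               /* entries currently in the hash table */
static int unlinked_pending;     /* unhashed by early_drop, not yet destroyed */

/* Toy early_drop(): only unlinks an entry; the counter is left untouched. */
static bool early_drop(void)
{
    if (hashed == 0)
        return false;            /* nothing to evict */
    hashed--;
    unlinked_pending++;
    return true;
}

/* Deferred destruction: the only place the counter drops for an evicted entry. */
static void destroy_one(void)
{
    if (unlinked_pending > 0) {
        unlinked_pending--;
        atomic_fetch_sub(&ct_count, 1);
    }
}

/* The three quoted steps: count first, evict if over the limit, undo on failure. */
static bool ct_alloc(void)
{
    int now = atomic_fetch_add(&ct_count, 1) + 1;    /* step 1 */
    if (now > CT_MAX && !early_drop()) {             /* step 2: '>' not '>=' */
        atomic_fetch_sub(&ct_count, 1);              /* step 3 */
        return false;
    }
    hashed++;                    /* simplification: new entry is hashed at once */
    return true;
}

int main(void)
{
    for (int i = 0; i < CT_MAX + 2; i++)
        ct_alloc();
    printf("count=%d max=%d pending=%d\n", atomic_load(&ct_count), CT_MAX, unlinked_pending);
    destroy_one(); destroy_one();
    printf("count=%d after destruction\n", atomic_load(&ct_count));
    return 0;
}
```

With two evictions still awaiting destruction the counter reads `CT_MAX + 2`, which is the "off by more than one" state; a caller spinning until the counter falls would be waiting on destruction it does not control.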