From: Patrick McHardy <kaber@trash.net>
To: Tobias Klausmann <klausman@schwarzvogel.de>
Cc: netdev@vger.kernel.org, Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>
Subject: Re: Possible race condition in conntracking
Date: Tue, 27 Jan 2009 14:48:10 +0100
Message-ID: <497F109A.7080502@trash.net>
In-Reply-To: <20090127132810.GA21498@eric.schwarzvogel.de>
Tobias Klausmann wrote:
> So the question remains what to do instead and how to do it. That
> probably is deep Netfilter mojo, so I could only speculate wildly.
>
>> You should see the insert_failed conntrack counter show this
>> (/proc/net/stat/nf_conntrack).
>
> We do, as I said in my first mail. Near as I can tell,
> nf_conntrack_confirm() is the only function that ever increases
> that counter, so it's definitely dropped there. As to how one
> could handle it differently, I have to defer to people with more
> Netfilter expertise. No point in "fixing" this by breaking other
> stuff.
Fixing this requires some rather intrusive changes. We need
to perform a lookup on the unconfirmed list when a conntrack
is not found in the hash and use the one we find there, if any.
The entries on that list are not reference counted and there
are a lot of assumptions in the code that an unconfirmed conntrack
is exclusively associated with a single packet. This needs to
be audited and fixed, but it looks quite hard.
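As an added illustration, not code from this thread or from the kernel: a constructed C model of the race Tobias observed (two packets of one new flow racing through lookup, the second confirm bumping insert_failed) and of the unconfirmed-list fallback Patrick sketches. The names ct_get, ct_confirm and race, the flat arrays standing in for the hash and the unconfirmed list, and the flow tuple are all assumptions; insert_failed stands in for the counter in /proc/net/stat/nf_conntrack.

```c
/* Constructed model of the race in this thread (not kernel code): two packets of
 * one flow race through lookup, both allocate unconfirmed entries, one confirm fails. */
#include <stdbool.h>
#include <string.h>
#define MAX 8
struct ct { char tuple[48]; bool confirmed; };
static struct ct pool[MAX], *hash[MAX], *unconfirmed[MAX];
static int npool, nhash, nunconf;
unsigned long insert_failed; /* stands in for /proc/net/stat/nf_conntrack */
static struct ct *find(struct ct **list, int n, const char *t) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i]->tuple, t) == 0) return list[i];
    return NULL;
}

/* Lookup on arrival; use_unconfirmed=true adds the fallback Patrick describes.
 * Sharing one unconfirmed entry between packets is what he says needs auditing. */
struct ct *ct_get(const char *t, bool use_unconfirmed) {
    struct ct *c = find(hash, nhash, t);
    if (!c && use_unconfirmed) c = find(unconfirmed, nunconf, t);
    if (c) return c;
    c = &pool[npool++];
    strcpy(c->tuple, t);
    c->confirmed = false;
    unconfirmed[nunconf++] = c;
    return c;
}

/* Models nf_conntrack_confirm(): drop if the same tuple already reached the hash. */
bool ct_confirm(struct ct *c) {
    if (c->confirmed) return true;
    if (find(hash, nhash, c->tuple)) {
        insert_failed++; /* the counter Tobias watched climbing */
        return false;
    }
    hash[nhash++] = c;
    c->confirmed = true;
    return true;
}

/* Both packets pass ct_get() before either confirms; returns insert_failed. */
unsigned long race(bool use_unconfirmed) {
    const char *flow = "10.0.0.1:1234->10.0.0.2:80/tcp"; /* constructed tuple */
    npool = nhash = nunconf = 0; insert_failed = 0;
    struct ct *a = ct_get(flow, use_unconfirmed);
    struct ct *b = ct_get(flow, use_unconfirmed);
    ct_confirm(a);
    ct_confirm(b);
    return insert_failed;
}
```

With the fallback both packets resolve to the same unconfirmed entry and nothing is dropped, which is also why that entry now outlives a single packet and needs the refcount audit Patrick mentions.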