Re: [PATCH 4/4] netfilter: conntrack: optional reliable conntrack event delivery

[Patrick McHardy <kaber@trash.net>]

Pablo Neira Ayuso wrote:
> There's another issue that I have to fix here that I haven't noticed so far:
> 
> +       if (nf_conntrack_event_report(IPCT_DESTROY, ct,
> +                                     NETLINK_CB(skb).pid,
> +                                     nlmsg_report(nlh)) < 0) {
> +               nf_ct_delete_from_lists(ct);
> +               /* we failed to report the event, try later */
> +               nf_ct_insert_dying_list(ct);
> +               nf_ct_put(ct);
> +               return 0;
> +       }
> 
> With this, we send the first destroy event including the netlink pid.
> However, in the second try, we send it using netlink pid 0. The netlink
> pid is important to notice who has triggered this event (the kernel,
> myself or a different process). So I think that I need to add some
> structure like:
> 
> struct nf_conn_dying {
> 	struct list_head head;
> 	u32 pid;
> 	struct nf_conn *ct;
> };
> 
> Thus, destroy events are delivered using the original netlink pid. I can
> get rid of using the nulls list in that case.
> 
> I think this is necessary, or I'm completely driving nuts and seeing
> ghosts everywhere :D.

I agree, this is necessary. But I'd add the pid to the event structure
instead of adding a completely new structure I think. Or perhaps we can
reuse an unused-at-that-time conntrack member.

> Patrick, You still plan to send the patches for
> 2.6.31 along today? I think that I need one extra day, I have to leave
> now and I cannot work on this until tomorrow morning.

Yes, the networking merge window closes a lot earlier than the general
kernel merge window and I have to get the other patches in.

I can delay it today, but I don't want to risk waiting until tomorrow.