From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: Ramblewski David <David.Ramblewski@atosorigin.com>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	"netfilter-devel@vger.kernel.org"
	<netfilter-devel@vger.kernel.org>,
	netdev <netdev@vger.kernel.org>
Subject: Re: kernel stack trace using conntrack
Date: Thu, 18 Feb 2010 13:18:42 +0100
Message-ID: <4B7D3022.9030405@netfilter.org>
In-Reply-To: <4B7D215A.6060400@trash.net>

Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> Patrick McHardy wrote:
>>> Ramblewski David wrote:
>>>> Hi Eric,
>>>>
>>>> The conntrack patch works successfully.
>>>>
>>>>>> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
>>>>>> index 0ffe689..d2657aa 100644
>>>>>> --- a/net/netfilter/nf_conntrack_netlink.c
>>>>>> +++ b/net/netfilter/nf_conntrack_netlink.c
>>>>>> @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
>>>>>>     unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
>>>>>>     d = ct->status ^ status;
>>>>>>
>>>>>> -   if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
>>>>>> +   if (d & (IPS_EXPECTED|IPS_DYING))
>>>>>>             /* unchangeable */
>>>>>>             return -EBUSY;
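Review bot: In the if (d & ...) test, dropping IPS_CONFIRMED from the mask removes the check in both directions, so a CTA_STATUS value that clears IPS_CONFIRMED on a conntrack that already has it set no longer returns -EBUSY here. If the aim is only to accept a ct->status that does not yet carry the bit, consider keeping the rejection for the clearing direction, for example by also testing (ct->status & IPS_CONFIRMED) && !(status & IPS_CONFIRMED), and updating the /* unchangeable */ comment to say which bits it still covers.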
>>>>> I think that we should explicitly report if the user unsets
>>>>> IPS_CONFIRMED. Please, don't change this.
>>>>>
>>>>> Apart from that, the patch seems fine to me. Thanks!
>>>> Problem is we now (I mean after my patch) enter
>>>> ctnetlink_change_status() with ct->status being null (or at least,
>>>> IPS_CONFIRMED not set)
>>> Pablo, please let me know whether you want me to apply this.
>> ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that
>> are confirmed (in case of a helper update for an existing conntrack).
>> That would also trigger the assertion. If we want to support helper
>> assignation via ctnetlink for existing conntracks, we will need to add
>> locking to the conntrack extension infrastructure to avoid races.
>>
>> I don't see a clear solution for this yet.
> 
> I see, this is indeed a problem. Since the helper is known at the
> first event, we could restrict this to only allow manual assignment
> for newly created conntracks. Most helpers probably can't properly
> cope with connections not seen from the beginning anyways.

Indeed, changing the helper in the middle of the road doesn't make too
much sense to me either. I can send you a patch for this along today,
I'll find some spare time to do it.
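
Added example, not part of the original message and not kernel code: a userspace C model of the status check discussed in the quoted exchange, comparing the original mask, the mask from the quoted hunk, and a hypothetical variant (check_directional, an assumption of this example) that refuses only the unsetting of IPS_CONFIRMED. The bit values mirror enum ip_conntrack_status in the kernel's nf_conntrack_common.h; the inputs are constructed.

```c
#include <errno.h>
#include <stdio.h>

/* Only the status bits named in the thread, plus one ordinary bit. */
#define IPS_EXPECTED   (1u << 0)
#define IPS_SEEN_REPLY (1u << 1)
#define IPS_CONFIRMED  (1u << 3)
#define IPS_DYING      (1u << 9)

/* Original check: any difference in these three bits is refused. */
static int check_original(unsigned int cur, unsigned int req)
{
    unsigned int d = cur ^ req;
    return (d & (IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING)) ? -EBUSY : 0;
}

/* Check as changed by the quoted hunk: IPS_CONFIRMED is no longer inspected. */
static int check_patched(unsigned int cur, unsigned int req)
{
    unsigned int d = cur ^ req;
    return (d & (IPS_EXPECTED | IPS_DYING)) ? -EBUSY : 0;
}

/* Hypothetical variant: setting IPS_CONFIRMED is accepted, unsetting is not. */
static int check_directional(unsigned int cur, unsigned int req)
{
    unsigned int d = cur ^ req;
    if (d & (IPS_EXPECTED | IPS_DYING))
        return -EBUSY;
    if ((cur & IPS_CONFIRMED) && !(req & IPS_CONFIRMED))
        return -EBUSY;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a new conntrack and an already confirmed one. */
    unsigned int fresh = 0, live = IPS_CONFIRMED | IPS_SEEN_REPLY;

    printf("set on new ct:      %d %d %d\n", check_original(fresh, IPS_CONFIRMED),
           check_patched(fresh, IPS_CONFIRMED), check_directional(fresh, IPS_CONFIRMED));
    printf("clear on confirmed: %d %d %d\n", check_original(live, IPS_SEEN_REPLY),
           check_patched(live, IPS_SEEN_REPLY), check_directional(live, IPS_SEEN_REPLY));
    return 0;
}
```

Each line prints the result of the original, patched and directional checks in that order; 0 means the request passes the check.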
