From: Florian Westphal <fw@strlen.de>
To: Marc Dionne <marc.c.dionne@gmail.com>
Cc: Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
netdev <netdev@vger.kernel.org>
Subject: Re: Multi-thread udp 4.7 regression, bisected to 71d8c47fc653
Date: Mon, 27 Jun 2016 17:38:20 +0200
Message-ID: <20160627153820.GB10613@breakpoint.cc>
In-Reply-To: <CAB9dFds=qY=Dk++p7qVX7a8aOOH4wn0rtL3m4poO6HMQPuPrnA@mail.gmail.com>
Marc Dionne <marc.c.dionne@gmail.com> wrote:
> On Mon, Jun 27, 2016 at 11:22 AM, Florian Westphal <fw@strlen.de> wrote:
> > Marc Dionne <marc.c.dionne@gmail.com> wrote:
> >> Hi,
> > hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[hash], hnnode)
> > if (nf_ct_key_equal(h, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
> > - zone, net))
> > - goto out;
> > + zone, net)) {
> > + nf_ct_add_to_dying_list(ct);
> > + ret = nf_ct_resolve_clash(net, skb, ctinfo, h);
> > + goto dying;
> > + }
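
Review bot: the added branch stores the verdict in `ret` and then jumps to `dying`, a label whose body is outside the quoted context, so these lines alone do not show that `ret` is what the function returns. The exit path under `dying` should return `ret`, and a one-line comment on why `ct` is put on the dying list before nf_ct_resolve_clash() runs would help the next reader.
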

This is bogus as h can be a reply too (key compare does not deal
with it).

Below is what I actually intended; I can't come up with a reason why
you experience this issue other than that we're getting confused over
reply/original direction.

If the patch doesn't help either, can you tell us what kind of iptables
rules are installed on the affected system or perhaps report perf drop
monitor stat when things go wrong?

Thanks!

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -638,6 +638,12 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb,
struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
struct nf_conntrack_l4proto *l4proto;
+ /* skb being confirmed is always original dir; do not attach to
+ * a reply tuple.
+ */
+ if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
+ goto out;
+
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
if (l4proto->allow_clash &&
!nf_ct_is_dying(ct) &&
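
Review bot: the new comment above the `NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL` check gives the reason for bailing out but not the consequence. `goto out` lands on the `NF_CT_STAT_INC(net, drop)` / `return NF_DROP` path, so a clash with a reply tuple drops the skb before `l4proto->allow_clash` is even looked at. Saying in the comment that the packet is dropped in this case would make the behaviour explicit for anyone chasing drops later.
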
@@ -650,6 +656,7 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb,
skb->nfct = &ct->ct_general;
return NF_ACCEPT;
}
+ out:
NF_CT_STAT_INC(net, drop);
return NF_DROP;
}
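
Review bot: the `out` label added before `NF_CT_STAT_INC(net, drop)` serves only the drop path, so `drop:` would describe it better than the generic `out:`. It also means the reply-direction bail-out and a failed `allow_clash` resolution are counted in the same `drop` statistic; if the two cases need to be told apart when debugging, that calls for a separate counter or at least a mention in the changelog.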