rmmod ip_conntrack hangs.....

rmmod ip_conntrack hangs.....

[Nishit Shah]

Hi,
        when I do rmmod ip_conntrack, rmmod hangs. It is not the case
everytime but sometimes "rmmod ip_conntrack" hangs.
        After that I have tried to debug the problem and got following
observations..

    1.) in net/ipv4/netfilter/ip_conntrack_core.c, following code of
function ip_conntrack_cleanup is stuck in infinite loop...

 i_see_dead_people:
        ip_conntrack_flush();
        if (atomic_read(&ip_conntrack_count) != 0) {
                schedule();
                goto i_see_dead_people;
        }

    2.) after that i have added printk in while loop

 i_see_dead_people:
        ip_conntrack_flush();
        if (atomic_read(&ip_conntrack_count) != 0) {
                schedule();
                if (net_ratelimit())
                        printk(KERN_ERR "conntrack count is<%d>\n",
atomic_read(&ip_conntrack_count));
                goto i_see_dead_people;
        }

        And each and every time I got count value as 1.
        Also at this point, "cat /proc/slabinfo | grep conntrack" lists 1
entry allocated from slab.


Regards,
Nishit Shah.

Re: rmmod ip_conntrack hangs.....

[Phil Oester]

On Wed, Apr 25, 2007 at 12:30:09PM +0530, Nishit Shah wrote:
> Hi,
>         when I do rmmod ip_conntrack, rmmod hangs. It is not the case
> everytime but sometimes "rmmod ip_conntrack" hangs.
>         After that I have tried to debug the problem and got following
> observations..
> 
>     1.) in net/ipv4/netfilter/ip_conntrack_core.c, following code of
> function ip_conntrack_cleanup is stuck in infinite loop...

Which kernel version?

Phil

Re: rmmod ip_conntrack hangs.....

[Nishit Shah]

kernel version is 2.6.16.13

Regards,
Nishit Shah.


----- Original Message ----- 
From: "Phil Oester" <kernel@linuxace.com>
To: "Nishit Shah" <nishit@elitecore.com>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Wednesday, April 25, 2007 7:48 PM
Subject: Re: rmmod ip_conntrack hangs.....


> On Wed, Apr 25, 2007 at 12:30:09PM +0530, Nishit Shah wrote:
> > Hi,
> >         when I do rmmod ip_conntrack, rmmod hangs. It is not the case
> > everytime but sometimes "rmmod ip_conntrack" hangs.
> >         After that I have tried to debug the problem and got following
> > observations..
> > 
> >     1.) in net/ipv4/netfilter/ip_conntrack_core.c, following code of
> > function ip_conntrack_cleanup is stuck in infinite loop...
> 
> Which kernel version?
> 
> Phil
> 
> 

Re: rmmod ip_conntrack hangs.....

[Yasuyuki KOZAKAI]

From: "Nishit Shah" <nishit@elitecore.com>
Date: Wed, 25 Apr 2007 12:30:09 +0530

> Hi,
>         when I do rmmod ip_conntrack, rmmod hangs. It is not the case
> everytime but sometimes "rmmod ip_conntrack" hangs.

It has been already fixed by following patch, which is available in 2.6.21,
I think.

commit ec68e97dedacc1c7fb20a4b23b7fa76bee56b5ff
Author: Patrick McHardy <kaber@trash.net>
Date:   Sun Mar 4 15:57:01 2007 -0800

    [NETFILTER]: conntrack: fix {nf,ip}_ct_iterate_cleanup endless loops
    
    Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:
    
    - unconfirmed entries can not be killed manually, they are removed on
      confirmation or final destruction of the conntrack entry, which means
      we might iterate forever without making forward progress.
    
      This can happen in combination with the conntrack event cache, which
      holds a reference to the conntrack entry, which is only released when
      the packet makes it all the way through the stack or a different
      packet is handled.
    
    - taking references to an unconfirmed entry and using it outside the
      locked section doesn't work, the list entries are not refcounted and
      another CPU might already be waiting to destroy the entry
    
    What the code really wants to do is make sure the references of the hash
    table to the selected conntrack entries are released, so they will be
    destroyed once all references from skbs and the event cache are dropped.
    
    Since unconfirmed entries haven't even entered the hash yet, simply mark
    them as dying and skip confirmation based on that.
    
    Reported and tested by Chuck Ebbert <cebbert@redhat.com>
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h
index 907d4f5..e3a6df0 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_core.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
@@ -45,7 +45,7 @@ static inline int ip_conntrack_confirm(struct sk_buff **pskb)
 	int ret = NF_ACCEPT;
 
 	if (ct) {
-		if (!is_confirmed(ct))
+		if (!is_confirmed(ct) && !is_dying(ct))
 			ret = __ip_conntrack_confirm(pskb);
 		ip_ct_deliver_cached_events(ct);
 	}
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 7fdc72c..85634e1 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -64,7 +64,7 @@ static inline int nf_conntrack_confirm(struct sk_buff **pskb)
 	int ret = NF_ACCEPT;
 
 	if (ct) {
-		if (!nf_ct_is_confirmed(ct))
+		if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
 			ret = __nf_conntrack_confirm(pskb);
 		nf_ct_deliver_cached_events(ct);
 	}
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index 07ba1dd..23b99ae 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1254,7 +1254,7 @@ get_next_corpse(int (*iter)(struct ip_conntrack *i, void *data),
 	list_for_each_entry(h, &unconfirmed, list) {
 		ct = tuplehash_to_ctrack(h);
 		if (iter(ct, data))
-			goto found;
+			set_bit(IPS_DYING_BIT, &ct->status);
 	}
 	write_unlock_bh(&ip_conntrack_lock);
 	return NULL;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 32891eb..4fdf484 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1070,7 +1070,7 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void *data),
 	list_for_each_entry(h, &unconfirmed, list) {
 		ct = nf_ct_tuplehash_to_ctrack(h);
 		if (iter(ct, data))
-			goto found;
+			set_bit(IPS_DYING_BIT, &ct->status);
 	}
 	write_unlock_bh(&nf_conntrack_lock);
 	return NULL;

Re: rmmod ip_conntrack hangs.....

[Nishit Shah]

Thanks very much.

Regards,
Nishit Shah.

----- Original Message ----- 
From: "Yasuyuki KOZAKAI" <yasuyuki.kozakai@toshiba.co.jp>
To: <nishit@elitecore.com>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Thursday, April 26, 2007 4:35 PM
Subject: Re: rmmod ip_conntrack hangs.....


> From: "Nishit Shah" <nishit@elitecore.com>
> Date: Wed, 25 Apr 2007 12:30:09 +0530
>
> > Hi,
> >         when I do rmmod ip_conntrack, rmmod hangs. It is not the case
> > everytime but sometimes "rmmod ip_conntrack" hangs.
>
> It has been already fixed by following patch, which is available in
2.6.21,
> I think.
>
> commit ec68e97dedacc1c7fb20a4b23b7fa76bee56b5ff
> Author: Patrick McHardy <kaber@trash.net>
> Date:   Sun Mar 4 15:57:01 2007 -0800
>
>     [NETFILTER]: conntrack: fix {nf,ip}_ct_iterate_cleanup endless loops
>
>     Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:
>
>     - unconfirmed entries can not be killed manually, they are removed on
>       confirmation or final destruction of the conntrack entry, which
means
>       we might iterate forever without making forward progress.
>
>       This can happen in combination with the conntrack event cache, which
>       holds a reference to the conntrack entry, which is only released
when
>       the packet makes it all the way through the stack or a different
>       packet is handled.
>
>     - taking references to an unconfirmed entry and using it outside the
>       locked section doesn't work, the list entries are not refcounted and
>       another CPU might already be waiting to destroy the entry
>
>     What the code really wants to do is make sure the references of the
hash
>     table to the selected conntrack entries are released, so they will be
>     destroyed once all references from skbs and the event cache are
dropped.
>
>     Since unconfirmed entries haven't even entered the hash yet, simply
mark
>     them as dying and skip confirmation based on that.
>
>     Reported and tested by Chuck Ebbert <cebbert@redhat.com>
>
>     Signed-off-by: Patrick McHardy <kaber@trash.net>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
>
> diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h
b/include/linux/netfilter_ipv4/ip_conntrack_core.h
> index 907d4f5..e3a6df0 100644
> --- a/include/linux/netfilter_ipv4/ip_conntrack_core.h
> +++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
> @@ -45,7 +45,7 @@ static inline int ip_conntrack_confirm(struct sk_buff
**pskb)
>   int ret = NF_ACCEPT;
>
>   if (ct) {
> - if (!is_confirmed(ct))
> + if (!is_confirmed(ct) && !is_dying(ct))
>   ret = __ip_conntrack_confirm(pskb);
>   ip_ct_deliver_cached_events(ct);
>   }
> diff --git a/include/net/netfilter/nf_conntrack_core.h
b/include/net/netfilter/nf_conntrack_core.h
> index 7fdc72c..85634e1 100644
> --- a/include/net/netfilter/nf_conntrack_core.h
> +++ b/include/net/netfilter/nf_conntrack_core.h
> @@ -64,7 +64,7 @@ static inline int nf_conntrack_confirm(struct sk_buff
**pskb)
>   int ret = NF_ACCEPT;
>
>   if (ct) {
> - if (!nf_ct_is_confirmed(ct))
> + if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
>   ret = __nf_conntrack_confirm(pskb);
>   nf_ct_deliver_cached_events(ct);
>   }
> diff --git a/net/ipv4/netfilter/ip_conntrack_core.c
b/net/ipv4/netfilter/ip_conntrack_core.c
> index 07ba1dd..23b99ae 100644
> --- a/net/ipv4/netfilter/ip_conntrack_core.c
> +++ b/net/ipv4/netfilter/ip_conntrack_core.c
> @@ -1254,7 +1254,7 @@ get_next_corpse(int (*iter)(struct ip_conntrack *i,
void *data),
>   list_for_each_entry(h, &unconfirmed, list) {
>   ct = tuplehash_to_ctrack(h);
>   if (iter(ct, data))
> - goto found;
> + set_bit(IPS_DYING_BIT, &ct->status);
>   }
>   write_unlock_bh(&ip_conntrack_lock);
>   return NULL;
> diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
> index 32891eb..4fdf484 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -1070,7 +1070,7 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void
*data),
>   list_for_each_entry(h, &unconfirmed, list) {
>   ct = nf_ct_tuplehash_to_ctrack(h);
>   if (iter(ct, data))
> - goto found;
> + set_bit(IPS_DYING_BIT, &ct->status);
>   }
>   write_unlock_bh(&nf_conntrack_lock);
>   return NULL;
>
>

Re: rmmod ip_conntrack hangs.....

[Patrick McHardy]

Nishit Shah wrote:
> Thanks very much.


Please let me know if that patch works for you, I'll push it
to stable-2.6.16 if it does.

Re: rmmod ip_conntrack hangs.....

[Nishit Shah]

Definatly I will do it and let you know.....

Regards,
Nishit Shah.

----- Original Message ----- 
From: "Patrick McHardy" <kaber@trash.net>
To: "Nishit Shah" <nishit@elitecore.com>
Cc: "Yasuyuki KOZAKAI" <yasuyuki.kozakai@toshiba.co.jp>;
<netfilter-devel@lists.netfilter.org>
Sent: Thursday, April 26, 2007 9:47 PM
Subject: Re: rmmod ip_conntrack hangs.....


> Nishit Shah wrote:
> > Thanks very much.
>
>
> Please let me know if that patch works for you, I'll push it
> to stable-2.6.16 if it does.
>
>
>

Re: rmmod ip_conntrack hangs.....

[Patrick McHardy]

Nishit Shah wrote:
> Well, it is a long time for this reply.....
> 
>             Ya it is working fine for me.I tried a lot to regenrate that
> error in last few months, but no success !!!!


Great. Could you send me the patch you're using so I don't have
to backport it myself?

Re: rmmod ip_conntrack hangs.....

[nishit]

Hi,
         I am adding the patch that patrick had submitted.

diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h
b/include/linux/netfilter_ipv4/ip_conntrack_core.h
index 907d4f5..e3a6df0 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_core.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
@@ -45,7 +45,7 @@ static inline int ip_conntrack_confirm(struct sk_buff
**pskb)
         int ret = NF_ACCEPT;

         if (ct) {
-                if (!is_confirmed(ct))
+                if (!is_confirmed(ct) && !is_dying(ct))
                         ret = __ip_conntrack_confirm(pskb);
                 ip_ct_deliver_cached_events(ct);
         }
diff --git a/include/net/netfilter/nf_conntrack_core.h
b/include/net/netfilter/nf_conntrack_core.h
index 7fdc72c..85634e1 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -64,7 +64,7 @@ static inline int nf_conntrack_confirm(struct sk_buff
**pskb)
         int ret = NF_ACCEPT;

         if (ct) {
-                if (!nf_ct_is_confirmed(ct))
+                if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
                         ret = __nf_conntrack_confirm(pskb);
                 nf_ct_deliver_cached_events(ct);
         }
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c
b/net/ipv4/netfilter/ip_conntrack_core.c
index 07ba1dd..23b99ae 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1254,7 +1254,7 @@ get_next_corpse(int (*iter)(struct ip_conntrack *i,
void *data),
         list_for_each_entry(h, &unconfirmed, list) {
                 ct = tuplehash_to_ctrack(h);
                 if (iter(ct, data))
-                        goto found;
+                        set_bit(IPS_DYING_BIT, &ct->status);
         }
         write_unlock_bh(&ip_conntrack_lock);
         return NULL;
diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index 32891eb..4fdf484 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1070,7 +1070,7 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void
*data),
         list_for_each_entry(h, &unconfirmed, list) {
                 ct = nf_ct_tuplehash_to_ctrack(h);
                 if (iter(ct, data))
-                        goto found;
+                        set_bit(IPS_DYING_BIT, &ct->status);
         }
         write_unlock_bh(&nf_conntrack_lock);
         return NULL;


It seems to me that some changes are required to apply this patch on
2.6.16. So, i am adding the patch for 2.6.16.


--- linux-2.6.16/include/linux/netfilter_ipv4/ip_conntrack_core.h	Fri Jun 
9 20:17:29 2006
+++
linux-2.6.16SMP-9420-nishit/include/linux/netfilter_ipv4/ip_conntrack_core.h	Wed
May 23 12:11:45 2007
@@ -45,9 +45,13 @@
 	int ret = NF_ACCEPT;

 	if (ct) {
-		if (!is_confirmed(ct))
+		if (!is_confirmed(ct) && !is_dying(ct))
 			ret = __ip_conntrack_confirm(pskb);
 		ip_ct_deliver_cached_events(ct);
 	}
 	return ret;
 }
--- linux-2.6.16/include/net/netfilter/nf_conntrack_core.h	Tue Jan  3
17:08:14 2006
+++ linux-2.6.16-9420-nishit/include/net/netfilter/nf_conntrack_core.h	Mon
Oct  8 17:45:14 2007
@@ -61,7 +61,7 @@
 	int ret = NF_ACCEPT;

 	if (ct) {
-		if (!nf_ct_is_confirmed(ct))
+		if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
 			ret = __nf_conntrack_confirm(pskb);
 		nf_ct_deliver_cached_events(ct);
 	}
--- linux-2.6.16/net/ipv4/netfilter/ip_conntrack_core.c	Fri May  5
23:08:09 2006
+++ linux-2.6.16-9420-nishit/net/ipv4/netfilter/ip_conntrack_core.c	Fri
Jul  6 17:30:40 2007
@@ -1357,11 +1376,18 @@
 		if (h)
 			break;
 	}
-	if (!h)
+	if (!h){
 		h = LIST_FIND_W(&unconfirmed, do_iter,
 				struct ip_conntrack_tuple_hash *, iter, data);
-	if (h)
+		if (h){
+			struct ip_conntrack * ct = tuplehash_to_ctrack(h);
+			if (iter(ct, data))
+				set_bit(IPS_DYING_BIT, &ct->status);
+		}
+		h = NULL;
+	}else{
 		atomic_inc(&tuplehash_to_ctrack(h)->ct_general.use);
+	}
 	write_unlock_bh(&ip_conntrack_lock);

 	return h;
--- linux-2.6.16/net/netfilter/nf_conntrack_core.c	Wed Mar 22 15:37:01 2006
+++ linux-2.6.16-9420-nishit/net/netfilter/nf_conntrack_core.c	Thu Oct 11
01:04:33 2007
@@ -1504,11 +1504,18 @@
 		if (h)
 			break;
  	}
-	if (!h)
+	if (!h){
 		h = LIST_FIND_W(&unconfirmed, do_iter,
 				struct nf_conntrack_tuple_hash *, iter, data);
-	if (h)
+		if (h){
+			struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
+			if (iter(ct, data))
+				set_bit(IPS_DYING_BIT, &ct->status);
+		}
+		h = NULL;
+	}else{
 		atomic_inc(&nf_ct_tuplehash_to_ctrack(h)->ct_general.use);
+	}
 	write_unlock_bh(&nf_conntrack_lock);

 	return h;


Rgds,
Nishit Shah.


> Nishit Shah wrote:
>> Well, it is a long time for this reply.....
>>
>>             Ya it is working fine for me.I tried a lot to regenrate that
>> error in last few months, but no success !!!!
>
>
> Great. Could you send me the patch you're using so I don't have
> to backport it myself?
>

Re: rmmod ip_conntrack hangs.....

[Patrick McHardy]

nishit@elitecore.com wrote:
> Hi,
>          I am adding the patch that patrick had submitted.


The patch doesn't apply because your mailer replaced tabs by spaces.
Please resend as attachment, thanks.

Re: rmmod ip_conntrack hangs.....

[Nishit Shah]

[-- Attachment #1: Type: text/plain, Size: 640 bytes --]

Sorry for that !!!!!
                                    I am adding the attachment !!!!

Rgds,
Nishit Shah.

----- Original Message ----- 
From: "Patrick McHardy" <kaber@trash.net>
To: <nishit@elitecore.com>
Cc: "Yasuyuki KOZAKAI" <yasuyuki.kozakai@toshiba.co.jp>; "Netfilter
Development Mailinglist" <netfilter-devel@vger.kernel.org>
Sent: Thursday, October 11, 2007 10:46 AM
Subject: Re: rmmod ip_conntrack hangs.....


> nishit@elitecore.com wrote:
> > Hi,
> >          I am adding the patch that patrick had submitted.
>
>
> The patch doesn't apply because your mailer replaced tabs by spaces.
> Please resend as attachment, thanks.
>

[-- Attachment #2: rmmod_conntrack --]
[-- Type: application/octet-stream, Size: 2615 bytes --]

diff -Paur linux-2.6.16.13/include/linux/netfilter_ipv4/ip_conntrack_core.h linux-2.6.16.13-dev/include/linux/netfilter_ipv4/ip_conntrack_core.h
--- linux-2.6.16.13/include/linux/netfilter_ipv4/ip_conntrack_core.h	Wed May  3 03:08:44 2006
+++ linux-2.6.16.13-dev/include/linux/netfilter_ipv4/ip_conntrack_core.h	Fri Oct 12 19:39:45 2007
@@ -45,7 +45,7 @@
 	int ret = NF_ACCEPT;
 
 	if (ct) {
-		if (!is_confirmed(ct))
+		if (!is_confirmed(ct) && !is_dying(ct))
 			ret = __ip_conntrack_confirm(pskb);
 		ip_ct_deliver_cached_events(ct);
 	}
diff -Paur linux-2.6.16.13/include/net/netfilter/nf_conntrack_core.h linux-2.6.16.13-dev/include/net/netfilter/nf_conntrack_core.h
--- linux-2.6.16.13/include/net/netfilter/nf_conntrack_core.h	Wed May  3 03:08:44 2006
+++ linux-2.6.16.13-dev/include/net/netfilter/nf_conntrack_core.h	Fri Oct 12 19:40:52 2007
@@ -61,7 +61,7 @@
 	int ret = NF_ACCEPT;
 
 	if (ct) {
-		if (!nf_ct_is_confirmed(ct))
+		if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
 			ret = __nf_conntrack_confirm(pskb);
 		nf_ct_deliver_cached_events(ct);
 	}
diff -Paur linux-2.6.16.13/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.16.13-dev/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.16.13/net/ipv4/netfilter/ip_conntrack_core.c	Wed May  3 03:08:44 2006
+++ linux-2.6.16.13-dev/net/ipv4/netfilter/ip_conntrack_core.c	Fri Oct 12 19:30:38 2007
@@ -1251,11 +1251,18 @@
 		if (h)
 			break;
 	}
-	if (!h)
+	if (!h){
 		h = LIST_FIND_W(&unconfirmed, do_iter,
 				struct ip_conntrack_tuple_hash *, iter, data);
-	if (h)
+		if (h){
+			struct ip_conntrack * ct = tuplehash_to_ctrack(h);
+			if (iter(ct, data))
+				set_bit(IPS_DYING_BIT, &ct->status);
+		}
+		h = NULL;
+	}else{
 		atomic_inc(&tuplehash_to_ctrack(h)->ct_general.use);
+	}
 	write_unlock_bh(&ip_conntrack_lock);
 
 	return h;
diff -Paur linux-2.6.16.13/net/netfilter/nf_conntrack_core.c linux-2.6.16.13-dev/net/netfilter/nf_conntrack_core.c
--- linux-2.6.16.13/net/netfilter/nf_conntrack_core.c	Wed May  3 03:08:44 2006
+++ linux-2.6.16.13-dev/net/netfilter/nf_conntrack_core.c	Fri Oct 12 19:38:23 2007
@@ -1504,11 +1504,18 @@
 		if (h)
 			break;
  	}
-	if (!h)
+	if (!h){
 		h = LIST_FIND_W(&unconfirmed, do_iter,
 				struct nf_conntrack_tuple_hash *, iter, data);
-	if (h)
+		if (h){
+			struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
+			if (iter(ct, data))
+				set_bit(IPS_DYING_BIT, &ct->status);
+		}
+		h = NULL;
+	}else{
 		atomic_inc(&nf_ct_tuplehash_to_ctrack(h)->ct_general.use);
+	}
 	write_unlock_bh(&nf_conntrack_lock);
 
 	return h;

Re: rmmod ip_conntrack hangs.....

[Nishit Shah]

Have you receievd the proper attachment ?

Rgds,
Nishit Shah.

----- Original Message ----- 
From: "Nishit Shah" <nishit@elitecore.com>
To: "Patrick McHardy" <kaber@trash.net>
Cc: "Yasuyuki KOZAKAI" <yasuyuki.kozakai@toshiba.co.jp>; "Netfilter
Development Mailinglist" <netfilter-devel@vger.kernel.org>
Sent: Friday, October 12, 2007 8:32 PM
Subject: Re: rmmod ip_conntrack hangs.....


> Sorry for that !!!!!
>                                     I am adding the attachment !!!!
>
> Rgds,
> Nishit Shah.
>
> ----- Original Message ----- 
> From: "Patrick McHardy" <kaber@trash.net>
> To: <nishit@elitecore.com>
> Cc: "Yasuyuki KOZAKAI" <yasuyuki.kozakai@toshiba.co.jp>; "Netfilter
> Development Mailinglist" <netfilter-devel@vger.kernel.org>
> Sent: Thursday, October 11, 2007 10:46 AM
> Subject: Re: rmmod ip_conntrack hangs.....
>
>
> > nishit@elitecore.com wrote:
> > > Hi,
> > >          I am adding the patch that patrick had submitted.
> >
> >
> > The patch doesn't apply because your mailer replaced tabs by spaces.
> > Please resend as attachment, thanks.
> >
>