Re: [PATCH 4/4] netfilter: conntrack: optional reliable conntrack event delivery

[Pablo Neira Ayuso <pablo@netfilter.org>]

Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> Pablo Neira Ayuso wrote:
>>> This patch improves ctnetlink event reliability if one broadcast
>>> listener has set the NETLINK_BROADCAST_ERROR socket option.
>>
>> This is missing reliable event delivery for _eventmask_report(). I'm
>> going to resend this patch. Sorry and rebase my git tree with the new
>> patch.
> 
> OK thanks. I'll back them out again from my tree :)

There's another issue that I have to fix here that I haven't noticed so far:

+       if (nf_conntrack_event_report(IPCT_DESTROY, ct,
+                                     NETLINK_CB(skb).pid,
+                                     nlmsg_report(nlh)) < 0) {
+               nf_ct_delete_from_lists(ct);
+               /* we failed to report the event, try later */
+               nf_ct_insert_dying_list(ct);
+               nf_ct_put(ct);
+               return 0;
+       }

With this, we send the first destroy event including the netlink pid.
However, in the second try, we send it using netlink pid 0. The netlink
pid is important to notice who has triggered this event (the kernel,
myself or a different process). So I think that I need to add some
structure like:

struct nf_conn_dying {
	struct list_head head;
	u32 pid;
	struct nf_conn *ct;
};

Thus, destroy events are delivered using the original netlink pid. I can
get rid of using the nulls list in that case.

I think this is necessary, or I'm completely driving nuts and seeing
ghosts everywhere :D. Patrick, You still plan to send the patches for
2.6.31 along today? I think that I need one extra day, I have to leave
now and I cannot work on this until tomorrow morning.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers