Re: Possible race condition in conntracking

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Patrick McHardy

Subject: Re: Possible race condition in conntracking

Date: Tuesday, January 27, 2009 - 6:48 am

Tobias Klausmann wrote:
quoted text> So the question remains what to do instead and how to do it. That
> probably is deep Netfilter mojo, so I could only speculate wildly.
> 
>> You should see the insert_failed conntrack counter show this
>> (/proc/net/stat/nf_conntrack).
> 
> We do, as I said in my first mail. Near as I can tell,
> nf_conntrack_confirm() is the only function that ever increases
> that counter, so it's definitely dropped there. As to how one
> could handle it differently, I have to defer to people with more
> Netfilter expertise. No point in "fixing" this by breaking other
> stuff.

Fixing this requires some rather intrusive changes. We need
to perform a lookup on the unconfirmed list when a conntrack
is not found in the hash and use the one we find there, if any.
The entries on that list are not reference counted and there
are a lot of assumptions in the code that an unconfirmed conntrack
is exclusively associated with a single packet. This needs to
be audited and fixed, but it looks quite hard.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Possible race condition in conntracking, Tobias Klausmann, (Tue Jan 27, 12:57 am)

Re: Possible race condition in conntracking, Patrick McHardy, (Tue Jan 27, 2:20 am)

Re: Possible race condition in conntracking, Tobias Klausmann, (Tue Jan 27, 6:06 am)

Re: Possible race condition in conntracking, Patrick McHardy, (Tue Jan 27, 6:14 am)

Re: Possible race condition in conntracking, Tobias Klausmann, (Tue Jan 27, 6:28 am)

Re: Possible race condition in conntracking, Patrick McHardy, (Tue Jan 27, 6:48 am)


linux-kernel:
Mr. James W. Laferriere	Re: Linux 2.6.25-rc1 , syntax error near unexpected token `;'
Linus Torvalds	Linux 2.6.34-rc4
David Miller	Re: 'global' rq->clock
Christoph Lameter	Re: [bug] SLUB + mm/slab.c boot crash in -rc9
Uwe	NOHZ: local_softirq_pending 20
git:
Len Brown	Re: fatal: unable to create '.git/index': File exists
Oliver Hoffmann	git init --bare versus git --bare init
Sam Vilain	Re: RFC: Flat directory for notes, or fan-out? Both!
Linus Torvalds	Re: git-diff should not fire up $PAGER, period!
Jonathan Nieder	Re: git-daemon serving repos with repo.git/git-daemon-export-ok
linux-netdev:
Jamie Lokier	Re: POHMELFS high performance network filesystem. Transactions, failover, performa...
William Allen Simpson	[net-next-2.6 PATCH v8 0/7] TCPCT part 1: cookie option exchange
Steffen Klassert	[PATCH] 3c59x: Use device_set_wakeup_enable
Chuck Ebbert	Oops in nf_nat_core.c:find_appropriate_src(), kernel 2.6.25.4
Ilpo Järvinen	Re: [PATCH v2] tcp: fix MSG_PEEK race check
openbsd-misc:
Sevan / Venture37	Re: This is what Linus Torvalds calls openBSD crowd
Netmaffia.hu	Tini Lányok AKCIÓBAN OTTHON
Darrin Chandler	Re: OT: Python (was Re: vi in /bin)
Gilles Chehade	Re: Longest Uptime?
KURS ENGLESKOG JEZIKA NA 10 CD-a	AUDIO-VIZUELNA METODA UCENJA ENGLESKOG JEZIKA na 10 CD-a
git-commits-head:
Linux Kernel Mailing List	ASoC: fix registration of the SoC card in the Freescale MPC8610 drivers
Linux Kernel Mailing List	drivers/acpi: use kasprintf
Linux Kernel Mailing List	checkpatch: add check for too short Kconfig descriptions
Linux Kernel Mailing List	V4L/DVB (10826): cx88: Add IR support to pcHDTV HD3000 & HD5500
Linux Kernel Mailing List	[ARM] Remove asm/hardware.h, use asm/arch/hardware.h instead