Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> Patrick McHardy wrote:
>>>>> Pablo, please let me know whether you want me to apply this.
>>>> ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that
>>>> are confirmed (in case of a helper update for an existing conntrack).
>>>> That would also trigger the assertion. If we want to support helper
>>>> assignation via ctnetlink for existing conntracks, we will need to add
>>>> locking to the conntrack extension infrastructure to avoid races.
>>>>
>>>> I don't see a clear solution for this yet.
>>> I see, this is indeed a problem. Since the helper is known at the
>>> first event, we could restrict this to only allow manual assignment
>>> for newly created conntracks. Most helpers probably can't properly
>>> cope with connections not seen from the beginning anyways.
>> Indeed, changing the helper in the middle of the road doesn't make too
>> much sense to me either. I can send you a patch for this along today,
>> I'll find some spare time to do it.
>
> Great, thanks Pablo.
I have slightly tested the following patch here. I think it should fix
the problem.
We can revisit ctnetlink_change_helper() later, I think there's some
code there that can be refactored.
Let me know if you're OK with it.