Re: [PATCH 1/1] netfilter: fix soft lockup when netlink adds new entries


On Thu, Feb 23, 2012 at 01:43:06PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
> 
> On Thu, 23 Feb 2012, Pablo Neira Ayuso wrote:
> 
> > On Tue, Feb 21, 2012 at 04:06:59PM +0100, Jozsef Kadlecsik wrote:
> > > Or do I miss something else here?
> > 
> > I just noticed one problem.
> > 
> > With your approach, we may lose a race if one packet inserts the same conntrack
> > entry while we're adding one conntrack. Thus resulting in two conntracks
> > with the same tuples in the table.
> 
> Yes, you're right, that race condition is possible.
>  
> > One possible solution would be to check if it already exists before
> > adding it to the list, but this will add too many extra cycles for
> > each conntrack that is added via ctnetlink.
> 
> Actually, netfilter for normal conntrack entries does the same in 
> __nf_conntrack_confirm. So entries added via ctnetlink would not be 
> penalized if the same checking were added to ctnetlink_create_conntrack
> in the locked region. Shall I send a patch over the previous one?

Yes, please.
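
The check agreed on in the exchange above (look the tuple up inside the same locked region that does the insert) is sketched below as an added example; it is not part of the original thread and not kernel code. It is a user-space C model in which `struct tuple`, `table_insert`, `table_count` and the pthread mutex are hypothetical stand-ins for the conntrack table and its lock.

```c
/* Added illustration: user-space model, not kernel code; all names are hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

#define NBUCKETS 64
struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct entry { struct tuple t; struct entry *next; };
static struct entry *table[NBUCKETS];
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER; /* stands in for the table lock */

static unsigned hash_tuple(const struct tuple *t)
{
    return (t->src ^ t->dst ^ t->sport ^ t->dport ^ t->proto) % NBUCKETS;
}

static int tuple_equal(const struct tuple *a, const struct tuple *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* With check != 0 the lookup and the insert share one locked region: no duplicates. */
static int table_insert(const struct tuple *t, int check)
{
    unsigned h = hash_tuple(t);
    struct entry *n = malloc(sizeof(*n)); /* allocated before taking the lock */
    int ret = 0;
    if (!n) return -ENOMEM;
    n->t = *t;
    pthread_mutex_lock(&table_lock);
    for (struct entry *e = check ? table[h] : NULL; e; e = e->next)
        if (tuple_equal(&e->t, t)) { ret = -EEXIST; break; }
    if (!ret) { n->next = table[h]; table[h] = n; }
    pthread_mutex_unlock(&table_lock);
    if (ret) free(n);
    return ret;
}

static int table_count(const struct tuple *t)
{
    int c = 0;
    pthread_mutex_lock(&table_lock);
    for (struct entry *e = table[hash_tuple(t)]; e; e = e->next)
        c += tuple_equal(&e->t, t);
    pthread_mutex_unlock(&table_lock);
    return c;
}
```

Calling `table_insert` twice with the same tuple and `check` set to 0 models the lost race and leaves two entries; with `check` set to 1 the second call returns `-EEXIST`.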