It looks like the netfilter NF_QUEUE interface is inherently racy because it puts a pointer to the nf_hook list element onto the queue, and then later processes and tries to validate that the pointer is still in the list. What happens if during the interim the hook is removed, and a new hook is added that just happens to be at the same address? Not a real disaster, it just means the packet will get processed by the wrong hook, maybe leaking through or getting dropped. Couldn't an id be used instead of a pointer?
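The address-reuse case raised in the message above, as an added user-space example that is not part of the original post and is not kernel code: a queued entry is validated once by pointer and once by a never-reused id after its hook is removed and another is registered at the same address. The slot pool, struct layouts and function names are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdint.h>

/* User-space model; these names are illustrative, not kernel APIs. */
struct hook { int in_use; uint64_t id; const char *name; };

#define NSLOTS 4
static struct hook slots[NSLOTS]; /* fixed pool: address reuse is deterministic */
static uint64_t next_id = 1;      /* monotonic, never reused */

static struct hook *hook_register(const char *name) {
    for (size_t i = 0; i < NSLOTS; i++)
        if (!slots[i].in_use) {
            slots[i] = (struct hook){ 1, next_id++, name };
            return &slots[i];
        }
    return NULL;
}
static void hook_unregister(struct hook *h) { h->in_use = 0; }

/* What a queued packet remembers about the hook that queued it. */
struct queued { const struct hook *ptr; uint64_t id; };

/* Pointer validation: is this address still on the list? */
static int valid_by_ptr(const struct queued *q) {
    for (size_t i = 0; i < NSLOTS; i++)
        if (slots[i].in_use && &slots[i] == q->ptr) return 1;
    return 0;
}
/* Id validation: is the hook with this id still on the list? */
static int valid_by_id(const struct queued *q) {
    for (size_t i = 0; i < NSLOTS; i++)
        if (slots[i].in_use && slots[i].id == q->id) return 1;
    return 0;
}

/* Queue a packet from hook A, optionally replace A with B, then validate.
   Returns (pointer check << 1) | id check. */
static int scenario(int replace_hook) {
    for (size_t i = 0; i < NSLOTS; i++) slots[i].in_use = 0;
    struct hook *a = hook_register("A");
    struct queued q = { a, a->id };
    if (replace_hook) { hook_unregister(a); hook_register("B"); } /* B takes A's slot */
    return (valid_by_ptr(&q) << 1) | valid_by_id(&q);
}

int main(void) {
    printf("hook kept: %d, hook replaced: %d\n", scenario(0), scenario(1));
    return 0;
}
```

With the hook replaced, the pointer check still passes while the id check rejects the stale entry, which is the difference the message asks about.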