Re: [PATCH] nf_conntrack_core: Updated nf_conntrack to destroy/refresh conn irrespective of del_timer status

Kapil Juneja wrote:
Currently NF_CONNTRACK assumes that a running timer is present before refreshing
the connection or destroying it. This may not be the case when, for example,
another forwarding engine hooks up to it to listen to new connections
but disables the NF_CONNTRACK timer in order to have more control.
In such a scenario, only control packets may be terminated to NF_CONNTRACK for
it to decode and update the connection status. It will not impact the present
scenario of kernel forwarding without the aid of any forwarding engine.

Do you have a pointer to the code you're talking about?

+		if (newtime - ct->timeout.expires >= HZ) {
+			/*
+			 * The timer could have already been deleted
+			 * while still alive (for example connection
+			 * offloaded to a forwarding module other than
+			 * the kernel stack).
+			 */
+			mod_timer(&ct->timeout, newtime);
 			event = IPCT_REFRESH;
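
Review bot: the unconditional mod_timer(&ct->timeout, newtime) in this hunk cannot distinguish a timer that an external forwarding engine removed from a still-live connection from one that has already fired and whose handler is in the middle of destroying the conntrack; re-arming the timer in the second case revives an entry that is being freed, which is a use-after-free risk. Keep the guard that only re-arms when del_timer() reports the timer was still pending, so an expired timer is never touched, and track the offloaded case with explicit per-connection state that the refresh path can test instead of inferring it from the timer being absent. The new comment should also state who is expected to have deleted the timer and why re-arming it is safe in that situation; the "other chunk" the reply mentions is not shown here, so it gets no separate comment.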

This adds a race: we don't want to update the timer if it already
went off, since that means the connection is already destroyed.
Same problem with the other chunk.
