Philip Craig wrote:
> Patrick McHardy wrote:
>> [NETFILTER]: nf_conntrack: optimize hash_conntrack()
>>
>> Avoid calling jhash three times and hash the entire tuple in one go.
>
> This has broken conntrack on a big endian ARM platform. 'conntrack -L'
> shows many unreplied connections all with the same addresses/ports,
> instead of just one connection.
>
> It seems the problem is that we are now hashing the padding in struct
> nf_conntrack_tuple, which we previously didn't, and this padding isn't
> always zeroed, so the hash gives garbage.
>
> Changing NF_CT_TUPLE_U_BLANK() to memset the whole tuple fixes it.
>
> Adding __attribute__ ((packed)) everywhere to remove the padding
> didn't seem to fix it, but I don't understand why... maybe I did
> something wrong still. This probably isn't a solution anyway since
> these structs are used in userspace?
>
> I'm not sure what's special about big-endian or ARM to only affect
> this platform. Any ideas?
>
> I can work on this more tomorrow.

Thanks for tracking this down, I didn't realize we had holes
in struct nf_conntrack_tuple on ARM. There are two ways to
fix this, one is to remove the padding, the other one is to
clear the padding as you did. We could join all the tuple
structs to avoid padding, but unfortunately that probably
won't help because the port structs are also padded. Maybe
attribute(packed) on the individual port structs within the
union will work, I'm not sure about that.
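The failure mode discussed in this thread, as an added example that is not code from the thread or from the kernel: hashing a whole struct also hashes its padding, so the same connection hashes differently depending on stale memory unless the struct is cleared first. `struct demo_tuple`, the FNV-1a hash (standing in for jhash) and the sample addresses are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tuple for illustration, NOT the kernel's struct nf_conntrack_tuple. */
struct demo_tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port, l3num;
    uint8_t  protonum;   /* 15 bytes of fields; the compiler pads the rest */
};

/* Bytes of the object that belong to no field. */
size_t padding_bytes(void) { return sizeof(struct demo_tuple) - (4 + 4 + 2 + 2 + 2 + 1); }

/* FNV-1a over raw bytes, a simple stand-in for the kernel's jhash. */
uint32_t hash_bytes(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

#define PUT(raw, field, val) \
    memcpy((raw) + offsetof(struct demo_tuple, field), &(val), sizeof(val))

/* Hash one fixed (constructed) connection built in memory that previously
 * held `garbage`. zero_first models the memset-the-whole-tuple fix. */
uint32_t hash_tuple(unsigned char garbage, int zero_first)
{
    unsigned char raw[sizeof(struct demo_tuple)];
    uint32_t src_ip = 0xC0A80001u, dst_ip = 0xC0A80002u;
    uint16_t src_port = 40000, dst_port = 80, l3num = 2;
    uint8_t protonum = 6;

    memset(raw, garbage, sizeof(raw));              /* stale memory contents */
    if (zero_first) memset(raw, 0, sizeof(raw));    /* clears fields and padding */
    /* Field-by-field initialisation: padding bytes are never written. */
    PUT(raw, src_ip, src_ip);     PUT(raw, dst_ip, dst_ip);
    PUT(raw, src_port, src_port); PUT(raw, dst_port, dst_port);
    PUT(raw, l3num, l3num);       PUT(raw, protonum, protonum);
    return hash_bytes(raw, sizeof(raw));            /* whole object, padding included */
}

int main(void)
{
    printf("padding bytes: %zu\n", padding_bytes());
    printf("not zeroed: %08x vs %08x\n", (unsigned)hash_tuple(0xA5, 0), (unsigned)hash_tuple(0x5A, 0));
    printf("zeroed:     %08x vs %08x\n", (unsigned)hash_tuple(0xA5, 1), (unsigned)hash_tuple(0x5A, 1));
    return 0;
}
```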