On Monday 2008-07-07 16:20, Patrick McHardy wrote:

>>
>> Connection helpers seemed like a good idea at first, since
>> expected connections inherit the connmark value of the original
>> connection. However, once an expectation is set up, there is no
>> way to set up another right after one expectation has been
>> confirmed.
>
> Why not?
>

Hm, so this is possible through the conntrack notifier chain?
Could this be prone to races -- windows where no exp is set up
but a connection is already made?

- core#1 create tcp packet (src:1024 -> dst:80)
- core#1 send off, conntrack hook sees it
- core#2 creates expectation (src:0 -> dst:80)
- core#2 create tcp packet (src:1025 -> dst:80)
- core#2 send off, conntrack sees it, confirms exp.
- core#3 create tcp packet (src:1026 -> dst:80)
- core#3 no expectation yet => bad
- core#2 notification delivered, exp. (src:0 -> dst:80) created