Re: HTTP connection tracking

Jan Engelhardt wrote:
> On Monday 2008-07-07 16:20, Patrick McHardy wrote:
>>>>> Connection helpers seemed like a good idea at first, since
>>>>> expected connections inherit the connmark value of the original
>>>>> connection. However, once an expectation is set up, there is no
>>>>> way to set up another right after one expectation has been
>>>>> confirmed.
>>>> Why not?
>>>
>>> Hm, so this is possible through the conntrack notifier chain?
>>
>> Why the notifier chain? You can use expectfns for that.
>
> Could this be prone to races -- windows where no exp is set up
> but a connection is already made?
>
> - core#1 create tcp packet (src:1024 -> dst:80)
> - core#1 send off, conntrack hook sees it
> - core#2 creates expectation (src:0 -> dst:80)
> - core#2 create tcp packet (src:1025 -> dst:80)
> - core#2 send off, conntrack sees it, confirms exp.
> - core#3 create tcp packet (src:1026 -> dst:80)
> - core#3 no expectation yet => bad
> - core#2 notification delivered, exp. (src:0 -> dst:80) created

Expectation registration, notifier calls and expectfn calls
are all synchronous, so there should be no race.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
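A small model of the core#1/#2/#3 interleaving discussed in the thread, added here as an illustration (it is not code from the thread or from the kernel): it replays the packet sequence once with the follow-up expectation registered from a deferred notification and once with it registered synchronously at confirmation time, the way an expectfn runs. The Tracker class, the one-shot matching rule and the extra trailing packet are constructed assumptions.

```python
"""Toy model of the race scenario above (constructed example, not kernel code).

An expectation is consumed when a packet matches it. The replacement expectation
is either created synchronously at confirmation (expectfn) or later, when a
deferred notification is delivered; only the deferred variant leaves a window.
"""
from collections import deque


class Tracker:
    def __init__(self, synchronous):
        self.synchronous = synchronous   # True: expectfn; False: deferred notifier
        self.expectations = set()        # (src_port, dst_port); src 0 = wildcard
        self.pending = deque()           # notifier work not yet delivered

    def register(self, src, dst):
        self.expectations.add((src, dst))

    def packet(self, src, dst):
        """Return True if a matching expectation existed, consuming it."""
        for exp in list(self.expectations):
            if exp[0] in (0, src) and exp[1] == dst:
                self.expectations.discard(exp)        # one-shot, as in conntrack
                if self.synchronous:
                    self.register(0, dst)             # expectfn: next exp exists now
                else:
                    self.pending.append((0, dst))     # notifier: created later
                return True
        return False

    def deliver_notifications(self):
        while self.pending:
            self.register(*self.pending.popleft())


def run_scenario(synchronous):
    """Replay the core#1/#2/#3 sequence; return each packet's match result."""
    t = Tracker(synchronous)
    results = [t.packet(1024, 80)]      # core#1: no expectation yet
    t.register(0, 80)                   # core#2 creates expectation src:0 -> dst:80
    results.append(t.packet(1025, 80))  # core#2: confirms (consumes) it
    results.append(t.packet(1026, 80))  # core#3: is a fresh expectation in place?
    t.deliver_notifications()           # core#2's deferred notification arrives
    results.append(t.packet(1027, 80))  # a later flow (constructed), after delivery
    return results


if __name__ == "__main__":
    print("notifier:", run_scenario(False))   # third packet misses: the window
    print("expectfn:", run_scenario(True))    # third packet matches: no window
```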
