Patrick McHardy a écrit :
> Eric Dumazet wrote:
>> Hi Patrick
>>
>> Here is the patch I had the time to test this time...
>> No problem so far on my machine.
>> I did a UDP flood stress.
>
> Thanks Eric. Most parts looks good, just two questions below:
>
>> diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
>> b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
>> index 6ba5c55..fcbcf62 100644
>> --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
>> +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
>> @@ -25,30 +25,30 @@ struct ct_iter_state {
>> unsigned int bucket;
>> };
>>
>> -static struct hlist_node *ct_get_first(struct seq_file *seq)
>> +static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
>> {
>> struct net *net = seq_file_net(seq);
>> struct ct_iter_state *st = seq->private;
>> - struct hlist_node *n;
>> + struct hlist_nulls_node *n;
>>
>> for (st->bucket = 0;
>> st->bucket < nf_conntrack_htable_size;
>> st->bucket++) {
>> n = rcu_dereference(net->ct.hash[st->bucket].first);
>> - if (n)
>> + if (!is_a_nulls(n))
>> return n;
>> }
>> return NULL;
>> }
>
> Don't we need to make sure the entry is not reused while dumping
> it?
>
Ah yes, I forgot that for UDP/TCP I had to change locking on this part.
Because messing with reference count was crazy...
But in UDP/TCP we have different spinlock for each chain, so hold time
was small enough.
So I guess that with central conntrack lock, we need to take references on entries
while dumping them.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
