On Saturday 30 January 2010 at 02:36 -0500, Jon Masters wrote:
> I'll play later. Right now, I'm looking over every iptables/ip call
> libvirt makes - it explicitly plays with the netns for the loopback,
> which looks interesting. Supposing it does cause the hashtables to get
> unintentionally zeroed or the sizing to get wiped out, we should also
> nonetheless catch the case that the hash function generates a whacko
> number or that the hash size is set to zero when we want to use it.
>

I asked you if you had multiple namespaces, because I was not sure whether the conntrack hash was global (shared by all namespaces) or local.

If it is local, then we have a bug, because nf_conntrack_cachep is still shared. Because of the SLAB_DESTROY_BY_RCU constraint, we must use a distinct cachep, or an object can be freed from one namespace and immediately reused in another namespace, without lookups being able to notice.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
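The reuse hazard described in the reply above, as an added userspace simulation (this is illustrative code written for this page, not code from the netfilter tree or from the thread's authors). It models the SLAB_DESTROY_BY_RCU property that matters here: a freed object's memory is not returned to the allocator but may be handed out again by the same cache immediately, so an RCU reader that already holds a pointer to it can observe the object re-initialised by another owner. The namespace ids, the slot-based "cache", the sample tuple and the function names (`race`, `find_get`, `cache_alloc`) are assumptions made for the example; the real kernel uses hlist_nulls chains and atomic_inc_not_zero, which are reduced here to a plain refcount and a sequential interleaving.

```c
/* Simulation of the SLAB_DESTROY_BY_RCU reuse hazard with a shared cache.
 * Illustrative example only; not code from the netfilter tree. */
#include <stdint.h>
#include <stdio.h>

#define CACHE_SLOTS 2

struct tuple { uint32_t src, dst; uint16_t sport, dport; };

struct conn {
	struct tuple tuple;
	int net;    /* id of the namespace that owns this entry (assumed model) */
	int refcnt; /* 0 == freed; the memory stays valid and reusable */
};

/* A cache whose freed slots are reused immediately and never unmapped,
 * which is the property SLAB_DESTROY_BY_RCU gives to readers. */
struct cache { struct conn slots[CACHE_SLOTS]; };

static struct conn *cache_alloc(struct cache *c, int net, const struct tuple *t)
{
	for (int i = 0; i < CACHE_SLOTS; i++) {
		struct conn *ct = &c->slots[i];
		if (ct->refcnt == 0) {          /* first free slot is recycled */
			ct->tuple = *t;
			ct->net = net;
			ct->refcnt = 1;
			return ct;
		}
	}
	return NULL;
}

static void cache_free(struct conn *ct)
{
	ct->refcnt = 0;  /* contents are left in place, as a slab does */
}

static int tuple_equal(const struct tuple *a, const struct tuple *b)
{
	return a->src == b->src && a->dst == b->dst &&
	       a->sport == b->sport && a->dport == b->dport;
}

/* What a reader does once it holds a candidate pointer taken under RCU:
 * compare the key, take a reference (fails if refcnt is 0), then re-check
 * the key because the object may have been freed and reused meanwhile.
 * check_net additionally compares the owning namespace. */
static struct conn *find_get(struct conn *cand, int net,
			     const struct tuple *key, int check_net)
{
	if (!tuple_equal(&cand->tuple, key))
		return NULL;
	if (check_net && cand->net != net)
		return NULL;
	if (cand->refcnt == 0)      /* atomic_inc_not_zero() would fail here */
		return NULL;
	cand->refcnt++;
	if (!tuple_equal(&cand->tuple, key) || (check_net && cand->net != net)) {
		cand->refcnt--;
		return NULL;
	}
	return cand;
}

/* Interleaving: a reader in namespace 1 fetches a pointer from its hash
 * chain; before it validates the entry, namespace 1 frees it and namespace
 * 2 creates a flow with an identical tuple. Returns 1 if the namespace 1
 * reader ends up holding the entry that now belongs to namespace 2. */
int race(int shared_cache, int check_net)
{
	struct cache c1 = {{{{0}}}}, c2 = {{{{0}}}};
	struct cache *ns2_cache = shared_cache ? &c1 : &c2;
	/* constructed sample flow: 10.0.0.1:40000 -> 10.0.0.2:80 */
	struct tuple t = { 0x0a000001, 0x0a000002, 40000, 80 };

	struct conn *ct = cache_alloc(&c1, 1, &t);
	struct conn *cand = ct;                 /* pointer held by the RCU reader */
	cache_free(ct);                         /* namespace 1 tears the flow down */
	cache_alloc(ns2_cache, 2, &t);          /* namespace 2 allocates, same tuple */
	struct conn *found = find_get(cand, 1, &t, check_net);
	return found != NULL && found->net == 2;
}

int main(void)
{
	printf("shared cache, tuple-only check:   %s\n", race(1, 0) ? "WRONG OBJECT" : "ok");
	printf("shared cache, tuple+net check:    %s\n", race(1, 1) ? "WRONG OBJECT" : "ok");
	printf("per-ns cache, tuple-only check:   %s\n", race(0, 0) ? "WRONG OBJECT" : "ok");
	return 0;
}
```

With the shared cache and a tuple-only re-check the reader walks away with namespace 2's entry, which is the failure the reply describes. Either remedy closes it in this model: a cache per namespace means the recycled memory can only ever hold an entry of the same namespace, so the stale refcount of 0 is seen and the lookup fails; comparing the owning namespace in the re-check catches the swap even when the cache is shared.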