Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> Patrick McHardy wrote:
>>> Ramblewski David wrote:
>>>> Hi Eric,
>>>>
>>>> The conntrack patch works successfully.
>>>>
>>>>>> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
>>>>>> index 0ffe689..d2657aa 100644
>>>>>> --- a/net/netfilter/nf_conntrack_netlink.c
>>>>>> +++ b/net/netfilter/nf_conntrack_netlink.c
>>>>>> @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
>>>>>> unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
>>>>>> d = ct->status ^ status;
>>>>>>
>>>>>> - if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
>>>>>> + if (d & (IPS_EXPECTED|IPS_DYING))
>>>>>> /* unchangeable */
>>>>>> return -EBUSY;
>>>>> I think that we should explicitly report if the user unsets
>>>>> IPS_CONFIRMED. Please, don't change this.
>>>>>
>>>>> Apart from that, the patch seems fine to me. Thanks!
>>>> Problem is we now (I mean after my patch) enter
>>>> ctnetlink_change_status() with ct->status being null (or at least,
>>>> IPS_CONFIRMED not set)
>>> Pablo, please let me know whether you want me to apply this.
>> ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that
>> are confirmed (in case of a helper update for an existing conntrack).
>> That would also trigger the assertion. If we want to support helper
>> assignation via ctnetlink for existing conntracks, we will need to add
>> locking to the conntrack extension infrastructure to avoid races.
>>
>> I don't see a clear solution for this yet.
>
> I see, this is indeed a problem. Since the helper is known at the
> first event, we could restrict this to only allow manual assignment
> for newly created conntracks. Most helpers probably can't properly
> cope with connections not seen from the beginning anyways.

Indeed, changing the helper in the middle of the road doesn't make too much sense to me either. I can send you a patch for this along today; I'll find some spare time to do it.
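Review bot: Dropping IPS_CONFIRMED from the mask on the `-`/`+` lines of the ctnetlink_change_status() hunk means a status update that clears IPS_CONFIRMED on an already-confirmed conntrack is no longer rejected with -EBUSY, which is exactly the case Pablo asks to keep reporting, and the `/* unchangeable */` comment no longer describes the check. Since the motivation is that newly created entries reach ctnetlink_change_status() without IPS_CONFIRMED set (so any requested status carrying IPS_CONFIRMED shows up in `d`), a narrower fix would reject only the clearing direction, e.g. `if ((d & IPS_CONFIRMED) && (ct->status & IPS_CONFIRMED)) return -EBUSY;` next to the remaining IPS_EXPECTED|IPS_DYING test, rather than removing the bit from the mask entirely.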