Eric Dumazet wrote:
> On Thursday, 22 April 2010 at 15:17 +0200, Patrick McHardy wrote:
>> Changli Gao wrote:
>>>> struct nf_conntrack_tuple_hash *
>>>> __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple)
>>>> ...
>>> We should add a retry limit there.
>> We can't do that since that would allow false negatives.
>
> If one hash slot is under attack, then there is a bug somewhere.
>
> If we cannot avoid this, we can fall back to a secure mode at the second
> retry, and take the spinlock.
>
> This way, most lookups stay lockless (one pass), and some might take
> the slot lock to avoid the possibility of a loop.

That sounds like a good idea. But let's wait for Jesper's test results
before we start fixing this problem :)
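The two options discussed above, a plain retry limit versus falling back to the slot lock after the second retry, as an added user-space C model; this is not code from the kernel, from netfilter, or from anyone in this thread. It assumes a small hash table whose chains end in a tagged "nulls" pointer carrying the bucket index (the same idea as the kernel's hlist_nulls), a bool standing in for the spinlock, a constructed attacker that swaps two decoy entries between buckets each time a reader reaches one of them, and MAX_LOCKLESS_PASSES = 2 as one reading of "at the second retry"; the names `walk_chain`, `lookup`, `attacker` and `run_scenario` are all this example's own. With GIVE_UP the bounded retry returns NULL although the target is present (Patrick's false negative); with TAKE_LOCK the third pass runs with the lock held, the writer is excluded, and the entry is found in a bounded number of passes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 4
/* Assumption: one lockless pass plus one lockless retry, then the lock. */
#define MAX_LOCKLESS_PASSES 2

/* Chain node. The chain end is a tagged "nulls" pointer: low bit set,
 * upper bits carry the bucket index, as with the kernel's hlist_nulls. */
struct entry {
    uint32_t key;
    unsigned bucket;      /* bucket the entry currently sits in */
    struct entry *next;   /* next entry, or a nulls marker */
};

static bool is_nulls(const struct entry *p) { return ((uintptr_t)p & 1u) != 0; }
static unsigned nulls_value(const struct entry *p) { return (unsigned)((uintptr_t)p >> 1); }
static struct entry *make_nulls(unsigned b) { return (struct entry *)(((uintptr_t)b << 1) | 1u); }

struct table;
typedef void (*mutator_fn)(struct table *t, struct entry *cur);

struct table {
    struct entry *head[NBUCKETS];
    bool locked;          /* stand-in for the conntrack slot spinlock */
    mutator_fn mutator;   /* simulated concurrent writer, NULL if none */
};

static unsigned hash_key(uint32_t key) { return key % NBUCKETS; }

static void table_init(struct table *t, mutator_fn m) {
    for (unsigned i = 0; i < NBUCKETS; i++) t->head[i] = make_nulls(i);
    t->locked = false;
    t->mutator = m;
}

/* Push e onto the head of bucket b. */
static void push(struct table *t, struct entry *e, unsigned b) {
    e->next = t->head[b];
    e->bucket = b;
    t->head[b] = e;
}

/* Unlink e from its bucket and push it onto bucket `to`. A reader that
 * already holds e will now follow e->next into the new chain and end at
 * the wrong nulls marker, which is what triggers the restart. */
static void move(struct table *t, struct entry *e, unsigned to) {
    struct entry **pp = &t->head[e->bucket];
    while (*pp != e) pp = &(*pp)->next;
    *pp = e->next;
    push(t, e, to);
}

enum policy { GIVE_UP, TAKE_LOCK };
struct lookup_stats { int passes; bool took_lock; };
static struct lookup_stats last_stats;

/* Walk bucket b. Sets *restart when the chain ended at another bucket's
 * nulls marker, i.e. an entry was moved out from under the reader. */
static struct entry *walk_chain(struct table *t, unsigned b, uint32_t key, bool *restart) {
    struct entry *p = t->head[b];
    *restart = false;
    while (!is_nulls(p)) {
        if (p->key == key) return p;
        /* a writer may move p between our reading p and reading p->next;
         * holding the lock excludes it */
        if (t->mutator && !t->locked) t->mutator(t, p);
        p = p->next;
    }
    if (nulls_value(p) != b) *restart = true;
    return NULL;
}

static struct entry *lookup(struct table *t, uint32_t key, enum policy pol) {
    unsigned b = hash_key(key);
    struct entry *found = NULL;
    bool restart;
    last_stats.passes = 0;
    last_stats.took_lock = false;
    for (;;) {
        if (last_stats.passes >= MAX_LOCKLESS_PASSES && !last_stats.took_lock) {
            if (pol == GIVE_UP) break;   /* bounded retry: may return a false negative */
            t->locked = true;            /* fallback: serialise against writers */
            last_stats.took_lock = true;
        }
        last_stats.passes++;
        found = walk_chain(t, b, key, &restart);
        if (found || !restart) break;
    }
    if (last_stats.took_lock) t->locked = false;
    return found;
}

/* Constructed attacker model: two decoys are swapped between the victim
 * bucket and a neighbour whenever a reader reaches one of them, so every
 * lockless pass over the victim bucket lands on the wrong nulls marker. */
static struct entry decoy_a = { .key = 100 }, decoy_b = { .key = 101 };
static struct entry target = { .key = 7 };

static void attacker(struct table *t, struct entry *cur) {
    if (cur != &decoy_a && cur != &decoy_b) return;
    struct entry *other = (cur == &decoy_a) ? &decoy_b : &decoy_a;
    unsigned cur_b = cur->bucket, other_b = other->bucket;
    move(t, cur, other_b);
    move(t, other, cur_b);
}

/* Build the table (constructed layout), optionally with the attacker
 * active, and look up the target. Returns the key found or -1. */
static int run_scenario(enum policy pol, bool attacked) {
    struct table t;
    table_init(&t, attacked ? attacker : NULL);
    push(&t, &target, hash_key(target.key));    /* target in bucket 3 */
    push(&t, &decoy_a, hash_key(target.key));   /* decoy ahead of the target */
    push(&t, &decoy_b, 0);                      /* partner decoy in another bucket */
    struct entry *e = lookup(&t, target.key, pol);
    return e ? (int)e->key : -1;
}

int main(void) {
    int k = run_scenario(TAKE_LOCK, true);
    printf("attacked, lock fallback: key=%d passes=%d took_lock=%d\n", k, last_stats.passes, (int)last_stats.took_lock);
    k = run_scenario(GIVE_UP, true);
    printf("attacked, retry limit only: key=%d passes=%d\n", k, last_stats.passes);
    k = run_scenario(TAKE_LOCK, false);
    printf("no writer: key=%d passes=%d\n", k, last_stats.passes);
    return 0;
}
```

The quiet case completes in a single lockless pass, which is the common path Eric wants to keep; only a bucket that keeps changing under the reader pays for the lock, and even then the number of passes is bounded and the result is never a false negative.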