On 12.04.2011 23:59, Pablo Neira Ayuso wrote:
> Hi Patrick,
>
> The following patches rework the userspace expectation support
> to fix one problematic scenario: if the master conntrack vanishes
> while there are still userspace expectations, we hit an oops
> in the destroy event path for expectations.

Just wondering, how can this happen? We take a reference for userspace
expectations just as we do for kernel expectations.

Ok, I see, we are releasing it again at the end of
ctnetlink_create_expect(), that seems to be the actual problem if I'm
not mistaken.

>
> The idea to fix this is to extend the iptables CT target to
> explicitly allocate the helper extension for conntracks that
> are supposed to behave as master for user-space expectations.
>
> In the case of the userspace FTP helper, people would need
> to add the following rule:
>
> iptables -A PREROUTING -t raw \
>     -p tcp --dport 21 -j CT --userspace-helper
>
> Thus, we can store the list of expectations that belong to
> one master, and delete them in case that the master vanishes.