On Thu, 17 Nov 2011, Gao feng wrote:

> On 2011-11-17 16:07, Jozsef Kadlecsik wrote:
> > No, the connection entry won't be destroyed by nf_ct_kill. Why do you
> > think so?
>
> nf_ct will be destroyed when tcp_packet returns -NF_REPEAT to nf_conntrack_in.
> nf_conntrack_in will call nf_conntrack_put to destroy nf_conn.
> nf_conntrack_in:
>
>       ret = l4proto->packet(ct, skb, dataoff, ctinfo, pf, hooknum);
>       if (ret <= 0) {
>               /* Invalid: inverse of the return code tells
>                * the netfilter core what to do */
>               pr_debug("nf_conntrack_in: Can't track with proto module\n");
>               nf_conntrack_put(skb->nfct);
>               skb->nfct = NULL;
>               NF_CT_STAT_INC_ATOMIC(net, invalid);
>               if (ret == -NF_DROP)
>                       NF_CT_STAT_INC_ATOMIC(net, drop);
>               return -ret;
>       }
>
> Am I wrong?

No, but I still don't get what's the problem with the code segment you
cited. You left out the comment:

	} else if (((state->state == TCP_CONNTRACK_SYN_SENT
		     && dir == IP_CT_DIR_ORIGINAL)
		    || (state->state == TCP_CONNTRACK_SYN_RECV
			&& dir == IP_CT_DIR_REPLY))
		   && after(end, sender->td_end)) {
		/*
		 * RFC 793: "if a TCP is reinitialized ... then it need
		 * not wait at all; it must only be sure to use sequence
		 * numbers larger than those recently used."
		 */

This is the reinitialization case in the SYN_SENT and SYN_RECV states.
We destroy the connection in the reopen case, and in that path the code
segment above won't be called as you noticed.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
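The two decisions the thread is about, as a small user-space model added here for illustration (this is not kernel code and not from either poster): first, the post-`l4proto->packet()` path of nf_conntrack_in, where a return value `<= 0` marks the packet invalid, drops the skb's conntrack reference and hands `-ret` back as the verdict (so `-NF_REPEAT` from the tracker becomes an NF_REPEAT verdict with the conntrack already released); second, the TCP reinitialization test quoted by Jozsef, which only fires for a SYN in SYN_SENT (original direction) or SYN_RECV (reply direction) whose sequence end lies strictly after the sender's recorded `td_end`, with the wraparound-safe `after()` comparison. The verdict and state constants are copied from their upstream values but are assumptions of this model; `model_ct`, `model_skb` and the `model_*` functions are hypothetical stand-ins.

```c
/* Model of the two decisions discussed in the thread (added example,
 * not kernel code). Enum values mirror upstream but are assumed here. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Netfilter verdicts. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_REPEAT = 4 };

/* TCP conntrack states and packet directions used by the reinit test. */
enum { TCP_CONNTRACK_SYN_SENT = 1, TCP_CONNTRACK_SYN_RECV = 2 };
enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };

/* Modular "s1 is strictly after s2" on 32-bit sequence numbers, the same
 * definition as the kernel's after() helper: safe across wraparound. */
static bool seq_after(uint32_t s1, uint32_t s2)
{
	return (int32_t)(s1 - s2) > 0;
}

/* Decision 2: does this segment fall into the RFC 793 reinitialization
 * branch (SYN_SENT/original or SYN_RECV/reply, and end after td_end)? */
static bool tcp_is_reinit(int state, int dir, uint32_t end, uint32_t td_end)
{
	return (((state == TCP_CONNTRACK_SYN_SENT && dir == IP_CT_DIR_ORIGINAL) ||
		 (state == TCP_CONNTRACK_SYN_RECV && dir == IP_CT_DIR_REPLY)) &&
		seq_after(end, td_end));
}

/* Hypothetical stand-ins for the conntrack entry and the skb's reference. */
struct model_ct { int refcnt; bool freed; };
struct model_skb { struct model_ct *nfct; };

static void model_ct_put(struct model_ct *ct)
{
	if (--ct->refcnt == 0)
		ct->freed = true;	/* last reference gone: entry destroyed */
}

/* Decision 1: nf_conntrack_in after l4proto->packet() returned ret.
 * ret <= 0 is "invalid": release the conntrack, count it, return -ret
 * as the verdict. Note -NF_DROP == 0, so ret == 0 is the drop case. */
static int model_conntrack_in(struct model_skb *skb, int ret,
			      unsigned *invalid, unsigned *drop)
{
	if (ret <= 0) {
		model_ct_put(skb->nfct);
		skb->nfct = NULL;
		(*invalid)++;
		if (ret == -NF_DROP)
			(*drop)++;
		return -ret;
	}
	return ret;
}

/* Scenario from the thread: tracker returns -NF_REPEAT on a single-ref
 * entry. True iff the verdict is NF_REPEAT and the entry was destroyed. */
static bool repeat_destroys_ct(void)
{
	struct model_ct ct = { 1, false };
	struct model_skb skb = { &ct };
	unsigned invalid = 0, drop = 0;
	int verdict = model_conntrack_in(&skb, -NF_REPEAT, &invalid, &drop);

	return verdict == NF_REPEAT && skb.nfct == NULL && ct.freed &&
	       invalid == 1 && drop == 0;
}

int main(void)
{
	printf("-NF_REPEAT destroys ct and repeats: %s\n",
	       repeat_destroys_ct() ? "yes" : "no");
	printf("SYN in SYN_SENT/original, end 1000 > td_end 500: reinit=%d\n",
	       tcp_is_reinit(TCP_CONNTRACK_SYN_SENT, IP_CT_DIR_ORIGINAL, 1000, 500));
	printf("same SYN but end == td_end: reinit=%d\n",
	       tcp_is_reinit(TCP_CONNTRACK_SYN_SENT, IP_CT_DIR_ORIGINAL, 500, 500));
	printf("after(1, 0xfffffff0) across wrap: %d\n", seq_after(1, 0xfffffff0u));
	return 0;
}
```

The point the model makes concrete is the one Jozsef draws: a tracker result of `-NF_REPEAT` has already released the entry by the time the verdict leaves nf_conntrack_in, so the reinitialization branch above, which runs inside the tracker on a still-live entry, is a different path from the reopen case.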