On Tue, Feb 21, 2012 at 04:06:59PM +0100, Jozsef Kadlecsik wrote: > Hi Pablo, > > On Tue, 21 Feb 2012, Pablo Neira Ayuso wrote: > [...] > > Still one issue, see below. > > > > > @@ -1512,25 +1513,22 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, > > > > > > spin_lock_bh(&nf_conntrack_lock); > > > if (cda[CTA_TUPLE_ORIG]) > > > - h = __nf_conntrack_find(net, zone, &otuple); > > > + h = nf_conntrack_find_get(net, zone, &otuple); > > > else if (cda[CTA_TUPLE_REPLY]) > > > - h = __nf_conntrack_find(net, zone, &rtuple); > > > + h = nf_conntrack_find_get(net, zone, &rtuple); > > > + spin_unlock_bh(&nf_conntrack_lock); > > > > We still have to keep the lock for the update case. Otherwise we may > > clash with one update from the kernel. > > By calling nf_conntrack_find_get we are safe to release the lock, because > the conntack entry won't be removed behind us. Later in the patch the lock > is re-acquired to serialize the updates: > > + spin_lock_bh(&nf_conntrack_lock); > err = ctnetlink_change_conntrack(ct, cda); > + spin_unlock_bh(&nf_conntrack_lock); > > Or do I miss something else here? Oh, I missed that part of the patch. It's fine. I'll pass it for mainstream. Thanks Jozsef! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
