On Thu, Feb 23, 2012 at 01:43:06PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> On Thu, 23 Feb 2012, Pablo Neira Ayuso wrote:
>
> > On Tue, Feb 21, 2012 at 04:06:59PM +0100, Jozsef Kadlecsik wrote:
> > > Or do I miss something else here?
> >
> > I just noticed one problem.
> >
> > With your approach, we may lose the race if one packet inserts the same
> > conntrack entry while we're adding one conntrack, thus resulting in two
> > conntracks with the same tuples in the table.
>
> Yes, you're right, that race condition is possible.
>
> > One possible solution would be to check if it already exists before
> > adding it to the list, but this will add too many extra cycles for
> > each conntrack that is added via ctnetlink.
>
> Actually, netfilter for normal conntrack entries does the same in
> __nf_conntrack_confirm. So entries added via ctnetlink would not be
> penalized if the same checking were added to ctnetlink_create_conntrack
> in the locked region. Shall I send a patch over the previous one?

Yes, please.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
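A minimal C model of the check discussed above, added here as an example and not code from the thread or from the kernel: the table layout, the lock and every function name are constructed stand-ins for the conntrack hash table and its lock. It contrasts an insert that skips the lookup in the locked region (two entries with the same tuple can result) with one that, like __nf_conntrack_confirm, looks the tuple up while holding the lock and refuses the duplicate.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* Toy model of the conntrack table, constructed for this example; names are
 * not the kernel's. Only the original-direction tuple is keyed. */
struct ct_tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
#define CT_HASH_SIZE 64
#define CT_BUCKET_DEPTH 8
static struct ct_tuple ct_table[CT_HASH_SIZE][CT_BUCKET_DEPTH];
static unsigned ct_used[CT_HASH_SIZE];
static atomic_flag ct_lock = ATOMIC_FLAG_INIT; /* stands in for the table lock */

static unsigned ct_hash(const struct ct_tuple *t) {
    return (t->src ^ t->dst ^ t->sport ^ t->dport ^ t->proto) % CT_HASH_SIZE;
}
static bool ct_tuple_eq(const struct ct_tuple *a, const struct ct_tuple *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}
static void ct_lock_acquire(void) { while (atomic_flag_test_and_set(&ct_lock)) {} }
static void ct_lock_release(void) { atomic_flag_clear(&ct_lock); }

/* Counts entries carrying this tuple; the invariant we want is "at most one".
 * Usable as a duplicate check only while the caller holds ct_lock. */
unsigned ct_count_tuple(const struct ct_tuple *t) {
    unsigned h = ct_hash(t), n = 0;
    for (unsigned i = 0; i < ct_used[h]; i++)
        n += ct_tuple_eq(&ct_table[h][i], t);
    return n;
}

/* The ctnetlink-style insert. With check_locked == false it models the race
 * from the thread: no lookup inside the locked region, so a packet that just
 * confirmed the same tuple leaves two entries. With check_locked == true it
 * mirrors __nf_conntrack_confirm: look up under the lock, refuse duplicates. */
int ct_insert(const struct ct_tuple *t, bool check_locked) {
    unsigned h = ct_hash(t);
    int ret = 0;
    ct_lock_acquire();
    if (check_locked && ct_count_tuple(t) > 0) ret = -EEXIST;
    else if (ct_used[h] == CT_BUCKET_DEPTH) ret = -ENOMEM;
    else ct_table[h][ct_used[h]++] = *t;
    ct_lock_release();
    return ret;
}
void ct_table_reset(void) {
    for (unsigned h = 0; h < CT_HASH_SIZE; h++) ct_used[h] = 0;
}
```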