(sorry to send this e-mail again, last mail is rejected by server due to non-acceptable content) Jesper Dangaard Brouer <brouer@xxxxxxxxxx> wrote: >> In function __nf_conntrack_confirm, we check the conntrack if it was >> already dead, before insert it into hash-table. >> We do this because if we insert an already 'dead' hash, it will >> block further use of that particular connection. >Have you run into this problem in practice, or is this based on a theory? If we insert a dead conntrack into hash-table, let's see what will happen to the packet which has the same tuple with that dead conntrack: 1) if it is a valid packet, it will enter in nf_conntrack_in hook, then 2) we will find a corresponding conntrack for that packet in __nf_conntrack_find_get, and there is no doubt that we will find that dead conntrack, according to the current implement, we don't use dead conntrack, so we create a new conntrack which is unconfirmed. 3) because there is already a conntrack with the same tuples in hash-table, the new conntrack can not be inserted into hash-table, it will return NF_DROP, 4) the packet will be dropped due to the failure of nf_conntrack_confirm. That's why inserting an already 'dead' hash will block further use of that particular connection. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
