Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:

> This patch introduces nf_ct_resolve_clash() to resolve a race condition on
> conntrack insertions.
>
> This is particularly a problem for connection-less protocols such as
> UDP, with no initial handshake. Two or more packets may race to insert
> the entry, resulting in packet drops.
>
> Another problematic scenario is packets enqueued to userspace via
> NFQUEUE after the raw table, which make it easier to trigger this
> race.
>
> To resolve this, the idea is to reset the conntrack entry to the one
> that won the race. Packet and byte counters are also merged.
>
> The 'insert_failed' stat still accounts for this situation; after
> this patch, the drop counter is bumped whenever we drop packets, so we
> can watch for unresolved clashes.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> v4: Explicit initialization of ret = NF_DROP for dying conntracks.

Looks good, thanks for working on this.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
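The behaviour the quoted description asks for (adopt the entry that won the insertion race, merge its packet and byte counters, keep bumping insert_failed, and bump the drop counter only when the clash cannot be resolved, e.g. because the winner is dying) can be modelled in a few dozen lines. The block below is an added, constructed user-space model written for this thread; it is not the netfilter patch's code, and its names (ct_confirm, resolve_clash, allow_clash, the flat table, the stat counters) are assumptions. The rule that only handshake-less protocols (UDP here) get a clash resolved is also an assumption drawn from the description's motivation, not something the quoted text states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts with the kernel's meaning; the numeric values are constructed. */
enum verdict { NF_DROP = 0, NF_ACCEPT = 1 };
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

struct tuple {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t proto;
};

/* Toy conntrack entry: the tuple, the per-entry counters the patch merges,
 * and a dying flag (entry being torn down, clash cannot be resolved). */
struct ct {
    struct tuple t;
    uint64_t packets, bytes;
    bool dying;
};

#define TABLE_SIZE 16
static struct ct *table[TABLE_SIZE];           /* flat stand-in for the hash table */
static unsigned long stat_insert_failed, stat_drop;

static void ct_table_reset(void)
{
    memset(table, 0, sizeof(table));
    stat_insert_failed = stat_drop = 0;
}

static struct ct make_ct(uint8_t proto, uint32_t src, uint32_t dst,
                         uint16_t sport, uint16_t dport, uint64_t bytes)
{
    struct ct ct;
    memset(&ct, 0, sizeof(ct));
    ct.t.proto = proto; ct.t.src = src; ct.t.dst = dst;
    ct.t.sport = sport; ct.t.dport = dport;
    ct.packets = 1;          /* the packet that created this entry */
    ct.bytes = bytes;
    return ct;
}

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->proto == b->proto && a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}

static struct ct *ct_lookup(const struct tuple *t)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (table[i] && tuple_eq(&table[i]->t, t))
            return table[i];
    return NULL;
}

static bool ct_insert(struct ct *ct)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (!table[i]) { table[i] = ct; return true; }
    return false;
}

/* Assumption: only protocols without a handshake may have a clash resolved. */
static bool allow_clash(uint8_t proto) { return proto == PROTO_UDP; }

/* Clash resolution: point the packet at the winner and merge the loser's
 * counters into it. ret starts as NF_DROP so a dying winner is dropped
 * (the v4 change in the quoted description). Every NF_DROP bumps stat_drop. */
static enum verdict resolve_clash(struct ct **ctp, struct ct *winner)
{
    struct ct *loser = *ctp;
    enum verdict ret = NF_DROP;

    if (allow_clash(loser->t.proto) && !winner->dying) {
        winner->packets += loser->packets;
        winner->bytes += loser->bytes;
        *ctp = winner;       /* the packet now belongs to the winning entry */
        ret = NF_ACCEPT;
    }
    if (ret == NF_DROP)
        stat_drop++;
    return ret;
}

/* Confirmation step: the place where a racing insertion becomes visible. */
static enum verdict ct_confirm(struct ct **ctp)
{
    struct ct *existing = ct_lookup(&(*ctp)->t);
    if (!existing) {
        if (ct_insert(*ctp))
            return NF_ACCEPT;
        stat_drop++;         /* table full: also an unresolved drop */
        return NF_DROP;
    }
    stat_insert_failed++;    /* still counted, as the description says */
    return resolve_clash(ctp, existing);
}

int main(void)
{
    /* Constructed scenario: two UDP packets of one flow confirm back to back. */
    struct ct a = make_ct(PROTO_UDP, 0x0a000001, 0x0a000002, 40000, 53, 60);
    struct ct b = make_ct(PROTO_UDP, 0x0a000001, 0x0a000002, 40000, 53, 80);
    struct ct *pa = &a, *pb = &b;
    ct_table_reset();
    ct_confirm(&pa);
    ct_confirm(&pb);
    printf("winner packets=%llu bytes=%llu insert_failed=%lu drop=%lu\n",
           (unsigned long long)a.packets, (unsigned long long)a.bytes,
           stat_insert_failed, stat_drop);
    return 0;
}
```

Watching the two counters together is the point: insert_failed rising while drop stays flat means clashes are being resolved; drop rising alongside it means the race is still costing packets (dying entries, or a protocol the resolution does not apply to).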