On Wed, May 04, 2016 at 12:27:36AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > - if (NF_CT_DIRECTION(hash))
> > > - goto release;
> > > - if (nf_ct_l3num(ct) != AF_INET)
> > > + /* check if we raced w. object reuse */
> > > + if (!nf_ct_is_confirmed(ct) ||
> >
> > This refactoring includes this new check, is this intentional?
>
> Hmm, yes and no.
>
> I should have put it in an extra commit :-/
>
> Without this, we might erroneously print a conntrack that is NEW
> and which isn't confirmed yet.
>
> We won't crash since seq_print doesn't depend on extensions being
> set up properly, but it seems better to only display those conntracks
> that are part of the conntrack hash table (i.e., have the confirmed bit
> set).

I see, a conntrack that shouldn't be printed may sneak into the listing.

> Let me know if you want me to respin this as a separate fix, thanks!

I will just append a notice on the commit message before applying.
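
Review bot: the added `!nf_ct_is_confirmed(ct)` test in the quoted hunk is a behavior change inside what is otherwise a refactor, since it keeps NEW, not-yet-confirmed conntracks out of the listing. It belongs in its own commit, or at minimum needs a line in the commit message. The comment above it, "check if we raced w. object reuse", should also say that unconfirmed entries are skipped on purpose because they are not yet in the conntrack hash table.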