[PATCH nf-next 0/4] netfilter: handle race w. module removal and nfqueue

There is a long-standing race that occurs with module removal (such as helpers),
nfqueue, and unconfirmed (not in the hash table) conntracks.

The main issue is that
a). unconfirmed conntracks can't safely be mangled from another CPU (we assume
    exclusive access to grow/alter the extension area) and
b). nfqueued skbs leave RCU protection

This series addresses this by making the queue event similar to a confirm event:

Just as we do not commit 'dying' conntracks to the main table, refuse
to queue dying and unconfirmed conntracks to userspace.

Combined with a 'drop queued skbs' when a module exit path calls
the ct_iterate_destroy function this closes the hole, see patch #4 for details.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
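The policy the cover letter describes, as an added user-space model that is not part of the series or of the kernel: conntracks carry confirmed/dying status bits, the queue path refuses any skb whose conntrack is unconfirmed or dying, and a helper module's exit path walks the conntracks, marks the affected ones dying and flushes queued skbs that still reference them. The struct layouts, the queue, the `uses_helper` iterator and the scenario data are constructed for this illustration; the status bit names follow the kernel's but their positions here are assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status bits named as in the kernel's nf_conntrack_common.h; the bit
 * positions are assumed for this model. */
enum { IPS_CONFIRMED = 1u << 3, IPS_DYING = 1u << 9 };

struct ct { unsigned int status; const char *helper; };  /* helper: module name or NULL */
struct skb { struct ct *ct; bool dropped; };

#define QUEUE_MAX 16
struct nfqueue { struct skb *entries[QUEUE_MAX]; size_t len; };

static bool ct_is_confirmed(const struct ct *ct) { return (ct->status & IPS_CONFIRMED) != 0; }
static bool ct_is_dying(const struct ct *ct) { return (ct->status & IPS_DYING) != 0; }

enum { Q_OK = 0, Q_REFUSED = -1 };

/* The rule from the series: an skb whose conntrack is unconfirmed (not in the
 * hash table, so only the current CPU may touch its extension area) or dying
 * is refused, just as the confirm path refuses to commit a dying ct.
 * Only confirmed, live conntracks may leave RCU protection via the queue. */
static int nfqueue_enqueue(struct nfqueue *q, struct skb *skb)
{
    if ((skb->ct && (!ct_is_confirmed(skb->ct) || ct_is_dying(skb->ct))) ||
        q->len == QUEUE_MAX) {
        skb->dropped = true;
        return Q_REFUSED;
    }
    q->entries[q->len++] = skb;
    return Q_OK;
}

/* Model of the ct_iterate_destroy step on a helper module's exit path: mark
 * every conntrack the iterator selects as dying, then drop queued skbs that
 * still reference a dying ct so userspace can never reinject them after the
 * module is gone. */
static size_t ct_iterate_destroy(struct nfqueue *q, struct ct **cts, size_t n,
                                 bool (*iter)(struct ct *, void *), void *data)
{
    size_t dropped = 0, w = 0;

    for (size_t i = 0; i < n; i++)
        if (iter(cts[i], data))
            cts[i]->status |= IPS_DYING;

    for (size_t r = 0; r < q->len; r++) {
        struct skb *skb = q->entries[r];
        if (skb->ct && ct_is_dying(skb->ct)) {
            skb->dropped = true;
            dropped++;
        } else {
            q->entries[w++] = skb;   /* compact the survivors in place */
        }
    }
    q->len = w;
    return dropped;
}

/* Hypothetical iterator: select conntracks bound to the helper being unloaded. */
static bool uses_helper(struct ct *ct, void *name)
{
    return ct->helper && strcmp(ct->helper, name) == 0;
}

struct model_result {
    int verdict_unconfirmed; /* enqueue verdict for an unconfirmed ct */
    int verdict_confirmed;   /* enqueue verdict for a confirmed, live ct */
    size_t flushed;          /* skbs dropped when the helper module unloads */
    size_t left;             /* skbs still queued afterwards */
};

/* Constructed scenario: one unconfirmed and two confirmed conntracks, then
 * the "ftp" helper module is unloaded while packets sit in the queue. */
static struct model_result run_model(void)
{
    struct ct unconfirmed = { .status = 0, .helper = "ftp" };
    struct ct ftp_ct = { .status = IPS_CONFIRMED, .helper = "ftp" };
    struct ct sip_ct = { .status = IPS_CONFIRMED, .helper = "sip" };
    struct ct *all[] = { &unconfirmed, &ftp_ct, &sip_ct };
    struct skb s_unconf = { .ct = &unconfirmed }, s_ftp = { .ct = &ftp_ct }, s_sip = { .ct = &sip_ct };
    struct nfqueue q = { .len = 0 };
    char ftp[] = "ftp";
    struct model_result r;

    r.verdict_unconfirmed = nfqueue_enqueue(&q, &s_unconf);   /* refused */
    r.verdict_confirmed = nfqueue_enqueue(&q, &s_ftp);        /* queued */
    (void)nfqueue_enqueue(&q, &s_sip);                        /* queued */
    r.flushed = ct_iterate_destroy(&q, all, 3, uses_helper, ftp);
    r.left = q.len;
    return r;
}

int main(void)
{
    struct model_result r = run_model();
    printf("unconfirmed=%d confirmed=%d flushed=%zu left=%zu\n",
           r.verdict_unconfirmed, r.verdict_confirmed, r.flushed, r.left);
    return 0;
}
```

In the scenario the unconfirmed ct's packet never enters the queue, the ftp-bound packet is flushed when the ftp helper is torn down, and only the sip-bound packet remains queued; the two checks together are what stop a queued skb from pointing at a conntrack whose extension area or helper code no longer exists.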
