There is a long-standing race that occurs with module removal (such as helpers), nfqueue, and unconfirmed (not in hash table) conntracks.

The main issue is that a) unconfirmed conntracks can't safely be mangled from another CPU (we assume exclusive access to grow/alter the extension area) and b) nfqueued skbs leave RCU protection.

This series addresses this by making the queue event similar to a confirm event: just as we do not commit 'dying' conntracks to the main table, refuse to queue dying and unconfirmed conntracks to userspace.

Combined with a 'drop queued skbs' when a module exit path calls the ct_iterate_destroy function, this closes the hole; see patch #4 for details.

The only change since v1 is a build error that occurred in patch 4 when nfqueue is enabled but conntrack is not, as reported by kbuild test robot.