On Wed, Jul 26, 2017 at 12:02:30AM +0200, Florian Westphal wrote:
> There is a long-standing race that occurs with module removal
> (such as helpers), nfqueue, and unconfirmed (not in hash table) conntracks.
>
> The main issue is that
> a). unconfirmed conntracks can't safely be mangled from other cpu (we assume
> exclusive access to grow/alter the extension area) and
> b). nfqueued skbs leave RCU protection
>
> This series addresses this by making the queue event similar to a
> confirm event:
>
> Just as we do not commit 'dying' conntracks to the main table, refuse to
> queue dying and unconfirmed conntracks to userspace.
>
> Combined with a 'drop queued skbs' when a module exit path calls the
> ct_iterate_destroy function this closes the hole, see patch #4 for details.
>
> The only change since v1 is a build error that occurred in patch 4 when
> nfqueue is enabled but conntrack is not, as reported by kbuild test robot.

Series applied.
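The two rules the cover letter describes (refuse to queue skbs whose conntrack is unconfirmed or dying; drop what is still queued when a module's exit path tears its conntracks down) can be checked as an invariant in a small userspace model. The block below is an added example for this thread, not code from the kernel or from the series; `struct ct`, `struct skb`, `struct nfqueue`, `nfqueue_admit`, `module_exit_flush` and `queue_is_safe` are constructed names, and flushing only skbs that reference a conntrack is a simplification of the kernel's behaviour. What it shows is why the admission check matters: once every queued skb either has no conntrack or has a confirmed one, the exit path can find and drop every reference before the module's memory goes away, so a later userspace verdict cannot reach a freed extension area.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the two conntrack states the cover letter names.
 * These are illustration-only and not the kernel's definitions. */
enum { CT_CONFIRMED = 1 << 0, CT_DYING = 1 << 1 };

struct ct  { unsigned int status; };
struct skb { struct ct *ct; int id; };

#define QUEUE_CAP 8
struct nfqueue { struct skb *slots[QUEUE_CAP]; size_t len; };

/* Admission rule from the series: an skb whose conntrack is unconfirmed
 * (not yet in the hash table) or already dying is refused. Returns false
 * when refused; the kernel would drop the packet rather than queue it. */
bool nfqueue_admit(struct nfqueue *q, struct skb *skb)
{
    if (skb->ct && (!(skb->ct->status & CT_CONFIRMED) ||
                    (skb->ct->status & CT_DYING)))
        return false;
    if (q->len == QUEUE_CAP)
        return false;
    q->slots[q->len++] = skb;
    return true;
}

/* Model of a module exit path: the module's entries are marked dying (the
 * effect ct_iterate_destroy has on the table) and every queued skb that
 * still references a conntrack is dropped. Returns the number dropped. */
size_t module_exit_flush(struct nfqueue *q, struct ct *cts, size_t n)
{
    size_t dropped = 0, kept = 0;
    for (size_t i = 0; i < n; i++)
        cts[i].status |= CT_DYING;
    for (size_t i = 0; i < q->len; i++) {
        if (q->slots[i]->ct) { dropped++; continue; }
        q->slots[kept++] = q->slots[i];
    }
    q->len = kept;
    return dropped;
}

/* The property the series restores: nothing left in the queue can lead a
 * userspace verdict back to a conntrack the exited module owned. */
bool queue_is_safe(const struct nfqueue *q)
{
    for (size_t i = 0; i < q->len; i++)
        if (q->slots[i]->ct)
            return false;
    return true;
}

/* Constructed scenario: one unconfirmed, one confirmed and one dying
 * conntrack, plus an skb with no conntrack. Returns how many were admitted. */
int scenario_admitted(void)
{
    struct ct cts[3] = { {0}, {CT_CONFIRMED}, {CT_CONFIRMED | CT_DYING} };
    struct skb skbs[4] = { {&cts[0], 1}, {&cts[1], 2}, {&cts[2], 3}, {NULL, 4} };
    struct nfqueue q = { {0}, 0 };
    int admitted = 0;
    for (size_t i = 0; i < 4; i++)
        admitted += nfqueue_admit(&q, &skbs[i]);
    return admitted;   /* the confirmed ct and the ct-less skb: 2 */
}

/* Constructed scenario: the module exits while a confirmed conntrack's skb
 * is queued. Returns 1 when exactly that skb was dropped, the ct-less skb
 * survived, and the queue holds no conntrack reference afterwards. */
int scenario_exit_flush(void)
{
    struct ct cts[1] = { {CT_CONFIRMED} };
    struct skb a = { &cts[0], 1 }, b = { NULL, 2 };
    struct nfqueue q = { {0}, 0 };
    nfqueue_admit(&q, &a);
    nfqueue_admit(&q, &b);
    size_t dropped = module_exit_flush(&q, cts, 1);
    return dropped == 1 && q.len == 1 && queue_is_safe(&q);
}
```

Read `nfqueue_admit` as the "queue event behaves like a confirm event" rule: without it, an skb referencing an unconfirmed conntrack could sit in the queue with no table entry for the exit path to iterate over, which is the hole the series closes.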