Oleh Danilovskyi <oleh.danilovskyi@xxxxxxxxx> wrote:
> I have implemented a custom extension for conntrack. It is basically
> an extra pointer which resides in "struct nf_conn".
> The pointer references a slab buffer and it is used/modified in a custom
> netfilter match extension.
> I'm not sure whether it is possible that different skbs with the same
> nf_conn can be simultaneously handled on different CPUs.

Yes, it's possible.

> My question is, should I protect the buffer (custom_buffer_ptr) with a
> spinlock in the match callback of the extension (struct
> xt_match.match)?

Depends on what kind of modification occurs.
Anything that needs strict serialization needs some type of locking
(can be spinlock or rwlock or seqlock).

If the conntrack is not confirmed yet, it's only visible to one CPU, so
if nf_conn->foo gets set up only when nf_conn isn't confirmed yet, no lock
is needed.
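
A userspace model of the two cases in the reply above, added here as an example; it is not code from the thread or from the kernel. It assumes pthreads standing in for CPUs and a C11 `atomic_flag` test-and-set lock standing in for a kernel spinlock; `struct conn`, `struct custom_buf`, `conn_setup`, `conn_match` and `run_cpus` are hypothetical names.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#define PKTS_PER_CPU 100000
/* Hypothetical userspace stand-ins; none of these are kernel APIs. */
struct custom_buf { atomic_flag lock; unsigned long hits; };
struct conn { bool confirmed; struct custom_buf *custom_buffer_ptr; };

/* Unconfirmed entry: visible to one CPU only, so set up without the lock. */
static void conn_setup(struct conn *ct, struct custom_buf *buf)
{
    atomic_flag_clear(&buf->lock);
    ct->custom_buffer_ptr = buf;
    ct->confirmed = true; /* from here on other CPUs may find the entry */
}

/* Match callback model: read-modify-write on shared state, serialised. */
static void conn_match(struct conn *ct)
{
    struct custom_buf *b = ct->custom_buffer_ptr;
    while (atomic_flag_test_and_set_explicit(&b->lock, memory_order_acquire))
        ; /* spin until the other CPU releases the lock */
    b->hits++;
    atomic_flag_clear_explicit(&b->lock, memory_order_release);
}

static void *cpu_thread(void *arg)
{
    for (int i = 0; i < PKTS_PER_CPU; i++)
        conn_match(arg);
    return NULL;
}

/* Run ncpus (at most 16) threads over one confirmed entry; return hits. */
static unsigned long run_cpus(int ncpus)
{
    struct custom_buf buf = { .hits = 0 };
    struct conn ct;
    pthread_t tid[16];
    int n = 0;

    conn_setup(&ct, &buf);
    while (n < ncpus && n < 16 && !pthread_create(&tid[n], NULL, cpu_thread, &ct))
        n++;
    for (int i = 0; i < n; i++)
        pthread_join(tid[i], NULL);
    return buf.hits;
}

int main(void) { return run_cpus(4) != 4UL * PKTS_PER_CPU; }
```

Without the lock in `conn_match`, the increment is an unsynchronised read-modify-write and the final count can come up short when several threads run.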