Re: "Kernel bug detected [...] nf_ct_del_from_dying_or_unconfirmed_list"

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> I don't think letting the packet go through is a good idea. Not sure
> NAT will work fine, packets would go through being unmangled? I think
> we should still drop the packet until we fix this.

Unfortunately this is still a band-aid solution, nfqueue + bridge doesn't
work when mcast/flood is involved.

Problematic cases are NAT (several bindings on same conntrack
simultaneously) and extension reallocation.
They are not a problem in most cases due to preallocated space and
because extensions are commonly added before bridge starts to clone
for flooding.

For NAT, the race window is small and iirc we changed nat core to
just warn in case the nat bit is already set.

I think it will work fine in most cases with this patch (i.e.,
with accept verdict) though; it is better than what we do now.
