Hi Xiao,

On Tue, May 14, 2019 at 03:45:13PM +0800, 肖瑞珠 wrote:
> Hi Pablo,
>
> Thanks very much for your reply.
>
> >On Thu, May 13, 2019 at 07:26PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> >wrote:
> >
> >I wonder if we can handle this from __nf_ct_expect_check() itself.
> >
> >We could just check if master mismatches, then return -EALREADY from
> >there?
> >
> >Similar to 876c27314ce51, but catch the master mismatches case.
>
> Thanks for your proposal. It is a neater solution.

OK, thanks for exploring this path and confirming this works!

Still one more question before we go: I wonder if we should enable this through flag, eg. extend nf_ct_expect_related() to take a flag that NFCT_EXP_F_MASTER_MISMATCH.

This would change the behaviour for the other existing helpers, which would prevent them from creating expectations with the same tuple from different master conntracks.

So I would just turn on this for SIP unless there is some reasoning here that turning it for all existing helpers is fine.

One more comment below.

> Please find the patch updated accordingly below.

For some reason this patch is not showing in patchwork:

https://patchwork.ozlabs.org/project/netfilter-devel/list/

Would you resubmit via git send-mail?

Thanks.