On Thu, Jul 18, 2019 at 12:18:06PM +0200, Michal Kubecek wrote:
> On Thu, Jul 18, 2019 at 11:21:28AM +0200, Florian Westphal wrote:
> > > I added some more tracing and this is what seems to happen:
> > >
> > > - ipv4_confirm() is called for the conntrack from ip_output() via hook
> > > - nf_confirm() calls attached helper and calls its help() function
> > >   which is nfnl_userspace_cthelper(), that returns 0x78003
> > > - nf_confirm() returns that without calling nf_confirm_conntrack()
> > > - verdict 0x78003 is returned to nf_hook_slow() which therefore calls
> > >   nf_queue() to pass this to userspace helper on queue 7
> > > - nf_queue() returns 0 which is also returned by nf_hook_slow()
> > > - the packet reappears in nf_reinject() where it passes through
> > >   nf_reroute() and nf_iterate() to the main switch statement
> > > - it takes NF_ACCEPT branch to call okfn which is ip_finish_output()
> > > - unless I missed something, there is nothing that could confirm the
> > >   conntrack after that
> >
> > I broke this with
> > commit 827318feb69cb07ed58bb9b9dd6c2eaa81a116ad
> > ("netfilter: conntrack: remove helper hook again").
> >
> > Seems we have to revert, I see no other solution at this time.
>
> Thanks for the quick reply. I can confirm that with commit 827318feb69c
> reverted, the helper works as expected.

I'll schedule a revert in the next net batch.