Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Florian Westphal says:
>
> "Problem is that after the helper hook was merged back into the confirm
> one, the queueing itself occurs from the confirm hook, i.e. we queue
> from the last netfilter callback in the hook-list.
>
> Therefore, on return, the packet bypasses the confirm action and the
> connection is never committed to the main conntrack table.
>
> To fix this there are several ways:
> 1. revert the 'Fixes' commit and have an extra helper hook again.
> Works, but has the drawback of adding another indirect call for
> everyone.
>
> 2. Special case this: split the hooks only when userspace helper
> gets added, so queueing occurs at a lower priority again,
> and normal nfqueue reinject would eventually call the last hook.
>
> 3. Extend the existing nf_queue ct update hook to allow a forced
> confirmation (plus run the seqadj code).
>
> This goes for 3)."
>
> Fixes: 827318feb69cb ("netfilter: conntrack: remove helper hook again")
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> v2: call __nf_conntrack_update() before ct helper confirmation.

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>