Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > One way would be to return 0 in that case (in
> > nf_conntrack_hash_check_insert()). What do you think?
>
> This is misleading to the user that adds an entry via ctnetlink?
>
> ETIMEDOUT also looks a bit confusing to report to userspace.
> Rewinding: if the intention is to deal with stale conntrack extension,
> for example, helper module has been removed while this entry was
> added. Then, probably call EAGAIN so nfnetlink has a chance to retry
> transparently?

Seems we first need to add a "bool *inserted" so we know when the ct
entry went public.

I'll also have a look at switching to a refcount based model for
all extensions that reference external objects, this would avoid
the entire problem, but that's likely more intrusive.