Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > Ok, I finally managed to get this tested, and it does not seem to
> > solve the problem, it keeps dnatting twice after the packet is enqueued
> > by nfqueue
>
> dnatting twice is required to deal with the conntrack confirmation race.

Antonio could also try this hack:

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -379,7 +379,7 @@ static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict) unsigned int ct_verdict = verdict; rcu_read_lock(); - ct_hook = rcu_dereference(nf_ct_hook); + ct_hook = NULL; if (ct_hook) ct_verdict = ct_hook->update(entry->state.net, entry->skb); rcu_read_unlock();

which defers this to the clash resolution logic. The ct_hook->update infra predates this, I'm not sure we need it anymore.
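Review bot: in the nfqnl_reinject() hunk, replacing `ct_hook = rcu_dereference(nf_ct_hook);` with `ct_hook = NULL;` leaves dead code behind: the following `if (ct_hook)` can never be true, so `ct_hook->update(entry->state.net, entry->skb)` is never called, `ct_verdict` always stays equal to `verdict`, and the surrounding `rcu_read_lock()` / `rcu_read_unlock()` pair no longer protects any dereference. That is fine as a quick experiment for Antonio to confirm whether the double DNAT goes away, but if the conclusion is that the ct_hook->update path is no longer needed, the real change should drop the rcu section, the `ct_hook` dereference and the update call together (and say in the commit message that the reinjected packet now relies on the clash resolution logic instead) rather than leaving the no-op branch in place.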