On 14 February 2015 at 11:56, Thomas Graf <tg...@suug.ch> wrote: > On 02/14/15 at 12:13am, Joe Stringer wrote: > > [..] > >> +static bool skb_has_valid_nfct(const struct net *net, u16 zone, >> + const struct sk_buff *skb) >> +{ >> + enum ip_conntrack_info ctinfo; >> + struct nf_conn *ct = nf_ct_get(skb, &ctinfo); >> + >> + if (!ct) >> + return false; >> + if (!net_eq(net, ct->ct_net)) >> + return false; > > I'm surprised that this is needed. Shouldn't we call skb_scrub_packet() > between namespaces and invalidate the ct associated with the skb.
Right, it was more of a general sanity check which is likely unneeded. I'm not aware of any particular case that this handles.
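Review bot: The `!net_eq(net, ct->ct_net)` test in skb_has_valid_nfct() carries no comment saying which path could deliver an skb whose conntrack entry belongs to a different namespace, so a later reader cannot tell whether it guards a real case or is dead code. Either drop it, or keep it with a one-line comment stating that it is a defensive check only. If it stays, read the namespace through the `nf_ct_net(ct)` accessor rather than dereferencing `ct->ct_net` directly, so the check does not depend on the layout of struct nf_conn.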