On 15 February 2015 at 07:08, Nicolas Dichtel <nicolas.dich...@6wind.com> wrote:
> On 15/02/2015 05:47, Joe Stringer wrote:
>
>> On 14 February 2015 at 11:56, Thomas Graf <tg...@suug.ch> wrote:
>>>
>>> On 02/14/15 at 12:13am, Joe Stringer wrote:
>>>
>>> [..]
>>>
>>>> +static bool skb_has_valid_nfct(const struct net *net, u16 zone,
>>>> + const struct sk_buff *skb)
>>>> +{
>>>> + enum ip_conntrack_info ctinfo;
>>>> + struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
>>>> +
>>>> + if (!ct)
>>>> + return false;
>>>> + if (!net_eq(net, ct->ct_net))
>>>> + return false;
>>>
>>>
>>> I'm surprised that this is needed. Shouldn't we call skb_scrub_packet()
>>> between namespaces and invalidate the ct associated with the skb.
>>
>>
>> Right, it was more of a general sanity check which is likely unneeded.
>> I'm not aware of any particular case that this handles.
>
> I agree with Thomas. If we fall into this case, it's probably a real bug ;-)

We can BUG_ON(), then.
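
Review bot: The `net_eq(net, ct->ct_net)` test in skb_has_valid_nfct() returns false without any trace, so a conntrack entry that stays attached to an skb across a namespace crossing would go unreported. If the test is kept as a sanity check, consider `if (WARN_ON_ONCE(!net_eq(net, ct->ct_net))) return false;` plus a short comment stating that the skb is expected to have been scrubbed before it changes namespace. That keeps the fail-closed return and logs the condition once, whereas BUG_ON() on the packet path would halt the host if the condition ever proves reachable from traffic.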