[PATCH] netfilter: conntrack: fix cloned unconfirmed skb->_nfct race in __nf_conntrack_confirm

For bridge(br_flood) or broadcast/multicast packets, they could clone skb with unconfirmed conntrack which break the rule that unconfirmed skb->_nfct is never shared. With nfqueue running on my system, the race can be easily reproduced with following warning calltrace: [13257.707525] CPU: 0

Re: [PATCH] netfilter: conntrack: fix cloned unconfirmed skb->_nfct race in __nf_conntrack_confirm

Hi! On Wed, Oct 31, 2018 at 02:02:07PM +0800, Chieh-Min Wang wrote: > From: Chieh-Min Wang > > For bridge(br_flood) or broadcast/multicast packets, they could clone skb with > unconfirmed conntrack which break the rule that unconfirmed skb->_nfct is > never shared. > With nfqueue running on my