Re: [PATCH nf-next] netns: add and use net_ns_barrier

On Tue, May 30, 2017 at 11:38:12AM +0200, Florian Westphal wrote: > Quoting Joe Stringer: > If a user loads nf_conntrack_ftp, sends FTP traffic through a network > namespace, destroys that namespace then unloads the FTP helper module, > then the kernel will crash. > > Events that lead to

Re: [PATCH nf-next] netns: add and use net_ns_barrier

Pablo Neira Ayuso writes: > Hi! > > On Tue, Jun 13, 2017 at 09:35:20AM -0700, Cong Wang wrote: >> On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal wrote: >> > Cong Wang wrote: >> >> On Thu, Jun 1, 2017 at 1:52 AM, Florian

Re: [PATCH nf-next] netns: add and use net_ns_barrier

Hi! On Tue, Jun 13, 2017 at 09:35:20AM -0700, Cong Wang wrote: > On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal wrote: > > Cong Wang wrote: > >> On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal wrote: > >> > Joe described it nicely,

Re: [PATCH nf-next] netns: add and use net_ns_barrier

On Tue, Jun 13, 2017 at 11:07 AM, Florian Westphal wrote: > Historically it wasn't needed because we just clear out the helper area > in the affected conntracks (i.e, future packets are not inspected by > the helper anymore). > > When conntracks were made per-netns this problem

Re: [PATCH nf-next] netns: add and use net_ns_barrier

On 13 June 2017 at 11:07, Florian Westphal wrote: > Cong Wang wrote: >> On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal wrote: >> > Cong Wang wrote: >> >> On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal

Re: [PATCH nf-next] netns: add and use net_ns_barrier

Cong Wang wrote: > On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal wrote: > > Cong Wang wrote: > >> On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal wrote: > >> > Joe described it nicely, problem is that

Re: [PATCH nf-next] netns: add and use net_ns_barrier

On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal wrote: > Cong Wang wrote: >> On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal wrote: >> > Joe described it nicely, problem is that after unload we may have >> > conntracks that still

Re: [PATCH nf-next] netns: add and use net_ns_barrier

Cong Wang wrote: > On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal wrote: > > Joe described it nicely, problem is that after unload we may have > > conntracks that still have a nf_conn_help extension attached that > > has a pointer to a structure that

Re: [PATCH nf-next] netns: add and use net_ns_barrier

On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal wrote: > Joe described it nicely, problem is that after unload we may have > conntracks that still have a nf_conn_help extension attached that > has a pointer to a structure that resided in the (unloaded) module. Why not hold a

Re: [PATCH nf-next] netns: add and use net_ns_barrier

On Wed, May 31, 2017 at 01:13:32PM -0500, Eric W. Biederman wrote: > Florian Westphal writes: > > > Quoting Joe Stringer: > > If a user loads nf_conntrack_ftp, sends FTP traffic through a network > > namespace, destroys that namespace then unloads the FTP helper module, > >

Re: [PATCH nf-next] netns: add and use net_ns_barrier

David Laight wrote: > From: Florian Westphal > > Sent: 30 May 2017 10:38 > > > > Quoting Joe Stringer: > > If a user loads nf_conntrack_ftp, sends FTP traffic through a network > > namespace, destroys that namespace then unloads the FTP helper module, > > then the

RE: [PATCH nf-next] netns: add and use net_ns_barrier

From: Florian Westphal > Sent: 30 May 2017 10:38 > > Quoting Joe Stringer: > If a user loads nf_conntrack_ftp, sends FTP traffic through a network > namespace, destroys that namespace then unloads the FTP helper module, > then the kernel will crash. > > Events that lead to the crash: > 1.

Re: [PATCH nf-next] netns: add and use net_ns_barrier

Eric W. Biederman wrote: > Florian Westphal writes: > > > Quoting Joe Stringer: > > If a user loads nf_conntrack_ftp, sends FTP traffic through a network > > namespace, destroys that namespace then unloads the FTP helper module, > > then the kernel

Re: [PATCH nf-next] netns: add and use net_ns_barrier

On 31 May 2017 at 11:13, Eric W. Biederman wrote: > Florian Westphal writes: > >> Quoting Joe Stringer: >> If a user loads nf_conntrack_ftp, sends FTP traffic through a network >> namespace, destroys that namespace then unloads the FTP helper module, >>

Re: [PATCH nf-next] netns: add and use net_ns_barrier

Florian Westphal writes: > Quoting Joe Stringer: > If a user loads nf_conntrack_ftp, sends FTP traffic through a network > namespace, destroys that namespace then unloads the FTP helper module, > then the kernel will crash. > > Events that lead to the crash: > 1. conntrack

Re: [PATCH nf-next] netns: add and use net_ns_barrier

David Miller writes: > From: Florian Westphal > Date: Tue, 30 May 2017 11:38:12 +0200 > >> Quoting Joe Stringer: >> If a user loads nf_conntrack_ftp, sends FTP traffic through a network >> namespace, destroys that namespace then unloads the FTP helper

Re: [PATCH nf-next] netns: add and use net_ns_barrier

From: Florian Westphal Date: Tue, 30 May 2017 11:38:12 +0200 > Quoting Joe Stringer: > If a user loads nf_conntrack_ftp, sends FTP traffic through a network > namespace, destroys that namespace then unloads the FTP helper module, > then the kernel will crash. > > Events

[PATCH nf-next] netns: add and use net_ns_barrier

Quoting Joe Stringer: If a user loads nf_conntrack_ftp, sends FTP traffic through a network namespace, destroys that namespace then unloads the FTP helper module, then the kernel will crash. Events that lead to the crash: 1. conntrack is created with ftp helper in netns x 2. This netns is