Re: [PATCH nf-next 2/3] netfilter: nf_ct_helper: use nf_ct_iterate_cleanup to unlink helper objs

2017-05-21 Thread Florian Westphal
Liping Zhang wrote:
> Yes, here we should use clear_bit(IPS_SRC_NAT_DONE_BIT, &ct->status);
> (For IPS_DST_NAT_DONE, we don't care about it, so we can
> leave it unchanged.)

Oh, right.

> > That's also broken (racy). We have to audit all the non-atomic writes of
> > ct->status

Re: [PATCH nf-next 2/3] netfilter: nf_ct_helper: use nf_ct_iterate_cleanup to unlink helper objs

2017-05-21 Thread Liping Zhang
Hi Florian,

2017-05-21 18:31 GMT+08:00 Florian Westphal :
> Liping Zhang wrote:
>> Hi Florian,
>>
>> 2017-05-21 16:15 GMT+08:00 Florian Westphal :
>> [...]
>> > this is broken for unconfirmed conntracks, as
>> > other cpu can reallocate the

Re: [PATCH nf-next 2/3] netfilter: nf_ct_helper: use nf_ct_iterate_cleanup to unlink helper objs

2017-05-21 Thread Liping Zhang
Hi Florian,

2017-05-21 16:15 GMT+08:00 Florian Westphal :
[...]
> this is broken for unconfirmed conntracks, as
> other cpu can reallocate the extension area.

Right, I missed this point, thanks for your reminder.

> For the module removal case, we have no choice but to toss the
>

Re: [PATCH nf-next 2/3] netfilter: nf_ct_helper: use nf_ct_iterate_cleanup to unlink helper objs

2017-05-21 Thread Florian Westphal
Liping Zhang wrote:
> From: Liping Zhang
>
> When we unlink the helper objects, we will iterate the nf_conntrack_hash,
> iterate the unconfirmed list, handle the hash resize situation, etc.
>
> Actually this logic is same as the nf_ct_iterate_cleanup, so