git.baikalelectronics.ru Git - kernel.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 30 Apr 2016 22:28:40 +0000 (00:28 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 5 May 2016 14:39:50 +0000 (16:39 +0200)
commit	862c8d4614d823fce79ec16e16661a10729dbb78
tree	3bfe17c0f91a43e69c8d849563572905735abcf9	tree \| snapshot
parent	e8154387849f90bb881dbfab66a1c3cb4f441514	commit \| diff

netfilter: conntrack: introduce clash resolution on insertion race

This patch introduces nf_ct_resolve_clash() to resolve race condition on
conntrack insertions.

This is particularly a problem for connection-less protocols such as
UDP, with no initial handshake. Two or more packets may race to insert
the entry resulting in packet drops.

Another problematic scenario are packets enqueued to userspace via
NFQUEUE after the raw table, that make it easier to trigger this
race.

To resolve this, the idea is to reset the conntrack entry to the one
that won race. Packet and bytes counters are also merged.

The 'insert_failed' stats still accounts for this situation, after
this patch, the drop counter is bumped whenever we drop packets, so we
can watch for unresolved clashes.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_conntrack_l4proto.h		diff \| blob \| history
net/netfilter/nf_conntrack_core.c		diff \| blob \| history
net/netfilter/nf_conntrack_proto_udp.c		diff \| blob \| history
net/netfilter/nf_conntrack_proto_udplite.c		diff \| blob \| history