summaryrefslogtreecommitdiff
path: root/lib/debugobjects.c
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2024-08-07 21:28:41 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2024-08-14 23:37:23 +0200
commit7d8dc1c7be8d3509e8f5164dd5df64c8e34d7eeb (patch)
tree6c9e46a8826f58e13a337aaa9974df82e610d491 /lib/debugobjects.c
parente9767137308daf906496613fd879808a07f006a2 (diff)
netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
Conntrack assumes an unconfirmed entry (not yet committed to global hash table) has a refcount of 1 and is not visible to other cores. With multicast forwarding this assumption breaks down because such skbs get cloned after being picked up, i.e. ct->use refcount is > 1. Likewise, bridge netfilter will clone broad/mutlicast frames and all frames in case they need to be flood-forwarded during learning phase. For ip multicast forwarding or plain bridge flood-forward this will "work" because packets don't leave softirq and are implicitly serialized. With nfqueue this no longer holds true, the packets get queued and can be reinjected in arbitrary ways. Disable this feature, I see no other solution. After this patch, nfqueue cannot queue packets except the last multicast/broadcast packet. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'lib/debugobjects.c')
0 files changed, 0 insertions, 0 deletions