[PATCH] Prevent crash on ip_conntrack removal
Thu Aug 19 11:11:59 CEST 2004
On Wed, Aug 18, 2004 at 11:13:52AM +0200, Olaf Kirch wrote:
> here's a patch that keeps us from crashing on removal of ip_conntrack.
> This problem came up during IBM's testing of SLES.
Thanks for this detailed bug report and fix.
> I'm not sure if this issue has been submitted already.
Not that I'm aware of.
> To fix this, the patch below simply drops such skbs. A different fix
> could be to change the conntrack module to flush out all unassembled
> fragments when unloaded; an alternative patch for this is attached as
> well (this one is completely untested).
Since I don't want to put any more conntrack-specific code into the core
network stack, I'd rather go for the 'alternative patch'.
I'm not sure whether it's worth the effort to combine the two, i.e. only
flush entries with skb->dst == NULL.
But especially since module unloading is EXPERIMENTAL anyway, I think
it's ok when we completely flush the fragment queue.
Dave, is this fine with you? What solution would you prefer?
- Harald Welte <email@example.com> http://www.netfilter.org/
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie